Replaced text strings to allow translations

Michael Boelen 2016-06-18 11:14:01 +02:00
parent 9c093f7a97
commit 983e293eb1
40 changed files with 736 additions and 736 deletions


@ -35,11 +35,11 @@
Register --test-no ACCT-2754 --os FreeBSD --weight L --network NO --description "Check for available FreeBSD accounting information" Register --test-no ACCT-2754 --os FreeBSD --weight L --network NO --description "Check for available FreeBSD accounting information"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
if [ -f /var/account/acct ]; then if [ -f /var/account/acct ]; then
Display --indent 2 --text "- Checking accounting information" --result OK --color GREEN Display --indent 2 --text "- Checking accounting information" --result "${STATUS_OK}" --color GREEN
LogText "Result: /var/account/acct available" LogText "Result: /var/account/acct available"
AddHP 3 3 AddHP 3 3
else else
Display --indent 2 --text "- Checking accounting information" --result "NOT FOUND" --color YELLOW Display --indent 2 --text "- Checking accounting information" --result "${STATUS_NOT_FOUND}" --color YELLOW
LogText "Result: No accounting information available" LogText "Result: No accounting information available"
LogText "Remark: Possibly there is another location where the accounting data is stored" LogText "Remark: Possibly there is another location where the accounting data is stored"
ReportSuggestion ${TEST_NO} "Enable process accounting" ReportSuggestion ${TEST_NO} "Enable process accounting"
@ -54,11 +54,11 @@
Register --test-no ACCT-2760 --os OpenBSD --weight L --network NO --description "Check for available OpenBSD accounting information" Register --test-no ACCT-2760 --os OpenBSD --weight L --network NO --description "Check for available OpenBSD accounting information"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
if [ -f /var/account/acct ]; then if [ -f /var/account/acct ]; then
Display --indent 2 --text "- Checking accounting information" --result OK --color GREEN Display --indent 2 --text "- Checking accounting information" --result "${STATUS_OK}" --color GREEN
LogText "Result: /var/account/acct available" LogText "Result: /var/account/acct available"
AddHP 3 3 AddHP 3 3
else else
Display --indent 2 --text "- Checking accounting information" --result "NOT FOUND" --color YELLOW Display --indent 2 --text "- Checking accounting information" --result "${STATUS_NOT_FOUND}" --color YELLOW
LogText "Result: No accounting information available" LogText "Result: No accounting information available"
LogText "Remark: Possibly there is another location where the accounting data is stored" LogText "Remark: Possibly there is another location where the accounting data is stored"
ReportSuggestion ${TEST_NO} "Enable process accounting" ReportSuggestion ${TEST_NO} "Enable process accounting"
@ -75,19 +75,19 @@
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Check accounting information" LogText "Test: Check accounting information"
if [ -f /var/account/pacct ]; then if [ -f /var/account/pacct ]; then
Display --indent 2 --text "- Checking accounting information" --result OK --color GREEN Display --indent 2 --text "- Checking accounting information" --result "${STATUS_OK}" --color GREEN
LogText "Result: /var/account/pacct available" LogText "Result: /var/account/pacct available"
AddHP 3 3 AddHP 3 3
elif [ -f /var/log/account/pacct ]; then elif [ -f /var/log/account/pacct ]; then
Display --indent 2 --text "- Checking accounting information" --result OK --color GREEN Display --indent 2 --text "- Checking accounting information" --result "${STATUS_OK}" --color GREEN
LogText "Result: /var/log/account/pacct available" LogText "Result: /var/log/account/pacct available"
AddHP 3 3 AddHP 3 3
elif [ -f /var/log/pacct ]; then elif [ -f /var/log/pacct ]; then
Display --indent 2 --text "- Checking accounting information" --result OK --color GREEN Display --indent 2 --text "- Checking accounting information" --result "${STATUS_OK}" --color GREEN
LogText "Result: /var/log/pacct available" LogText "Result: /var/log/pacct available"
AddHP 3 3 AddHP 3 3
else else
Display --indent 2 --text "- Checking accounting information" --result "NOT FOUND" --color YELLOW Display --indent 2 --text "- Checking accounting information" --result "${STATUS_NOT_FOUND}" --color YELLOW
LogText "Result: No accounting information available (/var/account/pacct, /var/log/account/pact nor /var/log/pact exist)" LogText "Result: No accounting information available (/var/account/pacct, /var/log/account/pact nor /var/log/pact exist)"
LogText "Remark: Possibly there is another location where the accounting data is stored" LogText "Remark: Possibly there is another location where the accounting data is stored"
ReportSuggestion ${TEST_NO} "Enable process accounting" ReportSuggestion ${TEST_NO} "Enable process accounting"
@ -107,25 +107,25 @@
FIND=`grep "^ENABLED" /etc/default/sysstat | grep -i true` FIND=`grep "^ENABLED" /etc/default/sysstat | grep -i true`
if [ ! "${FIND}" = "" ]; then if [ ! "${FIND}" = "" ]; then
LogText "Result: sysstat enabled via /etc/default/sysstat" LogText "Result: sysstat enabled via /etc/default/sysstat"
Display --indent 2 --text "- Checking sysstat accounting data" --result ENABLED --color GREEN Display --indent 2 --text "- Checking sysstat accounting data" --result "${STATUS_ENABLED}" --color GREEN
else else
LogText "Result: sysstat disabled via /etc/default/sysstat" LogText "Result: sysstat disabled via /etc/default/sysstat"
Display --indent 2 --text "- Checking sysstat accounting data" --result DISABLED --color WHITE Display --indent 2 --text "- Checking sysstat accounting data" --result "${STATUS_DISABLED}" --color WHITE
ReportSuggestion ${TEST_NO} "Enable sysstat to collect accounting (disabled)" ReportSuggestion ${TEST_NO} "Enable sysstat to collect accounting (disabled)"
fi fi
elif [ -f /etc/cron.d/sysstat ]; then elif [ -f /etc/cron.d/sysstat ]; then
FIND=`grep -v '^[[:space:]]*\(#\|$\)' /etc/cron.d/sysstat` FIND=`grep -v '^[[:space:]]*\(#\|$\)' /etc/cron.d/sysstat`
if [ ! "${FIND}" = "" ]; then if [ ! "${FIND}" = "" ]; then
LogText "Result: sysstat enabled via /etc/cron.d/sysstat" LogText "Result: sysstat enabled via /etc/cron.d/sysstat"
Display --indent 2 --text "- Checking sysstat accounting data" --result ENABLED --color GREEN Display --indent 2 --text "- Checking sysstat accounting data" --result "${STATUS_ENABLED}" --color GREEN
else else
LogText "Result: sysstat disabled via /etc/cron.d/sysstat" LogText "Result: sysstat disabled via /etc/cron.d/sysstat"
Display --indent 2 --text "- Checking sysstat accounting data" --result DISABLED --color WHITE Display --indent 2 --text "- Checking sysstat accounting data" --result "${STATUS_DISABLED}" --color WHITE
ReportSuggestion ${TEST_NO} "Enable sysstat to collect accounting (cron disabled)" ReportSuggestion ${TEST_NO} "Enable sysstat to collect accounting (cron disabled)"
fi fi
else else
LogText "Result: sysstat not found via /etc/default/sysstat or /etc/cron.d/sysstat" LogText "Result: sysstat not found via /etc/default/sysstat or /etc/cron.d/sysstat"
Display --indent 2 --text "- Checking sysstat accounting data" --result "NOT FOUND" --color YELLOW Display --indent 2 --text "- Checking sysstat accounting data" --result "${STATUS_NOT_FOUND}" --color YELLOW
ReportSuggestion ${TEST_NO} "Enable sysstat to collect accounting (no results)" ReportSuggestion ${TEST_NO} "Enable sysstat to collect accounting (no results)"
fi fi
fi fi
@ -142,7 +142,7 @@
IsRunning auditd IsRunning auditd
if [ ${RUNNING} -eq 1 ]; then if [ ${RUNNING} -eq 1 ]; then
LogText "Result: auditd running" LogText "Result: auditd running"
Display --indent 2 --text "- Checking auditd" --result ENABLED --color GREEN Display --indent 2 --text "- Checking auditd" --result "${STATUS_ENABLED}" --color GREEN
LINUX_AUDITD_RUNNING=1 LINUX_AUDITD_RUNNING=1
AUDIT_DAEMON_RUNNING=1 AUDIT_DAEMON_RUNNING=1
Report "audit_trail_tool[]=auditd" Report "audit_trail_tool[]=auditd"
@ -150,7 +150,7 @@
AddHP 4 4 AddHP 4 4
else else
LogText "Result: auditd not active" LogText "Result: auditd not active"
Display --indent 2 --text "- Checking auditd" --result "NOT FOUND" --color WHITE Display --indent 2 --text "- Checking auditd" --result "${STATUS_NOT_FOUND}" --color WHITE
if [ ! "${VMTYPE}" = "openvz" ]; then if [ ! "${VMTYPE}" = "openvz" ]; then
ReportSuggestion ${TEST_NO} "Enable auditd to collect audit information" ReportSuggestion ${TEST_NO} "Enable auditd to collect audit information"
fi fi
@ -170,12 +170,12 @@
FIND=`${AUDITCTLBINARY} -l | grep -v "No rules"` FIND=`${AUDITCTLBINARY} -l | grep -v "No rules"`
if [ "${FIND}" = "" ]; then if [ "${FIND}" = "" ]; then
LogText "Result: auditd rules empty" LogText "Result: auditd rules empty"
Display --indent 4 --text "- Checking audit rules" --result SUGGESTION --color YELLOW Display --indent 4 --text "- Checking audit rules" --result "${STATUS_SUGGESTION}" --color YELLOW
AddHP 0 2 AddHP 0 2
ReportSuggestion ${TEST_NO} "Audit daemon is enabled with an empty ruleset. Disable the daemon or define rules" ReportSuggestion ${TEST_NO} "Audit daemon is enabled with an empty ruleset. Disable the daemon or define rules"
else else
LogText "Result: found auditd rules" LogText "Result: found auditd rules"
Display --indent 4 --text "- Checking audit rules" --result OK --color GREEN Display --indent 4 --text "- Checking audit rules" --result "${STATUS_OK}" --color GREEN
# Log audit daemon rules # Log audit daemon rules
FIND=`${AUDITCTLBINARY} -l | sed 's/ /!space!/g'` FIND=`${AUDITCTLBINARY} -l | sed 's/ /!space!/g'`
for I in ${FIND}; do for I in ${FIND}; do
@ -203,10 +203,10 @@
done done
# Check if we discovered the configuration file. It should be there is the binaries are available and process is running # Check if we discovered the configuration file. It should be there is the binaries are available and process is running
if [ ! "${AUDITD_CONF_FILE}" = "" ]; then if [ ! "${AUDITD_CONF_FILE}" = "" ]; then
Display --indent 4 --text "- Checking audit configuration file" --result OK --color GREEN Display --indent 4 --text "- Checking audit configuration file" --result "${STATUS_OK}" --color GREEN
else else
LogText "Result: could not find auditd configuration file" LogText "Result: could not find auditd configuration file"
Display --indent 4 --text "- Checking audit configuration file" --result WARNING --color RED Display --indent 4 --text "- Checking audit configuration file" --result "${STATUS_WARNING}" --color RED
ReportSuggestion ${TEST_NO} "Determine the location of auditd configuration file" ReportSuggestion ${TEST_NO} "Determine the location of auditd configuration file"
fi fi
fi fi
@ -225,16 +225,16 @@
LogText "Defined value: ${FIND}" LogText "Defined value: ${FIND}"
if [ -f ${FIND} ]; then if [ -f ${FIND} ]; then
LogText "Result: log file ${FIND} exists on disk" LogText "Result: log file ${FIND} exists on disk"
Display --indent 4 --text "- Checking auditd log file" --result FOUND --color GREEN Display --indent 4 --text "- Checking auditd log file" --result "${STATUS_FOUND}" --color GREEN
Report "logfile[]=${FIND}" Report "logfile[]=${FIND}"
else else
LogText "Result: can't find log file ${FIND} on disk" LogText "Result: can't find log file ${FIND} on disk"
Display --indent 4 --text "- Checking auditd log file" --result SUGGESTION --color YELLOW Display --indent 4 --text "- Checking auditd log file" --result "${STATUS_SUGGESTION}" --color YELLOW
ReportSuggestion ${TEST_NO} "Check auditd log file location" ReportSuggestion ${TEST_NO} "Check auditd log file location"
fi fi
else else
LogText "Result: no log file found" LogText "Result: no log file found"
Display --indent 4 --text "- Checking auditd log file" --result WARNING --color RED Display --indent 4 --text "- Checking auditd log file" --result "${STATUS_WARNING}" --color RED
ReportWarning ${TEST_NO} "L" "Auditd log file is defined but can not be found on disk" ReportWarning ${TEST_NO} "L" "Auditd log file is defined but can not be found on disk"
fi fi
fi fi
@ -248,7 +248,7 @@
FILE="/lib/snoopy.so" FILE="/lib/snoopy.so"
if [ -f ${FILE} ]; then if [ -f ${FILE} ]; then
LogText "Result: found ${FILE}" LogText "Result: found ${FILE}"
Display --indent 2 --text "- Checking Snoopy" --result FOUND --color GREEN Display --indent 2 --text "- Checking Snoopy" --result "${STATUS_FOUND}" --color GREEN
if [ -f /etc/ld.so.preload ]; then if [ -f /etc/ld.so.preload ]; then
LogText "Result: found /etc/ld.so.preload, testing if snoopy.so is listed" LogText "Result: found /etc/ld.so.preload, testing if snoopy.so is listed"
FIND=`grep ${FILE} /etc/ld.so.preload` FIND=`grep ${FILE} /etc/ld.so.preload`
@ -258,13 +258,13 @@
Display --indent 6 --text "- Library in ld.so.preload" --result "LOADED" --color GREEN Display --indent 6 --text "- Library in ld.so.preload" --result "LOADED" --color GREEN
Report "audit_trail_tool[]=snoopy" Report "audit_trail_tool[]=snoopy"
else else
Display --indent 6 --text "- Library in ld.so.preload" --result "NOT FOUND" --color YELLOW Display --indent 6 --text "- Library in ld.so.preload" --result "${STATUS_NOT_FOUND}" --color YELLOW
ReportSuggestion ${TEST_NO} "Snoopy is installed but not loaded via /etc/ld.so.preload" ReportSuggestion ${TEST_NO} "Snoopy is installed but not loaded via /etc/ld.so.preload"
AddHP 3 3 AddHP 3 3
fi fi
else else
LogText "Result: /etc/ld.so.preload does not exist" LogText "Result: /etc/ld.so.preload does not exist"
Display --indent 6 --text "- Library in ld.so.preload" --result "UNKNOWN" --color PURPLE Display --indent 6 --text "- Library in ld.so.preload" --result "${STATUS_UNKNOWN}" --color PURPLE
ReportException "${TEST_NO}:1" "Unsure how Snoopy might be loaded as ld.so.preload does not exist" ReportException "${TEST_NO}:1" "Unsure how Snoopy might be loaded as ld.so.preload does not exist"
fi fi
fi fi
@ -282,10 +282,10 @@
LogText "Result: Solaris audit daemon is running" LogText "Result: Solaris audit daemon is running"
SOLARIS_AUDITD_RUNNING=1 SOLARIS_AUDITD_RUNNING=1
AUDIT_DAEMON_RUNNING=1 AUDIT_DAEMON_RUNNING=1
Display --indent 2 --text "- Checking Solaris audit daemon status" --result RUNNING --color GREEN Display --indent 2 --text "- Checking Solaris audit daemon status" --result "${STATUS_RUNNING}" --color GREEN
else else
LogText "Result: Solaris audit daemon is not running" LogText "Result: Solaris audit daemon is not running"
Display --indent 2 --text "- Checking Solaris audit daemon status" --result "NOT RUNNING" --color YELLOW Display --indent 2 --text "- Checking Solaris audit daemon status" --result "${STATUS_NOT_RUNNING}" --color YELLOW
fi fi
fi fi
# #
@ -300,7 +300,7 @@
FIND=`/usr/bin/svcs svc:/system/auditd:default | grep "^online"` FIND=`/usr/bin/svcs svc:/system/auditd:default | grep "^online"`
if [ ! "${FIND}" = "" ]; then if [ ! "${FIND}" = "" ]; then
LogText "Result: auditd service is online" LogText "Result: auditd service is online"
Display --indent 4 --text "- Checking Solaris audit daemon status" --result ONLINE --color GREEN Display --indent 4 --text "- Checking Solaris audit daemon status" --result "${STATUS_ON}"LINE --color GREEN
else else
Display --indent 4 --text "- Checking Solaris audit daemon status" --result "NOT ONLINE" --color YELLOW Display --indent 4 --text "- Checking Solaris audit daemon status" --result "NOT ONLINE" --color YELLOW
ReportSuggestion "${TEST_NO}" "Check status of audit daemon" ReportSuggestion "${TEST_NO}" "Check status of audit daemon"
@ -319,9 +319,9 @@
FIND=`grep 'set c2audit:audit_load = 1' /etc/system` FIND=`grep 'set c2audit:audit_load = 1' /etc/system`
if [ ! "${FIND}" = "" ]; then if [ ! "${FIND}" = "" ]; then
LogText "Result: BSM is enabled in /etc/system" LogText "Result: BSM is enabled in /etc/system"
Display --indent 4 --text "- Checking Solaris BSM (/etc/system)" --result ENABLED --color GREEN Display --indent 4 --text "- Checking Solaris BSM (/etc/system)" --result "${STATUS_ENABLED}" --color GREEN
else else
Display --indent 4 --text "- Checking Solaris BSM (/etc/system)" --result "NOT FOUND" --color YELLOW Display --indent 4 --text "- Checking Solaris BSM (/etc/system)" --result "${STATUS_NOT_FOUND}" --color YELLOW
fi fi
else else
LogText "Result: /etc/system does not exist" LogText "Result: /etc/system does not exist"
@ -340,10 +340,10 @@
FIND=`/usr/sbin/modinfo | grep c2audit` FIND=`/usr/sbin/modinfo | grep c2audit`
if [ ! "${FIND}" = "" ]; then if [ ! "${FIND}" = "" ]; then
LogText "Result: c2audit found in modinfo output" LogText "Result: c2audit found in modinfo output"
Display --indent 4 --text "- Checking Solaris BSM (modules list)" --result ENABLED --color GREEN Display --indent 4 --text "- Checking Solaris BSM (modules list)" --result "${STATUS_ENABLED}" --color GREEN
else else
LogText "Result: c2audit not found in modinfo output" LogText "Result: c2audit not found in modinfo output"
Display --indent 4 --text "- Checking Solaris BSM (modules list)" --result "NOT FOUND" --color YELLOW Display --indent 4 --text "- Checking Solaris BSM (modules list)" --result "${STATUS_NOT_FOUND}" --color YELLOW
fi fi
else else
LogText "Result: /usr/sbin/modinfo does not exist, skipping test" LogText "Result: /usr/sbin/modinfo does not exist, skipping test"
@ -366,20 +366,20 @@
LogText "Test: Checking if location is a valid directory" LogText "Test: Checking if location is a valid directory"
if [ -d ${FIND} ]; then if [ -d ${FIND} ]; then
LogText "Result: location ${FIND} is valid" LogText "Result: location ${FIND} is valid"
Display --indent 4 --text "- Checking Solaris audit location" --result FOUND --color GREEN Display --indent 4 --text "- Checking Solaris audit location" --result "${STATUS_FOUND}" --color GREEN
else else
LogText "Result: location ${FIND} does not exist" LogText "Result: location ${FIND} does not exist"
Display --indent 4 --text "- Checking Solaris audit location" --result "NOT FOUND" --color YELLOW Display --indent 4 --text "- Checking Solaris audit location" --result "${STATUS_NOT_FOUND}" --color YELLOW
ReportSuggestion "${TEST_NO}" "Check if the Solaris audit directory is available" ReportSuggestion "${TEST_NO}" "Check if the Solaris audit directory is available"
fi fi
else else
LogText "Result: unknown event location" LogText "Result: unknown event location"
Display --indent 4 --text "- Checking Solaris audit location" --result UNKNOWN --color YELLOW Display --indent 4 --text "- Checking Solaris audit location" --result "${STATUS_UNKNOWN}" --color YELLOW
ReportSuggestion "${TEST_NO}" "Check if the Solaris audit directory is properly configured" ReportSuggestion "${TEST_NO}" "Check if the Solaris audit directory is properly configured"
fi fi
else else
LogText "Result: could not find /etc/security/audit_control" LogText "Result: could not find /etc/security/audit_control"
Display --indent 4 --text "- Checking Solaris audit location" --result SKIPPED --color YELLOW Display --indent 4 --text "- Checking Solaris audit location" --result "${STATUS_SKIPPED}" --color YELLOW
fi fi
fi fi
# #
@ -396,10 +396,10 @@
for I in ${FIND}; do for I in ${FIND}; do
LogText "Output: ${I}" LogText "Output: ${I}"
done done
Display --indent 4 --text "- Checking Solaris audit statistics" --result DONE --color GREEN Display --indent 4 --text "- Checking Solaris audit statistics" --result "${STATUS_DONE}" --color GREEN
else else
LogText "Result: /usr/sbin/auditstat not found, skipping test" LogText "Result: /usr/sbin/auditstat not found, skipping test"
Display --indent 4 --text "- Checking Solaris audit statistics" --result SKIPPED --color YELLOW Display --indent 4 --text "- Checking Solaris audit statistics" --result "${STATUS_SKIPPED}" --color YELLOW
fi fi
fi fi
# #
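Review bot: The new line in the `@ -300,7 +300,7 @` hunk passes `--result "${STATUS_ON}"LINE`, which looks like a search-and-replace that matched `ON` inside `ONLINE` rather than an intended variable. If `STATUS_ON` expands to `ON` the English output still reads ONLINE, but with a translated or unset value (its definition is not visible here) the Solaris audit daemon status would display a garbled result. Until a dedicated status string exists, keep the literal, `Display --indent 4 --text "- Checking Solaris audit daemon status" --result ONLINE --color GREEN`, which also matches the untouched `"NOT ONLINE"` in the else branch. The enclosing test block starts and ends outside the hunk.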


@ -42,7 +42,7 @@
LogText "Test: Searching accounts with UID 0" LogText "Test: Searching accounts with UID 0"
FIND=`grep ':0:' /etc/passwd | egrep -v '^#|^root:|^(\+:\*)?:0:0:::' | cut -d ":" -f1,3 | grep ':0'` FIND=`grep ':0:' /etc/passwd | egrep -v '^#|^root:|^(\+:\*)?:0:0:::' | cut -d ":" -f1,3 | grep ':0'`
if [ ! "${FIND}" = "" ]; then if [ ! "${FIND}" = "" ]; then
Display --indent 2 --text "- Search administrator accounts" --result WARNING --color RED Display --indent 2 --text "- Search administrator accounts" --result "${STATUS_WARNING}" --color RED
LogText "Result: Found more than one administrator accounts" LogText "Result: Found more than one administrator accounts"
ReportWarning "${TEST_NO}" "H" "Multiple users with UID 0 found in passwd file" ReportWarning "${TEST_NO}" "H" "Multiple users with UID 0 found in passwd file"
for I in ${FIND}; do for I in ${FIND}; do
@ -54,7 +54,7 @@
fi fi
done done
else else
Display --indent 2 --text "- Search administrator accounts" --result OK --color GREEN Display --indent 2 --text "- Search administrator accounts" --result "${STATUS_OK}" --color GREEN
LogText "Result: No accounts found with UID 0 other than root." LogText "Result: No accounts found with UID 0 other than root."
fi fi
fi fi
@ -75,16 +75,16 @@
if [ -f ${PASSWD_FILE} ]; then if [ -f ${PASSWD_FILE} ]; then
FIND=`grep -v '^#' ${PASSWD_FILE} | cut -d ':' -f3 | sort | uniq -d` FIND=`grep -v '^#' ${PASSWD_FILE} | cut -d ':' -f3 | sort | uniq -d`
if [ "${FIND}" = "" ]; then if [ "${FIND}" = "" ]; then
Display --indent 2 --text "- Checking for non-unique UIDs" --result OK --color GREEN Display --indent 2 --text "- Checking for non-unique UIDs" --result "${STATUS_OK}" --color GREEN
LogText "Result: all accounts found in ${PASSWD_FILE} are unique" LogText "Result: all accounts found in ${PASSWD_FILE} are unique"
else else
Display --indent 2 --text "- Checking for non-unique UIDs" --result WARNING --color RED Display --indent 2 --text "- Checking for non-unique UIDs" --result "${STATUS_WARNING}" --color RED
LogText "Result: found multiple accounts with same UID" LogText "Result: found multiple accounts with same UID"
LogText "Output (non-unique UIDs): ${FIND}" LogText "Output (non-unique UIDs): ${FIND}"
ReportWarning ${TEST_NO} "Multiple accounts found with same UID" ReportWarning ${TEST_NO} "Multiple accounts found with same UID"
fi fi
else else
Display --indent 2 --text "- Checking UIDs" --result SKIPPED --color WHITE Display --indent 2 --text "- Checking UIDs" --result "${STATUS_SKIPPED}" --color WHITE
LogText "Result: test skipped, ${PASSWD_FILE} file not available" LogText "Result: test skipped, ${PASSWD_FILE} file not available"
fi fi
LogText "Remarks: Non unique UIDs can riskful for the system or part of a configuration mistake" LogText "Remarks: Non unique UIDs can riskful for the system or part of a configuration mistake"
@ -97,15 +97,15 @@
if [ -f /usr/sbin/chkgrp ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if [ -f /usr/sbin/chkgrp ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no AUTH-9212 --preqs-met ${PREQS_MET} --weight L --network NO --description "Test group file" Register --test-no AUTH-9212 --preqs-met ${PREQS_MET} --weight L --network NO --description "Test group file"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
Display --indent 2 --text "- Checking chkgrp tool" --result FOUND --color GREEN Display --indent 2 --text "- Checking chkgrp tool" --result "${STATUS_FOUND}" --color GREEN
LogText "Result: /usr/sbin/chkgrp binary found. Using this to perform next test(s)." LogText "Result: /usr/sbin/chkgrp binary found. Using this to perform next test(s)."
LogText "Test: Testing consistency of /etc/group file" LogText "Test: Testing consistency of /etc/group file"
FIND=`/usr/sbin/chkgrp | grep -v 'is fine'` FIND=`/usr/sbin/chkgrp | grep -v 'is fine'`
if [ "${FIND}" = "" ]; then if [ "${FIND}" = "" ]; then
Display --indent 4 --text "- Checking consistency of /etc/group file" --result OK --color GREEN Display --indent 4 --text "- Checking consistency of /etc/group file" --result "${STATUS_OK}" --color GREEN
LogText "Result: chkgrp test performed, Group file seems to be ok." LogText "Result: chkgrp test performed, Group file seems to be ok."
else else
Display --indent 4 --text "- Checking consistency of /etc/group file" --result WARNING --color RED Display --indent 4 --text "- Checking consistency of /etc/group file" --result "${STATUS_WARNING}" --color RED
LogText "Result: chkgrp found some errors. Run the tool manually to see details." LogText "Result: chkgrp found some errors. Run the tool manually to see details."
LogText "chkgrp output: ${FIND}" LogText "chkgrp output: ${FIND}"
ReportWarning ${TEST_NO} "M" "chkgrp reported inconsistencies in /etc/group file" ReportWarning ${TEST_NO} "M" "chkgrp reported inconsistencies in /etc/group file"
@ -139,10 +139,10 @@
# Check exit-code # Check exit-code
if [ "${FIND}" = "0" ]; then if [ "${FIND}" = "0" ]; then
Display --indent 2 --text "- Checking consistency of group files (grpck)" --result OK --color GREEN Display --indent 2 --text "- Checking consistency of group files (grpck)" --result "${STATUS_OK}" --color GREEN
LogText "Result: grpck binary didn't find any errors in the group files" LogText "Result: grpck binary didn't find any errors in the group files"
else else
Display --indent 2 --text "- Checking consistency of group files (grpck)" --result WARNING --color RED Display --indent 2 --text "- Checking consistency of group files (grpck)" --result "${STATUS_WARNING}" --color RED
ReportWarning ${TEST_NO} "M" "grpck binary found errors in one or more group files" ReportWarning ${TEST_NO} "M" "grpck binary found errors in one or more group files"
ReportSuggestion ${TEST_NO} "Run grpck manually and check your group files" ReportSuggestion ${TEST_NO} "Run grpck manually and check your group files"
fi fi
@ -161,9 +161,9 @@
# Check for all shells, except: (/usr)/sbin/nologin /nonexistent # Check for all shells, except: (/usr)/sbin/nologin /nonexistent
FIND=`grep "[a-z]:\*:" /etc/master.passwd | egrep -v '^#|/sbin/nologin|/usr/sbin/nologin|/nonexistent' | sed 's/ /!space!/g'` FIND=`grep "[a-z]:\*:" /etc/master.passwd | egrep -v '^#|/sbin/nologin|/usr/sbin/nologin|/nonexistent' | sed 's/ /!space!/g'`
if [ "${FIND}" = "" ]; then if [ "${FIND}" = "" ]; then
Display --indent 2 --text "- Checking login shells" --result OK --color GREEN Display --indent 2 --text "- Checking login shells" --result "${STATUS_OK}" --color GREEN
else else
Display --indent 2 --text "- Checking login shells" --result WARNING --color RED Display --indent 2 --text "- Checking login shells" --result "${STATUS_WARNING}" --color RED
for I in ${FIND}; do for I in ${FIND}; do
I=`echo ${I} | sed 's/!space!/ /g'` I=`echo ${I} | sed 's/!space!/ /g'`
J=`echo ${I} | awk -F: '{ print $10 }'` J=`echo ${I} | awk -F: '{ print $10 }'`
@ -186,7 +186,7 @@
fi fi
fi fi
else else
Display --indent 2 --text "- Checking login shells" --result SKIPPED --color WHITE Display --indent 2 --text "- Checking login shells" --result "${STATUS_SKIPPED}" --color WHITE
LogText "Result: No /etc/master.passwd file found" LogText "Result: No /etc/master.passwd file found"
fi fi
fi fi
@ -200,10 +200,10 @@
LogText "Test: Checking for non unique group ID's in /etc/group" LogText "Test: Checking for non unique group ID's in /etc/group"
FIND=`grep -v '^#' /etc/group | grep -v '^$' | awk -F: '{ print $3 }' | sort | uniq -d` FIND=`grep -v '^#' /etc/group | grep -v '^$' | awk -F: '{ print $3 }' | sort | uniq -d`
if [ "${FIND}" = "" ]; then if [ "${FIND}" = "" ]; then
Display --indent 2 --text "- Checking non unique group ID's" --result OK --color GREEN Display --indent 2 --text "- Checking non unique group ID's" --result "${STATUS_OK}" --color GREEN
LogText "Result: All group ID's are unique" LogText "Result: All group ID's are unique"
else else
Display --indent 2 --text "- Checking non unique group ID's" --result WARNING --color RED Display --indent 2 --text "- Checking non unique group ID's" --result "${STATUS_WARNING}" --color RED
LogText "Result: Found the same group ID multiple times" LogText "Result: Found the same group ID multiple times"
LogText "Output: ${FIND}" LogText "Output: ${FIND}"
ReportWarning ${TEST_NO} "H" "Found multiple groups with same group ID" ReportWarning ${TEST_NO} "H" "Found multiple groups with same group ID"
@ -221,10 +221,10 @@
LogText "Test: Checking for non unique group names in /etc/group" LogText "Test: Checking for non unique group names in /etc/group"
FIND=`grep -v '^#' /etc/group | grep -v '^$' | awk -F: '{ print $1 }' | sort | uniq -d` FIND=`grep -v '^#' /etc/group | grep -v '^$' | awk -F: '{ print $1 }' | sort | uniq -d`
if [ "${FIND}" = "" ]; then if [ "${FIND}" = "" ]; then
Display --indent 2 --text "- Checking non unique group names" --result OK --color GREEN Display --indent 2 --text "- Checking non unique group names" --result "${STATUS_OK}" --color GREEN
LogText "Result: All group names are unique" LogText "Result: All group names are unique"
else else
Display --indent 2 --text "- Checking non unique group names" --result WARNING --color WARNING Display --indent 2 --text "- Checking non unique group names" --result "${STATUS_WARNING}" --color WARNING
LogText "Result: Found the same group name multiple times" LogText "Result: Found the same group name multiple times"
LogText "Output: ${FIND}" LogText "Output: ${FIND}"
ReportWarning ${TEST_NO} "M" "Found inconsistencies in group file (multiple occurences of a single group)" ReportWarning ${TEST_NO} "M" "Found inconsistencies in group file (multiple occurences of a single group)"
@ -257,11 +257,11 @@
esac esac
# Only display if this test has been executed # Only display if this test has been executed
if [ ${TESTED} -eq 1 -a "${FIND}" = "0" ]; then if [ ${TESTED} -eq 1 -a "${FIND}" = "0" ]; then
Display --indent 2 --text "- Checking password file consistency" --result OK --color GREEN Display --indent 2 --text "- Checking password file consistency" --result "${STATUS_OK}" --color GREEN
LogText "Result: pwck check didn't find any problems" LogText "Result: pwck check didn't find any problems"
AddHP 2 2 AddHP 2 2
else else
Display --indent 2 --text "- Checking password file consistency" --result WARNING --color RED Display --indent 2 --text "- Checking password file consistency" --result "${STATUS_WARNING}" --color RED
LogText "Result: pwck found one or more errors/warnings in the password file." LogText "Result: pwck found one or more errors/warnings in the password file."
ReportWarning ${TEST_NO} "M" "pwck found one or more errors/warnings in the password file" ReportWarning ${TEST_NO} "M" "pwck found one or more errors/warnings in the password file"
ReportSuggestion ${TEST_NO} "Run pwck manually and correct found issues." ReportSuggestion ${TEST_NO} "Run pwck manually and correct found issues."
@ -318,9 +318,9 @@
if [ "${FIND}" = "" ]; then if [ "${FIND}" = "" ]; then
Display --indent 4 --text "Result: No users found/unknown result" Display --indent 4 --text "Result: No users found/unknown result"
LogText "Result: Querying of system users skipped" LogText "Result: Querying of system users skipped"
Display --indent 2 --text "- Query system users (non daemons)" --result UNKNOWN --color YELLOW Display --indent 2 --text "- Query system users (non daemons)" --result "${STATUS_UNKNOWN}" --color YELLOW
else else
Display --indent 2 --text "- Query system users (non daemons)" --result DONE --color GREEN Display --indent 2 --text "- Query system users (non daemons)" --result "${STATUS_DONE}" --color GREEN
for I in ${FIND}; do for I in ${FIND}; do
LogText "Real user: ${I}" LogText "Real user: ${I}"
Report "real_user[]=${I}" Report "real_user[]=${I}"
@ -344,7 +344,7 @@
FIND3=`egrep "^passwd" /etc/nsswitch.conf | grep "nisplus"` FIND3=`egrep "^passwd" /etc/nsswitch.conf | grep "nisplus"`
if [ ! "${FIND2}" = "" -o ! "${FIND3}" = "" ]; then if [ ! "${FIND2}" = "" -o ! "${FIND3}" = "" ]; then
LogText "Result: NIS+ authentication enabled" LogText "Result: NIS+ authentication enabled"
Display --indent 2 --text "- Checking NIS+ authentication support" --result "ENABLED" --color GREEN Display --indent 2 --text "- Checking NIS+ authentication support" --result "${STATUS_ENABLED}" --color GREEN
else else
LogText "Result: NIS+ authentication not enabled" LogText "Result: NIS+ authentication not enabled"
Display --indent 2 --text "- Checking NIS+ authentication support" --result "NOT ENABLED" --color WHITE Display --indent 2 --text "- Checking NIS+ authentication support" --result "NOT ENABLED" --color WHITE
@ -371,7 +371,7 @@
FIND3=`egrep "^passwd" /etc/nsswitch.conf | grep "nis" | grep -v "nisplus"` FIND3=`egrep "^passwd" /etc/nsswitch.conf | grep "nis" | grep -v "nisplus"`
if [ ! "${FIND2}" = "" -o ! "${FIND3}" = "" ]; then if [ ! "${FIND2}" = "" -o ! "${FIND3}" = "" ]; then
LogText "Result: NIS authentication enabled" LogText "Result: NIS authentication enabled"
Display --indent 2 --text "- Checking NIS authentication support" --result "ENABLED" --color GREEN Display --indent 2 --text "- Checking NIS authentication support" --result "${STATUS_ENABLED}" --color GREEN
else else
LogText "Result: NIS authentication not enabled" LogText "Result: NIS authentication not enabled"
Display --indent 2 --text "- Checking NIS authentication support" --result "NOT ENABLED" --color WHITE Display --indent 2 --text "- Checking NIS authentication support" --result "NOT ENABLED" --color WHITE
@ -401,10 +401,10 @@
done done
if [ ${FOUND} -eq 1 ]; then if [ ${FOUND} -eq 1 ]; then
LogText "Result: sudoers file found (${SUDOERS_FILE})" LogText "Result: sudoers file found (${SUDOERS_FILE})"
Display --indent 2 --text "- Checking sudoers file" --result FOUND --color GREEN Display --indent 2 --text "- Checking sudoers file" --result "${STATUS_FOUND}" --color GREEN
else else
LogText "Result: sudoers file NOT found" LogText "Result: sudoers file NOT found"
Display --indent 2 --text "- Checking sudoers file" --result "NOT FOUND" --color YELLOW Display --indent 2 --text "- Checking sudoers file" --result "${STATUS_NOT_FOUND}" --color YELLOW
fi fi
fi fi
# #
@ -420,10 +420,10 @@
LogText "Result: Found file permissions: ${FIND}" LogText "Result: Found file permissions: ${FIND}"
if [ "${FIND}" = "rw-------" -o "${FIND}" = "rw-rw----" -o "${FIND}" = "r--r-----" ]; then if [ "${FIND}" = "rw-------" -o "${FIND}" = "rw-rw----" -o "${FIND}" = "r--r-----" ]; then
LogText "Result: file ${SUDOERS_FILE} has correct permissions" LogText "Result: file ${SUDOERS_FILE} has correct permissions"
Display --indent 4 --text "- Check sudoers file permissions" --result OK --color GREEN Display --indent 4 --text "- Check sudoers file permissions" --result "${STATUS_OK}" --color GREEN
else else
LogText "Result: file has possibly unsafe file permissions" LogText "Result: file has possibly unsafe file permissions"
Display --indent 4 --text "- Check sudoers file permissions" --result WARNING --color RED Display --indent 4 --text "- Check sudoers file permissions" --result "${STATUS_WARNING}" --color RED
fi fi
fi fi
# #
@ -436,12 +436,12 @@
FIND=`logins -p | awk '{ print $1 }'` FIND=`logins -p | awk '{ print $1 }'`
if [ "${FIND}" = "" ]; then if [ "${FIND}" = "" ]; then
LogText "Result: no passwordless accounts found" LogText "Result: no passwordless accounts found"
Display --indent 2 --text "- Checking passwordless accounts on Solaris" --result OK --color GREEN Display --indent 2 --text "- Checking passwordless accounts on Solaris" --result "${STATUS_OK}" --color GREEN
else else
for I in ${FIND}; do for I in ${FIND}; do
ReportWarning ${TEST_NO} "H" "Found passwordless account (${I})" ReportWarning ${TEST_NO} "H" "Found passwordless account (${I})"
done done
Display --indent 2 --text "- Checking passwordless accounts on Solaris" --result WARNING --color RED Display --indent 2 --text "- Checking passwordless accounts on Solaris" --result "${STATUS_WARNING}" --color RED
fi fi
fi fi
# #
@ -504,12 +504,12 @@
fi fi
if [ ${FOUND} -eq 0 ]; then if [ ${FOUND} -eq 0 ]; then
Display --indent 2 --text "- Checking PAM password strength tools" --result "SUGGESTION" --color YELLOW Display --indent 2 --text "- Checking PAM password strength tools" --result "${STATUS_SUGGESTION}" --color YELLOW
LogText "Result: no PAM modules for password strength testing found" LogText "Result: no PAM modules for password strength testing found"
ReportSuggestion ${TEST_NO} "Install a PAM module for password strength testing like pam_cracklib or pam_passwdqc" ReportSuggestion ${TEST_NO} "Install a PAM module for password strength testing like pam_cracklib or pam_passwdqc"
AddHP 0 3 AddHP 0 3
else else
Display --indent 2 --text "- Checking PAM password strength tools" --result OK --color GREEN Display --indent 2 --text "- Checking PAM password strength tools" --result "${STATUS_OK}" --color GREEN
LogText "Result: found at least one PAM module for password strength testing" LogText "Result: found at least one PAM module for password strength testing"
AddHP 3 3 AddHP 3 3
fi fi
@ -524,7 +524,7 @@
LogText "Test: Checking file /etc/pam.conf" LogText "Test: Checking file /etc/pam.conf"
if [ -f /etc/pam.conf ]; then if [ -f /etc/pam.conf ]; then
LogText "Result: file /etc/pam.conf exists" LogText "Result: file /etc/pam.conf exists"
Display --indent 2 --text "- Checking PAM configuration files (pam.conf)" --result FOUND --color GREEN Display --indent 2 --text "- Checking PAM configuration files (pam.conf)" --result "${STATUS_FOUND}" --color GREEN
LogText "Test: searching PAM configuration files" LogText "Test: searching PAM configuration files"
FIND=`grep -v "^#" /etc/pam.conf | grep -v "^$" | sed 's/[[:space:]]/ /g' | sed 's/ / /g' | sed 's/ /:space:/g'` FIND=`grep -v "^#" /etc/pam.conf | grep -v "^$" | sed 's/[[:space:]]/ /g' | sed 's/ / /g' | sed 's/ /:space:/g'`
if [ "${FIND}" = "" ]; then if [ "${FIND}" = "" ]; then
@ -538,7 +538,7 @@
fi fi
else else
LogText "Result: file /etc/pam.conf could not be found" LogText "Result: file /etc/pam.conf could not be found"
Display --indent 2 --text "- Checking PAM configuration file (pam.conf)" --result "NOT FOUND" --color WHITE Display --indent 2 --text "- Checking PAM configuration file (pam.conf)" --result "${STATUS_NOT_FOUND}" --color WHITE
fi fi
fi fi
# #
@ -551,7 +551,7 @@
LogText "Test: Checking directory /etc/pam.d" LogText "Test: Checking directory /etc/pam.d"
if [ -d /etc/pam.d ]; then if [ -d /etc/pam.d ]; then
LogText "Result: directory /etc/pam.d exists" LogText "Result: directory /etc/pam.d exists"
Display --indent 2 --text "- Checking PAM configuration files (pam.d)" --result FOUND --color GREEN Display --indent 2 --text "- Checking PAM configuration files (pam.d)" --result "${STATUS_FOUND}" --color GREEN
LogText "Test: searching PAM configuration files" LogText "Test: searching PAM configuration files"
FIND=`find /etc/pam.d -type f -print | sort` FIND=`find /etc/pam.d -type f -print | sort`
for I in ${FIND}; do for I in ${FIND}; do
@ -559,7 +559,7 @@
done done
else else
LogText "Result: directory /etc/pam.d could not be found" LogText "Result: directory /etc/pam.d could not be found"
Display --indent 2 --text "- Checking PAM configuration files (pam.d)" --result "NOT FOUND" --color WHITE Display --indent 2 --text "- Checking PAM configuration files (pam.d)" --result "${STATUS_NOT_FOUND}" --color WHITE
fi fi
fi fi
# #
@ -590,10 +590,10 @@
done done
# Check if we found at least one module # Check if we found at least one module
if [ ${FOUND} -eq 0 ]; then if [ ${FOUND} -eq 0 ]; then
Display --indent 2 --text "- Checking PAM modules" --result "NOT FOUND" --color WHITE Display --indent 2 --text "- Checking PAM modules" --result "${STATUS_NOT_FOUND}" --color WHITE
LogText "Result: no PAM modules found" LogText "Result: no PAM modules found"
else else
Display --indent 2 --text "- Checking PAM modules" --result FOUND --color GREEN Display --indent 2 --text "- Checking PAM modules" --result "${STATUS_FOUND}" --color GREEN
fi fi
fi fi
# #
@ -611,12 +611,12 @@
if [ ! "${FIND}" = "" ]; then if [ ! "${FIND}" = "" ]; then
LogText "Result: LDAP module present" LogText "Result: LDAP module present"
LogText "Output: ${FIND}" LogText "Output: ${FIND}"
Display --indent 2 --text "- Checking LDAP module in PAM" --result FOUND --color GREEN Display --indent 2 --text "- Checking LDAP module in PAM" --result "${STATUS_FOUND}" --color GREEN
LDAP_AUTH_ENABLED=1 LDAP_AUTH_ENABLED=1
LDAP_PAM_ENABLED=1 LDAP_PAM_ENABLED=1
else else
LogText "Result: LDAP module not found" LogText "Result: LDAP module not found"
Display --indent 2 --text "- Checking LDAP module in PAM" --result "NOT FOUND" --color WHITE Display --indent 2 --text "- Checking LDAP module in PAM" --result "${STATUS_NOT_FOUND}" --color WHITE
fi fi
else else
LogText "Result: file /etc/pam.d/common-auth not found, skipping test" LogText "Result: file /etc/pam.d/common-auth not found, skipping test"
@ -660,13 +660,13 @@
LogText "Test: Checking Linux version and password expire date status" LogText "Test: Checking Linux version and password expire date status"
if [ "${FIND}" = "" ]; then if [ "${FIND}" = "" ]; then
LogText "Result: all accounts seem to have an expire date" LogText "Result: all accounts seem to have an expire date"
Display --indent 2 --text "- Checking accounts without expire date" --result OK --color GREEN Display --indent 2 --text "- Checking accounts without expire date" --result "${STATUS_OK}" --color GREEN
else else
LogText "Result: found one or more accounts with expire date set" LogText "Result: found one or more accounts with expire date set"
for I in ${FIND}; do for I in ${FIND}; do
LogText "Account without expire date: ${I}" LogText "Account without expire date: ${I}"
done done
Display --indent 2 --text "- Checking accounts without expire date" --result SUGGESTION --color YELLOW Display --indent 2 --text "- Checking accounts without expire date" --result "${STATUS_SUGGESTION}" --color YELLOW
ReportSuggestion ${TEST_NO} "When possible set expire dates for all password protected accounts" ReportSuggestion ${TEST_NO} "When possible set expire dates for all password protected accounts"
fi fi
fi fi
@ -677,14 +677,14 @@
LogText "Test: Checking passwordless accounts" LogText "Test: Checking passwordless accounts"
if [ "${FIND2}" = "" ]; then if [ "${FIND2}" = "" ]; then
LogText "Result: all accounts seem to have a password" LogText "Result: all accounts seem to have a password"
Display --indent 2 --text "- Checking accounts without password" --result OK --color GREEN Display --indent 2 --text "- Checking accounts without password" --result "${STATUS_OK}" --color GREEN
else else
LogText "Result: found one or more accounts without password" LogText "Result: found one or more accounts without password"
for I in ${FIND2}; do for I in ${FIND2}; do
LogText "Account without password: ${I}" LogText "Account without password: ${I}"
Report "account_without_password=${I}" Report "account_without_password=${I}"
done done
Display --indent 2 --text "- Checking accounts without password" --result WARNING --color RED Display --indent 2 --text "- Checking accounts without password" --result "${STATUS_WARNING}" --color RED
ReportWarning ${TEST_NO} "Found accounts without password" ReportWarning ${TEST_NO} "Found accounts without password"
fi fi
fi fi
@ -702,7 +702,7 @@
FIND=`grep "^PASS_MIN_DAYS" /etc/login.defs | awk '{ if ($1=="PASS_MIN_DAYS") { print $2 } }'` FIND=`grep "^PASS_MIN_DAYS" /etc/login.defs | awk '{ if ($1=="PASS_MIN_DAYS") { print $2 } }'`
if [ "${FIND}" = "" -o "${FIND}" = "0" ]; then if [ "${FIND}" = "" -o "${FIND}" = "0" ]; then
LogText "Result: password minimum age is not configured" LogText "Result: password minimum age is not configured"
Display --indent 2 --text "- Checking user password aging (minimum)" --result DISABLED --color YELLOW Display --indent 2 --text "- Checking user password aging (minimum)" --result "${STATUS_DISABLED}" --color YELLOW
ReportSuggestion ${TEST_NO} "Configure minimum password age in /etc/login.defs" ReportSuggestion ${TEST_NO} "Configure minimum password age in /etc/login.defs"
AddHP 0 1 AddHP 0 1
else else
@ -716,7 +716,7 @@
FIND=`grep "^PASS_MAX_DAYS" /etc/login.defs | awk '{ if ($1=="PASS_MAX_DAYS") { print $2 } }'` FIND=`grep "^PASS_MAX_DAYS" /etc/login.defs | awk '{ if ($1=="PASS_MAX_DAYS") { print $2 } }'`
if [ "${FIND}" = "" -o "${FIND}" = "99999" ]; then if [ "${FIND}" = "" -o "${FIND}" = "99999" ]; then
LogText "Result: password aging limits are not configured" LogText "Result: password aging limits are not configured"
Display --indent 2 --text "- Checking user password aging (maximum)" --result DISABLED --color YELLOW Display --indent 2 --text "- Checking user password aging (maximum)" --result "${STATUS_DISABLED}" --color YELLOW
ReportSuggestion ${TEST_NO} "Configure maximum password age in /etc/login.defs" ReportSuggestion ${TEST_NO} "Configure maximum password age in /etc/login.defs"
AddHP 0 1 AddHP 0 1
else else
@ -747,15 +747,15 @@
Report "account_password_expired[]=${ACCOUNT}" Report "account_password_expired[]=${ACCOUNT}"
done done
AddHP 0 10 AddHP 0 10
Display --indent 2 --text "- Checking expired passwords" --result FOUND --color RED Display --indent 2 --text "- Checking expired passwords" --result "${STATUS_FOUND}" --color RED
ReportSuggestion "${TEST_NO}" "Delete accounts which are no longer used" ReportSuggestion "${TEST_NO}" "Delete accounts which are no longer used"
else else
LogText "Result: good, no passwords have been expired" LogText "Result: good, no passwords have been expired"
Display --indent 2 --text "- Checking expired passwords" --result OK --color GREEN Display --indent 2 --text "- Checking expired passwords" --result "${STATUS_OK}" --color GREEN
AddHP 10 10 AddHP 10 10
fi fi
else else
Display --indent 2 --text "- Checking expired passwords" --result SKIPPED --color YELLOW Display --indent 2 --text "- Checking expired passwords" --result "${STATUS_SKIPPED}" --color YELLOW
fi fi
fi fi
# #
@ -773,11 +773,11 @@
FIND=`grep "^PASSREQ=NO" /etc/default/sulogin` FIND=`grep "^PASSREQ=NO" /etc/default/sulogin`
if [ "${FIND}" = "" ]; then if [ "${FIND}" = "" ]; then
LogText "Result: option not present or configured to request a password at single user mode login" LogText "Result: option not present or configured to request a password at single user mode login"
Display --indent 2 --text "- Checking Solaris /etc/default/sulogin file" --result OK --color GREEN Display --indent 2 --text "- Checking Solaris /etc/default/sulogin file" --result "${STATUS_OK}" --color GREEN
AddHP 1 1 AddHP 1 1
else else
LogText "Result: option present, no password needed at single user mode login" LogText "Result: option present, no password needed at single user mode login"
Display --indent 2 --text "- Checking Solaris /etc/default/sulogin file" --result WARNING --color RED Display --indent 2 --text "- Checking Solaris /etc/default/sulogin file" --result "${STATUS_WARNING}" --color RED
ReportWarning ${TEST_NO} "H" "No password needed for single user mode login" ReportWarning ${TEST_NO} "H" "No password needed for single user mode login"
AddHP 0 1 AddHP 0 1
fi fi
@ -803,11 +803,11 @@
FIND=`grep "^:d_boot_authenticate@" /tcb/files/auth/system/default` FIND=`grep "^:d_boot_authenticate@" /tcb/files/auth/system/default`
if [ "${FIND}" = "" ]; then if [ "${FIND}" = "" ]; then
LogText "Result: option not set, password is needed at boot" LogText "Result: option not set, password is needed at boot"
Display --indent 2 --text "- Checking HP-UX boot authentication" --result OK --color GREEN Display --indent 2 --text "- Checking HP-UX boot authentication" --result "${STATUS_OK}" --color GREEN
AddHP 1 1 AddHP 1 1
else else
LogText "Result: option present, no password needed at single user mode login" LogText "Result: option present, no password needed at single user mode login"
Display --indent 2 --text "- Checking HP-UX boot authentication" --result SUGGESTION --color YELLOW Display --indent 2 --text "- Checking HP-UX boot authentication" --result "${STATUS_SUGGESTION}" --color YELLOW
ReportSuggestion ${TEST_NO} "Set password for system boot" ReportSuggestion ${TEST_NO} "Set password for system boot"
AddHP 0 1 AddHP 0 1
fi fi
@ -886,13 +886,13 @@
if [ ${TEST_PERFORMED} -eq 1 ]; then if [ ${TEST_PERFORMED} -eq 1 ]; then
if [ ${FOUND} -eq 0 ]; then if [ ${FOUND} -eq 0 ]; then
LogText "Result: option not set, no password needed at single user mode boot" LogText "Result: option not set, no password needed at single user mode boot"
Display --indent 2 --text "- Checking Linux single user mode authentication" --result WARNING --color RED Display --indent 2 --text "- Checking Linux single user mode authentication" --result "${STATUS_WARNING}" --color RED
ReportWarning ${TEST_NO} "L" "No password set for single mode" ReportWarning ${TEST_NO} "L" "No password set for single mode"
ReportSuggestion ${TEST_NO} "Set password for single user mode to minimize physical access attack surface" ReportSuggestion ${TEST_NO} "Set password for single user mode to minimize physical access attack surface"
AddHP 0 2 AddHP 0 2
else else
LogText "Result: option set, password is needed at single user mode boot" LogText "Result: option set, password is needed at single user mode boot"
Display --indent 2 --text "- Checking Linux single user mode authentication" --result OK --color GREEN Display --indent 2 --text "- Checking Linux single user mode authentication" --result "${STATUS_OK}" --color GREEN
AddHP 2 2 AddHP 2 2
fi fi
else else
@ -952,17 +952,17 @@
if [ ${FOUND_UMASK} -eq 1 ]; then if [ ${FOUND_UMASK} -eq 1 ]; then
if [ ${WEAK_UMASK} -eq 0 ]; then if [ ${WEAK_UMASK} -eq 0 ]; then
Display --indent 4 --text "- Checking umask (/etc/profile)" --result OK --color GREEN Display --indent 4 --text "- Checking umask (/etc/profile)" --result "${STATUS_OK}" --color GREEN
AddHP 2 2 AddHP 2 2
else else
Display --indent 4 --text "- Checking umask (/etc/profile)" --result SUGGESTION --color YELLOW Display --indent 4 --text "- Checking umask (/etc/profile)" --result "${STATUS_SUGGESTION}" --color YELLOW
ReportSuggestion ${TEST_NO} "Default umask in /etc/profile could be more strict like 027" ReportSuggestion ${TEST_NO} "Default umask in /etc/profile could be more strict like 027"
AddHP 0 2 AddHP 0 2
fi fi
else else
# Some operating systems don't have a default umask defined in /etc/profile (Debian) # Some operating systems don't have a default umask defined in /etc/profile (Debian)
LogText "Result: found no umask. Please check if this is correct" LogText "Result: found no umask. Please check if this is correct"
Display --indent 4 --text "- Checking umask (/etc/profile)" --result "NOT FOUND" --color YELLOW Display --indent 4 --text "- Checking umask (/etc/profile)" --result "${STATUS_NOT_FOUND}" --color YELLOW
fi fi
else else
LogText "Result: file /etc/profile does not exist" LogText "Result: file /etc/profile does not exist"
@ -989,16 +989,16 @@
FIND=`grep "^UMASK" /etc/login.defs | awk '{ print $2 }'` FIND=`grep "^UMASK" /etc/login.defs | awk '{ print $2 }'`
if [ "${FIND}" = "" ]; then if [ "${FIND}" = "" ]; then
LogText "Result: umask value is not configured (most likely it will have the default 022 value)" LogText "Result: umask value is not configured (most likely it will have the default 022 value)"
Display --indent 4 --text "- Checking umask (/etc/login.defs)" --result SUGGESTION --color YELLOW Display --indent 4 --text "- Checking umask (/etc/login.defs)" --result "${STATUS_SUGGESTION}" --color YELLOW
ReportSuggestion ${TEST_NO} "Default umask in /etc/login.defs could not be found and defaults usually to 022, which could be more strict like 027" ReportSuggestion ${TEST_NO} "Default umask in /etc/login.defs could not be found and defaults usually to 022, which could be more strict like 027"
AddHP 1 2 AddHP 1 2
elif [ "${FIND}" = "077" -o "${FIND}" = "027" ]; then elif [ "${FIND}" = "077" -o "${FIND}" = "027" ]; then
LogText "Result: umask is ${FIND}, which is fine" LogText "Result: umask is ${FIND}, which is fine"
Display --indent 4 --text "- Checking umask (/etc/login.defs)" --result OK --color GREEN Display --indent 4 --text "- Checking umask (/etc/login.defs)" --result "${STATUS_OK}" --color GREEN
AddHP 2 2 AddHP 2 2
else else
LogText "Result: found umask ${FIND}, which could be improved" LogText "Result: found umask ${FIND}, which could be improved"
Display --indent 4 --text "- Checking umask (/etc/login.defs)" --result SUGGESTION --color YELLOW Display --indent 4 --text "- Checking umask (/etc/login.defs)" --result "${STATUS_SUGGESTION}" --color YELLOW
ReportSuggestion ${TEST_NO} "Default umask in /etc/login.defs could be more strict like 027" ReportSuggestion ${TEST_NO} "Default umask in /etc/login.defs could be more strict like 027"
AddHP 0 2 AddHP 0 2
fi fi
@ -1014,14 +1014,14 @@
FIND=`grep "^umask" /etc/init.d/functions | awk '{ print $2 }'` FIND=`grep "^umask" /etc/init.d/functions | awk '{ print $2 }'`
if [ "${FIND}" = "" ]; then if [ "${FIND}" = "" ]; then
LogText "Result: umask is not configured" LogText "Result: umask is not configured"
Display --indent 4 --text "- Checking umask (/etc/init.d/functions)" --result NONE --color WHITE Display --indent 4 --text "- Checking umask (/etc/init.d/functions)" --result "${STATUS_NONE}" --color WHITE
elif [ "${FIND}" = "077" -o "${FIND}" = "027" ]; then elif [ "${FIND}" = "077" -o "${FIND}" = "027" ]; then
LogText "Result: umask is ${FIND}, which is fine" LogText "Result: umask is ${FIND}, which is fine"
Display --indent 4 --text "- Checking umask (/etc/init.d/functions)" --result OK --color GREEN Display --indent 4 --text "- Checking umask (/etc/init.d/functions)" --result "${STATUS_OK}" --color GREEN
AddHP 2 2 AddHP 2 2
else else
LogText "Result: found umask ${FIND}, which could be improved" LogText "Result: found umask ${FIND}, which could be improved"
Display --indent 4 --text "- Checking umask (/etc/init.d/functions)" --result SUGGESTION --color YELLOW Display --indent 4 --text "- Checking umask (/etc/init.d/functions)" --result "${STATUS_SUGGESTION}" --color YELLOW
AddHP 0 2 AddHP 0 2
fi fi
else else
@ -1036,16 +1036,16 @@
FIND=`grep -i "^UMASK" /etc/init.d/rc | awk '{ print $2 }'` FIND=`grep -i "^UMASK" /etc/init.d/rc | awk '{ print $2 }'`
if [ "${FIND}" = "" ]; then if [ "${FIND}" = "" ]; then
LogText "Result: UMASK value is not configured (most likely it will have the default 022 value)" LogText "Result: UMASK value is not configured (most likely it will have the default 022 value)"
Display --indent 4 --text "- Checking umask (/etc/init.d/rc)" --result SUGGESTION --color YELLOW Display --indent 4 --text "- Checking umask (/etc/init.d/rc)" --result "${STATUS_SUGGESTION}" --color YELLOW
ReportSuggestion ${TEST_NO} "Default umask in /etc/init.d/rc could not be found and defaults usually to 022, which could be more strict like 027" ReportSuggestion ${TEST_NO} "Default umask in /etc/init.d/rc could not be found and defaults usually to 022, which could be more strict like 027"
AddHP 1 2 AddHP 1 2
elif [ "${FIND}" = "077" -o "${FIND}" = "027" ]; then elif [ "${FIND}" = "077" -o "${FIND}" = "027" ]; then
LogText "Result: umask is ${FIND}, which is fine" LogText "Result: umask is ${FIND}, which is fine"
Display --indent 4 --text "- Checking umask (/etc/init.d/rc)" --result OK --color GREEN Display --indent 4 --text "- Checking umask (/etc/init.d/rc)" --result "${STATUS_OK}" --color GREEN
AddHP 2 2 AddHP 2 2
else else
LogText "Result: found umask ${FIND}, which could be improved" LogText "Result: found umask ${FIND}, which could be improved"
Display --indent 4 --text "- Checking umask (/etc/init.d/rc)" --result SUGGESTION --color YELLOW Display --indent 4 --text "- Checking umask (/etc/init.d/rc)" --result "${STATUS_SUGGESTION}" --color YELLOW
ReportSuggestion ${TEST_NO} "Default umask in /etc/init.d/rc could be more strict like 027" ReportSuggestion ${TEST_NO} "Default umask in /etc/init.d/rc could be more strict like 027"
AddHP 0 2 AddHP 0 2
fi fi
@ -1078,14 +1078,14 @@
fi fi
if [ ${FOUND} -eq 1 ]; then if [ ${FOUND} -eq 1 ]; then
if [ ${WEAK_UMASK} -eq 0 ]; then if [ ${WEAK_UMASK} -eq 0 ]; then
Display --indent 4 --text "- Checking umask (/etc/login.conf)" --result OK --color GREEN Display --indent 4 --text "- Checking umask (/etc/login.conf)" --result "${STATUS_OK}" --color GREEN
else else
Display --indent 4 --text "- Checking umask (/etc/login.conf)" --result WEAK --color YELLOW Display --indent 4 --text "- Checking umask (/etc/login.conf)" --result WEAK --color YELLOW
ReportSuggestion ${TEST_NO} "Umask in /etc/login.conf could be more strict like 027" ReportSuggestion ${TEST_NO} "Umask in /etc/login.conf could be more strict like 027"
fi fi
else else
LogText "Result: no umask setting found in /etc/login.conf, which is unexpected" LogText "Result: no umask setting found in /etc/login.conf, which is unexpected"
Display --indent 4 --text "- Checking umask (/etc/login.conf)" --result NONE --color YELLOW Display --indent 4 --text "- Checking umask (/etc/login.conf)" --result "${STATUS_NONE}" --color YELLOW
fi fi
fi fi
@ -1099,16 +1099,16 @@
FIND2=`grep -i "^UMASK" /etc/init.d/rcS | awk '{ print $2 }'` FIND2=`grep -i "^UMASK" /etc/init.d/rcS | awk '{ print $2 }'`
if [ "${FIND2}" = "" ]; then if [ "${FIND2}" = "" ]; then
LogText "Result: UMASK value is not configured (most likely it will have the default 022 value)" LogText "Result: UMASK value is not configured (most likely it will have the default 022 value)"
Display --indent 4 --text "- Checking umask (/etc/init.d/rcS)" --result SUGGESTION --color YELLOW Display --indent 4 --text "- Checking umask (/etc/init.d/rcS)" --result "${STATUS_SUGGESTION}" --color YELLOW
ReportSuggestion ${TEST_NO} "Default umask in /etc/init.d/rcS could not be found and defaults usually to 022, which could be more strict like 027" ReportSuggestion ${TEST_NO} "Default umask in /etc/init.d/rcS could not be found and defaults usually to 022, which could be more strict like 027"
AddHP 1 2 AddHP 1 2
elif [ "${FIND2}" = "077" -o "${FIND2}" = "027" ]; then elif [ "${FIND2}" = "077" -o "${FIND2}" = "027" ]; then
LogText "Result: umask is ${FIND2}, which is fine" LogText "Result: umask is ${FIND2}, which is fine"
Display --indent 4 --text "- Checking umask (/etc/init.d/rcS)" --result OK --color GREEN Display --indent 4 --text "- Checking umask (/etc/init.d/rcS)" --result "${STATUS_OK}" --color GREEN
AddHP 2 2 AddHP 2 2
else else
LogText "Result: found umask ${FIND2}, which could be improved" LogText "Result: found umask ${FIND2}, which could be improved"
Display --indent 4 --text "- Checking umask (/etc/init.d/rcS)" --result SUGGESTION --color YELLOW Display --indent 4 --text "- Checking umask (/etc/init.d/rcS)" --result "${STATUS_SUGGESTION}" --color YELLOW
ReportSuggestion ${TEST_NO} "Default umask in /etc/init.d/rcS could be more strict like 027" ReportSuggestion ${TEST_NO} "Default umask in /etc/init.d/rcS could be more strict like 027"
AddHP 0 2 AddHP 0 2
fi fi
@ -1167,7 +1167,7 @@
fi fi
fi fi
if [ ${FOUND} -eq 1 ]; then if [ ${FOUND} -eq 1 ]; then
Display --indent 2 --text "- Checking account locking" --result "ENABLED" --color GREEN Display --indent 2 --text "- Checking account locking" --result "${STATUS_ENABLED}" --color GREEN
else else
Display --indent 2 --text "- Checking account locking" --result "NOT ENABLED" --color YELLOW Display --indent 2 --text "- Checking account locking" --result "NOT ENABLED" --color YELLOW
fi fi
@ -1186,7 +1186,7 @@
Display --indent 2 --text "- Checking LDAP authentication support" --result "NOT ENABLED" --color WHITE Display --indent 2 --text "- Checking LDAP authentication support" --result "NOT ENABLED" --color WHITE
else else
LogText "Result: LDAP authentication enabled" LogText "Result: LDAP authentication enabled"
Display --indent 2 --text "- Checking LDAP authentication support" --result "ENABLED" --color GREEN Display --indent 2 --text "- Checking LDAP authentication support" --result "${STATUS_ENABLED}" --color GREEN
LDAP_AUTH_ENABLED=1 LDAP_AUTH_ENABLED=1
fi fi
else else
@ -1233,11 +1233,11 @@
if [ "${FIND}" = "yes" ]; then if [ "${FIND}" = "yes" ]; then
AUTH_FAILED_LOGINS_LOGGED=1 AUTH_FAILED_LOGINS_LOGGED=1
LogText "Result: failed login attempts are logged in /var/log/faillog" LogText "Result: failed login attempts are logged in /var/log/faillog"
Display --indent 2 --text "- Logging failed login attempts" --result ENABLED --color GREEN Display --indent 2 --text "- Logging failed login attempts" --result "${STATUS_ENABLED}" --color GREEN
AddHP 3 3 AddHP 3 3
else else
LogText "Result: failed login attempts are not logged" LogText "Result: failed login attempts are not logged"
Display --indent 2 --text "- Logging failed login attempts" --result DISABLED --color YELLOW Display --indent 2 --text "- Logging failed login attempts" --result "${STATUS_DISABLED}" --color YELLOW
#ReportSuggestion ${TEST_NO} "Configure failed login attempts to be logged in /var/log/faillog" #ReportSuggestion ${TEST_NO} "Configure failed login attempts to be logged in /var/log/faillog"
AddHP 0 1 AddHP 0 1
fi fi


@ -37,26 +37,26 @@
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Testing existence /COPYRIGHT or /etc/COPYRIGHT" LogText "Test: Testing existence /COPYRIGHT or /etc/COPYRIGHT"
if [ -f /COPYRIGHT ]; then if [ -f /COPYRIGHT ]; then
Display --indent 2 --text "- /COPYRIGHT" --result FOUND --color GREEN Display --indent 2 --text "- /COPYRIGHT" --result "${STATUS_FOUND}" --color GREEN
if [ -s /COPYRIGHT ]; then if [ -s /COPYRIGHT ]; then
LogText "Result: /COPYRIGHT available and contains text" LogText "Result: /COPYRIGHT available and contains text"
else else
LogText "Result: /COPYRIGHT available, but empty" LogText "Result: /COPYRIGHT available, but empty"
fi fi
else else
Display --indent 2 --text "- /COPYRIGHT" --result "NOT FOUND" --color WHITE Display --indent 2 --text "- /COPYRIGHT" --result "${STATUS_NOT_FOUND}" --color WHITE
LogText "Result: /COPYRIGHT not found" LogText "Result: /COPYRIGHT not found"
fi fi
if [ -f /etc/COPYRIGHT ]; then if [ -f /etc/COPYRIGHT ]; then
Display --indent 2 --text "- /etc/COPYRIGHT" --result FOUND --color GREEN Display --indent 2 --text "- /etc/COPYRIGHT" --result "${STATUS_FOUND}" --color GREEN
if [ -s /etc/COPYRIGHT ]; then if [ -s /etc/COPYRIGHT ]; then
LogText "Result: /etc/COPYRIGHT available and contains text" LogText "Result: /etc/COPYRIGHT available and contains text"
else else
LogText "Result: /etc/COPYRIGHT available, but empty" LogText "Result: /etc/COPYRIGHT available, but empty"
fi fi
else else
Display --indent 2 --text "- /etc/COPYRIGHT" --result "NOT FOUND" --color WHITE Display --indent 2 --text "- /etc/COPYRIGHT" --result "${STATUS_NOT_FOUND}" --color WHITE
LogText "Result: /etc/COPYRIGHT not found" LogText "Result: /etc/COPYRIGHT not found"
fi fi
fi fi
@ -70,14 +70,14 @@
# LogText "Test: Testing existence /etc/motd" # LogText "Test: Testing existence /etc/motd"
# if [ -f /etc/motd ]; then # if [ -f /etc/motd ]; then
# LogText "Result: file /etc/motd exists" # LogText "Result: file /etc/motd exists"
# Display --indent 2 --text "- /etc/motd" --result FOUND --color GREEN # Display --indent 2 --text "- /etc/motd" --result "${STATUS_FOUND}" --color GREEN
# if [ ! -L /etc/motd ]; then # if [ ! -L /etc/motd ]; then
# if IsWorldWritable /etc/motd; then # if IsWorldWritable /etc/motd; then
# Display --indent 4 --text "- /etc/motd permissions" --result WARNING --color RED # Display --indent 4 --text "- /etc/motd permissions" --result "${STATUS_WARNING}" --color RED
# LogText "Result: /etc/motd is world writable. Users can change this file!" # LogText "Result: /etc/motd is world writable. Users can change this file!"
# ReportWarning ${TEST_NO} "H" "/etc/motd is world writable" # ReportWarning ${TEST_NO} "H" "/etc/motd is world writable"
# else # else
# Display --indent 4 --text "- /etc/motd permissions" --result OK --color GREEN # Display --indent 4 --text "- /etc/motd permissions" --result "${STATUS_OK}" --color GREEN
# LogText "Result: /etc/motd is not world writable." # LogText "Result: /etc/motd is not world writable."
# fi # fi
# else # else
@ -85,7 +85,7 @@
# fi # fi
# else # else
# LogText "Result: File /etc/motd not found" # LogText "Result: File /etc/motd not found"
# Display --indent 2 --text "- /etc/motd" --result "NOT FOUND" --color WHITE # Display --indent 2 --text "- /etc/motd" --result "${STATUS_NOT_FOUND}" --color WHITE
# fi # fi
#fi #fi
# #
@ -109,7 +109,7 @@
# # Check if we have 5 or more key words # # Check if we have 5 or more key words
# if [ ${N} -gt 4 ]; then # if [ ${N} -gt 4 ]; then
# LogText "Result: Found ${N} key words, to warn unauthorized users" # LogText "Result: Found ${N} key words, to warn unauthorized users"
# Display --indent 4 --text "- /etc/motd contents" --result OK --color GREEN # Display --indent 4 --text "- /etc/motd contents" --result "${STATUS_OK}" --color GREEN
# AddHP 2 2 # AddHP 2 2
# else # else
# LogText "Result: Found only ${N} key words, to warn unauthorized users and could be increased" # LogText "Result: Found only ${N} key words, to warn unauthorized users and could be increased"
@ -132,11 +132,11 @@
LogText "Result: file /etc/issue exists (symlink)" LogText "Result: file /etc/issue exists (symlink)"
Display --indent 2 --text "- /etc/issue" --result SYMLINK --color GREEN Display --indent 2 --text "- /etc/issue" --result SYMLINK --color GREEN
else else
Display --indent 2 --text "- /etc/issue" --result FOUND --color GREEN Display --indent 2 --text "- /etc/issue" --result "${STATUS_FOUND}" --color GREEN
fi fi
else else
LogText "Result: file /etc/issue does not exist" LogText "Result: file /etc/issue does not exist"
Display --indent 2 --text "- /etc/issue" --result "NOT FOUND" --color WHITE Display --indent 2 --text "- /etc/issue" --result "${STATUS_NOT_FOUND}" --color WHITE
fi fi
fi fi
# #
@ -160,7 +160,7 @@
# Check if we have 5 or more key words # Check if we have 5 or more key words
if [ ${N} -gt 4 ]; then if [ ${N} -gt 4 ]; then
LogText "Result: Found ${N} key words (5 or more suggested), to warn unauthorized users" LogText "Result: Found ${N} key words (5 or more suggested), to warn unauthorized users"
Display --indent 4 --text "- /etc/issue contents" --result OK --color GREEN Display --indent 4 --text "- /etc/issue contents" --result "${STATUS_OK}" --color GREEN
AddHP 2 2 AddHP 2 2
else else
LogText "Result: Found only ${N} key words (5 or more suggested), to warn unauthorized users and could be increased" LogText "Result: Found only ${N} key words (5 or more suggested), to warn unauthorized users and could be increased"
@ -184,11 +184,11 @@
Display --indent 2 --text "- /etc/issue.net" --result SYMLINK --color GREEN Display --indent 2 --text "- /etc/issue.net" --result SYMLINK --color GREEN
else else
LogText "Result: file /etc/issue.net exists" LogText "Result: file /etc/issue.net exists"
Display --indent 2 --text "- /etc/issue.net" --result FOUND --color GREEN Display --indent 2 --text "- /etc/issue.net" --result "${STATUS_FOUND}" --color GREEN
fi fi
else else
LogText "Result: file /etc/issue.net does not exist" LogText "Result: file /etc/issue.net does not exist"
Display --indent 2 --text "- /etc/issue.net" --result "NOT FOUND" --color WHITE Display --indent 2 --text "- /etc/issue.net" --result "${STATUS_NOT_FOUND}" --color WHITE
fi fi
fi fi
# #
@ -212,7 +212,7 @@
# Check if we have 5 or more key words # Check if we have 5 or more key words
if [ ${N} -gt 4 ]; then if [ ${N} -gt 4 ]; then
LogText "Result: Found ${N} key words, to warn unauthorized users" LogText "Result: Found ${N} key words, to warn unauthorized users"
Display --indent 4 --text "- /etc/issue.net contents" --result OK --color GREEN Display --indent 4 --text "- /etc/issue.net contents" --result "${STATUS_OK}" --color GREEN
AddHP 2 2 AddHP 2 2
else else
LogText "Result: Found only ${N} key words, to warn unauthorized users and could be increased" LogText "Result: Found only ${N} key words, to warn unauthorized users and could be increased"


@ -45,12 +45,12 @@
FIND=`/usr/sbin/bootinfo -b` FIND=`/usr/sbin/bootinfo -b`
if [ ! "${FIND}" = "" ]; then if [ ! "${FIND}" = "" ]; then
LogText "Result: found boot device ${FIND}" LogText "Result: found boot device ${FIND}"
Display --indent 2 --text "- Checking boot device (bootinfo)" --result FOUND --color GREEN Display --indent 2 --text "- Checking boot device (bootinfo)" --result "${STATUS_FOUND}" --color GREEN
BOOT_LOADER="ROS" BOOT_LOADER="ROS"
BOOT_LOADER_FOUND=1 BOOT_LOADER_FOUND=1
else else
LogText "Result: no data received from bootinfo, most likely boot device not found" LogText "Result: no data received from bootinfo, most likely boot device not found"
#Display --indent 4 --text "- Checking boot device (bootinfo)" --result "NOT FOUND" --color YELLOW #Display --indent 4 --text "- Checking boot device (bootinfo)" --result "${STATUS_NOT_FOUND}" --color YELLOW
#ReportSuggestion ${TEST_NO} "Only use root (not sudo account) to query properly boot device" #ReportSuggestion ${TEST_NO} "Only use root (not sudo account) to query properly boot device"
fi fi
fi fi
@ -126,7 +126,7 @@
esac esac
LogText "Result: service manager found = ${SERVICE_MANAGER}" LogText "Result: service manager found = ${SERVICE_MANAGER}"
if [ "${SERVICE_MANAGER}" = "" -o "${SERVICE_MANAGER}" = "unknown" ]; then if [ "${SERVICE_MANAGER}" = "" -o "${SERVICE_MANAGER}" = "unknown" ]; then
Display --indent 2 --text "- Service Manager" --result "UNKNOWN" --color YELLOW Display --indent 2 --text "- Service Manager" --result "${STATUS_UNKNOWN}" --color YELLOW
else else
Display --indent 2 --text "- Service Manager" --result "${SERVICE_MANAGER}" --color GREEN Display --indent 2 --text "- Service Manager" --result "${SERVICE_MANAGER}" --color GREEN
fi fi
@ -193,15 +193,15 @@
;; ;;
esac esac
if [ ${UEFI_BOOTED} -eq 1 ]; then if [ ${UEFI_BOOTED} -eq 1 ]; then
Display --indent 2 --text "- Checking UEFI boot" --result ENABLED --color GREEN Display --indent 2 --text "- Checking UEFI boot" --result "${STATUS_ENABLED}" --color GREEN
if [ ${UEFI_BOOTED_SECURE} -eq 1 ]; then if [ ${UEFI_BOOTED_SECURE} -eq 1 ]; then
Display --indent 2 --text "- Checking Secure Boot" --result ENABLED --color GREEN Display --indent 2 --text "- Checking Secure Boot" --result "${STATUS_ENABLED}" --color GREEN
else else
Display --indent 2 --text "- Checking Secure Boot" --result DISABLED --color YELLOW Display --indent 2 --text "- Checking Secure Boot" --result "${STATUS_DISABLED}" --color YELLOW
fi fi
else else
if [ ${UEFI_TESTS_PERFORMED} -eq 1 ]; then if [ ${UEFI_TESTS_PERFORMED} -eq 1 ]; then
Display --indent 2 --text "- Checking UEFI boot" --result DISABLED --color WHITE Display --indent 2 --text "- Checking UEFI boot" --result "${STATUS_DISABLED}" --color WHITE
fi fi
fi fi
fi fi
@ -220,7 +220,7 @@
BOOT_LOADER="GRUB" BOOT_LOADER="GRUB"
BOOT_LOADER_FOUND=1 BOOT_LOADER_FOUND=1
GRUB_VERSION=1 GRUB_VERSION=1
Display --indent 2 --text "- Checking presence GRUB" --result "OK" --color GREEN Display --indent 2 --text "- Checking presence GRUB" --result "${STATUS_OK}" --color GREEN
if [ -f /boot/grub/grub.conf ]; then GRUBCONFFILE="/boot/grub/grub.conf"; else GRUBCONFFILE="/boot/grub/menu.lst"; fi if [ -f /boot/grub/grub.conf ]; then GRUBCONFFILE="/boot/grub/grub.conf"; else GRUBCONFFILE="/boot/grub/menu.lst"; fi
fi fi
@ -230,7 +230,7 @@
BOOT_LOADER="GRUB2" BOOT_LOADER="GRUB2"
BOOT_LOADER_FOUND=1 BOOT_LOADER_FOUND=1
GRUB_VERSION=2 GRUB_VERSION=2
Display --indent 2 --text "- Checking presence GRUB2" --result FOUND --color GREEN Display --indent 2 --text "- Checking presence GRUB2" --result "${STATUS_FOUND}" --color GREEN
if [ -f /boot/grub/grub.cfg ]; then if [ -f /boot/grub/grub.cfg ]; then
GRUBCONFFILE="/boot/grub/grub.cfg" GRUBCONFFILE="/boot/grub/grub.cfg"
elif [ -f /boot/grub2/grub.cfg ]; then elif [ -f /boot/grub2/grub.cfg ]; then
@ -277,11 +277,11 @@
FOUND=1 FOUND=1
fi fi
if [ ${FOUND} -eq 1 ]; then if [ ${FOUND} -eq 1 ]; then
Display --indent 4 --text "- Checking for password protection" --result OK --color GREEN Display --indent 4 --text "- Checking for password protection" --result "${STATUS_OK}" --color GREEN
LogText "Result: GRUB has password protection." LogText "Result: GRUB has password protection."
AddHP 4 4 AddHP 4 4
else else
Display --indent 4 --text "- Checking for password protection" --result WARNING --color RED Display --indent 4 --text "- Checking for password protection" --result "${STATUS_WARNING}" --color RED
LogText "Result: Didn't find hashed password line in GRUB boot file!" LogText "Result: Didn't find hashed password line in GRUB boot file!"
ReportSuggestion ${TEST_NO} "Set a password on GRUB bootloader to prevent altering boot configuration (e.g. boot in single user mode without password)" ReportSuggestion ${TEST_NO} "Set a password on GRUB bootloader to prevent altering boot configuration (e.g. boot in single user mode without password)"
AddHP 0 2 AddHP 0 2
@ -300,7 +300,7 @@
BOOT_LOADER_SEARCHED=1 BOOT_LOADER_SEARCHED=1
if [ -f /boot/boot1 -a -f /boot/boot2 -a -f /boot/loader ]; then if [ -f /boot/boot1 -a -f /boot/boot2 -a -f /boot/loader ]; then
LogText "Result: found boot1, boot2 and loader files in /boot" LogText "Result: found boot1, boot2 and loader files in /boot"
Display --indent 2 --text "- Checking presence FreeBSD loader" --result FOUND --color GREEN Display --indent 2 --text "- Checking presence FreeBSD loader" --result "${STATUS_FOUND}" --color GREEN
BOOT_LOADER="FreeBSD" BOOT_LOADER="FreeBSD"
BOOT_LOADER_FOUND=1 BOOT_LOADER_FOUND=1
else else
@ -317,7 +317,7 @@
BOOT_LOADER_SEARCHED=1 BOOT_LOADER_SEARCHED=1
if [ -f /boot.${HARDWARE} -o -f /boot -o -f /ofwboot ]; then if [ -f /boot.${HARDWARE} -o -f /boot -o -f /ofwboot ]; then
LogText "Result: found NetBSD secondary bootstrap" LogText "Result: found NetBSD secondary bootstrap"
Display --indent 2 --text "- Checking presence NetBSD loader" --result FOUND --color GREEN Display --indent 2 --text "- Checking presence NetBSD loader" --result "${STATUS_FOUND}" --color GREEN
BOOT_LOADER="NetBSD" BOOT_LOADER="NetBSD"
BOOT_LOADER_FOUND=1 BOOT_LOADER_FOUND=1
else else
@ -341,18 +341,18 @@
if [ ${CANREAD} -eq 1 ]; then if [ ${CANREAD} -eq 1 ]; then
BOOT_LOADER="LILO" BOOT_LOADER="LILO"
BOOT_LOADER_FOUND=1 BOOT_LOADER_FOUND=1
Display --indent 2 --text "- Checking presence LILO" --result "OK" --color GREEN Display --indent 2 --text "- Checking presence LILO" --result "${STATUS_OK}" --color GREEN
LogText "Checking password option LILO" LogText "Checking password option LILO"
FIND=`${EGREPBINARY} 'password[[:space:]]?=' ${LILOCONFFILE} | grep -v "^#"` FIND=`${EGREPBINARY} 'password[[:space:]]?=' ${LILOCONFFILE} | grep -v "^#"`
if [ "${FIND}" = "" ]; then if [ "${FIND}" = "" ]; then
Display --indent 4 --text "- Password option presence " --result "WARNING" --color RED Display --indent 4 --text "- Password option presence " --result "${STATUS_WARNING}" --color RED
LogText "Result: no password set for LILO. Bootloader is unprotected to" LogText "Result: no password set for LILO. Bootloader is unprotected to"
LogText "dropping to single user mode or unauthorized access to devices/data." LogText "dropping to single user mode or unauthorized access to devices/data."
ReportSuggestion ${TEST_NO} "Add a password to LILO, by adding a line to the lilo.conf file, above the first line saying 'image=<name>': password=<password>" ReportSuggestion ${TEST_NO} "Add a password to LILO, by adding a line to the lilo.conf file, above the first line saying 'image=<name>': password=<password>"
ReportWarning ${TEST_NO} "M" "No password set on LILO bootloader" ReportWarning ${TEST_NO} "M" "No password set on LILO bootloader"
AddHP 0 2 AddHP 0 2
else else
Display --indent 4 --text "- Password option presence " --result "OK" --color GREEN Display --indent 4 --text "- Password option presence " --result "${STATUS_OK}" --color GREEN
LogText "Result: LILO password option set" LogText "Result: LILO password option set"
AddHP 4 4 AddHP 4 4
fi fi
@ -373,7 +373,7 @@
BOOT_LOADER_SEARCHED=1 BOOT_LOADER_SEARCHED=1
if [ -f /etc/silo.conf ]; then if [ -f /etc/silo.conf ]; then
LogText "Result: Found SILO configuration file (/etc/silo.conf)" LogText "Result: Found SILO configuration file (/etc/silo.conf)"
Display --indent 2 --text "- Checking boot loader SILO" --result FOUND --color GREEN Display --indent 2 --text "- Checking boot loader SILO" --result "${STATUS_FOUND}" --color GREEN
BOOT_LOADER="SILO" BOOT_LOADER="SILO"
BOOT_LOADER_FOUND=1 BOOT_LOADER_FOUND=1
else else
@ -392,11 +392,11 @@
# FIND=`/sbin/silo | grep "appears to be valid"` # FIND=`/sbin/silo | grep "appears to be valid"`
# if [ ! "${FIND}" = "" ]; then # if [ ! "${FIND}" = "" ]; then
# LogText "Result: Found SILO configuration file (/etc/silo.conf)" # LogText "Result: Found SILO configuration file (/etc/silo.conf)"
# Display --indent 6 --text "- Checking SILO consistency" --result OK --color GREEN # Display --indent 6 --text "- Checking SILO consistency" --result "${STATUS_OK}" --color GREEN
# else # else
# LogText "Result: no positive result received from silo binary" # LogText "Result: no positive result received from silo binary"
# ReportWarning ${TEST_NO} "Possible issue with boot loader (SILO)" # ReportWarning ${TEST_NO} "Possible issue with boot loader (SILO)"
# Display --indent 6 --text "- Checking SILO consistency" --result WARNING --color RED # Display --indent 6 --text "- Checking SILO consistency" --result "${STATUS_WARNING}" --color RED
# fi # fi
# fi # fi
# fi # fi
@ -411,7 +411,7 @@
LogText "Test: Check for /etc/yaboot.conf" LogText "Test: Check for /etc/yaboot.conf"
if [ -f /etc/yaboot.conf ]; then if [ -f /etc/yaboot.conf ]; then
LogText "Result: Found YABOOT configuration file (/etc/yaboot.conf)" LogText "Result: Found YABOOT configuration file (/etc/yaboot.conf)"
Display --indent 4 --text "- Checking boot loader YABOOT" --result FOUND --color GREEN Display --indent 4 --text "- Checking boot loader YABOOT" --result "${STATUS_FOUND}" --color GREEN
BOOT_LOADER="YABOOT" BOOT_LOADER="YABOOT"
BOOT_LOADER_FOUND=1 BOOT_LOADER_FOUND=1
else else
@ -437,18 +437,18 @@
# Configuration file # Configuration file
if [ -f /etc/boot.conf ]; then if [ -f /etc/boot.conf ]; then
FOUND=1 FOUND=1
Display --indent 2 --text "- Checking /etc/boot.conf" --result "FOUND" --color GREEN Display --indent 2 --text "- Checking /etc/boot.conf" --result "${STATUS_FOUND}" --color GREEN
FIND=`grep '^boot' /etc/boot.conf` FIND=`grep '^boot' /etc/boot.conf`
if [ "${FIND}" = "" ]; then if [ "${FIND}" = "" ]; then
Display --indent 4 --text "- Checking boot option" --result WARNING --color RED Display --indent 4 --text "- Checking boot option" --result "${STATUS_WARNING}" --color RED
#ReportSuggestion ${TEST_NO} "Add 'boot' to the /etc/boot.conf file to disable the default 5 seconds waiting time, to disallow booting into single user mode." #ReportSuggestion ${TEST_NO} "Add 'boot' to the /etc/boot.conf file to disable the default 5 seconds waiting time, to disallow booting into single user mode."
ReportWarning ${TEST_NO} "M" "System can be booted into single user mode without password" ReportWarning ${TEST_NO} "M" "System can be booted into single user mode without password"
else else
Display --indent 4 --text "- Checking boot option" --result OK --color GREEN Display --indent 4 --text "- Checking boot option" --result "${STATUS_OK}" --color GREEN
LogText "Ok, boot option is enabled." LogText "Ok, boot option is enabled."
fi fi
else else
Display --indent 2 --text "- Checking /etc/boot.conf" --result "NOT FOUND" --color YELLOW Display --indent 2 --text "- Checking /etc/boot.conf" --result "${STATUS_NOT_FOUND}" --color YELLOW
LogText "Result: no /etc/boot.conf found. When using the default boot loader, physical" LogText "Result: no /etc/boot.conf found. When using the default boot loader, physical"
LogText "access to the server can be used to possibly enter single user mode." LogText "access to the server can be used to possibly enter single user mode."
ReportSuggestion ${TEST_NO} "Add 'boot' to the /etc/boot.conf file to disable the default 5 seconds waiting time." ReportSuggestion ${TEST_NO} "Add 'boot' to the /etc/boot.conf file to disable the default 5 seconds waiting time."
@ -491,7 +491,7 @@
Report "boottask[]=${I}" Report "boottask[]=${I}"
N=$((N + 1)) N=$((N + 1))
done done
Display --indent 2 --text "- Checking services at startup (service/rc.conf)" --result "DONE" --color GREEN Display --indent 2 --text "- Checking services at startup (service/rc.conf)" --result "${STATUS_DONE}" --color GREEN
Display --indent 6 --text "Result: found $N services/options set" Display --indent 6 --text "Result: found $N services/options set"
LogText "Found $N services/options to run at startup" LogText "Found $N services/options to run at startup"
fi fi
@ -519,7 +519,7 @@
N=$((N + 1)) N=$((N + 1))
done done
LogText "Note: Run systemctl --full --type=service to see all services" LogText "Note: Run systemctl --full --type=service to see all services"
Display --indent 2 --text "- Check running services (systemctl)" --result "DONE" --color GREEN Display --indent 2 --text "- Check running services (systemctl)" --result "${STATUS_DONE}" --color GREEN
Display --indent 8 --text "Result: found $N running services" Display --indent 8 --text "Result: found $N running services"
LogText "Result: Found $N enabled services" LogText "Result: Found $N enabled services"
@ -534,7 +534,7 @@
N=$((N + 1)) N=$((N + 1))
done done
LogText "Note: Run systemctl list-unit-files --type=service to see all services" LogText "Note: Run systemctl list-unit-files --type=service to see all services"
Display --indent 2 --text "- Check enabled services at boot (systemctl)" --result "DONE" --color GREEN Display --indent 2 --text "- Check enabled services at boot (systemctl)" --result "${STATUS_DONE}" --color GREEN
Display --indent 8 --text "Result: found $N enabled services" Display --indent 8 --text "Result: found $N enabled services"
LogText "Result: Found $N running services" LogText "Result: Found $N running services"
@ -552,7 +552,7 @@
N=$((N + 1)) N=$((N + 1))
done done
LogText "Hint: Run chkconfig --list to see all services and disable unneeded services" LogText "Hint: Run chkconfig --list to see all services and disable unneeded services"
Display --indent 2 --text "- Check services at startup (chkconfig)" --result "DONE" --color GREEN Display --indent 2 --text "- Check services at startup (chkconfig)" --result "${STATUS_DONE}" --color GREEN
Display --indent 8 --text "Result: found $N services" Display --indent 8 --text "Result: found $N services"
LogText "Result: Found $N services at startup" LogText "Result: Found $N services at startup"
else else
@ -581,7 +581,7 @@
LogText "Found service (at boot, runlevel 2): ${I}" LogText "Found service (at boot, runlevel 2): ${I}"
N=$((N + 1)) N=$((N + 1))
done done
Display --indent 2 --text "- Check services at startup (rc2.d)" --result "DONE" --color WHITE Display --indent 2 --text "- Check services at startup (rc2.d)" --result "${STATUS_DONE}" --color WHITE
Display --indent 4 --text "Result: found $N services" Display --indent 4 --text "Result: found $N services"
LogText "Result: found $N services" LogText "Result: found $N services"
fi fi
@ -667,12 +667,12 @@
# Check results # Check results
if [ ${FOUND} -eq 1 ]; then if [ ${FOUND} -eq 1 ]; then
Display --indent 2 --text "- Check startup files (permissions)" --result "WARNING" --color RED Display --indent 2 --text "- Check startup files (permissions)" --result "${STATUS_WARNING}" --color RED
ReportWarning ${TEST_NO} "Found world writable startup scripts" "-" "-" ReportWarning ${TEST_NO} "Found world writable startup scripts" "-" "-"
LogText "Result: found one or more scripts which are possibly writable by other users" LogText "Result: found one or more scripts which are possibly writable by other users"
AddHP 0 3 AddHP 0 3
else else
Display --indent 2 --text "- Check startup files (permissions)" --result "OK" --color GREEN Display --indent 2 --text "- Check startup files (permissions)" --result "${STATUS_OK}" --color GREEN
AddHP 3 3 AddHP 3 3
fi fi
fi fi
@ -691,7 +691,7 @@
if [ -f /proc/uptime ]; then if [ -f /proc/uptime ]; then
FIND=`cat /proc/uptime | cut -d ' ' -f1 | cut -d '.' -f1` FIND=`cat /proc/uptime | cut -d ' ' -f1 | cut -d '.' -f1`
else else
Display --indent 2 --text "- Checking uptime" --result SKIPPED --color YELLOW Display --indent 2 --text "- Checking uptime" --result "${STATUS_SKIPPED}" --color YELLOW
ReportException "${TEST_NO}:1" "No uptime test available for this operating system (/proc/uptime missing)" ReportException "${TEST_NO}:1" "No uptime test available for this operating system (/proc/uptime missing)"
fi fi
;; ;;
@ -700,7 +700,7 @@
if [ ! "${SYSCTLBINARY}" = "" ]; then if [ ! "${SYSCTLBINARY}" = "" ]; then
FIND=`${SYSCTLBINARY} kern.boottime | awk '{ print $5 }' | sed -e 's/,//' | grep "[0-9]"` FIND=`${SYSCTLBINARY} kern.boottime | awk '{ print $5 }' | sed -e 's/,//' | grep "[0-9]"`
else else
Display --indent 2 --text "- Checking uptime" --result SKIPPED --color YELLOW Display --indent 2 --text "- Checking uptime" --result "${STATUS_SKIPPED}" --color YELLOW
ReportException "${TEST_NO}:4" "No uptime test available for this operating system (sysctl missing)" ReportException "${TEST_NO}:4" "No uptime test available for this operating system (sysctl missing)"
fi fi
;; ;;
@ -717,7 +717,7 @@
ReportException "${TEST_NO}:5" "Most likely kern.boottime empty, unable to determine uptime" ReportException "${TEST_NO}:5" "Most likely kern.boottime empty, unable to determine uptime"
fi fi
else else
Display --indent 2 --text "- Checking uptime" --result SKIPPED --color YELLOW Display --indent 2 --text "- Checking uptime" --result "${STATUS_SKIPPED}" --color YELLOW
ReportException "${TEST_NO}:4" "No uptime test available for this operating system (sysctl missing)" ReportException "${TEST_NO}:4" "No uptime test available for this operating system (sysctl missing)"
fi fi
;; ;;
@ -726,13 +726,13 @@
if [ ! "${KSTATBINARY}" = "" ]; then if [ ! "${KSTATBINARY}" = "" ]; then
FIND=`${KSTATBINARY} -p unix:0:system_misc:snaptime | grep "^unix" | awk '{print $2}' | cut -d "." -f1` FIND=`${KSTATBINARY} -p unix:0:system_misc:snaptime | grep "^unix" | awk '{print $2}' | cut -d "." -f1`
else else
Display --indent 2 --text "- Checking uptime" --result SKIPPED --color YELLOW Display --indent 2 --text "- Checking uptime" --result "${STATUS_SKIPPED}" --color YELLOW
ReportException "${TEST_NO}:2" "No uptime test available for this operating system (kstat missing)" ReportException "${TEST_NO}:2" "No uptime test available for this operating system (kstat missing)"
fi fi
;; ;;
*) *)
Display --indent 2 --text "- Checking uptime" --result SKIPPED --color YELLOW Display --indent 2 --text "- Checking uptime" --result "${STATUS_SKIPPED}" --color YELLOW
# Want to help improving Lynis? Share your operating system and a way to determine the uptime (in seconds) # Want to help improving Lynis? Share your operating system and a way to determine the uptime (in seconds)
ReportException "${TEST_NO}:3" "No uptime test available yet for this operating system" ReportException "${TEST_NO}:3" "No uptime test available yet for this operating system"
@ -769,7 +769,7 @@
else else
LogText "Result: did not find sulogin in rescue.service" LogText "Result: did not find sulogin in rescue.service"
AddHP 1 3 AddHP 1 3
Display --indent 2 --text "- Checking sulogin in rescue.service" --result "NOT FOUND" --color YELLOW Display --indent 2 --text "- Checking sulogin in rescue.service" --result "${STATUS_NOT_FOUND}" --color YELLOW
ReportSuggestion "${TEST_NO}" "Protect rescue.service by using sulogin" ReportSuggestion "${TEST_NO}" "Protect rescue.service by using sulogin"
fi fi
else else
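Review bot: The two systemctl hunks have their log lines crossed, and this commit leaves them that way. After the Display of `Result: found $N running services` the code logs `Result: Found $N enabled services`, and after the Display of `Result: found $N enabled services` it logs `Result: Found $N running services`. The log is the audit record, so it should agree with the screen: use `LogText "Result: Found $N running services"` in the running-services block and `LogText "Result: Found $N enabled services"` in the enabled-at-boot block. Both counting loops start outside the hunks, so which list `N` counts is inferred from the Display text and the adjacent `Note:` lines.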


@ -50,7 +50,7 @@
Display --indent 2 --text "- Checking Solaris Zones" --result "FOUND ${N} zones" --color GREEN Display --indent 2 --text "- Checking Solaris Zones" --result "FOUND ${N} zones" --color GREEN
else else
LogText "Result: no running zones found" LogText "Result: no running zones found"
Display --indent 2 --text "- Checking Solaris Zones" --result NONE --color WHITE Display --indent 2 --text "- Checking Solaris Zones" --result "${STATUS_NONE}" --color WHITE
fi fi
fi fi
# #
@ -82,7 +82,7 @@
Report "docker_daemon_running=1" Report "docker_daemon_running=1"
DOCKER_DAEMON_RUNNING=1 DOCKER_DAEMON_RUNNING=1
Display --indent 4 --text "- Docker" Display --indent 4 --text "- Docker"
Display --indent 6 --text "- Docker daemon" --result RUNNING --color GREEN Display --indent 6 --text "- Docker daemon" --result "${STATUS_RUNNING}" --color GREEN
fi fi
fi fi
# #
@ -109,7 +109,7 @@
AddHP 3 4 AddHP 3 4
else else
LogText "Result: no warnings found from 'docker info' output" LogText "Result: no warnings found from 'docker info' output"
Display --indent 8 --text "- Docker info output (warnings)" --result "NONE" --color GREEN Display --indent 8 --text "- Docker info output (warnings)" --result "${STATUS_NONE}" --color GREEN
AddHP 1 1 AddHP 1 1
fi fi
fi fi
@ -136,7 +136,7 @@
if [ ! "${DOCKER_CONTAINERS_TOTAL}" = "${DOCKER_CONTAINERS_TOTAL2}" ]; then if [ ! "${DOCKER_CONTAINERS_TOTAL}" = "${DOCKER_CONTAINERS_TOTAL2}" ]; then
LogText "Result: difference detected, which is unexpected" LogText "Result: difference detected, which is unexpected"
ReportSuggestion "${TEST_NO}" "Test output of both 'docker ps -a' and 'docker info', to determine why they report a different amount of containers" ReportSuggestion "${TEST_NO}" "Test output of both 'docker ps -a' and 'docker info', to determine why they report a different amount of containers"
Display --indent 8 --text "- Total containers" --result "UNKNOWN" --color RED Display --indent 8 --text "- Total containers" --result "${STATUS_UNKNOWN}" --color RED
else else
Display --indent 8 --text "- Total containers" --result "${DOCKER_CONTAINERS_TOTAL}" --color WHITE Display --indent 8 --text "- Total containers" --result "${DOCKER_CONTAINERS_TOTAL}" --color WHITE
fi fi
@ -190,10 +190,10 @@
fi fi
done done
if [ ${DOCKER_FILE_PERMISSIONS_WARNINGS} -gt 0 ]; then if [ ${DOCKER_FILE_PERMISSIONS_WARNINGS} -gt 0 ]; then
Display --indent 4 --text "- File permissions" --result WARNINGS --color YELLOW Display --indent 4 --text "- File permissions" --result "${STATUS_WARNING}"S --color YELLOW
AddHP 0 5 AddHP 0 5
else else
Display --indent 4 --text "- File permissions" --result OK --color GREEN Display --indent 4 --text "- File permissions" --result "${STATUS_OK}" --color GREEN
AddHP 5 5 AddHP 5 5
fi fi
fi fi
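Review bot: The File permissions line in the last hunk now passes `--result "${STATUS_WARNING}"S`, which looks like a search-and-replace artefact on the old literal `WARNINGS`. The shell concatenates the variable's value with a literal `S`, so a translated status would be shown with a stray English suffix. Use the singular form, `--result "${STATUS_WARNING}" --color YELLOW`, or add a separate plural status string next to the other definitions, which are not visible on this page. The `"FOUND ${N} zones"` result in the first hunk of this file is also still a hard-coded English string.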


@ -78,9 +78,9 @@
done done
if [ ${FOUNDPROBLEM} -eq 0 ]; then if [ ${FOUNDPROBLEM} -eq 0 ]; then
Display --indent 2 --text "- Checking for expired SSL certificates" --result NONE --color GREEN Display --indent 2 --text "- Checking for expired SSL certificates" --result "${STATUS_NONE}" --color GREEN
else else
Display --indent 2 --text "- Checking for expired SSL certificates" --result FOUND --color RED Display --indent 2 --text "- Checking for expired SSL certificates" --result "${STATUS_FOUND}" --color RED
ReportSuggestion ${TEST_NO} "Check available certificates for expiration" ReportSuggestion ${TEST_NO} "Check available certificates for expiration"
fi fi
fi fi


@ -23,9 +23,9 @@
# --text text to be displayed on screen # --text text to be displayed on screen
# --result text at end of line # --result text at end of line
# --color color of result text # --color color of result text
Display --indent 2 --text "- Checking if everything is OK..." --result OK --color GREEN Display --indent 2 --text "- Checking if everything is OK..." --result "${STATUS_OK}" --color GREEN
Display --indent 4 --text "This shows one level deeper " --result NOTICE --color YELLOW Display --indent 4 --text "This shows one level deeper " --result "${STATUS_NO}"TICE --color YELLOW
Display --indent 6 --text "And even deeper" --result WARNING --color RED Display --indent 6 --text "And even deeper" --result "${STATUS_WARNING}" --color RED
# Here we could add specific tests, like testing for a directory # Here we could add specific tests, like testing for a directory
# Most tests use the "if-then-else". If something is true, take one step, otherwise the other. # Most tests use the "if-then-else". If something is true, take one step, otherwise the other.
@ -54,12 +54,12 @@
# Only match one value # Only match one value
"Linux") "Linux")
LogText "Found Linux" LogText "Found Linux"
Display --indent 2 --text "OS: Linux" --result OK --color GREEN Display --indent 2 --text "OS: Linux" --result "${STATUS_OK}" --color GREEN
;; ;;
# Matching several platforms # Matching several platforms
"FreeBSD" | "NetBSD" | "OpenBSD") "FreeBSD" | "NetBSD" | "OpenBSD")
LogText "Found an operating system based on BSD" LogText "Found an operating system based on BSD"
Display --indent 2 --text "OS: *BSD" --result OK --color GREEN Display --indent 2 --text "OS: *BSD" --result "${STATUS_OK}" --color GREEN
;; ;;
# Catch-all for unknown values # Catch-all for unknown values
*) *)
@ -96,9 +96,9 @@
fi fi
if [ ${FOUNDPROBLEM} -eq 0 ]; then if [ ${FOUNDPROBLEM} -eq 0 ]; then
Display --indent 2 --text "- Checking if everything is OK..." --result OK --color GREEN Display --indent 2 --text "- Checking if everything is OK..." --result "${STATUS_OK}" --color GREEN
else else
Display --indent 2 --text "- Checking if everything is OK..." --result WARNING --color RED Display --indent 2 --text "- Checking if everything is OK..." --result "${STATUS_WARNING}" --color RED
ReportSuggestion ${TEST_NO} "This is a suggestion" ReportSuggestion ${TEST_NO} "This is a suggestion"
fi fi
fi fi
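Review bot: In the first hunk the example line now reads `--result "${STATUS_NO}"TICE`, so the replacement of `NO` matched inside the word `NOTICE`. The displayed value becomes whatever `STATUS_NO` holds followed by the literal `TICE`, which only looks right while that variable is the English `NO`. Restore the literal, `--result NOTICE --color YELLOW`, or add a dedicated notice string alongside the other status variables, whose definitions are not visible here. This file reads like the template for custom tests, so the broken line is likely to be copied into new tests.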


@ -37,10 +37,10 @@
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
FIND=`${PSBINARY} ax | egrep "mysqld|mysqld_safe" | grep -v "grep"` FIND=`${PSBINARY} ax | egrep "mysqld|mysqld_safe" | grep -v "grep"`
if [ "${FIND}" = "" ]; then if [ "${FIND}" = "" ]; then
if [ ${DEBUG} -eq 1 ]; then Display --indent 2 --text "- MySQL process status" --result "NOT FOUND" --color WHITE --debug; fi if [ ${DEBUG} -eq 1 ]; then Display --indent 2 --text "- MySQL process status" --result "${STATUS_NOT_FOUND}" --color WHITE --debug; fi
LogText "Result: MySQL process not active" LogText "Result: MySQL process not active"
else else
Display --indent 2 --text "- MySQL process status" --result "FOUND" --color GREEN Display --indent 2 --text "- MySQL process status" --result "${STATUS_FOUND}" --color GREEN
LogText "Result: MySQL is active" LogText "Result: MySQL is active"
MYSQL_RUNNING=1 MYSQL_RUNNING=1
Report "mysql_running=${MYSQL_RUNNING}" Report "mysql_running=${MYSQL_RUNNING}"
@ -76,11 +76,11 @@
if [ "${FIND}" = "0" ]; then if [ "${FIND}" = "0" ]; then
LogText "Result: Login succeeded, no MySQL root password set!" LogText "Result: Login succeeded, no MySQL root password set!"
ReportWarning ${TEST_NO} "H" "No MySQL root password set" ReportWarning ${TEST_NO} "H" "No MySQL root password set"
Display --indent 4 --text "- Checking empty MySQL root password" --result WARNING --color RED Display --indent 4 --text "- Checking empty MySQL root password" --result "${STATUS_WARNING}" --color RED
AddHP 0 5 AddHP 0 5
else else
LogText "Result: Login did not succeed, so a MySQL root password is set" LogText "Result: Login did not succeed, so a MySQL root password is set"
Display --indent 4 --text "- Checking MySQL root password" --result OK --color GREEN Display --indent 4 --text "- Checking MySQL root password" --result "${STATUS_OK}" --color GREEN
AddHP 2 2 AddHP 2 2
fi fi
else else
@ -94,12 +94,12 @@
Register --test-no DBS-1826 --weight L --network NO --description "Checking active PostgreSQL processes" Register --test-no DBS-1826 --weight L --network NO --description "Checking active PostgreSQL processes"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
if IsRunning "postgres:"; then if IsRunning "postgres:"; then
Display --indent 2 --text "- PostgreSQL processes status" --result "FOUND" --color GREEN Display --indent 2 --text "- PostgreSQL processes status" --result "${STATUS_FOUND}" --color GREEN
LogText "Result: PostgreSQL is active" LogText "Result: PostgreSQL is active"
POSTGRESQL_RUNNING=1 POSTGRESQL_RUNNING=1
Report "postgresql_running=${POSTGRESQL_RUNNING}" Report "postgresql_running=${POSTGRESQL_RUNNING}"
else else
if [ ${DEBUG} -eq 1 ]; then Display --indent 2 --text "- PostgreSQL processes status" --result "NOT FOUND" --color WHITE --debug; fi if [ ${DEBUG} -eq 1 ]; then Display --indent 2 --text "- PostgreSQL processes status" --result "${STATUS_NOT_FOUND}" --color WHITE --debug; fi
LogText "Result: PostgreSQL process not active" LogText "Result: PostgreSQL process not active"
fi fi
fi fi
@ -120,10 +120,10 @@
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
FIND=`${PSBINARY} ax | egrep "ora_pmon|ora_smon|tnslsnr" | grep -v "grep"` FIND=`${PSBINARY} ax | egrep "ora_pmon|ora_smon|tnslsnr" | grep -v "grep"`
if [ "${FIND}" = "" ]; then if [ "${FIND}" = "" ]; then
if [ ${DEBUG} -eq 1 ]; then Display --indent 2 --text "- Oracle processes status" --result "NOT FOUND" --color WHITE --debug; fi if [ ${DEBUG} -eq 1 ]; then Display --indent 2 --text "- Oracle processes status" --result "${STATUS_NOT_FOUND}" --color WHITE --debug; fi
LogText "Result: Oracle process(es) not active" LogText "Result: Oracle process(es) not active"
else else
Display --indent 2 --text "- Oracle processes status" --result "FOUND" --color GREEN Display --indent 2 --text "- Oracle processes status" --result "${STATUS_FOUND}" --color GREEN
LogText "Result: Oracle is active" LogText "Result: Oracle is active"
ORACLE_RUNNING=1 ORACLE_RUNNING=1
Report "oracle_running=${ORACLE_RUNNING}" Report "oracle_running=${ORACLE_RUNNING}"
@ -148,12 +148,12 @@
Register --test-no DBS-1860 --weight L --network NO --description "Checking active DB2 instances" Register --test-no DBS-1860 --weight L --network NO --description "Checking active DB2 instances"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
if IsRunning db2sysc; then if IsRunning db2sysc; then
Display --indent 2 --text "- DB2 instance running" --result "FOUND" --color GREEN Display --indent 2 --text "- DB2 instance running" --result "${STATUS_FOUND}" --color GREEN
LogText "Result: At least one DB2 instance is running" LogText "Result: At least one DB2 instance is running"
DB2_RUNNING=1 DB2_RUNNING=1
Report "db2_running=${DB2_RUNNING}" Report "db2_running=${DB2_RUNNING}"
else else
if [ ${DEBUG} -eq 1 ]; then Display --indent 2 --text "- DB2 instance running" --result "NOT FOUND" --color WHITE --debug; fi if [ ${DEBUG} -eq 1 ]; then Display --indent 2 --text "- DB2 instance running" --result "${STATUS_NOT_FOUND}" --color WHITE --debug; fi
LogText "Result: No DB2 instances are running" LogText "Result: No DB2 instances are running"
fi fi
fi fi


@ -39,10 +39,10 @@
Report "file_integrity_tool[]=afick" Report "file_integrity_tool[]=afick"
FILE_INT_TOOL="afick" FILE_INT_TOOL="afick"
FILE_INT_TOOL_FOUND=1 FILE_INT_TOOL_FOUND=1
Display --indent 4 --text "- AFICK" --result FOUND --color GREEN Display --indent 4 --text "- AFICK" --result "${STATUS_FOUND}" --color GREEN
else else
LogText "Result: AFICK is not installed" LogText "Result: AFICK is not installed"
if IsVerbose; then Display --indent 4 --text "- AFICK" --result "NOT FOUND" --color WHITE; fi if IsVerbose; then Display --indent 4 --text "- AFICK" --result "${STATUS_NOT_FOUND}" --color WHITE; fi
fi fi
fi fi
# #
@ -58,10 +58,10 @@
Report "file_integrity_tool[]=aide" Report "file_integrity_tool[]=aide"
FILE_INT_TOOL="aide" FILE_INT_TOOL="aide"
FILE_INT_TOOL_FOUND=1 FILE_INT_TOOL_FOUND=1
Display --indent 4 --text "- AIDE" --result FOUND --color GREEN Display --indent 4 --text "- AIDE" --result "${STATUS_FOUND}" --color GREEN
else else
LogText "Result: AIDE is not installed" LogText "Result: AIDE is not installed"
if IsVerbose; then Display --indent 4 --text "- AIDE" --result "NOT FOUND" --color WHITE; fi if IsVerbose; then Display --indent 4 --text "- AIDE" --result "${STATUS_NOT_FOUND}" --color WHITE; fi
fi fi
fi fi
# #
@ -81,14 +81,14 @@
fi fi
done done
if [ "${AIDECONFIG}" = "" ]; then if [ "${AIDECONFIG}" = "" ]; then
Display --indent 6 --text "- AIDE config file" --result "NOT FOUND" --color YELLOW Display --indent 6 --text "- AIDE config file" --result "${STATUS_NOT_FOUND}" --color YELLOW
else else
LogText "Checking configuration file ${AIDECONFIG} for errors" LogText "Checking configuration file ${AIDECONFIG} for errors"
FIND=$(${AIDEBINARY} --config=${AIDECONFIG} -D) FIND=$(${AIDEBINARY} --config=${AIDECONFIG} -D)
if [ $? -eq 0 ]; then if [ $? -eq 0 ]; then
Display --indent 6 --text "- AIDE config file" --result FOUND --color GREEN Display --indent 6 --text "- AIDE config file" --result "${STATUS_FOUND}" --color GREEN
else else
Display --indent 6 --text "- AIDE config file" --result WARNING --color YELLOW Display --indent 6 --text "- AIDE config file" --result "${STATUS_WARNING}" --color YELLOW
ReportSuggestion "${TEST_NO}" "Check the AIDE configuratio file as it may contain errors" ReportSuggestion "${TEST_NO}" "Check the AIDE configuratio file as it may contain errors"
fi fi
fi fi
@ -106,10 +106,10 @@
Report "file_integrity_tool[]=osiris" Report "file_integrity_tool[]=osiris"
FILE_INT_TOOL="osiris" FILE_INT_TOOL="osiris"
FILE_INT_TOOL_FOUND=1 FILE_INT_TOOL_FOUND=1
Display --indent 4 --text "- Osiris" --result FOUND --color GREEN Display --indent 4 --text "- Osiris" --result "${STATUS_FOUND}" --color GREEN
else else
LogText "Result: Osiris is not installed" LogText "Result: Osiris is not installed"
if IsVerbose; then Display --indent 4 --text "- Osiris" --result "NOT FOUND" --color WHITE; fi if IsVerbose; then Display --indent 4 --text "- Osiris" --result "${STATUS_NOT_FOUND}" --color WHITE; fi
fi fi
fi fi
# #
@ -125,10 +125,10 @@
Report "file_integrity_tool[]=samhain" Report "file_integrity_tool[]=samhain"
FILE_INT_TOOL="samhain" FILE_INT_TOOL="samhain"
FILE_INT_TOOL_FOUND=1 FILE_INT_TOOL_FOUND=1
Display --indent 4 --text "- Samhain" --result FOUND --color GREEN Display --indent 4 --text "- Samhain" --result "${STATUS_FOUND}" --color GREEN
else else
LogText "Result: Samhain is not installed" LogText "Result: Samhain is not installed"
if IsVerbose; then Display --indent 4 --text "- Samhain" --result "NOT FOUND" --color WHITE; fi if IsVerbose; then Display --indent 4 --text "- Samhain" --result "${STATUS_NOT_FOUND}" --color WHITE; fi
fi fi
fi fi
# #
@ -144,10 +144,10 @@
Report "file_integrity_tool[]=tripwire" Report "file_integrity_tool[]=tripwire"
FILE_INT_TOOL="tripwire" FILE_INT_TOOL="tripwire"
FILE_INT_TOOL_FOUND=1 FILE_INT_TOOL_FOUND=1
Display --indent 4 --text "- Tripwire" --result FOUND --color GREEN Display --indent 4 --text "- Tripwire" --result "${STATUS_FOUND}" --color GREEN
else else
LogText "Result: Tripwire is not installed" LogText "Result: Tripwire is not installed"
if IsVerbose; then Display --indent 4 --text "- Tripwire" --result "NOT FOUND" --color WHITE; fi if IsVerbose; then Display --indent 4 --text "- Tripwire" --result "${STATUS_NOT_FOUND}" --color WHITE; fi
fi fi
fi fi
# #
@ -164,10 +164,10 @@
Report "file_integrity_tool[]=ossec" Report "file_integrity_tool[]=ossec"
FILE_INT_TOOL="ossec-syscheck" FILE_INT_TOOL="ossec-syscheck"
FILE_INT_TOOL_FOUND=1 FILE_INT_TOOL_FOUND=1
Display --indent 4 --text "- OSSEC (syscheck)" --result FOUND --color GREEN Display --indent 4 --text "- OSSEC (syscheck)" --result "${STATUS_FOUND}" --color GREEN
else else
LogText "Result: syscheck (OSSEC) not installed" LogText "Result: syscheck (OSSEC) not installed"
if IsVerbose; then Display --indent 4 --text "- OSSEC" --result "NOT FOUND" --color WHITE; fi if IsVerbose; then Display --indent 4 --text "- OSSEC" --result "${STATUS_NOT_FOUND}" --color WHITE; fi
fi fi
fi fi
# #
@ -184,10 +184,10 @@
Report "file_integrity_tool[]=mtree" Report "file_integrity_tool[]=mtree"
FILE_INT_TOOL="mtree" FILE_INT_TOOL="mtree"
FILE_INT_TOOL_FOUND=1 FILE_INT_TOOL_FOUND=1
Display --indent 4 --text "- mtree" --result FOUND --color GREEN Display --indent 4 --text "- mtree" --result "${STATUS_FOUND}" --color GREEN
else else
LogText "Result: mtree is not installed" LogText "Result: mtree is not installed"
if IsVerbose; then Display --indent 4 --text "- mtree" --result "NOT FOUND" --color WHITE; fi if IsVerbose; then Display --indent 4 --text "- mtree" --result "${STATUS_NOT_FOUND}" --color WHITE; fi
fi fi
fi fi
# #
@ -198,16 +198,16 @@
if [ -f ${CSF_CONFIG} ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if [ -f ${CSF_CONFIG} ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no FINT-4334 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check lfd daemon status" Register --test-no FINT-4334 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check lfd daemon status"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
Display --indent 4 --text "- lfd (CSF)" --result FOUND --color GREEN Display --indent 4 --text "- lfd (CSF)" --result "${STATUS_FOUND}" --color GREEN
IsRunning 'lfd ' IsRunning 'lfd '
if [ ${RUNNING} -eq 1 ]; then if [ ${RUNNING} -eq 1 ]; then
LogText "Result: lfd daemon is running (CSF)" LogText "Result: lfd daemon is running (CSF)"
Report "file_integrity_tool[]=csf-lfd" Report "file_integrity_tool[]=csf-lfd"
Display --indent 6 --text "- LFD (CSF) daemon" --result RUNNING --color GREEN Display --indent 6 --text "- LFD (CSF) daemon" --result "${STATUS_RUNNING}" --color GREEN
FILE_INT_TOOL="csf-lfd" FILE_INT_TOOL="csf-lfd"
FILE_INT_TOOL_FOUND=1 FILE_INT_TOOL_FOUND=1
else else
Display --indent 6 --text "- LFD (CSF) daemon" --result "NOT RUNNING" --color YELLOW Display --indent 6 --text "- LFD (CSF) daemon" --result "${STATUS_NOT_RUNNING}" --color YELLOW
fi fi
fi fi
# #
@ -222,24 +222,24 @@
ENABLED=`grep "^LF_DAEMON = \"1\"" ${CSF_CONFIG}` ENABLED=`grep "^LF_DAEMON = \"1\"" ${CSF_CONFIG}`
if [ ! "${ENABLED}" = "" ]; then if [ ! "${ENABLED}" = "" ]; then
LogText "Result: lfd service is configured to run" LogText "Result: lfd service is configured to run"
Display --indent 6 --text "- Configuration status" --result ENABLED --color GREEN Display --indent 6 --text "- Configuration status" --result "${STATUS_ENABLED}" --color GREEN
else else
LogText "Result: lfd service is configured NOT to run" LogText "Result: lfd service is configured NOT to run"
Display --indent 6 --text "- Configuration status" --result DISABLED --color YELLOW Display --indent 6 --text "- Configuration status" --result "${STATUS_DISABLED}" --color YELLOW
fi fi
ENABLED=`grep "^LF_DIRWATCH =" ${CSF_CONFIG} | awk '{ print $3 }' | sed 's/\"//g'` ENABLED=`grep "^LF_DIRWATCH =" ${CSF_CONFIG} | awk '{ print $3 }' | sed 's/\"//g'`
if [ ! "${ENABLED}" = "0" -a ! "${ENABLED}" = "" ]; then if [ ! "${ENABLED}" = "0" -a ! "${ENABLED}" = "" ]; then
LogText "Result: lfd directory watching is enabled (value: ${ENABLED})" LogText "Result: lfd directory watching is enabled (value: ${ENABLED})"
Display --indent 6 --text "- Temporary directory watches" --result ENABLED --color GREEN Display --indent 6 --text "- Temporary directory watches" --result "${STATUS_ENABLED}" --color GREEN
else else
LogText "Result: lfd directory watching is disabled" LogText "Result: lfd directory watching is disabled"
Display --indent 6 --text "- Temporary directory watches" --result DISABLED --color YELLOW Display --indent 6 --text "- Temporary directory watches" --result "${STATUS_DISABLED}" --color YELLOW
fi fi
ENABLED=`grep "^LF_DIRWATCH_FILE =" ${CSF_CONFIG} | awk '{ print $3 }' | sed 's/\"//g'` ENABLED=`grep "^LF_DIRWATCH_FILE =" ${CSF_CONFIG} | awk '{ print $3 }' | sed 's/\"//g'`
if [ ! "${ENABLED}" = "0" -a ! "${ENABLED}" = "" ]; then if [ ! "${ENABLED}" = "0" -a ! "${ENABLED}" = "" ]; then
Display --indent 6 --text "- Directory/File watches" --result ENABLED --color GREEN Display --indent 6 --text "- Directory/File watches" --result "${STATUS_ENABLED}" --color GREEN
else else
Display --indent 6 --text "- Directory/File watches" --result DISABLED --color YELLOW Display --indent 6 --text "- Directory/File watches" --result "${STATUS_DISABLED}" --color YELLOW
fi fi
fi fi
# #
@ -256,10 +256,10 @@
Report "file_integrity_tool[]=osquery" Report "file_integrity_tool[]=osquery"
FILE_INT_TOOL="osquery" FILE_INT_TOOL="osquery"
FILE_INT_TOOL_FOUND=1 FILE_INT_TOOL_FOUND=1
Display --indent 4 --text "- osquery daemon (syscheck)" --result FOUND --color GREEN Display --indent 4 --text "- osquery daemon (syscheck)" --result "${STATUS_FOUND}" --color GREEN
else else
LogText "Result: syscheck (osquery) not installed" LogText "Result: syscheck (osquery) not installed"
if IsVerbose; then Display --indent 4 --text "- osquery daemon (syscheck)" --result "NOT FOUND" --color WHITE; fi if IsVerbose; then Display --indent 4 --text "- osquery daemon (syscheck)" --result "${STATUS_NOT_FOUND}" --color WHITE; fi
fi fi
fi fi
# #
@ -278,7 +278,7 @@
AddHP 1 3 AddHP 1 3
else else
LogText "Result: Found SHA256 or SHA512 found for creating checksums" LogText "Result: Found SHA256 or SHA512 found for creating checksums"
Display --indent 6 --text "- AIDE config (Checksum)" --result OK --color GREEN Display --indent 6 --text "- AIDE config (Checksum)" --result "${STATUS_OK}" --color GREEN
AddHP 2 2 AddHP 2 2
fi fi
fi fi
@ -292,11 +292,11 @@
LogText "Test: Check if at least on file integrity tool is available/installed" LogText "Test: Check if at least on file integrity tool is available/installed"
if [ ${FILE_INT_TOOL_FOUND} -eq 1 ]; then if [ ${FILE_INT_TOOL_FOUND} -eq 1 ]; then
LogText "Result: found at least one file integrity tool" LogText "Result: found at least one file integrity tool"
Display --indent 2 --text "- Checking presence integrity tool" --result FOUND --color GREEN Display --indent 2 --text "- Checking presence integrity tool" --result "${STATUS_FOUND}" --color GREEN
AddHP 5 5 AddHP 5 5
else else
LogText "Result: No file integrity tools found" LogText "Result: No file integrity tools found"
Display --indent 2 --text "- Checking presence integrity tool" --result "NOT FOUND" --color YELLOW Display --indent 2 --text "- Checking presence integrity tool" --result "${STATUS_NOT_FOUND}" --color YELLOW
ReportSuggestion ${TEST_NO} "Install a file integrity tool to monitor changes to critical and sensitive files" ReportSuggestion ${TEST_NO} "Install a file integrity tool to monitor changes to critical and sensitive files"
AddHP 0 5 AddHP 0 5
fi fi
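Review bot: The new `--result "${STATUS_FOUND}"`, `"${STATUS_NOT_FOUND}"`, `"${STATUS_WARNING}"` and related arguments expand to an empty string when the variable is unset, and nothing in this section shows where the STATUS_* values are defined or that they are loaded before the tests run. If they come from a language file, a missing or partial translation would presumably leave the result column blank, which for rows such as the AIDE config WARNING hides the finding on screen. I would either set English defaults before any language file is read or fall back at the use site, e.g. `--result "${STATUS_WARNING:-WARNING}"`. The same applies to the changed Display lines in the other file sections of this commit.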


@ -42,11 +42,11 @@
LogText " Actual permissions: ${FILEVALUE}" LogText " Actual permissions: ${FILEVALUE}"
LogText " Result: $PERMS" LogText " Result: $PERMS"
if [ "${PERMS}" = "FILE_NOT_FOUND" ]; then if [ "${PERMS}" = "FILE_NOT_FOUND" ]; then
Display --indent 4 --text "${I}" --result "NOT FOUND" --color WHITE Display --indent 4 --text "${I}" --result "${STATUS_NOT_FOUND}" --color WHITE
elif [ "${PERMS}" = "OK" ]; then elif [ "${PERMS}" = "OK" ]; then
Display --indent 4 --text "${I}" --result OK --color GREEN Display --indent 4 --text "${I}" --result "${STATUS_OK}" --color GREEN
elif [ "${PERMS}" = "BAD" ]; then elif [ "${PERMS}" = "BAD" ]; then
Display --indent 4 --text "${I}" --result WARNING --color RED Display --indent 4 --text "${I}" --result "${STATUS_WARNING}" --color RED
ReportWarning ${TEST_NO} "M" "Incorrect permissions for file ${I}" ReportWarning ${TEST_NO} "M" "Incorrect permissions for file ${I}"
else else
LogText "UNKNOWN status for file" LogText "UNKNOWN status for file"
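Review bot: The comparisons `[ "${PERMS}" = "OK" ]`, `"BAD"` and `"FILE_NOT_FOUND"` stay literal while the adjacent Display calls now print `"${STATUS_OK}"` and friends, and no comment says that these are two different kinds of value. PERMS looks like an internal result token (its producer is outside this hunk) and has to stay untranslated, otherwise a localized run would fall through to the `UNKNOWN status for file` branch and the BAD-permissions warning would never be reported. A one-line comment above the chain would prevent that mistake: `# PERMS holds internal tokens (OK/BAD/FILE_NOT_FOUND); only the Display result is translated`. The if/elif chain continues past the end of the hunk.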


@ -51,11 +51,11 @@
FIND=`mount | grep "${I}"` FIND=`mount | grep "${I}"`
if [ ! "${FIND}" = "" ]; then if [ ! "${FIND}" = "" ]; then
LogText "Result: found ${I} as a separated mount point" LogText "Result: found ${I} as a separated mount point"
Display --indent 4 --text "- Checking ${I} mount point" --result OK --color GREEN Display --indent 4 --text "- Checking ${I} mount point" --result "${STATUS_OK}" --color GREEN
AddHP 10 10 AddHP 10 10
else else
LogText "Result: ${I} not found in mount list. Directory most likely stored on / file system" LogText "Result: ${I} not found in mount list. Directory most likely stored on / file system"
Display --indent 4 --text "- Checking ${I} mount point" --result SUGGESTION --color YELLOW Display --indent 4 --text "- Checking ${I} mount point" --result "${STATUS_SUGGESTION}" --color YELLOW
ReportSuggestion ${TEST_NO} "To decrease the impact of a full ${I} file system, place ${I} on a separated partition" ReportSuggestion ${TEST_NO} "To decrease the impact of a full ${I} file system, place ${I} on a separated partition"
AddHP 9 10 AddHP 9 10
fi fi
@ -92,10 +92,10 @@
Report "lvm_volume_group[]=${I}" Report "lvm_volume_group[]=${I}"
done done
LVM_VG_USED=1 LVM_VG_USED=1
Display --indent 2 --text "- Checking LVM volume groups" --result FOUND --color GREEN Display --indent 2 --text "- Checking LVM volume groups" --result "${STATUS_FOUND}" --color GREEN
else else
LogText "Result: no LVM volume groups found" LogText "Result: no LVM volume groups found"
if IsVerbose; then Display --indent 2 --text "- Checking LVM volume groups" --result NONE --color WHITE; fi if IsVerbose; then Display --indent 2 --text "- Checking LVM volume groups" --result "${STATUS_NONE}" --color WHITE; fi
fi fi
fi fi
# #
@ -125,10 +125,10 @@
LogText "Found LVM volume: ${I}" LogText "Found LVM volume: ${I}"
Report "lvm_volume[]=${I}" Report "lvm_volume[]=${I}"
done done
Display --indent 4 --text "- Checking LVM volumes" --result FOUND --color GREEN Display --indent 4 --text "- Checking LVM volumes" --result "${STATUS_FOUND}" --color GREEN
else else
LogText "Result: no LVM volume groups found" LogText "Result: no LVM volume groups found"
Display --indent 4 --text "- Checking LVM volumes" --result NONE --color WHITE Display --indent 4 --text "- Checking LVM volumes" --result "${STATUS_NONE}" --color WHITE
fi fi
fi fi
# #
@ -172,10 +172,10 @@
LogText "Test: Query /etc/fstab for available FFS/UFS mount points" LogText "Test: Query /etc/fstab for available FFS/UFS mount points"
FIND=`awk '{ if ($3 == "ufs" || $3 == "ffs" ) { print $1":"$2":"$3":"$4":" }}' /etc/fstab` FIND=`awk '{ if ($3 == "ufs" || $3 == "ffs" ) { print $1":"$2":"$3":"$4":" }}' /etc/fstab`
if [ "${FIND}" = "" ]; then if [ "${FIND}" = "" ]; then
if IsVerbose; then Display --indent 2 --text "- Querying FFS/UFS mount points (fstab)" --result NONE --color WHITE; fi if IsVerbose; then Display --indent 2 --text "- Querying FFS/UFS mount points (fstab)" --result "${STATUS_NONE}" --color WHITE; fi
LogText "Result: unable to find any single mount point (FFS/UFS)" LogText "Result: unable to find any single mount point (FFS/UFS)"
else else
Display --indent 2 --text "- Querying FFS/UFS mount points (fstab)" --result FOUND --color GREEN Display --indent 2 --text "- Querying FFS/UFS mount points (fstab)" --result "${STATUS_FOUND}" --color GREEN
Report "filesystem[]=ufs" Report "filesystem[]=ufs"
for I in ${FIND}; do for I in ${FIND}; do
LogText "FFS/UFS mount found: ${I}" LogText "FFS/UFS mount found: ${I}"
@ -193,10 +193,10 @@
LogText "Test: Query /etc/fstab for available ZFS mount points" LogText "Test: Query /etc/fstab for available ZFS mount points"
FIND=`mount -p | awk '{ if ($3 == "zfs") { print $1":"$2":"$3":"$4":" }}'` FIND=`mount -p | awk '{ if ($3 == "zfs") { print $1":"$2":"$3":"$4":" }}'`
if [ "${FIND}" = "" ]; then if [ "${FIND}" = "" ]; then
Display --indent 2 --text "- Querying ZFS mount points (mount -p)" --result NONE --color WHITE Display --indent 2 --text "- Querying ZFS mount points (mount -p)" --result "${STATUS_NONE}" --color WHITE
LogText "Result: unable to find any single mount point (ZFS)" LogText "Result: unable to find any single mount point (ZFS)"
else else
Display --indent 2 --text "- Querying ZFS mount points (mount -p)" --result FOUND --color GREEN Display --indent 2 --text "- Querying ZFS mount points (mount -p)" --result "${STATUS_FOUND}" --color GREEN
Report "filesystem[]=zfs" Report "filesystem[]=zfs"
for I in ${FIND}; do for I in ${FIND}; do
LogText "ZFS mount found: ${I}" LogText "ZFS mount found: ${I}"
@ -257,9 +257,9 @@
Report "swap_partition[]=${I},${REAL}," Report "swap_partition[]=${I},${REAL},"
done done
if [ ${FOUND} -eq 1 ]; then if [ ${FOUND} -eq 1 ]; then
Display --indent 2 --text "- Query swap partitions (fstab)" --result OK --color GREEN Display --indent 2 --text "- Query swap partitions (fstab)" --result "${STATUS_OK}" --color GREEN
else else
Display --indent 2 --text "- Query swap partitions (fstab)" --result NONE --color YELLOW Display --indent 2 --text "- Query swap partitions (fstab)" --result "${STATUS_NONE}" --color YELLOW
LogText "Result: no swap partitions found in /etc/fstab" LogText "Result: no swap partitions found in /etc/fstab"
fi fi
fi fi
@ -278,7 +278,7 @@
#FIND=`awk '{ if ($3=="swap" && ($4!="sw" && $4!="swap" && $4!="defaults")) print $1 }' /etc/fstab` #FIND=`awk '{ if ($3=="swap" && ($4!="sw" && $4!="swap" && $4!="defaults")) print $1 }' /etc/fstab`
FIND=`awk '{ if ($3=="swap" && ($4~/sw/ || $4=="defaults")) { print $1 }}' /etc/fstab` FIND=`awk '{ if ($3=="swap" && ($4~/sw/ || $4=="defaults")) { print $1 }}' /etc/fstab`
if [ ! "${FIND}" = "" ]; then if [ ! "${FIND}" = "" ]; then
Display --indent 2 --text "- Testing swap partitions" --result OK --color GREEN Display --indent 2 --text "- Testing swap partitions" --result "${STATUS_OK}" --color GREEN
LogText "Result: all swap partitions have correct options (sw or swap)" LogText "Result: all swap partitions have correct options (sw or swap)"
else else
Display --indent 2 --text "- Testing swap partitions" --result "CHECK NEEDED" --color YELLOW Display --indent 2 --text "- Testing swap partitions" --result "CHECK NEEDED" --color YELLOW
@ -300,10 +300,10 @@
# Search for files only in /tmp, with an access time older than X days # Search for files only in /tmp, with an access time older than X days
FIND=`find /tmp -xdev -type f -atime +${TMP_OLD_DAYS} | sed 's/ /!space!/g'` FIND=`find /tmp -xdev -type f -atime +${TMP_OLD_DAYS} | sed 's/ /!space!/g'`
if [ "${FIND}" = "" ]; then if [ "${FIND}" = "" ]; then
Display --indent 2 --text "- Checking for old files in /tmp" --result OK --color GREEN Display --indent 2 --text "- Checking for old files in /tmp" --result "${STATUS_OK}" --color GREEN
LogText "Result: no files found in /tmp which are older than 3 months" LogText "Result: no files found in /tmp which are older than 3 months"
else else
Display --indent 2 --text "- Checking for old files in /tmp" --result FOUND --color RED Display --indent 2 --text "- Checking for old files in /tmp" --result "${STATUS_FOUND}" --color RED
N=0 N=0
for I in ${FIND}; do for I in ${FIND}; do
FILE=`echo ${I} | sed 's/!space!/ /g'` FILE=`echo ${I} | sed 's/!space!/ /g'`
@ -329,11 +329,11 @@
# Depending on OS, number of field with 'tmp' differs # Depending on OS, number of field with 'tmp' differs
FIND=`ls -l / | tr -s ' ' | awk -F" " '{ if ( $8 == "tmp" || $9 == "tmp" ) { print $1 } }' | cut -c 10` FIND=`ls -l / | tr -s ' ' | awk -F" " '{ if ( $8 == "tmp" || $9 == "tmp" ) { print $1 } }' | cut -c 10`
if [ "${FIND}" = "t" -o "${FIND}" = "T" ]; then if [ "${FIND}" = "t" -o "${FIND}" = "T" ]; then
Display --indent 2 --text "- Checking /tmp sticky bit" --result OK --color GREEN Display --indent 2 --text "- Checking /tmp sticky bit" --result "${STATUS_OK}" --color GREEN
LogText "Result: Sticky bit (${FIND}) found on /tmp directory" LogText "Result: Sticky bit (${FIND}) found on /tmp directory"
AddHP 3 3 AddHP 3 3
else else
Display --indent 2 --text "- Checking /tmp sticky bit" --result WARNING --color RED Display --indent 2 --text "- Checking /tmp sticky bit" --result "${STATUS_WARNING}" --color RED
ReportWarning ${TEST_NO} "H" "No sticky bit found on /tmp directory, which can be dangerous!" ReportWarning ${TEST_NO} "H" "No sticky bit found on /tmp directory, which can be dangerous!"
ReportSuggestion ${TEST_NO} "Consult documentation and place the sticky bit, to prevent users deleting (by other owned) files in the /tmp directory." ReportSuggestion ${TEST_NO} "Consult documentation and place the sticky bit, to prevent users deleting (by other owned) files in the /tmp directory."
AddHP 0 3 AddHP 0 3
@ -402,11 +402,11 @@
LogText "Result: ACL option NOT enabled on root file system" LogText "Result: ACL option NOT enabled on root file system"
LogText "Additional information: if file access need to be more restricted, ACLs could be used. Install the acl utilities and remount the file system with the acl option" LogText "Additional information: if file access need to be more restricted, ACLs could be used. Install the acl utilities and remount the file system with the acl option"
LogText "Activate acl support on and active file system with mount -o remount,acl / and add the acl option to the fstab file" LogText "Activate acl support on and active file system with mount -o remount,acl / and add the acl option to the fstab file"
Display --indent 2 --text "- ACL support root file system" --result DISABLED --color YELLOW Display --indent 2 --text "- ACL support root file system" --result "${STATUS_DISABLED}" --color YELLOW
AddHP 0 1 AddHP 0 1
else else
LogText "Result: ACL option enabled on root file system" LogText "Result: ACL option enabled on root file system"
Display --indent 2 --text "- ACL support root file system" --result ENABLED --color GREEN Display --indent 2 --text "- ACL support root file system" --result "${STATUS_ENABLED}" --color GREEN
AddHP 3 3 AddHP 3 3
fi fi
fi fi
@ -427,7 +427,7 @@
if [ ! "${FIND}" = "" ]; then if [ ! "${FIND}" = "" ]; then
LogText "Result: mount system / is configured with options: ${FIND}" LogText "Result: mount system / is configured with options: ${FIND}"
if [ "${FIND}" = "defaults" ]; then if [ "${FIND}" = "defaults" ]; then
Display --indent 2 --text "- Mount options of /" --result OK --color GREEN Display --indent 2 --text "- Mount options of /" --result "${STATUS_OK}" --color GREEN
else else
Display --indent 2 --text "- Mount options of /" --result "NON DEFAULT" --color YELLOW Display --indent 2 --text "- Mount options of /" --result "NON DEFAULT" --color YELLOW
fi fi
@ -522,7 +522,7 @@
if [ ! "${FIND}" = "" ]; then if [ ! "${FIND}" = "" ]; then
LogText "Result: mount system /var/tmp is configured with options: ${FIND}" LogText "Result: mount system /var/tmp is configured with options: ${FIND}"
if [ "${BIND}" = "YES" ]; then if [ "${BIND}" = "YES" ]; then
Display --indent 2 --text "- /var/tmp is bound to /tmp" --result OK --color GREEN Display --indent 2 --text "- /var/tmp is bound to /tmp" --result "${STATUS_OK}" --color GREEN
LogText "Result : /var/tmp is bind to /tmp" LogText "Result : /var/tmp is bind to /tmp"
else else
Display --indent 2 --text "- /var/tmp is not bound to /tmp" --result "NON DEFAULT" --color YELLOW Display --indent 2 --text "- /var/tmp is not bound to /tmp" --result "NON DEFAULT" --color YELLOW
@ -599,11 +599,11 @@
fi fi
done done
if [ ${FOUND} -eq 1 ]; then if [ ${FOUND} -eq 1 ]; then
Display --indent 2 --text "- Checking Locate database" --result FOUND --color GREEN Display --indent 2 --text "- Checking Locate database" --result "${STATUS_FOUND}" --color GREEN
Report "locate_db=${LOCATE_DB}" Report "locate_db=${LOCATE_DB}"
else else
LogText "Result: database not found" LogText "Result: database not found"
Display --indent 2 --text "- Checking Locate database" --result "NOT FOUND" --color YELLOW Display --indent 2 --text "- Checking Locate database" --result "${STATUS_NOT_FOUND}" --color YELLOW
ReportSuggestion ${TEST_NO} "The database required for 'locate' could not be found. Run 'updatedb' or 'locate.updatedb' to create this file." ReportSuggestion ${TEST_NO} "The database required for 'locate' could not be found. Run 'updatedb' or 'locate.updatedb' to create this file."
fi fi
fi fi
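Review bot: Three result strings in this section are still hard-coded, so they will stay English next to translated rows: `--result "CHECK NEEDED"` on the swap-options test and `--result "NON DEFAULT"` on both the `/` and `/var/tmp` mount-option tests. No STATUS_* variable for them is visible in this commit; I would add two next to the other definitions (names here are only a proposal following the existing pattern) and use `--result "${STATUS_CHECK_NEEDED}"` and `--result "${STATUS_NON_DEFAULT}"`. Leaving them as literals also makes it harder to see at a glance which Display calls were deliberately skipped and which were missed.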


@ -46,13 +46,13 @@
FIREWALL_SOFTWARE="iptables" FIREWALL_SOFTWARE="iptables"
IPTABLES_ACTIVE=1 IPTABLES_ACTIVE=1
IPTABLES_MODULE_ACTIVE=1 IPTABLES_MODULE_ACTIVE=1
Display --indent 2 --text "- Checking iptables kernel module" --result FOUND --color GREEN Display --indent 2 --text "- Checking iptables kernel module" --result "${STATUS_FOUND}" --color GREEN
LogText "Result: Found iptables in loaded kernel modules" LogText "Result: Found iptables in loaded kernel modules"
for I in ${FIND}; do for I in ${FIND}; do
LogText "Found module: ${I}" LogText "Found module: ${I}"
done done
else else
Display --indent 2 --text "- Checking iptables kernel module" --result "NOT FOUND" --color WHITE Display --indent 2 --text "- Checking iptables kernel module" --result "${STATUS_NOT_FOUND}" --color WHITE
# If we can't find an active module, try to find the Linux configuration file and check that # If we can't find an active module, try to find the Linux configuration file and check that
if [ -f /proc/config.gz ]; then if [ -f /proc/config.gz ]; then
@ -80,13 +80,13 @@
IPTABLES_INKERNEL_ACTIVE=1 IPTABLES_INKERNEL_ACTIVE=1
FIREWALL_ACTIVE=1 FIREWALL_ACTIVE=1
FIREWALL_SOFTWARE="iptables" FIREWALL_SOFTWARE="iptables"
Display --indent 2 --text "- Checking iptables in config file" --result FOUND --color GREEN Display --indent 2 --text "- Checking iptables in config file" --result "${STATUS_FOUND}" --color GREEN
else else
LogText "Result: no iptables found in Linux kernel config file" LogText "Result: no iptables found in Linux kernel config file"
fi fi
else else
LogText "Result: no Linux configuration file found" LogText "Result: no Linux configuration file found"
Display --indent 2 --text "- Checking iptables in config file" --result "NOT FOUND" --color WHITE Display --indent 2 --text "- Checking iptables in config file" --result "${STATUS_NOT_FOUND}" --color WHITE
fi fi
fi fi
fi fi
@ -102,7 +102,7 @@
if [ ! "${IPTABLESBINARY}" = "" -a ${IPTABLES_ACTIVE} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if [ ! "${IPTABLESBINARY}" = "" -a ${IPTABLES_ACTIVE} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no FIRE-4508 --preqs-met ${PREQS_MET} --os Linux --weight L --network NO --root-only YES --description "Check used policies of iptables chains" Register --test-no FIRE-4508 --preqs-met ${PREQS_MET} --os Linux --weight L --network NO --root-only YES --description "Check used policies of iptables chains"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
Display --indent 4 --text "- Checking iptables policies of chains" --result FOUND --color GREEN Display --indent 4 --text "- Checking iptables policies of chains" --result "${STATUS_FOUND}" --color GREEN
TABLES="filter" TABLES="filter"
for TABLE in ${TABLES}; do for TABLE in ${TABLES}; do
LogText "Test: gathering information from table ${TABLE}" LogText "Test: gathering information from table ${TABLE}"
@ -155,11 +155,11 @@
# Firewall is active, but clearly needs configuration # Firewall is active, but clearly needs configuration
FIREWALL_EMPTY_RULESET=1 FIREWALL_EMPTY_RULESET=1
LogText "Result: iptables ruleset seems to be empty (found ${FIND} rules)" LogText "Result: iptables ruleset seems to be empty (found ${FIND} rules)"
Display --indent 4 --text "- Checking for empty ruleset" --result WARNING --color RED Display --indent 4 --text "- Checking for empty ruleset" --result "${STATUS_WARNING}" --color RED
ReportWarning ${TEST_NO} "L" "iptables module(s) loaded, but no rules active" ReportWarning ${TEST_NO} "L" "iptables module(s) loaded, but no rules active"
else else
LogText "Result: one or more rules are available (${FIND} rules)" LogText "Result: one or more rules are available (${FIND} rules)"
Display --indent 4 --text "- Checking for empty ruleset" --result OK --color GREEN Display --indent 4 --text "- Checking for empty ruleset" --result "${STATUS_OK}" --color GREEN
fi fi
fi fi
fi fi
@ -173,10 +173,10 @@
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
FIND=`${IPTABLESBINARY} --list --numeric --line-numbers --verbose | awk '{ if ($2=="0") print $1 }' | xargs` FIND=`${IPTABLESBINARY} --list --numeric --line-numbers --verbose | awk '{ if ($2=="0") print $1 }' | xargs`
if [ "${FIND}" = "" ]; then if [ "${FIND}" = "" ]; then
Display --indent 4 --text "- Checking for unused rules" --result OK --color GREEN Display --indent 4 --text "- Checking for unused rules" --result "${STATUS_OK}" --color GREEN
LogText "Result: There are no unused rules present" LogText "Result: There are no unused rules present"
else else
Display --indent 4 --text "- Checking for unused rules" --result FOUND --color YELLOW Display --indent 4 --text "- Checking for unused rules" --result "${STATUS_FOUND}" --color YELLOW
LogText "Result: Found one or more possible unused rules" LogText "Result: Found one or more possible unused rules"
LogText "Description: Unused rules can be a sign that the firewall rules aren't optimized or up-to-date" LogText "Description: Unused rules can be a sign that the firewall rules aren't optimized or up-to-date"
LogText "Note: Sometimes rules aren't triggered but still in use. Keep this in mind before cleaning up rules." LogText "Note: Sometimes rules aren't triggered but still in use. Keep this in mind before cleaning up rules."
@ -201,17 +201,17 @@
if [ ! "${PFCTLBINARY}" = "" ]; then if [ ! "${PFCTLBINARY}" = "" ]; then
FIND=`${PFCTLBINARY} -sa 2>&1 | grep "^Status" | head -1 | awk '{ print $2 }'` FIND=`${PFCTLBINARY} -sa 2>&1 | grep "^Status" | head -1 | awk '{ print $2 }'`
if [ "${FIND}" = "Enabled" ]; then if [ "${FIND}" = "Enabled" ]; then
Display --indent 2 --text "- Checking pf status (pfctl)" --result ENABLED --color GREEN Display --indent 2 --text "- Checking pf status (pfctl)" --result "${STATUS_ENABLED}" --color GREEN
LogText "Result: pf is enabled" LogText "Result: pf is enabled"
PFFOUND=1 PFFOUND=1
AddHP 3 3 AddHP 3 3
else else
if [ "${FIND}" = "Disabled" ]; then if [ "${FIND}" = "Disabled" ]; then
Display --indent 2 --text "- Checking pf status (pfctl)" --result DISABLED --color RED Display --indent 2 --text "- Checking pf status (pfctl)" --result "${STATUS_DISABLED}" --color RED
LogText "Result: pf is disabled" LogText "Result: pf is disabled"
AddHP 0 3 AddHP 0 3
else else
Display --indent 2 --text "- Checking pf status (pfctl)" --result UNKNOWN --color YELLOW Display --indent 2 --text "- Checking pf status (pfctl)" --result "${STATUS_UNKNOWN}" --color YELLOW
ReportException ${TEST_NO} "Unknown status of pf firewall" ReportException ${TEST_NO} "Unknown status of pf firewall"
fi fi
fi fi
@ -236,7 +236,7 @@
IsRunning pflogd IsRunning pflogd
if [ ${RUNNING} -eq 1 ]; then if [ ${RUNNING} -eq 1 ]; then
LogText "Result: found pflog daemon in process list" LogText "Result: found pflog daemon in process list"
Display --indent 4 --text "- Checking pflogd status" --result ACTIVE --color GREEN Display --indent 4 --text "- Checking pflogd status" --result "ACTIVE" --color GREEN
PFFOUND=1 PFFOUND=1
PFLOGDFOUND=1 PFLOGDFOUND=1
else else
@ -267,10 +267,10 @@
# Check results from pfctl # Check results from pfctl
PFWARNINGS=`pfctl -n -f /etc/pf.conf -vvv 2>&1 | grep -i 'warning'` PFWARNINGS=`pfctl -n -f /etc/pf.conf -vvv 2>&1 | grep -i 'warning'`
if [ "${PFWARNINGS}" = "" ]; then if [ "${PFWARNINGS}" = "" ]; then
Display --indent 4 --text "- Checking pf configuration consistency" --result OK --color GREEN Display --indent 4 --text "- Checking pf configuration consistency" --result "${STATUS_OK}" --color GREEN
LogText "Result: no pf filter warnings found" LogText "Result: no pf filter warnings found"
else else
Display --indent 4 --text "- Checking pf configuration consistency" --result WARNING --color RED Display --indent 4 --text "- Checking pf configuration consistency" --result "${STATUS_WARNING}" --color RED
LogText "Result: found one or more warnings in the pf filter rules" LogText "Result: found one or more warnings in the pf filter rules"
ReportWarning ${TEST_NO} "H" "Found one or more warnings in pf configuration file" ReportWarning ${TEST_NO} "H" "Found one or more warnings in pf configuration file"
ReportSuggestion ${TEST_NO} "Run 'pfctl -n -f /etc/pf.conf -vvv' to see available pf warnings" ReportSuggestion ${TEST_NO} "Run 'pfctl -n -f /etc/pf.conf -vvv' to see available pf warnings"
@ -298,7 +298,7 @@
FIREWALL_ACTIVE=1 FIREWALL_ACTIVE=1
FIREWALL_SOFTWARE="csf" FIREWALL_SOFTWARE="csf"
Report "firewall_software[]=csf" Report "firewall_software[]=csf"
Display --indent 2 --text "- Checking CSF status (configuration file)" --result FOUND --color GREEN Display --indent 2 --text "- Checking CSF status (configuration file)" --result "${STATUS_FOUND}" --color GREEN
else else
LogText "Result: ${FILE} does NOT exist" LogText "Result: ${FILE} does NOT exist"
fi fi
@ -313,13 +313,13 @@
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
FIND=`${IPFBINARY} -n -V | grep "^Running" | awk '{ print $2 }'` FIND=`${IPFBINARY} -n -V | grep "^Running" | awk '{ print $2 }'`
if [ "${FIND}" = "yes" ]; then if [ "${FIND}" = "yes" ]; then
Display --indent 4 --text "- Checking ipf status" --result RUNNING --color GREEN Display --indent 4 --text "- Checking ipf status" --result "${STATUS_RUNNING}" --color GREEN
LogText "Result: ipf is enabled and running" LogText "Result: ipf is enabled and running"
FIREWALL_ACTIVE=1 FIREWALL_ACTIVE=1
FIREWALL_SOFTWARE="ipf" FIREWALL_SOFTWARE="ipf"
Report "firewall_software[]=ipf" Report "firewall_software[]=ipf"
else else
Display --indent 4 --text "- Checking ipf status" --result "NOT RUNNING" --color YELLOW Display --indent 4 --text "- Checking ipf status" --result "${STATUS_NOT_RUNNING}" --color YELLOW
LogText "Result: ipf is not running" LogText "Result: ipf is not running"
fi fi
fi fi
@ -334,25 +334,25 @@
# For now, only check for IPv4. # For now, only check for IPv4.
FIND=`${SYSCTLBINARY} net.inet.ip.fw.enable | awk '{ print $2 }'` FIND=`${SYSCTLBINARY} net.inet.ip.fw.enable | awk '{ print $2 }'`
if [ "${FIND}" = "1" ]; then if [ "${FIND}" = "1" ]; then
Display --indent 2 --text "- Checking IPFW status" --result RUNNING --color GREEN Display --indent 2 --text "- Checking IPFW status" --result "${STATUS_RUNNING}" --color GREEN
LogText "Result: IPFW is running for IPv4" LogText "Result: IPFW is running for IPv4"
FIREWALL_ACTIVE=1 FIREWALL_ACTIVE=1
FIREWALL_SOFTWARE="ipfw" FIREWALL_SOFTWARE="ipfw"
Report "firewall_software[]=ipfw" Report "firewall_software[]=ipfw"
IPFW_ENABLED=`service -e | grep -o ipfw` IPFW_ENABLED=`service -e | grep -o ipfw`
if [ "${IPFW_ENABLED}" = "ipfw" ]; then if [ "${IPFW_ENABLED}" = "ipfw" ]; then
Display --indent 4 --text "- IPFW enabled in /etc/rc.conf" --result YES --color GREEN Display --indent 4 --text "- IPFW enabled in /etc/rc.conf" --result "${STATUS_YES}" --color GREEN
LogText "Result: IPFW is enabled at start-up for IPv4" LogText "Result: IPFW is enabled at start-up for IPv4"
else else
Display --indent 4 --text "- ipfw enabled in /etc/rc.conf" --result NO --color YELLOW Display --indent 4 --text "- ipfw enabled in /etc/rc.conf" --result "${STATUS_NO}" --color YELLOW
LogText "Result: IPFW is disabled at start-up for IPv4" LogText "Result: IPFW is disabled at start-up for IPv4"
fi fi
else else
Display --indent 2 --text "- Checking IPFW status" --result "NOT RUNNING" --color YELLOW Display --indent 2 --text "- Checking IPFW status" --result "${STATUS_NOT_RUNNING}" --color YELLOW
LogText "Result: IPFW is not running for IPv4" LogText "Result: IPFW is not running for IPv4"
fi fi
else else
Display --indent 2 --text "- Checking IPFW" --result SKIPPED --color YELLOW Display --indent 2 --text "- Checking IPFW" --result "${STATUS_SKIPPED}" --color YELLOW
ReportException "${TEST_NO}:1" "No IPFW test available (sysctl missing)" ReportException "${TEST_NO}:1" "No IPFW test available (sysctl missing)"
fi fi
fi fi
@ -366,13 +366,13 @@
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
FIND=`/usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate 2> /dev/null | grep "Firewall is enabled"` FIND=`/usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate 2> /dev/null | grep "Firewall is enabled"`
if [ ! "${FIND}" = "" ]; then if [ ! "${FIND}" = "" ]; then
Display --indent 2 --text "- Checking Mac OS X: Application Firewall" --result ENABLED --color GREEN Display --indent 2 --text "- Checking Mac OS X: Application Firewall" --result "${STATUS_ENABLED}" --color GREEN
AddHP 3 3 AddHP 3 3
LogText "Result: application firewall of Mac OS X is enabled" LogText "Result: application firewall of Mac OS X is enabled"
APPLICATION_FIREWALL_ACTIVE=1 APPLICATION_FIREWALL_ACTIVE=1
Report "app_fw[]=macosx-app-fw" Report "app_fw[]=macosx-app-fw"
else else
Display --indent 2 --text "- Checking IPFW" --result DISABLED --color YELLOW Display --indent 2 --text "- Checking IPFW" --result "${STATUS_DISABLED}" --color YELLOW
AddHP 1 3 AddHP 1 3
LogText "Result: application firewall of Mac OS X is disabled" LogText "Result: application firewall of Mac OS X is disabled"
fi fi
@ -422,7 +422,7 @@
Register --test-no FIRE-4590 --weight L --network NO --description "Check firewall status" Register --test-no FIRE-4590 --weight L --network NO --description "Check firewall status"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
if [ ${FIREWALL_ACTIVE} -eq 1 ]; then if [ ${FIREWALL_ACTIVE} -eq 1 ]; then
Display --indent 2 --text "- Checking host based firewall" --result ACTIVE --color GREEN Display --indent 2 --text "- Checking host based firewall" --result "ACTIVE" --color GREEN
LogText "Result: host based firewall or packet filter is active" LogText "Result: host based firewall or packet filter is active"
Report "manual[]=Verify if there is a formal process for testing and applying firewall rules" Report "manual[]=Verify if there is a formal process for testing and applying firewall rules"
Report "manual[]=Verify all traffic is filtered the right way between the different security zones" Report "manual[]=Verify all traffic is filtered the right way between the different security zones"


@ -33,11 +33,11 @@
LogText "Test: Check if one or more compilers can be found on the system" LogText "Test: Check if one or more compilers can be found on the system"
if [ ${COMPILER_INSTALLED} -eq 0 ]; then if [ ${COMPILER_INSTALLED} -eq 0 ]; then
LogText "Result: no compilers found" LogText "Result: no compilers found"
Display --indent 4 --text "- Installed compiler(s)" --result "NOT FOUND" --color GREEN Display --indent 4 --text "- Installed compiler(s)" --result "${STATUS_NOT_FOUND}" --color GREEN
AddHP 3 3 AddHP 3 3
else else
LogText "Result: found installed compiler. See top of logfile which compilers have been found or use grep to filter on 'compiler'" LogText "Result: found installed compiler. See top of logfile which compilers have been found or use grep to filter on 'compiler'"
Display --indent 4 --text "- Installed compiler(s)" --result "FOUND" --color RED Display --indent 4 --text "- Installed compiler(s)" --result "${STATUS_FOUND}" --color RED
AddHP 1 3 AddHP 1 3
fi fi
fi fi
@ -84,7 +84,7 @@
fi fi
#YYY check if compilers have a specific group (like compiler, or NOT root/wheel) #YYY check if compilers have a specific group (like compiler, or NOT root/wheel)
# Display --indent 4 --text "- Installed compiler(s)" --result "FOUND" --color RED # Display --indent 4 --text "- Installed compiler(s)" --result "${STATUS_FOUND}" --color RED
# /usr/bin/*cc* # /usr/bin/*cc*
# /usr/bin/*++* # /usr/bin/*++*
# /usr/bin/ld # /usr/bin/ld
@ -101,11 +101,11 @@
LogText "Test: Check if a malware scanner is installed" LogText "Test: Check if a malware scanner is installed"
if [ ${MALWARE_SCANNER_INSTALLED} -eq 1 ]; then if [ ${MALWARE_SCANNER_INSTALLED} -eq 1 ]; then
LogText "Result: found at least one malware scanner" LogText "Result: found at least one malware scanner"
Display --indent 4 --text "- Installed malware scanner" --result "FOUND" --color GREEN Display --indent 4 --text "- Installed malware scanner" --result "${STATUS_FOUND}" --color GREEN
AddHP 3 3 AddHP 3 3
else else
LogText "Result: no malware scanner found" LogText "Result: no malware scanner found"
Display --indent 4 --text "- Installed malware scanner" --result "NOT FOUND" --color RED Display --indent 4 --text "- Installed malware scanner" --result "${STATUS_NOT_FOUND}" --color RED
ReportSuggestion ${TEST_NO} "Harden the system by installing at least one malware scanner, to perform periodic file system scans" ReportSuggestion ${TEST_NO} "Harden the system by installing at least one malware scanner, to perform periodic file system scans"
AddHP 1 3 AddHP 1 3
fi fi
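Review bot: The result column in the compiler and malware-scanner checks now depends on `${STATUS_FOUND}` and `${STATUS_NOT_FOUND}` being set, and nothing visible here covers the case where they are empty. Their definitions are outside this page, so this is inferred, but if the language strings fail to load, the malware-scanner check would print a blank result with only the colour left to tell pass from fail. A default in the expansion, e.g. `--result "${STATUS_NOT_FOUND:-NOT FOUND}"`, or a single check right after the strings are loaded, would keep the English text as a fallback. The same applies to every `STATUS_*` use in the other files of this commit. The enclosing tests start outside these hunks.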


@ -63,10 +63,10 @@
FIND=`find ${HOMEDIRS} -maxdepth 1 -name ".*history" ! -type f -print` FIND=`find ${HOMEDIRS} -maxdepth 1 -name ".*history" ! -type f -print`
fi fi
if [ "${FIND}" = "" ]; then if [ "${FIND}" = "" ]; then
Display --indent 2 --text "- Checking shell history files" --result OK --color GREEN Display --indent 2 --text "- Checking shell history files" --result "${STATUS_OK}" --color GREEN
LogText "Result: Ok, history files are type 'file'." LogText "Result: Ok, history files are type 'file'."
else else
Display --indent 2 --text "- Checking shell history files" --result WARNING --color RED Display --indent 2 --text "- Checking shell history files" --result "${STATUS_WARNING}" --color RED
LogText "Result: the following files seem to be of the wrong file type:" LogText "Result: the following files seem to be of the wrong file type:"
LogText "Output: ${FIND}" LogText "Output: ${FIND}"
LogText "Info: above files could be redirected files to avoid logging and should be investigated" LogText "Info: above files could be redirected files to avoid logging and should be investigated"
@ -74,7 +74,7 @@
fi fi
LogText "Remarks: History files are normally of the type 'file'. Symbolic links and other types can be riskful." LogText "Remarks: History files are normally of the type 'file'. Symbolic links and other types can be riskful."
else else
Display --indent 2 --text "- Checking shell history files" --result SKIPPED --color WHITE Display --indent 2 --text "- Checking shell history files" --result "${STATUS_SKIPPED}" --color WHITE
LogText "Result: Homedirs is empty, test will be skipped" LogText "Result: Homedirs is empty, test will be skipped"
fi fi
fi fi


@ -40,7 +40,7 @@
IsRunning inetd IsRunning inetd
if [ ${RUNNING} -eq 1 ]; then if [ ${RUNNING} -eq 1 ]; then
LogText "Result: inetd is running" LogText "Result: inetd is running"
Display --indent 2 --text "- Checking inetd status" --result ACTIVE --color GREEN Display --indent 2 --text "- Checking inetd status" --result "ACTIVE" --color GREEN
INETD_ACTIVE=1 INETD_ACTIVE=1
else else
LogText "Result: inetd is NOT running" LogText "Result: inetd is NOT running"
@ -59,10 +59,10 @@
LogText "Test: Searching for file ${INETD_CONFIG_FILE}" LogText "Test: Searching for file ${INETD_CONFIG_FILE}"
if [ -f ${INETD_CONFIG_FILE} ]; then if [ -f ${INETD_CONFIG_FILE} ]; then
LogText "Result: ${INETD_CONFIG_FILE} exists" LogText "Result: ${INETD_CONFIG_FILE} exists"
Display --indent 4 --text "- Checking inetd.conf" --result FOUND --color WHITE Display --indent 4 --text "- Checking inetd.conf" --result "${STATUS_FOUND}" --color WHITE
else else
LogText "Result: ${INETD_CONFIG_FILE} does not exist" LogText "Result: ${INETD_CONFIG_FILE} does not exist"
Display --indent 4 --text "- Checking inetd.conf" --result "NOT FOUND" --color WHITE Display --indent 4 --text "- Checking inetd.conf" --result "${STATUS_NOT_FOUND}" --color WHITE
fi fi
fi fi
# #
@ -77,9 +77,9 @@
LogText "Test: check if all services are disabled if inetd is disabled" LogText "Test: check if all services are disabled if inetd is disabled"
FIND=`grep -v "^#" ${INETD_CONFIG_FILE} | grep -v "^$"` FIND=`grep -v "^#" ${INETD_CONFIG_FILE} | grep -v "^$"`
if [ "${FIND}" = "" ]; then if [ "${FIND}" = "" ]; then
Display --indent 4 --text "- Checking inetd.conf services" --result OK --color GREEN Display --indent 4 --text "- Checking inetd.conf services" --result "${STATUS_OK}" --color GREEN
else else
Display --indent 4 --text "- Checking inetd.conf services" --result SUGGESTION --color YELLOW Display --indent 4 --text "- Checking inetd.conf services" --result "${STATUS_SUGGESTION}" --color YELLOW
ReportSuggestion ${TEST_NO} "Although inetd is not running, make sure no services are enabled in ${INETD_CONFIG_FILE}" ReportSuggestion ${TEST_NO} "Although inetd is not running, make sure no services are enabled in ${INETD_CONFIG_FILE}"
fi fi
fi fi
@ -95,11 +95,11 @@
FIND=`grep "^telnet" ${INETD_CONFIG_FILE}` FIND=`grep "^telnet" ${INETD_CONFIG_FILE}`
if [ "${FIND}" = "" ]; then if [ "${FIND}" = "" ]; then
LogText "Result: telnet not enabled in ${INETD_CONFIG_FILE}" LogText "Result: telnet not enabled in ${INETD_CONFIG_FILE}"
Display --indent 2 --text "- Checking inetd (telnet)" --result "NOT FOUND" --color GREEN Display --indent 2 --text "- Checking inetd (telnet)" --result "${STATUS_NOT_FOUND}" --color GREEN
AddHP 3 3 AddHP 3 3
else else
LogText "Result: telnet enabled in ${INETD_CONFIG_FILE}" LogText "Result: telnet enabled in ${INETD_CONFIG_FILE}"
Display --indent 2 --text "- Checking inetd (telnet)" --result WARNING --color RED Display --indent 2 --text "- Checking inetd (telnet)" --result "${STATUS_WARNING}" --color RED
ReportSuggestion "${TEST_NO}" "Disable telnet in inetd configuration and use SSH instead" ReportSuggestion "${TEST_NO}" "Disable telnet in inetd configuration and use SSH instead"
AddHP 1 3 AddHP 1 3
fi fi
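Review bot: The inetd status line still passes the literal `--result "ACTIVE"`, so this result stays English while every other status in the file is taken from a `STATUS_*` variable. The same literal is left in the pflogd and host-based firewall checks of the firewall file earlier on this page. If no string for it exists yet, add one next to the other status strings and use it here, for example `--result "${STATUS_ACTIVE}"` (name assumed; the definitions are not on this page). Also, in the telnet hunk the screen shows a red warning status but the finding is recorded with `ReportSuggestion`; using `ReportWarning` as the other red results on this page do, or a yellow suggestion status, would keep screen and report in agreement.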


@ -61,7 +61,7 @@
fi fi
else else
LogText "Result: No readlink binary, can't determine where symlink is pointing to" LogText "Result: No readlink binary, can't determine where symlink is pointing to"
Display --indent 2 --text "- Checking default run level" --result UNKNOWN --color YELLOW Display --indent 2 --text "- Checking default run level" --result "${STATUS_UNKNOWN}" --color YELLOW
fi fi
else else
LogText "Result: no systemd found, so trying inittab" LogText "Result: no systemd found, so trying inittab"
@ -71,7 +71,7 @@
LogText "Test: Checking default Linux run level" LogText "Test: Checking default Linux run level"
FIND=`awk -F: '/^id/ { print $2; }' /etc/inittab | head -n 1` FIND=`awk -F: '/^id/ { print $2; }' /etc/inittab | head -n 1`
if [ "${FIND}" = "" ]; then if [ "${FIND}" = "" ]; then
Display --indent 2 --text "- Checking default runlevel" --result UNKNOWN --color YELLOW Display --indent 2 --text "- Checking default runlevel" --result "${STATUS_UNKNOWN}" --color YELLOW
LogText "Result: Can't determine default run level from /etc/inittab" LogText "Result: Can't determine default run level from /etc/inittab"
else else
Display --indent 2 --text "- Checking default run level" --result "${FIND}" --color GREEN Display --indent 2 --text "- Checking default run level" --result "${FIND}" --color GREEN
@ -89,7 +89,7 @@
Display --indent 2 --text "- Checking default run level" --result "RUNLEVEL ${FIND}" --color GREEN Display --indent 2 --text "- Checking default run level" --result "RUNLEVEL ${FIND}" --color GREEN
else else
LogText "Result: Can't determine default run level from who -r" LogText "Result: Can't determine default run level from who -r"
Display --indent 2 --text "- Checking default run level" --result UNKNOWN --color YELLOW Display --indent 2 --text "- Checking default run level" --result "${STATUS_UNKNOWN}" --color YELLOW
fi fi
fi fi
fi fi
@ -140,13 +140,13 @@
fi fi
fi fi
if [ ${FOUND} -eq 1 ]; then if [ ${FOUND} -eq 1 ]; then
Display --indent 4 --text "CPU support: PAE and/or NoeXecute supported" --result FOUND --color GREEN Display --indent 4 --text "CPU support: PAE and/or NoeXecute supported" --result "${STATUS_FOUND}" --color GREEN
else else
Display --indent 4 --text "CPU support: No PAE or NoeXecute supported" --result NONE --color YELLOW Display --indent 4 --text "CPU support: No PAE or NoeXecute supported" --result "${STATUS_NONE}" --color YELLOW
ReportSuggestion ${TEST_NO} "Use a PAE enabled kernel when possible to gain native No eXecute/eXecute Disable support" ReportSuggestion ${TEST_NO} "Use a PAE enabled kernel when possible to gain native No eXecute/eXecute Disable support"
fi fi
else else
Display --indent 4 --text "CPU support: no /proc/cpuinfo" --result SKIPPED --color YELLOW Display --indent 4 --text "CPU support: no /proc/cpuinfo" --result "${STATUS_SKIPPED}" --color YELLOW
LogText "Result: /proc/cpuinfo not found" LogText "Result: /proc/cpuinfo not found"
fi fi
fi fi
@ -172,7 +172,7 @@
LINUX_KERNEL_VERSION=`uname -v` LINUX_KERNEL_VERSION=`uname -v`
Report "linux_kernel_version=${LINUX_KERNEL_VERSION}" Report "linux_kernel_version=${LINUX_KERNEL_VERSION}"
LogText "Result: found kernel version ${LINUX_KERNEL_VERSION}" LogText "Result: found kernel version ${LINUX_KERNEL_VERSION}"
Display --indent 2 --text "- Checking kernel version and release" --result DONE --color GREEN Display --indent 2 --text "- Checking kernel version and release" --result "${STATUS_DONE}" --color GREEN
fi fi
# #
################################################################################# #################################################################################
@ -185,7 +185,7 @@
LogText "Test: checking if kernel is monolithic or modular" LogText "Test: checking if kernel is monolithic or modular"
# Checking if any modules are loaded # Checking if any modules are loaded
FIND=`${LSMODBINARY} | grep -v "^Module" | wc -l | tr -s ' ' | tr -d ' '` FIND=`${LSMODBINARY} | grep -v "^Module" | wc -l | tr -s ' ' | tr -d ' '`
Display --indent 2 --text "- Checking kernel type" --result DONE --color GREEN Display --indent 2 --text "- Checking kernel type" --result "${STATUS_DONE}" --color GREEN
if [ "${FIND}" = "0" ]; then if [ "${FIND}" = "0" ]; then
LogText "Result: Found monolithic kernel" LogText "Result: Found monolithic kernel"
Report "linux_kernel_type=monolithic" Report "linux_kernel_type=monolithic"
@ -208,7 +208,7 @@
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
if [ ! "${LSMODBINARY}" = "" -a -f /proc/modules ]; then if [ ! "${LSMODBINARY}" = "" -a -f /proc/modules ]; then
FIND=`${LSMODBINARY} | awk '{ if ($1!="Module") print $1 }' | sort` FIND=`${LSMODBINARY} | awk '{ if ($1!="Module") print $1 }' | sort`
Display --indent 2 --text "- Checking loaded kernel modules" --result DONE --color GREEN Display --indent 2 --text "- Checking loaded kernel modules" --result "${STATUS_DONE}" --color GREEN
if [ ! "${FIND}" = "" ]; then if [ ! "${FIND}" = "" ]; then
LogText "Loaded modules according lsmod:" LogText "Loaded modules according lsmod:"
N=0 N=0
@ -237,15 +237,15 @@
if [ -f ${CHECKFILE} ]; then if [ -f ${CHECKFILE} ]; then
LINUXCONFIGFILE="${CHECKFILE}" LINUXCONFIGFILE="${CHECKFILE}"
LogText "Result: found config (${LINUXCONFIGFILE})" LogText "Result: found config (${LINUXCONFIGFILE})"
Display --indent 2 --text "- Checking Linux kernel configuration file" --result FOUND --color GREEN Display --indent 2 --text "- Checking Linux kernel configuration file" --result "${STATUS_FOUND}" --color GREEN
elif [ -f /proc/config.gz ]; then elif [ -f /proc/config.gz ]; then
LINUXCONFIGFILE="${CHECKFILE}" LINUXCONFIGFILE="${CHECKFILE}"
LINUXCONFIGFILE_ZIPPED=1 LINUXCONFIGFILE_ZIPPED=1
LogText "Result: found config: /proc/config.gz (compressed)" LogText "Result: found config: /proc/config.gz (compressed)"
Display --indent 2 --text "- Checking Linux kernel configuration file" --result FOUND --color GREEN Display --indent 2 --text "- Checking Linux kernel configuration file" --result "${STATUS_FOUND}" --color GREEN
else else
LogText "Result: no Linux kernel configuration file found in /boot" LogText "Result: no Linux kernel configuration file found in /boot"
Display --indent 2 --text "- Checking Linux kernel configuration file" --result "NOT FOUND" --color WHITE Display --indent 2 --text "- Checking Linux kernel configuration file" --result "${STATUS_NOT_FOUND}" --color WHITE
fi fi
if [ ! "${LINUXCONFIGFILE}" = "" ]; then if [ ! "${LINUXCONFIGFILE}" = "" ]; then
Report "linux_config_file=${LINUXCONFIGFILE}" Report "linux_config_file=${LINUXCONFIGFILE}"
@ -270,11 +270,11 @@
LINUX_KERNEL_IOSCHED=`${GREPTOOL} "CONFIG_DEFAULT_IOSCHED" ${LINUXCONFIGFILE} | awk -F= '{ print $2 }' | sed s/\"//g` LINUX_KERNEL_IOSCHED=`${GREPTOOL} "CONFIG_DEFAULT_IOSCHED" ${LINUXCONFIGFILE} | awk -F= '{ print $2 }' | sed s/\"//g`
if [ ! "${LINUX_KERNEL_IOSCHED}" = "" ]; then if [ ! "${LINUX_KERNEL_IOSCHED}" = "" ]; then
LogText "Result: found IO scheduler '${LINUX_KERNEL_IOSCHED}'" LogText "Result: found IO scheduler '${LINUX_KERNEL_IOSCHED}'"
Display --indent 2 --text "- Checking default I/O kernel scheduler" --result FOUND --color GREEN Display --indent 2 --text "- Checking default I/O kernel scheduler" --result "${STATUS_FOUND}" --color GREEN
Report "linux_kernel_io_scheduler[]=${LINUX_KERNEL_IOSCHED}" Report "linux_kernel_io_scheduler[]=${LINUX_KERNEL_IOSCHED}"
else else
LogText "Result: no default i/o kernel scheduler found" LogText "Result: no default i/o kernel scheduler found"
Display --indent 2 --text "- Checking default I/O kernel scheduler" --result "NOT FOUND" --color WHITE Display --indent 2 --text "- Checking default I/O kernel scheduler" --result "${STATUS_NOT_FOUND}" --color WHITE
fi fi
else else
ReportException "${TEST_NO}" "No valid grep tool found to search kernel settings" ReportException "${TEST_NO}" "No valid grep tool found to search kernel settings"
@ -301,9 +301,9 @@
Report "loaded_kernel_module[]=${I}" Report "loaded_kernel_module[]=${I}"
N=$((N + 1)) N=$((N + 1))
done done
Display --indent 4 --text "Found ${N} kernel modules" --result DONE --color GREEN Display --indent 4 --text "Found ${N} kernel modules" --result "${STATUS_DONE}" --color GREEN
else else
Display --indent 4 --text "Test failed" --result WARNING --color RED Display --indent 4 --text "Test failed" --result "${STATUS_WARNING}" --color RED
LogText "Result: Problem with executing kldstat" LogText "Result: Problem with executing kldstat"
fi fi
else else
@ -325,10 +325,10 @@
LogText "Found module: ${I}" LogText "Found module: ${I}"
Report "loaded_kernel_module[]=${I}" Report "loaded_kernel_module[]=${I}"
done done
Display --indent 2 --text "- Checking Solaris active kernel modules" --result DONE --color GREEN Display --indent 2 --text "- Checking Solaris active kernel modules" --result "${STATUS_DONE}" --color GREEN
else else
LogText "Result: no output" LogText "Result: no output"
Display --indent 2 --text "- Checking Solaris active kernel modules" --result UNKNOWN --color YELLOW Display --indent 2 --text "- Checking Solaris active kernel modules" --result "${STATUS_UNKNOWN}" --color YELLOW
fi fi
fi fi
# #
@ -363,7 +363,7 @@
LogText "Kernel installed: ${FINDINST}" LogText "Kernel installed: ${FINDINST}"
LogText "Kernel candidate: ${FINDCAND}" LogText "Kernel candidate: ${FINDCAND}"
if [ "${FINDINST}" = "" ]; then if [ "${FINDINST}" = "" ]; then
Display --indent 2 --text "- Checking for available kernel update" --result UNKNOWN --color YELLOW Display --indent 2 --text "- Checking for available kernel update" --result "${STATUS_UNKNOWN}" --color YELLOW
LogText "Result: Exception occured, no output from apt-cache policy" LogText "Result: Exception occured, no output from apt-cache policy"
ReportException "${TEST_NO}:01" ReportException "${TEST_NO}:01"
LogText "Exception: apt-cache policy did not return an installed kernel version" LogText "Exception: apt-cache policy did not return an installed kernel version"
@ -375,7 +375,7 @@
LogText "Result: Grsecurity is installed; unable to determine if there's a newer kernel available" LogText "Result: Grsecurity is installed; unable to determine if there's a newer kernel available"
ReportManual "Manually check to confirm you're using a recent kernel and grsecurity patch" ReportManual "Manually check to confirm you're using a recent kernel and grsecurity patch"
else else
Display --indent 2 --text "- Checking for available kernel update" --result OK --color GREEN Display --indent 2 --text "- Checking for available kernel update" --result "${STATUS_OK}" --color GREEN
LogText "Result: no kernel update available" LogText "Result: no kernel update available"
fi fi
else else
@ -403,12 +403,12 @@
FIND2=`grep -v "^#" /etc/security/limits.conf | grep -v "^$" | awk '{ if ($1=="*" && $2=="hard" && $3=="core" && $4=="1") { print "hard core enabled" } }'` FIND2=`grep -v "^#" /etc/security/limits.conf | grep -v "^$" | awk '{ if ($1=="*" && $2=="hard" && $3=="core" && $4=="1") { print "hard core enabled" } }'`
if [ "${FIND1}" = "soft core enabled" -o "${FIND2}" = "hard core enabled" ]; then if [ "${FIND1}" = "soft core enabled" -o "${FIND2}" = "hard core enabled" ]; then
LogText "Result: core dumps (soft or hard) are enabled" LogText "Result: core dumps (soft or hard) are enabled"
Display --indent 2 --text "- Checking core dumps configuration" --result ENABLED --color YELLOW Display --indent 2 --text "- Checking core dumps configuration" --result "${STATUS_ENABLED}" --color YELLOW
AddSuggestion "${TEST_NO}" "Check if core dumps need to be enabled on this system" AddSuggestion "${TEST_NO}" "Check if core dumps need to be enabled on this system"
AddHP 1 2 AddHP 1 2
else else
LogText "Result: core dumps (soft and hard) are both disabled" LogText "Result: core dumps (soft and hard) are both disabled"
Display --indent 2 --text "- Checking core dumps configuration" --result DISABLED --color GREEN Display --indent 2 --text "- Checking core dumps configuration" --result "${STATUS_DISABLED}" --color GREEN
CORE_DUMPS_DISABLED=1 CORE_DUMPS_DISABLED=1
AddHP 3 3 AddHP 3 3
fi fi
@ -583,14 +583,14 @@
# Display discovered status # Display discovered status
if [ ${REBOOT_NEEDED} -eq 0 ]; then if [ ${REBOOT_NEEDED} -eq 0 ]; then
Display --indent 2 --text "- Check if reboot is needed" --result NO --color GREEN Display --indent 2 --text "- Check if reboot is needed" --result "${STATUS_NO}" --color GREEN
AddHP 5 5 AddHP 5 5
elif [ ${REBOOT_NEEDED} -eq 1 ]; then elif [ ${REBOOT_NEEDED} -eq 1 ]; then
Display --indent 2 --text "- Check if reboot is needed" --result YES --color RED Display --indent 2 --text "- Check if reboot is needed" --result "${STATUS_YES}" --color RED
ReportWarning ${TEST_NO} "H" "Reboot of system is most likely needed" ReportWarning ${TEST_NO} "H" "Reboot of system is most likely needed"
AddHP 0 5 AddHP 0 5
else else
Display --indent 2 --text "- Check if reboot is needed" --result UNKNOWN --color YELLOW Display --indent 2 --text "- Check if reboot is needed" --result "${STATUS_UNKNOWN}" --color YELLOW
fi fi
fi fi
# #
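Review bot: In the kernel configuration hunk, the `elif [ -f /proc/config.gz ]` branch assigns `LINUXCONFIGFILE="${CHECKFILE}"`, a path that the preceding `-f ${CHECKFILE}` test has just found missing, while the log line reports /proc/config.gz. As far as this hunk shows, later reads of the kernel configuration would then target a file that is not there, so settings looked up in it would come back empty; the line should read `LINUXCONFIGFILE="/proc/config.gz"`. In the core dump hunk, `AddSuggestion` is called where the rest of the page uses `ReportSuggestion`; unless that function is defined elsewhere, the suggestion is never recorded, and the call should be `ReportSuggestion "${TEST_NO}" "Check if core dumps need to be enabled on this system"`. Both lines are unchanged context in this commit, and the enclosing tests start outside the hunks.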


@ -46,7 +46,7 @@
if [ ! "${tFINDcurvalue}" = "" ]; then if [ ! "${tFINDcurvalue}" = "" ]; then
if [ "${tFINDexpvalue}" = "${tFINDcurvalue}" ]; then if [ "${tFINDexpvalue}" = "${tFINDcurvalue}" ]; then
LogText "Result: sysctl key ${tFINDkey} contains equal expected and current value (${tFINDexpvalue})" LogText "Result: sysctl key ${tFINDkey} contains equal expected and current value (${tFINDexpvalue})"
Display --indent 4 --text "- ${tFINDkey} (exp: ${tFINDexpvalue})" --result OK --color GREEN Display --indent 4 --text "- ${tFINDkey} (exp: ${tFINDexpvalue})" --result "${STATUS_OK}" --color GREEN
AddHP ${tFINDhp} ${tFINDhp} AddHP ${tFINDhp} ${tFINDhp}
else else
LogText "Result: sysctl key ${tFINDkey} has a different value than expected in scan profile. Expected=${tFINDexpvalue}, Real=${tFINDcurvalue}" LogText "Result: sysctl key ${tFINDkey} has a different value than expected in scan profile. Expected=${tFINDexpvalue}, Real=${tFINDcurvalue}"


@ -39,10 +39,10 @@
#YYY add additional slash #YYY add additional slash
IsRunning slapd IsRunning slapd
if [ ${RUNNING} -eq 0 ]; then if [ ${RUNNING} -eq 0 ]; then
Display --indent 2 --text "- Checking OpenLDAP instance" --result "NOT FOUND" --color WHITE Display --indent 2 --text "- Checking OpenLDAP instance" --result "${STATUS_NOT_FOUND}" --color WHITE
LogText "Result: No running slapd process found." LogText "Result: No running slapd process found."
else else
Display --indent 2 --text "- Checking OpenLDAP instance" --result FOUND --color GREEN Display --indent 2 --text "- Checking OpenLDAP instance" --result "${STATUS_FOUND}" --color GREEN
LogText "Result: Found running slapd process" LogText "Result: Found running slapd process"
SLAPDFOUND=1 SLAPDFOUND=1
SLAPD_RUNNING=1 SLAPD_RUNNING=1
@ -67,9 +67,9 @@
done done
# Check if we found a valid location # Check if we found a valid location
if [ ! "${SLAPD_CONF_LOCATION}" = "" ]; then if [ ! "${SLAPD_CONF_LOCATION}" = "" ]; then
Display --indent 4 --text "- Checking slapd.conf" --result FOUND --color GREEN Display --indent 4 --text "- Checking slapd.conf" --result "${STATUS_FOUND}" --color GREEN
else else
Display --indent 4 --text "- Checking slapd.conf" --result "NOT FOUND" --color YELLOW Display --indent 4 --text "- Checking slapd.conf" --result "${STATUS_NOT_FOUND}" --color YELLOW
fi fi
fi fi
# #


@ -45,13 +45,13 @@
LogText "Test: Searching for a logging daemon" LogText "Test: Searching for a logging daemon"
FIND=`${PSBINARY} ax | egrep "syslogd|syslog-ng|metalog|systemd-journal" | grep -v "grep"` FIND=`${PSBINARY} ax | egrep "syslogd|syslog-ng|metalog|systemd-journal" | grep -v "grep"`
if [ "${FIND}" = "" ]; then if [ "${FIND}" = "" ]; then
Display --indent 2 --text "- Checking for a running log daemon" --result WARNING --color RED Display --indent 2 --text "- Checking for a running log daemon" --result "${STATUS_WARNING}" --color RED
LogText "Result: Could not find a syslog daemon like syslog, syslog-ng, rsyslog, metalog, systemd-journal" LogText "Result: Could not find a syslog daemon like syslog, syslog-ng, rsyslog, metalog, systemd-journal"
ReportSuggestion ${TEST_NO} "Check if any syslog daemon is running and correctly configured." ReportSuggestion ${TEST_NO} "Check if any syslog daemon is running and correctly configured."
ReportWarning ${TEST_NO} "H" "No syslog daemon found" ReportWarning ${TEST_NO} "H" "No syslog daemon found"
AddHP 0 3 AddHP 0 3
else else
Display --indent 2 --text "- Checking for a running log daemon" --result OK --color GREEN Display --indent 2 --text "- Checking for a running log daemon" --result "${STATUS_OK}" --color GREEN
LogText "Result: Found a logging daemon" LogText "Result: Found a logging daemon"
SYSLOG_DAEMON_PRESENT=1 SYSLOG_DAEMON_PRESENT=1
SYSLOG_DAEMON_RUNNING=1 SYSLOG_DAEMON_RUNNING=1
@ -69,12 +69,12 @@
IsRunning syslog-ng IsRunning syslog-ng
if [ ${RUNNING} -eq 1 ]; then if [ ${RUNNING} -eq 1 ]; then
LogText "Result: Found syslog-ng in process list" LogText "Result: Found syslog-ng in process list"
Display --indent 4 --text "- Checking Syslog-NG status" --result FOUND --color GREEN Display --indent 4 --text "- Checking Syslog-NG status" --result "${STATUS_FOUND}" --color GREEN
SYSLOG_DAEMON_PRESENT=1 SYSLOG_DAEMON_PRESENT=1
SYSLOG_NG_RUNNING=1 SYSLOG_NG_RUNNING=1
else else
LogText "Result: Syslog-ng NOT found in process list" LogText "Result: Syslog-ng NOT found in process list"
Display --indent 4 --text "- Checking Syslog-NG status" --result "NOT FOUND" --color WHITE Display --indent 4 --text "- Checking Syslog-NG status" --result "${STATUS_NOT_FOUND}" --color WHITE
fi fi
fi fi
# #
@ -88,10 +88,10 @@
FIND=`${SYSLOGNGBINARY} -s; echo $?` FIND=`${SYSLOGNGBINARY} -s; echo $?`
if [ "${FIND}" = "0" ]; then if [ "${FIND}" = "0" ]; then
LogText "Result: Syslog-NG configuration file seems to be consistent" LogText "Result: Syslog-NG configuration file seems to be consistent"
Display --indent 6 --text "- Checking Syslog-NG consistency" --result OK --color GREEN Display --indent 6 --text "- Checking Syslog-NG consistency" --result "${STATUS_OK}" --color GREEN
else else
LogText "Result: Syslog-NG configuration file seems NOT to be consistent" LogText "Result: Syslog-NG configuration file seems NOT to be consistent"
Display --indent 6 --text "- Checking Syslog-NG consistency" --result WARNING --color RED Display --indent 6 --text "- Checking Syslog-NG consistency" --result "${STATUS_WARNING}" --color RED
ReportWarning ${TEST_NO} "L" "Found one or more problems in Syslog-NG configuration file" ReportWarning ${TEST_NO} "L" "Found one or more problems in Syslog-NG configuration file"
ReportSuggestion ${TEST_NO} "Check the Syslog-NG configuration file and/or run a manual consistency check with: syslog-ng -s" ReportSuggestion ${TEST_NO} "Check the Syslog-NG configuration file and/or run a manual consistency check with: syslog-ng -s"
fi fi
@ -106,10 +106,10 @@
LogText "Test: Searching for systemd journal daemon in process list" LogText "Test: Searching for systemd journal daemon in process list"
IsRunning systemd-journal IsRunning systemd-journal
if [ ${RUNNING} -eq 1 ]; then if [ ${RUNNING} -eq 1 ]; then
Display --indent 4 --text "- Checking systemd journal status" --result FOUND --color GREEN Display --indent 4 --text "- Checking systemd journal status" --result "${STATUS_FOUND}" --color GREEN
SYSTEMD_JOURNAL_RUNNING=1 SYSTEMD_JOURNAL_RUNNING=1
else else
Display --indent 4 --text "- Checking systemd journal status" --result "NOT FOUND" --color WHITE Display --indent 4 --text "- Checking systemd journal status" --result "${STATUS_NOT_FOUND}" --color WHITE
fi fi
fi fi
# #
@ -123,12 +123,12 @@
IsRunning metalog IsRunning metalog
if [ ${RUNNING} -eq 1 ]; then if [ ${RUNNING} -eq 1 ]; then
LogText "Result: Found metalog in process list" LogText "Result: Found metalog in process list"
Display --indent 4 --text "- Checking Metalog status" --result FOUND --color GREEN Display --indent 4 --text "- Checking Metalog status" --result "${STATUS_FOUND}" --color GREEN
SYSLOG_DAEMON_PRESENT=1 SYSLOG_DAEMON_PRESENT=1
METALOG_RUNNING=1 METALOG_RUNNING=1
else else
LogText "Result: metalog NOT found in process list" LogText "Result: metalog NOT found in process list"
Display --indent 4 --text "- Checking Metalog status" --result "NOT FOUND" --color WHITE Display --indent 4 --text "- Checking Metalog status" --result "${STATUS_NOT_FOUND}" --color WHITE
fi fi
fi fi
# #
@ -142,12 +142,12 @@
IsRunning rsyslogd IsRunning rsyslogd
if [ ${RUNNING} -eq 1 ]; then if [ ${RUNNING} -eq 1 ]; then
LogText "Result: Found rsyslogd in process list" LogText "Result: Found rsyslogd in process list"
Display --indent 4 --text "- Checking RSyslog status" --result FOUND --color GREEN Display --indent 4 --text "- Checking RSyslog status" --result "${STATUS_FOUND}" --color GREEN
SYSLOG_DAEMON_PRESENT=1 SYSLOG_DAEMON_PRESENT=1
RSYSLOG_RUNNING=1 RSYSLOG_RUNNING=1
else else
LogText "Result: rsyslogd NOT found in process list" LogText "Result: rsyslogd NOT found in process list"
Display --indent 4 --text "- Checking RSyslog status" --result "NOT FOUND" --color WHITE Display --indent 4 --text "- Checking RSyslog status" --result "${STATUS_NOT_FOUND}" --color WHITE
fi fi
fi fi
# #
@ -161,12 +161,12 @@
IsRunning rfc3195d IsRunning rfc3195d
if [ ${RUNNING} -eq 1 ]; then if [ ${RUNNING} -eq 1 ]; then
LogText "Result: Found rfc3195d in process list" LogText "Result: Found rfc3195d in process list"
Display --indent 4 --text "- Checking RFC 3195 daemon status" --result FOUND --color GREEN Display --indent 4 --text "- Checking RFC 3195 daemon status" --result "${STATUS_FOUND}" --color GREEN
SYSLOG_DAEMON_PRESENT=1 SYSLOG_DAEMON_PRESENT=1
RFC3195D_RUNNING=1 RFC3195D_RUNNING=1
else else
LogText "Result: rfc3195d NOT found in process list" LogText "Result: rfc3195d NOT found in process list"
Display --indent 4 --text "- Checking RFC 3195 daemon status" --result "NOT FOUND" --color WHITE Display --indent 4 --text "- Checking RFC 3195 daemon status" --result "${STATUS_NOT_FOUND}" --color WHITE
fi fi
fi fi
# #
@ -187,10 +187,10 @@
IsRunning klogd IsRunning klogd
if [ ${RUNNING} -eq 1 ]; then if [ ${RUNNING} -eq 1 ]; then
LogText "Result: klogd running" LogText "Result: klogd running"
Display --indent 4 --text "- Checking klogd" --result FOUND --color GREEN Display --indent 4 --text "- Checking klogd" --result "${STATUS_FOUND}" --color GREEN
else else
LogText "Result: No klogd found" LogText "Result: No klogd found"
Display --indent 4 --text "- Checking klogd" --result "NOT FOUND" --color RED Display --indent 4 --text "- Checking klogd" --result "${STATUS_NOT_FOUND}" --color RED
ReportWarning ${TEST_NO} "L" "klogd is not running, which could lead to missing kernel messages in log files" ReportWarning ${TEST_NO} "L" "klogd is not running, which could lead to missing kernel messages in log files"
fi fi
else else
@ -208,10 +208,10 @@
# Search for minilogd. It shouldn't be running normally, if another syslog daemon is started # Search for minilogd. It shouldn't be running normally, if another syslog daemon is started
IsRunning minilogd IsRunning minilogd
if [ ${RUNNING} -eq 0 ]; then if [ ${RUNNING} -eq 0 ]; then
Display --indent 4 --text "- Checking minilogd instances" --result "NOT FOUND" --color WHITE Display --indent 4 --text "- Checking minilogd instances" --result "${STATUS_NOT_FOUND}" --color WHITE
LogText "Result: No minilogd is running" LogText "Result: No minilogd is running"
else else
Display --indent 4 --text "- Checking minilogd instances" --result WARNING --color RED Display --indent 4 --text "- Checking minilogd instances" --result "${STATUS_WARNING}" --color RED
LogText "Result: minilogd found in process list" LogText "Result: minilogd found in process list"
# minilogd daemon seems to be running # minilogd daemon seems to be running
ReportWarning ${TEST_NO} "L" "minilogd is running, which should normally not be running" ReportWarning ${TEST_NO} "L" "minilogd is running, which should normally not be running"
@ -241,10 +241,10 @@
LogText "Result: /etc/logrotate.conf found" LogText "Result: /etc/logrotate.conf found"
fi fi
if [ ${LOGROTATE_CONFIG_FOUND} -eq 1 ]; then if [ ${LOGROTATE_CONFIG_FOUND} -eq 1 ]; then
Display --indent 2 --text "- Checking logrotate presence" --result OK --color GREEN Display --indent 2 --text "- Checking logrotate presence" --result "${STATUS_OK}" --color GREEN
LogText "Result: logrotate configuration found" LogText "Result: logrotate configuration found"
else else
Display --indent 2 --text "- Checking logrotate presence" --result WARNING --color RED Display --indent 2 --text "- Checking logrotate presence" --result "${STATUS_WARNING}" --color RED
LogText "Result: No logrotate configuration found" LogText "Result: No logrotate configuration found"
ReportSuggestion ${TEST_NO} "Check if files are properly rotated by a some tool instead of logrotate" ReportSuggestion ${TEST_NO} "Check if files are properly rotated by a some tool instead of logrotate"
fi fi
@ -323,9 +323,9 @@
if [ ${SOLARIS_LOGHOST_FOUND} -eq 1 ]; then if [ ${SOLARIS_LOGHOST_FOUND} -eq 1 ]; then
LogText "Result: loghost entry found and most likely used to send syslog messages" LogText "Result: loghost entry found and most likely used to send syslog messages"
Display --indent 2 --text "- Checking loghost entry" --result OK --color GREEN Display --indent 2 --text "- Checking loghost entry" --result "${STATUS_OK}" --color GREEN
else else
Display --indent 2 --text "- Checking loghost entry" --result WARNING --color RED Display --indent 2 --text "- Checking loghost entry" --result "${STATUS_WARNING}" --color RED
LogText "Result: No loghost entry found" LogText "Result: No loghost entry found"
ReportWarning ${TEST_NO} "L" "No loghost entry found" ReportWarning ${TEST_NO} "L" "No loghost entry found"
ReportSuggestion ${TEST_NO} "Add a loghost entry to /etc/inet/hosts or other name services" ReportSuggestion ${TEST_NO} "Add a loghost entry to /etc/inet/hosts or other name services"
@ -369,7 +369,7 @@
Display --indent 2 --text "- Checking remote logging" --result "NOT ENABLED" --color YELLOW Display --indent 2 --text "- Checking remote logging" --result "NOT ENABLED" --color YELLOW
else else
AddHP 5 5 AddHP 5 5
Display --indent 2 --text "- Checking remote logging" --result ENABLED --color GREEN Display --indent 2 --text "- Checking remote logging" --result "${STATUS_ENABLED}" --color GREEN
fi fi
else else
LogText "Result: test skipped, file ${SYSLOGD_CONF} not found" LogText "Result: test skipped, file ${SYSLOGD_CONF} not found"
@ -384,7 +384,7 @@
Register --test-no LOGG-2160 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking /etc/newsyslog.conf" Register --test-no LOGG-2160 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking /etc/newsyslog.conf"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
LogText "Result: /etc/newsyslog.conf found" LogText "Result: /etc/newsyslog.conf found"
Display --indent 2 --text "- Checking /etc/newsyslog.conf" --result FOUND --color GREEN Display --indent 2 --text "- Checking /etc/newsyslog.conf" --result "${STATUS_FOUND}" --color GREEN
LOGROTATE_CONFIG_FOUND=1 LOGROTATE_CONFIG_FOUND=1
LOGROTATE_TOOL="newsyslog" LOGROTATE_TOOL="newsyslog"
fi fi
@ -406,7 +406,7 @@
LogText "Result: Item ${I} is not a directory" LogText "Result: Item ${I} is not a directory"
fi fi
done done
Display --indent 4 --text "- Checking log directories (newsyslog.conf)" --result DONE --color GREEN Display --indent 4 --text "- Checking log directories (newsyslog.conf)" --result "${STATUS_DONE}" --color GREEN
fi fi
# #
################################################################################# #################################################################################
@ -425,7 +425,7 @@
LogText "Result: Item ${I} is not a file" LogText "Result: Item ${I} is not a file"
fi fi
done done
Display --indent 4 --text "- Checking log files (newsyslog.conf)" --result DONE --color GREEN Display --indent 4 --text "- Checking log files (newsyslog.conf)" --result "${STATUS_DONE}" --color GREEN
fi fi
# #
################################################################################# #################################################################################
@ -443,7 +443,7 @@
LogText "Result: directory ${I} can't be found" LogText "Result: directory ${I} can't be found"
fi fi
done done
Display --indent 2 --text "- Checking log directories (static list)" --result DONE --color GREEN Display --indent 2 --text "- Checking log directories (static list)" --result "${STATUS_DONE}" --color GREEN
fi fi
# #
################################################################################# #################################################################################
@ -459,10 +459,10 @@
LogText "Found logfile: ${I}" LogText "Found logfile: ${I}"
Report "open_logfile[]=${I}" Report "open_logfile[]=${I}"
done done
Display --indent 2 --text "- Checking open log files" --result DONE --color GREEN Display --indent 2 --text "- Checking open log files" --result "${STATUS_DONE}" --color GREEN
else else
LogText "Result: lsof not installed, skipping test" LogText "Result: lsof not installed, skipping test"
Display --indent 2 --text "- Checking open log files" --result SKIPPED --color YELLOW Display --indent 2 --text "- Checking open log files" --result "${STATUS_SKIPPED}" --color YELLOW
# Add suggestion # Add suggestion
fi fi
fi fi
@ -497,7 +497,7 @@
ReportSuggestion ${TEST_NO} "Check what deleted files are still in use and why." ReportSuggestion ${TEST_NO} "Check what deleted files are still in use and why."
else else
LogText "Result: no deleted files found" LogText "Result: no deleted files found"
Display --indent 2 --text "- Checking deleted files in use" --result DONE --color GREEN Display --indent 2 --text "- Checking deleted files in use" --result "${STATUS_DONE}" --color GREEN
fi fi
fi fi
# #
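Review bot: The negative branch of the remote-logging check (hunk @ -369,7) still passes the literal `--result "NOT ENABLED"`, while the positive branch a few lines below now uses `"${STATUS_ENABLED}"`, so one outcome of the same test stays untranslated. Suggest giving it a status variable as well, for example `--result "${STATUS_NOT_ENABLED}"`, added next to the other STATUS_* strings if no such key exists yet (the language file is not visible on this page). The enclosing test starts and ends outside the hunk.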


@ -34,11 +34,11 @@
if [ "${AASTATUSBINARY}" = "" ]; then if [ "${AASTATUSBINARY}" = "" ]; then
APPARMORFOUND=0 APPARMORFOUND=0
LogText "Result: aa-status binary not found, AppArmor not installed" LogText "Result: aa-status binary not found, AppArmor not installed"
Display --indent 2 --text "- Checking presence AppArmor" --result "NOT FOUND" --color WHITE Display --indent 2 --text "- Checking presence AppArmor" --result "${STATUS_NOT_FOUND}" --color WHITE
else else
APPARMORFOUND=1 APPARMORFOUND=1
LogText "Result: aa-status binary found, AppArmor is installed" LogText "Result: aa-status binary found, AppArmor is installed"
Display --indent 2 --text "- Checking presence AppArmor" --result FOUND --color GREEN Display --indent 2 --text "- Checking presence AppArmor" --result "${STATUS_FOUND}" --color GREEN
fi fi
fi fi
# #
@ -60,22 +60,22 @@
if [ ${FIND} -eq 0 ]; then if [ ${FIND} -eq 0 ]; then
MAC_FRAMEWORK_ACTIVE=1 MAC_FRAMEWORK_ACTIVE=1
LogText "Result: AppArmor is enabled and a policy is loaded" LogText "Result: AppArmor is enabled and a policy is loaded"
Display --indent 4 --text "- Checking AppArmor status" --result "ENABLED" --color GREEN Display --indent 4 --text "- Checking AppArmor status" --result "${STATUS_ENABLED}" --color GREEN
elif [ ${FIND} -eq 4 ]; then elif [ ${FIND} -eq 4 ]; then
LogText "Result: Can not determine status, most likely due to lacking permissions" LogText "Result: Can not determine status, most likely due to lacking permissions"
Display --indent 4 --text "- Checking AppArmor status" --result "UNKNOWN" --color RED Display --indent 4 --text "- Checking AppArmor status" --result "${STATUS_UNKNOWN}" --color RED
elif [ ${FIND} -eq 3 ]; then elif [ ${FIND} -eq 3 ]; then
LogText "Result: Can not check control files" LogText "Result: Can not check control files"
Display --indent 4 --text "- Checking AppArmor status" --result "UNKNOWN" --color RED Display --indent 4 --text "- Checking AppArmor status" --result "${STATUS_UNKNOWN}" --color RED
elif [ ${FIND} -eq 2 ]; then elif [ ${FIND} -eq 2 ]; then
LogText "Result: AppArmor is enabled, but no policy is loaded" LogText "Result: AppArmor is enabled, but no policy is loaded"
ReportSuggestion ${TEST_NO} "Disable AppArmor or load a policy" ReportSuggestion ${TEST_NO} "Disable AppArmor or load a policy"
Display --indent 4 --text "- Checking AppArmor status" --result "NON-ACTIVE" --color GREEN Display --indent 4 --text "- Checking AppArmor status" --result "NON-ACTIVE" --color GREEN
elif [ ${FIND} -eq 1 ]; then elif [ ${FIND} -eq 1 ]; then
LogText "Result: AppArmor is disabled" LogText "Result: AppArmor is disabled"
Display --indent 4 --text "- Checking AppArmor status" --result "DISABLED" --color YELLOW Display --indent 4 --text "- Checking AppArmor status" --result "${STATUS_DISABLED}" --color YELLOW
else else
Display --indent 4 --text "- Checking AppArmor status" --result "UNKNOWN" --color RED Display --indent 4 --text "- Checking AppArmor status" --result "${STATUS_UNKNOWN}" --color RED
ReportException "${TEST_NO}:1" "Invalid or unknown AppArmor status detected" ReportException "${TEST_NO}:1" "Invalid or unknown AppArmor status detected"
fi fi
fi fi
@ -90,10 +90,10 @@
LogText "Test: checking if we have sestatus binary" LogText "Test: checking if we have sestatus binary"
if [ ! "${SESTATUSBINARY}" = "" ]; then if [ ! "${SESTATUSBINARY}" = "" ]; then
LogText "Result: found sestatus binary (${SESTATUSBINARY})" LogText "Result: found sestatus binary (${SESTATUSBINARY})"
Display --indent 2 --text "- Checking presence SELinux" --result "FOUND" --color GREEN Display --indent 2 --text "- Checking presence SELinux" --result "${STATUS_FOUND}" --color GREEN
else else
LogText "Result: sestatus binary NOT found" LogText "Result: sestatus binary NOT found"
Display --indent 2 --text "- Checking presence SELinux" --result "NOT FOUND" --color WHITE Display --indent 2 --text "- Checking presence SELinux" --result "${STATUS_NOT_FOUND}" --color WHITE
fi fi
fi fi
# #
@ -111,7 +111,7 @@
LogText "Result: SELinux framework is enabled" LogText "Result: SELinux framework is enabled"
Report "selinux_status=1" Report "selinux_status=1"
SELINUXFOUND=1 SELINUXFOUND=1
Display --indent 4 --text "- Checking SELinux status" --result "ENABLED" --color GREEN Display --indent 4 --text "- Checking SELinux status" --result "${STATUS_ENABLED}" --color GREEN
FIND=`${SESTATUSBINARY} | grep "^Current mode" | awk '{ print $3 }'` FIND=`${SESTATUSBINARY} | grep "^Current mode" | awk '{ print $3 }'`
Report "selinux_mode=${FIND}" Report "selinux_mode=${FIND}"
FIND2=`${SESTATUSBINARY} | grep "^Mode from config file" | awk '{ print $5 }'` FIND2=`${SESTATUSBINARY} | grep "^Mode from config file" | awk '{ print $5 }'`
@ -119,16 +119,16 @@
LogText "Result: mode configured in config file is ${FIND2}" LogText "Result: mode configured in config file is ${FIND2}"
if [ "${FIND}" = "${FIND2}" ]; then if [ "${FIND}" = "${FIND2}" ]; then
LogText "Result: Current SELinux mode is the same as in config file." LogText "Result: Current SELinux mode is the same as in config file."
Display --indent 6 --text "- Checking current mode and config file" --result "OK" --color GREEN Display --indent 6 --text "- Checking current mode and config file" --result "${STATUS_OK}" --color GREEN
else else
LogText "Result: Current SELinux mode (${FIND}) is NOT the same as in config file (${FIND2})." LogText "Result: Current SELinux mode (${FIND}) is NOT the same as in config file (${FIND2})."
ReportWarning ${TEST_NO} "M" "Current SELinux mode is different from config file (current: ${FIND}, config file: ${FIND2})" ReportWarning ${TEST_NO} "M" "Current SELinux mode is different from config file (current: ${FIND}, config file: ${FIND2})"
Display --indent 6 --text "- Checking current mode and config file" --result "WARNING" --color RED Display --indent 6 --text "- Checking current mode and config file" --result "${STATUS_WARNING}" --color RED
fi fi
Display --indent 8 --text "Current SELinux mode: ${FIND}" Display --indent 8 --text "Current SELinux mode: ${FIND}"
else else
LogText "Result: SELinux framework is disabled" LogText "Result: SELinux framework is disabled"
Display --indent 4 --text "- Checking SELinux status" --result "DISABLED" --color YELLOW Display --indent 4 --text "- Checking SELinux status" --result "${STATUS_DISABLED}" --color YELLOW
fi fi
fi fi
# #
@ -150,10 +150,10 @@
fi fi
fi fi
if [ ${GRSEC_FOUND} -eq 1 ]; then if [ ${GRSEC_FOUND} -eq 1 ]; then
Display --indent 2 --text "- Checking presence grsecurity" --result FOUND --color GREEN Display --indent 2 --text "- Checking presence grsecurity" --result "${STATUS_FOUND}" --color GREEN
AddHP 3 3 AddHP 3 3
else else
Display --indent 2 --text "- Checking presence grsecurity" --result "NOT FOUND" --color WHITE Display --indent 2 --text "- Checking presence grsecurity" --result "${STATUS_NOT_FOUND}" --color WHITE
fi fi
fi fi
# #
@ -164,11 +164,11 @@
Register --test-no MACF-6290 --weight L --network NO --description "Check for implemented MAC framework" Register --test-no MACF-6290 --weight L --network NO --description "Check for implemented MAC framework"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
if [ ${MAC_FRAMEWORK_ACTIVE} -eq 1 ]; then if [ ${MAC_FRAMEWORK_ACTIVE} -eq 1 ]; then
Display --indent 2 --text "- Checking for implemented MAC framework" --result OK --color GREEN Display --indent 2 --text "- Checking for implemented MAC framework" --result "${STATUS_OK}" --color GREEN
AddHP 3 3 AddHP 3 3
LogText "Result: found implemented MAC framework" LogText "Result: found implemented MAC framework"
else else
Display --indent 2 --text "- Checking for implemented MAC framework" --result NONE --color YELLOW Display --indent 2 --text "- Checking for implemented MAC framework" --result "${STATUS_NONE}" --color YELLOW
AddHP 2 3 AddHP 2 3
LogText "Result: found no implemented MAC framework" LogText "Result: found no implemented MAC framework"
fi fi
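Review bot: The `FIND -eq 2` branch of the AppArmor status chain (hunk @ -60,22) still passes the literal `--result "NON-ACTIVE"` while every other branch now uses a STATUS_* variable, so this one result stays untranslated. It would be consistent to give it its own variable, for example `--result "${STATUS_NON_ACTIVE}"`, added to the language file if no such key exists (not visible on this page). Separately, that branch logs "AppArmor is enabled, but no policy is loaded" and raises a suggestion, yet it displays in GREEN while the disabled branch uses YELLOW. `--color YELLOW` would keep the on-screen result in line with the log, since with no policy loaded nothing is being confined.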


@ -44,12 +44,12 @@
IsRunning exim IsRunning exim
if [ ${RUNNING} -eq 1 ]; then if [ ${RUNNING} -eq 1 ]; then
LogText "Result: found running Exim process" LogText "Result: found running Exim process"
Display --indent 2 --text "- Checking Exim status" --result RUNNING --color GREEN Display --indent 2 --text "- Checking Exim status" --result "${STATUS_RUNNING}" --color GREEN
EXIM_RUNNING=1 EXIM_RUNNING=1
SMTP_DAEMON="exim" SMTP_DAEMON="exim"
else else
LogText "Result: no running Exim processes found" LogText "Result: no running Exim processes found"
Display --indent 2 --text "- Checking Exim status" --result "NOT FOUND" --color WHITE Display --indent 2 --text "- Checking Exim status" --result "${STATUS_NOT_FOUND}" --color WHITE
fi fi
fi fi
# #
@ -67,12 +67,12 @@
#FIND3=`${PSBINARY} ax | grep "pickup" | grep "postfix" | grep -v "grep"` #FIND3=`${PSBINARY} ax | grep "pickup" | grep "postfix" | grep -v "grep"`
if [ ! "${FIND1}" = "" ]; then if [ ! "${FIND1}" = "" ]; then
LogText "Result: found running Postfix process" LogText "Result: found running Postfix process"
Display --indent 2 --text "- Checking Postfix status" --result RUNNING --color GREEN Display --indent 2 --text "- Checking Postfix status" --result "${STATUS_RUNNING}" --color GREEN
POSTFIX_RUNNING=1 POSTFIX_RUNNING=1
SMTP_DAEMON="postfix" SMTP_DAEMON="postfix"
else else
LogText "Result: no running Postfix processes found" LogText "Result: no running Postfix processes found"
Display --indent 2 --text "- Checking Postfix status" --result "NOT FOUND" --color WHITE Display --indent 2 --text "- Checking Postfix status" --result "${STATUS_NOT_FOUND}" --color WHITE
fi fi
fi fi
# #
@ -83,7 +83,7 @@
if [ ${POSTFIX_RUNNING} -eq 1 -a ! "${POSTFIXBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if [ ${POSTFIX_RUNNING} -eq 1 -a ! "${POSTFIXBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no MAIL-8816 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check Postfix configuration" Register --test-no MAIL-8816 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check Postfix configuration"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
Display --indent 2 --text "- Checking Postfix configuration" --result FOUND --color GREEN Display --indent 2 --text "- Checking Postfix configuration" --result "${STATUS_FOUND}" --color GREEN
POSTFIX_CONFIGDIR=`${POSTCONFBINARY} 2> /dev/null | grep '^config_directory' | awk '{ print $3 }'` POSTFIX_CONFIGDIR=`${POSTCONFBINARY} 2> /dev/null | grep '^config_directory' | awk '{ print $3 }'`
POSTFIX_CONFIGFILE="${POSTFIX_CONFIGDIR}/main.cf" POSTFIX_CONFIGFILE="${POSTFIX_CONFIGDIR}/main.cf"
LogText "Postfix configuration directory: ${POSTFIX_CONFIGDIR}" LogText "Postfix configuration directory: ${POSTFIX_CONFIGDIR}"
@ -110,11 +110,11 @@
if [ ! "${FIND2}" = "" -a ! "${FIND3}" = "" ]; then if [ ! "${FIND2}" = "" -a ! "${FIND3}" = "" ]; then
SHOWWARNING=1 SHOWWARNING=1
else else
Display --indent 4 --text "- Checking Postfix banner" --result OK --color GREEN Display --indent 4 --text "- Checking Postfix banner" --result "${STATUS_OK}" --color GREEN
fi fi
fi fi
if [ ${SHOWWARNING} -eq 1 ]; then if [ ${SHOWWARNING} -eq 1 ]; then
Display --indent 4 --text "- Checking Postfix banner" --result WARNING --color RED Display --indent 4 --text "- Checking Postfix banner" --result "${STATUS_WARNING}" --color RED
LogText "Result: found mail_name in SMTP banner, and/or mail_name contains 'Postfix'." LogText "Result: found mail_name in SMTP banner, and/or mail_name contains 'Postfix'."
ReportWarning ${TEST_NO} "L" "Found mail_name in SMTP banner, and/or mail_name contains 'Postfix'" ReportWarning ${TEST_NO} "L" "Found mail_name in SMTP banner, and/or mail_name contains 'Postfix'"
ReportSuggestion ${TEST_NO} "You are advised to hide the mail_name (option: smtpd_banner) from your postfix configuration. Use postconf -e or change your main.cf file (${POSTFIX_CONFIGFILE})" ReportSuggestion ${TEST_NO} "You are advised to hide the mail_name (option: smtpd_banner) from your postfix configuration. Use postconf -e or change your main.cf file (${POSTFIX_CONFIGFILE})"
@ -131,13 +131,13 @@
IsRunning dovecot IsRunning dovecot
if [ ${RUNNING} -eq 1 ]; then if [ ${RUNNING} -eq 1 ]; then
LogText "Result: found running dovecot process" LogText "Result: found running dovecot process"
Display --indent 2 --text "- Checking Dovecot status" --result RUNNING --color GREEN Display --indent 2 --text "- Checking Dovecot status" --result "${STATUS_RUNNING}" --color GREEN
DOVECOT_RUNNING=1 DOVECOT_RUNNING=1
IMAP_DAEMON="dovecot" IMAP_DAEMON="dovecot"
POP3_DAEMON="dovecot" POP3_DAEMON="dovecot"
else else
LogText "Result: dovecot not found" LogText "Result: dovecot not found"
Display --indent 2 --text "- Checking Dovecot status" --result "NOT FOUND" --color WHITE Display --indent 2 --text "- Checking Dovecot status" --result "${STATUS_NOT_FOUND}" --color WHITE
fi fi
fi fi
# #
@ -151,12 +151,12 @@
IsRunning qmail-smtpd IsRunning qmail-smtpd
if [ ${RUNNING} -eq 1 ]; then if [ ${RUNNING} -eq 1 ]; then
LogText "Result: found running Qmail process" LogText "Result: found running Qmail process"
Display --indent 2 --text "- Checking Qmail status" --result RUNNING --color GREEN Display --indent 2 --text "- Checking Qmail status" --result "${STATUS_RUNNING}" --color GREEN
QMAIL_RUNNING=1 QMAIL_RUNNING=1
SMTP_DAEMON="qmail" SMTP_DAEMON="qmail"
else else
LogText "Result: no running Qmail processes found" LogText "Result: no running Qmail processes found"
Display --indent 2 --text "- Checking Qmail status" --result "NOT FOUND" --color WHITE Display --indent 2 --text "- Checking Qmail status" --result "${STATUS_NOT_FOUND}" --color WHITE
fi fi
fi fi
# #
@ -170,12 +170,12 @@
IsRunning sendmail IsRunning sendmail
if [ ${RUNNING} -eq 1 ]; then if [ ${RUNNING} -eq 1 ]; then
LogText "Result: found running Sendmail process" LogText "Result: found running Sendmail process"
Display --indent 2 --text "- Checking Sendmail status" --result RUNNING --color GREEN Display --indent 2 --text "- Checking Sendmail status" --result "${STATUS_RUNNING}" --color GREEN
SENDMAIL_RUNNING=1 SENDMAIL_RUNNING=1
SMTP_DAEMON="sendmail" SMTP_DAEMON="sendmail"
else else
LogText "Result: no running Sendmail processes found" LogText "Result: no running Sendmail processes found"
Display --indent 2 --text "- Checking Sendmail status" --result "NOT FOUND" --color WHITE Display --indent 2 --text "- Checking Sendmail status" --result "${STATUS_NOT_FOUND}" --color WHITE
fi fi
fi fi
# #
@ -190,12 +190,12 @@
FIND=`${PSBINARY} ax | egrep "(/smtpd|smtpd: \[priv\]|smtpd: smtp)" | grep -v "grep"` FIND=`${PSBINARY} ax | egrep "(/smtpd|smtpd: \[priv\]|smtpd: smtp)" | grep -v "grep"`
if [ ! "${FIND}" = "" ]; then if [ ! "${FIND}" = "" ]; then
LogText "Result: found running smtpd process" LogText "Result: found running smtpd process"
Display --indent 2 --text "- Checking OpenSMTPD status" --result RUNNING --color GREEN Display --indent 2 --text "- Checking OpenSMTPD status" --result "${STATUS_RUNNING}" --color GREEN
OPENSMTPD_RUNNING=1 OPENSMTPD_RUNNING=1
SMTP_DAEMON="opensmtpd" SMTP_DAEMON="opensmtpd"
else else
LogText "Result: smtpd not found" LogText "Result: smtpd not found"
Display --indent 2 --text "- Checking OpenSMTPD status" --result "NOT FOUND" --color WHITE Display --indent 2 --text "- Checking OpenSMTPD status" --result "${STATUS_NOT_FOUND}" --color WHITE
fi fi
fi fi
# #


@ -22,7 +22,7 @@
# #
################################################################################# #################################################################################
# #
InsertSection "Software: Malware scanners" InsertSection "Software: ${SECTION_MALWARE}"
# #
################################################################################# #################################################################################
# #
@ -42,7 +42,7 @@
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: checking presence chkrootkit" LogText "Test: checking presence chkrootkit"
if [ ! "${CHKROOTKITBINARY}" = "" ]; then if [ ! "${CHKROOTKITBINARY}" = "" ]; then
Display --indent 2 --text "- Checking chkrootkit" --result "FOUND" --color GREEN Display --indent 2 --text "- ${GEN_CHECKING} chkrootkit" --result "${STATUS_FOUND}" --color GREEN
LogText "Result: Found ${CHKROOTKITBINARY}" LogText "Result: Found ${CHKROOTKITBINARY}"
MALWARE_SCANNER_INSTALLED=1 MALWARE_SCANNER_INSTALLED=1
AddHP 2 2 AddHP 2 2
@ -60,7 +60,7 @@
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: checking presence Rootkit Hunter" LogText "Test: checking presence Rootkit Hunter"
if [ ! "${RKHUNTERBINARY}" = "" ]; then if [ ! "${RKHUNTERBINARY}" = "" ]; then
Display --indent 2 --text "- Checking Rootkit Hunter" --result "FOUND" --color GREEN Display --indent 2 --text "- ${GEN_CHECKING} Rootkit Hunter" --result "${STATUS_FOUND}" --color GREEN
LogText "Result: Found ${RKHUNTERBINARY}" LogText "Result: Found ${RKHUNTERBINARY}"
MALWARE_SCANNER_INSTALLED=1 MALWARE_SCANNER_INSTALLED=1
AddHP 2 2 AddHP 2 2
@ -78,7 +78,7 @@
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: checking presence LMD" LogText "Test: checking presence LMD"
if [ ! "${LMDBINARY}" = "" ]; then if [ ! "${LMDBINARY}" = "" ]; then
Display --indent 2 --text "- Checking LMD (Linux Malware Detect)" --result "FOUND" --color GREEN Display --indent 2 --text "- ${GEN_CHECKING} LMD (Linux Malware Detect)" --result "${STATUS_FOUND}" --color GREEN
LogText "Result: Found ${LMDBINARY}" LogText "Result: Found ${LMDBINARY}"
MALWARE_SCANNER_INSTALLED=1 MALWARE_SCANNER_INSTALLED=1
AddHP 2 2 AddHP 2 2
@ -101,7 +101,7 @@
IsRunning esets_daemon IsRunning esets_daemon
if [ ${RUNNING} -eq 1 ]; then if [ ${RUNNING} -eq 1 ]; then
FOUND=1 FOUND=1
Display --indent 2 --text "- Checking ESET daemon" --result "FOUND" --color GREEN Display --indent 2 --text "- ${GEN_CHECKING} ESET daemon" --result "${STATUS_FOUND}" --color GREEN
LogText "Result: found ESET security product" LogText "Result: found ESET security product"
ESET_DAEMON_RUNNING=1 ESET_DAEMON_RUNNING=1
MALWARE_SCANNER_INSTALLED=1 MALWARE_SCANNER_INSTALLED=1
@ -121,7 +121,7 @@
fi fi
if [ ${MCAFEE_SCANNER_RUNNING} -eq 1 ]; then if [ ${MCAFEE_SCANNER_RUNNING} -eq 1 ]; then
FOUND=1 FOUND=1
Display --indent 2 --text "- Checking McAfee" --result "FOUND" --color GREEN Display --indent 2 --text "- ${GEN_CHECKING} McAfee" --result "${STATUS_FOUND}" --color GREEN
LogText "Result: Found McAfee" LogText "Result: Found McAfee"
MALWARE_SCANNER_INSTALLED=1 MALWARE_SCANNER_INSTALLED=1
AddHP 2 2 AddHP 2 2
@ -142,7 +142,7 @@
SOPHOS_SCANNER_RUNNING=1 SOPHOS_SCANNER_RUNNING=1
fi fi
if [ ${SOPHOS_SCANNER_RUNNING} -eq 1 ]; then if [ ${SOPHOS_SCANNER_RUNNING} -eq 1 ]; then
Display --indent 2 --text "- Checking Sophos" --result "FOUND" --color GREEN Display --indent 2 --text "- ${GEN_CHECKING} Sophos" --result "${STATUS_FOUND}" --color GREEN
LogText "Result: Found Sophos" LogText "Result: Found Sophos"
MALWARE_SCANNER_INSTALLED=1 MALWARE_SCANNER_INSTALLED=1
AddHP 2 2 AddHP 2 2
@ -162,7 +162,7 @@
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: checking presence clamscan" LogText "Test: checking presence clamscan"
if [ ! "${CLAMSCANBINARY}" = "" ]; then if [ ! "${CLAMSCANBINARY}" = "" ]; then
Display --indent 2 --text "- Checking ClamAV scanner" --result "FOUND" --color GREEN Display --indent 2 --text "- Checking ClamAV scanner" --result "${STATUS_FOUND}" --color GREEN
LogText "Result: Found ${CLAMSCANBINARY}" LogText "Result: Found ${CLAMSCANBINARY}"
MALWARE_SCANNER_INSTALLED=1 MALWARE_SCANNER_INSTALLED=1
CLAMSCAN_INSTALLED=1 CLAMSCAN_INSTALLED=1
@ -181,7 +181,7 @@
LogText "Test: checking running ClamAV daemon (clamd)" LogText "Test: checking running ClamAV daemon (clamd)"
IsRunning clamd IsRunning clamd
if [ ${RUNNING} -eq 1 ]; then if [ ${RUNNING} -eq 1 ]; then
Display --indent 2 --text "- Checking ClamAV daemon" --result "FOUND" --color GREEN Display --indent 2 --text "- ${GEN_CHECKING} ClamAV daemon" --result "${STATUS_FOUND}" --color GREEN
LogText "Result: found running clamd process" LogText "Result: found running clamd process"
MALWARE_SCANNER_INSTALLED=1 MALWARE_SCANNER_INSTALLED=1
CLAMD_RUNNING=1 CLAMD_RUNNING=1
@ -201,11 +201,11 @@
IsRunning freshclam IsRunning freshclam
if [ ${RUNNING} -eq 1 ]; then if [ ${RUNNING} -eq 1 ]; then
FRESHCLAM_DAEMON_RUNNING=1 FRESHCLAM_DAEMON_RUNNING=1
Display --indent 4 --text "- Checking freshclam" --result "FOUND" --color GREEN Display --indent 4 --text "- ${GEN_CHECKING} freshclam" --result "${STATUS_FOUND}" --color GREEN
LogText "Result: found running freshclam process" LogText "Result: found running freshclam process"
AddHP 2 2 AddHP 2 2
else else
Display --indent 4 --text "- Checking freshclam" --result "SUGGESTION" --color YELLOW Display --indent 4 --text "- ${GEN_CHECKING} freshclam" --result "${STATUS_SUGGESTION}" --color YELLOW
LogText "Result: freshclam is not running" LogText "Result: freshclam is not running"
ReportSuggestion ${TEST_NO} "Confirm that freshclam is properly configured and keeps updating the ClamAV database" ReportSuggestion ${TEST_NO} "Confirm that freshclam is properly configured and keeps updating the ClamAV database"
fi fi
@ -221,7 +221,7 @@
CLAMSCANBINARY=`ls /Applications/ClamXav.app/Contents/Resources/ScanningEngine/bin/ 2> /dev/null | grep 'clamscan'` CLAMSCANBINARY=`ls /Applications/ClamXav.app/Contents/Resources/ScanningEngine/bin/ 2> /dev/null | grep 'clamscan'`
if [ ! "${CLAMSCANBINARY}" = "" ]; then if [ ! "${CLAMSCANBINARY}" = "" ]; then
LogText "Result: Found ClamXav clamscan installed" LogText "Result: Found ClamXav clamscan installed"
Display --indent 2 --text "- Checking presence of ClamXav AV scanner" --result "FOUND" --color GREEN Display --indent 2 --text "- ${GEN_CHECKING} ClamXav AV scanner" --result "${STATUS_FOUND}" --color GREEN
MALWARE_SCANNER_INSTALLED=1 MALWARE_SCANNER_INSTALLED=1
CLAMSCAN_INSTALLED=1 CLAMSCAN_INSTALLED=1
AddHP 3 3 AddHP 3 3


@ -22,7 +22,7 @@
# #
################################################################################# #################################################################################
# #
InsertSection "Memory and processes" InsertSection "${SECTION_MEMORY_AND_PROCESSES}"
# #
################################################################################# #################################################################################
# #
@ -32,7 +32,7 @@
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
if [ -f /proc/meminfo ]; then if [ -f /proc/meminfo ]; then
LogText "Result: found /proc/meminfo" LogText "Result: found /proc/meminfo"
Display --indent 2 --text "- Checking /proc/meminfo" --result FOUND --color GREEN Display --indent 2 --text "- Checking /proc/meminfo" --result "${STATUS_FOUND}" --color GREEN
FIND=`awk '/^MemTotal/ { print $2, $3 }' /proc/meminfo` FIND=`awk '/^MemTotal/ { print $2, $3 }' /proc/meminfo`
MEMORY_SIZE=`echo ${FIND} | awk '{ print $1 }'` MEMORY_SIZE=`echo ${FIND} | awk '{ print $1 }'`
MEMORY_UNITS=`echo ${FIND} | awk '{ print $2 }'` MEMORY_UNITS=`echo ${FIND} | awk '{ print $2 }'`
@ -52,14 +52,14 @@
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Searching /usr/sbin/prtconf" LogText "Test: Searching /usr/sbin/prtconf"
if [ -x /usr/sbin/prtconf ]; then if [ -x /usr/sbin/prtconf ]; then
Display --indent 2 --text "- Querying prtconf for installed memory" --result DONE --color GREEN Display --indent 2 --text "- Querying prtconf for installed memory" --result "${STATUS_DONE}" --color GREEN
MEMORY_SIZE=`/usr/sbin/prtconf | grep "^Memory size:" | cut -d ' ' -f3` MEMORY_SIZE=`/usr/sbin/prtconf | grep "^Memory size:" | cut -d ' ' -f3`
MEMORY_UNITS=`/usr/sbin/prtconf | grep "^Memory size:" | cut -d ' ' -f4` MEMORY_UNITS=`/usr/sbin/prtconf | grep "^Memory size:" | cut -d ' ' -f4`
LogText "Result: Found ${MEMORY_SIZE} ${MEMORY_UNITS} memory" LogText "Result: Found ${MEMORY_SIZE} ${MEMORY_UNITS} memory"
Report "memory_size=${MEMORY_SIZE}" Report "memory_size=${MEMORY_SIZE}"
Report "memory_units=${MEMORY_UNITS}" Report "memory_units=${MEMORY_UNITS}"
else else
Display --indent 2 --text "- Querying prtconf for installed memory" --result SKIPPED --color WHITE Display --indent 2 --text "- Querying prtconf for installed memory" --result "${STATUS_SKIPPED}" --color WHITE
LogText "Result: /usr/sbin/prtconf not found" LogText "Result: /usr/sbin/prtconf not found"
fi fi
fi fi
@ -79,11 +79,11 @@
fi fi
if [ "${FIND}" = "" ]; then if [ "${FIND}" = "" ]; then
LogText "Result: no zombie processes found" LogText "Result: no zombie processes found"
Display --indent 2 --text "- Searching for dead/zombie processes" --result OK --color GREEN Display --indent 2 --text "- Searching for dead/zombie processes" --result "${STATUS_OK}" --color GREEN
else else
LogText "Result: found one or more dead or zombie processes" LogText "Result: found one or more dead or zombie processes"
LogText "Output: PIDs ${FIND}" LogText "Output: PIDs ${FIND}"
Display --indent 2 --text "- Searching for dead/zombie processes" --result WARNING --color RED Display --indent 2 --text "- Searching for dead/zombie processes" --result "${STATUS_WARNING}" --color RED
ReportSuggestion ${TEST_NO} "Check the output of ps for dead or zombie processes" ReportSuggestion ${TEST_NO} "Check the output of ps for dead or zombie processes"
fi fi
fi fi
@ -103,12 +103,12 @@
fi fi
if [ "${FIND}" = "" ]; then if [ "${FIND}" = "" ]; then
LogText "Result: No processes were waiting for IO requests to be handled first" LogText "Result: No processes were waiting for IO requests to be handled first"
Display --indent 2 --text "- Searching for IO waiting processes" --result OK --color GREEN Display --indent 2 --text "- Searching for IO waiting processes" --result "${STATUS_OK}" --color GREEN
else else
LogText "Result: found one or more processes which were waiting to get IO requests handled first" LogText "Result: found one or more processes which were waiting to get IO requests handled first"
LogText "More info: processes which show up with the status flag 'D' are often stuck, until a disk IO event finished. This can happen for example with network storage, where the connection or protocol settings are not logtext well configured." LogText "More info: processes which show up with the status flag 'D' are often stuck, until a disk IO event finished. This can happen for example with network storage, where the connection or protocol settings are not logtext well configured."
LogText "Output: PIDs ${FIND}" LogText "Output: PIDs ${FIND}"
Display --indent 2 --text "- Searching for IO waiting processes" --result WARNING --color RED Display --indent 2 --text "- Searching for IO waiting processes" --result "${STATUS_WARNING}" --color RED
ReportSuggestion ${TEST_NO} "Check process listing for processes waiting for IO requests" ReportSuggestion ${TEST_NO} "Check process listing for processes waiting for IO requests"
fi fi
fi fi
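Review bot: The result labels passed to Display now come from `${STATUS_FOUND}`, `${STATUS_OK}`, `${STATUS_WARNING}` and similar variables, and nothing in these hunks guards against one of them being unset or empty. In that case a finding such as the dead/zombie or IO-waiting process warning would be printed in red with a blank label. Where the variables are defined is not visible here; if a language file can omit a key, a default in the expansion keeps the audit output readable, for example `--result "${STATUS_WARNING:-WARNING}"`. The same applies to the converted Display calls in the later file sections of this commit. Both process checks begin above their hunks, so the lines that fill `${FIND}` are not shown.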


@ -49,12 +49,12 @@
FIND=`awk '/^domain/ { print $2 }' /etc/resolv.conf` FIND=`awk '/^domain/ { print $2 }' /etc/resolv.conf`
if [ "${FIND}" = "" ]; then if [ "${FIND}" = "" ]; then
LogText "Result: no default domain found" LogText "Result: no default domain found"
if IsVerbose; then Display --indent 2 --text "- Checking default DNS search domain" --result NONE --color WHITE; fi if IsVerbose; then Display --indent 2 --text "- Checking default DNS search domain" --result "${STATUS_NONE}" --color WHITE; fi
else else
LogText "Result: found default domain" LogText "Result: found default domain"
LogText "Output: ${FIND}" LogText "Output: ${FIND}"
Report "resolv_conf_domain=${FIND}" Report "resolv_conf_domain=${FIND}"
Display --indent 2 --text "- Checking default DNS search domain" --result FOUND --color GREEN Display --indent 2 --text "- Checking default DNS search domain" --result "${STATUS_FOUND}" --color GREEN
RESOLV_DOMAINNAME="${FIND}" RESOLV_DOMAINNAME="${FIND}"
fi fi
fi fi
@ -83,16 +83,16 @@
# Warn if we have more than 6 search domains, which is maximum in most resolvers # Warn if we have more than 6 search domains, which is maximum in most resolvers
if [ ${N} -gt 6 ]; then if [ ${N} -gt 6 ]; then
LogText "Result: Found ${N} search domains" LogText "Result: Found ${N} search domains"
Display --indent 2 --text "- Checking search domains" --result WARNING --color YELLOW Display --indent 2 --text "- Checking search domains" --result "${STATUS_WARNING}" --color YELLOW
ReportWarning ${TEST_NO} "L" "Found more than 6 search domains, which is usually more than the maximum allowed number in most resolvers" ReportWarning ${TEST_NO} "L" "Found more than 6 search domains, which is usually more than the maximum allowed number in most resolvers"
else else
LogText "Result: Found ${N} search domains" LogText "Result: Found ${N} search domains"
Display --indent 2 --text "- Checking search domains" --result FOUND --color GREEN Display --indent 2 --text "- Checking search domains" --result "${STATUS_FOUND}" --color GREEN
fi fi
fi fi
else else
LogText "Result: /etc/resolv.conf does not exist, skipping test" LogText "Result: /etc/resolv.conf does not exist, skipping test"
Display --indent 2 --text "- Checking search domains" --result "NOT FOUND" --color YELLOW Display --indent 2 --text "- Checking search domains" --result "${STATUS_NOT_FOUND}" --color YELLOW
fi fi
# Check amount of search domains (max 1) # Check amount of search domains (max 1)
@ -118,7 +118,7 @@
FIND=`grep "^options" /etc/resolv.conf | awk '{ print $2 }'` FIND=`grep "^options" /etc/resolv.conf | awk '{ print $2 }'`
if [ "${FIND}" = "" ]; then if [ "${FIND}" = "" ]; then
LogText "Result: no specific other options configured in /etc/resolv.conf" LogText "Result: no specific other options configured in /etc/resolv.conf"
if IsVerbose; then Display --indent 2 --text "- Checking /etc/resolv.conf options" --result "NONE" --color WHITE; fi if IsVerbose; then Display --indent 2 --text "- Checking /etc/resolv.conf options" --result "${STATUS_NONE}" --color WHITE; fi
else else
for I in ${FIND}; do for I in ${FIND}; do
LogText "Found option: ${I}" LogText "Found option: ${I}"
@ -126,11 +126,11 @@
#rotate --> add performance tune point #rotate --> add performance tune point
#timeout <3 --> add performe tune point #timeout <3 --> add performe tune point
done done
Display --indent 2 --text "- Checking /etc/resolv.conf options" --result "FOUND" --color GREEN Display --indent 2 --text "- Checking /etc/resolv.conf options" --result "${STATUS_FOUND}" --color GREEN
fi fi
else else
LogText "Result: /etc/resolv.conf not found, test skipped" LogText "Result: /etc/resolv.conf not found, test skipped"
Display --indent 2 --text "- Checking /etc/resolv.conf options" --result "NOT FOUND" --color YELLOW Display --indent 2 --text "- Checking /etc/resolv.conf options" --result "${STATUS_NOT_FOUND}" --color YELLOW
fi fi
fi fi
# #
@ -142,7 +142,7 @@
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
FIND=`uname -n` FIND=`uname -n`
LogText "Result: 'uname -n' returned ${FIND}" LogText "Result: 'uname -n' returned ${FIND}"
Display --indent 2 --text "- Checking uname -n output" --result DONE --color GREEN Display --indent 2 --text "- Checking uname -n output" --result "${STATUS_DONE}" --color GREEN
fi fi
# #
################################################################################# #################################################################################
@ -157,7 +157,7 @@
LogText "Result: file /etc/nodename exists" LogText "Result: file /etc/nodename exists"
FIND=`cat /etc/nodename` FIND=`cat /etc/nodename`
LogText "Output: ${FIND}" LogText "Output: ${FIND}"
Display --indent 2 --text "- Checking /etc/nodename" --result "DONE" --color GREEN Display --indent 2 --text "- Checking /etc/nodename" --result "${STATUS_DONE}" --color GREEN
else else
LogText "Result: file /etc/nodename could not be found" LogText "Result: file /etc/nodename could not be found"
Display --indent 2 --text "- Checking /etc/nodename" --result "NONE FOUND" --color YELLOW Display --indent 2 --text "- Checking /etc/nodename" --result "NONE FOUND" --color YELLOW
@ -216,10 +216,10 @@
if [ ! "${DOMAINNAME}" = "" ]; then if [ ! "${DOMAINNAME}" = "" ]; then
LogText "Result: found domain name" LogText "Result: found domain name"
Report "domainname=${DOMAINNAME}" Report "domainname=${DOMAINNAME}"
Display --indent 2 --text "- Searching DNS domain name" --result "FOUND" --color GREEN Display --indent 2 --text "- Searching DNS domain name" --result "${STATUS_FOUND}" --color GREEN
Display --indent 6 --text "Domain name: ${DOMAINNAME}" Display --indent 6 --text "Domain name: ${DOMAINNAME}"
else else
Display --indent 2 --text "- Searching DNS domain name" --result "UNKNOWN" --color YELLOW Display --indent 2 --text "- Searching DNS domain name" --result "${STATUS_UNKNOWN}" --color YELLOW
ReportSuggestion ${TEST_NO} "Check DNS configuration for the dns domain name" ReportSuggestion ${TEST_NO} "Check DNS configuration for the dns domain name"
fi fi
fi fi
@ -235,10 +235,10 @@
if [ ${RUNNING} -eq 1 ]; then if [ ${RUNNING} -eq 1 ]; then
NAME_CACHE_USED=1 NAME_CACHE_USED=1
LogText "Result: nscd is running" LogText "Result: nscd is running"
Display --indent 2 --text "- Checking nscd status" --result RUNNING --color GREEN Display --indent 2 --text "- Checking nscd status" --result "${STATUS_RUNNING}" --color GREEN
else else
LogText "Result: nscd is not running" LogText "Result: nscd is not running"
if IsVerbose; then Display --indent 2 --text "- Checking nscd status" --result "NOT FOUND" --color WHITE; fi if IsVerbose; then Display --indent 2 --text "- Checking nscd status" --result "${STATUS_NOT_FOUND}" --color WHITE; fi
fi fi
fi fi
# #
@ -254,10 +254,10 @@
UNBOUND_RUNNING=1 UNBOUND_RUNNING=1
NAME_CACHE_USED=1 NAME_CACHE_USED=1
LogText "Result: Unbound daemon is running" LogText "Result: Unbound daemon is running"
Display --indent 2 --text "- Checking Unbound status" --result RUNNING --color GREEN Display --indent 2 --text "- Checking Unbound status" --result "${STATUS_RUNNING}" --color GREEN
else else
LogText "Result: Unbound daemon is not running" LogText "Result: Unbound daemon is not running"
if IsVerbose; then Display --indent 2 --text "- Checking Unbound status" --result "NOT FOUND" --color WHITE; fi if IsVerbose; then Display --indent 2 --text "- Checking Unbound status" --result "${STATUS_NOT_FOUND}" --color WHITE; fi
fi fi
fi fi
# #
@ -276,7 +276,7 @@
if [ $? -eq 0 ]; then if [ $? -eq 0 ]; then
UNBOUND_CONFIG_OK=1 UNBOUND_CONFIG_OK=1
LogText "Result: Configuration is fine" LogText "Result: Configuration is fine"
Display --indent 2 --text "- Checking configuration file" --result OK --color GREEN Display --indent 2 --text "- Checking configuration file" --result "${STATUS_OK}" --color GREEN
else else
LogText "Result: Unbound daemon is not running" LogText "Result: Unbound daemon is not running"
Display --indent 2 --text "- Checking configuration file" --result "NOT OK" --color YELLOW Display --indent 2 --text "- Checking configuration file" --result "NOT OK" --color YELLOW
@ -297,11 +297,11 @@
IsRunning named IsRunning named
if [ ${RUNNING} -eq 1 ]; then if [ ${RUNNING} -eq 1 ]; then
LogText "Result: found BIND process" LogText "Result: found BIND process"
Display --indent 2 --text "- Checking BIND status" --result "FOUND" --color GREEN Display --indent 2 --text "- Checking BIND status" --result "${STATUS_FOUND}" --color GREEN
BIND_RUNNING=1 BIND_RUNNING=1
else else
LogText "Result: BIND not running" LogText "Result: BIND not running"
if IsVerbose; then Display --indent 2 --text "- Checking BIND status" --result "NOT FOUND" --color WHITE; fi if IsVerbose; then Display --indent 2 --text "- Checking BIND status" --result "${STATUS_NOT_FOUND}" --color WHITE; fi
fi fi
fi fi
# #
@ -320,9 +320,9 @@
fi fi
done done
if [ ! "${BIND_CONFIG_LOCATION}" = "" ]; then if [ ! "${BIND_CONFIG_LOCATION}" = "" ]; then
Display --indent 4 --text "- Checking BIND configuration file" --result "FOUND" --color GREEN Display --indent 4 --text "- Checking BIND configuration file" --result "${STATUS_FOUND}" --color GREEN
else else
Display --indent 4 --text "- Checking BIND configuration file" --result "NOT FOUND" --color YELLOW Display --indent 4 --text "- Checking BIND configuration file" --result "${STATUS_NOT_FOUND}" --color YELLOW
fi fi
fi fi
# #
@ -339,10 +339,10 @@
FIND=`${NAMEDCHECKCONFBINARY} ${BIND_CONFIG_LOCATION}; echo $?` FIND=`${NAMEDCHECKCONFBINARY} ${BIND_CONFIG_LOCATION}; echo $?`
if [ "${FIND}" = "0" ]; then if [ "${FIND}" = "0" ]; then
LogText "Result: configuration file ${BIND_CONFIG_LOCATION} seems to be fine" LogText "Result: configuration file ${BIND_CONFIG_LOCATION} seems to be fine"
Display --indent 4 --text "- Checking BIND configuration consistency" --result "OK" --color GREEN Display --indent 4 --text "- Checking BIND configuration consistency" --result "${STATUS_OK}" --color GREEN
else else
LogText "Result: possible errors found in ${BIND_CONFIG_LOCATION}" LogText "Result: possible errors found in ${BIND_CONFIG_LOCATION}"
Display --indent 4 --text "- Checking BIND configuration consistency" --result WARNING --color RED Display --indent 4 --text "- Checking BIND configuration consistency" --result "${STATUS_WARNING}" --color RED
ReportWarning ${TEST_NO} "Errors discovered in BIND configuration file" ReportWarning ${TEST_NO} "Errors discovered in BIND configuration file"
fi fi
else else
@ -368,11 +368,11 @@
FIND=`${DIGBINARY} @localhost version.bind chaos txt | grep "^version.bind" | grep TXT | egrep "[0-9].[0-9].[0-9]*"` FIND=`${DIGBINARY} @localhost version.bind chaos txt | grep "^version.bind" | grep TXT | egrep "[0-9].[0-9].[0-9]*"`
if [ "${FIND}" = "" ]; then if [ "${FIND}" = "" ]; then
LogText "Result: no useful information in banner found" LogText "Result: no useful information in banner found"
Display --indent 4 --text "- Checking BIND version in banner" --result "OK" --color GREEN Display --indent 4 --text "- Checking BIND version in banner" --result "${STATUS_OK}" --color GREEN
AddHP 2 2 AddHP 2 2
else else
LogText "Result: possible BIND version available in version banner" LogText "Result: possible BIND version available in version banner"
Display --indent 4 --text "- Checking BIND version in banner" --result WARNING --color RED Display --indent 4 --text "- Checking BIND version in banner" --result "${STATUS_WARNING}" --color RED
ReportWarning ${TEST_NO} "M" "Found BIND version in banner" ReportWarning ${TEST_NO} "M" "Found BIND version in banner"
ReportSuggestion ${TEST_NO} "The version in BIND can be masked by defining 'version none' in the configuration file" ReportSuggestion ${TEST_NO} "The version in BIND can be masked by defining 'version none' in the configuration file"
AddHP 0 2 AddHP 0 2
@ -410,11 +410,11 @@
IsRunning pdns_server IsRunning pdns_server
if [ ${RUNNING} -eq 1 ]; then if [ ${RUNNING} -eq 1 ]; then
LogText "Result: found PowerDNS process" LogText "Result: found PowerDNS process"
Display --indent 2 --text "- Checking PowerDNS status" --result "RUNNING" --color GREEN Display --indent 2 --text "- Checking PowerDNS status" --result "${STATUS_RUNNING}" --color GREEN
POWERDNS_RUNNING=1 POWERDNS_RUNNING=1
else else
LogText "Result: PowerDNS not running" LogText "Result: PowerDNS not running"
if IsVerbose; then Display --indent 2 --text "- Checking PowerDNS status" --result "NOT FOUND" --color WHITE; fi if IsVerbose; then Display --indent 2 --text "- Checking PowerDNS status" --result "${STATUS_NOT_FOUND}" --color WHITE; fi
fi fi
fi fi
# #
@ -433,9 +433,9 @@
fi fi
done done
if [ ! "${POWERDNS_AUTH_CONFIG_LOCATION}" = "" ]; then if [ ! "${POWERDNS_AUTH_CONFIG_LOCATION}" = "" ]; then
Display --indent 4 --text "- Checking PowerDNS configuration file" --result "FOUND" --color GREEN Display --indent 4 --text "- Checking PowerDNS configuration file" --result "${STATUS_FOUND}" --color GREEN
else else
Display --indent 4 --text "- Checking PowerDNS configuration file" --result "NOT FOUND" --color YELLOW Display --indent 4 --text "- Checking PowerDNS configuration file" --result "${STATUS_NOT_FOUND}" --color YELLOW
fi fi
fi fi
# #
@ -461,10 +461,10 @@
for I in ${FIND}; do for I in ${FIND}; do
LogText "Found backend: ${I}" LogText "Found backend: ${I}"
done done
Display --indent 4 --text "- Checking PowerDNS backends" --result "FOUND" --color GREEN Display --indent 4 --text "- Checking PowerDNS backends" --result "${STATUS_FOUND}" --color GREEN
else else
LogText "Result: no PowerDNS backends found" LogText "Result: no PowerDNS backends found"
Display --indent 4 --text "- Checking PowerDNS backends" --result "NOT FOUND" --color YELLOW Display --indent 4 --text "- Checking PowerDNS backends" --result "${STATUS_NOT_FOUND}" --color YELLOW
fi fi
fi fi
# #
@ -507,18 +507,18 @@
IsRunning ypbind IsRunning ypbind
if [ ${RUNNING} -eq 1 ]; then if [ ${RUNNING} -eq 1 ]; then
LogText "Result: ypbind is running" LogText "Result: ypbind is running"
Display --indent 2 --text "- Checking ypbind status" --result "FOUND" --color GREEN Display --indent 2 --text "- Checking ypbind status" --result "${STATUS_FOUND}" --color GREEN
YPBIND_RUNNING=1 YPBIND_RUNNING=1
IsRunning ypldap IsRunning ypldap
if [ ${RUNNING} -eq 1 ]; then if [ ${RUNNING} -eq 1 ]; then
LogText "Result: ypldap is running" LogText "Result: ypldap is running"
Display --indent 2 --text "- Checking ypldap status" --result "FOUND" --color GREEN Display --indent 2 --text "- Checking ypldap status" --result "${STATUS_FOUND}" --color GREEN
else else
ReportSuggestion "Disable the usage of NIS/NIS+ and use an alternative like LDAP or Kerberos instead" ReportSuggestion "Disable the usage of NIS/NIS+ and use an alternative like LDAP or Kerberos instead"
fi fi
else else
LogText "Result: ypbind is not active" LogText "Result: ypbind is not active"
if IsVerbose; then Display --indent 2 --text "- Checking ypbind status" --result "NOT FOUND" --color WHITE; fi if IsVerbose; then Display --indent 2 --text "- Checking ypbind status" --result "${STATUS_NOT_FOUND}" --color WHITE; fi
fi fi
fi fi
# #
@ -579,10 +579,10 @@
if [ ! "${NISDOMAIN}" = "" ]; then if [ ! "${NISDOMAIN}" = "" ]; then
LogText "Found NIS domain: ${NISDOMAIN}" LogText "Found NIS domain: ${NISDOMAIN}"
Report "nisdomain=${NISDOMAIN}" Report "nisdomain=${NISDOMAIN}"
Display --indent 4 --text "- Checking NIS domain" --result "FOUND" --color GREEN Display --indent 4 --text "- Checking NIS domain" --result "${STATUS_FOUND}" --color GREEN
else else
LogText "Result: No NIS domain found" LogText "Result: No NIS domain found"
Display --indent 4 --text "- Checking NIS domain" --result "UNKNOWN" --color YELLOW Display --indent 4 --text "- Checking NIS domain" --result "${STATUS_UNKNOWN}" --color YELLOW
fi fi
fi fi
# #
@ -601,16 +601,16 @@
sFIND=`egrep -v '^(#|$)' /etc/hosts | awk '{ print $1, $2 }' | sort | uniq -d` sFIND=`egrep -v '^(#|$)' /etc/hosts | awk '{ print $1, $2 }' | sort | uniq -d`
if [ "${sFIND}" = "" ]; then if [ "${sFIND}" = "" ]; then
LogText "Result: OK, no duplicate lines found" LogText "Result: OK, no duplicate lines found"
Display --indent 4 --text "- Checking /etc/hosts (duplicates)" --result OK --color GREEN Display --indent 4 --text "- Checking /etc/hosts (duplicates)" --result "${STATUS_OK}" --color GREEN
else else
LogText "Found duplicate line: ${sFIND}" LogText "Found duplicate line: ${sFIND}"
LogText "Result: found duplicate line" LogText "Result: found duplicate line"
Display --indent 4 --text "- Checking /etc/hosts (duplicates)" --result SUGGESTION --color YELLOW Display --indent 4 --text "- Checking /etc/hosts (duplicates)" --result "${STATUS_SUGGESTION}" --color YELLOW
ReportSuggestion "${TEST_NO}" "Remove duplicate lines in /etc/hosts" ReportSuggestion "${TEST_NO}" "Remove duplicate lines in /etc/hosts"
fi fi
else else
LogText "Result: /etc/hosts not found, test skipped" LogText "Result: /etc/hosts not found, test skipped"
Display --indent 4 --text "Searching duplicate line" --result "SKIPPED" --color YELLOW Display --indent 4 --text "Searching duplicate line" --result "${STATUS_SKIPPED}" --color YELLOW
fi fi
fi fi
# #
@ -626,10 +626,10 @@
sFIND=`egrep -v '^(#|$|^::1\s|localhost)' /etc/hosts | grep -i ${HOSTNAME}` sFIND=`egrep -v '^(#|$|^::1\s|localhost)' /etc/hosts | grep -i ${HOSTNAME}`
if [ "${sFIND}" != "" ]; then if [ "${sFIND}" != "" ]; then
LogText "Result: Found entry for ${HOSTNAME} in /etc/hosts" LogText "Result: Found entry for ${HOSTNAME} in /etc/hosts"
Display --indent 4 --text "- Checking /etc/hosts (hostname)" --result OK --color GREEN Display --indent 4 --text "- Checking /etc/hosts (hostname)" --result "${STATUS_OK}" --color GREEN
else else
LogText "Result: No entry found for ${HOSTNAME} in /etc/hosts" LogText "Result: No entry found for ${HOSTNAME} in /etc/hosts"
Display --indent 4 --text "- Checking /etc/hosts (hostname)" --result SUGGESTION --color YELLOW Display --indent 4 --text "- Checking /etc/hosts (hostname)" --result "${STATUS_SUGGESTION}" --color YELLOW
ReportSuggestion ${TEST_NO} "Add the IP name and FQDN to /etc/hosts for proper name resolving" ReportSuggestion ${TEST_NO} "Add the IP name and FQDN to /etc/hosts for proper name resolving"
LogText "Risk: No entry for the server name [hostname] in /etc/hosts may cause unexpected performance problems for local connections" LogText "Risk: No entry for the server name [hostname] in /etc/hosts may cause unexpected performance problems for local connections"
fi fi
@ -648,12 +648,12 @@
if [ ! "${sFIND}" = "" ]; then if [ ! "${sFIND}" = "" ]; then
LogText "Result: Found this server hostname mapped to a local address" LogText "Result: Found this server hostname mapped to a local address"
LogText "Output: ${sFIND}" LogText "Output: ${sFIND}"
Display --indent 4 --text "- Checking /etc/hosts (localhost)" --result SUGGESTION --color YELLOW Display --indent 4 --text "- Checking /etc/hosts (localhost)" --result "${STATUS_SUGGESTION}" --color YELLOW
LogText "Information: Linking the hostname to the localhost entry may break some resolving. Split resolving so that localhost resolves back to 127.0.0.1 (and ::1) and the hostname of the machine to the real IP address on the network interface." LogText "Information: Linking the hostname to the localhost entry may break some resolving. Split resolving so that localhost resolves back to 127.0.0.1 (and ::1) and the hostname of the machine to the real IP address on the network interface."
ReportSuggestion ${TEST_NO} "Split resolving between localhost and the hostname of the system" ReportSuggestion ${TEST_NO} "Split resolving between localhost and the hostname of the system"
else else
LogText "Result: this server hostname is not mapped to a local address" LogText "Result: this server hostname is not mapped to a local address"
Display --indent 4 --text "- Checking /etc/hosts (localhost)" --result OK --color GREEN Display --indent 4 --text "- Checking /etc/hosts (localhost)" --result "${STATUS_OK}" --color GREEN
fi fi
fi fi
# #
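Review bot: Two result labels in this file were left as English literals while the lines around them were converted: `--result "NONE FOUND"` in the /etc/nodename check and `--result "NOT OK"` in the Unbound configuration check, so translated output will mix languages there. The first could reuse `"${STATUS_NOT_FOUND}"`; the second needs its own entry in the language files. In the same Unbound branch the log line still reads `Result: Unbound daemon is not running`, although the branch is taken when the preceding command (not shown in the hunk) returns non-zero, which misleads anyone reading the log after a failed configuration check. Something like `LogText "Result: Unbound configuration check reported errors"` would match the condition. Both blocks begin outside their hunks.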


@ -87,20 +87,20 @@
LogText "Result: IPV6 mode is ${IPV6_MODE}" LogText "Result: IPV6 mode is ${IPV6_MODE}"
if [ ${IPV6_CONFIGURED} -eq 1 ]; then if [ ${IPV6_CONFIGURED} -eq 1 ]; then
Display --indent 2 --text "- Checking IPv6 configuration" --result "ENABLED" --color WHITE Display --indent 2 --text "- Checking IPv6 configuration" --result "${STATUS_ENABLED}" --color WHITE
STATUS=`echo ${IPV6_MODE} | tr '[:lower:]' '[:upper:]'` STATUS=`echo ${IPV6_MODE} | tr '[:lower:]' '[:upper:]'`
Display --indent 6 --text "Configuration method" --result "${STATUS}" --color WHITE Display --indent 6 --text "Configuration method" --result "${STATUS}" --color WHITE
if [ ${IPV6_ONLY} -eq 1 ]; then STATUS="YES"; else STATUS="NO"; fi if [ ${IPV6_ONLY} -eq 1 ]; then STATUS="YES"; else STATUS="NO"; fi
LogText "Result: IPv6 only configuration: ${STATUS}" LogText "Result: IPv6 only configuration: ${STATUS}"
Display --indent 6 --text "IPv6 only" --result "${STATUS}" --color WHITE Display --indent 6 --text "IPv6 only" --result "${STATUS}" --color WHITE
else else
Display --indent 2 --text "- Checking IPv6 configuration" --result "DISABLED" --color WHITE Display --indent 2 --text "- Checking IPv6 configuration" --result "${STATUS_DISABLED}" --color WHITE
fi fi
# Configuration errors # Configuration errors
if [ ${IPV6_MISCONFIGURED_MTU} -eq 1 ]; then if [ ${IPV6_MISCONFIGURED_MTU} -eq 1 ]; then
IPV6_MISCONFIGURED=1 IPV6_MISCONFIGURED=1
LogText "Result: MTU of IPv6 interfaces should be 1280 or higher" LogText "Result: MTU of IPv6 interfaces should be 1280 or higher"
Display --indent 6 --text "Error: MTU is too low" --result "WARNING" --color RED Display --indent 6 --text "Error: MTU is too low" --result "${STATUS_WARNING}" --color RED
ReportSuggestion "${TEST_NO}" "Check your MTU configuration of IPv6 interfaces" ReportSuggestion "${TEST_NO}" "Check your MTU configuration of IPv6 interfaces"
fi fi
@ -138,7 +138,7 @@
# 0=good, other=bad # 0=good, other=bad
DNSRESPONSE=`${DIGBINARY} +noall +time=3 +retry=0 @${I} ${I} > /dev/null ; echo $?` DNSRESPONSE=`${DIGBINARY} +noall +time=3 +retry=0 @${I} ${I} > /dev/null ; echo $?`
if [ "${DNSRESPONSE}" = "0" ]; then if [ "${DNSRESPONSE}" = "0" ]; then
Display --indent 8 --text "Nameserver: ${I}" --result OK --color GREEN Display --indent 8 --text "Nameserver: ${I}" --result "${STATUS_OK}" --color GREEN
LogText "Nameserver ${I} seems to respond to queries from this host." LogText "Nameserver ${I} seems to respond to queries from this host."
# Count responsive nameservers # Count responsive nameservers
NUMBERACTIVENS=$((NUMBERACTIVENS + 1)) NUMBERACTIVENS=$((NUMBERACTIVENS + 1))
@ -151,7 +151,7 @@
fi fi
else else
LogText "Result: Nameserver test for ${I} skipped, 'dig' not installed" LogText "Result: Nameserver test for ${I} skipped, 'dig' not installed"
Display --indent 6 --text "Nameserver: ${I}" --result SKIPPED --color YELLOW Display --indent 6 --text "Nameserver: ${I}" --result "${STATUS_SKIPPED}" --color YELLOW
fi fi
done done
fi fi
@ -167,19 +167,19 @@
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
if [ ! "${DIGBINARY}" = "" ]; then if [ ! "${DIGBINARY}" = "" ]; then
if [ ${NUMBERACTIVENS} -lt 2 ]; then if [ ${NUMBERACTIVENS} -lt 2 ]; then
Display --indent 4 --text "- Minimal of 2 responsive nameservers" --result WARNING --color RED Display --indent 4 --text "- Minimal of 2 responsive nameservers" --result "${STATUS_WARNING}" --color RED
LogText "Result: less than 2 responsive nameservers found" LogText "Result: less than 2 responsive nameservers found"
ReportWarning ${TEST_NO} "L" "Couldn't find 2 responsive nameservers" ReportWarning ${TEST_NO} "L" "Couldn't find 2 responsive nameservers"
LogText "Note: Non responsive nameservers can give problems for your system(s). Like the lack of recursive lookups, bad connectivity to update servers etc." LogText "Note: Non responsive nameservers can give problems for your system(s). Like the lack of recursive lookups, bad connectivity to update servers etc."
ReportSuggestion ${TEST_NO} "Check your resolv.conf file and fill in a backup nameserver if possible" ReportSuggestion ${TEST_NO} "Check your resolv.conf file and fill in a backup nameserver if possible"
AddHP 1 2 AddHP 1 2
else else
Display --indent 4 --text "- Minimal of 2 responsive nameservers" --result OK --color GREEN Display --indent 4 --text "- Minimal of 2 responsive nameservers" --result "${STATUS_OK}" --color GREEN
LogText "Result: found at least 2 responsive nameservers" LogText "Result: found at least 2 responsive nameservers"
AddHP 3 3 AddHP 3 3
fi fi
else else
Display --indent 4 --text "- Minimal of 2 responsive nameservers" --result SKIPPED --color YELLOW Display --indent 4 --text "- Minimal of 2 responsive nameservers" --result "${STATUS_SKIPPED}" --color YELLOW
LogText "Result: dig not installed, test can't be fully performed" LogText "Result: dig not installed, test can't be fully performed"
fi fi
else else
@ -201,7 +201,7 @@
LogText "Result: Found default gateway ${I}" LogText "Result: Found default gateway ${I}"
Report "default_gateway[]=${I}" Report "default_gateway[]=${I}"
done done
Display --indent 2 --text "- Checking default gateway" --result DONE --color GREEN Display --indent 2 --text "- Checking default gateway" --result "${STATUS_DONE}" --color GREEN
else else
LogText "Result: No default gateway found" LogText "Result: No default gateway found"
Display --indent 2 --text "- Checking default gateway" --result "NONE FOUND" --color WHITE Display --indent 2 --text "- Checking default gateway" --result "NONE FOUND" --color WHITE
@ -455,9 +455,9 @@
done done
fi fi
if [ "${FIND}" = "" -a "${FIND2}" = "" ]; then if [ "${FIND}" = "" -a "${FIND2}" = "" ]; then
Display --indent 2 --text "- Getting listening ports (TCP/UDP)" --result SKIPPED --color YELLOW Display --indent 2 --text "- Getting listening ports (TCP/UDP)" --result "${STATUS_SKIPPED}" --color YELLOW
else else
Display --indent 2 --text "- Getting listening ports (TCP/UDP)" --result DONE --color GREEN Display --indent 2 --text "- Getting listening ports (TCP/UDP)" --result "${STATUS_DONE}" --color GREEN
Display --indent 6 --text "* Found ${N} ports" Display --indent 6 --text "* Found ${N} ports"
fi fi
fi fi
@ -497,10 +497,10 @@
# Show result # Show result
if [ ${FOUNDPROMISC} -eq 0 ]; then if [ ${FOUNDPROMISC} -eq 0 ]; then
Display --indent 2 --text "- Checking promiscuous interfaces" --result OK --color GREEN Display --indent 2 --text "- Checking promiscuous interfaces" --result "${STATUS_OK}" --color GREEN
LogText "Result: No promiscuous interfaces found" LogText "Result: No promiscuous interfaces found"
else else
Display --indent 2 --text "- Checking promiscuous interfaces" --result WARNING --color RED Display --indent 2 --text "- Checking promiscuous interfaces" --result "${STATUS_WARNING}" --color RED
fi fi
fi fi
# #
@ -533,10 +533,10 @@
# Show result # Show result
if [ ${FOUNDPROMISC} -eq 0 ]; then if [ ${FOUNDPROMISC} -eq 0 ]; then
Display --indent 2 --text "- Checking promiscuous interfaces" --result OK --color GREEN Display --indent 2 --text "- Checking promiscuous interfaces" --result "${STATUS_OK}" --color GREEN
LogText "Result: No promiscuous interfaces found" LogText "Result: No promiscuous interfaces found"
else else
Display --indent 2 --text "- Checking promiscuous interfaces" --result WARNING --color RED Display --indent 2 --text "- Checking promiscuous interfaces" --result "${STATUS_WARNING}" --color RED
fi fi
fi fi
# #
@ -576,10 +576,10 @@
if [ "${OPTIONS_CONN_MAX_WAIT_STATE}" = "" ]; then OPTIONS_CONN_MAX_WAIT_STATE="5000"; fi if [ "${OPTIONS_CONN_MAX_WAIT_STATE}" = "" ]; then OPTIONS_CONN_MAX_WAIT_STATE="5000"; fi
LogText "Result: currently ${FIND} connections are in a waiting state (max configured: ${OPTIONS_CONN_MAX_WAIT_STATE})." LogText "Result: currently ${FIND} connections are in a waiting state (max configured: ${OPTIONS_CONN_MAX_WAIT_STATE})."
if [ ${FIND} -gt ${OPTIONS_CONN_MAX_WAIT_STATE} ]; then if [ ${FIND} -gt ${OPTIONS_CONN_MAX_WAIT_STATE} ]; then
Display --indent 2 --text "- Checking waiting connections" --result WARNING --color YELLOW Display --indent 2 --text "- Checking waiting connections" --result "${STATUS_WARNING}" --color YELLOW
ReportSuggestion "${TEST_NO}" "Determine why system has many connections in WAIT state (${FIND})" ReportSuggestion "${TEST_NO}" "Determine why system has many connections in WAIT state (${FIND})"
else else
Display --indent 2 --text "- Checking waiting connections" --result OK --color GREEN Display --indent 2 --text "- Checking waiting connections" --result "${STATUS_OK}" --color GREEN
LogText "Result: ${FIND} connections are in WAIT state" LogText "Result: ${FIND} connections are in WAIT state"
fi fi
fi fi
@ -592,7 +592,7 @@
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
IsRunning dhclient IsRunning dhclient
if [ ${RUNNING} -eq 1 ]; then if [ ${RUNNING} -eq 1 ]; then
Display --indent 2 --text "- Checking status DHCP client" --result RUNNING --color WHITE Display --indent 2 --text "- Checking status DHCP client" --result "${STATUS_RUNNING}" --color WHITE
DHCP_CLIENT_RUNNING=1 DHCP_CLIENT_RUNNING=1
else else
Display --indent 2 --text "- Checking status DHCP client" --result "NOT ACTIVE" --color WHITE Display --indent 2 --text "- Checking status DHCP client" --result "NOT ACTIVE" --color WHITE
@ -608,9 +608,9 @@
IsRunning arpwatch IsRunning arpwatch
if [ ${RUNNING} -eq 1 ]; then if [ ${RUNNING} -eq 1 ]; then
ARPWATCH_RUNNING=1 ARPWATCH_RUNNING=1
Display --indent 2 --text "- Checking for ARP monitoring software" --result RUNNING --color GREEN Display --indent 2 --text "- Checking for ARP monitoring software" --result "${STATUS_RUNNING}" --color GREEN
else else
Display --indent 2 --text "- Checking for ARP monitoring software" --result "NOT FOUND" --color YELLOW Display --indent 2 --text "- Checking for ARP monitoring software" --result "${STATUS_NOT_FOUND}" --color YELLOW
ReportSuggestion ${TEST_NO} "Install ARP monitoring software like arpwatch" ReportSuggestion ${TEST_NO} "Install ARP monitoring software like arpwatch"
fi fi
fi fi


@ -79,11 +79,11 @@
done done
if [ ! "${PHPINIFILE}" = "" ]; then if [ ! "${PHPINIFILE}" = "" ]; then
Display --indent 2 --text "- Checking PHP" --result "FOUND" --color GREEN Display --indent 2 --text "- Checking PHP" --result "${STATUS_FOUND}" --color GREEN
LogText "Result: using single file ${PHPINIFILE} for main php.ini tests" LogText "Result: using single file ${PHPINIFILE} for main php.ini tests"
LogText "Result: using php.ini array ${PHPINI_ALLFILES} for further tests" LogText "Result: using php.ini array ${PHPINI_ALLFILES} for further tests"
else else
Display --indent 2 --text "- Checking PHP" --result "NOT FOUND" --color WHITE Display --indent 2 --text "- Checking PHP" --result "${STATUS_NOT_FOUND}" --color WHITE
LogText "Result: no php.ini file found" LogText "Result: no php.ini file found"
fi fi
fi fi
@ -116,13 +116,13 @@
done done
if [ ${FOUND} -eq 0 ]; then if [ ${FOUND} -eq 0 ]; then
LogText "Result: all PHP functions can be executed" LogText "Result: all PHP functions can be executed"
Display --indent 4 --text "- Checking PHP disabled functions" --result "NONE" --color YELLOW Display --indent 4 --text "- Checking PHP disabled functions" --result "${STATUS_NONE}" --color YELLOW
ReportSuggestion ${TEST_NO} "Harden PHP by disabling risky functions" ReportSuggestion ${TEST_NO} "Harden PHP by disabling risky functions"
LogText "Functions of interest to research/disable: chown, diskfreespace, disk_free_space, disk_total_space, dl, exec, escapeshellarg, escapeshellcmd, fileinode, highlight_file, max_execution_time, passthru, pclose, phpinfo, popen, proc_close, proc_open, proc_get_status, proc_nice, proc_open, proc_terminate, set_time_limit, shell_exec, show_source, system)" LogText "Functions of interest to research/disable: chown, diskfreespace, disk_free_space, disk_total_space, dl, exec, escapeshellarg, escapeshellcmd, fileinode, highlight_file, max_execution_time, passthru, pclose, phpinfo, popen, proc_close, proc_open, proc_get_status, proc_nice, proc_open, proc_terminate, set_time_limit, shell_exec, show_source, system)"
AddHP 0 1 AddHP 0 1
else else
LogText "Result: one or more PHP functions are disabled/blacklisted" LogText "Result: one or more PHP functions are disabled/blacklisted"
Display --indent 4 --text "- Checking PHP disabled functions" --result "FOUND" --color GREEN Display --indent 4 --text "- Checking PHP disabled functions" --result "${STATUS_FOUND}" --color GREEN
AddHP 3 3 AddHP 3 3
fi fi
fi fi
@ -154,13 +154,13 @@
LogText "Test: Checking PHP register_globals option" LogText "Test: Checking PHP register_globals option"
FIND=`egrep -i 'register_globals.*(on|yes|1)' ${PHPINIFILE} | grep -v '^;'` FIND=`egrep -i 'register_globals.*(on|yes|1)' ${PHPINIFILE} | grep -v '^;'`
if [ ! "${FIND}" = "" ]; then if [ ! "${FIND}" = "" ]; then
Display --indent 4 --text "- Checking register_globals option" --result WARNING --color RED Display --indent 4 --text "- Checking register_globals option" --result "${STATUS_WARNING}" --color RED
ReportWarning ${TEST_NO} "M" "PHP option register_globals option is turned on, which can be a risk for variable value overwriting" ReportWarning ${TEST_NO} "M" "PHP option register_globals option is turned on, which can be a risk for variable value overwriting"
ReportSuggestion ${TEST_NO} "Change the register_globals line to: register_globals = Off" ReportSuggestion ${TEST_NO} "Change the register_globals line to: register_globals = Off"
LogText "Result: register_globals option is turned on, which can be a risk for variable value overwriting." LogText "Result: register_globals option is turned on, which can be a risk for variable value overwriting."
AddHP 1 2 AddHP 1 2
else else
Display --indent 4 --text "- Checking register_globals option" --result OK --color GREEN Display --indent 4 --text "- Checking register_globals option" --result "${STATUS_OK}" --color GREEN
LogText "Result: No 'register_globals' found. Most likely it is in disabled state (0, no, or off), which is the default nowadays and considered the safe value." LogText "Result: No 'register_globals' found. Most likely it is in disabled state (0, no, or off), which is the default nowadays and considered the safe value."
ReportManual ${TEST_NO}:01 ReportManual ${TEST_NO}:01
AddHP 2 2 AddHP 2 2
@ -178,13 +178,13 @@
LogText "Test: Checking expose_php option" LogText "Test: Checking expose_php option"
FIND=`egrep -i 'expose_php.*(off|no|0)' ${PHPINIFILE} | grep -v '^;'` FIND=`egrep -i 'expose_php.*(off|no|0)' ${PHPINIFILE} | grep -v '^;'`
if [ "${FIND}" = "" ]; then if [ "${FIND}" = "" ]; then
Display --indent 4 --text "- Checking expose_php option" --result ON --color RED Display --indent 4 --text "- Checking expose_php option" --result "${STATUS_ON}" --color RED
ReportWarning ${TEST_NO} "M" "PHP option expose_php is possibly turned on, which can reveal useful information for attackers." ReportWarning ${TEST_NO} "M" "PHP option expose_php is possibly turned on, which can reveal useful information for attackers."
ReportSuggestion ${TEST_NO} "Change the expose_php line to: expose_php = Off" ReportSuggestion ${TEST_NO} "Change the expose_php line to: expose_php = Off"
Report "Result: expose_php option is turned on, which can expose useful information for an attacker" Report "Result: expose_php option is turned on, which can expose useful information for an attacker"
AddHP 1 2 AddHP 1 2
else else
Display --indent 4 --text "- Checking expose_php option" --result OFF --color GREEN Display --indent 4 --text "- Checking expose_php option" --result "${STATUS_OFF}" --color GREEN
LogText "Result: Found 'expose_php' in disabled state (0, no, or off)" LogText "Result: Found 'expose_php' in disabled state (0, no, or off)"
AddHP 2 2 AddHP 2 2
fi fi
@ -202,12 +202,12 @@
LogText "Test: Checking PHP enable_dl option" LogText "Test: Checking PHP enable_dl option"
FIND=`egrep -i 'enable_dl.*(off|no|0)' ${PHPINIFILE} | grep -v '^;'` FIND=`egrep -i 'enable_dl.*(off|no|0)' ${PHPINIFILE} | grep -v '^;'`
if [ "${FIND}" = "" ]; then if [ "${FIND}" = "" ]; then
Display --indent 4 --text "- Checking enable_dl option" --result ON --color YELLOW Display --indent 4 --text "- Checking enable_dl option" --result "${STATUS_ON}" --color YELLOW
Report "Result: enable_dl option is turned on, which can be used for riskful downloads via PHP" Report "Result: enable_dl option is turned on, which can be used for riskful downloads via PHP"
ReportSuggestion ${TEST_NO} "Change the enable_dl line to: enable_dl = Off, to disable downloads via PHP" ReportSuggestion ${TEST_NO} "Change the enable_dl line to: enable_dl = Off, to disable downloads via PHP"
AddHP 0 1 AddHP 0 1
else else
Display --indent 4 --text "- Checking enable_dl option" --result OFF --color GREEN Display --indent 4 --text "- Checking enable_dl option" --result "${STATUS_OFF}" --color GREEN
LogText "Result: Found 'enable_dl' in disabled state (0, no, or off)" LogText "Result: Found 'enable_dl' in disabled state (0, no, or off)"
AddHP 2 2 AddHP 2 2
fi fi
@ -225,12 +225,12 @@
LogText "Test: Checking PHP allow_url_fopen option" LogText "Test: Checking PHP allow_url_fopen option"
FIND=`egrep -i 'allow_url_fopen.*(off|no|0)' ${PHPINIFILE} | grep -v '^;'` FIND=`egrep -i 'allow_url_fopen.*(off|no|0)' ${PHPINIFILE} | grep -v '^;'`
if [ "${FIND}" = "" ]; then if [ "${FIND}" = "" ]; then
Display --indent 4 --text "- Checking allow_url_fopen option" --result ON --color YELLOW Display --indent 4 --text "- Checking allow_url_fopen option" --result "${STATUS_ON}" --color YELLOW
Report "Result: allow_url_fopen option is turned on, which can be used for riskful downloads via PHP" Report "Result: allow_url_fopen option is turned on, which can be used for riskful downloads via PHP"
ReportSuggestion ${TEST_NO} "Change the allow_url_fopen line to: allow_url_fopen = Off, to disable downloads via PHP" ReportSuggestion ${TEST_NO} "Change the allow_url_fopen line to: allow_url_fopen = Off, to disable downloads via PHP"
AddHP 0 1 AddHP 0 1
else else
Display --indent 4 --text "- Checking allow_url_fopen option" --result OFF --color GREEN Display --indent 4 --text "- Checking allow_url_fopen option" --result "${STATUS_OFF}" --color GREEN
LogText "Result: Found 'allow_url_fopen' in disabled state (0, no, or off)" LogText "Result: Found 'allow_url_fopen' in disabled state (0, no, or off)"
AddHP 2 2 AddHP 2 2
fi fi
@ -248,12 +248,12 @@
LogText "Test: Checking PHP allow_url_include option" LogText "Test: Checking PHP allow_url_include option"
FIND=`egrep -i 'allow_url_include.*(off|no|0)' ${PHPINIFILE} | grep -v '^;'` FIND=`egrep -i 'allow_url_include.*(off|no|0)' ${PHPINIFILE} | grep -v '^;'`
if [ "${FIND}" = "" ]; then if [ "${FIND}" = "" ]; then
Display --indent 4 --text "- Checking allow_url_include option" --result ON --color YELLOW Display --indent 4 --text "- Checking allow_url_include option" --result "${STATUS_ON}" --color YELLOW
Report "Result: allow_url_include option is turned on, which can be used for riskful downloads via PHP" Report "Result: allow_url_include option is turned on, which can be used for riskful downloads via PHP"
ReportSuggestion ${TEST_NO} "Change the allow_url_include line to: allow_url_include = Off, to disable downloads via PHP" ReportSuggestion ${TEST_NO} "Change the allow_url_include line to: allow_url_include = Off, to disable downloads via PHP"
AddHP 0 1 AddHP 0 1
else else
Display --indent 4 --text "- Checking allow_url_include option" --result OFF --color GREEN Display --indent 4 --text "- Checking allow_url_include option" --result "${STATUS_OFF}" --color GREEN
LogText "Result: Found 'allow_url_include' in disabled state (0, no, or off)" LogText "Result: Found 'allow_url_include' in disabled state (0, no, or off)"
AddHP 2 2 AddHP 2 2
fi fi
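Review bot: The OFF/green result in the allow_url_include hunk (and likewise in the expose_php, enable_dl and allow_url_fopen hunks) can be produced by a commented-out setting, because `grep -v '^;'` only drops comments that begin in column one, so an indented `; allow_url_include = Off` line still fills FIND. The same filter in the register_globals hunk errs the other way and can raise a warning from an indented comment. I would tighten the filter to `grep -v '^[[:space:]]*;'` in each of these tests so the translated status reflects an active directive rather than a comment. The pattern `.*(off|no|0)` also looks loose enough to match unrelated values containing those characters, which is worth confirming against a sample php.ini. The enclosing test blocks begin and end outside the visible hunks.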


@ -42,7 +42,7 @@
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
FIND=`pkg -N 2>&1; echo $?` FIND=`pkg -N 2>&1; echo $?`
if [ "${FIND}" = "0" ]; then if [ "${FIND}" = "0" ]; then
Display --indent 4 --text "- Searching packages with pkg" --result FOUND --color GREEN Display --indent 4 --text "- Searching packages with pkg" --result "${STATUS_FOUND}" --color GREEN
Report "package_manager[]=pkg" Report "package_manager[]=pkg"
PACKAGE_MGR_PKG=1 PACKAGE_MGR_PKG=1
LogText "Result: Found pkg" LogText "Result: Found pkg"
@ -67,7 +67,7 @@
Register --test-no PKGS-7302 --preqs-met ${PREQS_MET} --weight L --network NO --description "Query FreeBSD/NetBSD pkg_info" Register --test-no PKGS-7302 --preqs-met ${PREQS_MET} --weight L --network NO --description "Query FreeBSD/NetBSD pkg_info"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
N=0 N=0
Display --indent 4 --text "- Checking pkg_info" --result FOUND --color GREEN Display --indent 4 --text "- Checking pkg_info" --result "${STATUS_FOUND}" --color GREEN
LogText "Result: Found pkg_info" LogText "Result: Found pkg_info"
Report "package_manager[]=pkg_info" Report "package_manager[]=pkg_info"
LogText "Test: Querying pkg_info to get package list" LogText "Test: Querying pkg_info to get package list"
@ -93,7 +93,7 @@
if [ ! "${FIND}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if [ ! "${FIND}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PKGS-7303 --preqs-met ${PREQS_MET} --weight L --network NO --description "Query brew package manager" Register --test-no PKGS-7303 --preqs-met ${PREQS_MET} --weight L --network NO --description "Query brew package manager"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
Display --indent 4 --text "- Searching brew" --result FOUND --color GREEN Display --indent 4 --text "- Searching brew" --result "${STATUS_FOUND}" --color GREEN
LogText "Result: Found brew" LogText "Result: Found brew"
Report "package_manager[]=brew" Report "package_manager[]=brew"
LogText "Test: Querying brew to get package list" LogText "Test: Querying brew to get package list"
@ -115,7 +115,7 @@
if [ -x /usr/bin/emerge -a -x /usr/bin/equery ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if [ -x /usr/bin/emerge -a -x /usr/bin/equery ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PKGS-7304 --preqs-met ${PREQS_MET} --weight L --network NO --description "Querying Gentoo packages" Register --test-no PKGS-7304 --preqs-met ${PREQS_MET} --weight L --network NO --description "Querying Gentoo packages"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
Display --indent 4 --text "- Searching emerge" --result FOUND --color GREEN Display --indent 4 --text "- Searching emerge" --result "${STATUS_FOUND}" --color GREEN
LogText "Result: Found Gentoo emerge" LogText "Result: Found Gentoo emerge"
Report "package_manager[]=emerge" Report "package_manager[]=emerge"
LogText "Test: Querying portage to get package list" LogText "Test: Querying portage to get package list"
@ -138,7 +138,7 @@
if [ -x /usr/bin/pkginfo ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if [ -x /usr/bin/pkginfo ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PKGS-7306 --os Solaris --preqs-met ${PREQS_MET} --weight L --network NO --description "Querying Solaris packages" Register --test-no PKGS-7306 --os Solaris --preqs-met ${PREQS_MET} --weight L --network NO --description "Querying Solaris packages"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
Display --indent 4 --text "- Searching pkginfo" --result FOUND --color GREEN Display --indent 4 --text "- Searching pkginfo" --result "${STATUS_FOUND}" --color GREEN
LogText "Result: Found Solaris pkginfo" LogText "Result: Found Solaris pkginfo"
Report "package_manager[]=pkginfo" Report "package_manager[]=pkginfo"
LogText "Test: Querying pkginfo to get package list" LogText "Test: Querying pkginfo to get package list"
@ -162,7 +162,7 @@
Register --test-no PKGS-7308 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking package list with RPM" Register --test-no PKGS-7308 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking package list with RPM"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
N=0 N=0
Display --indent 4 --text "- Searching RPM package manager" --result FOUND --color GREEN Display --indent 4 --text "- Searching RPM package manager" --result "${STATUS_FOUND}" --color GREEN
LogText "Result: Found rpm binary (${RPMBINARY})" LogText "Result: Found rpm binary (${RPMBINARY})"
Report "package_manager[]=rpm" Report "package_manager[]=rpm"
LogText "Test: Querying 'rpm -qa' to get package list" LogText "Test: Querying 'rpm -qa' to get package list"
@ -195,7 +195,7 @@
Register --test-no PKGS-7310 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking package list with pacman" Register --test-no PKGS-7310 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking package list with pacman"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
N=0 N=0
Display --indent 4 --text "- Searching pacman package manager" --result FOUND --color GREEN Display --indent 4 --text "- Searching pacman package manager" --result "${STATUS_FOUND}" --color GREEN
LogText "Result: Found pacman binary (${PACMANBINARY})" LogText "Result: Found pacman binary (${PACMANBINARY})"
Report "package_manager[]=pacman" Report "package_manager[]=pacman"
LogText "Test: Querying 'pacman -Q' to get package list" LogText "Test: Querying 'pacman -Q' to get package list"
@ -309,9 +309,9 @@
FIND=`${ZYPPERBINARY} -n pchk | grep "(0 security patches)"` FIND=`${ZYPPERBINARY} -n pchk | grep "(0 security patches)"`
if [ ! "${FIND}" = "" ]; then if [ ! "${FIND}" = "" ]; then
LogText "Result: No security updates found with Zypper" LogText "Result: No security updates found with Zypper"
Display --indent 2 --text "- Using Zypper to find vulnerable packages" --result NONE --color GREEN Display --indent 2 --text "- Using Zypper to find vulnerable packages" --result "${STATUS_NONE}" --color GREEN
else else
Display --indent 2 --text "- Using Zypper to find vulnerable packages" --result WARNING --color RED Display --indent 2 --text "- Using Zypper to find vulnerable packages" --result "${STATUS_WARNING}" --color RED
LogText "Result: Zypper found one or more installed packages which are vulnerable." LogText "Result: Zypper found one or more installed packages which are vulnerable."
ReportWarning ${TEST_NO} "H" "Found one or more vulnerable packages installed" ReportWarning ${TEST_NO} "H" "Found one or more vulnerable packages installed"
# Unfortunately zypper does not properly give back which package it is. Usually best guess is last word on the line # Unfortunately zypper does not properly give back which package it is. Usually best guess is last word on the line
@ -335,7 +335,7 @@
Register --test-no PKGS-7345 --preqs-met ${PREQS_MET} --weight L --network NO --description "Querying dpkg" Register --test-no PKGS-7345 --preqs-met ${PREQS_MET} --weight L --network NO --description "Querying dpkg"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
N=0 N=0
Display --indent 4 --text "- Searching dpkg package manager" --result FOUND --color GREEN Display --indent 4 --text "- Searching dpkg package manager" --result "${STATUS_FOUND}" --color GREEN
LogText "Result: Found dpkg binary" LogText "Result: Found dpkg binary"
Report "package_manager[]=dpkg" Report "package_manager[]=dpkg"
LogText "Test: Querying dpkg -l to get package list" LogText "Test: Querying dpkg -l to get package list"
@ -366,10 +366,10 @@
LogText "Test: Querying dpkg -l to get unpurged packages" LogText "Test: Querying dpkg -l to get unpurged packages"
SPACKAGES=`dpkg -l 2>/dev/null | grep "^rc" | cut -d ' ' -f3 | sort` SPACKAGES=`dpkg -l 2>/dev/null | grep "^rc" | cut -d ' ' -f3 | sort`
if [ "${SPACKAGES}" = "" ]; then if [ "${SPACKAGES}" = "" ]; then
Display --indent 4 --text "- Query unpurged packages" --result NONE --color GREEN Display --indent 4 --text "- Query unpurged packages" --result "${STATUS_NONE}" --color GREEN
LogText "Result: no packages found with left overs" LogText "Result: no packages found with left overs"
else else
Display --indent 4 --text "- Query unpurged packages" --result FOUND --color YELLOW Display --indent 4 --text "- Query unpurged packages" --result "${STATUS_FOUND}" --color YELLOW
LogText "Result: found one or more packages with left over configuration files, cron jobs etc" LogText "Result: found one or more packages with left over configuration files, cron jobs etc"
LogText "Output:" LogText "Output:"
for J in ${SPACKAGES}; do for J in ${SPACKAGES}; do
@ -394,10 +394,10 @@
if [ -x /usr/local/sbin/portsclean ]; then if [ -x /usr/local/sbin/portsclean ]; then
FIND=`/usr/local/sbin/portsclean -n -DD | grep 'Delete' | wc -l | tr -d ' '` FIND=`/usr/local/sbin/portsclean -n -DD | grep 'Delete' | wc -l | tr -d ' '`
if [ ${FIND} -eq 0 ]; then if [ ${FIND} -eq 0 ]; then
Display --indent 2 --text "- Checking presence old distfiles" --result OK --color GREEN Display --indent 2 --text "- Checking presence old distfiles" --result "${STATUS_OK}" --color GREEN
LogText "Result: no unused distfiles found" LogText "Result: no unused distfiles found"
else else
Display --indent 2 --text "- Checking presence old distfiles" --result WARNING --color YELLOW Display --indent 2 --text "- Checking presence old distfiles" --result "${STATUS_WARNING}" --color YELLOW
LogText "Result: found ${FIND} unused distfiles" LogText "Result: found ${FIND} unused distfiles"
ReportSuggestion ${TEST_NO} "Unused distfiles found. Use portsclean to delete these files. For example: portsclean -DD." ReportSuggestion ${TEST_NO} "Unused distfiles found. Use portsclean to delete these files. For example: portsclean -DD."
fi fi
@ -412,7 +412,7 @@
if [ ! "${DNFBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if [ ! "${DNFBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no "PKGS-7350" --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking for installed packages with DNF utility" Register --test-no "PKGS-7350" --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking for installed packages with DNF utility"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
Display --indent 4 --text "- Searching DNF package manager" --result FOUND --color GREEN Display --indent 4 --text "- Searching DNF package manager" --result "${STATUS_FOUND}" --color GREEN
LogText "Result: found DNF (Dandified YUM) utility (binary: ${DNFBINARY})" LogText "Result: found DNF (Dandified YUM) utility (binary: ${DNFBINARY})"
Report "package_manager[]=dnf" Report "package_manager[]=dnf"
Display --indent 6 --text "- Querying DNF package manager" Display --indent 6 --text "- Querying DNF package manager"
@ -448,11 +448,11 @@
AddHP 1 2 AddHP 1 2
done done
ReportWarning ${TEST_NO} "H" "Found one or more vulnerable packages. Run: dnf upgrade" ReportWarning ${TEST_NO} "H" "Found one or more vulnerable packages. Run: dnf upgrade"
Display --indent 2 --text "- Using DNF to find vulnerable packages" --result WARNING --color RED Display --indent 2 --text "- Using DNF to find vulnerable packages" --result "${STATUS_WARNING}" --color RED
else else
LogText "Result: no security updates found" LogText "Result: no security updates found"
Display --indent 2 --text "- Using DNF to find vulnerable packages" --result NONE --color GREEN Display --indent 2 --text "- Using DNF to find vulnerable packages" --result "${STATUS_NONE}" --color GREEN
AddHP 5 5 AddHP 5 5
fi fi
fi fi
@ -490,24 +490,24 @@
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
if [ ! "${DEBSECANBINARY}" = "" ]; then if [ ! "${DEBSECANBINARY}" = "" ]; then
LogText "Result: debsecan utility is installed" LogText "Result: debsecan utility is installed"
Display --indent 4 --text "- debsecan utility" --result "FOUND" --color GREEN Display --indent 4 --text "- debsecan utility" --result "${STATUS_FOUND}" --color GREEN
AddHP 3 3 AddHP 3 3
PACKAGE_AUDIT_TOOL_FOUND=1 PACKAGE_AUDIT_TOOL_FOUND=1
PACKAGE_AUDIT_TOOL="debsecan" PACKAGE_AUDIT_TOOL="debsecan"
FIND=`find /etc/cron* -name debsecan` FIND=`find /etc/cron* -name debsecan`
if [ ! ${FIND} = "" ]; then if [ ! ${FIND} = "" ]; then
LogText "Result: cron job is configured for debsecan" LogText "Result: cron job is configured for debsecan"
Display --indent 6 --text "- debsecan cron job" --result "FOUND" --color GREEN Display --indent 6 --text "- debsecan cron job" --result "${STATUS_FOUND}" --color GREEN
AddHP 3 3 AddHP 3 3
else else
LogText "Result: no cron job is configured for debsecan" LogText "Result: no cron job is configured for debsecan"
Display --indent 4 --text "- debsecan cron job" --result "NOT FOUND" --color YELLOW Display --indent 4 --text "- debsecan cron job" --result "${STATUS_NOT_FOUND}" --color YELLOW
AddHP 1 3 AddHP 1 3
ReportSuggestion ${TEST_NO} "Check debsecan cron job and ensure it is enabled" ReportSuggestion ${TEST_NO} "Check debsecan cron job and ensure it is enabled"
fi fi
else else
LogText "Result: debsecan is not installed." LogText "Result: debsecan is not installed."
Display --indent 4 --text "- debsecan utility" --result "NOT FOUND" --color YELLOW Display --indent 4 --text "- debsecan utility" --result "${STATUS_NOT_FOUND}" --color YELLOW
AddHP 0 2 AddHP 0 2
ReportSuggestion ${TEST_NO} "Install debsecan to check for vulnerabilities on installed packages." ReportSuggestion ${TEST_NO} "Install debsecan to check for vulnerabilities on installed packages."
fi fi
@ -523,17 +523,17 @@
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
if [ ! "${DEBSUMSBINARY}" = "" ]; then if [ ! "${DEBSUMSBINARY}" = "" ]; then
LogText "Result: debsums utility is installed" LogText "Result: debsums utility is installed"
Display --indent 4 --text "- debsums utility" --result "FOUND" --color GREEN Display --indent 4 --text "- debsums utility" --result "${STATUS_FOUND}" --color GREEN
AddHP 1 1 AddHP 1 1
# Check in /etc/cron.hourly, daily, weekly, monthly etc # Check in /etc/cron.hourly, daily, weekly, monthly etc
COUNT=`find /etc/cron* -name debsums | wc -l` COUNT=`find /etc/cron* -name debsums | wc -l`
if [ ${COUNT} -gt 0 ]; then if [ ${COUNT} -gt 0 ]; then
LogText "Result: Cron job is configured for debsums utility." LogText "Result: Cron job is configured for debsums utility."
Display --indent 6 --text "- Cron job for debsums" --result "FOUND" --color GREEN Display --indent 6 --text "- Cron job for debsums" --result "${STATUS_FOUND}" --color GREEN
AddHP 3 3 AddHP 3 3
else else
LogText "Result: Cron job is not configured for debsums utility." LogText "Result: Cron job is not configured for debsums utility."
Display --indent 6 --text "- Cron job for debsums" --result "NOT FOUND" --color YELLOW Display --indent 6 --text "- Cron job for debsums" --result "${STATUS_NOT_FOUND}" --color YELLOW
AddHP 1 3 AddHP 1 3
ReportSuggestion "${TEST_NO}" "Check debsums configuration and enable checking regurlarly via a cron job." ReportSuggestion "${TEST_NO}" "Check debsums configuration and enable checking regurlarly via a cron job."
fi fi
@ -562,9 +562,9 @@
Report "upgrade_available_count=${N}" Report "upgrade_available_count=${N}"
if [ ${N} -eq 0 ]; then if [ ${N} -eq 0 ]; then
LogText "Result: no upgrades found" LogText "Result: no upgrades found"
Display --indent 2 --text "- Checking portmaster for updates" --result NONE --color GREEN Display --indent 2 --text "- Checking portmaster for updates" --result "${STATUS_NONE}" --color GREEN
else else
Display --indent 2 --text "- Checking portmaster for updates" --result FOUND --color YELLOW Display --indent 2 --text "- Checking portmaster for updates" --result "${STATUS_FOUND}" --color YELLOW
fi fi
fi fi
# #
@ -581,10 +581,10 @@
FIND=`/usr/sbin/pkg_admin audit` FIND=`/usr/sbin/pkg_admin audit`
if [ "${FIND}" = "" ]; then if [ "${FIND}" = "" ]; then
LogText "Result: pkg audit results are clean" LogText "Result: pkg audit results are clean"
Display --indent 2 --text "- Checking pkg_admin audit to obtain vulnerable packages" --result NONE --color GREEN Display --indent 2 --text "- Checking pkg_admin audit to obtain vulnerable packages" --result "${STATUS_NONE}" --color GREEN
AddHP 2 2 AddHP 2 2
else else
Display --indent 2 --text "- Checking pkg_admin audit to obtain vulnerable packages" --result WARNING --color RED Display --indent 2 --text "- Checking pkg_admin audit to obtain vulnerable packages" --result "${STATUS_WARNING}" --color RED
LogText "Result: pkg_admin audit found one or more installed packages which are vulnerable." LogText "Result: pkg_admin audit found one or more installed packages which are vulnerable."
ReportWarning ${TEST_NO} "M" "Found one or more vulnerable packages." ReportWarning ${TEST_NO} "M" "Found one or more vulnerable packages."
LogText "List of vulnerable packages/version:" LogText "List of vulnerable packages/version:"
@ -602,7 +602,7 @@
fi fi
else else
Display --indent 2 --text "- pkg_admin audit not installed" --result "NOT FOUND" --color WHITE Display --indent 2 --text "- pkg_admin audit not installed" --result "${STATUS_NOT_FOUND}" --color WHITE
LogText "Result: pkg_admin audit not installed, skipping this vulnerability test." LogText "Result: pkg_admin audit not installed, skipping this vulnerability test."
fi fi
fi fi
@ -620,13 +620,13 @@
PACKAGE_AUDIT_TOOL="pkg audit" PACKAGE_AUDIT_TOOL="pkg audit"
if [ "${FIND}" = "" ]; then if [ "${FIND}" = "" ]; then
LogText "Result: pkg audit results are clean" LogText "Result: pkg audit results are clean"
Display --indent 2 --text "- Checking pkg audit to obtain vulnerable packages" --result NONE --color GREEN Display --indent 2 --text "- Checking pkg audit to obtain vulnerable packages" --result "${STATUS_NONE}" --color GREEN
else else
LogText "Result: ${FIND}" LogText "Result: ${FIND}"
VULNERABLE_PACKAGES_FOUND=1 VULNERABLE_PACKAGES_FOUND=1
Display --indent 2 --text "- Checking pkg audit to obtain vulnerable packages" --result FOUND --color YELLOW Display --indent 2 --text "- Checking pkg audit to obtain vulnerable packages" --result "${STATUS_FOUND}" --color YELLOW
ReportSuggestion ${TEST_NO} "Check output of pkg audit" ReportSuggestion ${TEST_NO} "Check output of pkg audit"
#Display --indent 2 --text "- Checking pkg audit to obtain vulnerable packages" --result WARNING --color RED #Display --indent 2 --text "- Checking pkg audit to obtain vulnerable packages" --result "${STATUS_WARNING}" --color RED
#LogText "Result: pkg audit found one or more installed packages which are vulnerable." #LogText "Result: pkg audit found one or more installed packages which are vulnerable."
#ReportWarning ${TEST_NO} "M" "Found one or more vulnerable packages." #ReportWarning ${TEST_NO} "M" "Found one or more vulnerable packages."
#ReportSuggestion ${TEST_NO} "Update your system with portupgrade or other tools" #ReportSuggestion ${TEST_NO} "Update your system with portupgrade or other tools"
@ -639,7 +639,7 @@
#done #done
fi fi
else else
Display --indent 2 --text "- pkg audit not installed" --result "NOT FOUND" --color WHITE Display --indent 2 --text "- pkg audit not installed" --result "${STATUS_NOT_FOUND}" --color WHITE
LogText "Result: pkg audit not installed, skipping this vulnerability test." LogText "Result: pkg audit not installed, skipping this vulnerability test."
fi fi
fi fi
@ -656,9 +656,9 @@
FIND=`/usr/local/sbin/portaudit | grep 'problem(s) in your installed packages found' | grep -v '0 problem(s) in your installed packages found'` FIND=`/usr/local/sbin/portaudit | grep 'problem(s) in your installed packages found' | grep -v '0 problem(s) in your installed packages found'`
if [ "${FIND}" = "" ]; then if [ "${FIND}" = "" ]; then
LogText "Result: Portaudit results are clean" LogText "Result: Portaudit results are clean"
Display --indent 2 --text "- Checking portaudit to obtain vulnerable packages" --result NONE --color GREEN Display --indent 2 --text "- Checking portaudit to obtain vulnerable packages" --result "${STATUS_NONE}" --color GREEN
else else
Display --indent 2 --text "- Checking portaudit to obtain vulnerabilities" --result WARNING --color RED Display --indent 2 --text "- Checking portaudit to obtain vulnerabilities" --result "${STATUS_WARNING}" --color RED
LogText "Result: Portaudit found one or more installed packages which are vulnerable." LogText "Result: Portaudit found one or more installed packages which are vulnerable."
ReportWarning ${TEST_NO} "M" "Found one or more vulnerable packages." ReportWarning ${TEST_NO} "M" "Found one or more vulnerable packages."
ReportSuggestion ${TEST_NO} "Update your system with portupgrade or other tools" ReportSuggestion ${TEST_NO} "Update your system with portupgrade or other tools"
@ -685,12 +685,12 @@
sFIND=`${YUMBINARY} repolist 2>/dev/null | grep repolist | sed 's/ //g' | sed 's/[,.]//g' | awk -F ":" '{print $2}'` sFIND=`${YUMBINARY} repolist 2>/dev/null | grep repolist | sed 's/ //g' | sed 's/[,.]//g' | awk -F ":" '{print $2}'`
if [ "$(echo ${sFIND} | egrep "^[0-9]+$")" -a "${sFIND}" = "0" ]; then if [ "$(echo ${sFIND} | egrep "^[0-9]+$")" -a "${sFIND}" = "0" ]; then
LogText "Result: YUM package update management failed" LogText "Result: YUM package update management failed"
Display --indent 2 --text "- Checking YUM package management consistency" --result WARNING --color RED Display --indent 2 --text "- Checking YUM package management consistency" --result "${STATUS_WARNING}" --color RED
ReportWarning ${TEST_NO} "M" "YUM is not properly configured or registered for this platform (no repolist found)" ReportWarning ${TEST_NO} "M" "YUM is not properly configured or registered for this platform (no repolist found)"
#ReportSuggestion ${TEST_NO} "Check YUM registration for repository configuration (repolist)" #ReportSuggestion ${TEST_NO} "Check YUM registration for repository configuration (repolist)"
else else
LogText "Result: YUM repository available (${sFIND})" LogText "Result: YUM repository available (${sFIND})"
Display --indent 2 --text "- Checking YUM package management consistency" --result OK --color GREEN Display --indent 2 --text "- Checking YUM package management consistency" --result "${STATUS_OK}" --color GREEN
fi fi
fi fi
# #
@ -708,10 +708,10 @@
FIND=`/usr/bin/package-cleanup -q --dupes > /dev/null; echo $?` FIND=`/usr/bin/package-cleanup -q --dupes > /dev/null; echo $?`
if [ "${FIND}" = "0" ]; then if [ "${FIND}" = "0" ]; then
LogText "Result: No duplicate packages found" LogText "Result: No duplicate packages found"
Display --indent 2 --text "- Checking package database duplicates" --result OK --color GREEN Display --indent 2 --text "- Checking package database duplicates" --result "${STATUS_OK}" --color GREEN
else else
LogText "Result: One or more duplicate packages found" LogText "Result: One or more duplicate packages found"
Display --indent 2 --text "- Checking package database duplicates" --result WARNING --color RED Display --indent 2 --text "- Checking package database duplicates" --result "${STATUS_WARNING}" --color RED
ReportWarning ${TEST_NO} "L" "Found one or more duplicate packages installed" ReportWarning ${TEST_NO} "L" "Found one or more duplicate packages installed"
ReportSuggestion ${TEST_NO} "Run package-cleanup to solve duplicate package problems" ReportSuggestion ${TEST_NO} "Run package-cleanup to solve duplicate package problems"
fi fi
@ -721,15 +721,15 @@
FIND=`/usr/bin/package-cleanup --problems > /dev/null; echo $?` FIND=`/usr/bin/package-cleanup --problems > /dev/null; echo $?`
if [ "${FIND}" = "0" ]; then if [ "${FIND}" = "0" ]; then
LogText "Result: No package database problems found" LogText "Result: No package database problems found"
Display --indent 2 --text "- Checking package database for problems" --result OK --color GREEN Display --indent 2 --text "- Checking package database for problems" --result "${STATUS_OK}" --color GREEN
else else
LogText "Result: One or more problems found in package database" LogText "Result: One or more problems found in package database"
Display --indent 2 --text "- Checking package database for problems" --result WARNING --color RED Display --indent 2 --text "- Checking package database for problems" --result "${STATUS_WARNING}" --color RED
ReportWarning ${TEST_NO} "L" "Found one or more problems in the package database" ReportWarning ${TEST_NO} "L" "Found one or more problems in the package database"
ReportSuggestion ${TEST_NO} "Run package-cleanup to solve package problems" ReportSuggestion ${TEST_NO} "Run package-cleanup to solve package problems"
fi fi
else else
Display --indent 2 --text "- yum-utils package not installed" --result SUGGESTION --color YELLOW Display --indent 2 --text "- yum-utils package not installed" --result "${STATUS_SUGGESTION}" --color YELLOW
LogText "Result: YUM utils package not found" LogText "Result: YUM utils package not found"
ReportSuggestion ${TEST_NO} "Install package 'yum-utils' for better consistency checking of the package database" ReportSuggestion ${TEST_NO} "Install package 'yum-utils' for better consistency checking of the package database"
fi fi
@ -793,10 +793,10 @@
FIND2=`/usr/bin/yum list-sec security | awk '{ if($2=="security" || $2~"Sec") print $3","$5 }'` FIND2=`/usr/bin/yum list-sec security | awk '{ if($2=="security" || $2~"Sec") print $3","$5 }'`
if [ "${FIND2}" = "" ]; then if [ "${FIND2}" = "" ]; then
LogText "Result: no vulnerable packages found" LogText "Result: no vulnerable packages found"
Display --indent 2 --text "- Checking missing security packages" --result OK --color GREEN Display --indent 2 --text "- Checking missing security packages" --result "${STATUS_OK}" --color GREEN
else else
LogText "Result: found vulnerable package(s)" LogText "Result: found vulnerable package(s)"
Display --indent 2 --text "- Checking missing security packages" --result WARNING --color RED Display --indent 2 --text "- Checking missing security packages" --result "${STATUS_WARNING}" --color RED
for I in ${FIND2}; do for I in ${FIND2}; do
VULNERABLE_PACKAGES_FOUND=1 VULNERABLE_PACKAGES_FOUND=1
Report "vulnerable_package[]=${I}" Report "vulnerable_package[]=${I}"
@ -808,7 +808,7 @@
fi fi
else else
LogText "Result: yum-security package not found" LogText "Result: yum-security package not found"
Display --indent 2 --text "- Checking missing security packages" --result SKIPPED --color YELLOW Display --indent 2 --text "- Checking missing security packages" --result "${STATUS_SKIPPED}" --color YELLOW
ReportSuggestion ${TEST_NO} "Install package yum-plugin-security if possible, to maintain security updates easier (yum install yum-plugin-security)" ReportSuggestion ${TEST_NO} "Install package yum-plugin-security if possible, to maintain security updates easier (yum install yum-plugin-security)"
fi fi
fi fi
@ -827,9 +827,9 @@
SearchItem "^gpgcheck=1$" "/etc/yum.conf"; if [ ${ITEM_FOUND} -eq 1 ]; then FOUND=1; fi SearchItem "^gpgcheck=1$" "/etc/yum.conf"; if [ ${ITEM_FOUND} -eq 1 ]; then FOUND=1; fi
if [ ${FOUND} -eq 1 ]; then if [ ${FOUND} -eq 1 ]; then
LogText "Result: GPG check is enabled" LogText "Result: GPG check is enabled"
Display --indent 2 --text "- Checking GPG checks (yum.conf)" --result OK --color GREEN Display --indent 2 --text "- Checking GPG checks (yum.conf)" --result "${STATUS_OK}" --color GREEN
else else
Display --indent 2 --text "- Checking GPG checks (yum.conf)" --result DISABLED --color RED Display --indent 2 --text "- Checking GPG checks (yum.conf)" --result "${STATUS_DISABLED}" --color RED
ReportWarning ${TEST_NO} "M" "No GPG signing option found in yum.conf" ReportWarning ${TEST_NO} "M" "No GPG signing option found in yum.conf"
fi fi
fi fi
@ -849,7 +849,7 @@
FIND=`egrep "security.debian.org|security.ubuntu.com|-security " /etc/apt/sources.list | grep -v '#' | sed 's/ /!space!/g'` FIND=`egrep "security.debian.org|security.ubuntu.com|-security " /etc/apt/sources.list | grep -v '#' | sed 's/ /!space!/g'`
if [ ! "${FIND}" = "" ]; then if [ ! "${FIND}" = "" ]; then
FOUND=1 FOUND=1
Display --indent 2 --text "- Checking security repository in sources.list file" --result OK --color GREEN Display --indent 2 --text "- Checking security repository in sources.list file" --result "${STATUS_OK}" --color GREEN
LogText "Result: Found security repository in /etc/apt/sources.list" LogText "Result: Found security repository in /etc/apt/sources.list"
for I in ${FIND}; do for I in ${FIND}; do
I=`echo ${I} | sed 's/!space!/ /g'` I=`echo ${I} | sed 's/!space!/ /g'`
@ -862,7 +862,7 @@
FIND=`egrep -r "security.debian.org|security.ubuntu.com|-security " /etc/apt/sources.list.d | grep -v '#' | sed 's/ /!space!/g'` FIND=`egrep -r "security.debian.org|security.ubuntu.com|-security " /etc/apt/sources.list.d | grep -v '#' | sed 's/ /!space!/g'`
if [ ! "${FIND}" = "" ]; then if [ ! "${FIND}" = "" ]; then
FOUND=1 FOUND=1
Display --indent 2 --text "- Checking security repository in sources.list.d directory" --result OK --color GREEN Display --indent 2 --text "- Checking security repository in sources.list.d directory" --result "${STATUS_OK}" --color GREEN
LogText "Result: Found security repository in one or more files in directory /etc/apt/sources.list.d" LogText "Result: Found security repository in one or more files in directory /etc/apt/sources.list.d"
for I in ${FIND}; do for I in ${FIND}; do
I=`echo ${I} | sed 's/!space!/ /g'` I=`echo ${I} | sed 's/!space!/ /g'`
@ -874,7 +874,7 @@
LogText "Result: security repository was found" LogText "Result: security repository was found"
AddHP 3 3 AddHP 3 3
else else
Display --indent 2 --text "- Checking security repository in sources.list file or directory" --result WARNING --color RED Display --indent 2 --text "- Checking security repository in sources.list file or directory" --result "${STATUS_WARNING}" --color RED
ReportWarning ${TEST_NO} "M" "Can't find any security repository in /etc/apt/sources.list or sources.list.d directory" ReportWarning ${TEST_NO} "M" "Can't find any security repository in /etc/apt/sources.list or sources.list.d directory"
AddHP 0 3 AddHP 0 3
fi fi
@ -893,11 +893,11 @@
LogText "Test: Package database consistency by running apt-get check" LogText "Test: Package database consistency by running apt-get check"
FIND=`/usr/bin/apt-get -q=2 check 2> /dev/null; echo $?` FIND=`/usr/bin/apt-get -q=2 check 2> /dev/null; echo $?`
if [ "${FIND}" = "0" ]; then if [ "${FIND}" = "0" ]; then
Display --indent 2 --text "- Checking APT package database" --result OK --color GREEN Display --indent 2 --text "- Checking APT package database" --result "${STATUS_OK}" --color GREEN
LogText "Result: package database seems to be consistent." LogText "Result: package database seems to be consistent."
else else
LogText "Result: package database is most likely NOT consistent" LogText "Result: package database is most likely NOT consistent"
Display --indent 2 --text "- Checking APT package database" --result WARNING --color RED Display --indent 2 --text "- Checking APT package database" --result "${STATUS_WARNING}" --color RED
ReportWarning ${TEST_NO} "M" "apt-get check returned a non successful exit code." ReportWarning ${TEST_NO} "M" "apt-get check returned a non successful exit code."
ReportSuggestion ${TEST_NO} "Run apt-get to perform a manual package database consistency check." ReportSuggestion ${TEST_NO} "Run apt-get to perform a manual package database consistency check."
fi fi
@ -965,13 +965,13 @@
if [ ${VULNERABLE_PACKAGES_FOUND} -eq 1 ]; then if [ ${VULNERABLE_PACKAGES_FOUND} -eq 1 ]; then
ReportWarning ${TEST_NO} "M" "Found one or more vulnerable packages." ReportWarning ${TEST_NO} "M" "Found one or more vulnerable packages."
ReportSuggestion ${TEST_NO} "Update your system with apt-get update, apt-get upgrade, apt-get dist-upgrade and/or unattended-upgrades" ReportSuggestion ${TEST_NO} "Update your system with apt-get update, apt-get upgrade, apt-get dist-upgrade and/or unattended-upgrades"
Display --indent 2 --text "- Checking vulnerable packages" --result WARNING --color RED Display --indent 2 --text "- Checking vulnerable packages" --result "${STATUS_WARNING}" --color RED
else else
Display --indent 2 --text "- Checking vulnerable packages" --result OK --color GREEN Display --indent 2 --text "- Checking vulnerable packages" --result "${STATUS_OK}" --color GREEN
LogText "Result: no vulnerable packages found" LogText "Result: no vulnerable packages found"
fi fi
else else
Display --indent 2 --text "- Checking vulnerable packages (apt-get only)" --result DONE --color GREEN Display --indent 2 --text "- Checking vulnerable packages (apt-get only)" --result "${STATUS_DONE}" --color GREEN
LogText "Result: test not fully executed (missing apt-check output)" LogText "Result: test not fully executed (missing apt-check output)"
fi fi
fi fi
@ -1007,10 +1007,10 @@
else else
if [ "${FIND}" = "0" ]; then if [ "${FIND}" = "0" ]; then
LogText "Result; no vulnerable packages found via glsa-check" LogText "Result; no vulnerable packages found via glsa-check"
Display --indent 2 --text "- Checking vulnerable packages (glsa-check)" --result OK --color GREEN Display --indent 2 --text "- Checking vulnerable packages (glsa-check)" --result "${STATUS_OK}" --color GREEN
else else
VULNERABLE_PACKAGES_FOUND=1 VULNERABLE_PACKAGES_FOUND=1
Display --indent 2 --text "- Checking vulnerable packages (glsa-check)" --result FOUND --color RED Display --indent 2 --text "- Checking vulnerable packages (glsa-check)" --result "${STATUS_FOUND}" --color RED
LogText "Result: found ${FIND} security updates with glsa-check" LogText "Result: found ${FIND} security updates with glsa-check"
ReportWarning "${TEST_NO}" "H" "Found ${FIND} security update(s) with glsa-check." ReportWarning "${TEST_NO}" "H" "Found ${FIND} security update(s) with glsa-check."
LogText "Notes: Run 'glsa-check -t all' to see which GLSA(s) were identified." LogText "Notes: Run 'glsa-check -t all' to see which GLSA(s) were identified."
@ -1037,11 +1037,11 @@
FIND=`/usr/bin/apt-show-versions -u | sed 's/ /!space!/g'` FIND=`/usr/bin/apt-show-versions -u | sed 's/ /!space!/g'`
if [ "${FIND}" = "" ]; then if [ "${FIND}" = "" ]; then
LogText "Result: no packages found which can be upgraded" LogText "Result: no packages found which can be upgraded"
Display --indent 2 --text "- Checking upgradeable packages" --result NONE --color GREEN Display --indent 2 --text "- Checking upgradeable packages" --result "${STATUS_NONE}" --color GREEN
AddHP 3 3 AddHP 3 3
else else
LogText "Result: found one or more packages which can be upgraded" LogText "Result: found one or more packages which can be upgraded"
Display --indent 2 --text "- Checking upgradeable packages" --result FOUND --color YELLOW Display --indent 2 --text "- Checking upgradeable packages" --result "${STATUS_FOUND}" --color YELLOW
# output: program/repository upgradeable from version X to Y # output: program/repository upgradeable from version X to Y
for I in ${FIND}; do for I in ${FIND}; do
I=`echo ${I} | sed 's/!space!/ /g'` I=`echo ${I} | sed 's/!space!/ /g'`
@ -1050,7 +1050,7 @@
fi fi
else else
LogText "Result: /usr/bin/apt-show-versions not found" LogText "Result: /usr/bin/apt-show-versions not found"
Display --indent 2 --text "- Checking upgradeable packages" --result SKIPPED --color WHITE Display --indent 2 --text "- Checking upgradeable packages" --result "${STATUS_SKIPPED}" --color WHITE
ReportSuggestion ${TEST_NO} "Install package apt-show-versions for patch management purposes" ReportSuggestion ${TEST_NO} "Install package apt-show-versions for patch management purposes"
fi fi
fi fi
@ -1064,7 +1064,7 @@
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: checking for package audit tool" LogText "Test: checking for package audit tool"
if [ ${PACKAGE_AUDIT_TOOL_FOUND} -eq 0 ]; then if [ ${PACKAGE_AUDIT_TOOL_FOUND} -eq 0 ]; then
Display --indent 2 --text "- Checking package audit tool" --result NONE --color RED Display --indent 2 --text "- Checking package audit tool" --result "${STATUS_NONE}" --color RED
ReportSuggestion ${TEST_NO} "Install a package audit tool to determine vulnerable packages" ReportSuggestion ${TEST_NO} "Install a package audit tool to determine vulnerable packages"
LogText "Result: no package audit tool found" LogText "Result: no package audit tool found"
else else


@ -44,17 +44,17 @@
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Searching /usr/sbin/chkprintcap" LogText "Test: Searching /usr/sbin/chkprintcap"
if [ ! -f /usr/sbin/chkprintcap ]; then if [ ! -f /usr/sbin/chkprintcap ]; then
Display --indent 2 --text "- Checking chkprintcap" --result "NOT FOUND" --color WHITE Display --indent 2 --text "- Checking chkprintcap" --result "${STATUS_NOT_FOUND}" --color WHITE
LogText "Result: /usr/sbin/chkprintcap NOT found, test skipped." LogText "Result: /usr/sbin/chkprintcap NOT found, test skipped."
else else
LogText "Result: /usr/sbin/chkprintcap found" LogText "Result: /usr/sbin/chkprintcap found"
FIND=`/usr/sbin/chkprintcap > /dev/null ; echo $?` FIND=`/usr/sbin/chkprintcap > /dev/null ; echo $?`
# Only an exit code of zero should come back. Use string instead of integer, due unexpected trash # Only an exit code of zero should come back. Use string instead of integer, due unexpected trash
if [ "${FIND}" = "0" ]; then if [ "${FIND}" = "0" ]; then
Display --indent 2 --text "- Integrity check of printcap file" --result OK --color GREEN Display --indent 2 --text "- Integrity check of printcap file" --result "${STATUS_OK}" --color GREEN
LogText "Result: chkprintcap did NOT gave any warnings" LogText "Result: chkprintcap did NOT gave any warnings"
else else
Display --indent 2 --text "- Integrity check of printcap file" --result WARNING --color RED Display --indent 2 --text "- Integrity check of printcap file" --result "${STATUS_WARNING}" --color RED
ReportSuggestion ${TEST_NO} "Run chkprintcap manually to test printcap file" ReportSuggestion ${TEST_NO} "Run chkprintcap manually to test printcap file"
LogText "Output from chkprintcap: ${FIND}" LogText "Output from chkprintcap: ${FIND}"
LogText "Run chkprintcap and check the /etc/printcap file." LogText "Run chkprintcap and check the /etc/printcap file."
@ -72,11 +72,11 @@
#FIND=`${PSBINARY} ax | grep "cupsd" | grep -v "grep" | grep -v apcupsd` #FIND=`${PSBINARY} ax | grep "cupsd" | grep -v "grep" | grep -v apcupsd`
IsRunning cupsd IsRunning cupsd
if [ ${RUNNING} -eq 1 ]; then if [ ${RUNNING} -eq 1 ]; then
Display --indent 2 --text "- Checking cups daemon" --result RUNNING --color GREEN Display --indent 2 --text "- Checking cups daemon" --result "${STATUS_RUNNING}" --color GREEN
LogText "Result: cups daemon running" LogText "Result: cups daemon running"
CUPSD_RUNNING=1; PRINTING_DAEMON="cups" CUPSD_RUNNING=1; PRINTING_DAEMON="cups"
else else
Display --indent 2 --text "- Checking cups daemon" --result "NOT FOUND" --color WHITE Display --indent 2 --text "- Checking cups daemon" --result "${STATUS_NOT_FOUND}" --color WHITE
LogText "Result: cups daemon not running, cups daemon tests skipped" LogText "Result: cups daemon not running, cups daemon tests skipped"
fi fi
fi fi
@ -96,11 +96,11 @@
fi fi
done done
if [ ! "${CUPSD_CONFIG_FILE}" = "" ]; then if [ ! "${CUPSD_CONFIG_FILE}" = "" ]; then
Display --indent 2 --text "- Checking CUPS configuration file" --result OK --color GREEN Display --indent 2 --text "- Checking CUPS configuration file" --result "${STATUS_OK}" --color GREEN
LogText "Result: configuration file found (${CUPSD_CONFIG_FILE})" LogText "Result: configuration file found (${CUPSD_CONFIG_FILE})"
CUPSD_FOUND=1 CUPSD_FOUND=1
else else
Display --indent 2 --text "- Checking CUPS configuration file" --result "NOT FOUND" --color RED Display --indent 2 --text "- Checking CUPS configuration file" --result "${STATUS_NOT_FOUND}" --color RED
LogText "Result: configuration file not found" LogText "Result: configuration file not found"
LogText "Development: no CUPS configuration file found" LogText "Development: no CUPS configuration file found"
fi fi
@ -118,10 +118,10 @@
FIND=`ls -l ${CUPSD_CONFIG_FILE} | cut -c 2-10` FIND=`ls -l ${CUPSD_CONFIG_FILE} | cut -c 2-10`
LogText "Result: found ${FIND}" LogText "Result: found ${FIND}"
if [ "${FIND}" = "r--------" -o "${FIND}" = "rw-------" -o "${FIND}" = "rw-r-----" -o "${FIND}" = "rw-rw----" ]; then if [ "${FIND}" = "r--------" -o "${FIND}" = "rw-------" -o "${FIND}" = "rw-r-----" -o "${FIND}" = "rw-rw----" ]; then
Display --indent 4 --text "- File permissions" --result "OK" --color GREEN Display --indent 4 --text "- File permissions" --result "${STATUS_OK}" --color GREEN
AddHP 1 1 AddHP 1 1
else else
Display --indent 4 --text "- File permissions" --result "WARNING" --color RED Display --indent 4 --text "- File permissions" --result "${STATUS_WARNING}" --color RED
ReportSuggestion ${TEST_NO} "Access to CUPS configuration could be more strict." ReportSuggestion ${TEST_NO} "Access to CUPS configuration could be more strict."
AddHP 1 2 AddHP 1 2
fi fi
@ -173,10 +173,10 @@
done done
if [ ${N} -eq 0 ]; then if [ ${N} -eq 0 ]; then
Display --indent 2 --text "- Checking CUPS addresses/sockets" --result "NONE" --color WHITE Display --indent 2 --text "- Checking CUPS addresses/sockets" --result "${STATUS_NONE}" --color WHITE
LogText "Result: no addresses found on which CUPS daemon is listening" LogText "Result: no addresses found on which CUPS daemon is listening"
else else
Display --indent 2 --text "- Checking CUPS addresses/sockets" --result "FOUND" --color GREEN Display --indent 2 --text "- Checking CUPS addresses/sockets" --result "${STATUS_FOUND}" --color GREEN
LogText "Result: CUPS daemon is listening on network/socket" LogText "Result: CUPS daemon is listening on network/socket"
fi fi
fi fi
@ -190,11 +190,11 @@
LogText "Test: Checking lpd status" LogText "Test: Checking lpd status"
IsRunning lpd IsRunning lpd
if [ ${RUNNING} -eq 1 ]; then if [ ${RUNNING} -eq 1 ]; then
Display --indent 2 --text "- Checking lp daemon" --result RUNNING --color GREEN Display --indent 2 --text "- Checking lp daemon" --result "${STATUS_RUNNING}" --color GREEN
LogText "Result: lp daemon running" LogText "Result: lp daemon running"
LPD_RUNNING=1; PRINTING_DAEMON="lp" LPD_RUNNING=1; PRINTING_DAEMON="lp"
else else
Display --indent 2 --text "- Checking lp daemon" --result "NOT RUNNING" --color WHITE Display --indent 2 --text "- Checking lp daemon" --result "${STATUS_NOT_RUNNING}" --color WHITE
LogText "Result: lp daemon not running" LogText "Result: lp daemon not running"
AddHP 4 4 AddHP 4 4
fi fi
@ -225,7 +225,7 @@
FIND=`grep -v "^\*" ${QDAEMON_CONFIG_FILE} | egrep "backend|device"` FIND=`grep -v "^\*" ${QDAEMON_CONFIG_FILE} | egrep "backend|device"`
if [ ! "${FIND}" = "" ]; then if [ ! "${FIND}" = "" ]; then
LogText "Result: printers are defined in ${QDAEMON_CONFIG_FILE}" LogText "Result: printers are defined in ${QDAEMON_CONFIG_FILE}"
Display --indent 2 --text "- Checking /etc/qconfig file" --result FOUND --color GREEN Display --indent 2 --text "- Checking /etc/qconfig file" --result "${STATUS_FOUND}" --color GREEN
QDAEMON_CONFIG_ENABLED=1 QDAEMON_CONFIG_ENABLED=1
else else
LogText "Result: ${QDAEMON_CONFIG_FILE} is empty. No printers are defined" LogText "Result: ${QDAEMON_CONFIG_FILE} is empty. No printers are defined"
@ -246,16 +246,16 @@
IsRunning qdaemon IsRunning qdaemon
if [ ${RUNNING} -eq 1 ]; then if [ ${RUNNING} -eq 1 ]; then
LogText "Result: qdaemon daemon running" LogText "Result: qdaemon daemon running"
Display --indent 2 --text "- Checking qdaemon daemon" --result RUNNING --color GREEN Display --indent 2 --text "- Checking qdaemon daemon" --result "${STATUS_RUNNING}" --color GREEN
QDAEMON_RUNNING=1; PRINTING_DAEMON="qdaemon" QDAEMON_RUNNING=1; PRINTING_DAEMON="qdaemon"
else else
if [ ${QDAEMON_CONFIG_ENABLED} -eq 1 ]; then if [ ${QDAEMON_CONFIG_ENABLED} -eq 1 ]; then
LogText "Result: qdaemon daemon not running" LogText "Result: qdaemon daemon not running"
Display --indent 2 --text "- Checking qdaemon daemon" --result "NOT RUNNING" --color RED Display --indent 2 --text "- Checking qdaemon daemon" --result "${STATUS_NOT_RUNNING}" --color RED
ReportSuggestion ${TEST_NO} "Activate print spooler daemon (qdaemon) in order to process print jobs" ReportSuggestion ${TEST_NO} "Activate print spooler daemon (qdaemon) in order to process print jobs"
else else
LogText "Result: qdaemon daemon not running" LogText "Result: qdaemon daemon not running"
Display --indent 2 --text "- Checking qdaemon daemon" --result "NOT RUNNING" --color WHITE Display --indent 2 --text "- Checking qdaemon daemon" --result "${STATUS_NOT_RUNNING}" --color WHITE
fi fi
fi fi
fi fi
@ -278,12 +278,12 @@
N=$((N + 1)) N=$((N + 1))
done done
LogText "Result: Found ${N} old print jobs in /var/spool/lpd/qdir" LogText "Result: Found ${N} old print jobs in /var/spool/lpd/qdir"
Display --indent 4 --text "- Checking old print jobs" --result FOUND --color YELLOW Display --indent 4 --text "- Checking old print jobs" --result "${STATUS_FOUND}" --color YELLOW
ReportSuggestion ${TEST_NO} "Check old print jobs in /var/spool/lpd/qdir to prevent new jobs from being processed" ReportSuggestion ${TEST_NO} "Check old print jobs in /var/spool/lpd/qdir to prevent new jobs from being processed"
LogText "Risk: Failed or defunct print jobs can occupy a lot of space and in some cases, prevent new jobs from being processed" LogText "Risk: Failed or defunct print jobs can occupy a lot of space and in some cases, prevent new jobs from being processed"
else else
LogText "Result: Old print jobs not found in /var/spool/lpd/qdir" LogText "Result: Old print jobs not found in /var/spool/lpd/qdir"
Display --indent 4 --text "- Checking old print jobs" --result "NONE" --color GREEN Display --indent 4 --text "- Checking old print jobs" --result "${STATUS_NONE}" --color GREEN
fi fi
fi fi
fi fi
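Review bot: The `--result` values in this file now come from `${STATUS_OK}`, `${STATUS_WARNING}`, `${STATUS_NOT_RUNNING}` and similar variables, and nothing in these hunks guards against one of them being unset or empty. Their definitions are not visible here; if a language file omits a key, a finding such as the CUPS `File permissions` check would presumably show a blank result on screen instead of a warning, while the `LogText` and `ReportSuggestion` lines stay English literals and are unaffected. A default at the point of use, e.g. `--result "${STATUS_WARNING:-WARNING}"`, or an English default assigned to every `STATUS_*` name before the translation is loaded, would keep the audit output readable. The same applies to the scheduling checks in the next file section.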


@ -169,12 +169,12 @@
# Show warning when an issue shows up. Even if *both* the permissions and ownership are wrong, just show one (prevent overload of warnings). # Show warning when an issue shows up. Even if *both* the permissions and ownership are wrong, just show one (prevent overload of warnings).
if [ ${BAD_FILE_PERMISSIONS} -eq 1 ]; then if [ ${BAD_FILE_PERMISSIONS} -eq 1 ]; then
ReportWarning "${TEST_NO}" "Found one or more cronjob files with incorrect file permissions (see log for details)" ReportWarning "${TEST_NO}" "Found one or more cronjob files with incorrect file permissions (see log for details)"
Display --indent 2 --text "- Checking crontab/cronjob" --result WARNING --color RED Display --indent 2 --text "- Checking crontab/cronjob" --result "${STATUS_WARNING}" --color RED
elif [ ${BAD_FILE_OWNERSHIP} -eq 1 ]; then elif [ ${BAD_FILE_OWNERSHIP} -eq 1 ]; then
ReportWarning "${TEST_NO}" "Found one or more cronjob files with incorrect ownership (see log for details)" ReportWarning "${TEST_NO}" "Found one or more cronjob files with incorrect ownership (see log for details)"
Display --indent 2 --text "- Checking crontab/cronjob" --result WARNING --color RED Display --indent 2 --text "- Checking crontab/cronjob" --result "${STATUS_WARNING}" --color RED
else else
Display --indent 2 --text "- Checking crontab/cronjob" --result DONE --color GREEN Display --indent 2 --text "- Checking crontab/cronjob" --result "${STATUS_DONE}" --color GREEN
fi fi
fi fi
@ -189,12 +189,12 @@
FIND=$(${PSBINARY} ax | grep "/atd" | grep -v "grep") FIND=$(${PSBINARY} ax | grep "/atd" | grep -v "grep")
if [ ! "${FIND}" = "" ]; then if [ ! "${FIND}" = "" ]; then
LogText "Result: at daemon active" LogText "Result: at daemon active"
Display --indent 2 --text "- Checking atd status" --result RUNNING --color GREEN Display --indent 2 --text "- Checking atd status" --result "${STATUS_RUNNING}" --color GREEN
ATD_RUNNING=1 ATD_RUNNING=1
Report "scheduler[]=atd" Report "scheduler[]=atd"
else else
LogText "Result: at daemon not active" LogText "Result: at daemon not active"
if IsVerbose; then Display --indent 2 --text "- Checking atd status" --result "NOT RUNNING" --color WHITE; fi if IsVerbose; then Display --indent 2 --text "- Checking atd status" --result "${STATUS_NOT_RUNNING}" --color WHITE; fi
fi fi
fi fi
# #
@ -259,9 +259,9 @@
AddHP 1 1 AddHP 1 1
fi fi
fi fi
Display --indent 4 --text "- Checking at users" --result DONE --color GREEN Display --indent 4 --text "- Checking at users" --result "${STATUS_DONE}" --color GREEN
else else
Display --indent 4 --text "- Checking at users" --result SKIPPED --color YELLOW Display --indent 4 --text "- Checking at users" --result "${STATUS_SKIPPED}" --color YELLOW
fi fi
fi fi
# #
@ -280,10 +280,10 @@
VALUE=$(echo ${I} | sed 's/!space!/ /g') VALUE=$(echo ${I} | sed 's/!space!/ /g')
LogText "Found at job: ${VALUE}" LogText "Found at job: ${VALUE}"
done done
Display --indent 4 --text "- Checking at jobs" --result FOUND --color GREEN Display --indent 4 --text "- Checking at jobs" --result "${STATUS_FOUND}" --color GREEN
else else
LogText "Result: no pending at jobs" LogText "Result: no pending at jobs"
Display --indent 4 --text "- Checking at jobs" --result NONE --color GREEN Display --indent 4 --text "- Checking at jobs" --result "${STATUS_NONE}" --color GREEN
fi fi
fi fi
# #
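Review bot: The new `--result "${STATUS_...}"` arguments have no fallback, so a language file that lacks one of the variables would leave the result column empty; this matters most on the two `${STATUS_WARNING}` lines for cronjob file permissions and ownership. The variable definitions are not visible in this diff, so this is only a concern if a translation can omit entries. If it can, a default keeps the finding readable: `--result "${STATUS_WARNING:-WARNING}"`. The same applies to the other files in this commit that use the STATUS_ variables. The enclosing tests start and end outside these hunks.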


@ -53,10 +53,10 @@
LogText "Test: Checking console TTYs" LogText "Test: Checking console TTYs"
FIND=`egrep '^console' /etc/ttys | grep -v 'insecure'` FIND=`egrep '^console' /etc/ttys | grep -v 'insecure'`
if [ "${FIND}" = "" ]; then if [ "${FIND}" = "" ]; then
Display --indent 2 --text "- Checking console TTYs" --result OK --color GREEN Display --indent 2 --text "- Checking console TTYs" --result "${STATUS_OK}" --color GREEN
LogText "Result: console is secured against single user mode without password." LogText "Result: console is secured against single user mode without password."
else else
Display --indent 2 --text "- Checking console TTYs" --result WARNING --color RED Display --indent 2 --text "- Checking console TTYs" --result "${STATUS_WARNING}" --color RED
LogText "Result: Found insecure console in /etc/ttys. Single user mode login without password allowed!" LogText "Result: Found insecure console in /etc/ttys. Single user mode login without password allowed!"
LogText "Output /etc/ttys:" LogText "Output /etc/ttys:"
LogText "${FIND}" LogText "${FIND}"
@ -208,10 +208,10 @@
fi fi
if [ ${IDLE_TIMEOUT} -eq 1 ]; then if [ ${IDLE_TIMEOUT} -eq 1 ]; then
Display --indent 4 --text "- Session timeout settings/tools" --result "FOUND" --color GREEN Display --indent 4 --text "- Session timeout settings/tools" --result "${STATUS_FOUND}" --color GREEN
AddHP 3 3 AddHP 3 3
else else
Display --indent 4 --text "- Session timeout settings/tools" --result "NONE" --color YELLOW Display --indent 4 --text "- Session timeout settings/tools" --result "${STATUS_NONE}" --color YELLOW
AddHP 1 3 AddHP 1 3
fi fi
fi fi
@ -234,7 +234,7 @@
FIND=`grep umask ${FILE} | sed 's/^[ \t]*//g' | sed 's/#.*$//' | grep -v "^$" | awk '{ print $2 }'` FIND=`grep umask ${FILE} | sed 's/^[ \t]*//g' | sed 's/#.*$//' | grep -v "^$" | awk '{ print $2 }'`
if [ "${FIND}" = "" ]; then if [ "${FIND}" = "" ]; then
LogText "Result: did not find umask configured in ${FILE}" LogText "Result: did not find umask configured in ${FILE}"
Display --indent 4 --text "- Checking default umask in ${FILE}" --result NONE --color YELLOW Display --indent 4 --text "- Checking default umask in ${FILE}" --result "${STATUS_NONE}" --color YELLOW
else else
for UMASKVALUE in ${FIND}; do for UMASKVALUE in ${FIND}; do
LogText "Result: found umask ${UMASKVALUE} in ${FILE}" LogText "Result: found umask ${UMASKVALUE} in ${FILE}"
@ -249,7 +249,7 @@
esac esac
done done
if [ ${HARDENING_POSSIBLE} -eq 0 ]; then if [ ${HARDENING_POSSIBLE} -eq 0 ]; then
Display --indent 4 --text "- Checking default umask in ${FILE}" --result OK --color GREEN Display --indent 4 --text "- Checking default umask in ${FILE}" --result "${STATUS_OK}" --color GREEN
AddHP 3 3 AddHP 3 3
else else
Display --indent 4 --text "- Checking default umask in ${FILE}" --result WEAK --color YELLOW Display --indent 4 --text "- Checking default umask in ${FILE}" --result WEAK --color YELLOW
@ -263,7 +263,7 @@
#if [ ${FOUND} -eq 1 ]; then #if [ ${FOUND} -eq 1 ]; then
# if [ ${HARDENING_POSSIBLE} -eq 0 ]; then # if [ ${HARDENING_POSSIBLE} -eq 0 ]; then
# LogText "Result: all shell files found, contain a proper umask" # LogText "Result: all shell files found, contain a proper umask"
# Display --indent 4 --text "- Default umask" --result OK --color GREEN # Display --indent 4 --text "- Default umask" --result "${STATUS_OK}" --color GREEN
# fi # fi
#fi #fi
fi fi
@ -300,11 +300,11 @@
if [ ! "${VULNERABLE}" = "" ]; then if [ ! "${VULNERABLE}" = "" ]; then
LogText "Output: ${VULNERABLE}" LogText "Output: ${VULNERABLE}"
LogText "Result: Vulnerable to original shellshock (CVE-2014-6271)" LogText "Result: Vulnerable to original shellshock (CVE-2014-6271)"
Display --indent 2 --text "- Shellshock: CVE-2014-6271 (original shellshocker)" --result "WARNING" --color RED Display --indent 2 --text "- Shellshock: CVE-2014-6271 (original shellshocker)" --result "${STATUS_WARNING}" --color RED
FOUND=1 FOUND=1
else else
LogText "Result: Not vulnerable to original shellshock (CVE-2014-6271)" LogText "Result: Not vulnerable to original shellshock (CVE-2014-6271)"
#Display --indent 4 --text "- CVE-2014-6271 (original shellshocker)" --result "OK" --color GREEN #Display --indent 4 --text "- CVE-2014-6271 (original shellshocker)" --result "${STATUS_OK}" --color GREEN
fi fi
# CVE-2014-6277 (disabled, as this test was giving too much false positives) # CVE-2014-6277 (disabled, as this test was giving too much false positives)
@ -317,11 +317,11 @@
if [ ! "${VULNERABLE}" = "" ]; then if [ ! "${VULNERABLE}" = "" ]; then
LogText "Output: ${VULNERABLE}" LogText "Output: ${VULNERABLE}"
LogText "Result: Vulnerable to CVE-2014-6278" LogText "Result: Vulnerable to CVE-2014-6278"
Display --indent 2 --text "- Shellshock: CVE-2014-6278 (Florian's patch, lcamtuf bug #2)" --result "WARNING" --color RED Display --indent 2 --text "- Shellshock: CVE-2014-6278 (Florian's patch, lcamtuf bug #2)" --result "${STATUS_WARNING}" --color RED
FOUND=1 FOUND=1
else else
LogText "Result: Not vulnerable to CVE-2014-6278" LogText "Result: Not vulnerable to CVE-2014-6278"
#Display --indent 4 --text "- CVE-2014-6278 (Florian's patch, lcamtuf bug #2)" --result "OK" --color GREEN #Display --indent 4 --text "- CVE-2014-6278 (Florian's patch, lcamtuf bug #2)" --result "${STATUS_OK}" --color GREEN
fi fi
# CVE-2014-7169 # CVE-2014-7169
@ -332,11 +332,11 @@
if [ ! "${VULNERABLE}" = "" ]; then if [ ! "${VULNERABLE}" = "" ]; then
LogText "Output: ${VULNERABLE}" LogText "Output: ${VULNERABLE}"
LogText "Result: Vulnerable to taviso bug (CVE-2014-7169)" LogText "Result: Vulnerable to taviso bug (CVE-2014-7169)"
Display --indent 2 --text "- Shellshock: CVE-2014-7169 (taviso bug)" --result "WARNING" --color RED Display --indent 2 --text "- Shellshock: CVE-2014-7169 (taviso bug)" --result "${STATUS_WARNING}" --color RED
FOUND=1 FOUND=1
else else
LogText "Result: Not vulnerable to taviso bug (CVE-2014-7169)" LogText "Result: Not vulnerable to taviso bug (CVE-2014-7169)"
#Display --indent 4 --text "- CVE-2014-7169 (taviso bug)" --result "OK" --color GREEN #Display --indent 4 --text "- CVE-2014-7169 (taviso bug)" --result "${STATUS_OK}" --color GREEN
fi fi
# CVE-2014-7186 # CVE-2014-7186
@ -347,11 +347,11 @@
if [ ! "${VULNERABLE}" = "" ]; then if [ ! "${VULNERABLE}" = "" ]; then
LogText "Output: ${VULNERABLE}" LogText "Output: ${VULNERABLE}"
LogText "Result: Vulnerable to CVE-2014-7186" LogText "Result: Vulnerable to CVE-2014-7186"
Display --indent 2 --text "- Shellshock: CVE-2014-7186 redir_stack bug" --result "WARNING" --color RED Display --indent 2 --text "- Shellshock: CVE-2014-7186 redir_stack bug" --result "${STATUS_WARNING}" --color RED
FOUND=1 FOUND=1
else else
LogText "Result: Not vulnerable to CVE-2014-7186" LogText "Result: Not vulnerable to CVE-2014-7186"
#Display --indent 4 --text "- CVE-2014-7186 redir_stack bug" --result "OK" --color GREEN #Display --indent 4 --text "- CVE-2014-7186 redir_stack bug" --result "${STATUS_OK}" --color GREEN
fi fi
# CVE-2014-7187 # CVE-2014-7187
@ -362,11 +362,11 @@
if [ ! "${VULNERABLE}" = "" ]; then if [ ! "${VULNERABLE}" = "" ]; then
LogText "Output: ${VULNERABLE}" LogText "Output: ${VULNERABLE}"
LogText "Result: Vulnerable to CVE-2014-7187" LogText "Result: Vulnerable to CVE-2014-7187"
Display --indent 2 --text "- Shellshock: CVE-2014-7187 nested loops off by one bug" --result "WARNING" --color RED Display --indent 2 --text "- Shellshock: CVE-2014-7187 nested loops off by one bug" --result "${STATUS_WARNING}" --color RED
FOUND=1 FOUND=1
else else
LogText "Result: Not vulnerable to CVE-2014-7187" LogText "Result: Not vulnerable to CVE-2014-7187"
#Display --indent 4 --text "- CVE-2014-7187 nested loops off by one bug" --result "OK" --color GREEN #Display --indent 4 --text "- CVE-2014-7187 nested loops off by one bug" --result "${STATUS_OK}" --color GREEN
fi fi
# CVE-2014-//// # CVE-2014-////
@ -377,11 +377,11 @@
if [ ! "${VULNERABLE}" = "" ]; then if [ ! "${VULNERABLE}" = "" ]; then
LogText "Output: ${VULNERABLE}" LogText "Output: ${VULNERABLE}"
LogText "Result: Vulnerable to CVE-2014-//// (exploit #3 on shellshocker.net)" LogText "Result: Vulnerable to CVE-2014-//// (exploit #3 on shellshocker.net)"
Display --indent 2 --text "- Shellshock: Exploit #3 on shellshocker.net (no CVE)" --result "WARNING" --color RED Display --indent 2 --text "- Shellshock: Exploit #3 on shellshocker.net (no CVE)" --result "${STATUS_WARNING}" --color RED
FOUND=1 FOUND=1
else else
LogText "Result: Not vulnerable to exploit #3 on shellshocker.net (no CVE)" LogText "Result: Not vulnerable to exploit #3 on shellshocker.net (no CVE)"
#Display --indent 4 --text "- Exploit#3 on shellshocker.net (no CVE)" --result "OK" --color GREEN #Display --indent 4 --text "- Exploit#3 on shellshocker.net (no CVE)" --result "${STATUS_OK}" --color GREEN
fi fi
else else
LogText "Result: bash binary found, but not executable, or it is symlinked" LogText "Result: bash binary found, but not executable, or it is symlinked"
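Review bot: The weak-umask branch still passes a literal, `--result WEAK --color YELLOW`, while the NONE and OK branches of the same test now use `${STATUS_NONE}` and `${STATUS_OK}`, so the one result that flags a hardening gap stays untranslated. It should get its own variable, for example a `STATUS_WEAK` entry added to the language file and `--result "${STATUS_WEAK}"` here; whether such an entry already exists cannot be seen from this diff. The umask test's body continues outside the hunk.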


@ -40,10 +40,10 @@
if [ ${RUNNING} -eq 1 ]; then if [ ${RUNNING} -eq 1 ]; then
SNMP_DAEMON_RUNNING=1 SNMP_DAEMON_RUNNING=1
LogText "Result: SNMP daemon is running" LogText "Result: SNMP daemon is running"
Display --indent 2 --text "- Checking running SNMP daemon" --result FOUND --color GREEN Display --indent 2 --text "- Checking running SNMP daemon" --result "${STATUS_FOUND}" --color GREEN
else else
LogText "Result: No running SNMP daemon found" LogText "Result: No running SNMP daemon found"
Display --indent 2 --text "- Checking running SNMP daemon" --result "NOT FOUND" --color WHITE Display --indent 2 --text "- Checking running SNMP daemon" --result "${STATUS_NOT_FOUND}" --color WHITE
fi fi
fi fi
# #
@ -63,10 +63,10 @@
done done
if [ "${SNMPD_DAEMON_CONFIG}" = "" ]; then if [ "${SNMPD_DAEMON_CONFIG}" = "" ]; then
LogText "Result: No snmpd configuration found" LogText "Result: No snmpd configuration found"
Display --indent 4 --text "- Checking SNMP configuration" --result "NOT FOUND" --color WHITE Display --indent 4 --text "- Checking SNMP configuration" --result "${STATUS_NOT_FOUND}" --color WHITE
else else
LogText "Restult: using last found configuration file: ${SNMPD_DAEMON_CONFIG}" LogText "Restult: using last found configuration file: ${SNMPD_DAEMON_CONFIG}"
Display --indent 4 --text "- Checking SNMP configuration" --result "FOUND" --color GREEN Display --indent 4 --text "- Checking SNMP configuration" --result "${STATUS_FOUND}" --color GREEN
fi fi
fi fi
# #
@ -91,10 +91,10 @@
# Check status of test # Check status of test
if [ ${WARN} -eq 0 ]; then if [ ${WARN} -eq 0 ]; then
Display --indent 2 --text "- Checking SNMP community strings" --result OK --color GREEN Display --indent 2 --text "- Checking SNMP community strings" --result "${STATUS_OK}" --color GREEN
AddHP 2 2 AddHP 2 2
else else
Display --indent 2 --text "- Checking SNMP community strings" --result WARNING --color RED Display --indent 2 --text "- Checking SNMP community strings" --result "${STATUS_WARNING}" --color RED
ReportWarning ${TEST_NO} "M" "Found easy guessable SNMP community string" ReportWarning ${TEST_NO} "M" "Found easy guessable SNMP community string"
fi fi
fi fi
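Review bot: The log line next to the changed Display call is misspelled, `LogText "Restult: using last found configuration file: ${SNMPD_DAEMON_CONFIG}"`, so anything that filters the log on the `Result:` prefix used everywhere else will miss it. Since this commit already touches both branches of that test, it is a good place to correct it to `LogText "Result: using last found configuration file: ${SNMPD_DAEMON_CONFIG}"`. The surrounding test starts outside the hunk.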


@ -36,10 +36,10 @@
# if [ ! "${FIND}" = "" ]; then # if [ ! "${FIND}" = "" ]; then
# SSH_DAEMON_RUNNING=1 # SSH_DAEMON_RUNNING=1
# LogText "Result: Stop-A is disabled" # LogText "Result: Stop-A is disabled"
# Display --indent 2 --text "- Checking running SSH daemon" --result FOUND --color GREEN # Display --indent 2 --text "- Checking running SSH daemon" --result "${STATUS_FOUND}" --color GREEN
# else # else
# LogText "Result: Stop-A is NOT disabled" # LogText "Result: Stop-A is NOT disabled"
# Display --indent 2 --text "- Checking running SSH daemon" --result "NOT FOUND" --color WHITE # Display --indent 2 --text "- Checking running SSH daemon" --result "${STATUS_NOT_FOUND}" --color WHITE
# fi # fi
# fi # fi
# #
@ -55,10 +55,10 @@
# if [ ! "${FIND}" = "" ]; then # if [ ! "${FIND}" = "" ]; then
# SSH_DAEMON_RUNNING=1 # SSH_DAEMON_RUNNING=1
# LogText "Result: Stop-A is disabled" # LogText "Result: Stop-A is disabled"
# Display --indent 2 --text "- Checking running SSH daemon" --result FOUND --color GREEN # Display --indent 2 --text "- Checking running SSH daemon" --result "${STATUS_FOUND}" --color GREEN
# else # else
# LogText "Result: Stop-A is NOT disabled" # LogText "Result: Stop-A is NOT disabled"
# Display --indent 2 --text "- Checking running SSH daemon" --result "NOT FOUND" --color WHITE # Display --indent 2 --text "- Checking running SSH daemon" --result "${STATUS_NOT_FOUND}" --color WHITE
# fi # fi
# fi # fi


@ -46,10 +46,10 @@
if [ ! "${FIND}" = "" ]; then if [ ! "${FIND}" = "" ]; then
SQUID_DAEMON_RUNNING=1 SQUID_DAEMON_RUNNING=1
LogText "Result: Squid daemon is running" LogText "Result: Squid daemon is running"
Display --indent 2 --text "- Checking running Squid daemon" --result FOUND --color GREEN Display --indent 2 --text "- Checking running Squid daemon" --result "${STATUS_FOUND}" --color GREEN
else else
LogText "Result: No running Squid daemon found" LogText "Result: No running Squid daemon found"
Display --indent 2 --text "- Checking running Squid daemon" --result "NOT FOUND" --color WHITE Display --indent 2 --text "- Checking running Squid daemon" --result "${STATUS_NOT_FOUND}" --color WHITE
fi fi
fi fi
# #
@ -75,10 +75,10 @@
done done
if [ "${SQUID_DAEMON_CONFIG}" = "" ]; then if [ "${SQUID_DAEMON_CONFIG}" = "" ]; then
LogText "Result: No Squid configuration file found" LogText "Result: No Squid configuration file found"
Display --indent 4 --text "- Searching Squid configuration file" --result "NOT FOUND" --color YELLOW Display --indent 4 --text "- Searching Squid configuration file" --result "${STATUS_NOT_FOUND}" --color YELLOW
else else
LogText "Result: using last found configuration file: ${SQUID_DAEMON_CONFIG}" LogText "Result: using last found configuration file: ${SQUID_DAEMON_CONFIG}"
Display --indent 4 --text "- Searching Squid configuration" --result FOUND --color GREEN Display --indent 4 --text "- Searching Squid configuration" --result "${STATUS_FOUND}" --color GREEN
fi fi
fi fi
# #
@ -95,11 +95,11 @@
FIND=`find ${SQUIDBINARY} \( -perm 4000 -o -perm 2000 \) -print` FIND=`find ${SQUIDBINARY} \( -perm 4000 -o -perm 2000 \) -print`
if [ "${FIND}" = "" ]; then if [ "${FIND}" = "" ]; then
FIND2=`${SQUIDBINARY} -v | awk '{ if ($3=="Version") { print $4 } }'` FIND2=`${SQUIDBINARY} -v | awk '{ if ($3=="Version") { print $4 } }'`
Display --indent 4 --text "- Checking Squid version" --result "FOUND" --color GREEN Display --indent 4 --text "- Checking Squid version" --result "${STATUS_FOUND}" --color GREEN
SQUID_VERSION="${FIND2}" SQUID_VERSION="${FIND2}"
else else
LogText "Result: test skipped for security reasons, setuid/setgid bit set" LogText "Result: test skipped for security reasons, setuid/setgid bit set"
Display --indent 4 --text "- Checking Squid version" --result "SKIPPED" --color RED Display --indent 4 --text "- Checking Squid version" --result "${STATUS_SKIPPED}" --color RED
fi fi
else else
LogText "Result: no Squid binary found" LogText "Result: no Squid binary found"
@ -120,7 +120,7 @@
LogText "Found Squid option: ${I}" LogText "Found Squid option: ${I}"
Report "squid_option=${I}" Report "squid_option=${I}"
done done
Display --indent 4 --text "- Checking defined Squid options" --result "DONE" --color GREEN Display --indent 4 --text "- Checking defined Squid options" --result "${STATUS_DONE}" --color GREEN
fi fi
# #
################################################################################# #################################################################################
@ -134,13 +134,13 @@
FIND=`find ${SQUID_DAEMON_CONFIG} -type f -a \( -perm -004 -o -perm -002 -o -perm -001 \)` FIND=`find ${SQUID_DAEMON_CONFIG} -type f -a \( -perm -004 -o -perm -002 -o -perm -001 \)`
if [ ! "${FIND}" = "" ]; then if [ ! "${FIND}" = "" ]; then
LogText "Result: file ${SQUID_DAEMON_CONFIG} is world readable, writable or executable and could leak information or passwords" LogText "Result: file ${SQUID_DAEMON_CONFIG} is world readable, writable or executable and could leak information or passwords"
Display --indent 4 --text "- Checking Squid configuration file permissions" --result WARNING --color RED Display --indent 4 --text "- Checking Squid configuration file permissions" --result "${STATUS_WARNING}" --color RED
ReportSuggestion ${TEST_NO} "Check file permissions of ${SQUID_DAEMON_CONFIG} to limit access" ReportSuggestion ${TEST_NO} "Check file permissions of ${SQUID_DAEMON_CONFIG} to limit access"
ReportWarning ${TEST_NO} "M" "File permissions of ${SQUID_DAEMON_CONFIG} are not restrictive" ReportWarning ${TEST_NO} "M" "File permissions of ${SQUID_DAEMON_CONFIG} are not restrictive"
AddHP 0 2 AddHP 0 2
else else
LogText "Result: file ${SQUID_DAEMON_CONFIG} has proper file permissions" LogText "Result: file ${SQUID_DAEMON_CONFIG} has proper file permissions"
Display --indent 4 --text "- Checking Squid configuration file permissions" --result OK --color GREEN Display --indent 4 --text "- Checking Squid configuration file permissions" --result "${STATUS_OK}" --color GREEN
AddHP 2 2 AddHP 2 2
fi fi
fi fi
@ -162,9 +162,9 @@
FIND=`grep "^auth_param" ${SQUID_DAEMON_CONFIG} | awk '{ print $2 }'` FIND=`grep "^auth_param" ${SQUID_DAEMON_CONFIG} | awk '{ print $2 }'`
if [ "${FIND}" = "" ]; then if [ "${FIND}" = "" ]; then
LogText "No auth_param option found, proxy access anonymous or based on other methods (like ACLs)" LogText "No auth_param option found, proxy access anonymous or based on other methods (like ACLs)"
Display --indent 6 --text "- Checking Squid authentication methods" --result "NONE" --color YELLOW Display --indent 6 --text "- Checking Squid authentication methods" --result "${STATUS_NONE}" --color YELLOW
else else
Display --indent 6 --text "- Checking Squid authentication methods" --result "FOUND" --color GREEN Display --indent 6 --text "- Checking Squid authentication methods" --result "${STATUS_FOUND}" --color GREEN
for I in ${FIND}; do for I in ${FIND}; do
LogText "Result: found authentication method ${I}" LogText "Result: found authentication method ${I}"
Report "squid_auth_method=${I}" Report "squid_auth_method=${I}"
@ -183,9 +183,9 @@
FIND=`grep "^external_acl_type" ${SQUID_DAEMON_CONFIG}` FIND=`grep "^external_acl_type" ${SQUID_DAEMON_CONFIG}`
if [ "${FIND}" = "" ]; then if [ "${FIND}" = "" ]; then
LogText "No external_acl_type found" LogText "No external_acl_type found"
Display --indent 6 --text "- Checking Squid external authentication methods" --result "NONE" --color YELLOW Display --indent 6 --text "- Checking Squid external authentication methods" --result "${STATUS_NONE}" --color YELLOW
else else
Display --indent 6 --text "- Checking Squid external authentication methods" --result "FOUND" --color GREEN Display --indent 6 --text "- Checking Squid external authentication methods" --result "${STATUS_FOUND}" --color GREEN
for I in ${FIND}; do for I in ${FIND}; do
LogText "Result: found external authentication method helper" LogText "Result: found external authentication method helper"
LogText "Output: ${FIND}" LogText "Output: ${FIND}"
@ -206,7 +206,7 @@
FIND=`grep "^acl " ${SQUID_DAEMON_CONFIG} | sed 's/ /!space!/g'` FIND=`grep "^acl " ${SQUID_DAEMON_CONFIG} | sed 's/ /!space!/g'`
if [ "${FIND}" = "" ]; then if [ "${FIND}" = "" ]; then
LogText "Result: No ACLs found" LogText "Result: No ACLs found"
Display --indent 6 --text "- Checking Access Control Lists" --result "NONE" --color RED Display --indent 6 --text "- Checking Access Control Lists" --result "${STATUS_NONE}" --color RED
else else
for I in ${FIND}; do for I in ${FIND}; do
N=$((N + 1)) N=$((N + 1))
@ -231,7 +231,7 @@
FIND=`grep "^http_access" ${SQUID_DAEMON_CONFIG} | grep "Safe_ports"` FIND=`grep "^http_access" ${SQUID_DAEMON_CONFIG} | grep "Safe_ports"`
if [ "${FIND}" = "" ]; then if [ "${FIND}" = "" ]; then
LogText "Result: no Safe_ports found" LogText "Result: no Safe_ports found"
Display --indent 6 --text "- Checking ACL 'Safe_ports' http_access option" --result "NOT FOUND" --color YELLOW Display --indent 6 --text "- Checking ACL 'Safe_ports' http_access option" --result "${STATUS_NOT_FOUND}" --color YELLOW
ReportSuggestion ${TEST_NO} "Check if Squid has been configured to restrict access to all safe ports" ReportSuggestion ${TEST_NO} "Check if Squid has been configured to restrict access to all safe ports"
else else
LogText "Result: checking ACL safe ports" LogText "Result: checking ACL safe ports"
@ -245,7 +245,7 @@
for I in ${FIND}; do for I in ${FIND}; do
LogText "Found safe port: ${I}" LogText "Found safe port: ${I}"
done done
Display --indent 6 --text "- Checking ACL 'Safe_ports' ports" --result "FOUND" --color GREEN Display --indent 6 --text "- Checking ACL 'Safe_ports' ports" --result "${STATUS_FOUND}" --color GREEN
AddHP 1 1 AddHP 1 1
fi fi
#SQUID_DAEMON_UNSAFE_PORTS_LIST #SQUID_DAEMON_UNSAFE_PORTS_LIST
@ -253,10 +253,10 @@
LogText "Test: Checking port ${I} in Safe_ports list" LogText "Test: Checking port ${I} in Safe_ports list"
FIND2=`grep -w "^acl Safe_ports port ${I}" ${SQUID_DAEMON_CONFIG}` FIND2=`grep -w "^acl Safe_ports port ${I}" ${SQUID_DAEMON_CONFIG}`
if [ "${FIND2}" = "" ]; then if [ "${FIND2}" = "" ]; then
Display --indent 6 --text "- Checking ACL 'Safe_ports' (port ${I})" --result "NOT FOUND" --color GREEN Display --indent 6 --text "- Checking ACL 'Safe_ports' (port ${I})" --result "${STATUS_NOT_FOUND}" --color GREEN
AddHP 1 1 AddHP 1 1
else else
Display --indent 6 --text "- Checking ACL 'Safe_ports' (port ${I})" --result "FOUND" --color RED Display --indent 6 --text "- Checking ACL 'Safe_ports' (port ${I})" --result "${STATUS_FOUND}" --color RED
ReportWarning ${TEST_NO} "H" "Squid configuration possibly allows relaying traffic via configured Safe_port ${I}" ReportWarning ${TEST_NO} "H" "Squid configuration possibly allows relaying traffic via configured Safe_port ${I}"
AddHP 0 1 AddHP 0 1
fi fi
@ -282,13 +282,13 @@
FIND=`grep "^reply_body_max_size " ${SQUID_DAEMON_CONFIG} | sed 's/ /!space!/g'` FIND=`grep "^reply_body_max_size " ${SQUID_DAEMON_CONFIG} | sed 's/ /!space!/g'`
if [ "${FIND}" = "" ]; then if [ "${FIND}" = "" ]; then
LogText "Result: option reply_body_max_size not configured" LogText "Result: option reply_body_max_size not configured"
Display --indent 6 --text "- Checking option: reply_body_max_size" --result "NONE" --color RED Display --indent 6 --text "- Checking option: reply_body_max_size" --result "${STATUS_NONE}" --color RED
AddHP 1 2 AddHP 1 2
ReportSuggestion ${TEST_NO} "Configure Squid option reply_body_max_size to limit the upper size of requests." ReportSuggestion ${TEST_NO} "Configure Squid option reply_body_max_size to limit the upper size of requests."
else else
LogText "Result: option reply_body_max_size configured" LogText "Result: option reply_body_max_size configured"
LogText "Output: ${FIND}" LogText "Output: ${FIND}"
Display --indent 6 --text "- Checking option: reply_body_max_size" --result "FOUND" --color GREEN Display --indent 6 --text "- Checking option: reply_body_max_size" --result "${STATUS_FOUND}" --color GREEN
AddHP 2 2 AddHP 2 2
fi fi
fi fi
@ -309,13 +309,13 @@
FIND=`grep "^httpd_suppress_version_string " ${SQUID_DAEMON_CONFIG} | grep " on"` FIND=`grep "^httpd_suppress_version_string " ${SQUID_DAEMON_CONFIG} | grep " on"`
if [ "${FIND}" = "" ]; then if [ "${FIND}" = "" ]; then
LogText "Result: option httpd_suppress_version_string not configured" LogText "Result: option httpd_suppress_version_string not configured"
Display --indent 6 --text "- Checking option: httpd_supress_version_string" --result "NOT FOUND" --color YELLOW Display --indent 6 --text "- Checking option: httpd_supress_version_string" --result "${STATUS_NOT_FOUND}" --color YELLOW
AddHP 1 2 AddHP 1 2
ReportSuggestion ${TEST_NO} "Configure Squid option httpd_suppress_version_string (on) to suppress the version." ReportSuggestion ${TEST_NO} "Configure Squid option httpd_suppress_version_string (on) to suppress the version."
else else
LogText "Result: option httpd_suppress_version_string configured" LogText "Result: option httpd_suppress_version_string configured"
LogText "Output: ${FIND}" LogText "Output: ${FIND}"
Display --indent 6 --text "- Checking option: httpd_suppress_version_string" --result "FOUND" --color GREEN Display --indent 6 --text "- Checking option: httpd_suppress_version_string" --result "${STATUS_FOUND}" --color GREEN
AddHP 2 2 AddHP 2 2
fi fi
fi fi
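Review bot: The setuid/setgid guard in the Squid version test uses `-perm 4000 -o -perm 2000`, which matches only a file whose mode is exactly 4000 or 2000, so a binary with, say, mode 4755 passes the check and `${SQUIDBINARY} -v` is executed anyway. The "skipped for security reasons" branch is therefore effectively unreachable. The permission check further down in this file already uses the bit-test form (`-perm -004`), and the guard should do the same: `find ${SQUIDBINARY} \( -perm -4000 -o -perm -2000 \) -print`. The enclosing test starts outside the hunk.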


@ -42,13 +42,13 @@
IsRunning sshd IsRunning sshd
if [ ${RUNNING} -eq 1 ] || PortIsListening "TCP" 22; then if [ ${RUNNING} -eq 1 ] || PortIsListening "TCP" 22; then
SSH_DAEMON_RUNNING=1 SSH_DAEMON_RUNNING=1
Display --indent 2 --text "- Checking running SSH daemon" --result FOUND --color GREEN Display --indent 2 --text "- Checking running SSH daemon" --result "${STATUS_FOUND}" --color GREEN
# Store settings in a temporary file # Store settings in a temporary file
CreateTempFile CreateTempFile
SSH_DAEMON_OPTIONS_FILE="${TEMP_FILE}" SSH_DAEMON_OPTIONS_FILE="${TEMP_FILE}"
${SSHDBINARY} -T 2> /dev/null > ${SSH_DAEMON_OPTIONS_FILE} ${SSHDBINARY} -T 2> /dev/null > ${SSH_DAEMON_OPTIONS_FILE}
else else
Display --indent 2 --text "- Checking running SSH daemon" --result "NOT FOUND" --color WHITE Display --indent 2 --text "- Checking running SSH daemon" --result "${STATUS_NOT_FOUND}" --color WHITE
fi fi
fi fi
# #
@ -79,11 +79,11 @@
done done
if [ "${SSH_DAEMON_CONFIG}" = "" ]; then if [ "${SSH_DAEMON_CONFIG}" = "" ]; then
LogText "Result: No sshd configuration found" LogText "Result: No sshd configuration found"
Display --indent 4 --text "- Searching SSH configuration" --result "NOT FOUND" --color YELLOW Display --indent 4 --text "- Searching SSH configuration" --result "${STATUS_NOT_FOUND}" --color YELLOW
ReportException "${TEST_NO}:1" "SSH daemon is running, but no readable configuration file found" ReportException "${TEST_NO}:1" "SSH daemon is running, but no readable configuration file found"
else else
LogText "Result: using last found configuration file: ${SSH_DAEMON_CONFIG}" LogText "Result: using last found configuration file: ${SSH_DAEMON_CONFIG}"
Display --indent 4 --text "- Searching SSH configuration" --result FOUND --color GREEN Display --indent 4 --text "- Searching SSH configuration" --result "${STATUS_FOUND}" --color GREEN
fi fi
fi fi
# #
@ -202,19 +202,19 @@
if [ "${RESULT}" = "GOOD" ]; then if [ "${RESULT}" = "GOOD" ]; then
LogText "Result: SSH option ${OPTIONNAME} is configured very well" LogText "Result: SSH option ${OPTIONNAME} is configured very well"
Display --indent 4 --text "- SSH option: ${OPTIONNAME}" --result OK --color GREEN Display --indent 4 --text "- SSH option: ${OPTIONNAME}" --result "${STATUS_OK}" --color GREEN
AddHP 3 3 AddHP 3 3
elif [ "${RESULT}" = "MIDSCORED" ]; then elif [ "${RESULT}" = "MIDSCORED" ]; then
LogText "Result: SSH option ${OPTIONNAME} is configured reasonably" LogText "Result: SSH option ${OPTIONNAME} is configured reasonably"
ReportSuggestion ${TEST_NO} "Consider hardening SSH configuration" "${OPTIONNAME} (${FOUNDVALUE} --> ${EXPECTEDVALUE})" "-" ReportSuggestion ${TEST_NO} "Consider hardening SSH configuration" "${OPTIONNAME} (${FOUNDVALUE} --> ${EXPECTEDVALUE})" "-"
ReportDetails --test "${TEST_NO}" --service "sshd" --field "${OPTIONNAME}" --value "${FOUNDVALUE}" --preferredvalue "${EXPECTEDVALUE}" --description "sshd option ${OPTIONNAME}" ReportDetails --test "${TEST_NO}" --service "sshd" --field "${OPTIONNAME}" --value "${FOUNDVALUE}" --preferredvalue "${EXPECTEDVALUE}" --description "sshd option ${OPTIONNAME}"
Display --indent 4 --text "- SSH option: ${OPTIONNAME}" --result "MEDIUM" --color YELLOW Display --indent 4 --text "- SSH option: ${OPTIONNAME}" --result "${STATUS_SUGGESTION}" --color YELLOW
AddHP 1 3 AddHP 1 3
elif [ "${RESULT}" = "WEAK" ]; then elif [ "${RESULT}" = "WEAK" ]; then
LogText "Result: SSH option ${OPTIONNAME} is in a weak configuration state and should be fixed" LogText "Result: SSH option ${OPTIONNAME} is in a weak configuration state and should be fixed"
ReportSuggestion ${TEST_NO} "Consider hardening SSH configuration" "${OPTIONNAME} (${FOUNDVALUE} --> ${EXPECTEDVALUE})" "-" ReportSuggestion ${TEST_NO} "Consider hardening SSH configuration" "${OPTIONNAME} (${FOUNDVALUE} --> ${EXPECTEDVALUE})" "-"
ReportDetails --test "${TEST_NO}" --service "sshd" --field "${OPTIONNAME}" --value "${FOUNDVALUE}" --preferredvalue "${EXPECTEDVALUE}" --description "sshd option ${OPTIONNAME}" ReportDetails --test "${TEST_NO}" --service "sshd" --field "${OPTIONNAME}" --value "${FOUNDVALUE}" --preferredvalue "${EXPECTEDVALUE}" --description "sshd option ${OPTIONNAME}"
Display --indent 4 --text "- SSH option: ${OPTIONNAME}" --result SUGGESTION --color RED Display --indent 4 --text "- SSH option: ${OPTIONNAME}" --result "${STATUS_SUGGESTION}" --color YELLOW
AddHP 0 3 AddHP 0 3
elif [ "${RESULT}" = "UNKNOWN" ]; then elif [ "${RESULT}" = "UNKNOWN" ]; then
LogText "Result: Value of SSH option ${OPTIONNAME} is unknown (not defined)" LogText "Result: Value of SSH option ${OPTIONNAME} is unknown (not defined)"
@ -222,7 +222,7 @@
Report "unknown_config_option[]=ssh|$SSH_DAEMON_CONFIG}|${OPTIONNAME}|" Report "unknown_config_option[]=ssh|$SSH_DAEMON_CONFIG}|${OPTIONNAME}|"
else else
LogText "Result: Option ${OPTIONNAME} not found in output" LogText "Result: Option ${OPTIONNAME} not found in output"
Display --indent 4 --text "- SSH option: ${OPTIONNAME}" --result "NOT FOUND" --color WHITE Display --indent 4 --text "- SSH option: ${OPTIONNAME}" --result "${STATUS_NOT_FOUND}" --color WHITE
fi fi
else else
if IsVerbose; then Display --indent 4 --text "- SSH option: ${OPTIONNAME}" --result "SKIPPED (via config)" --color WHITE; fi if IsVerbose; then Display --indent 4 --text "- SSH option: ${OPTIONNAME}" --result "SKIPPED (via config)" --color WHITE; fi
@ -243,22 +243,22 @@
FIND=`egrep -i "^AllowUsers" ${SSH_DAEMON_OPTIONS_FILE} | awk '{ print $2 }'` FIND=`egrep -i "^AllowUsers" ${SSH_DAEMON_OPTIONS_FILE} | awk '{ print $2 }'`
if [ ! "${FIND}" = "" ]; then if [ ! "${FIND}" = "" ]; then
LogText "Result: AllowUsers set, with value ${FIND}" LogText "Result: AllowUsers set, with value ${FIND}"
Display --indent 4 --text "- SSH option: AllowUsers" --result FOUND --color GREEN Display --indent 4 --text "- SSH option: AllowUsers" --result "${STATUS_FOUND}" --color GREEN
FOUND=1 FOUND=1
else else
LogText "Result: AllowUsers is not set" LogText "Result: AllowUsers is not set"
Display --indent 4 --text "- SSH option: AllowUsers" --result "NOT FOUND" --color WHITE Display --indent 4 --text "- SSH option: AllowUsers" --result "${STATUS_NOT_FOUND}" --color WHITE
fi fi
# AllowGroups # AllowGroups
FIND=`egrep -i "^AllowGroups" ${SSH_DAEMON_OPTIONS_FILE} | awk '{ print $2 }'` FIND=`egrep -i "^AllowGroups" ${SSH_DAEMON_OPTIONS_FILE} | awk '{ print $2 }'`
if [ ! "${FIND}" = "" ]; then if [ ! "${FIND}" = "" ]; then
LogText "Result: AllowUsers set ${FIND}" LogText "Result: AllowUsers set ${FIND}"
Display --indent 4 --text "- SSH option: AllowGroups" --result FOUND --color GREEN Display --indent 4 --text "- SSH option: AllowGroups" --result "${STATUS_FOUND}" --color GREEN
FOUND=1 FOUND=1
else else
LogText "Result: AllowGroups is not set" LogText "Result: AllowGroups is not set"
Display --indent 4 --text "- SSH option: AllowGroups" --result "NOT FOUND" --color WHITE Display --indent 4 --text "- SSH option: AllowGroups" --result "${STATUS_NOT_FOUND}" --color WHITE
fi fi
if [ ${FOUND} -eq 1 ]; then if [ ${FOUND} -eq 1 ]; then


@ -61,7 +61,7 @@
AddHP 2 3 AddHP 2 3
else else
LogText "Result: usb-storage driver is disabled" LogText "Result: usb-storage driver is disabled"
Display --indent 2 --text "- Checking usb-storage driver (modprobe config)" --result "DISABLED" --color GREEN Display --indent 2 --text "- Checking usb-storage driver (modprobe config)" --result "${STATUS_DISABLED}" --color GREEN
AddHP 3 3 AddHP 3 3
fi fi
fi fi
@ -91,13 +91,13 @@
if [ ${FOUND} -eq 1 ]; then if [ ${FOUND} -eq 1 ]; then
LogText "Result: Some USB devices are authorized by default (or temporary) to connect to the system" LogText "Result: Some USB devices are authorized by default (or temporary) to connect to the system"
Display --indent 2 --text "- Checking USB devices authorization" --result "ENABLED" --color YELLOW Display --indent 2 --text "- Checking USB devices authorization" --result "${STATUS_ENABLED}" --color YELLOW
# To-Be-Added: create documentation and enable the suggestion # To-Be-Added: create documentation and enable the suggestion
#ReportSuggestion ${TEST_NO} "Disable USB devices authorization, to prevent unauthorized storage or data theft" #ReportSuggestion ${TEST_NO} "Disable USB devices authorization, to prevent unauthorized storage or data theft"
AddHP 0 3 AddHP 0 3
else else
LogText "Result: None USB devices are authorized by default (or temporary) to connect to the system" LogText "Result: None USB devices are authorized by default (or temporary) to connect to the system"
Display --indent 2 --text "- Checking USB devices authorization" --result "DISABLED" --color GREEN Display --indent 2 --text "- Checking USB devices authorization" --result "${STATUS_DISABLED}" --color GREEN
AddHP 3 3 AddHP 3 3
fi fi
fi fi
@ -141,7 +141,7 @@
AddHP 2 3 AddHP 2 3
else else
LogText "Result: firewire ohci driver is disabled" LogText "Result: firewire ohci driver is disabled"
Display --indent 2 --text "- Checking firewire ohci driver (modprobe config)" --result "DISABLED" --color GREEN Display --indent 2 --text "- Checking firewire ohci driver (modprobe config)" --result "${STATUS_DISABLED}" --color GREEN
AddHP 3 3 AddHP 3 3
fi fi
fi fi
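Review bot: The result labels in this file now come from `${STATUS_DISABLED}` and `${STATUS_ENABLED}`, and nothing in the visible hunks gives them a value, so if the language definitions are not loaded before these tests run the result column would print empty and a reader could no longer tell an enabled USB or firewire policy from a disabled one. Assuming these are plain shell variables set elsewhere, a fallback keeps the output unambiguous, e.g. `--result "${STATUS_DISABLED:-DISABLED}"` on each Display call. The same applies to the STATUS_* expansions in the NFS and NTP file sections further down the page. The enclosing test blocks start outside the hunks.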


@ -41,7 +41,7 @@
for I in ${FIND}; do for I in ${FIND}; do
LogText "rpcinfo: ${I}" LogText "rpcinfo: ${I}"
done done
Display --indent 2 --text "- Query rpc registered programs" --result "DONE" --color GREEN Display --indent 2 --text "- Query rpc registered programs" --result "${STATUS_DONE}" --color GREEN
fi fi
# #
################################################################################# #################################################################################
@ -56,7 +56,7 @@
for I in ${FIND}; do for I in ${FIND}; do
LogText "Found version: ${I}" LogText "Found version: ${I}"
done done
Display --indent 2 --text "- Query NFS versions" --result "DONE" --color GREEN Display --indent 2 --text "- Query NFS versions" --result "${STATUS_DONE}" --color GREEN
fi fi
# #
################################################################################# #################################################################################
@ -84,7 +84,7 @@
if [ "${FIND}" = "" ]; then if [ "${FIND}" = "" ]; then
LogText "Output: no NFS port number found" LogText "Output: no NFS port number found"
fi fi
Display --indent 2 --text "- Query NFS protocols" --result "DONE" --color GREEN Display --indent 2 --text "- Query NFS protocols" --result "${STATUS_DONE}" --color GREEN
fi fi
# #
################################################################################# #################################################################################
@ -97,10 +97,10 @@
FIND=`${PSBINARY} ax | grep "nfsd" | grep -v "grep"` FIND=`${PSBINARY} ax | grep "nfsd" | grep -v "grep"`
if [ "${FIND}" = "" ]; then if [ "${FIND}" = "" ]; then
LogText "Output: NFS daemon is not running" LogText "Output: NFS daemon is not running"
Display --indent 2 --text "- Check running NFS daemon" --result "NOT FOUND" --color WHITE Display --indent 2 --text "- Check running NFS daemon" --result "${STATUS_NOT_FOUND}" --color WHITE
else else
LogText "Output: NFS daemon is running" LogText "Output: NFS daemon is running"
Display --indent 2 --text "- Check running NFS daemon" --result "FOUND" --color GREEN Display --indent 2 --text "- Check running NFS daemon" --result "${STATUS_FOUND}" --color GREEN
NFS_DAEMON_RUNNING=1 NFS_DAEMON_RUNNING=1
fi fi
fi fi
@ -132,10 +132,10 @@
LogText "Result: /etc/exports does not contain exported file systems" LogText "Result: /etc/exports does not contain exported file systems"
NFS_EXPORTS_EMPTY=1 NFS_EXPORTS_EMPTY=1
fi fi
Display --indent 4 --text "- Checking /etc/exports" --result "FOUND" --color GREEN Display --indent 4 --text "- Checking /etc/exports" --result "${STATUS_FOUND}" --color GREEN
else else
LogText "Result: file /etc/exports does not exist" LogText "Result: file /etc/exports does not exist"
Display --indent 4 --text "- Checking /etc/exports" --result "NOT FOUND" --color WHITE Display --indent 4 --text "- Checking /etc/exports" --result "${STATUS_NOT_FOUND}" --color WHITE
fi fi
fi fi
# #
@ -147,7 +147,7 @@
Register --test-no STRG-1928 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking empty /etc/exports" Register --test-no STRG-1928 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking empty /etc/exports"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
if [ ${NFS_EXPORTS_EMPTY} -eq 1 ]; then if [ ${NFS_EXPORTS_EMPTY} -eq 1 ]; then
Display --indent 6 --text "- Checking empty /etc/exports" --result SUGGESTION --color YELLOW Display --indent 6 --text "- Checking empty /etc/exports" --result "${STATUS_SUGGESTION}" --color YELLOW
LogText "Result: /etc/exports seems to have no exported file systems" LogText "Result: /etc/exports seems to have no exported file systems"
ReportSuggestion ${TEST_NO} "/etc/exports has no exported file systems, while NFS daemon is running. Check if NFS needs to run on this system" ReportSuggestion ${TEST_NO} "/etc/exports has no exported file systems, while NFS daemon is running. Check if NFS needs to run on this system"
fi fi
@ -169,7 +169,7 @@
AddHP 2 3 AddHP 2 3
else else
LogText "Result: only some clients are allowed to access a NFS share" LogText "Result: only some clients are allowed to access a NFS share"
Display --indent 4 --text "- Checking NFS client access" --result OK --color GREEN Display --indent 4 --text "- Checking NFS client access" --result "${STATUS_OK}" --color GREEN
AddHP 3 3 AddHP 3 3
fi fi
fi fi


@ -58,7 +58,7 @@
IsRunning chronyd IsRunning chronyd
if [ ${RUNNING} -eq 1 ]; then if [ ${RUNNING} -eq 1 ]; then
FOUND=1; NTP_DAEMON_RUNNING=1; NTP_CONFIG_TYPE_DAEMON=1; NTP_DAEMON="chronyd" FOUND=1; NTP_DAEMON_RUNNING=1; NTP_CONFIG_TYPE_DAEMON=1; NTP_DAEMON="chronyd"
Display --indent 2 --text "- NTP daemon found: chronyd" --result FOUND --color GREEN Display --indent 2 --text "- NTP daemon found: chronyd" --result "${STATUS_FOUND}" --color GREEN
fi fi
fi fi
@ -66,7 +66,7 @@
IsRunning dntpd IsRunning dntpd
if [ ${RUNNING} -eq 1 ]; then if [ ${RUNNING} -eq 1 ]; then
FOUND=1; NTP_DAEMON_RUNNING=1; NTP_CONFIG_TYPE_DAEMON=1; NTP_DAEMON="dntpd" FOUND=1; NTP_DAEMON_RUNNING=1; NTP_CONFIG_TYPE_DAEMON=1; NTP_DAEMON="dntpd"
Display --indent 2 --text "- NTP daemon found: dntpd" --result FOUND --color GREEN Display --indent 2 --text "- NTP daemon found: dntpd" --result "${STATUS_FOUND}" --color GREEN
fi fi
# Check running processes # Check running processes
@ -75,14 +75,14 @@
FOUND=1; NTPD_RUNNING=1; NTP_DAEMON_RUNNING=1; NTP_CONFIG_TYPE_DAEMON=1 FOUND=1; NTPD_RUNNING=1; NTP_DAEMON_RUNNING=1; NTP_CONFIG_TYPE_DAEMON=1
NTP_DAEMON="ntpd" NTP_DAEMON="ntpd"
LogText "Result: found running NTP daemon in process list" LogText "Result: found running NTP daemon in process list"
Display --indent 2 --text "- NTP daemon found: ntpd" --result FOUND --color GREEN Display --indent 2 --text "- NTP daemon found: ntpd" --result "${STATUS_FOUND}" --color GREEN
fi fi
# Check time daemon (eg NetBSD) # Check time daemon (eg NetBSD)
IsRunning timed IsRunning timed
if [ ${RUNNING} -eq 1 ]; then if [ ${RUNNING} -eq 1 ]; then
FOUND=1; NTP_DAEMON_RUNNING=1; NTP_CONFIG_TYPE_DAEMON=1; NTP_DAEMON="timed" FOUND=1; NTP_DAEMON_RUNNING=1; NTP_CONFIG_TYPE_DAEMON=1; NTP_DAEMON="timed"
Display --indent 2 --text "- NTP daemon found: timed" --result FOUND --color GREEN Display --indent 2 --text "- NTP daemon found: timed" --result "${STATUS_FOUND}" --color GREEN
fi fi
# Check timedate daemon (systemd) # Check timedate daemon (systemd)
@ -92,7 +92,7 @@
# Check for systemd-timesyncd # Check for systemd-timesyncd
if [ -f /etc/systemd/timesyncd.conf ]; then if [ -f /etc/systemd/timesyncd.conf ]; then
FOUND=1; NTP_DAEMON_RUNNING=1; NTP_CONFIG_TYPE_DAEMON=1; NTP_DAEMON="systemd-timesyncd" FOUND=1; NTP_DAEMON_RUNNING=1; NTP_CONFIG_TYPE_DAEMON=1; NTP_DAEMON="systemd-timesyncd"
Display --indent 2 --text "- NTP daemon found: systemd (timesyncd)" --result "FOUND" --color GREEN Display --indent 2 --text "- NTP daemon found: systemd (timesyncd)" --result "${STATUS_FOUND}" --color GREEN
SYSTEMD_NTP_ENABLED=1 SYSTEMD_NTP_ENABLED=1
fi fi
else else
@ -109,10 +109,10 @@
FIND=`${EGREPBINARY} "ntpdate|rdate" ${I} | grep -v '^#'` FIND=`${EGREPBINARY} "ntpdate|rdate" ${I} | grep -v '^#'`
if [ ! "${FIND}" = "" ]; then if [ ! "${FIND}" = "" ]; then
FOUND=1; NTP_CONFIG_TYPE_SCHEDULED=1 FOUND=1; NTP_CONFIG_TYPE_SCHEDULED=1
Display --indent 2 --text "- Checking NTP client in crontab file (${I})" --result FOUND --color GREEN Display --indent 2 --text "- Checking NTP client in crontab file (${I})" --result "${STATUS_FOUND}" --color GREEN
LogText "Result: found ntpdate or rdate reference in crontab file ${I}" LogText "Result: found ntpdate or rdate reference in crontab file ${I}"
else else
#Display --indent 2 --text "- Checking NTP client in crontab file (${I})" --result "NOT FOUND" --color WHITE #Display --indent 2 --text "- Checking NTP client in crontab file (${I})" --result "${STATUS_NOT_FOUND}" --color WHITE
LogText "Result: no ntpdate or rdate reference found in crontab file ${I}" LogText "Result: no ntpdate or rdate reference found in crontab file ${I}"
fi fi
else else
@ -144,10 +144,10 @@
done done
if [ ${FOUND_IN_CRON} -eq 1 ]; then if [ ${FOUND_IN_CRON} -eq 1 ]; then
Display --indent 2 --text "- Checking NTP client in cron files" --result FOUND --color GREEN Display --indent 2 --text "- Checking NTP client in cron files" --result "${STATUS_FOUND}" --color GREEN
LogText "Result: found ntpdate or rdate in cron directory" LogText "Result: found ntpdate or rdate in cron directory"
else else
#Display --indent 2 --text "- Checking NTP client in cron.d files" --result "NOT FOUND" --color WHITE #Display --indent 2 --text "- Checking NTP client in cron.d files" --result "${STATUS_NOT_FOUND}" --color WHITE
LogText "Result: no ntpdate or rdate found in cron directories" LogText "Result: no ntpdate or rdate found in cron directories"
fi fi
@ -157,7 +157,7 @@
LogText "Result: found ntpdate action when network interface comes up" LogText "Result: found ntpdate action when network interface comes up"
FOUND=1 FOUND=1
NTP_CONFIG_TYPE_EVENTBASED=1 NTP_CONFIG_TYPE_EVENTBASED=1
Display --indent 2 --text "- Checking event based ntpdate (if-up)" --result FOUND --color GREEN Display --indent 2 --text "- Checking event based ntpdate (if-up)" --result "${STATUS_FOUND}" --color GREEN
else else
LogText "Result: file /etc/network/if-up.d/ntpdate does not exist" LogText "Result: file /etc/network/if-up.d/ntpdate does not exist"
fi fi
@ -183,13 +183,13 @@
if [ ${ISVIRTUALMACHINE} -eq 1 ]; then if [ ${ISVIRTUALMACHINE} -eq 1 ]; then
LogText "Result: Skipping display warning, as virtual machines usually don't need time synchronization in the VM itself" LogText "Result: Skipping display warning, as virtual machines usually don't need time synchronization in the VM itself"
else else
Display --indent 2 --text "- Checking for a running NTP daemon or client" --result WARNING --color RED Display --indent 2 --text "- Checking for a running NTP daemon or client" --result "${STATUS_WARNING}" --color RED
LogText "Result: Could not find a NTP daemon or client" LogText "Result: Could not find a NTP daemon or client"
ReportSuggestion ${TEST_NO} "Use NTP daemon or NTP client to prevent time issues." ReportSuggestion ${TEST_NO} "Use NTP daemon or NTP client to prevent time issues."
AddHP 0 2 AddHP 0 2
fi fi
else else
Display --indent 2 --text "- Checking for a running NTP daemon or client" --result OK --color GREEN Display --indent 2 --text "- Checking for a running NTP daemon or client" --result "${STATUS_OK}" --color GREEN
LogText "Result: Found a time syncing daemon/client." LogText "Result: Found a time syncing daemon/client."
AddHP 3 3 AddHP 3 3
fi fi
@ -220,10 +220,10 @@
LogText "Test: Checking for NTP association ID's from ntpq peers list" LogText "Test: Checking for NTP association ID's from ntpq peers list"
FIND=`${NTPQBINARY} -p -n | grep "No association ID's returned"` FIND=`${NTPQBINARY} -p -n | grep "No association ID's returned"`
if [ "${FIND}" = "" ]; then if [ "${FIND}" = "" ]; then
Display --indent 2 --text "- Checking valid association ID's" --result FOUND --color GREEN Display --indent 2 --text "- Checking valid association ID's" --result "${STATUS_FOUND}" --color GREEN
LogText "Result: Found one or more association ID's" LogText "Result: Found one or more association ID's"
else else
Display --indent 2 --text "- Checking valid association ID's" --result WARNING --color RED Display --indent 2 --text "- Checking valid association ID's" --result "${STATUS_WARNING}" --color RED
ReportSuggestion ${TEST_NO} "Check ntp.conf for properly configured NTP servers and a correctly functioning name service." ReportSuggestion ${TEST_NO} "Check ntp.conf for properly configured NTP servers and a correctly functioning name service."
fi fi
fi fi
@ -239,7 +239,7 @@
LogText "Test: Checking stratum 16 sources from ntpq peers list" LogText "Test: Checking stratum 16 sources from ntpq peers list"
FIND=`${NTPQBINARY} -p -n | awk '{ if ($3=="16") { print $1 } }'` FIND=`${NTPQBINARY} -p -n | awk '{ if ($3=="16") { print $1 } }'`
if [ "${FIND}" = "" ]; then if [ "${FIND}" = "" ]; then
Display --indent 2 --text "- Checking high stratum ntp peers" --result OK --color GREEN Display --indent 2 --text "- Checking high stratum ntp peers" --result "${STATUS_OK}" --color GREEN
LogText "Result: All peers are lower than stratum 16" LogText "Result: All peers are lower than stratum 16"
else else
for I in ${FIND}; do for I in ${FIND}; do
@ -253,10 +253,10 @@
done done
# Check if one or more high stratum time servers are found # Check if one or more high stratum time servers are found
if [ ${N} -eq 0 ]; then if [ ${N} -eq 0 ]; then
Display --indent 2 --text "- Checking high stratum ntp peers" --result OK --color GREEN Display --indent 2 --text "- Checking high stratum ntp peers" --result "${STATUS_OK}" --color GREEN
LogText "Result: all non local servers are lower than stratum 16, or whitelisted within the scan profile" LogText "Result: all non local servers are lower than stratum 16, or whitelisted within the scan profile"
else else
Display --indent 2 --text "- Checking high stratum ntp peers" --result WARNING --color RED Display --indent 2 --text "- Checking high stratum ntp peers" --result "${STATUS_WARNING}" --color RED
LogText "Result: Found one or more high stratum (16) peers)" LogText "Result: Found one or more high stratum (16) peers)"
ReportSuggestion ${TEST_NO} "Check ntpq peers output" ReportSuggestion ${TEST_NO} "Check ntpq peers output"
ReportWarning ${TEST_NO} "L" "Found one or more stratum 16 peers" ReportWarning ${TEST_NO} "L" "Found one or more stratum 16 peers"
@ -276,10 +276,10 @@
LogText "Test: Checking unreliable ntp peers" LogText "Test: Checking unreliable ntp peers"
FIND=`${NTPQBINARY} -p -n | egrep "^(-|#)" | awk '{ print $1 }' | sed 's/^-//g'` FIND=`${NTPQBINARY} -p -n | egrep "^(-|#)" | awk '{ print $1 }' | sed 's/^-//g'`
if [ "${FIND}" = "" ]; then if [ "${FIND}" = "" ]; then
Display --indent 2 --text "- Checking unreliable ntp peers" --result NONE --color GREEN Display --indent 2 --text "- Checking unreliable ntp peers" --result "${STATUS_NONE}" --color GREEN
LogText "Result: No unreliable peers found" LogText "Result: No unreliable peers found"
else else
Display --indent 2 --text "- Checking unreliable ntp peers" --result FOUND --color YELLOW Display --indent 2 --text "- Checking unreliable ntp peers" --result "${STATUS_FOUND}" --color YELLOW
LogText "Result: Found one or more unreliable peers (marked with a minus or dash sign)" LogText "Result: Found one or more unreliable peers (marked with a minus or dash sign)"
for I in ${FIND}; do for I in ${FIND}; do
LogText "Unreliable peer: ${I}" LogText "Unreliable peer: ${I}"
@ -300,11 +300,11 @@
FIND=`${NTPQBINARY} -p -n | grep '^*' | awk '{ if ($4=="l") { print $1 } }'` FIND=`${NTPQBINARY} -p -n | grep '^*' | awk '{ if ($4=="l") { print $1 } }'`
FIND2=`${NTPQBINARY} -p -n | grep '^*' | awk '{ print $1 }'` FIND2=`${NTPQBINARY} -p -n | grep '^*' | awk '{ print $1 }'`
if [ "${FIND}" = "" -a ! "${FIND2}" = "" ]; then if [ "${FIND}" = "" -a ! "${FIND2}" = "" ]; then
Display --indent 2 --text "- Checking selected time source" --result OK --color GREEN Display --indent 2 --text "- Checking selected time source" --result "${STATUS_OK}" --color GREEN
FIND2=`echo ${FIND2} | sed 's/*//g'` FIND2=`echo ${FIND2} | sed 's/*//g'`
LogText "Result: Found selected time source (value: ${FIND2})" LogText "Result: Found selected time source (value: ${FIND2})"
else else
Display --indent 2 --text "- Checking selected time source" --result WARNING --color RED Display --indent 2 --text "- Checking selected time source" --result "${STATUS_WARNING}" --color RED
LogText "Result: Found local source as selected time source. This could indicate that no external sources are available to sync with." LogText "Result: Found local source as selected time source. This could indicate that no external sources are available to sync with."
LogText "Local source: ${FIND}" LogText "Local source: ${FIND}"
ReportSuggestion ${TEST_NO} "Check ntpq peers output for selected time source" ReportSuggestion ${TEST_NO} "Check ntpq peers output for selected time source"
@ -321,11 +321,11 @@
LogText "Test: Checking preferred time source" LogText "Test: Checking preferred time source"
FIND=`${NTPQBINARY} -p -n | grep '^+' | awk '{ print $1 }'` FIND=`${NTPQBINARY} -p -n | grep '^+' | awk '{ print $1 }'`
if [ "${FIND}" = "" ]; then if [ "${FIND}" = "" ]; then
Display --indent 2 --text "- Checking time source candidates" --result NONE --color YELLOW Display --indent 2 --text "- Checking time source candidates" --result "${STATUS_NONE}" --color YELLOW
LogText "Result: No other time source candidates found" LogText "Result: No other time source candidates found"
ReportSuggestion ${TEST_NO} "Check ntpq peers output for time source candidates" ReportSuggestion ${TEST_NO} "Check ntpq peers output for time source candidates"
else else
Display --indent 2 --text "- Checking time source candidates" --result OK --color GREEN Display --indent 2 --text "- Checking time source candidates" --result "${STATUS_OK}" --color GREEN
LogText "Result: Found one or more candidates to synchronize time with." LogText "Result: Found one or more candidates to synchronize time with."
for I in ${FIND}; do for I in ${FIND}; do
I=`echo ${I} | sed 's/+//g'` I=`echo ${I} | sed 's/+//g'`
@ -344,10 +344,10 @@
LogText "Test: Checking preferred time source" LogText "Test: Checking preferred time source"
FIND=`${NTPQBINARY} -p -n | grep '^x'` FIND=`${NTPQBINARY} -p -n | grep '^x'`
if [ "${FIND}" = "" ]; then if [ "${FIND}" = "" ]; then
Display --indent 2 --text "- Checking falsetickers" --result OK --color GREEN Display --indent 2 --text "- Checking falsetickers" --result "${STATUS_OK}" --color GREEN
LogText "Result: No falsetickers found (items preceeding with an 'x')" LogText "Result: No falsetickers found (items preceeding with an 'x')"
else else
Display --indent 2 --text "- Checking falsetickers" --result NONE --color YELLOW Display --indent 2 --text "- Checking falsetickers" --result "${STATUS_NONE}" --color YELLOW
LogText "Result: Found one or more falsetickers (items preceeding with an 'x')" LogText "Result: Found one or more falsetickers (items preceeding with an 'x')"
for I in ${FIND}; do for I in ${FIND}; do
I=`echo ${I} | sed 's/x//g'` I=`echo ${I} | sed 's/x//g'`
@ -368,11 +368,11 @@
LogText "Test: Checking NTP protocol version (ntpq -c ntpversion)" LogText "Test: Checking NTP protocol version (ntpq -c ntpversion)"
FIND=`${NTPQBINARY} -c ntpversion | awk '{ if ($1=="NTP" && $2=="version" && $5=="is") { print $6 } }'` FIND=`${NTPQBINARY} -c ntpversion | awk '{ if ($1=="NTP" && $2=="version" && $5=="is") { print $6 } }'`
if [ "${FIND}" = "" ]; then if [ "${FIND}" = "" ]; then
Display --indent 2 --text "- Checking NTP version" --result UNKNOWN --color YELLOW Display --indent 2 --text "- Checking NTP version" --result "${STATUS_UNKNOWN}" --color YELLOW
LogText "Result: No NTP version found" LogText "Result: No NTP version found"
ReportSuggestion ${TEST_NO} "Check ntpq output for NTP protocol version" ReportSuggestion ${TEST_NO} "Check ntpq output for NTP protocol version"
else else
Display --indent 2 --text "- Checking NTP version" --result FOUND --color GREEN Display --indent 2 --text "- Checking NTP version" --result "${STATUS_FOUND}" --color GREEN
LogText "Result: Found NTP version ${FIND}" LogText "Result: Found NTP version ${FIND}"
Report "ntp_version=${FIND}" Report "ntp_version=${FIND}"
fi fi
@ -404,7 +404,7 @@
ReportSuggestion ${TEST_NO} "Use step-rickers file for quicker time synchronization" ReportSuggestion ${TEST_NO} "Use step-rickers file for quicker time synchronization"
else else
LogText "Result: /etc/ntp/step-tickers is not empty, which is fine" LogText "Result: /etc/ntp/step-tickers is not empty, which is fine"
Display --indent 2 --text "- Checking NTP step-tickers file" --result "OK" --color GREEN Display --indent 2 --text "- Checking NTP step-tickers file" --result "${STATUS_OK}" --color GREEN
sFIND=`${AWKBINARY} '/^server/ { print $2 }' /etc/ntp.conf | ${GREPBINARY} -v '127.127.1.0'` sFIND=`${AWKBINARY} '/^server/ { print $2 }' /etc/ntp.conf | ${GREPBINARY} -v '127.127.1.0'`
for I in ${sFIND}; do for I in ${sFIND}; do
FIND=`${GREPBINARY} ^${I} ${FILE} | wc -l` FIND=`${GREPBINARY} ^${I} ${FILE} | wc -l`
@ -420,7 +420,7 @@
ReportSuggestion ${TEST_NO} "Some time servers missing in step-tickers file" ReportSuggestion ${TEST_NO} "Some time servers missing in step-tickers file"
AddHP 3 4 AddHP 3 4
else else
Display --indent 4 --text "- Checking step-tickers ntp servers entries" --result OK --color GREEN Display --indent 4 --text "- Checking step-tickers ntp servers entries" --result "${STATUS_OK}" --color GREEN
LogText "Result: all time servers are in step-tickers file" LogText "Result: all time servers are in step-tickers file"
AddHP 4 4 AddHP 4 4
fi fi
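Review bot: In the falsetickers hunk the branch that runs when `ntpq -p -n` does list entries starting with `x` still reports `--result "${STATUS_NONE}"`, so the screen says NONE next to a log line that says one or more falsetickers were found. The commit carries the old label over unchanged; the found branch should read `Display --indent 2 --text "- Checking falsetickers" --result "${STATUS_FOUND}" --color YELLOW`, matching the unreliable-peers check earlier in this file. A falseticker is a time source the daemon has rejected as inconsistent, so an operator skimming the output should not be told there are none. The enclosing test starts and ends outside the hunk.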


@ -54,7 +54,7 @@
AUTOMATION_TOOL_FOUND=1 AUTOMATION_TOOL_FOUND=1
CFENGINE_AGENT_FOUND=1 CFENGINE_AGENT_FOUND=1
Report "automation_tool_running[]=cf-agent" Report "automation_tool_running[]=cf-agent"
Display --indent 4 --text "Found: Cfengine (cfagent)" --result FOUND --color GREEN Display --indent 4 --text "Found: Cfengine (cfagent)" --result "${STATUS_FOUND}" --color GREEN
fi fi
OTHER_CFENGINE_LOCATIONS="/var/cfengine/bin" OTHER_CFENGINE_LOCATIONS="/var/cfengine/bin"
for I in ${OTHER_CFENGINE_LOCATIONS}; do for I in ${OTHER_CFENGINE_LOCATIONS}; do
@ -64,7 +64,7 @@
AUTOMATION_TOOL_FOUND=1 AUTOMATION_TOOL_FOUND=1
CFENGINE_AGENT_FOUND=1 CFENGINE_AGENT_FOUND=1
Report "automation_tool_running[]=cf-agent" Report "automation_tool_running[]=cf-agent"
Display --indent 4 --text "Found: CFEngine (cf-agent)" --result FOUND --color GREEN Display --indent 4 --text "Found: CFEngine (cf-agent)" --result "${STATUS_FOUND}" --color GREEN
fi fi
IsRunning "cf-server" IsRunning "cf-server"
if [ ${RUNNING} -eq 1 ]; then if [ ${RUNNING} -eq 1 ]; then
@ -72,7 +72,7 @@
AUTOMATION_TOOL_FOUND=1 AUTOMATION_TOOL_FOUND=1
CFENGINE_SERVER_RUNNING=1 CFENGINE_SERVER_RUNNING=1
Report "automation_tool_running[]=cf-server" Report "automation_tool_running[]=cf-server"
Display --indent 4 --text "Found: CFEngine (cf-server)" --result FOUND --color GREEN Display --indent 4 --text "Found: CFEngine (cf-server)" --result "${STATUS_FOUND}" --color GREEN
fi fi
fi fi
done done
@ -85,7 +85,7 @@
CHEFCLIENTBINARY="${I}/chef-client" CHEFCLIENTBINARY="${I}/chef-client"
AUTOMATION_TOOL_FOUND=1 AUTOMATION_TOOL_FOUND=1
Report "automation_tool_running[]=chef-client" Report "automation_tool_running[]=chef-client"
Display --indent 4 --text "Found: Chef client (chef-client)" --result FOUND --color GREEN Display --indent 4 --text "Found: Chef client (chef-client)" --result "${STATUS_FOUND}" --color GREEN
LogText "Result: found chef-client (chef client daemon) in ${I}" LogText "Result: found chef-client (chef client daemon) in ${I}"
fi fi
if [ -f ${I}/erchef ]; then if [ -f ${I}/erchef ]; then
@ -93,7 +93,7 @@
LogText "Result: Chef Server (erchef) is installed (${CHEFSERVERBINARY})" LogText "Result: Chef Server (erchef) is installed (${CHEFSERVERBINARY})"
AUTOMATION_TOOL_FOUND=1 AUTOMATION_TOOL_FOUND=1
Report "automation_tool_running[]=chef-server" Report "automation_tool_running[]=chef-server"
Display --indent 4 --text "Found: Chef Server (erchef)" --result FOUND --color GREEN Display --indent 4 --text "Found: Chef Server (erchef)" --result "${STATUS_FOUND}" --color GREEN
LogText "Result: found erchef (chef server daemon) in ${I}" LogText "Result: found erchef (chef server daemon) in ${I}"
fi fi
fi fi
@ -104,14 +104,14 @@
LogText "Result: Puppet is installed (${PUPPETBINARY})" LogText "Result: Puppet is installed (${PUPPETBINARY})"
AUTOMATION_TOOL_FOUND=1 AUTOMATION_TOOL_FOUND=1
Report "automation_tool_running[]=puppet-agent" Report "automation_tool_running[]=puppet-agent"
Display --indent 4 --text "Found: Puppet (agent)" --result FOUND --color GREEN Display --indent 4 --text "Found: Puppet (agent)" --result "${STATUS_FOUND}" --color GREEN
fi fi
IsRunning "puppet master" IsRunning "puppet master"
if [ ${RUNNING} -eq 1 ]; then if [ ${RUNNING} -eq 1 ]; then
LogText "Result: found puppet master" LogText "Result: found puppet master"
PUPPET_MASTER_RUNNING=1 PUPPET_MASTER_RUNNING=1
Report "automation_tool_running[]=puppet-master" Report "automation_tool_running[]=puppet-master"
Display --indent 4 --text "Found: Puppet (master)" --result FOUND --color GREEN Display --indent 4 --text "Found: Puppet (master)" --result "${STATUS_FOUND}" --color GREEN
fi fi
# SaltStack # SaltStack
@ -120,14 +120,14 @@
AUTOMATION_TOOL_FOUND=1 AUTOMATION_TOOL_FOUND=1
SALT_MINION_RUNNING=1 SALT_MINION_RUNNING=1
Report "automation_tool_running[]=saltstack-minion" Report "automation_tool_running[]=saltstack-minion"
Display --indent 4 --text "Found: SaltStack minion (salt-minion)" --result FOUND --color GREEN Display --indent 4 --text "Found: SaltStack minion (salt-minion)" --result "${STATUS_FOUND}" --color GREEN
fi fi
if [ ! "${SALTMASTERBINARY}" = "" ]; then if [ ! "${SALTMASTERBINARY}" = "" ]; then
LogText "Result: SaltStack (salt-master) is installed (${SALTMASTERBINARY})" LogText "Result: SaltStack (salt-master) is installed (${SALTMASTERBINARY})"
AUTOMATION_TOOL_FOUND=1 AUTOMATION_TOOL_FOUND=1
SALT_MASTER_RUNNING=1 SALT_MASTER_RUNNING=1
Report "automation_tool_running[]=saltstack-minion" Report "automation_tool_running[]=saltstack-minion"
Display --indent 4 --text "Found: SaltStack master (salt-master)" --result FOUND --color GREEN Display --indent 4 --text "Found: SaltStack master (salt-master)" --result "${STATUS_FOUND}" --color GREEN
else else
IsRunning "salt-master" IsRunning "salt-master"
if [ ${RUNNING} -eq 1 ]; then if [ ${RUNNING} -eq 1 ]; then
@ -135,14 +135,14 @@
AUTOMATION_TOOL_FOUND=1 AUTOMATION_TOOL_FOUND=1
SALT_MASTER_RUNNING=1 SALT_MASTER_RUNNING=1
Report "automation_tool_running[]=saltstack-master" Report "automation_tool_running[]=saltstack-master"
Display --indent 4 --text "Found: SaltStack (master)" --result FOUND --color GREEN Display --indent 4 --text "Found: SaltStack (master)" --result "${STATUS_FOUND}" --color GREEN
fi fi
fi fi
if [ ${AUTOMATION_TOOL_FOUND} -eq 1 ]; then if [ ${AUTOMATION_TOOL_FOUND} -eq 1 ]; then
Display --indent 2 --text "- Automation tooling" --result FOUND --color GREEN Display --indent 2 --text "- Automation tooling" --result "${STATUS_FOUND}" --color GREEN
else else
Display --indent 2 --text "- Automation tooling" --result "NOT FOUND" --color YELLOW Display --indent 2 --text "- Automation tooling" --result "${STATUS_NOT_FOUND}" --color YELLOW
ReportSuggestion ${TEST_NO} "Determine if automation tools are present for system management" ReportSuggestion ${TEST_NO} "Determine if automation tools are present for system management"
fi fi
fi fi
@ -164,7 +164,7 @@
IDS_IPS_TOOL_FOUND=1 IDS_IPS_TOOL_FOUND=1
LogText "Result: Fail2ban is installed (${FAIL2BANBINARY})" LogText "Result: Fail2ban is installed (${FAIL2BANBINARY})"
Report "ids_ips_tooling[]=fail2ban" Report "ids_ips_tooling[]=fail2ban"
Display --indent 2 --text "- Checking presence of Fail2ban" --result FOUND --color GREEN Display --indent 2 --text "- Checking presence of Fail2ban" --result "${STATUS_FOUND}" --color GREEN
else else
LogText "Result: Fail2ban not present (fail2ban-server not found)" LogText "Result: Fail2ban not present (fail2ban-server not found)"
fi fi
@ -202,14 +202,14 @@
if [ ${FAIL2BAN_SILENT} -eq 0 ] && [ ${FAIL2BAN_EMAIL} -eq 0 ]; then if [ ${FAIL2BAN_SILENT} -eq 0 ] && [ ${FAIL2BAN_EMAIL} -eq 0 ]; then
LogText "No registered actions found in ${FAIL2BAN_CONFIG}" LogText "No registered actions found in ${FAIL2BAN_CONFIG}"
Display --indent 4 --text "- Checking Fail2ban actions" --result NONE --color RED Display --indent 4 --text "- Checking Fail2ban actions" --result "${STATUS_NONE}" --color RED
ReportWarning "${TEST_NO}" "M" "${FAIL2BAN_CONFIG}" "There are no actions configured for Fail2ban." ReportWarning "${TEST_NO}" "M" "${FAIL2BAN_CONFIG}" "There are no actions configured for Fail2ban."
AddHP 0 3 AddHP 0 3
fi fi
if [ ${FAIL2BAN_SILENT} -eq 0 ] && [ ${FAIL2BAN_EMAIL} -eq 1 ]; then if [ ${FAIL2BAN_SILENT} -eq 0 ] && [ ${FAIL2BAN_EMAIL} -eq 1 ]; then
LogText "All actions in ${FAIL2BAN_CONFIG} are configured to send email alerts" LogText "All actions in ${FAIL2BAN_CONFIG} are configured to send email alerts"
Display --indent 4 --text "- Checking Fail2ban actions" --result OK --color GREEN Display --indent 4 --text "- Checking Fail2ban actions" --result "${STATUS_OK}" --color GREEN
AddHP 3 3 AddHP 3 3
fi fi
@ -222,7 +222,7 @@
if [ ${FAIL2BAN_SILENT} -eq 1 ] && [ ${FAIL2BAN_EMAIL} -eq 0 ]; then if [ ${FAIL2BAN_SILENT} -eq 1 ] && [ ${FAIL2BAN_EMAIL} -eq 0 ]; then
LogText "None of the actions found in ${FAIL2BAN_CONFIG} are configured to send email alerts" LogText "None of the actions found in ${FAIL2BAN_CONFIG} are configured to send email alerts"
Display --indent 4 --text "- Checking Fail2ban actions" --result NONE --color YELLOW Display --indent 4 --text "- Checking Fail2ban actions" --result "${STATUS_NONE}" --color YELLOW
ReportSuggestion "${TEST_NO}" "None of the Fail2ban jails are configured to send email notifications. Consider changing these to emailed alerts." ReportSuggestion "${TEST_NO}" "None of the Fail2ban jails are configured to send email notifications. Consider changing these to emailed alerts."
AddHP 1 3 AddHP 1 3
fi fi
@ -233,11 +233,11 @@
FIND=`egrep "^enabled\s*=\s*true" ${FAIL2BAN_CONFIG}` FIND=`egrep "^enabled\s*=\s*true" ${FAIL2BAN_CONFIG}`
if [ ! "${FIND}" = "" ]; then if [ ! "${FIND}" = "" ]; then
LogText "Result: found at least one enabled jail" LogText "Result: found at least one enabled jail"
Display --indent 4 --text "- Checking Fail2ban jails" --result ENABLED --color GREEN Display --indent 4 --text "- Checking Fail2ban jails" --result "${STATUS_ENABLED}" --color GREEN
AddHP 3 3 AddHP 3 3
else else
LogText "Result: Fail2ban installed but completely disabled" LogText "Result: Fail2ban installed but completely disabled"
Display --indent 4 --text "- Checking Fail2ban jails" --result DISABLED --color RED Display --indent 4 --text "- Checking Fail2ban jails" --result "${STATUS_DISABLED}" --color RED
AddHP 0 3 AddHP 0 3
ReportWarning "${TEST_NO}" "M" "All jails in Fail2ban are disabled" "${FAIL2BAN_CONFIG}" ReportWarning "${TEST_NO}" "M" "All jails in Fail2ban are disabled" "${FAIL2BAN_CONFIG}"
fi fi
@ -250,15 +250,15 @@
CHECK_CHAINS=`${IPTABLESBINARY} -L 2>&1 | grep fail2ban` CHECK_CHAINS=`${IPTABLESBINARY} -L 2>&1 | grep fail2ban`
if [ ! "${CHECK_CHAINS}" = "" ]; then if [ ! "${CHECK_CHAINS}" = "" ]; then
LogText "Result: found at least one iptables chain for fail2ban" LogText "Result: found at least one iptables chain for fail2ban"
Display --indent 4 --text "- Checking for Fail2ban iptables chain" --result OK --color GREEN Display --indent 4 --text "- Checking for Fail2ban iptables chain" --result "${STATUS_OK}" --color GREEN
else else
LogText "Result: Fail2ban installed but iptables chain not present - fail2ban will not work" LogText "Result: Fail2ban installed but iptables chain not present - fail2ban will not work"
Display --indent 4 --text "- Checking for Fail2ban iptables chain" --result WARNING --color RED Display --indent 4 --text "- Checking for Fail2ban iptables chain" --result "${STATUS_WARNING}" --color RED
AddHP 0 3 AddHP 0 3
ReportSuggestion "${TEST_NO}" "M" "Check config to see why iptables does not have a fail2ban chain" "${FAIL2BAN_CONFIG}" ReportSuggestion "${TEST_NO}" "M" "Check config to see why iptables does not have a fail2ban chain" "${FAIL2BAN_CONFIG}"
fi fi
else else
Display --indent 4 --text "- Checking for Fail2ban iptables chain" --result WARNING --color RED Display --indent 4 --text "- Checking for Fail2ban iptables chain" --result "${STATUS_WARNING}" --color RED
ReportSuggestion "${TEST_NO}" "H" "iptables doesn't seem to be installed; Fail2ban will not work. Remove Fail2ban or install iptables" "${FAIL2BAN_CONFIG}" ReportSuggestion "${TEST_NO}" "H" "iptables doesn't seem to be installed; Fail2ban will not work. Remove Fail2ban or install iptables" "${FAIL2BAN_CONFIG}"
fi fi
fi fi
@ -272,10 +272,10 @@
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
if [ ${IDS_IPS_TOOL_FOUND} -eq 1 ]; then if [ ${IDS_IPS_TOOL_FOUND} -eq 1 ]; then
Display --indent 2 --text "- Checking for intrusion detection/prevention system" --result FOUND --color GREEN Display --indent 2 --text "- Checking for intrusion detection/prevention system" --result "${STATUS_FOUND}" --color GREEN
AddHP 2 2 AddHP 2 2
else else
Display --indent 2 --text "- Checking for intrusion detection/prevention system" --result NONE --color YELLOW Display --indent 2 --text "- Checking for intrusion detection/prevention system" --result "${STATUS_NONE}" --color YELLOW
#ReportSuggestion ${TEST_NO} "Ensure that automatic intrusion detection/prevention tools are installed" #ReportSuggestion ${TEST_NO} "Ensure that automatic intrusion detection/prevention tools are installed"
AddHP 0 2 AddHP 0 2
fi fi


@ -40,9 +40,9 @@
# if [ ! "${VMWARETOOLSBINARY}" = "" ]; then # if [ ! "${VMWARETOOLSBINARY}" = "" ]; then
# LogText "Result: VMware tools binary found" # LogText "Result: VMware tools binary found"
# VMWARE_GUEST=1 # VMWARE_GUEST=1
# Display --indent 4 --text "- Checking VMware tools daemon" --result FOUND --color GREEN # Display --indent 4 --text "- Checking VMware tools daemon" --result "${STATUS_FOUND}" --color GREEN
# else # else
# Display --indent 4 --text "- Checking VMware tools daemon" --result "NOT FOUND" --color WHITE # Display --indent 4 --text "- Checking VMware tools daemon" --result "${STATUS_NOT_FOUND}" --color WHITE
# fi # fi
# #
# fi # fi


@ -56,7 +56,7 @@
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
if [ "${OS}" = "OpenBSD" -a "${HTTPDBINARY}" = "/usr/sbin/httpd" ]; then HTTPDBINARY=""; fi if [ "${OS}" = "OpenBSD" -a "${HTTPDBINARY}" = "/usr/sbin/httpd" ]; then HTTPDBINARY=""; fi
if [ "${HTTPDBINARY}" = "" ]; then if [ "${HTTPDBINARY}" = "" ]; then
Display --indent 2 --text "- Checking Apache" --result "NOT FOUND" --color WHITE Display --indent 2 --text "- Checking Apache" --result "${STATUS_NOT_FOUND}" --color WHITE
else else
LogText "Test: Scanning for Apache binary" LogText "Test: Scanning for Apache binary"
IS_APACHE=`${HTTPDBINARY} -v 2> /dev/null | egrep '[aA]pache'` IS_APACHE=`${HTTPDBINARY} -v 2> /dev/null | egrep '[aA]pache'`
@ -64,7 +64,7 @@
LogText "Result: ${HTTPDBINARY} is not Apache" LogText "Result: ${HTTPDBINARY} is not Apache"
Display --indent 2 --text "- Checking Apache (binary ${HTTPDBINARY})" --result "NO MATCH" --color WHITE Display --indent 2 --text "- Checking Apache (binary ${HTTPDBINARY})" --result "NO MATCH" --color WHITE
else else
Display --indent 2 --text "- Checking Apache (binary ${HTTPDBINARY})" --result "FOUND" --color GREEN Display --indent 2 --text "- Checking Apache (binary ${HTTPDBINARY})" --result "${STATUS_FOUND}" --color GREEN
LogText "Result: ${HTTPDBINARY} seems to be Apache HTTP daemon" LogText "Result: ${HTTPDBINARY} seems to be Apache HTTP daemon"
APACHE_INSTALLED=1 APACHE_INSTALLED=1
APACHE_VERSION=`${HTTPDBINARY} -v 2> /dev/null | grep "^Server version:" | awk '{ print $3 }' | awk -F/ '{ print $2 }'` APACHE_VERSION=`${HTTPDBINARY} -v 2> /dev/null | grep "^Server version:" | awk '{ print $3 }' | awk -F/ '{ print $2 }'`
@ -205,7 +205,7 @@
# # Check if option ServerTokens is configured # # Check if option ServerTokens is configured
# SERVERTOKENSTEST=`grep ServerTokens ${APACHE_CONFIGFILE} | grep -v '^#'` # SERVERTOKENSTEST=`grep ServerTokens ${APACHE_CONFIGFILE} | grep -v '^#'`
# if [ ! "${SERVERTOKENSTEST}" = "" ]; then # if [ ! "${SERVERTOKENSTEST}" = "" ]; then
# Display --indent 4 --text "- Checking option ServerTokens" --result FOUND --color WHITE # Display --indent 4 --text "- Checking option ServerTokens" --result "${STATUS_FOUND}" --color WHITE
# SERVERTOKENSTEST=`echo ${SERVERTOKENSTEST} | sed 's/ServerTokens//' | tr -d ' '` # SERVERTOKENSTEST=`echo ${SERVERTOKENSTEST} | sed 's/ServerTokens//' | tr -d ' '`
# LogText "Option ServerTokens found: ${SERVERTOKENSTEST}" # LogText "Option ServerTokens found: ${SERVERTOKENSTEST}"
# SERVERTOKENSEXPECTED=`grep 'apache' ${PROFILE} | grep 'ServerTokens' | cut -d ':' -f3` # SERVERTOKENSEXPECTED=`grep 'apache' ${PROFILE} | grep 'ServerTokens' | cut -d ':' -f3`
@ -218,7 +218,7 @@
# LogText "Expected: ${SERVERTOKENSEXPECTED}" # LogText "Expected: ${SERVERTOKENSEXPECTED}"
# fi # fi
# else # else
# Display --indent 4 --text "- Checking option ServerTokens" --result "NOT FOUND" --color WHITE # Display --indent 4 --text "- Checking option ServerTokens" --result "${STATUS_NOT_FOUND}" --color WHITE
# fi # fi
# #
# else # else
@ -229,9 +229,9 @@
# #
# # Display results from checks # # Display results from checks
# if [ ${SERVERTOKENSFOUND} -eq 1 ]; then # if [ ${SERVERTOKENSFOUND} -eq 1 ]; then
# Display --indent 6 --text "- Value of ServerTokens" --result OK --color GREEN # Display --indent 6 --text "- Value of ServerTokens" --result "${STATUS_OK}" --color GREEN
# else # else
# Display --indent 6 --text "- Value of ServerTokens" --result WARNING --color RED # Display --indent 6 --text "- Value of ServerTokens" --result "${STATUS_WARNING}" --color RED
# ReportWarning ${TEST_NO} "M" "Value of 'ServerTokens' in Apache config is different than template" # ReportWarning ${TEST_NO} "M" "Value of 'ServerTokens' in Apache config is different than template"
# fi # fi
# fi # fi
@ -280,10 +280,10 @@
fi fi
done done
if [ ${N} -eq 0 ]; then if [ ${N} -eq 0 ]; then
Display --indent 4 --text "* Loadable modules" --result "NONE" --color WHITE Display --indent 4 --text "* Loadable modules" --result "${STATUS_NONE}" --color WHITE
ReportException "${TEST_NO}:1" "No loadable Apache modules found" ReportException "${TEST_NO}:1" "No loadable Apache modules found"
else else
Display --indent 4 --text "* Loadable modules" --result "FOUND" --color GREEN Display --indent 4 --text "* Loadable modules" --result "${STATUS_FOUND}" --color GREEN
Display --indent 8 --text "- Found ${N} loadable modules" Display --indent 8 --text "- Found ${N} loadable modules"
fi fi
fi fi
@ -298,10 +298,10 @@
# Check modules, module # Check modules, module
CheckItem "apache_module" "/mod_evasive([0-9][0-9])?.so" CheckItem "apache_module" "/mod_evasive([0-9][0-9])?.so"
if [ ${ITEM_FOUND} -eq 1 ]; then if [ ${ITEM_FOUND} -eq 1 ]; then
Display --indent 10 --text "mod_evasive: anti-DoS/brute force" --result FOUND --color GREEN Display --indent 10 --text "mod_evasive: anti-DoS/brute force" --result "${STATUS_FOUND}" --color GREEN
AddHP 3 3 AddHP 3 3
else else
Display --indent 10 --text "mod_evasive: anti-DoS/brute force" --result "NOT FOUND" --color WHITE Display --indent 10 --text "mod_evasive: anti-DoS/brute force" --result "${STATUS_NOT_FOUND}" --color WHITE
AddHP 2 3 AddHP 2 3
ReportSuggestion ${TEST_NO} "Install Apache mod_evasive to guard webserver against DoS/brute force attempts" ReportSuggestion ${TEST_NO} "Install Apache mod_evasive to guard webserver against DoS/brute force attempts"
fi fi
@ -317,10 +317,10 @@
# Check modules, module # Check modules, module
CheckItem "apache_module" "/mod_qos.so" CheckItem "apache_module" "/mod_qos.so"
if [ ${ITEM_FOUND} -eq 1 ]; then if [ ${ITEM_FOUND} -eq 1 ]; then
Display --indent 10 --text "mod_qos: anti-Slowloris" --result FOUND --color GREEN Display --indent 10 --text "mod_qos: anti-Slowloris" --result "${STATUS_FOUND}" --color GREEN
AddHP 3 3 AddHP 3 3
else else
Display --indent 10 --text "mod_qos: anti-Slowloris" --result "NOT FOUND" --color WHITE Display --indent 10 --text "mod_qos: anti-Slowloris" --result "${STATUS_NOT_FOUND}" --color WHITE
AddHP 2 3 AddHP 2 3
ReportSuggestion ${TEST_NO} "Install Apache mod_qos to guard webserver against Slowloris attacks" ReportSuggestion ${TEST_NO} "Install Apache mod_qos to guard webserver against Slowloris attacks"
fi fi
@ -337,10 +337,10 @@
# # Check modules, module # # Check modules, module
# CheckItem "apache_module" "/mod_spamhaus.so" # CheckItem "apache_module" "/mod_spamhaus.so"
# if [ ${ITEM_FOUND} -eq 1 ]; then # if [ ${ITEM_FOUND} -eq 1 ]; then
# Display --indent 10 --text "mod_spamhaus: anti-spam (spamhaus)" --result FOUND --color GREEN # Display --indent 10 --text "mod_spamhaus: anti-spam (spamhaus)" --result "${STATUS_FOUND}" --color GREEN
# AddHP 3 3 # AddHP 3 3
# else # else
# Display --indent 10 --text "mod_spamhaus: anti-spam (spamhaus)" --result "NOT FOUND" --color WHITE # Display --indent 10 --text "mod_spamhaus: anti-spam (spamhaus)" --result "${STATUS_NOT_FOUND}" --color WHITE
# AddHP 2 3 # AddHP 2 3
# ReportSuggestion ${TEST_NO} "Install Apache mod_spamhaus to guard webserver against spammers" # ReportSuggestion ${TEST_NO} "Install Apache mod_spamhaus to guard webserver against spammers"
# fi # fi
@ -356,10 +356,10 @@
# Check modules, module # Check modules, module
CheckItem "apache_module" "/mod_security2.so" CheckItem "apache_module" "/mod_security2.so"
if [ ${ITEM_FOUND} -eq 1 ]; then if [ ${ITEM_FOUND} -eq 1 ]; then
Display --indent 10 --text "ModSecurity: web application firewall" --result FOUND --color GREEN Display --indent 10 --text "ModSecurity: web application firewall" --result "${STATUS_FOUND}" --color GREEN
AddHP 3 3 AddHP 3 3
else else
Display --indent 10 --text "ModSecurity: web application firewall" --result "NOT FOUND" --color WHITE Display --indent 10 --text "ModSecurity: web application firewall" --result "${STATUS_NOT_FOUND}" --color WHITE
AddHP 2 3 AddHP 2 3
ReportSuggestion ${TEST_NO} "Install Apache modsecurity to guard webserver against web application attacks" ReportSuggestion ${TEST_NO} "Install Apache modsecurity to guard webserver against web application attacks"
fi fi
@ -381,11 +381,11 @@
FIND=`${PSBINARY} ax | grep "/nginx" | grep "master" | grep -v "grep"` FIND=`${PSBINARY} ax | grep "/nginx" | grep "master" | grep -v "grep"`
if [ ! "${FIND}" = "" ]; then if [ ! "${FIND}" = "" ]; then
LogText "Result: found running nginx process(es)" LogText "Result: found running nginx process(es)"
Display --indent 2 --text "- Checking nginx" --result FOUND --color GREEN Display --indent 2 --text "- Checking nginx" --result "${STATUS_FOUND}" --color GREEN
NGINX_RUNNING=1 NGINX_RUNNING=1
else else
LogText "Result: no running nginx process found" LogText "Result: no running nginx process found"
Display --indent 2 --text "- Checking nginx" --result "NOT FOUND" --color WHITE Display --indent 2 --text "- Checking nginx" --result "${STATUS_NOT_FOUND}" --color WHITE
fi fi
fi fi
# #
@ -406,10 +406,10 @@
if [ ! "${NGINX_CONF_LOCATION}" = "" ]; then if [ ! "${NGINX_CONF_LOCATION}" = "" ]; then
LogText "Result: found nginx configuration file" LogText "Result: found nginx configuration file"
Report "nginx_main_conf_file=${NGINX_CONF_LOCATION}" Report "nginx_main_conf_file=${NGINX_CONF_LOCATION}"
Display --indent 4 --text "- Searching nginx configuration file" --result FOUND --color GREEN Display --indent 4 --text "- Searching nginx configuration file" --result "${STATUS_FOUND}" --color GREEN
else else
LogText "Result: no nginx configuration file found" LogText "Result: no nginx configuration file found"
Display --indent 2 --text "- Searching nginx configuration file" --result "NOT FOUND" --color WHITE Display --indent 2 --text "- Searching nginx configuration file" --result "${STATUS_NOT_FOUND}" --color WHITE
fi fi
fi fi
# #
@ -486,39 +486,39 @@
NGINX_SSL_SUGGESTION=0 NGINX_SSL_SUGGESTION=0
if [ ${NGINX_SSL_ON} -eq 1 ]; then if [ ${NGINX_SSL_ON} -eq 1 ]; then
LogText "Result: SSL is configured in nginx on one or more virtual hosts" LogText "Result: SSL is configured in nginx on one or more virtual hosts"
Display --indent 6 --text "- SSL configured" --result "YES" --color GREEN Display --indent 6 --text "- SSL configured" --result "${STATUS_YES}" --color GREEN
AddHP 5 5 AddHP 5 5
# Cipher tests # Cipher tests
if [ ${NGINX_SSL_CIPHERS} -eq 1 ]; then if [ ${NGINX_SSL_CIPHERS} -eq 1 ]; then
Display --indent 8 --text "- Ciphers configured" --result "YES" --color GREEN Display --indent 8 --text "- Ciphers configured" --result "${STATUS_YES}" --color GREEN
else else
Display --indent 8 --text "- Ciphers configured" --result "NO" --color RED Display --indent 8 --text "- Ciphers configured" --result "${STATUS_NO}" --color RED
NGINX_SSL_SUGGESTION=1 NGINX_SSL_SUGGESTION=1
fi fi
if [ ${NGINX_SSL_PREFER_SERVER_CIPHERS} -eq 1 ]; then if [ ${NGINX_SSL_PREFER_SERVER_CIPHERS} -eq 1 ]; then
Display --indent 8 --text "- Prefer server ciphers" --result "YES" --color GREEN Display --indent 8 --text "- Prefer server ciphers" --result "${STATUS_YES}" --color GREEN
else else
Display --indent 8 --text "- Prefer server ciphers" --result "NO" --color RED Display --indent 8 --text "- Prefer server ciphers" --result "${STATUS_NO}" --color RED
NGINX_SSL_SUGGESTION=1 NGINX_SSL_SUGGESTION=1
fi fi
if [ ${NGINX_SSL_PROTOCOLS} -eq 1 ]; then if [ ${NGINX_SSL_PROTOCOLS} -eq 1 ]; then
Display --indent 8 --text "- Protocols configured" --result "YES" --color GREEN Display --indent 8 --text "- Protocols configured" --result "${STATUS_YES}" --color GREEN
if [ ${NGINX_WEAK_SSL_PROTOCOL_FOUND} -eq 0 ]; then if [ ${NGINX_WEAK_SSL_PROTOCOL_FOUND} -eq 0 ]; then
Display --indent 10 --text "- Insecure protocols found" --result "NO" --color GREEN Display --indent 10 --text "- Insecure protocols found" --result "${STATUS_NO}" --color GREEN
else else
Display --indent 10 --text "- Insecure protocols found" --result "YES" --color RED Display --indent 10 --text "- Insecure protocols found" --result "${STATUS_YES}" --color RED
ReportSuggestion "${TEST_NO}" "Disable weak protocol in nginx configuration" ReportSuggestion "${TEST_NO}" "Disable weak protocol in nginx configuration"
fi fi
else else
Display --indent 8 --text "- Protocols configured" --result "NO" --color RED Display --indent 8 --text "- Protocols configured" --result "${STATUS_NO}" --color RED
NGINX_SSL_SUGGESTION=1 NGINX_SSL_SUGGESTION=1
fi fi
else else
LogText "Result: No SSL configuration found" LogText "Result: No SSL configuration found"
Display --indent 6 --text "- SSL configured" --result "NO" --color RED Display --indent 6 --text "- SSL configured" --result "${STATUS_NO}" --color RED
NGINX_SSL_SUGGESTION=1 NGINX_SSL_SUGGESTION=1
AddHP 1 5 AddHP 1 5
fi fi
@ -542,19 +542,19 @@
# Check for missing access log # Check for missing access log
if [ ${NGINX_ACCESS_LOG_MISSING} -eq 1 ]; then if [ ${NGINX_ACCESS_LOG_MISSING} -eq 1 ]; then
NGINX_LOG_SUGGESTION=1 NGINX_LOG_SUGGESTION=1
Display --indent 8 --text "- Missing log files (access_log)" --result "YES" --color RED Display --indent 8 --text "- Missing log files (access_log)" --result "${STATUS_YES}" --color RED
else else
Display --indent 8 --text "- Missing log files (access_log)" --result "NO" --color GREEN Display --indent 8 --text "- Missing log files (access_log)" --result "${STATUS_NO}" --color GREEN
fi fi
# Access log disabled # Access log disabled
if [ ${NGINX_ACCESS_LOG_DISABLED} -eq 1 ]; then if [ ${NGINX_ACCESS_LOG_DISABLED} -eq 1 ]; then
NGINX_LOG_SUGGESTION=1 NGINX_LOG_SUGGESTION=1
LogText "Result: found one or more virtual hosts which have their access log disabled" LogText "Result: found one or more virtual hosts which have their access log disabled"
Display --indent 8 --text "- Disabled access logging" --result "YES" --color RED Display --indent 8 --text "- Disabled access logging" --result "${STATUS_YES}" --color RED
AddHP 2 3 AddHP 2 3
else else
LogText "Result: no virtual hosts found which have their access log disabled" LogText "Result: no virtual hosts found which have their access log disabled"
Display --indent 8 --text "- Disabled access logging" --result "NO" --color GREEN Display --indent 8 --text "- Disabled access logging" --result "${STATUS_NO}" --color GREEN
AddHP 3 3 AddHP 3 3
fi fi
# Report suggestion # Report suggestion
@ -574,9 +574,9 @@
# Check for missing access log # Check for missing access log
if [ ${NGINX_ERROR_LOG_MISSING} -eq 1 ]; then if [ ${NGINX_ERROR_LOG_MISSING} -eq 1 ]; then
NGINX_LOG_SUGGESTION=1 NGINX_LOG_SUGGESTION=1
Display --indent 8 --text "- Missing log files (error_log)" --result "YES" --color RED Display --indent 8 --text "- Missing log files (error_log)" --result "${STATUS_YES}" --color RED
else else
Display --indent 8 --text "- Missing log files (error_log)" --result "NO" --color GREEN Display --indent 8 --text "- Missing log files (error_log)" --result "${STATUS_NO}" --color GREEN
fi fi
# Report suggestion # Report suggestion
if [ ${NGINX_LOG_SUGGESTION} -eq 1 ]; then if [ ${NGINX_LOG_SUGGESTION} -eq 1 ]; then
@ -596,11 +596,11 @@
if [ ${NGINX_ERROR_LOG_DEBUG} -eq 1 ]; then if [ ${NGINX_ERROR_LOG_DEBUG} -eq 1 ]; then
NGINX_LOG_SUGGESTION=1 NGINX_LOG_SUGGESTION=1
LogText "Result: found one or more virtual hosts which have their error log in debug mode" LogText "Result: found one or more virtual hosts which have their error log in debug mode"
Display --indent 8 --text "- Debugging mode on error_log" --result "YES" --color RED Display --indent 8 --text "- Debugging mode on error_log" --result "${STATUS_YES}" --color RED
AddHP 2 3 AddHP 2 3
else else
LogText "Result: no virtual hosts found which have their access log disabled" LogText "Result: no virtual hosts found which have their access log disabled"
Display --indent 8 --text "- Debugging mode on error_log" --result "NO" --color GREEN Display --indent 8 --text "- Debugging mode on error_log" --result "${STATUS_NO}" --color GREEN
AddHP 3 3 AddHP 3 3
fi fi
# Report suggestion # Report suggestion
@ -626,7 +626,7 @@
# done # done
# if [ ${N} -eq 0 ]; then # if [ ${N} -eq 0 ]; then
# LogText "Result: no reverse proxying functionality found" # LogText "Result: no reverse proxying functionality found"
# Display --indent 4 --text "- Searching reverse proxy functionality" --result "NOT FOUND" --color WHITE # Display --indent 4 --text "- Searching reverse proxy functionality" --result "${STATUS_NOT_FOUND}" --color WHITE
# else # else
# LogText "Result: found ${N} addresses for which nginx will be a reverse proxy" # LogText "Result: found ${N} addresses for which nginx will be a reverse proxy"
# Display --indent 4 --text "- Searching reverse proxy functionality" --result "${N} FOUND" --color GREEN # Display --indent 4 --text "- Searching reverse proxy functionality" --result "${N} FOUND" --color GREEN
@ -652,7 +652,7 @@
# done # done
# if [ ${N} -eq 0 ]; then # if [ ${N} -eq 0 ]; then
# LogText "Result: no virtual hosts found" # LogText "Result: no virtual hosts found"
# Display --indent 4 --text "- Searching virtual hosts" --result "NOT FOUND" --color WHITE # Display --indent 4 --text "- Searching virtual hosts" --result "${STATUS_NOT_FOUND}" --color WHITE
# else # else
# LogText "Result: found ${N} virtual hosts" # LogText "Result: found ${N} virtual hosts"
# Display --indent 4 --text "- Searching virtual hosts" --result "${N} FOUND" --color GREEN # Display --indent 4 --text "- Searching virtual hosts" --result "${N} FOUND" --color GREEN
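Review bot: In the error_log debug-mode hunk (@ -596,11), the else branch logs `Result: no virtual hosts found which have their access log disabled`, which is the message from the access-log check and does not describe what was tested here. The log file is what an auditor reads after the run, so the negative result should name the actual check, e.g. `LogText "Result: no virtual hosts found which have their error log in debug mode"`. The comment `# Check for missing access log` above the NGINX_ERROR_LOG_MISSING test in the @ -574,9 hunk looks like the same copy-paste and should read `# Check for missing error log`. The surrounding test blocks start and end outside these hunks, so this is based only on the visible lines.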