Replaced text strings to allow translations

Michael Boelen 2016-06-18 11:14:01 +02:00
parent 9c093f7a97
commit 983e293eb1
40 changed files with 736 additions and 736 deletions


@ -35,11 +35,11 @@
Register --test-no ACCT-2754 --os FreeBSD --weight L --network NO --description "Check for available FreeBSD accounting information"
if [ ${SKIPTEST} -eq 0 ]; then
if [ -f /var/account/acct ]; then
Display --indent 2 --text "- Checking accounting information" --result OK --color GREEN
Display --indent 2 --text "- Checking accounting information" --result "${STATUS_OK}" --color GREEN
LogText "Result: /var/account/acct available"
AddHP 3 3
else
Display --indent 2 --text "- Checking accounting information" --result "NOT FOUND" --color YELLOW
Display --indent 2 --text "- Checking accounting information" --result "${STATUS_NOT_FOUND}" --color YELLOW
LogText "Result: No accounting information available"
LogText "Remark: Possibly there is another location where the accounting data is stored"
ReportSuggestion ${TEST_NO} "Enable process accounting"
@ -54,11 +54,11 @@
Register --test-no ACCT-2760 --os OpenBSD --weight L --network NO --description "Check for available OpenBSD accounting information"
if [ ${SKIPTEST} -eq 0 ]; then
if [ -f /var/account/acct ]; then
Display --indent 2 --text "- Checking accounting information" --result OK --color GREEN
Display --indent 2 --text "- Checking accounting information" --result "${STATUS_OK}" --color GREEN
LogText "Result: /var/account/acct available"
AddHP 3 3
else
Display --indent 2 --text "- Checking accounting information" --result "NOT FOUND" --color YELLOW
Display --indent 2 --text "- Checking accounting information" --result "${STATUS_NOT_FOUND}" --color YELLOW
LogText "Result: No accounting information available"
LogText "Remark: Possibly there is another location where the accounting data is stored"
ReportSuggestion ${TEST_NO} "Enable process accounting"
@ -75,19 +75,19 @@
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Check accounting information"
if [ -f /var/account/pacct ]; then
Display --indent 2 --text "- Checking accounting information" --result OK --color GREEN
Display --indent 2 --text "- Checking accounting information" --result "${STATUS_OK}" --color GREEN
LogText "Result: /var/account/pacct available"
AddHP 3 3
elif [ -f /var/log/account/pacct ]; then
Display --indent 2 --text "- Checking accounting information" --result OK --color GREEN
Display --indent 2 --text "- Checking accounting information" --result "${STATUS_OK}" --color GREEN
LogText "Result: /var/log/account/pacct available"
AddHP 3 3
elif [ -f /var/log/pacct ]; then
Display --indent 2 --text "- Checking accounting information" --result OK --color GREEN
Display --indent 2 --text "- Checking accounting information" --result "${STATUS_OK}" --color GREEN
LogText "Result: /var/log/pacct available"
AddHP 3 3
else
Display --indent 2 --text "- Checking accounting information" --result "NOT FOUND" --color YELLOW
Display --indent 2 --text "- Checking accounting information" --result "${STATUS_NOT_FOUND}" --color YELLOW
LogText "Result: No accounting information available (/var/account/pacct, /var/log/account/pact nor /var/log/pact exist)"
LogText "Remark: Possibly there is another location where the accounting data is stored"
ReportSuggestion ${TEST_NO} "Enable process accounting"
@ -107,25 +107,25 @@
FIND=`grep "^ENABLED" /etc/default/sysstat | grep -i true`
if [ ! "${FIND}" = "" ]; then
LogText "Result: sysstat enabled via /etc/default/sysstat"
Display --indent 2 --text "- Checking sysstat accounting data" --result ENABLED --color GREEN
Display --indent 2 --text "- Checking sysstat accounting data" --result "${STATUS_ENABLED}" --color GREEN
else
LogText "Result: sysstat disabled via /etc/default/sysstat"
Display --indent 2 --text "- Checking sysstat accounting data" --result DISABLED --color WHITE
Display --indent 2 --text "- Checking sysstat accounting data" --result "${STATUS_DISABLED}" --color WHITE
ReportSuggestion ${TEST_NO} "Enable sysstat to collect accounting (disabled)"
fi
elif [ -f /etc/cron.d/sysstat ]; then
FIND=`grep -v '^[[:space:]]*\(#\|$\)' /etc/cron.d/sysstat`
if [ ! "${FIND}" = "" ]; then
LogText "Result: sysstat enabled via /etc/cron.d/sysstat"
Display --indent 2 --text "- Checking sysstat accounting data" --result ENABLED --color GREEN
Display --indent 2 --text "- Checking sysstat accounting data" --result "${STATUS_ENABLED}" --color GREEN
else
LogText "Result: sysstat disabled via /etc/cron.d/sysstat"
Display --indent 2 --text "- Checking sysstat accounting data" --result DISABLED --color WHITE
Display --indent 2 --text "- Checking sysstat accounting data" --result "${STATUS_DISABLED}" --color WHITE
ReportSuggestion ${TEST_NO} "Enable sysstat to collect accounting (cron disabled)"
fi
else
LogText "Result: sysstat not found via /etc/default/sysstat or /etc/cron.d/sysstat"
Display --indent 2 --text "- Checking sysstat accounting data" --result "NOT FOUND" --color YELLOW
Display --indent 2 --text "- Checking sysstat accounting data" --result "${STATUS_NOT_FOUND}" --color YELLOW
ReportSuggestion ${TEST_NO} "Enable sysstat to collect accounting (no results)"
fi
fi
@ -142,7 +142,7 @@
IsRunning auditd
if [ ${RUNNING} -eq 1 ]; then
LogText "Result: auditd running"
Display --indent 2 --text "- Checking auditd" --result ENABLED --color GREEN
Display --indent 2 --text "- Checking auditd" --result "${STATUS_ENABLED}" --color GREEN
LINUX_AUDITD_RUNNING=1
AUDIT_DAEMON_RUNNING=1
Report "audit_trail_tool[]=auditd"
@ -150,7 +150,7 @@
AddHP 4 4
else
LogText "Result: auditd not active"
Display --indent 2 --text "- Checking auditd" --result "NOT FOUND" --color WHITE
Display --indent 2 --text "- Checking auditd" --result "${STATUS_NOT_FOUND}" --color WHITE
if [ ! "${VMTYPE}" = "openvz" ]; then
ReportSuggestion ${TEST_NO} "Enable auditd to collect audit information"
fi
@ -170,12 +170,12 @@
FIND=`${AUDITCTLBINARY} -l | grep -v "No rules"`
if [ "${FIND}" = "" ]; then
LogText "Result: auditd rules empty"
Display --indent 4 --text "- Checking audit rules" --result SUGGESTION --color YELLOW
Display --indent 4 --text "- Checking audit rules" --result "${STATUS_SUGGESTION}" --color YELLOW
AddHP 0 2
ReportSuggestion ${TEST_NO} "Audit daemon is enabled with an empty ruleset. Disable the daemon or define rules"
else
LogText "Result: found auditd rules"
Display --indent 4 --text "- Checking audit rules" --result OK --color GREEN
Display --indent 4 --text "- Checking audit rules" --result "${STATUS_OK}" --color GREEN
# Log audit daemon rules
FIND=`${AUDITCTLBINARY} -l | sed 's/ /!space!/g'`
for I in ${FIND}; do
@ -203,10 +203,10 @@
done
# Check if we discovered the configuration file. It should be there is the binaries are available and process is running
if [ ! "${AUDITD_CONF_FILE}" = "" ]; then
Display --indent 4 --text "- Checking audit configuration file" --result OK --color GREEN
Display --indent 4 --text "- Checking audit configuration file" --result "${STATUS_OK}" --color GREEN
else
LogText "Result: could not find auditd configuration file"
Display --indent 4 --text "- Checking audit configuration file" --result WARNING --color RED
Display --indent 4 --text "- Checking audit configuration file" --result "${STATUS_WARNING}" --color RED
ReportSuggestion ${TEST_NO} "Determine the location of auditd configuration file"
fi
fi
@ -225,16 +225,16 @@
LogText "Defined value: ${FIND}"
if [ -f ${FIND} ]; then
LogText "Result: log file ${FIND} exists on disk"
Display --indent 4 --text "- Checking auditd log file" --result FOUND --color GREEN
Display --indent 4 --text "- Checking auditd log file" --result "${STATUS_FOUND}" --color GREEN
Report "logfile[]=${FIND}"
else
LogText "Result: can't find log file ${FIND} on disk"
Display --indent 4 --text "- Checking auditd log file" --result SUGGESTION --color YELLOW
Display --indent 4 --text "- Checking auditd log file" --result "${STATUS_SUGGESTION}" --color YELLOW
ReportSuggestion ${TEST_NO} "Check auditd log file location"
fi
else
LogText "Result: no log file found"
Display --indent 4 --text "- Checking auditd log file" --result WARNING --color RED
Display --indent 4 --text "- Checking auditd log file" --result "${STATUS_WARNING}" --color RED
ReportWarning ${TEST_NO} "L" "Auditd log file is defined but can not be found on disk"
fi
fi
@ -248,7 +248,7 @@
FILE="/lib/snoopy.so"
if [ -f ${FILE} ]; then
LogText "Result: found ${FILE}"
Display --indent 2 --text "- Checking Snoopy" --result FOUND --color GREEN
Display --indent 2 --text "- Checking Snoopy" --result "${STATUS_FOUND}" --color GREEN
if [ -f /etc/ld.so.preload ]; then
LogText "Result: found /etc/ld.so.preload, testing if snoopy.so is listed"
FIND=`grep ${FILE} /etc/ld.so.preload`
@ -258,13 +258,13 @@
Display --indent 6 --text "- Library in ld.so.preload" --result "LOADED" --color GREEN
Report "audit_trail_tool[]=snoopy"
else
Display --indent 6 --text "- Library in ld.so.preload" --result "NOT FOUND" --color YELLOW
Display --indent 6 --text "- Library in ld.so.preload" --result "${STATUS_NOT_FOUND}" --color YELLOW
ReportSuggestion ${TEST_NO} "Snoopy is installed but not loaded via /etc/ld.so.preload"
AddHP 3 3
fi
else
LogText "Result: /etc/ld.so.preload does not exist"
Display --indent 6 --text "- Library in ld.so.preload" --result "UNKNOWN" --color PURPLE
Display --indent 6 --text "- Library in ld.so.preload" --result "${STATUS_UNKNOWN}" --color PURPLE
ReportException "${TEST_NO}:1" "Unsure how Snoopy might be loaded as ld.so.preload does not exist"
fi
fi
@ -282,10 +282,10 @@
LogText "Result: Solaris audit daemon is running"
SOLARIS_AUDITD_RUNNING=1
AUDIT_DAEMON_RUNNING=1
Display --indent 2 --text "- Checking Solaris audit daemon status" --result RUNNING --color GREEN
Display --indent 2 --text "- Checking Solaris audit daemon status" --result "${STATUS_RUNNING}" --color GREEN
else
LogText "Result: Solaris audit daemon is not running"
Display --indent 2 --text "- Checking Solaris audit daemon status" --result "NOT RUNNING" --color YELLOW
Display --indent 2 --text "- Checking Solaris audit daemon status" --result "${STATUS_NOT_RUNNING}" --color YELLOW
fi
fi
#
@ -300,7 +300,7 @@
FIND=`/usr/bin/svcs svc:/system/auditd:default | grep "^online"`
if [ ! "${FIND}" = "" ]; then
LogText "Result: auditd service is online"
Display --indent 4 --text "- Checking Solaris audit daemon status" --result ONLINE --color GREEN
Display --indent 4 --text "- Checking Solaris audit daemon status" --result "${STATUS_ON}"LINE --color GREEN
else
Display --indent 4 --text "- Checking Solaris audit daemon status" --result "NOT ONLINE" --color YELLOW
ReportSuggestion "${TEST_NO}" "Check status of audit daemon"
@ -319,9 +319,9 @@
FIND=`grep 'set c2audit:audit_load = 1' /etc/system`
if [ ! "${FIND}" = "" ]; then
LogText "Result: BSM is enabled in /etc/system"
Display --indent 4 --text "- Checking Solaris BSM (/etc/system)" --result ENABLED --color GREEN
Display --indent 4 --text "- Checking Solaris BSM (/etc/system)" --result "${STATUS_ENABLED}" --color GREEN
else
Display --indent 4 --text "- Checking Solaris BSM (/etc/system)" --result "NOT FOUND" --color YELLOW
Display --indent 4 --text "- Checking Solaris BSM (/etc/system)" --result "${STATUS_NOT_FOUND}" --color YELLOW
fi
else
LogText "Result: /etc/system does not exist"
@ -340,10 +340,10 @@
FIND=`/usr/sbin/modinfo | grep c2audit`
if [ ! "${FIND}" = "" ]; then
LogText "Result: c2audit found in modinfo output"
Display --indent 4 --text "- Checking Solaris BSM (modules list)" --result ENABLED --color GREEN
Display --indent 4 --text "- Checking Solaris BSM (modules list)" --result "${STATUS_ENABLED}" --color GREEN
else
LogText "Result: c2audit not found in modinfo output"
Display --indent 4 --text "- Checking Solaris BSM (modules list)" --result "NOT FOUND" --color YELLOW
Display --indent 4 --text "- Checking Solaris BSM (modules list)" --result "${STATUS_NOT_FOUND}" --color YELLOW
fi
else
LogText "Result: /usr/sbin/modinfo does not exist, skipping test"
@ -366,20 +366,20 @@
LogText "Test: Checking if location is a valid directory"
if [ -d ${FIND} ]; then
LogText "Result: location ${FIND} is valid"
Display --indent 4 --text "- Checking Solaris audit location" --result FOUND --color GREEN
Display --indent 4 --text "- Checking Solaris audit location" --result "${STATUS_FOUND}" --color GREEN
else
LogText "Result: location ${FIND} does not exist"
Display --indent 4 --text "- Checking Solaris audit location" --result "NOT FOUND" --color YELLOW
Display --indent 4 --text "- Checking Solaris audit location" --result "${STATUS_NOT_FOUND}" --color YELLOW
ReportSuggestion "${TEST_NO}" "Check if the Solaris audit directory is available"
fi
else
LogText "Result: unknown event location"
Display --indent 4 --text "- Checking Solaris audit location" --result UNKNOWN --color YELLOW
Display --indent 4 --text "- Checking Solaris audit location" --result "${STATUS_UNKNOWN}" --color YELLOW
ReportSuggestion "${TEST_NO}" "Check if the Solaris audit directory is properly configured"
fi
else
LogText "Result: could not find /etc/security/audit_control"
Display --indent 4 --text "- Checking Solaris audit location" --result SKIPPED --color YELLOW
Display --indent 4 --text "- Checking Solaris audit location" --result "${STATUS_SKIPPED}" --color YELLOW
fi
fi
#
@ -396,10 +396,10 @@
for I in ${FIND}; do
LogText "Output: ${I}"
done
Display --indent 4 --text "- Checking Solaris audit statistics" --result DONE --color GREEN
Display --indent 4 --text "- Checking Solaris audit statistics" --result "${STATUS_DONE}" --color GREEN
else
LogText "Result: /usr/sbin/auditstat not found, skipping test"
Display --indent 4 --text "- Checking Solaris audit statistics" --result SKIPPED --color YELLOW
Display --indent 4 --text "- Checking Solaris audit statistics" --result "${STATUS_SKIPPED}" --color YELLOW
fi
fi
#
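Review bot: In the hunk at `-300,7 +300,7` the new line passes `--result "${STATUS_ON}"LINE`, which looks like an automated replacement of `ON` inside `ONLINE`; the check only prints "ONLINE" while `STATUS_ON` happens to expand to `ON`, and any translated value gives a mangled status for the Solaris audit daemon service. Keeping the literal, as the `"NOT ONLINE"` branch right below it does, avoids this: `Display --indent 4 --text "- Checking Solaris audit daemon status" --result ONLINE --color GREEN`, or use a dedicated status variable if the language file defines one (the definitions are not visible on this page). The same file section also leaves `"LOADED"` (hunk `-258,13 +258,13`) and `"NOT ONLINE"` hard-coded, so the translation coverage here is incomplete. The enclosing test block starts and ends outside the hunk.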


@ -42,7 +42,7 @@
LogText "Test: Searching accounts with UID 0"
FIND=`grep ':0:' /etc/passwd | egrep -v '^#|^root:|^(\+:\*)?:0:0:::' | cut -d ":" -f1,3 | grep ':0'`
if [ ! "${FIND}" = "" ]; then
Display --indent 2 --text "- Search administrator accounts" --result WARNING --color RED
Display --indent 2 --text "- Search administrator accounts" --result "${STATUS_WARNING}" --color RED
LogText "Result: Found more than one administrator accounts"
ReportWarning "${TEST_NO}" "H" "Multiple users with UID 0 found in passwd file"
for I in ${FIND}; do
@ -54,7 +54,7 @@
fi
done
else
Display --indent 2 --text "- Search administrator accounts" --result OK --color GREEN
Display --indent 2 --text "- Search administrator accounts" --result "${STATUS_OK}" --color GREEN
LogText "Result: No accounts found with UID 0 other than root."
fi
fi
@ -75,16 +75,16 @@
if [ -f ${PASSWD_FILE} ]; then
FIND=`grep -v '^#' ${PASSWD_FILE} | cut -d ':' -f3 | sort | uniq -d`
if [ "${FIND}" = "" ]; then
Display --indent 2 --text "- Checking for non-unique UIDs" --result OK --color GREEN
Display --indent 2 --text "- Checking for non-unique UIDs" --result "${STATUS_OK}" --color GREEN
LogText "Result: all accounts found in ${PASSWD_FILE} are unique"
else
Display --indent 2 --text "- Checking for non-unique UIDs" --result WARNING --color RED
Display --indent 2 --text "- Checking for non-unique UIDs" --result "${STATUS_WARNING}" --color RED
LogText "Result: found multiple accounts with same UID"
LogText "Output (non-unique UIDs): ${FIND}"
ReportWarning ${TEST_NO} "Multiple accounts found with same UID"
fi
else
Display --indent 2 --text "- Checking UIDs" --result SKIPPED --color WHITE
Display --indent 2 --text "- Checking UIDs" --result "${STATUS_SKIPPED}" --color WHITE
LogText "Result: test skipped, ${PASSWD_FILE} file not available"
fi
LogText "Remarks: Non unique UIDs can riskful for the system or part of a configuration mistake"
@ -97,15 +97,15 @@
if [ -f /usr/sbin/chkgrp ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no AUTH-9212 --preqs-met ${PREQS_MET} --weight L --network NO --description "Test group file"
if [ ${SKIPTEST} -eq 0 ]; then
Display --indent 2 --text "- Checking chkgrp tool" --result FOUND --color GREEN
Display --indent 2 --text "- Checking chkgrp tool" --result "${STATUS_FOUND}" --color GREEN
LogText "Result: /usr/sbin/chkgrp binary found. Using this to perform next test(s)."
LogText "Test: Testing consistency of /etc/group file"
FIND=`/usr/sbin/chkgrp | grep -v 'is fine'`
if [ "${FIND}" = "" ]; then
Display --indent 4 --text "- Checking consistency of /etc/group file" --result OK --color GREEN
Display --indent 4 --text "- Checking consistency of /etc/group file" --result "${STATUS_OK}" --color GREEN
LogText "Result: chkgrp test performed, Group file seems to be ok."
else
Display --indent 4 --text "- Checking consistency of /etc/group file" --result WARNING --color RED
Display --indent 4 --text "- Checking consistency of /etc/group file" --result "${STATUS_WARNING}" --color RED
LogText "Result: chkgrp found some errors. Run the tool manually to see details."
LogText "chkgrp output: ${FIND}"
ReportWarning ${TEST_NO} "M" "chkgrp reported inconsistencies in /etc/group file"
@ -139,10 +139,10 @@
# Check exit-code
if [ "${FIND}" = "0" ]; then
Display --indent 2 --text "- Checking consistency of group files (grpck)" --result OK --color GREEN
Display --indent 2 --text "- Checking consistency of group files (grpck)" --result "${STATUS_OK}" --color GREEN
LogText "Result: grpck binary didn't find any errors in the group files"
else
Display --indent 2 --text "- Checking consistency of group files (grpck)" --result WARNING --color RED
Display --indent 2 --text "- Checking consistency of group files (grpck)" --result "${STATUS_WARNING}" --color RED
ReportWarning ${TEST_NO} "M" "grpck binary found errors in one or more group files"
ReportSuggestion ${TEST_NO} "Run grpck manually and check your group files"
fi
@ -161,9 +161,9 @@
# Check for all shells, except: (/usr)/sbin/nologin /nonexistent
FIND=`grep "[a-z]:\*:" /etc/master.passwd | egrep -v '^#|/sbin/nologin|/usr/sbin/nologin|/nonexistent' | sed 's/ /!space!/g'`
if [ "${FIND}" = "" ]; then
Display --indent 2 --text "- Checking login shells" --result OK --color GREEN
Display --indent 2 --text "- Checking login shells" --result "${STATUS_OK}" --color GREEN
else
Display --indent 2 --text "- Checking login shells" --result WARNING --color RED
Display --indent 2 --text "- Checking login shells" --result "${STATUS_WARNING}" --color RED
for I in ${FIND}; do
I=`echo ${I} | sed 's/!space!/ /g'`
J=`echo ${I} | awk -F: '{ print $10 }'`
@ -186,7 +186,7 @@
fi
fi
else
Display --indent 2 --text "- Checking login shells" --result SKIPPED --color WHITE
Display --indent 2 --text "- Checking login shells" --result "${STATUS_SKIPPED}" --color WHITE
LogText "Result: No /etc/master.passwd file found"
fi
fi
@ -200,10 +200,10 @@
LogText "Test: Checking for non unique group ID's in /etc/group"
FIND=`grep -v '^#' /etc/group | grep -v '^$' | awk -F: '{ print $3 }' | sort | uniq -d`
if [ "${FIND}" = "" ]; then
Display --indent 2 --text "- Checking non unique group ID's" --result OK --color GREEN
Display --indent 2 --text "- Checking non unique group ID's" --result "${STATUS_OK}" --color GREEN
LogText "Result: All group ID's are unique"
else
Display --indent 2 --text "- Checking non unique group ID's" --result WARNING --color RED
Display --indent 2 --text "- Checking non unique group ID's" --result "${STATUS_WARNING}" --color RED
LogText "Result: Found the same group ID multiple times"
LogText "Output: ${FIND}"
ReportWarning ${TEST_NO} "H" "Found multiple groups with same group ID"
@ -221,10 +221,10 @@
LogText "Test: Checking for non unique group names in /etc/group"
FIND=`grep -v '^#' /etc/group | grep -v '^$' | awk -F: '{ print $1 }' | sort | uniq -d`
if [ "${FIND}" = "" ]; then
Display --indent 2 --text "- Checking non unique group names" --result OK --color GREEN
Display --indent 2 --text "- Checking non unique group names" --result "${STATUS_OK}" --color GREEN
LogText "Result: All group names are unique"
else
Display --indent 2 --text "- Checking non unique group names" --result WARNING --color WARNING
Display --indent 2 --text "- Checking non unique group names" --result "${STATUS_WARNING}" --color WARNING
LogText "Result: Found the same group name multiple times"
LogText "Output: ${FIND}"
ReportWarning ${TEST_NO} "M" "Found inconsistencies in group file (multiple occurences of a single group)"
@ -257,11 +257,11 @@
esac
# Only display if this test has been executed
if [ ${TESTED} -eq 1 -a "${FIND}" = "0" ]; then
Display --indent 2 --text "- Checking password file consistency" --result OK --color GREEN
Display --indent 2 --text "- Checking password file consistency" --result "${STATUS_OK}" --color GREEN
LogText "Result: pwck check didn't find any problems"
AddHP 2 2
else
Display --indent 2 --text "- Checking password file consistency" --result WARNING --color RED
Display --indent 2 --text "- Checking password file consistency" --result "${STATUS_WARNING}" --color RED
LogText "Result: pwck found one or more errors/warnings in the password file."
ReportWarning ${TEST_NO} "M" "pwck found one or more errors/warnings in the password file"
ReportSuggestion ${TEST_NO} "Run pwck manually and correct found issues."
@ -318,9 +318,9 @@
if [ "${FIND}" = "" ]; then
Display --indent 4 --text "Result: No users found/unknown result"
LogText "Result: Querying of system users skipped"
Display --indent 2 --text "- Query system users (non daemons)" --result UNKNOWN --color YELLOW
Display --indent 2 --text "- Query system users (non daemons)" --result "${STATUS_UNKNOWN}" --color YELLOW
else
Display --indent 2 --text "- Query system users (non daemons)" --result DONE --color GREEN
Display --indent 2 --text "- Query system users (non daemons)" --result "${STATUS_DONE}" --color GREEN
for I in ${FIND}; do
LogText "Real user: ${I}"
Report "real_user[]=${I}"
@ -344,7 +344,7 @@
FIND3=`egrep "^passwd" /etc/nsswitch.conf | grep "nisplus"`
if [ ! "${FIND2}" = "" -o ! "${FIND3}" = "" ]; then
LogText "Result: NIS+ authentication enabled"
Display --indent 2 --text "- Checking NIS+ authentication support" --result "ENABLED" --color GREEN
Display --indent 2 --text "- Checking NIS+ authentication support" --result "${STATUS_ENABLED}" --color GREEN
else
LogText "Result: NIS+ authentication not enabled"
Display --indent 2 --text "- Checking NIS+ authentication support" --result "NOT ENABLED" --color WHITE
@ -371,7 +371,7 @@
FIND3=`egrep "^passwd" /etc/nsswitch.conf | grep "nis" | grep -v "nisplus"`
if [ ! "${FIND2}" = "" -o ! "${FIND3}" = "" ]; then
LogText "Result: NIS authentication enabled"
Display --indent 2 --text "- Checking NIS authentication support" --result "ENABLED" --color GREEN
Display --indent 2 --text "- Checking NIS authentication support" --result "${STATUS_ENABLED}" --color GREEN
else
LogText "Result: NIS authentication not enabled"
Display --indent 2 --text "- Checking NIS authentication support" --result "NOT ENABLED" --color WHITE
@ -401,10 +401,10 @@
done
if [ ${FOUND} -eq 1 ]; then
LogText "Result: sudoers file found (${SUDOERS_FILE})"
Display --indent 2 --text "- Checking sudoers file" --result FOUND --color GREEN
Display --indent 2 --text "- Checking sudoers file" --result "${STATUS_FOUND}" --color GREEN
else
LogText "Result: sudoers file NOT found"
Display --indent 2 --text "- Checking sudoers file" --result "NOT FOUND" --color YELLOW
Display --indent 2 --text "- Checking sudoers file" --result "${STATUS_NOT_FOUND}" --color YELLOW
fi
fi
#
@ -420,10 +420,10 @@
LogText "Result: Found file permissions: ${FIND}"
if [ "${FIND}" = "rw-------" -o "${FIND}" = "rw-rw----" -o "${FIND}" = "r--r-----" ]; then
LogText "Result: file ${SUDOERS_FILE} has correct permissions"
Display --indent 4 --text "- Check sudoers file permissions" --result OK --color GREEN
Display --indent 4 --text "- Check sudoers file permissions" --result "${STATUS_OK}" --color GREEN
else
LogText "Result: file has possibly unsafe file permissions"
Display --indent 4 --text "- Check sudoers file permissions" --result WARNING --color RED
Display --indent 4 --text "- Check sudoers file permissions" --result "${STATUS_WARNING}" --color RED
fi
fi
#
@ -436,12 +436,12 @@
FIND=`logins -p | awk '{ print $1 }'`
if [ "${FIND}" = "" ]; then
LogText "Result: no passwordless accounts found"
Display --indent 2 --text "- Checking passwordless accounts on Solaris" --result OK --color GREEN
Display --indent 2 --text "- Checking passwordless accounts on Solaris" --result "${STATUS_OK}" --color GREEN
else
for I in ${FIND}; do
ReportWarning ${TEST_NO} "H" "Found passwordless account (${I})"
done
Display --indent 2 --text "- Checking passwordless accounts on Solaris" --result WARNING --color RED
Display --indent 2 --text "- Checking passwordless accounts on Solaris" --result "${STATUS_WARNING}" --color RED
fi
fi
#
@ -504,12 +504,12 @@
fi
if [ ${FOUND} -eq 0 ]; then
Display --indent 2 --text "- Checking PAM password strength tools" --result "SUGGESTION" --color YELLOW
Display --indent 2 --text "- Checking PAM password strength tools" --result "${STATUS_SUGGESTION}" --color YELLOW
LogText "Result: no PAM modules for password strength testing found"
ReportSuggestion ${TEST_NO} "Install a PAM module for password strength testing like pam_cracklib or pam_passwdqc"
AddHP 0 3
else
Display --indent 2 --text "- Checking PAM password strength tools" --result OK --color GREEN
Display --indent 2 --text "- Checking PAM password strength tools" --result "${STATUS_OK}" --color GREEN
LogText "Result: found at least one PAM module for password strength testing"
AddHP 3 3
fi
@ -524,7 +524,7 @@
LogText "Test: Checking file /etc/pam.conf"
if [ -f /etc/pam.conf ]; then
LogText "Result: file /etc/pam.conf exists"
Display --indent 2 --text "- Checking PAM configuration files (pam.conf)" --result FOUND --color GREEN
Display --indent 2 --text "- Checking PAM configuration files (pam.conf)" --result "${STATUS_FOUND}" --color GREEN
LogText "Test: searching PAM configuration files"
FIND=`grep -v "^#" /etc/pam.conf | grep -v "^$" | sed 's/[[:space:]]/ /g' | sed 's/ / /g' | sed 's/ /:space:/g'`
if [ "${FIND}" = "" ]; then
@ -538,7 +538,7 @@
fi
else
LogText "Result: file /etc/pam.conf could not be found"
Display --indent 2 --text "- Checking PAM configuration file (pam.conf)" --result "NOT FOUND" --color WHITE
Display --indent 2 --text "- Checking PAM configuration file (pam.conf)" --result "${STATUS_NOT_FOUND}" --color WHITE
fi
fi
#
@ -551,7 +551,7 @@
LogText "Test: Checking directory /etc/pam.d"
if [ -d /etc/pam.d ]; then
LogText "Result: directory /etc/pam.d exists"
Display --indent 2 --text "- Checking PAM configuration files (pam.d)" --result FOUND --color GREEN
Display --indent 2 --text "- Checking PAM configuration files (pam.d)" --result "${STATUS_FOUND}" --color GREEN
LogText "Test: searching PAM configuration files"
FIND=`find /etc/pam.d -type f -print | sort`
for I in ${FIND}; do
@ -559,7 +559,7 @@
done
else
LogText "Result: directory /etc/pam.d could not be found"
Display --indent 2 --text "- Checking PAM configuration files (pam.d)" --result "NOT FOUND" --color WHITE
Display --indent 2 --text "- Checking PAM configuration files (pam.d)" --result "${STATUS_NOT_FOUND}" --color WHITE
fi
fi
#
@ -590,10 +590,10 @@
done
# Check if we found at least one module
if [ ${FOUND} -eq 0 ]; then
Display --indent 2 --text "- Checking PAM modules" --result "NOT FOUND" --color WHITE
Display --indent 2 --text "- Checking PAM modules" --result "${STATUS_NOT_FOUND}" --color WHITE
LogText "Result: no PAM modules found"
else
Display --indent 2 --text "- Checking PAM modules" --result FOUND --color GREEN
Display --indent 2 --text "- Checking PAM modules" --result "${STATUS_FOUND}" --color GREEN
fi
fi
#
@ -611,12 +611,12 @@
if [ ! "${FIND}" = "" ]; then
LogText "Result: LDAP module present"
LogText "Output: ${FIND}"
Display --indent 2 --text "- Checking LDAP module in PAM" --result FOUND --color GREEN
Display --indent 2 --text "- Checking LDAP module in PAM" --result "${STATUS_FOUND}" --color GREEN
LDAP_AUTH_ENABLED=1
LDAP_PAM_ENABLED=1
else
LogText "Result: LDAP module not found"
Display --indent 2 --text "- Checking LDAP module in PAM" --result "NOT FOUND" --color WHITE
Display --indent 2 --text "- Checking LDAP module in PAM" --result "${STATUS_NOT_FOUND}" --color WHITE
fi
else
LogText "Result: file /etc/pam.d/common-auth not found, skipping test"
@ -660,13 +660,13 @@
LogText "Test: Checking Linux version and password expire date status"
if [ "${FIND}" = "" ]; then
LogText "Result: all accounts seem to have an expire date"
Display --indent 2 --text "- Checking accounts without expire date" --result OK --color GREEN
Display --indent 2 --text "- Checking accounts without expire date" --result "${STATUS_OK}" --color GREEN
else
LogText "Result: found one or more accounts with expire date set"
for I in ${FIND}; do
LogText "Account without expire date: ${I}"
done
Display --indent 2 --text "- Checking accounts without expire date" --result SUGGESTION --color YELLOW
Display --indent 2 --text "- Checking accounts without expire date" --result "${STATUS_SUGGESTION}" --color YELLOW
ReportSuggestion ${TEST_NO} "When possible set expire dates for all password protected accounts"
fi
fi
@ -677,14 +677,14 @@
LogText "Test: Checking passwordless accounts"
if [ "${FIND2}" = "" ]; then
LogText "Result: all accounts seem to have a password"
Display --indent 2 --text "- Checking accounts without password" --result OK --color GREEN
Display --indent 2 --text "- Checking accounts without password" --result "${STATUS_OK}" --color GREEN
else
LogText "Result: found one or more accounts without password"
for I in ${FIND2}; do
LogText "Account without password: ${I}"
Report "account_without_password=${I}"
done
Display --indent 2 --text "- Checking accounts without password" --result WARNING --color RED
Display --indent 2 --text "- Checking accounts without password" --result "${STATUS_WARNING}" --color RED
ReportWarning ${TEST_NO} "Found accounts without password"
fi
fi
@ -702,7 +702,7 @@
FIND=`grep "^PASS_MIN_DAYS" /etc/login.defs | awk '{ if ($1=="PASS_MIN_DAYS") { print $2 } }'`
if [ "${FIND}" = "" -o "${FIND}" = "0" ]; then
LogText "Result: password minimum age is not configured"
Display --indent 2 --text "- Checking user password aging (minimum)" --result DISABLED --color YELLOW
Display --indent 2 --text "- Checking user password aging (minimum)" --result "${STATUS_DISABLED}" --color YELLOW
ReportSuggestion ${TEST_NO} "Configure minimum password age in /etc/login.defs"
AddHP 0 1
else
@ -716,7 +716,7 @@
FIND=`grep "^PASS_MAX_DAYS" /etc/login.defs | awk '{ if ($1=="PASS_MAX_DAYS") { print $2 } }'`
if [ "${FIND}" = "" -o "${FIND}" = "99999" ]; then
LogText "Result: password aging limits are not configured"
Display --indent 2 --text "- Checking user password aging (maximum)" --result DISABLED --color YELLOW
Display --indent 2 --text "- Checking user password aging (maximum)" --result "${STATUS_DISABLED}" --color YELLOW
ReportSuggestion ${TEST_NO} "Configure maximum password age in /etc/login.defs"
AddHP 0 1
else
@ -747,15 +747,15 @@
Report "account_password_expired[]=${ACCOUNT}"
done
AddHP 0 10
Display --indent 2 --text "- Checking expired passwords" --result FOUND --color RED
Display --indent 2 --text "- Checking expired passwords" --result "${STATUS_FOUND}" --color RED
ReportSuggestion "${TEST_NO}" "Delete accounts which are no longer used"
else
LogText "Result: good, no passwords have been expired"
Display --indent 2 --text "- Checking expired passwords" --result OK --color GREEN
Display --indent 2 --text "- Checking expired passwords" --result "${STATUS_OK}" --color GREEN
AddHP 10 10
fi
else
Display --indent 2 --text "- Checking expired passwords" --result SKIPPED --color YELLOW
Display --indent 2 --text "- Checking expired passwords" --result "${STATUS_SKIPPED}" --color YELLOW
fi
fi
#
@ -773,11 +773,11 @@
FIND=`grep "^PASSREQ=NO" /etc/default/sulogin`
if [ "${FIND}" = "" ]; then
LogText "Result: option not present or configured to request a password at single user mode login"
Display --indent 2 --text "- Checking Solaris /etc/default/sulogin file" --result OK --color GREEN
Display --indent 2 --text "- Checking Solaris /etc/default/sulogin file" --result "${STATUS_OK}" --color GREEN
AddHP 1 1
else
LogText "Result: option present, no password needed at single user mode login"
Display --indent 2 --text "- Checking Solaris /etc/default/sulogin file" --result WARNING --color RED
Display --indent 2 --text "- Checking Solaris /etc/default/sulogin file" --result "${STATUS_WARNING}" --color RED
ReportWarning ${TEST_NO} "H" "No password needed for single user mode login"
AddHP 0 1
fi
@ -803,11 +803,11 @@
FIND=`grep "^:d_boot_authenticate@" /tcb/files/auth/system/default`
if [ "${FIND}" = "" ]; then
LogText "Result: option not set, password is needed at boot"
Display --indent 2 --text "- Checking HP-UX boot authentication" --result OK --color GREEN
Display --indent 2 --text "- Checking HP-UX boot authentication" --result "${STATUS_OK}" --color GREEN
AddHP 1 1
else
LogText "Result: option present, no password needed at single user mode login"
Display --indent 2 --text "- Checking HP-UX boot authentication" --result SUGGESTION --color YELLOW
Display --indent 2 --text "- Checking HP-UX boot authentication" --result "${STATUS_SUGGESTION}" --color YELLOW
ReportSuggestion ${TEST_NO} "Set password for system boot"
AddHP 0 1
fi
@ -886,13 +886,13 @@
if [ ${TEST_PERFORMED} -eq 1 ]; then
if [ ${FOUND} -eq 0 ]; then
LogText "Result: option not set, no password needed at single user mode boot"
Display --indent 2 --text "- Checking Linux single user mode authentication" --result WARNING --color RED
Display --indent 2 --text "- Checking Linux single user mode authentication" --result "${STATUS_WARNING}" --color RED
ReportWarning ${TEST_NO} "L" "No password set for single mode"
ReportSuggestion ${TEST_NO} "Set password for single user mode to minimize physical access attack surface"
AddHP 0 2
else
LogText "Result: option set, password is needed at single user mode boot"
Display --indent 2 --text "- Checking Linux single user mode authentication" --result OK --color GREEN
Display --indent 2 --text "- Checking Linux single user mode authentication" --result "${STATUS_OK}" --color GREEN
AddHP 2 2
fi
else
@ -952,17 +952,17 @@
if [ ${FOUND_UMASK} -eq 1 ]; then
if [ ${WEAK_UMASK} -eq 0 ]; then
Display --indent 4 --text "- Checking umask (/etc/profile)" --result OK --color GREEN
Display --indent 4 --text "- Checking umask (/etc/profile)" --result "${STATUS_OK}" --color GREEN
AddHP 2 2
else
Display --indent 4 --text "- Checking umask (/etc/profile)" --result SUGGESTION --color YELLOW
Display --indent 4 --text "- Checking umask (/etc/profile)" --result "${STATUS_SUGGESTION}" --color YELLOW
ReportSuggestion ${TEST_NO} "Default umask in /etc/profile could be more strict like 027"
AddHP 0 2
fi
else
# Some operating systems don't have a default umask defined in /etc/profile (Debian)
LogText "Result: found no umask. Please check if this is correct"
Display --indent 4 --text "- Checking umask (/etc/profile)" --result "NOT FOUND" --color YELLOW
Display --indent 4 --text "- Checking umask (/etc/profile)" --result "${STATUS_NOT_FOUND}" --color YELLOW
fi
else
LogText "Result: file /etc/profile does not exist"
@ -989,16 +989,16 @@
FIND=`grep "^UMASK" /etc/login.defs | awk '{ print $2 }'`
if [ "${FIND}" = "" ]; then
LogText "Result: umask value is not configured (most likely it will have the default 022 value)"
Display --indent 4 --text "- Checking umask (/etc/login.defs)" --result SUGGESTION --color YELLOW
Display --indent 4 --text "- Checking umask (/etc/login.defs)" --result "${STATUS_SUGGESTION}" --color YELLOW
ReportSuggestion ${TEST_NO} "Default umask in /etc/login.defs could not be found and defaults usually to 022, which could be more strict like 027"
AddHP 1 2
elif [ "${FIND}" = "077" -o "${FIND}" = "027" ]; then
LogText "Result: umask is ${FIND}, which is fine"
Display --indent 4 --text "- Checking umask (/etc/login.defs)" --result OK --color GREEN
Display --indent 4 --text "- Checking umask (/etc/login.defs)" --result "${STATUS_OK}" --color GREEN
AddHP 2 2
else
LogText "Result: found umask ${FIND}, which could be improved"
Display --indent 4 --text "- Checking umask (/etc/login.defs)" --result SUGGESTION --color YELLOW
Display --indent 4 --text "- Checking umask (/etc/login.defs)" --result "${STATUS_SUGGESTION}" --color YELLOW
ReportSuggestion ${TEST_NO} "Default umask in /etc/login.defs could be more strict like 027"
AddHP 0 2
fi
@ -1014,14 +1014,14 @@
FIND=`grep "^umask" /etc/init.d/functions | awk '{ print $2 }'`
if [ "${FIND}" = "" ]; then
LogText "Result: umask is not configured"
Display --indent 4 --text "- Checking umask (/etc/init.d/functions)" --result NONE --color WHITE
Display --indent 4 --text "- Checking umask (/etc/init.d/functions)" --result "${STATUS_NONE}" --color WHITE
elif [ "${FIND}" = "077" -o "${FIND}" = "027" ]; then
LogText "Result: umask is ${FIND}, which is fine"
Display --indent 4 --text "- Checking umask (/etc/init.d/functions)" --result OK --color GREEN
Display --indent 4 --text "- Checking umask (/etc/init.d/functions)" --result "${STATUS_OK}" --color GREEN
AddHP 2 2
else
LogText "Result: found umask ${FIND}, which could be improved"
Display --indent 4 --text "- Checking umask (/etc/init.d/functions)" --result SUGGESTION --color YELLOW
Display --indent 4 --text "- Checking umask (/etc/init.d/functions)" --result "${STATUS_SUGGESTION}" --color YELLOW
AddHP 0 2
fi
else
@ -1036,16 +1036,16 @@
FIND=`grep -i "^UMASK" /etc/init.d/rc | awk '{ print $2 }'`
if [ "${FIND}" = "" ]; then
LogText "Result: UMASK value is not configured (most likely it will have the default 022 value)"
Display --indent 4 --text "- Checking umask (/etc/init.d/rc)" --result SUGGESTION --color YELLOW
Display --indent 4 --text "- Checking umask (/etc/init.d/rc)" --result "${STATUS_SUGGESTION}" --color YELLOW
ReportSuggestion ${TEST_NO} "Default umask in /etc/init.d/rc could not be found and defaults usually to 022, which could be more strict like 027"
AddHP 1 2
elif [ "${FIND}" = "077" -o "${FIND}" = "027" ]; then
LogText "Result: umask is ${FIND}, which is fine"
Display --indent 4 --text "- Checking umask (/etc/init.d/rc)" --result OK --color GREEN
Display --indent 4 --text "- Checking umask (/etc/init.d/rc)" --result "${STATUS_OK}" --color GREEN
AddHP 2 2
else
LogText "Result: found umask ${FIND}, which could be improved"
Display --indent 4 --text "- Checking umask (/etc/init.d/rc)" --result SUGGESTION --color YELLOW
Display --indent 4 --text "- Checking umask (/etc/init.d/rc)" --result "${STATUS_SUGGESTION}" --color YELLOW
ReportSuggestion ${TEST_NO} "Default umask in /etc/init.d/rc could be more strict like 027"
AddHP 0 2
fi
@ -1078,14 +1078,14 @@
fi
if [ ${FOUND} -eq 1 ]; then
if [ ${WEAK_UMASK} -eq 0 ]; then
Display --indent 4 --text "- Checking umask (/etc/login.conf)" --result OK --color GREEN
Display --indent 4 --text "- Checking umask (/etc/login.conf)" --result "${STATUS_OK}" --color GREEN
else
Display --indent 4 --text "- Checking umask (/etc/login.conf)" --result WEAK --color YELLOW
ReportSuggestion ${TEST_NO} "Umask in /etc/login.conf could be more strict like 027"
fi
else
LogText "Result: no umask setting found in /etc/login.conf, which is unexpected"
Display --indent 4 --text "- Checking umask (/etc/login.conf)" --result NONE --color YELLOW
Display --indent 4 --text "- Checking umask (/etc/login.conf)" --result "${STATUS_NONE}" --color YELLOW
fi
fi
@ -1099,16 +1099,16 @@
FIND2=`grep -i "^UMASK" /etc/init.d/rcS | awk '{ print $2 }'`
if [ "${FIND2}" = "" ]; then
LogText "Result: UMASK value is not configured (most likely it will have the default 022 value)"
Display --indent 4 --text "- Checking umask (/etc/init.d/rcS)" --result SUGGESTION --color YELLOW
Display --indent 4 --text "- Checking umask (/etc/init.d/rcS)" --result "${STATUS_SUGGESTION}" --color YELLOW
ReportSuggestion ${TEST_NO} "Default umask in /etc/init.d/rcS could not be found and defaults usually to 022, which could be more strict like 027"
AddHP 1 2
elif [ "${FIND2}" = "077" -o "${FIND2}" = "027" ]; then
LogText "Result: umask is ${FIND2}, which is fine"
Display --indent 4 --text "- Checking umask (/etc/init.d/rcS)" --result OK --color GREEN
Display --indent 4 --text "- Checking umask (/etc/init.d/rcS)" --result "${STATUS_OK}" --color GREEN
AddHP 2 2
else
LogText "Result: found umask ${FIND2}, which could be improved"
Display --indent 4 --text "- Checking umask (/etc/init.d/rcS)" --result SUGGESTION --color YELLOW
Display --indent 4 --text "- Checking umask (/etc/init.d/rcS)" --result "${STATUS_SUGGESTION}" --color YELLOW
ReportSuggestion ${TEST_NO} "Default umask in /etc/init.d/rcS could be more strict like 027"
AddHP 0 2
fi
@ -1167,7 +1167,7 @@
fi
fi
if [ ${FOUND} -eq 1 ]; then
Display --indent 2 --text "- Checking account locking" --result "ENABLED" --color GREEN
Display --indent 2 --text "- Checking account locking" --result "${STATUS_ENABLED}" --color GREEN
else
Display --indent 2 --text "- Checking account locking" --result "NOT ENABLED" --color YELLOW
fi
@ -1186,7 +1186,7 @@
Display --indent 2 --text "- Checking LDAP authentication support" --result "NOT ENABLED" --color WHITE
else
LogText "Result: LDAP authentication enabled"
Display --indent 2 --text "- Checking LDAP authentication support" --result "ENABLED" --color GREEN
Display --indent 2 --text "- Checking LDAP authentication support" --result "${STATUS_ENABLED}" --color GREEN
LDAP_AUTH_ENABLED=1
fi
else
@ -1233,11 +1233,11 @@
if [ "${FIND}" = "yes" ]; then
AUTH_FAILED_LOGINS_LOGGED=1
LogText "Result: failed login attempts are logged in /var/log/faillog"
Display --indent 2 --text "- Logging failed login attempts" --result ENABLED --color GREEN
Display --indent 2 --text "- Logging failed login attempts" --result "${STATUS_ENABLED}" --color GREEN
AddHP 3 3
else
LogText "Result: failed login attempts are not logged"
Display --indent 2 --text "- Logging failed login attempts" --result DISABLED --color YELLOW
Display --indent 2 --text "- Logging failed login attempts" --result "${STATUS_DISABLED}" --color YELLOW
#ReportSuggestion ${TEST_NO} "Configure failed login attempts to be logged in /var/log/faillog"
AddHP 0 1
fi


@ -37,26 +37,26 @@
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Testing existence /COPYRIGHT or /etc/COPYRIGHT"
if [ -f /COPYRIGHT ]; then
Display --indent 2 --text "- /COPYRIGHT" --result FOUND --color GREEN
Display --indent 2 --text "- /COPYRIGHT" --result "${STATUS_FOUND}" --color GREEN
if [ -s /COPYRIGHT ]; then
LogText "Result: /COPYRIGHT available and contains text"
else
LogText "Result: /COPYRIGHT available, but empty"
fi
else
Display --indent 2 --text "- /COPYRIGHT" --result "NOT FOUND" --color WHITE
Display --indent 2 --text "- /COPYRIGHT" --result "${STATUS_NOT_FOUND}" --color WHITE
LogText "Result: /COPYRIGHT not found"
fi
if [ -f /etc/COPYRIGHT ]; then
Display --indent 2 --text "- /etc/COPYRIGHT" --result FOUND --color GREEN
Display --indent 2 --text "- /etc/COPYRIGHT" --result "${STATUS_FOUND}" --color GREEN
if [ -s /etc/COPYRIGHT ]; then
LogText "Result: /etc/COPYRIGHT available and contains text"
else
LogText "Result: /etc/COPYRIGHT available, but empty"
fi
else
Display --indent 2 --text "- /etc/COPYRIGHT" --result "NOT FOUND" --color WHITE
Display --indent 2 --text "- /etc/COPYRIGHT" --result "${STATUS_NOT_FOUND}" --color WHITE
LogText "Result: /etc/COPYRIGHT not found"
fi
fi
@ -70,14 +70,14 @@
# LogText "Test: Testing existence /etc/motd"
# if [ -f /etc/motd ]; then
# LogText "Result: file /etc/motd exists"
# Display --indent 2 --text "- /etc/motd" --result FOUND --color GREEN
# Display --indent 2 --text "- /etc/motd" --result "${STATUS_FOUND}" --color GREEN
# if [ ! -L /etc/motd ]; then
# if IsWorldWritable /etc/motd; then
# Display --indent 4 --text "- /etc/motd permissions" --result WARNING --color RED
# Display --indent 4 --text "- /etc/motd permissions" --result "${STATUS_WARNING}" --color RED
# LogText "Result: /etc/motd is world writable. Users can change this file!"
# ReportWarning ${TEST_NO} "H" "/etc/motd is world writable"
# else
# Display --indent 4 --text "- /etc/motd permissions" --result OK --color GREEN
# Display --indent 4 --text "- /etc/motd permissions" --result "${STATUS_OK}" --color GREEN
# LogText "Result: /etc/motd is not world writable."
# fi
# else
@ -85,7 +85,7 @@
# fi
# else
# LogText "Result: File /etc/motd not found"
# Display --indent 2 --text "- /etc/motd" --result "NOT FOUND" --color WHITE
# Display --indent 2 --text "- /etc/motd" --result "${STATUS_NOT_FOUND}" --color WHITE
# fi
#fi
#
@ -109,7 +109,7 @@
# # Check if we have 5 or more key words
# if [ ${N} -gt 4 ]; then
# LogText "Result: Found ${N} key words, to warn unauthorized users"
# Display --indent 4 --text "- /etc/motd contents" --result OK --color GREEN
# Display --indent 4 --text "- /etc/motd contents" --result "${STATUS_OK}" --color GREEN
# AddHP 2 2
# else
# LogText "Result: Found only ${N} key words, to warn unauthorized users and could be increased"
@ -132,11 +132,11 @@
LogText "Result: file /etc/issue exists (symlink)"
Display --indent 2 --text "- /etc/issue" --result SYMLINK --color GREEN
else
Display --indent 2 --text "- /etc/issue" --result FOUND --color GREEN
Display --indent 2 --text "- /etc/issue" --result "${STATUS_FOUND}" --color GREEN
fi
else
LogText "Result: file /etc/issue does not exist"
Display --indent 2 --text "- /etc/issue" --result "NOT FOUND" --color WHITE
Display --indent 2 --text "- /etc/issue" --result "${STATUS_NOT_FOUND}" --color WHITE
fi
fi
#
@ -160,7 +160,7 @@
# Check if we have 5 or more key words
if [ ${N} -gt 4 ]; then
LogText "Result: Found ${N} key words (5 or more suggested), to warn unauthorized users"
Display --indent 4 --text "- /etc/issue contents" --result OK --color GREEN
Display --indent 4 --text "- /etc/issue contents" --result "${STATUS_OK}" --color GREEN
AddHP 2 2
else
LogText "Result: Found only ${N} key words (5 or more suggested), to warn unauthorized users and could be increased"
@ -184,11 +184,11 @@
Display --indent 2 --text "- /etc/issue.net" --result SYMLINK --color GREEN
else
LogText "Result: file /etc/issue.net exists"
Display --indent 2 --text "- /etc/issue.net" --result FOUND --color GREEN
Display --indent 2 --text "- /etc/issue.net" --result "${STATUS_FOUND}" --color GREEN
fi
else
LogText "Result: file /etc/issue.net does not exist"
Display --indent 2 --text "- /etc/issue.net" --result "NOT FOUND" --color WHITE
Display --indent 2 --text "- /etc/issue.net" --result "${STATUS_NOT_FOUND}" --color WHITE
fi
fi
#
@ -212,7 +212,7 @@
# Check if we have 5 or more key words
if [ ${N} -gt 4 ]; then
LogText "Result: Found ${N} key words, to warn unauthorized users"
Display --indent 4 --text "- /etc/issue.net contents" --result OK --color GREEN
Display --indent 4 --text "- /etc/issue.net contents" --result "${STATUS_OK}" --color GREEN
AddHP 2 2
else
LogText "Result: Found only ${N} key words, to warn unauthorized users and could be increased"
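Review bot: The symlink branches for /etc/issue and /etc/issue.net still pass a hard-coded `--result SYMLINK`, while the sibling branches of the same checks now use `"${STATUS_FOUND}"` and `"${STATUS_NOT_FOUND}"`. With a non-English language file, one test would then print a mix of translated and untranslated results. If the omission is deliberate, a short comment such as `# SYMLINK is intentionally not translated` next to those two lines would make that clear; otherwise it should go through a status string like the rest. The enclosing test blocks start and end outside the visible hunks.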


@ -45,12 +45,12 @@
FIND=`/usr/sbin/bootinfo -b`
if [ ! "${FIND}" = "" ]; then
LogText "Result: found boot device ${FIND}"
Display --indent 2 --text "- Checking boot device (bootinfo)" --result FOUND --color GREEN
Display --indent 2 --text "- Checking boot device (bootinfo)" --result "${STATUS_FOUND}" --color GREEN
BOOT_LOADER="ROS"
BOOT_LOADER_FOUND=1
else
LogText "Result: no data received from bootinfo, most likely boot device not found"
#Display --indent 4 --text "- Checking boot device (bootinfo)" --result "NOT FOUND" --color YELLOW
#Display --indent 4 --text "- Checking boot device (bootinfo)" --result "${STATUS_NOT_FOUND}" --color YELLOW
#ReportSuggestion ${TEST_NO} "Only use root (not sudo account) to query properly boot device"
fi
fi
@ -126,7 +126,7 @@
esac
LogText "Result: service manager found = ${SERVICE_MANAGER}"
if [ "${SERVICE_MANAGER}" = "" -o "${SERVICE_MANAGER}" = "unknown" ]; then
Display --indent 2 --text "- Service Manager" --result "UNKNOWN" --color YELLOW
Display --indent 2 --text "- Service Manager" --result "${STATUS_UNKNOWN}" --color YELLOW
else
Display --indent 2 --text "- Service Manager" --result "${SERVICE_MANAGER}" --color GREEN
fi
@ -193,15 +193,15 @@
;;
esac
if [ ${UEFI_BOOTED} -eq 1 ]; then
Display --indent 2 --text "- Checking UEFI boot" --result ENABLED --color GREEN
Display --indent 2 --text "- Checking UEFI boot" --result "${STATUS_ENABLED}" --color GREEN
if [ ${UEFI_BOOTED_SECURE} -eq 1 ]; then
Display --indent 2 --text "- Checking Secure Boot" --result ENABLED --color GREEN
Display --indent 2 --text "- Checking Secure Boot" --result "${STATUS_ENABLED}" --color GREEN
else
Display --indent 2 --text "- Checking Secure Boot" --result DISABLED --color YELLOW
Display --indent 2 --text "- Checking Secure Boot" --result "${STATUS_DISABLED}" --color YELLOW
fi
else
if [ ${UEFI_TESTS_PERFORMED} -eq 1 ]; then
Display --indent 2 --text "- Checking UEFI boot" --result DISABLED --color WHITE
Display --indent 2 --text "- Checking UEFI boot" --result "${STATUS_DISABLED}" --color WHITE
fi
fi
fi
@ -220,7 +220,7 @@
BOOT_LOADER="GRUB"
BOOT_LOADER_FOUND=1
GRUB_VERSION=1
Display --indent 2 --text "- Checking presence GRUB" --result "OK" --color GREEN
Display --indent 2 --text "- Checking presence GRUB" --result "${STATUS_OK}" --color GREEN
if [ -f /boot/grub/grub.conf ]; then GRUBCONFFILE="/boot/grub/grub.conf"; else GRUBCONFFILE="/boot/grub/menu.lst"; fi
fi
@ -230,7 +230,7 @@
BOOT_LOADER="GRUB2"
BOOT_LOADER_FOUND=1
GRUB_VERSION=2
Display --indent 2 --text "- Checking presence GRUB2" --result FOUND --color GREEN
Display --indent 2 --text "- Checking presence GRUB2" --result "${STATUS_FOUND}" --color GREEN
if [ -f /boot/grub/grub.cfg ]; then
GRUBCONFFILE="/boot/grub/grub.cfg"
elif [ -f /boot/grub2/grub.cfg ]; then
@ -277,11 +277,11 @@
FOUND=1
fi
if [ ${FOUND} -eq 1 ]; then
Display --indent 4 --text "- Checking for password protection" --result OK --color GREEN
Display --indent 4 --text "- Checking for password protection" --result "${STATUS_OK}" --color GREEN
LogText "Result: GRUB has password protection."
AddHP 4 4
else
Display --indent 4 --text "- Checking for password protection" --result WARNING --color RED
Display --indent 4 --text "- Checking for password protection" --result "${STATUS_WARNING}" --color RED
LogText "Result: Didn't find hashed password line in GRUB boot file!"
ReportSuggestion ${TEST_NO} "Set a password on GRUB bootloader to prevent altering boot configuration (e.g. boot in single user mode without password)"
AddHP 0 2
@ -300,7 +300,7 @@
BOOT_LOADER_SEARCHED=1
if [ -f /boot/boot1 -a -f /boot/boot2 -a -f /boot/loader ]; then
LogText "Result: found boot1, boot2 and loader files in /boot"
Display --indent 2 --text "- Checking presence FreeBSD loader" --result FOUND --color GREEN
Display --indent 2 --text "- Checking presence FreeBSD loader" --result "${STATUS_FOUND}" --color GREEN
BOOT_LOADER="FreeBSD"
BOOT_LOADER_FOUND=1
else
@ -317,7 +317,7 @@
BOOT_LOADER_SEARCHED=1
if [ -f /boot.${HARDWARE} -o -f /boot -o -f /ofwboot ]; then
LogText "Result: found NetBSD secondary bootstrap"
Display --indent 2 --text "- Checking presence NetBSD loader" --result FOUND --color GREEN
Display --indent 2 --text "- Checking presence NetBSD loader" --result "${STATUS_FOUND}" --color GREEN
BOOT_LOADER="NetBSD"
BOOT_LOADER_FOUND=1
else
@ -341,18 +341,18 @@
if [ ${CANREAD} -eq 1 ]; then
BOOT_LOADER="LILO"
BOOT_LOADER_FOUND=1
Display --indent 2 --text "- Checking presence LILO" --result "OK" --color GREEN
Display --indent 2 --text "- Checking presence LILO" --result "${STATUS_OK}" --color GREEN
LogText "Checking password option LILO"
FIND=`${EGREPBINARY} 'password[[:space:]]?=' ${LILOCONFFILE} | grep -v "^#"`
if [ "${FIND}" = "" ]; then
Display --indent 4 --text "- Password option presence " --result "WARNING" --color RED
Display --indent 4 --text "- Password option presence " --result "${STATUS_WARNING}" --color RED
LogText "Result: no password set for LILO. Bootloader is unprotected to"
LogText "dropping to single user mode or unauthorized access to devices/data."
ReportSuggestion ${TEST_NO} "Add a password to LILO, by adding a line to the lilo.conf file, above the first line saying 'image=<name>': password=<password>"
ReportWarning ${TEST_NO} "M" "No password set on LILO bootloader"
AddHP 0 2
else
Display --indent 4 --text "- Password option presence " --result "OK" --color GREEN
Display --indent 4 --text "- Password option presence " --result "${STATUS_OK}" --color GREEN
LogText "Result: LILO password option set"
AddHP 4 4
fi
@ -373,7 +373,7 @@
BOOT_LOADER_SEARCHED=1
if [ -f /etc/silo.conf ]; then
LogText "Result: Found SILO configuration file (/etc/silo.conf)"
Display --indent 2 --text "- Checking boot loader SILO" --result FOUND --color GREEN
Display --indent 2 --text "- Checking boot loader SILO" --result "${STATUS_FOUND}" --color GREEN
BOOT_LOADER="SILO"
BOOT_LOADER_FOUND=1
else
@ -392,11 +392,11 @@
# FIND=`/sbin/silo | grep "appears to be valid"`
# if [ ! "${FIND}" = "" ]; then
# LogText "Result: Found SILO configuration file (/etc/silo.conf)"
# Display --indent 6 --text "- Checking SILO consistency" --result OK --color GREEN
# Display --indent 6 --text "- Checking SILO consistency" --result "${STATUS_OK}" --color GREEN
# else
# LogText "Result: no positive result received from silo binary"
# ReportWarning ${TEST_NO} "Possible issue with boot loader (SILO)"
# Display --indent 6 --text "- Checking SILO consistency" --result WARNING --color RED
# Display --indent 6 --text "- Checking SILO consistency" --result "${STATUS_WARNING}" --color RED
# fi
# fi
# fi
@ -411,7 +411,7 @@
LogText "Test: Check for /etc/yaboot.conf"
if [ -f /etc/yaboot.conf ]; then
LogText "Result: Found YABOOT configuration file (/etc/yaboot.conf)"
Display --indent 4 --text "- Checking boot loader YABOOT" --result FOUND --color GREEN
Display --indent 4 --text "- Checking boot loader YABOOT" --result "${STATUS_FOUND}" --color GREEN
BOOT_LOADER="YABOOT"
BOOT_LOADER_FOUND=1
else
@ -437,18 +437,18 @@
# Configuration file
if [ -f /etc/boot.conf ]; then
FOUND=1
Display --indent 2 --text "- Checking /etc/boot.conf" --result "FOUND" --color GREEN
Display --indent 2 --text "- Checking /etc/boot.conf" --result "${STATUS_FOUND}" --color GREEN
FIND=`grep '^boot' /etc/boot.conf`
if [ "${FIND}" = "" ]; then
Display --indent 4 --text "- Checking boot option" --result WARNING --color RED
Display --indent 4 --text "- Checking boot option" --result "${STATUS_WARNING}" --color RED
#ReportSuggestion ${TEST_NO} "Add 'boot' to the /etc/boot.conf file to disable the default 5 seconds waiting time, to disallow booting into single user mode."
ReportWarning ${TEST_NO} "M" "System can be booted into single user mode without password"
else
Display --indent 4 --text "- Checking boot option" --result OK --color GREEN
Display --indent 4 --text "- Checking boot option" --result "${STATUS_OK}" --color GREEN
LogText "Ok, boot option is enabled."
fi
else
Display --indent 2 --text "- Checking /etc/boot.conf" --result "NOT FOUND" --color YELLOW
Display --indent 2 --text "- Checking /etc/boot.conf" --result "${STATUS_NOT_FOUND}" --color YELLOW
LogText "Result: no /etc/boot.conf found. When using the default boot loader, physical"
LogText "access to the server can be used to possibly enter single user mode."
ReportSuggestion ${TEST_NO} "Add 'boot' to the /etc/boot.conf file to disable the default 5 seconds waiting time."
@ -491,7 +491,7 @@
Report "boottask[]=${I}"
N=$((N + 1))
done
Display --indent 2 --text "- Checking services at startup (service/rc.conf)" --result "DONE" --color GREEN
Display --indent 2 --text "- Checking services at startup (service/rc.conf)" --result "${STATUS_DONE}" --color GREEN
Display --indent 6 --text "Result: found $N services/options set"
LogText "Found $N services/options to run at startup"
fi
@ -519,7 +519,7 @@
N=$((N + 1))
done
LogText "Note: Run systemctl --full --type=service to see all services"
Display --indent 2 --text "- Check running services (systemctl)" --result "DONE" --color GREEN
Display --indent 2 --text "- Check running services (systemctl)" --result "${STATUS_DONE}" --color GREEN
Display --indent 8 --text "Result: found $N running services"
LogText "Result: Found $N enabled services"
@ -534,7 +534,7 @@
N=$((N + 1))
done
LogText "Note: Run systemctl list-unit-files --type=service to see all services"
Display --indent 2 --text "- Check enabled services at boot (systemctl)" --result "DONE" --color GREEN
Display --indent 2 --text "- Check enabled services at boot (systemctl)" --result "${STATUS_DONE}" --color GREEN
Display --indent 8 --text "Result: found $N enabled services"
LogText "Result: Found $N running services"
@ -552,7 +552,7 @@
N=$((N + 1))
done
LogText "Hint: Run chkconfig --list to see all services and disable unneeded services"
Display --indent 2 --text "- Check services at startup (chkconfig)" --result "DONE" --color GREEN
Display --indent 2 --text "- Check services at startup (chkconfig)" --result "${STATUS_DONE}" --color GREEN
Display --indent 8 --text "Result: found $N services"
LogText "Result: Found $N services at startup"
else
@ -581,7 +581,7 @@
LogText "Found service (at boot, runlevel 2): ${I}"
N=$((N + 1))
done
Display --indent 2 --text "- Check services at startup (rc2.d)" --result "DONE" --color WHITE
Display --indent 2 --text "- Check services at startup (rc2.d)" --result "${STATUS_DONE}" --color WHITE
Display --indent 4 --text "Result: found $N services"
LogText "Result: found $N services"
fi
@ -667,12 +667,12 @@
# Check results
if [ ${FOUND} -eq 1 ]; then
Display --indent 2 --text "- Check startup files (permissions)" --result "WARNING" --color RED
Display --indent 2 --text "- Check startup files (permissions)" --result "${STATUS_WARNING}" --color RED
ReportWarning ${TEST_NO} "Found world writable startup scripts" "-" "-"
LogText "Result: found one or more scripts which are possibly writable by other users"
AddHP 0 3
else
Display --indent 2 --text "- Check startup files (permissions)" --result "OK" --color GREEN
Display --indent 2 --text "- Check startup files (permissions)" --result "${STATUS_OK}" --color GREEN
AddHP 3 3
fi
fi
@ -691,7 +691,7 @@
if [ -f /proc/uptime ]; then
FIND=`cat /proc/uptime | cut -d ' ' -f1 | cut -d '.' -f1`
else
Display --indent 2 --text "- Checking uptime" --result SKIPPED --color YELLOW
Display --indent 2 --text "- Checking uptime" --result "${STATUS_SKIPPED}" --color YELLOW
ReportException "${TEST_NO}:1" "No uptime test available for this operating system (/proc/uptime missing)"
fi
;;
@ -700,7 +700,7 @@
if [ ! "${SYSCTLBINARY}" = "" ]; then
FIND=`${SYSCTLBINARY} kern.boottime | awk '{ print $5 }' | sed -e 's/,//' | grep "[0-9]"`
else
Display --indent 2 --text "- Checking uptime" --result SKIPPED --color YELLOW
Display --indent 2 --text "- Checking uptime" --result "${STATUS_SKIPPED}" --color YELLOW
ReportException "${TEST_NO}:4" "No uptime test available for this operating system (sysctl missing)"
fi
;;
@ -717,7 +717,7 @@
ReportException "${TEST_NO}:5" "Most likely kern.boottime empty, unable to determine uptime"
fi
else
Display --indent 2 --text "- Checking uptime" --result SKIPPED --color YELLOW
Display --indent 2 --text "- Checking uptime" --result "${STATUS_SKIPPED}" --color YELLOW
ReportException "${TEST_NO}:4" "No uptime test available for this operating system (sysctl missing)"
fi
;;
@ -726,13 +726,13 @@
if [ ! "${KSTATBINARY}" = "" ]; then
FIND=`${KSTATBINARY} -p unix:0:system_misc:snaptime | grep "^unix" | awk '{print $2}' | cut -d "." -f1`
else
Display --indent 2 --text "- Checking uptime" --result SKIPPED --color YELLOW
Display --indent 2 --text "- Checking uptime" --result "${STATUS_SKIPPED}" --color YELLOW
ReportException "${TEST_NO}:2" "No uptime test available for this operating system (kstat missing)"
fi
;;
*)
Display --indent 2 --text "- Checking uptime" --result SKIPPED --color YELLOW
Display --indent 2 --text "- Checking uptime" --result "${STATUS_SKIPPED}" --color YELLOW
# Want to help improving Lynis? Share your operating system and a way to determine the uptime (in seconds)
ReportException "${TEST_NO}:3" "No uptime test available yet for this operating system"
@ -769,7 +769,7 @@
else
LogText "Result: did not find sulogin in rescue.service"
AddHP 1 3
Display --indent 2 --text "- Checking sulogin in rescue.service" --result "NOT FOUND" --color YELLOW
Display --indent 2 --text "- Checking sulogin in rescue.service" --result "${STATUS_NOT_FOUND}" --color YELLOW
ReportSuggestion "${TEST_NO}" "Protect rescue.service by using sulogin"
fi
else
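Review bot: The log lines of the two systemctl hunks appear to be swapped. The "Check running services (systemctl)" block displays `found $N running services` but logs `Result: Found $N enabled services`, and the "Check enabled services at boot (systemctl)" block does the reverse. Anyone reading the audit log would see the wrong count attributed to each check. Since this commit already touches both blocks, it would be a good moment to log `LogText "Result: Found $N running services"` in the first and `LogText "Result: Found $N enabled services"` in the second. Both loops start outside the visible hunks, so this is judged from the shown lines only.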


@ -50,7 +50,7 @@
Display --indent 2 --text "- Checking Solaris Zones" --result "FOUND ${N} zones" --color GREEN
else
LogText "Result: no running zones found"
Display --indent 2 --text "- Checking Solaris Zones" --result NONE --color WHITE
Display --indent 2 --text "- Checking Solaris Zones" --result "${STATUS_NONE}" --color WHITE
fi
fi
#
@ -82,7 +82,7 @@
Report "docker_daemon_running=1"
DOCKER_DAEMON_RUNNING=1
Display --indent 4 --text "- Docker"
Display --indent 6 --text "- Docker daemon" --result RUNNING --color GREEN
Display --indent 6 --text "- Docker daemon" --result "${STATUS_RUNNING}" --color GREEN
fi
fi
#
@ -109,7 +109,7 @@
AddHP 3 4
else
LogText "Result: no warnings found from 'docker info' output"
Display --indent 8 --text "- Docker info output (warnings)" --result "NONE" --color GREEN
Display --indent 8 --text "- Docker info output (warnings)" --result "${STATUS_NONE}" --color GREEN
AddHP 1 1
fi
fi
@ -136,7 +136,7 @@
if [ ! "${DOCKER_CONTAINERS_TOTAL}" = "${DOCKER_CONTAINERS_TOTAL2}" ]; then
LogText "Result: difference detected, which is unexpected"
ReportSuggestion "${TEST_NO}" "Test output of both 'docker ps -a' and 'docker info', to determine why they report a different amount of containers"
Display --indent 8 --text "- Total containers" --result "UNKNOWN" --color RED
Display --indent 8 --text "- Total containers" --result "${STATUS_UNKNOWN}" --color RED
else
Display --indent 8 --text "- Total containers" --result "${DOCKER_CONTAINERS_TOTAL}" --color WHITE
fi
@ -190,10 +190,10 @@
fi
done
if [ ${DOCKER_FILE_PERMISSIONS_WARNINGS} -gt 0 ]; then
Display --indent 4 --text "- File permissions" --result WARNINGS --color YELLOW
Display --indent 4 --text "- File permissions" --result "${STATUS_WARNING}"S --color YELLOW
AddHP 0 5
else
Display --indent 4 --text "- File permissions" --result OK --color GREEN
Display --indent 4 --text "- File permissions" --result "${STATUS_OK}" --color GREEN
AddHP 5 5
fi
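Review bot: The Docker file-permissions result now reads `--result "${STATUS_WARNING}"S`, so a literal `S` is appended to whatever the status variable expands to. This looks like the bulk replace matching `WARNING` inside `WARNINGS`, and with any translated value it produces a malformed word. Use the singular status unchanged, `--result "${STATUS_WARNING}" --color YELLOW`, or keep the literal `WARNINGS` until a plural string exists. In the same file section, `--result "FOUND ${N} zones"` is still a hard-coded English string. The enclosing test blocks start outside the visible hunks.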
fi


@ -78,9 +78,9 @@
done
if [ ${FOUNDPROBLEM} -eq 0 ]; then
Display --indent 2 --text "- Checking for expired SSL certificates" --result NONE --color GREEN
Display --indent 2 --text "- Checking for expired SSL certificates" --result "${STATUS_NONE}" --color GREEN
else
Display --indent 2 --text "- Checking for expired SSL certificates" --result FOUND --color RED
Display --indent 2 --text "- Checking for expired SSL certificates" --result "${STATUS_FOUND}" --color RED
ReportSuggestion ${TEST_NO} "Check available certificates for expiration"
fi
fi


@ -23,9 +23,9 @@
# --text text to be displayed on screen
# --result text at end of line
# --color color of result text
Display --indent 2 --text "- Checking if everything is OK..." --result OK --color GREEN
Display --indent 4 --text "This shows one level deeper " --result NOTICE --color YELLOW
Display --indent 6 --text "And even deeper" --result WARNING --color RED
Display --indent 2 --text "- Checking if everything is OK..." --result "${STATUS_OK}" --color GREEN
Display --indent 4 --text "This shows one level deeper " --result "${STATUS_NO}"TICE --color YELLOW
Display --indent 6 --text "And even deeper" --result "${STATUS_WARNING}" --color RED
# Here we could add specific tests, like testing for a directory
# Most tests use the "if-then-else". If something is true, take one step, otherwise the other.
@ -54,12 +54,12 @@
# Only match one value
"Linux")
LogText "Found Linux"
Display --indent 2 --text "OS: Linux" --result OK --color GREEN
Display --indent 2 --text "OS: Linux" --result "${STATUS_OK}" --color GREEN
;;
# Matching several platforms
"FreeBSD" | "NetBSD" | "OpenBSD")
LogText "Found an operating system based on BSD"
Display --indent 2 --text "OS: *BSD" --result OK --color GREEN
Display --indent 2 --text "OS: *BSD" --result "${STATUS_OK}" --color GREEN
;;
# Catch-all for unknown values
*)
@ -96,9 +96,9 @@
fi
if [ ${FOUNDPROBLEM} -eq 0 ]; then
Display --indent 2 --text "- Checking if everything is OK..." --result OK --color GREEN
Display --indent 2 --text "- Checking if everything is OK..." --result "${STATUS_OK}" --color GREEN
else
Display --indent 2 --text "- Checking if everything is OK..." --result WARNING --color RED
Display --indent 2 --text "- Checking if everything is OK..." --result "${STATUS_WARNING}" --color RED
ReportSuggestion ${TEST_NO} "This is a suggestion"
fi
fi
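Review bot: The search-and-replace split a word on the second example line: `--result "${STATUS_NO}"TICE` only reads as NOTICE while STATUS_NO happens to expand to "NO", and any translated value for that variable produces a garbled result column. The same pattern is visible earlier on this page in the Docker file-permissions line, `--result "${STATUS_WARNING}"S`. This section looks like the sample that custom tests are copied from, so the mistake would spread; I would use a dedicated variable, e.g. `Display --indent 4 --text "This shows one level deeper " --result "${STATUS_NOTICE}" --color YELLOW`, assuming a STATUS_NOTICE entry is added to the language files (the name is a proposal, not something this page defines). The Docker line needs the same treatment for its plural form.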


@ -37,10 +37,10 @@
if [ ${SKIPTEST} -eq 0 ]; then
FIND=`${PSBINARY} ax | egrep "mysqld|mysqld_safe" | grep -v "grep"`
if [ "${FIND}" = "" ]; then
if [ ${DEBUG} -eq 1 ]; then Display --indent 2 --text "- MySQL process status" --result "NOT FOUND" --color WHITE --debug; fi
if [ ${DEBUG} -eq 1 ]; then Display --indent 2 --text "- MySQL process status" --result "${STATUS_NOT_FOUND}" --color WHITE --debug; fi
LogText "Result: MySQL process not active"
else
Display --indent 2 --text "- MySQL process status" --result "FOUND" --color GREEN
Display --indent 2 --text "- MySQL process status" --result "${STATUS_FOUND}" --color GREEN
LogText "Result: MySQL is active"
MYSQL_RUNNING=1
Report "mysql_running=${MYSQL_RUNNING}"
@ -76,11 +76,11 @@
if [ "${FIND}" = "0" ]; then
LogText "Result: Login succeeded, no MySQL root password set!"
ReportWarning ${TEST_NO} "H" "No MySQL root password set"
Display --indent 4 --text "- Checking empty MySQL root password" --result WARNING --color RED
Display --indent 4 --text "- Checking empty MySQL root password" --result "${STATUS_WARNING}" --color RED
AddHP 0 5
else
LogText "Result: Login did not succeed, so a MySQL root password is set"
Display --indent 4 --text "- Checking MySQL root password" --result OK --color GREEN
Display --indent 4 --text "- Checking MySQL root password" --result "${STATUS_OK}" --color GREEN
AddHP 2 2
fi
else
@ -94,12 +94,12 @@
Register --test-no DBS-1826 --weight L --network NO --description "Checking active PostgreSQL processes"
if [ ${SKIPTEST} -eq 0 ]; then
if IsRunning "postgres:"; then
Display --indent 2 --text "- PostgreSQL processes status" --result "FOUND" --color GREEN
Display --indent 2 --text "- PostgreSQL processes status" --result "${STATUS_FOUND}" --color GREEN
LogText "Result: PostgreSQL is active"
POSTGRESQL_RUNNING=1
Report "postgresql_running=${POSTGRESQL_RUNNING}"
else
if [ ${DEBUG} -eq 1 ]; then Display --indent 2 --text "- PostgreSQL processes status" --result "NOT FOUND" --color WHITE --debug; fi
if [ ${DEBUG} -eq 1 ]; then Display --indent 2 --text "- PostgreSQL processes status" --result "${STATUS_NOT_FOUND}" --color WHITE --debug; fi
LogText "Result: PostgreSQL process not active"
fi
fi
@ -120,10 +120,10 @@
if [ ${SKIPTEST} -eq 0 ]; then
FIND=`${PSBINARY} ax | egrep "ora_pmon|ora_smon|tnslsnr" | grep -v "grep"`
if [ "${FIND}" = "" ]; then
if [ ${DEBUG} -eq 1 ]; then Display --indent 2 --text "- Oracle processes status" --result "NOT FOUND" --color WHITE --debug; fi
if [ ${DEBUG} -eq 1 ]; then Display --indent 2 --text "- Oracle processes status" --result "${STATUS_NOT_FOUND}" --color WHITE --debug; fi
LogText "Result: Oracle process(es) not active"
else
Display --indent 2 --text "- Oracle processes status" --result "FOUND" --color GREEN
Display --indent 2 --text "- Oracle processes status" --result "${STATUS_FOUND}" --color GREEN
LogText "Result: Oracle is active"
ORACLE_RUNNING=1
Report "oracle_running=${ORACLE_RUNNING}"
@ -148,12 +148,12 @@
Register --test-no DBS-1860 --weight L --network NO --description "Checking active DB2 instances"
if [ ${SKIPTEST} -eq 0 ]; then
if IsRunning db2sysc; then
Display --indent 2 --text "- DB2 instance running" --result "FOUND" --color GREEN
Display --indent 2 --text "- DB2 instance running" --result "${STATUS_FOUND}" --color GREEN
LogText "Result: At least one DB2 instance is running"
DB2_RUNNING=1
Report "db2_running=${DB2_RUNNING}"
else
if [ ${DEBUG} -eq 1 ]; then Display --indent 2 --text "- DB2 instance running" --result "NOT FOUND" --color WHITE --debug; fi
if [ ${DEBUG} -eq 1 ]; then Display --indent 2 --text "- DB2 instance running" --result "${STATUS_NOT_FOUND}" --color WHITE --debug; fi
LogText "Result: No DB2 instances are running"
fi
fi


@ -39,10 +39,10 @@
Report "file_integrity_tool[]=afick"
FILE_INT_TOOL="afick"
FILE_INT_TOOL_FOUND=1
Display --indent 4 --text "- AFICK" --result FOUND --color GREEN
Display --indent 4 --text "- AFICK" --result "${STATUS_FOUND}" --color GREEN
else
LogText "Result: AFICK is not installed"
if IsVerbose; then Display --indent 4 --text "- AFICK" --result "NOT FOUND" --color WHITE; fi
if IsVerbose; then Display --indent 4 --text "- AFICK" --result "${STATUS_NOT_FOUND}" --color WHITE; fi
fi
fi
#
@ -58,10 +58,10 @@
Report "file_integrity_tool[]=aide"
FILE_INT_TOOL="aide"
FILE_INT_TOOL_FOUND=1
Display --indent 4 --text "- AIDE" --result FOUND --color GREEN
Display --indent 4 --text "- AIDE" --result "${STATUS_FOUND}" --color GREEN
else
LogText "Result: AIDE is not installed"
if IsVerbose; then Display --indent 4 --text "- AIDE" --result "NOT FOUND" --color WHITE; fi
if IsVerbose; then Display --indent 4 --text "- AIDE" --result "${STATUS_NOT_FOUND}" --color WHITE; fi
fi
fi
#
@ -81,14 +81,14 @@
fi
done
if [ "${AIDECONFIG}" = "" ]; then
Display --indent 6 --text "- AIDE config file" --result "NOT FOUND" --color YELLOW
Display --indent 6 --text "- AIDE config file" --result "${STATUS_NOT_FOUND}" --color YELLOW
else
LogText "Checking configuration file ${AIDECONFIG} for errors"
FIND=$(${AIDEBINARY} --config=${AIDECONFIG} -D)
if [ $? -eq 0 ]; then
Display --indent 6 --text "- AIDE config file" --result FOUND --color GREEN
Display --indent 6 --text "- AIDE config file" --result "${STATUS_FOUND}" --color GREEN
else
Display --indent 6 --text "- AIDE config file" --result WARNING --color YELLOW
Display --indent 6 --text "- AIDE config file" --result "${STATUS_WARNING}" --color YELLOW
ReportSuggestion "${TEST_NO}" "Check the AIDE configuratio file as it may contain errors"
fi
fi
@ -106,10 +106,10 @@
Report "file_integrity_tool[]=osiris"
FILE_INT_TOOL="osiris"
FILE_INT_TOOL_FOUND=1
Display --indent 4 --text "- Osiris" --result FOUND --color GREEN
Display --indent 4 --text "- Osiris" --result "${STATUS_FOUND}" --color GREEN
else
LogText "Result: Osiris is not installed"
if IsVerbose; then Display --indent 4 --text "- Osiris" --result "NOT FOUND" --color WHITE; fi
if IsVerbose; then Display --indent 4 --text "- Osiris" --result "${STATUS_NOT_FOUND}" --color WHITE; fi
fi
fi
#
@ -125,10 +125,10 @@
Report "file_integrity_tool[]=samhain"
FILE_INT_TOOL="samhain"
FILE_INT_TOOL_FOUND=1
Display --indent 4 --text "- Samhain" --result FOUND --color GREEN
Display --indent 4 --text "- Samhain" --result "${STATUS_FOUND}" --color GREEN
else
LogText "Result: Samhain is not installed"
if IsVerbose; then Display --indent 4 --text "- Samhain" --result "NOT FOUND" --color WHITE; fi
if IsVerbose; then Display --indent 4 --text "- Samhain" --result "${STATUS_NOT_FOUND}" --color WHITE; fi
fi
fi
#
@ -144,10 +144,10 @@
Report "file_integrity_tool[]=tripwire"
FILE_INT_TOOL="tripwire"
FILE_INT_TOOL_FOUND=1
Display --indent 4 --text "- Tripwire" --result FOUND --color GREEN
Display --indent 4 --text "- Tripwire" --result "${STATUS_FOUND}" --color GREEN
else
LogText "Result: Tripwire is not installed"
if IsVerbose; then Display --indent 4 --text "- Tripwire" --result "NOT FOUND" --color WHITE; fi
if IsVerbose; then Display --indent 4 --text "- Tripwire" --result "${STATUS_NOT_FOUND}" --color WHITE; fi
fi
fi
#
@ -164,10 +164,10 @@
Report "file_integrity_tool[]=ossec"
FILE_INT_TOOL="ossec-syscheck"
FILE_INT_TOOL_FOUND=1
Display --indent 4 --text "- OSSEC (syscheck)" --result FOUND --color GREEN
Display --indent 4 --text "- OSSEC (syscheck)" --result "${STATUS_FOUND}" --color GREEN
else
LogText "Result: syscheck (OSSEC) not installed"
if IsVerbose; then Display --indent 4 --text "- OSSEC" --result "NOT FOUND" --color WHITE; fi
if IsVerbose; then Display --indent 4 --text "- OSSEC" --result "${STATUS_NOT_FOUND}" --color WHITE; fi
fi
fi
#
@ -184,10 +184,10 @@
Report "file_integrity_tool[]=mtree"
FILE_INT_TOOL="mtree"
FILE_INT_TOOL_FOUND=1
Display --indent 4 --text "- mtree" --result FOUND --color GREEN
Display --indent 4 --text "- mtree" --result "${STATUS_FOUND}" --color GREEN
else
LogText "Result: mtree is not installed"
if IsVerbose; then Display --indent 4 --text "- mtree" --result "NOT FOUND" --color WHITE; fi
if IsVerbose; then Display --indent 4 --text "- mtree" --result "${STATUS_NOT_FOUND}" --color WHITE; fi
fi
fi
#
@ -198,16 +198,16 @@
if [ -f ${CSF_CONFIG} ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no FINT-4334 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check lfd daemon status"
if [ ${SKIPTEST} -eq 0 ]; then
Display --indent 4 --text "- lfd (CSF)" --result FOUND --color GREEN
Display --indent 4 --text "- lfd (CSF)" --result "${STATUS_FOUND}" --color GREEN
IsRunning 'lfd '
if [ ${RUNNING} -eq 1 ]; then
LogText "Result: lfd daemon is running (CSF)"
Report "file_integrity_tool[]=csf-lfd"
Display --indent 6 --text "- LFD (CSF) daemon" --result RUNNING --color GREEN
Display --indent 6 --text "- LFD (CSF) daemon" --result "${STATUS_RUNNING}" --color GREEN
FILE_INT_TOOL="csf-lfd"
FILE_INT_TOOL_FOUND=1
else
Display --indent 6 --text "- LFD (CSF) daemon" --result "NOT RUNNING" --color YELLOW
Display --indent 6 --text "- LFD (CSF) daemon" --result "${STATUS_NOT_RUNNING}" --color YELLOW
fi
fi
#
@ -222,24 +222,24 @@
ENABLED=`grep "^LF_DAEMON = \"1\"" ${CSF_CONFIG}`
if [ ! "${ENABLED}" = "" ]; then
LogText "Result: lfd service is configured to run"
Display --indent 6 --text "- Configuration status" --result ENABLED --color GREEN
Display --indent 6 --text "- Configuration status" --result "${STATUS_ENABLED}" --color GREEN
else
LogText "Result: lfd service is configured NOT to run"
Display --indent 6 --text "- Configuration status" --result DISABLED --color YELLOW
Display --indent 6 --text "- Configuration status" --result "${STATUS_DISABLED}" --color YELLOW
fi
ENABLED=`grep "^LF_DIRWATCH =" ${CSF_CONFIG} | awk '{ print $3 }' | sed 's/\"//g'`
if [ ! "${ENABLED}" = "0" -a ! "${ENABLED}" = "" ]; then
LogText "Result: lfd directory watching is enabled (value: ${ENABLED})"
Display --indent 6 --text "- Temporary directory watches" --result ENABLED --color GREEN
Display --indent 6 --text "- Temporary directory watches" --result "${STATUS_ENABLED}" --color GREEN
else
LogText "Result: lfd directory watching is disabled"
Display --indent 6 --text "- Temporary directory watches" --result DISABLED --color YELLOW
Display --indent 6 --text "- Temporary directory watches" --result "${STATUS_DISABLED}" --color YELLOW
fi
ENABLED=`grep "^LF_DIRWATCH_FILE =" ${CSF_CONFIG} | awk '{ print $3 }' | sed 's/\"//g'`
if [ ! "${ENABLED}" = "0" -a ! "${ENABLED}" = "" ]; then
Display --indent 6 --text "- Directory/File watches" --result ENABLED --color GREEN
Display --indent 6 --text "- Directory/File watches" --result "${STATUS_ENABLED}" --color GREEN
else
Display --indent 6 --text "- Directory/File watches" --result DISABLED --color YELLOW
Display --indent 6 --text "- Directory/File watches" --result "${STATUS_DISABLED}" --color YELLOW
fi
fi
#
@ -256,10 +256,10 @@
Report "file_integrity_tool[]=osquery"
FILE_INT_TOOL="osquery"
FILE_INT_TOOL_FOUND=1
Display --indent 4 --text "- osquery daemon (syscheck)" --result FOUND --color GREEN
Display --indent 4 --text "- osquery daemon (syscheck)" --result "${STATUS_FOUND}" --color GREEN
else
LogText "Result: syscheck (osquery) not installed"
if IsVerbose; then Display --indent 4 --text "- osquery daemon (syscheck)" --result "NOT FOUND" --color WHITE; fi
if IsVerbose; then Display --indent 4 --text "- osquery daemon (syscheck)" --result "${STATUS_NOT_FOUND}" --color WHITE; fi
fi
fi
#
@ -278,7 +278,7 @@
AddHP 1 3
else
LogText "Result: Found SHA256 or SHA512 found for creating checksums"
Display --indent 6 --text "- AIDE config (Checksum)" --result OK --color GREEN
Display --indent 6 --text "- AIDE config (Checksum)" --result "${STATUS_OK}" --color GREEN
AddHP 2 2
fi
fi
@ -292,11 +292,11 @@
LogText "Test: Check if at least on file integrity tool is available/installed"
if [ ${FILE_INT_TOOL_FOUND} -eq 1 ]; then
LogText "Result: found at least one file integrity tool"
Display --indent 2 --text "- Checking presence integrity tool" --result FOUND --color GREEN
Display --indent 2 --text "- Checking presence integrity tool" --result "${STATUS_FOUND}" --color GREEN
AddHP 5 5
else
LogText "Result: No file integrity tools found"
Display --indent 2 --text "- Checking presence integrity tool" --result "NOT FOUND" --color YELLOW
Display --indent 2 --text "- Checking presence integrity tool" --result "${STATUS_NOT_FOUND}" --color YELLOW
ReportSuggestion ${TEST_NO} "Install a file integrity tool to monitor changes to critical and sensitive files"
AddHP 0 5
fi


@ -42,11 +42,11 @@
LogText " Actual permissions: ${FILEVALUE}"
LogText " Result: $PERMS"
if [ "${PERMS}" = "FILE_NOT_FOUND" ]; then
Display --indent 4 --text "${I}" --result "NOT FOUND" --color WHITE
Display --indent 4 --text "${I}" --result "${STATUS_NOT_FOUND}" --color WHITE
elif [ "${PERMS}" = "OK" ]; then
Display --indent 4 --text "${I}" --result OK --color GREEN
Display --indent 4 --text "${I}" --result "${STATUS_OK}" --color GREEN
elif [ "${PERMS}" = "BAD" ]; then
Display --indent 4 --text "${I}" --result WARNING --color RED
Display --indent 4 --text "${I}" --result "${STATUS_WARNING}" --color RED
ReportWarning ${TEST_NO} "M" "Incorrect permissions for file ${I}"
else
LogText "UNKNOWN status for file"


@ -51,11 +51,11 @@
FIND=`mount | grep "${I}"`
if [ ! "${FIND}" = "" ]; then
LogText "Result: found ${I} as a separated mount point"
Display --indent 4 --text "- Checking ${I} mount point" --result OK --color GREEN
Display --indent 4 --text "- Checking ${I} mount point" --result "${STATUS_OK}" --color GREEN
AddHP 10 10
else
LogText "Result: ${I} not found in mount list. Directory most likely stored on / file system"
Display --indent 4 --text "- Checking ${I} mount point" --result SUGGESTION --color YELLOW
Display --indent 4 --text "- Checking ${I} mount point" --result "${STATUS_SUGGESTION}" --color YELLOW
ReportSuggestion ${TEST_NO} "To decrease the impact of a full ${I} file system, place ${I} on a separated partition"
AddHP 9 10
fi
@ -92,10 +92,10 @@
Report "lvm_volume_group[]=${I}"
done
LVM_VG_USED=1
Display --indent 2 --text "- Checking LVM volume groups" --result FOUND --color GREEN
Display --indent 2 --text "- Checking LVM volume groups" --result "${STATUS_FOUND}" --color GREEN
else
LogText "Result: no LVM volume groups found"
if IsVerbose; then Display --indent 2 --text "- Checking LVM volume groups" --result NONE --color WHITE; fi
if IsVerbose; then Display --indent 2 --text "- Checking LVM volume groups" --result "${STATUS_NONE}" --color WHITE; fi
fi
fi
#
@ -125,10 +125,10 @@
LogText "Found LVM volume: ${I}"
Report "lvm_volume[]=${I}"
done
Display --indent 4 --text "- Checking LVM volumes" --result FOUND --color GREEN
Display --indent 4 --text "- Checking LVM volumes" --result "${STATUS_FOUND}" --color GREEN
else
LogText "Result: no LVM volume groups found"
Display --indent 4 --text "- Checking LVM volumes" --result NONE --color WHITE
Display --indent 4 --text "- Checking LVM volumes" --result "${STATUS_NONE}" --color WHITE
fi
fi
#
@ -172,10 +172,10 @@
LogText "Test: Query /etc/fstab for available FFS/UFS mount points"
FIND=`awk '{ if ($3 == "ufs" || $3 == "ffs" ) { print $1":"$2":"$3":"$4":" }}' /etc/fstab`
if [ "${FIND}" = "" ]; then
if IsVerbose; then Display --indent 2 --text "- Querying FFS/UFS mount points (fstab)" --result NONE --color WHITE; fi
if IsVerbose; then Display --indent 2 --text "- Querying FFS/UFS mount points (fstab)" --result "${STATUS_NONE}" --color WHITE; fi
LogText "Result: unable to find any single mount point (FFS/UFS)"
else
Display --indent 2 --text "- Querying FFS/UFS mount points (fstab)" --result FOUND --color GREEN
Display --indent 2 --text "- Querying FFS/UFS mount points (fstab)" --result "${STATUS_FOUND}" --color GREEN
Report "filesystem[]=ufs"
for I in ${FIND}; do
LogText "FFS/UFS mount found: ${I}"
@ -193,10 +193,10 @@
LogText "Test: Query /etc/fstab for available ZFS mount points"
FIND=`mount -p | awk '{ if ($3 == "zfs") { print $1":"$2":"$3":"$4":" }}'`
if [ "${FIND}" = "" ]; then
Display --indent 2 --text "- Querying ZFS mount points (mount -p)" --result NONE --color WHITE
Display --indent 2 --text "- Querying ZFS mount points (mount -p)" --result "${STATUS_NONE}" --color WHITE
LogText "Result: unable to find any single mount point (ZFS)"
else
Display --indent 2 --text "- Querying ZFS mount points (mount -p)" --result FOUND --color GREEN
Display --indent 2 --text "- Querying ZFS mount points (mount -p)" --result "${STATUS_FOUND}" --color GREEN
Report "filesystem[]=zfs"
for I in ${FIND}; do
LogText "ZFS mount found: ${I}"
@ -257,9 +257,9 @@
Report "swap_partition[]=${I},${REAL},"
done
if [ ${FOUND} -eq 1 ]; then
Display --indent 2 --text "- Query swap partitions (fstab)" --result OK --color GREEN
Display --indent 2 --text "- Query swap partitions (fstab)" --result "${STATUS_OK}" --color GREEN
else
Display --indent 2 --text "- Query swap partitions (fstab)" --result NONE --color YELLOW
Display --indent 2 --text "- Query swap partitions (fstab)" --result "${STATUS_NONE}" --color YELLOW
LogText "Result: no swap partitions found in /etc/fstab"
fi
fi
@ -278,7 +278,7 @@
#FIND=`awk '{ if ($3=="swap" && ($4!="sw" && $4!="swap" && $4!="defaults")) print $1 }' /etc/fstab`
FIND=`awk '{ if ($3=="swap" && ($4~/sw/ || $4=="defaults")) { print $1 }}' /etc/fstab`
if [ ! "${FIND}" = "" ]; then
Display --indent 2 --text "- Testing swap partitions" --result OK --color GREEN
Display --indent 2 --text "- Testing swap partitions" --result "${STATUS_OK}" --color GREEN
LogText "Result: all swap partitions have correct options (sw or swap)"
else
Display --indent 2 --text "- Testing swap partitions" --result "CHECK NEEDED" --color YELLOW
@ -300,10 +300,10 @@
# Search for files only in /tmp, with an access time older than X days
FIND=`find /tmp -xdev -type f -atime +${TMP_OLD_DAYS} | sed 's/ /!space!/g'`
if [ "${FIND}" = "" ]; then
Display --indent 2 --text "- Checking for old files in /tmp" --result OK --color GREEN
Display --indent 2 --text "- Checking for old files in /tmp" --result "${STATUS_OK}" --color GREEN
LogText "Result: no files found in /tmp which are older than 3 months"
else
Display --indent 2 --text "- Checking for old files in /tmp" --result FOUND --color RED
Display --indent 2 --text "- Checking for old files in /tmp" --result "${STATUS_FOUND}" --color RED
N=0
for I in ${FIND}; do
FILE=`echo ${I} | sed 's/!space!/ /g'`
@ -329,11 +329,11 @@
# Depending on OS, number of field with 'tmp' differs
FIND=`ls -l / | tr -s ' ' | awk -F" " '{ if ( $8 == "tmp" || $9 == "tmp" ) { print $1 } }' | cut -c 10`
if [ "${FIND}" = "t" -o "${FIND}" = "T" ]; then
Display --indent 2 --text "- Checking /tmp sticky bit" --result OK --color GREEN
Display --indent 2 --text "- Checking /tmp sticky bit" --result "${STATUS_OK}" --color GREEN
LogText "Result: Sticky bit (${FIND}) found on /tmp directory"
AddHP 3 3
else
Display --indent 2 --text "- Checking /tmp sticky bit" --result WARNING --color RED
Display --indent 2 --text "- Checking /tmp sticky bit" --result "${STATUS_WARNING}" --color RED
ReportWarning ${TEST_NO} "H" "No sticky bit found on /tmp directory, which can be dangerous!"
ReportSuggestion ${TEST_NO} "Consult documentation and place the sticky bit, to prevent users deleting (by other owned) files in the /tmp directory."
AddHP 0 3
@ -402,11 +402,11 @@
LogText "Result: ACL option NOT enabled on root file system"
LogText "Additional information: if file access need to be more restricted, ACLs could be used. Install the acl utilities and remount the file system with the acl option"
LogText "Activate acl support on and active file system with mount -o remount,acl / and add the acl option to the fstab file"
Display --indent 2 --text "- ACL support root file system" --result DISABLED --color YELLOW
Display --indent 2 --text "- ACL support root file system" --result "${STATUS_DISABLED}" --color YELLOW
AddHP 0 1
else
LogText "Result: ACL option enabled on root file system"
Display --indent 2 --text "- ACL support root file system" --result ENABLED --color GREEN
Display --indent 2 --text "- ACL support root file system" --result "${STATUS_ENABLED}" --color GREEN
AddHP 3 3
fi
fi
@ -427,7 +427,7 @@
if [ ! "${FIND}" = "" ]; then
LogText "Result: mount system / is configured with options: ${FIND}"
if [ "${FIND}" = "defaults" ]; then
Display --indent 2 --text "- Mount options of /" --result OK --color GREEN
Display --indent 2 --text "- Mount options of /" --result "${STATUS_OK}" --color GREEN
else
Display --indent 2 --text "- Mount options of /" --result "NON DEFAULT" --color YELLOW
fi
@ -522,7 +522,7 @@
if [ ! "${FIND}" = "" ]; then
LogText "Result: mount system /var/tmp is configured with options: ${FIND}"
if [ "${BIND}" = "YES" ]; then
Display --indent 2 --text "- /var/tmp is bound to /tmp" --result OK --color GREEN
Display --indent 2 --text "- /var/tmp is bound to /tmp" --result "${STATUS_OK}" --color GREEN
LogText "Result : /var/tmp is bind to /tmp"
else
Display --indent 2 --text "- /var/tmp is not bound to /tmp" --result "NON DEFAULT" --color YELLOW
@ -599,11 +599,11 @@
fi
done
if [ ${FOUND} -eq 1 ]; then
Display --indent 2 --text "- Checking Locate database" --result FOUND --color GREEN
Display --indent 2 --text "- Checking Locate database" --result "${STATUS_FOUND}" --color GREEN
Report "locate_db=${LOCATE_DB}"
else
LogText "Result: database not found"
Display --indent 2 --text "- Checking Locate database" --result "NOT FOUND" --color YELLOW
Display --indent 2 --text "- Checking Locate database" --result "${STATUS_NOT_FOUND}" --color YELLOW
ReportSuggestion ${TEST_NO} "The database required for 'locate' could not be found. Run 'updatedb' or 'locate.updatedb' to create this file."
fi
fi
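Review bot: Three result strings in this file section are still hard-coded and will stay English when a translation is loaded: `--result "CHECK NEEDED"` in the swap-options hunk and `--result "NON DEFAULT"` in the `/` and `/var/tmp` mount-option hunks. They appear only as context lines, so the commit did not touch them, presumably because the replacement matched only the status words it already had variables for. I would add matching entries to the language files and use them here, for example `--result "${STATUS_NON_DEFAULT}"` and `--result "${STATUS_CHECK_NEEDED}"`; both names are proposals and are not defined anywhere on this page.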


@ -46,13 +46,13 @@
FIREWALL_SOFTWARE="iptables"
IPTABLES_ACTIVE=1
IPTABLES_MODULE_ACTIVE=1
Display --indent 2 --text "- Checking iptables kernel module" --result FOUND --color GREEN
Display --indent 2 --text "- Checking iptables kernel module" --result "${STATUS_FOUND}" --color GREEN
LogText "Result: Found iptables in loaded kernel modules"
for I in ${FIND}; do
LogText "Found module: ${I}"
done
else
Display --indent 2 --text "- Checking iptables kernel module" --result "NOT FOUND" --color WHITE
Display --indent 2 --text "- Checking iptables kernel module" --result "${STATUS_NOT_FOUND}" --color WHITE
# If we can't find an active module, try to find the Linux configuration file and check that
if [ -f /proc/config.gz ]; then
@ -80,13 +80,13 @@
IPTABLES_INKERNEL_ACTIVE=1
FIREWALL_ACTIVE=1
FIREWALL_SOFTWARE="iptables"
Display --indent 2 --text "- Checking iptables in config file" --result FOUND --color GREEN
Display --indent 2 --text "- Checking iptables in config file" --result "${STATUS_FOUND}" --color GREEN
else
LogText "Result: no iptables found in Linux kernel config file"
fi
else
LogText "Result: no Linux configuration file found"
Display --indent 2 --text "- Checking iptables in config file" --result "NOT FOUND" --color WHITE
Display --indent 2 --text "- Checking iptables in config file" --result "${STATUS_NOT_FOUND}" --color WHITE
fi
fi
fi
@ -102,7 +102,7 @@
if [ ! "${IPTABLESBINARY}" = "" -a ${IPTABLES_ACTIVE} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no FIRE-4508 --preqs-met ${PREQS_MET} --os Linux --weight L --network NO --root-only YES --description "Check used policies of iptables chains"
if [ ${SKIPTEST} -eq 0 ]; then
Display --indent 4 --text "- Checking iptables policies of chains" --result FOUND --color GREEN
Display --indent 4 --text "- Checking iptables policies of chains" --result "${STATUS_FOUND}" --color GREEN
TABLES="filter"
for TABLE in ${TABLES}; do
LogText "Test: gathering information from table ${TABLE}"
@ -155,11 +155,11 @@
# Firewall is active, but clearly needs configuration
FIREWALL_EMPTY_RULESET=1
LogText "Result: iptables ruleset seems to be empty (found ${FIND} rules)"
Display --indent 4 --text "- Checking for empty ruleset" --result WARNING --color RED
Display --indent 4 --text "- Checking for empty ruleset" --result "${STATUS_WARNING}" --color RED
ReportWarning ${TEST_NO} "L" "iptables module(s) loaded, but no rules active"
else
LogText "Result: one or more rules are available (${FIND} rules)"
Display --indent 4 --text "- Checking for empty ruleset" --result OK --color GREEN
Display --indent 4 --text "- Checking for empty ruleset" --result "${STATUS_OK}" --color GREEN
fi
fi
fi
@ -173,10 +173,10 @@
if [ ${SKIPTEST} -eq 0 ]; then
FIND=`${IPTABLESBINARY} --list --numeric --line-numbers --verbose | awk '{ if ($2=="0") print $1 }' | xargs`
if [ "${FIND}" = "" ]; then
Display --indent 4 --text "- Checking for unused rules" --result OK --color GREEN
Display --indent 4 --text "- Checking for unused rules" --result "${STATUS_OK}" --color GREEN
LogText "Result: There are no unused rules present"
else
Display --indent 4 --text "- Checking for unused rules" --result FOUND --color YELLOW
Display --indent 4 --text "- Checking for unused rules" --result "${STATUS_FOUND}" --color YELLOW
LogText "Result: Found one or more possible unused rules"
LogText "Description: Unused rules can be a sign that the firewall rules aren't optimized or up-to-date"
LogText "Note: Sometimes rules aren't triggered but still in use. Keep this in mind before cleaning up rules."
@ -201,17 +201,17 @@
if [ ! "${PFCTLBINARY}" = "" ]; then
FIND=`${PFCTLBINARY} -sa 2>&1 | grep "^Status" | head -1 | awk '{ print $2 }'`
if [ "${FIND}" = "Enabled" ]; then
Display --indent 2 --text "- Checking pf status (pfctl)" --result ENABLED --color GREEN
Display --indent 2 --text "- Checking pf status (pfctl)" --result "${STATUS_ENABLED}" --color GREEN
LogText "Result: pf is enabled"
PFFOUND=1
AddHP 3 3
else
if [ "${FIND}" = "Disabled" ]; then
Display --indent 2 --text "- Checking pf status (pfctl)" --result DISABLED --color RED
Display --indent 2 --text "- Checking pf status (pfctl)" --result "${STATUS_DISABLED}" --color RED
LogText "Result: pf is disabled"
AddHP 0 3
else
Display --indent 2 --text "- Checking pf status (pfctl)" --result UNKNOWN --color YELLOW
Display --indent 2 --text "- Checking pf status (pfctl)" --result "${STATUS_UNKNOWN}" --color YELLOW
ReportException ${TEST_NO} "Unknown status of pf firewall"
fi
fi
@ -236,7 +236,7 @@
IsRunning pflogd
if [ ${RUNNING} -eq 1 ]; then
LogText "Result: found pflog daemon in process list"
Display --indent 4 --text "- Checking pflogd status" --result ACTIVE --color GREEN
Display --indent 4 --text "- Checking pflogd status" --result "ACTIVE" --color GREEN
PFFOUND=1
PFLOGDFOUND=1
else
@ -267,10 +267,10 @@
# Check results from pfctl
PFWARNINGS=`pfctl -n -f /etc/pf.conf -vvv 2>&1 | grep -i 'warning'`
if [ "${PFWARNINGS}" = "" ]; then
Display --indent 4 --text "- Checking pf configuration consistency" --result OK --color GREEN
Display --indent 4 --text "- Checking pf configuration consistency" --result "${STATUS_OK}" --color GREEN
LogText "Result: no pf filter warnings found"
else
Display --indent 4 --text "- Checking pf configuration consistency" --result WARNING --color RED
Display --indent 4 --text "- Checking pf configuration consistency" --result "${STATUS_WARNING}" --color RED
LogText "Result: found one or more warnings in the pf filter rules"
ReportWarning ${TEST_NO} "H" "Found one or more warnings in pf configuration file"
ReportSuggestion ${TEST_NO} "Run 'pfctl -n -f /etc/pf.conf -vvv' to see available pf warnings"
@ -298,7 +298,7 @@
FIREWALL_ACTIVE=1
FIREWALL_SOFTWARE="csf"
Report "firewall_software[]=csf"
Display --indent 2 --text "- Checking CSF status (configuration file)" --result FOUND --color GREEN
Display --indent 2 --text "- Checking CSF status (configuration file)" --result "${STATUS_FOUND}" --color GREEN
else
LogText "Result: ${FILE} does NOT exist"
fi
@ -313,13 +313,13 @@
if [ ${SKIPTEST} -eq 0 ]; then
FIND=`${IPFBINARY} -n -V | grep "^Running" | awk '{ print $2 }'`
if [ "${FIND}" = "yes" ]; then
Display --indent 4 --text "- Checking ipf status" --result RUNNING --color GREEN
Display --indent 4 --text "- Checking ipf status" --result "${STATUS_RUNNING}" --color GREEN
LogText "Result: ipf is enabled and running"
FIREWALL_ACTIVE=1
FIREWALL_SOFTWARE="ipf"
Report "firewall_software[]=ipf"
else
Display --indent 4 --text "- Checking ipf status" --result "NOT RUNNING" --color YELLOW
Display --indent 4 --text "- Checking ipf status" --result "${STATUS_NOT_RUNNING}" --color YELLOW
LogText "Result: ipf is not running"
fi
fi
@ -334,25 +334,25 @@
# For now, only check for IPv4.
FIND=`${SYSCTLBINARY} net.inet.ip.fw.enable | awk '{ print $2 }'`
if [ "${FIND}" = "1" ]; then
Display --indent 2 --text "- Checking IPFW status" --result RUNNING --color GREEN
Display --indent 2 --text "- Checking IPFW status" --result "${STATUS_RUNNING}" --color GREEN
LogText "Result: IPFW is running for IPv4"
FIREWALL_ACTIVE=1
FIREWALL_SOFTWARE="ipfw"
Report "firewall_software[]=ipfw"
IPFW_ENABLED=`service -e | grep -o ipfw`
if [ "${IPFW_ENABLED}" = "ipfw" ]; then
Display --indent 4 --text "- IPFW enabled in /etc/rc.conf" --result YES --color GREEN
Display --indent 4 --text "- IPFW enabled in /etc/rc.conf" --result "${STATUS_YES}" --color GREEN
LogText "Result: IPFW is enabled at start-up for IPv4"
else
Display --indent 4 --text "- ipfw enabled in /etc/rc.conf" --result NO --color YELLOW
Display --indent 4 --text "- ipfw enabled in /etc/rc.conf" --result "${STATUS_NO}" --color YELLOW
LogText "Result: IPFW is disabled at start-up for IPv4"
fi
else
Display --indent 2 --text "- Checking IPFW status" --result "NOT RUNNING" --color YELLOW
Display --indent 2 --text "- Checking IPFW status" --result "${STATUS_NOT_RUNNING}" --color YELLOW
LogText "Result: IPFW is not running for IPv4"
fi
else
Display --indent 2 --text "- Checking IPFW" --result SKIPPED --color YELLOW
Display --indent 2 --text "- Checking IPFW" --result "${STATUS_SKIPPED}" --color YELLOW
ReportException "${TEST_NO}:1" "No IPFW test available (sysctl missing)"
fi
fi
@ -366,13 +366,13 @@
if [ ${SKIPTEST} -eq 0 ]; then
FIND=`/usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate 2> /dev/null | grep "Firewall is enabled"`
if [ ! "${FIND}" = "" ]; then
Display --indent 2 --text "- Checking Mac OS X: Application Firewall" --result ENABLED --color GREEN
Display --indent 2 --text "- Checking Mac OS X: Application Firewall" --result "${STATUS_ENABLED}" --color GREEN
AddHP 3 3
LogText "Result: application firewall of Mac OS X is enabled"
APPLICATION_FIREWALL_ACTIVE=1
Report "app_fw[]=macosx-app-fw"
else
Display --indent 2 --text "- Checking IPFW" --result DISABLED --color YELLOW
Display --indent 2 --text "- Checking IPFW" --result "${STATUS_DISABLED}" --color YELLOW
AddHP 1 3
LogText "Result: application firewall of Mac OS X is disabled"
fi
@ -422,7 +422,7 @@
Register --test-no FIRE-4590 --weight L --network NO --description "Check firewall status"
if [ ${SKIPTEST} -eq 0 ]; then
if [ ${FIREWALL_ACTIVE} -eq 1 ]; then
Display --indent 2 --text "- Checking host based firewall" --result ACTIVE --color GREEN
Display --indent 2 --text "- Checking host based firewall" --result "ACTIVE" --color GREEN
LogText "Result: host based firewall or packet filter is active"
Report "manual[]=Verify if there is a formal process for testing and applying firewall rules"
Report "manual[]=Verify all traffic is filtered the right way between the different security zones"


@ -33,11 +33,11 @@
LogText "Test: Check if one or more compilers can be found on the system"
if [ ${COMPILER_INSTALLED} -eq 0 ]; then
LogText "Result: no compilers found"
Display --indent 4 --text "- Installed compiler(s)" --result "NOT FOUND" --color GREEN
Display --indent 4 --text "- Installed compiler(s)" --result "${STATUS_NOT_FOUND}" --color GREEN
AddHP 3 3
else
LogText "Result: found installed compiler. See top of logfile which compilers have been found or use grep to filter on 'compiler'"
Display --indent 4 --text "- Installed compiler(s)" --result "FOUND" --color RED
Display --indent 4 --text "- Installed compiler(s)" --result "${STATUS_FOUND}" --color RED
AddHP 1 3
fi
fi
@ -84,7 +84,7 @@
fi
#YYY check if compilers have a specific group (like compiler, or NOT root/wheel)
# Display --indent 4 --text "- Installed compiler(s)" --result "FOUND" --color RED
# Display --indent 4 --text "- Installed compiler(s)" --result "${STATUS_FOUND}" --color RED
# /usr/bin/*cc*
# /usr/bin/*++*
# /usr/bin/ld
@ -101,11 +101,11 @@
LogText "Test: Check if a malware scanner is installed"
if [ ${MALWARE_SCANNER_INSTALLED} -eq 1 ]; then
LogText "Result: found at least one malware scanner"
Display --indent 4 --text "- Installed malware scanner" --result "FOUND" --color GREEN
Display --indent 4 --text "- Installed malware scanner" --result "${STATUS_FOUND}" --color GREEN
AddHP 3 3
else
LogText "Result: no malware scanner found"
Display --indent 4 --text "- Installed malware scanner" --result "NOT FOUND" --color RED
Display --indent 4 --text "- Installed malware scanner" --result "${STATUS_NOT_FOUND}" --color RED
ReportSuggestion ${TEST_NO} "Harden the system by installing at least one malware scanner, to perform periodic file system scans"
AddHP 1 3
fi
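Review bot: In the hunk at `-33,11`, the branch that finds an installed compiler shows a RED result and calls `AddHP 1 3` but writes nothing to the report, whereas the malware-scanner branch in the hunk at `-101,11` pairs its RED result with `ReportSuggestion`. A finding that appears only on screen is lost to anyone who works from the report file. Consider adding a line such as `ReportSuggestion ${TEST_NO} "Restrict or remove compilers that are not needed on this system"` after the RED `Display`, unless a later test outside these hunks already reports it.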


@ -63,10 +63,10 @@
FIND=`find ${HOMEDIRS} -maxdepth 1 -name ".*history" ! -type f -print`
fi
if [ "${FIND}" = "" ]; then
Display --indent 2 --text "- Checking shell history files" --result OK --color GREEN
Display --indent 2 --text "- Checking shell history files" --result "${STATUS_OK}" --color GREEN
LogText "Result: Ok, history files are type 'file'."
else
Display --indent 2 --text "- Checking shell history files" --result WARNING --color RED
Display --indent 2 --text "- Checking shell history files" --result "${STATUS_WARNING}" --color RED
LogText "Result: the following files seem to be of the wrong file type:"
LogText "Output: ${FIND}"
LogText "Info: above files could be redirected files to avoid logging and should be investigated"
@ -74,7 +74,7 @@
fi
LogText "Remarks: History files are normally of the type 'file'. Symbolic links and other types can be riskful."
else
Display --indent 2 --text "- Checking shell history files" --result SKIPPED --color WHITE
Display --indent 2 --text "- Checking shell history files" --result "${STATUS_SKIPPED}" --color WHITE
LogText "Result: Homedirs is empty, test will be skipped"
fi
fi


@ -40,7 +40,7 @@
IsRunning inetd
if [ ${RUNNING} -eq 1 ]; then
LogText "Result: inetd is running"
Display --indent 2 --text "- Checking inetd status" --result ACTIVE --color GREEN
Display --indent 2 --text "- Checking inetd status" --result "ACTIVE" --color GREEN
INETD_ACTIVE=1
else
LogText "Result: inetd is NOT running"
@ -59,10 +59,10 @@
LogText "Test: Searching for file ${INETD_CONFIG_FILE}"
if [ -f ${INETD_CONFIG_FILE} ]; then
LogText "Result: ${INETD_CONFIG_FILE} exists"
Display --indent 4 --text "- Checking inetd.conf" --result FOUND --color WHITE
Display --indent 4 --text "- Checking inetd.conf" --result "${STATUS_FOUND}" --color WHITE
else
LogText "Result: ${INETD_CONFIG_FILE} does not exist"
Display --indent 4 --text "- Checking inetd.conf" --result "NOT FOUND" --color WHITE
Display --indent 4 --text "- Checking inetd.conf" --result "${STATUS_NOT_FOUND}" --color WHITE
fi
fi
#
@ -77,9 +77,9 @@
LogText "Test: check if all services are disabled if inetd is disabled"
FIND=`grep -v "^#" ${INETD_CONFIG_FILE} | grep -v "^$"`
if [ "${FIND}" = "" ]; then
Display --indent 4 --text "- Checking inetd.conf services" --result OK --color GREEN
Display --indent 4 --text "- Checking inetd.conf services" --result "${STATUS_OK}" --color GREEN
else
Display --indent 4 --text "- Checking inetd.conf services" --result SUGGESTION --color YELLOW
Display --indent 4 --text "- Checking inetd.conf services" --result "${STATUS_SUGGESTION}" --color YELLOW
ReportSuggestion ${TEST_NO} "Although inetd is not running, make sure no services are enabled in ${INETD_CONFIG_FILE}"
fi
fi
@ -95,11 +95,11 @@
FIND=`grep "^telnet" ${INETD_CONFIG_FILE}`
if [ "${FIND}" = "" ]; then
LogText "Result: telnet not enabled in ${INETD_CONFIG_FILE}"
Display --indent 2 --text "- Checking inetd (telnet)" --result "NOT FOUND" --color GREEN
Display --indent 2 --text "- Checking inetd (telnet)" --result "${STATUS_NOT_FOUND}" --color GREEN
AddHP 3 3
else
LogText "Result: telnet enabled in ${INETD_CONFIG_FILE}"
Display --indent 2 --text "- Checking inetd (telnet)" --result WARNING --color RED
Display --indent 2 --text "- Checking inetd (telnet)" --result "${STATUS_WARNING}" --color RED
ReportSuggestion "${TEST_NO}" "Disable telnet in inetd configuration and use SSH instead"
AddHP 1 3
fi
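Review bot: `if [ -f ${INETD_CONFIG_FILE} ]; then` in the hunk at `-59,10` expands the path unquoted, so an empty value collapses the test to `[ -f ]`, which is true, and the check would report inetd.conf as found. The same variable is passed unquoted to `grep` in the hunks at `-77,9` and `-95,11`, where an empty value leaves grep reading standard input instead of a file. Quote the expansion, `if [ -f "${INETD_CONFIG_FILE}" ]; then`, and do the same in the two `grep` calls. The variable is assigned outside these hunks, so whether it can be empty at this point should be confirmed.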


@ -61,7 +61,7 @@
fi
else
LogText "Result: No readlink binary, can't determine where symlink is pointing to"
Display --indent 2 --text "- Checking default run level" --result UNKNOWN --color YELLOW
Display --indent 2 --text "- Checking default run level" --result "${STATUS_UNKNOWN}" --color YELLOW
fi
else
LogText "Result: no systemd found, so trying inittab"
@ -71,7 +71,7 @@
LogText "Test: Checking default Linux run level"
FIND=`awk -F: '/^id/ { print $2; }' /etc/inittab | head -n 1`
if [ "${FIND}" = "" ]; then
Display --indent 2 --text "- Checking default runlevel" --result UNKNOWN --color YELLOW
Display --indent 2 --text "- Checking default runlevel" --result "${STATUS_UNKNOWN}" --color YELLOW
LogText "Result: Can't determine default run level from /etc/inittab"
else
Display --indent 2 --text "- Checking default run level" --result "${FIND}" --color GREEN
@ -89,7 +89,7 @@
Display --indent 2 --text "- Checking default run level" --result "RUNLEVEL ${FIND}" --color GREEN
else
LogText "Result: Can't determine default run level from who -r"
Display --indent 2 --text "- Checking default run level" --result UNKNOWN --color YELLOW
Display --indent 2 --text "- Checking default run level" --result "${STATUS_UNKNOWN}" --color YELLOW
fi
fi
fi
@ -140,13 +140,13 @@
fi
fi
if [ ${FOUND} -eq 1 ]; then
Display --indent 4 --text "CPU support: PAE and/or NoeXecute supported" --result FOUND --color GREEN
Display --indent 4 --text "CPU support: PAE and/or NoeXecute supported" --result "${STATUS_FOUND}" --color GREEN
else
Display --indent 4 --text "CPU support: No PAE or NoeXecute supported" --result NONE --color YELLOW
Display --indent 4 --text "CPU support: No PAE or NoeXecute supported" --result "${STATUS_NONE}" --color YELLOW
ReportSuggestion ${TEST_NO} "Use a PAE enabled kernel when possible to gain native No eXecute/eXecute Disable support"
fi
else
Display --indent 4 --text "CPU support: no /proc/cpuinfo" --result SKIPPED --color YELLOW
Display --indent 4 --text "CPU support: no /proc/cpuinfo" --result "${STATUS_SKIPPED}" --color YELLOW
LogText "Result: /proc/cpuinfo not found"
fi
fi
@ -172,7 +172,7 @@
LINUX_KERNEL_VERSION=`uname -v`
Report "linux_kernel_version=${LINUX_KERNEL_VERSION}"
LogText "Result: found kernel version ${LINUX_KERNEL_VERSION}"
Display --indent 2 --text "- Checking kernel version and release" --result DONE --color GREEN
Display --indent 2 --text "- Checking kernel version and release" --result "${STATUS_DONE}" --color GREEN
fi
#
#################################################################################
@ -185,7 +185,7 @@
LogText "Test: checking if kernel is monolithic or modular"
# Checking if any modules are loaded
FIND=`${LSMODBINARY} | grep -v "^Module" | wc -l | tr -s ' ' | tr -d ' '`
Display --indent 2 --text "- Checking kernel type" --result DONE --color GREEN
Display --indent 2 --text "- Checking kernel type" --result "${STATUS_DONE}" --color GREEN
if [ "${FIND}" = "0" ]; then
LogText "Result: Found monolithic kernel"
Report "linux_kernel_type=monolithic"
@ -208,7 +208,7 @@
if [ ${SKIPTEST} -eq 0 ]; then
if [ ! "${LSMODBINARY}" = "" -a -f /proc/modules ]; then
FIND=`${LSMODBINARY} | awk '{ if ($1!="Module") print $1 }' | sort`
Display --indent 2 --text "- Checking loaded kernel modules" --result DONE --color GREEN
Display --indent 2 --text "- Checking loaded kernel modules" --result "${STATUS_DONE}" --color GREEN
if [ ! "${FIND}" = "" ]; then
LogText "Loaded modules according lsmod:"
N=0
@ -237,15 +237,15 @@
if [ -f ${CHECKFILE} ]; then
LINUXCONFIGFILE="${CHECKFILE}"
LogText "Result: found config (${LINUXCONFIGFILE})"
Display --indent 2 --text "- Checking Linux kernel configuration file" --result FOUND --color GREEN
Display --indent 2 --text "- Checking Linux kernel configuration file" --result "${STATUS_FOUND}" --color GREEN
elif [ -f /proc/config.gz ]; then
LINUXCONFIGFILE="${CHECKFILE}"
LINUXCONFIGFILE_ZIPPED=1
LogText "Result: found config: /proc/config.gz (compressed)"
Display --indent 2 --text "- Checking Linux kernel configuration file" --result FOUND --color GREEN
Display --indent 2 --text "- Checking Linux kernel configuration file" --result "${STATUS_FOUND}" --color GREEN
else
LogText "Result: no Linux kernel configuration file found in /boot"
Display --indent 2 --text "- Checking Linux kernel configuration file" --result "NOT FOUND" --color WHITE
Display --indent 2 --text "- Checking Linux kernel configuration file" --result "${STATUS_NOT_FOUND}" --color WHITE
fi
if [ ! "${LINUXCONFIGFILE}" = "" ]; then
Report "linux_config_file=${LINUXCONFIGFILE}"
@ -270,11 +270,11 @@
LINUX_KERNEL_IOSCHED=`${GREPTOOL} "CONFIG_DEFAULT_IOSCHED" ${LINUXCONFIGFILE} | awk -F= '{ print $2 }' | sed s/\"//g`
if [ ! "${LINUX_KERNEL_IOSCHED}" = "" ]; then
LogText "Result: found IO scheduler '${LINUX_KERNEL_IOSCHED}'"
Display --indent 2 --text "- Checking default I/O kernel scheduler" --result FOUND --color GREEN
Display --indent 2 --text "- Checking default I/O kernel scheduler" --result "${STATUS_FOUND}" --color GREEN
Report "linux_kernel_io_scheduler[]=${LINUX_KERNEL_IOSCHED}"
else
LogText "Result: no default i/o kernel scheduler found"
Display --indent 2 --text "- Checking default I/O kernel scheduler" --result "NOT FOUND" --color WHITE
Display --indent 2 --text "- Checking default I/O kernel scheduler" --result "${STATUS_NOT_FOUND}" --color WHITE
fi
else
ReportException "${TEST_NO}" "No valid grep tool found to search kernel settings"
@ -301,9 +301,9 @@
Report "loaded_kernel_module[]=${I}"
N=$((N + 1))
done
Display --indent 4 --text "Found ${N} kernel modules" --result DONE --color GREEN
Display --indent 4 --text "Found ${N} kernel modules" --result "${STATUS_DONE}" --color GREEN
else
Display --indent 4 --text "Test failed" --result WARNING --color RED
Display --indent 4 --text "Test failed" --result "${STATUS_WARNING}" --color RED
LogText "Result: Problem with executing kldstat"
fi
else
@ -325,10 +325,10 @@
LogText "Found module: ${I}"
Report "loaded_kernel_module[]=${I}"
done
Display --indent 2 --text "- Checking Solaris active kernel modules" --result DONE --color GREEN
Display --indent 2 --text "- Checking Solaris active kernel modules" --result "${STATUS_DONE}" --color GREEN
else
LogText "Result: no output"
Display --indent 2 --text "- Checking Solaris active kernel modules" --result UNKNOWN --color YELLOW
Display --indent 2 --text "- Checking Solaris active kernel modules" --result "${STATUS_UNKNOWN}" --color YELLOW
fi
fi
#
@ -363,7 +363,7 @@
LogText "Kernel installed: ${FINDINST}"
LogText "Kernel candidate: ${FINDCAND}"
if [ "${FINDINST}" = "" ]; then
Display --indent 2 --text "- Checking for available kernel update" --result UNKNOWN --color YELLOW
Display --indent 2 --text "- Checking for available kernel update" --result "${STATUS_UNKNOWN}" --color YELLOW
LogText "Result: Exception occured, no output from apt-cache policy"
ReportException "${TEST_NO}:01"
LogText "Exception: apt-cache policy did not return an installed kernel version"
@ -375,7 +375,7 @@
LogText "Result: Grsecurity is installed; unable to determine if there's a newer kernel available"
ReportManual "Manually check to confirm you're using a recent kernel and grsecurity patch"
else
Display --indent 2 --text "- Checking for available kernel update" --result OK --color GREEN
Display --indent 2 --text "- Checking for available kernel update" --result "${STATUS_OK}" --color GREEN
LogText "Result: no kernel update available"
fi
else
@ -403,12 +403,12 @@
FIND2=`grep -v "^#" /etc/security/limits.conf | grep -v "^$" | awk '{ if ($1=="*" && $2=="hard" && $3=="core" && $4=="1") { print "hard core enabled" } }'`
if [ "${FIND1}" = "soft core enabled" -o "${FIND2}" = "hard core enabled" ]; then
LogText "Result: core dumps (soft or hard) are enabled"
Display --indent 2 --text "- Checking core dumps configuration" --result ENABLED --color YELLOW
Display --indent 2 --text "- Checking core dumps configuration" --result "${STATUS_ENABLED}" --color YELLOW
AddSuggestion "${TEST_NO}" "Check if core dumps need to be enabled on this system"
AddHP 1 2
else
LogText "Result: core dumps (soft and hard) are both disabled"
Display --indent 2 --text "- Checking core dumps configuration" --result DISABLED --color GREEN
Display --indent 2 --text "- Checking core dumps configuration" --result "${STATUS_DISABLED}" --color GREEN
CORE_DUMPS_DISABLED=1
AddHP 3 3
fi
@ -583,14 +583,14 @@
# Display discovered status
if [ ${REBOOT_NEEDED} -eq 0 ]; then
Display --indent 2 --text "- Check if reboot is needed" --result NO --color GREEN
Display --indent 2 --text "- Check if reboot is needed" --result "${STATUS_NO}" --color GREEN
AddHP 5 5
elif [ ${REBOOT_NEEDED} -eq 1 ]; then
Display --indent 2 --text "- Check if reboot is needed" --result YES --color RED
Display --indent 2 --text "- Check if reboot is needed" --result "${STATUS_YES}" --color RED
ReportWarning ${TEST_NO} "H" "Reboot of system is most likely needed"
AddHP 0 5
else
Display --indent 2 --text "- Check if reboot is needed" --result UNKNOWN --color YELLOW
Display --indent 2 --text "- Check if reboot is needed" --result "${STATUS_UNKNOWN}" --color YELLOW
fi
fi
#
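Review bot: The `FIND2` test in the hunk at `-403,12` treats hard core dumps as enabled only when the limits.conf value is exactly `1` (`$4=="1"`), so a `* hard core unlimited` entry or any other non-zero size is not counted, and unless `FIND1` matches the code takes the branch that shows DISABLED in green, sets `CORE_DUMPS_DISABLED=1` and awards `AddHP 3 3`. Comparing against zero is the safer test: use `$4!="0"` in place of `$4=="1"`. `FIND1` is assigned outside the hunk and presumably needs the same change. Separately, the `elif [ -f /proc/config.gz ]` branch in the hunk at `-237,15` assigns `LINUXCONFIGFILE="${CHECKFILE}"`, which looks as if it should be `/proc/config.gz`.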


@ -46,7 +46,7 @@
if [ ! "${tFINDcurvalue}" = "" ]; then
if [ "${tFINDexpvalue}" = "${tFINDcurvalue}" ]; then
LogText "Result: sysctl key ${tFINDkey} contains equal expected and current value (${tFINDexpvalue})"
Display --indent 4 --text "- ${tFINDkey} (exp: ${tFINDexpvalue})" --result OK --color GREEN
Display --indent 4 --text "- ${tFINDkey} (exp: ${tFINDexpvalue})" --result "${STATUS_OK}" --color GREEN
AddHP ${tFINDhp} ${tFINDhp}
else
LogText "Result: sysctl key ${tFINDkey} has a different value than expected in scan profile. Expected=${tFINDexpvalue}, Real=${tFINDcurvalue}"


@ -39,10 +39,10 @@
#YYY add additional slash
IsRunning slapd
if [ ${RUNNING} -eq 0 ]; then
Display --indent 2 --text "- Checking OpenLDAP instance" --result "NOT FOUND" --color WHITE
Display --indent 2 --text "- Checking OpenLDAP instance" --result "${STATUS_NOT_FOUND}" --color WHITE
LogText "Result: No running slapd process found."
else
Display --indent 2 --text "- Checking OpenLDAP instance" --result FOUND --color GREEN
Display --indent 2 --text "- Checking OpenLDAP instance" --result "${STATUS_FOUND}" --color GREEN
LogText "Result: Found running slapd process"
SLAPDFOUND=1
SLAPD_RUNNING=1
@ -67,9 +67,9 @@
done
# Check if we found a valid location
if [ ! "${SLAPD_CONF_LOCATION}" = "" ]; then
Display --indent 4 --text "- Checking slapd.conf" --result FOUND --color GREEN
Display --indent 4 --text "- Checking slapd.conf" --result "${STATUS_FOUND}" --color GREEN
else
Display --indent 4 --text "- Checking slapd.conf" --result "NOT FOUND" --color YELLOW
Display --indent 4 --text "- Checking slapd.conf" --result "${STATUS_NOT_FOUND}" --color YELLOW
fi
fi
#


@ -45,13 +45,13 @@
LogText "Test: Searching for a logging daemon"
FIND=`${PSBINARY} ax | egrep "syslogd|syslog-ng|metalog|systemd-journal" | grep -v "grep"`
if [ "${FIND}" = "" ]; then
Display --indent 2 --text "- Checking for a running log daemon" --result WARNING --color RED
Display --indent 2 --text "- Checking for a running log daemon" --result "${STATUS_WARNING}" --color RED
LogText "Result: Could not find a syslog daemon like syslog, syslog-ng, rsyslog, metalog, systemd-journal"
ReportSuggestion ${TEST_NO} "Check if any syslog daemon is running and correctly configured."
ReportWarning ${TEST_NO} "H" "No syslog daemon found"
AddHP 0 3
else
Display --indent 2 --text "- Checking for a running log daemon" --result OK --color GREEN
Display --indent 2 --text "- Checking for a running log daemon" --result "${STATUS_OK}" --color GREEN
LogText "Result: Found a logging daemon"
SYSLOG_DAEMON_PRESENT=1
SYSLOG_DAEMON_RUNNING=1
@ -69,12 +69,12 @@
IsRunning syslog-ng
if [ ${RUNNING} -eq 1 ]; then
LogText "Result: Found syslog-ng in process list"
Display --indent 4 --text "- Checking Syslog-NG status" --result FOUND --color GREEN
Display --indent 4 --text "- Checking Syslog-NG status" --result "${STATUS_FOUND}" --color GREEN
SYSLOG_DAEMON_PRESENT=1
SYSLOG_NG_RUNNING=1
else
LogText "Result: Syslog-ng NOT found in process list"
Display --indent 4 --text "- Checking Syslog-NG status" --result "NOT FOUND" --color WHITE
Display --indent 4 --text "- Checking Syslog-NG status" --result "${STATUS_NOT_FOUND}" --color WHITE
fi
fi
#
@ -88,10 +88,10 @@
FIND=`${SYSLOGNGBINARY} -s; echo $?`
if [ "${FIND}" = "0" ]; then
LogText "Result: Syslog-NG configuration file seems to be consistent"
Display --indent 6 --text "- Checking Syslog-NG consistency" --result OK --color GREEN
Display --indent 6 --text "- Checking Syslog-NG consistency" --result "${STATUS_OK}" --color GREEN
else
LogText "Result: Syslog-NG configuration file seems NOT to be consistent"
Display --indent 6 --text "- Checking Syslog-NG consistency" --result WARNING --color RED
Display --indent 6 --text "- Checking Syslog-NG consistency" --result "${STATUS_WARNING}" --color RED
ReportWarning ${TEST_NO} "L" "Found one or more problems in Syslog-NG configuration file"
ReportSuggestion ${TEST_NO} "Check the Syslog-NG configuration file and/or run a manual consistency check with: syslog-ng -s"
fi
@ -106,10 +106,10 @@
LogText "Test: Searching for systemd journal daemon in process list"
IsRunning systemd-journal
if [ ${RUNNING} -eq 1 ]; then
Display --indent 4 --text "- Checking systemd journal status" --result FOUND --color GREEN
Display --indent 4 --text "- Checking systemd journal status" --result "${STATUS_FOUND}" --color GREEN
SYSTEMD_JOURNAL_RUNNING=1
else
Display --indent 4 --text "- Checking systemd journal status" --result "NOT FOUND" --color WHITE
Display --indent 4 --text "- Checking systemd journal status" --result "${STATUS_NOT_FOUND}" --color WHITE
fi
fi
#
@ -123,12 +123,12 @@
IsRunning metalog
if [ ${RUNNING} -eq 1 ]; then
LogText "Result: Found metalog in process list"
Display --indent 4 --text "- Checking Metalog status" --result FOUND --color GREEN
Display --indent 4 --text "- Checking Metalog status" --result "${STATUS_FOUND}" --color GREEN
SYSLOG_DAEMON_PRESENT=1
METALOG_RUNNING=1
else
LogText "Result: metalog NOT found in process list"
Display --indent 4 --text "- Checking Metalog status" --result "NOT FOUND" --color WHITE
Display --indent 4 --text "- Checking Metalog status" --result "${STATUS_NOT_FOUND}" --color WHITE
fi
fi
#
@ -142,12 +142,12 @@
IsRunning rsyslogd
if [ ${RUNNING} -eq 1 ]; then
LogText "Result: Found rsyslogd in process list"
Display --indent 4 --text "- Checking RSyslog status" --result FOUND --color GREEN
Display --indent 4 --text "- Checking RSyslog status" --result "${STATUS_FOUND}" --color GREEN
SYSLOG_DAEMON_PRESENT=1
RSYSLOG_RUNNING=1
else
LogText "Result: rsyslogd NOT found in process list"
Display --indent 4 --text "- Checking RSyslog status" --result "NOT FOUND" --color WHITE
Display --indent 4 --text "- Checking RSyslog status" --result "${STATUS_NOT_FOUND}" --color WHITE
fi
fi
#
@ -161,12 +161,12 @@
IsRunning rfc3195d
if [ ${RUNNING} -eq 1 ]; then
LogText "Result: Found rfc3195d in process list"
Display --indent 4 --text "- Checking RFC 3195 daemon status" --result FOUND --color GREEN
Display --indent 4 --text "- Checking RFC 3195 daemon status" --result "${STATUS_FOUND}" --color GREEN
SYSLOG_DAEMON_PRESENT=1
RFC3195D_RUNNING=1
else
LogText "Result: rfc3195d NOT found in process list"
Display --indent 4 --text "- Checking RFC 3195 daemon status" --result "NOT FOUND" --color WHITE
Display --indent 4 --text "- Checking RFC 3195 daemon status" --result "${STATUS_NOT_FOUND}" --color WHITE
fi
fi
#
@ -187,10 +187,10 @@
IsRunning klogd
if [ ${RUNNING} -eq 1 ]; then
LogText "Result: klogd running"
Display --indent 4 --text "- Checking klogd" --result FOUND --color GREEN
Display --indent 4 --text "- Checking klogd" --result "${STATUS_FOUND}" --color GREEN
else
LogText "Result: No klogd found"
Display --indent 4 --text "- Checking klogd" --result "NOT FOUND" --color RED
Display --indent 4 --text "- Checking klogd" --result "${STATUS_NOT_FOUND}" --color RED
ReportWarning ${TEST_NO} "L" "klogd is not running, which could lead to missing kernel messages in log files"
fi
else
@ -208,10 +208,10 @@
# Search for minilogd. It shouldn't be running normally, if another syslog daemon is started
IsRunning minilogd
if [ ${RUNNING} -eq 0 ]; then
Display --indent 4 --text "- Checking minilogd instances" --result "NOT FOUND" --color WHITE
Display --indent 4 --text "- Checking minilogd instances" --result "${STATUS_NOT_FOUND}" --color WHITE
LogText "Result: No minilogd is running"
else
Display --indent 4 --text "- Checking minilogd instances" --result WARNING --color RED
Display --indent 4 --text "- Checking minilogd instances" --result "${STATUS_WARNING}" --color RED
LogText "Result: minilogd found in process list"
# minilogd daemon seems to be running
ReportWarning ${TEST_NO} "L" "minilogd is running, which should normally not be running"
@ -241,10 +241,10 @@
LogText "Result: /etc/logrotate.conf found"
fi
if [ ${LOGROTATE_CONFIG_FOUND} -eq 1 ]; then
Display --indent 2 --text "- Checking logrotate presence" --result OK --color GREEN
Display --indent 2 --text "- Checking logrotate presence" --result "${STATUS_OK}" --color GREEN
LogText "Result: logrotate configuration found"
else
Display --indent 2 --text "- Checking logrotate presence" --result WARNING --color RED
Display --indent 2 --text "- Checking logrotate presence" --result "${STATUS_WARNING}" --color RED
LogText "Result: No logrotate configuration found"
ReportSuggestion ${TEST_NO} "Check if files are properly rotated by a some tool instead of logrotate"
fi
@ -323,9 +323,9 @@
if [ ${SOLARIS_LOGHOST_FOUND} -eq 1 ]; then
LogText "Result: loghost entry found and most likely used to send syslog messages"
Display --indent 2 --text "- Checking loghost entry" --result OK --color GREEN
Display --indent 2 --text "- Checking loghost entry" --result "${STATUS_OK}" --color GREEN
else
Display --indent 2 --text "- Checking loghost entry" --result WARNING --color RED
Display --indent 2 --text "- Checking loghost entry" --result "${STATUS_WARNING}" --color RED
LogText "Result: No loghost entry found"
ReportWarning ${TEST_NO} "L" "No loghost entry found"
ReportSuggestion ${TEST_NO} "Add a loghost entry to /etc/inet/hosts or other name services"
@ -369,7 +369,7 @@
Display --indent 2 --text "- Checking remote logging" --result "NOT ENABLED" --color YELLOW
else
AddHP 5 5
Display --indent 2 --text "- Checking remote logging" --result ENABLED --color GREEN
Display --indent 2 --text "- Checking remote logging" --result "${STATUS_ENABLED}" --color GREEN
fi
else
LogText "Result: test skipped, file ${SYSLOGD_CONF} not found"
@ -384,7 +384,7 @@
Register --test-no LOGG-2160 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking /etc/newsyslog.conf"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Result: /etc/newsyslog.conf found"
Display --indent 2 --text "- Checking /etc/newsyslog.conf" --result FOUND --color GREEN
Display --indent 2 --text "- Checking /etc/newsyslog.conf" --result "${STATUS_FOUND}" --color GREEN
LOGROTATE_CONFIG_FOUND=1
LOGROTATE_TOOL="newsyslog"
fi
@ -406,7 +406,7 @@
LogText "Result: Item ${I} is not a directory"
fi
done
Display --indent 4 --text "- Checking log directories (newsyslog.conf)" --result DONE --color GREEN
Display --indent 4 --text "- Checking log directories (newsyslog.conf)" --result "${STATUS_DONE}" --color GREEN
fi
#
#################################################################################
@ -425,7 +425,7 @@
LogText "Result: Item ${I} is not a file"
fi
done
Display --indent 4 --text "- Checking log files (newsyslog.conf)" --result DONE --color GREEN
Display --indent 4 --text "- Checking log files (newsyslog.conf)" --result "${STATUS_DONE}" --color GREEN
fi
#
#################################################################################
@ -443,7 +443,7 @@
LogText "Result: directory ${I} can't be found"
fi
done
Display --indent 2 --text "- Checking log directories (static list)" --result DONE --color GREEN
Display --indent 2 --text "- Checking log directories (static list)" --result "${STATUS_DONE}" --color GREEN
fi
#
#################################################################################
@ -459,10 +459,10 @@
LogText "Found logfile: ${I}"
Report "open_logfile[]=${I}"
done
Display --indent 2 --text "- Checking open log files" --result DONE --color GREEN
Display --indent 2 --text "- Checking open log files" --result "${STATUS_DONE}" --color GREEN
else
LogText "Result: lsof not installed, skipping test"
Display --indent 2 --text "- Checking open log files" --result SKIPPED --color YELLOW
Display --indent 2 --text "- Checking open log files" --result "${STATUS_SKIPPED}" --color YELLOW
# Add suggestion
fi
fi
@ -497,7 +497,7 @@
ReportSuggestion ${TEST_NO} "Check what deleted files are still in use and why."
else
LogText "Result: no deleted files found"
Display --indent 2 --text "- Checking deleted files in use" --result DONE --color GREEN
Display --indent 2 --text "- Checking deleted files in use" --result "${STATUS_DONE}" --color GREEN
fi
fi
#
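Review bot: The `FIND` assignment in the hunk at `-88,10` runs `${SYSLOGNGBINARY} -s; echo $?` inside one command substitution, so it captures anything syslog-ng writes to standard output together with the exit status, and `[ "${FIND}" = "0" ]` holds only when the command prints nothing. Any output on an otherwise valid configuration would then produce a false WARNING. Testing the status directly avoids that: `if ${SYSLOGNGBINARY} -s > /dev/null 2>&1; then`. Also, the hunk at `-369,7` leaves `--result "NOT ENABLED"` as a literal while the ENABLED branch beside it now uses `${STATUS_ENABLED}`, so that status stays untranslated.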


@ -34,11 +34,11 @@
if [ "${AASTATUSBINARY}" = "" ]; then
APPARMORFOUND=0
LogText "Result: aa-status binary not found, AppArmor not installed"
Display --indent 2 --text "- Checking presence AppArmor" --result "NOT FOUND" --color WHITE
Display --indent 2 --text "- Checking presence AppArmor" --result "${STATUS_NOT_FOUND}" --color WHITE
else
APPARMORFOUND=1
LogText "Result: aa-status binary found, AppArmor is installed"
Display --indent 2 --text "- Checking presence AppArmor" --result FOUND --color GREEN
Display --indent 2 --text "- Checking presence AppArmor" --result "${STATUS_FOUND}" --color GREEN
fi
fi
#
@ -60,22 +60,22 @@
if [ ${FIND} -eq 0 ]; then
MAC_FRAMEWORK_ACTIVE=1
LogText "Result: AppArmor is enabled and a policy is loaded"
Display --indent 4 --text "- Checking AppArmor status" --result "ENABLED" --color GREEN
Display --indent 4 --text "- Checking AppArmor status" --result "${STATUS_ENABLED}" --color GREEN
elif [ ${FIND} -eq 4 ]; then
LogText "Result: Can not determine status, most likely due to lacking permissions"
Display --indent 4 --text "- Checking AppArmor status" --result "UNKNOWN" --color RED
Display --indent 4 --text "- Checking AppArmor status" --result "${STATUS_UNKNOWN}" --color RED
elif [ ${FIND} -eq 3 ]; then
LogText "Result: Can not check control files"
Display --indent 4 --text "- Checking AppArmor status" --result "UNKNOWN" --color RED
Display --indent 4 --text "- Checking AppArmor status" --result "${STATUS_UNKNOWN}" --color RED
elif [ ${FIND} -eq 2 ]; then
LogText "Result: AppArmor is enabled, but no policy is loaded"
ReportSuggestion ${TEST_NO} "Disable AppArmor or load a policy"
Display --indent 4 --text "- Checking AppArmor status" --result "NON-ACTIVE" --color GREEN
elif [ ${FIND} -eq 1 ]; then
LogText "Result: AppArmor is disabled"
Display --indent 4 --text "- Checking AppArmor status" --result "DISABLED" --color YELLOW
Display --indent 4 --text "- Checking AppArmor status" --result "${STATUS_DISABLED}" --color YELLOW
else
Display --indent 4 --text "- Checking AppArmor status" --result "UNKNOWN" --color RED
Display --indent 4 --text "- Checking AppArmor status" --result "${STATUS_UNKNOWN}" --color RED
ReportException "${TEST_NO}:1" "Invalid or unknown AppArmor status detected"
fi
fi
@ -90,10 +90,10 @@
LogText "Test: checking if we have sestatus binary"
if [ ! "${SESTATUSBINARY}" = "" ]; then
LogText "Result: found sestatus binary (${SESTATUSBINARY})"
Display --indent 2 --text "- Checking presence SELinux" --result "FOUND" --color GREEN
Display --indent 2 --text "- Checking presence SELinux" --result "${STATUS_FOUND}" --color GREEN
else
LogText "Result: sestatus binary NOT found"
Display --indent 2 --text "- Checking presence SELinux" --result "NOT FOUND" --color WHITE
Display --indent 2 --text "- Checking presence SELinux" --result "${STATUS_NOT_FOUND}" --color WHITE
fi
fi
#
@ -111,7 +111,7 @@
LogText "Result: SELinux framework is enabled"
Report "selinux_status=1"
SELINUXFOUND=1
Display --indent 4 --text "- Checking SELinux status" --result "ENABLED" --color GREEN
Display --indent 4 --text "- Checking SELinux status" --result "${STATUS_ENABLED}" --color GREEN
FIND=`${SESTATUSBINARY} | grep "^Current mode" | awk '{ print $3 }'`
Report "selinux_mode=${FIND}"
FIND2=`${SESTATUSBINARY} | grep "^Mode from config file" | awk '{ print $5 }'`
@ -119,16 +119,16 @@
LogText "Result: mode configured in config file is ${FIND2}"
if [ "${FIND}" = "${FIND2}" ]; then
LogText "Result: Current SELinux mode is the same as in config file."
Display --indent 6 --text "- Checking current mode and config file" --result "OK" --color GREEN
Display --indent 6 --text "- Checking current mode and config file" --result "${STATUS_OK}" --color GREEN
else
LogText "Result: Current SELinux mode (${FIND}) is NOT the same as in config file (${FIND2})."
ReportWarning ${TEST_NO} "M" "Current SELinux mode is different from config file (current: ${FIND}, config file: ${FIND2})"
Display --indent 6 --text "- Checking current mode and config file" --result "WARNING" --color RED
Display --indent 6 --text "- Checking current mode and config file" --result "${STATUS_WARNING}" --color RED
fi
Display --indent 8 --text "Current SELinux mode: ${FIND}"
else
LogText "Result: SELinux framework is disabled"
Display --indent 4 --text "- Checking SELinux status" --result "DISABLED" --color YELLOW
Display --indent 4 --text "- Checking SELinux status" --result "${STATUS_DISABLED}" --color YELLOW
fi
fi
#
@ -150,10 +150,10 @@
fi
fi
if [ ${GRSEC_FOUND} -eq 1 ]; then
Display --indent 2 --text "- Checking presence grsecurity" --result FOUND --color GREEN
Display --indent 2 --text "- Checking presence grsecurity" --result "${STATUS_FOUND}" --color GREEN
AddHP 3 3
else
Display --indent 2 --text "- Checking presence grsecurity" --result "NOT FOUND" --color WHITE
Display --indent 2 --text "- Checking presence grsecurity" --result "${STATUS_NOT_FOUND}" --color WHITE
fi
fi
#
@ -164,11 +164,11 @@
Register --test-no MACF-6290 --weight L --network NO --description "Check for implemented MAC framework"
if [ ${SKIPTEST} -eq 0 ]; then
if [ ${MAC_FRAMEWORK_ACTIVE} -eq 1 ]; then
Display --indent 2 --text "- Checking for implemented MAC framework" --result OK --color GREEN
Display --indent 2 --text "- Checking for implemented MAC framework" --result "${STATUS_OK}" --color GREEN
AddHP 3 3
LogText "Result: found implemented MAC framework"
else
Display --indent 2 --text "- Checking for implemented MAC framework" --result NONE --color YELLOW
Display --indent 2 --text "- Checking for implemented MAC framework" --result "${STATUS_NONE}" --color YELLOW
AddHP 2 3
LogText "Result: found no implemented MAC framework"
fi


@ -44,12 +44,12 @@
IsRunning exim
if [ ${RUNNING} -eq 1 ]; then
LogText "Result: found running Exim process"
Display --indent 2 --text "- Checking Exim status" --result RUNNING --color GREEN
Display --indent 2 --text "- Checking Exim status" --result "${STATUS_RUNNING}" --color GREEN
EXIM_RUNNING=1
SMTP_DAEMON="exim"
else
LogText "Result: no running Exim processes found"
Display --indent 2 --text "- Checking Exim status" --result "NOT FOUND" --color WHITE
Display --indent 2 --text "- Checking Exim status" --result "${STATUS_NOT_FOUND}" --color WHITE
fi
fi
#
@ -67,12 +67,12 @@
#FIND3=`${PSBINARY} ax | grep "pickup" | grep "postfix" | grep -v "grep"`
if [ ! "${FIND1}" = "" ]; then
LogText "Result: found running Postfix process"
Display --indent 2 --text "- Checking Postfix status" --result RUNNING --color GREEN
Display --indent 2 --text "- Checking Postfix status" --result "${STATUS_RUNNING}" --color GREEN
POSTFIX_RUNNING=1
SMTP_DAEMON="postfix"
else
LogText "Result: no running Postfix processes found"
Display --indent 2 --text "- Checking Postfix status" --result "NOT FOUND" --color WHITE
Display --indent 2 --text "- Checking Postfix status" --result "${STATUS_NOT_FOUND}" --color WHITE
fi
fi
#
@ -83,7 +83,7 @@
if [ ${POSTFIX_RUNNING} -eq 1 -a ! "${POSTFIXBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no MAIL-8816 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check Postfix configuration"
if [ ${SKIPTEST} -eq 0 ]; then
Display --indent 2 --text "- Checking Postfix configuration" --result FOUND --color GREEN
Display --indent 2 --text "- Checking Postfix configuration" --result "${STATUS_FOUND}" --color GREEN
POSTFIX_CONFIGDIR=`${POSTCONFBINARY} 2> /dev/null | grep '^config_directory' | awk '{ print $3 }'`
POSTFIX_CONFIGFILE="${POSTFIX_CONFIGDIR}/main.cf"
LogText "Postfix configuration directory: ${POSTFIX_CONFIGDIR}"
@ -110,11 +110,11 @@
if [ ! "${FIND2}" = "" -a ! "${FIND3}" = "" ]; then
SHOWWARNING=1
else
Display --indent 4 --text "- Checking Postfix banner" --result OK --color GREEN
Display --indent 4 --text "- Checking Postfix banner" --result "${STATUS_OK}" --color GREEN
fi
fi
if [ ${SHOWWARNING} -eq 1 ]; then
Display --indent 4 --text "- Checking Postfix banner" --result WARNING --color RED
Display --indent 4 --text "- Checking Postfix banner" --result "${STATUS_WARNING}" --color RED
LogText "Result: found mail_name in SMTP banner, and/or mail_name contains 'Postfix'."
ReportWarning ${TEST_NO} "L" "Found mail_name in SMTP banner, and/or mail_name contains 'Postfix'"
ReportSuggestion ${TEST_NO} "You are advised to hide the mail_name (option: smtpd_banner) from your postfix configuration. Use postconf -e or change your main.cf file (${POSTFIX_CONFIGFILE})"
@ -131,13 +131,13 @@
IsRunning dovecot
if [ ${RUNNING} -eq 1 ]; then
LogText "Result: found running dovecot process"
Display --indent 2 --text "- Checking Dovecot status" --result RUNNING --color GREEN
Display --indent 2 --text "- Checking Dovecot status" --result "${STATUS_RUNNING}" --color GREEN
DOVECOT_RUNNING=1
IMAP_DAEMON="dovecot"
POP3_DAEMON="dovecot"
else
LogText "Result: dovecot not found"
Display --indent 2 --text "- Checking Dovecot status" --result "NOT FOUND" --color WHITE
Display --indent 2 --text "- Checking Dovecot status" --result "${STATUS_NOT_FOUND}" --color WHITE
fi
fi
#
@ -151,12 +151,12 @@
IsRunning qmail-smtpd
if [ ${RUNNING} -eq 1 ]; then
LogText "Result: found running Qmail process"
Display --indent 2 --text "- Checking Qmail status" --result RUNNING --color GREEN
Display --indent 2 --text "- Checking Qmail status" --result "${STATUS_RUNNING}" --color GREEN
QMAIL_RUNNING=1
SMTP_DAEMON="qmail"
else
LogText "Result: no running Qmail processes found"
Display --indent 2 --text "- Checking Qmail status" --result "NOT FOUND" --color WHITE
Display --indent 2 --text "- Checking Qmail status" --result "${STATUS_NOT_FOUND}" --color WHITE
fi
fi
#
@ -170,12 +170,12 @@
IsRunning sendmail
if [ ${RUNNING} -eq 1 ]; then
LogText "Result: found running Sendmail process"
Display --indent 2 --text "- Checking Sendmail status" --result RUNNING --color GREEN
Display --indent 2 --text "- Checking Sendmail status" --result "${STATUS_RUNNING}" --color GREEN
SENDMAIL_RUNNING=1
SMTP_DAEMON="sendmail"
else
LogText "Result: no running Sendmail processes found"
Display --indent 2 --text "- Checking Sendmail status" --result "NOT FOUND" --color WHITE
Display --indent 2 --text "- Checking Sendmail status" --result "${STATUS_NOT_FOUND}" --color WHITE
fi
fi
#
@ -190,12 +190,12 @@
FIND=`${PSBINARY} ax | egrep "(/smtpd|smtpd: \[priv\]|smtpd: smtp)" | grep -v "grep"`
if [ ! "${FIND}" = "" ]; then
LogText "Result: found running smtpd process"
Display --indent 2 --text "- Checking OpenSMTPD status" --result RUNNING --color GREEN
Display --indent 2 --text "- Checking OpenSMTPD status" --result "${STATUS_RUNNING}" --color GREEN
OPENSMTPD_RUNNING=1
SMTP_DAEMON="opensmtpd"
else
LogText "Result: smtpd not found"
Display --indent 2 --text "- Checking OpenSMTPD status" --result "NOT FOUND" --color WHITE
Display --indent 2 --text "- Checking OpenSMTPD status" --result "${STATUS_NOT_FOUND}" --color WHITE
fi
fi
#
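Review bot: In the MAIL-8816 hunk the "Checking Postfix configuration" line prints `${STATUS_FOUND}` before `POSTFIX_CONFIGDIR` has been read from postconf, so the screen reports a found configuration even when the lookup returns nothing. The prerequisite line above it tests `${POSTFIXBINARY}`, but the lookup runs `${POSTCONFBINARY}`; if that variable is empty, `POSTFIX_CONFIGFILE` becomes `/main.cf`. I would move the Display below the lookup and guard it with `if [ -f "${POSTFIX_CONFIGFILE}" ]; then`, showing `${STATUS_NOT_FOUND}` in the else branch. The rest of the test body lies outside the hunk, so a later check may already cover part of this.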


@ -22,7 +22,7 @@
#
#################################################################################
#
InsertSection "Software: Malware scanners"
InsertSection "Software: ${SECTION_MALWARE}"
#
#################################################################################
#
@ -42,7 +42,7 @@
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: checking presence chkrootkit"
if [ ! "${CHKROOTKITBINARY}" = "" ]; then
Display --indent 2 --text "- Checking chkrootkit" --result "FOUND" --color GREEN
Display --indent 2 --text "- ${GEN_CHECKING} chkrootkit" --result "${STATUS_FOUND}" --color GREEN
LogText "Result: Found ${CHKROOTKITBINARY}"
MALWARE_SCANNER_INSTALLED=1
AddHP 2 2
@ -60,7 +60,7 @@
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: checking presence Rootkit Hunter"
if [ ! "${RKHUNTERBINARY}" = "" ]; then
Display --indent 2 --text "- Checking Rootkit Hunter" --result "FOUND" --color GREEN
Display --indent 2 --text "- ${GEN_CHECKING} Rootkit Hunter" --result "${STATUS_FOUND}" --color GREEN
LogText "Result: Found ${RKHUNTERBINARY}"
MALWARE_SCANNER_INSTALLED=1
AddHP 2 2
@ -78,7 +78,7 @@
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: checking presence LMD"
if [ ! "${LMDBINARY}" = "" ]; then
Display --indent 2 --text "- Checking LMD (Linux Malware Detect)" --result "FOUND" --color GREEN
Display --indent 2 --text "- ${GEN_CHECKING} LMD (Linux Malware Detect)" --result "${STATUS_FOUND}" --color GREEN
LogText "Result: Found ${LMDBINARY}"
MALWARE_SCANNER_INSTALLED=1
AddHP 2 2
@ -101,7 +101,7 @@
IsRunning esets_daemon
if [ ${RUNNING} -eq 1 ]; then
FOUND=1
Display --indent 2 --text "- Checking ESET daemon" --result "FOUND" --color GREEN
Display --indent 2 --text "- ${GEN_CHECKING} ESET daemon" --result "${STATUS_FOUND}" --color GREEN
LogText "Result: found ESET security product"
ESET_DAEMON_RUNNING=1
MALWARE_SCANNER_INSTALLED=1
@ -121,7 +121,7 @@
fi
if [ ${MCAFEE_SCANNER_RUNNING} -eq 1 ]; then
FOUND=1
Display --indent 2 --text "- Checking McAfee" --result "FOUND" --color GREEN
Display --indent 2 --text "- ${GEN_CHECKING} McAfee" --result "${STATUS_FOUND}" --color GREEN
LogText "Result: Found McAfee"
MALWARE_SCANNER_INSTALLED=1
AddHP 2 2
@ -142,7 +142,7 @@
SOPHOS_SCANNER_RUNNING=1
fi
if [ ${SOPHOS_SCANNER_RUNNING} -eq 1 ]; then
Display --indent 2 --text "- Checking Sophos" --result "FOUND" --color GREEN
Display --indent 2 --text "- ${GEN_CHECKING} Sophos" --result "${STATUS_FOUND}" --color GREEN
LogText "Result: Found Sophos"
MALWARE_SCANNER_INSTALLED=1
AddHP 2 2
@ -162,7 +162,7 @@
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: checking presence clamscan"
if [ ! "${CLAMSCANBINARY}" = "" ]; then
Display --indent 2 --text "- Checking ClamAV scanner" --result "FOUND" --color GREEN
Display --indent 2 --text "- Checking ClamAV scanner" --result "${STATUS_FOUND}" --color GREEN
LogText "Result: Found ${CLAMSCANBINARY}"
MALWARE_SCANNER_INSTALLED=1
CLAMSCAN_INSTALLED=1
@ -181,7 +181,7 @@
LogText "Test: checking running ClamAV daemon (clamd)"
IsRunning clamd
if [ ${RUNNING} -eq 1 ]; then
Display --indent 2 --text "- Checking ClamAV daemon" --result "FOUND" --color GREEN
Display --indent 2 --text "- ${GEN_CHECKING} ClamAV daemon" --result "${STATUS_FOUND}" --color GREEN
LogText "Result: found running clamd process"
MALWARE_SCANNER_INSTALLED=1
CLAMD_RUNNING=1
@ -201,11 +201,11 @@
IsRunning freshclam
if [ ${RUNNING} -eq 1 ]; then
FRESHCLAM_DAEMON_RUNNING=1
Display --indent 4 --text "- Checking freshclam" --result "FOUND" --color GREEN
Display --indent 4 --text "- ${GEN_CHECKING} freshclam" --result "${STATUS_FOUND}" --color GREEN
LogText "Result: found running freshclam process"
AddHP 2 2
else
Display --indent 4 --text "- Checking freshclam" --result "SUGGESTION" --color YELLOW
Display --indent 4 --text "- ${GEN_CHECKING} freshclam" --result "${STATUS_SUGGESTION}" --color YELLOW
LogText "Result: freshclam is not running"
ReportSuggestion ${TEST_NO} "Confirm that freshclam is properly configured and keeps updating the ClamAV database"
fi
@ -221,7 +221,7 @@
CLAMSCANBINARY=`ls /Applications/ClamXav.app/Contents/Resources/ScanningEngine/bin/ 2> /dev/null | grep 'clamscan'`
if [ ! "${CLAMSCANBINARY}" = "" ]; then
LogText "Result: Found ClamXav clamscan installed"
Display --indent 2 --text "- Checking presence of ClamXav AV scanner" --result "FOUND" --color GREEN
Display --indent 2 --text "- ${GEN_CHECKING} ClamXav AV scanner" --result "${STATUS_FOUND}" --color GREEN
MALWARE_SCANNER_INSTALLED=1
CLAMSCAN_INSTALLED=1
AddHP 3 3
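Review bot: The "Checking ClamAV scanner" line keeps the hard-coded English verb while the other changed Display calls in this file moved to `${GEN_CHECKING}`, so that one label will stay untranslated. It should read `Display --indent 2 --text "- ${GEN_CHECKING} ClamAV scanner" --result "${STATUS_FOUND}" --color GREEN`. The ClamXav line also drops "presence of" from its label; that may be intentional, but it is a wording change in a commit that otherwise only swaps strings for variables and is worth confirming.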


@ -22,7 +22,7 @@
#
#################################################################################
#
InsertSection "Memory and processes"
InsertSection "${SECTION_MEMORY_AND_PROCESSES}"
#
#################################################################################
#
@ -32,7 +32,7 @@
if [ ${SKIPTEST} -eq 0 ]; then
if [ -f /proc/meminfo ]; then
LogText "Result: found /proc/meminfo"
Display --indent 2 --text "- Checking /proc/meminfo" --result FOUND --color GREEN
Display --indent 2 --text "- Checking /proc/meminfo" --result "${STATUS_FOUND}" --color GREEN
FIND=`awk '/^MemTotal/ { print $2, $3 }' /proc/meminfo`
MEMORY_SIZE=`echo ${FIND} | awk '{ print $1 }'`
MEMORY_UNITS=`echo ${FIND} | awk '{ print $2 }'`
@ -52,14 +52,14 @@
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Searching /usr/sbin/prtconf"
if [ -x /usr/sbin/prtconf ]; then
Display --indent 2 --text "- Querying prtconf for installed memory" --result DONE --color GREEN
Display --indent 2 --text "- Querying prtconf for installed memory" --result "${STATUS_DONE}" --color GREEN
MEMORY_SIZE=`/usr/sbin/prtconf | grep "^Memory size:" | cut -d ' ' -f3`
MEMORY_UNITS=`/usr/sbin/prtconf | grep "^Memory size:" | cut -d ' ' -f4`
LogText "Result: Found ${MEMORY_SIZE} ${MEMORY_UNITS} memory"
Report "memory_size=${MEMORY_SIZE}"
Report "memory_units=${MEMORY_UNITS}"
else
Display --indent 2 --text "- Querying prtconf for installed memory" --result SKIPPED --color WHITE
Display --indent 2 --text "- Querying prtconf for installed memory" --result "${STATUS_SKIPPED}" --color WHITE
LogText "Result: /usr/sbin/prtconf not found"
fi
fi
@ -79,11 +79,11 @@
fi
if [ "${FIND}" = "" ]; then
LogText "Result: no zombie processes found"
Display --indent 2 --text "- Searching for dead/zombie processes" --result OK --color GREEN
Display --indent 2 --text "- Searching for dead/zombie processes" --result "${STATUS_OK}" --color GREEN
else
LogText "Result: found one or more dead or zombie processes"
LogText "Output: PIDs ${FIND}"
Display --indent 2 --text "- Searching for dead/zombie processes" --result WARNING --color RED
Display --indent 2 --text "- Searching for dead/zombie processes" --result "${STATUS_WARNING}" --color RED
ReportSuggestion ${TEST_NO} "Check the output of ps for dead or zombie processes"
fi
fi
@ -103,12 +103,12 @@
fi
if [ "${FIND}" = "" ]; then
LogText "Result: No processes were waiting for IO requests to be handled first"
Display --indent 2 --text "- Searching for IO waiting processes" --result OK --color GREEN
Display --indent 2 --text "- Searching for IO waiting processes" --result "${STATUS_OK}" --color GREEN
else
LogText "Result: found one or more processes which were waiting to get IO requests handled first"
LogText "More info: processes which show up with the status flag 'D' are often stuck, until a disk IO event finished. This can happen for example with network storage, where the connection or protocol settings are not logtext well configured."
LogText "Output: PIDs ${FIND}"
Display --indent 2 --text "- Searching for IO waiting processes" --result WARNING --color RED
Display --indent 2 --text "- Searching for IO waiting processes" --result "${STATUS_WARNING}" --color RED
ReportSuggestion ${TEST_NO} "Check process listing for processes waiting for IO requests"
fi
fi
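Review bot: The "More info" LogText message in the IO-waiting hunk contains a stray word, "protocol settings are not logtext well configured". It looks like residue of an earlier search-and-replace and ends up verbatim in the audit log. Since this commit is already touching the strings in this file, the message could be corrected to end with `settings are not well configured.`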


@ -49,12 +49,12 @@
FIND=`awk '/^domain/ { print $2 }' /etc/resolv.conf`
if [ "${FIND}" = "" ]; then
LogText "Result: no default domain found"
if IsVerbose; then Display --indent 2 --text "- Checking default DNS search domain" --result NONE --color WHITE; fi
if IsVerbose; then Display --indent 2 --text "- Checking default DNS search domain" --result "${STATUS_NONE}" --color WHITE; fi
else
LogText "Result: found default domain"
LogText "Output: ${FIND}"
Report "resolv_conf_domain=${FIND}"
Display --indent 2 --text "- Checking default DNS search domain" --result FOUND --color GREEN
Display --indent 2 --text "- Checking default DNS search domain" --result "${STATUS_FOUND}" --color GREEN
RESOLV_DOMAINNAME="${FIND}"
fi
fi
@ -83,16 +83,16 @@
# Warn if we have more than 6 search domains, which is maximum in most resolvers
if [ ${N} -gt 6 ]; then
LogText "Result: Found ${N} search domains"
Display --indent 2 --text "- Checking search domains" --result WARNING --color YELLOW
Display --indent 2 --text "- Checking search domains" --result "${STATUS_WARNING}" --color YELLOW
ReportWarning ${TEST_NO} "L" "Found more than 6 search domains, which is usually more than the maximum allowed number in most resolvers"
else
LogText "Result: Found ${N} search domains"
Display --indent 2 --text "- Checking search domains" --result FOUND --color GREEN
Display --indent 2 --text "- Checking search domains" --result "${STATUS_FOUND}" --color GREEN
fi
fi
else
LogText "Result: /etc/resolv.conf does not exist, skipping test"
Display --indent 2 --text "- Checking search domains" --result "NOT FOUND" --color YELLOW
Display --indent 2 --text "- Checking search domains" --result "${STATUS_NOT_FOUND}" --color YELLOW
fi
# Check amount of search domains (max 1)
@ -118,7 +118,7 @@
FIND=`grep "^options" /etc/resolv.conf | awk '{ print $2 }'`
if [ "${FIND}" = "" ]; then
LogText "Result: no specific other options configured in /etc/resolv.conf"
if IsVerbose; then Display --indent 2 --text "- Checking /etc/resolv.conf options" --result "NONE" --color WHITE; fi
if IsVerbose; then Display --indent 2 --text "- Checking /etc/resolv.conf options" --result "${STATUS_NONE}" --color WHITE; fi
else
for I in ${FIND}; do
LogText "Found option: ${I}"
@ -126,11 +126,11 @@
#rotate --> add performance tune point
#timeout <3 --> add performe tune point
done
Display --indent 2 --text "- Checking /etc/resolv.conf options" --result "FOUND" --color GREEN
Display --indent 2 --text "- Checking /etc/resolv.conf options" --result "${STATUS_FOUND}" --color GREEN
fi
else
LogText "Result: /etc/resolv.conf not found, test skipped"
Display --indent 2 --text "- Checking /etc/resolv.conf options" --result "NOT FOUND" --color YELLOW
Display --indent 2 --text "- Checking /etc/resolv.conf options" --result "${STATUS_NOT_FOUND}" --color YELLOW
fi
fi
#
@ -142,7 +142,7 @@
if [ ${SKIPTEST} -eq 0 ]; then
FIND=`uname -n`
LogText "Result: 'uname -n' returned ${FIND}"
Display --indent 2 --text "- Checking uname -n output" --result DONE --color GREEN
Display --indent 2 --text "- Checking uname -n output" --result "${STATUS_DONE}" --color GREEN
fi
#
#################################################################################
@ -157,7 +157,7 @@
LogText "Result: file /etc/nodename exists"
FIND=`cat /etc/nodename`
LogText "Output: ${FIND}"
Display --indent 2 --text "- Checking /etc/nodename" --result "DONE" --color GREEN
Display --indent 2 --text "- Checking /etc/nodename" --result "${STATUS_DONE}" --color GREEN
else
LogText "Result: file /etc/nodename could not be found"
Display --indent 2 --text "- Checking /etc/nodename" --result "NONE FOUND" --color YELLOW
@ -216,10 +216,10 @@
if [ ! "${DOMAINNAME}" = "" ]; then
LogText "Result: found domain name"
Report "domainname=${DOMAINNAME}"
Display --indent 2 --text "- Searching DNS domain name" --result "FOUND" --color GREEN
Display --indent 2 --text "- Searching DNS domain name" --result "${STATUS_FOUND}" --color GREEN
Display --indent 6 --text "Domain name: ${DOMAINNAME}"
else
Display --indent 2 --text "- Searching DNS domain name" --result "UNKNOWN" --color YELLOW
Display --indent 2 --text "- Searching DNS domain name" --result "${STATUS_UNKNOWN}" --color YELLOW
ReportSuggestion ${TEST_NO} "Check DNS configuration for the dns domain name"
fi
fi
@ -235,10 +235,10 @@
if [ ${RUNNING} -eq 1 ]; then
NAME_CACHE_USED=1
LogText "Result: nscd is running"
Display --indent 2 --text "- Checking nscd status" --result RUNNING --color GREEN
Display --indent 2 --text "- Checking nscd status" --result "${STATUS_RUNNING}" --color GREEN
else
LogText "Result: nscd is not running"
if IsVerbose; then Display --indent 2 --text "- Checking nscd status" --result "NOT FOUND" --color WHITE; fi
if IsVerbose; then Display --indent 2 --text "- Checking nscd status" --result "${STATUS_NOT_FOUND}" --color WHITE; fi
fi
fi
#
@ -254,10 +254,10 @@
UNBOUND_RUNNING=1
NAME_CACHE_USED=1
LogText "Result: Unbound daemon is running"
Display --indent 2 --text "- Checking Unbound status" --result RUNNING --color GREEN
Display --indent 2 --text "- Checking Unbound status" --result "${STATUS_RUNNING}" --color GREEN
else
LogText "Result: Unbound daemon is not running"
if IsVerbose; then Display --indent 2 --text "- Checking Unbound status" --result "NOT FOUND" --color WHITE; fi
if IsVerbose; then Display --indent 2 --text "- Checking Unbound status" --result "${STATUS_NOT_FOUND}" --color WHITE; fi
fi
fi
#
@ -276,7 +276,7 @@
if [ $? -eq 0 ]; then
UNBOUND_CONFIG_OK=1
LogText "Result: Configuration is fine"
Display --indent 2 --text "- Checking configuration file" --result OK --color GREEN
Display --indent 2 --text "- Checking configuration file" --result "${STATUS_OK}" --color GREEN
else
LogText "Result: Unbound daemon is not running"
Display --indent 2 --text "- Checking configuration file" --result "NOT OK" --color YELLOW
@ -297,11 +297,11 @@
IsRunning named
if [ ${RUNNING} -eq 1 ]; then
LogText "Result: found BIND process"
Display --indent 2 --text "- Checking BIND status" --result "FOUND" --color GREEN
Display --indent 2 --text "- Checking BIND status" --result "${STATUS_FOUND}" --color GREEN
BIND_RUNNING=1
else
LogText "Result: BIND not running"
if IsVerbose; then Display --indent 2 --text "- Checking BIND status" --result "NOT FOUND" --color WHITE; fi
if IsVerbose; then Display --indent 2 --text "- Checking BIND status" --result "${STATUS_NOT_FOUND}" --color WHITE; fi
fi
fi
#
@ -320,9 +320,9 @@
fi
done
if [ ! "${BIND_CONFIG_LOCATION}" = "" ]; then
Display --indent 4 --text "- Checking BIND configuration file" --result "FOUND" --color GREEN
Display --indent 4 --text "- Checking BIND configuration file" --result "${STATUS_FOUND}" --color GREEN
else
Display --indent 4 --text "- Checking BIND configuration file" --result "NOT FOUND" --color YELLOW
Display --indent 4 --text "- Checking BIND configuration file" --result "${STATUS_NOT_FOUND}" --color YELLOW
fi
fi
#
@ -339,10 +339,10 @@
FIND=`${NAMEDCHECKCONFBINARY} ${BIND_CONFIG_LOCATION}; echo $?`
if [ "${FIND}" = "0" ]; then
LogText "Result: configuration file ${BIND_CONFIG_LOCATION} seems to be fine"
Display --indent 4 --text "- Checking BIND configuration consistency" --result "OK" --color GREEN
Display --indent 4 --text "- Checking BIND configuration consistency" --result "${STATUS_OK}" --color GREEN
else
LogText "Result: possible errors found in ${BIND_CONFIG_LOCATION}"
Display --indent 4 --text "- Checking BIND configuration consistency" --result WARNING --color RED
Display --indent 4 --text "- Checking BIND configuration consistency" --result "${STATUS_WARNING}" --color RED
ReportWarning ${TEST_NO} "Errors discovered in BIND configuration file"
fi
else
@ -368,11 +368,11 @@
FIND=`${DIGBINARY} @localhost version.bind chaos txt | grep "^version.bind" | grep TXT | egrep "[0-9].[0-9].[0-9]*"`
if [ "${FIND}" = "" ]; then
LogText "Result: no useful information in banner found"
Display --indent 4 --text "- Checking BIND version in banner" --result "OK" --color GREEN
Display --indent 4 --text "- Checking BIND version in banner" --result "${STATUS_OK}" --color GREEN
AddHP 2 2
else
LogText "Result: possible BIND version available in version banner"
Display --indent 4 --text "- Checking BIND version in banner" --result WARNING --color RED
Display --indent 4 --text "- Checking BIND version in banner" --result "${STATUS_WARNING}" --color RED
ReportWarning ${TEST_NO} "M" "Found BIND version in banner"
ReportSuggestion ${TEST_NO} "The version in BIND can be masked by defining 'version none' in the configuration file"
AddHP 0 2
@ -410,11 +410,11 @@
IsRunning pdns_server
if [ ${RUNNING} -eq 1 ]; then
LogText "Result: found PowerDNS process"
Display --indent 2 --text "- Checking PowerDNS status" --result "RUNNING" --color GREEN
Display --indent 2 --text "- Checking PowerDNS status" --result "${STATUS_RUNNING}" --color GREEN
POWERDNS_RUNNING=1
else
LogText "Result: PowerDNS not running"
if IsVerbose; then Display --indent 2 --text "- Checking PowerDNS status" --result "NOT FOUND" --color WHITE; fi
if IsVerbose; then Display --indent 2 --text "- Checking PowerDNS status" --result "${STATUS_NOT_FOUND}" --color WHITE; fi
fi
fi
#
@ -433,9 +433,9 @@
fi
done
if [ ! "${POWERDNS_AUTH_CONFIG_LOCATION}" = "" ]; then
Display --indent 4 --text "- Checking PowerDNS configuration file" --result "FOUND" --color GREEN
Display --indent 4 --text "- Checking PowerDNS configuration file" --result "${STATUS_FOUND}" --color GREEN
else
Display --indent 4 --text "- Checking PowerDNS configuration file" --result "NOT FOUND" --color YELLOW
Display --indent 4 --text "- Checking PowerDNS configuration file" --result "${STATUS_NOT_FOUND}" --color YELLOW
fi
fi
#
@ -461,10 +461,10 @@
for I in ${FIND}; do
LogText "Found backend: ${I}"
done
Display --indent 4 --text "- Checking PowerDNS backends" --result "FOUND" --color GREEN
Display --indent 4 --text "- Checking PowerDNS backends" --result "${STATUS_FOUND}" --color GREEN
else
LogText "Result: no PowerDNS backends found"
Display --indent 4 --text "- Checking PowerDNS backends" --result "NOT FOUND" --color YELLOW
Display --indent 4 --text "- Checking PowerDNS backends" --result "${STATUS_NOT_FOUND}" --color YELLOW
fi
fi
#
@ -507,18 +507,18 @@
IsRunning ypbind
if [ ${RUNNING} -eq 1 ]; then
LogText "Result: ypbind is running"
Display --indent 2 --text "- Checking ypbind status" --result "FOUND" --color GREEN
Display --indent 2 --text "- Checking ypbind status" --result "${STATUS_FOUND}" --color GREEN
YPBIND_RUNNING=1
IsRunning ypldap
if [ ${RUNNING} -eq 1 ]; then
LogText "Result: ypldap is running"
Display --indent 2 --text "- Checking ypldap status" --result "FOUND" --color GREEN
Display --indent 2 --text "- Checking ypldap status" --result "${STATUS_FOUND}" --color GREEN
else
ReportSuggestion "Disable the usage of NIS/NIS+ and use an alternative like LDAP or Kerberos instead"
fi
else
LogText "Result: ypbind is not active"
if IsVerbose; then Display --indent 2 --text "- Checking ypbind status" --result "NOT FOUND" --color WHITE; fi
if IsVerbose; then Display --indent 2 --text "- Checking ypbind status" --result "${STATUS_NOT_FOUND}" --color WHITE; fi
fi
fi
#
@ -579,10 +579,10 @@
if [ ! "${NISDOMAIN}" = "" ]; then
LogText "Found NIS domain: ${NISDOMAIN}"
Report "nisdomain=${NISDOMAIN}"
Display --indent 4 --text "- Checking NIS domain" --result "FOUND" --color GREEN
Display --indent 4 --text "- Checking NIS domain" --result "${STATUS_FOUND}" --color GREEN
else
LogText "Result: No NIS domain found"
Display --indent 4 --text "- Checking NIS domain" --result "UNKNOWN" --color YELLOW
Display --indent 4 --text "- Checking NIS domain" --result "${STATUS_UNKNOWN}" --color YELLOW
fi
fi
#
@ -601,16 +601,16 @@
sFIND=`egrep -v '^(#|$)' /etc/hosts | awk '{ print $1, $2 }' | sort | uniq -d`
if [ "${sFIND}" = "" ]; then
LogText "Result: OK, no duplicate lines found"
Display --indent 4 --text "- Checking /etc/hosts (duplicates)" --result OK --color GREEN
Display --indent 4 --text "- Checking /etc/hosts (duplicates)" --result "${STATUS_OK}" --color GREEN
else
LogText "Found duplicate line: ${sFIND}"
LogText "Result: found duplicate line"
Display --indent 4 --text "- Checking /etc/hosts (duplicates)" --result SUGGESTION --color YELLOW
Display --indent 4 --text "- Checking /etc/hosts (duplicates)" --result "${STATUS_SUGGESTION}" --color YELLOW
ReportSuggestion "${TEST_NO}" "Remove duplicate lines in /etc/hosts"
fi
else
LogText "Result: /etc/hosts not found, test skipped"
Display --indent 4 --text "Searching duplicate line" --result "SKIPPED" --color YELLOW
Display --indent 4 --text "Searching duplicate line" --result "${STATUS_SKIPPED}" --color YELLOW
fi
fi
#
@ -626,10 +626,10 @@
sFIND=`egrep -v '^(#|$|^::1\s|localhost)' /etc/hosts | grep -i ${HOSTNAME}`
if [ "${sFIND}" != "" ]; then
LogText "Result: Found entry for ${HOSTNAME} in /etc/hosts"
Display --indent 4 --text "- Checking /etc/hosts (hostname)" --result OK --color GREEN
Display --indent 4 --text "- Checking /etc/hosts (hostname)" --result "${STATUS_OK}" --color GREEN
else
LogText "Result: No entry found for ${HOSTNAME} in /etc/hosts"
Display --indent 4 --text "- Checking /etc/hosts (hostname)" --result SUGGESTION --color YELLOW
Display --indent 4 --text "- Checking /etc/hosts (hostname)" --result "${STATUS_SUGGESTION}" --color YELLOW
ReportSuggestion ${TEST_NO} "Add the IP name and FQDN to /etc/hosts for proper name resolving"
LogText "Risk: No entry for the server name [hostname] in /etc/hosts may cause unexpected performance problems for local connections"
fi
@ -648,12 +648,12 @@
if [ ! "${sFIND}" = "" ]; then
LogText "Result: Found this server hostname mapped to a local address"
LogText "Output: ${sFIND}"
Display --indent 4 --text "- Checking /etc/hosts (localhost)" --result SUGGESTION --color YELLOW
Display --indent 4 --text "- Checking /etc/hosts (localhost)" --result "${STATUS_SUGGESTION}" --color YELLOW
LogText "Information: Linking the hostname to the localhost entry may break some resolving. Split resolving so that localhost resolves back to 127.0.0.1 (and ::1) and the hostname of the machine to the real IP address on the network interface."
ReportSuggestion ${TEST_NO} "Split resolving between localhost and the hostname of the system"
else
LogText "Result: this server hostname is not mapped to a local address"
Display --indent 4 --text "- Checking /etc/hosts (localhost)" --result OK --color GREEN
Display --indent 4 --text "- Checking /etc/hosts (localhost)" --result "${STATUS_OK}" --color GREEN
fi
fi
#
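Review bot: `ReportWarning ${TEST_NO} "Errors discovered in BIND configuration file"` in the BIND consistency hunk passes only two arguments, while the other ReportWarning calls on this page pass a test id, an impact letter and the message, for example `ReportWarning ${TEST_NO} "M" "Found BIND version in banner"`. If ReportWarning is positional, which its definition outside this page would confirm, the message lands in the impact slot and the finding is recorded without its text. The ReportSuggestion call after the ypldap check has the same kind of gap: it omits `${TEST_NO}`, unlike the other ReportSuggestion calls in this file. Suggested: `ReportWarning ${TEST_NO} "M" "Errors discovered in BIND configuration file"` (impact letter to be chosen by the maintainer) and `ReportSuggestion ${TEST_NO} "Disable the usage of NIS/NIS+ and use an alternative like LDAP or Kerberos instead"`. Separately, `--result "NONE FOUND"` and `--result "NOT OK"` remain as untranslated literals in this file.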


@ -87,20 +87,20 @@
LogText "Result: IPV6 mode is ${IPV6_MODE}"
if [ ${IPV6_CONFIGURED} -eq 1 ]; then
Display --indent 2 --text "- Checking IPv6 configuration" --result "ENABLED" --color WHITE
Display --indent 2 --text "- Checking IPv6 configuration" --result "${STATUS_ENABLED}" --color WHITE
STATUS=`echo ${IPV6_MODE} | tr '[:lower:]' '[:upper:]'`
Display --indent 6 --text "Configuration method" --result "${STATUS}" --color WHITE
if [ ${IPV6_ONLY} -eq 1 ]; then STATUS="YES"; else STATUS="NO"; fi
LogText "Result: IPv6 only configuration: ${STATUS}"
Display --indent 6 --text "IPv6 only" --result "${STATUS}" --color WHITE
else
Display --indent 2 --text "- Checking IPv6 configuration" --result "DISABLED" --color WHITE
Display --indent 2 --text "- Checking IPv6 configuration" --result "${STATUS_DISABLED}" --color WHITE
fi
# Configuration errors
if [ ${IPV6_MISCONFIGURED_MTU} -eq 1 ]; then
IPV6_MISCONFIGURED=1
LogText "Result: MTU of IPv6 interfaces should be 1280 or higher"
Display --indent 6 --text "Error: MTU is too low" --result "WARNING" --color RED
Display --indent 6 --text "Error: MTU is too low" --result "${STATUS_WARNING}" --color RED
ReportSuggestion "${TEST_NO}" "Check your MTU configuration of IPv6 interfaces"
fi
@ -138,7 +138,7 @@
# 0=good, other=bad
DNSRESPONSE=`${DIGBINARY} +noall +time=3 +retry=0 @${I} ${I} > /dev/null ; echo $?`
if [ "${DNSRESPONSE}" = "0" ]; then
Display --indent 8 --text "Nameserver: ${I}" --result OK --color GREEN
Display --indent 8 --text "Nameserver: ${I}" --result "${STATUS_OK}" --color GREEN
LogText "Nameserver ${I} seems to respond to queries from this host."
# Count responsive nameservers
NUMBERACTIVENS=$((NUMBERACTIVENS + 1))
@ -151,7 +151,7 @@
fi
else
LogText "Result: Nameserver test for ${I} skipped, 'dig' not installed"
Display --indent 6 --text "Nameserver: ${I}" --result SKIPPED --color YELLOW
Display --indent 6 --text "Nameserver: ${I}" --result "${STATUS_SKIPPED}" --color YELLOW
fi
done
fi
@ -167,19 +167,19 @@
if [ ${SKIPTEST} -eq 0 ]; then
if [ ! "${DIGBINARY}" = "" ]; then
if [ ${NUMBERACTIVENS} -lt 2 ]; then
Display --indent 4 --text "- Minimal of 2 responsive nameservers" --result WARNING --color RED
Display --indent 4 --text "- Minimal of 2 responsive nameservers" --result "${STATUS_WARNING}" --color RED
LogText "Result: less than 2 responsive nameservers found"
ReportWarning ${TEST_NO} "L" "Couldn't find 2 responsive nameservers"
LogText "Note: Non responsive nameservers can give problems for your system(s). Like the lack of recursive lookups, bad connectivity to update servers etc."
ReportSuggestion ${TEST_NO} "Check your resolv.conf file and fill in a backup nameserver if possible"
AddHP 1 2
else
Display --indent 4 --text "- Minimal of 2 responsive nameservers" --result OK --color GREEN
Display --indent 4 --text "- Minimal of 2 responsive nameservers" --result "${STATUS_OK}" --color GREEN
LogText "Result: found at least 2 responsive nameservers"
AddHP 3 3
fi
else
Display --indent 4 --text "- Minimal of 2 responsive nameservers" --result SKIPPED --color YELLOW
Display --indent 4 --text "- Minimal of 2 responsive nameservers" --result "${STATUS_SKIPPED}" --color YELLOW
LogText "Result: dig not installed, test can't be fully performed"
fi
else
@ -201,7 +201,7 @@
LogText "Result: Found default gateway ${I}"
Report "default_gateway[]=${I}"
done
Display --indent 2 --text "- Checking default gateway" --result DONE --color GREEN
Display --indent 2 --text "- Checking default gateway" --result "${STATUS_DONE}" --color GREEN
else
LogText "Result: No default gateway found"
Display --indent 2 --text "- Checking default gateway" --result "NONE FOUND" --color WHITE
@ -455,9 +455,9 @@
done
fi
if [ "${FIND}" = "" -a "${FIND2}" = "" ]; then
Display --indent 2 --text "- Getting listening ports (TCP/UDP)" --result SKIPPED --color YELLOW
Display --indent 2 --text "- Getting listening ports (TCP/UDP)" --result "${STATUS_SKIPPED}" --color YELLOW
else
Display --indent 2 --text "- Getting listening ports (TCP/UDP)" --result DONE --color GREEN
Display --indent 2 --text "- Getting listening ports (TCP/UDP)" --result "${STATUS_DONE}" --color GREEN
Display --indent 6 --text "* Found ${N} ports"
fi
fi
@ -497,10 +497,10 @@
# Show result
if [ ${FOUNDPROMISC} -eq 0 ]; then
Display --indent 2 --text "- Checking promiscuous interfaces" --result OK --color GREEN
Display --indent 2 --text "- Checking promiscuous interfaces" --result "${STATUS_OK}" --color GREEN
LogText "Result: No promiscuous interfaces found"
else
Display --indent 2 --text "- Checking promiscuous interfaces" --result WARNING --color RED
Display --indent 2 --text "- Checking promiscuous interfaces" --result "${STATUS_WARNING}" --color RED
fi
fi
#
@ -533,10 +533,10 @@
# Show result
if [ ${FOUNDPROMISC} -eq 0 ]; then
Display --indent 2 --text "- Checking promiscuous interfaces" --result OK --color GREEN
Display --indent 2 --text "- Checking promiscuous interfaces" --result "${STATUS_OK}" --color GREEN
LogText "Result: No promiscuous interfaces found"
else
Display --indent 2 --text "- Checking promiscuous interfaces" --result WARNING --color RED
Display --indent 2 --text "- Checking promiscuous interfaces" --result "${STATUS_WARNING}" --color RED
fi
fi
#
@ -576,10 +576,10 @@
if [ "${OPTIONS_CONN_MAX_WAIT_STATE}" = "" ]; then OPTIONS_CONN_MAX_WAIT_STATE="5000"; fi
LogText "Result: currently ${FIND} connections are in a waiting state (max configured: ${OPTIONS_CONN_MAX_WAIT_STATE})."
if [ ${FIND} -gt ${OPTIONS_CONN_MAX_WAIT_STATE} ]; then
Display --indent 2 --text "- Checking waiting connections" --result WARNING --color YELLOW
Display --indent 2 --text "- Checking waiting connections" --result "${STATUS_WARNING}" --color YELLOW
ReportSuggestion "${TEST_NO}" "Determine why system has many connections in WAIT state (${FIND})"
else
Display --indent 2 --text "- Checking waiting connections" --result OK --color GREEN
Display --indent 2 --text "- Checking waiting connections" --result "${STATUS_OK}" --color GREEN
LogText "Result: ${FIND} connections are in WAIT state"
fi
fi
@ -592,7 +592,7 @@
if [ ${SKIPTEST} -eq 0 ]; then
IsRunning dhclient
if [ ${RUNNING} -eq 1 ]; then
Display --indent 2 --text "- Checking status DHCP client" --result RUNNING --color WHITE
Display --indent 2 --text "- Checking status DHCP client" --result "${STATUS_RUNNING}" --color WHITE
DHCP_CLIENT_RUNNING=1
else
Display --indent 2 --text "- Checking status DHCP client" --result "NOT ACTIVE" --color WHITE
@ -608,9 +608,9 @@
IsRunning arpwatch
if [ ${RUNNING} -eq 1 ]; then
ARPWATCH_RUNNING=1
Display --indent 2 --text "- Checking for ARP monitoring software" --result RUNNING --color GREEN
Display --indent 2 --text "- Checking for ARP monitoring software" --result "${STATUS_RUNNING}" --color GREEN
else
Display --indent 2 --text "- Checking for ARP monitoring software" --result "NOT FOUND" --color YELLOW
Display --indent 2 --text "- Checking for ARP monitoring software" --result "${STATUS_NOT_FOUND}" --color YELLOW
ReportSuggestion ${TEST_NO} "Install ARP monitoring software like arpwatch"
fi
fi


@ -79,11 +79,11 @@
done
if [ ! "${PHPINIFILE}" = "" ]; then
Display --indent 2 --text "- Checking PHP" --result "FOUND" --color GREEN
Display --indent 2 --text "- Checking PHP" --result "${STATUS_FOUND}" --color GREEN
LogText "Result: using single file ${PHPINIFILE} for main php.ini tests"
LogText "Result: using php.ini array ${PHPINI_ALLFILES} for further tests"
else
Display --indent 2 --text "- Checking PHP" --result "NOT FOUND" --color WHITE
Display --indent 2 --text "- Checking PHP" --result "${STATUS_NOT_FOUND}" --color WHITE
LogText "Result: no php.ini file found"
fi
fi
@ -116,13 +116,13 @@
done
if [ ${FOUND} -eq 0 ]; then
LogText "Result: all PHP functions can be executed"
Display --indent 4 --text "- Checking PHP disabled functions" --result "NONE" --color YELLOW
Display --indent 4 --text "- Checking PHP disabled functions" --result "${STATUS_NONE}" --color YELLOW
ReportSuggestion ${TEST_NO} "Harden PHP by disabling risky functions"
LogText "Functions of interest to research/disable: chown, diskfreespace, disk_free_space, disk_total_space, dl, exec, escapeshellarg, escapeshellcmd, fileinode, highlight_file, max_execution_time, passthru, pclose, phpinfo, popen, proc_close, proc_open, proc_get_status, proc_nice, proc_open, proc_terminate, set_time_limit, shell_exec, show_source, system)"
AddHP 0 1
else
LogText "Result: one or more PHP functions are disabled/blacklisted"
Display --indent 4 --text "- Checking PHP disabled functions" --result "FOUND" --color GREEN
Display --indent 4 --text "- Checking PHP disabled functions" --result "${STATUS_FOUND}" --color GREEN
AddHP 3 3
fi
fi
@ -154,13 +154,13 @@
LogText "Test: Checking PHP register_globals option"
FIND=`egrep -i 'register_globals.*(on|yes|1)' ${PHPINIFILE} | grep -v '^;'`
if [ ! "${FIND}" = "" ]; then
Display --indent 4 --text "- Checking register_globals option" --result WARNING --color RED
Display --indent 4 --text "- Checking register_globals option" --result "${STATUS_WARNING}" --color RED
ReportWarning ${TEST_NO} "M" "PHP option register_globals option is turned on, which can be a risk for variable value overwriting"
ReportSuggestion ${TEST_NO} "Change the register_globals line to: register_globals = Off"
LogText "Result: register_globals option is turned on, which can be a risk for variable value overwriting."
AddHP 1 2
else
Display --indent 4 --text "- Checking register_globals option" --result OK --color GREEN
Display --indent 4 --text "- Checking register_globals option" --result "${STATUS_OK}" --color GREEN
LogText "Result: No 'register_globals' found. Most likely it is in disabled state (0, no, or off), which is the default nowadays and considered the safe value."
ReportManual ${TEST_NO}:01
AddHP 2 2
@ -178,13 +178,13 @@
LogText "Test: Checking expose_php option"
FIND=`egrep -i 'expose_php.*(off|no|0)' ${PHPINIFILE} | grep -v '^;'`
if [ "${FIND}" = "" ]; then
Display --indent 4 --text "- Checking expose_php option" --result ON --color RED
Display --indent 4 --text "- Checking expose_php option" --result "${STATUS_ON}" --color RED
ReportWarning ${TEST_NO} "M" "PHP option expose_php is possibly turned on, which can reveal useful information for attackers."
ReportSuggestion ${TEST_NO} "Change the expose_php line to: expose_php = Off"
Report "Result: expose_php option is turned on, which can expose useful information for an attacker"
AddHP 1 2
else
Display --indent 4 --text "- Checking expose_php option" --result OFF --color GREEN
Display --indent 4 --text "- Checking expose_php option" --result "${STATUS_OFF}" --color GREEN
LogText "Result: Found 'expose_php' in disabled state (0, no, or off)"
AddHP 2 2
fi
@ -202,12 +202,12 @@
LogText "Test: Checking PHP enable_dl option"
FIND=`egrep -i 'enable_dl.*(off|no|0)' ${PHPINIFILE} | grep -v '^;'`
if [ "${FIND}" = "" ]; then
Display --indent 4 --text "- Checking enable_dl option" --result ON --color YELLOW
Display --indent 4 --text "- Checking enable_dl option" --result "${STATUS_ON}" --color YELLOW
Report "Result: enable_dl option is turned on, which can be used for riskful downloads via PHP"
ReportSuggestion ${TEST_NO} "Change the enable_dl line to: enable_dl = Off, to disable downloads via PHP"
AddHP 0 1
else
Display --indent 4 --text "- Checking enable_dl option" --result OFF --color GREEN
Display --indent 4 --text "- Checking enable_dl option" --result "${STATUS_OFF}" --color GREEN
LogText "Result: Found 'enable_dl' in disabled state (0, no, or off)"
AddHP 2 2
fi
@ -225,12 +225,12 @@
LogText "Test: Checking PHP allow_url_fopen option"
FIND=`egrep -i 'allow_url_fopen.*(off|no|0)' ${PHPINIFILE} | grep -v '^;'`
if [ "${FIND}" = "" ]; then
Display --indent 4 --text "- Checking allow_url_fopen option" --result ON --color YELLOW
Display --indent 4 --text "- Checking allow_url_fopen option" --result "${STATUS_ON}" --color YELLOW
Report "Result: allow_url_fopen option is turned on, which can be used for riskful downloads via PHP"
ReportSuggestion ${TEST_NO} "Change the allow_url_fopen line to: allow_url_fopen = Off, to disable downloads via PHP"
AddHP 0 1
else
Display --indent 4 --text "- Checking allow_url_fopen option" --result OFF --color GREEN
Display --indent 4 --text "- Checking allow_url_fopen option" --result "${STATUS_OFF}" --color GREEN
LogText "Result: Found 'allow_url_fopen' in disabled state (0, no, or off)"
AddHP 2 2
fi
@ -248,12 +248,12 @@
LogText "Test: Checking PHP allow_url_include option"
FIND=`egrep -i 'allow_url_include.*(off|no|0)' ${PHPINIFILE} | grep -v '^;'`
if [ "${FIND}" = "" ]; then
Display --indent 4 --text "- Checking allow_url_include option" --result ON --color YELLOW
Display --indent 4 --text "- Checking allow_url_include option" --result "${STATUS_ON}" --color YELLOW
Report "Result: allow_url_include option is turned on, which can be used for riskful downloads via PHP"
ReportSuggestion ${TEST_NO} "Change the allow_url_include line to: allow_url_include = Off, to disable downloads via PHP"
AddHP 0 1
else
Display --indent 4 --text "- Checking allow_url_include option" --result OFF --color GREEN
Display --indent 4 --text "- Checking allow_url_include option" --result "${STATUS_OFF}" --color GREEN
LogText "Result: Found 'allow_url_include' in disabled state (0, no, or off)"
AddHP 2 2
fi
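Review bot: Nothing in these hunks guards against an unset or empty status variable, so a `--result "${STATUS_WARNING}"` or `--result "${STATUS_ON}"` that expands to nothing would print a failed check (for example the register_globals and expose_php findings) with a blank status on screen. The variable definitions are outside this view, so this may already be handled; if it is not, a call-site fallback such as `--result "${STATUS_WARNING:-WARNING}"`, or defaults assigned once before any language file is loaded, keeps the finding visible. The LogText, Report and ReportWarning lines still carry literal English, so log and report content looks unaffected by the change. Several of the surrounding if-blocks begin or end outside the hunks shown.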


@ -42,7 +42,7 @@
if [ ${SKIPTEST} -eq 0 ]; then
FIND=`pkg -N 2>&1; echo $?`
if [ "${FIND}" = "0" ]; then
Display --indent 4 --text "- Searching packages with pkg" --result FOUND --color GREEN
Display --indent 4 --text "- Searching packages with pkg" --result "${STATUS_FOUND}" --color GREEN
Report "package_manager[]=pkg"
PACKAGE_MGR_PKG=1
LogText "Result: Found pkg"
@ -67,7 +67,7 @@
Register --test-no PKGS-7302 --preqs-met ${PREQS_MET} --weight L --network NO --description "Query FreeBSD/NetBSD pkg_info"
if [ ${SKIPTEST} -eq 0 ]; then
N=0
Display --indent 4 --text "- Checking pkg_info" --result FOUND --color GREEN
Display --indent 4 --text "- Checking pkg_info" --result "${STATUS_FOUND}" --color GREEN
LogText "Result: Found pkg_info"
Report "package_manager[]=pkg_info"
LogText "Test: Querying pkg_info to get package list"
@ -93,7 +93,7 @@
if [ ! "${FIND}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PKGS-7303 --preqs-met ${PREQS_MET} --weight L --network NO --description "Query brew package manager"
if [ ${SKIPTEST} -eq 0 ]; then
Display --indent 4 --text "- Searching brew" --result FOUND --color GREEN
Display --indent 4 --text "- Searching brew" --result "${STATUS_FOUND}" --color GREEN
LogText "Result: Found brew"
Report "package_manager[]=brew"
LogText "Test: Querying brew to get package list"
@ -115,7 +115,7 @@
if [ -x /usr/bin/emerge -a -x /usr/bin/equery ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PKGS-7304 --preqs-met ${PREQS_MET} --weight L --network NO --description "Querying Gentoo packages"
if [ ${SKIPTEST} -eq 0 ]; then
Display --indent 4 --text "- Searching emerge" --result FOUND --color GREEN
Display --indent 4 --text "- Searching emerge" --result "${STATUS_FOUND}" --color GREEN
LogText "Result: Found Gentoo emerge"
Report "package_manager[]=emerge"
LogText "Test: Querying portage to get package list"
@ -138,7 +138,7 @@
if [ -x /usr/bin/pkginfo ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PKGS-7306 --os Solaris --preqs-met ${PREQS_MET} --weight L --network NO --description "Querying Solaris packages"
if [ ${SKIPTEST} -eq 0 ]; then
Display --indent 4 --text "- Searching pkginfo" --result FOUND --color GREEN
Display --indent 4 --text "- Searching pkginfo" --result "${STATUS_FOUND}" --color GREEN
LogText "Result: Found Solaris pkginfo"
Report "package_manager[]=pkginfo"
LogText "Test: Querying pkginfo to get package list"
@ -162,7 +162,7 @@
Register --test-no PKGS-7308 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking package list with RPM"
if [ ${SKIPTEST} -eq 0 ]; then
N=0
Display --indent 4 --text "- Searching RPM package manager" --result FOUND --color GREEN
Display --indent 4 --text "- Searching RPM package manager" --result "${STATUS_FOUND}" --color GREEN
LogText "Result: Found rpm binary (${RPMBINARY})"
Report "package_manager[]=rpm"
LogText "Test: Querying 'rpm -qa' to get package list"
@ -195,7 +195,7 @@
Register --test-no PKGS-7310 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking package list with pacman"
if [ ${SKIPTEST} -eq 0 ]; then
N=0
Display --indent 4 --text "- Searching pacman package manager" --result FOUND --color GREEN
Display --indent 4 --text "- Searching pacman package manager" --result "${STATUS_FOUND}" --color GREEN
LogText "Result: Found pacman binary (${PACMANBINARY})"
Report "package_manager[]=pacman"
LogText "Test: Querying 'pacman -Q' to get package list"
@ -309,9 +309,9 @@
FIND=`${ZYPPERBINARY} -n pchk | grep "(0 security patches)"`
if [ ! "${FIND}" = "" ]; then
LogText "Result: No security updates found with Zypper"
Display --indent 2 --text "- Using Zypper to find vulnerable packages" --result NONE --color GREEN
Display --indent 2 --text "- Using Zypper to find vulnerable packages" --result "${STATUS_NONE}" --color GREEN
else
Display --indent 2 --text "- Using Zypper to find vulnerable packages" --result WARNING --color RED
Display --indent 2 --text "- Using Zypper to find vulnerable packages" --result "${STATUS_WARNING}" --color RED
LogText "Result: Zypper found one or more installed packages which are vulnerable."
ReportWarning ${TEST_NO} "H" "Found one or more vulnerable packages installed"
# Unfortunately zypper does not properly give back which package it is. Usually best guess is last word on the line
@ -335,7 +335,7 @@
Register --test-no PKGS-7345 --preqs-met ${PREQS_MET} --weight L --network NO --description "Querying dpkg"
if [ ${SKIPTEST} -eq 0 ]; then
N=0
Display --indent 4 --text "- Searching dpkg package manager" --result FOUND --color GREEN
Display --indent 4 --text "- Searching dpkg package manager" --result "${STATUS_FOUND}" --color GREEN
LogText "Result: Found dpkg binary"
Report "package_manager[]=dpkg"
LogText "Test: Querying dpkg -l to get package list"
@ -366,10 +366,10 @@
LogText "Test: Querying dpkg -l to get unpurged packages"
SPACKAGES=`dpkg -l 2>/dev/null | grep "^rc" | cut -d ' ' -f3 | sort`
if [ "${SPACKAGES}" = "" ]; then
Display --indent 4 --text "- Query unpurged packages" --result NONE --color GREEN
Display --indent 4 --text "- Query unpurged packages" --result "${STATUS_NONE}" --color GREEN
LogText "Result: no packages found with left overs"
else
Display --indent 4 --text "- Query unpurged packages" --result FOUND --color YELLOW
Display --indent 4 --text "- Query unpurged packages" --result "${STATUS_FOUND}" --color YELLOW
LogText "Result: found one or more packages with left over configuration files, cron jobs etc"
LogText "Output:"
for J in ${SPACKAGES}; do
@ -394,10 +394,10 @@
if [ -x /usr/local/sbin/portsclean ]; then
FIND=`/usr/local/sbin/portsclean -n -DD | grep 'Delete' | wc -l | tr -d ' '`
if [ ${FIND} -eq 0 ]; then
Display --indent 2 --text "- Checking presence old distfiles" --result OK --color GREEN
Display --indent 2 --text "- Checking presence old distfiles" --result "${STATUS_OK}" --color GREEN
LogText "Result: no unused distfiles found"
else
Display --indent 2 --text "- Checking presence old distfiles" --result WARNING --color YELLOW
Display --indent 2 --text "- Checking presence old distfiles" --result "${STATUS_WARNING}" --color YELLOW
LogText "Result: found ${FIND} unused distfiles"
ReportSuggestion ${TEST_NO} "Unused distfiles found. Use portsclean to delete these files. For example: portsclean -DD."
fi
@ -412,7 +412,7 @@
if [ ! "${DNFBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no "PKGS-7350" --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking for installed packages with DNF utility"
if [ ${SKIPTEST} -eq 0 ]; then
Display --indent 4 --text "- Searching DNF package manager" --result FOUND --color GREEN
Display --indent 4 --text "- Searching DNF package manager" --result "${STATUS_FOUND}" --color GREEN
LogText "Result: found DNF (Dandified YUM) utility (binary: ${DNFBINARY})"
Report "package_manager[]=dnf"
Display --indent 6 --text "- Querying DNF package manager"
@ -448,11 +448,11 @@
AddHP 1 2
done
ReportWarning ${TEST_NO} "H" "Found one or more vulnerable packages. Run: dnf upgrade"
Display --indent 2 --text "- Using DNF to find vulnerable packages" --result WARNING --color RED
Display --indent 2 --text "- Using DNF to find vulnerable packages" --result "${STATUS_WARNING}" --color RED
else
LogText "Result: no security updates found"
Display --indent 2 --text "- Using DNF to find vulnerable packages" --result NONE --color GREEN
Display --indent 2 --text "- Using DNF to find vulnerable packages" --result "${STATUS_NONE}" --color GREEN
AddHP 5 5
fi
fi
@ -490,24 +490,24 @@
if [ ${SKIPTEST} -eq 0 ]; then
if [ ! "${DEBSECANBINARY}" = "" ]; then
LogText "Result: debsecan utility is installed"
Display --indent 4 --text "- debsecan utility" --result "FOUND" --color GREEN
Display --indent 4 --text "- debsecan utility" --result "${STATUS_FOUND}" --color GREEN
AddHP 3 3
PACKAGE_AUDIT_TOOL_FOUND=1
PACKAGE_AUDIT_TOOL="debsecan"
FIND=`find /etc/cron* -name debsecan`
if [ ! ${FIND} = "" ]; then
LogText "Result: cron job is configured for debsecan"
Display --indent 6 --text "- debsecan cron job" --result "FOUND" --color GREEN
Display --indent 6 --text "- debsecan cron job" --result "${STATUS_FOUND}" --color GREEN
AddHP 3 3
else
LogText "Result: no cron job is configured for debsecan"
Display --indent 4 --text "- debsecan cron job" --result "NOT FOUND" --color YELLOW
Display --indent 4 --text "- debsecan cron job" --result "${STATUS_NOT_FOUND}" --color YELLOW
AddHP 1 3
ReportSuggestion ${TEST_NO} "Check debsecan cron job and ensure it is enabled"
fi
else
LogText "Result: debsecan is not installed."
Display --indent 4 --text "- debsecan utility" --result "NOT FOUND" --color YELLOW
Display --indent 4 --text "- debsecan utility" --result "${STATUS_NOT_FOUND}" --color YELLOW
AddHP 0 2
ReportSuggestion ${TEST_NO} "Install debsecan to check for vulnerabilities on installed packages."
fi
@ -523,17 +523,17 @@
if [ ${SKIPTEST} -eq 0 ]; then
if [ ! "${DEBSUMSBINARY}" = "" ]; then
LogText "Result: debsums utility is installed"
Display --indent 4 --text "- debsums utility" --result "FOUND" --color GREEN
Display --indent 4 --text "- debsums utility" --result "${STATUS_FOUND}" --color GREEN
AddHP 1 1
# Check in /etc/cron.hourly, daily, weekly, monthly etc
COUNT=`find /etc/cron* -name debsums | wc -l`
if [ ${COUNT} -gt 0 ]; then
LogText "Result: Cron job is configured for debsums utility."
Display --indent 6 --text "- Cron job for debsums" --result "FOUND" --color GREEN
Display --indent 6 --text "- Cron job for debsums" --result "${STATUS_FOUND}" --color GREEN
AddHP 3 3
else
LogText "Result: Cron job is not configured for debsums utility."
Display --indent 6 --text "- Cron job for debsums" --result "NOT FOUND" --color YELLOW
Display --indent 6 --text "- Cron job for debsums" --result "${STATUS_NOT_FOUND}" --color YELLOW
AddHP 1 3
ReportSuggestion "${TEST_NO}" "Check debsums configuration and enable checking regurlarly via a cron job."
fi
@ -562,9 +562,9 @@
Report "upgrade_available_count=${N}"
if [ ${N} -eq 0 ]; then
LogText "Result: no upgrades found"
Display --indent 2 --text "- Checking portmaster for updates" --result NONE --color GREEN
Display --indent 2 --text "- Checking portmaster for updates" --result "${STATUS_NONE}" --color GREEN
else
Display --indent 2 --text "- Checking portmaster for updates" --result FOUND --color YELLOW
Display --indent 2 --text "- Checking portmaster for updates" --result "${STATUS_FOUND}" --color YELLOW
fi
fi
#
@ -581,10 +581,10 @@
FIND=`/usr/sbin/pkg_admin audit`
if [ "${FIND}" = "" ]; then
LogText "Result: pkg audit results are clean"
Display --indent 2 --text "- Checking pkg_admin audit to obtain vulnerable packages" --result NONE --color GREEN
Display --indent 2 --text "- Checking pkg_admin audit to obtain vulnerable packages" --result "${STATUS_NONE}" --color GREEN
AddHP 2 2
else
Display --indent 2 --text "- Checking pkg_admin audit to obtain vulnerable packages" --result WARNING --color RED
Display --indent 2 --text "- Checking pkg_admin audit to obtain vulnerable packages" --result "${STATUS_WARNING}" --color RED
LogText "Result: pkg_admin audit found one or more installed packages which are vulnerable."
ReportWarning ${TEST_NO} "M" "Found one or more vulnerable packages."
LogText "List of vulnerable packages/version:"
@ -602,7 +602,7 @@
fi
else
Display --indent 2 --text "- pkg_admin audit not installed" --result "NOT FOUND" --color WHITE
Display --indent 2 --text "- pkg_admin audit not installed" --result "${STATUS_NOT_FOUND}" --color WHITE
LogText "Result: pkg_admin audit not installed, skipping this vulnerability test."
fi
fi
@ -620,13 +620,13 @@
PACKAGE_AUDIT_TOOL="pkg audit"
if [ "${FIND}" = "" ]; then
LogText "Result: pkg audit results are clean"
Display --indent 2 --text "- Checking pkg audit to obtain vulnerable packages" --result NONE --color GREEN
Display --indent 2 --text "- Checking pkg audit to obtain vulnerable packages" --result "${STATUS_NONE}" --color GREEN
else
LogText "Result: ${FIND}"
VULNERABLE_PACKAGES_FOUND=1
Display --indent 2 --text "- Checking pkg audit to obtain vulnerable packages" --result FOUND --color YELLOW
Display --indent 2 --text "- Checking pkg audit to obtain vulnerable packages" --result "${STATUS_FOUND}" --color YELLOW
ReportSuggestion ${TEST_NO} "Check output of pkg audit"
#Display --indent 2 --text "- Checking pkg audit to obtain vulnerable packages" --result WARNING --color RED
#Display --indent 2 --text "- Checking pkg audit to obtain vulnerable packages" --result "${STATUS_WARNING}" --color RED
#LogText "Result: pkg audit found one or more installed packages which are vulnerable."
#ReportWarning ${TEST_NO} "M" "Found one or more vulnerable packages."
#ReportSuggestion ${TEST_NO} "Update your system with portupgrade or other tools"
@ -639,7 +639,7 @@
#done
fi
else
Display --indent 2 --text "- pkg audit not installed" --result "NOT FOUND" --color WHITE
Display --indent 2 --text "- pkg audit not installed" --result "${STATUS_NOT_FOUND}" --color WHITE
LogText "Result: pkg audit not installed, skipping this vulnerability test."
fi
fi
@ -656,9 +656,9 @@
FIND=`/usr/local/sbin/portaudit | grep 'problem(s) in your installed packages found' | grep -v '0 problem(s) in your installed packages found'`
if [ "${FIND}" = "" ]; then
LogText "Result: Portaudit results are clean"
Display --indent 2 --text "- Checking portaudit to obtain vulnerable packages" --result NONE --color GREEN
Display --indent 2 --text "- Checking portaudit to obtain vulnerable packages" --result "${STATUS_NONE}" --color GREEN
else
Display --indent 2 --text "- Checking portaudit to obtain vulnerabilities" --result WARNING --color RED
Display --indent 2 --text "- Checking portaudit to obtain vulnerabilities" --result "${STATUS_WARNING}" --color RED
LogText "Result: Portaudit found one or more installed packages which are vulnerable."
ReportWarning ${TEST_NO} "M" "Found one or more vulnerable packages."
ReportSuggestion ${TEST_NO} "Update your system with portupgrade or other tools"
@ -685,12 +685,12 @@
sFIND=`${YUMBINARY} repolist 2>/dev/null | grep repolist | sed 's/ //g' | sed 's/[,.]//g' | awk -F ":" '{print $2}'`
if [ "$(echo ${sFIND} | egrep "^[0-9]+$")" -a "${sFIND}" = "0" ]; then
LogText "Result: YUM package update management failed"
Display --indent 2 --text "- Checking YUM package management consistency" --result WARNING --color RED
Display --indent 2 --text "- Checking YUM package management consistency" --result "${STATUS_WARNING}" --color RED
ReportWarning ${TEST_NO} "M" "YUM is not properly configured or registered for this platform (no repolist found)"
#ReportSuggestion ${TEST_NO} "Check YUM registration for repository configuration (repolist)"
else
LogText "Result: YUM repository available (${sFIND})"
Display --indent 2 --text "- Checking YUM package management consistency" --result OK --color GREEN
Display --indent 2 --text "- Checking YUM package management consistency" --result "${STATUS_OK}" --color GREEN
fi
fi
#
@ -708,10 +708,10 @@
FIND=`/usr/bin/package-cleanup -q --dupes > /dev/null; echo $?`
if [ "${FIND}" = "0" ]; then
LogText "Result: No duplicate packages found"
Display --indent 2 --text "- Checking package database duplicates" --result OK --color GREEN
Display --indent 2 --text "- Checking package database duplicates" --result "${STATUS_OK}" --color GREEN
else
LogText "Result: One or more duplicate packages found"
Display --indent 2 --text "- Checking package database duplicates" --result WARNING --color RED
Display --indent 2 --text "- Checking package database duplicates" --result "${STATUS_WARNING}" --color RED
ReportWarning ${TEST_NO} "L" "Found one or more duplicate packages installed"
ReportSuggestion ${TEST_NO} "Run package-cleanup to solve duplicate package problems"
fi
@ -721,15 +721,15 @@
FIND=`/usr/bin/package-cleanup --problems > /dev/null; echo $?`
if [ "${FIND}" = "0" ]; then
LogText "Result: No package database problems found"
Display --indent 2 --text "- Checking package database for problems" --result OK --color GREEN
Display --indent 2 --text "- Checking package database for problems" --result "${STATUS_OK}" --color GREEN
else
LogText "Result: One or more problems found in package database"
Display --indent 2 --text "- Checking package database for problems" --result WARNING --color RED
Display --indent 2 --text "- Checking package database for problems" --result "${STATUS_WARNING}" --color RED
ReportWarning ${TEST_NO} "L" "Found one or more problems in the package database"
ReportSuggestion ${TEST_NO} "Run package-cleanup to solve package problems"
fi
else
Display --indent 2 --text "- yum-utils package not installed" --result SUGGESTION --color YELLOW
Display --indent 2 --text "- yum-utils package not installed" --result "${STATUS_SUGGESTION}" --color YELLOW
LogText "Result: YUM utils package not found"
ReportSuggestion ${TEST_NO} "Install package 'yum-utils' for better consistency checking of the package database"
fi
@ -793,10 +793,10 @@
FIND2=`/usr/bin/yum list-sec security | awk '{ if($2=="security" || $2~"Sec") print $3","$5 }'`
if [ "${FIND2}" = "" ]; then
LogText "Result: no vulnerable packages found"
Display --indent 2 --text "- Checking missing security packages" --result OK --color GREEN
Display --indent 2 --text "- Checking missing security packages" --result "${STATUS_OK}" --color GREEN
else
LogText "Result: found vulnerable package(s)"
Display --indent 2 --text "- Checking missing security packages" --result WARNING --color RED
Display --indent 2 --text "- Checking missing security packages" --result "${STATUS_WARNING}" --color RED
for I in ${FIND2}; do
VULNERABLE_PACKAGES_FOUND=1
Report "vulnerable_package[]=${I}"
@ -808,7 +808,7 @@
fi
else
LogText "Result: yum-security package not found"
Display --indent 2 --text "- Checking missing security packages" --result SKIPPED --color YELLOW
Display --indent 2 --text "- Checking missing security packages" --result "${STATUS_SKIPPED}" --color YELLOW
ReportSuggestion ${TEST_NO} "Install package yum-plugin-security if possible, to maintain security updates easier (yum install yum-plugin-security)"
fi
fi
@ -827,9 +827,9 @@
SearchItem "^gpgcheck=1$" "/etc/yum.conf"; if [ ${ITEM_FOUND} -eq 1 ]; then FOUND=1; fi
if [ ${FOUND} -eq 1 ]; then
LogText "Result: GPG check is enabled"
Display --indent 2 --text "- Checking GPG checks (yum.conf)" --result OK --color GREEN
Display --indent 2 --text "- Checking GPG checks (yum.conf)" --result "${STATUS_OK}" --color GREEN
else
Display --indent 2 --text "- Checking GPG checks (yum.conf)" --result DISABLED --color RED
Display --indent 2 --text "- Checking GPG checks (yum.conf)" --result "${STATUS_DISABLED}" --color RED
ReportWarning ${TEST_NO} "M" "No GPG signing option found in yum.conf"
fi
fi
@ -849,7 +849,7 @@
FIND=`egrep "security.debian.org|security.ubuntu.com|-security " /etc/apt/sources.list | grep -v '#' | sed 's/ /!space!/g'`
if [ ! "${FIND}" = "" ]; then
FOUND=1
Display --indent 2 --text "- Checking security repository in sources.list file" --result OK --color GREEN
Display --indent 2 --text "- Checking security repository in sources.list file" --result "${STATUS_OK}" --color GREEN
LogText "Result: Found security repository in /etc/apt/sources.list"
for I in ${FIND}; do
I=`echo ${I} | sed 's/!space!/ /g'`
@ -862,7 +862,7 @@
FIND=`egrep -r "security.debian.org|security.ubuntu.com|-security " /etc/apt/sources.list.d | grep -v '#' | sed 's/ /!space!/g'`
if [ ! "${FIND}" = "" ]; then
FOUND=1
Display --indent 2 --text "- Checking security repository in sources.list.d directory" --result OK --color GREEN
Display --indent 2 --text "- Checking security repository in sources.list.d directory" --result "${STATUS_OK}" --color GREEN
LogText "Result: Found security repository in one or more files in directory /etc/apt/sources.list.d"
for I in ${FIND}; do
I=`echo ${I} | sed 's/!space!/ /g'`
@ -874,7 +874,7 @@
LogText "Result: security repository was found"
AddHP 3 3
else
Display --indent 2 --text "- Checking security repository in sources.list file or directory" --result WARNING --color RED
Display --indent 2 --text "- Checking security repository in sources.list file or directory" --result "${STATUS_WARNING}" --color RED
ReportWarning ${TEST_NO} "M" "Can't find any security repository in /etc/apt/sources.list or sources.list.d directory"
AddHP 0 3
fi
@ -893,11 +893,11 @@
LogText "Test: Package database consistency by running apt-get check"
FIND=`/usr/bin/apt-get -q=2 check 2> /dev/null; echo $?`
if [ "${FIND}" = "0" ]; then
Display --indent 2 --text "- Checking APT package database" --result OK --color GREEN
Display --indent 2 --text "- Checking APT package database" --result "${STATUS_OK}" --color GREEN
LogText "Result: package database seems to be consistent."
else
LogText "Result: package database is most likely NOT consistent"
Display --indent 2 --text "- Checking APT package database" --result WARNING --color RED
Display --indent 2 --text "- Checking APT package database" --result "${STATUS_WARNING}" --color RED
ReportWarning ${TEST_NO} "M" "apt-get check returned a non successful exit code."
ReportSuggestion ${TEST_NO} "Run apt-get to perform a manual package database consistency check."
fi
@ -965,13 +965,13 @@
if [ ${VULNERABLE_PACKAGES_FOUND} -eq 1 ]; then
ReportWarning ${TEST_NO} "M" "Found one or more vulnerable packages."
ReportSuggestion ${TEST_NO} "Update your system with apt-get update, apt-get upgrade, apt-get dist-upgrade and/or unattended-upgrades"
Display --indent 2 --text "- Checking vulnerable packages" --result WARNING --color RED
Display --indent 2 --text "- Checking vulnerable packages" --result "${STATUS_WARNING}" --color RED
else
Display --indent 2 --text "- Checking vulnerable packages" --result OK --color GREEN
Display --indent 2 --text "- Checking vulnerable packages" --result "${STATUS_OK}" --color GREEN
LogText "Result: no vulnerable packages found"
fi
else
Display --indent 2 --text "- Checking vulnerable packages (apt-get only)" --result DONE --color GREEN
Display --indent 2 --text "- Checking vulnerable packages (apt-get only)" --result "${STATUS_DONE}" --color GREEN
LogText "Result: test not fully executed (missing apt-check output)"
fi
fi
@ -1007,10 +1007,10 @@
else
if [ "${FIND}" = "0" ]; then
LogText "Result; no vulnerable packages found via glsa-check"
Display --indent 2 --text "- Checking vulnerable packages (glsa-check)" --result OK --color GREEN
Display --indent 2 --text "- Checking vulnerable packages (glsa-check)" --result "${STATUS_OK}" --color GREEN
else
VULNERABLE_PACKAGES_FOUND=1
Display --indent 2 --text "- Checking vulnerable packages (glsa-check)" --result FOUND --color RED
Display --indent 2 --text "- Checking vulnerable packages (glsa-check)" --result "${STATUS_FOUND}" --color RED
LogText "Result: found ${FIND} security updates with glsa-check"
ReportWarning "${TEST_NO}" "H" "Found ${FIND} security update(s) with glsa-check."
LogText "Notes: Run 'glsa-check -t all' to see which GLSA(s) were identified."
@ -1037,11 +1037,11 @@
FIND=`/usr/bin/apt-show-versions -u | sed 's/ /!space!/g'`
if [ "${FIND}" = "" ]; then
LogText "Result: no packages found which can be upgraded"
Display --indent 2 --text "- Checking upgradeable packages" --result NONE --color GREEN
Display --indent 2 --text "- Checking upgradeable packages" --result "${STATUS_NONE}" --color GREEN
AddHP 3 3
else
LogText "Result: found one or more packages which can be upgraded"
Display --indent 2 --text "- Checking upgradeable packages" --result FOUND --color YELLOW
Display --indent 2 --text "- Checking upgradeable packages" --result "${STATUS_FOUND}" --color YELLOW
# output: program/repository upgradeable from version X to Y
for I in ${FIND}; do
I=`echo ${I} | sed 's/!space!/ /g'`
@ -1050,7 +1050,7 @@
fi
else
LogText "Result: /usr/bin/apt-show-versions not found"
Display --indent 2 --text "- Checking upgradeable packages" --result SKIPPED --color WHITE
Display --indent 2 --text "- Checking upgradeable packages" --result "${STATUS_SKIPPED}" --color WHITE
ReportSuggestion ${TEST_NO} "Install package apt-show-versions for patch management purposes"
fi
fi
@ -1064,7 +1064,7 @@
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: checking for package audit tool"
if [ ${PACKAGE_AUDIT_TOOL_FOUND} -eq 0 ]; then
Display --indent 2 --text "- Checking package audit tool" --result NONE --color RED
Display --indent 2 --text "- Checking package audit tool" --result "${STATUS_NONE}" --color RED
ReportSuggestion ${TEST_NO} "Install a package audit tool to determine vulnerable packages"
LogText "Result: no package audit tool found"
else


@ -44,17 +44,17 @@
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Searching /usr/sbin/chkprintcap"
if [ ! -f /usr/sbin/chkprintcap ]; then
Display --indent 2 --text "- Checking chkprintcap" --result "NOT FOUND" --color WHITE
Display --indent 2 --text "- Checking chkprintcap" --result "${STATUS_NOT_FOUND}" --color WHITE
LogText "Result: /usr/sbin/chkprintcap NOT found, test skipped."
else
LogText "Result: /usr/sbin/chkprintcap found"
FIND=`/usr/sbin/chkprintcap > /dev/null ; echo $?`
# Only an exit code of zero should come back. Use string instead of integer, due unexpected trash
if [ "${FIND}" = "0" ]; then
Display --indent 2 --text "- Integrity check of printcap file" --result OK --color GREEN
Display --indent 2 --text "- Integrity check of printcap file" --result "${STATUS_OK}" --color GREEN
LogText "Result: chkprintcap did NOT gave any warnings"
else
Display --indent 2 --text "- Integrity check of printcap file" --result WARNING --color RED
Display --indent 2 --text "- Integrity check of printcap file" --result "${STATUS_WARNING}" --color RED
ReportSuggestion ${TEST_NO} "Run chkprintcap manually to test printcap file"
LogText "Output from chkprintcap: ${FIND}"
LogText "Run chkprintcap and check the /etc/printcap file."
@ -72,11 +72,11 @@
#FIND=`${PSBINARY} ax | grep "cupsd" | grep -v "grep" | grep -v apcupsd`
IsRunning cupsd
if [ ${RUNNING} -eq 1 ]; then
Display --indent 2 --text "- Checking cups daemon" --result RUNNING --color GREEN
Display --indent 2 --text "- Checking cups daemon" --result "${STATUS_RUNNING}" --color GREEN
LogText "Result: cups daemon running"
CUPSD_RUNNING=1; PRINTING_DAEMON="cups"
else
Display --indent 2 --text "- Checking cups daemon" --result "NOT FOUND" --color WHITE
Display --indent 2 --text "- Checking cups daemon" --result "${STATUS_NOT_FOUND}" --color WHITE
LogText "Result: cups daemon not running, cups daemon tests skipped"
fi
fi
@ -96,11 +96,11 @@
fi
done
if [ ! "${CUPSD_CONFIG_FILE}" = "" ]; then
Display --indent 2 --text "- Checking CUPS configuration file" --result OK --color GREEN
Display --indent 2 --text "- Checking CUPS configuration file" --result "${STATUS_OK}" --color GREEN
LogText "Result: configuration file found (${CUPSD_CONFIG_FILE})"
CUPSD_FOUND=1
else
Display --indent 2 --text "- Checking CUPS configuration file" --result "NOT FOUND" --color RED
Display --indent 2 --text "- Checking CUPS configuration file" --result "${STATUS_NOT_FOUND}" --color RED
LogText "Result: configuration file not found"
LogText "Development: no CUPS configuration file found"
fi
@ -118,10 +118,10 @@
FIND=`ls -l ${CUPSD_CONFIG_FILE} | cut -c 2-10`
LogText "Result: found ${FIND}"
if [ "${FIND}" = "r--------" -o "${FIND}" = "rw-------" -o "${FIND}" = "rw-r-----" -o "${FIND}" = "rw-rw----" ]; then
Display --indent 4 --text "- File permissions" --result "OK" --color GREEN
Display --indent 4 --text "- File permissions" --result "${STATUS_OK}" --color GREEN
AddHP 1 1
else
Display --indent 4 --text "- File permissions" --result "WARNING" --color RED
Display --indent 4 --text "- File permissions" --result "${STATUS_WARNING}" --color RED
ReportSuggestion ${TEST_NO} "Access to CUPS configuration could be more strict."
AddHP 1 2
fi
@ -173,10 +173,10 @@
done
if [ ${N} -eq 0 ]; then
Display --indent 2 --text "- Checking CUPS addresses/sockets" --result "NONE" --color WHITE
Display --indent 2 --text "- Checking CUPS addresses/sockets" --result "${STATUS_NONE}" --color WHITE
LogText "Result: no addresses found on which CUPS daemon is listening"
else
Display --indent 2 --text "- Checking CUPS addresses/sockets" --result "FOUND" --color GREEN
Display --indent 2 --text "- Checking CUPS addresses/sockets" --result "${STATUS_FOUND}" --color GREEN
LogText "Result: CUPS daemon is listening on network/socket"
fi
fi
@ -190,11 +190,11 @@
LogText "Test: Checking lpd status"
IsRunning lpd
if [ ${RUNNING} -eq 1 ]; then
Display --indent 2 --text "- Checking lp daemon" --result RUNNING --color GREEN
Display --indent 2 --text "- Checking lp daemon" --result "${STATUS_RUNNING}" --color GREEN
LogText "Result: lp daemon running"
LPD_RUNNING=1; PRINTING_DAEMON="lp"
else
Display --indent 2 --text "- Checking lp daemon" --result "NOT RUNNING" --color WHITE
Display --indent 2 --text "- Checking lp daemon" --result "${STATUS_NOT_RUNNING}" --color WHITE
LogText "Result: lp daemon not running"
AddHP 4 4
fi
@ -225,7 +225,7 @@
FIND=`grep -v "^\*" ${QDAEMON_CONFIG_FILE} | egrep "backend|device"`
if [ ! "${FIND}" = "" ]; then
LogText "Result: printers are defined in ${QDAEMON_CONFIG_FILE}"
Display --indent 2 --text "- Checking /etc/qconfig file" --result FOUND --color GREEN
Display --indent 2 --text "- Checking /etc/qconfig file" --result "${STATUS_FOUND}" --color GREEN
QDAEMON_CONFIG_ENABLED=1
else
LogText "Result: ${QDAEMON_CONFIG_FILE} is empty. No printers are defined"
@ -246,16 +246,16 @@
IsRunning qdaemon
if [ ${RUNNING} -eq 1 ]; then
LogText "Result: qdaemon daemon running"
Display --indent 2 --text "- Checking qdaemon daemon" --result RUNNING --color GREEN
Display --indent 2 --text "- Checking qdaemon daemon" --result "${STATUS_RUNNING}" --color GREEN
QDAEMON_RUNNING=1; PRINTING_DAEMON="qdaemon"
else
if [ ${QDAEMON_CONFIG_ENABLED} -eq 1 ]; then
LogText "Result: qdaemon daemon not running"
Display --indent 2 --text "- Checking qdaemon daemon" --result "NOT RUNNING" --color RED
Display --indent 2 --text "- Checking qdaemon daemon" --result "${STATUS_NOT_RUNNING}" --color RED
ReportSuggestion ${TEST_NO} "Activate print spooler daemon (qdaemon) in order to process print jobs"
else
LogText "Result: qdaemon daemon not running"
Display --indent 2 --text "- Checking qdaemon daemon" --result "NOT RUNNING" --color WHITE
Display --indent 2 --text "- Checking qdaemon daemon" --result "${STATUS_NOT_RUNNING}" --color WHITE
fi
fi
fi
@ -278,12 +278,12 @@
N=$((N + 1))
done
LogText "Result: Found ${N} old print jobs in /var/spool/lpd/qdir"
Display --indent 4 --text "- Checking old print jobs" --result FOUND --color YELLOW
Display --indent 4 --text "- Checking old print jobs" --result "${STATUS_FOUND}" --color YELLOW
ReportSuggestion ${TEST_NO} "Check old print jobs in /var/spool/lpd/qdir to prevent new jobs from being processed"
LogText "Risk: Failed or defunct print jobs can occupy a lot of space and in some cases, prevent new jobs from being processed"
else
LogText "Result: Old print jobs not found in /var/spool/lpd/qdir"
Display --indent 4 --text "- Checking old print jobs" --result "NONE" --color GREEN
Display --indent 4 --text "- Checking old print jobs" --result "${STATUS_NONE}" --color GREEN
fi
fi
fi
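Review bot: In the chkprintcap hunk (`@ -44,17 +44,17 @`), `LogText "Output from chkprintcap: ${FIND}"` records only the exit status, because the command's stdout is sent to /dev/null and `FIND` captures `echo $?`. Anyone reading the audit log after a WARNING gets a number labelled as output and has to rerun the tool to learn what was wrong with the printcap file. Either label it for what it is, `LogText "Exit code from chkprintcap: ${FIND}"`, or capture the tool's output in a separate variable and log that. The enclosing test starts and ends outside the hunk.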


@ -169,12 +169,12 @@
# Show warning when an issue shows up. Even if *both* the permissions and ownership are wrong, just show one (prevent overload of warnings).
if [ ${BAD_FILE_PERMISSIONS} -eq 1 ]; then
ReportWarning "${TEST_NO}" "Found one or more cronjob files with incorrect file permissions (see log for details)"
Display --indent 2 --text "- Checking crontab/cronjob" --result WARNING --color RED
Display --indent 2 --text "- Checking crontab/cronjob" --result "${STATUS_WARNING}" --color RED
elif [ ${BAD_FILE_OWNERSHIP} -eq 1 ]; then
ReportWarning "${TEST_NO}" "Found one or more cronjob files with incorrect ownership (see log for details)"
Display --indent 2 --text "- Checking crontab/cronjob" --result WARNING --color RED
Display --indent 2 --text "- Checking crontab/cronjob" --result "${STATUS_WARNING}" --color RED
else
Display --indent 2 --text "- Checking crontab/cronjob" --result DONE --color GREEN
Display --indent 2 --text "- Checking crontab/cronjob" --result "${STATUS_DONE}" --color GREEN
fi
fi
@ -189,12 +189,12 @@
FIND=$(${PSBINARY} ax | grep "/atd" | grep -v "grep")
if [ ! "${FIND}" = "" ]; then
LogText "Result: at daemon active"
Display --indent 2 --text "- Checking atd status" --result RUNNING --color GREEN
Display --indent 2 --text "- Checking atd status" --result "${STATUS_RUNNING}" --color GREEN
ATD_RUNNING=1
Report "scheduler[]=atd"
else
LogText "Result: at daemon not active"
if IsVerbose; then Display --indent 2 --text "- Checking atd status" --result "NOT RUNNING" --color WHITE; fi
if IsVerbose; then Display --indent 2 --text "- Checking atd status" --result "${STATUS_NOT_RUNNING}" --color WHITE; fi
fi
fi
#
@ -259,9 +259,9 @@
AddHP 1 1
fi
fi
Display --indent 4 --text "- Checking at users" --result DONE --color GREEN
Display --indent 4 --text "- Checking at users" --result "${STATUS_DONE}" --color GREEN
else
Display --indent 4 --text "- Checking at users" --result SKIPPED --color YELLOW
Display --indent 4 --text "- Checking at users" --result "${STATUS_SKIPPED}" --color YELLOW
fi
fi
#
@ -280,10 +280,10 @@
VALUE=$(echo ${I} | sed 's/!space!/ /g')
LogText "Found at job: ${VALUE}"
done
Display --indent 4 --text "- Checking at jobs" --result FOUND --color GREEN
Display --indent 4 --text "- Checking at jobs" --result "${STATUS_FOUND}" --color GREEN
else
LogText "Result: no pending at jobs"
Display --indent 4 --text "- Checking at jobs" --result NONE --color GREEN
Display --indent 4 --text "- Checking at jobs" --result "${STATUS_NONE}" --color GREEN
fi
fi
#
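Review bot: The two `ReportWarning` calls in the crontab hunk (`@ -169,12 +169,12 @`) pass only the test number and the message, while the other calls on this page put an impact level between them, e.g. `ReportWarning ${TEST_NO} "M" "..."`. ReportWarning's definition is not shown here, so this is inferred, but if the second argument is read as the impact then the message lands in that field and the warning text is empty in the report. Suggest `ReportWarning "${TEST_NO}" "M" "Found one or more cronjob files with incorrect file permissions (see log for details)"`, with whatever impact level fits, and the same for the ownership branch.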


@ -53,10 +53,10 @@
LogText "Test: Checking console TTYs"
FIND=`egrep '^console' /etc/ttys | grep -v 'insecure'`
if [ "${FIND}" = "" ]; then
Display --indent 2 --text "- Checking console TTYs" --result OK --color GREEN
Display --indent 2 --text "- Checking console TTYs" --result "${STATUS_OK}" --color GREEN
LogText "Result: console is secured against single user mode without password."
else
Display --indent 2 --text "- Checking console TTYs" --result WARNING --color RED
Display --indent 2 --text "- Checking console TTYs" --result "${STATUS_WARNING}" --color RED
LogText "Result: Found insecure console in /etc/ttys. Single user mode login without password allowed!"
LogText "Output /etc/ttys:"
LogText "${FIND}"
@ -208,10 +208,10 @@
fi
if [ ${IDLE_TIMEOUT} -eq 1 ]; then
Display --indent 4 --text "- Session timeout settings/tools" --result "FOUND" --color GREEN
Display --indent 4 --text "- Session timeout settings/tools" --result "${STATUS_FOUND}" --color GREEN
AddHP 3 3
else
Display --indent 4 --text "- Session timeout settings/tools" --result "NONE" --color YELLOW
Display --indent 4 --text "- Session timeout settings/tools" --result "${STATUS_NONE}" --color YELLOW
AddHP 1 3
fi
fi
@ -234,7 +234,7 @@
FIND=`grep umask ${FILE} | sed 's/^[ \t]*//g' | sed 's/#.*$//' | grep -v "^$" | awk '{ print $2 }'`
if [ "${FIND}" = "" ]; then
LogText "Result: did not find umask configured in ${FILE}"
Display --indent 4 --text "- Checking default umask in ${FILE}" --result NONE --color YELLOW
Display --indent 4 --text "- Checking default umask in ${FILE}" --result "${STATUS_NONE}" --color YELLOW
else
for UMASKVALUE in ${FIND}; do
LogText "Result: found umask ${UMASKVALUE} in ${FILE}"
@ -249,7 +249,7 @@
esac
done
if [ ${HARDENING_POSSIBLE} -eq 0 ]; then
Display --indent 4 --text "- Checking default umask in ${FILE}" --result OK --color GREEN
Display --indent 4 --text "- Checking default umask in ${FILE}" --result "${STATUS_OK}" --color GREEN
AddHP 3 3
else
Display --indent 4 --text "- Checking default umask in ${FILE}" --result WEAK --color YELLOW
@ -263,7 +263,7 @@
#if [ ${FOUND} -eq 1 ]; then
# if [ ${HARDENING_POSSIBLE} -eq 0 ]; then
# LogText "Result: all shell files found, contain a proper umask"
# Display --indent 4 --text "- Default umask" --result OK --color GREEN
# Display --indent 4 --text "- Default umask" --result "${STATUS_OK}" --color GREEN
# fi
#fi
fi
@ -300,11 +300,11 @@
if [ ! "${VULNERABLE}" = "" ]; then
LogText "Output: ${VULNERABLE}"
LogText "Result: Vulnerable to original shellshock (CVE-2014-6271)"
Display --indent 2 --text "- Shellshock: CVE-2014-6271 (original shellshocker)" --result "WARNING" --color RED
Display --indent 2 --text "- Shellshock: CVE-2014-6271 (original shellshocker)" --result "${STATUS_WARNING}" --color RED
FOUND=1
else
LogText "Result: Not vulnerable to original shellshock (CVE-2014-6271)"
#Display --indent 4 --text "- CVE-2014-6271 (original shellshocker)" --result "OK" --color GREEN
#Display --indent 4 --text "- CVE-2014-6271 (original shellshocker)" --result "${STATUS_OK}" --color GREEN
fi
# CVE-2014-6277 (disabled, as this test was giving too much false positives)
@ -317,11 +317,11 @@
if [ ! "${VULNERABLE}" = "" ]; then
LogText "Output: ${VULNERABLE}"
LogText "Result: Vulnerable to CVE-2014-6278"
Display --indent 2 --text "- Shellshock: CVE-2014-6278 (Florian's patch, lcamtuf bug #2)" --result "WARNING" --color RED
Display --indent 2 --text "- Shellshock: CVE-2014-6278 (Florian's patch, lcamtuf bug #2)" --result "${STATUS_WARNING}" --color RED
FOUND=1
else
LogText "Result: Not vulnerable to CVE-2014-6278"
#Display --indent 4 --text "- CVE-2014-6278 (Florian's patch, lcamtuf bug #2)" --result "OK" --color GREEN
#Display --indent 4 --text "- CVE-2014-6278 (Florian's patch, lcamtuf bug #2)" --result "${STATUS_OK}" --color GREEN
fi
# CVE-2014-7169
@ -332,11 +332,11 @@
if [ ! "${VULNERABLE}" = "" ]; then
LogText "Output: ${VULNERABLE}"
LogText "Result: Vulnerable to taviso bug (CVE-2014-7169)"
Display --indent 2 --text "- Shellshock: CVE-2014-7169 (taviso bug)" --result "WARNING" --color RED
Display --indent 2 --text "- Shellshock: CVE-2014-7169 (taviso bug)" --result "${STATUS_WARNING}" --color RED
FOUND=1
else
LogText "Result: Not vulnerable to taviso bug (CVE-2014-7169)"
#Display --indent 4 --text "- CVE-2014-7169 (taviso bug)" --result "OK" --color GREEN
#Display --indent 4 --text "- CVE-2014-7169 (taviso bug)" --result "${STATUS_OK}" --color GREEN
fi
# CVE-2014-7186
@ -347,11 +347,11 @@
if [ ! "${VULNERABLE}" = "" ]; then
LogText "Output: ${VULNERABLE}"
LogText "Result: Vulnerable to CVE-2014-7186"
Display --indent 2 --text "- Shellshock: CVE-2014-7186 redir_stack bug" --result "WARNING" --color RED
Display --indent 2 --text "- Shellshock: CVE-2014-7186 redir_stack bug" --result "${STATUS_WARNING}" --color RED
FOUND=1
else
LogText "Result: Not vulnerable to CVE-2014-7186"
#Display --indent 4 --text "- CVE-2014-7186 redir_stack bug" --result "OK" --color GREEN
#Display --indent 4 --text "- CVE-2014-7186 redir_stack bug" --result "${STATUS_OK}" --color GREEN
fi
# CVE-2014-7187
@ -362,11 +362,11 @@
if [ ! "${VULNERABLE}" = "" ]; then
LogText "Output: ${VULNERABLE}"
LogText "Result: Vulnerable to CVE-2014-7187"
Display --indent 2 --text "- Shellshock: CVE-2014-7187 nested loops off by one bug" --result "WARNING" --color RED
Display --indent 2 --text "- Shellshock: CVE-2014-7187 nested loops off by one bug" --result "${STATUS_WARNING}" --color RED
FOUND=1
else
LogText "Result: Not vulnerable to CVE-2014-7187"
#Display --indent 4 --text "- CVE-2014-7187 nested loops off by one bug" --result "OK" --color GREEN
#Display --indent 4 --text "- CVE-2014-7187 nested loops off by one bug" --result "${STATUS_OK}" --color GREEN
fi
# CVE-2014-////
@ -377,11 +377,11 @@
if [ ! "${VULNERABLE}" = "" ]; then
LogText "Output: ${VULNERABLE}"
LogText "Result: Vulnerable to CVE-2014-//// (exploit #3 on shellshocker.net)"
Display --indent 2 --text "- Shellshock: Exploit #3 on shellshocker.net (no CVE)" --result "WARNING" --color RED
Display --indent 2 --text "- Shellshock: Exploit #3 on shellshocker.net (no CVE)" --result "${STATUS_WARNING}" --color RED
FOUND=1
else
LogText "Result: Not vulnerable to exploit #3 on shellshocker.net (no CVE)"
#Display --indent 4 --text "- Exploit#3 on shellshocker.net (no CVE)" --result "OK" --color GREEN
#Display --indent 4 --text "- Exploit#3 on shellshocker.net (no CVE)" --result "${STATUS_OK}" --color GREEN
fi
else
LogText "Result: bash binary found, but not executable, or it is symlinked"
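Review bot: The umask hunk (`@ -249,7 +249,7 @`) still ends on `--result WEAK --color YELLOW`, so the one result that tells the operator a umask needs hardening stays hard-coded English while the OK and NONE results beside it are now translatable. If the language file has, or can get, a status variable for it, use it here: `--result "${STATUS_WEAK}"`, with the name to be confirmed against the language file. The `else` branch continues outside the hunk.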


@ -40,10 +40,10 @@
if [ ${RUNNING} -eq 1 ]; then
SNMP_DAEMON_RUNNING=1
LogText "Result: SNMP daemon is running"
Display --indent 2 --text "- Checking running SNMP daemon" --result FOUND --color GREEN
Display --indent 2 --text "- Checking running SNMP daemon" --result "${STATUS_FOUND}" --color GREEN
else
LogText "Result: No running SNMP daemon found"
Display --indent 2 --text "- Checking running SNMP daemon" --result "NOT FOUND" --color WHITE
Display --indent 2 --text "- Checking running SNMP daemon" --result "${STATUS_NOT_FOUND}" --color WHITE
fi
fi
#
@ -63,10 +63,10 @@
done
if [ "${SNMPD_DAEMON_CONFIG}" = "" ]; then
LogText "Result: No snmpd configuration found"
Display --indent 4 --text "- Checking SNMP configuration" --result "NOT FOUND" --color WHITE
Display --indent 4 --text "- Checking SNMP configuration" --result "${STATUS_NOT_FOUND}" --color WHITE
else
LogText "Restult: using last found configuration file: ${SNMPD_DAEMON_CONFIG}"
Display --indent 4 --text "- Checking SNMP configuration" --result "FOUND" --color GREEN
Display --indent 4 --text "- Checking SNMP configuration" --result "${STATUS_FOUND}" --color GREEN
fi
fi
#
@ -91,10 +91,10 @@
# Check status of test
if [ ${WARN} -eq 0 ]; then
Display --indent 2 --text "- Checking SNMP community strings" --result OK --color GREEN
Display --indent 2 --text "- Checking SNMP community strings" --result "${STATUS_OK}" --color GREEN
AddHP 2 2
else
Display --indent 2 --text "- Checking SNMP community strings" --result WARNING --color RED
Display --indent 2 --text "- Checking SNMP community strings" --result "${STATUS_WARNING}" --color RED
ReportWarning ${TEST_NO} "M" "Found easy guessable SNMP community string"
fi
fi
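Review bot: `LogText "Restult: using last found configuration file: ${SNMPD_DAEMON_CONFIG}"` in the `@ -63,10 +63,10 @` hunk misspells the `Result:` prefix used by the other log lines, so a search of the log for `Result:` skips the line that names the snmpd configuration file under test. Since the commit is already touching the strings in this block, fix it here: `LogText "Result: using last found configuration file: ${SNMPD_DAEMON_CONFIG}"`.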


@ -36,10 +36,10 @@
# if [ ! "${FIND}" = "" ]; then
# SSH_DAEMON_RUNNING=1
# LogText "Result: Stop-A is disabled"
# Display --indent 2 --text "- Checking running SSH daemon" --result FOUND --color GREEN
# Display --indent 2 --text "- Checking running SSH daemon" --result "${STATUS_FOUND}" --color GREEN
# else
# LogText "Result: Stop-A is NOT disabled"
# Display --indent 2 --text "- Checking running SSH daemon" --result "NOT FOUND" --color WHITE
# Display --indent 2 --text "- Checking running SSH daemon" --result "${STATUS_NOT_FOUND}" --color WHITE
# fi
# fi
#
@ -55,10 +55,10 @@
# if [ ! "${FIND}" = "" ]; then
# SSH_DAEMON_RUNNING=1
# LogText "Result: Stop-A is disabled"
# Display --indent 2 --text "- Checking running SSH daemon" --result FOUND --color GREEN
# Display --indent 2 --text "- Checking running SSH daemon" --result "${STATUS_FOUND}" --color GREEN
# else
# LogText "Result: Stop-A is NOT disabled"
# Display --indent 2 --text "- Checking running SSH daemon" --result "NOT FOUND" --color WHITE
# Display --indent 2 --text "- Checking running SSH daemon" --result "${STATUS_NOT_FOUND}" --color WHITE
# fi
# fi


@ -46,10 +46,10 @@
if [ ! "${FIND}" = "" ]; then
SQUID_DAEMON_RUNNING=1
LogText "Result: Squid daemon is running"
Display --indent 2 --text "- Checking running Squid daemon" --result FOUND --color GREEN
Display --indent 2 --text "- Checking running Squid daemon" --result "${STATUS_FOUND}" --color GREEN
else
LogText "Result: No running Squid daemon found"
Display --indent 2 --text "- Checking running Squid daemon" --result "NOT FOUND" --color WHITE
Display --indent 2 --text "- Checking running Squid daemon" --result "${STATUS_NOT_FOUND}" --color WHITE
fi
fi
#
@ -75,10 +75,10 @@
done
if [ "${SQUID_DAEMON_CONFIG}" = "" ]; then
LogText "Result: No Squid configuration file found"
Display --indent 4 --text "- Searching Squid configuration file" --result "NOT FOUND" --color YELLOW
Display --indent 4 --text "- Searching Squid configuration file" --result "${STATUS_NOT_FOUND}" --color YELLOW
else
LogText "Result: using last found configuration file: ${SQUID_DAEMON_CONFIG}"
Display --indent 4 --text "- Searching Squid configuration" --result FOUND --color GREEN
Display --indent 4 --text "- Searching Squid configuration" --result "${STATUS_FOUND}" --color GREEN
fi
fi
#
@ -95,11 +95,11 @@
FIND=`find ${SQUIDBINARY} \( -perm 4000 -o -perm 2000 \) -print`
if [ "${FIND}" = "" ]; then
FIND2=`${SQUIDBINARY} -v | awk '{ if ($3=="Version") { print $4 } }'`
Display --indent 4 --text "- Checking Squid version" --result "FOUND" --color GREEN
Display --indent 4 --text "- Checking Squid version" --result "${STATUS_FOUND}" --color GREEN
SQUID_VERSION="${FIND2}"
else
LogText "Result: test skipped for security reasons, setuid/setgid bit set"
Display --indent 4 --text "- Checking Squid version" --result "SKIPPED" --color RED
Display --indent 4 --text "- Checking Squid version" --result "${STATUS_SKIPPED}" --color RED
fi
else
LogText "Result: no Squid binary found"
@ -120,7 +120,7 @@
LogText "Found Squid option: ${I}"
Report "squid_option=${I}"
done
Display --indent 4 --text "- Checking defined Squid options" --result "DONE" --color GREEN
Display --indent 4 --text "- Checking defined Squid options" --result "${STATUS_DONE}" --color GREEN
fi
#
#################################################################################
@ -134,13 +134,13 @@
FIND=`find ${SQUID_DAEMON_CONFIG} -type f -a \( -perm -004 -o -perm -002 -o -perm -001 \)`
if [ ! "${FIND}" = "" ]; then
LogText "Result: file ${SQUID_DAEMON_CONFIG} is world readable, writable or executable and could leak information or passwords"
Display --indent 4 --text "- Checking Squid configuration file permissions" --result WARNING --color RED
Display --indent 4 --text "- Checking Squid configuration file permissions" --result "${STATUS_WARNING}" --color RED
ReportSuggestion ${TEST_NO} "Check file permissions of ${SQUID_DAEMON_CONFIG} to limit access"
ReportWarning ${TEST_NO} "M" "File permissions of ${SQUID_DAEMON_CONFIG} are not restrictive"
AddHP 0 2
else
LogText "Result: file ${SQUID_DAEMON_CONFIG} has proper file permissions"
Display --indent 4 --text "- Checking Squid configuration file permissions" --result OK --color GREEN
Display --indent 4 --text "- Checking Squid configuration file permissions" --result "${STATUS_OK}" --color GREEN
AddHP 2 2
fi
fi
@ -162,9 +162,9 @@
FIND=`grep "^auth_param" ${SQUID_DAEMON_CONFIG} | awk '{ print $2 }'`
if [ "${FIND}" = "" ]; then
LogText "No auth_param option found, proxy access anonymous or based on other methods (like ACLs)"
Display --indent 6 --text "- Checking Squid authentication methods" --result "NONE" --color YELLOW
Display --indent 6 --text "- Checking Squid authentication methods" --result "${STATUS_NONE}" --color YELLOW
else
Display --indent 6 --text "- Checking Squid authentication methods" --result "FOUND" --color GREEN
Display --indent 6 --text "- Checking Squid authentication methods" --result "${STATUS_FOUND}" --color GREEN
for I in ${FIND}; do
LogText "Result: found authentication method ${I}"
Report "squid_auth_method=${I}"
@ -183,9 +183,9 @@
FIND=`grep "^external_acl_type" ${SQUID_DAEMON_CONFIG}`
if [ "${FIND}" = "" ]; then
LogText "No external_acl_type found"
Display --indent 6 --text "- Checking Squid external authentication methods" --result "NONE" --color YELLOW
Display --indent 6 --text "- Checking Squid external authentication methods" --result "${STATUS_NONE}" --color YELLOW
else
Display --indent 6 --text "- Checking Squid external authentication methods" --result "FOUND" --color GREEN
Display --indent 6 --text "- Checking Squid external authentication methods" --result "${STATUS_FOUND}" --color GREEN
for I in ${FIND}; do
LogText "Result: found external authentication method helper"
LogText "Output: ${FIND}"
@ -206,7 +206,7 @@
FIND=`grep "^acl " ${SQUID_DAEMON_CONFIG} | sed 's/ /!space!/g'`
if [ "${FIND}" = "" ]; then
LogText "Result: No ACLs found"
Display --indent 6 --text "- Checking Access Control Lists" --result "NONE" --color RED
Display --indent 6 --text "- Checking Access Control Lists" --result "${STATUS_NONE}" --color RED
else
for I in ${FIND}; do
N=$((N + 1))
@ -231,7 +231,7 @@
FIND=`grep "^http_access" ${SQUID_DAEMON_CONFIG} | grep "Safe_ports"`
if [ "${FIND}" = "" ]; then
LogText "Result: no Safe_ports found"
Display --indent 6 --text "- Checking ACL 'Safe_ports' http_access option" --result "NOT FOUND" --color YELLOW
Display --indent 6 --text "- Checking ACL 'Safe_ports' http_access option" --result "${STATUS_NOT_FOUND}" --color YELLOW
ReportSuggestion ${TEST_NO} "Check if Squid has been configured to restrict access to all safe ports"
else
LogText "Result: checking ACL safe ports"
@ -245,7 +245,7 @@
for I in ${FIND}; do
LogText "Found safe port: ${I}"
done
Display --indent 6 --text "- Checking ACL 'Safe_ports' ports" --result "FOUND" --color GREEN
Display --indent 6 --text "- Checking ACL 'Safe_ports' ports" --result "${STATUS_FOUND}" --color GREEN
AddHP 1 1
fi
#SQUID_DAEMON_UNSAFE_PORTS_LIST
@ -253,10 +253,10 @@
LogText "Test: Checking port ${I} in Safe_ports list"
FIND2=`grep -w "^acl Safe_ports port ${I}" ${SQUID_DAEMON_CONFIG}`
if [ "${FIND2}" = "" ]; then
Display --indent 6 --text "- Checking ACL 'Safe_ports' (port ${I})" --result "NOT FOUND" --color GREEN
Display --indent 6 --text "- Checking ACL 'Safe_ports' (port ${I})" --result "${STATUS_NOT_FOUND}" --color GREEN
AddHP 1 1
else
Display --indent 6 --text "- Checking ACL 'Safe_ports' (port ${I})" --result "FOUND" --color RED
Display --indent 6 --text "- Checking ACL 'Safe_ports' (port ${I})" --result "${STATUS_FOUND}" --color RED
ReportWarning ${TEST_NO} "H" "Squid configuration possibly allows relaying traffic via configured Safe_port ${I}"
AddHP 0 1
fi
@ -282,13 +282,13 @@
FIND=`grep "^reply_body_max_size " ${SQUID_DAEMON_CONFIG} | sed 's/ /!space!/g'`
if [ "${FIND}" = "" ]; then
LogText "Result: option reply_body_max_size not configured"
Display --indent 6 --text "- Checking option: reply_body_max_size" --result "NONE" --color RED
Display --indent 6 --text "- Checking option: reply_body_max_size" --result "${STATUS_NONE}" --color RED
AddHP 1 2
ReportSuggestion ${TEST_NO} "Configure Squid option reply_body_max_size to limit the upper size of requests."
else
LogText "Result: option reply_body_max_size configured"
LogText "Output: ${FIND}"
Display --indent 6 --text "- Checking option: reply_body_max_size" --result "FOUND" --color GREEN
Display --indent 6 --text "- Checking option: reply_body_max_size" --result "${STATUS_FOUND}" --color GREEN
AddHP 2 2
fi
fi
@ -309,13 +309,13 @@
FIND=`grep "^httpd_suppress_version_string " ${SQUID_DAEMON_CONFIG} | grep " on"`
if [ "${FIND}" = "" ]; then
LogText "Result: option httpd_suppress_version_string not configured"
Display --indent 6 --text "- Checking option: httpd_supress_version_string" --result "NOT FOUND" --color YELLOW
Display --indent 6 --text "- Checking option: httpd_supress_version_string" --result "${STATUS_NOT_FOUND}" --color YELLOW
AddHP 1 2
ReportSuggestion ${TEST_NO} "Configure Squid option httpd_suppress_version_string (on) to suppress the version."
else
LogText "Result: option httpd_suppress_version_string configured"
LogText "Output: ${FIND}"
Display --indent 6 --text "- Checking option: httpd_suppress_version_string" --result "FOUND" --color GREEN
Display --indent 6 --text "- Checking option: httpd_suppress_version_string" --result "${STATUS_FOUND}" --color GREEN
AddHP 2 2
fi
fi
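Review bot: The setuid/setgid guard in the `@ -95,11 +95,11 @` hunk does not catch an ordinary setuid binary: `find ${SQUIDBINARY} \( -perm 4000 -o -perm 2000 \)` matches only a mode of exactly 4000 or 2000, so a file with mode 4755 yields empty output and the next line runs `${SQUIDBINARY} -v`. The SKIPPED branch, which logs "test skipped for security reasons", is therefore reached only for an unusual mode. Use the all-bits-set form that the configuration permission test further down already uses: `find "${SQUIDBINARY}" \( -perm -4000 -o -perm -2000 \) -print`. The start of this test is outside the hunk.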


@ -42,13 +42,13 @@
IsRunning sshd
if [ ${RUNNING} -eq 1 ] || PortIsListening "TCP" 22; then
SSH_DAEMON_RUNNING=1
Display --indent 2 --text "- Checking running SSH daemon" --result FOUND --color GREEN
Display --indent 2 --text "- Checking running SSH daemon" --result "${STATUS_FOUND}" --color GREEN
# Store settings in a temporary file
CreateTempFile
SSH_DAEMON_OPTIONS_FILE="${TEMP_FILE}"
${SSHDBINARY} -T 2> /dev/null > ${SSH_DAEMON_OPTIONS_FILE}
else
Display --indent 2 --text "- Checking running SSH daemon" --result "NOT FOUND" --color WHITE
Display --indent 2 --text "- Checking running SSH daemon" --result "${STATUS_NOT_FOUND}" --color WHITE
fi
fi
#
@ -79,11 +79,11 @@
done
if [ "${SSH_DAEMON_CONFIG}" = "" ]; then
LogText "Result: No sshd configuration found"
Display --indent 4 --text "- Searching SSH configuration" --result "NOT FOUND" --color YELLOW
Display --indent 4 --text "- Searching SSH configuration" --result "${STATUS_NOT_FOUND}" --color YELLOW
ReportException "${TEST_NO}:1" "SSH daemon is running, but no readable configuration file found"
else
LogText "Result: using last found configuration file: ${SSH_DAEMON_CONFIG}"
Display --indent 4 --text "- Searching SSH configuration" --result FOUND --color GREEN
Display --indent 4 --text "- Searching SSH configuration" --result "${STATUS_FOUND}" --color GREEN
fi
fi
#
@ -202,19 +202,19 @@
if [ "${RESULT}" = "GOOD" ]; then
LogText "Result: SSH option ${OPTIONNAME} is configured very well"
Display --indent 4 --text "- SSH option: ${OPTIONNAME}" --result OK --color GREEN
Display --indent 4 --text "- SSH option: ${OPTIONNAME}" --result "${STATUS_OK}" --color GREEN
AddHP 3 3
elif [ "${RESULT}" = "MIDSCORED" ]; then
LogText "Result: SSH option ${OPTIONNAME} is configured reasonably"
ReportSuggestion ${TEST_NO} "Consider hardening SSH configuration" "${OPTIONNAME} (${FOUNDVALUE} --> ${EXPECTEDVALUE})" "-"
ReportDetails --test "${TEST_NO}" --service "sshd" --field "${OPTIONNAME}" --value "${FOUNDVALUE}" --preferredvalue "${EXPECTEDVALUE}" --description "sshd option ${OPTIONNAME}"
Display --indent 4 --text "- SSH option: ${OPTIONNAME}" --result "MEDIUM" --color YELLOW
Display --indent 4 --text "- SSH option: ${OPTIONNAME}" --result "${STATUS_SUGGESTION}" --color YELLOW
AddHP 1 3
elif [ "${RESULT}" = "WEAK" ]; then
LogText "Result: SSH option ${OPTIONNAME} is in a weak configuration state and should be fixed"
ReportSuggestion ${TEST_NO} "Consider hardening SSH configuration" "${OPTIONNAME} (${FOUNDVALUE} --> ${EXPECTEDVALUE})" "-"
ReportDetails --test "${TEST_NO}" --service "sshd" --field "${OPTIONNAME}" --value "${FOUNDVALUE}" --preferredvalue "${EXPECTEDVALUE}" --description "sshd option ${OPTIONNAME}"
Display --indent 4 --text "- SSH option: ${OPTIONNAME}" --result SUGGESTION --color RED
Display --indent 4 --text "- SSH option: ${OPTIONNAME}" --result "${STATUS_SUGGESTION}" --color YELLOW
AddHP 0 3
elif [ "${RESULT}" = "UNKNOWN" ]; then
LogText "Result: Value of SSH option ${OPTIONNAME} is unknown (not defined)"
@ -222,7 +222,7 @@
Report "unknown_config_option[]=ssh|$SSH_DAEMON_CONFIG}|${OPTIONNAME}|"
else
LogText "Result: Option ${OPTIONNAME} not found in output"
Display --indent 4 --text "- SSH option: ${OPTIONNAME}" --result "NOT FOUND" --color WHITE
Display --indent 4 --text "- SSH option: ${OPTIONNAME}" --result "${STATUS_NOT_FOUND}" --color WHITE
fi
else
if IsVerbose; then Display --indent 4 --text "- SSH option: ${OPTIONNAME}" --result "SKIPPED (via config)" --color WHITE; fi
@ -243,22 +243,22 @@
FIND=`egrep -i "^AllowUsers" ${SSH_DAEMON_OPTIONS_FILE} | awk '{ print $2 }'`
if [ ! "${FIND}" = "" ]; then
LogText "Result: AllowUsers set, with value ${FIND}"
Display --indent 4 --text "- SSH option: AllowUsers" --result FOUND --color GREEN
Display --indent 4 --text "- SSH option: AllowUsers" --result "${STATUS_FOUND}" --color GREEN
FOUND=1
else
LogText "Result: AllowUsers is not set"
Display --indent 4 --text "- SSH option: AllowUsers" --result "NOT FOUND" --color WHITE
Display --indent 4 --text "- SSH option: AllowUsers" --result "${STATUS_NOT_FOUND}" --color WHITE
fi
# AllowGroups
FIND=`egrep -i "^AllowGroups" ${SSH_DAEMON_OPTIONS_FILE} | awk '{ print $2 }'`
if [ ! "${FIND}" = "" ]; then
LogText "Result: AllowUsers set ${FIND}"
Display --indent 4 --text "- SSH option: AllowGroups" --result FOUND --color GREEN
Display --indent 4 --text "- SSH option: AllowGroups" --result "${STATUS_FOUND}" --color GREEN
FOUND=1
else
LogText "Result: AllowGroups is not set"
Display --indent 4 --text "- SSH option: AllowGroups" --result "NOT FOUND" --color WHITE
Display --indent 4 --text "- SSH option: AllowGroups" --result "${STATUS_NOT_FOUND}" --color WHITE
fi
if [ ${FOUND} -eq 1 ]; then


@ -61,7 +61,7 @@
AddHP 2 3
else
LogText "Result: usb-storage driver is disabled"
Display --indent 2 --text "- Checking usb-storage driver (modprobe config)" --result "DISABLED" --color GREEN
Display --indent 2 --text "- Checking usb-storage driver (modprobe config)" --result "${STATUS_DISABLED}" --color GREEN
AddHP 3 3
fi
fi
@ -91,13 +91,13 @@
if [ ${FOUND} -eq 1 ]; then
LogText "Result: Some USB devices are authorized by default (or temporary) to connect to the system"
Display --indent 2 --text "- Checking USB devices authorization" --result "ENABLED" --color YELLOW
Display --indent 2 --text "- Checking USB devices authorization" --result "${STATUS_ENABLED}" --color YELLOW
# To-Be-Added: create documentation and enable the suggestion
#ReportSuggestion ${TEST_NO} "Disable USB devices authorization, to prevent unauthorized storage or data theft"
AddHP 0 3
else
LogText "Result: None USB devices are authorized by default (or temporary) to connect to the system"
Display --indent 2 --text "- Checking USB devices authorization" --result "DISABLED" --color GREEN
Display --indent 2 --text "- Checking USB devices authorization" --result "${STATUS_DISABLED}" --color GREEN
AddHP 3 3
fi
fi
@ -141,7 +141,7 @@
AddHP 2 3
else
LogText "Result: firewire ohci driver is disabled"
Display --indent 2 --text "- Checking firewire ohci driver (modprobe config)" --result "DISABLED" --color GREEN
Display --indent 2 --text "- Checking firewire ohci driver (modprobe config)" --result "${STATUS_DISABLED}" --color GREEN
AddHP 3 3
fi
fi
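Review bot: The result column in this section now comes from `STATUS_DISABLED` and `STATUS_ENABLED`, and nothing visible in this diff defines them or gives them a default. If they are set in a language file that is missing or incomplete (not shown here, so this is an assumption), the usb-storage, USB authorization and firewire checks would print an empty result next to a green or yellow colour. A fallback in the expansion, for example `--result "${STATUS_DISABLED:-DISABLED}"`, or English defaults assigned before any translation is loaded, keeps the audit output readable. The same applies to the other `STATUS_` variables introduced in the later file sections.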


@ -41,7 +41,7 @@
for I in ${FIND}; do
LogText "rpcinfo: ${I}"
done
Display --indent 2 --text "- Query rpc registered programs" --result "DONE" --color GREEN
Display --indent 2 --text "- Query rpc registered programs" --result "${STATUS_DONE}" --color GREEN
fi
#
#################################################################################
@ -56,7 +56,7 @@
for I in ${FIND}; do
LogText "Found version: ${I}"
done
Display --indent 2 --text "- Query NFS versions" --result "DONE" --color GREEN
Display --indent 2 --text "- Query NFS versions" --result "${STATUS_DONE}" --color GREEN
fi
#
#################################################################################
@ -84,7 +84,7 @@
if [ "${FIND}" = "" ]; then
LogText "Output: no NFS port number found"
fi
Display --indent 2 --text "- Query NFS protocols" --result "DONE" --color GREEN
Display --indent 2 --text "- Query NFS protocols" --result "${STATUS_DONE}" --color GREEN
fi
#
#################################################################################
@ -97,10 +97,10 @@
FIND=`${PSBINARY} ax | grep "nfsd" | grep -v "grep"`
if [ "${FIND}" = "" ]; then
LogText "Output: NFS daemon is not running"
Display --indent 2 --text "- Check running NFS daemon" --result "NOT FOUND" --color WHITE
Display --indent 2 --text "- Check running NFS daemon" --result "${STATUS_NOT_FOUND}" --color WHITE
else
LogText "Output: NFS daemon is running"
Display --indent 2 --text "- Check running NFS daemon" --result "FOUND" --color GREEN
Display --indent 2 --text "- Check running NFS daemon" --result "${STATUS_FOUND}" --color GREEN
NFS_DAEMON_RUNNING=1
fi
fi
@ -132,10 +132,10 @@
LogText "Result: /etc/exports does not contain exported file systems"
NFS_EXPORTS_EMPTY=1
fi
Display --indent 4 --text "- Checking /etc/exports" --result "FOUND" --color GREEN
Display --indent 4 --text "- Checking /etc/exports" --result "${STATUS_FOUND}" --color GREEN
else
LogText "Result: file /etc/exports does not exist"
Display --indent 4 --text "- Checking /etc/exports" --result "NOT FOUND" --color WHITE
Display --indent 4 --text "- Checking /etc/exports" --result "${STATUS_NOT_FOUND}" --color WHITE
fi
fi
#
@ -147,7 +147,7 @@
Register --test-no STRG-1928 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking empty /etc/exports"
if [ ${SKIPTEST} -eq 0 ]; then
if [ ${NFS_EXPORTS_EMPTY} -eq 1 ]; then
Display --indent 6 --text "- Checking empty /etc/exports" --result SUGGESTION --color YELLOW
Display --indent 6 --text "- Checking empty /etc/exports" --result "${STATUS_SUGGESTION}" --color YELLOW
LogText "Result: /etc/exports seems to have no exported file systems"
ReportSuggestion ${TEST_NO} "/etc/exports has no exported file systems, while NFS daemon is running. Check if NFS needs to run on this system"
fi
@ -169,7 +169,7 @@
AddHP 2 3
else
LogText "Result: only some clients are allowed to access a NFS share"
Display --indent 4 --text "- Checking NFS client access" --result OK --color GREEN
Display --indent 4 --text "- Checking NFS client access" --result "${STATUS_OK}" --color GREEN
AddHP 3 3
fi
fi


@ -58,7 +58,7 @@
IsRunning chronyd
if [ ${RUNNING} -eq 1 ]; then
FOUND=1; NTP_DAEMON_RUNNING=1; NTP_CONFIG_TYPE_DAEMON=1; NTP_DAEMON="chronyd"
Display --indent 2 --text "- NTP daemon found: chronyd" --result FOUND --color GREEN
Display --indent 2 --text "- NTP daemon found: chronyd" --result "${STATUS_FOUND}" --color GREEN
fi
fi
@ -66,7 +66,7 @@
IsRunning dntpd
if [ ${RUNNING} -eq 1 ]; then
FOUND=1; NTP_DAEMON_RUNNING=1; NTP_CONFIG_TYPE_DAEMON=1; NTP_DAEMON="dntpd"
Display --indent 2 --text "- NTP daemon found: dntpd" --result FOUND --color GREEN
Display --indent 2 --text "- NTP daemon found: dntpd" --result "${STATUS_FOUND}" --color GREEN
fi
# Check running processes
@ -75,14 +75,14 @@
FOUND=1; NTPD_RUNNING=1; NTP_DAEMON_RUNNING=1; NTP_CONFIG_TYPE_DAEMON=1
NTP_DAEMON="ntpd"
LogText "Result: found running NTP daemon in process list"
Display --indent 2 --text "- NTP daemon found: ntpd" --result FOUND --color GREEN
Display --indent 2 --text "- NTP daemon found: ntpd" --result "${STATUS_FOUND}" --color GREEN
fi
# Check time daemon (eg NetBSD)
IsRunning timed
if [ ${RUNNING} -eq 1 ]; then
FOUND=1; NTP_DAEMON_RUNNING=1; NTP_CONFIG_TYPE_DAEMON=1; NTP_DAEMON="timed"
Display --indent 2 --text "- NTP daemon found: timed" --result FOUND --color GREEN
Display --indent 2 --text "- NTP daemon found: timed" --result "${STATUS_FOUND}" --color GREEN
fi
# Check timedate daemon (systemd)
@ -92,7 +92,7 @@
# Check for systemd-timesyncd
if [ -f /etc/systemd/timesyncd.conf ]; then
FOUND=1; NTP_DAEMON_RUNNING=1; NTP_CONFIG_TYPE_DAEMON=1; NTP_DAEMON="systemd-timesyncd"
Display --indent 2 --text "- NTP daemon found: systemd (timesyncd)" --result "FOUND" --color GREEN
Display --indent 2 --text "- NTP daemon found: systemd (timesyncd)" --result "${STATUS_FOUND}" --color GREEN
SYSTEMD_NTP_ENABLED=1
fi
else
@ -109,10 +109,10 @@
FIND=`${EGREPBINARY} "ntpdate|rdate" ${I} | grep -v '^#'`
if [ ! "${FIND}" = "" ]; then
FOUND=1; NTP_CONFIG_TYPE_SCHEDULED=1
Display --indent 2 --text "- Checking NTP client in crontab file (${I})" --result FOUND --color GREEN
Display --indent 2 --text "- Checking NTP client in crontab file (${I})" --result "${STATUS_FOUND}" --color GREEN
LogText "Result: found ntpdate or rdate reference in crontab file ${I}"
else
#Display --indent 2 --text "- Checking NTP client in crontab file (${I})" --result "NOT FOUND" --color WHITE
#Display --indent 2 --text "- Checking NTP client in crontab file (${I})" --result "${STATUS_NOT_FOUND}" --color WHITE
LogText "Result: no ntpdate or rdate reference found in crontab file ${I}"
fi
else
@ -144,10 +144,10 @@
done
if [ ${FOUND_IN_CRON} -eq 1 ]; then
Display --indent 2 --text "- Checking NTP client in cron files" --result FOUND --color GREEN
Display --indent 2 --text "- Checking NTP client in cron files" --result "${STATUS_FOUND}" --color GREEN
LogText "Result: found ntpdate or rdate in cron directory"
else
#Display --indent 2 --text "- Checking NTP client in cron.d files" --result "NOT FOUND" --color WHITE
#Display --indent 2 --text "- Checking NTP client in cron.d files" --result "${STATUS_NOT_FOUND}" --color WHITE
LogText "Result: no ntpdate or rdate found in cron directories"
fi
@ -157,7 +157,7 @@
LogText "Result: found ntpdate action when network interface comes up"
FOUND=1
NTP_CONFIG_TYPE_EVENTBASED=1
Display --indent 2 --text "- Checking event based ntpdate (if-up)" --result FOUND --color GREEN
Display --indent 2 --text "- Checking event based ntpdate (if-up)" --result "${STATUS_FOUND}" --color GREEN
else
LogText "Result: file /etc/network/if-up.d/ntpdate does not exist"
fi
@ -183,13 +183,13 @@
if [ ${ISVIRTUALMACHINE} -eq 1 ]; then
LogText "Result: Skipping display warning, as virtual machines usually don't need time synchronization in the VM itself"
else
Display --indent 2 --text "- Checking for a running NTP daemon or client" --result WARNING --color RED
Display --indent 2 --text "- Checking for a running NTP daemon or client" --result "${STATUS_WARNING}" --color RED
LogText "Result: Could not find a NTP daemon or client"
ReportSuggestion ${TEST_NO} "Use NTP daemon or NTP client to prevent time issues."
AddHP 0 2
fi
else
Display --indent 2 --text "- Checking for a running NTP daemon or client" --result OK --color GREEN
Display --indent 2 --text "- Checking for a running NTP daemon or client" --result "${STATUS_OK}" --color GREEN
LogText "Result: Found a time syncing daemon/client."
AddHP 3 3
fi
@ -220,10 +220,10 @@
LogText "Test: Checking for NTP association ID's from ntpq peers list"
FIND=`${NTPQBINARY} -p -n | grep "No association ID's returned"`
if [ "${FIND}" = "" ]; then
Display --indent 2 --text "- Checking valid association ID's" --result FOUND --color GREEN
Display --indent 2 --text "- Checking valid association ID's" --result "${STATUS_FOUND}" --color GREEN
LogText "Result: Found one or more association ID's"
else
Display --indent 2 --text "- Checking valid association ID's" --result WARNING --color RED
Display --indent 2 --text "- Checking valid association ID's" --result "${STATUS_WARNING}" --color RED
ReportSuggestion ${TEST_NO} "Check ntp.conf for properly configured NTP servers and a correctly functioning name service."
fi
fi
@ -239,7 +239,7 @@
LogText "Test: Checking stratum 16 sources from ntpq peers list"
FIND=`${NTPQBINARY} -p -n | awk '{ if ($3=="16") { print $1 } }'`
if [ "${FIND}" = "" ]; then
Display --indent 2 --text "- Checking high stratum ntp peers" --result OK --color GREEN
Display --indent 2 --text "- Checking high stratum ntp peers" --result "${STATUS_OK}" --color GREEN
LogText "Result: All peers are lower than stratum 16"
else
for I in ${FIND}; do
@ -253,10 +253,10 @@
done
# Check if one or more high stratum time servers are found
if [ ${N} -eq 0 ]; then
Display --indent 2 --text "- Checking high stratum ntp peers" --result OK --color GREEN
Display --indent 2 --text "- Checking high stratum ntp peers" --result "${STATUS_OK}" --color GREEN
LogText "Result: all non local servers are lower than stratum 16, or whitelisted within the scan profile"
else
Display --indent 2 --text "- Checking high stratum ntp peers" --result WARNING --color RED
Display --indent 2 --text "- Checking high stratum ntp peers" --result "${STATUS_WARNING}" --color RED
LogText "Result: Found one or more high stratum (16) peers)"
ReportSuggestion ${TEST_NO} "Check ntpq peers output"
ReportWarning ${TEST_NO} "L" "Found one or more stratum 16 peers"
@ -276,10 +276,10 @@
LogText "Test: Checking unreliable ntp peers"
FIND=`${NTPQBINARY} -p -n | egrep "^(-|#)" | awk '{ print $1 }' | sed 's/^-//g'`
if [ "${FIND}" = "" ]; then
Display --indent 2 --text "- Checking unreliable ntp peers" --result NONE --color GREEN
Display --indent 2 --text "- Checking unreliable ntp peers" --result "${STATUS_NONE}" --color GREEN
LogText "Result: No unreliable peers found"
else
Display --indent 2 --text "- Checking unreliable ntp peers" --result FOUND --color YELLOW
Display --indent 2 --text "- Checking unreliable ntp peers" --result "${STATUS_FOUND}" --color YELLOW
LogText "Result: Found one or more unreliable peers (marked with a minus or dash sign)"
for I in ${FIND}; do
LogText "Unreliable peer: ${I}"
@ -300,11 +300,11 @@
FIND=`${NTPQBINARY} -p -n | grep '^*' | awk '{ if ($4=="l") { print $1 } }'`
FIND2=`${NTPQBINARY} -p -n | grep '^*' | awk '{ print $1 }'`
if [ "${FIND}" = "" -a ! "${FIND2}" = "" ]; then
Display --indent 2 --text "- Checking selected time source" --result OK --color GREEN
Display --indent 2 --text "- Checking selected time source" --result "${STATUS_OK}" --color GREEN
FIND2=`echo ${FIND2} | sed 's/*//g'`
LogText "Result: Found selected time source (value: ${FIND2})"
else
Display --indent 2 --text "- Checking selected time source" --result WARNING --color RED
Display --indent 2 --text "- Checking selected time source" --result "${STATUS_WARNING}" --color RED
LogText "Result: Found local source as selected time source. This could indicate that no external sources are available to sync with."
LogText "Local source: ${FIND}"
ReportSuggestion ${TEST_NO} "Check ntpq peers output for selected time source"
@ -321,11 +321,11 @@
LogText "Test: Checking preferred time source"
FIND=`${NTPQBINARY} -p -n | grep '^+' | awk '{ print $1 }'`
if [ "${FIND}" = "" ]; then
Display --indent 2 --text "- Checking time source candidates" --result NONE --color YELLOW
Display --indent 2 --text "- Checking time source candidates" --result "${STATUS_NONE}" --color YELLOW
LogText "Result: No other time source candidates found"
ReportSuggestion ${TEST_NO} "Check ntpq peers output for time source candidates"
else
Display --indent 2 --text "- Checking time source candidates" --result OK --color GREEN
Display --indent 2 --text "- Checking time source candidates" --result "${STATUS_OK}" --color GREEN
LogText "Result: Found one or more candidates to synchronize time with."
for I in ${FIND}; do
I=`echo ${I} | sed 's/+//g'`
@ -344,10 +344,10 @@
LogText "Test: Checking preferred time source"
FIND=`${NTPQBINARY} -p -n | grep '^x'`
if [ "${FIND}" = "" ]; then
Display --indent 2 --text "- Checking falsetickers" --result OK --color GREEN
Display --indent 2 --text "- Checking falsetickers" --result "${STATUS_OK}" --color GREEN
LogText "Result: No falsetickers found (items preceeding with an 'x')"
else
Display --indent 2 --text "- Checking falsetickers" --result NONE --color YELLOW
Display --indent 2 --text "- Checking falsetickers" --result "${STATUS_NONE}" --color YELLOW
LogText "Result: Found one or more falsetickers (items preceeding with an 'x')"
for I in ${FIND}; do
I=`echo ${I} | sed 's/x//g'`
@ -368,11 +368,11 @@
LogText "Test: Checking NTP protocol version (ntpq -c ntpversion)"
FIND=`${NTPQBINARY} -c ntpversion | awk '{ if ($1=="NTP" && $2=="version" && $5=="is") { print $6 } }'`
if [ "${FIND}" = "" ]; then
Display --indent 2 --text "- Checking NTP version" --result UNKNOWN --color YELLOW
Display --indent 2 --text "- Checking NTP version" --result "${STATUS_UNKNOWN}" --color YELLOW
LogText "Result: No NTP version found"
ReportSuggestion ${TEST_NO} "Check ntpq output for NTP protocol version"
else
Display --indent 2 --text "- Checking NTP version" --result FOUND --color GREEN
Display --indent 2 --text "- Checking NTP version" --result "${STATUS_FOUND}" --color GREEN
LogText "Result: Found NTP version ${FIND}"
Report "ntp_version=${FIND}"
fi
@ -404,7 +404,7 @@
ReportSuggestion ${TEST_NO} "Use step-rickers file for quicker time synchronization"
else
LogText "Result: /etc/ntp/step-tickers is not empty, which is fine"
Display --indent 2 --text "- Checking NTP step-tickers file" --result "OK" --color GREEN
Display --indent 2 --text "- Checking NTP step-tickers file" --result "${STATUS_OK}" --color GREEN
sFIND=`${AWKBINARY} '/^server/ { print $2 }' /etc/ntp.conf | ${GREPBINARY} -v '127.127.1.0'`
for I in ${sFIND}; do
FIND=`${GREPBINARY} ^${I} ${FILE} | wc -l`
@ -420,7 +420,7 @@
ReportSuggestion ${TEST_NO} "Some time servers missing in step-tickers file"
AddHP 3 4
else
Display --indent 4 --text "- Checking step-tickers ntp servers entries" --result OK --color GREEN
Display --indent 4 --text "- Checking step-tickers ntp servers entries" --result "${STATUS_OK}" --color GREEN
LogText "Result: all time servers are in step-tickers file"
AddHP 4 4
fi
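Review bot: In the falsetickers hunk (-344,10) the else branch, which runs when `ntpq -p -n` lists peers marked with `x`, still displays `--result "${STATUS_NONE}"`, so the screen says none while the next log line says one or more falsetickers were found. The commit carries the old literal over unchanged; `--result "${STATUS_FOUND}" --color YELLOW` would agree with the log text and with the unreliable-peers check a few hunks earlier. The same test also logs "Checking preferred time source", which looks copied from the preceding test. The test body starts and ends outside the hunk.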


@ -54,7 +54,7 @@
AUTOMATION_TOOL_FOUND=1
CFENGINE_AGENT_FOUND=1
Report "automation_tool_running[]=cf-agent"
Display --indent 4 --text "Found: Cfengine (cfagent)" --result FOUND --color GREEN
Display --indent 4 --text "Found: Cfengine (cfagent)" --result "${STATUS_FOUND}" --color GREEN
fi
OTHER_CFENGINE_LOCATIONS="/var/cfengine/bin"
for I in ${OTHER_CFENGINE_LOCATIONS}; do
@ -64,7 +64,7 @@
AUTOMATION_TOOL_FOUND=1
CFENGINE_AGENT_FOUND=1
Report "automation_tool_running[]=cf-agent"
Display --indent 4 --text "Found: CFEngine (cf-agent)" --result FOUND --color GREEN
Display --indent 4 --text "Found: CFEngine (cf-agent)" --result "${STATUS_FOUND}" --color GREEN
fi
IsRunning "cf-server"
if [ ${RUNNING} -eq 1 ]; then
@ -72,7 +72,7 @@
AUTOMATION_TOOL_FOUND=1
CFENGINE_SERVER_RUNNING=1
Report "automation_tool_running[]=cf-server"
Display --indent 4 --text "Found: CFEngine (cf-server)" --result FOUND --color GREEN
Display --indent 4 --text "Found: CFEngine (cf-server)" --result "${STATUS_FOUND}" --color GREEN
fi
fi
done
@ -85,7 +85,7 @@
CHEFCLIENTBINARY="${I}/chef-client"
AUTOMATION_TOOL_FOUND=1
Report "automation_tool_running[]=chef-client"
Display --indent 4 --text "Found: Chef client (chef-client)" --result FOUND --color GREEN
Display --indent 4 --text "Found: Chef client (chef-client)" --result "${STATUS_FOUND}" --color GREEN
LogText "Result: found chef-client (chef client daemon) in ${I}"
fi
if [ -f ${I}/erchef ]; then
@ -93,7 +93,7 @@
LogText "Result: Chef Server (erchef) is installed (${CHEFSERVERBINARY})"
AUTOMATION_TOOL_FOUND=1
Report "automation_tool_running[]=chef-server"
Display --indent 4 --text "Found: Chef Server (erchef)" --result FOUND --color GREEN
Display --indent 4 --text "Found: Chef Server (erchef)" --result "${STATUS_FOUND}" --color GREEN
LogText "Result: found erchef (chef server daemon) in ${I}"
fi
fi
@ -104,14 +104,14 @@
LogText "Result: Puppet is installed (${PUPPETBINARY})"
AUTOMATION_TOOL_FOUND=1
Report "automation_tool_running[]=puppet-agent"
Display --indent 4 --text "Found: Puppet (agent)" --result FOUND --color GREEN
Display --indent 4 --text "Found: Puppet (agent)" --result "${STATUS_FOUND}" --color GREEN
fi
IsRunning "puppet master"
if [ ${RUNNING} -eq 1 ]; then
LogText "Result: found puppet master"
PUPPET_MASTER_RUNNING=1
Report "automation_tool_running[]=puppet-master"
Display --indent 4 --text "Found: Puppet (master)" --result FOUND --color GREEN
Display --indent 4 --text "Found: Puppet (master)" --result "${STATUS_FOUND}" --color GREEN
fi
# SaltStack
@ -120,14 +120,14 @@
AUTOMATION_TOOL_FOUND=1
SALT_MINION_RUNNING=1
Report "automation_tool_running[]=saltstack-minion"
Display --indent 4 --text "Found: SaltStack minion (salt-minion)" --result FOUND --color GREEN
Display --indent 4 --text "Found: SaltStack minion (salt-minion)" --result "${STATUS_FOUND}" --color GREEN
fi
if [ ! "${SALTMASTERBINARY}" = "" ]; then
LogText "Result: SaltStack (salt-master) is installed (${SALTMASTERBINARY})"
AUTOMATION_TOOL_FOUND=1
SALT_MASTER_RUNNING=1
Report "automation_tool_running[]=saltstack-minion"
Display --indent 4 --text "Found: SaltStack master (salt-master)" --result FOUND --color GREEN
Display --indent 4 --text "Found: SaltStack master (salt-master)" --result "${STATUS_FOUND}" --color GREEN
else
IsRunning "salt-master"
if [ ${RUNNING} -eq 1 ]; then
@ -135,14 +135,14 @@
AUTOMATION_TOOL_FOUND=1
SALT_MASTER_RUNNING=1
Report "automation_tool_running[]=saltstack-master"
Display --indent 4 --text "Found: SaltStack (master)" --result FOUND --color GREEN
Display --indent 4 --text "Found: SaltStack (master)" --result "${STATUS_FOUND}" --color GREEN
fi
fi
if [ ${AUTOMATION_TOOL_FOUND} -eq 1 ]; then
Display --indent 2 --text "- Automation tooling" --result FOUND --color GREEN
Display --indent 2 --text "- Automation tooling" --result "${STATUS_FOUND}" --color GREEN
else
Display --indent 2 --text "- Automation tooling" --result "NOT FOUND" --color YELLOW
Display --indent 2 --text "- Automation tooling" --result "${STATUS_NOT_FOUND}" --color YELLOW
ReportSuggestion ${TEST_NO} "Determine if automation tools are present for system management"
fi
fi
@ -164,7 +164,7 @@
IDS_IPS_TOOL_FOUND=1
LogText "Result: Fail2ban is installed (${FAIL2BANBINARY})"
Report "ids_ips_tooling[]=fail2ban"
Display --indent 2 --text "- Checking presence of Fail2ban" --result FOUND --color GREEN
Display --indent 2 --text "- Checking presence of Fail2ban" --result "${STATUS_FOUND}" --color GREEN
else
LogText "Result: Fail2ban not present (fail2ban-server not found)"
fi
@ -202,14 +202,14 @@
if [ ${FAIL2BAN_SILENT} -eq 0 ] && [ ${FAIL2BAN_EMAIL} -eq 0 ]; then
LogText "No registered actions found in ${FAIL2BAN_CONFIG}"
Display --indent 4 --text "- Checking Fail2ban actions" --result NONE --color RED
Display --indent 4 --text "- Checking Fail2ban actions" --result "${STATUS_NONE}" --color RED
ReportWarning "${TEST_NO}" "M" "${FAIL2BAN_CONFIG}" "There are no actions configured for Fail2ban."
AddHP 0 3
fi
if [ ${FAIL2BAN_SILENT} -eq 0 ] && [ ${FAIL2BAN_EMAIL} -eq 1 ]; then
LogText "All actions in ${FAIL2BAN_CONFIG} are configured to send email alerts"
Display --indent 4 --text "- Checking Fail2ban actions" --result OK --color GREEN
Display --indent 4 --text "- Checking Fail2ban actions" --result "${STATUS_OK}" --color GREEN
AddHP 3 3
fi
@ -222,7 +222,7 @@
if [ ${FAIL2BAN_SILENT} -eq 1 ] && [ ${FAIL2BAN_EMAIL} -eq 0 ]; then
LogText "None of the actions found in ${FAIL2BAN_CONFIG} are configured to send email alerts"
Display --indent 4 --text "- Checking Fail2ban actions" --result NONE --color YELLOW
Display --indent 4 --text "- Checking Fail2ban actions" --result "${STATUS_NONE}" --color YELLOW
ReportSuggestion "${TEST_NO}" "None of the Fail2ban jails are configured to send email notifications. Consider changing these to emailed alerts."
AddHP 1 3
fi
@ -233,11 +233,11 @@
FIND=`egrep "^enabled\s*=\s*true" ${FAIL2BAN_CONFIG}`
if [ ! "${FIND}" = "" ]; then
LogText "Result: found at least one enabled jail"
Display --indent 4 --text "- Checking Fail2ban jails" --result ENABLED --color GREEN
Display --indent 4 --text "- Checking Fail2ban jails" --result "${STATUS_ENABLED}" --color GREEN
AddHP 3 3
else
LogText "Result: Fail2ban installed but completely disabled"
Display --indent 4 --text "- Checking Fail2ban jails" --result DISABLED --color RED
Display --indent 4 --text "- Checking Fail2ban jails" --result "${STATUS_DISABLED}" --color RED
AddHP 0 3
ReportWarning "${TEST_NO}" "M" "All jails in Fail2ban are disabled" "${FAIL2BAN_CONFIG}"
fi
@ -250,15 +250,15 @@
CHECK_CHAINS=`${IPTABLESBINARY} -L 2>&1 | grep fail2ban`
if [ ! "${CHECK_CHAINS}" = "" ]; then
LogText "Result: found at least one iptables chain for fail2ban"
Display --indent 4 --text "- Checking for Fail2ban iptables chain" --result OK --color GREEN
Display --indent 4 --text "- Checking for Fail2ban iptables chain" --result "${STATUS_OK}" --color GREEN
else
LogText "Result: Fail2ban installed but iptables chain not present - fail2ban will not work"
Display --indent 4 --text "- Checking for Fail2ban iptables chain" --result WARNING --color RED
Display --indent 4 --text "- Checking for Fail2ban iptables chain" --result "${STATUS_WARNING}" --color RED
AddHP 0 3
ReportSuggestion "${TEST_NO}" "M" "Check config to see why iptables does not have a fail2ban chain" "${FAIL2BAN_CONFIG}"
fi
else
Display --indent 4 --text "- Checking for Fail2ban iptables chain" --result WARNING --color RED
Display --indent 4 --text "- Checking for Fail2ban iptables chain" --result "${STATUS_WARNING}" --color RED
ReportSuggestion "${TEST_NO}" "H" "iptables doesn't seem to be installed; Fail2ban will not work. Remove Fail2ban or install iptables" "${FAIL2BAN_CONFIG}"
fi
fi
@ -272,10 +272,10 @@
if [ ${SKIPTEST} -eq 0 ]; then
if [ ${IDS_IPS_TOOL_FOUND} -eq 1 ]; then
Display --indent 2 --text "- Checking for intrusion detection/prevention system" --result FOUND --color GREEN
Display --indent 2 --text "- Checking for intrusion detection/prevention system" --result "${STATUS_FOUND}" --color GREEN
AddHP 2 2
else
Display --indent 2 --text "- Checking for intrusion detection/prevention system" --result NONE --color YELLOW
Display --indent 2 --text "- Checking for intrusion detection/prevention system" --result "${STATUS_NONE}" --color YELLOW
#ReportSuggestion ${TEST_NO} "Ensure that automatic intrusion detection/prevention tools are installed"
AddHP 0 2
fi
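Review bot: The two `ReportSuggestion` calls in the Fail2ban iptables hunk (-250,15) pass a severity letter (`"M"`, `"H"`) right after the test number, which is the argument shape the `ReportWarning` calls in this section use; the other `ReportSuggestion` calls here put the message in that position. If `ReportSuggestion` takes the message as its second argument, as those calls suggest (its definition is not on this page), the report would record "M" or "H" as the suggestion and push the real text into the details field. That matters here because these are the branches where Fail2ban is installed but cannot block anything. Proposed: `ReportSuggestion "${TEST_NO}" "Check config to see why iptables does not have a fail2ban chain" "${FAIL2BAN_CONFIG}"`, and the same reordering for the "iptables doesn't seem to be installed" call.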


@ -40,9 +40,9 @@
# if [ ! "${VMWARETOOLSBINARY}" = "" ]; then
# LogText "Result: VMware tools binary found"
# VMWARE_GUEST=1
# Display --indent 4 --text "- Checking VMware tools daemon" --result FOUND --color GREEN
# Display --indent 4 --text "- Checking VMware tools daemon" --result "${STATUS_FOUND}" --color GREEN
# else
# Display --indent 4 --text "- Checking VMware tools daemon" --result "NOT FOUND" --color WHITE
# Display --indent 4 --text "- Checking VMware tools daemon" --result "${STATUS_NOT_FOUND}" --color WHITE
# fi
#
# fi


@ -56,7 +56,7 @@
if [ ${SKIPTEST} -eq 0 ]; then
if [ "${OS}" = "OpenBSD" -a "${HTTPDBINARY}" = "/usr/sbin/httpd" ]; then HTTPDBINARY=""; fi
if [ "${HTTPDBINARY}" = "" ]; then
Display --indent 2 --text "- Checking Apache" --result "NOT FOUND" --color WHITE
Display --indent 2 --text "- Checking Apache" --result "${STATUS_NOT_FOUND}" --color WHITE
else
LogText "Test: Scanning for Apache binary"
IS_APACHE=`${HTTPDBINARY} -v 2> /dev/null | egrep '[aA]pache'`
@ -64,7 +64,7 @@
LogText "Result: ${HTTPDBINARY} is not Apache"
Display --indent 2 --text "- Checking Apache (binary ${HTTPDBINARY})" --result "NO MATCH" --color WHITE
else
Display --indent 2 --text "- Checking Apache (binary ${HTTPDBINARY})" --result "FOUND" --color GREEN
Display --indent 2 --text "- Checking Apache (binary ${HTTPDBINARY})" --result "${STATUS_FOUND}" --color GREEN
LogText "Result: ${HTTPDBINARY} seems to be Apache HTTP daemon"
APACHE_INSTALLED=1
APACHE_VERSION=`${HTTPDBINARY} -v 2> /dev/null | grep "^Server version:" | awk '{ print $3 }' | awk -F/ '{ print $2 }'`
@ -205,7 +205,7 @@
# # Check if option ServerTokens is configured
# SERVERTOKENSTEST=`grep ServerTokens ${APACHE_CONFIGFILE} | grep -v '^#'`
# if [ ! "${SERVERTOKENSTEST}" = "" ]; then
# Display --indent 4 --text "- Checking option ServerTokens" --result FOUND --color WHITE
# Display --indent 4 --text "- Checking option ServerTokens" --result "${STATUS_FOUND}" --color WHITE
# SERVERTOKENSTEST=`echo ${SERVERTOKENSTEST} | sed 's/ServerTokens//' | tr -d ' '`
# LogText "Option ServerTokens found: ${SERVERTOKENSTEST}"
# SERVERTOKENSEXPECTED=`grep 'apache' ${PROFILE} | grep 'ServerTokens' | cut -d ':' -f3`
@ -218,7 +218,7 @@
# LogText "Expected: ${SERVERTOKENSEXPECTED}"
# fi
# else
# Display --indent 4 --text "- Checking option ServerTokens" --result "NOT FOUND" --color WHITE
# Display --indent 4 --text "- Checking option ServerTokens" --result "${STATUS_NOT_FOUND}" --color WHITE
# fi
#
# else
@ -229,9 +229,9 @@
#
# # Display results from checks
# if [ ${SERVERTOKENSFOUND} -eq 1 ]; then
# Display --indent 6 --text "- Value of ServerTokens" --result OK --color GREEN
# Display --indent 6 --text "- Value of ServerTokens" --result "${STATUS_OK}" --color GREEN
# else
# Display --indent 6 --text "- Value of ServerTokens" --result WARNING --color RED
# Display --indent 6 --text "- Value of ServerTokens" --result "${STATUS_WARNING}" --color RED
# ReportWarning ${TEST_NO} "M" "Value of 'ServerTokens' in Apache config is different than template"
# fi
# fi
@ -280,10 +280,10 @@
fi
done
if [ ${N} -eq 0 ]; then
Display --indent 4 --text "* Loadable modules" --result "NONE" --color WHITE
Display --indent 4 --text "* Loadable modules" --result "${STATUS_NONE}" --color WHITE
ReportException "${TEST_NO}:1" "No loadable Apache modules found"
else
Display --indent 4 --text "* Loadable modules" --result "FOUND" --color GREEN
Display --indent 4 --text "* Loadable modules" --result "${STATUS_FOUND}" --color GREEN
Display --indent 8 --text "- Found ${N} loadable modules"
fi
fi
@ -298,10 +298,10 @@
# Check modules, module
CheckItem "apache_module" "/mod_evasive([0-9][0-9])?.so"
if [ ${ITEM_FOUND} -eq 1 ]; then
Display --indent 10 --text "mod_evasive: anti-DoS/brute force" --result FOUND --color GREEN
Display --indent 10 --text "mod_evasive: anti-DoS/brute force" --result "${STATUS_FOUND}" --color GREEN
AddHP 3 3
else
Display --indent 10 --text "mod_evasive: anti-DoS/brute force" --result "NOT FOUND" --color WHITE
Display --indent 10 --text "mod_evasive: anti-DoS/brute force" --result "${STATUS_NOT_FOUND}" --color WHITE
AddHP 2 3
ReportSuggestion ${TEST_NO} "Install Apache mod_evasive to guard webserver against DoS/brute force attempts"
fi
@ -317,10 +317,10 @@
# Check modules, module
CheckItem "apache_module" "/mod_qos.so"
if [ ${ITEM_FOUND} -eq 1 ]; then
Display --indent 10 --text "mod_qos: anti-Slowloris" --result FOUND --color GREEN
Display --indent 10 --text "mod_qos: anti-Slowloris" --result "${STATUS_FOUND}" --color GREEN
AddHP 3 3
else
Display --indent 10 --text "mod_qos: anti-Slowloris" --result "NOT FOUND" --color WHITE
Display --indent 10 --text "mod_qos: anti-Slowloris" --result "${STATUS_NOT_FOUND}" --color WHITE
AddHP 2 3
ReportSuggestion ${TEST_NO} "Install Apache mod_qos to guard webserver against Slowloris attacks"
fi
@ -337,10 +337,10 @@
# # Check modules, module
# CheckItem "apache_module" "/mod_spamhaus.so"
# if [ ${ITEM_FOUND} -eq 1 ]; then
# Display --indent 10 --text "mod_spamhaus: anti-spam (spamhaus)" --result FOUND --color GREEN
# Display --indent 10 --text "mod_spamhaus: anti-spam (spamhaus)" --result "${STATUS_FOUND}" --color GREEN
# AddHP 3 3
# else
# Display --indent 10 --text "mod_spamhaus: anti-spam (spamhaus)" --result "NOT FOUND" --color WHITE
# Display --indent 10 --text "mod_spamhaus: anti-spam (spamhaus)" --result "${STATUS_NOT_FOUND}" --color WHITE
# AddHP 2 3
# ReportSuggestion ${TEST_NO} "Install Apache mod_spamhaus to guard webserver against spammers"
# fi
@ -356,10 +356,10 @@
# Check modules, module
CheckItem "apache_module" "/mod_security2.so"
if [ ${ITEM_FOUND} -eq 1 ]; then
Display --indent 10 --text "ModSecurity: web application firewall" --result FOUND --color GREEN
Display --indent 10 --text "ModSecurity: web application firewall" --result "${STATUS_FOUND}" --color GREEN
AddHP 3 3
else
Display --indent 10 --text "ModSecurity: web application firewall" --result "NOT FOUND" --color WHITE
Display --indent 10 --text "ModSecurity: web application firewall" --result "${STATUS_NOT_FOUND}" --color WHITE
AddHP 2 3
ReportSuggestion ${TEST_NO} "Install Apache modsecurity to guard webserver against web application attacks"
fi
@ -381,11 +381,11 @@
FIND=`${PSBINARY} ax | grep "/nginx" | grep "master" | grep -v "grep"`
if [ ! "${FIND}" = "" ]; then
LogText "Result: found running nginx process(es)"
Display --indent 2 --text "- Checking nginx" --result FOUND --color GREEN
Display --indent 2 --text "- Checking nginx" --result "${STATUS_FOUND}" --color GREEN
NGINX_RUNNING=1
else
LogText "Result: no running nginx process found"
Display --indent 2 --text "- Checking nginx" --result "NOT FOUND" --color WHITE
Display --indent 2 --text "- Checking nginx" --result "${STATUS_NOT_FOUND}" --color WHITE
fi
fi
#
@ -406,10 +406,10 @@
if [ ! "${NGINX_CONF_LOCATION}" = "" ]; then
LogText "Result: found nginx configuration file"
Report "nginx_main_conf_file=${NGINX_CONF_LOCATION}"
Display --indent 4 --text "- Searching nginx configuration file" --result FOUND --color GREEN
Display --indent 4 --text "- Searching nginx configuration file" --result "${STATUS_FOUND}" --color GREEN
else
LogText "Result: no nginx configuration file found"
Display --indent 2 --text "- Searching nginx configuration file" --result "NOT FOUND" --color WHITE
Display --indent 2 --text "- Searching nginx configuration file" --result "${STATUS_NOT_FOUND}" --color WHITE
fi
fi
#
@ -486,39 +486,39 @@
NGINX_SSL_SUGGESTION=0
if [ ${NGINX_SSL_ON} -eq 1 ]; then
LogText "Result: SSL is configured in nginx on one or more virtual hosts"
Display --indent 6 --text "- SSL configured" --result "YES" --color GREEN
Display --indent 6 --text "- SSL configured" --result "${STATUS_YES}" --color GREEN
AddHP 5 5
# Cipher tests
if [ ${NGINX_SSL_CIPHERS} -eq 1 ]; then
Display --indent 8 --text "- Ciphers configured" --result "YES" --color GREEN
Display --indent 8 --text "- Ciphers configured" --result "${STATUS_YES}" --color GREEN
else
Display --indent 8 --text "- Ciphers configured" --result "NO" --color RED
Display --indent 8 --text "- Ciphers configured" --result "${STATUS_NO}" --color RED
NGINX_SSL_SUGGESTION=1
fi
if [ ${NGINX_SSL_PREFER_SERVER_CIPHERS} -eq 1 ]; then
Display --indent 8 --text "- Prefer server ciphers" --result "YES" --color GREEN
Display --indent 8 --text "- Prefer server ciphers" --result "${STATUS_YES}" --color GREEN
else
Display --indent 8 --text "- Prefer server ciphers" --result "NO" --color RED
Display --indent 8 --text "- Prefer server ciphers" --result "${STATUS_NO}" --color RED
NGINX_SSL_SUGGESTION=1
fi
if [ ${NGINX_SSL_PROTOCOLS} -eq 1 ]; then
Display --indent 8 --text "- Protocols configured" --result "YES" --color GREEN
Display --indent 8 --text "- Protocols configured" --result "${STATUS_YES}" --color GREEN
if [ ${NGINX_WEAK_SSL_PROTOCOL_FOUND} -eq 0 ]; then
Display --indent 10 --text "- Insecure protocols found" --result "NO" --color GREEN
Display --indent 10 --text "- Insecure protocols found" --result "${STATUS_NO}" --color GREEN
else
Display --indent 10 --text "- Insecure protocols found" --result "YES" --color RED
Display --indent 10 --text "- Insecure protocols found" --result "${STATUS_YES}" --color RED
ReportSuggestion "${TEST_NO}" "Disable weak protocol in nginx configuration"
fi
else
Display --indent 8 --text "- Protocols configured" --result "NO" --color RED
Display --indent 8 --text "- Protocols configured" --result "${STATUS_NO}" --color RED
NGINX_SSL_SUGGESTION=1
fi
else
LogText "Result: No SSL configuration found"
Display --indent 6 --text "- SSL configured" --result "NO" --color RED
Display --indent 6 --text "- SSL configured" --result "${STATUS_NO}" --color RED
NGINX_SSL_SUGGESTION=1
AddHP 1 5
fi
@ -542,19 +542,19 @@
# Check for missing access log
if [ ${NGINX_ACCESS_LOG_MISSING} -eq 1 ]; then
NGINX_LOG_SUGGESTION=1
Display --indent 8 --text "- Missing log files (access_log)" --result "YES" --color RED
Display --indent 8 --text "- Missing log files (access_log)" --result "${STATUS_YES}" --color RED
else
Display --indent 8 --text "- Missing log files (access_log)" --result "NO" --color GREEN
Display --indent 8 --text "- Missing log files (access_log)" --result "${STATUS_NO}" --color GREEN
fi
# Access log disabled
if [ ${NGINX_ACCESS_LOG_DISABLED} -eq 1 ]; then
NGINX_LOG_SUGGESTION=1
LogText "Result: found one or more virtual hosts which have their access log disabled"
Display --indent 8 --text "- Disabled access logging" --result "YES" --color RED
Display --indent 8 --text "- Disabled access logging" --result "${STATUS_YES}" --color RED
AddHP 2 3
else
LogText "Result: no virtual hosts found which have their access log disabled"
Display --indent 8 --text "- Disabled access logging" --result "NO" --color GREEN
Display --indent 8 --text "- Disabled access logging" --result "${STATUS_NO}" --color GREEN
AddHP 3 3
fi
# Report suggestion
@ -574,9 +574,9 @@
# Check for missing access log
if [ ${NGINX_ERROR_LOG_MISSING} -eq 1 ]; then
NGINX_LOG_SUGGESTION=1
Display --indent 8 --text "- Missing log files (error_log)" --result "YES" --color RED
Display --indent 8 --text "- Missing log files (error_log)" --result "${STATUS_YES}" --color RED
else
Display --indent 8 --text "- Missing log files (error_log)" --result "NO" --color GREEN
Display --indent 8 --text "- Missing log files (error_log)" --result "${STATUS_NO}" --color GREEN
fi
# Report suggestion
if [ ${NGINX_LOG_SUGGESTION} -eq 1 ]; then
@ -596,11 +596,11 @@
if [ ${NGINX_ERROR_LOG_DEBUG} -eq 1 ]; then
NGINX_LOG_SUGGESTION=1
LogText "Result: found one or more virtual hosts which have their error log in debug mode"
Display --indent 8 --text "- Debugging mode on error_log" --result "YES" --color RED
Display --indent 8 --text "- Debugging mode on error_log" --result "${STATUS_YES}" --color RED
AddHP 2 3
else
LogText "Result: no virtual hosts found which have their access log disabled"
Display --indent 8 --text "- Debugging mode on error_log" --result "NO" --color GREEN
Display --indent 8 --text "- Debugging mode on error_log" --result "${STATUS_NO}" --color GREEN
AddHP 3 3
fi
# Report suggestion
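Review bot: The `LogText` in the else branch of the `NGINX_ERROR_LOG_DEBUG` check still reads "no virtual hosts found which have their access log disabled", which looks copied from the access-log test and records the wrong finding in the audit log when no error log is in debug mode. It should describe the check that actually ran, e.g. `LogText "Result: no virtual hosts found which have their error log in debug mode"`. The same kind of leftover is in the hunk at -574, where the comment above the `NGINX_ERROR_LOG_MISSING` test says `# Check for missing access log` and should read `# Check for missing error log`. Both lines are unchanged context in this commit, and the enclosing test blocks start and end outside these hunks.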
@ -626,7 +626,7 @@
# done
# if [ ${N} -eq 0 ]; then
# LogText "Result: no reverse proxying functionality found"
# Display --indent 4 --text "- Searching reverse proxy functionality" --result "NOT FOUND" --color WHITE
# Display --indent 4 --text "- Searching reverse proxy functionality" --result "${STATUS_NOT_FOUND}" --color WHITE
# else
# LogText "Result: found ${N} addresses for which nginx will be a reverse proxy"
# Display --indent 4 --text "- Searching reverse proxy functionality" --result "${N} FOUND" --color GREEN
@ -652,7 +652,7 @@
# done
# if [ ${N} -eq 0 ]; then
# LogText "Result: no virtual hosts found"
# Display --indent 4 --text "- Searching virtual hosts" --result "NOT FOUND" --color WHITE
# Display --indent 4 --text "- Searching virtual hosts" --result "${STATUS_NOT_FOUND}" --color WHITE
# else
# LogText "Result: found ${N} virtual hosts"
# Display --indent 4 --text "- Searching virtual hosts" --result "${N} FOUND" --color GREEN