Code cleanup

mboelen 2014-09-19 00:35:24 +02:00
parent 8a637d588b
commit a145b0091a
1 changed files with 198 additions and 200 deletions


@ -257,17 +257,17 @@
# if [ -x /usr/bin/usrck ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi # if [ -x /usr/bin/usrck ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
# Register --test-no AUTH-9229 --os AIX --preqs-met ${PREQS_MET} --weight L --network NO --description "Check password file consistency" # Register --test-no AUTH-9229 --os AIX --preqs-met ${PREQS_MET} --weight L --network NO --description "Check password file consistency"
# if [ ${SKIPTEST} -eq 0 ]; then # if [ ${SKIPTEST} -eq 0 ]; then
# logtext "Test: Checking password file consistency (usrck)" # logtext "Test: Checking password file consistency (usrck)"
# FIND=`/usr/bin/usrck -n ALL 2>; echo $?` # FIND=`/usr/bin/usrck -n ALL 2>; echo $?`
# if [ "${FIND}" = "0" ]; then # if [ "${FIND}" = "0" ]; then
# Display --indent 2 --text "- Checking password file consistency" --result OK --color GREEN # Display --indent 2 --text "- Checking password file consistency" --result OK --color GREEN
# logtext "Result: usrck finished didn't find problems" # logtext "Result: usrck finished didn't find problems"
# else # else
# Display --indent 2 --text "- Checking password file consistency" --result WARNING --color RED # Display --indent 2 --text "- Checking password file consistency" --result WARNING --color RED
# logtext "Result: usrck found one or more errors/warnings in the password file." # logtext "Result: usrck found one or more errors/warnings in the password file."
# ReportWarning ${TEST_NO} "M" "usrck found one or more errors/warnings in the password file" # ReportWarning ${TEST_NO} "M" "usrck found one or more errors/warnings in the password file"
# ReportSuggestion ${TEST_NO} "Run usrck manually and correct found issues." # ReportSuggestion ${TEST_NO} "Run usrck manually and correct found issues."
# fi # fi
# fi # fi
# #
################################################################################# #################################################################################
@ -298,17 +298,17 @@
# if [ -x /usr/sbin/pwck ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi # if [ -x /usr/sbin/pwck ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
# Register --test-no AUTH-9231 --os HP-UX --preqs-met ${PREQS_MET} --weight L --network NO --description "Check password file consistency" # Register --test-no AUTH-9231 --os HP-UX --preqs-met ${PREQS_MET} --weight L --network NO --description "Check password file consistency"
# if [ ${SKIPTEST} -eq 0 ]; then # if [ ${SKIPTEST} -eq 0 ]; then
# logtext "Test: Checking password file consistency (pwck)" # logtext "Test: Checking password file consistency (pwck)"
# FIND=`/usr/sbin/pwck 2> /dev/null; echo $?` # FIND=`/usr/sbin/pwck 2> /dev/null; echo $?`
# if [ "${FIND}" = "0" ]; then # if [ "${FIND}" = "0" ]; then
# Display --indent 2 --text "- Checking password file consistency" --result OK --color GREEN # Display --indent 2 --text "- Checking password file consistency" --result OK --color GREEN
# logtext "Result: pwck finished didn't find problems" # logtext "Result: pwck finished didn't find problems"
# else # else
# Display --indent 2 --text "- Checking password file consistency" --result WARNING --color RED # Display --indent 2 --text "- Checking password file consistency" --result WARNING --color RED
# logtext "Result: pwck found one or more errors/warnings in the password file." # logtext "Result: pwck found one or more errors/warnings in the password file."
# ReportWarning ${TEST_NO} "M" "pwck found one or more errors/warnings in the password file" # ReportWarning ${TEST_NO} "M" "pwck found one or more errors/warnings in the password file"
# ReportSuggestion ${TEST_NO} "Run pwck manually and correct found issues." # ReportSuggestion ${TEST_NO} "Run pwck manually and correct found issues."
# fi # fi
# fi # fi
# #
################################################################################# #################################################################################
@ -318,17 +318,17 @@
# if [ -x /usr/sbin/grpck ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi # if [ -x /usr/sbin/grpck ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
# Register --test-no AUTH-9232 --os HP-UX --preqs-met ${PREQS_MET} --weight L --network NO --description "Check password file consistency" # Register --test-no AUTH-9232 --os HP-UX --preqs-met ${PREQS_MET} --weight L --network NO --description "Check password file consistency"
# if [ ${SKIPTEST} -eq 0 ]; then # if [ ${SKIPTEST} -eq 0 ]; then
# logtext "Test: Checking group file consistency (grpck)" # logtext "Test: Checking group file consistency (grpck)"
# FIND=`/usr/sbin/grpck 2> /dev/null; echo $?` # FIND=`/usr/sbin/grpck 2> /dev/null; echo $?`
# if [ "${FIND}" = "0" ]; then # if [ "${FIND}" = "0" ]; then
# Display --indent 2 --text "- Checking group file consistency" --result OK --color GREEN # Display --indent 2 --text "- Checking group file consistency" --result OK --color GREEN
# logtext "Result: grpck finished didn't find problems" # logtext "Result: grpck finished didn't find problems"
# else # else
# Display --indent 2 --text "- Checking group file consistency" --result WARNING --color RED # Display --indent 2 --text "- Checking group file consistency" --result WARNING --color RED
# logtext "Result: grpck found one or more errors/warnings in the group file." # logtext "Result: grpck found one or more errors/warnings in the group file."
# ReportWarning ${TEST_NO} "M" "grpck found one or more errors/warnings in the group file" # ReportWarning ${TEST_NO} "M" "grpck found one or more errors/warnings in the group file"
# ReportSuggestion ${TEST_NO} "Run grpck manually and correct found issues." # ReportSuggestion ${TEST_NO} "Run grpck manually and correct found issues."
# fi # fi
# fi # fi
# #
################################################################################# #################################################################################
@ -1030,108 +1030,107 @@
logtext "Test: Checking /etc/login.defs" logtext "Test: Checking /etc/login.defs"
if [ -f /etc/login.defs ]; then if [ -f /etc/login.defs ]; then
logtext "Result: file /etc/profile exists" logtext "Result: file /etc/profile exists"
logtext "Test: Checking UMASK value in /etc/login.defs" logtext "Test: Checking umask value in /etc/login.defs"
FIND=`grep "^UMASK" /etc/login.defs | awk '{ print $2 }'` FIND=`grep "^UMASK" /etc/login.defs | awk '{ print $2 }'`
if [ "${FIND}" = "" ]; then if [ "${FIND}" = "" ]; then
logtext "Result: UMASK value is not configured (most likely it will have the default 022 value)" logtext "Result: umask value is not configured (most likely it will have the default 022 value)"
Display --indent 4 --text "- Checking umask (/etc/login.defs)" --result SUGGESTION --color YELLOW Display --indent 4 --text "- Checking umask (/etc/login.defs)" --result SUGGESTION --color YELLOW
ReportSuggestion ${TEST_NO} "Default umask in /etc/login.defs could not be found and defaults usually to 022, which could be more strict like 027" ReportSuggestion ${TEST_NO} "Default umask in /etc/login.defs could not be found and defaults usually to 022, which could be more strict like 027"
AddHP 1 2 AddHP 1 2
elif [ "${FIND}" = "077" -o "${FIND}" = "027" ]; then elif [ "${FIND}" = "077" -o "${FIND}" = "027" ]; then
logtext "Result: umask is ${FIND}, which is fine" logtext "Result: umask is ${FIND}, which is fine"
Display --indent 4 --text "- Checking umask (/etc/login.defs)" --result OK --color GREEN Display --indent 4 --text "- Checking umask (/etc/login.defs)" --result OK --color GREEN
AddHP 2 2 AddHP 2 2
else else
logtext "Result: found umask ${FIND}, which could be improved" logtext "Result: found umask ${FIND}, which could be improved"
Display --indent 4 --text "- Checking umask (/etc/login.defs)" --result SUGGESTION --color YELLOW Display --indent 4 --text "- Checking umask (/etc/login.defs)" --result SUGGESTION --color YELLOW
ReportSuggestion ${TEST_NO} "Default umask in /etc/login.defs could be more strict like 027" ReportSuggestion ${TEST_NO} "Default umask in /etc/login.defs could be more strict like 027"
AddHP 0 2 AddHP 0 2
fi fi
else else
logtext "Result: file /etc/login.defs does not exist" logtext "Result: file /etc/login.defs does not exist"
fi fi
# Red Hat /etc/init.d/functions # Red Hat /etc/init.d/functions
logtext "Test: Checking /etc/init.d/functions" logtext "Test: Checking /etc/init.d/functions"
if [ -f /etc/init.d/functions ]; then if [ -f /etc/init.d/functions ]; then
logtext "Result: file /etc/init.d/functions exists" logtext "Result: file /etc/init.d/functions exists"
logtext "Test: Checking umask value in /etc/init.d/functions" logtext "Test: Checking umask value in /etc/init.d/functions"
FIND=`grep "^umask" /etc/init.d/functions | awk '{ print $2 }'` FIND=`grep "^umask" /etc/init.d/functions | awk '{ print $2 }'`
if [ "${FIND}" = "" ]; then if [ "${FIND}" = "" ]; then
logtext "Result: umask is not configured" logtext "Result: umask is not configured"
Display --indent 4 --text "- Checking umask (/etc/init.d/functions)" --result NONE --color WHITE Display --indent 4 --text "- Checking umask (/etc/init.d/functions)" --result NONE --color WHITE
elif [ "${FIND}" = "077" -o "${FIND}" = "027" ]; then elif [ "${FIND}" = "077" -o "${FIND}" = "027" ]; then
logtext "Result: umask is ${FIND}, which is fine" logtext "Result: umask is ${FIND}, which is fine"
Display --indent 4 --text "- Checking umask (/etc/init.d/functions)" --result OK --color GREEN Display --indent 4 --text "- Checking umask (/etc/init.d/functions)" --result OK --color GREEN
AddHP 2 2 AddHP 2 2
else else
logtext "Result: found umask ${FIND}, which could be improved" logtext "Result: found umask ${FIND}, which could be improved"
Display --indent 4 --text "- Checking umask (/etc/init.d/functions)" --result SUGGESTION --color YELLOW Display --indent 4 --text "- Checking umask (/etc/init.d/functions)" --result SUGGESTION --color YELLOW
AddHP 0 2 AddHP 0 2
#YYY fi
fi else
else logtext "Result: file /etc/init.d/functions does not exist"
logtext "Result: file /etc/init.d/functions does not exist" fi
fi
# /etc/init.d/rc [T] # /etc/init.d/rc [T]
# Always needed? (YYY) # Always needed? (YYY)
logtext "Test: Checking /etc/init.d/rc" logtext "Test: Checking /etc/init.d/rc"
if [ -f /etc/init.d/rc ]; then if [ -f /etc/init.d/rc ]; then
logtext "Result: file /etc/init.d/rc exists" logtext "Result: file /etc/init.d/rc exists"
logtext "Test: Checking UMASK value in /etc/init.d/rc" logtext "Test: Checking UMASK value in /etc/init.d/rc"
FIND=`grep -i "^UMASK" /etc/init.d/rc | awk '{ print $2 }'` FIND=`grep -i "^UMASK" /etc/init.d/rc | awk '{ print $2 }'`
if [ "${FIND}" = "" ]; then if [ "${FIND}" = "" ]; then
logtext "Result: UMASK value is not configured (most likely it will have the default 022 value)" logtext "Result: UMASK value is not configured (most likely it will have the default 022 value)"
Display --indent 4 --text "- Checking umask (/etc/init.d/rc)" --result SUGGESTION --color YELLOW Display --indent 4 --text "- Checking umask (/etc/init.d/rc)" --result SUGGESTION --color YELLOW
ReportSuggestion ${TEST_NO} "Default umask in /etc/init.d/rc could not be found and defaults usually to 022, which could be more strict like 027" ReportSuggestion ${TEST_NO} "Default umask in /etc/init.d/rc could not be found and defaults usually to 022, which could be more strict like 027"
AddHP 1 2 AddHP 1 2
elif [ "${FIND}" = "077" -o "${FIND}" = "027" ]; then elif [ "${FIND}" = "077" -o "${FIND}" = "027" ]; then
logtext "Result: umask is ${FIND}, which is fine" logtext "Result: umask is ${FIND}, which is fine"
Display --indent 4 --text "- Checking umask (/etc/init.d/rc)" --result OK --color GREEN Display --indent 4 --text "- Checking umask (/etc/init.d/rc)" --result OK --color GREEN
AddHP 2 2 AddHP 2 2
else else
logtext "Result: found umask ${FIND}, which could be improved" logtext "Result: found umask ${FIND}, which could be improved"
Display --indent 4 --text "- Checking umask (/etc/init.d/rc)" --result SUGGESTION --color YELLOW Display --indent 4 --text "- Checking umask (/etc/init.d/rc)" --result SUGGESTION --color YELLOW
ReportSuggestion ${TEST_NO} "Default umask in /etc/init.d/rc could be more strict like 027" ReportSuggestion ${TEST_NO} "Default umask in /etc/init.d/rc could be more strict like 027"
AddHP 0 2 AddHP 0 2
fi fi
else else
logtext "Result: file /etc/init.d/rc does not exist" logtext "Result: file /etc/init.d/rc does not exist"
fi fi
# /etc/init.d/rcS [T] # /etc/init.d/rcS [T]
# Always needed? (YYY) # Always needed? (YYY)
logtext "Test: Checking /etc/init.d/rcS" logtext "Test: Checking /etc/init.d/rcS"
if [ -f /etc/init.d/rcS ]; then if [ -f /etc/init.d/rcS ]; then
logtext "Result: file /etc/init.d/rcS exists" logtext "Result: file /etc/init.d/rcS exists"
logtext "Test: Checking if script runs another script." logtext "Test: Checking if script runs another script."
FIND=`grep -i "^exec " /etc/init.d/rcS | awk '{ print $2 }'` FIND=`grep -i "^exec " /etc/init.d/rcS | awk '{ print $2 }'`
if [ "${FIND}" = "" ]; then if [ "${FIND}" = "" ]; then
FIND2=`grep -i "^UMASK" /etc/init.d/rcS | awk '{ print $2 }'` FIND2=`grep -i "^UMASK" /etc/init.d/rcS | awk '{ print $2 }'`
if [ "${FIND2}" = "" ]; then if [ "${FIND2}" = "" ]; then
logtext "Result: UMASK value is not configured (most likely it will have the default 022 value)" logtext "Result: UMASK value is not configured (most likely it will have the default 022 value)"
Display --indent 4 --text "- Checking umask (/etc/init.d/rcS)" --result SUGGESTION --color YELLOW Display --indent 4 --text "- Checking umask (/etc/init.d/rcS)" --result SUGGESTION --color YELLOW
ReportSuggestion ${TEST_NO} "Default umask in /etc/init.d/rcS could not be found and defaults usually to 022, which could be more strict like 027" ReportSuggestion ${TEST_NO} "Default umask in /etc/init.d/rcS could not be found and defaults usually to 022, which could be more strict like 027"
AddHP 1 2 AddHP 1 2
elif [ "${FIND2}" = "077" -o "${FIND2}" = "027" ]; then elif [ "${FIND2}" = "077" -o "${FIND2}" = "027" ]; then
logtext "Result: umask is ${FIND2}, which is fine" logtext "Result: umask is ${FIND2}, which is fine"
Display --indent 4 --text "- Checking umask (/etc/init.d/rcS)" --result OK --color GREEN Display --indent 4 --text "- Checking umask (/etc/init.d/rcS)" --result OK --color GREEN
AddHP 2 2 AddHP 2 2
else else
logtext "Result: found umask ${FIND2}, which could be improved" logtext "Result: found umask ${FIND2}, which could be improved"
Display --indent 4 --text "- Checking umask (/etc/init.d/rcS)" --result SUGGESTION --color YELLOW Display --indent 4 --text "- Checking umask (/etc/init.d/rcS)" --result SUGGESTION --color YELLOW
ReportSuggestion ${TEST_NO} "Default umask in /etc/init.d/rcS could be more strict like 027" ReportSuggestion ${TEST_NO} "Default umask in /etc/init.d/rcS could be more strict like 027"
AddHP 0 2 AddHP 0 2
fi fi
else else
# Improve check # Improve check
logtext "Result: exec line present in file, setting of umask not needed in this script" logtext "Result: exec line present in file, setting of umask not needed in this script"
logtext "Output: ${FIND}" logtext "Output: ${FIND}"
fi fi
else else
logtext "Result: file /etc/init.d/rcS does not exist" logtext "Result: file /etc/init.d/rcS does not exist"
fi fi
fi fi
# #
@ -1141,49 +1140,48 @@
# Description : Solaris account locking # Description : Solaris account locking
Register --test-no AUTH-9340 --os Solaris --weight L --network NO --description "Solaris account locking" Register --test-no AUTH-9340 --os Solaris --weight L --network NO --description "Solaris account locking"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
FOUND=0 FOUND=0
if [ -f /etc/security/policy.conf ]; then if [ -f /etc/security/policy.conf ]; then
logtext "Result: found /etc/security/policy.conf" logtext "Result: found /etc/security/policy.conf"
FIND=`grep "^LOCK_AFTER_RETRIES" /etc/security/policy.conf` FIND=`grep "^LOCK_AFTER_RETRIES" /etc/security/policy.conf`
if [ ! "${FIND}" = "" ]; then if [ ! "${FIND}" = "" ]; then
FOUND=1 FOUND=1
logtext "Result: account locking option set" logtext "Result: account locking option set"
logtext "Output: ${FIND}" logtext "Output: ${FIND}"
AddHP 2 2 AddHP 2 2
else else
logtext "Result: option LOCK_AFTER_RETRIES not set" logtext "Result: option LOCK_AFTER_RETRIES not set"
AddHP 1 2 AddHP 1 2
fi fi
else else
logtext "Result: /etc/security/policy.conf does not exist" logtext "Result: /etc/security/policy.conf does not exist"
fi fi
# If policy.conf does not exist, we most likely deal with a Solaris version below 10 # If policy.conf does not exist, we most likely deal with a Solaris version below 10
# and we proceed with checking the softer option RETRIES in /etc/default/login # and we proceed with checking the softer option RETRIES in /etc/default/login
# which does not lock account, but discourages brute force password attacks. # which does not lock account, but discourages brute force password attacks.
if [ ${FOUND} -eq 0 ]; then if [ ${FOUND} -eq 0 ]; then
logtext "Test: checking /etc/default/login" logtext "Test: checking /etc/default/login"
if [ -f /etc/default/login ]; then if [ -f /etc/default/login ]; then
logtext "Result: file /etc/default/login exists" logtext "Result: file /etc/default/login exists"
FIND=`grep "^RETRIES" /etc/default/login` FIND=`grep "^RETRIES" /etc/default/login`
if [ ! "${FIND}" = "" ]; then if [ ! "${FIND}" = "" ]; then
FOUND=1 FOUND=1
logtext "Result: retries option configured" logtext "Result: retries option configured"
logtext "Output: ${FIND}" logtext "Output: ${FIND}"
AddHP 2 2 AddHP 2 2
else else
logtext "Result: retries option not configured" logtext "Result: retries option not configured"
AddHP 1 2 AddHP 1 2
fi fi
else else
logtext "Result: file /etc/default/login does not exist" logtext "Result: file /etc/default/login does not exist"
fi fi
fi fi
if [ ${FOUND} -eq 1 ]; then if [ ${FOUND} -eq 1 ]; then
Display --indent 2 --text "- Checking account locking" --result "ENABLED" --color GREEN Display --indent 2 --text "- Checking account locking" --result "ENABLED" --color GREEN
else else
Display --indent 2 --text "- Checking account locking" --result "NOT ENABLED" --color YELLOW Display --indent 2 --text "- Checking account locking" --result "NOT ENABLED" --color YELLOW
fi fi
fi fi
# #
################################################################################# #################################################################################
@ -1222,19 +1220,19 @@
# Description : Query LDAP authentication support # Description : Query LDAP authentication support
Register --test-no AUTH-9402 --weight L --network NO --description "Query LDAP authentication support" Register --test-no AUTH-9402 --weight L --network NO --description "Query LDAP authentication support"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
if [ -f /etc/nsswitch.conf ]; then if [ -f /etc/nsswitch.conf ]; then
FIND=`egrep "^passwd" /etc/nsswitch.conf | grep "ldap"` FIND=`egrep "^passwd" /etc/nsswitch.conf | grep "ldap"`
if [ "${FIND}" = "" ]; then if [ "${FIND}" = "" ]; then
logtext "Result: LDAP authentication not enabled" logtext "Result: LDAP authentication not enabled"
Display --indent 2 --text "- Checking LDAP authentication support" --result "NOT ENABLED" --color WHITE Display --indent 2 --text "- Checking LDAP authentication support" --result "NOT ENABLED" --color WHITE
else else
logtext "Result: LDAP authentication enabled" logtext "Result: LDAP authentication enabled"
Display --indent 2 --text "- Checking LDAP authentication support" --result "ENABLED" --color GREEN Display --indent 2 --text "- Checking LDAP authentication support" --result "ENABLED" --color GREEN
LDAP_AUTH_ENABLED=1 LDAP_AUTH_ENABLED=1
fi fi
else else
logtext "Result: /etc/nsswitch.conf not found" logtext "Result: /etc/nsswitch.conf not found"
fi fi
fi fi
# #
################################################################################# #################################################################################
@ -1269,22 +1267,22 @@
if [ ${LDAP_AUTH_ENABLED} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if [ ${LDAP_AUTH_ENABLED} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no AUTH-9406 --preqs-met ${PREQS_MET} --weight L --network NO --description "Query LDAP servers in client configuration" Register --test-no AUTH-9406 --preqs-met ${PREQS_MET} --weight L --network NO --description "Query LDAP servers in client configuration"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: checking ldap.conf options" logtext "Test: checking ldap.conf options"
for I in ${LDAP_CONF_LOCATIONS}; do for I in ${LDAP_CONF_LOCATIONS}; do
logtext "Test: checking ${I}" logtext "Test: checking ${I}"
if [ -f ${I} ]; then if [ -f ${I} ]; then
logtext "Result: file ${I} exists" logtext "Result: file ${I} exists"
logtext "Test: checking LDAP servers in file ${I}" logtext "Test: checking LDAP servers in file ${I}"
FIND2=`egrep "^host " ${I} | awk '{ print $2 }'` FIND2=`egrep "^host " ${I} | awk '{ print $2 }'`
for I in ${FIND2}; do for I in ${FIND2}; do
Display --indent 6 --text "LDAP server: ${I}" Display --indent 6 --text "LDAP server: ${I}"
logtext "Result: found LDAP server ${I}" logtext "Result: found LDAP server ${I}"
# YYY check if host(s) are reachable/respond to queries # YYY check if host(s) are reachable/respond to queries
done done
else else
logtext "Result: ${I} does NOT exist" logtext "Result: ${I} does NOT exist"
fi fi
done done
fi fi
# #
################################################################################# #################################################################################
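Review bot: The umask comparison on the new side of the /etc/login.defs hunk (`elif [ "${FIND}" = "077" -o "${FIND}" = "027" ]`) only accepts those two exact spellings, so an equivalent leading-zero value such as `0027` or `0077` falls through to the "could be improved" branch and is scored `AddHP 0 2` even though the setting is already strict; the same exact-match test is repeated for /etc/init.d/functions, /etc/init.d/rc and /etc/init.d/rcS in that hunk. The grep/awk capture also joins several matching lines with newlines when the file has more than one `UMASK` entry, which likewise lands in the else branch — whether either case occurs in practice I cannot tell from the diff. A minimal change is to accept the leading-zero forms as well, e.g. `elif [ "${FIND}" = "077" -o "${FIND}" = "027" -o "${FIND}" = "0077" -o "${FIND}" = "0027" ]; then`, and to take only the last match, `FIND=\`grep "^UMASK" /etc/login.defs | tail -1 | awk '{ print $2 }'\``. The enclosing `if [ ${SKIPTEST} -eq 0 ]` test that this code sits in starts before the hunk; the rest of the commit is whitespace and log-wording cleanup and reads fine.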