tyler.durden
/
lynis
mirror of https://github.com/CISOfy/lynis.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Various cleanups (#363) 

* Typo fix.

* Style change: always use $(), never ``.

The Lynis code already mostly used $(), but backticks were sprinkled
around.  Converted all of them.

* Lots of minor spelling/typo fixes.

FWIW these were found with:

  find . -type f -print0 | xargs -0 cat | aspell list | sort -u | egrep '^[a-z]+$' | less

And then reviewing the list to pick out things that looked like
misspelled words as opposed to variables, etc., and then manual
inspection of context to determine the intention.
This commit is contained in:
hlein 2017-03-06 00:41:21 -07:00 committed by Michael Boelen
parent b9ae378edb
commit b595cc0fb5
34 changed files with 457 additions and 456 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

40
extras/build-lynis.sh
View File

@ -82,7 +82,7 @@
#
#########################################################################
#
MYUSER=`whoami`
MYUSER=$(whoami)
if [ "${MYUSER}" = "" ]; then
echo "[X] Could not determine user"
fi
@ -91,7 +91,7 @@
fi
MYWORKDIR=`pwd | awk -F / '{ for (i=1;i<=NF-2;i++){ printf $i"/" }; printf "\n"}' | sed 's./$..'`
MYWORKDIR=$(pwd | awk -F / '{ for (i=1;i<=NF-2;i++){ printf $i"/" }; printf "\n"}' | sed 's./$..')
if [ ! -d ${MYWORKDIR} ]; then
echo "[X] Could not determine workdir (result: ${MYWORKDIR} seems invalid)"
ExitFatal
@ -126,7 +126,7 @@
# Check binaries
GITBUILDPACKAGEBINARY=`which git-buildpackage`
GITBUILDPACKAGEBINARY=$(which git-buildpackage)
if [ ! "${GITBUILDPACKAGEBINARY}" = "" ]; then
echo "[=] git-buildpackage = ${GITBUILDPACKAGEBINARY}"
else
@ -135,7 +135,7 @@
ExitFatal
fi
RPMBUILDBINARY=`which rpmbuild`
RPMBUILDBINARY=$(which rpmbuild)
if [ ! "${RPMBUILDBINARY}" = "" ]; then
echo "[=] rpmbuild = ${RPMBUILDBINARY}"
else
@ -168,7 +168,7 @@
#=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
# Create temporary build directory
TMPDIR=`mktemp -d /tmp/lynis-BUILDROOT.XXXXXX`
TMPDIR=$(mktemp -d /tmp/lynis-BUILDROOT.XXXXXX)
if [ $? -eq 0 ]; then
echo "[V] Creating temporary build directory"
#echo " BUILDROOT: ${TMPDIR}"
@ -202,8 +202,8 @@
fi
fi
TARBALL_MD5=`md5sum ${TARBALL}`
TARBALL_SHA1=`sha1sum ${TARBALL}`
TARBALL_MD5=$(md5sum ${TARBALL})
TARBALL_SHA1=$(sha1sum ${TARBALL})
echo "[*] Starting with RPM building process"
@ -212,7 +212,7 @@
if [ -f ${SOURCEFILE_RPM} ]; then
if [ -f lynis.spec ]; then
# adjust version in spec file
VERSION_IN_SPECFILE=`awk '/^Version:/ { print $2 }' lynis.spec`
VERSION_IN_SPECFILE=$(awk '/^Version:/ { print $2 }' lynis.spec)
echo "[=] Found version ${VERSION_IN_SPECFILE}"
if [ ${VERSION_IN_SPECFILE} = "" -o ! "${VERSION_IN_SPECFILE}" = "${LYNIS_VERSION}" ]; then
echo "[X] Version in specfile is outdated"
@ -241,9 +241,9 @@
echo "[*] Starting with DEB building process"
DEBCHANGELOGFULLVERSION=`head -1 ../debian/changelog | awk '{ print $2 }' | sed 's/(//' | sed 's/)//'`
DEBCHANGELOGVERSION=`echo ${DEBCHANGELOGFULLVERSION} | awk -F- '{ print $1 }'`
DEBCHANGELOGVERSIONREV=`echo ${DEBCHANGELOGFULLVERSION} | awk -F- '{ print $2 }'`
DEBCHANGELOGFULLVERSION=$(head -1 ../debian/changelog | awk '{ print $2 }' | sed 's/(//' | sed 's/)//')
DEBCHANGELOGVERSION=$(echo ${DEBCHANGELOGFULLVERSION} | awk -F- '{ print $1 }')
DEBCHANGELOGVERSIONREV=$(echo ${DEBCHANGELOGFULLVERSION} | awk -F- '{ print $2 }')
if [ "${LYNIS_VERSION}" = "${DEBCHANGELOGVERSION}" ]; then
echo "[V] Debian/changelog up-to-date"
else
@ -251,12 +251,12 @@
ExitFatal
fi
# BZRSTATUS=`${BZRBINARY} status . 2>&1 > /dev/null; echo $?`
# BZRSTATUS=$(${BZRBINARY} status . 2>&1 > /dev/null; echo $?)
# if [ "${BZRSTATUS}" = "0" ]; then
# echo "[V] bzr has proper directory tree"
# DEBCHANGELOGFULLVERSION=`head -1 debian/changelog | awk '{ print $2 }' | sed 's/(//' | sed 's/)//'`
# DEBCHANGELOGVERSION=`echo ${DEBCHANGELOGFULLVERSION} | awk -F- '{ print $1 }'`
# DEBCHANGELOGVERSIONREV=`echo ${DEBCHANGELOGFULLVERSION} | awk -F- '{ print $2 }'`
# DEBCHANGELOGFULLVERSION=$(head -1 debian/changelog | awk '{ print $2 }' | sed 's/(//' | sed 's/)//')
# DEBCHANGELOGVERSION=$(echo ${DEBCHANGELOGFULLVERSION} | awk -F- '{ print $1 }')
# DEBCHANGELOGVERSIONREV=$(echo ${DEBCHANGELOGFULLVERSION} | awk -F- '{ print $2 }')
# echo "[=] Version in Debian changelog: ${DEBCHANGELOGVERSION} (revision: ${DEBCHANGELOGVERSIONREV})"
# if [ "${LYNIS_VERSION}" = "${DEBCHANGELOGVERSION}" ]; then
# echo "[V] Debian/changelog up-to-date"
@ -343,7 +343,7 @@ Exit
if [ ! -f ${OPTION_BINARY_FILE} ]; then echo "BAD (can't find ${OPTION_BINARY_FILE})"; exit 1; fi
# Check script
FIND=`sh -n ${OPTION_BINARY_FILE} ; echo $?`
FIND=$(sh -n ${OPTION_BINARY_FILE} ; echo $?)
if [ $FIND -eq 0 ]; then
echo "OK"
else
@ -354,7 +354,7 @@ Exit
# Create SHA1 hashes
echo -n "- Create SHA1 hashes "
SHA1HASH_LYNIS=`grep -v '^#' ${OPTION_BINARY_FILE} | sha1`
SHA1HASH_LYNIS=$(grep -v '^#' ${OPTION_BINARY_FILE} | sha1)
echo "DONE"
echo " Lynis (SHA1): ${SHA1HASH_LYNIS}"
@ -372,16 +372,16 @@ Exit
#=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
echo -n "- Creating MD5 hashes..."
PACKAGE_LIST_FILES=`grep "^file:" files.dat | cut -d ':' -f3`
PACKAGE_LIST_FILES=$(grep "^file:" files.dat | cut -d ':' -f3)
for I in ${PACKAGE_LIST_FILES}; do
echo -n "${I} "
#FULLNAME=`grep ":file:include:" files.dat
#FULLNAME=$(grep ":file:include:" files.dat)
#echo "${FULLNAME}" >> ${OPENBSD_CONTENTS}
echo "${I}" >> ${OPENBSD_CONTENTS}
FILE="../${I}"
MD5HASH=`md5 -q ${FILE}`
MD5HASH=$(md5 -q ${FILE})
echo "@md5 ${MD5HASH}" >> ${OPENBSD_CONTENTS}
echo "@size 0000" >> ${OPENBSD_CONTENTS}
done

38
include/binaries
View File

@ -64,7 +64,7 @@
fi
# Add a space to make sure we discover a related directory if it was already scanned
FIND=`echo ${BINARY_PATHS_FOUND} | grep ", ${SCANDIR}"`
FIND=$(echo ${BINARY_PATHS_FOUND} | grep ", ${SCANDIR}")
if [ ! "${FIND}" = "" ]; then
SKIPDIR=1; LogText "Result: Skipping this directory as it was already scanned"
fi
@ -72,7 +72,7 @@
if [ ${SKIPDIR} -eq 0 ]; then
BINARY_PATHS_FOUND="${BINARY_PATHS_FOUND}, ${SCANDIR}"
LogText "Directory ${SCANDIR} exists. Starting directory scanning..."
FIND=`ls ${SCANDIR}`
FIND=$(ls ${SCANDIR})
for I in ${FIND}; do
N=$((N + 1))
BINARY="${SCANDIR}/${I}"
@ -114,7 +114,7 @@
chkrootkit) CHKROOTKITFOUND=1; CHKROOTKITBINARY="${BINARY}"; MALWARE_SCANNER_INSTALLED=1; LogText " Found known binary: chkrootkit (malware scanner) - ${BINARY}" ;;
comm) COMMBINARY="${BINARY}"; LogText " Found known binary: comm (file compare) - ${BINARY}" ;;
csum) CSUMFOUND=1; CSUMBINARY="${BINARY}"; LogText " Found known binary: csum (hashing tool on AIX) - ${BINARY}" ;;
curl) CURLFOUND=1; CURLBINARY="${BINARY}"; CURLVERSION=`${BINARY} --version | grep "^curl" | awk '{ if ($1=="curl") { print $2 }}'`; LogText " Found known binary: curl (browser) - ${BINARY}" ;;
curl) CURLFOUND=1; CURLBINARY="${BINARY}"; CURLVERSION=$(${BINARY} --version | grep "^curl" | awk '{ if ($1=="curl") { print $2 }}'); LogText " Found known binary: curl (browser) - ${BINARY}" ;;
cut) CUTBINARY="${BINARY}"
LogText " Found known binary: cut (text stream editor) - ${BINARY}"
;;
@ -127,14 +127,14 @@
domainname) DOMAINNAMEFOUND=1; DOMAINNAMEBINARY="${BINARY}"; LogText " Found known binary: domainname (NIS domain) - ${BINARY}" ;;
dpkg) DPKGBINARY="${BINARY}"; LogText " Found known binary: dpkg (package management) - ${BINARY}" ;;
egrep) EGREPFOUND=1; EGREPBINARY=${BINARY}; LogText " Found known binary: egrep (text search) - ${BINARY}" ;;
exim) EXIMFOUND=1; EXIMBINARY="${BINARY}"; EXIMVERSION=`${BINARY} -bV | grep 'Exim version' | awk '{ print $3 }' | xargs`; LogText "Found ${BINARY} (version ${EXIMVERSION})" ;;
exim) EXIMFOUND=1; EXIMBINARY="${BINARY}"; EXIMVERSION=$(${BINARY} -bV | grep 'Exim version' | awk '{ print $3 }' | xargs); LogText "Found ${BINARY} (version ${EXIMVERSION})" ;;
fail2ban-server) FAIL2BANFOUND=1; FAIL2BANBINARY="${BINARY}"; LogText " Found known binary: fail2ban (IPS tool) - ${BINARY}" ;;
file) FILEBINARY="${BINARY}"
LogText " Found known binary: file (file type detection) - ${BINARY}"
;;
find) FINDFOUND=1; FINDBINARY="${BINARY}"; LogText " Found known binary: find (search tool) - ${BINARY}" ;;
g++) GPLUSPLUSFOUND=1; GPLUSPLUSBINARY="${BINARY}"; COMPILER_INSTALLED=1; LogText " Found known binary: g++ (compiler) - ${BINARY}" ;;
# additional file check due to existance /usr/libexec/gcc (directory)
# additional file check due to existence /usr/libexec/gcc (directory)
gcc) if [ -f ${BINARY} ]; then GCCBINARY="${BINARY}"; COMPILER_INSTALLED=1; LogText " Found known binary: gcc (compiler) - ${BINARY}"; fi ;;
getent) GETENT_BINARY="${BINARY}"
LogText " Found known binary: getent (query tool for name service switch libraries) - ${BINARY}"
@ -173,7 +173,7 @@
lsattr) LSATTRFOUND=1; LSATTRBINARY="${BINARY}"; LogText " Found known binary: lsattr (file attributes) - ${BINARY}" ;;
lsmod) LSMODFOUND=1; LSMODBINARY="${BINARY}"; LogText " Found known binary: lsmod (kernel modules) - ${BINARY}" ;;
lsof) LSOFFOUND=1; LSOFBINARY="${BINARY}"; LogText " Found known binary: lsof (open files) - ${BINARY}" ;;
lynx) LYNXFOUND=1; LYNXBINARY="${BINARY}"; LYNXVERSION=`${BINARY} -version | grep "^Lynx Version" | cut -d ' ' -f3`; LogText "Found known binary: lynx (browser) - ${BINARY} (version ${LYNXVERSION})" ;;
lynx) LYNXFOUND=1; LYNXBINARY="${BINARY}"; LYNXVERSION=$(${BINARY} -version | grep "^Lynx Version" | cut -d ' ' -f3); LogText "Found known binary: lynx (browser) - ${BINARY} (version ${LYNXVERSION})" ;;
maldet) LMDFOUND=1; LMDBINARY="${BINARY}"; MALWARE_SCANNER_INSTALLED=1; LogText " Found known binary: maldet (Linux Malware Detect, malware scanner) - ${BINARY}" ;;
md5) MD5FOUND=1; MD5BINARY="${BINARY}"; LogText " Found known binary: md5 (hash tool) - ${BINARY}" ;;
md5sum) MD5FOUND=1; MD5BINARY="${BINARY}"; LogText " Found known binary: md5sum (hash tool) - ${BINARY}" ;;
@ -182,17 +182,17 @@
LogText " Found known binary: mount (disk utility) - ${BINARY}"
;;
mtree) MTREEFOUND=1; MTREEBINARY="${BINARY}"; LogText " Found known binary: mtree (mapping directory tree) - ${BINARY}" ;;
mysql) MYSQLCLIENTFOUND=1; MYSQLCLIENTBINARY="${BINARY}"; MYSQLCLIENTVERSION=`${BINARY} -V | awk '{ if ($4=="Distrib") { print $5 }}' | sed 's/,//g'` ; LogText "Found ${BINARY} (version: ${MYSQLCLIENTVERSION})" ;;
mysql) MYSQLCLIENTFOUND=1; MYSQLCLIENTBINARY="${BINARY}"; MYSQLCLIENTVERSION=$(${BINARY} -V | awk '{ if ($4=="Distrib") { print $5 }}' | sed 's/,//g') ; LogText "Found ${BINARY} (version: ${MYSQLCLIENTVERSION})" ;;
netstat) NETSTATFOUND=1; NETSTATBINARY="${BINARY}"; LogText " Found known binary: netstat (network statistics) - ${BINARY}" ;;
nft) NFTFOUND=1; NFTBINARY="${BINARY}"; LogText " Found known binary: nft (nftables client) - ${BINARY}" ;;
nmap) NMAPFOUND=1; NMAPBINARY="${BINARY}"; NMAPVERSION=`${BINARY} -V | grep "^Nmap version" | awk '{ print $3 }'`; LogText "Found ${BINARY} (version ${NMAPVERSION})" ;;
nmap) NMAPFOUND=1; NMAPBINARY="${BINARY}"; NMAPVERSION=$(${BINARY} -V | grep "^Nmap version" | awk '{ print $3 }'); LogText "Found ${BINARY} (version ${NMAPVERSION})" ;;
ntpq) NTPQFOUND=1; NTPQBINARY="${BINARY}"; LogText " Found known binary ntpq (time daemon client) - ${BINARY}" ;;
osiris) OSIRISFOUND=1; OSIRISBINARY="${BINARY}"; LogText " Found known binary: osiris - ${BINARY}" ;;
openssl) OPENSSLFOUND=1; OPENSSLBINARY="${BINARY}"; OPENSSLVERSION=`${BINARY} version 2> /dev/null | head -n 1 | awk '{ print $2 }' | xargs`; LogText "Found ${BINARY} (version ${OPENSSLVERSION})" ;;
openssl) OPENSSLFOUND=1; OPENSSLBINARY="${BINARY}"; OPENSSLVERSION=$(${BINARY} version 2> /dev/null | head -n 1 | awk '{ print $2 }' | xargs); LogText "Found ${BINARY} (version ${OPENSSLVERSION})" ;;
pacman) PACMANFOUND=1; PACMANBINARY="${BINARY}"; LogText " Found known binary: pacman (package manager) - ${BINARY}" ;;
perl) PERLFOUND=1; PERLBINARY="${BINARY}"; PERLVERSION=`${BINARY} -V:version | sed 's/^version=//' | sed 's/;//' | xargs`; LogText "Found ${BINARY} (version ${PERLVERSION})" ;;
perl) PERLFOUND=1; PERLBINARY="${BINARY}"; PERLVERSION=$(${BINARY} -V:version | sed 's/^version=//' | sed 's/;//' | xargs); LogText "Found ${BINARY} (version ${PERLVERSION})" ;;
pgrep) PGREPBINARY=${BINARY}; LogText " Found known binary: pgrep (search in process list) - ${BINARY}" ;;
php) PHPFOUND=1; PHPBINARY="${BINARY}"; PHPVERSION=`${BINARY} -v | awk '{ if ($1=="PHP") { print $2 }}' | head -1`; LogText "Found known binary: php (programming language intrepreter) - ${BINARY} (version ${PHPVERSION})" ;;
php) PHPFOUND=1; PHPBINARY="${BINARY}"; PHPVERSION=$(${BINARY} -v | awk '{ if ($1=="PHP") { print $2 }}' | head -1); LogText "Found known binary: php (programming language interpreter) - ${BINARY} (version ${PHPVERSION})" ;;
pkg)
PKG_BINARY="${BINARY}"
LogText " Found known binary: pkg (software package administration) - ${BINARY}"
@ -205,9 +205,9 @@
ps) PSFOUND=1; PSBINARY="${BINARY}"; LogText " Found known binary: ps (process listing) - ${BINARY}" ;;
puppet) PUPPETFOUND=1; PUPPETBINARY="${BINARY}"; LogText " Found known binary: puppet (automation tooling) - ${BINARY}" ;;
puppetmasterd) PUPPETMASTERDFOUND=1; PUPPETMASTERDBINARY="${BINARY}"; LogText " Found known binary: puppetmasterd (puppet master daemon) - ${BINARY}" ;;
python) PYTHONFOUND=1; PYTHONBINARY="${BINARY}"; PYTHONVERSION=`${BINARY} --version 2>&1 | sed 's/^Python //'`; LogText "Found known binary: ${I} (programming language interpreter) - ${BINARY} (version ${PYTHONVERSION})" ;;
python2) PYTHON2FOUND=1; PYTHON2BINARY="${BINARY}"; PYTHON2VERSION=`${BINARY} --version 2>&1 | sed 's/^Python //'`; LogText "Found known binary: ${I} (programming language interpreter) - ${BINARY} (version ${PYTHON2VERSION})" ;;
python3) PYTHON3FOUND=1; PYTHON3BINARY="${BINARY}"; PYTHON3VERSION=`${BINARY} --version 2>&1 | sed 's/^Python //'`; LogText "Found known binary: ${I} (programming language interpreter) - ${BINARY} (version ${PYTHON3VERSION})" ;;
python) PYTHONFOUND=1; PYTHONBINARY="${BINARY}"; PYTHONVERSION=$(${BINARY} --version 2>&1 | sed 's/^Python //'); LogText "Found known binary: ${I} (programming language interpreter) - ${BINARY} (version ${PYTHONVERSION})" ;;
python2) PYTHON2FOUND=1; PYTHON2BINARY="${BINARY}"; PYTHON2VERSION=$(${BINARY} --version 2>&1 | sed 's/^Python //'); LogText "Found known binary: ${I} (programming language interpreter) - ${BINARY} (version ${PYTHON2VERSION})" ;;
python3) PYTHON3FOUND=1; PYTHON3BINARY="${BINARY}"; PYTHON3VERSION=$(${BINARY} --version 2>&1 | sed 's/^Python //'); LogText "Found known binary: ${I} (programming language interpreter) - ${BINARY} (version ${PYTHON3VERSION})" ;;
readlink) READLINKFOUND=1; READLINKBINARY="${BINARY}"; LogText " Found known binary: readlink (follows symlinks) - ${BINARY}" ;;
rkhunter) RKHUNTERFOUND=1; RKHUNTERBINARY="${BINARY}"; MALWARE_SCANNER_INSTALLED=1; LogText " Found known binary: rkhunter (malware scanner) - ${BINARY}" ;;
rootsh) ROOTSHFOUND=1; ROOTSHBINARY="${BINARY}"; LogText " Found known binary: rootsh (wrapper for shells) - ${BINARY}" ;;
@ -223,21 +223,21 @@
;;
sestatus) SESTATUSFOUND=1; SESTATUSBINARY="${BINARY}"; LogText " Found known binary: sestatus (SELinux client) - ${BINARY}" ;;
slocate) LOCATEFOUND=1; LOCATEBINARY="${BINARY}"; LogText " Found known binary: slocate (file database) - ${BINARY}" ;;
smbd) SMBDFOUND=1; SMBDBINARY="${BINARY}"; if [ "${OS}" = "macOS" ]; then SMBDVERSION="unknown"; else SMBDVERSION=`${BINARY} -V | grep "^Version" | awk '{ print $2 }'`; fi; LogText "Found ${BINARY} (version ${SMBDVERSION})" ;;
smbd) SMBDFOUND=1; SMBDBINARY="${BINARY}"; if [ "${OS}" = "macOS" ]; then SMBDVERSION="unknown"; else SMBDVERSION=$(${BINARY} -V | grep "^Version" | awk '{ print $2 }'); fi; LogText "Found ${BINARY} (version ${SMBDVERSION})" ;;
smtpctl) SMTPCTLBINARY="${BINARY}"; LogText " Found known binary: smtpctl (OpenSMTPD client) - ${BINARY}" ;;
showmount) SHOWMOUNTFOUND=1; SHOWMOUNTBINARY="${BINARY}"; LogText " Found known binary: showmount (NFS mounts) - ${BINARY}" ;;
sockstat) SOCKSTATFOUND=1; SOCKSTATBINARY="${BINARY}"; LogText " Found known binary: sockstat (open network sockets) - ${BINARY}" ;;
sort) SORTBINARY="${BINARY}"; LogText " Found known binary: sort (sort data streams) - ${BINARY}" ;;
squid) SQUIDFOUND=1; SQUIDBINARY="${BINARY}"; LogText " Found known binary: squid (proxy) - ${BINARY}" ;;
ss) SSFOUND=1; SSBINARY="${BINARY}"; LogText " Found known binary: ss (show sockets) - ${BINARY}" ;;
sshd) SSHDFOUND=1; SSHDBINARY="${BINARY}"; SSHDVERSION=`${BINARY} -t -d 2>&1 | head -n 1 | awk '{ print $4 }' | cut -d '_' -f2 | tr -d ',' | tr -d '\r'`; LogText "Found ${BINARY} (version ${SSHDVERSION})" ;;
sshd) SSHDFOUND=1; SSHDBINARY="${BINARY}"; SSHDVERSION=$(${BINARY} -t -d 2>&1 | head -n 1 | awk '{ print $4 }' | cut -d '_' -f2 | tr -d ',' | tr -d '\r'); LogText "Found ${BINARY} (version ${SSHDVERSION})" ;;
stat) STATFOUND=1; STATBINARY="${BINARY}"; LogText " Found known binary: stat (file information) - ${BINARY}" ;;
strings) STRINGSFOUND=1; STRINGSBINARY="${BINARY}"; LogText " Found known binary: strings (text strings search) - ${BINARY}" ;;
sha1|sha1sum|shasum) SHA1SUMFOUND=1; SHA1SUMBINARY="${BINARY}"; LogText " Found known binary: sha1/sha1sum/shasum (crypto hashing) - ${BINARY}" ;;
sha256|sha256sum) SHA256SUMFOUND=1; SHA256SUMBINARY="${BINARY}"; LogText " Found known binary: sha256/sha256sum (crypto hashing) - ${BINARY}" ;;
ssh-keyscan) SSHKEYSCANFOUND=1; SSHKEYSCANBINARY="${BINARY}"; LogText " Found known binary: ssh-keyscan (scanner for SSH keys) - ${BINARY}" ;;
sysctl) SYSCTLFOUND=1; SYSCTLBINARY="${BINARY}"; LogText " Found known binary: sysctl (kernel parameters) - ${BINARY}" ;;
syslog-ng) SYSLOGNGFOUND=1; SYSLOGNGBINARY="${BINARY}"; SYSLOGNGVERSION=`${BINARY} -V 2>&1 | grep "^syslog-ng" | awk '{ print $2 }'`; LogText "Found ${BINARY} (version ${SYSLOGNGVERSION})" ;;
syslog-ng) SYSLOGNGFOUND=1; SYSLOGNGBINARY="${BINARY}"; SYSLOGNGVERSION=$(${BINARY} -V 2>&1 | grep "^syslog-ng" | awk '{ print $2 }'); LogText "Found ${BINARY} (version ${SYSLOGNGVERSION})" ;;
systemctl) SYSTEMCTLFOUND=1; SYSTEMCTLBINARY="${BINARY}"; SERVICE_MANAGER="systemd"; LogText " Found known binary: systemctl (client to systemd) - ${BINARY}" ;;
timedatectl) TIMEDATECTLFOUND=1; TIMEDATECTL="${BINARY}"; LogText " Found known binary: timedatectl (timedate client) - ${BINARY}" ;;
tr) TRFOUND=1; TRBINARY="${BINARY}"; LogText " Found known binary: tr (text transformation) - ${BINARY}" ;;
@ -254,7 +254,7 @@
wc) WCBINARY="${BINARY}"
LogText " Found known binary: wc (word count) - ${BINARY}"
;;
wget) WGETFOUND=1; WGETBINARY="${BINARY}"; WGETVERSION=`${BINARY} -V | grep "^GNU Wget" | awk '{ print $3 }'`; LogText "Found ${BINARY} (version ${WGETVERSION})" ;;
wget) WGETFOUND=1; WGETBINARY="${BINARY}"; WGETVERSION=$(${BINARY} -V | grep "^GNU Wget" | awk '{ print $3 }'); LogText "Found ${BINARY} (version ${WGETVERSION})" ;;
yum) YUMFOUND=1; YUMBINARY="${BINARY}"; LogText " Found known binary: yum (package manager) - ${BINARY}" ;;
xargs) XARGSBINARY="${BINARY}"
LogText " Found known binary: xargs (command output redirection) - ${BINARY}"
@ -271,7 +271,7 @@
LogText "Result: Directory ${SCANDIR} does NOT exist"
fi
done
BINARY_PATHS_FOUND=`echo ${BINARY_PATHS_FOUND} | sed 's/^, //g' | sed 's/ //g'`
BINARY_PATHS_FOUND=$(echo ${BINARY_PATHS_FOUND} | sed 's/^, //g' | sed 's/ //g')
LogText "Discovered directories: ${BINARY_PATHS_FOUND}"
Report "binary_paths=${BINARY_PATHS_FOUND}"
BINARY_SCAN_FINISHED=1

184
include/functions
View File

@ -190,11 +190,11 @@
else
# If 'file' is an directory, use -d
if [ -d ${CHECKFILE} ]; then
FILEVALUE=`ls -d -l ${CHECKFILE} | cut -c 2-10`
PROFILEVALUE=`grep '^permdir' ${PROFILE} | grep ":${CHECKFILE}:" | cut -d: -f3`
FILEVALUE=$(ls -d -l ${CHECKFILE} | cut -c 2-10)
PROFILEVALUE=$(grep '^permdir' ${PROFILE} | grep ":${CHECKFILE}:" | cut -d: -f3)
else
FILEVALUE=`ls -l ${CHECKFILE} | cut -c 2-10`
PROFILEVALUE=`grep '^permfile' ${PROFILE} | grep ":${CHECKFILE}:" | cut -d: -f3`
FILEVALUE=$(ls -l ${CHECKFILE} | cut -c 2-10)
PROFILEVALUE=$(grep '^permfile' ${PROFILE} | grep ":${CHECKFILE}:" | cut -d: -f3)
fi
if [ "${FILEVALUE}" = "${PROFILEVALUE}" ]; then PERMS="OK"; else PERMS="BAD"; fi
fi
@ -218,7 +218,7 @@
if [ ! "${REPORTFILE}" = "/dev/null" ]; then
# Check if we can find the main type (with or without brackets)
LogText "Test: search string $2 in earlier discovered results"
FIND=`egrep "^$1(\[\])?=" ${REPORTFILE} | egrep "$2"`
FIND=$(egrep "^$1(\[\])?=" ${REPORTFILE} | egrep "$2")
if [ ! "${FIND}" = "" ]; then
ITEM_FOUND=1
RETVAL=0
@ -298,7 +298,7 @@
ContainsString() {
RETVAL=1
if [ $# -ne 2 ]; then ReportException "ContainsString" "Incorrect number of arguments for ContainsStrings function"; fi
FIND=`echo "$2" | egrep "$1"`
FIND=$(echo "$2" | egrep "$1")
if [ ! "${FIND}" = "" ]; then RETVAL=0; fi
return ${RETVAL}
}
@ -334,11 +334,11 @@
CreateTempFile() {
TEMP_FILE=""
if [ "${OS}" = "AIX" ]; then
RANDOMSTRING1=`echo lynis-$(od -N4 -tu /dev/random | awk 'NR==1 {print $2} {}')`
RANDOMSTRING1=$(echo lynis-$(od -N4 -tu /dev/random | awk 'NR==1 {print $2} {}'))
TEMP_FILE="/tmp/${RANDOMSTRING1}"
touch ${TEMP_FILE}
else
TEMP_FILE=`mktemp /tmp/lynis.XXXXXXXXXX` || exit 1
TEMP_FILE=$(mktemp /tmp/lynis.XXXXXXXXXX) || exit 1
fi
if [ ! "${TEMP_FILE}" = "" ]; then
LogText "Action: created temporary file ${TEMP_FILE}"
@ -398,7 +398,7 @@
VALUE=$1
LogText "Value is now: ${VALUE}"
if [ ! "${AWKBINARY}" = "" ]; then
VALUE=`echo ${VALUE} | grep -Eo '[0-9]{1,}'`
VALUE=$(echo ${VALUE} | grep -Eo '[0-9]{1,}')
fi
LogText "Returning value: ${VALUE}"
}
@ -454,7 +454,7 @@
echo "Search paths used --> ${tPROFILE_TARGETS}"
ExitCustom 66
else
PROFILES=`echo ${PROFILES} | sed 's/^ //'`
PROFILES=$(echo ${PROFILES} | sed 's/^ //')
fi
}
@ -525,7 +525,7 @@
# Display:
# - counting with -m instead of -c, to support language locale
# - wc needs LANG to deal with multi-bytes characters but LANG has been unset in include/consts...
LINESIZE=`export LC_ALL= ; export LANG="${DISPLAY_LANG}";echo "${TEXT}" | wc -m | tr -d ' '`
LINESIZE=$(export LC_ALL= ; export LANG="${DISPLAY_LANG}";echo "${TEXT}" | wc -m | tr -d ' ')
if [ ${SHOWDEBUG} -eq 1 ]; then DEBUGTEXT=" [${PURPLE}DEBUG${NORMAL}]"; else DEBUGTEXT=""; fi
if [ ${INDENT} -gt 0 ]; then SPACES=$((62 - INDENT - LINESIZE)); fi
if [ ${SPACES} -lt 0 ]; then SPACES=0; fi
@ -793,18 +793,18 @@
"AIX")
# Common interfaces: en0 en1 en2, ent0 ent1 ent2
FIND=`entstat en0 2>/dev/null | grep "Hardware Address" | awk -F ": " '{ print $2 }'`
FIND=$(entstat en0 2>/dev/null | grep "Hardware Address" | awk -F ": " '{ print $2 }')
if [ "${FIND}" = "" ]; then
FIND=`entstat ent0 2>/dev/null | grep "Hardware Address" | awk -F ": " '{ print $2 }'`
FIND=$(entstat ent0 2>/dev/null | grep "Hardware Address" | awk -F ": " '{ print $2 }')
fi
if [ ! "${FIND}" = "" ]; then
# We have a MAC address, now hashing it
if [ ! "${SHA1SUMBINARY}" = "" ]; then
HOSTID=`echo ${FIND} | ${SHA1SUMBINARY} | awk '{ print $1 }'`
HOSTID=$(echo ${FIND} | ${SHA1SUMBINARY} | awk '{ print $1 }')
elif [ ! "${CSUMBINARY}" = "" ]; then
HOSTID=`echo ${FIND} | ${CSUMBINARY} -h SHA1 - | awk '{ print $1 }'`
HOSTID=$(echo ${FIND} | ${CSUMBINARY} -h SHA1 - | awk '{ print $1 }')
elif [ ! "${OPENSSLBINARY}" = "" ]; then
HOSTID=`echo ${FIND} | ${OPENSSLBINARY} sha -sha1 | awk '{ print $2 }'`
HOSTID=$(echo ${FIND} | ${OPENSSLBINARY} sha -sha1 | awk '{ print $2 }')
else
ReportException "GetHostID" "No sha1, sha1sum, csum or openssl binary available on AIX"
fi
@ -814,9 +814,9 @@
;;
"DragonFly" | "FreeBSD")
FIND=`${IFCONFIGBINARY} | grep ether | head -1 | awk '{ print $2 }' | tr '[:upper:]' '[:lower:]'`
FIND=$(${IFCONFIGBINARY} | grep ether | head -1 | awk '{ print $2 }' | tr '[:upper:]' '[:lower:]')
if [ ! "${FIND}" = "" ]; then
HOSTID=`echo ${FIND} | sha1`
HOSTID=$(echo ${FIND} | sha1)
else
ReportException "GetHostID" "No MAC address returned on DragonFly or FreeBSD"
fi
@ -829,20 +829,20 @@
# Only use ifconfig if no ip binary has been found
if [ ! "${IFCONFIGBINARY}" = "" ]; then
# Determine if we have ETH0 at all (not all Linux distro have this, e.g. Arch)
HASETH0=`${IFCONFIGBINARY} | grep "^eth0"`
HASETH0=$(${IFCONFIGBINARY} | grep "^eth0")
# Check if we can find it with HWaddr on the line
FIND=`${IFCONFIGBINARY} 2> /dev/null | grep "^eth0" | grep -v "eth0:" | grep HWaddr | awk '{ print $5 }' | tr '[:upper:]' '[:lower:]'`
FIND=$(${IFCONFIGBINARY} 2> /dev/null | grep "^eth0" | grep -v "eth0:" | grep HWaddr | awk '{ print $5 }' | tr '[:upper:]' '[:lower:]')
# If nothing found, then try first for alternative interface. Else other versions of ifconfig (e.g. Slackware/Arch)
if [ "${FIND}" = "" ]; then
FIND=`${IFCONFIGBINARY} 2> /dev/null | grep HWaddr`
FIND=$(${IFCONFIGBINARY} 2> /dev/null | grep HWaddr)
if [ "${FIND}" = "" ]; then
# If possible directly address eth0 to avoid risking gathering the incorrect MAC address.
# If not, then falling back to getting first interface. Better than nothing.
if [ ! "${HASETH0}" = "" ]; then
FIND=`${IFCONFIGBINARY} eth0 2> /dev/null | grep "ether " | awk '{ print $2 }' | tr '[:upper:]' '[:lower:]'`
FIND=$(${IFCONFIGBINARY} eth0 2> /dev/null | grep "ether " | awk '{ print $2 }' | tr '[:upper:]' '[:lower:]')
else
FIND=`${IFCONFIGBINARY} 2> /dev/null | grep "ether " | awk '{ print $2 }' | head -1 | tr '[:upper:]' '[:lower:]'`
FIND=$(${IFCONFIGBINARY} 2> /dev/null | grep "ether " | awk '{ print $2 }' | head -1 | tr '[:upper:]' '[:lower:]')
if [ "${FIND}" = "" ]; then
ReportException "GetHostID" "No eth0 found (and no ether was found with ifconfig)"
else
@ -850,7 +850,7 @@
fi
fi
else
FIND=`${IFCONFIGBINARY} 2> /dev/null | grep HWaddr | head -1 | awk '{ print $5 }' | tr '[:upper:]' '[:lower:]'`
FIND=$(${IFCONFIGBINARY} 2> /dev/null | grep HWaddr | head -1 | awk '{ print $5 }' | tr '[:upper:]' '[:lower:]')
LogText "GetHostID: No eth0 found (but HWaddr was found), using first network interface to determine hostid, with ifconfig"
fi
fi
@ -858,10 +858,10 @@
# See if we can use ip binary instead
if [ ! "${IPBINARY}" = "" ]; then
# Determine if we have the common available eth0 interface
FIND=`${IPBINARY} addr show eth0 2> /dev/null | egrep "link/ether " | head -1 | awk '{ print $2 }' | tr '[:upper:]' '[:lower:]'`
FIND=$(${IPBINARY} addr show eth0 2> /dev/null | egrep "link/ether " | head -1 | awk '{ print $2 }' | tr '[:upper:]' '[:lower:]')
if [ "${FIND}" = "" ]; then
# Determine the MAC address of first interface with the ip command
FIND=`${IPBINARY} addr show 2> /dev/null | egrep "link/ether " | head -1 | awk '{ print $2 }' | tr '[:upper:]' '[:lower:]'`
FIND=$(${IPBINARY} addr show 2> /dev/null | egrep "link/ether " | head -1 | awk '{ print $2 }' | tr '[:upper:]' '[:lower:]')
if [ "${FIND}" = "" ]; then
ReportException "GetHostID" "Can't create hostid (no MAC addresses found)"
fi
@ -874,7 +874,7 @@
# Check if we found a HostID
if [ ! "${FIND}" = "" ]; then
LogText "Info: using hardware address ${FIND} to create ID"
HOSTID=`echo ${FIND} | ${SHA1SUMBINARY} | awk '{ print $1 }'`
HOSTID=$(echo ${FIND} | ${SHA1SUMBINARY} | awk '{ print $1 }')
LogText "Result: Found HostID: ${HOSTID}"
else
ReportException "GetHostID" "Can't create HOSTID, command ip not found"
@ -904,18 +904,18 @@
;;
"NetBSD")
FIND=`${IFCONFIGBINARY} -a | grep "address:" | head -1 | awk '{ print $2 }' | tr '[:upper:]' '[:lower:]'`
FIND=$(${IFCONFIGBINARY} -a | grep "address:" | head -1 | awk '{ print $2 }' | tr '[:upper:]' '[:lower:]')
if [ ! "${FIND}" = "" ]; then
HOSTID=`echo ${FIND} | sha1`
HOSTID=$(echo ${FIND} | sha1)
else
ReportException "GetHostID" "No MAC address returned on NetBSD"
fi
;;
"OpenBSD")
FIND=`${IFCONFIGBINARY} | grep "lladdr " | head -1 | awk '{ print $2 }' | tr '[:upper:]' '[:lower:]'`
FIND=$(${IFCONFIGBINARY} | grep "lladdr " | head -1 | awk '{ print $2 }' | tr '[:upper:]' '[:lower:]')
if [ ! "${FIND}" = "" ]; then
HOSTID=`echo ${FIND} | sha1`
HOSTID=$(echo ${FIND} | sha1)
else
ReportException "GetHostID" "No MAC address returned on OpenBSD"
fi
@ -925,17 +925,17 @@
INTERFACES_TO_TEST="e1000g1 net0"
FOUND=0
for I in ${INTERFACES_TO_TEST}; do
FIND=`${IFCONFIGBINARY} -a | grep "^${I}"`
FIND=$(${IFCONFIGBINARY} -a | grep "^${I}")
if [ ! "${FIND}" = "" ]; then
FOUND=1; LogText "Found interface ${I} on Solaris"
fi
done
if [ ${FOUND} -eq 1 ]; then
FIND=`${IFCONFIGBINARY} ${I} | grep ether | awk '{ if ($1=="ether") { print $2 }}'`
FIND=$(${IFCONFIGBINARY} ${I} | grep ether | awk '{ if ($1=="ether") { print $2 }}')
if [ ! "${SHA1SUMBINARY}" = "" ]; then
HOSTID=`echo ${FIND} | ${SHA1SUMBINARY} | awk '{ print $1 }'`
HOSTID=$(echo ${FIND} | ${SHA1SUMBINARY} | awk '{ print $1 }')
elif [ ! "${OPENSSLBINARY}" = "" ]; then
HOSTID=`echo ${FIND} | ${OPENSSLBINARY} sha -sha1 | awk '{ print $2 }'`
HOSTID=$(echo ${FIND} | ${OPENSSLBINARY} sha -sha1 | awk '{ print $2 }')
else
ReportException "GetHostID" "Can not find sha1/sha1sum or openssl"
fi
@ -966,7 +966,7 @@
# Optional: DBUS creates ID as well with dbus-uuidgen and is stored in /var/lib/dbus-machine-id (might be symlinked to /etc/machine-id)
sMACHINEIDFILE="/etc/machine-id"
if [ -f ${sMACHINEIDFILE} ]; then
FIND=`head -1 ${sMACHINEIDFILE} | grep "^[a-f0-9]"`
FIND=$(head -1 ${sMACHINEIDFILE} | grep "^[a-f0-9]")
if [ "${FIND}" = "" ]; then
MACHINEID="${FIND}"
fi
@ -982,7 +982,7 @@
if [ -f /etc/ssh/${I} ]; then
LogText "Result: found ${I} in /etc/ssh"
if [ ! "${SHA1SUMBINARY}" = "" ]; then
HOSTID=`cat /etc/ssh/${I} | ${SHA1SUMBINARY} | awk '{ print $1 }'`
HOSTID=$(cat /etc/ssh/${I} | ${SHA1SUMBINARY} | awk '{ print $1 }')
LogText "result: Created HostID with SSH key ($I): ${HOSTID}"
else
ReportException "GetHostID" "Can't create HOSTID with SSH key, as sha1sum binary is missing"
@ -1159,7 +1159,7 @@
RUNNING=0
PSOPTIONS=""
if [ ${SHELL_IS_BUSYBOX} -eq 0 ]; then PSOPTIONS=" ax"; fi
FIND=`${PSBINARY} ${PSOPTIONS} | egrep "( |/)$1" | grep -v "grep"`
FIND=$(${PSBINARY} ${PSOPTIONS} | egrep "( |/)$1" | grep -v "grep")
if [ ! "${FIND}" = "" ]; then
RUNNING=1
LogText "IsRunning: process '$1' found (${FIND})"
@ -1201,18 +1201,18 @@
FILE="$1"
case $OS in
"AIX")
if [ ! "${ISTATBINARY}" = "" ]; then PERMS=`${ISTATBINARY} ${FILE} | sed "s/Owner: //" | sed "s/[a-zA-Z() ]//g"`; fi
if [ ! "${ISTATBINARY}" = "" ]; then PERMS=$(${ISTATBINARY} ${FILE} | sed "s/Owner: //" | sed "s/[a-zA-Z() ]//g"); fi
;;
"Linux")
if [ ! "${STATBINARY}" = "" ]; then PERMS=`${STATBINARY} -c "%u:%g" ${FILE}`; fi
if [ ! "${STATBINARY}" = "" ]; then PERMS=$(${STATBINARY} -c "%u:%g" ${FILE}); fi
;;
"FreeBSD")
if [ ! "${STATBINARY}" = "" ]; then PERMS=`${STATBINARY} -f "%u:%g" ${FILE}`; fi
if [ ! "${STATBINARY}" = "" ]; then PERMS=$(${STATBINARY} -f "%u:%g" ${FILE}); fi
;;
esac
# Fallback with ls (for other platforms, or when a test did not reveal any output)
if [ "${PERMS}" = "" ]; then
PERMS=`ls -n ${FILE} | ${AWKBINARY} '{ print $3":"$4 }'`
PERMS=$(ls -n ${FILE} | ${AWKBINARY} '{ print $3":"$4 }')
fi
else
ReportException "IsOwnedByRoot" "Functions needs 1 argument"
@ -1255,9 +1255,9 @@
# facter
if [ "${SHORT}" = "" ]; then
if [ -x /usr/bin/facter ] || [ -x /usr/local/bin/facter ]; then
case "`facter is_virtual`" in
case "$(facter is_virtual)" in
"true")
SHORT=`facter virtual`
SHORT=$(facter virtual)
LogText "Result: found ${SHORT}"
;;
"false")
@ -1275,7 +1275,7 @@
if [ "${SHORT}" = "" ]; then
if [ -x /usr/bin/systemd-detect-virt ]; then
LogText "Test: trying to guess virtualization technology with systemd-detect-virt"
FIND=`/usr/bin/systemd-detect-virt`
FIND=$(/usr/bin/systemd-detect-virt)
if [ ! "${FIND}" = "" ]; then
LogText "Result: found ${FIND}"
SHORT="${FIND}"
@ -1292,7 +1292,7 @@
if [ "${SHORT}" = "" ]; then
if [ -x /usr/bin/lscpu ]; then
LogText "Test: trying to guess virtualization with lscpu"
FIND=`lscpu | grep "^Hypervisor Vendor" | awk -F: '{ print $2 }' | sed 's/ //g'`
FIND=$(lscpu | grep "^Hypervisor Vendor" | awk -F: '{ print $2 }' | sed 's/ //g')
if [ ! "${FIND}" = "" ]; then
LogText "Result: found ${FIND}"
SHORT="${FIND}"
@ -1315,7 +1315,7 @@
fi
if [ ! "${DMIDECODE_BINARY}" = "" -a ${PRIVILEGED} -eq 1 ]; then
LogText "Test: trying to guess virtualization with dmidecode"
FIND=`/usr/sbin/dmidecode -s system-product-name | awk '{ print $1 }'`
FIND=$(/usr/sbin/dmidecode -s system-product-name | awk '{ print $1 }')
if [ ! "${FIND}" = "" ]; then
LogText "Result: found ${FIND}"
SHORT="${FIND}"
@ -1370,7 +1370,7 @@
# FreeBSD: hw.hv_vendor (remains empty for VirtualBox)
# NetBSD: machdep.dmi.system-product
# OpenBSD: hw.product
FIND=`sysctl -a 2> /dev/null | egrep "(hw.product|machdep.dmi.system-product)" | head -1 | sed 's/ = /=/' | awk -F= '{ print $2 }'`
FIND=$(sysctl -a 2> /dev/null | egrep "(hw.product|machdep.dmi.system-product)" | head -1 | sed 's/ = /=/' | awk -F= '{ print $2 }')
if [ ! "${FIND}" = "" ]; then
SHORT="${FIND}"
fi
@ -1383,7 +1383,7 @@
if [ ${PRIVILEGED} -eq 1 ]; then
if [ -x /usr/bin/lshw ]; then
LogText "Test: trying to guess virtualization with lshw"
FIND=`lshw -quiet -class system 2> /dev/null | awk '{ if ($1=="product:") { print $2 }}'`
FIND=$(lshw -quiet -class system 2> /dev/null | awk '{ if ($1=="product:") { print $2 }}')
if [ ! "${FIND}" = "" ]; then
LogText "Result: found ${FIND}"
SHORT="${FIND}"
@ -1398,10 +1398,10 @@
LogText "Result: skipped lshw test, as we already found machine type"
fi
# Check if we catched some string along all tests
# Check if we caught some string along all tests
if [ ! "${SHORT}" = "" ]; then
# Lowercase and see if we found a match
SHORT=`echo ${SHORT} | awk '{ print $1 }' | tr [[:upper:]] [[:lower:]]`
SHORT=$(echo ${SHORT} | awk '{ print $1 }' | tr [[:upper:]] [[:lower:]])
case ${SHORT} in
amazon-ec2) ISVIRTUALMACHINE=1; VMTYPE="amazon-ec2"; VMFULLTYPE="Amazon AWS EC2 Instance" ;;
@ -1455,7 +1455,7 @@
if [ ! "${SYMLINK}" = "" ]; then sFILE="${SYMLINK}"; fi
fi
if [ -f ${sFILE} -o -d ${sFILE} ]; then
FINDVAL=`ls -ld ${sFILE} | cut -c 8`
FINDVAL=$(ls -ld ${sFILE} | cut -c 8)
if [ "${FINDVAL}" = "r" ]; then return 0; else return 1; fi
else
return 255
@ -1481,7 +1481,7 @@
if [ ! "${SYMLINK}" = "" ]; then sFILE="${SYMLINK}"; fi
fi
if [ -f ${sFILE} -o -d ${sFILE} ]; then
FINDVAL=`ls -l ${sFILE} | cut -c 10`
FINDVAL=$(ls -l ${sFILE} | cut -c 10)
if [ "${FINDVAL}" = "x" ]; then return 0; else return 1; fi
else
return 255
@ -1504,7 +1504,7 @@
# Only check if target is a file or directory
if [ -f ${sFILE} -o -d ${sFILE} ]; then
FINDVAL=`ls -ld ${sFILE} | cut -c 9`
FINDVAL=$(ls -ld ${sFILE} | cut -c 9)
if IsDeveloperMode; then Debug "File mode of ${sFILE} is ${FINDVAL}"; fi
if [ "${FINDVAL}" = "w" ]; then return 0; else return 1; fi
else
@ -1637,9 +1637,9 @@
FIND=$(cat ${TMP_NGINX_FILE} | sed 's/ /:space:/g')
DEPTH=0
for I in ${FIND}; do
I=`echo ${I} | sed 's/:space:/ /g' | sed 's/;$//' | sed 's/ #.*$//'`
OPTION=`echo ${I} | awk '{ print $1 }'`
VALUE=`echo ${I}| cut -d' ' -f2-`
I=$(echo ${I} | sed 's/:space:/ /g' | sed 's/;$//' | sed 's/ #.*$//')
OPTION=$(echo ${I} | awk '{ print $1 }')
VALUE=$(echo ${I}| cut -d' ' -f2-)
LogText "Result: found option ${OPTION} in ${CONFIG_FILE} with value '${VALUE}'"
STORE_SETTING=1
case ${OPTION} in
@ -1679,7 +1679,7 @@
else
if [ ! "${VALUE}" = "" ]; then
# If multiple values follow, select first one
VALUE=`echo ${VALUE} | awk '{ print $1 }'`
VALUE=$(echo ${VALUE} | awk '{ print $1 }')
if [ ! -f ${VALUE} ]; then
LogText "Result: could not find referenced log file ${VALUE} in nginx configuration"
NGINX_ACCESS_LOG_MISSING=1
@ -1689,8 +1689,8 @@
;;
# Headers
add_header)
HEADER=`echo ${VALUE} | awk '{ print $1 }'`
HEADER_VALUE=`echo ${VALUE} | cut -d' ' -f2-`
HEADER=$(echo ${VALUE} | awk '{ print $1 }')
HEADER_VALUE=$(echo ${VALUE} | cut -d' ' -f2-)
LogText "Result: found header ${HEADER} with value ${HEADER_VALUE}"
#Report "nginx_header[]=${HEADER}|${HEADER_VALUE}|"
;;
@ -1710,12 +1710,12 @@
;;
error_log)
# Check if debug is appended
FIND=`echo ${VALUE} | awk '{ if ($2=="debug") { print 1 } else { print 0 }}'`
FIND=$(echo ${VALUE} | awk '{ if ($2=="debug") { print 1 } else { print 0 }}')
if [ ${FIND} -eq 1 ]; then
NGINX_ERROR_LOG_DEBUG=1
fi
# Check if log file exists
FILE=`echo ${VALUE} | awk '{ print $1 }'`
FILE=$(echo ${VALUE} | awk '{ print $1 }')
if [ ! "${FILE}" = "" ]; then
if [ ! -f ${FILE} ]; then
NGINX_ERROR_LOG_MISSING=1
@ -1759,7 +1759,7 @@
listen)
NGINX_LISTEN_FOUND=1
# Test for ssl on listen statement
FIND_SSL=`echo ${VALUE} | grep ssl`
FIND_SSL=$(echo ${VALUE} | grep ssl)
if [ ! "${FIND_SSL}" = "" ]; then NGINX_SSL_ON=1; fi
;;
location)
@ -1789,7 +1789,7 @@
;;
ssl_protocols)
NGINX_SSL_PROTOCOLS=1
VALUE=`echo ${VALUE} | sed 's/;$//' | tr '[:upper:]' '[:lower:]'`
VALUE=$(echo ${VALUE} | sed 's/;$//' | tr '[:upper:]' '[:lower:]')
for ITEM in ${VALUE}; do
LogText "Result: found protocol ${ITEM}"
case ${ITEM} in
@ -1835,7 +1835,7 @@
else
if [ $# -eq 2 ] && [ $1 = "TCP" -o $1 = "UDP" ]; then
LogText "Test: find service listening on $1:$2"
if [ $1 = "TCP" ]; then FIND=`${LSOFBINARY} -i${1} -s${1}:LISTEN -P -n | grep ":${2} "`; else FIND=`${LSOFBINARY} -i${1} -P -n | grep ":${2} "`; fi
if [ $1 = "TCP" ]; then FIND=$(${LSOFBINARY} -i${1} -s${1}:LISTEN -P -n | grep ":${2} "); else FIND=$(${LSOFBINARY} -i${1} -P -n | grep ":${2} "); fi
if [ ! "${FIND}" = "" ]; then
LogText "Result: found service listening on port $2 ($1)"
return 0
@ -1895,7 +1895,7 @@
fi
if [ $# -eq 0 ]; then SIZE=16; else SIZE=$1; fi
CSIZE=$((SIZE / 2))
RANDOMSTRING=`head -c ${CSIZE} /dev/urandom | od -An -x | tr -d ' ' | cut -c 1-${SIZE}`
RANDOMSTRING=$(head -c ${CSIZE} /dev/urandom | od -An -x | tr -d ' ' | cut -c 1-${SIZE})
}
@ -1975,13 +1975,13 @@
# Skip test if it's configured in profile (old style)
if [ ${SKIPTEST} -eq 0 ]; then
FIND=`echo "${TEST_SKIP_ALWAYS}" | grep "${TEST_NO}" | tr '[:lower:]' '[:upper:]'`
FIND=$(echo "${TEST_SKIP_ALWAYS}" | grep "${TEST_NO}" | tr '[:lower:]' '[:upper:]')
if [ ! "${FIND}" = "" ]; then SKIPTEST=1; SKIPREASON="Skipped by configuration"; fi
fi
# Check if this test is on the list to skip
if [ ${SKIPTEST} -eq 0 ]; then
VALUE=`echo ${TEST_NO} | tr '[:lower:]' '[:upper:]'`
VALUE=$(echo ${TEST_NO} | tr '[:lower:]' '[:upper:]')
for I in ${SKIP_TESTS}; do
if [ "${I}" = "${VALUE}" ]; then SKIPTEST=1; SKIPREASON="Skipped by profile setting (skip-test)"; fi
done
@ -1989,7 +1989,7 @@
# Skip if test is not in the list
if [ ${SKIPTEST} -eq 0 -a ! "${TESTS_TO_PERFORM}" = "" ]; then
FIND=`echo "${TESTS_TO_PERFORM}" | grep "${TEST_NO}"`
FIND=$(echo "${TESTS_TO_PERFORM}" | grep "${TEST_NO}")
if [ "${FIND}" = "" ]; then SKIPTEST=1; SKIPREASON="Test not in list of tests to perform"; fi
fi
@ -2109,7 +2109,7 @@
# Clean up temp files
for FILE in ${TEMP_FILES}; do
# Temporary files should be in /tmp
TMPFILE=`echo ${FILE} | egrep "^/tmp/lynis" | grep -v "\.\."`
TMPFILE=$(echo ${FILE} | egrep "^/tmp/lynis" | grep -v "\.\.")
if [ ! "${TMPFILE}" = "" ]; then
if [ -f ${TMPFILE} ]; then
LogText "Action: removing temporary file ${TMPFILE}"
@ -2300,17 +2300,17 @@
PERMS_OK=0
LogText "Checking permissions of $1"
if [ $# -eq 1 ]; then
IS_PARAMETERS_FILE=`echo $1 | grep "/parameters"`
IS_PARAMETERS_FILE=$(echo $1 | grep "/parameters")
# Check file permissions
if [ ! -f "$1" ]; then
LogText "Fatal error: file $1 does not exist. Quitting."
echo "Fatal error: file $1 does not exist"
ExitFatal
else
PERMS=`ls -l $1`
PERMS=$(ls -l $1)
# Owner permissions
OWNER=`echo ${PERMS} | awk -F" " '{ print $3 }'`
OWNERID=`ls -n $1 | awk -F" " '{ print $3 }'`
OWNER=$(echo ${PERMS} | awk -F" " '{ print $3 }')
OWNERID=$(ls -n $1 | awk -F" " '{ print $3 }')
if [ ${PENTESTINGMODE} -eq 0 -a "${IS_PARAMETERS_FILE}" = "" ]; then
if [ ! "${OWNER}" = "root" -a ! "${OWNERID}" = "0" ]; then
echo "Fatal error: file $1 should be owned by user 'root' when running it as root (found: ${OWNER})."
@ -2318,8 +2318,8 @@
fi
fi
# Group permissions
GROUP=`echo ${PERMS} | awk -F" " '{ print $4 }'`
GROUPID=`ls -n $1 | awk -F" " '{ print $4 }'`
GROUP=$(echo ${PERMS} | awk -F" " '{ print $4 }')
GROUPID=$(ls -n $1 | awk -F" " '{ print $4 }')
if [ ${PENTESTINGMODE} -eq 0 -a "${IS_PARAMETERS_FILE}" = "" ]; then
if [ ! "${GROUP}" = "root" -a ! "${GROUP}" = "wheel" -a ! "${GROUPID}" = "0" ]; then
@ -2329,21 +2329,21 @@
fi
# Owner permissions
OWNER_PERMS=`echo ${PERMS} | cut -c2-4`
OWNER_PERMS=$(echo ${PERMS} | cut -c2-4)
if [ ! "${OWNER_PERMS}" = "rw-" -a ! "${OWNER_PERMS}" = "r--" ]; then
echo "Fatal error: permissions of file $1 are not strict enough. Access to 'owner' should be read-write, or read. Change with: chmod 600 $1"
ExitFatal
fi
# Owner permissions
GROUP_PERMS=`echo ${PERMS} | cut -c5-7`
GROUP_PERMS=$(echo ${PERMS} | cut -c5-7)
if [ ! "${GROUP_PERMS}" = "rw-" -a ! "${GROUP_PERMS}" = "r--" -a ! "${GROUP_PERMS}" = "---" ]; then
echo "Fatal error: permissions of file $1 are not strict enough. Access to 'group' should be read-write, read, or none. Change with: chmod 600 $1"
ExitFatal
fi
# Other permissions
OTHER_PERMS=`echo ${PERMS} | cut -c8-10`
OTHER_PERMS=$(echo ${PERMS} | cut -c8-10)
if [ ! "${OTHER_PERMS}" = "---" -a ! "${OTHER_PERMS}" = "r--" ]; then
echo "Fatal error: permissions of file $1 are not strict enough. Access to 'other' should be denied or read-only. Change with: chmod 600 $1"
ExitFatal
@ -2401,7 +2401,7 @@
if [ -f ${FILE} ]; then
# Check if we can find the main type (with or without brackets)
LogText "Test: search string ${STRING} in file ${FILE}"
FIND=`egrep "${STRING}" ${FILE}`
FIND=$(egrep "${STRING}" ${FILE})
if [ ! "${FIND}" = "" ]; then
ITEM_FOUND=1
LogText "Result: found search string '${STRING}'"
@ -2547,25 +2547,25 @@
if [ "${OS}" = "macOS" ]; then
# If a Python binary is found, use the one in path
if [ ${BINARY_SCAN_FINISHED} -eq 0 -a "${PYTHONBINARY}" = "" ]; then
FIND=`which python 2> /dev/null`
FIND=$(which python 2> /dev/null)
if [ ! "${FIND}" = "" ]; then LogText "Setting temporary pythonbinary variable"; PYTHONBINARY="${FIND}"; fi
fi
if [ ! "${PYTHONBINARY}" = "" ]; then
SYMLINK_USE_PYTHON=1
LogText "Note: using Python to determine symlinks"
tFILE=`python -c "import os,sys; print(os.path.realpath(os.path.expanduser(sys.argv[1])))" $1`
tFILE=$(python -c "import os,sys; print(os.path.realpath(os.path.expanduser(sys.argv[1])))" $1)
fi
else
if [ ${BINARY_SCAN_FINISHED} -eq 0 -a "${READLINKBINARY}" = "" ]; then
FIND=`which readlink 2> /dev/null`
FIND=$(which readlink 2> /dev/null)
if [ ! "${FIND}" = "" ]; then LogText "Setting temporary readlinkbinary variable"; READLINKBINARY="${FIND}"; fi
fi
if [ ! "${READLINKBINARY}" = "" ]; then
SYMLINK_USE_READLINK=1
LogText "Note: Using real readlink binary to determine symlink on ${sFILE}"
tFILE=`${READLINKBINARY} -f ${sFILE}`
tFILE=$(${READLINKBINARY} -f ${sFILE})
LogText "Result: readlink shows ${tFILE} as output"
fi
fi
@ -2590,15 +2590,15 @@
FOUNDPATH=1
else
# Check the full path of the symlink, strip the filename, copy the path and linked filename together
tDIR=`echo ${sFILE} | awk '{match($1, "^.*/"); print substr($1, 1, RLENGTH-1)}'`
tDIR=$(echo ${sFILE} | awk '{match($1, "^.*/"); print substr($1, 1, RLENGTH-1)}')
tFILE="${tDIR}/${tFILE}"
if [ -L ${tFILE} ]; then
LogText "Result: this symlink links to another symlink"
# Ensure that we use a second try with the right tool as well
if [ ${SYMLINK_USE_PYTHON} -eq 1 ]; then
tFILE=`python -c "import os,sys; print(os.path.realpath(os.path.expanduser(sys.argv[1])))" ${tFILE}`
tFILE=$(python -c "import os,sys; print(os.path.realpath(os.path.expanduser(sys.argv[1])))" ${tFILE})
elif [ ${SYMLINK_USE_READLINK} -eq 1 ]; then
tFILE=`${READLINKBINARY} -f ${tFILE}`
tFILE=$(${READLINKBINARY} -f ${tFILE})
fi
# Check if we now have a normal file
if [ -f ${tFILE} ]; then
@ -2656,7 +2656,7 @@
RETVAL=1
# Check if this test is on the list to skip
for I in ${SKIP_TESTS}; do
STRING=`echo $1 | tr '[:lower:]' '[:upper:]'`
STRING=$(echo $1 | tr '[:lower:]' '[:upper:]')
if [ "${I}" = "${STRING}" ]; then RETVAL=0; LogText "Atomic test ($1) skipped by configuration (skip-test)"; fi
done
else
@ -2768,13 +2768,13 @@
# Apply the related function
case ${FUNCTION} in
"contains")
FIND=`echo ${VALUE} | egrep "${SEARCH}"`
FIND=$(echo ${VALUE} | egrep "${SEARCH}")
if [ "${FIND}" = "" ]; then RETVAL=1; else RETVAL=0; fi
;;
#"gt" | "greater-than") COLOR=$GREEN ;;
"equals")
CMP1=`echo ${SEARCH} | tr '[:upper:]' '[:lower:']`
CMP2=`echo ${VALUE} | tr '[:upper:]' '[:lower:']`
CMP1=$(echo ${SEARCH} | tr '[:upper:]' '[:lower:'])
CMP2=$(echo ${VALUE} | tr '[:upper:]' '[:lower:'])
if [ "${CMP1}" = "${CMP2}" ]; then RETVAL=0; else RETVAL=1; fi
;;
#"not-equal") COLOR=$WHITE ;;
@ -2819,7 +2819,7 @@
ViewGroups() {
if [ ! "${INCLUDEDIR}" = "" ]; then
InsertSection "Available test groups"
for I in `ls ${INCLUDEDIR}/tests_* | xargs -n 1 basename | sed 's/tests_//' | grep -v "custom.template"`; do
for I in $(ls ${INCLUDEDIR}/tests_* | xargs -n 1 basename | sed 's/tests_//' | grep -v "custom.template"); do
echo "${I}"
done
fi

32
include/helper_audit_dockerfile
View File

@ -24,7 +24,7 @@ if [ $# -eq 0 ]; then
Display --text " "; Display --text " "
ExitFatal
else
FILE=`echo $1 | egrep "^http|https"`
FILE=$(echo $1 | egrep "^http|https")
if [ ! "${FILE}" = "" ] ; then
CreateTempFile
TMP_FILE="${TEMP_FILE}"
@ -59,12 +59,12 @@ fi
InsertSection "Image"
PKGMGR=""
FIND=`grep "^FROM" ${AUDIT_FILE} | sed 's/ /:space:/g'`
FIND=$(grep "^FROM" ${AUDIT_FILE} | sed 's/ /:space:/g')
for I in ${FIND}; do
IMAGE=`echo ${I} | sed 's/:space:/ /g' | awk '{ if ($1=="FROM") { print $2 }}'`
IMAGE=$(echo ${I} | sed 's/:space:/ /g' | awk '{ if ($1=="FROM") { print $2 }}')
Display --indent 2 --text "Found image:" --result "${IMAGE}"
IS_UBUNTU=`echo ${IMAGE} | grep -i ubuntu`
IS_UBUNTU=$(echo ${IMAGE} | grep -i ubuntu)
if [ ! "${IS_DEBIAN}" = "" ]; then IMAGE="debian"; fi
if [ ! "${IS_FEDORA}" = "" ]; then IMAGE="fedora"; fi
if [ ! "${IS_UBUNTU}" = "" ]; then IMAGE="ubuntu"; fi
@ -95,11 +95,11 @@ fi
InsertSection "Basics"
FIND=`egrep "^MAINTAINER" ${AUDIT_FILE} | sed 's/ /:space:/g'`
FIND=$(egrep "^MAINTAINER" ${AUDIT_FILE} | sed 's/ /:space:/g')
if [ "${FIND}" = "" ]; then
ReportWarning "dockerfile" "No maintainer found. Unclear who created this file."
else
MAINTAINER=`echo ${FIND} | sed 's/:space:/ /g' | awk '{ if($1=="MAINTAINER") { print }}'`
MAINTAINER=$(echo ${FIND} | sed 's/:space:/ /g' | awk '{ if($1=="MAINTAINER") { print }}')
Display --indent 2 --text "Maintainer" --result "${MAINTAINER}"
fi
@ -111,7 +111,7 @@ InsertSection "Basics"
case $PKGMGR in
"apt")
FIND=`egrep "apt-get(.*) install" ${AUDIT_FILE}`
FIND=$(egrep "apt-get(.*) install" ${AUDIT_FILE})
if [ ! "${FIND}" = "" ]; then
LogText "Found installation via apt-get"
else
@ -123,14 +123,14 @@ InsertSection "Basics"
;;
esac
FIND=`egrep " (gcc|libc6-dev|make)" ${AUDIT_FILE} | grep -v "^#"`
FIND=$(egrep " (gcc|libc6-dev|make)" ${AUDIT_FILE} | grep -v "^#")
if [ ! "${FIND}" = "" ]; then
ReportWarning "dockerfile" "Possible development utilities found, which is not advised for production environment"
LogText "Details: ${FIND}"
fi
# SSH
FIND_OPENSSH=`grep openssh ${AUDIT_FILE}`
FIND_OPENSSH=$(grep openssh ${AUDIT_FILE})
if [ ! "${FIND_OPENSSH}" = "" ]; then
Display --indent 2 --text "OpenSSH" --result "FOUND" --color RED
ReportSuggestion "dockerfile" "Don't use OpenSSH in container, use 'docker exec' instead"
@ -143,21 +143,21 @@ InsertSection "Basics"
FILE_DOWNLOAD=0
LogText "Checking usage of cURL"
FIND_CURL=`grep curl ${AUDIT_FILE}`
FIND_CURL=$(grep curl ${AUDIT_FILE})
if [ ! "${FIND_CURL}" = "" ]; then
Display --indent 4 --text "Download tool" --result "curl"
FILE_DOWNLOAD=1
fi
LogText "Checking usage of wget"
FIND_WGET=`grep wget ${AUDIT_FILE}`
FIND_WGET=$(grep wget ${AUDIT_FILE})
if [ ! "${FIND_WGET}" = "" ]; then
Display --indent 4 --text "Download tool" --result "wget"
FILE_DOWNLOAD=1
fi
FIND=`grep "^ADD http" ${AUDIT_FILE}`
FIND=$(grep "^ADD http" ${AUDIT_FILE})
if [ ! "${FIND}" = "" ]; then
FILE_DOWNLOAD=1
ReportWarning "dockerfile" "Found download of file via ADD. Unclear if the integrity of this file is checked, or file is signed"
@ -166,7 +166,7 @@ InsertSection "Basics"
if [ ${FILE_DOWNLOAD} -eq 1 ]; then
SSL_USED_FIND=`egrep "(https)" ${AUDIT_FILE}`
SSL_USED_FIND=$(egrep "(https)" ${AUDIT_FILE})
if [ ! "${SSL_USED_FIND}" = "" ]; then
SSL_USED="YES"
@ -177,9 +177,9 @@ InsertSection "Basics"
ReportSuggestion "Use SSL downloads when possible to increase security (DNSSEC, HTTPS, validation of domain, avoid MitM)"
fi
Display --indent 2 --text "Integrity testing performed" --result "${SSL_USED}" --color ${COLOR}
HASHING_USED=`egrep "(sha1sum|sha256sum|sha512sum)" ${AUDIT_FILE}`
HASHING_USED=$(egrep "(sha1sum|sha256sum|sha512sum)" ${AUDIT_FILE})
Display --indent 2 --text "Hashing" --result "${HASHING_USED}"
KEYS_USED=`egrep "(apt-key adv)" ${AUDIT_FILE}`
KEYS_USED=$(egrep "(apt-key adv)" ${AUDIT_FILE})
Display --indent 2 --text "Signing keys used" --result ${SSL_USED}
Display --indent 2 --text "All downloads properly checked" --result "?"
else
@ -191,7 +191,7 @@ InsertSection "Basics"
#
InsertSection "Permissions"
FIND=`grep -i "chmod 777" ${AUDIT_FILE}`
FIND=$(grep -i "chmod 777" ${AUDIT_FILE})
if [ ! "${FIND}" = "" ]; then
ReportWarning "dockerfile" "Warning: chmod 777 found"
fi

4
include/helper_system_remote_scan
View File

@ -49,8 +49,8 @@
# Enable screen output again
QUIET=0
SCP_BINARY=`which scp 2> /dev/null`
SSH_BINARY=`which ssh 2> /dev/null`
SCP_BINARY=$(which scp 2> /dev/null)
SSH_BINARY=$(which ssh 2> /dev/null)
if [ "${SCP_BINARY}" = "" ]; then echo "Could not find scp binary"; ExitFatal; fi
if [ "${SSH_BINARY}" = "" ]; then echo "Could not find ssh binary"; ExitFatal; fi

2
include/helper_update
View File

@ -51,7 +51,7 @@ if [ "$1" = "release" ]; then
elif [ "$1" = "info" ]; then
# CV - Current Version
PROGRAM_AC=`echo ${PROGRAM_VERSION} | awk '{ print $1 }' | sed 's/[.]//g'`
PROGRAM_AC=$(echo ${PROGRAM_VERSION} | awk '{ print $1 }' | sed 's/[.]//g')
PROGRAM_LV=0
CheckUpdates

2
include/parameters
View File

@ -287,7 +287,7 @@
--plugindir | --plugin-dir | --plugins-dir)
shift
PLUGINDIR=$1
LASTCHAR=`echo $1 | awk '{ print substr($0, length($0))}'`
LASTCHAR=$(echo $1 | awk '{ print substr($0, length($0))}')
if [ "${LASTCHAR}" = "/" ]; then
echo "${RED}Error:${WHITE} plugin directory path should not end with a slash${NORMAL}"
ExitCustom 65

12
include/report
View File

@ -140,7 +140,7 @@
fi
# Show suggestions from logfile
SSUGGESTIONS=`grep -i 'suggestion:' ${LOGFILE} | sed 's/ /!space!/g'`
SSUGGESTIONS=$(grep -i 'suggestion:' ${LOGFILE} | sed 's/ /!space!/g')
if [ "${SSUGGESTIONS}" = "" ]; then
echo " ${OK}No suggestions${NORMAL}"; echo ""
@ -159,7 +159,7 @@
if [ $? -eq 0 ]; then SOLUTION=$(echo ${SEARCH} | sed 's/!space!/ /g' | sed 's/solution://' | sed 's/text://' | tr -d '[]'); fi
fi
done
IS_CUSTOM=`echo ${ADDLINK} | grep "^CUST"`
IS_CUSTOM=$(echo ${ADDLINK} | grep "^CUST")
echo " ${YELLOW}*${NORMAL} ${SHOWSUGGESTION}"
if [ ! "${DETAILS}" = "-" -a ! -z "${DETAILS}" ]; then echo " - Details : ${CYAN}${DETAILS}${NORMAL}"; fi
if [ ${SHOW_REPORT_SOLUTION} -eq 1 -a ! "${SOLUTION}" = "-" ]; then echo " - Solution : ${SOLUTION}"; fi
@ -228,7 +228,7 @@
if [ ! "${PROGRAM_LV}" = "0" -a ! "${REPORTFILE}" = "" -a ! "${REPORTFILE}" = "/dev/null" ]; then
# Determine if the quality of the program can be increased by filtering out the exceptions
FIND=`${GREPBINARY} "^exception" ${REPORTFILE}`
FIND=$(${GREPBINARY} "^exception" ${REPORTFILE})
if [ ! "${FIND}" = "" ]; then
echo ""
echo " ${RED}${NOTE_EXCEPTIONS_FOUND}${NORMAL}"
@ -248,12 +248,12 @@
echo ""
echo " ${PURPLE}${NOTE_SKIPPED_TESTS_NON_PRIVILEGED}${NORMAL}"
FIND=`echo ${SKIPPED_TESTS_ROOTONLY} | sed 's/ /:space:/g'`
FIND=$(echo ${SKIPPED_TESTS_ROOTONLY} | sed 's/ /:space:/g')
# Split entries
FIND=`echo ${FIND} | sed 's/====/ /g'`
FIND=$(echo ${FIND} | sed 's/====/ /g')
# Display found entries
for I in ${FIND}; do
J=`echo ${I} | sed 's/:space:/ /g'`
J=$(echo ${I} | sed 's/:space:/ /g')
echo " ${J}"
done
echo ""

38
include/tests_authentication
View File

@ -102,7 +102,7 @@
Display --indent 2 --text "- Checking chkgrp tool" --result "${STATUS_FOUND}" --color GREEN
LogText "Result: /usr/sbin/chkgrp binary found. Using this to perform next test(s)."
LogText "Test: Testing consistency of /etc/group file"
FIND=`/usr/sbin/chkgrp | ${GREPBINARY} -v 'is fine'`
FIND=$(/usr/sbin/chkgrp | ${GREPBINARY} -v 'is fine')
if [ "${FIND}" = "" ]; then
Display --indent 4 --text "- Checking consistency of /etc/group file" --result "${STATUS_OK}" --color GREEN
LogText "Result: chkgrp test performed, Group file seems to be ok."
@ -158,7 +158,7 @@
LogText "Test: Checking login shells"
if [ -f /etc/master.passwd ]; then
# Check for all shells, except: (/usr)/sbin/nologin /nonexistent
FIND=`${GREPBINARY} "[a-z]:\*:" /etc/master.passwd | ${EGREPBINARY} -v '^#|/sbin/nologin|/usr/sbin/nologin|/nonexistent' | ${SEDBINARY} 's/ /!space!/g'`
FIND=$(${GREPBINARY} "[a-z]:\*:" /etc/master.passwd | ${EGREPBINARY} -v '^#|/sbin/nologin|/usr/sbin/nologin|/nonexistent' | ${SEDBINARY} 's/ /!space!/g')
if [ "${FIND}" = "" ]; then
Display --indent 2 --text "- Login shells" --result "${STATUS_OK}" --color GREEN
else
@ -202,7 +202,7 @@
LogText "Test: Checking login shells"
if [ -f /etc/master.passwd ]; then
# Check for all shells, except: (/usr)/sbin/nologin /nonexistent
FIND=`${GREPBINARY} "[a-z]:\*:" /etc/master.passwd | ${EGREPBINARY} -v '^#|/sbin/nologin|/usr/sbin/nologin|/nonexistent' | ${SEDBINARY} 's/ /!space!/g'`
FIND=$(${GREPBINARY} "[a-z]:\*:" /etc/master.passwd | ${EGREPBINARY} -v '^#|/sbin/nologin|/usr/sbin/nologin|/nonexistent' | ${SEDBINARY} 's/ /!space!/g')
if [ "${FIND}" = "" ]; then
Display --indent 2 --text "- Login shells" --result "${STATUS_OK}" --color GREEN
else
@ -488,7 +488,7 @@
Register --test-no AUTH-9252 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check sudoers file"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: checking sudoers file (${SUDOERS_FILE}) permissions"
FIND=`ls -l ${SUDOERS_FILE} | ${CUTBINARY} -c 2-10`
FIND=$(ls -l ${SUDOERS_FILE} | ${CUTBINARY} -c 2-10)
LogText "Result: Found file permissions: ${FIND}"
if [ "${FIND}" = "rw-------" -o "${FIND}" = "rw-rw----" -o "${FIND}" = "r--r-----" ]; then
LogText "Result: file ${SUDOERS_FILE} has correct permissions"
@ -650,7 +650,7 @@
if [ -d ${DIR} -a ! -L ${DIR} ]; then
LogText "Result: directory ${DIR} exists"
# Search in the specified directory
FIND=`find ${DIR} -maxdepth 1 -type f -name "pam_*.so" -print | sort`
FIND=$(find ${DIR} -maxdepth 1 -type f -name "pam_*.so" -print | sort)
if [ ! "${FIND}" = "" ]; then FOUND=1; fi
for FILE in ${FIND}; do
LogText "Found file: ${FILE}"
@ -680,7 +680,7 @@
if [ -f /etc/pam.d/common-auth ]; then
LogText "Result: file /etc/pam.d/common-auth exists"
LogText "Test: checking presence LDAP module"
FIND=`${GREPBINARY} "^auth.*ldap" /etc/pam.d/common-auth`
FIND=$(${GREPBINARY} "^auth.*ldap" /etc/pam.d/common-auth)
if [ ! "${FIND}" = "" ]; then
LogText "Result: LDAP module present"
LogText "Output: ${FIND}"
@ -809,7 +809,7 @@
Register --test-no AUTH-9288 --preqs-met ${PREQS_MET} --weight L --network NO --root-only YES --category security --description "Checking for expired passwords"
if [ ${SKIPTEST} -eq 0 ]; then
if FileIsReadable /etc/shadow; then
DAYS_SINCE_EPOCH=$((`date --utc +%s`/86400))
DAYS_SINCE_EPOCH=$(($(date --utc +%s)/86400))
LogText "Data: Days since epoch is ${DAYS_SINCE_EPOCH}"
LogText "Test: collecting accounts which have an expired password (last day changed + maximum change time)"
# Skip fields with a !, *, or x, or !* (field $3 is last changed, $5 is maximum changed)
@ -921,7 +921,7 @@
TEST_PERFORMED=1
LogText "Result: file /etc/sysconfig/init exists"
LogText "Test: checking presence sulogin for single user mode"
FIND=`${GREPBINARY} "^SINGLE=/sbin/sulogin" /etc/sysconfig/init`
FIND=$(${GREPBINARY} "^SINGLE=/sbin/sulogin" /etc/sysconfig/init)
if [ ! "${FIND}" = "" ]; then
FOUND=1
LogText "Result: found sulogin, so single user is protected"
@ -943,7 +943,7 @@
# Mark test as performed only when at least 1 target exists (e.g. Ubuntu 14.04 has limited systemd support)
TEST_PERFORMED=1
LogText "Result: found target ${I}"
FIND=`${EGREPBINARY} "^ExecStart=" ${FILE} | ${GREPBINARY} "/sulogin"`
FIND=$(${EGREPBINARY} "^ExecStart=" ${FILE} | ${GREPBINARY} "/sulogin")
if [ "${FIND}" = "" ]; then
LogText "Result: did not find sulogin specified, possible risk of getting into single user mode without authentication"
else
@ -1075,7 +1075,7 @@
if [ -f /etc/passwd ]; then
LogText "Result: file /etc/passwd exists"
LogText "Test: Checking umask value in /etc/passwd"
FIND=`${GREPBINARY} "umask=" /etc/passwd`
FIND=$(${GREPBINARY} "umask=" /etc/passwd)
if [ "${FIND}" = "" ]; then
ReportManual "AUTH-9328:03"
fi
@ -1088,7 +1088,7 @@
if [ -f /etc/login.defs ]; then
LogText "Result: file /etc/login.defs exists"
LogText "Test: Checking umask value in /etc/login.defs"
FIND=`${GREPBINARY} "^UMASK" /etc/login.defs | ${AWKBINARY} '{ print $2 }'`
FIND=$(${GREPBINARY} "^UMASK" /etc/login.defs | ${AWKBINARY} '{ print $2 }')
if [ "${FIND}" = "" ]; then
LogText "Result: umask value is not configured (most likely it will have the default 022 value)"
Display --indent 4 --text "- umask (/etc/login.defs)" --result "${STATUS_SUGGESTION}" --color YELLOW
@ -1113,7 +1113,7 @@
if [ -f /etc/init.d/functions ]; then
LogText "Result: file /etc/init.d/functions exists"
LogText "Test: Checking umask value in /etc/init.d/functions"
FIND=`${GREPBINARY} "^umask" /etc/init.d/functions | ${AWKBINARY} '{ print $2 }'`
FIND=$(${GREPBINARY} "^umask" /etc/init.d/functions | ${AWKBINARY} '{ print $2 }')
if [ "${FIND}" = "" ]; then
LogText "Result: umask is not configured"
Display --indent 4 --text "- umask (/etc/init.d/functions)" --result "${STATUS_NONE}" --color WHITE
@ -1135,7 +1135,7 @@
if [ -f /etc/init.d/rc ]; then
LogText "Result: file /etc/init.d/rc exists"
LogText "Test: Checking UMASK value in /etc/init.d/rc"
FIND=`${GREPBINARY} -i "^UMASK" /etc/init.d/rc | ${AWKBINARY} '{ print $2 }'`
FIND=$(${GREPBINARY} -i "^UMASK" /etc/init.d/rc | ${AWKBINARY} '{ print $2 }')
if [ "${FIND}" = "" ]; then
LogText "Result: UMASK value is not configured (most likely it will have the default 022 value)"
Display --indent 4 --text "- Checking umask (/etc/init.d/rc)" --result "${STATUS_SUGGESTION}" --color YELLOW
@ -1160,7 +1160,7 @@
FOUND=0
WEAK_UMASK=0
LogText "Result: file /etc/login.conf exists"
FIND=`${GREPBINARY} "umask" /etc/login.conf | ${SEDBINARY} 's/#.*//' | ${SEDBINARY} -E 's/^[[:cntrl:]]//' | ${GREPBINARY} -v '^$' | ${AWKBINARY} -F: '{ print $2}' | ${AWKBINARY} -F= '{ if ($1=="umask") { print $2 }}'`
FIND=$(${GREPBINARY} "umask" /etc/login.conf | ${SEDBINARY} 's/#.*//' | ${SEDBINARY} -E 's/^[[:cntrl:]]//' | ${GREPBINARY} -v '^$' | ${AWKBINARY} -F: '{ print $2}' | ${AWKBINARY} -F= '{ if ($1=="umask") { print $2 }}')
if [ ! "${FIND}" = "" ]; then
for UMASK_VALUE in ${FIND}; do
case ${UMASK_VALUE} in
@ -1196,9 +1196,9 @@
if [ -f /etc/init.d/rcS ]; then
LogText "Result: file /etc/init.d/rcS exists"
LogText "Test: Checking if script runs another script."
FIND=`${GREPBINARY} -i "^exec " /etc/init.d/rcS | ${AWKBINARY} '{ print $2 }'`
FIND=$(${GREPBINARY} -i "^exec " /etc/init.d/rcS | ${AWKBINARY} '{ print $2 }')
if [ "${FIND}" = "" ]; then
FIND2=`${GREPBINARY} -i "^UMASK" /etc/init.d/rcS | ${AWKBINARY} '{ print $2 }'`
FIND2=$(${GREPBINARY} -i "^UMASK" /etc/init.d/rcS | ${AWKBINARY} '{ print $2 }')
if [ "${FIND2}" = "" ]; then
LogText "Result: UMASK value is not configured (most likely it will have the default 022 value)"
Display --indent 4 --text "- Checking umask (/etc/init.d/rcS)" --result "${STATUS_SUGGESTION}" --color YELLOW
@ -1234,7 +1234,7 @@
FOUND=0
if [ -f /etc/security/policy.conf ]; then
LogText "Result: found /etc/security/policy.conf"
FIND=`${GREPBINARY} "^LOCK_AFTER_RETRIES" /etc/security/policy.conf`
FIND=$(${GREPBINARY} "^LOCK_AFTER_RETRIES" /etc/security/policy.conf)
if [ ! "${FIND}" = "" ]; then
FOUND=1
LogText "Result: account locking option set"
@ -1254,7 +1254,7 @@
LogText "Test: checking /etc/default/login"
if [ -f /etc/default/login ]; then
LogText "Result: file /etc/default/login exists"
FIND=`${GREPBINARY} "^RETRIES" /etc/default/login`
FIND=$(${GREPBINARY} "^RETRIES" /etc/default/login)
if [ ! "${FIND}" = "" ]; then
FOUND=1
LogText "Result: retries option configured"
@ -1331,7 +1331,7 @@
Register --test-no AUTH-9408 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Logging of failed login attempts via /etc/login.defs"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking FAILLOG_ENAB option in /etc/login.defs "
FIND=`${GREPBINARY} "^FAILLOG_ENAB" /etc/login.defs | ${AWKBINARY} '{ if ($1=="FAILLOG_ENAB") { print $2 } }'`
FIND=$(${GREPBINARY} "^FAILLOG_ENAB" /etc/login.defs | ${AWKBINARY} '{ if ($1=="FAILLOG_ENAB") { print $2 } }')
# Search for enabled status (yes), otherwise consider it to be disabled (e.g. empty, or other value)
if [ "${FIND}" = "yes" ]; then
AUTH_FAILED_LOGINS_LOGGED=1

4
include/tests_banners
View File

@ -100,7 +100,7 @@
# N=0
# LogText "Test: Checking file /etc/motd contents for legal key words"
# for I in ${LEGAL_BANNER_STRINGS}; do
# FIND=`${GREPBINARY} -i "${I}" /etc/motd`
# FIND=$(${GREPBINARY} -i "${I}" /etc/motd)
# if [ ! "${FIND}" = "" ]; then
# LogText "Result: found string '${I}'"
# N=$((N + 1))
@ -205,7 +205,7 @@
N=0
LogText "Test: Checking file /etc/issue.net contents for legal key words"
for I in ${LEGAL_BANNER_STRINGS}; do
FIND=`${GREPBINARY} -i "${I}" /etc/issue.net`
FIND=$(${GREPBINARY} -i "${I}" /etc/issue.net)
if [ ! "${FIND}" = "" ]; then
LogText "Result: found string '${I}'"
N=$((N + 1))

3
include/tests_boot_services
View File

@ -99,6 +99,7 @@
;;
*)
CONTAINS_SYSTEMD=$(echo ${SHORTNAME} | ${GREPBINARY} "systemd")
if [ ! -z "${CONTAINS_SYSTEMD}" ]; then
SERVICE_MANAGER="systemd"
else
@ -259,7 +260,7 @@
# Some OSes like Gentoo do not have /boot mounted by default
# TODO: root directory and rewrite ls statement
if [ -d /boot ]; then
if [ "`ls /boot/* 2> /dev/null`" = "" -a ! -z "${GRUB2INSTALLBINARY}" ]; then
if [ "$(ls /boot/* 2> /dev/null)" = "" -a ! -z "${GRUB2INSTALLBINARY}" ]; then
BOOT_LOADER_FOUND=1
LogText "Result: found empty /boot, however with GRUB2 binary installed. Best guess is that GRUB2 is actually installed, but /boot not mounted"
Display --indent 2 --text "- Checking presence GRUB2" --result "POSSIBLE MATCH" --color YELLOW

6
include/tests_containers
View File

@ -65,10 +65,10 @@
#Register --test-no CONT-1906 --weight L --network NO --category security --description "Query Xen guests"
#if [ ${SKIPTEST} -eq 0 ]; then
# Show Xen guests
#FIND=`xm list | ${AWKBINARY} '$1 != "Name|Domain-0" {print $1","$2}'`
#FIND=$(xm list | ${AWKBINARY} '$1 != "Name|Domain-0" {print $1","$2}')
#for I in ${FIND}; do
#XENGUESTNAME=`echo ${I} | ${CUTBINARY} -d ':' -f1`
#XENGUESTID=`echo ${I} | ${CUTBINARY} -d ':' -f2`
#XENGUESTNAME=$(echo ${I} | ${CUTBINARY} -d ':' -f1)
#XENGUESTID=$(echo ${I} | ${CUTBINARY} -d ':' -f2)
#LogText "Result: found Xen guest ${XENGUESTNAME} (ID: ${XENGUESTID})"
#done
#fi

4
include/tests_databases
View File

@ -37,7 +37,7 @@
# Description : Check if MySQL is being used
Register --test-no DBS-1804 --weight L --network NO --category security --description "Checking active MySQL process"
if [ ${SKIPTEST} -eq 0 ]; then
FIND=`${PSBINARY} ax | ${EGREPBINARY} "mysqld|mysqld_safe" | ${GREPBINARY} -v "grep"`
FIND=$(${PSBINARY} ax | ${EGREPBINARY} "mysqld|mysqld_safe" | ${GREPBINARY} -v "grep")
if [ "${FIND}" = "" ]; then
if [ ${DEBUG} -eq 1 ]; then Display --indent 2 --text "- MySQL process status" --result "${STATUS_NOT_FOUND}" --color WHITE --debug; fi
LogText "Result: MySQL process not active"
@ -209,7 +209,7 @@
#Register --test-no DBS-1842 --weight L --network NO --category security --description "Checking Oracle home paths"
#if [ ${SKIPTEST} -eq 0 ]; then
# if [ -f /etc/oratab ]; then
# FIND=`${GREPBINARY} -v "#" /etc/oratab | ${AWKBINARY} -F: "{ print $2 }"`
# FIND=$(${GREPBINARY} -v "#" /etc/oratab | ${AWKBINARY} -F: "{ print $2 }")
# fi
#fi
#

10
include/tests_filesystems
View File

@ -247,9 +247,9 @@
# Can be ^/dev/partition
# Test for UUID usage (e.g. UUID=uuid --> /dev/disk/by-uuid/<uuid>)
HAS_UUID=`echo ${I} | ${GREPBINARY} "^UUID="`
HAS_UUID=$(echo ${I} | ${GREPBINARY} "^UUID=")
if [ ! -z "${HAS_UUID}" ]; then
UUID=`echo ${HAS_UUID} | ${AWKBINARY} -F= '{ print $2 }'`
UUID=$(echo ${HAS_UUID} | ${AWKBINARY} -F= '{ print $2 }')
LogText "Result: Using ${UUID} as UUID"
if [ ! -z "${BLKIDBINARY}" ]; then
FIND2=$(${BLKIDBINARY} | ${AWKBINARY} '{ if ($2=="UUID=\"${UUID}\"") print $1 }' | ${SEDBINARY} 's/:$//')
@ -303,7 +303,7 @@
else
Display --indent 2 --text "- Testing swap partitions" --result "CHECK NEEDED" --color YELLOW
LogText "Result: possible incorrect mount options used for mounting swap partition (${FIND})"
#ReportWarning ${TEST_NO} "Possible incorrect mount options used for swap parition (${FIND})"
#ReportWarning ${TEST_NO} "Possible incorrect mount options used for swap partition (${FIND})"
ReportSuggestion ${TEST_NO} "Check your /etc/fstab file for swap partition mount options"
LogText "Notes: usually swap partition have 'sw' or 'swap' in the options field (4th)"
fi
@ -429,7 +429,7 @@
FIND1="${ROOTDIR}dev/root"
else
# Only determine device if it is EXT2/3/4
#FIND1=`mount | ${GREPBINARY} "on / " | ${AWKBINARY} '{ if ($5~/ext[2-4]/) { print $1 }}'`
#FIND1=$(mount | ${GREPBINARY} "on / " | ${AWKBINARY} '{ if ($5~/ext[2-4]/) { print $1 }}')
FIND1=$(${MOUNTBINARY} -t ext2,ext3,ext4 | ${GREPBINARY} "on / " | ${AWKBINARY} '{ print $1 }')
fi
# Trying to determine default mount options from EXT2/EXT3/EXT4 file systems
@ -538,7 +538,7 @@
PARTIALLY_HARDENED=0
FULLY_HARDENED=1
for FLAG in ${EXPECTED_FLAGS}; do
FLAG_AVAILABLE=`echo ${FOUND_FLAGS} | ${GREPBINARY} ${FLAG}`
FLAG_AVAILABLE=$(echo ${FOUND_FLAGS} | ${GREPBINARY} ${FLAG})
if [ "${FLAG_AVAILABLE}" = "" ]; then
LogText "Result: Could not find mount option ${FLAG} on file system ${FILESYSTEM}"
FULLY_HARDENED=0

4
include/tests_firewalls
View File

@ -106,7 +106,7 @@
TABLES="filter"
for TABLE in ${TABLES}; do
LogText "Test: gathering information from table ${TABLE}"
FIND="$FIND""\n"`${IPTABLESBINARY} -t ${TABLE} --numeric --list | ${EGREPBINARY} -z -o -w '[A-Z]+' | ${AWKBINARY} -v t=${TABLE} 'NR%2 {printf "%s %s ",t, $0 ; next;}1'`
FIND="$FIND""\n"$(${IPTABLESBINARY} -t ${TABLE} --numeric --list | ${EGREPBINARY} -z -o -w '[A-Z]+' | ${AWKBINARY} -v t=${TABLE} 'NR%2 {printf "%s %s ",t, $0 ; next;}1')
done
echo "${FIND}" | while read line; do
@ -336,7 +336,7 @@
FIREWALL_ACTIVE=1
FIREWALL_SOFTWARE="ipfw"
Report "firewall_software[]=ipfw"
IPFW_ENABLED=`service -e | ${GREPBINARY} -o ipfw`
IPFW_ENABLED=$(service -e | ${GREPBINARY} -o ipfw)
if [ "${IPFW_ENABLED}" = "ipfw" ]; then
Display --indent 4 --text "- IPFW enabled in /etc/rc.conf" --result "${STATUS_YES}" --color GREEN
LogText "Result: IPFW is enabled at start-up for IPv4"

36
include/tests_kernel
View File

@ -43,12 +43,12 @@
if [ -L /etc/systemd/system/default.target ]; then
LogText "Result: symlink found"
if [ ! "${READLINKBINARY}" = "" ]; then
FIND=`${READLINKBINARY} /etc/systemd/system/default.target`
FIND=$(${READLINKBINARY} /etc/systemd/system/default.target)
if [ "${FIND}" = "" ]; then
LogText "Exception: can't find the target of the symlink of /etc/systemd/system/default.target"
ReportException "${TEST_NO}:01"
else
FIND2=`echo ${FIND} | ${EGREPBINARY} "runlevel5|graphical"`
FIND2=$(echo ${FIND} | ${EGREPBINARY} "runlevel5|graphical")
if [ ! "${FIND2}" = "" ]; then
LogText "Result: Found match on runlevel5/graphical"
Display --indent 2 --text "- Checking default runlevel" --result "runlevel 5" --color GREEN
@ -69,7 +69,7 @@
if [ -f /etc/inittab ]; then
LogText "Result: file /etc/inittab found"
LogText "Test: Checking default Linux run level"
FIND=`${AWKBINARY} -F: '/^id/ { print $2; }' /etc/inittab | head -n 1`
FIND=$(${AWKBINARY} -F: '/^id/ { print $2; }' /etc/inittab | head -n 1)
if [ "${FIND}" = "" ]; then
Display --indent 2 --text "- Checking default runlevel" --result "${STATUS_UNKNOWN}" --color YELLOW
LogText "Result: Can't determine default run level from /etc/inittab"
@ -82,7 +82,7 @@
LogText "Result: file /etc/inittab not found"
if [ "${LINUX_VERSION}" = "Debian" -o "${LINUX_VERSION}" = "Ubuntu" ]; then
LogText "Test: Checking run level with who -r, for Debian based systems"
FIND=`who -r | ${AWKBINARY} '{ if ($1=="run-level") { print $2 } }'`
FIND=$(who -r | ${AWKBINARY} '{ if ($1=="run-level") { print $2 } }')
if [ ! "${FIND}" = "" ]; then
LogText "Result: Found default run level '${FIND}'"
Report "linux_default_runlevel=${FIND}"
@ -109,9 +109,9 @@
if [ -f /proc/cpuinfo ]; then
LogText "Result: found /proc/cpuinfo"
LogText "Test: Checking CPU options (XD/NX/PAE)"
FIND_PAE_NX=`${GREPBINARY} " pae " /proc/cpuinfo | ${GREPBINARY} " nx "`
FIND_PAE=`${GREPBINARY} " pae " /proc/cpuinfo`
FIND_NX=`${GREPBINARY} " nx " /proc/cpuinfo`
FIND_PAE_NX=$(${GREPBINARY} " pae " /proc/cpuinfo | ${GREPBINARY} " nx ")
FIND_PAE=$(${GREPBINARY} " pae " /proc/cpuinfo)
FIND_NX=$(${GREPBINARY} " nx " /proc/cpuinfo)
FOUND=0
if [ ! "${FIND_PAE_NX}" = "" ]; then
LogText "PAE: Yes"
@ -165,11 +165,11 @@
Register --test-no KRNL-5695 --os Linux --weight L --network NO --category security --description "Determine Linux kernel version and release number"
if [ ${SKIPTEST} -eq 0 ]; then
# Kernel number (and suffix)
LINUX_KERNEL_RELEASE=`uname -r`
LINUX_KERNEL_RELEASE=$(uname -r)
Report "linux_kernel_release=${LINUX_KERNEL_RELEASE}"
LogText "Result: found kernel release ${LINUX_KERNEL_RELEASE}"
# Type and build date
LINUX_KERNEL_VERSION=`uname -v`
LINUX_KERNEL_VERSION=$(uname -v)
Report "linux_kernel_version=${LINUX_KERNEL_VERSION}"
LogText "Result: found kernel version ${LINUX_KERNEL_VERSION}"
Display --indent 2 --text "- Checking kernel version and release" --result "${STATUS_DONE}" --color GREEN
@ -184,7 +184,7 @@
if [ ! "${LSMODBINARY}" = "" -a -f /proc/modules ]; then
LogText "Test: checking if kernel is monolithic or modular"
# Checking if any modules are loaded
FIND=`${LSMODBINARY} | ${GREPBINARY} -v "^Module" | wc -l | ${TRBINARY} -s ' ' | ${TRBINARY} -d ' '`
FIND=$(${LSMODBINARY} | ${GREPBINARY} -v "^Module" | wc -l | ${TRBINARY} -s ' ' | ${TRBINARY} -d ' ')
Display --indent 2 --text "- Checking kernel type" --result "${STATUS_DONE}" --color GREEN
if [ "${FIND}" = "0" ]; then
LogText "Result: Found monolithic kernel"
@ -207,7 +207,7 @@
Register --test-no KRNL-5726 --os Linux --weight L --network NO --category security --description "Checking Linux loaded kernel modules"
if [ ${SKIPTEST} -eq 0 ]; then
if [ ! "${LSMODBINARY}" = "" -a -f /proc/modules ]; then
FIND=`${LSMODBINARY} | ${AWKBINARY} '{ if ($1!="Module") print $1 }' | sort`
FIND=$(${LSMODBINARY} | ${AWKBINARY} '{ if ($1!="Module") print $1 }' | sort)
Display --indent 2 --text "- Checking loaded kernel modules" --result "${STATUS_DONE}" --color GREEN
if [ ! "${FIND}" = "" ]; then
LogText "Loaded modules according lsmod:"
@ -233,7 +233,7 @@
# Description : Checking for available Linux kernel configuration file in /boot
Register --test-no KRNL-5728 --os Linux --weight L --network NO --category security --description "Checking Linux kernel config"
if [ ${SKIPTEST} -eq 0 ]; then
CHECKFILE="/boot/config-`uname -r`"
CHECKFILE="/boot/config-$(uname -r)"
if [ -f ${CHECKFILE} ]; then
LINUXCONFIGFILE="${CHECKFILE}"
LogText "Result: found config (${LINUXCONFIGFILE})"
@ -267,7 +267,7 @@
if [ ${LINUXCONFIGFILE_ZIPPED} -eq 1 ]; then GREPTOOL="${ZGREPBINARY}"; else GREPTOOL="${GREPBINARY}"; fi
if [ ! "${GREPTOOL}" = "" ]; then
LogText "Test: Checking the default I/O kernel scheduler"
LINUX_KERNEL_IOSCHED=`${GREPTOOL} "CONFIG_DEFAULT_IOSCHED" ${LINUXCONFIGFILE} | ${AWKBINARY} -F= '{ print $2 }' | ${SEDBINARY} s/\"//g`
LINUX_KERNEL_IOSCHED=$(${GREPTOOL} "CONFIG_DEFAULT_IOSCHED" ${LINUXCONFIGFILE} | ${AWKBINARY} -F= '{ print $2 }' | ${SEDBINARY} s/\"//g)
if [ ! "${LINUX_KERNEL_IOSCHED}" = "" ]; then
LogText "Result: found IO scheduler '${LINUX_KERNEL_IOSCHED}'"
Display --indent 2 --text "- Checking default I/O kernel scheduler" --result "${STATUS_FOUND}" --color GREEN
@ -292,7 +292,7 @@
LogText "Description: View all active kernel modules (including kernel)"
LogText "Test: Checking modules"
if [ -f /sbin/kldstat ]; then
FIND=`kldstat | ${GREPBINARY} -v 'Name' | ${TRBINARY} -s ' ' | ${CUTBINARY} -d ' ' -f6`
FIND=$(kldstat | ${GREPBINARY} -v 'Name' | ${TRBINARY} -s ' ' | ${CUTBINARY} -d ' ' -f6)
if [ $? -eq 0 ]; then
LogText "Loaded modules according kldstat:"
N=0
@ -323,7 +323,7 @@
LogText "Description: View all active kernel modules (including kernel)"
LogText "Test: Checking modules"
if [ -f /sbin/kldstat ]; then
FIND=`kldstat | ${GREPBINARY} -v 'Name' | ${TRBINARY} -s ' ' | ${CUTBINARY} -d ' ' -f6`
FIND=$(kldstat | ${GREPBINARY} -v 'Name' | ${TRBINARY} -s ' ' | ${CUTBINARY} -d ' ' -f6)
if [ $? -eq 0 ]; then
LogText "Loaded modules according kldstat:"
N=0
@ -350,7 +350,7 @@
Register --test-no KRNL-5770 --os Solaris --weight L --network NO --category security --description "Checking active kernel modules"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: searching loaded kernel modules"
FIND=`modinfo -c -w | ${GREPBINARY} -v "UNLOADED" | ${GREPBINARY} LOADED | ${AWKBINARY} '{ print $3 }' | sort`
FIND=$(modinfo -c -w | ${GREPBINARY} -v "UNLOADED" | ${GREPBINARY} LOADED | ${AWKBINARY} '{ print $3 }' | sort)
if [ ! "${FIND}" = "" ]; then
for I in ${FIND}; do
LogText "Found module: ${I}"
@ -394,7 +394,7 @@
LogText "Kernel candidate: ${FINDCAND}"
if [ -z "${FINDINST}" ]; then
Display --indent 2 --text "- Checking for available kernel update" --result "${STATUS_UNKNOWN}" --color YELLOW
LogText "Result: Exception occured, no output from apt-cache policy"
LogText "Result: Exception occurred, no output from apt-cache policy"
ReportException "${TEST_NO}:01"
LogText "Exception: apt-cache policy did not return an installed kernel version"
ReportSuggestion ${TEST_NO} "Check the output of apt-cache policy manually to determine why output is empty"
@ -523,7 +523,7 @@
fi
done
if [ ! -z "${FINDVERSION}" ]; then
CURRENT_KERNEL=`uname -r`
CURRENT_KERNEL=$(uname -r)
if [ ! "${CURRENT_KERNEL}" = "${FINDVERSION}" ]; then
LogText "Result: reboot needed, as current kernel is different than the one loaded"
REBOOT_NEEDED=1

6
include/tests_logging
View File

@ -189,7 +189,7 @@
LogText "Test: Searching kernel logger daemon (klogd)"
if [ ${RSYSLOG_RUNNING} -eq 0 -a ${SYSTEMD_JOURNAL_RUNNING} -eq 0 ]; then
# Search for klogd, but ignore other lines related to klogd (like dd with input/output file)
#FIND=`${PSBINARY} ax | ${GREPBINARY} "klogd" | ${GREPBINARY} -v "dd" | ${GREPBINARY} -v "grep"`
#FIND=$(${PSBINARY} ax | ${GREPBINARY} "klogd" | ${GREPBINARY} -v "dd" | ${GREPBINARY} -v "grep")
IsRunning klogd
if [ ${RUNNING} -eq 1 ]; then
LogText "Result: klogd running"
@ -285,7 +285,7 @@
Register --test-no LOGG-2150 --weight L --preqs-met ${PREQS_MET} --network NO --category security --description "Checking directories in logrotate configuration"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking which directories can be found in logrotate configuration"
FIND=`${LOGROTATEBINARY} -d -v /etc/logrotate.conf 2>&1 | ${EGREPBINARY} "considering log|skipping" | ${GREPBINARY} -v '*' | ${SORTBINARY} -u | ${AWKBINARY} '{ if ($2=="log") { print $3 } }' | ${SEDBINARY} 's@/[^/]*$@@g' | ${SORTBINARY} -u`
FIND=$(${LOGROTATEBINARY} -d -v /etc/logrotate.conf 2>&1 | ${EGREPBINARY} "considering log|skipping" | ${GREPBINARY} -v '*' | ${SORTBINARY} -u | ${AWKBINARY} '{ if ($2=="log") { print $3 } }' | ${SEDBINARY} 's@/[^/]*$@@g' | ${SORTBINARY} -u)
if [ "${FIND}" = "" ]; then
LogText "Result: nothing found"
else
@ -319,7 +319,7 @@
# Try name resolving if no entry is present in local host file
LogText "Result: Checking for loghost via name resolving"
FIND=`getent hosts loghost | ${GREPBINARY} loghost`
FIND=$(getent hosts loghost | ${GREPBINARY} loghost)
if [ ! -z "${FIND}" ]; then
SOLARIS_LOGHOST_FOUND=1
LogText "Result: name resolving was succesful"

30
include/tests_nameservices
View File

@ -155,7 +155,7 @@
LogText "Test: checking /etc/nodename"
if [ -f /etc/nodename ]; then
LogText "Result: file /etc/nodename exists"
FIND=`cat /etc/nodename`
FIND=$(cat /etc/nodename)
LogText "Output: ${FIND}"
Display --indent 2 --text "- Checking /etc/nodename" --result "${STATUS_DONE}" --color GREEN
else
@ -176,7 +176,7 @@
#LogText "Test: Checking file /etc/domainname"
#if [ -f /etc/domainname ]; then
# LogText "Result: file /etc/domainname exists"
# FIND2=`cat /etc/domainname`
# FIND2=$(cat /etc/domainname)
# if [ ! "${FIND}" = "" ]; then
# LogText "Found domain name: ${FIND}"
# DOMAINNAME="${FIND}"
@ -267,11 +267,11 @@
if [ ${UNBOUND_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no NAME-4036 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check Unbound configuration file"
if [ ${SKIPTEST} -eq 0 ]; then
FIND=`which unbound-checkconf`
FIND=$(which unbound-checkconf)
if [ ! "${FIND}" = "" ]; then
LogText "Test: running unbound-checkconf"
# Don't capture any output, just gather exit code (0 is fine, otherwise bad)
FIND=`unbound-checkconf > /dev/null 2>&1`
FIND=$(unbound-checkconf > /dev/null 2>&1)
if [ $? -eq 0 ]; then
UNBOUND_CONFIG_OK=1
LogText "Result: Configuration is fine"
@ -335,7 +335,7 @@
LogText "Test: searching for named-checkconf binary"
if [ ! "${NAMEDCHECKCONFBINARY}" = "" ]; then
LogText "Result: named-checkconf is installed"
FIND=`${NAMEDCHECKCONFBINARY} ${BIND_CONFIG_LOCATION}; echo $?`
FIND=$(${NAMEDCHECKCONFBINARY} ${BIND_CONFIG_LOCATION}; echo $?)
if [ "${FIND}" = "0" ]; then
LogText "Result: configuration file ${BIND_CONFIG_LOCATION} seems to be fine"
Display --indent 4 --text "- Checking BIND configuration consistency" --result "${STATUS_OK}" --color GREEN
@ -364,7 +364,7 @@
Register --test-no NAME-4210 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check DNS banner"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Trying to determine version from banner"
FIND=`${DIGBINARY} @localhost version.bind chaos txt | ${GREPBINARY} "^version.bind" | ${GREPBINARY} TXT | ${EGREPBINARY} "[0-9].[0-9].[0-9]*"`
FIND=$(${DIGBINARY} @localhost version.bind chaos txt | ${GREPBINARY} "^version.bind" | ${GREPBINARY} TXT | ${EGREPBINARY} "[0-9].[0-9].[0-9]*")
if [ "${FIND}" = "" ]; then
LogText "Result: no useful information in banner found"
Display --indent 4 --text "- Checking BIND version in banner" --result "${STATUS_OK}" --color GREEN
@ -470,29 +470,29 @@
#################################################################################
#
# Test : NAME-4238
# Description : Check PowerDNS authoritive status
# Description : Check PowerDNS authoritative status
if [ ${POWERDNS_RUNNING} -eq 1 -a ! -z "${POWERDNS_AUTH_CONFIG_LOCATION}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no NAME-4238 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check PowerDNS authoritive status"
Register --test-no NAME-4238 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check PowerDNS authoritative status"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking for PowerDNS master status"
FIND=$(${GREPBINARY} "^master=yes" ${POWERDNS_AUTH_CONFIG_LOCATION})
if [ ! -z "${FIND}" ]; then
LogText "Found master=yes in configuration file"
Display --indent 4 --text "- PowerDNS authoritive master: YES"
Display --indent 4 --text "- PowerDNS authoritative master: YES"
POWERDNS_AUTH_MASTER=1
else
LogText "Result: most likely not master (no master=yes)"
Display --indent 4 --text "- PowerDNS authoritive master: NO"
Display --indent 4 --text "- PowerDNS authoritative master: NO"
fi
LogText "Test: Checking for PowerDNS slave status"
FIND=$(${GREPBINARY} "^slave=yes" ${POWERDNS_AUTH_CONFIG_LOCATION})
if [ ! -z "${FIND}" ]; then
LogText "Found slave=yes in configuration file"
Display --indent 4 --text "- PowerDNS authoritive slave: YES"
Display --indent 4 --text "- PowerDNS authoritative slave: YES"
POWERDNS_AUTH_SLAVE=1
else
LogText "Result: most likely not slave (no slave=yes)"
Display --indent 4 --text "- PowerDNS authoritive slave: NO"
Display --indent 4 --text "- PowerDNS authoritative slave: NO"
fi
fi
#
@ -529,7 +529,7 @@
if [ ${YPBIND_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no NAME-4306 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check NIS domain"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking `domainname` for NIS domain value"
LogText "Test: Checking $(domainname) for NIS domain value"
FIND=$(${DOMAINNAMEBINARY} | ${GREPBINARY} -v "(none)")
if [ ! -z "${FIND}" ]; then
LogText "Value: ${FIND}"
@ -541,7 +541,7 @@
LogText "Test: Checking file ${ROOTDIR}etc/defaultdomain"
if [ -f ${ROOTDIR}etc/defaultdomain ]; then
LogText "Result: file ${ROOTDIR}etc/defaultdomain exists"
FIND2=`cat ${ROOTDIR}etc/defaultdomain`
FIND2=$(cat ${ROOTDIR}etc/defaultdomain)
if [ ! -z "${FIND2}" ]; then
LogText "Output: ${FIND2}"
NISDOMAIN="${FIND2}"
@ -641,7 +641,7 @@
Register --test-no NAME-4406 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check server hostname mapping"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Check server hostname not locally mapped in /etc/hosts"
sFIND=`${EGREPBINARY} -v '^(#|$)' /etc/hosts | ${EGREPBINARY} '^(localhost|::1)\s' | ${GREPBINARY} -w ${HOSTNAME}`
sFIND=$(${EGREPBINARY} -v '^(#|$)' /etc/hosts | ${EGREPBINARY} '^(localhost|::1)\s' | ${GREPBINARY} -w ${HOSTNAME})
if [ ! "${sFIND}" = "" ]; then
LogText "Result: Found this server hostname mapped to a local address"
LogText "Output: ${sFIND}"

86
include/tests_networking
View File

@ -46,12 +46,12 @@
IPV6_ONLY=255
IPV6_MISCONFIGURED=0
IPV6_MISCONFIGURED_MTU=0
FIND=`sysctl -a 2> /dev/null | ${GREPBINARY} "^net.ipv6" | ${SEDBINARY} "s/ = /=/"`
FIND=$(sysctl -a 2> /dev/null | ${GREPBINARY} "^net.ipv6" | ${SEDBINARY} "s/ = /=/")
if [ ! "${FIND}" = "" ]; then
IPV6_CONFIGURED=1
for I in ${FIND}; do
SYSCTL_KEY=`echo ${I} | ${AWKBINARY} -F= '{ print $1 }'`
SYSCTL_VALUE=`echo ${I} | ${AWKBINARY} -F= '{ print $2 }'`
SYSCTL_KEY=$(echo ${I} | ${AWKBINARY} -F= '{ print $1 }')
SYSCTL_VALUE=$(echo ${I} | ${AWKBINARY} -F= '{ print $2 }')
case ${SYSCTL_KEY} in
"net.ipv6.conf.default.accept_ra")
if [ "${SYSCTL_VALUE}" = "1" ]; then IPV6_ACCEPT_RA=1; else IPV6_ACCEPT_RA=0; fi
@ -89,7 +89,7 @@
LogText "Result: IPV6 mode is ${IPV6_MODE}"
if [ ${IPV6_CONFIGURED} -eq 1 ]; then
Display --indent 2 --text "- Checking IPv6 configuration" --result "${STATUS_ENABLED}" --color WHITE
STATUS=`echo ${IPV6_MODE} | ${TRBINARY} '[:lower:]' '[:upper:]'`
STATUS=$(echo ${IPV6_MODE} | ${TRBINARY} '[:lower:]' '[:upper:]')
Display --indent 6 --text "Configuration method" --result "${STATUS}" --color WHITE
if [ ${IPV6_ONLY} -eq 1 ]; then STATUS="YES"; else STATUS="NO"; fi
LogText "Result: IPv6 only configuration: ${STATUS}"
@ -123,7 +123,7 @@
LogText "Test: Checking /etc/resolv.conf file"
if [ -f /etc/resolv.conf ]; then
LogText "Result: Found /etc/resolv.conf file"
FIND=`${GREPBINARY} '^nameserver' /etc/resolv.conf | ${TRBINARY} -d '\t' | ${SEDBINARY} 's/nameserver*//g' | uniq`
FIND=$(${GREPBINARY} '^nameserver' /etc/resolv.conf | ${TRBINARY} -d '\t' | ${SEDBINARY} 's/nameserver*//g' | uniq)
if [ ! "${FIND}" = "" ]; then
Display --indent 4 --text "- Testing nameservers"
LogText "Test: Querying nameservers"
@ -137,7 +137,7 @@
if [ ! "${DIGBINARY}" = "" ]; then
# See if we can query something at the nameserver
# 0=good, other=bad
DNSRESPONSE=`${DIGBINARY} +noall +time=3 +retry=0 @${I} ${I} > /dev/null ; echo $?`
DNSRESPONSE=$(${DIGBINARY} +noall +time=3 +retry=0 @${I} ${I} > /dev/null ; echo $?)
if [ "${DNSRESPONSE}" = "0" ]; then
Display --indent 8 --text "Nameserver: ${I}" --result "${STATUS_OK}" --color GREEN
LogText "Nameserver ${I} seems to respond to queries from this host."
@ -196,7 +196,7 @@
Register --test-no NETW-3001 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Find default gateway (route)"
if [ $SKIPTEST -eq 0 ]; then
LogText "Test: Searching default gateway(s)"
FIND=`${NETSTATBINARY} -rn | ${EGREPBINARY} "^0.0.0.0|default" | ${TRBINARY} -s ' ' | ${CUTBINARY} -d ' ' -f2`
FIND=$(${NETSTATBINARY} -rn | ${EGREPBINARY} "^0.0.0.0|default" | ${TRBINARY} -s ' ' | ${CUTBINARY} -d ' ' -f2)
if [ ! "${FIND}" = "" ]; then
for I in ${FIND}; do
LogText "Result: Found default gateway ${I}"
@ -260,34 +260,34 @@
FIND=""
case ${OS} in
AIX)
FIND=`lscfg -vl ent* | ${GREPBINARY} "Network Address" | ${CUTBINARY} -d"." -f14 | ${AWKBINARY} '{ ctr=1; i=1; while (ctr <= 6) { d[ctr++]=substr($0,i,2);i=i+2 } printf("%s:%s:%s:%s:%s:%s\n",d[1],d[2],d[3],d[4],d[5],d[6]) }'`
FIND=$(lscfg -vl ent* | ${GREPBINARY} "Network Address" | ${CUTBINARY} -d"." -f14 | ${AWKBINARY} '{ ctr=1; i=1; while (ctr <= 6) { d[ctr++]=substr($0,i,2);i=i+2 } printf("%s:%s:%s:%s:%s:%s\n",d[1],d[2],d[3],d[4],d[5],d[6]) }')
;;
DragonFly|FreeBSD)
FIND=`${IFCONFIGBINARY} -a 2> /dev/null | ${AWKBINARY} '{ if ($1=="ether") print $2 }' | ${SORTBINARY} -u`
FIND=$(${IFCONFIGBINARY} -a 2> /dev/null | ${AWKBINARY} '{ if ($1=="ether") print $2 }' | ${SORTBINARY} -u)
;;
Linux)
if [ ! "${IFCONFIGBINARY}" = "" ]; then
FIND=`${IFCONFIGBINARY} -a 2> /dev/null | ${GREPBINARY} "HWaddr" | ${AWKBINARY} '{ if ($4=="HWaddr") print $5 }' | ${SORTBINARY} -u`
FIND=$(${IFCONFIGBINARY} -a 2> /dev/null | ${GREPBINARY} "HWaddr" | ${AWKBINARY} '{ if ($4=="HWaddr") print $5 }' | ${SORTBINARY} -u)
else
if [ ! "${IPBINARY}" = "" ]; then
LogText "Test: Using ip binary to gather hardware addresses"
FIND=`${IPBINARY} link 2> /dev/null | ${GREPBINARY} "link/ether" | ${AWKBINARY} '{ print $2 }'`
FIND=$(${IPBINARY} link 2> /dev/null | ${GREPBINARY} "link/ether" | ${AWKBINARY} '{ print $2 }')
else
ReportException "${TEST_NO}:2" "Missing ifconfig or ip command to collect hardware address (MAC)"
fi
fi
;;
macOS)
FIND=`${IFCONFIGBINARY} -a 2> /dev/null | ${AWKBINARY} '{ if ($1=="lladdr" || $1=="ether") print $2 }' | ${SORTBINARY} -u`
FIND=$(${IFCONFIGBINARY} -a 2> /dev/null | ${AWKBINARY} '{ if ($1=="lladdr" || $1=="ether") print $2 }' | ${SORTBINARY} -u)
;;
NetBSD)
FIND=`${IFCONFIGBINARY} -a 2> /dev/null | ${AWKBINARY} '{ if ($1=="address:") print $2 }' | ${SORTBINARY} -u`
FIND=$(${IFCONFIGBINARY} -a 2> /dev/null | ${AWKBINARY} '{ if ($1=="address:") print $2 }' | ${SORTBINARY} -u)
;;
OpenBSD)
FIND=`${IFCONFIGBINARY} -A 2> /dev/null | ${AWKBINARY} '{ if ($1=="lladdr") print $2 }' | ${SORTBINARY} -u`
FIND=$(${IFCONFIGBINARY} -A 2> /dev/null | ${AWKBINARY} '{ if ($1=="lladdr") print $2 }' | ${SORTBINARY} -u)
;;
Solaris)
FIND=`${IFCONFIGBINARY} -a 2> /dev/null | ${AWKBINARY} '{ if ($1=="ether") print $2 }' | ${SORTBINARY} -u`
FIND=$(${IFCONFIGBINARY} -a 2> /dev/null | ${AWKBINARY} '{ if ($1=="ether") print $2 }' | ${SORTBINARY} -u)
;;
*)
# Having a system currently unsupported? Share your details to determine MAC information
@ -311,39 +311,39 @@
FIND=""; FIND2=""
case ${OS} in
AIX)
FIND=`${IFCONFIGBINARY} -a 2> /dev/null | ${AWKBINARY} '{ if ($1=="inet") print $2 }'`
FIND2=`${IFCONFIGBINARY} -a 2> /dev/null | ${AWKBINARY} '{ if ($1=="inet6") print $2 }'`
FIND=$(${IFCONFIGBINARY} -a 2> /dev/null | ${AWKBINARY} '{ if ($1=="inet") print $2 }')
FIND2=$(${IFCONFIGBINARY} -a 2> /dev/null | ${AWKBINARY} '{ if ($1=="inet6") print $2 }')
;;
DragonFly|FreeBSD|NetBSD)
FIND=`${IFCONFIGBINARY} -a 2> /dev/null | ${AWKBINARY} '{ if ($1=="inet") print $2 }'`
FIND2=`${IFCONFIGBINARY} -a 2> /dev/null | ${AWKBINARY} '{ if ($1=="inet6") print $2 }'`
FIND=$(${IFCONFIGBINARY} -a 2> /dev/null | ${AWKBINARY} '{ if ($1=="inet") print $2 }')
FIND2=$(${IFCONFIGBINARY} -a 2> /dev/null | ${AWKBINARY} '{ if ($1=="inet6") print $2 }')
;;
Linux)
if [ ! "${IFCONFIGBINARY}" = "" ]; then
FIND=`${IFCONFIGBINARY} -a 2> /dev/null | ${AWKBINARY} '{ if ($1=="inet") print $2 }' | ${CUTBINARY} -d ':' -f2`
FIND=$(${IFCONFIGBINARY} -a 2> /dev/null | ${AWKBINARY} '{ if ($1=="inet") print $2 }' | ${CUTBINARY} -d ':' -f2)
# Version which works for multiple types of ifconfig (e.g. Slackware)
FIND2=`${IFCONFIGBINARY} -a 2> /dev/null | ${AWKBINARY} '{ if ($1=="inet6" && $2=="addr:") { print $3 } else { if ($1=="inet6" && $3=="prefixlen") { print $2 } } }'`
FIND2=$(${IFCONFIGBINARY} -a 2> /dev/null | ${AWKBINARY} '{ if ($1=="inet6" && $2=="addr:") { print $3 } else { if ($1=="inet6" && $3=="prefixlen") { print $2 } } }')
else
if [ ! "${IPBINARY}" = "" ]; then
LogText "Test: Using ip binary to gather IP addresses"
FIND=`${IPBINARY} addr 2> /dev/null | ${AWKBINARY} '{ if ($1=="inet") { print $2 }}' | ${SEDBINARY} 's/\/.*//'`
FIND2=`${IPBINARY} addr 2> /dev/null | ${AWKBINARY} '{ if ($1=="inet6") { print $2 }}' | ${SEDBINARY} 's/\/.*//'`
FIND=$(${IPBINARY} addr 2> /dev/null | ${AWKBINARY} '{ if ($1=="inet") { print $2 }}' | ${SEDBINARY} 's/\/.*//')
FIND2=$(${IPBINARY} addr 2> /dev/null | ${AWKBINARY} '{ if ($1=="inet6") { print $2 }}' | ${SEDBINARY} 's/\/.*//')
else
ReportException "${TEST_NO}:2" "Missing ifconfig or ip command to collect hardware address (MAC)"
fi
fi
;;
macOS)
FIND=`${IFCONFIGBINARY} -a 2> /dev/null | ${AWKBINARY} '{ if ($1=="inet") print $2 }'`
FIND2=`${IFCONFIGBINARY} -a 2> /dev/null | ${AWKBINARY} '{ if ($1=="inet6") print $2 }'`
FIND=$(${IFCONFIGBINARY} -a 2> /dev/null | ${AWKBINARY} '{ if ($1=="inet") print $2 }')
FIND2=$(${IFCONFIGBINARY} -a 2> /dev/null | ${AWKBINARY} '{ if ($1=="inet6") print $2 }')
;;
OpenBSD)
FIND=`${IFCONFIGBINARY} -A 2> /dev/null | ${AWKBINARY} '{ if ($1=="inet") print $2 }'`
FIND2=`${IFCONFIGBINARY} -A 2> /dev/null | ${AWKBINARY} '{ if ($1=="inet6") print $2 }'`
FIND=$(${IFCONFIGBINARY} -A 2> /dev/null | ${AWKBINARY} '{ if ($1=="inet") print $2 }')
FIND2=$(${IFCONFIGBINARY} -A 2> /dev/null | ${AWKBINARY} '{ if ($1=="inet6") print $2 }')
;;
Solaris)
FIND=`${IFCONFIGBINARY} -a 2> /dev/null | ${AWKBINARY} '{ if ($1=="inet") print $2 }'`
FIND2=`${IFCONFIGBINARY} -a 2> /dev/null | ${AWKBINARY} '{ if ($1=="inet6") print $2 }'`
FIND=$(${IFCONFIGBINARY} -a 2> /dev/null | ${AWKBINARY} '{ if ($1=="inet") print $2 }')
FIND2=$(${IFCONFIGBINARY} -a 2> /dev/null | ${AWKBINARY} '{ if ($1=="inet6") print $2 }')
;;
*)
LogText "Result: no support yet for this OS (${OS}) to find IP address information. You can help improving this test by submitting your details."
@ -377,7 +377,7 @@
case ${OS} in
DragonFly|FreeBSD)
if [ ! "${SOCKSTATBINARY}" = "" ]; then
FIND=`${SOCKSTATBINARY} | ${AWKBINARY} '{ if ($7 ~ /\*:\*/) print $5"|"$6"|"$2"|" }' | ${SORTBINARY} -u`
FIND=$(${SOCKSTATBINARY} | ${AWKBINARY} '{ if ($7 ~ /\*:\*/) print $5"|"$6"|"$2"|" }' | ${SORTBINARY} -u)
# To strip off IP's: ${SEDBINARY} 's/|.*:/|/'
else
FIND=""
@ -387,15 +387,15 @@
Linux)
if [ ! "${NETSTATBINARY}" = "" ]; then
# UDP
FIND=`${NETSTATBINARY} -nlp 2> /dev/null | ${GREPBINARY} "^udp" | ${AWKBINARY} '{ print $4"|"$1"|"$6"|" }' | ${SEDBINARY} 's:|[0-9]*/:|:'`
FIND=$(${NETSTATBINARY} -nlp 2> /dev/null | ${GREPBINARY} "^udp" | ${AWKBINARY} '{ print $4"|"$1"|"$6"|" }' | ${SEDBINARY} 's:|[0-9]*/:|:')
# TCP
FIND2=`${NETSTATBINARY} -nlp 2> /dev/null | ${GREPBINARY} "^tcp" | ${AWKBINARY} '{ if($6=="LISTEN") { print $4"|"$1"|"$7"|" }}' | ${SEDBINARY} 's:|[0-9]*/:|:'`
FIND2=$(${NETSTATBINARY} -nlp 2> /dev/null | ${GREPBINARY} "^tcp" | ${AWKBINARY} '{ if($6=="LISTEN") { print $4"|"$1"|"$7"|" }}' | ${SEDBINARY} 's:|[0-9]*/:|:')
else
if [ ! "${SSBINARY}" = "" ]; then
# UDP
FIND=`${SSBINARY} -u -a -n 2> /dev/null | ${AWKBINARY} '{ print $4 }' | ${GREPBINARY} -v Local`
FIND=$(${SSBINARY} -u -a -n 2> /dev/null | ${AWKBINARY} '{ print $4 }' | ${GREPBINARY} -v Local)
# TCP
FIND2=`${SSBINARY} -t -a -n 2> /dev/null | ${AWKBINARY} '{ print $4 }' | ${GREPBINARY} -v Local`
FIND2=$(${SSBINARY} -t -a -n 2> /dev/null | ${AWKBINARY} '{ print $4 }' | ${GREPBINARY} -v Local)
else
ReportException "${TEST_NO}:1" "netstat and ss binary missing to gather listening ports"
fi
@ -405,7 +405,7 @@
macOS)
if [ ! "${LSOFBINARY}" = "" ]; then
# UDP and TCP combined
FIND=`${LSOFBINARY} -i -P | ${AWKBINARY} '{ print $9"|"$8"|"$1"|" }' | ${SEDBINARY} 's/\(.*\)\-\>.*\(\|.*\)/\1\2/' | ${SEDBINARY} 's/\*/'$IP'/' | ${SORTBINARY} -u | ${GREPBINARY} -v "NAME"`
FIND=$(${LSOFBINARY} -i -P | ${AWKBINARY} '{ print $9"|"$8"|"$1"|" }' | ${SEDBINARY} 's/\(.*\)\-\>.*\(\|.*\)/\1\2/' | ${SEDBINARY} 's/\*/'$IP'/' | ${SORTBINARY} -u | ${GREPBINARY} -v "NAME")
else
FIND=""
fi
@ -416,7 +416,7 @@
NetBSD)
if [ ! "${SOCKSTATBINARY}" = "" ]; then
FIND=`${SOCKSTATBINARY} 2> /dev/null | ${AWKBINARY} '{ if ($7 ~ /\*.\*/) print $5"|"$6"|"$2"|" }' | ${SORTBINARY} -u`
FIND=$(${SOCKSTATBINARY} 2> /dev/null | ${AWKBINARY} '{ if ($7 ~ /\*.\*/) print $5"|"$6"|"$2"|" }' | ${SORTBINARY} -u)
else
FIND=""
fi
@ -425,9 +425,9 @@
OpenBSD)
if [ ! "${NETSTATBINARY}" = "" ]; then
# UDP
FIND=`${NETSTATBINARY} -an 2> /dev/null | ${GREPBINARY} "^udp" | ${AWKBINARY} '{ print $4"|"$1"||" }'`
FIND=$(${NETSTATBINARY} -an 2> /dev/null | ${GREPBINARY} "^udp" | ${AWKBINARY} '{ print $4"|"$1"||" }')
# TCP
FIND2=`${NETSTATBINARY} -an 2> /dev/null | ${GREPBINARY} "^tcp" | ${AWKBINARY} '{ if($6=="LISTEN") { print $4"|"$1"||" }}'`
FIND2=$(${NETSTATBINARY} -an 2> /dev/null | ${GREPBINARY} "^tcp" | ${AWKBINARY} '{ if($6=="LISTEN") { print $4"|"$1"||" }}')
else
ReportException "${TEST_NO}:3" "netstat missing to gather listening ports"
fi
@ -472,14 +472,14 @@
Register --test-no NETW-3014 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking promiscuous interfaces (BSD)"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking promiscuous interfaces (FreeBSD)"
FIND=`${IFCONFIGBINARY} 2> /dev/null | ${GREPBINARY} PROMISC | ${CUTBINARY} -d ':' -f1`
FIND=$(${IFCONFIGBINARY} 2> /dev/null | ${GREPBINARY} PROMISC | ${CUTBINARY} -d ':' -f1)
if [ ! "${FIND}" = "" ]; then
LogText "Result: Promiscuous interfaces: ${FIND}"
for I in ${FIND}; do
WHITELISTED=0
for PROFILE in ${PROFILES}; do
Debug "Checking if interface ${I} is whitelisted in profile ${PROFILE}"
ISWHITELISTED=`${GREPBINARY} "^if_promisc:${I}:" ${PROFILE}`
ISWHITELISTED=$(${GREPBINARY} "^if_promisc:${I}:" ${PROFILE})
if [ ! "${ISWHITELISTED}" = "" ]; then
WHITELISTED=1
LogText "Result: this interface was whitelisted in profile (${PROFILE})"
@ -514,13 +514,13 @@
Register --test-no NETW-3015 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking promiscuous interfaces (Linux)"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking promiscuous interfaces (Linux)"
NETWORK=`${IFCONFIGBINARY} 2> /dev/null | ${GREPBINARY} Link | ${TRBINARY} -s ' ' | ${CUTBINARY} -d ' ' -f1`
NETWORK=$(${IFCONFIGBINARY} 2> /dev/null | ${GREPBINARY} Link | ${TRBINARY} -s ' ' | ${CUTBINARY} -d ' ' -f1)
if [ ! "${NETWORK}" = "" ]; then
for I in ${NETWORK}; do
FIND=`${IFCONFIGBINARY} ${I} 2> /dev/null | ${GREPBINARY} PROMISC`
FIND=$(${IFCONFIGBINARY} ${I} 2> /dev/null | ${GREPBINARY} PROMISC)
if [ ! "${FIND}" = "" ]; then
LogText "Result: Promiscuous interface: ${I}"
ISWHITELISTED=`${GREPBINARY} "^if_promisc:${I}:" ${PROFILE}`
ISWHITELISTED=$(${GREPBINARY} "^if_promisc:${I}:" ${PROFILE})
if [ "${ISWHITELISTED}" = "" ]; then
FOUNDPROMISC=1
ReportWarning ${TEST_NO} "Found promiscuous interface (${I})"

74
include/tests_ports_packages
View File

@ -87,7 +87,7 @@
#
# Test : PKGS-7303
# Description : Query brew package manager
FIND=`which brew 2> /dev/null`
FIND=$(which brew 2> /dev/null)
if [ ! "${FIND}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PKGS-7303 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Query brew package manager"
if [ ${SKIPTEST} -eq 0 ]; then
@ -97,7 +97,7 @@
LogText "Test: Querying brew to get package list"
Display --indent 4 --text "- Querying brew for installed packages"
LogText "Output:"; LogText "-----"
GPACKAGES=`brew list`
GPACKAGES=$(brew list)
for J in ${GPACKAGES}; do
LogText "Found package ${J}"
INSTALLED_PACKAGES="${INSTALLED_PACKAGES}|${J}"
@ -166,7 +166,7 @@
LogText "Test: Querying 'rpm -qa' to get package list"
Display --indent 6 --text "- Querying RPM package manager"
LogText "Output:"; LogText "--------"
SPACKAGES=`${RPMBINARY} -qa --queryformat "%{NAME},%{VERSION}-%{RELEASE}.%{ARCH}\n" 2> /dev/null | sort`
SPACKAGES=$(${RPMBINARY} -qa --queryformat "%{NAME},%{VERSION}-%{RELEASE}.%{ARCH}\n" 2> /dev/null | sort)
if [ "${SPACKAGES}" = "" ]; then
LogText "Result: RPM binary available, but package list seems to be empty"
LogText "Info: looks like the rpm binary is installed, but not used for package installation"
@ -199,15 +199,15 @@
LogText "Test: Querying 'pacman -Q' to get package list"
Display --indent 6 --text "- Querying pacman package manager"
LogText "Output:"; LogText "--------"
SPACKAGES=`${PACMANBINARY} -Q | ${SORTBINARY} | ${SEDBINARY} 's/ /,/g'`
SPACKAGES=$(${PACMANBINARY} -Q | ${SORTBINARY} | ${SEDBINARY} 's/ /,/g')
if [ "${SPACKAGES}" = "" ]; then
LogText "Result: pacman binary available, but package list seems to be empty"
LogText "Info: looks like the pacman binary is installed, but not used for package installation"
else
for J in ${SPACKAGES}; do
N=$((N + 1))
PACKAGE_NAME=`echo ${J} | ${AWKBINARY} -F, '{ print $1 }'`
PACKAGE_VERSION=`echo ${J} | ${AWKBINARY} -F, '{ print $2 }'`
PACKAGE_NAME=$(echo ${J} | ${AWKBINARY} -F, '{ print $1 }')
PACKAGE_VERSION=$(echo ${J} | ${AWKBINARY} -F, '{ print $2 }')
LogText "Found package: ${PACKAGE_NAME} (version: ${PACKAGE_VERSION})"
INSTALLED_PACKAGES="${INSTALLED_PACKAGES}|${J}"
done
@ -225,7 +225,7 @@
FOUND=0
FIND=$(which checkupdates 2> /dev/null)
if [ ! -z "${FIND}" ]; then
FIND=`checkupdates`
FIND=$(checkupdates)
for I in ${FIND}; do
LogText "Result: update available for ${I}"
Report "available_update[]=${I}"
@ -255,17 +255,17 @@
COUNT=0
# Check configuration options (options start with a capital)
LogText "Test: searching configured options in ${PACMANCONF}"
FIND=`${GREPBINARY} "^[A-Z]" ${PACMANCONF} | ${SORTBINARY} -u | ${SEDBINARY} 's/ /:space:/g'`
FIND=$(${GREPBINARY} "^[A-Z]" ${PACMANCONF} | ${SORTBINARY} -u | ${SEDBINARY} 's/ /:space:/g')
for I in ${FIND}; do
PMOPTION=`echo ${I} | ${SEDBINARY} 's/:space:/ /g' | ${AWKBINARY} -F= '{ print $1 }'`
PMVALUE=`echo ${I} | ${SEDBINARY} 's/:space:/ /g' | ${AWKBINARY} -F= '{ print $2 }'`
PMOPTION=$(echo ${I} | ${SEDBINARY} 's/:space:/ /g' | ${AWKBINARY} -F= '{ print $1 }')
PMVALUE=$(echo ${I} | ${SEDBINARY} 's/:space:/ /g' | ${AWKBINARY} -F= '{ print $2 }')
LogText "Result: found option ${PMOPTION} configured with value ${PMVALUE}"
Report "pacman_option[]=${PMOPTION}:${PMVALUE}:"
done
# Check software repositories
LogText "Test: checking available repositories"
FIND=`${GREPBINARY} "^\[.*\]$" ${PACMANCONF} | ${TRBINARY} -d '[]'`
FIND=$(${GREPBINARY} "^\[.*\]$" ${PACMANCONF} | ${TRBINARY} -d '[]')
for I in ${FIND}; do
COUNT=$((COUNT + 1))
Report "package_repository[]=${I}"
@ -325,7 +325,7 @@
N=0
PACKAGE_AUDIT_TOOL_FOUND=1
PACKAGE_AUDIT_TOOL="zypper"
FIND=`${ZYPPERBINARY} -n se -t package -i | ${AWKBINARY} '{ if ($1=="i") { print $3 } }'`
FIND=$(${ZYPPERBINARY} -n se -t package -i | ${AWKBINARY} '{ if ($1=="i") { print $3 } }')
if [ ! "${FIND}" = "" ]; then
for I in ${FIND}; do
N=$((N + 1))
@ -346,7 +346,7 @@
if [ ! "${ZYPPERBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PKGS-7330 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Querying Zypper for vulnerable packages"
if [ ${SKIPTEST} -eq 0 ]; then
FIND=`${ZYPPERBINARY} -n pchk | ${GREPBINARY} "(0 security patches)"`
FIND=$(${ZYPPERBINARY} -n pchk | ${GREPBINARY} "(0 security patches)")
if [ ! "${FIND}" = "" ]; then
LogText "Result: No security updates found with Zypper"
Display --indent 2 --text "- Using Zypper to find vulnerable packages" --result "${STATUS_NONE}" --color GREEN
@ -355,7 +355,7 @@
LogText "Result: Zypper found one or more installed packages which are vulnerable."
ReportWarning ${TEST_NO} "Found one or more vulnerable packages installed"
# Unfortunately zypper does not properly give back which package it is. Usually best guess is last word on the line
FIND=`${ZYPPERBINARY} -n lp | ${AWKBINARY} '{ if ($5=="security" || $7=="security") { print $NF }}' | ${SEDBINARY} 's/:$//' | ${GREPBINARY} -v "^$" | ${SORTBINARY} -u`
FIND=$(${ZYPPERBINARY} -n lp | ${AWKBINARY} '{ if ($5=="security" || $7=="security") { print $NF }}' | ${SEDBINARY} 's/:$//' | ${GREPBINARY} -v "^$" | ${SORTBINARY} -u)
LogText "List of vulnerable packages/version:"
for I in ${FIND}; do
VULNERABLE_PACKAGES_FOUND=1
@ -381,11 +381,11 @@
LogText "Test: Querying dpkg -l to get package list"
Display --indent 6 --text "- Querying package manager"
LogText "Output:"
SPACKAGES=`dpkg -l 2>/dev/null | ${GREPBINARY} "^ii" | ${TRBINARY} -s ' ' | ${TRBINARY} ' ' ',' | sort`
SPACKAGES=$(dpkg -l 2>/dev/null | ${GREPBINARY} "^ii" | ${TRBINARY} -s ' ' | ${TRBINARY} ' ' ',' | sort)
for J in ${SPACKAGES}; do
N=$((N + 1))
PACKAGE_NAME=`echo ${J} | ${CUTBINARY} -d ',' -f2`
PACKAGE_VERSION=`echo ${J} | ${CUTBINARY} -d ',' -f3`
PACKAGE_NAME=$(echo ${J} | ${CUTBINARY} -d ',' -f2)
PACKAGE_VERSION=$(echo ${J} | ${CUTBINARY} -d ',' -f3)
LogText "Found package: ${PACKAGE_NAME} (version: ${PACKAGE_VERSION})"
INSTALLED_PACKAGES="${INSTALLED_PACKAGES}|${PACKAGE_NAME},${PACKAGE_VERSION}"
done
@ -398,13 +398,13 @@
#
# Test : PKGS-7346
# Description : Check packages which are removed, but still own configuration files, cron jobs etc
# Notes : Cleanup: for pkg in `dpkg -l | ${GREPBINARY} "^rc" | ${CUTBINARY} -d' ' -f3`; do aptitude purge ${pkg}; done
# Notes : Cleanup: for pkg in $(dpkg -l | ${GREPBINARY} "^rc" | ${CUTBINARY} -d' ' -f3); do aptitude purge ${pkg}; done
if [ -x /usr/bin/dpkg ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PKGS-7346 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Search unpurged packages on system"
if [ ${SKIPTEST} -eq 0 ]; then
N=0
LogText "Test: Querying dpkg -l to get unpurged packages"
SPACKAGES=`dpkg -l 2>/dev/null | ${GREPBINARY} "^rc" | ${CUTBINARY} -d ' ' -f3 | sort`
SPACKAGES=$(dpkg -l 2>/dev/null | ${GREPBINARY} "^rc" | ${CUTBINARY} -d ' ' -f3 | sort)
if [ "${SPACKAGES}" = "" ]; then
Display --indent 4 --text "- Query unpurged packages" --result "${STATUS_NONE}" --color GREEN
LogText "Result: no packages found with left overs"
@ -432,7 +432,7 @@
Register --test-no PKGS-7348 --os FreeBSD --weight L --network NO --category security --description "Check for old distfiles"
if [ ${SKIPTEST} -eq 0 ]; then
if [ -x /usr/local/sbin/portsclean ]; then
FIND=`/usr/local/sbin/portsclean -n -DD | ${GREPBINARY} 'Delete' | wc -l | ${TRBINARY} -d ' '`
FIND=$(/usr/local/sbin/portsclean -n -DD | ${GREPBINARY} 'Delete' | wc -l | ${TRBINARY} -d ' ')
if [ ${FIND} -eq 0 ]; then
Display --indent 2 --text "- Checking presence old distfiles" --result "${STATUS_OK}" --color GREEN
LogText "Result: no unused distfiles found"
@ -459,11 +459,11 @@
PACKAGE_AUDIT_TOOL_FOUND=1
PACKAGE_AUDIT_TOOL="dnf"
SPACKAGES=`${DNFBINARY} -q list installed 2> /dev/null | ${AWKBINARY} '{ if ($1!="Installed" && $1!="Last") {print $1","$2 }}'`
SPACKAGES=$(${DNFBINARY} -q list installed 2> /dev/null | ${AWKBINARY} '{ if ($1!="Installed" && $1!="Last") {print $1","$2 }}')
for J in ${SPACKAGES}; do
N=$((N + 1))
PACKAGE_NAME=`echo ${J} | ${CUTBINARY} -d ',' -f1`
PACKAGE_VERSION=`echo ${J} | ${CUTBINARY} -d ',' -f2`
PACKAGE_NAME=$(echo ${J} | ${CUTBINARY} -d ',' -f1)
PACKAGE_VERSION=$(echo ${J} | ${CUTBINARY} -d ',' -f2)
LogText "Found package: ${PACKAGE_NAME} (version: ${PACKAGE_VERSION})"
INSTALLED_PACKAGES="${INSTALLED_PACKAGES}|${PACKAGE_NAME},${PACKAGE_VERSION}"
done
@ -477,7 +477,7 @@
if [ ${SKIPTEST} -eq 0 ]; then
# Check for security updates
LogText "Action: checking updateinfo for security updates"
FIND=`${DNFBINARY} -q updateinfo list sec 2> /dev/null | ${AWKBINARY} '{ if ($2=="security") { print $3 }}'`
FIND=$(${DNFBINARY} -q updateinfo list sec 2> /dev/null | ${AWKBINARY} '{ if ($2=="security") { print $3 }}')
if [ ! "${FIND}" = "" ]; then
VULNERABLE_PACKAGES_FOUND=1
LogText "Result: found vulnerable packages, upgrade of system needed."
@ -503,7 +503,7 @@
Register --test-no "PKGS-7354" --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking package database integrity"
if [ ${SKIPTEST} -eq 0 ]; then
# Check if repoquery plugin is available
FIND=`${DNFBINARY} 2>&1 | ${GREPBINARY} "^repoquery"`
FIND=$(${DNFBINARY} 2>&1 | ${GREPBINARY} "^repoquery")
if [ ! "${FIND}" = "" ]; then
LogText "Action: checking integrity of package database"
FIND=$(${DNFBINARY} -q repoquery --duplicated)
@ -511,7 +511,7 @@
LogText "Result: found unexpected result on repoquery --duplicated"
ReportSuggestion "${TEST_NO}" "Check output of: dnf repoquery --duplicated"
fi
FIND=`${DNFBINARY} -q repoquery --unsatisfied`
FIND=$(${DNFBINARY} -q repoquery --unsatisfied)
if [ ! "${FIND}" = "" ]; then
LogText "Result: found unexpected result on repoquery --unsatisfied"
ReportSuggestion "${TEST_NO}" "Check output of: dnf repoquery --unsatisfied"
@ -566,7 +566,7 @@
Display --indent 4 --text "- debsums utility" --result "${STATUS_FOUND}" --color GREEN
AddHP 1 1
# Check in /etc/cron.hourly, daily, weekly, monthly etc
COUNT=`find /etc/cron* -name debsums | wc -l`
COUNT=$(find /etc/cron* -name debsums | wc -l)
if [ ${COUNT} -gt 0 ]; then
LogText "Result: Cron job is configured for debsums utility."
Display --indent 6 --text "- Cron job for debsums" --result "${STATUS_FOUND}" --color GREEN
@ -593,7 +593,7 @@
if [ ${SKIPTEST} -eq 0 ]; then
N=0
LogText "Test: Querying portmaster for possible port upgrades"
UPACKAGES=`/usr/local/sbin/portmaster -L | ${GREPBINARY} "version available" | ${AWKBINARY} '{ print $5 }'`
UPACKAGES=$(/usr/local/sbin/portmaster -L | ${GREPBINARY} "version available" | ${AWKBINARY} '{ print $5 }')
for J in ${UPACKAGES}; do
N=$((N + 1))
LogText "Upgrade available (new version): ${J}"
@ -618,7 +618,7 @@
PACKAGE_AUDIT_TOOL_FOUND=1
PACKAGE_AUDIT_TOOL="pkg_admin audit"
if [ -f /var/db/pkg/pkgs-vulnerabilities ]; then
FIND=`/usr/sbin/pkg_admin audit`
FIND=$(/usr/sbin/pkg_admin audit)
if [ "${FIND}" = "" ]; then
LogText "Result: pkg_admin audit results are clean"
Display --indent 2 --text "- Checking pkg_admin audit to obtain vulnerable packages" --result "${STATUS_NONE}" --color GREEN
@ -628,7 +628,7 @@
LogText "Result: pkg_admin audit found one or more installed packages which are vulnerable."
ReportWarning ${TEST_NO} "Found one or more vulnerable packages."
LogText "List of vulnerable packages/version:"
for I in `/usr/sbin/pkg_admin audit | ${AWKBINARY} '{ print $2 }' | ${SORTBINARY} -u`; do
for I in $(/usr/sbin/pkg_admin audit | ${AWKBINARY} '{ print $2 }' | ${SORTBINARY} -u); do
VULNERABLE_PACKAGES_FOUND=1
Report "vulnerable_package[]=${I}"
LogText "Vulnerable package: ${I}"
@ -697,7 +697,7 @@
Register --test-no PKGS-7382 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for vulnerable FreeBSD packages with portaudit"
if [ ${SKIPTEST} -eq 0 ]; then
PACKAGE_AUDIT_TOOL_FOUND=1
FIND=`/usr/local/sbin/portaudit | ${GREPBINARY} 'problem(s) in your installed packages found' | ${GREPBINARY} -v '0 problem(s) in your installed packages found'`
FIND=$(/usr/local/sbin/portaudit | ${GREPBINARY} 'problem(s) in your installed packages found' | ${GREPBINARY} -v '0 problem(s) in your installed packages found')
if [ "${FIND}" = "" ]; then
LogText "Result: Portaudit results are clean"
Display --indent 2 --text "- Checking portaudit to obtain vulnerable packages" --result "${STATUS_NONE}" --color GREEN
@ -708,7 +708,7 @@
ReportWarning ${TEST_NO} "Found one or more vulnerable packages."
ReportSuggestion ${TEST_NO} "Update your system with portupgrade or other tools"
LogText "List of vulnerable packages/version:"
for I in `/usr/local/sbin/portaudit | ${GREPBINARY} "Affected package" | ${CUTBINARY} -d ' ' -f3 | ${SORTBINARY} -u`; do
for I in $(/usr/local/sbin/portaudit | ${GREPBINARY} "Affected package" | ${CUTBINARY} -d ' ' -f3 | ${SORTBINARY} -u); do
VULNERABLE_PACKAGES_FOUND=1
Report "vulnerable_package[]=${I}"
LogText "Vulnerable package: ${I}"
@ -749,7 +749,7 @@
LogText "Result: found YUM utils package (/usr/bin/package-cleanup)"
# Check for duplicates
LogText "Test: Checking for duplicate packages"
FIND=`/usr/bin/package-cleanup -q --dupes > /dev/null; echo $?`
FIND=$(/usr/bin/package-cleanup -q --dupes > /dev/null; echo $?)
if [ "${FIND}" = "0" ]; then
LogText "Result: No duplicate packages found"
Display --indent 2 --text "- Checking package database duplicates" --result "${STATUS_OK}" --color GREEN
@ -762,7 +762,7 @@
# Check for package database problems
LogText "Test: Checking for database problems"
FIND=`/usr/bin/package-cleanup --problems > /dev/null; echo $?`
FIND=$(/usr/bin/package-cleanup --problems > /dev/null; echo $?)
if [ "${FIND}" = "0" ]; then
LogText "Result: No package database problems found"
Display --indent 2 --text "- Checking package database for problems" --result "${STATUS_OK}" --color GREEN
@ -822,7 +822,7 @@
# Check if it's installed as package (this is old style)
if [ ${DO_TEST} -eq 0 ]; then
FIND=`rpm -q yum-security yum-plugin-security | ${GREPBINARY} -v "not installed"`
FIND=$(rpm -q yum-security yum-plugin-security | ${GREPBINARY} -v "not installed")
if [ ! "${FIND}" = "" ]; then
LogText "Result: found yum-plugin-security package"
DO_TEST=1
@ -834,7 +834,7 @@
PACKAGE_AUDIT_TOOL_FOUND=1
PACKAGE_AUDIT_TOOL="yum-security"
LogText "Test: Checking for vulnerable packages"
FIND2=`/usr/bin/yum list-sec security | ${AWKBINARY} '{ if($2=="security" || $2~"Sec") print $3","$5 }'`
FIND2=$(/usr/bin/yum list-sec security | ${AWKBINARY} '{ if($2=="security" || $2~"Sec") print $3","$5 }')
if [ "${FIND2}" = "" ]; then
LogText "Result: no vulnerable packages found"
Display --indent 2 --text "- Checking missing security packages" --result "${STATUS_OK}" --color GREEN
@ -936,7 +936,7 @@
Register --test-no PKGS-7390 --os Linux --preqs-met ${PREQS_MET} --root-only YES --weight L --network NO --category security --description "Check Ubuntu database consistency"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Package database consistency by running apt-get check"
FIND=`/usr/bin/apt-get -q=2 check 2> /dev/null; echo $?`
FIND=$(/usr/bin/apt-get -q=2 check 2> /dev/null; echo $?)
if [ "${FIND}" = "0" ]; then
Display --indent 2 --text "- Checking APT package database" --result "${STATUS_OK}" --color GREEN
LogText "Result: package database seems to be consistent."

16
include/tests_printers_spools
View File

@ -48,7 +48,7 @@
LogText "Result: /usr/sbin/chkprintcap NOT found, test skipped."
else
LogText "Result: /usr/sbin/chkprintcap found"
FIND=`/usr/sbin/chkprintcap > /dev/null ; echo $?`
FIND=$(/usr/sbin/chkprintcap > /dev/null ; echo $?)
# Only an exit code of zero should come back. Use string instead of integer, due unexpected trash
if [ "${FIND}" = "0" ]; then
Display --indent 2 --text "- Integrity check of printcap file" --result "${STATUS_OK}" --color GREEN
@ -69,7 +69,7 @@
Register --test-no PRNT-2304 --weight L --network NO --category security --description "Check cupsd status"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking cupsd status"
#FIND=`${PSBINARY} ax | ${GREPBINARY} "cupsd" | ${GREPBINARY} -v "grep" | ${GREPBINARY} -v apcupsd`
#FIND=$(${PSBINARY} ax | ${GREPBINARY} "cupsd" | ${GREPBINARY} -v "grep" | ${GREPBINARY} -v apcupsd)
IsRunning cupsd
if [ ${RUNNING} -eq 1 ]; then
Display --indent 2 --text "- Checking cups daemon" --result "${STATUS_RUNNING}" --color GREEN
@ -117,7 +117,7 @@
Register --test-no PRNT-2307 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check CUPSd configuration file permissions"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking CUPS configuration file permissions"
FIND=`ls -l ${CUPSD_CONFIG_FILE} | ${CUTBINARY} -c 2-10`
FIND=$(ls -l ${CUPSD_CONFIG_FILE} | ${CUTBINARY} -c 2-10)
LogText "Result: found ${FIND}"
if [ "${FIND}" = "r--------" -o "${FIND}" = "rw-------" -o "${FIND}" = "rw-r-----" -o "${FIND}" = "rw-rw----" ]; then
Display --indent 4 --text "- File permissions" --result "${STATUS_OK}" --color GREEN
@ -139,7 +139,7 @@
FOUND=0
# Checking network addresses
LogText "Test: Checking CUPS daemon listening network addresses"
FIND=`${GREPBINARY} "^Listen" ${CUPSD_CONFIG_FILE} | ${GREPBINARY} -v "/" | ${AWKBINARY} '{ print $2 }'`
FIND=$(${GREPBINARY} "^Listen" ${CUPSD_CONFIG_FILE} | ${GREPBINARY} -v "/" | ${AWKBINARY} '{ print $2 }')
N=0
for I in ${FIND}; do
LogText "Found network address: ${I}"
@ -168,7 +168,7 @@
# Checking sockets
LogText "Test: Checking cups daemon listening sockets"
FIND=`${GREPBINARY} "^Listen" ${CUPSD_CONFIG_FILE} | ${GREPBINARY} "/" | ${AWKBINARY} '{ print $2 }'`
FIND=$(${GREPBINARY} "^Listen" ${CUPSD_CONFIG_FILE} | ${GREPBINARY} "/" | ${AWKBINARY} '{ print $2 }')
for I in ${FIND}; do
LogText "Found socket address: ${I}"
N=$((N + 1))
@ -224,7 +224,7 @@
QDAEMON_CONFIG_FILE="/etc/qconfig"
FileIsReadable ${QDAEMON_CONFIG_FILE}
if [ ${CANREAD} -eq 1 ]; then
FIND=`${GREPBINARY} -v "^\*" ${QDAEMON_CONFIG_FILE} | ${EGREPBINARY} "backend|device"`
FIND=$(${GREPBINARY} -v "^\*" ${QDAEMON_CONFIG_FILE} | ${EGREPBINARY} "backend|device")
if [ ! "${FIND}" = "" ]; then
LogText "Result: printers are defined in ${QDAEMON_CONFIG_FILE}"
Display --indent 2 --text "- Checking /etc/qconfig file" --result "${STATUS_FOUND}" --color GREEN
@ -271,11 +271,11 @@
LogText "Test: Checking old print jobs"
DirectoryExists /var/spool/lpd/qdir
if [ ${DIRECTORY_FOUND} -eq 1 ]; then
FIND=`find /var/spool/lpd/qdir -type f -mtime +1 2> /dev/null | ${SEDBINARY} 's/ /!space!/g'`
FIND=$(find /var/spool/lpd/qdir -type f -mtime +1 2> /dev/null | ${SEDBINARY} 's/ /!space!/g')
if [ ! "${FIND}" = "" ]; then
N=0
for I in ${FIND}; do
FILE=`echo ${I} | ${SEDBINARY} 's/!space!/ /g'`
FILE=$(echo ${I} | ${SEDBINARY} 's/!space!/ /g')
LogText "Found old print job: ${FILE}"
N=$((N + 1))
done

32
include/tests_shells
View File

@ -51,7 +51,7 @@
Register --test-no SHLL-6202 --os FreeBSD --weight L --network NO --category security --description "Check console TTYs"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking console TTYs"
FIND=`${EGREPBINARY} '^console' /etc/ttys | ${GREPBINARY} -v 'insecure'`
FIND=$(${EGREPBINARY} '^console' /etc/ttys | ${GREPBINARY} -v 'insecure')
if [ "${FIND}" = "" ]; then
Display --indent 2 --text "- Checking console TTYs" --result "${STATUS_OK}" --color GREEN
LogText "Result: console is secured against single user mode without password."
@ -75,7 +75,7 @@
if [ -f /etc/shells ]; then
LogText "Result: Found /etc/shells file"
LogText "Test: Reading available shells from /etc/shells"
SSHELLS=`${GREPBINARY} "^/" /etc/shells`
SSHELLS=$(${GREPBINARY} "^/" /etc/shells)
CSSHELLS=0; CSSHELLS_ALL=0
Display --indent 2 --text "- Checking shells from /etc/shells"
for I in ${SSHELLS}; do
@ -117,9 +117,9 @@
if [ -f /etc/profile ]; then
# Determine if we can find a TMOUT value
FIND=`${GREPBINARY} 'TMOUT=' /etc/profile | ${TRBINARY} -d ' ' | ${TRBINARY} -d '\t' | ${GREPBINARY} -v "^#" | ${SEDBINARY} 's/export//' | ${SEDBINARY} 's/#.*//' | ${AWKBINARY} -F= '{ print $2 }'`
FIND=$(${GREPBINARY} 'TMOUT=' /etc/profile | ${TRBINARY} -d ' ' | ${TRBINARY} -d '\t' | ${GREPBINARY} -v "^#" | ${SEDBINARY} 's/export//' | ${SEDBINARY} 's/#.*//' | ${AWKBINARY} -F= '{ print $2 }')
# Determine if the value is exported (with export, readonly, or typeset)
FIND2=`${GREPBINARY} '\(export\|readonly\|typeset -r\)[ \t]*TMOUT' /etc/profile | ${GREPBINARY} -v "^#" | ${SEDBINARY} 's/#.*//' | ${AWKBINARY} '{ print $1 }'`
FIND2=$(${GREPBINARY} '\(export\|readonly\|typeset -r\)[ \t]*TMOUT' /etc/profile | ${GREPBINARY} -v "^#" | ${SEDBINARY} 's/#.*//' | ${AWKBINARY} '{ print $1 }')
if [ ! "${FIND}" = "" ]; then
N=0; IDLE_TIMEOUT=1
for I in ${FIND}; do
@ -160,12 +160,12 @@
fi
if [ -d /etc/profile.d ]; then
FIND=`ls /etc/profile.d/*.sh 2> /dev/null`
FIND=$(ls /etc/profile.d/*.sh 2> /dev/null)
if [ ! "${FIND}" = "" ]; then
# Determine if we can find a TMOUT value
FIND=`cat /etc/profile.d/*.sh 2> /dev/null | ${GREPBINARY} 'TMOUT=' | ${TRBINARY} -d ' ' | ${TRBINARY} -d '\t' | ${GREPBINARY} -v "^#" | ${SEDBINARY} 's/export//' | ${SEDBINARY} 's/#.*//' | ${AWKBINARY} -F= '{ print $2 }'`
FIND=$(cat /etc/profile.d/*.sh 2> /dev/null | ${GREPBINARY} 'TMOUT=' | ${TRBINARY} -d ' ' | ${TRBINARY} -d '\t' | ${GREPBINARY} -v "^#" | ${SEDBINARY} 's/export//' | ${SEDBINARY} 's/#.*//' | ${AWKBINARY} -F= '{ print $2 }')
# Determine if the value is exported (with export, readonly, or typeset)
FIND2=`cat /etc/profile.d/*.sh 2> /dev/null | ${GREPBINARY} '\(export\|readonly\|typeset -r\)[ \t]*TMOUT' | ${GREPBINARY} -v "^#" | ${SEDBINARY} 's/#.*//' | ${AWKBINARY} '{ print $1 }'`
FIND2=$(cat /etc/profile.d/*.sh 2> /dev/null | ${GREPBINARY} '\(export\|readonly\|typeset -r\)[ \t]*TMOUT' | ${GREPBINARY} -v "^#" | ${SEDBINARY} 's/#.*//' | ${AWKBINARY} '{ print $1 }')
if [ ! "${FIND}" = "" ]; then
N=0; IDLE_TIMEOUT=1
@ -231,7 +231,7 @@
if [ -f ${FILE} ]; then
LogText "Result: file ${FILE} exists"
FOUND=1
FIND=`${GREPBINARY} umask ${FILE} | ${SEDBINARY} 's/^[ \t]*//g' | ${SEDBINARY} 's/#.*$//' | ${GREPBINARY} -v "^$" | ${AWKBINARY} '{ print $2 }'`
FIND=$(${GREPBINARY} umask ${FILE} | ${SEDBINARY} 's/^[ \t]*//g' | ${SEDBINARY} 's/#.*$//' | ${GREPBINARY} -v "^$" | ${AWKBINARY} '{ print $2 }')
if [ "${FIND}" = "" ]; then
LogText "Result: did not find umask configured in ${FILE}"
Display --indent 4 --text "- Checking default umask in ${FILE}" --result "${STATUS_NONE}" --color YELLOW
@ -280,10 +280,10 @@
LogText "Test: Check if bash is in the list of shells."
if [ -f /etc/shells ]; then
LogText "Test: checking for bash shell in /etc/shells"
FIND=`${EGREPBINARY} '(/usr)?(/local)?/bin/bash' /etc/shells | ${GREPBINARY} -v "^#" | head -1`
FIND=$(${EGREPBINARY} '(/usr)?(/local)?/bin/bash' /etc/shells | ${GREPBINARY} -v "^#" | head -1)
else
LogText "Test: checking if bash is available via which command"
FIND=`which bash 2> /dev/null | head -1`
FIND=$(which bash 2> /dev/null | head -1)
fi
LogText "Result: command revealed ${FIND} as output"
@ -296,7 +296,7 @@
# CVE-2014-6271
LogText "Test: Check for first exploit (CVE-2014-6271)"
echo "env 'x=() { :;}; echo vulnerable' 'BASH_FUNC_x()=() { :;}; echo vulnerable' bash -c \"echo test\" 2>&1 | ${GREPBINARY} 'vulnerable'" > ${SHELLSHOCK_TMP}
VULNERABLE=`${FIND} ${SHELLSHOCK_TMP} 2> /dev/null`
VULNERABLE=$(${FIND} ${SHELLSHOCK_TMP} 2> /dev/null)
rm -f ${SHELLSHOCK_TMP}
if [ ! "${VULNERABLE}" = "" ]; then
LogText "Output: ${VULNERABLE}"
@ -313,7 +313,7 @@
# CVE-2014-6278
LogText "Test: Check for CVE-2014-6278"
echo "shellshocker='() { echo vulnerable; }' bash -c shellshocker 2>/dev/null | ${GREPBINARY} 'vulnerable'" > ${SHELLSHOCK_TMP}
VULNERABLE=`${FIND} ${SHELLSHOCK_TMP} 2> /dev/null`
VULNERABLE=$(${FIND} ${SHELLSHOCK_TMP} 2> /dev/null)
rm -f ${SHELLSHOCK_TMP}
if [ ! "${VULNERABLE}" = "" ]; then
LogText "Output: ${VULNERABLE}"
@ -328,7 +328,7 @@
# CVE-2014-7169
LogText "Test: Check for taviso bug CVE-2014-7169"
echo "(cd /tmp; rm -f /tmp/echo; env X='() { (a)=>\' bash -c "echo echo nonvuln" 2>/dev/null; [[ \"\$(cat echo 2> /dev/null)\" == \"nonvuln\" ]] && echo \"vulnerable\" 2> /dev/null) | ${GREPBINARY} ' vulnerable'" > ${SHELLSHOCK_TMP}
VULNERABLE=`${FIND} ${SHELLSHOCK_TMP} 2> /dev/null`
VULNERABLE=$(${FIND} ${SHELLSHOCK_TMP} 2> /dev/null)
rm -f ${SHELLSHOCK_TMP}
if [ ! "${VULNERABLE}" = "" ]; then
LogText "Output: ${VULNERABLE}"
@ -343,7 +343,7 @@
# CVE-2014-7186
LogText "Test: Check for CVE-2014-7186"
echo "(bash -c 'true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF' 2>/dev/null || echo \"vulnerable\") | ${GREPBINARY} 'vulnerable'" > ${SHELLSHOCK_TMP}
VULNERABLE=`${FIND} ${SHELLSHOCK_TMP} 2> /dev/null`
VULNERABLE=$(${FIND} ${SHELLSHOCK_TMP} 2> /dev/null)
rm -f ${SHELLSHOCK_TMP}
if [ ! "${VULNERABLE}" = "" ]; then
LogText "Output: ${VULNERABLE}"
@ -358,7 +358,7 @@
# CVE-2014-7187
LogText "Test: Check for CVE-2014-7187"
echo "((for x in {1..200}; do echo \"for x$x in ; do :\"; done; for x in {1..200}; do echo done; done) | bash || echo \"vulnerable\") | ${GREPBINARY} 'vulnerable'" > ${SHELLSHOCK_TMP}
VULNERABLE=`${FIND} ${SHELLSHOCK_TMP} 2> /dev/null`
VULNERABLE=$(${FIND} ${SHELLSHOCK_TMP} 2> /dev/null)
rm -f ${SHELLSHOCK_TMP}
if [ ! "${VULNERABLE}" = "" ]; then
LogText "Output: ${VULNERABLE}"
@ -373,7 +373,7 @@
# CVE-2014-////
LogText "Test: Check for bug Exploit #3 - shellshocker.net (no CVE)"
echo "env X=' () { }; echo hello' bash -c 'date'| ${GREPBINARY} 'hello'" > ${SHELLSHOCK_TMP}
VULNERABLE=`${FIND} ${SHELLSHOCK_TMP} 2> /dev/null`
VULNERABLE=$(${FIND} ${SHELLSHOCK_TMP} 2> /dev/null)
rm -f ${SHELLSHOCK_TMP}
if [ ! "${VULNERABLE}" = "" ]; then
LogText "Output: ${VULNERABLE}"

4
include/tests_solaris
View File

@ -32,7 +32,7 @@
# if [ ${SKIPTEST} -eq 0 ]; then
# LogText "Test: Searching for a SSH daemon"
# # Check running processes
# FIND=`${PSBINARY} ax | ${GREPBINARY} "sshd" | ${GREPBINARY} -v "grep"`
# FIND=$(${PSBINARY} ax | ${GREPBINARY} "sshd" | ${GREPBINARY} -v "grep")
# if [ ! "${FIND}" = "" ]; then
# SSH_DAEMON_RUNNING=1
# LogText "Result: Stop-A is disabled"
@ -51,7 +51,7 @@
# if [ ${SKIPTEST} -eq 0 ]; then
# LogText "Test: Searching for a SSH daemon"
# # Check running processes
# FIND=`${PSBINARY} ax | ${GREPBINARY} "sshd" | ${GREPBINARY} -v "grep"`
# FIND=$(${PSBINARY} ax | ${GREPBINARY} "sshd" | ${GREPBINARY} -v "grep")
# if [ ! "${FIND}" = "" ]; then
# SSH_DAEMON_RUNNING=1
# LogText "Result: Stop-A is disabled"

32
include/tests_squid
View File

@ -42,7 +42,7 @@
LogText "Test: Searching for a Squid daemon"
FOUND=0
# Check running processes
FIND=`${PSBINARY} ax | ${EGREPBINARY} "(squid|squid3) " | ${GREPBINARY} -v "grep"`
FIND=$(${PSBINARY} ax | ${EGREPBINARY} "(squid|squid3) " | ${GREPBINARY} -v "grep")
if [ ! "${FIND}" = "" ]; then
SQUID_DAEMON_RUNNING=1
LogText "Result: Squid daemon is running"
@ -92,9 +92,9 @@
if [ ! "${SQUIDBINARY}" = "" ]; then
LogText "Result: Squid binary found (${SQUIDBINARY})"
# Skip check if a setuid/setgid bit is found
FIND=`find ${SQUIDBINARY} \( -perm 4000 -o -perm 2000 \) -print`
FIND=$(find ${SQUIDBINARY} \( -perm 4000 -o -perm 2000 \) -print)
if [ "${FIND}" = "" ]; then
FIND2=`${SQUIDBINARY} -v | ${AWKBINARY} '{ if ($3=="Version") { print $4 } }'`
FIND2=$(${SQUIDBINARY} -v | ${AWKBINARY} '{ if ($3=="Version") { print $4 } }')
Display --indent 4 --text "- Checking Squid version" --result "${STATUS_FOUND}" --color GREEN
SQUID_VERSION="${FIND2}"
else
@ -114,9 +114,9 @@
Register --test-no SQD-3610 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check Squid version"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking all specific defined options in ${SQUID_DAEMON_CONFIG}"
FIND=`${GREPBINARY} -v "^#" ${SQUID_DAEMON_CONFIG} | ${GREPBINARY} -v "^$" | ${AWKBINARY} '{gsub("\t"," ");print}' | ${SEDBINARY} 's/ /!space!/g'`
FIND=$(${GREPBINARY} -v "^#" ${SQUID_DAEMON_CONFIG} | ${GREPBINARY} -v "^$" | ${AWKBINARY} '{gsub("\t"," ");print}' | ${SEDBINARY} 's/ /!space!/g')
for I in ${FIND}; do
I=`echo ${I} | ${SEDBINARY} 's/!space!/ /g'`
I=$(echo ${I} | ${SEDBINARY} 's/!space!/ /g')
LogText "Found Squid option: ${I}"
Report "squid_option=${I}"
done
@ -131,7 +131,7 @@
Register --test-no SQD-3613 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check Squid file permissions"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking file permissions of ${SQUID_DAEMON_CONFIG}"
FIND=`find ${SQUID_DAEMON_CONFIG} -type f -a \( -perm -004 -o -perm -002 -o -perm -001 \)`
FIND=$(find ${SQUID_DAEMON_CONFIG} -type f -a \( -perm -004 -o -perm -002 -o -perm -001 \))
if [ ! "${FIND}" = "" ]; then
LogText "Result: file ${SQUID_DAEMON_CONFIG} is world readable, writable or executable and could leak information or passwords"
Display --indent 4 --text "- Checking Squid configuration file permissions" --result "${STATUS_WARNING}" --color RED
@ -159,7 +159,7 @@
Register --test-no SQD-3614 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check Squid authentication methods"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: check auth_param option for authentication methods"
FIND=`${GREPBINARY} "^auth_param" ${SQUID_DAEMON_CONFIG} | ${AWKBINARY} '{ print $2 }'`
FIND=$(${GREPBINARY} "^auth_param" ${SQUID_DAEMON_CONFIG} | ${AWKBINARY} '{ print $2 }')
if [ "${FIND}" = "" ]; then
LogText "No auth_param option found, proxy access anonymous or based on other methods (like ACLs)"
Display --indent 6 --text "- Checking Squid authentication methods" --result "${STATUS_NONE}" --color YELLOW
@ -180,7 +180,7 @@
Register --test-no SQD-3616 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check external Squid authentication"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: check external_acl_type option for external authentication helpers"
FIND=`${GREPBINARY} "^external_acl_type" ${SQUID_DAEMON_CONFIG}`
FIND=$(${GREPBINARY} "^external_acl_type" ${SQUID_DAEMON_CONFIG})
if [ "${FIND}" = "" ]; then
LogText "No external_acl_type found"
Display --indent 6 --text "- Checking Squid external authentication methods" --result "${STATUS_NONE}" --color YELLOW
@ -203,14 +203,14 @@
if [ ${SKIPTEST} -eq 0 ]; then
N=0
LogText "Test: checking ACLs"
FIND=`${GREPBINARY} "^acl " ${SQUID_DAEMON_CONFIG} | ${SEDBINARY} 's/ /!space!/g'`
FIND=$(${GREPBINARY} "^acl " ${SQUID_DAEMON_CONFIG} | ${SEDBINARY} 's/ /!space!/g')
if [ "${FIND}" = "" ]; then
LogText "Result: No ACLs found"
Display --indent 6 --text "- Checking Access Control Lists" --result "${STATUS_NONE}" --color RED
else
for I in ${FIND}; do
N=$((N + 1))
I=`echo ${I} | ${SEDBINARY} 's/!space!/ /g'`
I=$(echo ${I} | ${SEDBINARY} 's/!space!/ /g')
LogText "Found ACL: ${I}"
#Report "squid_acl=${I}"
done
@ -228,14 +228,14 @@
if [ ${SKIPTEST} -eq 0 ]; then
N=0
LogText "Test: checking ACL Safe_ports http_access option"
FIND=`${GREPBINARY} "^http_access" ${SQUID_DAEMON_CONFIG} | ${GREPBINARY} "Safe_ports"`
FIND=$(${GREPBINARY} "^http_access" ${SQUID_DAEMON_CONFIG} | ${GREPBINARY} "Safe_ports")
if [ "${FIND}" = "" ]; then
LogText "Result: no Safe_ports found"
Display --indent 6 --text "- Checking ACL 'Safe_ports' http_access option" --result "${STATUS_NOT_FOUND}" --color YELLOW
ReportSuggestion ${TEST_NO} "Check if Squid has been configured to restrict access to all safe ports"
else
LogText "Result: checking ACL safe ports"
FIND2=`${GREPBINARY} "^acl Safe_ports port" ${SQUID_DAEMON_CONFIG} | ${AWKBINARY} '{ print $4 }'`
FIND2=$(${GREPBINARY} "^acl Safe_ports port" ${SQUID_DAEMON_CONFIG} | ${AWKBINARY} '{ print $4 }')
if [ "${FIND2}" = "" ]; then
Display --indent 6 --text "- Checking ACL 'Safe_ports' ports" --result "NONE FOUND" --color YELLOW
ReportSuggestion ${TEST_NO} "Check if Squid has been configured for which ports it can allow outgoing traffic (Safe_ports)"
@ -251,7 +251,7 @@
#SQUID_DAEMON_UNSAFE_PORTS_LIST
for I in ${SQUID_DAEMON_UNSAFE_PORTS_LIST}; do
LogText "Test: Checking port ${I} in Safe_ports list"
FIND2=`${GREPBINARY} -w "^acl Safe_ports port ${I}" ${SQUID_DAEMON_CONFIG}`
FIND2=$(${GREPBINARY} -w "^acl Safe_ports port ${I}" ${SQUID_DAEMON_CONFIG})
if [ "${FIND2}" = "" ]; then
Display --indent 6 --text "- Checking ACL 'Safe_ports' (port ${I})" --result "${STATUS_NOT_FOUND}" --color GREEN
AddHP 1 1
@ -279,7 +279,7 @@
if [ ${SKIPTEST} -eq 0 ]; then
N=0
LogText "Test: checking option reply_body_max_size"
FIND=`${GREPBINARY} "^reply_body_max_size " ${SQUID_DAEMON_CONFIG} | ${SEDBINARY} 's/ /!space!/g'`
FIND=$(${GREPBINARY} "^reply_body_max_size " ${SQUID_DAEMON_CONFIG} | ${SEDBINARY} 's/ /!space!/g')
if [ "${FIND}" = "" ]; then
LogText "Result: option reply_body_max_size not configured"
Display --indent 6 --text "- Checking option: reply_body_max_size" --result "${STATUS_NONE}" --color RED
@ -306,10 +306,10 @@
if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! "${SQUID_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no SQD-3680 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check Squid version suppresion"
if [ ${SKIPTEST} -eq 0 ]; then
FIND=`${GREPBINARY} "^httpd_suppress_version_string " ${SQUID_DAEMON_CONFIG} | ${GREPBINARY} " on"`
FIND=$(${GREPBINARY} "^httpd_suppress_version_string " ${SQUID_DAEMON_CONFIG} | ${GREPBINARY} " on")
if [ "${FIND}" = "" ]; then
LogText "Result: option httpd_suppress_version_string not configured"
Display --indent 6 --text "- Checking option: httpd_supress_version_string" --result "${STATUS_NOT_FOUND}" --color YELLOW
Display --indent 6 --text "- Checking option: httpd_suppress_version_string" --result "${STATUS_NOT_FOUND}" --color YELLOW
AddHP 1 2
ReportSuggestion ${TEST_NO} "Configure Squid option httpd_suppress_version_string (on) to suppress the version."
else

18
include/tests_ssh
View File

@ -136,18 +136,18 @@
# Go through our list of options
for I in ${SSHOPS}; do
OPTIONNAME=`echo ${I} | ${CUTBINARY} -d ':' -f1`
OPTIONNAME_LOWER=`echo ${I} | ${CUTBINARY} -d ':' -f1 | ${AWKBINARY} '{ print tolower($1) }'`
EXPECTEDVALUE=`echo ${I} | ${CUTBINARY} -d ':' -f2 | ${CUTBINARY} -d',' -f1`
MEDIUMSCOREDVALUE=`echo ${I} | ${CUTBINARY} -d ':' -f2 | ${CUTBINARY} -d',' -f2`
WEAKVALUE=`echo ${I} | ${CUTBINARY} -d ':' -f2 | ${CUTBINARY} -d',' -f3`
TESTTYPE=`echo ${I} | ${CUTBINARY} -d ':' -f3`
OPTIONNAME=$(echo ${I} | ${CUTBINARY} -d ':' -f1)
OPTIONNAME_LOWER=$(echo ${I} | ${CUTBINARY} -d ':' -f1 | ${AWKBINARY} '{ print tolower($1) }')
EXPECTEDVALUE=$(echo ${I} | ${CUTBINARY} -d ':' -f2 | ${CUTBINARY} -d',' -f1)
MEDIUMSCOREDVALUE=$(echo ${I} | ${CUTBINARY} -d ':' -f2 | ${CUTBINARY} -d',' -f2)
WEAKVALUE=$(echo ${I} | ${CUTBINARY} -d ':' -f2 | ${CUTBINARY} -d',' -f3)
TESTTYPE=$(echo ${I} | ${CUTBINARY} -d ':' -f3)
RESULT="NONE"
if ! SkipAtomicTest "${TEST_NO}:${OPTIONNAME_LOWER}"; then
# Get value and use the last occurrence
FOUNDVALUE=`${AWKBINARY} -v OPT="${OPTIONNAME_LOWER}" 'index($0, OPT) == 1 { print toupper($2) }' ${SSH_DAEMON_OPTIONS_FILE} | tail -1`
FOUNDVALUE=$(${AWKBINARY} -v OPT="${OPTIONNAME_LOWER}" 'index($0, OPT) == 1 { print toupper($2) }' ${SSH_DAEMON_OPTIONS_FILE} | tail -1)
LogText "Test: Checking ${OPTIONNAME} in ${SSH_DAEMON_OPTIONS_FILE}"
if [ ! "${FOUNDVALUE}" = "" ]; then
@ -262,7 +262,7 @@
if [ ${SKIPTEST} -eq 0 ]; then
FOUND=0
# AllowUsers
FIND=`${EGREPBINARY} -i "^AllowUsers" ${SSH_DAEMON_OPTIONS_FILE} | ${AWKBINARY} '{ print $2 }'`
FIND=$(${EGREPBINARY} -i "^AllowUsers" ${SSH_DAEMON_OPTIONS_FILE} | ${AWKBINARY} '{ print $2 }')
if [ ! "${FIND}" = "" ]; then
LogText "Result: AllowUsers set, with value ${FIND}"
Display --indent 4 --text "- SSH option: AllowUsers" --result "${STATUS_FOUND}" --color GREEN
@ -273,7 +273,7 @@
fi
# AllowGroups
FIND=`${EGREPBINARY} -i "^AllowGroups" ${SSH_DAEMON_OPTIONS_FILE} | ${AWKBINARY} '{ print $2 }'`
FIND=$(${EGREPBINARY} -i "^AllowGroups" ${SSH_DAEMON_OPTIONS_FILE} | ${AWKBINARY} '{ print $2 }')
if [ ! "${FIND}" = "" ]; then
LogText "Result: AllowUsers set ${FIND}"
Display --indent 4 --text "- SSH option: AllowGroups" --result "${STATUS_FOUND}" --color GREEN

22
include/tests_storage
View File

@ -35,10 +35,10 @@
FOUND=0
LogText "Test: Checking USB storage driver in directory /etc/modprobe.d and configuration file /etc/modprobe.conf"
if [ -d /etc/modprobe.d ]; then
FIND=`ls /etc/modprobe.d/* 2> /dev/null`
FIND=$(ls /etc/modprobe.d/* 2> /dev/null)
if [ ! "${FIND}" = "" ]; then
FIND=`${EGREPBINARY} -r "install usb[-_]storage /bin/(false|true)" /etc/modprobe.d/* | ${GREPBINARY} -v "#"`
FIND2=`${EGREPBINARY} -r "^blacklist usb[-_]storage" /etc/modprobe.d/*`
FIND=$(${EGREPBINARY} -r "install usb[-_]storage /bin/(false|true)" /etc/modprobe.d/* | ${GREPBINARY} -v "#")
FIND2=$(${EGREPBINARY} -r "^blacklist usb[-_]storage" /etc/modprobe.d/*)
if [ ! "${FIND}" = "" -o ! "${FIND2}" = "" ]; then
FOUND=1
LogText "Result: found usb-storage driver in disabled state (blacklisted)"
@ -48,7 +48,7 @@
fi
fi
if [ -f /etc/modprobe.conf ]; then
FIND=`${EGREPBINARY} "install usb[-_]storage /bin/(false|true)" /etc/modprobe.conf | ${GREPBINARY} "usb-storage" | ${GREPBINARY} -v "#"`
FIND=$(${EGREPBINARY} "install usb[-_]storage /bin/(false|true)" /etc/modprobe.conf | ${GREPBINARY} "usb-storage" | ${GREPBINARY} -v "#")
if [ ! "${FIND}" = "" ]; then
FOUND=1
LogText "Result: found usb-storage driver in disabled state"
@ -77,11 +77,11 @@
USBDEVICESPATH="/sys/bus/usb/devices/usb"
for device in "${USBDEVICESPATH}"*; do
if [ -e "${device}/authorized" ] || [ -e "${device}/authorized_default" ]; then
if [ `cat "${device}/authorized_default"` -eq 1 ]; then
if [ $(cat "${device}/authorized_default") -eq 1 ]; then
FOUND=1
LogText "Test: ${device} is authorized by default"
Report "usb_authorized_default_device[]=${device}"
elif [ `cat "${device}/authorized"` -eq 1 ]; then
elif [ $(cat "${device}/authorized") -eq 1 ]; then
FOUND=1
LogText "Test: ${device} is authorized currently"
Report "usb_authorized_device[]=${device}"
@ -112,10 +112,10 @@
FOUND=0
LogText "Test: Checking firewire storage driver in directory /etc/modprobe.d and configuration file /etc/modprobe.conf"
if [ -d /etc/modprobe.d ]; then
FIND=`ls /etc/modprobe.d/* 2> /dev/null`
FIND=$(ls /etc/modprobe.d/* 2> /dev/null)
if [ ! "${FIND}" = "" ]; then
FIND1=`${EGREPBINARY} "blacklist (ohci1394|firewire[-_]ohci|firewire-core)" /etc/modprobe.d/* | ${GREPBINARY} -v "#"`
FIND2=`${EGREPBINARY} "install (ohci1394|firewire[-_]ohci|firewire-core) /bin/(false|true)" /etc/modprobe.d/* | ${GREPBINARY} -v "#"`
FIND1=$(${EGREPBINARY} "blacklist (ohci1394|firewire[-_]ohci|firewire-core)" /etc/modprobe.d/* | ${GREPBINARY} -v "#")
FIND2=$(${EGREPBINARY} "install (ohci1394|firewire[-_]ohci|firewire-core) /bin/(false|true)" /etc/modprobe.d/* | ${GREPBINARY} -v "#")
if [ ! "${FIND1}" = "" -o ! "${FIND2}" = "" ]; then
FOUND=1
LogText "Result: found firewire ohci driver in disabled state"
@ -125,8 +125,8 @@
fi
fi
if [ -f /etc/modprobe.conf ]; then
FIND1=`${EGREPBINARY} -r "blacklist (ohci1394|firewire[-_]ohci|firewire-core)" /etc/modprobe.conf | ${GREPBINARY} -v "#"`
FIND2=`${EGREPBINARY} -r "install (ohci1394|firewire[-_]ohci|firewire-core) /bin/(false|true)" /etc/modprobe.conf | ${GREPBINARY} -v "#"`
FIND1=$(${EGREPBINARY} -r "blacklist (ohci1394|firewire[-_]ohci|firewire-core)" /etc/modprobe.conf | ${GREPBINARY} -v "#")
FIND2=$(${EGREPBINARY} -r "install (ohci1394|firewire[-_]ohci|firewire-core) /bin/(false|true)" /etc/modprobe.conf | ${GREPBINARY} -v "#")
if [ ! "${FIND1}" = "" -o ! "${FIND2}" = "" ]; then
FOUND=1
LogText "Result: found firewire ohci driver in disabled state"

16
include/tests_storage_nfs
View File

@ -37,7 +37,7 @@
Register --test-no STRG-1902 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check rpcinfo registered programs"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking rpcinfo registered programs"
FIND=`${RPCINFOBINARY} -p 2> /dev/null | ${TRBINARY} -s ' ' ','`
FIND=$(${RPCINFOBINARY} -p 2> /dev/null | ${TRBINARY} -s ' ' ',')
for I in ${FIND}; do
LogText "rpcinfo: ${I}"
done
@ -52,7 +52,7 @@
Register --test-no STRG-1904 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check nfs rpc"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking NFS registered versions"
FIND=`${RPCINFOBINARY} -p 2> /dev/null | ${AWKBINARY} '{ if ($5=="nfs") { print $2 } }' | uniq | sort`
FIND=$(${RPCINFOBINARY} -p 2> /dev/null | ${AWKBINARY} '{ if ($5=="nfs") { print $2 } }' | uniq | sort)
for I in ${FIND}; do
LogText "Found version: ${I}"
done
@ -67,7 +67,7 @@
Register --test-no STRG-1906 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check nfs rpc"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking NFS registered protocols"
FIND=`${RPCINFOBINARY} -p 2> /dev/null | ${AWKBINARY} '{ if ($5=="nfs") { print $3 } }' | uniq | sort`
FIND=$(${RPCINFOBINARY} -p 2> /dev/null | ${AWKBINARY} '{ if ($5=="nfs") { print $3 } }' | uniq | sort)
for I in ${FIND}; do
LogText "Found protocol: ${I}"
done
@ -77,7 +77,7 @@
# Check port number
LogText "Test: Checking NFS registered ports"
FIND=`${RPCINFOBINARY} -p 2> /dev/null | ${AWKBINARY} '{ if ($5=="nfs") { print $3 } }' | uniq | sort`
FIND=$(${RPCINFOBINARY} -p 2> /dev/null | ${AWKBINARY} '{ if ($5=="nfs") { print $3 } }' | uniq | sort)
for I in ${FIND}; do
LogText "Found port: ${I}"
done
@ -94,7 +94,7 @@
Register --test-no STRG-1920 --weight L --network NO --category security --description "Checking NFS daemon"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking running NFS daemon"
FIND=`${PSBINARY} ax | ${GREPBINARY} "nfsd" | ${GREPBINARY} -v "grep"`
FIND=$(${PSBINARY} ax | ${GREPBINARY} "nfsd" | ${GREPBINARY} -v "grep")
if [ "${FIND}" = "" ]; then
LogText "Output: NFS daemon is not running"
Display --indent 2 --text "- Check running NFS daemon" --result "${STATUS_NOT_FOUND}" --color WHITE
@ -122,10 +122,10 @@
LogText "Test: check /etc/exports"
if [ -f /etc/exports ]; then
LogText "Result: /etc/exports exists"
FIND=`${GREPBINARY} -v "^$" /etc/exports | ${GREPBINARY} -v "^#" | ${SEDBINARY} 's/ /!space!/g'`
FIND=$(${GREPBINARY} -v "^$" /etc/exports | ${GREPBINARY} -v "^#" | ${SEDBINARY} 's/ /!space!/g')
if [ ! "${FIND}" = "" ]; then
for I in ${FIND}; do
I=`echo ${I} | ${SEDBINARY} 's/!space!/ /g'`
I=$(echo ${I} | ${SEDBINARY} 's/!space!/ /g')
LogText "Found line: ${I}"
done
else
@ -161,7 +161,7 @@
Register --test-no STRG-1930 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check client access to nfs share"
if [ ${SKIPTEST} -eq 0 ]; then
#LogText "Test: "
sFIND=`${SHOWMOUNTBINARY} -e | ${AWKBINARY} '{ print $2 }' | ${SEDBINARY} '1d'| ${GREPBINARY} "\*"`
sFIND=$(${SHOWMOUNTBINARY} -e | ${AWKBINARY} '{ print $2 }' | ${SEDBINARY} '1d'| ${GREPBINARY} "\*")
if [ "${sFIND}" != "" ]; then
LogText "Result: all client are allowed to access a NFS share in /etc/exports"
Display --indent 4 --text "- Checking NFS client access" --result "ALL CLIENTS" --color YELLOW

12
include/tests_time
View File

@ -46,7 +46,7 @@
# TODO: Skip NTP tests if we are in a DomU xen instance
FIND=$(cat /sys/hypervisor/type)
if [ "${FIND}" = "xen" ]; then PREQS_MET="NO"; else PREQS_MET="YES"; fi
elif [ -f /sbin/sysctl ] && [ "`/sbin/sysctl -n security.jail.jailed 2>/dev/null || echo 0`" -eq 1 ]; then
elif [ -f /sbin/sysctl ] && [ "$(/sbin/sysctl -n security.jail.jailed 2>/dev/null || echo 0)" -eq 1 ]; then
# Skip NTP tests if we're in a FreeBSD jail
PREQS_MET="NO"
else
@ -271,7 +271,7 @@
else
Display --indent 2 --text "- Checking high stratum ntp peers" --result "${STATUS_WARNING}" --color RED
LogText "Result: Found one or more high stratum (16) peers)"
ReportSuggestion ${TEST_NO} "Check ntpq peers output for startum 16 peers"
ReportSuggestion ${TEST_NO} "Check ntpq peers output for stratum 16 peers"
fi
fi
fi
@ -281,12 +281,12 @@
# Test : TIME-3120
# Description : Check unreliable peers from peer list
# Notes : Items with # are too far away (network distance)
# Items with - are not chosing due clustering algoritm
# Items with - are not chosen due clustering algorithm
if [ ${NTPD_RUNNING} -eq 1 -a ! "${NTPQBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no TIME-3120 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check unreliable NTP peers"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking unreliable ntp peers"
FIND=`${NTPQBINARY} -p -n | ${EGREPBINARY} "^(-|#)" | ${AWKBINARY} '{ print $1 }' | ${SEDBINARY} 's/^-//g'`
FIND=$(${NTPQBINARY} -p -n | ${EGREPBINARY} "^(-|#)" | ${AWKBINARY} '{ print $1 }' | ${SEDBINARY} 's/^-//g')
if [ "${FIND}" = "" ]; then
Display --indent 2 --text "- Checking unreliable ntp peers" --result "${STATUS_NONE}" --color GREEN
LogText "Result: No unreliable peers found"
@ -313,7 +313,7 @@
FIND2=$(${NTPQBINARY} -p -n | ${GREPBINARY} '^*' | ${AWKBINARY} '{ print $1 }')
if [ -z "${FIND}" -a ! -z "${FIND2}" ]; then
Display --indent 2 --text "- Checking selected time source" --result "${STATUS_OK}" --color GREEN
FIND2=`echo ${FIND2} | ${SEDBINARY} 's/*//g'`
FIND2=$(echo ${FIND2} | ${SEDBINARY} 's/*//g')
LogText "Result: Found selected time source (value: ${FIND2})"
else
Display --indent 2 --text "- Checking selected time source" --result "${STATUS_WARNING}" --color RED
@ -431,7 +431,7 @@
Display --indent 2 --text "- Checking NTP step-tickers file" --result "${STATUS_OK}" --color GREEN
sFIND=$(${AWKBINARY} '/^server/ { print $2 }' /etc/ntp.conf | ${GREPBINARY} -v '127.127.1.0')
for I in ${sFIND}; do
FIND=`${GREPBINARY} ^${I} ${FILE} | wc -l`
FIND=$(${GREPBINARY} ^${I} ${FILE} | wc -l)
if [ ${FIND} -gt 0 ]; then
LogText "Result: $I exist in ${FILE}"
else

6
include/tests_tooling
View File

@ -221,8 +221,8 @@
# # Check email alert configuration
# LogText "Test: checking for email actions within ${FAIL2BAN_CONFIG}"
#
# FIND=`${EGREPBINARY} "^action = \%\(action_m.*\)s" ${FAIL2BAN_CONFIG}`
# FIND2=`${EGREPBINARY} "^action = \%\(action_\)s" ${FAIL2BAN_CONFIG}`
# FIND=$(${EGREPBINARY} "^action = \%\(action_m.*\)s" ${FAIL2BAN_CONFIG})
# FIND2=$(${EGREPBINARY} "^action = \%\(action_\)s" ${FAIL2BAN_CONFIG})
#
# if [ ! "${FIND}" = "" ]; then
# FAIL2BAN_EMAIL=1
@ -271,7 +271,7 @@
# LogText "Checking for fail2ban iptables chains"
#
# if [ ! "${IPTABLESBINARY}" = "" ]; then
# CHECK_CHAINS=`${IPTABLESBINARY} -L 2>&1 | ${GREPBINARY} fail2ban`
# CHECK_CHAINS=$(${IPTABLESBINARY} -L 2>&1 | ${GREPBINARY} fail2ban)
# if [ ! "${CHECK_CHAINS}" = "" ]; then
# LogText "Result: found at least one iptables chain for fail2ban"
# Display --indent 4 --text "- Checking for Fail2ban iptables chain" --result "${STATUS_OK}" --color GREEN

38
include/tests_webservers
View File

@ -61,7 +61,7 @@
Display --indent 2 --text "- Checking Apache" --result "${STATUS_NOT_FOUND}" --color WHITE
else
LogText "Test: Scanning for Apache binary"
IS_APACHE=`${HTTPDBINARY} -v 2> /dev/null | ${EGREPBINARY} '[aA]pache'`
IS_APACHE=$(${HTTPDBINARY} -v 2> /dev/null | ${EGREPBINARY} '[aA]pache')
if [ "${IS_APACHE}" = "" ]; then
LogText "Result: ${HTTPDBINARY} is not Apache"
Display --indent 2 --text "- Checking Apache (binary ${HTTPDBINARY})" --result "NO MATCH" --color WHITE
@ -69,7 +69,7 @@
Display --indent 2 --text "- Checking Apache (binary ${HTTPDBINARY})" --result "${STATUS_FOUND}" --color GREEN
LogText "Result: ${HTTPDBINARY} seems to be Apache HTTP daemon"
APACHE_INSTALLED=1
APACHE_VERSION=`${HTTPDBINARY} -v 2> /dev/null | ${GREPBINARY} "^Server version:" | ${AWKBINARY} '{ print $3 }' | ${AWKBINARY} -F/ '{ print $2 }'`
APACHE_VERSION=$(${HTTPDBINARY} -v 2> /dev/null | ${GREPBINARY} "^Server version:" | ${AWKBINARY} '{ print $3 }' | ${AWKBINARY} -F/ '{ print $2 }')
LogText "Apache version: ${APACHE_VERSION}"
Report "apache_version=${APACHE_VERSION}"
fi
@ -93,7 +93,7 @@
Register --test-no HTTP-6624 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Testing main Apache configuration file"
if [ ${SKIPTEST} -eq 0 ]; then
APACHE_CONFIGFILE=""
APACHE_TEST=`${HTTPDBINARY} -V 2> /dev/null | ${GREPBINARY} "\-D SERVER_CONFIG_FILE=" | ${SEDBINARY} 's/[ ]-D SERVER_CONFIG_FILE=//' | ${TRBINARY} -d '"' | ${TRBINARY} -d ' ' | ${TRBINARY} -d '[:cntrl:]'`
APACHE_TEST=$(${HTTPDBINARY} -V 2> /dev/null | ${GREPBINARY} "\-D SERVER_CONFIG_FILE=" | ${SEDBINARY} 's/[ ]-D SERVER_CONFIG_FILE=//' | ${TRBINARY} -d '"' | ${TRBINARY} -d ' ' | ${TRBINARY} -d '[:cntrl:]')
if [ "${APACHE_TEST}" = "" ]; then
LogText "Result: Can't find the configuration file, so skipping some Apache related tests"
@ -104,7 +104,7 @@
Display --indent 6 --text "Info: Configuration file found (${APACHE_CONFIGFILE})"
else
# Probably the prefix is missing, so we are going to search that
APACHE_HTTPDROOT=`${HTTPDBINARY} -V 2> /dev/null | ${GREPBINARY} "\-D HTTPD_ROOT=" | ${SEDBINARY} 's/[ ]-D HTTPD_ROOT=//' | ${TRBINARY} -d '"' | ${TRBINARY} -d ' '`
APACHE_HTTPDROOT=$(${HTTPDBINARY} -V 2> /dev/null | ${GREPBINARY} "\-D HTTPD_ROOT=" | ${SEDBINARY} 's/[ ]-D HTTPD_ROOT=//' | ${TRBINARY} -d '"' | ${TRBINARY} -d ' ')
#echo "Apache root prefix: ${APACHE_HTTPDROOT}"
#echo "Complete path to configuration file: ${APACHE_HTTPDROOT}/${APACHE_TEST}"
APACHE_TESTFILE="${APACHE_HTTPDROOT}/${APACHE_TEST}"
@ -143,13 +143,13 @@
cVHOSTS=0; tVHOSTS=""
# Check every configuration file
for I in `cat ${TMPFILE}`; do
for I in $(cat ${TMPFILE}); do
LogText "Apache config file: ${I}"
FileIsReadable ${I}
if [ ${CANREAD} -eq 1 ]; then
# Search Virtual Hosts
for J in `${GREPBINARY} "ServerName" ${I} | ${GREPBINARY} -v "^#" | ${AWKBINARY} '{ if ($1=="ServerName" && $2!="*" && $2!="default") print $2 }'`; do
for J in $(${GREPBINARY} "ServerName" ${I} | ${GREPBINARY} -v "^#" | ${AWKBINARY} '{ if ($1=="ServerName" && $2!="*" && $2!="default") print $2 }'); do
if [ ! -z ${J} ]; then
tVHOSTS="${tVHOSTS} ${J}"
cVHOSTS=$((cVHOSTS + 1))
@ -205,12 +205,12 @@
# for APACHE_CONFIGFILE in ${APACHE_CONFIGFILES}; do
# if [ -f ${APACHE_CONFIGFILE} ]; then
# # Check if option ServerTokens is configured
# SERVERTOKENSTEST=`${GREPBINARY} ServerTokens ${APACHE_CONFIGFILE} | ${GREPBINARY} -v '^#'`
# SERVERTOKENSTEST=$(${GREPBINARY} ServerTokens ${APACHE_CONFIGFILE} | ${GREPBINARY} -v '^#')
# if [ ! "${SERVERTOKENSTEST}" = "" ]; then
# Display --indent 4 --text "- Checking option ServerTokens" --result "${STATUS_FOUND}" --color WHITE
# SERVERTOKENSTEST=`echo ${SERVERTOKENSTEST} | ${SEDBINARY} 's/ServerTokens//' | ${TRBINARY} -d ' '`
# SERVERTOKENSTEST=$(echo ${SERVERTOKENSTEST} | ${SEDBINARY} 's/ServerTokens//' | ${TRBINARY} -d ' ')
# LogText "Option ServerTokens found: ${SERVERTOKENSTEST}"
# SERVERTOKENSEXPECTED=`${GREPBINARY} 'apache' ${PROFILE} | ${GREPBINARY} 'ServerTokens' | ${CUTBINARY} -d ':' -f3`
# SERVERTOKENSEXPECTED=$(${GREPBINARY} 'apache' ${PROFILE} | ${GREPBINARY} 'ServerTokens' | ${CUTBINARY} -d ':' -f3)
# if [ "${SERVERTOKENSEXPECTED}" = "${SERVERTOKENSTEST}" ]; then
# LogText "Result: Value from configuration file yielded the same output as in template"
# SERVERTOKENSFOUND=1
@ -254,7 +254,7 @@
#for I in ${APACHE_MODULES_ENABLED_LOCS}; do
#LogText "Test: checking ${I}"
#if [ -d ${I} ]; then
#FIND=`${GREPBINARY} -r LoadModule ${I}/* | ${GREPBINARY} -v "^#" | ${AWKBINARY} '{ print $2":"$3 }'`
#FIND=$(${GREPBINARY} -r LoadModule ${I}/* | ${GREPBINARY} -v "^#" | ${AWKBINARY} '{ print $2":"$3 }')
#else
#LogText "Result: ${I} does not exist"
#fi
@ -380,7 +380,7 @@
Register --test-no HTTP-6702 --weight L --network NO --category security --description "Check nginx process"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: searching running nginx process"
FIND=`${PSBINARY} ax | ${GREPBINARY} "/nginx" | ${GREPBINARY} "master" | ${GREPBINARY} -v "grep"`
FIND=$(${PSBINARY} ax | ${GREPBINARY} "/nginx" | ${GREPBINARY} "master" | ${GREPBINARY} -v "grep")
if [ ! "${FIND}" = "" ]; then
LogText "Result: found running nginx process(es)"
Display --indent 2 --text "- Checking nginx" --result "${STATUS_FOUND}" --color GREEN
@ -430,9 +430,9 @@
N=0
${SEDBINARY} -e 's/^[ ]*//' ${NGINX_CONF_LOCATION} | ${GREPBINARY} -v "^#" | ${GREPBINARY} -v "^$" | ${SEDBINARY} 's/[ ]/ /g' | ${SEDBINARY} 's/ / /g' | ${SEDBINARY} 's/ / /g' >> ${TMPFILE}
# Search for included configuration files (may include directories and wild cards)
FIND=`${GREPBINARY} "include" ${NGINX_CONF_LOCATION} | ${AWKBINARY} '{ if ($1=="include") { print $2 }}' | ${SEDBINARY} 's/;$//g'`
FIND=$(${GREPBINARY} "include" ${NGINX_CONF_LOCATION} | ${AWKBINARY} '{ if ($1=="include") { print $2 }}' | ${SEDBINARY} 's/;$//g')
for I in ${FIND}; do
FIND2=`${LSBINARY} ${I} 2>/dev/null`
FIND2=$(${LSBINARY} ${I} 2>/dev/null)
for J in ${FIND2}; do
# Ensure that we are parsing normal files
if [ -f ${J} ]; then
@ -442,7 +442,7 @@
FileIsReadable ${J}
if [ ${CANREAD} -eq 1 ]; then
NGINX_CONF_FILES="${NGINX_CONF_FILES} ${J}"
FIND3=`sed -e 's/^[ ]*//' ${J} | ${GREPBINARY} -v "^#" | ${GREPBINARY} -v "^$" | ${SEDBINARY} 's/[ ]/ /g' | ${SEDBINARY} 's/ / /g' | ${SEDBINARY} 's/ / /g' >> ${TMPFILE}`
FIND3=$(sed -e 's/^[ ]*//' ${J} | ${GREPBINARY} -v "^#" | ${GREPBINARY} -v "^$" | ${SEDBINARY} 's/[ ]/ /g' | ${SEDBINARY} 's/ / /g' | ${SEDBINARY} 's/ / /g' >> ${TMPFILE})
else
ReportException "${TEST_NO}:1" "Can not parse file ${J}, as it is not readable"
fi
@ -451,9 +451,9 @@
done
# Sort all discovered configuration lines and store unique ones. Also strip out the mime types configured in nginx
SORTFILE=`${SORTBINARY} -u ${TMPFILE} | ${SEDBINARY} 's/ /:space:/g' | ${EGREPBINARY} -v "(application|audio|image|text|video)/" | ${EGREPBINARY} -v "({|})"`
SORTFILE=$(${SORTBINARY} -u ${TMPFILE} | ${SEDBINARY} 's/ /:space:/g' | ${EGREPBINARY} -v "(application|audio|image|text|video)/" | ${EGREPBINARY} -v "({|})")
for I in ${SORTFILE}; do
I=`echo ${I} | ${SEDBINARY} 's/:space:/ /g'`
I=$(echo ${I} | ${SEDBINARY} 's/:space:/ /g')
Report "nginx_config_option[]=${I}";
done
@ -470,7 +470,7 @@
#################################################################################
#
# Test : HTTP-6708
# Description : Check discovered nginx configuration settings for further hardering
# Description : Check discovered nginx configuration settings for further hardening
# Notes : Daemon of nginx should be running, nginx.conf should be found
if [ ${NGINX_RUNNING} -eq 1 -a ! "${NGINX_CONF_FILES}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no HTTP-6708 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check discovered nginx configuration settings"
@ -651,7 +651,7 @@
# if [ ${SKIPTEST} -eq 0 ]; then
# N=0
# LogText "Test: searching proxy_pass statement in configuration file ${NGINX_CONF_LOCATION}"
# FIND=`${GREPBINARY} "proxy_pass" ${NGINX_CONF_LOCATION} | ${GREPBINARY} -v "#" | ${SEDBINARY} 's/proxy_pass//g' | ${TRBINARY} -d ';'`
# FIND=$(${GREPBINARY} "proxy_pass" ${NGINX_CONF_LOCATION} | ${GREPBINARY} -v "#" | ${SEDBINARY} 's/proxy_pass//g' | ${TRBINARY} -d ';')
# for I in ${FIND}; do
# LogText "Found reverse proxy configuration for: ${I}"
# N=$((N + 1))
@ -675,7 +675,7 @@
# if [ ${SKIPTEST} -eq 0 ]; then
# N=0
# LogText "Test: searching nginx virtual hosts"
# FIND=`${GREPBINARY} "server_name" ${NGINX_CONF_LOCATION} | ${GREPBINARY} -v "#" | ${SEDBINARY} 's/server_name//g' | ${TRBINARY} -d ';'`
# FIND=$(${GREPBINARY} "server_name" ${NGINX_CONF_LOCATION} | ${GREPBINARY} -v "#" | ${SEDBINARY} 's/server_name//g' | ${TRBINARY} -d ';')
# for I in ${FIND}; do
# if [ "${I}" = "_" ]; then I="Default virtual host"; fi
# LogText "Found virtual host: ${I}"

2
include/tool_tips
View File

@ -31,7 +31,7 @@
for I in ${ETC_PATHS}; do
if [ -d ${I}/bash-completion.d ]; then
if [ ! -f ${ETC_PATHS}/bash_completion.d/lynis ]; then
Display "This system has a bash_completition directory. Copy extras/bash_completion.d/lynis to ${I} to get completion support for Lynis"
Display "This system has a bash_completion directory. Copy extras/bash_completion.d/lynis to ${I} to get completion support for Lynis"
fi
fi
done

14
lynis
View File

@ -61,7 +61,7 @@
#################################################################################
#
# Work directory
WORKDIR=`pwd`
WORKDIR=$(pwd)
# Test from which directories we can use all functions and tests
@ -248,7 +248,7 @@ Make sure to execute ${PROGRAM_NAME} from untarred directory or check your insta
#################################################################################
#
# CV - Current Version
PROGRAM_AC=`echo ${PROGRAM_VERSION} | awk '{ print $1 }' | sed 's/[.]//g'`
PROGRAM_AC=$(echo ${PROGRAM_VERSION} | awk '{ print $1 }' | sed 's/[.]//g')
PROGRAM_LV=0
#
#################################################################################
@ -299,7 +299,7 @@ ${NORMAL}
#################################################################################
#
# Decide where to write our PID file. For unprivileged users this will be in their home directory, or /tmp if their
# home directory isn't set. For root it will be /var/run, or the current workign directory if /var/run doesn't exist.
# home directory isn't set. For root it will be /var/run, or the current working directory if /var/run doesn't exist.
MYHOMEDIR=$(echo ~ 2> /dev/null)
if [ "${MYHOMEDIR}" = "" ]; then MYHOMEDIR="/tmp"; fi
@ -815,14 +815,14 @@ ${NORMAL}
LogText "Found plugin file: ${PLUGIN_FILE}"
# Double check if output is a valid file name
if [ -f ${PLUGIN_FILE} ]; then
FIND2=`grep "^# PLUGIN_NAME=" ${PLUGIN_FILE} | awk -F= '{ print $2 }'`
FIND2=$(grep "^# PLUGIN_NAME=" ${PLUGIN_FILE} | awk -F= '{ print $2 }')
if [ ! "${FIND2}" = "" -a ! "${FIND2}" = "[plugin_name]" ]; then
if [ ${PLUGIN_PHASE} -eq 1 ]; then N_PLUGIN=$((${N_PLUGIN} + 1)); fi
# Check if the plugin is enabled in any of the profiles
PLUGIN_ENABLED_STATE=0
for PROFILE in ${PROFILES}; do
LogText "Action: checking plugin status in profile: ${PROFILE}"
FIND3=`grep "^plugin=${FIND2}" ${PROFILE}`
FIND3=$(grep "^plugin=${FIND2}" ${PROFILE})
if [ ! "${FIND3}" = "" ]; then
LogText "Result: plugin enabled in profile (${PROFILE})"
PLUGIN_ENABLED_STATE=1
@ -832,8 +832,8 @@ ${NORMAL}
LogText "Result: plugin ${FIND2} is enabled"
PLUGINFILE="${PLUGINDIR}/plugin_${FIND2}_phase${PLUGIN_PHASE}"
if [ -f ${PLUGINFILE} ]; then
PLUGIN_VERSION=`grep "^# PLUGIN_VERSION=" ${PLUGIN_FILE} | awk -F= '{ print $2 }'`
PLUGIN_VERSION_NODOTS=`echo ${PLUGIN_VERSION} | sed 's/.//g'`
PLUGIN_VERSION=$(grep "^# PLUGIN_VERSION=" ${PLUGIN_FILE} | awk -F= '{ print $2 }')
PLUGIN_VERSION_NODOTS=$(echo ${PLUGIN_VERSION} | sed 's/.//g')
if SafePerms ${PLUGINFILE}; then
LogText "Including plugin file: ${PLUGINFILE} (version: ${PLUGIN_VERSION})"
Report "plugin_enabled_phase${PLUGIN_PHASE}[]=${FIND2}|${PLUGIN_VERSION}|"

50
plugins/plugin_pam_phase1
View File

@ -68,25 +68,25 @@
# Check if the PAM directory structure exists
if [ -d ${PAM_DIRECTORY} ]; then
LogText "Result: /etc/pam.d exists"
FIND_FILES=`find ${PAM_DIRECTORY} -type f -print`
FIND_FILES=$(find ${PAM_DIRECTORY} -type f -print)
# First check /etc/pam.conf if it exists.
#if [ -f /etc/pam.conf ]; then FIND="/etc/pam.conf ${FIND}"; fi
for PAM_FILE in ${FIND_FILES}; do
LogText "Now checking PAM file ${PAM_FILE}"
while read line; do
# Strip empty lines, commented lines, tabs, line breaks (\), then finally remove all double spaces
LINE=`echo $line | grep -v "^#" | grep -v "^$" | tr '\011' ' ' | sed 's/\\\n/ /' | sed 's/ / /g' | sed 's/ #\(.*\)$//'`
LINE=$(echo $line | grep -v "^#" | grep -v "^$" | tr '\011' ' ' | sed 's/\\\n/ /' | sed 's/ / /g' | sed 's/ #\(.*\)$//')
if [ ! "${LINE}" = "" ]; then
PAM_SERVICE=`echo ${PAM_FILE} | awk -F/ '{ print $NF }'`
PAM_SERVICE=$(echo ${PAM_FILE} | awk -F/ '{ print $NF }')
PAM_CONTROL_FLAG="-"
PAM_CONTROL_OPTIONS="-"
PAM_MODULE="-"
PAM_MODULE_OPTIONS="-"
PAM_TYPE=`echo ${LINE} | awk '{ print $1 }'`
PAM_TYPE=$(echo ${LINE} | awk '{ print $1 }')
PARSELINE=0
case ${PAM_TYPE} in
"@include")
FILE=`echo ${LINE} | awk '{ print $2 }'`
FILE=$(echo ${LINE} | awk '{ print $2 }')
Debug "Result: Found @include in ${PAM_FILE}. Does include PAM settings from file ${FILE} (which is individually processed)"
;;
"account")
@ -106,16 +106,16 @@
;;
esac
if [ ${PARSELINE} -eq 1 ]; then
MULTIPLE_OPTIONS=`echo ${LINE} | awk '$2 ~ /^\[/'`
MULTIPLE_OPTIONS=$(echo ${LINE} | awk '$2 ~ /^\[/')
if [ ! "${MULTIPLE_OPTIONS}" = "" ]; then
# Needs more parsing, depending on the options found
PAM_CONTROL_OPTIONS=`echo ${LINE} | sed "s/^.*\[//" | sed "s/\].*$//"`
PAM_CONTROL_OPTIONS=$(echo ${LINE} | sed "s/^.*\[//" | sed "s/\].*$//")
LogText "Result: Found brackets in line, indicating multiple options for control flags: ${PAM_CONTROL_OPTIONS}"
LINE=`echo ${LINE} | sed "s/ \[.*\] / other /"`
LINE=$(echo ${LINE} | sed "s/ \[.*\] / other /")
fi
PAM_MODULE=`echo ${LINE} | awk '{ print $3 }'`
PAM_MODULE_OPTIONS=`echo ${LINE} | cut -d ' ' -f 4-`
PAM_CONTROL_FLAG=`echo ${LINE} | awk '{ print $2 }'`
PAM_MODULE=$(echo ${LINE} | awk '{ print $3 }')
PAM_MODULE_OPTIONS=$(echo ${LINE} | cut -d ' ' -f 4-)
PAM_CONTROL_FLAG=$(echo ${LINE} | awk '{ print $2 }')
case ${PAM_CONTROL_FLAG} in
"optional"|"required"|"requisite"|"sufficient")
#Debug "Found a common control flag: ${PAM_CONTROL_FLAG} for ${PAM_MODULE}"
@ -135,7 +135,7 @@
LogText "Result: using module ${PAM_MODULE} (${PAM_CONTROL_FLAG}) without options configured"
fi
PAM_MODULE_NAME=`echo ${PAM_MODULE} | sed 's/.so$//'`
PAM_MODULE_NAME=$(echo ${PAM_MODULE} | sed 's/.so$//')
#
# Specific PAMs are commonly seen on these platforms:
#
@ -202,8 +202,8 @@
if [ "${PAM_PASSWORD_PWHISTORY_AMOUNT}" = "" ]; then PAM_PASSWORD_PWHISTORY_AMOUNT=10; fi
if [ ! "${PAM_MODULE_OPTIONS}" = "" ]; then
for I in ${PAM_MODULE_OPTIONS}; do
OPTION=`echo ${I} | awk -F= '{ print $1 }'`
VALUE=`echo ${I} | awk -F= '{ print $2 }'`
OPTION=$(echo ${I} | awk -F= '{ print $1 }')
VALUE=$(echo ${I} | awk -F= '{ print $2 }')
CREDITS_CONFIGURED=0
case ${OPTION} in
remember)
@ -231,8 +231,8 @@
LogText "Result: found ${PAM_MODULE} module (generic)"
if [ ! "${PAM_MODULE_OPTIONS}" = "" ]; then
for I in ${PAM_MODULE_OPTIONS}; do
OPTION=`echo ${I} | awk -F= '{ print $1 }'`
VALUE=`echo ${I} | awk -F= '{ print $2 }'`
OPTION=$(echo ${I} | awk -F= '{ print $1 }')
VALUE=$(echo ${I} | awk -F= '{ print $2 }')
CREDITS_CONFIGURED=0
case ${OPTION} in
remember)
@ -268,9 +268,9 @@
if [ ! "${PAM_MODULE_OPTIONS}" = "" ]; then
Debug "Module options configured"
for I in ${PAM_MODULE_OPTIONS}; do
OPTION=`echo ${I} | awk -F= '{ print $1 }'`
OPTION=$(echo ${I} | awk -F= '{ print $1 }')
Debug ${OPTION}
VALUE=`echo ${I} | awk -F= '{ print $2 }'`
VALUE=$(echo ${I} | awk -F= '{ print $2 }')
CREDITS_CONFIGURED=0
case ${OPTION} in
minlen)
@ -286,7 +286,7 @@
MAX_PASSWORD_RETRY=${VALUE}
;;
minclass)
# Minimum number of class required out of upper, lower, digit and oters
# Minimum number of class required out of upper, lower, digit and others
LogText "Result: Min number of password class is configured"
MIN_PASSWORD_CLASS=${VALUE}
;;
@ -318,8 +318,8 @@
fi
if [ ! "${PAM_MODULE_OPTIONS}" = "" ]; then
for I in ${PAM_MODULE_OPTIONS}; do
OPTION=`echo ${I} | awk -F= '{ print $1 }'`
VALUE=`echo ${I} | awk -F= '{ print $2 }'`
OPTION=$(echo ${I} | awk -F= '{ print $1 }')
VALUE=$(echo ${I} | awk -F= '{ print $2 }')
case ${OPTION} in
deny)
AUTH_BLOCK_BAD_LOGIN_ATTEMPTS="${VALUE}"
@ -402,7 +402,7 @@ if [ ${PAM_PASSWORD_STRENGTH_TESTED} -eq 1 ]; then
# Digits
if [ ${CREDITS_D_PASSWORD} -lt 0 ]; then
CREDITS_D_PASSWORD=`echo ${CREDITS_D_PASSWORD} | cut -b 2-`
CREDITS_D_PASSWORD=$(echo ${CREDITS_D_PASSWORD} | cut -b 2-)
LogText "[PAM] Minimum number of Digital characters required: ${CREDITS_D_PASSWORD}"
Report "password_min_digital_required=${CREDITS_D_PASSWORD}"
elif [ ${CREDITS_D_PASSWORD} -ge 0 ]; then
@ -412,7 +412,7 @@ if [ ${PAM_PASSWORD_STRENGTH_TESTED} -eq 1 ]; then
# Lowercase
if [ ${CREDITS_L_PASSWORD} -lt 0 ]; then
CREDITS_L_PASSWORD=`echo ${CREDITS_L_PASSWORD} | cut -b 2-`
CREDITS_L_PASSWORD=$(echo ${CREDITS_L_PASSWORD} | cut -b 2-)
LogText "[PAM] Minimum number of Lowercase characters required: ${CREDITS_L_PASSWORD}"
Report "password_min_l_required=${CREDITS_L_PASSWORD}"
elif [ ${CREDITS_L_PASSWORD} -ge 0 ]; then
@ -422,7 +422,7 @@ if [ ${PAM_PASSWORD_STRENGTH_TESTED} -eq 1 ]; then
# Other characters
if [ ${CREDITS_O_PASSWORD} -lt 0 ]; then
CREDITS_O_PASSWORD=`echo ${CREDITS_O_PASSWORD} | cut -b 2-`
CREDITS_O_PASSWORD=$(echo ${CREDITS_O_PASSWORD} | cut -b 2-)
LogText "[PAM] Minimum number of Other characters required: ${CREDITS_O_PASSWORD}"
Report "password_min_other_required=${CREDITS_O_PASSWORD}"
elif [ ${CREDITS_O_PASSWORD} -ge 0 ]; then
@ -432,7 +432,7 @@ if [ ${PAM_PASSWORD_STRENGTH_TESTED} -eq 1 ]; then
# Uppercase
if [ ${CREDITS_U_PASSWORD} -lt 0 ]; then
CREDITS_U_PASSWORD=`echo ${CREDITS_U_PASSWORD} | cut -b 2-`
CREDITS_U_PASSWORD=$(echo ${CREDITS_U_PASSWORD} | cut -b 2-)
LogText "[PAM] Minimum number of Uppercase characters required: ${CREDITS_U_PASSWORD}"
Report "password_min_u_required=${CREDITS_U_PASSWORD}"
elif [ ${CREDITS_U_PASSWORD} -ge 0 ]; then

36
plugins/plugin_systemd_phase1
View File

@ -39,7 +39,7 @@
if [ ! "${SYSTEMCTLBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PLGN-3800 --preqs-met ${PREQS_MET} --weight L --network NO --description "Gather systemctl exit code" --progress
if [ ${SKIPTEST} -eq 0 ]; then
FIND=`${SYSTEMCTLBINARY} > /dev/null`
FIND=$(${SYSTEMCTLBINARY} > /dev/null)
if [ $? -gt 0 ]; then
Report "systemctl_error_message=${FIND}"
else
@ -57,13 +57,13 @@
if [ ! "${SYSTEMCTLBINARY}" = "" -a ${SYSTEMD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PLGN-3802 --preqs-met ${PREQS_MET} --weight L --network NO --description "Query systemd version and options" --progress
if [ ${SKIPTEST} -eq 0 ]; then
FIND=`${SYSTEMCTLBINARY} --version 2> /dev/null | ${AWKBINARY} '{ if ($1=="systemd") { print $2 } }' | grep "^[1-9][0-9][0-9]$" | head -1`
FIND=$(${SYSTEMCTLBINARY} --version 2> /dev/null | ${AWKBINARY} '{ if ($1=="systemd") { print $2 } }' | grep "^[1-9][0-9][0-9]$" | head -1)
if [ ! "${FIND}" = "" ]; then
SYSTEMD_VERSION=${FIND}
Report "systemd_version=${FIND}"
LogText "Result: found systemd version ${FIND}"
fi
FIND=`${SYSTEMCTLBINARY} --version 2> /dev/null | grep "^[-+]" | sed 's/[[:space:]]/,/g' | head -1`
FIND=$(${SYSTEMCTLBINARY} --version 2> /dev/null | grep "^[-+]" | sed 's/[[:space:]]/,/g' | head -1)
if [ ! "${FIND}" = "" ]; then
Report "systemd_builtin_components=${FIND}"
LogText "Result: found builtin components list"
@ -77,7 +77,7 @@
if [ ! "${SYSTEMCTLBINARY}" = "" -a ${SYSTEMD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PLGN-3804 --preqs-met ${PREQS_MET} --weight L --network NO --description "Gather systemd unit files and their status" --progress
if [ ${SKIPTEST} -eq 0 ]; then
FIND=`${SYSTEMCTLBINARY} --no-legend list-unit-files 2> /dev/null | ${AWKBINARY} '{ print $1"|"$2"|" }'`
FIND=$(${SYSTEMCTLBINARY} --no-legend list-unit-files 2> /dev/null | ${AWKBINARY} '{ print $1"|"$2"|" }')
if [ ! "${FIND}" = "" ]; then
LogText "Result: found systemd unit files via systemctl list-unit-files"
for I in ${FIND}; do
@ -94,7 +94,7 @@
if [ ! "${SYSTEMCTLBINARY}" = "" -a ${SYSTEMD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PLGN-3806 --preqs-met ${PREQS_MET} --weight L --network NO --description "Gather failed systemd units" --progress
if [ ${SKIPTEST} -eq 0 ]; then
FIND=`${SYSTEMCTLBINARY} --no-legend --state=failed 2> /dev/null | ${AWKBINARY} '{ if ($4=="failed" && $5=="failed") { print $2 } }'`
FIND=$(${SYSTEMCTLBINARY} --no-legend --state=failed 2> /dev/null | ${AWKBINARY} '{ if ($4=="failed" && $5=="failed") { print $2 } }')
if [ ! "${FIND}" = "" ]; then
LogText "Result: found systemd unit files via systemctl list-unit-files"
for I in ${FIND}; do
@ -111,7 +111,7 @@
if [ -f /etc/machine-id -a ${SYSTEMD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PLGN-3808 --preqs-met ${PREQS_MET} --weight L --network NO --description "Gather systemd machine ID" --progress
if [ ${SKIPTEST} -eq 0 ]; then
FIND=`cat /etc/machine-id | head -1`
FIND=$(cat /etc/machine-id | head -1)
if [ ! "${FIND}" = "" ]; then
SYSTEMD_MACHINEID="${FIND}"
LogText "Result: found machine ID: ${SYSTEMD_MACHINEID}"
@ -125,7 +125,7 @@
if [ ! "${FINDBINARY}" = "" -a -d /usr/lib/systemd -a ${SYSTEMD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PLGN-3810 --preqs-met ${PREQS_MET} --weight L --network NO --description "Query main systemd binaries" --progress
if [ ${SKIPTEST} -eq 0 ]; then
FIND=`find /usr/lib/systemd -maxdepth 1 -type f -name "systemd-*" -printf "%f|"`
FIND=$(find /usr/lib/systemd -maxdepth 1 -type f -name "systemd-*" -printf "%f|")
if [ ! "${FIND}" = "" ]; then
Report "systemd_binaries=${FIND}"
LogText "Result: found systemd binaries in /usr/lib/systemd"
@ -141,10 +141,10 @@
if [ ! "${JOURNALCTLBINARY}" = "" -a ${SYSTEMD_RUNNING} -eq 1 -a ${SYSTEMD_VERSION} -ge 209 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PLGN-3812 --preqs-met ${PREQS_MET} --weight L --network NO --description "Query journal for boot related information" --progress
if [ ${SKIPTEST} -eq 0 ]; then
FIND=`${JOURNALCTLBINARY} --list-boots | wc -l`
FIND=$(${JOURNALCTLBINARY} --list-boots | wc -l)
LogText "Output: number of boots listed in journal is ${FIND}"
if [ ! "${FIND}" = "" ]; then Report "journal_bootlogs=${FIND}"; fi
FIND=`${JOURNALCTLBINARY} --list-boots | head -1 | awk '{ print $4 }'`
FIND=$(${JOURNALCTLBINARY} --list-boots | head -1 | awk '{ print $4 }')
LogText "Output: oldest boot date in journal is ${FIND}"
if [ ! "${FIND}" = "" ]; then Report "journal_oldest_bootdate=${FIND}"; fi
fi
@ -156,11 +156,11 @@
if [ ! "${JOURNALCTLBINARY}" = "" -a ${SYSTEMD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PLGN-3814 --preqs-met ${PREQS_MET} --weight L --network NO --description "Verify journal integrity" --progress
if [ ${SKIPTEST} -eq 0 ]; then
FIND=`${JOURNALCTLBINARY} --verify 2>&1 | grep FAIL | sed 's/[[:space:]]/:space:/g'`
FIND=$(${JOURNALCTLBINARY} --verify 2>&1 | grep FAIL | sed 's/[[:space:]]/:space:/g')
if [ ! "${FIND}" = "" ]; then
Report "journal_contains_errors=1"
for I in ${FIND}; do
LINE=`echo ${I} | sed 's/:space:/ /g'`
LINE=$(echo ${I} | sed 's/:space:/ /g')
LogText "Output (fails): ${LINE}"
done
else
@ -176,7 +176,7 @@
if [ ! "${JOURNALCTLBINARY}" = "" -a ${SYSTEMD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PLGN-3816 --preqs-met ${PREQS_MET} --weight L --network NO --description "Query journal for boot related information" --progress
if [ ${SKIPTEST} -eq 0 ]; then
FIND=`${JOURNALCTLBINARY} --disk-usage | awk '{ if ($1=="Journals") { print $4 }}'`
FIND=$(${JOURNALCTLBINARY} --disk-usage | awk '{ if ($1=="Journals") { print $4 }}')
Report "journal_disk_size=${FIND}"
LogText "Result: journals are ${FIND} in size"
fi
@ -188,7 +188,7 @@
if [ ! "${JOURNALCTLBINARY}" = "" -a ${SYSTEMD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PLGN-3818 --preqs-met ${PREQS_MET} --weight L --network NO --description "Query journal meta data" --progress
if [ ${SKIPTEST} -eq 0 ]; then
FIND=`${JOURNALCTLBINARY} --header | sed 's/^$/|/g' | tr '\n' ',' | sed 's/[[:space:]]//g'`
FIND=$(${JOURNALCTLBINARY} --header | sed 's/^$/|/g' | tr '\n' ',' | sed 's/[[:space:]]//g')
Report "journal_meta_data=${FIND}"
fi
#
@ -214,7 +214,7 @@
if [ ! "${SYSTEMCTLBINARY}" = "" -a ${SYSTEMD_RUNNING} -eq 1 -a ${SYSTEMD_VERSION} -ge 215 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PLGN-3830 --preqs-met ${PREQS_MET} --weight L --network NO --description "Query systemd status" --progress
if [ ${SKIPTEST} -eq 0 ]; then
FIND=`${SYSTEMCTLBINARY} is-system-running 2> /dev/null | head -1`
FIND=$(${SYSTEMCTLBINARY} is-system-running 2> /dev/null | head -1)
if [ ! "${FIND}" = "" ]; then
Report "systemd_status=${FIND}"
LogText "Result: found systemd status = ${FIND}"
@ -228,7 +228,7 @@
if [ ! "${SYSTEMCTLBINARY}" = "" -a ${SYSTEMD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PLGN-3832 --preqs-met ${PREQS_MET} --weight L --network NO --description "Query systemd status for processes which can not be found" --progress
if [ ${SKIPTEST} -eq 0 ]; then
FIND=`${SYSTEMCTLBINARY} --no-legend --all --state=not-found 2> /dev/null | awk '{ print $1 }'`
FIND=$(${SYSTEMCTLBINARY} --no-legend --all --state=not-found 2> /dev/null | awk '{ print $1 }')
if [ ! "${FIND}" = "" ]; then
for I in ${FIND}; do
Report "systemd_unit_not_found[]=${I}"
@ -243,7 +243,7 @@
if [ ! "${SYSTEMCTLBINARY}" = "" -a ! "${AWKBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PLGN-3834 --preqs-met ${PREQS_MET} --weight L --network NO --description "Collect service units which can not be found in systemd" --progress
if [ ${SKIPTEST} -eq 0 ]; then
FIND=`${SYSTEMCTLBINARY} list-units -t service --all | ${AWKBINARY} '{ if ($3=="not-found") { print $2 }}'`
FIND=$(${SYSTEMCTLBINARY} list-units -t service --all | ${AWKBINARY} '{ if ($3=="not-found") { print $2 }}')
if [ ! "${FIND}" = "" ]; then
LogText "Result: found one or more services with faulty state"
for I in ${FIND}; do
@ -261,7 +261,7 @@
Register --test-no PLGN-3856 --preqs-met ${PREQS_MET} --weight L --network NO --description "Query coredumps from journals since Yesterday" --progress
if [ ${SKIPTEST} -eq 0 ]; then
SYSTEMD_COREDUMP_USED=1
FIND=`cat /proc/sys/kernel/core_pattern | grep systemd-coredump`
FIND=$(cat /proc/sys/kernel/core_pattern | grep systemd-coredump)
if [ ! "${FIND}" = "" ]; then
LogText "Result: systemd uses systemd-coredump to handle coredumps"
Report "systemd_coredump_used=1"
@ -281,7 +281,7 @@
if [ ! "${JOURNALCTLBINARY}" = "" -a ${SYSTEMD_COREDUMP_USED} -eq 1 -a ${SYSTEMD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PLGN-3860 --preqs-met ${PREQS_MET} --weight L --network NO --description "Query coredumps from journals since Yesterday" --progress
if [ ${SKIPTEST} -eq 0 ]; then
FIND=`${JOURNALCTLBINARY} SYSLOG_IDENTIFIER=systemd-coredump --since=yesterday -o cat 2> /dev/null`
FIND=$(${JOURNALCTLBINARY} SYSLOG_IDENTIFIER=systemd-coredump --since=yesterday -o cat 2> /dev/null)
if [ ! "${FIND}" = "" ]; then
Report "journal_coredumps_lastday=1"
LogText "Result: found recent coredumps"