Various cleanups (#363)

* Typo fix.

* Style change: always use $(), never ``.

The Lynis code already mostly used $(), but backticks were sprinkled
around.  Converted all of them.

* Lots of minor spelling/typo fixes.

FWIW these were found with:

  find . -type f -print0 | xargs -0 cat | aspell list | sort -u | egrep '^[a-z]+$' | less

And then reviewing the list to pick out things that looked like
misspelled words as opposed to variables, etc., and then manual
inspection of context to determine the intention.
hlein 2017-03-06 00:41:21 -07:00 committed by Michael Boelen
parent b9ae378edb
commit b595cc0fb5
34 changed files with 457 additions and 456 deletions


@ -82,7 +82,7 @@
# #
######################################################################### #########################################################################
# #
MYUSER=`whoami` MYUSER=$(whoami)
if [ "${MYUSER}" = "" ]; then if [ "${MYUSER}" = "" ]; then
echo "[X] Could not determine user" echo "[X] Could not determine user"
fi fi
@ -91,7 +91,7 @@
fi fi
MYWORKDIR=`pwd | awk -F / '{ for (i=1;i<=NF-2;i++){ printf $i"/" }; printf "\n"}' | sed 's./$..'` MYWORKDIR=$(pwd | awk -F / '{ for (i=1;i<=NF-2;i++){ printf $i"/" }; printf "\n"}' | sed 's./$..')
if [ ! -d ${MYWORKDIR} ]; then if [ ! -d ${MYWORKDIR} ]; then
echo "[X] Could not determine workdir (result: ${MYWORKDIR} seems invalid)" echo "[X] Could not determine workdir (result: ${MYWORKDIR} seems invalid)"
ExitFatal ExitFatal
@ -126,7 +126,7 @@
# Check binaries # Check binaries
GITBUILDPACKAGEBINARY=`which git-buildpackage` GITBUILDPACKAGEBINARY=$(which git-buildpackage)
if [ ! "${GITBUILDPACKAGEBINARY}" = "" ]; then if [ ! "${GITBUILDPACKAGEBINARY}" = "" ]; then
echo "[=] git-buildpackage = ${GITBUILDPACKAGEBINARY}" echo "[=] git-buildpackage = ${GITBUILDPACKAGEBINARY}"
else else
@ -135,7 +135,7 @@
ExitFatal ExitFatal
fi fi
RPMBUILDBINARY=`which rpmbuild` RPMBUILDBINARY=$(which rpmbuild)
if [ ! "${RPMBUILDBINARY}" = "" ]; then if [ ! "${RPMBUILDBINARY}" = "" ]; then
echo "[=] rpmbuild = ${RPMBUILDBINARY}" echo "[=] rpmbuild = ${RPMBUILDBINARY}"
else else
@ -168,7 +168,7 @@
#=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= #=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
# Create temporary build directory # Create temporary build directory
TMPDIR=`mktemp -d /tmp/lynis-BUILDROOT.XXXXXX` TMPDIR=$(mktemp -d /tmp/lynis-BUILDROOT.XXXXXX)
if [ $? -eq 0 ]; then if [ $? -eq 0 ]; then
echo "[V] Creating temporary build directory" echo "[V] Creating temporary build directory"
#echo " BUILDROOT: ${TMPDIR}" #echo " BUILDROOT: ${TMPDIR}"
@ -202,8 +202,8 @@
fi fi
fi fi
TARBALL_MD5=`md5sum ${TARBALL}` TARBALL_MD5=$(md5sum ${TARBALL})
TARBALL_SHA1=`sha1sum ${TARBALL}` TARBALL_SHA1=$(sha1sum ${TARBALL})
echo "[*] Starting with RPM building process" echo "[*] Starting with RPM building process"
@ -212,7 +212,7 @@
if [ -f ${SOURCEFILE_RPM} ]; then if [ -f ${SOURCEFILE_RPM} ]; then
if [ -f lynis.spec ]; then if [ -f lynis.spec ]; then
# adjust version in spec file # adjust version in spec file
VERSION_IN_SPECFILE=`awk '/^Version:/ { print $2 }' lynis.spec` VERSION_IN_SPECFILE=$(awk '/^Version:/ { print $2 }' lynis.spec)
echo "[=] Found version ${VERSION_IN_SPECFILE}" echo "[=] Found version ${VERSION_IN_SPECFILE}"
if [ ${VERSION_IN_SPECFILE} = "" -o ! "${VERSION_IN_SPECFILE}" = "${LYNIS_VERSION}" ]; then if [ ${VERSION_IN_SPECFILE} = "" -o ! "${VERSION_IN_SPECFILE}" = "${LYNIS_VERSION}" ]; then
echo "[X] Version in specfile is outdated" echo "[X] Version in specfile is outdated"
@ -241,9 +241,9 @@
echo "[*] Starting with DEB building process" echo "[*] Starting with DEB building process"
DEBCHANGELOGFULLVERSION=`head -1 ../debian/changelog | awk '{ print $2 }' | sed 's/(//' | sed 's/)//'` DEBCHANGELOGFULLVERSION=$(head -1 ../debian/changelog | awk '{ print $2 }' | sed 's/(//' | sed 's/)//')
DEBCHANGELOGVERSION=`echo ${DEBCHANGELOGFULLVERSION} | awk -F- '{ print $1 }'` DEBCHANGELOGVERSION=$(echo ${DEBCHANGELOGFULLVERSION} | awk -F- '{ print $1 }')
DEBCHANGELOGVERSIONREV=`echo ${DEBCHANGELOGFULLVERSION} | awk -F- '{ print $2 }'` DEBCHANGELOGVERSIONREV=$(echo ${DEBCHANGELOGFULLVERSION} | awk -F- '{ print $2 }')
if [ "${LYNIS_VERSION}" = "${DEBCHANGELOGVERSION}" ]; then if [ "${LYNIS_VERSION}" = "${DEBCHANGELOGVERSION}" ]; then
echo "[V] Debian/changelog up-to-date" echo "[V] Debian/changelog up-to-date"
else else
@ -251,12 +251,12 @@
ExitFatal ExitFatal
fi fi
# BZRSTATUS=`${BZRBINARY} status . 2>&1 > /dev/null; echo $?` # BZRSTATUS=$(${BZRBINARY} status . 2>&1 > /dev/null; echo $?)
# if [ "${BZRSTATUS}" = "0" ]; then # if [ "${BZRSTATUS}" = "0" ]; then
# echo "[V] bzr has proper directory tree" # echo "[V] bzr has proper directory tree"
# DEBCHANGELOGFULLVERSION=`head -1 debian/changelog | awk '{ print $2 }' | sed 's/(//' | sed 's/)//'` # DEBCHANGELOGFULLVERSION=$(head -1 debian/changelog | awk '{ print $2 }' | sed 's/(//' | sed 's/)//')
# DEBCHANGELOGVERSION=`echo ${DEBCHANGELOGFULLVERSION} | awk -F- '{ print $1 }'` # DEBCHANGELOGVERSION=$(echo ${DEBCHANGELOGFULLVERSION} | awk -F- '{ print $1 }')
# DEBCHANGELOGVERSIONREV=`echo ${DEBCHANGELOGFULLVERSION} | awk -F- '{ print $2 }'` # DEBCHANGELOGVERSIONREV=$(echo ${DEBCHANGELOGFULLVERSION} | awk -F- '{ print $2 }')
# echo "[=] Version in Debian changelog: ${DEBCHANGELOGVERSION} (revision: ${DEBCHANGELOGVERSIONREV})" # echo "[=] Version in Debian changelog: ${DEBCHANGELOGVERSION} (revision: ${DEBCHANGELOGVERSIONREV})"
# if [ "${LYNIS_VERSION}" = "${DEBCHANGELOGVERSION}" ]; then # if [ "${LYNIS_VERSION}" = "${DEBCHANGELOGVERSION}" ]; then
# echo "[V] Debian/changelog up-to-date" # echo "[V] Debian/changelog up-to-date"
@ -343,7 +343,7 @@ Exit
if [ ! -f ${OPTION_BINARY_FILE} ]; then echo "BAD (can't find ${OPTION_BINARY_FILE})"; exit 1; fi if [ ! -f ${OPTION_BINARY_FILE} ]; then echo "BAD (can't find ${OPTION_BINARY_FILE})"; exit 1; fi
# Check script # Check script
FIND=`sh -n ${OPTION_BINARY_FILE} ; echo $?` FIND=$(sh -n ${OPTION_BINARY_FILE} ; echo $?)
if [ $FIND -eq 0 ]; then if [ $FIND -eq 0 ]; then
echo "OK" echo "OK"
else else
@ -354,7 +354,7 @@ Exit
# Create SHA1 hashes # Create SHA1 hashes
echo -n "- Create SHA1 hashes " echo -n "- Create SHA1 hashes "
SHA1HASH_LYNIS=`grep -v '^#' ${OPTION_BINARY_FILE} | sha1` SHA1HASH_LYNIS=$(grep -v '^#' ${OPTION_BINARY_FILE} | sha1)
echo "DONE" echo "DONE"
echo " Lynis (SHA1): ${SHA1HASH_LYNIS}" echo " Lynis (SHA1): ${SHA1HASH_LYNIS}"
@ -372,16 +372,16 @@ Exit
#=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= #=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
echo -n "- Creating MD5 hashes..." echo -n "- Creating MD5 hashes..."
PACKAGE_LIST_FILES=`grep "^file:" files.dat | cut -d ':' -f3` PACKAGE_LIST_FILES=$(grep "^file:" files.dat | cut -d ':' -f3)
for I in ${PACKAGE_LIST_FILES}; do for I in ${PACKAGE_LIST_FILES}; do
echo -n "${I} " echo -n "${I} "
#FULLNAME=`grep ":file:include:" files.dat #FULLNAME=$(grep ":file:include:" files.dat)
#echo "${FULLNAME}" >> ${OPENBSD_CONTENTS} #echo "${FULLNAME}" >> ${OPENBSD_CONTENTS}
echo "${I}" >> ${OPENBSD_CONTENTS} echo "${I}" >> ${OPENBSD_CONTENTS}
FILE="../${I}" FILE="../${I}"
MD5HASH=`md5 -q ${FILE}` MD5HASH=$(md5 -q ${FILE})
echo "@md5 ${MD5HASH}" >> ${OPENBSD_CONTENTS} echo "@md5 ${MD5HASH}" >> ${OPENBSD_CONTENTS}
echo "@size 0000" >> ${OPENBSD_CONTENTS} echo "@size 0000" >> ${OPENBSD_CONTENTS}
done done
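Review bot: The spec-file version check in the -212 hunk, `if [ ${VERSION_IN_SPECFILE} = "" -o ! "${VERSION_IN_SPECFILE}" = "${LYNIS_VERSION}" ]`, leaves its first operand unquoted and this commit does not change that. When awk finds no `Version:` line the operand expands to nothing, the test becomes malformed (typically `[` reports an error and returns non-zero), and the "Version in specfile is outdated" branch is skipped for the very case the `= ""` comparison is meant to catch. Quoting the operand and splitting the compound test fixes it: `if [ -z "${VERSION_IN_SPECFILE}" ] || [ "${VERSION_IN_SPECFILE}" != "${LYNIS_VERSION}" ]; then`. The `${TARBALL}` arguments to `md5sum` and `sha1sum` in the -202 hunk should be quoted for the same reason; the enclosing blocks continue outside the hunks shown.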


@ -64,7 +64,7 @@
fi fi
# Add a space to make sure we discover a related directory if it was already scanned # Add a space to make sure we discover a related directory if it was already scanned
FIND=`echo ${BINARY_PATHS_FOUND} | grep ", ${SCANDIR}"` FIND=$(echo ${BINARY_PATHS_FOUND} | grep ", ${SCANDIR}")
if [ ! "${FIND}" = "" ]; then if [ ! "${FIND}" = "" ]; then
SKIPDIR=1; LogText "Result: Skipping this directory as it was already scanned" SKIPDIR=1; LogText "Result: Skipping this directory as it was already scanned"
fi fi
@ -72,7 +72,7 @@
if [ ${SKIPDIR} -eq 0 ]; then if [ ${SKIPDIR} -eq 0 ]; then
BINARY_PATHS_FOUND="${BINARY_PATHS_FOUND}, ${SCANDIR}" BINARY_PATHS_FOUND="${BINARY_PATHS_FOUND}, ${SCANDIR}"
LogText "Directory ${SCANDIR} exists. Starting directory scanning..." LogText "Directory ${SCANDIR} exists. Starting directory scanning..."
FIND=`ls ${SCANDIR}` FIND=$(ls ${SCANDIR})
for I in ${FIND}; do for I in ${FIND}; do
N=$((N + 1)) N=$((N + 1))
BINARY="${SCANDIR}/${I}" BINARY="${SCANDIR}/${I}"
@ -114,7 +114,7 @@
chkrootkit) CHKROOTKITFOUND=1; CHKROOTKITBINARY="${BINARY}"; MALWARE_SCANNER_INSTALLED=1; LogText " Found known binary: chkrootkit (malware scanner) - ${BINARY}" ;; chkrootkit) CHKROOTKITFOUND=1; CHKROOTKITBINARY="${BINARY}"; MALWARE_SCANNER_INSTALLED=1; LogText " Found known binary: chkrootkit (malware scanner) - ${BINARY}" ;;
comm) COMMBINARY="${BINARY}"; LogText " Found known binary: comm (file compare) - ${BINARY}" ;; comm) COMMBINARY="${BINARY}"; LogText " Found known binary: comm (file compare) - ${BINARY}" ;;
csum) CSUMFOUND=1; CSUMBINARY="${BINARY}"; LogText " Found known binary: csum (hashing tool on AIX) - ${BINARY}" ;; csum) CSUMFOUND=1; CSUMBINARY="${BINARY}"; LogText " Found known binary: csum (hashing tool on AIX) - ${BINARY}" ;;
curl) CURLFOUND=1; CURLBINARY="${BINARY}"; CURLVERSION=`${BINARY} --version | grep "^curl" | awk '{ if ($1=="curl") { print $2 }}'`; LogText " Found known binary: curl (browser) - ${BINARY}" ;; curl) CURLFOUND=1; CURLBINARY="${BINARY}"; CURLVERSION=$(${BINARY} --version | grep "^curl" | awk '{ if ($1=="curl") { print $2 }}'); LogText " Found known binary: curl (browser) - ${BINARY}" ;;
cut) CUTBINARY="${BINARY}" cut) CUTBINARY="${BINARY}"
LogText " Found known binary: cut (text stream editor) - ${BINARY}" LogText " Found known binary: cut (text stream editor) - ${BINARY}"
;; ;;
@ -127,14 +127,14 @@
domainname) DOMAINNAMEFOUND=1; DOMAINNAMEBINARY="${BINARY}"; LogText " Found known binary: domainname (NIS domain) - ${BINARY}" ;; domainname) DOMAINNAMEFOUND=1; DOMAINNAMEBINARY="${BINARY}"; LogText " Found known binary: domainname (NIS domain) - ${BINARY}" ;;
dpkg) DPKGBINARY="${BINARY}"; LogText " Found known binary: dpkg (package management) - ${BINARY}" ;; dpkg) DPKGBINARY="${BINARY}"; LogText " Found known binary: dpkg (package management) - ${BINARY}" ;;
egrep) EGREPFOUND=1; EGREPBINARY=${BINARY}; LogText " Found known binary: egrep (text search) - ${BINARY}" ;; egrep) EGREPFOUND=1; EGREPBINARY=${BINARY}; LogText " Found known binary: egrep (text search) - ${BINARY}" ;;
exim) EXIMFOUND=1; EXIMBINARY="${BINARY}"; EXIMVERSION=`${BINARY} -bV | grep 'Exim version' | awk '{ print $3 }' | xargs`; LogText "Found ${BINARY} (version ${EXIMVERSION})" ;; exim) EXIMFOUND=1; EXIMBINARY="${BINARY}"; EXIMVERSION=$(${BINARY} -bV | grep 'Exim version' | awk '{ print $3 }' | xargs); LogText "Found ${BINARY} (version ${EXIMVERSION})" ;;
fail2ban-server) FAIL2BANFOUND=1; FAIL2BANBINARY="${BINARY}"; LogText " Found known binary: fail2ban (IPS tool) - ${BINARY}" ;; fail2ban-server) FAIL2BANFOUND=1; FAIL2BANBINARY="${BINARY}"; LogText " Found known binary: fail2ban (IPS tool) - ${BINARY}" ;;
file) FILEBINARY="${BINARY}" file) FILEBINARY="${BINARY}"
LogText " Found known binary: file (file type detection) - ${BINARY}" LogText " Found known binary: file (file type detection) - ${BINARY}"
;; ;;
find) FINDFOUND=1; FINDBINARY="${BINARY}"; LogText " Found known binary: find (search tool) - ${BINARY}" ;; find) FINDFOUND=1; FINDBINARY="${BINARY}"; LogText " Found known binary: find (search tool) - ${BINARY}" ;;
g++) GPLUSPLUSFOUND=1; GPLUSPLUSBINARY="${BINARY}"; COMPILER_INSTALLED=1; LogText " Found known binary: g++ (compiler) - ${BINARY}" ;; g++) GPLUSPLUSFOUND=1; GPLUSPLUSBINARY="${BINARY}"; COMPILER_INSTALLED=1; LogText " Found known binary: g++ (compiler) - ${BINARY}" ;;
# additional file check due to existance /usr/libexec/gcc (directory) # additional file check due to existence /usr/libexec/gcc (directory)
gcc) if [ -f ${BINARY} ]; then GCCBINARY="${BINARY}"; COMPILER_INSTALLED=1; LogText " Found known binary: gcc (compiler) - ${BINARY}"; fi ;; gcc) if [ -f ${BINARY} ]; then GCCBINARY="${BINARY}"; COMPILER_INSTALLED=1; LogText " Found known binary: gcc (compiler) - ${BINARY}"; fi ;;
getent) GETENT_BINARY="${BINARY}" getent) GETENT_BINARY="${BINARY}"
LogText " Found known binary: getent (query tool for name service switch libraries) - ${BINARY}" LogText " Found known binary: getent (query tool for name service switch libraries) - ${BINARY}"
@ -173,7 +173,7 @@
lsattr) LSATTRFOUND=1; LSATTRBINARY="${BINARY}"; LogText " Found known binary: lsattr (file attributes) - ${BINARY}" ;; lsattr) LSATTRFOUND=1; LSATTRBINARY="${BINARY}"; LogText " Found known binary: lsattr (file attributes) - ${BINARY}" ;;
lsmod) LSMODFOUND=1; LSMODBINARY="${BINARY}"; LogText " Found known binary: lsmod (kernel modules) - ${BINARY}" ;; lsmod) LSMODFOUND=1; LSMODBINARY="${BINARY}"; LogText " Found known binary: lsmod (kernel modules) - ${BINARY}" ;;
lsof) LSOFFOUND=1; LSOFBINARY="${BINARY}"; LogText " Found known binary: lsof (open files) - ${BINARY}" ;; lsof) LSOFFOUND=1; LSOFBINARY="${BINARY}"; LogText " Found known binary: lsof (open files) - ${BINARY}" ;;
lynx) LYNXFOUND=1; LYNXBINARY="${BINARY}"; LYNXVERSION=`${BINARY} -version | grep "^Lynx Version" | cut -d ' ' -f3`; LogText "Found known binary: lynx (browser) - ${BINARY} (version ${LYNXVERSION})" ;; lynx) LYNXFOUND=1; LYNXBINARY="${BINARY}"; LYNXVERSION=$(${BINARY} -version | grep "^Lynx Version" | cut -d ' ' -f3); LogText "Found known binary: lynx (browser) - ${BINARY} (version ${LYNXVERSION})" ;;
maldet) LMDFOUND=1; LMDBINARY="${BINARY}"; MALWARE_SCANNER_INSTALLED=1; LogText " Found known binary: maldet (Linux Malware Detect, malware scanner) - ${BINARY}" ;; maldet) LMDFOUND=1; LMDBINARY="${BINARY}"; MALWARE_SCANNER_INSTALLED=1; LogText " Found known binary: maldet (Linux Malware Detect, malware scanner) - ${BINARY}" ;;
md5) MD5FOUND=1; MD5BINARY="${BINARY}"; LogText " Found known binary: md5 (hash tool) - ${BINARY}" ;; md5) MD5FOUND=1; MD5BINARY="${BINARY}"; LogText " Found known binary: md5 (hash tool) - ${BINARY}" ;;
md5sum) MD5FOUND=1; MD5BINARY="${BINARY}"; LogText " Found known binary: md5sum (hash tool) - ${BINARY}" ;; md5sum) MD5FOUND=1; MD5BINARY="${BINARY}"; LogText " Found known binary: md5sum (hash tool) - ${BINARY}" ;;
@ -182,17 +182,17 @@
LogText " Found known binary: mount (disk utility) - ${BINARY}" LogText " Found known binary: mount (disk utility) - ${BINARY}"
;; ;;
mtree) MTREEFOUND=1; MTREEBINARY="${BINARY}"; LogText " Found known binary: mtree (mapping directory tree) - ${BINARY}" ;; mtree) MTREEFOUND=1; MTREEBINARY="${BINARY}"; LogText " Found known binary: mtree (mapping directory tree) - ${BINARY}" ;;
mysql) MYSQLCLIENTFOUND=1; MYSQLCLIENTBINARY="${BINARY}"; MYSQLCLIENTVERSION=`${BINARY} -V | awk '{ if ($4=="Distrib") { print $5 }}' | sed 's/,//g'` ; LogText "Found ${BINARY} (version: ${MYSQLCLIENTVERSION})" ;; mysql) MYSQLCLIENTFOUND=1; MYSQLCLIENTBINARY="${BINARY}"; MYSQLCLIENTVERSION=$(${BINARY} -V | awk '{ if ($4=="Distrib") { print $5 }}' | sed 's/,//g') ; LogText "Found ${BINARY} (version: ${MYSQLCLIENTVERSION})" ;;
netstat) NETSTATFOUND=1; NETSTATBINARY="${BINARY}"; LogText " Found known binary: netstat (network statistics) - ${BINARY}" ;; netstat) NETSTATFOUND=1; NETSTATBINARY="${BINARY}"; LogText " Found known binary: netstat (network statistics) - ${BINARY}" ;;
nft) NFTFOUND=1; NFTBINARY="${BINARY}"; LogText " Found known binary: nft (nftables client) - ${BINARY}" ;; nft) NFTFOUND=1; NFTBINARY="${BINARY}"; LogText " Found known binary: nft (nftables client) - ${BINARY}" ;;
nmap) NMAPFOUND=1; NMAPBINARY="${BINARY}"; NMAPVERSION=`${BINARY} -V | grep "^Nmap version" | awk '{ print $3 }'`; LogText "Found ${BINARY} (version ${NMAPVERSION})" ;; nmap) NMAPFOUND=1; NMAPBINARY="${BINARY}"; NMAPVERSION=$(${BINARY} -V | grep "^Nmap version" | awk '{ print $3 }'); LogText "Found ${BINARY} (version ${NMAPVERSION})" ;;
ntpq) NTPQFOUND=1; NTPQBINARY="${BINARY}"; LogText " Found known binary ntpq (time daemon client) - ${BINARY}" ;; ntpq) NTPQFOUND=1; NTPQBINARY="${BINARY}"; LogText " Found known binary ntpq (time daemon client) - ${BINARY}" ;;
osiris) OSIRISFOUND=1; OSIRISBINARY="${BINARY}"; LogText " Found known binary: osiris - ${BINARY}" ;; osiris) OSIRISFOUND=1; OSIRISBINARY="${BINARY}"; LogText " Found known binary: osiris - ${BINARY}" ;;
openssl) OPENSSLFOUND=1; OPENSSLBINARY="${BINARY}"; OPENSSLVERSION=`${BINARY} version 2> /dev/null | head -n 1 | awk '{ print $2 }' | xargs`; LogText "Found ${BINARY} (version ${OPENSSLVERSION})" ;; openssl) OPENSSLFOUND=1; OPENSSLBINARY="${BINARY}"; OPENSSLVERSION=$(${BINARY} version 2> /dev/null | head -n 1 | awk '{ print $2 }' | xargs); LogText "Found ${BINARY} (version ${OPENSSLVERSION})" ;;
pacman) PACMANFOUND=1; PACMANBINARY="${BINARY}"; LogText " Found known binary: pacman (package manager) - ${BINARY}" ;; pacman) PACMANFOUND=1; PACMANBINARY="${BINARY}"; LogText " Found known binary: pacman (package manager) - ${BINARY}" ;;
perl) PERLFOUND=1; PERLBINARY="${BINARY}"; PERLVERSION=`${BINARY} -V:version | sed 's/^version=//' | sed 's/;//' | xargs`; LogText "Found ${BINARY} (version ${PERLVERSION})" ;; perl) PERLFOUND=1; PERLBINARY="${BINARY}"; PERLVERSION=$(${BINARY} -V:version | sed 's/^version=//' | sed 's/;//' | xargs); LogText "Found ${BINARY} (version ${PERLVERSION})" ;;
pgrep) PGREPBINARY=${BINARY}; LogText " Found known binary: pgrep (search in process list) - ${BINARY}" ;; pgrep) PGREPBINARY=${BINARY}; LogText " Found known binary: pgrep (search in process list) - ${BINARY}" ;;
php) PHPFOUND=1; PHPBINARY="${BINARY}"; PHPVERSION=`${BINARY} -v | awk '{ if ($1=="PHP") { print $2 }}' | head -1`; LogText "Found known binary: php (programming language intrepreter) - ${BINARY} (version ${PHPVERSION})" ;; php) PHPFOUND=1; PHPBINARY="${BINARY}"; PHPVERSION=$(${BINARY} -v | awk '{ if ($1=="PHP") { print $2 }}' | head -1); LogText "Found known binary: php (programming language interpreter) - ${BINARY} (version ${PHPVERSION})" ;;
pkg) pkg)
PKG_BINARY="${BINARY}" PKG_BINARY="${BINARY}"
LogText " Found known binary: pkg (software package administration) - ${BINARY}" LogText " Found known binary: pkg (software package administration) - ${BINARY}"
@ -205,9 +205,9 @@
ps) PSFOUND=1; PSBINARY="${BINARY}"; LogText " Found known binary: ps (process listing) - ${BINARY}" ;; ps) PSFOUND=1; PSBINARY="${BINARY}"; LogText " Found known binary: ps (process listing) - ${BINARY}" ;;
puppet) PUPPETFOUND=1; PUPPETBINARY="${BINARY}"; LogText " Found known binary: puppet (automation tooling) - ${BINARY}" ;; puppet) PUPPETFOUND=1; PUPPETBINARY="${BINARY}"; LogText " Found known binary: puppet (automation tooling) - ${BINARY}" ;;
puppetmasterd) PUPPETMASTERDFOUND=1; PUPPETMASTERDBINARY="${BINARY}"; LogText " Found known binary: puppetmasterd (puppet master daemon) - ${BINARY}" ;; puppetmasterd) PUPPETMASTERDFOUND=1; PUPPETMASTERDBINARY="${BINARY}"; LogText " Found known binary: puppetmasterd (puppet master daemon) - ${BINARY}" ;;
python) PYTHONFOUND=1; PYTHONBINARY="${BINARY}"; PYTHONVERSION=`${BINARY} --version 2>&1 | sed 's/^Python //'`; LogText "Found known binary: ${I} (programming language interpreter) - ${BINARY} (version ${PYTHONVERSION})" ;; python) PYTHONFOUND=1; PYTHONBINARY="${BINARY}"; PYTHONVERSION=$(${BINARY} --version 2>&1 | sed 's/^Python //'); LogText "Found known binary: ${I} (programming language interpreter) - ${BINARY} (version ${PYTHONVERSION})" ;;
python2) PYTHON2FOUND=1; PYTHON2BINARY="${BINARY}"; PYTHON2VERSION=`${BINARY} --version 2>&1 | sed 's/^Python //'`; LogText "Found known binary: ${I} (programming language interpreter) - ${BINARY} (version ${PYTHON2VERSION})" ;; python2) PYTHON2FOUND=1; PYTHON2BINARY="${BINARY}"; PYTHON2VERSION=$(${BINARY} --version 2>&1 | sed 's/^Python //'); LogText "Found known binary: ${I} (programming language interpreter) - ${BINARY} (version ${PYTHON2VERSION})" ;;
python3) PYTHON3FOUND=1; PYTHON3BINARY="${BINARY}"; PYTHON3VERSION=`${BINARY} --version 2>&1 | sed 's/^Python //'`; LogText "Found known binary: ${I} (programming language interpreter) - ${BINARY} (version ${PYTHON3VERSION})" ;; python3) PYTHON3FOUND=1; PYTHON3BINARY="${BINARY}"; PYTHON3VERSION=$(${BINARY} --version 2>&1 | sed 's/^Python //'); LogText "Found known binary: ${I} (programming language interpreter) - ${BINARY} (version ${PYTHON3VERSION})" ;;
readlink) READLINKFOUND=1; READLINKBINARY="${BINARY}"; LogText " Found known binary: readlink (follows symlinks) - ${BINARY}" ;; readlink) READLINKFOUND=1; READLINKBINARY="${BINARY}"; LogText " Found known binary: readlink (follows symlinks) - ${BINARY}" ;;
rkhunter) RKHUNTERFOUND=1; RKHUNTERBINARY="${BINARY}"; MALWARE_SCANNER_INSTALLED=1; LogText " Found known binary: rkhunter (malware scanner) - ${BINARY}" ;; rkhunter) RKHUNTERFOUND=1; RKHUNTERBINARY="${BINARY}"; MALWARE_SCANNER_INSTALLED=1; LogText " Found known binary: rkhunter (malware scanner) - ${BINARY}" ;;
rootsh) ROOTSHFOUND=1; ROOTSHBINARY="${BINARY}"; LogText " Found known binary: rootsh (wrapper for shells) - ${BINARY}" ;; rootsh) ROOTSHFOUND=1; ROOTSHBINARY="${BINARY}"; LogText " Found known binary: rootsh (wrapper for shells) - ${BINARY}" ;;
@ -223,21 +223,21 @@
;; ;;
sestatus) SESTATUSFOUND=1; SESTATUSBINARY="${BINARY}"; LogText " Found known binary: sestatus (SELinux client) - ${BINARY}" ;; sestatus) SESTATUSFOUND=1; SESTATUSBINARY="${BINARY}"; LogText " Found known binary: sestatus (SELinux client) - ${BINARY}" ;;
slocate) LOCATEFOUND=1; LOCATEBINARY="${BINARY}"; LogText " Found known binary: slocate (file database) - ${BINARY}" ;; slocate) LOCATEFOUND=1; LOCATEBINARY="${BINARY}"; LogText " Found known binary: slocate (file database) - ${BINARY}" ;;
smbd) SMBDFOUND=1; SMBDBINARY="${BINARY}"; if [ "${OS}" = "macOS" ]; then SMBDVERSION="unknown"; else SMBDVERSION=`${BINARY} -V | grep "^Version" | awk '{ print $2 }'`; fi; LogText "Found ${BINARY} (version ${SMBDVERSION})" ;; smbd) SMBDFOUND=1; SMBDBINARY="${BINARY}"; if [ "${OS}" = "macOS" ]; then SMBDVERSION="unknown"; else SMBDVERSION=$(${BINARY} -V | grep "^Version" | awk '{ print $2 }'); fi; LogText "Found ${BINARY} (version ${SMBDVERSION})" ;;
smtpctl) SMTPCTLBINARY="${BINARY}"; LogText " Found known binary: smtpctl (OpenSMTPD client) - ${BINARY}" ;; smtpctl) SMTPCTLBINARY="${BINARY}"; LogText " Found known binary: smtpctl (OpenSMTPD client) - ${BINARY}" ;;
showmount) SHOWMOUNTFOUND=1; SHOWMOUNTBINARY="${BINARY}"; LogText " Found known binary: showmount (NFS mounts) - ${BINARY}" ;; showmount) SHOWMOUNTFOUND=1; SHOWMOUNTBINARY="${BINARY}"; LogText " Found known binary: showmount (NFS mounts) - ${BINARY}" ;;
sockstat) SOCKSTATFOUND=1; SOCKSTATBINARY="${BINARY}"; LogText " Found known binary: sockstat (open network sockets) - ${BINARY}" ;; sockstat) SOCKSTATFOUND=1; SOCKSTATBINARY="${BINARY}"; LogText " Found known binary: sockstat (open network sockets) - ${BINARY}" ;;
sort) SORTBINARY="${BINARY}"; LogText " Found known binary: sort (sort data streams) - ${BINARY}" ;; sort) SORTBINARY="${BINARY}"; LogText " Found known binary: sort (sort data streams) - ${BINARY}" ;;
squid) SQUIDFOUND=1; SQUIDBINARY="${BINARY}"; LogText " Found known binary: squid (proxy) - ${BINARY}" ;; squid) SQUIDFOUND=1; SQUIDBINARY="${BINARY}"; LogText " Found known binary: squid (proxy) - ${BINARY}" ;;
ss) SSFOUND=1; SSBINARY="${BINARY}"; LogText " Found known binary: ss (show sockets) - ${BINARY}" ;; ss) SSFOUND=1; SSBINARY="${BINARY}"; LogText " Found known binary: ss (show sockets) - ${BINARY}" ;;
sshd) SSHDFOUND=1; SSHDBINARY="${BINARY}"; SSHDVERSION=`${BINARY} -t -d 2>&1 | head -n 1 | awk '{ print $4 }' | cut -d '_' -f2 | tr -d ',' | tr -d '\r'`; LogText "Found ${BINARY} (version ${SSHDVERSION})" ;; sshd) SSHDFOUND=1; SSHDBINARY="${BINARY}"; SSHDVERSION=$(${BINARY} -t -d 2>&1 | head -n 1 | awk '{ print $4 }' | cut -d '_' -f2 | tr -d ',' | tr -d '\r'); LogText "Found ${BINARY} (version ${SSHDVERSION})" ;;
stat) STATFOUND=1; STATBINARY="${BINARY}"; LogText " Found known binary: stat (file information) - ${BINARY}" ;; stat) STATFOUND=1; STATBINARY="${BINARY}"; LogText " Found known binary: stat (file information) - ${BINARY}" ;;
strings) STRINGSFOUND=1; STRINGSBINARY="${BINARY}"; LogText " Found known binary: strings (text strings search) - ${BINARY}" ;; strings) STRINGSFOUND=1; STRINGSBINARY="${BINARY}"; LogText " Found known binary: strings (text strings search) - ${BINARY}" ;;
sha1|sha1sum|shasum) SHA1SUMFOUND=1; SHA1SUMBINARY="${BINARY}"; LogText " Found known binary: sha1/sha1sum/shasum (crypto hashing) - ${BINARY}" ;; sha1|sha1sum|shasum) SHA1SUMFOUND=1; SHA1SUMBINARY="${BINARY}"; LogText " Found known binary: sha1/sha1sum/shasum (crypto hashing) - ${BINARY}" ;;
sha256|sha256sum) SHA256SUMFOUND=1; SHA256SUMBINARY="${BINARY}"; LogText " Found known binary: sha256/sha256sum (crypto hashing) - ${BINARY}" ;; sha256|sha256sum) SHA256SUMFOUND=1; SHA256SUMBINARY="${BINARY}"; LogText " Found known binary: sha256/sha256sum (crypto hashing) - ${BINARY}" ;;
ssh-keyscan) SSHKEYSCANFOUND=1; SSHKEYSCANBINARY="${BINARY}"; LogText " Found known binary: ssh-keyscan (scanner for SSH keys) - ${BINARY}" ;; ssh-keyscan) SSHKEYSCANFOUND=1; SSHKEYSCANBINARY="${BINARY}"; LogText " Found known binary: ssh-keyscan (scanner for SSH keys) - ${BINARY}" ;;
sysctl) SYSCTLFOUND=1; SYSCTLBINARY="${BINARY}"; LogText " Found known binary: sysctl (kernel parameters) - ${BINARY}" ;; sysctl) SYSCTLFOUND=1; SYSCTLBINARY="${BINARY}"; LogText " Found known binary: sysctl (kernel parameters) - ${BINARY}" ;;
syslog-ng) SYSLOGNGFOUND=1; SYSLOGNGBINARY="${BINARY}"; SYSLOGNGVERSION=`${BINARY} -V 2>&1 | grep "^syslog-ng" | awk '{ print $2 }'`; LogText "Found ${BINARY} (version ${SYSLOGNGVERSION})" ;; syslog-ng) SYSLOGNGFOUND=1; SYSLOGNGBINARY="${BINARY}"; SYSLOGNGVERSION=$(${BINARY} -V 2>&1 | grep "^syslog-ng" | awk '{ print $2 }'); LogText "Found ${BINARY} (version ${SYSLOGNGVERSION})" ;;
systemctl) SYSTEMCTLFOUND=1; SYSTEMCTLBINARY="${BINARY}"; SERVICE_MANAGER="systemd"; LogText " Found known binary: systemctl (client to systemd) - ${BINARY}" ;; systemctl) SYSTEMCTLFOUND=1; SYSTEMCTLBINARY="${BINARY}"; SERVICE_MANAGER="systemd"; LogText " Found known binary: systemctl (client to systemd) - ${BINARY}" ;;
timedatectl) TIMEDATECTLFOUND=1; TIMEDATECTL="${BINARY}"; LogText " Found known binary: timedatectl (timedate client) - ${BINARY}" ;; timedatectl) TIMEDATECTLFOUND=1; TIMEDATECTL="${BINARY}"; LogText " Found known binary: timedatectl (timedate client) - ${BINARY}" ;;
tr) TRFOUND=1; TRBINARY="${BINARY}"; LogText " Found known binary: tr (text transformation) - ${BINARY}" ;; tr) TRFOUND=1; TRBINARY="${BINARY}"; LogText " Found known binary: tr (text transformation) - ${BINARY}" ;;
@ -254,7 +254,7 @@
wc) WCBINARY="${BINARY}" wc) WCBINARY="${BINARY}"
LogText " Found known binary: wc (word count) - ${BINARY}" LogText " Found known binary: wc (word count) - ${BINARY}"
;; ;;
wget) WGETFOUND=1; WGETBINARY="${BINARY}"; WGETVERSION=`${BINARY} -V | grep "^GNU Wget" | awk '{ print $3 }'`; LogText "Found ${BINARY} (version ${WGETVERSION})" ;; wget) WGETFOUND=1; WGETBINARY="${BINARY}"; WGETVERSION=$(${BINARY} -V | grep "^GNU Wget" | awk '{ print $3 }'); LogText "Found ${BINARY} (version ${WGETVERSION})" ;;
yum) YUMFOUND=1; YUMBINARY="${BINARY}"; LogText " Found known binary: yum (package manager) - ${BINARY}" ;; yum) YUMFOUND=1; YUMBINARY="${BINARY}"; LogText " Found known binary: yum (package manager) - ${BINARY}" ;;
xargs) XARGSBINARY="${BINARY}" xargs) XARGSBINARY="${BINARY}"
LogText " Found known binary: xargs (command output redirection) - ${BINARY}" LogText " Found known binary: xargs (command output redirection) - ${BINARY}"
@ -271,7 +271,7 @@
LogText "Result: Directory ${SCANDIR} does NOT exist" LogText "Result: Directory ${SCANDIR} does NOT exist"
fi fi
done done
BINARY_PATHS_FOUND=`echo ${BINARY_PATHS_FOUND} | sed 's/^, //g' | sed 's/ //g'` BINARY_PATHS_FOUND=$(echo ${BINARY_PATHS_FOUND} | sed 's/^, //g' | sed 's/ //g')
LogText "Discovered directories: ${BINARY_PATHS_FOUND}" LogText "Discovered directories: ${BINARY_PATHS_FOUND}"
Report "binary_paths=${BINARY_PATHS_FOUND}" Report "binary_paths=${BINARY_PATHS_FOUND}"
BINARY_SCAN_FINISHED=1 BINARY_SCAN_FINISHED=1
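Review bot: The scan loop in the -72 hunk iterates over word-split `ls` output (`FIND=$(ls ${SCANDIR})` then `for I in ${FIND}`), and the version probes then run an unquoted `${BINARY}`, so directory entries with whitespace or glob characters in their names are split or expanded before they reach the `case`. Iterating with a glob and quoting the path avoids this: `for BINARY in "${SCANDIR}"/*; do I="${BINARY##*/}"` and, in each probe, `CURLVERSION=$("${BINARY}" --version | ...)`. Only the `gcc` arm tests `-f` before using the path; the arms that execute `${BINARY}` to read a version (curl, exim, lynx, mysql, nmap, openssl, perl, php, python*, smbd, sshd, syslog-ng, wget) select the file by name alone. Where `SCANDIR` values come from is not visible here, so a comment beside the loop stating which directories are expected would help. The loop body starts and ends outside the hunks shown.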


@ -190,11 +190,11 @@
else else
# If 'file' is an directory, use -d # If 'file' is an directory, use -d
if [ -d ${CHECKFILE} ]; then if [ -d ${CHECKFILE} ]; then
FILEVALUE=`ls -d -l ${CHECKFILE} | cut -c 2-10` FILEVALUE=$(ls -d -l ${CHECKFILE} | cut -c 2-10)
PROFILEVALUE=`grep '^permdir' ${PROFILE} | grep ":${CHECKFILE}:" | cut -d: -f3` PROFILEVALUE=$(grep '^permdir' ${PROFILE} | grep ":${CHECKFILE}:" | cut -d: -f3)
else else
FILEVALUE=`ls -l ${CHECKFILE} | cut -c 2-10` FILEVALUE=$(ls -l ${CHECKFILE} | cut -c 2-10)
PROFILEVALUE=`grep '^permfile' ${PROFILE} | grep ":${CHECKFILE}:" | cut -d: -f3` PROFILEVALUE=$(grep '^permfile' ${PROFILE} | grep ":${CHECKFILE}:" | cut -d: -f3)
fi fi
if [ "${FILEVALUE}" = "${PROFILEVALUE}" ]; then PERMS="OK"; else PERMS="BAD"; fi if [ "${FILEVALUE}" = "${PROFILEVALUE}" ]; then PERMS="OK"; else PERMS="BAD"; fi
fi fi
@ -218,7 +218,7 @@
if [ ! "${REPORTFILE}" = "/dev/null" ]; then if [ ! "${REPORTFILE}" = "/dev/null" ]; then
# Check if we can find the main type (with or without brackets) # Check if we can find the main type (with or without brackets)
LogText "Test: search string $2 in earlier discovered results" LogText "Test: search string $2 in earlier discovered results"
FIND=`egrep "^$1(\[\])?=" ${REPORTFILE} | egrep "$2"` FIND=$(egrep "^$1(\[\])?=" ${REPORTFILE} | egrep "$2")
if [ ! "${FIND}" = "" ]; then if [ ! "${FIND}" = "" ]; then
ITEM_FOUND=1 ITEM_FOUND=1
RETVAL=0 RETVAL=0
@ -298,7 +298,7 @@
ContainsString() { ContainsString() {
RETVAL=1 RETVAL=1
if [ $# -ne 2 ]; then ReportException "ContainsString" "Incorrect number of arguments for ContainsStrings function"; fi if [ $# -ne 2 ]; then ReportException "ContainsString" "Incorrect number of arguments for ContainsStrings function"; fi
FIND=`echo "$2" | egrep "$1"` FIND=$(echo "$2" | egrep "$1")
if [ ! "${FIND}" = "" ]; then RETVAL=0; fi if [ ! "${FIND}" = "" ]; then RETVAL=0; fi
return ${RETVAL} return ${RETVAL}
} }
@ -334,11 +334,11 @@
CreateTempFile() { CreateTempFile() {
TEMP_FILE="" TEMP_FILE=""
if [ "${OS}" = "AIX" ]; then if [ "${OS}" = "AIX" ]; then
RANDOMSTRING1=`echo lynis-$(od -N4 -tu /dev/random | awk 'NR==1 {print $2} {}')` RANDOMSTRING1=$(echo lynis-$(od -N4 -tu /dev/random | awk 'NR==1 {print $2} {}'))
TEMP_FILE="/tmp/${RANDOMSTRING1}" TEMP_FILE="/tmp/${RANDOMSTRING1}"
touch ${TEMP_FILE} touch ${TEMP_FILE}
else else
TEMP_FILE=`mktemp /tmp/lynis.XXXXXXXXXX` || exit 1 TEMP_FILE=$(mktemp /tmp/lynis.XXXXXXXXXX) || exit 1
fi fi
if [ ! "${TEMP_FILE}" = "" ]; then if [ ! "${TEMP_FILE}" = "" ]; then
LogText "Action: created temporary file ${TEMP_FILE}" LogText "Action: created temporary file ${TEMP_FILE}"
@ -398,7 +398,7 @@
VALUE=$1 VALUE=$1
LogText "Value is now: ${VALUE}" LogText "Value is now: ${VALUE}"
if [ ! "${AWKBINARY}" = "" ]; then if [ ! "${AWKBINARY}" = "" ]; then
VALUE=`echo ${VALUE} | grep -Eo '[0-9]{1,}'` VALUE=$(echo ${VALUE} | grep -Eo '[0-9]{1,}')
fi fi
LogText "Returning value: ${VALUE}" LogText "Returning value: ${VALUE}"
} }
@ -454,7 +454,7 @@
echo "Search paths used --> ${tPROFILE_TARGETS}" echo "Search paths used --> ${tPROFILE_TARGETS}"
ExitCustom 66 ExitCustom 66
else else
PROFILES=`echo ${PROFILES} | sed 's/^ //'` PROFILES=$(echo ${PROFILES} | sed 's/^ //')
fi fi
} }
@ -525,7 +525,7 @@
# Display: # Display:
# - counting with -m instead of -c, to support language locale # - counting with -m instead of -c, to support language locale
# - wc needs LANG to deal with multi-bytes characters but LANG has been unset in include/consts... # - wc needs LANG to deal with multi-bytes characters but LANG has been unset in include/consts...
LINESIZE=`export LC_ALL= ; export LANG="${DISPLAY_LANG}";echo "${TEXT}" | wc -m | tr -d ' '` LINESIZE=$(export LC_ALL= ; export LANG="${DISPLAY_LANG}";echo "${TEXT}" | wc -m | tr -d ' ')
if [ ${SHOWDEBUG} -eq 1 ]; then DEBUGTEXT=" [${PURPLE}DEBUG${NORMAL}]"; else DEBUGTEXT=""; fi if [ ${SHOWDEBUG} -eq 1 ]; then DEBUGTEXT=" [${PURPLE}DEBUG${NORMAL}]"; else DEBUGTEXT=""; fi
if [ ${INDENT} -gt 0 ]; then SPACES=$((62 - INDENT - LINESIZE)); fi if [ ${INDENT} -gt 0 ]; then SPACES=$((62 - INDENT - LINESIZE)); fi
if [ ${SPACES} -lt 0 ]; then SPACES=0; fi if [ ${SPACES} -lt 0 ]; then SPACES=0; fi
@ -793,18 +793,18 @@
"AIX") "AIX")
# Common interfaces: en0 en1 en2, ent0 ent1 ent2 # Common interfaces: en0 en1 en2, ent0 ent1 ent2
FIND=`entstat en0 2>/dev/null | grep "Hardware Address" | awk -F ": " '{ print $2 }'` FIND=$(entstat en0 2>/dev/null | grep "Hardware Address" | awk -F ": " '{ print $2 }')
if [ "${FIND}" = "" ]; then if [ "${FIND}" = "" ]; then
FIND=`entstat ent0 2>/dev/null | grep "Hardware Address" | awk -F ": " '{ print $2 }'` FIND=$(entstat ent0 2>/dev/null | grep "Hardware Address" | awk -F ": " '{ print $2 }')
fi fi
if [ ! "${FIND}" = "" ]; then if [ ! "${FIND}" = "" ]; then
# We have a MAC address, now hashing it # We have a MAC address, now hashing it
if [ ! "${SHA1SUMBINARY}" = "" ]; then if [ ! "${SHA1SUMBINARY}" = "" ]; then
HOSTID=`echo ${FIND} | ${SHA1SUMBINARY} | awk '{ print $1 }'` HOSTID=$(echo ${FIND} | ${SHA1SUMBINARY} | awk '{ print $1 }')
elif [ ! "${CSUMBINARY}" = "" ]; then elif [ ! "${CSUMBINARY}" = "" ]; then
HOSTID=`echo ${FIND} | ${CSUMBINARY} -h SHA1 - | awk '{ print $1 }'` HOSTID=$(echo ${FIND} | ${CSUMBINARY} -h SHA1 - | awk '{ print $1 }')
elif [ ! "${OPENSSLBINARY}" = "" ]; then elif [ ! "${OPENSSLBINARY}" = "" ]; then
HOSTID=`echo ${FIND} | ${OPENSSLBINARY} sha -sha1 | awk '{ print $2 }'` HOSTID=$(echo ${FIND} | ${OPENSSLBINARY} sha -sha1 | awk '{ print $2 }')
else else
ReportException "GetHostID" "No sha1, sha1sum, csum or openssl binary available on AIX" ReportException "GetHostID" "No sha1, sha1sum, csum or openssl binary available on AIX"
fi fi
@ -814,9 +814,9 @@
;; ;;
"DragonFly" | "FreeBSD") "DragonFly" | "FreeBSD")
FIND=`${IFCONFIGBINARY} | grep ether | head -1 | awk '{ print $2 }' | tr '[:upper:]' '[:lower:]'` FIND=$(${IFCONFIGBINARY} | grep ether | head -1 | awk '{ print $2 }' | tr '[:upper:]' '[:lower:]')
if [ ! "${FIND}" = "" ]; then if [ ! "${FIND}" = "" ]; then
HOSTID=`echo ${FIND} | sha1` HOSTID=$(echo ${FIND} | sha1)
else else
ReportException "GetHostID" "No MAC address returned on DragonFly or FreeBSD" ReportException "GetHostID" "No MAC address returned on DragonFly or FreeBSD"
fi fi
@ -829,20 +829,20 @@
# Only use ifconfig if no ip binary has been found # Only use ifconfig if no ip binary has been found
if [ ! "${IFCONFIGBINARY}" = "" ]; then if [ ! "${IFCONFIGBINARY}" = "" ]; then
# Determine if we have ETH0 at all (not all Linux distro have this, e.g. Arch) # Determine if we have ETH0 at all (not all Linux distro have this, e.g. Arch)
HASETH0=`${IFCONFIGBINARY} | grep "^eth0"` HASETH0=$(${IFCONFIGBINARY} | grep "^eth0")
# Check if we can find it with HWaddr on the line # Check if we can find it with HWaddr on the line
FIND=`${IFCONFIGBINARY} 2> /dev/null | grep "^eth0" | grep -v "eth0:" | grep HWaddr | awk '{ print $5 }' | tr '[:upper:]' '[:lower:]'` FIND=$(${IFCONFIGBINARY} 2> /dev/null | grep "^eth0" | grep -v "eth0:" | grep HWaddr | awk '{ print $5 }' | tr '[:upper:]' '[:lower:]')
# If nothing found, then try first for alternative interface. Else other versions of ifconfig (e.g. Slackware/Arch) # If nothing found, then try first for alternative interface. Else other versions of ifconfig (e.g. Slackware/Arch)
if [ "${FIND}" = "" ]; then if [ "${FIND}" = "" ]; then
FIND=`${IFCONFIGBINARY} 2> /dev/null | grep HWaddr` FIND=$(${IFCONFIGBINARY} 2> /dev/null | grep HWaddr)
if [ "${FIND}" = "" ]; then if [ "${FIND}" = "" ]; then
# If possible directly address eth0 to avoid risking gathering the incorrect MAC address. # If possible directly address eth0 to avoid risking gathering the incorrect MAC address.
# If not, then falling back to getting first interface. Better than nothing. # If not, then falling back to getting first interface. Better than nothing.
if [ ! "${HASETH0}" = "" ]; then if [ ! "${HASETH0}" = "" ]; then
FIND=`${IFCONFIGBINARY} eth0 2> /dev/null | grep "ether " | awk '{ print $2 }' | tr '[:upper:]' '[:lower:]'` FIND=$(${IFCONFIGBINARY} eth0 2> /dev/null | grep "ether " | awk '{ print $2 }' | tr '[:upper:]' '[:lower:]')
else else
FIND=`${IFCONFIGBINARY} 2> /dev/null | grep "ether " | awk '{ print $2 }' | head -1 | tr '[:upper:]' '[:lower:]'` FIND=$(${IFCONFIGBINARY} 2> /dev/null | grep "ether " | awk '{ print $2 }' | head -1 | tr '[:upper:]' '[:lower:]')
if [ "${FIND}" = "" ]; then if [ "${FIND}" = "" ]; then
ReportException "GetHostID" "No eth0 found (and no ether was found with ifconfig)" ReportException "GetHostID" "No eth0 found (and no ether was found with ifconfig)"
else else
@ -850,7 +850,7 @@
fi fi
fi fi
else else
FIND=`${IFCONFIGBINARY} 2> /dev/null | grep HWaddr | head -1 | awk '{ print $5 }' | tr '[:upper:]' '[:lower:]'` FIND=$(${IFCONFIGBINARY} 2> /dev/null | grep HWaddr | head -1 | awk '{ print $5 }' | tr '[:upper:]' '[:lower:]')
LogText "GetHostID: No eth0 found (but HWaddr was found), using first network interface to determine hostid, with ifconfig" LogText "GetHostID: No eth0 found (but HWaddr was found), using first network interface to determine hostid, with ifconfig"
fi fi
fi fi
@ -858,10 +858,10 @@
# See if we can use ip binary instead # See if we can use ip binary instead
if [ ! "${IPBINARY}" = "" ]; then if [ ! "${IPBINARY}" = "" ]; then
# Determine if we have the common available eth0 interface # Determine if we have the common available eth0 interface
FIND=`${IPBINARY} addr show eth0 2> /dev/null | egrep "link/ether " | head -1 | awk '{ print $2 }' | tr '[:upper:]' '[:lower:]'` FIND=$(${IPBINARY} addr show eth0 2> /dev/null | egrep "link/ether " | head -1 | awk '{ print $2 }' | tr '[:upper:]' '[:lower:]')
if [ "${FIND}" = "" ]; then if [ "${FIND}" = "" ]; then
# Determine the MAC address of first interface with the ip command # Determine the MAC address of first interface with the ip command
FIND=`${IPBINARY} addr show 2> /dev/null | egrep "link/ether " | head -1 | awk '{ print $2 }' | tr '[:upper:]' '[:lower:]'` FIND=$(${IPBINARY} addr show 2> /dev/null | egrep "link/ether " | head -1 | awk '{ print $2 }' | tr '[:upper:]' '[:lower:]')
if [ "${FIND}" = "" ]; then if [ "${FIND}" = "" ]; then
ReportException "GetHostID" "Can't create hostid (no MAC addresses found)" ReportException "GetHostID" "Can't create hostid (no MAC addresses found)"
fi fi
@ -874,7 +874,7 @@
# Check if we found a HostID # Check if we found a HostID
if [ ! "${FIND}" = "" ]; then if [ ! "${FIND}" = "" ]; then
LogText "Info: using hardware address ${FIND} to create ID" LogText "Info: using hardware address ${FIND} to create ID"
HOSTID=`echo ${FIND} | ${SHA1SUMBINARY} | awk '{ print $1 }'` HOSTID=$(echo ${FIND} | ${SHA1SUMBINARY} | awk '{ print $1 }')
LogText "Result: Found HostID: ${HOSTID}" LogText "Result: Found HostID: ${HOSTID}"
else else
ReportException "GetHostID" "Can't create HOSTID, command ip not found" ReportException "GetHostID" "Can't create HOSTID, command ip not found"
@ -904,18 +904,18 @@
;; ;;
"NetBSD") "NetBSD")
FIND=`${IFCONFIGBINARY} -a | grep "address:" | head -1 | awk '{ print $2 }' | tr '[:upper:]' '[:lower:]'` FIND=$(${IFCONFIGBINARY} -a | grep "address:" | head -1 | awk '{ print $2 }' | tr '[:upper:]' '[:lower:]')
if [ ! "${FIND}" = "" ]; then if [ ! "${FIND}" = "" ]; then
HOSTID=`echo ${FIND} | sha1` HOSTID=$(echo ${FIND} | sha1)
else else
ReportException "GetHostID" "No MAC address returned on NetBSD" ReportException "GetHostID" "No MAC address returned on NetBSD"
fi fi
;; ;;
"OpenBSD") "OpenBSD")
FIND=`${IFCONFIGBINARY} | grep "lladdr " | head -1 | awk '{ print $2 }' | tr '[:upper:]' '[:lower:]'` FIND=$(${IFCONFIGBINARY} | grep "lladdr " | head -1 | awk '{ print $2 }' | tr '[:upper:]' '[:lower:]')
if [ ! "${FIND}" = "" ]; then if [ ! "${FIND}" = "" ]; then
HOSTID=`echo ${FIND} | sha1` HOSTID=$(echo ${FIND} | sha1)
else else
ReportException "GetHostID" "No MAC address returned on OpenBSD" ReportException "GetHostID" "No MAC address returned on OpenBSD"
fi fi
@ -925,17 +925,17 @@
INTERFACES_TO_TEST="e1000g1 net0" INTERFACES_TO_TEST="e1000g1 net0"
FOUND=0 FOUND=0
for I in ${INTERFACES_TO_TEST}; do for I in ${INTERFACES_TO_TEST}; do
FIND=`${IFCONFIGBINARY} -a | grep "^${I}"` FIND=$(${IFCONFIGBINARY} -a | grep "^${I}")
if [ ! "${FIND}" = "" ]; then if [ ! "${FIND}" = "" ]; then
FOUND=1; LogText "Found interface ${I} on Solaris" FOUND=1; LogText "Found interface ${I} on Solaris"
fi fi
done done
if [ ${FOUND} -eq 1 ]; then if [ ${FOUND} -eq 1 ]; then
FIND=`${IFCONFIGBINARY} ${I} | grep ether | awk '{ if ($1=="ether") { print $2 }}'` FIND=$(${IFCONFIGBINARY} ${I} | grep ether | awk '{ if ($1=="ether") { print $2 }}')
if [ ! "${SHA1SUMBINARY}" = "" ]; then if [ ! "${SHA1SUMBINARY}" = "" ]; then
HOSTID=`echo ${FIND} | ${SHA1SUMBINARY} | awk '{ print $1 }'` HOSTID=$(echo ${FIND} | ${SHA1SUMBINARY} | awk '{ print $1 }')
elif [ ! "${OPENSSLBINARY}" = "" ]; then elif [ ! "${OPENSSLBINARY}" = "" ]; then
HOSTID=`echo ${FIND} | ${OPENSSLBINARY} sha -sha1 | awk '{ print $2 }'` HOSTID=$(echo ${FIND} | ${OPENSSLBINARY} sha -sha1 | awk '{ print $2 }')
else else
ReportException "GetHostID" "Can not find sha1/sha1sum or openssl" ReportException "GetHostID" "Can not find sha1/sha1sum or openssl"
fi fi
@ -966,7 +966,7 @@
# Optional: DBUS creates ID as well with dbus-uuidgen and is stored in /var/lib/dbus-machine-id (might be symlinked to /etc/machine-id) # Optional: DBUS creates ID as well with dbus-uuidgen and is stored in /var/lib/dbus-machine-id (might be symlinked to /etc/machine-id)
sMACHINEIDFILE="/etc/machine-id" sMACHINEIDFILE="/etc/machine-id"
if [ -f ${sMACHINEIDFILE} ]; then if [ -f ${sMACHINEIDFILE} ]; then
FIND=`head -1 ${sMACHINEIDFILE} | grep "^[a-f0-9]"` FIND=$(head -1 ${sMACHINEIDFILE} | grep "^[a-f0-9]")
if [ "${FIND}" = "" ]; then if [ "${FIND}" = "" ]; then
MACHINEID="${FIND}" MACHINEID="${FIND}"
fi fi
@ -982,7 +982,7 @@
if [ -f /etc/ssh/${I} ]; then if [ -f /etc/ssh/${I} ]; then
LogText "Result: found ${I} in /etc/ssh" LogText "Result: found ${I} in /etc/ssh"
if [ ! "${SHA1SUMBINARY}" = "" ]; then if [ ! "${SHA1SUMBINARY}" = "" ]; then
HOSTID=`cat /etc/ssh/${I} | ${SHA1SUMBINARY} | awk '{ print $1 }'` HOSTID=$(cat /etc/ssh/${I} | ${SHA1SUMBINARY} | awk '{ print $1 }')
LogText "result: Created HostID with SSH key ($I): ${HOSTID}" LogText "result: Created HostID with SSH key ($I): ${HOSTID}"
else else
ReportException "GetHostID" "Can't create HOSTID with SSH key, as sha1sum binary is missing" ReportException "GetHostID" "Can't create HOSTID with SSH key, as sha1sum binary is missing"
@ -1159,7 +1159,7 @@
RUNNING=0 RUNNING=0
PSOPTIONS="" PSOPTIONS=""
if [ ${SHELL_IS_BUSYBOX} -eq 0 ]; then PSOPTIONS=" ax"; fi if [ ${SHELL_IS_BUSYBOX} -eq 0 ]; then PSOPTIONS=" ax"; fi
FIND=`${PSBINARY} ${PSOPTIONS} | egrep "( |/)$1" | grep -v "grep"` FIND=$(${PSBINARY} ${PSOPTIONS} | egrep "( |/)$1" | grep -v "grep")
if [ ! "${FIND}" = "" ]; then if [ ! "${FIND}" = "" ]; then
RUNNING=1 RUNNING=1
LogText "IsRunning: process '$1' found (${FIND})" LogText "IsRunning: process '$1' found (${FIND})"
@ -1201,18 +1201,18 @@
FILE="$1" FILE="$1"
case $OS in case $OS in
"AIX") "AIX")
if [ ! "${ISTATBINARY}" = "" ]; then PERMS=`${ISTATBINARY} ${FILE} | sed "s/Owner: //" | sed "s/[a-zA-Z() ]//g"`; fi if [ ! "${ISTATBINARY}" = "" ]; then PERMS=$(${ISTATBINARY} ${FILE} | sed "s/Owner: //" | sed "s/[a-zA-Z() ]//g"); fi
;; ;;
"Linux") "Linux")
if [ ! "${STATBINARY}" = "" ]; then PERMS=`${STATBINARY} -c "%u:%g" ${FILE}`; fi if [ ! "${STATBINARY}" = "" ]; then PERMS=$(${STATBINARY} -c "%u:%g" ${FILE}); fi
;; ;;
"FreeBSD") "FreeBSD")
if [ ! "${STATBINARY}" = "" ]; then PERMS=`${STATBINARY} -f "%u:%g" ${FILE}`; fi if [ ! "${STATBINARY}" = "" ]; then PERMS=$(${STATBINARY} -f "%u:%g" ${FILE}); fi
;; ;;
esac esac
# Fallback with ls (for other platforms, or when a test did not reveal any output) # Fallback with ls (for other platforms, or when a test did not reveal any output)
if [ "${PERMS}" = "" ]; then if [ "${PERMS}" = "" ]; then
PERMS=`ls -n ${FILE} | ${AWKBINARY} '{ print $3":"$4 }'` PERMS=$(ls -n ${FILE} | ${AWKBINARY} '{ print $3":"$4 }')
fi fi
else else
ReportException "IsOwnedByRoot" "Functions needs 1 argument" ReportException "IsOwnedByRoot" "Functions needs 1 argument"
@ -1255,9 +1255,9 @@
# facter # facter
if [ "${SHORT}" = "" ]; then if [ "${SHORT}" = "" ]; then
if [ -x /usr/bin/facter ] || [ -x /usr/local/bin/facter ]; then if [ -x /usr/bin/facter ] || [ -x /usr/local/bin/facter ]; then
case "`facter is_virtual`" in case "$(facter is_virtual)" in
"true") "true")
SHORT=`facter virtual` SHORT=$(facter virtual)
LogText "Result: found ${SHORT}" LogText "Result: found ${SHORT}"
;; ;;
"false") "false")
@ -1275,7 +1275,7 @@
if [ "${SHORT}" = "" ]; then if [ "${SHORT}" = "" ]; then
if [ -x /usr/bin/systemd-detect-virt ]; then if [ -x /usr/bin/systemd-detect-virt ]; then
LogText "Test: trying to guess virtualization technology with systemd-detect-virt" LogText "Test: trying to guess virtualization technology with systemd-detect-virt"
FIND=`/usr/bin/systemd-detect-virt` FIND=$(/usr/bin/systemd-detect-virt)
if [ ! "${FIND}" = "" ]; then if [ ! "${FIND}" = "" ]; then
LogText "Result: found ${FIND}" LogText "Result: found ${FIND}"
SHORT="${FIND}" SHORT="${FIND}"
@ -1292,7 +1292,7 @@
if [ "${SHORT}" = "" ]; then if [ "${SHORT}" = "" ]; then
if [ -x /usr/bin/lscpu ]; then if [ -x /usr/bin/lscpu ]; then
LogText "Test: trying to guess virtualization with lscpu" LogText "Test: trying to guess virtualization with lscpu"
FIND=`lscpu | grep "^Hypervisor Vendor" | awk -F: '{ print $2 }' | sed 's/ //g'` FIND=$(lscpu | grep "^Hypervisor Vendor" | awk -F: '{ print $2 }' | sed 's/ //g')
if [ ! "${FIND}" = "" ]; then if [ ! "${FIND}" = "" ]; then
LogText "Result: found ${FIND}" LogText "Result: found ${FIND}"
SHORT="${FIND}" SHORT="${FIND}"
@ -1315,7 +1315,7 @@
fi fi
if [ ! "${DMIDECODE_BINARY}" = "" -a ${PRIVILEGED} -eq 1 ]; then if [ ! "${DMIDECODE_BINARY}" = "" -a ${PRIVILEGED} -eq 1 ]; then
LogText "Test: trying to guess virtualization with dmidecode" LogText "Test: trying to guess virtualization with dmidecode"
FIND=`/usr/sbin/dmidecode -s system-product-name | awk '{ print $1 }'` FIND=$(/usr/sbin/dmidecode -s system-product-name | awk '{ print $1 }')
if [ ! "${FIND}" = "" ]; then if [ ! "${FIND}" = "" ]; then
LogText "Result: found ${FIND}" LogText "Result: found ${FIND}"
SHORT="${FIND}" SHORT="${FIND}"
@ -1370,7 +1370,7 @@
# FreeBSD: hw.hv_vendor (remains empty for VirtualBox) # FreeBSD: hw.hv_vendor (remains empty for VirtualBox)
# NetBSD: machdep.dmi.system-product # NetBSD: machdep.dmi.system-product
# OpenBSD: hw.product # OpenBSD: hw.product
FIND=`sysctl -a 2> /dev/null | egrep "(hw.product|machdep.dmi.system-product)" | head -1 | sed 's/ = /=/' | awk -F= '{ print $2 }'` FIND=$(sysctl -a 2> /dev/null | egrep "(hw.product|machdep.dmi.system-product)" | head -1 | sed 's/ = /=/' | awk -F= '{ print $2 }')
if [ ! "${FIND}" = "" ]; then if [ ! "${FIND}" = "" ]; then
SHORT="${FIND}" SHORT="${FIND}"
fi fi
@ -1383,7 +1383,7 @@
if [ ${PRIVILEGED} -eq 1 ]; then if [ ${PRIVILEGED} -eq 1 ]; then
if [ -x /usr/bin/lshw ]; then if [ -x /usr/bin/lshw ]; then
LogText "Test: trying to guess virtualization with lshw" LogText "Test: trying to guess virtualization with lshw"
FIND=`lshw -quiet -class system 2> /dev/null | awk '{ if ($1=="product:") { print $2 }}'` FIND=$(lshw -quiet -class system 2> /dev/null | awk '{ if ($1=="product:") { print $2 }}')
if [ ! "${FIND}" = "" ]; then if [ ! "${FIND}" = "" ]; then
LogText "Result: found ${FIND}" LogText "Result: found ${FIND}"
SHORT="${FIND}" SHORT="${FIND}"
@ -1398,10 +1398,10 @@
LogText "Result: skipped lshw test, as we already found machine type" LogText "Result: skipped lshw test, as we already found machine type"
fi fi
# Check if we catched some string along all tests # Check if we caught some string along all tests
if [ ! "${SHORT}" = "" ]; then if [ ! "${SHORT}" = "" ]; then
# Lowercase and see if we found a match # Lowercase and see if we found a match
SHORT=`echo ${SHORT} | awk '{ print $1 }' | tr [[:upper:]] [[:lower:]]` SHORT=$(echo ${SHORT} | awk '{ print $1 }' | tr [[:upper:]] [[:lower:]])
case ${SHORT} in case ${SHORT} in
amazon-ec2) ISVIRTUALMACHINE=1; VMTYPE="amazon-ec2"; VMFULLTYPE="Amazon AWS EC2 Instance" ;; amazon-ec2) ISVIRTUALMACHINE=1; VMTYPE="amazon-ec2"; VMFULLTYPE="Amazon AWS EC2 Instance" ;;
@ -1455,7 +1455,7 @@
if [ ! "${SYMLINK}" = "" ]; then sFILE="${SYMLINK}"; fi if [ ! "${SYMLINK}" = "" ]; then sFILE="${SYMLINK}"; fi
fi fi
if [ -f ${sFILE} -o -d ${sFILE} ]; then if [ -f ${sFILE} -o -d ${sFILE} ]; then
FINDVAL=`ls -ld ${sFILE} | cut -c 8` FINDVAL=$(ls -ld ${sFILE} | cut -c 8)
if [ "${FINDVAL}" = "r" ]; then return 0; else return 1; fi if [ "${FINDVAL}" = "r" ]; then return 0; else return 1; fi
else else
return 255 return 255
@ -1481,7 +1481,7 @@
if [ ! "${SYMLINK}" = "" ]; then sFILE="${SYMLINK}"; fi if [ ! "${SYMLINK}" = "" ]; then sFILE="${SYMLINK}"; fi
fi fi
if [ -f ${sFILE} -o -d ${sFILE} ]; then if [ -f ${sFILE} -o -d ${sFILE} ]; then
FINDVAL=`ls -l ${sFILE} | cut -c 10` FINDVAL=$(ls -l ${sFILE} | cut -c 10)
if [ "${FINDVAL}" = "x" ]; then return 0; else return 1; fi if [ "${FINDVAL}" = "x" ]; then return 0; else return 1; fi
else else
return 255 return 255
@ -1504,7 +1504,7 @@
# Only check if target is a file or directory # Only check if target is a file or directory
if [ -f ${sFILE} -o -d ${sFILE} ]; then if [ -f ${sFILE} -o -d ${sFILE} ]; then
FINDVAL=`ls -ld ${sFILE} | cut -c 9` FINDVAL=$(ls -ld ${sFILE} | cut -c 9)
if IsDeveloperMode; then Debug "File mode of ${sFILE} is ${FINDVAL}"; fi if IsDeveloperMode; then Debug "File mode of ${sFILE} is ${FINDVAL}"; fi
if [ "${FINDVAL}" = "w" ]; then return 0; else return 1; fi if [ "${FINDVAL}" = "w" ]; then return 0; else return 1; fi
else else
@ -1637,9 +1637,9 @@
FIND=$(cat ${TMP_NGINX_FILE} | sed 's/ /:space:/g') FIND=$(cat ${TMP_NGINX_FILE} | sed 's/ /:space:/g')
DEPTH=0 DEPTH=0
for I in ${FIND}; do for I in ${FIND}; do
I=`echo ${I} | sed 's/:space:/ /g' | sed 's/;$//' | sed 's/ #.*$//'` I=$(echo ${I} | sed 's/:space:/ /g' | sed 's/;$//' | sed 's/ #.*$//')
OPTION=`echo ${I} | awk '{ print $1 }'` OPTION=$(echo ${I} | awk '{ print $1 }')
VALUE=`echo ${I}| cut -d' ' -f2-` VALUE=$(echo ${I}| cut -d' ' -f2-)
LogText "Result: found option ${OPTION} in ${CONFIG_FILE} with value '${VALUE}'" LogText "Result: found option ${OPTION} in ${CONFIG_FILE} with value '${VALUE}'"
STORE_SETTING=1 STORE_SETTING=1
case ${OPTION} in case ${OPTION} in
@ -1679,7 +1679,7 @@
else else
if [ ! "${VALUE}" = "" ]; then if [ ! "${VALUE}" = "" ]; then
# If multiple values follow, select first one # If multiple values follow, select first one
VALUE=`echo ${VALUE} | awk '{ print $1 }'` VALUE=$(echo ${VALUE} | awk '{ print $1 }')
if [ ! -f ${VALUE} ]; then if [ ! -f ${VALUE} ]; then
LogText "Result: could not find referenced log file ${VALUE} in nginx configuration" LogText "Result: could not find referenced log file ${VALUE} in nginx configuration"
NGINX_ACCESS_LOG_MISSING=1 NGINX_ACCESS_LOG_MISSING=1
@ -1689,8 +1689,8 @@
;; ;;
# Headers # Headers
add_header) add_header)
HEADER=`echo ${VALUE} | awk '{ print $1 }'` HEADER=$(echo ${VALUE} | awk '{ print $1 }')
HEADER_VALUE=`echo ${VALUE} | cut -d' ' -f2-` HEADER_VALUE=$(echo ${VALUE} | cut -d' ' -f2-)
LogText "Result: found header ${HEADER} with value ${HEADER_VALUE}" LogText "Result: found header ${HEADER} with value ${HEADER_VALUE}"
#Report "nginx_header[]=${HEADER}|${HEADER_VALUE}|" #Report "nginx_header[]=${HEADER}|${HEADER_VALUE}|"
;; ;;
@ -1710,12 +1710,12 @@
;; ;;
error_log) error_log)
# Check if debug is appended # Check if debug is appended
FIND=`echo ${VALUE} | awk '{ if ($2=="debug") { print 1 } else { print 0 }}'` FIND=$(echo ${VALUE} | awk '{ if ($2=="debug") { print 1 } else { print 0 }}')
if [ ${FIND} -eq 1 ]; then if [ ${FIND} -eq 1 ]; then
NGINX_ERROR_LOG_DEBUG=1 NGINX_ERROR_LOG_DEBUG=1
fi fi
# Check if log file exists # Check if log file exists
FILE=`echo ${VALUE} | awk '{ print $1 }'` FILE=$(echo ${VALUE} | awk '{ print $1 }')
if [ ! "${FILE}" = "" ]; then if [ ! "${FILE}" = "" ]; then
if [ ! -f ${FILE} ]; then if [ ! -f ${FILE} ]; then
NGINX_ERROR_LOG_MISSING=1 NGINX_ERROR_LOG_MISSING=1
@ -1759,7 +1759,7 @@
listen) listen)
NGINX_LISTEN_FOUND=1 NGINX_LISTEN_FOUND=1
# Test for ssl on listen statement # Test for ssl on listen statement
FIND_SSL=`echo ${VALUE} | grep ssl` FIND_SSL=$(echo ${VALUE} | grep ssl)
if [ ! "${FIND_SSL}" = "" ]; then NGINX_SSL_ON=1; fi if [ ! "${FIND_SSL}" = "" ]; then NGINX_SSL_ON=1; fi
;; ;;
location) location)
@ -1789,7 +1789,7 @@
;; ;;
ssl_protocols) ssl_protocols)
NGINX_SSL_PROTOCOLS=1 NGINX_SSL_PROTOCOLS=1
VALUE=`echo ${VALUE} | sed 's/;$//' | tr '[:upper:]' '[:lower:]'` VALUE=$(echo ${VALUE} | sed 's/;$//' | tr '[:upper:]' '[:lower:]')
for ITEM in ${VALUE}; do for ITEM in ${VALUE}; do
LogText "Result: found protocol ${ITEM}" LogText "Result: found protocol ${ITEM}"
case ${ITEM} in case ${ITEM} in
@ -1835,7 +1835,7 @@
else else
if [ $# -eq 2 ] && [ $1 = "TCP" -o $1 = "UDP" ]; then if [ $# -eq 2 ] && [ $1 = "TCP" -o $1 = "UDP" ]; then
LogText "Test: find service listening on $1:$2" LogText "Test: find service listening on $1:$2"
if [ $1 = "TCP" ]; then FIND=`${LSOFBINARY} -i${1} -s${1}:LISTEN -P -n | grep ":${2} "`; else FIND=`${LSOFBINARY} -i${1} -P -n | grep ":${2} "`; fi if [ $1 = "TCP" ]; then FIND=$(${LSOFBINARY} -i${1} -s${1}:LISTEN -P -n | grep ":${2} "); else FIND=$(${LSOFBINARY} -i${1} -P -n | grep ":${2} "); fi
if [ ! "${FIND}" = "" ]; then if [ ! "${FIND}" = "" ]; then
LogText "Result: found service listening on port $2 ($1)" LogText "Result: found service listening on port $2 ($1)"
return 0 return 0
@ -1895,7 +1895,7 @@
fi fi
if [ $# -eq 0 ]; then SIZE=16; else SIZE=$1; fi if [ $# -eq 0 ]; then SIZE=16; else SIZE=$1; fi
CSIZE=$((SIZE / 2)) CSIZE=$((SIZE / 2))
RANDOMSTRING=`head -c ${CSIZE} /dev/urandom | od -An -x | tr -d ' ' | cut -c 1-${SIZE}` RANDOMSTRING=$(head -c ${CSIZE} /dev/urandom | od -An -x | tr -d ' ' | cut -c 1-${SIZE})
} }
@ -1975,13 +1975,13 @@
# Skip test if it's configured in profile (old style) # Skip test if it's configured in profile (old style)
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
FIND=`echo "${TEST_SKIP_ALWAYS}" | grep "${TEST_NO}" | tr '[:lower:]' '[:upper:]'` FIND=$(echo "${TEST_SKIP_ALWAYS}" | grep "${TEST_NO}" | tr '[:lower:]' '[:upper:]')
if [ ! "${FIND}" = "" ]; then SKIPTEST=1; SKIPREASON="Skipped by configuration"; fi if [ ! "${FIND}" = "" ]; then SKIPTEST=1; SKIPREASON="Skipped by configuration"; fi
fi fi
# Check if this test is on the list to skip # Check if this test is on the list to skip
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
VALUE=`echo ${TEST_NO} | tr '[:lower:]' '[:upper:]'` VALUE=$(echo ${TEST_NO} | tr '[:lower:]' '[:upper:]')
for I in ${SKIP_TESTS}; do for I in ${SKIP_TESTS}; do
if [ "${I}" = "${VALUE}" ]; then SKIPTEST=1; SKIPREASON="Skipped by profile setting (skip-test)"; fi if [ "${I}" = "${VALUE}" ]; then SKIPTEST=1; SKIPREASON="Skipped by profile setting (skip-test)"; fi
done done
@ -1989,7 +1989,7 @@
# Skip if test is not in the list # Skip if test is not in the list
if [ ${SKIPTEST} -eq 0 -a ! "${TESTS_TO_PERFORM}" = "" ]; then if [ ${SKIPTEST} -eq 0 -a ! "${TESTS_TO_PERFORM}" = "" ]; then
FIND=`echo "${TESTS_TO_PERFORM}" | grep "${TEST_NO}"` FIND=$(echo "${TESTS_TO_PERFORM}" | grep "${TEST_NO}")
if [ "${FIND}" = "" ]; then SKIPTEST=1; SKIPREASON="Test not in list of tests to perform"; fi if [ "${FIND}" = "" ]; then SKIPTEST=1; SKIPREASON="Test not in list of tests to perform"; fi
fi fi
@ -2109,7 +2109,7 @@
# Clean up temp files # Clean up temp files
for FILE in ${TEMP_FILES}; do for FILE in ${TEMP_FILES}; do
# Temporary files should be in /tmp # Temporary files should be in /tmp
TMPFILE=`echo ${FILE} | egrep "^/tmp/lynis" | grep -v "\.\."` TMPFILE=$(echo ${FILE} | egrep "^/tmp/lynis" | grep -v "\.\.")
if [ ! "${TMPFILE}" = "" ]; then if [ ! "${TMPFILE}" = "" ]; then
if [ -f ${TMPFILE} ]; then if [ -f ${TMPFILE} ]; then
LogText "Action: removing temporary file ${TMPFILE}" LogText "Action: removing temporary file ${TMPFILE}"
@ -2300,17 +2300,17 @@
PERMS_OK=0 PERMS_OK=0
LogText "Checking permissions of $1" LogText "Checking permissions of $1"
if [ $# -eq 1 ]; then if [ $# -eq 1 ]; then
IS_PARAMETERS_FILE=`echo $1 | grep "/parameters"` IS_PARAMETERS_FILE=$(echo $1 | grep "/parameters")
# Check file permissions # Check file permissions
if [ ! -f "$1" ]; then if [ ! -f "$1" ]; then
LogText "Fatal error: file $1 does not exist. Quitting." LogText "Fatal error: file $1 does not exist. Quitting."
echo "Fatal error: file $1 does not exist" echo "Fatal error: file $1 does not exist"
ExitFatal ExitFatal
else else
PERMS=`ls -l $1` PERMS=$(ls -l $1)
# Owner permissions # Owner permissions
OWNER=`echo ${PERMS} | awk -F" " '{ print $3 }'` OWNER=$(echo ${PERMS} | awk -F" " '{ print $3 }')
OWNERID=`ls -n $1 | awk -F" " '{ print $3 }'` OWNERID=$(ls -n $1 | awk -F" " '{ print $3 }')
if [ ${PENTESTINGMODE} -eq 0 -a "${IS_PARAMETERS_FILE}" = "" ]; then if [ ${PENTESTINGMODE} -eq 0 -a "${IS_PARAMETERS_FILE}" = "" ]; then
if [ ! "${OWNER}" = "root" -a ! "${OWNERID}" = "0" ]; then if [ ! "${OWNER}" = "root" -a ! "${OWNERID}" = "0" ]; then
echo "Fatal error: file $1 should be owned by user 'root' when running it as root (found: ${OWNER})." echo "Fatal error: file $1 should be owned by user 'root' when running it as root (found: ${OWNER})."
@ -2318,8 +2318,8 @@
fi fi
fi fi
# Group permissions # Group permissions
GROUP=`echo ${PERMS} | awk -F" " '{ print $4 }'` GROUP=$(echo ${PERMS} | awk -F" " '{ print $4 }')
GROUPID=`ls -n $1 | awk -F" " '{ print $4 }'` GROUPID=$(ls -n $1 | awk -F" " '{ print $4 }')
if [ ${PENTESTINGMODE} -eq 0 -a "${IS_PARAMETERS_FILE}" = "" ]; then if [ ${PENTESTINGMODE} -eq 0 -a "${IS_PARAMETERS_FILE}" = "" ]; then
if [ ! "${GROUP}" = "root" -a ! "${GROUP}" = "wheel" -a ! "${GROUPID}" = "0" ]; then if [ ! "${GROUP}" = "root" -a ! "${GROUP}" = "wheel" -a ! "${GROUPID}" = "0" ]; then
@ -2329,21 +2329,21 @@
fi fi
# Owner permissions # Owner permissions
OWNER_PERMS=`echo ${PERMS} | cut -c2-4` OWNER_PERMS=$(echo ${PERMS} | cut -c2-4)
if [ ! "${OWNER_PERMS}" = "rw-" -a ! "${OWNER_PERMS}" = "r--" ]; then if [ ! "${OWNER_PERMS}" = "rw-" -a ! "${OWNER_PERMS}" = "r--" ]; then
echo "Fatal error: permissions of file $1 are not strict enough. Access to 'owner' should be read-write, or read. Change with: chmod 600 $1" echo "Fatal error: permissions of file $1 are not strict enough. Access to 'owner' should be read-write, or read. Change with: chmod 600 $1"
ExitFatal ExitFatal
fi fi
# Owner permissions # Owner permissions
GROUP_PERMS=`echo ${PERMS} | cut -c5-7` GROUP_PERMS=$(echo ${PERMS} | cut -c5-7)
if [ ! "${GROUP_PERMS}" = "rw-" -a ! "${GROUP_PERMS}" = "r--" -a ! "${GROUP_PERMS}" = "---" ]; then if [ ! "${GROUP_PERMS}" = "rw-" -a ! "${GROUP_PERMS}" = "r--" -a ! "${GROUP_PERMS}" = "---" ]; then
echo "Fatal error: permissions of file $1 are not strict enough. Access to 'group' should be read-write, read, or none. Change with: chmod 600 $1" echo "Fatal error: permissions of file $1 are not strict enough. Access to 'group' should be read-write, read, or none. Change with: chmod 600 $1"
ExitFatal ExitFatal
fi fi
# Other permissions # Other permissions
OTHER_PERMS=`echo ${PERMS} | cut -c8-10` OTHER_PERMS=$(echo ${PERMS} | cut -c8-10)
if [ ! "${OTHER_PERMS}" = "---" -a ! "${OTHER_PERMS}" = "r--" ]; then if [ ! "${OTHER_PERMS}" = "---" -a ! "${OTHER_PERMS}" = "r--" ]; then
echo "Fatal error: permissions of file $1 are not strict enough. Access to 'other' should be denied or read-only. Change with: chmod 600 $1" echo "Fatal error: permissions of file $1 are not strict enough. Access to 'other' should be denied or read-only. Change with: chmod 600 $1"
ExitFatal ExitFatal
@ -2401,7 +2401,7 @@
if [ -f ${FILE} ]; then if [ -f ${FILE} ]; then
# Check if we can find the main type (with or without brackets) # Check if we can find the main type (with or without brackets)
LogText "Test: search string ${STRING} in file ${FILE}" LogText "Test: search string ${STRING} in file ${FILE}"
FIND=`egrep "${STRING}" ${FILE}` FIND=$(egrep "${STRING}" ${FILE})
if [ ! "${FIND}" = "" ]; then if [ ! "${FIND}" = "" ]; then
ITEM_FOUND=1 ITEM_FOUND=1
LogText "Result: found search string '${STRING}'" LogText "Result: found search string '${STRING}'"
@ -2547,25 +2547,25 @@
if [ "${OS}" = "macOS" ]; then if [ "${OS}" = "macOS" ]; then
# If a Python binary is found, use the one in path # If a Python binary is found, use the one in path
if [ ${BINARY_SCAN_FINISHED} -eq 0 -a "${PYTHONBINARY}" = "" ]; then if [ ${BINARY_SCAN_FINISHED} -eq 0 -a "${PYTHONBINARY}" = "" ]; then
FIND=`which python 2> /dev/null` FIND=$(which python 2> /dev/null)
if [ ! "${FIND}" = "" ]; then LogText "Setting temporary pythonbinary variable"; PYTHONBINARY="${FIND}"; fi if [ ! "${FIND}" = "" ]; then LogText "Setting temporary pythonbinary variable"; PYTHONBINARY="${FIND}"; fi
fi fi
if [ ! "${PYTHONBINARY}" = "" ]; then if [ ! "${PYTHONBINARY}" = "" ]; then
SYMLINK_USE_PYTHON=1 SYMLINK_USE_PYTHON=1
LogText "Note: using Python to determine symlinks" LogText "Note: using Python to determine symlinks"
tFILE=`python -c "import os,sys; print(os.path.realpath(os.path.expanduser(sys.argv[1])))" $1` tFILE=$(python -c "import os,sys; print(os.path.realpath(os.path.expanduser(sys.argv[1])))" $1)
fi fi
else else
if [ ${BINARY_SCAN_FINISHED} -eq 0 -a "${READLINKBINARY}" = "" ]; then if [ ${BINARY_SCAN_FINISHED} -eq 0 -a "${READLINKBINARY}" = "" ]; then
FIND=`which readlink 2> /dev/null` FIND=$(which readlink 2> /dev/null)
if [ ! "${FIND}" = "" ]; then LogText "Setting temporary readlinkbinary variable"; READLINKBINARY="${FIND}"; fi if [ ! "${FIND}" = "" ]; then LogText "Setting temporary readlinkbinary variable"; READLINKBINARY="${FIND}"; fi
fi fi
if [ ! "${READLINKBINARY}" = "" ]; then if [ ! "${READLINKBINARY}" = "" ]; then
SYMLINK_USE_READLINK=1 SYMLINK_USE_READLINK=1
LogText "Note: Using real readlink binary to determine symlink on ${sFILE}" LogText "Note: Using real readlink binary to determine symlink on ${sFILE}"
tFILE=`${READLINKBINARY} -f ${sFILE}` tFILE=$(${READLINKBINARY} -f ${sFILE})
LogText "Result: readlink shows ${tFILE} as output" LogText "Result: readlink shows ${tFILE} as output"
fi fi
fi fi
@ -2590,15 +2590,15 @@
FOUNDPATH=1 FOUNDPATH=1
else else
# Check the full path of the symlink, strip the filename, copy the path and linked filename together # Check the full path of the symlink, strip the filename, copy the path and linked filename together
tDIR=`echo ${sFILE} | awk '{match($1, "^.*/"); print substr($1, 1, RLENGTH-1)}'` tDIR=$(echo ${sFILE} | awk '{match($1, "^.*/"); print substr($1, 1, RLENGTH-1)}')
tFILE="${tDIR}/${tFILE}" tFILE="${tDIR}/${tFILE}"
if [ -L ${tFILE} ]; then if [ -L ${tFILE} ]; then
LogText "Result: this symlink links to another symlink" LogText "Result: this symlink links to another symlink"
# Ensure that we use a second try with the right tool as well # Ensure that we use a second try with the right tool as well
if [ ${SYMLINK_USE_PYTHON} -eq 1 ]; then if [ ${SYMLINK_USE_PYTHON} -eq 1 ]; then
tFILE=`python -c "import os,sys; print(os.path.realpath(os.path.expanduser(sys.argv[1])))" ${tFILE}` tFILE=$(python -c "import os,sys; print(os.path.realpath(os.path.expanduser(sys.argv[1])))" ${tFILE})
elif [ ${SYMLINK_USE_READLINK} -eq 1 ]; then elif [ ${SYMLINK_USE_READLINK} -eq 1 ]; then
tFILE=`${READLINKBINARY} -f ${tFILE}` tFILE=$(${READLINKBINARY} -f ${tFILE})
fi fi
# Check if we now have a normal file # Check if we now have a normal file
if [ -f ${tFILE} ]; then if [ -f ${tFILE} ]; then
@ -2656,7 +2656,7 @@
RETVAL=1 RETVAL=1
# Check if this test is on the list to skip # Check if this test is on the list to skip
for I in ${SKIP_TESTS}; do for I in ${SKIP_TESTS}; do
STRING=`echo $1 | tr '[:lower:]' '[:upper:]'` STRING=$(echo $1 | tr '[:lower:]' '[:upper:]')
if [ "${I}" = "${STRING}" ]; then RETVAL=0; LogText "Atomic test ($1) skipped by configuration (skip-test)"; fi if [ "${I}" = "${STRING}" ]; then RETVAL=0; LogText "Atomic test ($1) skipped by configuration (skip-test)"; fi
done done
else else
@ -2768,13 +2768,13 @@
# Apply the related function # Apply the related function
case ${FUNCTION} in case ${FUNCTION} in
"contains") "contains")
FIND=`echo ${VALUE} | egrep "${SEARCH}"` FIND=$(echo ${VALUE} | egrep "${SEARCH}")
if [ "${FIND}" = "" ]; then RETVAL=1; else RETVAL=0; fi if [ "${FIND}" = "" ]; then RETVAL=1; else RETVAL=0; fi
;; ;;
#"gt" | "greater-than") COLOR=$GREEN ;; #"gt" | "greater-than") COLOR=$GREEN ;;
"equals") "equals")
CMP1=`echo ${SEARCH} | tr '[:upper:]' '[:lower:']` CMP1=$(echo ${SEARCH} | tr '[:upper:]' '[:lower:'])
CMP2=`echo ${VALUE} | tr '[:upper:]' '[:lower:']` CMP2=$(echo ${VALUE} | tr '[:upper:]' '[:lower:'])
if [ "${CMP1}" = "${CMP2}" ]; then RETVAL=0; else RETVAL=1; fi if [ "${CMP1}" = "${CMP2}" ]; then RETVAL=0; else RETVAL=1; fi
;; ;;
#"not-equal") COLOR=$WHITE ;; #"not-equal") COLOR=$WHITE ;;
@ -2819,7 +2819,7 @@
ViewGroups() { ViewGroups() {
if [ ! "${INCLUDEDIR}" = "" ]; then if [ ! "${INCLUDEDIR}" = "" ]; then
InsertSection "Available test groups" InsertSection "Available test groups"
for I in `ls ${INCLUDEDIR}/tests_* | xargs -n 1 basename | sed 's/tests_//' | grep -v "custom.template"`; do for I in $(ls ${INCLUDEDIR}/tests_* | xargs -n 1 basename | sed 's/tests_//' | grep -v "custom.template"); do
echo "${I}" echo "${I}"
done done
fi fi


@ -24,7 +24,7 @@ if [ $# -eq 0 ]; then
Display --text " "; Display --text " " Display --text " "; Display --text " "
ExitFatal ExitFatal
else else
FILE=`echo $1 | egrep "^http|https"` FILE=$(echo $1 | egrep "^http|https")
if [ ! "${FILE}" = "" ] ; then if [ ! "${FILE}" = "" ] ; then
CreateTempFile CreateTempFile
TMP_FILE="${TEMP_FILE}" TMP_FILE="${TEMP_FILE}"
@ -59,12 +59,12 @@ fi
InsertSection "Image" InsertSection "Image"
PKGMGR="" PKGMGR=""
FIND=`grep "^FROM" ${AUDIT_FILE} | sed 's/ /:space:/g'` FIND=$(grep "^FROM" ${AUDIT_FILE} | sed 's/ /:space:/g')
for I in ${FIND}; do for I in ${FIND}; do
IMAGE=`echo ${I} | sed 's/:space:/ /g' | awk '{ if ($1=="FROM") { print $2 }}'` IMAGE=$(echo ${I} | sed 's/:space:/ /g' | awk '{ if ($1=="FROM") { print $2 }}')
Display --indent 2 --text "Found image:" --result "${IMAGE}" Display --indent 2 --text "Found image:" --result "${IMAGE}"
IS_UBUNTU=`echo ${IMAGE} | grep -i ubuntu` IS_UBUNTU=$(echo ${IMAGE} | grep -i ubuntu)
if [ ! "${IS_DEBIAN}" = "" ]; then IMAGE="debian"; fi if [ ! "${IS_DEBIAN}" = "" ]; then IMAGE="debian"; fi
if [ ! "${IS_FEDORA}" = "" ]; then IMAGE="fedora"; fi if [ ! "${IS_FEDORA}" = "" ]; then IMAGE="fedora"; fi
if [ ! "${IS_UBUNTU}" = "" ]; then IMAGE="ubuntu"; fi if [ ! "${IS_UBUNTU}" = "" ]; then IMAGE="ubuntu"; fi
@ -95,11 +95,11 @@ fi
InsertSection "Basics" InsertSection "Basics"
FIND=`egrep "^MAINTAINER" ${AUDIT_FILE} | sed 's/ /:space:/g'` FIND=$(egrep "^MAINTAINER" ${AUDIT_FILE} | sed 's/ /:space:/g')
if [ "${FIND}" = "" ]; then if [ "${FIND}" = "" ]; then
ReportWarning "dockerfile" "No maintainer found. Unclear who created this file." ReportWarning "dockerfile" "No maintainer found. Unclear who created this file."
else else
MAINTAINER=`echo ${FIND} | sed 's/:space:/ /g' | awk '{ if($1=="MAINTAINER") { print }}'` MAINTAINER=$(echo ${FIND} | sed 's/:space:/ /g' | awk '{ if($1=="MAINTAINER") { print }}')
Display --indent 2 --text "Maintainer" --result "${MAINTAINER}" Display --indent 2 --text "Maintainer" --result "${MAINTAINER}"
fi fi
@ -111,7 +111,7 @@ InsertSection "Basics"
case $PKGMGR in case $PKGMGR in
"apt") "apt")
FIND=`egrep "apt-get(.*) install" ${AUDIT_FILE}` FIND=$(egrep "apt-get(.*) install" ${AUDIT_FILE})
if [ ! "${FIND}" = "" ]; then if [ ! "${FIND}" = "" ]; then
LogText "Found installation via apt-get" LogText "Found installation via apt-get"
else else
@ -123,14 +123,14 @@ InsertSection "Basics"
;; ;;
esac esac
FIND=`egrep " (gcc|libc6-dev|make)" ${AUDIT_FILE} | grep -v "^#"` FIND=$(egrep " (gcc|libc6-dev|make)" ${AUDIT_FILE} | grep -v "^#")
if [ ! "${FIND}" = "" ]; then if [ ! "${FIND}" = "" ]; then
ReportWarning "dockerfile" "Possible development utilities found, which is not advised for production environment" ReportWarning "dockerfile" "Possible development utilities found, which is not advised for production environment"
LogText "Details: ${FIND}" LogText "Details: ${FIND}"
fi fi
# SSH # SSH
FIND_OPENSSH=`grep openssh ${AUDIT_FILE}` FIND_OPENSSH=$(grep openssh ${AUDIT_FILE})
if [ ! "${FIND_OPENSSH}" = "" ]; then if [ ! "${FIND_OPENSSH}" = "" ]; then
Display --indent 2 --text "OpenSSH" --result "FOUND" --color RED Display --indent 2 --text "OpenSSH" --result "FOUND" --color RED
ReportSuggestion "dockerfile" "Don't use OpenSSH in container, use 'docker exec' instead" ReportSuggestion "dockerfile" "Don't use OpenSSH in container, use 'docker exec' instead"
@ -143,21 +143,21 @@ InsertSection "Basics"
FILE_DOWNLOAD=0 FILE_DOWNLOAD=0
LogText "Checking usage of cURL" LogText "Checking usage of cURL"
FIND_CURL=`grep curl ${AUDIT_FILE}` FIND_CURL=$(grep curl ${AUDIT_FILE})
if [ ! "${FIND_CURL}" = "" ]; then if [ ! "${FIND_CURL}" = "" ]; then
Display --indent 4 --text "Download tool" --result "curl" Display --indent 4 --text "Download tool" --result "curl"
FILE_DOWNLOAD=1 FILE_DOWNLOAD=1
fi fi
LogText "Checking usage of wget" LogText "Checking usage of wget"
FIND_WGET=`grep wget ${AUDIT_FILE}` FIND_WGET=$(grep wget ${AUDIT_FILE})
if [ ! "${FIND_WGET}" = "" ]; then if [ ! "${FIND_WGET}" = "" ]; then
Display --indent 4 --text "Download tool" --result "wget" Display --indent 4 --text "Download tool" --result "wget"
FILE_DOWNLOAD=1 FILE_DOWNLOAD=1
fi fi
FIND=`grep "^ADD http" ${AUDIT_FILE}` FIND=$(grep "^ADD http" ${AUDIT_FILE})
if [ ! "${FIND}" = "" ]; then if [ ! "${FIND}" = "" ]; then
FILE_DOWNLOAD=1 FILE_DOWNLOAD=1
ReportWarning "dockerfile" "Found download of file via ADD. Unclear if the integrity of this file is checked, or file is signed" ReportWarning "dockerfile" "Found download of file via ADD. Unclear if the integrity of this file is checked, or file is signed"
@ -166,7 +166,7 @@ InsertSection "Basics"
if [ ${FILE_DOWNLOAD} -eq 1 ]; then if [ ${FILE_DOWNLOAD} -eq 1 ]; then
SSL_USED_FIND=`egrep "(https)" ${AUDIT_FILE}` SSL_USED_FIND=$(egrep "(https)" ${AUDIT_FILE})
if [ ! "${SSL_USED_FIND}" = "" ]; then if [ ! "${SSL_USED_FIND}" = "" ]; then
SSL_USED="YES" SSL_USED="YES"
@ -177,9 +177,9 @@ InsertSection "Basics"
ReportSuggestion "Use SSL downloads when possible to increase security (DNSSEC, HTTPS, validation of domain, avoid MitM)" ReportSuggestion "Use SSL downloads when possible to increase security (DNSSEC, HTTPS, validation of domain, avoid MitM)"
fi fi
Display --indent 2 --text "Integrity testing performed" --result "${SSL_USED}" --color ${COLOR} Display --indent 2 --text "Integrity testing performed" --result "${SSL_USED}" --color ${COLOR}
HASHING_USED=`egrep "(sha1sum|sha256sum|sha512sum)" ${AUDIT_FILE}` HASHING_USED=$(egrep "(sha1sum|sha256sum|sha512sum)" ${AUDIT_FILE})
Display --indent 2 --text "Hashing" --result "${HASHING_USED}" Display --indent 2 --text "Hashing" --result "${HASHING_USED}"
KEYS_USED=`egrep "(apt-key adv)" ${AUDIT_FILE}` KEYS_USED=$(egrep "(apt-key adv)" ${AUDIT_FILE})
Display --indent 2 --text "Signing keys used" --result ${SSL_USED} Display --indent 2 --text "Signing keys used" --result ${SSL_USED}
Display --indent 2 --text "All downloads properly checked" --result "?" Display --indent 2 --text "All downloads properly checked" --result "?"
else else
@ -191,7 +191,7 @@ InsertSection "Basics"
# #
InsertSection "Permissions" InsertSection "Permissions"
FIND=`grep -i "chmod 777" ${AUDIT_FILE}` FIND=$(grep -i "chmod 777" ${AUDIT_FILE})
if [ ! "${FIND}" = "" ]; then if [ ! "${FIND}" = "" ]; then
ReportWarning "dockerfile" "Warning: chmod 777 found" ReportWarning "dockerfile" "Warning: chmod 777 found"
fi fi
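Review bot: In the hunk at `@@ -177,9 +177,9 @@`, the "Signing keys used" line prints `${SSL_USED}`, while `KEYS_USED`, assigned on the line just above it, is not read anywhere in the visible lines, so the audit output reports the HTTPS result under the signing-key label. The result should come from the `apt-key adv` match, e.g. `if [ -n "${KEYS_USED}" ]; then KEYS_RESULT="YES"; else KEYS_RESULT="NO"; fi` followed by `Display --indent 2 --text "Signing keys used" --result "${KEYS_RESULT}"`. The same block shows the HTTPS match as "Integrity testing performed", although HTTPS protects the transport and is not a checksum or signature check of the downloaded file, so that label deserves a second look. The enclosing `if [ ${FILE_DOWNLOAD} -eq 1 ]` block starts and ends outside this hunk.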


@ -49,8 +49,8 @@
# Enable screen output again # Enable screen output again
QUIET=0 QUIET=0
SCP_BINARY=`which scp 2> /dev/null` SCP_BINARY=$(which scp 2> /dev/null)
SSH_BINARY=`which ssh 2> /dev/null` SSH_BINARY=$(which ssh 2> /dev/null)
if [ "${SCP_BINARY}" = "" ]; then echo "Could not find scp binary"; ExitFatal; fi if [ "${SCP_BINARY}" = "" ]; then echo "Could not find scp binary"; ExitFatal; fi
if [ "${SSH_BINARY}" = "" ]; then echo "Could not find ssh binary"; ExitFatal; fi if [ "${SSH_BINARY}" = "" ]; then echo "Could not find ssh binary"; ExitFatal; fi
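Review bot: `SCP_BINARY` and `SSH_BINARY` are located with `which`, whose behaviour on a miss is not standardized; some implementations print a "no scp in ..." message on stdout, which would leave the variable non-empty and let the two empty-string checks pass with a message instead of a path. `command -v` is specified by POSIX and prints nothing on a miss: `SCP_BINARY=$(command -v scp 2> /dev/null)` and `SSH_BINARY=$(command -v ssh 2> /dev/null)`. Whether a supported platform ships such a `which` is not visible here, so treat this as a portability concern rather than an observed failure.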


@ -51,7 +51,7 @@ if [ "$1" = "release" ]; then
elif [ "$1" = "info" ]; then elif [ "$1" = "info" ]; then
# CV - Current Version # CV - Current Version
PROGRAM_AC=`echo ${PROGRAM_VERSION} | awk '{ print $1 }' | sed 's/[.]//g'` PROGRAM_AC=$(echo ${PROGRAM_VERSION} | awk '{ print $1 }' | sed 's/[.]//g')
PROGRAM_LV=0 PROGRAM_LV=0
CheckUpdates CheckUpdates


@ -287,7 +287,7 @@
--plugindir | --plugin-dir | --plugins-dir) --plugindir | --plugin-dir | --plugins-dir)
shift shift
PLUGINDIR=$1 PLUGINDIR=$1
LASTCHAR=`echo $1 | awk '{ print substr($0, length($0))}'` LASTCHAR=$(echo $1 | awk '{ print substr($0, length($0))}')
if [ "${LASTCHAR}" = "/" ]; then if [ "${LASTCHAR}" = "/" ]; then
echo "${RED}Error:${WHITE} plugin directory path should not end with a slash${NORMAL}" echo "${RED}Error:${WHITE} plugin directory path should not end with a slash${NORMAL}"
ExitCustom 65 ExitCustom 65
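Review bot: `LASTCHAR=$(echo $1 | awk '{ print substr($0, length($0))}')` in the `--plugindir` branch expands `$1` unquoted, so a path containing spaces or glob characters is word-split or expanded before awk sees it, and the trailing-slash check then runs on altered text. A pattern test on the already assigned variable avoids the quoting problem and both subprocesses: `case "${PLUGINDIR}" in */) ... ;; esac` wrapped around the existing error message and `ExitCustom 65`. The visible lines also do not check that an argument remains after `shift`; the branch continues outside the hunk, so that may be handled there.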


@ -140,7 +140,7 @@
fi fi
# Show suggestions from logfile # Show suggestions from logfile
SSUGGESTIONS=`grep -i 'suggestion:' ${LOGFILE} | sed 's/ /!space!/g'` SSUGGESTIONS=$(grep -i 'suggestion:' ${LOGFILE} | sed 's/ /!space!/g')
if [ "${SSUGGESTIONS}" = "" ]; then if [ "${SSUGGESTIONS}" = "" ]; then
echo " ${OK}No suggestions${NORMAL}"; echo "" echo " ${OK}No suggestions${NORMAL}"; echo ""
@ -159,7 +159,7 @@
if [ $? -eq 0 ]; then SOLUTION=$(echo ${SEARCH} | sed 's/!space!/ /g' | sed 's/solution://' | sed 's/text://' | tr -d '[]'); fi if [ $? -eq 0 ]; then SOLUTION=$(echo ${SEARCH} | sed 's/!space!/ /g' | sed 's/solution://' | sed 's/text://' | tr -d '[]'); fi
fi fi
done done
IS_CUSTOM=`echo ${ADDLINK} | grep "^CUST"` IS_CUSTOM=$(echo ${ADDLINK} | grep "^CUST")
echo " ${YELLOW}*${NORMAL} ${SHOWSUGGESTION}" echo " ${YELLOW}*${NORMAL} ${SHOWSUGGESTION}"
if [ ! "${DETAILS}" = "-" -a ! -z "${DETAILS}" ]; then echo " - Details : ${CYAN}${DETAILS}${NORMAL}"; fi if [ ! "${DETAILS}" = "-" -a ! -z "${DETAILS}" ]; then echo " - Details : ${CYAN}${DETAILS}${NORMAL}"; fi
if [ ${SHOW_REPORT_SOLUTION} -eq 1 -a ! "${SOLUTION}" = "-" ]; then echo " - Solution : ${SOLUTION}"; fi if [ ${SHOW_REPORT_SOLUTION} -eq 1 -a ! "${SOLUTION}" = "-" ]; then echo " - Solution : ${SOLUTION}"; fi
@ -228,7 +228,7 @@
if [ ! "${PROGRAM_LV}" = "0" -a ! "${REPORTFILE}" = "" -a ! "${REPORTFILE}" = "/dev/null" ]; then if [ ! "${PROGRAM_LV}" = "0" -a ! "${REPORTFILE}" = "" -a ! "${REPORTFILE}" = "/dev/null" ]; then
# Determine if the quality of the program can be increased by filtering out the exceptions # Determine if the quality of the program can be increased by filtering out the exceptions
FIND=`${GREPBINARY} "^exception" ${REPORTFILE}` FIND=$(${GREPBINARY} "^exception" ${REPORTFILE})
if [ ! "${FIND}" = "" ]; then if [ ! "${FIND}" = "" ]; then
echo "" echo ""
echo " ${RED}${NOTE_EXCEPTIONS_FOUND}${NORMAL}" echo " ${RED}${NOTE_EXCEPTIONS_FOUND}${NORMAL}"
@ -248,12 +248,12 @@
echo "" echo ""
echo " ${PURPLE}${NOTE_SKIPPED_TESTS_NON_PRIVILEGED}${NORMAL}" echo " ${PURPLE}${NOTE_SKIPPED_TESTS_NON_PRIVILEGED}${NORMAL}"
FIND=`echo ${SKIPPED_TESTS_ROOTONLY} | sed 's/ /:space:/g'` FIND=$(echo ${SKIPPED_TESTS_ROOTONLY} | sed 's/ /:space:/g')
# Split entries # Split entries
FIND=`echo ${FIND} | sed 's/====/ /g'` FIND=$(echo ${FIND} | sed 's/====/ /g')
# Display found entries # Display found entries
for I in ${FIND}; do for I in ${FIND}; do
J=`echo ${I} | sed 's/:space:/ /g'` J=$(echo ${I} | sed 's/:space:/ /g')
echo " ${J}" echo " ${J}"
done done
echo "" echo ""
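Review bot: The tests in the suggestion loop (`[ ! "${DETAILS}" = "-" -a ! -z "${DETAILS}" ]` and the `SHOW_REPORT_SOLUTION` line after it) and the `PROGRAM_LV`/`REPORTFILE` condition join expressions with `-a`, which POSIX marks obsolescent: `test` with more than four arguments has unspecified results, and an operand such as `!` or `(` can be parsed as an operator. `SOLUTION` is built from parsed suggestion text in the visible lines, and `DETAILS` presumably likewise, so the operands are not fixed strings. Separate tests joined by the shell are unambiguous: `if [ -n "${DETAILS}" ] && [ "${DETAILS}" != "-" ]; then`. The same `-a`/`-o` form appears in the sudoers permission check and the `/boot` check in later file sections of this commit.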


@ -102,7 +102,7 @@
Display --indent 2 --text "- Checking chkgrp tool" --result "${STATUS_FOUND}" --color GREEN Display --indent 2 --text "- Checking chkgrp tool" --result "${STATUS_FOUND}" --color GREEN
LogText "Result: /usr/sbin/chkgrp binary found. Using this to perform next test(s)." LogText "Result: /usr/sbin/chkgrp binary found. Using this to perform next test(s)."
LogText "Test: Testing consistency of /etc/group file" LogText "Test: Testing consistency of /etc/group file"
FIND=`/usr/sbin/chkgrp | ${GREPBINARY} -v 'is fine'` FIND=$(/usr/sbin/chkgrp | ${GREPBINARY} -v 'is fine')
if [ "${FIND}" = "" ]; then if [ "${FIND}" = "" ]; then
Display --indent 4 --text "- Checking consistency of /etc/group file" --result "${STATUS_OK}" --color GREEN Display --indent 4 --text "- Checking consistency of /etc/group file" --result "${STATUS_OK}" --color GREEN
LogText "Result: chkgrp test performed, Group file seems to be ok." LogText "Result: chkgrp test performed, Group file seems to be ok."
@ -158,7 +158,7 @@
LogText "Test: Checking login shells" LogText "Test: Checking login shells"
if [ -f /etc/master.passwd ]; then if [ -f /etc/master.passwd ]; then
# Check for all shells, except: (/usr)/sbin/nologin /nonexistent # Check for all shells, except: (/usr)/sbin/nologin /nonexistent
FIND=`${GREPBINARY} "[a-z]:\*:" /etc/master.passwd | ${EGREPBINARY} -v '^#|/sbin/nologin|/usr/sbin/nologin|/nonexistent' | ${SEDBINARY} 's/ /!space!/g'` FIND=$(${GREPBINARY} "[a-z]:\*:" /etc/master.passwd | ${EGREPBINARY} -v '^#|/sbin/nologin|/usr/sbin/nologin|/nonexistent' | ${SEDBINARY} 's/ /!space!/g')
if [ "${FIND}" = "" ]; then if [ "${FIND}" = "" ]; then
Display --indent 2 --text "- Login shells" --result "${STATUS_OK}" --color GREEN Display --indent 2 --text "- Login shells" --result "${STATUS_OK}" --color GREEN
else else
@ -202,7 +202,7 @@
LogText "Test: Checking login shells" LogText "Test: Checking login shells"
if [ -f /etc/master.passwd ]; then if [ -f /etc/master.passwd ]; then
# Check for all shells, except: (/usr)/sbin/nologin /nonexistent # Check for all shells, except: (/usr)/sbin/nologin /nonexistent
FIND=`${GREPBINARY} "[a-z]:\*:" /etc/master.passwd | ${EGREPBINARY} -v '^#|/sbin/nologin|/usr/sbin/nologin|/nonexistent' | ${SEDBINARY} 's/ /!space!/g'` FIND=$(${GREPBINARY} "[a-z]:\*:" /etc/master.passwd | ${EGREPBINARY} -v '^#|/sbin/nologin|/usr/sbin/nologin|/nonexistent' | ${SEDBINARY} 's/ /!space!/g')
if [ "${FIND}" = "" ]; then if [ "${FIND}" = "" ]; then
Display --indent 2 --text "- Login shells" --result "${STATUS_OK}" --color GREEN Display --indent 2 --text "- Login shells" --result "${STATUS_OK}" --color GREEN
else else
@ -488,7 +488,7 @@
Register --test-no AUTH-9252 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check sudoers file" Register --test-no AUTH-9252 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check sudoers file"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: checking sudoers file (${SUDOERS_FILE}) permissions" LogText "Test: checking sudoers file (${SUDOERS_FILE}) permissions"
FIND=`ls -l ${SUDOERS_FILE} | ${CUTBINARY} -c 2-10` FIND=$(ls -l ${SUDOERS_FILE} | ${CUTBINARY} -c 2-10)
LogText "Result: Found file permissions: ${FIND}" LogText "Result: Found file permissions: ${FIND}"
if [ "${FIND}" = "rw-------" -o "${FIND}" = "rw-rw----" -o "${FIND}" = "r--r-----" ]; then if [ "${FIND}" = "rw-------" -o "${FIND}" = "rw-rw----" -o "${FIND}" = "r--r-----" ]; then
LogText "Result: file ${SUDOERS_FILE} has correct permissions" LogText "Result: file ${SUDOERS_FILE} has correct permissions"
@ -650,7 +650,7 @@
if [ -d ${DIR} -a ! -L ${DIR} ]; then if [ -d ${DIR} -a ! -L ${DIR} ]; then
LogText "Result: directory ${DIR} exists" LogText "Result: directory ${DIR} exists"
# Search in the specified directory # Search in the specified directory
FIND=`find ${DIR} -maxdepth 1 -type f -name "pam_*.so" -print | sort` FIND=$(find ${DIR} -maxdepth 1 -type f -name "pam_*.so" -print | sort)
if [ ! "${FIND}" = "" ]; then FOUND=1; fi if [ ! "${FIND}" = "" ]; then FOUND=1; fi
for FILE in ${FIND}; do for FILE in ${FIND}; do
LogText "Found file: ${FILE}" LogText "Found file: ${FILE}"
@ -680,7 +680,7 @@
if [ -f /etc/pam.d/common-auth ]; then if [ -f /etc/pam.d/common-auth ]; then
LogText "Result: file /etc/pam.d/common-auth exists" LogText "Result: file /etc/pam.d/common-auth exists"
LogText "Test: checking presence LDAP module" LogText "Test: checking presence LDAP module"
FIND=`${GREPBINARY} "^auth.*ldap" /etc/pam.d/common-auth` FIND=$(${GREPBINARY} "^auth.*ldap" /etc/pam.d/common-auth)
if [ ! "${FIND}" = "" ]; then if [ ! "${FIND}" = "" ]; then
LogText "Result: LDAP module present" LogText "Result: LDAP module present"
LogText "Output: ${FIND}" LogText "Output: ${FIND}"
@ -809,7 +809,7 @@
Register --test-no AUTH-9288 --preqs-met ${PREQS_MET} --weight L --network NO --root-only YES --category security --description "Checking for expired passwords" Register --test-no AUTH-9288 --preqs-met ${PREQS_MET} --weight L --network NO --root-only YES --category security --description "Checking for expired passwords"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
if FileIsReadable /etc/shadow; then if FileIsReadable /etc/shadow; then
DAYS_SINCE_EPOCH=$((`date --utc +%s`/86400)) DAYS_SINCE_EPOCH=$(($(date --utc +%s)/86400))
LogText "Data: Days since epoch is ${DAYS_SINCE_EPOCH}" LogText "Data: Days since epoch is ${DAYS_SINCE_EPOCH}"
LogText "Test: collecting accounts which have an expired password (last day changed + maximum change time)" LogText "Test: collecting accounts which have an expired password (last day changed + maximum change time)"
# Skip fields with a !, *, or x, or !* (field $3 is last changed, $5 is maximum changed) # Skip fields with a !, *, or x, or !* (field $3 is last changed, $5 is maximum changed)
@ -921,7 +921,7 @@
TEST_PERFORMED=1 TEST_PERFORMED=1
LogText "Result: file /etc/sysconfig/init exists" LogText "Result: file /etc/sysconfig/init exists"
LogText "Test: checking presence sulogin for single user mode" LogText "Test: checking presence sulogin for single user mode"
FIND=`${GREPBINARY} "^SINGLE=/sbin/sulogin" /etc/sysconfig/init` FIND=$(${GREPBINARY} "^SINGLE=/sbin/sulogin" /etc/sysconfig/init)
if [ ! "${FIND}" = "" ]; then if [ ! "${FIND}" = "" ]; then
FOUND=1 FOUND=1
LogText "Result: found sulogin, so single user is protected" LogText "Result: found sulogin, so single user is protected"
@ -943,7 +943,7 @@
# Mark test as performed only when at least 1 target exists (e.g. Ubuntu 14.04 has limited systemd support) # Mark test as performed only when at least 1 target exists (e.g. Ubuntu 14.04 has limited systemd support)
TEST_PERFORMED=1 TEST_PERFORMED=1
LogText "Result: found target ${I}" LogText "Result: found target ${I}"
FIND=`${EGREPBINARY} "^ExecStart=" ${FILE} | ${GREPBINARY} "/sulogin"` FIND=$(${EGREPBINARY} "^ExecStart=" ${FILE} | ${GREPBINARY} "/sulogin")
if [ "${FIND}" = "" ]; then if [ "${FIND}" = "" ]; then
LogText "Result: did not find sulogin specified, possible risk of getting into single user mode without authentication" LogText "Result: did not find sulogin specified, possible risk of getting into single user mode without authentication"
else else
@ -1075,7 +1075,7 @@
if [ -f /etc/passwd ]; then if [ -f /etc/passwd ]; then
LogText "Result: file /etc/passwd exists" LogText "Result: file /etc/passwd exists"
LogText "Test: Checking umask value in /etc/passwd" LogText "Test: Checking umask value in /etc/passwd"
FIND=`${GREPBINARY} "umask=" /etc/passwd` FIND=$(${GREPBINARY} "umask=" /etc/passwd)
if [ "${FIND}" = "" ]; then if [ "${FIND}" = "" ]; then
ReportManual "AUTH-9328:03" ReportManual "AUTH-9328:03"
fi fi
@ -1088,7 +1088,7 @@
if [ -f /etc/login.defs ]; then if [ -f /etc/login.defs ]; then
LogText "Result: file /etc/login.defs exists" LogText "Result: file /etc/login.defs exists"
LogText "Test: Checking umask value in /etc/login.defs" LogText "Test: Checking umask value in /etc/login.defs"
FIND=`${GREPBINARY} "^UMASK" /etc/login.defs | ${AWKBINARY} '{ print $2 }'` FIND=$(${GREPBINARY} "^UMASK" /etc/login.defs | ${AWKBINARY} '{ print $2 }')
if [ "${FIND}" = "" ]; then if [ "${FIND}" = "" ]; then
LogText "Result: umask value is not configured (most likely it will have the default 022 value)" LogText "Result: umask value is not configured (most likely it will have the default 022 value)"
Display --indent 4 --text "- umask (/etc/login.defs)" --result "${STATUS_SUGGESTION}" --color YELLOW Display --indent 4 --text "- umask (/etc/login.defs)" --result "${STATUS_SUGGESTION}" --color YELLOW
@ -1113,7 +1113,7 @@
if [ -f /etc/init.d/functions ]; then if [ -f /etc/init.d/functions ]; then
LogText "Result: file /etc/init.d/functions exists" LogText "Result: file /etc/init.d/functions exists"
LogText "Test: Checking umask value in /etc/init.d/functions" LogText "Test: Checking umask value in /etc/init.d/functions"
FIND=`${GREPBINARY} "^umask" /etc/init.d/functions | ${AWKBINARY} '{ print $2 }'` FIND=$(${GREPBINARY} "^umask" /etc/init.d/functions | ${AWKBINARY} '{ print $2 }')
if [ "${FIND}" = "" ]; then if [ "${FIND}" = "" ]; then
LogText "Result: umask is not configured" LogText "Result: umask is not configured"
Display --indent 4 --text "- umask (/etc/init.d/functions)" --result "${STATUS_NONE}" --color WHITE Display --indent 4 --text "- umask (/etc/init.d/functions)" --result "${STATUS_NONE}" --color WHITE
@ -1135,7 +1135,7 @@
if [ -f /etc/init.d/rc ]; then if [ -f /etc/init.d/rc ]; then
LogText "Result: file /etc/init.d/rc exists" LogText "Result: file /etc/init.d/rc exists"
LogText "Test: Checking UMASK value in /etc/init.d/rc" LogText "Test: Checking UMASK value in /etc/init.d/rc"
FIND=`${GREPBINARY} -i "^UMASK" /etc/init.d/rc | ${AWKBINARY} '{ print $2 }'` FIND=$(${GREPBINARY} -i "^UMASK" /etc/init.d/rc | ${AWKBINARY} '{ print $2 }')
if [ "${FIND}" = "" ]; then if [ "${FIND}" = "" ]; then
LogText "Result: UMASK value is not configured (most likely it will have the default 022 value)" LogText "Result: UMASK value is not configured (most likely it will have the default 022 value)"
Display --indent 4 --text "- Checking umask (/etc/init.d/rc)" --result "${STATUS_SUGGESTION}" --color YELLOW Display --indent 4 --text "- Checking umask (/etc/init.d/rc)" --result "${STATUS_SUGGESTION}" --color YELLOW
@ -1160,7 +1160,7 @@
FOUND=0 FOUND=0
WEAK_UMASK=0 WEAK_UMASK=0
LogText "Result: file /etc/login.conf exists" LogText "Result: file /etc/login.conf exists"
FIND=`${GREPBINARY} "umask" /etc/login.conf | ${SEDBINARY} 's/#.*//' | ${SEDBINARY} -E 's/^[[:cntrl:]]//' | ${GREPBINARY} -v '^$' | ${AWKBINARY} -F: '{ print $2}' | ${AWKBINARY} -F= '{ if ($1=="umask") { print $2 }}'` FIND=$(${GREPBINARY} "umask" /etc/login.conf | ${SEDBINARY} 's/#.*//' | ${SEDBINARY} -E 's/^[[:cntrl:]]//' | ${GREPBINARY} -v '^$' | ${AWKBINARY} -F: '{ print $2}' | ${AWKBINARY} -F= '{ if ($1=="umask") { print $2 }}')
if [ ! "${FIND}" = "" ]; then if [ ! "${FIND}" = "" ]; then
for UMASK_VALUE in ${FIND}; do for UMASK_VALUE in ${FIND}; do
case ${UMASK_VALUE} in case ${UMASK_VALUE} in
@ -1196,9 +1196,9 @@
if [ -f /etc/init.d/rcS ]; then if [ -f /etc/init.d/rcS ]; then
LogText "Result: file /etc/init.d/rcS exists" LogText "Result: file /etc/init.d/rcS exists"
LogText "Test: Checking if script runs another script." LogText "Test: Checking if script runs another script."
FIND=`${GREPBINARY} -i "^exec " /etc/init.d/rcS | ${AWKBINARY} '{ print $2 }'` FIND=$(${GREPBINARY} -i "^exec " /etc/init.d/rcS | ${AWKBINARY} '{ print $2 }')
if [ "${FIND}" = "" ]; then if [ "${FIND}" = "" ]; then
FIND2=`${GREPBINARY} -i "^UMASK" /etc/init.d/rcS | ${AWKBINARY} '{ print $2 }'` FIND2=$(${GREPBINARY} -i "^UMASK" /etc/init.d/rcS | ${AWKBINARY} '{ print $2 }')
if [ "${FIND2}" = "" ]; then if [ "${FIND2}" = "" ]; then
LogText "Result: UMASK value is not configured (most likely it will have the default 022 value)" LogText "Result: UMASK value is not configured (most likely it will have the default 022 value)"
Display --indent 4 --text "- Checking umask (/etc/init.d/rcS)" --result "${STATUS_SUGGESTION}" --color YELLOW Display --indent 4 --text "- Checking umask (/etc/init.d/rcS)" --result "${STATUS_SUGGESTION}" --color YELLOW
@ -1234,7 +1234,7 @@
FOUND=0 FOUND=0
if [ -f /etc/security/policy.conf ]; then if [ -f /etc/security/policy.conf ]; then
LogText "Result: found /etc/security/policy.conf" LogText "Result: found /etc/security/policy.conf"
FIND=`${GREPBINARY} "^LOCK_AFTER_RETRIES" /etc/security/policy.conf` FIND=$(${GREPBINARY} "^LOCK_AFTER_RETRIES" /etc/security/policy.conf)
if [ ! "${FIND}" = "" ]; then if [ ! "${FIND}" = "" ]; then
FOUND=1 FOUND=1
LogText "Result: account locking option set" LogText "Result: account locking option set"
@ -1254,7 +1254,7 @@
LogText "Test: checking /etc/default/login" LogText "Test: checking /etc/default/login"
if [ -f /etc/default/login ]; then if [ -f /etc/default/login ]; then
LogText "Result: file /etc/default/login exists" LogText "Result: file /etc/default/login exists"
FIND=`${GREPBINARY} "^RETRIES" /etc/default/login` FIND=$(${GREPBINARY} "^RETRIES" /etc/default/login)
if [ ! "${FIND}" = "" ]; then if [ ! "${FIND}" = "" ]; then
FOUND=1 FOUND=1
LogText "Result: retries option configured" LogText "Result: retries option configured"
@ -1331,7 +1331,7 @@
Register --test-no AUTH-9408 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Logging of failed login attempts via /etc/login.defs" Register --test-no AUTH-9408 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Logging of failed login attempts via /etc/login.defs"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking FAILLOG_ENAB option in /etc/login.defs " LogText "Test: Checking FAILLOG_ENAB option in /etc/login.defs "
FIND=`${GREPBINARY} "^FAILLOG_ENAB" /etc/login.defs | ${AWKBINARY} '{ if ($1=="FAILLOG_ENAB") { print $2 } }'` FIND=$(${GREPBINARY} "^FAILLOG_ENAB" /etc/login.defs | ${AWKBINARY} '{ if ($1=="FAILLOG_ENAB") { print $2 } }')
# Search for enabled status (yes), otherwise consider it to be disabled (e.g. empty, or other value) # Search for enabled status (yes), otherwise consider it to be disabled (e.g. empty, or other value)
if [ "${FIND}" = "yes" ]; then if [ "${FIND}" = "yes" ]; then
AUTH_FAILED_LOGINS_LOGGED=1 AUTH_FAILED_LOGINS_LOGGED=1
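Review bot: In the AUTH-9252 hunk, `FIND=$(ls -l ${SUDOERS_FILE} | ${CUTBINARY} -c 2-10)` reads the mode string of the path itself, so if `${SUDOERS_FILE}` is a symbolic link the comparison sees the link's own mode rather than the mode of the file it points to. `-L` makes `ls` report the target, and quoting keeps the path intact: `FIND=$(ls -lL "${SUDOERS_FILE}" | ${CUTBINARY} -c 2-10)`. The visible lines compare only the permission bits; owner and group are not checked here, and the test body continues outside the hunk, so that may be covered elsewhere.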


@ -100,7 +100,7 @@
# N=0 # N=0
# LogText "Test: Checking file /etc/motd contents for legal key words" # LogText "Test: Checking file /etc/motd contents for legal key words"
# for I in ${LEGAL_BANNER_STRINGS}; do # for I in ${LEGAL_BANNER_STRINGS}; do
# FIND=`${GREPBINARY} -i "${I}" /etc/motd` # FIND=$(${GREPBINARY} -i "${I}" /etc/motd)
# if [ ! "${FIND}" = "" ]; then # if [ ! "${FIND}" = "" ]; then
# LogText "Result: found string '${I}'" # LogText "Result: found string '${I}'"
# N=$((N + 1)) # N=$((N + 1))
@ -205,7 +205,7 @@
N=0 N=0
LogText "Test: Checking file /etc/issue.net contents for legal key words" LogText "Test: Checking file /etc/issue.net contents for legal key words"
for I in ${LEGAL_BANNER_STRINGS}; do for I in ${LEGAL_BANNER_STRINGS}; do
FIND=`${GREPBINARY} -i "${I}" /etc/issue.net` FIND=$(${GREPBINARY} -i "${I}" /etc/issue.net)
if [ ! "${FIND}" = "" ]; then if [ ! "${FIND}" = "" ]; then
LogText "Result: found string '${I}'" LogText "Result: found string '${I}'"
N=$((N + 1)) N=$((N + 1))


@ -99,6 +99,7 @@
;; ;;
*) *)
CONTAINS_SYSTEMD=$(echo ${SHORTNAME} | ${GREPBINARY} "systemd") CONTAINS_SYSTEMD=$(echo ${SHORTNAME} | ${GREPBINARY} "systemd")
if [ ! -z "${CONTAINS_SYSTEMD}" ]; then if [ ! -z "${CONTAINS_SYSTEMD}" ]; then
SERVICE_MANAGER="systemd" SERVICE_MANAGER="systemd"
else else
@ -259,7 +260,7 @@
# Some OSes like Gentoo do not have /boot mounted by default # Some OSes like Gentoo do not have /boot mounted by default
# TODO: root directory and rewrite ls statement # TODO: root directory and rewrite ls statement
if [ -d /boot ]; then if [ -d /boot ]; then
if [ "`ls /boot/* 2> /dev/null`" = "" -a ! -z "${GRUB2INSTALLBINARY}" ]; then if [ "$(ls /boot/* 2> /dev/null)" = "" -a ! -z "${GRUB2INSTALLBINARY}" ]; then
BOOT_LOADER_FOUND=1 BOOT_LOADER_FOUND=1
LogText "Result: found empty /boot, however with GRUB2 binary installed. Best guess is that GRUB2 is actually installed, but /boot not mounted" LogText "Result: found empty /boot, however with GRUB2 binary installed. Best guess is that GRUB2 is actually installed, but /boot not mounted"
Display --indent 2 --text "- Checking presence GRUB2" --result "POSSIBLE MATCH" --color YELLOW Display --indent 2 --text "- Checking presence GRUB2" --result "POSSIBLE MATCH" --color YELLOW


@ -65,10 +65,10 @@
#Register --test-no CONT-1906 --weight L --network NO --category security --description "Query Xen guests" #Register --test-no CONT-1906 --weight L --network NO --category security --description "Query Xen guests"
#if [ ${SKIPTEST} -eq 0 ]; then #if [ ${SKIPTEST} -eq 0 ]; then
# Show Xen guests # Show Xen guests
#FIND=`xm list | ${AWKBINARY} '$1 != "Name|Domain-0" {print $1","$2}'` #FIND=$(xm list | ${AWKBINARY} '$1 != "Name|Domain-0" {print $1","$2}')
#for I in ${FIND}; do #for I in ${FIND}; do
#XENGUESTNAME=`echo ${I} | ${CUTBINARY} -d ':' -f1` #XENGUESTNAME=$(echo ${I} | ${CUTBINARY} -d ':' -f1)
#XENGUESTID=`echo ${I} | ${CUTBINARY} -d ':' -f2` #XENGUESTID=$(echo ${I} | ${CUTBINARY} -d ':' -f2)
#LogText "Result: found Xen guest ${XENGUESTNAME} (ID: ${XENGUESTID})" #LogText "Result: found Xen guest ${XENGUESTNAME} (ID: ${XENGUESTID})"
#done #done
#fi #fi


@ -37,7 +37,7 @@
# Description : Check if MySQL is being used # Description : Check if MySQL is being used
Register --test-no DBS-1804 --weight L --network NO --category security --description "Checking active MySQL process" Register --test-no DBS-1804 --weight L --network NO --category security --description "Checking active MySQL process"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
FIND=`${PSBINARY} ax | ${EGREPBINARY} "mysqld|mysqld_safe" | ${GREPBINARY} -v "grep"` FIND=$(${PSBINARY} ax | ${EGREPBINARY} "mysqld|mysqld_safe" | ${GREPBINARY} -v "grep")
if [ "${FIND}" = "" ]; then if [ "${FIND}" = "" ]; then
if [ ${DEBUG} -eq 1 ]; then Display --indent 2 --text "- MySQL process status" --result "${STATUS_NOT_FOUND}" --color WHITE --debug; fi if [ ${DEBUG} -eq 1 ]; then Display --indent 2 --text "- MySQL process status" --result "${STATUS_NOT_FOUND}" --color WHITE --debug; fi
LogText "Result: MySQL process not active" LogText "Result: MySQL process not active"
@ -209,7 +209,7 @@
#Register --test-no DBS-1842 --weight L --network NO --category security --description "Checking Oracle home paths" #Register --test-no DBS-1842 --weight L --network NO --category security --description "Checking Oracle home paths"
#if [ ${SKIPTEST} -eq 0 ]; then #if [ ${SKIPTEST} -eq 0 ]; then
# if [ -f /etc/oratab ]; then # if [ -f /etc/oratab ]; then
# FIND=`${GREPBINARY} -v "#" /etc/oratab | ${AWKBINARY} -F: "{ print $2 }"` # FIND=$(${GREPBINARY} -v "#" /etc/oratab | ${AWKBINARY} -F: "{ print $2 }")
# fi # fi
#fi #fi
# #
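Review bot: In the DBS-1804 hunk, the alternation in `"mysqld|mysqld_safe"` is redundant, because every line containing `mysqld_safe` already matches `mysqld`. A bracket in the pattern keeps the grep process itself from matching and removes the extra `grep -v "grep"` stage: `FIND=$(${PSBINARY} ax | ${GREPBINARY} "[m]ysqld")`. Either form is still a substring match over the whole `ps ax` line, so any process whose command line merely mentions `mysqld` counts as an active MySQL process; a comment above the line saying so would help whoever reads the test result. The test body continues outside the hunk.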


@ -247,9 +247,9 @@
# Can be ^/dev/partition # Can be ^/dev/partition
# Test for UUID usage (e.g. UUID=uuid --> /dev/disk/by-uuid/<uuid>) # Test for UUID usage (e.g. UUID=uuid --> /dev/disk/by-uuid/<uuid>)
HAS_UUID=`echo ${I} | ${GREPBINARY} "^UUID="` HAS_UUID=$(echo ${I} | ${GREPBINARY} "^UUID=")
if [ ! -z "${HAS_UUID}" ]; then if [ ! -z "${HAS_UUID}" ]; then
UUID=`echo ${HAS_UUID} | ${AWKBINARY} -F= '{ print $2 }'` UUID=$(echo ${HAS_UUID} | ${AWKBINARY} -F= '{ print $2 }')
LogText "Result: Using ${UUID} as UUID" LogText "Result: Using ${UUID} as UUID"
if [ ! -z "${BLKIDBINARY}" ]; then if [ ! -z "${BLKIDBINARY}" ]; then
FIND2=$(${BLKIDBINARY} | ${AWKBINARY} '{ if ($2=="UUID=\"${UUID}\"") print $1 }' | ${SEDBINARY} 's/:$//') FIND2=$(${BLKIDBINARY} | ${AWKBINARY} '{ if ($2=="UUID=\"${UUID}\"") print $1 }' | ${SEDBINARY} 's/:$//')
@ -303,7 +303,7 @@
else else
Display --indent 2 --text "- Testing swap partitions" --result "CHECK NEEDED" --color YELLOW Display --indent 2 --text "- Testing swap partitions" --result "CHECK NEEDED" --color YELLOW
LogText "Result: possible incorrect mount options used for mounting swap partition (${FIND})" LogText "Result: possible incorrect mount options used for mounting swap partition (${FIND})"
#ReportWarning ${TEST_NO} "Possible incorrect mount options used for swap parition (${FIND})" #ReportWarning ${TEST_NO} "Possible incorrect mount options used for swap partition (${FIND})"
ReportSuggestion ${TEST_NO} "Check your /etc/fstab file for swap partition mount options" ReportSuggestion ${TEST_NO} "Check your /etc/fstab file for swap partition mount options"
LogText "Notes: usually swap partition have 'sw' or 'swap' in the options field (4th)" LogText "Notes: usually swap partition have 'sw' or 'swap' in the options field (4th)"
fi fi
@ -429,7 +429,7 @@
FIND1="${ROOTDIR}dev/root" FIND1="${ROOTDIR}dev/root"
else else
# Only determine device if it is EXT2/3/4 # Only determine device if it is EXT2/3/4
#FIND1=`mount | ${GREPBINARY} "on / " | ${AWKBINARY} '{ if ($5~/ext[2-4]/) { print $1 }}'` #FIND1=$(mount | ${GREPBINARY} "on / " | ${AWKBINARY} '{ if ($5~/ext[2-4]/) { print $1 }}')
FIND1=$(${MOUNTBINARY} -t ext2,ext3,ext4 | ${GREPBINARY} "on / " | ${AWKBINARY} '{ print $1 }') FIND1=$(${MOUNTBINARY} -t ext2,ext3,ext4 | ${GREPBINARY} "on / " | ${AWKBINARY} '{ print $1 }')
fi fi
# Trying to determine default mount options from EXT2/EXT3/EXT4 file systems # Trying to determine default mount options from EXT2/EXT3/EXT4 file systems
@ -538,7 +538,7 @@
PARTIALLY_HARDENED=0 PARTIALLY_HARDENED=0
FULLY_HARDENED=1 FULLY_HARDENED=1
for FLAG in ${EXPECTED_FLAGS}; do for FLAG in ${EXPECTED_FLAGS}; do
FLAG_AVAILABLE=`echo ${FOUND_FLAGS} | ${GREPBINARY} ${FLAG}` FLAG_AVAILABLE=$(echo ${FOUND_FLAGS} | ${GREPBINARY} ${FLAG})
if [ "${FLAG_AVAILABLE}" = "" ]; then if [ "${FLAG_AVAILABLE}" = "" ]; then
LogText "Result: Could not find mount option ${FLAG} on file system ${FILESYSTEM}" LogText "Result: Could not find mount option ${FLAG} on file system ${FILESYSTEM}"
FULLY_HARDENED=0 FULLY_HARDENED=0
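Review bot: In the UUID hunk, the blkid lookup `${AWKBINARY} '{ if ($2=="UUID=\"${UUID}\"") print $1 }'` keeps `${UUID}` inside single quotes, so the shell never expands it and awk compares against the literal text `${UUID}`. FIND2 will then stay empty for every fstab entry that uses a UUID. Passing the value in explicitly fixes it: `${AWKBINARY} -v uuid="${UUID}" '{ if ($2=="UUID=\"" uuid "\"") print $1 }'`. The `echo ${I}` and `echo ${HAS_UUID}` substitutions just above are also unquoted and would be safer as `"${I}"` and `"${HAS_UUID}"`. The enclosing loop starts and ends outside the hunk.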


@ -106,7 +106,7 @@
TABLES="filter" TABLES="filter"
for TABLE in ${TABLES}; do for TABLE in ${TABLES}; do
LogText "Test: gathering information from table ${TABLE}" LogText "Test: gathering information from table ${TABLE}"
FIND="$FIND""\n"`${IPTABLESBINARY} -t ${TABLE} --numeric --list | ${EGREPBINARY} -z -o -w '[A-Z]+' | ${AWKBINARY} -v t=${TABLE} 'NR%2 {printf "%s %s ",t, $0 ; next;}1'` FIND="$FIND""\n"$(${IPTABLESBINARY} -t ${TABLE} --numeric --list | ${EGREPBINARY} -z -o -w '[A-Z]+' | ${AWKBINARY} -v t=${TABLE} 'NR%2 {printf "%s %s ",t, $0 ; next;}1')
done done
echo "${FIND}" | while read line; do echo "${FIND}" | while read line; do
@ -336,7 +336,7 @@
FIREWALL_ACTIVE=1 FIREWALL_ACTIVE=1
FIREWALL_SOFTWARE="ipfw" FIREWALL_SOFTWARE="ipfw"
Report "firewall_software[]=ipfw" Report "firewall_software[]=ipfw"
IPFW_ENABLED=`service -e | ${GREPBINARY} -o ipfw` IPFW_ENABLED=$(service -e | ${GREPBINARY} -o ipfw)
if [ "${IPFW_ENABLED}" = "ipfw" ]; then if [ "${IPFW_ENABLED}" = "ipfw" ]; then
Display --indent 4 --text "- IPFW enabled in /etc/rc.conf" --result "${STATUS_YES}" --color GREEN Display --indent 4 --text "- IPFW enabled in /etc/rc.conf" --result "${STATUS_YES}" --color GREEN
LogText "Result: IPFW is enabled at start-up for IPv4" LogText "Result: IPFW is enabled at start-up for IPv4"
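Review bot: The `"\n"` appended to FIND in the iptables loop is a literal backslash-n, so whether `echo "${FIND}" | while read line` sees separate lines depends on the shell's echo implementation. Where echo leaves the backslash alone, `read` without `-r` swallows it. Whatever the loop derives per line can therefore differ between shells. A form that behaves the same everywhere is `printf '%b\n' "${FIND}" | while read -r line; do`, and `-v t=${TABLE}` should be quoted as `-v t="${TABLE}"`. The loop body continues outside the hunk.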


@ -43,12 +43,12 @@
if [ -L /etc/systemd/system/default.target ]; then if [ -L /etc/systemd/system/default.target ]; then
LogText "Result: symlink found" LogText "Result: symlink found"
if [ ! "${READLINKBINARY}" = "" ]; then if [ ! "${READLINKBINARY}" = "" ]; then
FIND=`${READLINKBINARY} /etc/systemd/system/default.target` FIND=$(${READLINKBINARY} /etc/systemd/system/default.target)
if [ "${FIND}" = "" ]; then if [ "${FIND}" = "" ]; then
LogText "Exception: can't find the target of the symlink of /etc/systemd/system/default.target" LogText "Exception: can't find the target of the symlink of /etc/systemd/system/default.target"
ReportException "${TEST_NO}:01" ReportException "${TEST_NO}:01"
else else
FIND2=`echo ${FIND} | ${EGREPBINARY} "runlevel5|graphical"` FIND2=$(echo ${FIND} | ${EGREPBINARY} "runlevel5|graphical")
if [ ! "${FIND2}" = "" ]; then if [ ! "${FIND2}" = "" ]; then
LogText "Result: Found match on runlevel5/graphical" LogText "Result: Found match on runlevel5/graphical"
Display --indent 2 --text "- Checking default runlevel" --result "runlevel 5" --color GREEN Display --indent 2 --text "- Checking default runlevel" --result "runlevel 5" --color GREEN
@ -69,7 +69,7 @@
if [ -f /etc/inittab ]; then if [ -f /etc/inittab ]; then
LogText "Result: file /etc/inittab found" LogText "Result: file /etc/inittab found"
LogText "Test: Checking default Linux run level" LogText "Test: Checking default Linux run level"
FIND=`${AWKBINARY} -F: '/^id/ { print $2; }' /etc/inittab | head -n 1` FIND=$(${AWKBINARY} -F: '/^id/ { print $2; }' /etc/inittab | head -n 1)
if [ "${FIND}" = "" ]; then if [ "${FIND}" = "" ]; then
Display --indent 2 --text "- Checking default runlevel" --result "${STATUS_UNKNOWN}" --color YELLOW Display --indent 2 --text "- Checking default runlevel" --result "${STATUS_UNKNOWN}" --color YELLOW
LogText "Result: Can't determine default run level from /etc/inittab" LogText "Result: Can't determine default run level from /etc/inittab"
@ -82,7 +82,7 @@
LogText "Result: file /etc/inittab not found" LogText "Result: file /etc/inittab not found"
if [ "${LINUX_VERSION}" = "Debian" -o "${LINUX_VERSION}" = "Ubuntu" ]; then if [ "${LINUX_VERSION}" = "Debian" -o "${LINUX_VERSION}" = "Ubuntu" ]; then
LogText "Test: Checking run level with who -r, for Debian based systems" LogText "Test: Checking run level with who -r, for Debian based systems"
FIND=`who -r | ${AWKBINARY} '{ if ($1=="run-level") { print $2 } }'` FIND=$(who -r | ${AWKBINARY} '{ if ($1=="run-level") { print $2 } }')
if [ ! "${FIND}" = "" ]; then if [ ! "${FIND}" = "" ]; then
LogText "Result: Found default run level '${FIND}'" LogText "Result: Found default run level '${FIND}'"
Report "linux_default_runlevel=${FIND}" Report "linux_default_runlevel=${FIND}"
@ -109,9 +109,9 @@
if [ -f /proc/cpuinfo ]; then if [ -f /proc/cpuinfo ]; then
LogText "Result: found /proc/cpuinfo" LogText "Result: found /proc/cpuinfo"
LogText "Test: Checking CPU options (XD/NX/PAE)" LogText "Test: Checking CPU options (XD/NX/PAE)"
FIND_PAE_NX=`${GREPBINARY} " pae " /proc/cpuinfo | ${GREPBINARY} " nx "` FIND_PAE_NX=$(${GREPBINARY} " pae " /proc/cpuinfo | ${GREPBINARY} " nx ")
FIND_PAE=`${GREPBINARY} " pae " /proc/cpuinfo` FIND_PAE=$(${GREPBINARY} " pae " /proc/cpuinfo)
FIND_NX=`${GREPBINARY} " nx " /proc/cpuinfo` FIND_NX=$(${GREPBINARY} " nx " /proc/cpuinfo)
FOUND=0 FOUND=0
if [ ! "${FIND_PAE_NX}" = "" ]; then if [ ! "${FIND_PAE_NX}" = "" ]; then
LogText "PAE: Yes" LogText "PAE: Yes"
@ -165,11 +165,11 @@
Register --test-no KRNL-5695 --os Linux --weight L --network NO --category security --description "Determine Linux kernel version and release number" Register --test-no KRNL-5695 --os Linux --weight L --network NO --category security --description "Determine Linux kernel version and release number"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
# Kernel number (and suffix) # Kernel number (and suffix)
LINUX_KERNEL_RELEASE=`uname -r` LINUX_KERNEL_RELEASE=$(uname -r)
Report "linux_kernel_release=${LINUX_KERNEL_RELEASE}" Report "linux_kernel_release=${LINUX_KERNEL_RELEASE}"
LogText "Result: found kernel release ${LINUX_KERNEL_RELEASE}" LogText "Result: found kernel release ${LINUX_KERNEL_RELEASE}"
# Type and build date # Type and build date
LINUX_KERNEL_VERSION=`uname -v` LINUX_KERNEL_VERSION=$(uname -v)
Report "linux_kernel_version=${LINUX_KERNEL_VERSION}" Report "linux_kernel_version=${LINUX_KERNEL_VERSION}"
LogText "Result: found kernel version ${LINUX_KERNEL_VERSION}" LogText "Result: found kernel version ${LINUX_KERNEL_VERSION}"
Display --indent 2 --text "- Checking kernel version and release" --result "${STATUS_DONE}" --color GREEN Display --indent 2 --text "- Checking kernel version and release" --result "${STATUS_DONE}" --color GREEN
@ -184,7 +184,7 @@
if [ ! "${LSMODBINARY}" = "" -a -f /proc/modules ]; then if [ ! "${LSMODBINARY}" = "" -a -f /proc/modules ]; then
LogText "Test: checking if kernel is monolithic or modular" LogText "Test: checking if kernel is monolithic or modular"
# Checking if any modules are loaded # Checking if any modules are loaded
FIND=`${LSMODBINARY} | ${GREPBINARY} -v "^Module" | wc -l | ${TRBINARY} -s ' ' | ${TRBINARY} -d ' '` FIND=$(${LSMODBINARY} | ${GREPBINARY} -v "^Module" | wc -l | ${TRBINARY} -s ' ' | ${TRBINARY} -d ' ')
Display --indent 2 --text "- Checking kernel type" --result "${STATUS_DONE}" --color GREEN Display --indent 2 --text "- Checking kernel type" --result "${STATUS_DONE}" --color GREEN
if [ "${FIND}" = "0" ]; then if [ "${FIND}" = "0" ]; then
LogText "Result: Found monolithic kernel" LogText "Result: Found monolithic kernel"
@ -207,7 +207,7 @@
Register --test-no KRNL-5726 --os Linux --weight L --network NO --category security --description "Checking Linux loaded kernel modules" Register --test-no KRNL-5726 --os Linux --weight L --network NO --category security --description "Checking Linux loaded kernel modules"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
if [ ! "${LSMODBINARY}" = "" -a -f /proc/modules ]; then if [ ! "${LSMODBINARY}" = "" -a -f /proc/modules ]; then
FIND=`${LSMODBINARY} | ${AWKBINARY} '{ if ($1!="Module") print $1 }' | sort` FIND=$(${LSMODBINARY} | ${AWKBINARY} '{ if ($1!="Module") print $1 }' | sort)
Display --indent 2 --text "- Checking loaded kernel modules" --result "${STATUS_DONE}" --color GREEN Display --indent 2 --text "- Checking loaded kernel modules" --result "${STATUS_DONE}" --color GREEN
if [ ! "${FIND}" = "" ]; then if [ ! "${FIND}" = "" ]; then
LogText "Loaded modules according lsmod:" LogText "Loaded modules according lsmod:"
@ -233,7 +233,7 @@
# Description : Checking for available Linux kernel configuration file in /boot # Description : Checking for available Linux kernel configuration file in /boot
Register --test-no KRNL-5728 --os Linux --weight L --network NO --category security --description "Checking Linux kernel config" Register --test-no KRNL-5728 --os Linux --weight L --network NO --category security --description "Checking Linux kernel config"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
CHECKFILE="/boot/config-`uname -r`" CHECKFILE="/boot/config-$(uname -r)"
if [ -f ${CHECKFILE} ]; then if [ -f ${CHECKFILE} ]; then
LINUXCONFIGFILE="${CHECKFILE}" LINUXCONFIGFILE="${CHECKFILE}"
LogText "Result: found config (${LINUXCONFIGFILE})" LogText "Result: found config (${LINUXCONFIGFILE})"
@ -267,7 +267,7 @@
if [ ${LINUXCONFIGFILE_ZIPPED} -eq 1 ]; then GREPTOOL="${ZGREPBINARY}"; else GREPTOOL="${GREPBINARY}"; fi if [ ${LINUXCONFIGFILE_ZIPPED} -eq 1 ]; then GREPTOOL="${ZGREPBINARY}"; else GREPTOOL="${GREPBINARY}"; fi
if [ ! "${GREPTOOL}" = "" ]; then if [ ! "${GREPTOOL}" = "" ]; then
LogText "Test: Checking the default I/O kernel scheduler" LogText "Test: Checking the default I/O kernel scheduler"
LINUX_KERNEL_IOSCHED=`${GREPTOOL} "CONFIG_DEFAULT_IOSCHED" ${LINUXCONFIGFILE} | ${AWKBINARY} -F= '{ print $2 }' | ${SEDBINARY} s/\"//g` LINUX_KERNEL_IOSCHED=$(${GREPTOOL} "CONFIG_DEFAULT_IOSCHED" ${LINUXCONFIGFILE} | ${AWKBINARY} -F= '{ print $2 }' | ${SEDBINARY} s/\"//g)
if [ ! "${LINUX_KERNEL_IOSCHED}" = "" ]; then if [ ! "${LINUX_KERNEL_IOSCHED}" = "" ]; then
LogText "Result: found IO scheduler '${LINUX_KERNEL_IOSCHED}'" LogText "Result: found IO scheduler '${LINUX_KERNEL_IOSCHED}'"
Display --indent 2 --text "- Checking default I/O kernel scheduler" --result "${STATUS_FOUND}" --color GREEN Display --indent 2 --text "- Checking default I/O kernel scheduler" --result "${STATUS_FOUND}" --color GREEN
@ -292,7 +292,7 @@
LogText "Description: View all active kernel modules (including kernel)" LogText "Description: View all active kernel modules (including kernel)"
LogText "Test: Checking modules" LogText "Test: Checking modules"
if [ -f /sbin/kldstat ]; then if [ -f /sbin/kldstat ]; then
FIND=`kldstat | ${GREPBINARY} -v 'Name' | ${TRBINARY} -s ' ' | ${CUTBINARY} -d ' ' -f6` FIND=$(kldstat | ${GREPBINARY} -v 'Name' | ${TRBINARY} -s ' ' | ${CUTBINARY} -d ' ' -f6)
if [ $? -eq 0 ]; then if [ $? -eq 0 ]; then
LogText "Loaded modules according kldstat:" LogText "Loaded modules according kldstat:"
N=0 N=0
@ -323,7 +323,7 @@
LogText "Description: View all active kernel modules (including kernel)" LogText "Description: View all active kernel modules (including kernel)"
LogText "Test: Checking modules" LogText "Test: Checking modules"
if [ -f /sbin/kldstat ]; then if [ -f /sbin/kldstat ]; then
FIND=`kldstat | ${GREPBINARY} -v 'Name' | ${TRBINARY} -s ' ' | ${CUTBINARY} -d ' ' -f6` FIND=$(kldstat | ${GREPBINARY} -v 'Name' | ${TRBINARY} -s ' ' | ${CUTBINARY} -d ' ' -f6)
if [ $? -eq 0 ]; then if [ $? -eq 0 ]; then
LogText "Loaded modules according kldstat:" LogText "Loaded modules according kldstat:"
N=0 N=0
@ -350,7 +350,7 @@
Register --test-no KRNL-5770 --os Solaris --weight L --network NO --category security --description "Checking active kernel modules" Register --test-no KRNL-5770 --os Solaris --weight L --network NO --category security --description "Checking active kernel modules"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: searching loaded kernel modules" LogText "Test: searching loaded kernel modules"
FIND=`modinfo -c -w | ${GREPBINARY} -v "UNLOADED" | ${GREPBINARY} LOADED | ${AWKBINARY} '{ print $3 }' | sort` FIND=$(modinfo -c -w | ${GREPBINARY} -v "UNLOADED" | ${GREPBINARY} LOADED | ${AWKBINARY} '{ print $3 }' | sort)
if [ ! "${FIND}" = "" ]; then if [ ! "${FIND}" = "" ]; then
for I in ${FIND}; do for I in ${FIND}; do
LogText "Found module: ${I}" LogText "Found module: ${I}"
@ -394,7 +394,7 @@
LogText "Kernel candidate: ${FINDCAND}" LogText "Kernel candidate: ${FINDCAND}"
if [ -z "${FINDINST}" ]; then if [ -z "${FINDINST}" ]; then
Display --indent 2 --text "- Checking for available kernel update" --result "${STATUS_UNKNOWN}" --color YELLOW Display --indent 2 --text "- Checking for available kernel update" --result "${STATUS_UNKNOWN}" --color YELLOW
LogText "Result: Exception occured, no output from apt-cache policy" LogText "Result: Exception occurred, no output from apt-cache policy"
ReportException "${TEST_NO}:01" ReportException "${TEST_NO}:01"
LogText "Exception: apt-cache policy did not return an installed kernel version" LogText "Exception: apt-cache policy did not return an installed kernel version"
ReportSuggestion ${TEST_NO} "Check the output of apt-cache policy manually to determine why output is empty" ReportSuggestion ${TEST_NO} "Check the output of apt-cache policy manually to determine why output is empty"
@ -523,7 +523,7 @@
fi fi
done done
if [ ! -z "${FINDVERSION}" ]; then if [ ! -z "${FINDVERSION}" ]; then
CURRENT_KERNEL=`uname -r` CURRENT_KERNEL=$(uname -r)
if [ ! "${CURRENT_KERNEL}" = "${FINDVERSION}" ]; then if [ ! "${CURRENT_KERNEL}" = "${FINDVERSION}" ]; then
LogText "Result: reboot needed, as current kernel is different than the one loaded" LogText "Result: reboot needed, as current kernel is different than the one loaded"
REBOOT_NEEDED=1 REBOOT_NEEDED=1
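Review bot: In both kldstat hunks, `if [ $? -eq 0 ]` after `FIND=$(kldstat | ... | ${CUTBINARY} -d ' ' -f6)` tests the exit status of the last pipeline stage (cut), not of kldstat, so the branch is taken even when kldstat fails. Testing the captured output instead, `if [ -n "${FIND}" ]; then`, would make the guard meaningful. The command is also run by bare name although the preceding check is for `/sbin/kldstat`; calling `/sbin/kldstat` directly keeps the audit from resolving it through PATH. Both blocks continue outside their hunks.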


@ -189,7 +189,7 @@
LogText "Test: Searching kernel logger daemon (klogd)" LogText "Test: Searching kernel logger daemon (klogd)"
if [ ${RSYSLOG_RUNNING} -eq 0 -a ${SYSTEMD_JOURNAL_RUNNING} -eq 0 ]; then if [ ${RSYSLOG_RUNNING} -eq 0 -a ${SYSTEMD_JOURNAL_RUNNING} -eq 0 ]; then
# Search for klogd, but ignore other lines related to klogd (like dd with input/output file) # Search for klogd, but ignore other lines related to klogd (like dd with input/output file)
#FIND=`${PSBINARY} ax | ${GREPBINARY} "klogd" | ${GREPBINARY} -v "dd" | ${GREPBINARY} -v "grep"` #FIND=$(${PSBINARY} ax | ${GREPBINARY} "klogd" | ${GREPBINARY} -v "dd" | ${GREPBINARY} -v "grep")
IsRunning klogd IsRunning klogd
if [ ${RUNNING} -eq 1 ]; then if [ ${RUNNING} -eq 1 ]; then
LogText "Result: klogd running" LogText "Result: klogd running"
@ -285,7 +285,7 @@
Register --test-no LOGG-2150 --weight L --preqs-met ${PREQS_MET} --network NO --category security --description "Checking directories in logrotate configuration" Register --test-no LOGG-2150 --weight L --preqs-met ${PREQS_MET} --network NO --category security --description "Checking directories in logrotate configuration"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking which directories can be found in logrotate configuration" LogText "Test: Checking which directories can be found in logrotate configuration"
FIND=`${LOGROTATEBINARY} -d -v /etc/logrotate.conf 2>&1 | ${EGREPBINARY} "considering log|skipping" | ${GREPBINARY} -v '*' | ${SORTBINARY} -u | ${AWKBINARY} '{ if ($2=="log") { print $3 } }' | ${SEDBINARY} 's@/[^/]*$@@g' | ${SORTBINARY} -u` FIND=$(${LOGROTATEBINARY} -d -v /etc/logrotate.conf 2>&1 | ${EGREPBINARY} "considering log|skipping" | ${GREPBINARY} -v '*' | ${SORTBINARY} -u | ${AWKBINARY} '{ if ($2=="log") { print $3 } }' | ${SEDBINARY} 's@/[^/]*$@@g' | ${SORTBINARY} -u)
if [ "${FIND}" = "" ]; then if [ "${FIND}" = "" ]; then
LogText "Result: nothing found" LogText "Result: nothing found"
else else
@ -319,7 +319,7 @@
# Try name resolving if no entry is present in local host file # Try name resolving if no entry is present in local host file
LogText "Result: Checking for loghost via name resolving" LogText "Result: Checking for loghost via name resolving"
FIND=`getent hosts loghost | ${GREPBINARY} loghost` FIND=$(getent hosts loghost | ${GREPBINARY} loghost)
if [ ! -z "${FIND}" ]; then if [ ! -z "${FIND}" ]; then
SOLARIS_LOGHOST_FOUND=1 SOLARIS_LOGHOST_FOUND=1
LogText "Result: name resolving was succesful" LogText "Result: name resolving was succesful"
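Review bot: `LogText "Result: name resolving was succesful"` in the loghost hunk still carries a misspelling that this spelling cleanup missed; it should read `LogText "Result: name resolving was successful"`. In the same hunk `getent` is invoked by bare name, so it is resolved through PATH, while the neighbouring tools go through resolved-path variables such as `${GREPBINARY}`. Using the project's resolved-path variable for getent, if one exists, would be consistent. The surrounding test continues outside the hunk.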


@ -155,7 +155,7 @@
LogText "Test: checking /etc/nodename" LogText "Test: checking /etc/nodename"
if [ -f /etc/nodename ]; then if [ -f /etc/nodename ]; then
LogText "Result: file /etc/nodename exists" LogText "Result: file /etc/nodename exists"
FIND=`cat /etc/nodename` FIND=$(cat /etc/nodename)
LogText "Output: ${FIND}" LogText "Output: ${FIND}"
Display --indent 2 --text "- Checking /etc/nodename" --result "${STATUS_DONE}" --color GREEN Display --indent 2 --text "- Checking /etc/nodename" --result "${STATUS_DONE}" --color GREEN
else else
@ -176,7 +176,7 @@
#LogText "Test: Checking file /etc/domainname" #LogText "Test: Checking file /etc/domainname"
#if [ -f /etc/domainname ]; then #if [ -f /etc/domainname ]; then
# LogText "Result: file /etc/domainname exists" # LogText "Result: file /etc/domainname exists"
# FIND2=`cat /etc/domainname` # FIND2=$(cat /etc/domainname)
# if [ ! "${FIND}" = "" ]; then # if [ ! "${FIND}" = "" ]; then
# LogText "Found domain name: ${FIND}" # LogText "Found domain name: ${FIND}"
# DOMAINNAME="${FIND}" # DOMAINNAME="${FIND}"
@ -267,11 +267,11 @@
if [ ${UNBOUND_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if [ ${UNBOUND_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no NAME-4036 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check Unbound configuration file" Register --test-no NAME-4036 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check Unbound configuration file"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
FIND=`which unbound-checkconf` FIND=$(which unbound-checkconf)
if [ ! "${FIND}" = "" ]; then if [ ! "${FIND}" = "" ]; then
LogText "Test: running unbound-checkconf" LogText "Test: running unbound-checkconf"
# Don't capture any output, just gather exit code (0 is fine, otherwise bad) # Don't capture any output, just gather exit code (0 is fine, otherwise bad)
FIND=`unbound-checkconf > /dev/null 2>&1` FIND=$(unbound-checkconf > /dev/null 2>&1)
if [ $? -eq 0 ]; then if [ $? -eq 0 ]; then
UNBOUND_CONFIG_OK=1 UNBOUND_CONFIG_OK=1
LogText "Result: Configuration is fine" LogText "Result: Configuration is fine"
@ -335,7 +335,7 @@
LogText "Test: searching for named-checkconf binary" LogText "Test: searching for named-checkconf binary"
if [ ! "${NAMEDCHECKCONFBINARY}" = "" ]; then if [ ! "${NAMEDCHECKCONFBINARY}" = "" ]; then
LogText "Result: named-checkconf is installed" LogText "Result: named-checkconf is installed"
FIND=`${NAMEDCHECKCONFBINARY} ${BIND_CONFIG_LOCATION}; echo $?` FIND=$(${NAMEDCHECKCONFBINARY} ${BIND_CONFIG_LOCATION}; echo $?)
if [ "${FIND}" = "0" ]; then if [ "${FIND}" = "0" ]; then
LogText "Result: configuration file ${BIND_CONFIG_LOCATION} seems to be fine" LogText "Result: configuration file ${BIND_CONFIG_LOCATION} seems to be fine"
Display --indent 4 --text "- Checking BIND configuration consistency" --result "${STATUS_OK}" --color GREEN Display --indent 4 --text "- Checking BIND configuration consistency" --result "${STATUS_OK}" --color GREEN
@ -364,7 +364,7 @@
Register --test-no NAME-4210 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check DNS banner" Register --test-no NAME-4210 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check DNS banner"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Trying to determine version from banner" LogText "Test: Trying to determine version from banner"
FIND=`${DIGBINARY} @localhost version.bind chaos txt | ${GREPBINARY} "^version.bind" | ${GREPBINARY} TXT | ${EGREPBINARY} "[0-9].[0-9].[0-9]*"` FIND=$(${DIGBINARY} @localhost version.bind chaos txt | ${GREPBINARY} "^version.bind" | ${GREPBINARY} TXT | ${EGREPBINARY} "[0-9].[0-9].[0-9]*")
if [ "${FIND}" = "" ]; then if [ "${FIND}" = "" ]; then
LogText "Result: no useful information in banner found" LogText "Result: no useful information in banner found"
Display --indent 4 --text "- Checking BIND version in banner" --result "${STATUS_OK}" --color GREEN Display --indent 4 --text "- Checking BIND version in banner" --result "${STATUS_OK}" --color GREEN
@ -470,29 +470,29 @@
################################################################################# #################################################################################
# #
# Test : NAME-4238 # Test : NAME-4238
# Description : Check PowerDNS authoritive status # Description : Check PowerDNS authoritative status
if [ ${POWERDNS_RUNNING} -eq 1 -a ! -z "${POWERDNS_AUTH_CONFIG_LOCATION}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if [ ${POWERDNS_RUNNING} -eq 1 -a ! -z "${POWERDNS_AUTH_CONFIG_LOCATION}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no NAME-4238 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check PowerDNS authoritive status" Register --test-no NAME-4238 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check PowerDNS authoritative status"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking for PowerDNS master status" LogText "Test: Checking for PowerDNS master status"
FIND=$(${GREPBINARY} "^master=yes" ${POWERDNS_AUTH_CONFIG_LOCATION}) FIND=$(${GREPBINARY} "^master=yes" ${POWERDNS_AUTH_CONFIG_LOCATION})
if [ ! -z "${FIND}" ]; then if [ ! -z "${FIND}" ]; then
LogText "Found master=yes in configuration file" LogText "Found master=yes in configuration file"
Display --indent 4 --text "- PowerDNS authoritive master: YES" Display --indent 4 --text "- PowerDNS authoritative master: YES"
POWERDNS_AUTH_MASTER=1 POWERDNS_AUTH_MASTER=1
else else
LogText "Result: most likely not master (no master=yes)" LogText "Result: most likely not master (no master=yes)"
Display --indent 4 --text "- PowerDNS authoritive master: NO" Display --indent 4 --text "- PowerDNS authoritative master: NO"
fi fi
LogText "Test: Checking for PowerDNS slave status" LogText "Test: Checking for PowerDNS slave status"
FIND=$(${GREPBINARY} "^slave=yes" ${POWERDNS_AUTH_CONFIG_LOCATION}) FIND=$(${GREPBINARY} "^slave=yes" ${POWERDNS_AUTH_CONFIG_LOCATION})
if [ ! -z "${FIND}" ]; then if [ ! -z "${FIND}" ]; then
LogText "Found slave=yes in configuration file" LogText "Found slave=yes in configuration file"
Display --indent 4 --text "- PowerDNS authoritive slave: YES" Display --indent 4 --text "- PowerDNS authoritative slave: YES"
POWERDNS_AUTH_SLAVE=1 POWERDNS_AUTH_SLAVE=1
else else
LogText "Result: most likely not slave (no slave=yes)" LogText "Result: most likely not slave (no slave=yes)"
Display --indent 4 --text "- PowerDNS authoritive slave: NO" Display --indent 4 --text "- PowerDNS authoritative slave: NO"
fi fi
fi fi
# #
@ -529,7 +529,7 @@
if [ ${YPBIND_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if [ ${YPBIND_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no NAME-4306 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check NIS domain" Register --test-no NAME-4306 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check NIS domain"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking `domainname` for NIS domain value" LogText "Test: Checking $(domainname) for NIS domain value"
FIND=$(${DOMAINNAMEBINARY} | ${GREPBINARY} -v "(none)") FIND=$(${DOMAINNAMEBINARY} | ${GREPBINARY} -v "(none)")
if [ ! -z "${FIND}" ]; then if [ ! -z "${FIND}" ]; then
LogText "Value: ${FIND}" LogText "Value: ${FIND}"
@ -541,7 +541,7 @@
LogText "Test: Checking file ${ROOTDIR}etc/defaultdomain" LogText "Test: Checking file ${ROOTDIR}etc/defaultdomain"
if [ -f ${ROOTDIR}etc/defaultdomain ]; then if [ -f ${ROOTDIR}etc/defaultdomain ]; then
LogText "Result: file ${ROOTDIR}etc/defaultdomain exists" LogText "Result: file ${ROOTDIR}etc/defaultdomain exists"
FIND2=`cat ${ROOTDIR}etc/defaultdomain` FIND2=$(cat ${ROOTDIR}etc/defaultdomain)
if [ ! -z "${FIND2}" ]; then if [ ! -z "${FIND2}" ]; then
LogText "Output: ${FIND2}" LogText "Output: ${FIND2}"
NISDOMAIN="${FIND2}" NISDOMAIN="${FIND2}"
@ -641,7 +641,7 @@
Register --test-no NAME-4406 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check server hostname mapping" Register --test-no NAME-4406 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check server hostname mapping"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Check server hostname not locally mapped in /etc/hosts" LogText "Test: Check server hostname not locally mapped in /etc/hosts"
sFIND=`${EGREPBINARY} -v '^(#|$)' /etc/hosts | ${EGREPBINARY} '^(localhost|::1)\s' | ${GREPBINARY} -w ${HOSTNAME}` sFIND=$(${EGREPBINARY} -v '^(#|$)' /etc/hosts | ${EGREPBINARY} '^(localhost|::1)\s' | ${GREPBINARY} -w ${HOSTNAME})
if [ ! "${sFIND}" = "" ]; then if [ ! "${sFIND}" = "" ]; then
LogText "Result: Found this server hostname mapped to a local address" LogText "Result: Found this server hostname mapped to a local address"
LogText "Output: ${sFIND}" LogText "Output: ${sFIND}"
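Review bot: The /etc/hosts filter in the NAME-4406 hunk, `${EGREPBINARY} '^(localhost|::1)\s'`, anchors on the first field, which in a hosts file is the address. Lines beginning with 127.0.0.1 therefore never match, and a hostname mapped to IPv4 loopback presumably goes unreported. If loopback addresses were intended, `${EGREPBINARY} '^(127\.|::1[[:space:]])'` covers both families without relying on `\s`. `${GREPBINARY} -w ${HOSTNAME}` should also quote the variable, as `-w -- "${HOSTNAME}"`, so an empty or unusual hostname cannot change the command. The test body continues past the hunk.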


@ -46,12 +46,12 @@
IPV6_ONLY=255 IPV6_ONLY=255
IPV6_MISCONFIGURED=0 IPV6_MISCONFIGURED=0
IPV6_MISCONFIGURED_MTU=0 IPV6_MISCONFIGURED_MTU=0
FIND=`sysctl -a 2> /dev/null | ${GREPBINARY} "^net.ipv6" | ${SEDBINARY} "s/ = /=/"` FIND=$(sysctl -a 2> /dev/null | ${GREPBINARY} "^net.ipv6" | ${SEDBINARY} "s/ = /=/")
if [ ! "${FIND}" = "" ]; then if [ ! "${FIND}" = "" ]; then
IPV6_CONFIGURED=1 IPV6_CONFIGURED=1
for I in ${FIND}; do for I in ${FIND}; do
SYSCTL_KEY=`echo ${I} | ${AWKBINARY} -F= '{ print $1 }'` SYSCTL_KEY=$(echo ${I} | ${AWKBINARY} -F= '{ print $1 }')
SYSCTL_VALUE=`echo ${I} | ${AWKBINARY} -F= '{ print $2 }'` SYSCTL_VALUE=$(echo ${I} | ${AWKBINARY} -F= '{ print $2 }')
case ${SYSCTL_KEY} in case ${SYSCTL_KEY} in
"net.ipv6.conf.default.accept_ra") "net.ipv6.conf.default.accept_ra")
if [ "${SYSCTL_VALUE}" = "1" ]; then IPV6_ACCEPT_RA=1; else IPV6_ACCEPT_RA=0; fi if [ "${SYSCTL_VALUE}" = "1" ]; then IPV6_ACCEPT_RA=1; else IPV6_ACCEPT_RA=0; fi
@ -89,7 +89,7 @@
LogText "Result: IPV6 mode is ${IPV6_MODE}" LogText "Result: IPV6 mode is ${IPV6_MODE}"
if [ ${IPV6_CONFIGURED} -eq 1 ]; then if [ ${IPV6_CONFIGURED} -eq 1 ]; then
Display --indent 2 --text "- Checking IPv6 configuration" --result "${STATUS_ENABLED}" --color WHITE Display --indent 2 --text "- Checking IPv6 configuration" --result "${STATUS_ENABLED}" --color WHITE
STATUS=`echo ${IPV6_MODE} | ${TRBINARY} '[:lower:]' '[:upper:]'` STATUS=$(echo ${IPV6_MODE} | ${TRBINARY} '[:lower:]' '[:upper:]')
Display --indent 6 --text "Configuration method" --result "${STATUS}" --color WHITE Display --indent 6 --text "Configuration method" --result "${STATUS}" --color WHITE
if [ ${IPV6_ONLY} -eq 1 ]; then STATUS="YES"; else STATUS="NO"; fi if [ ${IPV6_ONLY} -eq 1 ]; then STATUS="YES"; else STATUS="NO"; fi
LogText "Result: IPv6 only configuration: ${STATUS}" LogText "Result: IPv6 only configuration: ${STATUS}"
@ -123,7 +123,7 @@
LogText "Test: Checking /etc/resolv.conf file" LogText "Test: Checking /etc/resolv.conf file"
if [ -f /etc/resolv.conf ]; then if [ -f /etc/resolv.conf ]; then
LogText "Result: Found /etc/resolv.conf file" LogText "Result: Found /etc/resolv.conf file"
FIND=`${GREPBINARY} '^nameserver' /etc/resolv.conf | ${TRBINARY} -d '\t' | ${SEDBINARY} 's/nameserver*//g' | uniq` FIND=$(${GREPBINARY} '^nameserver' /etc/resolv.conf | ${TRBINARY} -d '\t' | ${SEDBINARY} 's/nameserver*//g' | uniq)
if [ ! "${FIND}" = "" ]; then if [ ! "${FIND}" = "" ]; then
Display --indent 4 --text "- Testing nameservers" Display --indent 4 --text "- Testing nameservers"
LogText "Test: Querying nameservers" LogText "Test: Querying nameservers"
@ -137,7 +137,7 @@
if [ ! "${DIGBINARY}" = "" ]; then if [ ! "${DIGBINARY}" = "" ]; then
# See if we can query something at the nameserver # See if we can query something at the nameserver
# 0=good, other=bad # 0=good, other=bad
DNSRESPONSE=`${DIGBINARY} +noall +time=3 +retry=0 @${I} ${I} > /dev/null ; echo $?` DNSRESPONSE=$(${DIGBINARY} +noall +time=3 +retry=0 @${I} ${I} > /dev/null ; echo $?)
if [ "${DNSRESPONSE}" = "0" ]; then if [ "${DNSRESPONSE}" = "0" ]; then
Display --indent 8 --text "Nameserver: ${I}" --result "${STATUS_OK}" --color GREEN Display --indent 8 --text "Nameserver: ${I}" --result "${STATUS_OK}" --color GREEN
LogText "Nameserver ${I} seems to respond to queries from this host." LogText "Nameserver ${I} seems to respond to queries from this host."
@ -196,7 +196,7 @@
Register --test-no NETW-3001 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Find default gateway (route)" Register --test-no NETW-3001 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Find default gateway (route)"
if [ $SKIPTEST -eq 0 ]; then if [ $SKIPTEST -eq 0 ]; then
LogText "Test: Searching default gateway(s)" LogText "Test: Searching default gateway(s)"
FIND=`${NETSTATBINARY} -rn | ${EGREPBINARY} "^0.0.0.0|default" | ${TRBINARY} -s ' ' | ${CUTBINARY} -d ' ' -f2` FIND=$(${NETSTATBINARY} -rn | ${EGREPBINARY} "^0.0.0.0|default" | ${TRBINARY} -s ' ' | ${CUTBINARY} -d ' ' -f2)
if [ ! "${FIND}" = "" ]; then if [ ! "${FIND}" = "" ]; then
for I in ${FIND}; do for I in ${FIND}; do
LogText "Result: Found default gateway ${I}" LogText "Result: Found default gateway ${I}"
@ -260,34 +260,34 @@
FIND="" FIND=""
case ${OS} in case ${OS} in
AIX) AIX)
FIND=`lscfg -vl ent* | ${GREPBINARY} "Network Address" | ${CUTBINARY} -d"." -f14 | ${AWKBINARY} '{ ctr=1; i=1; while (ctr <= 6) { d[ctr++]=substr($0,i,2);i=i+2 } printf("%s:%s:%s:%s:%s:%s\n",d[1],d[2],d[3],d[4],d[5],d[6]) }'` FIND=$(lscfg -vl ent* | ${GREPBINARY} "Network Address" | ${CUTBINARY} -d"." -f14 | ${AWKBINARY} '{ ctr=1; i=1; while (ctr <= 6) { d[ctr++]=substr($0,i,2);i=i+2 } printf("%s:%s:%s:%s:%s:%s\n",d[1],d[2],d[3],d[4],d[5],d[6]) }')
;; ;;
DragonFly|FreeBSD) DragonFly|FreeBSD)
FIND=`${IFCONFIGBINARY} -a 2> /dev/null | ${AWKBINARY} '{ if ($1=="ether") print $2 }' | ${SORTBINARY} -u` FIND=$(${IFCONFIGBINARY} -a 2> /dev/null | ${AWKBINARY} '{ if ($1=="ether") print $2 }' | ${SORTBINARY} -u)
;; ;;
Linux) Linux)
if [ ! "${IFCONFIGBINARY}" = "" ]; then if [ ! "${IFCONFIGBINARY}" = "" ]; then
FIND=`${IFCONFIGBINARY} -a 2> /dev/null | ${GREPBINARY} "HWaddr" | ${AWKBINARY} '{ if ($4=="HWaddr") print $5 }' | ${SORTBINARY} -u` FIND=$(${IFCONFIGBINARY} -a 2> /dev/null | ${GREPBINARY} "HWaddr" | ${AWKBINARY} '{ if ($4=="HWaddr") print $5 }' | ${SORTBINARY} -u)
else else
if [ ! "${IPBINARY}" = "" ]; then if [ ! "${IPBINARY}" = "" ]; then
LogText "Test: Using ip binary to gather hardware addresses" LogText "Test: Using ip binary to gather hardware addresses"
FIND=`${IPBINARY} link 2> /dev/null | ${GREPBINARY} "link/ether" | ${AWKBINARY} '{ print $2 }'` FIND=$(${IPBINARY} link 2> /dev/null | ${GREPBINARY} "link/ether" | ${AWKBINARY} '{ print $2 }')
else else
ReportException "${TEST_NO}:2" "Missing ifconfig or ip command to collect hardware address (MAC)" ReportException "${TEST_NO}:2" "Missing ifconfig or ip command to collect hardware address (MAC)"
fi fi
fi fi
;; ;;
macOS) macOS)
FIND=`${IFCONFIGBINARY} -a 2> /dev/null | ${AWKBINARY} '{ if ($1=="lladdr" || $1=="ether") print $2 }' | ${SORTBINARY} -u` FIND=$(${IFCONFIGBINARY} -a 2> /dev/null | ${AWKBINARY} '{ if ($1=="lladdr" || $1=="ether") print $2 }' | ${SORTBINARY} -u)
;; ;;
NetBSD) NetBSD)
FIND=`${IFCONFIGBINARY} -a 2> /dev/null | ${AWKBINARY} '{ if ($1=="address:") print $2 }' | ${SORTBINARY} -u` FIND=$(${IFCONFIGBINARY} -a 2> /dev/null | ${AWKBINARY} '{ if ($1=="address:") print $2 }' | ${SORTBINARY} -u)
;; ;;
OpenBSD) OpenBSD)
FIND=`${IFCONFIGBINARY} -A 2> /dev/null | ${AWKBINARY} '{ if ($1=="lladdr") print $2 }' | ${SORTBINARY} -u` FIND=$(${IFCONFIGBINARY} -A 2> /dev/null | ${AWKBINARY} '{ if ($1=="lladdr") print $2 }' | ${SORTBINARY} -u)
;; ;;
Solaris) Solaris)
FIND=`${IFCONFIGBINARY} -a 2> /dev/null | ${AWKBINARY} '{ if ($1=="ether") print $2 }' | ${SORTBINARY} -u` FIND=$(${IFCONFIGBINARY} -a 2> /dev/null | ${AWKBINARY} '{ if ($1=="ether") print $2 }' | ${SORTBINARY} -u)
;; ;;
*) *)
# Having a system currently unsupported? Share your details to determine MAC information # Having a system currently unsupported? Share your details to determine MAC information
@ -311,39 +311,39 @@
FIND=""; FIND2="" FIND=""; FIND2=""
case ${OS} in case ${OS} in
AIX) AIX)
FIND=`${IFCONFIGBINARY} -a 2> /dev/null | ${AWKBINARY} '{ if ($1=="inet") print $2 }'` FIND=$(${IFCONFIGBINARY} -a 2> /dev/null | ${AWKBINARY} '{ if ($1=="inet") print $2 }')
FIND2=`${IFCONFIGBINARY} -a 2> /dev/null | ${AWKBINARY} '{ if ($1=="inet6") print $2 }'` FIND2=$(${IFCONFIGBINARY} -a 2> /dev/null | ${AWKBINARY} '{ if ($1=="inet6") print $2 }')
;; ;;
DragonFly|FreeBSD|NetBSD) DragonFly|FreeBSD|NetBSD)
FIND=`${IFCONFIGBINARY} -a 2> /dev/null | ${AWKBINARY} '{ if ($1=="inet") print $2 }'` FIND=$(${IFCONFIGBINARY} -a 2> /dev/null | ${AWKBINARY} '{ if ($1=="inet") print $2 }')
FIND2=`${IFCONFIGBINARY} -a 2> /dev/null | ${AWKBINARY} '{ if ($1=="inet6") print $2 }'` FIND2=$(${IFCONFIGBINARY} -a 2> /dev/null | ${AWKBINARY} '{ if ($1=="inet6") print $2 }')
;; ;;
Linux) Linux)
if [ ! "${IFCONFIGBINARY}" = "" ]; then if [ ! "${IFCONFIGBINARY}" = "" ]; then
FIND=`${IFCONFIGBINARY} -a 2> /dev/null | ${AWKBINARY} '{ if ($1=="inet") print $2 }' | ${CUTBINARY} -d ':' -f2` FIND=$(${IFCONFIGBINARY} -a 2> /dev/null | ${AWKBINARY} '{ if ($1=="inet") print $2 }' | ${CUTBINARY} -d ':' -f2)
# Version which works for multiple types of ifconfig (e.g. Slackware) # Version which works for multiple types of ifconfig (e.g. Slackware)
FIND2=`${IFCONFIGBINARY} -a 2> /dev/null | ${AWKBINARY} '{ if ($1=="inet6" && $2=="addr:") { print $3 } else { if ($1=="inet6" && $3=="prefixlen") { print $2 } } }'` FIND2=$(${IFCONFIGBINARY} -a 2> /dev/null | ${AWKBINARY} '{ if ($1=="inet6" && $2=="addr:") { print $3 } else { if ($1=="inet6" && $3=="prefixlen") { print $2 } } }')
else else
if [ ! "${IPBINARY}" = "" ]; then if [ ! "${IPBINARY}" = "" ]; then
LogText "Test: Using ip binary to gather IP addresses" LogText "Test: Using ip binary to gather IP addresses"
FIND=`${IPBINARY} addr 2> /dev/null | ${AWKBINARY} '{ if ($1=="inet") { print $2 }}' | ${SEDBINARY} 's/\/.*//'` FIND=$(${IPBINARY} addr 2> /dev/null | ${AWKBINARY} '{ if ($1=="inet") { print $2 }}' | ${SEDBINARY} 's/\/.*//')
FIND2=`${IPBINARY} addr 2> /dev/null | ${AWKBINARY} '{ if ($1=="inet6") { print $2 }}' | ${SEDBINARY} 's/\/.*//'` FIND2=$(${IPBINARY} addr 2> /dev/null | ${AWKBINARY} '{ if ($1=="inet6") { print $2 }}' | ${SEDBINARY} 's/\/.*//')
else else
ReportException "${TEST_NO}:2" "Missing ifconfig or ip command to collect hardware address (MAC)" ReportException "${TEST_NO}:2" "Missing ifconfig or ip command to collect hardware address (MAC)"
fi fi
fi fi
;; ;;
macOS) macOS)
FIND=`${IFCONFIGBINARY} -a 2> /dev/null | ${AWKBINARY} '{ if ($1=="inet") print $2 }'` FIND=$(${IFCONFIGBINARY} -a 2> /dev/null | ${AWKBINARY} '{ if ($1=="inet") print $2 }')
FIND2=`${IFCONFIGBINARY} -a 2> /dev/null | ${AWKBINARY} '{ if ($1=="inet6") print $2 }'` FIND2=$(${IFCONFIGBINARY} -a 2> /dev/null | ${AWKBINARY} '{ if ($1=="inet6") print $2 }')
;; ;;
OpenBSD) OpenBSD)
FIND=`${IFCONFIGBINARY} -A 2> /dev/null | ${AWKBINARY} '{ if ($1=="inet") print $2 }'` FIND=$(${IFCONFIGBINARY} -A 2> /dev/null | ${AWKBINARY} '{ if ($1=="inet") print $2 }')
FIND2=`${IFCONFIGBINARY} -A 2> /dev/null | ${AWKBINARY} '{ if ($1=="inet6") print $2 }'` FIND2=$(${IFCONFIGBINARY} -A 2> /dev/null | ${AWKBINARY} '{ if ($1=="inet6") print $2 }')
;; ;;
Solaris) Solaris)
FIND=`${IFCONFIGBINARY} -a 2> /dev/null | ${AWKBINARY} '{ if ($1=="inet") print $2 }'` FIND=$(${IFCONFIGBINARY} -a 2> /dev/null | ${AWKBINARY} '{ if ($1=="inet") print $2 }')
FIND2=`${IFCONFIGBINARY} -a 2> /dev/null | ${AWKBINARY} '{ if ($1=="inet6") print $2 }'` FIND2=$(${IFCONFIGBINARY} -a 2> /dev/null | ${AWKBINARY} '{ if ($1=="inet6") print $2 }')
;; ;;
*) *)
LogText "Result: no support yet for this OS (${OS}) to find IP address information. You can help improving this test by submitting your details." LogText "Result: no support yet for this OS (${OS}) to find IP address information. You can help improving this test by submitting your details."
@ -377,7 +377,7 @@
case ${OS} in case ${OS} in
DragonFly|FreeBSD) DragonFly|FreeBSD)
if [ ! "${SOCKSTATBINARY}" = "" ]; then if [ ! "${SOCKSTATBINARY}" = "" ]; then
FIND=`${SOCKSTATBINARY} | ${AWKBINARY} '{ if ($7 ~ /\*:\*/) print $5"|"$6"|"$2"|" }' | ${SORTBINARY} -u` FIND=$(${SOCKSTATBINARY} | ${AWKBINARY} '{ if ($7 ~ /\*:\*/) print $5"|"$6"|"$2"|" }' | ${SORTBINARY} -u)
# To strip off IP's: ${SEDBINARY} 's/|.*:/|/' # To strip off IP's: ${SEDBINARY} 's/|.*:/|/'
else else
FIND="" FIND=""
@ -387,15 +387,15 @@
Linux) Linux)
if [ ! "${NETSTATBINARY}" = "" ]; then if [ ! "${NETSTATBINARY}" = "" ]; then
# UDP # UDP
FIND=`${NETSTATBINARY} -nlp 2> /dev/null | ${GREPBINARY} "^udp" | ${AWKBINARY} '{ print $4"|"$1"|"$6"|" }' | ${SEDBINARY} 's:|[0-9]*/:|:'` FIND=$(${NETSTATBINARY} -nlp 2> /dev/null | ${GREPBINARY} "^udp" | ${AWKBINARY} '{ print $4"|"$1"|"$6"|" }' | ${SEDBINARY} 's:|[0-9]*/:|:')
# TCP # TCP
FIND2=`${NETSTATBINARY} -nlp 2> /dev/null | ${GREPBINARY} "^tcp" | ${AWKBINARY} '{ if($6=="LISTEN") { print $4"|"$1"|"$7"|" }}' | ${SEDBINARY} 's:|[0-9]*/:|:'` FIND2=$(${NETSTATBINARY} -nlp 2> /dev/null | ${GREPBINARY} "^tcp" | ${AWKBINARY} '{ if($6=="LISTEN") { print $4"|"$1"|"$7"|" }}' | ${SEDBINARY} 's:|[0-9]*/:|:')
else else
if [ ! "${SSBINARY}" = "" ]; then if [ ! "${SSBINARY}" = "" ]; then
# UDP # UDP
FIND=`${SSBINARY} -u -a -n 2> /dev/null | ${AWKBINARY} '{ print $4 }' | ${GREPBINARY} -v Local` FIND=$(${SSBINARY} -u -a -n 2> /dev/null | ${AWKBINARY} '{ print $4 }' | ${GREPBINARY} -v Local)
# TCP # TCP
FIND2=`${SSBINARY} -t -a -n 2> /dev/null | ${AWKBINARY} '{ print $4 }' | ${GREPBINARY} -v Local` FIND2=$(${SSBINARY} -t -a -n 2> /dev/null | ${AWKBINARY} '{ print $4 }' | ${GREPBINARY} -v Local)
else else
ReportException "${TEST_NO}:1" "netstat and ss binary missing to gather listening ports" ReportException "${TEST_NO}:1" "netstat and ss binary missing to gather listening ports"
fi fi
@ -405,7 +405,7 @@
macOS) macOS)
if [ ! "${LSOFBINARY}" = "" ]; then if [ ! "${LSOFBINARY}" = "" ]; then
# UDP and TCP combined # UDP and TCP combined
FIND=`${LSOFBINARY} -i -P | ${AWKBINARY} '{ print $9"|"$8"|"$1"|" }' | ${SEDBINARY} 's/\(.*\)\-\>.*\(\|.*\)/\1\2/' | ${SEDBINARY} 's/\*/'$IP'/' | ${SORTBINARY} -u | ${GREPBINARY} -v "NAME"` FIND=$(${LSOFBINARY} -i -P | ${AWKBINARY} '{ print $9"|"$8"|"$1"|" }' | ${SEDBINARY} 's/\(.*\)\-\>.*\(\|.*\)/\1\2/' | ${SEDBINARY} 's/\*/'$IP'/' | ${SORTBINARY} -u | ${GREPBINARY} -v "NAME")
else else
FIND="" FIND=""
fi fi
@ -416,7 +416,7 @@
NetBSD) NetBSD)
if [ ! "${SOCKSTATBINARY}" = "" ]; then if [ ! "${SOCKSTATBINARY}" = "" ]; then
FIND=`${SOCKSTATBINARY} 2> /dev/null | ${AWKBINARY} '{ if ($7 ~ /\*.\*/) print $5"|"$6"|"$2"|" }' | ${SORTBINARY} -u` FIND=$(${SOCKSTATBINARY} 2> /dev/null | ${AWKBINARY} '{ if ($7 ~ /\*.\*/) print $5"|"$6"|"$2"|" }' | ${SORTBINARY} -u)
else else
FIND="" FIND=""
fi fi
@ -425,9 +425,9 @@
OpenBSD) OpenBSD)
if [ ! "${NETSTATBINARY}" = "" ]; then if [ ! "${NETSTATBINARY}" = "" ]; then
# UDP # UDP
FIND=`${NETSTATBINARY} -an 2> /dev/null | ${GREPBINARY} "^udp" | ${AWKBINARY} '{ print $4"|"$1"||" }'` FIND=$(${NETSTATBINARY} -an 2> /dev/null | ${GREPBINARY} "^udp" | ${AWKBINARY} '{ print $4"|"$1"||" }')
# TCP # TCP
FIND2=`${NETSTATBINARY} -an 2> /dev/null | ${GREPBINARY} "^tcp" | ${AWKBINARY} '{ if($6=="LISTEN") { print $4"|"$1"||" }}'` FIND2=$(${NETSTATBINARY} -an 2> /dev/null | ${GREPBINARY} "^tcp" | ${AWKBINARY} '{ if($6=="LISTEN") { print $4"|"$1"||" }}')
else else
ReportException "${TEST_NO}:3" "netstat missing to gather listening ports" ReportException "${TEST_NO}:3" "netstat missing to gather listening ports"
fi fi
@ -472,14 +472,14 @@
Register --test-no NETW-3014 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking promiscuous interfaces (BSD)" Register --test-no NETW-3014 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking promiscuous interfaces (BSD)"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking promiscuous interfaces (FreeBSD)" LogText "Test: Checking promiscuous interfaces (FreeBSD)"
FIND=`${IFCONFIGBINARY} 2> /dev/null | ${GREPBINARY} PROMISC | ${CUTBINARY} -d ':' -f1` FIND=$(${IFCONFIGBINARY} 2> /dev/null | ${GREPBINARY} PROMISC | ${CUTBINARY} -d ':' -f1)
if [ ! "${FIND}" = "" ]; then if [ ! "${FIND}" = "" ]; then
LogText "Result: Promiscuous interfaces: ${FIND}" LogText "Result: Promiscuous interfaces: ${FIND}"
for I in ${FIND}; do for I in ${FIND}; do
WHITELISTED=0 WHITELISTED=0
for PROFILE in ${PROFILES}; do for PROFILE in ${PROFILES}; do
Debug "Checking if interface ${I} is whitelisted in profile ${PROFILE}" Debug "Checking if interface ${I} is whitelisted in profile ${PROFILE}"
ISWHITELISTED=`${GREPBINARY} "^if_promisc:${I}:" ${PROFILE}` ISWHITELISTED=$(${GREPBINARY} "^if_promisc:${I}:" ${PROFILE})
if [ ! "${ISWHITELISTED}" = "" ]; then if [ ! "${ISWHITELISTED}" = "" ]; then
WHITELISTED=1 WHITELISTED=1
LogText "Result: this interface was whitelisted in profile (${PROFILE})" LogText "Result: this interface was whitelisted in profile (${PROFILE})"
@ -514,13 +514,13 @@
Register --test-no NETW-3015 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking promiscuous interfaces (Linux)" Register --test-no NETW-3015 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking promiscuous interfaces (Linux)"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking promiscuous interfaces (Linux)" LogText "Test: Checking promiscuous interfaces (Linux)"
NETWORK=`${IFCONFIGBINARY} 2> /dev/null | ${GREPBINARY} Link | ${TRBINARY} -s ' ' | ${CUTBINARY} -d ' ' -f1` NETWORK=$(${IFCONFIGBINARY} 2> /dev/null | ${GREPBINARY} Link | ${TRBINARY} -s ' ' | ${CUTBINARY} -d ' ' -f1)
if [ ! "${NETWORK}" = "" ]; then if [ ! "${NETWORK}" = "" ]; then
for I in ${NETWORK}; do for I in ${NETWORK}; do
FIND=`${IFCONFIGBINARY} ${I} 2> /dev/null | ${GREPBINARY} PROMISC` FIND=$(${IFCONFIGBINARY} ${I} 2> /dev/null | ${GREPBINARY} PROMISC)
if [ ! "${FIND}" = "" ]; then if [ ! "${FIND}" = "" ]; then
LogText "Result: Promiscuous interface: ${I}" LogText "Result: Promiscuous interface: ${I}"
ISWHITELISTED=`${GREPBINARY} "^if_promisc:${I}:" ${PROFILE}` ISWHITELISTED=$(${GREPBINARY} "^if_promisc:${I}:" ${PROFILE})
if [ "${ISWHITELISTED}" = "" ]; then if [ "${ISWHITELISTED}" = "" ]; then
FOUNDPROMISC=1 FOUNDPROMISC=1
ReportWarning ${TEST_NO} "Found promiscuous interface (${I})" ReportWarning ${TEST_NO} "Found promiscuous interface (${I})"


@ -87,7 +87,7 @@
# #
# Test : PKGS-7303 # Test : PKGS-7303
# Description : Query brew package manager # Description : Query brew package manager
FIND=`which brew 2> /dev/null` FIND=$(which brew 2> /dev/null)
if [ ! "${FIND}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if [ ! "${FIND}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PKGS-7303 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Query brew package manager" Register --test-no PKGS-7303 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Query brew package manager"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
@ -97,7 +97,7 @@
LogText "Test: Querying brew to get package list" LogText "Test: Querying brew to get package list"
Display --indent 4 --text "- Querying brew for installed packages" Display --indent 4 --text "- Querying brew for installed packages"
LogText "Output:"; LogText "-----" LogText "Output:"; LogText "-----"
GPACKAGES=`brew list` GPACKAGES=$(brew list)
for J in ${GPACKAGES}; do for J in ${GPACKAGES}; do
LogText "Found package ${J}" LogText "Found package ${J}"
INSTALLED_PACKAGES="${INSTALLED_PACKAGES}|${J}" INSTALLED_PACKAGES="${INSTALLED_PACKAGES}|${J}"
@ -166,7 +166,7 @@
LogText "Test: Querying 'rpm -qa' to get package list" LogText "Test: Querying 'rpm -qa' to get package list"
Display --indent 6 --text "- Querying RPM package manager" Display --indent 6 --text "- Querying RPM package manager"
LogText "Output:"; LogText "--------" LogText "Output:"; LogText "--------"
SPACKAGES=`${RPMBINARY} -qa --queryformat "%{NAME},%{VERSION}-%{RELEASE}.%{ARCH}\n" 2> /dev/null | sort` SPACKAGES=$(${RPMBINARY} -qa --queryformat "%{NAME},%{VERSION}-%{RELEASE}.%{ARCH}\n" 2> /dev/null | sort)
if [ "${SPACKAGES}" = "" ]; then if [ "${SPACKAGES}" = "" ]; then
LogText "Result: RPM binary available, but package list seems to be empty" LogText "Result: RPM binary available, but package list seems to be empty"
LogText "Info: looks like the rpm binary is installed, but not used for package installation" LogText "Info: looks like the rpm binary is installed, but not used for package installation"
@ -199,15 +199,15 @@
LogText "Test: Querying 'pacman -Q' to get package list" LogText "Test: Querying 'pacman -Q' to get package list"
Display --indent 6 --text "- Querying pacman package manager" Display --indent 6 --text "- Querying pacman package manager"
LogText "Output:"; LogText "--------" LogText "Output:"; LogText "--------"
SPACKAGES=`${PACMANBINARY} -Q | ${SORTBINARY} | ${SEDBINARY} 's/ /,/g'` SPACKAGES=$(${PACMANBINARY} -Q | ${SORTBINARY} | ${SEDBINARY} 's/ /,/g')
if [ "${SPACKAGES}" = "" ]; then if [ "${SPACKAGES}" = "" ]; then
LogText "Result: pacman binary available, but package list seems to be empty" LogText "Result: pacman binary available, but package list seems to be empty"
LogText "Info: looks like the pacman binary is installed, but not used for package installation" LogText "Info: looks like the pacman binary is installed, but not used for package installation"
else else
for J in ${SPACKAGES}; do for J in ${SPACKAGES}; do
N=$((N + 1)) N=$((N + 1))
PACKAGE_NAME=`echo ${J} | ${AWKBINARY} -F, '{ print $1 }'` PACKAGE_NAME=$(echo ${J} | ${AWKBINARY} -F, '{ print $1 }')
PACKAGE_VERSION=`echo ${J} | ${AWKBINARY} -F, '{ print $2 }'` PACKAGE_VERSION=$(echo ${J} | ${AWKBINARY} -F, '{ print $2 }')
LogText "Found package: ${PACKAGE_NAME} (version: ${PACKAGE_VERSION})" LogText "Found package: ${PACKAGE_NAME} (version: ${PACKAGE_VERSION})"
INSTALLED_PACKAGES="${INSTALLED_PACKAGES}|${J}" INSTALLED_PACKAGES="${INSTALLED_PACKAGES}|${J}"
done done
@ -225,7 +225,7 @@
FOUND=0 FOUND=0
FIND=$(which checkupdates 2> /dev/null) FIND=$(which checkupdates 2> /dev/null)
if [ ! -z "${FIND}" ]; then if [ ! -z "${FIND}" ]; then
FIND=`checkupdates` FIND=$(checkupdates)
for I in ${FIND}; do for I in ${FIND}; do
LogText "Result: update available for ${I}" LogText "Result: update available for ${I}"
Report "available_update[]=${I}" Report "available_update[]=${I}"
@ -255,17 +255,17 @@
COUNT=0 COUNT=0
# Check configuration options (options start with a capital) # Check configuration options (options start with a capital)
LogText "Test: searching configured options in ${PACMANCONF}" LogText "Test: searching configured options in ${PACMANCONF}"
FIND=`${GREPBINARY} "^[A-Z]" ${PACMANCONF} | ${SORTBINARY} -u | ${SEDBINARY} 's/ /:space:/g'` FIND=$(${GREPBINARY} "^[A-Z]" ${PACMANCONF} | ${SORTBINARY} -u | ${SEDBINARY} 's/ /:space:/g')
for I in ${FIND}; do for I in ${FIND}; do
PMOPTION=`echo ${I} | ${SEDBINARY} 's/:space:/ /g' | ${AWKBINARY} -F= '{ print $1 }'` PMOPTION=$(echo ${I} | ${SEDBINARY} 's/:space:/ /g' | ${AWKBINARY} -F= '{ print $1 }')
PMVALUE=`echo ${I} | ${SEDBINARY} 's/:space:/ /g' | ${AWKBINARY} -F= '{ print $2 }'` PMVALUE=$(echo ${I} | ${SEDBINARY} 's/:space:/ /g' | ${AWKBINARY} -F= '{ print $2 }')
LogText "Result: found option ${PMOPTION} configured with value ${PMVALUE}" LogText "Result: found option ${PMOPTION} configured with value ${PMVALUE}"
Report "pacman_option[]=${PMOPTION}:${PMVALUE}:" Report "pacman_option[]=${PMOPTION}:${PMVALUE}:"
done done
# Check software repositories # Check software repositories
LogText "Test: checking available repositories" LogText "Test: checking available repositories"
FIND=`${GREPBINARY} "^\[.*\]$" ${PACMANCONF} | ${TRBINARY} -d '[]'` FIND=$(${GREPBINARY} "^\[.*\]$" ${PACMANCONF} | ${TRBINARY} -d '[]')
for I in ${FIND}; do for I in ${FIND}; do
COUNT=$((COUNT + 1)) COUNT=$((COUNT + 1))
Report "package_repository[]=${I}" Report "package_repository[]=${I}"
@ -325,7 +325,7 @@
N=0 N=0
PACKAGE_AUDIT_TOOL_FOUND=1 PACKAGE_AUDIT_TOOL_FOUND=1
PACKAGE_AUDIT_TOOL="zypper" PACKAGE_AUDIT_TOOL="zypper"
FIND=`${ZYPPERBINARY} -n se -t package -i | ${AWKBINARY} '{ if ($1=="i") { print $3 } }'` FIND=$(${ZYPPERBINARY} -n se -t package -i | ${AWKBINARY} '{ if ($1=="i") { print $3 } }')
if [ ! "${FIND}" = "" ]; then if [ ! "${FIND}" = "" ]; then
for I in ${FIND}; do for I in ${FIND}; do
N=$((N + 1)) N=$((N + 1))
@ -346,7 +346,7 @@
if [ ! "${ZYPPERBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if [ ! "${ZYPPERBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PKGS-7330 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Querying Zypper for vulnerable packages" Register --test-no PKGS-7330 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Querying Zypper for vulnerable packages"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
FIND=`${ZYPPERBINARY} -n pchk | ${GREPBINARY} "(0 security patches)"` FIND=$(${ZYPPERBINARY} -n pchk | ${GREPBINARY} "(0 security patches)")
if [ ! "${FIND}" = "" ]; then if [ ! "${FIND}" = "" ]; then
LogText "Result: No security updates found with Zypper" LogText "Result: No security updates found with Zypper"
Display --indent 2 --text "- Using Zypper to find vulnerable packages" --result "${STATUS_NONE}" --color GREEN Display --indent 2 --text "- Using Zypper to find vulnerable packages" --result "${STATUS_NONE}" --color GREEN
@ -355,7 +355,7 @@
LogText "Result: Zypper found one or more installed packages which are vulnerable." LogText "Result: Zypper found one or more installed packages which are vulnerable."
ReportWarning ${TEST_NO} "Found one or more vulnerable packages installed" ReportWarning ${TEST_NO} "Found one or more vulnerable packages installed"
# Unfortunately zypper does not properly give back which package it is. Usually best guess is last word on the line # Unfortunately zypper does not properly give back which package it is. Usually best guess is last word on the line
FIND=`${ZYPPERBINARY} -n lp | ${AWKBINARY} '{ if ($5=="security" || $7=="security") { print $NF }}' | ${SEDBINARY} 's/:$//' | ${GREPBINARY} -v "^$" | ${SORTBINARY} -u` FIND=$(${ZYPPERBINARY} -n lp | ${AWKBINARY} '{ if ($5=="security" || $7=="security") { print $NF }}' | ${SEDBINARY} 's/:$//' | ${GREPBINARY} -v "^$" | ${SORTBINARY} -u)
LogText "List of vulnerable packages/version:" LogText "List of vulnerable packages/version:"
for I in ${FIND}; do for I in ${FIND}; do
VULNERABLE_PACKAGES_FOUND=1 VULNERABLE_PACKAGES_FOUND=1
@ -381,11 +381,11 @@
LogText "Test: Querying dpkg -l to get package list" LogText "Test: Querying dpkg -l to get package list"
Display --indent 6 --text "- Querying package manager" Display --indent 6 --text "- Querying package manager"
LogText "Output:" LogText "Output:"
SPACKAGES=`dpkg -l 2>/dev/null | ${GREPBINARY} "^ii" | ${TRBINARY} -s ' ' | ${TRBINARY} ' ' ',' | sort` SPACKAGES=$(dpkg -l 2>/dev/null | ${GREPBINARY} "^ii" | ${TRBINARY} -s ' ' | ${TRBINARY} ' ' ',' | sort)
for J in ${SPACKAGES}; do for J in ${SPACKAGES}; do
N=$((N + 1)) N=$((N + 1))
PACKAGE_NAME=`echo ${J} | ${CUTBINARY} -d ',' -f2` PACKAGE_NAME=$(echo ${J} | ${CUTBINARY} -d ',' -f2)
PACKAGE_VERSION=`echo ${J} | ${CUTBINARY} -d ',' -f3` PACKAGE_VERSION=$(echo ${J} | ${CUTBINARY} -d ',' -f3)
LogText "Found package: ${PACKAGE_NAME} (version: ${PACKAGE_VERSION})" LogText "Found package: ${PACKAGE_NAME} (version: ${PACKAGE_VERSION})"
INSTALLED_PACKAGES="${INSTALLED_PACKAGES}|${PACKAGE_NAME},${PACKAGE_VERSION}" INSTALLED_PACKAGES="${INSTALLED_PACKAGES}|${PACKAGE_NAME},${PACKAGE_VERSION}"
done done
@ -398,13 +398,13 @@
# #
# Test : PKGS-7346 # Test : PKGS-7346
# Description : Check packages which are removed, but still own configuration files, cron jobs etc # Description : Check packages which are removed, but still own configuration files, cron jobs etc
# Notes : Cleanup: for pkg in `dpkg -l | ${GREPBINARY} "^rc" | ${CUTBINARY} -d' ' -f3`; do aptitude purge ${pkg}; done # Notes : Cleanup: for pkg in $(dpkg -l | ${GREPBINARY} "^rc" | ${CUTBINARY} -d' ' -f3); do aptitude purge ${pkg}; done
if [ -x /usr/bin/dpkg ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if [ -x /usr/bin/dpkg ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PKGS-7346 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Search unpurged packages on system" Register --test-no PKGS-7346 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Search unpurged packages on system"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
N=0 N=0
LogText "Test: Querying dpkg -l to get unpurged packages" LogText "Test: Querying dpkg -l to get unpurged packages"
SPACKAGES=`dpkg -l 2>/dev/null | ${GREPBINARY} "^rc" | ${CUTBINARY} -d ' ' -f3 | sort` SPACKAGES=$(dpkg -l 2>/dev/null | ${GREPBINARY} "^rc" | ${CUTBINARY} -d ' ' -f3 | sort)
if [ "${SPACKAGES}" = "" ]; then if [ "${SPACKAGES}" = "" ]; then
Display --indent 4 --text "- Query unpurged packages" --result "${STATUS_NONE}" --color GREEN Display --indent 4 --text "- Query unpurged packages" --result "${STATUS_NONE}" --color GREEN
LogText "Result: no packages found with left overs" LogText "Result: no packages found with left overs"
@ -432,7 +432,7 @@
Register --test-no PKGS-7348 --os FreeBSD --weight L --network NO --category security --description "Check for old distfiles" Register --test-no PKGS-7348 --os FreeBSD --weight L --network NO --category security --description "Check for old distfiles"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
if [ -x /usr/local/sbin/portsclean ]; then if [ -x /usr/local/sbin/portsclean ]; then
FIND=`/usr/local/sbin/portsclean -n -DD | ${GREPBINARY} 'Delete' | wc -l | ${TRBINARY} -d ' '` FIND=$(/usr/local/sbin/portsclean -n -DD | ${GREPBINARY} 'Delete' | wc -l | ${TRBINARY} -d ' ')
if [ ${FIND} -eq 0 ]; then if [ ${FIND} -eq 0 ]; then
Display --indent 2 --text "- Checking presence old distfiles" --result "${STATUS_OK}" --color GREEN Display --indent 2 --text "- Checking presence old distfiles" --result "${STATUS_OK}" --color GREEN
LogText "Result: no unused distfiles found" LogText "Result: no unused distfiles found"
@ -459,11 +459,11 @@
PACKAGE_AUDIT_TOOL_FOUND=1 PACKAGE_AUDIT_TOOL_FOUND=1
PACKAGE_AUDIT_TOOL="dnf" PACKAGE_AUDIT_TOOL="dnf"
SPACKAGES=`${DNFBINARY} -q list installed 2> /dev/null | ${AWKBINARY} '{ if ($1!="Installed" && $1!="Last") {print $1","$2 }}'` SPACKAGES=$(${DNFBINARY} -q list installed 2> /dev/null | ${AWKBINARY} '{ if ($1!="Installed" && $1!="Last") {print $1","$2 }}')
for J in ${SPACKAGES}; do for J in ${SPACKAGES}; do
N=$((N + 1)) N=$((N + 1))
PACKAGE_NAME=`echo ${J} | ${CUTBINARY} -d ',' -f1` PACKAGE_NAME=$(echo ${J} | ${CUTBINARY} -d ',' -f1)
PACKAGE_VERSION=`echo ${J} | ${CUTBINARY} -d ',' -f2` PACKAGE_VERSION=$(echo ${J} | ${CUTBINARY} -d ',' -f2)
LogText "Found package: ${PACKAGE_NAME} (version: ${PACKAGE_VERSION})" LogText "Found package: ${PACKAGE_NAME} (version: ${PACKAGE_VERSION})"
INSTALLED_PACKAGES="${INSTALLED_PACKAGES}|${PACKAGE_NAME},${PACKAGE_VERSION}" INSTALLED_PACKAGES="${INSTALLED_PACKAGES}|${PACKAGE_NAME},${PACKAGE_VERSION}"
done done
@ -477,7 +477,7 @@
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
# Check for security updates # Check for security updates
LogText "Action: checking updateinfo for security updates" LogText "Action: checking updateinfo for security updates"
FIND=`${DNFBINARY} -q updateinfo list sec 2> /dev/null | ${AWKBINARY} '{ if ($2=="security") { print $3 }}'` FIND=$(${DNFBINARY} -q updateinfo list sec 2> /dev/null | ${AWKBINARY} '{ if ($2=="security") { print $3 }}')
if [ ! "${FIND}" = "" ]; then if [ ! "${FIND}" = "" ]; then
VULNERABLE_PACKAGES_FOUND=1 VULNERABLE_PACKAGES_FOUND=1
LogText "Result: found vulnerable packages, upgrade of system needed." LogText "Result: found vulnerable packages, upgrade of system needed."
@ -503,7 +503,7 @@
Register --test-no "PKGS-7354" --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking package database integrity" Register --test-no "PKGS-7354" --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking package database integrity"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
# Check if repoquery plugin is available # Check if repoquery plugin is available
FIND=`${DNFBINARY} 2>&1 | ${GREPBINARY} "^repoquery"` FIND=$(${DNFBINARY} 2>&1 | ${GREPBINARY} "^repoquery")
if [ ! "${FIND}" = "" ]; then if [ ! "${FIND}" = "" ]; then
LogText "Action: checking integrity of package database" LogText "Action: checking integrity of package database"
FIND=$(${DNFBINARY} -q repoquery --duplicated) FIND=$(${DNFBINARY} -q repoquery --duplicated)
@ -511,7 +511,7 @@
LogText "Result: found unexpected result on repoquery --duplicated" LogText "Result: found unexpected result on repoquery --duplicated"
ReportSuggestion "${TEST_NO}" "Check output of: dnf repoquery --duplicated" ReportSuggestion "${TEST_NO}" "Check output of: dnf repoquery --duplicated"
fi fi
FIND=`${DNFBINARY} -q repoquery --unsatisfied` FIND=$(${DNFBINARY} -q repoquery --unsatisfied)
if [ ! "${FIND}" = "" ]; then if [ ! "${FIND}" = "" ]; then
LogText "Result: found unexpected result on repoquery --unsatisfied" LogText "Result: found unexpected result on repoquery --unsatisfied"
ReportSuggestion "${TEST_NO}" "Check output of: dnf repoquery --unsatisfied" ReportSuggestion "${TEST_NO}" "Check output of: dnf repoquery --unsatisfied"
@ -566,7 +566,7 @@
Display --indent 4 --text "- debsums utility" --result "${STATUS_FOUND}" --color GREEN Display --indent 4 --text "- debsums utility" --result "${STATUS_FOUND}" --color GREEN
AddHP 1 1 AddHP 1 1
# Check in /etc/cron.hourly, daily, weekly, monthly etc # Check in /etc/cron.hourly, daily, weekly, monthly etc
COUNT=`find /etc/cron* -name debsums | wc -l` COUNT=$(find /etc/cron* -name debsums | wc -l)
if [ ${COUNT} -gt 0 ]; then if [ ${COUNT} -gt 0 ]; then
LogText "Result: Cron job is configured for debsums utility." LogText "Result: Cron job is configured for debsums utility."
Display --indent 6 --text "- Cron job for debsums" --result "${STATUS_FOUND}" --color GREEN Display --indent 6 --text "- Cron job for debsums" --result "${STATUS_FOUND}" --color GREEN
@ -593,7 +593,7 @@
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
N=0 N=0
LogText "Test: Querying portmaster for possible port upgrades" LogText "Test: Querying portmaster for possible port upgrades"
UPACKAGES=`/usr/local/sbin/portmaster -L | ${GREPBINARY} "version available" | ${AWKBINARY} '{ print $5 }'` UPACKAGES=$(/usr/local/sbin/portmaster -L | ${GREPBINARY} "version available" | ${AWKBINARY} '{ print $5 }')
for J in ${UPACKAGES}; do for J in ${UPACKAGES}; do
N=$((N + 1)) N=$((N + 1))
LogText "Upgrade available (new version): ${J}" LogText "Upgrade available (new version): ${J}"
@ -618,7 +618,7 @@
PACKAGE_AUDIT_TOOL_FOUND=1 PACKAGE_AUDIT_TOOL_FOUND=1
PACKAGE_AUDIT_TOOL="pkg_admin audit" PACKAGE_AUDIT_TOOL="pkg_admin audit"
if [ -f /var/db/pkg/pkgs-vulnerabilities ]; then if [ -f /var/db/pkg/pkgs-vulnerabilities ]; then
FIND=`/usr/sbin/pkg_admin audit` FIND=$(/usr/sbin/pkg_admin audit)
if [ "${FIND}" = "" ]; then if [ "${FIND}" = "" ]; then
LogText "Result: pkg_admin audit results are clean" LogText "Result: pkg_admin audit results are clean"
Display --indent 2 --text "- Checking pkg_admin audit to obtain vulnerable packages" --result "${STATUS_NONE}" --color GREEN Display --indent 2 --text "- Checking pkg_admin audit to obtain vulnerable packages" --result "${STATUS_NONE}" --color GREEN
@ -628,7 +628,7 @@
LogText "Result: pkg_admin audit found one or more installed packages which are vulnerable." LogText "Result: pkg_admin audit found one or more installed packages which are vulnerable."
ReportWarning ${TEST_NO} "Found one or more vulnerable packages." ReportWarning ${TEST_NO} "Found one or more vulnerable packages."
LogText "List of vulnerable packages/version:" LogText "List of vulnerable packages/version:"
for I in `/usr/sbin/pkg_admin audit | ${AWKBINARY} '{ print $2 }' | ${SORTBINARY} -u`; do for I in $(/usr/sbin/pkg_admin audit | ${AWKBINARY} '{ print $2 }' | ${SORTBINARY} -u); do
VULNERABLE_PACKAGES_FOUND=1 VULNERABLE_PACKAGES_FOUND=1
Report "vulnerable_package[]=${I}" Report "vulnerable_package[]=${I}"
LogText "Vulnerable package: ${I}" LogText "Vulnerable package: ${I}"
@ -697,7 +697,7 @@
Register --test-no PKGS-7382 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for vulnerable FreeBSD packages with portaudit" Register --test-no PKGS-7382 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for vulnerable FreeBSD packages with portaudit"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
PACKAGE_AUDIT_TOOL_FOUND=1 PACKAGE_AUDIT_TOOL_FOUND=1
FIND=`/usr/local/sbin/portaudit | ${GREPBINARY} 'problem(s) in your installed packages found' | ${GREPBINARY} -v '0 problem(s) in your installed packages found'` FIND=$(/usr/local/sbin/portaudit | ${GREPBINARY} 'problem(s) in your installed packages found' | ${GREPBINARY} -v '0 problem(s) in your installed packages found')
if [ "${FIND}" = "" ]; then if [ "${FIND}" = "" ]; then
LogText "Result: Portaudit results are clean" LogText "Result: Portaudit results are clean"
Display --indent 2 --text "- Checking portaudit to obtain vulnerable packages" --result "${STATUS_NONE}" --color GREEN Display --indent 2 --text "- Checking portaudit to obtain vulnerable packages" --result "${STATUS_NONE}" --color GREEN
@ -708,7 +708,7 @@
ReportWarning ${TEST_NO} "Found one or more vulnerable packages." ReportWarning ${TEST_NO} "Found one or more vulnerable packages."
ReportSuggestion ${TEST_NO} "Update your system with portupgrade or other tools" ReportSuggestion ${TEST_NO} "Update your system with portupgrade or other tools"
LogText "List of vulnerable packages/version:" LogText "List of vulnerable packages/version:"
for I in `/usr/local/sbin/portaudit | ${GREPBINARY} "Affected package" | ${CUTBINARY} -d ' ' -f3 | ${SORTBINARY} -u`; do for I in $(/usr/local/sbin/portaudit | ${GREPBINARY} "Affected package" | ${CUTBINARY} -d ' ' -f3 | ${SORTBINARY} -u); do
VULNERABLE_PACKAGES_FOUND=1 VULNERABLE_PACKAGES_FOUND=1
Report "vulnerable_package[]=${I}" Report "vulnerable_package[]=${I}"
LogText "Vulnerable package: ${I}" LogText "Vulnerable package: ${I}"
@ -749,7 +749,7 @@
LogText "Result: found YUM utils package (/usr/bin/package-cleanup)" LogText "Result: found YUM utils package (/usr/bin/package-cleanup)"
# Check for duplicates # Check for duplicates
LogText "Test: Checking for duplicate packages" LogText "Test: Checking for duplicate packages"
FIND=`/usr/bin/package-cleanup -q --dupes > /dev/null; echo $?` FIND=$(/usr/bin/package-cleanup -q --dupes > /dev/null; echo $?)
if [ "${FIND}" = "0" ]; then if [ "${FIND}" = "0" ]; then
LogText "Result: No duplicate packages found" LogText "Result: No duplicate packages found"
Display --indent 2 --text "- Checking package database duplicates" --result "${STATUS_OK}" --color GREEN Display --indent 2 --text "- Checking package database duplicates" --result "${STATUS_OK}" --color GREEN
@ -762,7 +762,7 @@
# Check for package database problems # Check for package database problems
LogText "Test: Checking for database problems" LogText "Test: Checking for database problems"
FIND=`/usr/bin/package-cleanup --problems > /dev/null; echo $?` FIND=$(/usr/bin/package-cleanup --problems > /dev/null; echo $?)
if [ "${FIND}" = "0" ]; then if [ "${FIND}" = "0" ]; then
LogText "Result: No package database problems found" LogText "Result: No package database problems found"
Display --indent 2 --text "- Checking package database for problems" --result "${STATUS_OK}" --color GREEN Display --indent 2 --text "- Checking package database for problems" --result "${STATUS_OK}" --color GREEN
@ -822,7 +822,7 @@
# Check if it's installed as package (this is old style) # Check if it's installed as package (this is old style)
if [ ${DO_TEST} -eq 0 ]; then if [ ${DO_TEST} -eq 0 ]; then
FIND=`rpm -q yum-security yum-plugin-security | ${GREPBINARY} -v "not installed"` FIND=$(rpm -q yum-security yum-plugin-security | ${GREPBINARY} -v "not installed")
if [ ! "${FIND}" = "" ]; then if [ ! "${FIND}" = "" ]; then
LogText "Result: found yum-plugin-security package" LogText "Result: found yum-plugin-security package"
DO_TEST=1 DO_TEST=1
@ -834,7 +834,7 @@
PACKAGE_AUDIT_TOOL_FOUND=1 PACKAGE_AUDIT_TOOL_FOUND=1
PACKAGE_AUDIT_TOOL="yum-security" PACKAGE_AUDIT_TOOL="yum-security"
LogText "Test: Checking for vulnerable packages" LogText "Test: Checking for vulnerable packages"
FIND2=`/usr/bin/yum list-sec security | ${AWKBINARY} '{ if($2=="security" || $2~"Sec") print $3","$5 }'` FIND2=$(/usr/bin/yum list-sec security | ${AWKBINARY} '{ if($2=="security" || $2~"Sec") print $3","$5 }')
if [ "${FIND2}" = "" ]; then if [ "${FIND2}" = "" ]; then
LogText "Result: no vulnerable packages found" LogText "Result: no vulnerable packages found"
Display --indent 2 --text "- Checking missing security packages" --result "${STATUS_OK}" --color GREEN Display --indent 2 --text "- Checking missing security packages" --result "${STATUS_OK}" --color GREEN
@ -936,7 +936,7 @@
Register --test-no PKGS-7390 --os Linux --preqs-met ${PREQS_MET} --root-only YES --weight L --network NO --category security --description "Check Ubuntu database consistency" Register --test-no PKGS-7390 --os Linux --preqs-met ${PREQS_MET} --root-only YES --weight L --network NO --category security --description "Check Ubuntu database consistency"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Package database consistency by running apt-get check" LogText "Test: Package database consistency by running apt-get check"
FIND=`/usr/bin/apt-get -q=2 check 2> /dev/null; echo $?` FIND=$(/usr/bin/apt-get -q=2 check 2> /dev/null; echo $?)
if [ "${FIND}" = "0" ]; then if [ "${FIND}" = "0" ]; then
Display --indent 2 --text "- Checking APT package database" --result "${STATUS_OK}" --color GREEN Display --indent 2 --text "- Checking APT package database" --result "${STATUS_OK}" --color GREEN
LogText "Result: package database seems to be consistent." LogText "Result: package database seems to be consistent."


@ -48,7 +48,7 @@
LogText "Result: /usr/sbin/chkprintcap NOT found, test skipped." LogText "Result: /usr/sbin/chkprintcap NOT found, test skipped."
else else
LogText "Result: /usr/sbin/chkprintcap found" LogText "Result: /usr/sbin/chkprintcap found"
FIND=`/usr/sbin/chkprintcap > /dev/null ; echo $?` FIND=$(/usr/sbin/chkprintcap > /dev/null ; echo $?)
# Only an exit code of zero should come back. Use string instead of integer, due unexpected trash # Only an exit code of zero should come back. Use string instead of integer, due unexpected trash
if [ "${FIND}" = "0" ]; then if [ "${FIND}" = "0" ]; then
Display --indent 2 --text "- Integrity check of printcap file" --result "${STATUS_OK}" --color GREEN Display --indent 2 --text "- Integrity check of printcap file" --result "${STATUS_OK}" --color GREEN
@ -69,7 +69,7 @@
Register --test-no PRNT-2304 --weight L --network NO --category security --description "Check cupsd status" Register --test-no PRNT-2304 --weight L --network NO --category security --description "Check cupsd status"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking cupsd status" LogText "Test: Checking cupsd status"
#FIND=`${PSBINARY} ax | ${GREPBINARY} "cupsd" | ${GREPBINARY} -v "grep" | ${GREPBINARY} -v apcupsd` #FIND=$(${PSBINARY} ax | ${GREPBINARY} "cupsd" | ${GREPBINARY} -v "grep" | ${GREPBINARY} -v apcupsd)
IsRunning cupsd IsRunning cupsd
if [ ${RUNNING} -eq 1 ]; then if [ ${RUNNING} -eq 1 ]; then
Display --indent 2 --text "- Checking cups daemon" --result "${STATUS_RUNNING}" --color GREEN Display --indent 2 --text "- Checking cups daemon" --result "${STATUS_RUNNING}" --color GREEN
@ -117,7 +117,7 @@
Register --test-no PRNT-2307 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check CUPSd configuration file permissions" Register --test-no PRNT-2307 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check CUPSd configuration file permissions"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking CUPS configuration file permissions" LogText "Test: Checking CUPS configuration file permissions"
FIND=`ls -l ${CUPSD_CONFIG_FILE} | ${CUTBINARY} -c 2-10` FIND=$(ls -l ${CUPSD_CONFIG_FILE} | ${CUTBINARY} -c 2-10)
LogText "Result: found ${FIND}" LogText "Result: found ${FIND}"
if [ "${FIND}" = "r--------" -o "${FIND}" = "rw-------" -o "${FIND}" = "rw-r-----" -o "${FIND}" = "rw-rw----" ]; then if [ "${FIND}" = "r--------" -o "${FIND}" = "rw-------" -o "${FIND}" = "rw-r-----" -o "${FIND}" = "rw-rw----" ]; then
Display --indent 4 --text "- File permissions" --result "${STATUS_OK}" --color GREEN Display --indent 4 --text "- File permissions" --result "${STATUS_OK}" --color GREEN
@ -139,7 +139,7 @@
FOUND=0 FOUND=0
# Checking network addresses # Checking network addresses
LogText "Test: Checking CUPS daemon listening network addresses" LogText "Test: Checking CUPS daemon listening network addresses"
FIND=`${GREPBINARY} "^Listen" ${CUPSD_CONFIG_FILE} | ${GREPBINARY} -v "/" | ${AWKBINARY} '{ print $2 }'` FIND=$(${GREPBINARY} "^Listen" ${CUPSD_CONFIG_FILE} | ${GREPBINARY} -v "/" | ${AWKBINARY} '{ print $2 }')
N=0 N=0
for I in ${FIND}; do for I in ${FIND}; do
LogText "Found network address: ${I}" LogText "Found network address: ${I}"
@ -168,7 +168,7 @@
# Checking sockets # Checking sockets
LogText "Test: Checking cups daemon listening sockets" LogText "Test: Checking cups daemon listening sockets"
FIND=`${GREPBINARY} "^Listen" ${CUPSD_CONFIG_FILE} | ${GREPBINARY} "/" | ${AWKBINARY} '{ print $2 }'` FIND=$(${GREPBINARY} "^Listen" ${CUPSD_CONFIG_FILE} | ${GREPBINARY} "/" | ${AWKBINARY} '{ print $2 }')
for I in ${FIND}; do for I in ${FIND}; do
LogText "Found socket address: ${I}" LogText "Found socket address: ${I}"
N=$((N + 1)) N=$((N + 1))
@ -224,7 +224,7 @@
QDAEMON_CONFIG_FILE="/etc/qconfig" QDAEMON_CONFIG_FILE="/etc/qconfig"
FileIsReadable ${QDAEMON_CONFIG_FILE} FileIsReadable ${QDAEMON_CONFIG_FILE}
if [ ${CANREAD} -eq 1 ]; then if [ ${CANREAD} -eq 1 ]; then
FIND=`${GREPBINARY} -v "^\*" ${QDAEMON_CONFIG_FILE} | ${EGREPBINARY} "backend|device"` FIND=$(${GREPBINARY} -v "^\*" ${QDAEMON_CONFIG_FILE} | ${EGREPBINARY} "backend|device")
if [ ! "${FIND}" = "" ]; then if [ ! "${FIND}" = "" ]; then
LogText "Result: printers are defined in ${QDAEMON_CONFIG_FILE}" LogText "Result: printers are defined in ${QDAEMON_CONFIG_FILE}"
Display --indent 2 --text "- Checking /etc/qconfig file" --result "${STATUS_FOUND}" --color GREEN Display --indent 2 --text "- Checking /etc/qconfig file" --result "${STATUS_FOUND}" --color GREEN
@ -271,11 +271,11 @@
LogText "Test: Checking old print jobs" LogText "Test: Checking old print jobs"
DirectoryExists /var/spool/lpd/qdir DirectoryExists /var/spool/lpd/qdir
if [ ${DIRECTORY_FOUND} -eq 1 ]; then if [ ${DIRECTORY_FOUND} -eq 1 ]; then
FIND=`find /var/spool/lpd/qdir -type f -mtime +1 2> /dev/null | ${SEDBINARY} 's/ /!space!/g'` FIND=$(find /var/spool/lpd/qdir -type f -mtime +1 2> /dev/null | ${SEDBINARY} 's/ /!space!/g')
if [ ! "${FIND}" = "" ]; then if [ ! "${FIND}" = "" ]; then
N=0 N=0
for I in ${FIND}; do for I in ${FIND}; do
FILE=`echo ${I} | ${SEDBINARY} 's/!space!/ /g'` FILE=$(echo ${I} | ${SEDBINARY} 's/!space!/ /g')
LogText "Found old print job: ${FILE}" LogText "Found old print job: ${FILE}"
N=$((N + 1)) N=$((N + 1))
done done
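Review bot: In the old-print-jobs hunk, `FILE=$(echo ${I} | ${SEDBINARY} 's/!space!/ /g')` still expands `${I}` unquoted, so a spool file name containing glob characters can be rewritten by pathname expansion before it is logged. Quoting the expansion keeps the name intact: `FILE=$(echo "${I}" | ${SEDBINARY} 's/!space!/ /g')`. The `for I in ${FIND}` word-split above it is subject to the same expansion, and the names under /var/spool/lpd/qdir are not chosen by the script, so a comment such as `# names come from the spool directory; do not let the shell expand them` would help the next reader. The enclosing `if` block continues past the end of the hunk.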


@ -51,7 +51,7 @@
Register --test-no SHLL-6202 --os FreeBSD --weight L --network NO --category security --description "Check console TTYs" Register --test-no SHLL-6202 --os FreeBSD --weight L --network NO --category security --description "Check console TTYs"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking console TTYs" LogText "Test: Checking console TTYs"
FIND=`${EGREPBINARY} '^console' /etc/ttys | ${GREPBINARY} -v 'insecure'` FIND=$(${EGREPBINARY} '^console' /etc/ttys | ${GREPBINARY} -v 'insecure')
if [ "${FIND}" = "" ]; then if [ "${FIND}" = "" ]; then
Display --indent 2 --text "- Checking console TTYs" --result "${STATUS_OK}" --color GREEN Display --indent 2 --text "- Checking console TTYs" --result "${STATUS_OK}" --color GREEN
LogText "Result: console is secured against single user mode without password." LogText "Result: console is secured against single user mode without password."
@ -75,7 +75,7 @@
if [ -f /etc/shells ]; then if [ -f /etc/shells ]; then
LogText "Result: Found /etc/shells file" LogText "Result: Found /etc/shells file"
LogText "Test: Reading available shells from /etc/shells" LogText "Test: Reading available shells from /etc/shells"
SSHELLS=`${GREPBINARY} "^/" /etc/shells` SSHELLS=$(${GREPBINARY} "^/" /etc/shells)
CSSHELLS=0; CSSHELLS_ALL=0 CSSHELLS=0; CSSHELLS_ALL=0
Display --indent 2 --text "- Checking shells from /etc/shells" Display --indent 2 --text "- Checking shells from /etc/shells"
for I in ${SSHELLS}; do for I in ${SSHELLS}; do
@ -117,9 +117,9 @@
if [ -f /etc/profile ]; then if [ -f /etc/profile ]; then
# Determine if we can find a TMOUT value # Determine if we can find a TMOUT value
FIND=`${GREPBINARY} 'TMOUT=' /etc/profile | ${TRBINARY} -d ' ' | ${TRBINARY} -d '\t' | ${GREPBINARY} -v "^#" | ${SEDBINARY} 's/export//' | ${SEDBINARY} 's/#.*//' | ${AWKBINARY} -F= '{ print $2 }'` FIND=$(${GREPBINARY} 'TMOUT=' /etc/profile | ${TRBINARY} -d ' ' | ${TRBINARY} -d '\t' | ${GREPBINARY} -v "^#" | ${SEDBINARY} 's/export//' | ${SEDBINARY} 's/#.*//' | ${AWKBINARY} -F= '{ print $2 }')
# Determine if the value is exported (with export, readonly, or typeset) # Determine if the value is exported (with export, readonly, or typeset)
FIND2=`${GREPBINARY} '\(export\|readonly\|typeset -r\)[ \t]*TMOUT' /etc/profile | ${GREPBINARY} -v "^#" | ${SEDBINARY} 's/#.*//' | ${AWKBINARY} '{ print $1 }'` FIND2=$(${GREPBINARY} '\(export\|readonly\|typeset -r\)[ \t]*TMOUT' /etc/profile | ${GREPBINARY} -v "^#" | ${SEDBINARY} 's/#.*//' | ${AWKBINARY} '{ print $1 }')
if [ ! "${FIND}" = "" ]; then if [ ! "${FIND}" = "" ]; then
N=0; IDLE_TIMEOUT=1 N=0; IDLE_TIMEOUT=1
for I in ${FIND}; do for I in ${FIND}; do
@ -160,12 +160,12 @@
fi fi
if [ -d /etc/profile.d ]; then if [ -d /etc/profile.d ]; then
FIND=`ls /etc/profile.d/*.sh 2> /dev/null` FIND=$(ls /etc/profile.d/*.sh 2> /dev/null)
if [ ! "${FIND}" = "" ]; then if [ ! "${FIND}" = "" ]; then
# Determine if we can find a TMOUT value # Determine if we can find a TMOUT value
FIND=`cat /etc/profile.d/*.sh 2> /dev/null | ${GREPBINARY} 'TMOUT=' | ${TRBINARY} -d ' ' | ${TRBINARY} -d '\t' | ${GREPBINARY} -v "^#" | ${SEDBINARY} 's/export//' | ${SEDBINARY} 's/#.*//' | ${AWKBINARY} -F= '{ print $2 }'` FIND=$(cat /etc/profile.d/*.sh 2> /dev/null | ${GREPBINARY} 'TMOUT=' | ${TRBINARY} -d ' ' | ${TRBINARY} -d '\t' | ${GREPBINARY} -v "^#" | ${SEDBINARY} 's/export//' | ${SEDBINARY} 's/#.*//' | ${AWKBINARY} -F= '{ print $2 }')
# Determine if the value is exported (with export, readonly, or typeset) # Determine if the value is exported (with export, readonly, or typeset)
FIND2=`cat /etc/profile.d/*.sh 2> /dev/null | ${GREPBINARY} '\(export\|readonly\|typeset -r\)[ \t]*TMOUT' | ${GREPBINARY} -v "^#" | ${SEDBINARY} 's/#.*//' | ${AWKBINARY} '{ print $1 }'` FIND2=$(cat /etc/profile.d/*.sh 2> /dev/null | ${GREPBINARY} '\(export\|readonly\|typeset -r\)[ \t]*TMOUT' | ${GREPBINARY} -v "^#" | ${SEDBINARY} 's/#.*//' | ${AWKBINARY} '{ print $1 }')
if [ ! "${FIND}" = "" ]; then if [ ! "${FIND}" = "" ]; then
N=0; IDLE_TIMEOUT=1 N=0; IDLE_TIMEOUT=1
@ -231,7 +231,7 @@
if [ -f ${FILE} ]; then if [ -f ${FILE} ]; then
LogText "Result: file ${FILE} exists" LogText "Result: file ${FILE} exists"
FOUND=1 FOUND=1
FIND=`${GREPBINARY} umask ${FILE} | ${SEDBINARY} 's/^[ \t]*//g' | ${SEDBINARY} 's/#.*$//' | ${GREPBINARY} -v "^$" | ${AWKBINARY} '{ print $2 }'` FIND=$(${GREPBINARY} umask ${FILE} | ${SEDBINARY} 's/^[ \t]*//g' | ${SEDBINARY} 's/#.*$//' | ${GREPBINARY} -v "^$" | ${AWKBINARY} '{ print $2 }')
if [ "${FIND}" = "" ]; then if [ "${FIND}" = "" ]; then
LogText "Result: did not find umask configured in ${FILE}" LogText "Result: did not find umask configured in ${FILE}"
Display --indent 4 --text "- Checking default umask in ${FILE}" --result "${STATUS_NONE}" --color YELLOW Display --indent 4 --text "- Checking default umask in ${FILE}" --result "${STATUS_NONE}" --color YELLOW
@ -280,10 +280,10 @@
LogText "Test: Check if bash is in the list of shells." LogText "Test: Check if bash is in the list of shells."
if [ -f /etc/shells ]; then if [ -f /etc/shells ]; then
LogText "Test: checking for bash shell in /etc/shells" LogText "Test: checking for bash shell in /etc/shells"
FIND=`${EGREPBINARY} '(/usr)?(/local)?/bin/bash' /etc/shells | ${GREPBINARY} -v "^#" | head -1` FIND=$(${EGREPBINARY} '(/usr)?(/local)?/bin/bash' /etc/shells | ${GREPBINARY} -v "^#" | head -1)
else else
LogText "Test: checking if bash is available via which command" LogText "Test: checking if bash is available via which command"
FIND=`which bash 2> /dev/null | head -1` FIND=$(which bash 2> /dev/null | head -1)
fi fi
LogText "Result: command revealed ${FIND} as output" LogText "Result: command revealed ${FIND} as output"
@ -296,7 +296,7 @@
# CVE-2014-6271 # CVE-2014-6271
LogText "Test: Check for first exploit (CVE-2014-6271)" LogText "Test: Check for first exploit (CVE-2014-6271)"
echo "env 'x=() { :;}; echo vulnerable' 'BASH_FUNC_x()=() { :;}; echo vulnerable' bash -c \"echo test\" 2>&1 | ${GREPBINARY} 'vulnerable'" > ${SHELLSHOCK_TMP} echo "env 'x=() { :;}; echo vulnerable' 'BASH_FUNC_x()=() { :;}; echo vulnerable' bash -c \"echo test\" 2>&1 | ${GREPBINARY} 'vulnerable'" > ${SHELLSHOCK_TMP}
VULNERABLE=`${FIND} ${SHELLSHOCK_TMP} 2> /dev/null` VULNERABLE=$(${FIND} ${SHELLSHOCK_TMP} 2> /dev/null)
rm -f ${SHELLSHOCK_TMP} rm -f ${SHELLSHOCK_TMP}
if [ ! "${VULNERABLE}" = "" ]; then if [ ! "${VULNERABLE}" = "" ]; then
LogText "Output: ${VULNERABLE}" LogText "Output: ${VULNERABLE}"
@ -313,7 +313,7 @@
# CVE-2014-6278 # CVE-2014-6278
LogText "Test: Check for CVE-2014-6278" LogText "Test: Check for CVE-2014-6278"
echo "shellshocker='() { echo vulnerable; }' bash -c shellshocker 2>/dev/null | ${GREPBINARY} 'vulnerable'" > ${SHELLSHOCK_TMP} echo "shellshocker='() { echo vulnerable; }' bash -c shellshocker 2>/dev/null | ${GREPBINARY} 'vulnerable'" > ${SHELLSHOCK_TMP}
VULNERABLE=`${FIND} ${SHELLSHOCK_TMP} 2> /dev/null` VULNERABLE=$(${FIND} ${SHELLSHOCK_TMP} 2> /dev/null)
rm -f ${SHELLSHOCK_TMP} rm -f ${SHELLSHOCK_TMP}
if [ ! "${VULNERABLE}" = "" ]; then if [ ! "${VULNERABLE}" = "" ]; then
LogText "Output: ${VULNERABLE}" LogText "Output: ${VULNERABLE}"
@ -328,7 +328,7 @@
# CVE-2014-7169 # CVE-2014-7169
LogText "Test: Check for taviso bug CVE-2014-7169" LogText "Test: Check for taviso bug CVE-2014-7169"
echo "(cd /tmp; rm -f /tmp/echo; env X='() { (a)=>\' bash -c "echo echo nonvuln" 2>/dev/null; [[ \"\$(cat echo 2> /dev/null)\" == \"nonvuln\" ]] && echo \"vulnerable\" 2> /dev/null) | ${GREPBINARY} ' vulnerable'" > ${SHELLSHOCK_TMP} echo "(cd /tmp; rm -f /tmp/echo; env X='() { (a)=>\' bash -c "echo echo nonvuln" 2>/dev/null; [[ \"\$(cat echo 2> /dev/null)\" == \"nonvuln\" ]] && echo \"vulnerable\" 2> /dev/null) | ${GREPBINARY} ' vulnerable'" > ${SHELLSHOCK_TMP}
VULNERABLE=`${FIND} ${SHELLSHOCK_TMP} 2> /dev/null` VULNERABLE=$(${FIND} ${SHELLSHOCK_TMP} 2> /dev/null)
rm -f ${SHELLSHOCK_TMP} rm -f ${SHELLSHOCK_TMP}
if [ ! "${VULNERABLE}" = "" ]; then if [ ! "${VULNERABLE}" = "" ]; then
LogText "Output: ${VULNERABLE}" LogText "Output: ${VULNERABLE}"
@ -343,7 +343,7 @@
# CVE-2014-7186 # CVE-2014-7186
LogText "Test: Check for CVE-2014-7186" LogText "Test: Check for CVE-2014-7186"
echo "(bash -c 'true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF' 2>/dev/null || echo \"vulnerable\") | ${GREPBINARY} 'vulnerable'" > ${SHELLSHOCK_TMP} echo "(bash -c 'true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF' 2>/dev/null || echo \"vulnerable\") | ${GREPBINARY} 'vulnerable'" > ${SHELLSHOCK_TMP}
VULNERABLE=`${FIND} ${SHELLSHOCK_TMP} 2> /dev/null` VULNERABLE=$(${FIND} ${SHELLSHOCK_TMP} 2> /dev/null)
rm -f ${SHELLSHOCK_TMP} rm -f ${SHELLSHOCK_TMP}
if [ ! "${VULNERABLE}" = "" ]; then if [ ! "${VULNERABLE}" = "" ]; then
LogText "Output: ${VULNERABLE}" LogText "Output: ${VULNERABLE}"
@ -358,7 +358,7 @@
# CVE-2014-7187 # CVE-2014-7187
LogText "Test: Check for CVE-2014-7187" LogText "Test: Check for CVE-2014-7187"
echo "((for x in {1..200}; do echo \"for x$x in ; do :\"; done; for x in {1..200}; do echo done; done) | bash || echo \"vulnerable\") | ${GREPBINARY} 'vulnerable'" > ${SHELLSHOCK_TMP} echo "((for x in {1..200}; do echo \"for x$x in ; do :\"; done; for x in {1..200}; do echo done; done) | bash || echo \"vulnerable\") | ${GREPBINARY} 'vulnerable'" > ${SHELLSHOCK_TMP}
VULNERABLE=`${FIND} ${SHELLSHOCK_TMP} 2> /dev/null` VULNERABLE=$(${FIND} ${SHELLSHOCK_TMP} 2> /dev/null)
rm -f ${SHELLSHOCK_TMP} rm -f ${SHELLSHOCK_TMP}
if [ ! "${VULNERABLE}" = "" ]; then if [ ! "${VULNERABLE}" = "" ]; then
LogText "Output: ${VULNERABLE}" LogText "Output: ${VULNERABLE}"
@ -373,7 +373,7 @@
# CVE-2014-//// # CVE-2014-////
LogText "Test: Check for bug Exploit #3 - shellshocker.net (no CVE)" LogText "Test: Check for bug Exploit #3 - shellshocker.net (no CVE)"
echo "env X=' () { }; echo hello' bash -c 'date'| ${GREPBINARY} 'hello'" > ${SHELLSHOCK_TMP} echo "env X=' () { }; echo hello' bash -c 'date'| ${GREPBINARY} 'hello'" > ${SHELLSHOCK_TMP}
VULNERABLE=`${FIND} ${SHELLSHOCK_TMP} 2> /dev/null` VULNERABLE=$(${FIND} ${SHELLSHOCK_TMP} 2> /dev/null)
rm -f ${SHELLSHOCK_TMP} rm -f ${SHELLSHOCK_TMP}
if [ ! "${VULNERABLE}" = "" ]; then if [ ! "${VULNERABLE}" = "" ]; then
LogText "Output: ${VULNERABLE}" LogText "Output: ${VULNERABLE}"
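Review bot: The CVE-2014-7169 check builds its probe with `bash -c "echo echo nonvuln"` inside an already double-quoted `echo "..."`, so those inner quotes close the outer string and the text written to `${SHELLSHOCK_TMP}` is not the command the author intended; the `\"nonvuln\"` later on the same line shows the escaping that was meant. The same line greps for `' vulnerable'` with a leading space while the probe prints `vulnerable`, so this check appears unable to report a finding and would give a false clean result. Suggested: escape the inner quotes as `bash -c \"echo echo nonvuln\"` and match `'vulnerable'` as the other checks do. Each converted line also runs `$(${FIND} ${SHELLSHOCK_TMP} 2> /dev/null)` unquoted, where `"${FIND}" "${SHELLSHOCK_TMP}"` would be safer; how `${SHELLSHOCK_TMP}` is created is outside these hunks, so it is worth confirming it is not a predictable path. The surrounding `if` blocks start and end outside the hunks.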


@ -32,7 +32,7 @@
# if [ ${SKIPTEST} -eq 0 ]; then # if [ ${SKIPTEST} -eq 0 ]; then
# LogText "Test: Searching for a SSH daemon" # LogText "Test: Searching for a SSH daemon"
# # Check running processes # # Check running processes
# FIND=`${PSBINARY} ax | ${GREPBINARY} "sshd" | ${GREPBINARY} -v "grep"` # FIND=$(${PSBINARY} ax | ${GREPBINARY} "sshd" | ${GREPBINARY} -v "grep")
# if [ ! "${FIND}" = "" ]; then # if [ ! "${FIND}" = "" ]; then
# SSH_DAEMON_RUNNING=1 # SSH_DAEMON_RUNNING=1
# LogText "Result: Stop-A is disabled" # LogText "Result: Stop-A is disabled"
@ -51,7 +51,7 @@
# if [ ${SKIPTEST} -eq 0 ]; then # if [ ${SKIPTEST} -eq 0 ]; then
# LogText "Test: Searching for a SSH daemon" # LogText "Test: Searching for a SSH daemon"
# # Check running processes # # Check running processes
# FIND=`${PSBINARY} ax | ${GREPBINARY} "sshd" | ${GREPBINARY} -v "grep"` # FIND=$(${PSBINARY} ax | ${GREPBINARY} "sshd" | ${GREPBINARY} -v "grep")
# if [ ! "${FIND}" = "" ]; then # if [ ! "${FIND}" = "" ]; then
# SSH_DAEMON_RUNNING=1 # SSH_DAEMON_RUNNING=1
# LogText "Result: Stop-A is disabled" # LogText "Result: Stop-A is disabled"


@ -42,7 +42,7 @@
LogText "Test: Searching for a Squid daemon" LogText "Test: Searching for a Squid daemon"
FOUND=0 FOUND=0
# Check running processes # Check running processes
FIND=`${PSBINARY} ax | ${EGREPBINARY} "(squid|squid3) " | ${GREPBINARY} -v "grep"` FIND=$(${PSBINARY} ax | ${EGREPBINARY} "(squid|squid3) " | ${GREPBINARY} -v "grep")
if [ ! "${FIND}" = "" ]; then if [ ! "${FIND}" = "" ]; then
SQUID_DAEMON_RUNNING=1 SQUID_DAEMON_RUNNING=1
LogText "Result: Squid daemon is running" LogText "Result: Squid daemon is running"
@ -92,9 +92,9 @@
if [ ! "${SQUIDBINARY}" = "" ]; then if [ ! "${SQUIDBINARY}" = "" ]; then
LogText "Result: Squid binary found (${SQUIDBINARY})" LogText "Result: Squid binary found (${SQUIDBINARY})"
# Skip check if a setuid/setgid bit is found # Skip check if a setuid/setgid bit is found
FIND=`find ${SQUIDBINARY} \( -perm 4000 -o -perm 2000 \) -print` FIND=$(find ${SQUIDBINARY} \( -perm 4000 -o -perm 2000 \) -print)
if [ "${FIND}" = "" ]; then if [ "${FIND}" = "" ]; then
FIND2=`${SQUIDBINARY} -v | ${AWKBINARY} '{ if ($3=="Version") { print $4 } }'` FIND2=$(${SQUIDBINARY} -v | ${AWKBINARY} '{ if ($3=="Version") { print $4 } }')
Display --indent 4 --text "- Checking Squid version" --result "${STATUS_FOUND}" --color GREEN Display --indent 4 --text "- Checking Squid version" --result "${STATUS_FOUND}" --color GREEN
SQUID_VERSION="${FIND2}" SQUID_VERSION="${FIND2}"
else else
@ -114,9 +114,9 @@
Register --test-no SQD-3610 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check Squid version" Register --test-no SQD-3610 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check Squid version"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking all specific defined options in ${SQUID_DAEMON_CONFIG}" LogText "Test: Checking all specific defined options in ${SQUID_DAEMON_CONFIG}"
FIND=`${GREPBINARY} -v "^#" ${SQUID_DAEMON_CONFIG} | ${GREPBINARY} -v "^$" | ${AWKBINARY} '{gsub("\t"," ");print}' | ${SEDBINARY} 's/ /!space!/g'` FIND=$(${GREPBINARY} -v "^#" ${SQUID_DAEMON_CONFIG} | ${GREPBINARY} -v "^$" | ${AWKBINARY} '{gsub("\t"," ");print}' | ${SEDBINARY} 's/ /!space!/g')
for I in ${FIND}; do for I in ${FIND}; do
I=`echo ${I} | ${SEDBINARY} 's/!space!/ /g'` I=$(echo ${I} | ${SEDBINARY} 's/!space!/ /g')
LogText "Found Squid option: ${I}" LogText "Found Squid option: ${I}"
Report "squid_option=${I}" Report "squid_option=${I}"
done done
@ -131,7 +131,7 @@
Register --test-no SQD-3613 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check Squid file permissions" Register --test-no SQD-3613 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check Squid file permissions"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking file permissions of ${SQUID_DAEMON_CONFIG}" LogText "Test: Checking file permissions of ${SQUID_DAEMON_CONFIG}"
FIND=`find ${SQUID_DAEMON_CONFIG} -type f -a \( -perm -004 -o -perm -002 -o -perm -001 \)` FIND=$(find ${SQUID_DAEMON_CONFIG} -type f -a \( -perm -004 -o -perm -002 -o -perm -001 \))
if [ ! "${FIND}" = "" ]; then if [ ! "${FIND}" = "" ]; then
LogText "Result: file ${SQUID_DAEMON_CONFIG} is world readable, writable or executable and could leak information or passwords" LogText "Result: file ${SQUID_DAEMON_CONFIG} is world readable, writable or executable and could leak information or passwords"
Display --indent 4 --text "- Checking Squid configuration file permissions" --result "${STATUS_WARNING}" --color RED Display --indent 4 --text "- Checking Squid configuration file permissions" --result "${STATUS_WARNING}" --color RED
@ -159,7 +159,7 @@
Register --test-no SQD-3614 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check Squid authentication methods" Register --test-no SQD-3614 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check Squid authentication methods"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: check auth_param option for authentication methods" LogText "Test: check auth_param option for authentication methods"
FIND=`${GREPBINARY} "^auth_param" ${SQUID_DAEMON_CONFIG} | ${AWKBINARY} '{ print $2 }'` FIND=$(${GREPBINARY} "^auth_param" ${SQUID_DAEMON_CONFIG} | ${AWKBINARY} '{ print $2 }')
if [ "${FIND}" = "" ]; then if [ "${FIND}" = "" ]; then
LogText "No auth_param option found, proxy access anonymous or based on other methods (like ACLs)" LogText "No auth_param option found, proxy access anonymous or based on other methods (like ACLs)"
Display --indent 6 --text "- Checking Squid authentication methods" --result "${STATUS_NONE}" --color YELLOW Display --indent 6 --text "- Checking Squid authentication methods" --result "${STATUS_NONE}" --color YELLOW
@ -180,7 +180,7 @@
Register --test-no SQD-3616 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check external Squid authentication" Register --test-no SQD-3616 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check external Squid authentication"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: check external_acl_type option for external authentication helpers" LogText "Test: check external_acl_type option for external authentication helpers"
FIND=`${GREPBINARY} "^external_acl_type" ${SQUID_DAEMON_CONFIG}` FIND=$(${GREPBINARY} "^external_acl_type" ${SQUID_DAEMON_CONFIG})
if [ "${FIND}" = "" ]; then if [ "${FIND}" = "" ]; then
LogText "No external_acl_type found" LogText "No external_acl_type found"
Display --indent 6 --text "- Checking Squid external authentication methods" --result "${STATUS_NONE}" --color YELLOW Display --indent 6 --text "- Checking Squid external authentication methods" --result "${STATUS_NONE}" --color YELLOW
@ -203,14 +203,14 @@
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
N=0 N=0
LogText "Test: checking ACLs" LogText "Test: checking ACLs"
FIND=`${GREPBINARY} "^acl " ${SQUID_DAEMON_CONFIG} | ${SEDBINARY} 's/ /!space!/g'` FIND=$(${GREPBINARY} "^acl " ${SQUID_DAEMON_CONFIG} | ${SEDBINARY} 's/ /!space!/g')
if [ "${FIND}" = "" ]; then if [ "${FIND}" = "" ]; then
LogText "Result: No ACLs found" LogText "Result: No ACLs found"
Display --indent 6 --text "- Checking Access Control Lists" --result "${STATUS_NONE}" --color RED Display --indent 6 --text "- Checking Access Control Lists" --result "${STATUS_NONE}" --color RED
else else
for I in ${FIND}; do for I in ${FIND}; do
N=$((N + 1)) N=$((N + 1))
I=`echo ${I} | ${SEDBINARY} 's/!space!/ /g'` I=$(echo ${I} | ${SEDBINARY} 's/!space!/ /g')
LogText "Found ACL: ${I}" LogText "Found ACL: ${I}"
#Report "squid_acl=${I}" #Report "squid_acl=${I}"
done done
@ -228,14 +228,14 @@
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
N=0 N=0
LogText "Test: checking ACL Safe_ports http_access option" LogText "Test: checking ACL Safe_ports http_access option"
FIND=`${GREPBINARY} "^http_access" ${SQUID_DAEMON_CONFIG} | ${GREPBINARY} "Safe_ports"` FIND=$(${GREPBINARY} "^http_access" ${SQUID_DAEMON_CONFIG} | ${GREPBINARY} "Safe_ports")
if [ "${FIND}" = "" ]; then if [ "${FIND}" = "" ]; then
LogText "Result: no Safe_ports found" LogText "Result: no Safe_ports found"
Display --indent 6 --text "- Checking ACL 'Safe_ports' http_access option" --result "${STATUS_NOT_FOUND}" --color YELLOW Display --indent 6 --text "- Checking ACL 'Safe_ports' http_access option" --result "${STATUS_NOT_FOUND}" --color YELLOW
ReportSuggestion ${TEST_NO} "Check if Squid has been configured to restrict access to all safe ports" ReportSuggestion ${TEST_NO} "Check if Squid has been configured to restrict access to all safe ports"
else else
LogText "Result: checking ACL safe ports" LogText "Result: checking ACL safe ports"
FIND2=`${GREPBINARY} "^acl Safe_ports port" ${SQUID_DAEMON_CONFIG} | ${AWKBINARY} '{ print $4 }'` FIND2=$(${GREPBINARY} "^acl Safe_ports port" ${SQUID_DAEMON_CONFIG} | ${AWKBINARY} '{ print $4 }')
if [ "${FIND2}" = "" ]; then if [ "${FIND2}" = "" ]; then
Display --indent 6 --text "- Checking ACL 'Safe_ports' ports" --result "NONE FOUND" --color YELLOW Display --indent 6 --text "- Checking ACL 'Safe_ports' ports" --result "NONE FOUND" --color YELLOW
ReportSuggestion ${TEST_NO} "Check if Squid has been configured for which ports it can allow outgoing traffic (Safe_ports)" ReportSuggestion ${TEST_NO} "Check if Squid has been configured for which ports it can allow outgoing traffic (Safe_ports)"
@ -251,7 +251,7 @@
#SQUID_DAEMON_UNSAFE_PORTS_LIST #SQUID_DAEMON_UNSAFE_PORTS_LIST
for I in ${SQUID_DAEMON_UNSAFE_PORTS_LIST}; do for I in ${SQUID_DAEMON_UNSAFE_PORTS_LIST}; do
LogText "Test: Checking port ${I} in Safe_ports list" LogText "Test: Checking port ${I} in Safe_ports list"
FIND2=`${GREPBINARY} -w "^acl Safe_ports port ${I}" ${SQUID_DAEMON_CONFIG}` FIND2=$(${GREPBINARY} -w "^acl Safe_ports port ${I}" ${SQUID_DAEMON_CONFIG})
if [ "${FIND2}" = "" ]; then if [ "${FIND2}" = "" ]; then
Display --indent 6 --text "- Checking ACL 'Safe_ports' (port ${I})" --result "${STATUS_NOT_FOUND}" --color GREEN Display --indent 6 --text "- Checking ACL 'Safe_ports' (port ${I})" --result "${STATUS_NOT_FOUND}" --color GREEN
AddHP 1 1 AddHP 1 1
@ -279,7 +279,7 @@
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
N=0 N=0
LogText "Test: checking option reply_body_max_size" LogText "Test: checking option reply_body_max_size"
FIND=`${GREPBINARY} "^reply_body_max_size " ${SQUID_DAEMON_CONFIG} | ${SEDBINARY} 's/ /!space!/g'` FIND=$(${GREPBINARY} "^reply_body_max_size " ${SQUID_DAEMON_CONFIG} | ${SEDBINARY} 's/ /!space!/g')
if [ "${FIND}" = "" ]; then if [ "${FIND}" = "" ]; then
LogText "Result: option reply_body_max_size not configured" LogText "Result: option reply_body_max_size not configured"
Display --indent 6 --text "- Checking option: reply_body_max_size" --result "${STATUS_NONE}" --color RED Display --indent 6 --text "- Checking option: reply_body_max_size" --result "${STATUS_NONE}" --color RED
@ -306,10 +306,10 @@
if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! "${SQUID_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! "${SQUID_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no SQD-3680 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check Squid version suppresion" Register --test-no SQD-3680 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check Squid version suppresion"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
FIND=`${GREPBINARY} "^httpd_suppress_version_string " ${SQUID_DAEMON_CONFIG} | ${GREPBINARY} " on"` FIND=$(${GREPBINARY} "^httpd_suppress_version_string " ${SQUID_DAEMON_CONFIG} | ${GREPBINARY} " on")
if [ "${FIND}" = "" ]; then if [ "${FIND}" = "" ]; then
LogText "Result: option httpd_suppress_version_string not configured" LogText "Result: option httpd_suppress_version_string not configured"
Display --indent 6 --text "- Checking option: httpd_supress_version_string" --result "${STATUS_NOT_FOUND}" --color YELLOW Display --indent 6 --text "- Checking option: httpd_suppress_version_string" --result "${STATUS_NOT_FOUND}" --color YELLOW
AddHP 1 2 AddHP 1 2
ReportSuggestion ${TEST_NO} "Configure Squid option httpd_suppress_version_string (on) to suppress the version." ReportSuggestion ${TEST_NO} "Configure Squid option httpd_suppress_version_string (on) to suppress the version."
else else


@ -136,18 +136,18 @@
# Go through our list of options # Go through our list of options
for I in ${SSHOPS}; do for I in ${SSHOPS}; do
OPTIONNAME=`echo ${I} | ${CUTBINARY} -d ':' -f1` OPTIONNAME=$(echo ${I} | ${CUTBINARY} -d ':' -f1)
OPTIONNAME_LOWER=`echo ${I} | ${CUTBINARY} -d ':' -f1 | ${AWKBINARY} '{ print tolower($1) }'` OPTIONNAME_LOWER=$(echo ${I} | ${CUTBINARY} -d ':' -f1 | ${AWKBINARY} '{ print tolower($1) }')
EXPECTEDVALUE=`echo ${I} | ${CUTBINARY} -d ':' -f2 | ${CUTBINARY} -d',' -f1` EXPECTEDVALUE=$(echo ${I} | ${CUTBINARY} -d ':' -f2 | ${CUTBINARY} -d',' -f1)
MEDIUMSCOREDVALUE=`echo ${I} | ${CUTBINARY} -d ':' -f2 | ${CUTBINARY} -d',' -f2` MEDIUMSCOREDVALUE=$(echo ${I} | ${CUTBINARY} -d ':' -f2 | ${CUTBINARY} -d',' -f2)
WEAKVALUE=`echo ${I} | ${CUTBINARY} -d ':' -f2 | ${CUTBINARY} -d',' -f3` WEAKVALUE=$(echo ${I} | ${CUTBINARY} -d ':' -f2 | ${CUTBINARY} -d',' -f3)
TESTTYPE=`echo ${I} | ${CUTBINARY} -d ':' -f3` TESTTYPE=$(echo ${I} | ${CUTBINARY} -d ':' -f3)
RESULT="NONE" RESULT="NONE"
if ! SkipAtomicTest "${TEST_NO}:${OPTIONNAME_LOWER}"; then if ! SkipAtomicTest "${TEST_NO}:${OPTIONNAME_LOWER}"; then
# Get value and use the last occurrence # Get value and use the last occurrence
FOUNDVALUE=`${AWKBINARY} -v OPT="${OPTIONNAME_LOWER}" 'index($0, OPT) == 1 { print toupper($2) }' ${SSH_DAEMON_OPTIONS_FILE} | tail -1` FOUNDVALUE=$(${AWKBINARY} -v OPT="${OPTIONNAME_LOWER}" 'index($0, OPT) == 1 { print toupper($2) }' ${SSH_DAEMON_OPTIONS_FILE} | tail -1)
LogText "Test: Checking ${OPTIONNAME} in ${SSH_DAEMON_OPTIONS_FILE}" LogText "Test: Checking ${OPTIONNAME} in ${SSH_DAEMON_OPTIONS_FILE}"
if [ ! "${FOUNDVALUE}" = "" ]; then if [ ! "${FOUNDVALUE}" = "" ]; then
@ -262,7 +262,7 @@
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
FOUND=0 FOUND=0
# AllowUsers # AllowUsers
FIND=`${EGREPBINARY} -i "^AllowUsers" ${SSH_DAEMON_OPTIONS_FILE} | ${AWKBINARY} '{ print $2 }'` FIND=$(${EGREPBINARY} -i "^AllowUsers" ${SSH_DAEMON_OPTIONS_FILE} | ${AWKBINARY} '{ print $2 }')
if [ ! "${FIND}" = "" ]; then if [ ! "${FIND}" = "" ]; then
LogText "Result: AllowUsers set, with value ${FIND}" LogText "Result: AllowUsers set, with value ${FIND}"
Display --indent 4 --text "- SSH option: AllowUsers" --result "${STATUS_FOUND}" --color GREEN Display --indent 4 --text "- SSH option: AllowUsers" --result "${STATUS_FOUND}" --color GREEN
@ -273,7 +273,7 @@
fi fi
# AllowGroups # AllowGroups
FIND=`${EGREPBINARY} -i "^AllowGroups" ${SSH_DAEMON_OPTIONS_FILE} | ${AWKBINARY} '{ print $2 }'` FIND=$(${EGREPBINARY} -i "^AllowGroups" ${SSH_DAEMON_OPTIONS_FILE} | ${AWKBINARY} '{ print $2 }')
if [ ! "${FIND}" = "" ]; then if [ ! "${FIND}" = "" ]; then
LogText "Result: AllowUsers set ${FIND}" LogText "Result: AllowUsers set ${FIND}"
Display --indent 4 --text "- SSH option: AllowGroups" --result "${STATUS_FOUND}" --color GREEN Display --indent 4 --text "- SSH option: AllowGroups" --result "${STATUS_FOUND}" --color GREEN
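Review bot: The log line in the AllowGroups branch still reads `LogText "Result: AllowUsers set ${FIND}"`, so the audit log names the wrong directive when access is restricted by group; it should be `LogText "Result: AllowGroups set, with value ${FIND}"`, matching the AllowUsers branch. Both lookups also print only `$2`, so when several users or groups are listed on one line only the first reaches the log. The enclosing test starts and ends outside these hunks.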


@ -35,10 +35,10 @@
FOUND=0 FOUND=0
LogText "Test: Checking USB storage driver in directory /etc/modprobe.d and configuration file /etc/modprobe.conf" LogText "Test: Checking USB storage driver in directory /etc/modprobe.d and configuration file /etc/modprobe.conf"
if [ -d /etc/modprobe.d ]; then if [ -d /etc/modprobe.d ]; then
FIND=`ls /etc/modprobe.d/* 2> /dev/null` FIND=$(ls /etc/modprobe.d/* 2> /dev/null)
if [ ! "${FIND}" = "" ]; then if [ ! "${FIND}" = "" ]; then
FIND=`${EGREPBINARY} -r "install usb[-_]storage /bin/(false|true)" /etc/modprobe.d/* | ${GREPBINARY} -v "#"` FIND=$(${EGREPBINARY} -r "install usb[-_]storage /bin/(false|true)" /etc/modprobe.d/* | ${GREPBINARY} -v "#")
FIND2=`${EGREPBINARY} -r "^blacklist usb[-_]storage" /etc/modprobe.d/*` FIND2=$(${EGREPBINARY} -r "^blacklist usb[-_]storage" /etc/modprobe.d/*)
if [ ! "${FIND}" = "" -o ! "${FIND2}" = "" ]; then if [ ! "${FIND}" = "" -o ! "${FIND2}" = "" ]; then
FOUND=1 FOUND=1
LogText "Result: found usb-storage driver in disabled state (blacklisted)" LogText "Result: found usb-storage driver in disabled state (blacklisted)"
@ -48,7 +48,7 @@
fi fi
fi fi
if [ -f /etc/modprobe.conf ]; then if [ -f /etc/modprobe.conf ]; then
FIND=`${EGREPBINARY} "install usb[-_]storage /bin/(false|true)" /etc/modprobe.conf | ${GREPBINARY} "usb-storage" | ${GREPBINARY} -v "#"` FIND=$(${EGREPBINARY} "install usb[-_]storage /bin/(false|true)" /etc/modprobe.conf | ${GREPBINARY} "usb-storage" | ${GREPBINARY} -v "#")
if [ ! "${FIND}" = "" ]; then if [ ! "${FIND}" = "" ]; then
FOUND=1 FOUND=1
LogText "Result: found usb-storage driver in disabled state" LogText "Result: found usb-storage driver in disabled state"
@ -77,11 +77,11 @@
USBDEVICESPATH="/sys/bus/usb/devices/usb" USBDEVICESPATH="/sys/bus/usb/devices/usb"
for device in "${USBDEVICESPATH}"*; do for device in "${USBDEVICESPATH}"*; do
if [ -e "${device}/authorized" ] || [ -e "${device}/authorized_default" ]; then if [ -e "${device}/authorized" ] || [ -e "${device}/authorized_default" ]; then
if [ `cat "${device}/authorized_default"` -eq 1 ]; then if [ $(cat "${device}/authorized_default") -eq 1 ]; then
FOUND=1 FOUND=1
LogText "Test: ${device} is authorized by default" LogText "Test: ${device} is authorized by default"
Report "usb_authorized_default_device[]=${device}" Report "usb_authorized_default_device[]=${device}"
elif [ `cat "${device}/authorized"` -eq 1 ]; then elif [ $(cat "${device}/authorized") -eq 1 ]; then
FOUND=1 FOUND=1
LogText "Test: ${device} is authorized currently" LogText "Test: ${device} is authorized currently"
Report "usb_authorized_device[]=${device}" Report "usb_authorized_device[]=${device}"
@ -112,10 +112,10 @@
FOUND=0 FOUND=0
LogText "Test: Checking firewire storage driver in directory /etc/modprobe.d and configuration file /etc/modprobe.conf" LogText "Test: Checking firewire storage driver in directory /etc/modprobe.d and configuration file /etc/modprobe.conf"
if [ -d /etc/modprobe.d ]; then if [ -d /etc/modprobe.d ]; then
FIND=`ls /etc/modprobe.d/* 2> /dev/null` FIND=$(ls /etc/modprobe.d/* 2> /dev/null)
if [ ! "${FIND}" = "" ]; then if [ ! "${FIND}" = "" ]; then
FIND1=`${EGREPBINARY} "blacklist (ohci1394|firewire[-_]ohci|firewire-core)" /etc/modprobe.d/* | ${GREPBINARY} -v "#"` FIND1=$(${EGREPBINARY} "blacklist (ohci1394|firewire[-_]ohci|firewire-core)" /etc/modprobe.d/* | ${GREPBINARY} -v "#")
FIND2=`${EGREPBINARY} "install (ohci1394|firewire[-_]ohci|firewire-core) /bin/(false|true)" /etc/modprobe.d/* | ${GREPBINARY} -v "#"` FIND2=$(${EGREPBINARY} "install (ohci1394|firewire[-_]ohci|firewire-core) /bin/(false|true)" /etc/modprobe.d/* | ${GREPBINARY} -v "#")
if [ ! "${FIND1}" = "" -o ! "${FIND2}" = "" ]; then if [ ! "${FIND1}" = "" -o ! "${FIND2}" = "" ]; then
FOUND=1 FOUND=1
LogText "Result: found firewire ohci driver in disabled state" LogText "Result: found firewire ohci driver in disabled state"
@ -125,8 +125,8 @@
fi fi
fi fi
if [ -f /etc/modprobe.conf ]; then if [ -f /etc/modprobe.conf ]; then
FIND1=`${EGREPBINARY} -r "blacklist (ohci1394|firewire[-_]ohci|firewire-core)" /etc/modprobe.conf | ${GREPBINARY} -v "#"` FIND1=$(${EGREPBINARY} -r "blacklist (ohci1394|firewire[-_]ohci|firewire-core)" /etc/modprobe.conf | ${GREPBINARY} -v "#")
FIND2=`${EGREPBINARY} -r "install (ohci1394|firewire[-_]ohci|firewire-core) /bin/(false|true)" /etc/modprobe.conf | ${GREPBINARY} -v "#"` FIND2=$(${EGREPBINARY} -r "install (ohci1394|firewire[-_]ohci|firewire-core) /bin/(false|true)" /etc/modprobe.conf | ${GREPBINARY} -v "#")
if [ ! "${FIND1}" = "" -o ! "${FIND2}" = "" ]; then if [ ! "${FIND1}" = "" -o ! "${FIND2}" = "" ]; then
FOUND=1 FOUND=1
LogText "Result: found firewire ohci driver in disabled state" LogText "Result: found firewire ohci driver in disabled state"
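Review bot: In the /etc/modprobe.conf check, the extra `${GREPBINARY} "usb-storage"` stage throws away matches that the preceding `usb[-_]storage` pattern was written to accept. A system that disables the driver there with `install usb_storage /bin/true` is therefore reported as not having it disabled. Dropping that stage gives `FIND=$(${EGREPBINARY} "install usb[-_]storage /bin/(false|true)" /etc/modprobe.conf | ${GREPBINARY} -v "#")`, which matches the /etc/modprobe.d branch above it. The surrounding `if` blocks continue outside the hunk.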


@ -37,7 +37,7 @@
Register --test-no STRG-1902 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check rpcinfo registered programs" Register --test-no STRG-1902 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check rpcinfo registered programs"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking rpcinfo registered programs" LogText "Test: Checking rpcinfo registered programs"
FIND=`${RPCINFOBINARY} -p 2> /dev/null | ${TRBINARY} -s ' ' ','` FIND=$(${RPCINFOBINARY} -p 2> /dev/null | ${TRBINARY} -s ' ' ',')
for I in ${FIND}; do for I in ${FIND}; do
LogText "rpcinfo: ${I}" LogText "rpcinfo: ${I}"
done done
@ -52,7 +52,7 @@
Register --test-no STRG-1904 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check nfs rpc" Register --test-no STRG-1904 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check nfs rpc"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking NFS registered versions" LogText "Test: Checking NFS registered versions"
FIND=`${RPCINFOBINARY} -p 2> /dev/null | ${AWKBINARY} '{ if ($5=="nfs") { print $2 } }' | uniq | sort` FIND=$(${RPCINFOBINARY} -p 2> /dev/null | ${AWKBINARY} '{ if ($5=="nfs") { print $2 } }' | uniq | sort)
for I in ${FIND}; do for I in ${FIND}; do
LogText "Found version: ${I}" LogText "Found version: ${I}"
done done
@ -67,7 +67,7 @@
Register --test-no STRG-1906 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check nfs rpc" Register --test-no STRG-1906 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check nfs rpc"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking NFS registered protocols" LogText "Test: Checking NFS registered protocols"
FIND=`${RPCINFOBINARY} -p 2> /dev/null | ${AWKBINARY} '{ if ($5=="nfs") { print $3 } }' | uniq | sort` FIND=$(${RPCINFOBINARY} -p 2> /dev/null | ${AWKBINARY} '{ if ($5=="nfs") { print $3 } }' | uniq | sort)
for I in ${FIND}; do for I in ${FIND}; do
LogText "Found protocol: ${I}" LogText "Found protocol: ${I}"
done done
@ -77,7 +77,7 @@
# Check port number # Check port number
LogText "Test: Checking NFS registered ports" LogText "Test: Checking NFS registered ports"
FIND=`${RPCINFOBINARY} -p 2> /dev/null | ${AWKBINARY} '{ if ($5=="nfs") { print $3 } }' | uniq | sort` FIND=$(${RPCINFOBINARY} -p 2> /dev/null | ${AWKBINARY} '{ if ($5=="nfs") { print $3 } }' | uniq | sort)
for I in ${FIND}; do for I in ${FIND}; do
LogText "Found port: ${I}" LogText "Found port: ${I}"
done done
@ -94,7 +94,7 @@
Register --test-no STRG-1920 --weight L --network NO --category security --description "Checking NFS daemon" Register --test-no STRG-1920 --weight L --network NO --category security --description "Checking NFS daemon"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking running NFS daemon" LogText "Test: Checking running NFS daemon"
FIND=`${PSBINARY} ax | ${GREPBINARY} "nfsd" | ${GREPBINARY} -v "grep"` FIND=$(${PSBINARY} ax | ${GREPBINARY} "nfsd" | ${GREPBINARY} -v "grep")
if [ "${FIND}" = "" ]; then if [ "${FIND}" = "" ]; then
LogText "Output: NFS daemon is not running" LogText "Output: NFS daemon is not running"
Display --indent 2 --text "- Check running NFS daemon" --result "${STATUS_NOT_FOUND}" --color WHITE Display --indent 2 --text "- Check running NFS daemon" --result "${STATUS_NOT_FOUND}" --color WHITE
@ -122,10 +122,10 @@
LogText "Test: check /etc/exports" LogText "Test: check /etc/exports"
if [ -f /etc/exports ]; then if [ -f /etc/exports ]; then
LogText "Result: /etc/exports exists" LogText "Result: /etc/exports exists"
FIND=`${GREPBINARY} -v "^$" /etc/exports | ${GREPBINARY} -v "^#" | ${SEDBINARY} 's/ /!space!/g'` FIND=$(${GREPBINARY} -v "^$" /etc/exports | ${GREPBINARY} -v "^#" | ${SEDBINARY} 's/ /!space!/g')
if [ ! "${FIND}" = "" ]; then if [ ! "${FIND}" = "" ]; then
for I in ${FIND}; do for I in ${FIND}; do
I=`echo ${I} | ${SEDBINARY} 's/!space!/ /g'` I=$(echo ${I} | ${SEDBINARY} 's/!space!/ /g')
LogText "Found line: ${I}" LogText "Found line: ${I}"
done done
else else
@ -161,7 +161,7 @@
Register --test-no STRG-1930 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check client access to nfs share" Register --test-no STRG-1930 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check client access to nfs share"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
#LogText "Test: " #LogText "Test: "
sFIND=`${SHOWMOUNTBINARY} -e | ${AWKBINARY} '{ print $2 }' | ${SEDBINARY} '1d'| ${GREPBINARY} "\*"` sFIND=$(${SHOWMOUNTBINARY} -e | ${AWKBINARY} '{ print $2 }' | ${SEDBINARY} '1d'| ${GREPBINARY} "\*")
if [ "${sFIND}" != "" ]; then if [ "${sFIND}" != "" ]; then
LogText "Result: all client are allowed to access a NFS share in /etc/exports" LogText "Result: all client are allowed to access a NFS share in /etc/exports"
Display --indent 4 --text "- Checking NFS client access" --result "ALL CLIENTS" --color YELLOW Display --indent 4 --text "- Checking NFS client access" --result "ALL CLIENTS" --color YELLOW
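Review bot: The "Checking NFS registered ports" lookup prints `$3`, the same column as the protocol lookup just above it, so the log lists protocols under "Found port". In `rpcinfo -p` output the port is the fourth column, so that line should use `print $4`. The three NFS pipelines also end in `uniq | sort`, which only collapses adjacent duplicates; `sort -u` gives the unique list that appears to be intended. The tests these lines belong to continue outside the hunks.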


@ -46,7 +46,7 @@
# TODO: Skip NTP tests if we are in a DomU xen instance # TODO: Skip NTP tests if we are in a DomU xen instance
FIND=$(cat /sys/hypervisor/type) FIND=$(cat /sys/hypervisor/type)
if [ "${FIND}" = "xen" ]; then PREQS_MET="NO"; else PREQS_MET="YES"; fi if [ "${FIND}" = "xen" ]; then PREQS_MET="NO"; else PREQS_MET="YES"; fi
elif [ -f /sbin/sysctl ] && [ "`/sbin/sysctl -n security.jail.jailed 2>/dev/null || echo 0`" -eq 1 ]; then elif [ -f /sbin/sysctl ] && [ "$(/sbin/sysctl -n security.jail.jailed 2>/dev/null || echo 0)" -eq 1 ]; then
# Skip NTP tests if we're in a FreeBSD jail # Skip NTP tests if we're in a FreeBSD jail
PREQS_MET="NO" PREQS_MET="NO"
else else
@ -271,7 +271,7 @@
else else
Display --indent 2 --text "- Checking high stratum ntp peers" --result "${STATUS_WARNING}" --color RED Display --indent 2 --text "- Checking high stratum ntp peers" --result "${STATUS_WARNING}" --color RED
LogText "Result: Found one or more high stratum (16) peers)" LogText "Result: Found one or more high stratum (16) peers)"
ReportSuggestion ${TEST_NO} "Check ntpq peers output for startum 16 peers" ReportSuggestion ${TEST_NO} "Check ntpq peers output for stratum 16 peers"
fi fi
fi fi
fi fi
@ -281,12 +281,12 @@
# Test : TIME-3120 # Test : TIME-3120
# Description : Check unreliable peers from peer list # Description : Check unreliable peers from peer list
# Notes : Items with # are too far away (network distance) # Notes : Items with # are too far away (network distance)
# Items with - are not chosing due clustering algoritm # Items with - are not chosen due clustering algorithm
if [ ${NTPD_RUNNING} -eq 1 -a ! "${NTPQBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if [ ${NTPD_RUNNING} -eq 1 -a ! "${NTPQBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no TIME-3120 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check unreliable NTP peers" Register --test-no TIME-3120 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check unreliable NTP peers"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking unreliable ntp peers" LogText "Test: Checking unreliable ntp peers"
FIND=`${NTPQBINARY} -p -n | ${EGREPBINARY} "^(-|#)" | ${AWKBINARY} '{ print $1 }' | ${SEDBINARY} 's/^-//g'` FIND=$(${NTPQBINARY} -p -n | ${EGREPBINARY} "^(-|#)" | ${AWKBINARY} '{ print $1 }' | ${SEDBINARY} 's/^-//g')
if [ "${FIND}" = "" ]; then if [ "${FIND}" = "" ]; then
Display --indent 2 --text "- Checking unreliable ntp peers" --result "${STATUS_NONE}" --color GREEN Display --indent 2 --text "- Checking unreliable ntp peers" --result "${STATUS_NONE}" --color GREEN
LogText "Result: No unreliable peers found" LogText "Result: No unreliable peers found"
@ -313,7 +313,7 @@
FIND2=$(${NTPQBINARY} -p -n | ${GREPBINARY} '^*' | ${AWKBINARY} '{ print $1 }') FIND2=$(${NTPQBINARY} -p -n | ${GREPBINARY} '^*' | ${AWKBINARY} '{ print $1 }')
if [ -z "${FIND}" -a ! -z "${FIND2}" ]; then if [ -z "${FIND}" -a ! -z "${FIND2}" ]; then
Display --indent 2 --text "- Checking selected time source" --result "${STATUS_OK}" --color GREEN Display --indent 2 --text "- Checking selected time source" --result "${STATUS_OK}" --color GREEN
FIND2=`echo ${FIND2} | ${SEDBINARY} 's/*//g'` FIND2=$(echo ${FIND2} | ${SEDBINARY} 's/*//g')
LogText "Result: Found selected time source (value: ${FIND2})" LogText "Result: Found selected time source (value: ${FIND2})"
else else
Display --indent 2 --text "- Checking selected time source" --result "${STATUS_WARNING}" --color RED Display --indent 2 --text "- Checking selected time source" --result "${STATUS_WARNING}" --color RED
@ -431,7 +431,7 @@
Display --indent 2 --text "- Checking NTP step-tickers file" --result "${STATUS_OK}" --color GREEN Display --indent 2 --text "- Checking NTP step-tickers file" --result "${STATUS_OK}" --color GREEN
sFIND=$(${AWKBINARY} '/^server/ { print $2 }' /etc/ntp.conf | ${GREPBINARY} -v '127.127.1.0') sFIND=$(${AWKBINARY} '/^server/ { print $2 }' /etc/ntp.conf | ${GREPBINARY} -v '127.127.1.0')
for I in ${sFIND}; do for I in ${sFIND}; do
FIND=`${GREPBINARY} ^${I} ${FILE} | wc -l` FIND=$(${GREPBINARY} ^${I} ${FILE} | wc -l)
if [ ${FIND} -gt 0 ]; then if [ ${FIND} -gt 0 ]; then
LogText "Result: $I exist in ${FILE}" LogText "Result: $I exist in ${FILE}"
else else
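Review bot: `FIND=$(${GREPBINARY} ^${I} ${FILE} | wc -l)` puts a server name read from /etc/ntp.conf into an unquoted, prefix-anchored regular expression. Dots then match any character and an entry such as `10.0.0.10` counts as a hit for `10.0.0.1`, so a missing step-ticker can be logged as present. Assuming the file lists one host per line, a quoted fixed-string whole-line match avoids this: `FIND=$(${GREPBINARY} -c -F -x -- "${I}" "${FILE}")`. The loop body continues outside the hunk.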


@ -221,8 +221,8 @@
# # Check email alert configuration # # Check email alert configuration
# LogText "Test: checking for email actions within ${FAIL2BAN_CONFIG}" # LogText "Test: checking for email actions within ${FAIL2BAN_CONFIG}"
# #
# FIND=`${EGREPBINARY} "^action = \%\(action_m.*\)s" ${FAIL2BAN_CONFIG}` # FIND=$(${EGREPBINARY} "^action = \%\(action_m.*\)s" ${FAIL2BAN_CONFIG})
# FIND2=`${EGREPBINARY} "^action = \%\(action_\)s" ${FAIL2BAN_CONFIG}` # FIND2=$(${EGREPBINARY} "^action = \%\(action_\)s" ${FAIL2BAN_CONFIG})
# #
# if [ ! "${FIND}" = "" ]; then # if [ ! "${FIND}" = "" ]; then
# FAIL2BAN_EMAIL=1 # FAIL2BAN_EMAIL=1
@ -271,7 +271,7 @@
# LogText "Checking for fail2ban iptables chains" # LogText "Checking for fail2ban iptables chains"
# #
# if [ ! "${IPTABLESBINARY}" = "" ]; then # if [ ! "${IPTABLESBINARY}" = "" ]; then
# CHECK_CHAINS=`${IPTABLESBINARY} -L 2>&1 | ${GREPBINARY} fail2ban` # CHECK_CHAINS=$(${IPTABLESBINARY} -L 2>&1 | ${GREPBINARY} fail2ban)
# if [ ! "${CHECK_CHAINS}" = "" ]; then # if [ ! "${CHECK_CHAINS}" = "" ]; then
# LogText "Result: found at least one iptables chain for fail2ban" # LogText "Result: found at least one iptables chain for fail2ban"
# Display --indent 4 --text "- Checking for Fail2ban iptables chain" --result "${STATUS_OK}" --color GREEN # Display --indent 4 --text "- Checking for Fail2ban iptables chain" --result "${STATUS_OK}" --color GREEN


@ -61,7 +61,7 @@
Display --indent 2 --text "- Checking Apache" --result "${STATUS_NOT_FOUND}" --color WHITE Display --indent 2 --text "- Checking Apache" --result "${STATUS_NOT_FOUND}" --color WHITE
else else
LogText "Test: Scanning for Apache binary" LogText "Test: Scanning for Apache binary"
IS_APACHE=`${HTTPDBINARY} -v 2> /dev/null | ${EGREPBINARY} '[aA]pache'` IS_APACHE=$(${HTTPDBINARY} -v 2> /dev/null | ${EGREPBINARY} '[aA]pache')
if [ "${IS_APACHE}" = "" ]; then if [ "${IS_APACHE}" = "" ]; then
LogText "Result: ${HTTPDBINARY} is not Apache" LogText "Result: ${HTTPDBINARY} is not Apache"
Display --indent 2 --text "- Checking Apache (binary ${HTTPDBINARY})" --result "NO MATCH" --color WHITE Display --indent 2 --text "- Checking Apache (binary ${HTTPDBINARY})" --result "NO MATCH" --color WHITE
@ -69,7 +69,7 @@
Display --indent 2 --text "- Checking Apache (binary ${HTTPDBINARY})" --result "${STATUS_FOUND}" --color GREEN Display --indent 2 --text "- Checking Apache (binary ${HTTPDBINARY})" --result "${STATUS_FOUND}" --color GREEN
LogText "Result: ${HTTPDBINARY} seems to be Apache HTTP daemon" LogText "Result: ${HTTPDBINARY} seems to be Apache HTTP daemon"
APACHE_INSTALLED=1 APACHE_INSTALLED=1
APACHE_VERSION=`${HTTPDBINARY} -v 2> /dev/null | ${GREPBINARY} "^Server version:" | ${AWKBINARY} '{ print $3 }' | ${AWKBINARY} -F/ '{ print $2 }'` APACHE_VERSION=$(${HTTPDBINARY} -v 2> /dev/null | ${GREPBINARY} "^Server version:" | ${AWKBINARY} '{ print $3 }' | ${AWKBINARY} -F/ '{ print $2 }')
LogText "Apache version: ${APACHE_VERSION}" LogText "Apache version: ${APACHE_VERSION}"
Report "apache_version=${APACHE_VERSION}" Report "apache_version=${APACHE_VERSION}"
fi fi
@ -93,7 +93,7 @@
Register --test-no HTTP-6624 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Testing main Apache configuration file" Register --test-no HTTP-6624 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Testing main Apache configuration file"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
APACHE_CONFIGFILE="" APACHE_CONFIGFILE=""
APACHE_TEST=`${HTTPDBINARY} -V 2> /dev/null | ${GREPBINARY} "\-D SERVER_CONFIG_FILE=" | ${SEDBINARY} 's/[ ]-D SERVER_CONFIG_FILE=//' | ${TRBINARY} -d '"' | ${TRBINARY} -d ' ' | ${TRBINARY} -d '[:cntrl:]'` APACHE_TEST=$(${HTTPDBINARY} -V 2> /dev/null | ${GREPBINARY} "\-D SERVER_CONFIG_FILE=" | ${SEDBINARY} 's/[ ]-D SERVER_CONFIG_FILE=//' | ${TRBINARY} -d '"' | ${TRBINARY} -d ' ' | ${TRBINARY} -d '[:cntrl:]')
if [ "${APACHE_TEST}" = "" ]; then if [ "${APACHE_TEST}" = "" ]; then
LogText "Result: Can't find the configuration file, so skipping some Apache related tests" LogText "Result: Can't find the configuration file, so skipping some Apache related tests"
@ -104,7 +104,7 @@
Display --indent 6 --text "Info: Configuration file found (${APACHE_CONFIGFILE})" Display --indent 6 --text "Info: Configuration file found (${APACHE_CONFIGFILE})"
else else
# Probably the prefix is missing, so we are going to search that # Probably the prefix is missing, so we are going to search that
APACHE_HTTPDROOT=`${HTTPDBINARY} -V 2> /dev/null | ${GREPBINARY} "\-D HTTPD_ROOT=" | ${SEDBINARY} 's/[ ]-D HTTPD_ROOT=//' | ${TRBINARY} -d '"' | ${TRBINARY} -d ' '` APACHE_HTTPDROOT=$(${HTTPDBINARY} -V 2> /dev/null | ${GREPBINARY} "\-D HTTPD_ROOT=" | ${SEDBINARY} 's/[ ]-D HTTPD_ROOT=//' | ${TRBINARY} -d '"' | ${TRBINARY} -d ' ')
#echo "Apache root prefix: ${APACHE_HTTPDROOT}" #echo "Apache root prefix: ${APACHE_HTTPDROOT}"
#echo "Complete path to configuration file: ${APACHE_HTTPDROOT}/${APACHE_TEST}" #echo "Complete path to configuration file: ${APACHE_HTTPDROOT}/${APACHE_TEST}"
APACHE_TESTFILE="${APACHE_HTTPDROOT}/${APACHE_TEST}" APACHE_TESTFILE="${APACHE_HTTPDROOT}/${APACHE_TEST}"
@ -143,13 +143,13 @@
cVHOSTS=0; tVHOSTS="" cVHOSTS=0; tVHOSTS=""
# Check every configuration file # Check every configuration file
for I in `cat ${TMPFILE}`; do for I in $(cat ${TMPFILE}); do
LogText "Apache config file: ${I}" LogText "Apache config file: ${I}"
FileIsReadable ${I} FileIsReadable ${I}
if [ ${CANREAD} -eq 1 ]; then if [ ${CANREAD} -eq 1 ]; then
# Search Virtual Hosts # Search Virtual Hosts
for J in `${GREPBINARY} "ServerName" ${I} | ${GREPBINARY} -v "^#" | ${AWKBINARY} '{ if ($1=="ServerName" && $2!="*" && $2!="default") print $2 }'`; do for J in $(${GREPBINARY} "ServerName" ${I} | ${GREPBINARY} -v "^#" | ${AWKBINARY} '{ if ($1=="ServerName" && $2!="*" && $2!="default") print $2 }'); do
if [ ! -z ${J} ]; then if [ ! -z ${J} ]; then
tVHOSTS="${tVHOSTS} ${J}" tVHOSTS="${tVHOSTS} ${J}"
cVHOSTS=$((cVHOSTS + 1)) cVHOSTS=$((cVHOSTS + 1))
@ -205,12 +205,12 @@
# for APACHE_CONFIGFILE in ${APACHE_CONFIGFILES}; do # for APACHE_CONFIGFILE in ${APACHE_CONFIGFILES}; do
# if [ -f ${APACHE_CONFIGFILE} ]; then # if [ -f ${APACHE_CONFIGFILE} ]; then
# # Check if option ServerTokens is configured # # Check if option ServerTokens is configured
# SERVERTOKENSTEST=`${GREPBINARY} ServerTokens ${APACHE_CONFIGFILE} | ${GREPBINARY} -v '^#'` # SERVERTOKENSTEST=$(${GREPBINARY} ServerTokens ${APACHE_CONFIGFILE} | ${GREPBINARY} -v '^#')
# if [ ! "${SERVERTOKENSTEST}" = "" ]; then # if [ ! "${SERVERTOKENSTEST}" = "" ]; then
# Display --indent 4 --text "- Checking option ServerTokens" --result "${STATUS_FOUND}" --color WHITE # Display --indent 4 --text "- Checking option ServerTokens" --result "${STATUS_FOUND}" --color WHITE
# SERVERTOKENSTEST=`echo ${SERVERTOKENSTEST} | ${SEDBINARY} 's/ServerTokens//' | ${TRBINARY} -d ' '` # SERVERTOKENSTEST=$(echo ${SERVERTOKENSTEST} | ${SEDBINARY} 's/ServerTokens//' | ${TRBINARY} -d ' ')
# LogText "Option ServerTokens found: ${SERVERTOKENSTEST}" # LogText "Option ServerTokens found: ${SERVERTOKENSTEST}"
# SERVERTOKENSEXPECTED=`${GREPBINARY} 'apache' ${PROFILE} | ${GREPBINARY} 'ServerTokens' | ${CUTBINARY} -d ':' -f3` # SERVERTOKENSEXPECTED=$(${GREPBINARY} 'apache' ${PROFILE} | ${GREPBINARY} 'ServerTokens' | ${CUTBINARY} -d ':' -f3)
# if [ "${SERVERTOKENSEXPECTED}" = "${SERVERTOKENSTEST}" ]; then # if [ "${SERVERTOKENSEXPECTED}" = "${SERVERTOKENSTEST}" ]; then
# LogText "Result: Value from configuration file yielded the same output as in template" # LogText "Result: Value from configuration file yielded the same output as in template"
# SERVERTOKENSFOUND=1 # SERVERTOKENSFOUND=1
@ -254,7 +254,7 @@
#for I in ${APACHE_MODULES_ENABLED_LOCS}; do #for I in ${APACHE_MODULES_ENABLED_LOCS}; do
#LogText "Test: checking ${I}" #LogText "Test: checking ${I}"
#if [ -d ${I} ]; then #if [ -d ${I} ]; then
#FIND=`${GREPBINARY} -r LoadModule ${I}/* | ${GREPBINARY} -v "^#" | ${AWKBINARY} '{ print $2":"$3 }'` #FIND=$(${GREPBINARY} -r LoadModule ${I}/* | ${GREPBINARY} -v "^#" | ${AWKBINARY} '{ print $2":"$3 }')
#else #else
#LogText "Result: ${I} does not exist" #LogText "Result: ${I} does not exist"
#fi #fi
@ -380,7 +380,7 @@
Register --test-no HTTP-6702 --weight L --network NO --category security --description "Check nginx process" Register --test-no HTTP-6702 --weight L --network NO --category security --description "Check nginx process"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: searching running nginx process" LogText "Test: searching running nginx process"
FIND=`${PSBINARY} ax | ${GREPBINARY} "/nginx" | ${GREPBINARY} "master" | ${GREPBINARY} -v "grep"` FIND=$(${PSBINARY} ax | ${GREPBINARY} "/nginx" | ${GREPBINARY} "master" | ${GREPBINARY} -v "grep")
if [ ! "${FIND}" = "" ]; then if [ ! "${FIND}" = "" ]; then
LogText "Result: found running nginx process(es)" LogText "Result: found running nginx process(es)"
Display --indent 2 --text "- Checking nginx" --result "${STATUS_FOUND}" --color GREEN Display --indent 2 --text "- Checking nginx" --result "${STATUS_FOUND}" --color GREEN
@ -430,9 +430,9 @@
N=0 N=0
${SEDBINARY} -e 's/^[ ]*//' ${NGINX_CONF_LOCATION} | ${GREPBINARY} -v "^#" | ${GREPBINARY} -v "^$" | ${SEDBINARY} 's/[ ]/ /g' | ${SEDBINARY} 's/ / /g' | ${SEDBINARY} 's/ / /g' >> ${TMPFILE} ${SEDBINARY} -e 's/^[ ]*//' ${NGINX_CONF_LOCATION} | ${GREPBINARY} -v "^#" | ${GREPBINARY} -v "^$" | ${SEDBINARY} 's/[ ]/ /g' | ${SEDBINARY} 's/ / /g' | ${SEDBINARY} 's/ / /g' >> ${TMPFILE}
# Search for included configuration files (may include directories and wild cards) # Search for included configuration files (may include directories and wild cards)
FIND=`${GREPBINARY} "include" ${NGINX_CONF_LOCATION} | ${AWKBINARY} '{ if ($1=="include") { print $2 }}' | ${SEDBINARY} 's/;$//g'` FIND=$(${GREPBINARY} "include" ${NGINX_CONF_LOCATION} | ${AWKBINARY} '{ if ($1=="include") { print $2 }}' | ${SEDBINARY} 's/;$//g')
for I in ${FIND}; do for I in ${FIND}; do
FIND2=`${LSBINARY} ${I} 2>/dev/null` FIND2=$(${LSBINARY} ${I} 2>/dev/null)
for J in ${FIND2}; do for J in ${FIND2}; do
# Ensure that we are parsing normal files # Ensure that we are parsing normal files
if [ -f ${J} ]; then if [ -f ${J} ]; then
@ -442,7 +442,7 @@
FileIsReadable ${J} FileIsReadable ${J}
if [ ${CANREAD} -eq 1 ]; then if [ ${CANREAD} -eq 1 ]; then
NGINX_CONF_FILES="${NGINX_CONF_FILES} ${J}" NGINX_CONF_FILES="${NGINX_CONF_FILES} ${J}"
FIND3=`sed -e 's/^[ ]*//' ${J} | ${GREPBINARY} -v "^#" | ${GREPBINARY} -v "^$" | ${SEDBINARY} 's/[ ]/ /g' | ${SEDBINARY} 's/ / /g' | ${SEDBINARY} 's/ / /g' >> ${TMPFILE}` FIND3=$(sed -e 's/^[ ]*//' ${J} | ${GREPBINARY} -v "^#" | ${GREPBINARY} -v "^$" | ${SEDBINARY} 's/[ ]/ /g' | ${SEDBINARY} 's/ / /g' | ${SEDBINARY} 's/ / /g' >> ${TMPFILE})
else else
ReportException "${TEST_NO}:1" "Can not parse file ${J}, as it is not readable" ReportException "${TEST_NO}:1" "Can not parse file ${J}, as it is not readable"
fi fi
@ -451,9 +451,9 @@
done done
# Sort all discovered configuration lines and store unique ones. Also strip out the mime types configured in nginx # Sort all discovered configuration lines and store unique ones. Also strip out the mime types configured in nginx
SORTFILE=`${SORTBINARY} -u ${TMPFILE} | ${SEDBINARY} 's/ /:space:/g' | ${EGREPBINARY} -v "(application|audio|image|text|video)/" | ${EGREPBINARY} -v "({|})"` SORTFILE=$(${SORTBINARY} -u ${TMPFILE} | ${SEDBINARY} 's/ /:space:/g' | ${EGREPBINARY} -v "(application|audio|image|text|video)/" | ${EGREPBINARY} -v "({|})")
for I in ${SORTFILE}; do for I in ${SORTFILE}; do
I=`echo ${I} | ${SEDBINARY} 's/:space:/ /g'` I=$(echo ${I} | ${SEDBINARY} 's/:space:/ /g')
Report "nginx_config_option[]=${I}"; Report "nginx_config_option[]=${I}";
done done
@ -470,7 +470,7 @@
################################################################################# #################################################################################
# #
# Test : HTTP-6708 # Test : HTTP-6708
# Description : Check discovered nginx configuration settings for further hardering # Description : Check discovered nginx configuration settings for further hardening
# Notes : Daemon of nginx should be running, nginx.conf should be found # Notes : Daemon of nginx should be running, nginx.conf should be found
if [ ${NGINX_RUNNING} -eq 1 -a ! "${NGINX_CONF_FILES}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if [ ${NGINX_RUNNING} -eq 1 -a ! "${NGINX_CONF_FILES}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no HTTP-6708 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check discovered nginx configuration settings" Register --test-no HTTP-6708 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check discovered nginx configuration settings"
@ -651,7 +651,7 @@
# if [ ${SKIPTEST} -eq 0 ]; then # if [ ${SKIPTEST} -eq 0 ]; then
# N=0 # N=0
# LogText "Test: searching proxy_pass statement in configuration file ${NGINX_CONF_LOCATION}" # LogText "Test: searching proxy_pass statement in configuration file ${NGINX_CONF_LOCATION}"
# FIND=`${GREPBINARY} "proxy_pass" ${NGINX_CONF_LOCATION} | ${GREPBINARY} -v "#" | ${SEDBINARY} 's/proxy_pass//g' | ${TRBINARY} -d ';'` # FIND=$(${GREPBINARY} "proxy_pass" ${NGINX_CONF_LOCATION} | ${GREPBINARY} -v "#" | ${SEDBINARY} 's/proxy_pass//g' | ${TRBINARY} -d ';')
# for I in ${FIND}; do # for I in ${FIND}; do
# LogText "Found reverse proxy configuration for: ${I}" # LogText "Found reverse proxy configuration for: ${I}"
# N=$((N + 1)) # N=$((N + 1))
@ -675,7 +675,7 @@
# if [ ${SKIPTEST} -eq 0 ]; then # if [ ${SKIPTEST} -eq 0 ]; then
# N=0 # N=0
# LogText "Test: searching nginx virtual hosts" # LogText "Test: searching nginx virtual hosts"
# FIND=`${GREPBINARY} "server_name" ${NGINX_CONF_LOCATION} | ${GREPBINARY} -v "#" | ${SEDBINARY} 's/server_name//g' | ${TRBINARY} -d ';'` # FIND=$(${GREPBINARY} "server_name" ${NGINX_CONF_LOCATION} | ${GREPBINARY} -v "#" | ${SEDBINARY} 's/server_name//g' | ${TRBINARY} -d ';')
# for I in ${FIND}; do # for I in ${FIND}; do
# if [ "${I}" = "_" ]; then I="Default virtual host"; fi # if [ "${I}" = "_" ]; then I="Default virtual host"; fi
# LogText "Found virtual host: ${I}" # LogText "Found virtual host: ${I}"


@ -31,7 +31,7 @@
for I in ${ETC_PATHS}; do for I in ${ETC_PATHS}; do
if [ -d ${I}/bash-completion.d ]; then if [ -d ${I}/bash-completion.d ]; then
if [ ! -f ${ETC_PATHS}/bash_completion.d/lynis ]; then if [ ! -f ${ETC_PATHS}/bash_completion.d/lynis ]; then
Display "This system has a bash_completition directory. Copy extras/bash_completion.d/lynis to ${I} to get completion support for Lynis" Display "This system has a bash_completion directory. Copy extras/bash_completion.d/lynis to ${I} to get completion support for Lynis"
fi fi
fi fi
done done
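Review bot: The inner test does not check the directory the loop just found. The outer test looks for `${I}/bash-completion.d` (hyphen), while the inner one tests `${ETC_PATHS}/bash_completion.d/lynis` (underscore) and expands the whole `ETC_PATHS` list instead of the current entry `${I}`. With more than one path in the list, that unquoted expansion puts several words inside `[ ! -f … ]`, so the test fails with an error and the hint is suppressed for the wrong reason. Which spelling of the directory is intended cannot be told from this hunk; once settled, both tests should use it with the loop variable, e.g. `if [ ! -f "${I}/bash_completion.d/lynis" ]; then`.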

14
lynis

@ -61,7 +61,7 @@
################################################################################# #################################################################################
# #
# Work directory # Work directory
WORKDIR=`pwd` WORKDIR=$(pwd)
# Test from which directories we can use all functions and tests # Test from which directories we can use all functions and tests
@ -248,7 +248,7 @@ Make sure to execute ${PROGRAM_NAME} from untarred directory or check your insta
################################################################################# #################################################################################
# #
# CV - Current Version # CV - Current Version
PROGRAM_AC=`echo ${PROGRAM_VERSION} | awk '{ print $1 }' | sed 's/[.]//g'` PROGRAM_AC=$(echo ${PROGRAM_VERSION} | awk '{ print $1 }' | sed 's/[.]//g')
PROGRAM_LV=0 PROGRAM_LV=0
# #
################################################################################# #################################################################################
@ -299,7 +299,7 @@ ${NORMAL}
################################################################################# #################################################################################
# #
# Decide where to write our PID file. For unprivileged users this will be in their home directory, or /tmp if their # Decide where to write our PID file. For unprivileged users this will be in their home directory, or /tmp if their
# home directory isn't set. For root it will be /var/run, or the current workign directory if /var/run doesn't exist. # home directory isn't set. For root it will be /var/run, or the current working directory if /var/run doesn't exist.
MYHOMEDIR=$(echo ~ 2> /dev/null) MYHOMEDIR=$(echo ~ 2> /dev/null)
if [ "${MYHOMEDIR}" = "" ]; then MYHOMEDIR="/tmp"; fi if [ "${MYHOMEDIR}" = "" ]; then MYHOMEDIR="/tmp"; fi
@ -815,14 +815,14 @@ ${NORMAL}
LogText "Found plugin file: ${PLUGIN_FILE}" LogText "Found plugin file: ${PLUGIN_FILE}"
# Double check if output is a valid file name # Double check if output is a valid file name
if [ -f ${PLUGIN_FILE} ]; then if [ -f ${PLUGIN_FILE} ]; then
FIND2=`grep "^# PLUGIN_NAME=" ${PLUGIN_FILE} | awk -F= '{ print $2 }'` FIND2=$(grep "^# PLUGIN_NAME=" ${PLUGIN_FILE} | awk -F= '{ print $2 }')
if [ ! "${FIND2}" = "" -a ! "${FIND2}" = "[plugin_name]" ]; then if [ ! "${FIND2}" = "" -a ! "${FIND2}" = "[plugin_name]" ]; then
if [ ${PLUGIN_PHASE} -eq 1 ]; then N_PLUGIN=$((${N_PLUGIN} + 1)); fi if [ ${PLUGIN_PHASE} -eq 1 ]; then N_PLUGIN=$((${N_PLUGIN} + 1)); fi
# Check if the plugin is enabled in any of the profiles # Check if the plugin is enabled in any of the profiles
PLUGIN_ENABLED_STATE=0 PLUGIN_ENABLED_STATE=0
for PROFILE in ${PROFILES}; do for PROFILE in ${PROFILES}; do
LogText "Action: checking plugin status in profile: ${PROFILE}" LogText "Action: checking plugin status in profile: ${PROFILE}"
FIND3=`grep "^plugin=${FIND2}" ${PROFILE}` FIND3=$(grep "^plugin=${FIND2}" ${PROFILE})
if [ ! "${FIND3}" = "" ]; then if [ ! "${FIND3}" = "" ]; then
LogText "Result: plugin enabled in profile (${PROFILE})" LogText "Result: plugin enabled in profile (${PROFILE})"
PLUGIN_ENABLED_STATE=1 PLUGIN_ENABLED_STATE=1
@ -832,8 +832,8 @@ ${NORMAL}
LogText "Result: plugin ${FIND2} is enabled" LogText "Result: plugin ${FIND2} is enabled"
PLUGINFILE="${PLUGINDIR}/plugin_${FIND2}_phase${PLUGIN_PHASE}" PLUGINFILE="${PLUGINDIR}/plugin_${FIND2}_phase${PLUGIN_PHASE}"
if [ -f ${PLUGINFILE} ]; then if [ -f ${PLUGINFILE} ]; then
PLUGIN_VERSION=`grep "^# PLUGIN_VERSION=" ${PLUGIN_FILE} | awk -F= '{ print $2 }'` PLUGIN_VERSION=$(grep "^# PLUGIN_VERSION=" ${PLUGIN_FILE} | awk -F= '{ print $2 }')
PLUGIN_VERSION_NODOTS=`echo ${PLUGIN_VERSION} | sed 's/.//g'` PLUGIN_VERSION_NODOTS=$(echo ${PLUGIN_VERSION} | sed 's/.//g')
if SafePerms ${PLUGINFILE}; then if SafePerms ${PLUGINFILE}; then
LogText "Including plugin file: ${PLUGINFILE} (version: ${PLUGIN_VERSION})" LogText "Including plugin file: ${PLUGINFILE} (version: ${PLUGIN_VERSION})"
Report "plugin_enabled_phase${PLUGIN_PHASE}[]=${FIND2}|${PLUGIN_VERSION}|" Report "plugin_enabled_phase${PLUGIN_PHASE}[]=${FIND2}|${PLUGIN_VERSION}|"
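Review bot: `PLUGIN_VERSION_NODOTS` always ends up empty, because the dot in `sed 's/.//g'` is an unescaped regex metacharacter and matches every character of the version string. The `PROGRAM_AC` assignment in an earlier hunk of this file already uses the bracket form, so the same should be used here: `PLUGIN_VERSION_NODOTS=$(echo ${PLUGIN_VERSION} | sed 's/[.]//g')`. Any later check on this value (not visible in the hunk) is presumably working on an empty string at the moment. The enclosing plugin loop starts and ends outside the hunk.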


@ -68,25 +68,25 @@
# Check if the PAM directory structure exists # Check if the PAM directory structure exists
if [ -d ${PAM_DIRECTORY} ]; then if [ -d ${PAM_DIRECTORY} ]; then
LogText "Result: /etc/pam.d exists" LogText "Result: /etc/pam.d exists"
FIND_FILES=`find ${PAM_DIRECTORY} -type f -print` FIND_FILES=$(find ${PAM_DIRECTORY} -type f -print)
# First check /etc/pam.conf if it exists. # First check /etc/pam.conf if it exists.
#if [ -f /etc/pam.conf ]; then FIND="/etc/pam.conf ${FIND}"; fi #if [ -f /etc/pam.conf ]; then FIND="/etc/pam.conf ${FIND}"; fi
for PAM_FILE in ${FIND_FILES}; do for PAM_FILE in ${FIND_FILES}; do
LogText "Now checking PAM file ${PAM_FILE}" LogText "Now checking PAM file ${PAM_FILE}"
while read line; do while read line; do
# Strip empty lines, commented lines, tabs, line breaks (\), then finally remove all double spaces # Strip empty lines, commented lines, tabs, line breaks (\), then finally remove all double spaces
LINE=`echo $line | grep -v "^#" | grep -v "^$" | tr '\011' ' ' | sed 's/\\\n/ /' | sed 's/ / /g' | sed 's/ #\(.*\)$//'` LINE=$(echo $line | grep -v "^#" | grep -v "^$" | tr '\011' ' ' | sed 's/\\\n/ /' | sed 's/ / /g' | sed 's/ #\(.*\)$//')
if [ ! "${LINE}" = "" ]; then if [ ! "${LINE}" = "" ]; then
PAM_SERVICE=`echo ${PAM_FILE} | awk -F/ '{ print $NF }'` PAM_SERVICE=$(echo ${PAM_FILE} | awk -F/ '{ print $NF }')
PAM_CONTROL_FLAG="-" PAM_CONTROL_FLAG="-"
PAM_CONTROL_OPTIONS="-" PAM_CONTROL_OPTIONS="-"
PAM_MODULE="-" PAM_MODULE="-"
PAM_MODULE_OPTIONS="-" PAM_MODULE_OPTIONS="-"
PAM_TYPE=`echo ${LINE} | awk '{ print $1 }'` PAM_TYPE=$(echo ${LINE} | awk '{ print $1 }')
PARSELINE=0 PARSELINE=0
case ${PAM_TYPE} in case ${PAM_TYPE} in
"@include") "@include")
FILE=`echo ${LINE} | awk '{ print $2 }'` FILE=$(echo ${LINE} | awk '{ print $2 }')
Debug "Result: Found @include in ${PAM_FILE}. Does include PAM settings from file ${FILE} (which is individually processed)" Debug "Result: Found @include in ${PAM_FILE}. Does include PAM settings from file ${FILE} (which is individually processed)"
;; ;;
"account") "account")
@ -106,16 +106,16 @@
;; ;;
esac esac
if [ ${PARSELINE} -eq 1 ]; then if [ ${PARSELINE} -eq 1 ]; then
MULTIPLE_OPTIONS=`echo ${LINE} | awk '$2 ~ /^\[/'` MULTIPLE_OPTIONS=$(echo ${LINE} | awk '$2 ~ /^\[/')
if [ ! "${MULTIPLE_OPTIONS}" = "" ]; then if [ ! "${MULTIPLE_OPTIONS}" = "" ]; then
# Needs more parsing, depending on the options found # Needs more parsing, depending on the options found
PAM_CONTROL_OPTIONS=`echo ${LINE} | sed "s/^.*\[//" | sed "s/\].*$//"` PAM_CONTROL_OPTIONS=$(echo ${LINE} | sed "s/^.*\[//" | sed "s/\].*$//")
LogText "Result: Found brackets in line, indicating multiple options for control flags: ${PAM_CONTROL_OPTIONS}" LogText "Result: Found brackets in line, indicating multiple options for control flags: ${PAM_CONTROL_OPTIONS}"
LINE=`echo ${LINE} | sed "s/ \[.*\] / other /"` LINE=$(echo ${LINE} | sed "s/ \[.*\] / other /")
fi fi
PAM_MODULE=`echo ${LINE} | awk '{ print $3 }'` PAM_MODULE=$(echo ${LINE} | awk '{ print $3 }')
PAM_MODULE_OPTIONS=`echo ${LINE} | cut -d ' ' -f 4-` PAM_MODULE_OPTIONS=$(echo ${LINE} | cut -d ' ' -f 4-)
PAM_CONTROL_FLAG=`echo ${LINE} | awk '{ print $2 }'` PAM_CONTROL_FLAG=$(echo ${LINE} | awk '{ print $2 }')
case ${PAM_CONTROL_FLAG} in case ${PAM_CONTROL_FLAG} in
"optional"|"required"|"requisite"|"sufficient") "optional"|"required"|"requisite"|"sufficient")
#Debug "Found a common control flag: ${PAM_CONTROL_FLAG} for ${PAM_MODULE}" #Debug "Found a common control flag: ${PAM_CONTROL_FLAG} for ${PAM_MODULE}"
@ -135,7 +135,7 @@
LogText "Result: using module ${PAM_MODULE} (${PAM_CONTROL_FLAG}) without options configured" LogText "Result: using module ${PAM_MODULE} (${PAM_CONTROL_FLAG}) without options configured"
fi fi
PAM_MODULE_NAME=`echo ${PAM_MODULE} | sed 's/.so$//'` PAM_MODULE_NAME=$(echo ${PAM_MODULE} | sed 's/.so$//')
# #
# Specific PAMs are commonly seen on these platforms: # Specific PAMs are commonly seen on these platforms:
# #
@ -202,8 +202,8 @@
if [ "${PAM_PASSWORD_PWHISTORY_AMOUNT}" = "" ]; then PAM_PASSWORD_PWHISTORY_AMOUNT=10; fi if [ "${PAM_PASSWORD_PWHISTORY_AMOUNT}" = "" ]; then PAM_PASSWORD_PWHISTORY_AMOUNT=10; fi
if [ ! "${PAM_MODULE_OPTIONS}" = "" ]; then if [ ! "${PAM_MODULE_OPTIONS}" = "" ]; then
for I in ${PAM_MODULE_OPTIONS}; do for I in ${PAM_MODULE_OPTIONS}; do
OPTION=`echo ${I} | awk -F= '{ print $1 }'` OPTION=$(echo ${I} | awk -F= '{ print $1 }')
VALUE=`echo ${I} | awk -F= '{ print $2 }'` VALUE=$(echo ${I} | awk -F= '{ print $2 }')
CREDITS_CONFIGURED=0 CREDITS_CONFIGURED=0
case ${OPTION} in case ${OPTION} in
remember) remember)
@ -231,8 +231,8 @@
LogText "Result: found ${PAM_MODULE} module (generic)" LogText "Result: found ${PAM_MODULE} module (generic)"
if [ ! "${PAM_MODULE_OPTIONS}" = "" ]; then if [ ! "${PAM_MODULE_OPTIONS}" = "" ]; then
for I in ${PAM_MODULE_OPTIONS}; do for I in ${PAM_MODULE_OPTIONS}; do
OPTION=`echo ${I} | awk -F= '{ print $1 }'` OPTION=$(echo ${I} | awk -F= '{ print $1 }')
VALUE=`echo ${I} | awk -F= '{ print $2 }'` VALUE=$(echo ${I} | awk -F= '{ print $2 }')
CREDITS_CONFIGURED=0 CREDITS_CONFIGURED=0
case ${OPTION} in case ${OPTION} in
remember) remember)
@ -268,9 +268,9 @@
if [ ! "${PAM_MODULE_OPTIONS}" = "" ]; then if [ ! "${PAM_MODULE_OPTIONS}" = "" ]; then
Debug "Module options configured" Debug "Module options configured"
for I in ${PAM_MODULE_OPTIONS}; do for I in ${PAM_MODULE_OPTIONS}; do
OPTION=`echo ${I} | awk -F= '{ print $1 }'` OPTION=$(echo ${I} | awk -F= '{ print $1 }')
Debug ${OPTION} Debug ${OPTION}
VALUE=`echo ${I} | awk -F= '{ print $2 }'` VALUE=$(echo ${I} | awk -F= '{ print $2 }')
CREDITS_CONFIGURED=0 CREDITS_CONFIGURED=0
case ${OPTION} in case ${OPTION} in
minlen) minlen)
@ -286,7 +286,7 @@
MAX_PASSWORD_RETRY=${VALUE} MAX_PASSWORD_RETRY=${VALUE}
;; ;;
minclass) minclass)
# Minimum number of class required out of upper, lower, digit and oters # Minimum number of class required out of upper, lower, digit and others
LogText "Result: Min number of password class is configured" LogText "Result: Min number of password class is configured"
MIN_PASSWORD_CLASS=${VALUE} MIN_PASSWORD_CLASS=${VALUE}
;; ;;
@ -318,8 +318,8 @@
fi fi
if [ ! "${PAM_MODULE_OPTIONS}" = "" ]; then if [ ! "${PAM_MODULE_OPTIONS}" = "" ]; then
for I in ${PAM_MODULE_OPTIONS}; do for I in ${PAM_MODULE_OPTIONS}; do
OPTION=`echo ${I} | awk -F= '{ print $1 }'` OPTION=$(echo ${I} | awk -F= '{ print $1 }')
VALUE=`echo ${I} | awk -F= '{ print $2 }'` VALUE=$(echo ${I} | awk -F= '{ print $2 }')
case ${OPTION} in case ${OPTION} in
deny) deny)
AUTH_BLOCK_BAD_LOGIN_ATTEMPTS="${VALUE}" AUTH_BLOCK_BAD_LOGIN_ATTEMPTS="${VALUE}"
@ -402,7 +402,7 @@ if [ ${PAM_PASSWORD_STRENGTH_TESTED} -eq 1 ]; then
# Digits # Digits
if [ ${CREDITS_D_PASSWORD} -lt 0 ]; then if [ ${CREDITS_D_PASSWORD} -lt 0 ]; then
CREDITS_D_PASSWORD=`echo ${CREDITS_D_PASSWORD} | cut -b 2-` CREDITS_D_PASSWORD=$(echo ${CREDITS_D_PASSWORD} | cut -b 2-)
LogText "[PAM] Minimum number of Digital characters required: ${CREDITS_D_PASSWORD}" LogText "[PAM] Minimum number of Digital characters required: ${CREDITS_D_PASSWORD}"
Report "password_min_digital_required=${CREDITS_D_PASSWORD}" Report "password_min_digital_required=${CREDITS_D_PASSWORD}"
elif [ ${CREDITS_D_PASSWORD} -ge 0 ]; then elif [ ${CREDITS_D_PASSWORD} -ge 0 ]; then
@ -412,7 +412,7 @@ if [ ${PAM_PASSWORD_STRENGTH_TESTED} -eq 1 ]; then
# Lowercase # Lowercase
if [ ${CREDITS_L_PASSWORD} -lt 0 ]; then if [ ${CREDITS_L_PASSWORD} -lt 0 ]; then
CREDITS_L_PASSWORD=`echo ${CREDITS_L_PASSWORD} | cut -b 2-` CREDITS_L_PASSWORD=$(echo ${CREDITS_L_PASSWORD} | cut -b 2-)
LogText "[PAM] Minimum number of Lowercase characters required: ${CREDITS_L_PASSWORD}" LogText "[PAM] Minimum number of Lowercase characters required: ${CREDITS_L_PASSWORD}"
Report "password_min_l_required=${CREDITS_L_PASSWORD}" Report "password_min_l_required=${CREDITS_L_PASSWORD}"
elif [ ${CREDITS_L_PASSWORD} -ge 0 ]; then elif [ ${CREDITS_L_PASSWORD} -ge 0 ]; then
@ -422,7 +422,7 @@ if [ ${PAM_PASSWORD_STRENGTH_TESTED} -eq 1 ]; then
# Other characters # Other characters
if [ ${CREDITS_O_PASSWORD} -lt 0 ]; then if [ ${CREDITS_O_PASSWORD} -lt 0 ]; then
CREDITS_O_PASSWORD=`echo ${CREDITS_O_PASSWORD} | cut -b 2-` CREDITS_O_PASSWORD=$(echo ${CREDITS_O_PASSWORD} | cut -b 2-)
LogText "[PAM] Minimum number of Other characters required: ${CREDITS_O_PASSWORD}" LogText "[PAM] Minimum number of Other characters required: ${CREDITS_O_PASSWORD}"
Report "password_min_other_required=${CREDITS_O_PASSWORD}" Report "password_min_other_required=${CREDITS_O_PASSWORD}"
elif [ ${CREDITS_O_PASSWORD} -ge 0 ]; then elif [ ${CREDITS_O_PASSWORD} -ge 0 ]; then
@ -432,7 +432,7 @@ if [ ${PAM_PASSWORD_STRENGTH_TESTED} -eq 1 ]; then
# Uppercase # Uppercase
if [ ${CREDITS_U_PASSWORD} -lt 0 ]; then if [ ${CREDITS_U_PASSWORD} -lt 0 ]; then
CREDITS_U_PASSWORD=`echo ${CREDITS_U_PASSWORD} | cut -b 2-` CREDITS_U_PASSWORD=$(echo ${CREDITS_U_PASSWORD} | cut -b 2-)
LogText "[PAM] Minimum number of Uppercase characters required: ${CREDITS_U_PASSWORD}" LogText "[PAM] Minimum number of Uppercase characters required: ${CREDITS_U_PASSWORD}"
Report "password_min_u_required=${CREDITS_U_PASSWORD}" Report "password_min_u_required=${CREDITS_U_PASSWORD}"
elif [ ${CREDITS_U_PASSWORD} -ge 0 ]; then elif [ ${CREDITS_U_PASSWORD} -ge 0 ]; then
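Review bot: In the hunk at `@ -68,25 +68,25 @` the PAM line is expanded unquoted (`echo $line`, and later `echo ${LINE}`), so the shell applies word splitting and pathname expansion to file content before it is parsed. A bracketed control value such as `[default=die]` is a valid glob pattern, so a matching file name in the working directory would silently replace it and the audit would record a different control flag than the one configured. Quoting the expansion, `LINE=$(echo "${line}" | …)`, avoids that; the whitespace squeezing that the unquoted form does implicitly would then need an explicit `tr -s ' '` in the pipeline. The `while read` loop closes outside the visible hunks.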


@ -39,7 +39,7 @@
if [ ! "${SYSTEMCTLBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if [ ! "${SYSTEMCTLBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PLGN-3800 --preqs-met ${PREQS_MET} --weight L --network NO --description "Gather systemctl exit code" --progress Register --test-no PLGN-3800 --preqs-met ${PREQS_MET} --weight L --network NO --description "Gather systemctl exit code" --progress
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
FIND=`${SYSTEMCTLBINARY} > /dev/null` FIND=$(${SYSTEMCTLBINARY} > /dev/null)
if [ $? -gt 0 ]; then if [ $? -gt 0 ]; then
Report "systemctl_error_message=${FIND}" Report "systemctl_error_message=${FIND}"
else else
@ -57,13 +57,13 @@
if [ ! "${SYSTEMCTLBINARY}" = "" -a ${SYSTEMD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if [ ! "${SYSTEMCTLBINARY}" = "" -a ${SYSTEMD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PLGN-3802 --preqs-met ${PREQS_MET} --weight L --network NO --description "Query systemd version and options" --progress Register --test-no PLGN-3802 --preqs-met ${PREQS_MET} --weight L --network NO --description "Query systemd version and options" --progress
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
FIND=`${SYSTEMCTLBINARY} --version 2> /dev/null | ${AWKBINARY} '{ if ($1=="systemd") { print $2 } }' | grep "^[1-9][0-9][0-9]$" | head -1` FIND=$(${SYSTEMCTLBINARY} --version 2> /dev/null | ${AWKBINARY} '{ if ($1=="systemd") { print $2 } }' | grep "^[1-9][0-9][0-9]$" | head -1)
if [ ! "${FIND}" = "" ]; then if [ ! "${FIND}" = "" ]; then
SYSTEMD_VERSION=${FIND} SYSTEMD_VERSION=${FIND}
Report "systemd_version=${FIND}" Report "systemd_version=${FIND}"
LogText "Result: found systemd version ${FIND}" LogText "Result: found systemd version ${FIND}"
fi fi
FIND=`${SYSTEMCTLBINARY} --version 2> /dev/null | grep "^[-+]" | sed 's/[[:space:]]/,/g' | head -1` FIND=$(${SYSTEMCTLBINARY} --version 2> /dev/null | grep "^[-+]" | sed 's/[[:space:]]/,/g' | head -1)
if [ ! "${FIND}" = "" ]; then if [ ! "${FIND}" = "" ]; then
Report "systemd_builtin_components=${FIND}" Report "systemd_builtin_components=${FIND}"
LogText "Result: found builtin components list" LogText "Result: found builtin components list"
@ -77,7 +77,7 @@
if [ ! "${SYSTEMCTLBINARY}" = "" -a ${SYSTEMD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if [ ! "${SYSTEMCTLBINARY}" = "" -a ${SYSTEMD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PLGN-3804 --preqs-met ${PREQS_MET} --weight L --network NO --description "Gather systemd unit files and their status" --progress Register --test-no PLGN-3804 --preqs-met ${PREQS_MET} --weight L --network NO --description "Gather systemd unit files and their status" --progress
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
FIND=`${SYSTEMCTLBINARY} --no-legend list-unit-files 2> /dev/null | ${AWKBINARY} '{ print $1"|"$2"|" }'` FIND=$(${SYSTEMCTLBINARY} --no-legend list-unit-files 2> /dev/null | ${AWKBINARY} '{ print $1"|"$2"|" }')
if [ ! "${FIND}" = "" ]; then if [ ! "${FIND}" = "" ]; then
LogText "Result: found systemd unit files via systemctl list-unit-files" LogText "Result: found systemd unit files via systemctl list-unit-files"
for I in ${FIND}; do for I in ${FIND}; do
@ -94,7 +94,7 @@
if [ ! "${SYSTEMCTLBINARY}" = "" -a ${SYSTEMD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if [ ! "${SYSTEMCTLBINARY}" = "" -a ${SYSTEMD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PLGN-3806 --preqs-met ${PREQS_MET} --weight L --network NO --description "Gather failed systemd units" --progress Register --test-no PLGN-3806 --preqs-met ${PREQS_MET} --weight L --network NO --description "Gather failed systemd units" --progress
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
FIND=`${SYSTEMCTLBINARY} --no-legend --state=failed 2> /dev/null | ${AWKBINARY} '{ if ($4=="failed" && $5=="failed") { print $2 } }'` FIND=$(${SYSTEMCTLBINARY} --no-legend --state=failed 2> /dev/null | ${AWKBINARY} '{ if ($4=="failed" && $5=="failed") { print $2 } }')
if [ ! "${FIND}" = "" ]; then if [ ! "${FIND}" = "" ]; then
LogText "Result: found systemd unit files via systemctl list-unit-files" LogText "Result: found systemd unit files via systemctl list-unit-files"
for I in ${FIND}; do for I in ${FIND}; do
@ -111,7 +111,7 @@
if [ -f /etc/machine-id -a ${SYSTEMD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if [ -f /etc/machine-id -a ${SYSTEMD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PLGN-3808 --preqs-met ${PREQS_MET} --weight L --network NO --description "Gather systemd machine ID" --progress Register --test-no PLGN-3808 --preqs-met ${PREQS_MET} --weight L --network NO --description "Gather systemd machine ID" --progress
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
FIND=`cat /etc/machine-id | head -1` FIND=$(cat /etc/machine-id | head -1)
if [ ! "${FIND}" = "" ]; then if [ ! "${FIND}" = "" ]; then
SYSTEMD_MACHINEID="${FIND}" SYSTEMD_MACHINEID="${FIND}"
LogText "Result: found machine ID: ${SYSTEMD_MACHINEID}" LogText "Result: found machine ID: ${SYSTEMD_MACHINEID}"
@ -125,7 +125,7 @@
if [ ! "${FINDBINARY}" = "" -a -d /usr/lib/systemd -a ${SYSTEMD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if [ ! "${FINDBINARY}" = "" -a -d /usr/lib/systemd -a ${SYSTEMD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PLGN-3810 --preqs-met ${PREQS_MET} --weight L --network NO --description "Query main systemd binaries" --progress Register --test-no PLGN-3810 --preqs-met ${PREQS_MET} --weight L --network NO --description "Query main systemd binaries" --progress
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
FIND=`find /usr/lib/systemd -maxdepth 1 -type f -name "systemd-*" -printf "%f|"` FIND=$(find /usr/lib/systemd -maxdepth 1 -type f -name "systemd-*" -printf "%f|")
if [ ! "${FIND}" = "" ]; then if [ ! "${FIND}" = "" ]; then
Report "systemd_binaries=${FIND}" Report "systemd_binaries=${FIND}"
LogText "Result: found systemd binaries in /usr/lib/systemd" LogText "Result: found systemd binaries in /usr/lib/systemd"
@ -141,10 +141,10 @@
if [ ! "${JOURNALCTLBINARY}" = "" -a ${SYSTEMD_RUNNING} -eq 1 -a ${SYSTEMD_VERSION} -ge 209 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if [ ! "${JOURNALCTLBINARY}" = "" -a ${SYSTEMD_RUNNING} -eq 1 -a ${SYSTEMD_VERSION} -ge 209 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PLGN-3812 --preqs-met ${PREQS_MET} --weight L --network NO --description "Query journal for boot related information" --progress Register --test-no PLGN-3812 --preqs-met ${PREQS_MET} --weight L --network NO --description "Query journal for boot related information" --progress
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
FIND=`${JOURNALCTLBINARY} --list-boots | wc -l` FIND=$(${JOURNALCTLBINARY} --list-boots | wc -l)
LogText "Output: number of boots listed in journal is ${FIND}" LogText "Output: number of boots listed in journal is ${FIND}"
if [ ! "${FIND}" = "" ]; then Report "journal_bootlogs=${FIND}"; fi if [ ! "${FIND}" = "" ]; then Report "journal_bootlogs=${FIND}"; fi
FIND=`${JOURNALCTLBINARY} --list-boots | head -1 | awk '{ print $4 }'` FIND=$(${JOURNALCTLBINARY} --list-boots | head -1 | awk '{ print $4 }')
LogText "Output: oldest boot date in journal is ${FIND}" LogText "Output: oldest boot date in journal is ${FIND}"
if [ ! "${FIND}" = "" ]; then Report "journal_oldest_bootdate=${FIND}"; fi if [ ! "${FIND}" = "" ]; then Report "journal_oldest_bootdate=${FIND}"; fi
fi fi
@ -156,11 +156,11 @@
if [ ! "${JOURNALCTLBINARY}" = "" -a ${SYSTEMD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if [ ! "${JOURNALCTLBINARY}" = "" -a ${SYSTEMD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PLGN-3814 --preqs-met ${PREQS_MET} --weight L --network NO --description "Verify journal integrity" --progress Register --test-no PLGN-3814 --preqs-met ${PREQS_MET} --weight L --network NO --description "Verify journal integrity" --progress
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
FIND=`${JOURNALCTLBINARY} --verify 2>&1 | grep FAIL | sed 's/[[:space:]]/:space:/g'` FIND=$(${JOURNALCTLBINARY} --verify 2>&1 | grep FAIL | sed 's/[[:space:]]/:space:/g')
if [ ! "${FIND}" = "" ]; then if [ ! "${FIND}" = "" ]; then
Report "journal_contains_errors=1" Report "journal_contains_errors=1"
for I in ${FIND}; do for I in ${FIND}; do
LINE=`echo ${I} | sed 's/:space:/ /g'` LINE=$(echo ${I} | sed 's/:space:/ /g')
LogText "Output (fails): ${LINE}" LogText "Output (fails): ${LINE}"
done done
else else
@ -176,7 +176,7 @@
if [ ! "${JOURNALCTLBINARY}" = "" -a ${SYSTEMD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if [ ! "${JOURNALCTLBINARY}" = "" -a ${SYSTEMD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PLGN-3816 --preqs-met ${PREQS_MET} --weight L --network NO --description "Query journal for boot related information" --progress Register --test-no PLGN-3816 --preqs-met ${PREQS_MET} --weight L --network NO --description "Query journal for boot related information" --progress
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
FIND=`${JOURNALCTLBINARY} --disk-usage | awk '{ if ($1=="Journals") { print $4 }}'` FIND=$(${JOURNALCTLBINARY} --disk-usage | awk '{ if ($1=="Journals") { print $4 }}')
Report "journal_disk_size=${FIND}" Report "journal_disk_size=${FIND}"
LogText "Result: journals are ${FIND} in size" LogText "Result: journals are ${FIND} in size"
fi fi
@ -188,7 +188,7 @@
if [ ! "${JOURNALCTLBINARY}" = "" -a ${SYSTEMD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if [ ! "${JOURNALCTLBINARY}" = "" -a ${SYSTEMD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PLGN-3818 --preqs-met ${PREQS_MET} --weight L --network NO --description "Query journal meta data" --progress Register --test-no PLGN-3818 --preqs-met ${PREQS_MET} --weight L --network NO --description "Query journal meta data" --progress
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
FIND=`${JOURNALCTLBINARY} --header | sed 's/^$/|/g' | tr '\n' ',' | sed 's/[[:space:]]//g'` FIND=$(${JOURNALCTLBINARY} --header | sed 's/^$/|/g' | tr '\n' ',' | sed 's/[[:space:]]//g')
Report "journal_meta_data=${FIND}" Report "journal_meta_data=${FIND}"
fi fi
# #
@ -214,7 +214,7 @@
if [ ! "${SYSTEMCTLBINARY}" = "" -a ${SYSTEMD_RUNNING} -eq 1 -a ${SYSTEMD_VERSION} -ge 215 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if [ ! "${SYSTEMCTLBINARY}" = "" -a ${SYSTEMD_RUNNING} -eq 1 -a ${SYSTEMD_VERSION} -ge 215 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PLGN-3830 --preqs-met ${PREQS_MET} --weight L --network NO --description "Query systemd status" --progress Register --test-no PLGN-3830 --preqs-met ${PREQS_MET} --weight L --network NO --description "Query systemd status" --progress
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
FIND=`${SYSTEMCTLBINARY} is-system-running 2> /dev/null | head -1` FIND=$(${SYSTEMCTLBINARY} is-system-running 2> /dev/null | head -1)
if [ ! "${FIND}" = "" ]; then if [ ! "${FIND}" = "" ]; then
Report "systemd_status=${FIND}" Report "systemd_status=${FIND}"
LogText "Result: found systemd status = ${FIND}" LogText "Result: found systemd status = ${FIND}"
@ -228,7 +228,7 @@
if [ ! "${SYSTEMCTLBINARY}" = "" -a ${SYSTEMD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if [ ! "${SYSTEMCTLBINARY}" = "" -a ${SYSTEMD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PLGN-3832 --preqs-met ${PREQS_MET} --weight L --network NO --description "Query systemd status for processes which can not be found" --progress Register --test-no PLGN-3832 --preqs-met ${PREQS_MET} --weight L --network NO --description "Query systemd status for processes which can not be found" --progress
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
FIND=`${SYSTEMCTLBINARY} --no-legend --all --state=not-found 2> /dev/null | awk '{ print $1 }'` FIND=$(${SYSTEMCTLBINARY} --no-legend --all --state=not-found 2> /dev/null | awk '{ print $1 }')
if [ ! "${FIND}" = "" ]; then if [ ! "${FIND}" = "" ]; then
for I in ${FIND}; do for I in ${FIND}; do
Report "systemd_unit_not_found[]=${I}" Report "systemd_unit_not_found[]=${I}"
@ -243,7 +243,7 @@
if [ ! "${SYSTEMCTLBINARY}" = "" -a ! "${AWKBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if [ ! "${SYSTEMCTLBINARY}" = "" -a ! "${AWKBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PLGN-3834 --preqs-met ${PREQS_MET} --weight L --network NO --description "Collect service units which can not be found in systemd" --progress Register --test-no PLGN-3834 --preqs-met ${PREQS_MET} --weight L --network NO --description "Collect service units which can not be found in systemd" --progress
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
FIND=`${SYSTEMCTLBINARY} list-units -t service --all | ${AWKBINARY} '{ if ($3=="not-found") { print $2 }}'` FIND=$(${SYSTEMCTLBINARY} list-units -t service --all | ${AWKBINARY} '{ if ($3=="not-found") { print $2 }}')
if [ ! "${FIND}" = "" ]; then if [ ! "${FIND}" = "" ]; then
LogText "Result: found one or more services with faulty state" LogText "Result: found one or more services with faulty state"
for I in ${FIND}; do for I in ${FIND}; do
@ -261,7 +261,7 @@
Register --test-no PLGN-3856 --preqs-met ${PREQS_MET} --weight L --network NO --description "Query coredumps from journals since Yesterday" --progress Register --test-no PLGN-3856 --preqs-met ${PREQS_MET} --weight L --network NO --description "Query coredumps from journals since Yesterday" --progress
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
SYSTEMD_COREDUMP_USED=1 SYSTEMD_COREDUMP_USED=1
FIND=`cat /proc/sys/kernel/core_pattern | grep systemd-coredump` FIND=$(cat /proc/sys/kernel/core_pattern | grep systemd-coredump)
if [ ! "${FIND}" = "" ]; then if [ ! "${FIND}" = "" ]; then
LogText "Result: systemd uses systemd-coredump to handle coredumps" LogText "Result: systemd uses systemd-coredump to handle coredumps"
Report "systemd_coredump_used=1" Report "systemd_coredump_used=1"
@ -281,7 +281,7 @@
if [ ! "${JOURNALCTLBINARY}" = "" -a ${SYSTEMD_COREDUMP_USED} -eq 1 -a ${SYSTEMD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if [ ! "${JOURNALCTLBINARY}" = "" -a ${SYSTEMD_COREDUMP_USED} -eq 1 -a ${SYSTEMD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PLGN-3860 --preqs-met ${PREQS_MET} --weight L --network NO --description "Query coredumps from journals since Yesterday" --progress Register --test-no PLGN-3860 --preqs-met ${PREQS_MET} --weight L --network NO --description "Query coredumps from journals since Yesterday" --progress
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
FIND=`${JOURNALCTLBINARY} SYSLOG_IDENTIFIER=systemd-coredump --since=yesterday -o cat 2> /dev/null` FIND=$(${JOURNALCTLBINARY} SYSLOG_IDENTIFIER=systemd-coredump --since=yesterday -o cat 2> /dev/null)
if [ ! "${FIND}" = "" ]; then if [ ! "${FIND}" = "" ]; then
Report "journal_coredumps_lastday=1" Report "journal_coredumps_lastday=1"
LogText "Result: found recent coredumps" LogText "Result: found recent coredumps"