Code cleanup and small enhancements

mboelen 2014-09-15 12:01:09 +02:00
parent 35d32fb5e4
commit c9fde8c2d1
37 changed files with 922 additions and 923 deletions


@ -30,11 +30,11 @@
Register --test-no ACCT-2754 --os FreeBSD --weight L --network NO --description "Check for available FreeBSD accounting information" Register --test-no ACCT-2754 --os FreeBSD --weight L --network NO --description "Check for available FreeBSD accounting information"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
if [ -f /var/account/acct ]; then if [ -f /var/account/acct ]; then
Display --indent 2 --text "- Checking accounting information..." --result OK --color GREEN Display --indent 2 --text "- Checking accounting information" --result OK --color GREEN
logtext "Result: /var/account/acct available" logtext "Result: /var/account/acct available"
AddHP 3 3 AddHP 3 3
else else
Display --indent 2 --text "- Checking accounting information..." --result "NOT FOUND" --color YELLOW Display --indent 2 --text "- Checking accounting information" --result "NOT FOUND" --color YELLOW
logtext "Result: No accounting information available" logtext "Result: No accounting information available"
logtext "Remark: Possibly there is another location where the accounting data is stored" logtext "Remark: Possibly there is another location where the accounting data is stored"
ReportSuggestion ${TEST_NO} "Enable process accounting" ReportSuggestion ${TEST_NO} "Enable process accounting"
@ -51,19 +51,19 @@
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Check accounting information" logtext "Test: Check accounting information"
if [ -f /var/account/pacct ]; then if [ -f /var/account/pacct ]; then
Display --indent 2 --text "- Checking accounting information..." --result OK --color GREEN Display --indent 2 --text "- Checking accounting information" --result OK --color GREEN
logtext "Result: /var/account/pacct available" logtext "Result: /var/account/pacct available"
AddHP 3 3 AddHP 3 3
elif [ -f /var/log/account/pacct ]; then elif [ -f /var/log/account/pacct ]; then
Display --indent 2 --text "- Checking accounting information..." --result OK --color GREEN Display --indent 2 --text "- Checking accounting information" --result OK --color GREEN
logtext "Result: /var/log/account/pacct available" logtext "Result: /var/log/account/pacct available"
AddHP 3 3 AddHP 3 3
elif [ -f /var/log/pacct ]; then elif [ -f /var/log/pacct ]; then
Display --indent 2 --text "- Checking accounting information..." --result OK --color GREEN Display --indent 2 --text "- Checking accounting information" --result OK --color GREEN
logtext "Result: /var/log/pacct available" logtext "Result: /var/log/pacct available"
AddHP 3 3 AddHP 3 3
else else
Display --indent 2 --text "- Checking accounting information... " --result "NOT FOUND" --color YELLOW Display --indent 2 --text "- Checking accounting information" --result "NOT FOUND" --color YELLOW
logtext "Result: No accounting information available (/var/account/pacct does not exist)" logtext "Result: No accounting information available (/var/account/pacct does not exist)"
logtext "Remark: Possibly there is another location where the accounting data is stored" logtext "Remark: Possibly there is another location where the accounting data is stored"
ReportSuggestion ${TEST_NO} "Enable process accounting" ReportSuggestion ${TEST_NO} "Enable process accounting"
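Review bot: The not-found branch of the second accounting test (hunk at -51,19) logs `(/var/account/pacct does not exist)` although the test checks three locations, so the log points the reader at only one of them. The message should name all the paths that were tried, for example `logtext "Result: No accounting information available (checked /var/account/pacct, /var/log/account/pacct, /var/log/pacct)"`. The enclosing if-block is closed outside the hunk.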


@ -37,7 +37,7 @@
logtext "Test: Searching accounts with UID 0" logtext "Test: Searching accounts with UID 0"
FIND=`grep ':0:' /etc/passwd | egrep -v '^#|^root:|^:0:0:::' | cut -d ":" -f1,3 | grep ':0'` FIND=`grep ':0:' /etc/passwd | egrep -v '^#|^root:|^:0:0:::' | cut -d ":" -f1,3 | grep ':0'`
if [ ! "${FIND}" = "" ]; then if [ ! "${FIND}" = "" ]; then
Display --indent 2 --text "- Search administrator accounts..." --result WARNING --color RED Display --indent 2 --text "- Search administrator accounts" --result WARNING --color RED
logtext "Result: Found more than one administrator accounts" logtext "Result: Found more than one administrator accounts"
ReportWarning "${TEST_NO}" "H" "Multiple users with UID 0 found in passwd file" ReportWarning "${TEST_NO}" "H" "Multiple users with UID 0 found in passwd file"
for I in ${FIND}; do for I in ${FIND}; do
@ -49,7 +49,7 @@
fi fi
done done
else else
Display --indent 2 --text "- Search administrator accounts..." --result OK --color GREEN Display --indent 2 --text "- Search administrator accounts" --result OK --color GREEN
logtext "Result: No accounts found with UID 0 other than root." logtext "Result: No accounts found with UID 0 other than root."
fi fi
fi fi
@ -72,16 +72,16 @@
if [ -f ${PASSWD_FILE} ]; then if [ -f ${PASSWD_FILE} ]; then
FIND=`cat ${PASSWD_FILE} | grep -v '^#' | cut -d ':' -f3 | uniq -d` FIND=`cat ${PASSWD_FILE} | grep -v '^#' | cut -d ':' -f3 | uniq -d`
if [ "${FIND}" = "" ]; then if [ "${FIND}" = "" ]; then
Display --indent 2 --text "- Checking for non-unique UIDs... " --result OK --color GREEN Display --indent 2 --text "- Checking for non-unique UIDs" --result OK --color GREEN
logtext "Result: all accounts found in ${PASSWD_FILE} are unique" logtext "Result: all accounts found in ${PASSWD_FILE} are unique"
else else
Display --indent 2 --text "- Checking for non-unique UIDs... " --result WARNING --color RED Display --indent 2 --text "- Checking for non-unique UIDs" --result WARNING --color RED
logtext "Result: found multiple accounts with same UID" logtext "Result: found multiple accounts with same UID"
logtext "Output (non-unique UIDs): ${FIND}" logtext "Output (non-unique UIDs): ${FIND}"
ReportWarning ${TEST_NO} "Multiple accounts found with same UID" ReportWarning ${TEST_NO} "Multiple accounts found with same UID"
fi fi
else else
Display --indent 2 --text "- Checking UIDs... " --result SKIPPED --color WHITE Display --indent 2 --text "- Checking UIDs" --result SKIPPED --color WHITE
logtext "Result: test skipped, ${PASSWD_FILE} file not available" logtext "Result: test skipped, ${PASSWD_FILE} file not available"
fi fi
logtext "Remarks: ${USER_PASSWD_DOUBLEUID_AUDIT_TEXT}" logtext "Remarks: ${USER_PASSWD_DOUBLEUID_AUDIT_TEXT}"
@ -94,15 +94,15 @@
if [ -f /usr/sbin/chkgrp ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if [ -f /usr/sbin/chkgrp ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no AUTH-9212 --preqs-met ${PREQS_MET} --weight L --network NO --description "Test group file" Register --test-no AUTH-9212 --preqs-met ${PREQS_MET} --weight L --network NO --description "Test group file"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
Display --indent 2 --text "- Checking chkgrp tool..." --result FOUND --color GREEN Display --indent 2 --text "- Checking chkgrp tool" --result FOUND --color GREEN
logtext "Result: /usr/sbin/chkgrp binary found. Using this to perform next test(s)." logtext "Result: /usr/sbin/chkgrp binary found. Using this to perform next test(s)."
logtext "Test: Testing consistency of /etc/group file... " logtext "Test: Testing consistency of /etc/group file"
FIND=`/usr/sbin/chkgrp | grep -v 'is fine'` FIND=`/usr/sbin/chkgrp | grep -v 'is fine'`
if [ "${FIND}" = "" ]; then if [ "${FIND}" = "" ]; then
Display --indent 4 --text "- Checking consistency of /etc/group file..." --result OK --color GREEN Display --indent 4 --text "- Checking consistency of /etc/group file" --result OK --color GREEN
logtext "Result: chkgrp test performed, Group file seems to be ok." logtext "Result: chkgrp test performed, Group file seems to be ok."
else else
Display --indent 4 --text "- Checking consistency of /etc/group file..." --result WARNING --color RED Display --indent 4 --text "- Checking consistency of /etc/group file" --result WARNING --color RED
logtext "Result: chkgrp found some errors. Run the tool manually to see details." logtext "Result: chkgrp found some errors. Run the tool manually to see details."
logtext "chkgrp output: ${FIND}" logtext "chkgrp output: ${FIND}"
ReportWarning ${TEST_NO} "M" "chkgrp reported inconsistencies in /etc/group file" ReportWarning ${TEST_NO} "M" "chkgrp reported inconsistencies in /etc/group file"
@ -118,7 +118,7 @@
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
# Test : run grpck to test group files (most likely /etc/group and shadow group files) # Test : run grpck to test group files (most likely /etc/group and shadow group files)
# Expected result : 0 (exit code) # Expected result : 0 (exit code)
logtext "Test: Checking for grpck binary..." logtext "Test: Checking for grpck binary"
if [ "${OS}" = "Linux" ]; then if [ "${OS}" = "Linux" ]; then
# Read only mode # Read only mode
@ -136,10 +136,10 @@
# Check exit-code # Check exit-code
if [ "${FIND}" = "0" ]; then if [ "${FIND}" = "0" ]; then
Display --indent 2 --text "- Checking consistency of group files (grpck)..." --result OK --color GREEN Display --indent 2 --text "- Checking consistency of group files (grpck)" --result OK --color GREEN
logtext "Result: grpck binary didn't find any errors in the group files" logtext "Result: grpck binary didn't find any errors in the group files"
else else
Display --indent 2 --text "- Checking consistency of group files (grpck)..." --result WARNING --color RED Display --indent 2 --text "- Checking consistency of group files (grpck)" --result WARNING --color RED
ReportWarning ${TEST_NO} "M" "grpck binary found errors in one or more group files" ReportWarning ${TEST_NO} "M" "grpck binary found errors in one or more group files"
ReportSuggestion ${TEST_NO} "Run grpck manually and check your group files" ReportSuggestion ${TEST_NO} "Run grpck manually and check your group files"
fi fi
@ -158,9 +158,9 @@
# Check for all shells, except: (/usr)/sbin/nologin /nonexistent # Check for all shells, except: (/usr)/sbin/nologin /nonexistent
FIND=`cat /etc/master.passwd | grep "[a-z]:\*:" | egrep -v '^#|/sbin/nologin|/usr/sbin/nologin|/nonexistent' | sed 's/ /!space!/g'` FIND=`cat /etc/master.passwd | grep "[a-z]:\*:" | egrep -v '^#|/sbin/nologin|/usr/sbin/nologin|/nonexistent' | sed 's/ /!space!/g'`
if [ "${FIND}" = "" ]; then if [ "${FIND}" = "" ]; then
Display --indent 2 --text "- Checking login shells..." --result OK --color GREEN Display --indent 2 --text "- Checking login shells" --result OK --color GREEN
else else
Display --indent 2 --text "- Checking login shells..." --result WARNING --color RED Display --indent 2 --text "- Checking login shells" --result WARNING --color RED
for I in ${FIND}; do for I in ${FIND}; do
I=`echo ${I} | sed 's/!space!/ /g'` I=`echo ${I} | sed 's/!space!/ /g'`
J=`echo ${I} | awk -F: '{ print $10 }'` J=`echo ${I} | awk -F: '{ print $10 }'`
@ -183,7 +183,7 @@
fi fi
fi fi
else else
Display --indent 2 --text "- Checking login shells..." --result SKIPPED --color WHITE Display --indent 2 --text "- Checking login shells" --result SKIPPED --color WHITE
logtext "Result: No /etc/master.passwd file found" logtext "Result: No /etc/master.passwd file found"
fi fi
fi fi
@ -197,10 +197,10 @@
logtext "Test: Checking for non unique group ID's in /etc/group" logtext "Test: Checking for non unique group ID's in /etc/group"
FIND=`cat /etc/group | grep -v '^#' | grep -v '^$' | awk -F: '{ print $3 }' | sort | uniq -d` FIND=`cat /etc/group | grep -v '^#' | grep -v '^$' | awk -F: '{ print $3 }' | sort | uniq -d`
if [ "${FIND}" = "" ]; then if [ "${FIND}" = "" ]; then
Display --indent 2 --text "- Checking non unique group ID's..." --result OK --color GREEN Display --indent 2 --text "- Checking non unique group ID's" --result OK --color GREEN
logtext "Result: All group ID's are unique" logtext "Result: All group ID's are unique"
else else
Display --indent 2 --text "- Checking non unique group ID's..." --result WARNING --color RED Display --indent 2 --text "- Checking non unique group ID's" --result WARNING --color RED
logtext "Result: Found the same group ID multiple times" logtext "Result: Found the same group ID multiple times"
logtext "Output: ${FIND}" logtext "Output: ${FIND}"
ReportWarning ${TEST_NO} "H" "Found multiple groups with same group ID" ReportWarning ${TEST_NO} "H" "Found multiple groups with same group ID"
@ -218,10 +218,10 @@
logtext "Test: Checking for non unique group names in /etc/group" logtext "Test: Checking for non unique group names in /etc/group"
FIND=`cat /etc/group | grep -v '^#' | grep -v '^$' | awk -F: '{ print $1 }' | sort | uniq -d` FIND=`cat /etc/group | grep -v '^#' | grep -v '^$' | awk -F: '{ print $1 }' | sort | uniq -d`
if [ "${FIND}" = "" ]; then if [ "${FIND}" = "" ]; then
Display --indent 2 --text "- Checking non unique group names..." --result OK --color GREEN Display --indent 2 --text "- Checking non unique group names" --result OK --color GREEN
logtext "Result: All group names are unique" logtext "Result: All group names are unique"
else else
Display --indent 2 --text "- Checking non unique group names..." --result WARNING --color WARNING Display --indent 2 --text "- Checking non unique group names" --result WARNING --color WARNING
logtext "Result: Found the same group name multiple times" logtext "Result: Found the same group name multiple times"
logtext "Output: ${FIND}" logtext "Output: ${FIND}"
ReportWarning ${TEST_NO} "M" "Found inconsistencies in group file (multiple occurences of a single group)" ReportWarning ${TEST_NO} "M" "Found inconsistencies in group file (multiple occurences of a single group)"
@ -239,10 +239,10 @@
logtext "Test: Checking password file consistency (pwck)" logtext "Test: Checking password file consistency (pwck)"
FIND=`/usr/sbin/pwck -q -r 2> /dev/null; echo $?` FIND=`/usr/sbin/pwck -q -r 2> /dev/null; echo $?`
if [ "${FIND}" = "0" ]; then if [ "${FIND}" = "0" ]; then
Display --indent 2 --text "- Checking password file consistency..." --result OK --color GREEN Display --indent 2 --text "- Checking password file consistency" --result OK --color GREEN
logtext "Result: pwck check didn't find any problems" logtext "Result: pwck check didn't find any problems"
else else
Display --indent 2 --text "- Checking password file consistency..." --result WARNING --color RED Display --indent 2 --text "- Checking password file consistency" --result WARNING --color RED
logtext "Result: pwck found one or more errors/warnings in the password file." logtext "Result: pwck found one or more errors/warnings in the password file."
ReportWarning ${TEST_NO} "M" "pwck found one or more errors/warnings in the password file" ReportWarning ${TEST_NO} "M" "pwck found one or more errors/warnings in the password file"
ReportSuggestion ${TEST_NO} "Run pwck manually and correct found issues." ReportSuggestion ${TEST_NO} "Run pwck manually and correct found issues."
@ -260,10 +260,10 @@
# logtext "Test: Checking password file consistency (usrck)" # logtext "Test: Checking password file consistency (usrck)"
# FIND=`/usr/bin/usrck -n ALL 2>; echo $?` # FIND=`/usr/bin/usrck -n ALL 2>; echo $?`
# if [ "${FIND}" = "0" ]; then # if [ "${FIND}" = "0" ]; then
# Display --indent 2 --text "- Checking password file consistency..." --result OK --color GREEN # Display --indent 2 --text "- Checking password file consistency" --result OK --color GREEN
# logtext "Result: usrck finished didn't find problems" # logtext "Result: usrck finished didn't find problems"
# else # else
# Display --indent 2 --text "- Checking password file consistency..." --result WARNING --color RED # Display --indent 2 --text "- Checking password file consistency" --result WARNING --color RED
# logtext "Result: usrck found one or more errors/warnings in the password file." # logtext "Result: usrck found one or more errors/warnings in the password file."
# ReportWarning ${TEST_NO} "M" "usrck found one or more errors/warnings in the password file" # ReportWarning ${TEST_NO} "M" "usrck found one or more errors/warnings in the password file"
# ReportSuggestion ${TEST_NO} "Run usrck manually and correct found issues." # ReportSuggestion ${TEST_NO} "Run usrck manually and correct found issues."
@ -280,10 +280,10 @@
logtext "Test: Checking password file consistency (pwck)" logtext "Test: Checking password file consistency (pwck)"
FIND=`/usr/sbin/pwck 2> /dev/null; echo $?` FIND=`/usr/sbin/pwck 2> /dev/null; echo $?`
if [ "${FIND}" = "0" ]; then if [ "${FIND}" = "0" ]; then
Display --indent 2 --text "- Checking password file consistency..." --result OK --color GREEN Display --indent 2 --text "- Checking password file consistency" --result OK --color GREEN
logtext "Result: pwck finished didn't find problems" logtext "Result: pwck finished didn't find problems"
else else
Display --indent 2 --text "- Checking password file consistency..." --result WARNING --color RED Display --indent 2 --text "- Checking password file consistency" --result WARNING --color RED
logtext "Result: pwck found one or more errors/warnings in the password file." logtext "Result: pwck found one or more errors/warnings in the password file."
ReportWarning ${TEST_NO} "M" "pwck found one or more errors/warnings in the password file" ReportWarning ${TEST_NO} "M" "pwck found one or more errors/warnings in the password file"
ReportSuggestion ${TEST_NO} "Run pwck manually and correct found issues." ReportSuggestion ${TEST_NO} "Run pwck manually and correct found issues."
@ -301,10 +301,10 @@
# logtext "Test: Checking password file consistency (pwck)" # logtext "Test: Checking password file consistency (pwck)"
# FIND=`/usr/sbin/pwck 2> /dev/null; echo $?` # FIND=`/usr/sbin/pwck 2> /dev/null; echo $?`
# if [ "${FIND}" = "0" ]; then # if [ "${FIND}" = "0" ]; then
# Display --indent 2 --text "- Checking password file consistency..." --result OK --color GREEN # Display --indent 2 --text "- Checking password file consistency" --result OK --color GREEN
# logtext "Result: pwck finished didn't find problems" # logtext "Result: pwck finished didn't find problems"
# else # else
# Display --indent 2 --text "- Checking password file consistency..." --result WARNING --color RED # Display --indent 2 --text "- Checking password file consistency" --result WARNING --color RED
# logtext "Result: pwck found one or more errors/warnings in the password file." # logtext "Result: pwck found one or more errors/warnings in the password file."
# ReportWarning ${TEST_NO} "M" "pwck found one or more errors/warnings in the password file" # ReportWarning ${TEST_NO} "M" "pwck found one or more errors/warnings in the password file"
# ReportSuggestion ${TEST_NO} "Run pwck manually and correct found issues." # ReportSuggestion ${TEST_NO} "Run pwck manually and correct found issues."
@ -321,10 +321,10 @@
# logtext "Test: Checking group file consistency (grpck)" # logtext "Test: Checking group file consistency (grpck)"
# FIND=`/usr/sbin/grpck 2> /dev/null; echo $?` # FIND=`/usr/sbin/grpck 2> /dev/null; echo $?`
# if [ "${FIND}" = "0" ]; then # if [ "${FIND}" = "0" ]; then
# Display --indent 2 --text "- Checking group file consistency..." --result OK --color GREEN # Display --indent 2 --text "- Checking group file consistency" --result OK --color GREEN
# logtext "Result: grpck finished didn't find problems" # logtext "Result: grpck finished didn't find problems"
# else # else
# Display --indent 2 --text "- Checking group file consistency..." --result WARNING --color RED # Display --indent 2 --text "- Checking group file consistency" --result WARNING --color RED
# logtext "Result: grpck found one or more errors/warnings in the group file." # logtext "Result: grpck found one or more errors/warnings in the group file."
# ReportWarning ${TEST_NO} "M" "grpck found one or more errors/warnings in the group file" # ReportWarning ${TEST_NO} "M" "grpck found one or more errors/warnings in the group file"
# ReportSuggestion ${TEST_NO} "Run grpck manually and correct found issues." # ReportSuggestion ${TEST_NO} "Run grpck manually and correct found issues."
@ -340,7 +340,7 @@
# OpenBSD/NetBSD: unknown # OpenBSD/NetBSD: unknown
Register --test-no AUTH-9234 --os Linux --weight L --network NO --description "Query user accounts" Register --test-no AUTH-9234 --os Linux --weight L --network NO --description "Query user accounts"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Read real system users (including root user) from /etc/passwd..." logtext "Test: Read real system users (including root user) from /etc/passwd"
FIND="" FIND=""
if [ "${OS}" = "FreeBSD" ]; then if [ "${OS}" = "FreeBSD" ]; then
@ -358,7 +358,7 @@
FIND=`awk -F: '($3 > 100 && $3 != 60001 && $3 != 65534) || ($3 == 0) { print $1","$3 }' /etc/passwd` FIND=`awk -F: '($3 > 100 && $3 != 60001 && $3 != 65534) || ($3 == 0) { print $1","$3 }' /etc/passwd`
fi fi
Display --indent 2 --text "- Query system users (non daemons)..." --result DONE --color GREEN Display --indent 2 --text "- Query system users (non daemons)" --result DONE --color GREEN
# Check if we got any output # Check if we got any output
if [ "${FIND}" = "" ]; then if [ "${FIND}" = "" ]; then
Display --indent 4 --text "Result: No users found/unknown result" Display --indent 4 --text "Result: No users found/unknown result"
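Review bot: The duplicate-UID test in the hunk at -72,16 feeds the UID column straight into `uniq -d` without sorting, so two accounts that share a UID are reported only when their passwd lines happen to be adjacent; the group-ID test later in this file already uses `sort | uniq -d`. The tail of that pipeline should read `cut -d ':' -f3 | sort | uniq -d`. In the same hunk, `ReportWarning ${TEST_NO} "Multiple accounts found with same UID"` passes no severity letter, unlike the other ReportWarning calls shown in this file, which looks like an omission (ReportWarning's definition is not visible here). The enclosing test block starts and ends outside the hunk.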


@ -19,7 +19,6 @@
################################################################################# #################################################################################
# #
InsertSection "Banners and identification" InsertSection "Banners and identification"
# Display --indent 2 --text "- Checking banners..."
# #
################################################################################# #################################################################################
# #
@ -67,15 +66,15 @@
logtext "Test: Testing existence /etc/motd" logtext "Test: Testing existence /etc/motd"
if [ -f /etc/motd ]; then if [ -f /etc/motd ]; then
logtext "Result: file /etc/motd exists" logtext "Result: file /etc/motd exists"
Display --indent 2 --text "- /etc/motd..." --result FOUND --color GREEN Display --indent 2 --text "- /etc/motd" --result FOUND --color GREEN
if [ ! -L /etc/motd ]; then if [ ! -L /etc/motd ]; then
IsWorldWritable /etc/motd IsWorldWritable /etc/motd
if [ "${FileIsWorldWritable}" = "TRUE" ]; then if [ "${FileIsWorldWritable}" = "TRUE" ]; then
Display --indent 4 --text "- /etc/motd permissions..." --result WARNING --color RED Display --indent 4 --text "- /etc/motd permissions" --result WARNING --color RED
logtext "Result: /etc/motd is world writable. Users can change this file!" logtext "Result: /etc/motd is world writable. Users can change this file!"
ReportWarning ${TEST_NO} "H" "/etc/motd is world writable" ReportWarning ${TEST_NO} "H" "/etc/motd is world writable"
else else
Display --indent 4 --text "- /etc/motd permissions..." --result OK --color GREEN Display --indent 4 --text "- /etc/motd permissions" --result OK --color GREEN
logtext "Result: /etc/motd is not world writable." logtext "Result: /etc/motd is not world writable."
fi fi
else else
@ -83,7 +82,7 @@
fi fi
else else
logtext "Result: File /etc/motd not found" logtext "Result: File /etc/motd not found"
Display --indent 2 --text "- /etc/motd..." --result "NOT FOUND" --color WHITE Display --indent 2 --text "- /etc/motd" --result "NOT FOUND" --color WHITE
fi fi
fi fi
# #
@ -107,11 +106,11 @@
# Check if we have 5 or more key words # Check if we have 5 or more key words
if [ ${N} -gt 4 ]; then if [ ${N} -gt 4 ]; then
logtext "Result: Found ${N} key words, to warn unauthorized users" logtext "Result: Found ${N} key words, to warn unauthorized users"
Display --indent 4 --text "- /etc/motd contents..." --result OK --color GREEN Display --indent 4 --text "- /etc/motd contents" --result OK --color GREEN
AddHP 2 2 AddHP 2 2
else else
logtext "Result: Found only ${N} key words, to warn unauthorized users and could be increased" logtext "Result: Found only ${N} key words, to warn unauthorized users and could be increased"
Display --indent 4 --text "- /etc/motd contents..." --result WEAK --color YELLOW Display --indent 4 --text "- /etc/motd contents" --result WEAK --color YELLOW
ReportSuggestion ${TEST_NO} "Add legal banner to /etc/motd, to warn unauthorized users" ReportSuggestion ${TEST_NO} "Add legal banner to /etc/motd, to warn unauthorized users"
AddHP 0 1 AddHP 0 1
fi fi
@ -125,17 +124,17 @@
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Checking file /etc/issue" logtext "Test: Checking file /etc/issue"
if [ -f /etc/issue ]; then if [ -f /etc/issue ]; then
# Check for symlink # Check for symlink
if [ -L /etc/issue ]; then if [ -L /etc/issue ]; then
logtext "Result: file /etc/issue exists (symlink)" logtext "Result: file /etc/issue exists (symlink)"
Display --indent 2 --text "- /etc/issue..." --result SYMLINK --color GREEN Display --indent 2 --text "- /etc/issue" --result SYMLINK --color GREEN
else else
Display --indent 2 --text "- /etc/issue..." --result FOUND --color GREEN Display --indent 2 --text "- /etc/issue" --result FOUND --color GREEN
fi fi
else else
logtext "Result: file /etc/issue does not exist" logtext "Result: file /etc/issue does not exist"
Display --indent 2 --text "- /etc/issue..." --result "NOT FOUND" --color WHITE Display --indent 2 --text "- /etc/issue" --result "NOT FOUND" --color WHITE
fi fi
fi fi
# #
################################################################################# #################################################################################
@ -158,11 +157,11 @@
# Check if we have 5 or more key words # Check if we have 5 or more key words
if [ ${N} -gt 4 ]; then if [ ${N} -gt 4 ]; then
logtext "Result: Found ${N} key words (5 or more suggested), to warn unauthorized users" logtext "Result: Found ${N} key words (5 or more suggested), to warn unauthorized users"
Display --indent 4 --text "- /etc/issue contents..." --result OK --color GREEN Display --indent 4 --text "- /etc/issue contents" --result OK --color GREEN
AddHP 2 2 AddHP 2 2
else else
logtext "Result: Found only ${N} key words (5 or more suggested), to warn unauthorized users and could be increased" logtext "Result: Found only ${N} key words (5 or more suggested), to warn unauthorized users and could be increased"
Display --indent 4 --text "- /etc/issue contents..." --result WEAK --color YELLOW Display --indent 4 --text "- /etc/issue contents" --result WEAK --color YELLOW
ReportSuggestion ${TEST_NO} "Add a legal banner to /etc/issue, to warn unauthorized users" ReportSuggestion ${TEST_NO} "Add a legal banner to /etc/issue, to warn unauthorized users"
AddHP 0 1 AddHP 0 1
fi fi
@ -176,18 +175,18 @@
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Checking file /etc/issue.net" logtext "Test: Checking file /etc/issue.net"
if [ -f /etc/issue.net ]; then if [ -f /etc/issue.net ]; then
# Check for symlink # Check for symlink
if [ -L /etc/issue.net ]; then if [ -L /etc/issue.net ]; then
logtext "Result: file /etc/issue.net exists (symlink)" logtext "Result: file /etc/issue.net exists (symlink)"
Display --indent 2 --text "- /etc/issue.net..." --result SYMLINK --color GREEN Display --indent 2 --text "- /etc/issue.net" --result SYMLINK --color GREEN
else else
logtext "Result: file /etc/issue.net exists" logtext "Result: file /etc/issue.net exists"
Display --indent 2 --text "- /etc/issue.net..." --result FOUND --color GREEN Display --indent 2 --text "- /etc/issue.net" --result FOUND --color GREEN
fi fi
else else
logtext "Result: file /etc/issue.net does not exist" logtext "Result: file /etc/issue.net does not exist"
Display --indent 2 --text "- /etc/issue.net..." --result "NOT FOUND" --color WHITE Display --indent 2 --text "- /etc/issue.net" --result "NOT FOUND" --color WHITE
fi fi
fi fi
# #
################################################################################# #################################################################################
@ -201,23 +200,23 @@
N=0 N=0
logtext "Test: Checking file /etc/issue.net contents for legal key words" logtext "Test: Checking file /etc/issue.net contents for legal key words"
for I in ${LEGAL_BANNER_STRINGS}; do for I in ${LEGAL_BANNER_STRINGS}; do
FIND=`grep -i "${I}" /etc/issue.net` FIND=`grep -i "${I}" /etc/issue.net`
if [ ! "${FIND}" = "" ]; then if [ ! "${FIND}" = "" ]; then
logtext "Result: found string '${I}'" logtext "Result: found string '${I}'"
N=`expr ${N} + 1` N=`expr ${N} + 1`
fi fi
done done
# Check if we have 5 or more key words # Check if we have 5 or more key words
if [ ${N} -gt 4 ]; then if [ ${N} -gt 4 ]; then
logtext "Result: Found ${N} key words, to warn unauthorized users" logtext "Result: Found ${N} key words, to warn unauthorized users"
Display --indent 4 --text "- /etc/issue.net contents..." --result OK --color GREEN Display --indent 4 --text "- /etc/issue.net contents" --result OK --color GREEN
AddHP 2 2 AddHP 2 2
else else
logtext "Result: Found only ${N} key words, to warn unauthorized users and could be increased" logtext "Result: Found only ${N} key words, to warn unauthorized users and could be increased"
Display --indent 4 --text "- /etc/issue.net contents..." --result WEAK --color YELLOW Display --indent 4 --text "- /etc/issue.net contents" --result WEAK --color YELLOW
ReportSuggestion ${TEST_NO} "Add legal banner to /etc/issue.net, to warn unauthorized users" ReportSuggestion ${TEST_NO} "Add legal banner to /etc/issue.net, to warn unauthorized users"
AddHP 0 1 AddHP 0 1
fi fi
fi fi
# #
################################################################################# #################################################################################
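Review bot: The /etc/issue and /etc/issue.net tests (hunks at -125,17 and -176,18) only record whether the file exists, while the /etc/motd test in the same file also calls `IsWorldWritable` and raises a warning; a world-writable pre-login banner deserves the same finding. In the non-symlink branch of each test, add `IsWorldWritable /etc/issue` followed by `if [ "${FileIsWorldWritable}" = "TRUE" ]; then ReportWarning ${TEST_NO} "H" "/etc/issue is world writable"; fi`, and the equivalent for /etc/issue.net. The non-symlink branch for /etc/issue also lacks the `logtext "Result: file /etc/issue exists"` line that the issue.net test writes. The Register lines for both tests sit outside the hunks.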


@ -32,11 +32,11 @@
Register --test-no BOOT-5121 --weight L --network NO --description "Check for GRUB boot loader presence" Register --test-no BOOT-5121 --weight L --network NO --description "Check for GRUB boot loader presence"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
FOUND=0 FOUND=0
logtext "Test: Checking for presence GRUB conf file (/boot/grub/grub.conf or /boot/grub/menu.lst)..." logtext "Test: Checking for presence GRUB conf file (/boot/grub/grub.conf or /boot/grub/menu.lst)"
if [ -f /boot/grub/grub.conf -o -f /boot/grub/menu.lst ]; then if [ -f /boot/grub/grub.conf -o -f /boot/grub/menu.lst ]; then
FOUND=1 FOUND=1
BOOT_LOADER="GRUB" BOOT_LOADER="GRUB"
Display --indent 4 --text "- Checking presence GRUB... " --result "OK" --color GREEN Display --indent 4 --text "- Checking presence GRUB" --result "OK" --color GREEN
if [ -f /boot/grub/grub.conf ]; then GRUBCONFFILE="/boot/grub/grub.conf"; else GRUBCONFFILE="/boot/grub/menu.lst"; fi if [ -f /boot/grub/grub.conf ]; then GRUBCONFFILE="/boot/grub/grub.conf"; else GRUBCONFFILE="/boot/grub/menu.lst"; fi
logtext "Found file ${GRUBCONFFILE}, proceeding with tests." logtext "Found file ${GRUBCONFFILE}, proceeding with tests."
FileIsReadable ${GRUBCONFFILE} FileIsReadable ${GRUBCONFFILE}
@ -44,7 +44,7 @@
FIND=`cat ${GRUBCONFFILE} | grep 'password --md5' | grep -v '^#'` FIND=`cat ${GRUBCONFFILE} | grep 'password --md5' | grep -v '^#'`
FIND2=`cat ${GRUBCONFFILE} | grep 'password --encrypted' | grep -v '^#'` FIND2=`cat ${GRUBCONFFILE} | grep 'password --encrypted' | grep -v '^#'`
if [ "${FIND}" = "" -a "${FIND2}" = "" ]; then if [ "${FIND}" = "" -a "${FIND2}" = "" ]; then
Display --indent 6 --text "- Checking for password protection..." --result WARNING --color RED Display --indent 6 --text "- Checking for password protection" --result WARNING --color RED
logtext "Result: Didn't find MD5/SHA1 hashed password line in GRUB boot file!" logtext "Result: Didn't find MD5/SHA1 hashed password line in GRUB boot file!"
logtext "Risk: user can switch to single user mode by editing current menu items or bypassing them." logtext "Risk: user can switch to single user mode by editing current menu items or bypassing them."
logtext "Additional information: Do NOT use a plaintext password, since the grub.conf or menu.lst file is most likely to be world readable!" logtext "Additional information: Do NOT use a plaintext password, since the grub.conf or menu.lst file is most likely to be world readable!"
@ -53,7 +53,7 @@
logtext "Tip: Run grub-crypt or grub-md5-crypt and create a hashed password. Add a line below the line timeout=<value>, add: password --md5 <password hash> or password --encrypted <password hash> for SHA1 encrypted password" logtext "Tip: Run grub-crypt or grub-md5-crypt and create a hashed password. Add a line below the line timeout=<value>, add: password --md5 <password hash> or password --encrypted <password hash> for SHA1 encrypted password"
AddHP 0 2 AddHP 0 2
else else
Display --indent 6 --text "- Checking for password protection..." --result OK --color GREEN Display --indent 6 --text "- Checking for password protection" --result OK --color GREEN
logtext "Result: GRUB has password protection." logtext "Result: GRUB has password protection."
AddHP 4 4 AddHP 4 4
fi fi
@ -66,7 +66,7 @@
if [ -f /boot/grub/grub.cfg ]; then if [ -f /boot/grub/grub.cfg ]; then
FOUND=1 FOUND=1
BOOT_LOADER="GRUB2" BOOT_LOADER="GRUB2"
Display --indent 4 --text "- Checking presence GRUB2... " --result FOUND --color GREEN Display --indent 4 --text "- Checking presence GRUB2" --result FOUND --color GREEN
logtext "Result: found GRUB2 configuration file (/boot/grub/grub.cfg)" logtext "Result: found GRUB2 configuration file (/boot/grub/grub.cfg)"
# YYY password check, when documentation of GRUB2 project is improved # YYY password check, when documentation of GRUB2 project is improved
# YYY Add check permission check (600) # YYY Add check permission check (600)
@ -74,7 +74,7 @@
fi fi
if [ ${FOUND} -eq 0 ]; then if [ ${FOUND} -eq 0 ]; then
Display --indent 4 --text "- Checking presence GRUB... " --result "NOT FOUND" --color WHITE Display --indent 4 --text "- Checking presence GRUB" --result "NOT FOUND" --color WHITE
logtext "Result: no GRUB configuration file found." logtext "Result: no GRUB configuration file found."
fi fi
fi fi
@ -120,13 +120,13 @@
Register --test-no BOOT-5139 --weight L --network NO --description "Check for LILO boot loader presence" Register --test-no BOOT-5139 --weight L --network NO --description "Check for LILO boot loader presence"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
LILOCONFFILE="/etc/lilo.conf" LILOCONFFILE="/etc/lilo.conf"
logtext "Test: checking for presence LILO configuration file..." logtext "Test: checking for presence LILO configuration file"
if [ -f ${LILOCONFFILE} ]; then if [ -f ${LILOCONFFILE} ]; then
FileIsReadable ${LILOCONFFILE} FileIsReadable ${LILOCONFFILE}
if [ ${CANREAD} -eq 1 ]; then if [ ${CANREAD} -eq 1 ]; then
BOOT_LOADER="LILO" BOOT_LOADER="LILO"
Display --indent 4 --text "- Checking presence LILO... " --result "OK" --color GREEN Display --indent 4 --text "- Checking presence LILO" --result "OK" --color GREEN
logtext "Checking password option LILO..." logtext "Checking password option LILO"
FIND=`cat ${LILOCONFFILE} | ${EGREPBINARY} 'password[[:space:]]?=' | grep -v "^#"` FIND=`cat ${LILOCONFFILE} | ${EGREPBINARY} 'password[[:space:]]?=' | grep -v "^#"`
if [ "${FIND}" = "" ]; then if [ "${FIND}" = "" ]; then
Display --indent 6 --text "- Password option presence " --result "WARNING" --color RED Display --indent 6 --text "- Password option presence " --result "WARNING" --color RED
@ -145,7 +145,7 @@
logtext "Result: can not read ${LILOCONFFILE} (no permission)" logtext "Result: can not read ${LILOCONFFILE} (no permission)"
fi fi
else else
Display --indent 4 --text "- Checking presence LILO... " --result "NOT FOUND" --color WHITE Display --indent 4 --text "- Checking presence LILO" --result "NOT FOUND" --color WHITE
logtext "Result: LILO configuration file not found" logtext "Result: LILO configuration file not found"
fi fi
fi fi
@ -212,18 +212,18 @@
Register --test-no BOOT-5159 --os OpenBSD --platform i386 --weight L --network NO --description "Check for OpenBSD i386 boot loader presence" Register --test-no BOOT-5159 --os OpenBSD --platform i386 --weight L --network NO --description "Check for OpenBSD i386 boot loader presence"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
if [ -f /etc/boot.conf ]; then if [ -f /etc/boot.conf ]; then
Display --indent 2 --text "- Checking /etc/boot.conf..." --result "FOUND" --color GREEN Display --indent 2 --text "- Checking /etc/boot.conf" --result "FOUND" --color GREEN
FIND=`grep '^boot' /etc/boot.conf` FIND=`grep '^boot' /etc/boot.conf`
if [ "${FIND}" = "" ]; then if [ "${FIND}" = "" ]; then
Display --indent 4 --text "- Checking boot option..." --result WARNING --color RED Display --indent 4 --text "- Checking boot option" --result WARNING --color RED
ReportSuggestion ${TEST_NO} "Add 'boot' to the /etc/boot.conf file to disable the default 5 seconds waiting time, to disallow booting into single user mode." ReportSuggestion ${TEST_NO} "Add 'boot' to the /etc/boot.conf file to disable the default 5 seconds waiting time, to disallow booting into single user mode."
ReportWarning ${TEST_NO} "M" "System can be booted into single user mode without password" ReportWarning ${TEST_NO} "M" "System can be booted into single user mode without password"
else else
Display --indent 4 --text "- Checking boot option..." --result OK --color GREEN Display --indent 4 --text "- Checking boot option" --result OK --color GREEN
logtext "Ok, boot option is enabled." logtext "Ok, boot option is enabled."
fi fi
else else
Display --indent 2 --text "- Checking /etc/boot.conf..." --result "NOT FOUND" --color YELLOW Display --indent 2 --text "- Checking /etc/boot.conf" --result "NOT FOUND" --color YELLOW
logtext "Result: no /etc/boot.conf found. When using the default boot loader, physical" logtext "Result: no /etc/boot.conf found. When using the default boot loader, physical"
logtext "access to the server can be used to possibly enter single user mode." logtext "access to the server can be used to possibly enter single user mode."
ReportSuggestion ${TEST_NO} "Add 'boot' to the /etc/boot.conf file to disable the default 5 seconds waiting time." ReportSuggestion ${TEST_NO} "Add 'boot' to the /etc/boot.conf file to disable the default 5 seconds waiting time."
@ -237,7 +237,7 @@
Register --test-no BOOT-5165 --os FreeBSD --weight L --network NO --description "Check for FreeBSD boot services" Register --test-no BOOT-5165 --os FreeBSD --weight L --network NO --description "Check for FreeBSD boot services"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
# FreeBSD (Read /etc/rc.conf file for enabled services) # FreeBSD (Read /etc/rc.conf file for enabled services)
logtext "Searching for services at startup (rc.conf)..." logtext "Searching for services at startup (rc.conf)"
FIND=`egrep -v -i '^#|none' /etc/rc.conf | egrep -i '_enable.*(yes|on|1)' | sort | awk -F= '{ print $1 }' | sed 's/_enable//'` FIND=`egrep -v -i '^#|none' /etc/rc.conf | egrep -i '_enable.*(yes|on|1)' | sort | awk -F= '{ print $1 }' | sed 's/_enable//'`
N=0 N=0
for I in ${FIND}; do for I in ${FIND}; do
@ -245,7 +245,7 @@
report "boottask[]=${I}" report "boottask[]=${I}"
N=`expr ${N} + 1` N=`expr ${N} + 1`
done done
Display --indent 2 --text "- Checking services at startup (rc.conf)..." --result "DONE" --color GREEN Display --indent 2 --text "- Checking services at startup (rc.conf)" --result "DONE" --color GREEN
Display --indent 6 --text "Result: found $N services/options set" Display --indent 6 --text "Result: found $N services/options set"
logtext "Found $N services/options to run at startup" logtext "Found $N services/options to run at startup"
fi fi
@ -278,7 +278,7 @@
N=`expr ${N} + 1` N=`expr ${N} + 1`
done done
logtext "Suggestion: Run systemctl --full --type=service to see all services" logtext "Suggestion: Run systemctl --full --type=service to see all services"
Display --indent 2 --text "- Check running services (systemctl)... " --result "DONE" --color GREEN Display --indent 2 --text "- Check running services (systemctl)" --result "DONE" --color GREEN
Display --indent 8 --text "Result: found $N running services" Display --indent 8 --text "Result: found $N running services"
logtext "Result: Found $N enabled services" logtext "Result: Found $N enabled services"
@ -293,7 +293,7 @@
N=`expr ${N} + 1` N=`expr ${N} + 1`
done done
logtext "Suggestion: Run systemctl list-unit-files --type=service to see all services" logtext "Suggestion: Run systemctl list-unit-files --type=service to see all services"
Display --indent 2 --text "- Check enabled services at boot (systemctl)... " --result "DONE" --color GREEN Display --indent 2 --text "- Check enabled services at boot (systemctl)" --result "DONE" --color GREEN
Display --indent 8 --text "Result: found $N enabled services" Display --indent 8 --text "Result: found $N enabled services"
logtext "Result: Found $N running services" logtext "Result: Found $N running services"
@ -301,7 +301,7 @@
logtext "Result: systemctl binary not found, checking chkconfig binary" logtext "Result: systemctl binary not found, checking chkconfig binary"
if [ ! "${CHKCONFIGBINARY}" = "" ]; then if [ ! "${CHKCONFIGBINARY}" = "" ]; then
logtext "Result: chkconfig binary found, trying that to discover information" logtext "Result: chkconfig binary found, trying that to discover information"
logtext "Searching for services at startup (chkconfig, runlevel 3 and 5)... " logtext "Searching for services at startup (chkconfig, runlevel 3 and 5)"
FIND=`${CHKCONFIGBINARY} --list | egrep '3:on|5:on' | awk '{ print $1 }'` FIND=`${CHKCONFIGBINARY} --list | egrep '3:on|5:on' | awk '{ print $1 }'`
N=0 N=0
report "boot_service_tool=chkconfig" report "boot_service_tool=chkconfig"
@ -311,7 +311,7 @@
N=`expr ${N} + 1` N=`expr ${N} + 1`
done done
logtext "Suggestion: Run chkconfig --list to see all services and disable unneeded services" logtext "Suggestion: Run chkconfig --list to see all services and disable unneeded services"
Display --indent 2 --text "- Check services at startup (chkconfig)... " --result "DONE" --color GREEN Display --indent 2 --text "- Check services at startup (chkconfig)" --result "DONE" --color GREEN
Display --indent 8 --text "Result: found $N services" Display --indent 8 --text "Result: found $N services"
logtext "Result: Found $N services at startup" logtext "Result: Found $N services at startup"
else else
@ -372,7 +372,7 @@
logtext "Found service (at boot, runlevel 2): ${I}" logtext "Found service (at boot, runlevel 2): ${I}"
N=`expr ${N} + 1` N=`expr ${N} + 1`
done done
Display --indent 2 --text "- Check services at startup (rc2.d)... " --result "DONE" --color WHITE Display --indent 2 --text "- Check services at startup (rc2.d)" --result "DONE" --color WHITE
Display --indent 4 --text "Result: found $N services" Display --indent 4 --text "Result: found $N services"
logtext "Found $N services" logtext "Found $N services"
fi fi
@ -452,13 +452,13 @@
# Check results # Check results
if [ ${FOUND} -eq 1 ]; then if [ ${FOUND} -eq 1 ]; then
Display --indent 2 --text "- Check startup files (permissions)... " --result "WARNING" --color RED Display --indent 2 --text "- Check startup files (permissions)" --result "WARNING" --color RED
ReportWarning ${TEST_NO} "H" "One or more startup files can be overwritten by all users" ReportWarning ${TEST_NO} "H" "One or more startup files can be overwritten by all users"
ReportSuggestion ${TEST_NO} "Check startup scripts for world write access and change permissions if needed" ReportSuggestion ${TEST_NO} "Check startup scripts for world write access and change permissions if needed"
logtext "Result: found one or more scripts which are possibly writable by other users" logtext "Result: found one or more scripts which are possibly writable by other users"
AddHP 0 3 AddHP 0 3
else else
Display --indent 2 --text "- Check startup files (permissions)... " --result "OK" --color GREEN Display --indent 2 --text "- Check startup files (permissions)" --result "OK" --color GREEN
AddHP 3 3 AddHP 3 3
fi fi
fi fi


@ -65,9 +65,9 @@
done done
if [ ${FOUNDPROBLEM} -eq 0 ]; then if [ ${FOUNDPROBLEM} -eq 0 ]; then
Display --indent 2 --text "- Checking SSL certificate expiration..." --result OK --color GREEN Display --indent 2 --text "- Checking SSL certificate expiration" --result OK --color GREEN
else else
Display --indent 2 --text "- Checking SSL certificate expiration..." --result WARNING --color RED Display --indent 2 --text "- Checking SSL certificate expiration" --result WARNING --color RED
ReportWarning ${TEST_NO} "M" "One or more SSL certificates expired" ReportWarning ${TEST_NO} "M" "One or more SSL certificates expired"
fi fi
fi fi


@ -40,10 +40,10 @@
logtext "Test: checking something" logtext "Test: checking something"
ReportWarning ${TEST_NO} "M" "Test warning" ReportWarning ${TEST_NO} "M" "Test warning"
if [ ${FOUND} -eq 0 ]; then if [ ${FOUND} -eq 0 ]; then
Display --indent 4 --text "- Performing custom test 1..." --result OK --color GREEN Display --indent 4 --text "- Performing custom test 1" --result OK --color GREEN
logtext "Result: the test looks great!" logtext "Result: the test looks great!"
else else
Display --indent 4 --text "- Performing custom test 1..." --result WARNING --color RED Display --indent 4 --text "- Performing custom test 1" --result WARNING --color RED
logtext "Result: hmm bad result of this test :(" logtext "Result: hmm bad result of this test :("
ReportSuggestion ${TEST_NO} "This could be better!" ReportSuggestion ${TEST_NO} "This could be better!"
fi fi


@ -37,10 +37,10 @@
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
FIND=`${PSBINARY} ax | egrep "mysqld|mysqld_safe" | grep -v "grep"` FIND=`${PSBINARY} ax | egrep "mysqld|mysqld_safe" | grep -v "grep"`
if [ "${FIND}" = "" ]; then if [ "${FIND}" = "" ]; then
Display --indent 2 --text "- MySQL process status..." --result "NOT FOUND" --color WHITE Display --indent 2 --text "- MySQL process status" --result "NOT FOUND" --color WHITE
logtext "Result: MySQL process not active" logtext "Result: MySQL process not active"
else else
Display --indent 2 --text "- MySQL process status..." --result "FOUND" --color GREEN Display --indent 2 --text "- MySQL process status" --result "FOUND" --color GREEN
logtext "Result: MySQL is active" logtext "Result: MySQL is active"
MYSQL_RUNNING=1 MYSQL_RUNNING=1
fi fi
@ -70,19 +70,19 @@
if [ ! "${MYSQLCLIENTBINARY}" = "" -a ${MYSQL_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if [ ! "${MYSQLCLIENTBINARY}" = "" -a ${MYSQL_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no DBS-1816 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking MySQL root password" Register --test-no DBS-1816 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking MySQL root password"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Trying to login to local MySQL server without password" logtext "Test: Trying to login to local MySQL server without password"
FIND=`${MYSQLCLIENTBINARY} -u root --password= --silent --batch --execute="" 2> /dev/null; echo $?` FIND=`${MYSQLCLIENTBINARY} -u root --password= --silent --batch --execute="" 2> /dev/null; echo $?`
if [ "${FIND}" = "0" ]; then if [ "${FIND}" = "0" ]; then
logtext "Result: Login succeeded, no MySQL root password set!" logtext "Result: Login succeeded, no MySQL root password set!"
ReportWarning ${TEST_NO} "H" "No MySQL root password set" ReportWarning ${TEST_NO} "H" "No MySQL root password set"
ReportSuggestion ${TEST_NO} "Use mysqladmin to set a MySQL root password (mysqladmin -u root -p password MYPASSWORD)" ReportSuggestion ${TEST_NO} "Use mysqladmin to set a MySQL root password (mysqladmin -u root -p password MYPASSWORD)"
Display --indent 4 --text "- Checking empty MySQL root password" --result WARNING --color RED Display --indent 4 --text "- Checking empty MySQL root password" --result WARNING --color RED
AddHP 0 5 AddHP 0 5
else else
logtext "Result: Login did not succeed, so a MySQL root password is set" logtext "Result: Login did not succeed, so a MySQL root password is set"
Display --indent 4 --text "- Checking MySQL root password" --result OK --color GREEN Display --indent 4 --text "- Checking MySQL root password" --result OK --color GREEN
AddHP 2 2 AddHP 2 2
fi fi
else else
logtext "Test skipped, MySQL daemon not running or no MySQL client available" logtext "Test skipped, MySQL daemon not running or no MySQL client available"
fi fi
@ -93,15 +93,15 @@
# Description : Check if PostgreSQL is being used # Description : Check if PostgreSQL is being used
Register --test-no DBS-1826 --weight L --network NO --description "Checking active PostgreSQL processes" Register --test-no DBS-1826 --weight L --network NO --description "Checking active PostgreSQL processes"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
FIND=`${PSBINARY} ax | grep "postgres:" | grep -v "grep"` FIND=`${PSBINARY} ax | grep "postgres:" | grep -v "grep"`
if [ "${FIND}" = "" ]; then if [ "${FIND}" = "" ]; then
Display --indent 2 --text "- PostgreSQL processes status..." --result "NOT FOUND" --color WHITE Display --indent 2 --text "- PostgreSQL processes status" --result "NOT FOUND" --color WHITE
logtext "Result: PostgreSQL process not active" logtext "Result: PostgreSQL process not active"
else else
Display --indent 2 --text "- PostgreSQL processes status..." --result "FOUND" --color GREEN Display --indent 2 --text "- PostgreSQL processes status" --result "FOUND" --color GREEN
logtext "Result: PostgreSQL is active" logtext "Result: PostgreSQL is active"
POSTGRESQL_RUNNING=1 POSTGRESQL_RUNNING=1
fi fi
fi fi
# #
################################################################################# #################################################################################
@ -120,10 +120,10 @@
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
FIND=`${PSBINARY} ax | egrep "ora_pmon|ora_smon|tnslsnr" | grep -v "grep"` FIND=`${PSBINARY} ax | egrep "ora_pmon|ora_smon|tnslsnr" | grep -v "grep"`
if [ "${FIND}" = "" ]; then if [ "${FIND}" = "" ]; then
Display --indent 2 --text "- Oracle processes status..." --result "NOT FOUND" --color WHITE Display --indent 2 --text "- Oracle processes status" --result "NOT FOUND" --color WHITE
logtext "Result: Oracle process(es) not active" logtext "Result: Oracle process(es) not active"
else else
Display --indent 2 --text "- Oracle processes status..." --result "FOUND" --color GREEN Display --indent 2 --text "- Oracle processes status" --result "FOUND" --color GREEN
logtext "Result: Oracle is active" logtext "Result: Oracle is active"
ORACLE_RUNNING=1 ORACLE_RUNNING=1
fi fi
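Review bot: In DBS-1816 the `else` branch treats every non-zero exit from the client as proof that a root password exists, logs "so a MySQL root password is set" and awards `AddHP 2 2`. Because stderr goes to /dev/null, a refused login cannot be told apart from a connection failure (wrong socket path, server not accepting local connections), so the check can report OK without having tested authentication at all. I would keep the client's error output and score the OK case only on an access-denied result, otherwise logging something like `logtext "Result: Login did not succeed, cause not determined; root password state not confirmed"` without adding hardening points. The two branches also use different Display texts ("Checking empty MySQL root password" and "Checking MySQL root password") for the same test.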


@ -19,7 +19,7 @@
################################################################################# #################################################################################
# #
InsertSection "Software: file integrity" InsertSection "Software: file integrity"
Display --indent 2 --text "- Checking file integrity tools..." Display --indent 2 --text "- Checking file integrity tools"
# Test : FINT-4310 # Test : FINT-4310
@ -30,10 +30,10 @@
if [ ! "${AFICKBINARY}" = "" ]; then if [ ! "${AFICKBINARY}" = "" ]; then
logtext "Result: AFICK is installed (${AFICKBINARY})" logtext "Result: AFICK is installed (${AFICKBINARY})"
FILE_INT_TOOL_FOUND=1 FILE_INT_TOOL_FOUND=1
Display --indent 4 --text "- AFICK..." --result FOUND --color GREEN Display --indent 4 --text "- AFICK" --result FOUND --color GREEN
else else
logtext "Result: AFICK is not installed" logtext "Result: AFICK is not installed"
Display --indent 4 --text "- AFICK..." --result "NOT FOUND" --color WHITE Display --indent 4 --text "- AFICK" --result "NOT FOUND" --color WHITE
fi fi
fi fi
# #
@ -47,10 +47,10 @@
if [ ! "${AIDEBINARY}" = "" ]; then if [ ! "${AIDEBINARY}" = "" ]; then
logtext "Result: AIDE is installed (${AIDEBINARY})" logtext "Result: AIDE is installed (${AIDEBINARY})"
FILE_INT_TOOL_FOUND=1 FILE_INT_TOOL_FOUND=1
Display --indent 4 --text "- AIDE..." --result FOUND --color GREEN Display --indent 4 --text "- AIDE" --result FOUND --color GREEN
else else
logtext "Result: AIDE is not installed" logtext "Result: AIDE is not installed"
Display --indent 4 --text "- AIDE..." --result "NOT FOUND" --color WHITE Display --indent 4 --text "- AIDE" --result "NOT FOUND" --color WHITE
fi fi
fi fi
# #
@ -112,10 +112,10 @@
if [ ! "${OSIRISBINARY}" = "" ]; then if [ ! "${OSIRISBINARY}" = "" ]; then
logtext "Result: Osiris is installed (${OSIRISBINARY})" logtext "Result: Osiris is installed (${OSIRISBINARY})"
FILE_INT_TOOL_FOUND=1 FILE_INT_TOOL_FOUND=1
Display --indent 4 --text "- Osiris..." --result FOUND --color GREEN Display --indent 4 --text "- Osiris" --result FOUND --color GREEN
else else
logtext "Result: Osiris is not installed" logtext "Result: Osiris is not installed"
Display --indent 4 --text "- Osiris..." --result "NOT FOUND" --color WHITE Display --indent 4 --text "- Osiris" --result "NOT FOUND" --color WHITE
fi fi
fi fi
# #
@ -129,10 +129,10 @@
if [ ! "${SAMHAINBINARY}" = "" ]; then if [ ! "${SAMHAINBINARY}" = "" ]; then
logtext "Result: Samhain is installed (${SAMHAINBINARY})" logtext "Result: Samhain is installed (${SAMHAINBINARY})"
FILE_INT_TOOL_FOUND=1 FILE_INT_TOOL_FOUND=1
Display --indent 4 --text "- Samhain..." --result FOUND --color GREEN Display --indent 4 --text "- Samhain" --result FOUND --color GREEN
else else
logtext "Result: Samhain is not installed" logtext "Result: Samhain is not installed"
Display --indent 4 --text "- Samhain..." --result "NOT FOUND" --color WHITE Display --indent 4 --text "- Samhain" --result "NOT FOUND" --color WHITE
fi fi
fi fi
# #
@ -146,10 +146,10 @@
if [ ! "${TRIPWIREBINARY}" = "" ]; then if [ ! "${TRIPWIREBINARY}" = "" ]; then
logtext "Result: Tripwire is installed (${TRIPWIREBINARY})" logtext "Result: Tripwire is installed (${TRIPWIREBINARY})"
FILE_INT_TOOL_FOUND=1 FILE_INT_TOOL_FOUND=1
Display --indent 4 --text "- Tripwire..." --result FOUND --color GREEN Display --indent 4 --text "- Tripwire" --result FOUND --color GREEN
else else
logtext "Result: Tripwire is not installed" logtext "Result: Tripwire is not installed"
Display --indent 4 --text "- Tripwire..." --result "NOT FOUND" --color WHITE Display --indent 4 --text "- Tripwire" --result "NOT FOUND" --color WHITE
fi fi
fi fi
# #
@ -163,9 +163,9 @@
IsRunning ossec-syscheckd IsRunning ossec-syscheckd
if [ ${RUNNING} -eq 1 ]; then if [ ${RUNNING} -eq 1 ]; then
FILE_INT_TOOL_FOUND=1 FILE_INT_TOOL_FOUND=1
Display --indent 4 --text "- OSSEC (syscheck)..." --result FOUND --color GREEN Display --indent 4 --text "- OSSEC (syscheck)" --result FOUND --color GREEN
else else
Display --indent 4 --text "- OSSEC (syscheck)..." --result "NOT FOUND" --color WHITE Display --indent 4 --text "- OSSEC (syscheck)" --result "NOT FOUND" --color WHITE
fi fi
fi fi
# #
@ -180,10 +180,10 @@
if [ ! "${MTREEBINARY}" = "" ]; then if [ ! "${MTREEBINARY}" = "" ]; then
logtext "Result: mtree is installed (${MTREEBINARY})" logtext "Result: mtree is installed (${MTREEBINARY})"
FILE_INT_TOOL_FOUND=1 FILE_INT_TOOL_FOUND=1
Display --indent 4 --text "- mtree..." --result FOUND --color GREEN Display --indent 4 --text "- mtree" --result FOUND --color GREEN
else else
logtext "Result: mtree is not installed" logtext "Result: mtree is not installed"
Display --indent 4 --text "- mtree..." --result "NOT FOUND" --color WHITE Display --indent 4 --text "- mtree" --result "NOT FOUND" --color WHITE
fi fi
fi fi
# #
@ -196,11 +196,11 @@
logtext "Test: Check if at least on file integrity tool is available/installed" logtext "Test: Check if at least on file integrity tool is available/installed"
if [ ${FILE_INT_TOOL_FOUND} -eq 1 ]; then if [ ${FILE_INT_TOOL_FOUND} -eq 1 ]; then
logtext "Result: found at least one file integrity tool" logtext "Result: found at least one file integrity tool"
Display --indent 2 --text "- Checking presence integrity tool..." --result FOUND --color GREEN Display --indent 2 --text "- Checking presence integrity tool" --result FOUND --color GREEN
AddHP 5 5 AddHP 5 5
else else
logtext "Result: No file integrity tools found" logtext "Result: No file integrity tools found"
Display --indent 2 --text "- Checking presence integrity tool..." --result "NOT FOUND" --color YELLOW Display --indent 2 --text "- Checking presence integrity tool" --result "NOT FOUND" --color YELLOW
ReportSuggestion ${TEST_NO} "Install a file integrity tool" ReportSuggestion ${TEST_NO} "Install a file integrity tool"
AddHP 0 5 AddHP 0 5
fi fi
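Review bot: The closing test awards `AddHP 5 5` whenever FILE_INT_TOOL_FOUND is 1, and in the visible hunks for AFICK, AIDE, Osiris, Samhain, Tripwire and mtree that flag is set as soon as the binary variable is non-empty; only the OSSEC test asks whether a daemon is running. A tool that is installed but has no baseline database or scheduled run provides no integrity monitoring, so the result line should say what was verified, e.g. `logtext "Result: found at least one file integrity tool (installed; baseline and scheduling not verified)"`. The context line `"Test: Check if at least on file integrity tool is available/installed"` also carries a typo (`on` should be `one`). The individual tests start outside their hunks, so any further checks they may perform are not visible here.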


@ -18,7 +18,7 @@
# #
################################################################################# #################################################################################
# #
InsertSection "System Tools" InsertSection "File Permissions"
# #
################################################################################# #################################################################################
# #
@ -26,7 +26,7 @@
# Description : Perform file permissions check # Description : Perform file permissions check
Register --test-no FILE-7524 --weight L --network NO --description "Perform file permissions check" Register --test-no FILE-7524 --weight L --network NO --description "Perform file permissions check"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
Display --indent 2 --text "- Starting file permissions check..." Display --indent 2 --text "- Starting file permissions check"
logtext "Test: Checking file permissions" logtext "Test: Checking file permissions"
logtext "Using profile ${PROFILE} for baseline." logtext "Using profile ${PROFILE} for baseline."
FIND=`cat ${PROFILE} | egrep '^permfile:|^permdir:' | cut -d: -f2` FIND=`cat ${PROFILE} | egrep '^permfile:|^permdir:' | cut -d: -f2`
@ -37,17 +37,17 @@
logtext " Actual permissions: ${FILEVALUE}" logtext " Actual permissions: ${FILEVALUE}"
logtext " Result: $PERMS" logtext " Result: $PERMS"
if [ "${PERMS}" = "FILE_NOT_FOUND" ]; then if [ "${PERMS}" = "FILE_NOT_FOUND" ]; then
Display --indent 4 --text "${I}" --result "NOT FOUND" --color WHITE Display --indent 4 --text "${I}" --result "NOT FOUND" --color WHITE
elif [ "${PERMS}" = "OK" ]; then elif [ "${PERMS}" = "OK" ]; then
Display --indent 4 --text "${I}" --result OK --color GREEN Display --indent 4 --text "${I}" --result OK --color GREEN
elif [ "${PERMS}" = "BAD" ]; then elif [ "${PERMS}" = "BAD" ]; then
Display --indent 4 --text "${I}" --result WARNING --color RED Display --indent 4 --text "${I}" --result WARNING --color RED
ReportWarning ${TEST_NO} "M" "Incorrect permissions for file ${I}" ReportWarning ${TEST_NO} "M" "Incorrect permissions for file ${I}"
else else
logtext "UNKNOWN status for file" logtext "UNKNOWN status for file"
fi fi
done done
fi fi
# #
################################################################################# #################################################################################
# #
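Review bot: In the FILE-7524 loop the final `else` only writes `logtext "UNKNOWN status for file"`, so nothing reaches the screen and the log entry does not name the file. A path whose permissions could not be evaluated then looks the same in the output as one that was never checked. I would add `Display --indent 4 --text "${I}" --result UNKNOWN --color YELLOW` to that branch and change the log line to `logtext "UNKNOWN status for file ${I}"`. The loop header lies outside the visible hunk, so this assumes `${I}` is the path under test, as the other branches suggest.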


@ -40,16 +40,16 @@
logtext "Test: Checking if ${I} is mounted separately or mounted on / file system" logtext "Test: Checking if ${I} is mounted separately or mounted on / file system"
if [ -L ${I} ]; then if [ -L ${I} ]; then
logtext "Result: ${I} is a symlink. Manual check required to determine exact file system" logtext "Result: ${I} is a symlink. Manual check required to determine exact file system"
Display --indent 4 --text "- Checking ${I} mount point..." --result SYMLINK --color WHITE Display --indent 4 --text "- Checking ${I} mount point" --result SYMLINK --color WHITE
elif [ -d ${I} ]; then elif [ -d ${I} ]; then
logtext "Result: directory ${I} exists" logtext "Result: directory ${I} exists"
FIND=`mount | grep "${I}"` FIND=`mount | grep "${I}"`
if [ ! "${FIND}" = "" ]; then if [ ! "${FIND}" = "" ]; then
logtext "Result: found ${I} as a separated mount point" logtext "Result: found ${I} as a separated mount point"
Display --indent 4 --text "- Checking ${I} mount point..." --result OK --color GREEN Display --indent 4 --text "- Checking ${I} mount point" --result OK --color GREEN
else else
logtext "Result: ${I} not found in mount list. Directory most likely stored on / file system" logtext "Result: ${I} not found in mount list. Directory most likely stored on / file system"
Display --indent 4 --text "- Checking ${I} mount point..." --result SUGGESTION --color YELLOW Display --indent 4 --text "- Checking ${I} mount point" --result SUGGESTION --color YELLOW
ReportSuggestion ${TEST_NO} "To decrease the impact of a full ${I} file system, place ${I} on a separated partition" ReportSuggestion ${TEST_NO} "To decrease the impact of a full ${I} file system, place ${I} on a separated partition"
fi fi
else else
@ -79,10 +79,10 @@
report "lvm_volume_group[]=${I}" report "lvm_volume_group[]=${I}"
done done
LVM_VG_USED=1 LVM_VG_USED=1
Display --indent 2 --text "- Checking LVM volume groups..." --result FOUND --color GREEN Display --indent 2 --text "- Checking LVM volume groups" --result FOUND --color GREEN
else else
logtext "Result: no LVM volume groups found" logtext "Result: no LVM volume groups found"
Display --indent 2 --text "- Checking LVM volume groups..." --result NONE --color WHITE Display --indent 2 --text "- Checking LVM volume groups" --result NONE --color WHITE
fi fi
fi fi
# #
@ -101,10 +101,10 @@
logtext "Found LVM volume: ${I}" logtext "Found LVM volume: ${I}"
report "lvm_volume[]=${I}" report "lvm_volume[]=${I}"
done done
Display --indent 4 --text "- Checking LVM volumes..." --result FOUND --color GREEN Display --indent 4 --text "- Checking LVM volumes" --result FOUND --color GREEN
else else
logtext "Result: no LVM volume groups found" logtext "Result: no LVM volume groups found"
Display --indent 4 --text "- Checking LVM volumes..." --result NONE --color WHITE Display --indent 4 --text "- Checking LVM volumes" --result NONE --color WHITE
fi fi
fi fi
# #
@ -144,10 +144,10 @@
logtext "Test: Query /etc/fstab for available FFS/UFS mount points" logtext "Test: Query /etc/fstab for available FFS/UFS mount points"
FIND=`awk '{ if ($3 == "ufs" || $3 == "ffs" ) { print $1":"$2":"$3":"$4":" }}' /etc/fstab` FIND=`awk '{ if ($3 == "ufs" || $3 == "ffs" ) { print $1":"$2":"$3":"$4":" }}' /etc/fstab`
if [ "${FIND}" = "" ]; then if [ "${FIND}" = "" ]; then
Display --indent 2 --text "- Querying FFS/UFS mount points (fstab)..." --result NONE --color WHITE Display --indent 2 --text "- Querying FFS/UFS mount points (fstab)" --result NONE --color WHITE
logtext "Result: unable to find any single mount point (FFS/UFS)" logtext "Result: unable to find any single mount point (FFS/UFS)"
else else
Display --indent 2 --text "- Querying FFS/UFS mount points (fstab)..." --result FOUND --color GREEN Display --indent 2 --text "- Querying FFS/UFS mount points (fstab)" --result FOUND --color GREEN
report "filesystem[]=ufs" report "filesystem[]=ufs"
for I in ${FIND}; do for I in ${FIND}; do
logtext "FFS/UFS mount found: ${I}" logtext "FFS/UFS mount found: ${I}"
@ -165,10 +165,10 @@
logtext "Test: Query /etc/fstab for available ZFS mount points" logtext "Test: Query /etc/fstab for available ZFS mount points"
FIND=`mount -p | awk '{ if ($3 == "zfs") { print $1":"$2":"$3":"$4":" }}'` FIND=`mount -p | awk '{ if ($3 == "zfs") { print $1":"$2":"$3":"$4":" }}'`
if [ "${FIND}" = "" ]; then if [ "${FIND}" = "" ]; then
Display --indent 2 --text "- Querying ZFS mount points (mount -p)..." --result NONE --color WHITE Display --indent 2 --text "- Querying ZFS mount points (mount -p)" --result NONE --color WHITE
logtext "Result: unable to find any single mount point (ZFS)" logtext "Result: unable to find any single mount point (ZFS)"
else else
Display --indent 2 --text "- Querying ZFS mount points (mount -p)..." --result FOUND --color GREEN Display --indent 2 --text "- Querying ZFS mount points (mount -p)" --result FOUND --color GREEN
report "filesystem[]=zfs" report "filesystem[]=zfs"
for I in ${FIND}; do for I in ${FIND}; do
logtext "ZFS mount found: ${I}" logtext "ZFS mount found: ${I}"
@ -206,9 +206,9 @@
report "swap_partition[]=${I}" report "swap_partition[]=${I}"
done done
if [ ${FOUND} -eq 1 ]; then if [ ${FOUND} -eq 1 ]; then
Display --indent 2 --text "- Query swap partitions (fstab)..." --result OK --color GREEN Display --indent 2 --text "- Query swap partitions (fstab)" --result OK --color GREEN
else else
Display --indent 2 --text "- Query swap partitions (fstab)..." --result WARNING --color YELLOW Display --indent 2 --text "- Query swap partitions (fstab)" --result WARNING --color YELLOW
ReportWarning ${TEST_NO} "L" "No swap partion found in /etc/fstab" ReportWarning ${TEST_NO} "L" "No swap partion found in /etc/fstab"
logtext "Result: no swap partitions found in /etc/fstab" logtext "Result: no swap partitions found in /etc/fstab"
fi fi
@ -225,10 +225,10 @@
logtext "Test: check swap partitions with incorrect mount options" logtext "Test: check swap partitions with incorrect mount options"
FIND=`awk '{ if ($3=="swap" && ($4!="sw" && $4!="swap" && $4!="defaults")) print $1 }' /etc/fstab` FIND=`awk '{ if ($3=="swap" && ($4!="sw" && $4!="swap" && $4!="defaults")) print $1 }' /etc/fstab`
if [ "${FIND}" = "" ]; then if [ "${FIND}" = "" ]; then
Display --indent 2 --text "- Testing swap partitions..." --result OK --color GREEN Display --indent 2 --text "- Testing swap partitions" --result OK --color GREEN
logtext "Result: all swap partitions have correct options (sw or swap)" logtext "Result: all swap partitions have correct options (sw or swap)"
else else
Display --indent 2 --text "- Testing swap partitions..." --result WARNING --color RED Display --indent 2 --text "- Testing swap partitions" --result WARNING --color RED
logtext "Result: possible incorrect mount options used for mounting swap partition (${FIND})" logtext "Result: possible incorrect mount options used for mounting swap partition (${FIND})"
#ReportWarning ${TEST_NO} "L" "Possible incorrect mount options used for swap parition (${FIND})" #ReportWarning ${TEST_NO} "L" "Possible incorrect mount options used for swap parition (${FIND})"
ReportSuggestion ${TEST_NO} "Check your /etc/fstab file. Swap partition usually have 'sw' or 'swap' in the options field (4th)." ReportSuggestion ${TEST_NO} "Check your /etc/fstab file. Swap partition usually have 'sw' or 'swap' in the options field (4th)."
@ -242,14 +242,14 @@
if [ -d /tmp ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if [ -d /tmp ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no FILE-6354 --preqs-met ${PREQS_MET} --weight L --network NO --description "Searching for old files in /tmp" Register --test-no FILE-6354 --preqs-met ${PREQS_MET} --weight L --network NO --description "Searching for old files in /tmp"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Searching for old files in /tmp..." logtext "Test: Searching for old files in /tmp"
# Search for files only in /tmp, with an access time older than X days # Search for files only in /tmp, with an access time older than X days
FIND=`find /tmp -type f -atime +${TMP_OLD_DAYS} 2> /dev/null | sed 's/ /!space!/g'` FIND=`find /tmp -type f -atime +${TMP_OLD_DAYS} 2> /dev/null | sed 's/ /!space!/g'`
if [ "${FIND}" = "" ]; then if [ "${FIND}" = "" ]; then
Display --indent 2 --text "- Checking for old files in /tmp..." --result OK --color GREEN Display --indent 2 --text "- Checking for old files in /tmp" --result OK --color GREEN
logtext "Result: no files found in /tmp which are older than 3 months" logtext "Result: no files found in /tmp which are older than 3 months"
else else
Display --indent 2 --text "- Checking for old files in /tmp..." --result WARNING --color RED Display --indent 2 --text "- Checking for old files in /tmp" --result WARNING --color RED
N=0 N=0
for I in ${FIND}; do for I in ${FIND}; do
FILE=`echo ${I} | sed 's/!space!/ /g'` FILE=`echo ${I} | sed 's/!space!/ /g'`
@ -275,7 +275,7 @@
#for I in ${SKELDIRS}; do #for I in ${SKELDIRS}; do
# #
# logtext "Searching skel directory ${I}..." # logtext "Searching skel directory ${I}"
# #
# if [ -d ${I} ]; then # if [ -d ${I} ]; then
# logtext "Result: Directory found, scanning for unsafe file permissions" # logtext "Result: Directory found, scanning for unsafe file permissions"
@ -283,20 +283,20 @@
# if [ ! "${FIND}" = "0" ]; then # if [ ! "${FIND}" = "0" ]; then
# FIND=`find ${I} -type f -a \( -perm -004 -o -perm -002 -o -perm -001 \)` # FIND=`find ${I} -type f -a \( -perm -004 -o -perm -002 -o -perm -001 \)`
# if [ "${FIND}" = "" ]; then # if [ "${FIND}" = "" ]; then
# Display --indent 2 --text "- Checking skel file permissions (${I})..." --result OK --color GREEN # Display --indent 2 --text "- Checking skel file permissions (${I})" --result OK --color GREEN
# logtext "Result: Directory seems to be ok, no files found with read/write/execute bit set." # logtext "Result: Directory seems to be ok, no files found with read/write/execute bit set."
# logtext "Status: OK" # logtext "Status: OK"
# else # else
# Display --indent 2 --text "- Checking skel file permissions (${I})..." --result WARNING --color RED # Display --indent 2 --text "- Checking skel file permissions (${I})" --result WARNING --color RED
# logtext "Result: The following files do have non restrictive permissions: ${FIND}" # logtext "Result: The following files do have non restrictive permissions: ${FIND}"
# ReportSuggestion ${TEST_NO} "Remove the read, write or execute bit from these files (chmod o-rwx)" # ReportSuggestion ${TEST_NO} "Remove the read, write or execute bit from these files (chmod o-rwx)"
# fi # fi
# else # else
# Display --indent 2 --text "- Checking skel file permissions (${I})..." --result EMPTY --color WHITE # Display --indent 2 --text "- Checking skel file permissions (${I})" --result EMPTY --color WHITE
# logtext "Directory ${I} is empty, no scan performed" # logtext "Directory ${I} is empty, no scan performed"
# fi # fi
# else # else
# Display --indent 2 --text "- Checking skel file permissions (${I})..." --result "NOT FOUND" --color WHITE # Display --indent 2 --text "- Checking skel file permissions (${I})" --result "NOT FOUND" --color WHITE
# logtext "Result: Skel directory (${I}) not found" # logtext "Result: Skel directory (${I}) not found"
# fi # fi
#done #done
@ -311,11 +311,11 @@
# Depending on OS, number of field with 'tmp' differs # Depending on OS, number of field with 'tmp' differs
FIND=`ls -l / | tr -s ' ' | awk -F" " '{ if ( $8 == "tmp" || $9 == "tmp" ) { print $1 } }' | cut -c 10` FIND=`ls -l / | tr -s ' ' | awk -F" " '{ if ( $8 == "tmp" || $9 == "tmp" ) { print $1 } }' | cut -c 10`
if [ "${FIND}" = "t" -o "${FIND}" = "T" ]; then if [ "${FIND}" = "t" -o "${FIND}" = "T" ]; then
Display --indent 2 --text "- Checking /tmp sticky bit..." --result OK --color GREEN Display --indent 2 --text "- Checking /tmp sticky bit" --result OK --color GREEN
logtext "Result: Sticky bit (${FIND}) found on /tmp directory" logtext "Result: Sticky bit (${FIND}) found on /tmp directory"
AddHP 3 3 AddHP 3 3
else else
Display --indent 2 --text "- Checking /tmp sticky bit..." --result WARNING --color RED Display --indent 2 --text "- Checking /tmp sticky bit" --result WARNING --color RED
ReportWarning ${TEST_NO} "H" "No sticky bit found on /tmp directory, which can be dangerous!" ReportWarning ${TEST_NO} "H" "No sticky bit found on /tmp directory, which can be dangerous!"
ReportSuggestion ${TEST_NO} "Consult documentation and place the sticky bit, to prevent users deleting (by other owned) files in the /tmp directory." ReportSuggestion ${TEST_NO} "Consult documentation and place the sticky bit, to prevent users deleting (by other owned) files in the /tmp directory."
AddHP 0 3 AddHP 0 3
@ -371,11 +371,11 @@
logtext "Result: ACL option NOT enabled on root file system" logtext "Result: ACL option NOT enabled on root file system"
logtext "Additional information: if file access need to be more restricted, ACLs could be used. Install the acl utilities and remount the file system with the acl option" logtext "Additional information: if file access need to be more restricted, ACLs could be used. Install the acl utilities and remount the file system with the acl option"
logtext "Activate acl support on and active file system with mount -o remount,acl / and add the acl option to the fstab file" logtext "Activate acl support on and active file system with mount -o remount,acl / and add the acl option to the fstab file"
Display --indent 2 --text "- ACL support root file system..." --result DISABLED --color YELLOW Display --indent 2 --text "- ACL support root file system" --result DISABLED --color YELLOW
AddHP 0 1 AddHP 0 1
else else
logtext "Result: ACL option enabled on root file system" logtext "Result: ACL option enabled on root file system"
Display --indent 2 --text "- ACL support root file system..." --result ENABLED --color GREEN Display --indent 2 --text "- ACL support root file system" --result ENABLED --color GREEN
AddHP 3 3 AddHP 3 3
fi fi
fi fi
@ -396,9 +396,9 @@
if [ ! "${FIND}" = "" ]; then if [ ! "${FIND}" = "" ]; then
logtext "Result: mount system / is configured with options: ${FIND}" logtext "Result: mount system / is configured with options: ${FIND}"
if [ "${FIND}" = "defaults" ]; then if [ "${FIND}" = "defaults" ]; then
Display --indent 2 --text "- Mount options of /..." --result OK --color GREEN Display --indent 2 --text "- Mount options of /" --result OK --color GREEN
else else
Display --indent 2 --text "- Mount options of /..." --result "NON DEFAULT" --color YELLOW Display --indent 2 --text "- Mount options of /" --result "NON DEFAULT" --color YELLOW
fi fi
else else
logtext "Result: no mount point / or expected options found" logtext "Result: no mount point / or expected options found"
@ -424,16 +424,16 @@
logtext "Result: mount system /boot is configured with options: ${FIND}" logtext "Result: mount system /boot is configured with options: ${FIND}"
if [ ${HARDENED} -eq 1 ]; then if [ ${HARDENED} -eq 1 ]; then
logtext "Result: marked /boot options as hardenened" logtext "Result: marked /boot options as hardenened"
Display --indent 2 --text "- Mount options of /boot..." --result HARDENED --color GREEN Display --indent 2 --text "- Mount options of /boot" --result HARDENED --color GREEN
AddHP 5 5 AddHP 5 5
else else
if [ "${FIND}" = "defaults" ]; then if [ "${FIND}" = "defaults" ]; then
logtext "Result: marked /boot options as default (non hardened)" logtext "Result: marked /boot options as default (non hardened)"
Display --indent 2 --text "- Mount options of /boot..." --result DEFAULT --color RED Display --indent 2 --text "- Mount options of /boot" --result DEFAULT --color RED
AddHP 3 5 AddHP 3 5
else else
logtext "Result: marked /boot options as non default (unclear about hardening)" logtext "Result: marked /boot options as non default (unclear about hardening)"
Display --indent 2 --text "- Mount options of /boot..." --result "NON DEFAULT" --color YELLOW Display --indent 2 --text "- Mount options of /boot" --result "NON DEFAULT" --color YELLOW
AddHP 4 5 AddHP 4 5
fi fi
fi fi
@ -527,11 +527,11 @@
fi fi
done done
if [ ${FOUND} -eq 1 ]; then if [ ${FOUND} -eq 1 ]; then
Display --indent 2 --text "- Checking Locate database..." --result FOUND --color GREEN Display --indent 2 --text "- Checking Locate database" --result FOUND --color GREEN
report "locate_db=${LOCATE_DB}" report "locate_db=${LOCATE_DB}"
else else
logtext "Result: database not found" logtext "Result: database not found"
Display --indent 2 --text "- Checking Locate database..." --result "NOT FOUND" --color YELLOW Display --indent 2 --text "- Checking Locate database" --result "NOT FOUND" --color YELLOW
ReportSuggestion ${TEST_NO} "The database required for 'locate' could not be found. Run 'updatedb' or 'locate.updatedb' to create this file." ReportSuggestion ${TEST_NO} "The database required for 'locate' could not be found. Run 'updatedb' or 'locate.updatedb' to create this file."
fi fi
fi fi


@ -25,17 +25,17 @@
# Description : Check for installed compilers # Description : Check for installed compilers
Register --test-no HRDN-7220 --weight L --network NO --description "Check if one or more compilers are installed" Register --test-no HRDN-7220 --weight L --network NO --description "Check if one or more compilers are installed"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Check if one or more compilers can be found on the system" logtext "Test: Check if one or more compilers can be found on the system"
if [ ${COMPILER_INSTALLED} -eq 0 ]; then if [ ${COMPILER_INSTALLED} -eq 0 ]; then
logtext "Result: no compilers found" logtext "Result: no compilers found"
Display --indent 4 --text "- Installed compiler(s)..." --result "NOT FOUND" --color GREEN Display --indent 4 --text "- Installed compiler(s)" --result "NOT FOUND" --color GREEN
AddHP 3 3 AddHP 3 3
else else
logtext "Result: found installed compiler. See top of logfile which compilers have been found or use grep to filter on 'compiler'" logtext "Result: found installed compiler. See top of logfile which compilers have been found or use grep to filter on 'compiler'"
Display --indent 4 --text "- Installed compiler(s)..." --result "FOUND" --color RED Display --indent 4 --text "- Installed compiler(s)" --result "FOUND" --color RED
ReportSuggestion ${TEST_NO} "Harden the system by removing unneeded compilers. This can decrease the chance of customized trojans, backdoors and rootkits to be compiled and installed" ReportSuggestion ${TEST_NO} "Harden the system by removing unneeded compilers. This can decrease the chance of customized trojans, backdoors and rootkits to be compiled and installed"
AddHP 1 3 AddHP 1 3
fi fi
fi fi
# #
################################################################################# #################################################################################
@ -44,56 +44,56 @@
# Description : Check for permissions of installed compilers # Description : Check for permissions of installed compilers
Register --test-no HRDN-7222 --weight L --network NO --description "Check compiler permissions" Register --test-no HRDN-7222 --weight L --network NO --description "Check compiler permissions"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Check if one or more compilers can be found on the system" logtext "Test: Check if one or more compilers can be found on the system"
HARDEN_COMPILERS_NEEDED=0 HARDEN_COMPILERS_NEEDED=0
if [ ${COMPILER_INSTALLED} -eq 0 ]; then if [ ${COMPILER_INSTALLED} -eq 0 ]; then
logtext "Result: no compilers found" logtext "Result: no compilers found"
else else
# as # as
if [ ! "${ASBINARY}" = "" ]; then if [ ! "${ASBINARY}" = "" ]; then
logtext "Test: Check file permissions for as (Assembler)" logtext "Test: Check file permissions for as (Assembler)"
IsWorldExecutable ${ASBINARY} IsWorldExecutable ${ASBINARY}
if [ ${SYMLINK} -eq 0 ]; then if [ ${SYMLINK} -eq 0 ]; then
logtext "Binary: ${ASBINARY} (world executable: ${FileIsWorldExecutable})" logtext "Binary: ${ASBINARY} (world executable: ${FileIsWorldExecutable})"
else else
logtext "Binary: ${GCCBINARY} (symlinked to: ${sFILE}) (world executable: ${FileIsWorldExecutable})" logtext "Binary: ${GCCBINARY} (symlinked to: ${sFILE}) (world executable: ${FileIsWorldExecutable})"
fi fi
if [ ${FileIsWorldExecutable} = "TRUE" ]; then if [ ${FileIsWorldExecutable} = "TRUE" ]; then
AddHP 2 3 AddHP 2 3
HARDEN_COMPILERS_NEEDED=1 HARDEN_COMPILERS_NEEDED=1
else else
AddHP 3 3 AddHP 3 3
fi fi
fi fi
# gcc # gcc
if [ ! "${GCCBINARY}" = "" ]; then if [ ! "${GCCBINARY}" = "" ]; then
logtext "Test: Check file permissions for GCC compiler" logtext "Test: Check file permissions for GCC compiler"
IsWorldExecutable ${GCCBINARY} IsWorldExecutable ${GCCBINARY}
if [ ${SYMLINK} -eq 0 ]; then if [ ${SYMLINK} -eq 0 ]; then
logtext "Binary: ${GCCBINARY} (world executable: ${FileIsWorldExecutable})" logtext "Binary: ${GCCBINARY} (world executable: ${FileIsWorldExecutable})"
else else
logtext "Binary: ${GCCBINARY} (symlinked to: ${sFILE}) (world executable: ${FileIsWorldExecutable})" logtext "Binary: ${GCCBINARY} (symlinked to: ${sFILE}) (world executable: ${FileIsWorldExecutable})"
fi fi
if [ ${FileIsWorldExecutable} = "TRUE" ]; then if [ ${FileIsWorldExecutable} = "TRUE" ]; then
AddHP 2 3 AddHP 2 3
HARDEN_COMPILERS_NEEDED=1 HARDEN_COMPILERS_NEEDED=1
else else
AddHP 3 3 AddHP 3 3
fi fi
fi fi
# Report suggestion is one or more compilers can be better hardened # Report suggestion is one or more compilers can be better hardened
if [ ${HARDEN_COMPILERS_NEEDED} -eq 1 ]; then if [ ${HARDEN_COMPILERS_NEEDED} -eq 1 ]; then
logtext "Result: at least one compiler could be better hardened by restricting executable access to root or group only" logtext "Result: at least one compiler could be better hardened by restricting executable access to root or group only"
ReportSuggestion ${TEST_NO} "Harden compilers and restrict access to world" ReportSuggestion ${TEST_NO} "Harden compilers and restrict access to world"
fi fi
#YYY check if compilers have a specific group (like compiler, or NOT root/wheel) #YYY check if compilers have a specific group (like compiler, or NOT root/wheel)
# Display --indent 4 --text "- Installed compiler(s)..." --result "FOUND" --color RED # Display --indent 4 --text "- Installed compiler(s)" --result "FOUND" --color RED
# /usr/bin/*cc* # /usr/bin/*cc*
# /usr/bin/*++* # /usr/bin/*++*
# /usr/bin/ld # /usr/bin/ld
# (and 700 or 750 permissions) # (and 700 or 750 permissions)
fi fi
fi fi
# #
################################################################################# #################################################################################
@ -102,22 +102,21 @@
# Description : Check for installed malware scanners # Description : Check for installed malware scanners
Register --test-no HRDN-7230 --weight L --network NO --description "Check for malware scanner" Register --test-no HRDN-7230 --weight L --network NO --description "Check for malware scanner"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Check if one or more compilers can be found on the system" logtext "Test: Check if one or more compilers can be found on the system"
if [ ${MALWARE_SCANNER_INSTALLED} -eq 1 ]; then if [ ${MALWARE_SCANNER_INSTALLED} -eq 1 ]; then
logtext "Result: found at least one malware scanner" logtext "Result: found at least one malware scanner"
Display --indent 4 --text "- Installed malware scanner..." --result "FOUND" --color GREEN Display --indent 4 --text "- Installed malware scanner" --result "FOUND" --color GREEN
AddHP 3 3 AddHP 3 3
else else
logtext "Result: no malware scanner found" logtext "Result: no malware scanner found"
Display --indent 4 --text "- Installed malware scanner..." --result "NOT FOUND" --color RED Display --indent 4 --text "- Installed malware scanner" --result "NOT FOUND" --color RED
ReportSuggestion ${TEST_NO} "Harden the system by installing one or malware scanners to perform periodic file system scans" ReportSuggestion ${TEST_NO} "Harden the system by installing one or malware scanners to perform periodic file system scans"
AddHP 1 3 AddHP 1 3
fi fi
fi fi
# #
################################################################################# #################################################################################
# #
# logtext "--------------------------------------------------------------------" # logtext "--------------------------------------------------------------------"
# logtext "| System part | Preferred value | Actual value | Points |" # logtext "| System part | Preferred value | Actual value | Points |"
# logtext "| [!] Compiler installed | 0 | [${COMPILER_INSTALLED}] | x |" # logtext "| [!] Compiler installed | 0 | [${COMPILER_INSTALLED}] | x |"
@ -126,8 +125,6 @@
# logtext "--------------------------------------------------------------------" # logtext "--------------------------------------------------------------------"
# logtext "| [!]: Hardening possible, [V]: Hardening performed, [ ]: Unknown " # logtext "| [!]: Hardening possible, [V]: Hardening performed, [ ]: Unknown "
# logtext "--------------------------------------------------------------------" # logtext "--------------------------------------------------------------------"
# #
################################################################################# #################################################################################
# #
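Review bot: In HRDN-7222 the symlink branch of the `as` check logs `${GCCBINARY}` instead of `${ASBINARY}`, so when the assembler is a symlink the log names the wrong binary; the line should read `logtext "Binary: ${ASBINARY} (symlinked to: ${sFILE}) (world executable: ${FileIsWorldExecutable})"`. HRDN-7230 has a similar copy-paste leftover: it still logs `Test: Check if one or more compilers can be found on the system` although it tests for a malware scanner. Both lines are re-indented by this cleanup, which makes it a natural place to fix them. The comparisons `[ ${FileIsWorldExecutable} = "TRUE" ]` are also unquoted, so if IsWorldExecutable (defined outside this page) ever leaves the variable empty, the test fails with a syntax error instead of evaluating to false; `[ "${FileIsWorldExecutable}" = "TRUE" ]` avoids that.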


@ -25,7 +25,6 @@
# Ignore some top level directories (not the sub directories below) # Ignore some top level directories (not the sub directories below)
IGNORE_HOME_DIRS="/bin /boot /cdrom /dev /etc /home /lib /lib64 /media /mnt IGNORE_HOME_DIRS="/bin /boot /cdrom /dev /etc /home /lib /lib64 /media /mnt
/opt /proc /sbin /selinux /srv /sys /tmp /usr /var" /opt /proc /sbin /selinux /srv /sys /tmp /usr /var"
# #
################################################################################# #################################################################################
# #
@ -34,18 +33,18 @@
# Description : Create list with home directories # Description : Create list with home directories
Register --test-no HOME-9302 --weight L --network NO --description "Create list with home directories" Register --test-no HOME-9302 --weight L --network NO --description "Create list with home directories"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
# Read sixth field of /etc/passwd # Read sixth field of /etc/passwd
logtext "Test: query /etc/passwd to obtain home directories" logtext "Test: query /etc/passwd to obtain home directories"
FIND=`${AWKBINARY} -F: '{ if ($1 !~ "#") print $6 }' /etc/passwd | sort | uniq` FIND=`${AWKBINARY} -F: '{ if ($1 !~ "#") print $6 }' /etc/passwd | sort | uniq`
for I in ${FIND}; do for I in ${FIND}; do
if [ -d ${I} ]; then if [ -d ${I} ]; then
logtext "Result: found home directory: ${I} (directory exists)" logtext "Result: found home directory: ${I} (directory exists)"
report "home_directory[]=${I}" report "home_directory[]=${I}"
else else
logtext "Result: found home directory: ${I} (directory does not exist)" logtext "Result: found home directory: ${I} (directory does not exist)"
fi fi
done done
fi fi
# #
################################################################################# #################################################################################
# #
@ -53,28 +52,28 @@
# Description : Check for suspicious shell history files # Description : Check for suspicious shell history files
Register --test-no HOME-9310 --weight L --network NO --description "Checking for suspicious shell history files" Register --test-no HOME-9310 --weight L --network NO --description "Checking for suspicious shell history files"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
if [ ! "${HOMEDIRS}" = "" ]; then if [ ! "${HOMEDIRS}" = "" ]; then
if [ "${OS}" = "Solaris" ]; then if [ "${OS}" = "Solaris" ]; then
# Solaris doesn't support -maxdepth # Solaris doesn't support -maxdepth
FIND=`find ${HOMEDIRS} -name ".*history" -not -type f -print` FIND=`find ${HOMEDIRS} -name ".*history" -not -type f -print`
else else
FIND=`find ${HOMEDIRS} -maxdepth 1 -name ".*history" -not -type f -print` FIND=`find ${HOMEDIRS} -maxdepth 1 -name ".*history" -not -type f -print`
fi fi
if [ "${FIND}" = "" ]; then if [ "${FIND}" = "" ]; then
Display --indent 2 --text "- Checking shell history files... " --result OK --color GREEN Display --indent 2 --text "- Checking shell history files" --result OK --color GREEN
logtext "Result: Ok, history files are type 'file'." logtext "Result: Ok, history files are type 'file'."
else else
Display --indent 2 --text "- Checking shell history files... " --result WARNING --color RED Display --indent 2 --text "- Checking shell history files" --result WARNING --color RED
logtext "Result: the following files seem to be of the wrong file type:" logtext "Result: the following files seem to be of the wrong file type:"
logtext "Output: ${FIND}" logtext "Output: ${FIND}"
logtext "Info: above files could be redirected files to avoid logging and should be investigated" logtext "Info: above files could be redirected files to avoid logging and should be investigated"
ReportWarning ${TEST_NO} "M" "Incorrect file type found for shell history file" ReportWarning ${TEST_NO} "M" "Incorrect file type found for shell history file"
fi fi
logtext "Remarks: ${HOME_HISTORY_LOG_TEXT}" logtext "Remarks: ${HOME_HISTORY_LOG_TEXT}"
else else
Display --indent 2 --text "- Checking shell history files... " --result SKIPPED --color WHITE Display --indent 2 --text "- Checking shell history files" --result SKIPPED --color WHITE
logtext "Result: Homedirs is empty, test will be skipped" logtext "Result: Homedirs is empty, test will be skipped"
fi fi
fi fi
# #
################################################################################# #################################################################################
@ -103,7 +102,7 @@
fi fi
#YYY #YYY
#echo -n " - Checking PATH variable vulnerabilities... " #echo -n " - Checking PATH variable vulnerabilities"
# #
#FIND=`find ${HOMEDIRS} -name * | grep -r 'PATH=' | egrep '=.:|:.:|:.;' | grep -v 'CDPATH'` #FIND=`find ${HOMEDIRS} -name * | grep -r 'PATH=' | egrep '=.:|:.:|:.;' | grep -v 'CDPATH'`
#if [ "${FIND}" = "" ] #if [ "${FIND}" = "" ]
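Review bot: The Solaris branch of HOME-9310 drops `-maxdepth` for portability but keeps `-not`, which POSIX find does not define (the portable spelling is `!`). If the local find rejects the expression, FIND stays empty and the test displays OK although no history file was examined. I would use `! -type f` in both branches, e.g. `find ${HOMEDIRS} -name ".*history" ! -type f -print` for Solaris. Separately, HOME-9302 iterates `for I in ${FIND}` and tests `[ -d ${I} ]` unquoted, so a home directory field containing whitespace or glob characters is split or expanded before it reaches the report; reading the awk output line by line and quoting `"${I}"` would keep each entry intact.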


@ -32,16 +32,16 @@
Register --test-no INSE-8002 --weight L --network NO --description "Check for enabled inet daemon" Register --test-no INSE-8002 --weight L --network NO --description "Check for enabled inet daemon"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
# Check running processes # Check running processes
logtext "Test: Searching for active inet daemon..." logtext "Test: Searching for active inet daemon"
IsRunning inetd IsRunning inetd
if [ ${RUNNING} -eq 1 ]; then if [ ${RUNNING} -eq 1 ]; then
logtext "Result: inetd is running" logtext "Result: inetd is running"
Display --indent 2 --text "- Checking inetd status..." --result ACTIVE --color GREEN Display --indent 2 --text "- Checking inetd status" --result ACTIVE --color GREEN
#YYY perform manual check #YYY perform manual check
INETD_ACTIVE=1 INETD_ACTIVE=1
else else
logtext "Result: inetd is NOT running" logtext "Result: inetd is NOT running"
Display --indent 2 --text "- Checking inetd status..." --result "NOT ACTIVE" --color GREEN Display --indent 2 --text "- Checking inetd status" --result "NOT ACTIVE" --color GREEN
fi fi
fi fi
# #
@ -53,13 +53,13 @@
Register --test-no INSE-8004 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check for enabled inet daemon" Register --test-no INSE-8004 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check for enabled inet daemon"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
# Check configuration file # Check configuration file
logtext "Test: Searching for file ${INETD_CONFIG_FILE}..." logtext "Test: Searching for file ${INETD_CONFIG_FILE}"
if [ -f ${INETD_CONFIG_FILE} ]; then if [ -f ${INETD_CONFIG_FILE} ]; then
logtext "Result: ${INETD_CONFIG_FILE} exists" logtext "Result: ${INETD_CONFIG_FILE} exists"
Display --indent 4 --text "- Checking inetd.conf..." --result FOUND --color WHITE Display --indent 4 --text "- Checking inetd.conf" --result FOUND --color WHITE
else else
logtext "Result: ${INETD_CONFIG_FILE} does not exist" logtext "Result: ${INETD_CONFIG_FILE} does not exist"
Display --indent 4 --text "- Checking inetd.conf..." --result "NOT FOUND" --color WHITE Display --indent 4 --text "- Checking inetd.conf" --result "NOT FOUND" --color WHITE
fi fi
# YYY immutable bit could be set # YYY immutable bit could be set
# YYY permission check (already set in profile) # YYY permission check (already set in profile)
@ -76,9 +76,9 @@
logtext "Test: check if all services are disabled if inetd is disabled" logtext "Test: check if all services are disabled if inetd is disabled"
FIND=`cat ${INETD_CONFIG_FILE} | grep -v "^#" | grep -v "^$"` FIND=`cat ${INETD_CONFIG_FILE} | grep -v "^#" | grep -v "^$"`
if [ "${FIND}" = "" ]; then if [ "${FIND}" = "" ]; then
Display --indent 4 --text "- Checking inetd.conf services..." --result OK --color GREEN Display --indent 4 --text "- Checking inetd.conf services" --result OK --color GREEN
else else
Display --indent 4 --text "- Checking inetd.conf services..." --result SUGGESTION --color YELLOW Display --indent 4 --text "- Checking inetd.conf services" --result SUGGESTION --color YELLOW
ReportSuggestion ${TEST_NO} "Although inetd is not running, make sure no services are enabled in ${INETD_CONFIG_FILE}" ReportSuggestion ${TEST_NO} "Although inetd is not running, make sure no services are enabled in ${INETD_CONFIG_FILE}"
fi fi
fi fi
@ -94,11 +94,11 @@
FIND=`grep "^telnet" ${INETD_CONFIG_FILE}` FIND=`grep "^telnet" ${INETD_CONFIG_FILE}`
if [ "${FIND}" = "" ]; then if [ "${FIND}" = "" ]; then
logtext "Result: telnet not enabled in ${INETD_CONFIG_FILE}" logtext "Result: telnet not enabled in ${INETD_CONFIG_FILE}"
Display --indent 2 --text "- Checking inetd (telnet)..." --result "NOT FOUND" --color GREEN Display --indent 2 --text "- Checking inetd (telnet)" --result "NOT FOUND" --color GREEN
AddHP 3 3 AddHP 3 3
else else
logtext "Result: telnet enabled in ${INETD_CONFIG_FILE}" logtext "Result: telnet enabled in ${INETD_CONFIG_FILE}"
Display --indent 2 --text "- Checking inetd (telnet)..." --result WARNING --color RED Display --indent 2 --text "- Checking inetd (telnet)" --result WARNING --color RED
ReportSuggestion "${TEST_NO}" "Disable telnet in inetd configuration and use SSH instead" ReportSuggestion "${TEST_NO}" "Disable telnet in inetd configuration and use SSH instead"
AddHP 1 3 AddHP 1 3
fi fi
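Review bot: The services check in the hunk at line 76 filters with `grep -v "^#" | grep -v "^$"`, so a whitespace-only line or an indented comment in inetd.conf counts as an enabled service and produces a SUGGESTION on an otherwise clean file. Filtering with `grep -v '^[[:space:]]*#' | grep -v '^[[:space:]]*$'` would remove those cases; the enclosing test starts outside the hunk, so the test number is not visible here. In the same section INSE-8004 is registered with the description `Check for enabled inet daemon`, identical to INSE-8002, although it only checks that `${INETD_CONFIG_FILE}` exists. A description such as `Check for inetd configuration file` would make the two tests distinguishable in the log and report.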


@ -45,11 +45,11 @@
FIND2=`echo ${FIND} | egrep "runlevel5|graphical"` FIND2=`echo ${FIND} | egrep "runlevel5|graphical"`
if [ ! "${FIND2}" = "" ]; then if [ ! "${FIND2}" = "" ]; then
logtext "Result: Found match on runlevel5/graphical" logtext "Result: Found match on runlevel5/graphical"
Display --indent 2 --text "- Checking default runlevel..." --result "runlevel 5" --color GREEN Display --indent 2 --text "- Checking default runlevel" --result "runlevel 5" --color GREEN
report "linux_default_runlevel=5" report "linux_default_runlevel=5"
else else
logtext "Result: No match found on runlevel, defaulting to runlevel 3" logtext "Result: No match found on runlevel, defaulting to runlevel 3"
Display --indent 2 --text "- Checking default runlevel..." --result "runlevel 3" --color GREEN Display --indent 2 --text "- Checking default runlevel" --result "runlevel 3" --color GREEN
report "linux_default_runlevel=3" report "linux_default_runlevel=3"
fi fi
fi fi
@ -62,13 +62,13 @@
logtext "Test: Checking /etc/inittab" logtext "Test: Checking /etc/inittab"
if [ -f /etc/inittab ]; then if [ -f /etc/inittab ]; then
logtext "Result: file /etc/inittab found" logtext "Result: file /etc/inittab found"
logtext "Test: Checking default Linux run level..." logtext "Test: Checking default Linux run level"
FIND=`awk -F: '/^id/ { print $2; }' /etc/inittab | head -n 1` FIND=`awk -F: '/^id/ { print $2; }' /etc/inittab | head -n 1`
if [ "${FIND}" = "" ]; then if [ "${FIND}" = "" ]; then
Display --indent 2 --text "- Checking default runlevel" --result UNKNOWN --color YELLOW Display --indent 2 --text "- Checking default runlevel" --result UNKNOWN --color YELLOW
logtext "Result: Can't determine default run level from /etc/inittab" logtext "Result: Can't determine default run level from /etc/inittab"
else else
Display --indent 2 --text "- Checking default run level..." --result "${FIND}" --color GREEN Display --indent 2 --text "- Checking default run level" --result "${FIND}" --color GREEN
logtext "Found default run level '${FIND}'" logtext "Found default run level '${FIND}'"
report "linux_default_runlevel=${FIND}" report "linux_default_runlevel=${FIND}"
fi fi
@ -79,16 +79,16 @@
FIND=`who -r | awk '{ if ($1=="run-level") { print $2 } }'` FIND=`who -r | awk '{ if ($1=="run-level") { print $2 } }'`
if [ ! "${FIND}" = "" ]; then if [ ! "${FIND}" = "" ]; then
logtext "Result: Found default run level '${FIND}'" logtext "Result: Found default run level '${FIND}'"
report "linux_default_runlevel=${FIND}" report "linux_default_runlevel=${FIND}"
Display --indent 2 --text "- Checking default run level..." --result "RUNLEVEL ${FIND}" --color GREEN Display --indent 2 --text "- Checking default run level" --result "RUNLEVEL ${FIND}" --color GREEN
else else
logtext "Result: Can't determine default run level from who -r" logtext "Result: Can't determine default run level from who -r"
Display --indent 2 --text "- Checking default run level..." --result UNKNOWN --color YELLOW Display --indent 2 --text "- Checking default run level" --result UNKNOWN --color YELLOW
fi fi
fi fi
fi fi
fi fi
fi fi
# #
################################################################################# #################################################################################
# #
@ -99,10 +99,10 @@
Register --test-no KRNL-5677 --os Linux --weight L --network NO --description "Check CPU options and support" Register --test-no KRNL-5677 --os Linux --weight L --network NO --description "Check CPU options and support"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
Display --indent 2 --text "- Checking CPU support (NX/PAE)" Display --indent 2 --text "- Checking CPU support (NX/PAE)"
logtext "Test: Checking /proc/cpuinfo..." logtext "Test: Checking /proc/cpuinfo"
if [ -f /proc/cpuinfo ]; then if [ -f /proc/cpuinfo ]; then
logtext "Result: found /proc/cpuinfo" logtext "Result: found /proc/cpuinfo"
logtext "Test: Checking CPU options (XD/NX/PAE)..." logtext "Test: Checking CPU options (XD/NX/PAE)"
FIND_PAE_NX=`cat /proc/cpuinfo | grep " pae " | grep " nx "` FIND_PAE_NX=`cat /proc/cpuinfo | grep " pae " | grep " nx "`
FIND_PAE=`cat /proc/cpuinfo | grep " pae "` FIND_PAE=`cat /proc/cpuinfo | grep " pae "`
FIND_NX=`cat /proc/cpuinfo | grep " nx "` FIND_NX=`cat /proc/cpuinfo | grep " nx "`
@ -271,7 +271,7 @@
# Description : Checking FreeBSD loaded kernel modules # Description : Checking FreeBSD loaded kernel modules
Register --test-no KRNL-5745 --os FreeBSD --weight L --network NO --description "Checking FreeBSD loaded kernel modules" Register --test-no KRNL-5745 --os FreeBSD --weight L --network NO --description "Checking FreeBSD loaded kernel modules"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
Display --indent 2 --text "- Checking active kernel modules..." Display --indent 2 --text "- Checking active kernel modules"
logtext "Test: ${KERNEL_ACTIVE_MODULES_TITLE}" logtext "Test: ${KERNEL_ACTIVE_MODULES_TITLE}"
logtext "Description: ${KERNEL_ACTIVE_MODULES_DESCRIPTION}" logtext "Description: ${KERNEL_ACTIVE_MODULES_DESCRIPTION}"
logtext "Action: Checking modules" logtext "Action: Checking modules"
@ -339,17 +339,17 @@
logtext "Kernel installed: ${FINDINST}" logtext "Kernel installed: ${FINDINST}"
logtext "Kernel candidate: ${FINDCAND}" logtext "Kernel candidate: ${FINDCAND}"
if [ "${FINDINST}" = "" ]; then if [ "${FINDINST}" = "" ]; then
Display --indent 2 --text "- Checking for available kernel update... " --result UNKNOWN --color YELLOW Display --indent 2 --text "- Checking for available kernel update" --result UNKNOWN --color YELLOW
logtext "Result: Exception occured, no output from apt-cache policy" logtext "Result: Exception occured, no output from apt-cache policy"
ReportException "${TEST_NO}:01" ReportException "${TEST_NO}:01"
logtext "Exception: apt-cache policy did not return an installed kernel version" logtext "Exception: apt-cache policy did not return an installed kernel version"
ReportSuggestion ${TEST_NO} "Check the output of apt-cache policy manually to determine why output is empty" ReportSuggestion ${TEST_NO} "Check the output of apt-cache policy manually to determine why output is empty"
else else
if [ "${FINDINST}" = "${FINDCAND}" ]; then if [ "${FINDINST}" = "${FINDCAND}" ]; then
Display --indent 2 --text "- Checking for available kernel update... " --result OK --color GREEN Display --indent 2 --text "- Checking for available kernel update" --result OK --color GREEN
logtext "Result: no kernel update available" logtext "Result: no kernel update available"
else else
Display --indent 2 --text "- Checking for available kernel update... " --result "UPDATE AVAILABLE" --color YELLOW Display --indent 2 --text "- Checking for available kernel update" --result "UPDATE AVAILABLE" --color YELLOW
logtext "Result: kernel update available according 'apt-cache policy'." logtext "Result: kernel update available according 'apt-cache policy'."
ReportSuggestion ${TEST_NO} "Determine priority for available kernel update" ReportSuggestion ${TEST_NO} "Determine priority for available kernel update"
fi fi
@ -373,12 +373,12 @@
FIND2=`cat /etc/security/limits.conf | grep -v "^#" | grep -v "^$" | awk '{ if ($1=="*" && $2=="hard" && $3=="core") { print "hard core enabled" } }'` FIND2=`cat /etc/security/limits.conf | grep -v "^#" | grep -v "^$" | awk '{ if ($1=="*" && $2=="hard" && $3=="core") { print "hard core enabled" } }'`
if [ "${FIND1}" = "soft core enabled" -o "${FIND2}" = "hard core enabled" ]; then if [ "${FIND1}" = "soft core enabled" -o "${FIND2}" = "hard core enabled" ]; then
logtext "Result: core dumps (soft or hard) are enabled" logtext "Result: core dumps (soft or hard) are enabled"
Display --indent 2 --text "- Checking core dumps configuration... " --result ENABLED --color YELLOW Display --indent 2 --text "- Checking core dumps configuration" --result ENABLED --color YELLOW
#YYY suggestion #YYY suggestion
AddHP 1 2 AddHP 1 2
else else
logtext "Result: core dumps (soft and hard) are both disabled" logtext "Result: core dumps (soft and hard) are both disabled"
Display --indent 2 --text "- Checking core dumps configuration... " --result DISABLED --color GREEN Display --indent 2 --text "- Checking core dumps configuration" --result DISABLED --color GREEN
CORE_DUMPS_DISABLED=1 CORE_DUMPS_DISABLED=1
AddHP 3 3 AddHP 3 3
fi fi
@ -393,22 +393,22 @@
fi fi
if [ "${FIND}" = "2" ]; then if [ "${FIND}" = "2" ]; then
logtext "Result: programs can dump core dump, but only readable by root (value 2, for debugging with file protection)" logtext "Result: programs can dump core dump, but only readable by root (value 2, for debugging with file protection)"
Display --indent 4 --text "- Checking setuid core dumps configuration... " --result PROTECTED --color GREEN Display --indent 4 --text "- Checking setuid core dumps configuration" --result PROTECTED --color GREEN
AddHP 1 1 AddHP 1 1
elif [ "${FIND}" = "1" ]; then elif [ "${FIND}" = "1" ]; then
logtext "Result: all programs can perform core dumps (value 1, for debugging)" logtext "Result: all programs can perform core dumps (value 1, for debugging)"
Display --indent 2 --text "- Checking setuid core dumps configuration... " --result DEBUG --color YELLOW Display --indent 2 --text "- Checking setuid core dumps configuration" --result DEBUG --color YELLOW
ReportSuggestion ${TEST_NO} "Determine if really all binaries need to be able to core dump" ReportSuggestion ${TEST_NO} "Determine if really all binaries need to be able to core dump"
AddHP 0 1 AddHP 0 1
else else
logtext "Result: found default option, some programs can dump (not processes which need to change credentials)" logtext "Result: found default option, some programs can dump (not processes which need to change credentials)"
Display --indent 4 --text "- Checking setuid core dumps configuration... " --result DEFAULT --color YELLOW Display --indent 4 --text "- Checking setuid core dumps configuration" --result DEFAULT --color YELLOW
AddHP 1 1 AddHP 1 1
fi fi
# Check ulimit settings and harden it # Check ulimit settings and harden it
# echo 'ulimit -S -c 0 > /dev/null 2>&1' >> /etc/profile # echo 'ulimit -S -c 0 > /dev/null 2>&1' >> /etc/profile
else else
logtext "Result: file /etc/security/limits.conf does not exist, skipping test" logtext "Result: file /etc/security/limits.conf does not exist, skipping test"
fi fi
fi fi
# #


@ -29,7 +29,7 @@
Register --test-no KRNL-6000 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check sysctl key pairs in scan profile" Register --test-no KRNL-6000 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check sysctl key pairs in scan profile"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
N=0 N=0
Display --indent 2 --text "- Comparing sysctl key pairs with scan profile..." Display --indent 2 --text "- Comparing sysctl key pairs with scan profile"
FIND=`grep "^sysctl:" ${PROFILE} | sed 's/ /:space:/g'` FIND=`grep "^sysctl:" ${PROFILE} | sed 's/ /:space:/g'`
for I in ${FIND}; do for I in ${FIND}; do
tFINDkey=`echo ${I} | awk -F: '{ print $2 }'` tFINDkey=`echo ${I} | awk -F: '{ print $2 }'`


@ -33,16 +33,16 @@
Register --test-no LDAP-2219 --weight L --network NO --description "Check running OpenLDAP instance" Register --test-no LDAP-2219 --weight L --network NO --description "Check running OpenLDAP instance"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
#YYY add additional slash #YYY add additional slash
FIND=`${PSBINARY} ax | grep "slapd" | grep -v "grep"` IsRunning slapd
if [ "${FIND}" = "" ]; then if [ ${RUNNING} -eq 0 ]; then
Display --indent 2 --text "- Checking OpenLDAP instance..." --result "NOT FOUND" --color WHITE Display --indent 2 --text "- Checking OpenLDAP instance" --result "NOT FOUND" --color WHITE
logtext "Result: No running slapd process found." logtext "Result: No running slapd process found."
else else
Display --indent 2 --text "- Checking OpenLDAP instance..." --result FOUND --color GREEN Display --indent 2 --text "- Checking OpenLDAP instance" --result FOUND --color GREEN
logtext "Result: Found running slapd process" logtext "Result: Found running slapd process"
SLAPDFOUND=1 SLAPDFOUND=1
SLAPD_RUNNING=1 SLAPD_RUNNING=1
fi fi
fi fi
# #
################################################################################# #################################################################################
@ -52,21 +52,21 @@
if [ ${SLAPD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if [ ${SLAPD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no LDAP-2224 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check presence slapd.conf" Register --test-no LDAP-2224 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check presence slapd.conf"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Searching slapd.conf" logtext "Test: Searching slapd.conf"
for I in ${SLAPD_CONF_LOCS}; do for I in ${SLAPD_CONF_LOCS}; do
if [ -f ${I}/slapd.conf ]; then if [ -f ${I}/slapd.conf ]; then
logtext "Result: found ${I}/slapd.conf" logtext "Result: found ${I}/slapd.conf"
SLAPD_CONF_LOCATION="${I}/slapd.conf" SLAPD_CONF_LOCATION="${I}/slapd.conf"
else else
logtext "Result: ${I} does not contain slapd.conf" logtext "Result: ${I} does not contain slapd.conf"
fi fi
done done
# Check if we found a valid location # Check if we found a valid location
if [ ! "${SLAPD_CONF_LOCATION}" = "" ]; then if [ ! "${SLAPD_CONF_LOCATION}" = "" ]; then
Display --indent 4 --text "- Checking slapd.conf..." --result FOUND --color GREEN Display --indent 4 --text "- Checking slapd.conf" --result FOUND --color GREEN
else else
Display --indent 4 --text "- Checking slapd.conf..." --result "NOT FOUND" --color YELLOW Display --indent 4 --text "- Checking slapd.conf" --result "NOT FOUND" --color YELLOW
fi fi
fi fi
# #
################################################################################# #################################################################################
@ -97,7 +97,6 @@
################################################################################# #################################################################################
# #
wait_for_keypress wait_for_keypress
# #
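Review bot: In the LDAP-2219 block the new test `if [ ${RUNNING} -eq 0 ]` expands RUNNING unquoted and relies on IsRunning always setting it. IsRunning is defined outside this page, so this is inferred: if it ever leaves RUNNING empty or unset, `[` fails with a syntax error, the else branch runs, and the scan reports slapd as FOUND and sets SLAPD_RUNNING=1, which also enables LDAP-2224. Quoting with a default keeps a helper failure on the "not found" side: `if [ "${RUNNING:-0}" -eq 0 ]; then`. The helper may also match process names differently from the old substring grep, so a one-line comment stating what IsRunning matches would help; the `#YYY add additional slash` remark above it appears to refer to the removed grep and could be dropped or reworded.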


@ -41,21 +41,21 @@
# Notes : Log which syslog daemon is found YYY # Notes : Log which syslog daemon is found YYY
Register --test-no LOGG-2130 --weight L --network NO --description "Check for running syslog daemon" Register --test-no LOGG-2130 --weight L --network NO --description "Check for running syslog daemon"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Searching for a logging daemon... " logtext "Test: Searching for a logging daemon"
FIND=`${PSBINARY} ax | egrep "syslogd|syslog-ng|metalog|systemd-journal" | grep -v "grep"` FIND=`${PSBINARY} ax | egrep "syslogd|syslog-ng|metalog|systemd-journal" | grep -v "grep"`
if [ "${FIND}" = "" ]; then if [ "${FIND}" = "" ]; then
Display --indent 2 --text "- Checking for a running log daemon..." --result WARNING --color RED Display --indent 2 --text "- Checking for a running log daemon" --result WARNING --color RED
logtext "Result: Could not find a syslog daemon like syslog, syslog-ng, rsyslog, metalog, systemd-journal" logtext "Result: Could not find a syslog daemon like syslog, syslog-ng, rsyslog, metalog, systemd-journal"
ReportSuggestion ${TEST_NO} "Check if any syslog daemon is running and correctly configured." ReportSuggestion ${TEST_NO} "Check if any syslog daemon is running and correctly configured."
ReportWarning ${TEST_NO} "H" "No syslog daemon found" ReportWarning ${TEST_NO} "H" "No syslog daemon found"
AddHP 0 3 AddHP 0 3
else else
Display --indent 2 --text "- Checking for a running log daemon..." --result OK --color GREEN Display --indent 2 --text "- Checking for a running log daemon" --result OK --color GREEN
logtext "Result: Found a logging daemon" logtext "Result: Found a logging daemon"
SYSLOG_DAEMON_PRESENT=1 SYSLOG_DAEMON_PRESENT=1
SYSLOG_DAEMON_RUNNING=1 SYSLOG_DAEMON_RUNNING=1
AddHP 3 3 AddHP 3 3
fi fi
fi fi
# #
################################################################################# #################################################################################
@ -64,18 +64,18 @@
# Description : Check for a running syslog-ng daemon # Description : Check for a running syslog-ng daemon
Register --test-no LOGG-2132 --weight L --network NO --description "Check for running syslog-ng daemon" Register --test-no LOGG-2132 --weight L --network NO --description "Check for running syslog-ng daemon"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Searching for syslog-ng daemon in process list... " logtext "Test: Searching for syslog-ng daemon in process list"
FIND=`${PSBINARY} ax | grep "/syslog-ng" | grep -v "grep"` FIND=`${PSBINARY} ax | grep "/syslog-ng" | grep -v "grep"`
if [ ! "${FIND}" = "" ]; then if [ ! "${FIND}" = "" ]; then
logtext "Result: Found syslog-ng in process list" logtext "Result: Found syslog-ng in process list"
Display --indent 4 --text "- Checking Syslog-NG status" --result FOUND --color GREEN Display --indent 4 --text "- Checking Syslog-NG status" --result FOUND --color GREEN
SYSLOG_DAEMON_PRESENT=1 SYSLOG_DAEMON_PRESENT=1
SYSLOG_NG_RUNNING=1 SYSLOG_NG_RUNNING=1
else else
logtext "Result: Syslog-ng NOT found in process list" logtext "Result: Syslog-ng NOT found in process list"
Display --indent 4 --text "- Checking Syslog-NG status" --result "NOT FOUND" --color WHITE Display --indent 4 --text "- Checking Syslog-NG status" --result "NOT FOUND" --color WHITE
fi fi
fi fi
# #
################################################################################# #################################################################################
# #
@ -84,16 +84,16 @@
if [ ! "${SYSLOGNGBINARY}" = "" -a ${SYSLOG_NG_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if [ ! "${SYSLOGNGBINARY}" = "" -a ${SYSLOG_NG_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no LOGG-2134 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking Syslog-NG configuration file consistency" Register --test-no LOGG-2134 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking Syslog-NG configuration file consistency"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
FIND=`${SYSLOGNGBINARY} -s; echo $?` FIND=`${SYSLOGNGBINARY} -s; echo $?`
if [ "${FIND}" = "0" ]; then if [ "${FIND}" = "0" ]; then
logtext "Result: Syslog-NG configuration file seems to be consistent" logtext "Result: Syslog-NG configuration file seems to be consistent"
Display --indent 6 --text "- Checking Syslog-NG consistency" --result OK --color GREEN Display --indent 6 --text "- Checking Syslog-NG consistency" --result OK --color GREEN
else else
logtext "Result: Syslog-NG configuration file seems NOT to be consistent" logtext "Result: Syslog-NG configuration file seems NOT to be consistent"
Display --indent 6 --text "- Checking Syslog-NG consistency" --result WARNING --color RED Display --indent 6 --text "- Checking Syslog-NG consistency" --result WARNING --color RED
ReportWarning ${TEST_NO} "L" "Found one or more problems in Syslog-NG configuration file" ReportWarning ${TEST_NO} "L" "Found one or more problems in Syslog-NG configuration file"
ReportSuggestion ${TEST_NO} "Check the Syslog-NG configuration file and/or run a manual consistency check with: syslog-ng -s" ReportSuggestion ${TEST_NO} "Check the Syslog-NG configuration file and/or run a manual consistency check with: syslog-ng -s"
fi fi
fi fi
# #
################################################################################# #################################################################################
@ -102,17 +102,17 @@
# Description : Check for a running metalog daemon # Description : Check for a running metalog daemon
Register --test-no LOGG-2210 --weight L --network NO --description "Check for running metalog daemon" Register --test-no LOGG-2210 --weight L --network NO --description "Check for running metalog daemon"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Searching for metalog daemon in process list... " logtext "Test: Searching for metalog daemon in process list"
FIND=`${PSBINARY} ax | grep "metalog" | grep -v "grep"` FIND=`${PSBINARY} ax | grep "metalog" | grep -v "grep"`
if [ ! "${FIND}" = "" ]; then if [ ! "${FIND}" = "" ]; then
logtext "Result: Found metalog in process list" logtext "Result: Found metalog in process list"
Display --indent 4 --text "- Checking Metalog status" --result FOUND --color GREEN Display --indent 4 --text "- Checking Metalog status" --result FOUND --color GREEN
SYSLOG_DAEMON_PRESENT=1 SYSLOG_DAEMON_PRESENT=1
METALOG_RUNNING=1 METALOG_RUNNING=1
else else
logtext "Result: metalog NOT found in process list" logtext "Result: metalog NOT found in process list"
Display --indent 4 --text "- Checking Metalog status" --result "NOT FOUND" --color WHITE Display --indent 4 --text "- Checking Metalog status" --result "NOT FOUND" --color WHITE
fi fi
fi fi
# #
################################################################################# #################################################################################
@ -121,17 +121,17 @@
# Description : Check for a running rsyslog daemon # Description : Check for a running rsyslog daemon
Register --test-no LOGG-2230 --weight L --network NO --description "Check for running RSyslog daemon" Register --test-no LOGG-2230 --weight L --network NO --description "Check for running RSyslog daemon"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Searching for RSyslog daemon in process list... " logtext "Test: Searching for RSyslog daemon in process list"
FIND=`${PSBINARY} ax | grep "rsyslogd" | grep -v "grep"` FIND=`${PSBINARY} ax | grep "rsyslogd" | grep -v "grep"`
if [ ! "${FIND}" = "" ]; then if [ ! "${FIND}" = "" ]; then
logtext "Result: Found rsyslogd in process list" logtext "Result: Found rsyslogd in process list"
Display --indent 4 --text "- Checking RSyslog status" --result FOUND --color GREEN Display --indent 4 --text "- Checking RSyslog status" --result FOUND --color GREEN
SYSLOG_DAEMON_PRESENT=1 SYSLOG_DAEMON_PRESENT=1
RSYSLOG_RUNNING=1 RSYSLOG_RUNNING=1
else else
logtext "Result: rsyslogd NOT found in process list" logtext "Result: rsyslogd NOT found in process list"
Display --indent 4 --text "- Checking RSyslog status" --result "NOT FOUND" --color WHITE Display --indent 4 --text "- Checking RSyslog status" --result "NOT FOUND" --color WHITE
fi fi
fi fi
# #
################################################################################# #################################################################################
@ -140,17 +140,17 @@
# Description : Check for a running RFC 3195 compliant daemon (syslog via TCP) # Description : Check for a running RFC 3195 compliant daemon (syslog via TCP)
Register --test-no LOGG-2240 --weight L --network NO --description "Check for running RFC 3195 compliant daemon" Register --test-no LOGG-2240 --weight L --network NO --description "Check for running RFC 3195 compliant daemon"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Searching for RFC 3195 daemon (alias syslog reliable) in process list... " logtext "Test: Searching for RFC 3195 daemon (alias syslog reliable) in process list"
FIND=`${PSBINARY} ax | grep "rfc3195d" | grep -v "grep"` FIND=`${PSBINARY} ax | grep "rfc3195d" | grep -v "grep"`
if [ ! "${FIND}" = "" ]; then if [ ! "${FIND}" = "" ]; then
logtext "Result: Found rfc3195d in process list" logtext "Result: Found rfc3195d in process list"
Display --indent 4 --text "- Checking RFC 3195 daemon status" --result FOUND --color GREEN Display --indent 4 --text "- Checking RFC 3195 daemon status" --result FOUND --color GREEN
SYSLOG_DAEMON_PRESENT=1 SYSLOG_DAEMON_PRESENT=1
RFC3195D_RUNNING=1 RFC3195D_RUNNING=1
else else
logtext "Result: rfc3195d NOT found in process list" logtext "Result: rfc3195d NOT found in process list"
Display --indent 4 --text "- Checking RFC 3195 daemon status" --result "NOT FOUND" --color WHITE Display --indent 4 --text "- Checking RFC 3195 daemon status" --result "NOT FOUND" --color WHITE
fi fi
fi fi
# #
################################################################################# #################################################################################
@ -163,22 +163,22 @@
# This test should be below all other logging daemons # This test should be below all other logging daemons
Register --test-no LOGG-2138 --os Linux --weight L --network NO --description "Checking kernel logger daemon on Linux" Register --test-no LOGG-2138 --os Linux --weight L --network NO --description "Checking kernel logger daemon on Linux"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Searching kernel logger daemon (klogd)" logtext "Test: Searching kernel logger daemon (klogd)"
if [ ${RSYSLOG_RUNNING} -eq 0 ]; then if [ ${RSYSLOG_RUNNING} -eq 0 ]; then
# Search for klogd, but ignore other lines related to klogd (like dd with input/output file) # Search for klogd, but ignore other lines related to klogd (like dd with input/output file)
FIND=`${PSBINARY} ax | grep "klogd" | grep -v "dd" | grep -v "grep"` FIND=`${PSBINARY} ax | grep "klogd" | grep -v "dd" | grep -v "grep"`
if [ ! "${FIND}" = "" ]; then if [ ! "${FIND}" = "" ]; then
logtext "Result: klogd running" logtext "Result: klogd running"
Display --indent 4 --text "- Checking klogd" --result FOUND --color GREEN Display --indent 4 --text "- Checking klogd" --result FOUND --color GREEN
else else
logtext "Result: No klogd found" logtext "Result: No klogd found"
Display --indent 4 --text "- Checking klogd" --result "NOT FOUND" --color RED Display --indent 4 --text "- Checking klogd" --result "NOT FOUND" --color RED
ReportWarning ${TEST_NO} "L" "klogd is not running, which could lead to missing kernel messages in log files" ReportWarning ${TEST_NO} "L" "klogd is not running, which could lead to missing kernel messages in log files"
ReportSuggestion ${TEST_NO} "Check why klogd is not running" ReportSuggestion ${TEST_NO} "Check why klogd is not running"
fi fi
else else
logtext "Result: test skipped, because rsyslogd is being used" logtext "Result: test skipped, because rsyslogd is being used"
fi fi
fi fi
# #
################################################################################# #################################################################################
@ -187,19 +187,18 @@
# Description : Check for minilogd presence on Linux systems # Description : Check for minilogd presence on Linux systems
Register --test-no LOGG-2142 --os Linux --weight L --network NO --description "Checking minilog daemon" Register --test-no LOGG-2142 --os Linux --weight L --network NO --description "Checking minilog daemon"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
logtext "Result: Checking for unkilled minilogd instances.." logtext "Result: Checking for unkilled minilogd instances"
# Search for minilogd. It shouldn't be running normally, if another syslog daemon is started # Search for minilogd. It shouldn't be running normally, if another syslog daemon is started
FIND=`${PSBINARY} ax | grep "minilogd" | grep -v "grep"` FIND=`${PSBINARY} ax | grep "minilogd" | grep -v "grep"`
if [ "${FIND}" = "" ]; then if [ "${FIND}" = "" ]; then
Display --indent 4 --text "- Checking minilogd instances" --result "NOT FOUND" --color WHITE Display --indent 4 --text "- Checking minilogd instances" --result "NOT FOUND" --color WHITE
logtext "Result: No minilogd is running.." logtext "Result: No minilogd is running"
else else
Display --indent 4 --text "- Checking minilogd instances" --result WARNING --color RED Display --indent 4 --text "- Checking minilogd instances" --result WARNING --color RED
logtext "Result: minilogd found in process list" logtext "Result: minilogd found in process list"
# minilogd daemon seems to be running.. # minilogd daemon seems to be running
ReportWarning ${TEST_NO} "L" "minilogd is running, which should normally not be running" ReportWarning ${TEST_NO} "L" "minilogd is running, which should normally not be running"
ReportSuggestion ${TEST_NO} "Check minilogd is active and if other syslog daemons are started up properly" fi
fi
fi fi
# #
################################################################################# #################################################################################
@ -242,17 +241,17 @@
if [ ! "${LOGROTATEBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if [ ! "${LOGROTATEBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no LOGG-2148 --weight L --preqs-met ${PREQS_MET} --network NO --description "Checking logrotated files" Register --test-no LOGG-2148 --weight L --preqs-met ${PREQS_MET} --network NO --description "Checking logrotated files"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Checking which files are rotated with logrotate and if they exist" logtext "Test: Checking which files are rotated with logrotate and if they exist"
FIND=`${LOGROTATEBINARY} -d -v /etc/logrotate.conf 2>&1 | egrep "considering log|skipping" | grep -v '*' | sort | uniq | awk '{ if ($2!="log") { print "File:"$2":does_not_exist" } else { print "File:"$3":exists" } }'` FIND=`${LOGROTATEBINARY} -d -v /etc/logrotate.conf 2>&1 | egrep "considering log|skipping" | grep -v '*' | sort | uniq | awk '{ if ($2!="log") { print "File:"$2":does_not_exist" } else { print "File:"$3":exists" } }'`
if [ "${FIND}" = "" ]; then if [ "${FIND}" = "" ]; then
logtext "Result: nothing found" logtext "Result: nothing found"
else else
logtext "Result: found one or more files which are rotated via logrotate" logtext "Result: found one or more files which are rotated via logrotate"
for I in ${FIND}; do for I in ${FIND}; do
logtext "Output: ${I}" logtext "Output: ${I}"
done done
fi fi
fi fi
# #
################################################################################# #################################################################################
# #
@ -261,23 +260,23 @@
if [ ! "${LOGROTATEBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if [ ! "${LOGROTATEBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no LOGG-2150 --weight L --preqs-met ${PREQS_MET} --network NO --description "Checking directories in logrotate configuration" Register --test-no LOGG-2150 --weight L --preqs-met ${PREQS_MET} --network NO --description "Checking directories in logrotate configuration"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Checking which directories can be found in logrotate configuration" logtext "Test: Checking which directories can be found in logrotate configuration"
FIND=`${LOGROTATEBINARY} -d -v /etc/logrotate.conf 2>&1 | egrep "considering log|skipping" | grep -v '*' | sort | uniq | awk '{ if ($2=="log") { print $3 } }' | sed 's/\/*[a-zA-Z_.-]*$//g' | sort | uniq` FIND=`${LOGROTATEBINARY} -d -v /etc/logrotate.conf 2>&1 | egrep "considering log|skipping" | grep -v '*' | sort | uniq | awk '{ if ($2=="log") { print $3 } }' | sed 's/\/*[a-zA-Z_.-]*$//g' | sort | uniq`
if [ "${FIND}" = "" ]; then if [ "${FIND}" = "" ]; then
logtext "Result: nothing found" logtext "Result: nothing found"
else else
logtext "Result: found one or more directories (via logrotate configuration)" logtext "Result: found one or more directories (via logrotate configuration)"
for I in ${FIND}; do for I in ${FIND}; do
if [ -d ${I} ]; then if [ -d ${I} ]; then
logtext "Directory found: ${I}" logtext "Directory found: ${I}"
report "log_directory[]=${I}" report "log_directory[]=${I}"
else else
logtext "Directory could not be found: ${I}" logtext "Directory could not be found: ${I}"
# YYY strip more parts of the name, until it can be found (and stop at /) # YYY strip more parts of the name, until it can be found (and stop at /)
fi fi
done done
fi fi
fi fi
# #
################################################################################# #################################################################################
# #
@ -286,36 +285,36 @@
# succesful resolving via DNS or any other name service. # succesful resolving via DNS or any other name service.
Register --test-no LOGG-2152 --weight L --os Solaris --network NO --description "Checking loghost" Register --test-no LOGG-2152 --weight L --os Solaris --network NO --description "Checking loghost"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
# Try local hosts file # Try local hosts file
logtext "Result: Checking for loghost in /etc/inet/hosts" logtext "Result: Checking for loghost in /etc/inet/hosts"
FIND=`grep loghost /etc/inet/hosts | grep -v "^#"` FIND=`grep loghost /etc/inet/hosts | grep -v "^#"`
if [ ! "${FIND}" = "" ]; then if [ ! "${FIND}" = "" ]; then
SOLARIS_LOGHOST_FOUND=1 SOLARIS_LOGHOST_FOUND=1
logtext "Result: Found loghost entry in /etc/inet/hosts" logtext "Result: Found loghost entry in /etc/inet/hosts"
else else
logtext "Result: No loghost entry found in /etc/inet/hosts" logtext "Result: No loghost entry found in /etc/inet/hosts"
# Try name resolving if no entry is present in local host file
logtext "Result: Checking for loghost via name resolving"
FIND=`getent hosts loghost | grep loghost`
if [ ! "${FIND}" = "" ]; then
SOLARIS_LOGHOST_FOUND=1
logtext "Result: name resolving was succesful"
logtext "Output: ${FIND}"
else
logtext "Result: name resolving didn't find results"
fi
fi
# Try name resolving if no entry is present in local host file
logtext "Result: Checking for loghost via name resolving"
FIND=`getent hosts loghost | grep loghost`
if [ ! "${FIND}" = "" ]; then
SOLARIS_LOGHOST_FOUND=1
logtext "Result: name resolving was succesful"
logtext "Output: ${FIND}"
else
logtext "Result: name resolving didn't find results"
fi
fi
if [ ${SOLARIS_LOGHOST_FOUND} -eq 1 ]; then if [ ${SOLARIS_LOGHOST_FOUND} -eq 1 ]; then
logtext "Result: loghost entry found and most likely used to send syslog messages" logtext "Result: loghost entry found and most likely used to send syslog messages"
Display --indent 2 --text "- Checking loghost entry" --result OK --color GREEN Display --indent 2 --text "- Checking loghost entry" --result OK --color GREEN
else else
Display --indent 2 --text "- Checking loghost entry" --result WARNING --color RED Display --indent 2 --text "- Checking loghost entry" --result WARNING --color RED
logtext "Result: No loghost entry found" logtext "Result: No loghost entry found"
ReportWarning ${TEST_NO} "L" "No loghost entry found" ReportWarning ${TEST_NO} "L" "No loghost entry found"
ReportSuggestion ${TEST_NO} "Add a loghost entry to /etc/inet/hosts or other name services" ReportSuggestion ${TEST_NO} "Add a loghost entry to /etc/inet/hosts or other name services"
fi fi
fi fi
# #
################################################################################# #################################################################################
@ -326,27 +325,27 @@
if [ ${SYSLOG_DAEMON_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if [ ${SYSLOG_DAEMON_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no LOGG-2154 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking syslog configuration file" Register --test-no LOGG-2154 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking syslog configuration file"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
if [ ${SYSLOG_NG_RUNNING} -eq 1 ]; then if [ ${SYSLOG_NG_RUNNING} -eq 1 ]; then
SYSLOGD_CONF="/etc/syslog-ng/syslog-ng.conf" SYSLOGD_CONF="/etc/syslog-ng/syslog-ng.conf"
else else
SYSLOGD_CONF="/etc/syslog.conf" SYSLOGD_CONF="/etc/syslog.conf"
fi fi
if [ -f ${SYSLOGD_CONF} ]; then if [ -f ${SYSLOGD_CONF} ]; then
logtext "Test: check if logs are also logged to a remote logging host" logtext "Test: check if logs are also logged to a remote logging host"
FIND=`egrep "@[a-zA-Z0-9]" ${SYSLOGD_CONF} | grep -v "^#" | grep -v "[a-zA-Z0-9]@"` FIND=`egrep "@[a-zA-Z0-9]" ${SYSLOGD_CONF} | grep -v "^#" | grep -v "[a-zA-Z0-9]@"`
if [ ! "${FIND}" = "" ]; then if [ ! "${FIND}" = "" ]; then
logtext "Result: remote logging enabled" logtext "Result: remote logging enabled"
AddHP 5 5 AddHP 5 5
Display --indent 2 --text "- Checking remote logging" --result ENABLED --color GREEN Display --indent 2 --text "- Checking remote logging" --result ENABLED --color GREEN
else else
logtext "Result: no remote logging found" logtext "Result: no remote logging found"
ReportSuggestion ${TEST_NO} "Enable logging to an external logging host for archiving purposes and additional protection" ReportSuggestion ${TEST_NO} "Enable logging to an external logging host for archiving purposes and additional protection"
AddHP 1 3 AddHP 1 3
Display --indent 2 --text "- Checking remote logging" --result "NOT ENABLED" --color YELLOW Display --indent 2 --text "- Checking remote logging" --result "NOT ENABLED" --color YELLOW
fi fi
else else
logtext "Result: test skipped, file ${SYSLOGD_CONF} not found" logtext "Result: test skipped, file ${SYSLOGD_CONF} not found"
fi fi
fi fi
# #
################################################################################# #################################################################################


@ -40,12 +40,12 @@
IsRunning exim IsRunning exim
if [ ${RUNNING} -eq 1 ]; then if [ ${RUNNING} -eq 1 ]; then
logtext "Result: found running Exim process" logtext "Result: found running Exim process"
Display --indent 2 --text "- Checking Exim status..." --result RUNNING --color GREEN Display --indent 2 --text "- Checking Exim status" --result RUNNING --color GREEN
EXIM_RUNNING=1 EXIM_RUNNING=1
SMTP_DAEMON="exim" SMTP_DAEMON="exim"
else else
logtext "Result: no running Exim processes found" logtext "Result: no running Exim processes found"
Display --indent 2 --text "- Checking Exim status..." --result "NOT FOUND" --color WHITE Display --indent 2 --text "- Checking Exim status" --result "NOT FOUND" --color WHITE
fi fi
fi fi
# #
@ -57,15 +57,15 @@
#Register --test-no MAIL-8804 --weight L --network NO --description "Check Exim configuration" #Register --test-no MAIL-8804 --weight L --network NO --description "Check Exim configuration"
#if [ ${SKIPTEST} -eq 0 ]; then #if [ ${SKIPTEST} -eq 0 ]; then
# if [ ! "${EXIMBINARY}" = "" ]; then # if [ ! "${EXIMBINARY}" = "" ]; then
# logtext "Test: Searching Exim configuration file..." # logtext "Test: Searching Exim configuration file"
# FIND=`${EXIMBINARY} -d | grep "configuration file is" | sed 's/configuration file is//'` # FIND=`${EXIMBINARY} -d | grep "configuration file is" | sed 's/configuration file is//'`
# if [ ! "${FIND}" = "" ]; then # if [ ! "${FIND}" = "" ]; then
# Display --indent 2 --text "- Checking Exim configuration..." --result FOUND --color GREEN # Display --indent 2 --text "- Checking Exim configuration" --result FOUND --color GREEN
# Display --indent 4 --text "Result: configuration file is ${FIND}" # Display --indent 4 --text "Result: configuration file is ${FIND}"
# logtext "Result: found Exim" # logtext "Result: found Exim"
# logtext "Result: configuration file is ${FIND}" # logtext "Result: configuration file is ${FIND}"
# else # else
# Display --indent 2 --text "- Checking Exim configuration..." --result WARNING --color RED # Display --indent 2 --text "- Checking Exim configuration" --result WARNING --color RED
# logtext "Couldn't find the Exim configuration file, however Exim seems to be installed." # logtext "Couldn't find the Exim configuration file, however Exim seems to be installed."
# fi # fi
# else # else
@ -86,12 +86,12 @@
#FIND3=`${PSBINARY} ax | grep "pickup" | grep "postfix" | grep -v "grep"` #FIND3=`${PSBINARY} ax | grep "pickup" | grep "postfix" | grep -v "grep"`
if [ ! "${FIND1}" = "" ]; then if [ ! "${FIND1}" = "" ]; then
logtext "Result: found running Postfix process" logtext "Result: found running Postfix process"
Display --indent 2 --text "- Checking Postfix status..." --result RUNNING --color GREEN Display --indent 2 --text "- Checking Postfix status" --result RUNNING --color GREEN
POSTFIX_RUNNING=1 POSTFIX_RUNNING=1
SMTP_DAEMON="postfix" SMTP_DAEMON="postfix"
else else
logtext "Result: no running Postfix processes found" logtext "Result: no running Postfix processes found"
Display --indent 2 --text "- Checking Postfix status..." --result "NOT FOUND" --color WHITE Display --indent 2 --text "- Checking Postfix status" --result "NOT FOUND" --color WHITE
fi fi
fi fi
# #
@ -102,11 +102,11 @@
if [ ${POSTFIX_RUNNING} -eq 1 -a ! "${POSTFIXBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if [ ${POSTFIX_RUNNING} -eq 1 -a ! "${POSTFIXBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no MAIL-8816 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check Postfix configuration" Register --test-no MAIL-8816 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check Postfix configuration"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
Display --indent 2 --text "- Checking Postfix configuration..." --result FOUND --color GREEN Display --indent 2 --text "- Checking Postfix configuration" --result FOUND --color GREEN
POSTFIX_CONFIGDIR=`${POSTCONFBINARY} | grep '^config_directory' | awk '{ print $3 }'` POSTFIX_CONFIGDIR=`${POSTCONFBINARY} | grep '^config_directory' | awk '{ print $3 }'`
POSTFIX_CONFIGFILE="${POSTFIX_CONFIGDIR}/main.cf" POSTFIX_CONFIGFILE="${POSTFIX_CONFIGDIR}/main.cf"
logtext "Postfix configuration directory: ${POSTFIX_CONFIGDIR}" logtext "Postfix configuration directory: ${POSTFIX_CONFIGDIR}"
logtext "Postfix configuration file: ${POSTFIX_CONFIGFILE}" logtext "Postfix configuration file: ${POSTFIX_CONFIGFILE}"
fi fi
# #
################################################################################# #################################################################################
@ -129,11 +129,11 @@
if [ ! "${FIND2}" = "" -a ! "${FIND3}" = "" ]; then if [ ! "${FIND2}" = "" -a ! "${FIND3}" = "" ]; then
SHOWWARNING=1 SHOWWARNING=1
else else
Display --indent 4 --text "- Checking Postfix banner..." --result OK --color GREEN Display --indent 4 --text "- Checking Postfix banner" --result OK --color GREEN
fi fi
fi fi
if [ ${SHOWWARNING} -eq 1 ]; then if [ ${SHOWWARNING} -eq 1 ]; then
Display --indent 4 --text "- Checking Postfix banner..." --result WARNING --color RED Display --indent 4 --text "- Checking Postfix banner" --result WARNING --color RED
logtext "Result: found mail_name in SMTP banner, and/or mail_name contains 'Postfix'." logtext "Result: found mail_name in SMTP banner, and/or mail_name contains 'Postfix'."
ReportWarning ${TEST_NO} "L" "Found mail_name in SMTP banner, and/or mail_name contains 'Postfix'" ReportWarning ${TEST_NO} "L" "Found mail_name in SMTP banner, and/or mail_name contains 'Postfix'"
ReportSuggestion ${TEST_NO} "You are adviced to hide the mail_name (option: smtpd_banner) from your postfix configuration. Use postconf -e or change your main.cf file (${POSTFIX_CONFIGFILE})" ReportSuggestion ${TEST_NO} "You are adviced to hide the mail_name (option: smtpd_banner) from your postfix configuration. Use postconf -e or change your main.cf file (${POSTFIX_CONFIGFILE})"
@ -150,13 +150,13 @@
IsRunning dovecot IsRunning dovecot
if [ ${RUNNING} -eq 1 ]; then if [ ${RUNNING} -eq 1 ]; then
logtext "Result: found running dovecot process" logtext "Result: found running dovecot process"
Display --indent 2 --text "- Checking Dovecot status..." --result RUNNING --color GREEN Display --indent 2 --text "- Checking Dovecot status" --result RUNNING --color GREEN
DOVECOT_RUNNING=1 DOVECOT_RUNNING=1
IMAP_DAEMON="dovecot" IMAP_DAEMON="dovecot"
POP3_DAEMON="dovecot" POP3_DAEMON="dovecot"
else else
logtext "Result: dovecot not found" logtext "Result: dovecot not found"
Display --indent 2 --text "- Checking Dovecot status..." --result "NOT FOUND" --color WHITE Display --indent 2 --text "- Checking Dovecot status" --result "NOT FOUND" --color WHITE
fi fi
fi fi
# #
@ -190,12 +190,12 @@
IsRunning qmail-smtpd IsRunning qmail-smtpd
if [ ${RUNNING} -eq 1 ]; then if [ ${RUNNING} -eq 1 ]; then
logtext "Result: found running Qmail process" logtext "Result: found running Qmail process"
Display --indent 2 --text "- Checking Qmail status..." --result RUNNING --color GREEN Display --indent 2 --text "- Checking Qmail status" --result RUNNING --color GREEN
QMAIL_RUNNING=1 QMAIL_RUNNING=1
SMTP_DAEMON="qmail" SMTP_DAEMON="qmail"
else else
logtext "Result: no running Qmail processes found" logtext "Result: no running Qmail processes found"
Display --indent 2 --text "- Checking Qmail status..." --result "NOT FOUND" --color WHITE Display --indent 2 --text "- Checking Qmail status" --result "NOT FOUND" --color WHITE
fi fi
fi fi
# #
@ -209,12 +209,12 @@
IsRunning sendmail IsRunning sendmail
if [ ${RUNNING} -eq 1 ]; then if [ ${RUNNING} -eq 1 ]; then
logtext "Result: found running Sendmail process" logtext "Result: found running Sendmail process"
Display --indent 2 --text "- Checking Sendmail status..." --result RUNNING --color GREEN Display --indent 2 --text "- Checking Sendmail status" --result RUNNING --color GREEN
SENDMAIL_RUNNING=1 SENDMAIL_RUNNING=1
SMTP_DAEMON="sendmail" SMTP_DAEMON="sendmail"
else else
logtext "Result: no running Sendmail processes found" logtext "Result: no running Sendmail processes found"
Display --indent 2 --text "- Checking Sendmail status..." --result "NOT FOUND" --color WHITE Display --indent 2 --text "- Checking Sendmail status" --result "NOT FOUND" --color WHITE
fi fi
fi fi
# #
@ -228,12 +228,12 @@
FIND=`${PSBINARY} ax | grep "/smtpd" | grep -v "grep"` FIND=`${PSBINARY} ax | grep "/smtpd" | grep -v "grep"`
if [ ! "${FIND}" = "" ]; then if [ ! "${FIND}" = "" ]; then
logtext "Result: found running smtpd process" logtext "Result: found running smtpd process"
Display --indent 2 --text "- Checking OpenBSD smtpd status..." --result RUNNING --color GREEN Display --indent 2 --text "- Checking OpenBSD smtpd status" --result RUNNING --color GREEN
SMTPD_RUNNING=1 SMTPD_RUNNING=1
SMTP_DAEMON="smtpd" SMTP_DAEMON="smtpd"
else else
logtext "Result: smtpd not found" logtext "Result: smtpd not found"
Display --indent 2 --text "- Checking OpenBSD smtpd status..." --result "NOT FOUND" --color WHITE Display --indent 2 --text "- Checking OpenBSD smtpd status" --result "NOT FOUND" --color WHITE
fi fi
fi fi
# #
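Review bot: In the MAIL-8816 hunk, `- Checking Postfix configuration` is displayed with result FOUND before anything has been looked up, and the prerequisite line tests `${POSTFIXBINARY}` while the lookup itself runs `${POSTCONFBINARY}`. If postconf is absent or prints no `config_directory` line, POSTFIX_CONFIGDIR stays empty and POSTFIX_CONFIGFILE becomes `/main.cf`, a path the banner test's suggestion text then shows to the user. Extend the prerequisite to `if [ ${POSTFIX_RUNNING} -eq 1 -a ! "${POSTFIXBINARY}" = "" -a ! "${POSTCONFBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi`. Then move the Display call after the lookup, so that FOUND is reported only when `[ -f "${POSTFIX_CONFIGFILE}" ]` holds and NOT FOUND otherwise.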


@ -33,12 +33,12 @@
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: checking presence chkrootkit" logtext "Test: checking presence chkrootkit"
if [ ! "${CHKROOTKITBINARY}" = "" ]; then if [ ! "${CHKROOTKITBINARY}" = "" ]; then
Display --indent 2 --text "- Checking chkrootkit..." --result "FOUND" --color GREEN Display --indent 2 --text "- Checking chkrootkit" --result "FOUND" --color GREEN
logtext "Result: Found ${CHKROOTKITBINARY}" logtext "Result: Found ${CHKROOTKITBINARY}"
MALWARE_SCANNER_INSTALLED=1 MALWARE_SCANNER_INSTALLED=1
AddHP 2 2 AddHP 2 2
else else
Display --indent 2 --text "- Checking chkrootkit..." --result "NOT FOUND" --color WHITE Display --indent 2 --text "- Checking chkrootkit" --result "NOT FOUND" --color WHITE
logtext "Result: chkrootkit not found" logtext "Result: chkrootkit not found"
fi fi
fi fi
@ -51,12 +51,12 @@
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: checking presence Rootkit Hunter" logtext "Test: checking presence Rootkit Hunter"
if [ ! "${RKHUNTERBINARY}" = "" ]; then if [ ! "${RKHUNTERBINARY}" = "" ]; then
Display --indent 2 --text "- Checking Rootkit Hunter..." --result "FOUND" --color GREEN Display --indent 2 --text "- Checking Rootkit Hunter" --result "FOUND" --color GREEN
logtext "Result: Found ${RKHUNTERBINARY}" logtext "Result: Found ${RKHUNTERBINARY}"
MALWARE_SCANNER_INSTALLED=1 MALWARE_SCANNER_INSTALLED=1
AddHP 2 2 AddHP 2 2
else else
Display --indent 2 --text "- Checking Rootkit Hunter..." --result "NOT FOUND" --color WHITE Display --indent 2 --text "- Checking Rootkit Hunter" --result "NOT FOUND" --color WHITE
logtext "Result: Rootkit Hunter not found" logtext "Result: Rootkit Hunter not found"
fi fi
fi fi
@ -101,12 +101,12 @@
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: checking presence clamscan" logtext "Test: checking presence clamscan"
if [ ! "${CLAMSCANBINARY}" = "" ]; then if [ ! "${CLAMSCANBINARY}" = "" ]; then
Display --indent 2 --text "- Checking ClamAV scanner..." --result "FOUND" --color GREEN Display --indent 2 --text "- Checking ClamAV scanner" --result "FOUND" --color GREEN
logtext "Result: Found ${CLAMSCANBINARY}" logtext "Result: Found ${CLAMSCANBINARY}"
MALWARE_SCANNER_INSTALLED=1 MALWARE_SCANNER_INSTALLED=1
AddHP 2 2 AddHP 2 2
else else
Display --indent 2 --text "- Checking ClamAV scanner..." --result "NOT FOUND" --color WHITE Display --indent 2 --text "- Checking ClamAV scanner" --result "NOT FOUND" --color WHITE
logtext "Result: clamscan couldn't be found" logtext "Result: clamscan couldn't be found"
fi fi
fi fi
@ -121,12 +121,12 @@
logtext "Test: checking running ClamAV daemon (clamd)" logtext "Test: checking running ClamAV daemon (clamd)"
FIND=`${PSBINARY} ax | grep "/clamd" | grep -v "grep"` FIND=`${PSBINARY} ax | grep "/clamd" | grep -v "grep"`
if [ ! "${FIND}" = "" ]; then if [ ! "${FIND}" = "" ]; then
Display --indent 2 --text "- Checking ClamAV daemon..." --result "FOUND" --color GREEN Display --indent 2 --text "- Checking ClamAV daemon" --result "FOUND" --color GREEN
logtext "Result: found running clamd process" logtext "Result: found running clamd process"
MALWARE_SCANNER_INSTALLED=1 MALWARE_SCANNER_INSTALLED=1
CLAMD_RUNNING=1 CLAMD_RUNNING=1
else else
Display --indent 2 --text "- Checking ClamAV daemon..." --result "NOT FOUND" --color WHITE Display --indent 2 --text "- Checking ClamAV daemon" --result "NOT FOUND" --color WHITE
logtext "Result: clamd not running" logtext "Result: clamd not running"
fi fi
fi fi
@ -141,11 +141,11 @@
logtext "Test: checking running freshclam daemon" logtext "Test: checking running freshclam daemon"
FIND=`${PSBINARY} ax | grep "/freshclam" | grep -v "grep"` FIND=`${PSBINARY} ax | grep "/freshclam" | grep -v "grep"`
if [ ! "${FIND}" = "" ]; then if [ ! "${FIND}" = "" ]; then
Display --indent 4 --text "- Checking freshclam..." --result "FOUND" --color GREEN Display --indent 4 --text "- Checking freshclam" --result "FOUND" --color GREEN
logtext "Result: found running freshclam process" logtext "Result: found running freshclam process"
AddHP 2 2 AddHP 2 2
else else
Display --indent 4 --text "- Checking freshclam..." --result "SUGGESTION" --color YELLOW Display --indent 4 --text "- Checking freshclam" --result "SUGGESTION" --color YELLOW
logtext "Result: freshclam is not running" logtext "Result: freshclam is not running"
ReportSuggestion ${TEST_NO} "Confirm that freshclam is properly configured and keeps updating the ClamAV database" ReportSuggestion ${TEST_NO} "Confirm that freshclam is properly configured and keeps updating the ClamAV database"
fi fi
@ -153,17 +153,23 @@
# #
################################################################################# #################################################################################
# #
# Test : MALW-3288
# Description : Check for LMD
#
#################################################################################
#
# Test : MALW-3292 # Test : MALW-3292
# Description : Check if at least one malware scanner is installed # Description : Check if at least one malware scanner is installed
# Register --test-no MALW-3292 --weight L --network NO --description "Check for at least one malware scanner" # Register --test-no MALW-3292 --weight L --network NO --description "Check for at least one malware scanner"
# if [ ${SKIPTEST} -eq 0 ]; then # if [ ${SKIPTEST} -eq 0 ]; then
# if [ ${MALWARE_SCANNER_INSTALLED} -eq 1 ]; then # if [ ${MALWARE_SCANNER_INSTALLED} -eq 1 ]; then
# logtext "Result: At least one malware scanner is installed" # logtext "Result: At least one malware scanner is installed"
# Display --indent 2 --text "- Checking presence malware scanner..." --result "FOUND" --color GREEN # Display --indent 2 --text "- Checking presence malware scanner" --result "FOUND" --color GREEN
# #AddHP 3 3 # #AddHP 3 3
# else # else
# logtext "Result: No malware scanners found" # logtext "Result: No malware scanners found"
# Display --indent 2 --text "- Checking presence malware scanner..." --result "NOT FOUND" --color YELLOW # Display --indent 2 --text "- Checking presence malware scanner" --result "NOT FOUND" --color YELLOW
# ReportSuggestion ${TEST_NO} "Install at least one malware scanner to perform periodic integrity tests on the system" # ReportSuggestion ${TEST_NO} "Install at least one malware scanner to perform periodic integrity tests on the system"
# #AddHP 0 3 # #AddHP 0 3
# fi # fi
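Review bot: The clamd and freshclam checks decide "running" from `${PSBINARY} ax | grep "/clamd" | grep -v "grep"`, which matches any command line containing that substring (an editor opened on `/etc/clamd.conf`, for instance) and then sets MALWARE_SCANNER_INSTALLED=1 or awards `AddHP 2 2`. A false match makes the audit report a scanner or signature updater that is not actually running. The mail tests touched by this same commit use the `IsRunning` helper followed by `${RUNNING}`; assuming it matches on the process name, `IsRunning clamd` and `IsRunning freshclam` would be the consistent form here. Separately, the added `MALW-3288` / `Check for LMD` header has no test body under it, so a `# TODO: test not implemented yet` line would keep readers from searching for it. Both checks begin outside their hunks.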


@ -28,7 +28,7 @@
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
if [ -f /proc/meminfo ]; then if [ -f /proc/meminfo ]; then
logtext "Result: found /proc/meminfo" logtext "Result: found /proc/meminfo"
Display --indent 2 --text "- Checking /proc/meminfo... " --result FOUND --color GREEN Display --indent 2 --text "- Checking /proc/meminfo" --result FOUND --color GREEN
FIND=`cat /proc/meminfo | grep "^MemTotal" | tr -s ' ' | awk '{ print $2" "$3 }'` FIND=`cat /proc/meminfo | grep "^MemTotal" | tr -s ' ' | awk '{ print $2" "$3 }'`
MEMORY_SIZE=`echo ${FIND} | awk '{ print $1 }'` MEMORY_SIZE=`echo ${FIND} | awk '{ print $1 }'`
MEMORY_UNITS=`echo ${FIND} | awk '{ print $2 }'` MEMORY_UNITS=`echo ${FIND} | awk '{ print $2 }'`
@ -48,14 +48,14 @@
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Searching /usr/sbin/prtconf" logtext "Test: Searching /usr/sbin/prtconf"
if [ -x /usr/sbin/prtconf ]; then if [ -x /usr/sbin/prtconf ]; then
Display --indent 2 --text "- Querying prtconf for installed memory..." --result DONE --color GREEN Display --indent 2 --text "- Querying prtconf for installed memory" --result DONE --color GREEN
MEMORY_SIZE=`/usr/sbin/prtconf | grep "^Memory size:" | cut -d ' ' -f3` MEMORY_SIZE=`/usr/sbin/prtconf | grep "^Memory size:" | cut -d ' ' -f3`
MEMORY_UNITS=`/usr/sbin/prtconf | grep "^Memory size:" | cut -d ' ' -f4` MEMORY_UNITS=`/usr/sbin/prtconf | grep "^Memory size:" | cut -d ' ' -f4`
logtext "Result: Found ${MEMORY_SIZE} ${MEMORY_UNITS} memory" logtext "Result: Found ${MEMORY_SIZE} ${MEMORY_UNITS} memory"
report "memory_size=${MEMORY_SIZE}" report "memory_size=${MEMORY_SIZE}"
report "memory_units=${MEMORY_UNITS}" report "memory_units=${MEMORY_UNITS}"
else else
Display --indent 2 --text "- Querying prtconf for installed memory..." --result SKIPPED --color WHITE Display --indent 2 --text "- Querying prtconf for installed memory" --result SKIPPED --color WHITE
logtext "Result: /usr/sbin/prtconf not found" logtext "Result: /usr/sbin/prtconf not found"
fi fi
fi fi
@ -75,11 +75,11 @@
fi fi
if [ "${FIND}" = "" ]; then if [ "${FIND}" = "" ]; then
logtext "Result: no zombie processes found" logtext "Result: no zombie processes found"
Display --indent 2 --text "- Searching for dead/zombie processes..." --result OK --color GREEN Display --indent 2 --text "- Searching for dead/zombie processes" --result OK --color GREEN
else else
logtext "Result: found one or more dead or zombie processes" logtext "Result: found one or more dead or zombie processes"
logtext "Output: PIDs ${FIND}" logtext "Output: PIDs ${FIND}"
Display --indent 2 --text "- Searching for dead/zombie processes..." --result WARNING --color RED Display --indent 2 --text "- Searching for dead/zombie processes" --result WARNING --color RED
ReportSuggestion ${TEST_NO} "Check the output of ps for dead or zombie processes" ReportSuggestion ${TEST_NO} "Check the output of ps for dead or zombie processes"
fi fi
fi fi
@ -99,12 +99,12 @@
fi fi
if [ "${FIND}" = "" ]; then if [ "${FIND}" = "" ]; then
logtext "Result: No processes were waiting for IO requests to be handled first" logtext "Result: No processes were waiting for IO requests to be handled first"
Display --indent 2 --text "- Searching for IO waiting processes..." --result OK --color GREEN Display --indent 2 --text "- Searching for IO waiting processes" --result OK --color GREEN
else else
logtext "Result: found one or more processes which were waiting to get IO requests handled first" logtext "Result: found one or more processes which were waiting to get IO requests handled first"
logtext "More info: processes which show up with the status flag 'D' are often stuck, until a disk IO event finished. This can happen for example with network storage, where the connection or protocol settings are not logtext well configured." logtext "More info: processes which show up with the status flag 'D' are often stuck, until a disk IO event finished. This can happen for example with network storage, where the connection or protocol settings are not logtext well configured."
logtext "Output: PIDs ${FIND}" logtext "Output: PIDs ${FIND}"
Display --indent 2 --text "- Searching for IO waiting processes..." --result WARNING --color RED Display --indent 2 --text "- Searching for IO waiting processes" --result WARNING --color RED
ReportSuggestion ${TEST_NO} "Check process listing for processes waiting for IO requests" ReportSuggestion ${TEST_NO} "Check process listing for processes waiting for IO requests"
fi fi
fi fi
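Review bot: The "More info" log line in the IO-wait check carries a stray word, most likely left by a search-and-replace: `...protocol settings are not logtext well configured.` should read `...protocol settings are not well configured.` This commit is already a text cleanup of these messages, so it fits in the same pass. In the /proc/meminfo hunk, the `cat /proc/meminfo | grep "^MemTotal" | tr -s ' ' | awk ...` pipeline can be the single call `awk '/^MemTotal/ { print $2" "$3 }' /proc/meminfo`. Both tests continue outside their hunks.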


@ -44,12 +44,12 @@
FIND=`cat /etc/resolv.conf | grep "^domain" | awk '{ print $2 }'` FIND=`cat /etc/resolv.conf | grep "^domain" | awk '{ print $2 }'`
if [ "${FIND}" = "" ]; then if [ "${FIND}" = "" ]; then
logtext "Result: no default domain found" logtext "Result: no default domain found"
Display --indent 2 --text "- Checking default DNS search domain..." --result NONE --color WHITE Display --indent 2 --text "- Checking default DNS search domain" --result NONE --color WHITE
else else
logtext "Result: found default domain" logtext "Result: found default domain"
logtext "Output: ${FIND}" logtext "Output: ${FIND}"
report "resolv_conf_domain=${FIND}" report "resolv_conf_domain=${FIND}"
Display --indent 2 --text "- Checking default DNS search domain..." --result FOUND --color GREEN Display --indent 2 --text "- Checking default DNS search domain" --result FOUND --color GREEN
RESOLV_DOMAINNAME="${FIND}" RESOLV_DOMAINNAME="${FIND}"
fi fi
fi fi
@ -78,23 +78,23 @@
# Warn if we have more than 6 search domains, which is maximum in most resolvers # Warn if we have more than 6 search domains, which is maximum in most resolvers
if [ ${N} -gt 6 ]; then if [ ${N} -gt 6 ]; then
logtext "Result: Found ${N} search domains" logtext "Result: Found ${N} search domains"
Display --indent 2 --text "- Checking search domains..." --result WARNING --color YELLOW Display --indent 2 --text "- Checking search domains" --result WARNING --color YELLOW
ReportWarning ${TEST_NO} "L" "Found more than 6 search domains, which is usually more than the maximum allowed number in most resolvers" ReportWarning ${TEST_NO} "L" "Found more than 6 search domains, which is usually more than the maximum allowed number in most resolvers"
else else
logtext "Result: Found ${N} search domains" logtext "Result: Found ${N} search domains"
Display --indent 2 --text "- Checking search domains..." --result FOUND --color GREEN Display --indent 2 --text "- Checking search domains" --result FOUND --color GREEN
fi fi
fi fi
else else
logtext "Result: /etc/resolv.conf does not exist, skipping test" logtext "Result: /etc/resolv.conf does not exist, skipping test"
Display --indent 2 --text "- Checking search domains..." --result "NOT FOUND" --color YELLOW Display --indent 2 --text "- Checking search domains" --result "NOT FOUND" --color YELLOW
fi fi
# Check amount of search domains (max 1) # Check amount of search domains (max 1)
FIND=`cat /etc/resolv.conf | grep "^search" | wc -l | tr -s ' ' | tr -d ' '` FIND=`cat /etc/resolv.conf | grep "^search" | wc -l | tr -s ' ' | tr -d ' '`
if [ ! "${FIND}" = "0" -a ! "${FIND}" = "1" ]; then if [ ! "${FIND}" = "0" -a ! "${FIND}" = "1" ]; then
logtext "Result: found ${FIND} line(s) with a search statement (expecting less than 2 lines)" logtext "Result: found ${FIND} line(s) with a search statement (expecting less than 2 lines)"
Display --indent 4 --text "- Checking search domains lines..." --result "CONFIG ERROR" --color YELLOW Display --indent 4 --text "- Checking search domains lines" --result "CONFIG ERROR" --color YELLOW
ReportWarning ${TEST_NO} "L" "Found more than 1 search lines in /etc/resolv.conf, which is probably a misconfiguration" ReportWarning ${TEST_NO} "L" "Found more than 1 search lines in /etc/resolv.conf, which is probably a misconfiguration"
else else
logtext "Result: found ${FIND} line(s) with a search statement (expecting less than 2 lines)" logtext "Result: found ${FIND} line(s) with a search statement (expecting less than 2 lines)"
@ -113,7 +113,7 @@
FIND=`grep "^options" /etc/resolv.conf | awk '{ print $2 }'` FIND=`grep "^options" /etc/resolv.conf | awk '{ print $2 }'`
if [ "${FIND}" = "" ]; then if [ "${FIND}" = "" ]; then
logtext "Result: no specific other options configured in /etc/resolv.conf" logtext "Result: no specific other options configured in /etc/resolv.conf"
Display --indent 2 --text "- Checking /etc/resolv.conf options..." --result "NONE" --color WHITE Display --indent 2 --text "- Checking /etc/resolv.conf options" --result "NONE" --color WHITE
else else
for I in ${FIND}; do for I in ${FIND}; do
logtext "Found option: ${I}" logtext "Found option: ${I}"
@ -121,11 +121,11 @@
#rotate --> add performance tune point #rotate --> add performance tune point
#timeout <3 --> add performe tune point #timeout <3 --> add performe tune point
done done
Display --indent 2 --text "- Checking /etc/resolv.conf options..." --result "FOUND" --color GREEN Display --indent 2 --text "- Checking /etc/resolv.conf options" --result "FOUND" --color GREEN
fi fi
else else
logtext "Result: /etc/resolv.conf not found, test skipped" logtext "Result: /etc/resolv.conf not found, test skipped"
Display --indent 2 --text "- Checking /etc/resolv.conf options..." --result "NOT FOUND" --color YELLOW Display --indent 2 --text "- Checking /etc/resolv.conf options" --result "NOT FOUND" --color YELLOW
fi fi
fi fi
# #
@ -137,7 +137,7 @@
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
FIND=`uname -n` FIND=`uname -n`
logtext "Result: 'uname -n' returned ${FIND}" logtext "Result: 'uname -n' returned ${FIND}"
Display --indent 2 --text "- Checking uname -n output..." --result DONE --color GREEN Display --indent 2 --text "- Checking uname -n output" --result DONE --color GREEN
fi fi
# #
################################################################################# #################################################################################
@ -152,10 +152,10 @@
logtext "Result: file /etc/nodename exists" logtext "Result: file /etc/nodename exists"
FIND=`cat /etc/nodename` FIND=`cat /etc/nodename`
logtext "Output: ${FIND}" logtext "Output: ${FIND}"
Display --indent 2 --text "- Checking /etc/nodename..." --result "DONE" --color GREEN Display --indent 2 --text "- Checking /etc/nodename" --result "DONE" --color GREEN
else else
logtext "Result: file /etc/nodename could not be found" logtext "Result: file /etc/nodename could not be found"
Display --indent 2 --text "- Checking /etc/nodename..." --result "NONE FOUND" --color YELLOW Display --indent 2 --text "- Checking /etc/nodename" --result "NONE FOUND" --color YELLOW
fi fi
fi fi
# #
@ -210,10 +210,10 @@
if [ ! "${DOMAINNAME}" = "" ]; then if [ ! "${DOMAINNAME}" = "" ]; then
logtext "Result: found domain name" logtext "Result: found domain name"
report "domainname=${DOMAINNAME}" report "domainname=${DOMAINNAME}"
Display --indent 2 --text "- Searching DNS domain name..." --result "FOUND" --color GREEN Display --indent 2 --text "- Searching DNS domain name" --result "FOUND" --color GREEN
Display --indent 6 --text "Domain name: ${DOMAINNAME}" Display --indent 6 --text "Domain name: ${DOMAINNAME}"
else else
Display --indent 2 --text "- Searching DNS domain name..." --result "UNKNOWN" --color YELLOW Display --indent 2 --text "- Searching DNS domain name" --result "UNKNOWN" --color YELLOW
ReportSuggestion ${TEST_NO} "Check DNS configuration for the dns domain name" ReportSuggestion ${TEST_NO} "Check DNS configuration for the dns domain name"
fi fi
fi fi
@ -228,10 +228,10 @@
FIND=`${PSBINARY} ax | grep "nscd" | grep -v "grep"` FIND=`${PSBINARY} ax | grep "nscd" | grep -v "grep"`
if [ ! "${FIND}" = "" ]; then if [ ! "${FIND}" = "" ]; then
logtext "Result: nscd is running" logtext "Result: nscd is running"
Display --indent 2 --text "- Checking nscd status..." --result RUNNING --color GREEN Display --indent 2 --text "- Checking nscd status" --result RUNNING --color GREEN
else else
logtext "Result: nscd is not running" logtext "Result: nscd is not running"
Display --indent 2 --text "- Checking nscd status..." --result "NOT FOUND" --color WHITE Display --indent 2 --text "- Checking nscd status" --result "NOT FOUND" --color WHITE
#YYY show performance suggestion if LDAP is used #YYY show performance suggestion if LDAP is used
fi fi
fi fi
@ -246,11 +246,11 @@
FIND=`${PSBINARY} ax | grep "/named" | grep -v "grep"` FIND=`${PSBINARY} ax | grep "/named" | grep -v "grep"`
if [ ! "${FIND}" = "" ]; then if [ ! "${FIND}" = "" ]; then
logtext "Result: found BIND process" logtext "Result: found BIND process"
Display --indent 2 --text "- Checking BIND status..." --result "FOUND" --color GREEN Display --indent 2 --text "- Checking BIND status" --result "FOUND" --color GREEN
BIND_RUNNING=1 BIND_RUNNING=1
else else
logtext "Result: BIND not running" logtext "Result: BIND not running"
Display --indent 2 --text "- Checking BIND status..." --result "NOT FOUND" --color WHITE Display --indent 2 --text "- Checking BIND status" --result "NOT FOUND" --color WHITE
fi fi
fi fi
# #
@ -270,9 +270,9 @@
fi fi
done done
if [ ! "${BIND_CONFIG_LOCATION}" = "" ]; then if [ ! "${BIND_CONFIG_LOCATION}" = "" ]; then
Display --indent 4 --text "- Checking BIND configuration file..." --result "FOUND" --color GREEN Display --indent 4 --text "- Checking BIND configuration file" --result "FOUND" --color GREEN
else else
Display --indent 4 --text "- Checking BIND configuration file..." --result "NOT FOUND" --color YELLOW Display --indent 4 --text "- Checking BIND configuration file" --result "NOT FOUND" --color YELLOW
fi fi
fi fi
# #
@ -289,10 +289,10 @@
FIND=`${NAMEDCHECKCONFBINARY} ${BIND_CONFIG_LOCATION}; echo $?` FIND=`${NAMEDCHECKCONFBINARY} ${BIND_CONFIG_LOCATION}; echo $?`
if [ "${FIND}" = "0" ]; then if [ "${FIND}" = "0" ]; then
logtext "Result: configuration file ${BIND_CONFIG_LOCATION} seems to be fine" logtext "Result: configuration file ${BIND_CONFIG_LOCATION} seems to be fine"
Display --indent 4 --text "- Checking BIND configuration consistency..." --result "OK" --color GREEN Display --indent 4 --text "- Checking BIND configuration consistency" --result "OK" --color GREEN
else else
logtext "Result: possible errors found in ${BIND_CONFIG_LOCATION}" logtext "Result: possible errors found in ${BIND_CONFIG_LOCATION}"
Display --indent 4 --text "- Checking BIND configuration consistency..." --result WARNING --color RED Display --indent 4 --text "- Checking BIND configuration consistency" --result WARNING --color RED
ReportWarning ${TEST_NO} "Errors discovered in BIND configuration file" ReportWarning ${TEST_NO} "Errors discovered in BIND configuration file"
fi fi
else else
@ -318,11 +318,11 @@
FIND=`${DIGBINARY} @localhost version.bind chaos txt | grep "^version.bind" | grep TXT | egrep "[0-9].[0-9].[0-9]*"` FIND=`${DIGBINARY} @localhost version.bind chaos txt | grep "^version.bind" | grep TXT | egrep "[0-9].[0-9].[0-9]*"`
if [ "${FIND}" = "" ]; then if [ "${FIND}" = "" ]; then
logtext "Result: no useful information in banner found" logtext "Result: no useful information in banner found"
Display --indent 4 --text "- Checking BIND version in banner ..." --result "OK" --color GREEN Display --indent 4 --text "- Checking BIND version in banner" --result "OK" --color GREEN
AddHP 2 2 AddHP 2 2
else else
logtext "Result: possible BIND version available in version banner" logtext "Result: possible BIND version available in version banner"
Display --indent 4 --text "- Checking BIND version in banner..." --result WARNING --color RED Display --indent 4 --text "- Checking BIND version in banner" --result WARNING --color RED
ReportWarning ${TEST_NO} "M" "Found BIND version in banner" ReportWarning ${TEST_NO} "M" "Found BIND version in banner"
ReportSuggestion ${TEST_NO} "The version in BIND can be masked by defining 'version none' in the configuration file" ReportSuggestion ${TEST_NO} "The version in BIND can be masked by defining 'version none' in the configuration file"
AddHP 0 2 AddHP 0 2
@ -360,11 +360,11 @@
FIND=`${PSBINARY} ax | grep "/pdns_server" | grep -v "grep"` FIND=`${PSBINARY} ax | grep "/pdns_server" | grep -v "grep"`
if [ ! "${FIND}" = "" ]; then if [ ! "${FIND}" = "" ]; then
logtext "Result: found PowerDNS process" logtext "Result: found PowerDNS process"
Display --indent 2 --text "- Checking PowerDNS status..." --result "RUNNING" --color GREEN Display --indent 2 --text "- Checking PowerDNS status" --result "RUNNING" --color GREEN
POWERDNS_RUNNING=1 POWERDNS_RUNNING=1
else else
logtext "Result: PowerDNS not running" logtext "Result: PowerDNS not running"
Display --indent 2 --text "- Checking PowerDNS status..." --result "NOT FOUND" --color WHITE Display --indent 2 --text "- Checking PowerDNS status" --result "NOT FOUND" --color WHITE
fi fi
fi fi
# #
@ -380,13 +380,13 @@
for I in ${POWERDNS_CONFIG_LOCS}; do for I in ${POWERDNS_CONFIG_LOCS}; do
if [ -f ${I}/pdns.conf ]; then if [ -f ${I}/pdns.conf ]; then
POWERDNS_AUTH_CONFIG_LOCATION="${I}/pdns.conf" POWERDNS_AUTH_CONFIG_LOCATION="${I}/pdns.conf"
logtext "Result: found configuration file (${POWERDNS_AUTH_CONFIG_LOCATION})" logtext "Result: found configuration file (${POWERDNS_AUTH_CONFIG_LOCATION})"
fi fi
done done
if [ ! "${POWERDNS_AUTH_CONFIG_LOCATION}" = "" ]; then if [ ! "${POWERDNS_AUTH_CONFIG_LOCATION}" = "" ]; then
Display --indent 4 --text "- Checking PowerDNS configuration file..." --result "FOUND" --color GREEN Display --indent 4 --text "- Checking PowerDNS configuration file" --result "FOUND" --color GREEN
else else
Display --indent 4 --text "- Checking PowerDNS configuration file..." --result "NOT FOUND" --color YELLOW Display --indent 4 --text "- Checking PowerDNS configuration file" --result "NOT FOUND" --color YELLOW
fi fi
fi fi
# #
@ -412,10 +412,10 @@
for I in ${FIND}; do for I in ${FIND}; do
logtext "Found backend: ${I}" logtext "Found backend: ${I}"
done done
Display --indent 4 --text "- Checking PowerDNS backends..." --result "FOUND" --color GREEN Display --indent 4 --text "- Checking PowerDNS backends" --result "FOUND" --color GREEN
else else
logtext "Result: no PowerDNS backends found" logtext "Result: no PowerDNS backends found"
Display --indent 4 --text "- Checking PowerDNS backends..." --result "NOT FOUND" --color YELLOW Display --indent 4 --text "- Checking PowerDNS backends" --result "NOT FOUND" --color YELLOW
fi fi
fi fi
# #
@ -458,12 +458,12 @@
FIND=`${PSBINARY} ax | grep "ypbind" | grep -v "grep"` FIND=`${PSBINARY} ax | grep "ypbind" | grep -v "grep"`
if [ ! "${FIND}" = "" ]; then if [ ! "${FIND}" = "" ]; then
logtext "Result: ypbind is running" logtext "Result: ypbind is running"
Display --indent 2 --text "- Checking ypbind status..." --result "FOUND" --color GREEN Display --indent 2 --text "- Checking ypbind status" --result "FOUND" --color GREEN
YPBIND_RUNNING=1 YPBIND_RUNNING=1
ReportSuggestion "Disable the usage of NIS/NIS+ and use an alternative like LDAP or Kerberos instead" ReportSuggestion "Disable the usage of NIS/NIS+ and use an alternative like LDAP or Kerberos instead"
else else
logtext "Result: ypbind is not active" logtext "Result: ypbind is not active"
Display --indent 2 --text "- Checking ypbind status..." --result "NOT FOUND" --color WHITE Display --indent 2 --text "- Checking ypbind status" --result "NOT FOUND" --color WHITE
fi fi
fi fi
# #
@ -522,10 +522,10 @@
if [ ! "${NISDOMAIN}" = "" ]; then if [ ! "${NISDOMAIN}" = "" ]; then
logtext "Found NIS domain: ${NISDOMAIN}" logtext "Found NIS domain: ${NISDOMAIN}"
report "nisdomain=${NISDOMAIN}" report "nisdomain=${NISDOMAIN}"
Display --indent 4 --text "- Checking NIS domain..." --result "FOUND" --color GREEN Display --indent 4 --text "- Checking NIS domain" --result "FOUND" --color GREEN
else else
logtext "Result: No NIS domain found" logtext "Result: No NIS domain found"
Display --indent 4 --text "- Checking NIS domain..." --result "UNKNOWN" --color YELLOW Display --indent 4 --text "- Checking NIS domain" --result "UNKNOWN" --color YELLOW
fi fi
fi fi
# #
@ -553,7 +553,7 @@
fi fi
else else
logtext "Result: /etc/hosts not found, test skipped" logtext "Result: /etc/hosts not found, test skipped"
Display --indent 4 --text "Searching duplicate line..." --result "SKIPPED" --color YELLOW Display --indent 4 --text "Searching duplicate line" --result "SKIPPED" --color YELLOW
fi fi
fi fi
# #


@ -33,13 +33,13 @@
# Description : Basic nameserver configuration tests (connectivity) # Description : Basic nameserver configuration tests (connectivity)
Register --test-no NETW-2704 --weight L --network YES --description "Basic nameserver configuration tests" Register --test-no NETW-2704 --weight L --network YES --description "Basic nameserver configuration tests"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
Display --indent 2 --text "- Checking configured nameservers..." Display --indent 2 --text "- Checking configured nameservers"
logtext "Test: Checking /etc/resolv.conf file" logtext "Test: Checking /etc/resolv.conf file"
if [ -f /etc/resolv.conf ]; then if [ -f /etc/resolv.conf ]; then
logtext "Result: Found /etc/resolv.conf file" logtext "Result: Found /etc/resolv.conf file"
FIND=`grep '^nameserver' /etc/resolv.conf | tr -d '\t' | sed 's/nameserver*//g'` FIND=`grep '^nameserver' /etc/resolv.conf | tr -d '\t' | sed 's/nameserver*//g'`
if [ ! "${FIND}" = "" ]; then if [ ! "${FIND}" = "" ]; then
Display --indent 4 --text "- Testing nameservers..." Display --indent 4 --text "- Testing nameservers"
logtext "Test: Querying nameservers" logtext "Test: Querying nameservers"
for I in ${FIND}; do for I in ${FIND}; do
logtext "Found nameserver: ${I}" logtext "Found nameserver: ${I}"
@ -53,12 +53,12 @@
# 0=good, other=bad # 0=good, other=bad
DNSRESPONSE=`${DIGBINARY} +noall +time=3 +retry=0 @${I} ${I} > /dev/null ; echo $?` DNSRESPONSE=`${DIGBINARY} +noall +time=3 +retry=0 @${I} ${I} > /dev/null ; echo $?`
if [ "${DNSRESPONSE}" = "0" ]; then if [ "${DNSRESPONSE}" = "0" ]; then
Display --indent 8 --text "Nameserver: ${I}..." --result OK --color GREEN Display --indent 8 --text "Nameserver: ${I}" --result OK --color GREEN
logtext "Nameserver ${I} seems to respond to queries from this host." logtext "Nameserver ${I} seems to respond to queries from this host."
# Count responsive nameservers # Count responsive nameservers
NUMBERACTIVENS=`expr ${NUMBERACTIVENS} + 1` NUMBERACTIVENS=`expr ${NUMBERACTIVENS} + 1`
else else
Display --indent 8 --text "Nameserver: ${I}..." --result "NO RESPONSE" --color RED Display --indent 8 --text "Nameserver: ${I}" --result "NO RESPONSE" --color RED
logtext "Result: nameserver ${I} does NOT respond" logtext "Result: nameserver ${I} does NOT respond"
logtext "Exit-code from dig: ${DNSRESPONSE}" logtext "Exit-code from dig: ${DNSRESPONSE}"
ReportSuggestion ${TEST_NO} "Check connection to this nameserver and make sure no outbound DNS queries are blocked (port 53 UDP and TCP)." ReportSuggestion ${TEST_NO} "Check connection to this nameserver and make sure no outbound DNS queries are blocked (port 53 UDP and TCP)."
@ -66,7 +66,7 @@
fi fi
else else
logtext "Result: Nameserver test for ${I} skipped, 'dig' not installed" logtext "Result: Nameserver test for ${I} skipped, 'dig' not installed"
Display --indent 6 --text "Nameserver: ${I}... " --result SKIPPED --color YELLOW Display --indent 6 --text "Nameserver: ${I}" --result SKIPPED --color YELLOW
fi fi
done done
fi fi
@ -82,19 +82,19 @@
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
if [ ! "${DIGBINARY}" = "" ]; then if [ ! "${DIGBINARY}" = "" ]; then
if [ ${NUMBERACTIVENS} -lt 2 ]; then if [ ${NUMBERACTIVENS} -lt 2 ]; then
Display --indent 4 --text "- Minimal of 2 responsive nameservers..." --result WARNING --color RED Display --indent 4 --text "- Minimal of 2 responsive nameservers" --result WARNING --color RED
logtext "Result: less than 2 responsive nameservers found" logtext "Result: less than 2 responsive nameservers found"
ReportWarning ${TEST_NO} "L" "Couldn't find 2 responsive nameservers" ReportWarning ${TEST_NO} "L" "Couldn't find 2 responsive nameservers"
logtext "Note: Non responsive nameservers can give problems for your system(s). Like the lack of recursive lookups, bad connectivity to update servers etc." logtext "Note: Non responsive nameservers can give problems for your system(s). Like the lack of recursive lookups, bad connectivity to update servers etc."
ReportSuggestion ${TEST_NO} "Check your resolv.conf file and fill in a backup nameserver if possible" ReportSuggestion ${TEST_NO} "Check your resolv.conf file and fill in a backup nameserver if possible"
AddHP 1 2 AddHP 1 2
else else
Display --indent 4 --text "- Minimal of 2 responsive nameservers..." --result OK --color GREEN Display --indent 4 --text "- Minimal of 2 responsive nameservers" --result OK --color GREEN
logtext "Result: found at least 2 responsive nameservers" logtext "Result: found at least 2 responsive nameservers"
AddHP 3 3 AddHP 3 3
fi fi
else else
Display --indent 4 --text "- Minimal of 2 responsive nameservers..." --result SKIPPED --color YELLOW Display --indent 4 --text "- Minimal of 2 responsive nameservers" --result SKIPPED --color YELLOW
logtext "Result: dig not installed, test can't be fully performed" logtext "Result: dig not installed, test can't be fully performed"
fi fi
else else
@ -109,17 +109,17 @@
if [ ! "${NETSTATBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if [ ! "${NETSTATBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no NETW-3001 --preqs-met ${PREQS_MET} --weight L --network NO --description "Find default gateway (route)" Register --test-no NETW-3001 --preqs-met ${PREQS_MET} --weight L --network NO --description "Find default gateway (route)"
if [ $SKIPTEST -eq 0 ]; then if [ $SKIPTEST -eq 0 ]; then
logtext "Test: Searching default gateway(s)..." logtext "Test: Searching default gateway(s)"
FIND=`${NETSTATBINARY} -rn | egrep "^0.0.0.0|default" | tr -s ' ' | cut -d ' ' -f2` FIND=`${NETSTATBINARY} -rn | egrep "^0.0.0.0|default" | tr -s ' ' | cut -d ' ' -f2`
if [ ! "${FIND}" = "" ]; then if [ ! "${FIND}" = "" ]; then
for I in ${FIND}; do for I in ${FIND}; do
logtext "Result: Found default gateway ${I}" logtext "Result: Found default gateway ${I}"
report "default_gateway[]=${I}" report "default_gateway[]=${I}"
done done
Display --indent 2 --text "- Checking default gateway..." --result DONE --color GREEN Display --indent 2 --text "- Checking default gateway" --result DONE --color GREEN
else else
logtext "Result: No default gateway found" logtext "Result: No default gateway found"
Display --indent 2 --text "- Checking default gateway..." --result "NONE FOUND" --color WHITE Display --indent 2 --text "- Checking default gateway" --result "NONE FOUND" --color WHITE
fi fi
fi fi
# #
@ -279,7 +279,7 @@
esac esac
# Retrieve information from sockstat, when available # Retrieve information from sockstat, when available
logtext "Test: Retrieving sockstat information to find listening ports..." logtext "Test: Retrieving sockstat information to find listening ports"
if [ ! "${FIND}" = "" ]; then if [ ! "${FIND}" = "" ]; then
for I in ${FIND}; do for I in ${FIND}; do
N=`expr ${N} + 1` N=`expr ${N} + 1`
@ -296,9 +296,9 @@
done done
fi fi
if [ "${FIND}" = "" -a "${FIND2}" = "" ]; then if [ "${FIND}" = "" -a "${FIND2}" = "" ]; then
Display --indent 2 --text "- Getting listening ports (TCP/UDP)..." --result SKIPPED --color YELLOW Display --indent 2 --text "- Getting listening ports (TCP/UDP)" --result SKIPPED --color YELLOW
else else
Display --indent 2 --text "- Getting listening ports (TCP/UDP)..." --result DONE --color GREEN Display --indent 2 --text "- Getting listening ports (TCP/UDP)" --result DONE --color GREEN
Display --indent 6 --text "* Found ${N} ports" Display --indent 6 --text "* Found ${N} ports"
fi fi
fi fi
@ -311,7 +311,7 @@
if [ "${OS}" = "DragonFly" -o "${OS}" = "FreeBSD" -o "${OS}" = "NetBSD" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if [ "${OS}" = "DragonFly" -o "${OS}" = "FreeBSD" -o "${OS}" = "NetBSD" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no NETW-3014 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking promiscuous interfaces (BSD)" Register --test-no NETW-3014 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking promiscuous interfaces (BSD)"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Checking promiscuous interfaces (FreeBSD)..." logtext "Test: Checking promiscuous interfaces (FreeBSD)"
FIND=`${IFCONFIGBINARY} | grep PROMISC | cut -d ':' -f1` FIND=`${IFCONFIGBINARY} | grep PROMISC | cut -d ':' -f1`
if [ ! "${FIND}" = "" ]; then if [ ! "${FIND}" = "" ]; then
logtext "Result: Promiscuous interfaces: ${FIND}" logtext "Result: Promiscuous interfaces: ${FIND}"
@ -329,10 +329,10 @@
# Show result # Show result
if [ ${FOUNDPROMISC} -eq 0 ]; then if [ ${FOUNDPROMISC} -eq 0 ]; then
Display --indent 2 --text "- Checking promiscuous interfaces..." --result OK --color GREEN Display --indent 2 --text "- Checking promiscuous interfaces" --result OK --color GREEN
logtext "Result: No promiscuous interfaces found" logtext "Result: No promiscuous interfaces found"
else else
Display --indent 2 --text "- Checking promiscuous interfaces..." --result WARNING --color RED Display --indent 2 --text "- Checking promiscuous interfaces" --result WARNING --color RED
fi fi
fi fi
# #
@ -364,10 +364,10 @@
# Show result # Show result
if [ ${FOUNDPROMISC} -eq 0 ]; then if [ ${FOUNDPROMISC} -eq 0 ]; then
Display --indent 2 --text "- Checking promiscuous interfaces..." --result OK --color GREEN Display --indent 2 --text "- Checking promiscuous interfaces" --result OK --color GREEN
logtext "Result: No promiscuous interfaces found" logtext "Result: No promiscuous interfaces found"
else else
Display --indent 2 --text "- Checking promiscuous interfaces..." --result WARNING --color RED Display --indent 2 --text "- Checking promiscuous interfaces" --result WARNING --color RED
fi fi
fi fi
# #
@ -380,8 +380,8 @@
# #
# Test : NETW-3024 # Test : NETW-3024
# Description : Netstat/socktstat compare (FreeBSD) # Description : Netstat/socktstat compare (FreeBSD)
# echo -n " - Comparing output sockstat and netstat... " # echo -n " - Comparing output sockstat and netstat"
# logtext "Comparing output of sockstat and netstat... " # logtext "Comparing output of sockstat and netstat"
# NETSTATOUTPUT=`netstat -an | grep -v 'TIME_WAIT' | grep -v 'ESTABLISHED' | grep -v 'SYN_SENT' | grep -v 'CLOSE_WAIT' | grep -v 'LAST_ACK' | grep -v 'SYN_RECV' | grep -v 'CLOSING' | cut -c 1-44 | grep '*.' | cut -c 24-32 | tr -d ' ' | tr -d '\t' | grep -v '*' | sort | uniq` # NETSTATOUTPUT=`netstat -an | grep -v 'TIME_WAIT' | grep -v 'ESTABLISHED' | grep -v 'SYN_SENT' | grep -v 'CLOSE_WAIT' | grep -v 'LAST_ACK' | grep -v 'SYN_RECV' | grep -v 'CLOSING' | cut -c 1-44 | grep '*.' | cut -c 24-32 | tr -d ' ' | tr -d '\t' | grep -v '*' | sort | uniq`
# #
# if [ "${SOCKSTATOUTPUT}" = "${NETSTATOUTPUT}" ]; then # if [ "${SOCKSTATOUTPUT}" = "${NETSTATOUTPUT}" ]; then
@ -401,15 +401,15 @@
if [ ! "${NETSTATBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if [ ! "${NETSTATBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no NETW-3028 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking connections in WAIT state" Register --test-no NETW-3028 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking connections in WAIT state"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Using netstat for check for connections in WAIT state..." logtext "Test: Using netstat for check for connections in WAIT state"
FIND=`${NETSTATBINARY} -an | grep WAIT | wc -l | awk '{ print $1 }'` FIND=`${NETSTATBINARY} -an | grep WAIT | wc -l | awk '{ print $1 }'`
if [ "${OPTIONS_CONN_MAX_WAIT_STATE}" = "" ]; then OPTIONS_CONN_MAX_WAIT_STATE="100"; fi if [ "${OPTIONS_CONN_MAX_WAIT_STATE}" = "" ]; then OPTIONS_CONN_MAX_WAIT_STATE="100"; fi
logtext "Result: currently ${FIND} connections are in a waiting state (max configured: ${OPTIONS_CONN_MAX_WAIT_STATE})." logtext "Result: currently ${FIND} connections are in a waiting state (max configured: ${OPTIONS_CONN_MAX_WAIT_STATE})."
if [ ${FIND} -gt ${OPTIONS_CONN_MAX_WAIT_STATE} ]; then if [ ${FIND} -gt ${OPTIONS_CONN_MAX_WAIT_STATE} ]; then
Display --indent 2 --text "- Checking waiting connections..." --result WARNING --color YELLOW Display --indent 2 --text "- Checking waiting connections" --result WARNING --color YELLOW
ReportWarning ${TEST_NO} "H" "Found too much connections in WAIT state (${FIND})" ReportWarning ${TEST_NO} "H" "Found too much connections in WAIT state (${FIND})"
else else
Display --indent 2 --text "- Checking waiting connections..." --result OK --color GREEN Display --indent 2 --text "- Checking waiting connections" --result OK --color GREEN
logtext "Result: ${FIND} connections are in WAIT state" logtext "Result: ${FIND} connections are in WAIT state"
fi fi
fi fi
@ -422,12 +422,12 @@
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
IsRunning dhclient IsRunning dhclient
if [ ${RUNNING} -eq 1 ]; then if [ ${RUNNING} -eq 1 ]; then
Display --indent 2 --text "- Checking status DHCP client..." --result RUNNING --color WHITE Display --indent 2 --text "- Checking status DHCP client" --result RUNNING --color WHITE
#YYY report if system type is server, that it is running with DHCP client, might be a badly configured machine #YYY report if system type is server, that it is running with DHCP client, might be a badly configured machine
#report "manual[]=System is running DHCP client" #report "manual[]=System is running DHCP client"
DHCP_CLIENT_RUNNING=1 DHCP_CLIENT_RUNNING=1
else else
Display --indent 2 --text "- Checking status DHCP client..." --result "NOT ACTIVE" --color WHITE Display --indent 2 --text "- Checking status DHCP client" --result "NOT ACTIVE" --color WHITE
fi fi
fi fi
# #
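Review bot: The nameserver value read from /etc/resolv.conf reaches `${DIGBINARY} +noall +time=3 +retry=0 @${I} ${I}` unquoted and unvalidated, so any word on a `nameserver` line that is not an address (a trailing comment word, or text beginning with `-` or `+`) is handed to dig as an extra query or option. A guard before the call, for example `case "${I}" in [-+]*) logtext "Result: skipping invalid nameserver entry"; continue ;; esac`, together with quoting both uses as `"@${I}" "${I}"`, would keep the test to plain addresses. The extraction `sed 's/nameserver*//g'` is loose in the same way, since `r*` matches zero or more `r` rather than the keyword followed by whitespace. The `for I in ${FIND}` loop body starts in one hunk and ends in another, so the lines between them are not visible here.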


@ -61,7 +61,7 @@
if [ "${tFILES}" = "" ]; then if [ "${tFILES}" = "" ]; then
logtext "Result: no files found for ${I}" logtext "Result: no files found for ${I}"
else else
logtext "Result: found files in location ${I}, checking.." logtext "Result: found files in location ${I}, checking"
for I in ${tFILES}; do for I in ${tFILES}; do
if [ -f ${I} ]; then if [ -f ${I} ]; then
logtext "Result: file ${I} exists, adding to php.ini array" logtext "Result: file ${I} exists, adding to php.ini array"
@ -72,11 +72,11 @@
done done
if [ ! "${PHPINIFILE}" = "" ]; then if [ ! "${PHPINIFILE}" = "" ]; then
Display --indent 2 --text "- Checking PHP..." --result "FOUND" --color GREEN Display --indent 2 --text "- Checking PHP" --result "FOUND" --color GREEN
logtext "Result: using single file ${PHPINIFILE} for main php.ini tests" logtext "Result: using single file ${PHPINIFILE} for main php.ini tests"
logtext "Result: using php.ini array ${PHPINI_ALLFILES} for further tests" logtext "Result: using php.ini array ${PHPINI_ALLFILES} for further tests"
else else
Display --indent 2 --text "- Checking PHP..." --result "NOT FOUND" --color WHITE Display --indent 2 --text "- Checking PHP" --result "NOT FOUND" --color WHITE
logtext "Result: no php.ini file found" logtext "Result: no php.ini file found"
fi fi
fi fi
@ -109,13 +109,13 @@
done done
if [ ${FOUND} -eq 0 ]; then if [ ${FOUND} -eq 0 ]; then
logtext "Result: all PHP functions can be executed" logtext "Result: all PHP functions can be executed"
Display --indent 4 --text "- Checking PHP disabled functions..." --result "NONE" --color YELLOW Display --indent 4 --text "- Checking PHP disabled functions" --result "NONE" --color YELLOW
ReportSuggestion ${TEST_NO} "Harden PHP by disabling risky functions" ReportSuggestion ${TEST_NO} "Harden PHP by disabling risky functions"
logtext "Functions of interest to research/disable: chown, diskfreespace, disk_free_space, disk_total_space, dl, exec, escapeshellarg, escapeshellcmd, fileinode, highlight_file, max_execution_time, passthru, pclose, phpinfo, popen, proc_close, proc_open, proc_get_status, proc_nice, proc_open, proc_terminate, set_time_limit, shell_exec, show_source, system)" logtext "Functions of interest to research/disable: chown, diskfreespace, disk_free_space, disk_total_space, dl, exec, escapeshellarg, escapeshellcmd, fileinode, highlight_file, max_execution_time, passthru, pclose, phpinfo, popen, proc_close, proc_open, proc_get_status, proc_nice, proc_open, proc_terminate, set_time_limit, shell_exec, show_source, system)"
AddHP 0 1 AddHP 0 1
else else
logtext "Result: one or more PHP functions are disabled/blacklisted" logtext "Result: one or more PHP functions are disabled/blacklisted"
Display --indent 4 --text "- Checking PHP disabled functions..." --result "FOUND" --color GREEN Display --indent 4 --text "- Checking PHP disabled functions" --result "FOUND" --color GREEN
AddHP 3 3 AddHP 3 3
fi fi
fi fi
@ -139,16 +139,16 @@
fi fi
Register --test-no PHP-2368 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check PHP register_globals option" Register --test-no PHP-2368 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check PHP register_globals option"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Checking PHP register_globals option.." logtext "Test: Checking PHP register_globals option"
FIND=`cat ${PHPINIFILE} | egrep -i 'register_globals.*(on|yes|1)' | grep -v '^;'` FIND=`cat ${PHPINIFILE} | egrep -i 'register_globals.*(on|yes|1)' | grep -v '^;'`
if [ ! "${FIND}" = "" ]; then if [ ! "${FIND}" = "" ]; then
Display --indent 4 --text "- Checking register_globals option..." --result WARNING --color RED Display --indent 4 --text "- Checking register_globals option" --result WARNING --color RED
ReportWarning ${TEST_NO} "M" "PHP option register_globals option is turned on, which can be a risk for variable value overwriting" ReportWarning ${TEST_NO} "M" "PHP option register_globals option is turned on, which can be a risk for variable value overwriting"
ReportSuggestion ${TEST_NO} "Change the register_globals line to: register_globals = Off" ReportSuggestion ${TEST_NO} "Change the register_globals line to: register_globals = Off"
logtext "Result: register_globals option is turned on, which can be a risk for variable value overwriting." logtext "Result: register_globals option is turned on, which can be a risk for variable value overwriting."
AddHP 1 2 AddHP 1 2
else else
Display --indent 4 --text "- Checking register_globals option..." --result OK --color GREEN Display --indent 4 --text "- Checking register_globals option" --result OK --color GREEN
logtext "Result: No 'register_globals' found. Most likely it is in disabled state (0, no, or off), which is the default nowadays and considered the safe value." logtext "Result: No 'register_globals' found. Most likely it is in disabled state (0, no, or off), which is the default nowadays and considered the safe value."
ReportManual ${TEST_NO}:01 ReportManual ${TEST_NO}:01
AddHP 2 2 AddHP 2 2
@ -163,16 +163,16 @@
if [ ! "${PHPINIFILE}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if [ ! "${PHPINIFILE}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PHP-2372 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check PHP expose_php option" Register --test-no PHP-2372 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check PHP expose_php option"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Checking expose_php option.." logtext "Test: Checking expose_php option"
FIND=`cat ${PHPINIFILE} | egrep -i 'expose_php.*(off|no|0)' | grep -v '^;'` FIND=`cat ${PHPINIFILE} | egrep -i 'expose_php.*(off|no|0)' | grep -v '^;'`
if [ "${FIND}" = "" ]; then if [ "${FIND}" = "" ]; then
Display --indent 4 --text "- Checking expose_php option..." --result ON --color RED Display --indent 4 --text "- Checking expose_php option" --result ON --color RED
ReportWarning ${TEST_NO} "M" "PHP option expose_php is possibly turned on, which can reveal useful information for attackers." ReportWarning ${TEST_NO} "M" "PHP option expose_php is possibly turned on, which can reveal useful information for attackers."
ReportSuggestion ${TEST_NO} "Change the expose_php line to: expose_php = Off" ReportSuggestion ${TEST_NO} "Change the expose_php line to: expose_php = Off"
report "Result: expose_php option is turned on, which can expose useful information for an attacker" report "Result: expose_php option is turned on, which can expose useful information for an attacker"
AddHP 1 2 AddHP 1 2
else else
Display --indent 4 --text "- Checking expose_php option..." --result OFF --color GREEN Display --indent 4 --text "- Checking expose_php option" --result OFF --color GREEN
logtext "Result: Found 'expose_php' in disabled state (0, no, or off)" logtext "Result: Found 'expose_php' in disabled state (0, no, or off)"
AddHP 2 2 AddHP 2 2
fi fi
@ -187,15 +187,15 @@
if [ ! "${PHPINIFILE}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if [ ! "${PHPINIFILE}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PHP-2374 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check PHP enable_dl option" Register --test-no PHP-2374 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check PHP enable_dl option"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Checking PHP enable_dl option.." logtext "Test: Checking PHP enable_dl option"
FIND=`cat ${PHPINIFILE} | egrep -i 'enable_dl.*(off|no|0)' | grep -v '^;'` FIND=`cat ${PHPINIFILE} | egrep -i 'enable_dl.*(off|no|0)' | grep -v '^;'`
if [ "${FIND}" = "" ]; then if [ "${FIND}" = "" ]; then
Display --indent 4 --text "- Checking enable_dl option..." --result ON --color YELLOW Display --indent 4 --text "- Checking enable_dl option" --result ON --color YELLOW
report "Result: enable_dl option is turned on, which can be used for riskful downloads via PHP" report "Result: enable_dl option is turned on, which can be used for riskful downloads via PHP"
ReportSuggestion ${TEST_NO} "Change the enable_dl line to: enable_dl = Off, to disable downloads via PHP" ReportSuggestion ${TEST_NO} "Change the enable_dl line to: enable_dl = Off, to disable downloads via PHP"
AddHP 0 1 AddHP 0 1
else else
Display --indent 4 --text "- Checking enable_dl option..." --result OFF --color GREEN Display --indent 4 --text "- Checking enable_dl option" --result OFF --color GREEN
logtext "Result: Found 'enable_dl' in disabled state (0, no, or off)" logtext "Result: Found 'enable_dl' in disabled state (0, no, or off)"
AddHP 2 2 AddHP 2 2
fi fi
@ -210,15 +210,15 @@
if [ ! "${PHPINIFILE}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if [ ! "${PHPINIFILE}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PHP-2376 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check PHP allow_url_fopen option" Register --test-no PHP-2376 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check PHP allow_url_fopen option"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Checking PHP allow_url_fopen option.." logtext "Test: Checking PHP allow_url_fopen option"
FIND=`cat ${PHPINIFILE} | egrep -i 'allow_url_fopen.*(off|no|0)' | grep -v '^;'` FIND=`cat ${PHPINIFILE} | egrep -i 'allow_url_fopen.*(off|no|0)' | grep -v '^;'`
if [ "${FIND}" = "" ]; then if [ "${FIND}" = "" ]; then
Display --indent 4 --text "- Checking allow_url_fopen option..." --result ON --color YELLOW Display --indent 4 --text "- Checking allow_url_fopen option" --result ON --color YELLOW
report "Result: allow_url_fopen option is turned on, which can be used for riskful downloads via PHP" report "Result: allow_url_fopen option is turned on, which can be used for riskful downloads via PHP"
ReportSuggestion ${TEST_NO} "Change the allow_url_fopen line to: allow_url_fopen = Off, to disable downloads via PHP" ReportSuggestion ${TEST_NO} "Change the allow_url_fopen line to: allow_url_fopen = Off, to disable downloads via PHP"
AddHP 0 1 AddHP 0 1
else else
Display --indent 4 --text "- Checking allow_url_fopen option..." --result OFF --color GREEN Display --indent 4 --text "- Checking allow_url_fopen option" --result OFF --color GREEN
logtext "Result: Found 'allow_url_fopen' in disabled state (0, no, or off)" logtext "Result: Found 'allow_url_fopen' in disabled state (0, no, or off)"
AddHP 2 2 AddHP 2 2
fi fi
@ -233,15 +233,15 @@
if [ ! "${PHPINIFILE}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if [ ! "${PHPINIFILE}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PHP-2378 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check PHP allow_url_include option" Register --test-no PHP-2378 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check PHP allow_url_include option"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Checking PHP allow_url_include option.." logtext "Test: Checking PHP allow_url_include option"
FIND=`cat ${PHPINIFILE} | egrep -i 'allow_url_include.*(off|no|0)' | grep -v '^;'` FIND=`cat ${PHPINIFILE} | egrep -i 'allow_url_include.*(off|no|0)' | grep -v '^;'`
if [ "${FIND}" = "" ]; then if [ "${FIND}" = "" ]; then
Display --indent 4 --text "- Checking allow_url_include option..." --result ON --color YELLOW Display --indent 4 --text "- Checking allow_url_include option" --result ON --color YELLOW
report "Result: allow_url_include option is turned on, which can be used for riskful downloads via PHP" report "Result: allow_url_include option is turned on, which can be used for riskful downloads via PHP"
ReportSuggestion ${TEST_NO} "Change the allow_url_include line to: allow_url_include = Off, to disable downloads via PHP" ReportSuggestion ${TEST_NO} "Change the allow_url_include line to: allow_url_include = Off, to disable downloads via PHP"
AddHP 0 1 AddHP 0 1
else else
Display --indent 4 --text "- Checking allow_url_include option..." --result OFF --color GREEN Display --indent 4 --text "- Checking allow_url_include option" --result OFF --color GREEN
logtext "Result: Found 'allow_url_include' in disabled state (0, no, or off)" logtext "Result: Found 'allow_url_include' in disabled state (0, no, or off)"
AddHP 2 2 AddHP 2 2
fi fi


@ -24,7 +24,7 @@
# #
################################################################################# #################################################################################
# #
Display --indent 2 --text "- Searching package managers..." Display --indent 2 --text "- Searching package managers"
# Test : PKGS-7301 # Test : PKGS-7301
# Description : Query FreeBSD pkg # Description : Query FreeBSD pkg
@ -33,12 +33,12 @@
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
FIND=`pkg -N 2>&1; echo $?` FIND=`pkg -N 2>&1; echo $?`
if [ "${FIND}" = "0" ]; then if [ "${FIND}" = "0" ]; then
Display --indent 4 --text "- Searching packages with pkg..." --result FOUND --color GREEN Display --indent 4 --text "- Searching packages with pkg" --result FOUND --color GREEN
report "package_manager[]=pkg" report "package_manager[]=pkg"
PACKAGE_MGR_PKG=1 PACKAGE_MGR_PKG=1
#logtext "Result: Found pkg" #logtext "Result: Found pkg"
#logtext "Test: Querying pkg to get package list..." #logtext "Test: Querying pkg to get package list"
#Display --indent 6 --text "- Querying pkg for installed packages..." #Display --indent 6 --text "- Querying pkg for installed packages"
#logtext "Output:"; logtext "-----" #logtext "Output:"; logtext "-----"
#SPACKAGES=`/usr/sbin/pkg_info 2>&1 | sort | tr -s ' ' | cut -d ' ' -f1 | sed -e 's/^\(.*\)-\([0-9].*\)$/\1,\2/g'` #SPACKAGES=`/usr/sbin/pkg_info 2>&1 | sort | tr -s ' ' | cut -d ' ' -f1 | sed -e 's/^\(.*\)-\([0-9].*\)$/\1,\2/g'`
#for J in ${SPACKAGES}; do #for J in ${SPACKAGES}; do
@ -48,7 +48,7 @@
# report "installed_package[]=${sPKG_NAME}|${sPKG_VERSION}|" # report "installed_package[]=${sPKG_NAME}|${sPKG_VERSION}|"
#done #done
else else
Display --indent 4 --text "- Searching pkg..." --result "NOT INSTALLED" --color YELLOW Display --indent 4 --text "- Searching pkg" --result "NOT INSTALLED" --color YELLOW
fi fi
fi fi
# #
@ -60,11 +60,11 @@
Register --test-no PKGS-7302 --preqs-met ${PREQS_MET} --weight L --network NO --description "Query FreeBSD/NetBSD pkg_info" Register --test-no PKGS-7302 --preqs-met ${PREQS_MET} --weight L --network NO --description "Query FreeBSD/NetBSD pkg_info"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
N=0 N=0
Display --indent 4 --text "- Checking pkg_info..." --result FOUND --color GREEN Display --indent 4 --text "- Checking pkg_info" --result FOUND --color GREEN
logtext "Result: Found pkg_info" logtext "Result: Found pkg_info"
report "package_manager[]=pkg_info" report "package_manager[]=pkg_info"
logtext "Test: Querying pkg_info to get package list..." logtext "Test: Querying pkg_info to get package list"
Display --indent 6 --text "- Querying pkg_info for installed packages..." Display --indent 6 --text "- Querying pkg_info for installed packages"
logtext "Output:"; logtext "-----" logtext "Output:"; logtext "-----"
SPACKAGES=`/usr/sbin/pkg_info 2>&1 | sort | tr -s ' ' | cut -d ' ' -f1 | sed -e 's/^\(.*\)-\([0-9].*\)$/\1,\2/g'` SPACKAGES=`/usr/sbin/pkg_info 2>&1 | sort | tr -s ' ' | cut -d ' ' -f1 | sed -e 's/^\(.*\)-\([0-9].*\)$/\1,\2/g'`
for J in ${SPACKAGES}; do for J in ${SPACKAGES}; do
@ -88,10 +88,10 @@
# if [ ${SKIPTEST} -eq 0 ]; then # if [ ${SKIPTEST} -eq 0 ]; then
# SDOUBLEINSTALLED=`pkg_info | sort | sed -e 's/-[0-9].*$//' | uniq -c | grep -v '^[[:space:]]*1' | tr -s ' ' | cut -d ' ' -f3` # SDOUBLEINSTALLED=`pkg_info | sort | sed -e 's/-[0-9].*$//' | uniq -c | grep -v '^[[:space:]]*1' | tr -s ' ' | cut -d ' ' -f3`
# if [ "${SDOUBLEINSTALLED}" = "" ]; then # if [ "${SDOUBLEINSTALLED}" = "" ]; then
# Display --indent 6 --text "- Querying pkg_info for double installed packages..." --result OK --color GREEN # Display --indent 6 --text "- Querying pkg_info for double installed packages" --result OK --color GREEN
# logtext "Ok, no packages show up twice or more in the package listing." # logtext "Ok, no packages show up twice or more in the package listing."
# else # else
# Display --indent 6 --text "- Querying pkg_info for double installed packages..." --result WARNING --color RED # Display --indent 6 --text "- Querying pkg_info for double installed packages" --result WARNING --color RED
# for J in ${SDOUBLEINSTALLED}; do # for J in ${SDOUBLEINSTALLED}; do
# ReportWarning ${TEST_NO} "M" "Found probably incorrect installed package (${J})" # ReportWarning ${TEST_NO} "M" "Found probably incorrect installed package (${J})"
# logtext "This package ${J} is visible twice or more in the pkg_info listing." # logtext "This package ${J} is visible twice or more in the pkg_info listing."
@ -102,7 +102,7 @@
# done # done
# fi # fi
# else # else
# Display --indent 4 --text "- Searching pkg_info..." --result "NOT FOUND" --color WHITE # Display --indent 4 --text "- Searching pkg_info" --result "NOT FOUND" --color WHITE
# logtext "Result: pkg_info can NOT be found on this system" # logtext "Result: pkg_info can NOT be found on this system"
# fi # fi
# #
@ -113,11 +113,11 @@
if [ -x /usr/bin/pkginfo ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if [ -x /usr/bin/pkginfo ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PKGS-7306 --os Solaris --preqs-met ${PREQS_MET} --weight L --network NO --description "Querying Solaris packages" Register --test-no PKGS-7306 --os Solaris --preqs-met ${PREQS_MET} --weight L --network NO --description "Querying Solaris packages"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
Display --indent 4 --text "- Searching pkginfo..." --result FOUND --color GREEN Display --indent 4 --text "- Searching pkginfo" --result FOUND --color GREEN
logtext "Result: Found Solaris pkginfo" logtext "Result: Found Solaris pkginfo"
report "package_manager[]=pkginfo" report "package_manager[]=pkginfo"
logtext "Test: Querying pkginfo to get package list" logtext "Test: Querying pkginfo to get package list"
Display --indent 4 --text "- Querying pkginfo for installed packages..." Display --indent 4 --text "- Querying pkginfo for installed packages"
logtext "Output:"; logtext "-----" logtext "Output:"; logtext "-----"
# Strip SUNW from strings # Strip SUNW from strings
SPACKAGES=`/usr/bin/pkginfo -i | tr -s ' ' | cut -d ' ' -f2 | sed "s#^SUNW##"` SPACKAGES=`/usr/bin/pkginfo -i | tr -s ' ' | cut -d ' ' -f2 | sed "s#^SUNW##"`
@ -138,11 +138,11 @@
Register --test-no PKGS-7308 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking package list with RPM" Register --test-no PKGS-7308 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking package list with RPM"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
N=0 N=0
Display --indent 4 --text "- Searching RPM package manager..." --result FOUND --color GREEN Display --indent 4 --text "- Searching RPM package manager" --result FOUND --color GREEN
logtext "Result: Found rpm binary (${RPMBINARY})" logtext "Result: Found rpm binary (${RPMBINARY})"
report "package_manager[]=rpm" report "package_manager[]=rpm"
logtext "Test: Querying 'rpm -qa' to get package list" logtext "Test: Querying 'rpm -qa' to get package list"
Display --indent 6 --text "- Querying RPM package manager..." Display --indent 6 --text "- Querying RPM package manager"
logtext "Output:"; logtext "--------" logtext "Output:"; logtext "--------"
SPACKAGES=`${RPMBINARY} -qa | sort` SPACKAGES=`${RPMBINARY} -qa | sort`
if [ "${SPACKAGES}" = "" ]; then if [ "${SPACKAGES}" = "" ]; then
@ -169,11 +169,11 @@
Register --test-no PKGS-7310 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking package list with pacman" Register --test-no PKGS-7310 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking package list with pacman"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
N=0 N=0
Display --indent 4 --text "- Searching pacman package manager..." --result FOUND --color GREEN Display --indent 4 --text "- Searching pacman package manager" --result FOUND --color GREEN
logtext "Result: Found pacman binary (${PACMANBINARY})" logtext "Result: Found pacman binary (${PACMANBINARY})"
report "package_manager[]=pacman" report "package_manager[]=pacman"
logtext "Test: Querying 'pacman -Q' to get package list" logtext "Test: Querying 'pacman -Q' to get package list"
Display --indent 6 --text "- Querying pacman package manager..." Display --indent 6 --text "- Querying pacman package manager"
logtext "Output:"; logtext "--------" logtext "Output:"; logtext "--------"
SPACKAGES=`${PACMANBINARY} -Q | sort | sed 's/ /,/g'` SPACKAGES=`${PACMANBINARY} -Q | sort | sed 's/ /,/g'`
if [ "${SPACKAGES}" = "" ]; then if [ "${SPACKAGES}" = "" ]; then
@ -266,7 +266,7 @@
logtext "Result: Found dpkg binary" logtext "Result: Found dpkg binary"
report "package_manager[]=dpkg" report "package_manager[]=dpkg"
logtext "Test: Querying dpkg -l to get package list" logtext "Test: Querying dpkg -l to get package list"
Display --indent 6 --text "- Querying package manager..." Display --indent 6 --text "- Querying package manager"
logtext "Output:" logtext "Output:"
SPACKAGES=`dpkg -l 2>/dev/null | grep "^ii" | tr -s ' ' | tr ' ' '#' | sort` SPACKAGES=`dpkg -l 2>/dev/null | grep "^ii" | tr -s ' ' | tr ' ' '#' | sort`
for J in ${SPACKAGES}; do for J in ${SPACKAGES}; do
@ -403,7 +403,7 @@
# Don't check yet, output of found vulnerable packages unclear (YYY) # Don't check yet, output of found vulnerable packages unclear (YYY)
else else
logtext "Result: ${FIND}" logtext "Result: ${FIND}"
#Display --indent 2 --text "- Checking pkg audit to obtain vulnerable packages..." --result WARNING --color RED #Display --indent 2 --text "- Checking pkg audit to obtain vulnerable packages" --result WARNING --color RED
#logtext "Result: pkg audit found one or more installed packages which are vulnerable." #logtext "Result: pkg audit found one or more installed packages which are vulnerable."
#ReportWarning ${TEST_NO} "M" "Found one or more vulnerable packages." #ReportWarning ${TEST_NO} "M" "Found one or more vulnerable packages."
#ReportSuggestion ${TEST_NO} "Update your system with portupgrade or other tools" #ReportSuggestion ${TEST_NO} "Update your system with portupgrade or other tools"
@ -593,7 +593,7 @@
# Test : PKGS-7388 # Test : PKGS-7388
# Description : Check security repository in Debian/ubuntu apt sources.list file # Description : Check security repository in Debian/ubuntu apt sources.list file
if [ -f /etc/apt/sources.list -a -d /etc/apt/sources.list.d ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if [ -f /etc/apt/sources.list -a -d /etc/apt/sources.list.d ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PKGS-7388 --os preqs-met ${PREQS_MET} --weight L --network NO --description "Check security repository in Debian/ubuntu apt sources.list file" Register --test-no PKGS-7388 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check security repository in Debian/ubuntu apt sources.list file"
if [ $SKIPTEST -eq 0 ]; then if [ $SKIPTEST -eq 0 ]; then
FOUND=0 FOUND=0
if [ ! "${OPTION_DEBIAN_SKIP_SECURITY_REPOSITORY}" = "yes" ]; then if [ ! "${OPTION_DEBIAN_SKIP_SECURITY_REPOSITORY}" = "yes" ]; then
@ -646,11 +646,11 @@
logtext "Test: Package database consistency by running apt-get check" logtext "Test: Package database consistency by running apt-get check"
FIND=`/usr/bin/apt-get -q=2 check 2> /dev/null; echo $?` FIND=`/usr/bin/apt-get -q=2 check 2> /dev/null; echo $?`
if [ "${FIND}" = "0" ]; then if [ "${FIND}" = "0" ]; then
Display --indent 2 --text "- Checking APT package database..." --result OK --color GREEN Display --indent 2 --text "- Checking APT package database" --result OK --color GREEN
logtext "Result: package database seems to be consistent." logtext "Result: package database seems to be consistent."
else else
logtext "Result: package database is most likely NOT consistent" logtext "Result: package database is most likely NOT consistent"
Display --indent 2 --text "- Checking APT package database..." --result WARNING --color RED Display --indent 2 --text "- Checking APT package database" --result WARNING --color RED
ReportWarning ${TEST_NO} "M" "apt-get check returned a non successful exit code." ReportWarning ${TEST_NO} "M" "apt-get check returned a non successful exit code."
ReportSuggestion ${TEST_NO} "Run apt-get to perform a manual package database consistency check." ReportSuggestion ${TEST_NO} "Run apt-get to perform a manual package database consistency check."
fi fi
@ -701,7 +701,7 @@
# Show packages which would be upgraded and match 'security' in repository name # Show packages which would be upgraded and match 'security' in repository name
FIND=`/usr/bin/apt-get --dry-run --show-upgraded upgrade 2> /dev/null | grep '-security' | grep "^Inst" | cut -d ' ' -f2 | sort | uniq` FIND=`/usr/bin/apt-get --dry-run --show-upgraded upgrade 2> /dev/null | grep '-security' | grep "^Inst" | cut -d ' ' -f2 | sort | uniq`
if [ ! "${FIND}" = "" ]; then if [ ! "${FIND}" = "" ]; then
#Display --indent 2 --text "- Checking vulnerable packages..." --result WARNING --color RED #Display --indent 2 --text "- Checking vulnerable packages" --result WARNING --color RED
VULNERABLE_PACKAGES_FOUND=1 VULNERABLE_PACKAGES_FOUND=1
SCAN_PERFORMED=1 SCAN_PERFORMED=1
logtext "Result: found vulnerable package(s) via apt-get (-security channel)" logtext "Result: found vulnerable package(s) via apt-get (-security channel)"
@ -716,13 +716,13 @@
if [ ${VULNERABLE_PACKAGES_FOUND} -eq 1 ]; then if [ ${VULNERABLE_PACKAGES_FOUND} -eq 1 ]; then
ReportWarning ${TEST_NO} "M" "Found one or more vulnerable packages." ReportWarning ${TEST_NO} "M" "Found one or more vulnerable packages."
ReportSuggestion ${TEST_NO} "Update your system with apt-get update, apt-get upgrade, apt-get dist-upgrade and/or unattended-upgrades" ReportSuggestion ${TEST_NO} "Update your system with apt-get update, apt-get upgrade, apt-get dist-upgrade and/or unattended-upgrades"
Display --indent 2 --text "- Checking vulnerable packages..." --result WARNING --color RED Display --indent 2 --text "- Checking vulnerable packages" --result WARNING --color RED
else else
Display --indent 2 --text "- Checking vulnerable packages..." --result OK --color GREEN Display --indent 2 --text "- Checking vulnerable packages" --result OK --color GREEN
logtext "Result: no vulnerable packages found" logtext "Result: no vulnerable packages found"
fi fi
else else
Display --indent 2 --text "- Checking vulnerable packages (apt-get only)..." --result DONE --color GREEN Display --indent 2 --text "- Checking vulnerable packages (apt-get only)" --result DONE --color GREEN
logtext "Result: test not fully executed (missing apt-check output)" logtext "Result: test not fully executed (missing apt-check output)"
fi fi
fi fi
@ -741,11 +741,11 @@
FIND=`/usr/bin/apt-show-versions -u | sed 's/ /!space!/g'` FIND=`/usr/bin/apt-show-versions -u | sed 's/ /!space!/g'`
if [ "${FIND}" = "" ]; then if [ "${FIND}" = "" ]; then
logtext "Result: no packages found which can be upgraded" logtext "Result: no packages found which can be upgraded"
Display --indent 2 --text "- Checking upgradeable packages..." --result NONE --color GREEN Display --indent 2 --text "- Checking upgradeable packages" --result NONE --color GREEN
AddHP 3 3 AddHP 3 3
else else
logtext "Result: found one or more packages which can be upgraded" logtext "Result: found one or more packages which can be upgraded"
Display --indent 2 --text "- Checking upgradeable packages..." --result FOUND --color YELLOW Display --indent 2 --text "- Checking upgradeable packages" --result FOUND --color YELLOW
# output: program/repository upgradeable from version X to Y # output: program/repository upgradeable from version X to Y
for I in ${FIND}; do for I in ${FIND}; do
I=`echo ${I} | sed 's/!space!/ /g'` I=`echo ${I} | sed 's/!space!/ /g'`
@ -754,7 +754,7 @@
fi fi
else else
logtext "Result: /usr/bin/apt-show-versions not found" logtext "Result: /usr/bin/apt-show-versions not found"
Display --indent 2 --text "- Checking upgradeable packages..." --result SKIPPED --color WHITE Display --indent 2 --text "- Checking upgradeable packages" --result SKIPPED --color WHITE
ReportSuggestion ${TEST_NO} "Install package apt-show-versions for patch management purposes" ReportSuggestion ${TEST_NO} "Install package apt-show-versions for patch management purposes"
fi fi
fi fi
@ -768,11 +768,11 @@
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: checking for package audit tool" logtext "Test: checking for package audit tool"
if [ ${PKG_AUDIT_TOOL_FOUND} -eq 0 ]; then if [ ${PKG_AUDIT_TOOL_FOUND} -eq 0 ]; then
Display --indent 2 --text "- Checking package audit tool..." --result NONE --color RED Display --indent 2 --text "- Checking package audit tool" --result NONE --color RED
ReportSuggestion ${TEST_NO} "Install a package audit tool to determine vulnerable packages" ReportSuggestion ${TEST_NO} "Install a package audit tool to determine vulnerable packages"
logtext "Result: no package audit tool found" logtext "Result: no package audit tool found"
else else
Display --indent 2 --text "- Checking package audit tool..." --result INSTALLED --color GREEN Display --indent 2 --text "- Checking package audit tool" --result INSTALLED --color GREEN
Display --indent 4 --text "Found: ${PKG_AUDIT_TOOL}" Display --indent 4 --text "Found: ${PKG_AUDIT_TOOL}"
logtext "Result: found package audit tool: ${PKG_AUDIT_TOOL}" logtext "Result: found package audit tool: ${PKG_AUDIT_TOOL}"
fi fi
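Review bot: In the apt-get hunk (`@ -701,7 +701,7 @`), the unchanged `grep '-security'` passes a pattern that begins with a dash, so grep parses it as options rather than as the pattern. GNU grep appears to read it as `-s -e curity`, which means any `Inst` line containing "curity" (for example a package whose name includes "security") sets VULNERABLE_PACKAGES_FOUND, and other grep implementations may reject the argument outright. Since this commit already fixes the `--os preqs-met` typo in PKGS-7388, the same cleanup could make the pattern explicit with `grep -e '-security'`. The enclosing test starts and ends outside the hunk.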


@ -37,7 +37,7 @@
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Searching /usr/sbin/chkprintcap" logtext "Test: Searching /usr/sbin/chkprintcap"
if [ ! -f /usr/sbin/chkprintcap ]; then if [ ! -f /usr/sbin/chkprintcap ]; then
Display --indent 2 --text "- Checking chkprintcap..." --result "NOT FOUND" --color WHITE Display --indent 2 --text "- Checking chkprintcap" --result "NOT FOUND" --color WHITE
logtext "Result: /usr/sbin/chkprintcap NOT found, test skipped." logtext "Result: /usr/sbin/chkprintcap NOT found, test skipped."
else else
logtext "Result: /usr/sbin/chkprintcap found" logtext "Result: /usr/sbin/chkprintcap found"
@ -64,11 +64,11 @@
logtext "Test: Checking cupsd status" logtext "Test: Checking cupsd status"
FIND=`${PSBINARY} ax | grep "cupsd" | grep -v "grep" | grep -v apcupsd` FIND=`${PSBINARY} ax | grep "cupsd" | grep -v "grep" | grep -v apcupsd`
if [ ! "${FIND}" = "" ]; then if [ ! "${FIND}" = "" ]; then
Display --indent 2 --text "- Checking cups daemon..." --result RUNNING --color GREEN Display --indent 2 --text "- Checking cups daemon" --result RUNNING --color GREEN
logtext "Result: cups daemon running" logtext "Result: cups daemon running"
CUPSD_RUNNING=1; PRINTING_DAEMON="cups" CUPSD_RUNNING=1; PRINTING_DAEMON="cups"
else else
Display --indent 2 --text "- Checking cups daemon..." --result "NOT FOUND" --color WHITE Display --indent 2 --text "- Checking cups daemon" --result "NOT FOUND" --color WHITE
logtext "Result: cups daemon not running, cups daemon tests skipped" logtext "Result: cups daemon not running, cups daemon tests skipped"
fi fi
fi fi
@ -88,11 +88,11 @@
fi fi
done done
if [ ! "${CUPSD_CONFIG_FILE}" = "" ]; then if [ ! "${CUPSD_CONFIG_FILE}" = "" ]; then
Display --indent 2 --text "- Checking CUPS configuration file..." --result OK --color GREEN Display --indent 2 --text "- Checking CUPS configuration file" --result OK --color GREEN
logtext "Result: configuration file found (${CUPSD_CONFIG_FILE})" logtext "Result: configuration file found (${CUPSD_CONFIG_FILE})"
CUPSD_FOUND=1 CUPSD_FOUND=1
else else
Display --indent 2 --text "- Checking CUPS configuration file..." --result "NOT FOUND" --color RED Display --indent 2 --text "- Checking CUPS configuration file" --result "NOT FOUND" --color RED
logtext "Result: configuration file not found" logtext "Result: configuration file not found"
logtext "Development: no CUPS configuration file found" logtext "Development: no CUPS configuration file found"
fi fi
@ -164,10 +164,10 @@
done done
if [ ${N} -eq 0 ]; then if [ ${N} -eq 0 ]; then
Display --indent 2 --text "- Checking CUPS addresses/sockets..." --result "NONE" --color WHITE Display --indent 2 --text "- Checking CUPS addresses/sockets" --result "NONE" --color WHITE
logtext "Result: no addresses found on which CUPS daemon is listening" logtext "Result: no addresses found on which CUPS daemon is listening"
else else
Display --indent 2 --text "- Checking CUPS addresses/sockets..." --result "FOUND" --color GREEN Display --indent 2 --text "- Checking CUPS addresses/sockets" --result "FOUND" --color GREEN
logtext "Result: CUPS daemon is listening on network/socket" logtext "Result: CUPS daemon is listening on network/socket"
fi fi
fi fi
@ -199,7 +199,7 @@
#Register --test-no PRNT-23xx--preqs-met ${PREQS_MET} --weight L --network NO --description "Check cupsd address configuration" #Register --test-no PRNT-23xx--preqs-met ${PREQS_MET} --weight L --network NO --description "Check cupsd address configuration"
#if [ ${SKIPTEST} -eq 0 ]; then #if [ ${SKIPTEST} -eq 0 ]; then
#if [ "${OS}" = "Linux" ]; then #if [ "${OS}" = "Linux" ]; then
# echo " - Testing printcap file... [Test not implemented yet]" # echo " - Testing printcap file [Test not implemented yet]"
# # Check printcap with checkpc command # # Check printcap with checkpc command
#fi #fi
# #


@ -46,13 +46,13 @@
# Description : check all console TTYs in which root user can enter single user mode without password # Description : check all console TTYs in which root user can enter single user mode without password
Register --test-no SHLL-6202 --os FreeBSD --weight L --network NO --description "Check console TTYs" Register --test-no SHLL-6202 --os FreeBSD --weight L --network NO --description "Check console TTYs"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Checking console TTYs..." logtext "Test: Checking console TTYs"
FIND=`cat /etc/ttys | egrep '^console' | grep -v 'insecure'` FIND=`cat /etc/ttys | egrep '^console' | grep -v 'insecure'`
if [ "${FIND}" = "" ]; then if [ "${FIND}" = "" ]; then
Display --indent 2 --text "- Checking console TTYs... " --result OK --color GREEN Display --indent 2 --text "- Checking console TTYs" --result OK --color GREEN
logtext "Result: console is secured against single user mode without password." logtext "Result: console is secured against single user mode without password."
else else
Display --indent 2 --text "- Checking console TTYs... " --result WARNING --color RED Display --indent 2 --text "- Checking console TTYs" --result WARNING --color RED
logtext "Result: Found insecure console in /etc/ttys. Single user mode login without password allowed!" logtext "Result: Found insecure console in /etc/ttys. Single user mode login without password allowed!"
logtext "Output /etc/ttys:" logtext "Output /etc/ttys:"
logtext "${FIND}" logtext "${FIND}"
@ -74,13 +74,13 @@
# Description : which shells are available according /etc/shells # Description : which shells are available according /etc/shells
Register --test-no SHLL-6211 --weight L --network NO --description "Checking available and valid shells" Register --test-no SHLL-6211 --weight L --network NO --description "Checking available and valid shells"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Searching for /etc/shells..." logtext "Test: Searching for /etc/shells"
if [ -f /etc/shells ]; then if [ -f /etc/shells ]; then
logtext "Result: Found /etc/shells file" logtext "Result: Found /etc/shells file"
logtext "Test: Reading available shells from /etc/shells" logtext "Test: Reading available shells from /etc/shells"
SSHELLS=`cat /etc/shells | grep "^/"` SSHELLS=`cat /etc/shells | grep "^/"`
CSSHELLS=0; CSSHELLS_ALL=0 CSSHELLS=0; CSSHELLS_ALL=0
Display --indent 2 --text "- Checking shells from /etc/shells..." Display --indent 2 --text "- Checking shells from /etc/shells"
for I in ${SSHELLS}; do for I in ${SSHELLS}; do
CSSHELLS_ALL=`expr ${CSSHELLS_ALL} + 1` CSSHELLS_ALL=`expr ${CSSHELLS_ALL} + 1`
report "available_shell[]=${I}" report "available_shell[]=${I}"
@ -181,15 +181,15 @@
# Description : Check default umask # Description : Check default umask
# Register --test-no SHLL-6240 --weight L --network NO --description "Check default umask" # Register --test-no SHLL-6240 --weight L --network NO --description "Check default umask"
# if [ ${SKIPTEST} -eq 0 ]; then # if [ ${SKIPTEST} -eq 0 ]; then
# logtext "Test: Checking /etc/profile..." # logtext "Test: Checking /etc/profile"
# if [ -f /etc/profile ]; then # if [ -f /etc/profile ]; then
# FIND=`grep "^umask" | awk '{ print $2 }'` # FIND=`grep "^umask" | awk '{ print $2 }'`
# if [ "${FIND}" = "" ]; then # if [ "${FIND}" = "" ]; then
# logtext "Result: xxx" # logtext "Result: xxx"
# Display --indent 2 --text "- Checking default umask... " --result OK --color GREEN # Display --indent 2 --text "- Checking default umask" --result OK --color GREEN
# else # else
# logtext "Result: xxx" # logtext "Result: xxx"
# Display --indent 2 --text "- Checking default umask... " --result WARNING --color RED # Display --indent 2 --text "- Checking default umask" --result WARNING --color RED
# #ReportWarning ${TEST_NO} "M" "xxx" # #ReportWarning ${TEST_NO} "M" "xxx"
# #ReportSuggestion ${TEST_NO} "xxx" # #ReportSuggestion ${TEST_NO} "xxx"
# fi # fi


@ -30,17 +30,17 @@
# Description : Check for a running SNMP daemon # Description : Check for a running SNMP daemon
Register --test-no SNMP-3302 --weight L --network NO --description "Check for running SNMP daemon" Register --test-no SNMP-3302 --weight L --network NO --description "Check for running SNMP daemon"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Searching for a SNMP daemon..." logtext "Test: Searching for a SNMP daemon"
# Check running processes # Check running processes
FIND=`${PSBINARY} ax | grep "snmpd" | grep -v "grep"` IsRunning snmpd
if [ ! "${FIND}" = "" ]; then if [ ${RUNNING} -eq 1 ]; then
SNMP_DAEMON_RUNNING=1 SNMP_DAEMON_RUNNING=1
logtext "Result: SNMP daemon is running" logtext "Result: SNMP daemon is running"
Display --indent 2 --text "- Checking running SNMP daemon..." --result FOUND --color GREEN Display --indent 2 --text "- Checking running SNMP daemon" --result FOUND --color GREEN
else else
logtext "Result: No running SNMP daemon found" logtext "Result: No running SNMP daemon found"
Display --indent 2 --text "- Checking running SNMP daemon..." --result "NOT FOUND" --color WHITE Display --indent 2 --text "- Checking running SNMP daemon" --result "NOT FOUND" --color WHITE
fi fi
fi fi
# #
################################################################################# #################################################################################
@ -51,19 +51,19 @@
Register --test-no SNMP-3304 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check SNMP daemon file location" Register --test-no SNMP-3304 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check SNMP daemon file location"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
logtext "Action: searching for snmpd.conf file" logtext "Action: searching for snmpd.conf file"
for I in ${SNMP_DAEMON_CONFIG_LOCS}; do for I in ${SNMP_DAEMON_CONFIG_LOCS}; do
if [ -f "${I}/snmpd.conf" ]; then if [ -f "${I}/snmpd.conf" ]; then
logtext "Result: ${I}/snmpd.conf exists" logtext "Result: ${I}/snmpd.conf exists"
SNMPD_DAEMON_CONFIG="${I}/snmpd.conf" SNMPD_DAEMON_CONFIG="${I}/snmpd.conf"
fi fi
done done
if [ "${SNMPD_DAEMON_CONFIG}" = "" ]; then if [ "${SNMPD_DAEMON_CONFIG}" = "" ]; then
logtext "Result: No snmpd configuration found" logtext "Result: No snmpd configuration found"
Display --indent 4 --text "- Checking SNMP configuration..." --result "NOT FOUND" --color WHITE Display --indent 4 --text "- Checking SNMP configuration" --result "NOT FOUND" --color WHITE
else else
logtext "Restult: using last found configuration file: ${SNMPD_DAEMON_CONFIG}" logtext "Restult: using last found configuration file: ${SNMPD_DAEMON_CONFIG}"
Display --indent 4 --text "- Checking SNMP configuration..." --result "FOUND" --color GREEN Display --indent 4 --text "- Checking SNMP configuration" --result "FOUND" --color GREEN
fi fi
fi fi
# #
################################################################################# #################################################################################
@ -87,10 +87,10 @@
# Check status of test # Check status of test
if [ ${WARN} -eq 0 ]; then if [ ${WARN} -eq 0 ]; then
Display --indent 2 --text "- Checking SNMP community strings..." --result OK --color GREEN Display --indent 2 --text "- Checking SNMP community strings" --result OK --color GREEN
AddHP 2 2 AddHP 2 2
else else
Display --indent 2 --text "- Checking SNMP community strings..." --result WARNING --color RED Display --indent 2 --text "- Checking SNMP community strings" --result WARNING --color RED
ReportWarning ${TEST_NO} "M" "Found easy guessable SNMP community string" ReportWarning ${TEST_NO} "M" "Found easy guessable SNMP community string"
fi fi
fi fi
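Review bot: The new `if [ ${RUNNING} -eq 1 ]` in SNMP-3302 relies on `IsRunning` always leaving a number in RUNNING, and that helper's definition is not visible in this section. If it ever leaves RUNNING unset or empty, the test expands to `[ -eq 1 ]`, prints an error and falls into the NOT FOUND branch, so a running snmpd would be reported as absent and SNMP_DAEMON_RUNNING never set. Quoting with a default keeps the check well-formed: `if [ "${RUNNING:-0}" -eq 1 ]; then`. It would also help to confirm how `IsRunning snmpd` matches process names, since the old `grep "snmpd"` was a substring match and the two may not agree.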


@ -5,8 +5,8 @@
# Lynis # Lynis
# ------------------ # ------------------
# #
# Copyright 2007-2014, Michael Boelen (michael@rootkit.nl), The Netherlands # Copyright 2007-2014, Michael Boelen (michael.boelen@cisofy.com), The Netherlands
# Web site: http://www.rootkit.nl # Web site: http://cisofy.com
# #
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License. # welcome to redistribute it under the terms of the GNU General Public License.
@ -26,17 +26,17 @@
# Description : Check if Stop-A is disabled # Description : Check if Stop-A is disabled
# Register --test-no SOL-xxxx --weight L --network NO --description "Check for running SSH daemon" # Register --test-no SOL-xxxx --weight L --network NO --description "Check for running SSH daemon"
# if [ ${SKIPTEST} -eq 0 ]; then # if [ ${SKIPTEST} -eq 0 ]; then
# logtext "Test: Searching for a SSH daemon..." # logtext "Test: Searching for a SSH daemon"
# # Check running processes # # Check running processes
# FIND=`${PSBINARY} ax | grep "sshd" | grep -v "grep"` # FIND=`${PSBINARY} ax | grep "sshd" | grep -v "grep"`
# if [ ! "${FIND}" = "" ]; then # if [ ! "${FIND}" = "" ]; then
# SSH_DAEMON_RUNNING=1 # SSH_DAEMON_RUNNING=1
# logtext "Result: Stop-A is disabled" # logtext "Result: Stop-A is disabled"
# Display --indent 2 --text "- Checking running SSH daemon..." --result FOUND --color GREEN # Display --indent 2 --text "- Checking running SSH daemon" --result FOUND --color GREEN
# else # else
# logtext "Result: Stop-A is NOT disabled" # logtext "Result: Stop-A is NOT disabled"
# Display --indent 2 --text "- Checking running SSH daemon..." --result "NOT FOUND" --color WHITE # Display --indent 2 --text "- Checking running SSH daemon" --result "NOT FOUND" --color WHITE
# fi # fi
# fi # fi
# #
################################################################################# #################################################################################
@ -45,17 +45,17 @@
# Description : Check if vold is disabled, to disallow unaudited mounts # Description : Check if vold is disabled, to disallow unaudited mounts
# Register --test-no SOL-xxxx --weight L --network NO --description "Check for running SSH daemon" # Register --test-no SOL-xxxx --weight L --network NO --description "Check for running SSH daemon"
# if [ ${SKIPTEST} -eq 0 ]; then # if [ ${SKIPTEST} -eq 0 ]; then
# logtext "Test: Searching for a SSH daemon..." # logtext "Test: Searching for a SSH daemon"
# # Check running processes # # Check running processes
# FIND=`${PSBINARY} ax | grep "sshd" | grep -v "grep"` # FIND=`${PSBINARY} ax | grep "sshd" | grep -v "grep"`
# if [ ! "${FIND}" = "" ]; then # if [ ! "${FIND}" = "" ]; then
# SSH_DAEMON_RUNNING=1 # SSH_DAEMON_RUNNING=1
# logtext "Result: Stop-A is disabled" # logtext "Result: Stop-A is disabled"
# Display --indent 2 --text "- Checking running SSH daemon..." --result FOUND --color GREEN # Display --indent 2 --text "- Checking running SSH daemon" --result FOUND --color GREEN
# else # else
# logtext "Result: Stop-A is NOT disabled" # logtext "Result: Stop-A is NOT disabled"
# Display --indent 2 --text "- Checking running SSH daemon..." --result "NOT FOUND" --color WHITE # Display --indent 2 --text "- Checking running SSH daemon" --result "NOT FOUND" --color WHITE
# fi # fi
# fi # fi
# #


@ -35,17 +35,17 @@
# programs. # programs.
Register --test-no SQD-3602 --weight L --network NO --description "Check for running Squid daemon" Register --test-no SQD-3602 --weight L --network NO --description "Check for running Squid daemon"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Searching for a Squid daemon..." logtext "Test: Searching for a Squid daemon"
FOUND=0 FOUND=0
# Check running processes # Check running processes
FIND=`${PSBINARY} ax | egrep "(squid|squid3) " | grep -v "grep"` FIND=`${PSBINARY} ax | egrep "(squid|squid3) " | grep -v "grep"`
if [ ! "${FIND}" = "" ]; then if [ ! "${FIND}" = "" ]; then
SQUID_DAEMON_RUNNING=1 SQUID_DAEMON_RUNNING=1
logtext "Result: Squid daemon is running" logtext "Result: Squid daemon is running"
Display --indent 2 --text "- Checking running Squid daemon..." --result FOUND --color GREEN Display --indent 2 --text "- Checking running Squid daemon" --result FOUND --color GREEN
else else
logtext "Result: No running Squid daemon found" logtext "Result: No running Squid daemon found"
Display --indent 2 --text "- Checking running Squid daemon..." --result "NOT FOUND" --color WHITE Display --indent 2 --text "- Checking running Squid daemon" --result "NOT FOUND" --color WHITE
fi fi
fi fi
# #
@ -71,10 +71,10 @@
done done
if [ "${SQUID_DAEMON_CONFIG}" = "" ]; then if [ "${SQUID_DAEMON_CONFIG}" = "" ]; then
logtext "Result: No Squid configuration file found" logtext "Result: No Squid configuration file found"
Display --indent 4 --text "- Searching Squid configuration file..." --result "NOT FOUND" --color YELLOW Display --indent 4 --text "- Searching Squid configuration file" --result "NOT FOUND" --color YELLOW
else else
logtext "Result: using last found configuration file: ${SQUID_DAEMON_CONFIG}" logtext "Result: using last found configuration file: ${SQUID_DAEMON_CONFIG}"
Display --indent 4 --text "- Searching Squid configuration..." --result FOUND --color GREEN Display --indent 4 --text "- Searching Squid configuration" --result FOUND --color GREEN
fi fi
fi fi
# #
@ -85,21 +85,21 @@
if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! "${SQUID_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! "${SQUID_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no SQD-3606 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check Squid version" Register --test-no SQD-3606 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check Squid version"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
if [ ! "${SQUIDBINARY}" = "" ]; then if [ ! "${SQUIDBINARY}" = "" ]; then
logtext "Result: Squid binary found (${SQUIDBINARY})" logtext "Result: Squid binary found (${SQUIDBINARY})"
# Skip check if a setuid/setgid bit is found # Skip check if a setuid/setgid bit is found
FIND=`find ${SQUIDBINARY} \( -perm 4000 -o -perm 2000 \) -print` FIND=`find ${SQUIDBINARY} \( -perm 4000 -o -perm 2000 \) -print`
if [ "${FIND}" = "" ]; then if [ "${FIND}" = "" ]; then
FIND2=`${SQUIDBINARY} -v | awk '{ if ($3=="Version") { print $4 } }'` FIND2=`${SQUIDBINARY} -v | awk '{ if ($3=="Version") { print $4 } }'`
Display --indent 4 --text "- Checking Squid version..." --result "FOUND" --color GREEN Display --indent 4 --text "- Checking Squid version" --result "FOUND" --color GREEN
SQUID_VERSION="${FIND2}" SQUID_VERSION="${FIND2}"
else else
logtext "Result: test skipped for security reasons, setuid/setgid bit set" logtext "Result: test skipped for security reasons, setuid/setgid bit set"
Display --indent 4 --text "- Checking Squid version..." --result "SKIPPED" --color RED Display --indent 4 --text "- Checking Squid version" --result "SKIPPED" --color RED
fi fi
else else
logtext "Result: no Squid binary found" logtext "Result: no Squid binary found"
fi fi
fi fi
# #
################################################################################# #################################################################################
@ -119,12 +119,13 @@
Register --test-no SQD-3610 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check Squid version" Register --test-no SQD-3610 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check Squid version"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Checking all specific defined options in ${SQUID_DAEMON_CONFIG}" logtext "Test: Checking all specific defined options in ${SQUID_DAEMON_CONFIG}"
FIND=`cat ${SQUID_DAEMON_CONFIG} | grep -v "^#" | grep -v "^$" | ${AWKBINARY} '{gsub("\t"," ");print}' | sed 's/ /!space!/g'` FIND=`cat ${SQUID_DAEMON_CONFIG} | grep -v "^#" | grep -v "^$" | ${AWKBINARY} '{gsub("\t"," ");print}' | sed 's/ /!space!/g'`
for I in ${FIND}; do for I in ${FIND}; do
I=`echo ${I} | sed 's/!space!/ /g'` I=`echo ${I} | sed 's/!space!/ /g'`
logtext "Found Squid option: ${I}" logtext "Found Squid option: ${I}"
done report "squid_option=${I}"
Display --indent 4 --text "- Checking defined Squid options..." --result "DONE" --color GREEN done
Display --indent 4 --text "- Checking defined Squid options" --result "DONE" --color GREEN
fi fi
# #
################################################################################# #################################################################################
@ -147,13 +148,13 @@
FIND=`find ${SQUID_DAEMON_CONFIG} -type f -a \( -perm -004 -o -perm -002 -o -perm -001 \)` FIND=`find ${SQUID_DAEMON_CONFIG} -type f -a \( -perm -004 -o -perm -002 -o -perm -001 \)`
if [ ! "${FIND}" = "" ]; then if [ ! "${FIND}" = "" ]; then
logtext "Result: file ${SQUID_DAEMON_CONFIG} is world readable, writable or executable and could leak information or passwords" logtext "Result: file ${SQUID_DAEMON_CONFIG} is world readable, writable or executable and could leak information or passwords"
Display --indent 4 --text "- Checking Squid configuration file permissions..." --result WARNING --color RED Display --indent 4 --text "- Checking Squid configuration file permissions" --result WARNING --color RED
ReportSuggestion ${TEST_NO} "Check file permissions of ${SQUID_DAEMON_CONFIG} to limit access" ReportSuggestion ${TEST_NO} "Check file permissions of ${SQUID_DAEMON_CONFIG} to limit access"
ReportWarning ${TEST_NO} "M" "File permissions of ${SQUID_DAEMON_CONFIG} are not restrictive" ReportWarning ${TEST_NO} "M" "File permissions of ${SQUID_DAEMON_CONFIG} are not restrictive"
AddHP 0 2 AddHP 0 2
else else
logtext "Result: file ${SQUID_DAEMON_CONFIG} has proper file permissions" logtext "Result: file ${SQUID_DAEMON_CONFIG} has proper file permissions"
Display --indent 4 --text "- Checking Squid configuration file permissions..." --result OK --color GREEN Display --indent 4 --text "- Checking Squid configuration file permissions" --result OK --color GREEN
AddHP 2 2 AddHP 2 2
fi fi
fi fi
@ -161,7 +162,7 @@
################################################################################# #################################################################################
# #
if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! "${SQUID_DAEMON_CONFIG}" = "" ]; then if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! "${SQUID_DAEMON_CONFIG}" = "" ]; then
Display --indent 4 --text "- Checking Squid access control..." Display --indent 4 --text "- Checking Squid access control"
fi fi
# #
################################################################################# #################################################################################
@ -171,18 +172,18 @@
if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! "${SQUID_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! "${SQUID_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no SQD-3614 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check Squid authentication methods" Register --test-no SQD-3614 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check Squid authentication methods"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: check auth_param option for authentication methods" logtext "Test: check auth_param option for authentication methods"
FIND=`grep "^auth_param" ${SQUID_DAEMON_CONFIG} | awk '{ print $2 }'` FIND=`grep "^auth_param" ${SQUID_DAEMON_CONFIG} | awk '{ print $2 }'`
if [ "${FIND}" = "" ]; then if [ "${FIND}" = "" ]; then
logtext "No auth_param option found, proxy access anonymous or based on other methods (like ACLs)" logtext "No auth_param option found, proxy access anonymous or based on other methods (like ACLs)"
Display --indent 6 --text "- Checking Squid authentication methods..." --result "NONE" --color YELLOW Display --indent 6 --text "- Checking Squid authentication methods" --result "NONE" --color YELLOW
else else
Display --indent 6 --text "- Checking Squid authentication methods..." --result "FOUND" --color GREEN Display --indent 6 --text "- Checking Squid authentication methods" --result "FOUND" --color GREEN
for I in ${FIND}; do for I in ${FIND}; do
logtext "Result: found authentication method ${I}" logtext "Result: found authentication method ${I}"
report "squid_auth_method=${I}" report "squid_auth_method=${I}"
done done
fi fi
fi fi
# #
################################################################################# #################################################################################
@ -192,19 +193,19 @@
if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! "${SQUID_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! "${SQUID_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no SQD-3616 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check external Squid authentication" Register --test-no SQD-3616 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check external Squid authentication"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: check external_acl_type option for external authentication helpers" logtext "Test: check external_acl_type option for external authentication helpers"
FIND=`grep "^external_acl_type" ${SQUID_DAEMON_CONFIG}` FIND=`grep "^external_acl_type" ${SQUID_DAEMON_CONFIG}`
if [ "${FIND}" = "" ]; then if [ "${FIND}" = "" ]; then
logtext "No external_acl_type found" logtext "No external_acl_type found"
Display --indent 6 --text "- Checking Squid external authentication methods..." --result "NONE" --color YELLOW Display --indent 6 --text "- Checking Squid external authentication methods" --result "NONE" --color YELLOW
else else
Display --indent 6 --text "- Checking Squid external authentication methods..." --result "FOUND" --color GREEN Display --indent 6 --text "- Checking Squid external authentication methods" --result "FOUND" --color GREEN
for I in ${FIND}; do for I in ${FIND}; do
logtext "Result: found external authentication method helper" logtext "Result: found external authentication method helper"
logtext "Output: ${FIND}" logtext "Output: ${FIND}"
#report "squid_external_acl_type=TRUE" #report "squid_external_acl_type=TRUE"
done done
fi fi
fi fi
# #
################################################################################# #################################################################################
@ -214,22 +215,22 @@
if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! "${SQUID_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! "${SQUID_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no SQD-3620 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check Squid access control lists" Register --test-no SQD-3620 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check Squid access control lists"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
N=0 N=0
logtext "Test: checking ACLs" logtext "Test: checking ACLs"
FIND=`grep "^acl " ${SQUID_DAEMON_CONFIG} | sed 's/ /!space!/g'` FIND=`grep "^acl " ${SQUID_DAEMON_CONFIG} | sed 's/ /!space!/g'`
if [ "${FIND}" = "" ]; then if [ "${FIND}" = "" ]; then
logtext "Result: No ACLs found" logtext "Result: No ACLs found"
Display --indent 6 --text "- Checking Access Control Lists..." --result "NONE" --color RED Display --indent 6 --text "- Checking Access Control Lists" --result "NONE" --color RED
else else
for I in ${FIND}; do for I in ${FIND}; do
N=`expr ${N} + 1` N=`expr ${N} + 1`
I=`echo ${I} | sed 's/!space!/ /g'` I=`echo ${I} | sed 's/!space!/ /g'`
logtext "Found ACL: ${I}" logtext "Found ACL: ${I}"
#report "squid_acl=${I}" #report "squid_acl=${I}"
done done
logtext "Result: Found ${N} ACLs" logtext "Result: Found ${N} ACLs"
Display --indent 6 --text "- Checking Access Control Lists..." --result "${N} ACLs FOUND" --color GREEN Display --indent 6 --text "- Checking Access Control Lists" --result "${N} ACLs FOUND" --color GREEN
fi fi
fi fi
# #
################################################################################# #################################################################################
@ -239,48 +240,48 @@
if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! "${SQUID_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! "${SQUID_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no SQD-3624 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check Squid safe ports" Register --test-no SQD-3624 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check Squid safe ports"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
N=0 N=0
logtext "Test: checking ACL Safe_ports http_access option" logtext "Test: checking ACL Safe_ports http_access option"
FIND=`grep "^http_access" ${SQUID_DAEMON_CONFIG} | grep "Safe_ports"` FIND=`grep "^http_access" ${SQUID_DAEMON_CONFIG} | grep "Safe_ports"`
if [ "${FIND}" = "" ]; then if [ "${FIND}" = "" ]; then
logtext "Result: no Safe_ports found" logtext "Result: no Safe_ports found"
Display --indent 6 --text "- Checking ACL 'Safe_ports' http_access option..." --result "NOT FOUND" --color YELLOW Display --indent 6 --text "- Checking ACL 'Safe_ports' http_access option" --result "NOT FOUND" --color YELLOW
ReportSuggestion ${TEST_NO} "Check if Squid has been configured to restrict access to all safe ports" ReportSuggestion ${TEST_NO} "Check if Squid has been configured to restrict access to all safe ports"
else else
logtext "Result: checking ACL safe ports" logtext "Result: checking ACL safe ports"
FIND2=`grep "^acl Safe_ports port" ${SQUID_DAEMON_CONFIG} | awk '{ print $4 }'` FIND2=`grep "^acl Safe_ports port" ${SQUID_DAEMON_CONFIG} | awk '{ print $4 }'`
if [ "${FIND2}" = "" ]; then if [ "${FIND2}" = "" ]; then
Display --indent 6 --text "- Checking ACL 'Safe_ports' ports..." --result "NONE FOUND" --color YELLOW Display --indent 6 --text "- Checking ACL 'Safe_ports' ports" --result "NONE FOUND" --color YELLOW
ReportSuggestion ${TEST_NO} "Check if Squid has been configured for which ports it can allow outgoing traffic (Safe_ports)" ReportSuggestion ${TEST_NO} "Check if Squid has been configured for which ports it can allow outgoing traffic (Safe_ports)"
AddHP 0 1 AddHP 0 1
else else
logtext "Result: Safe_ports found" logtext "Result: Safe_ports found"
for I in ${FIND}; do for I in ${FIND}; do
logtext "Found safe port: ${I}" logtext "Found safe port: ${I}"
done done
Display --indent 6 --text "- Checking ACL 'Safe_ports' ports..." --result "FOUND" --color GREEN Display --indent 6 --text "- Checking ACL 'Safe_ports' ports" --result "FOUND" --color GREEN
AddHP 1 1 AddHP 1 1
fi fi
#SQUID_DAEMON_UNSAFE_PORTS_LIST #SQUID_DAEMON_UNSAFE_PORTS_LIST
for I in ${SQUID_DAEMON_UNSAFE_PORTS_LIST}; do for I in ${SQUID_DAEMON_UNSAFE_PORTS_LIST}; do
logtext "Test: Checking port ${I} in Safe_ports list" logtext "Test: Checking port ${I} in Safe_ports list"
FIND2=`grep "^acl Safe_ports port ${I}" ${SQUID_DAEMON_CONFIG}` FIND2=`grep "^acl Safe_ports port ${I}" ${SQUID_DAEMON_CONFIG}`
if [ "${FIND2}" = "" ]; then if [ "${FIND2}" = "" ]; then
Display --indent 6 --text "- Checking ACL 'Safe_ports' (port ${I})..." --result "NOT FOUND" --color GREEN Display --indent 6 --text "- Checking ACL 'Safe_ports' (port ${I})" --result "NOT FOUND" --color GREEN
AddHP 1 1 AddHP 1 1
else else
Display --indent 6 --text "- Checking ACL 'Safe_ports' (port ${I})..." --result "FOUND" --color RED Display --indent 6 --text "- Checking ACL 'Safe_ports' (port ${I})" --result "FOUND" --color RED
ReportWarning ${TEST_NO} "H" "Squid configuration possibly allows relaying traffic via configured Safe_port ${I}" ReportWarning ${TEST_NO} "H" "Squid configuration possibly allows relaying traffic via configured Safe_port ${I}"
AddHP 0 1 AddHP 0 1
fi fi
done done
fi fi
fi fi
# #
################################################################################# #################################################################################
# #
if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! "${SQUID_DAEMON_CONFIG}" = "" ]; then if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! "${SQUID_DAEMON_CONFIG}" = "" ]; then
Display --indent 4 --text "- Checking Squid Denial of Service tuning options..." Display --indent 4 --text "- Checking Squid Denial of Service tuning options"
fi fi
# #
################################################################################# #################################################################################
@ -309,7 +310,7 @@
################################################################################# #################################################################################
# #
if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! "${SQUID_DAEMON_CONFIG}" = "" ]; then if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! "${SQUID_DAEMON_CONFIG}" = "" ]; then
Display --indent 4 --text "- Checking Squid general options..." Display --indent 4 --text "- Checking Squid general options"
fi fi
# #
################################################################################# #################################################################################
@ -340,10 +341,10 @@
# Squid # Squid
#Hardening: #Hardening:
# $1 $3 # $1 $3
# acl snmp_community # acl snmp_community
# acl maxconn # acl maxconn
# acl max_user_ip # acl max_user_ip
# #
# follow_x_forwarded_for # follow_x_forwarded_for
#Read cache_peer host type(sibling/parent) proxyport icpport options (if set, icp_access should be set as well) #Read cache_peer host type(sibling/parent) proxyport icpport options (if set, icp_access should be set as well)
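Review bot: The added `report "squid_option=${I}"` in the SQD-3610 loop copies every non-comment line of squid.conf into the report, and such lines can carry credentials (for example a `login=` value on `cache_peer`, or helper arguments on `auth_param`); the permissions test later in this same file already warns that the config "could leak information or passwords". The report may be stored or forwarded under looser access controls than the config itself, so I would record only the directive name, e.g. ``OPTION=`echo ${I} | awk '{ print $1 }'` `` followed by `report "squid_option=${OPTION}"`, or skip directives known to hold secrets. The existing `logtext "Found Squid option: ${I}"` exposes the same values in the log file. The prerequisite line for this test sits above the hunk and is not visible here.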


@ -33,13 +33,13 @@
# Description : Check for a running SSH daemon # Description : Check for a running SSH daemon
Register --test-no SSH-7402 --weight L --network NO --description "Check for running SSH daemon" Register --test-no SSH-7402 --weight L --network NO --description "Check for running SSH daemon"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Searching for a SSH daemon..." logtext "Test: Searching for a SSH daemon"
IsRunning sshd IsRunning sshd
if [ ${RUNNING} -eq 1 ]; then if [ ${RUNNING} -eq 1 ]; then
SSH_DAEMON_RUNNING=1 SSH_DAEMON_RUNNING=1
Display --indent 2 --text "- Checking running SSH daemon..." --result FOUND --color GREEN Display --indent 2 --text "- Checking running SSH daemon" --result FOUND --color GREEN
else else
Display --indent 2 --text "- Checking running SSH daemon..." --result "NOT FOUND" --color WHITE Display --indent 2 --text "- Checking running SSH daemon" --result "NOT FOUND" --color WHITE
fi fi
fi fi
# #
@ -70,11 +70,11 @@
done done
if [ "${SSH_DAEMON_CONFIG}" = "" ]; then if [ "${SSH_DAEMON_CONFIG}" = "" ]; then
logtext "Result: No sshd configuration found" logtext "Result: No sshd configuration found"
Display --indent 4 --text "- Searching SSH configuration..." --result "NOT FOUND" --color YELLOW Display --indent 4 --text "- Searching SSH configuration" --result "NOT FOUND" --color YELLOW
ReportException "${TEST_NO}:1" "SSH daemon is running, but no readable configuration file found" ReportException "${TEST_NO}:1" "SSH daemon is running, but no readable configuration file found"
else else
logtext "Result: using last found configuration file: ${SSH_DAEMON_CONFIG}" logtext "Result: using last found configuration file: ${SSH_DAEMON_CONFIG}"
Display --indent 4 --text "- Searching SSH configuration..." --result FOUND --color GREEN Display --indent 4 --text "- Searching SSH configuration" --result FOUND --color GREEN
fi fi
fi fi
# #
@ -85,16 +85,16 @@
# if [ ${SSH_DAEMON_RUNNING} -eq 1 -a ! "${SSH_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi # if [ ${SSH_DAEMON_RUNNING} -eq 1 -a ! "${SSH_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
# Register --test-no SSH-7406 --preqs-met ${PREQS_MET} --weight L --network NO --description "SSH daemon listening port" # Register --test-no SSH-7406 --preqs-met ${PREQS_MET} --weight L --network NO --description "SSH daemon listening port"
# if [ ${SKIPTEST} -eq 0 ]; then # if [ ${SKIPTEST} -eq 0 ]; then
# logtext "Test: Searching for a SSH daemon..." # logtext "Test: Searching for a SSH daemon"
# CheckOption "^Port " ${SSH_DAEMON_CONFIG} # CheckOption "^Port " ${SSH_DAEMON_CONFIG}
# if [ ${FOUND} -eq 1 ]; then # if [ ${FOUND} -eq 1 ]; then
# FIND=`echo ${FIND} | awk '{ if ($1=="Port") { print $2 }}'` # FIND=`echo ${FIND} | awk '{ if ($1=="Port") { print $2 }}'`
# # Check if this output is numeric and usuable for later (e.g. in netstat output) # # Check if this output is numeric and usuable for later (e.g. in netstat output)
# Display --indent 2 --text "- Checking SSH listening port..." --result FOUND --color GREEN # Display --indent 2 --text "- Checking SSH listening port" --result FOUND --color GREEN
# logtext "Result: setting port number to ${FIND}" # logtext "Result: setting port number to ${FIND}"
# SSH_DAEMON_PORT="${FIND}" # SSH_DAEMON_PORT="${FIND}"
# else # else
# Display --indent 2 --text "- Checking SSH listening port..." --result "NOT FOUND" --color WHITE # Display --indent 2 --text "- Checking SSH listening port" --result "NOT FOUND" --color WHITE
# logtext "Result: setting port to default number, as no other port has been configured" # logtext "Result: setting port to default number, as no other port has been configured"
# SSH_DAEMON_PORT="22" # SSH_DAEMON_PORT="22"
# fi # fi
@ -113,7 +113,7 @@
I=`echo ${I} | sed 's/!space!/ /g'` I=`echo ${I} | sed 's/!space!/ /g'`
logtext "Found SSH option: ${I}" logtext "Found SSH option: ${I}"
done done
Display --indent 4 --text "- Checking defined SSH options..." --result "DONE" --color GREEN Display --indent 4 --text "- Checking defined SSH options" --result "DONE" --color GREEN
fi fi
# #
################################################################################# #################################################################################
@ -127,18 +127,18 @@
FIND=`cat ${SSH_DAEMON_CONFIG} | grep "^PermitRootLogin" | awk '{ print $2 }'` FIND=`cat ${SSH_DAEMON_CONFIG} | grep "^PermitRootLogin" | awk '{ print $2 }'`
if [ "${FIND}" = "yes" -o "${FIND}" = "YES" -o "${FIND}" = "Yes" ]; then if [ "${FIND}" = "yes" -o "${FIND}" = "YES" -o "${FIND}" = "Yes" ]; then
logtext "Result: PermitRootLogin is enabled, root can login directly" logtext "Result: PermitRootLogin is enabled, root can login directly"
Display --indent 4 --text "- SSH option: PermitRootLogin..." --result WARNING --color RED Display --indent 4 --text "- SSH option: PermitRootLogin" --result WARNING --color RED
ReportWarning ${TEST_NO} "M" "Root can directly login via SSH" ReportWarning ${TEST_NO} "M" "Root can directly login via SSH"
AddHP 0 3 AddHP 0 3
else else
# YYY add test for DenyUsers root # YYY add test for DenyUsers root
if [ "${FIND}" = "no" -o "${FIND}" = "No" ]; then if [ "${FIND}" = "no" -o "${FIND}" = "No" ]; then
logtext "Result: PermitRootLogin is disabled. Root can't login directly" logtext "Result: PermitRootLogin is disabled. Root can't login directly"
Display --indent 4 --text "- SSH option: PermitRootLogin..." --result DISABLED --color GREEN Display --indent 4 --text "- SSH option: PermitRootLogin" --result DISABLED --color GREEN
AddHP 3 3 AddHP 3 3
else else
logtext "Result: Value of PermitRootLogin is unknown (not defined)" logtext "Result: Value of PermitRootLogin is unknown (not defined)"
Display --indent 4 --text "- SSH option: PermitRootLogin..." --result DEFAULT --color WHITE Display --indent 4 --text "- SSH option: PermitRootLogin" --result DEFAULT --color WHITE
fi fi
fi fi
fi fi
@ -154,17 +154,17 @@
FIND=`cat ${SSH_DAEMON_CONFIG} | grep "^Protocol" | awk '{ print $2 }'` FIND=`cat ${SSH_DAEMON_CONFIG} | grep "^Protocol" | awk '{ print $2 }'`
if [ "${FIND}" = "1" -o "${FIND}" = "2,1" -o "${FIND}" = "1,2" ]; then if [ "${FIND}" = "1" -o "${FIND}" = "2,1" -o "${FIND}" = "1,2" ]; then
logtext "Result: Protocol option is set to allow SSH protocol version 1" logtext "Result: Protocol option is set to allow SSH protocol version 1"
Display --indent 4 --text "- SSH option: Protocol..." --result WARNING --color RED Display --indent 4 --text "- SSH option: Protocol" --result WARNING --color RED
ReportWarning ${TEST_NO} "M" "SSH protocol version 1 is allowed" ReportWarning ${TEST_NO} "M" "SSH protocol version 1 is allowed"
AddHP 0 3 AddHP 0 3
else else
if [ "${FIND}" = "2" ]; then if [ "${FIND}" = "2" ]; then
logtext "Result: only protocol 2 is allowed" logtext "Result: only protocol 2 is allowed"
Display --indent 4 --text "- SSH option: Protocol..." --result OK --color GREEN Display --indent 4 --text "- SSH option: Protocol" --result OK --color GREEN
AddHP 3 3 AddHP 3 3
else else
logtext "Result: value of Protocol is unknown (not defined)" logtext "Result: value of Protocol is unknown (not defined)"
Display --indent 4 --text "- SSH option: Protocol..." --result DEFAULT --color WHITE Display --indent 4 --text "- SSH option: Protocol" --result DEFAULT --color WHITE
fi fi
fi fi
fi fi
@ -180,18 +180,18 @@
FIND=`cat ${SSH_DAEMON_CONFIG} | grep "^StrictModes" | awk '{ print $2 }'` FIND=`cat ${SSH_DAEMON_CONFIG} | grep "^StrictModes" | awk '{ print $2 }'`
if [ "${FIND}" = "no" -o "${FIND}" = "NO" -o "${FIND}" = "No" ]; then if [ "${FIND}" = "no" -o "${FIND}" = "NO" -o "${FIND}" = "No" ]; then
logtext "Result: StrictModes option is set to 'no', which means file permissions are NOT checked" logtext "Result: StrictModes option is set to 'no', which means file permissions are NOT checked"
Display --indent 4 --text "- SSH option: StrictModes..." --result WARNING --color RED Display --indent 4 --text "- SSH option: StrictModes" --result WARNING --color RED
ReportWarning ${TEST_NO} "M" "StrictModes is turned off" ReportWarning ${TEST_NO} "M" "StrictModes is turned off"
ReportSuggestion ${TEST_NO} "Check StrictModes option in sshd_config" ReportSuggestion ${TEST_NO} "Check StrictModes option in sshd_config"
AddHP 0 3 AddHP 0 3
else else
if [ "${FIND}" = "yes" -o "${FIND}" = "YES" -o "${FIND}" = "Yes" ]; then if [ "${FIND}" = "yes" -o "${FIND}" = "YES" -o "${FIND}" = "Yes" ]; then
logtext "Result: StrictModes active, file permissions are checked" logtext "Result: StrictModes active, file permissions are checked"
Display --indent 4 --text "- SSH option: StrictModes..." --result OK --color GREEN Display --indent 4 --text "- SSH option: StrictModes" --result OK --color GREEN
AddHP 3 3 AddHP 3 3
else else
logtext "Result: value of StrictModes is unknown (not defined)" logtext "Result: value of StrictModes is unknown (not defined)"
Display --indent 4 --text "- SSH option: StrictModes..." --result DEFAULT --color WHITE Display --indent 4 --text "- SSH option: StrictModes" --result DEFAULT --color WHITE
fi fi
fi fi
fi fi
@ -207,17 +207,17 @@
# FIND=`cat ${SSH_DAEMON_CONFIG} | grep "^Port" | awk '{ if ($2!="22") { print $2 } }'` # FIND=`cat ${SSH_DAEMON_CONFIG} | grep "^Port" | awk '{ if ($2!="22") { print $2 } }'`
# if [ "${FIND}" = "1" -o "${FIND}" = "2,1" -o "${FIND}" = "1,2" ]; then # if [ "${FIND}" = "1" -o "${FIND}" = "2,1" -o "${FIND}" = "1,2" ]; then
# logtext "Result: Protocol option is set to allow SSH protocol version 1" # logtext "Result: Protocol option is set to allow SSH protocol version 1"
# Display --indent 4 --text "- SSH option: Protocol..." --result WARNING --color RED # Display --indent 4 --text "- SSH option: Protocol" --result WARNING --color RED
# ReportWarning ${TEST_NO} "M" "SSH protocol version 1 is allowed" # ReportWarning ${TEST_NO} "M" "SSH protocol version 1 is allowed"
# AddHP 0 3 # AddHP 0 3
# else # else
# if [ "${FIND}" = "2" ]; then # if [ "${FIND}" = "2" ]; then
# logtext "Result: only protocol 2 is allowed" # logtext "Result: only protocol 2 is allowed"
# Display --indent 4 --text "- SSH option: Protocol..." --result OK --color GREEN # Display --indent 4 --text "- SSH option: Protocol" --result OK --color GREEN
# AddHP 3 3 # AddHP 3 3
# else # else
# logtext "Result: value of Protocol is unknown (not defined)" # logtext "Result: value of Protocol is unknown (not defined)"
# Display --indent 4 --text "- SSH option: Protocol..." --result DEFAULT --color WHITE # Display --indent 4 --text "- SSH option: Protocol" --result DEFAULT --color WHITE
# fi # fi
# fi # fi
# fi # fi
@ -235,22 +235,22 @@
FIND=`egrep "^AllowUsers" ${SSH_DAEMON_CONFIG} | awk '{ print $2 }'` FIND=`egrep "^AllowUsers" ${SSH_DAEMON_CONFIG} | awk '{ print $2 }'`
if [ ! "${FIND}" = "" ]; then if [ ! "${FIND}" = "" ]; then
logtext "Result: AllowUsers set, with value ${FIND}" logtext "Result: AllowUsers set, with value ${FIND}"
Display --indent 4 --text "- SSH option: AllowUsers..." --result FOUND --color GREEN Display --indent 4 --text "- SSH option: AllowUsers" --result FOUND --color GREEN
FOUND=1 FOUND=1
else else
logtext "Result: AllowUsers is not set" logtext "Result: AllowUsers is not set"
Display --indent 4 --text "- SSH option: AllowUsers..." --result "NOT FOUND" --color WHITE Display --indent 4 --text "- SSH option: AllowUsers" --result "NOT FOUND" --color WHITE
fi fi
# AllowGroups # AllowGroups
FIND=`egrep "^AllowGroups" ${SSH_DAEMON_CONFIG} | awk '{ print $2 }'` FIND=`egrep "^AllowGroups" ${SSH_DAEMON_CONFIG} | awk '{ print $2 }'`
if [ ! "${FIND}" = "" ]; then if [ ! "${FIND}" = "" ]; then
logtext "Result: AllowUsers set ${FIND}" logtext "Result: AllowUsers set ${FIND}"
Display --indent 4 --text "- SSH option: AllowGroups..." --result FOUND --color GREEN Display --indent 4 --text "- SSH option: AllowGroups" --result FOUND --color GREEN
FOUND=1 FOUND=1
else else
logtext "Result: AllowGroups is not set" logtext "Result: AllowGroups is not set"
Display --indent 4 --text "- SSH option: AllowGroups..." --result "NOT FOUND" --color WHITE Display --indent 4 --text "- SSH option: AllowGroups" --result "NOT FOUND" --color WHITE
fi fi
if [ ${FOUND} -eq 1 ]; then if [ ${FOUND} -eq 1 ]; then


@ -52,12 +52,12 @@
fi fi
if [ ${FOUND} -eq 0 ]; then if [ ${FOUND} -eq 0 ]; then
logtext "Result: usb-storage driver is not explicitly disabled" logtext "Result: usb-storage driver is not explicitly disabled"
Display --indent 2 --text "- Checking usb-storage driver (modprobe config)..." --result "NOT DISABLED" --color WHITE Display --indent 2 --text "- Checking usb-storage driver (modprobe config)" --result "NOT DISABLED" --color WHITE
ReportSuggestion ${TEST_NO} "Disable drivers like USB storage when not used, to prevent unauthorized storage or data theft" ReportSuggestion ${TEST_NO} "Disable drivers like USB storage when not used, to prevent unauthorized storage or data theft"
AddHP 2 3 AddHP 2 3
else else
logtext "Result: usb-storage driver is disabled" logtext "Result: usb-storage driver is disabled"
Display --indent 2 --text "- Checking usb-storage driver (modprobe config)..." --result "DISABLED" --color GREEN Display --indent 2 --text "- Checking usb-storage driver (modprobe config)" --result "DISABLED" --color GREEN
AddHP 3 3 AddHP 3 3
fi fi
fi fi
@ -94,13 +94,13 @@
if [ ${FOUND} -eq 0 ]; then if [ ${FOUND} -eq 0 ]; then
logtext "Result: firewire ohci driver is not explicitly disabled" logtext "Result: firewire ohci driver is not explicitly disabled"
Display --indent 2 --text "- Checking firewire ohci driver (modprobe config)..." --result "NOT DISABLED" --color WHITE Display --indent 2 --text "- Checking firewire ohci driver (modprobe config)" --result "NOT DISABLED" --color WHITE
ReportSuggestion ${TEST_NO} "Disable drivers like firewire storage when not used, to prevent unauthorized storage or data theft" ReportSuggestion ${TEST_NO} "Disable drivers like firewire storage when not used, to prevent unauthorized storage or data theft"
# after blacklisting modules, make sure to remove them from the initram filesystem: update-initramfs -u # after blacklisting modules, make sure to remove them from the initram filesystem: update-initramfs -u
AddHP 2 3 AddHP 2 3
else else
logtext "Result: firewire ohci driver is disabled" logtext "Result: firewire ohci driver is disabled"
Display --indent 2 --text "- Checking firewire ohci driver (modprobe config)..." --result "DISABLED" --color GREEN Display --indent 2 --text "- Checking firewire ohci driver (modprobe config)" --result "DISABLED" --color GREEN
AddHP 3 3 AddHP 3 3
fi fi
fi fi
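Review bot: The firewire suggestion in the second hunk describes the risk as "unauthorized storage or data theft", wording carried over from the usb-storage check; for a FireWire OHCI controller the more relevant exposure is direct memory access by an attached device. The text could say so, e.g. `ReportSuggestion ${TEST_NO} "Disable the firewire ohci driver when not used, to prevent direct memory access (DMA) by attached devices"`. The advice to run update-initramfs -u after blacklisting exists only as a source comment, so users never see it; consider adding it to the logged output with `logtext`. Both if-blocks start outside their hunks, so how FOUND is derived cannot be checked from here.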


@ -27,10 +27,9 @@
# #
################################################################################# #################################################################################
# #
# Test : STRG-1902 # Test : STRG-1902
# Description : Check rpcinfo # Description : Check rpcinfo
if [ ! "${RPCINFOBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if [ ! "${RPCINFOBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no STRG-1902 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check rpcinfo registered programs" Register --test-no STRG-1902 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check rpcinfo registered programs"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Checking rpcinfo registered programs" logtext "Test: Checking rpcinfo registered programs"
@ -38,14 +37,14 @@
for I in ${FIND}; do for I in ${FIND}; do
logtext "rpcinfo: ${I}" logtext "rpcinfo: ${I}"
done done
Display --indent 2 --text "- Query rpc registered programs..." --result "DONE" --color GREEN Display --indent 2 --text "- Query rpc registered programs" --result "DONE" --color GREEN
fi fi
# #
################################################################################# #################################################################################
# #
# Test : STRG-1904 # Test : STRG-1904
# Description : Check nfs versions in rpcinfo # Description : Check nfs versions in rpcinfo
if [ ! "${RPCINFOBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if [ ! "${RPCINFOBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no STRG-1904 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check nfs rpc" Register --test-no STRG-1904 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check nfs rpc"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Checking NFS registered versions" logtext "Test: Checking NFS registered versions"
@ -53,7 +52,7 @@
for I in ${FIND}; do for I in ${FIND}; do
logtext "Found version: ${I}" logtext "Found version: ${I}"
done done
Display --indent 2 --text "- Query NFS versions..." --result "DONE" --color GREEN Display --indent 2 --text "- Query NFS versions" --result "DONE" --color GREEN
fi fi
# #
################################################################################# #################################################################################
@ -81,7 +80,7 @@
if [ "${FIND}" = "" ]; then if [ "${FIND}" = "" ]; then
logtext "Output: no NFS port number found" logtext "Output: no NFS port number found"
fi fi
Display --indent 2 --text "- Query NFS protocols..." --result "DONE" --color GREEN Display --indent 2 --text "- Query NFS protocols" --result "DONE" --color GREEN
fi fi
# #
################################################################################# #################################################################################
@ -94,10 +93,10 @@
FIND=`${PSBINARY} ax | grep "nfsd" | grep -v "grep"` FIND=`${PSBINARY} ax | grep "nfsd" | grep -v "grep"`
if [ "${FIND}" = "" ]; then if [ "${FIND}" = "" ]; then
logtext "Output: NFS daemon is not running" logtext "Output: NFS daemon is not running"
Display --indent 2 --text "- Check running NFS daemon..." --result "NOT FOUND" --color WHITE Display --indent 2 --text "- Check running NFS daemon" --result "NOT FOUND" --color WHITE
else else
logtext "Output: NFS daemon is running" logtext "Output: NFS daemon is running"
Display --indent 2 --text "- Check running NFS daemon.." --result "FOUND" --color GREEN Display --indent 2 --text "- Check running NFS daemon" --result "FOUND" --color GREEN
NFS_DAEMON_RUNNING=1 NFS_DAEMON_RUNNING=1
fi fi
fi fi
@ -129,10 +128,10 @@
logtext "Result: /etc/exports does not contain exported file systems" logtext "Result: /etc/exports does not contain exported file systems"
NFS_EXPORTS_EMPTY=1 NFS_EXPORTS_EMPTY=1
fi fi
Display --indent 4 --text "- Checking /etc/exports..." --result "FOUND" --color GREEN Display --indent 4 --text "- Checking /etc/exports" --result "FOUND" --color GREEN
else else
logtext "Result: file /etc/exports does not exist" logtext "Result: file /etc/exports does not exist"
Display --indent 4 --text "- Checking /etc/exports..." --result "NOT FOUND" --color WHITE Display --indent 4 --text "- Checking /etc/exports" --result "NOT FOUND" --color WHITE
fi fi
fi fi
# #
@ -144,7 +143,7 @@
Register --test-no STRG-1928 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking empty /etc/exports" Register --test-no STRG-1928 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking empty /etc/exports"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
if [ ${NFS_EXPORTS_EMPTY} -eq 1 ]; then if [ ${NFS_EXPORTS_EMPTY} -eq 1 ]; then
Display --indent 6 --text "- Checking empty /etc/exports..." --result SUGGESTION --color YELLOW Display --indent 6 --text "- Checking empty /etc/exports" --result SUGGESTION --color YELLOW
logtext "Result: /etc/exports seems to have no exported file systems" logtext "Result: /etc/exports seems to have no exported file systems"
ReportSuggestion ${TEST_NO} "/etc/exports has no exported file systems, while NFS daemon is running. Check if NFS needs to run on this system" ReportSuggestion ${TEST_NO} "/etc/exports has no exported file systems, while NFS daemon is running. Check if NFS needs to run on this system"
fi fi
@ -161,12 +160,12 @@
sFIND=`${SHOWMOUNTBINARY} -e | awk '{ print $2 }' | sed '1d'| grep "\*"` sFIND=`${SHOWMOUNTBINARY} -e | awk '{ print $2 }' | sed '1d'| grep "\*"`
if [ "${sFIND}" != "" ]; then if [ "${sFIND}" != "" ]; then
logtext "Result: all client are allowed to access a NFS share in /etc/exports" logtext "Result: all client are allowed to access a NFS share in /etc/exports"
Display --indent 4 --text "- Checking NFS client access..." --result "ALL CLIENTS" --color YELLOW Display --indent 4 --text "- Checking NFS client access" --result "ALL CLIENTS" --color YELLOW
ReportSuggestion ${TEST_NO} "Specify clients that are allowed to access a NFS share /etc/exports" ReportSuggestion ${TEST_NO} "Specify clients that are allowed to access a NFS share /etc/exports"
AddHP 2 3 AddHP 2 3
else else
logtext "Result: only some clients are allowed to access a NFS share" logtext "Result: only some clients are allowed to access a NFS share"
Display --indent 4 --text "- Checking NFS client access..." --result OK --color GREEN Display --indent 4 --text "- Checking NFS client access" --result OK --color GREEN
AddHP 3 3 AddHP 3 3
fi fi
fi fi
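Review bot: The world-export test in the last hunk, `grep "\*"`, flags any client field that contains an asterisk, so a restricted wildcard such as `*.example.com` (constructed example) is reported as ALL CLIENTS and loses a hardening point. Matching the field exactly would avoid that, for instance `awk 'NR>1 { n=split($2,c,","); for (i=1;i<=n;i++) if (c[i]=="*") { print $2; next } }'` in place of the awk, sed and grep stages. The log line says the result comes from /etc/exports although the data is read from showmount -e, i.e. the currently exported list; `logtext "Result: all clients are allowed to access an NFS share (showmount -e)"` would be accurate. Some showmount implementations may print a word such as everyone instead of `*`, which this test would miss; worth confirming on the non-Linux platforms. The enclosing if-block starts outside the hunk.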


@ -30,9 +30,9 @@
# Description : Basic nameserver configuration tests (connectivity) # Description : Basic nameserver configuration tests (connectivity)
# Register --test-no TCPW-xxxx --weight L --network YES --description "Basic nameserver configuration tests" # Register --test-no TCPW-xxxx --weight L --network YES --description "Basic nameserver configuration tests"
# if [ ${SKIPTEST} -eq 0 ]; then # if [ ${SKIPTEST} -eq 0 ]; then
# Display --indent 2 --text "- Checking configured nameservers..." # Display --indent 2 --text "- Checking configured nameservers"
# logtext "Test: Checking /etc/resolv.conf file" # logtext "Test: Checking /etc/resolv.conf file"
# Display --indent 8 --text "Nameserver: ${I}..." --result OK --color GREEN # Display --indent 8 --text "Nameserver: ${I}" --result OK --color GREEN
# ReportSuggestion ${TEST_NO} "Check connection to this nameserver and make sure no outbound DNS queries are blocked (port 53 UDP and TCP)." # ReportSuggestion ${TEST_NO} "Check connection to this nameserver and make sure no outbound DNS queries are blocked (port 53 UDP and TCP)."
# ReportWarning ${TEST_NO} "L" "Nameserver ${I} does not respond" # ReportWarning ${TEST_NO} "L" "Nameserver ${I} does not respond"
# fi # fi


@ -47,7 +47,7 @@
Register --test-no TIME-3104 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check for running NTP daemon or client" Register --test-no TIME-3104 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check for running NTP daemon or client"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
# Linux/FreeBSD (ntpdate), OpenBSD (ntpd, rdate) # Linux/FreeBSD (ntpdate), OpenBSD (ntpd, rdate)
logtext "Test: Searching for a running NTP daemon or available client... " logtext "Test: Searching for a running NTP daemon or available client"
FOUND=0 FOUND=0
# Check running processes # Check running processes
@ -140,10 +140,10 @@
done done
if [ ${FOUND_IN_CRON} -eq 1 ]; then if [ ${FOUND_IN_CRON} -eq 1 ]; then
Display --indent 2 --text "- Checking NTP client in cron files..." --result FOUND --color GREEN Display --indent 2 --text "- Checking NTP client in cron files" --result FOUND --color GREEN
logtext "Result: found ntpdate or rdate in cron directory" logtext "Result: found ntpdate or rdate in cron directory"
else else
Display --indent 2 --text "- Checking NTP client in cron.d files..." --result "NOT FOUND" --color WHITE Display --indent 2 --text "- Checking NTP client in cron.d files" --result "NOT FOUND" --color WHITE
logtext "Result: no ntpdate or rdate found in cron directories" logtext "Result: no ntpdate or rdate found in cron directories"
fi fi
@ -154,7 +154,7 @@
logtext "Result: found ntpdate action when network interface comes up" logtext "Result: found ntpdate action when network interface comes up"
FOUND=1 FOUND=1
NTP_CONFIG_TYPE_EVENTBASED=1 NTP_CONFIG_TYPE_EVENTBASED=1
Display --indent 2 --text "- Checking event based ntpdate (if-up)..." --result FOUND --color GREEN Display --indent 2 --text "- Checking event based ntpdate (if-up)" --result FOUND --color GREEN
else else
logtext "Result: file /etc/network/if-up.d/ntpdate does not exist" logtext "Result: file /etc/network/if-up.d/ntpdate does not exist"
fi fi
@ -297,11 +297,11 @@
logtext "Test: Checking preferred time source" logtext "Test: Checking preferred time source"
FIND=`${NTPQBINARY} -p -n | grep '^+' | awk '{ print $1 }'` FIND=`${NTPQBINARY} -p -n | grep '^+' | awk '{ print $1 }'`
if [ "${FIND}" = "" ]; then if [ "${FIND}" = "" ]; then
Display --indent 2 --text "- Checking time source candidates..." --result NONE --color YELLOW Display --indent 2 --text "- Checking time source candidates" --result NONE --color YELLOW
logtext "Result: No other time source candidates found" logtext "Result: No other time source candidates found"
ReportSuggestion ${TEST_NO} "Check ntpq peers output for time source candidates" ReportSuggestion ${TEST_NO} "Check ntpq peers output for time source candidates"
else else
Display --indent 2 --text "- Checking time source candidates..." --result OK --color GREEN Display --indent 2 --text "- Checking time source candidates" --result OK --color GREEN
logtext "Result: Found one or more candidates to synchronize time with." logtext "Result: Found one or more candidates to synchronize time with."
for I in ${FIND}; do for I in ${FIND}; do
I=`echo ${I} | sed 's/+//g'` I=`echo ${I} | sed 's/+//g'`
@ -320,10 +320,10 @@
logtext "Test: Checking preferred time source" logtext "Test: Checking preferred time source"
FIND=`${NTPQBINARY} -p -n | grep '^x'` FIND=`${NTPQBINARY} -p -n | grep '^x'`
if [ "${FIND}" = "" ]; then if [ "${FIND}" = "" ]; then
Display --indent 2 --text "- Checking falsetickers..." --result OK --color GREEN Display --indent 2 --text "- Checking falsetickers" --result OK --color GREEN
logtext "Result: No falsetickers found (items preceeding with an 'x')" logtext "Result: No falsetickers found (items preceeding with an 'x')"
else else
Display --indent 2 --text "- Checking falsetickers..." --result NONE --color YELLOW Display --indent 2 --text "- Checking falsetickers" --result NONE --color YELLOW
logtext "Result: Found one or more falsetickers (items preceeding with an 'x')" logtext "Result: Found one or more falsetickers (items preceeding with an 'x')"
for I in ${FIND}; do for I in ${FIND}; do
I=`echo ${I} | sed 's/x//g'` I=`echo ${I} | sed 's/x//g'`
@ -345,11 +345,11 @@
logtext "Test: Checking NTP protocol version (ntpq -c ntpversion)" logtext "Test: Checking NTP protocol version (ntpq -c ntpversion)"
FIND=`${NTPQBINARY} -c ntpversion | awk '{ if ($1=="NTP" && $2=="version" && $5=="is") { print $6 } }'` FIND=`${NTPQBINARY} -c ntpversion | awk '{ if ($1=="NTP" && $2=="version" && $5=="is") { print $6 } }'`
if [ "${FIND}" = "" ]; then if [ "${FIND}" = "" ]; then
Display --indent 2 --text "- Checking NTP version..." --result UNKNOWN --color YELLOW Display --indent 2 --text "- Checking NTP version" --result UNKNOWN --color YELLOW
logtext "Result: No NTP version found" logtext "Result: No NTP version found"
ReportSuggestion ${TEST_NO} "Check ntpq output for NTP protocol version" ReportSuggestion ${TEST_NO} "Check ntpq output for NTP protocol version"
else else
Display --indent 2 --text "- Checking NTP version..." --result FOUND --color GREEN Display --indent 2 --text "- Checking NTP version" --result FOUND --color GREEN
logtext "Result: Found NTP version ${FIND}" logtext "Result: Found NTP version ${FIND}"
report "ntp_version=${FIND}" report "ntp_version=${FIND}"
fi fi
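Review bot: In the falsetickers hunk (@ -320,10) the branch taken when falsetickers are found still shows `--result NONE --color YELLOW`, which reads on screen as "no falsetickers" while the log line says one or more were found; `--result FOUND --color YELLOW` would match the log. The same test collects whole ntpq lines (`grep '^x'` with no field selection), so `for I in ${FIND}` iterates over every column, and `sed 's/x//g'` strips every x rather than only the leading tally mark. Appending `| awk '{ print $1 }'` as the candidates check does, and using `sed 's/^x//'`, would limit the loop to peer addresses. The log text "Checking preferred time source" is also reused here from the previous test, and the loop body continues outside the hunk.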


@ -35,7 +35,7 @@ PUPPET_MASTER_RUNNING=0
Register --test-no TOOL-5002 --weight L --network NO --description "Checking for automation tools" Register --test-no TOOL-5002 --weight L --network NO --description "Checking for automation tools"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
Display --indent 2 --text "- Checking automation tooling..." Display --indent 2 --text "- Checking automation tooling"
# Cfengine # Cfengine
if [ ! "${CFAGENTBINARY}" = "" ]; then if [ ! "${CFAGENTBINARY}" = "" ]; then


@ -39,10 +39,10 @@
report "solaris_running_zone[]=${ZONENAME} [id:${ZONEID}]" report "solaris_running_zone[]=${ZONENAME} [id:${ZONEID}]"
done done
logtext "Result: total of ${N} running zones" logtext "Result: total of ${N} running zones"
Display --indent 2 --text "- Checking Solaris Zones..." --result "FOUND ${N} zones" --color GREEN Display --indent 2 --text "- Checking Solaris Zones" --result "FOUND ${N} zones" --color GREEN
else else
logtext "Result: no running zones found" logtext "Result: no running zones found"
Display --indent 2 --text "- Checking Solaris Zones..." --result NONE --color WHITE Display --indent 2 --text "- Checking Solaris Zones" --result NONE --color WHITE
fi fi
fi fi
# #
@ -71,7 +71,7 @@
# if [ ${SKIPTEST} -eq 0 ]; then # if [ ${SKIPTEST} -eq 0 ]; then
# # Initialise # # Initialise
# VMWARE_GUEST=0 # VMWARE_GUEST=0
# Display --indent 2 --text "- Checking VMware guest status..." # Display --indent 2 --text "- Checking VMware guest status"
# #YYY check memory driver file # #YYY check memory driver file
# #YYY check LKM list # #YYY check LKM list
# #YYY check vmware tools # #YYY check vmware tools


@ -56,7 +56,7 @@
if [ "${HTTPDBINARY}" = "" ]; then if [ "${HTTPDBINARY}" = "" ]; then
Display --indent 2 --text "- Checking Apache" --result "NOT FOUND" --color WHITE Display --indent 2 --text "- Checking Apache" --result "NOT FOUND" --color WHITE
else else
logtext "Test: Scanning for Apache binary..." logtext "Test: Scanning for Apache binary"
IS_APACHE=`${HTTPDBINARY} -v | egrep '[aA]pache'` IS_APACHE=`${HTTPDBINARY} -v | egrep '[aA]pache'`
if [ "${IS_APACHE}" = "" ]; then if [ "${IS_APACHE}" = "" ]; then
logtext "Result: ${HTTPDBINARY} is not Apache" logtext "Result: ${HTTPDBINARY} is not Apache"
@ -121,7 +121,7 @@
if [ ${APACHE_INSTALLED} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if [ ${APACHE_INSTALLED} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no HTTP-6626 --preqs-met ${PREQS_MET} --weight L --network NO --description "Testing other Apache configuration file" Register --test-no HTTP-6626 --preqs-met ${PREQS_MET} --weight L --network NO --description "Testing other Apache configuration file"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
#Display --indent 4 --text "- Searching Apache virtual hosts..." #Display --indent 4 --text "- Searching Apache virtual hosts"
for I in ${sTEST_APACHE_TARGETS}; do for I in ${sTEST_APACHE_TARGETS}; do
if [ -d ${I} ]; then if [ -d ${I} ]; then
find ${I} -name "*.conf" -print >> ${TMPFILE2} find ${I} -name "*.conf" -print >> ${TMPFILE2}
@ -200,7 +200,7 @@
# # Check if option ServerTokens is configured # # Check if option ServerTokens is configured
# SERVERTOKENSTEST=`cat ${APACHE_CONFIGFILE} | grep ServerTokens | grep -v '^#'` # SERVERTOKENSTEST=`cat ${APACHE_CONFIGFILE} | grep ServerTokens | grep -v '^#'`
# if [ ! "${SERVERTOKENSTEST}" = "" ]; then # if [ ! "${SERVERTOKENSTEST}" = "" ]; then
# Display --indent 4 --text "- Checking option ServerTokens..." --result FOUND --color WHITE # Display --indent 4 --text "- Checking option ServerTokens" --result FOUND --color WHITE
# SERVERTOKENSTEST=`echo ${SERVERTOKENSTEST} | sed 's/ServerTokens//' | tr -d ' '` # SERVERTOKENSTEST=`echo ${SERVERTOKENSTEST} | sed 's/ServerTokens//' | tr -d ' '`
# logtext "Option ServerTokens found: ${SERVERTOKENSTEST}" # logtext "Option ServerTokens found: ${SERVERTOKENSTEST}"
# SERVERTOKENSEXPECTED=`cat ${PROFILE} | grep 'apache' | grep 'ServerTokens' | cut -d ':' -f3` # SERVERTOKENSEXPECTED=`cat ${PROFILE} | grep 'apache' | grep 'ServerTokens' | cut -d ':' -f3`
@ -213,7 +213,7 @@
# logtext "Expected: ${SERVERTOKENSEXPECTED}" # logtext "Expected: ${SERVERTOKENSEXPECTED}"
# fi # fi
# else # else
# Display --indent 4 --text "- Checking option ServerTokens..." --result "NOT FOUND" --color WHITE # Display --indent 4 --text "- Checking option ServerTokens" --result "NOT FOUND" --color WHITE
# fi # fi
# #
# else # else
@ -224,9 +224,9 @@
# #
# # Display results from checks # # Display results from checks
# if [ ${SERVERTOKENSFOUND} -eq 1 ]; then # if [ ${SERVERTOKENSFOUND} -eq 1 ]; then
# Display --indent 6 --text "- Value of ServerTokens..." --result OK --color GREEN # Display --indent 6 --text "- Value of ServerTokens" --result OK --color GREEN
# else # else
# Display --indent 6 --text "- Value of ServerTokens..." --result WARNING --color RED # Display --indent 6 --text "- Value of ServerTokens" --result WARNING --color RED
# ReportWarning ${TEST_NO} "M" "Value of 'ServerTokens' in Apache config is different than template" # ReportWarning ${TEST_NO} "M" "Value of 'ServerTokens' in Apache config is different than template"
# fi # fi
# fi # fi
@ -467,7 +467,7 @@
Register --test-no HTTP-6708 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check discovered nginx configuration settings" Register --test-no HTTP-6708 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check discovered nginx configuration settings"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: start parsing all discovered nginx options" logtext "Test: start parsing all discovered nginx options"
Display --indent 4 --text "- Parsing configuration options..." Display --indent 4 --text "- Parsing configuration options"
ParseNginx ParseNginx
fi fi
# #
@ -527,7 +527,7 @@
Register --test-no HTTP-6712 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check nginx access logging" Register --test-no HTTP-6712 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check nginx access logging"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
NGINX_LOG_SUGGESTION=0 NGINX_LOG_SUGGESTION=0
Display --indent 6 --text "- Checking log file configuration..." Display --indent 6 --text "- Checking log file configuration"
# Check for missing access log # Check for missing access log
if [ ${NGINX_ACCESS_LOG_MISSING} -eq 1 ]; then if [ ${NGINX_ACCESS_LOG_MISSING} -eq 1 ]; then
@ -616,10 +616,10 @@
# done # done
# if [ ${N} -eq 0 ]; then # if [ ${N} -eq 0 ]; then
# logtext "Result: no reverse proxying functionality found" # logtext "Result: no reverse proxying functionality found"
# Display --indent 4 --text "- Searching reverse proxy functionality..." --result "NOT FOUND" --color WHITE # Display --indent 4 --text "- Searching reverse proxy functionality" --result "NOT FOUND" --color WHITE
# else # else
# logtext "Result: found ${N} addresses for which nginx will be a reverse proxy" # logtext "Result: found ${N} addresses for which nginx will be a reverse proxy"
# Display --indent 4 --text "- Searching reverse proxy functionality..." --result "${N} FOUND" --color GREEN # Display --indent 4 --text "- Searching reverse proxy functionality" --result "${N} FOUND" --color GREEN
# fi # fi
# fi # fi
# #
@ -642,10 +642,10 @@
# done # done
# if [ ${N} -eq 0 ]; then # if [ ${N} -eq 0 ]; then
# logtext "Result: no virtual hosts found" # logtext "Result: no virtual hosts found"
# Display --indent 4 --text "- Searching virtual hosts..." --result "NOT FOUND" --color WHITE # Display --indent 4 --text "- Searching virtual hosts" --result "NOT FOUND" --color WHITE
# else # else
# logtext "Result: found ${N} virtual hosts" # logtext "Result: found ${N} virtual hosts"
# Display --indent 4 --text "- Searching virtual hosts..." --result "${N} FOUND" --color GREEN # Display --indent 4 --text "- Searching virtual hosts" --result "${N} FOUND" --color GREEN
# fi # fi
# fi # fi
# #