Code cleanup and small enhancements

mboelen 2014-09-15 12:01:09 +02:00
parent 35d32fb5e4
commit c9fde8c2d1
37 changed files with 922 additions and 923 deletions


@ -30,11 +30,11 @@
Register --test-no ACCT-2754 --os FreeBSD --weight L --network NO --description "Check for available FreeBSD accounting information"
if [ ${SKIPTEST} -eq 0 ]; then
if [ -f /var/account/acct ]; then
Display --indent 2 --text "- Checking accounting information..." --result OK --color GREEN
Display --indent 2 --text "- Checking accounting information" --result OK --color GREEN
logtext "Result: /var/account/acct available"
AddHP 3 3
else
Display --indent 2 --text "- Checking accounting information..." --result "NOT FOUND" --color YELLOW
Display --indent 2 --text "- Checking accounting information" --result "NOT FOUND" --color YELLOW
logtext "Result: No accounting information available"
logtext "Remark: Possibly there is another location where the accounting data is stored"
ReportSuggestion ${TEST_NO} "Enable process accounting"
@ -51,19 +51,19 @@
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Check accounting information"
if [ -f /var/account/pacct ]; then
Display --indent 2 --text "- Checking accounting information..." --result OK --color GREEN
Display --indent 2 --text "- Checking accounting information" --result OK --color GREEN
logtext "Result: /var/account/pacct available"
AddHP 3 3
elif [ -f /var/log/account/pacct ]; then
Display --indent 2 --text "- Checking accounting information..." --result OK --color GREEN
Display --indent 2 --text "- Checking accounting information" --result OK --color GREEN
logtext "Result: /var/log/account/pacct available"
AddHP 3 3
elif [ -f /var/log/pacct ]; then
Display --indent 2 --text "- Checking accounting information..." --result OK --color GREEN
Display --indent 2 --text "- Checking accounting information" --result OK --color GREEN
logtext "Result: /var/log/pacct available"
AddHP 3 3
else
Display --indent 2 --text "- Checking accounting information... " --result "NOT FOUND" --color YELLOW
Display --indent 2 --text "- Checking accounting information" --result "NOT FOUND" --color YELLOW
logtext "Result: No accounting information available (/var/account/pacct does not exist)"
logtext "Remark: Possibly there is another location where the accounting data is stored"
ReportSuggestion ${TEST_NO} "Enable process accounting"
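Review bot: In the second hunk (`@ -51,19`) the NOT FOUND branch logs `(/var/account/pacct does not exist)`, although it is reached only after `/var/account/pacct`, `/var/log/account/pacct` and `/var/log/pacct` have all been tested, so the log names one path out of three. Suggest `logtext "Result: No accounting information available (no pacct file in /var/account, /var/log/account or /var/log)"`. Both tests also grant `AddHP 3 3` on file presence alone, which does not show that process accounting is currently enabled; a comment such as `# file presence only; does not prove accounting is active` above the `-f` tests would make that limit explicit. The `if` blocks continue past the end of both hunks.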


@ -37,7 +37,7 @@
logtext "Test: Searching accounts with UID 0"
FIND=`grep ':0:' /etc/passwd | egrep -v '^#|^root:|^:0:0:::' | cut -d ":" -f1,3 | grep ':0'`
if [ ! "${FIND}" = "" ]; then
Display --indent 2 --text "- Search administrator accounts..." --result WARNING --color RED
Display --indent 2 --text "- Search administrator accounts" --result WARNING --color RED
logtext "Result: Found more than one administrator accounts"
ReportWarning "${TEST_NO}" "H" "Multiple users with UID 0 found in passwd file"
for I in ${FIND}; do
@ -49,7 +49,7 @@
fi
done
else
Display --indent 2 --text "- Search administrator accounts..." --result OK --color GREEN
Display --indent 2 --text "- Search administrator accounts" --result OK --color GREEN
logtext "Result: No accounts found with UID 0 other than root."
fi
fi
@ -72,16 +72,16 @@
if [ -f ${PASSWD_FILE} ]; then
FIND=`cat ${PASSWD_FILE} | grep -v '^#' | cut -d ':' -f3 | uniq -d`
if [ "${FIND}" = "" ]; then
Display --indent 2 --text "- Checking for non-unique UIDs... " --result OK --color GREEN
Display --indent 2 --text "- Checking for non-unique UIDs" --result OK --color GREEN
logtext "Result: all accounts found in ${PASSWD_FILE} are unique"
else
Display --indent 2 --text "- Checking for non-unique UIDs... " --result WARNING --color RED
Display --indent 2 --text "- Checking for non-unique UIDs" --result WARNING --color RED
logtext "Result: found multiple accounts with same UID"
logtext "Output (non-unique UIDs): ${FIND}"
ReportWarning ${TEST_NO} "Multiple accounts found with same UID"
fi
else
Display --indent 2 --text "- Checking UIDs... " --result SKIPPED --color WHITE
Display --indent 2 --text "- Checking UIDs" --result SKIPPED --color WHITE
logtext "Result: test skipped, ${PASSWD_FILE} file not available"
fi
logtext "Remarks: ${USER_PASSWD_DOUBLEUID_AUDIT_TEXT}"
@ -94,15 +94,15 @@
if [ -f /usr/sbin/chkgrp ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no AUTH-9212 --preqs-met ${PREQS_MET} --weight L --network NO --description "Test group file"
if [ ${SKIPTEST} -eq 0 ]; then
Display --indent 2 --text "- Checking chkgrp tool..." --result FOUND --color GREEN
Display --indent 2 --text "- Checking chkgrp tool" --result FOUND --color GREEN
logtext "Result: /usr/sbin/chkgrp binary found. Using this to perform next test(s)."
logtext "Test: Testing consistency of /etc/group file... "
logtext "Test: Testing consistency of /etc/group file"
FIND=`/usr/sbin/chkgrp | grep -v 'is fine'`
if [ "${FIND}" = "" ]; then
Display --indent 4 --text "- Checking consistency of /etc/group file..." --result OK --color GREEN
Display --indent 4 --text "- Checking consistency of /etc/group file" --result OK --color GREEN
logtext "Result: chkgrp test performed, Group file seems to be ok."
else
Display --indent 4 --text "- Checking consistency of /etc/group file..." --result WARNING --color RED
Display --indent 4 --text "- Checking consistency of /etc/group file" --result WARNING --color RED
logtext "Result: chkgrp found some errors. Run the tool manually to see details."
logtext "chkgrp output: ${FIND}"
ReportWarning ${TEST_NO} "M" "chkgrp reported inconsistencies in /etc/group file"
@ -118,7 +118,7 @@
if [ ${SKIPTEST} -eq 0 ]; then
# Test : run grpck to test group files (most likely /etc/group and shadow group files)
# Expected result : 0 (exit code)
logtext "Test: Checking for grpck binary..."
logtext "Test: Checking for grpck binary"
if [ "${OS}" = "Linux" ]; then
# Read only mode
@ -136,10 +136,10 @@
# Check exit-code
if [ "${FIND}" = "0" ]; then
Display --indent 2 --text "- Checking consistency of group files (grpck)..." --result OK --color GREEN
Display --indent 2 --text "- Checking consistency of group files (grpck)" --result OK --color GREEN
logtext "Result: grpck binary didn't find any errors in the group files"
else
Display --indent 2 --text "- Checking consistency of group files (grpck)..." --result WARNING --color RED
Display --indent 2 --text "- Checking consistency of group files (grpck)" --result WARNING --color RED
ReportWarning ${TEST_NO} "M" "grpck binary found errors in one or more group files"
ReportSuggestion ${TEST_NO} "Run grpck manually and check your group files"
fi
@ -158,9 +158,9 @@
# Check for all shells, except: (/usr)/sbin/nologin /nonexistent
FIND=`cat /etc/master.passwd | grep "[a-z]:\*:" | egrep -v '^#|/sbin/nologin|/usr/sbin/nologin|/nonexistent' | sed 's/ /!space!/g'`
if [ "${FIND}" = "" ]; then
Display --indent 2 --text "- Checking login shells..." --result OK --color GREEN
Display --indent 2 --text "- Checking login shells" --result OK --color GREEN
else
Display --indent 2 --text "- Checking login shells..." --result WARNING --color RED
Display --indent 2 --text "- Checking login shells" --result WARNING --color RED
for I in ${FIND}; do
I=`echo ${I} | sed 's/!space!/ /g'`
J=`echo ${I} | awk -F: '{ print $10 }'`
@ -183,7 +183,7 @@
fi
fi
else
Display --indent 2 --text "- Checking login shells..." --result SKIPPED --color WHITE
Display --indent 2 --text "- Checking login shells" --result SKIPPED --color WHITE
logtext "Result: No /etc/master.passwd file found"
fi
fi
@ -197,10 +197,10 @@
logtext "Test: Checking for non unique group ID's in /etc/group"
FIND=`cat /etc/group | grep -v '^#' | grep -v '^$' | awk -F: '{ print $3 }' | sort | uniq -d`
if [ "${FIND}" = "" ]; then
Display --indent 2 --text "- Checking non unique group ID's..." --result OK --color GREEN
Display --indent 2 --text "- Checking non unique group ID's" --result OK --color GREEN
logtext "Result: All group ID's are unique"
else
Display --indent 2 --text "- Checking non unique group ID's..." --result WARNING --color RED
Display --indent 2 --text "- Checking non unique group ID's" --result WARNING --color RED
logtext "Result: Found the same group ID multiple times"
logtext "Output: ${FIND}"
ReportWarning ${TEST_NO} "H" "Found multiple groups with same group ID"
@ -218,10 +218,10 @@
logtext "Test: Checking for non unique group names in /etc/group"
FIND=`cat /etc/group | grep -v '^#' | grep -v '^$' | awk -F: '{ print $1 }' | sort | uniq -d`
if [ "${FIND}" = "" ]; then
Display --indent 2 --text "- Checking non unique group names..." --result OK --color GREEN
Display --indent 2 --text "- Checking non unique group names" --result OK --color GREEN
logtext "Result: All group names are unique"
else
Display --indent 2 --text "- Checking non unique group names..." --result WARNING --color WARNING
Display --indent 2 --text "- Checking non unique group names" --result WARNING --color WARNING
logtext "Result: Found the same group name multiple times"
logtext "Output: ${FIND}"
ReportWarning ${TEST_NO} "M" "Found inconsistencies in group file (multiple occurences of a single group)"
@ -239,10 +239,10 @@
logtext "Test: Checking password file consistency (pwck)"
FIND=`/usr/sbin/pwck -q -r 2> /dev/null; echo $?`
if [ "${FIND}" = "0" ]; then
Display --indent 2 --text "- Checking password file consistency..." --result OK --color GREEN
Display --indent 2 --text "- Checking password file consistency" --result OK --color GREEN
logtext "Result: pwck check didn't find any problems"
else
Display --indent 2 --text "- Checking password file consistency..." --result WARNING --color RED
Display --indent 2 --text "- Checking password file consistency" --result WARNING --color RED
logtext "Result: pwck found one or more errors/warnings in the password file."
ReportWarning ${TEST_NO} "M" "pwck found one or more errors/warnings in the password file"
ReportSuggestion ${TEST_NO} "Run pwck manually and correct found issues."
@ -260,10 +260,10 @@
# logtext "Test: Checking password file consistency (usrck)"
# FIND=`/usr/bin/usrck -n ALL 2>; echo $?`
# if [ "${FIND}" = "0" ]; then
# Display --indent 2 --text "- Checking password file consistency..." --result OK --color GREEN
# Display --indent 2 --text "- Checking password file consistency" --result OK --color GREEN
# logtext "Result: usrck finished didn't find problems"
# else
# Display --indent 2 --text "- Checking password file consistency..." --result WARNING --color RED
# Display --indent 2 --text "- Checking password file consistency" --result WARNING --color RED
# logtext "Result: usrck found one or more errors/warnings in the password file."
# ReportWarning ${TEST_NO} "M" "usrck found one or more errors/warnings in the password file"
# ReportSuggestion ${TEST_NO} "Run usrck manually and correct found issues."
@ -280,10 +280,10 @@
logtext "Test: Checking password file consistency (pwck)"
FIND=`/usr/sbin/pwck 2> /dev/null; echo $?`
if [ "${FIND}" = "0" ]; then
Display --indent 2 --text "- Checking password file consistency..." --result OK --color GREEN
Display --indent 2 --text "- Checking password file consistency" --result OK --color GREEN
logtext "Result: pwck finished didn't find problems"
else
Display --indent 2 --text "- Checking password file consistency..." --result WARNING --color RED
Display --indent 2 --text "- Checking password file consistency" --result WARNING --color RED
logtext "Result: pwck found one or more errors/warnings in the password file."
ReportWarning ${TEST_NO} "M" "pwck found one or more errors/warnings in the password file"
ReportSuggestion ${TEST_NO} "Run pwck manually and correct found issues."
@ -301,10 +301,10 @@
# logtext "Test: Checking password file consistency (pwck)"
# FIND=`/usr/sbin/pwck 2> /dev/null; echo $?`
# if [ "${FIND}" = "0" ]; then
# Display --indent 2 --text "- Checking password file consistency..." --result OK --color GREEN
# Display --indent 2 --text "- Checking password file consistency" --result OK --color GREEN
# logtext "Result: pwck finished didn't find problems"
# else
# Display --indent 2 --text "- Checking password file consistency..." --result WARNING --color RED
# Display --indent 2 --text "- Checking password file consistency" --result WARNING --color RED
# logtext "Result: pwck found one or more errors/warnings in the password file."
# ReportWarning ${TEST_NO} "M" "pwck found one or more errors/warnings in the password file"
# ReportSuggestion ${TEST_NO} "Run pwck manually and correct found issues."
@ -321,10 +321,10 @@
# logtext "Test: Checking group file consistency (grpck)"
# FIND=`/usr/sbin/grpck 2> /dev/null; echo $?`
# if [ "${FIND}" = "0" ]; then
# Display --indent 2 --text "- Checking group file consistency..." --result OK --color GREEN
# Display --indent 2 --text "- Checking group file consistency" --result OK --color GREEN
# logtext "Result: grpck finished didn't find problems"
# else
# Display --indent 2 --text "- Checking group file consistency..." --result WARNING --color RED
# Display --indent 2 --text "- Checking group file consistency" --result WARNING --color RED
# logtext "Result: grpck found one or more errors/warnings in the group file."
# ReportWarning ${TEST_NO} "M" "grpck found one or more errors/warnings in the group file"
# ReportSuggestion ${TEST_NO} "Run grpck manually and correct found issues."
@ -340,7 +340,7 @@
# OpenBSD/NetBSD: unknown
Register --test-no AUTH-9234 --os Linux --weight L --network NO --description "Query user accounts"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Read real system users (including root user) from /etc/passwd..."
logtext "Test: Read real system users (including root user) from /etc/passwd"
FIND=""
if [ "${OS}" = "FreeBSD" ]; then
@ -358,7 +358,7 @@
FIND=`awk -F: '($3 > 100 && $3 != 60001 && $3 != 65534) || ($3 == 0) { print $1","$3 }' /etc/passwd`
fi
Display --indent 2 --text "- Query system users (non daemons)..." --result DONE --color GREEN
Display --indent 2 --text "- Query system users (non daemons)" --result DONE --color GREEN
# Check if we got any output
if [ "${FIND}" = "" ]; then
Display --indent 4 --text "Result: No users found/unknown result"
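Review bot: In the non-unique UID hunk (`@ -72,16`) `uniq -d` runs on unsorted input, so it reports a UID only when the duplicates sit on adjacent lines of `${PASSWD_FILE}`; two accounts sharing a UID elsewhere in the file are logged as unique. The group-ID and group-name tests further down already sort first, and the pipeline here should end the same way: `cut -d ':' -f3 | sort | uniq -d`. The `ReportWarning` call in that hunk also passes no severity, unlike the other calls in this file, which pass `"H"` or `"M"` as the second argument; judging by those it should probably read `ReportWarning ${TEST_NO} "H" "Multiple accounts found with same UID"`. In the group-names hunk (`@ -218,10`) the rewritten line keeps `--color WARNING`, where every other WARNING result on this page uses `--color RED`, which looks like a typo. The test bodies start and end outside the hunks shown.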


@ -19,7 +19,6 @@
#################################################################################
#
InsertSection "Banners and identification"
# Display --indent 2 --text "- Checking banners..."
#
#################################################################################
#
@ -67,15 +66,15 @@
logtext "Test: Testing existence /etc/motd"
if [ -f /etc/motd ]; then
logtext "Result: file /etc/motd exists"
Display --indent 2 --text "- /etc/motd..." --result FOUND --color GREEN
Display --indent 2 --text "- /etc/motd" --result FOUND --color GREEN
if [ ! -L /etc/motd ]; then
IsWorldWritable /etc/motd
if [ "${FileIsWorldWritable}" = "TRUE" ]; then
Display --indent 4 --text "- /etc/motd permissions..." --result WARNING --color RED
Display --indent 4 --text "- /etc/motd permissions" --result WARNING --color RED
logtext "Result: /etc/motd is world writable. Users can change this file!"
ReportWarning ${TEST_NO} "H" "/etc/motd is world writable"
else
Display --indent 4 --text "- /etc/motd permissions..." --result OK --color GREEN
Display --indent 4 --text "- /etc/motd permissions" --result OK --color GREEN
logtext "Result: /etc/motd is not world writable."
fi
else
@ -83,7 +82,7 @@
fi
else
logtext "Result: File /etc/motd not found"
Display --indent 2 --text "- /etc/motd..." --result "NOT FOUND" --color WHITE
Display --indent 2 --text "- /etc/motd" --result "NOT FOUND" --color WHITE
fi
fi
#
@ -107,11 +106,11 @@
# Check if we have 5 or more key words
if [ ${N} -gt 4 ]; then
logtext "Result: Found ${N} key words, to warn unauthorized users"
Display --indent 4 --text "- /etc/motd contents..." --result OK --color GREEN
Display --indent 4 --text "- /etc/motd contents" --result OK --color GREEN
AddHP 2 2
else
logtext "Result: Found only ${N} key words, to warn unauthorized users and could be increased"
Display --indent 4 --text "- /etc/motd contents..." --result WEAK --color YELLOW
Display --indent 4 --text "- /etc/motd contents" --result WEAK --color YELLOW
ReportSuggestion ${TEST_NO} "Add legal banner to /etc/motd, to warn unauthorized users"
AddHP 0 1
fi
@ -128,13 +127,13 @@
# Check for symlink
if [ -L /etc/issue ]; then
logtext "Result: file /etc/issue exists (symlink)"
Display --indent 2 --text "- /etc/issue..." --result SYMLINK --color GREEN
Display --indent 2 --text "- /etc/issue" --result SYMLINK --color GREEN
else
Display --indent 2 --text "- /etc/issue..." --result FOUND --color GREEN
Display --indent 2 --text "- /etc/issue" --result FOUND --color GREEN
fi
else
logtext "Result: file /etc/issue does not exist"
Display --indent 2 --text "- /etc/issue..." --result "NOT FOUND" --color WHITE
Display --indent 2 --text "- /etc/issue" --result "NOT FOUND" --color WHITE
fi
fi
#
@ -158,11 +157,11 @@
# Check if we have 5 or more key words
if [ ${N} -gt 4 ]; then
logtext "Result: Found ${N} key words (5 or more suggested), to warn unauthorized users"
Display --indent 4 --text "- /etc/issue contents..." --result OK --color GREEN
Display --indent 4 --text "- /etc/issue contents" --result OK --color GREEN
AddHP 2 2
else
logtext "Result: Found only ${N} key words (5 or more suggested), to warn unauthorized users and could be increased"
Display --indent 4 --text "- /etc/issue contents..." --result WEAK --color YELLOW
Display --indent 4 --text "- /etc/issue contents" --result WEAK --color YELLOW
ReportSuggestion ${TEST_NO} "Add a legal banner to /etc/issue, to warn unauthorized users"
AddHP 0 1
fi
@ -179,14 +178,14 @@
# Check for symlink
if [ -L /etc/issue.net ]; then
logtext "Result: file /etc/issue.net exists (symlink)"
Display --indent 2 --text "- /etc/issue.net..." --result SYMLINK --color GREEN
Display --indent 2 --text "- /etc/issue.net" --result SYMLINK --color GREEN
else
logtext "Result: file /etc/issue.net exists"
Display --indent 2 --text "- /etc/issue.net..." --result FOUND --color GREEN
Display --indent 2 --text "- /etc/issue.net" --result FOUND --color GREEN
fi
else
logtext "Result: file /etc/issue.net does not exist"
Display --indent 2 --text "- /etc/issue.net..." --result "NOT FOUND" --color WHITE
Display --indent 2 --text "- /etc/issue.net" --result "NOT FOUND" --color WHITE
fi
fi
#
@ -210,11 +209,11 @@
# Check if we have 5 or more key words
if [ ${N} -gt 4 ]; then
logtext "Result: Found ${N} key words, to warn unauthorized users"
Display --indent 4 --text "- /etc/issue.net contents..." --result OK --color GREEN
Display --indent 4 --text "- /etc/issue.net contents" --result OK --color GREEN
AddHP 2 2
else
logtext "Result: Found only ${N} key words, to warn unauthorized users and could be increased"
Display --indent 4 --text "- /etc/issue.net contents..." --result WEAK --color YELLOW
Display --indent 4 --text "- /etc/issue.net contents" --result WEAK --color YELLOW
ReportSuggestion ${TEST_NO} "Add legal banner to /etc/issue.net, to warn unauthorized users"
AddHP 0 1
fi


@ -32,11 +32,11 @@
Register --test-no BOOT-5121 --weight L --network NO --description "Check for GRUB boot loader presence"
if [ ${SKIPTEST} -eq 0 ]; then
FOUND=0
logtext "Test: Checking for presence GRUB conf file (/boot/grub/grub.conf or /boot/grub/menu.lst)..."
logtext "Test: Checking for presence GRUB conf file (/boot/grub/grub.conf or /boot/grub/menu.lst)"
if [ -f /boot/grub/grub.conf -o -f /boot/grub/menu.lst ]; then
FOUND=1
BOOT_LOADER="GRUB"
Display --indent 4 --text "- Checking presence GRUB... " --result "OK" --color GREEN
Display --indent 4 --text "- Checking presence GRUB" --result "OK" --color GREEN
if [ -f /boot/grub/grub.conf ]; then GRUBCONFFILE="/boot/grub/grub.conf"; else GRUBCONFFILE="/boot/grub/menu.lst"; fi
logtext "Found file ${GRUBCONFFILE}, proceeding with tests."
FileIsReadable ${GRUBCONFFILE}
@ -44,7 +44,7 @@
FIND=`cat ${GRUBCONFFILE} | grep 'password --md5' | grep -v '^#'`
FIND2=`cat ${GRUBCONFFILE} | grep 'password --encrypted' | grep -v '^#'`
if [ "${FIND}" = "" -a "${FIND2}" = "" ]; then
Display --indent 6 --text "- Checking for password protection..." --result WARNING --color RED
Display --indent 6 --text "- Checking for password protection" --result WARNING --color RED
logtext "Result: Didn't find MD5/SHA1 hashed password line in GRUB boot file!"
logtext "Risk: user can switch to single user mode by editing current menu items or bypassing them."
logtext "Additional information: Do NOT use a plaintext password, since the grub.conf or menu.lst file is most likely to be world readable!"
@ -53,7 +53,7 @@
logtext "Tip: Run grub-crypt or grub-md5-crypt and create a hashed password. Add a line below the line timeout=<value>, add: password --md5 <password hash> or password --encrypted <password hash> for SHA1 encrypted password"
AddHP 0 2
else
Display --indent 6 --text "- Checking for password protection..." --result OK --color GREEN
Display --indent 6 --text "- Checking for password protection" --result OK --color GREEN
logtext "Result: GRUB has password protection."
AddHP 4 4
fi
@ -66,7 +66,7 @@
if [ -f /boot/grub/grub.cfg ]; then
FOUND=1
BOOT_LOADER="GRUB2"
Display --indent 4 --text "- Checking presence GRUB2... " --result FOUND --color GREEN
Display --indent 4 --text "- Checking presence GRUB2" --result FOUND --color GREEN
logtext "Result: found GRUB2 configuration file (/boot/grub/grub.cfg)"
# YYY password check, when documentation of GRUB2 project is improved
# YYY Add check permission check (600)
@ -74,7 +74,7 @@
fi
if [ ${FOUND} -eq 0 ]; then
Display --indent 4 --text "- Checking presence GRUB... " --result "NOT FOUND" --color WHITE
Display --indent 4 --text "- Checking presence GRUB" --result "NOT FOUND" --color WHITE
logtext "Result: no GRUB configuration file found."
fi
fi
@ -120,13 +120,13 @@
Register --test-no BOOT-5139 --weight L --network NO --description "Check for LILO boot loader presence"
if [ ${SKIPTEST} -eq 0 ]; then
LILOCONFFILE="/etc/lilo.conf"
logtext "Test: checking for presence LILO configuration file..."
logtext "Test: checking for presence LILO configuration file"
if [ -f ${LILOCONFFILE} ]; then
FileIsReadable ${LILOCONFFILE}
if [ ${CANREAD} -eq 1 ]; then
BOOT_LOADER="LILO"
Display --indent 4 --text "- Checking presence LILO... " --result "OK" --color GREEN
logtext "Checking password option LILO..."
Display --indent 4 --text "- Checking presence LILO" --result "OK" --color GREEN
logtext "Checking password option LILO"
FIND=`cat ${LILOCONFFILE} | ${EGREPBINARY} 'password[[:space:]]?=' | grep -v "^#"`
if [ "${FIND}" = "" ]; then
Display --indent 6 --text "- Password option presence " --result "WARNING" --color RED
@ -145,7 +145,7 @@
logtext "Result: can not read ${LILOCONFFILE} (no permission)"
fi
else
Display --indent 4 --text "- Checking presence LILO... " --result "NOT FOUND" --color WHITE
Display --indent 4 --text "- Checking presence LILO" --result "NOT FOUND" --color WHITE
logtext "Result: LILO configuration file not found"
fi
fi
@ -212,18 +212,18 @@
Register --test-no BOOT-5159 --os OpenBSD --platform i386 --weight L --network NO --description "Check for OpenBSD i386 boot loader presence"
if [ ${SKIPTEST} -eq 0 ]; then
if [ -f /etc/boot.conf ]; then
Display --indent 2 --text "- Checking /etc/boot.conf..." --result "FOUND" --color GREEN
Display --indent 2 --text "- Checking /etc/boot.conf" --result "FOUND" --color GREEN
FIND=`grep '^boot' /etc/boot.conf`
if [ "${FIND}" = "" ]; then
Display --indent 4 --text "- Checking boot option..." --result WARNING --color RED
Display --indent 4 --text "- Checking boot option" --result WARNING --color RED
ReportSuggestion ${TEST_NO} "Add 'boot' to the /etc/boot.conf file to disable the default 5 seconds waiting time, to disallow booting into single user mode."
ReportWarning ${TEST_NO} "M" "System can be booted into single user mode without password"
else
Display --indent 4 --text "- Checking boot option..." --result OK --color GREEN
Display --indent 4 --text "- Checking boot option" --result OK --color GREEN
logtext "Ok, boot option is enabled."
fi
else
Display --indent 2 --text "- Checking /etc/boot.conf..." --result "NOT FOUND" --color YELLOW
Display --indent 2 --text "- Checking /etc/boot.conf" --result "NOT FOUND" --color YELLOW
logtext "Result: no /etc/boot.conf found. When using the default boot loader, physical"
logtext "access to the server can be used to possibly enter single user mode."
ReportSuggestion ${TEST_NO} "Add 'boot' to the /etc/boot.conf file to disable the default 5 seconds waiting time."
@ -237,7 +237,7 @@
Register --test-no BOOT-5165 --os FreeBSD --weight L --network NO --description "Check for FreeBSD boot services"
if [ ${SKIPTEST} -eq 0 ]; then
# FreeBSD (Read /etc/rc.conf file for enabled services)
logtext "Searching for services at startup (rc.conf)..."
logtext "Searching for services at startup (rc.conf)"
FIND=`egrep -v -i '^#|none' /etc/rc.conf | egrep -i '_enable.*(yes|on|1)' | sort | awk -F= '{ print $1 }' | sed 's/_enable//'`
N=0
for I in ${FIND}; do
@ -245,7 +245,7 @@
report "boottask[]=${I}"
N=`expr ${N} + 1`
done
Display --indent 2 --text "- Checking services at startup (rc.conf)..." --result "DONE" --color GREEN
Display --indent 2 --text "- Checking services at startup (rc.conf)" --result "DONE" --color GREEN
Display --indent 6 --text "Result: found $N services/options set"
logtext "Found $N services/options to run at startup"
fi
@ -278,7 +278,7 @@
N=`expr ${N} + 1`
done
logtext "Suggestion: Run systemctl --full --type=service to see all services"
Display --indent 2 --text "- Check running services (systemctl)... " --result "DONE" --color GREEN
Display --indent 2 --text "- Check running services (systemctl)" --result "DONE" --color GREEN
Display --indent 8 --text "Result: found $N running services"
logtext "Result: Found $N enabled services"
@ -293,7 +293,7 @@
N=`expr ${N} + 1`
done
logtext "Suggestion: Run systemctl list-unit-files --type=service to see all services"
Display --indent 2 --text "- Check enabled services at boot (systemctl)... " --result "DONE" --color GREEN
Display --indent 2 --text "- Check enabled services at boot (systemctl)" --result "DONE" --color GREEN
Display --indent 8 --text "Result: found $N enabled services"
logtext "Result: Found $N running services"
@ -301,7 +301,7 @@
logtext "Result: systemctl binary not found, checking chkconfig binary"
if [ ! "${CHKCONFIGBINARY}" = "" ]; then
logtext "Result: chkconfig binary found, trying that to discover information"
logtext "Searching for services at startup (chkconfig, runlevel 3 and 5)... "
logtext "Searching for services at startup (chkconfig, runlevel 3 and 5)"
FIND=`${CHKCONFIGBINARY} --list | egrep '3:on|5:on' | awk '{ print $1 }'`
N=0
report "boot_service_tool=chkconfig"
@ -311,7 +311,7 @@
N=`expr ${N} + 1`
done
logtext "Suggestion: Run chkconfig --list to see all services and disable unneeded services"
Display --indent 2 --text "- Check services at startup (chkconfig)... " --result "DONE" --color GREEN
Display --indent 2 --text "- Check services at startup (chkconfig)" --result "DONE" --color GREEN
Display --indent 8 --text "Result: found $N services"
logtext "Result: Found $N services at startup"
else
@ -372,7 +372,7 @@
logtext "Found service (at boot, runlevel 2): ${I}"
N=`expr ${N} + 1`
done
Display --indent 2 --text "- Check services at startup (rc2.d)... " --result "DONE" --color WHITE
Display --indent 2 --text "- Check services at startup (rc2.d)" --result "DONE" --color WHITE
Display --indent 4 --text "Result: found $N services"
logtext "Found $N services"
fi
@ -452,13 +452,13 @@
# Check results
if [ ${FOUND} -eq 1 ]; then
Display --indent 2 --text "- Check startup files (permissions)... " --result "WARNING" --color RED
Display --indent 2 --text "- Check startup files (permissions)" --result "WARNING" --color RED
ReportWarning ${TEST_NO} "H" "One or more startup files can be overwritten by all users"
ReportSuggestion ${TEST_NO} "Check startup scripts for world write access and change permissions if needed"
logtext "Result: found one or more scripts which are possibly writable by other users"
AddHP 0 3
else
Display --indent 2 --text "- Check startup files (permissions)... " --result "OK" --color GREEN
Display --indent 2 --text "- Check startup files (permissions)" --result "OK" --color GREEN
AddHP 3 3
fi
fi
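Review bot: The GRUB password check (`@ -44,7`) filters comments with `grep -v '^#'`, which matches a `#` in column 0 only, so an indented, commented-out `password --md5` or `password --encrypted` line still leaves `FIND` non-empty and the test reports password protection as OK with `AddHP 4 4`. The LILO hunk (`@ -120,13`) filters its `password[[:space:]]?=` match the same way. Allowing leading whitespace in the filter closes that false negative: `grep -v '^[[:space:]]*#'`. Separately, the two systemctl hunks log the opposite of what they display (`Found $N enabled services` under the running-services check, `Found $N running services` under the enabled-at-boot check), so the two `logtext` strings should be swapped. The enclosing test blocks start and end outside these hunks.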


@ -65,9 +65,9 @@
done
if [ ${FOUNDPROBLEM} -eq 0 ]; then
Display --indent 2 --text "- Checking SSL certificate expiration..." --result OK --color GREEN
Display --indent 2 --text "- Checking SSL certificate expiration" --result OK --color GREEN
else
Display --indent 2 --text "- Checking SSL certificate expiration..." --result WARNING --color RED
Display --indent 2 --text "- Checking SSL certificate expiration" --result WARNING --color RED
ReportWarning ${TEST_NO} "M" "One or more SSL certificates expired"
fi
fi


@ -40,10 +40,10 @@
logtext "Test: checking something"
ReportWarning ${TEST_NO} "M" "Test warning"
if [ ${FOUND} -eq 0 ]; then
Display --indent 4 --text "- Performing custom test 1..." --result OK --color GREEN
Display --indent 4 --text "- Performing custom test 1" --result OK --color GREEN
logtext "Result: the test looks great!"
else
Display --indent 4 --text "- Performing custom test 1..." --result WARNING --color RED
Display --indent 4 --text "- Performing custom test 1" --result WARNING --color RED
logtext "Result: hmm bad result of this test :("
ReportSuggestion ${TEST_NO} "This could be better!"
fi


@ -37,10 +37,10 @@
if [ ${SKIPTEST} -eq 0 ]; then
FIND=`${PSBINARY} ax | egrep "mysqld|mysqld_safe" | grep -v "grep"`
if [ "${FIND}" = "" ]; then
Display --indent 2 --text "- MySQL process status..." --result "NOT FOUND" --color WHITE
Display --indent 2 --text "- MySQL process status" --result "NOT FOUND" --color WHITE
logtext "Result: MySQL process not active"
else
Display --indent 2 --text "- MySQL process status..." --result "FOUND" --color GREEN
Display --indent 2 --text "- MySQL process status" --result "FOUND" --color GREEN
logtext "Result: MySQL is active"
MYSQL_RUNNING=1
fi
@ -95,10 +95,10 @@
if [ ${SKIPTEST} -eq 0 ]; then
FIND=`${PSBINARY} ax | grep "postgres:" | grep -v "grep"`
if [ "${FIND}" = "" ]; then
Display --indent 2 --text "- PostgreSQL processes status..." --result "NOT FOUND" --color WHITE
Display --indent 2 --text "- PostgreSQL processes status" --result "NOT FOUND" --color WHITE
logtext "Result: PostgreSQL process not active"
else
Display --indent 2 --text "- PostgreSQL processes status..." --result "FOUND" --color GREEN
Display --indent 2 --text "- PostgreSQL processes status" --result "FOUND" --color GREEN
logtext "Result: PostgreSQL is active"
POSTGRESQL_RUNNING=1
fi
@ -120,10 +120,10 @@
if [ ${SKIPTEST} -eq 0 ]; then
FIND=`${PSBINARY} ax | egrep "ora_pmon|ora_smon|tnslsnr" | grep -v "grep"`
if [ "${FIND}" = "" ]; then
Display --indent 2 --text "- Oracle processes status..." --result "NOT FOUND" --color WHITE
Display --indent 2 --text "- Oracle processes status" --result "NOT FOUND" --color WHITE
logtext "Result: Oracle process(es) not active"
else
Display --indent 2 --text "- Oracle processes status..." --result "FOUND" --color GREEN
Display --indent 2 --text "- Oracle processes status" --result "FOUND" --color GREEN
logtext "Result: Oracle is active"
ORACLE_RUNNING=1
fi
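Review bot: All three process checks match a substring anywhere in the `${PSBINARY} ax` output, so any command line that merely contains `mysqld`, `ora_pmon` or `tnslsnr` (for example an editor opened on a file with that name) sets the matching `*_RUNNING` flag, which may then steer later tests. The `mysqld_safe` alternative in the first pattern is also redundant, because `mysqld` already matches it. Another file in this commit calls `IsRunning ossec-syscheckd` and tests `${RUNNING}`; if that helper matches on the process name, using it here would be more precise and consistent, but its definition is not visible on this page, so confirm first. Each test body continues past the end of its hunk.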


@ -19,7 +19,7 @@
#################################################################################
#
InsertSection "Software: file integrity"
Display --indent 2 --text "- Checking file integrity tools..."
Display --indent 2 --text "- Checking file integrity tools"
# Test : FINT-4310
@ -30,10 +30,10 @@
if [ ! "${AFICKBINARY}" = "" ]; then
logtext "Result: AFICK is installed (${AFICKBINARY})"
FILE_INT_TOOL_FOUND=1
Display --indent 4 --text "- AFICK..." --result FOUND --color GREEN
Display --indent 4 --text "- AFICK" --result FOUND --color GREEN
else
logtext "Result: AFICK is not installed"
Display --indent 4 --text "- AFICK..." --result "NOT FOUND" --color WHITE
Display --indent 4 --text "- AFICK" --result "NOT FOUND" --color WHITE
fi
fi
#
@ -47,10 +47,10 @@
if [ ! "${AIDEBINARY}" = "" ]; then
logtext "Result: AIDE is installed (${AIDEBINARY})"
FILE_INT_TOOL_FOUND=1
Display --indent 4 --text "- AIDE..." --result FOUND --color GREEN
Display --indent 4 --text "- AIDE" --result FOUND --color GREEN
else
logtext "Result: AIDE is not installed"
Display --indent 4 --text "- AIDE..." --result "NOT FOUND" --color WHITE
Display --indent 4 --text "- AIDE" --result "NOT FOUND" --color WHITE
fi
fi
#
@ -112,10 +112,10 @@
if [ ! "${OSIRISBINARY}" = "" ]; then
logtext "Result: Osiris is installed (${OSIRISBINARY})"
FILE_INT_TOOL_FOUND=1
Display --indent 4 --text "- Osiris..." --result FOUND --color GREEN
Display --indent 4 --text "- Osiris" --result FOUND --color GREEN
else
logtext "Result: Osiris is not installed"
Display --indent 4 --text "- Osiris..." --result "NOT FOUND" --color WHITE
Display --indent 4 --text "- Osiris" --result "NOT FOUND" --color WHITE
fi
fi
#
@ -129,10 +129,10 @@
if [ ! "${SAMHAINBINARY}" = "" ]; then
logtext "Result: Samhain is installed (${SAMHAINBINARY})"
FILE_INT_TOOL_FOUND=1
Display --indent 4 --text "- Samhain..." --result FOUND --color GREEN
Display --indent 4 --text "- Samhain" --result FOUND --color GREEN
else
logtext "Result: Samhain is not installed"
Display --indent 4 --text "- Samhain..." --result "NOT FOUND" --color WHITE
Display --indent 4 --text "- Samhain" --result "NOT FOUND" --color WHITE
fi
fi
#
@ -146,10 +146,10 @@
if [ ! "${TRIPWIREBINARY}" = "" ]; then
logtext "Result: Tripwire is installed (${TRIPWIREBINARY})"
FILE_INT_TOOL_FOUND=1
Display --indent 4 --text "- Tripwire..." --result FOUND --color GREEN
Display --indent 4 --text "- Tripwire" --result FOUND --color GREEN
else
logtext "Result: Tripwire is not installed"
Display --indent 4 --text "- Tripwire..." --result "NOT FOUND" --color WHITE
Display --indent 4 --text "- Tripwire" --result "NOT FOUND" --color WHITE
fi
fi
#
@ -163,9 +163,9 @@
IsRunning ossec-syscheckd
if [ ${RUNNING} -eq 1 ]; then
FILE_INT_TOOL_FOUND=1
Display --indent 4 --text "- OSSEC (syscheck)..." --result FOUND --color GREEN
Display --indent 4 --text "- OSSEC (syscheck)" --result FOUND --color GREEN
else
Display --indent 4 --text "- OSSEC (syscheck)..." --result "NOT FOUND" --color WHITE
Display --indent 4 --text "- OSSEC (syscheck)" --result "NOT FOUND" --color WHITE
fi
fi
#
@ -180,10 +180,10 @@
if [ ! "${MTREEBINARY}" = "" ]; then
logtext "Result: mtree is installed (${MTREEBINARY})"
FILE_INT_TOOL_FOUND=1
Display --indent 4 --text "- mtree..." --result FOUND --color GREEN
Display --indent 4 --text "- mtree" --result FOUND --color GREEN
else
logtext "Result: mtree is not installed"
Display --indent 4 --text "- mtree..." --result "NOT FOUND" --color WHITE
Display --indent 4 --text "- mtree" --result "NOT FOUND" --color WHITE
fi
fi
#
@ -196,11 +196,11 @@
logtext "Test: Check if at least on file integrity tool is available/installed"
if [ ${FILE_INT_TOOL_FOUND} -eq 1 ]; then
logtext "Result: found at least one file integrity tool"
Display --indent 2 --text "- Checking presence integrity tool..." --result FOUND --color GREEN
Display --indent 2 --text "- Checking presence integrity tool" --result FOUND --color GREEN
AddHP 5 5
else
logtext "Result: No file integrity tools found"
Display --indent 2 --text "- Checking presence integrity tool..." --result "NOT FOUND" --color YELLOW
Display --indent 2 --text "- Checking presence integrity tool" --result "NOT FOUND" --color YELLOW
ReportSuggestion ${TEST_NO} "Install a file integrity tool"
AddHP 0 5
fi
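Review bot: The OSSEC check (hunk at -163, starting at `IsRunning ossec-syscheckd`) writes no `Result:` line to the log in either branch, while every other tool check in this file does, so the log alone cannot show whether syscheck was detected. Add `logtext "Result: OSSEC syscheck daemon is running"` before `FILE_INT_TOOL_FOUND=1` and `logtext "Result: OSSEC syscheck daemon is not running"` in the else branch. In the last hunk the log message reads "at least on file integrity tool" where "at least one" is meant. The enclosing test blocks start outside the hunks.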


@ -18,7 +18,7 @@
#
#################################################################################
#
InsertSection "System Tools"
InsertSection "File Permissions"
#
#################################################################################
#
@ -26,7 +26,7 @@
# Description : Perform file permissions check
Register --test-no FILE-7524 --weight L --network NO --description "Perform file permissions check"
if [ ${SKIPTEST} -eq 0 ]; then
Display --indent 2 --text "- Starting file permissions check..."
Display --indent 2 --text "- Starting file permissions check"
logtext "Test: Checking file permissions"
logtext "Using profile ${PROFILE} for baseline."
FIND=`cat ${PROFILE} | egrep '^permfile:|^permdir:' | cut -d: -f2`


@ -40,16 +40,16 @@
logtext "Test: Checking if ${I} is mounted separately or mounted on / file system"
if [ -L ${I} ]; then
logtext "Result: ${I} is a symlink. Manual check required to determine exact file system"
Display --indent 4 --text "- Checking ${I} mount point..." --result SYMLINK --color WHITE
Display --indent 4 --text "- Checking ${I} mount point" --result SYMLINK --color WHITE
elif [ -d ${I} ]; then
logtext "Result: directory ${I} exists"
FIND=`mount | grep "${I}"`
if [ ! "${FIND}" = "" ]; then
logtext "Result: found ${I} as a separated mount point"
Display --indent 4 --text "- Checking ${I} mount point..." --result OK --color GREEN
Display --indent 4 --text "- Checking ${I} mount point" --result OK --color GREEN
else
logtext "Result: ${I} not found in mount list. Directory most likely stored on / file system"
Display --indent 4 --text "- Checking ${I} mount point..." --result SUGGESTION --color YELLOW
Display --indent 4 --text "- Checking ${I} mount point" --result SUGGESTION --color YELLOW
ReportSuggestion ${TEST_NO} "To decrease the impact of a full ${I} file system, place ${I} on a separated partition"
fi
else
@ -79,10 +79,10 @@
report "lvm_volume_group[]=${I}"
done
LVM_VG_USED=1
Display --indent 2 --text "- Checking LVM volume groups..." --result FOUND --color GREEN
Display --indent 2 --text "- Checking LVM volume groups" --result FOUND --color GREEN
else
logtext "Result: no LVM volume groups found"
Display --indent 2 --text "- Checking LVM volume groups..." --result NONE --color WHITE
Display --indent 2 --text "- Checking LVM volume groups" --result NONE --color WHITE
fi
fi
#
@ -101,10 +101,10 @@
logtext "Found LVM volume: ${I}"
report "lvm_volume[]=${I}"
done
Display --indent 4 --text "- Checking LVM volumes..." --result FOUND --color GREEN
Display --indent 4 --text "- Checking LVM volumes" --result FOUND --color GREEN
else
logtext "Result: no LVM volume groups found"
Display --indent 4 --text "- Checking LVM volumes..." --result NONE --color WHITE
Display --indent 4 --text "- Checking LVM volumes" --result NONE --color WHITE
fi
fi
#
@ -144,10 +144,10 @@
logtext "Test: Query /etc/fstab for available FFS/UFS mount points"
FIND=`awk '{ if ($3 == "ufs" || $3 == "ffs" ) { print $1":"$2":"$3":"$4":" }}' /etc/fstab`
if [ "${FIND}" = "" ]; then
Display --indent 2 --text "- Querying FFS/UFS mount points (fstab)..." --result NONE --color WHITE
Display --indent 2 --text "- Querying FFS/UFS mount points (fstab)" --result NONE --color WHITE
logtext "Result: unable to find any single mount point (FFS/UFS)"
else
Display --indent 2 --text "- Querying FFS/UFS mount points (fstab)..." --result FOUND --color GREEN
Display --indent 2 --text "- Querying FFS/UFS mount points (fstab)" --result FOUND --color GREEN
report "filesystem[]=ufs"
for I in ${FIND}; do
logtext "FFS/UFS mount found: ${I}"
@ -165,10 +165,10 @@
logtext "Test: Query /etc/fstab for available ZFS mount points"
FIND=`mount -p | awk '{ if ($3 == "zfs") { print $1":"$2":"$3":"$4":" }}'`
if [ "${FIND}" = "" ]; then
Display --indent 2 --text "- Querying ZFS mount points (mount -p)..." --result NONE --color WHITE
Display --indent 2 --text "- Querying ZFS mount points (mount -p)" --result NONE --color WHITE
logtext "Result: unable to find any single mount point (ZFS)"
else
Display --indent 2 --text "- Querying ZFS mount points (mount -p)..." --result FOUND --color GREEN
Display --indent 2 --text "- Querying ZFS mount points (mount -p)" --result FOUND --color GREEN
report "filesystem[]=zfs"
for I in ${FIND}; do
logtext "ZFS mount found: ${I}"
@ -206,9 +206,9 @@
report "swap_partition[]=${I}"
done
if [ ${FOUND} -eq 1 ]; then
Display --indent 2 --text "- Query swap partitions (fstab)..." --result OK --color GREEN
Display --indent 2 --text "- Query swap partitions (fstab)" --result OK --color GREEN
else
Display --indent 2 --text "- Query swap partitions (fstab)..." --result WARNING --color YELLOW
Display --indent 2 --text "- Query swap partitions (fstab)" --result WARNING --color YELLOW
ReportWarning ${TEST_NO} "L" "No swap partion found in /etc/fstab"
logtext "Result: no swap partitions found in /etc/fstab"
fi
@ -225,10 +225,10 @@
logtext "Test: check swap partitions with incorrect mount options"
FIND=`awk '{ if ($3=="swap" && ($4!="sw" && $4!="swap" && $4!="defaults")) print $1 }' /etc/fstab`
if [ "${FIND}" = "" ]; then
Display --indent 2 --text "- Testing swap partitions..." --result OK --color GREEN
Display --indent 2 --text "- Testing swap partitions" --result OK --color GREEN
logtext "Result: all swap partitions have correct options (sw or swap)"
else
Display --indent 2 --text "- Testing swap partitions..." --result WARNING --color RED
Display --indent 2 --text "- Testing swap partitions" --result WARNING --color RED
logtext "Result: possible incorrect mount options used for mounting swap partition (${FIND})"
#ReportWarning ${TEST_NO} "L" "Possible incorrect mount options used for swap parition (${FIND})"
ReportSuggestion ${TEST_NO} "Check your /etc/fstab file. Swap partition usually have 'sw' or 'swap' in the options field (4th)."
@ -242,14 +242,14 @@
if [ -d /tmp ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no FILE-6354 --preqs-met ${PREQS_MET} --weight L --network NO --description "Searching for old files in /tmp"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Searching for old files in /tmp..."
logtext "Test: Searching for old files in /tmp"
# Search for files only in /tmp, with an access time older than X days
FIND=`find /tmp -type f -atime +${TMP_OLD_DAYS} 2> /dev/null | sed 's/ /!space!/g'`
if [ "${FIND}" = "" ]; then
Display --indent 2 --text "- Checking for old files in /tmp..." --result OK --color GREEN
Display --indent 2 --text "- Checking for old files in /tmp" --result OK --color GREEN
logtext "Result: no files found in /tmp which are older than 3 months"
else
Display --indent 2 --text "- Checking for old files in /tmp..." --result WARNING --color RED
Display --indent 2 --text "- Checking for old files in /tmp" --result WARNING --color RED
N=0
for I in ${FIND}; do
FILE=`echo ${I} | sed 's/!space!/ /g'`
@ -275,7 +275,7 @@
#for I in ${SKELDIRS}; do
#
# logtext "Searching skel directory ${I}..."
# logtext "Searching skel directory ${I}"
#
# if [ -d ${I} ]; then
# logtext "Result: Directory found, scanning for unsafe file permissions"
@ -283,20 +283,20 @@
# if [ ! "${FIND}" = "0" ]; then
# FIND=`find ${I} -type f -a \( -perm -004 -o -perm -002 -o -perm -001 \)`
# if [ "${FIND}" = "" ]; then
# Display --indent 2 --text "- Checking skel file permissions (${I})..." --result OK --color GREEN
# Display --indent 2 --text "- Checking skel file permissions (${I})" --result OK --color GREEN
# logtext "Result: Directory seems to be ok, no files found with read/write/execute bit set."
# logtext "Status: OK"
# else
# Display --indent 2 --text "- Checking skel file permissions (${I})..." --result WARNING --color RED
# Display --indent 2 --text "- Checking skel file permissions (${I})" --result WARNING --color RED
# logtext "Result: The following files do have non restrictive permissions: ${FIND}"
# ReportSuggestion ${TEST_NO} "Remove the read, write or execute bit from these files (chmod o-rwx)"
# fi
# else
# Display --indent 2 --text "- Checking skel file permissions (${I})..." --result EMPTY --color WHITE
# Display --indent 2 --text "- Checking skel file permissions (${I})" --result EMPTY --color WHITE
# logtext "Directory ${I} is empty, no scan performed"
# fi
# else
# Display --indent 2 --text "- Checking skel file permissions (${I})..." --result "NOT FOUND" --color WHITE
# Display --indent 2 --text "- Checking skel file permissions (${I})" --result "NOT FOUND" --color WHITE
# logtext "Result: Skel directory (${I}) not found"
# fi
#done
@ -311,11 +311,11 @@
# Depending on OS, number of field with 'tmp' differs
FIND=`ls -l / | tr -s ' ' | awk -F" " '{ if ( $8 == "tmp" || $9 == "tmp" ) { print $1 } }' | cut -c 10`
if [ "${FIND}" = "t" -o "${FIND}" = "T" ]; then
Display --indent 2 --text "- Checking /tmp sticky bit..." --result OK --color GREEN
Display --indent 2 --text "- Checking /tmp sticky bit" --result OK --color GREEN
logtext "Result: Sticky bit (${FIND}) found on /tmp directory"
AddHP 3 3
else
Display --indent 2 --text "- Checking /tmp sticky bit..." --result WARNING --color RED
Display --indent 2 --text "- Checking /tmp sticky bit" --result WARNING --color RED
ReportWarning ${TEST_NO} "H" "No sticky bit found on /tmp directory, which can be dangerous!"
ReportSuggestion ${TEST_NO} "Consult documentation and place the sticky bit, to prevent users deleting (by other owned) files in the /tmp directory."
AddHP 0 3
@ -371,11 +371,11 @@
logtext "Result: ACL option NOT enabled on root file system"
logtext "Additional information: if file access need to be more restricted, ACLs could be used. Install the acl utilities and remount the file system with the acl option"
logtext "Activate acl support on and active file system with mount -o remount,acl / and add the acl option to the fstab file"
Display --indent 2 --text "- ACL support root file system..." --result DISABLED --color YELLOW
Display --indent 2 --text "- ACL support root file system" --result DISABLED --color YELLOW
AddHP 0 1
else
logtext "Result: ACL option enabled on root file system"
Display --indent 2 --text "- ACL support root file system..." --result ENABLED --color GREEN
Display --indent 2 --text "- ACL support root file system" --result ENABLED --color GREEN
AddHP 3 3
fi
fi
@ -396,9 +396,9 @@
if [ ! "${FIND}" = "" ]; then
logtext "Result: mount system / is configured with options: ${FIND}"
if [ "${FIND}" = "defaults" ]; then
Display --indent 2 --text "- Mount options of /..." --result OK --color GREEN
Display --indent 2 --text "- Mount options of /" --result OK --color GREEN
else
Display --indent 2 --text "- Mount options of /..." --result "NON DEFAULT" --color YELLOW
Display --indent 2 --text "- Mount options of /" --result "NON DEFAULT" --color YELLOW
fi
else
logtext "Result: no mount point / or expected options found"
@ -424,16 +424,16 @@
logtext "Result: mount system /boot is configured with options: ${FIND}"
if [ ${HARDENED} -eq 1 ]; then
logtext "Result: marked /boot options as hardenened"
Display --indent 2 --text "- Mount options of /boot..." --result HARDENED --color GREEN
Display --indent 2 --text "- Mount options of /boot" --result HARDENED --color GREEN
AddHP 5 5
else
if [ "${FIND}" = "defaults" ]; then
logtext "Result: marked /boot options as default (non hardened)"
Display --indent 2 --text "- Mount options of /boot..." --result DEFAULT --color RED
Display --indent 2 --text "- Mount options of /boot" --result DEFAULT --color RED
AddHP 3 5
else
logtext "Result: marked /boot options as non default (unclear about hardening)"
Display --indent 2 --text "- Mount options of /boot..." --result "NON DEFAULT" --color YELLOW
Display --indent 2 --text "- Mount options of /boot" --result "NON DEFAULT" --color YELLOW
AddHP 4 5
fi
fi
@ -527,11 +527,11 @@
fi
done
if [ ${FOUND} -eq 1 ]; then
Display --indent 2 --text "- Checking Locate database..." --result FOUND --color GREEN
Display --indent 2 --text "- Checking Locate database" --result FOUND --color GREEN
report "locate_db=${LOCATE_DB}"
else
logtext "Result: database not found"
Display --indent 2 --text "- Checking Locate database..." --result "NOT FOUND" --color YELLOW
Display --indent 2 --text "- Checking Locate database" --result "NOT FOUND" --color YELLOW
ReportSuggestion ${TEST_NO} "The database required for 'locate' could not be found. Run 'updatedb' or 'locate.updatedb' to create this file."
fi
fi
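Review bot: In the mount point hunk (-40,16), `mount | grep "${I}"` matches the directory name anywhere in a line, so a path that only appears inside another mount point or a device name is reported as a separate mount and the partitioning suggestion is suppressed. Compare the mount point field exactly instead, for example ``FIND=`mount | awk -v m="${I}" '$3 == m'` ``, assuming the usual `device on /path ...` output format. The `[ -L ${I} ]` and `[ -d ${I} ]` tests would also be safer with `"${I}"` quoted. The `for` loop that sets `I` starts outside the hunk. Separately, the /tmp hunk logs "older than 3 months" although the search uses `${TMP_OLD_DAYS}`, so the message could print that variable instead.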


@ -28,11 +28,11 @@
logtext "Test: Check if one or more compilers can be found on the system"
if [ ${COMPILER_INSTALLED} -eq 0 ]; then
logtext "Result: no compilers found"
Display --indent 4 --text "- Installed compiler(s)..." --result "NOT FOUND" --color GREEN
Display --indent 4 --text "- Installed compiler(s)" --result "NOT FOUND" --color GREEN
AddHP 3 3
else
logtext "Result: found installed compiler. See top of logfile which compilers have been found or use grep to filter on 'compiler'"
Display --indent 4 --text "- Installed compiler(s)..." --result "FOUND" --color RED
Display --indent 4 --text "- Installed compiler(s)" --result "FOUND" --color RED
ReportSuggestion ${TEST_NO} "Harden the system by removing unneeded compilers. This can decrease the chance of customized trojans, backdoors and rootkits to be compiled and installed"
AddHP 1 3
fi
@ -88,7 +88,7 @@
fi
#YYY check if compilers have a specific group (like compiler, or NOT root/wheel)
# Display --indent 4 --text "- Installed compiler(s)..." --result "FOUND" --color RED
# Display --indent 4 --text "- Installed compiler(s)" --result "FOUND" --color RED
# /usr/bin/*cc*
# /usr/bin/*++*
# /usr/bin/ld
@ -105,11 +105,11 @@
logtext "Test: Check if one or more compilers can be found on the system"
if [ ${MALWARE_SCANNER_INSTALLED} -eq 1 ]; then
logtext "Result: found at least one malware scanner"
Display --indent 4 --text "- Installed malware scanner..." --result "FOUND" --color GREEN
Display --indent 4 --text "- Installed malware scanner" --result "FOUND" --color GREEN
AddHP 3 3
else
logtext "Result: no malware scanner found"
Display --indent 4 --text "- Installed malware scanner..." --result "NOT FOUND" --color RED
Display --indent 4 --text "- Installed malware scanner" --result "NOT FOUND" --color RED
ReportSuggestion ${TEST_NO} "Harden the system by installing one or malware scanners to perform periodic file system scans"
AddHP 1 3
fi
@ -117,7 +117,6 @@
#
#################################################################################
#
# logtext "--------------------------------------------------------------------"
# logtext "| System part | Preferred value | Actual value | Points |"
# logtext "| [!] Compiler installed | 0 | [${COMPILER_INSTALLED}] | x |"
@ -126,8 +125,6 @@
# logtext "--------------------------------------------------------------------"
# logtext "| [!]: Hardening possible, [V]: Hardening performed, [ ]: Unknown "
# logtext "--------------------------------------------------------------------"
#
#################################################################################
#
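Review bot: The malware scanner test (hunk at -105) still logs `Test: Check if one or more compilers can be found on the system`, which repeats the compiler test's message from the first hunk, so the log misdescribes what was checked. Change it to `logtext "Test: Check if a malware scanner is installed"`. The suggestion text in the same hunk reads "installing one or malware scanners", where "one or more" was presumably intended. The test's `Register` line is outside the hunk.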


@ -25,7 +25,6 @@
# Ignore some top level directories (not the sub directories below)
IGNORE_HOME_DIRS="/bin /boot /cdrom /dev /etc /home /lib /lib64 /media /mnt
/opt /proc /sbin /selinux /srv /sys /tmp /usr /var"
#
#################################################################################
#
@ -61,10 +60,10 @@
FIND=`find ${HOMEDIRS} -maxdepth 1 -name ".*history" -not -type f -print`
fi
if [ "${FIND}" = "" ]; then
Display --indent 2 --text "- Checking shell history files... " --result OK --color GREEN
Display --indent 2 --text "- Checking shell history files" --result OK --color GREEN
logtext "Result: Ok, history files are type 'file'."
else
Display --indent 2 --text "- Checking shell history files... " --result WARNING --color RED
Display --indent 2 --text "- Checking shell history files" --result WARNING --color RED
logtext "Result: the following files seem to be of the wrong file type:"
logtext "Output: ${FIND}"
logtext "Info: above files could be redirected files to avoid logging and should be investigated"
@ -72,7 +71,7 @@
fi
logtext "Remarks: ${HOME_HISTORY_LOG_TEXT}"
else
Display --indent 2 --text "- Checking shell history files... " --result SKIPPED --color WHITE
Display --indent 2 --text "- Checking shell history files" --result SKIPPED --color WHITE
logtext "Result: Homedirs is empty, test will be skipped"
fi
fi
@ -103,7 +102,7 @@
fi
#YYY
#echo -n " - Checking PATH variable vulnerabilities... "
#echo -n " - Checking PATH variable vulnerabilities"
#
#FIND=`find ${HOMEDIRS} -name * | grep -r 'PATH=' | egrep '=.:|:.:|:.;' | grep -v 'CDPATH'`
#if [ "${FIND}" = "" ]


@ -32,16 +32,16 @@
Register --test-no INSE-8002 --weight L --network NO --description "Check for enabled inet daemon"
if [ ${SKIPTEST} -eq 0 ]; then
# Check running processes
logtext "Test: Searching for active inet daemon..."
logtext "Test: Searching for active inet daemon"
IsRunning inetd
if [ ${RUNNING} -eq 1 ]; then
logtext "Result: inetd is running"
Display --indent 2 --text "- Checking inetd status..." --result ACTIVE --color GREEN
Display --indent 2 --text "- Checking inetd status" --result ACTIVE --color GREEN
#YYY perform manual check
INETD_ACTIVE=1
else
logtext "Result: inetd is NOT running"
Display --indent 2 --text "- Checking inetd status..." --result "NOT ACTIVE" --color GREEN
Display --indent 2 --text "- Checking inetd status" --result "NOT ACTIVE" --color GREEN
fi
fi
#
@ -53,13 +53,13 @@
Register --test-no INSE-8004 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check for enabled inet daemon"
if [ ${SKIPTEST} -eq 0 ]; then
# Check configuration file
logtext "Test: Searching for file ${INETD_CONFIG_FILE}..."
logtext "Test: Searching for file ${INETD_CONFIG_FILE}"
if [ -f ${INETD_CONFIG_FILE} ]; then
logtext "Result: ${INETD_CONFIG_FILE} exists"
Display --indent 4 --text "- Checking inetd.conf..." --result FOUND --color WHITE
Display --indent 4 --text "- Checking inetd.conf" --result FOUND --color WHITE
else
logtext "Result: ${INETD_CONFIG_FILE} does not exist"
Display --indent 4 --text "- Checking inetd.conf..." --result "NOT FOUND" --color WHITE
Display --indent 4 --text "- Checking inetd.conf" --result "NOT FOUND" --color WHITE
fi
# YYY immutable bit could be set
# YYY permission check (already set in profile)
@ -76,9 +76,9 @@
logtext "Test: check if all services are disabled if inetd is disabled"
FIND=`cat ${INETD_CONFIG_FILE} | grep -v "^#" | grep -v "^$"`
if [ "${FIND}" = "" ]; then
Display --indent 4 --text "- Checking inetd.conf services..." --result OK --color GREEN
Display --indent 4 --text "- Checking inetd.conf services" --result OK --color GREEN
else
Display --indent 4 --text "- Checking inetd.conf services..." --result SUGGESTION --color YELLOW
Display --indent 4 --text "- Checking inetd.conf services" --result SUGGESTION --color YELLOW
ReportSuggestion ${TEST_NO} "Although inetd is not running, make sure no services are enabled in ${INETD_CONFIG_FILE}"
fi
fi
@ -94,11 +94,11 @@
FIND=`grep "^telnet" ${INETD_CONFIG_FILE}`
if [ "${FIND}" = "" ]; then
logtext "Result: telnet not enabled in ${INETD_CONFIG_FILE}"
Display --indent 2 --text "- Checking inetd (telnet)..." --result "NOT FOUND" --color GREEN
Display --indent 2 --text "- Checking inetd (telnet)" --result "NOT FOUND" --color GREEN
AddHP 3 3
else
logtext "Result: telnet enabled in ${INETD_CONFIG_FILE}"
Display --indent 2 --text "- Checking inetd (telnet)..." --result WARNING --color RED
Display --indent 2 --text "- Checking inetd (telnet)" --result WARNING --color RED
ReportSuggestion "${TEST_NO}" "Disable telnet in inetd configuration and use SSH instead"
AddHP 1 3
fi


@ -45,11 +45,11 @@
FIND2=`echo ${FIND} | egrep "runlevel5|graphical"`
if [ ! "${FIND2}" = "" ]; then
logtext "Result: Found match on runlevel5/graphical"
Display --indent 2 --text "- Checking default runlevel..." --result "runlevel 5" --color GREEN
Display --indent 2 --text "- Checking default runlevel" --result "runlevel 5" --color GREEN
report "linux_default_runlevel=5"
else
logtext "Result: No match found on runlevel, defaulting to runlevel 3"
Display --indent 2 --text "- Checking default runlevel..." --result "runlevel 3" --color GREEN
Display --indent 2 --text "- Checking default runlevel" --result "runlevel 3" --color GREEN
report "linux_default_runlevel=3"
fi
fi
@ -62,13 +62,13 @@
logtext "Test: Checking /etc/inittab"
if [ -f /etc/inittab ]; then
logtext "Result: file /etc/inittab found"
logtext "Test: Checking default Linux run level..."
logtext "Test: Checking default Linux run level"
FIND=`awk -F: '/^id/ { print $2; }' /etc/inittab | head -n 1`
if [ "${FIND}" = "" ]; then
Display --indent 2 --text "- Checking default runlevel" --result UNKNOWN --color YELLOW
logtext "Result: Can't determine default run level from /etc/inittab"
else
Display --indent 2 --text "- Checking default run level..." --result "${FIND}" --color GREEN
Display --indent 2 --text "- Checking default run level" --result "${FIND}" --color GREEN
logtext "Found default run level '${FIND}'"
report "linux_default_runlevel=${FIND}"
fi
@ -80,10 +80,10 @@
if [ ! "${FIND}" = "" ]; then
logtext "Result: Found default run level '${FIND}'"
report "linux_default_runlevel=${FIND}"
Display --indent 2 --text "- Checking default run level..." --result "RUNLEVEL ${FIND}" --color GREEN
Display --indent 2 --text "- Checking default run level" --result "RUNLEVEL ${FIND}" --color GREEN
else
logtext "Result: Can't determine default run level from who -r"
Display --indent 2 --text "- Checking default run level..." --result UNKNOWN --color YELLOW
Display --indent 2 --text "- Checking default run level" --result UNKNOWN --color YELLOW
fi
fi
fi
@ -99,10 +99,10 @@
Register --test-no KRNL-5677 --os Linux --weight L --network NO --description "Check CPU options and support"
if [ ${SKIPTEST} -eq 0 ]; then
Display --indent 2 --text "- Checking CPU support (NX/PAE)"
logtext "Test: Checking /proc/cpuinfo..."
logtext "Test: Checking /proc/cpuinfo"
if [ -f /proc/cpuinfo ]; then
logtext "Result: found /proc/cpuinfo"
logtext "Test: Checking CPU options (XD/NX/PAE)..."
logtext "Test: Checking CPU options (XD/NX/PAE)"
FIND_PAE_NX=`cat /proc/cpuinfo | grep " pae " | grep " nx "`
FIND_PAE=`cat /proc/cpuinfo | grep " pae "`
FIND_NX=`cat /proc/cpuinfo | grep " nx "`
@ -271,7 +271,7 @@
# Description : Checking FreeBSD loaded kernel modules
Register --test-no KRNL-5745 --os FreeBSD --weight L --network NO --description "Checking FreeBSD loaded kernel modules"
if [ ${SKIPTEST} -eq 0 ]; then
Display --indent 2 --text "- Checking active kernel modules..."
Display --indent 2 --text "- Checking active kernel modules"
logtext "Test: ${KERNEL_ACTIVE_MODULES_TITLE}"
logtext "Description: ${KERNEL_ACTIVE_MODULES_DESCRIPTION}"
logtext "Action: Checking modules"
@ -339,17 +339,17 @@
logtext "Kernel installed: ${FINDINST}"
logtext "Kernel candidate: ${FINDCAND}"
if [ "${FINDINST}" = "" ]; then
Display --indent 2 --text "- Checking for available kernel update... " --result UNKNOWN --color YELLOW
Display --indent 2 --text "- Checking for available kernel update" --result UNKNOWN --color YELLOW
logtext "Result: Exception occured, no output from apt-cache policy"
ReportException "${TEST_NO}:01"
logtext "Exception: apt-cache policy did not return an installed kernel version"
ReportSuggestion ${TEST_NO} "Check the output of apt-cache policy manually to determine why output is empty"
else
if [ "${FINDINST}" = "${FINDCAND}" ]; then
Display --indent 2 --text "- Checking for available kernel update... " --result OK --color GREEN
Display --indent 2 --text "- Checking for available kernel update" --result OK --color GREEN
logtext "Result: no kernel update available"
else
Display --indent 2 --text "- Checking for available kernel update... " --result "UPDATE AVAILABLE" --color YELLOW
Display --indent 2 --text "- Checking for available kernel update" --result "UPDATE AVAILABLE" --color YELLOW
logtext "Result: kernel update available according 'apt-cache policy'."
ReportSuggestion ${TEST_NO} "Determine priority for available kernel update"
fi
@ -373,12 +373,12 @@
FIND2=`cat /etc/security/limits.conf | grep -v "^#" | grep -v "^$" | awk '{ if ($1=="*" && $2=="hard" && $3=="core") { print "hard core enabled" } }'`
if [ "${FIND1}" = "soft core enabled" -o "${FIND2}" = "hard core enabled" ]; then
logtext "Result: core dumps (soft or hard) are enabled"
Display --indent 2 --text "- Checking core dumps configuration... " --result ENABLED --color YELLOW
Display --indent 2 --text "- Checking core dumps configuration" --result ENABLED --color YELLOW
#YYY suggestion
AddHP 1 2
else
logtext "Result: core dumps (soft and hard) are both disabled"
Display --indent 2 --text "- Checking core dumps configuration... " --result DISABLED --color GREEN
Display --indent 2 --text "- Checking core dumps configuration" --result DISABLED --color GREEN
CORE_DUMPS_DISABLED=1
AddHP 3 3
fi
@ -393,16 +393,16 @@
fi
if [ "${FIND}" = "2" ]; then
logtext "Result: programs can dump core dump, but only readable by root (value 2, for debugging with file protection)"
Display --indent 4 --text "- Checking setuid core dumps configuration... " --result PROTECTED --color GREEN
Display --indent 4 --text "- Checking setuid core dumps configuration" --result PROTECTED --color GREEN
AddHP 1 1
elif [ "${FIND}" = "1" ]; then
logtext "Result: all programs can perform core dumps (value 1, for debugging)"
Display --indent 2 --text "- Checking setuid core dumps configuration... " --result DEBUG --color YELLOW
Display --indent 2 --text "- Checking setuid core dumps configuration" --result DEBUG --color YELLOW
ReportSuggestion ${TEST_NO} "Determine if really all binaries need to be able to core dump"
AddHP 0 1
else
logtext "Result: found default option, some programs can dump (not processes which need to change credentials)"
Display --indent 4 --text "- Checking setuid core dumps configuration... " --result DEFAULT --color YELLOW
Display --indent 4 --text "- Checking setuid core dumps configuration" --result DEFAULT --color YELLOW
AddHP 1 1
fi
# Check ulimit settings and harden it
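Review bot: In the setuid core dump hunk (-393), the `elif [ "${FIND}" = "1" ]` branch still calls `Display --indent 2` while the two sibling branches use `--indent 4`, so the DEBUG result is printed at a different level than PROTECTED and DEFAULT. Use `Display --indent 4 --text "- Checking setuid core dumps configuration" --result DEBUG --color YELLOW`. The display text also alternates between "default runlevel" and "default run level" in the hunks at -45 and -62, and a single spelling would keep the output consistent. The surrounding test block starts outside the hunk.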


@ -29,7 +29,7 @@
Register --test-no KRNL-6000 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check sysctl key pairs in scan profile"
if [ ${SKIPTEST} -eq 0 ]; then
N=0
Display --indent 2 --text "- Comparing sysctl key pairs with scan profile..."
Display --indent 2 --text "- Comparing sysctl key pairs with scan profile"
FIND=`grep "^sysctl:" ${PROFILE} | sed 's/ /:space:/g'`
for I in ${FIND}; do
tFINDkey=`echo ${I} | awk -F: '{ print $2 }'`


@ -33,12 +33,12 @@
Register --test-no LDAP-2219 --weight L --network NO --description "Check running OpenLDAP instance"
if [ ${SKIPTEST} -eq 0 ]; then
#YYY add additional slash
FIND=`${PSBINARY} ax | grep "slapd" | grep -v "grep"`
if [ "${FIND}" = "" ]; then
Display --indent 2 --text "- Checking OpenLDAP instance..." --result "NOT FOUND" --color WHITE
IsRunning slapd
if [ ${RUNNING} -eq 0 ]; then
Display --indent 2 --text "- Checking OpenLDAP instance" --result "NOT FOUND" --color WHITE
logtext "Result: No running slapd process found."
else
Display --indent 2 --text "- Checking OpenLDAP instance..." --result FOUND --color GREEN
Display --indent 2 --text "- Checking OpenLDAP instance" --result FOUND --color GREEN
logtext "Result: Found running slapd process"
SLAPDFOUND=1
SLAPD_RUNNING=1
@ -63,9 +63,9 @@
done
# Check if we found a valid location
if [ ! "${SLAPD_CONF_LOCATION}" = "" ]; then
Display --indent 4 --text "- Checking slapd.conf..." --result FOUND --color GREEN
Display --indent 4 --text "- Checking slapd.conf" --result FOUND --color GREEN
else
Display --indent 4 --text "- Checking slapd.conf..." --result "NOT FOUND" --color YELLOW
Display --indent 4 --text "- Checking slapd.conf" --result "NOT FOUND" --color YELLOW
fi
fi
#
@ -97,7 +97,6 @@
#################################################################################
#
wait_for_keypress
#
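Review bot: The new test `if [ ${RUNNING} -eq 0 ]` sends every case other than an exact 0 to the FOUND branch, including an empty or non-numeric `RUNNING`, where `[` fails with an error and the else branch then sets `SLAPD_RUNNING=1`. The other `IsRunning` callers on this page test `-eq 1` for the positive case, so a missing value falls to NOT FOUND; here `if [ ! "${RUNNING}" = "1" ]; then` would give the same fail-safe behaviour. Whether `IsRunning` always sets `RUNNING` cannot be seen from this page. The comment `#YYY add additional slash` referred to the removed grep pattern and can be dropped or reworded.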


@ -41,16 +41,16 @@
# Notes : Log which syslog daemon is found YYY
Register --test-no LOGG-2130 --weight L --network NO --description "Check for running syslog daemon"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Searching for a logging daemon... "
logtext "Test: Searching for a logging daemon"
FIND=`${PSBINARY} ax | egrep "syslogd|syslog-ng|metalog|systemd-journal" | grep -v "grep"`
if [ "${FIND}" = "" ]; then
Display --indent 2 --text "- Checking for a running log daemon..." --result WARNING --color RED
Display --indent 2 --text "- Checking for a running log daemon" --result WARNING --color RED
logtext "Result: Could not find a syslog daemon like syslog, syslog-ng, rsyslog, metalog, systemd-journal"
ReportSuggestion ${TEST_NO} "Check if any syslog daemon is running and correctly configured."
ReportWarning ${TEST_NO} "H" "No syslog daemon found"
AddHP 0 3
else
Display --indent 2 --text "- Checking for a running log daemon..." --result OK --color GREEN
Display --indent 2 --text "- Checking for a running log daemon" --result OK --color GREEN
logtext "Result: Found a logging daemon"
SYSLOG_DAEMON_PRESENT=1
SYSLOG_DAEMON_RUNNING=1
@ -64,7 +64,7 @@
# Description : Check for a running syslog-ng daemon
Register --test-no LOGG-2132 --weight L --network NO --description "Check for running syslog-ng daemon"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Searching for syslog-ng daemon in process list... "
logtext "Test: Searching for syslog-ng daemon in process list"
FIND=`${PSBINARY} ax | grep "/syslog-ng" | grep -v "grep"`
if [ ! "${FIND}" = "" ]; then
logtext "Result: Found syslog-ng in process list"
@ -102,7 +102,7 @@
# Description : Check for a running metalog daemon
Register --test-no LOGG-2210 --weight L --network NO --description "Check for running metalog daemon"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Searching for metalog daemon in process list... "
logtext "Test: Searching for metalog daemon in process list"
FIND=`${PSBINARY} ax | grep "metalog" | grep -v "grep"`
if [ ! "${FIND}" = "" ]; then
logtext "Result: Found metalog in process list"
@ -121,7 +121,7 @@
# Description : Check for a running rsyslog daemon
Register --test-no LOGG-2230 --weight L --network NO --description "Check for running RSyslog daemon"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Searching for RSyslog daemon in process list... "
logtext "Test: Searching for RSyslog daemon in process list"
FIND=`${PSBINARY} ax | grep "rsyslogd" | grep -v "grep"`
if [ ! "${FIND}" = "" ]; then
logtext "Result: Found rsyslogd in process list"
@ -140,7 +140,7 @@
# Description : Check for a running RFC 3195 compliant daemon (syslog via TCP)
Register --test-no LOGG-2240 --weight L --network NO --description "Check for running RFC 3195 compliant daemon"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Searching for RFC 3195 daemon (alias syslog reliable) in process list... "
logtext "Test: Searching for RFC 3195 daemon (alias syslog reliable) in process list"
FIND=`${PSBINARY} ax | grep "rfc3195d" | grep -v "grep"`
if [ ! "${FIND}" = "" ]; then
logtext "Result: Found rfc3195d in process list"
@ -187,18 +187,17 @@
# Description : Check for minilogd presence on Linux systems
Register --test-no LOGG-2142 --os Linux --weight L --network NO --description "Checking minilog daemon"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Result: Checking for unkilled minilogd instances.."
logtext "Result: Checking for unkilled minilogd instances"
# Search for minilogd. It shouldn't be running normally, if another syslog daemon is started
FIND=`${PSBINARY} ax | grep "minilogd" | grep -v "grep"`
if [ "${FIND}" = "" ]; then
Display --indent 4 --text "- Checking minilogd instances" --result "NOT FOUND" --color WHITE
logtext "Result: No minilogd is running.."
logtext "Result: No minilogd is running"
else
Display --indent 4 --text "- Checking minilogd instances" --result WARNING --color RED
logtext "Result: minilogd found in process list"
# minilogd daemon seems to be running..
# minilogd daemon seems to be running
ReportWarning ${TEST_NO} "L" "minilogd is running, which should normally not be running"
ReportSuggestion ${TEST_NO} "Check minilogd is active and if other syslog daemons are started up properly"
fi
fi
#


@ -40,12 +40,12 @@
IsRunning exim
if [ ${RUNNING} -eq 1 ]; then
logtext "Result: found running Exim process"
Display --indent 2 --text "- Checking Exim status..." --result RUNNING --color GREEN
Display --indent 2 --text "- Checking Exim status" --result RUNNING --color GREEN
EXIM_RUNNING=1
SMTP_DAEMON="exim"
else
logtext "Result: no running Exim processes found"
Display --indent 2 --text "- Checking Exim status..." --result "NOT FOUND" --color WHITE
Display --indent 2 --text "- Checking Exim status" --result "NOT FOUND" --color WHITE
fi
fi
#
@ -57,15 +57,15 @@
#Register --test-no MAIL-8804 --weight L --network NO --description "Check Exim configuration"
#if [ ${SKIPTEST} -eq 0 ]; then
# if [ ! "${EXIMBINARY}" = "" ]; then
# logtext "Test: Searching Exim configuration file..."
# logtext "Test: Searching Exim configuration file"
# FIND=`${EXIMBINARY} -d | grep "configuration file is" | sed 's/configuration file is//'`
# if [ ! "${FIND}" = "" ]; then
# Display --indent 2 --text "- Checking Exim configuration..." --result FOUND --color GREEN
# Display --indent 2 --text "- Checking Exim configuration" --result FOUND --color GREEN
# Display --indent 4 --text "Result: configuration file is ${FIND}"
# logtext "Result: found Exim"
# logtext "Result: configuration file is ${FIND}"
# else
# Display --indent 2 --text "- Checking Exim configuration..." --result WARNING --color RED
# Display --indent 2 --text "- Checking Exim configuration" --result WARNING --color RED
# logtext "Couldn't find the Exim configuration file, however Exim seems to be installed."
# fi
# else
@ -86,12 +86,12 @@
#FIND3=`${PSBINARY} ax | grep "pickup" | grep "postfix" | grep -v "grep"`
if [ ! "${FIND1}" = "" ]; then
logtext "Result: found running Postfix process"
Display --indent 2 --text "- Checking Postfix status..." --result RUNNING --color GREEN
Display --indent 2 --text "- Checking Postfix status" --result RUNNING --color GREEN
POSTFIX_RUNNING=1
SMTP_DAEMON="postfix"
else
logtext "Result: no running Postfix processes found"
Display --indent 2 --text "- Checking Postfix status..." --result "NOT FOUND" --color WHITE
Display --indent 2 --text "- Checking Postfix status" --result "NOT FOUND" --color WHITE
fi
fi
#
@ -102,7 +102,7 @@
if [ ${POSTFIX_RUNNING} -eq 1 -a ! "${POSTFIXBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no MAIL-8816 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check Postfix configuration"
if [ ${SKIPTEST} -eq 0 ]; then
Display --indent 2 --text "- Checking Postfix configuration..." --result FOUND --color GREEN
Display --indent 2 --text "- Checking Postfix configuration" --result FOUND --color GREEN
POSTFIX_CONFIGDIR=`${POSTCONFBINARY} | grep '^config_directory' | awk '{ print $3 }'`
POSTFIX_CONFIGFILE="${POSTFIX_CONFIGDIR}/main.cf"
logtext "Postfix configuration directory: ${POSTFIX_CONFIGDIR}"
@ -129,11 +129,11 @@
if [ ! "${FIND2}" = "" -a ! "${FIND3}" = "" ]; then
SHOWWARNING=1
else
Display --indent 4 --text "- Checking Postfix banner..." --result OK --color GREEN
Display --indent 4 --text "- Checking Postfix banner" --result OK --color GREEN
fi
fi
if [ ${SHOWWARNING} -eq 1 ]; then
Display --indent 4 --text "- Checking Postfix banner..." --result WARNING --color RED
Display --indent 4 --text "- Checking Postfix banner" --result WARNING --color RED
logtext "Result: found mail_name in SMTP banner, and/or mail_name contains 'Postfix'."
ReportWarning ${TEST_NO} "L" "Found mail_name in SMTP banner, and/or mail_name contains 'Postfix'"
ReportSuggestion ${TEST_NO} "You are adviced to hide the mail_name (option: smtpd_banner) from your postfix configuration. Use postconf -e or change your main.cf file (${POSTFIX_CONFIGFILE})"
@ -150,13 +150,13 @@
IsRunning dovecot
if [ ${RUNNING} -eq 1 ]; then
logtext "Result: found running dovecot process"
Display --indent 2 --text "- Checking Dovecot status..." --result RUNNING --color GREEN
Display --indent 2 --text "- Checking Dovecot status" --result RUNNING --color GREEN
DOVECOT_RUNNING=1
IMAP_DAEMON="dovecot"
POP3_DAEMON="dovecot"
else
logtext "Result: dovecot not found"
Display --indent 2 --text "- Checking Dovecot status..." --result "NOT FOUND" --color WHITE
Display --indent 2 --text "- Checking Dovecot status" --result "NOT FOUND" --color WHITE
fi
fi
#
@ -190,12 +190,12 @@
IsRunning qmail-smtpd
if [ ${RUNNING} -eq 1 ]; then
logtext "Result: found running Qmail process"
Display --indent 2 --text "- Checking Qmail status..." --result RUNNING --color GREEN
Display --indent 2 --text "- Checking Qmail status" --result RUNNING --color GREEN
QMAIL_RUNNING=1
SMTP_DAEMON="qmail"
else
logtext "Result: no running Qmail processes found"
Display --indent 2 --text "- Checking Qmail status..." --result "NOT FOUND" --color WHITE
Display --indent 2 --text "- Checking Qmail status" --result "NOT FOUND" --color WHITE
fi
fi
#
@ -209,12 +209,12 @@
IsRunning sendmail
if [ ${RUNNING} -eq 1 ]; then
logtext "Result: found running Sendmail process"
Display --indent 2 --text "- Checking Sendmail status..." --result RUNNING --color GREEN
Display --indent 2 --text "- Checking Sendmail status" --result RUNNING --color GREEN
SENDMAIL_RUNNING=1
SMTP_DAEMON="sendmail"
else
logtext "Result: no running Sendmail processes found"
Display --indent 2 --text "- Checking Sendmail status..." --result "NOT FOUND" --color WHITE
Display --indent 2 --text "- Checking Sendmail status" --result "NOT FOUND" --color WHITE
fi
fi
#
@ -228,12 +228,12 @@
FIND=`${PSBINARY} ax | grep "/smtpd" | grep -v "grep"`
if [ ! "${FIND}" = "" ]; then
logtext "Result: found running smtpd process"
Display --indent 2 --text "- Checking OpenBSD smtpd status..." --result RUNNING --color GREEN
Display --indent 2 --text "- Checking OpenBSD smtpd status" --result RUNNING --color GREEN
SMTPD_RUNNING=1
SMTP_DAEMON="smtpd"
else
logtext "Result: smtpd not found"
Display --indent 2 --text "- Checking OpenBSD smtpd status..." --result "NOT FOUND" --color WHITE
Display --indent 2 --text "- Checking OpenBSD smtpd status" --result "NOT FOUND" --color WHITE
fi
fi
#
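Review bot: In the MAIL-8816 hunk the prerequisite checks `${POSTFIXBINARY}` but the test body runs `${POSTCONFBINARY}`. If postconf was not located, the command substitution would yield nothing and POSTFIX_CONFIGFILE would become `/main.cf`, after the display line has already reported FOUND. The guard would match the body as `if [ ${POSTFIX_RUNNING} -eq 1 -a ! "${POSTCONFBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi`, assuming both variables are filled by a binary scan elsewhere in the project. The test body continues past the end of the hunk.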


@ -33,12 +33,12 @@
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: checking presence chkrootkit"
if [ ! "${CHKROOTKITBINARY}" = "" ]; then
Display --indent 2 --text "- Checking chkrootkit..." --result "FOUND" --color GREEN
Display --indent 2 --text "- Checking chkrootkit" --result "FOUND" --color GREEN
logtext "Result: Found ${CHKROOTKITBINARY}"
MALWARE_SCANNER_INSTALLED=1
AddHP 2 2
else
Display --indent 2 --text "- Checking chkrootkit..." --result "NOT FOUND" --color WHITE
Display --indent 2 --text "- Checking chkrootkit" --result "NOT FOUND" --color WHITE
logtext "Result: chkrootkit not found"
fi
fi
@ -51,12 +51,12 @@
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: checking presence Rootkit Hunter"
if [ ! "${RKHUNTERBINARY}" = "" ]; then
Display --indent 2 --text "- Checking Rootkit Hunter..." --result "FOUND" --color GREEN
Display --indent 2 --text "- Checking Rootkit Hunter" --result "FOUND" --color GREEN
logtext "Result: Found ${RKHUNTERBINARY}"
MALWARE_SCANNER_INSTALLED=1
AddHP 2 2
else
Display --indent 2 --text "- Checking Rootkit Hunter..." --result "NOT FOUND" --color WHITE
Display --indent 2 --text "- Checking Rootkit Hunter" --result "NOT FOUND" --color WHITE
logtext "Result: Rootkit Hunter not found"
fi
fi
@ -101,12 +101,12 @@
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: checking presence clamscan"
if [ ! "${CLAMSCANBINARY}" = "" ]; then
Display --indent 2 --text "- Checking ClamAV scanner..." --result "FOUND" --color GREEN
Display --indent 2 --text "- Checking ClamAV scanner" --result "FOUND" --color GREEN
logtext "Result: Found ${CLAMSCANBINARY}"
MALWARE_SCANNER_INSTALLED=1
AddHP 2 2
else
Display --indent 2 --text "- Checking ClamAV scanner..." --result "NOT FOUND" --color WHITE
Display --indent 2 --text "- Checking ClamAV scanner" --result "NOT FOUND" --color WHITE
logtext "Result: clamscan couldn't be found"
fi
fi
@ -121,12 +121,12 @@
logtext "Test: checking running ClamAV daemon (clamd)"
FIND=`${PSBINARY} ax | grep "/clamd" | grep -v "grep"`
if [ ! "${FIND}" = "" ]; then
Display --indent 2 --text "- Checking ClamAV daemon..." --result "FOUND" --color GREEN
Display --indent 2 --text "- Checking ClamAV daemon" --result "FOUND" --color GREEN
logtext "Result: found running clamd process"
MALWARE_SCANNER_INSTALLED=1
CLAMD_RUNNING=1
else
Display --indent 2 --text "- Checking ClamAV daemon..." --result "NOT FOUND" --color WHITE
Display --indent 2 --text "- Checking ClamAV daemon" --result "NOT FOUND" --color WHITE
logtext "Result: clamd not running"
fi
fi
@ -141,11 +141,11 @@
logtext "Test: checking running freshclam daemon"
FIND=`${PSBINARY} ax | grep "/freshclam" | grep -v "grep"`
if [ ! "${FIND}" = "" ]; then
Display --indent 4 --text "- Checking freshclam..." --result "FOUND" --color GREEN
Display --indent 4 --text "- Checking freshclam" --result "FOUND" --color GREEN
logtext "Result: found running freshclam process"
AddHP 2 2
else
Display --indent 4 --text "- Checking freshclam..." --result "SUGGESTION" --color YELLOW
Display --indent 4 --text "- Checking freshclam" --result "SUGGESTION" --color YELLOW
logtext "Result: freshclam is not running"
ReportSuggestion ${TEST_NO} "Confirm that freshclam is properly configured and keeps updating the ClamAV database"
fi
@ -153,17 +153,23 @@
#
#################################################################################
#
# Test : MALW-3288
# Description : Check for LMD
#
#################################################################################
#
# Test : MALW-3292
# Description : Check if at least one malware scanner is installed
# Register --test-no MALW-3292 --weight L --network NO --description "Check for at least one malware scanner"
# if [ ${SKIPTEST} -eq 0 ]; then
# if [ ${MALWARE_SCANNER_INSTALLED} -eq 1 ]; then
# logtext "Result: At least one malware scanner is installed"
# Display --indent 2 --text "- Checking presence malware scanner..." --result "FOUND" --color GREEN
# Display --indent 2 --text "- Checking presence malware scanner" --result "FOUND" --color GREEN
# #AddHP 3 3
# else
# logtext "Result: No malware scanners found"
# Display --indent 2 --text "- Checking presence malware scanner..." --result "NOT FOUND" --color YELLOW
# Display --indent 2 --text "- Checking presence malware scanner" --result "NOT FOUND" --color YELLOW
# ReportSuggestion ${TEST_NO} "Install at least one malware scanner to perform periodic integrity tests on the system"
# #AddHP 0 3
# fi
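Review bot: The MALW-3288 header in the last hunk has a description but no Register call or test body, so the file does not say whether the check is planned or was dropped. A status line in the header would make that explicit, for example `# Status : not implemented yet`. Spelling out the abbreviation, presumably `# Description : Check for LMD (Linux Malware Detect)`, would also help readers who do not know the tool. The commented-out MALW-3292 block below it runs past the end of the hunk.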


@ -28,7 +28,7 @@
if [ ${SKIPTEST} -eq 0 ]; then
if [ -f /proc/meminfo ]; then
logtext "Result: found /proc/meminfo"
Display --indent 2 --text "- Checking /proc/meminfo... " --result FOUND --color GREEN
Display --indent 2 --text "- Checking /proc/meminfo" --result FOUND --color GREEN
FIND=`cat /proc/meminfo | grep "^MemTotal" | tr -s ' ' | awk '{ print $2" "$3 }'`
MEMORY_SIZE=`echo ${FIND} | awk '{ print $1 }'`
MEMORY_UNITS=`echo ${FIND} | awk '{ print $2 }'`
@ -48,14 +48,14 @@
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Searching /usr/sbin/prtconf"
if [ -x /usr/sbin/prtconf ]; then
Display --indent 2 --text "- Querying prtconf for installed memory..." --result DONE --color GREEN
Display --indent 2 --text "- Querying prtconf for installed memory" --result DONE --color GREEN
MEMORY_SIZE=`/usr/sbin/prtconf | grep "^Memory size:" | cut -d ' ' -f3`
MEMORY_UNITS=`/usr/sbin/prtconf | grep "^Memory size:" | cut -d ' ' -f4`
logtext "Result: Found ${MEMORY_SIZE} ${MEMORY_UNITS} memory"
report "memory_size=${MEMORY_SIZE}"
report "memory_units=${MEMORY_UNITS}"
else
Display --indent 2 --text "- Querying prtconf for installed memory..." --result SKIPPED --color WHITE
Display --indent 2 --text "- Querying prtconf for installed memory" --result SKIPPED --color WHITE
logtext "Result: /usr/sbin/prtconf not found"
fi
fi
@ -75,11 +75,11 @@
fi
if [ "${FIND}" = "" ]; then
logtext "Result: no zombie processes found"
Display --indent 2 --text "- Searching for dead/zombie processes..." --result OK --color GREEN
Display --indent 2 --text "- Searching for dead/zombie processes" --result OK --color GREEN
else
logtext "Result: found one or more dead or zombie processes"
logtext "Output: PIDs ${FIND}"
Display --indent 2 --text "- Searching for dead/zombie processes..." --result WARNING --color RED
Display --indent 2 --text "- Searching for dead/zombie processes" --result WARNING --color RED
ReportSuggestion ${TEST_NO} "Check the output of ps for dead or zombie processes"
fi
fi
@ -99,12 +99,12 @@
fi
if [ "${FIND}" = "" ]; then
logtext "Result: No processes were waiting for IO requests to be handled first"
Display --indent 2 --text "- Searching for IO waiting processes..." --result OK --color GREEN
Display --indent 2 --text "- Searching for IO waiting processes" --result OK --color GREEN
else
logtext "Result: found one or more processes which were waiting to get IO requests handled first"
logtext "More info: processes which show up with the status flag 'D' are often stuck, until a disk IO event finished. This can happen for example with network storage, where the connection or protocol settings are not logtext well configured."
logtext "Output: PIDs ${FIND}"
Display --indent 2 --text "- Searching for IO waiting processes..." --result WARNING --color RED
Display --indent 2 --text "- Searching for IO waiting processes" --result WARNING --color RED
ReportSuggestion ${TEST_NO} "Check process listing for processes waiting for IO requests"
fi
fi
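Review bot: The "More info" log message in the last hunk contains a stray word, `are not logtext well configured`, which looks like residue from a search-and-replace. The end of that string should read `where the connection or protocol settings are not well configured.` The test starts above the hunk, so where FIND is populated is not visible here.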


@ -44,12 +44,12 @@
FIND=`cat /etc/resolv.conf | grep "^domain" | awk '{ print $2 }'`
if [ "${FIND}" = "" ]; then
logtext "Result: no default domain found"
Display --indent 2 --text "- Checking default DNS search domain..." --result NONE --color WHITE
Display --indent 2 --text "- Checking default DNS search domain" --result NONE --color WHITE
else
logtext "Result: found default domain"
logtext "Output: ${FIND}"
report "resolv_conf_domain=${FIND}"
Display --indent 2 --text "- Checking default DNS search domain..." --result FOUND --color GREEN
Display --indent 2 --text "- Checking default DNS search domain" --result FOUND --color GREEN
RESOLV_DOMAINNAME="${FIND}"
fi
fi
@ -78,23 +78,23 @@
# Warn if we have more than 6 search domains, which is maximum in most resolvers
if [ ${N} -gt 6 ]; then
logtext "Result: Found ${N} search domains"
Display --indent 2 --text "- Checking search domains..." --result WARNING --color YELLOW
Display --indent 2 --text "- Checking search domains" --result WARNING --color YELLOW
ReportWarning ${TEST_NO} "L" "Found more than 6 search domains, which is usually more than the maximum allowed number in most resolvers"
else
logtext "Result: Found ${N} search domains"
Display --indent 2 --text "- Checking search domains..." --result FOUND --color GREEN
Display --indent 2 --text "- Checking search domains" --result FOUND --color GREEN
fi
fi
else
logtext "Result: /etc/resolv.conf does not exist, skipping test"
Display --indent 2 --text "- Checking search domains..." --result "NOT FOUND" --color YELLOW
Display --indent 2 --text "- Checking search domains" --result "NOT FOUND" --color YELLOW
fi
# Check amount of search domains (max 1)
FIND=`cat /etc/resolv.conf | grep "^search" | wc -l | tr -s ' ' | tr -d ' '`
if [ ! "${FIND}" = "0" -a ! "${FIND}" = "1" ]; then
logtext "Result: found ${FIND} line(s) with a search statement (expecting less than 2 lines)"
Display --indent 4 --text "- Checking search domains lines..." --result "CONFIG ERROR" --color YELLOW
Display --indent 4 --text "- Checking search domains lines" --result "CONFIG ERROR" --color YELLOW
ReportWarning ${TEST_NO} "L" "Found more than 1 search lines in /etc/resolv.conf, which is probably a misconfiguration"
else
logtext "Result: found ${FIND} line(s) with a search statement (expecting less than 2 lines)"
@ -113,7 +113,7 @@
FIND=`grep "^options" /etc/resolv.conf | awk '{ print $2 }'`
if [ "${FIND}" = "" ]; then
logtext "Result: no specific other options configured in /etc/resolv.conf"
Display --indent 2 --text "- Checking /etc/resolv.conf options..." --result "NONE" --color WHITE
Display --indent 2 --text "- Checking /etc/resolv.conf options" --result "NONE" --color WHITE
else
for I in ${FIND}; do
logtext "Found option: ${I}"
@ -121,11 +121,11 @@
#rotate --> add performance tune point
#timeout <3 --> add performe tune point
done
Display --indent 2 --text "- Checking /etc/resolv.conf options..." --result "FOUND" --color GREEN
Display --indent 2 --text "- Checking /etc/resolv.conf options" --result "FOUND" --color GREEN
fi
else
logtext "Result: /etc/resolv.conf not found, test skipped"
Display --indent 2 --text "- Checking /etc/resolv.conf options..." --result "NOT FOUND" --color YELLOW
Display --indent 2 --text "- Checking /etc/resolv.conf options" --result "NOT FOUND" --color YELLOW
fi
fi
#
@ -137,7 +137,7 @@
if [ ${SKIPTEST} -eq 0 ]; then
FIND=`uname -n`
logtext "Result: 'uname -n' returned ${FIND}"
Display --indent 2 --text "- Checking uname -n output..." --result DONE --color GREEN
Display --indent 2 --text "- Checking uname -n output" --result DONE --color GREEN
fi
#
#################################################################################
@ -152,10 +152,10 @@
logtext "Result: file /etc/nodename exists"
FIND=`cat /etc/nodename`
logtext "Output: ${FIND}"
Display --indent 2 --text "- Checking /etc/nodename..." --result "DONE" --color GREEN
Display --indent 2 --text "- Checking /etc/nodename" --result "DONE" --color GREEN
else
logtext "Result: file /etc/nodename could not be found"
Display --indent 2 --text "- Checking /etc/nodename..." --result "NONE FOUND" --color YELLOW
Display --indent 2 --text "- Checking /etc/nodename" --result "NONE FOUND" --color YELLOW
fi
fi
#
@ -210,10 +210,10 @@
if [ ! "${DOMAINNAME}" = "" ]; then
logtext "Result: found domain name"
report "domainname=${DOMAINNAME}"
Display --indent 2 --text "- Searching DNS domain name..." --result "FOUND" --color GREEN
Display --indent 2 --text "- Searching DNS domain name" --result "FOUND" --color GREEN
Display --indent 6 --text "Domain name: ${DOMAINNAME}"
else
Display --indent 2 --text "- Searching DNS domain name..." --result "UNKNOWN" --color YELLOW
Display --indent 2 --text "- Searching DNS domain name" --result "UNKNOWN" --color YELLOW
ReportSuggestion ${TEST_NO} "Check DNS configuration for the dns domain name"
fi
fi
@ -228,10 +228,10 @@
FIND=`${PSBINARY} ax | grep "nscd" | grep -v "grep"`
if [ ! "${FIND}" = "" ]; then
logtext "Result: nscd is running"
Display --indent 2 --text "- Checking nscd status..." --result RUNNING --color GREEN
Display --indent 2 --text "- Checking nscd status" --result RUNNING --color GREEN
else
logtext "Result: nscd is not running"
Display --indent 2 --text "- Checking nscd status..." --result "NOT FOUND" --color WHITE
Display --indent 2 --text "- Checking nscd status" --result "NOT FOUND" --color WHITE
#YYY show performance suggestion if LDAP is used
fi
fi
@ -246,11 +246,11 @@
FIND=`${PSBINARY} ax | grep "/named" | grep -v "grep"`
if [ ! "${FIND}" = "" ]; then
logtext "Result: found BIND process"
Display --indent 2 --text "- Checking BIND status..." --result "FOUND" --color GREEN
Display --indent 2 --text "- Checking BIND status" --result "FOUND" --color GREEN
BIND_RUNNING=1
else
logtext "Result: BIND not running"
Display --indent 2 --text "- Checking BIND status..." --result "NOT FOUND" --color WHITE
Display --indent 2 --text "- Checking BIND status" --result "NOT FOUND" --color WHITE
fi
fi
#
@ -270,9 +270,9 @@
fi
done
if [ ! "${BIND_CONFIG_LOCATION}" = "" ]; then
Display --indent 4 --text "- Checking BIND configuration file..." --result "FOUND" --color GREEN
Display --indent 4 --text "- Checking BIND configuration file" --result "FOUND" --color GREEN
else
Display --indent 4 --text "- Checking BIND configuration file..." --result "NOT FOUND" --color YELLOW
Display --indent 4 --text "- Checking BIND configuration file" --result "NOT FOUND" --color YELLOW
fi
fi
#
@ -289,10 +289,10 @@
FIND=`${NAMEDCHECKCONFBINARY} ${BIND_CONFIG_LOCATION}; echo $?`
if [ "${FIND}" = "0" ]; then
logtext "Result: configuration file ${BIND_CONFIG_LOCATION} seems to be fine"
Display --indent 4 --text "- Checking BIND configuration consistency..." --result "OK" --color GREEN
Display --indent 4 --text "- Checking BIND configuration consistency" --result "OK" --color GREEN
else
logtext "Result: possible errors found in ${BIND_CONFIG_LOCATION}"
Display --indent 4 --text "- Checking BIND configuration consistency..." --result WARNING --color RED
Display --indent 4 --text "- Checking BIND configuration consistency" --result WARNING --color RED
ReportWarning ${TEST_NO} "Errors discovered in BIND configuration file"
fi
else
@ -318,11 +318,11 @@
FIND=`${DIGBINARY} @localhost version.bind chaos txt | grep "^version.bind" | grep TXT | egrep "[0-9].[0-9].[0-9]*"`
if [ "${FIND}" = "" ]; then
logtext "Result: no useful information in banner found"
Display --indent 4 --text "- Checking BIND version in banner ..." --result "OK" --color GREEN
Display --indent 4 --text "- Checking BIND version in banner" --result "OK" --color GREEN
AddHP 2 2
else
logtext "Result: possible BIND version available in version banner"
Display --indent 4 --text "- Checking BIND version in banner..." --result WARNING --color RED
Display --indent 4 --text "- Checking BIND version in banner" --result WARNING --color RED
ReportWarning ${TEST_NO} "M" "Found BIND version in banner"
ReportSuggestion ${TEST_NO} "The version in BIND can be masked by defining 'version none' in the configuration file"
AddHP 0 2
@ -360,11 +360,11 @@
FIND=`${PSBINARY} ax | grep "/pdns_server" | grep -v "grep"`
if [ ! "${FIND}" = "" ]; then
logtext "Result: found PowerDNS process"
Display --indent 2 --text "- Checking PowerDNS status..." --result "RUNNING" --color GREEN
Display --indent 2 --text "- Checking PowerDNS status" --result "RUNNING" --color GREEN
POWERDNS_RUNNING=1
else
logtext "Result: PowerDNS not running"
Display --indent 2 --text "- Checking PowerDNS status..." --result "NOT FOUND" --color WHITE
Display --indent 2 --text "- Checking PowerDNS status" --result "NOT FOUND" --color WHITE
fi
fi
#
@ -384,9 +384,9 @@
fi
done
if [ ! "${POWERDNS_AUTH_CONFIG_LOCATION}" = "" ]; then
Display --indent 4 --text "- Checking PowerDNS configuration file..." --result "FOUND" --color GREEN
Display --indent 4 --text "- Checking PowerDNS configuration file" --result "FOUND" --color GREEN
else
Display --indent 4 --text "- Checking PowerDNS configuration file..." --result "NOT FOUND" --color YELLOW
Display --indent 4 --text "- Checking PowerDNS configuration file" --result "NOT FOUND" --color YELLOW
fi
fi
#
@ -412,10 +412,10 @@
for I in ${FIND}; do
logtext "Found backend: ${I}"
done
Display --indent 4 --text "- Checking PowerDNS backends..." --result "FOUND" --color GREEN
Display --indent 4 --text "- Checking PowerDNS backends" --result "FOUND" --color GREEN
else
logtext "Result: no PowerDNS backends found"
Display --indent 4 --text "- Checking PowerDNS backends..." --result "NOT FOUND" --color YELLOW
Display --indent 4 --text "- Checking PowerDNS backends" --result "NOT FOUND" --color YELLOW
fi
fi
#
@ -458,12 +458,12 @@
FIND=`${PSBINARY} ax | grep "ypbind" | grep -v "grep"`
if [ ! "${FIND}" = "" ]; then
logtext "Result: ypbind is running"
Display --indent 2 --text "- Checking ypbind status..." --result "FOUND" --color GREEN
Display --indent 2 --text "- Checking ypbind status" --result "FOUND" --color GREEN
YPBIND_RUNNING=1
ReportSuggestion "Disable the usage of NIS/NIS+ and use an alternative like LDAP or Kerberos instead"
else
logtext "Result: ypbind is not active"
Display --indent 2 --text "- Checking ypbind status..." --result "NOT FOUND" --color WHITE
Display --indent 2 --text "- Checking ypbind status" --result "NOT FOUND" --color WHITE
fi
fi
#
@ -522,10 +522,10 @@
if [ ! "${NISDOMAIN}" = "" ]; then
logtext "Found NIS domain: ${NISDOMAIN}"
report "nisdomain=${NISDOMAIN}"
Display --indent 4 --text "- Checking NIS domain..." --result "FOUND" --color GREEN
Display --indent 4 --text "- Checking NIS domain" --result "FOUND" --color GREEN
else
logtext "Result: No NIS domain found"
Display --indent 4 --text "- Checking NIS domain..." --result "UNKNOWN" --color YELLOW
Display --indent 4 --text "- Checking NIS domain" --result "UNKNOWN" --color YELLOW
fi
fi
#
@ -553,7 +553,7 @@
fi
else
logtext "Result: /etc/hosts not found, test skipped"
Display --indent 4 --text "Searching duplicate line..." --result "SKIPPED" --color YELLOW
Display --indent 4 --text "Searching duplicate line" --result "SKIPPED" --color YELLOW
fi
fi
#
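Review bot: Two report calls in this file omit a positional argument that the other calls on the page pass. `ReportWarning ${TEST_NO} "Errors discovered in BIND configuration file"` in the named-checkconf hunk has no severity, and `ReportSuggestion "Disable the usage of NIS/NIS+ ..."` in the ypbind hunk has no test id, so the message text is likely taken as the severity or the id (both functions are defined outside this page). Suggested lines: `ReportWarning ${TEST_NO} "M" "Errors discovered in BIND configuration file"` and `ReportSuggestion ${TEST_NO} "Disable the usage of NIS/NIS+ and use an alternative like LDAP or Kerberos instead"`. The severity letter is a guess to confirm against the project's conventions.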


@ -33,13 +33,13 @@
# Description : Basic nameserver configuration tests (connectivity)
Register --test-no NETW-2704 --weight L --network YES --description "Basic nameserver configuration tests"
if [ ${SKIPTEST} -eq 0 ]; then
Display --indent 2 --text "- Checking configured nameservers..."
Display --indent 2 --text "- Checking configured nameservers"
logtext "Test: Checking /etc/resolv.conf file"
if [ -f /etc/resolv.conf ]; then
logtext "Result: Found /etc/resolv.conf file"
FIND=`grep '^nameserver' /etc/resolv.conf | tr -d '\t' | sed 's/nameserver*//g'`
if [ ! "${FIND}" = "" ]; then
Display --indent 4 --text "- Testing nameservers..."
Display --indent 4 --text "- Testing nameservers"
logtext "Test: Querying nameservers"
for I in ${FIND}; do
logtext "Found nameserver: ${I}"
@ -53,12 +53,12 @@
# 0=good, other=bad
DNSRESPONSE=`${DIGBINARY} +noall +time=3 +retry=0 @${I} ${I} > /dev/null ; echo $?`
if [ "${DNSRESPONSE}" = "0" ]; then
Display --indent 8 --text "Nameserver: ${I}..." --result OK --color GREEN
Display --indent 8 --text "Nameserver: ${I}" --result OK --color GREEN
logtext "Nameserver ${I} seems to respond to queries from this host."
# Count responsive nameservers
NUMBERACTIVENS=`expr ${NUMBERACTIVENS} + 1`
else
Display --indent 8 --text "Nameserver: ${I}..." --result "NO RESPONSE" --color RED
Display --indent 8 --text "Nameserver: ${I}" --result "NO RESPONSE" --color RED
logtext "Result: nameserver ${I} does NOT respond"
logtext "Exit-code from dig: ${DNSRESPONSE}"
ReportSuggestion ${TEST_NO} "Check connection to this nameserver and make sure no outbound DNS queries are blocked (port 53 UDP and TCP)."
@ -66,7 +66,7 @@
fi
else
logtext "Result: Nameserver test for ${I} skipped, 'dig' not installed"
Display --indent 6 --text "Nameserver: ${I}... " --result SKIPPED --color YELLOW
Display --indent 6 --text "Nameserver: ${I}" --result SKIPPED --color YELLOW
fi
done
fi
@ -82,19 +82,19 @@
if [ ${SKIPTEST} -eq 0 ]; then
if [ ! "${DIGBINARY}" = "" ]; then
if [ ${NUMBERACTIVENS} -lt 2 ]; then
Display --indent 4 --text "- Minimal of 2 responsive nameservers..." --result WARNING --color RED
Display --indent 4 --text "- Minimal of 2 responsive nameservers" --result WARNING --color RED
logtext "Result: less than 2 responsive nameservers found"
ReportWarning ${TEST_NO} "L" "Couldn't find 2 responsive nameservers"
logtext "Note: Non responsive nameservers can give problems for your system(s). Like the lack of recursive lookups, bad connectivity to update servers etc."
ReportSuggestion ${TEST_NO} "Check your resolv.conf file and fill in a backup nameserver if possible"
AddHP 1 2
else
Display --indent 4 --text "- Minimal of 2 responsive nameservers..." --result OK --color GREEN
Display --indent 4 --text "- Minimal of 2 responsive nameservers" --result OK --color GREEN
logtext "Result: found at least 2 responsive nameservers"
AddHP 3 3
fi
else
Display --indent 4 --text "- Minimal of 2 responsive nameservers..." --result SKIPPED --color YELLOW
Display --indent 4 --text "- Minimal of 2 responsive nameservers" --result SKIPPED --color YELLOW
logtext "Result: dig not installed, test can't be fully performed"
fi
else
@ -109,17 +109,17 @@
if [ ! "${NETSTATBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no NETW-3001 --preqs-met ${PREQS_MET} --weight L --network NO --description "Find default gateway (route)"
if [ $SKIPTEST -eq 0 ]; then
logtext "Test: Searching default gateway(s)..."
logtext "Test: Searching default gateway(s)"
FIND=`${NETSTATBINARY} -rn | egrep "^0.0.0.0|default" | tr -s ' ' | cut -d ' ' -f2`
if [ ! "${FIND}" = "" ]; then
for I in ${FIND}; do
logtext "Result: Found default gateway ${I}"
report "default_gateway[]=${I}"
done
Display --indent 2 --text "- Checking default gateway..." --result DONE --color GREEN
Display --indent 2 --text "- Checking default gateway" --result DONE --color GREEN
else
logtext "Result: No default gateway found"
Display --indent 2 --text "- Checking default gateway..." --result "NONE FOUND" --color WHITE
Display --indent 2 --text "- Checking default gateway" --result "NONE FOUND" --color WHITE
fi
fi
#
@ -279,7 +279,7 @@
esac
# Retrieve information from sockstat, when available
logtext "Test: Retrieving sockstat information to find listening ports..."
logtext "Test: Retrieving sockstat information to find listening ports"
if [ ! "${FIND}" = "" ]; then
for I in ${FIND}; do
N=`expr ${N} + 1`
@ -296,9 +296,9 @@
done
fi
if [ "${FIND}" = "" -a "${FIND2}" = "" ]; then
Display --indent 2 --text "- Getting listening ports (TCP/UDP)..." --result SKIPPED --color YELLOW
Display --indent 2 --text "- Getting listening ports (TCP/UDP)" --result SKIPPED --color YELLOW
else
Display --indent 2 --text "- Getting listening ports (TCP/UDP)..." --result DONE --color GREEN
Display --indent 2 --text "- Getting listening ports (TCP/UDP)" --result DONE --color GREEN
Display --indent 6 --text "* Found ${N} ports"
fi
fi
@ -311,7 +311,7 @@
if [ "${OS}" = "DragonFly" -o "${OS}" = "FreeBSD" -o "${OS}" = "NetBSD" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no NETW-3014 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking promiscuous interfaces (BSD)"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Checking promiscuous interfaces (FreeBSD)..."
logtext "Test: Checking promiscuous interfaces (FreeBSD)"
FIND=`${IFCONFIGBINARY} | grep PROMISC | cut -d ':' -f1`
if [ ! "${FIND}" = "" ]; then
logtext "Result: Promiscuous interfaces: ${FIND}"
@ -329,10 +329,10 @@
# Show result
if [ ${FOUNDPROMISC} -eq 0 ]; then
Display --indent 2 --text "- Checking promiscuous interfaces..." --result OK --color GREEN
Display --indent 2 --text "- Checking promiscuous interfaces" --result OK --color GREEN
logtext "Result: No promiscuous interfaces found"
else
Display --indent 2 --text "- Checking promiscuous interfaces..." --result WARNING --color RED
Display --indent 2 --text "- Checking promiscuous interfaces" --result WARNING --color RED
fi
fi
#
@ -364,10 +364,10 @@
# Show result
if [ ${FOUNDPROMISC} -eq 0 ]; then
Display --indent 2 --text "- Checking promiscuous interfaces..." --result OK --color GREEN
Display --indent 2 --text "- Checking promiscuous interfaces" --result OK --color GREEN
logtext "Result: No promiscuous interfaces found"
else
Display --indent 2 --text "- Checking promiscuous interfaces..." --result WARNING --color RED
Display --indent 2 --text "- Checking promiscuous interfaces" --result WARNING --color RED
fi
fi
#
@ -380,8 +380,8 @@
#
# Test : NETW-3024
# Description : Netstat/socktstat compare (FreeBSD)
# echo -n " - Comparing output sockstat and netstat... "
# logtext "Comparing output of sockstat and netstat... "
# echo -n " - Comparing output sockstat and netstat"
# logtext "Comparing output of sockstat and netstat"
# NETSTATOUTPUT=`netstat -an | grep -v 'TIME_WAIT' | grep -v 'ESTABLISHED' | grep -v 'SYN_SENT' | grep -v 'CLOSE_WAIT' | grep -v 'LAST_ACK' | grep -v 'SYN_RECV' | grep -v 'CLOSING' | cut -c 1-44 | grep '*.' | cut -c 24-32 | tr -d ' ' | tr -d '\t' | grep -v '*' | sort | uniq`
#
# if [ "${SOCKSTATOUTPUT}" = "${NETSTATOUTPUT}" ]; then
@ -401,15 +401,15 @@
if [ ! "${NETSTATBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no NETW-3028 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking connections in WAIT state"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Using netstat for check for connections in WAIT state..."
logtext "Test: Using netstat for check for connections in WAIT state"
FIND=`${NETSTATBINARY} -an | grep WAIT | wc -l | awk '{ print $1 }'`
if [ "${OPTIONS_CONN_MAX_WAIT_STATE}" = "" ]; then OPTIONS_CONN_MAX_WAIT_STATE="100"; fi
logtext "Result: currently ${FIND} connections are in a waiting state (max configured: ${OPTIONS_CONN_MAX_WAIT_STATE})."
if [ ${FIND} -gt ${OPTIONS_CONN_MAX_WAIT_STATE} ]; then
Display --indent 2 --text "- Checking waiting connections..." --result WARNING --color YELLOW
Display --indent 2 --text "- Checking waiting connections" --result WARNING --color YELLOW
ReportWarning ${TEST_NO} "H" "Found too much connections in WAIT state (${FIND})"
else
Display --indent 2 --text "- Checking waiting connections..." --result OK --color GREEN
Display --indent 2 --text "- Checking waiting connections" --result OK --color GREEN
logtext "Result: ${FIND} connections are in WAIT state"
fi
fi
@ -422,12 +422,12 @@
if [ ${SKIPTEST} -eq 0 ]; then
IsRunning dhclient
if [ ${RUNNING} -eq 1 ]; then
Display --indent 2 --text "- Checking status DHCP client..." --result RUNNING --color WHITE
Display --indent 2 --text "- Checking status DHCP client" --result RUNNING --color WHITE
#YYY report if system type is server, that it is running with DHCP client, might be a badly configured machine
#report "manual[]=System is running DHCP client"
DHCP_CLIENT_RUNNING=1
else
Display --indent 2 --text "- Checking status DHCP client..." --result "NOT ACTIVE" --color WHITE
Display --indent 2 --text "- Checking status DHCP client" --result "NOT ACTIVE" --color WHITE
fi
fi
#


@ -61,7 +61,7 @@
if [ "${tFILES}" = "" ]; then
logtext "Result: no files found for ${I}"
else
logtext "Result: found files in location ${I}, checking.."
logtext "Result: found files in location ${I}, checking"
for I in ${tFILES}; do
if [ -f ${I} ]; then
logtext "Result: file ${I} exists, adding to php.ini array"
@ -72,11 +72,11 @@
done
if [ ! "${PHPINIFILE}" = "" ]; then
Display --indent 2 --text "- Checking PHP..." --result "FOUND" --color GREEN
Display --indent 2 --text "- Checking PHP" --result "FOUND" --color GREEN
logtext "Result: using single file ${PHPINIFILE} for main php.ini tests"
logtext "Result: using php.ini array ${PHPINI_ALLFILES} for further tests"
else
Display --indent 2 --text "- Checking PHP..." --result "NOT FOUND" --color WHITE
Display --indent 2 --text "- Checking PHP" --result "NOT FOUND" --color WHITE
logtext "Result: no php.ini file found"
fi
fi
@ -109,13 +109,13 @@
done
if [ ${FOUND} -eq 0 ]; then
logtext "Result: all PHP functions can be executed"
Display --indent 4 --text "- Checking PHP disabled functions..." --result "NONE" --color YELLOW
Display --indent 4 --text "- Checking PHP disabled functions" --result "NONE" --color YELLOW
ReportSuggestion ${TEST_NO} "Harden PHP by disabling risky functions"
logtext "Functions of interest to research/disable: chown, diskfreespace, disk_free_space, disk_total_space, dl, exec, escapeshellarg, escapeshellcmd, fileinode, highlight_file, max_execution_time, passthru, pclose, phpinfo, popen, proc_close, proc_open, proc_get_status, proc_nice, proc_open, proc_terminate, set_time_limit, shell_exec, show_source, system)"
AddHP 0 1
else
logtext "Result: one or more PHP functions are disabled/blacklisted"
Display --indent 4 --text "- Checking PHP disabled functions..." --result "FOUND" --color GREEN
Display --indent 4 --text "- Checking PHP disabled functions" --result "FOUND" --color GREEN
AddHP 3 3
fi
fi
@ -139,16 +139,16 @@
fi
Register --test-no PHP-2368 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check PHP register_globals option"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Checking PHP register_globals option.."
logtext "Test: Checking PHP register_globals option"
FIND=`cat ${PHPINIFILE} | egrep -i 'register_globals.*(on|yes|1)' | grep -v '^;'`
if [ ! "${FIND}" = "" ]; then
Display --indent 4 --text "- Checking register_globals option..." --result WARNING --color RED
Display --indent 4 --text "- Checking register_globals option" --result WARNING --color RED
ReportWarning ${TEST_NO} "M" "PHP option register_globals option is turned on, which can be a risk for variable value overwriting"
ReportSuggestion ${TEST_NO} "Change the register_globals line to: register_globals = Off"
logtext "Result: register_globals option is turned on, which can be a risk for variable value overwriting."
AddHP 1 2
else
Display --indent 4 --text "- Checking register_globals option..." --result OK --color GREEN
Display --indent 4 --text "- Checking register_globals option" --result OK --color GREEN
logtext "Result: No 'register_globals' found. Most likely it is in disabled state (0, no, or off), which is the default nowadays and considered the safe value."
ReportManual ${TEST_NO}:01
AddHP 2 2
@ -163,16 +163,16 @@
if [ ! "${PHPINIFILE}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PHP-2372 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check PHP expose_php option"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Checking expose_php option.."
logtext "Test: Checking expose_php option"
FIND=`cat ${PHPINIFILE} | egrep -i 'expose_php.*(off|no|0)' | grep -v '^;'`
if [ "${FIND}" = "" ]; then
Display --indent 4 --text "- Checking expose_php option..." --result ON --color RED
Display --indent 4 --text "- Checking expose_php option" --result ON --color RED
ReportWarning ${TEST_NO} "M" "PHP option expose_php is possibly turned on, which can reveal useful information for attackers."
ReportSuggestion ${TEST_NO} "Change the expose_php line to: expose_php = Off"
report "Result: expose_php option is turned on, which can expose useful information for an attacker"
AddHP 1 2
else
Display --indent 4 --text "- Checking expose_php option..." --result OFF --color GREEN
Display --indent 4 --text "- Checking expose_php option" --result OFF --color GREEN
logtext "Result: Found 'expose_php' in disabled state (0, no, or off)"
AddHP 2 2
fi
@ -187,15 +187,15 @@
if [ ! "${PHPINIFILE}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PHP-2374 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check PHP enable_dl option"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Checking PHP enable_dl option.."
logtext "Test: Checking PHP enable_dl option"
FIND=`cat ${PHPINIFILE} | egrep -i 'enable_dl.*(off|no|0)' | grep -v '^;'`
if [ "${FIND}" = "" ]; then
Display --indent 4 --text "- Checking enable_dl option..." --result ON --color YELLOW
Display --indent 4 --text "- Checking enable_dl option" --result ON --color YELLOW
report "Result: enable_dl option is turned on, which can be used for riskful downloads via PHP"
ReportSuggestion ${TEST_NO} "Change the enable_dl line to: enable_dl = Off, to disable downloads via PHP"
AddHP 0 1
else
Display --indent 4 --text "- Checking enable_dl option..." --result OFF --color GREEN
Display --indent 4 --text "- Checking enable_dl option" --result OFF --color GREEN
logtext "Result: Found 'enable_dl' in disabled state (0, no, or off)"
AddHP 2 2
fi
@ -210,15 +210,15 @@
if [ ! "${PHPINIFILE}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PHP-2376 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check PHP allow_url_fopen option"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Checking PHP allow_url_fopen option.."
logtext "Test: Checking PHP allow_url_fopen option"
FIND=`cat ${PHPINIFILE} | egrep -i 'allow_url_fopen.*(off|no|0)' | grep -v '^;'`
if [ "${FIND}" = "" ]; then
Display --indent 4 --text "- Checking allow_url_fopen option..." --result ON --color YELLOW
Display --indent 4 --text "- Checking allow_url_fopen option" --result ON --color YELLOW
report "Result: allow_url_fopen option is turned on, which can be used for riskful downloads via PHP"
ReportSuggestion ${TEST_NO} "Change the allow_url_fopen line to: allow_url_fopen = Off, to disable downloads via PHP"
AddHP 0 1
else
Display --indent 4 --text "- Checking allow_url_fopen option..." --result OFF --color GREEN
Display --indent 4 --text "- Checking allow_url_fopen option" --result OFF --color GREEN
logtext "Result: Found 'allow_url_fopen' in disabled state (0, no, or off)"
AddHP 2 2
fi
@ -233,15 +233,15 @@
if [ ! "${PHPINIFILE}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PHP-2378 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check PHP allow_url_include option"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Checking PHP allow_url_include option.."
logtext "Test: Checking PHP allow_url_include option"
FIND=`cat ${PHPINIFILE} | egrep -i 'allow_url_include.*(off|no|0)' | grep -v '^;'`
if [ "${FIND}" = "" ]; then
Display --indent 4 --text "- Checking allow_url_include option..." --result ON --color YELLOW
Display --indent 4 --text "- Checking allow_url_include option" --result ON --color YELLOW
report "Result: allow_url_include option is turned on, which can be used for riskful downloads via PHP"
ReportSuggestion ${TEST_NO} "Change the allow_url_include line to: allow_url_include = Off, to disable downloads via PHP"
AddHP 0 1
else
Display --indent 4 --text "- Checking allow_url_include option..." --result OFF --color GREEN
Display --indent 4 --text "- Checking allow_url_include option" --result OFF --color GREEN
logtext "Result: Found 'allow_url_include' in disabled state (0, no, or off)"
AddHP 2 2
fi


@ -24,7 +24,7 @@
#
#################################################################################
#
Display --indent 2 --text "- Searching package managers..."
Display --indent 2 --text "- Searching package managers"
# Test : PKGS-7301
# Description : Query FreeBSD pkg
@ -33,12 +33,12 @@
if [ ${SKIPTEST} -eq 0 ]; then
FIND=`pkg -N 2>&1; echo $?`
if [ "${FIND}" = "0" ]; then
Display --indent 4 --text "- Searching packages with pkg..." --result FOUND --color GREEN
Display --indent 4 --text "- Searching packages with pkg" --result FOUND --color GREEN
report "package_manager[]=pkg"
PACKAGE_MGR_PKG=1
#logtext "Result: Found pkg"
#logtext "Test: Querying pkg to get package list..."
#Display --indent 6 --text "- Querying pkg for installed packages..."
#logtext "Test: Querying pkg to get package list"
#Display --indent 6 --text "- Querying pkg for installed packages"
#logtext "Output:"; logtext "-----"
#SPACKAGES=`/usr/sbin/pkg_info 2>&1 | sort | tr -s ' ' | cut -d ' ' -f1 | sed -e 's/^\(.*\)-\([0-9].*\)$/\1,\2/g'`
#for J in ${SPACKAGES}; do
@ -48,7 +48,7 @@
# report "installed_package[]=${sPKG_NAME}|${sPKG_VERSION}|"
#done
else
Display --indent 4 --text "- Searching pkg..." --result "NOT INSTALLED" --color YELLOW
Display --indent 4 --text "- Searching pkg" --result "NOT INSTALLED" --color YELLOW
fi
fi
#
@ -60,11 +60,11 @@
Register --test-no PKGS-7302 --preqs-met ${PREQS_MET} --weight L --network NO --description "Query FreeBSD/NetBSD pkg_info"
if [ ${SKIPTEST} -eq 0 ]; then
N=0
Display --indent 4 --text "- Checking pkg_info..." --result FOUND --color GREEN
Display --indent 4 --text "- Checking pkg_info" --result FOUND --color GREEN
logtext "Result: Found pkg_info"
report "package_manager[]=pkg_info"
logtext "Test: Querying pkg_info to get package list..."
Display --indent 6 --text "- Querying pkg_info for installed packages..."
logtext "Test: Querying pkg_info to get package list"
Display --indent 6 --text "- Querying pkg_info for installed packages"
logtext "Output:"; logtext "-----"
SPACKAGES=`/usr/sbin/pkg_info 2>&1 | sort | tr -s ' ' | cut -d ' ' -f1 | sed -e 's/^\(.*\)-\([0-9].*\)$/\1,\2/g'`
for J in ${SPACKAGES}; do
@ -88,10 +88,10 @@
# if [ ${SKIPTEST} -eq 0 ]; then
# SDOUBLEINSTALLED=`pkg_info | sort | sed -e 's/-[0-9].*$//' | uniq -c | grep -v '^[[:space:]]*1' | tr -s ' ' | cut -d ' ' -f3`
# if [ "${SDOUBLEINSTALLED}" = "" ]; then
# Display --indent 6 --text "- Querying pkg_info for double installed packages..." --result OK --color GREEN
# Display --indent 6 --text "- Querying pkg_info for double installed packages" --result OK --color GREEN
# logtext "Ok, no packages show up twice or more in the package listing."
# else
# Display --indent 6 --text "- Querying pkg_info for double installed packages..." --result WARNING --color RED
# Display --indent 6 --text "- Querying pkg_info for double installed packages" --result WARNING --color RED
# for J in ${SDOUBLEINSTALLED}; do
# ReportWarning ${TEST_NO} "M" "Found probably incorrect installed package (${J})"
# logtext "This package ${J} is visible twice or more in the pkg_info listing."
@ -102,7 +102,7 @@
# done
# fi
# else
# Display --indent 4 --text "- Searching pkg_info..." --result "NOT FOUND" --color WHITE
# Display --indent 4 --text "- Searching pkg_info" --result "NOT FOUND" --color WHITE
# logtext "Result: pkg_info can NOT be found on this system"
# fi
#
@ -113,11 +113,11 @@
if [ -x /usr/bin/pkginfo ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PKGS-7306 --os Solaris --preqs-met ${PREQS_MET} --weight L --network NO --description "Querying Solaris packages"
if [ ${SKIPTEST} -eq 0 ]; then
Display --indent 4 --text "- Searching pkginfo..." --result FOUND --color GREEN
Display --indent 4 --text "- Searching pkginfo" --result FOUND --color GREEN
logtext "Result: Found Solaris pkginfo"
report "package_manager[]=pkginfo"
logtext "Test: Querying pkginfo to get package list"
Display --indent 4 --text "- Querying pkginfo for installed packages..."
Display --indent 4 --text "- Querying pkginfo for installed packages"
logtext "Output:"; logtext "-----"
# Strip SUNW from strings
SPACKAGES=`/usr/bin/pkginfo -i | tr -s ' ' | cut -d ' ' -f2 | sed "s#^SUNW##"`
@ -138,11 +138,11 @@
Register --test-no PKGS-7308 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking package list with RPM"
if [ ${SKIPTEST} -eq 0 ]; then
N=0
Display --indent 4 --text "- Searching RPM package manager..." --result FOUND --color GREEN
Display --indent 4 --text "- Searching RPM package manager" --result FOUND --color GREEN
logtext "Result: Found rpm binary (${RPMBINARY})"
report "package_manager[]=rpm"
logtext "Test: Querying 'rpm -qa' to get package list"
Display --indent 6 --text "- Querying RPM package manager..."
Display --indent 6 --text "- Querying RPM package manager"
logtext "Output:"; logtext "--------"
SPACKAGES=`${RPMBINARY} -qa | sort`
if [ "${SPACKAGES}" = "" ]; then
@ -169,11 +169,11 @@
Register --test-no PKGS-7310 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking package list with pacman"
if [ ${SKIPTEST} -eq 0 ]; then
N=0
Display --indent 4 --text "- Searching pacman package manager..." --result FOUND --color GREEN
Display --indent 4 --text "- Searching pacman package manager" --result FOUND --color GREEN
logtext "Result: Found pacman binary (${PACMANBINARY})"
report "package_manager[]=pacman"
logtext "Test: Querying 'pacman -Q' to get package list"
Display --indent 6 --text "- Querying pacman package manager..."
Display --indent 6 --text "- Querying pacman package manager"
logtext "Output:"; logtext "--------"
SPACKAGES=`${PACMANBINARY} -Q | sort | sed 's/ /,/g'`
if [ "${SPACKAGES}" = "" ]; then
@ -266,7 +266,7 @@
logtext "Result: Found dpkg binary"
report "package_manager[]=dpkg"
logtext "Test: Querying dpkg -l to get package list"
Display --indent 6 --text "- Querying package manager..."
Display --indent 6 --text "- Querying package manager"
logtext "Output:"
SPACKAGES=`dpkg -l 2>/dev/null | grep "^ii" | tr -s ' ' | tr ' ' '#' | sort`
for J in ${SPACKAGES}; do
@ -403,7 +403,7 @@
# Don't check yet, output of found vulnerable packages unclear (YYY)
else
logtext "Result: ${FIND}"
#Display --indent 2 --text "- Checking pkg audit to obtain vulnerable packages..." --result WARNING --color RED
#Display --indent 2 --text "- Checking pkg audit to obtain vulnerable packages" --result WARNING --color RED
#logtext "Result: pkg audit found one or more installed packages which are vulnerable."
#ReportWarning ${TEST_NO} "M" "Found one or more vulnerable packages."
#ReportSuggestion ${TEST_NO} "Update your system with portupgrade or other tools"
@ -593,7 +593,7 @@
# Test : PKGS-7388
# Description : Check security repository in Debian/ubuntu apt sources.list file
if [ -f /etc/apt/sources.list -a -d /etc/apt/sources.list.d ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PKGS-7388 --os preqs-met ${PREQS_MET} --weight L --network NO --description "Check security repository in Debian/ubuntu apt sources.list file"
Register --test-no PKGS-7388 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check security repository in Debian/ubuntu apt sources.list file"
if [ $SKIPTEST -eq 0 ]; then
FOUND=0
if [ ! "${OPTION_DEBIAN_SKIP_SECURITY_REPOSITORY}" = "yes" ]; then
@ -646,11 +646,11 @@
logtext "Test: Package database consistency by running apt-get check"
FIND=`/usr/bin/apt-get -q=2 check 2> /dev/null; echo $?`
if [ "${FIND}" = "0" ]; then
Display --indent 2 --text "- Checking APT package database..." --result OK --color GREEN
Display --indent 2 --text "- Checking APT package database" --result OK --color GREEN
logtext "Result: package database seems to be consistent."
else
logtext "Result: package database is most likely NOT consistent"
Display --indent 2 --text "- Checking APT package database..." --result WARNING --color RED
Display --indent 2 --text "- Checking APT package database" --result WARNING --color RED
ReportWarning ${TEST_NO} "M" "apt-get check returned a non successful exit code."
ReportSuggestion ${TEST_NO} "Run apt-get to perform a manual package database consistency check."
fi
@ -701,7 +701,7 @@
# Show packages which would be upgraded and match 'security' in repository name
FIND=`/usr/bin/apt-get --dry-run --show-upgraded upgrade 2> /dev/null | grep '-security' | grep "^Inst" | cut -d ' ' -f2 | sort | uniq`
if [ ! "${FIND}" = "" ]; then
#Display --indent 2 --text "- Checking vulnerable packages..." --result WARNING --color RED
#Display --indent 2 --text "- Checking vulnerable packages" --result WARNING --color RED
VULNERABLE_PACKAGES_FOUND=1
SCAN_PERFORMED=1
logtext "Result: found vulnerable package(s) via apt-get (-security channel)"
@ -716,13 +716,13 @@
if [ ${VULNERABLE_PACKAGES_FOUND} -eq 1 ]; then
ReportWarning ${TEST_NO} "M" "Found one or more vulnerable packages."
ReportSuggestion ${TEST_NO} "Update your system with apt-get update, apt-get upgrade, apt-get dist-upgrade and/or unattended-upgrades"
Display --indent 2 --text "- Checking vulnerable packages..." --result WARNING --color RED
Display --indent 2 --text "- Checking vulnerable packages" --result WARNING --color RED
else
Display --indent 2 --text "- Checking vulnerable packages..." --result OK --color GREEN
Display --indent 2 --text "- Checking vulnerable packages" --result OK --color GREEN
logtext "Result: no vulnerable packages found"
fi
else
Display --indent 2 --text "- Checking vulnerable packages (apt-get only)..." --result DONE --color GREEN
Display --indent 2 --text "- Checking vulnerable packages (apt-get only)" --result DONE --color GREEN
logtext "Result: test not fully executed (missing apt-check output)"
fi
fi
@ -741,11 +741,11 @@
FIND=`/usr/bin/apt-show-versions -u | sed 's/ /!space!/g'`
if [ "${FIND}" = "" ]; then
logtext "Result: no packages found which can be upgraded"
Display --indent 2 --text "- Checking upgradeable packages..." --result NONE --color GREEN
Display --indent 2 --text "- Checking upgradeable packages" --result NONE --color GREEN
AddHP 3 3
else
logtext "Result: found one or more packages which can be upgraded"
Display --indent 2 --text "- Checking upgradeable packages..." --result FOUND --color YELLOW
Display --indent 2 --text "- Checking upgradeable packages" --result FOUND --color YELLOW
# output: program/repository upgradeable from version X to Y
for I in ${FIND}; do
I=`echo ${I} | sed 's/!space!/ /g'`
@ -754,7 +754,7 @@
fi
else
logtext "Result: /usr/bin/apt-show-versions not found"
Display --indent 2 --text "- Checking upgradeable packages..." --result SKIPPED --color WHITE
Display --indent 2 --text "- Checking upgradeable packages" --result SKIPPED --color WHITE
ReportSuggestion ${TEST_NO} "Install package apt-show-versions for patch management purposes"
fi
fi
@ -768,11 +768,11 @@
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: checking for package audit tool"
if [ ${PKG_AUDIT_TOOL_FOUND} -eq 0 ]; then
Display --indent 2 --text "- Checking package audit tool..." --result NONE --color RED
Display --indent 2 --text "- Checking package audit tool" --result NONE --color RED
ReportSuggestion ${TEST_NO} "Install a package audit tool to determine vulnerable packages"
logtext "Result: no package audit tool found"
else
Display --indent 2 --text "- Checking package audit tool..." --result INSTALLED --color GREEN
Display --indent 2 --text "- Checking package audit tool" --result INSTALLED --color GREEN
Display --indent 4 --text "Found: ${PKG_AUDIT_TOOL}"
logtext "Result: found package audit tool: ${PKG_AUDIT_TOOL}"
fi
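Review bot: In the apt-get test (hunk at -701) the filter `grep '-security'` passes a pattern that begins with a dash, so grep with getopt-style parsing reads it as an option cluster (`-s` plus `-e curity`) rather than the literal string `-security`. It still catches the `-security` repository lines by accident, but it also matches any upgrade line containing `curity`, and a grep that rejects the cluster would leave FIND empty, so the test would report no vulnerable packages. Use `grep -e '-security'` (or `grep -- '-security'`) so the intended pattern is what gets matched. The surrounding test starts and ends outside the hunk.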


@ -37,7 +37,7 @@
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Searching /usr/sbin/chkprintcap"
if [ ! -f /usr/sbin/chkprintcap ]; then
Display --indent 2 --text "- Checking chkprintcap..." --result "NOT FOUND" --color WHITE
Display --indent 2 --text "- Checking chkprintcap" --result "NOT FOUND" --color WHITE
logtext "Result: /usr/sbin/chkprintcap NOT found, test skipped."
else
logtext "Result: /usr/sbin/chkprintcap found"
@ -64,11 +64,11 @@
logtext "Test: Checking cupsd status"
FIND=`${PSBINARY} ax | grep "cupsd" | grep -v "grep" | grep -v apcupsd`
if [ ! "${FIND}" = "" ]; then
Display --indent 2 --text "- Checking cups daemon..." --result RUNNING --color GREEN
Display --indent 2 --text "- Checking cups daemon" --result RUNNING --color GREEN
logtext "Result: cups daemon running"
CUPSD_RUNNING=1; PRINTING_DAEMON="cups"
else
Display --indent 2 --text "- Checking cups daemon..." --result "NOT FOUND" --color WHITE
Display --indent 2 --text "- Checking cups daemon" --result "NOT FOUND" --color WHITE
logtext "Result: cups daemon not running, cups daemon tests skipped"
fi
fi
@ -88,11 +88,11 @@
fi
done
if [ ! "${CUPSD_CONFIG_FILE}" = "" ]; then
Display --indent 2 --text "- Checking CUPS configuration file..." --result OK --color GREEN
Display --indent 2 --text "- Checking CUPS configuration file" --result OK --color GREEN
logtext "Result: configuration file found (${CUPSD_CONFIG_FILE})"
CUPSD_FOUND=1
else
Display --indent 2 --text "- Checking CUPS configuration file..." --result "NOT FOUND" --color RED
Display --indent 2 --text "- Checking CUPS configuration file" --result "NOT FOUND" --color RED
logtext "Result: configuration file not found"
logtext "Development: no CUPS configuration file found"
fi
@ -164,10 +164,10 @@
done
if [ ${N} -eq 0 ]; then
Display --indent 2 --text "- Checking CUPS addresses/sockets..." --result "NONE" --color WHITE
Display --indent 2 --text "- Checking CUPS addresses/sockets" --result "NONE" --color WHITE
logtext "Result: no addresses found on which CUPS daemon is listening"
else
Display --indent 2 --text "- Checking CUPS addresses/sockets..." --result "FOUND" --color GREEN
Display --indent 2 --text "- Checking CUPS addresses/sockets" --result "FOUND" --color GREEN
logtext "Result: CUPS daemon is listening on network/socket"
fi
fi
@ -199,7 +199,7 @@
#Register --test-no PRNT-23xx--preqs-met ${PREQS_MET} --weight L --network NO --description "Check cupsd address configuration"
#if [ ${SKIPTEST} -eq 0 ]; then
#if [ "${OS}" = "Linux" ]; then
# echo " - Testing printcap file... [Test not implemented yet]"
# echo " - Testing printcap file [Test not implemented yet]"
# # Check printcap with checkpc command
#fi
#
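Review bot: The cupsd check (hunk at -64) still detects the daemon with `${PSBINARY} ax | grep "cupsd" | grep -v "grep" | grep -v apcupsd`, a substring match over whole command lines that needs a hand-written exclusion for every look-alike. Any process whose arguments mention cupsd sets `CUPSD_RUNNING=1` and enables the CUPS tests. The SNMP test on this page appears to switch to the `IsRunning` helper; assuming it matches on process name, `IsRunning cupsd` followed by `if [ ${RUNNING} -eq 1 ]; then` would make the two tests consistent. The test body starts before the hunk.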


@ -46,13 +46,13 @@
# Description : check all console TTYs in which root user can enter single user mode without password
Register --test-no SHLL-6202 --os FreeBSD --weight L --network NO --description "Check console TTYs"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Checking console TTYs..."
logtext "Test: Checking console TTYs"
FIND=`cat /etc/ttys | egrep '^console' | grep -v 'insecure'`
if [ "${FIND}" = "" ]; then
Display --indent 2 --text "- Checking console TTYs... " --result OK --color GREEN
Display --indent 2 --text "- Checking console TTYs" --result OK --color GREEN
logtext "Result: console is secured against single user mode without password."
else
Display --indent 2 --text "- Checking console TTYs... " --result WARNING --color RED
Display --indent 2 --text "- Checking console TTYs" --result WARNING --color RED
logtext "Result: Found insecure console in /etc/ttys. Single user mode login without password allowed!"
logtext "Output /etc/ttys:"
logtext "${FIND}"
@ -74,13 +74,13 @@
# Description : which shells are available according /etc/shells
Register --test-no SHLL-6211 --weight L --network NO --description "Checking available and valid shells"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Searching for /etc/shells..."
logtext "Test: Searching for /etc/shells"
if [ -f /etc/shells ]; then
logtext "Result: Found /etc/shells file"
logtext "Test: Reading available shells from /etc/shells"
SSHELLS=`cat /etc/shells | grep "^/"`
CSSHELLS=0; CSSHELLS_ALL=0
Display --indent 2 --text "- Checking shells from /etc/shells..."
Display --indent 2 --text "- Checking shells from /etc/shells"
for I in ${SSHELLS}; do
CSSHELLS_ALL=`expr ${CSSHELLS_ALL} + 1`
report "available_shell[]=${I}"
@ -181,15 +181,15 @@
# Description : Check default umask
# Register --test-no SHLL-6240 --weight L --network NO --description "Check default umask"
# if [ ${SKIPTEST} -eq 0 ]; then
# logtext "Test: Checking /etc/profile..."
# logtext "Test: Checking /etc/profile"
# if [ -f /etc/profile ]; then
# FIND=`grep "^umask" | awk '{ print $2 }'`
# if [ "${FIND}" = "" ]; then
# logtext "Result: xxx"
# Display --indent 2 --text "- Checking default umask... " --result OK --color GREEN
# Display --indent 2 --text "- Checking default umask" --result OK --color GREEN
# else
# logtext "Result: xxx"
# Display --indent 2 --text "- Checking default umask... " --result WARNING --color RED
# Display --indent 2 --text "- Checking default umask" --result WARNING --color RED
# #ReportWarning ${TEST_NO} "M" "xxx"
# #ReportSuggestion ${TEST_NO} "xxx"
# fi
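Review bot: The commented-out SHLL-6240 test (hunk at -181) runs `grep "^umask" | awk '{ print $2 }'` with no file operand, so if the block is ever enabled grep reads standard input and the audit stalls. The intended form is presumably `grep "^umask" /etc/profile | awk '{ print $2 }'`. The empty-result branch also displays OK, which would pass a profile that sets no umask at all, and both branches still log the placeholder `Result: xxx`; a `# TODO` comment saying the test is unfinished would keep it from being enabled as is. The block continues past the end of the hunk.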


@ -30,16 +30,16 @@
# Description : Check for a running SNMP daemon
Register --test-no SNMP-3302 --weight L --network NO --description "Check for running SNMP daemon"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Searching for a SNMP daemon..."
logtext "Test: Searching for a SNMP daemon"
# Check running processes
FIND=`${PSBINARY} ax | grep "snmpd" | grep -v "grep"`
if [ ! "${FIND}" = "" ]; then
IsRunning snmpd
if [ ${RUNNING} -eq 1 ]; then
SNMP_DAEMON_RUNNING=1
logtext "Result: SNMP daemon is running"
Display --indent 2 --text "- Checking running SNMP daemon..." --result FOUND --color GREEN
Display --indent 2 --text "- Checking running SNMP daemon" --result FOUND --color GREEN
else
logtext "Result: No running SNMP daemon found"
Display --indent 2 --text "- Checking running SNMP daemon..." --result "NOT FOUND" --color WHITE
Display --indent 2 --text "- Checking running SNMP daemon" --result "NOT FOUND" --color WHITE
fi
fi
#
@ -59,10 +59,10 @@
done
if [ "${SNMPD_DAEMON_CONFIG}" = "" ]; then
logtext "Result: No snmpd configuration found"
Display --indent 4 --text "- Checking SNMP configuration..." --result "NOT FOUND" --color WHITE
Display --indent 4 --text "- Checking SNMP configuration" --result "NOT FOUND" --color WHITE
else
logtext "Restult: using last found configuration file: ${SNMPD_DAEMON_CONFIG}"
Display --indent 4 --text "- Checking SNMP configuration..." --result "FOUND" --color GREEN
Display --indent 4 --text "- Checking SNMP configuration" --result "FOUND" --color GREEN
fi
fi
#
@ -87,10 +87,10 @@
# Check status of test
if [ ${WARN} -eq 0 ]; then
Display --indent 2 --text "- Checking SNMP community strings..." --result OK --color GREEN
Display --indent 2 --text "- Checking SNMP community strings" --result OK --color GREEN
AddHP 2 2
else
Display --indent 2 --text "- Checking SNMP community strings..." --result WARNING --color RED
Display --indent 2 --text "- Checking SNMP community strings" --result WARNING --color RED
ReportWarning ${TEST_NO} "M" "Found easy guessable SNMP community string"
fi
fi
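Review bot: The new `if [ ${RUNNING} -eq 1 ]; then` in the first hunk expands RUNNING unquoted, so if IsRunning (defined outside this page) ever leaves it empty, `[` fails with an operand error and the else branch logs that no SNMP daemon is running. For an audit tool that is a silent false negative, and the later SNMP tests presumably key off SNMP_DAEMON_RUNNING. I would write `if [ "${RUNNING}" = "1" ]; then`; the SSH-7402 hunk uses the same unquoted test. Since this is a cleanup pass, the misspelt `Restult:` prefix in the second hunk's logtext line should also become `Result:`, so that the line matches the prefix used by every other result entry in the log.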


@ -5,8 +5,8 @@
# Lynis
# ------------------
#
# Copyright 2007-2014, Michael Boelen (michael@rootkit.nl), The Netherlands
# Web site: http://www.rootkit.nl
# Copyright 2007-2014, Michael Boelen (michael.boelen@cisofy.com), The Netherlands
# Web site: http://cisofy.com
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
@ -26,16 +26,16 @@
# Description : Check if Stop-A is disabled
# Register --test-no SOL-xxxx --weight L --network NO --description "Check for running SSH daemon"
# if [ ${SKIPTEST} -eq 0 ]; then
# logtext "Test: Searching for a SSH daemon..."
# logtext "Test: Searching for a SSH daemon"
# # Check running processes
# FIND=`${PSBINARY} ax | grep "sshd" | grep -v "grep"`
# if [ ! "${FIND}" = "" ]; then
# SSH_DAEMON_RUNNING=1
# logtext "Result: Stop-A is disabled"
# Display --indent 2 --text "- Checking running SSH daemon..." --result FOUND --color GREEN
# Display --indent 2 --text "- Checking running SSH daemon" --result FOUND --color GREEN
# else
# logtext "Result: Stop-A is NOT disabled"
# Display --indent 2 --text "- Checking running SSH daemon..." --result "NOT FOUND" --color WHITE
# Display --indent 2 --text "- Checking running SSH daemon" --result "NOT FOUND" --color WHITE
# fi
# fi
#
@ -45,16 +45,16 @@
# Description : Check if vold is disabled, to disallow unaudited mounts
# Register --test-no SOL-xxxx --weight L --network NO --description "Check for running SSH daemon"
# if [ ${SKIPTEST} -eq 0 ]; then
# logtext "Test: Searching for a SSH daemon..."
# logtext "Test: Searching for a SSH daemon"
# # Check running processes
# FIND=`${PSBINARY} ax | grep "sshd" | grep -v "grep"`
# if [ ! "${FIND}" = "" ]; then
# SSH_DAEMON_RUNNING=1
# logtext "Result: Stop-A is disabled"
# Display --indent 2 --text "- Checking running SSH daemon..." --result FOUND --color GREEN
# Display --indent 2 --text "- Checking running SSH daemon" --result FOUND --color GREEN
# else
# logtext "Result: Stop-A is NOT disabled"
# Display --indent 2 --text "- Checking running SSH daemon..." --result "NOT FOUND" --color WHITE
# Display --indent 2 --text "- Checking running SSH daemon" --result "NOT FOUND" --color WHITE
# fi
# fi


@ -35,17 +35,17 @@
# programs.
Register --test-no SQD-3602 --weight L --network NO --description "Check for running Squid daemon"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Searching for a Squid daemon..."
logtext "Test: Searching for a Squid daemon"
FOUND=0
# Check running processes
FIND=`${PSBINARY} ax | egrep "(squid|squid3) " | grep -v "grep"`
if [ ! "${FIND}" = "" ]; then
SQUID_DAEMON_RUNNING=1
logtext "Result: Squid daemon is running"
Display --indent 2 --text "- Checking running Squid daemon..." --result FOUND --color GREEN
Display --indent 2 --text "- Checking running Squid daemon" --result FOUND --color GREEN
else
logtext "Result: No running Squid daemon found"
Display --indent 2 --text "- Checking running Squid daemon..." --result "NOT FOUND" --color WHITE
Display --indent 2 --text "- Checking running Squid daemon" --result "NOT FOUND" --color WHITE
fi
fi
#
@ -71,10 +71,10 @@
done
if [ "${SQUID_DAEMON_CONFIG}" = "" ]; then
logtext "Result: No Squid configuration file found"
Display --indent 4 --text "- Searching Squid configuration file..." --result "NOT FOUND" --color YELLOW
Display --indent 4 --text "- Searching Squid configuration file" --result "NOT FOUND" --color YELLOW
else
logtext "Result: using last found configuration file: ${SQUID_DAEMON_CONFIG}"
Display --indent 4 --text "- Searching Squid configuration..." --result FOUND --color GREEN
Display --indent 4 --text "- Searching Squid configuration" --result FOUND --color GREEN
fi
fi
#
@ -91,11 +91,11 @@
FIND=`find ${SQUIDBINARY} \( -perm 4000 -o -perm 2000 \) -print`
if [ "${FIND}" = "" ]; then
FIND2=`${SQUIDBINARY} -v | awk '{ if ($3=="Version") { print $4 } }'`
Display --indent 4 --text "- Checking Squid version..." --result "FOUND" --color GREEN
Display --indent 4 --text "- Checking Squid version" --result "FOUND" --color GREEN
SQUID_VERSION="${FIND2}"
else
logtext "Result: test skipped for security reasons, setuid/setgid bit set"
Display --indent 4 --text "- Checking Squid version..." --result "SKIPPED" --color RED
Display --indent 4 --text "- Checking Squid version" --result "SKIPPED" --color RED
fi
else
logtext "Result: no Squid binary found"
@ -123,8 +123,9 @@
for I in ${FIND}; do
I=`echo ${I} | sed 's/!space!/ /g'`
logtext "Found Squid option: ${I}"
report "squid_option=${I}"
done
Display --indent 4 --text "- Checking defined Squid options..." --result "DONE" --color GREEN
Display --indent 4 --text "- Checking defined Squid options" --result "DONE" --color GREEN
fi
#
#################################################################################
@ -147,13 +148,13 @@
FIND=`find ${SQUID_DAEMON_CONFIG} -type f -a \( -perm -004 -o -perm -002 -o -perm -001 \)`
if [ ! "${FIND}" = "" ]; then
logtext "Result: file ${SQUID_DAEMON_CONFIG} is world readable, writable or executable and could leak information or passwords"
Display --indent 4 --text "- Checking Squid configuration file permissions..." --result WARNING --color RED
Display --indent 4 --text "- Checking Squid configuration file permissions" --result WARNING --color RED
ReportSuggestion ${TEST_NO} "Check file permissions of ${SQUID_DAEMON_CONFIG} to limit access"
ReportWarning ${TEST_NO} "M" "File permissions of ${SQUID_DAEMON_CONFIG} are not restrictive"
AddHP 0 2
else
logtext "Result: file ${SQUID_DAEMON_CONFIG} has proper file permissions"
Display --indent 4 --text "- Checking Squid configuration file permissions..." --result OK --color GREEN
Display --indent 4 --text "- Checking Squid configuration file permissions" --result OK --color GREEN
AddHP 2 2
fi
fi
@ -161,7 +162,7 @@
#################################################################################
#
if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! "${SQUID_DAEMON_CONFIG}" = "" ]; then
Display --indent 4 --text "- Checking Squid access control..."
Display --indent 4 --text "- Checking Squid access control"
fi
#
#################################################################################
@ -175,9 +176,9 @@
FIND=`grep "^auth_param" ${SQUID_DAEMON_CONFIG} | awk '{ print $2 }'`
if [ "${FIND}" = "" ]; then
logtext "No auth_param option found, proxy access anonymous or based on other methods (like ACLs)"
Display --indent 6 --text "- Checking Squid authentication methods..." --result "NONE" --color YELLOW
Display --indent 6 --text "- Checking Squid authentication methods" --result "NONE" --color YELLOW
else
Display --indent 6 --text "- Checking Squid authentication methods..." --result "FOUND" --color GREEN
Display --indent 6 --text "- Checking Squid authentication methods" --result "FOUND" --color GREEN
for I in ${FIND}; do
logtext "Result: found authentication method ${I}"
report "squid_auth_method=${I}"
@ -196,9 +197,9 @@
FIND=`grep "^external_acl_type" ${SQUID_DAEMON_CONFIG}`
if [ "${FIND}" = "" ]; then
logtext "No external_acl_type found"
Display --indent 6 --text "- Checking Squid external authentication methods..." --result "NONE" --color YELLOW
Display --indent 6 --text "- Checking Squid external authentication methods" --result "NONE" --color YELLOW
else
Display --indent 6 --text "- Checking Squid external authentication methods..." --result "FOUND" --color GREEN
Display --indent 6 --text "- Checking Squid external authentication methods" --result "FOUND" --color GREEN
for I in ${FIND}; do
logtext "Result: found external authentication method helper"
logtext "Output: ${FIND}"
@ -219,7 +220,7 @@
FIND=`grep "^acl " ${SQUID_DAEMON_CONFIG} | sed 's/ /!space!/g'`
if [ "${FIND}" = "" ]; then
logtext "Result: No ACLs found"
Display --indent 6 --text "- Checking Access Control Lists..." --result "NONE" --color RED
Display --indent 6 --text "- Checking Access Control Lists" --result "NONE" --color RED
else
for I in ${FIND}; do
N=`expr ${N} + 1`
@ -228,7 +229,7 @@
#report "squid_acl=${I}"
done
logtext "Result: Found ${N} ACLs"
Display --indent 6 --text "- Checking Access Control Lists..." --result "${N} ACLs FOUND" --color GREEN
Display --indent 6 --text "- Checking Access Control Lists" --result "${N} ACLs FOUND" --color GREEN
fi
fi
#
@ -244,13 +245,13 @@
FIND=`grep "^http_access" ${SQUID_DAEMON_CONFIG} | grep "Safe_ports"`
if [ "${FIND}" = "" ]; then
logtext "Result: no Safe_ports found"
Display --indent 6 --text "- Checking ACL 'Safe_ports' http_access option..." --result "NOT FOUND" --color YELLOW
Display --indent 6 --text "- Checking ACL 'Safe_ports' http_access option" --result "NOT FOUND" --color YELLOW
ReportSuggestion ${TEST_NO} "Check if Squid has been configured to restrict access to all safe ports"
else
logtext "Result: checking ACL safe ports"
FIND2=`grep "^acl Safe_ports port" ${SQUID_DAEMON_CONFIG} | awk '{ print $4 }'`
if [ "${FIND2}" = "" ]; then
Display --indent 6 --text "- Checking ACL 'Safe_ports' ports..." --result "NONE FOUND" --color YELLOW
Display --indent 6 --text "- Checking ACL 'Safe_ports' ports" --result "NONE FOUND" --color YELLOW
ReportSuggestion ${TEST_NO} "Check if Squid has been configured for which ports it can allow outgoing traffic (Safe_ports)"
AddHP 0 1
else
@ -258,7 +259,7 @@
for I in ${FIND}; do
logtext "Found safe port: ${I}"
done
Display --indent 6 --text "- Checking ACL 'Safe_ports' ports..." --result "FOUND" --color GREEN
Display --indent 6 --text "- Checking ACL 'Safe_ports' ports" --result "FOUND" --color GREEN
AddHP 1 1
fi
#SQUID_DAEMON_UNSAFE_PORTS_LIST
@ -266,10 +267,10 @@
logtext "Test: Checking port ${I} in Safe_ports list"
FIND2=`grep "^acl Safe_ports port ${I}" ${SQUID_DAEMON_CONFIG}`
if [ "${FIND2}" = "" ]; then
Display --indent 6 --text "- Checking ACL 'Safe_ports' (port ${I})..." --result "NOT FOUND" --color GREEN
Display --indent 6 --text "- Checking ACL 'Safe_ports' (port ${I})" --result "NOT FOUND" --color GREEN
AddHP 1 1
else
Display --indent 6 --text "- Checking ACL 'Safe_ports' (port ${I})..." --result "FOUND" --color RED
Display --indent 6 --text "- Checking ACL 'Safe_ports' (port ${I})" --result "FOUND" --color RED
ReportWarning ${TEST_NO} "H" "Squid configuration possibly allows relaying traffic via configured Safe_port ${I}"
AddHP 0 1
fi
@ -280,7 +281,7 @@
#################################################################################
#
if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! "${SQUID_DAEMON_CONFIG}" = "" ]; then
Display --indent 4 --text "- Checking Squid Denial of Service tuning options..."
Display --indent 4 --text "- Checking Squid Denial of Service tuning options"
fi
#
#################################################################################
@ -309,7 +310,7 @@
#################################################################################
#
if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! "${SQUID_DAEMON_CONFIG}" = "" ]; then
Display --indent 4 --text "- Checking Squid general options..."
Display --indent 4 --text "- Checking Squid general options"
fi
#
#################################################################################
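Review bot: The added `report "squid_option=${I}"` (hunk at -123) copies every collected Squid option into the report file, and Squid directives can carry credentials, for example `cachemgr_passwd` or `login=` on a `cache_peer` line; the permission test later in this file already logs that the configuration "could leak information or passwords". The assignment of FIND is outside the hunk, so I cannot tell whether such lines are filtered earlier; if they are not, skip them right after the `sed` line, e.g. `case "${I}" in cachemgr_passwd*|*login=*) continue ;; esac`. Separately, the guard `find ${SQUIDBINARY} \( -perm 4000 -o -perm 2000 \) -print` (hunk at -91) matches only a mode of exactly 4000 or 2000, so a binary with mode 4755 passes it and is still run with `-v`. Writing `\( -perm -4000 -o -perm -2000 \)` tests the setuid and setgid bits themselves.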


@ -33,13 +33,13 @@
# Description : Check for a running SSH daemon
Register --test-no SSH-7402 --weight L --network NO --description "Check for running SSH daemon"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Searching for a SSH daemon..."
logtext "Test: Searching for a SSH daemon"
IsRunning sshd
if [ ${RUNNING} -eq 1 ]; then
SSH_DAEMON_RUNNING=1
Display --indent 2 --text "- Checking running SSH daemon..." --result FOUND --color GREEN
Display --indent 2 --text "- Checking running SSH daemon" --result FOUND --color GREEN
else
Display --indent 2 --text "- Checking running SSH daemon..." --result "NOT FOUND" --color WHITE
Display --indent 2 --text "- Checking running SSH daemon" --result "NOT FOUND" --color WHITE
fi
fi
#
@ -70,11 +70,11 @@
done
if [ "${SSH_DAEMON_CONFIG}" = "" ]; then
logtext "Result: No sshd configuration found"
Display --indent 4 --text "- Searching SSH configuration..." --result "NOT FOUND" --color YELLOW
Display --indent 4 --text "- Searching SSH configuration" --result "NOT FOUND" --color YELLOW
ReportException "${TEST_NO}:1" "SSH daemon is running, but no readable configuration file found"
else
logtext "Result: using last found configuration file: ${SSH_DAEMON_CONFIG}"
Display --indent 4 --text "- Searching SSH configuration..." --result FOUND --color GREEN
Display --indent 4 --text "- Searching SSH configuration" --result FOUND --color GREEN
fi
fi
#
@ -85,16 +85,16 @@
# if [ ${SSH_DAEMON_RUNNING} -eq 1 -a ! "${SSH_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
# Register --test-no SSH-7406 --preqs-met ${PREQS_MET} --weight L --network NO --description "SSH daemon listening port"
# if [ ${SKIPTEST} -eq 0 ]; then
# logtext "Test: Searching for a SSH daemon..."
# logtext "Test: Searching for a SSH daemon"
# CheckOption "^Port " ${SSH_DAEMON_CONFIG}
# if [ ${FOUND} -eq 1 ]; then
# FIND=`echo ${FIND} | awk '{ if ($1=="Port") { print $2 }}'`
# # Check if this output is numeric and usuable for later (e.g. in netstat output)
# Display --indent 2 --text "- Checking SSH listening port..." --result FOUND --color GREEN
# Display --indent 2 --text "- Checking SSH listening port" --result FOUND --color GREEN
# logtext "Result: setting port number to ${FIND}"
# SSH_DAEMON_PORT="${FIND}"
# else
# Display --indent 2 --text "- Checking SSH listening port..." --result "NOT FOUND" --color WHITE
# Display --indent 2 --text "- Checking SSH listening port" --result "NOT FOUND" --color WHITE
# logtext "Result: setting port to default number, as no other port has been configured"
# SSH_DAEMON_PORT="22"
# fi
@ -113,7 +113,7 @@
I=`echo ${I} | sed 's/!space!/ /g'`
logtext "Found SSH option: ${I}"
done
Display --indent 4 --text "- Checking defined SSH options..." --result "DONE" --color GREEN
Display --indent 4 --text "- Checking defined SSH options" --result "DONE" --color GREEN
fi
#
#################################################################################
@ -127,18 +127,18 @@
FIND=`cat ${SSH_DAEMON_CONFIG} | grep "^PermitRootLogin" | awk '{ print $2 }'`
if [ "${FIND}" = "yes" -o "${FIND}" = "YES" -o "${FIND}" = "Yes" ]; then
logtext "Result: PermitRootLogin is enabled, root can login directly"
Display --indent 4 --text "- SSH option: PermitRootLogin..." --result WARNING --color RED
Display --indent 4 --text "- SSH option: PermitRootLogin" --result WARNING --color RED
ReportWarning ${TEST_NO} "M" "Root can directly login via SSH"
AddHP 0 3
else
# YYY add test for DenyUsers root
if [ "${FIND}" = "no" -o "${FIND}" = "No" ]; then
logtext "Result: PermitRootLogin is disabled. Root can't login directly"
Display --indent 4 --text "- SSH option: PermitRootLogin..." --result DISABLED --color GREEN
Display --indent 4 --text "- SSH option: PermitRootLogin" --result DISABLED --color GREEN
AddHP 3 3
else
logtext "Result: Value of PermitRootLogin is unknown (not defined)"
Display --indent 4 --text "- SSH option: PermitRootLogin..." --result DEFAULT --color WHITE
Display --indent 4 --text "- SSH option: PermitRootLogin" --result DEFAULT --color WHITE
fi
fi
fi
@ -154,17 +154,17 @@
FIND=`cat ${SSH_DAEMON_CONFIG} | grep "^Protocol" | awk '{ print $2 }'`
if [ "${FIND}" = "1" -o "${FIND}" = "2,1" -o "${FIND}" = "1,2" ]; then
logtext "Result: Protocol option is set to allow SSH protocol version 1"
Display --indent 4 --text "- SSH option: Protocol..." --result WARNING --color RED
Display --indent 4 --text "- SSH option: Protocol" --result WARNING --color RED
ReportWarning ${TEST_NO} "M" "SSH protocol version 1 is allowed"
AddHP 0 3
else
if [ "${FIND}" = "2" ]; then
logtext "Result: only protocol 2 is allowed"
Display --indent 4 --text "- SSH option: Protocol..." --result OK --color GREEN
Display --indent 4 --text "- SSH option: Protocol" --result OK --color GREEN
AddHP 3 3
else
logtext "Result: value of Protocol is unknown (not defined)"
Display --indent 4 --text "- SSH option: Protocol..." --result DEFAULT --color WHITE
Display --indent 4 --text "- SSH option: Protocol" --result DEFAULT --color WHITE
fi
fi
fi
@ -180,18 +180,18 @@
FIND=`cat ${SSH_DAEMON_CONFIG} | grep "^StrictModes" | awk '{ print $2 }'`
if [ "${FIND}" = "no" -o "${FIND}" = "NO" -o "${FIND}" = "No" ]; then
logtext "Result: StrictModes option is set to 'no', which means file permissions are NOT checked"
Display --indent 4 --text "- SSH option: StrictModes..." --result WARNING --color RED
Display --indent 4 --text "- SSH option: StrictModes" --result WARNING --color RED
ReportWarning ${TEST_NO} "M" "StrictModes is turned off"
ReportSuggestion ${TEST_NO} "Check StrictModes option in sshd_config"
AddHP 0 3
else
if [ "${FIND}" = "yes" -o "${FIND}" = "YES" -o "${FIND}" = "Yes" ]; then
logtext "Result: StrictModes active, file permissions are checked"
Display --indent 4 --text "- SSH option: StrictModes..." --result OK --color GREEN
Display --indent 4 --text "- SSH option: StrictModes" --result OK --color GREEN
AddHP 3 3
else
logtext "Result: value of StrictModes is unknown (not defined)"
Display --indent 4 --text "- SSH option: StrictModes..." --result DEFAULT --color WHITE
Display --indent 4 --text "- SSH option: StrictModes" --result DEFAULT --color WHITE
fi
fi
fi
@ -207,17 +207,17 @@
# FIND=`cat ${SSH_DAEMON_CONFIG} | grep "^Port" | awk '{ if ($2!="22") { print $2 } }'`
# if [ "${FIND}" = "1" -o "${FIND}" = "2,1" -o "${FIND}" = "1,2" ]; then
# logtext "Result: Protocol option is set to allow SSH protocol version 1"
# Display --indent 4 --text "- SSH option: Protocol..." --result WARNING --color RED
# Display --indent 4 --text "- SSH option: Protocol" --result WARNING --color RED
# ReportWarning ${TEST_NO} "M" "SSH protocol version 1 is allowed"
# AddHP 0 3
# else
# if [ "${FIND}" = "2" ]; then
# logtext "Result: only protocol 2 is allowed"
# Display --indent 4 --text "- SSH option: Protocol..." --result OK --color GREEN
# Display --indent 4 --text "- SSH option: Protocol" --result OK --color GREEN
# AddHP 3 3
# else
# logtext "Result: value of Protocol is unknown (not defined)"
# Display --indent 4 --text "- SSH option: Protocol..." --result DEFAULT --color WHITE
# Display --indent 4 --text "- SSH option: Protocol" --result DEFAULT --color WHITE
# fi
# fi
# fi
@ -235,22 +235,22 @@
FIND=`egrep "^AllowUsers" ${SSH_DAEMON_CONFIG} | awk '{ print $2 }'`
if [ ! "${FIND}" = "" ]; then
logtext "Result: AllowUsers set, with value ${FIND}"
Display --indent 4 --text "- SSH option: AllowUsers..." --result FOUND --color GREEN
Display --indent 4 --text "- SSH option: AllowUsers" --result FOUND --color GREEN
FOUND=1
else
logtext "Result: AllowUsers is not set"
Display --indent 4 --text "- SSH option: AllowUsers..." --result "NOT FOUND" --color WHITE
Display --indent 4 --text "- SSH option: AllowUsers" --result "NOT FOUND" --color WHITE
fi
# AllowGroups
FIND=`egrep "^AllowGroups" ${SSH_DAEMON_CONFIG} | awk '{ print $2 }'`
if [ ! "${FIND}" = "" ]; then
logtext "Result: AllowUsers set ${FIND}"
Display --indent 4 --text "- SSH option: AllowGroups..." --result FOUND --color GREEN
Display --indent 4 --text "- SSH option: AllowGroups" --result FOUND --color GREEN
FOUND=1
else
logtext "Result: AllowGroups is not set"
Display --indent 4 --text "- SSH option: AllowGroups..." --result "NOT FOUND" --color WHITE
Display --indent 4 --text "- SSH option: AllowGroups" --result "NOT FOUND" --color WHITE
fi
if [ ${FOUND} -eq 1 ]; then
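Review bot: The PermitRootLogin test (hunk at -127) selects the line with a case-sensitive `grep "^PermitRootLogin"` and then compares against `no`/`No` only, although the StrictModes test in this same file also accepts `NO`. sshd_config keywords are case-insensitive, so a lower-case `permitrootlogin yes` is never matched and lands in the "unknown (not defined)" branch with no warning and no hardening points. Normalising once removes the spelling lists: ``FIND=`grep -i "^PermitRootLogin" ${SSH_DAEMON_CONFIG} | awk '{ print $2 }' | tr 'A-Z' 'a-z'` `` and then compare against `yes` and `no`; the Protocol and StrictModes hunks would benefit from the same treatment. In the last hunk the AllowGroups branch logs `Result: AllowUsers set ${FIND}`, which names the wrong option, and the `if [ ${FOUND} -eq 1 ]` block it ends on continues outside the hunk.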


@ -52,12 +52,12 @@
fi
if [ ${FOUND} -eq 0 ]; then
logtext "Result: usb-storage driver is not explicitly disabled"
Display --indent 2 --text "- Checking usb-storage driver (modprobe config)..." --result "NOT DISABLED" --color WHITE
Display --indent 2 --text "- Checking usb-storage driver (modprobe config)" --result "NOT DISABLED" --color WHITE
ReportSuggestion ${TEST_NO} "Disable drivers like USB storage when not used, to prevent unauthorized storage or data theft"
AddHP 2 3
else
logtext "Result: usb-storage driver is disabled"
Display --indent 2 --text "- Checking usb-storage driver (modprobe config)..." --result "DISABLED" --color GREEN
Display --indent 2 --text "- Checking usb-storage driver (modprobe config)" --result "DISABLED" --color GREEN
AddHP 3 3
fi
fi
@ -94,13 +94,13 @@
if [ ${FOUND} -eq 0 ]; then
logtext "Result: firewire ohci driver is not explicitly disabled"
Display --indent 2 --text "- Checking firewire ohci driver (modprobe config)..." --result "NOT DISABLED" --color WHITE
Display --indent 2 --text "- Checking firewire ohci driver (modprobe config)" --result "NOT DISABLED" --color WHITE
ReportSuggestion ${TEST_NO} "Disable drivers like firewire storage when not used, to prevent unauthorized storage or data theft"
# after blacklisting modules, make sure to remove them from the initram filesystem: update-initramfs -u
AddHP 2 3
else
logtext "Result: firewire ohci driver is disabled"
Display --indent 2 --text "- Checking firewire ohci driver (modprobe config)..." --result "DISABLED" --color GREEN
Display --indent 2 --text "- Checking firewire ohci driver (modprobe config)" --result "DISABLED" --color GREEN
AddHP 3 3
fi
fi


@ -27,7 +27,6 @@
#
#################################################################################
#
# Test : STRG-1902
# Description : Check rpcinfo
if [ ! "${RPCINFOBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
@ -38,7 +37,7 @@
for I in ${FIND}; do
logtext "rpcinfo: ${I}"
done
Display --indent 2 --text "- Query rpc registered programs..." --result "DONE" --color GREEN
Display --indent 2 --text "- Query rpc registered programs" --result "DONE" --color GREEN
fi
#
#################################################################################
@ -53,7 +52,7 @@
for I in ${FIND}; do
logtext "Found version: ${I}"
done
Display --indent 2 --text "- Query NFS versions..." --result "DONE" --color GREEN
Display --indent 2 --text "- Query NFS versions" --result "DONE" --color GREEN
fi
#
#################################################################################
@ -81,7 +80,7 @@
if [ "${FIND}" = "" ]; then
logtext "Output: no NFS port number found"
fi
Display --indent 2 --text "- Query NFS protocols..." --result "DONE" --color GREEN
Display --indent 2 --text "- Query NFS protocols" --result "DONE" --color GREEN
fi
#
#################################################################################
@ -94,10 +93,10 @@
FIND=`${PSBINARY} ax | grep "nfsd" | grep -v "grep"`
if [ "${FIND}" = "" ]; then
logtext "Output: NFS daemon is not running"
Display --indent 2 --text "- Check running NFS daemon..." --result "NOT FOUND" --color WHITE
Display --indent 2 --text "- Check running NFS daemon" --result "NOT FOUND" --color WHITE
else
logtext "Output: NFS daemon is running"
Display --indent 2 --text "- Check running NFS daemon.." --result "FOUND" --color GREEN
Display --indent 2 --text "- Check running NFS daemon" --result "FOUND" --color GREEN
NFS_DAEMON_RUNNING=1
fi
fi
@ -129,10 +128,10 @@
logtext "Result: /etc/exports does not contain exported file systems"
NFS_EXPORTS_EMPTY=1
fi
Display --indent 4 --text "- Checking /etc/exports..." --result "FOUND" --color GREEN
Display --indent 4 --text "- Checking /etc/exports" --result "FOUND" --color GREEN
else
logtext "Result: file /etc/exports does not exist"
Display --indent 4 --text "- Checking /etc/exports..." --result "NOT FOUND" --color WHITE
Display --indent 4 --text "- Checking /etc/exports" --result "NOT FOUND" --color WHITE
fi
fi
#
@ -144,7 +143,7 @@
Register --test-no STRG-1928 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking empty /etc/exports"
if [ ${SKIPTEST} -eq 0 ]; then
if [ ${NFS_EXPORTS_EMPTY} -eq 1 ]; then
Display --indent 6 --text "- Checking empty /etc/exports..." --result SUGGESTION --color YELLOW
Display --indent 6 --text "- Checking empty /etc/exports" --result SUGGESTION --color YELLOW
logtext "Result: /etc/exports seems to have no exported file systems"
ReportSuggestion ${TEST_NO} "/etc/exports has no exported file systems, while NFS daemon is running. Check if NFS needs to run on this system"
fi
@ -161,12 +160,12 @@
sFIND=`${SHOWMOUNTBINARY} -e | awk '{ print $2 }' | sed '1d'| grep "\*"`
if [ "${sFIND}" != "" ]; then
logtext "Result: all client are allowed to access a NFS share in /etc/exports"
Display --indent 4 --text "- Checking NFS client access..." --result "ALL CLIENTS" --color YELLOW
Display --indent 4 --text "- Checking NFS client access" --result "ALL CLIENTS" --color YELLOW
ReportSuggestion ${TEST_NO} "Specify clients that are allowed to access a NFS share /etc/exports"
AddHP 2 3
else
logtext "Result: only some clients are allowed to access a NFS share"
Display --indent 4 --text "- Checking NFS client access..." --result OK --color GREEN
Display --indent 4 --text "- Checking NFS client access" --result OK --color GREEN
AddHP 3 3
fi
fi
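Review bot: The NFS daemon check (hunk at -94) still uses ``FIND=`${PSBINARY} ax | grep "nfsd" | grep -v "grep"` ``, while this same commit moves the SNMP check to the `IsRunning` helper. For consistency I would call `IsRunning nfsd` here and branch on `${RUNNING}`, assuming the helper sets it to 0 or 1 as the SNMP hunk implies; its definition is not on this page. The substring match also counts any process whose command line merely contains "nfsd", which then drives the /etc/exports suggestions further down. In the hunk at -161 the log text "all client are allowed" should read "all clients are allowed".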


@ -30,9 +30,9 @@
# Description : Basic nameserver configuration tests (connectivity)
# Register --test-no TCPW-xxxx --weight L --network YES --description "Basic nameserver configuration tests"
# if [ ${SKIPTEST} -eq 0 ]; then
# Display --indent 2 --text "- Checking configured nameservers..."
# Display --indent 2 --text "- Checking configured nameservers"
# logtext "Test: Checking /etc/resolv.conf file"
# Display --indent 8 --text "Nameserver: ${I}..." --result OK --color GREEN
# Display --indent 8 --text "Nameserver: ${I}" --result OK --color GREEN
# ReportSuggestion ${TEST_NO} "Check connection to this nameserver and make sure no outbound DNS queries are blocked (port 53 UDP and TCP)."
# ReportWarning ${TEST_NO} "L" "Nameserver ${I} does not respond"
# fi


@ -47,7 +47,7 @@
Register --test-no TIME-3104 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check for running NTP daemon or client"
if [ ${SKIPTEST} -eq 0 ]; then
# Linux/FreeBSD (ntpdate), OpenBSD (ntpd, rdate)
logtext "Test: Searching for a running NTP daemon or available client... "
logtext "Test: Searching for a running NTP daemon or available client"
FOUND=0
# Check running processes
@ -140,10 +140,10 @@
done
if [ ${FOUND_IN_CRON} -eq 1 ]; then
Display --indent 2 --text "- Checking NTP client in cron files..." --result FOUND --color GREEN
Display --indent 2 --text "- Checking NTP client in cron files" --result FOUND --color GREEN
logtext "Result: found ntpdate or rdate in cron directory"
else
Display --indent 2 --text "- Checking NTP client in cron.d files..." --result "NOT FOUND" --color WHITE
Display --indent 2 --text "- Checking NTP client in cron.d files" --result "NOT FOUND" --color WHITE
logtext "Result: no ntpdate or rdate found in cron directories"
fi
@ -154,7 +154,7 @@
logtext "Result: found ntpdate action when network interface comes up"
FOUND=1
NTP_CONFIG_TYPE_EVENTBASED=1
Display --indent 2 --text "- Checking event based ntpdate (if-up)..." --result FOUND --color GREEN
Display --indent 2 --text "- Checking event based ntpdate (if-up)" --result FOUND --color GREEN
else
logtext "Result: file /etc/network/if-up.d/ntpdate does not exist"
fi
@ -297,11 +297,11 @@
logtext "Test: Checking preferred time source"
FIND=`${NTPQBINARY} -p -n | grep '^+' | awk '{ print $1 }'`
if [ "${FIND}" = "" ]; then
Display --indent 2 --text "- Checking time source candidates..." --result NONE --color YELLOW
Display --indent 2 --text "- Checking time source candidates" --result NONE --color YELLOW
logtext "Result: No other time source candidates found"
ReportSuggestion ${TEST_NO} "Check ntpq peers output for time source candidates"
else
Display --indent 2 --text "- Checking time source candidates..." --result OK --color GREEN
Display --indent 2 --text "- Checking time source candidates" --result OK --color GREEN
logtext "Result: Found one or more candidates to synchronize time with."
for I in ${FIND}; do
I=`echo ${I} | sed 's/+//g'`
@ -320,10 +320,10 @@
logtext "Test: Checking preferred time source"
FIND=`${NTPQBINARY} -p -n | grep '^x'`
if [ "${FIND}" = "" ]; then
Display --indent 2 --text "- Checking falsetickers..." --result OK --color GREEN
Display --indent 2 --text "- Checking falsetickers" --result OK --color GREEN
logtext "Result: No falsetickers found (items preceeding with an 'x')"
else
Display --indent 2 --text "- Checking falsetickers..." --result NONE --color YELLOW
Display --indent 2 --text "- Checking falsetickers" --result NONE --color YELLOW
logtext "Result: Found one or more falsetickers (items preceeding with an 'x')"
for I in ${FIND}; do
I=`echo ${I} | sed 's/x//g'`
@ -345,11 +345,11 @@
logtext "Test: Checking NTP protocol version (ntpq -c ntpversion)"
FIND=`${NTPQBINARY} -c ntpversion | awk '{ if ($1=="NTP" && $2=="version" && $5=="is") { print $6 } }'`
if [ "${FIND}" = "" ]; then
Display --indent 2 --text "- Checking NTP version..." --result UNKNOWN --color YELLOW
Display --indent 2 --text "- Checking NTP version" --result UNKNOWN --color YELLOW
logtext "Result: No NTP version found"
ReportSuggestion ${TEST_NO} "Check ntpq output for NTP protocol version"
else
Display --indent 2 --text "- Checking NTP version..." --result FOUND --color GREEN
Display --indent 2 --text "- Checking NTP version" --result FOUND --color GREEN
logtext "Result: Found NTP version ${FIND}"
report "ntp_version=${FIND}"
fi
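Review bot: In the falsetickers hunk (at -320) the branch that logs "Found one or more falsetickers" displays `--result NONE --color YELLOW`, so the screen says NONE exactly when falsetickers were found. Something like `Display --indent 2 --text "- Checking falsetickers" --result FOUND --color YELLOW` would agree with the log line. That hunk and the one before it both open with `logtext "Test: Checking preferred time source"`, which looks copied from another test and makes the log harder to follow when checking why a time source was rejected. The `for I in ${FIND}` loop that follows continues outside the hunk.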


@ -35,7 +35,7 @@ PUPPET_MASTER_RUNNING=0
Register --test-no TOOL-5002 --weight L --network NO --description "Checking for automation tools"
if [ ${SKIPTEST} -eq 0 ]; then
Display --indent 2 --text "- Checking automation tooling..."
Display --indent 2 --text "- Checking automation tooling"
# Cfengine
if [ ! "${CFAGENTBINARY}" = "" ]; then


@ -39,10 +39,10 @@
report "solaris_running_zone[]=${ZONENAME} [id:${ZONEID}]"
done
logtext "Result: total of ${N} running zones"
Display --indent 2 --text "- Checking Solaris Zones..." --result "FOUND ${N} zones" --color GREEN
Display --indent 2 --text "- Checking Solaris Zones" --result "FOUND ${N} zones" --color GREEN
else
logtext "Result: no running zones found"
Display --indent 2 --text "- Checking Solaris Zones..." --result NONE --color WHITE
Display --indent 2 --text "- Checking Solaris Zones" --result NONE --color WHITE
fi
fi
#
@ -71,7 +71,7 @@
# if [ ${SKIPTEST} -eq 0 ]; then
# # Initialise
# VMWARE_GUEST=0
# Display --indent 2 --text "- Checking VMware guest status..."
# Display --indent 2 --text "- Checking VMware guest status"
# #YYY check memory driver file
# #YYY check LKM list
# #YYY check vmware tools


@ -56,7 +56,7 @@
if [ "${HTTPDBINARY}" = "" ]; then
Display --indent 2 --text "- Checking Apache" --result "NOT FOUND" --color WHITE
else
logtext "Test: Scanning for Apache binary..."
logtext "Test: Scanning for Apache binary"
IS_APACHE=`${HTTPDBINARY} -v | egrep '[aA]pache'`
if [ "${IS_APACHE}" = "" ]; then
logtext "Result: ${HTTPDBINARY} is not Apache"
@ -121,7 +121,7 @@
if [ ${APACHE_INSTALLED} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no HTTP-6626 --preqs-met ${PREQS_MET} --weight L --network NO --description "Testing other Apache configuration file"
if [ ${SKIPTEST} -eq 0 ]; then
#Display --indent 4 --text "- Searching Apache virtual hosts..."
#Display --indent 4 --text "- Searching Apache virtual hosts"
for I in ${sTEST_APACHE_TARGETS}; do
if [ -d ${I} ]; then
find ${I} -name "*.conf" -print >> ${TMPFILE2}
@ -200,7 +200,7 @@
# # Check if option ServerTokens is configured
# SERVERTOKENSTEST=`cat ${APACHE_CONFIGFILE} | grep ServerTokens | grep -v '^#'`
# if [ ! "${SERVERTOKENSTEST}" = "" ]; then
# Display --indent 4 --text "- Checking option ServerTokens..." --result FOUND --color WHITE
# Display --indent 4 --text "- Checking option ServerTokens" --result FOUND --color WHITE
# SERVERTOKENSTEST=`echo ${SERVERTOKENSTEST} | sed 's/ServerTokens//' | tr -d ' '`
# logtext "Option ServerTokens found: ${SERVERTOKENSTEST}"
# SERVERTOKENSEXPECTED=`cat ${PROFILE} | grep 'apache' | grep 'ServerTokens' | cut -d ':' -f3`
@ -213,7 +213,7 @@
# logtext "Expected: ${SERVERTOKENSEXPECTED}"
# fi
# else
# Display --indent 4 --text "- Checking option ServerTokens..." --result "NOT FOUND" --color WHITE
# Display --indent 4 --text "- Checking option ServerTokens" --result "NOT FOUND" --color WHITE
# fi
#
# else
@ -224,9 +224,9 @@
#
# # Display results from checks
# if [ ${SERVERTOKENSFOUND} -eq 1 ]; then
# Display --indent 6 --text "- Value of ServerTokens..." --result OK --color GREEN
# Display --indent 6 --text "- Value of ServerTokens" --result OK --color GREEN
# else
# Display --indent 6 --text "- Value of ServerTokens..." --result WARNING --color RED
# Display --indent 6 --text "- Value of ServerTokens" --result WARNING --color RED
# ReportWarning ${TEST_NO} "M" "Value of 'ServerTokens' in Apache config is different than template"
# fi
# fi
@ -467,7 +467,7 @@
Register --test-no HTTP-6708 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check discovered nginx configuration settings"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: start parsing all discovered nginx options"
Display --indent 4 --text "- Parsing configuration options..."
Display --indent 4 --text "- Parsing configuration options"
ParseNginx
fi
#
@ -527,7 +527,7 @@
Register --test-no HTTP-6712 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check nginx access logging"
if [ ${SKIPTEST} -eq 0 ]; then
NGINX_LOG_SUGGESTION=0
Display --indent 6 --text "- Checking log file configuration..."
Display --indent 6 --text "- Checking log file configuration"
# Check for missing access log
if [ ${NGINX_ACCESS_LOG_MISSING} -eq 1 ]; then
@ -616,10 +616,10 @@
# done
# if [ ${N} -eq 0 ]; then
# logtext "Result: no reverse proxying functionality found"
# Display --indent 4 --text "- Searching reverse proxy functionality..." --result "NOT FOUND" --color WHITE
# Display --indent 4 --text "- Searching reverse proxy functionality" --result "NOT FOUND" --color WHITE
# else
# logtext "Result: found ${N} addresses for which nginx will be a reverse proxy"
# Display --indent 4 --text "- Searching reverse proxy functionality..." --result "${N} FOUND" --color GREEN
# Display --indent 4 --text "- Searching reverse proxy functionality" --result "${N} FOUND" --color GREEN
# fi
# fi
#
@ -642,10 +642,10 @@
# done
# if [ ${N} -eq 0 ]; then
# logtext "Result: no virtual hosts found"
# Display --indent 4 --text "- Searching virtual hosts..." --result "NOT FOUND" --color WHITE
# Display --indent 4 --text "- Searching virtual hosts" --result "NOT FOUND" --color WHITE
# else
# logtext "Result: found ${N} virtual hosts"
# Display --indent 4 --text "- Searching virtual hosts..." --result "${N} FOUND" --color GREEN
# Display --indent 4 --text "- Searching virtual hosts" --result "${N} FOUND" --color GREEN
# fi
# fi
#
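Review bot: In the HTTP-6626 hunk the loop body still expands `${I}` and `${TMPFILE2}` unquoted, in `[ -d ${I} ]` and in the `find` that follows. A target that resolves to a path containing whitespace or glob characters is split or expanded again before `[` and `find` see it, and since an audit script like this presumably runs with elevated privileges, the paths it walks should be passed exactly as discovered. I would write `if [ -d "${I}" ]; then` and `find "${I}" -name "*.conf" -print >> "${TMPFILE2}"`. Where `sTEST_APACHE_TARGETS` and `TMPFILE2` are set is not visible here, and the `for` loop continues outside the hunk.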