Made adjustments to run in non-privileged scans

This commit is contained in:
mboelen 2014-09-09 14:49:37 +02:00
parent 3beae44e92
commit dd2ea3efaf
7 changed files with 447 additions and 406 deletions


@ -194,18 +194,18 @@
# Description : Check for non unique groups
Register --test-no AUTH-9222 --weight L --network NO --description "Check for non unique groups"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Checking for non unique group ID's in /etc/group"
FIND=`cat /etc/group | grep -v '^#' | grep -v '^$' | awk -F: '{ print $3 }' | sort | uniq -d`
if [ "${FIND}" = "" ]; then
Display --indent 2 --text "- Checking non unique group ID's..." --result OK --color GREEN
logtext "Result: All group ID's are unique"
else
Display --indent 2 --text "- Checking non unique group ID's..." --result WARNING --color RED
logtext "Result: Found the same group ID multiple times"
logtext "Output: ${FIND}"
ReportWarning ${TEST_NO} "H" "Found multiple groups with same group ID"
ReportSuggestion ${TEST_NO} "Check your /etc/group file and correct inconsistencies"
fi
logtext "Test: Checking for non unique group ID's in /etc/group"
FIND=`cat /etc/group | grep -v '^#' | grep -v '^$' | awk -F: '{ print $3 }' | sort | uniq -d`
if [ "${FIND}" = "" ]; then
Display --indent 2 --text "- Checking non unique group ID's..." --result OK --color GREEN
logtext "Result: All group ID's are unique"
else
Display --indent 2 --text "- Checking non unique group ID's..." --result WARNING --color RED
logtext "Result: Found the same group ID multiple times"
logtext "Output: ${FIND}"
ReportWarning ${TEST_NO} "H" "Found multiple groups with same group ID"
ReportSuggestion ${TEST_NO} "Check your /etc/group file and correct inconsistencies"
fi
fi
#
#################################################################################
@ -277,17 +277,17 @@
if [ -x /usr/sbin/pwck ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no AUTH-9230 --os Solaris --preqs-met ${PREQS_MET} --weight L --network NO --description "Check password file consistency"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Checking password file consistency (pwck)"
FIND=`/usr/sbin/pwck 2> /dev/null; echo $?`
if [ "${FIND}" = "0" ]; then
Display --indent 2 --text "- Checking password file consistency..." --result OK --color GREEN
logtext "Result: pwck finished didn't find problems"
else
Display --indent 2 --text "- Checking password file consistency..." --result WARNING --color RED
logtext "Result: pwck found one or more errors/warnings in the password file."
ReportWarning ${TEST_NO} "M" "pwck found one or more errors/warnings in the password file"
ReportSuggestion ${TEST_NO} "Run pwck manually and correct found issues."
fi
logtext "Test: Checking password file consistency (pwck)"
FIND=`/usr/sbin/pwck 2> /dev/null; echo $?`
if [ "${FIND}" = "0" ]; then
Display --indent 2 --text "- Checking password file consistency..." --result OK --color GREEN
logtext "Result: pwck finished didn't find problems"
else
Display --indent 2 --text "- Checking password file consistency..." --result WARNING --color RED
logtext "Result: pwck found one or more errors/warnings in the password file."
ReportWarning ${TEST_NO} "M" "pwck found one or more errors/warnings in the password file"
ReportSuggestion ${TEST_NO} "Run pwck manually and correct found issues."
fi
fi
#
#################################################################################
@ -342,7 +342,7 @@
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Read real system users (including root user) from /etc/passwd..."
FIND=""
if [ "${OS}" = "FreeBSD" ]; then
logtext "FreeBSD real users output (ID > 1000, but not 65534):"
FIND=`awk -F: '($3 > 1000) && ($3 != 65534) || ($3 == 0) { print $1","$3 }' /etc/passwd`
@ -377,25 +377,25 @@
# Description : Query NIS+ authentication support
Register --test-no AUTH-9240 --weight L --network NO --description "Query NIS+ authentication support"
if [ ${SKIPTEST} -eq 0 ]; then
if [ -f /etc/nsswitch.conf ]; then
FIND=`egrep "^passwd" /etc/nsswitch.conf | egrep "compat|nisplus"`
if [ "${FIND}" = "" ]; then
logtext "Result: NIS+ authentication not enabled"
Display --indent 2 --text "- Checking NIS+ authentication support" --result "NOT ENABLED" --color WHITE
else
FIND2=`egrep "^passwd_compat" /etc/nsswitch.conf | grep "nisplus"`
FIND3=`egrep "^passwd" /etc/nsswitch.conf | grep "nisplus"`
if [ ! "${FIND2}" = "" -o ! "${FIND3}" = "" ]; then
logtext "Result: NIS+ authentication enabled"
Display --indent 2 --text "- Checking NIS+ authentication support" --result "ENABLED" --color GREEN
else
logtext "Result: NIS+ authentication not enabled"
Display --indent 2 --text "- Checking NIS+ authentication support" --result "NOT ENABLED" --color WHITE
fi
fi
else
logtext "Result: /etc/nsswitch.conf not found"
fi
if [ -f /etc/nsswitch.conf ]; then
FIND=`egrep "^passwd" /etc/nsswitch.conf | egrep "compat|nisplus"`
if [ "${FIND}" = "" ]; then
logtext "Result: NIS+ authentication not enabled"
Display --indent 2 --text "- Checking NIS+ authentication support" --result "NOT ENABLED" --color WHITE
else
FIND2=`egrep "^passwd_compat" /etc/nsswitch.conf | grep "nisplus"`
FIND3=`egrep "^passwd" /etc/nsswitch.conf | grep "nisplus"`
if [ ! "${FIND2}" = "" -o ! "${FIND3}" = "" ]; then
logtext "Result: NIS+ authentication enabled"
Display --indent 2 --text "- Checking NIS+ authentication support" --result "ENABLED" --color GREEN
else
logtext "Result: NIS+ authentication not enabled"
Display --indent 2 --text "- Checking NIS+ authentication support" --result "NOT ENABLED" --color WHITE
fi
fi
else
logtext "Result: /etc/nsswitch.conf not found"
fi
fi
#
#################################################################################
@ -404,25 +404,25 @@
# Description : Query NIS authentication support
Register --test-no AUTH-9242 --weight L --network NO --description "Query NIS authentication support"
if [ ${SKIPTEST} -eq 0 ]; then
if [ -f /etc/nsswitch.conf ]; then
FIND=`egrep "^passwd" /etc/nsswitch.conf | egrep "compat|nis" | grep -v "nisplus"`
if [ "${FIND}" = "" ]; then
logtext "Result: NIS authentication not enabled"
Display --indent 2 --text "- Checking NIS authentication support" --result "NOT ENABLED" --color WHITE
else
FIND2=`egrep "^passwd_compat" /etc/nsswitch.conf | grep "nis" | grep -v "nisplus"`
FIND3=`egrep "^passwd" /etc/nsswitch.conf | grep "nis" | grep -v "nisplus"`
if [ ! "${FIND2}" = "" -o ! "${FIND3}" = "" ]; then
logtext "Result: NIS authentication enabled"
Display --indent 2 --text "- Checking NIS authentication support" --result "ENABLED" --color GREEN
else
logtext "Result: NIS authentication not enabled"
Display --indent 2 --text "- Checking NIS authentication support" --result "NOT ENABLED" --color WHITE
fi
fi
else
logtext "Result: /etc/nsswitch.conf not found"
fi
if [ -f /etc/nsswitch.conf ]; then
FIND=`egrep "^passwd" /etc/nsswitch.conf | egrep "compat|nis" | grep -v "nisplus"`
if [ "${FIND}" = "" ]; then
logtext "Result: NIS authentication not enabled"
Display --indent 2 --text "- Checking NIS authentication support" --result "NOT ENABLED" --color WHITE
else
FIND2=`egrep "^passwd_compat" /etc/nsswitch.conf | grep "nis" | grep -v "nisplus"`
FIND3=`egrep "^passwd" /etc/nsswitch.conf | grep "nis" | grep -v "nisplus"`
if [ ! "${FIND2}" = "" -o ! "${FIND3}" = "" ]; then
logtext "Result: NIS authentication enabled"
Display --indent 2 --text "- Checking NIS authentication support" --result "ENABLED" --color GREEN
else
logtext "Result: NIS authentication not enabled"
Display --indent 2 --text "- Checking NIS authentication support" --result "NOT ENABLED" --color WHITE
fi
fi
else
logtext "Result: /etc/nsswitch.conf not found"
fi
fi
#
#################################################################################
@ -450,22 +450,22 @@
if [ ${SKIPTEST} -eq 0 ]; then
FOUND=0
for I in ${SUDOERS_LOCATIONS}; do
logtext "Test: checking presence ${I}"
if [ -f ${I} ]; then
FOUND=1
SUDOERS_FILE="${I}"
logtext "Result: found file (${SUDOERS_FILE})"
else
logtext "Result: file ${I} not found"
fi
done
if [ ${FOUND} -eq 1 ]; then
logtext "Result: sudoers file found (${SUDOERS_FILE})"
Display --indent 2 --text "- Checking sudoers file" --result FOUND --color GREEN
# YYY add more tests to audit sudoers file
else
logtext "Result: sudoers file NOT found"
Display --indent 2 --text "- Checking sudoers file" --result "NOT FOUND" --color YELLOW
logtext "Test: checking presence ${I}"
if [ -f ${I} ]; then
FOUND=1
SUDOERS_FILE="${I}"
logtext "Result: found file (${SUDOERS_FILE})"
else
logtext "Result: file ${I} not found"
fi
done
if [ ${FOUND} -eq 1 ]; then
logtext "Result: sudoers file found (${SUDOERS_FILE})"
Display --indent 2 --text "- Checking sudoers file" --result FOUND --color GREEN
# YYY add more tests to audit sudoers file
else
logtext "Result: sudoers file NOT found"
Display --indent 2 --text "- Checking sudoers file" --result "NOT FOUND" --color YELLOW
fi
fi
#
@ -476,16 +476,16 @@
if [ ! "${SUDOERS_FILE}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no AUTH-9252 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check sudoers file"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: checking sudoers file (${SUDOERS_FILE}) permissions"
FIND=`ls -l ${SUDOERS_FILE} | cut -c 2-10`
logtext "Result: Found file permissions: ${FIND}"
if [ "${FIND}" = "rw-------" -o "${FIND}" = "rw-rw----" -o "${FIND}" = "r--r-----" ]; then
logtext "Result: file ${SUDOERS_FILE} has correct permissions"
Display --indent 4 --text "- Check sudoers file permissions" --result OK --color GREEN
else
logtext "Result: file has possibly unsafe file permissions"
Display --indent 4 --text "- Check sudoers file permissions" --result WARNING --color RED
fi
logtext "Test: checking sudoers file (${SUDOERS_FILE}) permissions"
FIND=`ls -l ${SUDOERS_FILE} | cut -c 2-10`
logtext "Result: Found file permissions: ${FIND}"
if [ "${FIND}" = "rw-------" -o "${FIND}" = "rw-rw----" -o "${FIND}" = "r--r-----" ]; then
logtext "Result: file ${SUDOERS_FILE} has correct permissions"
Display --indent 4 --text "- Check sudoers file permissions" --result OK --color GREEN
else
logtext "Result: file has possibly unsafe file permissions"
Display --indent 4 --text "- Check sudoers file permissions" --result WARNING --color RED
fi
fi
#
#################################################################################
@ -494,16 +494,16 @@
# Description : Solaris test to check passwordless accounts
Register --test-no AUTH-9254 --os Solaris --weight L --network NO --description "Solaris passwordless accounts"
if [ ${SKIPTEST} -eq 0 ]; then
FIND=`logins -p | awk '{ print $1 }'`
if [ "${FIND}" = "" ]; then
logtext "Result: no passwordless accounts found"
Display --indent 2 --text "- Checking passwordless accounts on Solaris" --result OK --color GREEN
else
for I in ${FIND}; do
ReportWarning ${TEST_NO} "H" "Found passwordless account (${I})"
done
Display --indent 2 --text "- Checking passwordless accounts on Solaris" --result WARNING --color RED
fi
FIND=`logins -p | awk '{ print $1 }'`
if [ "${FIND}" = "" ]; then
logtext "Result: no passwordless accounts found"
Display --indent 2 --text "- Checking passwordless accounts on Solaris" --result OK --color GREEN
else
for I in ${FIND}; do
ReportWarning ${TEST_NO} "H" "Found passwordless account (${I})"
done
Display --indent 2 --text "- Checking passwordless accounts on Solaris" --result WARNING --color RED
fi
fi
#
#################################################################################
@ -624,25 +624,25 @@
# Description : Scan /etc/pam.conf file
Register --test-no AUTH-9264 --weight L --network NO --description "Checking presence pam.conf"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Checking file /etc/pam.conf"
if [ -f /etc/pam.conf ]; then
logtext "Result: file /etc/pam.conf exists"
Display --indent 2 --text "- Checking PAM configuration files (pam.conf)" --result FOUND --color GREEN
logtext "Test: searching PAM configuration files"
FIND=`cat /etc/pam.conf | grep -v "^#" | grep -v "^$" | sed 's/ /!space!/g'`
if [ "${FIND}" = "" ]; then
logtext "Result: File has no configuration options defined (empty, or only filled with comments and empty lines)"
else
logtext "Result: found one or more configuration lines"
for I in ${FIND}; do
I=`echo ${I} | sed 's/!space!/ /g'`
logtext "Found line: ${I}"
done
fi
else
logtext "Result: file /etc/pam.conf could not be found"
Display --indent 2 --text "- Checking PAM configuration file (pam.conf)" --result "NOT FOUND" --color WHITE
fi
logtext "Test: Checking file /etc/pam.conf"
if [ -f /etc/pam.conf ]; then
logtext "Result: file /etc/pam.conf exists"
Display --indent 2 --text "- Checking PAM configuration files (pam.conf)" --result FOUND --color GREEN
logtext "Test: searching PAM configuration files"
FIND=`cat /etc/pam.conf | grep -v "^#" | grep -v "^$" | sed 's/ /!space!/g'`
if [ "${FIND}" = "" ]; then
logtext "Result: File has no configuration options defined (empty, or only filled with comments and empty lines)"
else
logtext "Result: found one or more configuration lines"
for I in ${FIND}; do
I=`echo ${I} | sed 's/!space!/ /g'`
logtext "Found line: ${I}"
done
fi
else
logtext "Result: file /etc/pam.conf could not be found"
Display --indent 2 --text "- Checking PAM configuration file (pam.conf)" --result "NOT FOUND" --color WHITE
fi
fi
#
#################################################################################
@ -651,19 +651,19 @@
# Description : Searching available PAM configurations (/etc/pam.d)
Register --test-no AUTH-9266 --weight L --network NO --description "Checking presence pam.d files"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Checking directory /etc/pam.d"
if [ -d /etc/pam.d ]; then
logtext "Result: directory /etc/pam.d exists"
Display --indent 2 --text "- Checking PAM configuration files (pam.d)" --result FOUND --color GREEN
logtext "Test: searching PAM configuration files"
FIND=`find /etc/pam.d -type f -print | sort`
for I in ${FIND}; do
logtext "Found file: ${I}"
done
else
logtext "Result: directory /etc/pam.d could not be found"
Display --indent 2 --text "- Checking PAM configuration files (pam.d)" --result "NOT FOUND" --color WHITE
fi
logtext "Test: Checking directory /etc/pam.d"
if [ -d /etc/pam.d ]; then
logtext "Result: directory /etc/pam.d exists"
Display --indent 2 --text "- Checking PAM configuration files (pam.d)" --result FOUND --color GREEN
logtext "Test: searching PAM configuration files"
FIND=`find /etc/pam.d -type f -print | sort`
for I in ${FIND}; do
logtext "Found file: ${I}"
done
else
logtext "Result: directory /etc/pam.d could not be found"
Display --indent 2 --text "- Checking PAM configuration files (pam.d)" --result "NOT FOUND" --color WHITE
fi
fi
#
#################################################################################
@ -709,25 +709,25 @@
# Description : Search LDAP support in PAM files
Register --test-no AUTH-9278 --weight L --network NO --description "Checking LDAP pam status"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: checking presence /etc/pam.d/common-auth"
if [ -f /etc/pam.d/common-auth ]; then
logtext "Result: file /etc/pam.d/common-auth exists"
logtext "Test: checking presence LDAP module"
FIND=`cat /etc/pam.d/common-auth | grep "^auth" | grep "ldap"`
if [ ! "${FIND}" = "" ]; then
logtext "Result: LDAP module present"
logtext "Output: ${FIND}"
Display --indent 2 --text "- Checking LDAP module in PAM" --result FOUND --color GREEN
logtext "Test: checking presence /etc/pam.d/common-auth"
if [ -f /etc/pam.d/common-auth ]; then
logtext "Result: file /etc/pam.d/common-auth exists"
logtext "Test: checking presence LDAP module"
FIND=`cat /etc/pam.d/common-auth | grep "^auth" | grep "ldap"`
if [ ! "${FIND}" = "" ]; then
logtext "Result: LDAP module present"
logtext "Output: ${FIND}"
Display --indent 2 --text "- Checking LDAP module in PAM" --result FOUND --color GREEN
LDAP_AUTH_ENABLED=1
LDAP_PAM_ENABLED=1
else
logtext "Result: LDAP module not found"
Display --indent 2 --text "- Checking LDAP module in PAM" --result "NOT FOUND" --color WHITE
# YYY display message when ldap is enabled in /etc/passwd, but not found in PAM
fi
else
logtext "Result: file /etc/pam.d/common-auth not found, skipping test"
fi
else
logtext "Result: LDAP module not found"
Display --indent 2 --text "- Checking LDAP module in PAM" --result "NOT FOUND" --color WHITE
# YYY display message when ldap is enabled in /etc/passwd, but not found in PAM
fi
else
logtext "Result: file /etc/pam.d/common-auth not found, skipping test"
fi
fi
#
#################################################################################
@ -740,13 +740,13 @@
case ${LINUX_VERSION} in
"SuSE")
PREQS_MET="YES"
FIND=`passwd -a -S | awk '{ if ($2=="P" && $5=="99999") print $1 }'`
FIND2=`passwd -a -S | awk '{ if ($2=="NP") print $1 }'`
FIND=`passwd -a -S 2> /dev/null | awk '{ if ($2=="P" && $5=="99999") print $1 }'`
FIND2=`passwd -a -S 2> /dev/null | awk '{ if ($2=="NP") print $1 }'`
;;
*)
PREQS_MET="YES"
FIND=`passwd --all --status | awk '{ if ($2=="P" && $5=="99999") print $1 }'`
FIND2=`passwd --all --status | awk '{ if ($2=="NP") print $1 }'`
FIND=`passwd --all --status 2> /dev/null | awk '{ if ($2=="P" && $5=="99999") print $1 }'`
FIND2=`passwd --all --status 2> /dev/null | awk '{ if ($2=="NP") print $1 }'`
;;
esac
else
@ -803,20 +803,20 @@
if [ -f /etc/login.defs ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no AUTH-9286 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking user password aging"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Checking PASS_MAX_DAYS option in /etc/login.defs "
FIND=`grep "^PASS_MAX_DAYS" /etc/login.defs | awk '{ if ($1=="PASS_MAX_DAYS") { print $2 } }'`
if [ "${FIND}" = "" -o "${FIND}" = "99999" ]; then
# YYY check if LDAP is used with password policies
logtext "Result: password aging limits are not configured"
Display --indent 2 --text "- Checking user password aging" --result DISABLED --color YELLOW
ReportSuggestion ${TEST_NO} "Configure password aging limits to enforce password changing on a regular base"
AddHP 0 1
else
logtext "Result: accounts with password aging set are checked against PASS_MAX_DAYS"
logtext "Result: value of PASS_MAX_DAYS is ${FIND}"
Display --indent 2 --text "- Checking user password aging" --result OK --color GREEN
AddHP 3 3
fi
logtext "Test: Checking PASS_MAX_DAYS option in /etc/login.defs "
FIND=`grep "^PASS_MAX_DAYS" /etc/login.defs | awk '{ if ($1=="PASS_MAX_DAYS") { print $2 } }'`
if [ "${FIND}" = "" -o "${FIND}" = "99999" ]; then
# YYY check if LDAP is used with password policies
logtext "Result: password aging limits are not configured"
Display --indent 2 --text "- Checking user password aging" --result DISABLED --color YELLOW
ReportSuggestion ${TEST_NO} "Configure password aging limits to enforce password changing on a regular base"
AddHP 0 1
else
logtext "Result: accounts with password aging set are checked against PASS_MAX_DAYS"
logtext "Result: value of PASS_MAX_DAYS is ${FIND}"
Display --indent 2 --text "- Checking user password aging" --result OK --color GREEN
AddHP 3 3
fi
fi
#
#################################################################################
@ -831,24 +831,24 @@
# Notes : sulogin should be called from svm script (Solaris <10) in /etc/rcS.d (YYY)
Register --test-no AUTH-9304 --os Solaris --weight L --network NO --description "Check single user login configuration"
if [ ${SKIPTEST} -eq 0 ]; then
# Check if file exists (Solaris 10 does not have this file by default)
if [ -f /etc/default/sulogin ]; then
logtext "Result: file /etc/default/sulogin exists"
logtext "Test: checking presence PASSREQ=NO"
FIND=`grep "^PASSREQ=NO" /etc/default/sulogin`
if [ "${FIND}" = "" ]; then
logtext "Result: option not present or configured to request a password at single user mode login"
Display --indent 2 --text "- Checking Solaris /etc/default/sulogin file" --result OK --color GREEN
AddHP 1 1
else
logtext "Result: option present, no password needed at single user mode login"
Display --indent 2 --text "- Checking Solaris /etc/default/sulogin file" --result WARNING --color RED
ReportWarning ${TEST_NO} "H" "No password needed for single user mode login"
AddHP 0 1
fi
else
logtext "Result: file /etc/default/sulogin does not exist"
fi
# Check if file exists (Solaris 10 does not have this file by default)
if [ -f /etc/default/sulogin ]; then
logtext "Result: file /etc/default/sulogin exists"
logtext "Test: checking presence PASSREQ=NO"
FIND=`grep "^PASSREQ=NO" /etc/default/sulogin`
if [ "${FIND}" = "" ]; then
logtext "Result: option not present or configured to request a password at single user mode login"
Display --indent 2 --text "- Checking Solaris /etc/default/sulogin file" --result OK --color GREEN
AddHP 1 1
else
logtext "Result: option present, no password needed at single user mode login"
Display --indent 2 --text "- Checking Solaris /etc/default/sulogin file" --result WARNING --color RED
ReportWarning ${TEST_NO} "H" "No password needed for single user mode login"
AddHP 0 1
fi
else
logtext "Result: file /etc/default/sulogin does not exist"
fi
fi
#
#################################################################################
@ -860,25 +860,25 @@
# disabled a required login.
Register --test-no AUTH-9306 --os HP-UX --weight L --network NO --description "Check single boot authentication"
if [ ${SKIPTEST} -eq 0 ]; then
# Check if file exists
logtext "Test: Searching /tcb/files/auth/system/default"
if [ -f /tcb/files/auth/system/default ]; then
logtext "Result: file /tcb/files/auth/system/default exists"
logtext "Test: checking presence :d_boot_authenticate@:"
FIND=`grep "^:d_boot_authenticate@" /tcb/files/auth/system/default`
if [ "${FIND}" = "" ]; then
logtext "Result: option not set, password is needed at boot"
Display --indent 2 --text "- Checking HP-UX boot authentication" --result OK --color GREEN
AddHP 1 1
else
logtext "Result: option present, no password needed at single user mode login"
Display --indent 2 --text "- Checking HP-UX boot authentication" --result SUGGESTION --color YELLOW
ReportSuggestion ${TEST_NO} "Set password for system boot"
AddHP 0 1
fi
else
logtext "Result: file /tcb/files/auth/system/default does not exist"
fi
# Check if file exists
logtext "Test: Searching /tcb/files/auth/system/default"
if [ -f /tcb/files/auth/system/default ]; then
logtext "Result: file /tcb/files/auth/system/default exists"
logtext "Test: checking presence :d_boot_authenticate@:"
FIND=`grep "^:d_boot_authenticate@" /tcb/files/auth/system/default`
if [ "${FIND}" = "" ]; then
logtext "Result: option not set, password is needed at boot"
Display --indent 2 --text "- Checking HP-UX boot authentication" --result OK --color GREEN
AddHP 1 1
else
logtext "Result: option present, no password needed at single user mode login"
Display --indent 2 --text "- Checking HP-UX boot authentication" --result SUGGESTION --color YELLOW
ReportSuggestion ${TEST_NO} "Set password for system boot"
AddHP 0 1
fi
else
logtext "Result: file /tcb/files/auth/system/default does not exist"
fi
fi
#
#################################################################################
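Review bot: In the password-status hunk (`@ -740,13 +740,13 @@`), adding `2> /dev/null` to the `passwd -a -S` and `passwd --all --status` pipelines hides the case where passwd refuses to list accounts for an unprivileged user: FIND and FIND2 are then empty, which is indistinguishable from "no account with NP or 99999", while PREQS_MET is still forced to YES. Since this file already gates tests on PREQS_MET (see the pwck and login.defs hunks), record the command's own status before filtering, e.g. `passwd --all --status > /dev/null 2>&1 || PREQS_MET="NO"` in the default branch and `passwd -a -S > /dev/null 2>&1 || PREQS_MET="NO"` in the SuSE branch, so a permission failure skips the test instead of passing it. Whether an unprivileged `passwd -S -a` fails outright or merely prints less is platform-dependent, so confirm on the targeted distributions. The other hunks in this file appear to be re-indentation only. The `if` enclosing the `case ${LINUX_VERSION}` block begins and ends outside the hunk.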


@ -39,21 +39,26 @@
Display --indent 4 --text "- Checking presence GRUB... " --result "OK" --color GREEN
if [ -f /boot/grub/grub.conf ]; then GRUBCONFFILE="/boot/grub/grub.conf"; else GRUBCONFFILE="/boot/grub/menu.lst"; fi
logtext "Found file ${GRUBCONFFILE}, proceeding with tests."
FIND=`cat ${GRUBCONFFILE} | grep 'password --md5' | grep -v '^#'`
FIND2=`cat ${GRUBCONFFILE} | grep 'password --encrypted' | grep -v '^#'`
if [ "${FIND}" = "" -a "${FIND2}" = "" ]; then
Display --indent 6 --text "- Checking for password protection..." --result WARNING --color RED
logtext "Result: Didn't find MD5/SHA1 hashed password line in GRUB boot file!"
logtext "Risk: user can switch to single user mode by editing current menu items or bypassing them."
logtext "Additional information: Do NOT use a plaintext password, since the grub.conf or menu.lst file is most likely to be world readable!"
logtext "If an unsecured OS like DOS is used, add 'lock' below that entry and setup a password with the password option, to prevent direct system access."
ReportWarning ${TEST_NO} "M" "No password set on GRUB bootloader"
logtext "Tip: Run grub-crypt or grub-md5-crypt and create a hashed password. Add a line below the line timeout=<value>, add: password --md5 <password hash> or password --encrypted <password hash> for SHA1 encrypted password"
AddHP 0 2
FileIsReadable ${GRUBCONFFILE}
if [ ${CANREAD} -eq 1 ]; then
FIND=`cat ${GRUBCONFFILE} | grep 'password --md5' | grep -v '^#'`
FIND2=`cat ${GRUBCONFFILE} | grep 'password --encrypted' | grep -v '^#'`
if [ "${FIND}" = "" -a "${FIND2}" = "" ]; then
Display --indent 6 --text "- Checking for password protection..." --result WARNING --color RED
logtext "Result: Didn't find MD5/SHA1 hashed password line in GRUB boot file!"
logtext "Risk: user can switch to single user mode by editing current menu items or bypassing them."
logtext "Additional information: Do NOT use a plaintext password, since the grub.conf or menu.lst file is most likely to be world readable!"
logtext "If an unsecured OS like DOS is used, add 'lock' below that entry and setup a password with the password option, to prevent direct system access."
ReportWarning ${TEST_NO} "M" "No password set on GRUB bootloader"
logtext "Tip: Run grub-crypt or grub-md5-crypt and create a hashed password. Add a line below the line timeout=<value>, add: password --md5 <password hash> or password --encrypted <password hash> for SHA1 encrypted password"
AddHP 0 2
else
Display --indent 6 --text "- Checking for password protection..." --result OK --color GREEN
logtext "Result: GRUB has password protection."
AddHP 4 4
fi
else
Display --indent 6 --text "- Checking for password protection..." --result OK --color GREEN
logtext "Result: GRUB has password protection."
AddHP 4 4
logtext "Warning: can not read ${GRUBCONFFILE}"
fi
fi
@ -86,7 +91,7 @@
BOOT_LOADER="FreeBSD"
else
logtext "Result: Not all expected files found in /boot"
Display --indent 4 --text "- Checking presence FreeBSD loader" --result "NOT FOUND" --color WHITE
Display --indent 4 --text "- Checking presence FreeBSD loader" --result "NOT FOUND" --color WHITE
fi
fi
#
@ -114,25 +119,31 @@
# Notes : password= or password =
Register --test-no BOOT-5139 --weight L --network NO --description "Check for LILO boot loader presence"
if [ ${SKIPTEST} -eq 0 ]; then
LILOCONFFILE="/etc/lilo.conf"
logtext "Test: checking for presence LILO configuration file..."
if [ -f /etc/lilo.conf ]; then
BOOT_LOADER="LILO"
Display --indent 4 --text "- Checking presence LILO... " --result "OK" --color GREEN
logtext "Checking password option LILO..."
FIND=`cat /etc/lilo.conf | ${EGREPBINARY} 'password[[:space:]]?=' | grep -v "^#"`
if [ "${FIND}" = "" ]; then
Display --indent 6 --text "- Password option presence " --result "WARNING" --color RED
logtext "Result: no password set for LILO. Bootloader is unprotected to"
logtext "dropping to single user mode or unauthorized access to devices/data."
ReportSuggestion ${TEST_NO} "Add a password to LILO, by adding a line to the lilo.conf file, above the first line saying 'image=<name>': password=<password>"
ReportWarning ${TEST_NO} "M" "No password set on LILO bootloader"
AddHP 0 2
if [ -f ${LILOCONFFILE} ]; then
FileIsReadable ${LILOCONFFILE}
if [ ${CANREAD} -eq 1 ]; then
BOOT_LOADER="LILO"
Display --indent 4 --text "- Checking presence LILO... " --result "OK" --color GREEN
logtext "Checking password option LILO..."
FIND=`cat ${LILOCONFFILE} | ${EGREPBINARY} 'password[[:space:]]?=' | grep -v "^#"`
if [ "${FIND}" = "" ]; then
Display --indent 6 --text "- Password option presence " --result "WARNING" --color RED
logtext "Result: no password set for LILO. Bootloader is unprotected to"
logtext "dropping to single user mode or unauthorized access to devices/data."
ReportSuggestion ${TEST_NO} "Add a password to LILO, by adding a line to the lilo.conf file, above the first line saying 'image=<name>': password=<password>"
ReportWarning ${TEST_NO} "M" "No password set on LILO bootloader"
AddHP 0 2
else
Display --indent 6 --text "- Password option presence " --result "OK" --color GREEN
logtext "Result: LILO password option set"
AddHP 4 4
fi
#YYY (making /etc/lilo.conf immutable is a good idea, chattr +i /etc/lilo.conf)
else
Display --indent 6 --text "- Password option presence " --result "OK" --color GREEN
logtext "Result: LILO password option set"
AddHP 4 4
logtext "Warning: can not access ${LILOCONFFILE}"
fi
#YYY (making /etc/lilo.conf immutable is a good idea, chattr +i /etc/lilo.conf)
else
Display --indent 4 --text "- Checking presence LILO... " --result "NOT FOUND" --color WHITE
logtext "Result: LILO configuration file not found"
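Review bot: In the LILO hunk, `BOOT_LOADER="LILO"` and the `- Checking presence LILO...` OK display were moved inside `if [ ${CANREAD} -eq 1 ]`, so when /etc/lilo.conf exists but is unreadable in a non-privileged scan the loader is neither recorded in BOOT_LOADER nor shown on screen; only `logtext "Warning: can not access ${LILOCONFFILE}"` is written, and anything later keyed on BOOT_LOADER would treat LILO as absent. Presence is established by the `-f` test alone, so keep `BOOT_LOADER="LILO"` and the presence `Display` directly after `if [ -f ${LILOCONFFILE} ]; then` and let the CANREAD gate cover only the password check. The GRUB hunk has the same shape for its password check: the unreadable branch ends with a `logtext` only, with no `Display` and no `AddHP`, so the on-screen report is silent about a check that did not run; a line such as `Display --indent 6 --text "- Checking for password protection..." --result "UNKNOWN" --color YELLOW` (constructed example) in that branch would make the skipped check visible. The `if [ -f ${LILOCONFFILE} ]` block closes outside the hunk.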


@ -32,23 +32,33 @@
sSSL_PATHS=`grep "^ssl:certificates:" ${PROFILE} | cut -d ':' -f3`
for I in ${sSSL_PATHS}; do
if [ -d ${I} ]; then
logtext "Result: found directory ${I}"
# Search for CRT files
sFINDCRTS=`find ${I} -name "*.crt" -type f -print 2> /dev/null`
for J in ${sFINDCRTS}; do
logtext "Test: checking certificate ${J}"
# Check certificate where 'end date' has been expired
FIND=`${OPENSSLBINARY} x509 -noout -checkend 0 -in ${J} -enddate > /dev/null ; echo $?`
if [ "${FIND}" = "0" ]; then
logtext "Result: certificate ${J} seems to be correct and still valid"
report "valid_certificate[]=${J}|unknown entity|"
else
FOUNDPROBLEM=1
logtext "Result: certificate ${J} has been expired"
report "expired_certificate[]=${J}"
#YYY Dump more information to log file
fi
done
FileIsReadable ${I}
if [ ${CANREAD} -eq 1 ]; then
logtext "Result: found directory ${I}"
# Search for CRT files
sFINDCRTS=`find ${I} -name "*.crt" -type f -print 2> /dev/null`
for J in ${sFINDCRTS}; do
FileIsReadable ${J}
if [ ${CANREAD} -eq 1 ]; then
logtext "Test: checking certificate ${J}"
# Check certificate where 'end date' has been expired
FIND=`${OPENSSLBINARY} x509 -noout -checkend 0 -in ${J} -enddate > /dev/null ; echo $?`
if [ "${FIND}" = "0" ]; then
logtext "Result: certificate ${J} seems to be correct and still valid"
report "valid_certificate[]=${J}|unknown entity|"
else
FOUNDPROBLEM=1
logtext "Result: certificate ${J} has been expired"
report "expired_certificate[]=${J}"
#YYY Dump more information to log file
fi
else
logtext "Warning: can not read file ${J}"
fi
done
else
logtext "Warning: No read access to path ${I}"
fi
else
logtext "Result: SSL path ${I} does not exist"
fi
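Review bot: The new `FileIsReadable ${I}` gate on the certificate directory checks readability only, but `find ${I} -name "*.crt" -type f` also needs search (execute) permission on the directory and its subdirectories to stat entries; because find's stderr is discarded (`2> /dev/null`), a traversal failure leaves sFINDCRTS empty and the loop silently produces nothing, exactly as if the path held no certificates (this assumes FileIsReadable is meaningful for directories, which is not visible here). Consider extending the gate to `if [ ${CANREAD} -eq 1 -a -x ${I} ]; then` and logging the empty case, e.g. `if [ "${sFINDCRTS}" = "" ]; then logtext "Result: no .crt files found in ${I}"; fi`, so an unprivileged scan records why nothing was checked. The per-file `FileIsReadable ${J}` around the openssl call is the right shape; the cron-directory loop later in this commit calls `FindCronJob ${J}` without the same per-file gate, although spool files are commonly readable by root only. The `for I in ${sSSL_PATHS}` loop closes outside the hunk.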


@ -82,9 +82,9 @@
logtext "Test: check Postfix status"
# Some other processes also use master, therefore it should include both master and postfix
FIND1=`${PSBINARY} ax | grep "master" | grep "postfix" | grep -v "grep"`
FIND2=`${PSBINARY} ax | grep "qmgr" | grep "postfix" | grep -v "grep"`
FIND3=`${PSBINARY} ax | grep "pickup" | grep "postfix" | grep -v "grep"`
if [ ! "${FIND1}" = "" -a ! "${FIND2}" = "" -a ! "${FIND3}" = "" ]; then
#FIND2=`${PSBINARY} ax | grep "qmgr" | grep "postfix" | grep -v "grep"`
#FIND3=`${PSBINARY} ax | grep "pickup" | grep "postfix" | grep -v "grep"`
if [ ! "${FIND1}" = "" ]; then
logtext "Result: found running Postfix process"
Display --indent 2 --text "- Checking Postfix status..." --result RUNNING --color GREEN
POSTFIX_RUNNING=1
@ -121,7 +121,7 @@
FIND2=`${POSTCONFBINARY} | grep '^smtpd_banner' | grep '$mail_name'`
FIND3=`${POSTCONFBINARY} | grep '^mail_name' | grep -i 'postfix'`
#YYY Check if OS name shows up in banner
#FIND4=`${POSTCONFBINARY} | grep '^smtpd_banner' | egrep "${OS}|${LINUX_VERSION}`
#FIND4=`${POSTCONFBINARY} | grep '^smtpd_banner' | egrep "${OS}|${LINUX_VERSION}`
SHOWWARNING=0
if [ ! "${FIND1}" = "" ]; then
SHOWWARNING=1
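Review bot: Postfix is now considered running on `FIND1` alone, i.e. any `ps ax` line containing both `master` and `postfix` as substrings, while the qmgr/pickup checks are left as commented-out dead code with no reason recorded. A single two-substring match is a weaker signal than the previous three-process test: an editor or pager open on `/etc/postfix/master.cf`, for example, would satisfy it and set POSTFIX_RUNNING=1 (the `grep -v "grep"` only removes the grep itself). Replace the two commented lines with a why-comment, e.g. `# Only the postfix master process is checked; qmgr/pickup were dropped because <reason>` with the reason filled in, and tighten the match so the command itself, not an argument, must be the postfix master binary, checking that the chosen pattern holds on the platforms the script targets. The second hunk in this file is a whitespace-only change to a comment.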


@ -702,7 +702,7 @@
# Trying also with apt-get directly (does not always work, as updates are distributed on both -security and -updates)
# Show packages which would be upgraded and match 'security' in repository name
FIND=`/usr/bin/apt-get --dry-run --show-upgraded upgrade | grep '-security' | grep "^Inst" | cut -d ' ' -f2 | sort | uniq`
FIND=`/usr/bin/apt-get --dry-run --show-upgraded upgrade 2> /dev/null | grep '-security' | grep "^Inst" | cut -d ' ' -f2 | sort | uniq`
if [ ! "${FIND}" = "" ]; then
#Display --indent 2 --text "- Checking vulnerable packages..." --result WARNING --color RED
VULNERABLE_PACKAGES_FOUND=1
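Review bot: The `2> /dev/null` added on L709 hides every apt-get failure, and because the result is only tested for emptiness on L710, a failed dry run (no permission to acquire the lock, missing package lists, a broken dpkg state) becomes indistinguishable from "no pending security updates" — a silent false negative in exactly the non-privileged scans this commit targets. Capturing the exit status before filtering keeps the failure visible: assign the bare `apt-get --dry-run --show-upgraded upgrade 2> /dev/null` output to `FIND` first, then `if [ $? -ne 0 ]; then logtext "Warning: apt-get dry run failed, result is unreliable"; fi`, and only then apply the `grep '-security' | grep "^Inst" | cut -d ' ' -f2 | sort | uniq` pipeline to `${FIND}`. The enclosing test block starts and ends outside the hunk.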


@ -47,20 +47,25 @@
for I in ${CRON_DIRS}; do
logtext "Test: checking directory ${I}"
if [ -d ${I} ]; then
logtext "Result: found directory ${I}"
logtext "Test: searching files in ${I}"
FIND=`find ${I} -type f -print`
if [ "${FIND}" = "" ]; then
logtext "Result: no files found in ${I}"
else
logtext "Result: found one or more files in ${I}. Analyzing files.."
for J in ${FIND}; do
FindCronJob ${J}
for K in ${sCRONJOBS}; do
logtext "Result: Found cronjob (${I}): ${K}"
FileIsReadable ${I}
if [ ${CANREAD} -eq 1 ]; then
logtext "Result: found directory ${I}"
logtext "Test: searching files in ${I}"
FIND=`find ${I} -type f -print`
if [ "${FIND}" = "" ]; then
logtext "Result: no files found in ${I}"
else
logtext "Result: found one or more files in ${I}. Analyzing files.."
for J in ${FIND}; do
FindCronJob ${J}
for K in ${sCRONJOBS}; do
logtext "Result: Found cronjob (${I}): ${K}"
done
done
done
logtext "Result: done with analyzing files in ${I}"
logtext "Result: done with analyzing files in ${I}"
fi
else
logtext "Result: can not read file or directory ${I}"
fi
else
logtext "Result: directory ${I} does not exist"
@ -159,47 +164,56 @@
if [ ${SKIPTEST} -eq 0 ]; then
AT_UNKNOWN=0
case ${OS} in
FreeBSD) AT_ALLOW="/var/at/at.allow"; AT_DENY="/var/at/at.deny" ;;
HPUX) AT_ALLOW="/usr/lib/cron/at.allow"; AT_DENY="/usr/lib/cron/at.deny" ;;
Linux) AT_ALLOW="/etc/at.allow"; AT_DENY="/etc/at.deny" ;;
OpenBSD) AT_ALLOW="/var/cron/at.allow"; AT_DENY="/var/cron/at.deny" ;;
SunOS) AT_ALLOW="/etc/cron.d/at.allow"; AT_DENY="/etc/cron.d/at.deny" ;;
*) AT_UNKNOWN=1; logtext "Test skipped, files for at unknown" ;;
esac
FreeBSD) AT_ALLOW="/var/at/at.allow"; AT_DENY="/var/at/at.deny" ;;
HPUX) AT_ALLOW="/usr/lib/cron/at.allow"; AT_DENY="/usr/lib/cron/at.deny" ;;
Linux) AT_ALLOW="/etc/at.allow"; AT_DENY="/etc/at.deny" ;;
OpenBSD) AT_ALLOW="/var/cron/at.allow"; AT_DENY="/var/cron/at.deny" ;;
SunOS) AT_ALLOW="/etc/cron.d/at.allow"; AT_DENY="/etc/cron.d/at.deny" ;;
*) AT_UNKNOWN=1; logtext "Test skipped, files for at unknown" ;;
esac
if [ ${AT_UNKNOWN} -eq 0 ]; then
logtext "Test: checking for file ${AT_ALLOW}"
if [ -f ${AT_ALLOW} ]; then
logtext "Result: file ${AT_ALLOW} exists, only listed users can schedule at jobs"
FIND=`cat ${AT_ALLOW} | sort`
if [ "${FIND}" = "" ]; then
logtext "Result: File empty, no users are allowed to schedule at jobs"
else
for I in ${FIND}; do
logtext "Allowed at user: ${I}"
done
fi
else
logtext "Result: file ${AT_ALLOW} does not exist"
logtext "Test: checking for file ${AT_DENY}"
if [ -f ${AT_DENY} ]; then
logtext "Result: file ${AT_DENY} exists, only non listed users can schedule at jobs"
FIND=`cat ${AT_DENY} | sort`
if [ "${FIND}" = "" ]; then
logtext "Result: file is empty, no users are denied access to schedule jobs"
else
for I in ${FIND}; do
logtext "Denied at user: ${I}"
done
fi
else
logtext "Result: both ${AT_ALLOW} and ${AT_DENY} do not exist"
logtext "Note: only root can schedule at jobs"
fi
fi
Display --indent 4 --text "- Checking at users" --result DONE --color GREEN
else
if [ -f ${AT_ALLOW} ]; then
FileIsReadable ${AT_ALLOW}
if [ ${CANREAD} -eq 1 ]; then
logtext "Result: file ${AT_ALLOW} exists, only listed users can schedule at jobs"
FIND=`cat ${AT_ALLOW} | sort`
if [ "${FIND}" = "" ]; then
logtext "Result: File empty, no users are allowed to schedule at jobs"
else
for I in ${FIND}; do
logtext "Allowed at user: ${I}"
done
fi
else
logtext "Warning: can not read ${AT_ALLOW}"
fi
else
logtext "Result: file ${AT_ALLOW} does not exist"
logtext "Test: checking for file ${AT_DENY}"
if [ -f ${AT_DENY} ]; then
if [ -f ${AT_ALLOW} ]; then
logtext "Result: file ${AT_DENY} exists, only non listed users can schedule at jobs"
FIND=`cat ${AT_DENY} | sort`
if [ "${FIND}" = "" ]; then
logtext "Result: file is empty, no users are denied access to schedule jobs"
else
for I in ${FIND}; do
logtext "Denied at user: ${I}"
done
fi
else
logtext "Warning: can not read ${AT_DENY}"
fi
else
logtext "Result: both ${AT_ALLOW} and ${AT_DENY} do not exist"
logtext "Note: only root can schedule at jobs"
fi
fi
Display --indent 4 --text "- Checking at users" --result DONE --color GREEN
else
Display --indent 4 --text "- Checking at users" --result SKIPPED --color YELLOW
fi
fi
fi
#
#################################################################################
@ -209,19 +223,19 @@
if [ ${ATD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no SCHD-7724 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check at jobs"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Check scheduled at jobs"
FIND=`atq | grep -v "no files in queue" | ${AWKBINARY} '{gsub("\t"," ");print}' | sed 's/ /!space!/g'`
if [ ! "${FIND}" = "" ]; then
logtext "Result: found one or more jobs"
for I in ${FIND}; do
I=`echo ${I} | sed 's/!space!/ /g'`
logtext "Found at job: ${I}"
done
logtext "Test: Check scheduled at jobs"
FIND=`atq | grep -v "no files in queue" | ${AWKBINARY} '{gsub("\t"," ");print}' | sed 's/ /!space!/g'`
if [ ! "${FIND}" = "" ]; then
logtext "Result: found one or more jobs"
for I in ${FIND}; do
I=`echo ${I} | sed 's/!space!/ /g'`
logtext "Found at job: ${I}"
done
Display --indent 4 --text "- Checking at jobs" --result FOUND --color GREEN
else
logtext "Result: no pending at jobs"
else
logtext "Result: no pending at jobs"
Display --indent 4 --text "- Checking at jobs" --result NONE --color GREEN
fi
fi
fi
#
#################################################################################
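Review bot: The inner test on L824 re-checks `-f ${AT_ALLOW}` instead of the readability of at.deny, and since that branch is only reached from the `else` (L820) of `if [ -f ${AT_ALLOW} ]` on L805, it is always false: an existing at.deny is never read and the log always records `Warning: can not read ${AT_DENY}`, silently losing the list of denied at users. L807-808 show the intended pattern; L824 should read `FileIsReadable ${AT_DENY}` followed by `if [ ${CANREAD} -eq 1 ]; then`. In the first hunk, readability is only established for the directory on L731-732, while the files beneath it may still be unreadable to an unprivileged scanner, so a `FileIsReadable ${J}` guard before `FindCronJob ${J}` on L741, with a matching `logtext "Warning: can not read file ${J}"` in its else branch, would keep that loop from handing unreadable paths to FindCronJob.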


@ -59,17 +59,23 @@
ReportException "${TEST_NO}:01"
logtext "Result: we already had found another sshd_config file. Using this new file then."
fi
FOUND=1
SSH_DAEMON_CONFIG="${I}/sshd_config"
fi
done
if [ "${SSH_DAEMON_CONFIG}" = "" ]; then
logtext "Result: No sshd configuration found"
Display --indent 4 --text "- Searching SSH configuration..." --result "NOT FOUND" --color YELLOW
else
logtext "Result: using last found configuration file: ${SSH_DAEMON_CONFIG}"
Display --indent 4 --text "- Searching SSH configuration..." --result FOUND --color GREEN
fi
FileIsReadable ${I}/sshd_config
if [ ${CANREAD} -eq 1 ]; then
FOUND=1
SSH_DAEMON_CONFIG="${I}/sshd_config"
else
logtext "Warning: can not read ${I}/sshd_config file"
fi
fi
done
if [ "${SSH_DAEMON_CONFIG}" = "" ]; then
logtext "Result: No sshd configuration found"
Display --indent 4 --text "- Searching SSH configuration..." --result "NOT FOUND" --color YELLOW
ReportException "${TEST_NO}:1" "SSH daemon is running, but no readable configuration file found"
else
logtext "Result: using last found configuration file: ${SSH_DAEMON_CONFIG}"
Display --indent 4 --text "- Searching SSH configuration..." --result FOUND --color GREEN
fi
fi
#
#################################################################################
@ -117,24 +123,24 @@
if [ ${SSH_DAEMON_RUNNING} -eq 1 -a ! "${SSH_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no SSH-7412 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check SSH option: PermitRootLogin"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: check PermitRootLogin option"
FIND=`cat ${SSH_DAEMON_CONFIG} | grep "^PermitRootLogin" | awk '{ print $2 }'`
if [ "${FIND}" = "yes" -o "${FIND}" = "YES" -o "${FIND}" = "Yes" ]; then
logtext "Result: PermitRootLogin is enabled, root can login directly"
Display --indent 4 --text "- SSH option: PermitRootLogin..." --result WARNING --color RED
logtext "Test: check PermitRootLogin option"
FIND=`cat ${SSH_DAEMON_CONFIG} | grep "^PermitRootLogin" | awk '{ print $2 }'`
if [ "${FIND}" = "yes" -o "${FIND}" = "YES" -o "${FIND}" = "Yes" ]; then
logtext "Result: PermitRootLogin is enabled, root can login directly"
Display --indent 4 --text "- SSH option: PermitRootLogin..." --result WARNING --color RED
ReportWarning ${TEST_NO} "M" "Root can directly login via SSH"
AddHP 0 3
else
# YYY add test for DenyUsers root
if [ "${FIND}" = "no" -o "${FIND}" = "No" ]; then
logtext "Result: PermitRootLogin is disabled. Root can't login directly"
Display --indent 4 --text "- SSH option: PermitRootLogin..." --result DISABLED --color GREEN
AddHP 3 3
else
logtext "Result: Value of PermitRootLogin is unknown (not defined)"
Display --indent 4 --text "- SSH option: PermitRootLogin..." --result DEFAULT --color WHITE
fi
fi
AddHP 0 3
else
# YYY add test for DenyUsers root
if [ "${FIND}" = "no" -o "${FIND}" = "No" ]; then
logtext "Result: PermitRootLogin is disabled. Root can't login directly"
Display --indent 4 --text "- SSH option: PermitRootLogin..." --result DISABLED --color GREEN
AddHP 3 3
else
logtext "Result: Value of PermitRootLogin is unknown (not defined)"
Display --indent 4 --text "- SSH option: PermitRootLogin..." --result DEFAULT --color WHITE
fi
fi
fi
#
#################################################################################
@ -144,23 +150,23 @@
if [ ${SSH_DAEMON_RUNNING} -eq 1 -a ! "${SSH_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no SSH-7414 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check SSH option: Protocol"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: check allowed SSH protocol versions"
FIND=`cat ${SSH_DAEMON_CONFIG} | grep "^Protocol" | awk '{ print $2 }'`
if [ "${FIND}" = "1" -o "${FIND}" = "2,1" -o "${FIND}" = "1,2" ]; then
logtext "Result: Protocol option is set to allow SSH protocol version 1"
Display --indent 4 --text "- SSH option: Protocol..." --result WARNING --color RED
logtext "Test: check allowed SSH protocol versions"
FIND=`cat ${SSH_DAEMON_CONFIG} | grep "^Protocol" | awk '{ print $2 }'`
if [ "${FIND}" = "1" -o "${FIND}" = "2,1" -o "${FIND}" = "1,2" ]; then
logtext "Result: Protocol option is set to allow SSH protocol version 1"
Display --indent 4 --text "- SSH option: Protocol..." --result WARNING --color RED
ReportWarning ${TEST_NO} "M" "SSH protocol version 1 is allowed"
AddHP 0 3
else
if [ "${FIND}" = "2" ]; then
logtext "Result: only protocol 2 is allowed"
Display --indent 4 --text "- SSH option: Protocol..." --result OK --color GREEN
AddHP 3 3
else
logtext "Result: value of Protocol is unknown (not defined)"
Display --indent 4 --text "- SSH option: Protocol..." --result DEFAULT --color WHITE
fi
fi
AddHP 0 3
else
if [ "${FIND}" = "2" ]; then
logtext "Result: only protocol 2 is allowed"
Display --indent 4 --text "- SSH option: Protocol..." --result OK --color GREEN
AddHP 3 3
else
logtext "Result: value of Protocol is unknown (not defined)"
Display --indent 4 --text "- SSH option: Protocol..." --result DEFAULT --color WHITE
fi
fi
fi
#
#################################################################################
@ -170,24 +176,24 @@
if [ ${SSH_DAEMON_RUNNING} -eq 1 -a ! "${SSH_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no SSH-7416 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check SSH option: StrictModes"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Check configured StrictModes option"
FIND=`cat ${SSH_DAEMON_CONFIG} | grep "^StrictModes" | awk '{ print $2 }'`
if [ "${FIND}" = "no" -o "${FIND}" = "NO" -o "${FIND}" = "No" ]; then
logtext "Result: StrictModes option is set to 'no', which means file permissions are NOT checked"
Display --indent 4 --text "- SSH option: StrictModes..." --result WARNING --color RED
logtext "Test: Check configured StrictModes option"
FIND=`cat ${SSH_DAEMON_CONFIG} | grep "^StrictModes" | awk '{ print $2 }'`
if [ "${FIND}" = "no" -o "${FIND}" = "NO" -o "${FIND}" = "No" ]; then
logtext "Result: StrictModes option is set to 'no', which means file permissions are NOT checked"
Display --indent 4 --text "- SSH option: StrictModes..." --result WARNING --color RED
ReportWarning ${TEST_NO} "M" "StrictModes is turned off"
ReportSuggestion ${TEST_NO} "Check StrictModes option in sshd_config"
AddHP 0 3
else
if [ "${FIND}" = "yes" -o "${FIND}" = "YES" -o "${FIND}" = "Yes" ]; then
logtext "Result: StrictModes active, file permissions are checked"
Display --indent 4 --text "- SSH option: StrictModes..." --result OK --color GREEN
AddHP 3 3
else
logtext "Result: value of StrictModes is unknown (not defined)"
Display --indent 4 --text "- SSH option: StrictModes..." --result DEFAULT --color WHITE
fi
fi
ReportSuggestion ${TEST_NO} "Check StrictModes option in sshd_config"
AddHP 0 3
else
if [ "${FIND}" = "yes" -o "${FIND}" = "YES" -o "${FIND}" = "Yes" ]; then
logtext "Result: StrictModes active, file permissions are checked"
Display --indent 4 --text "- SSH option: StrictModes..." --result OK --color GREEN
AddHP 3 3
else
logtext "Result: value of StrictModes is unknown (not defined)"
Display --indent 4 --text "- SSH option: StrictModes..." --result DEFAULT --color WHITE
fi
fi
fi
#
#################################################################################
@ -225,35 +231,35 @@
Register --test-no SSH-7440 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check SSH option: AllowUsers and AllowGroups"
if [ ${SKIPTEST} -eq 0 ]; then
FOUND=0
# AllowUsers
FIND=`egrep "^AllowUsers" ${SSH_DAEMON_CONFIG} | awk '{ print $2 }'`
if [ ! "${FIND}" = "" ]; then
logtext "Result: AllowUsers set, with value ${FIND}"
Display --indent 4 --text "- SSH option: AllowUsers..." --result FOUND --color GREEN
FOUND=1
else
logtext "Result: AllowUsers is not set"
Display --indent 4 --text "- SSH option: AllowUsers..." --result "NOT FOUND" --color WHITE
fi
# AllowGroups
FIND=`egrep "^AllowGroups" ${SSH_DAEMON_CONFIG} | awk '{ print $2 }'`
if [ ! "${FIND}" = "" ]; then
logtext "Result: AllowUsers set ${FIND}"
Display --indent 4 --text "- SSH option: AllowGroups..." --result FOUND --color GREEN
FOUND=1
else
logtext "Result: AllowGroups is not set"
Display --indent 4 --text "- SSH option: AllowGroups..." --result "NOT FOUND" --color WHITE
fi
# AllowUsers
FIND=`egrep "^AllowUsers" ${SSH_DAEMON_CONFIG} | awk '{ print $2 }'`
if [ ! "${FIND}" = "" ]; then
logtext "Result: AllowUsers set, with value ${FIND}"
Display --indent 4 --text "- SSH option: AllowUsers..." --result FOUND --color GREEN
FOUND=1
else
logtext "Result: AllowUsers is not set"
Display --indent 4 --text "- SSH option: AllowUsers..." --result "NOT FOUND" --color WHITE
fi
if [ ${FOUND} -eq 1 ]; then
logtext "Result: SSH is limited to a specific set of users, which is good"
AddHP 2 2
else
logtext "Result: SSH has no specific user or group limitation. Most likely all valid users can SSH to this machine."
AddHP 0 1
fi
# AllowGroups
FIND=`egrep "^AllowGroups" ${SSH_DAEMON_CONFIG} | awk '{ print $2 }'`
if [ ! "${FIND}" = "" ]; then
logtext "Result: AllowUsers set ${FIND}"
Display --indent 4 --text "- SSH option: AllowGroups..." --result FOUND --color GREEN
FOUND=1
else
logtext "Result: AllowGroups is not set"
Display --indent 4 --text "- SSH option: AllowGroups..." --result "NOT FOUND" --color WHITE
fi
if [ ${FOUND} -eq 1 ]; then
logtext "Result: SSH is limited to a specific set of users, which is good"
AddHP 2 2
else
logtext "Result: SSH has no specific user or group limitation. Most likely all valid users can SSH to this machine."
AddHP 0 1
fi
fi
#
#################################################################################