diff --git a/include/tests_authentication b/include/tests_authentication index a14d62ee..9e4d36db 100644 --- a/include/tests_authentication +++ b/include/tests_authentication @@ -194,18 +194,18 @@ # Description : Check for non unique groups Register --test-no AUTH-9222 --weight L --network NO --description "Check for non unique groups" if [ ${SKIPTEST} -eq 0 ]; then - logtext "Test: Checking for non unique group ID's in /etc/group" - FIND=`cat /etc/group | grep -v '^#' | grep -v '^$' | awk -F: '{ print $3 }' | sort | uniq -d` - if [ "${FIND}" = "" ]; then - Display --indent 2 --text "- Checking non unique group ID's..." --result OK --color GREEN - logtext "Result: All group ID's are unique" - else - Display --indent 2 --text "- Checking non unique group ID's..." --result WARNING --color RED - logtext "Result: Found the same group ID multiple times" - logtext "Output: ${FIND}" - ReportWarning ${TEST_NO} "H" "Found multiple groups with same group ID" - ReportSuggestion ${TEST_NO} "Check your /etc/group file and correct inconsistencies" - fi + logtext "Test: Checking for non unique group ID's in /etc/group" + FIND=`cat /etc/group | grep -v '^#' | grep -v '^$' | awk -F: '{ print $3 }' | sort | uniq -d` + if [ "${FIND}" = "" ]; then + Display --indent 2 --text "- Checking non unique group ID's..." --result OK --color GREEN + logtext "Result: All group ID's are unique" + else + Display --indent 2 --text "- Checking non unique group ID's..." --result WARNING --color RED + logtext "Result: Found the same group ID multiple times" + logtext "Output: ${FIND}" + ReportWarning ${TEST_NO} "H" "Found multiple groups with same group ID" + ReportSuggestion ${TEST_NO} "Check your /etc/group file and correct inconsistencies" + fi fi # ################################################################################# 
@@ -277,17 +277,17 @@ if [ -x /usr/sbin/pwck ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no AUTH-9230 --os Solaris --preqs-met ${PREQS_MET} --weight L --network NO --description "Check password file consistency" if [ ${SKIPTEST} -eq 0 ]; then - logtext "Test: Checking password file consistency (pwck)" - FIND=`/usr/sbin/pwck 2> /dev/null; echo $?` - if [ "${FIND}" = "0" ]; then - Display --indent 2 --text "- Checking password file consistency..." --result OK --color GREEN - logtext "Result: pwck finished didn't find problems" - else - Display --indent 2 --text "- Checking password file consistency..." --result WARNING --color RED - logtext "Result: pwck found one or more errors/warnings in the password file." - ReportWarning ${TEST_NO} "M" "pwck found one or more errors/warnings in the password file" - ReportSuggestion ${TEST_NO} "Run pwck manually and correct found issues." - fi + logtext "Test: Checking password file consistency (pwck)" + FIND=`/usr/sbin/pwck 2> /dev/null; echo $?` + if [ "${FIND}" = "0" ]; then + Display --indent 2 --text "- Checking password file consistency..." --result OK --color GREEN + logtext "Result: pwck finished didn't find problems" + else + Display --indent 2 --text "- Checking password file consistency..." --result WARNING --color RED + logtext "Result: pwck found one or more errors/warnings in the password file." + ReportWarning ${TEST_NO} "M" "pwck found one or more errors/warnings in the password file" + ReportSuggestion ${TEST_NO} "Run pwck manually and correct found issues." + fi fi # ################################################################################# @@ -342,7 +342,7 @@ if [ ${SKIPTEST} -eq 0 ]; then logtext "Test: Read real system users (including root user) from /etc/passwd..." FIND="" - + if [ "${OS}" = "FreeBSD" ]; then logtext "FreeBSD real users output (ID > 1000, but not 65534):" FIND=`awk -F: '($3 > 1000) && ($3 != 65534) || ($3 == 0) { print $1","$3 }' /etc/passwd` 
@@ -377,25 +377,25 @@ # Description : Query NIS+ authentication support Register --test-no AUTH-9240 --weight L --network NO --description "Query NIS+ authentication support" if [ ${SKIPTEST} -eq 0 ]; then - if [ -f /etc/nsswitch.conf ]; then - FIND=`egrep "^passwd" /etc/nsswitch.conf | egrep "compat|nisplus"` - if [ "${FIND}" = "" ]; then - logtext "Result: NIS+ authentication not enabled" - Display --indent 2 --text "- Checking NIS+ authentication support" --result "NOT ENABLED" --color WHITE - else - FIND2=`egrep "^passwd_compat" /etc/nsswitch.conf | grep "nisplus"` - FIND3=`egrep "^passwd" /etc/nsswitch.conf | grep "nisplus"` - if [ ! "${FIND2}" = "" -o ! "${FIND3}" = "" ]; then - logtext "Result: NIS+ authentication enabled" - Display --indent 2 --text "- Checking NIS+ authentication support" --result "ENABLED" --color GREEN - else - logtext "Result: NIS+ authentication not enabled" - Display --indent 2 --text "- Checking NIS+ authentication support" --result "NOT ENABLED" --color WHITE - fi - fi - else - logtext "Result: /etc/nsswitch.conf not found" - fi + if [ -f /etc/nsswitch.conf ]; then + FIND=`egrep "^passwd" /etc/nsswitch.conf | egrep "compat|nisplus"` + if [ "${FIND}" = "" ]; then + logtext "Result: NIS+ authentication not enabled" + Display --indent 2 --text "- Checking NIS+ authentication support" --result "NOT ENABLED" --color WHITE + else + FIND2=`egrep "^passwd_compat" /etc/nsswitch.conf | grep "nisplus"` + FIND3=`egrep "^passwd" /etc/nsswitch.conf | grep "nisplus"` + if [ ! "${FIND2}" = "" -o ! 
"${FIND3}" = "" ]; then + logtext "Result: NIS+ authentication enabled" + Display --indent 2 --text "- Checking NIS+ authentication support" --result "ENABLED" --color GREEN + else + logtext "Result: NIS+ authentication not enabled" + Display --indent 2 --text "- Checking NIS+ authentication support" --result "NOT ENABLED" --color WHITE + fi + fi + else + logtext "Result: /etc/nsswitch.conf not found" + fi fi # ################################################################################# 
@@ -404,25 +404,25 @@ # Description : Query NIS authentication support Register --test-no AUTH-9242 --weight L --network NO --description "Query NIS authentication support" if [ ${SKIPTEST} -eq 0 ]; then - if [ -f /etc/nsswitch.conf ]; then - FIND=`egrep "^passwd" /etc/nsswitch.conf | egrep "compat|nis" | grep -v "nisplus"` - if [ "${FIND}" = "" ]; then - logtext "Result: NIS authentication not enabled" - Display --indent 2 --text "- Checking NIS authentication support" --result "NOT ENABLED" --color WHITE - else - FIND2=`egrep "^passwd_compat" /etc/nsswitch.conf | grep "nis" | grep -v "nisplus"` - FIND3=`egrep "^passwd" /etc/nsswitch.conf | grep "nis" | grep -v "nisplus"` - if [ ! "${FIND2}" = "" -o ! "${FIND3}" = "" ]; then - logtext "Result: NIS authentication enabled" - Display --indent 2 --text "- Checking NIS authentication support" --result "ENABLED" --color GREEN - else - logtext "Result: NIS authentication not enabled" - Display --indent 2 --text "- Checking NIS authentication support" --result "NOT ENABLED" --color WHITE - fi - fi - else - logtext "Result: /etc/nsswitch.conf not found" - fi + if [ -f /etc/nsswitch.conf ]; then + FIND=`egrep "^passwd" /etc/nsswitch.conf | egrep "compat|nis" | grep -v "nisplus"` + if [ "${FIND}" = "" ]; then + logtext "Result: NIS authentication not enabled" + Display --indent 2 --text "- Checking NIS authentication support" --result "NOT ENABLED" --color WHITE + else + FIND2=`egrep "^passwd_compat" /etc/nsswitch.conf | grep "nis" | grep -v "nisplus"` + FIND3=`egrep "^passwd" /etc/nsswitch.conf | grep "nis" | grep -v "nisplus"` + if [ ! "${FIND2}" = "" -o ! 
"${FIND3}" = "" ]; then + logtext "Result: NIS authentication enabled" + Display --indent 2 --text "- Checking NIS authentication support" --result "ENABLED" --color GREEN + else + logtext "Result: NIS authentication not enabled" + Display --indent 2 --text "- Checking NIS authentication support" --result "NOT ENABLED" --color WHITE + fi + fi + else + logtext "Result: /etc/nsswitch.conf not found" + fi fi # ################################################################################# @@ -450,22 +450,22 @@ if [ ${SKIPTEST} -eq 0 ]; then FOUND=0 for I in ${SUDOERS_LOCATIONS}; do - logtext "Test: checking presence ${I}" - if [ -f ${I} ]; then - FOUND=1 - SUDOERS_FILE="${I}" - logtext "Result: found file (${SUDOERS_FILE})" - else - logtext "Result: file ${I} not found" - fi - done - if [ ${FOUND} -eq 1 ]; then - logtext "Result: sudoers file found (${SUDOERS_FILE})" - Display --indent 2 --text "- Checking sudoers file" --result FOUND --color GREEN - # YYY add more tests to audit sudoers file - else - logtext "Result: sudoers file NOT found" - Display --indent 2 --text "- Checking sudoers file" --result "NOT FOUND" --color YELLOW + logtext "Test: checking presence ${I}" + if [ -f ${I} ]; then + FOUND=1 + SUDOERS_FILE="${I}" + logtext "Result: found file (${SUDOERS_FILE})" + else + logtext "Result: file ${I} not found" + fi + done + if [ ${FOUND} -eq 1 ]; then + logtext "Result: sudoers file found (${SUDOERS_FILE})" + Display --indent 2 --text "- Checking sudoers file" --result FOUND --color GREEN + # YYY add more tests to audit sudoers file + else + logtext "Result: sudoers file NOT found" + Display --indent 2 --text "- Checking sudoers file" --result "NOT FOUND" --color YELLOW fi fi # 
@@ -476,16 +476,16 @@ if [ ! "${SUDOERS_FILE}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no AUTH-9252 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check sudoers file" if [ ${SKIPTEST} -eq 0 ]; then - logtext "Test: checking sudoers file (${SUDOERS_FILE}) permissions" - FIND=`ls -l ${SUDOERS_FILE} | cut -c 2-10` - logtext "Result: Found file permissions: ${FIND}" - if [ "${FIND}" = "rw-------" -o "${FIND}" = "rw-rw----" -o "${FIND}" = "r--r-----" ]; then - logtext "Result: file ${SUDOERS_FILE} has correct permissions" - Display --indent 4 --text "- Check sudoers file permissions" --result OK --color GREEN - else - logtext "Result: file has possibly unsafe file permissions" - Display --indent 4 --text "- Check sudoers file permissions" --result WARNING --color RED - fi + logtext "Test: checking sudoers file (${SUDOERS_FILE}) permissions" + FIND=`ls -l ${SUDOERS_FILE} | cut -c 2-10` + logtext "Result: Found file permissions: ${FIND}" + if [ "${FIND}" = "rw-------" -o "${FIND}" = "rw-rw----" -o "${FIND}" = "r--r-----" ]; then + logtext "Result: file ${SUDOERS_FILE} has correct permissions" + Display --indent 4 --text "- Check sudoers file permissions" --result OK --color GREEN + else + logtext "Result: file has possibly unsafe file permissions" + Display --indent 4 --text "- Check sudoers file permissions" --result WARNING --color RED + fi fi # ################################################################################# 
@@ -494,16 +494,16 @@ # Description : Solaris test to check passwordless accounts Register --test-no AUTH-9254 --os Solaris --weight L --network NO --description "Solaris passwordless accounts" if [ ${SKIPTEST} -eq 0 ]; then - FIND=`logins -p | awk '{ print $1 }'` - if [ "${FIND}" = "" ]; then - logtext "Result: no passwordless accounts found" - Display --indent 2 --text "- Checking passwordless accounts on Solaris" --result OK --color GREEN - else - for I in ${FIND}; do - ReportWarning ${TEST_NO} "H" "Found passwordless account (${I})" - done - Display --indent 2 --text "- Checking passwordless accounts on Solaris" --result WARNING --color RED - fi + FIND=`logins -p | awk '{ print $1 }'` + if [ "${FIND}" = "" ]; then + logtext "Result: no passwordless accounts found" + Display --indent 2 --text "- Checking passwordless accounts on Solaris" --result OK --color GREEN + else + for I in ${FIND}; do + ReportWarning ${TEST_NO} "H" "Found passwordless account (${I})" + done + Display --indent 2 --text "- Checking passwordless accounts on Solaris" --result WARNING --color RED + fi fi # ################################################################################# 
@@ -624,25 +624,25 @@ # Description : Scan /etc/pam.conf file Register --test-no AUTH-9264 --weight L --network NO --description "Checking presence pam.conf" if [ ${SKIPTEST} -eq 0 ]; then - logtext "Test: Checking file /etc/pam.conf" - if [ -f /etc/pam.conf ]; then - logtext "Result: file /etc/pam.conf exists" - Display --indent 2 --text "- Checking PAM configuration files (pam.conf)" --result FOUND --color GREEN - logtext "Test: searching PAM configuration files" - FIND=`cat /etc/pam.conf | grep -v "^#" | grep -v "^$" | sed 's/ /!space!/g'` - if [ "${FIND}" = "" ]; then - logtext "Result: File has no configuration options defined (empty, or only filled with comments and empty lines)" - else - logtext "Result: found one or more configuration lines" - for I in ${FIND}; do - I=`echo ${I} | sed 's/!space!/ /g'` - logtext "Found line: ${I}" - done - fi - else - logtext "Result: file /etc/pam.conf could not be found" - Display --indent 2 --text "- Checking PAM configuration file (pam.conf)" --result "NOT FOUND" --color WHITE - fi + logtext "Test: Checking file /etc/pam.conf" + if [ -f /etc/pam.conf ]; then + logtext "Result: file /etc/pam.conf exists" + Display --indent 2 --text "- Checking PAM configuration files (pam.conf)" --result FOUND --color GREEN + logtext "Test: searching PAM configuration files" + FIND=`cat /etc/pam.conf | grep -v "^#" | grep -v "^$" | sed 's/ /!space!/g'` + if [ "${FIND}" = "" ]; then + logtext "Result: File has no configuration options defined (empty, or only filled with comments and empty lines)" + else + logtext "Result: found one or more configuration lines" + for I in ${FIND}; do + I=`echo ${I} | sed 's/!space!/ /g'` + logtext "Found line: ${I}" + done + fi + else + logtext "Result: file /etc/pam.conf could not be found" + Display --indent 2 --text "- Checking PAM configuration file (pam.conf)" --result "NOT FOUND" --color WHITE + fi fi # ################################################################################# 
@@ -651,19 +651,19 @@ # Description : Searching available PAM configurations (/etc/pam.d) Register --test-no AUTH-9266 --weight L --network NO --description "Checking presence pam.d files" if [ ${SKIPTEST} -eq 0 ]; then - logtext "Test: Checking directory /etc/pam.d" - if [ -d /etc/pam.d ]; then - logtext "Result: directory /etc/pam.d exists" - Display --indent 2 --text "- Checking PAM configuration files (pam.d)" --result FOUND --color GREEN - logtext "Test: searching PAM configuration files" - FIND=`find /etc/pam.d -type f -print | sort` - for I in ${FIND}; do - logtext "Found file: ${I}" - done - else - logtext "Result: directory /etc/pam.d could not be found" - Display --indent 2 --text "- Checking PAM configuration files (pam.d)" --result "NOT FOUND" --color WHITE - fi + logtext "Test: Checking directory /etc/pam.d" + if [ -d /etc/pam.d ]; then + logtext "Result: directory /etc/pam.d exists" + Display --indent 2 --text "- Checking PAM configuration files (pam.d)" --result FOUND --color GREEN + logtext "Test: searching PAM configuration files" + FIND=`find /etc/pam.d -type f -print | sort` + for I in ${FIND}; do + logtext "Found file: ${I}" + done + else + logtext "Result: directory /etc/pam.d could not be found" + Display --indent 2 --text "- Checking PAM configuration files (pam.d)" --result "NOT FOUND" --color WHITE + fi fi # ################################################################################# 
@@ -709,25 +709,25 @@ # Description : Search LDAP support in PAM files Register --test-no AUTH-9278 --weight L --network NO --description "Checking LDAP pam status" if [ ${SKIPTEST} -eq 0 ]; then - logtext "Test: checking presence /etc/pam.d/common-auth" - if [ -f /etc/pam.d/common-auth ]; then - logtext "Result: file /etc/pam.d/common-auth exists" - logtext "Test: checking presence LDAP module" - FIND=`cat /etc/pam.d/common-auth | grep "^auth" | grep "ldap"` - if [ ! "${FIND}" = "" ]; then - logtext "Result: LDAP module present" - logtext "Output: ${FIND}" - Display --indent 2 --text "- Checking LDAP module in PAM" --result FOUND --color GREEN + logtext "Test: checking presence /etc/pam.d/common-auth" + if [ -f /etc/pam.d/common-auth ]; then + logtext "Result: file /etc/pam.d/common-auth exists" + logtext "Test: checking presence LDAP module" + FIND=`cat /etc/pam.d/common-auth | grep "^auth" | grep "ldap"` + if [ ! "${FIND}" = "" ]; then + logtext "Result: LDAP module present" + logtext "Output: ${FIND}" + Display --indent 2 --text "- Checking LDAP module in PAM" --result FOUND --color GREEN LDAP_AUTH_ENABLED=1 LDAP_PAM_ENABLED=1 - else - logtext "Result: LDAP module not found" - Display --indent 2 --text "- Checking LDAP module in PAM" --result "NOT FOUND" --color WHITE - # YYY display message when ldap is enabled in /etc/passwd, but not found in PAM - fi - else - logtext "Result: file /etc/pam.d/common-auth not found, skipping test" - fi + else + logtext "Result: LDAP module not found" + Display --indent 2 --text "- Checking LDAP module in PAM" --result "NOT FOUND" --color WHITE + # YYY display message when ldap is enabled in /etc/passwd, but not found in PAM + fi + else + logtext "Result: file /etc/pam.d/common-auth not found, skipping test" + fi fi # ################################################################################# 
@@ -740,13 +740,13 @@
 case ${LINUX_VERSION} in
 "SuSE")
 PREQS_MET="YES"
- FIND=`passwd -a -S | awk '{ if ($2=="P" && $5=="99999") print $1 }'`
- FIND2=`passwd -a -S | awk '{ if ($2=="NP") print $1 }'`
+ FIND=`passwd -a -S 2> /dev/null | awk '{ if ($2=="P" && $5=="99999") print $1 }'`
+ FIND2=`passwd -a -S 2> /dev/null | awk '{ if ($2=="NP") print $1 }'`
 ;;
 *)
 PREQS_MET="YES"
- FIND=`passwd --all --status | awk '{ if ($2=="P" && $5=="99999") print $1 }'`
- FIND2=`passwd --all --status | awk '{ if ($2=="NP") print $1 }'`
+ FIND=`passwd --all --status 2> /dev/null | awk '{ if ($2=="P" && $5=="99999") print $1 }'`
+ FIND2=`passwd --all --status 2> /dev/null | awk '{ if ($2=="NP") print $1 }'`
 ;;
 esac
 else
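Review bot: With stderr now discarded on the four `passwd ... 2> /dev/null | awk ...` lines, a passwd invocation that fails outright (for example when the audit runs without the privileges needed to list all accounts) leaves FIND and FIND2 empty, and PREQS_MET is still set to "YES" just above, so the consumer of these variables presumably sees the same thing as "no account without expiry" and "no passwordless account". Consider checking the command before trusting its silence, e.g. `passwd --all --status > /dev/null 2>&1 || PREQS_MET="NO"` ahead of the two assignments in the default arm (and the `-a -S` equivalent in the SuSE arm), so an unusable passwd turns into a skipped test rather than a clean one. The case statement sits inside an if whose start, and the test that reads FIND/FIND2, are outside the hunk.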
@@ -803,20 +803,20 @@ if [ -f /etc/login.defs ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no AUTH-9286 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking user password aging" if [ ${SKIPTEST} -eq 0 ]; then - logtext "Test: Checking PASS_MAX_DAYS option in /etc/login.defs " - FIND=`grep "^PASS_MAX_DAYS" /etc/login.defs | awk '{ if ($1=="PASS_MAX_DAYS") { print $2 } }'` - if [ "${FIND}" = "" -o "${FIND}" = "99999" ]; then - # YYY check if LDAP is used with password policies - logtext "Result: password aging limits are not configured" - Display --indent 2 --text "- Checking user password aging" --result DISABLED --color YELLOW - ReportSuggestion ${TEST_NO} "Configure password aging limits to enforce password changing on a regular base" - AddHP 0 1 - else - logtext "Result: accounts with password aging set are checked against PASS_MAX_DAYS" - logtext "Result: value of PASS_MAX_DAYS is ${FIND}" - Display --indent 2 --text "- Checking user password aging" --result OK --color GREEN - AddHP 3 3 - fi + logtext "Test: Checking PASS_MAX_DAYS option in /etc/login.defs " + FIND=`grep "^PASS_MAX_DAYS" /etc/login.defs | awk '{ if ($1=="PASS_MAX_DAYS") { print $2 } }'` + if [ "${FIND}" = "" -o "${FIND}" = "99999" ]; then + # YYY check if LDAP is used with password policies + logtext "Result: password aging limits are not configured" + Display --indent 2 --text "- Checking user password aging" --result DISABLED --color YELLOW + ReportSuggestion ${TEST_NO} "Configure password aging limits to enforce password changing on a regular base" + AddHP 0 1 + else + logtext "Result: accounts with password aging set are checked against PASS_MAX_DAYS" + logtext "Result: value of PASS_MAX_DAYS is ${FIND}" + Display --indent 2 --text "- Checking user password aging" --result OK --color GREEN + AddHP 3 3 + fi fi # ################################################################################# 
@@ -831,24 +831,24 @@ # Notes : sulogin should be called from svm script (Solaris <10) in /etc/rcS.d (YYY) Register --test-no AUTH-9304 --os Solaris --weight L --network NO --description "Check single user login configuration" if [ ${SKIPTEST} -eq 0 ]; then - # Check if file exists (Solaris 10 does not have this file by default) - if [ -f /etc/default/sulogin ]; then - logtext "Result: file /etc/default/sulogin exists" - logtext "Test: checking presence PASSREQ=NO" - FIND=`grep "^PASSREQ=NO" /etc/default/sulogin` - if [ "${FIND}" = "" ]; then - logtext "Result: option not present or configured to request a password at single user mode login" - Display --indent 2 --text "- Checking Solaris /etc/default/sulogin file" --result OK --color GREEN - AddHP 1 1 - else - logtext "Result: option present, no password needed at single user mode login" - Display --indent 2 --text "- Checking Solaris /etc/default/sulogin file" --result WARNING --color RED - ReportWarning ${TEST_NO} "H" "No password needed for single user mode login" - AddHP 0 1 - fi - else - logtext "Result: file /etc/default/sulogin does not exist" - fi + # Check if file exists (Solaris 10 does not have this file by default) + if [ -f /etc/default/sulogin ]; then + logtext "Result: file /etc/default/sulogin exists" + logtext "Test: checking presence PASSREQ=NO" + FIND=`grep "^PASSREQ=NO" /etc/default/sulogin` + if [ "${FIND}" = "" ]; then + logtext "Result: option not present or configured to request a password at single user mode login" + Display --indent 2 --text "- Checking Solaris /etc/default/sulogin file" --result OK --color GREEN + AddHP 1 1 + else + logtext "Result: option present, no password needed at single user mode login" + Display --indent 2 --text "- Checking Solaris /etc/default/sulogin file" --result WARNING --color RED + ReportWarning ${TEST_NO} "H" "No password needed for single user mode login" + AddHP 0 1 + fi + else + logtext "Result: file /etc/default/sulogin does not exist" + fi fi # 
################################################################################# 
@@ -860,25 +860,25 @@ # disabled a required login. Register --test-no AUTH-9306 --os HP-UX --weight L --network NO --description "Check single boot authentication" if [ ${SKIPTEST} -eq 0 ]; then - # Check if file exists - logtext "Test: Searching /tcb/files/auth/system/default" - if [ -f /tcb/files/auth/system/default ]; then - logtext "Result: file /tcb/files/auth/system/default exists" - logtext "Test: checking presence :d_boot_authenticate@:" - FIND=`grep "^:d_boot_authenticate@" /tcb/files/auth/system/default` - if [ "${FIND}" = "" ]; then - logtext "Result: option not set, password is needed at boot" - Display --indent 2 --text "- Checking HP-UX boot authentication" --result OK --color GREEN - AddHP 1 1 - else - logtext "Result: option present, no password needed at single user mode login" - Display --indent 2 --text "- Checking HP-UX boot authentication" --result SUGGESTION --color YELLOW - ReportSuggestion ${TEST_NO} "Set password for system boot" - AddHP 0 1 - fi - else - logtext "Result: file /tcb/files/auth/system/default does not exist" - fi + # Check if file exists + logtext "Test: Searching /tcb/files/auth/system/default" + if [ -f /tcb/files/auth/system/default ]; then + logtext "Result: file /tcb/files/auth/system/default exists" + logtext "Test: checking presence :d_boot_authenticate@:" + FIND=`grep "^:d_boot_authenticate@" /tcb/files/auth/system/default` + if [ "${FIND}" = "" ]; then + logtext "Result: option not set, password is needed at boot" + Display --indent 2 --text "- Checking HP-UX boot authentication" --result OK --color GREEN + AddHP 1 1 + else + logtext "Result: option present, no password needed at single user mode login" + Display --indent 2 --text "- Checking HP-UX boot authentication" --result SUGGESTION --color YELLOW + ReportSuggestion ${TEST_NO} "Set password for system boot" + AddHP 0 1 + fi + else + logtext "Result: file /tcb/files/auth/system/default does not exist" + fi fi # 
################################################################################# diff --git a/include/tests_boot_services b/include/tests_boot_services index 2755460d..3d8ce7c1 100644 --- a/include/tests_boot_services +++ b/include/tests_boot_services 
@@ -39,21 +39,26 @@ Display --indent 4 --text "- Checking presence GRUB... " --result "OK" --color GREEN if [ -f /boot/grub/grub.conf ]; then GRUBCONFFILE="/boot/grub/grub.conf"; else GRUBCONFFILE="/boot/grub/menu.lst"; fi logtext "Found file ${GRUBCONFFILE}, proceeding with tests." - FIND=`cat ${GRUBCONFFILE} | grep 'password --md5' | grep -v '^#'` - FIND2=`cat ${GRUBCONFFILE} | grep 'password --encrypted' | grep -v '^#'` - if [ "${FIND}" = "" -a "${FIND2}" = "" ]; then - Display --indent 6 --text "- Checking for password protection..." --result WARNING --color RED - logtext "Result: Didn't find MD5/SHA1 hashed password line in GRUB boot file!" - logtext "Risk: user can switch to single user mode by editing current menu items or bypassing them." - logtext "Additional information: Do NOT use a plaintext password, since the grub.conf or menu.lst file is most likely to be world readable!" - logtext "If an unsecured OS like DOS is used, add 'lock' below that entry and setup a password with the password option, to prevent direct system access." - ReportWarning ${TEST_NO} "M" "No password set on GRUB bootloader" - logtext "Tip: Run grub-crypt or grub-md5-crypt and create a hashed password. Add a line below the line timeout=, add: password --md5 or password --encrypted for SHA1 encrypted password" - AddHP 0 2 + FileIsReadable ${GRUBCONFFILE} + if [ ${CANREAD} -eq 1 ]; then + FIND=`cat ${GRUBCONFFILE} | grep 'password --md5' | grep -v '^#'` + FIND2=`cat ${GRUBCONFFILE} | grep 'password --encrypted' | grep -v '^#'` + if [ "${FIND}" = "" -a "${FIND2}" = "" ]; then + Display --indent 6 --text "- Checking for password protection..." --result WARNING --color RED + logtext "Result: Didn't find MD5/SHA1 hashed password line in GRUB boot file!" + logtext "Risk: user can switch to single user mode by editing current menu items or bypassing them." 
+ logtext "Additional information: Do NOT use a plaintext password, since the grub.conf or menu.lst file is most likely to be world readable!" + logtext "If an unsecured OS like DOS is used, add 'lock' below that entry and setup a password with the password option, to prevent direct system access." + ReportWarning ${TEST_NO} "M" "No password set on GRUB bootloader" + logtext "Tip: Run grub-crypt or grub-md5-crypt and create a hashed password. Add a line below the line timeout=, add: password --md5 or password --encrypted for SHA1 encrypted password" + AddHP 0 2 + else + Display --indent 6 --text "- Checking for password protection..." --result OK --color GREEN + logtext "Result: GRUB has password protection." + AddHP 4 4 + fi else - Display --indent 6 --text "- Checking for password protection..." --result OK --color GREEN - logtext "Result: GRUB has password protection." - AddHP 4 4 + logtext "Warning: can not read ${GRUBCONFFILE}" fi fi @@ -86,7 +91,7 @@ BOOT_LOADER="FreeBSD" else logtext "Result: Not all expected files found in /boot" - Display --indent 4 --text "- Checking presence FreeBSD loader" --result "NOT FOUND" --color WHITE + Display --indent 4 --text "- Checking presence FreeBSD loader" --result "NOT FOUND" --color WHITE fi fi # 
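Review bot: The new unreadable-file branch at the end of the hunk only writes `logtext "Warning: can not read ${GRUBCONFFILE}"`; it emits no Display line, no ReportWarning and no AddHP, so an audit that cannot read the GRUB configuration shows nothing on screen for the password check, whereas the readable path always prints a result. A single line next to the logtext, `Display --indent 6 --text "- Checking for password protection..." --result SKIPPED --color YELLOW`, would keep the output shape consistent. Note also that `if [ -f /boot/grub/grub.conf ]` only tests the first candidate, so a missing menu.lst now lands in this same branch with a "can not read" message that is slightly misleading — FileIsReadable appears to cover both cases, but the helper is not on this page. The enclosing if on SKIPTEST starts outside the hunk.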
@@ -114,25 +119,31 @@ # Notes : password= or password = Register --test-no BOOT-5139 --weight L --network NO --description "Check for LILO boot loader presence" if [ ${SKIPTEST} -eq 0 ]; then + LILOCONFFILE="/etc/lilo.conf" logtext "Test: checking for presence LILO configuration file..." - if [ -f /etc/lilo.conf ]; then - BOOT_LOADER="LILO" - Display --indent 4 --text "- Checking presence LILO... " --result "OK" --color GREEN - logtext "Checking password option LILO..." - FIND=`cat /etc/lilo.conf | ${EGREPBINARY} 'password[[:space:]]?=' | grep -v "^#"` - if [ "${FIND}" = "" ]; then - Display --indent 6 --text "- Password option presence " --result "WARNING" --color RED - logtext "Result: no password set for LILO. Bootloader is unprotected to" - logtext "dropping to single user mode or unauthorized access to devices/data." - ReportSuggestion ${TEST_NO} "Add a password to LILO, by adding a line to the lilo.conf file, above the first line saying 'image=': password=" - ReportWarning ${TEST_NO} "M" "No password set on LILO bootloader" - AddHP 0 2 + if [ -f ${LILOCONFFILE} ]; then + FileIsReadable ${LILOCONFFILE} + if [ ${CANREAD} -eq 1 ]; then + BOOT_LOADER="LILO" + Display --indent 4 --text "- Checking presence LILO... " --result "OK" --color GREEN + logtext "Checking password option LILO..." + FIND=`cat ${LILOCONFFILE} | ${EGREPBINARY} 'password[[:space:]]?=' | grep -v "^#"` + if [ "${FIND}" = "" ]; then + Display --indent 6 --text "- Password option presence " --result "WARNING" --color RED + logtext "Result: no password set for LILO. Bootloader is unprotected to" + logtext "dropping to single user mode or unauthorized access to devices/data." 
+ ReportSuggestion ${TEST_NO} "Add a password to LILO, by adding a line to the lilo.conf file, above the first line saying 'image=': password=" + ReportWarning ${TEST_NO} "M" "No password set on LILO bootloader" + AddHP 0 2 + else + Display --indent 6 --text "- Password option presence " --result "OK" --color GREEN + logtext "Result: LILO password option set" + AddHP 4 4 + fi + #YYY (making /etc/lilo.conf immutable is a good idea, chattr +i /etc/lilo.conf) else - Display --indent 6 --text "- Password option presence " --result "OK" --color GREEN - logtext "Result: LILO password option set" - AddHP 4 4 + logtext "Warning: can not access ${LILOCONFFILE}" fi - #YYY (making /etc/lilo.conf immutable is a good idea, chattr +i /etc/lilo.conf) else Display --indent 4 --text "- Checking presence LILO... " --result "NOT FOUND" --color WHITE logtext "Result: LILO configuration file not found" diff --git a/include/tests_crypto b/include/tests_crypto index af73fd6c..719617a0 100644 --- a/include/tests_crypto +++ b/include/tests_crypto 
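Review bot: `BOOT_LOADER="LILO"` and the presence Display have moved inside the `if [ ${CANREAD} -eq 1 ]` branch, so when /etc/lilo.conf exists but is not readable the loader is no longer recorded as LILO and neither a presence line nor a result appears on screen, while the previous code set it whenever the file existed. Presence is already established by `if [ -f ${LILOCONFFILE} ]`, so move `BOOT_LOADER="LILO"` and the `Display --indent 4 --text "- Checking presence LILO... " --result "OK" --color GREEN` line directly after that test and keep only the password check under the readability guard. The unreadable branch's `Warning: can not access ${LILOCONFFILE}` also differs from the GRUB hunk's "can not read" wording; one phrasing is easier to search for in the log. The enclosing if on SKIPTEST starts outside the hunk, and the closing fi of the not-found else is outside it as well.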
@@ -32,23 +32,33 @@ sSSL_PATHS=`grep "^ssl:certificates:" ${PROFILE} | cut -d ':' -f3` for I in ${sSSL_PATHS}; do if [ -d ${I} ]; then - logtext "Result: found directory ${I}" - # Search for CRT files - sFINDCRTS=`find ${I} -name "*.crt" -type f -print 2> /dev/null` - for J in ${sFINDCRTS}; do - logtext "Test: checking certificate ${J}" - # Check certificate where 'end date' has been expired - FIND=`${OPENSSLBINARY} x509 -noout -checkend 0 -in ${J} -enddate > /dev/null ; echo $?` - if [ "${FIND}" = "0" ]; then - logtext "Result: certificate ${J} seems to be correct and still valid" - report "valid_certificate[]=${J}|unknown entity|" - else - FOUNDPROBLEM=1 - logtext "Result: certificate ${J} has been expired" - report "expired_certificate[]=${J}" - #YYY Dump more information to log file - fi - done + FileIsReadable ${I} + if [ ${CANREAD} -eq 1 ]; then + logtext "Result: found directory ${I}" + # Search for CRT files + sFINDCRTS=`find ${I} -name "*.crt" -type f -print 2> /dev/null` + for J in ${sFINDCRTS}; do + FileIsReadable ${J} + if [ ${CANREAD} -eq 1 ]; then + logtext "Test: checking certificate ${J}" + # Check certificate where 'end date' has been expired + FIND=`${OPENSSLBINARY} x509 -noout -checkend 0 -in ${J} -enddate > /dev/null ; echo $?` + if [ "${FIND}" = "0" ]; then + logtext "Result: certificate ${J} seems to be correct and still valid" + report "valid_certificate[]=${J}|unknown entity|" + else + FOUNDPROBLEM=1 + logtext "Result: certificate ${J} has been expired" + report "expired_certificate[]=${J}" + #YYY Dump more information to log file + fi + else + logtext "Warning: can not read file ${J}" + fi + done + else + logtext "Warning: No read access to path ${I}" + fi else logtext "Result: SSL path ${I} does not exist" fi diff --git a/include/tests_mail_messaging b/include/tests_mail_messaging index 69be839c..9dc588a6 100644 --- a/include/tests_mail_messaging +++ b/include/tests_mail_messaging 
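Review bot: A certificate that exists but cannot be read only reaches the log (`logtext "Warning: can not read file ${J}"`), never the report, and FOUNDPROBLEM stays untouched, so an unprivileged run can finish with an empty expired-certificate list that reads as a clean result. Consider making the gap visible — a counter reported after the loop, or a report entry consistent with the file's existing `report` calls — rather than dropping it silently. Note too that `FileIsReadable ${I}` is applied to a directory; whether the helper distinguishes read from search (execute) permission is not visible on this page, and with `find ... 2> /dev/null` a directory that is readable but not traversable yields an empty sFINDCRTS that looks like "no certificates". The `for I in ${sSSL_PATHS}` loop opens in the hunk but its done is outside.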
@@ -82,9 +82,9 @@
 logtext "Test: check Postfix status"
 # Some other processes also use master, therefore it should include both master and postfix
 FIND1=`${PSBINARY} ax | grep "master" | grep "postfix" | grep -v "grep"`
- FIND2=`${PSBINARY} ax | grep "qmgr" | grep "postfix" | grep -v "grep"`
- FIND3=`${PSBINARY} ax | grep "pickup" | grep "postfix" | grep -v "grep"`
- if [ ! "${FIND1}" = "" -a ! "${FIND2}" = "" -a ! "${FIND3}" = "" ]; then
+ #FIND2=`${PSBINARY} ax | grep "qmgr" | grep "postfix" | grep -v "grep"`
+ #FIND3=`${PSBINARY} ax | grep "pickup" | grep "postfix" | grep -v "grep"`
+ if [ ! "${FIND1}" = "" ]; then
 logtext "Result: found running Postfix process"
 Display --indent 2 --text "- Checking Postfix status..." --result RUNNING --color GREEN
 POSTFIX_RUNNING=1
@@ -121,7 +121,7 @@
 FIND2=`${POSTCONFBINARY} | grep '^smtpd_banner' | grep '$mail_name'`
 FIND3=`${POSTCONFBINARY} | grep '^mail_name' | grep -i 'postfix'`
 #YYY Check if OS name shows up in banner
- #FIND4=`${POSTCONFBINARY} | grep '^smtpd_banner' | egrep "${OS}|${LINUX_VERSION}`
+ #FIND4=`${POSTCONFBINARY} | grep '^smtpd_banner' | egrep "${OS}|${LINUX_VERSION}`
 SHOWWARNING=0
 if [ ! "${FIND1}" = "" ]; then
 SHOWWARNING=1
diff --git a/include/tests_mail_messaging b/include/tests_mail_messaging
index 00e62817..d87056b0 100644
--- a/include/tests_ports_packages
+++ b/include/tests_ports_packages
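Review bot: The check at `if [ ! "${FIND1}" = "" ]; then` now declares Postfix running on the strength of a single ps line containing both "master" and "postfix", and the two stricter qmgr/pickup checks are left behind as commented-out code with no explanation of why they were disabled. A reader cannot tell whether they were dropped because those daemons are not always resident or because the match was wrong; replace the dead lines with the reason, e.g. `# qmgr/pickup checks removed: <reason>`, or delete them outright since version control keeps the history. The `grep "master" | grep "postfix"` pattern will also match any unrelated process whose command line happens to contain both words, which the comment above it only partly addresses. The enclosing if on SKIPTEST starts outside the hunk.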
@@ -702,7 +702,7 @@
 # Trying also with apt-get directly (does not always work, as updates are distributed on both -security and -updates)
 # Show packages which would be upgraded and match 'security' in repository name
- FIND=`/usr/bin/apt-get --dry-run --show-upgraded upgrade | grep '-security' | grep "^Inst" | cut -d ' ' -f2 | sort | uniq`
+ FIND=`/usr/bin/apt-get --dry-run --show-upgraded upgrade 2> /dev/null | grep '-security' | grep "^Inst" | cut -d ' ' -f2 | sort | uniq`
 if [ ! "${FIND}" = "" ]; then
 #Display --indent 2 --text "- Checking vulnerable packages..." --result WARNING --color RED
 VULNERABLE_PACKAGES_FOUND=1
diff --git a/include/tests_scheduling b/include/tests_scheduling
index be3ced5d..14359189 100644
--- a/include/tests_scheduling
+++ b/include/tests_scheduling
@@ -47,20 +47,25 @@
 for I in ${CRON_DIRS}; do
 logtext "Test: checking directory ${I}"
 if [ -d ${I} ]; then
- logtext "Result: found directory ${I}"
- logtext "Test: searching files in ${I}"
- FIND=`find ${I} -type f -print`
- if [ "${FIND}" = "" ]; then
- logtext "Result: no files found in ${I}"
- else
- logtext "Result: found one or more files in ${I}. Analyzing files.."
- for J in ${FIND}; do
- FindCronJob ${J}
- for K in ${sCRONJOBS}; do
- logtext "Result: Found cronjob (${I}): ${K}"
+ FileIsReadable ${I}
+ if [ ${CANREAD} -eq 1 ]; then
+ logtext "Result: found directory ${I}"
+ logtext "Test: searching files in ${I}"
+ FIND=`find ${I} -type f -print`
+ if [ "${FIND}" = "" ]; then
+ logtext "Result: no files found in ${I}"
+ else
+ logtext "Result: found one or more files in ${I}. Analyzing files.."
+ for J in ${FIND}; do
+ FindCronJob ${J}
+ for K in ${sCRONJOBS}; do
+ logtext "Result: Found cronjob (${I}): ${K}"
+ done
 done
- done
- logtext "Result: done with analyzing files in ${I}"
+ logtext "Result: done with analyzing files in ${I}"
+ fi
+ else
+ logtext "Result: can not read file or directory ${I}"
 fi
 else
 logtext "Result: directory ${I} does not exist"
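Review bot: Silencing apt-get's stderr means a dry-run that fails outright (held lock, unreadable package lists, insufficient privilege) now yields an empty FIND, and the block reads that as no pending security updates with no trace of the failure in the log; the pipeline already discards apt-get's exit status. Capture the output first and check the status before filtering, e.g. `APT_OUTPUT=$(/usr/bin/apt-get --dry-run --show-upgraded upgrade 2> /dev/null) || logtext "Warning: apt-get dry-run failed, security update check may be incomplete"` followed by `FIND=$(echo "${APT_OUTPUT}" | grep '-security' | grep "^Inst" | cut -d ' ' -f2 | sort | uniq)`, so a check that could not run is visible instead of being reported as clean. The surrounding test block starts and ends outside the hunk.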
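Review bot: The readability guard added in the -47 hunk covers only the directory, while each file found under it is still handed to `FindCronJob ${J}` unchecked, so unlike the certificate hunk in this commit an unreadable file inside a cron directory produces no warning as far as this hunk shows. The find call assigned to FIND also has no `2> /dev/null` where the certificate hunk's find does, so permission errors from subdirectories go to the terminal rather than the log. Wrapping the FindCronJob call in `FileIsReadable ${J}` and `if [ ${CANREAD} -eq 1 ]; then`, as the certificate code does, would make the two consistent. The loop over CRON_DIRS and its closing `done` continue outside the hunk.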
@@ -159,47 +164,56 @@
 if [ ${SKIPTEST} -eq 0 ]; then
 AT_UNKNOWN=0
 case ${OS} in
- FreeBSD) AT_ALLOW="/var/at/at.allow"; AT_DENY="/var/at/at.deny" ;;
- HPUX) AT_ALLOW="/usr/lib/cron/at.allow"; AT_DENY="/usr/lib/cron/at.deny" ;;
- Linux) AT_ALLOW="/etc/at.allow"; AT_DENY="/etc/at.deny" ;;
- OpenBSD) AT_ALLOW="/var/cron/at.allow"; AT_DENY="/var/cron/at.deny" ;;
- SunOS) AT_ALLOW="/etc/cron.d/at.allow"; AT_DENY="/etc/cron.d/at.deny" ;;
- *) AT_UNKNOWN=1; logtext "Test skipped, files for at unknown" ;;
- esac
+ FreeBSD) AT_ALLOW="/var/at/at.allow"; AT_DENY="/var/at/at.deny" ;;
+ HPUX) AT_ALLOW="/usr/lib/cron/at.allow"; AT_DENY="/usr/lib/cron/at.deny" ;;
+ Linux) AT_ALLOW="/etc/at.allow"; AT_DENY="/etc/at.deny" ;;
+ OpenBSD) AT_ALLOW="/var/cron/at.allow"; AT_DENY="/var/cron/at.deny" ;;
+ SunOS) AT_ALLOW="/etc/cron.d/at.allow"; AT_DENY="/etc/cron.d/at.deny" ;;
+ *) AT_UNKNOWN=1; logtext "Test skipped, files for at unknown" ;;
+ esac
 if [ ${AT_UNKNOWN} -eq 0 ]; then
 logtext "Test: checking for file ${AT_ALLOW}"
- if [ -f ${AT_ALLOW} ]; then
- logtext "Result: file ${AT_ALLOW} exists, only listed users can schedule at jobs"
- FIND=`cat ${AT_ALLOW} | sort`
- if [ "${FIND}" = "" ]; then
- logtext "Result: File empty, no users are allowed to schedule at jobs"
- else
- for I in ${FIND}; do
- logtext "Allowed at user: ${I}"
- done
- fi
- else
- logtext "Result: file ${AT_ALLOW} does not exist"
- logtext "Test: checking for file ${AT_DENY}"
- if [ -f ${AT_DENY} ]; then
- logtext "Result: file ${AT_DENY} exists, only non listed users can schedule at jobs"
- FIND=`cat ${AT_DENY} | sort`
- if [ "${FIND}" = "" ]; then
- logtext "Result: file is empty, no users are denied access to schedule jobs"
- else
- for I in ${FIND}; do
- logtext "Denied at user: ${I}"
- done
- fi
- else
- logtext "Result: both ${AT_ALLOW} and ${AT_DENY} do not exist"
- logtext "Note: only root can schedule at jobs"
- fi
- fi
- Display --indent 4 --text "- Checking at users" --result DONE --color GREEN
- else
+
if [ -f ${AT_ALLOW} ]; then
+ FileIsReadable ${AT_ALLOW}
+ if [ ${CANREAD} -eq 1 ]; then
+ logtext "Result: file ${AT_ALLOW} exists, only listed users can schedule at jobs"
+ FIND=`cat ${AT_ALLOW} | sort`
+ if [ "${FIND}" = "" ]; then
+ logtext "Result: File empty, no users are allowed to schedule at jobs"
+ else
+ for I in ${FIND}; do
+ logtext "Allowed at user: ${I}"
+ done
+ fi
+ else
+ logtext "Warning: can not read ${AT_ALLOW}"
+ fi
+ else
+ logtext "Result: file ${AT_ALLOW} does not exist"
+ logtext "Test: checking for file ${AT_DENY}"
+ if [ -f ${AT_DENY} ]; then
+ if [ -f ${AT_ALLOW} ]; then
+ logtext "Result: file ${AT_DENY} exists, only non listed users can schedule at jobs"
+ FIND=`cat ${AT_DENY} | sort`
+ if [ "${FIND}" = "" ]; then
+ logtext "Result: file is empty, no users are denied access to schedule jobs"
+ else
+ for I in ${FIND}; do
+ logtext "Denied at user: ${I}"
+ done
+ fi
+ else
+ logtext "Warning: can not read ${AT_DENY}"
+ fi
+ else
+ logtext "Result: both ${AT_ALLOW} and ${AT_DENY} do not exist"
+ logtext "Note: only root can schedule at jobs"
+ fi
+ fi
+ Display --indent 4 --text "- Checking at users" --result DONE --color GREEN
+ else
 Display --indent 4 --text "- Checking at users" --result SKIPPED --color YELLOW
- fi
+ fi
 fi
 #
 #################################################################################
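Review bot: In the AT_DENY branch the new code tests `if [ -f ${AT_ALLOW} ]; then` where it needs a readability check of AT_DENY; that branch is only entered after `[ -f ${AT_ALLOW} ]` was false, so the inner test is always false, at.deny is never read, and "Warning: can not read ${AT_DENY}" is logged on every host that relies on at.deny. Replace that line with `FileIsReadable ${AT_DENY}` followed by `if [ ${CANREAD} -eq 1 ]; then`, mirroring the AT_ALLOW branch above it. This is the only place the list of users denied at access is written to the log, so the regression removes that information from the audit trail while still reporting the test as DONE.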
@@ -209,19 +223,19 @@
 if [ ${ATD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
 Register --test-no SCHD-7724 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check at jobs"
 if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: Check scheduled at jobs"
- FIND=`atq | grep -v "no files in queue" | ${AWKBINARY} '{gsub("\t"," ");print}' | sed 's/ /!space!/g'`
- if [ ! "${FIND}" = "" ]; then
- logtext "Result: found one or more jobs"
- for I in ${FIND}; do
- I=`echo ${I} | sed 's/!space!/ /g'`
- logtext "Found at job: ${I}"
- done
+ logtext "Test: Check scheduled at jobs"
+ FIND=`atq | grep -v "no files in queue" | ${AWKBINARY} '{gsub("\t"," ");print}' | sed 's/ /!space!/g'`
+ if [ ! "${FIND}" = "" ]; then
+ logtext "Result: found one or more jobs"
+ for I in ${FIND}; do
+ I=`echo ${I} | sed 's/!space!/ /g'`
+ logtext "Found at job: ${I}"
+ done
 Display --indent 4 --text "- Checking at jobs" --result FOUND --color GREEN
- else
- logtext "Result: no pending at jobs"
+ else
+ logtext "Result: no pending at jobs"
 Display --indent 4 --text "- Checking at jobs" --result NONE --color GREEN
- fi
+ fi
 fi
 #
 #################################################################################
diff --git a/include/tests_ssh b/include/tests_ssh
index 91da5f0d..8905511b 100644
--- a/include/tests_ssh
+++ b/include/tests_ssh
@@ -59,17 +59,23 @@
 ReportException "${TEST_NO}:01"
 logtext "Result: we already had found another sshd_config file. Using this new file then."
 fi
- FOUND=1
- SSH_DAEMON_CONFIG="${I}/sshd_config"
- fi
- done
- if [ "${SSH_DAEMON_CONFIG}" = "" ]; then
- logtext "Result: No sshd configuration found"
- Display --indent 4 --text "- Searching SSH configuration..." --result "NOT FOUND" --color YELLOW
- else
- logtext "Result: using last found configuration file: ${SSH_DAEMON_CONFIG}"
- Display --indent 4 --text "- Searching SSH configuration..." --result FOUND --color GREEN
- fi
+ FileIsReadable ${I}/sshd_config
+ if [ ${CANREAD} -eq 1 ]; then
+ FOUND=1
+ SSH_DAEMON_CONFIG="${I}/sshd_config"
+ else
+ logtext "Warning: can not read ${I}/sshd_config file"
+ fi
+ fi
+ done
+ if [ "${SSH_DAEMON_CONFIG}" = "" ]; then
+ logtext "Result: No sshd configuration found"
+ Display --indent 4 --text "- Searching SSH configuration..." --result "NOT FOUND" --color YELLOW
+ ReportException "${TEST_NO}:1" "SSH daemon is running, but no readable configuration file found"
+ else
+ logtext "Result: using last found configuration file: ${SSH_DAEMON_CONFIG}"
+ Display --indent 4 --text "- Searching SSH configuration..." --result FOUND --color GREEN
+ fi
 fi
 #
 #################################################################################
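Review bot: The new exception is raised with id `"${TEST_NO}:1"` while the existing one three lines above uses `"${TEST_NO}:01"`; the two should follow one scheme, `"${TEST_NO}:02"` here, so exception ids in the report stay distinct and consistently formatted. The message also asserts that sshd is running but no readable configuration was found, yet this branch is reached equally when no sshd_config existed in any candidate directory; `no sshd_config found or readable in the searched directories` would describe both cases, with the running claim presumably covered by the test's prerequisites, which are not visible here. The `for I` loop this sits in starts before the hunk.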
@@ -117,24 +123,24 @@
 if [ ${SSH_DAEMON_RUNNING} -eq 1 -a ! "${SSH_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
 Register --test-no SSH-7412 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check SSH option: PermitRootLogin"
 if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: check PermitRootLogin option"
- FIND=`cat ${SSH_DAEMON_CONFIG} | grep "^PermitRootLogin" | awk '{ print $2 }'`
- if [ "${FIND}" = "yes" -o "${FIND}" = "YES" -o "${FIND}" = "Yes" ]; then
- logtext "Result: PermitRootLogin is enabled, root can login directly"
- Display --indent 4 --text "- SSH option: PermitRootLogin..." --result WARNING --color RED
+ logtext "Test: check PermitRootLogin option"
+ FIND=`cat ${SSH_DAEMON_CONFIG} | grep "^PermitRootLogin" | awk '{ print $2 }'`
+ if [ "${FIND}" = "yes" -o "${FIND}" = "YES" -o "${FIND}" = "Yes" ]; then
+ logtext "Result: PermitRootLogin is enabled, root can login directly"
+ Display --indent 4 --text "- SSH option: PermitRootLogin..." --result WARNING --color RED
 ReportWarning ${TEST_NO} "M" "Root can directly login via SSH"
- AddHP 0 3
- else
- # YYY add test for DenyUsers root
- if [ "${FIND}" = "no" -o "${FIND}" = "No" ]; then
- logtext "Result: PermitRootLogin is disabled. Root can't login directly"
- Display --indent 4 --text "- SSH option: PermitRootLogin..." --result DISABLED --color GREEN
- AddHP 3 3
- else
- logtext "Result: Value of PermitRootLogin is unknown (not defined)"
- Display --indent 4 --text "- SSH option: PermitRootLogin..." --result DEFAULT --color WHITE
- fi
- fi
+ AddHP 0 3
+ else
+ # YYY add test for DenyUsers root
+ if [ "${FIND}" = "no" -o "${FIND}" = "No" ]; then
+ logtext "Result: PermitRootLogin is disabled. Root can't login directly"
+ Display --indent 4 --text "- SSH option: PermitRootLogin..." --result DISABLED --color GREEN
+ AddHP 3 3
+ else
+ logtext "Result: Value of PermitRootLogin is unknown (not defined)"
+ Display --indent 4 --text "- SSH option: PermitRootLogin..."
--result DEFAULT --color WHITE
+ fi
+ fi
 fi
 #
 #################################################################################
@@ -144,23 +150,23 @@
 if [ ${SSH_DAEMON_RUNNING} -eq 1 -a ! "${SSH_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
 Register --test-no SSH-7414 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check SSH option: Protocol"
 if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: check allowed SSH protocol versions"
- FIND=`cat ${SSH_DAEMON_CONFIG} | grep "^Protocol" | awk '{ print $2 }'`
- if [ "${FIND}" = "1" -o "${FIND}" = "2,1" -o "${FIND}" = "1,2" ]; then
- logtext "Result: Protocol option is set to allow SSH protocol version 1"
- Display --indent 4 --text "- SSH option: Protocol..." --result WARNING --color RED
+ logtext "Test: check allowed SSH protocol versions"
+ FIND=`cat ${SSH_DAEMON_CONFIG} | grep "^Protocol" | awk '{ print $2 }'`
+ if [ "${FIND}" = "1" -o "${FIND}" = "2,1" -o "${FIND}" = "1,2" ]; then
+ logtext "Result: Protocol option is set to allow SSH protocol version 1"
+ Display --indent 4 --text "- SSH option: Protocol..." --result WARNING --color RED
 ReportWarning ${TEST_NO} "M" "SSH protocol version 1 is allowed"
- AddHP 0 3
- else
- if [ "${FIND}" = "2" ]; then
- logtext "Result: only protocol 2 is allowed"
- Display --indent 4 --text "- SSH option: Protocol..." --result OK --color GREEN
- AddHP 3 3
- else
- logtext "Result: value of Protocol is unknown (not defined)"
- Display --indent 4 --text "- SSH option: Protocol..." --result DEFAULT --color WHITE
- fi
- fi
+ AddHP 0 3
+ else
+ if [ "${FIND}" = "2" ]; then
+ logtext "Result: only protocol 2 is allowed"
+ Display --indent 4 --text "- SSH option: Protocol..." --result OK --color GREEN
+ AddHP 3 3
+ else
+ logtext "Result: value of Protocol is unknown (not defined)"
+ Display --indent 4 --text "- SSH option: Protocol..." --result DEFAULT --color WHITE
+ fi
+ fi
 fi
 #
 #################################################################################
@@ -170,24 +176,24 @@
 if [ ${SSH_DAEMON_RUNNING} -eq 1 -a ! "${SSH_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
 Register --test-no SSH-7416 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check SSH option: StrictModes"
 if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: Check configured StrictModes option"
- FIND=`cat ${SSH_DAEMON_CONFIG} | grep "^StrictModes" | awk '{ print $2 }'`
- if [ "${FIND}" = "no" -o "${FIND}" = "NO" -o "${FIND}" = "No" ]; then
- logtext "Result: StrictModes option is set to 'no', which means file permissions are NOT checked"
- Display --indent 4 --text "- SSH option: StrictModes..." --result WARNING --color RED
+ logtext "Test: Check configured StrictModes option"
+ FIND=`cat ${SSH_DAEMON_CONFIG} | grep "^StrictModes" | awk '{ print $2 }'`
+ if [ "${FIND}" = "no" -o "${FIND}" = "NO" -o "${FIND}" = "No" ]; then
+ logtext "Result: StrictModes option is set to 'no', which means file permissions are NOT checked"
+ Display --indent 4 --text "- SSH option: StrictModes..." --result WARNING --color RED
 ReportWarning ${TEST_NO} "M" "StrictModes is turned off"
- ReportSuggestion ${TEST_NO} "Check StrictModes option in sshd_config"
- AddHP 0 3
- else
- if [ "${FIND}" = "yes" -o "${FIND}" = "YES" -o "${FIND}" = "Yes" ]; then
- logtext "Result: StrictModes active, file permissions are checked"
- Display --indent 4 --text "- SSH option: StrictModes..." --result OK --color GREEN
- AddHP 3 3
- else
- logtext "Result: value of StrictModes is unknown (not defined)"
- Display --indent 4 --text "- SSH option: StrictModes..." --result DEFAULT --color WHITE
- fi
- fi
+ ReportSuggestion ${TEST_NO} "Check StrictModes option in sshd_config"
+ AddHP 0 3
+ else
+ if [ "${FIND}" = "yes" -o "${FIND}" = "YES" -o "${FIND}" = "Yes" ]; then
+ logtext "Result: StrictModes active, file permissions are checked"
+ Display --indent 4 --text "- SSH option: StrictModes..."
--result OK --color GREEN
+ AddHP 3 3
+ else
+ logtext "Result: value of StrictModes is unknown (not defined)"
+ Display --indent 4 --text "- SSH option: StrictModes..." --result DEFAULT --color WHITE
+ fi
+ fi
 fi
 #
 #################################################################################
@@ -225,35 +231,35 @@
 Register --test-no SSH-7440 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check SSH option: AllowUsers and AllowGroups"
 if [ ${SKIPTEST} -eq 0 ]; then
 FOUND=0
- # AllowUsers
- FIND=`egrep "^AllowUsers" ${SSH_DAEMON_CONFIG} | awk '{ print $2 }'`
- if [ ! "${FIND}" = "" ]; then
- logtext "Result: AllowUsers set, with value ${FIND}"
- Display --indent 4 --text "- SSH option: AllowUsers..." --result FOUND --color GREEN
- FOUND=1
- else
- logtext "Result: AllowUsers is not set"
- Display --indent 4 --text "- SSH option: AllowUsers..." --result "NOT FOUND" --color WHITE
- fi
-
- # AllowGroups
- FIND=`egrep "^AllowGroups" ${SSH_DAEMON_CONFIG} | awk '{ print $2 }'`
- if [ ! "${FIND}" = "" ]; then
- logtext "Result: AllowUsers set ${FIND}"
- Display --indent 4 --text "- SSH option: AllowGroups..." --result FOUND --color GREEN
- FOUND=1
- else
- logtext "Result: AllowGroups is not set"
- Display --indent 4 --text "- SSH option: AllowGroups..." --result "NOT FOUND" --color WHITE
- fi
+ # AllowUsers
+ FIND=`egrep "^AllowUsers" ${SSH_DAEMON_CONFIG} | awk '{ print $2 }'`
+ if [ ! "${FIND}" = "" ]; then
+ logtext "Result: AllowUsers set, with value ${FIND}"
+ Display --indent 4 --text "- SSH option: AllowUsers..." --result FOUND --color GREEN
+ FOUND=1
+ else
+ logtext "Result: AllowUsers is not set"
+ Display --indent 4 --text "- SSH option: AllowUsers..." --result "NOT FOUND" --color WHITE
+ fi

- if [ ${FOUND} -eq 1 ]; then
- logtext "Result: SSH is limited to a specific set of users, which is good"
- AddHP 2 2
- else
- logtext "Result: SSH has no specific user or group limitation. Most likely all valid users can SSH to this machine."
- AddHP 0 1
- fi
+ # AllowGroups
+ FIND=`egrep "^AllowGroups" ${SSH_DAEMON_CONFIG} | awk '{ print $2 }'`
+ if [ ! "${FIND}" = "" ]; then
+ logtext "Result: AllowUsers set ${FIND}"
+ Display --indent 4 --text "- SSH option: AllowGroups..."
--result FOUND --color GREEN
+ FOUND=1
+ else
+ logtext "Result: AllowGroups is not set"
+ Display --indent 4 --text "- SSH option: AllowGroups..." --result "NOT FOUND" --color WHITE
+ fi
+
+ if [ ${FOUND} -eq 1 ]; then
+ logtext "Result: SSH is limited to a specific set of users, which is good"
+ AddHP 2 2
+ else
+ logtext "Result: SSH has no specific user or group limitation. Most likely all valid users can SSH to this machine."
+ AddHP 0 1
+ fi
 fi
 #
 #################################################################################