Made adjustments to run in non-privileged scans

This commit is contained in:
mboelen 2014-09-09 14:49:37 +02:00
parent 3beae44e92
commit dd2ea3efaf
7 changed files with 447 additions and 406 deletions


@ -194,18 +194,18 @@
# Description : Check for non unique groups # Description : Check for non unique groups
Register --test-no AUTH-9222 --weight L --network NO --description "Check for non unique groups" Register --test-no AUTH-9222 --weight L --network NO --description "Check for non unique groups"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Checking for non unique group ID's in /etc/group" logtext "Test: Checking for non unique group ID's in /etc/group"
FIND=`cat /etc/group | grep -v '^#' | grep -v '^$' | awk -F: '{ print $3 }' | sort | uniq -d` FIND=`cat /etc/group | grep -v '^#' | grep -v '^$' | awk -F: '{ print $3 }' | sort | uniq -d`
if [ "${FIND}" = "" ]; then if [ "${FIND}" = "" ]; then
Display --indent 2 --text "- Checking non unique group ID's..." --result OK --color GREEN Display --indent 2 --text "- Checking non unique group ID's..." --result OK --color GREEN
logtext "Result: All group ID's are unique" logtext "Result: All group ID's are unique"
else else
Display --indent 2 --text "- Checking non unique group ID's..." --result WARNING --color RED Display --indent 2 --text "- Checking non unique group ID's..." --result WARNING --color RED
logtext "Result: Found the same group ID multiple times" logtext "Result: Found the same group ID multiple times"
logtext "Output: ${FIND}" logtext "Output: ${FIND}"
ReportWarning ${TEST_NO} "H" "Found multiple groups with same group ID" ReportWarning ${TEST_NO} "H" "Found multiple groups with same group ID"
ReportSuggestion ${TEST_NO} "Check your /etc/group file and correct inconsistencies" ReportSuggestion ${TEST_NO} "Check your /etc/group file and correct inconsistencies"
fi fi
fi fi
# #
################################################################################# #################################################################################
@ -277,17 +277,17 @@
if [ -x /usr/sbin/pwck ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if [ -x /usr/sbin/pwck ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no AUTH-9230 --os Solaris --preqs-met ${PREQS_MET} --weight L --network NO --description "Check password file consistency" Register --test-no AUTH-9230 --os Solaris --preqs-met ${PREQS_MET} --weight L --network NO --description "Check password file consistency"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Checking password file consistency (pwck)" logtext "Test: Checking password file consistency (pwck)"
FIND=`/usr/sbin/pwck 2> /dev/null; echo $?` FIND=`/usr/sbin/pwck 2> /dev/null; echo $?`
if [ "${FIND}" = "0" ]; then if [ "${FIND}" = "0" ]; then
Display --indent 2 --text "- Checking password file consistency..." --result OK --color GREEN Display --indent 2 --text "- Checking password file consistency..." --result OK --color GREEN
logtext "Result: pwck finished didn't find problems" logtext "Result: pwck finished didn't find problems"
else else
Display --indent 2 --text "- Checking password file consistency..." --result WARNING --color RED Display --indent 2 --text "- Checking password file consistency..." --result WARNING --color RED
logtext "Result: pwck found one or more errors/warnings in the password file." logtext "Result: pwck found one or more errors/warnings in the password file."
ReportWarning ${TEST_NO} "M" "pwck found one or more errors/warnings in the password file" ReportWarning ${TEST_NO} "M" "pwck found one or more errors/warnings in the password file"
ReportSuggestion ${TEST_NO} "Run pwck manually and correct found issues." ReportSuggestion ${TEST_NO} "Run pwck manually and correct found issues."
fi fi
fi fi
# #
################################################################################# #################################################################################
@ -377,25 +377,25 @@
# Description : Query NIS+ authentication support # Description : Query NIS+ authentication support
Register --test-no AUTH-9240 --weight L --network NO --description "Query NIS+ authentication support" Register --test-no AUTH-9240 --weight L --network NO --description "Query NIS+ authentication support"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
if [ -f /etc/nsswitch.conf ]; then if [ -f /etc/nsswitch.conf ]; then
FIND=`egrep "^passwd" /etc/nsswitch.conf | egrep "compat|nisplus"` FIND=`egrep "^passwd" /etc/nsswitch.conf | egrep "compat|nisplus"`
if [ "${FIND}" = "" ]; then if [ "${FIND}" = "" ]; then
logtext "Result: NIS+ authentication not enabled" logtext "Result: NIS+ authentication not enabled"
Display --indent 2 --text "- Checking NIS+ authentication support" --result "NOT ENABLED" --color WHITE Display --indent 2 --text "- Checking NIS+ authentication support" --result "NOT ENABLED" --color WHITE
else else
FIND2=`egrep "^passwd_compat" /etc/nsswitch.conf | grep "nisplus"` FIND2=`egrep "^passwd_compat" /etc/nsswitch.conf | grep "nisplus"`
FIND3=`egrep "^passwd" /etc/nsswitch.conf | grep "nisplus"` FIND3=`egrep "^passwd" /etc/nsswitch.conf | grep "nisplus"`
if [ ! "${FIND2}" = "" -o ! "${FIND3}" = "" ]; then if [ ! "${FIND2}" = "" -o ! "${FIND3}" = "" ]; then
logtext "Result: NIS+ authentication enabled" logtext "Result: NIS+ authentication enabled"
Display --indent 2 --text "- Checking NIS+ authentication support" --result "ENABLED" --color GREEN Display --indent 2 --text "- Checking NIS+ authentication support" --result "ENABLED" --color GREEN
else else
logtext "Result: NIS+ authentication not enabled" logtext "Result: NIS+ authentication not enabled"
Display --indent 2 --text "- Checking NIS+ authentication support" --result "NOT ENABLED" --color WHITE Display --indent 2 --text "- Checking NIS+ authentication support" --result "NOT ENABLED" --color WHITE
fi fi
fi fi
else else
logtext "Result: /etc/nsswitch.conf not found" logtext "Result: /etc/nsswitch.conf not found"
fi fi
fi fi
# #
################################################################################# #################################################################################
@ -404,25 +404,25 @@
# Description : Query NIS authentication support # Description : Query NIS authentication support
Register --test-no AUTH-9242 --weight L --network NO --description "Query NIS authentication support" Register --test-no AUTH-9242 --weight L --network NO --description "Query NIS authentication support"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
if [ -f /etc/nsswitch.conf ]; then if [ -f /etc/nsswitch.conf ]; then
FIND=`egrep "^passwd" /etc/nsswitch.conf | egrep "compat|nis" | grep -v "nisplus"` FIND=`egrep "^passwd" /etc/nsswitch.conf | egrep "compat|nis" | grep -v "nisplus"`
if [ "${FIND}" = "" ]; then if [ "${FIND}" = "" ]; then
logtext "Result: NIS authentication not enabled" logtext "Result: NIS authentication not enabled"
Display --indent 2 --text "- Checking NIS authentication support" --result "NOT ENABLED" --color WHITE Display --indent 2 --text "- Checking NIS authentication support" --result "NOT ENABLED" --color WHITE
else else
FIND2=`egrep "^passwd_compat" /etc/nsswitch.conf | grep "nis" | grep -v "nisplus"` FIND2=`egrep "^passwd_compat" /etc/nsswitch.conf | grep "nis" | grep -v "nisplus"`
FIND3=`egrep "^passwd" /etc/nsswitch.conf | grep "nis" | grep -v "nisplus"` FIND3=`egrep "^passwd" /etc/nsswitch.conf | grep "nis" | grep -v "nisplus"`
if [ ! "${FIND2}" = "" -o ! "${FIND3}" = "" ]; then if [ ! "${FIND2}" = "" -o ! "${FIND3}" = "" ]; then
logtext "Result: NIS authentication enabled" logtext "Result: NIS authentication enabled"
Display --indent 2 --text "- Checking NIS authentication support" --result "ENABLED" --color GREEN Display --indent 2 --text "- Checking NIS authentication support" --result "ENABLED" --color GREEN
else else
logtext "Result: NIS authentication not enabled" logtext "Result: NIS authentication not enabled"
Display --indent 2 --text "- Checking NIS authentication support" --result "NOT ENABLED" --color WHITE Display --indent 2 --text "- Checking NIS authentication support" --result "NOT ENABLED" --color WHITE
fi fi
fi fi
else else
logtext "Result: /etc/nsswitch.conf not found" logtext "Result: /etc/nsswitch.conf not found"
fi fi
fi fi
# #
################################################################################# #################################################################################
@ -450,22 +450,22 @@
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
FOUND=0 FOUND=0
for I in ${SUDOERS_LOCATIONS}; do for I in ${SUDOERS_LOCATIONS}; do
logtext "Test: checking presence ${I}" logtext "Test: checking presence ${I}"
if [ -f ${I} ]; then if [ -f ${I} ]; then
FOUND=1 FOUND=1
SUDOERS_FILE="${I}" SUDOERS_FILE="${I}"
logtext "Result: found file (${SUDOERS_FILE})" logtext "Result: found file (${SUDOERS_FILE})"
else else
logtext "Result: file ${I} not found" logtext "Result: file ${I} not found"
fi fi
done done
if [ ${FOUND} -eq 1 ]; then if [ ${FOUND} -eq 1 ]; then
logtext "Result: sudoers file found (${SUDOERS_FILE})" logtext "Result: sudoers file found (${SUDOERS_FILE})"
Display --indent 2 --text "- Checking sudoers file" --result FOUND --color GREEN Display --indent 2 --text "- Checking sudoers file" --result FOUND --color GREEN
# YYY add more tests to audit sudoers file # YYY add more tests to audit sudoers file
else else
logtext "Result: sudoers file NOT found" logtext "Result: sudoers file NOT found"
Display --indent 2 --text "- Checking sudoers file" --result "NOT FOUND" --color YELLOW Display --indent 2 --text "- Checking sudoers file" --result "NOT FOUND" --color YELLOW
fi fi
fi fi
# #
@ -476,16 +476,16 @@
if [ ! "${SUDOERS_FILE}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if [ ! "${SUDOERS_FILE}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no AUTH-9252 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check sudoers file" Register --test-no AUTH-9252 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check sudoers file"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: checking sudoers file (${SUDOERS_FILE}) permissions" logtext "Test: checking sudoers file (${SUDOERS_FILE}) permissions"
FIND=`ls -l ${SUDOERS_FILE} | cut -c 2-10` FIND=`ls -l ${SUDOERS_FILE} | cut -c 2-10`
logtext "Result: Found file permissions: ${FIND}" logtext "Result: Found file permissions: ${FIND}"
if [ "${FIND}" = "rw-------" -o "${FIND}" = "rw-rw----" -o "${FIND}" = "r--r-----" ]; then if [ "${FIND}" = "rw-------" -o "${FIND}" = "rw-rw----" -o "${FIND}" = "r--r-----" ]; then
logtext "Result: file ${SUDOERS_FILE} has correct permissions" logtext "Result: file ${SUDOERS_FILE} has correct permissions"
Display --indent 4 --text "- Check sudoers file permissions" --result OK --color GREEN Display --indent 4 --text "- Check sudoers file permissions" --result OK --color GREEN
else else
logtext "Result: file has possibly unsafe file permissions" logtext "Result: file has possibly unsafe file permissions"
Display --indent 4 --text "- Check sudoers file permissions" --result WARNING --color RED Display --indent 4 --text "- Check sudoers file permissions" --result WARNING --color RED
fi fi
fi fi
# #
################################################################################# #################################################################################
@ -494,16 +494,16 @@
# Description : Solaris test to check passwordless accounts # Description : Solaris test to check passwordless accounts
Register --test-no AUTH-9254 --os Solaris --weight L --network NO --description "Solaris passwordless accounts" Register --test-no AUTH-9254 --os Solaris --weight L --network NO --description "Solaris passwordless accounts"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
FIND=`logins -p | awk '{ print $1 }'` FIND=`logins -p | awk '{ print $1 }'`
if [ "${FIND}" = "" ]; then if [ "${FIND}" = "" ]; then
logtext "Result: no passwordless accounts found" logtext "Result: no passwordless accounts found"
Display --indent 2 --text "- Checking passwordless accounts on Solaris" --result OK --color GREEN Display --indent 2 --text "- Checking passwordless accounts on Solaris" --result OK --color GREEN
else else
for I in ${FIND}; do for I in ${FIND}; do
ReportWarning ${TEST_NO} "H" "Found passwordless account (${I})" ReportWarning ${TEST_NO} "H" "Found passwordless account (${I})"
done done
Display --indent 2 --text "- Checking passwordless accounts on Solaris" --result WARNING --color RED Display --indent 2 --text "- Checking passwordless accounts on Solaris" --result WARNING --color RED
fi fi
fi fi
# #
################################################################################# #################################################################################
@ -624,25 +624,25 @@
# Description : Scan /etc/pam.conf file # Description : Scan /etc/pam.conf file
Register --test-no AUTH-9264 --weight L --network NO --description "Checking presence pam.conf" Register --test-no AUTH-9264 --weight L --network NO --description "Checking presence pam.conf"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Checking file /etc/pam.conf" logtext "Test: Checking file /etc/pam.conf"
if [ -f /etc/pam.conf ]; then if [ -f /etc/pam.conf ]; then
logtext "Result: file /etc/pam.conf exists" logtext "Result: file /etc/pam.conf exists"
Display --indent 2 --text "- Checking PAM configuration files (pam.conf)" --result FOUND --color GREEN Display --indent 2 --text "- Checking PAM configuration files (pam.conf)" --result FOUND --color GREEN
logtext "Test: searching PAM configuration files" logtext "Test: searching PAM configuration files"
FIND=`cat /etc/pam.conf | grep -v "^#" | grep -v "^$" | sed 's/ /!space!/g'` FIND=`cat /etc/pam.conf | grep -v "^#" | grep -v "^$" | sed 's/ /!space!/g'`
if [ "${FIND}" = "" ]; then if [ "${FIND}" = "" ]; then
logtext "Result: File has no configuration options defined (empty, or only filled with comments and empty lines)" logtext "Result: File has no configuration options defined (empty, or only filled with comments and empty lines)"
else else
logtext "Result: found one or more configuration lines" logtext "Result: found one or more configuration lines"
for I in ${FIND}; do for I in ${FIND}; do
I=`echo ${I} | sed 's/!space!/ /g'` I=`echo ${I} | sed 's/!space!/ /g'`
logtext "Found line: ${I}" logtext "Found line: ${I}"
done done
fi fi
else else
logtext "Result: file /etc/pam.conf could not be found" logtext "Result: file /etc/pam.conf could not be found"
Display --indent 2 --text "- Checking PAM configuration file (pam.conf)" --result "NOT FOUND" --color WHITE Display --indent 2 --text "- Checking PAM configuration file (pam.conf)" --result "NOT FOUND" --color WHITE
fi fi
fi fi
# #
################################################################################# #################################################################################
@ -651,19 +651,19 @@
# Description : Searching available PAM configurations (/etc/pam.d) # Description : Searching available PAM configurations (/etc/pam.d)
Register --test-no AUTH-9266 --weight L --network NO --description "Checking presence pam.d files" Register --test-no AUTH-9266 --weight L --network NO --description "Checking presence pam.d files"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Checking directory /etc/pam.d" logtext "Test: Checking directory /etc/pam.d"
if [ -d /etc/pam.d ]; then if [ -d /etc/pam.d ]; then
logtext "Result: directory /etc/pam.d exists" logtext "Result: directory /etc/pam.d exists"
Display --indent 2 --text "- Checking PAM configuration files (pam.d)" --result FOUND --color GREEN Display --indent 2 --text "- Checking PAM configuration files (pam.d)" --result FOUND --color GREEN
logtext "Test: searching PAM configuration files" logtext "Test: searching PAM configuration files"
FIND=`find /etc/pam.d -type f -print | sort` FIND=`find /etc/pam.d -type f -print | sort`
for I in ${FIND}; do for I in ${FIND}; do
logtext "Found file: ${I}" logtext "Found file: ${I}"
done done
else else
logtext "Result: directory /etc/pam.d could not be found" logtext "Result: directory /etc/pam.d could not be found"
Display --indent 2 --text "- Checking PAM configuration files (pam.d)" --result "NOT FOUND" --color WHITE Display --indent 2 --text "- Checking PAM configuration files (pam.d)" --result "NOT FOUND" --color WHITE
fi fi
fi fi
# #
################################################################################# #################################################################################
@ -709,25 +709,25 @@
# Description : Search LDAP support in PAM files # Description : Search LDAP support in PAM files
Register --test-no AUTH-9278 --weight L --network NO --description "Checking LDAP pam status" Register --test-no AUTH-9278 --weight L --network NO --description "Checking LDAP pam status"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: checking presence /etc/pam.d/common-auth" logtext "Test: checking presence /etc/pam.d/common-auth"
if [ -f /etc/pam.d/common-auth ]; then if [ -f /etc/pam.d/common-auth ]; then
logtext "Result: file /etc/pam.d/common-auth exists" logtext "Result: file /etc/pam.d/common-auth exists"
logtext "Test: checking presence LDAP module" logtext "Test: checking presence LDAP module"
FIND=`cat /etc/pam.d/common-auth | grep "^auth" | grep "ldap"` FIND=`cat /etc/pam.d/common-auth | grep "^auth" | grep "ldap"`
if [ ! "${FIND}" = "" ]; then if [ ! "${FIND}" = "" ]; then
logtext "Result: LDAP module present" logtext "Result: LDAP module present"
logtext "Output: ${FIND}" logtext "Output: ${FIND}"
Display --indent 2 --text "- Checking LDAP module in PAM" --result FOUND --color GREEN Display --indent 2 --text "- Checking LDAP module in PAM" --result FOUND --color GREEN
LDAP_AUTH_ENABLED=1 LDAP_AUTH_ENABLED=1
LDAP_PAM_ENABLED=1 LDAP_PAM_ENABLED=1
else else
logtext "Result: LDAP module not found" logtext "Result: LDAP module not found"
Display --indent 2 --text "- Checking LDAP module in PAM" --result "NOT FOUND" --color WHITE Display --indent 2 --text "- Checking LDAP module in PAM" --result "NOT FOUND" --color WHITE
# YYY display message when ldap is enabled in /etc/passwd, but not found in PAM # YYY display message when ldap is enabled in /etc/passwd, but not found in PAM
fi fi
else else
logtext "Result: file /etc/pam.d/common-auth not found, skipping test" logtext "Result: file /etc/pam.d/common-auth not found, skipping test"
fi fi
fi fi
# #
################################################################################# #################################################################################
@ -740,13 +740,13 @@
case ${LINUX_VERSION} in case ${LINUX_VERSION} in
"SuSE") "SuSE")
PREQS_MET="YES" PREQS_MET="YES"
FIND=`passwd -a -S | awk '{ if ($2=="P" && $5=="99999") print $1 }'` FIND=`passwd -a -S 2> /dev/null | awk '{ if ($2=="P" && $5=="99999") print $1 }'`
FIND2=`passwd -a -S | awk '{ if ($2=="NP") print $1 }'` FIND2=`passwd -a -S 2> /dev/null | awk '{ if ($2=="NP") print $1 }'`
;; ;;
*) *)
PREQS_MET="YES" PREQS_MET="YES"
FIND=`passwd --all --status | awk '{ if ($2=="P" && $5=="99999") print $1 }'` FIND=`passwd --all --status 2> /dev/null | awk '{ if ($2=="P" && $5=="99999") print $1 }'`
FIND2=`passwd --all --status | awk '{ if ($2=="NP") print $1 }'` FIND2=`passwd --all --status 2> /dev/null | awk '{ if ($2=="NP") print $1 }'`
;; ;;
esac esac
else else
@ -803,20 +803,20 @@
if [ -f /etc/login.defs ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if [ -f /etc/login.defs ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no AUTH-9286 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking user password aging" Register --test-no AUTH-9286 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking user password aging"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Checking PASS_MAX_DAYS option in /etc/login.defs " logtext "Test: Checking PASS_MAX_DAYS option in /etc/login.defs "
FIND=`grep "^PASS_MAX_DAYS" /etc/login.defs | awk '{ if ($1=="PASS_MAX_DAYS") { print $2 } }'` FIND=`grep "^PASS_MAX_DAYS" /etc/login.defs | awk '{ if ($1=="PASS_MAX_DAYS") { print $2 } }'`
if [ "${FIND}" = "" -o "${FIND}" = "99999" ]; then if [ "${FIND}" = "" -o "${FIND}" = "99999" ]; then
# YYY check if LDAP is used with password policies # YYY check if LDAP is used with password policies
logtext "Result: password aging limits are not configured" logtext "Result: password aging limits are not configured"
Display --indent 2 --text "- Checking user password aging" --result DISABLED --color YELLOW Display --indent 2 --text "- Checking user password aging" --result DISABLED --color YELLOW
ReportSuggestion ${TEST_NO} "Configure password aging limits to enforce password changing on a regular base" ReportSuggestion ${TEST_NO} "Configure password aging limits to enforce password changing on a regular base"
AddHP 0 1 AddHP 0 1
else else
logtext "Result: accounts with password aging set are checked against PASS_MAX_DAYS" logtext "Result: accounts with password aging set are checked against PASS_MAX_DAYS"
logtext "Result: value of PASS_MAX_DAYS is ${FIND}" logtext "Result: value of PASS_MAX_DAYS is ${FIND}"
Display --indent 2 --text "- Checking user password aging" --result OK --color GREEN Display --indent 2 --text "- Checking user password aging" --result OK --color GREEN
AddHP 3 3 AddHP 3 3
fi fi
fi fi
# #
################################################################################# #################################################################################
@ -831,24 +831,24 @@
# Notes : sulogin should be called from svm script (Solaris <10) in /etc/rcS.d (YYY) # Notes : sulogin should be called from svm script (Solaris <10) in /etc/rcS.d (YYY)
Register --test-no AUTH-9304 --os Solaris --weight L --network NO --description "Check single user login configuration" Register --test-no AUTH-9304 --os Solaris --weight L --network NO --description "Check single user login configuration"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
# Check if file exists (Solaris 10 does not have this file by default) # Check if file exists (Solaris 10 does not have this file by default)
if [ -f /etc/default/sulogin ]; then if [ -f /etc/default/sulogin ]; then
logtext "Result: file /etc/default/sulogin exists" logtext "Result: file /etc/default/sulogin exists"
logtext "Test: checking presence PASSREQ=NO" logtext "Test: checking presence PASSREQ=NO"
FIND=`grep "^PASSREQ=NO" /etc/default/sulogin` FIND=`grep "^PASSREQ=NO" /etc/default/sulogin`
if [ "${FIND}" = "" ]; then if [ "${FIND}" = "" ]; then
logtext "Result: option not present or configured to request a password at single user mode login" logtext "Result: option not present or configured to request a password at single user mode login"
Display --indent 2 --text "- Checking Solaris /etc/default/sulogin file" --result OK --color GREEN Display --indent 2 --text "- Checking Solaris /etc/default/sulogin file" --result OK --color GREEN
AddHP 1 1 AddHP 1 1
else else
logtext "Result: option present, no password needed at single user mode login" logtext "Result: option present, no password needed at single user mode login"
Display --indent 2 --text "- Checking Solaris /etc/default/sulogin file" --result WARNING --color RED Display --indent 2 --text "- Checking Solaris /etc/default/sulogin file" --result WARNING --color RED
ReportWarning ${TEST_NO} "H" "No password needed for single user mode login" ReportWarning ${TEST_NO} "H" "No password needed for single user mode login"
AddHP 0 1 AddHP 0 1
fi fi
else else
logtext "Result: file /etc/default/sulogin does not exist" logtext "Result: file /etc/default/sulogin does not exist"
fi fi
fi fi
# #
################################################################################# #################################################################################
@ -860,25 +860,25 @@
# disabled a required login. # disabled a required login.
Register --test-no AUTH-9306 --os HP-UX --weight L --network NO --description "Check single boot authentication" Register --test-no AUTH-9306 --os HP-UX --weight L --network NO --description "Check single boot authentication"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
# Check if file exists # Check if file exists
logtext "Test: Searching /tcb/files/auth/system/default" logtext "Test: Searching /tcb/files/auth/system/default"
if [ -f /tcb/files/auth/system/default ]; then if [ -f /tcb/files/auth/system/default ]; then
logtext "Result: file /tcb/files/auth/system/default exists" logtext "Result: file /tcb/files/auth/system/default exists"
logtext "Test: checking presence :d_boot_authenticate@:" logtext "Test: checking presence :d_boot_authenticate@:"
FIND=`grep "^:d_boot_authenticate@" /tcb/files/auth/system/default` FIND=`grep "^:d_boot_authenticate@" /tcb/files/auth/system/default`
if [ "${FIND}" = "" ]; then if [ "${FIND}" = "" ]; then
logtext "Result: option not set, password is needed at boot" logtext "Result: option not set, password is needed at boot"
Display --indent 2 --text "- Checking HP-UX boot authentication" --result OK --color GREEN Display --indent 2 --text "- Checking HP-UX boot authentication" --result OK --color GREEN
AddHP 1 1 AddHP 1 1
else else
logtext "Result: option present, no password needed at single user mode login" logtext "Result: option present, no password needed at single user mode login"
Display --indent 2 --text "- Checking HP-UX boot authentication" --result SUGGESTION --color YELLOW Display --indent 2 --text "- Checking HP-UX boot authentication" --result SUGGESTION --color YELLOW
ReportSuggestion ${TEST_NO} "Set password for system boot" ReportSuggestion ${TEST_NO} "Set password for system boot"
AddHP 0 1 AddHP 0 1
fi fi
else else
logtext "Result: file /tcb/files/auth/system/default does not exist" logtext "Result: file /tcb/files/auth/system/default does not exist"
fi fi
fi fi
# #
################################################################################# #################################################################################
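Review bot: Discarding stderr of `passwd -a -S` and `passwd --all --status` on the four changed lines makes a permission failure indistinguishable from a clean result: in a non-privileged scan passwd typically exits non-zero with no output, so FIND and FIND2 are empty and the reporting code (outside the hunk) would presumably conclude that no account has password aging disabled or an empty password. The exit status should be checked once and the test marked as not meeting its prerequisites instead, assuming the Register call below consumes PREQS_MET the way the other tests in this file do. Capturing the output once also avoids running passwd twice per branch. The enclosing if/else starts and ends outside the hunk; the same change applies to the default `*)` branch.
```shell
        "SuSE")
            PREQS_MET="YES"
            PASSWD_STATUS=`passwd -a -S 2> /dev/null`
            if [ $? -ne 0 ]; then PREQS_MET="NO"; logtext "Result: passwd -a -S failed (insufficient privileges?)"; fi
            FIND=`echo "${PASSWD_STATUS}" | awk '{ if ($2=="P" && $5=="99999") print $1 }'`
            FIND2=`echo "${PASSWD_STATUS}" | awk '{ if ($2=="NP") print $1 }'`
        ;;
        # … unchanged: default *) branch, same pattern with passwd --all --status …
```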


@ -39,21 +39,26 @@
Display --indent 4 --text "- Checking presence GRUB... " --result "OK" --color GREEN Display --indent 4 --text "- Checking presence GRUB... " --result "OK" --color GREEN
if [ -f /boot/grub/grub.conf ]; then GRUBCONFFILE="/boot/grub/grub.conf"; else GRUBCONFFILE="/boot/grub/menu.lst"; fi if [ -f /boot/grub/grub.conf ]; then GRUBCONFFILE="/boot/grub/grub.conf"; else GRUBCONFFILE="/boot/grub/menu.lst"; fi
logtext "Found file ${GRUBCONFFILE}, proceeding with tests." logtext "Found file ${GRUBCONFFILE}, proceeding with tests."
FIND=`cat ${GRUBCONFFILE} | grep 'password --md5' | grep -v '^#'` FileIsReadable ${GRUBCONFFILE}
FIND2=`cat ${GRUBCONFFILE} | grep 'password --encrypted' | grep -v '^#'` if [ ${CANREAD} -eq 1 ]; then
if [ "${FIND}" = "" -a "${FIND2}" = "" ]; then FIND=`cat ${GRUBCONFFILE} | grep 'password --md5' | grep -v '^#'`
Display --indent 6 --text "- Checking for password protection..." --result WARNING --color RED FIND2=`cat ${GRUBCONFFILE} | grep 'password --encrypted' | grep -v '^#'`
logtext "Result: Didn't find MD5/SHA1 hashed password line in GRUB boot file!" if [ "${FIND}" = "" -a "${FIND2}" = "" ]; then
logtext "Risk: user can switch to single user mode by editing current menu items or bypassing them." Display --indent 6 --text "- Checking for password protection..." --result WARNING --color RED
logtext "Additional information: Do NOT use a plaintext password, since the grub.conf or menu.lst file is most likely to be world readable!" logtext "Result: Didn't find MD5/SHA1 hashed password line in GRUB boot file!"
logtext "If an unsecured OS like DOS is used, add 'lock' below that entry and setup a password with the password option, to prevent direct system access." logtext "Risk: user can switch to single user mode by editing current menu items or bypassing them."
ReportWarning ${TEST_NO} "M" "No password set on GRUB bootloader" logtext "Additional information: Do NOT use a plaintext password, since the grub.conf or menu.lst file is most likely to be world readable!"
logtext "Tip: Run grub-crypt or grub-md5-crypt and create a hashed password. Add a line below the line timeout=<value>, add: password --md5 <password hash> or password --encrypted <password hash> for SHA1 encrypted password" logtext "If an unsecured OS like DOS is used, add 'lock' below that entry and setup a password with the password option, to prevent direct system access."
AddHP 0 2 ReportWarning ${TEST_NO} "M" "No password set on GRUB bootloader"
logtext "Tip: Run grub-crypt or grub-md5-crypt and create a hashed password. Add a line below the line timeout=<value>, add: password --md5 <password hash> or password --encrypted <password hash> for SHA1 encrypted password"
AddHP 0 2
else
Display --indent 6 --text "- Checking for password protection..." --result OK --color GREEN
logtext "Result: GRUB has password protection."
AddHP 4 4
fi
else else
Display --indent 6 --text "- Checking for password protection..." --result OK --color GREEN logtext "Warning: can not read ${GRUBCONFFILE}"
logtext "Result: GRUB has password protection."
AddHP 4 4
fi fi
fi fi
@ -114,25 +119,31 @@
# Notes : password= or password = # Notes : password= or password =
Register --test-no BOOT-5139 --weight L --network NO --description "Check for LILO boot loader presence" Register --test-no BOOT-5139 --weight L --network NO --description "Check for LILO boot loader presence"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
LILOCONFFILE="/etc/lilo.conf"
logtext "Test: checking for presence LILO configuration file..." logtext "Test: checking for presence LILO configuration file..."
if [ -f /etc/lilo.conf ]; then if [ -f ${LILOCONFFILE} ]; then
BOOT_LOADER="LILO" FileIsReadable ${LILOCONFFILE}
Display --indent 4 --text "- Checking presence LILO... " --result "OK" --color GREEN if [ ${CANREAD} -eq 1 ]; then
logtext "Checking password option LILO..." BOOT_LOADER="LILO"
FIND=`cat /etc/lilo.conf | ${EGREPBINARY} 'password[[:space:]]?=' | grep -v "^#"` Display --indent 4 --text "- Checking presence LILO... " --result "OK" --color GREEN
if [ "${FIND}" = "" ]; then logtext "Checking password option LILO..."
Display --indent 6 --text "- Password option presence " --result "WARNING" --color RED FIND=`cat ${LILOCONFFILE} | ${EGREPBINARY} 'password[[:space:]]?=' | grep -v "^#"`
logtext "Result: no password set for LILO. Bootloader is unprotected to" if [ "${FIND}" = "" ]; then
logtext "dropping to single user mode or unauthorized access to devices/data." Display --indent 6 --text "- Password option presence " --result "WARNING" --color RED
ReportSuggestion ${TEST_NO} "Add a password to LILO, by adding a line to the lilo.conf file, above the first line saying 'image=<name>': password=<password>" logtext "Result: no password set for LILO. Bootloader is unprotected to"
ReportWarning ${TEST_NO} "M" "No password set on LILO bootloader" logtext "dropping to single user mode or unauthorized access to devices/data."
AddHP 0 2 ReportSuggestion ${TEST_NO} "Add a password to LILO, by adding a line to the lilo.conf file, above the first line saying 'image=<name>': password=<password>"
ReportWarning ${TEST_NO} "M" "No password set on LILO bootloader"
AddHP 0 2
else
Display --indent 6 --text "- Password option presence " --result "OK" --color GREEN
logtext "Result: LILO password option set"
AddHP 4 4
fi
#YYY (making /etc/lilo.conf immutable is a good idea, chattr +i /etc/lilo.conf)
else else
Display --indent 6 --text "- Password option presence " --result "OK" --color GREEN logtext "Warning: can not access ${LILOCONFFILE}"
logtext "Result: LILO password option set"
AddHP 4 4
fi fi
#YYY (making /etc/lilo.conf immutable is a good idea, chattr +i /etc/lilo.conf)
else else
Display --indent 4 --text "- Checking presence LILO... " --result "NOT FOUND" --color WHITE Display --indent 4 --text "- Checking presence LILO... " --result "NOT FOUND" --color WHITE
logtext "Result: LILO configuration file not found" logtext "Result: LILO configuration file not found"


@ -32,23 +32,33 @@
sSSL_PATHS=`grep "^ssl:certificates:" ${PROFILE} | cut -d ':' -f3` sSSL_PATHS=`grep "^ssl:certificates:" ${PROFILE} | cut -d ':' -f3`
for I in ${sSSL_PATHS}; do for I in ${sSSL_PATHS}; do
if [ -d ${I} ]; then if [ -d ${I} ]; then
logtext "Result: found directory ${I}" FileIsReadable ${I}
# Search for CRT files if [ ${CANREAD} -eq 1 ]; then
sFINDCRTS=`find ${I} -name "*.crt" -type f -print 2> /dev/null` logtext "Result: found directory ${I}"
for J in ${sFINDCRTS}; do # Search for CRT files
logtext "Test: checking certificate ${J}" sFINDCRTS=`find ${I} -name "*.crt" -type f -print 2> /dev/null`
# Check certificate where 'end date' has been expired for J in ${sFINDCRTS}; do
FIND=`${OPENSSLBINARY} x509 -noout -checkend 0 -in ${J} -enddate > /dev/null ; echo $?` FileIsReadable ${J}
if [ "${FIND}" = "0" ]; then if [ ${CANREAD} -eq 1 ]; then
logtext "Result: certificate ${J} seems to be correct and still valid" logtext "Test: checking certificate ${J}"
report "valid_certificate[]=${J}|unknown entity|" # Check certificate where 'end date' has been expired
else FIND=`${OPENSSLBINARY} x509 -noout -checkend 0 -in ${J} -enddate > /dev/null ; echo $?`
FOUNDPROBLEM=1 if [ "${FIND}" = "0" ]; then
logtext "Result: certificate ${J} has been expired" logtext "Result: certificate ${J} seems to be correct and still valid"
report "expired_certificate[]=${J}" report "valid_certificate[]=${J}|unknown entity|"
#YYY Dump more information to log file else
fi FOUNDPROBLEM=1
done logtext "Result: certificate ${J} has been expired"
report "expired_certificate[]=${J}"
#YYY Dump more information to log file
fi
else
logtext "Warning: can not read file ${J}"
fi
done
else
logtext "Warning: No read access to path ${I}"
fi
else else
logtext "Result: SSL path ${I} does not exist" logtext "Result: SSL path ${I} does not exist"
fi fi
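Review bot: The new readability guard applies FileIsReadable to the directory `${I}` exactly as it does to a regular file, and if that helper only tests the read bit (its body is not in this hunk) a directory that is readable but not searchable passes the check while `find ${I} -name "*.crt" -type f` silently returns nothing, because its stderr is discarded; a non-privileged scan would then report no certificates instead of the new "No read access to path" warning. For a directory the search permission is the one that matters, so the guard should also cover it, e.g. `if [ ${CANREAD} -eq 1 -a -x ${I} ]; then`. The same directory check is used for the cron directories in the SCHD section further down this page. The enclosing test block starts and ends outside this hunk.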


@ -82,9 +82,9 @@
logtext "Test: check Postfix status" logtext "Test: check Postfix status"
# Some other processes also use master, therefore it should include both master and postfix # Some other processes also use master, therefore it should include both master and postfix
FIND1=`${PSBINARY} ax | grep "master" | grep "postfix" | grep -v "grep"` FIND1=`${PSBINARY} ax | grep "master" | grep "postfix" | grep -v "grep"`
FIND2=`${PSBINARY} ax | grep "qmgr" | grep "postfix" | grep -v "grep"` #FIND2=`${PSBINARY} ax | grep "qmgr" | grep "postfix" | grep -v "grep"`
FIND3=`${PSBINARY} ax | grep "pickup" | grep "postfix" | grep -v "grep"` #FIND3=`${PSBINARY} ax | grep "pickup" | grep "postfix" | grep -v "grep"`
if [ ! "${FIND1}" = "" -a ! "${FIND2}" = "" -a ! "${FIND3}" = "" ]; then if [ ! "${FIND1}" = "" ]; then
logtext "Result: found running Postfix process" logtext "Result: found running Postfix process"
Display --indent 2 --text "- Checking Postfix status..." --result RUNNING --color GREEN Display --indent 2 --text "- Checking Postfix status..." --result RUNNING --color GREEN
POSTFIX_RUNNING=1 POSTFIX_RUNNING=1
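Review bot: Dropping the qmgr and pickup checks turns Postfix detection into a substring match over the full command line of every process, so any process whose arguments contain both "master" and "postfix" (an editor opened on a Postfix master.cf, for example) now sets POSTFIX_RUNNING=1, which the two removed greps previously guarded against. If the master process alone is the intended signal, consider matching the program name rather than arbitrary substrings of the arguments. The reason for the relaxation is not visible in the hunk and should be stated in a comment in place of the commented-out FIND2/FIND3 lines, e.g. `# Only the master process is checked; qmgr/pickup checks were removed because <reason>`, with the dead lines deleted rather than kept. The enclosing test block continues outside this hunk.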


@ -702,7 +702,7 @@
# Trying also with apt-get directly (does not always work, as updates are distributed on both -security and -updates) # Trying also with apt-get directly (does not always work, as updates are distributed on both -security and -updates)
# Show packages which would be upgraded and match 'security' in repository name # Show packages which would be upgraded and match 'security' in repository name
FIND=`/usr/bin/apt-get --dry-run --show-upgraded upgrade | grep '-security' | grep "^Inst" | cut -d ' ' -f2 | sort | uniq` FIND=`/usr/bin/apt-get --dry-run --show-upgraded upgrade 2> /dev/null | grep '-security' | grep "^Inst" | cut -d ' ' -f2 | sort | uniq`
if [ ! "${FIND}" = "" ]; then if [ ! "${FIND}" = "" ]; then
#Display --indent 2 --text "- Checking vulnerable packages..." --result WARNING --color RED #Display --indent 2 --text "- Checking vulnerable packages..." --result WARNING --color RED
VULNERABLE_PACKAGES_FOUND=1 VULNERABLE_PACKAGES_FOUND=1
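Review bot: Redirecting apt-get's stderr to /dev/null inside the pipeline hides the only evidence that the dry run failed, and because the pipeline's status is that of the final `uniq`, a failed or permission-restricted apt-get yields an empty `${FIND}` that the following branch treats as "no vulnerable packages" — a silent false negative in exactly the non-privileged scans this commit targets. The apt-get call should run on its own so its exit status can be tested and a warning logged before the empty result is interpreted. The enclosing test block starts and ends outside this hunk.
```shell
# Run apt-get on its own so its exit status is not masked by the pipeline
APTGET_OUTPUT=`/usr/bin/apt-get --dry-run --show-upgraded upgrade 2> /dev/null`
if [ $? -ne 0 ]; then
    logtext "Warning: apt-get dry-run failed (insufficient privileges?), result may be incomplete"
fi
FIND=`echo "${APTGET_OUTPUT}" | grep '-security' | grep "^Inst" | cut -d ' ' -f2 | sort | uniq`
# … unchanged: evaluation of ${FIND} …
```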

View File

@ -47,20 +47,25 @@
for I in ${CRON_DIRS}; do for I in ${CRON_DIRS}; do
logtext "Test: checking directory ${I}" logtext "Test: checking directory ${I}"
if [ -d ${I} ]; then if [ -d ${I} ]; then
logtext "Result: found directory ${I}" FileIsReadable ${I}
logtext "Test: searching files in ${I}" if [ ${CANREAD} -eq 1 ]; then
FIND=`find ${I} -type f -print` logtext "Result: found directory ${I}"
if [ "${FIND}" = "" ]; then logtext "Test: searching files in ${I}"
logtext "Result: no files found in ${I}" FIND=`find ${I} -type f -print`
else if [ "${FIND}" = "" ]; then
logtext "Result: found one or more files in ${I}. Analyzing files.." logtext "Result: no files found in ${I}"
for J in ${FIND}; do else
FindCronJob ${J} logtext "Result: found one or more files in ${I}. Analyzing files.."
for K in ${sCRONJOBS}; do for J in ${FIND}; do
logtext "Result: Found cronjob (${I}): ${K}" FindCronJob ${J}
for K in ${sCRONJOBS}; do
logtext "Result: Found cronjob (${I}): ${K}"
done
done done
done logtext "Result: done with analyzing files in ${I}"
logtext "Result: done with analyzing files in ${I}" fi
else
logtext "Result: can not read file or directory ${I}"
fi fi
else else
logtext "Result: directory ${I} does not exist" logtext "Result: directory ${I} does not exist"
@ -159,47 +164,56 @@
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
AT_UNKNOWN=0 AT_UNKNOWN=0
case ${OS} in case ${OS} in
FreeBSD) AT_ALLOW="/var/at/at.allow"; AT_DENY="/var/at/at.deny" ;; FreeBSD) AT_ALLOW="/var/at/at.allow"; AT_DENY="/var/at/at.deny" ;;
HPUX) AT_ALLOW="/usr/lib/cron/at.allow"; AT_DENY="/usr/lib/cron/at.deny" ;; HPUX) AT_ALLOW="/usr/lib/cron/at.allow"; AT_DENY="/usr/lib/cron/at.deny" ;;
Linux) AT_ALLOW="/etc/at.allow"; AT_DENY="/etc/at.deny" ;; Linux) AT_ALLOW="/etc/at.allow"; AT_DENY="/etc/at.deny" ;;
OpenBSD) AT_ALLOW="/var/cron/at.allow"; AT_DENY="/var/cron/at.deny" ;; OpenBSD) AT_ALLOW="/var/cron/at.allow"; AT_DENY="/var/cron/at.deny" ;;
SunOS) AT_ALLOW="/etc/cron.d/at.allow"; AT_DENY="/etc/cron.d/at.deny" ;; SunOS) AT_ALLOW="/etc/cron.d/at.allow"; AT_DENY="/etc/cron.d/at.deny" ;;
*) AT_UNKNOWN=1; logtext "Test skipped, files for at unknown" ;; *) AT_UNKNOWN=1; logtext "Test skipped, files for at unknown" ;;
esac esac
if [ ${AT_UNKNOWN} -eq 0 ]; then if [ ${AT_UNKNOWN} -eq 0 ]; then
logtext "Test: checking for file ${AT_ALLOW}" logtext "Test: checking for file ${AT_ALLOW}"
if [ -f ${AT_ALLOW} ]; then if [ -f ${AT_ALLOW} ]; then
logtext "Result: file ${AT_ALLOW} exists, only listed users can schedule at jobs" FileIsReadable ${AT_ALLOW}
FIND=`cat ${AT_ALLOW} | sort` if [ ${CANREAD} -eq 1 ]; then
if [ "${FIND}" = "" ]; then logtext "Result: file ${AT_ALLOW} exists, only listed users can schedule at jobs"
logtext "Result: File empty, no users are allowed to schedule at jobs" FIND=`cat ${AT_ALLOW} | sort`
else if [ "${FIND}" = "" ]; then
for I in ${FIND}; do logtext "Result: File empty, no users are allowed to schedule at jobs"
logtext "Allowed at user: ${I}" else
done for I in ${FIND}; do
fi logtext "Allowed at user: ${I}"
else done
logtext "Result: file ${AT_ALLOW} does not exist" fi
logtext "Test: checking for file ${AT_DENY}" else
if [ -f ${AT_DENY} ]; then logtext "Warning: can not read ${AT_ALLOW}"
logtext "Result: file ${AT_DENY} exists, only non listed users can schedule at jobs" fi
FIND=`cat ${AT_DENY} | sort` else
if [ "${FIND}" = "" ]; then logtext "Result: file ${AT_ALLOW} does not exist"
logtext "Result: file is empty, no users are denied access to schedule jobs" logtext "Test: checking for file ${AT_DENY}"
else if [ -f ${AT_DENY} ]; then
for I in ${FIND}; do if [ -f ${AT_ALLOW} ]; then
logtext "Denied at user: ${I}" logtext "Result: file ${AT_DENY} exists, only non listed users can schedule at jobs"
done FIND=`cat ${AT_DENY} | sort`
fi if [ "${FIND}" = "" ]; then
else logtext "Result: file is empty, no users are denied access to schedule jobs"
logtext "Result: both ${AT_ALLOW} and ${AT_DENY} do not exist" else
logtext "Note: only root can schedule at jobs" for I in ${FIND}; do
fi logtext "Denied at user: ${I}"
fi done
Display --indent 4 --text "- Checking at users" --result DONE --color GREEN fi
else else
logtext "Warning: can not read ${AT_DENY}"
fi
else
logtext "Result: both ${AT_ALLOW} and ${AT_DENY} do not exist"
logtext "Note: only root can schedule at jobs"
fi
fi
Display --indent 4 --text "- Checking at users" --result DONE --color GREEN
else
Display --indent 4 --text "- Checking at users" --result SKIPPED --color YELLOW Display --indent 4 --text "- Checking at users" --result SKIPPED --color YELLOW
fi fi
fi fi
# #
################################################################################# #################################################################################
@ -209,19 +223,19 @@
if [ ${ATD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if [ ${ATD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no SCHD-7724 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check at jobs" Register --test-no SCHD-7724 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check at jobs"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Check scheduled at jobs" logtext "Test: Check scheduled at jobs"
FIND=`atq | grep -v "no files in queue" | ${AWKBINARY} '{gsub("\t"," ");print}' | sed 's/ /!space!/g'` FIND=`atq | grep -v "no files in queue" | ${AWKBINARY} '{gsub("\t"," ");print}' | sed 's/ /!space!/g'`
if [ ! "${FIND}" = "" ]; then if [ ! "${FIND}" = "" ]; then
logtext "Result: found one or more jobs" logtext "Result: found one or more jobs"
for I in ${FIND}; do for I in ${FIND}; do
I=`echo ${I} | sed 's/!space!/ /g'` I=`echo ${I} | sed 's/!space!/ /g'`
logtext "Found at job: ${I}" logtext "Found at job: ${I}"
done done
Display --indent 4 --text "- Checking at jobs" --result FOUND --color GREEN Display --indent 4 --text "- Checking at jobs" --result FOUND --color GREEN
else else
logtext "Result: no pending at jobs" logtext "Result: no pending at jobs"
Display --indent 4 --text "- Checking at jobs" --result NONE --color GREEN Display --indent 4 --text "- Checking at jobs" --result NONE --color GREEN
fi fi
fi fi
# #
################################################################################# #################################################################################
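Review bot: In the SCHD at-users hunk the new guard inside the `if [ -f ${AT_DENY} ]` branch tests `if [ -f ${AT_ALLOW} ]` instead of the readability of the deny file, and since that branch is only reached when `${AT_ALLOW}` does not exist the condition is always false: `${AT_DENY}` is never read and the log always records "Warning: can not read ${AT_DENY}". The two lines should mirror the allow-file path, `FileIsReadable ${AT_DENY}` followed by `if [ ${CANREAD} -eq 1 ]; then`. The earlier cron-directory hunk in this section applies the same file-readability helper to a directory, where search permission is what `find` actually needs.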


@ -59,17 +59,23 @@
ReportException "${TEST_NO}:01" ReportException "${TEST_NO}:01"
logtext "Result: we already had found another sshd_config file. Using this new file then." logtext "Result: we already had found another sshd_config file. Using this new file then."
fi fi
FOUND=1 FileIsReadable ${I}/sshd_config
SSH_DAEMON_CONFIG="${I}/sshd_config" if [ ${CANREAD} -eq 1 ]; then
fi FOUND=1
done SSH_DAEMON_CONFIG="${I}/sshd_config"
if [ "${SSH_DAEMON_CONFIG}" = "" ]; then else
logtext "Result: No sshd configuration found" logtext "Warning: can not read ${I}/sshd_config file"
Display --indent 4 --text "- Searching SSH configuration..." --result "NOT FOUND" --color YELLOW fi
else fi
logtext "Result: using last found configuration file: ${SSH_DAEMON_CONFIG}" done
Display --indent 4 --text "- Searching SSH configuration..." --result FOUND --color GREEN if [ "${SSH_DAEMON_CONFIG}" = "" ]; then
fi logtext "Result: No sshd configuration found"
Display --indent 4 --text "- Searching SSH configuration..." --result "NOT FOUND" --color YELLOW
ReportException "${TEST_NO}:1" "SSH daemon is running, but no readable configuration file found"
else
logtext "Result: using last found configuration file: ${SSH_DAEMON_CONFIG}"
Display --indent 4 --text "- Searching SSH configuration..." --result FOUND --color GREEN
fi
fi fi
# #
################################################################################# #################################################################################
@ -117,24 +123,24 @@
if [ ${SSH_DAEMON_RUNNING} -eq 1 -a ! "${SSH_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if [ ${SSH_DAEMON_RUNNING} -eq 1 -a ! "${SSH_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no SSH-7412 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check SSH option: PermitRootLogin" Register --test-no SSH-7412 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check SSH option: PermitRootLogin"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: check PermitRootLogin option" logtext "Test: check PermitRootLogin option"
FIND=`cat ${SSH_DAEMON_CONFIG} | grep "^PermitRootLogin" | awk '{ print $2 }'` FIND=`cat ${SSH_DAEMON_CONFIG} | grep "^PermitRootLogin" | awk '{ print $2 }'`
if [ "${FIND}" = "yes" -o "${FIND}" = "YES" -o "${FIND}" = "Yes" ]; then if [ "${FIND}" = "yes" -o "${FIND}" = "YES" -o "${FIND}" = "Yes" ]; then
logtext "Result: PermitRootLogin is enabled, root can login directly" logtext "Result: PermitRootLogin is enabled, root can login directly"
Display --indent 4 --text "- SSH option: PermitRootLogin..." --result WARNING --color RED Display --indent 4 --text "- SSH option: PermitRootLogin..." --result WARNING --color RED
ReportWarning ${TEST_NO} "M" "Root can directly login via SSH" ReportWarning ${TEST_NO} "M" "Root can directly login via SSH"
AddHP 0 3 AddHP 0 3
else else
# YYY add test for DenyUsers root # YYY add test for DenyUsers root
if [ "${FIND}" = "no" -o "${FIND}" = "No" ]; then if [ "${FIND}" = "no" -o "${FIND}" = "No" ]; then
logtext "Result: PermitRootLogin is disabled. Root can't login directly" logtext "Result: PermitRootLogin is disabled. Root can't login directly"
Display --indent 4 --text "- SSH option: PermitRootLogin..." --result DISABLED --color GREEN Display --indent 4 --text "- SSH option: PermitRootLogin..." --result DISABLED --color GREEN
AddHP 3 3 AddHP 3 3
else else
logtext "Result: Value of PermitRootLogin is unknown (not defined)" logtext "Result: Value of PermitRootLogin is unknown (not defined)"
Display --indent 4 --text "- SSH option: PermitRootLogin..." --result DEFAULT --color WHITE Display --indent 4 --text "- SSH option: PermitRootLogin..." --result DEFAULT --color WHITE
fi fi
fi fi
fi fi
# #
################################################################################# #################################################################################
@ -144,23 +150,23 @@
if [ ${SSH_DAEMON_RUNNING} -eq 1 -a ! "${SSH_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if [ ${SSH_DAEMON_RUNNING} -eq 1 -a ! "${SSH_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no SSH-7414 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check SSH option: Protocol" Register --test-no SSH-7414 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check SSH option: Protocol"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: check allowed SSH protocol versions" logtext "Test: check allowed SSH protocol versions"
FIND=`cat ${SSH_DAEMON_CONFIG} | grep "^Protocol" | awk '{ print $2 }'` FIND=`cat ${SSH_DAEMON_CONFIG} | grep "^Protocol" | awk '{ print $2 }'`
if [ "${FIND}" = "1" -o "${FIND}" = "2,1" -o "${FIND}" = "1,2" ]; then if [ "${FIND}" = "1" -o "${FIND}" = "2,1" -o "${FIND}" = "1,2" ]; then
logtext "Result: Protocol option is set to allow SSH protocol version 1" logtext "Result: Protocol option is set to allow SSH protocol version 1"
Display --indent 4 --text "- SSH option: Protocol..." --result WARNING --color RED Display --indent 4 --text "- SSH option: Protocol..." --result WARNING --color RED
ReportWarning ${TEST_NO} "M" "SSH protocol version 1 is allowed" ReportWarning ${TEST_NO} "M" "SSH protocol version 1 is allowed"
AddHP 0 3 AddHP 0 3
else else
if [ "${FIND}" = "2" ]; then if [ "${FIND}" = "2" ]; then
logtext "Result: only protocol 2 is allowed" logtext "Result: only protocol 2 is allowed"
Display --indent 4 --text "- SSH option: Protocol..." --result OK --color GREEN Display --indent 4 --text "- SSH option: Protocol..." --result OK --color GREEN
AddHP 3 3 AddHP 3 3
else else
logtext "Result: value of Protocol is unknown (not defined)" logtext "Result: value of Protocol is unknown (not defined)"
Display --indent 4 --text "- SSH option: Protocol..." --result DEFAULT --color WHITE Display --indent 4 --text "- SSH option: Protocol..." --result DEFAULT --color WHITE
fi fi
fi fi
fi fi
# #
################################################################################# #################################################################################
@ -170,24 +176,24 @@
if [ ${SSH_DAEMON_RUNNING} -eq 1 -a ! "${SSH_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if [ ${SSH_DAEMON_RUNNING} -eq 1 -a ! "${SSH_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no SSH-7416 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check SSH option: StrictModes" Register --test-no SSH-7416 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check SSH option: StrictModes"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Check configured StrictModes option" logtext "Test: Check configured StrictModes option"
FIND=`cat ${SSH_DAEMON_CONFIG} | grep "^StrictModes" | awk '{ print $2 }'` FIND=`cat ${SSH_DAEMON_CONFIG} | grep "^StrictModes" | awk '{ print $2 }'`
if [ "${FIND}" = "no" -o "${FIND}" = "NO" -o "${FIND}" = "No" ]; then if [ "${FIND}" = "no" -o "${FIND}" = "NO" -o "${FIND}" = "No" ]; then
logtext "Result: StrictModes option is set to 'no', which means file permissions are NOT checked" logtext "Result: StrictModes option is set to 'no', which means file permissions are NOT checked"
Display --indent 4 --text "- SSH option: StrictModes..." --result WARNING --color RED Display --indent 4 --text "- SSH option: StrictModes..." --result WARNING --color RED
ReportWarning ${TEST_NO} "M" "StrictModes is turned off" ReportWarning ${TEST_NO} "M" "StrictModes is turned off"
ReportSuggestion ${TEST_NO} "Check StrictModes option in sshd_config" ReportSuggestion ${TEST_NO} "Check StrictModes option in sshd_config"
AddHP 0 3 AddHP 0 3
else else
if [ "${FIND}" = "yes" -o "${FIND}" = "YES" -o "${FIND}" = "Yes" ]; then if [ "${FIND}" = "yes" -o "${FIND}" = "YES" -o "${FIND}" = "Yes" ]; then
logtext "Result: StrictModes active, file permissions are checked" logtext "Result: StrictModes active, file permissions are checked"
Display --indent 4 --text "- SSH option: StrictModes..." --result OK --color GREEN Display --indent 4 --text "- SSH option: StrictModes..." --result OK --color GREEN
AddHP 3 3 AddHP 3 3
else else
logtext "Result: value of StrictModes is unknown (not defined)" logtext "Result: value of StrictModes is unknown (not defined)"
Display --indent 4 --text "- SSH option: StrictModes..." --result DEFAULT --color WHITE Display --indent 4 --text "- SSH option: StrictModes..." --result DEFAULT --color WHITE
fi fi
fi fi
fi fi
# #
################################################################################# #################################################################################
@ -225,35 +231,35 @@
Register --test-no SSH-7440 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check SSH option: AllowUsers and AllowGroups" Register --test-no SSH-7440 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check SSH option: AllowUsers and AllowGroups"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
FOUND=0 FOUND=0
# AllowUsers # AllowUsers
FIND=`egrep "^AllowUsers" ${SSH_DAEMON_CONFIG} | awk '{ print $2 }'` FIND=`egrep "^AllowUsers" ${SSH_DAEMON_CONFIG} | awk '{ print $2 }'`
if [ ! "${FIND}" = "" ]; then if [ ! "${FIND}" = "" ]; then
logtext "Result: AllowUsers set, with value ${FIND}" logtext "Result: AllowUsers set, with value ${FIND}"
Display --indent 4 --text "- SSH option: AllowUsers..." --result FOUND --color GREEN Display --indent 4 --text "- SSH option: AllowUsers..." --result FOUND --color GREEN
FOUND=1 FOUND=1
else else
logtext "Result: AllowUsers is not set" logtext "Result: AllowUsers is not set"
Display --indent 4 --text "- SSH option: AllowUsers..." --result "NOT FOUND" --color WHITE Display --indent 4 --text "- SSH option: AllowUsers..." --result "NOT FOUND" --color WHITE
fi fi
# AllowGroups # AllowGroups
FIND=`egrep "^AllowGroups" ${SSH_DAEMON_CONFIG} | awk '{ print $2 }'` FIND=`egrep "^AllowGroups" ${SSH_DAEMON_CONFIG} | awk '{ print $2 }'`
if [ ! "${FIND}" = "" ]; then if [ ! "${FIND}" = "" ]; then
logtext "Result: AllowUsers set ${FIND}" logtext "Result: AllowUsers set ${FIND}"
Display --indent 4 --text "- SSH option: AllowGroups..." --result FOUND --color GREEN Display --indent 4 --text "- SSH option: AllowGroups..." --result FOUND --color GREEN
FOUND=1 FOUND=1
else else
logtext "Result: AllowGroups is not set" logtext "Result: AllowGroups is not set"
Display --indent 4 --text "- SSH option: AllowGroups..." --result "NOT FOUND" --color WHITE Display --indent 4 --text "- SSH option: AllowGroups..." --result "NOT FOUND" --color WHITE
fi fi
if [ ${FOUND} -eq 1 ]; then if [ ${FOUND} -eq 1 ]; then
logtext "Result: SSH is limited to a specific set of users, which is good" logtext "Result: SSH is limited to a specific set of users, which is good"
AddHP 2 2 AddHP 2 2
else else
logtext "Result: SSH has no specific user or group limitation. Most likely all valid users can SSH to this machine." logtext "Result: SSH has no specific user or group limitation. Most likely all valid users can SSH to this machine."
AddHP 0 1 AddHP 0 1
fi fi
fi fi
# #
################################################################################# #################################################################################
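Review bot: The new ReportException in the sshd_config search hunk uses the id `${TEST_NO}:1`, while the exception a few lines above it in the same loop uses the two-digit form `${TEST_NO}:01` for a different condition; the two look like the same id at a glance and differ only in zero-padding. If the convention is two-digit suffixes, this one should be the next distinct value, `ReportException "${TEST_NO}:02" "SSH daemon is running, but no readable configuration file found"`. The unreadable case is otherwise displayed as "NOT FOUND", which a reader of the report cannot distinguish from a genuinely missing file; keeping the existing log line but noting the distinction in the Display text would help non-privileged scans. The enclosing test block starts outside this hunk; the remaining hunks in this section appear to be whitespace-only.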