tyler.durden
/
lynis
mirror of https://github.com/CISOfy/lynis.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Lots of cleanups (#366) 

* Description fix: SafePerms works on files not dirs.

All uses of SafePerms are on files (and indeed, it would reject
directories which would have +x set).

* Lots of whitespace cleanups.

Enforce everywhere(?) the same indentations for if/fi blocks.
The standard for the Lynis codebase is 4 spaces.  But sometimes
it's 1, sometimes 3, sometimes 8.

These patches standardize all(?) if blocks but _not_ else's (which
are usually indented 2, but sometimes zero); I was too lazy to
identify those (see below).

This diff is giant, but should not change code behavior at all;
diff -w shows no changes apart from whitespace.

FWIW I identified instances to check by using:

  perl -ne 'if ($oldfile ne $ARGV) { $.=1; $oldfile=$ARGV; }; chomp; if ($spaces) { next unless /^( *)([^ ]+)/; $newspaces=length($1); $firsttok = $2; next unless defined($firsttok); $offset = ($firsttok eq "elif" ? 0 : 4); if ($newspaces != $spaces + $offset) { print "$ARGV:$ifline\n$ARGV:$.:$_\n\n" }; $ifline=""; $spaces="";  } if (/^( *)if (?!.*[; ]fi)/) { $ifline = "$.:$_"; $spaces = length($1); }' $(find . -type f -print0 | xargs -0 file | egrep shell | cut -d: -f1)

Which produced output like:

  ./extras/build-lynis.sh:217:            if [ ${VERSION_IN_SPECFILE} = "" -o ! "${VERSION_IN_SPECFILE}" = "${LYNIS_VERSION}" ]; then
  ./extras/build-lynis.sh:218:               echo "[X] Version in specfile is outdated"

  ./plugins/plugin_pam_phase1:69:        if [ -d ${PAM_DIRECTORY} ]; then
  ./plugins/plugin_pam_phase1:70:                LogText "Result: /etc/pam.d exists"

...There's probably formal shellscript-beautification tools that
I'm oblivious about.

* More whitespace standardization.

* Fix a syntax error.

This looks like an if [ foo -o bar ]; was converted to if .. elif,
but incompletely.

* Add whitespace before closing ].

Without it, the shell thinks the ] is part of the last string, and
emits warnings like:

  .../lynis/include/tests_authentication: line 1028: [: missing `]'
This commit is contained in:
hlein 2017-03-07 12:23:08 -07:00 committed by Michael Boelen
parent 7e915df1ee
commit e054e9757c
16 changed files with 591 additions and 591 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

38
extras/build-lynis.sh
View File

@ -112,9 +112,9 @@
NEEDED_DIRS="debbuild rpmbuild rpmbuild/BUILD rpmbuild/BUILDROOT rpmbuild/RPMS rpmbuild/SOURCES rpmbuild/SRPMS"
for I in ${NEEDED_DIRS}; do
if [ ! -d "${MYBUILDDIR}/${I}" ]; then
echo "[X] Missing directory: ${MYBUILDDIR}/${I}"
echo " Hint: create subdirs with cd ${MYBUILDDIR} && mkdir -p ${NEEDED_DIRS}"
ExitFatal
echo "[X] Missing directory: ${MYBUILDDIR}/${I}"
echo " Hint: create subdirs with cd ${MYBUILDDIR} && mkdir -p ${NEEDED_DIRS}"
ExitFatal
fi
done
@ -128,20 +128,20 @@
GITBUILDPACKAGEBINARY=$(which git-buildpackage)
if [ ! "${GITBUILDPACKAGEBINARY}" = "" ]; then
echo "[=] git-buildpackage = ${GITBUILDPACKAGEBINARY}"
else
echo "[X] Can not find git-buildpackage binary"
echo " Hint: install git-buildpackage"
ExitFatal
echo "[=] git-buildpackage = ${GITBUILDPACKAGEBINARY}"
else
echo "[X] Can not find git-buildpackage binary"
echo " Hint: install git-buildpackage"
ExitFatal
fi
RPMBUILDBINARY=$(which rpmbuild)
if [ ! "${RPMBUILDBINARY}" = "" ]; then
echo "[=] rpmbuild = ${RPMBUILDBINARY}"
else
echo "[X] Can not find rpmbuild binary"
echo " Hint: install rpmbuild"
ExitFatal
echo "[=] rpmbuild = ${RPMBUILDBINARY}"
else
echo "[X] Can not find rpmbuild binary"
echo " Hint: install rpmbuild"
ExitFatal
fi
@ -195,10 +195,10 @@
else
tar -C ${MYWORKDIR} --exclude=debian --exclude=README.md --exclude=.bzr* --exclude=.git* -c -z -f ${TARBALL} lynis 2> /dev/null
if [ -f ${TARBALL} ]; then
echo "[V] Tarball created"
else
echo "[X] Tarball ${TARBALL} could not be created"
ExitFatal
echo "[V] Tarball created"
else
echo "[X] Tarball ${TARBALL} could not be created"
ExitFatal
fi
fi
@ -215,8 +215,8 @@
VERSION_IN_SPECFILE=$(awk '/^Version:/ { print $2 }' lynis.spec)
echo "[=] Found version ${VERSION_IN_SPECFILE}"
if [ ${VERSION_IN_SPECFILE} = "" -o ! "${VERSION_IN_SPECFILE}" = "${LYNIS_VERSION}" ]; then
echo "[X] Version in specfile is outdated"
ExitFatal
echo "[X] Version in specfile is outdated"
ExitFatal
fi
echo "[*] Start RPM building"
#${RPMBUILDBINARY} --quiet -ba -bl lynis.spec 2> /dev/null

236
include/functions
View File

@ -81,7 +81,7 @@
# ReportManual Log manual actions to report file
# ReportSuggestion Add a suggestion to report file
# ReportWarning Add a warning and priority to report file
# SafePerms Check if a directory has safe permissions
# SafePerms Check if a file has safe permissions
# SearchItem Search a string in a file
# ShowComplianceFinding Display a particular finding regarding compliance or a security standard
# ShowSymlinkPath Show a path behind a symlink
@ -214,25 +214,25 @@
ITEM_FOUND=0
RETVAL=255
if [ $# -eq 2 ]; then
# Don't search in /dev/null, it's too empty there
if [ ! "${REPORTFILE}" = "/dev/null" ]; then
# Check if we can find the main type (with or without brackets)
LogText "Test: search string $2 in earlier discovered results"
FIND=$(egrep "^$1(\[\])?=" ${REPORTFILE} | egrep "$2")
if [ ! "${FIND}" = "" ]; then
ITEM_FOUND=1
RETVAL=0
LogText "Result: found search string (result: $FIND)"
else
LogText "Result: search string NOT found"
RETVAL=1
fi
else
LogText "Skipping search, as /dev/null is being used"
fi
return ${RETVAL}
else
ReportException ${TEST_NO} "Error in function call to CheckItem"
# Don't search in /dev/null, it's too empty there
if [ ! "${REPORTFILE}" = "/dev/null" ]; then
# Check if we can find the main type (with or without brackets)
LogText "Test: search string $2 in earlier discovered results"
FIND=$(egrep "^$1(\[\])?=" ${REPORTFILE} | egrep "$2")
if [ ! "${FIND}" = "" ]; then
ITEM_FOUND=1
RETVAL=0
LogText "Result: found search string (result: $FIND)"
else
LogText "Result: search string NOT found"
RETVAL=1
fi
else
LogText "Skipping search, as /dev/null is being used"
fi
return ${RETVAL}
else
ReportException ${TEST_NO} "Error in function call to CheckItem"
fi
}
@ -424,9 +424,9 @@
for PLOC in ${tPROFILE_TARGETS}; do
# Only use one default.prf
if [ "${PNAME}" = "default.prf" -a ! "${DEFAULT_PROFILE}" = "" ]; then
Debug "Already discovered default.prf - skipping this file (${PLOC}/${PNAME})"
Debug "Already discovered default.prf - skipping this file (${PLOC}/${PNAME})"
elif [ "${PNAME}" = "custom.prf" -a ! "${CUSTOM_PROFILE}" = "" ]; then
Debug "Already discovered custom.prf - skipping this file (${PLOC}/${PNAME})"
Debug "Already discovered custom.prf - skipping this file (${PLOC}/${PNAME})"
else
if [ "${PLOC}" = "." ]; then FILE="${WORKDIR}/${PNAME}"; else FILE="${PLOC}/${PNAME}"; fi
if [ -r ${FILE} ]; then
@ -1310,7 +1310,7 @@
# Values: VMware Virtual Platform / VirtualBox
if [ "${SHORT}" = "" ]; then
if [ -x /usr/bin/dmidecode ]; then DMIDECODE_BINARY="/usr/bin/dmidecode"
elif [ -x /usr/sbin/dmidecode ]; then DMIDECODE_BINARY="/usr/sbin/dmidecode"
elif [ -x /usr/sbin/dmidecode ]; then DMIDECODE_BINARY="/usr/sbin/dmidecode"
else DMIDECODE_BINARY=""
fi
if [ ! "${DMIDECODE_BINARY}" = "" -a ${PRIVILEGED} -eq 1 ]; then
@ -1718,7 +1718,7 @@
FILE=$(echo ${VALUE} | awk '{ print $1 }')
if [ ! "${FILE}" = "" ]; then
if [ ! -f ${FILE} ]; then
NGINX_ERROR_LOG_MISSING=1
NGINX_ERROR_LOG_MISSING=1
fi
else
LogText "Warning: did not find a filename after error_log in nginx configuration"
@ -1944,9 +1944,9 @@
--root-only)
shift
if [ "$1" = "YES" -o "$1" = "yes" ]; then
ROOT_ONLY=1
elif [ "$1" = "NO" -o "$1" = "no" ]; then
ROOT_ONLY=0
ROOT_ONLY=1
elif [ "$1" = "NO" -o "$1" = "no" ]; then
ROOT_ONLY=0
else
Debug "Invalid option for --root-only parameter of Register function"
fi
@ -1989,8 +1989,8 @@
# Skip if test is not in the list
if [ ${SKIPTEST} -eq 0 -a ! "${TESTS_TO_PERFORM}" = "" ]; then
FIND=$(echo "${TESTS_TO_PERFORM}" | grep "${TEST_NO}")
if [ "${FIND}" = "" ]; then SKIPTEST=1; SKIPREASON="Test not in list of tests to perform"; fi
FIND=$(echo "${TESTS_TO_PERFORM}" | grep "${TEST_NO}")
if [ "${FIND}" = "" ]; then SKIPTEST=1; SKIPREASON="Test not in list of tests to perform"; fi
fi
# Do not run scans which have a higher intensity than what we prefer
@ -2001,7 +2001,7 @@
if [ ${SKIPTEST} -eq 0 -a ! -z "${TEST_NEED_OS}" -a ! "${OS}" = "${TEST_NEED_OS}" ]; then
SKIPTEST=1; SKIPREASON="Incorrect guest OS (${TEST_NEED_OS} only)"
if [ ${LOG_INCORRECT_OS} -eq 0 ]; then
SKIPLOGTEST=1
SKIPLOGTEST=1
fi
fi
@ -2088,12 +2088,12 @@
RemovePIDFile() {
# Test if PIDFILE is defined, before checking file presence
if [ ! "${PIDFILE}" = "" ]; then
if [ -f ${PIDFILE} ]; then
rm -f $PIDFILE;
LogText "PID file removed (${PIDFILE})"
else
LogText "PID file not found (${PIDFILE})"
fi
if [ -f ${PIDFILE} ]; then
rm -f $PIDFILE;
LogText "PID file removed (${PIDFILE})"
else
LogText "PID file not found (${PIDFILE})"
fi
fi
}
@ -2543,87 +2543,87 @@
# Check for symlink
if [ -L ${sFILE} ]; then
# macOS does not know -f option, nor do some others
if [ "${OS}" = "macOS" ]; then
# If a Python binary is found, use the one in path
if [ ${BINARY_SCAN_FINISHED} -eq 0 -a "${PYTHONBINARY}" = "" ]; then
FIND=$(which python 2> /dev/null)
if [ ! "${FIND}" = "" ]; then LogText "Setting temporary pythonbinary variable"; PYTHONBINARY="${FIND}"; fi
fi
if [ ! "${PYTHONBINARY}" = "" ]; then
SYMLINK_USE_PYTHON=1
LogText "Note: using Python to determine symlinks"
tFILE=$(python -c "import os,sys; print(os.path.realpath(os.path.expanduser(sys.argv[1])))" $1)
fi
else
if [ ${BINARY_SCAN_FINISHED} -eq 0 -a "${READLINKBINARY}" = "" ]; then
FIND=$(which readlink 2> /dev/null)
if [ ! "${FIND}" = "" ]; then LogText "Setting temporary readlinkbinary variable"; READLINKBINARY="${FIND}"; fi
fi
if [ ! "${READLINKBINARY}" = "" ]; then
SYMLINK_USE_READLINK=1
LogText "Note: Using real readlink binary to determine symlink on ${sFILE}"
tFILE=$(${READLINKBINARY} -f ${sFILE})
LogText "Result: readlink shows ${tFILE} as output"
fi
# macOS does not know -f option, nor do some others
if [ "${OS}" = "macOS" ]; then
# If a Python binary is found, use the one in path
if [ ${BINARY_SCAN_FINISHED} -eq 0 -a "${PYTHONBINARY}" = "" ]; then
FIND=$(which python 2> /dev/null)
if [ ! "${FIND}" = "" ]; then LogText "Setting temporary pythonbinary variable"; PYTHONBINARY="${FIND}"; fi
fi
# Check if we can find the file now
if [ "${tFILE}" = "" ]; then
LogText "Result: command did not return any value"
elif [ -f ${tFILE} ]; then
sFILE="${tFILE}"
LogText "Result: symlink found, pointing to file ${sFILE}"
FOUNDPATH=1
elif [ -b ${tFILE} ]; then
sFILE="${tFILE}"
LogText "Result: symlink found, pointing to block device ${sFILE}"
FOUNDPATH=1
elif [ -c ${tFILE} ]; then
sFILE="${tFILE}"
LogText "Result: symlink found, pointing to character device ${sFILE}"
FOUNDPATH=1
elif [ -d ${tFILE} ]; then
sFILE="${tFILE}"
LogText "Result: symlink found, pointing to directory ${sFILE}"
FOUNDPATH=1
else
# Check the full path of the symlink, strip the filename, copy the path and linked filename together
tDIR=$(echo ${sFILE} | awk '{match($1, "^.*/"); print substr($1, 1, RLENGTH-1)}')
tFILE="${tDIR}/${tFILE}"
if [ -L ${tFILE} ]; then
LogText "Result: this symlink links to another symlink"
# Ensure that we use a second try with the right tool as well
if [ ${SYMLINK_USE_PYTHON} -eq 1 ]; then
tFILE=$(python -c "import os,sys; print(os.path.realpath(os.path.expanduser(sys.argv[1])))" ${tFILE})
elif [ ${SYMLINK_USE_READLINK} -eq 1 ]; then
tFILE=$(${READLINKBINARY} -f ${tFILE})
fi
# Check if we now have a normal file
if [ -f ${tFILE} ]; then
sFILE="${tFILE}"
LogText "Result: symlink finally found, seems to be file ${sFILE}"
FOUNDPATH=1
elif [ -d ${tFILE} ]; then
sFILE="${tFILE}"
LogText "Result: symlink finally found, seems to be directory ${sFILE}"
FOUNDPATH=1
else
LogText "Result: could not find file ${tFILE}, most likely too complicated symlink or too often linked"
fi
elif [ -f ${tFILE} ]; then
if [ ! "${PYTHONBINARY}" = "" ]; then
SYMLINK_USE_PYTHON=1
LogText "Note: using Python to determine symlinks"
tFILE=$(python -c "import os,sys; print(os.path.realpath(os.path.expanduser(sys.argv[1])))" $1)
fi
else
if [ ${BINARY_SCAN_FINISHED} -eq 0 -a "${READLINKBINARY}" = "" ]; then
FIND=$(which readlink 2> /dev/null)
if [ ! "${FIND}" = "" ]; then LogText "Setting temporary readlinkbinary variable"; READLINKBINARY="${FIND}"; fi
fi
if [ ! "${READLINKBINARY}" = "" ]; then
SYMLINK_USE_READLINK=1
LogText "Note: Using real readlink binary to determine symlink on ${sFILE}"
tFILE=$(${READLINKBINARY} -f ${sFILE})
LogText "Result: readlink shows ${tFILE} as output"
fi
fi
# Check if we can find the file now
if [ "${tFILE}" = "" ]; then
LogText "Result: command did not return any value"
elif [ -f ${tFILE} ]; then
sFILE="${tFILE}"
LogText "Result: symlink found, pointing to file ${sFILE}"
FOUNDPATH=1
elif [ -b ${tFILE} ]; then
sFILE="${tFILE}"
LogText "Result: symlink found, pointing to block device ${sFILE}"
FOUNDPATH=1
elif [ -c ${tFILE} ]; then
sFILE="${tFILE}"
LogText "Result: symlink found, pointing to character device ${sFILE}"
FOUNDPATH=1
elif [ -d ${tFILE} ]; then
sFILE="${tFILE}"
LogText "Result: symlink found, pointing to directory ${sFILE}"
FOUNDPATH=1
else
# Check the full path of the symlink, strip the filename, copy the path and linked filename together
tDIR=$(echo ${sFILE} | awk '{match($1, "^.*/"); print substr($1, 1, RLENGTH-1)}')
tFILE="${tDIR}/${tFILE}"
if [ -L ${tFILE} ]; then
LogText "Result: this symlink links to another symlink"
# Ensure that we use a second try with the right tool as well
if [ ${SYMLINK_USE_PYTHON} -eq 1 ]; then
tFILE=$(python -c "import os,sys; print(os.path.realpath(os.path.expanduser(sys.argv[1])))" ${tFILE})
elif [ ${SYMLINK_USE_READLINK} -eq 1 ]; then
tFILE=$(${READLINKBINARY} -f ${tFILE})
fi
# Check if we now have a normal file
if [ -f ${tFILE} ]; then
sFILE="${tFILE}"
LogText "Result: symlink found, seems to be file ${sFILE}"
LogText "Result: symlink finally found, seems to be file ${sFILE}"
FOUNDPATH=1
elif [ -d ${tFILE} ]; then
sFILE="${tFILE}"
LogText "Result: symlink found, seems to be directory ${sFILE}"
LogText "Result: symlink finally found, seems to be directory ${sFILE}"
FOUNDPATH=1
else
LogText "Result: file ${tFILE} in ${tDIR} not found"
LogText "Result: could not find file ${tFILE}, most likely too complicated symlink or too often linked"
fi
elif [ -f ${tFILE} ]; then
sFILE="${tFILE}"
LogText "Result: symlink found, seems to be file ${sFILE}"
FOUNDPATH=1
elif [ -d ${tFILE} ]; then
sFILE="${tFILE}"
LogText "Result: symlink found, seems to be directory ${sFILE}"
FOUNDPATH=1
else
LogText "Result: file ${tFILE} in ${tDIR} not found"
fi
fi
else
LogText "Result: file ${sFILE} is not a symlink"
fi
@ -2839,8 +2839,8 @@
WaitForKeyPress() {
if [ ${QUICKMODE} -eq 0 ]; then
echo ""; echo "[ Press [ENTER] to continue, or [CTRL]+C to stop ]"
read void
echo ""; echo "[ Press [ENTER] to continue, or [CTRL]+C to stop ]"
read void
fi
}
@ -2864,8 +2864,8 @@
LogText "${FUNCNAME}: check if ${1} is equal to ${2}"
if [ "$1" == "$2" ]; then
LogText "${FUNCNAME}: ${1} is equal to ${2}"
RETVAL=0
LogText "${FUNCNAME}: ${1} is equal to ${2}"
RETVAL=0
fi
if ! [ -z ${3+x} ]; then
@ -2959,14 +2959,14 @@
RETVAL=1
if [ "$#" -ne "2" ]; then
ReportException "${TEST_NO}" "Error in function call to TestCase_GreaterOrEqual"
else
else
LogText "${FUNCNAME}: checking value for application ${APP}"
LogText "${FUNCNAME}: ${OPTION} is set to ${1}"
LogText "${FUNCNAME}: checking if ${1} is less than ${2}"
if ! [ TestCase_GreaterOrEqual "${1}" "${2}" ]; then
LogText "${FUNCNAME}: ${1} is less than ${2}"
RETVAL=0
LogText "${FUNCNAME}: ${1} is less than ${2}"
RETVAL=0
fi
fi
return ${RETVAL}
@ -2983,13 +2983,13 @@
RETVAL=1
if [ "$#" -ne "2" ]; then
ReportException "${TEST_NO}" "Error in function call to ${FUNCNAME}"
else
else
LogText "${FUNCNAME}: checking value for application ${APP}"
LogText "${FUNCNAME}: ${OPTION} is set to ${1}"
LogText "${FUNCNAME}: checking if ${1} is less or equal ${2}"
if [ TestCase_Equal "${1}" "${2}" ] || [ TestCase_LessThan "${1}" "${2}" ]; then
LogText "${FUNCNAME}: ${1} is less than ${2}"
RETVAL=0
LogText "${FUNCNAME}: ${1} is less than ${2}"
RETVAL=0
fi
fi
return ${RETVAL}

16
include/osdetection
View File

@ -302,21 +302,21 @@
# PCLinuxOS
if [ -f /etc/pclinuxos-release ]; then
FIND=$(grep "^PCLinuxOS" /etc/pclinuxos-release)
FIND=$(grep "^PCLinuxOS" /etc/pclinuxos-release)
if [ ! "${FIND}" = "" ]; then
OS_FULLNAME="PCLinuxOS Linux"
LINUX_VERSION="PCLinuxOS"
OS_VERSION=$(grep "^PCLinuxOS" /etc/pclinuxos-release | awk '{ if ($2=="release") { print $3 } }')
OS_FULLNAME="PCLinuxOS Linux"
LINUX_VERSION="PCLinuxOS"
OS_VERSION=$(grep "^PCLinuxOS" /etc/pclinuxos-release | awk '{ if ($2=="release") { print $3 } }')
fi
fi
# Sabayon Linux
if [ -f /etc/sabayon-edition ]; then
FIND=$(grep "Sabayon Linux" /etc/sabayon-edition)
FIND=$(grep "Sabayon Linux" /etc/sabayon-edition)
if [ ! "${FIND}" = "" ]; then
OS_FULLNAME="Sabayon Linux"
LINUX_VERSION="Sabayon"
OS_VERSION=$(awk '{ print $3 }' /etc/sabayon-edition)
OS_FULLNAME="Sabayon Linux"
LINUX_VERSION="Sabayon"
OS_VERSION=$(awk '{ print $3 }' /etc/sabayon-edition)
fi
fi

12
include/tests_authentication
View File

@ -996,7 +996,7 @@
for FILE in ${FIND}; do
HAS_MASK=$(${GREPBINARY} umask ${FILE} | ${SEDBINARY} 's/^[ \t]*//' | ${GREPBINARY} -v "^#" | ${AWKBINARY} '{ print $2 }')
for MASK in ${HAS_MASK}; do
if [ "${MASK}" = "077" -o "${MASK}" = "027" -o "${MASK}" = "0077" -o "${MASK}" = "0027"]; then
if [ "${MASK}" = "077" -o "${MASK}" = "027" -o "${MASK}" = "0077" -o "${MASK}" = "0027" ]; then
LogText "Result: found a strong umask '${MASK}' set in ${FILE}"
GOOD_UMASK=1
else
@ -1025,7 +1025,7 @@
elif [ "${FIND2}" = "1" ]; then
LogText "Result: found umask (prefixed with spaces)"
FOUND_UMASK=1
if [ ! "${FIND}" = "077" -a ! "${FIND}" = "027" -a ! "${FIND}" = "0077" -a ! "${FIND}" = "0027"]; then
if [ ! "${FIND}" = "077" -a ! "${FIND}" = "027" -a ! "${FIND}" = "0077" -a ! "${FIND}" = "0027" ]; then
LogText "Result: found umask ${FIND}, which could be more strict"
WEAK_UMASK=1
else
@ -1037,7 +1037,7 @@
LogText "Result: found multiple umask values configured in /etc/profile"
FOUND_UMASK=1
for I in ${FIND}; do
if [ ! "${I}" = "077" -a ! "${I}" = "027" -a ! "${I}" = "0077" -a ! "${I}" = "0027"]; then
if [ ! "${I}" = "077" -a ! "${I}" = "027" -a ! "${I}" = "0077" -a ! "${I}" = "0027" ]; then
LogText "Result: umask ${I} could be more strict"
WEAK_UMASK=1
AddHP 1 2
@ -1094,7 +1094,7 @@
Display --indent 4 --text "- umask (/etc/login.defs)" --result "${STATUS_SUGGESTION}" --color YELLOW
ReportSuggestion ${TEST_NO} "Default umask in /etc/login.defs could not be found and defaults usually to 022, which could be more strict like 027"
AddHP 1 2
elif [ "${FIND}" = "077" -o "${FIND}" = "027" -o "${FIND}" = "0077" -o "${FIND}" = "0027"]; then
elif [ "${FIND}" = "077" -o "${FIND}" = "027" -o "${FIND}" = "0077" -o "${FIND}" = "0027" ]; then
LogText "Result: umask is ${FIND}, which is fine"
Display --indent 4 --text "- umask (/etc/login.defs)" --result "${STATUS_OK}" --color GREEN
AddHP 2 2
@ -1117,7 +1117,7 @@
if [ "${FIND}" = "" ]; then
LogText "Result: umask is not configured"
Display --indent 4 --text "- umask (/etc/init.d/functions)" --result "${STATUS_NONE}" --color WHITE
elif [ "${FIND}" = "077" -o "${FIND}" = "027" -o "${FIND}" = "0077" -o "${FIND}" = "0027"]; then
elif [ "${FIND}" = "077" -o "${FIND}" = "027" -o "${FIND}" = "0077" -o "${FIND}" = "0027" ]; then
LogText "Result: umask is ${FIND}, which is fine"
Display --indent 4 --text "- umask (/etc/init.d/functions)" --result "${STATUS_OK}" --color GREEN
AddHP 2 2
@ -1141,7 +1141,7 @@
Display --indent 4 --text "- Checking umask (/etc/init.d/rc)" --result "${STATUS_SUGGESTION}" --color YELLOW
ReportSuggestion ${TEST_NO} "Default umask in /etc/init.d/rc could not be found and defaults usually to 022, which could be more strict like 027"
AddHP 1 2
elif [ "${FIND}" = "077" -o "${FIND}" = "027" -o "${FIND}" = "0077" -o "${FIND}" = "0027"]; then
elif [ "${FIND}" = "077" -o "${FIND}" = "027" -o "${FIND}" = "0077" -o "${FIND}" = "0027" ]; then
LogText "Result: umask is ${FIND}, which is fine"
Display --indent 4 --text "- umask (/etc/init.d/rc)" --result "${STATUS_OK}" --color GREEN
AddHP 2 2

2
include/tests_boot_services
View File

@ -388,7 +388,7 @@
ReportSuggestion ${TEST_NO} "Add a password to LILO, by adding a line to the lilo.conf file, above the first line saying 'image=<name>': password=<password>"
ReportWarning ${TEST_NO} "No password set on LILO bootloader"
AddHP 0 2
elif [ "${MACHINE_ROLE}" = "personal"]; then
elif [ "${MACHINE_ROLE}" = "personal" ]; then
Display --indent 4 --text "- Password option presence " --result "${STATUS_WARNING}" --color yellow
LogText "Result: no password set for LILO. Bootloader is unprotected to dropping to single user mode or unauthorized access to devices/data."
ReportSuggestion ${TEST_NO} "No password set on LILO bootloader. Add a password to LILO, by adding a line to the lilo.conf file, above the first line saying 'image=<name>': password=<password>"

4
include/tests_file_integrity
View File

@ -77,8 +77,8 @@
LogText "Test: search for aide.conf in ${AIDE_CONFIG_LOCS}"
for I in ${AIDE_CONFIG_LOCS}; do
if [ -f ${I}/aide.conf ]; then
LogText "Result: found aide.conf in directory ${I}"
AIDECONFIG="${I}/aide.conf"
LogText "Result: found aide.conf in directory ${I}"
AIDECONFIG="${I}/aide.conf"
fi
done

54
include/tests_firewalls
View File

@ -51,7 +51,7 @@
for I in ${FIND}; do
LogText "Found module: ${I}"
done
else
else
Display --indent 2 --text "- Checking iptables kernel module" --result "${STATUS_NOT_FOUND}" --color WHITE
# If we can't find an active module, try to find the Linux configuration file and check that
@ -75,16 +75,16 @@
# Do not use iptables if it's compiled as a module (=m), since we already tested for it in the
# active list.
if [ "${HAVEMOD}" = "y" ]; then
LogText "Result: iptables available as a module in the configuration"
IPTABLES_ACTIVE=1
IPTABLES_INKERNEL_ACTIVE=1
FIREWALL_ACTIVE=1
FIREWALL_SOFTWARE="iptables"
Display --indent 2 --text "- Checking iptables in config file" --result "${STATUS_FOUND}" --color GREEN
else
LogText "Result: iptables available as a module in the configuration"
IPTABLES_ACTIVE=1
IPTABLES_INKERNEL_ACTIVE=1
FIREWALL_ACTIVE=1
FIREWALL_SOFTWARE="iptables"
Display --indent 2 --text "- Checking iptables in config file" --result "${STATUS_FOUND}" --color GREEN
else
LogText "Result: no iptables found in Linux kernel config file"
fi
else
else
LogText "Result: no Linux configuration file found"
Display --indent 2 --text "- Checking iptables in config file" --result "${STATUS_NOT_FOUND}" --color WHITE
fi
@ -157,7 +157,7 @@
LogText "Result: iptables ruleset seems to be empty (found ${FIND} rules)"
Display --indent 4 --text "- Checking for empty ruleset" --result "${STATUS_WARNING}" --color RED
ReportWarning ${TEST_NO} "iptables module(s) loaded, but no rules active"
else
else
LogText "Result: one or more rules are available (${FIND} rules)"
Display --indent 4 --text "- Checking for empty ruleset" --result "${STATUS_OK}" --color GREEN
fi
@ -175,7 +175,7 @@
if [ -z "${FIND}" ]; then
Display --indent 4 --text "- Checking for unused rules" --result "${STATUS_OK}" --color GREEN
LogText "Result: There are no unused rules present"
else
else
Display --indent 4 --text "- Checking for unused rules" --result "${STATUS_FOUND}" --color YELLOW
LogText "Result: Found one or more possible unused rules"
LogText "Description: Unused rules can be a sign that the firewall rules aren't optimized or up-to-date"
@ -209,7 +209,7 @@
LogText "Result: pf is enabled"
PFFOUND=1
AddHP 3 3
else
else
Display --indent 2 --text "- Checking pf status (pfctl)" --result "${STATUS_UNKNOWN}" --color YELLOW
ReportException ${TEST_NO} "Unknown status of pf firewall"
fi
@ -223,7 +223,7 @@
FIND=$(${KLDSTATBINARY} | ${GREPBINARY} 'pf.ko')
if [ -z "${FIND}" ]; then
LogText "Result: Can not find pf KLD"
else
else
LogText "Result: pf KLD loaded"
PFFOUND=1
fi
@ -237,7 +237,7 @@
Display --indent 4 --text "- Checking pflogd status" --result "ACTIVE" --color GREEN
PFFOUND=1
PFLOGDFOUND=1
else
else
LogText "Result: pflog daemon not found in process list"
fi
fi
@ -246,7 +246,7 @@
FIREWALL_ACTIVE=1
FIREWALL_SOFTWARE="pf"
Report "firewall_software[]=pf"
else
else
LogText "Result: pf not running on this system"
fi
fi
@ -267,12 +267,12 @@
if [ -z "${PFWARNINGS}" ]; then
Display --indent 4 --text "- Checking pf configuration consistency" --result "${STATUS_OK}" --color GREEN
LogText "Result: no pf filter warnings found"
else
else
Display --indent 4 --text "- Checking pf configuration consistency" --result "${STATUS_WARNING}" --color RED
LogText "Result: found one or more warnings in the pf filter rules"
ReportWarning ${TEST_NO} "Found one or more warnings in pf configuration file" "/etc/pf.conf" "text:Run 'pfctl -n -f /etc/pf.conf -vvv' to see available pf warnings"
fi
else
else
LogText "Result: /etc/pf.conf does NOT exist"
fi
fi
@ -296,7 +296,7 @@
FIREWALL_SOFTWARE="csf"
Report "firewall_software[]=csf"
Display --indent 2 --text "- Checking CSF status (configuration file)" --result "${STATUS_FOUND}" --color GREEN
else
else
LogText "Result: ${FILE} does NOT exist"
fi
fi
@ -315,7 +315,7 @@
FIREWALL_ACTIVE=1
FIREWALL_SOFTWARE="ipf"
Report "firewall_software[]=ipf"
else
else
Display --indent 4 --text "- Checking ipf status" --result "${STATUS_NOT_RUNNING}" --color YELLOW
LogText "Result: ipf is not running"
fi
@ -340,15 +340,15 @@
if [ "${IPFW_ENABLED}" = "ipfw" ]; then
Display --indent 4 --text "- IPFW enabled in /etc/rc.conf" --result "${STATUS_YES}" --color GREEN
LogText "Result: IPFW is enabled at start-up for IPv4"
else
else
Display --indent 4 --text "- ipfw enabled in /etc/rc.conf" --result "${STATUS_NO}" --color YELLOW
LogText "Result: IPFW is disabled at start-up for IPv4"
fi
else
else
if IsVerbose; then Display --indent 2 --text "- Checking IPFW status" --result "${STATUS_NOT_RUNNING}" --color YELLOW; fi
LogText "Result: IPFW is not running for IPv4"
fi
else
else
ReportException "${TEST_NO}:1" "No IPFW test available (sysctl missing)"
fi
fi
@ -369,7 +369,7 @@
APPLICATION_FIREWALL_ACTIVE=1
Report "firewall_software[]=macosx-app-fw"
Report "app_fw[]=macosx-app-fw"
else
else
if IsVerbose; then Display --indent 2 --text "- Checking macOS: Application Firewall" --result "${STATUS_DISABLED}" --color YELLOW; fi
AddHP 1 3
LogText "Result: application firewall of macOS is disabled"
@ -390,7 +390,7 @@
APPLICATION_FIREWALL_ACTIVE=1
Report "app_fw[]=little-snitch"
Report "firewall_software[]=little-snitch"
else
else
if IsVerbose; then Display --indent 2 --text "- Checking Little Snitch Daemon" --result "${STATUS_DISABLED}" --color YELLOW; fi
AddHP 1 3
LogText "Result: could not find Little Snitch"
@ -411,7 +411,7 @@
FIREWALL_ACTIVE=1
NFTABLES_ACTIVE=1
Report "firewall_software[]=nftables"
else
else
LogText "Result: no nftables kernel module found"
fi
fi
@ -441,7 +441,7 @@
if [ ${NFT_RULES_LENGTH} -le 16 ]; then
FIREWALL_EMPTY_RULESET=1
LogText "Result: this firewall set has 16 rules or less and is considered to be empty"
else
else
LogText "Result: found ${NFT_RULES_LENGTH} rules in nftables configuration"
fi
fi
@ -484,7 +484,7 @@
# YYY Solaris ipf (determine default policy)
Report "manual[]=Make sure an explicit deny all is the default policy for all unmatched traffic"
AddHP 5 5
else
else
Display --indent 2 --text "- Checking host based firewall" --result "NOT ACTIVE" --color YELLOW
LogText "Result: no host based firewall/packet filter found or configured"
ReportSuggestion ${TEST_NO} "Configure a firewall/packet filter to filter incoming and outgoing traffic"

82
include/tests_kernel
View File

@ -561,55 +561,55 @@
LogText "Result: using ${MYKERNEL} as my kernel version (stripped)"
FIND=$(ls ${ROOTDIR}boot/vmlinuz* 2> /dev/null)
if [ ! -z "${FIND}" ]; then
for ITEM in ${FIND}; do
LogText "Result: found ${ITEM}"
done
# Display kernels, extract version numbers and ${SORTBINARY} them numeric per column (up to 6 numbers)
# Ignore rescue images. Remove generic. and huge. for Slackware machines
LogText "Action: checking relevant kernels"
KERNELS=$(${LSBINARY} /boot/vmlinuz* | ${GREPBINARY} -v rescue | ${SEDBINARY} 's/vmlinuz-//' | ${SEDBINARY} 's/generic.//' | ${SEDBINARY} 's/huge.//' | ${SEDBINARY} 's/\.[a-z].*.//g' | ${SEDBINARY} 's/-[a-z].*.//g' | ${SEDBINARY} 's./boot/..' | ${SEDBINARY} 's/-/./g' | ${SORTBINARY} -n -k1,1 -k2,2 -k3,3 -k4,4 -k5,5 -k6,6 -t \.)
KERNELS_ONE_LINE=$(echo ${KERNELS} | ${TRBINARY} '\n' ' ')
LogText "Output: ${KERNELS_ONE_LINE}"
for ITEM in ${FIND}; do
LogText "Result: found ${ITEM}"
done
# Display kernels, extract version numbers and ${SORTBINARY} them numeric per column (up to 6 numbers)
# Ignore rescue images. Remove generic. and huge. for Slackware machines
LogText "Action: checking relevant kernels"
KERNELS=$(${LSBINARY} /boot/vmlinuz* | ${GREPBINARY} -v rescue | ${SEDBINARY} 's/vmlinuz-//' | ${SEDBINARY} 's/generic.//' | ${SEDBINARY} 's/huge.//' | ${SEDBINARY} 's/\.[a-z].*.//g' | ${SEDBINARY} 's/-[a-z].*.//g' | ${SEDBINARY} 's./boot/..' | ${SEDBINARY} 's/-/./g' | ${SORTBINARY} -n -k1,1 -k2,2 -k3,3 -k4,4 -k5,5 -k6,6 -t \.)
KERNELS_ONE_LINE=$(echo ${KERNELS} | ${TRBINARY} '\n' ' ')
LogText "Output: ${KERNELS_ONE_LINE}"
elif [ ! "$(ls ${ROOTDIR}boot/kernel* 2> /dev/null)" = "" ]; then
LogText "Output: Found a kernel file in ${ROOTDIR}boot"
# Display kernels, extract version numbers and ${SORTBINARY} them numeric per column (up to 6 numbers)
# Examples:
# /boot/kernel-genkernel-x86_64-3.14.14-gentoo
KERNELS=$(${LSBINARY} ${ROOTDIR}boot/kernel* | ${AWKBINARY} -F- '{ if ($2=="genkernel") { print $4 }}' | ${GREPBINARY} "^[0-9]" | ${SORTBINARY} -n -k1,1 -k2,2 -k3,3 -k4,4 -k5,5 -k6,6 -t \.)
if [ ! -z "${KERNELS}" ]; then LogText "Output: ${KERNELS}"; fi
LogText "Output: Found a kernel file in ${ROOTDIR}boot"
# Display kernels, extract version numbers and ${SORTBINARY} them numeric per column (up to 6 numbers)
# Examples:
# /boot/kernel-genkernel-x86_64-3.14.14-gentoo
KERNELS=$(${LSBINARY} ${ROOTDIR}boot/kernel* | ${AWKBINARY} -F- '{ if ($2=="genkernel") { print $4 }}' | ${GREPBINARY} "^[0-9]" | ${SORTBINARY} -n -k1,1 -k2,2 -k3,3 -k4,4 -k5,5 -k6,6 -t \.)
if [ ! -z "${KERNELS}" ]; then LogText "Output: ${KERNELS}"; fi
else
ReportException "${TEST_NO}:2" "Can not find any vmlinuz or kernel files in /boot, which is unexpected"
fi
if [ ! -z "${KERNELS}" ]; then
FOUND_KERNEL=0
for I in ${KERNELS}; do
# Check if we already found a kernel and it is not equal to what we run (e.g. double versions may exist)
if [ ${FOUND_KERNEL} -eq 1 -a ! "${MYKERNEL}" = "${I}" ]; then
LogText "Result: found a kernel (${I}) later than running one (${MYKERNEL})"
REBOOT_NEEDED=1
fi
if [ "${MYKERNEL}" = "${I}" ]; then
FOUND_KERNEL=1
LogText "Result: Found ${I} (= our kernel)"
else
LogText "Result: Found ${I}"
fi
done
# Check if we at least found the kernel on disk
if [ ${FOUND_KERNEL} -eq 0 ]; then
ReportException "${TEST_NO}:3" "Could not find our running kernel on disk, which is unexpected"
else
# If we are not sure yet reboot it needed, but we found running kernel as last one on disk, we run latest kernel
if [ ${REBOOT_NEEDED} -eq 2 ]; then
LogText "Result: we found our kernel on disk as last entry, so seems to be up-to-date"
REBOOT_NEEDED=0
fi
fi
fi
FOUND_KERNEL=0
for I in ${KERNELS}; do
# Check if we already found a kernel and it is not equal to what we run (e.g. double versions may exist)
if [ ${FOUND_KERNEL} -eq 1 -a ! "${MYKERNEL}" = "${I}" ]; then
LogText "Result: found a kernel (${I}) later than running one (${MYKERNEL})"
REBOOT_NEEDED=1
fi
if [ "${MYKERNEL}" = "${I}" ]; then
FOUND_KERNEL=1
LogText "Result: Found ${I} (= our kernel)"
else
LogText "Result: Found ${I}"
fi
done
# Check if we at least found the kernel on disk
if [ ${FOUND_KERNEL} -eq 0 ]; then
ReportException "${TEST_NO}:3" "Could not find our running kernel on disk, which is unexpected"
else
# If we are not sure yet reboot it needed, but we found running kernel as last one on disk, we run latest kernel
if [ ${REBOOT_NEEDED} -eq 2 ]; then
LogText "Result: we found our kernel on disk as last entry, so seems to be up-to-date"
REBOOT_NEEDED=0
fi
fi
fi
fi
# No files in /boot
else
LogText "Result: Skipping this test, as there are no files in /boot"
LogText "Result: Skipping this test, as there are no files in /boot"
fi
else
LogText "Result: /boot does not exist"

50
include/tests_mac_frameworks
View File

@ -132,28 +132,28 @@
# Status: Enabled/Disabled
FIND=$(${SESTATUSBINARY} | ${GREPBINARY} "^SELinux status" | ${AWKBINARY} '{ print $3 }')
if [ "${FIND}" = "enabled" ]; then
MAC_FRAMEWORK_ACTIVE=1
LogText "Result: SELinux framework is enabled"
Report "selinux_status=1"
SELINUXFOUND=1
Display --indent 4 --text "- Checking SELinux status" --result "${STATUS_ENABLED}" --color GREEN
FIND=$(${SESTATUSBINARY} | ${GREPBINARY} "^Current mode" | ${AWKBINARY} '{ print $3 }')
Report "selinux_mode=${FIND}"
FIND2=$(${SESTATUSBINARY} | ${GREPBINARY} "^Mode from config file" | ${AWKBINARY} '{ print $5 }')
LogText "Result: current SELinux mode is ${FIND}"
LogText "Result: mode configured in config file is ${FIND2}"
if [ "${FIND}" = "${FIND2}" ]; then
LogText "Result: Current SELinux mode is the same as in config file."
Display --indent 6 --text "- Checking current mode and config file" --result "${STATUS_OK}" --color GREEN
else
LogText "Result: Current SELinux mode (${FIND}) is NOT the same as in config file (${FIND2})."
ReportWarning ${TEST_NO} "Current SELinux mode is different from config file (current: ${FIND}, config file: ${FIND2})"
Display --indent 6 --text "- Checking current mode and config file" --result "${STATUS_WARNING}" --color RED
fi
Display --indent 8 --text "Current SELinux mode: ${FIND}"
MAC_FRAMEWORK_ACTIVE=1
LogText "Result: SELinux framework is enabled"
Report "selinux_status=1"
SELINUXFOUND=1
Display --indent 4 --text "- Checking SELinux status" --result "${STATUS_ENABLED}" --color GREEN
FIND=$(${SESTATUSBINARY} | ${GREPBINARY} "^Current mode" | ${AWKBINARY} '{ print $3 }')
Report "selinux_mode=${FIND}"
FIND2=$(${SESTATUSBINARY} | ${GREPBINARY} "^Mode from config file" | ${AWKBINARY} '{ print $5 }')
LogText "Result: current SELinux mode is ${FIND}"
LogText "Result: mode configured in config file is ${FIND2}"
if [ "${FIND}" = "${FIND2}" ]; then
LogText "Result: Current SELinux mode is the same as in config file."
Display --indent 6 --text "- Checking current mode and config file" --result "${STATUS_OK}" --color GREEN
else
LogText "Result: Current SELinux mode (${FIND}) is NOT the same as in config file (${FIND2})."
ReportWarning ${TEST_NO} "Current SELinux mode is different from config file (current: ${FIND}, config file: ${FIND2})"
Display --indent 6 --text "- Checking current mode and config file" --result "${STATUS_WARNING}" --color RED
fi
Display --indent 8 --text "Current SELinux mode: ${FIND}"
else
LogText "Result: SELinux framework is disabled"
Display --indent 4 --text "- Checking SELinux status" --result "${STATUS_DISABLED}" --color YELLOW
LogText "Result: SELinux framework is disabled"
Display --indent 4 --text "- Checking SELinux status" --result "${STATUS_DISABLED}" --color YELLOW
fi
fi
#
@ -181,10 +181,10 @@
Display --indent 2 --text "- Checking presence grsecurity" --result "${STATUS_NOT_FOUND}" --color WHITE
fi
if [ ! -z "${GRADMBINARY}" ]; then
FIND=$(${GRADMBINARY} --status)
if [ "${FIND}" = "The RBAC system is currently enabled." ]; then
MAC_FRAMEWORK_ACTIVE=1
fi
FIND=$(${GRADMBINARY} --status)
if [ "${FIND}" = "The RBAC system is currently enabled." ]; then
MAC_FRAMEWORK_ACTIVE=1
fi
fi
fi
#

2
include/tests_networking
View File

@ -132,7 +132,7 @@
Report "nameserver[]=${I}"
# Check if a local resolver is available (like DNSMasq)
if [ "${I}" = "::1" -o "${I}" = "127.0.0.1" -o "${I}" = "0.0.0.0" ]; then
LOCAL_DNSRESOLVER_FOUND=1
LOCAL_DNSRESOLVER_FOUND=1
fi
if [ ! "${DIGBINARY}" = "" ]; then
# See if we can query something at the nameserver

2
include/tests_ports_packages
View File

@ -797,7 +797,7 @@
if [ ${DO_TEST} -eq 0 ]; then
FileExists /usr/share/yum-cli/cli.py
if [ ${FILE_FOUND} -eq 1 ]; then
SearchItem "\-\-security" "/usr/share/yum-cli/cli.py"
SearchItem "\-\-security" "/usr/share/yum-cli/cli.py"
if [ ${ITEM_FOUND} -eq 1 ]; then
DO_TEST=1
LogText "Result: found built-in security in yum"

2
include/tests_printers_spools
View File

@ -147,7 +147,7 @@
FOUND=1
done
if [ ${FOUND} -eq 0 ]; then
ReportException "${TEST_NO}:1" "No listen statement found in CUPS configuration file"
ReportException "${TEST_NO}:1" "No listen statement found in CUPS configuration file"
fi
# Check if daemon is only running on localhost

8
include/tests_squid
View File

@ -64,13 +64,13 @@
for I in ${SQUID_DAEMON_CONFIG_LOCS}; do
# Checking squid.conf
if [ -f "${I}/squid.conf" ]; then
LogText "Result: ${I}/squid.conf exists"
SQUID_DAEMON_CONFIG="${I}/squid.conf"
LogText "Result: ${I}/squid.conf exists"
SQUID_DAEMON_CONFIG="${I}/squid.conf"
fi
# Checking squid3.conf
if [ -f "${I}/squid3.conf" ]; then
LogText "Result: ${I}/squid3.conf exists"
SQUID_DAEMON_CONFIG="${I}/squid3.conf"
LogText "Result: ${I}/squid3.conf exists"
SQUID_DAEMON_CONFIG="${I}/squid3.conf"
fi
done
if [ "${SQUID_DAEMON_CONFIG}" = "" ]; then

24
include/tests_ssh
View File

@ -63,18 +63,18 @@
LogText "Test: searching for sshd_config file"
for I in ${SSH_DAEMON_CONFIG_LOCS}; do
if [ -f "${I}/sshd_config" ]; then
LogText "Result: ${I}/sshd_config exists"
if [ ${FOUND} -eq 1 ]; then
ReportException "${TEST_NO}:01"
LogText "Result: we already had found another sshd_config file. Using this new file then."
fi
FileIsReadable ${I}/sshd_config
if [ ${CANREAD} -eq 1 ]; then
FOUND=1
SSH_DAEMON_CONFIG="${I}/sshd_config"
else
LogText "Result: can not read ${I}/sshd_config file (no permission)"
fi
LogText "Result: ${I}/sshd_config exists"
if [ ${FOUND} -eq 1 ]; then
ReportException "${TEST_NO}:01"
LogText "Result: we already had found another sshd_config file. Using this new file then."
fi
FileIsReadable ${I}/sshd_config
if [ ${CANREAD} -eq 1 ]; then
FOUND=1
SSH_DAEMON_CONFIG="${I}/sshd_config"
else
LogText "Result: can not read ${I}/sshd_config file (no permission)"
fi
fi
done
if [ "${SSH_DAEMON_CONFIG}" = "" ]; then

4
lynis
View File

@ -165,7 +165,7 @@ Make sure to execute ${PROGRAM_NAME} from untarred directory or check your insta
done
if [ ${SHOWPERMERROR} -eq 1 ]; then
printf "%s" "
printf "%s" "
[!] Change ownership of ${INCLUDEDIR}/${ISSUE_FILE} to 'root' or similar (found: ${ISSUE_OWNER} with UID ${ISSUE_OWNERID}).
@ -621,7 +621,7 @@ ${NORMAL}
if [ ! "${OS_MODE}" = "" ]; then LogText "Operating system mode: ${OS_MODE}"; fi
LogText "Kernel version: ${OS_KERNELVERSION}"
if [ ! "${OS_KERNELVERSION_FULL}" = "" ]; then
LogText "Kernel version (full): ${OS_KERNELVERSION_FULL}"
LogText "Kernel version (full): ${OS_KERNELVERSION_FULL}"
fi
LogText "Hardware platform: ${HARDWARE}"
LogText "-----------------------------------------------------"

646
plugins/plugin_pam_phase1
View File

@ -67,289 +67,289 @@
FOUNDPROBLEM=0
# Check if the PAM directory structure exists
if [ -d ${PAM_DIRECTORY} ]; then
LogText "Result: /etc/pam.d exists"
FIND_FILES=$(find ${PAM_DIRECTORY} -type f -print)
# First check /etc/pam.conf if it exists.
#if [ -f /etc/pam.conf ]; then FIND="/etc/pam.conf ${FIND}"; fi
for PAM_FILE in ${FIND_FILES}; do
LogText "Now checking PAM file ${PAM_FILE}"
while read line; do
# Strip empty lines, commented lines, tabs, line breaks (\), then finally remove all double spaces
LINE=$(echo $line | grep -v "^#" | grep -v "^$" | tr '\011' ' ' | sed 's/\\\n/ /' | sed 's/ / /g' | sed 's/ #\(.*\)$//')
if [ ! "${LINE}" = "" ]; then
PAM_SERVICE=$(echo ${PAM_FILE} | awk -F/ '{ print $NF }')
PAM_CONTROL_FLAG="-"
PAM_CONTROL_OPTIONS="-"
PAM_MODULE="-"
PAM_MODULE_OPTIONS="-"
PAM_TYPE=$(echo ${LINE} | awk '{ print $1 }')
PARSELINE=0
case ${PAM_TYPE} in
"@include")
FILE=$(echo ${LINE} | awk '{ print $2 }')
Debug "Result: Found @include in ${PAM_FILE}. Does include PAM settings from file ${FILE} (which is individually processed)"
;;
"account")
PARSELINE=1
;;
"auth")
PARSELINE=1
;;
"password")
PARSELINE=1
;;
"session")
PARSELINE=1
;;
*)
LogText "Exception: Unknown PAM type found (${PAM_TYPE})"
;;
esac
if [ ${PARSELINE} -eq 1 ]; then
MULTIPLE_OPTIONS=$(echo ${LINE} | awk '$2 ~ /^\[/')
if [ ! "${MULTIPLE_OPTIONS}" = "" ]; then
# Needs more parsing, depending on the options found
PAM_CONTROL_OPTIONS=$(echo ${LINE} | sed "s/^.*\[//" | sed "s/\].*$//")
LogText "Result: Found brackets in line, indicating multiple options for control flags: ${PAM_CONTROL_OPTIONS}"
LINE=$(echo ${LINE} | sed "s/ \[.*\] / other /")
fi
PAM_MODULE=$(echo ${LINE} | awk '{ print $3 }')
PAM_MODULE_OPTIONS=$(echo ${LINE} | cut -d ' ' -f 4-)
PAM_CONTROL_FLAG=$(echo ${LINE} | awk '{ print $2 }')
case ${PAM_CONTROL_FLAG} in
"optional"|"required"|"requisite"|"sufficient")
#Debug "Found a common control flag: ${PAM_CONTROL_FLAG} for ${PAM_MODULE}"
X=0 # do nothing
;;
"other")
LogText "Result: brackets used, ignoring control flags"
;;
*)
LogText "Unknown control flag found (${PAM_CONTROL_FLAG})"
;;
esac
if [ ! "${PAM_MODULE_OPTIONS}" = "" ]; then
LogText "Result: using module ${PAM_MODULE} (${PAM_CONTROL_FLAG}) with options ${PAM_MODULE_OPTIONS}"
else
PAM_MODULE_OPTIONS="-"
LogText "Result: using module ${PAM_MODULE} (${PAM_CONTROL_FLAG}) without options configured"
fi
PAM_MODULE_NAME=$(echo ${PAM_MODULE} | sed 's/.so$//')
#
# Specific PAMs are commonly seen on these platforms:
#
# FreeBSD Linux
# pam_access v
# pam_deny v v
# pam_group v
# pam_krb5 v
# pam_lastlog v
# pam_login_access v
# pam_nologin v
# pam_opie v
# pam_opieaccess v
# pam_passwdqc v
# pam_permit v
# pam_rhosts v
# pam_rootok v
# pam_securetty v
# pam_self v
# pam_ssh v
# pam_unix v
case ${PAM_MODULE_NAME} in
pam_access) ;;
pam_cap) ;;
pam_debug | pam_deny) ;;
pam_echo| pam_env | pam_exec | pam_faildelay) ;;
pam_filter | pam_ftp) ;;
# Google Authenticator / YubiKey
# Common to find it only enabled for SSH
pam_google_authenticator | pam_yubico)
LogText "Result: found pam_google_authenticator"
if [ "${PAM_CONTROL_FLAG}" = "required" ]; then
PAM_2F_AUTH_ENABLED=1
PAM_2F_AUTH_REQUIRED=1
Report "authentication_2f_provider[]=${PAM_MODULE_NAME}"
Report "authentication_2f_service[]=${PAM_SERVICE}"
elif -o "${PAM_CONTROL_FLAG}" = "sufficient" ]; then
PAM_2F_AUTH_ENABLED=1
Report "authentication_2f_provider[]=${PAM_MODULE_NAME}"
Report "authentication_2f_service[]=${PAM_SERVICE}"
else
LogText "exception: found 2F authenticator enabled with uncommon control flag: ${PAM_CONTROL_FLAG}"
fi
LogText "Result: /etc/pam.d exists"
FIND_FILES=$(find ${PAM_DIRECTORY} -type f -print)
# First check /etc/pam.conf if it exists.
#if [ -f /etc/pam.conf ]; then FIND="/etc/pam.conf ${FIND}"; fi
for PAM_FILE in ${FIND_FILES}; do
LogText "Now checking PAM file ${PAM_FILE}"
while read line; do
# Strip empty lines, commented lines, tabs, line breaks (\), then finally remove all double spaces
LINE=$(echo $line | grep -v "^#" | grep -v "^$" | tr '\011' ' ' | sed 's/\\\n/ /' | sed 's/ / /g' | sed 's/ #\(.*\)$//')
if [ ! "${LINE}" = "" ]; then
PAM_SERVICE=$(echo ${PAM_FILE} | awk -F/ '{ print $NF }')
PAM_CONTROL_FLAG="-"
PAM_CONTROL_OPTIONS="-"
PAM_MODULE="-"
PAM_MODULE_OPTIONS="-"
PAM_TYPE=$(echo ${LINE} | awk '{ print $1 }')
PARSELINE=0
case ${PAM_TYPE} in
"@include")
FILE=$(echo ${LINE} | awk '{ print $2 }')
Debug "Result: Found @include in ${PAM_FILE}. Does include PAM settings from file ${FILE} (which is individually processed)"
;;
"account")
PARSELINE=1
;;
"auth")
PARSELINE=1
;;
"password")
PARSELINE=1
;;
"session")
PARSELINE=1
;;
*)
LogText "Exception: Unknown PAM type found (${PAM_TYPE})"
;;
esac
if [ ${PARSELINE} -eq 1 ]; then
MULTIPLE_OPTIONS=$(echo ${LINE} | awk '$2 ~ /^\[/')
if [ ! "${MULTIPLE_OPTIONS}" = "" ]; then
# Needs more parsing, depending on the options found
PAM_CONTROL_OPTIONS=$(echo ${LINE} | sed "s/^.*\[//" | sed "s/\].*$//")
LogText "Result: Found brackets in line, indicating multiple options for control flags: ${PAM_CONTROL_OPTIONS}"
LINE=$(echo ${LINE} | sed "s/ \[.*\] / other /")
fi
PAM_MODULE=$(echo ${LINE} | awk '{ print $3 }')
PAM_MODULE_OPTIONS=$(echo ${LINE} | cut -d ' ' -f 4-)
PAM_CONTROL_FLAG=$(echo ${LINE} | awk '{ print $2 }')
case ${PAM_CONTROL_FLAG} in
"optional"|"required"|"requisite"|"sufficient")
#Debug "Found a common control flag: ${PAM_CONTROL_FLAG} for ${PAM_MODULE}"
X=0 # do nothing
;;
pam_group) ;;
pam_issue) ;;
pam_keyinit | pam_krb5) ;;
pam_lastlog | pam_limits) ;;
# Log UID for auditd
pam_loginuid)
PAM_LOGINUID_FOUND=1
;;
pam_listfile | pam_localuser) ;;
pam_mail | pam_mkhomedir | pam_motd) ;;
pam_namespace | pam_nologin) ;;
pam_permit) ;;
# Password history - Can be configured via pam_unix or pam_pwhistory
pam_pwhistory)
LogText "Result: found ${PAM_MODULE} module (password history)"
# set default for having pam_pwhistory enabled
PAM_PASSWORD_PWHISTORY_ENABLED=1
if [ "${PAM_PASSWORD_PWHISTORY_AMOUNT}" = "" ]; then PAM_PASSWORD_PWHISTORY_AMOUNT=10; fi
if [ ! "${PAM_MODULE_OPTIONS}" = "" ]; then
for I in ${PAM_MODULE_OPTIONS}; do
OPTION=$(echo ${I} | awk -F= '{ print $1 }')
VALUE=$(echo ${I} | awk -F= '{ print $2 }')
CREDITS_CONFIGURED=0
case ${OPTION} in
remember)
LogText "Result: password history (remember) configured for pam_pwhistory"
DigitsOnly ${VALUE}
PAM_PASSWORD_PWHISTORY_AMOUNT=${VALUE}
Debug "Found password history enabled with module ${PAM_MODULE_NAME} and password amount ${PAM_PASSWORD_PWHISTORY_AMOUNT}"
;;
esac
done
fi
;;
pam_rootok) ;;
pam_rhosts) ;;
pam_securetty) ;;
pam_self) ;;
pam_shells) ;;
pam_stress | pam_succeed_if | pam_systemd) ;;
pam_time | pam_timestamp) ;;
pam_umask) ;;
# Password history - Can be configured via pam_unix or pam_pwhistory
pam_unix)
LogText "Result: found ${PAM_MODULE} module (generic)"
if [ ! "${PAM_MODULE_OPTIONS}" = "" ]; then
for I in ${PAM_MODULE_OPTIONS}; do
OPTION=$(echo ${I} | awk -F= '{ print $1 }')
VALUE=$(echo ${I} | awk -F= '{ print $2 }')
CREDITS_CONFIGURED=0
case ${OPTION} in
remember)
LogText "Result: password history configured for pam_unix"
DigitsOnly ${VALUE}
PAM_PASSWORD_UXHISTORY_AMOUNT=${VALUE}
PAM_PASSWORD_UXHISTORY_ENABLED=1
Debug "Found password history enabled with module ${PAM_MODULE_NAME} and password amount ${PAM_PASSWORD_UXHISTORY_AMOUNT}"
;;
esac
done
fi
;;
pam_unix_acct| pam_unix_auth | pam_unix_passwd | pam_unix_session | pam_unix2) ;;
pam_vbox) ;;
pam_warn | pam_wheel) ;;
pam_xauth) ;;
# Password strength testing
pam_cracklib | pam_pwquality)
LogText "Result: found module ${PAM_MODULE} for password strength testing"
# Set default values
if [ "${CREDITS_D_PASSWORD}" = "" ]; then CREDITS_D_PASSWORD=1; fi
if [ "${CREDITS_L_PASSWORD}" = "" ]; then CREDITS_L_PASSWORD=1; fi
if [ "${CREDITS_O_PASSWORD}" = "" ]; then CREDITS_O_PASSWORD=1; fi
if [ "${CREDITS_U_PASSWORD}" = "" ]; then CREDITS_U_PASSWORD=1; fi
if [ "${MIN_PASSWORD_CLASS}" = "" ]; then MIN_PASSWORD_CLASS=0; fi
if [ "${MIN_PASSWORD_LENGTH}" = "" ]; then MIN_PASSWORD_LENGTH=6; fi
PAM_PASSWORD_STRENGTH_TESTED=1
if [ ! "${PAM_MODULE_OPTIONS}" = "" ]; then
Debug "Module options configured"
for I in ${PAM_MODULE_OPTIONS}; do
OPTION=$(echo ${I} | awk -F= '{ print $1 }')
Debug ${OPTION}
VALUE=$(echo ${I} | awk -F= '{ print $2 }')
CREDITS_CONFIGURED=0
case ${OPTION} in
minlen)
# Minimum length (remove 1 if credits are configured, at later stage in function)
LogText "Result: minlen configured"
DigitsOnly ${VALUE}
MIN_PASSWORD_LENGTH=${VALUE}
;;
retry)
# Maximum password retry
LogText "Result: Max password Retry configured"
DigitsOnly ${VALUE}
MAX_PASSWORD_RETRY=${VALUE}
;;
minclass)
# Minimum number of class required out of upper, lower, digit and others
LogText "Result: Min number of password class is configured"
MIN_PASSWORD_CLASS=${VALUE}
;;
dcredit)
CREDITS_D_PASSWORD=${VALUE}
;;
lcredit)
CREDITS_L_PASSWORD=${VALUE}
;;
ocredit)
CREDITS_O_PASSWORD=${VALUE}
;;
ucredit)
CREDITS_U_PASSWORD=${VALUE}
;;
*)
LogText "Result: unknown option found: ${OPTION} with value ${VALUE}"
;;
esac
done
fi
;;
pam_tally | pam_tally2)
if [ "${PAM_CONTROL_FLAG}" = "required" ]; then
LogText "Result: found a required module for countering brute force cracking attempts"
Report "pam_auth_brute_force_protection_module[]=${PAM_MODULE_NAME}"
PAM_AUTH_BRUTE_FORCE_PROTECTION=1
fi
if [ ! "${PAM_MODULE_OPTIONS}" = "" ]; then
for I in ${PAM_MODULE_OPTIONS}; do
OPTION=$(echo ${I} | awk -F= '{ print $1 }')
VALUE=$(echo ${I} | awk -F= '{ print $2 }')
case ${OPTION} in
deny)
AUTH_BLOCK_BAD_LOGIN_ATTEMPTS="${VALUE}"
;;
unlock_time)
AUTH_UNLOCK_TIME="${VALUE}"
;;
esac
done
fi
;;
"-")
LogText "NOTE: this module is not parsed, as it uses an unknown control flag or type"
"other")
LogText "Result: brackets used, ignoring control flags"
;;
*)
LogText "Result: found pluggable authentication module ${PAM_MODULE}, which is unknown"
LogText "Unknown control flag found (${PAM_CONTROL_FLAG})"
;;
esac
esac
if [ ! "${PAM_MODULE_OPTIONS}" = "" ]; then
LogText "Result: using module ${PAM_MODULE} (${PAM_CONTROL_FLAG}) with options ${PAM_MODULE_OPTIONS}"
else
PAM_MODULE_OPTIONS="-"
LogText "Result: using module ${PAM_MODULE} (${PAM_CONTROL_FLAG}) without options configured"
fi
#Debug "Service: ${PAM_SERVICE}"
#Debug "Type: ${PAM_TYPE}"
#Debug "Control: ${PAM_CONTROL_FLAG}"
#Debug "Control options: ${PAM_CONTROL_OPTIONS}"
#Debug "Module: ${PAM_MODULE_NAME}"
#Debug "Module options: ${PAM_MODULE_OPTIONS}"
PAM_MODULE_NAME=$(echo ${PAM_MODULE} | sed 's/.so$//')
#
# Specific PAMs are commonly seen on these platforms:
#
# FreeBSD Linux
# pam_access v
# pam_deny v v
# pam_group v
# pam_krb5 v
# pam_lastlog v
# pam_login_access v
# pam_nologin v
# pam_opie v
# pam_opieaccess v
# pam_passwdqc v
# pam_permit v
# pam_rhosts v
# pam_rootok v
# pam_securetty v
# pam_self v
# pam_ssh v
# pam_unix v
case ${PAM_MODULE_NAME} in
pam_access) ;;
pam_cap) ;;
pam_debug | pam_deny) ;;
pam_echo| pam_env | pam_exec | pam_faildelay) ;;
pam_filter | pam_ftp) ;;
# Google Authenticator / YubiKey
# Common to find it only enabled for SSH
pam_google_authenticator | pam_yubico)
LogText "Result: found pam_google_authenticator"
if [ "${PAM_CONTROL_FLAG}" = "required" ]; then
PAM_2F_AUTH_ENABLED=1
PAM_2F_AUTH_REQUIRED=1
Report "authentication_2f_provider[]=${PAM_MODULE_NAME}"
Report "authentication_2f_service[]=${PAM_SERVICE}"
elif [ "${PAM_CONTROL_FLAG}" = "sufficient" ]; then
PAM_2F_AUTH_ENABLED=1
Report "authentication_2f_provider[]=${PAM_MODULE_NAME}"
Report "authentication_2f_service[]=${PAM_SERVICE}"
else
LogText "exception: found 2F authenticator enabled with uncommon control flag: ${PAM_CONTROL_FLAG}"
fi
;;
pam_group) ;;
pam_issue) ;;
pam_keyinit | pam_krb5) ;;
pam_lastlog | pam_limits) ;;
# Log UID for auditd
pam_loginuid)
PAM_LOGINUID_FOUND=1
;;
pam_listfile | pam_localuser) ;;
pam_mail | pam_mkhomedir | pam_motd) ;;
pam_namespace | pam_nologin) ;;
pam_permit) ;;
# Password history - Can be configured via pam_unix or pam_pwhistory
pam_pwhistory)
LogText "Result: found ${PAM_MODULE} module (password history)"
# set default for having pam_pwhistory enabled
PAM_PASSWORD_PWHISTORY_ENABLED=1
if [ "${PAM_PASSWORD_PWHISTORY_AMOUNT}" = "" ]; then PAM_PASSWORD_PWHISTORY_AMOUNT=10; fi
if [ ! "${PAM_MODULE_OPTIONS}" = "" ]; then
for I in ${PAM_MODULE_OPTIONS}; do
OPTION=$(echo ${I} | awk -F= '{ print $1 }')
VALUE=$(echo ${I} | awk -F= '{ print $2 }')
CREDITS_CONFIGURED=0
case ${OPTION} in
remember)
LogText "Result: password history (remember) configured for pam_pwhistory"
DigitsOnly ${VALUE}
PAM_PASSWORD_PWHISTORY_AMOUNT=${VALUE}
Debug "Found password history enabled with module ${PAM_MODULE_NAME} and password amount ${PAM_PASSWORD_PWHISTORY_AMOUNT}"
;;
esac
done
fi
;;
pam_rootok) ;;
pam_rhosts) ;;
pam_securetty) ;;
pam_self) ;;
pam_shells) ;;
pam_stress | pam_succeed_if | pam_systemd) ;;
pam_time | pam_timestamp) ;;
pam_umask) ;;
# Password history - Can be configured via pam_unix or pam_pwhistory
pam_unix)
LogText "Result: found ${PAM_MODULE} module (generic)"
if [ ! "${PAM_MODULE_OPTIONS}" = "" ]; then
for I in ${PAM_MODULE_OPTIONS}; do
OPTION=$(echo ${I} | awk -F= '{ print $1 }')
VALUE=$(echo ${I} | awk -F= '{ print $2 }')
CREDITS_CONFIGURED=0
case ${OPTION} in
remember)
LogText "Result: password history configured for pam_unix"
DigitsOnly ${VALUE}
PAM_PASSWORD_UXHISTORY_AMOUNT=${VALUE}
PAM_PASSWORD_UXHISTORY_ENABLED=1
Debug "Found password history enabled with module ${PAM_MODULE_NAME} and password amount ${PAM_PASSWORD_UXHISTORY_AMOUNT}"
;;
esac
done
fi
;;
pam_unix_acct| pam_unix_auth | pam_unix_passwd | pam_unix_session | pam_unix2) ;;
pam_vbox) ;;
pam_warn | pam_wheel) ;;
pam_xauth) ;;
# Password strength testing
pam_cracklib | pam_pwquality)
LogText "Result: found module ${PAM_MODULE} for password strength testing"
# Set default values
if [ "${CREDITS_D_PASSWORD}" = "" ]; then CREDITS_D_PASSWORD=1; fi
if [ "${CREDITS_L_PASSWORD}" = "" ]; then CREDITS_L_PASSWORD=1; fi
if [ "${CREDITS_O_PASSWORD}" = "" ]; then CREDITS_O_PASSWORD=1; fi
if [ "${CREDITS_U_PASSWORD}" = "" ]; then CREDITS_U_PASSWORD=1; fi
if [ "${MIN_PASSWORD_CLASS}" = "" ]; then MIN_PASSWORD_CLASS=0; fi
if [ "${MIN_PASSWORD_LENGTH}" = "" ]; then MIN_PASSWORD_LENGTH=6; fi
PAM_PASSWORD_STRENGTH_TESTED=1
if [ ! "${PAM_MODULE_OPTIONS}" = "" ]; then
Debug "Module options configured"
for I in ${PAM_MODULE_OPTIONS}; do
OPTION=$(echo ${I} | awk -F= '{ print $1 }')
Debug ${OPTION}
VALUE=$(echo ${I} | awk -F= '{ print $2 }')
CREDITS_CONFIGURED=0
case ${OPTION} in
minlen)
# Minimum length (remove 1 if credits are configured, at later stage in function)
LogText "Result: minlen configured"
DigitsOnly ${VALUE}
MIN_PASSWORD_LENGTH=${VALUE}
;;
retry)
# Maximum password retry
LogText "Result: Max password Retry configured"
DigitsOnly ${VALUE}
MAX_PASSWORD_RETRY=${VALUE}
;;
minclass)
# Minimum number of class required out of upper, lower, digit and others
LogText "Result: Min number of password class is configured"
MIN_PASSWORD_CLASS=${VALUE}
;;
dcredit)
CREDITS_D_PASSWORD=${VALUE}
;;
lcredit)
CREDITS_L_PASSWORD=${VALUE}
;;
ocredit)
CREDITS_O_PASSWORD=${VALUE}
;;
ucredit)
CREDITS_U_PASSWORD=${VALUE}
;;
*)
LogText "Result: unknown option found: ${OPTION} with value ${VALUE}"
;;
esac
done
fi
;;
pam_tally | pam_tally2)
if [ "${PAM_CONTROL_FLAG}" = "required" ]; then
LogText "Result: found a required module for countering brute force cracking attempts"
Report "pam_auth_brute_force_protection_module[]=${PAM_MODULE_NAME}"
PAM_AUTH_BRUTE_FORCE_PROTECTION=1
fi
if [ ! "${PAM_MODULE_OPTIONS}" = "" ]; then
for I in ${PAM_MODULE_OPTIONS}; do
OPTION=$(echo ${I} | awk -F= '{ print $1 }')
VALUE=$(echo ${I} | awk -F= '{ print $2 }')
case ${OPTION} in
deny)
AUTH_BLOCK_BAD_LOGIN_ATTEMPTS="${VALUE}"
;;
unlock_time)
AUTH_UNLOCK_TIME="${VALUE}"
;;
esac
done
fi
;;
"-")
LogText "NOTE: this module is not parsed, as it uses an unknown control flag or type"
;;
*)
LogText "Result: found pluggable authentication module ${PAM_MODULE}, which is unknown"
;;
esac
fi
done < ${PAM_FILE}
#ParsePAMLine ${J}
#StoreSetting "pam" "
done
#Debug "Service: ${PAM_SERVICE}"
#Debug "Type: ${PAM_TYPE}"
#Debug "Control: ${PAM_CONTROL_FLAG}"
#Debug "Control options: ${PAM_CONTROL_OPTIONS}"
#Debug "Module: ${PAM_MODULE_NAME}"
#Debug "Module options: ${PAM_MODULE_OPTIONS}"
fi
done < ${PAM_FILE}
#ParsePAMLine ${J}
#StoreSetting "pam" "
done
fi
fi
#
@ -391,54 +391,54 @@ LogText "[PAM] Password strength testing enabled: ${PAM_PASSWORD_STRENGTH_TESTED
if [ ${PAM_PASSWORD_STRENGTH_TESTED} -eq 1 ]; then
Report "password_strength_tested=1"
if [ ${CREDITS_D_PASSWORD} -ge 1 -a ${CREDITS_L_PASSWORD} -ge 1 -a ${CREDITS_O_PASSWORD} -ge 1 -a ${CREDITS_U_PASSWORD} -ge 1 ]; then
# Show how many password class are required out of 4
LogText "[PAM] Minimum password class out of 4: ${MIN_PASSWORD_CLASS}"
Report "min_password_class=${MIN_PASSWORD_CLASS}"
else
LogText "[PAM] Minimum password class setting of ${MIN_PASSWORD_CLASS} out of 4 is ignored since at least 1 class are forced"
Report "min_password_class=ignored"
fi
if [ ${CREDITS_D_PASSWORD} -ge 1 -a ${CREDITS_L_PASSWORD} -ge 1 -a ${CREDITS_O_PASSWORD} -ge 1 -a ${CREDITS_U_PASSWORD} -ge 1 ]; then
# Show how many password class are required out of 4
LogText "[PAM] Minimum password class out of 4: ${MIN_PASSWORD_CLASS}"
Report "min_password_class=${MIN_PASSWORD_CLASS}"
else
LogText "[PAM] Minimum password class setting of ${MIN_PASSWORD_CLASS} out of 4 is ignored since at least 1 class are forced"
Report "min_password_class=ignored"
fi
# Digits
if [ ${CREDITS_D_PASSWORD} -lt 0 ]; then
CREDITS_D_PASSWORD=$(echo ${CREDITS_D_PASSWORD} | cut -b 2-)
LogText "[PAM] Minimum number of Digital characters required: ${CREDITS_D_PASSWORD}"
Report "password_min_digital_required=${CREDITS_D_PASSWORD}"
elif [ ${CREDITS_D_PASSWORD} -ge 0 ]; then
LogText "[PAM] Maximum credit for Digital characters: ${CREDITS_D_PASSWORD}"
Report "password_max_digital_credit=${CREDITS_D_PASSWORD}"
fi
# Digits
if [ ${CREDITS_D_PASSWORD} -lt 0 ]; then
CREDITS_D_PASSWORD=$(echo ${CREDITS_D_PASSWORD} | cut -b 2-)
LogText "[PAM] Minimum number of Digital characters required: ${CREDITS_D_PASSWORD}"
Report "password_min_digital_required=${CREDITS_D_PASSWORD}"
elif [ ${CREDITS_D_PASSWORD} -ge 0 ]; then
LogText "[PAM] Maximum credit for Digital characters: ${CREDITS_D_PASSWORD}"
Report "password_max_digital_credit=${CREDITS_D_PASSWORD}"
fi
# Lowercase
if [ ${CREDITS_L_PASSWORD} -lt 0 ]; then
CREDITS_L_PASSWORD=$(echo ${CREDITS_L_PASSWORD} | cut -b 2-)
LogText "[PAM] Minimum number of Lowercase characters required: ${CREDITS_L_PASSWORD}"
Report "password_min_l_required=${CREDITS_L_PASSWORD}"
elif [ ${CREDITS_L_PASSWORD} -ge 0 ]; then
LogText "[PAM] Maximum credit for Lowercase characters: ${CREDITS_L_PASSWORD}"
Report "password_max_l_credit=${CREDITS_L_PASSWORD}"
fi
# Lowercase
if [ ${CREDITS_L_PASSWORD} -lt 0 ]; then
CREDITS_L_PASSWORD=$(echo ${CREDITS_L_PASSWORD} | cut -b 2-)
LogText "[PAM] Minimum number of Lowercase characters required: ${CREDITS_L_PASSWORD}"
Report "password_min_l_required=${CREDITS_L_PASSWORD}"
elif [ ${CREDITS_L_PASSWORD} -ge 0 ]; then
LogText "[PAM] Maximum credit for Lowercase characters: ${CREDITS_L_PASSWORD}"
Report "password_max_l_credit=${CREDITS_L_PASSWORD}"
fi
# Other characters
if [ ${CREDITS_O_PASSWORD} -lt 0 ]; then
CREDITS_O_PASSWORD=$(echo ${CREDITS_O_PASSWORD} | cut -b 2-)
LogText "[PAM] Minimum number of Other characters required: ${CREDITS_O_PASSWORD}"
Report "password_min_other_required=${CREDITS_O_PASSWORD}"
elif [ ${CREDITS_O_PASSWORD} -ge 0 ]; then
LogText "[PAM] Maximum credit for Other characters: ${CREDITS_O_PASSWORD}"
Report "password_max_other_credit=${CREDITS_O_PASSWORD}"
fi
# Other characters
if [ ${CREDITS_O_PASSWORD} -lt 0 ]; then
CREDITS_O_PASSWORD=$(echo ${CREDITS_O_PASSWORD} | cut -b 2-)
LogText "[PAM] Minimum number of Other characters required: ${CREDITS_O_PASSWORD}"
Report "password_min_other_required=${CREDITS_O_PASSWORD}"
elif [ ${CREDITS_O_PASSWORD} -ge 0 ]; then
LogText "[PAM] Maximum credit for Other characters: ${CREDITS_O_PASSWORD}"
Report "password_max_other_credit=${CREDITS_O_PASSWORD}"
fi
# Uppercase
if [ ${CREDITS_U_PASSWORD} -lt 0 ]; then
CREDITS_U_PASSWORD=$(echo ${CREDITS_U_PASSWORD} | cut -b 2-)
LogText "[PAM] Minimum number of Uppercase characters required: ${CREDITS_U_PASSWORD}"
Report "password_min_u_required=${CREDITS_U_PASSWORD}"
elif [ ${CREDITS_U_PASSWORD} -ge 0 ]; then
LogText "[PAM] Maximum credit for Uppercase characters: ${CREDITS_U_PASSWORD}"
Report "password_max_u_credit=${CREDITS_U_PASSWORD}"
fi
# Uppercase
if [ ${CREDITS_U_PASSWORD} -lt 0 ]; then
CREDITS_U_PASSWORD=$(echo ${CREDITS_U_PASSWORD} | cut -b 2-)
LogText "[PAM] Minimum number of Uppercase characters required: ${CREDITS_U_PASSWORD}"
Report "password_min_u_required=${CREDITS_U_PASSWORD}"
elif [ ${CREDITS_U_PASSWORD} -ge 0 ]; then
LogText "[PAM] Maximum credit for Uppercase characters: ${CREDITS_U_PASSWORD}"
Report "password_max_u_credit=${CREDITS_U_PASSWORD}"
fi
fi
# Show how many retries are allowed to change password
@ -460,7 +460,7 @@ if [ ${PAM_PASSWORD_PWHISTORY_ENABLED} -eq 1 ]; then
LogText "[PAM] Password history with pam_pwhistory enabled: ${PAM_PASSWORD_PWHISTORY_ENABLED}"
LogText "[PAM] Password history with pam_pwhistory amount: ${PAM_PASSWORD_PWHISTORY_AMOUNT}"
Report "password_history_amount=${PAM_PASSWORD_PWHISTORY_AMOUNT}"
else
else
LogText "[PAM] Password history with pam_pwhistory IS NOT enabled"
fi
@ -468,7 +468,7 @@ if [ ${PAM_PASSWORD_UXHISTORY_ENABLED} -eq 1 ]; then
LogText "[PAM] Password history with pam_unix enabled: ${PAM_PASSWORD_UXHISTORY_ENABLED}"
LogText "[PAM] Password history with pam_unix amount: ${PAM_PASSWORD_UXHISTORY_AMOUNT}"
Report "password_history_amount=${PAM_PASSWORD_UXHISTORY_AMOUNT}"
else
else
LogText "[PAM] Password history with pam_unix IS NOT enabled"
fi