diff --git a/extras/build-lynis.sh b/extras/build-lynis.sh
index 409b3c80..748bb1e2 100755
--- a/extras/build-lynis.sh
+++ b/extras/build-lynis.sh
@@ -112,9 +112,9 @@
 NEEDED_DIRS="debbuild rpmbuild rpmbuild/BUILD rpmbuild/BUILDROOT rpmbuild/RPMS rpmbuild/SOURCES rpmbuild/SRPMS"
 for I in ${NEEDED_DIRS}; do
 if [ ! -d "${MYBUILDDIR}/${I}" ]; then
- echo "[X] Missing directory: ${MYBUILDDIR}/${I}"
- echo " Hint: create subdirs with cd ${MYBUILDDIR} && mkdir -p ${NEEDED_DIRS}"
- ExitFatal
+ echo "[X] Missing directory: ${MYBUILDDIR}/${I}"
+ echo " Hint: create subdirs with cd ${MYBUILDDIR} && mkdir -p ${NEEDED_DIRS}"
+ ExitFatal
 fi
 done
@@ -128,20 +128,20 @@
 GITBUILDPACKAGEBINARY=$(which git-buildpackage)
 if [ ! "${GITBUILDPACKAGEBINARY}" = "" ]; then
- echo "[=] git-buildpackage = ${GITBUILDPACKAGEBINARY}"
- else
- echo "[X] Can not find git-buildpackage binary"
- echo " Hint: install git-buildpackage"
- ExitFatal
+ echo "[=] git-buildpackage = ${GITBUILDPACKAGEBINARY}"
+ else
+ echo "[X] Can not find git-buildpackage binary"
+ echo " Hint: install git-buildpackage"
+ ExitFatal
 fi
 RPMBUILDBINARY=$(which rpmbuild)
 if [ ! "${RPMBUILDBINARY}" = "" ]; then
- echo "[=] rpmbuild = ${RPMBUILDBINARY}"
- else
- echo "[X] Can not find rpmbuild binary"
- echo " Hint: install rpmbuild"
- ExitFatal
+ echo "[=] rpmbuild = ${RPMBUILDBINARY}"
+ else
+ echo "[X] Can not find rpmbuild binary"
+ echo " Hint: install rpmbuild"
+ ExitFatal
 fi
@@ -195,10 +195,10 @@
 else
 tar -C ${MYWORKDIR} --exclude=debian --exclude=README.md --exclude=.bzr* --exclude=.git* -c -z -f ${TARBALL} lynis 2> /dev/null
 if [ -f ${TARBALL} ]; then
- echo "[V] Tarball created"
- else
- echo "[X] Tarball ${TARBALL} could not be created"
- ExitFatal
+ echo "[V] Tarball created"
+ else
+ echo "[X] Tarball ${TARBALL} could not be created"
+ ExitFatal
 fi
 fi
@@ -215,8 +215,8 @@
 VERSION_IN_SPECFILE=$(awk '/^Version:/ { print $2 }' lynis.spec)
 echo "[=] Found version ${VERSION_IN_SPECFILE}"
 if [ ${VERSION_IN_SPECFILE} = "" -o ! "${VERSION_IN_SPECFILE}" = "${LYNIS_VERSION}" ]; then
- echo "[X] Version in specfile is outdated"
- ExitFatal
+ echo "[X] Version in specfile is outdated"
+ ExitFatal
 fi
 echo "[*] Start RPM building"
 #${RPMBUILDBINARY} --quiet -ba -bl lynis.spec 2> /dev/null
diff --git a/include/functions b/include/functions
index 5ea2e6d2..ba830c69 100644
--- a/include/functions
+++ b/include/functions
@@ -81,7 +81,7 @@
 # ReportManual Log manual actions to report file
 # ReportSuggestion Add a suggestion to report file
 # ReportWarning Add a warning and priority to report file
-# SafePerms Check if a directory has safe permissions
+# SafePerms Check if a file has safe permissions
 # SearchItem Search a string in a file
 # ShowComplianceFinding Display a particular finding regarding compliance or a security standard
 # ShowSymlinkPath Show a path behind a symlink
@@ -214,25 +214,25 @@
 ITEM_FOUND=0
 RETVAL=255
 if [ $# -eq 2 ]; then
- # Don't search in /dev/null, it's too empty there
- if [ ! "${REPORTFILE}" = "/dev/null" ]; then
- # Check if we can find the main type (with or without brackets)
- LogText "Test: search string $2 in earlier discovered results"
- FIND=$(egrep "^$1(\[\])?=" ${REPORTFILE} | egrep "$2")
- if [ ! "${FIND}" = "" ]; then
- ITEM_FOUND=1
- RETVAL=0
- LogText "Result: found search string (result: $FIND)"
- else
- LogText "Result: search string NOT found"
- RETVAL=1
- fi
- else
- LogText "Skipping search, as /dev/null is being used"
- fi
- return ${RETVAL}
- else
- ReportException ${TEST_NO} "Error in function call to CheckItem"
+ # Don't search in /dev/null, it's too empty there
+ if [ ! "${REPORTFILE}" = "/dev/null" ]; then
+ # Check if we can find the main type (with or without brackets)
+ LogText "Test: search string $2 in earlier discovered results"
+ FIND=$(egrep "^$1(\[\])?=" ${REPORTFILE} | egrep "$2")
+ if [ ! "${FIND}" = "" ]; then
+ ITEM_FOUND=1
+ RETVAL=0
+ LogText "Result: found search string (result: $FIND)"
+ else
+ LogText "Result: search string NOT found"
+ RETVAL=1
+ fi
+ else
+ LogText "Skipping search, as /dev/null is being used"
+ fi
+ return ${RETVAL}
+ else
+ ReportException ${TEST_NO} "Error in function call to CheckItem"
 fi
 }
@@ -424,9 +424,9 @@
 for PLOC in ${tPROFILE_TARGETS}; do
 # Only use one default.prf
 if [ "${PNAME}" = "default.prf" -a ! "${DEFAULT_PROFILE}" = "" ]; then
- Debug "Already discovered default.prf - skipping this file (${PLOC}/${PNAME})"
+ Debug "Already discovered default.prf - skipping this file (${PLOC}/${PNAME})"
 elif [ "${PNAME}" = "custom.prf" -a ! "${CUSTOM_PROFILE}" = "" ]; then
- Debug "Already discovered custom.prf - skipping this file (${PLOC}/${PNAME})"
+ Debug "Already discovered custom.prf - skipping this file (${PLOC}/${PNAME})"
 else
 if [ "${PLOC}" = "." ]; then FILE="${WORKDIR}/${PNAME}"; else FILE="${PLOC}/${PNAME}"; fi
 if [ -r ${FILE} ]; then
@@ -1310,7 +1310,7 @@
 # Values: VMware Virtual Platform / VirtualBox
 if [ "${SHORT}" = "" ]; then
 if [ -x /usr/bin/dmidecode ]; then DMIDECODE_BINARY="/usr/bin/dmidecode"
- elif [ -x /usr/sbin/dmidecode ]; then DMIDECODE_BINARY="/usr/sbin/dmidecode"
+ elif [ -x /usr/sbin/dmidecode ]; then DMIDECODE_BINARY="/usr/sbin/dmidecode"
 else DMIDECODE_BINARY=""
 fi
 if [ ! "${DMIDECODE_BINARY}" = "" -a ${PRIVILEGED} -eq 1 ]; then
@@ -1718,7 +1718,7 @@
 FILE=$(echo ${VALUE} | awk '{ print $1 }')
 if [ ! "${FILE}" = "" ]; then
 if [ ! -f ${FILE} ]; then
- NGINX_ERROR_LOG_MISSING=1
+ NGINX_ERROR_LOG_MISSING=1
 fi
 else
 LogText "Warning: did not find a filename after error_log in nginx configuration"
@@ -1944,9 +1944,9 @@
 --root-only)
 shift
 if [ "$1" = "YES" -o "$1" = "yes" ]; then
- ROOT_ONLY=1
- elif [ "$1" = "NO" -o "$1" = "no" ]; then
- ROOT_ONLY=0
+ ROOT_ONLY=1
+ elif [ "$1" = "NO" -o "$1" = "no" ]; then
+ ROOT_ONLY=0
 else
 Debug "Invalid option for --root-only parameter of Register function"
 fi
@@ -1989,8 +1989,8 @@
 # Skip if test is not in the list
 if [ ${SKIPTEST} -eq 0 -a ! "${TESTS_TO_PERFORM}" = "" ]; then
- FIND=$(echo "${TESTS_TO_PERFORM}" | grep "${TEST_NO}")
- if [ "${FIND}" = "" ]; then SKIPTEST=1; SKIPREASON="Test not in list of tests to perform"; fi
+ FIND=$(echo "${TESTS_TO_PERFORM}" | grep "${TEST_NO}")
+ if [ "${FIND}" = "" ]; then SKIPTEST=1; SKIPREASON="Test not in list of tests to perform"; fi
 fi
 # Do not run scans which have a higher intensity than what we prefer
@@ -2001,7 +2001,7 @@
 if [ ${SKIPTEST} -eq 0 -a ! -z "${TEST_NEED_OS}" -a ! "${OS}" = "${TEST_NEED_OS}" ]; then SKIPTEST=1; SKIPREASON="Incorrect guest OS (${TEST_NEED_OS} only)"
 if [ ${LOG_INCORRECT_OS} -eq 0 ]; then
- SKIPLOGTEST=1
+ SKIPLOGTEST=1
 fi
 fi
@@ -2088,12 +2088,12 @@
 RemovePIDFile() {
 # Test if PIDFILE is defined, before checking file presence
 if [ ! "${PIDFILE}" = "" ]; then
- if [ -f ${PIDFILE} ]; then
- rm -f $PIDFILE;
- LogText "PID file removed (${PIDFILE})"
- else
- LogText "PID file not found (${PIDFILE})"
- fi
+ if [ -f ${PIDFILE} ]; then
+ rm -f $PIDFILE;
+ LogText "PID file removed (${PIDFILE})"
+ else
+ LogText "PID file not found (${PIDFILE})"
+ fi
 fi
 }
@@ -2543,87 +2543,87 @@
 # Check for symlink
 if [ -L ${sFILE} ]; then
- # macOS does not know -f option, nor do some others
- if [ "${OS}" = "macOS" ]; then
- # If a Python binary is found, use the one in path
- if [ ${BINARY_SCAN_FINISHED} -eq 0 -a "${PYTHONBINARY}" = "" ]; then
- FIND=$(which python 2> /dev/null)
- if [ ! "${FIND}" = "" ]; then LogText "Setting temporary pythonbinary variable"; PYTHONBINARY="${FIND}"; fi
- fi
-
- if [ ! "${PYTHONBINARY}" = "" ]; then
- SYMLINK_USE_PYTHON=1
- LogText "Note: using Python to determine symlinks"
- tFILE=$(python -c "import os,sys; print(os.path.realpath(os.path.expanduser(sys.argv[1])))" $1)
- fi
- else
- if [ ${BINARY_SCAN_FINISHED} -eq 0 -a "${READLINKBINARY}" = "" ]; then
- FIND=$(which readlink 2> /dev/null)
- if [ ! "${FIND}" = "" ]; then LogText "Setting temporary readlinkbinary variable"; READLINKBINARY="${FIND}"; fi
- fi
-
- if [ ! "${READLINKBINARY}" = "" ]; then
- SYMLINK_USE_READLINK=1
- LogText "Note: Using real readlink binary to determine symlink on ${sFILE}"
- tFILE=$(${READLINKBINARY} -f ${sFILE})
- LogText "Result: readlink shows ${tFILE} as output"
- fi
+ # macOS does not know -f option, nor do some others
+ if [ "${OS}" = "macOS" ]; then
+ # If a Python binary is found, use the one in path
+ if [ ${BINARY_SCAN_FINISHED} -eq 0 -a "${PYTHONBINARY}" = "" ]; then
+ FIND=$(which python 2> /dev/null)
+ if [ !
"${FIND}" = "" ]; then LogText "Setting temporary pythonbinary variable"; PYTHONBINARY="${FIND}"; fi fi
- # Check if we can find the file now
- if [ "${tFILE}" = "" ]; then
- LogText "Result: command did not return any value"
- elif [ -f ${tFILE} ]; then
- sFILE="${tFILE}"
- LogText "Result: symlink found, pointing to file ${sFILE}"
- FOUNDPATH=1
- elif [ -b ${tFILE} ]; then
- sFILE="${tFILE}"
- LogText "Result: symlink found, pointing to block device ${sFILE}"
- FOUNDPATH=1
- elif [ -c ${tFILE} ]; then
- sFILE="${tFILE}"
- LogText "Result: symlink found, pointing to character device ${sFILE}"
- FOUNDPATH=1
- elif [ -d ${tFILE} ]; then
- sFILE="${tFILE}"
- LogText "Result: symlink found, pointing to directory ${sFILE}"
- FOUNDPATH=1
- else
- # Check the full path of the symlink, strip the filename, copy the path and linked filename together
- tDIR=$(echo ${sFILE} | awk '{match($1, "^.*/"); print substr($1, 1, RLENGTH-1)}')
- tFILE="${tDIR}/${tFILE}"
- if [ -L ${tFILE} ]; then
- LogText "Result: this symlink links to another symlink"
- # Ensure that we use a second try with the right tool as well
- if [ ${SYMLINK_USE_PYTHON} -eq 1 ]; then
- tFILE=$(python -c "import os,sys; print(os.path.realpath(os.path.expanduser(sys.argv[1])))" ${tFILE})
- elif [ ${SYMLINK_USE_READLINK} -eq 1 ]; then
- tFILE=$(${READLINKBINARY} -f ${tFILE})
- fi
- # Check if we now have a normal file
- if [ -f ${tFILE} ]; then
- sFILE="${tFILE}"
- LogText "Result: symlink finally found, seems to be file ${sFILE}"
- FOUNDPATH=1
- elif [ -d ${tFILE} ]; then
- sFILE="${tFILE}"
- LogText "Result: symlink finally found, seems to be directory ${sFILE}"
- FOUNDPATH=1
- else
- LogText "Result: could not find file ${tFILE}, most likely too complicated symlink or too often linked"
- fi
- elif [ -f ${tFILE} ]; then
+
+ if [ !
"${PYTHONBINARY}" = "" ]; then
+ SYMLINK_USE_PYTHON=1
+ LogText "Note: using Python to determine symlinks"
+ tFILE=$(python -c "import os,sys; print(os.path.realpath(os.path.expanduser(sys.argv[1])))" $1)
+ fi
+ else
+ if [ ${BINARY_SCAN_FINISHED} -eq 0 -a "${READLINKBINARY}" = "" ]; then
+ FIND=$(which readlink 2> /dev/null)
+ if [ ! "${FIND}" = "" ]; then LogText "Setting temporary readlinkbinary variable"; READLINKBINARY="${FIND}"; fi
+ fi
+
+ if [ ! "${READLINKBINARY}" = "" ]; then
+ SYMLINK_USE_READLINK=1
+ LogText "Note: Using real readlink binary to determine symlink on ${sFILE}"
+ tFILE=$(${READLINKBINARY} -f ${sFILE})
+ LogText "Result: readlink shows ${tFILE} as output"
+ fi
+ fi
+ # Check if we can find the file now
+ if [ "${tFILE}" = "" ]; then
+ LogText "Result: command did not return any value"
+ elif [ -f ${tFILE} ]; then
+ sFILE="${tFILE}"
+ LogText "Result: symlink found, pointing to file ${sFILE}"
+ FOUNDPATH=1
+ elif [ -b ${tFILE} ]; then
+ sFILE="${tFILE}"
+ LogText "Result: symlink found, pointing to block device ${sFILE}"
+ FOUNDPATH=1
+ elif [ -c ${tFILE} ]; then
+ sFILE="${tFILE}"
+ LogText "Result: symlink found, pointing to character device ${sFILE}"
+ FOUNDPATH=1
+ elif [ -d ${tFILE} ]; then
+ sFILE="${tFILE}"
+ LogText "Result: symlink found, pointing to directory ${sFILE}"
+ FOUNDPATH=1
+ else
+ # Check the full path of the symlink, strip the filename, copy the path and linked filename together
+ tDIR=$(echo ${sFILE} | awk '{match($1, "^.*/"); print substr($1, 1, RLENGTH-1)}')
+ tFILE="${tDIR}/${tFILE}"
+ if [ -L ${tFILE} ]; then
+ LogText "Result: this symlink links to another symlink"
+ # Ensure that we use a second try with the right tool as well
+ if [ ${SYMLINK_USE_PYTHON} -eq 1 ]; then
+ tFILE=$(python -c "import os,sys; print(os.path.realpath(os.path.expanduser(sys.argv[1])))" ${tFILE})
+ elif [ ${SYMLINK_USE_READLINK} -eq 1 ]; then
+ tFILE=$(${READLINKBINARY} -f ${tFILE})
+ fi
+ # Check if we now have a normal file
+ if [ -f
${tFILE} ]; then
 sFILE="${tFILE}"
- LogText "Result: symlink found, seems to be file ${sFILE}"
+ LogText "Result: symlink finally found, seems to be file ${sFILE}"
 FOUNDPATH=1
 elif [ -d ${tFILE} ]; then
 sFILE="${tFILE}"
- LogText "Result: symlink found, seems to be directory ${sFILE}"
+ LogText "Result: symlink finally found, seems to be directory ${sFILE}"
 FOUNDPATH=1
 else
- LogText "Result: file ${tFILE} in ${tDIR} not found"
+ LogText "Result: could not find file ${tFILE}, most likely too complicated symlink or too often linked"
 fi
+ elif [ -f ${tFILE} ]; then
+ sFILE="${tFILE}"
+ LogText "Result: symlink found, seems to be file ${sFILE}"
+ FOUNDPATH=1
+ elif [ -d ${tFILE} ]; then
+ sFILE="${tFILE}"
+ LogText "Result: symlink found, seems to be directory ${sFILE}"
+ FOUNDPATH=1
+ else
+ LogText "Result: file ${tFILE} in ${tDIR} not found"
 fi
+ fi
 else
 LogText "Result: file ${sFILE} is not a symlink"
 fi
@@ -2839,8 +2839,8 @@
 WaitForKeyPress() {
 if [ ${QUICKMODE} -eq 0 ]; then
- echo ""; echo "[ Press [ENTER] to continue, or [CTRL]+C to stop ]"
- read void
+ echo ""; echo "[ Press [ENTER] to continue, or [CTRL]+C to stop ]"
+ read void
 fi
 }
@@ -2864,8 +2864,8 @@
 LogText "${FUNCNAME}: check if ${1} is equal to ${2}"
 if [ "$1" == "$2" ]; then
- LogText "${FUNCNAME}: ${1} is equal to ${2}"
- RETVAL=0
+ LogText "${FUNCNAME}: ${1} is equal to ${2}"
+ RETVAL=0
 fi
 if ! [ -z ${3+x} ]; then
@@ -2959,14 +2959,14 @@
 RETVAL=1
 if [ "$#" -ne "2" ]; then
 ReportException "${TEST_NO}" "Error in function call to TestCase_GreaterOrEqual"
- else
+ else
 LogText "${FUNCNAME}: checking value for application ${APP}"
 LogText "${FUNCNAME}: ${OPTION} is set to ${1}"
 LogText "${FUNCNAME}: checking if ${1} is less than ${2}"
 if ! [ TestCase_GreaterOrEqual "${1}" "${2}" ]; then
- LogText "${FUNCNAME}: ${1} is less than ${2}"
- RETVAL=0
+ LogText "${FUNCNAME}: ${1} is less than ${2}"
+ RETVAL=0
 fi
 fi
 return ${RETVAL}
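Review bot: The macOS branch still resolves `$1` rather than `${sFILE}` and runs a bare `python` found via PATH even though the block has just stored the discovered interpreter in `PYTHONBINARY`, and none of the path arguments (`$1`, `${sFILE}`, `${tFILE}`) handed to `python -c` or `${READLINKBINARY} -f` are quoted, so a link target containing whitespace or glob characters is word-split before it reaches realpath/readlink. Lynis normally runs as root, so resolving the interpreter through PATH at this point is also something a hardened run should avoid when the located binary is already in hand; I would use `tFILE=$("${PYTHONBINARY}" -c "import os,sys; print(os.path.realpath(os.path.expanduser(sys.argv[1])))" "${sFILE}")` for the first call and `tFILE=$("${READLINKBINARY}" -f "${sFILE}")` for the readlink call, with the same quoting on the second-try calls. Tallying the removed and added lines, this hunk appears to be a re-indentation that carries the same statements on both sides, so these are pre-existing issues rather than behaviour the commit introduces. The `ShowSymlinkPath` function opens before this hunk and its closing brace is not visible, so the presumption that `sFILE` was set from `$1` there should be confirmed.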
@@ -2983,13 +2983,13 @@
 RETVAL=1
 if [ "$#" -ne "2" ]; then
 ReportException "${TEST_NO}" "Error in function call to ${FUNCNAME}"
- else
+ else
 LogText "${FUNCNAME}: checking value for application ${APP}"
 LogText "${FUNCNAME}: ${OPTION} is set to ${1}"
 LogText "${FUNCNAME}: checking if ${1} is less or equal ${2}"
 if [ TestCase_Equal "${1}" "${2}" ] || [ TestCase_LessThan "${1}" "${2}" ]; then
- LogText "${FUNCNAME}: ${1} is less than ${2}"
- RETVAL=0
+ LogText "${FUNCNAME}: ${1} is less than ${2}"
+ RETVAL=0
 fi
 fi
 return ${RETVAL}
diff --git a/include/osdetection b/include/osdetection
index 1dcb917f..aad5cf18 100644
--- a/include/osdetection
+++ b/include/osdetection
@@ -302,21 +302,21 @@
 # PCLinuxOS
 if [ -f /etc/pclinuxos-release ]; then
- FIND=$(grep "^PCLinuxOS" /etc/pclinuxos-release)
+ FIND=$(grep "^PCLinuxOS" /etc/pclinuxos-release)
 if [ ! "${FIND}" = "" ]; then
- OS_FULLNAME="PCLinuxOS Linux"
- LINUX_VERSION="PCLinuxOS"
- OS_VERSION=$(grep "^PCLinuxOS" /etc/pclinuxos-release | awk '{ if ($2=="release") { print $3 } }')
+ OS_FULLNAME="PCLinuxOS Linux"
+ LINUX_VERSION="PCLinuxOS"
+ OS_VERSION=$(grep "^PCLinuxOS" /etc/pclinuxos-release | awk '{ if ($2=="release") { print $3 } }')
 fi
 fi
 # Sabayon Linux
 if [ -f /etc/sabayon-edition ]; then
- FIND=$(grep "Sabayon Linux" /etc/sabayon-edition)
+ FIND=$(grep "Sabayon Linux" /etc/sabayon-edition)
 if [ ! "${FIND}" = "" ]; then
- OS_FULLNAME="Sabayon Linux"
- LINUX_VERSION="Sabayon"
- OS_VERSION=$(awk '{ print $3 }' /etc/sabayon-edition)
+ OS_FULLNAME="Sabayon Linux"
+ LINUX_VERSION="Sabayon"
+ OS_VERSION=$(awk '{ print $3 }' /etc/sabayon-edition)
 fi
 fi
diff --git a/include/tests_authentication b/include/tests_authentication
index 80d81a26..9ab7bf43 100644
--- a/include/tests_authentication
+++ b/include/tests_authentication
@@ -996,7 +996,7 @@
 for FILE in ${FIND}; do
 HAS_MASK=$(${GREPBINARY} umask ${FILE} | ${SEDBINARY} 's/^[ \t]*//' | ${GREPBINARY} -v "^#" | ${AWKBINARY} '{ print $2 }')
 for MASK in ${HAS_MASK}; do
- if [ "${MASK}" = "077" -o "${MASK}" = "027" -o "${MASK}" = "0077" -o "${MASK}" = "0027"]; then
+ if [ "${MASK}" = "077" -o "${MASK}" = "027" -o "${MASK}" = "0077" -o "${MASK}" = "0027" ]; then
 LogText "Result: found a strong umask '${MASK}' set in ${FILE}"
 GOOD_UMASK=1
 else
@@ -1025,7 +1025,7 @@
 elif [ "${FIND2}" = "1" ]; then
 LogText "Result: found umask (prefixed with spaces)"
 FOUND_UMASK=1
- if [ ! "${FIND}" = "077" -a ! "${FIND}" = "027" -a ! "${FIND}" = "0077" -a ! "${FIND}" = "0027"]; then
+ if [ ! "${FIND}" = "077" -a ! "${FIND}" = "027" -a ! "${FIND}" = "0077" -a ! "${FIND}" = "0027" ]; then
 LogText "Result: found umask ${FIND}, which could be more strict"
 WEAK_UMASK=1
 else
@@ -1037,7 +1037,7 @@
 LogText "Result: found multiple umask values configured in /etc/profile"
 FOUND_UMASK=1
 for I in ${FIND}; do
- if [ ! "${I}" = "077" -a ! "${I}" = "027" -a ! "${I}" = "0077" -a ! "${I}" = "0027"]; then
+ if [ ! "${I}" = "077" -a ! "${I}" = "027" -a ! "${I}" = "0077" -a ! "${I}" = "0027" ]; then
 LogText "Result: umask ${I} could be more strict"
 WEAK_UMASK=1
 AddHP 1 2
@@ -1094,7 +1094,7 @@
 Display --indent 4 --text "- umask (/etc/login.defs)" --result "${STATUS_SUGGESTION}" --color YELLOW
 ReportSuggestion ${TEST_NO} "Default umask in /etc/login.defs could not be found and defaults usually to 022, which could be more strict like 027"
 AddHP 1 2
- elif [ "${FIND}" = "077" -o "${FIND}" = "027" -o "${FIND}" = "0077" -o "${FIND}" = "0027"]; then
+ elif [ "${FIND}" = "077" -o "${FIND}" = "027" -o "${FIND}" = "0077" -o "${FIND}" = "0027" ]; then
 LogText "Result: umask is ${FIND}, which is fine"
 Display --indent 4 --text "- umask (/etc/login.defs)" --result "${STATUS_OK}" --color GREEN
 AddHP 2 2
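Review bot: The added space before `]` is the right fix: with `"0027"]` the bracket was glued to the last operand, so `[` never saw its closing `]`, failed with a missing-`]` error and returned non-zero, which means every umask reached by these conditions was treated as weak regardless of its value; the same applies to the other three hunks in this file. The four-value `-o`/`-a` chain is now spelled out identically in five places, which is how the typo slipped through, so I would fold it into one `case` that also drops the non-portable `-o`/`-a` operators, e.g. `case "${MASK}" in 077|027|0077|0027) LogText "Result: found a strong umask '${MASK}' set in ${FILE}"; GOOD_UMASK=1 ;; *) ... ;; esac`, or keep the accepted values in a single variable each branch matches against. Note that the comparison is a literal string match, so a umask written in symbolic form or as any other digit string (e.g. `0177`) is never recognised as strong; that is pre-existing and not changed here. The enclosing test body starts and ends outside the hunk.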
@@ -1117,7 +1117,7 @@
 if [ "${FIND}" = "" ]; then
 LogText "Result: umask is not configured"
 Display --indent 4 --text "- umask (/etc/init.d/functions)" --result "${STATUS_NONE}" --color WHITE
- elif [ "${FIND}" = "077" -o "${FIND}" = "027" -o "${FIND}" = "0077" -o "${FIND}" = "0027"]; then
+ elif [ "${FIND}" = "077" -o "${FIND}" = "027" -o "${FIND}" = "0077" -o "${FIND}" = "0027" ]; then
 LogText "Result: umask is ${FIND}, which is fine"
 Display --indent 4 --text "- umask (/etc/init.d/functions)" --result "${STATUS_OK}" --color GREEN
 AddHP 2 2
@@ -1141,7 +1141,7 @@
 Display --indent 4 --text "- Checking umask (/etc/init.d/rc)" --result "${STATUS_SUGGESTION}" --color YELLOW
 ReportSuggestion ${TEST_NO} "Default umask in /etc/init.d/rc could not be found and defaults usually to 022, which could be more strict like 027"
 AddHP 1 2
- elif [ "${FIND}" = "077" -o "${FIND}" = "027" -o "${FIND}" = "0077" -o "${FIND}" = "0027"]; then
+ elif [ "${FIND}" = "077" -o "${FIND}" = "027" -o "${FIND}" = "0077" -o "${FIND}" = "0027" ]; then
 LogText "Result: umask is ${FIND}, which is fine"
 Display --indent 4 --text "- umask (/etc/init.d/rc)" --result "${STATUS_OK}" --color GREEN
 AddHP 2 2
diff --git a/include/tests_boot_services b/include/tests_boot_services
index f7591acd..475b326f 100644
--- a/include/tests_boot_services
+++ b/include/tests_boot_services
@@ -388,7 +388,7 @@
 ReportSuggestion ${TEST_NO} "Add a password to LILO, by adding a line to the lilo.conf file, above the first line saying 'image=': password="
 ReportWarning ${TEST_NO} "No password set on LILO bootloader"
 AddHP 0 2
- elif [ "${MACHINE_ROLE}" = "personal"]; then
+ elif [ "${MACHINE_ROLE}" = "personal" ]; then
 Display --indent 4 --text "- Password option presence " --result "${STATUS_WARNING}" --color yellow
 LogText "Result: no password set for LILO. Bootloader is unprotected to dropping to single user mode or unauthorized access to devices/data."
 ReportSuggestion ${TEST_NO} "No password set on LILO bootloader. Add a password to LILO, by adding a line to the lilo.conf file, above the first line saying 'image=': password="
diff --git a/include/tests_file_integrity b/include/tests_file_integrity
index ece861a5..7243a89e 100644
--- a/include/tests_file_integrity
+++ b/include/tests_file_integrity
@@ -77,8 +77,8 @@
 LogText "Test: search for aide.conf in ${AIDE_CONFIG_LOCS}"
 for I in ${AIDE_CONFIG_LOCS}; do
 if [ -f ${I}/aide.conf ]; then
- LogText "Result: found aide.conf in directory ${I}"
- AIDECONFIG="${I}/aide.conf"
+ LogText "Result: found aide.conf in directory ${I}"
+ AIDECONFIG="${I}/aide.conf"
 fi
 done
diff --git a/include/tests_firewalls b/include/tests_firewalls
index 4fe18533..27883c91 100644
--- a/include/tests_firewalls
+++ b/include/tests_firewalls
@@ -51,7 +51,7 @@
 for I in ${FIND}; do
 LogText "Found module: ${I}"
 done
- else
+ else
 Display --indent 2 --text "- Checking iptables kernel module" --result "${STATUS_NOT_FOUND}" --color WHITE
 # If we can't find an active module, try to find the Linux configuration file and check that
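Review bot: The added space before `]` is needed: with `"personal"]` the `[` call failed instead of comparing, so this `elif` could never be taken and a personal machine without a LILO password presumably fell through to whatever branch follows. Now that the branch is live, the `Display` call on the next line passes `--color yellow` while every other call in this change uses the upper-case names such as `--color YELLOW`; unless `Display` normalises case, the warning will be printed without colour, so I would change it to `--color YELLOW`. The same line also carries a trailing space inside `"- Password option presence "` that the other `--text` strings do not have. The enclosing `if` chain begins and ends outside this hunk.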
@@ -75,16 +75,16 @@
 # Do not use iptables if it's compiled as a module (=m), since we already tested for it in the
 # active list.
 if [ "${HAVEMOD}" = "y" ]; then
- LogText "Result: iptables available as a module in the configuration"
- IPTABLES_ACTIVE=1
- IPTABLES_INKERNEL_ACTIVE=1
- FIREWALL_ACTIVE=1
- FIREWALL_SOFTWARE="iptables"
- Display --indent 2 --text "- Checking iptables in config file" --result "${STATUS_FOUND}" --color GREEN
- else
+ LogText "Result: iptables available as a module in the configuration"
+ IPTABLES_ACTIVE=1
+ IPTABLES_INKERNEL_ACTIVE=1
+ FIREWALL_ACTIVE=1
+ FIREWALL_SOFTWARE="iptables"
+ Display --indent 2 --text "- Checking iptables in config file" --result "${STATUS_FOUND}" --color GREEN
+ else
 LogText "Result: no iptables found in Linux kernel config file"
 fi
- else
+ else
 LogText "Result: no Linux configuration file found"
 Display --indent 2 --text "- Checking iptables in config file" --result "${STATUS_NOT_FOUND}" --color WHITE
 fi
@@ -157,7 +157,7 @@
 LogText "Result: iptables ruleset seems to be empty (found ${FIND} rules)"
 Display --indent 4 --text "- Checking for empty ruleset" --result "${STATUS_WARNING}" --color RED
 ReportWarning ${TEST_NO} "iptables module(s) loaded, but no rules active"
- else
+ else
 LogText "Result: one or more rules are available (${FIND} rules)"
 Display --indent 4 --text "- Checking for empty ruleset" --result "${STATUS_OK}" --color GREEN
 fi
@@ -175,7 +175,7 @@
 if [ -z "${FIND}" ]; then
 Display --indent 4 --text "- Checking for unused rules" --result "${STATUS_OK}" --color GREEN
 LogText "Result: There are no unused rules present"
- else
+ else
 Display --indent 4 --text "- Checking for unused rules" --result "${STATUS_FOUND}" --color YELLOW
 LogText "Result: Found one or more possible unused rules"
 LogText "Description: Unused rules can be a sign that the firewall rules aren't optimized or up-to-date"
@@ -209,7 +209,7 @@
 LogText "Result: pf is enabled"
 PFFOUND=1
 AddHP 3 3
- else
+ else
 Display --indent 2 --text "- Checking pf status (pfctl)" --result "${STATUS_UNKNOWN}" --color YELLOW
 ReportException ${TEST_NO} "Unknown status of pf firewall"
 fi
@@ -223,7 +223,7 @@
 FIND=$(${KLDSTATBINARY} | ${GREPBINARY} 'pf.ko')
 if [ -z "${FIND}" ]; then
 LogText "Result: Can not find pf KLD"
- else
+ else
 LogText "Result: pf KLD loaded"
 PFFOUND=1
 fi
@@ -237,7 +237,7 @@
 Display --indent 4 --text "- Checking pflogd status" --result "ACTIVE" --color GREEN
 PFFOUND=1
 PFLOGDFOUND=1
- else
+ else
 LogText "Result: pflog daemon not found in process list"
 fi
 fi
@@ -246,7 +246,7 @@
 FIREWALL_ACTIVE=1
 FIREWALL_SOFTWARE="pf"
 Report "firewall_software[]=pf"
- else
+ else
 LogText "Result: pf not running on this system"
 fi
 fi
@@ -267,12 +267,12 @@
 if [ -z "${PFWARNINGS}" ]; then
 Display --indent 4 --text "- Checking pf configuration consistency" --result "${STATUS_OK}" --color GREEN
 LogText "Result: no pf filter warnings found"
- else
+ else
 Display --indent 4 --text "- Checking pf configuration consistency" --result "${STATUS_WARNING}" --color RED
 LogText "Result: found one or more warnings in the pf filter rules"
 ReportWarning ${TEST_NO} "Found one or more warnings in pf configuration file" "/etc/pf.conf" "text:Run 'pfctl -n -f /etc/pf.conf -vvv' to see available pf warnings"
 fi
- else
+ else
 LogText "Result: /etc/pf.conf does NOT exist"
 fi
 fi
@@ -296,7 +296,7 @@
 FIREWALL_SOFTWARE="csf"
 Report "firewall_software[]=csf"
 Display --indent 2 --text "- Checking CSF status (configuration file)" --result "${STATUS_FOUND}" --color GREEN
- else
+ else
 LogText "Result: ${FILE} does NOT exist"
 fi
 fi
@@ -315,7 +315,7 @@
 FIREWALL_ACTIVE=1
 FIREWALL_SOFTWARE="ipf"
 Report "firewall_software[]=ipf"
- else
+ else
 Display --indent 4 --text "- Checking ipf status" --result "${STATUS_NOT_RUNNING}" --color YELLOW
 LogText "Result: ipf is not running"
 fi
@@ -340,15 +340,15 @@
 if [ "${IPFW_ENABLED}" = "ipfw" ]; then
 Display --indent 4 --text "- IPFW enabled in /etc/rc.conf" --result "${STATUS_YES}" --color GREEN
 LogText "Result: IPFW is enabled at start-up for IPv4"
- else
+ else
 Display --indent 4 --text "- ipfw enabled in /etc/rc.conf" --result "${STATUS_NO}" --color YELLOW
 LogText "Result: IPFW is disabled at start-up for IPv4"
 fi
- else
+ else
 if IsVerbose; then Display --indent 2 --text "- Checking IPFW status" --result "${STATUS_NOT_RUNNING}" --color YELLOW; fi
 LogText "Result: IPFW is not running for IPv4"
 fi
- else
+ else
 ReportException "${TEST_NO}:1" "No IPFW test available (sysctl missing)"
 fi
 fi
@@ -369,7 +369,7 @@
 APPLICATION_FIREWALL_ACTIVE=1
 Report "firewall_software[]=macosx-app-fw"
 Report "app_fw[]=macosx-app-fw"
- else
+ else
 if IsVerbose; then Display --indent 2 --text "- Checking macOS: Application Firewall" --result "${STATUS_DISABLED}" --color YELLOW; fi
 AddHP 1 3
 LogText "Result: application firewall of macOS is disabled"
@@ -390,7 +390,7 @@
 APPLICATION_FIREWALL_ACTIVE=1
 Report "app_fw[]=little-snitch"
 Report "firewall_software[]=little-snitch"
- else
+ else
 if IsVerbose; then Display --indent 2 --text "- Checking Little Snitch Daemon" --result "${STATUS_DISABLED}" --color YELLOW; fi
 AddHP 1 3
 LogText "Result: could not find Little Snitch"
@@ -411,7 +411,7 @@
 FIREWALL_ACTIVE=1
 NFTABLES_ACTIVE=1
 Report "firewall_software[]=nftables"
- else
+ else
 LogText "Result: no nftables kernel module found"
 fi
 fi
@@ -441,7 +441,7 @@
 if [ ${NFT_RULES_LENGTH} -le 16 ]; then
 FIREWALL_EMPTY_RULESET=1
 LogText "Result: this firewall set has 16 rules or less and is considered to be empty"
- else
+ else
 LogText "Result: found ${NFT_RULES_LENGTH} rules in nftables configuration"
 fi
 fi
@@ -484,7 +484,7 @@
 # YYY Solaris ipf (determine default policy)
 Report "manual[]=Make sure an explicit deny all is the default policy for all unmatched traffic"
 AddHP 5 5
- else
+ else
 Display --indent 2 --text "- Checking host based firewall" --result "NOT ACTIVE" --color YELLOW
 LogText "Result: no host based firewall/packet filter found or configured"
 ReportSuggestion ${TEST_NO} "Configure a firewall/packet filter to filter incoming and outgoing traffic"
diff --git a/include/tests_kernel b/include/tests_kernel
index 096c0957..feead1a0 100644
--- a/include/tests_kernel
+++ b/include/tests_kernel
@@ -561,55 +561,55 @@
 LogText "Result: using ${MYKERNEL} as my kernel version (stripped)"
 FIND=$(ls ${ROOTDIR}boot/vmlinuz* 2> /dev/null)
 if [ ! -z "${FIND}" ]; then
- for ITEM in ${FIND}; do
- LogText "Result: found ${ITEM}"
- done
- # Display kernels, extract version numbers and ${SORTBINARY} them numeric per column (up to 6 numbers)
- # Ignore rescue images. Remove generic. and huge. for Slackware machines
- LogText "Action: checking relevant kernels"
- KERNELS=$(${LSBINARY} /boot/vmlinuz* | ${GREPBINARY} -v rescue | ${SEDBINARY} 's/vmlinuz-//' | ${SEDBINARY} 's/generic.//' | ${SEDBINARY} 's/huge.//' | ${SEDBINARY} 's/\.[a-z].*.//g' | ${SEDBINARY} 's/-[a-z].*.//g' | ${SEDBINARY} 's./boot/..' | ${SEDBINARY} 's/-/./g' | ${SORTBINARY} -n -k1,1 -k2,2 -k3,3 -k4,4 -k5,5 -k6,6 -t \.)
- KERNELS_ONE_LINE=$(echo ${KERNELS} | ${TRBINARY} '\n' ' ')
- LogText "Output: ${KERNELS_ONE_LINE}"
+ for ITEM in ${FIND}; do
+ LogText "Result: found ${ITEM}"
+ done
+ # Display kernels, extract version numbers and ${SORTBINARY} them numeric per column (up to 6 numbers)
+ # Ignore rescue images. Remove generic. and huge. for Slackware machines
+ LogText "Action: checking relevant kernels"
+ KERNELS=$(${LSBINARY} /boot/vmlinuz* | ${GREPBINARY} -v rescue | ${SEDBINARY} 's/vmlinuz-//' | ${SEDBINARY} 's/generic.//' | ${SEDBINARY} 's/huge.//' | ${SEDBINARY} 's/\.[a-z].*.//g' | ${SEDBINARY} 's/-[a-z].*.//g' | ${SEDBINARY} 's./boot/..' | ${SEDBINARY} 's/-/./g' | ${SORTBINARY} -n -k1,1 -k2,2 -k3,3 -k4,4 -k5,5 -k6,6 -t \.)
+ KERNELS_ONE_LINE=$(echo ${KERNELS} | ${TRBINARY} '\n' ' ')
+ LogText "Output: ${KERNELS_ONE_LINE}"
 elif [ !
"$(ls ${ROOTDIR}boot/kernel* 2> /dev/null)" = "" ]; then
- LogText "Output: Found a kernel file in ${ROOTDIR}boot"
- # Display kernels, extract version numbers and ${SORTBINARY} them numeric per column (up to 6 numbers)
- # Examples:
- # /boot/kernel-genkernel-x86_64-3.14.14-gentoo
- KERNELS=$(${LSBINARY} ${ROOTDIR}boot/kernel* | ${AWKBINARY} -F- '{ if ($2=="genkernel") { print $4 }}' | ${GREPBINARY} "^[0-9]" | ${SORTBINARY} -n -k1,1 -k2,2 -k3,3 -k4,4 -k5,5 -k6,6 -t \.)
- if [ ! -z "${KERNELS}" ]; then LogText "Output: ${KERNELS}"; fi
+ LogText "Output: Found a kernel file in ${ROOTDIR}boot"
+ # Display kernels, extract version numbers and ${SORTBINARY} them numeric per column (up to 6 numbers)
+ # Examples:
+ # /boot/kernel-genkernel-x86_64-3.14.14-gentoo
+ KERNELS=$(${LSBINARY} ${ROOTDIR}boot/kernel* | ${AWKBINARY} -F- '{ if ($2=="genkernel") { print $4 }}' | ${GREPBINARY} "^[0-9]" | ${SORTBINARY} -n -k1,1 -k2,2 -k3,3 -k4,4 -k5,5 -k6,6 -t \.)
+ if [ ! -z "${KERNELS}" ]; then LogText "Output: ${KERNELS}"; fi
 else
 ReportException "${TEST_NO}:2" "Can not find any vmlinuz or kernel files in /boot, which is unexpected"
 fi
 if [ ! -z "${KERNELS}" ]; then
- FOUND_KERNEL=0
- for I in ${KERNELS}; do
- # Check if we already found a kernel and it is not equal to what we run (e.g. double versions may exist)
- if [ ${FOUND_KERNEL} -eq 1 -a !
"${MYKERNEL}" = "${I}" ]; then
- LogText "Result: found a kernel (${I}) later than running one (${MYKERNEL})"
- REBOOT_NEEDED=1
- fi
- if [ "${MYKERNEL}" = "${I}" ]; then
- FOUND_KERNEL=1
- LogText "Result: Found ${I} (= our kernel)"
- else
- LogText "Result: Found ${I}"
- fi
- done
- # Check if we at least found the kernel on disk
- if [ ${FOUND_KERNEL} -eq 0 ]; then
- ReportException "${TEST_NO}:3" "Could not find our running kernel on disk, which is unexpected"
- else
- # If we are not sure yet reboot it needed, but we found running kernel as last one on disk, we run latest kernel
- if [ ${REBOOT_NEEDED} -eq 2 ]; then
- LogText "Result: we found our kernel on disk as last entry, so seems to be up-to-date"
- REBOOT_NEEDED=0
- fi
- fi
- fi
+ FOUND_KERNEL=0
+ for I in ${KERNELS}; do
+ # Check if we already found a kernel and it is not equal to what we run (e.g. double versions may exist)
+ if [ ${FOUND_KERNEL} -eq 1 -a ! "${MYKERNEL}" = "${I}" ]; then
+ LogText "Result: found a kernel (${I}) later than running one (${MYKERNEL})"
+ REBOOT_NEEDED=1
+ fi
+ if [ "${MYKERNEL}" = "${I}" ]; then
+ FOUND_KERNEL=1
+ LogText "Result: Found ${I} (= our kernel)"
+ else
+ LogText "Result: Found ${I}"
+ fi
+ done
+ # Check if we at least found the kernel on disk
+ if [ ${FOUND_KERNEL} -eq 0 ]; then
+ ReportException "${TEST_NO}:3" "Could not find our running kernel on disk, which is unexpected"
+ else
+ # If we are not sure yet reboot it needed, but we found running kernel as last one on disk, we run latest kernel
+ if [ ${REBOOT_NEEDED} -eq 2 ]; then
+ LogText "Result: we found our kernel on disk as last entry, so seems to be up-to-date"
+ REBOOT_NEEDED=0
+ fi
+ fi
+ fi
 fi # No files in /boot
 else
- LogText "Result: Skipping this test, as there are no files in /boot"
+ LogText "Result: Skipping this test, as there are no files in /boot"
 fi
 else
 LogText "Result: /boot does not exist"
diff --git a/include/tests_mac_frameworks b/include/tests_mac_frameworks
index b1b9b861..7d4cc2ad 100644
--- a/include/tests_mac_frameworks
+++ b/include/tests_mac_frameworks
@@ -132,28 +132,28 @@ # Status: Enabled/Disabled FIND=$(${SESTATUSBINARY} | ${GREPBINARY} "^SELinux status" | ${AWKBINARY} '{ print $3 }') if [ "${FIND}" = "enabled" ]; then - MAC_FRAMEWORK_ACTIVE=1 - LogText "Result: SELinux framework is enabled" - Report "selinux_status=1" - SELINUXFOUND=1 - Display --indent 4 --text "- Checking SELinux status" --result "${STATUS_ENABLED}" --color GREEN - FIND=$(${SESTATUSBINARY} | ${GREPBINARY} "^Current mode" | ${AWKBINARY} '{ print $3 }') - Report "selinux_mode=${FIND}" - FIND2=$(${SESTATUSBINARY} | ${GREPBINARY} "^Mode from config file" | ${AWKBINARY} '{ print $5 }') - LogText "Result: current SELinux mode is ${FIND}" - LogText "Result: mode configured in config file is ${FIND2}" - if [ "${FIND}" = "${FIND2}" ]; then - LogText "Result: Current SELinux mode is the same as in config file." - Display --indent 6 --text "- Checking current mode and config file" --result "${STATUS_OK}" --color GREEN - else - LogText "Result: Current SELinux mode (${FIND}) is NOT the same as in config file (${FIND2})." 
- ReportWarning ${TEST_NO} "Current SELinux mode is different from config file (current: ${FIND}, config file: ${FIND2})" - Display --indent 6 --text "- Checking current mode and config file" --result "${STATUS_WARNING}" --color RED - fi - Display --indent 8 --text "Current SELinux mode: ${FIND}" + MAC_FRAMEWORK_ACTIVE=1 + LogText "Result: SELinux framework is enabled" + Report "selinux_status=1" + SELINUXFOUND=1 + Display --indent 4 --text "- Checking SELinux status" --result "${STATUS_ENABLED}" --color GREEN + FIND=$(${SESTATUSBINARY} | ${GREPBINARY} "^Current mode" | ${AWKBINARY} '{ print $3 }') + Report "selinux_mode=${FIND}" + FIND2=$(${SESTATUSBINARY} | ${GREPBINARY} "^Mode from config file" | ${AWKBINARY} '{ print $5 }') + LogText "Result: current SELinux mode is ${FIND}" + LogText "Result: mode configured in config file is ${FIND2}" + if [ "${FIND}" = "${FIND2}" ]; then + LogText "Result: Current SELinux mode is the same as in config file." + Display --indent 6 --text "- Checking current mode and config file" --result "${STATUS_OK}" --color GREEN + else + LogText "Result: Current SELinux mode (${FIND}) is NOT the same as in config file (${FIND2})." + ReportWarning ${TEST_NO} "Current SELinux mode is different from config file (current: ${FIND}, config file: ${FIND2})" + Display --indent 6 --text "- Checking current mode and config file" --result "${STATUS_WARNING}" --color RED + fi + Display --indent 8 --text "Current SELinux mode: ${FIND}" else - LogText "Result: SELinux framework is disabled" - Display --indent 4 --text "- Checking SELinux status" --result "${STATUS_DISABLED}" --color YELLOW + LogText "Result: SELinux framework is disabled" + Display --indent 4 --text "- Checking SELinux status" --result "${STATUS_DISABLED}" --color YELLOW fi fi # 
@@ -181,10 +181,10 @@ Display --indent 2 --text "- Checking presence grsecurity" --result "${STATUS_NOT_FOUND}" --color WHITE fi if [ ! -z "${GRADMBINARY}" ]; then - FIND=$(${GRADMBINARY} --status) - if [ "${FIND}" = "The RBAC system is currently enabled." ]; then - MAC_FRAMEWORK_ACTIVE=1 - fi + FIND=$(${GRADMBINARY} --status) + if [ "${FIND}" = "The RBAC system is currently enabled." ]; then + MAC_FRAMEWORK_ACTIVE=1 + fi fi fi # diff --git a/include/tests_networking b/include/tests_networking index f8b189ca..ad69e498 100644 --- a/include/tests_networking +++ b/include/tests_networking @@ -132,7 +132,7 @@ Report "nameserver[]=${I}" # Check if a local resolver is available (like DNSMasq) if [ "${I}" = "::1" -o "${I}" = "127.0.0.1" -o "${I}" = "0.0.0.0" ]; then - LOCAL_DNSRESOLVER_FOUND=1 + LOCAL_DNSRESOLVER_FOUND=1 fi if [ ! "${DIGBINARY}" = "" ]; then # See if we can query something at the nameserver diff --git a/include/tests_ports_packages b/include/tests_ports_packages index 273265e9..c1727a46 100644 --- a/include/tests_ports_packages +++ b/include/tests_ports_packages @@ -797,7 +797,7 @@ if [ ${DO_TEST} -eq 0 ]; then FileExists /usr/share/yum-cli/cli.py if [ ${FILE_FOUND} -eq 1 ]; then - SearchItem "\-\-security" "/usr/share/yum-cli/cli.py" + SearchItem "\-\-security" "/usr/share/yum-cli/cli.py" if [ ${ITEM_FOUND} -eq 1 ]; then DO_TEST=1 LogText "Result: found built-in security in yum" diff --git a/include/tests_printers_spools b/include/tests_printers_spools index 66a8e619..5a5515b9 100644 --- a/include/tests_printers_spools +++ b/include/tests_printers_spools @@ -147,7 +147,7 @@ FOUND=1 done if [ ${FOUND} -eq 0 ]; then - ReportException "${TEST_NO}:1" "No listen statement found in CUPS configuration file" + ReportException "${TEST_NO}:1" "No listen statement found in CUPS configuration file" fi # Check if daemon is only running on localhost diff --git a/include/tests_squid b/include/tests_squid index 3ae7d7a0..d1ce53d6 100644 --- a/include/tests_squid 
+++ b/include/tests_squid @@ -64,13 +64,13 @@ for I in ${SQUID_DAEMON_CONFIG_LOCS}; do # Checking squid.conf if [ -f "${I}/squid.conf" ]; then - LogText "Result: ${I}/squid.conf exists" - SQUID_DAEMON_CONFIG="${I}/squid.conf" + LogText "Result: ${I}/squid.conf exists" + SQUID_DAEMON_CONFIG="${I}/squid.conf" fi # Checking squid3.conf if [ -f "${I}/squid3.conf" ]; then - LogText "Result: ${I}/squid3.conf exists" - SQUID_DAEMON_CONFIG="${I}/squid3.conf" + LogText "Result: ${I}/squid3.conf exists" + SQUID_DAEMON_CONFIG="${I}/squid3.conf" fi done if [ "${SQUID_DAEMON_CONFIG}" = "" ]; then diff --git a/include/tests_ssh b/include/tests_ssh index 581f253e..2edaf1f6 100644 --- a/include/tests_ssh +++ b/include/tests_ssh @@ -63,18 +63,18 @@ LogText "Test: searching for sshd_config file" for I in ${SSH_DAEMON_CONFIG_LOCS}; do if [ -f "${I}/sshd_config" ]; then - LogText "Result: ${I}/sshd_config exists" - if [ ${FOUND} -eq 1 ]; then - ReportException "${TEST_NO}:01" - LogText "Result: we already had found another sshd_config file. Using this new file then." - fi - FileIsReadable ${I}/sshd_config - if [ ${CANREAD} -eq 1 ]; then - FOUND=1 - SSH_DAEMON_CONFIG="${I}/sshd_config" - else - LogText "Result: can not read ${I}/sshd_config file (no permission)" - fi + LogText "Result: ${I}/sshd_config exists" + if [ ${FOUND} -eq 1 ]; then + ReportException "${TEST_NO}:01" + LogText "Result: we already had found another sshd_config file. Using this new file then." + fi + FileIsReadable ${I}/sshd_config + if [ ${CANREAD} -eq 1 ]; then + FOUND=1 + SSH_DAEMON_CONFIG="${I}/sshd_config" + else + LogText "Result: can not read ${I}/sshd_config file (no permission)" + fi fi done if [ "${SSH_DAEMON_CONFIG}" = "" ]; then diff --git a/lynis b/lynis index a7625381..f4250bc9 100755 --- a/lynis +++ b/lynis 
@@ -165,7 +165,7 @@ Make sure to execute ${PROGRAM_NAME} from untarred directory or check your insta done if [ ${SHOWPERMERROR} -eq 1 ]; then - printf "%s" " + printf "%s" " [!] Change ownership of ${INCLUDEDIR}/${ISSUE_FILE} to 'root' or similar (found: ${ISSUE_OWNER} with UID ${ISSUE_OWNERID}). @@ -621,7 +621,7 @@ ${NORMAL} if [ ! "${OS_MODE}" = "" ]; then LogText "Operating system mode: ${OS_MODE}"; fi LogText "Kernel version: ${OS_KERNELVERSION}" if [ ! "${OS_KERNELVERSION_FULL}" = "" ]; then - LogText "Kernel version (full): ${OS_KERNELVERSION_FULL}" + LogText "Kernel version (full): ${OS_KERNELVERSION_FULL}" fi LogText "Hardware platform: ${HARDWARE}" LogText "-----------------------------------------------------" diff --git a/plugins/plugin_pam_phase1 b/plugins/plugin_pam_phase1 index 55583f0d..2d890a1f 100644 --- a/plugins/plugin_pam_phase1 +++ b/plugins/plugin_pam_phase1 
@@ -67,289 +67,289 @@ FOUNDPROBLEM=0 # Check if the PAM directory structure exists if [ -d ${PAM_DIRECTORY} ]; then - LogText "Result: /etc/pam.d exists" - FIND_FILES=$(find ${PAM_DIRECTORY} -type f -print) - # First check /etc/pam.conf if it exists. - #if [ -f /etc/pam.conf ]; then FIND="/etc/pam.conf ${FIND}"; fi - for PAM_FILE in ${FIND_FILES}; do - LogText "Now checking PAM file ${PAM_FILE}" - while read line; do - # Strip empty lines, commented lines, tabs, line breaks (\), then finally remove all double spaces - LINE=$(echo $line | grep -v "^#" | grep -v "^$" | tr '\011' ' ' | sed 's/\\\n/ /' | sed 's/ / /g' | sed 's/ #\(.*\)$//') - if [ ! "${LINE}" = "" ]; then - PAM_SERVICE=$(echo ${PAM_FILE} | awk -F/ '{ print $NF }') - PAM_CONTROL_FLAG="-" - PAM_CONTROL_OPTIONS="-" - PAM_MODULE="-" - PAM_MODULE_OPTIONS="-" - PAM_TYPE=$(echo ${LINE} | awk '{ print $1 }') - PARSELINE=0 - case ${PAM_TYPE} in - "@include") - FILE=$(echo ${LINE} | awk '{ print $2 }') - Debug "Result: Found @include in ${PAM_FILE}. Does include PAM settings from file ${FILE} (which is individually processed)" - ;; - "account") - PARSELINE=1 - ;; - "auth") - PARSELINE=1 - ;; - "password") - PARSELINE=1 - ;; - "session") - PARSELINE=1 - ;; - *) - LogText "Exception: Unknown PAM type found (${PAM_TYPE})" - ;; - esac - if [ ${PARSELINE} -eq 1 ]; then - MULTIPLE_OPTIONS=$(echo ${LINE} | awk '$2 ~ /^\[/') - if [ ! 
"${MULTIPLE_OPTIONS}" = "" ]; then - # Needs more parsing, depending on the options found - PAM_CONTROL_OPTIONS=$(echo ${LINE} | sed "s/^.*\[//" | sed "s/\].*$//") - LogText "Result: Found brackets in line, indicating multiple options for control flags: ${PAM_CONTROL_OPTIONS}" - LINE=$(echo ${LINE} | sed "s/ \[.*\] / other /") - fi - PAM_MODULE=$(echo ${LINE} | awk '{ print $3 }') - PAM_MODULE_OPTIONS=$(echo ${LINE} | cut -d ' ' -f 4-) - PAM_CONTROL_FLAG=$(echo ${LINE} | awk '{ print $2 }') - case ${PAM_CONTROL_FLAG} in - "optional"|"required"|"requisite"|"sufficient") - #Debug "Found a common control flag: ${PAM_CONTROL_FLAG} for ${PAM_MODULE}" - X=0 # do nothing - ;; - "other") - LogText "Result: brackets used, ignoring control flags" - ;; - *) - LogText "Unknown control flag found (${PAM_CONTROL_FLAG})" - ;; - esac - if [ ! "${PAM_MODULE_OPTIONS}" = "" ]; then - LogText "Result: using module ${PAM_MODULE} (${PAM_CONTROL_FLAG}) with options ${PAM_MODULE_OPTIONS}" - else - PAM_MODULE_OPTIONS="-" - LogText "Result: using module ${PAM_MODULE} (${PAM_CONTROL_FLAG}) without options configured" - fi - - PAM_MODULE_NAME=$(echo ${PAM_MODULE} | sed 's/.so$//') - # - # Specific PAMs are commonly seen on these platforms: - # - # FreeBSD Linux - # pam_access v - # pam_deny v v - # pam_group v - # pam_krb5 v - # pam_lastlog v - # pam_login_access v - # pam_nologin v - # pam_opie v - # pam_opieaccess v - # pam_passwdqc v - # pam_permit v - # pam_rhosts v - # pam_rootok v - # pam_securetty v - # pam_self v - # pam_ssh v - # pam_unix v - - case ${PAM_MODULE_NAME} in - pam_access) ;; - pam_cap) ;; - pam_debug | pam_deny) ;; - pam_echo| pam_env | pam_exec | pam_faildelay) ;; - pam_filter | pam_ftp) ;; - # Google Authenticator / YubiKey - # Common to find it only enabled for SSH - pam_google_authenticator | pam_yubico) - LogText "Result: found pam_google_authenticator" - if [ "${PAM_CONTROL_FLAG}" = "required" ]; then - PAM_2F_AUTH_ENABLED=1 - PAM_2F_AUTH_REQUIRED=1 - Report 
"authentication_2f_provider[]=${PAM_MODULE_NAME}" - Report "authentication_2f_service[]=${PAM_SERVICE}" - elif -o "${PAM_CONTROL_FLAG}" = "sufficient" ]; then - PAM_2F_AUTH_ENABLED=1 - Report "authentication_2f_provider[]=${PAM_MODULE_NAME}" - Report "authentication_2f_service[]=${PAM_SERVICE}" - else - LogText "exception: found 2F authenticator enabled with uncommon control flag: ${PAM_CONTROL_FLAG}" - fi + LogText "Result: /etc/pam.d exists" + FIND_FILES=$(find ${PAM_DIRECTORY} -type f -print) + # First check /etc/pam.conf if it exists. + #if [ -f /etc/pam.conf ]; then FIND="/etc/pam.conf ${FIND}"; fi + for PAM_FILE in ${FIND_FILES}; do + LogText "Now checking PAM file ${PAM_FILE}" + while read line; do + # Strip empty lines, commented lines, tabs, line breaks (\), then finally remove all double spaces + LINE=$(echo $line | grep -v "^#" | grep -v "^$" | tr '\011' ' ' | sed 's/\\\n/ /' | sed 's/ / /g' | sed 's/ #\(.*\)$//') + if [ ! "${LINE}" = "" ]; then + PAM_SERVICE=$(echo ${PAM_FILE} | awk -F/ '{ print $NF }') + PAM_CONTROL_FLAG="-" + PAM_CONTROL_OPTIONS="-" + PAM_MODULE="-" + PAM_MODULE_OPTIONS="-" + PAM_TYPE=$(echo ${LINE} | awk '{ print $1 }') + PARSELINE=0 + case ${PAM_TYPE} in + "@include") + FILE=$(echo ${LINE} | awk '{ print $2 }') + Debug "Result: Found @include in ${PAM_FILE}. Does include PAM settings from file ${FILE} (which is individually processed)" + ;; + "account") + PARSELINE=1 + ;; + "auth") + PARSELINE=1 + ;; + "password") + PARSELINE=1 + ;; + "session") + PARSELINE=1 + ;; + *) + LogText "Exception: Unknown PAM type found (${PAM_TYPE})" + ;; + esac + if [ ${PARSELINE} -eq 1 ]; then + MULTIPLE_OPTIONS=$(echo ${LINE} | awk '$2 ~ /^\[/') + if [ ! 
"${MULTIPLE_OPTIONS}" = "" ]; then + # Needs more parsing, depending on the options found + PAM_CONTROL_OPTIONS=$(echo ${LINE} | sed "s/^.*\[//" | sed "s/\].*$//") + LogText "Result: Found brackets in line, indicating multiple options for control flags: ${PAM_CONTROL_OPTIONS}" + LINE=$(echo ${LINE} | sed "s/ \[.*\] / other /") + fi + PAM_MODULE=$(echo ${LINE} | awk '{ print $3 }') + PAM_MODULE_OPTIONS=$(echo ${LINE} | cut -d ' ' -f 4-) + PAM_CONTROL_FLAG=$(echo ${LINE} | awk '{ print $2 }') + case ${PAM_CONTROL_FLAG} in + "optional"|"required"|"requisite"|"sufficient") + #Debug "Found a common control flag: ${PAM_CONTROL_FLAG} for ${PAM_MODULE}" + X=0 # do nothing ;; - pam_group) ;; - pam_issue) ;; - pam_keyinit | pam_krb5) ;; - pam_lastlog | pam_limits) ;; - # Log UID for auditd - pam_loginuid) - PAM_LOGINUID_FOUND=1 - ;; - pam_listfile | pam_localuser) ;; - pam_mail | pam_mkhomedir | pam_motd) ;; - pam_namespace | pam_nologin) ;; - pam_permit) ;; - - # Password history - Can be configured via pam_unix or pam_pwhistory - pam_pwhistory) - LogText "Result: found ${PAM_MODULE} module (password history)" - # set default for having pam_pwhistory enabled - PAM_PASSWORD_PWHISTORY_ENABLED=1 - if [ "${PAM_PASSWORD_PWHISTORY_AMOUNT}" = "" ]; then PAM_PASSWORD_PWHISTORY_AMOUNT=10; fi - if [ ! 
"${PAM_MODULE_OPTIONS}" = "" ]; then - for I in ${PAM_MODULE_OPTIONS}; do - OPTION=$(echo ${I} | awk -F= '{ print $1 }') - VALUE=$(echo ${I} | awk -F= '{ print $2 }') - CREDITS_CONFIGURED=0 - case ${OPTION} in - remember) - LogText "Result: password history (remember) configured for pam_pwhistory" - DigitsOnly ${VALUE} - PAM_PASSWORD_PWHISTORY_AMOUNT=${VALUE} - Debug "Found password history enabled with module ${PAM_MODULE_NAME} and password amount ${PAM_PASSWORD_PWHISTORY_AMOUNT}" - ;; - esac - done - fi - ;; - - pam_rootok) ;; - pam_rhosts) ;; - pam_securetty) ;; - pam_self) ;; - pam_shells) ;; - pam_stress | pam_succeed_if | pam_systemd) ;; - pam_time | pam_timestamp) ;; - pam_umask) ;; - - # Password history - Can be configured via pam_unix or pam_pwhistory - pam_unix) - LogText "Result: found ${PAM_MODULE} module (generic)" - if [ ! "${PAM_MODULE_OPTIONS}" = "" ]; then - for I in ${PAM_MODULE_OPTIONS}; do - OPTION=$(echo ${I} | awk -F= '{ print $1 }') - VALUE=$(echo ${I} | awk -F= '{ print $2 }') - CREDITS_CONFIGURED=0 - case ${OPTION} in - remember) - LogText "Result: password history configured for pam_unix" - DigitsOnly ${VALUE} - PAM_PASSWORD_UXHISTORY_AMOUNT=${VALUE} - PAM_PASSWORD_UXHISTORY_ENABLED=1 - Debug "Found password history enabled with module ${PAM_MODULE_NAME} and password amount ${PAM_PASSWORD_UXHISTORY_AMOUNT}" - ;; - esac - done - fi - ;; - - pam_unix_acct| pam_unix_auth | pam_unix_passwd | pam_unix_session | pam_unix2) ;; - pam_vbox) ;; - pam_warn | pam_wheel) ;; - pam_xauth) ;; - - # Password strength testing - pam_cracklib | pam_pwquality) - LogText "Result: found module ${PAM_MODULE} for password strength testing" - - # Set default values - if [ "${CREDITS_D_PASSWORD}" = "" ]; then CREDITS_D_PASSWORD=1; fi - if [ "${CREDITS_L_PASSWORD}" = "" ]; then CREDITS_L_PASSWORD=1; fi - if [ "${CREDITS_O_PASSWORD}" = "" ]; then CREDITS_O_PASSWORD=1; fi - if [ "${CREDITS_U_PASSWORD}" = "" ]; then CREDITS_U_PASSWORD=1; fi - if [ 
"${MIN_PASSWORD_CLASS}" = "" ]; then MIN_PASSWORD_CLASS=0; fi - if [ "${MIN_PASSWORD_LENGTH}" = "" ]; then MIN_PASSWORD_LENGTH=6; fi - - PAM_PASSWORD_STRENGTH_TESTED=1 - if [ ! "${PAM_MODULE_OPTIONS}" = "" ]; then - Debug "Module options configured" - for I in ${PAM_MODULE_OPTIONS}; do - OPTION=$(echo ${I} | awk -F= '{ print $1 }') - Debug ${OPTION} - VALUE=$(echo ${I} | awk -F= '{ print $2 }') - CREDITS_CONFIGURED=0 - case ${OPTION} in - minlen) - # Minimum length (remove 1 if credits are configured, at later stage in function) - LogText "Result: minlen configured" - DigitsOnly ${VALUE} - MIN_PASSWORD_LENGTH=${VALUE} - ;; - retry) - # Maximum password retry - LogText "Result: Max password Retry configured" - DigitsOnly ${VALUE} - MAX_PASSWORD_RETRY=${VALUE} - ;; - minclass) - # Minimum number of class required out of upper, lower, digit and others - LogText "Result: Min number of password class is configured" - MIN_PASSWORD_CLASS=${VALUE} - ;; - dcredit) - CREDITS_D_PASSWORD=${VALUE} - ;; - lcredit) - CREDITS_L_PASSWORD=${VALUE} - ;; - ocredit) - CREDITS_O_PASSWORD=${VALUE} - ;; - ucredit) - CREDITS_U_PASSWORD=${VALUE} - ;; - *) - LogText "Result: unknown option found: ${OPTION} with value ${VALUE}" - ;; - esac - done - fi - ;; - - pam_tally | pam_tally2) - if [ "${PAM_CONTROL_FLAG}" = "required" ]; then - LogText "Result: found a required module for countering brute force cracking attempts" - Report "pam_auth_brute_force_protection_module[]=${PAM_MODULE_NAME}" - PAM_AUTH_BRUTE_FORCE_PROTECTION=1 - fi - if [ ! 
"${PAM_MODULE_OPTIONS}" = "" ]; then - for I in ${PAM_MODULE_OPTIONS}; do - OPTION=$(echo ${I} | awk -F= '{ print $1 }') - VALUE=$(echo ${I} | awk -F= '{ print $2 }') - case ${OPTION} in - deny) - AUTH_BLOCK_BAD_LOGIN_ATTEMPTS="${VALUE}" - ;; - unlock_time) - AUTH_UNLOCK_TIME="${VALUE}" - ;; - esac - done - fi - ;; - "-") - LogText "NOTE: this module is not parsed, as it uses an unknown control flag or type" + "other") + LogText "Result: brackets used, ignoring control flags" ;; *) - LogText "Result: found pluggable authentication module ${PAM_MODULE}, which is unknown" + LogText "Unknown control flag found (${PAM_CONTROL_FLAG})" ;; - esac + esac + if [ ! "${PAM_MODULE_OPTIONS}" = "" ]; then + LogText "Result: using module ${PAM_MODULE} (${PAM_CONTROL_FLAG}) with options ${PAM_MODULE_OPTIONS}" + else + PAM_MODULE_OPTIONS="-" + LogText "Result: using module ${PAM_MODULE} (${PAM_CONTROL_FLAG}) without options configured" fi - #Debug "Service: ${PAM_SERVICE}" - #Debug "Type: ${PAM_TYPE}" - #Debug "Control: ${PAM_CONTROL_FLAG}" - #Debug "Control options: ${PAM_CONTROL_OPTIONS}" - #Debug "Module: ${PAM_MODULE_NAME}" - #Debug "Module options: ${PAM_MODULE_OPTIONS}" + + PAM_MODULE_NAME=$(echo ${PAM_MODULE} | sed 's/.so$//') + # + # Specific PAMs are commonly seen on these platforms: + # + # FreeBSD Linux + # pam_access v + # pam_deny v v + # pam_group v + # pam_krb5 v + # pam_lastlog v + # pam_login_access v + # pam_nologin v + # pam_opie v + # pam_opieaccess v + # pam_passwdqc v + # pam_permit v + # pam_rhosts v + # pam_rootok v + # pam_securetty v + # pam_self v + # pam_ssh v + # pam_unix v + + case ${PAM_MODULE_NAME} in + pam_access) ;; + pam_cap) ;; + pam_debug | pam_deny) ;; + pam_echo| pam_env | pam_exec | pam_faildelay) ;; + pam_filter | pam_ftp) ;; + # Google Authenticator / YubiKey + # Common to find it only enabled for SSH + pam_google_authenticator | pam_yubico) + LogText "Result: found pam_google_authenticator" + if [ "${PAM_CONTROL_FLAG}" = "required" ]; then 
+ PAM_2F_AUTH_ENABLED=1 + PAM_2F_AUTH_REQUIRED=1 + Report "authentication_2f_provider[]=${PAM_MODULE_NAME}" + Report "authentication_2f_service[]=${PAM_SERVICE}" + elif [ "${PAM_CONTROL_FLAG}" = "sufficient" ]; then + PAM_2F_AUTH_ENABLED=1 + Report "authentication_2f_provider[]=${PAM_MODULE_NAME}" + Report "authentication_2f_service[]=${PAM_SERVICE}" + else + LogText "exception: found 2F authenticator enabled with uncommon control flag: ${PAM_CONTROL_FLAG}" + fi + ;; + pam_group) ;; + pam_issue) ;; + pam_keyinit | pam_krb5) ;; + pam_lastlog | pam_limits) ;; + # Log UID for auditd + pam_loginuid) + PAM_LOGINUID_FOUND=1 + ;; + pam_listfile | pam_localuser) ;; + pam_mail | pam_mkhomedir | pam_motd) ;; + pam_namespace | pam_nologin) ;; + pam_permit) ;; + + # Password history - Can be configured via pam_unix or pam_pwhistory + pam_pwhistory) + LogText "Result: found ${PAM_MODULE} module (password history)" + # set default for having pam_pwhistory enabled + PAM_PASSWORD_PWHISTORY_ENABLED=1 + if [ "${PAM_PASSWORD_PWHISTORY_AMOUNT}" = "" ]; then PAM_PASSWORD_PWHISTORY_AMOUNT=10; fi + if [ ! "${PAM_MODULE_OPTIONS}" = "" ]; then + for I in ${PAM_MODULE_OPTIONS}; do + OPTION=$(echo ${I} | awk -F= '{ print $1 }') + VALUE=$(echo ${I} | awk -F= '{ print $2 }') + CREDITS_CONFIGURED=0 + case ${OPTION} in + remember) + LogText "Result: password history (remember) configured for pam_pwhistory" + DigitsOnly ${VALUE} + PAM_PASSWORD_PWHISTORY_AMOUNT=${VALUE} + Debug "Found password history enabled with module ${PAM_MODULE_NAME} and password amount ${PAM_PASSWORD_PWHISTORY_AMOUNT}" + ;; + esac + done + fi + ;; + + pam_rootok) ;; + pam_rhosts) ;; + pam_securetty) ;; + pam_self) ;; + pam_shells) ;; + pam_stress | pam_succeed_if | pam_systemd) ;; + pam_time | pam_timestamp) ;; + pam_umask) ;; + + # Password history - Can be configured via pam_unix or pam_pwhistory + pam_unix) + LogText "Result: found ${PAM_MODULE} module (generic)" + if [ ! 
"${PAM_MODULE_OPTIONS}" = "" ]; then + for I in ${PAM_MODULE_OPTIONS}; do + OPTION=$(echo ${I} | awk -F= '{ print $1 }') + VALUE=$(echo ${I} | awk -F= '{ print $2 }') + CREDITS_CONFIGURED=0 + case ${OPTION} in + remember) + LogText "Result: password history configured for pam_unix" + DigitsOnly ${VALUE} + PAM_PASSWORD_UXHISTORY_AMOUNT=${VALUE} + PAM_PASSWORD_UXHISTORY_ENABLED=1 + Debug "Found password history enabled with module ${PAM_MODULE_NAME} and password amount ${PAM_PASSWORD_UXHISTORY_AMOUNT}" + ;; + esac + done + fi + ;; + + pam_unix_acct| pam_unix_auth | pam_unix_passwd | pam_unix_session | pam_unix2) ;; + pam_vbox) ;; + pam_warn | pam_wheel) ;; + pam_xauth) ;; + + # Password strength testing + pam_cracklib | pam_pwquality) + LogText "Result: found module ${PAM_MODULE} for password strength testing" + + # Set default values + if [ "${CREDITS_D_PASSWORD}" = "" ]; then CREDITS_D_PASSWORD=1; fi + if [ "${CREDITS_L_PASSWORD}" = "" ]; then CREDITS_L_PASSWORD=1; fi + if [ "${CREDITS_O_PASSWORD}" = "" ]; then CREDITS_O_PASSWORD=1; fi + if [ "${CREDITS_U_PASSWORD}" = "" ]; then CREDITS_U_PASSWORD=1; fi + if [ "${MIN_PASSWORD_CLASS}" = "" ]; then MIN_PASSWORD_CLASS=0; fi + if [ "${MIN_PASSWORD_LENGTH}" = "" ]; then MIN_PASSWORD_LENGTH=6; fi + + PAM_PASSWORD_STRENGTH_TESTED=1 + if [ ! 
"${PAM_MODULE_OPTIONS}" = "" ]; then + Debug "Module options configured" + for I in ${PAM_MODULE_OPTIONS}; do + OPTION=$(echo ${I} | awk -F= '{ print $1 }') + Debug ${OPTION} + VALUE=$(echo ${I} | awk -F= '{ print $2 }') + CREDITS_CONFIGURED=0 + case ${OPTION} in + minlen) + # Minimum length (remove 1 if credits are configured, at later stage in function) + LogText "Result: minlen configured" + DigitsOnly ${VALUE} + MIN_PASSWORD_LENGTH=${VALUE} + ;; + retry) + # Maximum password retry + LogText "Result: Max password Retry configured" + DigitsOnly ${VALUE} + MAX_PASSWORD_RETRY=${VALUE} + ;; + minclass) + # Minimum number of class required out of upper, lower, digit and others + LogText "Result: Min number of password class is configured" + MIN_PASSWORD_CLASS=${VALUE} + ;; + dcredit) + CREDITS_D_PASSWORD=${VALUE} + ;; + lcredit) + CREDITS_L_PASSWORD=${VALUE} + ;; + ocredit) + CREDITS_O_PASSWORD=${VALUE} + ;; + ucredit) + CREDITS_U_PASSWORD=${VALUE} + ;; + *) + LogText "Result: unknown option found: ${OPTION} with value ${VALUE}" + ;; + esac + done + fi + ;; + + pam_tally | pam_tally2) + if [ "${PAM_CONTROL_FLAG}" = "required" ]; then + LogText "Result: found a required module for countering brute force cracking attempts" + Report "pam_auth_brute_force_protection_module[]=${PAM_MODULE_NAME}" + PAM_AUTH_BRUTE_FORCE_PROTECTION=1 + fi + if [ ! 
"${PAM_MODULE_OPTIONS}" = "" ]; then + for I in ${PAM_MODULE_OPTIONS}; do + OPTION=$(echo ${I} | awk -F= '{ print $1 }') + VALUE=$(echo ${I} | awk -F= '{ print $2 }') + case ${OPTION} in + deny) + AUTH_BLOCK_BAD_LOGIN_ATTEMPTS="${VALUE}" + ;; + unlock_time) + AUTH_UNLOCK_TIME="${VALUE}" + ;; + esac + done + fi + ;; + "-") + LogText "NOTE: this module is not parsed, as it uses an unknown control flag or type" + ;; + *) + LogText "Result: found pluggable authentication module ${PAM_MODULE}, which is unknown" + ;; + esac fi - done < ${PAM_FILE} - #ParsePAMLine ${J} - #StoreSetting "pam" " - done + #Debug "Service: ${PAM_SERVICE}" + #Debug "Type: ${PAM_TYPE}" + #Debug "Control: ${PAM_CONTROL_FLAG}" + #Debug "Control options: ${PAM_CONTROL_OPTIONS}" + #Debug "Module: ${PAM_MODULE_NAME}" + #Debug "Module options: ${PAM_MODULE_OPTIONS}" + fi + done < ${PAM_FILE} + #ParsePAMLine ${J} + #StoreSetting "pam" " + done fi fi # 
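Review bot: The `pam_google_authenticator | pam_yubico)` arm logs a fixed `LogText "Result: found pam_google_authenticator"` even when the matched module is pam_yubico; `LogText "Result: found ${PAM_MODULE_NAME}"` reports whichever module was actually matched. In the `pam_cracklib | pam_pwquality)` arm, `minclass)` assigns `MIN_PASSWORD_CLASS=${VALUE}` without the `DigitsOnly ${VALUE}` call that `minlen)` and `retry)` use, so a malformed value is stored unchecked; adding the same call keeps the three options consistent. Further up, `LINE=$(echo $line | …)` expands `$line` unquoted, so a `*` or `?` inside a PAM module argument is subject to pathname expansion before the line is parsed; quoting it as `echo "$line"` avoids that, although the unquoted form currently also collapses runs of whitespace, so the later `cut -d ' ' -f 4-` would then need that normalisation made explicit. The `if [ -d ${PAM_DIRECTORY} ]` block is closed inside the hunk, but the outer `fi` indicates the enclosing block continues beyond it.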
@@ -391,54 +391,54 @@ LogText "[PAM] Password strength testing enabled: ${PAM_PASSWORD_STRENGTH_TESTED if [ ${PAM_PASSWORD_STRENGTH_TESTED} -eq 1 ]; then Report "password_strength_tested=1" - if [ ${CREDITS_D_PASSWORD} -ge 1 -a ${CREDITS_L_PASSWORD} -ge 1 -a ${CREDITS_O_PASSWORD} -ge 1 -a ${CREDITS_U_PASSWORD} -ge 1 ]; then - # Show how many password class are required out of 4 - LogText "[PAM] Minimum password class out of 4: ${MIN_PASSWORD_CLASS}" - Report "min_password_class=${MIN_PASSWORD_CLASS}" - else - LogText "[PAM] Minimum password class setting of ${MIN_PASSWORD_CLASS} out of 4 is ignored since at least 1 class are forced" - Report "min_password_class=ignored" - fi + if [ ${CREDITS_D_PASSWORD} -ge 1 -a ${CREDITS_L_PASSWORD} -ge 1 -a ${CREDITS_O_PASSWORD} -ge 1 -a ${CREDITS_U_PASSWORD} -ge 1 ]; then + # Show how many password class are required out of 4 + LogText "[PAM] Minimum password class out of 4: ${MIN_PASSWORD_CLASS}" + Report "min_password_class=${MIN_PASSWORD_CLASS}" + else + LogText "[PAM] Minimum password class setting of ${MIN_PASSWORD_CLASS} out of 4 is ignored since at least 1 class are forced" + Report "min_password_class=ignored" + fi - # Digits - if [ ${CREDITS_D_PASSWORD} -lt 0 ]; then - CREDITS_D_PASSWORD=$(echo ${CREDITS_D_PASSWORD} | cut -b 2-) - LogText "[PAM] Minimum number of Digital characters required: ${CREDITS_D_PASSWORD}" - Report "password_min_digital_required=${CREDITS_D_PASSWORD}" - elif [ ${CREDITS_D_PASSWORD} -ge 0 ]; then - LogText "[PAM] Maximum credit for Digital characters: ${CREDITS_D_PASSWORD}" - Report "password_max_digital_credit=${CREDITS_D_PASSWORD}" - fi + # Digits + if [ ${CREDITS_D_PASSWORD} -lt 0 ]; then + CREDITS_D_PASSWORD=$(echo ${CREDITS_D_PASSWORD} | cut -b 2-) + LogText "[PAM] Minimum number of Digital characters required: ${CREDITS_D_PASSWORD}" + Report "password_min_digital_required=${CREDITS_D_PASSWORD}" + elif [ ${CREDITS_D_PASSWORD} -ge 0 ]; then + LogText "[PAM] Maximum credit for Digital 
characters: ${CREDITS_D_PASSWORD}" + Report "password_max_digital_credit=${CREDITS_D_PASSWORD}" + fi - # Lowercase - if [ ${CREDITS_L_PASSWORD} -lt 0 ]; then - CREDITS_L_PASSWORD=$(echo ${CREDITS_L_PASSWORD} | cut -b 2-) - LogText "[PAM] Minimum number of Lowercase characters required: ${CREDITS_L_PASSWORD}" - Report "password_min_l_required=${CREDITS_L_PASSWORD}" - elif [ ${CREDITS_L_PASSWORD} -ge 0 ]; then - LogText "[PAM] Maximum credit for Lowercase characters: ${CREDITS_L_PASSWORD}" - Report "password_max_l_credit=${CREDITS_L_PASSWORD}" - fi + # Lowercase + if [ ${CREDITS_L_PASSWORD} -lt 0 ]; then + CREDITS_L_PASSWORD=$(echo ${CREDITS_L_PASSWORD} | cut -b 2-) + LogText "[PAM] Minimum number of Lowercase characters required: ${CREDITS_L_PASSWORD}" + Report "password_min_l_required=${CREDITS_L_PASSWORD}" + elif [ ${CREDITS_L_PASSWORD} -ge 0 ]; then + LogText "[PAM] Maximum credit for Lowercase characters: ${CREDITS_L_PASSWORD}" + Report "password_max_l_credit=${CREDITS_L_PASSWORD}" + fi - # Other characters - if [ ${CREDITS_O_PASSWORD} -lt 0 ]; then - CREDITS_O_PASSWORD=$(echo ${CREDITS_O_PASSWORD} | cut -b 2-) - LogText "[PAM] Minimum number of Other characters required: ${CREDITS_O_PASSWORD}" - Report "password_min_other_required=${CREDITS_O_PASSWORD}" - elif [ ${CREDITS_O_PASSWORD} -ge 0 ]; then - LogText "[PAM] Maximum credit for Other characters: ${CREDITS_O_PASSWORD}" - Report "password_max_other_credit=${CREDITS_O_PASSWORD}" - fi + # Other characters + if [ ${CREDITS_O_PASSWORD} -lt 0 ]; then + CREDITS_O_PASSWORD=$(echo ${CREDITS_O_PASSWORD} | cut -b 2-) + LogText "[PAM] Minimum number of Other characters required: ${CREDITS_O_PASSWORD}" + Report "password_min_other_required=${CREDITS_O_PASSWORD}" + elif [ ${CREDITS_O_PASSWORD} -ge 0 ]; then + LogText "[PAM] Maximum credit for Other characters: ${CREDITS_O_PASSWORD}" + Report "password_max_other_credit=${CREDITS_O_PASSWORD}" + fi - # Uppercase - if [ ${CREDITS_U_PASSWORD} -lt 0 ]; then - 
CREDITS_U_PASSWORD=$(echo ${CREDITS_U_PASSWORD} | cut -b 2-) - LogText "[PAM] Minimum number of Uppercase characters required: ${CREDITS_U_PASSWORD}" - Report "password_min_u_required=${CREDITS_U_PASSWORD}" - elif [ ${CREDITS_U_PASSWORD} -ge 0 ]; then - LogText "[PAM] Maximum credit for Uppercase characters: ${CREDITS_U_PASSWORD}" - Report "password_max_u_credit=${CREDITS_U_PASSWORD}" - fi + # Uppercase + if [ ${CREDITS_U_PASSWORD} -lt 0 ]; then + CREDITS_U_PASSWORD=$(echo ${CREDITS_U_PASSWORD} | cut -b 2-) + LogText "[PAM] Minimum number of Uppercase characters required: ${CREDITS_U_PASSWORD}" + Report "password_min_u_required=${CREDITS_U_PASSWORD}" + elif [ ${CREDITS_U_PASSWORD} -ge 0 ]; then + LogText "[PAM] Maximum credit for Uppercase characters: ${CREDITS_U_PASSWORD}" + Report "password_max_u_credit=${CREDITS_U_PASSWORD}" + fi fi # Show how many retries are allowed to change password @@ -460,7 +460,7 @@ if [ ${PAM_PASSWORD_PWHISTORY_ENABLED} -eq 1 ]; then LogText "[PAM] Password history with pam_pwhistory enabled: ${PAM_PASSWORD_PWHISTORY_ENABLED}" LogText "[PAM] Password history with pam_pwhistory amount: ${PAM_PASSWORD_PWHISTORY_AMOUNT}" Report "password_history_amount=${PAM_PASSWORD_PWHISTORY_AMOUNT}" -else + else LogText "[PAM] Password history with pam_pwhistory IS NOT enabled" fi @@ -468,7 +468,7 @@ if [ ${PAM_PASSWORD_UXHISTORY_ENABLED} -eq 1 ]; then LogText "[PAM] Password history with pam_unix enabled: ${PAM_PASSWORD_UXHISTORY_ENABLED}" LogText "[PAM] Password history with pam_unix amount: ${PAM_PASSWORD_UXHISTORY_AMOUNT}" Report "password_history_amount=${PAM_PASSWORD_UXHISTORY_AMOUNT}" -else + else LogText "[PAM] Password history with pam_unix IS NOT enabled" fi