Rewritten counters and dealing with values

Michael Boelen 2016-05-03 14:57:53 +02:00
parent eda79af419
commit eded02cfde
19 changed files with 74 additions and 67 deletions


@ -81,6 +81,13 @@ Package manager Brew has been added
Show suggestion when weak protocol is used, like SSLv2 or SSLv3. The protocols Show suggestion when weak protocol is used, like SSLv2 or SSLv3. The protocols
are now also parsed and stored as details in the report file. are now also parsed and stored as details in the report file.
* Performance
-------------
Several performance improvements have been implemented. This includes rewriting
tests to invoke less commands and enhanced hardware detection at the beginning.
* Plugins * Plugins
--------- ---------
You can set the plugin directory now also via a profile. First match wins. You can set the plugin directory now also via a profile. First match wins.


@ -74,7 +74,7 @@
LogText "Directory ${SCANDIR} exists. Starting directory scanning..." LogText "Directory ${SCANDIR} exists. Starting directory scanning..."
FIND=`ls ${SCANDIR}` FIND=`ls ${SCANDIR}`
for I in ${FIND}; do for I in ${FIND}; do
N=`expr ${N} + 1` N=$((N + 1))
BINARY="${SCANDIR}/${I}" BINARY="${SCANDIR}/${I}"
DISCOVERED_BINARIES="${DISCOVERED_BINARIES}${BINARY} " DISCOVERED_BINARIES="${DISCOVERED_BINARIES}${BINARY} "
# Optimized, much quicker (limited file access needed) # Optimized, much quicker (limited file access needed)


@ -103,8 +103,8 @@
AddHP() { AddHP() {
HPADD=$1; HPADDMAX=$2 HPADD=$1; HPADDMAX=$2
HPPOINTS=`expr ${HPPOINTS} + ${HPADD}` HPPOINTS=$((HPPOINTS + HPADD))
HPTOTAL=`expr ${HPTOTAL} + ${HPADDMAX}` HPTOTAL=$((HPTOTAL + HPADDMAX))
if [ ${HPADD} -eq ${HPADDMAX} ]; then if [ ${HPADD} -eq ${HPADDMAX} ]; then
LogText "Hardening: assigned maximum number of hardening points for this item (${HPADDMAX}). Currently having ${HPPOINTS} points (out of ${HPTOTAL})" LogText "Hardening: assigned maximum number of hardening points for this item (${HPADDMAX}). Currently having ${HPPOINTS} points (out of ${HPTOTAL})"
else else
@ -250,7 +250,7 @@
################################################################################ ################################################################################
CountTests() { CountTests() {
CTESTS_PERFORMED=`expr ${CTESTS_PERFORMED} + 1` CTESTS_PERFORMED=$((CTESTS_PERFORMED + 1))
} }
@ -406,7 +406,7 @@
# Display (counting with -m instead of -c, to support language locale) # Display (counting with -m instead of -c, to support language locale)
LINESIZE=`echo "${TEXT}" | wc -m | tr -d ' '` LINESIZE=`echo "${TEXT}" | wc -m | tr -d ' '`
if [ ${SHOWDEBUG} -eq 1 ]; then DEBUGTEXT=" [${PURPLE}DEBUG${NORMAL}]"; else DEBUGTEXT=""; fi if [ ${SHOWDEBUG} -eq 1 ]; then DEBUGTEXT=" [${PURPLE}DEBUG${NORMAL}]"; else DEBUGTEXT=""; fi
if [ ${INDENT} -gt 0 ]; then SPACES=`expr 62 - ${INDENT} - ${LINESIZE}`; fi if [ ${INDENT} -gt 0 ]; then SPACES=$((62 - INDENT - LINESIZE)); fi
if [ ${CRONJOB} -eq 0 ]; then if [ ${CRONJOB} -eq 0 ]; then
# Check if we already have already discovered a proper echo command tool. It not, set it default to 'echo'. # Check if we already have already discovered a proper echo command tool. It not, set it default to 'echo'.
if [ "${ECHOCMD}" = "" ]; then ECHOCMD="echo"; fi if [ "${ECHOCMD}" = "" ]; then ECHOCMD="echo"; fi
@ -1472,7 +1472,7 @@
Display "Can not use RandomString function, as there is no random device to be used" Display "Can not use RandomString function, as there is no random device to be used"
fi fi
if [ $# -eq 0 ]; then local SIZE=16; else local SIZE=$1; fi if [ $# -eq 0 ]; then local SIZE=16; else local SIZE=$1; fi
local CSIZE=`expr ${SIZE} / 2` local CSIZE=$((SIZE / 2))
RANDOMSTRING=`head -c ${CSIZE} /dev/urandom | od -An -x | tr -d ' ' | cut -c 1-${SIZE}` RANDOMSTRING=`head -c ${CSIZE} /dev/urandom | od -An -x | tr -d ' ' | cut -c 1-${SIZE}`
} }
@ -1489,7 +1489,7 @@
if [ ${SKIPLOGTEST} -eq 0 ]; then LogTextBreak; fi if [ ${SKIPLOGTEST} -eq 0 ]; then LogTextBreak; fi
ROOT_ONLY=0; SKIPTEST=0; SKIPLOGTEST=0; TEST_NEED_OS=""; PREQS_MET="" ROOT_ONLY=0; SKIPTEST=0; SKIPLOGTEST=0; TEST_NEED_OS=""; PREQS_MET=""
TEST_NEED_NETWORK=""; TEST_NEED_PLATFORM="" TEST_NEED_NETWORK=""; TEST_NEED_PLATFORM=""
TOTAL_TESTS=`expr ${TOTAL_TESTS} + 1` TOTAL_TESTS=$((TOTAL_TESTS + 1))
while [ $# -ge 1 ]; do while [ $# -ge 1 ]; do
case $1 in case $1 in
--description) --description)
@ -1758,7 +1758,7 @@
# Log suggestions to report file # Log suggestions to report file
ReportSuggestion() { ReportSuggestion() {
TOTAL_SUGGESTIONS=`expr ${TOTAL_SUGGESTIONS} + 1` TOTAL_SUGGESTIONS=$((TOTAL_SUGGESTIONS + 1))
# 4 parameters # 4 parameters
# <ID> <Suggestion> <Details> <Solution> # <ID> <Suggestion> <Details> <Solution>
# <ID> Lynis ID (use CUST-.... for your own tests) # <ID> Lynis ID (use CUST-.... for your own tests)
@ -1783,7 +1783,7 @@
# Log warning to report file # Log warning to report file
ReportWarning() { ReportWarning() {
TOTAL_WARNINGS=`expr ${TOTAL_WARNINGS} + 1` TOTAL_WARNINGS=$((TOTAL_WARNINGS + 1))
# Old style # Old style
# <ID> <priority/impact> <warning text> # <ID> <priority/impact> <warning text>
if [ "$2" = "L" -o "$2" = "M" -o "$2" = "H" ]; then if [ "$2" = "L" -o "$2" = "M" -o "$2" = "H" ]; then
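Review bot: In the RandomString hunk, `local CSIZE=$((SIZE / 2))` rounds down, so an odd SIZE reads fewer random bytes than SIZE hex characters need; SIZE=1 reads zero bytes and yields an empty string, and for other odd sizes the tail depends on how `od -x` pads a partial word. Rounding up, `local CSIZE=$(( (SIZE + 1) / 2 ))`, gives `cut -c 1-${SIZE}` enough random hex digits to cut from. SIZE is also taken straight from `$1`, so a check that it is a positive integer before the arithmetic would be worth adding, for example `case "${SIZE}" in ''|*[!0-9]*) return 1 ;; esac`. The function starts above the hunk, so any validation done there is not visible.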


@ -33,8 +33,8 @@
# #
# If no hardening has been found, set value to 1 # If no hardening has been found, set value to 1
if [ ${HPPOINTS} -eq 0 ]; then HPPOINTS=1; HPTOTAL=100; fi if [ ${HPPOINTS} -eq 0 ]; then HPPOINTS=1; HPTOTAL=100; fi
HPINDEX=`expr $HPPOINTS \* 100 / $HPTOTAL` HPINDEX=$((HPPOINTS * 100 / HPTOTAL))
HPAOBLOCKS=`expr $HPPOINTS \* 20 / $HPTOTAL` HPAOBLOCKS=$((HPPOINTS * 20 / HPTOTAL))
# Set color related to rating # Set color related to rating
if [ ${HPINDEX} -lt 50 ]; then if [ ${HPINDEX} -lt 50 ]; then
HPCOLOR="${RED}" HPCOLOR="${RED}"
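Review bot: `HPINDEX=$((HPPOINTS * 100 / HPTOTAL))` and the HPAOBLOCKS line divide by HPTOTAL, but the guard above them only covers HPPOINTS being 0. With `expr` a zero divisor printed an error and left the variable empty; inside arithmetic expansion it is an expansion error, which some shells (dash, for one) treat as fatal in a non-interactive script, so the run could stop before the hardening index is shown. Extending the guard, e.g. `if [ "${HPPOINTS}" -eq 0 ] || [ "${HPTOTAL}" -eq 0 ]; then HPPOINTS=1; HPTOTAL=100; fi`, keeps that case on the existing fallback. Whether HPTOTAL can actually be 0 here depends on the AddHP callers, which are outside this hunk.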


@ -103,7 +103,7 @@
# FIND=`grep -i "${I}" /etc/motd` # FIND=`grep -i "${I}" /etc/motd`
# if [ ! "${FIND}" = "" ]; then # if [ ! "${FIND}" = "" ]; then
# LogText "Result: found string '${I}'" # LogText "Result: found string '${I}'"
# N=`expr ${N} + 1` # N=$((N + 1))
# fi # fi
# done # done
# # Check if we have 5 or more key words # # Check if we have 5 or more key words
@ -154,7 +154,7 @@
FIND=`grep -i "${I}" /etc/issue` FIND=`grep -i "${I}" /etc/issue`
if [ ! "${FIND}" = "" ]; then if [ ! "${FIND}" = "" ]; then
LogText "Result: found string '${I}'" LogText "Result: found string '${I}'"
N=`expr ${N} + 1` N=$((N + 1))
fi fi
done done
# Check if we have 5 or more key words # Check if we have 5 or more key words
@ -206,7 +206,7 @@
FIND=`grep -i "${I}" /etc/issue.net` FIND=`grep -i "${I}" /etc/issue.net`
if [ ! "${FIND}" = "" ]; then if [ ! "${FIND}" = "" ]; then
LogText "Result: found string '${I}'" LogText "Result: found string '${I}'"
N=`expr ${N} + 1` N=$((N + 1))
fi fi
done done
# Check if we have 5 or more key words # Check if we have 5 or more key words


@ -489,7 +489,7 @@
for I in ${FIND}; do for I in ${FIND}; do
LogText "Found service (service/rc.conf): ${I}" LogText "Found service (service/rc.conf): ${I}"
Report "boottask[]=${I}" Report "boottask[]=${I}"
N=`expr ${N} + 1` N=$((N + 1))
done done
Display --indent 2 --text "- Checking services at startup (service/rc.conf)" --result "DONE" --color GREEN Display --indent 2 --text "- Checking services at startup (service/rc.conf)" --result "DONE" --color GREEN
Display --indent 6 --text "Result: found $N services/options set" Display --indent 6 --text "Result: found $N services/options set"
@ -516,7 +516,7 @@
for I in ${FIND}; do for I in ${FIND}; do
LogText "Found running service: ${I}" LogText "Found running service: ${I}"
Report "running_service[]=${I}" Report "running_service[]=${I}"
N=`expr ${N} + 1` N=$((N + 1))
done done
LogText "Note: Run systemctl --full --type=service to see all services" LogText "Note: Run systemctl --full --type=service to see all services"
Display --indent 2 --text "- Check running services (systemctl)" --result "DONE" --color GREEN Display --indent 2 --text "- Check running services (systemctl)" --result "DONE" --color GREEN
@ -531,7 +531,7 @@
for I in ${FIND}; do for I in ${FIND}; do
LogText "Found enabled service at boot: ${I}" LogText "Found enabled service at boot: ${I}"
Report "boot_service[]=${I}" Report "boot_service[]=${I}"
N=`expr ${N} + 1` N=$((N + 1))
done done
LogText "Note: Run systemctl list-unit-files --type=service to see all services" LogText "Note: Run systemctl list-unit-files --type=service to see all services"
Display --indent 2 --text "- Check enabled services at boot (systemctl)" --result "DONE" --color GREEN Display --indent 2 --text "- Check enabled services at boot (systemctl)" --result "DONE" --color GREEN
@ -549,7 +549,7 @@
for I in ${FIND}; do for I in ${FIND}; do
LogText "Found service (at boot, runlevel 3 or 5): ${I}" LogText "Found service (at boot, runlevel 3 or 5): ${I}"
Report "boot_service[]=${I}" Report "boot_service[]=${I}"
N=`expr ${N} + 1` N=$((N + 1))
done done
LogText "Hint: Run chkconfig --list to see all services and disable unneeded services" LogText "Hint: Run chkconfig --list to see all services and disable unneeded services"
Display --indent 2 --text "- Check services at startup (chkconfig)" --result "DONE" --color GREEN Display --indent 2 --text "- Check services at startup (chkconfig)" --result "DONE" --color GREEN
@ -579,7 +579,7 @@
N=0 N=0
for I in ${FIND}; do for I in ${FIND}; do
LogText "Found service (at boot, runlevel 2): ${I}" LogText "Found service (at boot, runlevel 2): ${I}"
N=`expr ${N} + 1` N=$((N + 1))
done done
Display --indent 2 --text "- Check services at startup (rc2.d)" --result "DONE" --color WHITE Display --indent 2 --text "- Check services at startup (rc2.d)" --result "DONE" --color WHITE
Display --indent 4 --text "Result: found $N services" Display --indent 4 --text "Result: found $N services"
@ -712,7 +712,7 @@
LogText "Boot time: ${TIME_BOOT}" LogText "Boot time: ${TIME_BOOT}"
LogText "Current time: ${TIME_NOW}" LogText "Current time: ${TIME_NOW}"
if [ ! "${TIME_BOOT}" = "" -a ! "${TIME_NOW}" = "" ]; then if [ ! "${TIME_BOOT}" = "" -a ! "${TIME_NOW}" = "" ]; then
UPTIME_IN_SECS=`expr ${TIME_NOW} - ${TIME_BOOT}` UPTIME_IN_SECS=$((TIME_NOW - TIME_BOOT))
else else
ReportException "${TEST_NO}:5" "Most likely kern.boottime empty, unable to determine uptime" ReportException "${TEST_NO}:5" "Most likely kern.boottime empty, unable to determine uptime"
fi fi
@ -740,7 +740,7 @@
esac esac
if [ ! "${FIND}" = "" ]; then if [ ! "${FIND}" = "" ]; then
UPTIME_IN_SECS="${FIND}" UPTIME_IN_SECS="${FIND}"
UPTIME_IN_DAYS=`expr ${UPTIME_IN_SECS} / 60 / 60 / 24` UPTIME_IN_DAYS=$((UPTIME_IN_SECS / 60 / 60 / 24))
LogText "Uptime (in seconds): ${UPTIME_IN_SECS}" LogText "Uptime (in seconds): ${UPTIME_IN_SECS}"
LogText "Uptime (in days): ${UPTIME_IN_DAYS}" LogText "Uptime (in days): ${UPTIME_IN_DAYS}"
Report "uptime_in_seconds=${UPTIME_IN_SECS}" Report "uptime_in_seconds=${UPTIME_IN_SECS}"
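Review bot: `UPTIME_IN_DAYS=$((UPTIME_IN_SECS / 60 / 60 / 24))` operates on `UPTIME_IN_SECS="${FIND}"`, which is only tested for being non-empty, and `UPTIME_IN_SECS=$((TIME_NOW - TIME_BOOT))` in the hunk above has the same non-empty-only test. Unlike `expr`, arithmetic expansion does not simply fail on a non-numeric value: dash aborts the script on it, and bash evaluates the variable's content as an expression. These values appear to come from parsed command output (the assignments are outside the hunks), so an integer check before the arithmetic would keep a malformed value from ending the scan, e.g. `case "${UPTIME_IN_SECS}" in ''|*[!0-9]*) UPTIME_IN_SECS=0 ;; esac`. The same applies to `DOCKER_CONTAINERS_TOTAL - DOCKER_CONTAINERS_RUNNING` in the Docker file section further down.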


@ -40,7 +40,7 @@
if [ ! "${FIND}" = "" ]; then if [ ! "${FIND}" = "" ]; then
N=0 N=0
for I in ${FIND}; do for I in ${FIND}; do
N=`expr ${N} + 1` N=$((N + 1))
ZONEID=`echo ${I} | cut -d ':' -f1` ZONEID=`echo ${I} | cut -d ':' -f1`
ZONENAME=`echo ${I} | cut -d ':' -f2` ZONENAME=`echo ${I} | cut -d ':' -f2`
LogText "Result: found zone ${ZONENAME} (running)" LogText "Result: found zone ${ZONENAME} (running)"
@ -102,7 +102,7 @@
for I in ${FIND}; do for I in ${FIND}; do
J=`echo ${I} | sed 's/:space:/ /g'` J=`echo ${I} | sed 's/:space:/ /g'`
LogText "Output: ${J}" LogText "Output: ${J}"
COUNT=`expr ${COUNT} + 1` COUNT=$((COUNT + 1))
done done
Display --indent 8 --text "- Docker info output (warnings)" --result "${COUNT}" --color RED Display --indent 8 --text "- Docker info output (warnings)" --result "${COUNT}" --color RED
ReportSuggestion "${TEST_NO}" "Run 'docker info' to see warnings applicable to Docker daemon" ReportSuggestion "${TEST_NO}" "Run 'docker info' to see warnings applicable to Docker daemon"
@ -154,7 +154,7 @@
# Check if there aren't too many unused containers on the system # Check if there aren't too many unused containers on the system
if [ ${DOCKER_CONTAINERS_TOTAL} -gt 0 ]; then if [ ${DOCKER_CONTAINERS_TOTAL} -gt 0 ]; then
DOCKER_CONTAINERS_UNUSED=`expr ${DOCKER_CONTAINERS_TOTAL} - ${DOCKER_CONTAINERS_RUNNING}` DOCKER_CONTAINERS_UNUSED=$((DOCKER_CONTAINERS_TOTAL - DOCKER_CONTAINERS_RUNNING))
if [ ${DOCKER_CONTAINERS_UNUSED} -gt 10 ]; then if [ ${DOCKER_CONTAINERS_UNUSED} -gt 10 ]; then
ReportSuggestion "${TEST_NO}" "More than 10 unused containers found on the system. Clean up old containers by using output of 'docker ps -a' command" ReportSuggestion "${TEST_NO}" "More than 10 unused containers found on the system. Clean up old containers by using output of 'docker ps -a' command"
Display --indent 8 --text "- Unused containers" --result "${DOCKER_CONTAINERS_UNUSED}" --color RED Display --indent 8 --text "- Unused containers" --result "${DOCKER_CONTAINERS_UNUSED}" --color RED
@ -183,7 +183,7 @@
if IsWorldWritable ${I}; then if IsWorldWritable ${I}; then
LogText "Result: file is writable by others, which is a security risk (e.g. privilege escalation)" LogText "Result: file is writable by others, which is a security risk (e.g. privilege escalation)"
ReportWarning "${TEST_NO}" "Docker file is world writable" "${I}" "-" ReportWarning "${TEST_NO}" "Docker file is world writable" "${I}" "-"
DOCKER_FILE_PERMISSIONS_WARNINGS=`expr ${DOCKER_FILE_PERMISSIONS_WARNINGS} + 1` DOCKER_FILE_PERMISSIONS_WARNINGS=$((DOCKER_FILE_PERMISSIONS_WARNINGS + 1))
else else
LogText "Result: file is not writable by others, which is fine" LogText "Result: file is not writable by others, which is fine"
fi fi


@ -308,7 +308,7 @@
for I in ${FIND}; do for I in ${FIND}; do
FILE=`echo ${I} | sed 's/!space!/ /g'` FILE=`echo ${I} | sed 's/!space!/ /g'`
LogText "Old temporary file: ${FILE}" LogText "Old temporary file: ${FILE}"
N=`expr ${N} + 1` N=$((N + 1))
done done
LogText "Result: found old files in /tmp, which were not modified in the last ${TMP_OLD_DAYS} days" LogText "Result: found old files in /tmp, which were not modified in the last ${TMP_OLD_DAYS} days"
LogText "Advice: check and clean up unused files in /tmp. Old files can fill up a disk or contain" LogText "Advice: check and clean up unused files in /tmp. Old files can fill up a disk or contain"


@ -215,7 +215,7 @@
for I in ${FIND}; do for I in ${FIND}; do
LogText "Loaded module: ${I}" LogText "Loaded module: ${I}"
Report "loaded_kernel_module[]=${I}" Report "loaded_kernel_module[]=${I}"
N=`expr ${N} + 1` N=$((N + 1))
done done
Display --indent 6 --text "Found ${N} active modules" Display --indent 6 --text "Found ${N} active modules"
else else
@ -299,7 +299,7 @@
for I in ${FIND}; do for I in ${FIND}; do
LogText "Loaded module: ${I}" LogText "Loaded module: ${I}"
Report "loaded_kernel_module[]=${I}" Report "loaded_kernel_module[]=${I}"
N=`expr ${N} + 1` N=$((N + 1))
done done
Display --indent 4 --text "Found ${N} kernel modules" --result DONE --color GREEN Display --indent 4 --text "Found ${N} kernel modules" --result DONE --color GREEN
else else


@ -53,7 +53,7 @@
Display --indent 4 --text "- ${tFINDkey} (exp: ${tFINDexpvalue})" --result DIFFERENT --color RED Display --indent 4 --text "- ${tFINDkey} (exp: ${tFINDexpvalue})" --result DIFFERENT --color RED
AddHP 0 ${tFINDhp} AddHP 0 ${tFINDhp}
FOUND=1 FOUND=1
N=`expr ${N} + 1` N=$((N + 1))
ReportDetails --test "${TEST_NO}" --service "sysctl" --field "${tFINDkey}" --value "${tFINDcurvalue}" --preferredvalue "${tFINDexpvalue}" --description "${tFINDdesc}" ReportDetails --test "${TEST_NO}" --service "sysctl" --field "${tFINDkey}" --value "${tFINDcurvalue}" --preferredvalue "${tFINDexpvalue}" --description "${tFINDdesc}"
fi fi
else else


@ -78,7 +78,7 @@
for I in ${FIND}; do for I in ${FIND}; do
LogText "Found search domain: ${I}" LogText "Found search domain: ${I}"
Report "resolv_conf_search_domain[]=${I}" Report "resolv_conf_search_domain[]=${I}"
N=`expr ${N} + 1` N=$((N + 1))
done done
# Warn if we have more than 6 search domains, which is maximum in most resolvers # Warn if we have more than 6 search domains, which is maximum in most resolvers
if [ ${N} -gt 6 ]; then if [ ${N} -gt 6 ]; then


@ -141,7 +141,7 @@
Display --indent 8 --text "Nameserver: ${I}" --result OK --color GREEN Display --indent 8 --text "Nameserver: ${I}" --result OK --color GREEN
LogText "Nameserver ${I} seems to respond to queries from this host." LogText "Nameserver ${I} seems to respond to queries from this host."
# Count responsive nameservers # Count responsive nameservers
NUMBERACTIVENS=`expr ${NUMBERACTIVENS} + 1` NUMBERACTIVENS=$((NUMBERACTIVENS + 1))
else else
Display --indent 8 --text "Nameserver: ${I}" --result "NO RESPONSE" --color RED Display --indent 8 --text "Nameserver: ${I}" --result "NO RESPONSE" --color RED
LogText "Result: nameserver ${I} does NOT respond" LogText "Result: nameserver ${I} does NOT respond"
@ -242,7 +242,7 @@
for I in ${FIND}; do for I in ${FIND}; do
NETWORK_INTERFACES="${NETWORK_INTERFACES}|${I}" NETWORK_INTERFACES="${NETWORK_INTERFACES}|${I}"
LogText "Found network interface: ${I}" LogText "Found network interface: ${I}"
N=`expr ${N} + 1` N=$((N + 1))
Report "network_interface[]=${I}" Report "network_interface[]=${I}"
done done
else else
@ -296,7 +296,7 @@
N=0 N=0
for I in ${FIND}; do for I in ${FIND}; do
LogText "Found MAC address: ${I}" LogText "Found MAC address: ${I}"
N=`expr ${N} + 1` N=$((N + 1))
Report "network_mac_address[]=${I}" Report "network_mac_address[]=${I}"
done done
fi fi
@ -353,13 +353,13 @@
# IPv4 # IPv4
for I in ${FIND}; do for I in ${FIND}; do
LogText "Found IPv4 address: ${I}" LogText "Found IPv4 address: ${I}"
N=`expr ${N} + 1` N=$((N + 1))
Report "network_ipv4_address[]=${I}" Report "network_ipv4_address[]=${I}"
done done
# IPv6 # IPv6
for I in ${FIND2}; do for I in ${FIND2}; do
LogText "Found IPv6 address: ${I}" LogText "Found IPv6 address: ${I}"
N=`expr ${N} + 1` N=$((N + 1))
Report "network_ipv6_address[]=${I}" Report "network_ipv6_address[]=${I}"
done done
@ -441,7 +441,7 @@
LogText "Test: Retrieving sockstat information to find listening ports" LogText "Test: Retrieving sockstat information to find listening ports"
if [ ! "${FIND}" = "" ]; then if [ ! "${FIND}" = "" ]; then
for I in ${FIND}; do for I in ${FIND}; do
N=`expr ${N} + 1` N=$((N + 1))
LogText "Found listening info: ${I}" LogText "Found listening info: ${I}"
Report "network_listen_port[]=${I}" Report "network_listen_port[]=${I}"
done done
@ -449,7 +449,7 @@
if [ ! "${FIND2}" = "" ]; then if [ ! "${FIND2}" = "" ]; then
for I in ${FIND2}; do for I in ${FIND2}; do
N=`expr ${N} + 1` N=$((N + 1))
LogText "Found listening info: ${I}" LogText "Found listening info: ${I}"
Report "network_listen_port[]=${I}" Report "network_listen_port[]=${I}"
done done


@ -75,7 +75,7 @@
LogText "Output:"; LogText "-----" LogText "Output:"; LogText "-----"
SPACKAGES=`/usr/sbin/pkg_info 2>&1 | sort | tr -s ' ' | cut -d ' ' -f1 | sed -e 's/^\(.*\)-\([0-9].*\)$/\1,\2/g'` SPACKAGES=`/usr/sbin/pkg_info 2>&1 | sort | tr -s ' ' | cut -d ' ' -f1 | sed -e 's/^\(.*\)-\([0-9].*\)$/\1,\2/g'`
for J in ${SPACKAGES}; do for J in ${SPACKAGES}; do
N=`expr ${N} + 1` N=$((N + 1))
sPKG_NAME=`echo ${J} | cut -d ',' -f1` sPKG_NAME=`echo ${J} | cut -d ',' -f1`
sPKG_VERSION=`echo ${J} | cut -d ',' -f2` sPKG_VERSION=`echo ${J} | cut -d ',' -f2`
LogText "Installed package: ${sPKG_NAME} (version: ${sPKG_VERSION})" LogText "Installed package: ${sPKG_NAME} (version: ${sPKG_VERSION})"
@ -175,7 +175,7 @@
ReportSuggestion "${TEST_NO}" "Check RPM database as RPM binary available but does not reveal any packages" ReportSuggestion "${TEST_NO}" "Check RPM database as RPM binary available but does not reveal any packages"
else else
for J in ${SPACKAGES}; do for J in ${SPACKAGES}; do
N=`expr ${N} + 1` N=$((N + 1))
PACKAGE_NAME=`echo ${J} | awk -F, '{print $1}'` PACKAGE_NAME=`echo ${J} | awk -F, '{print $1}'`
PACKAGE_VERSION=`echo ${J} | awk -F, '{print $2}'` PACKAGE_VERSION=`echo ${J} | awk -F, '{print $2}'`
LogText "Found package: ${J}" LogText "Found package: ${J}"
@ -207,7 +207,7 @@
LogText "Info: looks like the pacman binary is installed, but not used for package installation" LogText "Info: looks like the pacman binary is installed, but not used for package installation"
else else
for J in ${SPACKAGES}; do for J in ${SPACKAGES}; do
N=`expr ${N} + 1` N=$((N + 1))
PACKAGE_NAME=`echo ${J} | awk -F, '{ print $1 }'` PACKAGE_NAME=`echo ${J} | awk -F, '{ print $1 }'`
PACKAGE_VERSION=`echo ${J} | awk -F, '{ print $2 }'` PACKAGE_VERSION=`echo ${J} | awk -F, '{ print $2 }'`
LogText "Found package: ${PACKAGE_NAME} (version: ${PACKAGE_VERSION})" LogText "Found package: ${PACKAGE_NAME} (version: ${PACKAGE_VERSION})"
@ -269,7 +269,7 @@
LogText "Test: checking available repositories" LogText "Test: checking available repositories"
FIND=`grep "^\[.*\]$" ${PACMANCONF} | tr -d '[]'` FIND=`grep "^\[.*\]$" ${PACMANCONF} | tr -d '[]'`
for I in ${FIND}; do for I in ${FIND}; do
COUNT=`expr ${COUNT} + 1` COUNT=$((COUNT + 1))
Report "package_repository[]=${I}" Report "package_repository[]=${I}"
done done
LogText "Result: found ${COUNT} repositories" LogText "Result: found ${COUNT} repositories"
@ -288,7 +288,7 @@
FIND=`${ZYPPERBINARY} se -i | awk '{ if ($1=="i") { print $3 } }'` FIND=`${ZYPPERBINARY} se -i | awk '{ if ($1=="i") { print $3 } }'`
if [ ! "${FIND}" = "" ]; then if [ ! "${FIND}" = "" ]; then
for I in ${FIND}; do for I in ${FIND}; do
N=`expr ${N} + 1` N=$((N + 1))
LogText "Installed package: ${I}" LogText "Installed package: ${I}"
INSTALLED_PACKAGES="${INSTALLED_PACKAGES}|${J},0," INSTALLED_PACKAGES="${INSTALLED_PACKAGES}|${J},0,"
done done
@ -343,7 +343,7 @@
LogText "Output:" LogText "Output:"
SPACKAGES=`dpkg -l 2>/dev/null | grep "^ii" | tr -s ' ' | tr ' ' ',' | sort` SPACKAGES=`dpkg -l 2>/dev/null | grep "^ii" | tr -s ' ' | tr ' ' ',' | sort`
for J in ${SPACKAGES}; do for J in ${SPACKAGES}; do
N=`expr ${N} + 1` N=$((N + 1))
PACKAGE_NAME=`echo ${J} | cut -d ',' -f2` PACKAGE_NAME=`echo ${J} | cut -d ',' -f2`
PACKAGE_VERSION=`echo ${J} | cut -d ',' -f3` PACKAGE_VERSION=`echo ${J} | cut -d ',' -f3`
LogText "Found package: ${PACKAGE_NAME} (version: ${PACKAGE_VERSION})" LogText "Found package: ${PACKAGE_NAME} (version: ${PACKAGE_VERSION})"
@ -373,7 +373,7 @@
LogText "Result: found one or more packages with left over configuration files, cron jobs etc" LogText "Result: found one or more packages with left over configuration files, cron jobs etc"
LogText "Output:" LogText "Output:"
for J in ${SPACKAGES}; do for J in ${SPACKAGES}; do
N=`expr ${N} + 1` N=$((N + 1))
LogText "Found unpurged package: ${J}" LogText "Found unpurged package: ${J}"
done done
ReportSuggestion ${TEST_NO} "Purge old/removed packages (${N} found) with aptitude purge or dpkg --purge command. This will cleanup old configuration files, cron jobs and startup scripts." ReportSuggestion ${TEST_NO} "Purge old/removed packages (${N} found) with aptitude purge or dpkg --purge command. This will cleanup old configuration files, cron jobs and startup scripts."
@ -421,7 +421,7 @@
PACKAGE_AUDIT_TOOL="dnf" PACKAGE_AUDIT_TOOL="dnf"
SPACKAGES=`${DNFBINARY} -q list installed 2> /dev/null | awk '{ if ($1!="Installed" && $1!="Last") {print $1","$2 }}'` SPACKAGES=`${DNFBINARY} -q list installed 2> /dev/null | awk '{ if ($1!="Installed" && $1!="Last") {print $1","$2 }}'`
for J in ${SPACKAGES}; do for J in ${SPACKAGES}; do
N=`expr ${N} + 1` N=$((N + 1))
PACKAGE_NAME=`echo ${J} | cut -d ',' -f1` PACKAGE_NAME=`echo ${J} | cut -d ',' -f1`
PACKAGE_VERSION=`echo ${J} | cut -d ',' -f2` PACKAGE_VERSION=`echo ${J} | cut -d ',' -f2`
LogText "Found package: ${PACKAGE_NAME} (version: ${PACKAGE_VERSION})" LogText "Found package: ${PACKAGE_NAME} (version: ${PACKAGE_VERSION})"
@ -555,7 +555,7 @@
LogText "Test: Querying portmaster for possible port upgrades" LogText "Test: Querying portmaster for possible port upgrades"
UPACKAGES=`/usr/local/sbin/portmaster -L | grep "version available" | awk '{ print $5 }'` UPACKAGES=`/usr/local/sbin/portmaster -L | grep "version available" | awk '{ print $5 }'`
for J in ${UPACKAGES}; do for J in ${UPACKAGES}; do
N=`expr ${N} + 1` N=$((N + 1))
LogText "Upgrade available (new version): ${J}" LogText "Upgrade available (new version): ${J}"
Report "upgrade_available[]=${J}" Report "upgrade_available[]=${J}"
done done
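Review bot: In the zypper hunk the loop variable is `I`, but the line after the new counter appends `${J}` (`INSTALLED_PACKAGES="${INSTALLED_PACKAGES}|${J},0,"`), so every entry carries whatever J last held in an earlier loop, or nothing at all. The log line shows the right package name while the collected list does not, which matters if that list feeds later package or vulnerability checks. The line should read `INSTALLED_PACKAGES="${INSTALLED_PACKAGES}|${I},0,"`. It is a context line in this commit, and the enclosing `if` block closes outside the hunk.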


@ -141,7 +141,7 @@
N=0 N=0
for I in ${FIND}; do for I in ${FIND}; do
LogText "Found network address: ${I}" LogText "Found network address: ${I}"
N=`expr ${N} + 1` N=$((N + 1))
FOUND=1 FOUND=1
done done
if [ ${FOUND} -eq 0 ]; then if [ ${FOUND} -eq 0 ]; then
@ -169,7 +169,7 @@
FIND=`grep "^Listen" ${CUPSD_CONFIG_FILE} | grep "/" | awk '{ print $2 }'` FIND=`grep "^Listen" ${CUPSD_CONFIG_FILE} | grep "/" | awk '{ print $2 }'`
for I in ${FIND}; do for I in ${FIND}; do
LogText "Found socket address: ${I}" LogText "Found socket address: ${I}"
N=`expr ${N} + 1` N=$((N + 1))
done done
if [ ${N} -eq 0 ]; then if [ ${N} -eq 0 ]; then
@ -275,7 +275,7 @@
for I in ${FIND}; do for I in ${FIND}; do
FILE=`echo ${I} | sed 's/!space!/ /g'` FILE=`echo ${I} | sed 's/!space!/ /g'`
LogText "Found old print job: ${FILE}" LogText "Found old print job: ${FILE}"
N=`expr ${N} + 1` N=$((N + 1))
done done
LogText "Result: Found ${N} old print jobs in /var/spool/lpd/qdir" LogText "Result: Found ${N} old print jobs in /var/spool/lpd/qdir"
Display --indent 4 --text "- Checking old print jobs" --result FOUND --color YELLOW Display --indent 4 --text "- Checking old print jobs" --result FOUND --color YELLOW


@ -79,12 +79,12 @@
CSSHELLS=0; CSSHELLS_ALL=0 CSSHELLS=0; CSSHELLS_ALL=0
Display --indent 2 --text "- Checking shells from /etc/shells" Display --indent 2 --text "- Checking shells from /etc/shells"
for I in ${SSHELLS}; do for I in ${SSHELLS}; do
CSSHELLS_ALL=`expr ${CSSHELLS_ALL} + 1` CSSHELLS_ALL=$((CSSHELLS_ALL + 1))
Report "available_shell[]=${I}" Report "available_shell[]=${I}"
# YYY add check for symlinked shells # YYY add check for symlinked shells
if [ -f ${I} ]; then if [ -f ${I} ]; then
LogText "Found installed shell: ${I}" LogText "Found installed shell: ${I}"
CSSHELLS=`expr ${CSSHELLS} + 1` CSSHELLS=$((CSSHELLS + 1))
else else
LogText "Shell ${I} not installed. Probably a dummy or non existing shell." LogText "Shell ${I} not installed. Probably a dummy or non existing shell."
fi fi
@ -125,7 +125,7 @@
for I in ${FIND}; do for I in ${FIND}; do
LogText "Output: ${I}" LogText "Output: ${I}"
Report "session_timeout_value[]=${I}" Report "session_timeout_value[]=${I}"
N=`expr ${N} + 1` N=$((N + 1))
done done
if [ ${N} -eq 1 ]; then if [ ${N} -eq 1 ]; then
LogText "Result: found TMOUT value configured in /etc/profile" LogText "Result: found TMOUT value configured in /etc/profile"
@ -142,7 +142,7 @@
for I in ${FIND2}; do for I in ${FIND2}; do
LogText "Output: ${I}" LogText "Output: ${I}"
if [ "${I}" = "readonly" -o "${I}" = "typeset" ]; then if [ "${I}" = "readonly" -o "${I}" = "typeset" ]; then
N=`expr ${N} + 1` N=$((N + 1))
fi fi
done done
if [ ${N} -gt 0 ]; then if [ ${N} -gt 0 ]; then
@ -172,7 +172,7 @@
for I in ${FIND}; do for I in ${FIND}; do
LogText "Output: ${I}" LogText "Output: ${I}"
Report "session_timeout_value[]=${I}" Report "session_timeout_value[]=${I}"
N=`expr ${N} + 1` N=$((N + 1))
done done
if [ ${N} -eq 1 ]; then if [ ${N} -eq 1 ]; then
LogText "Result: found TMOUT value configured in one of the files in /etc/profile.d directory" LogText "Result: found TMOUT value configured in one of the files in /etc/profile.d directory"
@ -189,7 +189,7 @@
for I in ${FIND2}; do for I in ${FIND2}; do
LogText "Output: ${I}" LogText "Output: ${I}"
if [ "${I}" = "readonly" -o "${I}" = "typeset" ]; then if [ "${I}" = "readonly" -o "${I}" = "typeset" ]; then
N=`expr ${N} + 1` N=$((N + 1))
fi fi
done done
if [ ${N} -gt 0 ]; then if [ ${N} -gt 0 ]; then


@ -209,7 +209,7 @@
Display --indent 6 --text "- Checking Access Control Lists" --result "NONE" --color RED Display --indent 6 --text "- Checking Access Control Lists" --result "NONE" --color RED
else else
for I in ${FIND}; do for I in ${FIND}; do
N=`expr ${N} + 1` N=$((N + 1))
I=`echo ${I} | sed 's/!space!/ /g'` I=`echo ${I} | sed 's/!space!/ /g'`
LogText "Found ACL: ${I}" LogText "Found ACL: ${I}"
#Report "squid_acl=${I}" #Report "squid_acl=${I}"


@ -246,7 +246,7 @@
LogText "Found stratum 16 peer: ${I}" LogText "Found stratum 16 peer: ${I}"
FIND2=`egrep "^ntp:ignore_stratum_16_peer:${I}:" ${PROFILE}` FIND2=`egrep "^ntp:ignore_stratum_16_peer:${I}:" ${PROFILE}`
if [ "${FIND2}" = "" ]; then if [ "${FIND2}" = "" ]; then
N=`expr ${N} + 1` N=$((N + 1))
else else
LogText "Output: host ${I} ignored by profile" LogText "Output: host ${I} ignored by profile"
fi fi


@ -150,14 +150,14 @@
for J in `grep "ServerName" ${I} | grep -v "^#" | awk '{ if ($1=="ServerName" && $2!="*" && $2!="default") print $2 }'`; do for J in `grep "ServerName" ${I} | grep -v "^#" | awk '{ if ($1=="ServerName" && $2!="*" && $2!="default") print $2 }'`; do
if [ ! -z ${J} ]; then if [ ! -z ${J} ]; then
tVHOSTS="${tVHOSTS} ${J}" tVHOSTS="${tVHOSTS} ${J}"
cVHOSTS=`expr ${cVHOSTS} + 1` cVHOSTS=$((cVHOSTS + 1))
fi fi
done done
# Search Server aliases # Search Server aliases
for J in `grep "ServerAlias" ${I} | grep -v "^#" | sed "s/.* ServerAlias//g" | sed "s/#.*//g"`; do for J in `grep "ServerAlias" ${I} | grep -v "^#" | sed "s/.* ServerAlias//g" | sed "s/#.*//g"`; do
if [ ! -z ${J} ]; then if [ ! -z ${J} ]; then
tVHOSTS="${tVHOSTS} ${J}" tVHOSTS="${tVHOSTS} ${J}"
cVHOSTS=`expr ${cVHOSTS} + 1` cVHOSTS=$((cVHOSTS + 1))
fi fi
done done
else else
@ -275,7 +275,7 @@
for J in ${FIND}; do for J in ${FIND}; do
Report "apache_module[]=${J}" Report "apache_module[]=${J}"
LogText "Result: found Apache module ${J}" LogText "Result: found Apache module ${J}"
N=`expr ${N} + 1` N=$((N + 1))
done done
fi fi
done done
@ -431,7 +431,7 @@
for J in ${FIND2}; do for J in ${FIND2}; do
# Ensure that we are parsing normal files # Ensure that we are parsing normal files
if [ -f ${J} ]; then if [ -f ${J} ]; then
N=`expr ${N} + 1` N=$((N + 1))
LogText "Result: found Nginx configuration file ${J}" LogText "Result: found Nginx configuration file ${J}"
Report "nginx_sub_conf_file=${J}" Report "nginx_sub_conf_file=${J}"
FileIsReadable ${J} FileIsReadable ${J}
@ -621,7 +621,7 @@
# FIND=`grep "proxy_pass" ${NGINX_CONF_LOCATION} | grep -v "#" | sed 's/proxy_pass//g' | tr -d ';'` # FIND=`grep "proxy_pass" ${NGINX_CONF_LOCATION} | grep -v "#" | sed 's/proxy_pass//g' | tr -d ';'`
# for I in ${FIND}; do # for I in ${FIND}; do
# LogText "Found reverse proxy configuration for: ${I}" # LogText "Found reverse proxy configuration for: ${I}"
# N=`expr ${N} + 1` # N=$((N + 1))
# done # done
# if [ ${N} -eq 0 ]; then # if [ ${N} -eq 0 ]; then
# LogText "Result: no reverse proxying functionality found" # LogText "Result: no reverse proxying functionality found"
@ -647,7 +647,7 @@
# if [ "${I}" = "_" ]; then I="Default virtual host"; fi # if [ "${I}" = "_" ]; then I="Default virtual host"; fi
# LogText "Found virtual host: ${I}" # LogText "Found virtual host: ${I}"
# Report "nginx_vhost_name[]=${I}" # Report "nginx_vhost_name[]=${I}"
# N=`expr ${N} + 1` # N=$((N + 1))
# done # done
# if [ ${N} -eq 0 ]; then # if [ ${N} -eq 0 ]; then
# LogText "Result: no virtual hosts found" # LogText "Result: no virtual hosts found"

8
lynis

@ -620,7 +620,7 @@ ${NORMAL}
LogText "Latest stable version : ${PROGRAM_LV}" LogText "Latest stable version : ${PROGRAM_LV}"
if [ ${PROGRAM_LV} -gt ${PROGRAM_AC} ]; then if [ ${PROGRAM_LV} -gt ${PROGRAM_AC} ]; then
# Check if current version is REALLY outdated (10 versions ago) # Check if current version is REALLY outdated (10 versions ago)
PROGRAM_MINVERSION=`expr ${PROGRAM_LV} - 10` PROGRAM_MINVERSION=$((${PROGRAM_LV} - 10))
LogText "Minimum required version : ${PROGRAM_MINVERSION}" LogText "Minimum required version : ${PROGRAM_MINVERSION}"
if [ ${PROGRAM_MINVERSION} -gt ${PROGRAM_AC} ]; then if [ ${PROGRAM_MINVERSION} -gt ${PROGRAM_AC} ]; then
Display --indent 2 --text "- Program update status... " --result "WARNING" --color RED Display --indent 2 --text "- Program update status... " --result "WARNING" --color RED
@ -652,7 +652,7 @@ ${NORMAL}
NOW=`date +%s` NOW=`date +%s`
OLD_RELEASE=0 OLD_RELEASE=0
TIME_DIFFERENCE_CHECK=10368000 # 4 months TIME_DIFFERENCE_CHECK=10368000 # 4 months
RELEASE_PLUS_TIMEDIFF=`expr ${PROGRAM_RELEASE_TIMESTAMP} + ${TIME_DIFFERENCE_CHECK}` RELEASE_PLUS_TIMEDIFF=$((${PROGRAM_RELEASE_TIMESTAMP} + ${TIME_DIFFERENCE_CHECK}))
if [ ${NOW} -gt ${RELEASE_PLUS_TIMEDIFF} ]; then if [ ${NOW} -gt ${RELEASE_PLUS_TIMEDIFF} ]; then
# Show if release is old, only if we didn't show it with normal update check # Show if release is old, only if we didn't show it with normal update check
if [ ${UPDATE_AVAILABLE} -eq 0 ]; then if [ ${UPDATE_AVAILABLE} -eq 0 ]; then
@ -757,7 +757,7 @@ ${NORMAL}
if [ -f ${PLUGIN_FILE} ]; then if [ -f ${PLUGIN_FILE} ]; then
FIND2=`grep "^# PLUGIN_NAME=" ${PLUGIN_FILE} | awk -F= '{ print $2 }'` FIND2=`grep "^# PLUGIN_NAME=" ${PLUGIN_FILE} | awk -F= '{ print $2 }'`
if [ ! "${FIND2}" = "" -a ! "${FIND2}" = "[plugin_name]" ]; then if [ ! "${FIND2}" = "" -a ! "${FIND2}" = "[plugin_name]" ]; then
if [ ${PLUGIN_PHASE} -eq 1 ]; then N_PLUGIN=`expr ${N_PLUGIN} + 1`; fi if [ ${PLUGIN_PHASE} -eq 1 ]; then N_PLUGIN=$((${N_PLUGIN} + 1)); fi
# Check if the plugin is enabled in any of the profiles # Check if the plugin is enabled in any of the profiles
PLUGIN_ENABLED_STATE=0 PLUGIN_ENABLED_STATE=0
for PROFILE in ${PROFILES}; do for PROFILE in ${PROFILES}; do
@ -779,7 +779,7 @@ ${NORMAL}
if [ "${FIND4}" = "rw-r--r--" -o "${FIND4}" = "rw-r-----" -o "${FIND4}" = "rw-------" -o "${FIND4}" = "r--------" ]; then if [ "${FIND4}" = "rw-r--r--" -o "${FIND4}" = "rw-r-----" -o "${FIND4}" = "rw-------" -o "${FIND4}" = "r--------" ]; then
LogText "Including plugin file: ${PLUGINFILE} (version: ${PLUGIN_VERSION})" LogText "Including plugin file: ${PLUGINFILE} (version: ${PLUGIN_VERSION})"
Report "plugin_enabled_phase${PLUGIN_PHASE}[]=${FIND2}|${PLUGIN_VERSION}|" Report "plugin_enabled_phase${PLUGIN_PHASE}[]=${FIND2}|${PLUGIN_VERSION}|"
if [ ${PLUGIN_PHASE} -eq 1 ]; then N_PLUGIN_ENABLED=`expr ${N_PLUGIN_ENABLED} + 1`; fi if [ ${PLUGIN_PHASE} -eq 1 ]; then N_PLUGIN_ENABLED=$((${N_PLUGIN_ENABLED} + 1)); fi
Display --indent 2 --text "- ${CYAN}Plugin${NORMAL}: ${WHITE}${FIND2}${NORMAL}" Display --indent 2 --text "- ${CYAN}Plugin${NORMAL}: ${WHITE}${FIND2}${NORMAL}"
if [ ${PLUGIN_PHASE} -eq 1 ]; then Progress " ["; fi if [ ${PLUGIN_PHASE} -eq 1 ]; then Progress " ["; fi
. ${PLUGINFILE} . ${PLUGINFILE}
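Review bot: The four replacements in this file keep `${...}` inside the arithmetic, e.g. `PROGRAM_MINVERSION=$((${PROGRAM_LV} - 10))`, while every other file in this commit uses the bare name (`N=$((N + 1))`). The two forms are not equivalent: `${VAR}` is substituted as text before the expression is parsed, so an empty or malformed value changes the expression itself, which is harder to reason about for values such as PROGRAM_LV and PROGRAM_RELEASE_TIMESTAMP that are set outside these hunks. For consistency write `PROGRAM_MINVERSION=$((PROGRAM_LV - 10))`, `RELEASE_PLUS_TIMEDIFF=$((PROGRAM_RELEASE_TIMESTAMP + TIME_DIFFERENCE_CHECK))` and `N_PLUGIN=$((N_PLUGIN + 1))`, with N_PLUGIN_ENABLED changed the same way.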