Use -n instead of ! -z

Michael Boelen 2019-07-16 13:20:30 +02:00
parent 2777caf6d2
commit fa8bad20db
No known key found for this signature in database
GPG Key ID: 26141F77A09D7F04
45 changed files with 407 additions and 407 deletions


@ -49,7 +49,7 @@
# Test if our PATH variable provides a set of paths. If so, reverse the order. If we discover the same binary
# multiple times, the one first in PATH should be used.
if [ ! -z "${PATH}" ]; then
if [ -n "${PATH}" ]; then
PATH_REVERSED=$(echo ${PATH} | awk -F: '{ for (i=NF; i>1; i--) printf("%s ",$i); print $1; }')
BIN_PATHS=$(echo "${PATH_REVERSED}" | tr ':' ' ')
fi
@ -84,7 +84,7 @@
LogText "Result: directory exists, but is actually a symlink"
ShowSymlinkPath ${SCANDIR}
if [ ${FOUNDPATH} -eq 1 ]; then
if [ ! -z "${SYMLINK}" -a -d ${SYMLINK} ]; then
if [ -n "${SYMLINK}" -a -d ${SYMLINK} ]; then
# Set path to new location
LogText "Result: found the path behind this symlink (${SCANDIR} --> ${sFILE})"
ORGPATH="${SCANDIR}"
@ -100,7 +100,7 @@
# Add a space to make sure we discover a related directory if it was already scanned
# The grep -v is to prevent a match /usr/bin in something like /usr/bin/core_perl
FIND=$(echo ${BINARY_PATHS_FOUND} | grep ", ${SCANDIR}" | grep -v ", ${SCANDIR}/")
if [ ! -z "${FIND}" ]; then
if [ -n "${FIND}" ]; then
SKIPDIR=1; LogText "Result: Skipping this directory as it was already scanned"
fi
@ -273,7 +273,7 @@
done
else
LogText "Result: Directory ${SCANDIR} skipped"
if [ ! -z "${ORGPATH}" ]; then TEXT="${ORGPATH} (links to ${SCANDIR})"; else TEXT="${SCANDIR}"; fi
if [ -n "${ORGPATH}" ]; then TEXT="${ORGPATH} (links to ${SCANDIR})"; else TEXT="${SCANDIR}"; fi
fi
else
LogText "Result: Directory ${SCANDIR} does NOT exist"
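Review bot: In the @ -84 hunk the rewritten test `[ -n "${SYMLINK}" -a -d ${SYMLINK} ]` still joins two checks with `-a` and leaves the second `${SYMLINK}` unquoted, so a symlink target containing whitespace or glob characters is split before `-d` sees it and `[` can fail with an error instead of returning false. POSIX marks `-a`/`-o` as obsolescent because parsing becomes ambiguous when an operand looks like an operator; `if [ -n "${SYMLINK}" ] && [ -d "${SYMLINK}" ]; then` avoids both problems. The same `-a`/`-o` form is kept in later sections of this commit (the HOSTID, IsRunning, DETAILS and auditd PREQS_MET tests) and could be split the same way. The enclosing block starts and ends outside the hunk.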


@ -267,16 +267,16 @@
if [ ${RUN_UPDATE_CHECK} -eq 1 ]; then
LYNIS_LV_RECORD="lynis-latest-version.cisofy.com."
FIND=$(which dig 2> /dev/null | grep -v "no [^ ]* in")
if [ ! -z "${FIND}" ]; then
if [ -n "${FIND}" ]; then
PROGRAM_LV=$(dig +short +time=3 -t txt lynis-latest-version.cisofy.com 2> /dev/null | grep -v "connection timed out" | sed 's/[".]//g' | grep "^[1-9][0-9][0-9]$")
else
FIND=$(which host 2> /dev/null | grep -v "no [^ ]* in ")
if [ ! -z "${FIND}" ]; then
if [ -n "${FIND}" ]; then
PROGRAM_LV=$(host -t txt -W 3 lynis-latest-version.cisofy.com 2> /dev/null | grep -v "connection timed out" | awk '{ if ($1=="lynis-latest-version.cisofy.com" && $3=="text") { print $4 }}' | sed 's/"//g' | grep "^[1-9][0-9][0-9]$")
if [ "${PROGRAM_LV}" = "" ]; then PROGRAM_LV=0; fi
else
FIND=$(which drill 2> /dev/null | grep -v "no [^ ]* in ")
if [ ! -z "${FIND}" ]; then
if [ -n "${FIND}" ]; then
PROGRAM_LV=$(drill txt ${LYNIS_LV_RECORD} | awk '{ if ($1=="lynis-latest-version.cisofy.com." && $4=="TXT") { print $5 }}' | tr -d '"' | grep "^[1-9][0-9][0-9]$")
if [ -z "${PROGRAM_LV}" ]; then PROGRAM_LV=0; fi
else
@ -530,7 +530,7 @@
fi
fi
if [ ! -z "${TEXT}" ]; then
if [ -n "${TEXT}" ]; then
SHOW=0
if [ ${SHOW_WARNINGS_ONLY} -eq 1 ]; then
if [ "${RESULT}" = "WARNING" ]; then SHOW=1; fi
@ -571,7 +571,7 @@
${ECHOCMD} ""
${ECHOCMD} "${WARNING}Error${NORMAL}: ${BOLD}$1${NORMAL}"
${ECHOCMD} ""
if [ ! -z "${EXITCODE}" ]; then ExitCustom ${EXITCODE}; fi
if [ -n "${EXITCODE}" ]; then ExitCustom ${EXITCODE}; fi
}
@ -747,12 +747,12 @@
exitcode=1
file=$1
find=""
if [ ! -z "${DPKGBINARY}" ]; then
if [ -n "${DPKGBINARY}" ]; then
find=$(${DPKGBINARY} -S "${file}" 2> /dev/null | ${AWKBINARY} -F: '{print $1}')
elif [ ! -z "${RPMBINARY}" ]; then
elif [ -n "${RPMBINARY}" ]; then
find=$(${RPMBINARY} -qf "${file}" 2> /dev/null | ${AWKBINARY} -F- '{print $1}')
fi
if [ ! -z "${find}" ]; then
if [ -n "${find}" ]; then
LogText "Result: file '${file}' belongs to package (${find})"
exitcode=0
else
@ -805,7 +805,7 @@
# Check for symlink
if [ -L "${escaped_file}" ]; then
ShowSymlinkPath ${escaped_file}
if [ ! -z "${SYMLINK}" ]; then escaped_file="${SYMLINK}"; fi
if [ -n "${SYMLINK}" ]; then escaped_file="${SYMLINK}"; fi
fi
# Only check the file if it isn't a symlink (after previous check)
@ -863,7 +863,7 @@
return 2
fi
if [ ! -z "${HOSTID}" -a ! -z "${HOSTID2}" ]; then
if [ -n "${HOSTID}" -a -n "${HOSTID2}" ]; then
Debug "Skipping creation of host identifiers, as they are already configured (via profile)"
return 2
fi
@ -936,7 +936,7 @@
"HP-UX")
FIND=$(nwmgr -q info -c lan0 2> /dev/null | awk '{ if ($1=="MAC" && $2=="Address") { print $4 }}')
if HasData "${FIND}"; then
if [ ! -z "${OPENSSLBINARY}" ]; then
if [ -n "${OPENSSLBINARY}" ]; then
HOSTID=$(echo ${FIND} | ${OPENSSLBINARY} sha -sha1 | awk '{ print $2 }')
else
ReportException "GetHostID" "No openssl binary available on this HP-UX system"
@ -954,7 +954,7 @@
# ip -br link show up | sort | awk '$2=="UP" && $3 ~ /^[a-f0-9][a-f0-9]:/ {print $3}'
# Use ifconfig
if [ ! -z "${IFCONFIGBINARY}" ]; then
if [ -n "${IFCONFIGBINARY}" ]; then
# Determine if we have the eth0 interface (not all Linux distro have this, e.g. Arch)
HASETH0=$(${IFCONFIGBINARY} | grep "^eth0")
# Check if we can find it with HWaddr on the line
@ -982,7 +982,7 @@
fi
fi
elif [ ! -z "${IPBINARY}" ]; then
elif [ -n "${IPBINARY}" ]; then
# Determine if we have the common available eth0 interface
FIND=$(${IPBINARY} addr show eth0 2> /dev/null | egrep "link/ether " | head -1 | awk '{ print $2 }' | tr '[:upper:]' '[:lower:]')
if IsEmpty "${FIND}"; then
@ -1015,10 +1015,10 @@
ReportException "GetHostID" "No MAC address returned on macOS"
fi
LYNIS_HOSTID2_PART1=$(hostname -s)
if [ ! -z "${LYNIS_HOSTID2_PART1}" ]; then
if [ -n "${LYNIS_HOSTID2_PART1}" ]; then
LogText "Info: using hostname ${LYNIS_HOSTID2_PART1}"
LYNIS_HOSTID2_PART2=$(sysctl -n kern.uuid 2> /dev/null)
if [ ! -z "${LYNIS_HOSTID2_PART2}" ]; then
if [ -n "${LYNIS_HOSTID2_PART2}" ]; then
LogText "Info: using UUID ${LYNIS_HOSTID2_PART2}"
else
LogText "Info: could not create HOSTID2 as kern.uuid sysctl key is missing"
@ -1143,17 +1143,17 @@
fi
STRING_TO_HASH=""
if [ ${FOUND} -eq 1 -a ! -z "${DATA_SSH}" ]; then
if [ ${FOUND} -eq 1 -a -n "${DATA_SSH}" ]; then
LogText "Using SSH public key to create the second host identifier"
STRING_TO_HASH="${DATA_SSH}"
else
if [ ! -z "${MACHINEID}" ]; then
if [ -n "${MACHINEID}" ]; then
LogText "Using the machine ID to create the second host identifier"
STRING_TO_HASH="${MACHINEID}"
fi
fi
# Check if we have a string to turn into a host identifier
if [ ! -z "${STRING_TO_HASH}" ]; then
if [ -n "${STRING_TO_HASH}" ]; then
# Create hashes
if [ ! "${SHA256SUMBINARY}" = "" ]; then
HASH2=$(echo ${STRING_TO_HASH} | ${SHA256SUMBINARY} | awk '{ print $1 }')
@ -1172,7 +1172,7 @@
if [ -z "${HOSTID}" ]; then
ReportException "GetHostID" "No unique host identifier could be created."
return 1
elif [ ! -z "${HOSTID2}" ]; then
elif [ -n "${HOSTID2}" ]; then
return 0
fi
}
@ -1228,7 +1228,7 @@
HasData() {
if [ $# -eq 1 ]; then
if [ ! -z "$1" ]; then return 0; else return 1; fi
if [ -n "$1" ]; then return 0; else return 1; fi
else
ExitFatal "Function HasData called without parameters - look in log to determine where this happened, or use sh -x lynis to see all details."
fi
@ -1386,7 +1386,7 @@
if [ -z "${search}" ]; then ExitFatal "Missing process to search for when using IsRunning function"; fi
RUNNING=0
# AIX does not fully support pgrep options, so using ps instead
if [ ! -z "${PGREPBINARY}" -a ! "${OS}" = "AIX" ]; then
if [ -n "${PGREPBINARY}" -a ! "${OS}" = "AIX" ]; then
FIND=$(${PGREPBINARY} ${pgrep_options} "${search}" | ${TRBINARY} '\n' ' ')
else
if [ -z "${PSOPTIONS}" ]; then
@ -1402,7 +1402,7 @@
FIND=$(${PSBINARY} ${PSOPTIONS} | egrep "( |/)${search}" | grep -v "grep")
fi
if [ ! -z "${FIND}" ]; then
if [ -n "${FIND}" ]; then
RUNNING=1
LogText "IsRunning: process '${search}' found (${FIND})"
return 0
@ -1421,7 +1421,7 @@
IsNotebook() {
FIND=$(which laptop-detect 2> /dev/null | grep -v "no [^ ]* in ")
if [ ! -z "${FIND}" ]; then
if [ -n "${FIND}" ]; then
Debug "Testing if we are a notebook"
laptop-detect
if [ $? -eq 0 ]; then SYSTEM_IS_NOTEBOOK=1; Debug "System is a notebook according to laptop-detect"
@ -1535,7 +1535,7 @@
if [ -x /usr/bin/systemd-detect-virt ]; then
LogText "Test: trying to guess virtualization technology with systemd-detect-virt"
FIND=$(/usr/bin/systemd-detect-virt)
if [ ! -z "${FIND}" ]; then
if [ -n "${FIND}" ]; then
LogText "Result: found ${FIND}"
SHORT="${FIND}"
fi
@ -1552,7 +1552,7 @@
if [ -x /usr/bin/lscpu ]; then
LogText "Test: trying to guess virtualization with lscpu"
FIND=$(lscpu | grep -i "^Hypervisor Vendor" | awk -F: '{ print $2 }' | sed 's/ //g')
if [ ! -z "${FIND}" ]; then
if [ -n "${FIND}" ]; then
LogText "Result: found ${FIND}"
SHORT="${FIND}"
else
@ -1576,7 +1576,7 @@
if [ ! "${DMIDECODE_BINARY}" = "" -a ${PRIVILEGED} -eq 1 ]; then
LogText "Test: trying to guess virtualization with dmidecode"
FIND=$(/usr/sbin/dmidecode -s system-product-name | awk '{ print $1 }')
if [ ! -z "${FIND}" ]; then
if [ -n "${FIND}" ]; then
LogText "Result: found ${FIND}"
SHORT="${FIND}"
else
@ -1820,24 +1820,24 @@
Fatal "Incorrect usage of PackageIsInstalled function"
fi
if [ ! -z "${DNFBINARY}" ]; then
if [ -n "${DNFBINARY}" ]; then
output=$(${DNFBINARY} --quiet --cacheonly --noplugins --assumeno info --installed ${package} > /dev/null 2>&1)
exit_code=$?
elif [ ! -z "${DPKGBINARY}" ]; then
elif [ -n "${DPKGBINARY}" ]; then
output=$(${DPKGBINARY} -l ${package} 2> /dev/null | ${GREPBINARY} "^ii")
exit_code=$?
elif [ ! -z "${EQUERYBINARY}" ]; then
elif [ -n "${EQUERYBINARY}" ]; then
output=$(${EQUERYBINARY} --quiet ${package} > /dev/null 2>&1)
exit_code=$? # 0=package installed, 3=package not installed
elif [ ! -z "${PKG_BINARY}" ]; then
elif [ -n "${PKG_BINARY}" ]; then
output=$(${PKG_BINARY} -N info ${package} >/dev/null 2>&1)
exit_code=$? # 0=package installed, 70=invalid package
elif [ ! -z "${RPMBINARY}" ]; then
elif [ -n "${RPMBINARY}" ]; then
output=$(${RPMBINARY} --quiet -q ${package} > /dev/null 2>&1)
exit_code=$?
elif [ ! -z "${ZYPPERBINARY}" ]; then
elif [ -n "${ZYPPERBINARY}" ]; then
output=$(${ZYPPERBINARY} --quiet --non-interactive search --installed -i ${PACKAGE} 2> /dev/null | grep "^i")
if [ ! -z "${output}" ]; then exit_code=0; else exit_code=1; fi
if [ -n "${output}" ]; then exit_code=0; else exit_code=1; fi
else
ReportException "PackageIsInstalled:01"
fi
@ -2363,7 +2363,7 @@
if [ ${SKIPTEST} -eq 0 -a "${TEST_WEIGHT}" = "M" -a "${SCAN_TEST_MEDIUM}" = "NO" ]; then SKIPTEST=1; SKIPREASON="Test to system intensive for scan mode (M)"; fi
# Test if our OS is the same as the requested OS (can be multiple values)
if [ ${SKIPTEST} -eq 0 -a ! -z "${TEST_NEED_OS}" ]; then
if [ ${SKIPTEST} -eq 0 -a -n "${TEST_NEED_OS}" ]; then
HASMATCH=0
for I in ${TEST_NEED_OS}; do
if [ "${I}" = "${OS}" ]; then HASMATCH=1; fi
@ -2375,12 +2375,12 @@
fi
# Skip test when it belongs to another category (default is 'all')
if [ ${SKIPTEST} -eq 0 -a ! -z "${TEST_CATEGORY_TO_CHECK}" -a ! "${TEST_CATEGORY_TO_CHECK}" = "all" -a ! "${TEST_CATEGORY}" = "${TEST_CATEGORY_TO_CHECK}" ]; then
if [ ${SKIPTEST} -eq 0 -a -n "${TEST_CATEGORY_TO_CHECK}" -a ! "${TEST_CATEGORY_TO_CHECK}" = "all" -a ! "${TEST_CATEGORY}" = "${TEST_CATEGORY_TO_CHECK}" ]; then
SKIPTEST=1; SKIPREASON="Incorrect category (${TEST_CATEGORY_TO_CHECK} only)"
fi
# Check for correct hardware platform
if [ ${SKIPTEST} -eq 0 -a ! -z "${TEST_NEED_PLATFORM}" -a ! "${HARDWARE}" = "${TEST_NEED_PLATFORM}" ]; then SKIPTEST=1; SKIPREASON="Incorrect hardware platform"; fi
if [ ${SKIPTEST} -eq 0 -a -n "${TEST_NEED_PLATFORM}" -a ! "${HARDWARE}" = "${TEST_NEED_PLATFORM}" ]; then SKIPTEST=1; SKIPREASON="Incorrect hardware platform"; fi
# Not all prerequisites met, like missing tool
if [ ${SKIPTEST} -eq 0 -a "${PREQS_MET}" = "NO" ]; then SKIPTEST=1; if [ -z "${SKIPREASON}" ]; then SKIPREASON="Prerequisites not met (ie missing tool, other type of Linux distribution)"; fi; fi
@ -2462,7 +2462,7 @@
# Remove PID file
RemovePIDFile() {
# Test if PIDFILE is defined, before checking file presence
if [ ! -z "${PIDFILE}" ]; then
if [ -n "${PIDFILE}" ]; then
if [ -f "${PIDFILE}" ]; then
rm -f "${PIDFILE}"
LogText "PID file removed (${PIDFILE})"
@ -2486,7 +2486,7 @@
for FILE in ${TEMP_FILES}; do
# Temporary files should be in /tmp
TMPFILE=$(echo ${FILE} | egrep "^/tmp/lynis" | grep -v "\.\.")
if [ ! -z "${TMPFILE}" ]; then
if [ -n "${TMPFILE}" ]; then
if [ -f "${TMPFILE}" ]; then
LogText "Action: removing temporary file ${TMPFILE}"
rm -f "${TMPFILE}"
@ -2887,7 +2887,7 @@
# Check if we can find the main type (with or without brackets)
LogText "Test: search string ${STRING} in file ${FILE}"
FIND=$(egrep "${STRING}" ${FILE})
if [ ! -z "${FIND}" ]; then
if [ -n "${FIND}" ]; then
LogText "Result: found search string '${STRING}'"
if [ ${MASK_LOG} -eq 0 ]; then LogText "Full string returned: ${FIND}"; fi
RETVAL=0
@ -3285,7 +3285,7 @@
################################################################################
ViewGroups() {
if [ ! -z "${INCLUDEDIR}" ]; then
if [ -n "${INCLUDEDIR}" ]; then
for I in $(ls ${INCLUDEDIR}/tests_* | xargs -n 1 basename | sed 's/tests_//' | grep -v "custom.template"); do
echo "${I}"
done
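Review bot: In the PackageIsInstalled hunk (@ -1820) the zypper branch queries `${PACKAGE}` in upper case while every other branch uses `${package}`; unless an upper-case variable is set outside the hunk, zypper is likely called without a package name and the `-n "${output}"` test then reports a match for whatever it lists. The line should probably read `output=$(${ZYPPERBINARY} --quiet --non-interactive search --installed -i ${package} 2> /dev/null | grep "^i")`. The final `else` branch also calls ReportException without assigning `exit_code`, so a value left from an earlier call may be reused; `exit_code=1` there would make the fallback explicit. The function continues outside the hunk, so how `exit_code` is consumed is not visible here.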


@ -59,11 +59,11 @@ fi
IS_ALPINE=$(echo ${IMAGE} | grep -i alpine)
IS_LATEST=$(echo ${TAG} | grep -i latest)
if [ ! -z "${IS_DEBIAN}" ]; then IMAGE="debian"; fi
if [ ! -z "${IS_FEDORA}" ]; then IMAGE="fedora"; fi
if [ ! -z "${IS_UBUNTU}" ]; then IMAGE="ubuntu"; fi
if [ ! -z "${IS_ALPINE}" ]; then IMAGE="alpine"; fi
if [ ! -z "${IS_LATEST}" ]; then
if [ -n "${IS_DEBIAN}" ]; then IMAGE="debian"; fi
if [ -n "${IS_FEDORA}" ]; then IMAGE="fedora"; fi
if [ -n "${IS_UBUNTU}" ]; then IMAGE="ubuntu"; fi
if [ -n "${IS_ALPINE}" ]; then IMAGE="alpine"; fi
if [ -n "${IS_LATEST}" ]; then
ReportWarning "dockerfile" "latest TAG used. Specifying a targeted OS image and version is better for reproducible results."
fi
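Review bot: `echo ${IMAGE} | grep -i alpine` and `echo ${TAG} | grep -i latest` expand their values unquoted, so whitespace and glob characters in the image reference are split or expanded against the working directory before grep runs; if these values are parsed from the Dockerfile under review, file content decides what is tested. Quoting is enough: `IS_ALPINE=$(echo "${IMAGE}" | grep -i alpine)`. The tests are also substring matches, so an image whose name merely contains `debian` or `alpine` is rewritten to that base name; a comment stating that this is intended would help. Where IMAGE and TAG are assigned is outside the hunk.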


@ -154,7 +154,7 @@ if [ $# -gt 0 ]; then
# Check also for gzipped changelog
elif [ -f ${FILEPATH}/changelog.gz ]; then
ZCAT=$(which zcat 2> /dev/null | grep -v "no [^ ]* in ")
if [ ! -z "${ZCAT}" ]; then
if [ -n "${ZCAT}" ]; then
CreateTempFile
CHANGELOG="${TEMP_FILE}"
LogText "Result: found gzipped changelog in ${FILEPATH}"
@ -164,9 +164,9 @@ if [ $# -gt 0 ]; then
DisplayError "Could not find zcat utility to use on gzipped changelog"
fi
fi
if [ ! -z "${CHANGELOG}" ]; then LogText "Result: found changelog file: ${CHANGELOG}"; break; fi
if [ -n "${CHANGELOG}" ]; then LogText "Result: found changelog file: ${CHANGELOG}"; break; fi
done
if [ ! -z "${CHANGELOG}" ]; then
if [ -n "${CHANGELOG}" ]; then
SEARCH=$(sed 's/^## //' ${CHANGELOG} | grep -E "^${PROGRAM_NAME} ${SEARCH_VERSION}")
if [ $? -eq 0 ]; then
while read -r LINE; do
@ -358,7 +358,7 @@ if [ $# -gt 0 ]; then
VALUE=$(echo ${LINE} | awk -F';' '{print $2}')
DESCRIPTION=$(echo ${LINE} | awk -F';' '{print $3}' | sed 's/:space:/ /g')
if [ -z "${VALUE}" -a ${CONFIGURED_ONLY_OUTPUT} -eq 0 ]; then VALUE="${GRAY}[not configured]${NORMAL}"; fi
if [ ! -z "${VALUE}" ]; then
if [ -n "${VALUE}" ]; then
if [ ${BRIEF_OUTPUT} -eq 0 ]; then ${ECHOCMD} "${GRAY}# ${DESCRIPTION}${NORMAL}"; fi
${ECHOCMD} "${WHITE}${SETTING}${NORMAL}=${CYAN}${VALUE}${NORMAL}"
if [ ${BRIEF_OUTPUT} -eq 0 ]; then ${ECHOCMD} ""; fi
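Review bot: In the @ -164 hunk `grep -E "^${PROGRAM_NAME} ${SEARCH_VERSION}"` uses the requested version as a regular expression, so each `.` matches any character (a constructed example: `2.7` would also match a line starting with `217`). If an exact version lookup is intended, escaping the dots first would fix this, for example `SEARCH_VERSION_RE=$(echo "${SEARCH_VERSION}" | sed 's/\./\\./g')` and then `grep -E "^${PROGRAM_NAME} ${SEARCH_VERSION_RE}"`. `${CHANGELOG}` is also passed to `sed` unquoted on the same line, right after the quoted `-n` test. How SEARCH_VERSION is set is outside the hunk.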


@ -139,7 +139,7 @@
# Generic
if [ -e /etc/os-release ]; then
OS_ID=$(grep "^ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
if [ ! -z "${OS_ID}" ]; then
if [ -n "${OS_ID}" ]; then
case ${OS_ID} in
"arch")
LINUX_VERSION="Arch Linux"
@ -513,14 +513,14 @@
EOL=255
EOL_DATE=""
EOL_TIMESTAMP=0
if [ ! -z "${OS_VERSION}" ]; then
if [ -n "${OS_VERSION}" ]; then
if [ -f "${DBDIR}/software-eol.db" ]; then
FIND="${OS_FULLNAME}"
EOL_TIMESTAMP=$(awk -v value="${FIND}" -F: '{if ($1=="os" && value ~ $2){print $4}}' ${DBDIR}/software-eol.db | head -n 1)
if [ ! -z "${EOL_TIMESTAMP}" ]; then
if [ -n "${EOL_TIMESTAMP}" ]; then
EOL_DATE=$(awk -v value="${FIND}" -F: '{if ($1=="os" && value ~ $2){print $3}}' ${DBDIR}/software-eol.db | head -n 1)
NOW=$(date "+%s")
if [ ! -z "${NOW}" ]; then
if [ -n "${NOW}" ]; then
if [ ${NOW} -gt ${EOL_TIMESTAMP} ]; then
EOL=1
else
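Review bot: The `-n` guards in the @ -513 hunk only show that `EOL_TIMESTAMP` and `NOW` are non-empty, yet both go straight into the numeric test `[ ${NOW} -gt ${EOL_TIMESTAMP} ]`. A malformed field in software-eol.db, or a `date` that does not implement `+%s`, yields a non-numeric string; the comparison then errors out and control falls into the `else` branch, whose body is outside the hunk. A digit check ahead of the `-n "${NOW}"` test would handle this, e.g. `case "${NOW}${EOL_TIMESTAMP}" in *[!0-9]*) NOW="" ;; esac`.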


@ -77,7 +77,7 @@
# Is Lynis Enterprise allowed to purge this system when it is becomes outdated?
allow-auto-purge)
FIND=$(echo "${VALUE}" | egrep "^(1|true|yes)$")
if [ ! -z "${FIND}" ]; then
if [ -n "${FIND}" ]; then
Report "allow-auto-purge=1"
else
Report "allow-auto-purge=0"
@ -110,7 +110,7 @@
# Quick mode (SKIP_PLUGINS) might already be set outside profile, so store in different variable
SETTING_COLORS=1 # default is yes
FIND=$(echo "${VALUE}" | egrep "^(0|false|no)$") && COLORS=0
if [ ! -z "${FIND}" ]; then SETTING_COLORS=0; RemoveColors; fi
if [ -n "${FIND}" ]; then SETTING_COLORS=0; RemoveColors; fi
Debug "Colors set to ${SETTING_COLORS}"
AddSetting "colors" "${SETTING_COLORS}" "Colored screen output"
unset SETTING_COLORS
@ -204,7 +204,7 @@
;;
hostalias | host-alias)
if [ ! -z "${VALUE}" ]; then Report "hostname_alias=${VALUE}"; fi
if [ -n "${VALUE}" ]; then Report "hostname_alias=${VALUE}"; fi
;;
hostid)
@ -223,13 +223,13 @@
# Language
language | lang)
LogText "Language set via profile to '${VALUE}'"
if [ ! -z "${VALUE}" ]; then LANGUAGE="${VALUE}"; fi
if [ -n "${VALUE}" ]; then LANGUAGE="${VALUE}"; fi
AddSetting "language" "${LANGUAGE}" "Language"
;;
# Lynis Enterprise license key
license-key | license_key)
if [ ! -z "${VALUE}" ]; then
if [ -n "${VALUE}" ]; then
LICENSE_KEY="${VALUE}"
Report "license_key=${VALUE}"
fi
@ -291,7 +291,7 @@
# Quick mode might already be set outside profile, so store in different variable
SETTING_QUICK_MODE=1 # default is yes
FIND=$(echo "${VALUE}" | egrep "^(0|false|no)$") && QUICKMODE=0
if [ ! -z "${FIND}" ]; then SETTING_QUICK_MODE=1; fi
if [ -n "${FIND}" ]; then SETTING_QUICK_MODE=1; fi
Debug "Quickmode set to ${SETTING_QUICK_MODE}"
AddSetting "quick" "${SETTING_QUICK_MODE}" "Quick mode (non-interactive)"
;;
@ -300,7 +300,7 @@
refresh-repositories)
SETTING_REFRESH_REPOSITORIES=1 # default is yes
FIND=$(echo "${VALUE}" | egrep "^(0|false|no)$") && REFRESH_REPOSITORIES=0
if [ ! -z "${FIND}" ]; then SETTING_REFRESH_REPOSITORIES=0; fi
if [ -n "${FIND}" ]; then SETTING_REFRESH_REPOSITORIES=0; fi
Debug "Refreshing repositories set to ${SETTING_REFRESH_REPOSITORIES}"
AddSetting "refresh-repositories" "${SETTING_REFRESH_REPOSITORIES}" "Refresh repositories (for vulnerable package detection)"
;;
@ -309,7 +309,7 @@
show-report-solution)
SETTING_SHOW_REPORT_SOLUTION=${SHOW_REPORT_SOLUTION}
FIND=$(echo "${VALUE}" | egrep "^(0|false|no)$") && SHOW_REPORT_SOLUTION=0
if [ ! -z "${FIND}" ]; then SETTING_SHOW_REPORT_SOLUTION=0; fi
if [ -n "${FIND}" ]; then SETTING_SHOW_REPORT_SOLUTION=0; fi
Debug "Show report details (solution) set to ${SETTING_SHOW_REPORT_SOLUTION}"
;;
@ -317,7 +317,7 @@
show_tool_tips | show-tool-tips)
SETTING_SHOW_TOOL_TIPS=1 # default is yes
FIND=$(echo "${VALUE}" | egrep "^(0|false|no)$") && SHOW_TOOL_TIPS=0
if [ ! -z "${FIND}" ]; then SETTING_SHOW_TOOL_TIPS=0; fi
if [ -n "${FIND}" ]; then SETTING_SHOW_TOOL_TIPS=0; fi
Debug "Show tool tips set to ${SETTING_SHOW_TOOL_TIPS}"
AddSetting "show-tool-tips" "${SETTING_SHOW_TOOL_TIPS}" "Show tool tips"
;;
@ -336,7 +336,7 @@
# Skip plugins (SKIP_PLUGINS) might already be set, so store in different variable
SETTING_SKIP_PLUGINS=0 # default is no
FIND=$(echo "${VALUE}" | egrep "^(1|true|yes)$") && SKIP_PLUGINS=1
if [ ! -z "${FIND}" ]; then SETTING_SKIP_PLUGINS=1; fi
if [ -n "${FIND}" ]; then SETTING_SKIP_PLUGINS=1; fi
Debug "Skip plugins is set to ${SETTING_SKIP_PLUGINS}"
AddSetting "skip-plugins" "${SETTING_SKIP_PLUGINS}" "Skip plugins"
;;
@ -374,17 +374,17 @@
# The name of the customer/client that uses this system
system-customer-name)
if [ ! -z "${VALUE}" ]; then Report "system-customer-name=${VALUE}"; fi
if [ -n "${VALUE}" ]; then Report "system-customer-name=${VALUE}"; fi
;;
# The groups linked to a system (system-groups=customers,webservers,production)
system-groups)
if [ ! -z "${VALUE}" ]; then Report "system-groups=${VALUE}"; fi
if [ -n "${VALUE}" ]; then Report "system-groups=${VALUE}"; fi
;;
# Tags (tags=db,production,ssn-1304)
tags)
if [ ! -z "${VALUE}" ]; then Report "tags=${VALUE}"; fi
if [ -n "${VALUE}" ]; then Report "tags=${VALUE}"; fi
;;
# Define what kind of scan we are performing
@ -399,7 +399,7 @@
upload)
SETTING_UPLOAD=no # default
FIND=$(echo "${VALUE}" | egrep "^(1|true|yes)$") && UPLOAD_DATA=1
if [ ! -z "${FIND}" ]; then SETTING_UPLOAD=1; fi
if [ -n "${FIND}" ]; then SETTING_UPLOAD=1; fi
Debug "Upload set to ${SETTING_UPLOAD}"
AddSetting "upload" "${SETTING_UPLOAD}" "Data upload after scanning"
unset SETTING_UPLOAD
@ -499,12 +499,12 @@
#################################################################################
#
SKIP_TESTS=$(echo ${SKIP_TESTS} | sed "s/^ //")
if [ ! -z "${SKIP_TESTS}" ]; then LogText "Skip tests: ${SKIP_TESTS}"; fi
if [ -n "${SKIP_TESTS}" ]; then LogText "Skip tests: ${SKIP_TESTS}"; fi
#
#################################################################################
#
# Add group name to report - deprecated
if [ ! -z "${GROUP_NAME}" ]; then Report "group=${GROUP_NAME}"; fi
if [ -n "${GROUP_NAME}" ]; then Report "group=${GROUP_NAME}"; fi
#
#################################################################################
#
@ -531,7 +531,7 @@
#
#################################################################################
#
if [ ! -z "${DEPRECATED_OPTION}" ]; then
if [ -n "${DEPRECATED_OPTION}" ]; then
ReportWarning "LYNIS" "One or more deprecated options used" "${DEPRECATED_OPTION}" "Update your profile"
fi
#
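Review bot: In the quick-mode hunk (@ -291) the branch that matches `^(0|false|no)$` sets `SETTING_QUICK_MODE=1`, the same value as the default, so the Debug line and AddSetting record quick mode as on even when the profile turns it off; the sibling options (colors, refresh-repositories, show-tool-tips) set their SETTING_ variable to 0 at this point. The line should probably be `if [ -n "${FIND}" ]; then SETTING_QUICK_MODE=0; fi`. The upload hunk (@ -399) has a related inconsistency: the default is the string `no` while the enabled value is `1`, so `SETTING_UPLOAD=0` as the default would keep the recorded setting uniform.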


@ -31,7 +31,7 @@
Report "firewall_empty_ruleset=${FIREWALL_EMPTY_RULESET}"
Report "firewall_installed=${FIREWALL_ACTIVE}"
if [ ! -z "${INSTALLED_PACKAGES}" ]; then Report "installed_packages_array=${INSTALLED_PACKAGES}"; fi
if [ -n "${INSTALLED_PACKAGES}" ]; then Report "installed_packages_array=${INSTALLED_PACKAGES}"; fi
Report "package_audit_tool=${PACKAGE_AUDIT_TOOL}"
Report "package_audit_tool_found=${PACKAGE_AUDIT_TOOL_FOUND}"
@ -139,7 +139,7 @@
done
IS_CUSTOM=$(echo ${ADDLINK} | grep "^CUST")
echo " ${RED}!${NORMAL} ${SHOWWARNING}"
if [ ! "${DETAILS}" = "-" -a ! -z "${DETAILS}" ]; then echo " - Details : ${CYAN}${DETAILS}${NORMAL}"; fi
if [ ! "${DETAILS}" = "-" -a -n "${DETAILS}" ]; then echo " - Details : ${CYAN}${DETAILS}${NORMAL}"; fi
if [ ${SHOW_REPORT_SOLUTION} -eq 1 -a ! "${SOLUTION}" = "-" ]; then echo " - Solution : ${SOLUTION}"; fi
if [ -z "${IS_CUSTOM}" ]; then
echo " ${CONTROL_URL_PROTOCOL}://${CONTROL_URL_PREPEND}${ADDLINK}${CONTROL_URL_APPEND}"
@ -172,7 +172,7 @@
done
IS_CUSTOM=$(echo ${ADDLINK} | grep "^CUST")
echo " ${YELLOW}*${NORMAL} ${SHOWSUGGESTION}"
if [ ! "${DETAILS}" = "-" -a ! -z "${DETAILS}" ]; then echo " - Details : ${CYAN}${DETAILS}${NORMAL}"; fi
if [ ! "${DETAILS}" = "-" -a -n "${DETAILS}" ]; then echo " - Details : ${CYAN}${DETAILS}${NORMAL}"; fi
if [ ${SHOW_REPORT_SOLUTION} -eq 1 -a ! "${SOLUTION}" = "-" ]; then echo " - Solution : ${SOLUTION}"; fi
if [ -z "${IS_CUSTOM}" ]; then
echo " ${GRAY}${CONTROL_URL_PROTOCOL}://${CONTROL_URL_PREPEND}${ADDLINK}${CONTROL_URL_APPEND}${NORMAL}"


@ -105,7 +105,7 @@
if [ -f ${ROOTDIR}etc/default/sysstat ]; then
LogText "Result: ${ROOTDIR}etc/default/sysstat found"
FIND=$(${GREPBINARY} "^ENABLED" ${ROOTDIR}etc/default/sysstat | ${GREPBINARY} -i true)
if [ ! -z "${FIND}" ]; then
if [ -n "${FIND}" ]; then
LogText "Result: sysstat enabled via ${ROOTDIR}etc/default/sysstat"
Display --indent 2 --text "- Checking sysstat accounting data" --result "${STATUS_ENABLED}" --color GREEN
else
@ -115,7 +115,7 @@
fi
elif [ -f ${ROOTDIR}etc/cron.d/sysstat ]; then
FIND=$(${GREPBINARY} -v '^[[:space:]]*\(#\|$\)' ${ROOTDIR}etc/cron.d/sysstat)
if [ ! -z "${FIND}" ]; then
if [ -n "${FIND}" ]; then
LogText "Result: sysstat enabled via ${ROOTDIR}etc/cron.d/sysstat"
Display --indent 2 --text "- Checking sysstat accounting data" --result "${STATUS_ENABLED}" --color GREEN
else
@ -134,7 +134,7 @@
#
# Test : ACCT-9628
# Description : Check auditd status
if [ ! -z "${AUDITDBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
if [ -n "${AUDITDBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no ACCT-9628 --os Linux --weight L --network NO --category security --description "Check for auditd"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Check auditd status"
@ -163,7 +163,7 @@
#
# Test : ACCT-9630
# Description : Check auditd rules
if [ ! -z "${AUDITDBINARY}" -a ! -z "${AUDITCTLBINARY}" -a ${LINUX_AUDITD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
if [ -n "${AUDITDBINARY}" -a -n "${AUDITCTLBINARY}" -a ${LINUX_AUDITD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no ACCT-9630 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --root-only YES --category security --description "Check for auditd rules"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking auditd rules"
@ -189,7 +189,7 @@
#
# Test : ACCT-9632
# Description : Check auditd configuration file
if [ ! -z "${AUDITDBINARY}" -a ${LINUX_AUDITD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
if [ -n "${AUDITDBINARY}" -a ${LINUX_AUDITD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no ACCT-9632 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for auditd configuration file"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking auditd configuration file"
@ -202,7 +202,7 @@
fi
done
# Check if we discovered the configuration file. It should be there is the binaries are available and process is running
if [ ! -z "${AUDITD_CONF_FILE}" ]; then
if [ -n "${AUDITD_CONF_FILE}" ]; then
Display --indent 4 --text "- Checking audit configuration file" --result "${STATUS_OK}" --color GREEN
else
LogText "Result: could not find auditd configuration file"
@ -215,12 +215,12 @@
#
# Test : ACCT-9634
# Description : Check auditd log file
if [ ! -z "${AUDITDBINARY}" -a ${LINUX_AUDITD_RUNNING} -eq 1 -a ! -z "${AUDITD_CONF_FILE}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
if [ -n "${AUDITDBINARY}" -a ${LINUX_AUDITD_RUNNING} -eq 1 -a -n "${AUDITD_CONF_FILE}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no ACCT-9634 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for auditd log file"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking auditd log file"
FIND=$(${GREPBINARY} "^log_file" ${AUDITD_CONF_FILE} | ${AWKBINARY} '{ if ($1=="log_file" && $2=="=") { print $3 } }')
if [ ! -z "${FIND}" ]; then
if [ -n "${FIND}" ]; then
LogText "Result: log file is defined"
LogText "Defined value: ${FIND}"
if [ -f ${FIND} ]; then
@ -252,7 +252,7 @@
if [ -f ${ROOTDIR}etc/ld.so.preload ]; then
LogText "Result: found ${ROOTDIR}etc/ld.so.preload, testing if snoopy.so is listed"
FIND=$(${GREPBINARY} ${FILE} ${ROOTDIR}etc/ld.so.preload)
if [ ! -z "${FIND}" ]; then
if [ -n "${FIND}" ]; then
LogText "Result: found snoopy in ld.so.preload"
LogText "Output: ${FIND}"
Display --indent 6 --text "- Library in ld.so.preload" --result "LOADED" --color GREEN
@ -298,7 +298,7 @@
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: check if auditd service is enabled and online"
FIND=$(${ROOTDIR}usr/bin/svcs svc:/system/auditd:default | ${GREPBINARY} "^online")
if [ ! -z "${FIND}" ]; then
if [ -n "${FIND}" ]; then
LogText "Result: auditd service is online"
Display --indent 4 --text "- Checking Solaris audit daemon status" --result "${STATUS_ON}"LINE --color GREEN
else
@ -317,7 +317,7 @@
LogText "Test: check if BSM is enabled in ${ROOTDIR}etc/system"
if [ -f ${ROOTDIR}etc/system ]; then
FIND=$(${GREPBINARY} 'set c2audit:audit_load = 1' ${ROOTDIR}etc/system)
if [ ! -z "${FIND}" ]; then
if [ -n "${FIND}" ]; then
LogText "Result: BSM is enabled in ${ROOTDIR}etc/system"
Display --indent 4 --text "- Checking Solaris BSM (${ROOTDIR}etc/system)" --result "${STATUS_ENABLED}" --color GREEN
else
@ -339,7 +339,7 @@
LogText "Test: check if c2audit module is active"
if [ -x ${ROOTDIR}usr/sbin/modinfo ]; then
FIND=$(${ROOTDIR}usr/sbin/modinfo | ${GREPBINARY} c2audit)
if [ ! -z "${FIND}" ]; then
if [ -n "${FIND}" ]; then
LogText "Result: c2audit found in modinfo output"
Display --indent 4 --text "- Checking Solaris BSM (modules list)" --result "${STATUS_ENABLED}" --color GREEN
else
@ -362,7 +362,7 @@
if [ -f ${ROOTDIR}etc/security/audit_control ]; then
LogText "Result: file ${ROOTDIR}etc/security/audit_control found"
FIND=$(${GREPBINARY} "^dir" ${ROOTDIR}etc/security/audit_control | ${AWKBINARY} -F: '{ print $2 }')
if [ ! -z "${FIND}" ]; then
if [ -n "${FIND}" ]; then
LogText "Result: found location ${FIND}"
LogText "Test: Checking if location is a valid directory"
if [ -d ${FIND} ]; then
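Review bot: The values that pass the new `-n "${FIND}"` tests in the @ -215 and @ -362 hunks are read from configuration files and then used unquoted in `[ -f ${FIND} ]` and `[ -d ${FIND} ]`. If the file holds more than one matching line or a path with whitespace, `[` receives several words and fails with an error, so the check result no longer reflects the configured path. Quoting (`if [ -f "${FIND}" ]; then`, `if [ -d "${FIND}" ]; then`) covers the whitespace case; several `dir:` entries in audit_control would need a loop over the lines. Both blocks continue outside their hunks.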


@ -46,7 +46,7 @@
else
FIND=$(${GREPBINARY} ':0:' ${ROOTDIR}etc/passwd | ${EGREPBINARY} -v '^#|^root:|^(\+:\*)?:0:0:::' | ${CUTBINARY} -d ":" -f1,3 | ${GREPBINARY} ':0')
fi
if [ ! -z "${FIND}" ]; then
if [ -n "${FIND}" ]; then
Display --indent 2 --text "- Administrator accounts" --result "${STATUS_WARNING}" --color RED
LogText "Result: Found more than one administrator accounts"
ReportWarning "${TEST_NO}" "Multiple users with UID 0 found in passwd file"
@ -124,7 +124,7 @@
# Test : AUTH-9216
# Description : Check /etc/group and shadow group files
# Notes : Run grpck to test group files (most likely /etc/group and shadow group files)
if [ ! -z "${GRPCKBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
if [ -n "${GRPCKBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no AUTH-9216 --preqs-met ${PREQS_MET} --weight L --network NO --root-only YES --category security --description "Check group and shadow group files"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking for grpck binary output"
@ -363,7 +363,7 @@
"macOS")
LogText "macOS real users output (ID = 0, or 500-599) using dscacheutil"
FIND_USERS=$(dscacheutil -q user | ${GREPBINARY} -A 3 -B 2 -e "^uid: 5[0-9][0-9]" | ${GREPBINARY} "^name: " | ${AWKBINARY} '{print $2}')
if [ ! -z "${FIND_USERS}" ]; then
if [ -n "${FIND_USERS}" ]; then
for FUSERNAME in ${FIND_USERS}; do
FDETAILS=$(dscacheutil -q user -a name ${FUSERNAME} | ${GREPBINARY} "^uid: " | ${AWKBINARY} '{print $2}')
FIND="${FUSERNAME},${FDETAILS} ${FIND}"
@ -397,7 +397,7 @@
else
Display --indent 2 --text "- Query system users (non daemons)" --result "${STATUS_DONE}" --color GREEN
for I in ${FIND}; do
if [ ! -z "${I}" ]; then
if [ -n "${I}" ]; then
LogText "Real user: ${I}"
Report "real_user[]=${I}"
fi
@ -419,7 +419,7 @@
else
FIND2=$(${EGREPBINARY} "^passwd_compat" ${ROOTDIR}etc/nsswitch.conf | ${GREPBINARY} "nisplus")
FIND3=$(${EGREPBINARY} "^passwd" ${ROOTDIR}etc/nsswitch.conf | ${GREPBINARY} "nisplus")
if [ ! -z "${FIND2}" -o ! -z "${FIND3}" ]; then
if [ -n "${FIND2}" -o -n "${FIND3}" ]; then
LogText "Result: NIS+ authentication enabled"
Display --indent 2 --text "- NIS+ authentication support" --result "${STATUS_ENABLED}" --color GREEN
else
@ -446,7 +446,7 @@
else
FIND2=$(${EGREPBINARY} "^passwd_compat" /etc/nsswitch.conf | ${GREPBINARY} "nis" | ${GREPBINARY} -v "nisplus")
FIND3=$(${EGREPBINARY} "^passwd" /etc/nsswitch.conf | ${GREPBINARY} "nis" | ${GREPBINARY} -v "nisplus")
if [ ! -z "${FIND2}" -o ! -z "${FIND3}" ]; then
if [ -n "${FIND2}" -o -n "${FIND3}" ]; then
LogText "Result: NIS authentication enabled"
Display --indent 2 --text "- NIS authentication support" --result "${STATUS_ENABLED}" --color GREEN
else
@ -489,7 +489,7 @@
#
# Test : AUTH-9252
# Description : Check ownership and permissions for sudo configuration files
if [ ! -z "${SUDOERS_FILE}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
if [ -n "${SUDOERS_FILE}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no AUTH-9252 --preqs-met ${PREQS_MET} --weight L --network NO --root-only YES --category security --description "Check ownership and permissions for sudo configuration files"
if [ ${SKIPTEST} -eq 0 ]; then
SUDO_CONFIG_FILES="${SUDOERS_FILE}"
@ -680,7 +680,7 @@
else
FIND=$(find ${DIR} -maxdepth 1 -type f -name "pam_*.so" -print | sort)
fi
if [ ! -z "${FIND}" ]; then FOUND=1; fi
if [ -n "${FIND}" ]; then FOUND=1; fi
for FILE in ${FIND}; do
LogText "Found file: ${FILE}"
Report "pam_module[]=${FILE}"
@ -712,7 +712,7 @@
LogText "Result: file ${FILE} exists"
LogText "Test: checking presence LDAP module"
FIND=$(${GREPBINARY} "^auth.*ldap" ${FILE})
if [ ! -z "${FIND}" ]; then
if [ -n "${FIND}" ]; then
LogText "Result: LDAP module present"
LogText "Output: ${FIND}"
LDAP_AUTH_ENABLED=1
@ -868,7 +868,7 @@
LogText "Test: collecting accounts which have an expired password (last day changed + maximum change time)"
# Skip fields with a !, *, or x, or !* (field $3 is last changed, $5 is maximum changed)
FIND=$(${EGREPBINARY} -v ":[\!\*x]([\*\!])?:" /etc/shadow | ${AWKBINARY} -v today=${DAYS_SINCE_EPOCH} -F: '{ if (($5!="") && (today>$3+$5)) { print $1 }}')
if [ ! -z "${FIND}" ]; then
if [ -n "${FIND}" ]; then
for ACCOUNT in ${FIND}; do
LogText "Result: password of user ${ACCOUNT} has been expired"
Report "account_password_expired[]=${ACCOUNT}"
@ -961,7 +961,7 @@
LogText "Test: checking presence sulogin for single user mode"
FIND=$(${EGREPBINARY} "^[a-zA-Z0-9~]+:S:(respawn|wait):/sbin/sulogin" /etc/inittab)
FIND2=$(${EGREPBINARY} "^su:S:(respawn|wait):/sbin/sulogin" /etc/inittab)
if [ ! -z "${FIND}" -o ! -z "${FIND2}" ]; then
if [ -n "${FIND}" -o -n "${FIND2}" ]; then
FOUND=1
LogText "Result: found sulogin, so single user is protected"
fi
@ -976,7 +976,7 @@
LogText "Result: file ${ROOTDIR}etc/sysconfig/init exists"
LogText "Test: checking presence sulogin for single user mode"
FIND=$(${GREPBINARY} "^SINGLE=/sbin/sulogin" ${ROOTDIR}etc/sysconfig/init)
if [ ! -z "${FIND}" ]; then
if [ -n "${FIND}" ]; then
FOUND=1
LogText "Result: found sulogin, so single user is protected"
fi
@ -1045,7 +1045,7 @@
if [ -d ${ROOTDIR}etc/profile.d ]; then
FOUND=0
FIND=$(ls ${ROOTDIR}etc/profile.d/* 2> /dev/null)
if [ ! -z "${FIND}" ]; then
if [ -n "${FIND}" ]; then
LogText "Result: found /etc/profile.d, with one or more files in it"
for FILE in ${FIND}; do
HAS_MASK=$(${GREPBINARY} umask ${FILE} | ${SEDBINARY} 's/^[ \t]*//' | ${GREPBINARY} -v "^#" | ${AWKBINARY} '{ print $2 }')
@ -1309,7 +1309,7 @@
if [ -f ${ROOTDIR}etc/default/login ]; then
LogText "Result: file ${ROOTDIR}etc/default/login exists"
FIND=$(${GREPBINARY} "^RETRIES" ${ROOTDIR}etc/default/login)
if [ ! -z "${FIND}" ]; then
if [ -n "${FIND}" ]; then
FOUND=1
LogText "Result: retries option configured"
LogText "Output: ${FIND}"
@ -1429,7 +1429,7 @@
#
# Test : AUTH-9410
# Description : Check for doas file permissions
if [ ! -z "${DOAS_FILE}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
if [ -n "${DOAS_FILE}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no AUTH-9410 --os OpenBSD --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check /etc/doas.conf file permissions"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: checking /etc/doas.conf permissions"
@ -1450,7 +1450,7 @@
Report "auth_failed_logins_logged=${AUTH_FAILED_LOGINS_LOGGED}"
Report "ldap_auth_enabled=${LDAP_AUTH_ENABLED}"
Report "ldap_pam_enabled=${LDAP_PAM_ENABLED}"
if [ ! -z "${LDAP_CLIENT_CONFIG_FILE}" ]; then Report "ldap_config_file=${LDAP_CLIENT_CONFIG_FILE}"; fi
if [ -n "${LDAP_CLIENT_CONFIG_FILE}" ]; then Report "ldap_config_file=${LDAP_CLIENT_CONFIG_FILE}"; fi
Report "password_min_days=${PASSWORD_MINIMUM_DAYS}"
Report "password_max_days=${PASSWORD_MAXIMUM_DAYS}"


@ -46,7 +46,7 @@
LogText "Test: Query bootinfo for AIX boot device"
if [ -x /usr/sbin/bootinfo ]; then
FIND=$(/usr/sbin/bootinfo -b)
if [ ! -z "${FIND}" ]; then
if [ -n "${FIND}" ]; then
LogText "Result: found boot device ${FIND}"
Display --indent 2 --text "- Checking boot device (bootinfo)" --result "${STATUS_FOUND}" --color GREEN
BOOT_LOADER="ROS"
@ -76,7 +76,7 @@
FILENAME=$(echo "${OUTPUT}" | ${AWKBINARY} '{print $1}')
LogText "Result: file on disk = ${FILENAME}"
ISFILE=$(echo ${FILENAME} | ${GREPBINARY} "^/")
if [ ! -z "${ISFILE}" ]; then
if [ -n "${ISFILE}" ]; then
if [ -L ${ISFILE} ]; then
ShowSymlinkPath ${ISFILE}
FILENAME="${SYMLINK}"
@ -86,7 +86,7 @@
LogText "Result: cmdline of PID 1 is not a file"
fi
fi
if [ ! -z "${FILENAME}" ]; then
if [ -n "${FILENAME}" ]; then
SHORTNAME=$(echo ${FILENAME} | ${AWKBINARY} -F/ '{ print $NF }')
LogText "Found: ${SHORTNAME}"
if [ "${SERVICE_MANAGER}" = "unknown" ]; then
@ -110,7 +110,7 @@
;;
*)
CONTAINS_SYSTEMD=$(echo ${SHORTNAME} | ${GREPBINARY} "systemd")
if [ ! -z "${CONTAINS_SYSTEMD}" ]; then
if [ -n "${CONTAINS_SYSTEMD}" ]; then
SERVICE_MANAGER="systemd"
else
LogText "Found ${SHORTNAME}. Unclear what service manager this is"
@ -204,7 +204,7 @@
LogText "Test: determine if Secure Boot is used"
if [ -d ${ROOTDIR}sys/firmware/efi/efivars ]; then
FIND=$(${LSBINARY} ${ROOTDIR}sys/firmware/efi/efivars/SecureBoot-* 2> /dev/null)
if [ ! -z "${FIND}" ]; then
if [ -n "${FIND}" ]; then
for FILE in ${FIND}; do
LogText "Test: checking file ${FILE}"
# TODO: add detection for od
@ -295,7 +295,7 @@
# Some OSes like Gentoo do not have /boot mounted by default
# TODO: root directory and rewrite ls statement
if [ -d /boot ]; then
if [ "$(ls /boot/* 2> /dev/null)" = "" -a ! -z "${GRUB2INSTALLBINARY}" ]; then
if [ "$(ls /boot/* 2> /dev/null)" = "" -a -n "${GRUB2INSTALLBINARY}" ]; then
BOOT_LOADER_FOUND=1
LogText "Result: found empty /boot, however with GRUB2 binary installed. Best guess is that GRUB2 is actually installed, but /boot not mounted"
Display --indent 2 --text "- Checking presence GRUB2" --result "POSSIBLE MATCH" --color YELLOW
@ -312,7 +312,7 @@
#
# Test : BOOT-5122
# Description : Check for GRUB boot loader configuration
if [ ! -z "${GRUBCONFFILE}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
if [ -n "${GRUBCONFFILE}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no BOOT-5122 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for GRUB boot password"
if [ ${SKIPTEST} -eq 0 ]; then
FOUND=0
@ -325,11 +325,11 @@
FIND4=$(${GREPBINARY} 'password_pbkdf2' ${GRUBCONFFILE} | ${GREPBINARY} -v '^#')
FIND5=$(${GREPBINARY} 'grub.pbkdf2' ${GRUBCONFFILE} | ${GREPBINARY} -v '^#')
# GRUB1: Password should be set (MD5 or SHA1)
if [ ! -z "${FIND}" -o ! -z "${FIND2}" ]; then
if [ -n "${FIND}" -o -n "${FIND2}" ]; then
FOUND=1
# GRUB2: Superusers AND password should be defined
elif [ ! -z "${FIND3}" ]; then
if [ ! -z "${FIND4}" -o ! -z "${FIND5}" ]; then FOUND=1; fi
elif [ -n "${FIND3}" ]; then
if [ -n "${FIND4}" -o -n "${FIND5}" ]; then FOUND=1; fi
fi
if [ ${FOUND} -eq 1 ]; then
Display --indent 4 --text "- Checking for password protection" --result "${STATUS_OK}" --color GREEN
@ -599,7 +599,7 @@
else
LogText "Result: systemctl binary not found, checking chkconfig binary"
if [ ! -z "${CHKCONFIGBINARY}" ]; then
if [ -n "${CHKCONFIGBINARY}" ]; then
LogText "Result: chkconfig binary found, trying that to discover information"
LogText "Searching for services at startup (chkconfig, runlevel 3 and 5)"
FIND=$(${CHKCONFIGBINARY} --list | ${EGREPBINARY} '3:on|5:on' | ${AWKBINARY} '{ print $1 }')
@ -634,7 +634,7 @@
if [ "${sRUNLEVEL}" = "2" ]; then
LogText "Result: performing find in /etc/rc2.d as runlevel 2 is found"
FIND=$(${FINDBINARY} ${ROOTDIR}etc/rc2.d -type l -print | ${CUTBINARY} -d '/' -f4 | ${SEDBINARY} "s/S[0-9][0-9]//g" | sort)
if [ ! -z "${FIND}" ]; then
if [ -n "${FIND}" ]; then
COUNT=0
for SERVICE in ${FIND}; do
LogText "Found service (at boot, runlevel 2): ${SERVICE}"
@ -667,7 +667,7 @@
LogText "Result: directory ${DIR} found"
LogText "Test: checking for available files in directory"
FIND=$(${FINDBINARY} ${DIR} -type f -print | ${SORTBINARY})
if [ ! -z "${FIND}" ]; then
if [ -n "${FIND}" ]; then
LogText "Result: found files in directory, checking permissions now"
for FILE in ${FIND}; do
LogText "Test: checking permissions of file ${FILE}"
@ -757,12 +757,12 @@
;;
DragonFly | FreeBSD | macOS)
if [ ! -z "${SYSCTLBINARY}" ]; then
if [ -n "${SYSCTLBINARY}" ]; then
TIME_BOOT=$(${SYSCTLBINARY} kern.boottime | ${AWKBINARY} '{ print $5 }' | ${SEDBINARY} -e 's/,//' | ${GREPBINARY} "[0-9]")
TIME_NOW=$(date "+%s")
LogText "Boot time: ${TIME_BOOT}"
LogText "Current time: ${TIME_NOW}"
if [ ! -z "${TIME_BOOT}" -a ! -z "${TIME_NOW}" ]; then
if [ -n "${TIME_BOOT}" -a -n "${TIME_NOW}" ]; then
UPTIME_IN_SECS=$((TIME_NOW - TIME_BOOT))
else
ReportException "${TEST_NO}:5" "Most likely kern.boottime empty, unable to determine uptime"
@ -774,12 +774,12 @@
;;
NetBSD | OpenBSD)
if [ ! -z "${SYSCTLBINARY}" ]; then
if [ -n "${SYSCTLBINARY}" ]; then
TIME_BOOT=$(${SYSCTLBINARY} -n kern.boottime)
TIME_NOW=$(date "+%s")
LogText "Boot time: ${TIME_BOOT}"
LogText "Current time: ${TIME_NOW}"
if [ ! -z "${TIME_BOOT}" -a ! -z "${TIME_NOW}" ]; then
if [ -n "${TIME_BOOT}" -a -n "${TIME_NOW}" ]; then
UPTIME_IN_SECS=$((TIME_NOW - TIME_BOOT))
else
ReportException "${TEST_NO}:5" "Most likely kern.boottime empty, unable to determine uptime"
@ -791,7 +791,7 @@
;;
Solaris)
if [ ! -z "${KSTATBINARY}" ]; then
if [ -n "${KSTATBINARY}" ]; then
UPTIME_IN_SECS=$(${KSTATBINARY} -p unix:0:system_misc:snaptime | ${GREPBINARY} "^unix" | ${AWKBINARY} '{print $2}' | ${CUTBINARY} -d "." -f1)
else
Display --indent 2 --text "- Checking uptime" --result "${STATUS_SKIPPED}" --color YELLOW
@ -806,7 +806,7 @@
ReportException "${TEST_NO}:3" "No uptime test available yet for this operating system"
;;
esac
if [ ! -z "${UPTIME_IN_SECS}" ]; then
if [ -n "${UPTIME_IN_SECS}" ]; then
UPTIME_IN_DAYS=$((UPTIME_IN_SECS / 60 / 60 / 24))
LogText "Uptime (in seconds): ${UPTIME_IN_SECS}"
LogText "Uptime (in days): ${UPTIME_IN_DAYS}"
@ -828,7 +828,7 @@
LogText "Result: file /usr/lib/systemd/system/rescue.service"
LogText "Test: checking presence sulogin for single user mode"
FIND=$(${EGREPBINARY} "^ExecStart=.*sulogin" ${ROOTDIR}usr/lib/systemd/system/rescue.service)
if [ ! -z "${FIND}" ]; then
if [ -n "${FIND}" ]; then
FOUND=1
LogText "Result: found sulogin, so single user is protected"
AddHP 3 3
@ -898,7 +898,7 @@
LogText "Test: checking for available files in directory"
# OpenBSD uses symlinks to create another instance of daemons
FIND=$(${FINDBINARY} ${CHECKDIR} \( -type f -o -type l \) -print | ${SORTBINARY})
if [ ! -z "${FIND}" ]; then
if [ -n "${FIND}" ]; then
LogText "Result: found files in directory, checking permissions now"
for FILE in ${FIND}; do
LogText "Test: checking permissions of file ${FILE}"
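Review bot: The rewritten tests still join conditions with `-a`/`-o` inside a single `[`, for example `[ -n "${FIND}" -o -n "${FIND2}" ]` in the GRUB password check and `[ -n "${TIME_BOOT}" -a -n "${TIME_NOW}" ]` in both uptime branches. POSIX marks these operators obsolescent and leaves the result unspecified beyond four arguments, because the expression becomes ambiguous when an operand expands to something that looks like an operator, and here the operands are command output. Since these lines are being touched anyway, split them into separate tests, e.g. `if [ -n "${FIND}" ] || [ -n "${FIND2}" ]; then`. The same construct recurs in the container, database, file integrity, file system and firewall sections of this commit.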


@ -40,7 +40,7 @@
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: query zoneadm to list all running zones"
FIND=$(${ROOTDIR}usr/sbin/zoneadm list -p | ${AWKBINARY} -F: '{ if ($2!="global") print $0 }')
if [ ! -z "${FIND}" ]; then
if [ -n "${FIND}" ]; then
COUNT=0
for ITEM in ${FIND}; do
COUNT=$((COUNT + 1))
@ -131,7 +131,7 @@
# Test : CONT-8106
# Description : Checking Docker containers (basic stats)
# Notes : Hardening points are awarded, if there aren't a lot of stopped containers
if [ ! -z "${DOCKERBINARY}" -a ${RUN_DOCKER_TESTS} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
if [ -n "${DOCKERBINARY}" -a ${RUN_DOCKER_TESTS} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no CONT-8106 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Gather basic stats from Docker"
if [ ${SKIPTEST} -eq 0 ]; then
Display --indent 6 --text "- Containers"
@ -171,7 +171,7 @@
# Test : CONT-8107
# Description : Checking Docker number of unused containers
# Notes : Hardening points are awarded, if there aren't a lot of stopped containers
if [ ! -z "${DOCKERBINARY}" -a ${RUN_DOCKER_TESTS} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
if [ -n "${DOCKERBINARY}" -a ${RUN_DOCKER_TESTS} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no CONT-8107 --preqs-met ${PREQS_MET} --weight L --network NO --category performance --description "Check number of Docker containers"
if [ ${SKIPTEST} -eq 0 ]; then
# Check if there aren't too many unused containers on the system
@ -194,7 +194,7 @@
# Test : CONT-8108
# Description : Checking Docker file permissions
# Notes : /var/run/docker.sock - Usually root as owner, docker as group - should not be world writable
if [ ! -z "${DOCKERBINARY}" -a ${RUN_DOCKER_TESTS} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
if [ -n "${DOCKERBINARY}" -a ${RUN_DOCKER_TESTS} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no CONT-8108 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check file permissions for Docker files"
if [ ${SKIPTEST} -eq 0 ]; then
NOT_WORLD_WRITABLE="${ROOTDIR}var/run/docker.sock"
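Review bot: `${RUN_DOCKER_TESTS}` is expanded unquoted inside the prerequisite line of CONT-8106, CONT-8107 and CONT-8108. If it is ever empty, `[` receives `-a -eq 1`, fails to parse the expression and returns non-zero, so PREQS_MET becomes NO and the Docker checks are skipped as if the prerequisite were simply not met. An explicit default keeps the comparison well-formed: `if [ -n "${DOCKERBINARY}" ] && [ "${RUN_DOCKER_TESTS:-0}" -eq 1 ]; then`. `${MYSQL_RUNNING}` in DBS-1816 and `${IPTABLES_ACTIVE}` in FIRE-4512 and FIRE-4513 follow the same pattern.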


@ -28,7 +28,7 @@
#
# Test : CRYP-7902
# Description : check for expired SSL certificates
if [ ! -z "${OPENSSLBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
if [ -n "${OPENSSLBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no CRYP-7902 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check expire date of SSL certificates"
if [ ${SKIPTEST} -eq 0 ]; then
COUNT_EXPIRED=0


@ -71,7 +71,7 @@
# Test : DBS-1816
# Description : Check empty MySQL root password
# Notes : Only perform test when MySQL is running and client is available
if [ ! -z "${MYSQLCLIENTBINARY}" -a ${MYSQL_RUNNING} -eq 1 ]; then PREQS_MET="YES"; SKIPREASON=""; else PREQS_MET="NO"; SKIPREASON="MySQL not installed, or not running"; fi
if [ -n "${MYSQLCLIENTBINARY}" -a ${MYSQL_RUNNING} -eq 1 ]; then PREQS_MET="YES"; SKIPREASON=""; else PREQS_MET="NO"; SKIPREASON="MySQL not installed, or not running"; fi
Register --test-no DBS-1816 --preqs-met ${PREQS_MET} --skip-reason "${SKIPREASON}" --weight L --network NO --category security --description "Checking MySQL root password"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Trying to login to local MySQL server without password"
@ -144,7 +144,7 @@
if [ ${MONGODB_AUTHORIZATION_ENABLED} -eq 0 ]; then
if HasData "${PGREPBINARY}"; then
AUTH_ON_CMDLINE=$(for I in $(${PGREPBINARY} mongo); do cat /proc/${I}/cmdline | xargs -0 echo | ${GREPBINARY} -E "\-\-auth( |$)"; done)
if [ ! -z "${AUTH_ON_CMDLINE}" ]; then LogText "Result: found authorization enabled via mongod parameter"; MONGODB_AUTHORIZATION_ENABLED=1; fi
if [ -n "${AUTH_ON_CMDLINE}" ]; then LogText "Result: found authorization enabled via mongod parameter"; MONGODB_AUTHORIZATION_ENABLED=1; fi
else
LogText "Result: skipped this part of the test, as pgrep is not available"
fi
@ -268,7 +268,7 @@
for DIR in ${PATHS}; do
LogText "Action: scanning directory (${DIR}) for Redis configuration files"
FILES=$(${LSBINARY} ${DIR}/*.conf 2> /dev/null)
if [ ! -z "${FILES}" ]; then
if [ -n "${FILES}" ]; then
ALLFILES="${ALLFILES} ${FILES}"
else
LogText "Result: no configuration files found in this directory"
@ -279,12 +279,12 @@
LogText "Action: checking if ${CONFFILE} is a Sentinel configuration file"
# Exclude Sentinel configuration file
FIND=$(${GREPBINARY} "^sentinel " ${CONFFILE})
if [ ! -z "${FIND}" ]; then
if [ -n "${FIND}" ]; then
LogText "Result: file is a Sentinel configuration file, skipping it"
else
LogText "Result: file is NOT a Sentinel configuration file. Now scanning if it is a Redis configuration file"
FIND=$(${GREPBINARY} "Redis" ${CONFFILE})
if [ ! -z "${FIND}" ]; then
if [ -n "${FIND}" ]; then
REDIS_CONFIGURATION_FILES="${REDIS_CONFIGURATION_FILES} ${CONFFILE}"
REDIS_CONFIGURATION_FOUND=1
LogText "Result: found a Redis configuration file (${CONFFILE})"


@ -38,7 +38,7 @@
# # Description : Validate DNSSEC signiture is checked
# Register --test-no DNS-1600 --weight L --network YES --category security --description "Validate DNSSEC igniture is checked"
# if [ "${SKIPTEST}" -eq 0 ]; then
# if [ ! -z "${DIGBINARY}" ]; then
# if [ -n "${DIGBINARY}" ]; then
#
# GOOD=$("${DIGBINARY}" +short +time=1 $SIGOKDNS)
# BAD=$("${DIGBINARY}" +short +time=1 $SIGFAILDNS)
@ -47,16 +47,16 @@
# LogText "Result: received timeout, can't determine DNSSEC validation"
# Display --indent 4 --text "- Checking DNSSEC validation" --result "${STATUS_UNKOWN}" --color YELLOW
# #ReportException "${TEST_NO}" "Exception found, both query failed, due to connection timeout"
# elif [ -z "${GOOD}" -a ! -z "${BAD}" ]; then
# elif [ -z "${GOOD}" -a -n "${BAD}" ]; then
# LogText "Result: good signature failed, yet bad signature was accepted"
# Display --indent 4 --text "- Checking DNSSEC validation" --result "${STATUS_UNKOWN}" --color YELLOW
# #ReportException "${TEST_NO}" "Exception found, OK failed, bad signature was accepted"
# elif [ ! -z "${GOOD}" -a ! -z "${BAD}" ]; then
# elif [ -n "${GOOD}" -a -n "${BAD}" ]; then
# Display --indent 4 --text "- Checking DNSSEC validation" --result "${STATUS_SUGGESTION}" --color YELLOW
# LogText "Note: Using DNSSEC validation can protect from DNS hijacking"
# #ReportSuggestion "${TEST_NO}" "Altered DNS queries are accepted, configure DNSSEC valdating name servers"
# AddHP 2 2
# elif [ ! -z "${GOOD}" -a -z "${BAD}" ]; then
# elif [ -n "${GOOD}" -a -z "${BAD}" ]; then
# Display --indent 4 --text "- Checking DNSSEC validation" --result "${STATUS_OK}" --color GREEN
# LogText "Result: altered DNS responses were ignored"
# AddHP 0 2


@ -70,7 +70,7 @@
#
# Test : FINT-4315
# Description : Check AIDE configuration file
if [ ! -z "${AIDEBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
if [ -n "${AIDEBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no FINT-4315 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check AIDE configuration file"
if [ ${SKIPTEST} -eq 0 ]; then
AIDE_CONFIG_LOCS="${ROOTDIR}etc ${ROOTDIR}etc/aide ${ROOTDIR}usr/local/etc"
@ -104,7 +104,7 @@
Register --test-no FINT-4318 --weight L --network NO --category security --description "Osiris availability"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking Osiris binary"
if [ ! -z "${OSIRISBINARY}" ]; then
if [ -n "${OSIRISBINARY}" ]; then
LogText "Result: Osiris is installed (${OSIRISBINARY})"
Report "file_integrity_tool[]=osiris"
FILE_INT_TOOL="osiris"
@ -123,7 +123,7 @@
Register --test-no FINT-4322 --weight L --network NO --category security --description "Samhain availability"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking Samhain binary"
if [ ! -z "${SAMHAINBINARY}" ]; then
if [ -n "${SAMHAINBINARY}" ]; then
LogText "Result: Samhain is installed (${SAMHAINBINARY})"
Report "file_integrity_tool[]=samhain"
FILE_INT_TOOL="samhain"
@ -142,7 +142,7 @@
Register --test-no FINT-4326 --weight L --network NO --category security --description "Tripwire availability"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking Tripwire binary"
if [ ! -z "${TRIPWIREBINARY}" ]; then
if [ -n "${TRIPWIREBINARY}" ]; then
LogText "Result: Tripwire is installed (${TRIPWIREBINARY})"
Report "file_integrity_tool[]=tripwire"
FILE_INT_TOOL="tripwire"
@ -229,7 +229,7 @@
Display --indent 6 --text "- Configuration status" --result "${STATUS_DISABLED}" --color YELLOW
fi
ENABLED=$(${GREPBINARY} "^LF_DIRWATCH =" ${CSF_CONFIG} | ${AWKBINARY} '{ print $3 }' | ${SEDBINARY} 's/\"//g')
if [ ! "${ENABLED}" = "0" -a ! -z "${ENABLED}" ]; then
if [ ! "${ENABLED}" = "0" -a -n "${ENABLED}" ]; then
LogText "Result: lfd directory watching is enabled (value: ${ENABLED})"
Display --indent 6 --text "- Temporary directory watches" --result "${STATUS_ENABLED}" --color GREEN
else
@ -237,7 +237,7 @@
Display --indent 6 --text "- Temporary directory watches" --result "${STATUS_DISABLED}" --color YELLOW
fi
ENABLED=$(${GREPBINARY} "^LF_DIRWATCH_FILE =" ${CSF_CONFIG} | ${AWKBINARY} '{ print $3 }' | ${SEDBINARY} 's/\"//g')
if [ ! "${ENABLED}" = "0" -a ! -z "${ENABLED}" ]; then
if [ ! "${ENABLED}" = "0" -a -n "${ENABLED}" ]; then
Display --indent 6 --text "- Directory/File watches" --result "${STATUS_ENABLED}" --color GREEN
else
Display --indent 6 --text "- Directory/File watches" --result "${STATUS_DISABLED}" --color YELLOW
@ -267,7 +267,7 @@
#
# Test : FINT-4402 (was FINT-4316)
# Description : Check if AIDE is configured to use SHA256 or SHA512 checksums
if [ ! "${AIDEBINARY}" = "" -a ! -z "${AIDECONFIG}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
if [ ! "${AIDEBINARY}" = "" -a -n "${AIDECONFIG}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no FINT-4402 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "AIDE configuration: Checksums (SHA256 or SHA512)"
if [ ${SKIPTEST} -eq 0 ]; then
FIND=$(${GREPBINARY} -v "^#" ${AIDECONFIG} | ${EGREPBINARY} "= .*(sha256|sha512)")
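Review bot: The FINT-4402 prerequisite now mixes two spellings of the same non-empty check on one line, `! "${AIDEBINARY}" = ""` and `-n "${AIDECONFIG}"`. Given the purpose of the commit, both should read the same way: `if [ -n "${AIDEBINARY}" ] && [ -n "${AIDECONFIG}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi`. The two `LF_DIRWATCH` tests earlier in the section would also be easier to follow as `[ -n "${ENABLED}" ] && [ "${ENABLED}" != "0" ]`.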


@ -89,7 +89,7 @@
ReportException "${TEST_NO}:1" "Don't know this specific operating system yet, while volume group manager was found"
;;
esac
if [ ! -z "${FIND}" ]; then
if [ -n "${FIND}" ]; then
LogText "Result: found one or more volume groups"
for I in ${FIND}; do
LogText "Found LVM volume group: ${I}"
@ -152,7 +152,7 @@
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking for Linux EXT file systems"
FIND=$(${MOUNTBINARY} -t ext2,ext3,ext4 | ${AWKBINARY} '{ print $3","$5 }')
if [ ! -z "${FIND}" ]; then
if [ -n "${FIND}" ]; then
LogText "Result: found one or more EXT file systems"
for I in ${FIND}; do
FILESYSTEM=$(echo ${I} | ${CUTBINARY} -d ',' -f1)
@ -173,7 +173,7 @@
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking for Linux XFS file systems"
FIND=$(${MOUNTBINARY} -t xfs | ${AWKBINARY} '{ print $3","$5 }')
if [ ! -z "${FIND}" ]; then
if [ -n "${FIND}" ]; then
LogText "Result: found one or more XFS file systems"
for I in ${FIND}; do
FILESYSTEM=$(echo ${I} | ${CUTBINARY} -d ',' -f1)
@ -272,12 +272,12 @@
# Test for UUID usage (e.g. UUID=uuid --> /dev/disk/by-uuid/<uuid>)
HAS_UUID=$(echo ${I} | ${GREPBINARY} "^UUID=")
if [ ! -z "${HAS_UUID}" ]; then
if [ -n "${HAS_UUID}" ]; then
UUID=$(echo ${HAS_UUID} | ${AWKBINARY} -F= '{ print $2 }')
LogText "Result: Using ${UUID} as UUID"
if [ ! -z "${BLKIDBINARY}" ]; then
if [ -n "${BLKIDBINARY}" ]; then
FIND2=$(${BLKIDBINARY} | ${AWKBINARY} '{ if ($2=="UUID=\"${UUID}\"") print $1 }' | ${SEDBINARY} 's/:$//')
if [ ! -z "${FIND2}" ]; then
if [ -n "${FIND2}" ]; then
REAL="${FIND2}"
fi
else
@ -286,7 +286,7 @@
if [ -L /dev/disk/by-uuid/${UUID} ]; then
LogText "Result: found disk via /dev/disk/by-uuid listing"
ShowSymlinkPath /dev/disk/by-uuid/${UUID}
if [ ! -z "${sFILE}" ]; then
if [ -n "${sFILE}" ]; then
REAL="${sFILE}"
LogText "Result: disk is ${REAL}"
fi
@ -342,7 +342,7 @@
if [ "${OS}" = "Linux" -a -f ${ROOTDIR}proc/version ]; then
LINUX_KERNEL_MAJOR=$(echo $OS_KERNELVERSION | ${AWKBINARY} -F. '{print $1}')
LINUX_KERNEL_MINOR=$(echo $OS_KERNELVERSION | ${AWKBINARY} -F. '{print $2}')
if [ ! -z "${LINUX_KERNEL_MAJOR}" -a ! -z "${LINUX_KERNEL_MINOR}" ]; then
if [ -n "${LINUX_KERNEL_MAJOR}" -a -n "${LINUX_KERNEL_MINOR}" ]; then
if [ ${LINUX_KERNEL_MAJOR} -ge 3 -a ${LINUX_KERNEL_MINOR} -ge 3 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
else
PREQS_MET="NO";
@ -464,7 +464,7 @@
FOUND=0
LogText "Test: Checking acl option on ext[2-4] root file system"
FIND=$(${MOUNTBINARY} | ${AWKBINARY} '{ if ($3=="/" && $5~/ext[2-4]/) { print $6 } }' | ${GREPBINARY} acl)
if [ ! -z "${FIND}" ]; then
if [ -n "${FIND}" ]; then
LogText "Result: found ACL option"
FOUND=1
else
@ -480,11 +480,11 @@
FIND1=$(${MOUNTBINARY} -t ext2,ext3,ext4 | ${GREPBINARY} "on / " | ${AWKBINARY} '{ print $1 }')
fi
# Trying to determine default mount options from EXT2/EXT3/EXT4 file systems
if [ ! -z "${FIND1}" ]; then
if [ -n "${FIND1}" ]; then
LogText "Result: found ${FIND1}"
LogText "Test: Checking default options on ${FIND1}"
FIND2=$(${TUNE2FSBINARY} -l ${FIND1} 2> /dev/null | ${GREPBINARY} "^Default mount options" | ${GREPBINARY} "acl")
if [ ! -z "${FIND2}" ]; then
if [ -n "${FIND2}" ]; then
LogText "Result: found ACL option in default mount options"
FOUND=1
else
@ -528,7 +528,7 @@
NOEXEC=$(echo ${FIND} | ${AWKBINARY} '{ if ($1 ~ "noexec") { print "YES" } else { print "NO" } }')
NOSUID=$(echo ${FIND} | ${AWKBINARY} '{ if ($1 ~ "nosuid") { print "YES" } else { print "NO" } }')
if [ ! -z "${FIND}" ]; then
if [ -n "${FIND}" ]; then
LogText "Result: mount system / is configured with options: ${FIND}"
if [ "${FIND}" = "defaults" ]; then
Display --indent 2 --text "- Mount options of /" --result "${STATUS_OK}" --color GREEN
@ -577,7 +577,7 @@
FS_FSTAB=""
fi
fi
if [ ! -z "${FS_FSTAB}" ]; then
if [ -n "${FS_FSTAB}" ]; then
FOUND_FLAGS=$(${AWKBINARY} -v fs=${FILESYSTEM} '{ if ($2==fs) { print $4 } }' ${ROOTDIR}etc/fstab | ${SEDBINARY} 's/,/ /g' | ${TRBINARY} '\n' ' ')
LogText "File system: ${FILESYSTEM}"
LogText "Expected flags: ${EXPECTED_FLAGS}"
@ -629,7 +629,7 @@
if [ -f ${ROOTDIR}etc/fstab ]; then
FIND=$(${AWKBINARY} '{ if ($2=="/var/tmp") { print $4 } }' ${ROOTDIR}etc/fstab)
BIND=$(echo ${FIND} | ${AWKBINARY} '{ if ($1 ~ "bind") { print "YES" } else { print "NO" } }')
if [ ! -z "${FIND}" ]; then
if [ -n "${FIND}" ]; then
LogText "Result: mount system /var/tmp is configured with options: ${FIND}"
if [ "${BIND}" = "YES" ]; then
Display --indent 2 --text "- /var/tmp is bound to /tmp" --result "${STATUS_OK}" --color GREEN
@ -760,7 +760,7 @@
# Data : cramfs freevxfs hfs hfsplus jffs2 squashfs udf
Register --test-no FILE-6430 --weight L --network NO --category security --description "Disable mounting of some filesystems"
if [ ${SKIPTEST} -eq 0 ]; then
if [ ! -z "${LSMODBINARY}" -a -f /proc/modules ]; then
if [ -n "${LSMODBINARY}" -a -f /proc/modules ]; then
Display --indent 2 --text "- Disable kernel support of some filesystems"
LIST_FS_NOT_SUPPORTED="cramfs freevxfs hfs hfsplus jffs2 squashfs udf"
FOUND=0
@ -769,7 +769,7 @@
for FS in ${LIST_FS_NOT_SUPPORTED}; do
# Check if filesystem is present in modprobe output
FIND=$(${MODPROBEBINARY} -v -n $FS 2>/dev/null | ${EGREPBINARY} "/${FS}.ko" | tail -1)
if [ ! -z "${FIND}" ]; then
if [ -n "${FIND}" ]; then
LogText "Result: found module support in kernel: ${FIND}"
Debug "Module ${FS} present in the kernel"
LogText "Test: Checking if ${FS} is active"
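Review bot: The kernel version gate right after the changed `LINUX_KERNEL_MAJOR`/`LINUX_KERNEL_MINOR` test requires both `-ge 3` conditions at once, so any kernel with a minor number below 3 (4.0, 5.2, 6.1, ...) yields PREQS_MET="NO" even though it is newer than 3.3. Compare major first and minor only when major equals 3: `if [ "${LINUX_KERNEL_MAJOR}" -gt 3 ] || { [ "${LINUX_KERNEL_MAJOR}" -eq 3 ] && [ "${LINUX_KERNEL_MINOR}" -ge 3 ]; }; then`. The test that consumes this prerequisite lies outside the hunk, so which check gets skipped cannot be confirmed from here.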


@ -41,7 +41,7 @@
Register --test-no FIRE-4502 --os Linux --weight L --network NO --category security --description "Check iptables kernel module"
if [ ${SKIPTEST} -eq 0 ]; then
FIND=$(${LSMODBINARY} | ${AWKBINARY} '{ print $1 }' | ${GREPBINARY} "^ip*_tables")
if [ ! -z "${FIND}" ]; then
if [ -n "${FIND}" ]; then
FIREWALL_ACTIVE=1
IPTABLES_ACTIVE=1
IPTABLES_MODULE_ACTIVE=1
@ -73,11 +73,11 @@
# If we have a kernel configuration file, use it for testing
# Do not perform test if we already found it in kernel module list, to avoid triggered it in the upcoming
# tests, when using iptables --list
if [ ! -z "${LINUXCONFIGFILE}" ]; then
if [ -n "${LINUXCONFIGFILE}" ]; then
if [ -f ${LINUXCONFIGFILE} -a ${IPTABLES_MODULE_ACTIVE} -eq 0 ]; then
LogText "Result: found kernel configuration file (${LINUXCONFIGFILE})"
FIND=$(${tCATCMD} ${LINUXCONFIGFILE} | ${GREPBINARY} -v '^#' | ${GREPBINARY} "CONFIG_IP_NF_IPTABLES" | head -n 1)
if [ ! -z "${FIND}" ]; then
if [ -n "${FIND}" ]; then
HAVEMOD=$(echo ${FIND} | ${CUTBINARY} -d '=' -f2)
# Do not use iptables if it's compiled as a module (=m), since we already tested for it in the
# active list.
@ -151,11 +151,11 @@
#
# Test : FIRE-4512
# Description : Check iptables for empty ruleset (should have at least 5 or more rules)
if [ ! -z "${IPTABLESBINARY}" -a ${IPTABLES_ACTIVE} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
if [ -n "${IPTABLESBINARY}" -a ${IPTABLES_ACTIVE} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no FIRE-4512 --preqs-met ${PREQS_MET} --os Linux --weight L --network NO --root-only YES --category security --description "Check iptables for empty ruleset"
if [ ${SKIPTEST} -eq 0 ]; then
FIND=$(${IPTABLESBINARY} --list --numeric 2> /dev/null | ${EGREPBINARY} -v "^(Chain|target|$)" | ${WCBINARY} -l | ${TRBINARY} -d ' ')
if [ ! -z "${FIND}" ]; then
if [ -n "${FIND}" ]; then
FIREWALL_ACTIVE=1
if [ ${FIND} -le 5 ]; then
# Firewall is active, but needs configuration
@ -174,7 +174,7 @@
#
# Test : FIRE-4513
# Description : Check iptables for unused rules
if [ ! -z "${IPTABLESBINARY}" -a ${IPTABLES_ACTIVE} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
if [ -n "${IPTABLESBINARY}" -a ${IPTABLES_ACTIVE} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no FIRE-4513 --preqs-met ${PREQS_MET} --os Linux --weight L --network NO --root-only YES --category security --description "Check iptables for unused rules"
if [ ${SKIPTEST} -eq 0 ]; then
FIND=$(${IPTABLESBINARY} --list --numeric --line-numbers --verbose | ${AWKBINARY} '{ if ($2=="0") print $1 }' | ${XARGSBINARY})
@ -212,7 +212,7 @@
# Check status with pfctl
LogText "Test: checking pf status via pfctl"
if [ ! -z "${PFCTLBINARY}" ]; then
if [ -n "${PFCTLBINARY}" ]; then
FIND=$(${PFCTLBINARY} -sa 2>&1 | ${GREPBINARY} "^Status" | ${HEADBINARY} -1 | ${AWKBINARY} '{ print $2 }')
if [ "${FIND}" = "Disabled" ]; then
if IsVerbose; then Display --indent 2 --text "- Checking pf status (pfctl)" --result "${STATUS_DISABLED}" --color RED; fi
@ -233,7 +233,7 @@
if [ ${PFFOUND} -eq 0 ]; then
# Check for pf kernel module (FreeBSD and similar)
LogText "Test: searching for pf kernel module"
if [ ! -z "${KLDSTATBINARY}" ]; then
if [ -n "${KLDSTATBINARY}" ]; then
FIND=$(${KLDSTATBINARY} | ${GREPBINARY} 'pf.ko')
if [ -z "${FIND}" ]; then
LogText "Result: Can not find pf KLD"
@ -353,7 +353,7 @@
# Description : Check IPFW (FreeBSD)
Register --test-no FIRE-4530 --os FreeBSD --weight L --network NO --category security --description "Check IPFW status"
if [ ${SKIPTEST} -eq 0 ]; then
if [ ! -z "${SYSCTLBINARY}" ]; then
if [ -n "${SYSCTLBINARY}" ]; then
# For now, only check for IPv4.
FIND=$(${SYSCTLBINARY} net.inet.ip.fw.enable 2> /dev/null | ${AWKBINARY} '{ print $2 }')
if [ "${FIND}" = "1" ]; then
@ -386,7 +386,7 @@
Register --test-no FIRE-4532 --weight L --os "macOS" --preqs-met ${PREQS_MET} --network NO --category security --description "Check macOS application firewall"
if [ ${SKIPTEST} -eq 0 ]; then
FIND=$(/usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate 2> /dev/null | ${GREPBINARY} "Firewall is enabled")
if [ ! -z "${FIND}" ]; then
if [ -n "${FIND}" ]; then
Display --indent 2 --text "- Checking macOS: Application Firewall" --result "${STATUS_ENABLED}" --color GREEN
AddHP 3 3
LogText "Result: application firewall of macOS is enabled"
@ -478,7 +478,7 @@
Register --test-no FIRE-4536 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check nftables status"
if [ ${SKIPTEST} -eq 0 ]; then
FIND=$(${LSMODBINARY} | ${AWKBINARY} '{ print $1 }' | ${GREPBINARY} "^nf*_tables")
if [ ! -z "${FIND}" ]; then
if [ -n "${FIND}" ]; then
LogText "Result: found nftables kernel module"
FIREWALL_ACTIVE=1
NFTABLES_ACTIVE=1
@ -526,7 +526,7 @@
Register --test-no FIRE-4586 --preqs-met ${PREQS_MET} --weight L --network NO --root-only YES --category security --description "Check firewall logging"
if [ ${SKIPTEST} -eq 0 ]; then
if [ ${IPTABLES_ACTIVE} -eq 1 ]; then
if [ ! -z "${IPTABLESSAVEBINARY}" ]; then
if [ -n "${IPTABLESSAVEBINARY}" ]; then
HAS_LOGGING=$(${IPTABLESSAVEBINARY} | ${GREPBINARY} "\-j LOG")
if [ -z "${HAS_LOGGING}" ]; then
Report "firewall_no_logging[]=iptables"
@ -563,7 +563,7 @@
# Test : FIRE-4594
# Description : Check for APF (Advanced Policy Firewall)
Register --test-no FIRE-4594 --weight L --network NO --category security --description "Check for APF presence"
if [ ! -z "${IPTABLESBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
if [ -n "${IPTABLESBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
if [ ${SKIPTEST} -eq 0 ]; then
FILE="/etc/apf/conf.apf"
LogText "Test: check ${FILE}"
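Review bot: In FIRE-4594 the `PREQS_MET` line touched here sits after the `Register` call, and that call passes no `--preqs-met`, so within the visible lines the iptables prerequisite has no effect on whether the APF check runs. Move the assignment above `Register` and pass it through as the neighbouring tests do: `Register --test-no FIRE-4594 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for APF presence"`. The body of the test continues beyond the hunk, so whether `IPTABLESBINARY` is relied on further down cannot be confirmed from here.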


@ -59,7 +59,7 @@
FILE="${ITEM}"
LogText "Test: Check file permissions for ${ITEM}"
ShowSymlinkPath ${ITEM}
if [ ! -z "${SYMLINK}" ]; then
if [ -n "${SYMLINK}" ]; then
FILE="${SYMLINK}"
fi


@ -114,7 +114,7 @@
# Description : Check for suspicious shell history files
Register --test-no HOME-9310 --weight L --network NO --category security --description "Checking for suspicious shell history files"
if [ ${SKIPTEST} -eq 0 ]; then
if [ ! -z "${HOMEDIRS}" ]; then
if [ -n "${HOMEDIRS}" ]; then
if [ "${OS}" = "Solaris" ]; then
# Solaris doesn't support -maxdepth
FIND=$(${FINDBINARY} ${HOMEDIRS} -name ".*history" ! -type f -print)
@ -152,7 +152,7 @@
# Notes : For performance reasons we combine the scanning of different files, so inode caching is used
# as much as possible for every find command
# Profile opt : ignore-home-dir (multiple lines allowed), ignores home directory
if [ ! -z "${REPORTFILE}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
if [ -n "${REPORTFILE}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no HOME-9350 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Collecting information from home directories"
if [ ${SKIPTEST} -eq 0 ]; then
IGNORE_HOME_DIRS=$(${GREPBINARY} "^ignore-home-dir=" ${REPORTFILE} | ${AWKBINARY} -F= '{ print $2 }')


@ -222,7 +222,7 @@
if [ -f "${FILE}" ]; then
LogText "Test: checking status in xinetd configuration file (${FILE})"
FIND=$(${GREPBINARY} "disable\s*=\s*no" ${FILE})
if [ ! -z "${FIND}" ]; then
if [ -n "${FIND}" ]; then
LogText "Result: found insecure service enabled: ${SERVICE}"
XINETD_INSECURE_SERVICE_FOUND=1
ReportSuggestion "${TEST_NO}" "Disable or remove any insecure services in the xinetd configuration" "${SERVICE}" "text:See log file for more details"
@ -492,7 +492,7 @@
#
#################################################################################
#
if [ ! -z "${LAUNCHCTL_BINARY}" ]; then PREQS_MET="YES"; SKIPREASON=""; else PREQS_MET="NO"; SKIPREASON="No launchctl binary on this system"; fi
if [ -n "${LAUNCHCTL_BINARY}" ]; then PREQS_MET="YES"; SKIPREASON=""; else PREQS_MET="NO"; SKIPREASON="No launchctl binary on this system"; fi
Register --test-no INSE-8050 --os "macOS" --preqs-met ${PREQS_MET} --skip-reason "${SKIPREASON}" --weight M --network NO --category security --description "Check for insecure services on macOS"
if [ ${SKIPTEST} -eq 0 ]; then
TEST_SERVICES="com.apple.fingerd"


@ -183,7 +183,7 @@
# Description : Check if Linux is build as a monolithic kernel or not
Register --test-no KRNL-5723 --os Linux --weight L --network NO --category security --description "Determining if Linux kernel is monolithic"
if [ ${SKIPTEST} -eq 0 ]; then
if [ ! -z "${LSMODBINARY}" -a -f /proc/modules ]; then
if [ -n "${LSMODBINARY}" -a -f /proc/modules ]; then
LogText "Test: checking if kernel is monolithic or modular"
# Checking if any modules are loaded
FIND=$(${LSMODBINARY} | ${GREPBINARY} -v "^Module" | wc -l | ${TRBINARY} -s ' ' | ${TRBINARY} -d ' ')
@ -208,7 +208,7 @@
# Description : Checking Linux loaded kernel modules
Register --test-no KRNL-5726 --os Linux --weight L --network NO --category security --description "Checking Linux loaded kernel modules"
if [ ${SKIPTEST} -eq 0 ]; then
if [ ! -z "${LSMODBINARY}" -a -f /proc/modules ]; then
if [ -n "${LSMODBINARY}" -a -f /proc/modules ]; then
FIND=$(${LSMODBINARY} | ${AWKBINARY} '{ if ($1!="Module") print $1 }' | sort)
Display --indent 2 --text "- Checking loaded kernel modules" --result "${STATUS_DONE}" --color GREEN
if HasData "${FIND}"; then
@ -519,7 +519,7 @@
if [ -d ${ROOTDIR}boot ]; then
LogText "Result: /boot exists, performing more tests from here"
FIND=$(${LSBINARY} ${ROOTDIR}boot/* 2> /dev/null)
if [ ! -z "${FIND}" ]; then
if [ -n "${FIND}" ]; then
if [ -f ${ROOTDIR}boot/vmlinuz -a ! -L ${ROOTDIR}boot/vmlinuz ]; then
LogText "Result: found /boot/vmlinuz (not symlinked)"
NEXTLINE=0
@ -532,7 +532,7 @@
if [ "${I}" = "version" ]; then NEXTLINE=1; fi
fi
done
if [ ! -z "${FINDVERSION}" ]; then
if [ -n "${FINDVERSION}" ]; then
CURRENT_KERNEL=$(uname -r)
if [ ! "${CURRENT_KERNEL}" = "${FINDVERSION}" ]; then
LogText "Result: reboot needed, as current kernel is different than the one loaded"
@ -545,7 +545,7 @@
LogText "Result: /found /boot/vmlinuz-linux (usually Arch Linux or similar)"
LogText "Test: checking kernel version on disk"
VERSION_ON_DISK=$(${FILEBINARY} -b ${ROOTDIR}boot/vmlinuz-linux | ${AWKBINARY} '{ if ($1=="Linux" && $7=="version") { print $8 }}')
if [ ! -z "${VERSION_ON_DISK}" ]; then
if [ -n "${VERSION_ON_DISK}" ]; then
LogText "Result: found version ${VERSION_ON_DISK}"
ACTIVE_KERNEL=$(uname -r)
LogText "Result: active kernel version ${ACTIVE_KERNEL}"
@ -570,7 +570,7 @@
MYKERNEL=$(${UNAMEBINARY} -r | ${SEDBINARY} 's/\.[a-z].*.//g' | ${SEDBINARY} 's/-[a-z].*.//g' | ${SEDBINARY} 's/-/./g')
LogText "Result: using ${MYKERNEL} as my kernel version (stripped)"
FIND=$(ls ${ROOTDIR}boot/vmlinuz* 2> /dev/null)
if [ ! -z "${FIND}" ]; then
if [ -n "${FIND}" ]; then
for ITEM in ${FIND}; do
LogText "Result: found ${ITEM}"
done
@ -586,11 +586,11 @@
# Examples:
# /boot/kernel-genkernel-x86_64-3.14.14-gentoo
KERNELS=$(${LSBINARY} ${ROOTDIR}boot/kernel* | ${AWKBINARY} -F- '{ if ($2=="genkernel") { print $4 }}' | ${GREPBINARY} "^[0-9]" | ${SORTBINARY} -n -k1,1 -k2,2 -k3,3 -k4,4 -k5,5 -k6,6 -t \.)
if [ ! -z "${KERNELS}" ]; then LogText "Output: ${KERNELS}"; fi
if [ -n "${KERNELS}" ]; then LogText "Output: ${KERNELS}"; fi
else
ReportException "${TEST_NO}:2" "Can not find any vmlinuz or kernel files in /boot, which is unexpected"
fi
if [ ! -z "${KERNELS}" ]; then
if [ -n "${KERNELS}" ]; then
FOUND_KERNEL=0
for I in ${KERNELS}; do
# Check if we already found a kernel and it is not equal to what we run (e.g. double versions may exist)
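Review bot: The rewritten guards for KRNL-5723 and KRNL-5726 still join two conditions with `-a` inside one `[ ]`, as in `if [ -n "${LSMODBINARY}" -a -f /proc/modules ]; then`. POSIX marks `-a` and `-o` as obsolescent, because a test with more than four arguments has unspecified results and an operand that looks like an operator can change how the expression is parsed. Since these lines are being touched anyway, `if [ -n "${LSMODBINARY}" ] && [ -f /proc/modules ]; then` is the unambiguous form. The same pattern is on other changed lines in this commit, for example the `LINUXCONFIGFILE`, `EXIM_TYPE`, `FIND2`/`FIND3` and `POWERDNS_AUTH_CONFIG_LOCATION` checks.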


@ -47,7 +47,7 @@
done
# Scan custom profile
if [ ! -z "${CUSTOM_PROFILE}" ]; then
if [ -n "${CUSTOM_PROFILE}" ]; then
FIND=$(${GREPBINARY} "^config-data=sysctl;" ${CUSTOM_PROFILE} | ${SEDBINARY} 's/ /-space-/g')
for LINE in ${FIND}; do
SYSCTLKEY=$(echo ${LINE} | ${AWKBINARY} -F\; '{ print $2 }')
@ -57,7 +57,7 @@
fi
# Last, use data from default profile
if [ ! -z "${DEFAULT_PROFILE}" ]; then
if [ -n "${DEFAULT_PROFILE}" ]; then
FIND=$(${GREPBINARY} "^config-data=sysctl;" ${DEFAULT_PROFILE} | ${SEDBINARY} 's/ /-space-/g')
for LINE in ${FIND}; do
SYSCTLKEY=$(echo ${LINE} | ${AWKBINARY} -F\; '{ print $2 }')
@ -76,7 +76,7 @@
tFINDhp=$(echo ${line} | ${AWKBINARY} -F\; '{ print $4 }' | ${GREPBINARY} "[0-9]")
tFINDdesc=$(echo ${line} | ${AWKBINARY} -F\; '{ print $5 }' | ${SEDBINARY} 's/-space-/ /g')
tFINDcurvalue=$(${SYSCTL_READKEY} ${tFINDkey} 2> /dev/null)
if [ ! -z "${tFINDcurvalue}" ]; then
if [ -n "${tFINDcurvalue}" ]; then
positive_match=0
for value in ${tFINDexpvalue}; do
if [ "${value}" = "${tFINDcurvalue}" ]; then


@ -66,7 +66,7 @@
fi
done
# Check if we found a valid location
if [ ! -z "${SLAPD_CONF_LOCATION}" ]; then
if [ -n "${SLAPD_CONF_LOCATION}" ]; then
Display --indent 4 --text "- Checking slapd.conf" --result "${STATUS_FOUND}" --color GREEN
else
Display --indent 4 --text "- Checking slapd.conf" --result "${STATUS_NOT_FOUND}" --color YELLOW


@ -262,7 +262,7 @@
#
# Test : LOGG-2148
# Description : Checking log files rotated with logrotate
if [ ! -z "${LOGROTATEBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
if [ -n "${LOGROTATEBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no LOGG-2148 --weight L --preqs-met ${PREQS_MET} --network NO --category security --description "Checking logrotated files"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking which files are rotated with logrotate and if they exist"
@ -311,7 +311,7 @@
# Try local hosts file
LogText "Result: Checking for loghost in /etc/inet/hosts"
FIND=$(${GREPBINARY} loghost /etc/inet/hosts | ${GREPBINARY} -v "^#")
if [ ! -z "${FIND}" ]; then
if [ -n "${FIND}" ]; then
SOLARIS_LOGHOST_FOUND=1
LogText "Result: Found loghost entry in /etc/inet/hosts"
else
@ -320,7 +320,7 @@
# Try name resolving if no entry is present in local host file
LogText "Result: Checking for loghost via name resolving"
FIND=$(getent hosts loghost | ${GREPBINARY} loghost)
if [ ! -z "${FIND}" ]; then
if [ -n "${FIND}" ]; then
SOLARIS_LOGHOST_FOUND=1
LogText "Result: name resolving was successful"
LogText "Output: ${FIND}"
@ -356,7 +356,7 @@
if [ -f ${SYSLOGD_CONF} ]; then
LogText "Test: check if logs are also logged to a remote logging host"
FIND=$(${EGREPBINARY} "@[a-zA-Z0-9]|destination\s.+(udp|tcp).+\sport" ${SYSLOGD_CONF} | ${GREPBINARY} -v "^#" | ${GREPBINARY} -v "[a-zA-Z0-9]@")
if [ ! -z "${FIND}" ]; then
if [ -n "${FIND}" ]; then
LogText "Result: remote logging enabled"
REMOTE_LOGGING_ENABLED=1
else
@ -364,7 +364,7 @@
DESTINATIONS=$(${GREPBINARY} "^destination" ${SYSLOGD_CONF} | ${EGREPBINARY} "(udp|tcp)" | ${GREPBINARY} "port" | ${AWKBINARY} '{print $2}')
for DESTINATION in ${DESTINATIONS}; do
FIND2=$(${GREPBINARY} "log" ${SYSLOGD_CONF} | ${GREPBINARY} "source" | ${EGREPBINARY} "destination\(${DESTINATION}\)")
if [ ! -z "${FIND2}" = "" ]; then
if [ -n "${FIND2}" = "" ]; then
LogText "Result: found destination ${DESTINATION} configured for remote logging"
REMOTE_LOGGING_ENABLED=1
fi
@ -461,7 +461,7 @@
Register --test-no LOGG-2180 --weight L --network NO --category security --description "Checking open log files"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: checking open log files with lsof"
if [ ! -z "${LSOFBINARY}" ]; then
if [ -n "${LSOFBINARY}" ]; then
FIND=$(${LSOFBINARY} -n 2>&1 | ${GREPBINARY} "log$" | ${EGREPBINARY} -v "WARNING|Output information" | ${AWKBINARY} '{ if ($5=="REG") { print $9 } }' | ${SORTBINARY} -u | ${GREPBINARY} -v "^$")
for I in ${FIND}; do
LogText "Found logfile: ${I}"
@ -477,7 +477,7 @@
#
# Test : LOGG-2190
# Description : Checking deleted files
if [ ! -z "${LSOFBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
if [ -n "${LSOFBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no LOGG-2190 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking for deleted files in use"
if [ ${SKIPTEST} -eq 0 ]; then
EARLY_MYSQL=""
@ -486,12 +486,12 @@
LSOF_GREP="WARNING|Output information"
# MySQL versions prior to 5.6 leave lots of deleted in-use files in /tmp, ignoring those
if [ ! -z "${DPKGBINARY}" ]; then
if [ -n "${DPKGBINARY}" ]; then
EARLY_MYSQL=$(${DPKGBINARY} -l | ${EGREPBINARY} mysql-server-5.[0-5])
elif [ ! -z "${RPMBINARY}" ]; then
elif [ -n "${RPMBINARY}" ]; then
EARLY_MYSQL=$(${RPMBINARY} -qa mariadb | ${EGREPBINARY} mariadb-5.[0-5])
fi
if [ ! -z "${EARLY_MYSQL}" ]; then LSOF_GREP="${LSOF_GREP}|mysqld"; fi
if [ -n "${EARLY_MYSQL}" ]; then LSOF_GREP="${LSOF_GREP}|mysqld"; fi
# grsecurity causes Fail2Ban to hold onto deleted in-use files in /var/tmp
if [ ${GRSEC_FOUND} -eq 1 ]; then LSOF_GREP="${LSOF_GREP}|fail2ban"; fi
@ -501,7 +501,7 @@
fi
FIND=$(${LSOFBINARY} -n +L 1 2>&1 | ${EGREPBINARY} -vw "${LSOF_GREP}" | ${EGREPBINARY} -v '/dev/zero|/\[aio\]' | ${AWKBINARY} '{ if ($5=="REG") { printf "%s(%s)\n", $10, $1 } }' | ${GREPBINARY} -v "^$" | ${SORTBINARY} -u)
if [ ! -z "${FIND}" ]; then
if [ -n "${FIND}" ]; then
LogText "Result: found one or more files which are deleted, but still in use"
for I in ${FIND}; do
LogText "Found deleted file: ${I}"
@ -523,7 +523,7 @@
Register --test-no LOGG-2192 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking for open log files that are empty"
if [ ${SKIPTEST} -eq 0 ]; then
FIND=$(${LSOFBINARY} -n -w | ${AWKBINARY} '{if ($5=="REG" && $7=="0" && $9 ~ /log$/) {print $1","$9}}' | ${SORTBINARY} | uniq)
if [ ! -z "${FIND}" ]; then
if [ -n "${FIND}" ]; then
for I in ${FIND}; do
LogText "Found an opened logfile that is empty: ${I}"
Report "open_empty_log_file[]=${I}"
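Review bot: The per-destination check inside the `for DESTINATION` loop is still malformed after the replacement: `if [ -n "${FIND2}" = "" ]; then` passes four arguments to `[`. POSIX leaves that case unspecified when the first argument is not `!`, and shells commonly reject it with an error, so the branch is not taken. On that path `REMOTE_LOGGING_ENABLED=1` is never set, so a host that does forward its logs may be reported as having no remote logging (assuming nothing later in the test sets it). The trailing comparison looks like a leftover from an older `= ""` form; the line should read `if [ -n "${FIND2}" ]; then`.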


@ -50,7 +50,7 @@
if [ ${APPARMORFOUND} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no MACF-6208 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check if AppArmor is enabled"
if [ ${SKIPTEST} -eq 0 ]; then
if [ ! -z "${AASTATUSBINARY}" ]; then
if [ -n "${AASTATUSBINARY}" ]; then
CAN_READ_FILE=0
FILE="/sys/kernel/security/apparmor/profiles"
if [ -f ${FILE} ]; then
@ -114,7 +114,7 @@
Register --test-no MACF-6232 --weight L --network NO --category security --description "Check SELINUX presence"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: checking if we have sestatus binary"
if [ ! -z "${SESTATUSBINARY}" ]; then
if [ -n "${SESTATUSBINARY}" ]; then
LogText "Result: found sestatus binary (${SESTATUSBINARY})"
Display --indent 2 --text "- Checking presence SELinux" --result "${STATUS_FOUND}" --color GREEN
else
@ -206,7 +206,7 @@
Register --test-no RBAC-6272 --weight L --network NO --category security --description "Check grsecurity presence"
if [ ${SKIPTEST} -eq 0 ]; then
# Check Linux kernel configuration
if [ ! -z "${LINUXCONFIGFILE}" -a -f "${LINUXCONFIGFILE}" ]; then
if [ -n "${LINUXCONFIGFILE}" -a -f "${LINUXCONFIGFILE}" ]; then
FIND=$(${GREPBINARY} ^CONFIG_GRKERNSEC=y ${LINUXCONFIGFILE})
if [ ! "${FIND}" = "" ]; then
LogText "Result: grsecurity available (in kernel config)"


@ -77,20 +77,20 @@
# Smarthost or Satellite
FIND3=$(echo "${EXIM_ROUTERS}" | ${EGREPBINARY} '^smarthost')
if [ ! -z "${FIND}" ]; then
if [ -n "${FIND}" ]; then
EXIM_TYPE="LOCAL ONLY"
elif [ ! -z "${FIND2}" ]; then
elif [ -n "${FIND2}" ]; then
EXIM_TYPE="INTERNET HOST"
elif [ ! -z "${FIND3}" ]; then
elif [ -n "${FIND3}" ]; then
FIND4=$(echo "${EXIM_ROUTERS}" | ${EGREPBINARY} '^hub_user_smarthost')
if [ ! -z "${FIND4}" ]; then
if [ -n "${FIND4}" ]; then
EXIM_TYPE="SATELLITE"
else
EXIM_TYPE="SMARTHOST"
fi
fi
if [ ! -z "${EXIM_TYPE}" ]; then
if [ -n "${EXIM_TYPE}" ]; then
LogText "Result: Exim Type - ${EXIM_TYPE}"
Display --indent 4 --text "- Type" --result "${EXIM_TYPE}" --color GREEN
else
@ -101,7 +101,7 @@
if [ "${EXIM_TYPE}" = "INTERNET HOST" -o "${EXIM_TYPE}" = "SMARTHOST" ]; then
LogText "Test: Exim Public Interfaces"
EXIM_IP=$(exim -bP local_interfaces | cut -d '=' -f2 | sed -e 's/\s*<\s*\;\?//' -e 's/\s*::0\s*\;\?//' -e 's/\s*127.0.0.1\s*\;\?//' -e 's/^\s*//' -e 's/\s*$//')
if [ ! -z "${EXIM_IP}" ]; then
if [ -n "${EXIM_IP}" ]; then
LogText "Result: ${EXIM_IP}"
Display --indent 4 --text "- Public Interface(s)" --result "${EXIM_IP}" --color GREEN
else
@ -111,7 +111,7 @@
LogText "Test: Exim TLS State"
EXIM_TLS=$(exim -bP tls_advertise_hosts | cut -d '=' -f2 | sed -e 's/^\s*//' -e 's/\s*$//')
if [ ! -z "${EXIM_TLS}" ]; then
if [ -n "${EXIM_TLS}" ]; then
LogText "Result: Enabled"
Display --indent 4 --text "- TLS" --result "ENABLED" --color GREEN
else
@ -120,7 +120,7 @@
fi
fi
if [ ! -z "${EXIM_TYPE}" -a "${EXIM_TYPE}" != "LOCAL ONLY" ]; then
if [ -n "${EXIM_TYPE}" -a "${EXIM_TYPE}" != "LOCAL ONLY" ]; then
LogText "Test: Exim Certificate and Private Key"
case "${EXIM_TYPE}" in
@ -134,7 +134,7 @@
;;
esac
if [ ! -z "${EXIM_CERTIFICATE}" ]; then
if [ -n "${EXIM_CERTIFICATE}" ]; then
LogText "Result: ${EXIM_CERTIFICATE}"
if [ -f "${EXIM_CERTIFICATE}" ]; then
Display --indent 4 --text "- Certificate" --result "${STATUS_FOUND}" --color GREEN
@ -148,7 +148,7 @@
Display --indent 4 --text "- Certificate not set" --result "${STATUS_WARNING}" --color WHITE
fi
if [ ! -z "${EXIM_PRIVATEKEY}" ]; then
if [ -n "${EXIM_PRIVATEKEY}" ]; then
LogText "Result: ${EXIM_PRIVATEKEY}"
if [ -f "${EXIM_PRIVATEKEY}" ]; then
LogText "Result: Private Key found."
@ -175,7 +175,7 @@
LogText "Test: check Postfix status"
# Some other processes also use master, therefore it should include both master and postfix
FIND1=$(${PSBINARY} ax | ${GREPBINARY} "master" | ${GREPBINARY} "postfix" | ${GREPBINARY} -v "grep")
if [ ! -z "${FIND1}" ]; then
if [ -n "${FIND1}" ]; then
LogText "Result: found running Postfix process"
Display --indent 2 --text "- Postfix status" --result "${STATUS_RUNNING}" --color GREEN
POSTFIX_RUNNING=1
@ -210,7 +210,7 @@
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: using postconf to see if Postfix configuration has errors"
FIND=$(${POSTCONFBINARY} 2>&1 | ${GREPBINARY} "warning:")
if [ ! -z "${FIND}" ]; then
if [ -n "${FIND}" ]; then
Report "postfix_config_error=1"
Display --indent 6 --text "- Postfix configuration errors" --result "${STATUS_WARNING}" --color RED
LogText "Result: found an error or warning in the Postfix configuration. Manual check suggested."
@ -233,21 +233,21 @@
FIND2=$(${POSTCONFBINARY} 2> /dev/null | ${GREPBINARY} '^smtpd_banner' | ${GREPBINARY} '$mail_name')
FIND3=$(${POSTCONFBINARY} 2> /dev/null | ${GREPBINARY} '^mail_name' | ${GREPBINARY} -i 'postfix')
FIND4=$(${POSTCONFBINARY} 2> /dev/null | ${GREPBINARY} '^smtpd_banner' | ${GREPBINARY} -i "${OS}")
if [ ! -z "${LINUX_VERSION}" ]; then
if [ -n "${LINUX_VERSION}" ]; then
FIND5=$(${POSTCONFBINARY} 2> /dev/null | ${GREPBINARY} '^smtpd_banner' | ${GREPBINARY} -i "${LINUX_VERSION}")
fi
SHOWWARNING=0
if [ ! -z "${FIND1}" ]; then
if [ -n "${FIND1}" ]; then
SHOWWARNING=1
Report "banner_software_disclosure[]=${FIND1}"
elif [ ! -z "${FIND2}" -a ! -z "${FIND3}" ]; then
elif [ -n "${FIND2}" -a -n "${FIND3}" ]; then
SHOWWARNING=1
Report "banner_software_disclosure[]=${FIND2}"
elif [ ! -z "${FIND4}" ]; then
elif [ -n "${FIND4}" ]; then
SHOWWARNING=1
Report "banner_os_disclosure[]=${FIND4}"
elif [ ! -z "${FIND5}" ]; then
elif [ -n "${FIND5}" ]; then
SHOWWARNING=1
Report "banner_os_disclosure[]=${FIND5}"
fi
@ -342,7 +342,7 @@
#
# Test : MAIL-8920
# Description : Check OpenSMTPD process status
if [ ! -z "${SMTPCTLBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
if [ -n "${SMTPCTLBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no MAIL-8920 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check OpenSMTPD status"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: check smtpd status"


@ -45,7 +45,7 @@
Register --test-no MALW-3275 --weight L --network NO --category security --description "Check for chkrootkit"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: checking presence chkrootkit"
if [ ! -z "${CHKROOTKITBINARY}" ]; then
if [ -n "${CHKROOTKITBINARY}" ]; then
Display --indent 2 --text "- ${GEN_CHECKING} chkrootkit" --result "${STATUS_FOUND}" --color GREEN
LogText "Result: Found ${CHKROOTKITBINARY}"
MALWARE_SCANNER_INSTALLED=1
@ -63,7 +63,7 @@
Register --test-no MALW-3276 --weight L --network NO --category security --description "Check for Rootkit Hunter"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: checking presence Rootkit Hunter"
if [ ! -z "${RKHUNTERBINARY}" ]; then
if [ -n "${RKHUNTERBINARY}" ]; then
Display --indent 2 --text "- ${GEN_CHECKING} Rootkit Hunter" --result "${STATUS_FOUND}" --color GREEN
LogText "Result: Found ${RKHUNTERBINARY}"
MALWARE_SCANNER_INSTALLED=1
@ -307,7 +307,7 @@
Register --test-no MALW-3288 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for ClamXav"
if [ ${SKIPTEST} -eq 0 ]; then
CLAMSCANBINARY=$(${LSBINARY} /Applications/ClamXav.app/Contents/Resources/ScanningEngine/bin/ 2> /dev/null | ${GREPBINARY} 'clamscan')
if [ ! -z "${CLAMSCANBINARY}" ]; then
if [ -n "${CLAMSCANBINARY}" ]; then
LogText "Result: Found ClamXav clamscan installed"
Display --indent 2 --text "- ${GEN_CHECKING} ClamXav AV scanner" --result "${STATUS_FOUND}" --color GREEN
MALWARE_SCANNER_INSTALLED=1


@ -188,7 +188,7 @@
# If files and commands can't be found, use defined value from resolv.conf
if [ -z "${DOMAINNAME}" ]; then
if [ ! -z "${RESOLV_DOMAINNAME}" ]; then
if [ -n "${RESOLV_DOMAINNAME}" ]; then
LogText "Result: using domain name from ${ROOTDIR}etc/resolv.conf"
DOMAINNAME=${RESOLV_DOMAINNAME}
else
@ -197,7 +197,7 @@
fi
fi
if [ ! -z "${DOMAINNAME}" ]; then
if [ -n "${DOMAINNAME}" ]; then
LogText "Result: found domain name"
Report "domainname=${DOMAINNAME}"
Display --indent 2 --text "- Searching DNS domain name" --result "${STATUS_FOUND}" --color GREEN
@ -303,7 +303,7 @@
LogText "Result: found configuration file (${BIND_CONFIG_LOCATION})"
fi
done
if [ ! -z "${BIND_CONFIG_LOCATION}" ]; then
if [ -n "${BIND_CONFIG_LOCATION}" ]; then
Display --indent 4 --text "- Checking BIND configuration file" --result "${STATUS_FOUND}" --color GREEN
else
Display --indent 4 --text "- Checking BIND configuration file" --result "${STATUS_NOT_FOUND}" --color YELLOW
@ -449,12 +449,12 @@
#
# Test : NAME-4238
# Description : Check PowerDNS authoritative status
if [ ${POWERDNS_RUNNING} -eq 1 -a ! -z "${POWERDNS_AUTH_CONFIG_LOCATION}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
if [ ${POWERDNS_RUNNING} -eq 1 -a -n "${POWERDNS_AUTH_CONFIG_LOCATION}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no NAME-4238 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check PowerDNS authoritative status"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking for PowerDNS master status"
FIND=$(${GREPBINARY} "^master=yes" ${POWERDNS_AUTH_CONFIG_LOCATION})
if [ ! -z "${FIND}" ]; then
if [ -n "${FIND}" ]; then
LogText "Found master=yes in configuration file"
Display --indent 4 --text "- PowerDNS authoritative master: YES"
POWERDNS_AUTH_MASTER=1
@ -464,7 +464,7 @@
fi
LogText "Test: Checking for PowerDNS slave status"
FIND=$(${GREPBINARY} "^slave=yes" ${POWERDNS_AUTH_CONFIG_LOCATION})
if [ ! -z "${FIND}" ]; then
if [ -n "${FIND}" ]; then
LogText "Found slave=yes in configuration file"
Display --indent 4 --text "- PowerDNS authoritative slave: YES"
POWERDNS_AUTH_SLAVE=1
@ -509,7 +509,7 @@
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking $(domainname) for NIS domain value"
FIND=$(${DOMAINNAMEBINARY} | ${GREPBINARY} -v "(none)")
if [ ! -z "${FIND}" ]; then
if [ -n "${FIND}" ]; then
LogText "Value: ${FIND}"
NISDOMAIN="${FIND}"
else
@ -520,7 +520,7 @@
if [ -f ${ROOTDIR}etc/defaultdomain ]; then
LogText "Result: file ${ROOTDIR}etc/defaultdomain exists"
FIND2=$(cat ${ROOTDIR}etc/defaultdomain)
if [ ! -z "${FIND2}" ]; then
if [ -n "${FIND2}" ]; then
LogText "Output: ${FIND2}"
NISDOMAIN="${FIND2}"
else
@ -533,7 +533,7 @@
LogText "Result: file ${ROOTDIR}etc/sysconfig/network exists"
LogText "Test: checking NISDOMAIN value in file"
FIND3=$(${GREPBINARY} "^NISDOMAIN" ${ROOTDIR}etc/sysconfig/network | ${AWKBINARY} -F= '{ print $2 }' | ${SEDBINARY} 's/"//g')
if [ ! -z "${FIND3}" ]; then
if [ -n "${FIND3}" ]; then
LogText "Found NIS domain: ${FIND3}"
NISDOMAIN="${FIND3}"
else
@ -553,7 +553,7 @@
fi
fi
# Check if we found any NIS domain
if [ ! -z "${NISDOMAIN}" ]; then
if [ -n "${NISDOMAIN}" ]; then
LogText "Found NIS domain: ${NISDOMAIN}"
Report "nisdomain=${NISDOMAIN}"
Display --indent 4 --text "- Checking NIS domain" --result "${STATUS_FOUND}" --color GREEN
@ -636,7 +636,7 @@
#
# Test : NAME-4408
# Description : Check localhost entry
if [ ! -z "${GETENT_BINARY}" ]; then PREQS_MET="YES"; SKIPREASON="No getent binary"; else PREQS_MET="NO"; SKIPREASON=""; fi
if [ -n "${GETENT_BINARY}" ]; then PREQS_MET="YES"; SKIPREASON="No getent binary"; else PREQS_MET="NO"; SKIPREASON=""; fi
Register --test-no NAME-4408 --preqs-met ${PREQS_MET} --skip-reason "${SKIPREASON}" --weight L --network NO --category security --description "Check localhost entry"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Check server hostname not locally mapped in /etc/hosts"
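Review bot: The NAME-4408 prerequisite line has its skip reasons swapped: `SKIPREASON="No getent binary"` is set in the branch where `GETENT_BINARY` is non-empty, while the `else` branch, where the test is skipped, sets `SKIPREASON=""`. The INSE-8050 line in this same commit shows the intended shape, with an empty reason when the prerequisite is met. Suggested line: `if [ -n "${GETENT_BINARY}" ]; then PREQS_MET="YES"; SKIPREASON=""; else PREQS_MET="NO"; SKIPREASON="No getent binary"; fi`. As written, a skipped test is presumably registered without an explanation, which makes gaps in audit coverage harder to notice.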


@ -47,7 +47,7 @@
IPV6_MISCONFIGURED=0
IPV6_MISCONFIGURED_MTU=0
FIND=$(sysctl -a 2> /dev/null | ${GREPBINARY} "^net.ipv6" | ${SEDBINARY} "s/ = /=/")
if [ ! -z "${FIND}" ]; then
if [ -n "${FIND}" ]; then
IPV6_CONFIGURED=1
for I in ${FIND}; do
SYSCTL_KEY=$(echo ${I} | ${AWKBINARY} -F= '{ print $1 }')
@ -124,7 +124,7 @@
if [ -f /etc/resolv.conf ]; then
LogText "Result: Found /etc/resolv.conf file"
FIND=$(${GREPBINARY} '^nameserver' /etc/resolv.conf | ${TRBINARY} -d '\t' | ${SEDBINARY} 's/nameserver*//g' | uniq | ${CUTBINARY} -d# -f1)
if [ ! -z "${FIND}" ]; then
if [ -n "${FIND}" ]; then
Display --indent 4 --text "- Testing nameservers"
LogText "Test: Querying nameservers"
for I in ${FIND}; do
@ -134,7 +134,7 @@
if [ "${I}" = "::1" -o "${I}" = "127.0.0.1" -o "${I}" = "127.0.0.53" -o "${I}" = "127.0.1.1" -o "${I}" = "0.0.0.0" ]; then
LOCAL_DNSRESOLVER_FOUND=1
fi
if [ ! -z "${DIGBINARY}" ]; then
if [ -n "${DIGBINARY}" ]; then
# See if we can query something at the nameserver
# 0=good, other=bad
DNSRESPONSE=$(${DIGBINARY} +noall +time=3 +retry=0 @${I} ${FQDN} > /dev/null ; echo $?)
@ -167,7 +167,7 @@
Register --test-no NETW-2705 --preqs-met ${PREQS_MET} --weight L --network YES --category security --description "Check availability two nameservers"
if [ ${SKIPTEST} -eq 0 ]; then
SKIP=0
if [ ! -z "${DIGBINARY}" ]; then
if [ -n "${DIGBINARY}" ]; then
if [ ${NUMBERACTIVENS} -lt 2 ]; then
Display --indent 4 --text "- Minimal of 2 responsive nameservers" --result "${STATUS_WARNING}" --color RED
LogText "Result: less than 2 responsive nameservers found"
@ -193,12 +193,12 @@
# Test : NETW-3001
# Description : Find default gateway (route)
# More info : BSD: ^default Linux: 0.0.0.0
if [ ! -z "${NETSTATBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
if [ -n "${NETSTATBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no NETW-3001 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Find default gateway (route)"
if [ $SKIPTEST -eq 0 ]; then
LogText "Test: Searching default gateway(s)"
FIND=$(${NETSTATBINARY} -rn | ${EGREPBINARY} "^0.0.0.0|default" | ${TRBINARY} -s ' ' | ${CUTBINARY} -d ' ' -f2)
if [ ! -z "${FIND}" ]; then
if [ -n "${FIND}" ]; then
for I in ${FIND}; do
LogText "Result: Found default gateway ${I}"
Report "default_gateway[]=${I}"
@ -222,9 +222,9 @@
FIND=$(${IFCONFIGBINARY} -a 2> /dev/null | ${GREPBINARY} "flags=" | ${AWKBINARY} -F ":" '{ print $1 }')
;;
Linux)
if [ ! -z "${IPBINARY}" ]; then
if [ -n "${IPBINARY}" ]; then
FIND=$(${IPBINARY} link show 2> /dev/null | ${GREPBINARY} "^[0-9]" | ${AWKBINARY} '{ print $2 }' | ${SEDBINARY} 's/://g')
elif [ ! -z "${IFCONFIGBINARY}" ]; then
elif [ -n "${IFCONFIGBINARY}" ]; then
FIND=$(${IFCONFIGBINARY} -a 2> /dev/null | ${AWKBINARY} '{ if ( $2 == "Link" ) { print $1 }}')
fi
;;
@ -265,14 +265,14 @@
FIND=$(${IFCONFIGBINARY} -a 2> /dev/null | ${AWKBINARY} '{ if ($1=="ether") print $2 }' | ${SORTBINARY} -u)
;;
Linux)
if [ ! -z "${IFCONFIGBINARY}" ]; then
if [ -n "${IFCONFIGBINARY}" ]; then
FIND=$(${IFCONFIGBINARY} -a 2> /dev/null | ${GREPBINARY} "HWaddr" | ${AWKBINARY} '{ if ($4=="HWaddr") print $5 }' | ${SORTBINARY} -u)
# CentOS 7.x and others may return nothing. Let's retry with 'ether' field.
if [ -z "${FIND}" ]; then
FIND=$(${IFCONFIGBINARY} -a 2> /dev/null | ${AWKBINARY} '{ if ($1=="ether") print $2 }' | ${SORTBINARY} -u)
fi
else
if [ ! -z "${IPBINARY}" ]; then
if [ -n "${IPBINARY}" ]; then
LogText "Test: Using ip binary to gather hardware addresses"
FIND=$(${IPBINARY} link 2> /dev/null | ${GREPBINARY} "link/ether" | ${AWKBINARY} '{ print $2 }')
else
@ -320,12 +320,12 @@
FIND2=$(${IFCONFIGBINARY} -a 2> /dev/null | ${AWKBINARY} '{ if ($1=="inet6") print $2 }')
;;
Linux)
if [ ! -z "${IFCONFIGBINARY}" ]; then
if [ -n "${IFCONFIGBINARY}" ]; then
FIND=$(${IFCONFIGBINARY} -a 2> /dev/null | ${AWKBINARY} '{ if ($1=="inet") print $2 }' | ${CUTBINARY} -d ':' -f2)
# Version which works for multiple types of ifconfig (e.g. Slackware)
FIND2=$(${IFCONFIGBINARY} -a 2> /dev/null | ${AWKBINARY} '{ if ($1=="inet6" && $2=="addr:") { print $3 } else { if ($1=="inet6" && $3=="prefixlen") { print $2 } } }')
else
if [ ! -z "${IPBINARY}" ]; then
if [ -n "${IPBINARY}" ]; then
LogText "Test: Using ip binary to gather IP addresses"
FIND=$(${IPBINARY} addr 2> /dev/null | ${AWKBINARY} '{ if ($1=="inet") { print $2 }}' | ${SEDBINARY} 's/\/.*//')
FIND2=$(${IPBINARY} addr 2> /dev/null | ${AWKBINARY} '{ if ($1=="inet6") { print $2 }}' | ${SEDBINARY} 's/\/.*//')
@ -375,7 +375,7 @@
COUNT=0
case ${OS} in
DragonFly|FreeBSD)
if [ ! -z "${SOCKSTATBINARY}" ]; then
if [ -n "${SOCKSTATBINARY}" ]; then
FIND=$(${SOCKSTATBINARY} | ${AWKBINARY} '{ if ($7 ~ /\*:\*/) print $5"|"$6"|"$2"|" }' | ${SORTBINARY} -u)
# To strip off IP's: ${SEDBINARY} 's/|.*:/|/'
else
@ -513,17 +513,17 @@
NETWORK=""
USE_IP_INSTEAD_IFCONFIG=0
if [ ! -z "${IPBINARY}" ]; then
if [ -n "${IPBINARY}" ]; then
LogText "Test: Using ip binary to retrieve network interfaces"
NETWORK=$(${IPBINARY} -o link 2> /dev/null | ${GREPBINARY} "^[0-9]" | ${AWKBINARY} '{print $2 }' | ${TRBINARY} -d ':')
USE_IP_INSTEAD_IFCONFIG=1
elif [ ! -z "${IFCONFIGBINARY}" ]; then
elif [ -n "${IFCONFIGBINARY}" ]; then
LogText "Test: Using ifconfig binary to retrieve network interfaces"
NETWORK=$(${IFCONFIGBINARY} 2> /dev/null | ${GREPBINARY} Link | ${TRBINARY} -s ' ' | ${CUTBINARY} -d ' ' -f1)
fi
LogText "Test: Checking all interfaces to discover any with promiscuous mode enabled"
if [ ! -z "${NETWORK}" ]; then
if [ -n "${NETWORK}" ]; then
FOUNDPROMISC=0
for I in ${NETWORK}; do
if [ ${USE_IP_INSTEAD_IFCONFIG} -eq 1 ]; then
@ -531,7 +531,7 @@
else
FIND=$(${IFCONFIGBINARY} ${I} 2> /dev/null | ${GREPBINARY} PROMISC)
fi
if [ ! -z "${FIND}" ]; then
if [ -n "${FIND}" ]; then
LogText "Result: Promiscuous interface: ${I}"
ISWHITELISTED=$(${GREPBINARY} "^if_promisc:${I}:" ${PROFILE})
if [ -z "${ISWHITELISTED}" ]; then


@ -139,7 +139,7 @@
fi
done
if [ ! -z "${PHPINIFILE}" ]; then
if [ -n "${PHPINIFILE}" ]; then
Display --indent 2 --text "- Checking PHP" --result "${STATUS_FOUND}" --color GREEN
LogText "Result: using single file ${PHPINIFILE} for main php.ini tests"
LogText "Result: using php.ini array ${PHPINI_ALLFILES} for further tests"
@ -154,7 +154,7 @@
#
# Test : PHP-2320
# Description : Check php disable functions option
if [ ! -z "${PHPINI_ALLFILES}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
if [ -n "${PHPINI_ALLFILES}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PHP-2320 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check PHP disabled functions"
if [ ${SKIPTEST} -eq 0 ]; then
FOUND=0
@ -194,7 +194,7 @@
# Test : PHP-2368
# Description : Check php register_globals option
# Notes : Don't test for it if PHP version is 5.4.0 or later (it has been removed)
if [ ! -z "${PHPINIFILE}" -a ! -z "${PHPVERSION}" -a ! -z "${EGREPBINARY}" ]; then
if [ -n "${PHPINIFILE}" -a -n "${PHPVERSION}" -a -n "${EGREPBINARY}" ]; then
if [ -f "${PHPINIFILE}" ]; then
FIND=$(echo ${PHPVERSION} | ${EGREPBINARY} "^(4.|5.[0-3])")
if [ -z "${FIND}" ]; then
@ -215,7 +215,7 @@
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking PHP register_globals option"
FIND=$(${EGREPBINARY} -i 'register_globals.*(on|yes|1)' ${PHPINIFILE} | ${GREPBINARY} -v '^;')
if [ ! -z "${FIND}" ]; then
if [ -n "${FIND}" ]; then
Display --indent 4 --text "- Checking register_globals option" --result "${STATUS_WARNING}" --color RED
ReportWarning ${TEST_NO} "PHP option register_globals option is turned on, which can be a risk for variable value overwriting"
ReportSuggestion ${TEST_NO} "Change the register_globals line to: register_globals = Off"
@ -235,7 +235,7 @@
# Description : Check PHP expose_php option
# Background : When this option is turned on, PHP will show its version number in the HTTP headers
# Notes : TODO - Extend test to check all PHP files
if [ ! -z "${PHPINI_ALLFILES}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
if [ -n "${PHPINI_ALLFILES}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PHP-2372 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check PHP expose_php option"
if [ ${SKIPTEST} -eq 0 ]; then
FOUND=0
@ -266,12 +266,12 @@
# Test : PHP-2374
# Description : Check PHP enable_dl option
# Notes : Extend test to check all PHP files
if [ ! -z "${PHPINIFILE}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
if [ -n "${PHPINIFILE}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PHP-2374 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check PHP enable_dl option"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking PHP enable_dl option"
FIND=$(${EGREPBINARY} -i 'enable_dl.*(on|yes|1)' ${PHPINIFILE} | ${GREPBINARY} -v '^;')
if [ ! -z "${FIND}" ]; then
if [ -n "${FIND}" ]; then
Display --indent 4 --text "- Checking enable_dl option" --result "${STATUS_ON}" --color YELLOW
Report "Result: enable_dl option is turned on, which can be used to enable more modules dynamically and circumventing security controls"
ReportSuggestion ${TEST_NO} "Change the enable_dl line to: enable_dl = Off, to disable dynamically loading new modules"
@ -288,7 +288,7 @@
# Test : PHP-2376
# Description : Check PHP allow_url_fopen option
# Notes : Extend test to check all PHP files YYY
if [ ! -z "${PHPINIFILE}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
if [ -n "${PHPINIFILE}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PHP-2376 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check PHP allow_url_fopen option"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking PHP allow_url_fopen option"
@ -311,7 +311,7 @@
# Test : PHP-2378
# Description : Check PHP allow_url_include option
# Notes : Extend test to check all PHP files YYY
if [ ! -z "${PHPINIFILE}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
if [ -n "${PHPINIFILE}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PHP-2378 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check PHP allow_url_include option"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking PHP allow_url_include option"
@ -333,7 +333,7 @@
# - test disabled for time being, as newer suhosin7 work is not stable enough -
# Test : PHP-2379
# Description : Check PHP suhosin extension status
#if [ ! -z "${PHPINI_ALLFILES}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
#if [ -n "${PHPINI_ALLFILES}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
#Register --test-no PHP-2379 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check PHP suhosin extension status"
#if [ ${SKIPTEST} -eq 0 ]; then
@ -365,14 +365,14 @@
# fi
# # Check Suhosin for PHP 7
# if [ ! -z "${MAJOR_VERSION}" -a ${FOUND} -eq 1 ]; then
# if [ -n "${MAJOR_VERSION}" -a ${FOUND} -eq 1 ]; then
# LogText "Test: Check Suhosin for PHP 7 is not enabled"
# LogText "Result: Suhosin for PHP 7 is in alpha stage and should not be used in production"
# ReportSuggestion ${TEST_NO} "Disable Suhosin for PHP 7"
# Display --indent 4 --text "- Checking PHP suhosin extension status" --result "${STATUS_WARNING}" --color RED
# Display --indent 6 --text "- Suhosin is enabled for PHP 7" --result "${STATUS_WARNING}" --color RED
# AddHP 0 1
# elif [ ! -z "${MAJOR_VERSION}" -a ${FOUND} -eq 0 ]; then
# elif [ -n "${MAJOR_VERSION}" -a ${FOUND} -eq 0 ]; then
# LogText "Test: Check Suhosin for PHP 7 is not enabled"
# LogText "Result: Suhosin for PHP 7 is not enabled"
# Display --indent 4 --text "- Checking PHP suhosin extension status" --result "${STATUS_OK}" --color GREEN


@ -88,7 +88,7 @@
# Test : PKGS-7303
# Description : Query brew package manager
FIND=$(which brew 2> /dev/null | grep -v "no [^ ]* in ")
if [ ! -z "${FIND}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
if [ -n "${FIND}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PKGS-7303 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Query brew package manager"
if [ ${SKIPTEST} -eq 0 ]; then
Display --indent 4 --text "- Searching brew" --result "${STATUS_FOUND}" --color GREEN
@ -158,7 +158,7 @@
#
# Test : PKGS-7308
# Description : RPM package based systems
if [ ! -z "${RPMBINARY}" -a -z "${DNFBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
if [ -n "${RPMBINARY}" -a -z "${DNFBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PKGS-7308 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking package list with RPM"
if [ ${SKIPTEST} -eq 0 ]; then
COUNT=0
@ -191,7 +191,7 @@
#
# Test : PKGS-7310
# Description : pacman package based systems
if [ ! -z "${PACMANBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
if [ -n "${PACMANBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PKGS-7310 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking package list with pacman"
if [ ${SKIPTEST} -eq 0 ]; then
COUNT=0
@ -222,12 +222,12 @@
#
# Test : PKGS-7312
# Description : Check for available package updates when pacman package is used
if [ ! -z "${PACMANBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
if [ -n "${PACMANBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PKGS-7312 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking available updates for pacman based system"
if [ ${SKIPTEST} -eq 0 ]; then
FOUND=0
FIND=$(which checkupdates 2> /dev/null | grep -v "no [^ ]* in ")
if [ ! -z "${FIND}" ]; then
if [ -n "${FIND}" ]; then
FIND=$(checkupdates)
for I in ${FIND}; do
LogText "Result: update available for ${I}"
@ -252,7 +252,7 @@
# Test : PKGS-7314
# Description : Check pacman.conf options
PACMANCONF="/etc/pacman.conf"
if [ ! -z "${PACMANBINARY}" -a -f ${PACMANCONF} ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
if [ -n "${PACMANBINARY}" -a -f ${PACMANCONF} ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PKGS-7314 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking pacman configuration options"
if [ ${SKIPTEST} -eq 0 ]; then
COUNT=0
@ -315,7 +315,7 @@
#
# Test : PKGS-7322
# Description : Discover vulnerable packages with arch-audit
if [ ! -z "${ARCH_AUDIT_BINARY}" ]; then PREQS_MET="YES"; SKIPREASON=""; else PREQS_MET="NO"; SKIPREASON="arch-audit not found"; fi
if [ -n "${ARCH_AUDIT_BINARY}" ]; then PREQS_MET="YES"; SKIPREASON=""; else PREQS_MET="NO"; SKIPREASON="arch-audit not found"; fi
Register --test-no PKGS-7322 --os "Linux" --preqs-met ${PREQS_MET} --skip-reason "${SKIPREASON}" --weight L --network NO --category security --description "Discover vulnerable packages with arch-audit"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: checking arch-audit output for vulnerable packages"
@ -338,14 +338,14 @@
#
# Test : PKGS-7328
# Description : Check installed packages with Zypper
if [ ! -z "${ZYPPERBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
if [ -n "${ZYPPERBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PKGS-7328 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Querying Zypper for installed packages"
if [ ${SKIPTEST} -eq 0 ]; then
COUNT=0
PACKAGE_AUDIT_TOOL_FOUND=1
PACKAGE_AUDIT_TOOL="zypper"
FIND=$(${ZYPPERBINARY} --non-interactive -n se -t package -i | ${AWKBINARY} '{ if ($1=="i") { print $3 } }')
if [ ! -z "${FIND}" ]; then
if [ -n "${FIND}" ]; then
for PKG in ${FIND}; do
COUNT=$((COUNT + 1))
LogText "Installed package: ${PKG}"
@ -362,11 +362,11 @@
#
# Test : PKGS-7330
# Description : Check vulnerable packages with Zypper
if [ ! -z "${ZYPPERBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
if [ -n "${ZYPPERBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PKGS-7330 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Querying Zypper for vulnerable packages"
if [ ${SKIPTEST} -eq 0 ]; then
FIND=$(${ZYPPERBINARY} --non-interactive pchk | ${GREPBINARY} "(0 security patches)")
if [ ! -z "${FIND}" ]; then
if [ -n "${FIND}" ]; then
LogText "Result: No security updates found with Zypper"
Display --indent 2 --text "- Using Zypper to find vulnerable packages" --result "${STATUS_NONE}" --color GREEN
else
@ -520,7 +520,7 @@
# Test : PKGS-7350
# Description : Use Dandified YUM to gather installed packages
# Notes : Possible replacement for YUM in the long term
if [ ! -z "${DNFBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
if [ -n "${DNFBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no "PKGS-7350" --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking for installed packages with DNF utility"
if [ ${SKIPTEST} -eq 0 ]; then
COUNT=0
@ -546,13 +546,13 @@
#
# Test : PKGS-7352
# Description : Use Dandified YUM to detect security updates
if [ ! -z "${DNFBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
if [ -n "${DNFBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no "PKGS-7352" --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking for security updates with DNF utility"
if [ ${SKIPTEST} -eq 0 ]; then
# Check for security updates
LogText "Action: checking updateinfo for security updates"
FIND=$(${DNFBINARY} -q updateinfo list sec 2> /dev/null | ${AWKBINARY} '{ if ($2=="security") { print $3 }}')
if [ ! -z "${FIND}" ]; then
if [ -n "${FIND}" ]; then
VULNERABLE_PACKAGES_FOUND=1
LogText "Result: found vulnerable packages, upgrade of system needed."
for PKG in ${FIND}; do
@ -574,20 +574,20 @@
#
# Test : PKGS-7354
# Description : Perform integrity tests for package database
if [ ! -z "${DNFBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
if [ -n "${DNFBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no "PKGS-7354" --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking package database integrity"
if [ ${SKIPTEST} -eq 0 ]; then
# Check if repoquery plugin is available
FIND=$(${DNFBINARY} 2>&1 | ${GREPBINARY} "^repoquery")
if [ ! -z "${FIND}" ]; then
if [ -n "${FIND}" ]; then
LogText "Action: checking integrity of package database"
FIND=$(${DNFBINARY} -q repoquery --duplicated)
if [ ! -z "${FIND}" ]; then
if [ -n "${FIND}" ]; then
LogText "Result: found unexpected result on repoquery --duplicated"
ReportSuggestion "${TEST_NO}" "Check output of: dnf repoquery --duplicated"
fi
FIND=$(${DNFBINARY} -q repoquery --unsatisfied)
if [ ! -z "${FIND}" ]; then
if [ -n "${FIND}" ]; then
LogText "Result: found unexpected result on repoquery --unsatisfied"
ReportSuggestion "${TEST_NO}" "Check output of: dnf repoquery --unsatisfied"
fi
@ -600,17 +600,17 @@
#
# Test : PKGS-7366
# Description : Checking if debsecan is installed and enabled on Debian systems
if [ ! -z "${DEBSECANBINARY}" -a "${OS}" = "Linux" -a "${LINUX_VERSION}" = "Debian" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
if [ -n "${DEBSECANBINARY}" -a "${OS}" = "Linux" -a "${LINUX_VERSION}" = "Debian" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no "PKGS-7366" --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking for debsecan utility"
if [ ${SKIPTEST} -eq 0 ]; then
if [ ! -z "${DEBSECANBINARY}" ]; then
if [ -n "${DEBSECANBINARY}" ]; then
LogText "Result: debsecan utility is installed"
Display --indent 4 --text "- debsecan utility" --result "${STATUS_FOUND}" --color GREEN
AddHP 3 3
PACKAGE_AUDIT_TOOL_FOUND=1
PACKAGE_AUDIT_TOOL="debsecan"
FIND=$(${FINDBINARY} ${ROOTDIR}etc/cron* -name debsecan)
if [ ! -z "${FIND}" ]; then
if [ -n "${FIND}" ]; then
LogText "Result: cron job is configured for debsecan"
Display --indent 6 --text "- debsecan cron job" --result "${STATUS_FOUND}" --color GREEN
AddHP 3 3
@ -633,10 +633,10 @@
# Test : PKGS-7370
# Description : Checking debsums installation status and presence in cron job
# Note : Run this only when it is a DPKG based system
if [ ! -z "${DPKGBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
if [ -n "${DPKGBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no "PKGS-7370" --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking for debsums utility"
if [ ${SKIPTEST} -eq 0 ]; then
if [ ! -z "${DEBSUMSBINARY}" ]; then
if [ -n "${DEBSUMSBINARY}" ]; then
LogText "Result: debsums utility is installed"
Display --indent 4 --text "- debsums utility" --result "${STATUS_FOUND}" --color GREEN
AddHP 1 1
@ -728,7 +728,7 @@
# Description : Check for vulnerable FreeBSD packages (with pkg)
# Notes : Related vulnerability file is /var/db/pkg/vuln.xml
# TODO : Run this in any jail
if [ ! -z "${PKG_BINARY}" ]; then PREQS_MET="YES"; SKIPREASON=""; else PREQS_MET="NO"; SKIPREASON="pkg tool not available"; fi
if [ -n "${PKG_BINARY}" ]; then PREQS_MET="YES"; SKIPREASON=""; else PREQS_MET="NO"; SKIPREASON="pkg tool not available"; fi
Register --test-no PKGS-7381 --preqs-met ${PREQS_MET} --skip-reason "${SKIPREASON}" --weight L --network NO --category security --description "Check for vulnerable FreeBSD packages with pkg"
if [ ${SKIPTEST} -eq 0 ]; then
COUNT=0
@ -746,7 +746,7 @@
Display --indent 2 --text "- Checking pkg audit to obtain vulnerable packages" --result "${STATUS_NONE}" --color GREEN
AddHP 10 10
elif [ $? -eq 1 ]; then
if [ ! -z "${FIND}" ]; then
if [ -n "${FIND}" ]; then
VULNERABLE_PACKAGES_FOUND=1
Display --indent 2 --text "- Checking pkg audit to obtain vulnerable packages" --result "${STATUS_FOUND}" --color YELLOW
for ITEM in ${FIND}; do
@ -804,7 +804,7 @@
# Test : PKGS-7383
# Description : Check for YUM package Update management
# Notes : Skip if DNF is used as package manager
if [ ! -z "${YUMBINARY}" -a -z "${DNFBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
if [ -n "${YUMBINARY}" -a -z "${DNFBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PKGS-7383 --preqs-met ${PREQS_MET} --os Linux --weight M --network NO --category security --description "Check for YUM package update management"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: YUM package update management"
@ -823,7 +823,7 @@
#
# Test : PKGS-7384
# Description : Search for YUM utils package
if [ ! -z "${YUMBINARY}" -a -z "${DNFBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
if [ -n "${YUMBINARY}" -a -z "${DNFBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PKGS-7384 --preqs-met ${PREQS_MET} --os Linux --weight L --network NO --category security --description "Check for YUM utils package"
if [ ${SKIPTEST} -eq 0 ]; then
# package-cleanup tool can be found in different locations
@ -903,7 +903,7 @@
# Check if it's installed as package (this is old style)
if [ ${DO_TEST} -eq 0 ]; then
FIND=$(rpm -q yum-security yum-plugin-security | ${GREPBINARY} -v "not installed")
if [ ! -z "${FIND}" ]; then
if [ -n "${FIND}" ]; then
LogText "Result: found yum-plugin-security package"
DO_TEST=1
fi
@ -943,7 +943,7 @@
if [ -x ${ROOTDIR}usr/bin/yum -a -z "${DNFBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PKGS-7387 --preqs-met ${PREQS_MET} --os Linux --weight L --network NO --category security --description "Check for GPG signing in YUM security package"
if [ ${SKIPTEST} -eq 0 ]; then
if [ ! -z "${PYTHONBINARY}" ]; then
if [ -n "${PYTHONBINARY}" ]; then
LogText "Test: checking enabled repositories"
REPOS=$(${PYTHONBINARY} -c 'import yum ; yb = yum.YumBase() ; yb.conf ; print [(r.id + "=" + str(r.gpgcheck)) for r in yb.repos.listEnabled()]' | ${GREPBINARY} "^\[" | ${TRBINARY} -d '[] ' | ${TRBINARY} -d "'" | ${SEDBINARY} 's/,/ /g')
if [ -z "${REPOS}" ]; then LogText "Result: found no repositories"; fi
@ -991,7 +991,7 @@
if [ -f ${ROOTDIR}etc/apt/sources.list ]; then
LogText "Searching for security.debian.org/security.ubuntu.com or security repositories in /etc/apt/sources.list file"
FIND=$(${EGREPBINARY} "security.debian.org|security.ubuntu.com|security/? " ${ROOTDIR}etc/apt/sources.list | ${GREPBINARY} -v '#' | ${SEDBINARY} 's/ /!space!/g')
if [ ! -z "${FIND}" ]; then
if [ -n "${FIND}" ]; then
FOUND=1
Display --indent 2 --text "- Checking security repository in sources.list file" --result "${STATUS_OK}" --color GREEN
LogText "Result: Found security repository in ${ROOTDIR}etc/apt/sources.list"
@ -1004,7 +1004,7 @@
if [ -d /etc/apt/sources.list.d ]; then
LogText "Searching for security.debian.org/security.ubuntu.com or security repositories in /etc/apt/sources.list.d directory"
FIND=$(${EGREPBINARY} -r "security.debian.org|security.ubuntu.com|security/? " /etc/apt/sources.list.d | ${GREPBINARY} -v '#' | ${SEDBINARY} 's/ /!space!/g')
if [ ! -z "${FIND}" ]; then
if [ -n "${FIND}" ]; then
FOUND=1
Display --indent 2 --text "- Checking security repository in sources.list.d directory" --result "${STATUS_OK}" --color GREEN
LogText "Result: Found security repository in one or more files in directory /etc/apt/sources.list.d"
@ -1100,7 +1100,7 @@
# Trying also with apt-get directly (does not always work, as updates are distributed on both -security and -updates)
# Show packages which would be upgraded and match 'security' in repository name
FIND=$(${ROOTDIR}usr/bin/apt-get --dry-run --show-upgraded upgrade 2> /dev/null | ${GREPBINARY} '-security' | ${GREPBINARY} "^Inst" | ${CUTBINARY} -d ' ' -f2 | ${SORTBINARY} -u)
if [ ! -z "${FIND}" ]; then
if [ -n "${FIND}" ]; then
VULNERABLE_PACKAGES_FOUND=1
SCAN_PERFORMED=1
LogText "Result: found vulnerable package(s) via apt-get (-security channel)"
@ -1247,7 +1247,7 @@
KERNELS=0
LogText "Test: Checking how many kernel packages are installed"
if [ ! -z "${DPKGBINARY}" ]; then
if [ -n "${DPKGBINARY}" ]; then
KERNELS=$(${DPKGBINARY} -l 2> /dev/null | ${GREPBINARY} "linux-image-[0-9]" | ${WCBINARY} -l)
if [ ${KERNELS} -eq 0 ]; then
LogText "Result: found no kernels from dpkg -l output, which is unexpected"
@ -1258,7 +1258,7 @@
else
LogText "Result: found ${KERNELS} kernel packages on the system, which is fine"
fi
elif [ ! -z "${RPMBINARY}" ]; then
elif [ -n "${RPMBINARY}" ]; then
KERNELS=$(${RPMBINARY} -q kernel 2> /dev/null | ${WCBINARY} -l)
if [ ${KERNELS} -eq 0 ]; then
LogText "Result: found no kernels from rpm -q kernel output, which is unexpected"
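Review bot: In the PKGS-7387 hunk, the inline Python passed to `${PYTHONBINARY} -c` uses the Python 2 statement form `print [...]`, which is a syntax error if PYTHONBINARY resolves to a Python 3 interpreter. That failure is not told apart from an empty result: REPOS stays empty and the next line logs "Result: found no repositories", so the GPG-signing check appears to end without examining any repository. Writing the call as `print([(r.id + "=" + str(r.gpgcheck)) for r in yb.repos.listEnabled()])` parses under both interpreters, and the exit status of the Python call should be checked before an empty REPOS is logged as "no repositories". The rest of the test body is outside the hunk.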


@ -211,7 +211,7 @@
FileIsReadable ${QDAEMON_CONFIG_FILE}
if [ ${CANREAD} -eq 1 ]; then
FIND=$(${GREPBINARY} -v "^\*" ${QDAEMON_CONFIG_FILE} | ${EGREPBINARY} "backend|device")
if [ ! -z "${FIND}" ]; then
if [ -n "${FIND}" ]; then
LogText "Result: printers are defined in ${QDAEMON_CONFIG_FILE}"
Display --indent 2 --text "- Checking /etc/qconfig file" --result "${STATUS_FOUND}" --color GREEN
QDAEMON_CONFIG_ENABLED=1
@ -279,7 +279,7 @@
#################################################################################
#
if [ ! -z ${PRINTING_DAEMON} ]; then Report "printing_daemon=${PRINTING_DAEMON}"; fi
if [ -n ${PRINTING_DAEMON} ]; then Report "printing_daemon=${PRINTING_DAEMON}"; fi
WaitForKeyPress
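Review bot: The rewritten guard `if [ -n ${PRINTING_DAEMON} ]` leaves the expansion unquoted, and unlike the old `! -z` form this changes the result. With an empty value the test collapses to `[ -n ]`, a one-argument test that is true because the string `-n` is non-empty, so `Report "printing_daemon="` is written with no daemon name. Quote it: `if [ -n "${PRINTING_DAEMON}" ]; then`. The same unquoted form is introduced in the SSH section at `if [ -n ${OPENSSHD_VERSION} ]`, where an undetected sshd version now enters the version-parsing branch; it needs `[ -n "${OPENSSHD_VERSION}" ]`.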


@ -170,7 +170,7 @@
if [ -f /etc/anacrontab ]; then
LogText "Test: checking anacrontab"
sANACRONJOBS=$(${EGREPBINARY} '^([0-9@])' /etc/anacrontab | ${TRBINARY} '\t' ' ' | ${TRBINARY} -s ' ' | ${TRBINARY} ' ' ',' | ${SORTBINARY})
if [ ! -z "${sANACRONJOBS}" ]; then
if [ -n "${sANACRONJOBS}" ]; then
Report "scheduler[]=anacron"
for I in ${sANACRONJOBS}; do
LogText "Found anacron job (/etc/anacrontab): ${I}"
@ -201,7 +201,7 @@
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking atd status"
FIND=$(${PSBINARY} ax | ${GREPBINARY} "/atd" | ${GREPBINARY} -v "grep")
if [ ! -z "${FIND}" ]; then
if [ -n "${FIND}" ]; then
LogText "Result: at daemon active"
Display --indent 2 --text "- Checking atd status" --result "${STATUS_RUNNING}" --color GREEN
ATD_RUNNING=1


@ -126,7 +126,7 @@
FIND=$(${GREPBINARY} 'TMOUT=' ${ROOTDIR}etc/profile | ${TRBINARY} -d ' ' | ${TRBINARY} -d '\t' | ${GREPBINARY} -v "^#" | ${SEDBINARY} 's/export//' | ${SEDBINARY} 's/#.*//' | ${AWKBINARY} -F= '{ print $2 }')
# Determine if the value is exported (with export, readonly, or typeset)
FIND2=$(${GREPBINARY} '\(export\|readonly\|typeset -r\)[ \t]*TMOUT' ${ROOTDIR}etc/profile | ${GREPBINARY} -v "^#" | ${SEDBINARY} 's/#.*//' | ${AWKBINARY} '{ print $1 }')
if [ ! -z "${FIND}" ]; then
if [ -n "${FIND}" ]; then
N=0; IDLE_TIMEOUT=1
for I in ${FIND}; do
LogText "Output: ${I}"
@ -143,7 +143,7 @@
LogText "Result: could not find TMOUT setting in ${ROOTDIR}etc/profile"
fi
if [ ! -z "${FIND2}" ]; then
if [ -n "${FIND2}" ]; then
N=0;
for I in ${FIND2}; do
LogText "Output: ${I}"
@ -167,12 +167,12 @@
if [ -d ${ROOTDIR}etc/profile.d ]; then
FIND=$(${LSBINARY} ${ROOTDIR}etc/profile.d/*.sh 2> /dev/null)
if [ ! -z "${FIND}" ]; then
if [ -n "${FIND}" ]; then
# Determine if we can find a TMOUT value
FIND=$(${FINDBINARY} ${ROOTDIR}etc/profile.d -name "*.sh" -type f -exec cat {} \; 2> /dev/null | ${GREPBINARY} 'TMOUT=' | ${TRBINARY} -d ' ' | ${TRBINARY} -d '\t' | ${GREPBINARY} -v "^#" | ${SEDBINARY} 's/export//' | ${SEDBINARY} 's/#.*//' | ${AWKBINARY} -F= '{ print $2 }')
# Determine if the value is exported (with export, readonly, or typeset)
FIND2=$(${FINDBINARY} ${ROOTDIR}etc/profile.d -name "*.sh" -type f -exec cat {} \; 2> /dev/null | ${GREPBINARY} '\(export\|readonly\|typeset -r\)[ \t]*TMOUT' | ${GREPBINARY} -v "^#" | ${SEDBINARY} 's/#.*//' | ${AWKBINARY} '{ print $1 }')
if [ ! -z "${FIND}" ]; then
if [ -n "${FIND}" ]; then
N=0; IDLE_TIMEOUT=1
for I in ${FIND}; do
LogText "Output: ${I}"
@ -189,7 +189,7 @@
LogText "Result: could not find TMOUT setting in ${ROOTDIR}etc/profile.d/*.sh"
fi
# Check for readonly
if [ ! -z "${FIND2}" ]; then
if [ -n "${FIND2}" ]; then
N=0;
for I in ${FIND2}; do
LogText "Output: ${I}"
@ -212,10 +212,10 @@
LogText "Result: skip ${ROOTDIR}etc/profile.d directory test, directory not available on this system"
fi
if [ ! -z "${IDLE_TIMEOUT_METHOD}" ]; then
if [ -n "${IDLE_TIMEOUT_METHOD}" ]; then
Report "session_timeout_method[]=${IDLE_TIMEOUT_METHOD}"
fi
if [ ! -z "${IDLE_TIMEOUT_READONLY}" ]; then
if [ -n "${IDLE_TIMEOUT_READONLY}" ]; then
Report "session_timeout_set_readonly=${IDLE_TIMEOUT_READONLY}"
fi
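Review bot: In the FIND2 lines that detect an exported or read-only TMOUT, the pattern `'\(export\|readonly\|typeset -r\)[ \t]*TMOUT'` does not match a tab, because inside a bracket expression grep treats `\t` as a literal backslash and the letter t. A profile line that separates `readonly` from `TMOUT` with a tab is therefore missed, and the read-only state of the session timeout would presumably go unreported. Use `[[:space:]]*` in place of `[ \t]*` in both the `${ROOTDIR}etc/profile` hunk and the `profile.d` hunk.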


@ -74,7 +74,7 @@
#
# Test : SNMP-3306
# Description : Determine SNMP communities
if [ ! -z "${SNMP_DAEMON_CONFIG}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
if [ -n "${SNMP_DAEMON_CONFIG}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no SNMP-3306 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check SNMP communities"
if [ ${SKIPTEST} -eq 0 ]; then
WARN=0


@ -43,7 +43,7 @@
FOUND=0
# Check running processes
FIND=$(${PSBINARY} ax | ${EGREPBINARY} "(squid|squid3) " | ${GREPBINARY} -v "grep")
if [ ! -z "${FIND}" ]; then
if [ -n "${FIND}" ]; then
SQUID_DAEMON_RUNNING=1
LogText "Result: Squid daemon is running"
Display --indent 2 --text "- Checking running Squid daemon" --result "${STATUS_FOUND}" --color GREEN
@ -86,10 +86,10 @@
#
# Test : SQD-3606
# Description : Check Squid version
if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! -z "${SQUID_DAEMON_CONFIG}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a -n "${SQUID_DAEMON_CONFIG}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no SQD-3606 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check Squid version"
if [ ${SKIPTEST} -eq 0 ]; then
if [ ! -z "${SQUIDBINARY}" ]; then
if [ -n "${SQUIDBINARY}" ]; then
LogText "Result: Squid binary found (${SQUIDBINARY})"
# Skip check if a setuid/setgid bit is found
FIND=$(${FINDBINARY} ${SQUIDBINARY} \( -perm 4000 -o -perm 2000 \) -print)
@ -110,7 +110,7 @@
#
# Test : SQD-3610
# Description : Check Squid configuration options
if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! -z "${SQUID_DAEMON_CONFIG}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a -n "${SQUID_DAEMON_CONFIG}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no SQD-3610 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Gather Squid settings"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking all specific defined options in ${SQUID_DAEMON_CONFIG}"
@ -127,12 +127,12 @@
#
# Test : SQD-3613
# Description : Check Squid configuration file permissions
if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! -z "${SQUID_DAEMON_CONFIG}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a -n "${SQUID_DAEMON_CONFIG}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no SQD-3613 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check Squid file permissions"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking file permissions of ${SQUID_DAEMON_CONFIG}"
FIND=$(find ${SQUID_DAEMON_CONFIG} -type f -a \( -perm -004 -o -perm -002 -o -perm -001 \))
if [ ! -z "${FIND}" ]; then
if [ -n "${FIND}" ]; then
LogText "Result: file ${SQUID_DAEMON_CONFIG} is world readable, writable or executable and could leak information or passwords"
Display --indent 4 --text "- Checking Squid configuration file permissions" --result "${STATUS_WARNING}" --color RED
ReportSuggestion ${TEST_NO} "Check file permissions of ${SQUID_DAEMON_CONFIG} to limit access"
@ -147,7 +147,7 @@
#
#################################################################################
#
if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! -z "${SQUID_DAEMON_CONFIG}" ]; then
if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a -n "${SQUID_DAEMON_CONFIG}" ]; then
Display --indent 4 --text "- Checking Squid access control"
fi
#
@ -155,7 +155,7 @@
#
# Test : SQD-3614
# Description : Check Squid authentication
if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! -z "${SQUID_DAEMON_CONFIG}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a -n "${SQUID_DAEMON_CONFIG}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no SQD-3614 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check Squid authentication methods"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: check auth_param option for authentication methods"
@ -176,7 +176,7 @@
#
# Test : SQD-3616
# Description : Check external Squid authentication
if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! -z "${SQUID_DAEMON_CONFIG}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a -n "${SQUID_DAEMON_CONFIG}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no SQD-3616 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check external Squid authentication"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: check external_acl_type option for external authentication helpers"
@ -265,7 +265,7 @@
#
#################################################################################
#
if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! -z "${SQUID_DAEMON_CONFIG}" ]; then
if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a -n "${SQUID_DAEMON_CONFIG}" ]; then
Display --indent 4 --text "- Checking Squid Denial of Service tuning options"
fi
#
@ -273,7 +273,7 @@
#
# Test : SQD-3630 [T]
# Description : Check reply_body_max_size value
if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! -z "${SQUID_DAEMON_CONFIG}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a -n "${SQUID_DAEMON_CONFIG}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no SQD-3630 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check Squid reply_body_max_size option"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: checking option reply_body_max_size"
@ -293,7 +293,7 @@
#
#################################################################################
#
if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! -z "${SQUID_DAEMON_CONFIG}" ]; then
if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a -n "${SQUID_DAEMON_CONFIG}" ]; then
Display --indent 4 --text "- Checking Squid general options"
fi
#
@ -301,7 +301,7 @@
#
# Test : SQD-3680
# Description : Check httpd_suppress_version_string
if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! -z "${SQUID_DAEMON_CONFIG}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a -n "${SQUID_DAEMON_CONFIG}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no SQD-3680 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check Squid version suppression"
if [ ${SKIPTEST} -eq 0 ]; then
FIND=$(${GREPBINARY} "^httpd_suppress_version_string " ${SQUID_DAEMON_CONFIG} | ${GREPBINARY} " on")
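Review bot: The setuid/setgid guard in the SQD-3606 hunk, `${FINDBINARY} ${SQUIDBINARY} \( -perm 4000 -o -perm 2000 \) -print`, uses exact-mode matching. It only matches a file whose mode is exactly 4000 or 2000 and misses an ordinary setuid binary such as mode 4755. The comment above it says the check is to be skipped when a setuid/setgid bit is found, which needs the bit-test form `\( -perm -4000 -o -perm -2000 \)`, the same form the SQD-3613 hunk already uses with `-perm -004`. The code that acts on FIND is outside the hunk, so what a miss leads to is not visible here.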


@ -104,7 +104,7 @@
if [ ${SKIPTEST} -eq 0 ]; then
OPENSSHD_VERSION=$(${SSHDBINARY} -t -d 2>&1 | ${GREPBINARY} 'sshd version' | ${AWKBINARY} '{if($4~OpenSSH_){print $4}}' | ${AWKBINARY} -F_ '{print $2}' | ${TRBINARY} -d '[:cntrl:],')
LogText "Result: discovered OpenSSH version is ${OPENSSHD_VERSION}"
if [ ! -z ${OPENSSHD_VERSION} ]; then
if [ -n ${OPENSSHD_VERSION} ]; then
OPENSSHD_VERSION_MAJOR=$(echo ${OPENSSHD_VERSION%%p*} | ${AWKBINARY} -F. '{print $1}')
LogText "Result: OpenSSH major version: ${OPENSSHD_VERSION_MAJOR}"
OPENSSHD_VERSION_MINOR=$(echo ${OPENSSHD_VERSION%%p*} | ${AWKBINARY} -F. '{print $2}')
@ -117,7 +117,7 @@
# Test : SSH-7408
# Description : Check SSH specific defined options
# Notes : Instead of parsing the configuration file, we query the SSH daemon itself
if [ ${OPENSSHD_RUNNING} -eq 1 -a ! -z "${SSH_DAEMON_OPTIONS_FILE}" -a ${OPENSSHD_VERSION_MAJOR} -ge 5 -a ${OPENSSHD_VERSION_MINOR} -ge 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
if [ ${OPENSSHD_RUNNING} -eq 1 -a -n "${SSH_DAEMON_OPTIONS_FILE}" -a ${OPENSSHD_VERSION_MAJOR} -ge 5 -a ${OPENSSHD_VERSION_MINOR} -ge 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no SSH-7408 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check SSH specific defined options"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking specific defined options in ${SSH_DAEMON_OPTIONS_FILE}"
@ -189,7 +189,7 @@
FOUNDVALUE=$(${AWKBINARY} -v OPT="${OPTIONNAME_LOWER}" 'index($0, OPT) == 1 { print toupper($2) }' ${SSH_DAEMON_OPTIONS_FILE} | tail -1)
LogText "Test: Checking ${OPTIONNAME} in ${SSH_DAEMON_OPTIONS_FILE}"
if [ ! -z "${FOUNDVALUE}" ]; then
if [ -n "${FOUNDVALUE}" ]; then
LogText "Result: Option ${OPTIONNAME} found"
LogText "Result: Option ${OPTIONNAME} value is ${FOUNDVALUE}"
@ -201,7 +201,7 @@
elif [ "${FOUNDVALUE}" = "${WEAKVALUE}" ]; then
RESULT="WEAK"
else
if [ ! -z "${EXPECTEDVALUE}" ]; then
if [ -n "${EXPECTEDVALUE}" ]; then
LogText "Expected value has multiple values, testing if active value is in list (${EXPECTEDVALUE})"
FIND=$(echo ${FOUNDVALUE} | ${GREPBINARY} -E "${EXPECTEDVALUE}")
if [ $? -eq 0 ]; then
@ -211,7 +211,7 @@
LogText "Result: not found"
fi
fi
if [ ! -z "${MEDIUMSCOREDVALUE}" ]; then
if [ -n "${MEDIUMSCOREDVALUE}" ]; then
LogText "Medium scored value has multiple values, testing if active value is in list (${MEDIUMSCOREDVALUE})"
FIND=$(echo ${FOUNDVALUE} | ${GREPBINARY} -E "${MEDIUMSCOREDVALUE}")
if [ $? -eq 0 ]; then
@ -296,13 +296,13 @@
# Test : SSH-7440
# Description : OpenSSH - AllowUsers / AllowGroups
# Goal : Check if only a specific amount of users/groups can log in to the system
if [ ${OPENSSHD_RUNNING} -eq 1 -a ! -z "${SSH_DAEMON_OPTIONS_FILE}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
if [ ${OPENSSHD_RUNNING} -eq 1 -a -n "${SSH_DAEMON_OPTIONS_FILE}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no SSH-7440 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check OpenSSH option: AllowUsers and AllowGroups"
if [ ${SKIPTEST} -eq 0 ]; then
FOUND=0
# AllowUsers
FIND=$(${EGREPBINARY} -i "^AllowUsers" ${SSH_DAEMON_OPTIONS_FILE} | ${AWKBINARY} '{ print $2 }')
if [ ! -z "${FIND}" ]; then
if [ -n "${FIND}" ]; then
LogText "Result: AllowUsers set, with value ${FIND}"
Display --indent 4 --text "- OpenSSH option: AllowUsers" --result "${STATUS_FOUND}" --color GREEN
FOUND=1
@ -313,7 +313,7 @@
# AllowGroups
FIND=$(${EGREPBINARY} -i "^AllowGroups" ${SSH_DAEMON_OPTIONS_FILE} | ${AWKBINARY} '{ print $2 }')
if [ ! -z "${FIND}" ]; then
if [ -n "${FIND}" ]; then
LogText "Result: AllowUsers set ${FIND}"
Display --indent 4 --text "- OpenSSH option: AllowGroups" --result "${STATUS_FOUND}" --color GREEN
FOUND=1
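Review bot: The SSH-7408 prerequisite `${OPENSSHD_VERSION_MAJOR} -ge 5 -a ${OPENSSHD_VERSION_MINOR} -ge 1` compares major and minor independently, so any x.0 release (6.0, 7.0, 8.0 and so on) fails the minor test. PREQS_MET becomes "NO" and the SSH option checks are skipped on such a host without a finding. The intent looks like "5.1 or later", which would be `\( ${OPENSSHD_VERSION_MAJOR} -gt 5 -o \( ${OPENSSHD_VERSION_MAJOR} -eq 5 -a ${OPENSSHD_VERSION_MINOR} -ge 1 \) \)` in place of the two `-ge` terms. Both variables are also unquoted, so when version detection yields nothing the `[` command reports an error instead of evaluating cleanly to false.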


@ -37,10 +37,10 @@
LogText "Test: Checking firewire storage driver in directory /etc/modprobe.d and configuration file /etc/modprobe.conf"
if [ -d ${ROOTDIR}etc/modprobe.d ]; then
FIND=$(${LSBINARY} ${ROOTDIR}etc/modprobe.d/* 2> /dev/null)
if [ ! -z "${FIND}" ]; then
if [ -n "${FIND}" ]; then
FIND1=$(${EGREPBINARY} "blacklist (ohci1394|firewire[-_]ohci|firewire-core)" ${ROOTDIR}etc/modprobe.d/* | ${GREPBINARY} -v "#")
FIND2=$(${EGREPBINARY} "install (ohci1394|firewire[-_]ohci|firewire-core) /bin/(false|true)" ${ROOTDIR}etc/modprobe.d/* | ${GREPBINARY} -v "#")
if [ ! -z "${FIND1}" -o ! -z "${FIND2}" ]; then
if [ -n "${FIND1}" -o -n "${FIND2}" ]; then
FOUND=1
LogText "Result: found firewire ohci driver in disabled state"
fi
@ -51,7 +51,7 @@
if [ -f ${ROOTDIR}etc/modprobe.conf ]; then
FIND1=$(${EGREPBINARY} -r "blacklist (ohci1394|firewire[-_]ohci|firewire-core)" ${ROOTDIR}etc/modprobe.conf | ${GREPBINARY} -v "#")
FIND2=$(${EGREPBINARY} -r "install (ohci1394|firewire[-_]ohci|firewire-core) /bin/(false|true)" ${ROOTDIR}etc/modprobe.conf | ${GREPBINARY} -v "#")
if [ ! -z "${FIND1}" -o ! -z "${FIND2}" ]; then
if [ -n "${FIND1}" -o -n "${FIND2}" ]; then
FOUND=1
LogText "Result: found firewire ohci driver in disabled state"
fi


@ -33,7 +33,7 @@
#
# Test : STRG-1902
# Description : Check rpcinfo
if [ ! -z "${RPCINFOBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
if [ -n "${RPCINFOBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no STRG-1902 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check rpcinfo registered programs"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking rpcinfo registered programs"
@ -48,7 +48,7 @@
#
# Test : STRG-1904
# Description : Check nfs versions in rpcinfo
if [ ! -z "${RPCINFOBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
if [ -n "${RPCINFOBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no STRG-1904 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check nfs rpc"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking NFS registered versions"
@ -63,7 +63,7 @@
#
# Test : STRG-1906
# Description : Check nfs protocols (TCP/UDP) and port in rpcinfo
if [ ! -z "${RPCINFOBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
if [ -n "${RPCINFOBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no STRG-1906 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check nfs rpc"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking NFS registered protocols"
@ -123,7 +123,7 @@
if [ -f ${ROOTDIR}etc/exports ]; then
LogText "Result: ${ROOTDIR}etc/exports exists"
FIND=$(${GREPBINARY} -v "^$" ${ROOTDIR}etc/exports | ${GREPBINARY} -v "^#" | ${SEDBINARY} 's/ /!space!/g')
if [ ! -z "${FIND}" ]; then
if [ -n "${FIND}" ]; then
for I in ${FIND}; do
I=$(echo ${I} | ${SEDBINARY} 's/!space!/ /g')
LogText "Found line: ${I}"
@ -161,7 +161,7 @@
Register --test-no STRG-1930 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check client access to nfs share"
if [ ${SKIPTEST} -eq 0 ]; then
sFIND=$(${SHOWMOUNTBINARY} -e | ${AWKBINARY} '{ print $2 }' | ${SEDBINARY} '1d' | ${GREPBINARY} "\*")
if [ ! -z "${sFIND}" ]; then
if [ -n "${sFIND}" ]; then
LogText "Result: all client are allowed to access a NFS share in /etc/exports"
Display --indent 4 --text "- Checking NFS client access" --result "ALL CLIENTS" --color YELLOW
ReportSuggestion ${TEST_NO} "Specify clients that are allowed to access a NFS share /etc/exports"


@ -62,7 +62,7 @@
for FILE in ${SEARCH_FILES}; do
if [ -f ${FILE} ]; then LogText "result: found chrony configuration: ${FILE}"; CHRONY_CONF_FILE="${FILE}"; fi
done
if [ ! -z "${CHRONY_CONF_FILE}" ]; then
if [ -n "${CHRONY_CONF_FILE}" ]; then
IsRunning chronyd
if [ ${RUNNING} -eq 1 ]; then
FOUND=1; NTP_DAEMON_RUNNING=1; NTP_CONFIG_TYPE_DAEMON=1; NTP_DAEMON="chronyd"
@ -83,7 +83,7 @@
# Check running processes
FIND=$(${PSBINARY} ax | ${GREPBINARY} "ntpd" | ${GREPBINARY} -v "dntpd" | ${GREPBINARY} -v "grep")
if [ ! -z "${FIND}" ]; then
if [ -n "${FIND}" ]; then
FOUND=1; NTPD_RUNNING=1; NTP_DAEMON_RUNNING=1; NTP_CONFIG_TYPE_DAEMON=1
NTP_DAEMON="ntpd"
LogText "Result: found running NTP daemon in process list"
@ -98,9 +98,9 @@
fi
# Check timedate daemon (systemd)
if [ ! -z "${TIMEDATECTL}" ]; then
if [ -n "${TIMEDATECTL}" ]; then
FIND=$(${TIMEDATECTL} status | ${EGREPBINARY} "(NTP|System clock) synchronized: yes")
if [ ! -z "${FIND}" ]; then
if [ -n "${FIND}" ]; then
# Check for systemd-timesyncd
if [ -f ${ROOTDIR}etc/systemd/timesyncd.conf ]; then
LogText "Result: found ${ROOTDIR}etc/systemd/timesyncd.conf"
@ -124,7 +124,7 @@
if [ -f ${I} ]; then
LogText "Test: checking for ntpdate or rdate in crontab file ${I}"
FIND=$(${EGREPBINARY} "ntpdate|rdate" ${I} | ${GREPBINARY} -v '^#')
if [ ! -z "${FIND}" ]; then
if [ -n "${FIND}" ]; then
FOUND=1; NTP_CONFIG_TYPE_SCHEDULED=1
Display --indent 2 --text "- Checking NTP client in crontab file (${I})" --result "${STATUS_FOUND}" --color GREEN
LogText "Result: found ntpdate or rdate reference in crontab file ${I}"
@ -146,11 +146,11 @@
if [ -d ${I} ]; then
if FileIsReadable ${I}; then
FIND=$(${LSBINARY} ${I} | ${GREPBINARY} -v FIFO)
if [ ! -z "${FIND}" ]; then
if [ -n "${FIND}" ]; then
for J in ${FIND}; do
LogText "Test: checking for ntpdate or rdate in ${I}/${J}"
FIND2=$(${EGREPBINARY} "rdate|ntpdate" ${I}/${J} | ${GREPBINARY} -v "^#")
if [ ! -z "${FIND2}" ]; then
if [ -n "${FIND2}" ]; then
LogText "Positive match found: ${FIND2}"
FOUND=1; FOUND_IN_CRON=1; NTP_CONFIG_TYPE_SCHEDULED=1
fi
@ -186,7 +186,7 @@
if [ -f /etc/rc.conf ]; then
LogText "Test: Checking if ntpdate is enabled at startup in *BSD"
FIND=$(${GREPBINARY} 'ntpdate_enable="YES"' /etc/rc.conf)
if [ ! -z "${FIND}" ]; then
if [ -n "${FIND}" ]; then
LogText "Result: ntpdate is enabled in rc.conf"
FOUND=1
NTP_CONFIG_TYPE_STARTUP=1
@ -219,7 +219,7 @@
#
# Test : TIME-3106
# Description : Check status of systemd time synchronization
if [ ${SYSTEMD_NTP_ENABLED} -eq 1 -a ! -z "${TIMEDATECTL}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
if [ ${SYSTEMD_NTP_ENABLED} -eq 1 -a -n "${TIMEDATECTL}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no TIME-3106 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check systemd NTP time synchronization status"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Check the status of time synchronization via timedatectl"
@ -234,7 +234,7 @@
#
# Test : TIME-3112
# Description : Check for valid associations from ntpq peers list
if [ ${NTPD_RUNNING} -eq 1 -a ! -z "${NTPQBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
if [ ${NTPD_RUNNING} -eq 1 -a -n "${NTPQBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no TIME-3112 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check active NTP associations ID's"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking for NTP association ID's from ntpq peers list"
@ -252,7 +252,7 @@
#
# Test : TIME-3116
# Description : Check for stratum 16 peers
if [ ${NTPD_RUNNING} -eq 1 -a ! -z "${NTPQBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
if [ ${NTPD_RUNNING} -eq 1 -a -n "${NTPQBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no TIME-3116 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check peers with stratum value of 16"
if [ ${SKIPTEST} -eq 0 ]; then
COUNT=0
@ -290,7 +290,7 @@
# Description : Check unreliable peers from peer list
# Notes : Items with # are too far away (network distance)
# Items with - are not chosen due clustering algorithm
if [ ${NTPD_RUNNING} -eq 1 -a ! -z "${NTPQBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
if [ ${NTPD_RUNNING} -eq 1 -a -n "${NTPQBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no TIME-3120 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check unreliable NTP peers"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking unreliable ntp peers"
@ -313,13 +313,13 @@
#
# Test : TIME-3124
# Description : Check selected time source
if [ ${NTPD_RUNNING} -eq 1 -a ! -z "${NTPQBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
if [ ${NTPD_RUNNING} -eq 1 -a -n "${NTPQBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no TIME-3124 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check selected time source"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking selected time source"
FIND=$(${NTPQBINARY} -p -n | ${GREPBINARY} '^*' | ${AWKBINARY} '{ if ($4=="l") { print $1 } }')
FIND2=$(${NTPQBINARY} -p -n | ${GREPBINARY} '^*' | ${AWKBINARY} '{ print $1 }')
if [ -z "${FIND}" -a ! -z "${FIND2}" ]; then
if [ -z "${FIND}" -a -n "${FIND2}" ]; then
Display --indent 2 --text "- Checking selected time source" --result "${STATUS_OK}" --color GREEN
FIND2=$(echo ${FIND2} | ${SEDBINARY} 's/*//g')
LogText "Result: Found selected time source (value: ${FIND2})"
@ -335,7 +335,7 @@
#
# Test : TIME-3128
# Description : Check time source candidates
if [ ${NTPD_RUNNING} -eq 1 -a ! -z "${NTPQBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
if [ ${NTPD_RUNNING} -eq 1 -a -n "${NTPQBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no TIME-3128 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check preferred time source"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking preferred time source"
@ -358,7 +358,7 @@
#
# Test : TIME-3132
# Description : Check ntpq falsetickers
if [ ${NTPD_RUNNING} -eq 1 -a ! -z "${NTPQBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
if [ ${NTPD_RUNNING} -eq 1 -a -n "${NTPQBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no TIME-3132 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check NTP falsetickers"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking preferred time source"
@ -382,7 +382,7 @@
#
# Test : TIME-3136
# Description : Check ntpq reported ntp version (Linux)
if [ ${NTPD_RUNNING} -eq 1 -a ! -z "${NTPQBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
if [ ${NTPD_RUNNING} -eq 1 -a -n "${NTPQBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no TIME-3136 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check NTP protocol version"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking NTP protocol version (ntpq -c ntpversion)"
@ -403,7 +403,7 @@
# Test : TIME-3146
# Description : Check /etc/default/ntpdate (Linux)
# Notes : ntpdate-debian binary
#if [ ${NTPD_RUNNING} -eq 1 -a ! -z "${NTPQBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
#if [ ${NTPD_RUNNING} -eq 1 -a -n "${NTPQBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
#Register --test-no TIME-3146 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check /etc/default/ntpdate"
#if [ ${SKIPTEST} -eq 0 ]; then
#
@ -428,7 +428,7 @@
# Description : Check empty NTP step-tickers
# Notes : Mostly applies to Red Hat and clones
FILE="${ROOTDIR}etc/ntp/step-tickers"
if [ "${NTPD_RUNNING}" -eq 1 -a ! -z "${NTPQBINARY}" -a -f "${FILE}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
if [ "${NTPD_RUNNING}" -eq 1 -a -n "${NTPQBINARY}" -a -f "${FILE}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no TIME-3160 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check empty NTP step-tickers"
if [ ${SKIPTEST} -eq 0 ]; then
FOUND=0
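Review bot: The prerequisite lines for TIME-3106 and TIME-3112 through TIME-3136 still expand `${SYSTEMD_NTP_ENABLED}` and `${NTPD_RUNNING}` unquoted inside a single `-a` expression, while the TIME-3160 line in the same file already quotes `"${NTPD_RUNNING}"`. Since this commit rewrites every one of these lines anyway, they could take one consistent form that also drops `-a`, which POSIX marks obsolescent because a multi-argument `[` can be parsed ambiguously: `if [ "${NTPD_RUNNING}" -eq 1 ] && [ -n "${NTPQBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi`. The RuleFile check in the USB section of this commit already uses two `[ ]` tests joined by `&&`. The same remark applies to the `${FAIL2BAN_FOUND}` line in the tooling section and the `${NGINX_RUNNING}` lines in the web server section. The bodies of these tests continue outside the hunks shown.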


@ -71,7 +71,7 @@
fi
# Cfengine
if [ ! -z "${CFAGENTBINARY}" ]; then
if [ -n "${CFAGENTBINARY}" ]; then
LogText "Result: CFEngine (cfagent) is installed (${CFAGENTBINARY})"
AUTOMATION_TOOL_FOUND=1
CFENGINE_AGENT_FOUND=1
@ -129,7 +129,7 @@
fi
fi
if [ ! -z "${PUPPETBINARY}" ]; then
if [ -n "${PUPPETBINARY}" ]; then
LogText "Result: Puppet is installed (${PUPPETBINARY})"
AUTOMATION_TOOL_FOUND=1
Report "automation_tool_running[]=puppet-agent"
@ -145,14 +145,14 @@
fi
# SaltStack
if [ ! -z "${SALTMINIONBINARY}" ]; then
if [ -n "${SALTMINIONBINARY}" ]; then
LogText "Result: SaltStack (salt-minion) is installed (${SALTMINIONBINARY})"
AUTOMATION_TOOL_FOUND=1
SALT_MINION_RUNNING=1
Report "automation_tool_running[]=saltstack-minion"
Display --indent 4 --text "- SaltStack minion (salt-minion)" --result "${STATUS_FOUND}" --color GREEN
fi
if [ ! -z "${SALTMASTERBINARY}" ]; then
if [ -n "${SALTMASTERBINARY}" ]; then
LogText "Result: SaltStack (salt-master) is installed (${SALTMASTERBINARY})"
AUTOMATION_TOOL_FOUND=1
SALT_MASTER_RUNNING=1
@ -188,7 +188,7 @@
if [ ${SKIPTEST} -eq 0 ]; then
# Fail2ban presence
if [ ! -z "${FAIL2BANBINARY}" ]; then
if [ -n "${FAIL2BANBINARY}" ]; then
FAIL2BAN_FOUND=1
IDS_IPS_TOOL_FOUND=1
LogText "Result: Fail2ban is installed (${FAIL2BANBINARY})"
@ -209,10 +209,10 @@
fi
# Continue if tooling is available and configuration file found
if [ ${FAIL2BAN_FOUND} -eq 1 -a ! -z "${FAIL2BAN_CONFIG}" ]; then
if [ ${FAIL2BAN_FOUND} -eq 1 -a -n "${FAIL2BAN_CONFIG}" ]; then
Report "fail2ban_config=${FAIL2BAN_CONFIG}"
FAIL2BANCLIENT=$(which fail2ban-client 2> /dev/null | grep -v "no [^ ]* in ")
if [ ! -z "${FAIL2BANCLIENT}" ]; then PERFORM_FAIL2BAN_TESTS=1; fi
if [ -n "${FAIL2BANCLIENT}" ]; then PERFORM_FAIL2BAN_TESTS=1; fi
fi
fi
#
@ -224,7 +224,7 @@
Register --test-no TOOL-5104 --weight L --network NO --preqs-met ${PREQS_MET} --category security --description "Enabled tests in Fail2ban"
if [ ${SKIPTEST} -eq 0 ]; then
FIND=$(${FAIL2BANCLIENT} -d | ${TRBINARY} -d '[]' | ${TRBINARY} -d "'" | ${AWKBINARY} -F, '{ if ($1=="add") { print $2 }}' | ${TRBINARY} -d ' ')
if [ ! -z "${FIND}" ]; then
if [ -n "${FIND}" ]; then
for F2BSERVICE in ${FIND}; do
LogText "Result: service '${F2BSERVICE}' enabled"
Report "fail2ban_enabled_service[]=${F2BSERVICE}"
@ -252,12 +252,12 @@
# FIND=$(${EGREPBINARY} "^action = \%\(action_m.*\)s" ${FAIL2BAN_CONFIG})
# FIND2=$(${EGREPBINARY} "^action = \%\(action_\)s" ${FAIL2BAN_CONFIG})
#
# if [ ! -z "${FIND}" ]; then
# if [ -n "${FIND}" ]; then
# FAIL2BAN_EMAIL=1
# LogText "Result: found at least one jail which sends an email alert"
# fi
#
# if [ ! -z "${FIND2}" ]; then
# if [ -n "${FIND2}" ]; then
# FAIL2BAN_SILENT=1
# LogText "Result: found at least one jail which does NOT send an email alert"
# fi
@ -298,9 +298,9 @@
#
# LogText "Checking for fail2ban iptables chains"
#
# if [ ! -z "${IPTABLESBINARY}" ]; then
# if [ -n "${IPTABLESBINARY}" ]; then
# CHECK_CHAINS=$(${IPTABLESBINARY} -L 2>&1 | ${GREPBINARY} fail2ban)
# if [ ! -z "${CHECK_CHAINS}" ]; then
# if [ -n "${CHECK_CHAINS}" ]; then
# LogText "Result: found at least one iptables chain for fail2ban"
# Display --indent 4 --text "- Checking for Fail2ban iptables chain" --result "${STATUS_OK}" --color GREEN
# else


@ -39,7 +39,7 @@
#
# Test to determine if USBGuard is installed. If it is, we will limit
# suggestions from other tests.
if [ ! -z "${USBGUARDBINARY}" ]; then
if [ -n "${USBGUARDBINARY}" ]; then
USBGUARD_FOUND=1
fi
#
@ -53,10 +53,10 @@
LogText "Test: Checking USB storage driver in directory /etc/modprobe.d and configuration file /etc/modprobe.conf"
if [ -d /etc/modprobe.d ]; then
FIND=$(${LSBINARY} ${ROOTDIR}etc/modprobe.d/* 2> /dev/null)
if [ ! -z "${FIND}" ]; then
if [ -n "${FIND}" ]; then
FIND=$(${EGREPBINARY} -r "install usb[-_]storage /bin/(false|true)" ${ROOTDIR}etc/modprobe.d/* | ${GREPBINARY} -v "#")
FIND2=$(${EGREPBINARY} -r "^blacklist usb[-_]storage" ${ROOTDIR}etc/modprobe.d/*)
if [ ! -z "${FIND}" -o ! -z "${FIND2}" ]; then
if [ -n "${FIND}" -o -n "${FIND2}" ]; then
FOUND=1
LogText "Result: found usb-storage driver in disabled state (blacklisted)"
fi
@ -66,7 +66,7 @@
fi
if [ -f ${ROOTDIR}etc/modprobe.conf ]; then
FIND=$(${EGREPBINARY} "install usb[-_]storage /bin/(false|true)" ${ROOTDIR}etc/modprobe.conf | ${GREPBINARY} "usb-storage" | ${GREPBINARY} -v "#")
if [ ! -z "${FIND}" ]; then
if [ -n "${FIND}" ]; then
FOUND=1
LogText "Result: found usb-storage driver in disabled state"
fi
@ -146,14 +146,14 @@
USBGUARD_CONFIG=""
fi
if [ ! -z "${USBGUARD_CONFIG}" ]; then
if [ -n "${USBGUARD_CONFIG}" ]; then
LogText "Result: USBGuard configuration found (${USBGUARD_CONFIG})"
Display --indent 4 --text "- Configuration" --result "${STATUS_FOUND}" --color GREEN
AddHP 1 1
LogText "Checking USBGuard restore controller device state (RestoreControllerDeviceState)"
USBGUARD_RESTORE_POLICY=$(${AWKBINARY} -F '=' -v OPT="RestoreControllerDeviceState" 'index($0, OPT) == 1 {print $2}' ${USBGUARD_CONFIG})
if [ ! -z "${USBGUARD_RESTORE_POLICY}" ]; then
if [ -n "${USBGUARD_RESTORE_POLICY}" ]; then
LogText "Result: RestoreControllerDeviceState = ${USBGUARD_RESTORE_POLICY}"
case "${USBGUARD_RESTORE_POLICY}" in
"true")
@ -184,7 +184,7 @@
LogText "Checking USBGuard rule for controllers connected before daemon starts (PresentControllerPolicy)"
USBGUARD_CONTROLLER_POLICY=$(${AWKBINARY} -F '=' -v OPT="PresentControllerPolicy" 'index($0, OPT) == 1 {print $2}' ${USBGUARD_CONFIG})
if [ ! -z "${USBGUARD_CONTROLLER_POLICY}" ]; then
if [ -n "${USBGUARD_CONTROLLER_POLICY}" ]; then
LogText "Result: PresentControllerPolicy = ${USBGUARD_CONTROLLER_POLICY}"
case "${USBGUARD_CONTROLLER_POLICY}" in
"allow" | "keep")
@ -214,7 +214,7 @@
LogText "Checking USBGuard rule for devices connected before daemon starts (PresentDevicePolicy)"
USBGUARD_DEVICE_POLICY=$(${AWKBINARY} -F '=' -v OPT="PresentDevicePolicy" 'index($0, OPT) == 1 {print $2}' ${USBGUARD_CONFIG})
if [ ! -z "${USBGUARD_DEVICE_POLICY}" ]; then
if [ -n "${USBGUARD_DEVICE_POLICY}" ]; then
LogText "Result: PresentDevicePolicy = ${USBGUARD_DEVICE_POLICY}"
case "${USBGUARD_DEVICE_POLICY}" in
"allow" | "keep")
@ -244,7 +244,7 @@
LogText "Checking USBGuard rule for devices inserted after daemon starts (InsertedDevicePolicy)"
USBGUARD_INSERTED_POLICY=$(${AWKBINARY} -F '=' -v OPT="InsertedDevicePolicy" 'index($0, OPT) == 1 {print $2}' ${USBGUARD_CONFIG})
if [ ! -z "${USBGUARD_INSERTED_POLICY}" ]; then
if [ -n "${USBGUARD_INSERTED_POLICY}" ]; then
LogText "Result: InsertedDevicePolicy = ${USBGUARD_INSERTED_POLICY}"
case "${USBGUARD_INSERTED_POLICY}" in
"allow" | "keep")
@ -274,7 +274,7 @@
LogText "Checking USBGuard rule for devices not in RuleFile (ImplicitPolicyTarget)"
USBGUARD_DEFAULT_POLICY=$(${AWKBINARY} -F '=' -v OPT="ImplicitPolicyTarget" 'index($0, OPT) == 1 {print $2}' ${USBGUARD_CONFIG})
if [ ! -z "${USBGUARD_DEFAULT_POLICY}" ]; then
if [ -n "${USBGUARD_DEFAULT_POLICY}" ]; then
LogText "Result: ImplicitPolicyTarget = ${USBGUARD_DEFAULT_POLICY}"
case "${USBGUARD_DEFAULT_POLICY}" in
"allow")
@ -304,7 +304,7 @@
LogText "Checking RuleFile"
USBGUARD_RULES=$(${AWKBINARY} -F '=' -v OPT="RuleFile" 'index($0, OPT) == 1 {print $2}' ${USBGUARD_CONFIG})
if [ ! -z "${USBGUARD_RULES}" ] && [ -f "${USBGUARD_RULES}" ]; then
if [ -n "${USBGUARD_RULES}" ] && [ -f "${USBGUARD_RULES}" ]; then
LogText "Result: RuleFile found (${USBGUARD_RULES})"
Display --indent 4 --text "- RuleFile" --result "${STATUS_FOUND}" --color GREEN
AddHP 1 1
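Review bot: In the USB storage hunk the directory guard reads `if [ -d /etc/modprobe.d ]; then`, but the `ls` and `egrep` calls beneath it use `${ROOTDIR}etc/modprobe.d/*`. If `ROOTDIR` is ever something other than `/`, the guard checks the wrong tree and the blacklist lookup may be skipped, presumably leaving `FOUND` unset and reporting the driver as not disabled. The firewire test in this same commit already uses the prefixed form, so the guard could become `if [ -d "${ROOTDIR}etc/modprobe.d" ]; then`. The enclosing test starts and ends outside the hunk.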


@ -157,7 +157,7 @@
done
# Search Server aliases
for J in $(${GREPBINARY} "ServerAlias" ${I} | ${GREPBINARY} -v "^#" | ${SEDBINARY} "s/\s*ServerAlias //g" | ${SEDBINARY} "s/#.*//g"); do
if [ ! -z ${J} ]; then
if [ -n ${J} ]; then
tVHOSTS="${tVHOSTS} ${J}"
cVHOSTS=$((cVHOSTS + 1))
fi
@ -170,7 +170,7 @@
# Log all virtual hosts we found
for J in ${tVHOSTS}; do
if [ ! -z ${J} ]; then
if [ -n ${J} ]; then
LogText "Virtual host: ${J}"
#Report "apache_vhost_name[]=${J}"
fi
@ -186,10 +186,10 @@
fi
# Remove temp files
if [ -f ${TMPFILE} -a ! -z "${TMPFILE}" ]; then
if [ -f ${TMPFILE} -a -n "${TMPFILE}" ]; then
rm -f ${TMPFILE}
fi
if [ ! -z "${TMPFILE2}" ]; then if [ -f ${TMPFILE2} ]; then rm -f ${TMPFILE2}; fi; fi
if [ -n "${TMPFILE2}" ]; then if [ -f ${TMPFILE2} ]; then rm -f ${TMPFILE2}; fi; fi
#
#################################################################################
#
@ -351,7 +351,7 @@
# Test : HTTP-6706
# Description : Search for includes within nginx configuration file
# Notes : Daemon nginx should be running, nginx.conf should be found
if [ ${NGINX_RUNNING} -eq 1 -a ! -z "${NGINX_CONF_LOCATION}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
if [ ${NGINX_RUNNING} -eq 1 -a -n "${NGINX_CONF_LOCATION}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no HTTP-6706 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for additional nginx configuration files"
if [ ${SKIPTEST} -eq 0 ]; then
CreateTempFile || ExitFatal
@ -402,7 +402,7 @@
# Test : HTTP-6708
# Description : Check discovered nginx configuration settings for further hardening
# Notes : Daemon of nginx should be running, nginx.conf should be found
if [ ${NGINX_RUNNING} -eq 1 -a ! -z "${NGINX_CONF_FILES}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
if [ ${NGINX_RUNNING} -eq 1 -a -n "${NGINX_CONF_FILES}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no HTTP-6708 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check discovered nginx configuration settings"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: start parsing all discovered nginx options"
@ -420,7 +420,7 @@
LogText "Result: this configuration file is skipped, as it contains usually no interesting details"
fi
done
if [ ! -z "${NGINX_CONF_FILES_ADDITIONS}" ]; then
if [ -n "${NGINX_CONF_FILES_ADDITIONS}" ]; then
for I in ${NGINX_CONF_FILES_ADDITIONS}; do
FILENAME=$(echo ${I} | ${AWKBINARY} -F/ '{print $NF}')
if [ ! "${FILENAME}" = "mime.types" ]; then
@ -442,7 +442,7 @@
# Test : HTTP-6710
# Description : Check SSL configuration of nginx
# Notes : Daemon of nginx should be running, nginx.conf should be found
if [ ${NGINX_RUNNING} -eq 1 -a ! -z "${NGINX_CONF_LOCATION}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
if [ ${NGINX_RUNNING} -eq 1 -a -n "${NGINX_CONF_LOCATION}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no HTTP-6710 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check nginx SSL configuration settings"
if [ ${SKIPTEST} -eq 0 ]; then
NGINX_SSL_SUGGESTION=0
@ -494,7 +494,7 @@
# Test : HTTP-6712
# Description : Check logging configuration of nginx
# Notes : Daemon of nginx should be running, nginx.conf should be found
if [ ${NGINX_RUNNING} -eq 1 -a ! -z "${NGINX_CONF_LOCATION}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
if [ ${NGINX_RUNNING} -eq 1 -a -n "${NGINX_CONF_LOCATION}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no HTTP-6712 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check nginx access logging"
if [ ${SKIPTEST} -eq 0 ]; then
NGINX_LOG_SUGGESTION=0
@ -528,7 +528,7 @@
#
# Test : HTTP-6714
# Description : Check missing error logs in nginx
if [ ${NGINX_RUNNING} -eq 1 -a ! -z "${NGINX_CONF_LOCATION}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
if [ ${NGINX_RUNNING} -eq 1 -a -n "${NGINX_CONF_LOCATION}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no HTTP-6714 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for missing error logs in nginx"
if [ ${SKIPTEST} -eq 0 ]; then
NGINX_LOG_SUGGESTION=0
@ -549,7 +549,7 @@
#
# Test : HTTP-6716
# Description : Check debug mode on error log in nginx
if [ ${NGINX_RUNNING} -eq 1 -a ! -z "${NGINX_CONF_LOCATION}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
if [ ${NGINX_RUNNING} -eq 1 -a -n "${NGINX_CONF_LOCATION}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no HTTP-6716 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for debug mode on error log in nginx"
if [ ${SKIPTEST} -eq 0 ]; then
NGINX_LOG_SUGGESTION=0
@ -606,8 +606,8 @@
#################################################################################
#
# Remove temp file (double check)
if [ ! -z "${TMPFILE}" ]; then if [ -f ${TMPFILE} ]; then rm -f ${TMPFILE}; fi; fi
if [ ! -z "${TMPFILE2}" ]; then if [ -f ${TMPFILE2} ]; then rm -f ${TMPFILE2}; fi; fi
if [ -n "${TMPFILE}" ]; then if [ -f ${TMPFILE} ]; then rm -f ${TMPFILE}; fi; fi
if [ -n "${TMPFILE2}" ]; then if [ -f ${TMPFILE2} ]; then rm -f ${TMPFILE2}; fi; fi
WaitForKeyPress
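Review bot: The two loops over ServerAlias entries and `${tVHOSTS}` now test `[ -n ${J} ]` without quotes, which is not equivalent to the old `[ ! -z ${J} ]`. With an empty expansion the new form collapses to `[ -n ]`, a one-argument test that is always true, whereas the old `[ ! -z ]` evaluated false. A `for` loop variable is unlikely to be empty here, but the guard no longer guards anything; it should be `if [ -n "${J}" ]; then` in both places. The temp-file cleanup also checks `-f ${TMPFILE}` before the emptiness test; `if [ -n "${TMPFILE}" ] && [ -f "${TMPFILE}" ]; then` would match the nested form used for `TMPFILE2` on the next line.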


@ -48,7 +48,7 @@
# Bash completion support
#
# Detect if bash is used for active user
#if [ ! -z "${ETC_PATHS}" ]; then
#if [ -n "${ETC_PATHS}" ]; then
# for I in ${ETC_PATHS}; do
# if [ -d ${I}/bash_completion.d ]; then
# if [ ! -f ${ETC_PATHS}/bash_completion.d/lynis ]; then

12
lynis

@ -538,8 +538,8 @@ ${NORMAL}
Report "os_fullname=${OS_FULLNAME}"
Report "os_version=${OS_VERSION}"
if [ "${OS}" = "Linux" ]; then Report "linux_version=${LINUX_VERSION}"; fi
if [ ! -z "${OS_KERNELVERSION}" ]; then Report "os_kernel_version=${OS_KERNELVERSION}"; fi
if [ ! -z "${OS_KERNELVERSION_FULL}" ]; then Report "os_kernel_version_full=${OS_KERNELVERSION_FULL}"; fi
if [ -n "${OS_KERNELVERSION}" ]; then Report "os_kernel_version=${OS_KERNELVERSION}"; fi
if [ -n "${OS_KERNELVERSION_FULL}" ]; then Report "os_kernel_version_full=${OS_KERNELVERSION_FULL}"; fi
Report "hostname=${HOSTNAME}"
@ -635,7 +635,7 @@ ${NORMAL}
LogText "Note: the end-of-life of '${OS_FULLNAME}' could not be checked. Entry missing in software-eol.db?"
fi
if [ ! -z "${OS_MODE}" ]; then echo " Operating system mode: ${OS_MODE}"; fi
if [ -n "${OS_MODE}" ]; then echo " Operating system mode: ${OS_MODE}"; fi
echo " Kernel version: ${OS_KERNELVERSION}"
echo " Hardware platform: ${HARDWARE}"
echo " Hostname: ${HOSTNAME}"
@ -658,9 +658,9 @@ ${NORMAL}
LogText "Operating system: ${OS}"
LogText "Operating system name: ${OS_NAME}"
LogText "Operating system version: ${OS_VERSION}"
if [ ! -z "${OS_MODE}" ]; then LogText "Operating system mode: ${OS_MODE}"; fi
if [ -n "${OS_MODE}" ]; then LogText "Operating system mode: ${OS_MODE}"; fi
LogText "Kernel version: ${OS_KERNELVERSION}"
if [ ! -z "${OS_KERNELVERSION_FULL}" ]; then
if [ -n "${OS_KERNELVERSION_FULL}" ]; then
LogText "Kernel version (full): ${OS_KERNELVERSION_FULL}"
fi
LogText "Hardware platform: ${HARDWARE}"
@ -872,7 +872,7 @@ ${NORMAL}
for PROFILE in ${PROFILES}; do
LogText "Action: checking plugin status in profile: ${PROFILE}"
FIND3=$(grep "^plugin=${FIND2}" ${PROFILE})
if [ ! -z "${FIND3}" ]; then
if [ -n "${FIND3}" ]; then
FOUND=0
for I in ${DISABLED_PLUGINS}; do
if [ "${I}" = "${FIND2}" ]; then