From fa8bad20db100d95cf089b0b2d897c339327215c Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Tue, 16 Jul 2019 13:20:30 +0200 Subject: [PATCH] Use -n instead of ! -z --- include/binaries | 8 ++-- include/functions | 80 ++++++++++++++++----------------- include/helper_audit_dockerfile | 10 ++--- include/helper_show | 8 ++-- include/osdetection | 8 ++-- include/profiles | 34 +++++++------- include/report | 6 +-- include/tests_accounting | 26 +++++------ include/tests_authentication | 32 ++++++------- include/tests_boot_services | 42 ++++++++--------- include/tests_containers | 8 ++-- include/tests_crypto | 2 +- include/tests_databases | 10 ++--- include/tests_dns | 8 ++-- include/tests_file_integrity | 14 +++--- include/tests_filesystems | 32 ++++++------- include/tests_firewalls | 26 +++++------ include/tests_hardening | 2 +- include/tests_homedirs | 4 +- include/tests_insecure_services | 4 +- include/tests_kernel | 16 +++---- include/tests_kernel_hardening | 6 +-- include/tests_ldap | 2 +- include/tests_logging | 24 +++++----- include/tests_mac_frameworks | 6 +-- include/tests_mail_messaging | 36 +++++++-------- include/tests_malware | 6 +-- include/tests_nameservices | 22 ++++----- include/tests_networking | 34 +++++++------- include/tests_php | 24 +++++----- include/tests_ports_packages | 68 ++++++++++++++-------------- include/tests_printers_spools | 4 +- include/tests_scheduling | 4 +- include/tests_shells | 14 +++--- include/tests_snmp | 2 +- include/tests_squid | 26 +++++------ include/tests_ssh | 16 +++---- include/tests_storage | 6 +-- include/tests_storage_nfs | 10 ++--- include/tests_time | 38 ++++++++-------- include/tests_tooling | 24 +++++----- include/tests_usb | 22 ++++----- include/tests_webservers | 26 +++++------ include/tool_tips | 2 +- lynis | 12 ++--- 45 files changed, 407 insertions(+), 407 deletions(-) diff --git a/include/binaries b/include/binaries index 0fbefe46..5812003f 100644 --- a/include/binaries +++ b/include/binaries @@ -49,7 +49,7 @@ # Test if our PATH variable provides a set of paths. If so, reverse the order. If we discover the same binary # multiple times, the one first in PATH should be used. - if [ ! -z "${PATH}" ]; then + if [ -n "${PATH}" ]; then PATH_REVERSED=$(echo ${PATH} | awk -F: '{ for (i=NF; i>1; i--) printf("%s ",$i); print $1; }') BIN_PATHS=$(echo "${PATH_REVERSED}" | tr ':' ' ') fi @@ -84,7 +84,7 @@ LogText "Result: directory exists, but is actually a symlink" ShowSymlinkPath ${SCANDIR} if [ ${FOUNDPATH} -eq 1 ]; then - if [ ! -z "${SYMLINK}" -a -d ${SYMLINK} ]; then + if [ -n "${SYMLINK}" -a -d ${SYMLINK} ]; then # Set path to new location LogText "Result: found the path behind this symlink (${SCANDIR} --> ${sFILE})" ORGPATH="${SCANDIR}" @@ -100,7 +100,7 @@ # Add a space to make sure we discover a related directory if it was already scanned # The grep -v is to prevent a match /usr/bin in something like /usr/bin/core_perl FIND=$(echo ${BINARY_PATHS_FOUND} | grep ", ${SCANDIR}" | grep -v ", ${SCANDIR}/") - if [ ! -z "${FIND}" ]; then + if [ -n "${FIND}" ]; then SKIPDIR=1; LogText "Result: Skipping this directory as it was already scanned" fi @@ -273,7 +273,7 @@ done else LogText "Result: Directory ${SCANDIR} skipped" - if [ ! -z "${ORGPATH}" ]; then TEXT="${ORGPATH} (links to ${SCANDIR})"; else TEXT="${SCANDIR}"; fi + if [ -n "${ORGPATH}" ]; then TEXT="${ORGPATH} (links to ${SCANDIR})"; else TEXT="${SCANDIR}"; fi fi else LogText "Result: Directory ${SCANDIR} does NOT exist" diff --git a/include/functions b/include/functions index c8f689e7..80096f50 100644 --- a/include/functions +++ b/include/functions @@ -267,16 +267,16 @@ if [ ${RUN_UPDATE_CHECK} -eq 1 ]; then LYNIS_LV_RECORD="lynis-latest-version.cisofy.com." FIND=$(which dig 2> /dev/null | grep -v "no [^ ]* in") - if [ ! -z "${FIND}" ]; then + if [ -n "${FIND}" ]; then PROGRAM_LV=$(dig +short +time=3 -t txt lynis-latest-version.cisofy.com 2> /dev/null | grep -v "connection timed out" | sed 's/[".]//g' | grep "^[1-9][0-9][0-9]$") else FIND=$(which host 2> /dev/null | grep -v "no [^ ]* in ") - if [ ! -z "${FIND}" ]; then + if [ -n "${FIND}" ]; then PROGRAM_LV=$(host -t txt -W 3 lynis-latest-version.cisofy.com 2> /dev/null | grep -v "connection timed out" | awk '{ if ($1=="lynis-latest-version.cisofy.com" && $3=="text") { print $4 }}' | sed 's/"//g' | grep "^[1-9][0-9][0-9]$") if [ "${PROGRAM_LV}" = "" ]; then PROGRAM_LV=0; fi else FIND=$(which drill 2> /dev/null | grep -v "no [^ ]* in ") - if [ ! -z "${FIND}" ]; then + if [ -n "${FIND}" ]; then PROGRAM_LV=$(drill txt ${LYNIS_LV_RECORD} | awk '{ if ($1=="lynis-latest-version.cisofy.com." && $4=="TXT") { print $5 }}' | tr -d '"' | grep "^[1-9][0-9][0-9]$") if [ -z "${PROGRAM_LV}" ]; then PROGRAM_LV=0; fi else @@ -530,7 +530,7 @@ fi fi - if [ ! -z "${TEXT}" ]; then + if [ -n "${TEXT}" ]; then SHOW=0 if [ ${SHOW_WARNINGS_ONLY} -eq 1 ]; then if [ "${RESULT}" = "WARNING" ]; then SHOW=1; fi @@ -571,7 +571,7 @@ ${ECHOCMD} "" ${ECHOCMD} "${WARNING}Error${NORMAL}: ${BOLD}$1${NORMAL}" ${ECHOCMD} "" - if [ ! -z "${EXITCODE}" ]; then ExitCustom ${EXITCODE}; fi + if [ -n "${EXITCODE}" ]; then ExitCustom ${EXITCODE}; fi } @@ -747,12 +747,12 @@ exitcode=1 file=$1 find="" - if [ ! -z "${DPKGBINARY}" ]; then + if [ -n "${DPKGBINARY}" ]; then find=$(${DPKGBINARY} -S "${file}" 2> /dev/null | ${AWKBINARY} -F: '{print $1}') - elif [ ! -z "${RPMBINARY}" ]; then + elif [ -n "${RPMBINARY}" ]; then find=$(${RPMBINARY} -qf "${file}" 2> /dev/null | ${AWKBINARY} -F- '{print $1}') fi - if [ ! -z "${find}" ]; then + if [ -n "${find}" ]; then LogText "Result: file '${file}' belongs to package (${find})" exitcode=0 else @@ -805,7 +805,7 @@ # Check for symlink if [ -L "${escaped_file}" ]; then ShowSymlinkPath ${escaped_file} - if [ ! -z "${SYMLINK}" ]; then escaped_file="${SYMLINK}"; fi + if [ -n "${SYMLINK}" ]; then escaped_file="${SYMLINK}"; fi fi # Only check the file if it isn't a symlink (after previous check) @@ -863,7 +863,7 @@ return 2 fi - if [ ! -z "${HOSTID}" -a ! -z "${HOSTID2}" ]; then + if [ -n "${HOSTID}" -a -n "${HOSTID2}" ]; then Debug "Skipping creation of host identifiers, as they are already configured (via profile)" return 2 fi @@ -936,7 +936,7 @@ "HP-UX") FIND=$(nwmgr -q info -c lan0 2> /dev/null | awk '{ if ($1=="MAC" && $2=="Address") { print $4 }}') if HasData "${FIND}"; then - if [ ! -z "${OPENSSLBINARY}" ]; then + if [ -n "${OPENSSLBINARY}" ]; then HOSTID=$(echo ${FIND} | ${OPENSSLBINARY} sha -sha1 | awk '{ print $2 }') else ReportException "GetHostID" "No openssl binary available on this HP-UX system" @@ -954,7 +954,7 @@ # ip -br link show up | sort | awk '$2=="UP" && $3 ~ /^[a-f0-9][a-f0-9]:/ {print $3}' # Use ifconfig - if [ ! -z "${IFCONFIGBINARY}" ]; then + if [ -n "${IFCONFIGBINARY}" ]; then # Determine if we have the eth0 interface (not all Linux distro have this, e.g. Arch) HASETH0=$(${IFCONFIGBINARY} | grep "^eth0") # Check if we can find it with HWaddr on the line @@ -982,7 +982,7 @@ fi fi - elif [ ! -z "${IPBINARY}" ]; then + elif [ -n "${IPBINARY}" ]; then # Determine if we have the common available eth0 interface FIND=$(${IPBINARY} addr show eth0 2> /dev/null | egrep "link/ether " | head -1 | awk '{ print $2 }' | tr '[:upper:]' '[:lower:]') if IsEmpty "${FIND}"; then @@ -1015,10 +1015,10 @@ ReportException "GetHostID" "No MAC address returned on macOS" fi LYNIS_HOSTID2_PART1=$(hostname -s) - if [ ! -z "${LYNIS_HOSTID2_PART1}" ]; then + if [ -n "${LYNIS_HOSTID2_PART1}" ]; then LogText "Info: using hostname ${LYNIS_HOSTID2_PART1}" LYNIS_HOSTID2_PART2=$(sysctl -n kern.uuid 2> /dev/null) - if [ ! -z "${LYNIS_HOSTID2_PART2}" ]; then + if [ -n "${LYNIS_HOSTID2_PART2}" ]; then LogText "Info: using UUID ${LYNIS_HOSTID2_PART2}" else LogText "Info: could not create HOSTID2 as kern.uuid sysctl key is missing" @@ -1143,17 +1143,17 @@ fi STRING_TO_HASH="" - if [ ${FOUND} -eq 1 -a ! -z "${DATA_SSH}" ]; then + if [ ${FOUND} -eq 1 -a -n "${DATA_SSH}" ]; then LogText "Using SSH public key to create the second host identifier" STRING_TO_HASH="${DATA_SSH}" else - if [ ! -z "${MACHINEID}" ]; then + if [ -n "${MACHINEID}" ]; then LogText "Using the machine ID to create the second host identifier" STRING_TO_HASH="${MACHINEID}" fi fi # Check if we have a string to turn into a host identifier - if [ ! -z "${STRING_TO_HASH}" ]; then + if [ -n "${STRING_TO_HASH}" ]; then # Create hashes if [ ! "${SHA256SUMBINARY}" = "" ]; then HASH2=$(echo ${STRING_TO_HASH} | ${SHA256SUMBINARY} | awk '{ print $1 }') @@ -1172,7 +1172,7 @@ if [ -z "${HOSTID}" ]; then ReportException "GetHostID" "No unique host identifier could be created." return 1 - elif [ ! -z "${HOSTID2}" ]; then + elif [ -n "${HOSTID2}" ]; then return 0 fi } @@ -1228,7 +1228,7 @@ HasData() { if [ $# -eq 1 ]; then - if [ ! -z "$1" ]; then return 0; else return 1; fi + if [ -n "$1" ]; then return 0; else return 1; fi else ExitFatal "Function HasData called without parameters - look in log to determine where this happened, or use sh -x lynis to see all details." fi @@ -1386,7 +1386,7 @@ if [ -z "${search}" ]; then ExitFatal "Missing process to search for when using IsRunning function"; fi RUNNING=0 # AIX does not fully support pgrep options, so using ps instead - if [ ! -z "${PGREPBINARY}" -a ! "${OS}" = "AIX" ]; then + if [ -n "${PGREPBINARY}" -a ! "${OS}" = "AIX" ]; then FIND=$(${PGREPBINARY} ${pgrep_options} "${search}" | ${TRBINARY} '\n' ' ') else if [ -z "${PSOPTIONS}" ]; then @@ -1402,7 +1402,7 @@ FIND=$(${PSBINARY} ${PSOPTIONS} | egrep "( |/)${search}" | grep -v "grep") fi - if [ ! -z "${FIND}" ]; then + if [ -n "${FIND}" ]; then RUNNING=1 LogText "IsRunning: process '${search}' found (${FIND})" return 0 @@ -1421,7 +1421,7 @@ IsNotebook() { FIND=$(which laptop-detect 2> /dev/null | grep -v "no [^ ]* in ") - if [ ! -z "${FIND}" ]; then + if [ -n "${FIND}" ]; then Debug "Testing if we are a notebook" laptop-detect if [ $? -eq 0 ]; then SYSTEM_IS_NOTEBOOK=1; Debug "System is a notebook according to laptop-detect" @@ -1535,7 +1535,7 @@ if [ -x /usr/bin/systemd-detect-virt ]; then LogText "Test: trying to guess virtualization technology with systemd-detect-virt" FIND=$(/usr/bin/systemd-detect-virt) - if [ ! -z "${FIND}" ]; then + if [ -n "${FIND}" ]; then LogText "Result: found ${FIND}" SHORT="${FIND}" fi @@ -1552,7 +1552,7 @@ if [ -x /usr/bin/lscpu ]; then LogText "Test: trying to guess virtualization with lscpu" FIND=$(lscpu | grep -i "^Hypervisor Vendor" | awk -F: '{ print $2 }' | sed 's/ //g') - if [ ! -z "${FIND}" ]; then + if [ -n "${FIND}" ]; then LogText "Result: found ${FIND}" SHORT="${FIND}" else @@ -1576,7 +1576,7 @@ if [ ! "${DMIDECODE_BINARY}" = "" -a ${PRIVILEGED} -eq 1 ]; then LogText "Test: trying to guess virtualization with dmidecode" FIND=$(/usr/sbin/dmidecode -s system-product-name | awk '{ print $1 }') - if [ ! -z "${FIND}" ]; then + if [ -n "${FIND}" ]; then LogText "Result: found ${FIND}" SHORT="${FIND}" else @@ -1820,24 +1820,24 @@ Fatal "Incorrect usage of PackageIsInstalled function" fi - if [ ! -z "${DNFBINARY}" ]; then + if [ -n "${DNFBINARY}" ]; then output=$(${DNFBINARY} --quiet --cacheonly --noplugins --assumeno info --installed ${package} > /dev/null 2>&1) exit_code=$? - elif [ ! -z "${DPKGBINARY}" ]; then + elif [ -n "${DPKGBINARY}" ]; then output=$(${DPKGBINARY} -l ${package} 2> /dev/null | ${GREPBINARY} "^ii") exit_code=$? - elif [ ! -z "${EQUERYBINARY}" ]; then + elif [ -n "${EQUERYBINARY}" ]; then output=$(${EQUERYBINARY} --quiet ${package} > /dev/null 2>&1) exit_code=$? # 0=package installed, 3=package not installed - elif [ ! -z "${PKG_BINARY}" ]; then + elif [ -n "${PKG_BINARY}" ]; then output=$(${PKG_BINARY} -N info ${package} >/dev/null 2>&1) exit_code=$? # 0=package installed, 70=invalid package - elif [ ! -z "${RPMBINARY}" ]; then + elif [ -n "${RPMBINARY}" ]; then output=$(${RPMBINARY} --quiet -q ${package} > /dev/null 2>&1) exit_code=$? - elif [ ! -z "${ZYPPERBINARY}" ]; then + elif [ -n "${ZYPPERBINARY}" ]; then output=$(${ZYPPERBINARY} --quiet --non-interactive search --installed -i ${PACKAGE} 2> /dev/null | grep "^i") - if [ ! -z "${output}" ]; then exit_code=0; else exit_code=1; fi + if [ -n "${output}" ]; then exit_code=0; else exit_code=1; fi else ReportException "PackageIsInstalled:01" fi @@ -2363,7 +2363,7 @@ if [ ${SKIPTEST} -eq 0 -a "${TEST_WEIGHT}" = "M" -a "${SCAN_TEST_MEDIUM}" = "NO" ]; then SKIPTEST=1; SKIPREASON="Test to system intensive for scan mode (M)"; fi # Test if our OS is the same as the requested OS (can be multiple values) - if [ ${SKIPTEST} -eq 0 -a ! -z "${TEST_NEED_OS}" ]; then + if [ ${SKIPTEST} -eq 0 -a -n "${TEST_NEED_OS}" ]; then HASMATCH=0 for I in ${TEST_NEED_OS}; do if [ "${I}" = "${OS}" ]; then HASMATCH=1; fi @@ -2375,12 +2375,12 @@ fi # Skip test when it belongs to another category (default is 'all') - if [ ${SKIPTEST} -eq 0 -a ! -z "${TEST_CATEGORY_TO_CHECK}" -a ! "${TEST_CATEGORY_TO_CHECK}" = "all" -a ! "${TEST_CATEGORY}" = "${TEST_CATEGORY_TO_CHECK}" ]; then + if [ ${SKIPTEST} -eq 0 -a -n "${TEST_CATEGORY_TO_CHECK}" -a ! "${TEST_CATEGORY_TO_CHECK}" = "all" -a ! "${TEST_CATEGORY}" = "${TEST_CATEGORY_TO_CHECK}" ]; then SKIPTEST=1; SKIPREASON="Incorrect category (${TEST_CATEGORY_TO_CHECK} only)" fi # Check for correct hardware platform - if [ ${SKIPTEST} -eq 0 -a ! -z "${TEST_NEED_PLATFORM}" -a ! "${HARDWARE}" = "${TEST_NEED_PLATFORM}" ]; then SKIPTEST=1; SKIPREASON="Incorrect hardware platform"; fi + if [ ${SKIPTEST} -eq 0 -a -n "${TEST_NEED_PLATFORM}" -a ! "${HARDWARE}" = "${TEST_NEED_PLATFORM}" ]; then SKIPTEST=1; SKIPREASON="Incorrect hardware platform"; fi # Not all prerequisites met, like missing tool if [ ${SKIPTEST} -eq 0 -a "${PREQS_MET}" = "NO" ]; then SKIPTEST=1; if [ -z "${SKIPREASON}" ]; then SKIPREASON="Prerequisites not met (ie missing tool, other type of Linux distribution)"; fi; fi @@ -2462,7 +2462,7 @@ # Remove PID file RemovePIDFile() { # Test if PIDFILE is defined, before checking file presence - if [ ! -z "${PIDFILE}" ]; then + if [ -n "${PIDFILE}" ]; then if [ -f "${PIDFILE}" ]; then rm -f "${PIDFILE}" LogText "PID file removed (${PIDFILE})" @@ -2486,7 +2486,7 @@ for FILE in ${TEMP_FILES}; do # Temporary files should be in /tmp TMPFILE=$(echo ${FILE} | egrep "^/tmp/lynis" | grep -v "\.\.") - if [ ! -z "${TMPFILE}" ]; then + if [ -n "${TMPFILE}" ]; then if [ -f "${TMPFILE}" ]; then LogText "Action: removing temporary file ${TMPFILE}" rm -f "${TMPFILE}" @@ -2887,7 +2887,7 @@ # Check if we can find the main type (with or without brackets) LogText "Test: search string ${STRING} in file ${FILE}" FIND=$(egrep "${STRING}" ${FILE}) - if [ ! -z "${FIND}" ]; then + if [ -n "${FIND}" ]; then LogText "Result: found search string '${STRING}'" if [ ${MASK_LOG} -eq 0 ]; then LogText "Full string returned: ${FIND}"; fi RETVAL=0 @@ -3285,7 +3285,7 @@ ################################################################################ ViewGroups() { - if [ ! -z "${INCLUDEDIR}" ]; then + if [ -n "${INCLUDEDIR}" ]; then for I in $(ls ${INCLUDEDIR}/tests_* | xargs -n 1 basename | sed 's/tests_//' | grep -v "custom.template"); do echo "${I}" done diff --git a/include/helper_audit_dockerfile b/include/helper_audit_dockerfile index 3d18556f..b3eff024 100644 --- a/include/helper_audit_dockerfile +++ b/include/helper_audit_dockerfile @@ -59,11 +59,11 @@ fi IS_ALPINE=$(echo ${IMAGE} | grep -i alpine) IS_LATEST=$(echo ${TAG} | grep -i latest) - if [ ! -z "${IS_DEBIAN}" ]; then IMAGE="debian"; fi - if [ ! -z "${IS_FEDORA}" ]; then IMAGE="fedora"; fi - if [ ! -z "${IS_UBUNTU}" ]; then IMAGE="ubuntu"; fi - if [ ! -z "${IS_ALPINE}" ]; then IMAGE="alpine"; fi - if [ ! -z "${IS_LATEST}" ]; then + if [ -n "${IS_DEBIAN}" ]; then IMAGE="debian"; fi + if [ -n "${IS_FEDORA}" ]; then IMAGE="fedora"; fi + if [ -n "${IS_UBUNTU}" ]; then IMAGE="ubuntu"; fi + if [ -n "${IS_ALPINE}" ]; then IMAGE="alpine"; fi + if [ -n "${IS_LATEST}" ]; then ReportWarning "dockerfile" "latest TAG used. Specifying a targeted OS image and version is better for reproducible results." fi diff --git a/include/helper_show b/include/helper_show index d1086378..8f906d99 100644 --- a/include/helper_show +++ b/include/helper_show @@ -154,7 +154,7 @@ if [ $# -gt 0 ]; then # Check also for gzipped changelog elif [ -f ${FILEPATH}/changelog.gz ]; then ZCAT=$(which zcat 2> /dev/null | grep -v "no [^ ]* in ") - if [ ! -z "${ZCAT}" ]; then + if [ -n "${ZCAT}" ]; then CreateTempFile CHANGELOG="${TEMP_FILE}" LogText "Result: found gzipped changelog in ${FILEPATH}" @@ -164,9 +164,9 @@ if [ $# -gt 0 ]; then DisplayError "Could not find zcat utility to use on gzipped changelog" fi fi - if [ ! -z "${CHANGELOG}" ]; then LogText "Result: found changelog file: ${CHANGELOG}"; break; fi + if [ -n "${CHANGELOG}" ]; then LogText "Result: found changelog file: ${CHANGELOG}"; break; fi done - if [ ! -z "${CHANGELOG}" ]; then + if [ -n "${CHANGELOG}" ]; then SEARCH=$(sed 's/^## //' ${CHANGELOG} | grep -E "^${PROGRAM_NAME} ${SEARCH_VERSION}") if [ $? -eq 0 ]; then while read -r LINE; do @@ -358,7 +358,7 @@ if [ $# -gt 0 ]; then VALUE=$(echo ${LINE} | awk -F';' '{print $2}') DESCRIPTION=$(echo ${LINE} | awk -F';' '{print $3}' | sed 's/:space:/ /g') if [ -z "${VALUE}" -a ${CONFIGURED_ONLY_OUTPUT} -eq 0 ]; then VALUE="${GRAY}[not configured]${NORMAL}"; fi - if [ ! -z "${VALUE}" ]; then + if [ -n "${VALUE}" ]; then if [ ${BRIEF_OUTPUT} -eq 0 ]; then ${ECHOCMD} "${GRAY}# ${DESCRIPTION}${NORMAL}"; fi ${ECHOCMD} "${WHITE}${SETTING}${NORMAL}=${CYAN}${VALUE}${NORMAL}" if [ ${BRIEF_OUTPUT} -eq 0 ]; then ${ECHOCMD} ""; fi diff --git a/include/osdetection b/include/osdetection index a6c18bb5..95f2e014 100644 --- a/include/osdetection +++ b/include/osdetection @@ -139,7 +139,7 @@ # Generic if [ -e /etc/os-release ]; then OS_ID=$(grep "^ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') - if [ ! -z "${OS_ID}" ]; then + if [ -n "${OS_ID}" ]; then case ${OS_ID} in "arch") LINUX_VERSION="Arch Linux" @@ -513,14 +513,14 @@ EOL=255 EOL_DATE="" EOL_TIMESTAMP=0 - if [ ! -z "${OS_VERSION}" ]; then + if [ -n "${OS_VERSION}" ]; then if [ -f "${DBDIR}/software-eol.db" ]; then FIND="${OS_FULLNAME}" EOL_TIMESTAMP=$(awk -v value="${FIND}" -F: '{if ($1=="os" && value ~ $2){print $4}}' ${DBDIR}/software-eol.db | head -n 1) - if [ ! -z "${EOL_TIMESTAMP}" ]; then + if [ -n "${EOL_TIMESTAMP}" ]; then EOL_DATE=$(awk -v value="${FIND}" -F: '{if ($1=="os" && value ~ $2){print $3}}' ${DBDIR}/software-eol.db | head -n 1) NOW=$(date "+%s") - if [ ! -z "${NOW}" ]; then + if [ -n "${NOW}" ]; then if [ ${NOW} -gt ${EOL_TIMESTAMP} ]; then EOL=1 else diff --git a/include/profiles b/include/profiles index ad5e6b07..e27c84cd 100644 --- a/include/profiles +++ b/include/profiles @@ -77,7 +77,7 @@ # Is Lynis Enterprise allowed to purge this system when it is becomes outdated? allow-auto-purge) FIND=$(echo "${VALUE}" | egrep "^(1|true|yes)$") - if [ ! -z "${FIND}" ]; then + if [ -n "${FIND}" ]; then Report "allow-auto-purge=1" else Report "allow-auto-purge=0" @@ -110,7 +110,7 @@ # Quick mode (SKIP_PLUGINS) might already be set outside profile, so store in different variable SETTING_COLORS=1 # default is yes FIND=$(echo "${VALUE}" | egrep "^(0|false|no)$") && COLORS=0 - if [ ! -z "${FIND}" ]; then SETTING_COLORS=0; RemoveColors; fi + if [ -n "${FIND}" ]; then SETTING_COLORS=0; RemoveColors; fi Debug "Colors set to ${SETTING_COLORS}" AddSetting "colors" "${SETTING_COLORS}" "Colored screen output" unset SETTING_COLORS @@ -204,7 +204,7 @@ ;; hostalias | host-alias) - if [ ! -z "${VALUE}" ]; then Report "hostname_alias=${VALUE}"; fi + if [ -n "${VALUE}" ]; then Report "hostname_alias=${VALUE}"; fi ;; hostid) @@ -223,13 +223,13 @@ # Language language | lang) LogText "Language set via profile to '${VALUE}'" - if [ ! -z "${VALUE}" ]; then LANGUAGE="${VALUE}"; fi + if [ -n "${VALUE}" ]; then LANGUAGE="${VALUE}"; fi AddSetting "language" "${LANGUAGE}" "Language" ;; # Lynis Enterprise license key license-key | license_key) - if [ ! -z "${VALUE}" ]; then + if [ -n "${VALUE}" ]; then LICENSE_KEY="${VALUE}" Report "license_key=${VALUE}" fi @@ -291,7 +291,7 @@ # Quick mode might already be set outside profile, so store in different variable SETTING_QUICK_MODE=1 # default is yes FIND=$(echo "${VALUE}" | egrep "^(0|false|no)$") && QUICKMODE=0 - if [ ! -z "${FIND}" ]; then SETTING_QUICK_MODE=1; fi + if [ -n "${FIND}" ]; then SETTING_QUICK_MODE=1; fi Debug "Quickmode set to ${SETTING_QUICK_MODE}" AddSetting "quick" "${SETTING_QUICK_MODE}" "Quick mode (non-interactive)" ;; @@ -300,7 +300,7 @@ refresh-repositories) SETTING_REFRESH_REPOSITORIES=1 # default is yes FIND=$(echo "${VALUE}" | egrep "^(0|false|no)$") && REFRESH_REPOSITORIES=0 - if [ ! -z "${FIND}" ]; then SETTING_REFRESH_REPOSITORIES=0; fi + if [ -n "${FIND}" ]; then SETTING_REFRESH_REPOSITORIES=0; fi Debug "Refreshing repositories set to ${SETTING_REFRESH_REPOSITORIES}" AddSetting "refresh-repositories" "${SETTING_REFRESH_REPOSITORIES}" "Refresh repositories (for vulnerable package detection)" ;; @@ -309,7 +309,7 @@ show-report-solution) SETTING_SHOW_REPORT_SOLUTION=${SHOW_REPORT_SOLUTION} FIND=$(echo "${VALUE}" | egrep "^(0|false|no)$") && SHOW_REPORT_SOLUTION=0 - if [ ! -z "${FIND}" ]; then SETTING_SHOW_REPORT_SOLUTION=0; fi + if [ -n "${FIND}" ]; then SETTING_SHOW_REPORT_SOLUTION=0; fi Debug "Show report details (solution) set to ${SETTING_SHOW_REPORT_SOLUTION}" ;; @@ -317,7 +317,7 @@ show_tool_tips | show-tool-tips) SETTING_SHOW_TOOL_TIPS=1 # default is yes FIND=$(echo "${VALUE}" | egrep "^(0|false|no)$") && SHOW_TOOL_TIPS=0 - if [ ! -z "${FIND}" ]; then SETTING_SHOW_TOOL_TIPS=0; fi + if [ -n "${FIND}" ]; then SETTING_SHOW_TOOL_TIPS=0; fi Debug "Show tool tips set to ${SETTING_SHOW_TOOL_TIPS}" AddSetting "show-tool-tips" "${SETTING_SHOW_TOOL_TIPS}" "Show tool tips" ;; @@ -336,7 +336,7 @@ # Skip plugins (SKIP_PLUGINS) might already be set, so store in different variable SETTING_SKIP_PLUGINS=0 # default is no FIND=$(echo "${VALUE}" | egrep "^(1|true|yes)$") && SKIP_PLUGINS=1 - if [ ! -z "${FIND}" ]; then SETTING_SKIP_PLUGINS=1; fi + if [ -n "${FIND}" ]; then SETTING_SKIP_PLUGINS=1; fi Debug "Skip plugins is set to ${SETTING_SKIP_PLUGINS}" AddSetting "skip-plugins" "${SETTING_SKIP_PLUGINS}" "Skip plugins" ;; @@ -374,17 +374,17 @@ # The name of the customer/client that uses this system system-customer-name) - if [ ! -z "${VALUE}" ]; then Report "system-customer-name=${VALUE}"; fi + if [ -n "${VALUE}" ]; then Report "system-customer-name=${VALUE}"; fi ;; # The groups linked to a system (system-groups=customers,webservers,production) system-groups) - if [ ! -z "${VALUE}" ]; then Report "system-groups=${VALUE}"; fi + if [ -n "${VALUE}" ]; then Report "system-groups=${VALUE}"; fi ;; # Tags (tags=db,production,ssn-1304) tags) - if [ ! -z "${VALUE}" ]; then Report "tags=${VALUE}"; fi + if [ -n "${VALUE}" ]; then Report "tags=${VALUE}"; fi ;; # Define what kind of scan we are performing @@ -399,7 +399,7 @@ upload) SETTING_UPLOAD=no # default FIND=$(echo "${VALUE}" | egrep "^(1|true|yes)$") && UPLOAD_DATA=1 - if [ ! -z "${FIND}" ]; then SETTING_UPLOAD=1; fi + if [ -n "${FIND}" ]; then SETTING_UPLOAD=1; fi Debug "Upload set to ${SETTING_UPLOAD}" AddSetting "upload" "${SETTING_UPLOAD}" "Data upload after scanning" unset SETTING_UPLOAD @@ -499,12 +499,12 @@ ################################################################################# # SKIP_TESTS=$(echo ${SKIP_TESTS} | sed "s/^ //") - if [ ! -z "${SKIP_TESTS}" ]; then LogText "Skip tests: ${SKIP_TESTS}"; fi + if [ -n "${SKIP_TESTS}" ]; then LogText "Skip tests: ${SKIP_TESTS}"; fi # ################################################################################# # # Add group name to report - deprecated - if [ ! -z "${GROUP_NAME}" ]; then Report "group=${GROUP_NAME}"; fi + if [ -n "${GROUP_NAME}" ]; then Report "group=${GROUP_NAME}"; fi # ################################################################################# # @@ -531,7 +531,7 @@ # ################################################################################# # - if [ ! -z "${DEPRECATED_OPTION}" ]; then + if [ -n "${DEPRECATED_OPTION}" ]; then ReportWarning "LYNIS" "One or more deprecated options used" "${DEPRECATED_OPTION}" "Update your profile" fi # diff --git a/include/report b/include/report index 88d75ce0..c340da53 100644 --- a/include/report +++ b/include/report @@ -31,7 +31,7 @@ Report "firewall_empty_ruleset=${FIREWALL_EMPTY_RULESET}" Report "firewall_installed=${FIREWALL_ACTIVE}" - if [ ! -z "${INSTALLED_PACKAGES}" ]; then Report "installed_packages_array=${INSTALLED_PACKAGES}"; fi + if [ -n "${INSTALLED_PACKAGES}" ]; then Report "installed_packages_array=${INSTALLED_PACKAGES}"; fi Report "package_audit_tool=${PACKAGE_AUDIT_TOOL}" Report "package_audit_tool_found=${PACKAGE_AUDIT_TOOL_FOUND}" @@ -139,7 +139,7 @@ done IS_CUSTOM=$(echo ${ADDLINK} | grep "^CUST") echo " ${RED}!${NORMAL} ${SHOWWARNING}" - if [ ! "${DETAILS}" = "-" -a ! -z "${DETAILS}" ]; then echo " - Details : ${CYAN}${DETAILS}${NORMAL}"; fi + if [ ! "${DETAILS}" = "-" -a -n "${DETAILS}" ]; then echo " - Details : ${CYAN}${DETAILS}${NORMAL}"; fi if [ ${SHOW_REPORT_SOLUTION} -eq 1 -a ! "${SOLUTION}" = "-" ]; then echo " - Solution : ${SOLUTION}"; fi if [ -z "${IS_CUSTOM}" ]; then echo " ${CONTROL_URL_PROTOCOL}://${CONTROL_URL_PREPEND}${ADDLINK}${CONTROL_URL_APPEND}" @@ -172,7 +172,7 @@ done IS_CUSTOM=$(echo ${ADDLINK} | grep "^CUST") echo " ${YELLOW}*${NORMAL} ${SHOWSUGGESTION}" - if [ ! "${DETAILS}" = "-" -a ! -z "${DETAILS}" ]; then echo " - Details : ${CYAN}${DETAILS}${NORMAL}"; fi + if [ ! "${DETAILS}" = "-" -a -n "${DETAILS}" ]; then echo " - Details : ${CYAN}${DETAILS}${NORMAL}"; fi if [ ${SHOW_REPORT_SOLUTION} -eq 1 -a ! "${SOLUTION}" = "-" ]; then echo " - Solution : ${SOLUTION}"; fi if [ -z "${IS_CUSTOM}" ]; then echo " ${GRAY}${CONTROL_URL_PROTOCOL}://${CONTROL_URL_PREPEND}${ADDLINK}${CONTROL_URL_APPEND}${NORMAL}" diff --git a/include/tests_accounting b/include/tests_accounting index 827f412a..2b2ceb46 100644 --- a/include/tests_accounting +++ b/include/tests_accounting @@ -105,7 +105,7 @@ if [ -f ${ROOTDIR}etc/default/sysstat ]; then LogText "Result: ${ROOTDIR}etc/default/sysstat found" FIND=$(${GREPBINARY} "^ENABLED" ${ROOTDIR}etc/default/sysstat | ${GREPBINARY} -i true) - if [ ! -z "${FIND}" ]; then + if [ -n "${FIND}" ]; then LogText "Result: sysstat enabled via ${ROOTDIR}etc/default/sysstat" Display --indent 2 --text "- Checking sysstat accounting data" --result "${STATUS_ENABLED}" --color GREEN else @@ -115,7 +115,7 @@ fi elif [ -f ${ROOTDIR}etc/cron.d/sysstat ]; then FIND=$(${GREPBINARY} -v '^[[:space:]]*\(#\|$\)' ${ROOTDIR}etc/cron.d/sysstat) - if [ ! -z "${FIND}" ]; then + if [ -n "${FIND}" ]; then LogText "Result: sysstat enabled via ${ROOTDIR}etc/cron.d/sysstat" Display --indent 2 --text "- Checking sysstat accounting data" --result "${STATUS_ENABLED}" --color GREEN else @@ -134,7 +134,7 @@ # # Test : ACCT-9628 # Description : Check auditd status - if [ ! -z "${AUDITDBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + if [ -n "${AUDITDBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no ACCT-9628 --os Linux --weight L --network NO --category security --description "Check for auditd" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Check auditd status" @@ -163,7 +163,7 @@ # # Test : ACCT-9630 # Description : Check auditd rules - if [ ! -z "${AUDITDBINARY}" -a ! -z "${AUDITCTLBINARY}" -a ${LINUX_AUDITD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + if [ -n "${AUDITDBINARY}" -a -n "${AUDITCTLBINARY}" -a ${LINUX_AUDITD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no ACCT-9630 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --root-only YES --category security --description "Check for auditd rules" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Checking auditd rules" @@ -189,7 +189,7 @@ # # Test : ACCT-9632 # Description : Check auditd configuration file - if [ ! -z "${AUDITDBINARY}" -a ${LINUX_AUDITD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + if [ -n "${AUDITDBINARY}" -a ${LINUX_AUDITD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no ACCT-9632 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for auditd configuration file" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Checking auditd configuration file" @@ -202,7 +202,7 @@ fi done # Check if we discovered the configuration file. It should be there is the binaries are available and process is running - if [ ! -z "${AUDITD_CONF_FILE}" ]; then + if [ -n "${AUDITD_CONF_FILE}" ]; then Display --indent 4 --text "- Checking audit configuration file" --result "${STATUS_OK}" --color GREEN else LogText "Result: could not find auditd configuration file" @@ -215,12 +215,12 @@ # # Test : ACCT-9634 # Description : Check auditd log file - if [ ! -z "${AUDITDBINARY}" -a ${LINUX_AUDITD_RUNNING} -eq 1 -a ! -z "${AUDITD_CONF_FILE}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + if [ -n "${AUDITDBINARY}" -a ${LINUX_AUDITD_RUNNING} -eq 1 -a -n "${AUDITD_CONF_FILE}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no ACCT-9634 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for auditd log file" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Checking auditd log file" FIND=$(${GREPBINARY} "^log_file" ${AUDITD_CONF_FILE} | ${AWKBINARY} '{ if ($1=="log_file" && $2=="=") { print $3 } }') - if [ ! -z "${FIND}" ]; then + if [ -n "${FIND}" ]; then LogText "Result: log file is defined" LogText "Defined value: ${FIND}" if [ -f ${FIND} ]; then @@ -252,7 +252,7 @@ if [ -f ${ROOTDIR}etc/ld.so.preload ]; then LogText "Result: found ${ROOTDIR}etc/ld.so.preload, testing if snoopy.so is listed" FIND=$(${GREPBINARY} ${FILE} ${ROOTDIR}etc/ld.so.preload) - if [ ! -z "${FIND}" ]; then + if [ -n "${FIND}" ]; then LogText "Result: found snoopy in ld.so.preload" LogText "Output: ${FIND}" Display --indent 6 --text "- Library in ld.so.preload" --result "LOADED" --color GREEN @@ -298,7 +298,7 @@ if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: check if auditd service is enabled and online" FIND=$(${ROOTDIR}usr/bin/svcs svc:/system/auditd:default | ${GREPBINARY} "^online") - if [ ! -z "${FIND}" ]; then + if [ -n "${FIND}" ]; then LogText "Result: auditd service is online" Display --indent 4 --text "- Checking Solaris audit daemon status" --result "${STATUS_ON}"LINE --color GREEN else @@ -317,7 +317,7 @@ LogText "Test: check if BSM is enabled in ${ROOTDIR}etc/system" if [ -f ${ROOTDIR}etc/system ]; then FIND=$(${GREPBINARY} 'set c2audit:audit_load = 1' ${ROOTDIR}etc/system) - if [ ! -z "${FIND}" ]; then + if [ -n "${FIND}" ]; then LogText "Result: BSM is enabled in ${ROOTDIR}etc/system" Display --indent 4 --text "- Checking Solaris BSM (${ROOTDIR}etc/system)" --result "${STATUS_ENABLED}" --color GREEN else @@ -339,7 +339,7 @@ LogText "Test: check if c2audit module is active" if [ -x ${ROOTDIR}usr/sbin/modinfo ]; then FIND=$(${ROOTDIR}usr/sbin/modinfo | ${GREPBINARY} c2audit) - if [ ! -z "${FIND}" ]; then + if [ -n "${FIND}" ]; then LogText "Result: c2audit found in modinfo output" Display --indent 4 --text "- Checking Solaris BSM (modules list)" --result "${STATUS_ENABLED}" --color GREEN else @@ -362,7 +362,7 @@ if [ -f ${ROOTDIR}etc/security/audit_control ]; then LogText "Result: file ${ROOTDIR}etc/security/audit_control found" FIND=$(${GREPBINARY} "^dir" ${ROOTDIR}etc/security/audit_control | ${AWKBINARY} -F: '{ print $2 }') - if [ ! -z "${FIND}" ]; then + if [ -n "${FIND}" ]; then LogText "Result: found location ${FIND}" LogText "Test: Checking if location is a valid directory" if [ -d ${FIND} ]; then diff --git a/include/tests_authentication b/include/tests_authentication index 6c867da6..c931ab77 100644 --- a/include/tests_authentication +++ b/include/tests_authentication @@ -46,7 +46,7 @@ else FIND=$(${GREPBINARY} ':0:' ${ROOTDIR}etc/passwd | ${EGREPBINARY} -v '^#|^root:|^(\+:\*)?:0:0:::' | ${CUTBINARY} -d ":" -f1,3 | ${GREPBINARY} ':0') fi - if [ ! -z "${FIND}" ]; then + if [ -n "${FIND}" ]; then Display --indent 2 --text "- Administrator accounts" --result "${STATUS_WARNING}" --color RED LogText "Result: Found more than one administrator accounts" ReportWarning "${TEST_NO}" "Multiple users with UID 0 found in passwd file" @@ -124,7 +124,7 @@ # Test : AUTH-9216 # Description : Check /etc/group and shadow group files # Notes : Run grpck to test group files (most likely /etc/group and shadow group files) - if [ ! -z "${GRPCKBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + if [ -n "${GRPCKBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no AUTH-9216 --preqs-met ${PREQS_MET} --weight L --network NO --root-only YES --category security --description "Check group and shadow group files" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Checking for grpck binary output" @@ -363,7 +363,7 @@ "macOS") LogText "macOS real users output (ID = 0, or 500-599) using dscacheutil" FIND_USERS=$(dscacheutil -q user | ${GREPBINARY} -A 3 -B 2 -e "^uid: 5[0-9][0-9]" | ${GREPBINARY} "^name: " | ${AWKBINARY} '{print $2}') - if [ ! -z "${FIND_USERS}" ]; then + if [ -n "${FIND_USERS}" ]; then for FUSERNAME in ${FIND_USERS}; do FDETAILS=$(dscacheutil -q user -a name ${FUSERNAME} | ${GREPBINARY} "^uid: " | ${AWKBINARY} '{print $2}') FIND="${FUSERNAME},${FDETAILS} ${FIND}" @@ -397,7 +397,7 @@ else Display --indent 2 --text "- Query system users (non daemons)" --result "${STATUS_DONE}" --color GREEN for I in ${FIND}; do - if [ ! -z "${I}" ]; then + if [ -n "${I}" ]; then LogText "Real user: ${I}" Report "real_user[]=${I}" fi @@ -419,7 +419,7 @@ else FIND2=$(${EGREPBINARY} "^passwd_compat" ${ROOTDIR}etc/nsswitch.conf | ${GREPBINARY} "nisplus") FIND3=$(${EGREPBINARY} "^passwd" ${ROOTDIR}etc/nsswitch.conf | ${GREPBINARY} "nisplus") - if [ ! -z "${FIND2}" -o ! -z "${FIND3}" ]; then + if [ -n "${FIND2}" -o -n "${FIND3}" ]; then LogText "Result: NIS+ authentication enabled" Display --indent 2 --text "- NIS+ authentication support" --result "${STATUS_ENABLED}" --color GREEN else @@ -446,7 +446,7 @@ else FIND2=$(${EGREPBINARY} "^passwd_compat" /etc/nsswitch.conf | ${GREPBINARY} "nis" | ${GREPBINARY} -v "nisplus") FIND3=$(${EGREPBINARY} "^passwd" /etc/nsswitch.conf | ${GREPBINARY} "nis" | ${GREPBINARY} -v "nisplus") - if [ ! -z "${FIND2}" -o ! -z "${FIND3}" ]; then + if [ -n "${FIND2}" -o -n "${FIND3}" ]; then LogText "Result: NIS authentication enabled" Display --indent 2 --text "- NIS authentication support" --result "${STATUS_ENABLED}" --color GREEN else @@ -489,7 +489,7 @@ # # Test : AUTH-9252 # Description : Check ownership and permissions for sudo configuration files - if [ ! -z "${SUDOERS_FILE}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + if [ -n "${SUDOERS_FILE}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no AUTH-9252 --preqs-met ${PREQS_MET} --weight L --network NO --root-only YES --category security --description "Check ownership and permissions for sudo configuration files" if [ ${SKIPTEST} -eq 0 ]; then SUDO_CONFIG_FILES="${SUDOERS_FILE}" @@ -680,7 +680,7 @@ else FIND=$(find ${DIR} -maxdepth 1 -type f -name "pam_*.so" -print | sort) fi - if [ ! -z "${FIND}" ]; then FOUND=1; fi + if [ -n "${FIND}" ]; then FOUND=1; fi for FILE in ${FIND}; do LogText "Found file: ${FILE}" Report "pam_module[]=${FILE}" @@ -712,7 +712,7 @@ LogText "Result: file ${FILE} exists" LogText "Test: checking presence LDAP module" FIND=$(${GREPBINARY} "^auth.*ldap" ${FILE}) - if [ ! -z "${FIND}" ]; then + if [ -n "${FIND}" ]; then LogText "Result: LDAP module present" LogText "Output: ${FIND}" LDAP_AUTH_ENABLED=1 @@ -868,7 +868,7 @@ LogText "Test: collecting accounts which have an expired password (last day changed + maximum change time)" # Skip fields with a !, *, or x, or !* (field $3 is last changed, $5 is maximum changed) FIND=$(${EGREPBINARY} -v ":[\!\*x]([\*\!])?:" /etc/shadow | ${AWKBINARY} -v today=${DAYS_SINCE_EPOCH} -F: '{ if (($5!="") && (today>$3+$5)) { print $1 }}') - if [ ! -z "${FIND}" ]; then + if [ -n "${FIND}" ]; then for ACCOUNT in ${FIND}; do LogText "Result: password of user ${ACCOUNT} has been expired" Report "account_password_expired[]=${ACCOUNT}" @@ -961,7 +961,7 @@ LogText "Test: checking presence sulogin for single user mode" FIND=$(${EGREPBINARY} "^[a-zA-Z0-9~]+:S:(respawn|wait):/sbin/sulogin" /etc/inittab) FIND2=$(${EGREPBINARY} "^su:S:(respawn|wait):/sbin/sulogin" /etc/inittab) - if [ ! -z "${FIND}" -o ! -z "${FIND2}" ]; then + if [ -n "${FIND}" -o -n "${FIND2}" ]; then FOUND=1 LogText "Result: found sulogin, so single user is protected" fi @@ -976,7 +976,7 @@ LogText "Result: file ${ROOTDIR}etc/sysconfig/init exists" LogText "Test: checking presence sulogin for single user mode" FIND=$(${GREPBINARY} "^SINGLE=/sbin/sulogin" ${ROOTDIR}etc/sysconfig/init) - if [ ! -z "${FIND}" ]; then + if [ -n "${FIND}" ]; then FOUND=1 LogText "Result: found sulogin, so single user is protected" fi @@ -1045,7 +1045,7 @@ if [ -d ${ROOTDIR}etc/profile.d ]; then FOUND=0 FIND=$(ls ${ROOTDIR}etc/profile.d/* 2> /dev/null) - if [ ! -z "${FIND}" ]; then + if [ -n "${FIND}" ]; then LogText "Result: found /etc/profile.d, with one or more files in it" for FILE in ${FIND}; do HAS_MASK=$(${GREPBINARY} umask ${FILE} | ${SEDBINARY} 's/^[ \t]*//' | ${GREPBINARY} -v "^#" | ${AWKBINARY} '{ print $2 }') @@ -1309,7 +1309,7 @@ if [ -f ${ROOTDIR}etc/default/login ]; then LogText "Result: file ${ROOTDIR}etc/default/login exists" FIND=$(${GREPBINARY} "^RETRIES" ${ROOTDIR}etc/default/login) - if [ ! -z "${FIND}" ]; then + if [ -n "${FIND}" ]; then FOUND=1 LogText "Result: retries option configured" LogText "Output: ${FIND}" @@ -1429,7 +1429,7 @@ # # Test : AUTH-9410 # Description : Check for doas file permissions - if [ ! -z "${DOAS_FILE}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + if [ -n "${DOAS_FILE}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no AUTH-9410 --os OpenBSD --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check /etc/doas.conf file permissions" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: checking /etc/doas.conf permissions" @@ -1450,7 +1450,7 @@ Report "auth_failed_logins_logged=${AUTH_FAILED_LOGINS_LOGGED}" Report "ldap_auth_enabled=${LDAP_AUTH_ENABLED}" Report "ldap_pam_enabled=${LDAP_PAM_ENABLED}" -if [ ! -z "${LDAP_CLIENT_CONFIG_FILE}" ]; then Report "ldap_config_file=${LDAP_CLIENT_CONFIG_FILE}"; fi +if [ -n "${LDAP_CLIENT_CONFIG_FILE}" ]; then Report "ldap_config_file=${LDAP_CLIENT_CONFIG_FILE}"; fi Report "password_min_days=${PASSWORD_MINIMUM_DAYS}" Report "password_max_days=${PASSWORD_MAXIMUM_DAYS}" diff --git a/include/tests_boot_services b/include/tests_boot_services index 42b8dab1..2fee353f 100644 --- a/include/tests_boot_services +++ b/include/tests_boot_services @@ -46,7 +46,7 @@ LogText "Test: Query bootinfo for AIX boot device" if [ -x /usr/sbin/bootinfo ]; then FIND=$(/usr/sbin/bootinfo -b) - if [ ! -z "${FIND}" ]; then + if [ -n "${FIND}" ]; then LogText "Result: found boot device ${FIND}" Display --indent 2 --text "- Checking boot device (bootinfo)" --result "${STATUS_FOUND}" --color GREEN BOOT_LOADER="ROS" @@ -76,7 +76,7 @@ FILENAME=$(echo "${OUTPUT}" | ${AWKBINARY} '{print $1}') LogText "Result: file on disk = ${FILENAME}" ISFILE=$(echo ${FILENAME} | ${GREPBINARY} "^/") - if [ ! -z "${ISFILE}" ]; then + if [ -n "${ISFILE}" ]; then if [ -L ${ISFILE} ]; then ShowSymlinkPath ${ISFILE} FILENAME="${SYMLINK}" @@ -86,7 +86,7 @@ LogText "Result: cmdline of PID 1 is not a file" fi fi - if [ ! -z "${FILENAME}" ]; then + if [ -n "${FILENAME}" ]; then SHORTNAME=$(echo ${FILENAME} | ${AWKBINARY} -F/ '{ print $NF }') LogText "Found: ${SHORTNAME}" if [ "${SERVICE_MANAGER}" = "unknown" ]; then @@ -110,7 +110,7 @@ ;; *) CONTAINS_SYSTEMD=$(echo ${SHORTNAME} | ${GREPBINARY} "systemd") - if [ ! -z "${CONTAINS_SYSTEMD}" ]; then + if [ -n "${CONTAINS_SYSTEMD}" ]; then SERVICE_MANAGER="systemd" else LogText "Found ${SHORTNAME}. Unclear what service manager this is" @@ -204,7 +204,7 @@ LogText "Test: determine if Secure Boot is used" if [ -d ${ROOTDIR}sys/firmware/efi/efivars ]; then FIND=$(${LSBINARY} ${ROOTDIR}sys/firmware/efi/efivars/SecureBoot-* 2> /dev/null) - if [ ! -z "${FIND}" ]; then + if [ -n "${FIND}" ]; then for FILE in ${FIND}; do LogText "Test: checking file ${FILE}" # TODO: add detection for od @@ -295,7 +295,7 @@ # Some OSes like Gentoo do not have /boot mounted by default # TODO: root directory and rewrite ls statement if [ -d /boot ]; then - if [ "$(ls /boot/* 2> /dev/null)" = "" -a ! -z "${GRUB2INSTALLBINARY}" ]; then + if [ "$(ls /boot/* 2> /dev/null)" = "" -a -n "${GRUB2INSTALLBINARY}" ]; then BOOT_LOADER_FOUND=1 LogText "Result: found empty /boot, however with GRUB2 binary installed. Best guess is that GRUB2 is actually installed, but /boot not mounted" Display --indent 2 --text "- Checking presence GRUB2" --result "POSSIBLE MATCH" --color YELLOW @@ -312,7 +312,7 @@ # # Test : BOOT-5122 # Description : Check for GRUB boot loader configuration - if [ ! -z "${GRUBCONFFILE}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + if [ -n "${GRUBCONFFILE}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no BOOT-5122 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for GRUB boot password" if [ ${SKIPTEST} -eq 0 ]; then FOUND=0 @@ -325,11 +325,11 @@ FIND4=$(${GREPBINARY} 'password_pbkdf2' ${GRUBCONFFILE} | ${GREPBINARY} -v '^#') FIND5=$(${GREPBINARY} 'grub.pbkdf2' ${GRUBCONFFILE} | ${GREPBINARY} -v '^#') # GRUB1: Password should be set (MD5 or SHA1) - if [ ! -z "${FIND}" -o ! -z "${FIND2}" ]; then + if [ -n "${FIND}" -o -n "${FIND2}" ]; then FOUND=1 # GRUB2: Superusers AND password should be defined - elif [ ! -z "${FIND3}" ]; then - if [ ! -z "${FIND4}" -o ! -z "${FIND5}" ]; then FOUND=1; fi + elif [ -n "${FIND3}" ]; then + if [ -n "${FIND4}" -o -n "${FIND5}" ]; then FOUND=1; fi fi if [ ${FOUND} -eq 1 ]; then Display --indent 4 --text "- Checking for password protection" --result "${STATUS_OK}" --color GREEN @@ -599,7 +599,7 @@ else LogText "Result: systemctl binary not found, checking chkconfig binary" - if [ ! -z "${CHKCONFIGBINARY}" ]; then + if [ -n "${CHKCONFIGBINARY}" ]; then LogText "Result: chkconfig binary found, trying that to discover information" LogText "Searching for services at startup (chkconfig, runlevel 3 and 5)" FIND=$(${CHKCONFIGBINARY} --list | ${EGREPBINARY} '3:on|5:on' | ${AWKBINARY} '{ print $1 }') @@ -634,7 +634,7 @@ if [ "${sRUNLEVEL}" = "2" ]; then LogText "Result: performing find in /etc/rc2.d as runlevel 2 is found" FIND=$(${FINDBINARY} ${ROOTDIR}etc/rc2.d -type l -print | ${CUTBINARY} -d '/' -f4 | ${SEDBINARY} "s/S[0-9][0-9]//g" | sort) - if [ ! -z "${FIND}" ]; then + if [ -n "${FIND}" ]; then COUNT=0 for SERVICE in ${FIND}; do LogText "Found service (at boot, runlevel 2): ${SERVICE}" @@ -667,7 +667,7 @@ LogText "Result: directory ${DIR} found" LogText "Test: checking for available files in directory" FIND=$(${FINDBINARY} ${DIR} -type f -print | ${SORTBINARY}) - if [ ! -z "${FIND}" ]; then + if [ -n "${FIND}" ]; then LogText "Result: found files in directory, checking permissions now" for FILE in ${FIND}; do LogText "Test: checking permissions of file ${FILE}" @@ -757,12 +757,12 @@ ;; DragonFly | FreeBSD | macOS) - if [ ! -z "${SYSCTLBINARY}" ]; then + if [ -n "${SYSCTLBINARY}" ]; then TIME_BOOT=$(${SYSCTLBINARY} kern.boottime | ${AWKBINARY} '{ print $5 }' | ${SEDBINARY} -e 's/,//' | ${GREPBINARY} "[0-9]") TIME_NOW=$(date "+%s") LogText "Boot time: ${TIME_BOOT}" LogText "Current time: ${TIME_NOW}" - if [ ! -z "${TIME_BOOT}" -a ! -z "${TIME_NOW}" ]; then + if [ -n "${TIME_BOOT}" -a -n "${TIME_NOW}" ]; then UPTIME_IN_SECS=$((TIME_NOW - TIME_BOOT)) else ReportException "${TEST_NO}:5" "Most likely kern.boottime empty, unable to determine uptime" @@ -774,12 +774,12 @@ ;; NetBSD | OpenBSD) - if [ ! -z "${SYSCTLBINARY}" ]; then + if [ -n "${SYSCTLBINARY}" ]; then TIME_BOOT=$(${SYSCTLBINARY} -n kern.boottime) TIME_NOW=$(date "+%s") LogText "Boot time: ${TIME_BOOT}" LogText "Current time: ${TIME_NOW}" - if [ ! -z "${TIME_BOOT}" -a ! -z "${TIME_NOW}" ]; then + if [ -n "${TIME_BOOT}" -a -n "${TIME_NOW}" ]; then UPTIME_IN_SECS=$((TIME_NOW - TIME_BOOT)) else ReportException "${TEST_NO}:5" "Most likely kern.boottime empty, unable to determine uptime" @@ -791,7 +791,7 @@ ;; Solaris) - if [ ! -z "${KSTATBINARY}" ]; then + if [ -n "${KSTATBINARY}" ]; then UPTIME_IN_SECS=$(${KSTATBINARY} -p unix:0:system_misc:snaptime | ${GREPBINARY} "^unix" | ${AWKBINARY} '{print $2}' | ${CUTBINARY} -d "." -f1) else Display --indent 2 --text "- Checking uptime" --result "${STATUS_SKIPPED}" --color YELLOW @@ -806,7 +806,7 @@ ReportException "${TEST_NO}:3" "No uptime test available yet for this operating system" ;; esac - if [ ! -z "${UPTIME_IN_SECS}" ]; then + if [ -n "${UPTIME_IN_SECS}" ]; then UPTIME_IN_DAYS=$((UPTIME_IN_SECS / 60 / 60 / 24)) LogText "Uptime (in seconds): ${UPTIME_IN_SECS}" LogText "Uptime (in days): ${UPTIME_IN_DAYS}" @@ -828,7 +828,7 @@ LogText "Result: file /usr/lib/systemd/system/rescue.service" LogText "Test: checking presence sulogin for single user mode" FIND=$(${EGREPBINARY} "^ExecStart=.*sulogin" ${ROOTDIR}usr/lib/systemd/system/rescue.service) - if [ ! -z "${FIND}" ]; then + if [ -n "${FIND}" ]; then FOUND=1 LogText "Result: found sulogin, so single user is protected" AddHP 3 3 @@ -898,7 +898,7 @@ LogText "Test: checking for available files in directory" # OpenBSD uses symlinks to create another instance of daemons FIND=$(${FINDBINARY} ${CHECKDIR} \( -type f -o -type l \) -print | ${SORTBINARY}) - if [ ! -z "${FIND}" ]; then + if [ -n "${FIND}" ]; then LogText "Result: found files in directory, checking permissions now" for FILE in ${FIND}; do LogText "Test: checking permissions of file ${FILE}" diff --git a/include/tests_containers b/include/tests_containers index 97351d92..4d722e52 100644 --- a/include/tests_containers +++ b/include/tests_containers @@ -40,7 +40,7 @@ if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: query zoneadm to list all running zones" FIND=$(${ROOTDIR}usr/sbin/zoneadm list -p | ${AWKBINARY} -F: '{ if ($2!="global") print $0 }') - if [ ! -z "${FIND}" ]; then + if [ -n "${FIND}" ]; then COUNT=0 for ITEM in ${FIND}; do COUNT=$((COUNT + 1)) @@ -131,7 +131,7 @@ # Test : CONT-8106 # Description : Checking Docker containers (basic stats) # Notes : Hardening points are awarded, if there aren't a lot of stopped containers - if [ ! -z "${DOCKERBINARY}" -a ${RUN_DOCKER_TESTS} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + if [ -n "${DOCKERBINARY}" -a ${RUN_DOCKER_TESTS} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no CONT-8106 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Gather basic stats from Docker" if [ ${SKIPTEST} -eq 0 ]; then Display --indent 6 --text "- Containers" @@ -171,7 +171,7 @@ # Test : CONT-8107 # Description : Checking Docker number of unused containers # Notes : Hardening points are awarded, if there aren't a lot of stopped containers - if [ ! -z "${DOCKERBINARY}" -a ${RUN_DOCKER_TESTS} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + if [ -n "${DOCKERBINARY}" -a ${RUN_DOCKER_TESTS} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no CONT-8107 --preqs-met ${PREQS_MET} --weight L --network NO --category performance --description "Check number of Docker containers" if [ ${SKIPTEST} -eq 0 ]; then # Check if there aren't too many unused containers on the system @@ -194,7 +194,7 @@ # Test : CONT-8108 # Description : Checking Docker file permissions # Notes : /var/run/docker.sock - Usually root as owner, docker as group - should not be world writable - if [ ! -z "${DOCKERBINARY}" -a ${RUN_DOCKER_TESTS} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + if [ -n "${DOCKERBINARY}" -a ${RUN_DOCKER_TESTS} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no CONT-8108 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check file permissions for Docker files" if [ ${SKIPTEST} -eq 0 ]; then NOT_WORLD_WRITABLE="${ROOTDIR}var/run/docker.sock" diff --git a/include/tests_crypto b/include/tests_crypto index 6d0d5384..ecb19d2f 100644 --- a/include/tests_crypto +++ b/include/tests_crypto @@ -28,7 +28,7 @@ # # Test : CRYP-7902 # Description : check for expired SSL certificates - if [ ! -z "${OPENSSLBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + if [ -n "${OPENSSLBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no CRYP-7902 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check expire date of SSL certificates" if [ ${SKIPTEST} -eq 0 ]; then COUNT_EXPIRED=0 diff --git a/include/tests_databases b/include/tests_databases index d3bd2777..43d0d025 100644 --- a/include/tests_databases +++ b/include/tests_databases @@ -71,7 +71,7 @@ # Test : DBS-1816 # Description : Check empty MySQL root password # Notes : Only perform test when MySQL is running and client is available - if [ ! -z "${MYSQLCLIENTBINARY}" -a ${MYSQL_RUNNING} -eq 1 ]; then PREQS_MET="YES"; SKIPREASON=""; else PREQS_MET="NO"; SKIPREASON="MySQL not installed, or not running"; fi + if [ -n "${MYSQLCLIENTBINARY}" -a ${MYSQL_RUNNING} -eq 1 ]; then PREQS_MET="YES"; SKIPREASON=""; else PREQS_MET="NO"; SKIPREASON="MySQL not installed, or not running"; fi Register --test-no DBS-1816 --preqs-met ${PREQS_MET} --skip-reason "${SKIPREASON}" --weight L --network NO --category security --description "Checking MySQL root password" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Trying to login to local MySQL server without password" @@ -144,7 +144,7 @@ if [ ${MONGODB_AUTHORIZATION_ENABLED} -eq 0 ]; then if HasData "${PGREPBINARY}"; then AUTH_ON_CMDLINE=$(for I in $(${PGREPBINARY} mongo); do cat /proc/${I}/cmdline | xargs -0 echo | ${GREPBINARY} -E "\-\-auth( |$)"; done) - if [ ! -z "${AUTH_ON_CMDLINE}" ]; then LogText "Result: found authorization enabled via mongod parameter"; MONGODB_AUTHORIZATION_ENABLED=1; fi + if [ -n "${AUTH_ON_CMDLINE}" ]; then LogText "Result: found authorization enabled via mongod parameter"; MONGODB_AUTHORIZATION_ENABLED=1; fi else LogText "Result: skipped this part of the test, as pgrep is not available" fi @@ -268,7 +268,7 @@ for DIR in ${PATHS}; do LogText "Action: scanning directory (${DIR}) for Redis configuration files" FILES=$(${LSBINARY} ${DIR}/*.conf 2> /dev/null) - if [ ! -z "${FILES}" ]; then + if [ -n "${FILES}" ]; then ALLFILES="${ALLFILES} ${FILES}" else LogText "Result: no configuration files found in this directory" @@ -279,12 +279,12 @@ LogText "Action: checking if ${CONFFILE} is a Sentinel configuration file" # Exclude Sentinel configuration file FIND=$(${GREPBINARY} "^sentinel " ${CONFFILE}) - if [ ! -z "${FIND}" ]; then + if [ -n "${FIND}" ]; then LogText "Result: file is a Sentinel configuration file, skipping it" else LogText "Result: file is NOT a Sentinel configuration file. Now scanning if it is a Redis configuration file" FIND=$(${GREPBINARY} "Redis" ${CONFFILE}) - if [ ! -z "${FIND}" ]; then + if [ -n "${FIND}" ]; then REDIS_CONFIGURATION_FILES="${REDIS_CONFIGURATION_FILES} ${CONFFILE}" REDIS_CONFIGURATION_FOUND=1 LogText "Result: found a Redis configuration file (${CONFFILE})" diff --git a/include/tests_dns b/include/tests_dns index a2732b16..b7cf2ba8 100644 --- a/include/tests_dns +++ b/include/tests_dns @@ -38,7 +38,7 @@ # # Description : Validate DNSSEC signiture is checked # Register --test-no DNS-1600 --weight L --network YES --category security --description "Validate DNSSEC igniture is checked" # if [ "${SKIPTEST}" -eq 0 ]; then -# if [ ! -z "${DIGBINARY}" ]; then +# if [ -n "${DIGBINARY}" ]; then # # GOOD=$("${DIGBINARY}" +short +time=1 $SIGOKDNS) # BAD=$("${DIGBINARY}" +short +time=1 $SIGFAILDNS) @@ -47,16 +47,16 @@ # LogText "Result: received timeout, can't determine DNSSEC validation" # Display --indent 4 --text "- Checking DNSSEC validation" --result "${STATUS_UNKOWN}" --color YELLOW # #ReportException "${TEST_NO}" "Exception found, both query failed, due to connection timeout" -# elif [ -z "${GOOD}" -a ! -z "${BAD}" ]; then +# elif [ -z "${GOOD}" -a -n "${BAD}" ]; then # LogText "Result: good signature failed, yet bad signature was accepted" # Display --indent 4 --text "- Checking DNSSEC validation" --result "${STATUS_UNKOWN}" --color YELLOW # #ReportException "${TEST_NO}" "Exception found, OK failed, bad signature was accepted" -# elif [ ! -z "${GOOD}" -a ! -z "${BAD}" ]; then +# elif [ -n "${GOOD}" -a -n "${BAD}" ]; then # Display --indent 4 --text "- Checking DNSSEC validation" --result "${STATUS_SUGGESTION}" --color YELLOW # LogText "Note: Using DNSSEC validation can protect from DNS hijacking" # #ReportSuggestion "${TEST_NO}" "Altered DNS queries are accepted, configure DNSSEC valdating name servers" # AddHP 2 2 -# elif [ ! -z "${GOOD}" -a -z "${BAD}" ]; then +# elif [ -n "${GOOD}" -a -z "${BAD}" ]; then # Display --indent 4 --text "- Checking DNSSEC validation" --result "${STATUS_OK}" --color GREEN # LogText "Result: altered DNS responses were ignored" # AddHP 0 2 diff --git a/include/tests_file_integrity b/include/tests_file_integrity index 097cb138..6a527e75 100644 --- a/include/tests_file_integrity +++ b/include/tests_file_integrity @@ -70,7 +70,7 @@ # # Test : FINT-4315 # Description : Check AIDE configuration file - if [ ! -z "${AIDEBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + if [ -n "${AIDEBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no FINT-4315 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check AIDE configuration file" if [ ${SKIPTEST} -eq 0 ]; then AIDE_CONFIG_LOCS="${ROOTDIR}etc ${ROOTDIR}etc/aide ${ROOTDIR}usr/local/etc" @@ -104,7 +104,7 @@ Register --test-no FINT-4318 --weight L --network NO --category security --description "Osiris availability" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Checking Osiris binary" - if [ ! -z "${OSIRISBINARY}" ]; then + if [ -n "${OSIRISBINARY}" ]; then LogText "Result: Osiris is installed (${OSIRISBINARY})" Report "file_integrity_tool[]=osiris" FILE_INT_TOOL="osiris" @@ -123,7 +123,7 @@ Register --test-no FINT-4322 --weight L --network NO --category security --description "Samhain availability" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Checking Samhain binary" - if [ ! -z "${SAMHAINBINARY}" ]; then + if [ -n "${SAMHAINBINARY}" ]; then LogText "Result: Samhain is installed (${SAMHAINBINARY})" Report "file_integrity_tool[]=samhain" FILE_INT_TOOL="samhain" @@ -142,7 +142,7 @@ Register --test-no FINT-4326 --weight L --network NO --category security --description "Tripwire availability" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Checking Tripwire binary" - if [ ! -z "${TRIPWIREBINARY}" ]; then + if [ -n "${TRIPWIREBINARY}" ]; then LogText "Result: Tripwire is installed (${TRIPWIREBINARY})" Report "file_integrity_tool[]=tripwire" FILE_INT_TOOL="tripwire" @@ -229,7 +229,7 @@ Display --indent 6 --text "- Configuration status" --result "${STATUS_DISABLED}" --color YELLOW fi ENABLED=$(${GREPBINARY} "^LF_DIRWATCH =" ${CSF_CONFIG} | ${AWKBINARY} '{ print $3 }' | ${SEDBINARY} 's/\"//g') - if [ ! "${ENABLED}" = "0" -a ! -z "${ENABLED}" ]; then + if [ ! "${ENABLED}" = "0" -a -n "${ENABLED}" ]; then LogText "Result: lfd directory watching is enabled (value: ${ENABLED})" Display --indent 6 --text "- Temporary directory watches" --result "${STATUS_ENABLED}" --color GREEN else @@ -237,7 +237,7 @@ Display --indent 6 --text "- Temporary directory watches" --result "${STATUS_DISABLED}" --color YELLOW fi ENABLED=$(${GREPBINARY} "^LF_DIRWATCH_FILE =" ${CSF_CONFIG} | ${AWKBINARY} '{ print $3 }' | ${SEDBINARY} 's/\"//g') - if [ ! "${ENABLED}" = "0" -a ! -z "${ENABLED}" ]; then + if [ ! "${ENABLED}" = "0" -a -n "${ENABLED}" ]; then Display --indent 6 --text "- Directory/File watches" --result "${STATUS_ENABLED}" --color GREEN else Display --indent 6 --text "- Directory/File watches" --result "${STATUS_DISABLED}" --color YELLOW @@ -267,7 +267,7 @@ # # Test : FINT-4402 (was FINT-4316) # Description : Check if AIDE is configured to use SHA256 or SHA512 checksums - if [ ! "${AIDEBINARY}" = "" -a ! -z "${AIDECONFIG}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + if [ ! "${AIDEBINARY}" = "" -a -n "${AIDECONFIG}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no FINT-4402 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "AIDE configuration: Checksums (SHA256 or SHA512)" if [ ${SKIPTEST} -eq 0 ]; then FIND=$(${GREPBINARY} -v "^#" ${AIDECONFIG} | ${EGREPBINARY} "= .*(sha256|sha512)") diff --git a/include/tests_filesystems b/include/tests_filesystems index 4e52ea5e..ac0c1d3c 100644 --- a/include/tests_filesystems +++ b/include/tests_filesystems @@ -89,7 +89,7 @@ ReportException "${TEST_NO}:1" "Don't know this specific operating system yet, while volume group manager was found" ;; esac - if [ ! -z "${FIND}" ]; then + if [ -n "${FIND}" ]; then LogText "Result: found one or more volume groups" for I in ${FIND}; do LogText "Found LVM volume group: ${I}" @@ -152,7 +152,7 @@ if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Checking for Linux EXT file systems" FIND=$(${MOUNTBINARY} -t ext2,ext3,ext4 | ${AWKBINARY} '{ print $3","$5 }') - if [ ! -z "${FIND}" ]; then + if [ -n "${FIND}" ]; then LogText "Result: found one or more EXT file systems" for I in ${FIND}; do FILESYSTEM=$(echo ${I} | ${CUTBINARY} -d ',' -f1) @@ -173,7 +173,7 @@ if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Checking for Linux XFS file systems" FIND=$(${MOUNTBINARY} -t xfs | ${AWKBINARY} '{ print $3","$5 }') - if [ ! -z "${FIND}" ]; then + if [ -n "${FIND}" ]; then LogText "Result: found one or more XFS file systems" for I in ${FIND}; do FILESYSTEM=$(echo ${I} | ${CUTBINARY} -d ',' -f1) @@ -272,12 +272,12 @@ # Test for UUID usage (e.g. UUID=uuid --> /dev/disk/by-uuid/) HAS_UUID=$(echo ${I} | ${GREPBINARY} "^UUID=") - if [ ! -z "${HAS_UUID}" ]; then + if [ -n "${HAS_UUID}" ]; then UUID=$(echo ${HAS_UUID} | ${AWKBINARY} -F= '{ print $2 }') LogText "Result: Using ${UUID} as UUID" - if [ ! -z "${BLKIDBINARY}" ]; then + if [ -n "${BLKIDBINARY}" ]; then FIND2=$(${BLKIDBINARY} | ${AWKBINARY} '{ if ($2=="UUID=\"${UUID}\"") print $1 }' | ${SEDBINARY} 's/:$//') - if [ ! -z "${FIND2}" ]; then + if [ -n "${FIND2}" ]; then REAL="${FIND2}" fi else @@ -286,7 +286,7 @@ if [ -L /dev/disk/by-uuid/${UUID} ]; then LogText "Result: found disk via /dev/disk/by-uuid listing" ShowSymlinkPath /dev/disk/by-uuid/${UUID} - if [ ! -z "${sFILE}" ]; then + if [ -n "${sFILE}" ]; then REAL="${sFILE}" LogText "Result: disk is ${REAL}" fi @@ -342,7 +342,7 @@ if [ "${OS}" = "Linux" -a -f ${ROOTDIR}proc/version ]; then LINUX_KERNEL_MAJOR=$(echo $OS_KERNELVERSION | ${AWKBINARY} -F. '{print $1}') LINUX_KERNEL_MINOR=$(echo $OS_KERNELVERSION | ${AWKBINARY} -F. '{print $2}') - if [ ! -z "${LINUX_KERNEL_MAJOR}" -a ! -z "${LINUX_KERNEL_MINOR}" ]; then + if [ -n "${LINUX_KERNEL_MAJOR}" -a -n "${LINUX_KERNEL_MINOR}" ]; then if [ ${LINUX_KERNEL_MAJOR} -ge 3 -a ${LINUX_KERNEL_MINOR} -ge 3 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi else PREQS_MET="NO"; @@ -464,7 +464,7 @@ FOUND=0 LogText "Test: Checking acl option on ext[2-4] root file system" FIND=$(${MOUNTBINARY} | ${AWKBINARY} '{ if ($3=="/" && $5~/ext[2-4]/) { print $6 } }' | ${GREPBINARY} acl) - if [ ! -z "${FIND}" ]; then + if [ -n "${FIND}" ]; then LogText "Result: found ACL option" FOUND=1 else @@ -480,11 +480,11 @@ FIND1=$(${MOUNTBINARY} -t ext2,ext3,ext4 | ${GREPBINARY} "on / " | ${AWKBINARY} '{ print $1 }') fi # Trying to determine default mount options from EXT2/EXT3/EXT4 file systems - if [ ! -z "${FIND1}" ]; then + if [ -n "${FIND1}" ]; then LogText "Result: found ${FIND1}" LogText "Test: Checking default options on ${FIND1}" FIND2=$(${TUNE2FSBINARY} -l ${FIND1} 2> /dev/null | ${GREPBINARY} "^Default mount options" | ${GREPBINARY} "acl") - if [ ! -z "${FIND2}" ]; then + if [ -n "${FIND2}" ]; then LogText "Result: found ACL option in default mount options" FOUND=1 else @@ -528,7 +528,7 @@ NOEXEC=$(echo ${FIND} | ${AWKBINARY} '{ if ($1 ~ "noexec") { print "YES" } else { print "NO" } }') NOSUID=$(echo ${FIND} | ${AWKBINARY} '{ if ($1 ~ "nosuid") { print "YES" } else { print "NO" } }') - if [ ! -z "${FIND}" ]; then + if [ -n "${FIND}" ]; then LogText "Result: mount system / is configured with options: ${FIND}" if [ "${FIND}" = "defaults" ]; then Display --indent 2 --text "- Mount options of /" --result "${STATUS_OK}" --color GREEN @@ -577,7 +577,7 @@ FS_FSTAB="" fi fi - if [ ! -z "${FS_FSTAB}" ]; then + if [ -n "${FS_FSTAB}" ]; then FOUND_FLAGS=$(${AWKBINARY} -v fs=${FILESYSTEM} '{ if ($2==fs) { print $4 } }' ${ROOTDIR}etc/fstab | ${SEDBINARY} 's/,/ /g' | ${TRBINARY} '\n' ' ') LogText "File system: ${FILESYSTEM}" LogText "Expected flags: ${EXPECTED_FLAGS}" @@ -629,7 +629,7 @@ if [ -f ${ROOTDIR}etc/fstab ]; then FIND=$(${AWKBINARY} '{ if ($2=="/var/tmp") { print $4 } }' ${ROOTDIR}etc/fstab) BIND=$(echo ${FIND} | ${AWKBINARY} '{ if ($1 ~ "bind") { print "YES" } else { print "NO" } }') - if [ ! -z "${FIND}" ]; then + if [ -n "${FIND}" ]; then LogText "Result: mount system /var/tmp is configured with options: ${FIND}" if [ "${BIND}" = "YES" ]; then Display --indent 2 --text "- /var/tmp is bound to /tmp" --result "${STATUS_OK}" --color GREEN @@ -760,7 +760,7 @@ # Data : cramfs freevxfs hfs hfsplus jffs2 squashfs udf Register --test-no FILE-6430 --weight L --network NO --category security --description "Disable mounting of some filesystems" if [ ${SKIPTEST} -eq 0 ]; then - if [ ! -z "${LSMODBINARY}" -a -f /proc/modules ]; then + if [ -n "${LSMODBINARY}" -a -f /proc/modules ]; then Display --indent 2 --text "- Disable kernel support of some filesystems" LIST_FS_NOT_SUPPORTED="cramfs freevxfs hfs hfsplus jffs2 squashfs udf" FOUND=0 @@ -769,7 +769,7 @@ for FS in ${LIST_FS_NOT_SUPPORTED}; do # Check if filesystem is present in modprobe output FIND=$(${MODPROBEBINARY} -v -n $FS 2>/dev/null | ${EGREPBINARY} "/${FS}.ko" | tail -1) - if [ ! -z "${FIND}" ]; then + if [ -n "${FIND}" ]; then LogText "Result: found module support in kernel: ${FIND}" Debug "Module ${FS} present in the kernel" LogText "Test: Checking if ${FS} is active" diff --git a/include/tests_firewalls b/include/tests_firewalls index 735059fe..99a9bc2a 100644 --- a/include/tests_firewalls +++ b/include/tests_firewalls @@ -41,7 +41,7 @@ Register --test-no FIRE-4502 --os Linux --weight L --network NO --category security --description "Check iptables kernel module" if [ ${SKIPTEST} -eq 0 ]; then FIND=$(${LSMODBINARY} | ${AWKBINARY} '{ print $1 }' | ${GREPBINARY} "^ip*_tables") - if [ ! -z "${FIND}" ]; then + if [ -n "${FIND}" ]; then FIREWALL_ACTIVE=1 IPTABLES_ACTIVE=1 IPTABLES_MODULE_ACTIVE=1 @@ -73,11 +73,11 @@ # If we have a kernel configuration file, use it for testing # Do not perform test if we already found it in kernel module list, to avoid triggered it in the upcoming # tests, when using iptables --list - if [ ! -z "${LINUXCONFIGFILE}" ]; then + if [ -n "${LINUXCONFIGFILE}" ]; then if [ -f ${LINUXCONFIGFILE} -a ${IPTABLES_MODULE_ACTIVE} -eq 0 ]; then LogText "Result: found kernel configuration file (${LINUXCONFIGFILE})" FIND=$(${tCATCMD} ${LINUXCONFIGFILE} | ${GREPBINARY} -v '^#' | ${GREPBINARY} "CONFIG_IP_NF_IPTABLES" | head -n 1) - if [ ! -z "${FIND}" ]; then + if [ -n "${FIND}" ]; then HAVEMOD=$(echo ${FIND} | ${CUTBINARY} -d '=' -f2) # Do not use iptables if it's compiled as a module (=m), since we already tested for it in the # active list. @@ -151,11 +151,11 @@ # # Test : FIRE-4512 # Description : Check iptables for empty ruleset (should have at least 5 or more rules) - if [ ! -z "${IPTABLESBINARY}" -a ${IPTABLES_ACTIVE} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + if [ -n "${IPTABLESBINARY}" -a ${IPTABLES_ACTIVE} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no FIRE-4512 --preqs-met ${PREQS_MET} --os Linux --weight L --network NO --root-only YES --category security --description "Check iptables for empty ruleset" if [ ${SKIPTEST} -eq 0 ]; then FIND=$(${IPTABLESBINARY} --list --numeric 2> /dev/null | ${EGREPBINARY} -v "^(Chain|target|$)" | ${WCBINARY} -l | ${TRBINARY} -d ' ') - if [ ! -z "${FIND}" ]; then + if [ -n "${FIND}" ]; then FIREWALL_ACTIVE=1 if [ ${FIND} -le 5 ]; then # Firewall is active, but needs configuration @@ -174,7 +174,7 @@ # # Test : FIRE-4513 # Description : Check iptables for unused rules - if [ ! -z "${IPTABLESBINARY}" -a ${IPTABLES_ACTIVE} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + if [ -n "${IPTABLESBINARY}" -a ${IPTABLES_ACTIVE} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no FIRE-4513 --preqs-met ${PREQS_MET} --os Linux --weight L --network NO --root-only YES --category security --description "Check iptables for unused rules" if [ ${SKIPTEST} -eq 0 ]; then FIND=$(${IPTABLESBINARY} --list --numeric --line-numbers --verbose | ${AWKBINARY} '{ if ($2=="0") print $1 }' | ${XARGSBINARY}) @@ -212,7 +212,7 @@ # Check status with pfctl LogText "Test: checking pf status via pfctl" - if [ ! -z "${PFCTLBINARY}" ]; then + if [ -n "${PFCTLBINARY}" ]; then FIND=$(${PFCTLBINARY} -sa 2>&1 | ${GREPBINARY} "^Status" | ${HEADBINARY} -1 | ${AWKBINARY} '{ print $2 }') if [ "${FIND}" = "Disabled" ]; then if IsVerbose; then Display --indent 2 --text "- Checking pf status (pfctl)" --result "${STATUS_DISABLED}" --color RED; fi @@ -233,7 +233,7 @@ if [ ${PFFOUND} -eq 0 ]; then # Check for pf kernel module (FreeBSD and similar) LogText "Test: searching for pf kernel module" - if [ ! -z "${KLDSTATBINARY}" ]; then + if [ -n "${KLDSTATBINARY}" ]; then FIND=$(${KLDSTATBINARY} | ${GREPBINARY} 'pf.ko') if [ -z "${FIND}" ]; then LogText "Result: Can not find pf KLD" @@ -353,7 +353,7 @@ # Description : Check IPFW (FreeBSD) Register --test-no FIRE-4530 --os FreeBSD --weight L --network NO --category security --description "Check IPFW status" if [ ${SKIPTEST} -eq 0 ]; then - if [ ! -z "${SYSCTLBINARY}" ]; then + if [ -n "${SYSCTLBINARY}" ]; then # For now, only check for IPv4. FIND=$(${SYSCTLBINARY} net.inet.ip.fw.enable 2> /dev/null | ${AWKBINARY} '{ print $2 }') if [ "${FIND}" = "1" ]; then @@ -386,7 +386,7 @@ Register --test-no FIRE-4532 --weight L --os "macOS" --preqs-met ${PREQS_MET} --network NO --category security --description "Check macOS application firewall" if [ ${SKIPTEST} -eq 0 ]; then FIND=$(/usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate 2> /dev/null | ${GREPBINARY} "Firewall is enabled") - if [ ! -z "${FIND}" ]; then + if [ -n "${FIND}" ]; then Display --indent 2 --text "- Checking macOS: Application Firewall" --result "${STATUS_ENABLED}" --color GREEN AddHP 3 3 LogText "Result: application firewall of macOS is enabled" @@ -478,7 +478,7 @@ Register --test-no FIRE-4536 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check nftables status" if [ ${SKIPTEST} -eq 0 ]; then FIND=$(${LSMODBINARY} | ${AWKBINARY} '{ print $1 }' | ${GREPBINARY} "^nf*_tables") - if [ ! -z "${FIND}" ]; then + if [ -n "${FIND}" ]; then LogText "Result: found nftables kernel module" FIREWALL_ACTIVE=1 NFTABLES_ACTIVE=1 @@ -526,7 +526,7 @@ Register --test-no FIRE-4586 --preqs-met ${PREQS_MET} --weight L --network NO --root-only YES --category security --description "Check firewall logging" if [ ${SKIPTEST} -eq 0 ]; then if [ ${IPTABLES_ACTIVE} -eq 1 ]; then - if [ ! -z "${IPTABLESSAVEBINARY}" ]; then + if [ -n "${IPTABLESSAVEBINARY}" ]; then HAS_LOGGING=$(${IPTABLESSAVEBINARY} | ${GREPBINARY} "\-j LOG") if [ -z "${HAS_LOGGING}" ]; then Report "firewall_no_logging[]=iptables" @@ -563,7 +563,7 @@ # Test : FIRE-4594 # Description : Check for APF (Advanced Policy Firewall) Register --test-no FIRE-4594 --weight L --network NO --category security --description "Check for APF presence" - if [ ! -z "${IPTABLESBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + if [ -n "${IPTABLESBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if [ ${SKIPTEST} -eq 0 ]; then FILE="/etc/apf/conf.apf" LogText "Test: check ${FILE}" diff --git a/include/tests_hardening b/include/tests_hardening index 0719cf8e..006df683 100644 --- a/include/tests_hardening +++ b/include/tests_hardening @@ -59,7 +59,7 @@ FILE="${ITEM}" LogText "Test: Check file permissions for ${ITEM}" ShowSymlinkPath ${ITEM} - if [ ! -z "${SYMLINK}" ]; then + if [ -n "${SYMLINK}" ]; then FILE="${SYMLINK}" fi diff --git a/include/tests_homedirs b/include/tests_homedirs index 9570816b..e51cf3d9 100644 --- a/include/tests_homedirs +++ b/include/tests_homedirs @@ -114,7 +114,7 @@ # Description : Check for suspicious shell history files Register --test-no HOME-9310 --weight L --network NO --category security --description "Checking for suspicious shell history files" if [ ${SKIPTEST} -eq 0 ]; then - if [ ! -z "${HOMEDIRS}" ]; then + if [ -n "${HOMEDIRS}" ]; then if [ "${OS}" = "Solaris" ]; then # Solaris doesn't support -maxdepth FIND=$(${FINDBINARY} ${HOMEDIRS} -name ".*history" ! -type f -print) @@ -152,7 +152,7 @@ # Notes : For performance reasons we combine the scanning of different files, so inode caching is used # as much as possible for every find command # Profile opt : ignore-home-dir (multiple lines allowed), ignores home directory - if [ ! -z "${REPORTFILE}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + if [ -n "${REPORTFILE}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no HOME-9350 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Collecting information from home directories" if [ ${SKIPTEST} -eq 0 ]; then IGNORE_HOME_DIRS=$(${GREPBINARY} "^ignore-home-dir=" ${REPORTFILE} | ${AWKBINARY} -F= '{ print $2 }') diff --git a/include/tests_insecure_services b/include/tests_insecure_services index df616e56..3ba08570 100644 --- a/include/tests_insecure_services +++ b/include/tests_insecure_services @@ -222,7 +222,7 @@ if [ -f "${FILE}" ]; then LogText "Test: checking status in xinetd configuration file (${FILE})" FIND=$(${GREPBINARY} "disable\s*=\s*no" ${FILE}) - if [ ! -z "${FIND}" ]; then + if [ -n "${FIND}" ]; then LogText "Result: found insecure service enabled: ${SERVICE}" XINETD_INSECURE_SERVICE_FOUND=1 ReportSuggestion "${TEST_NO}" "Disable or remove any insecure services in the xinetd configuration" "${SERVICE}" "text:See log file for more details" @@ -492,7 +492,7 @@ # ################################################################################# # - if [ ! -z "${LAUNCHCTL_BINARY}" ]; then PREQS_MET="YES"; SKIPREASON=""; else PREQS_MET="NO"; SKIPREASON="No launchctl binary on this system"; fi + if [ -n "${LAUNCHCTL_BINARY}" ]; then PREQS_MET="YES"; SKIPREASON=""; else PREQS_MET="NO"; SKIPREASON="No launchctl binary on this system"; fi Register --test-no INSE-8050 --os "macOS" --preqs-met ${PREQS_MET} --skip-reason "${SKIPREASON}" --weight M --network NO --category security --description "Check for insecure services on macOS" if [ ${SKIPTEST} -eq 0 ]; then TEST_SERVICES="com.apple.fingerd" diff --git a/include/tests_kernel b/include/tests_kernel index 7a542c3d..2ffd8df9 100644 --- a/include/tests_kernel +++ b/include/tests_kernel @@ -183,7 +183,7 @@ # Description : Check if Linux is build as a monolithic kernel or not Register --test-no KRNL-5723 --os Linux --weight L --network NO --category security --description "Determining if Linux kernel is monolithic" if [ ${SKIPTEST} -eq 0 ]; then - if [ ! -z "${LSMODBINARY}" -a -f /proc/modules ]; then + if [ -n "${LSMODBINARY}" -a -f /proc/modules ]; then LogText "Test: checking if kernel is monolithic or modular" # Checking if any modules are loaded FIND=$(${LSMODBINARY} | ${GREPBINARY} -v "^Module" | wc -l | ${TRBINARY} -s ' ' | ${TRBINARY} -d ' ') @@ -208,7 +208,7 @@ # Description : Checking Linux loaded kernel modules Register --test-no KRNL-5726 --os Linux --weight L --network NO --category security --description "Checking Linux loaded kernel modules" if [ ${SKIPTEST} -eq 0 ]; then - if [ ! -z "${LSMODBINARY}" -a -f /proc/modules ]; then + if [ -n "${LSMODBINARY}" -a -f /proc/modules ]; then FIND=$(${LSMODBINARY} | ${AWKBINARY} '{ if ($1!="Module") print $1 }' | sort) Display --indent 2 --text "- Checking loaded kernel modules" --result "${STATUS_DONE}" --color GREEN if HasData "${FIND}"; then @@ -519,7 +519,7 @@ if [ -d ${ROOTDIR}boot ]; then LogText "Result: /boot exists, performing more tests from here" FIND=$(${LSBINARY} ${ROOTDIR}boot/* 2> /dev/null) - if [ ! -z "${FIND}" ]; then + if [ -n "${FIND}" ]; then if [ -f ${ROOTDIR}boot/vmlinuz -a ! -L ${ROOTDIR}boot/vmlinuz ]; then LogText "Result: found /boot/vmlinuz (not symlinked)" NEXTLINE=0 @@ -532,7 +532,7 @@ if [ "${I}" = "version" ]; then NEXTLINE=1; fi fi done - if [ ! -z "${FINDVERSION}" ]; then + if [ -n "${FINDVERSION}" ]; then CURRENT_KERNEL=$(uname -r) if [ ! "${CURRENT_KERNEL}" = "${FINDVERSION}" ]; then LogText "Result: reboot needed, as current kernel is different than the one loaded" @@ -545,7 +545,7 @@ LogText "Result: /found /boot/vmlinuz-linux (usually Arch Linux or similar)" LogText "Test: checking kernel version on disk" VERSION_ON_DISK=$(${FILEBINARY} -b ${ROOTDIR}boot/vmlinuz-linux | ${AWKBINARY} '{ if ($1=="Linux" && $7=="version") { print $8 }}') - if [ ! -z "${VERSION_ON_DISK}" ]; then + if [ -n "${VERSION_ON_DISK}" ]; then LogText "Result: found version ${VERSION_ON_DISK}" ACTIVE_KERNEL=$(uname -r) LogText "Result: active kernel version ${ACTIVE_KERNEL}" @@ -570,7 +570,7 @@ MYKERNEL=$(${UNAMEBINARY} -r | ${SEDBINARY} 's/\.[a-z].*.//g' | ${SEDBINARY} 's/-[a-z].*.//g' | ${SEDBINARY} 's/-/./g') LogText "Result: using ${MYKERNEL} as my kernel version (stripped)" FIND=$(ls ${ROOTDIR}boot/vmlinuz* 2> /dev/null) - if [ ! -z "${FIND}" ]; then + if [ -n "${FIND}" ]; then for ITEM in ${FIND}; do LogText "Result: found ${ITEM}" done @@ -586,11 +586,11 @@ # Examples: # /boot/kernel-genkernel-x86_64-3.14.14-gentoo KERNELS=$(${LSBINARY} ${ROOTDIR}boot/kernel* | ${AWKBINARY} -F- '{ if ($2=="genkernel") { print $4 }}' | ${GREPBINARY} "^[0-9]" | ${SORTBINARY} -n -k1,1 -k2,2 -k3,3 -k4,4 -k5,5 -k6,6 -t \.) - if [ ! -z "${KERNELS}" ]; then LogText "Output: ${KERNELS}"; fi + if [ -n "${KERNELS}" ]; then LogText "Output: ${KERNELS}"; fi else ReportException "${TEST_NO}:2" "Can not find any vmlinuz or kernel files in /boot, which is unexpected" fi - if [ ! -z "${KERNELS}" ]; then + if [ -n "${KERNELS}" ]; then FOUND_KERNEL=0 for I in ${KERNELS}; do # Check if we already found a kernel and it is not equal to what we run (e.g. double versions may exist) diff --git a/include/tests_kernel_hardening b/include/tests_kernel_hardening index 71ed901e..eba7504d 100644 --- a/include/tests_kernel_hardening +++ b/include/tests_kernel_hardening @@ -47,7 +47,7 @@ done # Scan custom profile - if [ ! -z "${CUSTOM_PROFILE}" ]; then + if [ -n "${CUSTOM_PROFILE}" ]; then FIND=$(${GREPBINARY} "^config-data=sysctl;" ${CUSTOM_PROFILE} | ${SEDBINARY} 's/ /-space-/g') for LINE in ${FIND}; do SYSCTLKEY=$(echo ${LINE} | ${AWKBINARY} -F\; '{ print $2 }') @@ -57,7 +57,7 @@ fi # Last, use data from default profile - if [ ! -z "${DEFAULT_PROFILE}" ]; then + if [ -n "${DEFAULT_PROFILE}" ]; then FIND=$(${GREPBINARY} "^config-data=sysctl;" ${DEFAULT_PROFILE} | ${SEDBINARY} 's/ /-space-/g') for LINE in ${FIND}; do SYSCTLKEY=$(echo ${LINE} | ${AWKBINARY} -F\; '{ print $2 }') @@ -76,7 +76,7 @@ tFINDhp=$(echo ${line} | ${AWKBINARY} -F\; '{ print $4 }' | ${GREPBINARY} "[0-9]") tFINDdesc=$(echo ${line} | ${AWKBINARY} -F\; '{ print $5 }' | ${SEDBINARY} 's/-space-/ /g') tFINDcurvalue=$(${SYSCTL_READKEY} ${tFINDkey} 2> /dev/null) - if [ ! -z "${tFINDcurvalue}" ]; then + if [ -n "${tFINDcurvalue}" ]; then positive_match=0 for value in ${tFINDexpvalue}; do if [ "${value}" = "${tFINDcurvalue}" ]; then diff --git a/include/tests_ldap b/include/tests_ldap index ae4a9599..0c6ae10e 100644 --- a/include/tests_ldap +++ b/include/tests_ldap @@ -66,7 +66,7 @@ fi done # Check if we found a valid location - if [ ! -z "${SLAPD_CONF_LOCATION}" ]; then + if [ -n "${SLAPD_CONF_LOCATION}" ]; then Display --indent 4 --text "- Checking slapd.conf" --result "${STATUS_FOUND}" --color GREEN else Display --indent 4 --text "- Checking slapd.conf" --result "${STATUS_NOT_FOUND}" --color YELLOW diff --git a/include/tests_logging b/include/tests_logging index c7995b47..f8492c90 100644 --- a/include/tests_logging +++ b/include/tests_logging @@ -262,7 +262,7 @@ # # Test : LOGG-2148 # Description : Checking log files rotated with logrotate - if [ ! -z "${LOGROTATEBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + if [ -n "${LOGROTATEBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no LOGG-2148 --weight L --preqs-met ${PREQS_MET} --network NO --category security --description "Checking logrotated files" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Checking which files are rotated with logrotate and if they exist" @@ -311,7 +311,7 @@ # Try local hosts file LogText "Result: Checking for loghost in /etc/inet/hosts" FIND=$(${GREPBINARY} loghost /etc/inet/hosts | ${GREPBINARY} -v "^#") - if [ ! -z "${FIND}" ]; then + if [ -n "${FIND}" ]; then SOLARIS_LOGHOST_FOUND=1 LogText "Result: Found loghost entry in /etc/inet/hosts" else @@ -320,7 +320,7 @@ # Try name resolving if no entry is present in local host file LogText "Result: Checking for loghost via name resolving" FIND=$(getent hosts loghost | ${GREPBINARY} loghost) - if [ ! -z "${FIND}" ]; then + if [ -n "${FIND}" ]; then SOLARIS_LOGHOST_FOUND=1 LogText "Result: name resolving was successful" LogText "Output: ${FIND}" @@ -356,7 +356,7 @@ if [ -f ${SYSLOGD_CONF} ]; then LogText "Test: check if logs are also logged to a remote logging host" FIND=$(${EGREPBINARY} "@[a-zA-Z0-9]|destination\s.+(udp|tcp).+\sport" ${SYSLOGD_CONF} | ${GREPBINARY} -v "^#" | ${GREPBINARY} -v "[a-zA-Z0-9]@") - if [ ! -z "${FIND}" ]; then + if [ -n "${FIND}" ]; then LogText "Result: remote logging enabled" REMOTE_LOGGING_ENABLED=1 else @@ -364,7 +364,7 @@ DESTINATIONS=$(${GREPBINARY} "^destination" ${SYSLOGD_CONF} | ${EGREPBINARY} "(udp|tcp)" | ${GREPBINARY} "port" | ${AWKBINARY} '{print $2}') for DESTINATION in ${DESTINATIONS}; do FIND2=$(${GREPBINARY} "log" ${SYSLOGD_CONF} | ${GREPBINARY} "source" | ${EGREPBINARY} "destination\(${DESTINATION}\)") - if [ ! -z "${FIND2}" = "" ]; then + if [ -n "${FIND2}" = "" ]; then LogText "Result: found destination ${DESTINATION} configured for remote logging" REMOTE_LOGGING_ENABLED=1 fi @@ -461,7 +461,7 @@ Register --test-no LOGG-2180 --weight L --network NO --category security --description "Checking open log files" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: checking open log files with lsof" - if [ ! -z "${LSOFBINARY}" ]; then + if [ -n "${LSOFBINARY}" ]; then FIND=$(${LSOFBINARY} -n 2>&1 | ${GREPBINARY} "log$" | ${EGREPBINARY} -v "WARNING|Output information" | ${AWKBINARY} '{ if ($5=="REG") { print $9 } }' | ${SORTBINARY} -u | ${GREPBINARY} -v "^$") for I in ${FIND}; do LogText "Found logfile: ${I}" @@ -477,7 +477,7 @@ # # Test : LOGG-2190 # Description : Checking deleted files - if [ ! -z "${LSOFBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + if [ -n "${LSOFBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no LOGG-2190 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking for deleted files in use" if [ ${SKIPTEST} -eq 0 ]; then EARLY_MYSQL="" @@ -486,12 +486,12 @@ LSOF_GREP="WARNING|Output information" # MySQL versions prior to 5.6 leave lots of deleted in-use files in /tmp, ignoring those - if [ ! -z "${DPKGBINARY}" ]; then + if [ -n "${DPKGBINARY}" ]; then EARLY_MYSQL=$(${DPKGBINARY} -l | ${EGREPBINARY} mysql-server-5.[0-5]) - elif [ ! -z "${RPMBINARY}" ]; then + elif [ -n "${RPMBINARY}" ]; then EARLY_MYSQL=$(${RPMBINARY} -qa mariadb | ${EGREPBINARY} mariadb-5.[0-5]) fi - if [ ! -z "${EARLY_MYSQL}" ]; then LSOF_GREP="${LSOF_GREP}|mysqld"; fi + if [ -n "${EARLY_MYSQL}" ]; then LSOF_GREP="${LSOF_GREP}|mysqld"; fi # grsecurity causes Fail2Ban to hold onto deleted in-use files in /var/tmp if [ ${GRSEC_FOUND} -eq 1 ]; then LSOF_GREP="${LSOF_GREP}|fail2ban"; fi @@ -501,7 +501,7 @@ fi FIND=$(${LSOFBINARY} -n +L 1 2>&1 | ${EGREPBINARY} -vw "${LSOF_GREP}" | ${EGREPBINARY} -v '/dev/zero|/\[aio\]' | ${AWKBINARY} '{ if ($5=="REG") { printf "%s(%s)\n", $10, $1 } }' | ${GREPBINARY} -v "^$" | ${SORTBINARY} -u) - if [ ! -z "${FIND}" ]; then + if [ -n "${FIND}" ]; then LogText "Result: found one or more files which are deleted, but still in use" for I in ${FIND}; do LogText "Found deleted file: ${I}" @@ -523,7 +523,7 @@ Register --test-no LOGG-2192 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking for open log files that are empty" if [ ${SKIPTEST} -eq 0 ]; then FIND=$(${LSOFBINARY} -n -w | ${AWKBINARY} '{if ($5=="REG" && $7=="0" && $9 ~ /log$/) {print $1","$9}}' | ${SORTBINARY} | uniq) - if [ ! -z "${FIND}" ]; then + if [ -n "${FIND}" ]; then for I in ${FIND}; do LogText "Found an opened logfile that is empty: ${I}" Report "open_empty_log_file[]=${I}" diff --git a/include/tests_mac_frameworks b/include/tests_mac_frameworks index 516a501e..14b34e4a 100644 --- a/include/tests_mac_frameworks +++ b/include/tests_mac_frameworks @@ -50,7 +50,7 @@ if [ ${APPARMORFOUND} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no MACF-6208 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check if AppArmor is enabled" if [ ${SKIPTEST} -eq 0 ]; then - if [ ! -z "${AASTATUSBINARY}" ]; then + if [ -n "${AASTATUSBINARY}" ]; then CAN_READ_FILE=0 FILE="/sys/kernel/security/apparmor/profiles" if [ -f ${FILE} ]; then @@ -114,7 +114,7 @@ Register --test-no MACF-6232 --weight L --network NO --category security --description "Check SELINUX presence" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: checking if we have sestatus binary" - if [ ! -z "${SESTATUSBINARY}" ]; then + if [ -n "${SESTATUSBINARY}" ]; then LogText "Result: found sestatus binary (${SESTATUSBINARY})" Display --indent 2 --text "- Checking presence SELinux" --result "${STATUS_FOUND}" --color GREEN else @@ -206,7 +206,7 @@ Register --test-no RBAC-6272 --weight L --network NO --category security --description "Check grsecurity presence" if [ ${SKIPTEST} -eq 0 ]; then # Check Linux kernel configuration - if [ ! -z "${LINUXCONFIGFILE}" -a -f "${LINUXCONFIGFILE}" ]; then + if [ -n "${LINUXCONFIGFILE}" -a -f "${LINUXCONFIGFILE}" ]; then FIND=$(${GREPBINARY} ^CONFIG_GRKERNSEC=y ${LINUXCONFIGFILE}) if [ ! "${FIND}" = "" ]; then LogText "Result: grsecurity available (in kernel config)" diff --git a/include/tests_mail_messaging b/include/tests_mail_messaging index b74a7c5e..f5770bc2 100644 --- a/include/tests_mail_messaging +++ b/include/tests_mail_messaging @@ -77,20 +77,20 @@ # Smarthost or Satellite FIND3=$(echo "${EXIM_ROUTERS}" | ${EGREPBINARY} '^smarthost') - if [ ! -z "${FIND}" ]; then + if [ -n "${FIND}" ]; then EXIM_TYPE="LOCAL ONLY" - elif [ ! -z "${FIND2}" ]; then + elif [ -n "${FIND2}" ]; then EXIM_TYPE="INTERNET HOST" - elif [ ! -z "${FIND3}" ]; then + elif [ -n "${FIND3}" ]; then FIND4=$(echo "${EXIM_ROUTERS}" | ${EGREPBINARY} '^hub_user_smarthost') - if [ ! -z "${FIND4}" ]; then + if [ -n "${FIND4}" ]; then EXIM_TYPE="SATELLITE" else EXIM_TYPE="SMARTHOST" fi fi - if [ ! -z "${EXIM_TYPE}" ]; then + if [ -n "${EXIM_TYPE}" ]; then LogText "Result: Exim Type - ${EXIM_TYPE}" Display --indent 4 --text "- Type" --result "${EXIM_TYPE}" --color GREEN else @@ -101,7 +101,7 @@ if [ "${EXIM_TYPE}" = "INTERNET HOST" -o "${EXIM_TYPE}" = "SMARTHOST" ]; then LogText "Test: Exim Public Interfaces" EXIM_IP=$(exim -bP local_interfaces | cut -d '=' -f2 | sed -e 's/\s*<\s*\;\?//' -e 's/\s*::0\s*\;\?//' -e 's/\s*127.0.0.1\s*\;\?//' -e 's/^\s*//' -e 's/\s*$//') - if [ ! -z "${EXIM_IP}" ]; then + if [ -n "${EXIM_IP}" ]; then LogText "Result: ${EXIM_IP}" Display --indent 4 --text "- Public Interface(s)" --result "${EXIM_IP}" --color GREEN else @@ -111,7 +111,7 @@ LogText "Test: Exim TLS State" EXIM_TLS=$(exim -bP tls_advertise_hosts | cut -d '=' -f2 | sed -e 's/^\s*//' -e 's/\s*$//') - if [ ! -z "${EXIM_TLS}" ]; then + if [ -n "${EXIM_TLS}" ]; then LogText "Result: Enabled" Display --indent 4 --text "- TLS" --result "ENABLED" --color GREEN else @@ -120,7 +120,7 @@ fi fi - if [ ! -z "${EXIM_TYPE}" -a "${EXIM_TYPE}" != "LOCAL ONLY" ]; then + if [ -n "${EXIM_TYPE}" -a "${EXIM_TYPE}" != "LOCAL ONLY" ]; then LogText "Test: Exim Certificate and Private Key" case "${EXIM_TYPE}" in @@ -134,7 +134,7 @@ ;; esac - if [ ! -z "${EXIM_CERTIFICATE}" ]; then + if [ -n "${EXIM_CERTIFICATE}" ]; then LogText "Result: ${EXIM_CERTIFICATE}" if [ -f "${EXIM_CERTIFICATE}" ]; then Display --indent 4 --text "- Certificate" --result "${STATUS_FOUND}" --color GREEN @@ -148,7 +148,7 @@ Display --indent 4 --text "- Certificate not set" --result "${STATUS_WARNING}" --color WHITE fi - if [ ! -z "${EXIM_PRIVATEKEY}" ]; then + if [ -n "${EXIM_PRIVATEKEY}" ]; then LogText "Result: ${EXIM_PRIVATEKEY}" if [ -f "${EXIM_PRIVATEKEY}" ]; then LogText "Result: Private Key found." @@ -175,7 +175,7 @@ LogText "Test: check Postfix status" # Some other processes also use master, therefore it should include both master and postfix FIND1=$(${PSBINARY} ax | ${GREPBINARY} "master" | ${GREPBINARY} "postfix" | ${GREPBINARY} -v "grep") - if [ ! -z "${FIND1}" ]; then + if [ -n "${FIND1}" ]; then LogText "Result: found running Postfix process" Display --indent 2 --text "- Postfix status" --result "${STATUS_RUNNING}" --color GREEN POSTFIX_RUNNING=1 @@ -210,7 +210,7 @@ if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: using postconf to see if Postfix configuration has errors" FIND=$(${POSTCONFBINARY} 2>&1 | ${GREPBINARY} "warning:") - if [ ! -z "${FIND}" ]; then + if [ -n "${FIND}" ]; then Report "postfix_config_error=1" Display --indent 6 --text "- Postfix configuration errors" --result "${STATUS_WARNING}" --color RED LogText "Result: found an error or warning in the Postfix configuration. Manual check suggested." @@ -233,21 +233,21 @@ FIND2=$(${POSTCONFBINARY} 2> /dev/null | ${GREPBINARY} '^smtpd_banner' | ${GREPBINARY} '$mail_name') FIND3=$(${POSTCONFBINARY} 2> /dev/null | ${GREPBINARY} '^mail_name' | ${GREPBINARY} -i 'postfix') FIND4=$(${POSTCONFBINARY} 2> /dev/null | ${GREPBINARY} '^smtpd_banner' | ${GREPBINARY} -i "${OS}") - if [ ! -z "${LINUX_VERSION}" ]; then + if [ -n "${LINUX_VERSION}" ]; then FIND5=$(${POSTCONFBINARY} 2> /dev/null | ${GREPBINARY} '^smtpd_banner' | ${GREPBINARY} -i "${LINUX_VERSION}") fi SHOWWARNING=0 - if [ ! -z "${FIND1}" ]; then + if [ -n "${FIND1}" ]; then SHOWWARNING=1 Report "banner_software_disclosure[]=${FIND1}" - elif [ ! -z "${FIND2}" -a ! -z "${FIND3}" ]; then + elif [ -n "${FIND2}" -a -n "${FIND3}" ]; then SHOWWARNING=1 Report "banner_software_disclosure[]=${FIND2}" - elif [ ! -z "${FIND4}" ]; then + elif [ -n "${FIND4}" ]; then SHOWWARNING=1 Report "banner_os_disclosure[]=${FIND4}" - elif [ ! -z "${FIND5}" ]; then + elif [ -n "${FIND5}" ]; then SHOWWARNING=1 Report "banner_os_disclosure[]=${FIND5}" fi @@ -342,7 +342,7 @@ # # Test : MAIL-8920 # Description : Check OpenSMTPD process status - if [ ! -z "${SMTPCTLBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + if [ -n "${SMTPCTLBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no MAIL-8920 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check OpenSMTPD status" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: check smtpd status" diff --git a/include/tests_malware b/include/tests_malware index 340224ce..19172ca6 100644 --- a/include/tests_malware +++ b/include/tests_malware @@ -45,7 +45,7 @@ Register --test-no MALW-3275 --weight L --network NO --category security --description "Check for chkrootkit" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: checking presence chkrootkit" - if [ ! -z "${CHKROOTKITBINARY}" ]; then + if [ -n "${CHKROOTKITBINARY}" ]; then Display --indent 2 --text "- ${GEN_CHECKING} chkrootkit" --result "${STATUS_FOUND}" --color GREEN LogText "Result: Found ${CHKROOTKITBINARY}" MALWARE_SCANNER_INSTALLED=1 @@ -63,7 +63,7 @@ Register --test-no MALW-3276 --weight L --network NO --category security --description "Check for Rootkit Hunter" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: checking presence Rootkit Hunter" - if [ ! -z "${RKHUNTERBINARY}" ]; then + if [ -n "${RKHUNTERBINARY}" ]; then Display --indent 2 --text "- ${GEN_CHECKING} Rootkit Hunter" --result "${STATUS_FOUND}" --color GREEN LogText "Result: Found ${RKHUNTERBINARY}" MALWARE_SCANNER_INSTALLED=1 @@ -307,7 +307,7 @@ Register --test-no MALW-3288 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for ClamXav" if [ ${SKIPTEST} -eq 0 ]; then CLAMSCANBINARY=$(${LSBINARY} /Applications/ClamXav.app/Contents/Resources/ScanningEngine/bin/ 2> /dev/null | ${GREPBINARY} 'clamscan') - if [ ! -z "${CLAMSCANBINARY}" ]; then + if [ -n "${CLAMSCANBINARY}" ]; then LogText "Result: Found ClamXav clamscan installed" Display --indent 2 --text "- ${GEN_CHECKING} ClamXav AV scanner" --result "${STATUS_FOUND}" --color GREEN MALWARE_SCANNER_INSTALLED=1 diff --git a/include/tests_nameservices b/include/tests_nameservices index 2ae503e3..4b4b1ac8 100644 --- a/include/tests_nameservices +++ b/include/tests_nameservices @@ -188,7 +188,7 @@ # If files and commands can't be found, use defined value from resolv.conf if [ -z "${DOMAINNAME}" ]; then - if [ ! -z "${RESOLV_DOMAINNAME}" ]; then + if [ -n "${RESOLV_DOMAINNAME}" ]; then LogText "Result: using domain name from ${ROOTDIR}etc/resolv.conf" DOMAINNAME=${RESOLV_DOMAINNAME} else @@ -197,7 +197,7 @@ fi fi - if [ ! -z "${DOMAINNAME}" ]; then + if [ -n "${DOMAINNAME}" ]; then LogText "Result: found domain name" Report "domainname=${DOMAINNAME}" Display --indent 2 --text "- Searching DNS domain name" --result "${STATUS_FOUND}" --color GREEN @@ -303,7 +303,7 @@ LogText "Result: found configuration file (${BIND_CONFIG_LOCATION})" fi done - if [ ! -z "${BIND_CONFIG_LOCATION}" ]; then + if [ -n "${BIND_CONFIG_LOCATION}" ]; then Display --indent 4 --text "- Checking BIND configuration file" --result "${STATUS_FOUND}" --color GREEN else Display --indent 4 --text "- Checking BIND configuration file" --result "${STATUS_NOT_FOUND}" --color YELLOW @@ -449,12 +449,12 @@ # # Test : NAME-4238 # Description : Check PowerDNS authoritative status - if [ ${POWERDNS_RUNNING} -eq 1 -a ! -z "${POWERDNS_AUTH_CONFIG_LOCATION}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + if [ ${POWERDNS_RUNNING} -eq 1 -a -n "${POWERDNS_AUTH_CONFIG_LOCATION}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no NAME-4238 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check PowerDNS authoritative status" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Checking for PowerDNS master status" FIND=$(${GREPBINARY} "^master=yes" ${POWERDNS_AUTH_CONFIG_LOCATION}) - if [ ! -z "${FIND}" ]; then + if [ -n "${FIND}" ]; then LogText "Found master=yes in configuration file" Display --indent 4 --text "- PowerDNS authoritative master: YES" POWERDNS_AUTH_MASTER=1 @@ -464,7 +464,7 @@ fi LogText "Test: Checking for PowerDNS slave status" FIND=$(${GREPBINARY} "^slave=yes" ${POWERDNS_AUTH_CONFIG_LOCATION}) - if [ ! -z "${FIND}" ]; then + if [ -n "${FIND}" ]; then LogText "Found slave=yes in configuration file" Display --indent 4 --text "- PowerDNS authoritative slave: YES" POWERDNS_AUTH_SLAVE=1 @@ -509,7 +509,7 @@ if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Checking $(domainname) for NIS domain value" FIND=$(${DOMAINNAMEBINARY} | ${GREPBINARY} -v "(none)") - if [ ! -z "${FIND}" ]; then + if [ -n "${FIND}" ]; then LogText "Value: ${FIND}" NISDOMAIN="${FIND}" else @@ -520,7 +520,7 @@ if [ -f ${ROOTDIR}etc/defaultdomain ]; then LogText "Result: file ${ROOTDIR}etc/defaultdomain exists" FIND2=$(cat ${ROOTDIR}etc/defaultdomain) - if [ ! -z "${FIND2}" ]; then + if [ -n "${FIND2}" ]; then LogText "Output: ${FIND2}" NISDOMAIN="${FIND2}" else @@ -533,7 +533,7 @@ LogText "Result: file ${ROOTDIR}etc/sysconfig/network exists" LogText "Test: checking NISDOMAIN value in file" FIND3=$(${GREPBINARY} "^NISDOMAIN" ${ROOTDIR}etc/sysconfig/network | ${AWKBINARY} -F= '{ print $2 }' | ${SEDBINARY} 's/"//g') - if [ ! -z "${FIND3}" ]; then + if [ -n "${FIND3}" ]; then LogText "Found NIS domain: ${FIND3}" NISDOMAIN="${FIND3}" else @@ -553,7 +553,7 @@ fi fi # Check if we found any NIS domain - if [ ! -z "${NISDOMAIN}" ]; then + if [ -n "${NISDOMAIN}" ]; then LogText "Found NIS domain: ${NISDOMAIN}" Report "nisdomain=${NISDOMAIN}" Display --indent 4 --text "- Checking NIS domain" --result "${STATUS_FOUND}" --color GREEN @@ -636,7 +636,7 @@ # # Test : NAME-4408 # Description : Check localhost entry - if [ ! -z "${GETENT_BINARY}" ]; then PREQS_MET="YES"; SKIPREASON="No getent binary"; else PREQS_MET="NO"; SKIPREASON=""; fi + if [ -n "${GETENT_BINARY}" ]; then PREQS_MET="YES"; SKIPREASON="No getent binary"; else PREQS_MET="NO"; SKIPREASON=""; fi Register --test-no NAME-4408 --preqs-met ${PREQS_MET} --skip-reason "${SKIPREASON}" --weight L --network NO --category security --description "Check localhost entry" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Check server hostname not locally mapped in /etc/hosts" diff --git a/include/tests_networking b/include/tests_networking index 8c895c4e..23067c57 100644 --- a/include/tests_networking +++ b/include/tests_networking @@ -47,7 +47,7 @@ IPV6_MISCONFIGURED=0 IPV6_MISCONFIGURED_MTU=0 FIND=$(sysctl -a 2> /dev/null | ${GREPBINARY} "^net.ipv6" | ${SEDBINARY} "s/ = /=/") - if [ ! -z "${FIND}" ]; then + if [ -n "${FIND}" ]; then IPV6_CONFIGURED=1 for I in ${FIND}; do SYSCTL_KEY=$(echo ${I} | ${AWKBINARY} -F= '{ print $1 }') @@ -124,7 +124,7 @@ if [ -f /etc/resolv.conf ]; then LogText "Result: Found /etc/resolv.conf file" FIND=$(${GREPBINARY} '^nameserver' /etc/resolv.conf | ${TRBINARY} -d '\t' | ${SEDBINARY} 's/nameserver*//g' | uniq | ${CUTBINARY} -d# -f1) - if [ ! -z "${FIND}" ]; then + if [ -n "${FIND}" ]; then Display --indent 4 --text "- Testing nameservers" LogText "Test: Querying nameservers" for I in ${FIND}; do @@ -134,7 +134,7 @@ if [ "${I}" = "::1" -o "${I}" = "127.0.0.1" -o "${I}" = "127.0.0.53" -o "${I}" = "127.0.1.1" -o "${I}" = "0.0.0.0" ]; then LOCAL_DNSRESOLVER_FOUND=1 fi - if [ ! -z "${DIGBINARY}" ]; then + if [ -n "${DIGBINARY}" ]; then # See if we can query something at the nameserver # 0=good, other=bad DNSRESPONSE=$(${DIGBINARY} +noall +time=3 +retry=0 @${I} ${FQDN} > /dev/null ; echo $?) @@ -167,7 +167,7 @@ Register --test-no NETW-2705 --preqs-met ${PREQS_MET} --weight L --network YES --category security --description "Check availability two nameservers" if [ ${SKIPTEST} -eq 0 ]; then SKIP=0 - if [ ! -z "${DIGBINARY}" ]; then + if [ -n "${DIGBINARY}" ]; then if [ ${NUMBERACTIVENS} -lt 2 ]; then Display --indent 4 --text "- Minimal of 2 responsive nameservers" --result "${STATUS_WARNING}" --color RED LogText "Result: less than 2 responsive nameservers found" @@ -193,12 +193,12 @@ # Test : NETW-3001 # Description : Find default gateway (route) # More info : BSD: ^default Linux: 0.0.0.0 - if [ ! -z "${NETSTATBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + if [ -n "${NETSTATBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no NETW-3001 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Find default gateway (route)" if [ $SKIPTEST -eq 0 ]; then LogText "Test: Searching default gateway(s)" FIND=$(${NETSTATBINARY} -rn | ${EGREPBINARY} "^0.0.0.0|default" | ${TRBINARY} -s ' ' | ${CUTBINARY} -d ' ' -f2) - if [ ! -z "${FIND}" ]; then + if [ -n "${FIND}" ]; then for I in ${FIND}; do LogText "Result: Found default gateway ${I}" Report "default_gateway[]=${I}" @@ -222,9 +222,9 @@ FIND=$(${IFCONFIGBINARY} -a 2> /dev/null | ${GREPBINARY} "flags=" | ${AWKBINARY} -F ":" '{ print $1 }') ;; Linux) - if [ ! -z "${IPBINARY}" ]; then + if [ -n "${IPBINARY}" ]; then FIND=$(${IPBINARY} link show 2> /dev/null | ${GREPBINARY} "^[0-9]" | ${AWKBINARY} '{ print $2 }' | ${SEDBINARY} 's/://g') - elif [ ! -z "${IFCONFIGBINARY}" ]; then + elif [ -n "${IFCONFIGBINARY}" ]; then FIND=$(${IFCONFIGBINARY} -a 2> /dev/null | ${AWKBINARY} '{ if ( $2 == "Link" ) { print $1 }}') fi ;; @@ -265,14 +265,14 @@ FIND=$(${IFCONFIGBINARY} -a 2> /dev/null | ${AWKBINARY} '{ if ($1=="ether") print $2 }' | ${SORTBINARY} -u) ;; Linux) - if [ ! -z "${IFCONFIGBINARY}" ]; then + if [ -n "${IFCONFIGBINARY}" ]; then FIND=$(${IFCONFIGBINARY} -a 2> /dev/null | ${GREPBINARY} "HWaddr" | ${AWKBINARY} '{ if ($4=="HWaddr") print $5 }' | ${SORTBINARY} -u) # CentOS 7.x and others may return nothing. Let's retry with 'ether' field. if [ -z "${FIND}" ]; then FIND=$(${IFCONFIGBINARY} -a 2> /dev/null | ${AWKBINARY} '{ if ($1=="ether") print $2 }' | ${SORTBINARY} -u) fi else - if [ ! -z "${IPBINARY}" ]; then + if [ -n "${IPBINARY}" ]; then LogText "Test: Using ip binary to gather hardware addresses" FIND=$(${IPBINARY} link 2> /dev/null | ${GREPBINARY} "link/ether" | ${AWKBINARY} '{ print $2 }') else @@ -320,12 +320,12 @@ FIND2=$(${IFCONFIGBINARY} -a 2> /dev/null | ${AWKBINARY} '{ if ($1=="inet6") print $2 }') ;; Linux) - if [ ! -z "${IFCONFIGBINARY}" ]; then + if [ -n "${IFCONFIGBINARY}" ]; then FIND=$(${IFCONFIGBINARY} -a 2> /dev/null | ${AWKBINARY} '{ if ($1=="inet") print $2 }' | ${CUTBINARY} -d ':' -f2) # Version which works for multiple types of ifconfig (e.g. Slackware) FIND2=$(${IFCONFIGBINARY} -a 2> /dev/null | ${AWKBINARY} '{ if ($1=="inet6" && $2=="addr:") { print $3 } else { if ($1=="inet6" && $3=="prefixlen") { print $2 } } }') else - if [ ! -z "${IPBINARY}" ]; then + if [ -n "${IPBINARY}" ]; then LogText "Test: Using ip binary to gather IP addresses" FIND=$(${IPBINARY} addr 2> /dev/null | ${AWKBINARY} '{ if ($1=="inet") { print $2 }}' | ${SEDBINARY} 's/\/.*//') FIND2=$(${IPBINARY} addr 2> /dev/null | ${AWKBINARY} '{ if ($1=="inet6") { print $2 }}' | ${SEDBINARY} 's/\/.*//') @@ -375,7 +375,7 @@ COUNT=0 case ${OS} in DragonFly|FreeBSD) - if [ ! -z "${SOCKSTATBINARY}" ]; then + if [ -n "${SOCKSTATBINARY}" ]; then FIND=$(${SOCKSTATBINARY} | ${AWKBINARY} '{ if ($7 ~ /\*:\*/) print $5"|"$6"|"$2"|" }' | ${SORTBINARY} -u) # To strip off IP's: ${SEDBINARY} 's/|.*:/|/' else @@ -513,17 +513,17 @@ NETWORK="" USE_IP_INSTEAD_IFCONFIG=0 - if [ ! -z "${IPBINARY}" ]; then + if [ -n "${IPBINARY}" ]; then LogText "Test: Using ip binary to retrieve network interfaces" NETWORK=$(${IPBINARY} -o link 2> /dev/null | ${GREPBINARY} "^[0-9]" | ${AWKBINARY} '{print $2 }' | ${TRBINARY} -d ':') USE_IP_INSTEAD_IFCONFIG=1 - elif [ ! -z "${IFCONFIGBINARY}" ]; then + elif [ -n "${IFCONFIGBINARY}" ]; then LogText "Test: Using ifconfig binary to retrieve network interfaces" NETWORK=$(${IFCONFIGBINARY} 2> /dev/null | ${GREPBINARY} Link | ${TRBINARY} -s ' ' | ${CUTBINARY} -d ' ' -f1) fi LogText "Test: Checking all interfaces to discover any with promiscuous mode enabled" - if [ ! -z "${NETWORK}" ]; then + if [ -n "${NETWORK}" ]; then FOUNDPROMISC=0 for I in ${NETWORK}; do if [ ${USE_IP_INSTEAD_IFCONFIG} -eq 1 ]; then @@ -531,7 +531,7 @@ else FIND=$(${IFCONFIGBINARY} ${I} 2> /dev/null | ${GREPBINARY} PROMISC) fi - if [ ! -z "${FIND}" ]; then + if [ -n "${FIND}" ]; then LogText "Result: Promiscuous interface: ${I}" ISWHITELISTED=$(${GREPBINARY} "^if_promisc:${I}:" ${PROFILE}) if [ -z "${ISWHITELISTED}" ]; then diff --git a/include/tests_php b/include/tests_php index 76606c64..ef43f282 100644 --- a/include/tests_php +++ b/include/tests_php @@ -139,7 +139,7 @@ fi done - if [ ! -z "${PHPINIFILE}" ]; then + if [ -n "${PHPINIFILE}" ]; then Display --indent 2 --text "- Checking PHP" --result "${STATUS_FOUND}" --color GREEN LogText "Result: using single file ${PHPINIFILE} for main php.ini tests" LogText "Result: using php.ini array ${PHPINI_ALLFILES} for further tests" @@ -154,7 +154,7 @@ # # Test : PHP-2320 # Description : Check php disable functions option - if [ ! -z "${PHPINI_ALLFILES}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + if [ -n "${PHPINI_ALLFILES}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no PHP-2320 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check PHP disabled functions" if [ ${SKIPTEST} -eq 0 ]; then FOUND=0 @@ -194,7 +194,7 @@ # Test : PHP-2368 # Description : Check php register_globals option # Notes : Don't test for it if PHP version is 5.4.0 or later (it has been removed) - if [ ! -z "${PHPINIFILE}" -a ! -z "${PHPVERSION}" -a ! -z "${EGREPBINARY}" ]; then + if [ -n "${PHPINIFILE}" -a -n "${PHPVERSION}" -a -n "${EGREPBINARY}" ]; then if [ -f "${PHPINIFILE}" ]; then FIND=$(echo ${PHPVERSION} | ${EGREPBINARY} "^(4.|5.[0-3])") if [ -z "${FIND}" ]; then @@ -215,7 +215,7 @@ if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Checking PHP register_globals option" FIND=$(${EGREPBINARY} -i 'register_globals.*(on|yes|1)' ${PHPINIFILE} | ${GREPBINARY} -v '^;') - if [ ! -z "${FIND}" ]; then + if [ -n "${FIND}" ]; then Display --indent 4 --text "- Checking register_globals option" --result "${STATUS_WARNING}" --color RED ReportWarning ${TEST_NO} "PHP option register_globals option is turned on, which can be a risk for variable value overwriting" ReportSuggestion ${TEST_NO} "Change the register_globals line to: register_globals = Off" @@ -235,7 +235,7 @@ # Description : Check PHP expose_php option # Background : When this option is turned on, PHP will show its version number in the HTTP headers # Notes : TODO - Extend test to check all PHP files - if [ ! -z "${PHPINI_ALLFILES}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + if [ -n "${PHPINI_ALLFILES}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no PHP-2372 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check PHP expose_php option" if [ ${SKIPTEST} -eq 0 ]; then FOUND=0 @@ -266,12 +266,12 @@ # Test : PHP-2374 # Description : Check PHP enable_dl option # Notes : Extend test to check all PHP files - if [ ! -z "${PHPINIFILE}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + if [ -n "${PHPINIFILE}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no PHP-2374 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check PHP enable_dl option" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Checking PHP enable_dl option" FIND=$(${EGREPBINARY} -i 'enable_dl.*(on|yes|1)' ${PHPINIFILE} | ${GREPBINARY} -v '^;') - if [ ! -z "${FIND}" ]; then + if [ -n "${FIND}" ]; then Display --indent 4 --text "- Checking enable_dl option" --result "${STATUS_ON}" --color YELLOW Report "Result: enable_dl option is turned on, which can be used to enable more modules dynamically and circumventing security controls" ReportSuggestion ${TEST_NO} "Change the enable_dl line to: enable_dl = Off, to disable dynamically loading new modules" @@ -288,7 +288,7 @@ # Test : PHP-2376 # Description : Check PHP allow_url_fopen option # Notes : Extend test to check all PHP files YYY - if [ ! -z "${PHPINIFILE}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + if [ -n "${PHPINIFILE}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no PHP-2376 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check PHP allow_url_fopen option" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Checking PHP allow_url_fopen option" @@ -311,7 +311,7 @@ # Test : PHP-2378 # Description : Check PHP allow_url_include option # Notes : Extend test to check all PHP files YYY - if [ ! -z "${PHPINIFILE}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + if [ -n "${PHPINIFILE}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no PHP-2378 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check PHP allow_url_include option" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Checking PHP allow_url_include option" @@ -333,7 +333,7 @@ # - test disabled for time being, as newer suhosin7 work is not stable enough - # Test : PHP-2379 # Description : Check PHP suhosin extension status - #if [ ! -z "${PHPINI_ALLFILES}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + #if [ -n "${PHPINI_ALLFILES}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi #Register --test-no PHP-2379 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check PHP suhosin extension status" #if [ ${SKIPTEST} -eq 0 ]; then @@ -365,14 +365,14 @@ # fi # # Check Suhosin for PHP 7 - # if [ ! -z "${MAJOR_VERSION}" -a ${FOUND} -eq 1 ]; then + # if [ -n "${MAJOR_VERSION}" -a ${FOUND} -eq 1 ]; then # LogText "Test: Check Suhosin for PHP 7 is not enabled" # LogText "Result: Suhosin for PHP 7 is in alpha stage and should not be used in production" # ReportSuggestion ${TEST_NO} "Disable Suhosin for PHP 7" # Display --indent 4 --text "- Checking PHP suhosin extension status" --result "${STATUS_WARNING}" --color RED # Display --indent 6 --text "- Suhosin is enabled for PHP 7" --result "${STATUS_WARNING}" --color RED # AddHP 0 1 - # elif [ ! -z "${MAJOR_VERSION}" -a ${FOUND} -eq 0 ]; then + # elif [ -n "${MAJOR_VERSION}" -a ${FOUND} -eq 0 ]; then # LogText "Test: Check Suhosin for PHP 7 is not enabled" # LogText "Result: Suhosin for PHP 7 is not enabled" # Display --indent 4 --text "- Checking PHP suhosin extension status" --result "${STATUS_OK}" --color GREEN diff --git a/include/tests_ports_packages b/include/tests_ports_packages index 6b6b2ed9..e82c8eaf 100644 --- a/include/tests_ports_packages +++ b/include/tests_ports_packages @@ -88,7 +88,7 @@ # Test : PKGS-7303 # Description : Query brew package manager FIND=$(which brew 2> /dev/null | grep -v "no [^ ]* in ") - if [ ! -z "${FIND}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + if [ -n "${FIND}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no PKGS-7303 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Query brew package manager" if [ ${SKIPTEST} -eq 0 ]; then Display --indent 4 --text "- Searching brew" --result "${STATUS_FOUND}" --color GREEN @@ -158,7 +158,7 @@ # # Test : PKGS-7308 # Description : RPM package based systems - if [ ! -z "${RPMBINARY}" -a -z "${DNFBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + if [ -n "${RPMBINARY}" -a -z "${DNFBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no PKGS-7308 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking package list with RPM" if [ ${SKIPTEST} -eq 0 ]; then COUNT=0 @@ -191,7 +191,7 @@ # # Test : PKGS-7310 # Description : pacman package based systems - if [ ! -z "${PACMANBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + if [ -n "${PACMANBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no PKGS-7310 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking package list with pacman" if [ ${SKIPTEST} -eq 0 ]; then COUNT=0 @@ -222,12 +222,12 @@ # # Test : PKGS-7312 # Description : Check for available package updates when pacman package is used - if [ ! -z "${PACMANBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + if [ -n "${PACMANBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no PKGS-7312 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking available updates for pacman based system" if [ ${SKIPTEST} -eq 0 ]; then FOUND=0 FIND=$(which checkupdates 2> /dev/null | grep -v "no [^ ]* in ") - if [ ! -z "${FIND}" ]; then + if [ -n "${FIND}" ]; then FIND=$(checkupdates) for I in ${FIND}; do LogText "Result: update available for ${I}" @@ -252,7 +252,7 @@ # Test : PKGS-7314 # Description : Check pacman.conf options PACMANCONF="/etc/pacman.conf" - if [ ! -z "${PACMANBINARY}" -a -f ${PACMANCONF} ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + if [ -n "${PACMANBINARY}" -a -f ${PACMANCONF} ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no PKGS-7314 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking pacman configuration options" if [ ${SKIPTEST} -eq 0 ]; then COUNT=0 @@ -315,7 +315,7 @@ # # Test : PKGS-7322 # Description : Discover vulnerable packages with arch-audit - if [ ! -z "${ARCH_AUDIT_BINARY}" ]; then PREQS_MET="YES"; SKIPREASON=""; else PREQS_MET="NO"; SKIPREASON="arch-audit not found"; fi + if [ -n "${ARCH_AUDIT_BINARY}" ]; then PREQS_MET="YES"; SKIPREASON=""; else PREQS_MET="NO"; SKIPREASON="arch-audit not found"; fi Register --test-no PKGS-7322 --os "Linux" --preqs-met ${PREQS_MET} --skip-reason "${SKIPREASON}" --weight L --network NO --category security --description "Discover vulnerable packages with arch-audit" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: checking arch-audit output for vulnerable packages" @@ -338,14 +338,14 @@ # # Test : PKGS-7328 # Description : Check installed packages with Zypper - if [ ! -z "${ZYPPERBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + if [ -n "${ZYPPERBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no PKGS-7328 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Querying Zypper for installed packages" if [ ${SKIPTEST} -eq 0 ]; then COUNT=0 PACKAGE_AUDIT_TOOL_FOUND=1 PACKAGE_AUDIT_TOOL="zypper" FIND=$(${ZYPPERBINARY} --non-interactive -n se -t package -i | ${AWKBINARY} '{ if ($1=="i") { print $3 } }') - if [ ! -z "${FIND}" ]; then + if [ -n "${FIND}" ]; then for PKG in ${FIND}; do COUNT=$((COUNT + 1)) LogText "Installed package: ${PKG}" @@ -362,11 +362,11 @@ # # Test : PKGS-7330 # Description : Check vulnerable packages with Zypper - if [ ! -z "${ZYPPERBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + if [ -n "${ZYPPERBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no PKGS-7330 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Querying Zypper for vulnerable packages" if [ ${SKIPTEST} -eq 0 ]; then FIND=$(${ZYPPERBINARY} --non-interactive pchk | ${GREPBINARY} "(0 security patches)") - if [ ! -z "${FIND}" ]; then + if [ -n "${FIND}" ]; then LogText "Result: No security updates found with Zypper" Display --indent 2 --text "- Using Zypper to find vulnerable packages" --result "${STATUS_NONE}" --color GREEN else @@ -520,7 +520,7 @@ # Test : PKGS-7350 # Description : Use Dandified YUM to gather installed packages # Notes : Possible replacement for YUM in the long term - if [ ! -z "${DNFBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + if [ -n "${DNFBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no "PKGS-7350" --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking for installed packages with DNF utility" if [ ${SKIPTEST} -eq 0 ]; then COUNT=0 @@ -546,13 +546,13 @@ # # Test : PKGS-7352 # Description : Use Dandified YUM to detect security updates - if [ ! -z "${DNFBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + if [ -n "${DNFBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no "PKGS-7352" --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking for security updates with DNF utility" if [ ${SKIPTEST} -eq 0 ]; then # Check for security updates LogText "Action: checking updateinfo for security updates" FIND=$(${DNFBINARY} -q updateinfo list sec 2> /dev/null | ${AWKBINARY} '{ if ($2=="security") { print $3 }}') - if [ ! -z "${FIND}" ]; then + if [ -n "${FIND}" ]; then VULNERABLE_PACKAGES_FOUND=1 LogText "Result: found vulnerable packages, upgrade of system needed." for PKG in ${FIND}; do @@ -574,20 +574,20 @@ # # Test : PKGS-7354 # Description : Perform integrity tests for package database - if [ ! -z "${DNFBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + if [ -n "${DNFBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no "PKGS-7354" --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking package database integrity" if [ ${SKIPTEST} -eq 0 ]; then # Check if repoquery plugin is available FIND=$(${DNFBINARY} 2>&1 | ${GREPBINARY} "^repoquery") - if [ ! -z "${FIND}" ]; then + if [ -n "${FIND}" ]; then LogText "Action: checking integrity of package database" FIND=$(${DNFBINARY} -q repoquery --duplicated) - if [ ! -z "${FIND}" ]; then + if [ -n "${FIND}" ]; then LogText "Result: found unexpected result on repoquery --duplicated" ReportSuggestion "${TEST_NO}" "Check output of: dnf repoquery --duplicated" fi FIND=$(${DNFBINARY} -q repoquery --unsatisfied) - if [ ! -z "${FIND}" ]; then + if [ -n "${FIND}" ]; then LogText "Result: found unexpected result on repoquery --unsatisfied" ReportSuggestion "${TEST_NO}" "Check output of: dnf repoquery --unsatisfied" fi @@ -600,17 +600,17 @@ # # Test : PKGS-7366 # Description : Checking if debsecan is installed and enabled on Debian systems - if [ ! -z "${DEBSECANBINARY}" -a "${OS}" = "Linux" -a "${LINUX_VERSION}" = "Debian" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + if [ -n "${DEBSECANBINARY}" -a "${OS}" = "Linux" -a "${LINUX_VERSION}" = "Debian" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no "PKGS-7366" --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking for debsecan utility" if [ ${SKIPTEST} -eq 0 ]; then - if [ ! -z "${DEBSECANBINARY}" ]; then + if [ -n "${DEBSECANBINARY}" ]; then LogText "Result: debsecan utility is installed" Display --indent 4 --text "- debsecan utility" --result "${STATUS_FOUND}" --color GREEN AddHP 3 3 PACKAGE_AUDIT_TOOL_FOUND=1 PACKAGE_AUDIT_TOOL="debsecan" FIND=$(${FINDBINARY} ${ROOTDIR}etc/cron* -name debsecan) - if [ ! -z "${FIND}" ]; then + if [ -n "${FIND}" ]; then LogText "Result: cron job is configured for debsecan" Display --indent 6 --text "- debsecan cron job" --result "${STATUS_FOUND}" --color GREEN AddHP 3 3 @@ -633,10 +633,10 @@ # Test : PKGS-7370 # Description : Checking debsums installation status and presence in cron job # Note : Run this only when it is a DPKG based system - if [ ! -z "${DPKGBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + if [ -n "${DPKGBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no "PKGS-7370" --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking for debsums utility" if [ ${SKIPTEST} -eq 0 ]; then - if [ ! -z "${DEBSUMSBINARY}" ]; then + if [ -n "${DEBSUMSBINARY}" ]; then LogText "Result: debsums utility is installed" Display --indent 4 --text "- debsums utility" --result "${STATUS_FOUND}" --color GREEN AddHP 1 1 @@ -728,7 +728,7 @@ # Description : Check for vulnerable FreeBSD packages (with pkg) # Notes : Related vulnerability file is /var/db/pkg/vuln.xml # TODO : Run this in any jail - if [ ! -z "${PKG_BINARY}" ]; then PREQS_MET="YES"; SKIPREASON=""; else PREQS_MET="NO"; SKIPREASON="pkg tool not available"; fi + if [ -n "${PKG_BINARY}" ]; then PREQS_MET="YES"; SKIPREASON=""; else PREQS_MET="NO"; SKIPREASON="pkg tool not available"; fi Register --test-no PKGS-7381 --preqs-met ${PREQS_MET} --skip-reason "${SKIPREASON}" --weight L --network NO --category security --description "Check for vulnerable FreeBSD packages with pkg" if [ ${SKIPTEST} -eq 0 ]; then COUNT=0 @@ -746,7 +746,7 @@ Display --indent 2 --text "- Checking pkg audit to obtain vulnerable packages" --result "${STATUS_NONE}" --color GREEN AddHP 10 10 elif [ $? -eq 1 ]; then - if [ ! -z "${FIND}" ]; then + if [ -n "${FIND}" ]; then VULNERABLE_PACKAGES_FOUND=1 Display --indent 2 --text "- Checking pkg audit to obtain vulnerable packages" --result "${STATUS_FOUND}" --color YELLOW for ITEM in ${FIND}; do @@ -804,7 +804,7 @@ # Test : PKGS-7383 # Description : Check for YUM package Update management # Notes : Skip if DNF is used as package manager - if [ ! -z "${YUMBINARY}" -a -z "${DNFBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + if [ -n "${YUMBINARY}" -a -z "${DNFBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no PKGS-7383 --preqs-met ${PREQS_MET} --os Linux --weight M --network NO --category security --description "Check for YUM package update management" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: YUM package update management" @@ -823,7 +823,7 @@ # # Test : PKGS-7384 # Description : Search for YUM utils package - if [ ! -z "${YUMBINARY}" -a -z "${DNFBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + if [ -n "${YUMBINARY}" -a -z "${DNFBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no PKGS-7384 --preqs-met ${PREQS_MET} --os Linux --weight L --network NO --category security --description "Check for YUM utils package" if [ ${SKIPTEST} -eq 0 ]; then # package-cleanup tool can be found in different locations @@ -903,7 +903,7 @@ # Check if it's installed as package (this is old style) if [ ${DO_TEST} -eq 0 ]; then FIND=$(rpm -q yum-security yum-plugin-security | ${GREPBINARY} -v "not installed") - if [ ! -z "${FIND}" ]; then + if [ -n "${FIND}" ]; then LogText "Result: found yum-plugin-security package" DO_TEST=1 fi @@ -943,7 +943,7 @@ if [ -x ${ROOTDIR}usr/bin/yum -a -z "${DNFBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no PKGS-7387 --preqs-met ${PREQS_MET} --os Linux --weight L --network NO --category security --description "Check for GPG signing in YUM security package" if [ ${SKIPTEST} -eq 0 ]; then - if [ ! -z "${PYTHONBINARY}" ]; then + if [ -n "${PYTHONBINARY}" ]; then LogText "Test: checking enabled repositories" REPOS=$(${PYTHONBINARY} -c 'import yum ; yb = yum.YumBase() ; yb.conf ; print [(r.id + "=" + str(r.gpgcheck)) for r in yb.repos.listEnabled()]' | ${GREPBINARY} "^\[" | ${TRBINARY} -d '[] ' | ${TRBINARY} -d "'" | ${SEDBINARY} 's/,/ /g') if [ -z "${REPOS}" ]; then LogText "Result: found no repositories"; fi @@ -991,7 +991,7 @@ if [ -f ${ROOTDIR}etc/apt/sources.list ]; then LogText "Searching for security.debian.org/security.ubuntu.com or security repositories in /etc/apt/sources.list file" FIND=$(${EGREPBINARY} "security.debian.org|security.ubuntu.com|security/? " ${ROOTDIR}etc/apt/sources.list | ${GREPBINARY} -v '#' | ${SEDBINARY} 's/ /!space!/g') - if [ ! -z "${FIND}" ]; then + if [ -n "${FIND}" ]; then FOUND=1 Display --indent 2 --text "- Checking security repository in sources.list file" --result "${STATUS_OK}" --color GREEN LogText "Result: Found security repository in ${ROOTDIR}etc/apt/sources.list" @@ -1004,7 +1004,7 @@ if [ -d /etc/apt/sources.list.d ]; then LogText "Searching for security.debian.org/security.ubuntu.com or security repositories in /etc/apt/sources.list.d directory" FIND=$(${EGREPBINARY} -r "security.debian.org|security.ubuntu.com|security/? " /etc/apt/sources.list.d | ${GREPBINARY} -v '#' | ${SEDBINARY} 's/ /!space!/g') - if [ ! -z "${FIND}" ]; then + if [ -n "${FIND}" ]; then FOUND=1 Display --indent 2 --text "- Checking security repository in sources.list.d directory" --result "${STATUS_OK}" --color GREEN LogText "Result: Found security repository in one or more files in directory /etc/apt/sources.list.d" @@ -1100,7 +1100,7 @@ # Trying also with apt-get directly (does not always work, as updates are distributed on both -security and -updates) # Show packages which would be upgraded and match 'security' in repository name FIND=$(${ROOTDIR}usr/bin/apt-get --dry-run --show-upgraded upgrade 2> /dev/null | ${GREPBINARY} '-security' | ${GREPBINARY} "^Inst" | ${CUTBINARY} -d ' ' -f2 | ${SORTBINARY} -u) - if [ ! -z "${FIND}" ]; then + if [ -n "${FIND}" ]; then VULNERABLE_PACKAGES_FOUND=1 SCAN_PERFORMED=1 LogText "Result: found vulnerable package(s) via apt-get (-security channel)" @@ -1247,7 +1247,7 @@ KERNELS=0 LogText "Test: Checking how many kernel packages are installed" - if [ ! -z "${DPKGBINARY}" ]; then + if [ -n "${DPKGBINARY}" ]; then KERNELS=$(${DPKGBINARY} -l 2> /dev/null | ${GREPBINARY} "linux-image-[0-9]" | ${WCBINARY} -l) if [ ${KERNELS} -eq 0 ]; then LogText "Result: found no kernels from dpkg -l output, which is unexpected" @@ -1258,7 +1258,7 @@ else LogText "Result: found ${KERNELS} kernel packages on the system, which is fine" fi - elif [ ! -z "${RPMBINARY}" ]; then + elif [ -n "${RPMBINARY}" ]; then KERNELS=$(${RPMBINARY} -q kernel 2> /dev/null | ${WCBINARY} -l) if [ ${KERNELS} -eq 0 ]; then LogText "Result: found no kernels from rpm -q kernel output, which is unexpected" diff --git a/include/tests_printers_spools b/include/tests_printers_spools index 5c492a9e..5786f4c7 100644 --- a/include/tests_printers_spools +++ b/include/tests_printers_spools @@ -211,7 +211,7 @@ FileIsReadable ${QDAEMON_CONFIG_FILE} if [ ${CANREAD} -eq 1 ]; then FIND=$(${GREPBINARY} -v "^\*" ${QDAEMON_CONFIG_FILE} | ${EGREPBINARY} "backend|device") - if [ ! -z "${FIND}" ]; then + if [ -n "${FIND}" ]; then LogText "Result: printers are defined in ${QDAEMON_CONFIG_FILE}" Display --indent 2 --text "- Checking /etc/qconfig file" --result "${STATUS_FOUND}" --color GREEN QDAEMON_CONFIG_ENABLED=1 @@ -279,7 +279,7 @@ ################################################################################# # -if [ ! -z ${PRINTING_DAEMON} ]; then Report "printing_daemon=${PRINTING_DAEMON}"; fi +if [ -n ${PRINTING_DAEMON} ]; then Report "printing_daemon=${PRINTING_DAEMON}"; fi WaitForKeyPress diff --git a/include/tests_scheduling b/include/tests_scheduling index 91a89c63..98b29932 100644 --- a/include/tests_scheduling +++ b/include/tests_scheduling @@ -170,7 +170,7 @@ if [ -f /etc/anacrontab ]; then LogText "Test: checking anacrontab" sANACRONJOBS=$(${EGREPBINARY} '^([0-9@])' /etc/anacrontab | ${TRBINARY} '\t' ' ' | ${TRBINARY} -s ' ' | ${TRBINARY} ' ' ',' | ${SORTBINARY}) - if [ ! -z "${sANACRONJOBS}" ]; then + if [ -n "${sANACRONJOBS}" ]; then Report "scheduler[]=anacron" for I in ${sANACRONJOBS}; do LogText "Found anacron job (/etc/anacrontab): ${I}" @@ -201,7 +201,7 @@ if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Checking atd status" FIND=$(${PSBINARY} ax | ${GREPBINARY} "/atd" | ${GREPBINARY} -v "grep") - if [ ! -z "${FIND}" ]; then + if [ -n "${FIND}" ]; then LogText "Result: at daemon active" Display --indent 2 --text "- Checking atd status" --result "${STATUS_RUNNING}" --color GREEN ATD_RUNNING=1 diff --git a/include/tests_shells b/include/tests_shells index 3a094ad8..8e97ae86 100644 --- a/include/tests_shells +++ b/include/tests_shells @@ -126,7 +126,7 @@ FIND=$(${GREPBINARY} 'TMOUT=' ${ROOTDIR}etc/profile | ${TRBINARY} -d ' ' | ${TRBINARY} -d '\t' | ${GREPBINARY} -v "^#" | ${SEDBINARY} 's/export//' | ${SEDBINARY} 's/#.*//' | ${AWKBINARY} -F= '{ print $2 }') # Determine if the value is exported (with export, readonly, or typeset) FIND2=$(${GREPBINARY} '\(export\|readonly\|typeset -r\)[ \t]*TMOUT' ${ROOTDIR}etc/profile | ${GREPBINARY} -v "^#" | ${SEDBINARY} 's/#.*//' | ${AWKBINARY} '{ print $1 }') - if [ ! -z "${FIND}" ]; then + if [ -n "${FIND}" ]; then N=0; IDLE_TIMEOUT=1 for I in ${FIND}; do LogText "Output: ${I}" @@ -143,7 +143,7 @@ LogText "Result: could not find TMOUT setting in ${ROOTDIR}etc/profile" fi - if [ ! -z "${FIND2}" ]; then + if [ -n "${FIND2}" ]; then N=0; for I in ${FIND2}; do LogText "Output: ${I}" @@ -167,12 +167,12 @@ if [ -d ${ROOTDIR}etc/profile.d ]; then FIND=$(${LSBINARY} ${ROOTDIR}etc/profile.d/*.sh 2> /dev/null) - if [ ! -z "${FIND}" ]; then + if [ -n "${FIND}" ]; then # Determine if we can find a TMOUT value FIND=$(${FINDBINARY} ${ROOTDIR}etc/profile.d -name "*.sh" -type f -exec cat {} \; 2> /dev/null | ${GREPBINARY} 'TMOUT=' | ${TRBINARY} -d ' ' | ${TRBINARY} -d '\t' | ${GREPBINARY} -v "^#" | ${SEDBINARY} 's/export//' | ${SEDBINARY} 's/#.*//' | ${AWKBINARY} -F= '{ print $2 }') # Determine if the value is exported (with export, readonly, or typeset) FIND2=$(${FINDBINARY} ${ROOTDIR}etc/profile.d -name "*.sh" -type f -exec cat {} \; 2> /dev/null | ${GREPBINARY} '\(export\|readonly\|typeset -r\)[ \t]*TMOUT' | ${GREPBINARY} -v "^#" | ${SEDBINARY} 's/#.*//' | ${AWKBINARY} '{ print $1 }') - if [ ! -z "${FIND}" ]; then + if [ -n "${FIND}" ]; then N=0; IDLE_TIMEOUT=1 for I in ${FIND}; do LogText "Output: ${I}" @@ -189,7 +189,7 @@ LogText "Result: could not find TMOUT setting in ${ROOTDIR}etc/profile.d/*.sh" fi # Check for readonly - if [ ! -z "${FIND2}" ]; then + if [ -n "${FIND2}" ]; then N=0; for I in ${FIND2}; do LogText "Output: ${I}" @@ -212,10 +212,10 @@ LogText "Result: skip ${ROOTDIR}etc/profile.d directory test, directory not available on this system" fi - if [ ! -z "${IDLE_TIMEOUT_METHOD}" ]; then + if [ -n "${IDLE_TIMEOUT_METHOD}" ]; then Report "session_timeout_method[]=${IDLE_TIMEOUT_METHOD}" fi - if [ ! -z "${IDLE_TIMEOUT_READONLY}" ]; then + if [ -n "${IDLE_TIMEOUT_READONLY}" ]; then Report "session_timeout_set_readonly=${IDLE_TIMEOUT_READONLY}" fi diff --git a/include/tests_snmp b/include/tests_snmp index 5140555f..8b82d9e8 100644 --- a/include/tests_snmp +++ b/include/tests_snmp @@ -74,7 +74,7 @@ # # Test : SNMP-3306 # Description : Determine SNMP communities - if [ ! -z "${SNMP_DAEMON_CONFIG}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + if [ -n "${SNMP_DAEMON_CONFIG}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no SNMP-3306 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check SNMP communities" if [ ${SKIPTEST} -eq 0 ]; then WARN=0 diff --git a/include/tests_squid b/include/tests_squid index c9eb1b71..bfb699f0 100644 --- a/include/tests_squid +++ b/include/tests_squid @@ -43,7 +43,7 @@ FOUND=0 # Check running processes FIND=$(${PSBINARY} ax | ${EGREPBINARY} "(squid|squid3) " | ${GREPBINARY} -v "grep") - if [ ! -z "${FIND}" ]; then + if [ -n "${FIND}" ]; then SQUID_DAEMON_RUNNING=1 LogText "Result: Squid daemon is running" Display --indent 2 --text "- Checking running Squid daemon" --result "${STATUS_FOUND}" --color GREEN @@ -86,10 +86,10 @@ # # Test : SQD-3606 # Description : Check Squid version - if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! -z "${SQUID_DAEMON_CONFIG}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a -n "${SQUID_DAEMON_CONFIG}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no SQD-3606 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check Squid version" if [ ${SKIPTEST} -eq 0 ]; then - if [ ! -z "${SQUIDBINARY}" ]; then + if [ -n "${SQUIDBINARY}" ]; then LogText "Result: Squid binary found (${SQUIDBINARY})" # Skip check if a setuid/setgid bit is found FIND=$(${FINDBINARY} ${SQUIDBINARY} \( -perm 4000 -o -perm 2000 \) -print) @@ -110,7 +110,7 @@ # # Test : SQD-3610 # Description : Check Squid configuration options - if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! -z "${SQUID_DAEMON_CONFIG}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a -n "${SQUID_DAEMON_CONFIG}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no SQD-3610 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Gather Squid settings" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Checking all specific defined options in ${SQUID_DAEMON_CONFIG}" @@ -127,12 +127,12 @@ # # Test : SQD-3613 # Description : Check Squid configuration file permissions - if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! -z "${SQUID_DAEMON_CONFIG}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a -n "${SQUID_DAEMON_CONFIG}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no SQD-3613 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check Squid file permissions" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Checking file permissions of ${SQUID_DAEMON_CONFIG}" FIND=$(find ${SQUID_DAEMON_CONFIG} -type f -a \( -perm -004 -o -perm -002 -o -perm -001 \)) - if [ ! -z "${FIND}" ]; then + if [ -n "${FIND}" ]; then LogText "Result: file ${SQUID_DAEMON_CONFIG} is world readable, writable or executable and could leak information or passwords" Display --indent 4 --text "- Checking Squid configuration file permissions" --result "${STATUS_WARNING}" --color RED ReportSuggestion ${TEST_NO} "Check file permissions of ${SQUID_DAEMON_CONFIG} to limit access" @@ -147,7 +147,7 @@ # ################################################################################# # - if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! -z "${SQUID_DAEMON_CONFIG}" ]; then + if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a -n "${SQUID_DAEMON_CONFIG}" ]; then Display --indent 4 --text "- Checking Squid access control" fi # @@ -155,7 +155,7 @@ # # Test : SQD-3614 # Description : Check Squid authentication - if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! -z "${SQUID_DAEMON_CONFIG}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a -n "${SQUID_DAEMON_CONFIG}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no SQD-3614 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check Squid authentication methods" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: check auth_param option for authentication methods" @@ -176,7 +176,7 @@ # # Test : SQD-3616 # Description : Check external Squid authentication - if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! -z "${SQUID_DAEMON_CONFIG}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a -n "${SQUID_DAEMON_CONFIG}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no SQD-3616 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check external Squid authentication" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: check external_acl_type option for external authentication helpers" @@ -265,7 +265,7 @@ # ################################################################################# # - if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! -z "${SQUID_DAEMON_CONFIG}" ]; then + if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a -n "${SQUID_DAEMON_CONFIG}" ]; then Display --indent 4 --text "- Checking Squid Denial of Service tuning options" fi # @@ -273,7 +273,7 @@ # # Test : SQD-3630 [T] # Description : Check reply_body_max_size value - if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! -z "${SQUID_DAEMON_CONFIG}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a -n "${SQUID_DAEMON_CONFIG}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no SQD-3630 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check Squid reply_body_max_size option" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: checking option reply_body_max_size" @@ -293,7 +293,7 @@ # ################################################################################# # - if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! -z "${SQUID_DAEMON_CONFIG}" ]; then + if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a -n "${SQUID_DAEMON_CONFIG}" ]; then Display --indent 4 --text "- Checking Squid general options" fi # @@ -301,7 +301,7 @@ # # Test : SQD-3680 # Description : Check httpd_suppress_version_string - if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! -z "${SQUID_DAEMON_CONFIG}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a -n "${SQUID_DAEMON_CONFIG}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no SQD-3680 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check Squid version suppression" if [ ${SKIPTEST} -eq 0 ]; then FIND=$(${GREPBINARY} "^httpd_suppress_version_string " ${SQUID_DAEMON_CONFIG} | ${GREPBINARY} " on") diff --git a/include/tests_ssh b/include/tests_ssh index 8a55eabf..377d043f 100644 --- a/include/tests_ssh +++ b/include/tests_ssh @@ -104,7 +104,7 @@ if [ ${SKIPTEST} -eq 0 ]; then OPENSSHD_VERSION=$(${SSHDBINARY} -t -d 2>&1 | ${GREPBINARY} 'sshd version' | ${AWKBINARY} '{if($4~OpenSSH_){print $4}}' | ${AWKBINARY} -F_ '{print $2}' | ${TRBINARY} -d '[:cntrl:],') LogText "Result: discovered OpenSSH version is ${OPENSSHD_VERSION}" - if [ ! -z ${OPENSSHD_VERSION} ]; then + if [ -n ${OPENSSHD_VERSION} ]; then OPENSSHD_VERSION_MAJOR=$(echo ${OPENSSHD_VERSION%%p*} | ${AWKBINARY} -F. '{print $1}') LogText "Result: OpenSSH major version: ${OPENSSHD_VERSION_MAJOR}" OPENSSHD_VERSION_MINOR=$(echo ${OPENSSHD_VERSION%%p*} | ${AWKBINARY} -F. '{print $2}') @@ -117,7 +117,7 @@ # Test : SSH-7408 # Description : Check SSH specific defined options # Notes : Instead of parsing the configuration file, we query the SSH daemon itself - if [ ${OPENSSHD_RUNNING} -eq 1 -a ! -z "${SSH_DAEMON_OPTIONS_FILE}" -a ${OPENSSHD_VERSION_MAJOR} -ge 5 -a ${OPENSSHD_VERSION_MINOR} -ge 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + if [ ${OPENSSHD_RUNNING} -eq 1 -a -n "${SSH_DAEMON_OPTIONS_FILE}" -a ${OPENSSHD_VERSION_MAJOR} -ge 5 -a ${OPENSSHD_VERSION_MINOR} -ge 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no SSH-7408 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check SSH specific defined options" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Checking specific defined options in ${SSH_DAEMON_OPTIONS_FILE}" @@ -189,7 +189,7 @@ FOUNDVALUE=$(${AWKBINARY} -v OPT="${OPTIONNAME_LOWER}" 'index($0, OPT) == 1 { print toupper($2) }' ${SSH_DAEMON_OPTIONS_FILE} | tail -1) LogText "Test: Checking ${OPTIONNAME} in ${SSH_DAEMON_OPTIONS_FILE}" - if [ ! -z "${FOUNDVALUE}" ]; then + if [ -n "${FOUNDVALUE}" ]; then LogText "Result: Option ${OPTIONNAME} found" LogText "Result: Option ${OPTIONNAME} value is ${FOUNDVALUE}" @@ -201,7 +201,7 @@ elif [ "${FOUNDVALUE}" = "${WEAKVALUE}" ]; then RESULT="WEAK" else - if [ ! -z "${EXPECTEDVALUE}" ]; then + if [ -n "${EXPECTEDVALUE}" ]; then LogText "Expected value has multiple values, testing if active value is in list (${EXPECTEDVALUE})" FIND=$(echo ${FOUNDVALUE} | ${GREPBINARY} -E "${EXPECTEDVALUE}") if [ $? -eq 0 ]; then @@ -211,7 +211,7 @@ LogText "Result: not found" fi fi - if [ ! -z "${MEDIUMSCOREDVALUE}" ]; then + if [ -n "${MEDIUMSCOREDVALUE}" ]; then LogText "Medium scored value has multiple values, testing if active value is in list (${MEDIUMSCOREDVALUE})" FIND=$(echo ${FOUNDVALUE} | ${GREPBINARY} -E "${MEDIUMSCOREDVALUE}") if [ $? -eq 0 ]; then @@ -296,13 +296,13 @@ # Test : SSH-7440 # Description : OpenSSH - AllowUsers / AllowGroups # Goal : Check if only a specific amount of users/groups can log in to the system - if [ ${OPENSSHD_RUNNING} -eq 1 -a ! -z "${SSH_DAEMON_OPTIONS_FILE}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + if [ ${OPENSSHD_RUNNING} -eq 1 -a -n "${SSH_DAEMON_OPTIONS_FILE}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no SSH-7440 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check OpenSSH option: AllowUsers and AllowGroups" if [ ${SKIPTEST} -eq 0 ]; then FOUND=0 # AllowUsers FIND=$(${EGREPBINARY} -i "^AllowUsers" ${SSH_DAEMON_OPTIONS_FILE} | ${AWKBINARY} '{ print $2 }') - if [ ! -z "${FIND}" ]; then + if [ -n "${FIND}" ]; then LogText "Result: AllowUsers set, with value ${FIND}" Display --indent 4 --text "- OpenSSH option: AllowUsers" --result "${STATUS_FOUND}" --color GREEN FOUND=1 @@ -313,7 +313,7 @@ # AllowGroups FIND=$(${EGREPBINARY} -i "^AllowGroups" ${SSH_DAEMON_OPTIONS_FILE} | ${AWKBINARY} '{ print $2 }') - if [ ! -z "${FIND}" ]; then + if [ -n "${FIND}" ]; then LogText "Result: AllowUsers set ${FIND}" Display --indent 4 --text "- OpenSSH option: AllowGroups" --result "${STATUS_FOUND}" --color GREEN FOUND=1 diff --git a/include/tests_storage b/include/tests_storage index 34a92ec3..a9029852 100644 --- a/include/tests_storage +++ b/include/tests_storage @@ -37,10 +37,10 @@ LogText "Test: Checking firewire storage driver in directory /etc/modprobe.d and configuration file /etc/modprobe.conf" if [ -d ${ROOTDIR}etc/modprobe.d ]; then FIND=$(${LSBINARY} ${ROOTDIR}etc/modprobe.d/* 2> /dev/null) - if [ ! -z "${FIND}" ]; then + if [ -n "${FIND}" ]; then FIND1=$(${EGREPBINARY} "blacklist (ohci1394|firewire[-_]ohci|firewire-core)" ${ROOTDIR}etc/modprobe.d/* | ${GREPBINARY} -v "#") FIND2=$(${EGREPBINARY} "install (ohci1394|firewire[-_]ohci|firewire-core) /bin/(false|true)" ${ROOTDIR}etc/modprobe.d/* | ${GREPBINARY} -v "#") - if [ ! -z "${FIND1}" -o ! -z "${FIND2}" ]; then + if [ -n "${FIND1}" -o -n "${FIND2}" ]; then FOUND=1 LogText "Result: found firewire ohci driver in disabled state" fi @@ -51,7 +51,7 @@ if [ -f ${ROOTDIR}etc/modprobe.conf ]; then FIND1=$(${EGREPBINARY} -r "blacklist (ohci1394|firewire[-_]ohci|firewire-core)" ${ROOTDIR}etc/modprobe.conf | ${GREPBINARY} -v "#") FIND2=$(${EGREPBINARY} -r "install (ohci1394|firewire[-_]ohci|firewire-core) /bin/(false|true)" ${ROOTDIR}etc/modprobe.conf | ${GREPBINARY} -v "#") - if [ ! -z "${FIND1}" -o ! -z "${FIND2}" ]; then + if [ -n "${FIND1}" -o -n "${FIND2}" ]; then FOUND=1 LogText "Result: found firewire ohci driver in disabled state" fi diff --git a/include/tests_storage_nfs b/include/tests_storage_nfs index 4c0e39ef..bfc5192d 100644 --- a/include/tests_storage_nfs +++ b/include/tests_storage_nfs @@ -33,7 +33,7 @@ # # Test : STRG-1902 # Description : Check rpcinfo - if [ ! -z "${RPCINFOBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + if [ -n "${RPCINFOBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no STRG-1902 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check rpcinfo registered programs" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Checking rpcinfo registered programs" @@ -48,7 +48,7 @@ # # Test : STRG-1904 # Description : Check nfs versions in rpcinfo - if [ ! -z "${RPCINFOBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + if [ -n "${RPCINFOBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no STRG-1904 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check nfs rpc" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Checking NFS registered versions" @@ -63,7 +63,7 @@ # # Test : STRG-1906 # Description : Check nfs protocols (TCP/UDP) and port in rpcinfo - if [ ! -z "${RPCINFOBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + if [ -n "${RPCINFOBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no STRG-1906 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check nfs rpc" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Checking NFS registered protocols" @@ -123,7 +123,7 @@ if [ -f ${ROOTDIR}etc/exports ]; then LogText "Result: ${ROOTDIR}etc/exports exists" FIND=$(${GREPBINARY} -v "^$" ${ROOTDIR}etc/exports | ${GREPBINARY} -v "^#" | ${SEDBINARY} 's/ /!space!/g') - if [ ! -z "${FIND}" ]; then + if [ -n "${FIND}" ]; then for I in ${FIND}; do I=$(echo ${I} | ${SEDBINARY} 's/!space!/ /g') LogText "Found line: ${I}" @@ -161,7 +161,7 @@ Register --test-no STRG-1930 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check client access to nfs share" if [ ${SKIPTEST} -eq 0 ]; then sFIND=$(${SHOWMOUNTBINARY} -e | ${AWKBINARY} '{ print $2 }' | ${SEDBINARY} '1d' | ${GREPBINARY} "\*") - if [ ! -z "${sFIND}" ]; then + if [ -n "${sFIND}" ]; then LogText "Result: all client are allowed to access a NFS share in /etc/exports" Display --indent 4 --text "- Checking NFS client access" --result "ALL CLIENTS" --color YELLOW ReportSuggestion ${TEST_NO} "Specify clients that are allowed to access a NFS share /etc/exports" diff --git a/include/tests_time b/include/tests_time index d67580b8..27693236 100644 --- a/include/tests_time +++ b/include/tests_time @@ -62,7 +62,7 @@ for FILE in ${SEARCH_FILES}; do if [ -f ${FILE} ]; then LogText "result: found chrony configuration: ${FILE}"; CHRONY_CONF_FILE="${FILE}"; fi done - if [ ! -z "${CHRONY_CONF_FILE}" ]; then + if [ -n "${CHRONY_CONF_FILE}" ]; then IsRunning chronyd if [ ${RUNNING} -eq 1 ]; then FOUND=1; NTP_DAEMON_RUNNING=1; NTP_CONFIG_TYPE_DAEMON=1; NTP_DAEMON="chronyd" @@ -83,7 +83,7 @@ # Check running processes FIND=$(${PSBINARY} ax | ${GREPBINARY} "ntpd" | ${GREPBINARY} -v "dntpd" | ${GREPBINARY} -v "grep") - if [ ! -z "${FIND}" ]; then + if [ -n "${FIND}" ]; then FOUND=1; NTPD_RUNNING=1; NTP_DAEMON_RUNNING=1; NTP_CONFIG_TYPE_DAEMON=1 NTP_DAEMON="ntpd" LogText "Result: found running NTP daemon in process list" @@ -98,9 +98,9 @@ fi # Check timedate daemon (systemd) - if [ ! -z "${TIMEDATECTL}" ]; then + if [ -n "${TIMEDATECTL}" ]; then FIND=$(${TIMEDATECTL} status | ${EGREPBINARY} "(NTP|System clock) synchronized: yes") - if [ ! -z "${FIND}" ]; then + if [ -n "${FIND}" ]; then # Check for systemd-timesyncd if [ -f ${ROOTDIR}etc/systemd/timesyncd.conf ]; then LogText "Result: found ${ROOTDIR}etc/systemd/timesyncd.conf" @@ -124,7 +124,7 @@ if [ -f ${I} ]; then LogText "Test: checking for ntpdate or rdate in crontab file ${I}" FIND=$(${EGREPBINARY} "ntpdate|rdate" ${I} | ${GREPBINARY} -v '^#') - if [ ! -z "${FIND}" ]; then + if [ -n "${FIND}" ]; then FOUND=1; NTP_CONFIG_TYPE_SCHEDULED=1 Display --indent 2 --text "- Checking NTP client in crontab file (${I})" --result "${STATUS_FOUND}" --color GREEN LogText "Result: found ntpdate or rdate reference in crontab file ${I}" @@ -146,11 +146,11 @@ if [ -d ${I} ]; then if FileIsReadable ${I}; then FIND=$(${LSBINARY} ${I} | ${GREPBINARY} -v FIFO) - if [ ! -z "${FIND}" ]; then + if [ -n "${FIND}" ]; then for J in ${FIND}; do LogText "Test: checking for ntpdate or rdate in ${I}/${J}" FIND2=$(${EGREPBINARY} "rdate|ntpdate" ${I}/${J} | ${GREPBINARY} -v "^#") - if [ ! -z "${FIND2}" ]; then + if [ -n "${FIND2}" ]; then LogText "Positive match found: ${FIND2}" FOUND=1; FOUND_IN_CRON=1; NTP_CONFIG_TYPE_SCHEDULED=1 fi @@ -186,7 +186,7 @@ if [ -f /etc/rc.conf ]; then LogText "Test: Checking if ntpdate is enabled at startup in *BSD" FIND=$(${GREPBINARY} 'ntpdate_enable="YES"' /etc/rc.conf) - if [ ! -z "${FIND}" ]; then + if [ -n "${FIND}" ]; then LogText "Result: ntpdate is enabled in rc.conf" FOUND=1 NTP_CONFIG_TYPE_STARTUP=1 @@ -219,7 +219,7 @@ # # Test : TIME-3106 # Description : Check status of systemd time synchronization - if [ ${SYSTEMD_NTP_ENABLED} -eq 1 -a ! -z "${TIMEDATECTL}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + if [ ${SYSTEMD_NTP_ENABLED} -eq 1 -a -n "${TIMEDATECTL}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no TIME-3106 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check systemd NTP time synchronization status" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Check the status of time synchronization via timedatectl" @@ -234,7 +234,7 @@ # # Test : TIME-3112 # Description : Check for valid associations from ntpq peers list - if [ ${NTPD_RUNNING} -eq 1 -a ! -z "${NTPQBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + if [ ${NTPD_RUNNING} -eq 1 -a -n "${NTPQBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no TIME-3112 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check active NTP associations ID's" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Checking for NTP association ID's from ntpq peers list" @@ -252,7 +252,7 @@ # # Test : TIME-3116 # Description : Check for stratum 16 peers - if [ ${NTPD_RUNNING} -eq 1 -a ! -z "${NTPQBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + if [ ${NTPD_RUNNING} -eq 1 -a -n "${NTPQBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no TIME-3116 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check peers with stratum value of 16" if [ ${SKIPTEST} -eq 0 ]; then COUNT=0 @@ -290,7 +290,7 @@ # Description : Check unreliable peers from peer list # Notes : Items with # are too far away (network distance) # Items with - are not chosen due clustering algorithm - if [ ${NTPD_RUNNING} -eq 1 -a ! -z "${NTPQBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + if [ ${NTPD_RUNNING} -eq 1 -a -n "${NTPQBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no TIME-3120 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check unreliable NTP peers" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Checking unreliable ntp peers" @@ -313,13 +313,13 @@ # # Test : TIME-3124 # Description : Check selected time source - if [ ${NTPD_RUNNING} -eq 1 -a ! -z "${NTPQBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + if [ ${NTPD_RUNNING} -eq 1 -a -n "${NTPQBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no TIME-3124 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check selected time source" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Checking selected time source" FIND=$(${NTPQBINARY} -p -n | ${GREPBINARY} '^*' | ${AWKBINARY} '{ if ($4=="l") { print $1 } }') FIND2=$(${NTPQBINARY} -p -n | ${GREPBINARY} '^*' | ${AWKBINARY} '{ print $1 }') - if [ -z "${FIND}" -a ! -z "${FIND2}" ]; then + if [ -z "${FIND}" -a -n "${FIND2}" ]; then Display --indent 2 --text "- Checking selected time source" --result "${STATUS_OK}" --color GREEN FIND2=$(echo ${FIND2} | ${SEDBINARY} 's/*//g') LogText "Result: Found selected time source (value: ${FIND2})" @@ -335,7 +335,7 @@ # # Test : TIME-3128 # Description : Check time source candidates - if [ ${NTPD_RUNNING} -eq 1 -a ! -z "${NTPQBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + if [ ${NTPD_RUNNING} -eq 1 -a -n "${NTPQBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no TIME-3128 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check preferred time source" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Checking preferred time source" @@ -358,7 +358,7 @@ # # Test : TIME-3132 # Description : Check ntpq falsetickers - if [ ${NTPD_RUNNING} -eq 1 -a ! -z "${NTPQBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + if [ ${NTPD_RUNNING} -eq 1 -a -n "${NTPQBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no TIME-3132 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check NTP falsetickers" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Checking preferred time source" @@ -382,7 +382,7 @@ # # Test : TIME-3136 # Description : Check ntpq reported ntp version (Linux) - if [ ${NTPD_RUNNING} -eq 1 -a ! -z "${NTPQBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + if [ ${NTPD_RUNNING} -eq 1 -a -n "${NTPQBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no TIME-3136 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check NTP protocol version" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Checking NTP protocol version (ntpq -c ntpversion)" @@ -403,7 +403,7 @@ # Test : TIME-3146 # Description : Check /etc/default/ntpdate (Linux) # Notes : ntpdate-debian binary - #if [ ${NTPD_RUNNING} -eq 1 -a ! -z "${NTPQBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + #if [ ${NTPD_RUNNING} -eq 1 -a -n "${NTPQBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi #Register --test-no TIME-3146 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check /etc/default/ntpdate" #if [ ${SKIPTEST} -eq 0 ]; then # @@ -428,7 +428,7 @@ # Description : Check empty NTP step-tickers # Notes : Mostly applies to Red Hat and clones FILE="${ROOTDIR}etc/ntp/step-tickers" - if [ "${NTPD_RUNNING}" -eq 1 -a ! -z "${NTPQBINARY}" -a -f "${FILE}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + if [ "${NTPD_RUNNING}" -eq 1 -a -n "${NTPQBINARY}" -a -f "${FILE}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no TIME-3160 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check empty NTP step-tickers" if [ ${SKIPTEST} -eq 0 ]; then FOUND=0 diff --git a/include/tests_tooling b/include/tests_tooling index c752dbde..f07bcdac 100644 --- a/include/tests_tooling +++ b/include/tests_tooling @@ -71,7 +71,7 @@ fi # Cfengine - if [ ! -z "${CFAGENTBINARY}" ]; then + if [ -n "${CFAGENTBINARY}" ]; then LogText "Result: CFEngine (cfagent) is installed (${CFAGENTBINARY})" AUTOMATION_TOOL_FOUND=1 CFENGINE_AGENT_FOUND=1 @@ -129,7 +129,7 @@ fi fi - if [ ! -z "${PUPPETBINARY}" ]; then + if [ -n "${PUPPETBINARY}" ]; then LogText "Result: Puppet is installed (${PUPPETBINARY})" AUTOMATION_TOOL_FOUND=1 Report "automation_tool_running[]=puppet-agent" @@ -145,14 +145,14 @@ fi # SaltStack - if [ ! -z "${SALTMINIONBINARY}" ]; then + if [ -n "${SALTMINIONBINARY}" ]; then LogText "Result: SaltStack (salt-minion) is installed (${SALTMINIONBINARY})" AUTOMATION_TOOL_FOUND=1 SALT_MINION_RUNNING=1 Report "automation_tool_running[]=saltstack-minion" Display --indent 4 --text "- SaltStack minion (salt-minion)" --result "${STATUS_FOUND}" --color GREEN fi - if [ ! -z "${SALTMASTERBINARY}" ]; then + if [ -n "${SALTMASTERBINARY}" ]; then LogText "Result: SaltStack (salt-master) is installed (${SALTMASTERBINARY})" AUTOMATION_TOOL_FOUND=1 SALT_MASTER_RUNNING=1 @@ -188,7 +188,7 @@ if [ ${SKIPTEST} -eq 0 ]; then # Fail2ban presence - if [ ! -z "${FAIL2BANBINARY}" ]; then + if [ -n "${FAIL2BANBINARY}" ]; then FAIL2BAN_FOUND=1 IDS_IPS_TOOL_FOUND=1 LogText "Result: Fail2ban is installed (${FAIL2BANBINARY})" @@ -209,10 +209,10 @@ fi # Continue if tooling is available and configuration file found - if [ ${FAIL2BAN_FOUND} -eq 1 -a ! -z "${FAIL2BAN_CONFIG}" ]; then + if [ ${FAIL2BAN_FOUND} -eq 1 -a -n "${FAIL2BAN_CONFIG}" ]; then Report "fail2ban_config=${FAIL2BAN_CONFIG}" FAIL2BANCLIENT=$(which fail2ban-client 2> /dev/null | grep -v "no [^ ]* in ") - if [ ! -z "${FAIL2BANCLIENT}" ]; then PERFORM_FAIL2BAN_TESTS=1; fi + if [ -n "${FAIL2BANCLIENT}" ]; then PERFORM_FAIL2BAN_TESTS=1; fi fi fi # @@ -224,7 +224,7 @@ Register --test-no TOOL-5104 --weight L --network NO --preqs-met ${PREQS_MET} --category security --description "Enabled tests in Fail2ban" if [ ${SKIPTEST} -eq 0 ]; then FIND=$(${FAIL2BANCLIENT} -d | ${TRBINARY} -d '[]' | ${TRBINARY} -d "'" | ${AWKBINARY} -F, '{ if ($1=="add") { print $2 }}' | ${TRBINARY} -d ' ') - if [ ! -z "${FIND}" ]; then + if [ -n "${FIND}" ]; then for F2BSERVICE in ${FIND}; do LogText "Result: service '${F2BSERVICE}' enabled" Report "fail2ban_enabled_service[]=${F2BSERVICE}" @@ -252,12 +252,12 @@ # FIND=$(${EGREPBINARY} "^action = \%\(action_m.*\)s" ${FAIL2BAN_CONFIG}) # FIND2=$(${EGREPBINARY} "^action = \%\(action_\)s" ${FAIL2BAN_CONFIG}) # - # if [ ! -z "${FIND}" ]; then + # if [ -n "${FIND}" ]; then # FAIL2BAN_EMAIL=1 # LogText "Result: found at least one jail which sends an email alert" # fi # - # if [ ! -z "${FIND2}" ]; then + # if [ -n "${FIND2}" ]; then # FAIL2BAN_SILENT=1 # LogText "Result: found at least one jail which does NOT send an email alert" # fi @@ -298,9 +298,9 @@ # # LogText "Checking for fail2ban iptables chains" # - # if [ ! -z "${IPTABLESBINARY}" ]; then + # if [ -n "${IPTABLESBINARY}" ]; then # CHECK_CHAINS=$(${IPTABLESBINARY} -L 2>&1 | ${GREPBINARY} fail2ban) - # if [ ! -z "${CHECK_CHAINS}" ]; then + # if [ -n "${CHECK_CHAINS}" ]; then # LogText "Result: found at least one iptables chain for fail2ban" # Display --indent 4 --text "- Checking for Fail2ban iptables chain" --result "${STATUS_OK}" --color GREEN # else diff --git a/include/tests_usb b/include/tests_usb index eada5d12..3ba19cc9 100644 --- a/include/tests_usb +++ b/include/tests_usb @@ -39,7 +39,7 @@ # # Test to determine if USBGuard is installed. If it is, we will limit # suggestions from other tests. - if [ ! -z "${USBGUARDBINARY}" ]; then + if [ -n "${USBGUARDBINARY}" ]; then USBGUARD_FOUND=1 fi # @@ -53,10 +53,10 @@ LogText "Test: Checking USB storage driver in directory /etc/modprobe.d and configuration file /etc/modprobe.conf" if [ -d /etc/modprobe.d ]; then FIND=$(${LSBINARY} ${ROOTDIR}etc/modprobe.d/* 2> /dev/null) - if [ ! -z "${FIND}" ]; then + if [ -n "${FIND}" ]; then FIND=$(${EGREPBINARY} -r "install usb[-_]storage /bin/(false|true)" ${ROOTDIR}etc/modprobe.d/* | ${GREPBINARY} -v "#") FIND2=$(${EGREPBINARY} -r "^blacklist usb[-_]storage" ${ROOTDIR}etc/modprobe.d/*) - if [ ! -z "${FIND}" -o ! -z "${FIND2}" ]; then + if [ -n "${FIND}" -o -n "${FIND2}" ]; then FOUND=1 LogText "Result: found usb-storage driver in disabled state (blacklisted)" fi @@ -66,7 +66,7 @@ fi if [ -f ${ROOTDIR}etc/modprobe.conf ]; then FIND=$(${EGREPBINARY} "install usb[-_]storage /bin/(false|true)" ${ROOTDIR}etc/modprobe.conf | ${GREPBINARY} "usb-storage" | ${GREPBINARY} -v "#") - if [ ! -z "${FIND}" ]; then + if [ -n "${FIND}" ]; then FOUND=1 LogText "Result: found usb-storage driver in disabled state" fi @@ -146,14 +146,14 @@ USBGUARD_CONFIG="" fi - if [ ! -z "${USBGUARD_CONFIG}" ]; then + if [ -n "${USBGUARD_CONFIG}" ]; then LogText "Result: USBGuard configuration found (${USBGUARD_CONFIG})" Display --indent 4 --text "- Configuration" --result "${STATUS_FOUND}" --color GREEN AddHP 1 1 LogText "Checking USBGuard restore controller device state (RestoreControllerDeviceState)" USBGUARD_RESTORE_POLICY=$(${AWKBINARY} -F '=' -v OPT="RestoreControllerDeviceState" 'index($0, OPT) == 1 {print $2}' ${USBGUARD_CONFIG}) - if [ ! -z "${USBGUARD_RESTORE_POLICY}" ]; then + if [ -n "${USBGUARD_RESTORE_POLICY}" ]; then LogText "Result: RestoreControllerDeviceState = ${USBGUARD_RESTORE_POLICY}" case "${USBGUARD_RESTORE_POLICY}" in "true") @@ -184,7 +184,7 @@ LogText "Checking USBGuard rule for controllers connected before daemon starts (PresentControllerPolicy)" USBGUARD_CONTROLLER_POLICY=$(${AWKBINARY} -F '=' -v OPT="PresentControllerPolicy" 'index($0, OPT) == 1 {print $2}' ${USBGUARD_CONFIG}) - if [ ! -z "${USBGUARD_CONTROLLER_POLICY}" ]; then + if [ -n "${USBGUARD_CONTROLLER_POLICY}" ]; then LogText "Result: PresentControllerPolicy = ${USBGUARD_CONTROLLER_POLICY}" case "${USBGUARD_CONTROLLER_POLICY}" in "allow" | "keep") @@ -214,7 +214,7 @@ LogText "Checking USBGuard rule for devices connected before daemon starts (PresentDevicePolicy)" USBGUARD_DEVICE_POLICY=$(${AWKBINARY} -F '=' -v OPT="PresentDevicePolicy" 'index($0, OPT) == 1 {print $2}' ${USBGUARD_CONFIG}) - if [ ! -z "${USBGUARD_DEVICE_POLICY}" ]; then + if [ -n "${USBGUARD_DEVICE_POLICY}" ]; then LogText "Result: PresentDevicePolicy = ${USBGUARD_DEVICE_POLICY}" case "${USBGUARD_DEVICE_POLICY}" in "allow" | "keep") @@ -244,7 +244,7 @@ LogText "Checking USBGuard rule for devices inserted after daemon starts (InsertedDevicePolicy)" USBGUARD_INSERTED_POLICY=$(${AWKBINARY} -F '=' -v OPT="InsertedDevicePolicy" 'index($0, OPT) == 1 {print $2}' ${USBGUARD_CONFIG}) - if [ ! -z "${USBGUARD_INSERTED_POLICY}" ]; then + if [ -n "${USBGUARD_INSERTED_POLICY}" ]; then LogText "Result: InsertedDevicePolicy = ${USBGUARD_INSERTED_POLICY}" case "${USBGUARD_INSERTED_POLICY}" in "allow" | "keep") @@ -274,7 +274,7 @@ LogText "Checking USBGuard rule for devices not in RuleFile (ImplicitPolicyTarget)" USBGUARD_DEFAULT_POLICY=$(${AWKBINARY} -F '=' -v OPT="ImplicitPolicyTarget" 'index($0, OPT) == 1 {print $2}' ${USBGUARD_CONFIG}) - if [ ! -z "${USBGUARD_DEFAULT_POLICY}" ]; then + if [ -n "${USBGUARD_DEFAULT_POLICY}" ]; then LogText "Result: ImplicitPolicyTarget = ${USBGUARD_DEFAULT_POLICY}" case "${USBGUARD_DEFAULT_POLICY}" in "allow") @@ -304,7 +304,7 @@ LogText "Checking RuleFile" USBGUARD_RULES=$(${AWKBINARY} -F '=' -v OPT="RuleFile" 'index($0, OPT) == 1 {print $2}' ${USBGUARD_CONFIG}) - if [ ! -z "${USBGUARD_RULES}" ] && [ -f "${USBGUARD_RULES}" ]; then + if [ -n "${USBGUARD_RULES}" ] && [ -f "${USBGUARD_RULES}" ]; then LogText "Result: RuleFile found (${USBGUARD_RULES})" Display --indent 4 --text "- RuleFile" --result "${STATUS_FOUND}" --color GREEN AddHP 1 1 diff --git a/include/tests_webservers b/include/tests_webservers index dfe8aabc..be78fb11 100644 --- a/include/tests_webservers +++ b/include/tests_webservers @@ -157,7 +157,7 @@ done # Search Server aliases for J in $(${GREPBINARY} "ServerAlias" ${I} | ${GREPBINARY} -v "^#" | ${SEDBINARY} "s/\s*ServerAlias //g" | ${SEDBINARY} "s/#.*//g"); do - if [ ! -z ${J} ]; then + if [ -n ${J} ]; then tVHOSTS="${tVHOSTS} ${J}" cVHOSTS=$((cVHOSTS + 1)) fi @@ -170,7 +170,7 @@ # Log all virtual hosts we found for J in ${tVHOSTS}; do - if [ ! -z ${J} ]; then + if [ -n ${J} ]; then LogText "Virtual host: ${J}" #Report "apache_vhost_name[]=${J}" fi @@ -186,10 +186,10 @@ fi # Remove temp files - if [ -f ${TMPFILE} -a ! -z "${TMPFILE}" ]; then + if [ -f ${TMPFILE} -a -n "${TMPFILE}" ]; then rm -f ${TMPFILE} fi - if [ ! -z "${TMPFILE2}" ]; then if [ -f ${TMPFILE2} ]; then rm -f ${TMPFILE2}; fi; fi + if [ -n "${TMPFILE2}" ]; then if [ -f ${TMPFILE2} ]; then rm -f ${TMPFILE2}; fi; fi # ################################################################################# # @@ -351,7 +351,7 @@ # Test : HTTP-6706 # Description : Search for includes within nginx configuration file # Notes : Daemon nginx should be running, nginx.conf should be found - if [ ${NGINX_RUNNING} -eq 1 -a ! -z "${NGINX_CONF_LOCATION}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + if [ ${NGINX_RUNNING} -eq 1 -a -n "${NGINX_CONF_LOCATION}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no HTTP-6706 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for additional nginx configuration files" if [ ${SKIPTEST} -eq 0 ]; then CreateTempFile || ExitFatal @@ -402,7 +402,7 @@ # Test : HTTP-6708 # Description : Check discovered nginx configuration settings for further hardening # Notes : Daemon of nginx should be running, nginx.conf should be found - if [ ${NGINX_RUNNING} -eq 1 -a ! -z "${NGINX_CONF_FILES}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + if [ ${NGINX_RUNNING} -eq 1 -a -n "${NGINX_CONF_FILES}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no HTTP-6708 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check discovered nginx configuration settings" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: start parsing all discovered nginx options" @@ -420,7 +420,7 @@ LogText "Result: this configuration file is skipped, as it contains usually no interesting details" fi done - if [ ! -z "${NGINX_CONF_FILES_ADDITIONS}" ]; then + if [ -n "${NGINX_CONF_FILES_ADDITIONS}" ]; then for I in ${NGINX_CONF_FILES_ADDITIONS}; do FILENAME=$(echo ${I} | ${AWKBINARY} -F/ '{print $NF}') if [ ! "${FILENAME}" = "mime.types" ]; then @@ -442,7 +442,7 @@ # Test : HTTP-6710 # Description : Check SSL configuration of nginx # Notes : Daemon of nginx should be running, nginx.conf should be found - if [ ${NGINX_RUNNING} -eq 1 -a ! -z "${NGINX_CONF_LOCATION}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + if [ ${NGINX_RUNNING} -eq 1 -a -n "${NGINX_CONF_LOCATION}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no HTTP-6710 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check nginx SSL configuration settings" if [ ${SKIPTEST} -eq 0 ]; then NGINX_SSL_SUGGESTION=0 @@ -494,7 +494,7 @@ # Test : HTTP-6712 # Description : Check logging configuration of nginx # Notes : Daemon of nginx should be running, nginx.conf should be found - if [ ${NGINX_RUNNING} -eq 1 -a ! -z "${NGINX_CONF_LOCATION}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + if [ ${NGINX_RUNNING} -eq 1 -a -n "${NGINX_CONF_LOCATION}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no HTTP-6712 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check nginx access logging" if [ ${SKIPTEST} -eq 0 ]; then NGINX_LOG_SUGGESTION=0 @@ -528,7 +528,7 @@ # # Test : HTTP-6714 # Description : Check missing error logs in nginx - if [ ${NGINX_RUNNING} -eq 1 -a ! -z "${NGINX_CONF_LOCATION}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + if [ ${NGINX_RUNNING} -eq 1 -a -n "${NGINX_CONF_LOCATION}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no HTTP-6714 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for missing error logs in nginx" if [ ${SKIPTEST} -eq 0 ]; then NGINX_LOG_SUGGESTION=0 @@ -549,7 +549,7 @@ # # Test : HTTP-6716 # Description : Check debug mode on error log in nginx - if [ ${NGINX_RUNNING} -eq 1 -a ! -z "${NGINX_CONF_LOCATION}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + if [ ${NGINX_RUNNING} -eq 1 -a -n "${NGINX_CONF_LOCATION}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no HTTP-6716 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for debug mode on error log in nginx" if [ ${SKIPTEST} -eq 0 ]; then NGINX_LOG_SUGGESTION=0 @@ -606,8 +606,8 @@ ################################################################################# # # Remove temp file (double check) - if [ ! -z "${TMPFILE}" ]; then if [ -f ${TMPFILE} ]; then rm -f ${TMPFILE}; fi; fi - if [ ! -z "${TMPFILE2}" ]; then if [ -f ${TMPFILE2} ]; then rm -f ${TMPFILE2}; fi; fi + if [ -n "${TMPFILE}" ]; then if [ -f ${TMPFILE} ]; then rm -f ${TMPFILE}; fi; fi + if [ -n "${TMPFILE2}" ]; then if [ -f ${TMPFILE2} ]; then rm -f ${TMPFILE2}; fi; fi WaitForKeyPress diff --git a/include/tool_tips b/include/tool_tips index bf529ca2..4f2f3b6e 100644 --- a/include/tool_tips +++ b/include/tool_tips @@ -48,7 +48,7 @@ # Bash completion support # # Detect if bash is used for active user - #if [ ! -z "${ETC_PATHS}" ]; then + #if [ -n "${ETC_PATHS}" ]; then # for I in ${ETC_PATHS}; do # if [ -d ${I}/bash_completion.d ]; then # if [ ! -f ${ETC_PATHS}/bash_completion.d/lynis ]; then diff --git a/lynis b/lynis index 8476efe0..35a023ef 100755 --- a/lynis +++ b/lynis @@ -538,8 +538,8 @@ ${NORMAL} Report "os_fullname=${OS_FULLNAME}" Report "os_version=${OS_VERSION}" if [ "${OS}" = "Linux" ]; then Report "linux_version=${LINUX_VERSION}"; fi - if [ ! -z "${OS_KERNELVERSION}" ]; then Report "os_kernel_version=${OS_KERNELVERSION}"; fi - if [ ! -z "${OS_KERNELVERSION_FULL}" ]; then Report "os_kernel_version_full=${OS_KERNELVERSION_FULL}"; fi + if [ -n "${OS_KERNELVERSION}" ]; then Report "os_kernel_version=${OS_KERNELVERSION}"; fi + if [ -n "${OS_KERNELVERSION_FULL}" ]; then Report "os_kernel_version_full=${OS_KERNELVERSION_FULL}"; fi Report "hostname=${HOSTNAME}" @@ -635,7 +635,7 @@ ${NORMAL} LogText "Note: the end-of-life of '${OS_FULLNAME}' could not be checked. Entry missing in software-eol.db?" fi - if [ ! -z "${OS_MODE}" ]; then echo " Operating system mode: ${OS_MODE}"; fi + if [ -n "${OS_MODE}" ]; then echo " Operating system mode: ${OS_MODE}"; fi echo " Kernel version: ${OS_KERNELVERSION}" echo " Hardware platform: ${HARDWARE}" echo " Hostname: ${HOSTNAME}" @@ -658,9 +658,9 @@ ${NORMAL} LogText "Operating system: ${OS}" LogText "Operating system name: ${OS_NAME}" LogText "Operating system version: ${OS_VERSION}" - if [ ! -z "${OS_MODE}" ]; then LogText "Operating system mode: ${OS_MODE}"; fi + if [ -n "${OS_MODE}" ]; then LogText "Operating system mode: ${OS_MODE}"; fi LogText "Kernel version: ${OS_KERNELVERSION}" - if [ ! -z "${OS_KERNELVERSION_FULL}" ]; then + if [ -n "${OS_KERNELVERSION_FULL}" ]; then LogText "Kernel version (full): ${OS_KERNELVERSION_FULL}" fi LogText "Hardware platform: ${HARDWARE}" @@ -872,7 +872,7 @@ ${NORMAL} for PROFILE in ${PROFILES}; do LogText "Action: checking plugin status in profile: ${PROFILE}" FIND3=$(grep "^plugin=${FIND2}" ${PROFILE}) - if [ ! -z "${FIND3}" ]; then + if [ -n "${FIND3}" ]; then FOUND=0 for I in ${DISABLED_PLUGINS}; do if [ "${I}" = "${FIND2}" ]; then