mirror of
https://github.com/CISOfy/lynis.git
synced 2025-07-27 07:44:14 +02:00
Use -n instead of ! -z
This commit is contained in:
Michael Boelen
parent
2777caf6d2
commit
fa8bad20db
@ -49,7 +49,7 @@
|
|||||||
|
|
||||||
# Test if our PATH variable provides a set of paths. If so, reverse the order. If we discover the same binary
|
# Test if our PATH variable provides a set of paths. If so, reverse the order. If we discover the same binary
|
||||||
# multiple times, the one first in PATH should be used.
|
# multiple times, the one first in PATH should be used.
|
||||||
if [ ! -z "${PATH}" ]; then
|
if [ -n "${PATH}" ]; then
|
||||||
PATH_REVERSED=$(echo ${PATH} | awk -F: '{ for (i=NF; i>1; i--) printf("%s ",$i); print $1; }')
|
PATH_REVERSED=$(echo ${PATH} | awk -F: '{ for (i=NF; i>1; i--) printf("%s ",$i); print $1; }')
|
||||||
BIN_PATHS=$(echo "${PATH_REVERSED}" | tr ':' ' ')
|
BIN_PATHS=$(echo "${PATH_REVERSED}" | tr ':' ' ')
|
||||||
fi
|
fi
|
||||||
@ -84,7 +84,7 @@
|
|||||||
LogText "Result: directory exists, but is actually a symlink"
|
LogText "Result: directory exists, but is actually a symlink"
|
||||||
ShowSymlinkPath ${SCANDIR}
|
ShowSymlinkPath ${SCANDIR}
|
||||||
if [ ${FOUNDPATH} -eq 1 ]; then
|
if [ ${FOUNDPATH} -eq 1 ]; then
|
||||||
if [ ! -z "${SYMLINK}" -a -d ${SYMLINK} ]; then
|
if [ -n "${SYMLINK}" -a -d ${SYMLINK} ]; then
|
||||||
# Set path to new location
|
# Set path to new location
|
||||||
LogText "Result: found the path behind this symlink (${SCANDIR} --> ${sFILE})"
|
LogText "Result: found the path behind this symlink (${SCANDIR} --> ${sFILE})"
|
||||||
ORGPATH="${SCANDIR}"
|
ORGPATH="${SCANDIR}"
|
||||||
@ -100,7 +100,7 @@
|
|||||||
# Add a space to make sure we discover a related directory if it was already scanned
|
# Add a space to make sure we discover a related directory if it was already scanned
|
||||||
# The grep -v is to prevent a match /usr/bin in something like /usr/bin/core_perl
|
# The grep -v is to prevent a match /usr/bin in something like /usr/bin/core_perl
|
||||||
FIND=$(echo ${BINARY_PATHS_FOUND} | grep ", ${SCANDIR}" | grep -v ", ${SCANDIR}/")
|
FIND=$(echo ${BINARY_PATHS_FOUND} | grep ", ${SCANDIR}" | grep -v ", ${SCANDIR}/")
|
||||||
if [ ! -z "${FIND}" ]; then
|
if [ -n "${FIND}" ]; then
|
||||||
SKIPDIR=1; LogText "Result: Skipping this directory as it was already scanned"
|
SKIPDIR=1; LogText "Result: Skipping this directory as it was already scanned"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
@ -273,7 +273,7 @@
|
|||||||
done
|
done
|
||||||
else
|
else
|
||||||
LogText "Result: Directory ${SCANDIR} skipped"
|
LogText "Result: Directory ${SCANDIR} skipped"
|
||||||
if [ ! -z "${ORGPATH}" ]; then TEXT="${ORGPATH} (links to ${SCANDIR})"; else TEXT="${SCANDIR}"; fi
|
if [ -n "${ORGPATH}" ]; then TEXT="${ORGPATH} (links to ${SCANDIR})"; else TEXT="${SCANDIR}"; fi
|
||||||
fi
|
fi
|
||||||
else
|
else
|
||||||
LogText "Result: Directory ${SCANDIR} does NOT exist"
|
LogText "Result: Directory ${SCANDIR} does NOT exist"
|
||||||
|
|||||||
@ -267,16 +267,16 @@
|
|||||||
if [ ${RUN_UPDATE_CHECK} -eq 1 ]; then
|
if [ ${RUN_UPDATE_CHECK} -eq 1 ]; then
|
||||||
LYNIS_LV_RECORD="lynis-latest-version.cisofy.com."
|
LYNIS_LV_RECORD="lynis-latest-version.cisofy.com."
|
||||||
FIND=$(which dig 2> /dev/null | grep -v "no [^ ]* in")
|
FIND=$(which dig 2> /dev/null | grep -v "no [^ ]* in")
|
||||||
if [ ! -z "${FIND}" ]; then
|
if [ -n "${FIND}" ]; then
|
||||||
PROGRAM_LV=$(dig +short +time=3 -t txt lynis-latest-version.cisofy.com 2> /dev/null | grep -v "connection timed out" | sed 's/[".]//g' | grep "^[1-9][0-9][0-9]$")
|
PROGRAM_LV=$(dig +short +time=3 -t txt lynis-latest-version.cisofy.com 2> /dev/null | grep -v "connection timed out" | sed 's/[".]//g' | grep "^[1-9][0-9][0-9]$")
|
||||||
else
|
else
|
||||||
FIND=$(which host 2> /dev/null | grep -v "no [^ ]* in ")
|
FIND=$(which host 2> /dev/null | grep -v "no [^ ]* in ")
|
||||||
if [ ! -z "${FIND}" ]; then
|
if [ -n "${FIND}" ]; then
|
||||||
PROGRAM_LV=$(host -t txt -W 3 lynis-latest-version.cisofy.com 2> /dev/null | grep -v "connection timed out" | awk '{ if ($1=="lynis-latest-version.cisofy.com" && $3=="text") { print $4 }}' | sed 's/"//g' | grep "^[1-9][0-9][0-9]$")
|
PROGRAM_LV=$(host -t txt -W 3 lynis-latest-version.cisofy.com 2> /dev/null | grep -v "connection timed out" | awk '{ if ($1=="lynis-latest-version.cisofy.com" && $3=="text") { print $4 }}' | sed 's/"//g' | grep "^[1-9][0-9][0-9]$")
|
||||||
if [ "${PROGRAM_LV}" = "" ]; then PROGRAM_LV=0; fi
|
if [ "${PROGRAM_LV}" = "" ]; then PROGRAM_LV=0; fi
|
||||||
else
|
else
|
||||||
FIND=$(which drill 2> /dev/null | grep -v "no [^ ]* in ")
|
FIND=$(which drill 2> /dev/null | grep -v "no [^ ]* in ")
|
||||||
if [ ! -z "${FIND}" ]; then
|
if [ -n "${FIND}" ]; then
|
||||||
PROGRAM_LV=$(drill txt ${LYNIS_LV_RECORD} | awk '{ if ($1=="lynis-latest-version.cisofy.com." && $4=="TXT") { print $5 }}' | tr -d '"' | grep "^[1-9][0-9][0-9]$")
|
PROGRAM_LV=$(drill txt ${LYNIS_LV_RECORD} | awk '{ if ($1=="lynis-latest-version.cisofy.com." && $4=="TXT") { print $5 }}' | tr -d '"' | grep "^[1-9][0-9][0-9]$")
|
||||||
if [ -z "${PROGRAM_LV}" ]; then PROGRAM_LV=0; fi
|
if [ -z "${PROGRAM_LV}" ]; then PROGRAM_LV=0; fi
|
||||||
else
|
else
|
||||||
@ -530,7 +530,7 @@
|
|||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ ! -z "${TEXT}" ]; then
|
if [ -n "${TEXT}" ]; then
|
||||||
SHOW=0
|
SHOW=0
|
||||||
if [ ${SHOW_WARNINGS_ONLY} -eq 1 ]; then
|
if [ ${SHOW_WARNINGS_ONLY} -eq 1 ]; then
|
||||||
if [ "${RESULT}" = "WARNING" ]; then SHOW=1; fi
|
if [ "${RESULT}" = "WARNING" ]; then SHOW=1; fi
|
||||||
@ -571,7 +571,7 @@
|
|||||||
${ECHOCMD} ""
|
${ECHOCMD} ""
|
||||||
${ECHOCMD} "${WARNING}Error${NORMAL}: ${BOLD}$1${NORMAL}"
|
${ECHOCMD} "${WARNING}Error${NORMAL}: ${BOLD}$1${NORMAL}"
|
||||||
${ECHOCMD} ""
|
${ECHOCMD} ""
|
||||||
if [ ! -z "${EXITCODE}" ]; then ExitCustom ${EXITCODE}; fi
|
if [ -n "${EXITCODE}" ]; then ExitCustom ${EXITCODE}; fi
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
@ -747,12 +747,12 @@
|
|||||||
exitcode=1
|
exitcode=1
|
||||||
file=$1
|
file=$1
|
||||||
find=""
|
find=""
|
||||||
if [ ! -z "${DPKGBINARY}" ]; then
|
if [ -n "${DPKGBINARY}" ]; then
|
||||||
find=$(${DPKGBINARY} -S "${file}" 2> /dev/null | ${AWKBINARY} -F: '{print $1}')
|
find=$(${DPKGBINARY} -S "${file}" 2> /dev/null | ${AWKBINARY} -F: '{print $1}')
|
||||||
elif [ ! -z "${RPMBINARY}" ]; then
|
elif [ -n "${RPMBINARY}" ]; then
|
||||||
find=$(${RPMBINARY} -qf "${file}" 2> /dev/null | ${AWKBINARY} -F- '{print $1}')
|
find=$(${RPMBINARY} -qf "${file}" 2> /dev/null | ${AWKBINARY} -F- '{print $1}')
|
||||||
fi
|
fi
|
||||||
if [ ! -z "${find}" ]; then
|
if [ -n "${find}" ]; then
|
||||||
LogText "Result: file '${file}' belongs to package (${find})"
|
LogText "Result: file '${file}' belongs to package (${find})"
|
||||||
exitcode=0
|
exitcode=0
|
||||||
else
|
else
|
||||||
@ -805,7 +805,7 @@
|
|||||||
# Check for symlink
|
# Check for symlink
|
||||||
if [ -L "${escaped_file}" ]; then
|
if [ -L "${escaped_file}" ]; then
|
||||||
ShowSymlinkPath ${escaped_file}
|
ShowSymlinkPath ${escaped_file}
|
||||||
if [ ! -z "${SYMLINK}" ]; then escaped_file="${SYMLINK}"; fi
|
if [ -n "${SYMLINK}" ]; then escaped_file="${SYMLINK}"; fi
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Only check the file if it isn't a symlink (after previous check)
|
# Only check the file if it isn't a symlink (after previous check)
|
||||||
@ -863,7 +863,7 @@
|
|||||||
return 2
|
return 2
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ ! -z "${HOSTID}" -a ! -z "${HOSTID2}" ]; then
|
if [ -n "${HOSTID}" -a -n "${HOSTID2}" ]; then
|
||||||
Debug "Skipping creation of host identifiers, as they are already configured (via profile)"
|
Debug "Skipping creation of host identifiers, as they are already configured (via profile)"
|
||||||
return 2
|
return 2
|
||||||
fi
|
fi
|
||||||
@ -936,7 +936,7 @@
|
|||||||
"HP-UX")
|
"HP-UX")
|
||||||
FIND=$(nwmgr -q info -c lan0 2> /dev/null | awk '{ if ($1=="MAC" && $2=="Address") { print $4 }}')
|
FIND=$(nwmgr -q info -c lan0 2> /dev/null | awk '{ if ($1=="MAC" && $2=="Address") { print $4 }}')
|
||||||
if HasData "${FIND}"; then
|
if HasData "${FIND}"; then
|
||||||
if [ ! -z "${OPENSSLBINARY}" ]; then
|
if [ -n "${OPENSSLBINARY}" ]; then
|
||||||
HOSTID=$(echo ${FIND} | ${OPENSSLBINARY} sha -sha1 | awk '{ print $2 }')
|
HOSTID=$(echo ${FIND} | ${OPENSSLBINARY} sha -sha1 | awk '{ print $2 }')
|
||||||
else
|
else
|
||||||
ReportException "GetHostID" "No openssl binary available on this HP-UX system"
|
ReportException "GetHostID" "No openssl binary available on this HP-UX system"
|
||||||
@ -954,7 +954,7 @@
|
|||||||
# ip -br link show up | sort | awk '$2=="UP" && $3 ~ /^[a-f0-9][a-f0-9]:/ {print $3}'
|
# ip -br link show up | sort | awk '$2=="UP" && $3 ~ /^[a-f0-9][a-f0-9]:/ {print $3}'
|
||||||
|
|
||||||
# Use ifconfig
|
# Use ifconfig
|
||||||
if [ ! -z "${IFCONFIGBINARY}" ]; then
|
if [ -n "${IFCONFIGBINARY}" ]; then
|
||||||
# Determine if we have the eth0 interface (not all Linux distro have this, e.g. Arch)
|
# Determine if we have the eth0 interface (not all Linux distro have this, e.g. Arch)
|
||||||
HASETH0=$(${IFCONFIGBINARY} | grep "^eth0")
|
HASETH0=$(${IFCONFIGBINARY} | grep "^eth0")
|
||||||
# Check if we can find it with HWaddr on the line
|
# Check if we can find it with HWaddr on the line
|
||||||
@ -982,7 +982,7 @@
|
|||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
||||||
elif [ ! -z "${IPBINARY}" ]; then
|
elif [ -n "${IPBINARY}" ]; then
|
||||||
# Determine if we have the common available eth0 interface
|
# Determine if we have the common available eth0 interface
|
||||||
FIND=$(${IPBINARY} addr show eth0 2> /dev/null | egrep "link/ether " | head -1 | awk '{ print $2 }' | tr '[:upper:]' '[:lower:]')
|
FIND=$(${IPBINARY} addr show eth0 2> /dev/null | egrep "link/ether " | head -1 | awk '{ print $2 }' | tr '[:upper:]' '[:lower:]')
|
||||||
if IsEmpty "${FIND}"; then
|
if IsEmpty "${FIND}"; then
|
||||||
@ -1015,10 +1015,10 @@
|
|||||||
ReportException "GetHostID" "No MAC address returned on macOS"
|
ReportException "GetHostID" "No MAC address returned on macOS"
|
||||||
fi
|
fi
|
||||||
LYNIS_HOSTID2_PART1=$(hostname -s)
|
LYNIS_HOSTID2_PART1=$(hostname -s)
|
||||||
if [ ! -z "${LYNIS_HOSTID2_PART1}" ]; then
|
if [ -n "${LYNIS_HOSTID2_PART1}" ]; then
|
||||||
LogText "Info: using hostname ${LYNIS_HOSTID2_PART1}"
|
LogText "Info: using hostname ${LYNIS_HOSTID2_PART1}"
|
||||||
LYNIS_HOSTID2_PART2=$(sysctl -n kern.uuid 2> /dev/null)
|
LYNIS_HOSTID2_PART2=$(sysctl -n kern.uuid 2> /dev/null)
|
||||||
if [ ! -z "${LYNIS_HOSTID2_PART2}" ]; then
|
if [ -n "${LYNIS_HOSTID2_PART2}" ]; then
|
||||||
LogText "Info: using UUID ${LYNIS_HOSTID2_PART2}"
|
LogText "Info: using UUID ${LYNIS_HOSTID2_PART2}"
|
||||||
else
|
else
|
||||||
LogText "Info: could not create HOSTID2 as kern.uuid sysctl key is missing"
|
LogText "Info: could not create HOSTID2 as kern.uuid sysctl key is missing"
|
||||||
@ -1143,17 +1143,17 @@
|
|||||||
fi
|
fi
|
||||||
|
|
||||||
STRING_TO_HASH=""
|
STRING_TO_HASH=""
|
||||||
if [ ${FOUND} -eq 1 -a ! -z "${DATA_SSH}" ]; then
|
if [ ${FOUND} -eq 1 -a -n "${DATA_SSH}" ]; then
|
||||||
LogText "Using SSH public key to create the second host identifier"
|
LogText "Using SSH public key to create the second host identifier"
|
||||||
STRING_TO_HASH="${DATA_SSH}"
|
STRING_TO_HASH="${DATA_SSH}"
|
||||||
else
|
else
|
||||||
if [ ! -z "${MACHINEID}" ]; then
|
if [ -n "${MACHINEID}" ]; then
|
||||||
LogText "Using the machine ID to create the second host identifier"
|
LogText "Using the machine ID to create the second host identifier"
|
||||||
STRING_TO_HASH="${MACHINEID}"
|
STRING_TO_HASH="${MACHINEID}"
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
# Check if we have a string to turn into a host identifier
|
# Check if we have a string to turn into a host identifier
|
||||||
if [ ! -z "${STRING_TO_HASH}" ]; then
|
if [ -n "${STRING_TO_HASH}" ]; then
|
||||||
# Create hashes
|
# Create hashes
|
||||||
if [ ! "${SHA256SUMBINARY}" = "" ]; then
|
if [ ! "${SHA256SUMBINARY}" = "" ]; then
|
||||||
HASH2=$(echo ${STRING_TO_HASH} | ${SHA256SUMBINARY} | awk '{ print $1 }')
|
HASH2=$(echo ${STRING_TO_HASH} | ${SHA256SUMBINARY} | awk '{ print $1 }')
|
||||||
@ -1172,7 +1172,7 @@
|
|||||||
if [ -z "${HOSTID}" ]; then
|
if [ -z "${HOSTID}" ]; then
|
||||||
ReportException "GetHostID" "No unique host identifier could be created."
|
ReportException "GetHostID" "No unique host identifier could be created."
|
||||||
return 1
|
return 1
|
||||||
elif [ ! -z "${HOSTID2}" ]; then
|
elif [ -n "${HOSTID2}" ]; then
|
||||||
return 0
|
return 0
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
@ -1228,7 +1228,7 @@
|
|||||||
|
|
||||||
HasData() {
|
HasData() {
|
||||||
if [ $# -eq 1 ]; then
|
if [ $# -eq 1 ]; then
|
||||||
if [ ! -z "$1" ]; then return 0; else return 1; fi
|
if [ -n "$1" ]; then return 0; else return 1; fi
|
||||||
else
|
else
|
||||||
ExitFatal "Function HasData called without parameters - look in log to determine where this happened, or use sh -x lynis to see all details."
|
ExitFatal "Function HasData called without parameters - look in log to determine where this happened, or use sh -x lynis to see all details."
|
||||||
fi
|
fi
|
||||||
@ -1386,7 +1386,7 @@
|
|||||||
if [ -z "${search}" ]; then ExitFatal "Missing process to search for when using IsRunning function"; fi
|
if [ -z "${search}" ]; then ExitFatal "Missing process to search for when using IsRunning function"; fi
|
||||||
RUNNING=0
|
RUNNING=0
|
||||||
# AIX does not fully support pgrep options, so using ps instead
|
# AIX does not fully support pgrep options, so using ps instead
|
||||||
if [ ! -z "${PGREPBINARY}" -a ! "${OS}" = "AIX" ]; then
|
if [ -n "${PGREPBINARY}" -a ! "${OS}" = "AIX" ]; then
|
||||||
FIND=$(${PGREPBINARY} ${pgrep_options} "${search}" | ${TRBINARY} '\n' ' ')
|
FIND=$(${PGREPBINARY} ${pgrep_options} "${search}" | ${TRBINARY} '\n' ' ')
|
||||||
else
|
else
|
||||||
if [ -z "${PSOPTIONS}" ]; then
|
if [ -z "${PSOPTIONS}" ]; then
|
||||||
@ -1402,7 +1402,7 @@
|
|||||||
FIND=$(${PSBINARY} ${PSOPTIONS} | egrep "( |/)${search}" | grep -v "grep")
|
FIND=$(${PSBINARY} ${PSOPTIONS} | egrep "( |/)${search}" | grep -v "grep")
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ ! -z "${FIND}" ]; then
|
if [ -n "${FIND}" ]; then
|
||||||
RUNNING=1
|
RUNNING=1
|
||||||
LogText "IsRunning: process '${search}' found (${FIND})"
|
LogText "IsRunning: process '${search}' found (${FIND})"
|
||||||
return 0
|
return 0
|
||||||
@ -1421,7 +1421,7 @@
|
|||||||
|
|
||||||
IsNotebook() {
|
IsNotebook() {
|
||||||
FIND=$(which laptop-detect 2> /dev/null | grep -v "no [^ ]* in ")
|
FIND=$(which laptop-detect 2> /dev/null | grep -v "no [^ ]* in ")
|
||||||
if [ ! -z "${FIND}" ]; then
|
if [ -n "${FIND}" ]; then
|
||||||
Debug "Testing if we are a notebook"
|
Debug "Testing if we are a notebook"
|
||||||
laptop-detect
|
laptop-detect
|
||||||
if [ $? -eq 0 ]; then SYSTEM_IS_NOTEBOOK=1; Debug "System is a notebook according to laptop-detect"
|
if [ $? -eq 0 ]; then SYSTEM_IS_NOTEBOOK=1; Debug "System is a notebook according to laptop-detect"
|
||||||
@ -1535,7 +1535,7 @@
|
|||||||
if [ -x /usr/bin/systemd-detect-virt ]; then
|
if [ -x /usr/bin/systemd-detect-virt ]; then
|
||||||
LogText "Test: trying to guess virtualization technology with systemd-detect-virt"
|
LogText "Test: trying to guess virtualization technology with systemd-detect-virt"
|
||||||
FIND=$(/usr/bin/systemd-detect-virt)
|
FIND=$(/usr/bin/systemd-detect-virt)
|
||||||
if [ ! -z "${FIND}" ]; then
|
if [ -n "${FIND}" ]; then
|
||||||
LogText "Result: found ${FIND}"
|
LogText "Result: found ${FIND}"
|
||||||
SHORT="${FIND}"
|
SHORT="${FIND}"
|
||||||
fi
|
fi
|
||||||
@ -1552,7 +1552,7 @@
|
|||||||
if [ -x /usr/bin/lscpu ]; then
|
if [ -x /usr/bin/lscpu ]; then
|
||||||
LogText "Test: trying to guess virtualization with lscpu"
|
LogText "Test: trying to guess virtualization with lscpu"
|
||||||
FIND=$(lscpu | grep -i "^Hypervisor Vendor" | awk -F: '{ print $2 }' | sed 's/ //g')
|
FIND=$(lscpu | grep -i "^Hypervisor Vendor" | awk -F: '{ print $2 }' | sed 's/ //g')
|
||||||
if [ ! -z "${FIND}" ]; then
|
if [ -n "${FIND}" ]; then
|
||||||
LogText "Result: found ${FIND}"
|
LogText "Result: found ${FIND}"
|
||||||
SHORT="${FIND}"
|
SHORT="${FIND}"
|
||||||
else
|
else
|
||||||
@ -1576,7 +1576,7 @@
|
|||||||
if [ ! "${DMIDECODE_BINARY}" = "" -a ${PRIVILEGED} -eq 1 ]; then
|
if [ ! "${DMIDECODE_BINARY}" = "" -a ${PRIVILEGED} -eq 1 ]; then
|
||||||
LogText "Test: trying to guess virtualization with dmidecode"
|
LogText "Test: trying to guess virtualization with dmidecode"
|
||||||
FIND=$(/usr/sbin/dmidecode -s system-product-name | awk '{ print $1 }')
|
FIND=$(/usr/sbin/dmidecode -s system-product-name | awk '{ print $1 }')
|
||||||
if [ ! -z "${FIND}" ]; then
|
if [ -n "${FIND}" ]; then
|
||||||
LogText "Result: found ${FIND}"
|
LogText "Result: found ${FIND}"
|
||||||
SHORT="${FIND}"
|
SHORT="${FIND}"
|
||||||
else
|
else
|
||||||
@ -1820,24 +1820,24 @@
|
|||||||
Fatal "Incorrect usage of PackageIsInstalled function"
|
Fatal "Incorrect usage of PackageIsInstalled function"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ ! -z "${DNFBINARY}" ]; then
|
if [ -n "${DNFBINARY}" ]; then
|
||||||
output=$(${DNFBINARY} --quiet --cacheonly --noplugins --assumeno info --installed ${package} > /dev/null 2>&1)
|
output=$(${DNFBINARY} --quiet --cacheonly --noplugins --assumeno info --installed ${package} > /dev/null 2>&1)
|
||||||
exit_code=$?
|
exit_code=$?
|
||||||
elif [ ! -z "${DPKGBINARY}" ]; then
|
elif [ -n "${DPKGBINARY}" ]; then
|
||||||
output=$(${DPKGBINARY} -l ${package} 2> /dev/null | ${GREPBINARY} "^ii")
|
output=$(${DPKGBINARY} -l ${package} 2> /dev/null | ${GREPBINARY} "^ii")
|
||||||
exit_code=$?
|
exit_code=$?
|
||||||
elif [ ! -z "${EQUERYBINARY}" ]; then
|
elif [ -n "${EQUERYBINARY}" ]; then
|
||||||
output=$(${EQUERYBINARY} --quiet ${package} > /dev/null 2>&1)
|
output=$(${EQUERYBINARY} --quiet ${package} > /dev/null 2>&1)
|
||||||
exit_code=$? # 0=package installed, 3=package not installed
|
exit_code=$? # 0=package installed, 3=package not installed
|
||||||
elif [ ! -z "${PKG_BINARY}" ]; then
|
elif [ -n "${PKG_BINARY}" ]; then
|
||||||
output=$(${PKG_BINARY} -N info ${package} >/dev/null 2>&1)
|
output=$(${PKG_BINARY} -N info ${package} >/dev/null 2>&1)
|
||||||
exit_code=$? # 0=package installed, 70=invalid package
|
exit_code=$? # 0=package installed, 70=invalid package
|
||||||
elif [ ! -z "${RPMBINARY}" ]; then
|
elif [ -n "${RPMBINARY}" ]; then
|
||||||
output=$(${RPMBINARY} --quiet -q ${package} > /dev/null 2>&1)
|
output=$(${RPMBINARY} --quiet -q ${package} > /dev/null 2>&1)
|
||||||
exit_code=$?
|
exit_code=$?
|
||||||
elif [ ! -z "${ZYPPERBINARY}" ]; then
|
elif [ -n "${ZYPPERBINARY}" ]; then
|
||||||
output=$(${ZYPPERBINARY} --quiet --non-interactive search --installed -i ${PACKAGE} 2> /dev/null | grep "^i")
|
output=$(${ZYPPERBINARY} --quiet --non-interactive search --installed -i ${PACKAGE} 2> /dev/null | grep "^i")
|
||||||
if [ ! -z "${output}" ]; then exit_code=0; else exit_code=1; fi
|
if [ -n "${output}" ]; then exit_code=0; else exit_code=1; fi
|
||||||
else
|
else
|
||||||
ReportException "PackageIsInstalled:01"
|
ReportException "PackageIsInstalled:01"
|
||||||
fi
|
fi
|
||||||
@ -2363,7 +2363,7 @@
|
|||||||
if [ ${SKIPTEST} -eq 0 -a "${TEST_WEIGHT}" = "M" -a "${SCAN_TEST_MEDIUM}" = "NO" ]; then SKIPTEST=1; SKIPREASON="Test to system intensive for scan mode (M)"; fi
|
if [ ${SKIPTEST} -eq 0 -a "${TEST_WEIGHT}" = "M" -a "${SCAN_TEST_MEDIUM}" = "NO" ]; then SKIPTEST=1; SKIPREASON="Test to system intensive for scan mode (M)"; fi
|
||||||
|
|
||||||
# Test if our OS is the same as the requested OS (can be multiple values)
|
# Test if our OS is the same as the requested OS (can be multiple values)
|
||||||
if [ ${SKIPTEST} -eq 0 -a ! -z "${TEST_NEED_OS}" ]; then
|
if [ ${SKIPTEST} -eq 0 -a -n "${TEST_NEED_OS}" ]; then
|
||||||
HASMATCH=0
|
HASMATCH=0
|
||||||
for I in ${TEST_NEED_OS}; do
|
for I in ${TEST_NEED_OS}; do
|
||||||
if [ "${I}" = "${OS}" ]; then HASMATCH=1; fi
|
if [ "${I}" = "${OS}" ]; then HASMATCH=1; fi
|
||||||
@ -2375,12 +2375,12 @@
|
|||||||
fi
|
fi
|
||||||
|
|
||||||
# Skip test when it belongs to another category (default is 'all')
|
# Skip test when it belongs to another category (default is 'all')
|
||||||
if [ ${SKIPTEST} -eq 0 -a ! -z "${TEST_CATEGORY_TO_CHECK}" -a ! "${TEST_CATEGORY_TO_CHECK}" = "all" -a ! "${TEST_CATEGORY}" = "${TEST_CATEGORY_TO_CHECK}" ]; then
|
if [ ${SKIPTEST} -eq 0 -a -n "${TEST_CATEGORY_TO_CHECK}" -a ! "${TEST_CATEGORY_TO_CHECK}" = "all" -a ! "${TEST_CATEGORY}" = "${TEST_CATEGORY_TO_CHECK}" ]; then
|
||||||
SKIPTEST=1; SKIPREASON="Incorrect category (${TEST_CATEGORY_TO_CHECK} only)"
|
SKIPTEST=1; SKIPREASON="Incorrect category (${TEST_CATEGORY_TO_CHECK} only)"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Check for correct hardware platform
|
# Check for correct hardware platform
|
||||||
if [ ${SKIPTEST} -eq 0 -a ! -z "${TEST_NEED_PLATFORM}" -a ! "${HARDWARE}" = "${TEST_NEED_PLATFORM}" ]; then SKIPTEST=1; SKIPREASON="Incorrect hardware platform"; fi
|
if [ ${SKIPTEST} -eq 0 -a -n "${TEST_NEED_PLATFORM}" -a ! "${HARDWARE}" = "${TEST_NEED_PLATFORM}" ]; then SKIPTEST=1; SKIPREASON="Incorrect hardware platform"; fi
|
||||||
|
|
||||||
# Not all prerequisites met, like missing tool
|
# Not all prerequisites met, like missing tool
|
||||||
if [ ${SKIPTEST} -eq 0 -a "${PREQS_MET}" = "NO" ]; then SKIPTEST=1; if [ -z "${SKIPREASON}" ]; then SKIPREASON="Prerequisites not met (ie missing tool, other type of Linux distribution)"; fi; fi
|
if [ ${SKIPTEST} -eq 0 -a "${PREQS_MET}" = "NO" ]; then SKIPTEST=1; if [ -z "${SKIPREASON}" ]; then SKIPREASON="Prerequisites not met (ie missing tool, other type of Linux distribution)"; fi; fi
|
||||||
@ -2462,7 +2462,7 @@
|
|||||||
# Remove PID file
|
# Remove PID file
|
||||||
RemovePIDFile() {
|
RemovePIDFile() {
|
||||||
# Test if PIDFILE is defined, before checking file presence
|
# Test if PIDFILE is defined, before checking file presence
|
||||||
if [ ! -z "${PIDFILE}" ]; then
|
if [ -n "${PIDFILE}" ]; then
|
||||||
if [ -f "${PIDFILE}" ]; then
|
if [ -f "${PIDFILE}" ]; then
|
||||||
rm -f "${PIDFILE}"
|
rm -f "${PIDFILE}"
|
||||||
LogText "PID file removed (${PIDFILE})"
|
LogText "PID file removed (${PIDFILE})"
|
||||||
@ -2486,7 +2486,7 @@
|
|||||||
for FILE in ${TEMP_FILES}; do
|
for FILE in ${TEMP_FILES}; do
|
||||||
# Temporary files should be in /tmp
|
# Temporary files should be in /tmp
|
||||||
TMPFILE=$(echo ${FILE} | egrep "^/tmp/lynis" | grep -v "\.\.")
|
TMPFILE=$(echo ${FILE} | egrep "^/tmp/lynis" | grep -v "\.\.")
|
||||||
if [ ! -z "${TMPFILE}" ]; then
|
if [ -n "${TMPFILE}" ]; then
|
||||||
if [ -f "${TMPFILE}" ]; then
|
if [ -f "${TMPFILE}" ]; then
|
||||||
LogText "Action: removing temporary file ${TMPFILE}"
|
LogText "Action: removing temporary file ${TMPFILE}"
|
||||||
rm -f "${TMPFILE}"
|
rm -f "${TMPFILE}"
|
||||||
@ -2887,7 +2887,7 @@
|
|||||||
# Check if we can find the main type (with or without brackets)
|
# Check if we can find the main type (with or without brackets)
|
||||||
LogText "Test: search string ${STRING} in file ${FILE}"
|
LogText "Test: search string ${STRING} in file ${FILE}"
|
||||||
FIND=$(egrep "${STRING}" ${FILE})
|
FIND=$(egrep "${STRING}" ${FILE})
|
||||||
if [ ! -z "${FIND}" ]; then
|
if [ -n "${FIND}" ]; then
|
||||||
LogText "Result: found search string '${STRING}'"
|
LogText "Result: found search string '${STRING}'"
|
||||||
if [ ${MASK_LOG} -eq 0 ]; then LogText "Full string returned: ${FIND}"; fi
|
if [ ${MASK_LOG} -eq 0 ]; then LogText "Full string returned: ${FIND}"; fi
|
||||||
RETVAL=0
|
RETVAL=0
|
||||||
@ -3285,7 +3285,7 @@
|
|||||||
################################################################################
|
################################################################################
|
||||||
|
|
||||||
ViewGroups() {
|
ViewGroups() {
|
||||||
if [ ! -z "${INCLUDEDIR}" ]; then
|
if [ -n "${INCLUDEDIR}" ]; then
|
||||||
for I in $(ls ${INCLUDEDIR}/tests_* | xargs -n 1 basename | sed 's/tests_//' | grep -v "custom.template"); do
|
for I in $(ls ${INCLUDEDIR}/tests_* | xargs -n 1 basename | sed 's/tests_//' | grep -v "custom.template"); do
|
||||||
echo "${I}"
|
echo "${I}"
|
||||||
done
|
done
|
||||||
|
|||||||
@ -59,11 +59,11 @@ fi
|
|||||||
IS_ALPINE=$(echo ${IMAGE} | grep -i alpine)
|
IS_ALPINE=$(echo ${IMAGE} | grep -i alpine)
|
||||||
IS_LATEST=$(echo ${TAG} | grep -i latest)
|
IS_LATEST=$(echo ${TAG} | grep -i latest)
|
||||||
|
|
||||||
if [ ! -z "${IS_DEBIAN}" ]; then IMAGE="debian"; fi
|
if [ -n "${IS_DEBIAN}" ]; then IMAGE="debian"; fi
|
||||||
if [ ! -z "${IS_FEDORA}" ]; then IMAGE="fedora"; fi
|
if [ -n "${IS_FEDORA}" ]; then IMAGE="fedora"; fi
|
||||||
if [ ! -z "${IS_UBUNTU}" ]; then IMAGE="ubuntu"; fi
|
if [ -n "${IS_UBUNTU}" ]; then IMAGE="ubuntu"; fi
|
||||||
if [ ! -z "${IS_ALPINE}" ]; then IMAGE="alpine"; fi
|
if [ -n "${IS_ALPINE}" ]; then IMAGE="alpine"; fi
|
||||||
if [ ! -z "${IS_LATEST}" ]; then
|
if [ -n "${IS_LATEST}" ]; then
|
||||||
ReportWarning "dockerfile" "latest TAG used. Specifying a targeted OS image and version is better for reproducible results."
|
ReportWarning "dockerfile" "latest TAG used. Specifying a targeted OS image and version is better for reproducible results."
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
|||||||
@ -154,7 +154,7 @@ if [ $# -gt 0 ]; then
|
|||||||
# Check also for gzipped changelog
|
# Check also for gzipped changelog
|
||||||
elif [ -f ${FILEPATH}/changelog.gz ]; then
|
elif [ -f ${FILEPATH}/changelog.gz ]; then
|
||||||
ZCAT=$(which zcat 2> /dev/null | grep -v "no [^ ]* in ")
|
ZCAT=$(which zcat 2> /dev/null | grep -v "no [^ ]* in ")
|
||||||
if [ ! -z "${ZCAT}" ]; then
|
if [ -n "${ZCAT}" ]; then
|
||||||
CreateTempFile
|
CreateTempFile
|
||||||
CHANGELOG="${TEMP_FILE}"
|
CHANGELOG="${TEMP_FILE}"
|
||||||
LogText "Result: found gzipped changelog in ${FILEPATH}"
|
LogText "Result: found gzipped changelog in ${FILEPATH}"
|
||||||
@ -164,9 +164,9 @@ if [ $# -gt 0 ]; then
|
|||||||
DisplayError "Could not find zcat utility to use on gzipped changelog"
|
DisplayError "Could not find zcat utility to use on gzipped changelog"
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
if [ ! -z "${CHANGELOG}" ]; then LogText "Result: found changelog file: ${CHANGELOG}"; break; fi
|
if [ -n "${CHANGELOG}" ]; then LogText "Result: found changelog file: ${CHANGELOG}"; break; fi
|
||||||
done
|
done
|
||||||
if [ ! -z "${CHANGELOG}" ]; then
|
if [ -n "${CHANGELOG}" ]; then
|
||||||
SEARCH=$(sed 's/^## //' ${CHANGELOG} | grep -E "^${PROGRAM_NAME} ${SEARCH_VERSION}")
|
SEARCH=$(sed 's/^## //' ${CHANGELOG} | grep -E "^${PROGRAM_NAME} ${SEARCH_VERSION}")
|
||||||
if [ $? -eq 0 ]; then
|
if [ $? -eq 0 ]; then
|
||||||
while read -r LINE; do
|
while read -r LINE; do
|
||||||
@ -358,7 +358,7 @@ if [ $# -gt 0 ]; then
|
|||||||
VALUE=$(echo ${LINE} | awk -F';' '{print $2}')
|
VALUE=$(echo ${LINE} | awk -F';' '{print $2}')
|
||||||
DESCRIPTION=$(echo ${LINE} | awk -F';' '{print $3}' | sed 's/:space:/ /g')
|
DESCRIPTION=$(echo ${LINE} | awk -F';' '{print $3}' | sed 's/:space:/ /g')
|
||||||
if [ -z "${VALUE}" -a ${CONFIGURED_ONLY_OUTPUT} -eq 0 ]; then VALUE="${GRAY}[not configured]${NORMAL}"; fi
|
if [ -z "${VALUE}" -a ${CONFIGURED_ONLY_OUTPUT} -eq 0 ]; then VALUE="${GRAY}[not configured]${NORMAL}"; fi
|
||||||
if [ ! -z "${VALUE}" ]; then
|
if [ -n "${VALUE}" ]; then
|
||||||
if [ ${BRIEF_OUTPUT} -eq 0 ]; then ${ECHOCMD} "${GRAY}# ${DESCRIPTION}${NORMAL}"; fi
|
if [ ${BRIEF_OUTPUT} -eq 0 ]; then ${ECHOCMD} "${GRAY}# ${DESCRIPTION}${NORMAL}"; fi
|
||||||
${ECHOCMD} "${WHITE}${SETTING}${NORMAL}=${CYAN}${VALUE}${NORMAL}"
|
${ECHOCMD} "${WHITE}${SETTING}${NORMAL}=${CYAN}${VALUE}${NORMAL}"
|
||||||
if [ ${BRIEF_OUTPUT} -eq 0 ]; then ${ECHOCMD} ""; fi
|
if [ ${BRIEF_OUTPUT} -eq 0 ]; then ${ECHOCMD} ""; fi
|
||||||
|
|||||||
@ -139,7 +139,7 @@
|
|||||||
# Generic
|
# Generic
|
||||||
if [ -e /etc/os-release ]; then
|
if [ -e /etc/os-release ]; then
|
||||||
OS_ID=$(grep "^ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
|
OS_ID=$(grep "^ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
|
||||||
if [ ! -z "${OS_ID}" ]; then
|
if [ -n "${OS_ID}" ]; then
|
||||||
case ${OS_ID} in
|
case ${OS_ID} in
|
||||||
"arch")
|
"arch")
|
||||||
LINUX_VERSION="Arch Linux"
|
LINUX_VERSION="Arch Linux"
|
||||||
@ -513,14 +513,14 @@
|
|||||||
EOL=255
|
EOL=255
|
||||||
EOL_DATE=""
|
EOL_DATE=""
|
||||||
EOL_TIMESTAMP=0
|
EOL_TIMESTAMP=0
|
||||||
if [ ! -z "${OS_VERSION}" ]; then
|
if [ -n "${OS_VERSION}" ]; then
|
||||||
if [ -f "${DBDIR}/software-eol.db" ]; then
|
if [ -f "${DBDIR}/software-eol.db" ]; then
|
||||||
FIND="${OS_FULLNAME}"
|
FIND="${OS_FULLNAME}"
|
||||||
EOL_TIMESTAMP=$(awk -v value="${FIND}" -F: '{if ($1=="os" && value ~ $2){print $4}}' ${DBDIR}/software-eol.db | head -n 1)
|
EOL_TIMESTAMP=$(awk -v value="${FIND}" -F: '{if ($1=="os" && value ~ $2){print $4}}' ${DBDIR}/software-eol.db | head -n 1)
|
||||||
if [ ! -z "${EOL_TIMESTAMP}" ]; then
|
if [ -n "${EOL_TIMESTAMP}" ]; then
|
||||||
EOL_DATE=$(awk -v value="${FIND}" -F: '{if ($1=="os" && value ~ $2){print $3}}' ${DBDIR}/software-eol.db | head -n 1)
|
EOL_DATE=$(awk -v value="${FIND}" -F: '{if ($1=="os" && value ~ $2){print $3}}' ${DBDIR}/software-eol.db | head -n 1)
|
||||||
NOW=$(date "+%s")
|
NOW=$(date "+%s")
|
||||||
if [ ! -z "${NOW}" ]; then
|
if [ -n "${NOW}" ]; then
|
||||||
if [ ${NOW} -gt ${EOL_TIMESTAMP} ]; then
|
if [ ${NOW} -gt ${EOL_TIMESTAMP} ]; then
|
||||||
EOL=1
|
EOL=1
|
||||||
else
|
else
|
||||||
|
|||||||
@ -77,7 +77,7 @@
|
|||||||
# Is Lynis Enterprise allowed to purge this system when it is becomes outdated?
|
# Is Lynis Enterprise allowed to purge this system when it is becomes outdated?
|
||||||
allow-auto-purge)
|
allow-auto-purge)
|
||||||
FIND=$(echo "${VALUE}" | egrep "^(1|true|yes)$")
|
FIND=$(echo "${VALUE}" | egrep "^(1|true|yes)$")
|
||||||
if [ ! -z "${FIND}" ]; then
|
if [ -n "${FIND}" ]; then
|
||||||
Report "allow-auto-purge=1"
|
Report "allow-auto-purge=1"
|
||||||
else
|
else
|
||||||
Report "allow-auto-purge=0"
|
Report "allow-auto-purge=0"
|
||||||
@ -110,7 +110,7 @@
|
|||||||
# Quick mode (SKIP_PLUGINS) might already be set outside profile, so store in different variable
|
# Quick mode (SKIP_PLUGINS) might already be set outside profile, so store in different variable
|
||||||
SETTING_COLORS=1 # default is yes
|
SETTING_COLORS=1 # default is yes
|
||||||
FIND=$(echo "${VALUE}" | egrep "^(0|false|no)$") && COLORS=0
|
FIND=$(echo "${VALUE}" | egrep "^(0|false|no)$") && COLORS=0
|
||||||
if [ ! -z "${FIND}" ]; then SETTING_COLORS=0; RemoveColors; fi
|
if [ -n "${FIND}" ]; then SETTING_COLORS=0; RemoveColors; fi
|
||||||
Debug "Colors set to ${SETTING_COLORS}"
|
Debug "Colors set to ${SETTING_COLORS}"
|
||||||
AddSetting "colors" "${SETTING_COLORS}" "Colored screen output"
|
AddSetting "colors" "${SETTING_COLORS}" "Colored screen output"
|
||||||
unset SETTING_COLORS
|
unset SETTING_COLORS
|
||||||
@ -204,7 +204,7 @@
|
|||||||
;;
|
;;
|
||||||
|
|
||||||
hostalias | host-alias)
|
hostalias | host-alias)
|
||||||
if [ ! -z "${VALUE}" ]; then Report "hostname_alias=${VALUE}"; fi
|
if [ -n "${VALUE}" ]; then Report "hostname_alias=${VALUE}"; fi
|
||||||
;;
|
;;
|
||||||
|
|
||||||
hostid)
|
hostid)
|
||||||
@ -223,13 +223,13 @@
|
|||||||
# Language
|
# Language
|
||||||
language | lang)
|
language | lang)
|
||||||
LogText "Language set via profile to '${VALUE}'"
|
LogText "Language set via profile to '${VALUE}'"
|
||||||
if [ ! -z "${VALUE}" ]; then LANGUAGE="${VALUE}"; fi
|
if [ -n "${VALUE}" ]; then LANGUAGE="${VALUE}"; fi
|
||||||
AddSetting "language" "${LANGUAGE}" "Language"
|
AddSetting "language" "${LANGUAGE}" "Language"
|
||||||
;;
|
;;
|
||||||
|
|
||||||
# Lynis Enterprise license key
|
# Lynis Enterprise license key
|
||||||
license-key | license_key)
|
license-key | license_key)
|
||||||
if [ ! -z "${VALUE}" ]; then
|
if [ -n "${VALUE}" ]; then
|
||||||
LICENSE_KEY="${VALUE}"
|
LICENSE_KEY="${VALUE}"
|
||||||
Report "license_key=${VALUE}"
|
Report "license_key=${VALUE}"
|
||||||
fi
|
fi
|
||||||
@ -291,7 +291,7 @@
|
|||||||
# Quick mode might already be set outside profile, so store in different variable
|
# Quick mode might already be set outside profile, so store in different variable
|
||||||
SETTING_QUICK_MODE=1 # default is yes
|
SETTING_QUICK_MODE=1 # default is yes
|
||||||
FIND=$(echo "${VALUE}" | egrep "^(0|false|no)$") && QUICKMODE=0
|
FIND=$(echo "${VALUE}" | egrep "^(0|false|no)$") && QUICKMODE=0
|
||||||
if [ ! -z "${FIND}" ]; then SETTING_QUICK_MODE=1; fi
|
if [ -n "${FIND}" ]; then SETTING_QUICK_MODE=1; fi
|
||||||
Debug "Quickmode set to ${SETTING_QUICK_MODE}"
|
Debug "Quickmode set to ${SETTING_QUICK_MODE}"
|
||||||
AddSetting "quick" "${SETTING_QUICK_MODE}" "Quick mode (non-interactive)"
|
AddSetting "quick" "${SETTING_QUICK_MODE}" "Quick mode (non-interactive)"
|
||||||
;;
|
;;
|
||||||
@ -300,7 +300,7 @@
|
|||||||
refresh-repositories)
|
refresh-repositories)
|
||||||
SETTING_REFRESH_REPOSITORIES=1 # default is yes
|
SETTING_REFRESH_REPOSITORIES=1 # default is yes
|
||||||
FIND=$(echo "${VALUE}" | egrep "^(0|false|no)$") && REFRESH_REPOSITORIES=0
|
FIND=$(echo "${VALUE}" | egrep "^(0|false|no)$") && REFRESH_REPOSITORIES=0
|
||||||
if [ ! -z "${FIND}" ]; then SETTING_REFRESH_REPOSITORIES=0; fi
|
if [ -n "${FIND}" ]; then SETTING_REFRESH_REPOSITORIES=0; fi
|
||||||
Debug "Refreshing repositories set to ${SETTING_REFRESH_REPOSITORIES}"
|
Debug "Refreshing repositories set to ${SETTING_REFRESH_REPOSITORIES}"
|
||||||
AddSetting "refresh-repositories" "${SETTING_REFRESH_REPOSITORIES}" "Refresh repositories (for vulnerable package detection)"
|
AddSetting "refresh-repositories" "${SETTING_REFRESH_REPOSITORIES}" "Refresh repositories (for vulnerable package detection)"
|
||||||
;;
|
;;
|
||||||
@ -309,7 +309,7 @@
|
|||||||
show-report-solution)
|
show-report-solution)
|
||||||
SETTING_SHOW_REPORT_SOLUTION=${SHOW_REPORT_SOLUTION}
|
SETTING_SHOW_REPORT_SOLUTION=${SHOW_REPORT_SOLUTION}
|
||||||
FIND=$(echo "${VALUE}" | egrep "^(0|false|no)$") && SHOW_REPORT_SOLUTION=0
|
FIND=$(echo "${VALUE}" | egrep "^(0|false|no)$") && SHOW_REPORT_SOLUTION=0
|
||||||
if [ ! -z "${FIND}" ]; then SETTING_SHOW_REPORT_SOLUTION=0; fi
|
if [ -n "${FIND}" ]; then SETTING_SHOW_REPORT_SOLUTION=0; fi
|
||||||
Debug "Show report details (solution) set to ${SETTING_SHOW_REPORT_SOLUTION}"
|
Debug "Show report details (solution) set to ${SETTING_SHOW_REPORT_SOLUTION}"
|
||||||
;;
|
;;
|
||||||
|
|
||||||
@ -317,7 +317,7 @@
|
|||||||
show_tool_tips | show-tool-tips)
|
show_tool_tips | show-tool-tips)
|
||||||
SETTING_SHOW_TOOL_TIPS=1 # default is yes
|
SETTING_SHOW_TOOL_TIPS=1 # default is yes
|
||||||
FIND=$(echo "${VALUE}" | egrep "^(0|false|no)$") && SHOW_TOOL_TIPS=0
|
FIND=$(echo "${VALUE}" | egrep "^(0|false|no)$") && SHOW_TOOL_TIPS=0
|
||||||
if [ ! -z "${FIND}" ]; then SETTING_SHOW_TOOL_TIPS=0; fi
|
if [ -n "${FIND}" ]; then SETTING_SHOW_TOOL_TIPS=0; fi
|
||||||
Debug "Show tool tips set to ${SETTING_SHOW_TOOL_TIPS}"
|
Debug "Show tool tips set to ${SETTING_SHOW_TOOL_TIPS}"
|
||||||
AddSetting "show-tool-tips" "${SETTING_SHOW_TOOL_TIPS}" "Show tool tips"
|
AddSetting "show-tool-tips" "${SETTING_SHOW_TOOL_TIPS}" "Show tool tips"
|
||||||
;;
|
;;
|
||||||
@ -336,7 +336,7 @@
|
|||||||
# Skip plugins (SKIP_PLUGINS) might already be set, so store in different variable
|
# Skip plugins (SKIP_PLUGINS) might already be set, so store in different variable
|
||||||
SETTING_SKIP_PLUGINS=0 # default is no
|
SETTING_SKIP_PLUGINS=0 # default is no
|
||||||
FIND=$(echo "${VALUE}" | egrep "^(1|true|yes)$") && SKIP_PLUGINS=1
|
FIND=$(echo "${VALUE}" | egrep "^(1|true|yes)$") && SKIP_PLUGINS=1
|
||||||
if [ ! -z "${FIND}" ]; then SETTING_SKIP_PLUGINS=1; fi
|
if [ -n "${FIND}" ]; then SETTING_SKIP_PLUGINS=1; fi
|
||||||
Debug "Skip plugins is set to ${SETTING_SKIP_PLUGINS}"
|
Debug "Skip plugins is set to ${SETTING_SKIP_PLUGINS}"
|
||||||
AddSetting "skip-plugins" "${SETTING_SKIP_PLUGINS}" "Skip plugins"
|
AddSetting "skip-plugins" "${SETTING_SKIP_PLUGINS}" "Skip plugins"
|
||||||
;;
|
;;
|
||||||
@ -374,17 +374,17 @@
|
|||||||
|
|
||||||
# The name of the customer/client that uses this system
|
# The name of the customer/client that uses this system
|
||||||
system-customer-name)
|
system-customer-name)
|
||||||
if [ ! -z "${VALUE}" ]; then Report "system-customer-name=${VALUE}"; fi
|
if [ -n "${VALUE}" ]; then Report "system-customer-name=${VALUE}"; fi
|
||||||
;;
|
;;
|
||||||
|
|
||||||
# The groups linked to a system (system-groups=customers,webservers,production)
|
# The groups linked to a system (system-groups=customers,webservers,production)
|
||||||
system-groups)
|
system-groups)
|
||||||
if [ ! -z "${VALUE}" ]; then Report "system-groups=${VALUE}"; fi
|
if [ -n "${VALUE}" ]; then Report "system-groups=${VALUE}"; fi
|
||||||
;;
|
;;
|
||||||
|
|
||||||
# Tags (tags=db,production,ssn-1304)
|
# Tags (tags=db,production,ssn-1304)
|
||||||
tags)
|
tags)
|
||||||
if [ ! -z "${VALUE}" ]; then Report "tags=${VALUE}"; fi
|
if [ -n "${VALUE}" ]; then Report "tags=${VALUE}"; fi
|
||||||
;;
|
;;
|
||||||
|
|
||||||
# Define what kind of scan we are performing
|
# Define what kind of scan we are performing
|
||||||
@ -399,7 +399,7 @@
|
|||||||
upload)
|
upload)
|
||||||
SETTING_UPLOAD=no # default
|
SETTING_UPLOAD=no # default
|
||||||
FIND=$(echo "${VALUE}" | egrep "^(1|true|yes)$") && UPLOAD_DATA=1
|
FIND=$(echo "${VALUE}" | egrep "^(1|true|yes)$") && UPLOAD_DATA=1
|
||||||
if [ ! -z "${FIND}" ]; then SETTING_UPLOAD=1; fi
|
if [ -n "${FIND}" ]; then SETTING_UPLOAD=1; fi
|
||||||
Debug "Upload set to ${SETTING_UPLOAD}"
|
Debug "Upload set to ${SETTING_UPLOAD}"
|
||||||
AddSetting "upload" "${SETTING_UPLOAD}" "Data upload after scanning"
|
AddSetting "upload" "${SETTING_UPLOAD}" "Data upload after scanning"
|
||||||
unset SETTING_UPLOAD
|
unset SETTING_UPLOAD
|
||||||
@ -499,12 +499,12 @@
|
|||||||
#################################################################################
|
#################################################################################
|
||||||
#
|
#
|
||||||
SKIP_TESTS=$(echo ${SKIP_TESTS} | sed "s/^ //")
|
SKIP_TESTS=$(echo ${SKIP_TESTS} | sed "s/^ //")
|
||||||
if [ ! -z "${SKIP_TESTS}" ]; then LogText "Skip tests: ${SKIP_TESTS}"; fi
|
if [ -n "${SKIP_TESTS}" ]; then LogText "Skip tests: ${SKIP_TESTS}"; fi
|
||||||
#
|
#
|
||||||
#################################################################################
|
#################################################################################
|
||||||
#
|
#
|
||||||
# Add group name to report - deprecated
|
# Add group name to report - deprecated
|
||||||
if [ ! -z "${GROUP_NAME}" ]; then Report "group=${GROUP_NAME}"; fi
|
if [ -n "${GROUP_NAME}" ]; then Report "group=${GROUP_NAME}"; fi
|
||||||
#
|
#
|
||||||
#################################################################################
|
#################################################################################
|
||||||
#
|
#
|
||||||
@ -531,7 +531,7 @@
|
|||||||
#
|
#
|
||||||
#################################################################################
|
#################################################################################
|
||||||
#
|
#
|
||||||
if [ ! -z "${DEPRECATED_OPTION}" ]; then
|
if [ -n "${DEPRECATED_OPTION}" ]; then
|
||||||
ReportWarning "LYNIS" "One or more deprecated options used" "${DEPRECATED_OPTION}" "Update your profile"
|
ReportWarning "LYNIS" "One or more deprecated options used" "${DEPRECATED_OPTION}" "Update your profile"
|
||||||
fi
|
fi
|
||||||
#
|
#
|
||||||
|
|||||||
@ -31,7 +31,7 @@
|
|||||||
Report "firewall_empty_ruleset=${FIREWALL_EMPTY_RULESET}"
|
Report "firewall_empty_ruleset=${FIREWALL_EMPTY_RULESET}"
|
||||||
Report "firewall_installed=${FIREWALL_ACTIVE}"
|
Report "firewall_installed=${FIREWALL_ACTIVE}"
|
||||||
|
|
||||||
if [ ! -z "${INSTALLED_PACKAGES}" ]; then Report "installed_packages_array=${INSTALLED_PACKAGES}"; fi
|
if [ -n "${INSTALLED_PACKAGES}" ]; then Report "installed_packages_array=${INSTALLED_PACKAGES}"; fi
|
||||||
|
|
||||||
Report "package_audit_tool=${PACKAGE_AUDIT_TOOL}"
|
Report "package_audit_tool=${PACKAGE_AUDIT_TOOL}"
|
||||||
Report "package_audit_tool_found=${PACKAGE_AUDIT_TOOL_FOUND}"
|
Report "package_audit_tool_found=${PACKAGE_AUDIT_TOOL_FOUND}"
|
||||||
@ -139,7 +139,7 @@
|
|||||||
done
|
done
|
||||||
IS_CUSTOM=$(echo ${ADDLINK} | grep "^CUST")
|
IS_CUSTOM=$(echo ${ADDLINK} | grep "^CUST")
|
||||||
echo " ${RED}!${NORMAL} ${SHOWWARNING}"
|
echo " ${RED}!${NORMAL} ${SHOWWARNING}"
|
||||||
if [ ! "${DETAILS}" = "-" -a ! -z "${DETAILS}" ]; then echo " - Details : ${CYAN}${DETAILS}${NORMAL}"; fi
|
if [ ! "${DETAILS}" = "-" -a -n "${DETAILS}" ]; then echo " - Details : ${CYAN}${DETAILS}${NORMAL}"; fi
|
||||||
if [ ${SHOW_REPORT_SOLUTION} -eq 1 -a ! "${SOLUTION}" = "-" ]; then echo " - Solution : ${SOLUTION}"; fi
|
if [ ${SHOW_REPORT_SOLUTION} -eq 1 -a ! "${SOLUTION}" = "-" ]; then echo " - Solution : ${SOLUTION}"; fi
|
||||||
if [ -z "${IS_CUSTOM}" ]; then
|
if [ -z "${IS_CUSTOM}" ]; then
|
||||||
echo " ${CONTROL_URL_PROTOCOL}://${CONTROL_URL_PREPEND}${ADDLINK}${CONTROL_URL_APPEND}"
|
echo " ${CONTROL_URL_PROTOCOL}://${CONTROL_URL_PREPEND}${ADDLINK}${CONTROL_URL_APPEND}"
|
||||||
@ -172,7 +172,7 @@
|
|||||||
done
|
done
|
||||||
IS_CUSTOM=$(echo ${ADDLINK} | grep "^CUST")
|
IS_CUSTOM=$(echo ${ADDLINK} | grep "^CUST")
|
||||||
echo " ${YELLOW}*${NORMAL} ${SHOWSUGGESTION}"
|
echo " ${YELLOW}*${NORMAL} ${SHOWSUGGESTION}"
|
||||||
if [ ! "${DETAILS}" = "-" -a ! -z "${DETAILS}" ]; then echo " - Details : ${CYAN}${DETAILS}${NORMAL}"; fi
|
if [ ! "${DETAILS}" = "-" -a -n "${DETAILS}" ]; then echo " - Details : ${CYAN}${DETAILS}${NORMAL}"; fi
|
||||||
if [ ${SHOW_REPORT_SOLUTION} -eq 1 -a ! "${SOLUTION}" = "-" ]; then echo " - Solution : ${SOLUTION}"; fi
|
if [ ${SHOW_REPORT_SOLUTION} -eq 1 -a ! "${SOLUTION}" = "-" ]; then echo " - Solution : ${SOLUTION}"; fi
|
||||||
if [ -z "${IS_CUSTOM}" ]; then
|
if [ -z "${IS_CUSTOM}" ]; then
|
||||||
echo " ${GRAY}${CONTROL_URL_PROTOCOL}://${CONTROL_URL_PREPEND}${ADDLINK}${CONTROL_URL_APPEND}${NORMAL}"
|
echo " ${GRAY}${CONTROL_URL_PROTOCOL}://${CONTROL_URL_PREPEND}${ADDLINK}${CONTROL_URL_APPEND}${NORMAL}"
|
||||||
|
|||||||
@ -105,7 +105,7 @@
|
|||||||
if [ -f ${ROOTDIR}etc/default/sysstat ]; then
|
if [ -f ${ROOTDIR}etc/default/sysstat ]; then
|
||||||
LogText "Result: ${ROOTDIR}etc/default/sysstat found"
|
LogText "Result: ${ROOTDIR}etc/default/sysstat found"
|
||||||
FIND=$(${GREPBINARY} "^ENABLED" ${ROOTDIR}etc/default/sysstat | ${GREPBINARY} -i true)
|
FIND=$(${GREPBINARY} "^ENABLED" ${ROOTDIR}etc/default/sysstat | ${GREPBINARY} -i true)
|
||||||
if [ ! -z "${FIND}" ]; then
|
if [ -n "${FIND}" ]; then
|
||||||
LogText "Result: sysstat enabled via ${ROOTDIR}etc/default/sysstat"
|
LogText "Result: sysstat enabled via ${ROOTDIR}etc/default/sysstat"
|
||||||
Display --indent 2 --text "- Checking sysstat accounting data" --result "${STATUS_ENABLED}" --color GREEN
|
Display --indent 2 --text "- Checking sysstat accounting data" --result "${STATUS_ENABLED}" --color GREEN
|
||||||
else
|
else
|
||||||
@ -115,7 +115,7 @@
|
|||||||
fi
|
fi
|
||||||
elif [ -f ${ROOTDIR}etc/cron.d/sysstat ]; then
|
elif [ -f ${ROOTDIR}etc/cron.d/sysstat ]; then
|
||||||
FIND=$(${GREPBINARY} -v '^[[:space:]]*\(#\|$\)' ${ROOTDIR}etc/cron.d/sysstat)
|
FIND=$(${GREPBINARY} -v '^[[:space:]]*\(#\|$\)' ${ROOTDIR}etc/cron.d/sysstat)
|
||||||
if [ ! -z "${FIND}" ]; then
|
if [ -n "${FIND}" ]; then
|
||||||
LogText "Result: sysstat enabled via ${ROOTDIR}etc/cron.d/sysstat"
|
LogText "Result: sysstat enabled via ${ROOTDIR}etc/cron.d/sysstat"
|
||||||
Display --indent 2 --text "- Checking sysstat accounting data" --result "${STATUS_ENABLED}" --color GREEN
|
Display --indent 2 --text "- Checking sysstat accounting data" --result "${STATUS_ENABLED}" --color GREEN
|
||||||
else
|
else
|
||||||
@ -134,7 +134,7 @@
|
|||||||
#
|
#
|
||||||
# Test : ACCT-9628
|
# Test : ACCT-9628
|
||||||
# Description : Check auditd status
|
# Description : Check auditd status
|
||||||
if [ ! -z "${AUDITDBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
if [ -n "${AUDITDBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||||
Register --test-no ACCT-9628 --os Linux --weight L --network NO --category security --description "Check for auditd"
|
Register --test-no ACCT-9628 --os Linux --weight L --network NO --category security --description "Check for auditd"
|
||||||
if [ ${SKIPTEST} -eq 0 ]; then
|
if [ ${SKIPTEST} -eq 0 ]; then
|
||||||
LogText "Test: Check auditd status"
|
LogText "Test: Check auditd status"
|
||||||
@ -163,7 +163,7 @@
|
|||||||
#
|
#
|
||||||
# Test : ACCT-9630
|
# Test : ACCT-9630
|
||||||
# Description : Check auditd rules
|
# Description : Check auditd rules
|
||||||
if [ ! -z "${AUDITDBINARY}" -a ! -z "${AUDITCTLBINARY}" -a ${LINUX_AUDITD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
if [ -n "${AUDITDBINARY}" -a -n "${AUDITCTLBINARY}" -a ${LINUX_AUDITD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||||
Register --test-no ACCT-9630 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --root-only YES --category security --description "Check for auditd rules"
|
Register --test-no ACCT-9630 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --root-only YES --category security --description "Check for auditd rules"
|
||||||
if [ ${SKIPTEST} -eq 0 ]; then
|
if [ ${SKIPTEST} -eq 0 ]; then
|
||||||
LogText "Test: Checking auditd rules"
|
LogText "Test: Checking auditd rules"
|
||||||
@ -189,7 +189,7 @@
|
|||||||
#
|
#
|
||||||
# Test : ACCT-9632
|
# Test : ACCT-9632
|
||||||
# Description : Check auditd configuration file
|
# Description : Check auditd configuration file
|
||||||
if [ ! -z "${AUDITDBINARY}" -a ${LINUX_AUDITD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
if [ -n "${AUDITDBINARY}" -a ${LINUX_AUDITD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||||
Register --test-no ACCT-9632 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for auditd configuration file"
|
Register --test-no ACCT-9632 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for auditd configuration file"
|
||||||
if [ ${SKIPTEST} -eq 0 ]; then
|
if [ ${SKIPTEST} -eq 0 ]; then
|
||||||
LogText "Test: Checking auditd configuration file"
|
LogText "Test: Checking auditd configuration file"
|
||||||
@ -202,7 +202,7 @@
|
|||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
# Check if we discovered the configuration file. It should be there is the binaries are available and process is running
|
# Check if we discovered the configuration file. It should be there is the binaries are available and process is running
|
||||||
if [ ! -z "${AUDITD_CONF_FILE}" ]; then
|
if [ -n "${AUDITD_CONF_FILE}" ]; then
|
||||||
Display --indent 4 --text "- Checking audit configuration file" --result "${STATUS_OK}" --color GREEN
|
Display --indent 4 --text "- Checking audit configuration file" --result "${STATUS_OK}" --color GREEN
|
||||||
else
|
else
|
||||||
LogText "Result: could not find auditd configuration file"
|
LogText "Result: could not find auditd configuration file"
|
||||||
@ -215,12 +215,12 @@
|
|||||||
#
|
#
|
||||||
# Test : ACCT-9634
|
# Test : ACCT-9634
|
||||||
# Description : Check auditd log file
|
# Description : Check auditd log file
|
||||||
if [ ! -z "${AUDITDBINARY}" -a ${LINUX_AUDITD_RUNNING} -eq 1 -a ! -z "${AUDITD_CONF_FILE}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
if [ -n "${AUDITDBINARY}" -a ${LINUX_AUDITD_RUNNING} -eq 1 -a -n "${AUDITD_CONF_FILE}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||||
Register --test-no ACCT-9634 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for auditd log file"
|
Register --test-no ACCT-9634 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for auditd log file"
|
||||||
if [ ${SKIPTEST} -eq 0 ]; then
|
if [ ${SKIPTEST} -eq 0 ]; then
|
||||||
LogText "Test: Checking auditd log file"
|
LogText "Test: Checking auditd log file"
|
||||||
FIND=$(${GREPBINARY} "^log_file" ${AUDITD_CONF_FILE} | ${AWKBINARY} '{ if ($1=="log_file" && $2=="=") { print $3 } }')
|
FIND=$(${GREPBINARY} "^log_file" ${AUDITD_CONF_FILE} | ${AWKBINARY} '{ if ($1=="log_file" && $2=="=") { print $3 } }')
|
||||||
if [ ! -z "${FIND}" ]; then
|
if [ -n "${FIND}" ]; then
|
||||||
LogText "Result: log file is defined"
|
LogText "Result: log file is defined"
|
||||||
LogText "Defined value: ${FIND}"
|
LogText "Defined value: ${FIND}"
|
||||||
if [ -f ${FIND} ]; then
|
if [ -f ${FIND} ]; then
|
||||||
@ -252,7 +252,7 @@
|
|||||||
if [ -f ${ROOTDIR}etc/ld.so.preload ]; then
|
if [ -f ${ROOTDIR}etc/ld.so.preload ]; then
|
||||||
LogText "Result: found ${ROOTDIR}etc/ld.so.preload, testing if snoopy.so is listed"
|
LogText "Result: found ${ROOTDIR}etc/ld.so.preload, testing if snoopy.so is listed"
|
||||||
FIND=$(${GREPBINARY} ${FILE} ${ROOTDIR}etc/ld.so.preload)
|
FIND=$(${GREPBINARY} ${FILE} ${ROOTDIR}etc/ld.so.preload)
|
||||||
if [ ! -z "${FIND}" ]; then
|
if [ -n "${FIND}" ]; then
|
||||||
LogText "Result: found snoopy in ld.so.preload"
|
LogText "Result: found snoopy in ld.so.preload"
|
||||||
LogText "Output: ${FIND}"
|
LogText "Output: ${FIND}"
|
||||||
Display --indent 6 --text "- Library in ld.so.preload" --result "LOADED" --color GREEN
|
Display --indent 6 --text "- Library in ld.so.preload" --result "LOADED" --color GREEN
|
||||||
@ -298,7 +298,7 @@
|
|||||||
if [ ${SKIPTEST} -eq 0 ]; then
|
if [ ${SKIPTEST} -eq 0 ]; then
|
||||||
LogText "Test: check if auditd service is enabled and online"
|
LogText "Test: check if auditd service is enabled and online"
|
||||||
FIND=$(${ROOTDIR}usr/bin/svcs svc:/system/auditd:default | ${GREPBINARY} "^online")
|
FIND=$(${ROOTDIR}usr/bin/svcs svc:/system/auditd:default | ${GREPBINARY} "^online")
|
||||||
if [ ! -z "${FIND}" ]; then
|
if [ -n "${FIND}" ]; then
|
||||||
LogText "Result: auditd service is online"
|
LogText "Result: auditd service is online"
|
||||||
Display --indent 4 --text "- Checking Solaris audit daemon status" --result "${STATUS_ON}"LINE --color GREEN
|
Display --indent 4 --text "- Checking Solaris audit daemon status" --result "${STATUS_ON}"LINE --color GREEN
|
||||||
else
|
else
|
||||||
@ -317,7 +317,7 @@
|
|||||||
LogText "Test: check if BSM is enabled in ${ROOTDIR}etc/system"
|
LogText "Test: check if BSM is enabled in ${ROOTDIR}etc/system"
|
||||||
if [ -f ${ROOTDIR}etc/system ]; then
|
if [ -f ${ROOTDIR}etc/system ]; then
|
||||||
FIND=$(${GREPBINARY} 'set c2audit:audit_load = 1' ${ROOTDIR}etc/system)
|
FIND=$(${GREPBINARY} 'set c2audit:audit_load = 1' ${ROOTDIR}etc/system)
|
||||||
if [ ! -z "${FIND}" ]; then
|
if [ -n "${FIND}" ]; then
|
||||||
LogText "Result: BSM is enabled in ${ROOTDIR}etc/system"
|
LogText "Result: BSM is enabled in ${ROOTDIR}etc/system"
|
||||||
Display --indent 4 --text "- Checking Solaris BSM (${ROOTDIR}etc/system)" --result "${STATUS_ENABLED}" --color GREEN
|
Display --indent 4 --text "- Checking Solaris BSM (${ROOTDIR}etc/system)" --result "${STATUS_ENABLED}" --color GREEN
|
||||||
else
|
else
|
||||||
@ -339,7 +339,7 @@
|
|||||||
LogText "Test: check if c2audit module is active"
|
LogText "Test: check if c2audit module is active"
|
||||||
if [ -x ${ROOTDIR}usr/sbin/modinfo ]; then
|
if [ -x ${ROOTDIR}usr/sbin/modinfo ]; then
|
||||||
FIND=$(${ROOTDIR}usr/sbin/modinfo | ${GREPBINARY} c2audit)
|
FIND=$(${ROOTDIR}usr/sbin/modinfo | ${GREPBINARY} c2audit)
|
||||||
if [ ! -z "${FIND}" ]; then
|
if [ -n "${FIND}" ]; then
|
||||||
LogText "Result: c2audit found in modinfo output"
|
LogText "Result: c2audit found in modinfo output"
|
||||||
Display --indent 4 --text "- Checking Solaris BSM (modules list)" --result "${STATUS_ENABLED}" --color GREEN
|
Display --indent 4 --text "- Checking Solaris BSM (modules list)" --result "${STATUS_ENABLED}" --color GREEN
|
||||||
else
|
else
|
||||||
@ -362,7 +362,7 @@
|
|||||||
if [ -f ${ROOTDIR}etc/security/audit_control ]; then
|
if [ -f ${ROOTDIR}etc/security/audit_control ]; then
|
||||||
LogText "Result: file ${ROOTDIR}etc/security/audit_control found"
|
LogText "Result: file ${ROOTDIR}etc/security/audit_control found"
|
||||||
FIND=$(${GREPBINARY} "^dir" ${ROOTDIR}etc/security/audit_control | ${AWKBINARY} -F: '{ print $2 }')
|
FIND=$(${GREPBINARY} "^dir" ${ROOTDIR}etc/security/audit_control | ${AWKBINARY} -F: '{ print $2 }')
|
||||||
if [ ! -z "${FIND}" ]; then
|
if [ -n "${FIND}" ]; then
|
||||||
LogText "Result: found location ${FIND}"
|
LogText "Result: found location ${FIND}"
|
||||||
LogText "Test: Checking if location is a valid directory"
|
LogText "Test: Checking if location is a valid directory"
|
||||||
if [ -d ${FIND} ]; then
|
if [ -d ${FIND} ]; then
|
||||||
|
|||||||
@ -46,7 +46,7 @@
|
|||||||
else
|
else
|
||||||
FIND=$(${GREPBINARY} ':0:' ${ROOTDIR}etc/passwd | ${EGREPBINARY} -v '^#|^root:|^(\+:\*)?:0:0:::' | ${CUTBINARY} -d ":" -f1,3 | ${GREPBINARY} ':0')
|
FIND=$(${GREPBINARY} ':0:' ${ROOTDIR}etc/passwd | ${EGREPBINARY} -v '^#|^root:|^(\+:\*)?:0:0:::' | ${CUTBINARY} -d ":" -f1,3 | ${GREPBINARY} ':0')
|
||||||
fi
|
fi
|
||||||
if [ ! -z "${FIND}" ]; then
|
if [ -n "${FIND}" ]; then
|
||||||
Display --indent 2 --text "- Administrator accounts" --result "${STATUS_WARNING}" --color RED
|
Display --indent 2 --text "- Administrator accounts" --result "${STATUS_WARNING}" --color RED
|
||||||
LogText "Result: Found more than one administrator accounts"
|
LogText "Result: Found more than one administrator accounts"
|
||||||
ReportWarning "${TEST_NO}" "Multiple users with UID 0 found in passwd file"
|
ReportWarning "${TEST_NO}" "Multiple users with UID 0 found in passwd file"
|
||||||
@ -124,7 +124,7 @@
|
|||||||
# Test : AUTH-9216
|
# Test : AUTH-9216
|
||||||
# Description : Check /etc/group and shadow group files
|
# Description : Check /etc/group and shadow group files
|
||||||
# Notes : Run grpck to test group files (most likely /etc/group and shadow group files)
|
# Notes : Run grpck to test group files (most likely /etc/group and shadow group files)
|
||||||
if [ ! -z "${GRPCKBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
if [ -n "${GRPCKBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||||
Register --test-no AUTH-9216 --preqs-met ${PREQS_MET} --weight L --network NO --root-only YES --category security --description "Check group and shadow group files"
|
Register --test-no AUTH-9216 --preqs-met ${PREQS_MET} --weight L --network NO --root-only YES --category security --description "Check group and shadow group files"
|
||||||
if [ ${SKIPTEST} -eq 0 ]; then
|
if [ ${SKIPTEST} -eq 0 ]; then
|
||||||
LogText "Test: Checking for grpck binary output"
|
LogText "Test: Checking for grpck binary output"
|
||||||
@ -363,7 +363,7 @@
|
|||||||
"macOS")
|
"macOS")
|
||||||
LogText "macOS real users output (ID = 0, or 500-599) using dscacheutil"
|
LogText "macOS real users output (ID = 0, or 500-599) using dscacheutil"
|
||||||
FIND_USERS=$(dscacheutil -q user | ${GREPBINARY} -A 3 -B 2 -e "^uid: 5[0-9][0-9]" | ${GREPBINARY} "^name: " | ${AWKBINARY} '{print $2}')
|
FIND_USERS=$(dscacheutil -q user | ${GREPBINARY} -A 3 -B 2 -e "^uid: 5[0-9][0-9]" | ${GREPBINARY} "^name: " | ${AWKBINARY} '{print $2}')
|
||||||
if [ ! -z "${FIND_USERS}" ]; then
|
if [ -n "${FIND_USERS}" ]; then
|
||||||
for FUSERNAME in ${FIND_USERS}; do
|
for FUSERNAME in ${FIND_USERS}; do
|
||||||
FDETAILS=$(dscacheutil -q user -a name ${FUSERNAME} | ${GREPBINARY} "^uid: " | ${AWKBINARY} '{print $2}')
|
FDETAILS=$(dscacheutil -q user -a name ${FUSERNAME} | ${GREPBINARY} "^uid: " | ${AWKBINARY} '{print $2}')
|
||||||
FIND="${FUSERNAME},${FDETAILS} ${FIND}"
|
FIND="${FUSERNAME},${FDETAILS} ${FIND}"
|
||||||
@ -397,7 +397,7 @@
|
|||||||
else
|
else
|
||||||
Display --indent 2 --text "- Query system users (non daemons)" --result "${STATUS_DONE}" --color GREEN
|
Display --indent 2 --text "- Query system users (non daemons)" --result "${STATUS_DONE}" --color GREEN
|
||||||
for I in ${FIND}; do
|
for I in ${FIND}; do
|
||||||
if [ ! -z "${I}" ]; then
|
if [ -n "${I}" ]; then
|
||||||
LogText "Real user: ${I}"
|
LogText "Real user: ${I}"
|
||||||
Report "real_user[]=${I}"
|
Report "real_user[]=${I}"
|
||||||
fi
|
fi
|
||||||
@ -419,7 +419,7 @@
|
|||||||
else
|
else
|
||||||
FIND2=$(${EGREPBINARY} "^passwd_compat" ${ROOTDIR}etc/nsswitch.conf | ${GREPBINARY} "nisplus")
|
FIND2=$(${EGREPBINARY} "^passwd_compat" ${ROOTDIR}etc/nsswitch.conf | ${GREPBINARY} "nisplus")
|
||||||
FIND3=$(${EGREPBINARY} "^passwd" ${ROOTDIR}etc/nsswitch.conf | ${GREPBINARY} "nisplus")
|
FIND3=$(${EGREPBINARY} "^passwd" ${ROOTDIR}etc/nsswitch.conf | ${GREPBINARY} "nisplus")
|
||||||
if [ ! -z "${FIND2}" -o ! -z "${FIND3}" ]; then
|
if [ -n "${FIND2}" -o -n "${FIND3}" ]; then
|
||||||
LogText "Result: NIS+ authentication enabled"
|
LogText "Result: NIS+ authentication enabled"
|
||||||
Display --indent 2 --text "- NIS+ authentication support" --result "${STATUS_ENABLED}" --color GREEN
|
Display --indent 2 --text "- NIS+ authentication support" --result "${STATUS_ENABLED}" --color GREEN
|
||||||
else
|
else
|
||||||
@ -446,7 +446,7 @@
|
|||||||
else
|
else
|
||||||
FIND2=$(${EGREPBINARY} "^passwd_compat" /etc/nsswitch.conf | ${GREPBINARY} "nis" | ${GREPBINARY} -v "nisplus")
|
FIND2=$(${EGREPBINARY} "^passwd_compat" /etc/nsswitch.conf | ${GREPBINARY} "nis" | ${GREPBINARY} -v "nisplus")
|
||||||
FIND3=$(${EGREPBINARY} "^passwd" /etc/nsswitch.conf | ${GREPBINARY} "nis" | ${GREPBINARY} -v "nisplus")
|
FIND3=$(${EGREPBINARY} "^passwd" /etc/nsswitch.conf | ${GREPBINARY} "nis" | ${GREPBINARY} -v "nisplus")
|
||||||
if [ ! -z "${FIND2}" -o ! -z "${FIND3}" ]; then
|
if [ -n "${FIND2}" -o -n "${FIND3}" ]; then
|
||||||
LogText "Result: NIS authentication enabled"
|
LogText "Result: NIS authentication enabled"
|
||||||
Display --indent 2 --text "- NIS authentication support" --result "${STATUS_ENABLED}" --color GREEN
|
Display --indent 2 --text "- NIS authentication support" --result "${STATUS_ENABLED}" --color GREEN
|
||||||
else
|
else
|
||||||
@ -489,7 +489,7 @@
|
|||||||
#
|
#
|
||||||
# Test : AUTH-9252
|
# Test : AUTH-9252
|
||||||
# Description : Check ownership and permissions for sudo configuration files
|
# Description : Check ownership and permissions for sudo configuration files
|
||||||
if [ ! -z "${SUDOERS_FILE}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
if [ -n "${SUDOERS_FILE}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||||
Register --test-no AUTH-9252 --preqs-met ${PREQS_MET} --weight L --network NO --root-only YES --category security --description "Check ownership and permissions for sudo configuration files"
|
Register --test-no AUTH-9252 --preqs-met ${PREQS_MET} --weight L --network NO --root-only YES --category security --description "Check ownership and permissions for sudo configuration files"
|
||||||
if [ ${SKIPTEST} -eq 0 ]; then
|
if [ ${SKIPTEST} -eq 0 ]; then
|
||||||
SUDO_CONFIG_FILES="${SUDOERS_FILE}"
|
SUDO_CONFIG_FILES="${SUDOERS_FILE}"
|
||||||
@ -680,7 +680,7 @@
|
|||||||
else
|
else
|
||||||
FIND=$(find ${DIR} -maxdepth 1 -type f -name "pam_*.so" -print | sort)
|
FIND=$(find ${DIR} -maxdepth 1 -type f -name "pam_*.so" -print | sort)
|
||||||
fi
|
fi
|
||||||
if [ ! -z "${FIND}" ]; then FOUND=1; fi
|
if [ -n "${FIND}" ]; then FOUND=1; fi
|
||||||
for FILE in ${FIND}; do
|
for FILE in ${FIND}; do
|
||||||
LogText "Found file: ${FILE}"
|
LogText "Found file: ${FILE}"
|
||||||
Report "pam_module[]=${FILE}"
|
Report "pam_module[]=${FILE}"
|
||||||
@ -712,7 +712,7 @@
|
|||||||
LogText "Result: file ${FILE} exists"
|
LogText "Result: file ${FILE} exists"
|
||||||
LogText "Test: checking presence LDAP module"
|
LogText "Test: checking presence LDAP module"
|
||||||
FIND=$(${GREPBINARY} "^auth.*ldap" ${FILE})
|
FIND=$(${GREPBINARY} "^auth.*ldap" ${FILE})
|
||||||
if [ ! -z "${FIND}" ]; then
|
if [ -n "${FIND}" ]; then
|
||||||
LogText "Result: LDAP module present"
|
LogText "Result: LDAP module present"
|
||||||
LogText "Output: ${FIND}"
|
LogText "Output: ${FIND}"
|
||||||
LDAP_AUTH_ENABLED=1
|
LDAP_AUTH_ENABLED=1
|
||||||
@ -868,7 +868,7 @@
|
|||||||
LogText "Test: collecting accounts which have an expired password (last day changed + maximum change time)"
|
LogText "Test: collecting accounts which have an expired password (last day changed + maximum change time)"
|
||||||
# Skip fields with a !, *, or x, or !* (field $3 is last changed, $5 is maximum changed)
|
# Skip fields with a !, *, or x, or !* (field $3 is last changed, $5 is maximum changed)
|
||||||
FIND=$(${EGREPBINARY} -v ":[\!\*x]([\*\!])?:" /etc/shadow | ${AWKBINARY} -v today=${DAYS_SINCE_EPOCH} -F: '{ if (($5!="") && (today>$3+$5)) { print $1 }}')
|
FIND=$(${EGREPBINARY} -v ":[\!\*x]([\*\!])?:" /etc/shadow | ${AWKBINARY} -v today=${DAYS_SINCE_EPOCH} -F: '{ if (($5!="") && (today>$3+$5)) { print $1 }}')
|
||||||
if [ ! -z "${FIND}" ]; then
|
if [ -n "${FIND}" ]; then
|
||||||
for ACCOUNT in ${FIND}; do
|
for ACCOUNT in ${FIND}; do
|
||||||
LogText "Result: password of user ${ACCOUNT} has been expired"
|
LogText "Result: password of user ${ACCOUNT} has been expired"
|
||||||
Report "account_password_expired[]=${ACCOUNT}"
|
Report "account_password_expired[]=${ACCOUNT}"
|
||||||
@ -961,7 +961,7 @@
|
|||||||
LogText "Test: checking presence sulogin for single user mode"
|
LogText "Test: checking presence sulogin for single user mode"
|
||||||
FIND=$(${EGREPBINARY} "^[a-zA-Z0-9~]+:S:(respawn|wait):/sbin/sulogin" /etc/inittab)
|
FIND=$(${EGREPBINARY} "^[a-zA-Z0-9~]+:S:(respawn|wait):/sbin/sulogin" /etc/inittab)
|
||||||
FIND2=$(${EGREPBINARY} "^su:S:(respawn|wait):/sbin/sulogin" /etc/inittab)
|
FIND2=$(${EGREPBINARY} "^su:S:(respawn|wait):/sbin/sulogin" /etc/inittab)
|
||||||
if [ ! -z "${FIND}" -o ! -z "${FIND2}" ]; then
|
if [ -n "${FIND}" -o -n "${FIND2}" ]; then
|
||||||
FOUND=1
|
FOUND=1
|
||||||
LogText "Result: found sulogin, so single user is protected"
|
LogText "Result: found sulogin, so single user is protected"
|
||||||
fi
|
fi
|
||||||
@ -976,7 +976,7 @@
|
|||||||
LogText "Result: file ${ROOTDIR}etc/sysconfig/init exists"
|
LogText "Result: file ${ROOTDIR}etc/sysconfig/init exists"
|
||||||
LogText "Test: checking presence sulogin for single user mode"
|
LogText "Test: checking presence sulogin for single user mode"
|
||||||
FIND=$(${GREPBINARY} "^SINGLE=/sbin/sulogin" ${ROOTDIR}etc/sysconfig/init)
|
FIND=$(${GREPBINARY} "^SINGLE=/sbin/sulogin" ${ROOTDIR}etc/sysconfig/init)
|
||||||
if [ ! -z "${FIND}" ]; then
|
if [ -n "${FIND}" ]; then
|
||||||
FOUND=1
|
FOUND=1
|
||||||
LogText "Result: found sulogin, so single user is protected"
|
LogText "Result: found sulogin, so single user is protected"
|
||||||
fi
|
fi
|
||||||
@ -1045,7 +1045,7 @@
|
|||||||
if [ -d ${ROOTDIR}etc/profile.d ]; then
|
if [ -d ${ROOTDIR}etc/profile.d ]; then
|
||||||
FOUND=0
|
FOUND=0
|
||||||
FIND=$(ls ${ROOTDIR}etc/profile.d/* 2> /dev/null)
|
FIND=$(ls ${ROOTDIR}etc/profile.d/* 2> /dev/null)
|
||||||
if [ ! -z "${FIND}" ]; then
|
if [ -n "${FIND}" ]; then
|
||||||
LogText "Result: found /etc/profile.d, with one or more files in it"
|
LogText "Result: found /etc/profile.d, with one or more files in it"
|
||||||
for FILE in ${FIND}; do
|
for FILE in ${FIND}; do
|
||||||
HAS_MASK=$(${GREPBINARY} umask ${FILE} | ${SEDBINARY} 's/^[ \t]*//' | ${GREPBINARY} -v "^#" | ${AWKBINARY} '{ print $2 }')
|
HAS_MASK=$(${GREPBINARY} umask ${FILE} | ${SEDBINARY} 's/^[ \t]*//' | ${GREPBINARY} -v "^#" | ${AWKBINARY} '{ print $2 }')
|
||||||
@ -1309,7 +1309,7 @@
|
|||||||
if [ -f ${ROOTDIR}etc/default/login ]; then
|
if [ -f ${ROOTDIR}etc/default/login ]; then
|
||||||
LogText "Result: file ${ROOTDIR}etc/default/login exists"
|
LogText "Result: file ${ROOTDIR}etc/default/login exists"
|
||||||
FIND=$(${GREPBINARY} "^RETRIES" ${ROOTDIR}etc/default/login)
|
FIND=$(${GREPBINARY} "^RETRIES" ${ROOTDIR}etc/default/login)
|
||||||
if [ ! -z "${FIND}" ]; then
|
if [ -n "${FIND}" ]; then
|
||||||
FOUND=1
|
FOUND=1
|
||||||
LogText "Result: retries option configured"
|
LogText "Result: retries option configured"
|
||||||
LogText "Output: ${FIND}"
|
LogText "Output: ${FIND}"
|
||||||
@ -1429,7 +1429,7 @@
|
|||||||
#
|
#
|
||||||
# Test : AUTH-9410
|
# Test : AUTH-9410
|
||||||
# Description : Check for doas file permissions
|
# Description : Check for doas file permissions
|
||||||
if [ ! -z "${DOAS_FILE}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
if [ -n "${DOAS_FILE}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||||
Register --test-no AUTH-9410 --os OpenBSD --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check /etc/doas.conf file permissions"
|
Register --test-no AUTH-9410 --os OpenBSD --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check /etc/doas.conf file permissions"
|
||||||
if [ ${SKIPTEST} -eq 0 ]; then
|
if [ ${SKIPTEST} -eq 0 ]; then
|
||||||
LogText "Test: checking /etc/doas.conf permissions"
|
LogText "Test: checking /etc/doas.conf permissions"
|
||||||
@ -1450,7 +1450,7 @@
|
|||||||
Report "auth_failed_logins_logged=${AUTH_FAILED_LOGINS_LOGGED}"
|
Report "auth_failed_logins_logged=${AUTH_FAILED_LOGINS_LOGGED}"
|
||||||
Report "ldap_auth_enabled=${LDAP_AUTH_ENABLED}"
|
Report "ldap_auth_enabled=${LDAP_AUTH_ENABLED}"
|
||||||
Report "ldap_pam_enabled=${LDAP_PAM_ENABLED}"
|
Report "ldap_pam_enabled=${LDAP_PAM_ENABLED}"
|
||||||
if [ ! -z "${LDAP_CLIENT_CONFIG_FILE}" ]; then Report "ldap_config_file=${LDAP_CLIENT_CONFIG_FILE}"; fi
|
if [ -n "${LDAP_CLIENT_CONFIG_FILE}" ]; then Report "ldap_config_file=${LDAP_CLIENT_CONFIG_FILE}"; fi
|
||||||
Report "password_min_days=${PASSWORD_MINIMUM_DAYS}"
|
Report "password_min_days=${PASSWORD_MINIMUM_DAYS}"
|
||||||
Report "password_max_days=${PASSWORD_MAXIMUM_DAYS}"
|
Report "password_max_days=${PASSWORD_MAXIMUM_DAYS}"
|
||||||
|
|
||||||
|
|||||||
@ -46,7 +46,7 @@
|
|||||||
LogText "Test: Query bootinfo for AIX boot device"
|
LogText "Test: Query bootinfo for AIX boot device"
|
||||||
if [ -x /usr/sbin/bootinfo ]; then
|
if [ -x /usr/sbin/bootinfo ]; then
|
||||||
FIND=$(/usr/sbin/bootinfo -b)
|
FIND=$(/usr/sbin/bootinfo -b)
|
||||||
if [ ! -z "${FIND}" ]; then
|
if [ -n "${FIND}" ]; then
|
||||||
LogText "Result: found boot device ${FIND}"
|
LogText "Result: found boot device ${FIND}"
|
||||||
Display --indent 2 --text "- Checking boot device (bootinfo)" --result "${STATUS_FOUND}" --color GREEN
|
Display --indent 2 --text "- Checking boot device (bootinfo)" --result "${STATUS_FOUND}" --color GREEN
|
||||||
BOOT_LOADER="ROS"
|
BOOT_LOADER="ROS"
|
||||||
@ -76,7 +76,7 @@
|
|||||||
FILENAME=$(echo "${OUTPUT}" | ${AWKBINARY} '{print $1}')
|
FILENAME=$(echo "${OUTPUT}" | ${AWKBINARY} '{print $1}')
|
||||||
LogText "Result: file on disk = ${FILENAME}"
|
LogText "Result: file on disk = ${FILENAME}"
|
||||||
ISFILE=$(echo ${FILENAME} | ${GREPBINARY} "^/")
|
ISFILE=$(echo ${FILENAME} | ${GREPBINARY} "^/")
|
||||||
if [ ! -z "${ISFILE}" ]; then
|
if [ -n "${ISFILE}" ]; then
|
||||||
if [ -L ${ISFILE} ]; then
|
if [ -L ${ISFILE} ]; then
|
||||||
ShowSymlinkPath ${ISFILE}
|
ShowSymlinkPath ${ISFILE}
|
||||||
FILENAME="${SYMLINK}"
|
FILENAME="${SYMLINK}"
|
||||||
@ -86,7 +86,7 @@
|
|||||||
LogText "Result: cmdline of PID 1 is not a file"
|
LogText "Result: cmdline of PID 1 is not a file"
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
if [ ! -z "${FILENAME}" ]; then
|
if [ -n "${FILENAME}" ]; then
|
||||||
SHORTNAME=$(echo ${FILENAME} | ${AWKBINARY} -F/ '{ print $NF }')
|
SHORTNAME=$(echo ${FILENAME} | ${AWKBINARY} -F/ '{ print $NF }')
|
||||||
LogText "Found: ${SHORTNAME}"
|
LogText "Found: ${SHORTNAME}"
|
||||||
if [ "${SERVICE_MANAGER}" = "unknown" ]; then
|
if [ "${SERVICE_MANAGER}" = "unknown" ]; then
|
||||||
@ -110,7 +110,7 @@
|
|||||||
;;
|
;;
|
||||||
*)
|
*)
|
||||||
CONTAINS_SYSTEMD=$(echo ${SHORTNAME} | ${GREPBINARY} "systemd")
|
CONTAINS_SYSTEMD=$(echo ${SHORTNAME} | ${GREPBINARY} "systemd")
|
||||||
if [ ! -z "${CONTAINS_SYSTEMD}" ]; then
|
if [ -n "${CONTAINS_SYSTEMD}" ]; then
|
||||||
SERVICE_MANAGER="systemd"
|
SERVICE_MANAGER="systemd"
|
||||||
else
|
else
|
||||||
LogText "Found ${SHORTNAME}. Unclear what service manager this is"
|
LogText "Found ${SHORTNAME}. Unclear what service manager this is"
|
||||||
@ -204,7 +204,7 @@
|
|||||||
LogText "Test: determine if Secure Boot is used"
|
LogText "Test: determine if Secure Boot is used"
|
||||||
if [ -d ${ROOTDIR}sys/firmware/efi/efivars ]; then
|
if [ -d ${ROOTDIR}sys/firmware/efi/efivars ]; then
|
||||||
FIND=$(${LSBINARY} ${ROOTDIR}sys/firmware/efi/efivars/SecureBoot-* 2> /dev/null)
|
FIND=$(${LSBINARY} ${ROOTDIR}sys/firmware/efi/efivars/SecureBoot-* 2> /dev/null)
|
||||||
if [ ! -z "${FIND}" ]; then
|
if [ -n "${FIND}" ]; then
|
||||||
for FILE in ${FIND}; do
|
for FILE in ${FIND}; do
|
||||||
LogText "Test: checking file ${FILE}"
|
LogText "Test: checking file ${FILE}"
|
||||||
# TODO: add detection for od
|
# TODO: add detection for od
|
||||||
@ -295,7 +295,7 @@
|
|||||||
# Some OSes like Gentoo do not have /boot mounted by default
|
# Some OSes like Gentoo do not have /boot mounted by default
|
||||||
# TODO: root directory and rewrite ls statement
|
# TODO: root directory and rewrite ls statement
|
||||||
if [ -d /boot ]; then
|
if [ -d /boot ]; then
|
||||||
if [ "$(ls /boot/* 2> /dev/null)" = "" -a ! -z "${GRUB2INSTALLBINARY}" ]; then
|
if [ "$(ls /boot/* 2> /dev/null)" = "" -a -n "${GRUB2INSTALLBINARY}" ]; then
|
||||||
BOOT_LOADER_FOUND=1
|
BOOT_LOADER_FOUND=1
|
||||||
LogText "Result: found empty /boot, however with GRUB2 binary installed. Best guess is that GRUB2 is actually installed, but /boot not mounted"
|
LogText "Result: found empty /boot, however with GRUB2 binary installed. Best guess is that GRUB2 is actually installed, but /boot not mounted"
|
||||||
Display --indent 2 --text "- Checking presence GRUB2" --result "POSSIBLE MATCH" --color YELLOW
|
Display --indent 2 --text "- Checking presence GRUB2" --result "POSSIBLE MATCH" --color YELLOW
|
||||||
@ -312,7 +312,7 @@
|
|||||||
#
|
#
|
||||||
# Test : BOOT-5122
|
# Test : BOOT-5122
|
||||||
# Description : Check for GRUB boot loader configuration
|
# Description : Check for GRUB boot loader configuration
|
||||||
if [ ! -z "${GRUBCONFFILE}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
if [ -n "${GRUBCONFFILE}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||||
Register --test-no BOOT-5122 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for GRUB boot password"
|
Register --test-no BOOT-5122 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for GRUB boot password"
|
||||||
if [ ${SKIPTEST} -eq 0 ]; then
|
if [ ${SKIPTEST} -eq 0 ]; then
|
||||||
FOUND=0
|
FOUND=0
|
||||||
@ -325,11 +325,11 @@
|
|||||||
FIND4=$(${GREPBINARY} 'password_pbkdf2' ${GRUBCONFFILE} | ${GREPBINARY} -v '^#')
|
FIND4=$(${GREPBINARY} 'password_pbkdf2' ${GRUBCONFFILE} | ${GREPBINARY} -v '^#')
|
||||||
FIND5=$(${GREPBINARY} 'grub.pbkdf2' ${GRUBCONFFILE} | ${GREPBINARY} -v '^#')
|
FIND5=$(${GREPBINARY} 'grub.pbkdf2' ${GRUBCONFFILE} | ${GREPBINARY} -v '^#')
|
||||||
# GRUB1: Password should be set (MD5 or SHA1)
|
# GRUB1: Password should be set (MD5 or SHA1)
|
||||||
if [ ! -z "${FIND}" -o ! -z "${FIND2}" ]; then
|
if [ -n "${FIND}" -o -n "${FIND2}" ]; then
|
||||||
FOUND=1
|
FOUND=1
|
||||||
# GRUB2: Superusers AND password should be defined
|
# GRUB2: Superusers AND password should be defined
|
||||||
elif [ ! -z "${FIND3}" ]; then
|
elif [ -n "${FIND3}" ]; then
|
||||||
if [ ! -z "${FIND4}" -o ! -z "${FIND5}" ]; then FOUND=1; fi
|
if [ -n "${FIND4}" -o -n "${FIND5}" ]; then FOUND=1; fi
|
||||||
fi
|
fi
|
||||||
if [ ${FOUND} -eq 1 ]; then
|
if [ ${FOUND} -eq 1 ]; then
|
||||||
Display --indent 4 --text "- Checking for password protection" --result "${STATUS_OK}" --color GREEN
|
Display --indent 4 --text "- Checking for password protection" --result "${STATUS_OK}" --color GREEN
|
||||||
@ -599,7 +599,7 @@
|
|||||||
else
|
else
|
||||||
|
|
||||||
LogText "Result: systemctl binary not found, checking chkconfig binary"
|
LogText "Result: systemctl binary not found, checking chkconfig binary"
|
||||||
if [ ! -z "${CHKCONFIGBINARY}" ]; then
|
if [ -n "${CHKCONFIGBINARY}" ]; then
|
||||||
LogText "Result: chkconfig binary found, trying that to discover information"
|
LogText "Result: chkconfig binary found, trying that to discover information"
|
||||||
LogText "Searching for services at startup (chkconfig, runlevel 3 and 5)"
|
LogText "Searching for services at startup (chkconfig, runlevel 3 and 5)"
|
||||||
FIND=$(${CHKCONFIGBINARY} --list | ${EGREPBINARY} '3:on|5:on' | ${AWKBINARY} '{ print $1 }')
|
FIND=$(${CHKCONFIGBINARY} --list | ${EGREPBINARY} '3:on|5:on' | ${AWKBINARY} '{ print $1 }')
|
||||||
@ -634,7 +634,7 @@
|
|||||||
if [ "${sRUNLEVEL}" = "2" ]; then
|
if [ "${sRUNLEVEL}" = "2" ]; then
|
||||||
LogText "Result: performing find in /etc/rc2.d as runlevel 2 is found"
|
LogText "Result: performing find in /etc/rc2.d as runlevel 2 is found"
|
||||||
FIND=$(${FINDBINARY} ${ROOTDIR}etc/rc2.d -type l -print | ${CUTBINARY} -d '/' -f4 | ${SEDBINARY} "s/S[0-9][0-9]//g" | sort)
|
FIND=$(${FINDBINARY} ${ROOTDIR}etc/rc2.d -type l -print | ${CUTBINARY} -d '/' -f4 | ${SEDBINARY} "s/S[0-9][0-9]//g" | sort)
|
||||||
if [ ! -z "${FIND}" ]; then
|
if [ -n "${FIND}" ]; then
|
||||||
COUNT=0
|
COUNT=0
|
||||||
for SERVICE in ${FIND}; do
|
for SERVICE in ${FIND}; do
|
||||||
LogText "Found service (at boot, runlevel 2): ${SERVICE}"
|
LogText "Found service (at boot, runlevel 2): ${SERVICE}"
|
||||||
@ -667,7 +667,7 @@
|
|||||||
LogText "Result: directory ${DIR} found"
|
LogText "Result: directory ${DIR} found"
|
||||||
LogText "Test: checking for available files in directory"
|
LogText "Test: checking for available files in directory"
|
||||||
FIND=$(${FINDBINARY} ${DIR} -type f -print | ${SORTBINARY})
|
FIND=$(${FINDBINARY} ${DIR} -type f -print | ${SORTBINARY})
|
||||||
if [ ! -z "${FIND}" ]; then
|
if [ -n "${FIND}" ]; then
|
||||||
LogText "Result: found files in directory, checking permissions now"
|
LogText "Result: found files in directory, checking permissions now"
|
||||||
for FILE in ${FIND}; do
|
for FILE in ${FIND}; do
|
||||||
LogText "Test: checking permissions of file ${FILE}"
|
LogText "Test: checking permissions of file ${FILE}"
|
||||||
@ -757,12 +757,12 @@
|
|||||||
;;
|
;;
|
||||||
|
|
||||||
DragonFly | FreeBSD | macOS)
|
DragonFly | FreeBSD | macOS)
|
||||||
if [ ! -z "${SYSCTLBINARY}" ]; then
|
if [ -n "${SYSCTLBINARY}" ]; then
|
||||||
TIME_BOOT=$(${SYSCTLBINARY} kern.boottime | ${AWKBINARY} '{ print $5 }' | ${SEDBINARY} -e 's/,//' | ${GREPBINARY} "[0-9]")
|
TIME_BOOT=$(${SYSCTLBINARY} kern.boottime | ${AWKBINARY} '{ print $5 }' | ${SEDBINARY} -e 's/,//' | ${GREPBINARY} "[0-9]")
|
||||||
TIME_NOW=$(date "+%s")
|
TIME_NOW=$(date "+%s")
|
||||||
LogText "Boot time: ${TIME_BOOT}"
|
LogText "Boot time: ${TIME_BOOT}"
|
||||||
LogText "Current time: ${TIME_NOW}"
|
LogText "Current time: ${TIME_NOW}"
|
||||||
if [ ! -z "${TIME_BOOT}" -a ! -z "${TIME_NOW}" ]; then
|
if [ -n "${TIME_BOOT}" -a -n "${TIME_NOW}" ]; then
|
||||||
UPTIME_IN_SECS=$((TIME_NOW - TIME_BOOT))
|
UPTIME_IN_SECS=$((TIME_NOW - TIME_BOOT))
|
||||||
else
|
else
|
||||||
ReportException "${TEST_NO}:5" "Most likely kern.boottime empty, unable to determine uptime"
|
ReportException "${TEST_NO}:5" "Most likely kern.boottime empty, unable to determine uptime"
|
||||||
@ -774,12 +774,12 @@
|
|||||||
;;
|
;;
|
||||||
|
|
||||||
NetBSD | OpenBSD)
|
NetBSD | OpenBSD)
|
||||||
if [ ! -z "${SYSCTLBINARY}" ]; then
|
if [ -n "${SYSCTLBINARY}" ]; then
|
||||||
TIME_BOOT=$(${SYSCTLBINARY} -n kern.boottime)
|
TIME_BOOT=$(${SYSCTLBINARY} -n kern.boottime)
|
||||||
TIME_NOW=$(date "+%s")
|
TIME_NOW=$(date "+%s")
|
||||||
LogText "Boot time: ${TIME_BOOT}"
|
LogText "Boot time: ${TIME_BOOT}"
|
||||||
LogText "Current time: ${TIME_NOW}"
|
LogText "Current time: ${TIME_NOW}"
|
||||||
if [ ! -z "${TIME_BOOT}" -a ! -z "${TIME_NOW}" ]; then
|
if [ -n "${TIME_BOOT}" -a -n "${TIME_NOW}" ]; then
|
||||||
UPTIME_IN_SECS=$((TIME_NOW - TIME_BOOT))
|
UPTIME_IN_SECS=$((TIME_NOW - TIME_BOOT))
|
||||||
else
|
else
|
||||||
ReportException "${TEST_NO}:5" "Most likely kern.boottime empty, unable to determine uptime"
|
ReportException "${TEST_NO}:5" "Most likely kern.boottime empty, unable to determine uptime"
|
||||||
@ -791,7 +791,7 @@
|
|||||||
;;
|
;;
|
||||||
|
|
||||||
Solaris)
|
Solaris)
|
||||||
if [ ! -z "${KSTATBINARY}" ]; then
|
if [ -n "${KSTATBINARY}" ]; then
|
||||||
UPTIME_IN_SECS=$(${KSTATBINARY} -p unix:0:system_misc:snaptime | ${GREPBINARY} "^unix" | ${AWKBINARY} '{print $2}' | ${CUTBINARY} -d "." -f1)
|
UPTIME_IN_SECS=$(${KSTATBINARY} -p unix:0:system_misc:snaptime | ${GREPBINARY} "^unix" | ${AWKBINARY} '{print $2}' | ${CUTBINARY} -d "." -f1)
|
||||||
else
|
else
|
||||||
Display --indent 2 --text "- Checking uptime" --result "${STATUS_SKIPPED}" --color YELLOW
|
Display --indent 2 --text "- Checking uptime" --result "${STATUS_SKIPPED}" --color YELLOW
|
||||||
@ -806,7 +806,7 @@
|
|||||||
ReportException "${TEST_NO}:3" "No uptime test available yet for this operating system"
|
ReportException "${TEST_NO}:3" "No uptime test available yet for this operating system"
|
||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
if [ ! -z "${UPTIME_IN_SECS}" ]; then
|
if [ -n "${UPTIME_IN_SECS}" ]; then
|
||||||
UPTIME_IN_DAYS=$((UPTIME_IN_SECS / 60 / 60 / 24))
|
UPTIME_IN_DAYS=$((UPTIME_IN_SECS / 60 / 60 / 24))
|
||||||
LogText "Uptime (in seconds): ${UPTIME_IN_SECS}"
|
LogText "Uptime (in seconds): ${UPTIME_IN_SECS}"
|
||||||
LogText "Uptime (in days): ${UPTIME_IN_DAYS}"
|
LogText "Uptime (in days): ${UPTIME_IN_DAYS}"
|
||||||
@ -828,7 +828,7 @@
|
|||||||
LogText "Result: file /usr/lib/systemd/system/rescue.service"
|
LogText "Result: file /usr/lib/systemd/system/rescue.service"
|
||||||
LogText "Test: checking presence sulogin for single user mode"
|
LogText "Test: checking presence sulogin for single user mode"
|
||||||
FIND=$(${EGREPBINARY} "^ExecStart=.*sulogin" ${ROOTDIR}usr/lib/systemd/system/rescue.service)
|
FIND=$(${EGREPBINARY} "^ExecStart=.*sulogin" ${ROOTDIR}usr/lib/systemd/system/rescue.service)
|
||||||
if [ ! -z "${FIND}" ]; then
|
if [ -n "${FIND}" ]; then
|
||||||
FOUND=1
|
FOUND=1
|
||||||
LogText "Result: found sulogin, so single user is protected"
|
LogText "Result: found sulogin, so single user is protected"
|
||||||
AddHP 3 3
|
AddHP 3 3
|
||||||
@ -898,7 +898,7 @@
|
|||||||
LogText "Test: checking for available files in directory"
|
LogText "Test: checking for available files in directory"
|
||||||
# OpenBSD uses symlinks to create another instance of daemons
|
# OpenBSD uses symlinks to create another instance of daemons
|
||||||
FIND=$(${FINDBINARY} ${CHECKDIR} \( -type f -o -type l \) -print | ${SORTBINARY})
|
FIND=$(${FINDBINARY} ${CHECKDIR} \( -type f -o -type l \) -print | ${SORTBINARY})
|
||||||
if [ ! -z "${FIND}" ]; then
|
if [ -n "${FIND}" ]; then
|
||||||
LogText "Result: found files in directory, checking permissions now"
|
LogText "Result: found files in directory, checking permissions now"
|
||||||
for FILE in ${FIND}; do
|
for FILE in ${FIND}; do
|
||||||
LogText "Test: checking permissions of file ${FILE}"
|
LogText "Test: checking permissions of file ${FILE}"
|
||||||
|
|||||||
@ -40,7 +40,7 @@
|
|||||||
if [ ${SKIPTEST} -eq 0 ]; then
|
if [ ${SKIPTEST} -eq 0 ]; then
|
||||||
LogText "Test: query zoneadm to list all running zones"
|
LogText "Test: query zoneadm to list all running zones"
|
||||||
FIND=$(${ROOTDIR}usr/sbin/zoneadm list -p | ${AWKBINARY} -F: '{ if ($2!="global") print $0 }')
|
FIND=$(${ROOTDIR}usr/sbin/zoneadm list -p | ${AWKBINARY} -F: '{ if ($2!="global") print $0 }')
|
||||||
if [ ! -z "${FIND}" ]; then
|
if [ -n "${FIND}" ]; then
|
||||||
COUNT=0
|
COUNT=0
|
||||||
for ITEM in ${FIND}; do
|
for ITEM in ${FIND}; do
|
||||||
COUNT=$((COUNT + 1))
|
COUNT=$((COUNT + 1))
|
||||||
@ -131,7 +131,7 @@
|
|||||||
# Test : CONT-8106
|
# Test : CONT-8106
|
||||||
# Description : Checking Docker containers (basic stats)
|
# Description : Checking Docker containers (basic stats)
|
||||||
# Notes : Hardening points are awarded, if there aren't a lot of stopped containers
|
# Notes : Hardening points are awarded, if there aren't a lot of stopped containers
|
||||||
if [ ! -z "${DOCKERBINARY}" -a ${RUN_DOCKER_TESTS} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
if [ -n "${DOCKERBINARY}" -a ${RUN_DOCKER_TESTS} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||||
Register --test-no CONT-8106 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Gather basic stats from Docker"
|
Register --test-no CONT-8106 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Gather basic stats from Docker"
|
||||||
if [ ${SKIPTEST} -eq 0 ]; then
|
if [ ${SKIPTEST} -eq 0 ]; then
|
||||||
Display --indent 6 --text "- Containers"
|
Display --indent 6 --text "- Containers"
|
||||||
@ -171,7 +171,7 @@
|
|||||||
# Test : CONT-8107
|
# Test : CONT-8107
|
||||||
# Description : Checking Docker number of unused containers
|
# Description : Checking Docker number of unused containers
|
||||||
# Notes : Hardening points are awarded, if there aren't a lot of stopped containers
|
# Notes : Hardening points are awarded, if there aren't a lot of stopped containers
|
||||||
if [ ! -z "${DOCKERBINARY}" -a ${RUN_DOCKER_TESTS} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
if [ -n "${DOCKERBINARY}" -a ${RUN_DOCKER_TESTS} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||||
Register --test-no CONT-8107 --preqs-met ${PREQS_MET} --weight L --network NO --category performance --description "Check number of Docker containers"
|
Register --test-no CONT-8107 --preqs-met ${PREQS_MET} --weight L --network NO --category performance --description "Check number of Docker containers"
|
||||||
if [ ${SKIPTEST} -eq 0 ]; then
|
if [ ${SKIPTEST} -eq 0 ]; then
|
||||||
# Check if there aren't too many unused containers on the system
|
# Check if there aren't too many unused containers on the system
|
||||||
@ -194,7 +194,7 @@
|
|||||||
# Test : CONT-8108
|
# Test : CONT-8108
|
||||||
# Description : Checking Docker file permissions
|
# Description : Checking Docker file permissions
|
||||||
# Notes : /var/run/docker.sock - Usually root as owner, docker as group - should not be world writable
|
# Notes : /var/run/docker.sock - Usually root as owner, docker as group - should not be world writable
|
||||||
if [ ! -z "${DOCKERBINARY}" -a ${RUN_DOCKER_TESTS} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
if [ -n "${DOCKERBINARY}" -a ${RUN_DOCKER_TESTS} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||||
Register --test-no CONT-8108 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check file permissions for Docker files"
|
Register --test-no CONT-8108 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check file permissions for Docker files"
|
||||||
if [ ${SKIPTEST} -eq 0 ]; then
|
if [ ${SKIPTEST} -eq 0 ]; then
|
||||||
NOT_WORLD_WRITABLE="${ROOTDIR}var/run/docker.sock"
|
NOT_WORLD_WRITABLE="${ROOTDIR}var/run/docker.sock"
|
||||||
|
|||||||
@ -28,7 +28,7 @@
|
|||||||
#
|
#
|
||||||
# Test : CRYP-7902
|
# Test : CRYP-7902
|
||||||
# Description : check for expired SSL certificates
|
# Description : check for expired SSL certificates
|
||||||
if [ ! -z "${OPENSSLBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
if [ -n "${OPENSSLBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||||
Register --test-no CRYP-7902 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check expire date of SSL certificates"
|
Register --test-no CRYP-7902 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check expire date of SSL certificates"
|
||||||
if [ ${SKIPTEST} -eq 0 ]; then
|
if [ ${SKIPTEST} -eq 0 ]; then
|
||||||
COUNT_EXPIRED=0
|
COUNT_EXPIRED=0
|
||||||
|
|||||||
@ -71,7 +71,7 @@
|
|||||||
# Test : DBS-1816
|
# Test : DBS-1816
|
||||||
# Description : Check empty MySQL root password
|
# Description : Check empty MySQL root password
|
||||||
# Notes : Only perform test when MySQL is running and client is available
|
# Notes : Only perform test when MySQL is running and client is available
|
||||||
if [ ! -z "${MYSQLCLIENTBINARY}" -a ${MYSQL_RUNNING} -eq 1 ]; then PREQS_MET="YES"; SKIPREASON=""; else PREQS_MET="NO"; SKIPREASON="MySQL not installed, or not running"; fi
|
if [ -n "${MYSQLCLIENTBINARY}" -a ${MYSQL_RUNNING} -eq 1 ]; then PREQS_MET="YES"; SKIPREASON=""; else PREQS_MET="NO"; SKIPREASON="MySQL not installed, or not running"; fi
|
||||||
Register --test-no DBS-1816 --preqs-met ${PREQS_MET} --skip-reason "${SKIPREASON}" --weight L --network NO --category security --description "Checking MySQL root password"
|
Register --test-no DBS-1816 --preqs-met ${PREQS_MET} --skip-reason "${SKIPREASON}" --weight L --network NO --category security --description "Checking MySQL root password"
|
||||||
if [ ${SKIPTEST} -eq 0 ]; then
|
if [ ${SKIPTEST} -eq 0 ]; then
|
||||||
LogText "Test: Trying to login to local MySQL server without password"
|
LogText "Test: Trying to login to local MySQL server without password"
|
||||||
@ -144,7 +144,7 @@
|
|||||||
if [ ${MONGODB_AUTHORIZATION_ENABLED} -eq 0 ]; then
|
if [ ${MONGODB_AUTHORIZATION_ENABLED} -eq 0 ]; then
|
||||||
if HasData "${PGREPBINARY}"; then
|
if HasData "${PGREPBINARY}"; then
|
||||||
AUTH_ON_CMDLINE=$(for I in $(${PGREPBINARY} mongo); do cat /proc/${I}/cmdline | xargs -0 echo | ${GREPBINARY} -E "\-\-auth( |$)"; done)
|
AUTH_ON_CMDLINE=$(for I in $(${PGREPBINARY} mongo); do cat /proc/${I}/cmdline | xargs -0 echo | ${GREPBINARY} -E "\-\-auth( |$)"; done)
|
||||||
if [ ! -z "${AUTH_ON_CMDLINE}" ]; then LogText "Result: found authorization enabled via mongod parameter"; MONGODB_AUTHORIZATION_ENABLED=1; fi
|
if [ -n "${AUTH_ON_CMDLINE}" ]; then LogText "Result: found authorization enabled via mongod parameter"; MONGODB_AUTHORIZATION_ENABLED=1; fi
|
||||||
else
|
else
|
||||||
LogText "Result: skipped this part of the test, as pgrep is not available"
|
LogText "Result: skipped this part of the test, as pgrep is not available"
|
||||||
fi
|
fi
|
||||||
@ -268,7 +268,7 @@
|
|||||||
for DIR in ${PATHS}; do
|
for DIR in ${PATHS}; do
|
||||||
LogText "Action: scanning directory (${DIR}) for Redis configuration files"
|
LogText "Action: scanning directory (${DIR}) for Redis configuration files"
|
||||||
FILES=$(${LSBINARY} ${DIR}/*.conf 2> /dev/null)
|
FILES=$(${LSBINARY} ${DIR}/*.conf 2> /dev/null)
|
||||||
if [ ! -z "${FILES}" ]; then
|
if [ -n "${FILES}" ]; then
|
||||||
ALLFILES="${ALLFILES} ${FILES}"
|
ALLFILES="${ALLFILES} ${FILES}"
|
||||||
else
|
else
|
||||||
LogText "Result: no configuration files found in this directory"
|
LogText "Result: no configuration files found in this directory"
|
||||||
@ -279,12 +279,12 @@
|
|||||||
LogText "Action: checking if ${CONFFILE} is a Sentinel configuration file"
|
LogText "Action: checking if ${CONFFILE} is a Sentinel configuration file"
|
||||||
# Exclude Sentinel configuration file
|
# Exclude Sentinel configuration file
|
||||||
FIND=$(${GREPBINARY} "^sentinel " ${CONFFILE})
|
FIND=$(${GREPBINARY} "^sentinel " ${CONFFILE})
|
||||||
if [ ! -z "${FIND}" ]; then
|
if [ -n "${FIND}" ]; then
|
||||||
LogText "Result: file is a Sentinel configuration file, skipping it"
|
LogText "Result: file is a Sentinel configuration file, skipping it"
|
||||||
else
|
else
|
||||||
LogText "Result: file is NOT a Sentinel configuration file. Now scanning if it is a Redis configuration file"
|
LogText "Result: file is NOT a Sentinel configuration file. Now scanning if it is a Redis configuration file"
|
||||||
FIND=$(${GREPBINARY} "Redis" ${CONFFILE})
|
FIND=$(${GREPBINARY} "Redis" ${CONFFILE})
|
||||||
if [ ! -z "${FIND}" ]; then
|
if [ -n "${FIND}" ]; then
|
||||||
REDIS_CONFIGURATION_FILES="${REDIS_CONFIGURATION_FILES} ${CONFFILE}"
|
REDIS_CONFIGURATION_FILES="${REDIS_CONFIGURATION_FILES} ${CONFFILE}"
|
||||||
REDIS_CONFIGURATION_FOUND=1
|
REDIS_CONFIGURATION_FOUND=1
|
||||||
LogText "Result: found a Redis configuration file (${CONFFILE})"
|
LogText "Result: found a Redis configuration file (${CONFFILE})"
|
||||||
|
|||||||
@ -38,7 +38,7 @@
|
|||||||
# # Description : Validate DNSSEC signiture is checked
|
# # Description : Validate DNSSEC signiture is checked
|
||||||
# Register --test-no DNS-1600 --weight L --network YES --category security --description "Validate DNSSEC igniture is checked"
|
# Register --test-no DNS-1600 --weight L --network YES --category security --description "Validate DNSSEC igniture is checked"
|
||||||
# if [ "${SKIPTEST}" -eq 0 ]; then
|
# if [ "${SKIPTEST}" -eq 0 ]; then
|
||||||
# if [ ! -z "${DIGBINARY}" ]; then
|
# if [ -n "${DIGBINARY}" ]; then
|
||||||
#
|
#
|
||||||
# GOOD=$("${DIGBINARY}" +short +time=1 $SIGOKDNS)
|
# GOOD=$("${DIGBINARY}" +short +time=1 $SIGOKDNS)
|
||||||
# BAD=$("${DIGBINARY}" +short +time=1 $SIGFAILDNS)
|
# BAD=$("${DIGBINARY}" +short +time=1 $SIGFAILDNS)
|
||||||
@ -47,16 +47,16 @@
|
|||||||
# LogText "Result: received timeout, can't determine DNSSEC validation"
|
# LogText "Result: received timeout, can't determine DNSSEC validation"
|
||||||
# Display --indent 4 --text "- Checking DNSSEC validation" --result "${STATUS_UNKOWN}" --color YELLOW
|
# Display --indent 4 --text "- Checking DNSSEC validation" --result "${STATUS_UNKOWN}" --color YELLOW
|
||||||
# #ReportException "${TEST_NO}" "Exception found, both query failed, due to connection timeout"
|
# #ReportException "${TEST_NO}" "Exception found, both query failed, due to connection timeout"
|
||||||
# elif [ -z "${GOOD}" -a ! -z "${BAD}" ]; then
|
# elif [ -z "${GOOD}" -a -n "${BAD}" ]; then
|
||||||
# LogText "Result: good signature failed, yet bad signature was accepted"
|
# LogText "Result: good signature failed, yet bad signature was accepted"
|
||||||
# Display --indent 4 --text "- Checking DNSSEC validation" --result "${STATUS_UNKOWN}" --color YELLOW
|
# Display --indent 4 --text "- Checking DNSSEC validation" --result "${STATUS_UNKOWN}" --color YELLOW
|
||||||
# #ReportException "${TEST_NO}" "Exception found, OK failed, bad signature was accepted"
|
# #ReportException "${TEST_NO}" "Exception found, OK failed, bad signature was accepted"
|
||||||
# elif [ ! -z "${GOOD}" -a ! -z "${BAD}" ]; then
|
# elif [ -n "${GOOD}" -a -n "${BAD}" ]; then
|
||||||
# Display --indent 4 --text "- Checking DNSSEC validation" --result "${STATUS_SUGGESTION}" --color YELLOW
|
# Display --indent 4 --text "- Checking DNSSEC validation" --result "${STATUS_SUGGESTION}" --color YELLOW
|
||||||
# LogText "Note: Using DNSSEC validation can protect from DNS hijacking"
|
# LogText "Note: Using DNSSEC validation can protect from DNS hijacking"
|
||||||
# #ReportSuggestion "${TEST_NO}" "Altered DNS queries are accepted, configure DNSSEC valdating name servers"
|
# #ReportSuggestion "${TEST_NO}" "Altered DNS queries are accepted, configure DNSSEC valdating name servers"
|
||||||
# AddHP 2 2
|
# AddHP 2 2
|
||||||
# elif [ ! -z "${GOOD}" -a -z "${BAD}" ]; then
|
# elif [ -n "${GOOD}" -a -z "${BAD}" ]; then
|
||||||
# Display --indent 4 --text "- Checking DNSSEC validation" --result "${STATUS_OK}" --color GREEN
|
# Display --indent 4 --text "- Checking DNSSEC validation" --result "${STATUS_OK}" --color GREEN
|
||||||
# LogText "Result: altered DNS responses were ignored"
|
# LogText "Result: altered DNS responses were ignored"
|
||||||
# AddHP 0 2
|
# AddHP 0 2
|
||||||
|
|||||||
@ -70,7 +70,7 @@
|
|||||||
#
|
#
|
||||||
# Test : FINT-4315
|
# Test : FINT-4315
|
||||||
# Description : Check AIDE configuration file
|
# Description : Check AIDE configuration file
|
||||||
if [ ! -z "${AIDEBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
if [ -n "${AIDEBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||||
Register --test-no FINT-4315 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check AIDE configuration file"
|
Register --test-no FINT-4315 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check AIDE configuration file"
|
||||||
if [ ${SKIPTEST} -eq 0 ]; then
|
if [ ${SKIPTEST} -eq 0 ]; then
|
||||||
AIDE_CONFIG_LOCS="${ROOTDIR}etc ${ROOTDIR}etc/aide ${ROOTDIR}usr/local/etc"
|
AIDE_CONFIG_LOCS="${ROOTDIR}etc ${ROOTDIR}etc/aide ${ROOTDIR}usr/local/etc"
|
||||||
@ -104,7 +104,7 @@
|
|||||||
Register --test-no FINT-4318 --weight L --network NO --category security --description "Osiris availability"
|
Register --test-no FINT-4318 --weight L --network NO --category security --description "Osiris availability"
|
||||||
if [ ${SKIPTEST} -eq 0 ]; then
|
if [ ${SKIPTEST} -eq 0 ]; then
|
||||||
LogText "Test: Checking Osiris binary"
|
LogText "Test: Checking Osiris binary"
|
||||||
if [ ! -z "${OSIRISBINARY}" ]; then
|
if [ -n "${OSIRISBINARY}" ]; then
|
||||||
LogText "Result: Osiris is installed (${OSIRISBINARY})"
|
LogText "Result: Osiris is installed (${OSIRISBINARY})"
|
||||||
Report "file_integrity_tool[]=osiris"
|
Report "file_integrity_tool[]=osiris"
|
||||||
FILE_INT_TOOL="osiris"
|
FILE_INT_TOOL="osiris"
|
||||||
@ -123,7 +123,7 @@
|
|||||||
Register --test-no FINT-4322 --weight L --network NO --category security --description "Samhain availability"
|
Register --test-no FINT-4322 --weight L --network NO --category security --description "Samhain availability"
|
||||||
if [ ${SKIPTEST} -eq 0 ]; then
|
if [ ${SKIPTEST} -eq 0 ]; then
|
||||||
LogText "Test: Checking Samhain binary"
|
LogText "Test: Checking Samhain binary"
|
||||||
if [ ! -z "${SAMHAINBINARY}" ]; then
|
if [ -n "${SAMHAINBINARY}" ]; then
|
||||||
LogText "Result: Samhain is installed (${SAMHAINBINARY})"
|
LogText "Result: Samhain is installed (${SAMHAINBINARY})"
|
||||||
Report "file_integrity_tool[]=samhain"
|
Report "file_integrity_tool[]=samhain"
|
||||||
FILE_INT_TOOL="samhain"
|
FILE_INT_TOOL="samhain"
|
||||||
@ -142,7 +142,7 @@
|
|||||||
Register --test-no FINT-4326 --weight L --network NO --category security --description "Tripwire availability"
|
Register --test-no FINT-4326 --weight L --network NO --category security --description "Tripwire availability"
|
||||||
if [ ${SKIPTEST} -eq 0 ]; then
|
if [ ${SKIPTEST} -eq 0 ]; then
|
||||||
LogText "Test: Checking Tripwire binary"
|
LogText "Test: Checking Tripwire binary"
|
||||||
if [ ! -z "${TRIPWIREBINARY}" ]; then
|
if [ -n "${TRIPWIREBINARY}" ]; then
|
||||||
LogText "Result: Tripwire is installed (${TRIPWIREBINARY})"
|
LogText "Result: Tripwire is installed (${TRIPWIREBINARY})"
|
||||||
Report "file_integrity_tool[]=tripwire"
|
Report "file_integrity_tool[]=tripwire"
|
||||||
FILE_INT_TOOL="tripwire"
|
FILE_INT_TOOL="tripwire"
|
||||||
@ -229,7 +229,7 @@
|
|||||||
Display --indent 6 --text "- Configuration status" --result "${STATUS_DISABLED}" --color YELLOW
|
Display --indent 6 --text "- Configuration status" --result "${STATUS_DISABLED}" --color YELLOW
|
||||||
fi
|
fi
|
||||||
ENABLED=$(${GREPBINARY} "^LF_DIRWATCH =" ${CSF_CONFIG} | ${AWKBINARY} '{ print $3 }' | ${SEDBINARY} 's/\"//g')
|
ENABLED=$(${GREPBINARY} "^LF_DIRWATCH =" ${CSF_CONFIG} | ${AWKBINARY} '{ print $3 }' | ${SEDBINARY} 's/\"//g')
|
||||||
if [ ! "${ENABLED}" = "0" -a ! -z "${ENABLED}" ]; then
|
if [ ! "${ENABLED}" = "0" -a -n "${ENABLED}" ]; then
|
||||||
LogText "Result: lfd directory watching is enabled (value: ${ENABLED})"
|
LogText "Result: lfd directory watching is enabled (value: ${ENABLED})"
|
||||||
Display --indent 6 --text "- Temporary directory watches" --result "${STATUS_ENABLED}" --color GREEN
|
Display --indent 6 --text "- Temporary directory watches" --result "${STATUS_ENABLED}" --color GREEN
|
||||||
else
|
else
|
||||||
@ -237,7 +237,7 @@
|
|||||||
Display --indent 6 --text "- Temporary directory watches" --result "${STATUS_DISABLED}" --color YELLOW
|
Display --indent 6 --text "- Temporary directory watches" --result "${STATUS_DISABLED}" --color YELLOW
|
||||||
fi
|
fi
|
||||||
ENABLED=$(${GREPBINARY} "^LF_DIRWATCH_FILE =" ${CSF_CONFIG} | ${AWKBINARY} '{ print $3 }' | ${SEDBINARY} 's/\"//g')
|
ENABLED=$(${GREPBINARY} "^LF_DIRWATCH_FILE =" ${CSF_CONFIG} | ${AWKBINARY} '{ print $3 }' | ${SEDBINARY} 's/\"//g')
|
||||||
if [ ! "${ENABLED}" = "0" -a ! -z "${ENABLED}" ]; then
|
if [ ! "${ENABLED}" = "0" -a -n "${ENABLED}" ]; then
|
||||||
Display --indent 6 --text "- Directory/File watches" --result "${STATUS_ENABLED}" --color GREEN
|
Display --indent 6 --text "- Directory/File watches" --result "${STATUS_ENABLED}" --color GREEN
|
||||||
else
|
else
|
||||||
Display --indent 6 --text "- Directory/File watches" --result "${STATUS_DISABLED}" --color YELLOW
|
Display --indent 6 --text "- Directory/File watches" --result "${STATUS_DISABLED}" --color YELLOW
|
||||||
@ -267,7 +267,7 @@
|
|||||||
#
|
#
|
||||||
# Test : FINT-4402 (was FINT-4316)
|
# Test : FINT-4402 (was FINT-4316)
|
||||||
# Description : Check if AIDE is configured to use SHA256 or SHA512 checksums
|
# Description : Check if AIDE is configured to use SHA256 or SHA512 checksums
|
||||||
if [ ! "${AIDEBINARY}" = "" -a ! -z "${AIDECONFIG}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
if [ ! "${AIDEBINARY}" = "" -a -n "${AIDECONFIG}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||||
Register --test-no FINT-4402 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "AIDE configuration: Checksums (SHA256 or SHA512)"
|
Register --test-no FINT-4402 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "AIDE configuration: Checksums (SHA256 or SHA512)"
|
||||||
if [ ${SKIPTEST} -eq 0 ]; then
|
if [ ${SKIPTEST} -eq 0 ]; then
|
||||||
FIND=$(${GREPBINARY} -v "^#" ${AIDECONFIG} | ${EGREPBINARY} "= .*(sha256|sha512)")
|
FIND=$(${GREPBINARY} -v "^#" ${AIDECONFIG} | ${EGREPBINARY} "= .*(sha256|sha512)")
|
||||||
|
|||||||
@ -89,7 +89,7 @@
|
|||||||
ReportException "${TEST_NO}:1" "Don't know this specific operating system yet, while volume group manager was found"
|
ReportException "${TEST_NO}:1" "Don't know this specific operating system yet, while volume group manager was found"
|
||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
if [ ! -z "${FIND}" ]; then
|
if [ -n "${FIND}" ]; then
|
||||||
LogText "Result: found one or more volume groups"
|
LogText "Result: found one or more volume groups"
|
||||||
for I in ${FIND}; do
|
for I in ${FIND}; do
|
||||||
LogText "Found LVM volume group: ${I}"
|
LogText "Found LVM volume group: ${I}"
|
||||||
@ -152,7 +152,7 @@
|
|||||||
if [ ${SKIPTEST} -eq 0 ]; then
|
if [ ${SKIPTEST} -eq 0 ]; then
|
||||||
LogText "Test: Checking for Linux EXT file systems"
|
LogText "Test: Checking for Linux EXT file systems"
|
||||||
FIND=$(${MOUNTBINARY} -t ext2,ext3,ext4 | ${AWKBINARY} '{ print $3","$5 }')
|
FIND=$(${MOUNTBINARY} -t ext2,ext3,ext4 | ${AWKBINARY} '{ print $3","$5 }')
|
||||||
if [ ! -z "${FIND}" ]; then
|
if [ -n "${FIND}" ]; then
|
||||||
LogText "Result: found one or more EXT file systems"
|
LogText "Result: found one or more EXT file systems"
|
||||||
for I in ${FIND}; do
|
for I in ${FIND}; do
|
||||||
FILESYSTEM=$(echo ${I} | ${CUTBINARY} -d ',' -f1)
|
FILESYSTEM=$(echo ${I} | ${CUTBINARY} -d ',' -f1)
|
||||||
@ -173,7 +173,7 @@
|
|||||||
if [ ${SKIPTEST} -eq 0 ]; then
|
if [ ${SKIPTEST} -eq 0 ]; then
|
||||||
LogText "Test: Checking for Linux XFS file systems"
|
LogText "Test: Checking for Linux XFS file systems"
|
||||||
FIND=$(${MOUNTBINARY} -t xfs | ${AWKBINARY} '{ print $3","$5 }')
|
FIND=$(${MOUNTBINARY} -t xfs | ${AWKBINARY} '{ print $3","$5 }')
|
||||||
if [ ! -z "${FIND}" ]; then
|
if [ -n "${FIND}" ]; then
|
||||||
LogText "Result: found one or more XFS file systems"
|
LogText "Result: found one or more XFS file systems"
|
||||||
for I in ${FIND}; do
|
for I in ${FIND}; do
|
||||||
FILESYSTEM=$(echo ${I} | ${CUTBINARY} -d ',' -f1)
|
FILESYSTEM=$(echo ${I} | ${CUTBINARY} -d ',' -f1)
|
||||||
@ -272,12 +272,12 @@
|
|||||||
|
|
||||||
# Test for UUID usage (e.g. UUID=uuid --> /dev/disk/by-uuid/<uuid>)
|
# Test for UUID usage (e.g. UUID=uuid --> /dev/disk/by-uuid/<uuid>)
|
||||||
HAS_UUID=$(echo ${I} | ${GREPBINARY} "^UUID=")
|
HAS_UUID=$(echo ${I} | ${GREPBINARY} "^UUID=")
|
||||||
if [ ! -z "${HAS_UUID}" ]; then
|
if [ -n "${HAS_UUID}" ]; then
|
||||||
UUID=$(echo ${HAS_UUID} | ${AWKBINARY} -F= '{ print $2 }')
|
UUID=$(echo ${HAS_UUID} | ${AWKBINARY} -F= '{ print $2 }')
|
||||||
LogText "Result: Using ${UUID} as UUID"
|
LogText "Result: Using ${UUID} as UUID"
|
||||||
if [ ! -z "${BLKIDBINARY}" ]; then
|
if [ -n "${BLKIDBINARY}" ]; then
|
||||||
FIND2=$(${BLKIDBINARY} | ${AWKBINARY} '{ if ($2=="UUID=\"${UUID}\"") print $1 }' | ${SEDBINARY} 's/:$//')
|
FIND2=$(${BLKIDBINARY} | ${AWKBINARY} '{ if ($2=="UUID=\"${UUID}\"") print $1 }' | ${SEDBINARY} 's/:$//')
|
||||||
if [ ! -z "${FIND2}" ]; then
|
if [ -n "${FIND2}" ]; then
|
||||||
REAL="${FIND2}"
|
REAL="${FIND2}"
|
||||||
fi
|
fi
|
||||||
else
|
else
|
||||||
@ -286,7 +286,7 @@
|
|||||||
if [ -L /dev/disk/by-uuid/${UUID} ]; then
|
if [ -L /dev/disk/by-uuid/${UUID} ]; then
|
||||||
LogText "Result: found disk via /dev/disk/by-uuid listing"
|
LogText "Result: found disk via /dev/disk/by-uuid listing"
|
||||||
ShowSymlinkPath /dev/disk/by-uuid/${UUID}
|
ShowSymlinkPath /dev/disk/by-uuid/${UUID}
|
||||||
if [ ! -z "${sFILE}" ]; then
|
if [ -n "${sFILE}" ]; then
|
||||||
REAL="${sFILE}"
|
REAL="${sFILE}"
|
||||||
LogText "Result: disk is ${REAL}"
|
LogText "Result: disk is ${REAL}"
|
||||||
fi
|
fi
|
||||||
@ -342,7 +342,7 @@
|
|||||||
if [ "${OS}" = "Linux" -a -f ${ROOTDIR}proc/version ]; then
|
if [ "${OS}" = "Linux" -a -f ${ROOTDIR}proc/version ]; then
|
||||||
LINUX_KERNEL_MAJOR=$(echo $OS_KERNELVERSION | ${AWKBINARY} -F. '{print $1}')
|
LINUX_KERNEL_MAJOR=$(echo $OS_KERNELVERSION | ${AWKBINARY} -F. '{print $1}')
|
||||||
LINUX_KERNEL_MINOR=$(echo $OS_KERNELVERSION | ${AWKBINARY} -F. '{print $2}')
|
LINUX_KERNEL_MINOR=$(echo $OS_KERNELVERSION | ${AWKBINARY} -F. '{print $2}')
|
||||||
if [ ! -z "${LINUX_KERNEL_MAJOR}" -a ! -z "${LINUX_KERNEL_MINOR}" ]; then
|
if [ -n "${LINUX_KERNEL_MAJOR}" -a -n "${LINUX_KERNEL_MINOR}" ]; then
|
||||||
if [ ${LINUX_KERNEL_MAJOR} -ge 3 -a ${LINUX_KERNEL_MINOR} -ge 3 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
if [ ${LINUX_KERNEL_MAJOR} -ge 3 -a ${LINUX_KERNEL_MINOR} -ge 3 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||||
else
|
else
|
||||||
PREQS_MET="NO";
|
PREQS_MET="NO";
|
||||||
@ -464,7 +464,7 @@
|
|||||||
FOUND=0
|
FOUND=0
|
||||||
LogText "Test: Checking acl option on ext[2-4] root file system"
|
LogText "Test: Checking acl option on ext[2-4] root file system"
|
||||||
FIND=$(${MOUNTBINARY} | ${AWKBINARY} '{ if ($3=="/" && $5~/ext[2-4]/) { print $6 } }' | ${GREPBINARY} acl)
|
FIND=$(${MOUNTBINARY} | ${AWKBINARY} '{ if ($3=="/" && $5~/ext[2-4]/) { print $6 } }' | ${GREPBINARY} acl)
|
||||||
if [ ! -z "${FIND}" ]; then
|
if [ -n "${FIND}" ]; then
|
||||||
LogText "Result: found ACL option"
|
LogText "Result: found ACL option"
|
||||||
FOUND=1
|
FOUND=1
|
||||||
else
|
else
|
||||||
@ -480,11 +480,11 @@
|
|||||||
FIND1=$(${MOUNTBINARY} -t ext2,ext3,ext4 | ${GREPBINARY} "on / " | ${AWKBINARY} '{ print $1 }')
|
FIND1=$(${MOUNTBINARY} -t ext2,ext3,ext4 | ${GREPBINARY} "on / " | ${AWKBINARY} '{ print $1 }')
|
||||||
fi
|
fi
|
||||||
# Trying to determine default mount options from EXT2/EXT3/EXT4 file systems
|
# Trying to determine default mount options from EXT2/EXT3/EXT4 file systems
|
||||||
if [ ! -z "${FIND1}" ]; then
|
if [ -n "${FIND1}" ]; then
|
||||||
LogText "Result: found ${FIND1}"
|
LogText "Result: found ${FIND1}"
|
||||||
LogText "Test: Checking default options on ${FIND1}"
|
LogText "Test: Checking default options on ${FIND1}"
|
||||||
FIND2=$(${TUNE2FSBINARY} -l ${FIND1} 2> /dev/null | ${GREPBINARY} "^Default mount options" | ${GREPBINARY} "acl")
|
FIND2=$(${TUNE2FSBINARY} -l ${FIND1} 2> /dev/null | ${GREPBINARY} "^Default mount options" | ${GREPBINARY} "acl")
|
||||||
if [ ! -z "${FIND2}" ]; then
|
if [ -n "${FIND2}" ]; then
|
||||||
LogText "Result: found ACL option in default mount options"
|
LogText "Result: found ACL option in default mount options"
|
||||||
FOUND=1
|
FOUND=1
|
||||||
else
|
else
|
||||||
@ -528,7 +528,7 @@
|
|||||||
NOEXEC=$(echo ${FIND} | ${AWKBINARY} '{ if ($1 ~ "noexec") { print "YES" } else { print "NO" } }')
|
NOEXEC=$(echo ${FIND} | ${AWKBINARY} '{ if ($1 ~ "noexec") { print "YES" } else { print "NO" } }')
|
||||||
NOSUID=$(echo ${FIND} | ${AWKBINARY} '{ if ($1 ~ "nosuid") { print "YES" } else { print "NO" } }')
|
NOSUID=$(echo ${FIND} | ${AWKBINARY} '{ if ($1 ~ "nosuid") { print "YES" } else { print "NO" } }')
|
||||||
|
|
||||||
if [ ! -z "${FIND}" ]; then
|
if [ -n "${FIND}" ]; then
|
||||||
LogText "Result: mount system / is configured with options: ${FIND}"
|
LogText "Result: mount system / is configured with options: ${FIND}"
|
||||||
if [ "${FIND}" = "defaults" ]; then
|
if [ "${FIND}" = "defaults" ]; then
|
||||||
Display --indent 2 --text "- Mount options of /" --result "${STATUS_OK}" --color GREEN
|
Display --indent 2 --text "- Mount options of /" --result "${STATUS_OK}" --color GREEN
|
||||||
@ -577,7 +577,7 @@
|
|||||||
FS_FSTAB=""
|
FS_FSTAB=""
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
if [ ! -z "${FS_FSTAB}" ]; then
|
if [ -n "${FS_FSTAB}" ]; then
|
||||||
FOUND_FLAGS=$(${AWKBINARY} -v fs=${FILESYSTEM} '{ if ($2==fs) { print $4 } }' ${ROOTDIR}etc/fstab | ${SEDBINARY} 's/,/ /g' | ${TRBINARY} '\n' ' ')
|
FOUND_FLAGS=$(${AWKBINARY} -v fs=${FILESYSTEM} '{ if ($2==fs) { print $4 } }' ${ROOTDIR}etc/fstab | ${SEDBINARY} 's/,/ /g' | ${TRBINARY} '\n' ' ')
|
||||||
LogText "File system: ${FILESYSTEM}"
|
LogText "File system: ${FILESYSTEM}"
|
||||||
LogText "Expected flags: ${EXPECTED_FLAGS}"
|
LogText "Expected flags: ${EXPECTED_FLAGS}"
|
||||||
@ -629,7 +629,7 @@
|
|||||||
if [ -f ${ROOTDIR}etc/fstab ]; then
|
if [ -f ${ROOTDIR}etc/fstab ]; then
|
||||||
FIND=$(${AWKBINARY} '{ if ($2=="/var/tmp") { print $4 } }' ${ROOTDIR}etc/fstab)
|
FIND=$(${AWKBINARY} '{ if ($2=="/var/tmp") { print $4 } }' ${ROOTDIR}etc/fstab)
|
||||||
BIND=$(echo ${FIND} | ${AWKBINARY} '{ if ($1 ~ "bind") { print "YES" } else { print "NO" } }')
|
BIND=$(echo ${FIND} | ${AWKBINARY} '{ if ($1 ~ "bind") { print "YES" } else { print "NO" } }')
|
||||||
if [ ! -z "${FIND}" ]; then
|
if [ -n "${FIND}" ]; then
|
||||||
LogText "Result: mount system /var/tmp is configured with options: ${FIND}"
|
LogText "Result: mount system /var/tmp is configured with options: ${FIND}"
|
||||||
if [ "${BIND}" = "YES" ]; then
|
if [ "${BIND}" = "YES" ]; then
|
||||||
Display --indent 2 --text "- /var/tmp is bound to /tmp" --result "${STATUS_OK}" --color GREEN
|
Display --indent 2 --text "- /var/tmp is bound to /tmp" --result "${STATUS_OK}" --color GREEN
|
||||||
@ -760,7 +760,7 @@
|
|||||||
# Data : cramfs freevxfs hfs hfsplus jffs2 squashfs udf
|
# Data : cramfs freevxfs hfs hfsplus jffs2 squashfs udf
|
||||||
Register --test-no FILE-6430 --weight L --network NO --category security --description "Disable mounting of some filesystems"
|
Register --test-no FILE-6430 --weight L --network NO --category security --description "Disable mounting of some filesystems"
|
||||||
if [ ${SKIPTEST} -eq 0 ]; then
|
if [ ${SKIPTEST} -eq 0 ]; then
|
||||||
if [ ! -z "${LSMODBINARY}" -a -f /proc/modules ]; then
|
if [ -n "${LSMODBINARY}" -a -f /proc/modules ]; then
|
||||||
Display --indent 2 --text "- Disable kernel support of some filesystems"
|
Display --indent 2 --text "- Disable kernel support of some filesystems"
|
||||||
LIST_FS_NOT_SUPPORTED="cramfs freevxfs hfs hfsplus jffs2 squashfs udf"
|
LIST_FS_NOT_SUPPORTED="cramfs freevxfs hfs hfsplus jffs2 squashfs udf"
|
||||||
FOUND=0
|
FOUND=0
|
||||||
@ -769,7 +769,7 @@
|
|||||||
for FS in ${LIST_FS_NOT_SUPPORTED}; do
|
for FS in ${LIST_FS_NOT_SUPPORTED}; do
|
||||||
# Check if filesystem is present in modprobe output
|
# Check if filesystem is present in modprobe output
|
||||||
FIND=$(${MODPROBEBINARY} -v -n $FS 2>/dev/null | ${EGREPBINARY} "/${FS}.ko" | tail -1)
|
FIND=$(${MODPROBEBINARY} -v -n $FS 2>/dev/null | ${EGREPBINARY} "/${FS}.ko" | tail -1)
|
||||||
if [ ! -z "${FIND}" ]; then
|
if [ -n "${FIND}" ]; then
|
||||||
LogText "Result: found module support in kernel: ${FIND}"
|
LogText "Result: found module support in kernel: ${FIND}"
|
||||||
Debug "Module ${FS} present in the kernel"
|
Debug "Module ${FS} present in the kernel"
|
||||||
LogText "Test: Checking if ${FS} is active"
|
LogText "Test: Checking if ${FS} is active"
|
||||||
|
|||||||
@ -41,7 +41,7 @@
|
|||||||
Register --test-no FIRE-4502 --os Linux --weight L --network NO --category security --description "Check iptables kernel module"
|
Register --test-no FIRE-4502 --os Linux --weight L --network NO --category security --description "Check iptables kernel module"
|
||||||
if [ ${SKIPTEST} -eq 0 ]; then
|
if [ ${SKIPTEST} -eq 0 ]; then
|
||||||
FIND=$(${LSMODBINARY} | ${AWKBINARY} '{ print $1 }' | ${GREPBINARY} "^ip*_tables")
|
FIND=$(${LSMODBINARY} | ${AWKBINARY} '{ print $1 }' | ${GREPBINARY} "^ip*_tables")
|
||||||
if [ ! -z "${FIND}" ]; then
|
if [ -n "${FIND}" ]; then
|
||||||
FIREWALL_ACTIVE=1
|
FIREWALL_ACTIVE=1
|
||||||
IPTABLES_ACTIVE=1
|
IPTABLES_ACTIVE=1
|
||||||
IPTABLES_MODULE_ACTIVE=1
|
IPTABLES_MODULE_ACTIVE=1
|
||||||
@ -73,11 +73,11 @@
|
|||||||
# If we have a kernel configuration file, use it for testing
|
# If we have a kernel configuration file, use it for testing
|
||||||
# Do not perform test if we already found it in kernel module list, to avoid triggered it in the upcoming
|
# Do not perform test if we already found it in kernel module list, to avoid triggered it in the upcoming
|
||||||
# tests, when using iptables --list
|
# tests, when using iptables --list
|
||||||
if [ ! -z "${LINUXCONFIGFILE}" ]; then
|
if [ -n "${LINUXCONFIGFILE}" ]; then
|
||||||
if [ -f ${LINUXCONFIGFILE} -a ${IPTABLES_MODULE_ACTIVE} -eq 0 ]; then
|
if [ -f ${LINUXCONFIGFILE} -a ${IPTABLES_MODULE_ACTIVE} -eq 0 ]; then
|
||||||
LogText "Result: found kernel configuration file (${LINUXCONFIGFILE})"
|
LogText "Result: found kernel configuration file (${LINUXCONFIGFILE})"
|
||||||
FIND=$(${tCATCMD} ${LINUXCONFIGFILE} | ${GREPBINARY} -v '^#' | ${GREPBINARY} "CONFIG_IP_NF_IPTABLES" | head -n 1)
|
FIND=$(${tCATCMD} ${LINUXCONFIGFILE} | ${GREPBINARY} -v '^#' | ${GREPBINARY} "CONFIG_IP_NF_IPTABLES" | head -n 1)
|
||||||
if [ ! -z "${FIND}" ]; then
|
if [ -n "${FIND}" ]; then
|
||||||
HAVEMOD=$(echo ${FIND} | ${CUTBINARY} -d '=' -f2)
|
HAVEMOD=$(echo ${FIND} | ${CUTBINARY} -d '=' -f2)
|
||||||
# Do not use iptables if it's compiled as a module (=m), since we already tested for it in the
|
# Do not use iptables if it's compiled as a module (=m), since we already tested for it in the
|
||||||
# active list.
|
# active list.
|
||||||
@ -151,11 +151,11 @@
|
|||||||
#
|
#
|
||||||
# Test : FIRE-4512
|
# Test : FIRE-4512
|
||||||
# Description : Check iptables for empty ruleset (should have at least 5 or more rules)
|
# Description : Check iptables for empty ruleset (should have at least 5 or more rules)
|
||||||
if [ ! -z "${IPTABLESBINARY}" -a ${IPTABLES_ACTIVE} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
if [ -n "${IPTABLESBINARY}" -a ${IPTABLES_ACTIVE} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||||
Register --test-no FIRE-4512 --preqs-met ${PREQS_MET} --os Linux --weight L --network NO --root-only YES --category security --description "Check iptables for empty ruleset"
|
Register --test-no FIRE-4512 --preqs-met ${PREQS_MET} --os Linux --weight L --network NO --root-only YES --category security --description "Check iptables for empty ruleset"
|
||||||
if [ ${SKIPTEST} -eq 0 ]; then
|
if [ ${SKIPTEST} -eq 0 ]; then
|
||||||
FIND=$(${IPTABLESBINARY} --list --numeric 2> /dev/null | ${EGREPBINARY} -v "^(Chain|target|$)" | ${WCBINARY} -l | ${TRBINARY} -d ' ')
|
FIND=$(${IPTABLESBINARY} --list --numeric 2> /dev/null | ${EGREPBINARY} -v "^(Chain|target|$)" | ${WCBINARY} -l | ${TRBINARY} -d ' ')
|
||||||
if [ ! -z "${FIND}" ]; then
|
if [ -n "${FIND}" ]; then
|
||||||
FIREWALL_ACTIVE=1
|
FIREWALL_ACTIVE=1
|
||||||
if [ ${FIND} -le 5 ]; then
|
if [ ${FIND} -le 5 ]; then
|
||||||
# Firewall is active, but needs configuration
|
# Firewall is active, but needs configuration
|
||||||
@ -174,7 +174,7 @@
|
|||||||
#
|
#
|
||||||
# Test : FIRE-4513
|
# Test : FIRE-4513
|
||||||
# Description : Check iptables for unused rules
|
# Description : Check iptables for unused rules
|
||||||
if [ ! -z "${IPTABLESBINARY}" -a ${IPTABLES_ACTIVE} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
if [ -n "${IPTABLESBINARY}" -a ${IPTABLES_ACTIVE} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||||
Register --test-no FIRE-4513 --preqs-met ${PREQS_MET} --os Linux --weight L --network NO --root-only YES --category security --description "Check iptables for unused rules"
|
Register --test-no FIRE-4513 --preqs-met ${PREQS_MET} --os Linux --weight L --network NO --root-only YES --category security --description "Check iptables for unused rules"
|
||||||
if [ ${SKIPTEST} -eq 0 ]; then
|
if [ ${SKIPTEST} -eq 0 ]; then
|
||||||
FIND=$(${IPTABLESBINARY} --list --numeric --line-numbers --verbose | ${AWKBINARY} '{ if ($2=="0") print $1 }' | ${XARGSBINARY})
|
FIND=$(${IPTABLESBINARY} --list --numeric --line-numbers --verbose | ${AWKBINARY} '{ if ($2=="0") print $1 }' | ${XARGSBINARY})
|
||||||
@ -212,7 +212,7 @@
|
|||||||
|
|
||||||
# Check status with pfctl
|
# Check status with pfctl
|
||||||
LogText "Test: checking pf status via pfctl"
|
LogText "Test: checking pf status via pfctl"
|
||||||
if [ ! -z "${PFCTLBINARY}" ]; then
|
if [ -n "${PFCTLBINARY}" ]; then
|
||||||
FIND=$(${PFCTLBINARY} -sa 2>&1 | ${GREPBINARY} "^Status" | ${HEADBINARY} -1 | ${AWKBINARY} '{ print $2 }')
|
FIND=$(${PFCTLBINARY} -sa 2>&1 | ${GREPBINARY} "^Status" | ${HEADBINARY} -1 | ${AWKBINARY} '{ print $2 }')
|
||||||
if [ "${FIND}" = "Disabled" ]; then
|
if [ "${FIND}" = "Disabled" ]; then
|
||||||
if IsVerbose; then Display --indent 2 --text "- Checking pf status (pfctl)" --result "${STATUS_DISABLED}" --color RED; fi
|
if IsVerbose; then Display --indent 2 --text "- Checking pf status (pfctl)" --result "${STATUS_DISABLED}" --color RED; fi
|
||||||
@ -233,7 +233,7 @@
|
|||||||
if [ ${PFFOUND} -eq 0 ]; then
|
if [ ${PFFOUND} -eq 0 ]; then
|
||||||
# Check for pf kernel module (FreeBSD and similar)
|
# Check for pf kernel module (FreeBSD and similar)
|
||||||
LogText "Test: searching for pf kernel module"
|
LogText "Test: searching for pf kernel module"
|
||||||
if [ ! -z "${KLDSTATBINARY}" ]; then
|
if [ -n "${KLDSTATBINARY}" ]; then
|
||||||
FIND=$(${KLDSTATBINARY} | ${GREPBINARY} 'pf.ko')
|
FIND=$(${KLDSTATBINARY} | ${GREPBINARY} 'pf.ko')
|
||||||
if [ -z "${FIND}" ]; then
|
if [ -z "${FIND}" ]; then
|
||||||
LogText "Result: Can not find pf KLD"
|
LogText "Result: Can not find pf KLD"
|
||||||
@ -353,7 +353,7 @@
|
|||||||
# Description : Check IPFW (FreeBSD)
|
# Description : Check IPFW (FreeBSD)
|
||||||
Register --test-no FIRE-4530 --os FreeBSD --weight L --network NO --category security --description "Check IPFW status"
|
Register --test-no FIRE-4530 --os FreeBSD --weight L --network NO --category security --description "Check IPFW status"
|
||||||
if [ ${SKIPTEST} -eq 0 ]; then
|
if [ ${SKIPTEST} -eq 0 ]; then
|
||||||
if [ ! -z "${SYSCTLBINARY}" ]; then
|
if [ -n "${SYSCTLBINARY}" ]; then
|
||||||
# For now, only check for IPv4.
|
# For now, only check for IPv4.
|
||||||
FIND=$(${SYSCTLBINARY} net.inet.ip.fw.enable 2> /dev/null | ${AWKBINARY} '{ print $2 }')
|
FIND=$(${SYSCTLBINARY} net.inet.ip.fw.enable 2> /dev/null | ${AWKBINARY} '{ print $2 }')
|
||||||
if [ "${FIND}" = "1" ]; then
|
if [ "${FIND}" = "1" ]; then
|
||||||
@ -386,7 +386,7 @@
|
|||||||
Register --test-no FIRE-4532 --weight L --os "macOS" --preqs-met ${PREQS_MET} --network NO --category security --description "Check macOS application firewall"
|
Register --test-no FIRE-4532 --weight L --os "macOS" --preqs-met ${PREQS_MET} --network NO --category security --description "Check macOS application firewall"
|
||||||
if [ ${SKIPTEST} -eq 0 ]; then
|
if [ ${SKIPTEST} -eq 0 ]; then
|
||||||
FIND=$(/usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate 2> /dev/null | ${GREPBINARY} "Firewall is enabled")
|
FIND=$(/usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate 2> /dev/null | ${GREPBINARY} "Firewall is enabled")
|
||||||
if [ ! -z "${FIND}" ]; then
|
if [ -n "${FIND}" ]; then
|
||||||
Display --indent 2 --text "- Checking macOS: Application Firewall" --result "${STATUS_ENABLED}" --color GREEN
|
Display --indent 2 --text "- Checking macOS: Application Firewall" --result "${STATUS_ENABLED}" --color GREEN
|
||||||
AddHP 3 3
|
AddHP 3 3
|
||||||
LogText "Result: application firewall of macOS is enabled"
|
LogText "Result: application firewall of macOS is enabled"
|
||||||
@ -478,7 +478,7 @@
|
|||||||
Register --test-no FIRE-4536 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check nftables status"
|
Register --test-no FIRE-4536 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check nftables status"
|
||||||
if [ ${SKIPTEST} -eq 0 ]; then
|
if [ ${SKIPTEST} -eq 0 ]; then
|
||||||
FIND=$(${LSMODBINARY} | ${AWKBINARY} '{ print $1 }' | ${GREPBINARY} "^nf*_tables")
|
FIND=$(${LSMODBINARY} | ${AWKBINARY} '{ print $1 }' | ${GREPBINARY} "^nf*_tables")
|
||||||
if [ ! -z "${FIND}" ]; then
|
if [ -n "${FIND}" ]; then
|
||||||
LogText "Result: found nftables kernel module"
|
LogText "Result: found nftables kernel module"
|
||||||
FIREWALL_ACTIVE=1
|
FIREWALL_ACTIVE=1
|
||||||
NFTABLES_ACTIVE=1
|
NFTABLES_ACTIVE=1
|
||||||
@ -526,7 +526,7 @@
|
|||||||
Register --test-no FIRE-4586 --preqs-met ${PREQS_MET} --weight L --network NO --root-only YES --category security --description "Check firewall logging"
|
Register --test-no FIRE-4586 --preqs-met ${PREQS_MET} --weight L --network NO --root-only YES --category security --description "Check firewall logging"
|
||||||
if [ ${SKIPTEST} -eq 0 ]; then
|
if [ ${SKIPTEST} -eq 0 ]; then
|
||||||
if [ ${IPTABLES_ACTIVE} -eq 1 ]; then
|
if [ ${IPTABLES_ACTIVE} -eq 1 ]; then
|
||||||
if [ ! -z "${IPTABLESSAVEBINARY}" ]; then
|
if [ -n "${IPTABLESSAVEBINARY}" ]; then
|
||||||
HAS_LOGGING=$(${IPTABLESSAVEBINARY} | ${GREPBINARY} "\-j LOG")
|
HAS_LOGGING=$(${IPTABLESSAVEBINARY} | ${GREPBINARY} "\-j LOG")
|
||||||
if [ -z "${HAS_LOGGING}" ]; then
|
if [ -z "${HAS_LOGGING}" ]; then
|
||||||
Report "firewall_no_logging[]=iptables"
|
Report "firewall_no_logging[]=iptables"
|
||||||
@ -563,7 +563,7 @@
|
|||||||
# Test : FIRE-4594
|
# Test : FIRE-4594
|
||||||
# Description : Check for APF (Advanced Policy Firewall)
|
# Description : Check for APF (Advanced Policy Firewall)
|
||||||
Register --test-no FIRE-4594 --weight L --network NO --category security --description "Check for APF presence"
|
Register --test-no FIRE-4594 --weight L --network NO --category security --description "Check for APF presence"
|
||||||
if [ ! -z "${IPTABLESBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
if [ -n "${IPTABLESBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||||
if [ ${SKIPTEST} -eq 0 ]; then
|
if [ ${SKIPTEST} -eq 0 ]; then
|
||||||
FILE="/etc/apf/conf.apf"
|
FILE="/etc/apf/conf.apf"
|
||||||
LogText "Test: check ${FILE}"
|
LogText "Test: check ${FILE}"
|
||||||
|
|||||||
@ -59,7 +59,7 @@
|
|||||||
FILE="${ITEM}"
|
FILE="${ITEM}"
|
||||||
LogText "Test: Check file permissions for ${ITEM}"
|
LogText "Test: Check file permissions for ${ITEM}"
|
||||||
ShowSymlinkPath ${ITEM}
|
ShowSymlinkPath ${ITEM}
|
||||||
if [ ! -z "${SYMLINK}" ]; then
|
if [ -n "${SYMLINK}" ]; then
|
||||||
FILE="${SYMLINK}"
|
FILE="${SYMLINK}"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
|||||||
@ -114,7 +114,7 @@
|
|||||||
# Description : Check for suspicious shell history files
|
# Description : Check for suspicious shell history files
|
||||||
Register --test-no HOME-9310 --weight L --network NO --category security --description "Checking for suspicious shell history files"
|
Register --test-no HOME-9310 --weight L --network NO --category security --description "Checking for suspicious shell history files"
|
||||||
if [ ${SKIPTEST} -eq 0 ]; then
|
if [ ${SKIPTEST} -eq 0 ]; then
|
||||||
if [ ! -z "${HOMEDIRS}" ]; then
|
if [ -n "${HOMEDIRS}" ]; then
|
||||||
if [ "${OS}" = "Solaris" ]; then
|
if [ "${OS}" = "Solaris" ]; then
|
||||||
# Solaris doesn't support -maxdepth
|
# Solaris doesn't support -maxdepth
|
||||||
FIND=$(${FINDBINARY} ${HOMEDIRS} -name ".*history" ! -type f -print)
|
FIND=$(${FINDBINARY} ${HOMEDIRS} -name ".*history" ! -type f -print)
|
||||||
@ -152,7 +152,7 @@
|
|||||||
# Notes : For performance reasons we combine the scanning of different files, so inode caching is used
|
# Notes : For performance reasons we combine the scanning of different files, so inode caching is used
|
||||||
# as much as possible for every find command
|
# as much as possible for every find command
|
||||||
# Profile opt : ignore-home-dir (multiple lines allowed), ignores home directory
|
# Profile opt : ignore-home-dir (multiple lines allowed), ignores home directory
|
||||||
if [ ! -z "${REPORTFILE}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
if [ -n "${REPORTFILE}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||||
Register --test-no HOME-9350 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Collecting information from home directories"
|
Register --test-no HOME-9350 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Collecting information from home directories"
|
||||||
if [ ${SKIPTEST} -eq 0 ]; then
|
if [ ${SKIPTEST} -eq 0 ]; then
|
||||||
IGNORE_HOME_DIRS=$(${GREPBINARY} "^ignore-home-dir=" ${REPORTFILE} | ${AWKBINARY} -F= '{ print $2 }')
|
IGNORE_HOME_DIRS=$(${GREPBINARY} "^ignore-home-dir=" ${REPORTFILE} | ${AWKBINARY} -F= '{ print $2 }')
|
||||||
|
|||||||
@ -222,7 +222,7 @@
|
|||||||
if [ -f "${FILE}" ]; then
|
if [ -f "${FILE}" ]; then
|
||||||
LogText "Test: checking status in xinetd configuration file (${FILE})"
|
LogText "Test: checking status in xinetd configuration file (${FILE})"
|
||||||
FIND=$(${GREPBINARY} "disable\s*=\s*no" ${FILE})
|
FIND=$(${GREPBINARY} "disable\s*=\s*no" ${FILE})
|
||||||
if [ ! -z "${FIND}" ]; then
|
if [ -n "${FIND}" ]; then
|
||||||
LogText "Result: found insecure service enabled: ${SERVICE}"
|
LogText "Result: found insecure service enabled: ${SERVICE}"
|
||||||
XINETD_INSECURE_SERVICE_FOUND=1
|
XINETD_INSECURE_SERVICE_FOUND=1
|
||||||
ReportSuggestion "${TEST_NO}" "Disable or remove any insecure services in the xinetd configuration" "${SERVICE}" "text:See log file for more details"
|
ReportSuggestion "${TEST_NO}" "Disable or remove any insecure services in the xinetd configuration" "${SERVICE}" "text:See log file for more details"
|
||||||
@ -492,7 +492,7 @@
|
|||||||
#
|
#
|
||||||
#################################################################################
|
#################################################################################
|
||||||
#
|
#
|
||||||
if [ ! -z "${LAUNCHCTL_BINARY}" ]; then PREQS_MET="YES"; SKIPREASON=""; else PREQS_MET="NO"; SKIPREASON="No launchctl binary on this system"; fi
|
if [ -n "${LAUNCHCTL_BINARY}" ]; then PREQS_MET="YES"; SKIPREASON=""; else PREQS_MET="NO"; SKIPREASON="No launchctl binary on this system"; fi
|
||||||
Register --test-no INSE-8050 --os "macOS" --preqs-met ${PREQS_MET} --skip-reason "${SKIPREASON}" --weight M --network NO --category security --description "Check for insecure services on macOS"
|
Register --test-no INSE-8050 --os "macOS" --preqs-met ${PREQS_MET} --skip-reason "${SKIPREASON}" --weight M --network NO --category security --description "Check for insecure services on macOS"
|
||||||
if [ ${SKIPTEST} -eq 0 ]; then
|
if [ ${SKIPTEST} -eq 0 ]; then
|
||||||
TEST_SERVICES="com.apple.fingerd"
|
TEST_SERVICES="com.apple.fingerd"
|
||||||
|
|||||||
@ -183,7 +183,7 @@
|
|||||||
# Description : Check if Linux is build as a monolithic kernel or not
|
# Description : Check if Linux is build as a monolithic kernel or not
|
||||||
Register --test-no KRNL-5723 --os Linux --weight L --network NO --category security --description "Determining if Linux kernel is monolithic"
|
Register --test-no KRNL-5723 --os Linux --weight L --network NO --category security --description "Determining if Linux kernel is monolithic"
|
||||||
if [ ${SKIPTEST} -eq 0 ]; then
|
if [ ${SKIPTEST} -eq 0 ]; then
|
||||||
if [ ! -z "${LSMODBINARY}" -a -f /proc/modules ]; then
|
if [ -n "${LSMODBINARY}" -a -f /proc/modules ]; then
|
||||||
LogText "Test: checking if kernel is monolithic or modular"
|
LogText "Test: checking if kernel is monolithic or modular"
|
||||||
# Checking if any modules are loaded
|
# Checking if any modules are loaded
|
||||||
FIND=$(${LSMODBINARY} | ${GREPBINARY} -v "^Module" | wc -l | ${TRBINARY} -s ' ' | ${TRBINARY} -d ' ')
|
FIND=$(${LSMODBINARY} | ${GREPBINARY} -v "^Module" | wc -l | ${TRBINARY} -s ' ' | ${TRBINARY} -d ' ')
|
||||||
@ -208,7 +208,7 @@
|
|||||||
# Description : Checking Linux loaded kernel modules
|
# Description : Checking Linux loaded kernel modules
|
||||||
Register --test-no KRNL-5726 --os Linux --weight L --network NO --category security --description "Checking Linux loaded kernel modules"
|
Register --test-no KRNL-5726 --os Linux --weight L --network NO --category security --description "Checking Linux loaded kernel modules"
|
||||||
if [ ${SKIPTEST} -eq 0 ]; then
|
if [ ${SKIPTEST} -eq 0 ]; then
|
||||||
if [ ! -z "${LSMODBINARY}" -a -f /proc/modules ]; then
|
if [ -n "${LSMODBINARY}" -a -f /proc/modules ]; then
|
||||||
FIND=$(${LSMODBINARY} | ${AWKBINARY} '{ if ($1!="Module") print $1 }' | sort)
|
FIND=$(${LSMODBINARY} | ${AWKBINARY} '{ if ($1!="Module") print $1 }' | sort)
|
||||||
Display --indent 2 --text "- Checking loaded kernel modules" --result "${STATUS_DONE}" --color GREEN
|
Display --indent 2 --text "- Checking loaded kernel modules" --result "${STATUS_DONE}" --color GREEN
|
||||||
if HasData "${FIND}"; then
|
if HasData "${FIND}"; then
|
||||||
@ -519,7 +519,7 @@
|
|||||||
if [ -d ${ROOTDIR}boot ]; then
|
if [ -d ${ROOTDIR}boot ]; then
|
||||||
LogText "Result: /boot exists, performing more tests from here"
|
LogText "Result: /boot exists, performing more tests from here"
|
||||||
FIND=$(${LSBINARY} ${ROOTDIR}boot/* 2> /dev/null)
|
FIND=$(${LSBINARY} ${ROOTDIR}boot/* 2> /dev/null)
|
||||||
if [ ! -z "${FIND}" ]; then
|
if [ -n "${FIND}" ]; then
|
||||||
if [ -f ${ROOTDIR}boot/vmlinuz -a ! -L ${ROOTDIR}boot/vmlinuz ]; then
|
if [ -f ${ROOTDIR}boot/vmlinuz -a ! -L ${ROOTDIR}boot/vmlinuz ]; then
|
||||||
LogText "Result: found /boot/vmlinuz (not symlinked)"
|
LogText "Result: found /boot/vmlinuz (not symlinked)"
|
||||||
NEXTLINE=0
|
NEXTLINE=0
|
||||||
@ -532,7 +532,7 @@
|
|||||||
if [ "${I}" = "version" ]; then NEXTLINE=1; fi
|
if [ "${I}" = "version" ]; then NEXTLINE=1; fi
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
if [ ! -z "${FINDVERSION}" ]; then
|
if [ -n "${FINDVERSION}" ]; then
|
||||||
CURRENT_KERNEL=$(uname -r)
|
CURRENT_KERNEL=$(uname -r)
|
||||||
if [ ! "${CURRENT_KERNEL}" = "${FINDVERSION}" ]; then
|
if [ ! "${CURRENT_KERNEL}" = "${FINDVERSION}" ]; then
|
||||||
LogText "Result: reboot needed, as current kernel is different than the one loaded"
|
LogText "Result: reboot needed, as current kernel is different than the one loaded"
|
||||||
@ -545,7 +545,7 @@
|
|||||||
LogText "Result: /found /boot/vmlinuz-linux (usually Arch Linux or similar)"
|
LogText "Result: /found /boot/vmlinuz-linux (usually Arch Linux or similar)"
|
||||||
LogText "Test: checking kernel version on disk"
|
LogText "Test: checking kernel version on disk"
|
||||||
VERSION_ON_DISK=$(${FILEBINARY} -b ${ROOTDIR}boot/vmlinuz-linux | ${AWKBINARY} '{ if ($1=="Linux" && $7=="version") { print $8 }}')
|
VERSION_ON_DISK=$(${FILEBINARY} -b ${ROOTDIR}boot/vmlinuz-linux | ${AWKBINARY} '{ if ($1=="Linux" && $7=="version") { print $8 }}')
|
||||||
if [ ! -z "${VERSION_ON_DISK}" ]; then
|
if [ -n "${VERSION_ON_DISK}" ]; then
|
||||||
LogText "Result: found version ${VERSION_ON_DISK}"
|
LogText "Result: found version ${VERSION_ON_DISK}"
|
||||||
ACTIVE_KERNEL=$(uname -r)
|
ACTIVE_KERNEL=$(uname -r)
|
||||||
LogText "Result: active kernel version ${ACTIVE_KERNEL}"
|
LogText "Result: active kernel version ${ACTIVE_KERNEL}"
|
||||||
@ -570,7 +570,7 @@
|
|||||||
MYKERNEL=$(${UNAMEBINARY} -r | ${SEDBINARY} 's/\.[a-z].*.//g' | ${SEDBINARY} 's/-[a-z].*.//g' | ${SEDBINARY} 's/-/./g')
|
MYKERNEL=$(${UNAMEBINARY} -r | ${SEDBINARY} 's/\.[a-z].*.//g' | ${SEDBINARY} 's/-[a-z].*.//g' | ${SEDBINARY} 's/-/./g')
|
||||||
LogText "Result: using ${MYKERNEL} as my kernel version (stripped)"
|
LogText "Result: using ${MYKERNEL} as my kernel version (stripped)"
|
||||||
FIND=$(ls ${ROOTDIR}boot/vmlinuz* 2> /dev/null)
|
FIND=$(ls ${ROOTDIR}boot/vmlinuz* 2> /dev/null)
|
||||||
if [ ! -z "${FIND}" ]; then
|
if [ -n "${FIND}" ]; then
|
||||||
for ITEM in ${FIND}; do
|
for ITEM in ${FIND}; do
|
||||||
LogText "Result: found ${ITEM}"
|
LogText "Result: found ${ITEM}"
|
||||||
done
|
done
|
||||||
@ -586,11 +586,11 @@
|
|||||||
# Examples:
|
# Examples:
|
||||||
# /boot/kernel-genkernel-x86_64-3.14.14-gentoo
|
# /boot/kernel-genkernel-x86_64-3.14.14-gentoo
|
||||||
KERNELS=$(${LSBINARY} ${ROOTDIR}boot/kernel* | ${AWKBINARY} -F- '{ if ($2=="genkernel") { print $4 }}' | ${GREPBINARY} "^[0-9]" | ${SORTBINARY} -n -k1,1 -k2,2 -k3,3 -k4,4 -k5,5 -k6,6 -t \.)
|
KERNELS=$(${LSBINARY} ${ROOTDIR}boot/kernel* | ${AWKBINARY} -F- '{ if ($2=="genkernel") { print $4 }}' | ${GREPBINARY} "^[0-9]" | ${SORTBINARY} -n -k1,1 -k2,2 -k3,3 -k4,4 -k5,5 -k6,6 -t \.)
|
||||||
if [ ! -z "${KERNELS}" ]; then LogText "Output: ${KERNELS}"; fi
|
if [ -n "${KERNELS}" ]; then LogText "Output: ${KERNELS}"; fi
|
||||||
else
|
else
|
||||||
ReportException "${TEST_NO}:2" "Can not find any vmlinuz or kernel files in /boot, which is unexpected"
|
ReportException "${TEST_NO}:2" "Can not find any vmlinuz or kernel files in /boot, which is unexpected"
|
||||||
fi
|
fi
|
||||||
if [ ! -z "${KERNELS}" ]; then
|
if [ -n "${KERNELS}" ]; then
|
||||||
FOUND_KERNEL=0
|
FOUND_KERNEL=0
|
||||||
for I in ${KERNELS}; do
|
for I in ${KERNELS}; do
|
||||||
# Check if we already found a kernel and it is not equal to what we run (e.g. double versions may exist)
|
# Check if we already found a kernel and it is not equal to what we run (e.g. double versions may exist)
|
||||||
|
|||||||
@ -47,7 +47,7 @@
|
|||||||
done
|
done
|
||||||
|
|
||||||
# Scan custom profile
|
# Scan custom profile
|
||||||
if [ ! -z "${CUSTOM_PROFILE}" ]; then
|
if [ -n "${CUSTOM_PROFILE}" ]; then
|
||||||
FIND=$(${GREPBINARY} "^config-data=sysctl;" ${CUSTOM_PROFILE} | ${SEDBINARY} 's/ /-space-/g')
|
FIND=$(${GREPBINARY} "^config-data=sysctl;" ${CUSTOM_PROFILE} | ${SEDBINARY} 's/ /-space-/g')
|
||||||
for LINE in ${FIND}; do
|
for LINE in ${FIND}; do
|
||||||
SYSCTLKEY=$(echo ${LINE} | ${AWKBINARY} -F\; '{ print $2 }')
|
SYSCTLKEY=$(echo ${LINE} | ${AWKBINARY} -F\; '{ print $2 }')
|
||||||
@ -57,7 +57,7 @@
|
|||||||
fi
|
fi
|
||||||
|
|
||||||
# Last, use data from default profile
|
# Last, use data from default profile
|
||||||
if [ ! -z "${DEFAULT_PROFILE}" ]; then
|
if [ -n "${DEFAULT_PROFILE}" ]; then
|
||||||
FIND=$(${GREPBINARY} "^config-data=sysctl;" ${DEFAULT_PROFILE} | ${SEDBINARY} 's/ /-space-/g')
|
FIND=$(${GREPBINARY} "^config-data=sysctl;" ${DEFAULT_PROFILE} | ${SEDBINARY} 's/ /-space-/g')
|
||||||
for LINE in ${FIND}; do
|
for LINE in ${FIND}; do
|
||||||
SYSCTLKEY=$(echo ${LINE} | ${AWKBINARY} -F\; '{ print $2 }')
|
SYSCTLKEY=$(echo ${LINE} | ${AWKBINARY} -F\; '{ print $2 }')
|
||||||
@ -76,7 +76,7 @@
|
|||||||
tFINDhp=$(echo ${line} | ${AWKBINARY} -F\; '{ print $4 }' | ${GREPBINARY} "[0-9]")
|
tFINDhp=$(echo ${line} | ${AWKBINARY} -F\; '{ print $4 }' | ${GREPBINARY} "[0-9]")
|
||||||
tFINDdesc=$(echo ${line} | ${AWKBINARY} -F\; '{ print $5 }' | ${SEDBINARY} 's/-space-/ /g')
|
tFINDdesc=$(echo ${line} | ${AWKBINARY} -F\; '{ print $5 }' | ${SEDBINARY} 's/-space-/ /g')
|
||||||
tFINDcurvalue=$(${SYSCTL_READKEY} ${tFINDkey} 2> /dev/null)
|
tFINDcurvalue=$(${SYSCTL_READKEY} ${tFINDkey} 2> /dev/null)
|
||||||
if [ ! -z "${tFINDcurvalue}" ]; then
|
if [ -n "${tFINDcurvalue}" ]; then
|
||||||
positive_match=0
|
positive_match=0
|
||||||
for value in ${tFINDexpvalue}; do
|
for value in ${tFINDexpvalue}; do
|
||||||
if [ "${value}" = "${tFINDcurvalue}" ]; then
|
if [ "${value}" = "${tFINDcurvalue}" ]; then
|
||||||
|
|||||||
@ -66,7 +66,7 @@
|
|||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
# Check if we found a valid location
|
# Check if we found a valid location
|
||||||
if [ ! -z "${SLAPD_CONF_LOCATION}" ]; then
|
if [ -n "${SLAPD_CONF_LOCATION}" ]; then
|
||||||
Display --indent 4 --text "- Checking slapd.conf" --result "${STATUS_FOUND}" --color GREEN
|
Display --indent 4 --text "- Checking slapd.conf" --result "${STATUS_FOUND}" --color GREEN
|
||||||
else
|
else
|
||||||
Display --indent 4 --text "- Checking slapd.conf" --result "${STATUS_NOT_FOUND}" --color YELLOW
|
Display --indent 4 --text "- Checking slapd.conf" --result "${STATUS_NOT_FOUND}" --color YELLOW
|
||||||
|
|||||||
@ -262,7 +262,7 @@
|
|||||||
#
|
#
|
||||||
# Test : LOGG-2148
|
# Test : LOGG-2148
|
||||||
# Description : Checking log files rotated with logrotate
|
# Description : Checking log files rotated with logrotate
|
||||||
if [ ! -z "${LOGROTATEBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
if [ -n "${LOGROTATEBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||||
Register --test-no LOGG-2148 --weight L --preqs-met ${PREQS_MET} --network NO --category security --description "Checking logrotated files"
|
Register --test-no LOGG-2148 --weight L --preqs-met ${PREQS_MET} --network NO --category security --description "Checking logrotated files"
|
||||||
if [ ${SKIPTEST} -eq 0 ]; then
|
if [ ${SKIPTEST} -eq 0 ]; then
|
||||||
LogText "Test: Checking which files are rotated with logrotate and if they exist"
|
LogText "Test: Checking which files are rotated with logrotate and if they exist"
|
||||||
@ -311,7 +311,7 @@
|
|||||||
# Try local hosts file
|
# Try local hosts file
|
||||||
LogText "Result: Checking for loghost in /etc/inet/hosts"
|
LogText "Result: Checking for loghost in /etc/inet/hosts"
|
||||||
FIND=$(${GREPBINARY} loghost /etc/inet/hosts | ${GREPBINARY} -v "^#")
|
FIND=$(${GREPBINARY} loghost /etc/inet/hosts | ${GREPBINARY} -v "^#")
|
||||||
if [ ! -z "${FIND}" ]; then
|
if [ -n "${FIND}" ]; then
|
||||||
SOLARIS_LOGHOST_FOUND=1
|
SOLARIS_LOGHOST_FOUND=1
|
||||||
LogText "Result: Found loghost entry in /etc/inet/hosts"
|
LogText "Result: Found loghost entry in /etc/inet/hosts"
|
||||||
else
|
else
|
||||||
@ -320,7 +320,7 @@
|
|||||||
# Try name resolving if no entry is present in local host file
|
# Try name resolving if no entry is present in local host file
|
||||||
LogText "Result: Checking for loghost via name resolving"
|
LogText "Result: Checking for loghost via name resolving"
|
||||||
FIND=$(getent hosts loghost | ${GREPBINARY} loghost)
|
FIND=$(getent hosts loghost | ${GREPBINARY} loghost)
|
||||||
if [ ! -z "${FIND}" ]; then
|
if [ -n "${FIND}" ]; then
|
||||||
SOLARIS_LOGHOST_FOUND=1
|
SOLARIS_LOGHOST_FOUND=1
|
||||||
LogText "Result: name resolving was successful"
|
LogText "Result: name resolving was successful"
|
||||||
LogText "Output: ${FIND}"
|
LogText "Output: ${FIND}"
|
||||||
@ -356,7 +356,7 @@
|
|||||||
if [ -f ${SYSLOGD_CONF} ]; then
|
if [ -f ${SYSLOGD_CONF} ]; then
|
||||||
LogText "Test: check if logs are also logged to a remote logging host"
|
LogText "Test: check if logs are also logged to a remote logging host"
|
||||||
FIND=$(${EGREPBINARY} "@[a-zA-Z0-9]|destination\s.+(udp|tcp).+\sport" ${SYSLOGD_CONF} | ${GREPBINARY} -v "^#" | ${GREPBINARY} -v "[a-zA-Z0-9]@")
|
FIND=$(${EGREPBINARY} "@[a-zA-Z0-9]|destination\s.+(udp|tcp).+\sport" ${SYSLOGD_CONF} | ${GREPBINARY} -v "^#" | ${GREPBINARY} -v "[a-zA-Z0-9]@")
|
||||||
if [ ! -z "${FIND}" ]; then
|
if [ -n "${FIND}" ]; then
|
||||||
LogText "Result: remote logging enabled"
|
LogText "Result: remote logging enabled"
|
||||||
REMOTE_LOGGING_ENABLED=1
|
REMOTE_LOGGING_ENABLED=1
|
||||||
else
|
else
|
||||||
@ -364,7 +364,7 @@
|
|||||||
DESTINATIONS=$(${GREPBINARY} "^destination" ${SYSLOGD_CONF} | ${EGREPBINARY} "(udp|tcp)" | ${GREPBINARY} "port" | ${AWKBINARY} '{print $2}')
|
DESTINATIONS=$(${GREPBINARY} "^destination" ${SYSLOGD_CONF} | ${EGREPBINARY} "(udp|tcp)" | ${GREPBINARY} "port" | ${AWKBINARY} '{print $2}')
|
||||||
for DESTINATION in ${DESTINATIONS}; do
|
for DESTINATION in ${DESTINATIONS}; do
|
||||||
FIND2=$(${GREPBINARY} "log" ${SYSLOGD_CONF} | ${GREPBINARY} "source" | ${EGREPBINARY} "destination\(${DESTINATION}\)")
|
FIND2=$(${GREPBINARY} "log" ${SYSLOGD_CONF} | ${GREPBINARY} "source" | ${EGREPBINARY} "destination\(${DESTINATION}\)")
|
||||||
if [ ! -z "${FIND2}" = "" ]; then
|
if [ -n "${FIND2}" = "" ]; then
|
||||||
LogText "Result: found destination ${DESTINATION} configured for remote logging"
|
LogText "Result: found destination ${DESTINATION} configured for remote logging"
|
||||||
REMOTE_LOGGING_ENABLED=1
|
REMOTE_LOGGING_ENABLED=1
|
||||||
fi
|
fi
|
||||||
@ -461,7 +461,7 @@
|
|||||||
Register --test-no LOGG-2180 --weight L --network NO --category security --description "Checking open log files"
|
Register --test-no LOGG-2180 --weight L --network NO --category security --description "Checking open log files"
|
||||||
if [ ${SKIPTEST} -eq 0 ]; then
|
if [ ${SKIPTEST} -eq 0 ]; then
|
||||||
LogText "Test: checking open log files with lsof"
|
LogText "Test: checking open log files with lsof"
|
||||||
if [ ! -z "${LSOFBINARY}" ]; then
|
if [ -n "${LSOFBINARY}" ]; then
|
||||||
FIND=$(${LSOFBINARY} -n 2>&1 | ${GREPBINARY} "log$" | ${EGREPBINARY} -v "WARNING|Output information" | ${AWKBINARY} '{ if ($5=="REG") { print $9 } }' | ${SORTBINARY} -u | ${GREPBINARY} -v "^$")
|
FIND=$(${LSOFBINARY} -n 2>&1 | ${GREPBINARY} "log$" | ${EGREPBINARY} -v "WARNING|Output information" | ${AWKBINARY} '{ if ($5=="REG") { print $9 } }' | ${SORTBINARY} -u | ${GREPBINARY} -v "^$")
|
||||||
for I in ${FIND}; do
|
for I in ${FIND}; do
|
||||||
LogText "Found logfile: ${I}"
|
LogText "Found logfile: ${I}"
|
||||||
@ -477,7 +477,7 @@
|
|||||||
#
|
#
|
||||||
# Test : LOGG-2190
|
# Test : LOGG-2190
|
||||||
# Description : Checking deleted files
|
# Description : Checking deleted files
|
||||||
if [ ! -z "${LSOFBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
if [ -n "${LSOFBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||||
Register --test-no LOGG-2190 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking for deleted files in use"
|
Register --test-no LOGG-2190 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking for deleted files in use"
|
||||||
if [ ${SKIPTEST} -eq 0 ]; then
|
if [ ${SKIPTEST} -eq 0 ]; then
|
||||||
EARLY_MYSQL=""
|
EARLY_MYSQL=""
|
||||||
@ -486,12 +486,12 @@
|
|||||||
LSOF_GREP="WARNING|Output information"
|
LSOF_GREP="WARNING|Output information"
|
||||||
|
|
||||||
# MySQL versions prior to 5.6 leave lots of deleted in-use files in /tmp, ignoring those
|
# MySQL versions prior to 5.6 leave lots of deleted in-use files in /tmp, ignoring those
|
||||||
if [ ! -z "${DPKGBINARY}" ]; then
|
if [ -n "${DPKGBINARY}" ]; then
|
||||||
EARLY_MYSQL=$(${DPKGBINARY} -l | ${EGREPBINARY} mysql-server-5.[0-5])
|
EARLY_MYSQL=$(${DPKGBINARY} -l | ${EGREPBINARY} mysql-server-5.[0-5])
|
||||||
elif [ ! -z "${RPMBINARY}" ]; then
|
elif [ -n "${RPMBINARY}" ]; then
|
||||||
EARLY_MYSQL=$(${RPMBINARY} -qa mariadb | ${EGREPBINARY} mariadb-5.[0-5])
|
EARLY_MYSQL=$(${RPMBINARY} -qa mariadb | ${EGREPBINARY} mariadb-5.[0-5])
|
||||||
fi
|
fi
|
||||||
if [ ! -z "${EARLY_MYSQL}" ]; then LSOF_GREP="${LSOF_GREP}|mysqld"; fi
|
if [ -n "${EARLY_MYSQL}" ]; then LSOF_GREP="${LSOF_GREP}|mysqld"; fi
|
||||||
|
|
||||||
# grsecurity causes Fail2Ban to hold onto deleted in-use files in /var/tmp
|
# grsecurity causes Fail2Ban to hold onto deleted in-use files in /var/tmp
|
||||||
if [ ${GRSEC_FOUND} -eq 1 ]; then LSOF_GREP="${LSOF_GREP}|fail2ban"; fi
|
if [ ${GRSEC_FOUND} -eq 1 ]; then LSOF_GREP="${LSOF_GREP}|fail2ban"; fi
|
||||||
@ -501,7 +501,7 @@
|
|||||||
fi
|
fi
|
||||||
|
|
||||||
FIND=$(${LSOFBINARY} -n +L 1 2>&1 | ${EGREPBINARY} -vw "${LSOF_GREP}" | ${EGREPBINARY} -v '/dev/zero|/\[aio\]' | ${AWKBINARY} '{ if ($5=="REG") { printf "%s(%s)\n", $10, $1 } }' | ${GREPBINARY} -v "^$" | ${SORTBINARY} -u)
|
FIND=$(${LSOFBINARY} -n +L 1 2>&1 | ${EGREPBINARY} -vw "${LSOF_GREP}" | ${EGREPBINARY} -v '/dev/zero|/\[aio\]' | ${AWKBINARY} '{ if ($5=="REG") { printf "%s(%s)\n", $10, $1 } }' | ${GREPBINARY} -v "^$" | ${SORTBINARY} -u)
|
||||||
if [ ! -z "${FIND}" ]; then
|
if [ -n "${FIND}" ]; then
|
||||||
LogText "Result: found one or more files which are deleted, but still in use"
|
LogText "Result: found one or more files which are deleted, but still in use"
|
||||||
for I in ${FIND}; do
|
for I in ${FIND}; do
|
||||||
LogText "Found deleted file: ${I}"
|
LogText "Found deleted file: ${I}"
|
||||||
@ -523,7 +523,7 @@
|
|||||||
Register --test-no LOGG-2192 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking for open log files that are empty"
|
Register --test-no LOGG-2192 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking for open log files that are empty"
|
||||||
if [ ${SKIPTEST} -eq 0 ]; then
|
if [ ${SKIPTEST} -eq 0 ]; then
|
||||||
FIND=$(${LSOFBINARY} -n -w | ${AWKBINARY} '{if ($5=="REG" && $7=="0" && $9 ~ /log$/) {print $1","$9}}' | ${SORTBINARY} | uniq)
|
FIND=$(${LSOFBINARY} -n -w | ${AWKBINARY} '{if ($5=="REG" && $7=="0" && $9 ~ /log$/) {print $1","$9}}' | ${SORTBINARY} | uniq)
|
||||||
if [ ! -z "${FIND}" ]; then
|
if [ -n "${FIND}" ]; then
|
||||||
for I in ${FIND}; do
|
for I in ${FIND}; do
|
||||||
LogText "Found an opened logfile that is empty: ${I}"
|
LogText "Found an opened logfile that is empty: ${I}"
|
||||||
Report "open_empty_log_file[]=${I}"
|
Report "open_empty_log_file[]=${I}"
|
||||||
|
|||||||
@ -50,7 +50,7 @@
|
|||||||
if [ ${APPARMORFOUND} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
if [ ${APPARMORFOUND} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||||
Register --test-no MACF-6208 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check if AppArmor is enabled"
|
Register --test-no MACF-6208 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check if AppArmor is enabled"
|
||||||
if [ ${SKIPTEST} -eq 0 ]; then
|
if [ ${SKIPTEST} -eq 0 ]; then
|
||||||
if [ ! -z "${AASTATUSBINARY}" ]; then
|
if [ -n "${AASTATUSBINARY}" ]; then
|
||||||
CAN_READ_FILE=0
|
CAN_READ_FILE=0
|
||||||
FILE="/sys/kernel/security/apparmor/profiles"
|
FILE="/sys/kernel/security/apparmor/profiles"
|
||||||
if [ -f ${FILE} ]; then
|
if [ -f ${FILE} ]; then
|
||||||
@ -114,7 +114,7 @@
|
|||||||
Register --test-no MACF-6232 --weight L --network NO --category security --description "Check SELINUX presence"
|
Register --test-no MACF-6232 --weight L --network NO --category security --description "Check SELINUX presence"
|
||||||
if [ ${SKIPTEST} -eq 0 ]; then
|
if [ ${SKIPTEST} -eq 0 ]; then
|
||||||
LogText "Test: checking if we have sestatus binary"
|
LogText "Test: checking if we have sestatus binary"
|
||||||
if [ ! -z "${SESTATUSBINARY}" ]; then
|
if [ -n "${SESTATUSBINARY}" ]; then
|
||||||
LogText "Result: found sestatus binary (${SESTATUSBINARY})"
|
LogText "Result: found sestatus binary (${SESTATUSBINARY})"
|
||||||
Display --indent 2 --text "- Checking presence SELinux" --result "${STATUS_FOUND}" --color GREEN
|
Display --indent 2 --text "- Checking presence SELinux" --result "${STATUS_FOUND}" --color GREEN
|
||||||
else
|
else
|
||||||
@ -206,7 +206,7 @@
|
|||||||
Register --test-no RBAC-6272 --weight L --network NO --category security --description "Check grsecurity presence"
|
Register --test-no RBAC-6272 --weight L --network NO --category security --description "Check grsecurity presence"
|
||||||
if [ ${SKIPTEST} -eq 0 ]; then
|
if [ ${SKIPTEST} -eq 0 ]; then
|
||||||
# Check Linux kernel configuration
|
# Check Linux kernel configuration
|
||||||
if [ ! -z "${LINUXCONFIGFILE}" -a -f "${LINUXCONFIGFILE}" ]; then
|
if [ -n "${LINUXCONFIGFILE}" -a -f "${LINUXCONFIGFILE}" ]; then
|
||||||
FIND=$(${GREPBINARY} ^CONFIG_GRKERNSEC=y ${LINUXCONFIGFILE})
|
FIND=$(${GREPBINARY} ^CONFIG_GRKERNSEC=y ${LINUXCONFIGFILE})
|
||||||
if [ ! "${FIND}" = "" ]; then
|
if [ ! "${FIND}" = "" ]; then
|
||||||
LogText "Result: grsecurity available (in kernel config)"
|
LogText "Result: grsecurity available (in kernel config)"
|
||||||
|
|||||||
@ -77,20 +77,20 @@
|
|||||||
# Smarthost or Satellite
|
# Smarthost or Satellite
|
||||||
FIND3=$(echo "${EXIM_ROUTERS}" | ${EGREPBINARY} '^smarthost')
|
FIND3=$(echo "${EXIM_ROUTERS}" | ${EGREPBINARY} '^smarthost')
|
||||||
|
|
||||||
if [ ! -z "${FIND}" ]; then
|
if [ -n "${FIND}" ]; then
|
||||||
EXIM_TYPE="LOCAL ONLY"
|
EXIM_TYPE="LOCAL ONLY"
|
||||||
elif [ ! -z "${FIND2}" ]; then
|
elif [ -n "${FIND2}" ]; then
|
||||||
EXIM_TYPE="INTERNET HOST"
|
EXIM_TYPE="INTERNET HOST"
|
||||||
elif [ ! -z "${FIND3}" ]; then
|
elif [ -n "${FIND3}" ]; then
|
||||||
FIND4=$(echo "${EXIM_ROUTERS}" | ${EGREPBINARY} '^hub_user_smarthost')
|
FIND4=$(echo "${EXIM_ROUTERS}" | ${EGREPBINARY} '^hub_user_smarthost')
|
||||||
if [ ! -z "${FIND4}" ]; then
|
if [ -n "${FIND4}" ]; then
|
||||||
EXIM_TYPE="SATELLITE"
|
EXIM_TYPE="SATELLITE"
|
||||||
else
|
else
|
||||||
EXIM_TYPE="SMARTHOST"
|
EXIM_TYPE="SMARTHOST"
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ ! -z "${EXIM_TYPE}" ]; then
|
if [ -n "${EXIM_TYPE}" ]; then
|
||||||
LogText "Result: Exim Type - ${EXIM_TYPE}"
|
LogText "Result: Exim Type - ${EXIM_TYPE}"
|
||||||
Display --indent 4 --text "- Type" --result "${EXIM_TYPE}" --color GREEN
|
Display --indent 4 --text "- Type" --result "${EXIM_TYPE}" --color GREEN
|
||||||
else
|
else
|
||||||
@ -101,7 +101,7 @@
|
|||||||
if [ "${EXIM_TYPE}" = "INTERNET HOST" -o "${EXIM_TYPE}" = "SMARTHOST" ]; then
|
if [ "${EXIM_TYPE}" = "INTERNET HOST" -o "${EXIM_TYPE}" = "SMARTHOST" ]; then
|
||||||
LogText "Test: Exim Public Interfaces"
|
LogText "Test: Exim Public Interfaces"
|
||||||
EXIM_IP=$(exim -bP local_interfaces | cut -d '=' -f2 | sed -e 's/\s*<\s*\;\?//' -e 's/\s*::0\s*\;\?//' -e 's/\s*127.0.0.1\s*\;\?//' -e 's/^\s*//' -e 's/\s*$//')
|
EXIM_IP=$(exim -bP local_interfaces | cut -d '=' -f2 | sed -e 's/\s*<\s*\;\?//' -e 's/\s*::0\s*\;\?//' -e 's/\s*127.0.0.1\s*\;\?//' -e 's/^\s*//' -e 's/\s*$//')
|
||||||
if [ ! -z "${EXIM_IP}" ]; then
|
if [ -n "${EXIM_IP}" ]; then
|
||||||
LogText "Result: ${EXIM_IP}"
|
LogText "Result: ${EXIM_IP}"
|
||||||
Display --indent 4 --text "- Public Interface(s)" --result "${EXIM_IP}" --color GREEN
|
Display --indent 4 --text "- Public Interface(s)" --result "${EXIM_IP}" --color GREEN
|
||||||
else
|
else
|
||||||
@ -111,7 +111,7 @@
|
|||||||
|
|
||||||
LogText "Test: Exim TLS State"
|
LogText "Test: Exim TLS State"
|
||||||
EXIM_TLS=$(exim -bP tls_advertise_hosts | cut -d '=' -f2 | sed -e 's/^\s*//' -e 's/\s*$//')
|
EXIM_TLS=$(exim -bP tls_advertise_hosts | cut -d '=' -f2 | sed -e 's/^\s*//' -e 's/\s*$//')
|
||||||
if [ ! -z "${EXIM_TLS}" ]; then
|
if [ -n "${EXIM_TLS}" ]; then
|
||||||
LogText "Result: Enabled"
|
LogText "Result: Enabled"
|
||||||
Display --indent 4 --text "- TLS" --result "ENABLED" --color GREEN
|
Display --indent 4 --text "- TLS" --result "ENABLED" --color GREEN
|
||||||
else
|
else
|
||||||
@ -120,7 +120,7 @@
|
|||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ ! -z "${EXIM_TYPE}" -a "${EXIM_TYPE}" != "LOCAL ONLY" ]; then
|
if [ -n "${EXIM_TYPE}" -a "${EXIM_TYPE}" != "LOCAL ONLY" ]; then
|
||||||
LogText "Test: Exim Certificate and Private Key"
|
LogText "Test: Exim Certificate and Private Key"
|
||||||
|
|
||||||
case "${EXIM_TYPE}" in
|
case "${EXIM_TYPE}" in
|
||||||
@ -134,7 +134,7 @@
|
|||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
|
|
||||||
if [ ! -z "${EXIM_CERTIFICATE}" ]; then
|
if [ -n "${EXIM_CERTIFICATE}" ]; then
|
||||||
LogText "Result: ${EXIM_CERTIFICATE}"
|
LogText "Result: ${EXIM_CERTIFICATE}"
|
||||||
if [ -f "${EXIM_CERTIFICATE}" ]; then
|
if [ -f "${EXIM_CERTIFICATE}" ]; then
|
||||||
Display --indent 4 --text "- Certificate" --result "${STATUS_FOUND}" --color GREEN
|
Display --indent 4 --text "- Certificate" --result "${STATUS_FOUND}" --color GREEN
|
||||||
@ -148,7 +148,7 @@
|
|||||||
Display --indent 4 --text "- Certificate not set" --result "${STATUS_WARNING}" --color WHITE
|
Display --indent 4 --text "- Certificate not set" --result "${STATUS_WARNING}" --color WHITE
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ ! -z "${EXIM_PRIVATEKEY}" ]; then
|
if [ -n "${EXIM_PRIVATEKEY}" ]; then
|
||||||
LogText "Result: ${EXIM_PRIVATEKEY}"
|
LogText "Result: ${EXIM_PRIVATEKEY}"
|
||||||
if [ -f "${EXIM_PRIVATEKEY}" ]; then
|
if [ -f "${EXIM_PRIVATEKEY}" ]; then
|
||||||
LogText "Result: Private Key found."
|
LogText "Result: Private Key found."
|
||||||
@ -175,7 +175,7 @@
|
|||||||
LogText "Test: check Postfix status"
|
LogText "Test: check Postfix status"
|
||||||
# Some other processes also use master, therefore it should include both master and postfix
|
# Some other processes also use master, therefore it should include both master and postfix
|
||||||
FIND1=$(${PSBINARY} ax | ${GREPBINARY} "master" | ${GREPBINARY} "postfix" | ${GREPBINARY} -v "grep")
|
FIND1=$(${PSBINARY} ax | ${GREPBINARY} "master" | ${GREPBINARY} "postfix" | ${GREPBINARY} -v "grep")
|
||||||
if [ ! -z "${FIND1}" ]; then
|
if [ -n "${FIND1}" ]; then
|
||||||
LogText "Result: found running Postfix process"
|
LogText "Result: found running Postfix process"
|
||||||
Display --indent 2 --text "- Postfix status" --result "${STATUS_RUNNING}" --color GREEN
|
Display --indent 2 --text "- Postfix status" --result "${STATUS_RUNNING}" --color GREEN
|
||||||
POSTFIX_RUNNING=1
|
POSTFIX_RUNNING=1
|
||||||
@ -210,7 +210,7 @@
|
|||||||
if [ ${SKIPTEST} -eq 0 ]; then
|
if [ ${SKIPTEST} -eq 0 ]; then
|
||||||
LogText "Test: using postconf to see if Postfix configuration has errors"
|
LogText "Test: using postconf to see if Postfix configuration has errors"
|
||||||
FIND=$(${POSTCONFBINARY} 2>&1 | ${GREPBINARY} "warning:")
|
FIND=$(${POSTCONFBINARY} 2>&1 | ${GREPBINARY} "warning:")
|
||||||
if [ ! -z "${FIND}" ]; then
|
if [ -n "${FIND}" ]; then
|
||||||
Report "postfix_config_error=1"
|
Report "postfix_config_error=1"
|
||||||
Display --indent 6 --text "- Postfix configuration errors" --result "${STATUS_WARNING}" --color RED
|
Display --indent 6 --text "- Postfix configuration errors" --result "${STATUS_WARNING}" --color RED
|
||||||
LogText "Result: found an error or warning in the Postfix configuration. Manual check suggested."
|
LogText "Result: found an error or warning in the Postfix configuration. Manual check suggested."
|
||||||
@ -233,21 +233,21 @@
|
|||||||
FIND2=$(${POSTCONFBINARY} 2> /dev/null | ${GREPBINARY} '^smtpd_banner' | ${GREPBINARY} '$mail_name')
|
FIND2=$(${POSTCONFBINARY} 2> /dev/null | ${GREPBINARY} '^smtpd_banner' | ${GREPBINARY} '$mail_name')
|
||||||
FIND3=$(${POSTCONFBINARY} 2> /dev/null | ${GREPBINARY} '^mail_name' | ${GREPBINARY} -i 'postfix')
|
FIND3=$(${POSTCONFBINARY} 2> /dev/null | ${GREPBINARY} '^mail_name' | ${GREPBINARY} -i 'postfix')
|
||||||
FIND4=$(${POSTCONFBINARY} 2> /dev/null | ${GREPBINARY} '^smtpd_banner' | ${GREPBINARY} -i "${OS}")
|
FIND4=$(${POSTCONFBINARY} 2> /dev/null | ${GREPBINARY} '^smtpd_banner' | ${GREPBINARY} -i "${OS}")
|
||||||
if [ ! -z "${LINUX_VERSION}" ]; then
|
if [ -n "${LINUX_VERSION}" ]; then
|
||||||
FIND5=$(${POSTCONFBINARY} 2> /dev/null | ${GREPBINARY} '^smtpd_banner' | ${GREPBINARY} -i "${LINUX_VERSION}")
|
FIND5=$(${POSTCONFBINARY} 2> /dev/null | ${GREPBINARY} '^smtpd_banner' | ${GREPBINARY} -i "${LINUX_VERSION}")
|
||||||
fi
|
fi
|
||||||
SHOWWARNING=0
|
SHOWWARNING=0
|
||||||
|
|
||||||
if [ ! -z "${FIND1}" ]; then
|
if [ -n "${FIND1}" ]; then
|
||||||
SHOWWARNING=1
|
SHOWWARNING=1
|
||||||
Report "banner_software_disclosure[]=${FIND1}"
|
Report "banner_software_disclosure[]=${FIND1}"
|
||||||
elif [ ! -z "${FIND2}" -a ! -z "${FIND3}" ]; then
|
elif [ -n "${FIND2}" -a -n "${FIND3}" ]; then
|
||||||
SHOWWARNING=1
|
SHOWWARNING=1
|
||||||
Report "banner_software_disclosure[]=${FIND2}"
|
Report "banner_software_disclosure[]=${FIND2}"
|
||||||
elif [ ! -z "${FIND4}" ]; then
|
elif [ -n "${FIND4}" ]; then
|
||||||
SHOWWARNING=1
|
SHOWWARNING=1
|
||||||
Report "banner_os_disclosure[]=${FIND4}"
|
Report "banner_os_disclosure[]=${FIND4}"
|
||||||
elif [ ! -z "${FIND5}" ]; then
|
elif [ -n "${FIND5}" ]; then
|
||||||
SHOWWARNING=1
|
SHOWWARNING=1
|
||||||
Report "banner_os_disclosure[]=${FIND5}"
|
Report "banner_os_disclosure[]=${FIND5}"
|
||||||
fi
|
fi
|
||||||
@ -342,7 +342,7 @@
|
|||||||
#
|
#
|
||||||
# Test : MAIL-8920
|
# Test : MAIL-8920
|
||||||
# Description : Check OpenSMTPD process status
|
# Description : Check OpenSMTPD process status
|
||||||
if [ ! -z "${SMTPCTLBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
if [ -n "${SMTPCTLBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||||
Register --test-no MAIL-8920 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check OpenSMTPD status"
|
Register --test-no MAIL-8920 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check OpenSMTPD status"
|
||||||
if [ ${SKIPTEST} -eq 0 ]; then
|
if [ ${SKIPTEST} -eq 0 ]; then
|
||||||
LogText "Test: check smtpd status"
|
LogText "Test: check smtpd status"
|
||||||
|
|||||||
@ -45,7 +45,7 @@
|
|||||||
Register --test-no MALW-3275 --weight L --network NO --category security --description "Check for chkrootkit"
|
Register --test-no MALW-3275 --weight L --network NO --category security --description "Check for chkrootkit"
|
||||||
if [ ${SKIPTEST} -eq 0 ]; then
|
if [ ${SKIPTEST} -eq 0 ]; then
|
||||||
LogText "Test: checking presence chkrootkit"
|
LogText "Test: checking presence chkrootkit"
|
||||||
if [ ! -z "${CHKROOTKITBINARY}" ]; then
|
if [ -n "${CHKROOTKITBINARY}" ]; then
|
||||||
Display --indent 2 --text "- ${GEN_CHECKING} chkrootkit" --result "${STATUS_FOUND}" --color GREEN
|
Display --indent 2 --text "- ${GEN_CHECKING} chkrootkit" --result "${STATUS_FOUND}" --color GREEN
|
||||||
LogText "Result: Found ${CHKROOTKITBINARY}"
|
LogText "Result: Found ${CHKROOTKITBINARY}"
|
||||||
MALWARE_SCANNER_INSTALLED=1
|
MALWARE_SCANNER_INSTALLED=1
|
||||||
@ -63,7 +63,7 @@
|
|||||||
Register --test-no MALW-3276 --weight L --network NO --category security --description "Check for Rootkit Hunter"
|
Register --test-no MALW-3276 --weight L --network NO --category security --description "Check for Rootkit Hunter"
|
||||||
if [ ${SKIPTEST} -eq 0 ]; then
|
if [ ${SKIPTEST} -eq 0 ]; then
|
||||||
LogText "Test: checking presence Rootkit Hunter"
|
LogText "Test: checking presence Rootkit Hunter"
|
||||||
if [ ! -z "${RKHUNTERBINARY}" ]; then
|
if [ -n "${RKHUNTERBINARY}" ]; then
|
||||||
Display --indent 2 --text "- ${GEN_CHECKING} Rootkit Hunter" --result "${STATUS_FOUND}" --color GREEN
|
Display --indent 2 --text "- ${GEN_CHECKING} Rootkit Hunter" --result "${STATUS_FOUND}" --color GREEN
|
||||||
LogText "Result: Found ${RKHUNTERBINARY}"
|
LogText "Result: Found ${RKHUNTERBINARY}"
|
||||||
MALWARE_SCANNER_INSTALLED=1
|
MALWARE_SCANNER_INSTALLED=1
|
||||||
@ -307,7 +307,7 @@
|
|||||||
Register --test-no MALW-3288 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for ClamXav"
|
Register --test-no MALW-3288 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for ClamXav"
|
||||||
if [ ${SKIPTEST} -eq 0 ]; then
|
if [ ${SKIPTEST} -eq 0 ]; then
|
||||||
CLAMSCANBINARY=$(${LSBINARY} /Applications/ClamXav.app/Contents/Resources/ScanningEngine/bin/ 2> /dev/null | ${GREPBINARY} 'clamscan')
|
CLAMSCANBINARY=$(${LSBINARY} /Applications/ClamXav.app/Contents/Resources/ScanningEngine/bin/ 2> /dev/null | ${GREPBINARY} 'clamscan')
|
||||||
if [ ! -z "${CLAMSCANBINARY}" ]; then
|
if [ -n "${CLAMSCANBINARY}" ]; then
|
||||||
LogText "Result: Found ClamXav clamscan installed"
|
LogText "Result: Found ClamXav clamscan installed"
|
||||||
Display --indent 2 --text "- ${GEN_CHECKING} ClamXav AV scanner" --result "${STATUS_FOUND}" --color GREEN
|
Display --indent 2 --text "- ${GEN_CHECKING} ClamXav AV scanner" --result "${STATUS_FOUND}" --color GREEN
|
||||||
MALWARE_SCANNER_INSTALLED=1
|
MALWARE_SCANNER_INSTALLED=1
|
||||||
|
|||||||
@ -188,7 +188,7 @@
|
|||||||
|
|
||||||
# If files and commands can't be found, use defined value from resolv.conf
|
# If files and commands can't be found, use defined value from resolv.conf
|
||||||
if [ -z "${DOMAINNAME}" ]; then
|
if [ -z "${DOMAINNAME}" ]; then
|
||||||
if [ ! -z "${RESOLV_DOMAINNAME}" ]; then
|
if [ -n "${RESOLV_DOMAINNAME}" ]; then
|
||||||
LogText "Result: using domain name from ${ROOTDIR}etc/resolv.conf"
|
LogText "Result: using domain name from ${ROOTDIR}etc/resolv.conf"
|
||||||
DOMAINNAME=${RESOLV_DOMAINNAME}
|
DOMAINNAME=${RESOLV_DOMAINNAME}
|
||||||
else
|
else
|
||||||
@ -197,7 +197,7 @@
|
|||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ ! -z "${DOMAINNAME}" ]; then
|
if [ -n "${DOMAINNAME}" ]; then
|
||||||
LogText "Result: found domain name"
|
LogText "Result: found domain name"
|
||||||
Report "domainname=${DOMAINNAME}"
|
Report "domainname=${DOMAINNAME}"
|
||||||
Display --indent 2 --text "- Searching DNS domain name" --result "${STATUS_FOUND}" --color GREEN
|
Display --indent 2 --text "- Searching DNS domain name" --result "${STATUS_FOUND}" --color GREEN
|
||||||
@ -303,7 +303,7 @@
|
|||||||
LogText "Result: found configuration file (${BIND_CONFIG_LOCATION})"
|
LogText "Result: found configuration file (${BIND_CONFIG_LOCATION})"
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
if [ ! -z "${BIND_CONFIG_LOCATION}" ]; then
|
if [ -n "${BIND_CONFIG_LOCATION}" ]; then
|
||||||
Display --indent 4 --text "- Checking BIND configuration file" --result "${STATUS_FOUND}" --color GREEN
|
Display --indent 4 --text "- Checking BIND configuration file" --result "${STATUS_FOUND}" --color GREEN
|
||||||
else
|
else
|
||||||
Display --indent 4 --text "- Checking BIND configuration file" --result "${STATUS_NOT_FOUND}" --color YELLOW
|
Display --indent 4 --text "- Checking BIND configuration file" --result "${STATUS_NOT_FOUND}" --color YELLOW
|
||||||
@ -449,12 +449,12 @@
|
|||||||
#
|
#
|
||||||
# Test : NAME-4238
|
# Test : NAME-4238
|
||||||
# Description : Check PowerDNS authoritative status
|
# Description : Check PowerDNS authoritative status
|
||||||
if [ ${POWERDNS_RUNNING} -eq 1 -a ! -z "${POWERDNS_AUTH_CONFIG_LOCATION}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
if [ ${POWERDNS_RUNNING} -eq 1 -a -n "${POWERDNS_AUTH_CONFIG_LOCATION}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||||
Register --test-no NAME-4238 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check PowerDNS authoritative status"
|
Register --test-no NAME-4238 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check PowerDNS authoritative status"
|
||||||
if [ ${SKIPTEST} -eq 0 ]; then
|
if [ ${SKIPTEST} -eq 0 ]; then
|
||||||
LogText "Test: Checking for PowerDNS master status"
|
LogText "Test: Checking for PowerDNS master status"
|
||||||
FIND=$(${GREPBINARY} "^master=yes" ${POWERDNS_AUTH_CONFIG_LOCATION})
|
FIND=$(${GREPBINARY} "^master=yes" ${POWERDNS_AUTH_CONFIG_LOCATION})
|
||||||
if [ ! -z "${FIND}" ]; then
|
if [ -n "${FIND}" ]; then
|
||||||
LogText "Found master=yes in configuration file"
|
LogText "Found master=yes in configuration file"
|
||||||
Display --indent 4 --text "- PowerDNS authoritative master: YES"
|
Display --indent 4 --text "- PowerDNS authoritative master: YES"
|
||||||
POWERDNS_AUTH_MASTER=1
|
POWERDNS_AUTH_MASTER=1
|
||||||
@ -464,7 +464,7 @@
|
|||||||
fi
|
fi
|
||||||
LogText "Test: Checking for PowerDNS slave status"
|
LogText "Test: Checking for PowerDNS slave status"
|
||||||
FIND=$(${GREPBINARY} "^slave=yes" ${POWERDNS_AUTH_CONFIG_LOCATION})
|
FIND=$(${GREPBINARY} "^slave=yes" ${POWERDNS_AUTH_CONFIG_LOCATION})
|
||||||
if [ ! -z "${FIND}" ]; then
|
if [ -n "${FIND}" ]; then
|
||||||
LogText "Found slave=yes in configuration file"
|
LogText "Found slave=yes in configuration file"
|
||||||
Display --indent 4 --text "- PowerDNS authoritative slave: YES"
|
Display --indent 4 --text "- PowerDNS authoritative slave: YES"
|
||||||
POWERDNS_AUTH_SLAVE=1
|
POWERDNS_AUTH_SLAVE=1
|
||||||
@ -509,7 +509,7 @@
|
|||||||
if [ ${SKIPTEST} -eq 0 ]; then
|
if [ ${SKIPTEST} -eq 0 ]; then
|
||||||
LogText "Test: Checking $(domainname) for NIS domain value"
|
LogText "Test: Checking $(domainname) for NIS domain value"
|
||||||
FIND=$(${DOMAINNAMEBINARY} | ${GREPBINARY} -v "(none)")
|
FIND=$(${DOMAINNAMEBINARY} | ${GREPBINARY} -v "(none)")
|
||||||
if [ ! -z "${FIND}" ]; then
|
if [ -n "${FIND}" ]; then
|
||||||
LogText "Value: ${FIND}"
|
LogText "Value: ${FIND}"
|
||||||
NISDOMAIN="${FIND}"
|
NISDOMAIN="${FIND}"
|
||||||
else
|
else
|
||||||
@ -520,7 +520,7 @@
|
|||||||
if [ -f ${ROOTDIR}etc/defaultdomain ]; then
|
if [ -f ${ROOTDIR}etc/defaultdomain ]; then
|
||||||
LogText "Result: file ${ROOTDIR}etc/defaultdomain exists"
|
LogText "Result: file ${ROOTDIR}etc/defaultdomain exists"
|
||||||
FIND2=$(cat ${ROOTDIR}etc/defaultdomain)
|
FIND2=$(cat ${ROOTDIR}etc/defaultdomain)
|
||||||
if [ ! -z "${FIND2}" ]; then
|
if [ -n "${FIND2}" ]; then
|
||||||
LogText "Output: ${FIND2}"
|
LogText "Output: ${FIND2}"
|
||||||
NISDOMAIN="${FIND2}"
|
NISDOMAIN="${FIND2}"
|
||||||
else
|
else
|
||||||
@ -533,7 +533,7 @@
|
|||||||
LogText "Result: file ${ROOTDIR}etc/sysconfig/network exists"
|
LogText "Result: file ${ROOTDIR}etc/sysconfig/network exists"
|
||||||
LogText "Test: checking NISDOMAIN value in file"
|
LogText "Test: checking NISDOMAIN value in file"
|
||||||
FIND3=$(${GREPBINARY} "^NISDOMAIN" ${ROOTDIR}etc/sysconfig/network | ${AWKBINARY} -F= '{ print $2 }' | ${SEDBINARY} 's/"//g')
|
FIND3=$(${GREPBINARY} "^NISDOMAIN" ${ROOTDIR}etc/sysconfig/network | ${AWKBINARY} -F= '{ print $2 }' | ${SEDBINARY} 's/"//g')
|
||||||
if [ ! -z "${FIND3}" ]; then
|
if [ -n "${FIND3}" ]; then
|
||||||
LogText "Found NIS domain: ${FIND3}"
|
LogText "Found NIS domain: ${FIND3}"
|
||||||
NISDOMAIN="${FIND3}"
|
NISDOMAIN="${FIND3}"
|
||||||
else
|
else
|
||||||
@ -553,7 +553,7 @@
|
|||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
# Check if we found any NIS domain
|
# Check if we found any NIS domain
|
||||||
if [ ! -z "${NISDOMAIN}" ]; then
|
if [ -n "${NISDOMAIN}" ]; then
|
||||||
LogText "Found NIS domain: ${NISDOMAIN}"
|
LogText "Found NIS domain: ${NISDOMAIN}"
|
||||||
Report "nisdomain=${NISDOMAIN}"
|
Report "nisdomain=${NISDOMAIN}"
|
||||||
Display --indent 4 --text "- Checking NIS domain" --result "${STATUS_FOUND}" --color GREEN
|
Display --indent 4 --text "- Checking NIS domain" --result "${STATUS_FOUND}" --color GREEN
|
||||||
@ -636,7 +636,7 @@
|
|||||||
#
|
#
|
||||||
# Test : NAME-4408
|
# Test : NAME-4408
|
||||||
# Description : Check localhost entry
|
# Description : Check localhost entry
|
||||||
if [ ! -z "${GETENT_BINARY}" ]; then PREQS_MET="YES"; SKIPREASON="No getent binary"; else PREQS_MET="NO"; SKIPREASON=""; fi
|
if [ -n "${GETENT_BINARY}" ]; then PREQS_MET="YES"; SKIPREASON="No getent binary"; else PREQS_MET="NO"; SKIPREASON=""; fi
|
||||||
Register --test-no NAME-4408 --preqs-met ${PREQS_MET} --skip-reason "${SKIPREASON}" --weight L --network NO --category security --description "Check localhost entry"
|
Register --test-no NAME-4408 --preqs-met ${PREQS_MET} --skip-reason "${SKIPREASON}" --weight L --network NO --category security --description "Check localhost entry"
|
||||||
if [ ${SKIPTEST} -eq 0 ]; then
|
if [ ${SKIPTEST} -eq 0 ]; then
|
||||||
LogText "Test: Check server hostname not locally mapped in /etc/hosts"
|
LogText "Test: Check server hostname not locally mapped in /etc/hosts"
|
||||||
|
|||||||
@ -47,7 +47,7 @@
|
|||||||
IPV6_MISCONFIGURED=0
|
IPV6_MISCONFIGURED=0
|
||||||
IPV6_MISCONFIGURED_MTU=0
|
IPV6_MISCONFIGURED_MTU=0
|
||||||
FIND=$(sysctl -a 2> /dev/null | ${GREPBINARY} "^net.ipv6" | ${SEDBINARY} "s/ = /=/")
|
FIND=$(sysctl -a 2> /dev/null | ${GREPBINARY} "^net.ipv6" | ${SEDBINARY} "s/ = /=/")
|
||||||
if [ ! -z "${FIND}" ]; then
|
if [ -n "${FIND}" ]; then
|
||||||
IPV6_CONFIGURED=1
|
IPV6_CONFIGURED=1
|
||||||
for I in ${FIND}; do
|
for I in ${FIND}; do
|
||||||
SYSCTL_KEY=$(echo ${I} | ${AWKBINARY} -F= '{ print $1 }')
|
SYSCTL_KEY=$(echo ${I} | ${AWKBINARY} -F= '{ print $1 }')
|
||||||
@ -124,7 +124,7 @@
|
|||||||
if [ -f /etc/resolv.conf ]; then
|
if [ -f /etc/resolv.conf ]; then
|
||||||
LogText "Result: Found /etc/resolv.conf file"
|
LogText "Result: Found /etc/resolv.conf file"
|
||||||
FIND=$(${GREPBINARY} '^nameserver' /etc/resolv.conf | ${TRBINARY} -d '\t' | ${SEDBINARY} 's/nameserver*//g' | uniq | ${CUTBINARY} -d# -f1)
|
FIND=$(${GREPBINARY} '^nameserver' /etc/resolv.conf | ${TRBINARY} -d '\t' | ${SEDBINARY} 's/nameserver*//g' | uniq | ${CUTBINARY} -d# -f1)
|
||||||
if [ ! -z "${FIND}" ]; then
|
if [ -n "${FIND}" ]; then
|
||||||
Display --indent 4 --text "- Testing nameservers"
|
Display --indent 4 --text "- Testing nameservers"
|
||||||
LogText "Test: Querying nameservers"
|
LogText "Test: Querying nameservers"
|
||||||
for I in ${FIND}; do
|
for I in ${FIND}; do
|
||||||
@ -134,7 +134,7 @@
|
|||||||
if [ "${I}" = "::1" -o "${I}" = "127.0.0.1" -o "${I}" = "127.0.0.53" -o "${I}" = "127.0.1.1" -o "${I}" = "0.0.0.0" ]; then
|
if [ "${I}" = "::1" -o "${I}" = "127.0.0.1" -o "${I}" = "127.0.0.53" -o "${I}" = "127.0.1.1" -o "${I}" = "0.0.0.0" ]; then
|
||||||
LOCAL_DNSRESOLVER_FOUND=1
|
LOCAL_DNSRESOLVER_FOUND=1
|
||||||
fi
|
fi
|
||||||
if [ ! -z "${DIGBINARY}" ]; then
|
if [ -n "${DIGBINARY}" ]; then
|
||||||
# See if we can query something at the nameserver
|
# See if we can query something at the nameserver
|
||||||
# 0=good, other=bad
|
# 0=good, other=bad
|
||||||
DNSRESPONSE=$(${DIGBINARY} +noall +time=3 +retry=0 @${I} ${FQDN} > /dev/null ; echo $?)
|
DNSRESPONSE=$(${DIGBINARY} +noall +time=3 +retry=0 @${I} ${FQDN} > /dev/null ; echo $?)
|
||||||
@ -167,7 +167,7 @@
|
|||||||
Register --test-no NETW-2705 --preqs-met ${PREQS_MET} --weight L --network YES --category security --description "Check availability two nameservers"
|
Register --test-no NETW-2705 --preqs-met ${PREQS_MET} --weight L --network YES --category security --description "Check availability two nameservers"
|
||||||
if [ ${SKIPTEST} -eq 0 ]; then
|
if [ ${SKIPTEST} -eq 0 ]; then
|
||||||
SKIP=0
|
SKIP=0
|
||||||
if [ ! -z "${DIGBINARY}" ]; then
|
if [ -n "${DIGBINARY}" ]; then
|
||||||
if [ ${NUMBERACTIVENS} -lt 2 ]; then
|
if [ ${NUMBERACTIVENS} -lt 2 ]; then
|
||||||
Display --indent 4 --text "- Minimal of 2 responsive nameservers" --result "${STATUS_WARNING}" --color RED
|
Display --indent 4 --text "- Minimal of 2 responsive nameservers" --result "${STATUS_WARNING}" --color RED
|
||||||
LogText "Result: less than 2 responsive nameservers found"
|
LogText "Result: less than 2 responsive nameservers found"
|
||||||
@ -193,12 +193,12 @@
|
|||||||
# Test : NETW-3001
|
# Test : NETW-3001
|
||||||
# Description : Find default gateway (route)
|
# Description : Find default gateway (route)
|
||||||
# More info : BSD: ^default Linux: 0.0.0.0
|
# More info : BSD: ^default Linux: 0.0.0.0
|
||||||
if [ ! -z "${NETSTATBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
if [ -n "${NETSTATBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||||
Register --test-no NETW-3001 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Find default gateway (route)"
|
Register --test-no NETW-3001 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Find default gateway (route)"
|
||||||
if [ $SKIPTEST -eq 0 ]; then
|
if [ $SKIPTEST -eq 0 ]; then
|
||||||
LogText "Test: Searching default gateway(s)"
|
LogText "Test: Searching default gateway(s)"
|
||||||
FIND=$(${NETSTATBINARY} -rn | ${EGREPBINARY} "^0.0.0.0|default" | ${TRBINARY} -s ' ' | ${CUTBINARY} -d ' ' -f2)
|
FIND=$(${NETSTATBINARY} -rn | ${EGREPBINARY} "^0.0.0.0|default" | ${TRBINARY} -s ' ' | ${CUTBINARY} -d ' ' -f2)
|
||||||
if [ ! -z "${FIND}" ]; then
|
if [ -n "${FIND}" ]; then
|
||||||
for I in ${FIND}; do
|
for I in ${FIND}; do
|
||||||
LogText "Result: Found default gateway ${I}"
|
LogText "Result: Found default gateway ${I}"
|
||||||
Report "default_gateway[]=${I}"
|
Report "default_gateway[]=${I}"
|
||||||
@ -222,9 +222,9 @@
|
|||||||
FIND=$(${IFCONFIGBINARY} -a 2> /dev/null | ${GREPBINARY} "flags=" | ${AWKBINARY} -F ":" '{ print $1 }')
|
FIND=$(${IFCONFIGBINARY} -a 2> /dev/null | ${GREPBINARY} "flags=" | ${AWKBINARY} -F ":" '{ print $1 }')
|
||||||
;;
|
;;
|
||||||
Linux)
|
Linux)
|
||||||
if [ ! -z "${IPBINARY}" ]; then
|
if [ -n "${IPBINARY}" ]; then
|
||||||
FIND=$(${IPBINARY} link show 2> /dev/null | ${GREPBINARY} "^[0-9]" | ${AWKBINARY} '{ print $2 }' | ${SEDBINARY} 's/://g')
|
FIND=$(${IPBINARY} link show 2> /dev/null | ${GREPBINARY} "^[0-9]" | ${AWKBINARY} '{ print $2 }' | ${SEDBINARY} 's/://g')
|
||||||
elif [ ! -z "${IFCONFIGBINARY}" ]; then
|
elif [ -n "${IFCONFIGBINARY}" ]; then
|
||||||
FIND=$(${IFCONFIGBINARY} -a 2> /dev/null | ${AWKBINARY} '{ if ( $2 == "Link" ) { print $1 }}')
|
FIND=$(${IFCONFIGBINARY} -a 2> /dev/null | ${AWKBINARY} '{ if ( $2 == "Link" ) { print $1 }}')
|
||||||
fi
|
fi
|
||||||
;;
|
;;
|
||||||
@ -265,14 +265,14 @@
|
|||||||
FIND=$(${IFCONFIGBINARY} -a 2> /dev/null | ${AWKBINARY} '{ if ($1=="ether") print $2 }' | ${SORTBINARY} -u)
|
FIND=$(${IFCONFIGBINARY} -a 2> /dev/null | ${AWKBINARY} '{ if ($1=="ether") print $2 }' | ${SORTBINARY} -u)
|
||||||
;;
|
;;
|
||||||
Linux)
|
Linux)
|
||||||
if [ ! -z "${IFCONFIGBINARY}" ]; then
|
if [ -n "${IFCONFIGBINARY}" ]; then
|
||||||
FIND=$(${IFCONFIGBINARY} -a 2> /dev/null | ${GREPBINARY} "HWaddr" | ${AWKBINARY} '{ if ($4=="HWaddr") print $5 }' | ${SORTBINARY} -u)
|
FIND=$(${IFCONFIGBINARY} -a 2> /dev/null | ${GREPBINARY} "HWaddr" | ${AWKBINARY} '{ if ($4=="HWaddr") print $5 }' | ${SORTBINARY} -u)
|
||||||
# CentOS 7.x and others may return nothing. Let's retry with 'ether' field.
|
# CentOS 7.x and others may return nothing. Let's retry with 'ether' field.
|
||||||
if [ -z "${FIND}" ]; then
|
if [ -z "${FIND}" ]; then
|
||||||
FIND=$(${IFCONFIGBINARY} -a 2> /dev/null | ${AWKBINARY} '{ if ($1=="ether") print $2 }' | ${SORTBINARY} -u)
|
FIND=$(${IFCONFIGBINARY} -a 2> /dev/null | ${AWKBINARY} '{ if ($1=="ether") print $2 }' | ${SORTBINARY} -u)
|
||||||
fi
|
fi
|
||||||
else
|
else
|
||||||
if [ ! -z "${IPBINARY}" ]; then
|
if [ -n "${IPBINARY}" ]; then
|
||||||
LogText "Test: Using ip binary to gather hardware addresses"
|
LogText "Test: Using ip binary to gather hardware addresses"
|
||||||
FIND=$(${IPBINARY} link 2> /dev/null | ${GREPBINARY} "link/ether" | ${AWKBINARY} '{ print $2 }')
|
FIND=$(${IPBINARY} link 2> /dev/null | ${GREPBINARY} "link/ether" | ${AWKBINARY} '{ print $2 }')
|
||||||
else
|
else
|
||||||
@ -320,12 +320,12 @@
|
|||||||
FIND2=$(${IFCONFIGBINARY} -a 2> /dev/null | ${AWKBINARY} '{ if ($1=="inet6") print $2 }')
|
FIND2=$(${IFCONFIGBINARY} -a 2> /dev/null | ${AWKBINARY} '{ if ($1=="inet6") print $2 }')
|
||||||
;;
|
;;
|
||||||
Linux)
|
Linux)
|
||||||
if [ ! -z "${IFCONFIGBINARY}" ]; then
|
if [ -n "${IFCONFIGBINARY}" ]; then
|
||||||
FIND=$(${IFCONFIGBINARY} -a 2> /dev/null | ${AWKBINARY} '{ if ($1=="inet") print $2 }' | ${CUTBINARY} -d ':' -f2)
|
FIND=$(${IFCONFIGBINARY} -a 2> /dev/null | ${AWKBINARY} '{ if ($1=="inet") print $2 }' | ${CUTBINARY} -d ':' -f2)
|
||||||
# Version which works for multiple types of ifconfig (e.g. Slackware)
|
# Version which works for multiple types of ifconfig (e.g. Slackware)
|
||||||
FIND2=$(${IFCONFIGBINARY} -a 2> /dev/null | ${AWKBINARY} '{ if ($1=="inet6" && $2=="addr:") { print $3 } else { if ($1=="inet6" && $3=="prefixlen") { print $2 } } }')
|
FIND2=$(${IFCONFIGBINARY} -a 2> /dev/null | ${AWKBINARY} '{ if ($1=="inet6" && $2=="addr:") { print $3 } else { if ($1=="inet6" && $3=="prefixlen") { print $2 } } }')
|
||||||
else
|
else
|
||||||
if [ ! -z "${IPBINARY}" ]; then
|
if [ -n "${IPBINARY}" ]; then
|
||||||
LogText "Test: Using ip binary to gather IP addresses"
|
LogText "Test: Using ip binary to gather IP addresses"
|
||||||
FIND=$(${IPBINARY} addr 2> /dev/null | ${AWKBINARY} '{ if ($1=="inet") { print $2 }}' | ${SEDBINARY} 's/\/.*//')
|
FIND=$(${IPBINARY} addr 2> /dev/null | ${AWKBINARY} '{ if ($1=="inet") { print $2 }}' | ${SEDBINARY} 's/\/.*//')
|
||||||
FIND2=$(${IPBINARY} addr 2> /dev/null | ${AWKBINARY} '{ if ($1=="inet6") { print $2 }}' | ${SEDBINARY} 's/\/.*//')
|
FIND2=$(${IPBINARY} addr 2> /dev/null | ${AWKBINARY} '{ if ($1=="inet6") { print $2 }}' | ${SEDBINARY} 's/\/.*//')
|
||||||
@ -375,7 +375,7 @@
|
|||||||
COUNT=0
|
COUNT=0
|
||||||
case ${OS} in
|
case ${OS} in
|
||||||
DragonFly|FreeBSD)
|
DragonFly|FreeBSD)
|
||||||
if [ ! -z "${SOCKSTATBINARY}" ]; then
|
if [ -n "${SOCKSTATBINARY}" ]; then
|
||||||
FIND=$(${SOCKSTATBINARY} | ${AWKBINARY} '{ if ($7 ~ /\*:\*/) print $5"|"$6"|"$2"|" }' | ${SORTBINARY} -u)
|
FIND=$(${SOCKSTATBINARY} | ${AWKBINARY} '{ if ($7 ~ /\*:\*/) print $5"|"$6"|"$2"|" }' | ${SORTBINARY} -u)
|
||||||
# To strip off IP's: ${SEDBINARY} 's/|.*:/|/'
|
# To strip off IP's: ${SEDBINARY} 's/|.*:/|/'
|
||||||
else
|
else
|
||||||
@ -513,17 +513,17 @@
|
|||||||
NETWORK=""
|
NETWORK=""
|
||||||
USE_IP_INSTEAD_IFCONFIG=0
|
USE_IP_INSTEAD_IFCONFIG=0
|
||||||
|
|
||||||
if [ ! -z "${IPBINARY}" ]; then
|
if [ -n "${IPBINARY}" ]; then
|
||||||
LogText "Test: Using ip binary to retrieve network interfaces"
|
LogText "Test: Using ip binary to retrieve network interfaces"
|
||||||
NETWORK=$(${IPBINARY} -o link 2> /dev/null | ${GREPBINARY} "^[0-9]" | ${AWKBINARY} '{print $2 }' | ${TRBINARY} -d ':')
|
NETWORK=$(${IPBINARY} -o link 2> /dev/null | ${GREPBINARY} "^[0-9]" | ${AWKBINARY} '{print $2 }' | ${TRBINARY} -d ':')
|
||||||
USE_IP_INSTEAD_IFCONFIG=1
|
USE_IP_INSTEAD_IFCONFIG=1
|
||||||
elif [ ! -z "${IFCONFIGBINARY}" ]; then
|
elif [ -n "${IFCONFIGBINARY}" ]; then
|
||||||
LogText "Test: Using ifconfig binary to retrieve network interfaces"
|
LogText "Test: Using ifconfig binary to retrieve network interfaces"
|
||||||
NETWORK=$(${IFCONFIGBINARY} 2> /dev/null | ${GREPBINARY} Link | ${TRBINARY} -s ' ' | ${CUTBINARY} -d ' ' -f1)
|
NETWORK=$(${IFCONFIGBINARY} 2> /dev/null | ${GREPBINARY} Link | ${TRBINARY} -s ' ' | ${CUTBINARY} -d ' ' -f1)
|
||||||
fi
|
fi
|
||||||
|
|
||||||
LogText "Test: Checking all interfaces to discover any with promiscuous mode enabled"
|
LogText "Test: Checking all interfaces to discover any with promiscuous mode enabled"
|
||||||
if [ ! -z "${NETWORK}" ]; then
|
if [ -n "${NETWORK}" ]; then
|
||||||
FOUNDPROMISC=0
|
FOUNDPROMISC=0
|
||||||
for I in ${NETWORK}; do
|
for I in ${NETWORK}; do
|
||||||
if [ ${USE_IP_INSTEAD_IFCONFIG} -eq 1 ]; then
|
if [ ${USE_IP_INSTEAD_IFCONFIG} -eq 1 ]; then
|
||||||
@ -531,7 +531,7 @@
|
|||||||
else
|
else
|
||||||
FIND=$(${IFCONFIGBINARY} ${I} 2> /dev/null | ${GREPBINARY} PROMISC)
|
FIND=$(${IFCONFIGBINARY} ${I} 2> /dev/null | ${GREPBINARY} PROMISC)
|
||||||
fi
|
fi
|
||||||
if [ ! -z "${FIND}" ]; then
|
if [ -n "${FIND}" ]; then
|
||||||
LogText "Result: Promiscuous interface: ${I}"
|
LogText "Result: Promiscuous interface: ${I}"
|
||||||
ISWHITELISTED=$(${GREPBINARY} "^if_promisc:${I}:" ${PROFILE})
|
ISWHITELISTED=$(${GREPBINARY} "^if_promisc:${I}:" ${PROFILE})
|
||||||
if [ -z "${ISWHITELISTED}" ]; then
|
if [ -z "${ISWHITELISTED}" ]; then
|
||||||
|
|||||||
@ -139,7 +139,7 @@
|
|||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
|
|
||||||
if [ ! -z "${PHPINIFILE}" ]; then
|
if [ -n "${PHPINIFILE}" ]; then
|
||||||
Display --indent 2 --text "- Checking PHP" --result "${STATUS_FOUND}" --color GREEN
|
Display --indent 2 --text "- Checking PHP" --result "${STATUS_FOUND}" --color GREEN
|
||||||
LogText "Result: using single file ${PHPINIFILE} for main php.ini tests"
|
LogText "Result: using single file ${PHPINIFILE} for main php.ini tests"
|
||||||
LogText "Result: using php.ini array ${PHPINI_ALLFILES} for further tests"
|
LogText "Result: using php.ini array ${PHPINI_ALLFILES} for further tests"
|
||||||
@ -154,7 +154,7 @@
|
|||||||
#
|
#
|
||||||
# Test : PHP-2320
|
# Test : PHP-2320
|
||||||
# Description : Check php disable functions option
|
# Description : Check php disable functions option
|
||||||
if [ ! -z "${PHPINI_ALLFILES}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
if [ -n "${PHPINI_ALLFILES}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||||
Register --test-no PHP-2320 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check PHP disabled functions"
|
Register --test-no PHP-2320 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check PHP disabled functions"
|
||||||
if [ ${SKIPTEST} -eq 0 ]; then
|
if [ ${SKIPTEST} -eq 0 ]; then
|
||||||
FOUND=0
|
FOUND=0
|
||||||
@ -194,7 +194,7 @@
|
|||||||
# Test : PHP-2368
|
# Test : PHP-2368
|
||||||
# Description : Check php register_globals option
|
# Description : Check php register_globals option
|
||||||
# Notes : Don't test for it if PHP version is 5.4.0 or later (it has been removed)
|
# Notes : Don't test for it if PHP version is 5.4.0 or later (it has been removed)
|
||||||
if [ ! -z "${PHPINIFILE}" -a ! -z "${PHPVERSION}" -a ! -z "${EGREPBINARY}" ]; then
|
if [ -n "${PHPINIFILE}" -a -n "${PHPVERSION}" -a -n "${EGREPBINARY}" ]; then
|
||||||
if [ -f "${PHPINIFILE}" ]; then
|
if [ -f "${PHPINIFILE}" ]; then
|
||||||
FIND=$(echo ${PHPVERSION} | ${EGREPBINARY} "^(4.|5.[0-3])")
|
FIND=$(echo ${PHPVERSION} | ${EGREPBINARY} "^(4.|5.[0-3])")
|
||||||
if [ -z "${FIND}" ]; then
|
if [ -z "${FIND}" ]; then
|
||||||
@ -215,7 +215,7 @@
|
|||||||
if [ ${SKIPTEST} -eq 0 ]; then
|
if [ ${SKIPTEST} -eq 0 ]; then
|
||||||
LogText "Test: Checking PHP register_globals option"
|
LogText "Test: Checking PHP register_globals option"
|
||||||
FIND=$(${EGREPBINARY} -i 'register_globals.*(on|yes|1)' ${PHPINIFILE} | ${GREPBINARY} -v '^;')
|
FIND=$(${EGREPBINARY} -i 'register_globals.*(on|yes|1)' ${PHPINIFILE} | ${GREPBINARY} -v '^;')
|
||||||
if [ ! -z "${FIND}" ]; then
|
if [ -n "${FIND}" ]; then
|
||||||
Display --indent 4 --text "- Checking register_globals option" --result "${STATUS_WARNING}" --color RED
|
Display --indent 4 --text "- Checking register_globals option" --result "${STATUS_WARNING}" --color RED
|
||||||
ReportWarning ${TEST_NO} "PHP option register_globals option is turned on, which can be a risk for variable value overwriting"
|
ReportWarning ${TEST_NO} "PHP option register_globals option is turned on, which can be a risk for variable value overwriting"
|
||||||
ReportSuggestion ${TEST_NO} "Change the register_globals line to: register_globals = Off"
|
ReportSuggestion ${TEST_NO} "Change the register_globals line to: register_globals = Off"
|
||||||
@ -235,7 +235,7 @@
|
|||||||
# Description : Check PHP expose_php option
|
# Description : Check PHP expose_php option
|
||||||
# Background : When this option is turned on, PHP will show its version number in the HTTP headers
|
# Background : When this option is turned on, PHP will show its version number in the HTTP headers
|
||||||
# Notes : TODO - Extend test to check all PHP files
|
# Notes : TODO - Extend test to check all PHP files
|
||||||
if [ ! -z "${PHPINI_ALLFILES}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
if [ -n "${PHPINI_ALLFILES}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||||
Register --test-no PHP-2372 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check PHP expose_php option"
|
Register --test-no PHP-2372 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check PHP expose_php option"
|
||||||
if [ ${SKIPTEST} -eq 0 ]; then
|
if [ ${SKIPTEST} -eq 0 ]; then
|
||||||
FOUND=0
|
FOUND=0
|
||||||
@ -266,12 +266,12 @@
|
|||||||
# Test : PHP-2374
|
# Test : PHP-2374
|
||||||
# Description : Check PHP enable_dl option
|
# Description : Check PHP enable_dl option
|
||||||
# Notes : Extend test to check all PHP files
|
# Notes : Extend test to check all PHP files
|
||||||
if [ ! -z "${PHPINIFILE}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
if [ -n "${PHPINIFILE}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||||
Register --test-no PHP-2374 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check PHP enable_dl option"
|
Register --test-no PHP-2374 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check PHP enable_dl option"
|
||||||
if [ ${SKIPTEST} -eq 0 ]; then
|
if [ ${SKIPTEST} -eq 0 ]; then
|
||||||
LogText "Test: Checking PHP enable_dl option"
|
LogText "Test: Checking PHP enable_dl option"
|
||||||
FIND=$(${EGREPBINARY} -i 'enable_dl.*(on|yes|1)' ${PHPINIFILE} | ${GREPBINARY} -v '^;')
|
FIND=$(${EGREPBINARY} -i 'enable_dl.*(on|yes|1)' ${PHPINIFILE} | ${GREPBINARY} -v '^;')
|
||||||
if [ ! -z "${FIND}" ]; then
|
if [ -n "${FIND}" ]; then
|
||||||
Display --indent 4 --text "- Checking enable_dl option" --result "${STATUS_ON}" --color YELLOW
|
Display --indent 4 --text "- Checking enable_dl option" --result "${STATUS_ON}" --color YELLOW
|
||||||
Report "Result: enable_dl option is turned on, which can be used to enable more modules dynamically and circumventing security controls"
|
Report "Result: enable_dl option is turned on, which can be used to enable more modules dynamically and circumventing security controls"
|
||||||
ReportSuggestion ${TEST_NO} "Change the enable_dl line to: enable_dl = Off, to disable dynamically loading new modules"
|
ReportSuggestion ${TEST_NO} "Change the enable_dl line to: enable_dl = Off, to disable dynamically loading new modules"
|
||||||
@ -288,7 +288,7 @@
|
|||||||
# Test : PHP-2376
|
# Test : PHP-2376
|
||||||
# Description : Check PHP allow_url_fopen option
|
# Description : Check PHP allow_url_fopen option
|
||||||
# Notes : Extend test to check all PHP files YYY
|
# Notes : Extend test to check all PHP files YYY
|
||||||
if [ ! -z "${PHPINIFILE}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
if [ -n "${PHPINIFILE}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||||
Register --test-no PHP-2376 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check PHP allow_url_fopen option"
|
Register --test-no PHP-2376 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check PHP allow_url_fopen option"
|
||||||
if [ ${SKIPTEST} -eq 0 ]; then
|
if [ ${SKIPTEST} -eq 0 ]; then
|
||||||
LogText "Test: Checking PHP allow_url_fopen option"
|
LogText "Test: Checking PHP allow_url_fopen option"
|
||||||
@ -311,7 +311,7 @@
|
|||||||
# Test : PHP-2378
|
# Test : PHP-2378
|
||||||
# Description : Check PHP allow_url_include option
|
# Description : Check PHP allow_url_include option
|
||||||
# Notes : Extend test to check all PHP files YYY
|
# Notes : Extend test to check all PHP files YYY
|
||||||
if [ ! -z "${PHPINIFILE}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
if [ -n "${PHPINIFILE}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||||
Register --test-no PHP-2378 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check PHP allow_url_include option"
|
Register --test-no PHP-2378 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check PHP allow_url_include option"
|
||||||
if [ ${SKIPTEST} -eq 0 ]; then
|
if [ ${SKIPTEST} -eq 0 ]; then
|
||||||
LogText "Test: Checking PHP allow_url_include option"
|
LogText "Test: Checking PHP allow_url_include option"
|
||||||
@ -333,7 +333,7 @@
|
|||||||
# - test disabled for time being, as newer suhosin7 work is not stable enough -
|
# - test disabled for time being, as newer suhosin7 work is not stable enough -
|
||||||
# Test : PHP-2379
|
# Test : PHP-2379
|
||||||
# Description : Check PHP suhosin extension status
|
# Description : Check PHP suhosin extension status
|
||||||
#if [ ! -z "${PHPINI_ALLFILES}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
#if [ -n "${PHPINI_ALLFILES}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||||
#Register --test-no PHP-2379 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check PHP suhosin extension status"
|
#Register --test-no PHP-2379 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check PHP suhosin extension status"
|
||||||
|
|
||||||
#if [ ${SKIPTEST} -eq 0 ]; then
|
#if [ ${SKIPTEST} -eq 0 ]; then
|
||||||
@ -365,14 +365,14 @@
|
|||||||
# fi
|
# fi
|
||||||
|
|
||||||
# # Check Suhosin for PHP 7
|
# # Check Suhosin for PHP 7
|
||||||
# if [ ! -z "${MAJOR_VERSION}" -a ${FOUND} -eq 1 ]; then
|
# if [ -n "${MAJOR_VERSION}" -a ${FOUND} -eq 1 ]; then
|
||||||
# LogText "Test: Check Suhosin for PHP 7 is not enabled"
|
# LogText "Test: Check Suhosin for PHP 7 is not enabled"
|
||||||
# LogText "Result: Suhosin for PHP 7 is in alpha stage and should not be used in production"
|
# LogText "Result: Suhosin for PHP 7 is in alpha stage and should not be used in production"
|
||||||
# ReportSuggestion ${TEST_NO} "Disable Suhosin for PHP 7"
|
# ReportSuggestion ${TEST_NO} "Disable Suhosin for PHP 7"
|
||||||
# Display --indent 4 --text "- Checking PHP suhosin extension status" --result "${STATUS_WARNING}" --color RED
|
# Display --indent 4 --text "- Checking PHP suhosin extension status" --result "${STATUS_WARNING}" --color RED
|
||||||
# Display --indent 6 --text "- Suhosin is enabled for PHP 7" --result "${STATUS_WARNING}" --color RED
|
# Display --indent 6 --text "- Suhosin is enabled for PHP 7" --result "${STATUS_WARNING}" --color RED
|
||||||
# AddHP 0 1
|
# AddHP 0 1
|
||||||
# elif [ ! -z "${MAJOR_VERSION}" -a ${FOUND} -eq 0 ]; then
|
# elif [ -n "${MAJOR_VERSION}" -a ${FOUND} -eq 0 ]; then
|
||||||
# LogText "Test: Check Suhosin for PHP 7 is not enabled"
|
# LogText "Test: Check Suhosin for PHP 7 is not enabled"
|
||||||
# LogText "Result: Suhosin for PHP 7 is not enabled"
|
# LogText "Result: Suhosin for PHP 7 is not enabled"
|
||||||
# Display --indent 4 --text "- Checking PHP suhosin extension status" --result "${STATUS_OK}" --color GREEN
|
# Display --indent 4 --text "- Checking PHP suhosin extension status" --result "${STATUS_OK}" --color GREEN
|
||||||
|
|||||||
@ -88,7 +88,7 @@
|
|||||||
# Test : PKGS-7303
|
# Test : PKGS-7303
|
||||||
# Description : Query brew package manager
|
# Description : Query brew package manager
|
||||||
FIND=$(which brew 2> /dev/null | grep -v "no [^ ]* in ")
|
FIND=$(which brew 2> /dev/null | grep -v "no [^ ]* in ")
|
||||||
if [ ! -z "${FIND}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
if [ -n "${FIND}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||||
Register --test-no PKGS-7303 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Query brew package manager"
|
Register --test-no PKGS-7303 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Query brew package manager"
|
||||||
if [ ${SKIPTEST} -eq 0 ]; then
|
if [ ${SKIPTEST} -eq 0 ]; then
|
||||||
Display --indent 4 --text "- Searching brew" --result "${STATUS_FOUND}" --color GREEN
|
Display --indent 4 --text "- Searching brew" --result "${STATUS_FOUND}" --color GREEN
|
||||||
@ -158,7 +158,7 @@
|
|||||||
#
|
#
|
||||||
# Test : PKGS-7308
|
# Test : PKGS-7308
|
||||||
# Description : RPM package based systems
|
# Description : RPM package based systems
|
||||||
if [ ! -z "${RPMBINARY}" -a -z "${DNFBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
if [ -n "${RPMBINARY}" -a -z "${DNFBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||||
Register --test-no PKGS-7308 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking package list with RPM"
|
Register --test-no PKGS-7308 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking package list with RPM"
|
||||||
if [ ${SKIPTEST} -eq 0 ]; then
|
if [ ${SKIPTEST} -eq 0 ]; then
|
||||||
COUNT=0
|
COUNT=0
|
||||||
@ -191,7 +191,7 @@
|
|||||||
#
|
#
|
||||||
# Test : PKGS-7310
|
# Test : PKGS-7310
|
||||||
# Description : pacman package based systems
|
# Description : pacman package based systems
|
||||||
if [ ! -z "${PACMANBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
if [ -n "${PACMANBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||||
Register --test-no PKGS-7310 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking package list with pacman"
|
Register --test-no PKGS-7310 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking package list with pacman"
|
||||||
if [ ${SKIPTEST} -eq 0 ]; then
|
if [ ${SKIPTEST} -eq 0 ]; then
|
||||||
COUNT=0
|
COUNT=0
|
||||||
@ -222,12 +222,12 @@
|
|||||||
#
|
#
|
||||||
# Test : PKGS-7312
|
# Test : PKGS-7312
|
||||||
# Description : Check for available package updates when pacman package is used
|
# Description : Check for available package updates when pacman package is used
|
||||||
if [ ! -z "${PACMANBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
if [ -n "${PACMANBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||||
Register --test-no PKGS-7312 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking available updates for pacman based system"
|
Register --test-no PKGS-7312 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking available updates for pacman based system"
|
||||||
if [ ${SKIPTEST} -eq 0 ]; then
|
if [ ${SKIPTEST} -eq 0 ]; then
|
||||||
FOUND=0
|
FOUND=0
|
||||||
FIND=$(which checkupdates 2> /dev/null | grep -v "no [^ ]* in ")
|
FIND=$(which checkupdates 2> /dev/null | grep -v "no [^ ]* in ")
|
||||||
if [ ! -z "${FIND}" ]; then
|
if [ -n "${FIND}" ]; then
|
||||||
FIND=$(checkupdates)
|
FIND=$(checkupdates)
|
||||||
for I in ${FIND}; do
|
for I in ${FIND}; do
|
||||||
LogText "Result: update available for ${I}"
|
LogText "Result: update available for ${I}"
|
||||||
@ -252,7 +252,7 @@
|
|||||||
# Test : PKGS-7314
|
# Test : PKGS-7314
|
||||||
# Description : Check pacman.conf options
|
# Description : Check pacman.conf options
|
||||||
PACMANCONF="/etc/pacman.conf"
|
PACMANCONF="/etc/pacman.conf"
|
||||||
if [ ! -z "${PACMANBINARY}" -a -f ${PACMANCONF} ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
if [ -n "${PACMANBINARY}" -a -f ${PACMANCONF} ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||||
Register --test-no PKGS-7314 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking pacman configuration options"
|
Register --test-no PKGS-7314 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking pacman configuration options"
|
||||||
if [ ${SKIPTEST} -eq 0 ]; then
|
if [ ${SKIPTEST} -eq 0 ]; then
|
||||||
COUNT=0
|
COUNT=0
|
||||||
@ -315,7 +315,7 @@
|
|||||||
#
|
#
|
||||||
# Test : PKGS-7322
|
# Test : PKGS-7322
|
||||||
# Description : Discover vulnerable packages with arch-audit
|
# Description : Discover vulnerable packages with arch-audit
|
||||||
if [ ! -z "${ARCH_AUDIT_BINARY}" ]; then PREQS_MET="YES"; SKIPREASON=""; else PREQS_MET="NO"; SKIPREASON="arch-audit not found"; fi
|
if [ -n "${ARCH_AUDIT_BINARY}" ]; then PREQS_MET="YES"; SKIPREASON=""; else PREQS_MET="NO"; SKIPREASON="arch-audit not found"; fi
|
||||||
Register --test-no PKGS-7322 --os "Linux" --preqs-met ${PREQS_MET} --skip-reason "${SKIPREASON}" --weight L --network NO --category security --description "Discover vulnerable packages with arch-audit"
|
Register --test-no PKGS-7322 --os "Linux" --preqs-met ${PREQS_MET} --skip-reason "${SKIPREASON}" --weight L --network NO --category security --description "Discover vulnerable packages with arch-audit"
|
||||||
if [ ${SKIPTEST} -eq 0 ]; then
|
if [ ${SKIPTEST} -eq 0 ]; then
|
||||||
LogText "Test: checking arch-audit output for vulnerable packages"
|
LogText "Test: checking arch-audit output for vulnerable packages"
|
||||||
@ -338,14 +338,14 @@
|
|||||||
#
|
#
|
||||||
# Test : PKGS-7328
|
# Test : PKGS-7328
|
||||||
# Description : Check installed packages with Zypper
|
# Description : Check installed packages with Zypper
|
||||||
if [ ! -z "${ZYPPERBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
if [ -n "${ZYPPERBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||||
Register --test-no PKGS-7328 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Querying Zypper for installed packages"
|
Register --test-no PKGS-7328 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Querying Zypper for installed packages"
|
||||||
if [ ${SKIPTEST} -eq 0 ]; then
|
if [ ${SKIPTEST} -eq 0 ]; then
|
||||||
COUNT=0
|
COUNT=0
|
||||||
PACKAGE_AUDIT_TOOL_FOUND=1
|
PACKAGE_AUDIT_TOOL_FOUND=1
|
||||||
PACKAGE_AUDIT_TOOL="zypper"
|
PACKAGE_AUDIT_TOOL="zypper"
|
||||||
FIND=$(${ZYPPERBINARY} --non-interactive -n se -t package -i | ${AWKBINARY} '{ if ($1=="i") { print $3 } }')
|
FIND=$(${ZYPPERBINARY} --non-interactive -n se -t package -i | ${AWKBINARY} '{ if ($1=="i") { print $3 } }')
|
||||||
if [ ! -z "${FIND}" ]; then
|
if [ -n "${FIND}" ]; then
|
||||||
for PKG in ${FIND}; do
|
for PKG in ${FIND}; do
|
||||||
COUNT=$((COUNT + 1))
|
COUNT=$((COUNT + 1))
|
||||||
LogText "Installed package: ${PKG}"
|
LogText "Installed package: ${PKG}"
|
||||||
@ -362,11 +362,11 @@
|
|||||||
#
|
#
|
||||||
# Test : PKGS-7330
|
# Test : PKGS-7330
|
||||||
# Description : Check vulnerable packages with Zypper
|
# Description : Check vulnerable packages with Zypper
|
||||||
if [ ! -z "${ZYPPERBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
if [ -n "${ZYPPERBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||||
Register --test-no PKGS-7330 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Querying Zypper for vulnerable packages"
|
Register --test-no PKGS-7330 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Querying Zypper for vulnerable packages"
|
||||||
if [ ${SKIPTEST} -eq 0 ]; then
|
if [ ${SKIPTEST} -eq 0 ]; then
|
||||||
FIND=$(${ZYPPERBINARY} --non-interactive pchk | ${GREPBINARY} "(0 security patches)")
|
FIND=$(${ZYPPERBINARY} --non-interactive pchk | ${GREPBINARY} "(0 security patches)")
|
||||||
if [ ! -z "${FIND}" ]; then
|
if [ -n "${FIND}" ]; then
|
||||||
LogText "Result: No security updates found with Zypper"
|
LogText "Result: No security updates found with Zypper"
|
||||||
Display --indent 2 --text "- Using Zypper to find vulnerable packages" --result "${STATUS_NONE}" --color GREEN
|
Display --indent 2 --text "- Using Zypper to find vulnerable packages" --result "${STATUS_NONE}" --color GREEN
|
||||||
else
|
else
|
||||||
@ -520,7 +520,7 @@
|
|||||||
# Test : PKGS-7350
|
# Test : PKGS-7350
|
||||||
# Description : Use Dandified YUM to gather installed packages
|
# Description : Use Dandified YUM to gather installed packages
|
||||||
# Notes : Possible replacement for YUM in the long term
|
# Notes : Possible replacement for YUM in the long term
|
||||||
if [ ! -z "${DNFBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
if [ -n "${DNFBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||||
Register --test-no "PKGS-7350" --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking for installed packages with DNF utility"
|
Register --test-no "PKGS-7350" --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking for installed packages with DNF utility"
|
||||||
if [ ${SKIPTEST} -eq 0 ]; then
|
if [ ${SKIPTEST} -eq 0 ]; then
|
||||||
COUNT=0
|
COUNT=0
|
||||||
@ -546,13 +546,13 @@
|
|||||||
#
|
#
|
||||||
# Test : PKGS-7352
|
# Test : PKGS-7352
|
||||||
# Description : Use Dandified YUM to detect security updates
|
# Description : Use Dandified YUM to detect security updates
|
||||||
if [ ! -z "${DNFBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
if [ -n "${DNFBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||||
Register --test-no "PKGS-7352" --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking for security updates with DNF utility"
|
Register --test-no "PKGS-7352" --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking for security updates with DNF utility"
|
||||||
if [ ${SKIPTEST} -eq 0 ]; then
|
if [ ${SKIPTEST} -eq 0 ]; then
|
||||||
# Check for security updates
|
# Check for security updates
|
||||||
LogText "Action: checking updateinfo for security updates"
|
LogText "Action: checking updateinfo for security updates"
|
||||||
FIND=$(${DNFBINARY} -q updateinfo list sec 2> /dev/null | ${AWKBINARY} '{ if ($2=="security") { print $3 }}')
|
FIND=$(${DNFBINARY} -q updateinfo list sec 2> /dev/null | ${AWKBINARY} '{ if ($2=="security") { print $3 }}')
|
||||||
if [ ! -z "${FIND}" ]; then
|
if [ -n "${FIND}" ]; then
|
||||||
VULNERABLE_PACKAGES_FOUND=1
|
VULNERABLE_PACKAGES_FOUND=1
|
||||||
LogText "Result: found vulnerable packages, upgrade of system needed."
|
LogText "Result: found vulnerable packages, upgrade of system needed."
|
||||||
for PKG in ${FIND}; do
|
for PKG in ${FIND}; do
|
||||||
@ -574,20 +574,20 @@
|
|||||||
#
|
#
|
||||||
# Test : PKGS-7354
|
# Test : PKGS-7354
|
||||||
# Description : Perform integrity tests for package database
|
# Description : Perform integrity tests for package database
|
||||||
if [ ! -z "${DNFBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
if [ -n "${DNFBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||||
Register --test-no "PKGS-7354" --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking package database integrity"
|
Register --test-no "PKGS-7354" --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking package database integrity"
|
||||||
if [ ${SKIPTEST} -eq 0 ]; then
|
if [ ${SKIPTEST} -eq 0 ]; then
|
||||||
# Check if repoquery plugin is available
|
# Check if repoquery plugin is available
|
||||||
FIND=$(${DNFBINARY} 2>&1 | ${GREPBINARY} "^repoquery")
|
FIND=$(${DNFBINARY} 2>&1 | ${GREPBINARY} "^repoquery")
|
||||||
if [ ! -z "${FIND}" ]; then
|
if [ -n "${FIND}" ]; then
|
||||||
LogText "Action: checking integrity of package database"
|
LogText "Action: checking integrity of package database"
|
||||||
FIND=$(${DNFBINARY} -q repoquery --duplicated)
|
FIND=$(${DNFBINARY} -q repoquery --duplicated)
|
||||||
if [ ! -z "${FIND}" ]; then
|
if [ -n "${FIND}" ]; then
|
||||||
LogText "Result: found unexpected result on repoquery --duplicated"
|
LogText "Result: found unexpected result on repoquery --duplicated"
|
||||||
ReportSuggestion "${TEST_NO}" "Check output of: dnf repoquery --duplicated"
|
ReportSuggestion "${TEST_NO}" "Check output of: dnf repoquery --duplicated"
|
||||||
fi
|
fi
|
||||||
FIND=$(${DNFBINARY} -q repoquery --unsatisfied)
|
FIND=$(${DNFBINARY} -q repoquery --unsatisfied)
|
||||||
if [ ! -z "${FIND}" ]; then
|
if [ -n "${FIND}" ]; then
|
||||||
LogText "Result: found unexpected result on repoquery --unsatisfied"
|
LogText "Result: found unexpected result on repoquery --unsatisfied"
|
||||||
ReportSuggestion "${TEST_NO}" "Check output of: dnf repoquery --unsatisfied"
|
ReportSuggestion "${TEST_NO}" "Check output of: dnf repoquery --unsatisfied"
|
||||||
fi
|
fi
|
||||||
@ -600,17 +600,17 @@
|
|||||||
#
|
#
|
||||||
# Test : PKGS-7366
|
# Test : PKGS-7366
|
||||||
# Description : Checking if debsecan is installed and enabled on Debian systems
|
# Description : Checking if debsecan is installed and enabled on Debian systems
|
||||||
if [ ! -z "${DEBSECANBINARY}" -a "${OS}" = "Linux" -a "${LINUX_VERSION}" = "Debian" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
if [ -n "${DEBSECANBINARY}" -a "${OS}" = "Linux" -a "${LINUX_VERSION}" = "Debian" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||||
Register --test-no "PKGS-7366" --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking for debsecan utility"
|
Register --test-no "PKGS-7366" --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking for debsecan utility"
|
||||||
if [ ${SKIPTEST} -eq 0 ]; then
|
if [ ${SKIPTEST} -eq 0 ]; then
|
||||||
if [ ! -z "${DEBSECANBINARY}" ]; then
|
if [ -n "${DEBSECANBINARY}" ]; then
|
||||||
LogText "Result: debsecan utility is installed"
|
LogText "Result: debsecan utility is installed"
|
||||||
Display --indent 4 --text "- debsecan utility" --result "${STATUS_FOUND}" --color GREEN
|
Display --indent 4 --text "- debsecan utility" --result "${STATUS_FOUND}" --color GREEN
|
||||||
AddHP 3 3
|
AddHP 3 3
|
||||||
PACKAGE_AUDIT_TOOL_FOUND=1
|
PACKAGE_AUDIT_TOOL_FOUND=1
|
||||||
PACKAGE_AUDIT_TOOL="debsecan"
|
PACKAGE_AUDIT_TOOL="debsecan"
|
||||||
FIND=$(${FINDBINARY} ${ROOTDIR}etc/cron* -name debsecan)
|
FIND=$(${FINDBINARY} ${ROOTDIR}etc/cron* -name debsecan)
|
||||||
if [ ! -z "${FIND}" ]; then
|
if [ -n "${FIND}" ]; then
|
||||||
LogText "Result: cron job is configured for debsecan"
|
LogText "Result: cron job is configured for debsecan"
|
||||||
Display --indent 6 --text "- debsecan cron job" --result "${STATUS_FOUND}" --color GREEN
|
Display --indent 6 --text "- debsecan cron job" --result "${STATUS_FOUND}" --color GREEN
|
||||||
AddHP 3 3
|
AddHP 3 3
|
||||||
@ -633,10 +633,10 @@
|
|||||||
# Test : PKGS-7370
|
# Test : PKGS-7370
|
||||||
# Description : Checking debsums installation status and presence in cron job
|
# Description : Checking debsums installation status and presence in cron job
|
||||||
# Note : Run this only when it is a DPKG based system
|
# Note : Run this only when it is a DPKG based system
|
||||||
if [ ! -z "${DPKGBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
if [ -n "${DPKGBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||||
Register --test-no "PKGS-7370" --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking for debsums utility"
|
Register --test-no "PKGS-7370" --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking for debsums utility"
|
||||||
if [ ${SKIPTEST} -eq 0 ]; then
|
if [ ${SKIPTEST} -eq 0 ]; then
|
||||||
if [ ! -z "${DEBSUMSBINARY}" ]; then
|
if [ -n "${DEBSUMSBINARY}" ]; then
|
||||||
LogText "Result: debsums utility is installed"
|
LogText "Result: debsums utility is installed"
|
||||||
Display --indent 4 --text "- debsums utility" --result "${STATUS_FOUND}" --color GREEN
|
Display --indent 4 --text "- debsums utility" --result "${STATUS_FOUND}" --color GREEN
|
||||||
AddHP 1 1
|
AddHP 1 1
|
||||||
@ -728,7 +728,7 @@
|
|||||||
# Description : Check for vulnerable FreeBSD packages (with pkg)
|
# Description : Check for vulnerable FreeBSD packages (with pkg)
|
||||||
# Notes : Related vulnerability file is /var/db/pkg/vuln.xml
|
# Notes : Related vulnerability file is /var/db/pkg/vuln.xml
|
||||||
# TODO : Run this in any jail
|
# TODO : Run this in any jail
|
||||||
if [ ! -z "${PKG_BINARY}" ]; then PREQS_MET="YES"; SKIPREASON=""; else PREQS_MET="NO"; SKIPREASON="pkg tool not available"; fi
|
if [ -n "${PKG_BINARY}" ]; then PREQS_MET="YES"; SKIPREASON=""; else PREQS_MET="NO"; SKIPREASON="pkg tool not available"; fi
|
||||||
Register --test-no PKGS-7381 --preqs-met ${PREQS_MET} --skip-reason "${SKIPREASON}" --weight L --network NO --category security --description "Check for vulnerable FreeBSD packages with pkg"
|
Register --test-no PKGS-7381 --preqs-met ${PREQS_MET} --skip-reason "${SKIPREASON}" --weight L --network NO --category security --description "Check for vulnerable FreeBSD packages with pkg"
|
||||||
if [ ${SKIPTEST} -eq 0 ]; then
|
if [ ${SKIPTEST} -eq 0 ]; then
|
||||||
COUNT=0
|
COUNT=0
|
||||||
@ -746,7 +746,7 @@
|
|||||||
Display --indent 2 --text "- Checking pkg audit to obtain vulnerable packages" --result "${STATUS_NONE}" --color GREEN
|
Display --indent 2 --text "- Checking pkg audit to obtain vulnerable packages" --result "${STATUS_NONE}" --color GREEN
|
||||||
AddHP 10 10
|
AddHP 10 10
|
||||||
elif [ $? -eq 1 ]; then
|
elif [ $? -eq 1 ]; then
|
||||||
if [ ! -z "${FIND}" ]; then
|
if [ -n "${FIND}" ]; then
|
||||||
VULNERABLE_PACKAGES_FOUND=1
|
VULNERABLE_PACKAGES_FOUND=1
|
||||||
Display --indent 2 --text "- Checking pkg audit to obtain vulnerable packages" --result "${STATUS_FOUND}" --color YELLOW
|
Display --indent 2 --text "- Checking pkg audit to obtain vulnerable packages" --result "${STATUS_FOUND}" --color YELLOW
|
||||||
for ITEM in ${FIND}; do
|
for ITEM in ${FIND}; do
|
||||||
@ -804,7 +804,7 @@
|
|||||||
# Test : PKGS-7383
|
# Test : PKGS-7383
|
||||||
# Description : Check for YUM package Update management
|
# Description : Check for YUM package Update management
|
||||||
# Notes : Skip if DNF is used as package manager
|
# Notes : Skip if DNF is used as package manager
|
||||||
if [ ! -z "${YUMBINARY}" -a -z "${DNFBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
if [ -n "${YUMBINARY}" -a -z "${DNFBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||||
Register --test-no PKGS-7383 --preqs-met ${PREQS_MET} --os Linux --weight M --network NO --category security --description "Check for YUM package update management"
|
Register --test-no PKGS-7383 --preqs-met ${PREQS_MET} --os Linux --weight M --network NO --category security --description "Check for YUM package update management"
|
||||||
if [ ${SKIPTEST} -eq 0 ]; then
|
if [ ${SKIPTEST} -eq 0 ]; then
|
||||||
LogText "Test: YUM package update management"
|
LogText "Test: YUM package update management"
|
||||||
@ -823,7 +823,7 @@
|
|||||||
#
|
#
|
||||||
# Test : PKGS-7384
|
# Test : PKGS-7384
|
||||||
# Description : Search for YUM utils package
|
# Description : Search for YUM utils package
|
||||||
if [ ! -z "${YUMBINARY}" -a -z "${DNFBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
if [ -n "${YUMBINARY}" -a -z "${DNFBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||||
Register --test-no PKGS-7384 --preqs-met ${PREQS_MET} --os Linux --weight L --network NO --category security --description "Check for YUM utils package"
|
Register --test-no PKGS-7384 --preqs-met ${PREQS_MET} --os Linux --weight L --network NO --category security --description "Check for YUM utils package"
|
||||||
if [ ${SKIPTEST} -eq 0 ]; then
|
if [ ${SKIPTEST} -eq 0 ]; then
|
||||||
# package-cleanup tool can be found in different locations
|
# package-cleanup tool can be found in different locations
|
||||||
@ -903,7 +903,7 @@
|
|||||||
# Check if it's installed as package (this is old style)
|
# Check if it's installed as package (this is old style)
|
||||||
if [ ${DO_TEST} -eq 0 ]; then
|
if [ ${DO_TEST} -eq 0 ]; then
|
||||||
FIND=$(rpm -q yum-security yum-plugin-security | ${GREPBINARY} -v "not installed")
|
FIND=$(rpm -q yum-security yum-plugin-security | ${GREPBINARY} -v "not installed")
|
||||||
if [ ! -z "${FIND}" ]; then
|
if [ -n "${FIND}" ]; then
|
||||||
LogText "Result: found yum-plugin-security package"
|
LogText "Result: found yum-plugin-security package"
|
||||||
DO_TEST=1
|
DO_TEST=1
|
||||||
fi
|
fi
|
||||||
@ -943,7 +943,7 @@
|
|||||||
if [ -x ${ROOTDIR}usr/bin/yum -a -z "${DNFBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
if [ -x ${ROOTDIR}usr/bin/yum -a -z "${DNFBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||||
Register --test-no PKGS-7387 --preqs-met ${PREQS_MET} --os Linux --weight L --network NO --category security --description "Check for GPG signing in YUM security package"
|
Register --test-no PKGS-7387 --preqs-met ${PREQS_MET} --os Linux --weight L --network NO --category security --description "Check for GPG signing in YUM security package"
|
||||||
if [ ${SKIPTEST} -eq 0 ]; then
|
if [ ${SKIPTEST} -eq 0 ]; then
|
||||||
if [ ! -z "${PYTHONBINARY}" ]; then
|
if [ -n "${PYTHONBINARY}" ]; then
|
||||||
LogText "Test: checking enabled repositories"
|
LogText "Test: checking enabled repositories"
|
||||||
REPOS=$(${PYTHONBINARY} -c 'import yum ; yb = yum.YumBase() ; yb.conf ; print [(r.id + "=" + str(r.gpgcheck)) for r in yb.repos.listEnabled()]' | ${GREPBINARY} "^\[" | ${TRBINARY} -d '[] ' | ${TRBINARY} -d "'" | ${SEDBINARY} 's/,/ /g')
|
REPOS=$(${PYTHONBINARY} -c 'import yum ; yb = yum.YumBase() ; yb.conf ; print [(r.id + "=" + str(r.gpgcheck)) for r in yb.repos.listEnabled()]' | ${GREPBINARY} "^\[" | ${TRBINARY} -d '[] ' | ${TRBINARY} -d "'" | ${SEDBINARY} 's/,/ /g')
|
||||||
if [ -z "${REPOS}" ]; then LogText "Result: found no repositories"; fi
|
if [ -z "${REPOS}" ]; then LogText "Result: found no repositories"; fi
|
||||||
@ -991,7 +991,7 @@
|
|||||||
if [ -f ${ROOTDIR}etc/apt/sources.list ]; then
|
if [ -f ${ROOTDIR}etc/apt/sources.list ]; then
|
||||||
LogText "Searching for security.debian.org/security.ubuntu.com or security repositories in /etc/apt/sources.list file"
|
LogText "Searching for security.debian.org/security.ubuntu.com or security repositories in /etc/apt/sources.list file"
|
||||||
FIND=$(${EGREPBINARY} "security.debian.org|security.ubuntu.com|security/? " ${ROOTDIR}etc/apt/sources.list | ${GREPBINARY} -v '#' | ${SEDBINARY} 's/ /!space!/g')
|
FIND=$(${EGREPBINARY} "security.debian.org|security.ubuntu.com|security/? " ${ROOTDIR}etc/apt/sources.list | ${GREPBINARY} -v '#' | ${SEDBINARY} 's/ /!space!/g')
|
||||||
if [ ! -z "${FIND}" ]; then
|
if [ -n "${FIND}" ]; then
|
||||||
FOUND=1
|
FOUND=1
|
||||||
Display --indent 2 --text "- Checking security repository in sources.list file" --result "${STATUS_OK}" --color GREEN
|
Display --indent 2 --text "- Checking security repository in sources.list file" --result "${STATUS_OK}" --color GREEN
|
||||||
LogText "Result: Found security repository in ${ROOTDIR}etc/apt/sources.list"
|
LogText "Result: Found security repository in ${ROOTDIR}etc/apt/sources.list"
|
||||||
@ -1004,7 +1004,7 @@
|
|||||||
if [ -d /etc/apt/sources.list.d ]; then
|
if [ -d /etc/apt/sources.list.d ]; then
|
||||||
LogText "Searching for security.debian.org/security.ubuntu.com or security repositories in /etc/apt/sources.list.d directory"
|
LogText "Searching for security.debian.org/security.ubuntu.com or security repositories in /etc/apt/sources.list.d directory"
|
||||||
FIND=$(${EGREPBINARY} -r "security.debian.org|security.ubuntu.com|security/? " /etc/apt/sources.list.d | ${GREPBINARY} -v '#' | ${SEDBINARY} 's/ /!space!/g')
|
FIND=$(${EGREPBINARY} -r "security.debian.org|security.ubuntu.com|security/? " /etc/apt/sources.list.d | ${GREPBINARY} -v '#' | ${SEDBINARY} 's/ /!space!/g')
|
||||||
if [ ! -z "${FIND}" ]; then
|
if [ -n "${FIND}" ]; then
|
||||||
FOUND=1
|
FOUND=1
|
||||||
Display --indent 2 --text "- Checking security repository in sources.list.d directory" --result "${STATUS_OK}" --color GREEN
|
Display --indent 2 --text "- Checking security repository in sources.list.d directory" --result "${STATUS_OK}" --color GREEN
|
||||||
LogText "Result: Found security repository in one or more files in directory /etc/apt/sources.list.d"
|
LogText "Result: Found security repository in one or more files in directory /etc/apt/sources.list.d"
|
||||||
@ -1100,7 +1100,7 @@
|
|||||||
# Trying also with apt-get directly (does not always work, as updates are distributed on both -security and -updates)
|
# Trying also with apt-get directly (does not always work, as updates are distributed on both -security and -updates)
|
||||||
# Show packages which would be upgraded and match 'security' in repository name
|
# Show packages which would be upgraded and match 'security' in repository name
|
||||||
FIND=$(${ROOTDIR}usr/bin/apt-get --dry-run --show-upgraded upgrade 2> /dev/null | ${GREPBINARY} '-security' | ${GREPBINARY} "^Inst" | ${CUTBINARY} -d ' ' -f2 | ${SORTBINARY} -u)
|
FIND=$(${ROOTDIR}usr/bin/apt-get --dry-run --show-upgraded upgrade 2> /dev/null | ${GREPBINARY} '-security' | ${GREPBINARY} "^Inst" | ${CUTBINARY} -d ' ' -f2 | ${SORTBINARY} -u)
|
||||||
if [ ! -z "${FIND}" ]; then
|
if [ -n "${FIND}" ]; then
|
||||||
VULNERABLE_PACKAGES_FOUND=1
|
VULNERABLE_PACKAGES_FOUND=1
|
||||||
SCAN_PERFORMED=1
|
SCAN_PERFORMED=1
|
||||||
LogText "Result: found vulnerable package(s) via apt-get (-security channel)"
|
LogText "Result: found vulnerable package(s) via apt-get (-security channel)"
|
||||||
@ -1247,7 +1247,7 @@
|
|||||||
KERNELS=0
|
KERNELS=0
|
||||||
LogText "Test: Checking how many kernel packages are installed"
|
LogText "Test: Checking how many kernel packages are installed"
|
||||||
|
|
||||||
if [ ! -z "${DPKGBINARY}" ]; then
|
if [ -n "${DPKGBINARY}" ]; then
|
||||||
KERNELS=$(${DPKGBINARY} -l 2> /dev/null | ${GREPBINARY} "linux-image-[0-9]" | ${WCBINARY} -l)
|
KERNELS=$(${DPKGBINARY} -l 2> /dev/null | ${GREPBINARY} "linux-image-[0-9]" | ${WCBINARY} -l)
|
||||||
if [ ${KERNELS} -eq 0 ]; then
|
if [ ${KERNELS} -eq 0 ]; then
|
||||||
LogText "Result: found no kernels from dpkg -l output, which is unexpected"
|
LogText "Result: found no kernels from dpkg -l output, which is unexpected"
|
||||||
@ -1258,7 +1258,7 @@
|
|||||||
else
|
else
|
||||||
LogText "Result: found ${KERNELS} kernel packages on the system, which is fine"
|
LogText "Result: found ${KERNELS} kernel packages on the system, which is fine"
|
||||||
fi
|
fi
|
||||||
elif [ ! -z "${RPMBINARY}" ]; then
|
elif [ -n "${RPMBINARY}" ]; then
|
||||||
KERNELS=$(${RPMBINARY} -q kernel 2> /dev/null | ${WCBINARY} -l)
|
KERNELS=$(${RPMBINARY} -q kernel 2> /dev/null | ${WCBINARY} -l)
|
||||||
if [ ${KERNELS} -eq 0 ]; then
|
if [ ${KERNELS} -eq 0 ]; then
|
||||||
LogText "Result: found no kernels from rpm -q kernel output, which is unexpected"
|
LogText "Result: found no kernels from rpm -q kernel output, which is unexpected"
|
||||||
|
|||||||
@ -211,7 +211,7 @@
|
|||||||
FileIsReadable ${QDAEMON_CONFIG_FILE}
|
FileIsReadable ${QDAEMON_CONFIG_FILE}
|
||||||
if [ ${CANREAD} -eq 1 ]; then
|
if [ ${CANREAD} -eq 1 ]; then
|
||||||
FIND=$(${GREPBINARY} -v "^\*" ${QDAEMON_CONFIG_FILE} | ${EGREPBINARY} "backend|device")
|
FIND=$(${GREPBINARY} -v "^\*" ${QDAEMON_CONFIG_FILE} | ${EGREPBINARY} "backend|device")
|
||||||
if [ ! -z "${FIND}" ]; then
|
if [ -n "${FIND}" ]; then
|
||||||
LogText "Result: printers are defined in ${QDAEMON_CONFIG_FILE}"
|
LogText "Result: printers are defined in ${QDAEMON_CONFIG_FILE}"
|
||||||
Display --indent 2 --text "- Checking /etc/qconfig file" --result "${STATUS_FOUND}" --color GREEN
|
Display --indent 2 --text "- Checking /etc/qconfig file" --result "${STATUS_FOUND}" --color GREEN
|
||||||
QDAEMON_CONFIG_ENABLED=1
|
QDAEMON_CONFIG_ENABLED=1
|
||||||
@ -279,7 +279,7 @@
|
|||||||
#################################################################################
|
#################################################################################
|
||||||
#
|
#
|
||||||
|
|
||||||
if [ ! -z ${PRINTING_DAEMON} ]; then Report "printing_daemon=${PRINTING_DAEMON}"; fi
|
if [ -n ${PRINTING_DAEMON} ]; then Report "printing_daemon=${PRINTING_DAEMON}"; fi
|
||||||
|
|
||||||
WaitForKeyPress
|
WaitForKeyPress
|
||||||
|
|
||||||
|
|||||||
@ -170,7 +170,7 @@
|
|||||||
if [ -f /etc/anacrontab ]; then
|
if [ -f /etc/anacrontab ]; then
|
||||||
LogText "Test: checking anacrontab"
|
LogText "Test: checking anacrontab"
|
||||||
sANACRONJOBS=$(${EGREPBINARY} '^([0-9@])' /etc/anacrontab | ${TRBINARY} '\t' ' ' | ${TRBINARY} -s ' ' | ${TRBINARY} ' ' ',' | ${SORTBINARY})
|
sANACRONJOBS=$(${EGREPBINARY} '^([0-9@])' /etc/anacrontab | ${TRBINARY} '\t' ' ' | ${TRBINARY} -s ' ' | ${TRBINARY} ' ' ',' | ${SORTBINARY})
|
||||||
if [ ! -z "${sANACRONJOBS}" ]; then
|
if [ -n "${sANACRONJOBS}" ]; then
|
||||||
Report "scheduler[]=anacron"
|
Report "scheduler[]=anacron"
|
||||||
for I in ${sANACRONJOBS}; do
|
for I in ${sANACRONJOBS}; do
|
||||||
LogText "Found anacron job (/etc/anacrontab): ${I}"
|
LogText "Found anacron job (/etc/anacrontab): ${I}"
|
||||||
@ -201,7 +201,7 @@
|
|||||||
if [ ${SKIPTEST} -eq 0 ]; then
|
if [ ${SKIPTEST} -eq 0 ]; then
|
||||||
LogText "Test: Checking atd status"
|
LogText "Test: Checking atd status"
|
||||||
FIND=$(${PSBINARY} ax | ${GREPBINARY} "/atd" | ${GREPBINARY} -v "grep")
|
FIND=$(${PSBINARY} ax | ${GREPBINARY} "/atd" | ${GREPBINARY} -v "grep")
|
||||||
if [ ! -z "${FIND}" ]; then
|
if [ -n "${FIND}" ]; then
|
||||||
LogText "Result: at daemon active"
|
LogText "Result: at daemon active"
|
||||||
Display --indent 2 --text "- Checking atd status" --result "${STATUS_RUNNING}" --color GREEN
|
Display --indent 2 --text "- Checking atd status" --result "${STATUS_RUNNING}" --color GREEN
|
||||||
ATD_RUNNING=1
|
ATD_RUNNING=1
|
||||||
|
|||||||
@ -126,7 +126,7 @@
|
|||||||
FIND=$(${GREPBINARY} 'TMOUT=' ${ROOTDIR}etc/profile | ${TRBINARY} -d ' ' | ${TRBINARY} -d '\t' | ${GREPBINARY} -v "^#" | ${SEDBINARY} 's/export//' | ${SEDBINARY} 's/#.*//' | ${AWKBINARY} -F= '{ print $2 }')
|
FIND=$(${GREPBINARY} 'TMOUT=' ${ROOTDIR}etc/profile | ${TRBINARY} -d ' ' | ${TRBINARY} -d '\t' | ${GREPBINARY} -v "^#" | ${SEDBINARY} 's/export//' | ${SEDBINARY} 's/#.*//' | ${AWKBINARY} -F= '{ print $2 }')
|
||||||
# Determine if the value is exported (with export, readonly, or typeset)
|
# Determine if the value is exported (with export, readonly, or typeset)
|
||||||
FIND2=$(${GREPBINARY} '\(export\|readonly\|typeset -r\)[ \t]*TMOUT' ${ROOTDIR}etc/profile | ${GREPBINARY} -v "^#" | ${SEDBINARY} 's/#.*//' | ${AWKBINARY} '{ print $1 }')
|
FIND2=$(${GREPBINARY} '\(export\|readonly\|typeset -r\)[ \t]*TMOUT' ${ROOTDIR}etc/profile | ${GREPBINARY} -v "^#" | ${SEDBINARY} 's/#.*//' | ${AWKBINARY} '{ print $1 }')
|
||||||
if [ ! -z "${FIND}" ]; then
|
if [ -n "${FIND}" ]; then
|
||||||
N=0; IDLE_TIMEOUT=1
|
N=0; IDLE_TIMEOUT=1
|
||||||
for I in ${FIND}; do
|
for I in ${FIND}; do
|
||||||
LogText "Output: ${I}"
|
LogText "Output: ${I}"
|
||||||
@ -143,7 +143,7 @@
|
|||||||
LogText "Result: could not find TMOUT setting in ${ROOTDIR}etc/profile"
|
LogText "Result: could not find TMOUT setting in ${ROOTDIR}etc/profile"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ ! -z "${FIND2}" ]; then
|
if [ -n "${FIND2}" ]; then
|
||||||
N=0;
|
N=0;
|
||||||
for I in ${FIND2}; do
|
for I in ${FIND2}; do
|
||||||
LogText "Output: ${I}"
|
LogText "Output: ${I}"
|
||||||
@ -167,12 +167,12 @@
|
|||||||
|
|
||||||
if [ -d ${ROOTDIR}etc/profile.d ]; then
|
if [ -d ${ROOTDIR}etc/profile.d ]; then
|
||||||
FIND=$(${LSBINARY} ${ROOTDIR}etc/profile.d/*.sh 2> /dev/null)
|
FIND=$(${LSBINARY} ${ROOTDIR}etc/profile.d/*.sh 2> /dev/null)
|
||||||
if [ ! -z "${FIND}" ]; then
|
if [ -n "${FIND}" ]; then
|
||||||
# Determine if we can find a TMOUT value
|
# Determine if we can find a TMOUT value
|
||||||
FIND=$(${FINDBINARY} ${ROOTDIR}etc/profile.d -name "*.sh" -type f -exec cat {} \; 2> /dev/null | ${GREPBINARY} 'TMOUT=' | ${TRBINARY} -d ' ' | ${TRBINARY} -d '\t' | ${GREPBINARY} -v "^#" | ${SEDBINARY} 's/export//' | ${SEDBINARY} 's/#.*//' | ${AWKBINARY} -F= '{ print $2 }')
|
FIND=$(${FINDBINARY} ${ROOTDIR}etc/profile.d -name "*.sh" -type f -exec cat {} \; 2> /dev/null | ${GREPBINARY} 'TMOUT=' | ${TRBINARY} -d ' ' | ${TRBINARY} -d '\t' | ${GREPBINARY} -v "^#" | ${SEDBINARY} 's/export//' | ${SEDBINARY} 's/#.*//' | ${AWKBINARY} -F= '{ print $2 }')
|
||||||
# Determine if the value is exported (with export, readonly, or typeset)
|
# Determine if the value is exported (with export, readonly, or typeset)
|
||||||
FIND2=$(${FINDBINARY} ${ROOTDIR}etc/profile.d -name "*.sh" -type f -exec cat {} \; 2> /dev/null | ${GREPBINARY} '\(export\|readonly\|typeset -r\)[ \t]*TMOUT' | ${GREPBINARY} -v "^#" | ${SEDBINARY} 's/#.*//' | ${AWKBINARY} '{ print $1 }')
|
FIND2=$(${FINDBINARY} ${ROOTDIR}etc/profile.d -name "*.sh" -type f -exec cat {} \; 2> /dev/null | ${GREPBINARY} '\(export\|readonly\|typeset -r\)[ \t]*TMOUT' | ${GREPBINARY} -v "^#" | ${SEDBINARY} 's/#.*//' | ${AWKBINARY} '{ print $1 }')
|
||||||
if [ ! -z "${FIND}" ]; then
|
if [ -n "${FIND}" ]; then
|
||||||
N=0; IDLE_TIMEOUT=1
|
N=0; IDLE_TIMEOUT=1
|
||||||
for I in ${FIND}; do
|
for I in ${FIND}; do
|
||||||
LogText "Output: ${I}"
|
LogText "Output: ${I}"
|
||||||
@ -189,7 +189,7 @@
|
|||||||
LogText "Result: could not find TMOUT setting in ${ROOTDIR}etc/profile.d/*.sh"
|
LogText "Result: could not find TMOUT setting in ${ROOTDIR}etc/profile.d/*.sh"
|
||||||
fi
|
fi
|
||||||
# Check for readonly
|
# Check for readonly
|
||||||
if [ ! -z "${FIND2}" ]; then
|
if [ -n "${FIND2}" ]; then
|
||||||
N=0;
|
N=0;
|
||||||
for I in ${FIND2}; do
|
for I in ${FIND2}; do
|
||||||
LogText "Output: ${I}"
|
LogText "Output: ${I}"
|
||||||
@ -212,10 +212,10 @@
|
|||||||
LogText "Result: skip ${ROOTDIR}etc/profile.d directory test, directory not available on this system"
|
LogText "Result: skip ${ROOTDIR}etc/profile.d directory test, directory not available on this system"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ ! -z "${IDLE_TIMEOUT_METHOD}" ]; then
|
if [ -n "${IDLE_TIMEOUT_METHOD}" ]; then
|
||||||
Report "session_timeout_method[]=${IDLE_TIMEOUT_METHOD}"
|
Report "session_timeout_method[]=${IDLE_TIMEOUT_METHOD}"
|
||||||
fi
|
fi
|
||||||
if [ ! -z "${IDLE_TIMEOUT_READONLY}" ]; then
|
if [ -n "${IDLE_TIMEOUT_READONLY}" ]; then
|
||||||
Report "session_timeout_set_readonly=${IDLE_TIMEOUT_READONLY}"
|
Report "session_timeout_set_readonly=${IDLE_TIMEOUT_READONLY}"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
|||||||
@ -74,7 +74,7 @@
|
|||||||
#
|
#
|
||||||
# Test : SNMP-3306
|
# Test : SNMP-3306
|
||||||
# Description : Determine SNMP communities
|
# Description : Determine SNMP communities
|
||||||
if [ ! -z "${SNMP_DAEMON_CONFIG}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
if [ -n "${SNMP_DAEMON_CONFIG}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||||
Register --test-no SNMP-3306 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check SNMP communities"
|
Register --test-no SNMP-3306 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check SNMP communities"
|
||||||
if [ ${SKIPTEST} -eq 0 ]; then
|
if [ ${SKIPTEST} -eq 0 ]; then
|
||||||
WARN=0
|
WARN=0
|
||||||
|
|||||||
@ -43,7 +43,7 @@
|
|||||||
FOUND=0
|
FOUND=0
|
||||||
# Check running processes
|
# Check running processes
|
||||||
FIND=$(${PSBINARY} ax | ${EGREPBINARY} "(squid|squid3) " | ${GREPBINARY} -v "grep")
|
FIND=$(${PSBINARY} ax | ${EGREPBINARY} "(squid|squid3) " | ${GREPBINARY} -v "grep")
|
||||||
if [ ! -z "${FIND}" ]; then
|
if [ -n "${FIND}" ]; then
|
||||||
SQUID_DAEMON_RUNNING=1
|
SQUID_DAEMON_RUNNING=1
|
||||||
LogText "Result: Squid daemon is running"
|
LogText "Result: Squid daemon is running"
|
||||||
Display --indent 2 --text "- Checking running Squid daemon" --result "${STATUS_FOUND}" --color GREEN
|
Display --indent 2 --text "- Checking running Squid daemon" --result "${STATUS_FOUND}" --color GREEN
|
||||||
@ -86,10 +86,10 @@
|
|||||||
#
|
#
|
||||||
# Test : SQD-3606
|
# Test : SQD-3606
|
||||||
# Description : Check Squid version
|
# Description : Check Squid version
|
||||||
if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! -z "${SQUID_DAEMON_CONFIG}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a -n "${SQUID_DAEMON_CONFIG}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||||
Register --test-no SQD-3606 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check Squid version"
|
Register --test-no SQD-3606 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check Squid version"
|
||||||
if [ ${SKIPTEST} -eq 0 ]; then
|
if [ ${SKIPTEST} -eq 0 ]; then
|
||||||
if [ ! -z "${SQUIDBINARY}" ]; then
|
if [ -n "${SQUIDBINARY}" ]; then
|
||||||
LogText "Result: Squid binary found (${SQUIDBINARY})"
|
LogText "Result: Squid binary found (${SQUIDBINARY})"
|
||||||
# Skip check if a setuid/setgid bit is found
|
# Skip check if a setuid/setgid bit is found
|
||||||
FIND=$(${FINDBINARY} ${SQUIDBINARY} \( -perm 4000 -o -perm 2000 \) -print)
|
FIND=$(${FINDBINARY} ${SQUIDBINARY} \( -perm 4000 -o -perm 2000 \) -print)
|
||||||
@ -110,7 +110,7 @@
|
|||||||
#
|
#
|
||||||
# Test : SQD-3610
|
# Test : SQD-3610
|
||||||
# Description : Check Squid configuration options
|
# Description : Check Squid configuration options
|
||||||
if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! -z "${SQUID_DAEMON_CONFIG}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a -n "${SQUID_DAEMON_CONFIG}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||||
Register --test-no SQD-3610 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Gather Squid settings"
|
Register --test-no SQD-3610 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Gather Squid settings"
|
||||||
if [ ${SKIPTEST} -eq 0 ]; then
|
if [ ${SKIPTEST} -eq 0 ]; then
|
||||||
LogText "Test: Checking all specific defined options in ${SQUID_DAEMON_CONFIG}"
|
LogText "Test: Checking all specific defined options in ${SQUID_DAEMON_CONFIG}"
|
||||||
@ -127,12 +127,12 @@
|
|||||||
#
|
#
|
||||||
# Test : SQD-3613
|
# Test : SQD-3613
|
||||||
# Description : Check Squid configuration file permissions
|
# Description : Check Squid configuration file permissions
|
||||||
if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! -z "${SQUID_DAEMON_CONFIG}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a -n "${SQUID_DAEMON_CONFIG}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||||
Register --test-no SQD-3613 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check Squid file permissions"
|
Register --test-no SQD-3613 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check Squid file permissions"
|
||||||
if [ ${SKIPTEST} -eq 0 ]; then
|
if [ ${SKIPTEST} -eq 0 ]; then
|
||||||
LogText "Test: Checking file permissions of ${SQUID_DAEMON_CONFIG}"
|
LogText "Test: Checking file permissions of ${SQUID_DAEMON_CONFIG}"
|
||||||
FIND=$(find ${SQUID_DAEMON_CONFIG} -type f -a \( -perm -004 -o -perm -002 -o -perm -001 \))
|
FIND=$(find ${SQUID_DAEMON_CONFIG} -type f -a \( -perm -004 -o -perm -002 -o -perm -001 \))
|
||||||
if [ ! -z "${FIND}" ]; then
|
if [ -n "${FIND}" ]; then
|
||||||
LogText "Result: file ${SQUID_DAEMON_CONFIG} is world readable, writable or executable and could leak information or passwords"
|
LogText "Result: file ${SQUID_DAEMON_CONFIG} is world readable, writable or executable and could leak information or passwords"
|
||||||
Display --indent 4 --text "- Checking Squid configuration file permissions" --result "${STATUS_WARNING}" --color RED
|
Display --indent 4 --text "- Checking Squid configuration file permissions" --result "${STATUS_WARNING}" --color RED
|
||||||
ReportSuggestion ${TEST_NO} "Check file permissions of ${SQUID_DAEMON_CONFIG} to limit access"
|
ReportSuggestion ${TEST_NO} "Check file permissions of ${SQUID_DAEMON_CONFIG} to limit access"
|
||||||
@ -147,7 +147,7 @@
|
|||||||
#
|
#
|
||||||
#################################################################################
|
#################################################################################
|
||||||
#
|
#
|
||||||
if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! -z "${SQUID_DAEMON_CONFIG}" ]; then
|
if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a -n "${SQUID_DAEMON_CONFIG}" ]; then
|
||||||
Display --indent 4 --text "- Checking Squid access control"
|
Display --indent 4 --text "- Checking Squid access control"
|
||||||
fi
|
fi
|
||||||
#
|
#
|
||||||
@ -155,7 +155,7 @@
|
|||||||
#
|
#
|
||||||
# Test : SQD-3614
|
# Test : SQD-3614
|
||||||
# Description : Check Squid authentication
|
# Description : Check Squid authentication
|
||||||
if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! -z "${SQUID_DAEMON_CONFIG}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a -n "${SQUID_DAEMON_CONFIG}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||||
Register --test-no SQD-3614 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check Squid authentication methods"
|
Register --test-no SQD-3614 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check Squid authentication methods"
|
||||||
if [ ${SKIPTEST} -eq 0 ]; then
|
if [ ${SKIPTEST} -eq 0 ]; then
|
||||||
LogText "Test: check auth_param option for authentication methods"
|
LogText "Test: check auth_param option for authentication methods"
|
||||||
@ -176,7 +176,7 @@
|
|||||||
#
|
#
|
||||||
# Test : SQD-3616
|
# Test : SQD-3616
|
||||||
# Description : Check external Squid authentication
|
# Description : Check external Squid authentication
|
||||||
if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! -z "${SQUID_DAEMON_CONFIG}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a -n "${SQUID_DAEMON_CONFIG}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||||
Register --test-no SQD-3616 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check external Squid authentication"
|
Register --test-no SQD-3616 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check external Squid authentication"
|
||||||
if [ ${SKIPTEST} -eq 0 ]; then
|
if [ ${SKIPTEST} -eq 0 ]; then
|
||||||
LogText "Test: check external_acl_type option for external authentication helpers"
|
LogText "Test: check external_acl_type option for external authentication helpers"
|
||||||
@ -265,7 +265,7 @@
|
|||||||
#
|
#
|
||||||
#################################################################################
|
#################################################################################
|
||||||
#
|
#
|
||||||
if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! -z "${SQUID_DAEMON_CONFIG}" ]; then
|
if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a -n "${SQUID_DAEMON_CONFIG}" ]; then
|
||||||
Display --indent 4 --text "- Checking Squid Denial of Service tuning options"
|
Display --indent 4 --text "- Checking Squid Denial of Service tuning options"
|
||||||
fi
|
fi
|
||||||
#
|
#
|
||||||
@ -273,7 +273,7 @@
|
|||||||
#
|
#
|
||||||
# Test : SQD-3630 [T]
|
# Test : SQD-3630 [T]
|
||||||
# Description : Check reply_body_max_size value
|
# Description : Check reply_body_max_size value
|
||||||
if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! -z "${SQUID_DAEMON_CONFIG}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a -n "${SQUID_DAEMON_CONFIG}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||||
Register --test-no SQD-3630 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check Squid reply_body_max_size option"
|
Register --test-no SQD-3630 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check Squid reply_body_max_size option"
|
||||||
if [ ${SKIPTEST} -eq 0 ]; then
|
if [ ${SKIPTEST} -eq 0 ]; then
|
||||||
LogText "Test: checking option reply_body_max_size"
|
LogText "Test: checking option reply_body_max_size"
|
||||||
@ -293,7 +293,7 @@
|
|||||||
#
|
#
|
||||||
#################################################################################
|
#################################################################################
|
||||||
#
|
#
|
||||||
if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! -z "${SQUID_DAEMON_CONFIG}" ]; then
|
if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a -n "${SQUID_DAEMON_CONFIG}" ]; then
|
||||||
Display --indent 4 --text "- Checking Squid general options"
|
Display --indent 4 --text "- Checking Squid general options"
|
||||||
fi
|
fi
|
||||||
#
|
#
|
||||||
@ -301,7 +301,7 @@
|
|||||||
#
|
#
|
||||||
# Test : SQD-3680
|
# Test : SQD-3680
|
||||||
# Description : Check httpd_suppress_version_string
|
# Description : Check httpd_suppress_version_string
|
||||||
if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! -z "${SQUID_DAEMON_CONFIG}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a -n "${SQUID_DAEMON_CONFIG}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||||
Register --test-no SQD-3680 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check Squid version suppression"
|
Register --test-no SQD-3680 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check Squid version suppression"
|
||||||
if [ ${SKIPTEST} -eq 0 ]; then
|
if [ ${SKIPTEST} -eq 0 ]; then
|
||||||
FIND=$(${GREPBINARY} "^httpd_suppress_version_string " ${SQUID_DAEMON_CONFIG} | ${GREPBINARY} " on")
|
FIND=$(${GREPBINARY} "^httpd_suppress_version_string " ${SQUID_DAEMON_CONFIG} | ${GREPBINARY} " on")
|
||||||
|
|||||||
@ -104,7 +104,7 @@
|
|||||||
if [ ${SKIPTEST} -eq 0 ]; then
|
if [ ${SKIPTEST} -eq 0 ]; then
|
||||||
OPENSSHD_VERSION=$(${SSHDBINARY} -t -d 2>&1 | ${GREPBINARY} 'sshd version' | ${AWKBINARY} '{if($4~OpenSSH_){print $4}}' | ${AWKBINARY} -F_ '{print $2}' | ${TRBINARY} -d '[:cntrl:],')
|
OPENSSHD_VERSION=$(${SSHDBINARY} -t -d 2>&1 | ${GREPBINARY} 'sshd version' | ${AWKBINARY} '{if($4~OpenSSH_){print $4}}' | ${AWKBINARY} -F_ '{print $2}' | ${TRBINARY} -d '[:cntrl:],')
|
||||||
LogText "Result: discovered OpenSSH version is ${OPENSSHD_VERSION}"
|
LogText "Result: discovered OpenSSH version is ${OPENSSHD_VERSION}"
|
||||||
if [ ! -z ${OPENSSHD_VERSION} ]; then
|
if [ -n ${OPENSSHD_VERSION} ]; then
|
||||||
OPENSSHD_VERSION_MAJOR=$(echo ${OPENSSHD_VERSION%%p*} | ${AWKBINARY} -F. '{print $1}')
|
OPENSSHD_VERSION_MAJOR=$(echo ${OPENSSHD_VERSION%%p*} | ${AWKBINARY} -F. '{print $1}')
|
||||||
LogText "Result: OpenSSH major version: ${OPENSSHD_VERSION_MAJOR}"
|
LogText "Result: OpenSSH major version: ${OPENSSHD_VERSION_MAJOR}"
|
||||||
OPENSSHD_VERSION_MINOR=$(echo ${OPENSSHD_VERSION%%p*} | ${AWKBINARY} -F. '{print $2}')
|
OPENSSHD_VERSION_MINOR=$(echo ${OPENSSHD_VERSION%%p*} | ${AWKBINARY} -F. '{print $2}')
|
||||||
@ -117,7 +117,7 @@
|
|||||||
# Test : SSH-7408
|
# Test : SSH-7408
|
||||||
# Description : Check SSH specific defined options
|
# Description : Check SSH specific defined options
|
||||||
# Notes : Instead of parsing the configuration file, we query the SSH daemon itself
|
# Notes : Instead of parsing the configuration file, we query the SSH daemon itself
|
||||||
if [ ${OPENSSHD_RUNNING} -eq 1 -a ! -z "${SSH_DAEMON_OPTIONS_FILE}" -a ${OPENSSHD_VERSION_MAJOR} -ge 5 -a ${OPENSSHD_VERSION_MINOR} -ge 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
if [ ${OPENSSHD_RUNNING} -eq 1 -a -n "${SSH_DAEMON_OPTIONS_FILE}" -a ${OPENSSHD_VERSION_MAJOR} -ge 5 -a ${OPENSSHD_VERSION_MINOR} -ge 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||||
Register --test-no SSH-7408 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check SSH specific defined options"
|
Register --test-no SSH-7408 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check SSH specific defined options"
|
||||||
if [ ${SKIPTEST} -eq 0 ]; then
|
if [ ${SKIPTEST} -eq 0 ]; then
|
||||||
LogText "Test: Checking specific defined options in ${SSH_DAEMON_OPTIONS_FILE}"
|
LogText "Test: Checking specific defined options in ${SSH_DAEMON_OPTIONS_FILE}"
|
||||||
@ -189,7 +189,7 @@
|
|||||||
FOUNDVALUE=$(${AWKBINARY} -v OPT="${OPTIONNAME_LOWER}" 'index($0, OPT) == 1 { print toupper($2) }' ${SSH_DAEMON_OPTIONS_FILE} | tail -1)
|
FOUNDVALUE=$(${AWKBINARY} -v OPT="${OPTIONNAME_LOWER}" 'index($0, OPT) == 1 { print toupper($2) }' ${SSH_DAEMON_OPTIONS_FILE} | tail -1)
|
||||||
LogText "Test: Checking ${OPTIONNAME} in ${SSH_DAEMON_OPTIONS_FILE}"
|
LogText "Test: Checking ${OPTIONNAME} in ${SSH_DAEMON_OPTIONS_FILE}"
|
||||||
|
|
||||||
if [ ! -z "${FOUNDVALUE}" ]; then
|
if [ -n "${FOUNDVALUE}" ]; then
|
||||||
LogText "Result: Option ${OPTIONNAME} found"
|
LogText "Result: Option ${OPTIONNAME} found"
|
||||||
LogText "Result: Option ${OPTIONNAME} value is ${FOUNDVALUE}"
|
LogText "Result: Option ${OPTIONNAME} value is ${FOUNDVALUE}"
|
||||||
|
|
||||||
@ -201,7 +201,7 @@
|
|||||||
elif [ "${FOUNDVALUE}" = "${WEAKVALUE}" ]; then
|
elif [ "${FOUNDVALUE}" = "${WEAKVALUE}" ]; then
|
||||||
RESULT="WEAK"
|
RESULT="WEAK"
|
||||||
else
|
else
|
||||||
if [ ! -z "${EXPECTEDVALUE}" ]; then
|
if [ -n "${EXPECTEDVALUE}" ]; then
|
||||||
LogText "Expected value has multiple values, testing if active value is in list (${EXPECTEDVALUE})"
|
LogText "Expected value has multiple values, testing if active value is in list (${EXPECTEDVALUE})"
|
||||||
FIND=$(echo ${FOUNDVALUE} | ${GREPBINARY} -E "${EXPECTEDVALUE}")
|
FIND=$(echo ${FOUNDVALUE} | ${GREPBINARY} -E "${EXPECTEDVALUE}")
|
||||||
if [ $? -eq 0 ]; then
|
if [ $? -eq 0 ]; then
|
||||||
@ -211,7 +211,7 @@
|
|||||||
LogText "Result: not found"
|
LogText "Result: not found"
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
if [ ! -z "${MEDIUMSCOREDVALUE}" ]; then
|
if [ -n "${MEDIUMSCOREDVALUE}" ]; then
|
||||||
LogText "Medium scored value has multiple values, testing if active value is in list (${MEDIUMSCOREDVALUE})"
|
LogText "Medium scored value has multiple values, testing if active value is in list (${MEDIUMSCOREDVALUE})"
|
||||||
FIND=$(echo ${FOUNDVALUE} | ${GREPBINARY} -E "${MEDIUMSCOREDVALUE}")
|
FIND=$(echo ${FOUNDVALUE} | ${GREPBINARY} -E "${MEDIUMSCOREDVALUE}")
|
||||||
if [ $? -eq 0 ]; then
|
if [ $? -eq 0 ]; then
|
||||||
@ -296,13 +296,13 @@
|
|||||||
# Test : SSH-7440
|
# Test : SSH-7440
|
||||||
# Description : OpenSSH - AllowUsers / AllowGroups
|
# Description : OpenSSH - AllowUsers / AllowGroups
|
||||||
# Goal : Check if only a specific amount of users/groups can log in to the system
|
# Goal : Check if only a specific amount of users/groups can log in to the system
|
||||||
if [ ${OPENSSHD_RUNNING} -eq 1 -a ! -z "${SSH_DAEMON_OPTIONS_FILE}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
if [ ${OPENSSHD_RUNNING} -eq 1 -a -n "${SSH_DAEMON_OPTIONS_FILE}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||||
Register --test-no SSH-7440 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check OpenSSH option: AllowUsers and AllowGroups"
|
Register --test-no SSH-7440 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check OpenSSH option: AllowUsers and AllowGroups"
|
||||||
if [ ${SKIPTEST} -eq 0 ]; then
|
if [ ${SKIPTEST} -eq 0 ]; then
|
||||||
FOUND=0
|
FOUND=0
|
||||||
# AllowUsers
|
# AllowUsers
|
||||||
FIND=$(${EGREPBINARY} -i "^AllowUsers" ${SSH_DAEMON_OPTIONS_FILE} | ${AWKBINARY} '{ print $2 }')
|
FIND=$(${EGREPBINARY} -i "^AllowUsers" ${SSH_DAEMON_OPTIONS_FILE} | ${AWKBINARY} '{ print $2 }')
|
||||||
if [ ! -z "${FIND}" ]; then
|
if [ -n "${FIND}" ]; then
|
||||||
LogText "Result: AllowUsers set, with value ${FIND}"
|
LogText "Result: AllowUsers set, with value ${FIND}"
|
||||||
Display --indent 4 --text "- OpenSSH option: AllowUsers" --result "${STATUS_FOUND}" --color GREEN
|
Display --indent 4 --text "- OpenSSH option: AllowUsers" --result "${STATUS_FOUND}" --color GREEN
|
||||||
FOUND=1
|
FOUND=1
|
||||||
@ -313,7 +313,7 @@
|
|||||||
|
|
||||||
# AllowGroups
|
# AllowGroups
|
||||||
FIND=$(${EGREPBINARY} -i "^AllowGroups" ${SSH_DAEMON_OPTIONS_FILE} | ${AWKBINARY} '{ print $2 }')
|
FIND=$(${EGREPBINARY} -i "^AllowGroups" ${SSH_DAEMON_OPTIONS_FILE} | ${AWKBINARY} '{ print $2 }')
|
||||||
if [ ! -z "${FIND}" ]; then
|
if [ -n "${FIND}" ]; then
|
||||||
LogText "Result: AllowUsers set ${FIND}"
|
LogText "Result: AllowUsers set ${FIND}"
|
||||||
Display --indent 4 --text "- OpenSSH option: AllowGroups" --result "${STATUS_FOUND}" --color GREEN
|
Display --indent 4 --text "- OpenSSH option: AllowGroups" --result "${STATUS_FOUND}" --color GREEN
|
||||||
FOUND=1
|
FOUND=1
|
||||||
|
|||||||
@ -37,10 +37,10 @@
|
|||||||
LogText "Test: Checking firewire storage driver in directory /etc/modprobe.d and configuration file /etc/modprobe.conf"
|
LogText "Test: Checking firewire storage driver in directory /etc/modprobe.d and configuration file /etc/modprobe.conf"
|
||||||
if [ -d ${ROOTDIR}etc/modprobe.d ]; then
|
if [ -d ${ROOTDIR}etc/modprobe.d ]; then
|
||||||
FIND=$(${LSBINARY} ${ROOTDIR}etc/modprobe.d/* 2> /dev/null)
|
FIND=$(${LSBINARY} ${ROOTDIR}etc/modprobe.d/* 2> /dev/null)
|
||||||
if [ ! -z "${FIND}" ]; then
|
if [ -n "${FIND}" ]; then
|
||||||
FIND1=$(${EGREPBINARY} "blacklist (ohci1394|firewire[-_]ohci|firewire-core)" ${ROOTDIR}etc/modprobe.d/* | ${GREPBINARY} -v "#")
|
FIND1=$(${EGREPBINARY} "blacklist (ohci1394|firewire[-_]ohci|firewire-core)" ${ROOTDIR}etc/modprobe.d/* | ${GREPBINARY} -v "#")
|
||||||
FIND2=$(${EGREPBINARY} "install (ohci1394|firewire[-_]ohci|firewire-core) /bin/(false|true)" ${ROOTDIR}etc/modprobe.d/* | ${GREPBINARY} -v "#")
|
FIND2=$(${EGREPBINARY} "install (ohci1394|firewire[-_]ohci|firewire-core) /bin/(false|true)" ${ROOTDIR}etc/modprobe.d/* | ${GREPBINARY} -v "#")
|
||||||
if [ ! -z "${FIND1}" -o ! -z "${FIND2}" ]; then
|
if [ -n "${FIND1}" -o -n "${FIND2}" ]; then
|
||||||
FOUND=1
|
FOUND=1
|
||||||
LogText "Result: found firewire ohci driver in disabled state"
|
LogText "Result: found firewire ohci driver in disabled state"
|
||||||
fi
|
fi
|
||||||
@ -51,7 +51,7 @@
|
|||||||
if [ -f ${ROOTDIR}etc/modprobe.conf ]; then
|
if [ -f ${ROOTDIR}etc/modprobe.conf ]; then
|
||||||
FIND1=$(${EGREPBINARY} -r "blacklist (ohci1394|firewire[-_]ohci|firewire-core)" ${ROOTDIR}etc/modprobe.conf | ${GREPBINARY} -v "#")
|
FIND1=$(${EGREPBINARY} -r "blacklist (ohci1394|firewire[-_]ohci|firewire-core)" ${ROOTDIR}etc/modprobe.conf | ${GREPBINARY} -v "#")
|
||||||
FIND2=$(${EGREPBINARY} -r "install (ohci1394|firewire[-_]ohci|firewire-core) /bin/(false|true)" ${ROOTDIR}etc/modprobe.conf | ${GREPBINARY} -v "#")
|
FIND2=$(${EGREPBINARY} -r "install (ohci1394|firewire[-_]ohci|firewire-core) /bin/(false|true)" ${ROOTDIR}etc/modprobe.conf | ${GREPBINARY} -v "#")
|
||||||
if [ ! -z "${FIND1}" -o ! -z "${FIND2}" ]; then
|
if [ -n "${FIND1}" -o -n "${FIND2}" ]; then
|
||||||
FOUND=1
|
FOUND=1
|
||||||
LogText "Result: found firewire ohci driver in disabled state"
|
LogText "Result: found firewire ohci driver in disabled state"
|
||||||
fi
|
fi
|
||||||
|
|||||||
@ -33,7 +33,7 @@
|
|||||||
#
|
#
|
||||||
# Test : STRG-1902
|
# Test : STRG-1902
|
||||||
# Description : Check rpcinfo
|
# Description : Check rpcinfo
|
||||||
if [ ! -z "${RPCINFOBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
if [ -n "${RPCINFOBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||||
Register --test-no STRG-1902 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check rpcinfo registered programs"
|
Register --test-no STRG-1902 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check rpcinfo registered programs"
|
||||||
if [ ${SKIPTEST} -eq 0 ]; then
|
if [ ${SKIPTEST} -eq 0 ]; then
|
||||||
LogText "Test: Checking rpcinfo registered programs"
|
LogText "Test: Checking rpcinfo registered programs"
|
||||||
@ -48,7 +48,7 @@
|
|||||||
#
|
#
|
||||||
# Test : STRG-1904
|
# Test : STRG-1904
|
||||||
# Description : Check nfs versions in rpcinfo
|
# Description : Check nfs versions in rpcinfo
|
||||||
if [ ! -z "${RPCINFOBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
if [ -n "${RPCINFOBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||||
Register --test-no STRG-1904 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check nfs rpc"
|
Register --test-no STRG-1904 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check nfs rpc"
|
||||||
if [ ${SKIPTEST} -eq 0 ]; then
|
if [ ${SKIPTEST} -eq 0 ]; then
|
||||||
LogText "Test: Checking NFS registered versions"
|
LogText "Test: Checking NFS registered versions"
|
||||||
@ -63,7 +63,7 @@
|
|||||||
#
|
#
|
||||||
# Test : STRG-1906
|
# Test : STRG-1906
|
||||||
# Description : Check nfs protocols (TCP/UDP) and port in rpcinfo
|
# Description : Check nfs protocols (TCP/UDP) and port in rpcinfo
|
||||||
if [ ! -z "${RPCINFOBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
if [ -n "${RPCINFOBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||||
Register --test-no STRG-1906 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check nfs rpc"
|
Register --test-no STRG-1906 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check nfs rpc"
|
||||||
if [ ${SKIPTEST} -eq 0 ]; then
|
if [ ${SKIPTEST} -eq 0 ]; then
|
||||||
LogText "Test: Checking NFS registered protocols"
|
LogText "Test: Checking NFS registered protocols"
|
||||||
@ -123,7 +123,7 @@
|
|||||||
if [ -f ${ROOTDIR}etc/exports ]; then
|
if [ -f ${ROOTDIR}etc/exports ]; then
|
||||||
LogText "Result: ${ROOTDIR}etc/exports exists"
|
LogText "Result: ${ROOTDIR}etc/exports exists"
|
||||||
FIND=$(${GREPBINARY} -v "^$" ${ROOTDIR}etc/exports | ${GREPBINARY} -v "^#" | ${SEDBINARY} 's/ /!space!/g')
|
FIND=$(${GREPBINARY} -v "^$" ${ROOTDIR}etc/exports | ${GREPBINARY} -v "^#" | ${SEDBINARY} 's/ /!space!/g')
|
||||||
if [ ! -z "${FIND}" ]; then
|
if [ -n "${FIND}" ]; then
|
||||||
for I in ${FIND}; do
|
for I in ${FIND}; do
|
||||||
I=$(echo ${I} | ${SEDBINARY} 's/!space!/ /g')
|
I=$(echo ${I} | ${SEDBINARY} 's/!space!/ /g')
|
||||||
LogText "Found line: ${I}"
|
LogText "Found line: ${I}"
|
||||||
@ -161,7 +161,7 @@
|
|||||||
Register --test-no STRG-1930 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check client access to nfs share"
|
Register --test-no STRG-1930 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check client access to nfs share"
|
||||||
if [ ${SKIPTEST} -eq 0 ]; then
|
if [ ${SKIPTEST} -eq 0 ]; then
|
||||||
sFIND=$(${SHOWMOUNTBINARY} -e | ${AWKBINARY} '{ print $2 }' | ${SEDBINARY} '1d' | ${GREPBINARY} "\*")
|
sFIND=$(${SHOWMOUNTBINARY} -e | ${AWKBINARY} '{ print $2 }' | ${SEDBINARY} '1d' | ${GREPBINARY} "\*")
|
||||||
if [ ! -z "${sFIND}" ]; then
|
if [ -n "${sFIND}" ]; then
|
||||||
LogText "Result: all client are allowed to access a NFS share in /etc/exports"
|
LogText "Result: all client are allowed to access a NFS share in /etc/exports"
|
||||||
Display --indent 4 --text "- Checking NFS client access" --result "ALL CLIENTS" --color YELLOW
|
Display --indent 4 --text "- Checking NFS client access" --result "ALL CLIENTS" --color YELLOW
|
||||||
ReportSuggestion ${TEST_NO} "Specify clients that are allowed to access a NFS share /etc/exports"
|
ReportSuggestion ${TEST_NO} "Specify clients that are allowed to access a NFS share /etc/exports"
|
||||||
|
|||||||
@ -62,7 +62,7 @@
|
|||||||
for FILE in ${SEARCH_FILES}; do
|
for FILE in ${SEARCH_FILES}; do
|
||||||
if [ -f ${FILE} ]; then LogText "result: found chrony configuration: ${FILE}"; CHRONY_CONF_FILE="${FILE}"; fi
|
if [ -f ${FILE} ]; then LogText "result: found chrony configuration: ${FILE}"; CHRONY_CONF_FILE="${FILE}"; fi
|
||||||
done
|
done
|
||||||
if [ ! -z "${CHRONY_CONF_FILE}" ]; then
|
if [ -n "${CHRONY_CONF_FILE}" ]; then
|
||||||
IsRunning chronyd
|
IsRunning chronyd
|
||||||
if [ ${RUNNING} -eq 1 ]; then
|
if [ ${RUNNING} -eq 1 ]; then
|
||||||
FOUND=1; NTP_DAEMON_RUNNING=1; NTP_CONFIG_TYPE_DAEMON=1; NTP_DAEMON="chronyd"
|
FOUND=1; NTP_DAEMON_RUNNING=1; NTP_CONFIG_TYPE_DAEMON=1; NTP_DAEMON="chronyd"
|
||||||
@ -83,7 +83,7 @@
|
|||||||
|
|
||||||
# Check running processes
|
# Check running processes
|
||||||
FIND=$(${PSBINARY} ax | ${GREPBINARY} "ntpd" | ${GREPBINARY} -v "dntpd" | ${GREPBINARY} -v "grep")
|
FIND=$(${PSBINARY} ax | ${GREPBINARY} "ntpd" | ${GREPBINARY} -v "dntpd" | ${GREPBINARY} -v "grep")
|
||||||
if [ ! -z "${FIND}" ]; then
|
if [ -n "${FIND}" ]; then
|
||||||
FOUND=1; NTPD_RUNNING=1; NTP_DAEMON_RUNNING=1; NTP_CONFIG_TYPE_DAEMON=1
|
FOUND=1; NTPD_RUNNING=1; NTP_DAEMON_RUNNING=1; NTP_CONFIG_TYPE_DAEMON=1
|
||||||
NTP_DAEMON="ntpd"
|
NTP_DAEMON="ntpd"
|
||||||
LogText "Result: found running NTP daemon in process list"
|
LogText "Result: found running NTP daemon in process list"
|
||||||
@ -98,9 +98,9 @@
|
|||||||
fi
|
fi
|
||||||
|
|
||||||
# Check timedate daemon (systemd)
|
# Check timedate daemon (systemd)
|
||||||
if [ ! -z "${TIMEDATECTL}" ]; then
|
if [ -n "${TIMEDATECTL}" ]; then
|
||||||
FIND=$(${TIMEDATECTL} status | ${EGREPBINARY} "(NTP|System clock) synchronized: yes")
|
FIND=$(${TIMEDATECTL} status | ${EGREPBINARY} "(NTP|System clock) synchronized: yes")
|
||||||
if [ ! -z "${FIND}" ]; then
|
if [ -n "${FIND}" ]; then
|
||||||
# Check for systemd-timesyncd
|
# Check for systemd-timesyncd
|
||||||
if [ -f ${ROOTDIR}etc/systemd/timesyncd.conf ]; then
|
if [ -f ${ROOTDIR}etc/systemd/timesyncd.conf ]; then
|
||||||
LogText "Result: found ${ROOTDIR}etc/systemd/timesyncd.conf"
|
LogText "Result: found ${ROOTDIR}etc/systemd/timesyncd.conf"
|
||||||
@ -124,7 +124,7 @@
|
|||||||
if [ -f ${I} ]; then
|
if [ -f ${I} ]; then
|
||||||
LogText "Test: checking for ntpdate or rdate in crontab file ${I}"
|
LogText "Test: checking for ntpdate or rdate in crontab file ${I}"
|
||||||
FIND=$(${EGREPBINARY} "ntpdate|rdate" ${I} | ${GREPBINARY} -v '^#')
|
FIND=$(${EGREPBINARY} "ntpdate|rdate" ${I} | ${GREPBINARY} -v '^#')
|
||||||
if [ ! -z "${FIND}" ]; then
|
if [ -n "${FIND}" ]; then
|
||||||
FOUND=1; NTP_CONFIG_TYPE_SCHEDULED=1
|
FOUND=1; NTP_CONFIG_TYPE_SCHEDULED=1
|
||||||
Display --indent 2 --text "- Checking NTP client in crontab file (${I})" --result "${STATUS_FOUND}" --color GREEN
|
Display --indent 2 --text "- Checking NTP client in crontab file (${I})" --result "${STATUS_FOUND}" --color GREEN
|
||||||
LogText "Result: found ntpdate or rdate reference in crontab file ${I}"
|
LogText "Result: found ntpdate or rdate reference in crontab file ${I}"
|
||||||
@ -146,11 +146,11 @@
|
|||||||
if [ -d ${I} ]; then
|
if [ -d ${I} ]; then
|
||||||
if FileIsReadable ${I}; then
|
if FileIsReadable ${I}; then
|
||||||
FIND=$(${LSBINARY} ${I} | ${GREPBINARY} -v FIFO)
|
FIND=$(${LSBINARY} ${I} | ${GREPBINARY} -v FIFO)
|
||||||
if [ ! -z "${FIND}" ]; then
|
if [ -n "${FIND}" ]; then
|
||||||
for J in ${FIND}; do
|
for J in ${FIND}; do
|
||||||
LogText "Test: checking for ntpdate or rdate in ${I}/${J}"
|
LogText "Test: checking for ntpdate or rdate in ${I}/${J}"
|
||||||
FIND2=$(${EGREPBINARY} "rdate|ntpdate" ${I}/${J} | ${GREPBINARY} -v "^#")
|
FIND2=$(${EGREPBINARY} "rdate|ntpdate" ${I}/${J} | ${GREPBINARY} -v "^#")
|
||||||
if [ ! -z "${FIND2}" ]; then
|
if [ -n "${FIND2}" ]; then
|
||||||
LogText "Positive match found: ${FIND2}"
|
LogText "Positive match found: ${FIND2}"
|
||||||
FOUND=1; FOUND_IN_CRON=1; NTP_CONFIG_TYPE_SCHEDULED=1
|
FOUND=1; FOUND_IN_CRON=1; NTP_CONFIG_TYPE_SCHEDULED=1
|
||||||
fi
|
fi
|
||||||
@ -186,7 +186,7 @@
|
|||||||
if [ -f /etc/rc.conf ]; then
|
if [ -f /etc/rc.conf ]; then
|
||||||
LogText "Test: Checking if ntpdate is enabled at startup in *BSD"
|
LogText "Test: Checking if ntpdate is enabled at startup in *BSD"
|
||||||
FIND=$(${GREPBINARY} 'ntpdate_enable="YES"' /etc/rc.conf)
|
FIND=$(${GREPBINARY} 'ntpdate_enable="YES"' /etc/rc.conf)
|
||||||
if [ ! -z "${FIND}" ]; then
|
if [ -n "${FIND}" ]; then
|
||||||
LogText "Result: ntpdate is enabled in rc.conf"
|
LogText "Result: ntpdate is enabled in rc.conf"
|
||||||
FOUND=1
|
FOUND=1
|
||||||
NTP_CONFIG_TYPE_STARTUP=1
|
NTP_CONFIG_TYPE_STARTUP=1
|
||||||
@ -219,7 +219,7 @@
|
|||||||
#
|
#
|
||||||
# Test : TIME-3106
|
# Test : TIME-3106
|
||||||
# Description : Check status of systemd time synchronization
|
# Description : Check status of systemd time synchronization
|
||||||
if [ ${SYSTEMD_NTP_ENABLED} -eq 1 -a ! -z "${TIMEDATECTL}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
if [ ${SYSTEMD_NTP_ENABLED} -eq 1 -a -n "${TIMEDATECTL}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||||
Register --test-no TIME-3106 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check systemd NTP time synchronization status"
|
Register --test-no TIME-3106 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check systemd NTP time synchronization status"
|
||||||
if [ ${SKIPTEST} -eq 0 ]; then
|
if [ ${SKIPTEST} -eq 0 ]; then
|
||||||
LogText "Test: Check the status of time synchronization via timedatectl"
|
LogText "Test: Check the status of time synchronization via timedatectl"
|
||||||
@ -234,7 +234,7 @@
|
|||||||
#
|
#
|
||||||
# Test : TIME-3112
|
# Test : TIME-3112
|
||||||
# Description : Check for valid associations from ntpq peers list
|
# Description : Check for valid associations from ntpq peers list
|
||||||
if [ ${NTPD_RUNNING} -eq 1 -a ! -z "${NTPQBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
if [ ${NTPD_RUNNING} -eq 1 -a -n "${NTPQBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||||
Register --test-no TIME-3112 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check active NTP associations ID's"
|
Register --test-no TIME-3112 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check active NTP associations ID's"
|
||||||
if [ ${SKIPTEST} -eq 0 ]; then
|
if [ ${SKIPTEST} -eq 0 ]; then
|
||||||
LogText "Test: Checking for NTP association ID's from ntpq peers list"
|
LogText "Test: Checking for NTP association ID's from ntpq peers list"
|
||||||
@ -252,7 +252,7 @@
|
|||||||
#
|
#
|
||||||
# Test : TIME-3116
|
# Test : TIME-3116
|
||||||
# Description : Check for stratum 16 peers
|
# Description : Check for stratum 16 peers
|
||||||
if [ ${NTPD_RUNNING} -eq 1 -a ! -z "${NTPQBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
if [ ${NTPD_RUNNING} -eq 1 -a -n "${NTPQBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||||
Register --test-no TIME-3116 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check peers with stratum value of 16"
|
Register --test-no TIME-3116 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check peers with stratum value of 16"
|
||||||
if [ ${SKIPTEST} -eq 0 ]; then
|
if [ ${SKIPTEST} -eq 0 ]; then
|
||||||
COUNT=0
|
COUNT=0
|
||||||
@ -290,7 +290,7 @@
|
|||||||
# Description : Check unreliable peers from peer list
|
# Description : Check unreliable peers from peer list
|
||||||
# Notes : Items with # are too far away (network distance)
|
# Notes : Items with # are too far away (network distance)
|
||||||
# Items with - are not chosen due clustering algorithm
|
# Items with - are not chosen due clustering algorithm
|
||||||
if [ ${NTPD_RUNNING} -eq 1 -a ! -z "${NTPQBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
if [ ${NTPD_RUNNING} -eq 1 -a -n "${NTPQBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||||
Register --test-no TIME-3120 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check unreliable NTP peers"
|
Register --test-no TIME-3120 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check unreliable NTP peers"
|
||||||
if [ ${SKIPTEST} -eq 0 ]; then
|
if [ ${SKIPTEST} -eq 0 ]; then
|
||||||
LogText "Test: Checking unreliable ntp peers"
|
LogText "Test: Checking unreliable ntp peers"
|
||||||
@ -313,13 +313,13 @@
|
|||||||
#
|
#
|
||||||
# Test : TIME-3124
|
# Test : TIME-3124
|
||||||
# Description : Check selected time source
|
# Description : Check selected time source
|
||||||
if [ ${NTPD_RUNNING} -eq 1 -a ! -z "${NTPQBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
if [ ${NTPD_RUNNING} -eq 1 -a -n "${NTPQBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||||
Register --test-no TIME-3124 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check selected time source"
|
Register --test-no TIME-3124 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check selected time source"
|
||||||
if [ ${SKIPTEST} -eq 0 ]; then
|
if [ ${SKIPTEST} -eq 0 ]; then
|
||||||
LogText "Test: Checking selected time source"
|
LogText "Test: Checking selected time source"
|
||||||
FIND=$(${NTPQBINARY} -p -n | ${GREPBINARY} '^*' | ${AWKBINARY} '{ if ($4=="l") { print $1 } }')
|
FIND=$(${NTPQBINARY} -p -n | ${GREPBINARY} '^*' | ${AWKBINARY} '{ if ($4=="l") { print $1 } }')
|
||||||
FIND2=$(${NTPQBINARY} -p -n | ${GREPBINARY} '^*' | ${AWKBINARY} '{ print $1 }')
|
FIND2=$(${NTPQBINARY} -p -n | ${GREPBINARY} '^*' | ${AWKBINARY} '{ print $1 }')
|
||||||
if [ -z "${FIND}" -a ! -z "${FIND2}" ]; then
|
if [ -z "${FIND}" -a -n "${FIND2}" ]; then
|
||||||
Display --indent 2 --text "- Checking selected time source" --result "${STATUS_OK}" --color GREEN
|
Display --indent 2 --text "- Checking selected time source" --result "${STATUS_OK}" --color GREEN
|
||||||
FIND2=$(echo ${FIND2} | ${SEDBINARY} 's/*//g')
|
FIND2=$(echo ${FIND2} | ${SEDBINARY} 's/*//g')
|
||||||
LogText "Result: Found selected time source (value: ${FIND2})"
|
LogText "Result: Found selected time source (value: ${FIND2})"
|
||||||
@ -335,7 +335,7 @@
|
|||||||
#
|
#
|
||||||
# Test : TIME-3128
|
# Test : TIME-3128
|
||||||
# Description : Check time source candidates
|
# Description : Check time source candidates
|
||||||
if [ ${NTPD_RUNNING} -eq 1 -a ! -z "${NTPQBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
if [ ${NTPD_RUNNING} -eq 1 -a -n "${NTPQBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||||
Register --test-no TIME-3128 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check preferred time source"
|
Register --test-no TIME-3128 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check preferred time source"
|
||||||
if [ ${SKIPTEST} -eq 0 ]; then
|
if [ ${SKIPTEST} -eq 0 ]; then
|
||||||
LogText "Test: Checking preferred time source"
|
LogText "Test: Checking preferred time source"
|
||||||
@ -358,7 +358,7 @@
|
|||||||
#
|
#
|
||||||
# Test : TIME-3132
|
# Test : TIME-3132
|
||||||
# Description : Check ntpq falsetickers
|
# Description : Check ntpq falsetickers
|
||||||
if [ ${NTPD_RUNNING} -eq 1 -a ! -z "${NTPQBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
if [ ${NTPD_RUNNING} -eq 1 -a -n "${NTPQBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||||
Register --test-no TIME-3132 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check NTP falsetickers"
|
Register --test-no TIME-3132 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check NTP falsetickers"
|
||||||
if [ ${SKIPTEST} -eq 0 ]; then
|
if [ ${SKIPTEST} -eq 0 ]; then
|
||||||
LogText "Test: Checking preferred time source"
|
LogText "Test: Checking preferred time source"
|
||||||
@ -382,7 +382,7 @@
|
|||||||
#
|
#
|
||||||
# Test : TIME-3136
|
# Test : TIME-3136
|
||||||
# Description : Check ntpq reported ntp version (Linux)
|
# Description : Check ntpq reported ntp version (Linux)
|
||||||
if [ ${NTPD_RUNNING} -eq 1 -a ! -z "${NTPQBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
if [ ${NTPD_RUNNING} -eq 1 -a -n "${NTPQBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||||
Register --test-no TIME-3136 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check NTP protocol version"
|
Register --test-no TIME-3136 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check NTP protocol version"
|
||||||
if [ ${SKIPTEST} -eq 0 ]; then
|
if [ ${SKIPTEST} -eq 0 ]; then
|
||||||
LogText "Test: Checking NTP protocol version (ntpq -c ntpversion)"
|
LogText "Test: Checking NTP protocol version (ntpq -c ntpversion)"
|
||||||
@ -403,7 +403,7 @@
|
|||||||
# Test : TIME-3146
|
# Test : TIME-3146
|
||||||
# Description : Check /etc/default/ntpdate (Linux)
|
# Description : Check /etc/default/ntpdate (Linux)
|
||||||
# Notes : ntpdate-debian binary
|
# Notes : ntpdate-debian binary
|
||||||
#if [ ${NTPD_RUNNING} -eq 1 -a ! -z "${NTPQBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
#if [ ${NTPD_RUNNING} -eq 1 -a -n "${NTPQBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||||
#Register --test-no TIME-3146 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check /etc/default/ntpdate"
|
#Register --test-no TIME-3146 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check /etc/default/ntpdate"
|
||||||
#if [ ${SKIPTEST} -eq 0 ]; then
|
#if [ ${SKIPTEST} -eq 0 ]; then
|
||||||
#
|
#
|
||||||
@ -428,7 +428,7 @@
|
|||||||
# Description : Check empty NTP step-tickers
|
# Description : Check empty NTP step-tickers
|
||||||
# Notes : Mostly applies to Red Hat and clones
|
# Notes : Mostly applies to Red Hat and clones
|
||||||
FILE="${ROOTDIR}etc/ntp/step-tickers"
|
FILE="${ROOTDIR}etc/ntp/step-tickers"
|
||||||
if [ "${NTPD_RUNNING}" -eq 1 -a ! -z "${NTPQBINARY}" -a -f "${FILE}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
if [ "${NTPD_RUNNING}" -eq 1 -a -n "${NTPQBINARY}" -a -f "${FILE}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||||
Register --test-no TIME-3160 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check empty NTP step-tickers"
|
Register --test-no TIME-3160 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check empty NTP step-tickers"
|
||||||
if [ ${SKIPTEST} -eq 0 ]; then
|
if [ ${SKIPTEST} -eq 0 ]; then
|
||||||
FOUND=0
|
FOUND=0
|
||||||
|
|||||||
@ -71,7 +71,7 @@
|
|||||||
fi
|
fi
|
||||||
|
|
||||||
# Cfengine
|
# Cfengine
|
||||||
if [ ! -z "${CFAGENTBINARY}" ]; then
|
if [ -n "${CFAGENTBINARY}" ]; then
|
||||||
LogText "Result: CFEngine (cfagent) is installed (${CFAGENTBINARY})"
|
LogText "Result: CFEngine (cfagent) is installed (${CFAGENTBINARY})"
|
||||||
AUTOMATION_TOOL_FOUND=1
|
AUTOMATION_TOOL_FOUND=1
|
||||||
CFENGINE_AGENT_FOUND=1
|
CFENGINE_AGENT_FOUND=1
|
||||||
@ -129,7 +129,7 @@
|
|||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ ! -z "${PUPPETBINARY}" ]; then
|
if [ -n "${PUPPETBINARY}" ]; then
|
||||||
LogText "Result: Puppet is installed (${PUPPETBINARY})"
|
LogText "Result: Puppet is installed (${PUPPETBINARY})"
|
||||||
AUTOMATION_TOOL_FOUND=1
|
AUTOMATION_TOOL_FOUND=1
|
||||||
Report "automation_tool_running[]=puppet-agent"
|
Report "automation_tool_running[]=puppet-agent"
|
||||||
@ -145,14 +145,14 @@
|
|||||||
fi
|
fi
|
||||||
|
|
||||||
# SaltStack
|
# SaltStack
|
||||||
if [ ! -z "${SALTMINIONBINARY}" ]; then
|
if [ -n "${SALTMINIONBINARY}" ]; then
|
||||||
LogText "Result: SaltStack (salt-minion) is installed (${SALTMINIONBINARY})"
|
LogText "Result: SaltStack (salt-minion) is installed (${SALTMINIONBINARY})"
|
||||||
AUTOMATION_TOOL_FOUND=1
|
AUTOMATION_TOOL_FOUND=1
|
||||||
SALT_MINION_RUNNING=1
|
SALT_MINION_RUNNING=1
|
||||||
Report "automation_tool_running[]=saltstack-minion"
|
Report "automation_tool_running[]=saltstack-minion"
|
||||||
Display --indent 4 --text "- SaltStack minion (salt-minion)" --result "${STATUS_FOUND}" --color GREEN
|
Display --indent 4 --text "- SaltStack minion (salt-minion)" --result "${STATUS_FOUND}" --color GREEN
|
||||||
fi
|
fi
|
||||||
if [ ! -z "${SALTMASTERBINARY}" ]; then
|
if [ -n "${SALTMASTERBINARY}" ]; then
|
||||||
LogText "Result: SaltStack (salt-master) is installed (${SALTMASTERBINARY})"
|
LogText "Result: SaltStack (salt-master) is installed (${SALTMASTERBINARY})"
|
||||||
AUTOMATION_TOOL_FOUND=1
|
AUTOMATION_TOOL_FOUND=1
|
||||||
SALT_MASTER_RUNNING=1
|
SALT_MASTER_RUNNING=1
|
||||||
@ -188,7 +188,7 @@
|
|||||||
if [ ${SKIPTEST} -eq 0 ]; then
|
if [ ${SKIPTEST} -eq 0 ]; then
|
||||||
|
|
||||||
# Fail2ban presence
|
# Fail2ban presence
|
||||||
if [ ! -z "${FAIL2BANBINARY}" ]; then
|
if [ -n "${FAIL2BANBINARY}" ]; then
|
||||||
FAIL2BAN_FOUND=1
|
FAIL2BAN_FOUND=1
|
||||||
IDS_IPS_TOOL_FOUND=1
|
IDS_IPS_TOOL_FOUND=1
|
||||||
LogText "Result: Fail2ban is installed (${FAIL2BANBINARY})"
|
LogText "Result: Fail2ban is installed (${FAIL2BANBINARY})"
|
||||||
@ -209,10 +209,10 @@
|
|||||||
fi
|
fi
|
||||||
|
|
||||||
# Continue if tooling is available and configuration file found
|
# Continue if tooling is available and configuration file found
|
||||||
if [ ${FAIL2BAN_FOUND} -eq 1 -a ! -z "${FAIL2BAN_CONFIG}" ]; then
|
if [ ${FAIL2BAN_FOUND} -eq 1 -a -n "${FAIL2BAN_CONFIG}" ]; then
|
||||||
Report "fail2ban_config=${FAIL2BAN_CONFIG}"
|
Report "fail2ban_config=${FAIL2BAN_CONFIG}"
|
||||||
FAIL2BANCLIENT=$(which fail2ban-client 2> /dev/null | grep -v "no [^ ]* in ")
|
FAIL2BANCLIENT=$(which fail2ban-client 2> /dev/null | grep -v "no [^ ]* in ")
|
||||||
if [ ! -z "${FAIL2BANCLIENT}" ]; then PERFORM_FAIL2BAN_TESTS=1; fi
|
if [ -n "${FAIL2BANCLIENT}" ]; then PERFORM_FAIL2BAN_TESTS=1; fi
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
#
|
#
|
||||||
@ -224,7 +224,7 @@
|
|||||||
Register --test-no TOOL-5104 --weight L --network NO --preqs-met ${PREQS_MET} --category security --description "Enabled tests in Fail2ban"
|
Register --test-no TOOL-5104 --weight L --network NO --preqs-met ${PREQS_MET} --category security --description "Enabled tests in Fail2ban"
|
||||||
if [ ${SKIPTEST} -eq 0 ]; then
|
if [ ${SKIPTEST} -eq 0 ]; then
|
||||||
FIND=$(${FAIL2BANCLIENT} -d | ${TRBINARY} -d '[]' | ${TRBINARY} -d "'" | ${AWKBINARY} -F, '{ if ($1=="add") { print $2 }}' | ${TRBINARY} -d ' ')
|
FIND=$(${FAIL2BANCLIENT} -d | ${TRBINARY} -d '[]' | ${TRBINARY} -d "'" | ${AWKBINARY} -F, '{ if ($1=="add") { print $2 }}' | ${TRBINARY} -d ' ')
|
||||||
if [ ! -z "${FIND}" ]; then
|
if [ -n "${FIND}" ]; then
|
||||||
for F2BSERVICE in ${FIND}; do
|
for F2BSERVICE in ${FIND}; do
|
||||||
LogText "Result: service '${F2BSERVICE}' enabled"
|
LogText "Result: service '${F2BSERVICE}' enabled"
|
||||||
Report "fail2ban_enabled_service[]=${F2BSERVICE}"
|
Report "fail2ban_enabled_service[]=${F2BSERVICE}"
|
||||||
@ -252,12 +252,12 @@
|
|||||||
# FIND=$(${EGREPBINARY} "^action = \%\(action_m.*\)s" ${FAIL2BAN_CONFIG})
|
# FIND=$(${EGREPBINARY} "^action = \%\(action_m.*\)s" ${FAIL2BAN_CONFIG})
|
||||||
# FIND2=$(${EGREPBINARY} "^action = \%\(action_\)s" ${FAIL2BAN_CONFIG})
|
# FIND2=$(${EGREPBINARY} "^action = \%\(action_\)s" ${FAIL2BAN_CONFIG})
|
||||||
#
|
#
|
||||||
# if [ ! -z "${FIND}" ]; then
|
# if [ -n "${FIND}" ]; then
|
||||||
# FAIL2BAN_EMAIL=1
|
# FAIL2BAN_EMAIL=1
|
||||||
# LogText "Result: found at least one jail which sends an email alert"
|
# LogText "Result: found at least one jail which sends an email alert"
|
||||||
# fi
|
# fi
|
||||||
#
|
#
|
||||||
# if [ ! -z "${FIND2}" ]; then
|
# if [ -n "${FIND2}" ]; then
|
||||||
# FAIL2BAN_SILENT=1
|
# FAIL2BAN_SILENT=1
|
||||||
# LogText "Result: found at least one jail which does NOT send an email alert"
|
# LogText "Result: found at least one jail which does NOT send an email alert"
|
||||||
# fi
|
# fi
|
||||||
@ -298,9 +298,9 @@
|
|||||||
#
|
#
|
||||||
# LogText "Checking for fail2ban iptables chains"
|
# LogText "Checking for fail2ban iptables chains"
|
||||||
#
|
#
|
||||||
# if [ ! -z "${IPTABLESBINARY}" ]; then
|
# if [ -n "${IPTABLESBINARY}" ]; then
|
||||||
# CHECK_CHAINS=$(${IPTABLESBINARY} -L 2>&1 | ${GREPBINARY} fail2ban)
|
# CHECK_CHAINS=$(${IPTABLESBINARY} -L 2>&1 | ${GREPBINARY} fail2ban)
|
||||||
# if [ ! -z "${CHECK_CHAINS}" ]; then
|
# if [ -n "${CHECK_CHAINS}" ]; then
|
||||||
# LogText "Result: found at least one iptables chain for fail2ban"
|
# LogText "Result: found at least one iptables chain for fail2ban"
|
||||||
# Display --indent 4 --text "- Checking for Fail2ban iptables chain" --result "${STATUS_OK}" --color GREEN
|
# Display --indent 4 --text "- Checking for Fail2ban iptables chain" --result "${STATUS_OK}" --color GREEN
|
||||||
# else
|
# else
|
||||||
|
|||||||
@ -39,7 +39,7 @@
|
|||||||
#
|
#
|
||||||
# Test to determine if USBGuard is installed. If it is, we will limit
|
# Test to determine if USBGuard is installed. If it is, we will limit
|
||||||
# suggestions from other tests.
|
# suggestions from other tests.
|
||||||
if [ ! -z "${USBGUARDBINARY}" ]; then
|
if [ -n "${USBGUARDBINARY}" ]; then
|
||||||
USBGUARD_FOUND=1
|
USBGUARD_FOUND=1
|
||||||
fi
|
fi
|
||||||
#
|
#
|
||||||
@ -53,10 +53,10 @@
|
|||||||
LogText "Test: Checking USB storage driver in directory /etc/modprobe.d and configuration file /etc/modprobe.conf"
|
LogText "Test: Checking USB storage driver in directory /etc/modprobe.d and configuration file /etc/modprobe.conf"
|
||||||
if [ -d /etc/modprobe.d ]; then
|
if [ -d /etc/modprobe.d ]; then
|
||||||
FIND=$(${LSBINARY} ${ROOTDIR}etc/modprobe.d/* 2> /dev/null)
|
FIND=$(${LSBINARY} ${ROOTDIR}etc/modprobe.d/* 2> /dev/null)
|
||||||
if [ ! -z "${FIND}" ]; then
|
if [ -n "${FIND}" ]; then
|
||||||
FIND=$(${EGREPBINARY} -r "install usb[-_]storage /bin/(false|true)" ${ROOTDIR}etc/modprobe.d/* | ${GREPBINARY} -v "#")
|
FIND=$(${EGREPBINARY} -r "install usb[-_]storage /bin/(false|true)" ${ROOTDIR}etc/modprobe.d/* | ${GREPBINARY} -v "#")
|
||||||
FIND2=$(${EGREPBINARY} -r "^blacklist usb[-_]storage" ${ROOTDIR}etc/modprobe.d/*)
|
FIND2=$(${EGREPBINARY} -r "^blacklist usb[-_]storage" ${ROOTDIR}etc/modprobe.d/*)
|
||||||
if [ ! -z "${FIND}" -o ! -z "${FIND2}" ]; then
|
if [ -n "${FIND}" -o -n "${FIND2}" ]; then
|
||||||
FOUND=1
|
FOUND=1
|
||||||
LogText "Result: found usb-storage driver in disabled state (blacklisted)"
|
LogText "Result: found usb-storage driver in disabled state (blacklisted)"
|
||||||
fi
|
fi
|
||||||
@ -66,7 +66,7 @@
|
|||||||
fi
|
fi
|
||||||
if [ -f ${ROOTDIR}etc/modprobe.conf ]; then
|
if [ -f ${ROOTDIR}etc/modprobe.conf ]; then
|
||||||
FIND=$(${EGREPBINARY} "install usb[-_]storage /bin/(false|true)" ${ROOTDIR}etc/modprobe.conf | ${GREPBINARY} "usb-storage" | ${GREPBINARY} -v "#")
|
FIND=$(${EGREPBINARY} "install usb[-_]storage /bin/(false|true)" ${ROOTDIR}etc/modprobe.conf | ${GREPBINARY} "usb-storage" | ${GREPBINARY} -v "#")
|
||||||
if [ ! -z "${FIND}" ]; then
|
if [ -n "${FIND}" ]; then
|
||||||
FOUND=1
|
FOUND=1
|
||||||
LogText "Result: found usb-storage driver in disabled state"
|
LogText "Result: found usb-storage driver in disabled state"
|
||||||
fi
|
fi
|
||||||
@ -146,14 +146,14 @@
|
|||||||
USBGUARD_CONFIG=""
|
USBGUARD_CONFIG=""
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ ! -z "${USBGUARD_CONFIG}" ]; then
|
if [ -n "${USBGUARD_CONFIG}" ]; then
|
||||||
LogText "Result: USBGuard configuration found (${USBGUARD_CONFIG})"
|
LogText "Result: USBGuard configuration found (${USBGUARD_CONFIG})"
|
||||||
Display --indent 4 --text "- Configuration" --result "${STATUS_FOUND}" --color GREEN
|
Display --indent 4 --text "- Configuration" --result "${STATUS_FOUND}" --color GREEN
|
||||||
AddHP 1 1
|
AddHP 1 1
|
||||||
|
|
||||||
LogText "Checking USBGuard restore controller device state (RestoreControllerDeviceState)"
|
LogText "Checking USBGuard restore controller device state (RestoreControllerDeviceState)"
|
||||||
USBGUARD_RESTORE_POLICY=$(${AWKBINARY} -F '=' -v OPT="RestoreControllerDeviceState" 'index($0, OPT) == 1 {print $2}' ${USBGUARD_CONFIG})
|
USBGUARD_RESTORE_POLICY=$(${AWKBINARY} -F '=' -v OPT="RestoreControllerDeviceState" 'index($0, OPT) == 1 {print $2}' ${USBGUARD_CONFIG})
|
||||||
if [ ! -z "${USBGUARD_RESTORE_POLICY}" ]; then
|
if [ -n "${USBGUARD_RESTORE_POLICY}" ]; then
|
||||||
LogText "Result: RestoreControllerDeviceState = ${USBGUARD_RESTORE_POLICY}"
|
LogText "Result: RestoreControllerDeviceState = ${USBGUARD_RESTORE_POLICY}"
|
||||||
case "${USBGUARD_RESTORE_POLICY}" in
|
case "${USBGUARD_RESTORE_POLICY}" in
|
||||||
"true")
|
"true")
|
||||||
@ -184,7 +184,7 @@
|
|||||||
|
|
||||||
LogText "Checking USBGuard rule for controllers connected before daemon starts (PresentControllerPolicy)"
|
LogText "Checking USBGuard rule for controllers connected before daemon starts (PresentControllerPolicy)"
|
||||||
USBGUARD_CONTROLLER_POLICY=$(${AWKBINARY} -F '=' -v OPT="PresentControllerPolicy" 'index($0, OPT) == 1 {print $2}' ${USBGUARD_CONFIG})
|
USBGUARD_CONTROLLER_POLICY=$(${AWKBINARY} -F '=' -v OPT="PresentControllerPolicy" 'index($0, OPT) == 1 {print $2}' ${USBGUARD_CONFIG})
|
||||||
if [ ! -z "${USBGUARD_CONTROLLER_POLICY}" ]; then
|
if [ -n "${USBGUARD_CONTROLLER_POLICY}" ]; then
|
||||||
LogText "Result: PresentControllerPolicy = ${USBGUARD_CONTROLLER_POLICY}"
|
LogText "Result: PresentControllerPolicy = ${USBGUARD_CONTROLLER_POLICY}"
|
||||||
case "${USBGUARD_CONTROLLER_POLICY}" in
|
case "${USBGUARD_CONTROLLER_POLICY}" in
|
||||||
"allow" | "keep")
|
"allow" | "keep")
|
||||||
@ -214,7 +214,7 @@
|
|||||||
|
|
||||||
LogText "Checking USBGuard rule for devices connected before daemon starts (PresentDevicePolicy)"
|
LogText "Checking USBGuard rule for devices connected before daemon starts (PresentDevicePolicy)"
|
||||||
USBGUARD_DEVICE_POLICY=$(${AWKBINARY} -F '=' -v OPT="PresentDevicePolicy" 'index($0, OPT) == 1 {print $2}' ${USBGUARD_CONFIG})
|
USBGUARD_DEVICE_POLICY=$(${AWKBINARY} -F '=' -v OPT="PresentDevicePolicy" 'index($0, OPT) == 1 {print $2}' ${USBGUARD_CONFIG})
|
||||||
if [ ! -z "${USBGUARD_DEVICE_POLICY}" ]; then
|
if [ -n "${USBGUARD_DEVICE_POLICY}" ]; then
|
||||||
LogText "Result: PresentDevicePolicy = ${USBGUARD_DEVICE_POLICY}"
|
LogText "Result: PresentDevicePolicy = ${USBGUARD_DEVICE_POLICY}"
|
||||||
case "${USBGUARD_DEVICE_POLICY}" in
|
case "${USBGUARD_DEVICE_POLICY}" in
|
||||||
"allow" | "keep")
|
"allow" | "keep")
|
||||||
@ -244,7 +244,7 @@
|
|||||||
|
|
||||||
LogText "Checking USBGuard rule for devices inserted after daemon starts (InsertedDevicePolicy)"
|
LogText "Checking USBGuard rule for devices inserted after daemon starts (InsertedDevicePolicy)"
|
||||||
USBGUARD_INSERTED_POLICY=$(${AWKBINARY} -F '=' -v OPT="InsertedDevicePolicy" 'index($0, OPT) == 1 {print $2}' ${USBGUARD_CONFIG})
|
USBGUARD_INSERTED_POLICY=$(${AWKBINARY} -F '=' -v OPT="InsertedDevicePolicy" 'index($0, OPT) == 1 {print $2}' ${USBGUARD_CONFIG})
|
||||||
if [ ! -z "${USBGUARD_INSERTED_POLICY}" ]; then
|
if [ -n "${USBGUARD_INSERTED_POLICY}" ]; then
|
||||||
LogText "Result: InsertedDevicePolicy = ${USBGUARD_INSERTED_POLICY}"
|
LogText "Result: InsertedDevicePolicy = ${USBGUARD_INSERTED_POLICY}"
|
||||||
case "${USBGUARD_INSERTED_POLICY}" in
|
case "${USBGUARD_INSERTED_POLICY}" in
|
||||||
"allow" | "keep")
|
"allow" | "keep")
|
||||||
@ -274,7 +274,7 @@
|
|||||||
|
|
||||||
LogText "Checking USBGuard rule for devices not in RuleFile (ImplicitPolicyTarget)"
|
LogText "Checking USBGuard rule for devices not in RuleFile (ImplicitPolicyTarget)"
|
||||||
USBGUARD_DEFAULT_POLICY=$(${AWKBINARY} -F '=' -v OPT="ImplicitPolicyTarget" 'index($0, OPT) == 1 {print $2}' ${USBGUARD_CONFIG})
|
USBGUARD_DEFAULT_POLICY=$(${AWKBINARY} -F '=' -v OPT="ImplicitPolicyTarget" 'index($0, OPT) == 1 {print $2}' ${USBGUARD_CONFIG})
|
||||||
if [ ! -z "${USBGUARD_DEFAULT_POLICY}" ]; then
|
if [ -n "${USBGUARD_DEFAULT_POLICY}" ]; then
|
||||||
LogText "Result: ImplicitPolicyTarget = ${USBGUARD_DEFAULT_POLICY}"
|
LogText "Result: ImplicitPolicyTarget = ${USBGUARD_DEFAULT_POLICY}"
|
||||||
case "${USBGUARD_DEFAULT_POLICY}" in
|
case "${USBGUARD_DEFAULT_POLICY}" in
|
||||||
"allow")
|
"allow")
|
||||||
@ -304,7 +304,7 @@
|
|||||||
|
|
||||||
LogText "Checking RuleFile"
|
LogText "Checking RuleFile"
|
||||||
USBGUARD_RULES=$(${AWKBINARY} -F '=' -v OPT="RuleFile" 'index($0, OPT) == 1 {print $2}' ${USBGUARD_CONFIG})
|
USBGUARD_RULES=$(${AWKBINARY} -F '=' -v OPT="RuleFile" 'index($0, OPT) == 1 {print $2}' ${USBGUARD_CONFIG})
|
||||||
if [ ! -z "${USBGUARD_RULES}" ] && [ -f "${USBGUARD_RULES}" ]; then
|
if [ -n "${USBGUARD_RULES}" ] && [ -f "${USBGUARD_RULES}" ]; then
|
||||||
LogText "Result: RuleFile found (${USBGUARD_RULES})"
|
LogText "Result: RuleFile found (${USBGUARD_RULES})"
|
||||||
Display --indent 4 --text "- RuleFile" --result "${STATUS_FOUND}" --color GREEN
|
Display --indent 4 --text "- RuleFile" --result "${STATUS_FOUND}" --color GREEN
|
||||||
AddHP 1 1
|
AddHP 1 1
|
||||||
|
|||||||
@ -157,7 +157,7 @@
|
|||||||
done
|
done
|
||||||
# Search Server aliases
|
# Search Server aliases
|
||||||
for J in $(${GREPBINARY} "ServerAlias" ${I} | ${GREPBINARY} -v "^#" | ${SEDBINARY} "s/\s*ServerAlias //g" | ${SEDBINARY} "s/#.*//g"); do
|
for J in $(${GREPBINARY} "ServerAlias" ${I} | ${GREPBINARY} -v "^#" | ${SEDBINARY} "s/\s*ServerAlias //g" | ${SEDBINARY} "s/#.*//g"); do
|
||||||
if [ ! -z ${J} ]; then
|
if [ -n ${J} ]; then
|
||||||
tVHOSTS="${tVHOSTS} ${J}"
|
tVHOSTS="${tVHOSTS} ${J}"
|
||||||
cVHOSTS=$((cVHOSTS + 1))
|
cVHOSTS=$((cVHOSTS + 1))
|
||||||
fi
|
fi
|
||||||
@ -170,7 +170,7 @@
|
|||||||
|
|
||||||
# Log all virtual hosts we found
|
# Log all virtual hosts we found
|
||||||
for J in ${tVHOSTS}; do
|
for J in ${tVHOSTS}; do
|
||||||
if [ ! -z ${J} ]; then
|
if [ -n ${J} ]; then
|
||||||
LogText "Virtual host: ${J}"
|
LogText "Virtual host: ${J}"
|
||||||
#Report "apache_vhost_name[]=${J}"
|
#Report "apache_vhost_name[]=${J}"
|
||||||
fi
|
fi
|
||||||
@ -186,10 +186,10 @@
|
|||||||
fi
|
fi
|
||||||
|
|
||||||
# Remove temp files
|
# Remove temp files
|
||||||
if [ -f ${TMPFILE} -a ! -z "${TMPFILE}" ]; then
|
if [ -f ${TMPFILE} -a -n "${TMPFILE}" ]; then
|
||||||
rm -f ${TMPFILE}
|
rm -f ${TMPFILE}
|
||||||
fi
|
fi
|
||||||
if [ ! -z "${TMPFILE2}" ]; then if [ -f ${TMPFILE2} ]; then rm -f ${TMPFILE2}; fi; fi
|
if [ -n "${TMPFILE2}" ]; then if [ -f ${TMPFILE2} ]; then rm -f ${TMPFILE2}; fi; fi
|
||||||
#
|
#
|
||||||
#################################################################################
|
#################################################################################
|
||||||
#
|
#
|
||||||
@ -351,7 +351,7 @@
|
|||||||
# Test : HTTP-6706
|
# Test : HTTP-6706
|
||||||
# Description : Search for includes within nginx configuration file
|
# Description : Search for includes within nginx configuration file
|
||||||
# Notes : Daemon nginx should be running, nginx.conf should be found
|
# Notes : Daemon nginx should be running, nginx.conf should be found
|
||||||
if [ ${NGINX_RUNNING} -eq 1 -a ! -z "${NGINX_CONF_LOCATION}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
if [ ${NGINX_RUNNING} -eq 1 -a -n "${NGINX_CONF_LOCATION}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||||
Register --test-no HTTP-6706 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for additional nginx configuration files"
|
Register --test-no HTTP-6706 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for additional nginx configuration files"
|
||||||
if [ ${SKIPTEST} -eq 0 ]; then
|
if [ ${SKIPTEST} -eq 0 ]; then
|
||||||
CreateTempFile || ExitFatal
|
CreateTempFile || ExitFatal
|
||||||
@ -402,7 +402,7 @@
|
|||||||
# Test : HTTP-6708
|
# Test : HTTP-6708
|
||||||
# Description : Check discovered nginx configuration settings for further hardening
|
# Description : Check discovered nginx configuration settings for further hardening
|
||||||
# Notes : Daemon of nginx should be running, nginx.conf should be found
|
# Notes : Daemon of nginx should be running, nginx.conf should be found
|
||||||
if [ ${NGINX_RUNNING} -eq 1 -a ! -z "${NGINX_CONF_FILES}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
if [ ${NGINX_RUNNING} -eq 1 -a -n "${NGINX_CONF_FILES}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||||
Register --test-no HTTP-6708 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check discovered nginx configuration settings"
|
Register --test-no HTTP-6708 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check discovered nginx configuration settings"
|
||||||
if [ ${SKIPTEST} -eq 0 ]; then
|
if [ ${SKIPTEST} -eq 0 ]; then
|
||||||
LogText "Test: start parsing all discovered nginx options"
|
LogText "Test: start parsing all discovered nginx options"
|
||||||
@ -420,7 +420,7 @@
|
|||||||
LogText "Result: this configuration file is skipped, as it contains usually no interesting details"
|
LogText "Result: this configuration file is skipped, as it contains usually no interesting details"
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
if [ ! -z "${NGINX_CONF_FILES_ADDITIONS}" ]; then
|
if [ -n "${NGINX_CONF_FILES_ADDITIONS}" ]; then
|
||||||
for I in ${NGINX_CONF_FILES_ADDITIONS}; do
|
for I in ${NGINX_CONF_FILES_ADDITIONS}; do
|
||||||
FILENAME=$(echo ${I} | ${AWKBINARY} -F/ '{print $NF}')
|
FILENAME=$(echo ${I} | ${AWKBINARY} -F/ '{print $NF}')
|
||||||
if [ ! "${FILENAME}" = "mime.types" ]; then
|
if [ ! "${FILENAME}" = "mime.types" ]; then
|
||||||
@ -442,7 +442,7 @@
|
|||||||
# Test : HTTP-6710
|
# Test : HTTP-6710
|
||||||
# Description : Check SSL configuration of nginx
|
# Description : Check SSL configuration of nginx
|
||||||
# Notes : Daemon of nginx should be running, nginx.conf should be found
|
# Notes : Daemon of nginx should be running, nginx.conf should be found
|
||||||
if [ ${NGINX_RUNNING} -eq 1 -a ! -z "${NGINX_CONF_LOCATION}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
if [ ${NGINX_RUNNING} -eq 1 -a -n "${NGINX_CONF_LOCATION}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||||
Register --test-no HTTP-6710 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check nginx SSL configuration settings"
|
Register --test-no HTTP-6710 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check nginx SSL configuration settings"
|
||||||
if [ ${SKIPTEST} -eq 0 ]; then
|
if [ ${SKIPTEST} -eq 0 ]; then
|
||||||
NGINX_SSL_SUGGESTION=0
|
NGINX_SSL_SUGGESTION=0
|
||||||
@ -494,7 +494,7 @@
|
|||||||
# Test : HTTP-6712
|
# Test : HTTP-6712
|
||||||
# Description : Check logging configuration of nginx
|
# Description : Check logging configuration of nginx
|
||||||
# Notes : Daemon of nginx should be running, nginx.conf should be found
|
# Notes : Daemon of nginx should be running, nginx.conf should be found
|
||||||
if [ ${NGINX_RUNNING} -eq 1 -a ! -z "${NGINX_CONF_LOCATION}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
if [ ${NGINX_RUNNING} -eq 1 -a -n "${NGINX_CONF_LOCATION}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||||
Register --test-no HTTP-6712 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check nginx access logging"
|
Register --test-no HTTP-6712 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check nginx access logging"
|
||||||
if [ ${SKIPTEST} -eq 0 ]; then
|
if [ ${SKIPTEST} -eq 0 ]; then
|
||||||
NGINX_LOG_SUGGESTION=0
|
NGINX_LOG_SUGGESTION=0
|
||||||
@ -528,7 +528,7 @@
|
|||||||
#
|
#
|
||||||
# Test : HTTP-6714
|
# Test : HTTP-6714
|
||||||
# Description : Check missing error logs in nginx
|
# Description : Check missing error logs in nginx
|
||||||
if [ ${NGINX_RUNNING} -eq 1 -a ! -z "${NGINX_CONF_LOCATION}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
if [ ${NGINX_RUNNING} -eq 1 -a -n "${NGINX_CONF_LOCATION}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||||
Register --test-no HTTP-6714 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for missing error logs in nginx"
|
Register --test-no HTTP-6714 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for missing error logs in nginx"
|
||||||
if [ ${SKIPTEST} -eq 0 ]; then
|
if [ ${SKIPTEST} -eq 0 ]; then
|
||||||
NGINX_LOG_SUGGESTION=0
|
NGINX_LOG_SUGGESTION=0
|
||||||
@ -549,7 +549,7 @@
|
|||||||
#
|
#
|
||||||
# Test : HTTP-6716
|
# Test : HTTP-6716
|
||||||
# Description : Check debug mode on error log in nginx
|
# Description : Check debug mode on error log in nginx
|
||||||
if [ ${NGINX_RUNNING} -eq 1 -a ! -z "${NGINX_CONF_LOCATION}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
if [ ${NGINX_RUNNING} -eq 1 -a -n "${NGINX_CONF_LOCATION}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||||
Register --test-no HTTP-6716 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for debug mode on error log in nginx"
|
Register --test-no HTTP-6716 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for debug mode on error log in nginx"
|
||||||
if [ ${SKIPTEST} -eq 0 ]; then
|
if [ ${SKIPTEST} -eq 0 ]; then
|
||||||
NGINX_LOG_SUGGESTION=0
|
NGINX_LOG_SUGGESTION=0
|
||||||
@ -606,8 +606,8 @@
|
|||||||
#################################################################################
|
#################################################################################
|
||||||
#
|
#
|
||||||
# Remove temp file (double check)
|
# Remove temp file (double check)
|
||||||
if [ ! -z "${TMPFILE}" ]; then if [ -f ${TMPFILE} ]; then rm -f ${TMPFILE}; fi; fi
|
if [ -n "${TMPFILE}" ]; then if [ -f ${TMPFILE} ]; then rm -f ${TMPFILE}; fi; fi
|
||||||
if [ ! -z "${TMPFILE2}" ]; then if [ -f ${TMPFILE2} ]; then rm -f ${TMPFILE2}; fi; fi
|
if [ -n "${TMPFILE2}" ]; then if [ -f ${TMPFILE2} ]; then rm -f ${TMPFILE2}; fi; fi
|
||||||
|
|
||||||
WaitForKeyPress
|
WaitForKeyPress
|
||||||
|
|
||||||
|
|||||||
@ -48,7 +48,7 @@
|
|||||||
# Bash completion support
|
# Bash completion support
|
||||||
#
|
#
|
||||||
# Detect if bash is used for active user
|
# Detect if bash is used for active user
|
||||||
#if [ ! -z "${ETC_PATHS}" ]; then
|
#if [ -n "${ETC_PATHS}" ]; then
|
||||||
# for I in ${ETC_PATHS}; do
|
# for I in ${ETC_PATHS}; do
|
||||||
# if [ -d ${I}/bash_completion.d ]; then
|
# if [ -d ${I}/bash_completion.d ]; then
|
||||||
# if [ ! -f ${ETC_PATHS}/bash_completion.d/lynis ]; then
|
# if [ ! -f ${ETC_PATHS}/bash_completion.d/lynis ]; then
|
||||||
|
|||||||
12
lynis
12
lynis
@ -538,8 +538,8 @@ ${NORMAL}
|
|||||||
Report "os_fullname=${OS_FULLNAME}"
|
Report "os_fullname=${OS_FULLNAME}"
|
||||||
Report "os_version=${OS_VERSION}"
|
Report "os_version=${OS_VERSION}"
|
||||||
if [ "${OS}" = "Linux" ]; then Report "linux_version=${LINUX_VERSION}"; fi
|
if [ "${OS}" = "Linux" ]; then Report "linux_version=${LINUX_VERSION}"; fi
|
||||||
if [ ! -z "${OS_KERNELVERSION}" ]; then Report "os_kernel_version=${OS_KERNELVERSION}"; fi
|
if [ -n "${OS_KERNELVERSION}" ]; then Report "os_kernel_version=${OS_KERNELVERSION}"; fi
|
||||||
if [ ! -z "${OS_KERNELVERSION_FULL}" ]; then Report "os_kernel_version_full=${OS_KERNELVERSION_FULL}"; fi
|
if [ -n "${OS_KERNELVERSION_FULL}" ]; then Report "os_kernel_version_full=${OS_KERNELVERSION_FULL}"; fi
|
||||||
|
|
||||||
Report "hostname=${HOSTNAME}"
|
Report "hostname=${HOSTNAME}"
|
||||||
|
|
||||||
@ -635,7 +635,7 @@ ${NORMAL}
|
|||||||
LogText "Note: the end-of-life of '${OS_FULLNAME}' could not be checked. Entry missing in software-eol.db?"
|
LogText "Note: the end-of-life of '${OS_FULLNAME}' could not be checked. Entry missing in software-eol.db?"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ ! -z "${OS_MODE}" ]; then echo " Operating system mode: ${OS_MODE}"; fi
|
if [ -n "${OS_MODE}" ]; then echo " Operating system mode: ${OS_MODE}"; fi
|
||||||
echo " Kernel version: ${OS_KERNELVERSION}"
|
echo " Kernel version: ${OS_KERNELVERSION}"
|
||||||
echo " Hardware platform: ${HARDWARE}"
|
echo " Hardware platform: ${HARDWARE}"
|
||||||
echo " Hostname: ${HOSTNAME}"
|
echo " Hostname: ${HOSTNAME}"
|
||||||
@ -658,9 +658,9 @@ ${NORMAL}
|
|||||||
LogText "Operating system: ${OS}"
|
LogText "Operating system: ${OS}"
|
||||||
LogText "Operating system name: ${OS_NAME}"
|
LogText "Operating system name: ${OS_NAME}"
|
||||||
LogText "Operating system version: ${OS_VERSION}"
|
LogText "Operating system version: ${OS_VERSION}"
|
||||||
if [ ! -z "${OS_MODE}" ]; then LogText "Operating system mode: ${OS_MODE}"; fi
|
if [ -n "${OS_MODE}" ]; then LogText "Operating system mode: ${OS_MODE}"; fi
|
||||||
LogText "Kernel version: ${OS_KERNELVERSION}"
|
LogText "Kernel version: ${OS_KERNELVERSION}"
|
||||||
if [ ! -z "${OS_KERNELVERSION_FULL}" ]; then
|
if [ -n "${OS_KERNELVERSION_FULL}" ]; then
|
||||||
LogText "Kernel version (full): ${OS_KERNELVERSION_FULL}"
|
LogText "Kernel version (full): ${OS_KERNELVERSION_FULL}"
|
||||||
fi
|
fi
|
||||||
LogText "Hardware platform: ${HARDWARE}"
|
LogText "Hardware platform: ${HARDWARE}"
|
||||||
@ -872,7 +872,7 @@ ${NORMAL}
|
|||||||
for PROFILE in ${PROFILES}; do
|
for PROFILE in ${PROFILES}; do
|
||||||
LogText "Action: checking plugin status in profile: ${PROFILE}"
|
LogText "Action: checking plugin status in profile: ${PROFILE}"
|
||||||
FIND3=$(grep "^plugin=${FIND2}" ${PROFILE})
|
FIND3=$(grep "^plugin=${FIND2}" ${PROFILE})
|
||||||
if [ ! -z "${FIND3}" ]; then
|
if [ -n "${FIND3}" ]; then
|
||||||
FOUND=0
|
FOUND=0
|
||||||
for I in ${DISABLED_PLUGINS}; do
|
for I in ${DISABLED_PLUGINS}; do
|
||||||
if [ "${I}" = "${FIND2}" ]; then
|
if [ "${I}" = "${FIND2}" ]; then
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user