tyler.durden/lynis
1
0
Fork 0
mirror of https://github.com/CISOfy/lynis.git synced 2025-10-31 11:25:05 +01:00
Code Issues Packages Projects Releases Wiki Activity
lynis/include/tests_printers_spools
mboelen afd01ece5d Remove incomplete tests, code enhancements
2015-07-22 17:37:11 +02:00

297 lines
13 KiB
Bash
Raw Blame History

#!/bin/sh
#################################################################################
#
# Lynis
# ------------------
#
# Copyright 2007-2015, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
# Web site: https://cisofy.com
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
# See LICENSE file for usage of this software.
#
#################################################################################
#
# Printers and spools
#
#################################################################################
#
CUPSD_CONFIG_LOCS="/etc/cups /usr/local/etc/cups /private/etc/cups"
CUPSD_CONFIG_FILE=""
CUPSD_RUNNING=0
CUPSD_FOUND=0
LPD_RUNNING=0
PRINTING_DAEMON=""
QDAEMON_CONFIG_ENABLED=0
QDAEMON_CONFIG_FILE=""
QDAEMON_RUNNING=0
#
#################################################################################
#
InsertSection "Printers and Spools"
#
#################################################################################
#
# Test : PRNT-2302
# Description : Check printcap file consistency
Register --test-no PRNT-2302 --os FreeBSD --weight L --network NO --description "Check for available accounting information"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Searching /usr/sbin/chkprintcap"
if [ ! -f /usr/sbin/chkprintcap ]; then
Display --indent 2 --text "- Checking chkprintcap" --result "NOT FOUND" --color WHITE
logtext "Result: /usr/sbin/chkprintcap NOT found, test skipped."
else
logtext "Result: /usr/sbin/chkprintcap found"
FIND=`/usr/sbin/chkprintcap > /dev/null ; echo $?`
# Only an exit code of zero should come back. Use string instead of integer, due unexpected trash
if [ "${FIND}" = "0" ]; then
Display --indent 2 --text "- Integrity check of printcap file" --result OK --color GREEN
logtext "Result: chkprintcap did NOT gave any warnings"
else
Display --indent 2 --text "- Integrity check of printcap file" --result WARNING --color RED
ReportSuggestion ${TEST_NO} "Run chkprintcap manually to test printcap file"
logtext "Output from chkprintcap: ${FIND}"
logtext "Run chkprintcap and check the /etc/printcap file."
fi
fi
fi
#
#################################################################################
#
# Test : PRNT-2304
# Description : Check cupsd status
Register --test-no PRNT-2304 --weight L --network NO --description "Check cupsd status"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Checking cupsd status"
#FIND=`${PSBINARY} ax | grep "cupsd" | grep -v "grep" | grep -v apcupsd`
IsRunning cupsd
if [ ${RUNNING} -eq 1 ]; then
Display --indent 2 --text "- Checking cups daemon" --result RUNNING --color GREEN
logtext "Result: cups daemon running"
CUPSD_RUNNING=1; PRINTING_DAEMON="cups"
else
Display --indent 2 --text "- Checking cups daemon" --result "NOT FOUND" --color WHITE
logtext "Result: cups daemon not running, cups daemon tests skipped"
fi
fi
#
#################################################################################
#
# Test : PRNT-2306
# Description : Check CUPSd configuration file
if [ ${CUPSD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PRNT-2306 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check CUPSd configuration file"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Searching cupsd configuration file"
for I in ${CUPSD_CONFIG_LOCS}; do
if [ -f ${I}/cupsd.conf ]; then
CUPSD_CONFIG_FILE="${I}/cupsd.conf"
logtext "Result: found ${CUPSD_CONFIG_FILE}"
fi
done
if [ ! "${CUPSD_CONFIG_FILE}" = "" ]; then
Display --indent 2 --text "- Checking CUPS configuration file" --result OK --color GREEN
logtext "Result: configuration file found (${CUPSD_CONFIG_FILE})"
CUPSD_FOUND=1
else
Display --indent 2 --text "- Checking CUPS configuration file" --result "NOT FOUND" --color RED
logtext "Result: configuration file not found"
logtext "Development: no CUPS configuration file found"
fi
fi
#
#################################################################################
#
# Test : PRNT-2307
# Description : Check CUPSd configuration file permissions
# To Do : Add function
if [ ${CUPSD_FOUND} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PRNT-2307 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check CUPSd configuration file permissions"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Checking CUPS configuration file permissions"
FIND=`ls -l ${CUPSD_CONFIG_FILE} | cut -c 2-10`
logtext "Result: found ${FIND}"
if [ "${FIND}" = "r--------" -o "${FIND}" = "rw-------" -o "${FIND}" = "rw-r-----" -o "${FIND}" = "rw-rw----" ]; then
Display --indent 4 --text "- File permissions" --result "OK" --color GREEN
AddHP 1 1
else
Display --indent 4 --text "- File permissions" --result "WARNING" --color RED
ReportSuggestion ${TEST_NO} "Access to CUPS configuration could be more strict."
AddHP 1 2
fi
fi
#
#################################################################################
#
# Test : PRNT-2308
# Description : Check CUPS daemon network configuration
if [ ${CUPSD_FOUND} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PRNT-2308 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check CUPSd network configuration"
if [ ${SKIPTEST} -eq 0 ]; then
FOUND=0
# Checking network addresses
logtext "Test: Checking CUPS daemon listening network addresses"
FIND=`grep "^Listen" ${CUPSD_CONFIG_FILE} | grep -v "/" | awk '{ print $2 }'`
N=0
for I in ${FIND}; do
logtext "Found network address: ${I}"
N=`expr ${N} + 1`
FOUND=1
done
if [ ${FOUND} -eq 0 ]; then
ReportException "${TEST_NO}:1" "No listen statement found in CUPS configuration file"
fi
# Check if daemon is only running on localhost
if [ ${N} -eq 1 ]; then
if [ "${FIND}" = "localhost:631" -o "${FIND}" = "127.0.0.1:631" ]; then
logtext "Result: CUPS daemon only running on localhost"
AddHP 2 2
else
logtext "Result: CUPS daemon running on one or more interfaces (not limited to localhost)"
ReportSuggestion ${TEST_NO} "Check CUPS configuration if it really needs to listen on the network"
AddHP 1 2
fi
else
logtext "Result: CUPS daemon is running on several network addresses"
ReportSuggestion ${TEST_NO} "Check CUPS configuration if it really needs to run on several network addresses"
AddHP 1 2
fi
# Checking sockets
logtext "Test: Checking cups daemon listening sockets"
FIND=`grep "^Listen" ${CUPSD_CONFIG_FILE} | grep "/" | awk '{ print $2 }'`
for I in ${FIND}; do
logtext "Found socket address: ${I}"
N=`expr ${N} + 1`
done
if [ ${N} -eq 0 ]; then
Display --indent 2 --text "- Checking CUPS addresses/sockets" --result "NONE" --color WHITE
logtext "Result: no addresses found on which CUPS daemon is listening"
else
Display --indent 2 --text "- Checking CUPS addresses/sockets" --result "FOUND" --color GREEN
logtext "Result: CUPS daemon is listening on network/socket"
fi
fi
#
#################################################################################
#
# Test : PRNT-2314
# Description : Check lpd status
Register --test-no PRNT-2314 --weight L --network NO --description "Check lpd status"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Checking lpd status"
IsRunning lpd
if [ ${RUNNING} -eq 1 ]; then
Display --indent 2 --text "- Checking lp daemon" --result RUNNING --color GREEN
logtext "Result: lp daemon running"
LPD_RUNNING=1; PRINTING_DAEMON="lp"
else
Display --indent 2 --text "- Checking lp daemon" --result "NOT RUNNING" --color WHITE
logtext "Result: lp daemon not running"
AddHP 4 4
fi
fi
#
#################################################################################
#
# Test : PRNT-23xx
# Description : Test Linux printcap file
#if [ ${CUPSD_RUNNING} -eq 1 -a ! "${CUPSD_CONFIG_FILE}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
#Register --test-no PRNT-23xx--preqs-met ${PREQS_MET} --weight L --network NO --description "Check cupsd address configuration"
#if [ ${SKIPTEST} -eq 0 ]; then
#if [ "${OS}" = "Linux" ]; then
# echo " - Testing printcap file [Test not implemented yet]"
# # Check printcap with checkpc command
#fi
#
#################################################################################
#
# Test : PRNT-2416
# Description : Check /etc/qconfig file
Register --test-no PRNT-2316 --os AIX --weight L --network NO --description "Checking /etc/qconfig file"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Checking /etc/qconfig"
QDAEMON_CONFIG_FILE="/etc/qconfig"
FileIsReadable ${QDAEMON_CONFIG_FILE}
if [ ${CANREAD} -eq 1 ]; then
FIND=`grep -v "^\*" ${QDAEMON_CONFIG_FILE} | egrep "backend|device"`
if [ ! "${FIND}" = "" ]; then
logtext "Result: printers are defined in ${QDAEMON_CONFIG_FILE}"
Display --indent 2 --text "- Checking /etc/qconfig file" --result FOUND --color GREEN
QDAEMON_CONFIG_ENABLED=1
else
logtext "Result: ${QDAEMON_CONFIG_FILE} is empty. No printers are defined"
Display --indent 2 --text "- Checking /etc/qconfig file" --result EMPTY --color WHITE
fi
else
logtext "Result: Can not read ${QDAEMON_CONFIG_FILE} (no permission)"
fi
fi
#
#################################################################################
#
# Test : PRNT-2418
# Description : Check qdaemon printer spooler status
Register --test-no PRNT-2418 --os AIX --weight L --network NO --description "Checking qdaemon printer spooler status"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Checking qdaemon status"
IsRunning qdaemon
if [ ${RUNNING} -eq 1 ]; then
logtext "Result: qdaemon daemon running"
Display --indent 2 --text "- Checking qdaemon daemon" --result RUNNING --color GREEN
QDAEMON_RUNNING=1; PRINTING_DAEMON="qdaemon"
else
if [ ${QDAEMON_CONFIG_ENABLED} -eq 1 ]; then
logtext "Result: qdaemon daemon not running"
Display --indent 2 --text "- Checking qdaemon daemon" --result "NOT RUNNING" --color RED
ReportSuggestion ${TEST_NO} "Activate print spooler daemon (qdaemon) in order to process print jobs"
else
logtext "Result: qdaemon daemon not running"
Display --indent 2 --text "- Checking qdaemon daemon" --result "NOT RUNNING" --color WHITE
fi
fi
fi
#
#################################################################################
#
# Test : PRNT-2420
# Description : Checking old print jobs
Register --test-no PRNT-2420 --os AIX --weight L --network NO --description "Checking old print jobs"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Checking old print jobs"
DirectoryExists /var/spool/lpd/qdir
if [ ${DIRECTORY_FOUND} -eq 1 ]; then
FIND=`find /var/spool/lpd/qdir -type f -mtime +1 2> /dev/null | sed 's/ /!space!/g'`
if [ ! "${FIND}" = "" ]; then
N=0
for I in ${FIND}; do
FILE=`echo ${I} | sed 's/!space!/ /g'`
logtext "Found old print job: ${FILE}"
N=`expr ${N} + 1`
done
logtext "Result: Found ${N} old print jobs in /var/spool/lpd/qdir"
Display --indent 4 --text "- Checking old print jobs" --result FOUND --color YELLOW
ReportSuggestion ${TEST_NO} "Check old print jobs in /var/spool/lpd/qdir to prevent new jobs from being processed"
logtext "Risk: Failed or defunct print jobs can occupy a lot of space and in some cases, prevent new jobs from being processed"
else
logtext "Result: Old print jobs not found in /var/spool/lpd/qdir"
Display --indent 4 --text "- Checking old print jobs" --result "NONE" --color GREEN
fi
fi
fi
#
#################################################################################
#
report "printing_daemon=${PRINTING_DAEMON}"
wait_for_keypress
#
#================================================================================
# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com
Reference in New Issue View Git Blame Copy Permalink