
github.com/CISOfy/lynis.git - Unnamed repository; edit this file 'description' to name the repository.
authorMichael Boelen <michael.boelen@cisofy.com>2016-09-10 17:12:44 +0300
committerMichael Boelen <michael.boelen@cisofy.com>2016-09-10 17:12:44 +0300
commit903016df362e39444d314a81dd4a0ebc61b67da0 (patch)
treee922e2e0039428dec461bfea52ff8e503720370a
parent2534fb99a9dbc869fd90f0967c6917191b306b69 (diff)
Code cleanups and generic enhancements
-rw-r--r--include/tests_databases20
-rw-r--r--include/tests_file_integrity38
-rw-r--r--include/tests_file_permissions10
-rw-r--r--include/tests_filesystems125
-rw-r--r--include/tests_firewalls83
-rw-r--r--include/tests_hardening10
-rw-r--r--include/tests_homedirs26
-rw-r--r--include/tests_insecure_services2
-rw-r--r--include/tests_kernel46
-rw-r--r--include/tests_ldap12
-rw-r--r--include/tests_logging106
-rw-r--r--include/tests_mac_frameworks30
-rw-r--r--include/tests_mail_messaging30
-rw-r--r--include/tests_malware32
-rw-r--r--include/tests_memory_processes35
-rw-r--r--include/tests_nameservices198
-rw-r--r--include/tests_networking37
-rw-r--r--include/tests_php72
-rw-r--r--include/tests_snmp20
19 files changed, 458 insertions, 474 deletions
diff --git a/include/tests_databases b/include/tests_databases
index cbf1091e..d6cb3f81 100644
--- a/include/tests_databases
+++ b/include/tests_databases
@@ -23,9 +23,9 @@
#################################################################################
#
# Paths to DATADIR
- sMYSQLDBPATHS="/var/lib/mysql"
+ sMYSQLDBPATHS="${ROOTDIR}var/lib/mysql"
# Paths to my.cnf
- sMYCNFLOCS="/etc/mysql/my.cnf /usr/etc/my.cnf"
+ sMYCNFLOCS="${ROOTDIR}etc/mysql/my.cnf ${ROOTDIR}usr/etc/my.cnf"
REDIS_CONFIGURATION_FILES=""
REDIS_CONFIGURATION_FOUND=0
#
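Review bot: The new `${ROOTDIR}var/lib/mysql` and `${ROOTDIR}etc/mysql/my.cnf` values are absolute only when ROOTDIR is set and ends in a slash, and its definition is not visible in this diff. If it is ever empty, they become paths relative to the current working directory, so an audit run as root would inspect whatever directory it was started from. The same assumption applies to `CSF_CONFIG` in tests_file_integrity and to the `${ROOTDIR}proc`, `${ROOTDIR}tmp` and `${ROOTDIR}dev/root` uses in tests_filesystems. A default at the point of use, for example `sMYSQLDBPATHS="${ROOTDIR:-/}var/lib/mysql"`, or a comment stating the trailing-slash contract, would make this explicit.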
@@ -75,13 +75,13 @@
Register --test-no DBS-1816 --preqs-met ${PREQS_MET} --skip-reason "${SKIPREASON}" --weight L --network NO --category security --description "Checking MySQL root password"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Trying to login to local MySQL server without password"
- FIND=`${MYSQLCLIENTBINARY} -u root --password= --silent --batch --execute="" 2> /dev/null; echo $?`
+ FIND=$(${MYSQLCLIENTBINARY} -u root --password= --silent --batch --execute="" 2> /dev/null; echo $?)
if [ "${FIND}" = "0" ]; then
LogText "Result: Login succeeded, no MySQL root password set!"
ReportWarning ${TEST_NO} "No MySQL root password set"
Display --indent 4 --text "- Checking empty MySQL root password" --result "${STATUS_WARNING}" --color RED
AddHP 0 5
- else
+ else
LogText "Result: Login did not succeed, so a MySQL root password is set"
Display --indent 4 --text "- Checking MySQL root password" --result "${STATUS_OK}" --color GREEN
AddHP 2 2
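Review bot: Every non-zero exit captured by `FIND=$(... 2> /dev/null; echo $?)` falls into the `else` branch, which logs "a MySQL root password is set" and scores `AddHP 2 2`. A client that cannot reach the server also exits non-zero, and the reason is discarded by `2> /dev/null`, so the positive result may be unearned unless the prerequisite check (outside this hunk) rules that out. I would word the log neutrally, e.g. `LogText "Result: Login without password did not succeed"`, and add the comment `# Non-zero exit also covers connection errors, not only a rejected empty password`. The test body continues outside the hunk.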
@@ -102,7 +102,7 @@
POSTGRESQL_RUNNING=1
DATABASE_ENGINE_RUNNING=1
Report "postgresql_running=${POSTGRESQL_RUNNING}"
- else
+ else
if [ ${DEBUG} -eq 1 ]; then Display --indent 2 --text "- PostgreSQL processes status" --result "${STATUS_NOT_FOUND}" --color WHITE --debug; fi
LogText "Result: PostgreSQL process not active"
fi
@@ -122,11 +122,11 @@
# reco: recovery (optional)
Register --test-no DBS-1840 --weight L --network NO --category security --description "Checking active Oracle processes"
if [ ${SKIPTEST} -eq 0 ]; then
- FIND=`${PSBINARY} ax | ${EGREPBINARY} "ora_pmon|ora_smon|tnslsnr" | ${GREPBINARY} -v "grep"`
+ FIND=$(${PSBINARY} ax | ${EGREPBINARY} "ora_pmon|ora_smon|tnslsnr" | ${GREPBINARY} -v "grep")
if [ "${FIND}" = "" ]; then
if [ ${DEBUG} -eq 1 ]; then Display --indent 2 --text "- Oracle processes status" --result "${STATUS_NOT_FOUND}" --color WHITE --debug; fi
LogText "Result: Oracle process(es) not active"
- else
+ else
Display --indent 2 --text "- Oracle processes status" --result "${STATUS_FOUND}" --color GREEN
LogText "Result: Oracle is active"
ORACLE_RUNNING=1
@@ -158,7 +158,7 @@
DB2_RUNNING=1
DATABASE_ENGINE_RUNNING=1
Report "db2_running=${DB2_RUNNING}"
- else
+ else
if [ ${DEBUG} -eq 1 ]; then Display --indent 2 --text "- DB2 instance running" --result "${STATUS_NOT_FOUND}" --color WHITE --debug; fi
LogText "Result: No DB2 instances are running"
fi
@@ -193,7 +193,7 @@
FOUND=0
for DIR in ${PATHS}; do
LogText "Action: scanning directory (${DIR}) for Redis configuration files"
- FILES=$(ls ${DIR}/*.conf 2> /dev/null)
+ FILES=$(${LSBINARY} ${DIR}/*.conf 2> /dev/null)
if [ ! -z "${FILES}" ]; then
for CONFFILE in ${FILES}; do
if FileIsReadable ${CONFFILE}; then
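Review bot: `FILES=$(${LSBINARY} ${DIR}/*.conf 2> /dev/null)` followed by `for CONFFILE in ${FILES}` splits file names on whitespace. Because `${LSBINARY}` is unquoted, an empty value would make the first matching `.conf` path the command word, with any error hidden by `2> /dev/null`; whether LSBINARY is always populated is not visible here. Looping over the glob directly avoids both problems: `for CONFFILE in ${DIR}/*.conf; do` with `[ -f "${CONFFILE}" ] || continue` as its first statement. The other tools this commit moves to variables (`${MOUNTBINARY}`, `${FINDBINARY}`, `${UNIQBINARY}`, `${WCBINARY}`, `${XARGSBINARY}`) share the empty-variable concern, since an empty command yields empty output that the tests read as "nothing found". The loop continues outside the hunk.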
@@ -222,7 +222,7 @@
fi
done
# Sort the list of discovered configuration files so we can make them unique
- REDIS_CONFIGURATION_FILES=$(echo ${REDIS_CONFIGURATION_FILES} | ${SEDBINARY} 's/^ //' | ${TRBINARY} ' ' '\n' | ${SORTBINARY} | uniq | ${TRBINARY} '\n' ' ')
+ REDIS_CONFIGURATION_FILES=$(echo ${REDIS_CONFIGURATION_FILES} | ${SEDBINARY} 's/^ //' | ${TRBINARY} ' ' '\n' | ${SORTBINARY} | ${UNIQBINARY} | ${TRBINARY} '\n' ' ')
for FILE in ${REDIS_CONFIGURATION_FILES}; do
if IsWorldReadable ${FILE}; then
LogText "Result: configuration file ${FILE} is world readable, this might leak sensitive information!"
diff --git a/include/tests_file_integrity b/include/tests_file_integrity
index a90eb4fe..687853ff 100644
--- a/include/tests_file_integrity
+++ b/include/tests_file_integrity
@@ -18,7 +18,8 @@
#
#################################################################################
#
- CSF_CONFIG="/etc/csf/csf.conf"
+ AIDECONFIG=""
+ CSF_CONFIG="${ROOTDIR}etc/csf/csf.conf"
FILE_INT_TOOL=""
FILE_INT_TOOL_FOUND=0 # Boolean, file integrity tool found
#
@@ -34,13 +35,13 @@
Register --test-no FINT-4310 --weight L --network NO --category security --description "AFICK availability"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking AFICK binary"
- if [ ! "${AFICKBINARY}" = "" ]; then
+ if [ ! -z "${AFICKBINARY}" ]; then
LogText "Result: AFICK is installed (${AFICKBINARY})"
Report "file_integrity_tool[]=afick"
FILE_INT_TOOL="afick"
FILE_INT_TOOL_FOUND=1
Display --indent 4 --text "- AFICK" --result "${STATUS_FOUND}" --color GREEN
- else
+ else
LogText "Result: AFICK is not installed"
if IsVerbose; then Display --indent 4 --text "- AFICK" --result "${STATUS_NOT_FOUND}" --color WHITE; fi
fi
@@ -53,13 +54,13 @@
Register --test-no FINT-4314 --weight L --network NO --category security --description "AIDE availability"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking AIDE binary"
- if [ ! "${AIDEBINARY}" = "" ]; then
+ if [ ! -z "${AIDEBINARY}" ]; then
LogText "Result: AIDE is installed (${AIDEBINARY})"
Report "file_integrity_tool[]=aide"
FILE_INT_TOOL="aide"
FILE_INT_TOOL_FOUND=1
Display --indent 4 --text "- AIDE" --result "${STATUS_FOUND}" --color GREEN
- else
+ else
LogText "Result: AIDE is not installed"
if IsVerbose; then Display --indent 4 --text "- AIDE" --result "${STATUS_NOT_FOUND}" --color WHITE; fi
fi
@@ -80,7 +81,8 @@
AIDECONFIG="${I}/aide.conf"
fi
done
- if [ "${AIDECONFIG}" = "" ]; then
+
+ if [ -z "${AIDECONFIG}" ]; then
Display --indent 6 --text "- AIDE config file" --result "${STATUS_NOT_FOUND}" --color YELLOW
else
LogText "Checking configuration file ${AIDECONFIG} for errors"
@@ -101,7 +103,7 @@
Register --test-no FINT-4318 --weight L --network NO --category security --description "Osiris availability"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking Osiris binary"
- if [ ! "${OSIRISBINARY}" = "" ]; then
+ if [ ! -z "${OSIRISBINARY}" ]; then
LogText "Result: Osiris is installed (${OSIRISBINARY})"
Report "file_integrity_tool[]=osiris"
FILE_INT_TOOL="osiris"
@@ -120,7 +122,7 @@
Register --test-no FINT-4322 --weight L --network NO --category security --description "Samhain availability"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking Samhain binary"
- if [ ! "${SAMHAINBINARY}" = "" ]; then
+ if [ ! -z "${SAMHAINBINARY}" ]; then
LogText "Result: Samhain is installed (${SAMHAINBINARY})"
Report "file_integrity_tool[]=samhain"
FILE_INT_TOOL="samhain"
@@ -139,7 +141,7 @@
Register --test-no FINT-4326 --weight L --network NO --category security --description "Tripwire availability"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking Tripwire binary"
- if [ ! "${TRIPWIREBINARY}" = "" ]; then
+ if [ ! -z "${TRIPWIREBINARY}" ]; then
LogText "Result: Tripwire is installed (${TRIPWIREBINARY})"
Report "file_integrity_tool[]=tripwire"
FILE_INT_TOOL="tripwire"
@@ -179,7 +181,7 @@
Register --test-no FINT-4330 --weight L --network NO --category security --description "mtree availability"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking mtree binary"
- if [ ! "${MTREEBINARY}" = "" ]; then
+ if [ ! -z "${MTREEBINARY}" ]; then
LogText "Result: mtree is installed (${MTREEBINARY})"
Report "file_integrity_tool[]=mtree"
FILE_INT_TOOL="mtree"
@@ -219,26 +221,26 @@
Register --test-no FINT-4336 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check lfd configuration status"
if [ ${SKIPTEST} -eq 0 ]; then
# LFD configuration parameters
- ENABLED=`${GREPBINARY} "^LF_DAEMON = \"1\"" ${CSF_CONFIG}`
+ ENABLED=$(${GREPBINARY} "^LF_DAEMON = \"1\"" ${CSF_CONFIG})
if [ ! "${ENABLED}" = "" ]; then
LogText "Result: lfd service is configured to run"
Display --indent 6 --text "- Configuration status" --result "${STATUS_ENABLED}" --color GREEN
- else
+ else
LogText "Result: lfd service is configured NOT to run"
Display --indent 6 --text "- Configuration status" --result "${STATUS_DISABLED}" --color YELLOW
fi
- ENABLED=`${GREPBINARY} "^LF_DIRWATCH =" ${CSF_CONFIG} | ${AWKBINARY} '{ print $3 }' | ${SEDBINARY} 's/\"//g'`
+ ENABLED=$(${GREPBINARY} "^LF_DIRWATCH =" ${CSF_CONFIG} | ${AWKBINARY} '{ print $3 }' | ${SEDBINARY} 's/\"//g')
if [ ! "${ENABLED}" = "0" -a ! "${ENABLED}" = "" ]; then
LogText "Result: lfd directory watching is enabled (value: ${ENABLED})"
Display --indent 6 --text "- Temporary directory watches" --result "${STATUS_ENABLED}" --color GREEN
- else
+ else
LogText "Result: lfd directory watching is disabled"
Display --indent 6 --text "- Temporary directory watches" --result "${STATUS_DISABLED}" --color YELLOW
fi
- ENABLED=`${GREPBINARY} "^LF_DIRWATCH_FILE =" ${CSF_CONFIG} | ${AWKBINARY} '{ print $3 }' | ${SEDBINARY} 's/\"//g'`
+ ENABLED=$(${GREPBINARY} "^LF_DIRWATCH_FILE =" ${CSF_CONFIG} | ${AWKBINARY} '{ print $3 }' | ${SEDBINARY} 's/\"//g')
if [ ! "${ENABLED}" = "0" -a ! "${ENABLED}" = "" ]; then
Display --indent 6 --text "- Directory/File watches" --result "${STATUS_ENABLED}" --color GREEN
- else
+ else
Display --indent 6 --text "- Directory/File watches" --result "${STATUS_DISABLED}" --color YELLOW
fi
fi
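Review bot: The three `ENABLED` checks in this hunk keep the old comparison style (`[ ! "${ENABLED}" = "" ]` and `[ ! "${ENABLED}" = "0" -a ! "${ENABLED}" = "" ]`) while the rest of the commit moves to `-z`. For consistency the first could be `if [ ! -z "${ENABLED}" ]; then`, and the two combined tests could avoid the ambiguous `-a` operator with `if [ ! -z "${ENABLED}" ] && [ ! "${ENABLED}" = "0" ]; then`. `${CSF_CONFIG}` is passed to grep unquoted, which matters more now that it is built from `${ROOTDIR}`.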
@@ -257,7 +259,7 @@
FILE_INT_TOOL="osquery"
FILE_INT_TOOL_FOUND=1
Display --indent 4 --text "- osquery daemon (syscheck)" --result "${STATUS_FOUND}" --color GREEN
- else
+ else
LogText "Result: syscheck (osquery) not installed"
if IsVerbose; then Display --indent 4 --text "- osquery daemon (syscheck)" --result "${STATUS_NOT_FOUND}" --color WHITE; fi
fi
@@ -271,7 +273,7 @@
Register --test-no FINT-4402 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "AIDE configuration: Checksums (SHA256 or SHA512)"
if [ ${SKIPTEST} -eq 0 ]; then
FIND=$(${GREPBINARY} -v "^#" ${AIDECONFIG} | ${EGREPBINARY} "= .*(sha256|sha512)")
- if [ "${FIND}" = "" ]; then
+ if [ -z "${FIND}" ]; then
LogText "Result: No SHA256 or SHA512 found for creating checksums"
Display --indent 6 --text "- AIDE config (Checksum)" --result Suggestion --color YELLOW
ReportSuggestion ${TEST_NO} "Use SHA256 or SHA512 to create checksums in AIDE"
diff --git a/include/tests_file_permissions b/include/tests_file_permissions
index 79f721b3..2d627bf9 100644
--- a/include/tests_file_permissions
+++ b/include/tests_file_permissions
@@ -34,7 +34,7 @@
LogText "Test: Checking file permissions"
for PROFILE in ${PROFILES}; do
LogText "Using profile ${PROFILE} for baseline."
- FIND=`${EGREPBINARY} '^permfile:|^permdir:' ${PROFILE} | ${CUTBINARY} -d: -f2`
+ FIND=$(${EGREPBINARY} '^permfile:|^permdir:' ${PROFILE} | ${CUTBINARY} -d: -f2)
for I in ${FIND}; do
LogText "Checking ${I}"
CheckFilePermissions ${I}
@@ -43,14 +43,14 @@
LogText " Result: $PERMS"
if [ "${PERMS}" = "FILE_NOT_FOUND" ]; then
Display --indent 4 --text "${I}" --result "${STATUS_NOT_FOUND}" --color WHITE
- elif [ "${PERMS}" = "OK" ]; then
+ elif [ "${PERMS}" = "OK" ]; then
Display --indent 4 --text "${I}" --result "${STATUS_OK}" --color GREEN
- elif [ "${PERMS}" = "BAD" ]; then
+ elif [ "${PERMS}" = "BAD" ]; then
Display --indent 4 --text "${I}" --result "${STATUS_WARNING}" --color RED
ReportWarning ${TEST_NO} "Incorrect permissions for file ${I}"
- else
+ else
LogText "UNKNOWN status for file"
- fi
+ fi
done
done
fi
diff --git a/include/tests_filesystems b/include/tests_filesystems
index 5d46f831..94f067bf 100644
--- a/include/tests_filesystems
+++ b/include/tests_filesystems
@@ -46,20 +46,20 @@
LogText "Result: ${I} is a symlink. Manual check required to determine exact file system options"
ReportSuggestion ${TEST_NO} "Symlinked mount point needs to be checked manually" "${I}" ""
Display --indent 4 --text "- Checking ${I} mount point" --result SYMLINK --color WHITE
- elif [ -d ${I} ]; then
+ elif [ -d ${I} ]; then
LogText "Result: directory ${I} exists"
- FIND=`mount | ${GREPBINARY} "${I}"`
- if [ ! "${FIND}" = "" ]; then
+ FIND=$(${MOUNTBINARY} | ${GREPBINARY} "${I}")
+ if [ ! -z "${FIND}" ]; then
LogText "Result: found ${I} as a separated mount point"
Display --indent 4 --text "- Checking ${I} mount point" --result "${STATUS_OK}" --color GREEN
AddHP 10 10
- else
+ else
LogText "Result: ${I} not found in mount list. Directory most likely stored on / file system"
Display --indent 4 --text "- Checking ${I} mount point" --result "${STATUS_SUGGESTION}" --color YELLOW
ReportSuggestion ${TEST_NO} "To decrease the impact of a full ${I} file system, place ${I} on a separated partition"
AddHP 9 10
fi
- else
+ else
LogText "Result: directory ${I} does not exist"
fi
done
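Review bot: `${GREPBINARY} "${I}"` on the `FIND=$(${MOUNTBINARY} | ...)` line matches the directory name anywhere in the mount output. `/home` is therefore also satisfied by `/home2` or by a device path containing that string, and the test then awards `AddHP 10 10` for a separate mount point that may not exist. Comparing the mount-point field exactly is more reliable: `FIND=$(${MOUNTBINARY} | ${AWKBINARY} -v mp="${I}" '$3 == mp')`. `${I}` is also unquoted in `[ -d ${I} ]`. The loop starts outside the hunk.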
@@ -76,16 +76,16 @@
LogText "Test: Checking for LVM volume groups"
case ${OS} in
AIX)
- FIND=`${LSVGBINARY} -o`
+ FIND=$(${LSVGBINARY} -o)
;;
Linux)
- FIND=`${VGDISPLAYBINARY} 2> /dev/null | ${GREPBINARY} -v "No volume groups found" | ${GREPBINARY} "VG Name" | ${AWKBINARY} '{ print $3 }' | sort`
+ FIND=$(${VGDISPLAYBINARY} 2> /dev/null | ${GREPBINARY} -v "No volume groups found" | ${GREPBINARY} "VG Name" | ${AWKBINARY} '{ print $3 }' | ${SORTBINARY})
;;
*)
ReportException "${TEST_NO}:1" "Don't know this specific operating system yet, while volume group manager was found"
;;
esac
- if [ ! "${FIND}" = "" ]; then
+ if [ ! -z "${FIND}" ]; then
LogText "Result: found one or more volume groups"
for I in ${FIND}; do
LogText "Found LVM volume group: ${I}"
@@ -93,7 +93,7 @@
done
LVM_VG_USED=1
Display --indent 2 --text "- Checking LVM volume groups" --result "${STATUS_FOUND}" --color GREEN
- else
+ else
LogText "Result: no LVM volume groups found"
if IsVerbose; then Display --indent 2 --text "- Checking LVM volume groups" --result "${STATUS_NONE}" --color WHITE; fi
fi
@@ -109,11 +109,11 @@
LogText "Test: Checking for LVM volumes"
case ${OS} in
AIX)
- ACTIVE_VG_LIST=`${LSVGBINARY} -o`
- FIND=`for I in ${ACTIVE_VG_LIST}; do ${LSVGBINARY} -l ${I} | ${AWKBINARY} 'NR>2 { print $1 }'; done`
+ ACTIVE_VG_LIST=$(${LSVGBINARY} -o)
+ FIND=$(for I in ${ACTIVE_VG_LIST}; do ${LSVGBINARY} -l ${I} | ${AWKBINARY} 'NR>2 { print $1 }'; done)
;;
Linux)
- FIND=`${LVDISPLAYBINARY} | ${GREPBINARY} -v "No volume groups found" | ${GREPBINARY} "LV Name" | ${AWKBINARY} '{ print $3 }' | sort`
+ FIND=$(${LVDISPLAYBINARY} | ${GREPBINARY} -v "No volume groups found" | ${GREPBINARY} "LV Name" | ${AWKBINARY} '{ print $3 }' | ${SORTBINARY})
;;
*)
ReportException "${TEST_NO}:1" "Need specific test for gathering volume manager data"
@@ -126,7 +126,7 @@
Report "lvm_volume[]=${I}"
done
Display --indent 4 --text "- Checking LVM volumes" --result "${STATUS_FOUND}" --color GREEN
- else
+ else
LogText "Result: no LVM volume groups found"
Display --indent 4 --text "- Checking LVM volumes" --result "${STATUS_NONE}" --color WHITE
fi
@@ -147,16 +147,16 @@
Register --test-no FILE-6323 --os Linux --weight L --network NO --category security --description "Checking EXT file systems"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking for Linux EXT file systems"
- FIND=`mount -t ext2,ext3,ext4 | ${AWKBINARY} '{ print $3","$5 }'`
- if [ ! "${FIND}" = "" ]; then
+ FIND=$(${MOUNTBINARY} -t ext2,ext3,ext4 | ${AWKBINARY} '{ print $3","$5 }')
+ if [ ! -z "${FIND}" ]; then
LogText "Result: found one or more EXT file systems"
for I in ${FIND}; do
- FILESYSTEM=`echo ${I} | ${CUTBINARY} -d ',' -f1`
- FILETYPE=`echo ${I} | ${CUTBINARY} -d ',' -f2`
+ FILESYSTEM=$(echo ${I} | ${CUTBINARY} -d ',' -f1)
+ FILETYPE=$(echo ${I} | ${CUTBINARY} -d ',' -f2)
LogText "File system: ${FILESYSTEM} (type: ${FILETYPE})"
Report "file_systems_ext[]=${FILESYSTEM}|${FILETYPE}|"
done
- else
+ else
LogText "Result: no EXT file systems found"
Report "file_systems_ext[]=none"
fi
@@ -170,11 +170,11 @@
Register --test-no FILE-6329 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking FFS/UFS file systems"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Query /etc/fstab for available FFS/UFS mount points"
- FIND=`${AWKBINARY} '{ if ($3 == "ufs" || $3 == "ffs" ) { print $1":"$2":"$3":"$4":" }}' /etc/fstab`
- if [ "${FIND}" = "" ]; then
+ FIND=$(${AWKBINARY} '{ if ($3 == "ufs" || $3 == "ffs" ) { print $1":"$2":"$3":"$4":" }}' /etc/fstab)
+ if [ -z "${FIND}" ]; then
if IsVerbose; then Display --indent 2 --text "- Querying FFS/UFS mount points (fstab)" --result "${STATUS_NONE}" --color WHITE; fi
LogText "Result: unable to find any single mount point (FFS/UFS)"
- else
+ else
Display --indent 2 --text "- Querying FFS/UFS mount points (fstab)" --result "${STATUS_FOUND}" --color GREEN
Report "filesystem[]=ufs"
for I in ${FIND}; do
@@ -191,11 +191,11 @@
Register --test-no FILE-6330 --os FreeBSD --weight L --network NO --category security --description "Checking ZFS file systems"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Query /etc/fstab for available ZFS mount points"
- FIND=`mount -p | ${AWKBINARY} '{ if ($3 == "zfs") { print $1":"$2":"$3":"$4":" }}'`
- if [ "${FIND}" = "" ]; then
+ FIND=$(${MOUNTBINARY} -p | ${AWKBINARY} '{ if ($3 == "zfs") { print $1":"$2":"$3":"$4":" }}')
+ if [ -z "${FIND}" ]; then
Display --indent 2 --text "- Querying ZFS mount points (mount -p)" --result "${STATUS_NONE}" --color WHITE
LogText "Result: unable to find any single mount point (ZFS)"
- else
+ else
Display --indent 2 --text "- Querying ZFS mount points (mount -p)" --result "${STATUS_FOUND}" --color GREEN
Report "filesystem[]=zfs"
for I in ${FIND}; do
@@ -215,7 +215,7 @@
FOUND=0
LogText "Test: query swap partitions from /etc/fstab file"
# Check if third field contains 'swap'
- FIND=`${AWKBINARY} '{ if ($2=="swap" || $3=="swap") { print $1 }}' /etc/fstab | ${GREPBINARY} -v "^#"`
+ FIND=$(${AWKBINARY} '{ if ($2=="swap" || $3=="swap") { print $1 }}' /etc/fstab | ${GREPBINARY} -v "^#")
for I in ${FIND}; do
FOUND=1
REAL=""
@@ -227,12 +227,12 @@
# Test for UUID usage (e.g. UUID=uuid --> /dev/disk/by-uuid/<uuid>)
HAS_UUID=`echo ${I} | ${GREPBINARY} "^UUID="`
- if [ ! "${HAS_UUID}" = "" ]; then
+ if [ ! -z "${HAS_UUID}" ]; then
UUID=`echo ${HAS_UUID} | ${AWKBINARY} -F= '{ print $2 }'`
LogText "Result: Using ${UUID} as UUID"
- if [ ! "${BLKIDBINARY}" = "" ]; then
+ if [ ! -z "${BLKIDBINARY}" ]; then
FIND2=$(${BLKIDBINARY} | ${AWKBINARY} '{ if ($2=="UUID=\"${UUID}\"") print $1 }' | ${SEDBINARY} 's/:$//')
- if [ ! "${FIND2}" = "" ]; then
+ if [ ! -z "${FIND2}" ]; then
REAL="${FIND2}"
fi
else
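Review bot: On the `FIND2=$(${BLKIDBINARY} | ${AWKBINARY} ...)` line, `${UUID}` sits inside the single-quoted awk program, so the shell never expands it and awk compares field 2 with the literal text `UUID="${UUID}"`. FIND2 is therefore always empty and this branch never sets REAL from blkid. Passing the value as an awk variable fixes it: `${AWKBINARY} -v uuid="${UUID}" '{ if ($2 == "UUID=\"" uuid "\"") print $1 }'`. The `HAS_UUID=` and `UUID=` assignments in the same hunk still use backticks, unlike the rest of this cleanup. The enclosing loop starts and ends outside the hunk.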
@@ -241,7 +241,7 @@
if [ -L /dev/disk/by-uuid/${UUID} ]; then
LogText "Result: found disk via /dev/disk/by-uuid listing"
ShowSymlinkPath /dev/disk/by-uuid/${UUID}
- if [ ! "${sFILE}" = "" ]; then
+ if [ ! -z "${sFILE}" ]; then
REAL="${sFILE}"
LogText "Result: disk is ${REAL}"
fi
@@ -251,7 +251,7 @@
fi
fi
# Set real device
- if [ "${REAL}" = "" ]; then
+ if [ -z "${REAL}" ]; then
REAL="${I}"
fi
Report "swap_partition[]=${I},${REAL},"
@@ -275,12 +275,11 @@
if [ ${SKIPTEST} -eq 0 ]; then
# Swap partitions should be mounted with 'sw' or 'swap'
LogText "Test: check swap partitions with incorrect mount options"
- #FIND=`${AWKBINARY} '{ if ($3=="swap" && ($4!="sw" && $4!="swap" && $4!="defaults")) print $1 }' /etc/fstab`
- FIND=`${AWKBINARY} '{ if ($3=="swap" && ($4!~/sw/ && $4!="defaults")) { print $1 }}' /etc/fstab`
- if [ "${FIND}" = "" ]; then
+ FIND=$(${AWKBINARY} '{ if ($3=="swap" && ($4!~/sw/ && $4!="defaults")) { print $1 }}' /etc/fstab)
+ if [ -z "${FIND}" ]; then
Display --indent 2 --text "- Testing swap partitions" --result "${STATUS_OK}" --color GREEN
LogText "Result: all swap partitions have correct options (sw or swap)"
- else
+ else
Display --indent 2 --text "- Testing swap partitions" --result "CHECK NEEDED" --color YELLOW
LogText "Result: possible incorrect mount options used for mounting swap partition (${FIND})"
#ReportWarning ${TEST_NO} "Possible incorrect mount options used for swap parition (${FIND})"
@@ -295,7 +294,7 @@
# Description : Check proc mount options (Linux >=3.3 only)
# Examples : proc /proc proc defaults,hidepid=2 0 0
# Goal : Users should not be able to see processes of other users
- if [ "${OS}" = "Linux" -a -f /proc/version ]; then
+ if [ "${OS}" = "Linux" -a -f ${ROOTDIR}proc/version ]; then
LINUX_KERNEL_MAJOR=$(echo $OS_KERNELVERSION | ${AWKBINARY} -F. '{print $1}')
LINUX_KERNEL_MINOR=$(echo $OS_KERNELVERSION | ${AWKBINARY} -F. '{print $2}')
if [ ! -z "${LINUX_KERNEL_MAJOR}" -a ! -z "${LINUX_KERNEL_MINOR}" ]; then
@@ -308,7 +307,7 @@
if [ ${SKIPTEST} -eq 0 ]; then
# Proc should be mounted with 'hidepid=2' or 'hidepid=1' at least
LogText "Test: check proc mount with incorrect mount options"
- FIND=$(mount | ${EGREPBINARY} "/proc " | ${EGREPBINARY} -o "hidepid=[0-9]")
+ FIND=$(${MOUNTBINARY} | ${EGREPBINARY} "${ROOTDIR}proc " | ${EGREPBINARY} -o "hidepid=[0-9]")
if [ "${FIND}" = "hidepid=2" ]; then
Display --indent 2 --text "- Testing /proc mount (hidepid)" --result "${STATUS_OK}" --color GREEN
LogText "Result: proc mount mounted with hidepid=2"
@@ -335,15 +334,15 @@
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Searching for old files in /tmp"
# Search for files only in /tmp, with an access time older than X days
- FIND=`find /tmp -xdev -type f -atime +${TMP_OLD_DAYS} | ${SEDBINARY} 's/ /!space!/g'`
- if [ "${FIND}" = "" ]; then
+ FIND=$(${FINDBINARY} ${ROOTDIR}tmp -xdev -type f -atime +${TMP_OLD_DAYS} | ${SEDBINARY} 's/ /!space!/g')
+ if [ -z "${FIND}" ]; then
Display --indent 2 --text "- Checking for old files in /tmp" --result "${STATUS_OK}" --color GREEN
LogText "Result: no files found in /tmp which are older than 3 months"
- else
+ else
Display --indent 2 --text "- Checking for old files in /tmp" --result "${STATUS_FOUND}" --color RED
N=0
for I in ${FIND}; do
- FILE=`echo ${I} | ${SEDBINARY} 's/!space!/ /g'`
+ FILE=$(echo ${I} | ${SEDBINARY} 's/!space!/ /g')
LogText "Old temporary file: ${FILE}"
N=$((N + 1))
done
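Review bot: File names under /tmp can be created by any local user, and `for I in ${FIND}` expands them unquoted. A name containing `*`, a tab or a newline is glob-expanded or split before it reaches `LogText`, which can put misleading lines in the audit log and skew N; the `!space!` substitution only covers spaces. Disabling pathname expansion around the loop (`set -f` before `for I in ${FIND}; do`, `set +f` after `done`) removes the globbing, and a comment should state that names with tabs or newlines are still split. Separately, the success message says "older than 3 months" while the search uses `${TMP_OLD_DAYS}`. The test continues outside the hunk.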
@@ -396,28 +395,28 @@
if [ ${SKIPTEST} -eq 0 ]; then
FOUND=0
LogText "Test: Checking acl option on ext[2-4] root file system"
- FIND=`mount | ${AWKBINARY} '{ if ($3=="/" && $5~/ext[2-4]/) { print $6 } }' | ${GREPBINARY} acl`
- if [ ! "${FIND}" = "" ]; then
+ FIND=$(${MOUNTBINARY} | ${AWKBINARY} '{ if ($3=="/" && $5~/ext[2-4]/) { print $6 } }' | ${GREPBINARY} acl)
+ if [ ! -z "${FIND}" ]; then
LogText "Result: found ACL option"
FOUND=1
- else
+ else
LogText "Result: mount point probably mounted with defaults"
LogText "Test: Checking device which holds root file system"
# Get device on which root file system is mounted. Use /dev/root if it exists, or
# else check output of mount
- if [ -b /dev/root ]; then
- FIND1="/dev/root"
- else
+ if [ -b ${ROOTDIR}dev/root ]; then
+ FIND1="${ROOTDIR}dev/root"
+ else
# Only determine device if it is EXT2/3/4
#FIND1=`mount | ${GREPBINARY} "on / " | ${AWKBINARY} '{ if ($5~/ext[2-4]/) { print $1 }}'`
- FIND1=`mount -t ext2,ext3,ext4 | ${GREPBINARY} "on / " | ${AWKBINARY} '{ print $1 }'`
+ FIND1=$(${MOUNTBINARY} -t ext2,ext3,ext4 | ${GREPBINARY} "on / " | ${AWKBINARY} '{ print $1 }')
fi
# Trying to determine default mount options from EXT2/EXT3/EXT4 file systems
- if [ ! "${FIND1}" = "" ]; then
+ if [ ! -z "${FIND1}" ]; then
LogText "Result: found ${FIND1}"
LogText "Test: Checking default options on ${FIND1}"
- FIND2=`${TUNE2FSBINARY} -l ${FIND1} 2> /dev/null | ${GREPBINARY} "^Default mount options" | ${GREPBINARY} "acl"`
- if [ ! "${FIND2}" = "" ]; then
+ FIND2=$(${TUNE2FSBINARY} -l ${FIND1} 2> /dev/null | ${GREPBINARY} "^Default mount options" | ${GREPBINARY} "acl")
+ if [ ! -z "${FIND2}" ]; then
LogText "Result: found ACL option in default mount options"
FOUND=1
else
@@ -429,8 +428,8 @@
fi
LogText "Test: Checking acl option on xfs root file system"
- FIND=`mount | ${AWKBINARY} '{ if ($3=="/" && $5~/xfs/) { print $6 } }' | ${EGREPBINARY} 'no_acl|no_user_xattr'`
- if [ "${FIND}" = "" ]; then
+ FIND=$(${MOUNTBINARY} | ${AWKBINARY} '{ if ($3=="/" && $5~/xfs/) { print $6 } }' | ${EGREPBINARY} 'no_acl|no_user_xattr')
+ if [ -z "${FIND}" ]; then
FOUND=1
# some other tests to do ?
fi
@@ -441,7 +440,7 @@
LogText "Activate acl support on and active file system with mount -o remount,acl / and add the acl option to the fstab file"
Display --indent 2 --text "- ACL support root file system" --result "${STATUS_DISABLED}" --color YELLOW
AddHP 0 1
- else
+ else
LogText "Result: ACL option enabled on root file system"
Display --indent 2 --text "- ACL support root file system" --result "${STATUS_ENABLED}" --color GREEN
AddHP 3 3
@@ -506,11 +505,11 @@
FS_FSTAB=$(${AWKBINARY} -v fs=${FILESYSTEM} '{ if ($2==fs) { print $3 } }' /etc/fstab)
if [ "${FS_FSTAB}" = "glusterfs" ]; then
EXPECTED_FLAGS=$(echo ${EXPECTED_FLAGS} | ${SEDBINARY} 's/\<\(nodev\|nosuid\)\> *//g')
- if [ "${EXPECTED_FLAGS}" = "" ]; then
+ if [ -z "${EXPECTED_FLAGS}" ]; then
FS_FSTAB=""
fi
fi
- if [ ! "${FS_FSTAB}" = "" ]; then
+ if [ ! -z "${FS_FSTAB}" ]; then
FOUND_FLAGS=$(${AWKBINARY} -v fs=${FILESYSTEM} '{ if ($2==fs) { print $4 } }' /etc/fstab | ${SEDBINARY} 's/,/ /g' | ${TRBINARY} '\n' ' ')
LogText "File system: ${FILESYSTEM}"
LogText "Expected flags: ${EXPECTED_FLAGS}"
@@ -522,7 +521,7 @@
if [ "${FLAG_AVAILABLE}" = "" ]; then
LogText "Result: Could not find mount option ${FLAG} on file system ${FILESYSTEM}"
FULLY_HARDENED=0
- else
+ else
LogText "Result: GOOD, found mount option ${FLAG} on file system ${FILESYSTEM}"
PARTIALLY_HARDENED=1
fi
@@ -540,7 +539,7 @@
LogText "Result: marked ${FILESYSTEM} options as default (non hardened)"
Display --indent 2 --text "- Mount options of ${FILESYSTEM}" --result DEFAULT --color YELLOW
AddHP 3 5
- else
+ else
LogText "Result: marked ${FILESYSTEM} options as non default (unclear about hardening)"
Display --indent 2 --text "- Mount options of ${FILESYSTEM}" --result "NON DEFAULT" --color YELLOW
AddHP 4 5
@@ -562,16 +561,16 @@
if [ -f /etc/fstab ]; then
FIND=$(${AWKBINARY} '{ if ($2=="/var/tmp") { print $4 } }' /etc/fstab)
BIND=$(echo ${FIND} | ${AWKBINARY} '{ if ($1 ~ "bind") { print "YES" } else { print "NO" } }')
- if [ ! "${FIND}" = "" ]; then
+ if [ ! -z "${FIND}" ]; then
LogText "Result: mount system /var/tmp is configured with options: ${FIND}"
if [ "${BIND}" = "YES" ]; then
Display --indent 2 --text "- /var/tmp is bound to /tmp" --result "${STATUS_OK}" --color GREEN
LogText "Result : /var/tmp is bind to /tmp"
- else
+ else
Display --indent 2 --text "- /var/tmp is not bound to /tmp" --result "NON DEFAULT" --color YELLOW
LogText "Result: /var/tmp is not bind to /tmp"
fi
- else
+ else
LogText "Result: no mount point /var/tmp or expected options found"
if IsVerbose; then Display --indent 2 --text "- /var/tmp is not bound to /tmp" --result "INFO" --color WHITE; fi
fi
@@ -693,7 +692,7 @@
# Data : cramfs freevxfs hfs hfsplus jffs2 squashfs udf
Register --test-no FILE-6430 --weight L --network NO --category security --description "Disable mounting of some filesystems"
if [ ${SKIPTEST} -eq 0 ]; then
- if [ ! "${LSMODBINARY}" = "" -a -f /proc/modules ]; then
+ if [ ! -z "${LSMODBINARY}" -a -f /proc/modules ]; then
Display --indent 2 --text "- Disable kernel support of some filesystems"
LIST_FS_NOT_SUPPORTED="cramfs freevxfs hfs hfsplus jffs2 squashfs udf"
FOUND=0
@@ -701,13 +700,13 @@
AVAILABLE_MODPROBE_FS=""
for FS in ${LIST_FS_NOT_SUPPORTED}; do
# Check if filesystem is present in modprobe output
- FIND=`${MODPROBEBINARY} -v -n $FS 2>/dev/null | ${EGREPBINARY} "/${FS}.ko" | tail -1`
+ FIND=$(${MODPROBEBINARY} -v -n $FS 2>/dev/null | ${EGREPBINARY} "/${FS}.ko" | tail -1)
if [ ! -z "${FIND}" ]; then
LogText "Result: found module support in kernel: ${FIND}"
Debug "Module ${FS} present in the kernel"
LogText "Test: Checking if ${FS} is active"
# Check if FS is present in lsmod output
- FIND=`${LSMODBINARY} | ${EGREPBINARY} "^${FS}"`
+ FIND=$(${LSMODBINARY} | ${EGREPBINARY} "^${FS}")
if [ -z "${FIND}" ]; then
LogText "Result: module ${FS} is not loaded in the kernel"
AddHP 2 3
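Review bot: `${EGREPBINARY} "^${FS}"` on the lsmod check is a prefix match, so a loaded `hfsplus` module also makes the `hfs` iteration see a loaded module, and the result recorded for `hfs` then reflects a different file system. Matching the module-name column exactly avoids this: `FIND=$(${LSMODBINARY} | ${AWKBINARY} -v fs="${FS}" '$1 == fs')`. In the modprobe check the dot in `"/${FS}.ko"` is an unescaped regex metacharacter, and `tail -1` is still called by bare name while this commit moves other tools to `${...BINARY}` variables. The branch for a loaded module is outside the hunk.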
diff --git a/include/tests_firewalls b/include/tests_firewalls
index 76aff719..cf1e48f2 100644
--- a/include/tests_firewalls
+++ b/include/tests_firewalls
@@ -40,8 +40,8 @@
# Description : Check iptables kernel module
Register --test-no FIRE-4502 --os Linux --weight L --network NO --category security --description "Check iptables kernel module"
if [ ${SKIPTEST} -eq 0 ]; then
- FIND=`${LSMODBINARY} | ${AWKBINARY} '{ print $1 }' | ${GREPBINARY} "^ip*_tables"`
- if [ ! "${FIND}" = "" ]; then
+ FIND=$(${LSMODBINARY} | ${AWKBINARY} '{ print $1 }' | ${GREPBINARY} "^ip*_tables")
+ if [ ! -z "${FIND}" ]; then
FIREWALL_ACTIVE=1
FIREWALL_SOFTWARE="iptables"
IPTABLES_ACTIVE=1
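Review bot: The pattern `"^ip*_tables"` is a regular expression, not a glob: `p*` means zero or more `p`, so it matches `ip_tables` but not `ip6_tables`. If IPv6 filter modules are meant to count, which the glob-like spelling suggests although the intent is not stated, a host with only `ip6_tables` loaded is reported as having no iptables module. `FIND=$(${LSMODBINARY} | ${AWKBINARY} '{ print $1 }' | ${EGREPBINARY} "^ip6?_tables")` expresses that intent. The test body continues outside the hunk.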
@@ -51,14 +51,14 @@
for I in ${FIND}; do
LogText "Found module: ${I}"
done
- else
+ else
Display --indent 2 --text "- Checking iptables kernel module" --result "${STATUS_NOT_FOUND}" --color WHITE
# If we can't find an active module, try to find the Linux configuration file and check that
if [ -f /proc/config.gz ]; then
LINUXCONFIGFILE="/proc/config.gz"; tCATCMD="zcat";
fi
- sLINUXCONFIGFILE="/boot/config-`uname -r`"
+ sLINUXCONFIGFILE="/boot/config-$(uname -r)"
if [ -f ${sLINUXCONFIGFILE} ]; then
LINUXCONFIGFILE=${sLINUXCONFIGFILE}; tCATCMD="cat";
fi
@@ -69,9 +69,9 @@
if [ ! "${LINUXCONFIGFILE}" = "" ]; then
if [ -f ${LINUXCONFIGFILE} -a ${IPTABLES_MODULE_ACTIVE} -eq 0 ]; then
LogText "Result: found kernel configuration file (${LINUXCONFIGFILE})"
- FIND=`${tCATCMD} ${LINUXCONFIGFILE} | ${GREPBINARY} -v '^#' | ${GREPBINARY} "CONFIG_IP_NF_IPTABLES" | head -n 1`
- if [ ! "${FIND}" = "" ]; then
- HAVEMOD=`echo ${FIND} | ${CUTBINARY} -d '=' -f2`
+ FIND=$(${tCATCMD} ${LINUXCONFIGFILE} | ${GREPBINARY} -v '^#' | ${GREPBINARY} "CONFIG_IP_NF_IPTABLES" | head -n 1)
+ if [ ! -z "${FIND}" ]; then
+ HAVEMOD=$(echo ${FIND} | ${CUTBINARY} -d '=' -f2)
# Do not use iptables if it's compiled as a module (=m), since we already tested for it in the
# active list.
if [ "${HAVEMOD}" = "y" ]; then
@@ -81,10 +81,10 @@
FIREWALL_ACTIVE=1
FIREWALL_SOFTWARE="iptables"
Display --indent 2 --text "- Checking iptables in config file" --result "${STATUS_FOUND}" --color GREEN
- else
+ else
LogText "Result: no iptables found in Linux kernel config file"
fi
- else
+ else
LogText "Result: no Linux configuration file found"
Display --indent 2 --text "- Checking iptables in config file" --result "${STATUS_NOT_FOUND}" --color WHITE
fi
@@ -110,9 +110,9 @@
done
echo "${FIND}" | while read line; do
- table=`echo ${line} | ${AWKBINARY} '{ print $1 }'`
- chainname=`echo ${line} | ${AWKBINARY} '{ print $2 }'`
- policy=`echo ${line} | ${AWKBINARY} '{ print $3 }'`
+ table=$(echo ${line} | ${AWKBINARY} '{ print $1 }')
+ chainname=$(echo ${line} | ${AWKBINARY} '{ print $2 }')
+ policy=$(echo ${line} | ${AWKBINARY} '{ print $3 }')
LogText "Result: iptables ${table} -- ${chainname} policy is ${policy}."
LogText "Result: ${policy}"
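Review bot: The loop forks `echo | awk` three times per line and calls `read` without `-r`, so backslashes in the input are interpreted. `read` can split the fields itself: `echo "${FIND}" | while read -r table chainname policy rest; do`, which also removes the unquoted `echo ${line}` expansions. Because the loop is the right-hand side of a pipe, shells that run it in a subshell discard any variable set inside it; that deserves a comment if code after the loop relies on state from here. The loop body continues outside the hunk.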
@@ -148,8 +148,8 @@
if [ ! "${IPTABLESBINARY}" = "" -a ${IPTABLES_ACTIVE} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no FIRE-4512 --preqs-met ${PREQS_MET} --os Linux --weight L --network NO --root-only YES --category security --description "Check iptables for empty ruleset"
if [ ${SKIPTEST} -eq 0 ]; then
- FIND=`${IPTABLESBINARY} --list --numeric 2> /dev/null | ${EGREPBINARY} -v "^(Chain|target|$)" | wc -l | ${TRBINARY} -d ' '`
- if [ ! "${FIND}" = "" ]; then
+ FIND=$(${IPTABLESBINARY} --list --numeric 2> /dev/null | ${EGREPBINARY} -v "^(Chain|target|$)" | ${WCBINARY} -l | ${TRBINARY} -d ' ')
+ if [ ! -z "${FIND}" ]; then
FIREWALL_ACTIVE=1
if [ ${FIND} -le 10 ]; then
# Firewall is active, but clearly needs configuration
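Review bot: The new `${WCBINARY}` stage makes this test depend on a variable whose definition is not visible in this diff; if it is ever empty, the stage fails, FIND is empty and the ruleset check is skipped without a log line. The same applies to `${XARGSBINARY}` in FIRE-4513 and `${FINDBINARY}` in HOME-9310, where an empty FIND is displayed as OK, and to `${HEADBINARY}`, `${LSBINARY}`, `${FILEBINARY}` and `${UNAMEBINARY}` in the later hunks. Please confirm each is populated on every supported platform before the tests run, or add it to the prerequisite, e.g. `if [ ! -z "${IPTABLESBINARY}" -a ! -z "${WCBINARY}" -a ${IPTABLES_ACTIVE} -eq 1 ]`. The `if` body continues outside the hunk.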
@@ -157,7 +157,7 @@
LogText "Result: iptables ruleset seems to be empty (found ${FIND} rules)"
Display --indent 4 --text "- Checking for empty ruleset" --result "${STATUS_WARNING}" --color RED
ReportWarning ${TEST_NO} "iptables module(s) loaded, but no rules active"
- else
+ else
LogText "Result: one or more rules are available (${FIND} rules)"
Display --indent 4 --text "- Checking for empty ruleset" --result "${STATUS_OK}" --color GREEN
fi
@@ -168,20 +168,19 @@
#
# Test : FIRE-4513
# Description : Check iptables for unused rules
- if [ ! "${IPTABLESBINARY}" = "" -a ${IPTABLES_ACTIVE} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ if [ ! -z "${IPTABLESBINARY}" -a ${IPTABLES_ACTIVE} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no FIRE-4513 --preqs-met ${PREQS_MET} --os Linux --weight L --network NO --root-only YES --category security --description "Check iptables for unused rules"
if [ ${SKIPTEST} -eq 0 ]; then
- FIND=`${IPTABLESBINARY} --list --numeric --line-numbers --verbose | ${AWKBINARY} '{ if ($2=="0") print $1 }' | xargs`
- if [ "${FIND}" = "" ]; then
+ FIND=$(${IPTABLESBINARY} --list --numeric --line-numbers --verbose | ${AWKBINARY} '{ if ($2=="0") print $1 }' | ${XARGSBINARY})
+ if [ -z "${FIND}" ]; then
Display --indent 4 --text "- Checking for unused rules" --result "${STATUS_OK}" --color GREEN
LogText "Result: There are no unused rules present"
- else
+ else
Display --indent 4 --text "- Checking for unused rules" --result "${STATUS_FOUND}" --color YELLOW
LogText "Result: Found one or more possible unused rules"
LogText "Description: Unused rules can be a sign that the firewall rules aren't optimized or up-to-date"
LogText "Note: Sometimes rules aren't triggered but still in use. Keep this in mind before cleaning up rules."
LogText "Output: iptables rule numbers: ${FIND}"
- #ReportWarning ${TEST_NO} "Found possible unused iptables rules ($FIND)"
ReportSuggestion ${TEST_NO} "Check iptables rules to see which rules are currently not used"
LogText "Tip: iptables --list --numeric --line-numbers --verbose"
fi
@@ -198,19 +197,19 @@
# Check status with pfctl
LogText "Test: checking pf status via pfctl"
- if [ ! "${PFCTLBINARY}" = "" ]; then
- FIND=`${PFCTLBINARY} -sa 2>&1 | ${GREPBINARY} "^Status" | head -1 | ${AWKBINARY} '{ print $2 }'`
+ if [ ! -z "${PFCTLBINARY}" ]; then
+ FIND=$(${PFCTLBINARY} -sa 2>&1 | ${GREPBINARY} "^Status" | ${HEADBINARY} -1 | ${AWKBINARY} '{ print $2 }')
if [ "${FIND}" = "Enabled" ]; then
Display --indent 2 --text "- Checking pf status (pfctl)" --result "${STATUS_ENABLED}" --color GREEN
LogText "Result: pf is enabled"
PFFOUND=1
AddHP 3 3
- else
+ else
if [ "${FIND}" = "Disabled" ]; then
Display --indent 2 --text "- Checking pf status (pfctl)" --result "${STATUS_DISABLED}" --color RED
LogText "Result: pf is disabled"
AddHP 0 3
- else
+ else
Display --indent 2 --text "- Checking pf status (pfctl)" --result "${STATUS_UNKNOWN}" --color YELLOW
ReportException ${TEST_NO} "Unknown status of pf firewall"
fi
@@ -221,11 +220,11 @@
if [ ${PFFOUND} -eq 0 ]; then
# Check for pf kernel module (FreeBSD and similar)
LogText "Test: searching for pf kernel module"
- if [ ! "${KLDSTATBINARY}" = "" ]; then
- FIND=`${KLDSTATBINARY} | ${GREPBINARY} 'pf.ko'`
- if [ "${FIND}" = "" ]; then
+ if [ ! -z "${KLDSTATBINARY}" ]; then
+ FIND=$(${KLDSTATBINARY} | ${GREPBINARY} 'pf.ko')
+ if [ -z "${FIND}" ]; then
LogText "Result: Can not find pf KLD"
- else
+ else
LogText "Result: pf KLD loaded"
PFFOUND=1
fi
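Review bot: `${GREPBINARY} 'pf.ko'` is an unanchored regular expression in which `.` matches any character, so PFFOUND is set to 1 for any kldstat line that merely contains the pattern, such as a module whose name ends in `pf.ko`. PFFOUND appears to decide later whether pf is recorded as the active firewall, so the module name should be matched exactly, for example `FIND=$(${KLDSTATBINARY} | ${GREPBINARY} -w 'pf\.ko')`. The enclosing `if [ ${PFFOUND} -eq 0 ]` block ends outside the hunk.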
@@ -239,7 +238,7 @@
Display --indent 4 --text "- Checking pflogd status" --result "ACTIVE" --color GREEN
PFFOUND=1
PFLOGDFOUND=1
- else
+ else
LogText "Result: pflog daemon not found in process list"
fi
fi
@@ -248,7 +247,7 @@
FIREWALL_ACTIVE=1
FIREWALL_SOFTWARE="pf"
Report "firewall_software[]=pf"
- else
+ else
LogText "Result: pf not running on this system"
fi
fi
@@ -266,15 +265,15 @@
LogText "Result: /etc/pf.conf exists"
# Check results from pfctl
PFWARNINGS=$(${PFCTLBINARY} -n -f /etc/pf.conf -vvv 2>&1 | ${GREPBINARY} -i 'warning')
- if [ "${PFWARNINGS}" = "" ]; then
+ if [ -z "${PFWARNINGS}" ]; then
Display --indent 4 --text "- Checking pf configuration consistency" --result "${STATUS_OK}" --color GREEN
LogText "Result: no pf filter warnings found"
- else
+ else
Display --indent 4 --text "- Checking pf configuration consistency" --result "${STATUS_WARNING}" --color RED
LogText "Result: found one or more warnings in the pf filter rules"
ReportWarning ${TEST_NO} "Found one or more warnings in pf configuration file" "/etc/pf.conf" "text:Run 'pfctl -n -f /etc/pf.conf -vvv' to see available pf warnings"
fi
- else
+ else
LogText "Result: /etc/pf.conf does NOT exist"
fi
fi
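Review bot: The consistency check only looks for the word 'warning' in the output of `pfctl -n -f /etc/pf.conf -vvv`, so a ruleset that pfctl rejects with an error message rather than a warning would still be displayed as OK. Consider testing the exit status of the dry run as well, e.g. `if ${PFCTLBINARY} -n -f /etc/pf.conf > /dev/null 2>&1 && [ -z "${PFWARNINGS}" ]; then`, and logging a distinct result for a parse failure. The path is also still a literal `/etc/pf.conf` while other files in this commit moved to `${ROOTDIR}`.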
@@ -298,7 +297,7 @@
FIREWALL_SOFTWARE="csf"
Report "firewall_software[]=csf"
Display --indent 2 --text "- Checking CSF status (configuration file)" --result "${STATUS_FOUND}" --color GREEN
- else
+ else
LogText "Result: ${FILE} does NOT exist"
fi
fi
@@ -310,14 +309,14 @@
if [ ! "${IPFBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no FIRE-4526 --os Solaris --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check ipf status"
if [ ${SKIPTEST} -eq 0 ]; then
- FIND=`${IPFBINARY} -n -V | ${GREPBINARY} "^Running" | ${AWKBINARY} '{ print $2 }'`
+ FIND=$(${IPFBINARY} -n -V | ${GREPBINARY} "^Running" | ${AWKBINARY} '{ print $2 }')
if [ "${FIND}" = "yes" ]; then
Display --indent 4 --text "- Checking ipf status" --result "${STATUS_RUNNING}" --color GREEN
LogText "Result: ipf is enabled and running"
FIREWALL_ACTIVE=1
FIREWALL_SOFTWARE="ipf"
Report "firewall_software[]=ipf"
- else
+ else
Display --indent 4 --text "- Checking ipf status" --result "${STATUS_NOT_RUNNING}" --color YELLOW
LogText "Result: ipf is not running"
fi
@@ -329,9 +328,9 @@
# Description : Check IPFW (FreeBSD)
Register --test-no FIRE-4530 --os FreeBSD --weight L --network NO --category security --description "Check IPFW status"
if [ ${SKIPTEST} -eq 0 ]; then
- if [ ! "${SYSCTLBINARY}" = "" ]; then
+ if [ ! -z "${SYSCTLBINARY}" ]; then
# For now, only check for IPv4.
- FIND=`${SYSCTLBINARY} net.inet.ip.fw.enable | ${AWKBINARY} '{ print $2 }'`
+ FIND=$(${SYSCTLBINARY} net.inet.ip.fw.enable | ${AWKBINARY} '{ print $2 }')
if [ "${FIND}" = "1" ]; then
Display --indent 2 --text "- Checking IPFW status" --result "${STATUS_RUNNING}" --color GREEN
LogText "Result: IPFW is running for IPv4"
@@ -363,14 +362,14 @@
if [ -x /usr/libexec/ApplicationFirewall/socketfilterfw ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no FIRE-4532 --weight L --os "MacOS" --preqs-met ${PREQS_MET} --network NO --category security --description "Check Mac OS X application firewall"
if [ ${SKIPTEST} -eq 0 ]; then
- FIND=`/usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate 2> /dev/null | ${GREPBINARY} "Firewall is enabled"`
- if [ ! "${FIND}" = "" ]; then
+ FIND=$(/usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate 2> /dev/null | ${GREPBINARY} "Firewall is enabled")
+ if [ ! -z "${FIND}" ]; then
Display --indent 2 --text "- Checking Mac OS X: Application Firewall" --result "${STATUS_ENABLED}" --color GREEN
AddHP 3 3
LogText "Result: application firewall of Mac OS X is enabled"
APPLICATION_FIREWALL_ACTIVE=1
Report "app_fw[]=macosx-app-fw"
- else
+ else
Display --indent 2 --text "- Checking IPFW" --result "${STATUS_DISABLED}" --color YELLOW
AddHP 1 3
LogText "Result: application firewall of Mac OS X is disabled"
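Review bot: The disabled branch displays `- Checking IPFW` although this test (FIRE-4532) checks the Mac OS X application firewall, so the on-screen result is attributed to the wrong control. Use the same label as the enabled branch: `Display --indent 2 --text "- Checking Mac OS X: Application Firewall" --result "${STATUS_DISABLED}" --color YELLOW`. The else branch continues outside the hunk.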
@@ -447,7 +446,7 @@
# YYY Solaris ipf (determine default policy)
Report "manual[]=Make sure an explicit deny all is the default policy for all unmatched traffic"
AddHP 5 5
- else
+ else
Display --indent 2 --text "- Checking host based firewall" --result "NOT ACTIVE" --color YELLOW
LogText "Result: no host based firewall/packet filter found or configured"
ReportSuggestion ${TEST_NO} "Configure a firewall/packet filter to filter incoming and outgoing traffic"
diff --git a/include/tests_hardening b/include/tests_hardening
index 91838818..93c01ff5 100644
--- a/include/tests_hardening
+++ b/include/tests_hardening
@@ -35,7 +35,7 @@
LogText "Result: no compilers found"
Display --indent 4 --text "- Installed compiler(s)" --result "${STATUS_NOT_FOUND}" --color GREEN
AddHP 3 3
- else
+ else
LogText "Result: found installed compiler. See top of logfile which compilers have been found or use ${GREPBINARY} to filter on 'compiler'"
Display --indent 4 --text "- Installed compiler(s)" --result "${STATUS_FOUND}" --color RED
AddHP 1 3
@@ -54,7 +54,7 @@
LogText "Result: no compilers found"
else
# as
- if [ ! "${ASBINARY}" = "" ]; then
+ if [ ! -z "${ASBINARY}" ]; then
LogText "Test: Check file permissions for as (Assembler)"
if IsWorldExecutable ${ASBINARY}; then
LogText "Binary: found ${ASBINARY} (world executable)"
@@ -66,7 +66,7 @@
fi
fi
# gcc
- if [ ! "${GCCBINARY}" = "" ]; then
+ if [ ! -z "${GCCBINARY}" ]; then
LogText "Test: Check file permissions for GCC compiler"
if IsWorldExecutable ${GCCBINARY}; then
LogText "Binary: found ${GCCBINARY} (world executable)"
@@ -83,8 +83,8 @@
ReportSuggestion ${TEST_NO} "Harden compilers like restricting access to root user only"
fi
- #YYY check if compilers have a specific group (like compiler, or NOT root/wheel)
-# Display --indent 4 --text "- Installed compiler(s)" --result "${STATUS_FOUND}" --color RED
+ # TODO check if compilers have a specific group (like compiler, or NOT root/wheel)
+ # Display --indent 4 --text "- Installed compiler(s)" --result "${STATUS_FOUND}" --color RED
# /usr/bin/*cc*
# /usr/bin/*++*
# /usr/bin/ld
diff --git a/include/tests_homedirs b/include/tests_homedirs
index 5d9dc927..8daef43e 100644
--- a/include/tests_homedirs
+++ b/include/tests_homedirs
@@ -38,12 +38,12 @@
if [ ${SKIPTEST} -eq 0 ]; then
# Read sixth field of /etc/passwd
LogText "Test: query /etc/passwd to obtain home directories"
- FIND=`${AWKBINARY} -F: '{ if ($1 !~ "#") print $6 }' /etc/passwd | ${SORTBINARY} -u`
+ FIND=$(${AWKBINARY} -F: '{ if ($1 !~ "#") print $6 }' /etc/passwd | ${SORTBINARY} -u)
for I in ${FIND}; do
if [ -d ${I} ]; then
LogText "Result: found home directory: ${I} (directory exists)"
Report "home_directory[]=${I}"
- else
+ else
LogText "Result: found home directory: ${I} (directory does not exist)"
fi
done
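Review bot: `for I in ${FIND}` word-splits and glob-expands the home directory fields read from /etc/passwd, and `[ -d ${I} ]` expands them again, so an entry containing whitespace or a wildcard is logged and reported as paths that are not in the file. Reading line by line keeps each field intact: `echo "${FIND}" | while IFS= read -r I; do` together with `if [ -d "${I}" ]; then`. The file is also still read from a literal `/etc/passwd` rather than `${ROOTDIR}etc/passwd`.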
@@ -55,17 +55,17 @@
# Description : Check for suspicious shell history files
Register --test-no HOME-9310 --weight L --network NO --category security --description "Checking for suspicious shell history files"
if [ ${SKIPTEST} -eq 0 ]; then
- if [ ! "${HOMEDIRS}" = "" ]; then
+ if [ ! -z "${HOMEDIRS}" ]; then
if [ "${OS}" = "Solaris" ]; then
# Solaris doesn't support -maxdepth
- FIND=`find ${HOMEDIRS} -name ".*history" ! -type f -print`
- else
- FIND=`find ${HOMEDIRS} -maxdepth 1 -name ".*history" ! -type f -print`
+ FIND=$(${FINDBINARY} ${HOMEDIRS} -name ".*history" ! -type f -print)
+ else
+ FIND=$(${FINDBINARY} ${HOMEDIRS} -maxdepth 1 -name ".*history" ! -type f -print)
fi
- if [ "${FIND}" = "" ]; then
+ if [ -z "${FIND}" ]; then
Display --indent 2 --text "- Checking shell history files" --result "${STATUS_OK}" --color GREEN
LogText "Result: Ok, history files are type 'file'."
- else
+ else
Display --indent 2 --text "- Checking shell history files" --result "${STATUS_WARNING}" --color RED
LogText "Result: the following files seem to be of the wrong file type:"
LogText "Output: ${FIND}"
@@ -73,7 +73,7 @@
ReportWarning ${TEST_NO} "Incorrect file type found for shell history file"
fi
LogText "Remarks: History files are normally of the type 'file'. Symbolic links and other types can be riskful."
- else
+ else
Display --indent 2 --text "- Checking shell history files" --result "${STATUS_SKIPPED}" --color WHITE
LogText "Result: Homedirs is empty, test will be skipped"
fi
@@ -93,13 +93,13 @@
# Notes : For performance reasons we combine the scanning of different files, so inode caching is used
# as much as possible for every find command
# Profile opt : ignore_home_dir (multiple lines allowed), ignores home directory
- if [ ! "${REPORTFILE}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ if [ ! -z "${REPORTFILE}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no HOME-9350 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Collecting information from home directories"
if [ ${SKIPTEST} -eq 0 ]; then
- IGNORE_HOME_DIRS=`${GREPBINARY} "^config:ignore_home_dir:" ${PROFILE} | ${AWKBINARY} -F: '{ print $3 }'`
- if [ "${IGNORE_HOME_DIRS}" = "" ]; then
+ IGNORE_HOME_DIRS=$(${GREPBINARY} "^config:ignore_home_dir:" ${PROFILE} | ${AWKBINARY} -F: '{ print $3 }')
+ if [ -z "${IGNORE_HOME_DIRS}" ]; then
LogText "Result: IGNORE_HOME_DIRS empty, no paths excluded"
- else
+ else
LogText "Output: ${IGNORE_HOME_DIRS}"
fi
fi
diff --git a/include/tests_insecure_services b/include/tests_insecure_services
index ff80c4ce..d04afd7c 100644
--- a/include/tests_insecure_services
+++ b/include/tests_insecure_services
@@ -27,7 +27,7 @@
#################################################################################
#
INETD_ACTIVE=0
- INETD_CONFIG_FILE="/etc/inetd.conf"
+ INETD_CONFIG_FILE="${ROOTDIR}etc/inetd.conf"
#
#################################################################################
#
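Review bot: `${ROOTDIR}etc/inetd.conf` has no separator of its own, so it is an absolute path only when ROOTDIR is set and ends in a slash; if the variable is empty or unset here, the audit reads `etc/inetd.conf` relative to the current working directory, which whoever controls that directory can populate. ROOTDIR's definition is not visible in this diff, so please confirm it is always initialised and slash-terminated before the test files are sourced, or default it with `: "${ROOTDIR:=/}"`. The same construction is introduced in tests_kernel, tests_ldap and tests_logging in this commit.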
diff --git a/include/tests_kernel b/include/tests_kernel
index fca531a0..61bfed61 100644
--- a/include/tests_kernel
+++ b/include/tests_kernel
@@ -456,16 +456,16 @@
Register --test-no KRNL-5830 --os Linux --weight L --network NO --category security --description "Checking if system is running on the latest installed kernel"
if [ ${SKIPTEST} -eq 0 ]; then
REBOOT_NEEDED=2
- FILE="/var/run/reboot-required.pkgs"
+ FILE="${ROOTDIR}var/run/reboot-required.pkgs"
LogText "Test: Checking presence ${FILE}"
if [ -f ${FILE} ]; then
LogText "Result: file ${FILE} exists"
- FIND=$(wc -l < ${FILE})
+ FIND=$(${WCBINARY} -l < ${FILE})
if [ "${FIND}" = "0" ]; then
LogText "Result: No reboot needed (file empty)"
REBOOT_NEEDED=0
else
- PKGSCOUNT=$(wc -l < ${FILE})
+ PKGSCOUNT=$(${WCBINARY} -l < ${FILE})
LogText "Result: reboot is needed, related to ${PKGSCOUNT} packages"
for I in ${FIND}; do
LogText "Package: ${I}"
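Review bot: The loop `for I in ${FIND}` iterates over the output of `${WCBINARY} -l`, so it logs the line count as a single 'Package:' entry instead of the package names in the file, and PKGSCOUNT repeats the same count. To log the packages, read the file itself, e.g. `while read -r I; do LogText "Package: ${I}"; done < ${FILE}`, and reuse FIND for the count. The loop and the else branch close outside the hunk.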
@@ -476,15 +476,15 @@
LogText "Result: file ${FILE} not found"
fi
# Check if /boot exists
- if [ -d /boot ]; then
+ if [ -d ${ROOTDIR}boot ]; then
LogText "Result: /boot exists, performing more tests from here"
- FIND=$(ls /boot/* 2> /dev/null)
- if [ ! "${FIND}" = "" ]; then
- if [ -f /boot/vmlinuz -a ! -L /boot/vmlinuz ]; then
+ FIND=$(${LSBINARY} ${ROOTDIR}boot/* 2> /dev/null)
+ if [ ! -z "${FIND}" ]; then
+ if [ -f ${ROOTDIR}boot/vmlinuz -a ! -L ${ROOTDIR}boot/vmlinuz ]; then
LogText "Result: found /boot/vmlinuz (not symlinked)"
NEXTLINE=0
FINDVERSION=""
- for I in `file /boot/vmlinuz-linux`; do
+ for I in $(file ${ROOTDIR}boot/vmlinuz-linux); do
if [ ${NEXTLINE} -eq 1 ]; then
FINDVERSION="${I}"
else
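Review bot: This branch is entered when `${ROOTDIR}boot/vmlinuz` is a regular file, yet the loop inspects `${ROOTDIR}boot/vmlinuz-linux`, which is only tested for existence in the later `elif`. On a system with vmlinuz but no vmlinuz-linux, the version on disk would never be found. The intended line looks like `for I in $(${FILEBINARY} ${ROOTDIR}boot/vmlinuz); do`, which also matches the `${FILEBINARY}` use in the next branch. The LogText messages in this hunk still print `/boot` literally although the checks now use `${ROOTDIR}boot`. The loop continues outside the hunk.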
@@ -492,7 +492,7 @@
if [ "${I}" = "version" ]; then NEXTLINE=1; fi
fi
done
- if [ ! "${FINDVERSION}" = "" ]; then
+ if [ ! -z "${FINDVERSION}" ]; then
CURRENT_KERNEL=`uname -r`
if [ ! "${CURRENT_KERNEL}" = "${FINDVERSION}" ]; then
LogText "Result: reboot needed, as current kernel is different than the one loaded"
@@ -501,11 +501,11 @@
else
ReportException "${TEST_NO}:1" "Can't determine kernel version on disk, need debug data"
fi
- elif [ -f /boot/vmlinuz-linux ]; then
+ elif [ -f ${ROOTDIR}boot/vmlinuz-linux ]; then
LogText "Result: /found /boot/vmlinuz-linux (usually Arch Linux or similar)"
LogText "Test: checking kernel version on disk"
- VERSION_ON_DISK=`file -b /boot/vmlinuz-linux | ${AWKBINARY} '{ if ($1=="Linux" && $7=="version") { print $8 }}'`
- if [ ! "${VERSION_ON_DISK}" = "" ]; then
+ VERSION_ON_DISK=$(${FILEBINARY} -b ${ROOTDIR}boot/vmlinuz-linux | ${AWKBINARY} '{ if ($1=="Linux" && $7=="version") { print $8 }}')
+ if [ ! -z "${VERSION_ON_DISK}" ]; then
LogText "Result: found version ${VERSION_ON_DISK}"
ACTIVE_KERNEL=`uname -r`
LogText "Result: active kernel version ${ACTIVE_KERNEL}"
@@ -521,36 +521,36 @@
ReportException "${TEST_NO}:4" "Could not find the kernel version from /boot/vmlinux-linux"
fi
else
- if [ -L /boot/vmlinuz ]; then
- LogText "Result: found symlink of /boot/vmlinuz, skipping file"
+ if [ -L ${ROOTDIR}boot/vmlinuz ]; then
+ LogText "Result: found symlink of ${ROOTDIR}boot/vmlinuz, skipping file"
else
- LogText "Result: /boot/vmlinuz not on disk, trying to find /boot/vmlinuz*"
+ LogText "Result: ${ROOTDIR}boot/vmlinuz not on disk, trying to find ${ROOTDIR}boot/vmlinuz*"
fi
# Extra current kernel version and replace dashes to allow numeric ${SORTBINARY} later on
- MYKERNEL=`uname -r | ${SEDBINARY} 's/\.[a-z].*.//g' | ${SEDBINARY} 's/-[a-z].*.//g' | ${SEDBINARY} 's/-/./g'`
+ MYKERNEL=$(${UNAMEBINARY} -r | ${SEDBINARY} 's/\.[a-z].*.//g' | ${SEDBINARY} 's/-[a-z].*.//g' | ${SEDBINARY} 's/-/./g')
LogText "Result: using ${MYKERNEL} as my kernel version (stripped)"
- FIND=$(ls /boot/vmlinuz* 2> /dev/null)
- if [ ! "${FIND}" = "" ]; then
+ FIND=$(ls ${ROOTDIR}boot/vmlinuz* 2> /dev/null)
+ if [ ! -z "${FIND}" ]; then
for ITEM in ${FIND}; do
LogText "Result: found ${ITEM}"
done
# Display kernels, extract version numbers and ${SORTBINARY} them numeric per column (up to 6 numbers)
# Ignore rescue images. Remove generic. and huge. for Slackware machines
LogText "Action: checking relevant kernels"
- KERNELS=`ls /boot/vmlinuz* | ${GREPBINARY} -v rescue | ${SEDBINARY} 's/vmlinuz-//' | ${SEDBINARY} 's/generic.//' | ${SEDBINARY} 's/huge.//' | ${SEDBINARY} 's/\.[a-z].*.//g' | ${SEDBINARY} 's/-[a-z].*.//g' | ${SEDBINARY} 's./boot/..' | ${SEDBINARY} 's/-/./g' | ${SORTBINARY} -n -k1,1 -k2,2 -k3,3 -k4,4 -k5,5 -k6,6 -t \.`
+ KERNELS=$(${LSBINARY} /boot/vmlinuz* | ${GREPBINARY} -v rescue | ${SEDBINARY} 's/vmlinuz-//' | ${SEDBINARY} 's/generic.//' | ${SEDBINARY} 's/huge.//' | ${SEDBINARY} 's/\.[a-z].*.//g' | ${SEDBINARY} 's/-[a-z].*.//g' | ${SEDBINARY} 's./boot/..' | ${SEDBINARY} 's/-/./g' | ${SORTBINARY} -n -k1,1 -k2,2 -k3,3 -k4,4 -k5,5 -k6,6 -t \.)
KERNELS_ONE_LINE=$(echo ${KERNELS} | ${TRBINARY} '\n' ' ')
LogText "Output: ${KERNELS_ONE_LINE}"
- elif [ ! "$(ls /boot/kernel* 2> /dev/null)" = "" ]; then
- LogText "Output: Found a kernel file in /boot"
+ elif [ ! "$(ls ${ROOTDIR}boot/kernel* 2> /dev/null)" = "" ]; then
+ LogText "Output: Found a kernel file in ${ROOTDIR}boot"
# Display kernels, extract version numbers and ${SORTBINARY} them numeric per column (up to 6 numbers)
# Examples:
# /boot/kernel-genkernel-x86_64-3.14.14-gentoo
- KERNELS=`ls /boot/kernel* | ${AWKBINARY} -F- '{ if ($2=="genkernel") { print $4 }}' | ${GREPBINARY} "^[0-9]" | ${SORTBINARY} -n -k1,1 -k2,2 -k3,3 -k4,4 -k5,5 -k6,6 -t \.`
+ KERNELS=$(${LSBINARY} ${ROOTDIR}boot/kernel* | ${AWKBINARY} -F- '{ if ($2=="genkernel") { print $4 }}' | ${GREPBINARY} "^[0-9]" | ${SORTBINARY} -n -k1,1 -k2,2 -k3,3 -k4,4 -k5,5 -k6,6 -t \.)
LogText "Output: ${KERNELS}"
else
ReportException "${TEST_NO}:2" "Can not find any vmlinuz or kernel files in /boot, which is unexpected"
fi
- if [ ! "${KERNELS}" = "" ]; then
+ if [ ! -z "${KERNELS}" ]; then
FOUND_KERNEL=0
for I in ${KERNELS}; do
# Check if we already found a kernel and it is not equal to what we run (e.g. double versions may exist)
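Review bot: The KERNELS pipeline still lists `/boot/vmlinuz*` while the existence check above it uses `ls ${ROOTDIR}boot/vmlinuz*`, so with a non-default ROOTDIR the two look at different directories. Changing it to `${LSBINARY} ${ROOTDIR}boot/vmlinuz*` also requires the `${SEDBINARY} 's./boot/..'` stage to strip the prefixed path. The first FIND and the `elif` test still call plain `ls` rather than `${LSBINARY}`. The block continues outside the hunk.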
diff --git a/include/tests_ldap b/include/tests_ldap
index 0d940c5f..6c04a3bc 100644
--- a/include/tests_ldap
+++ b/include/tests_ldap
@@ -26,7 +26,7 @@
#
#################################################################################
#
- SLAPD_CONF_LOCS="/etc/ldap /etc/openldap /usr/local/etc/openldap"
+ SLAPD_CONF_LOCS="${ROOTDIR}etc/ldap ${ROOTDIR}etc/openldap ${ROOTDIR}usr/local/etc/openldap"
SLAPD_CONF_LOCATION=""
SLAPD_RUNNING=0
#
@@ -36,12 +36,12 @@
# Description : Check running OpenLDAP instance
Register --test-no LDAP-2219 --weight L --network NO --category security --description "Check running OpenLDAP instance"
if [ ${SKIPTEST} -eq 0 ]; then
- #YYY add additional slash
+ # TODO adding additional slash needed?
IsRunning slapd
if [ ${RUNNING} -eq 0 ]; then
Display --indent 2 --text "- Checking OpenLDAP instance" --result "${STATUS_NOT_FOUND}" --color WHITE
LogText "Result: No running slapd process found."
- else
+ else
Display --indent 2 --text "- Checking OpenLDAP instance" --result "${STATUS_FOUND}" --color GREEN
LogText "Result: Found running slapd process"
SLAPDFOUND=1
@@ -61,14 +61,14 @@
if [ -f ${I}/slapd.conf ]; then
LogText "Result: found ${I}/slapd.conf"
SLAPD_CONF_LOCATION="${I}/slapd.conf"
- else
+ else
LogText "Result: ${I} does not contain slapd.conf"
fi
done
# Check if we found a valid location
- if [ ! "${SLAPD_CONF_LOCATION}" = "" ]; then
+ if [ ! -z "${SLAPD_CONF_LOCATION}" ]; then
Display --indent 4 --text "- Checking slapd.conf" --result "${STATUS_FOUND}" --color GREEN
- else
+ else
Display --indent 4 --text "- Checking slapd.conf" --result "${STATUS_NOT_FOUND}" --color YELLOW
fi
fi
diff --git a/include/tests_logging b/include/tests_logging
index 8b48d4dd..538488fc 100644
--- a/include/tests_logging
+++ b/include/tests_logging
@@ -22,7 +22,7 @@
#
#################################################################################
#
- LOG_FILES_LOCS="/var/log /var/adm"
+ LOG_FILES_LOCS="${ROOTDIR}var/log ${ROOTDIR}var/adm"
LOGROTATE_CONFIG_FOUND=0
LOGROTATE_TOOL=""
METALOG_RUNNING=0
@@ -43,14 +43,14 @@
Register --test-no LOGG-2130 --weight L --network NO --category security --description "Check for running syslog daemon"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Searching for a logging daemon"
- FIND=`${PSBINARY} ax | ${EGREPBINARY} "syslogd|syslog-ng|metalog|systemd-journal" | ${GREPBINARY} -v "grep"`
- if [ "${FIND}" = "" ]; then
+ FIND=$(${PSBINARY} ax | ${EGREPBINARY} "syslogd|syslog-ng|metalog|systemd-journal" | ${GREPBINARY} -v "grep")
+ if [ -z "${FIND}" ]; then
Display --indent 2 --text "- Checking for a running log daemon" --result "${STATUS_WARNING}" --color RED
LogText "Result: Could not find a syslog daemon like syslog, syslog-ng, rsyslog, metalog, systemd-journal"
ReportSuggestion ${TEST_NO} "Check if any syslog daemon is running and correctly configured."
ReportWarning ${TEST_NO} "No syslog daemon found"
AddHP 0 3
- else
+ else
Display --indent 2 --text "- Checking for a running log daemon" --result "${STATUS_OK}" --color GREEN
LogText "Result: Found a logging daemon"
SYSLOG_DAEMON_PRESENT=1
@@ -72,7 +72,7 @@
Display --indent 4 --text "- Checking Syslog-NG status" --result "${STATUS_FOUND}" --color GREEN
SYSLOG_DAEMON_PRESENT=1
SYSLOG_NG_RUNNING=1
- else
+ else
LogText "Result: Syslog-ng NOT found in process list"
Display --indent 4 --text "- Checking Syslog-NG status" --result "${STATUS_NOT_FOUND}" --color WHITE
fi
@@ -85,11 +85,11 @@
if [ ! "${SYSLOGNGBINARY}" = "" -a ${SYSLOG_NG_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no LOGG-2134 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking Syslog-NG configuration file consistency"
if [ ${SKIPTEST} -eq 0 ]; then
- FIND=`${SYSLOGNGBINARY} -s; echo $?`
+ FIND=$(${SYSLOGNGBINARY} -s; echo $?)
if [ "${FIND}" = "0" ]; then
LogText "Result: Syslog-NG configuration file seems to be consistent"
Display --indent 6 --text "- Checking Syslog-NG consistency" --result "${STATUS_OK}" --color GREEN
- else
+ else
LogText "Result: Syslog-NG configuration file seems NOT to be consistent"
Display --indent 6 --text "- Checking Syslog-NG consistency" --result "${STATUS_WARNING}" --color RED
ReportWarning ${TEST_NO} "Found one or more problems in Syslog-NG configuration file"
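Review bot: `FIND=$(${SYSLOGNGBINARY} -s; echo $?)` captures whatever the syntax check writes to standard output together with the exit code, so any output from the binary makes the comparison with `"0"` fail and raises a warning for a valid configuration. Testing the status directly is more robust: `if ${SYSLOGNGBINARY} -s > /dev/null 2>&1; then`. The else branch continues outside the hunk.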
@@ -108,7 +108,7 @@
if [ ${RUNNING} -eq 1 ]; then
Display --indent 4 --text "- Checking systemd journal status" --result "${STATUS_FOUND}" --color GREEN
SYSTEMD_JOURNAL_RUNNING=1
- else
+ else
Display --indent 4 --text "- Checking systemd journal status" --result "${STATUS_NOT_FOUND}" --color WHITE
fi
fi
@@ -126,7 +126,7 @@
Display --indent 4 --text "- Checking Metalog status" --result "${STATUS_FOUND}" --color GREEN
SYSLOG_DAEMON_PRESENT=1
METALOG_RUNNING=1
- else
+ else
LogText "Result: metalog NOT found in process list"
Display --indent 4 --text "- Checking Metalog status" --result "${STATUS_NOT_FOUND}" --color WHITE
fi
@@ -145,7 +145,7 @@
Display --indent 4 --text "- Checking RSyslog status" --result "${STATUS_FOUND}" --color GREEN
SYSLOG_DAEMON_PRESENT=1
RSYSLOG_RUNNING=1
- else
+ else
LogText "Result: rsyslogd NOT found in process list"
Display --indent 4 --text "- Checking RSyslog status" --result "${STATUS_NOT_FOUND}" --color WHITE
fi
@@ -164,7 +164,7 @@
Display --indent 4 --text "- Checking RFC 3195 daemon status" --result "${STATUS_FOUND}" --color GREEN
SYSLOG_DAEMON_PRESENT=1
RFC3195D_RUNNING=1
- else
+ else
LogText "Result: rfc3195d NOT found in process list"
Display --indent 4 --text "- Checking RFC 3195 daemon status" --result "${STATUS_NOT_FOUND}" --color WHITE
fi
@@ -188,12 +188,12 @@
if [ ${RUNNING} -eq 1 ]; then
LogText "Result: klogd running"
Display --indent 4 --text "- Checking klogd" --result "${STATUS_FOUND}" --color GREEN
- else
+ else
LogText "Result: No klogd found"
Display --indent 4 --text "- Checking klogd" --result "${STATUS_NOT_FOUND}" --color RED
ReportWarning ${TEST_NO} "klogd is not running, which could lead to missing kernel messages in log files"
fi
- else
+ else
LogText "Result: test skipped, because other facility is being used to log kernel messages"
fi
fi
@@ -210,7 +210,7 @@
if [ ${RUNNING} -eq 0 ]; then
Display --indent 4 --text "- Checking minilogd instances" --result "${STATUS_NOT_FOUND}" --color WHITE
LogText "Result: No minilogd is running"
- else
+ else
Display --indent 4 --text "- Checking minilogd instances" --result "${STATUS_WARNING}" --color RED
LogText "Result: minilogd found in process list"
# minilogd daemon seems to be running
@@ -224,22 +224,22 @@
# Description : Check for logrotate (/etc/logrotate.conf and logrotate.d)
Register --test-no LOGG-2146 --weight L --os Linux --network NO --category security --description "Checking logrotate.conf and logrotate.d"
if [ ${SKIPTEST} -eq 0 ]; then
- LogText "Test: Checking for /etc/logrotate.conf"
- if [ -f /etc/logrotate.conf ]; then
+ LogText "Test: Checking for ${ROOTDIR}etc/logrotate.conf"
+ if [ -f ${ROOTDIR}etc/logrotate.conf ]; then
LOGROTATE_CONFIG_FOUND=1
LOGROTATE_TOOL="logrotate"
- LogText "Result: /etc/logrotate.conf found (file)"
+ LogText "Result: ${ROOTDIR}etc/logrotate.conf found (file)"
else
- LogText "Result: /etc/logrotate.conf NOT found"
+ LogText "Result: ${ROOTDIR}etc/logrotate.conf NOT found"
fi
- LogText "Test: Checking for /etc/logrotate.d (directory)"
- if [ -d /etc/logrotate.d ]; then
+ LogText "Test: Checking for ${ROOTDIR}etc/logrotate.d (directory)"
+ if [ -d ${ROOTDIR}etc/logrotate.d ]; then
LOGROTATE_CONFIG_FOUND=1
LOGROTATE_TOOL="logrotate"
- LogText "Result: /etc/logrotate.d found"
+ LogText "Result: ${ROOTDIR}etc/logrotate.d found"
else
- LogText "Result: /etc/logrotate.conf found"
+ LogText "Result: ${ROOTDIR}etc/logrotate.conf found"
fi
if [ ${LOGROTATE_CONFIG_FOUND} -eq 1 ]; then
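Review bot: The else branch of the `-d ${ROOTDIR}etc/logrotate.d` check logs `${ROOTDIR}etc/logrotate.conf found`, which names the wrong path and the wrong outcome; the commit rewrote this line but kept the message. It should read `LogText "Result: ${ROOTDIR}etc/logrotate.d NOT found"`. The trailing `if` block continues outside the hunk.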
@@ -256,14 +256,14 @@
#
# Test : LOGG-2148
# Description : Checking log files rotated with logrotate
- if [ ! "${LOGROTATEBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ if [ ! -z "${LOGROTATEBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no LOGG-2148 --weight L --preqs-met ${PREQS_MET} --network NO --category security --description "Checking logrotated files"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking which files are rotated with logrotate and if they exist"
- FIND=`${LOGROTATEBINARY} -d -v /etc/logrotate.conf 2>&1 | ${EGREPBINARY} "considering log|skipping" | ${GREPBINARY} -v '*' | ${SORTBINARY} -u | ${AWKBINARY} '{ if ($2!="log") { print "File:"$2":does_not_exist" } else { print "File:"$3":exists" } }'`
- if [ "${FIND}" = "" ]; then
+ FIND=$(${LOGROTATEBINARY} -d -v ${ROOTDIR}etc/logrotate.conf 2>&1 | ${EGREPBINARY} "considering log|skipping" | ${GREPBINARY} -v '*' | ${SORTBINARY} -u | ${AWKBINARY} '{ if ($2!="log") { print "File:"$2":does_not_exist" } else { print "File:"$3":exists" } }')
+ if [ -z "${FIND}" ]; then
LogText "Result: nothing found"
- else
+ else
LogText "Result: found one or more files which are rotated via logrotate"
for I in ${FIND}; do
LogText "Output: ${I}"
@@ -304,21 +304,21 @@
if [ ${SKIPTEST} -eq 0 ]; then
# Try local hosts file
LogText "Result: Checking for loghost in /etc/inet/hosts"
- FIND=`${GREPBINARY} loghost /etc/inet/hosts | ${GREPBINARY} -v "^#"`
- if [ ! "${FIND}" = "" ]; then
+ FIND=$(${GREPBINARY} loghost /etc/inet/hosts | ${GREPBINARY} -v "^#")
+ if [ ! -z "${FIND}" ]; then
SOLARIS_LOGHOST_FOUND=1
LogText "Result: Found loghost entry in /etc/inet/hosts"
- else
+ else
LogText "Result: No loghost entry found in /etc/inet/hosts"
# Try name resolving if no entry is present in local host file
LogText "Result: Checking for loghost via name resolving"
FIND=`getent hosts loghost | ${GREPBINARY} loghost`
- if [ ! "${FIND}" = "" ]; then
+ if [ ! -z "${FIND}" ]; then
SOLARIS_LOGHOST_FOUND=1
LogText "Result: name resolving was succesful"
LogText "Output: ${FIND}"
- else
+ else
LogText "Result: name resolving didn't find results"
fi
fi
@@ -326,7 +326,7 @@
if [ ${SOLARIS_LOGHOST_FOUND} -eq 1 ]; then
LogText "Result: loghost entry found and most likely used to send syslog messages"
Display --indent 2 --text "- Checking loghost entry" --result "${STATUS_OK}" --color GREEN
- else
+ else
Display --indent 2 --text "- Checking loghost entry" --result "${STATUS_WARNING}" --color RED
LogText "Result: No loghost entry found"
ReportWarning ${TEST_NO} "No loghost entry found"
@@ -344,21 +344,21 @@
if [ ${SKIPTEST} -eq 0 ]; then
if [ ${SYSLOG_NG_RUNNING} -eq 1 ]; then
SYSLOGD_CONF="/etc/syslog-ng/syslog-ng.conf"
- else
+ else
SYSLOGD_CONF="/etc/syslog.conf"
fi
if [ -f ${SYSLOGD_CONF} ]; then
LogText "Test: check if logs are also logged to a remote logging host"
- FIND=`${EGREPBINARY} "@[a-zA-Z0-9]|destination\s.+(udp|tcp).+\sport" ${SYSLOGD_CONF} | ${GREPBINARY} -v "^#" | ${GREPBINARY} -v "[a-zA-Z0-9]@"`
- if [ ! "${FIND}" = "" ]; then
+ FIND=$(${EGREPBINARY} "@[a-zA-Z0-9]|destination\s.+(udp|tcp).+\sport" ${SYSLOGD_CONF} | ${GREPBINARY} -v "^#" | ${GREPBINARY} -v "[a-zA-Z0-9]@")
+ if [ ! -z "${FIND}" ]; then
LogText "Result: remote logging enabled"
REMOTE_LOGGING_ENABLED=1
else
# Search for configured destinations with an IP address or hostname, then determine which ones are used as a log destination
- DESTINATIONS=`${GREPBINARY} "^destination" ${SYSLOGD_CONF} | ${EGREPBINARY} "(udp|tcp)" | ${GREPBINARY} "port" | ${AWKBINARY} '{print $2}'`
+ DESTINATIONS=$(${GREPBINARY} "^destination" ${SYSLOGD_CONF} | ${EGREPBINARY} "(udp|tcp)" | ${GREPBINARY} "port" | ${AWKBINARY} '{print $2}')
for DESTINATION in ${DESTINATIONS}; do
- FIND2=`${GREPBINARY} "log" | ${GREPBINARY} "source" | ${EGREPBINARY} "destination\(${DESTINATION}\)"`
- if [ ! "${FIND2}" = "" ]; then
+ FIND2=$(${GREPBINARY} "log" | ${GREPBINARY} "source" | ${EGREPBINARY} "destination\(${DESTINATION}\)")
+ if [ ! -z "${FIND2}" = "" ]; then
LogText "Result: found destination ${DESTINATION} configured for remote logging"
REMOTE_LOGGING_ENABLED=1
fi
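Review bot: The new condition `if [ ! -z "${FIND2}" = "" ]; then` is not a valid test expression, because the old `= ""` comparison was left behind. The shell reports an error and the branch that sets REMOTE_LOGGING_ENABLED=1 is never taken for destinations found this way. It should be `if [ ! -z "${FIND2}" ]; then`. In the line above, the first `${GREPBINARY} "log"` has no file argument and so reads standard input instead of the configuration; it presumably needs `${SYSLOGD_CONF}`. The loop continues outside the hunk.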
@@ -369,7 +369,7 @@
ReportSuggestion ${TEST_NO} "Enable logging to an external logging host for archiving purposes and additional protection"
AddHP 1 3
Display --indent 2 --text "- Checking remote logging" --result "NOT ENABLED" --color YELLOW
- else
+ else
AddHP 5 5
Display --indent 2 --text "- Checking remote logging" --result "${STATUS_ENABLED}" --color GREEN
fi
@@ -382,11 +382,11 @@
#
# Test : LOGG-2160
# Description : Check for /etc/newsyslog.conf (FreeBSD/OpenBSD)
- if [ -f /etc/newsyslog.conf ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ if [ -f ${ROOTDIR}etc/newsyslog.conf ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no LOGG-2160 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking /etc/newsyslog.conf"
if [ ${SKIPTEST} -eq 0 ]; then
- LogText "Result: /etc/newsyslog.conf found"
- Display --indent 2 --text "- Checking /etc/newsyslog.conf" --result "${STATUS_FOUND}" --color GREEN
+ LogText "Result: ${ROOTDIR}etc/newsyslog.conf found"
+ Display --indent 2 --text "- Checking ${ROOTDIR}etc/newsyslog.conf" --result "${STATUS_FOUND}" --color GREEN
LOGROTATE_CONFIG_FOUND=1
LOGROTATE_TOOL="newsyslog"
fi
@@ -399,12 +399,12 @@
Register --test-no LOGG-2162 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking directories in /etc/newsyslog.conf"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: parsing directories from /etc/newsyslog.conf file"
- FIND=`${AWKBINARY} '/^\// { print $1 }' /etc/newsyslog.conf | ${SEDBINARY} 's/\/*[a-zA-Z_.-]*$//g' | ${SORTBINARY} -u`
+ FIND=$(${AWKBINARY} '/^\// { print $1 }' /etc/newsyslog.conf | ${SEDBINARY} 's/\/*[a-zA-Z_.-]*$//g' | ${SORTBINARY} -u)
for I in ${FIND}; do
if [ -d ${I} ]; then
LogText "Result: Directory ${I} found and exists"
Report "log_directory[]=${I}"
- else
+ else
LogText "Result: Item ${I} is not a directory"
fi
done
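Review bot: The `FIND=$(...)` line in LOGG-2162 still reads the hard-coded `/etc/newsyslog.conf`, while LOGG-2160 and LOGG-2164 in this same commit were switched to `${ROOTDIR}etc/newsyslog.conf`. If ROOTDIR ever points somewhere other than `/`, this test parses a different file from the one its neighbours checked. The awk argument should become `"${ROOTDIR}etc/newsyslog.conf"` (quoted, so a root path containing whitespace is not split), and the `LogText "Test: parsing directories from ..."` message should follow. The prerequisite check for this test is outside the hunk, so confirm it was updated as well.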
@@ -415,15 +415,15 @@
#
# Test : LOGG-2164
# Description : Check for files in /etc/newsyslog.conf
- if [ -f /etc/newsyslog.conf ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ if [ -f ${ROOTDIR}etc/newsyslog.conf ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no LOGG-2164 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking files specified /etc/newsyslog.conf"
if [ ${SKIPTEST} -eq 0 ]; then
- LogText "Test: parsing files from /etc/newsyslog.conf file"
- FIND=`${AWKBINARY} '/^\// { print $1 }' /etc/newsyslog.conf | ${SORTBINARY} -u`
+ LogText "Test: parsing files from ${ROOTDIR}etc/newsyslog.conf file"
+ FIND=$(${AWKBINARY} '/^\// { print $1 }' ${ROOTDIR}etc/newsyslog.conf | ${SORTBINARY} -u)
for I in ${FIND}; do
if [ -f ${I} ]; then
LogText "Result: File ${I} found and exists"
- else
+ else
LogText "Result: Item ${I} is not a file"
fi
done
@@ -441,7 +441,7 @@
if [ -d ${I} ]; then
LogText "Result: directory ${I} exists"
Report "log_directory[]=${I}"
- else
+ else
LogText "Result: directory ${I} can't be found"
fi
done
@@ -455,14 +455,14 @@
Register --test-no LOGG-2180 --weight L --network NO --category security --description "Checking open log files"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: checking open log files with lsof"
- if [ ! "${LSOFBINARY}" = "" ]; then
- FIND=`${LSOFBINARY} -n 2>&1 | ${GREPBINARY} "log$" | ${EGREPBINARY} -v "WARNING|Output information" | ${AWKBINARY} '{ if ($5=="REG") { print $9 } }' | ${SORTBINARY} -u | ${GREPBINARY} -v "^$"`
+ if [ ! -z "${LSOFBINARY}" ]; then
+ FIND=$(${LSOFBINARY} -n 2>&1 | ${GREPBINARY} "log$" | ${EGREPBINARY} -v "WARNING|Output information" | ${AWKBINARY} '{ if ($5=="REG") { print $9 } }' | ${SORTBINARY} -u | ${GREPBINARY} -v "^$")
for I in ${FIND}; do
LogText "Found logfile: ${I}"
Report "open_logfile[]=${I}"
done
Display --indent 2 --text "- Checking open log files" --result "${STATUS_DONE}" --color GREEN
- else
+ else
LogText "Result: lsof not installed, skipping test"
Display --indent 2 --text "- Checking open log files" --result "${STATUS_SKIPPED}" --color YELLOW
# Add suggestion
@@ -493,7 +493,7 @@
fi
FIND=$(${LSOFBINARY} -n +L 1 2>&1 | ${EGREPBINARY} -vw "${LSOF_GREP}" | ${AWKBINARY} '{ if ($5=="REG") { printf "%s(%s)\n", $10, $1 } }' | ${GREPBINARY} -v "^$" | ${SORTBINARY} -u)
- if [ ! "${FIND}" = "" ]; then
+ if [ ! -z "${FIND}" ]; then
LogText "Result: found one or more files which are deleted, but still in use"
for I in ${FIND}; do
LogText "Found deleted file: ${I}"
diff --git a/include/tests_mac_frameworks b/include/tests_mac_frameworks
index dbe833d9..37fef258 100644
--- a/include/tests_mac_frameworks
+++ b/include/tests_mac_frameworks
@@ -31,11 +31,11 @@
# Description : Check if AppArmor is installed
Register --test-no MACF-6204 --weight L --network NO --category security --description "Check AppArmor presence"
if [ ${SKIPTEST} -eq 0 ]; then
- if [ "${AASTATUSBINARY}" = "" ]; then
+ if [ -z "${AASTATUSBINARY}" ]; then
APPARMORFOUND=0
LogText "Result: aa-status binary not found, AppArmor not installed"
Display --indent 2 --text "- Checking presence AppArmor" --result "${STATUS_NOT_FOUND}" --color WHITE
- else
+ else
APPARMORFOUND=1
LogText "Result: aa-status binary found, AppArmor is installed"
Display --indent 2 --text "- Checking presence AppArmor" --result "${STATUS_FOUND}" --color GREEN
@@ -49,14 +49,14 @@
if [ ${APPARMORFOUND} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no MACF-6208 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check if AppArmor is enabled"
if [ ${SKIPTEST} -eq 0 ]; then
- if [ ! "${AASTATUSBINARY}" = "" ]; then
+ if [ ! -z "${AASTATUSBINARY}" ]; then
# Checking AppArmor status
# 0 if apparmor is enabled and policy is loaded.
# 1 if apparmor is not enabled/loaded.
# 2 if apparmor is enabled but no policy is loaded.
# 3 if control files are not available
# 4 if apparmor status can't be read
- FIND=`${AASTATUSBINARY} > /dev/null; echo $?`
+ FIND=$(${AASTATUSBINARY} > /dev/null; echo $?)
if [ ${FIND} -eq 0 ]; then
MAC_FRAMEWORK_ACTIVE=1
LogText "Result: AppArmor is enabled and a policy is loaded"
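Review bot: Capturing the exit status with `FIND=$(${AASTATUSBINARY} > /dev/null; echo $?)` starts a subshell for a value the shell already provides, and any error text from aa-status still reaches the terminal because stderr is not redirected. `${AASTATUSBINARY} > /dev/null 2>&1; FIND=$?` gives the same number with less machinery. A more descriptive name than `FIND` would also help here, since the variable holds a status code that the listed comment maps to five different states. The handling of the non-zero codes is outside the hunk.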
@@ -93,10 +93,10 @@
Register --test-no MACF-6232 --weight L --network NO --category security --description "Check SELINUX presence"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: checking if we have sestatus binary"
- if [ ! "${SESTATUSBINARY}" = "" ]; then
+ if [ ! -z "${SESTATUSBINARY}" ]; then
LogText "Result: found sestatus binary (${SESTATUSBINARY})"
Display --indent 2 --text "- Checking presence SELinux" --result "${STATUS_FOUND}" --color GREEN
- else
+ else
LogText "Result: sestatus binary NOT found"
Display --indent 2 --text "- Checking presence SELinux" --result "${STATUS_NOT_FOUND}" --color WHITE
fi
@@ -110,22 +110,22 @@
Register --test-no MACF-6234 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check SELINUX status"
if [ ${SKIPTEST} -eq 0 ]; then
# Status: Enabled/Disabled
- FIND=`${SESTATUSBINARY} | ${GREPBINARY} "^SELinux status" | ${AWKBINARY} '{ print $3 }'`
+ FIND=$(${SESTATUSBINARY} | ${GREPBINARY} "^SELinux status" | ${AWKBINARY} '{ print $3 }')
if [ "${FIND}" = "enabled" ]; then
MAC_FRAMEWORK_ACTIVE=1
LogText "Result: SELinux framework is enabled"
Report "selinux_status=1"
SELINUXFOUND=1
Display --indent 4 --text "- Checking SELinux status" --result "${STATUS_ENABLED}" --color GREEN
- FIND=`${SESTATUSBINARY} | ${GREPBINARY} "^Current mode" | ${AWKBINARY} '{ print $3 }'`
+ FIND=$(${SESTATUSBINARY} | ${GREPBINARY} "^Current mode" | ${AWKBINARY} '{ print $3 }')
Report "selinux_mode=${FIND}"
- FIND2=`${SESTATUSBINARY} | ${GREPBINARY} "^Mode from config file" | ${AWKBINARY} '{ print $5 }'`
+ FIND2=$(${SESTATUSBINARY} | ${GREPBINARY} "^Mode from config file" | ${AWKBINARY} '{ print $5 }')
LogText "Result: current SELinux mode is ${FIND}"
LogText "Result: mode configured in config file is ${FIND2}"
if [ "${FIND}" = "${FIND2}" ]; then
LogText "Result: Current SELinux mode is the same as in config file."
Display --indent 6 --text "- Checking current mode and config file" --result "${STATUS_OK}" --color GREEN
- else
+ else
LogText "Result: Current SELinux mode (${FIND}) is NOT the same as in config file (${FIND2})."
ReportWarning ${TEST_NO} "Current SELinux mode is different from config file (current: ${FIND}, config file: ${FIND2})"
Display --indent 6 --text "- Checking current mode and config file" --result "${STATUS_WARNING}" --color RED
@@ -145,19 +145,19 @@
Register --test-no RBAC-6272 --weight L --network NO --category security --description "Check grsecurity presence"
if [ ${SKIPTEST} -eq 0 ]; then
# Check Linux kernel configuration
- if [ ! "${LINUXCONFIGFILE}" = "" -a -f "${LINUXCONFIGFILE}" ]; then
- FIND=`${GREPBINARY} ^CONFIG_GRKERNSEC=y ${LINUXCONFIGFILE}`
+ if [ ! -z "${LINUXCONFIGFILE}" -a -f "${LINUXCONFIGFILE}" ]; then
+ FIND=$(${GREPBINARY} ^CONFIG_GRKERNSEC=y ${LINUXCONFIGFILE})
if [ ! "${FIND}" = "" ]; then
LogText "Result: grsecurity available (in kernel config)"
GRSEC_FOUND=1
- else
+ else
LogText "Result: no grsecurity found in kernel config"
fi
fi
if [ ${GRSEC_FOUND} -eq 1 ]; then
Display --indent 2 --text "- Checking presence grsecurity" --result "${STATUS_FOUND}" --color GREEN
AddHP 3 3
- else
+ else
Display --indent 2 --text "- Checking presence grsecurity" --result "${STATUS_NOT_FOUND}" --color WHITE
fi
fi
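Review bot: The new condition `[ ! -z "${LINUXCONFIGFILE}" -a -f "${LINUXCONFIGFILE}" ]` keeps the `-a` operator, which POSIX marks obsolescent because multi-operand `[` expressions can parse ambiguously. `-f` on an empty string is already false, so `if [ -f "${LINUXCONFIGFILE}" ]; then` is sufficient. The next test, `if [ ! "${FIND}" = "" ]`, was left in the old form while the rest of the commit moves to `-z`; the same leftover is visible in the MAIL-8920, NAME-4020 and dnsdomainname hunks further down. `${LINUXCONFIGFILE}` is also unquoted in the grep call, so a path containing whitespace would be split into several arguments.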
@@ -172,7 +172,7 @@
Display --indent 2 --text "- Checking for implemented MAC framework" --result "${STATUS_OK}" --color GREEN
AddHP 3 3
LogText "Result: found implemented MAC framework"
- else
+ else
Display --indent 2 --text "- Checking for implemented MAC framework" --result "${STATUS_NONE}" --color YELLOW
AddHP 2 3
LogText "Result: found no implemented MAC framework"
diff --git a/include/tests_mail_messaging b/include/tests_mail_messaging
index 827c580b..4e6cd8ee 100644
--- a/include/tests_mail_messaging
+++ b/include/tests_mail_messaging
@@ -28,11 +28,13 @@
#
DOVECOT_RUNNING=0
EXIM_RUNNING=0
- SMTP_DAEMON=""
+ IMAP_DAEMON=""
+ OPENSMTPD_RUNNING=0
+ POP3_DAEMON=""
POSTFIX_RUNNING=0
QMAIL_RUNNING=0
SENDMAIL_RUNNING=0
- OPENSMTPD_RUNNING=0
+ SMTP_DAEMON=""
#
#################################################################################
#
@@ -47,7 +49,7 @@
Display --indent 2 --text "- Checking Exim status" --result "${STATUS_RUNNING}" --color GREEN
EXIM_RUNNING=1
SMTP_DAEMON="exim"
- else
+ else
LogText "Result: no running Exim processes found"
Display --indent 2 --text "- Checking Exim status" --result "${STATUS_NOT_FOUND}" --color WHITE
fi
@@ -62,15 +64,13 @@
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: check Postfix status"
# Some other processes also use master, therefore it should include both master and postfix
- FIND1=`${PSBINARY} ax | ${GREPBINARY} "master" | ${GREPBINARY} "postfix" | ${GREPBINARY} -v "grep"`
- #FIND2=`${PSBINARY} ax | ${GREPBINARY} "qmgr" | ${GREPBINARY} "postfix" | ${GREPBINARY} -v "grep"`
- #FIND3=`${PSBINARY} ax | ${GREPBINARY} "pickup" | ${GREPBINARY} "postfix" | ${GREPBINARY} -v "grep"`
- if [ ! "${FIND1}" = "" ]; then
+ FIND1=$(${PSBINARY} ax | ${GREPBINARY} "master" | ${GREPBINARY} "postfix" | ${GREPBINARY} -v "grep")
+ if [ ! -z "${FIND1}" ]; then
LogText "Result: found running Postfix process"
Display --indent 2 --text "- Checking Postfix status" --result "${STATUS_RUNNING}" --color GREEN
POSTFIX_RUNNING=1
SMTP_DAEMON="postfix"
- else
+ else
LogText "Result: no running Postfix processes found"
Display --indent 2 --text "- Checking Postfix status" --result "${STATUS_NOT_FOUND}" --color WHITE
fi
@@ -84,7 +84,7 @@
Register --test-no MAIL-8816 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check Postfix configuration"
if [ ${SKIPTEST} -eq 0 ]; then
Display --indent 2 --text "- Checking Postfix configuration" --result "${STATUS_FOUND}" --color GREEN
- POSTFIX_CONFIGDIR=`${POSTCONFBINARY} 2> /dev/null | ${GREPBINARY} '^config_directory' | ${AWKBINARY} '{ print $3 }'`
+ POSTFIX_CONFIGDIR=$(${POSTCONFBINARY} 2> /dev/null | ${GREPBINARY} '^config_directory' | ${AWKBINARY} '{ print $3 }')
POSTFIX_CONFIGFILE="${POSTFIX_CONFIGDIR}/main.cf"
LogText "Postfix configuration directory: ${POSTFIX_CONFIGDIR}"
LogText "Postfix configuration file: ${POSTFIX_CONFIGFILE}"
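Review bot: Nothing checks that `POSTFIX_CONFIGDIR` is non-empty before `POSTFIX_CONFIGFILE="${POSTFIX_CONFIGDIR}/main.cf"` is built. Because stderr is discarded, a failing postconf leaves the directory empty without any trace and the file path silently becomes `/main.cf`, which the rest of the test (outside this hunk) would then work with. A guard such as `if [ -z "${POSTFIX_CONFIGDIR}" ]; then LogText "Result: could not determine Postfix configuration directory"; fi` ahead of the assignment would make the failure visible in the log. The "FOUND" result is also displayed before the configuration has been located.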
@@ -135,7 +135,7 @@
DOVECOT_RUNNING=1
IMAP_DAEMON="dovecot"
POP3_DAEMON="dovecot"
- else
+ else
LogText "Result: dovecot not found"
Display --indent 2 --text "- Checking Dovecot status" --result "${STATUS_NOT_FOUND}" --color WHITE
fi
@@ -154,7 +154,7 @@
Display --indent 2 --text "- Checking Qmail status" --result "${STATUS_RUNNING}" --color GREEN
QMAIL_RUNNING=1
SMTP_DAEMON="qmail"
- else
+ else
LogText "Result: no running Qmail processes found"
Display --indent 2 --text "- Checking Qmail status" --result "${STATUS_NOT_FOUND}" --color WHITE
fi
@@ -173,7 +173,7 @@
Display --indent 2 --text "- Checking Sendmail status" --result "${STATUS_RUNNING}" --color GREEN
SENDMAIL_RUNNING=1
SMTP_DAEMON="sendmail"
- else
+ else
LogText "Result: no running Sendmail processes found"
Display --indent 2 --text "- Checking Sendmail status" --result "${STATUS_NOT_FOUND}" --color WHITE
fi
@@ -183,17 +183,17 @@
#
# Test : MAIL-8920
# Description : Check OpenSMTPD process status
- if [ ! "${SMTPCTLBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ if [ ! -z "${SMTPCTLBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no MAIL-8920 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check OpenSMTPD status"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: check smtpd status"
- FIND=`${PSBINARY} ax | ${EGREPBINARY} "(/smtpd|smtpd: \[priv\]|smtpd: smtp)" | ${GREPBINARY} -v "grep"`
+ FIND=$(${PSBINARY} ax | ${EGREPBINARY} "(/smtpd|smtpd: \[priv\]|smtpd: smtp)" | ${GREPBINARY} -v "grep")
if [ ! "${FIND}" = "" ]; then
LogText "Result: found running smtpd process"
Display --indent 2 --text "- Checking OpenSMTPD status" --result "${STATUS_RUNNING}" --color GREEN
OPENSMTPD_RUNNING=1
SMTP_DAEMON="opensmtpd"
- else
+ else
LogText "Result: smtpd not found"
Display --indent 2 --text "- Checking OpenSMTPD status" --result "${STATUS_NOT_FOUND}" --color WHITE
fi
diff --git a/include/tests_malware b/include/tests_malware
index 19523931..0cc9424f 100644
--- a/include/tests_malware
+++ b/include/tests_malware
@@ -41,13 +41,13 @@
Register --test-no MALW-3275 --weight L --network NO --category security --description "Check for chkrootkit"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: checking presence chkrootkit"
- if [ ! "${CHKROOTKITBINARY}" = "" ]; then
+ if [ ! -z "${CHKROOTKITBINARY}" ]; then
Display --indent 2 --text "- ${GEN_CHECKING} chkrootkit" --result "${STATUS_FOUND}" --color GREEN
LogText "Result: Found ${CHKROOTKITBINARY}"
MALWARE_SCANNER_INSTALLED=1
AddHP 2 2
Report "malware_scanner[]=chkrootkit"
- else
+ else
LogText "Result: chkrootkit not found"
fi
fi
@@ -59,13 +59,13 @@
Register --test-no MALW-3276 --weight L --network NO --category security --description "Check for Rootkit Hunter"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: checking presence Rootkit Hunter"
- if [ ! "${RKHUNTERBINARY}" = "" ]; then
+ if [ ! -z "${RKHUNTERBINARY}" ]; then
Display --indent 2 --text "- ${GEN_CHECKING} Rootkit Hunter" --result "${STATUS_FOUND}" --color GREEN
LogText "Result: Found ${RKHUNTERBINARY}"
MALWARE_SCANNER_INSTALLED=1
AddHP 2 2
Report "malware_scanner[]=rkhunter"
- else
+ else
LogText "Result: Rootkit Hunter not found"
fi
fi
@@ -83,7 +83,7 @@
MALWARE_SCANNER_INSTALLED=1
AddHP 2 2
Report "malware_scanner[]=lmd"
- else
+ else
LogText "Result: LMD not found"
fi
fi
@@ -113,11 +113,11 @@
LogText "Test: checking process cma or cmdagent (McAfee)"
# cma is too generic to match on, so we want to ensure that it is related to McAfee first
if [ -x /opt/McAfee/cma/bin/cma ]; then
- IsRunning cma
- if [ ${RUNNING} -eq 1 ]; then MCAFEE_SCANNER_RUNNING=1; fi
- else
- IsRunning cmdagent
- if [ ${RUNNING} -eq 1 ]; then MCAFEE_SCANNER_RUNNING=1; fi
+ IsRunning cma
+ if [ ${RUNNING} -eq 1 ]; then MCAFEE_SCANNER_RUNNING=1; fi
+ else
+ IsRunning cmdagent
+ if [ ${RUNNING} -eq 1 ]; then MCAFEE_SCANNER_RUNNING=1; fi
fi
if [ ${MCAFEE_SCANNER_RUNNING} -eq 1 ]; then
FOUND=1
@@ -167,7 +167,7 @@
MALWARE_SCANNER_INSTALLED=1
CLAMSCAN_INSTALLED=1
AddHP 2 2
- else
+ else
LogText "Result: clamscan couldn't be found"
fi
fi
@@ -185,7 +185,7 @@
LogText "Result: found running clamd process"
MALWARE_SCANNER_INSTALLED=1
CLAMD_RUNNING=1
- else
+ else
LogText "Result: clamd not running"
fi
fi
@@ -204,7 +204,7 @@
Display --indent 4 --text "- ${GEN_CHECKING} freshclam" --result "${STATUS_FOUND}" --color GREEN
LogText "Result: found running freshclam process"
AddHP 2 2
- else
+ else
Display --indent 4 --text "- ${GEN_CHECKING} freshclam" --result "${STATUS_SUGGESTION}" --color YELLOW
LogText "Result: freshclam is not running"
ReportSuggestion ${TEST_NO} "Confirm that freshclam is properly configured and keeps updating the ClamAV database"
@@ -218,14 +218,14 @@
if [ -d /Applications/ClamXav.app/Contents/Resources/ScanningEngine/bin/ ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no MALW-3288 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for ClamXav"
if [ ${SKIPTEST} -eq 0 ]; then
- CLAMSCANBINARY=`ls /Applications/ClamXav.app/Contents/Resources/ScanningEngine/bin/ 2> /dev/null | ${GREPBINARY} 'clamscan'`
- if [ ! "${CLAMSCANBINARY}" = "" ]; then
+ CLAMSCANBINARY=$(${LSBINARY} /Applications/ClamXav.app/Contents/Resources/ScanningEngine/bin/ 2> /dev/null | ${GREPBINARY} 'clamscan')
+ if [ ! -z "${CLAMSCANBINARY}" ]; then
LogText "Result: Found ClamXav clamscan installed"
Display --indent 2 --text "- ${GEN_CHECKING} ClamXav AV scanner" --result "${STATUS_FOUND}" --color GREEN
MALWARE_SCANNER_INSTALLED=1
CLAMSCAN_INSTALLED=1
AddHP 3 3
- else
+ else
LogText "Result: ClamXav malware scanner not found"
AddHP 0 3
fi
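Review bot: `CLAMSCANBINARY` is filled from a directory listing filtered with grep, so it ends up holding a bare file name rather than a path, and possibly several names, since the pattern matches any entry that merely contains `clamscan`. If a later test executes `${CLAMSCANBINARY}`, the name would be resolved through PATH instead of the ClamXav directory; whether that happens is not visible in this hunk. Testing the expected file directly avoids both problems, for example `CLAMXAV_BIN="/Applications/ClamXav.app/Contents/Resources/ScanningEngine/bin/clamscan"` followed by `if [ -x "${CLAMXAV_BIN}" ]; then CLAMSCANBINARY="${CLAMXAV_BIN}"`. That also removes the dependency on `${LSBINARY}` being set.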
diff --git a/include/tests_memory_processes b/include/tests_memory_processes
index c767ddd0..a46650b0 100644
--- a/include/tests_memory_processes
+++ b/include/tests_memory_processes
@@ -33,13 +33,13 @@
if [ -f /proc/meminfo ]; then
LogText "Result: found /proc/meminfo"
Display --indent 2 --text "- Checking /proc/meminfo" --result "${STATUS_FOUND}" --color GREEN
- FIND=`${AWKBINARY} '/^MemTotal/ { print $2, $3 }' /proc/meminfo`
- MEMORY_SIZE=`echo ${FIND} | ${AWKBINARY} '{ print $1 }'`
- MEMORY_UNITS=`echo ${FIND} | ${AWKBINARY} '{ print $2 }'`
+ FIND=$(${AWKBINARY} '/^MemTotal/ { print $2, $3 }' /proc/meminfo)
+ MEMORY_SIZE=$(echo ${FIND} | ${AWKBINARY} '{ print $1 }')
+ MEMORY_UNITS=$(echo ${FIND} | ${AWKBINARY} '{ print $2 }')
LogText "Result: Found ${MEMORY_SIZE} ${MEMORY_UNITS} memory"
Report "memory_size=${MEMORY_SIZE}"
Report "memory_units=${MEMORY_UNITS}"
- else
+ else
LogText "Result: /proc/meminfo file not found on this system"
fi
fi
@@ -48,17 +48,18 @@
#
# Test : PROC-3604
# Description : Query /proc/meminfo
+ # Notes : TODO - prtconf replacement
Register --test-no PROC-3604 --os Solaris --weight L --network NO --category security --description "Query prtconf for memory details"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Searching /usr/sbin/prtconf"
if [ -x /usr/sbin/prtconf ]; then
Display --indent 2 --text "- Querying prtconf for installed memory" --result "${STATUS_DONE}" --color GREEN
- MEMORY_SIZE=`/usr/sbin/prtconf | ${GREPBINARY} "^Memory size:" | ${CUTBINARY} -d ' ' -f3`
- MEMORY_UNITS=`/usr/sbin/prtconf | ${GREPBINARY} "^Memory size:" | ${CUTBINARY} -d ' ' -f4`
+ MEMORY_SIZE=$(/usr/sbin/prtconf | ${GREPBINARY} "^Memory size:" | ${CUTBINARY} -d ' ' -f3)
+ MEMORY_UNITS=$(/usr/sbin/prtconf | ${GREPBINARY} "^Memory size:" | ${CUTBINARY} -d ' ' -f4)
LogText "Result: Found ${MEMORY_SIZE} ${MEMORY_UNITS} memory"
Report "memory_size=${MEMORY_SIZE}"
Report "memory_units=${MEMORY_UNITS}"
- else
+ else
Display --indent 2 --text "- Querying prtconf for installed memory" --result "${STATUS_SKIPPED}" --color WHITE
LogText "Result: /usr/sbin/prtconf not found"
fi
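Review bot: The header comment for PROC-3604 still says `# Description : Query /proc/meminfo`, apparently copied from the previous test, although this test runs prtconf on Solaris. It should read `# Description : Query prtconf for memory details`, matching the Register description, and the new `TODO - prtconf replacement` note would be clearer if it said what is to be replaced (presumably the hard-coded `/usr/sbin/prtconf` path). prtconf is also run twice to read two fields of the same line; storing the matched line once and cutting both fields from it would halve the work.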
@@ -73,14 +74,14 @@
Register --test-no PROC-3612 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check dead or zombie processes"
if [ ${SKIPTEST} -eq 0 ]; then
if [ "${OS}" = "AIX" ]; then
- FIND=`${PSBINARY} -Ae -o pid,stat,comm | ${AWKBINARY} '{ if ($2 ~ /Z|X/) print $1 }' | xargs`
- else
- FIND=`${PSBINARY} x -o pid,stat,comm | ${AWKBINARY} '{ if ($2 ~ /Z|X/) print $1 }' | xargs`
+ FIND=$(${PSBINARY} -Ae -o pid,stat,comm | ${AWKBINARY} '{ if ($2 ~ /Z|X/) print $1 }' | ${XARGSBINARY})
+ else
+ FIND=$(${PSBINARY} x -o pid,stat,comm | ${AWKBINARY} '{ if ($2 ~ /Z|X/) print $1 }' | ${XARGSBINARY})
fi
- if [ "${FIND}" = "" ]; then
+ if [ -z "${FIND}" ]; then
LogText "Result: no zombie processes found"
Display --indent 2 --text "- Searching for dead/zombie processes" --result "${STATUS_OK}" --color GREEN
- else
+ else
LogText "Result: found one or more dead or zombie processes"
LogText "Output: PIDs ${FIND}"
Display --indent 2 --text "- Searching for dead/zombie processes" --result "${STATUS_WARNING}" --color RED
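Review bot: Replacing `xargs` with `${XARGSBINARY}` makes the outcome depend on that variable being populated. If it is empty, the last pipeline stage expands to nothing, `FIND` would most likely stay empty, and the test logs "no zombie processes found" without having checked anything. Where XARGSBINARY is assigned is not visible in this diff, so either confirm it is always set or drop the extra stage and let awk join the PIDs itself: `${AWKBINARY} '{ if ($2 ~ /Z|X/) printf "%s ", $1 }'`. The PROC-3614 hunk below has the same construction.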
@@ -97,14 +98,14 @@
Register --test-no PROC-3614 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check heavy IO waiting based processes"
if [ ${SKIPTEST} -eq 0 ]; then
if [ "${OS}" = "AIX" ]; then
- FIND=`${PSBINARY} -Ae -o pid,stat,comm | ${AWKBINARY} '{ if ($2=="D") print $1 }' | xargs`
- else
- FIND=`${PSBINARY} x -o pid,stat,comm | ${AWKBINARY} '{ if ($2=="D") print $1 }' | xargs`
+ FIND=$(${PSBINARY} -Ae -o pid,stat,comm | ${AWKBINARY} '{ if ($2=="D") print $1 }' | ${XARGSBINARY})
+ else
+ FIND=$(${PSBINARY} x -o pid,stat,comm | ${AWKBINARY} '{ if ($2=="D") print $1 }' | ${XARGSBINARY})
fi
- if [ "${FIND}" = "" ]; then
+ if [ -z "${FIND}" ]; then
LogText "Result: No processes were waiting for IO requests to be handled first"
Display --indent 2 --text "- Searching for IO waiting processes" --result "${STATUS_OK}" --color GREEN
- else
+ else
LogText "Result: found one or more processes which were waiting to get IO requests handled first"
LogText "More info: processes which show up with the status flag 'D' are often stuck, until a disk IO event finished. This can happen for example with network storage, where the connection or protocol settings are not logtext well configured."
LogText "Output: PIDs ${FIND}"
diff --git a/include/tests_nameservices b/include/tests_nameservices
index 4b4c2863..e7bb7800 100644
--- a/include/tests_nameservices
+++ b/include/tests_nameservices
@@ -27,10 +27,10 @@
#################################################################################
#
BIND_RUNNING=0
- BIND_CONFIG_LOCS="/etc /etc/bind /usr/local/etc /usr/local/etc/namedb"
+ BIND_CONFIG_LOCS="${ROOTDIR}etc ${ROOTDIR}etc/bind ${ROOTDIR}usr/local/etc ${ROOTDIR}usr/local/etc/namedb"
BIND_CONFIG_LOCATION=""
POWERDNS_RUNNING=0
- POWERDNS_CONFIG_LOCS="/etc/powerdns /usr/local/etc"
+ POWERDNS_CONFIG_LOCS="${ROOTDIR}etc/powerdns ${ROOTDIR}usr/local/etc"
POWERDNS_AUTH_CONFIG_LOCATION=""
POWERDNS_AUTH_MASTER=0
POWERDNS_AUTH_SLAVE=0
@@ -43,14 +43,14 @@
# Description : Check main domain (domain <domain name> in /etc/resolv.conf)
Register --test-no NAME-4016 --weight L --network NO --category security --description "Check /etc/resolv.conf default domain"
if [ ${SKIPTEST} -eq 0 ]; then
- LogText "Test: check /etc/resolv.conf for default domain"
- if [ -f /etc/resolv.conf ]; then
- LogText "Result: /etc/resolv.conf found"
- FIND=`${AWKBINARY} '/^domain/ { print $2 }' /etc/resolv.conf`
- if [ "${FIND}" = "" ]; then
+ LogText "Test: check ${ROOTDIR}etc/resolv.conf for default domain"
+ if [ -f ${ROOTDIR}etc/resolv.conf ]; then
+ LogText "Result: ${ROOTDIR}etc/resolv.conf found"
+ FIND=$(${AWKBINARY} '/^domain/ { print $2 }' ${ROOTDIR}etc/resolv.conf)
+ if [ -z "${FIND}" ]; then
LogText "Result: no default domain found"
if IsVerbose; then Display --indent 2 --text "- Checking default DNS search domain" --result "${STATUS_NONE}" --color WHITE; fi
- else
+ else
LogText "Result: found default domain"
LogText "Output: ${FIND}"
Report "resolv_conf_domain=${FIND}"
@@ -68,13 +68,13 @@
Register --test-no NAME-4018 --weight L --network NO --category security --description "Check /etc/resolv.conf search domains"
if [ ${SKIPTEST} -eq 0 ]; then
N=0
- LogText "Test: check /etc/resolv.conf for search domains"
- if [ -f /etc/resolv.conf ]; then
- LogText "Result: /etc/resolv.conf found"
- FIND=`${AWKBINARY} '/^search/ { print $2 }' /etc/resolv.conf`
- if [ "${FIND}" = "" ]; then
+ LogText "Test: check ${ROOTDIR}etc/resolv.conf for search domains"
+ if [ -f ${ROOTDIR}etc/resolv.conf ]; then
+ LogText "Result: ${ROOTDIR}etc/resolv.conf found"
+ FIND=$(${AWKBINARY} '/^search/ { print $2 }' ${ROOTDIR}etc/resolv.conf)
+ if [ -z "${FIND}" ]; then
LogText "Result: no search domains found, default domain is being used"
- else
+ else
for I in ${FIND}; do
LogText "Found search domain: ${I}"
Report "resolv_conf_search_domain[]=${I}"
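Review bot: The awk program on the new `FIND=$(...)` line prints only `$2`, the first domain of each `search` line. A resolv.conf containing `search a.example b.example c.example` (constructed example) is therefore reported as having one search domain. The count that is later compared against the limit of 6 cannot exceed the number of `search` lines, so the warning is effectively unreachable for the usual single-line form. Printing every field fixes it: `'/^search/ { for (i = 2; i <= NF; i++) print $i }'`. The loop body continues outside the hunk.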
@@ -85,25 +85,25 @@
LogText "Result: Found ${N} search domains"
Display --indent 2 --text "- Checking search domains" --result "${STATUS_WARNING}" --color YELLOW
ReportWarning ${TEST_NO} "Found more than 6 search domains, which is usually more than the maximum allowed number in most resolvers"
- else
+ else
LogText "Result: Found ${N} search domains"
Display --indent 2 --text "- Checking search domains" --result "${STATUS_FOUND}" --color GREEN
fi
fi
- else
- LogText "Result: /etc/resolv.conf does not exist, skipping test"
+ else
+ LogText "Result: ${ROOTDIR}etc/resolv.conf does not exist, skipping test"
Display --indent 2 --text "- Checking search domains" --result "${STATUS_NOT_FOUND}" --color YELLOW
fi
# Check amount of search domains (max 1)
- FIND=`${GREPBINARY} -c "^search" /etc/resolv.conf`
- if [ ! "${FIND}" = "0" -a ! "${FIND}" = "1" ]; then
- LogText "Result: found ${FIND} line(s) with a search statement (expecting less than 2 lines)"
- Display --indent 4 --text "- Checking search domains lines" --result "CONFIG ERROR" --color YELLOW
- ReportWarning ${TEST_NO} "Found more than 1 search lines in /etc/resolv.conf, which is probably a misconfiguration"
- else
- LogText "Result: found ${FIND} line(s) with a search statement (expecting less than 2 lines)"
- fi
+ FIND=$(${GREPBINARY} -c "^search" ${ROOTDIR}etc/resolv.conf)
+ if [ ! "${FIND}" = "0" -a ! "${FIND}" = "1" ]; then
+ LogText "Result: found ${FIND} line(s) with a search statement (expecting less than 2 lines)"
+ Display --indent 4 --text "- Checking search domains lines" --result "CONFIG ERROR" --color YELLOW
+ ReportWarning ${TEST_NO} "Found more than 1 search lines in /etc/resolv.conf, which is probably a misconfiguration"
+ else
+ LogText "Result: found ${FIND} line(s) with a search statement (expecting less than 2 lines)"
+ fi
fi
#
#################################################################################
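Review bot: As far as the nesting can be read from this hunk, the `FIND=$(${GREPBINARY} -c "^search" ${ROOTDIR}etc/resolv.conf)` check sits after the `fi` that closes the `-f` test, so it also runs when the file is missing. In that case grep prints nothing, `FIND` is empty, both string comparisons succeed, and the test raises the "more than 1 search lines" warning for a file that does not exist. Wrapping the block in `if [ -f "${ROOTDIR}etc/resolv.conf" ]; then ... fi`, or moving it into the branch where the file was found, avoids the false warning. The ReportWarning text still names `/etc/resolv.conf` although the surrounding messages now use `${ROOTDIR}`.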
@@ -112,14 +112,14 @@
# Description : Check non default resolv.conf options
Register --test-no NAME-4020 --weight L --network NO --category security --description "Check non default options"
if [ ${SKIPTEST} -eq 0 ]; then
- LogText "Test: check /etc/resolv.conf for non default options"
- if [ -f /etc/resolv.conf ]; then
- LogText "Result: /etc/resolv.conf found"
- FIND=`${GREPBINARY} "^options" /etc/resolv.conf | ${AWKBINARY} '{ print $2 }'`
+ LogText "Test: check ${ROOTDIR}etc/resolv.conf for non default options"
+ if [ -f ${ROOTDIR}etc/resolv.conf ]; then
+ LogText "Result: ${ROOTDIR}etc/resolv.conf found"
+ FIND=$(${GREPBINARY} "^options" ${ROOTDIR}etc/resolv.conf | ${AWKBINARY} '{ print $2 }')
if [ "${FIND}" = "" ]; then
LogText "Result: no specific other options configured in /etc/resolv.conf"
if IsVerbose; then Display --indent 2 --text "- Checking /etc/resolv.conf options" --result "${STATUS_NONE}" --color WHITE; fi
- else
+ else
for I in ${FIND}; do
LogText "Found option: ${I}"
Report "resolv_conf_option[]=${I}"
@@ -128,7 +128,7 @@
done
Display --indent 2 --text "- Checking /etc/resolv.conf options" --result "${STATUS_FOUND}" --color GREEN
fi
- else
+ else
LogText "Result: /etc/resolv.conf not found, test skipped"
Display --indent 2 --text "- Checking /etc/resolv.conf options" --result "${STATUS_NOT_FOUND}" --color YELLOW
fi
@@ -140,7 +140,7 @@
# Description : Check Solaris uname -n output
Register --test-no NAME-4024 --os Solaris --weight L --network NO --category security --description "Solaris uname -n output"
if [ ${SKIPTEST} -eq 0 ]; then
- FIND=`uname -n`
+ FIND=$(${UNAMEBINARY} -n)
LogText "Result: 'uname -n' returned ${FIND}"
Display --indent 2 --text "- Checking uname -n output" --result "${STATUS_DONE}" --color GREEN
fi
@@ -158,7 +158,7 @@
FIND=`cat /etc/nodename`
LogText "Output: ${FIND}"
Display --indent 2 --text "- Checking /etc/nodename" --result "${STATUS_DONE}" --color GREEN
- else
+ else
LogText "Result: file /etc/nodename could not be found"
Display --indent 2 --text "- Checking /etc/nodename" --result "NONE FOUND" --color YELLOW
fi
@@ -189,24 +189,24 @@
LogText "Test: Checking if dnsdomainname command is available"
if [ ! "${DNSDOMAINNAMEBINARY}" = "" ]; then
- FIND2=`${DNSDOMAINNAMEBINARY} 2> /dev/null`
+ FIND2=$(${DNSDOMAINNAMEBINARY} 2> /dev/null)
if [ ! "${FIND2}" = "" ]; then
LogText "Result: dnsdomainname command returned a value"
LogText "Found domain name: ${FIND2}"
DOMAINNAME="${FIND2}"
- else
+ else
LogText "Result: dnsdomainname command returned no value"
fi
- else
+ else
LogText "Result: dnsdomainname binary not found, skip specific test"
fi
# If files and commands can't be found, use defined value from resolv.conf
- if [ "${DOMAINNAME}" = "" ]; then
- if [ ! "${RESOLV_DOMAINNAME}" = "" ]; then
- LogText "Result: using domain name from /etc/resolv.conf"
+ if [ -z "${DOMAINNAME}" ]; then
+ if [ ! -z "${RESOLV_DOMAINNAME}" ]; then
+ LogText "Result: using domain name from ${ROOTDIR}etc/resolv.conf"
DOMAINNAME=${RESOLV_DOMAINNAME}
- else
+ else
LogText "Result: using domain name from FQDN hostname"
#DOMAINNAME=${FQDN#${HOSTNAME}.}
DOMAINNAME=`echo ${FQDN} | ${CUTBINARY} -d . -f2-`
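Review bot: The fallback ``DOMAINNAME=`echo ${FQDN} | ${CUTBINARY} -d . -f2-` `` returns the whole input when `FQDN` contains no dot, because cut passes lines without the delimiter through unchanged. On a host whose FQDN is just the short name, the host name is then reported as the DNS domain. Adding `-s` suppresses such lines: `DOMAINNAME=$(echo "${FQDN}" | ${CUTBINARY} -s -d . -f2-)`, which leaves `DOMAINNAME` empty so that the unknown-domain branch visible in the next hunk can report it. This line also kept its backticks while the rest of the hunk was converted. The enclosing `if` blocks close outside the hunk.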
@@ -218,7 +218,7 @@
Report "domainname=${DOMAINNAME}"
Display --indent 2 --text "- Searching DNS domain name" --result "${STATUS_FOUND}" --color GREEN
Display --indent 6 --text "Domain name: ${DOMAINNAME}"
- else
+ else
Display --indent 2 --text "- Searching DNS domain name" --result "${STATUS_UNKNOWN}" --color YELLOW
ReportSuggestion ${TEST_NO} "Check DNS configuration for the dns domain name"
fi
@@ -236,7 +236,7 @@
NAME_CACHE_USED=1
LogText "Result: nscd is running"
Display --indent 2 --text "- Checking nscd status" --result "${STATUS_RUNNING}" --color GREEN
- else
+ else
LogText "Result: nscd is not running"
if IsVerbose; then Display --indent 2 --text "- Checking nscd status" --result "${STATUS_NOT_FOUND}" --color WHITE; fi
fi
@@ -255,10 +255,10 @@
NAME_CACHE_USED=1
LogText "Result: Unbound daemon is running"
Display --indent 2 --text "- Checking Unbound status" --result "${STATUS_RUNNING}" --color GREEN
- else
+ else
LogText "Result: Unbound daemon is not running"
if IsVerbose; then Display --indent 2 --text "- Checking Unbound status" --result "${STATUS_NOT_FOUND}" --color WHITE; fi
- fi
+ fi
fi
#
#################################################################################
@@ -277,7 +277,7 @@
UNBOUND_CONFIG_OK=1
LogText "Result: Configuration is fine"
Display --indent 2 --text "- Checking configuration file" --result "${STATUS_OK}" --color GREEN
- else
+ else
LogText "Result: Unbound daemon is not running"
Display --indent 2 --text "- Checking configuration file" --result "NOT OK" --color YELLOW
ReportWarning "${TEST_NO}" "Found Unbound configuration file issues (run unbound-checkconf)"
@@ -299,7 +299,7 @@
LogText "Result: found BIND process"
Display --indent 2 --text "- Checking BIND status" --result "${STATUS_FOUND}" --color GREEN
BIND_RUNNING=1
- else
+ else
LogText "Result: BIND not running"
if IsVerbose; then Display --indent 2 --text "- Checking BIND status" --result "${STATUS_NOT_FOUND}" --color WHITE; fi
fi
@@ -321,7 +321,7 @@
done
if [ ! -z "${BIND_CONFIG_LOCATION}" ]; then
Display --indent 4 --text "- Checking BIND configuration file" --result "${STATUS_FOUND}" --color GREEN
- else
+ else
Display --indent 4 --text "- Checking BIND configuration file" --result "${STATUS_NOT_FOUND}" --color YELLOW
fi
fi
@@ -370,7 +370,7 @@
LogText "Result: no useful information in banner found"
Display --indent 4 --text "- Checking BIND version in banner" --result "${STATUS_OK}" --color GREEN
AddHP 2 2
- else
+ else
LogText "Result: possible BIND version available in version banner"
Display --indent 4 --text "- Checking BIND version in banner" --result "${STATUS_WARNING}" --color RED
ReportWarning ${TEST_NO} "Found BIND version in banner"
@@ -434,7 +434,7 @@
done
if [ ! "${POWERDNS_AUTH_CONFIG_LOCATION}" = "" ]; then
Display --indent 4 --text "- Checking PowerDNS configuration file" --result "${STATUS_FOUND}" --color GREEN
- else
+ else
Display --indent 4 --text "- Checking PowerDNS configuration file" --result "${STATUS_NOT_FOUND}" --color YELLOW
fi
fi
@@ -456,13 +456,13 @@
Register --test-no NAME-4236 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check PowerDNS backends"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking for PowerDNS backends"
- FIND=`${AWKBINARY} -F= '/^launch/ { print $2 }' ${POWERDNS_AUTH_CONFIG_LOCATION}`
- if [ ! "${FIND}" = "" ]; then
+ FIND=$(${AWKBINARY} -F= '/^launch/ { print $2 }' ${POWERDNS_AUTH_CONFIG_LOCATION})
+ if [ ! -z "${FIND}" ]; then
for I in ${FIND}; do
LogText "Found backend: ${I}"
done
Display --indent 4 --text "- Checking PowerDNS backends" --result "${STATUS_FOUND}" --color GREEN
- else
+ else
LogText "Result: no PowerDNS backends found"
Display --indent 4 --text "- Checking PowerDNS backends" --result "${STATUS_NOT_FOUND}" --color YELLOW
fi
@@ -472,26 +472,26 @@
#
# Test : NAME-4238
# Description : Check PowerDNS authoritive status
- if [ ${POWERDNS_RUNNING} -eq 1 -a ! "${POWERDNS_AUTH_CONFIG_LOCATION}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ if [ ${POWERDNS_RUNNING} -eq 1 -a ! -z "${POWERDNS_AUTH_CONFIG_LOCATION}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no NAME-4238 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check PowerDNS authoritive status"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking for PowerDNS master status"
- FIND=`${GREPBINARY} "^master=yes" ${POWERDNS_AUTH_CONFIG_LOCATION}`
- if [ ! "${FIND}" = "" ]; then
+ FIND=$(${GREPBINARY} "^master=yes" ${POWERDNS_AUTH_CONFIG_LOCATION})
+ if [ ! -z "${FIND}" ]; then
LogText "Found master=yes in configuration file"
Display --indent 4 --text "- PowerDNS authoritive master: YES"
POWERDNS_AUTH_MASTER=1
- else
+ else
LogText "Result: most likely not master (no master=yes)"
Display --indent 4 --text "- PowerDNS authoritive master: NO"
fi
LogText "Test: Checking for PowerDNS slave status"
- FIND=`${GREPBINARY} "^slave=yes" ${POWERDNS_AUTH_CONFIG_LOCATION}`
- if [ ! "${FIND}" = "" ]; then
+ FIND=$(${GREPBINARY} "^slave=yes" ${POWERDNS_AUTH_CONFIG_LOCATION})
+ if [ ! -z "${FIND}" ]; then
LogText "Found slave=yes in configuration file"
Display --indent 4 --text "- PowerDNS authoritive slave: YES"
POWERDNS_AUTH_SLAVE=1
- else
+ else
LogText "Result: most likely not slave (no slave=yes)"
Display --indent 4 --text "- PowerDNS authoritive slave: NO"
fi
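Review bot: The rewritten NAME-4238 prerequisite still joins its conditions with `-a` inside a single `[ ]`, a form POSIX marks as obsolescent and which can parse ambiguously when an operand is empty; `! -z` is also just `-n`. I would write it as `if [ "${POWERDNS_RUNNING}" -eq 1 ] && [ -n "${POWERDNS_AUTH_CONFIG_LOCATION}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi`. The PHP-2368 prerequisite in include/tests_php chains three conditions with `-a` in the same way. The `if [ ${SKIPTEST} -eq 0 ]` block opened in this hunk closes outside it.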
@@ -531,56 +531,56 @@
Register --test-no NAME-4306 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check NIS domain"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking `domainname` for NIS domain value"
- FIND=`${DOMAINNAMEBINARY} | ${GREPBINARY} -v "(none)"`
- if [ ! "${FIND}" = "" ]; then
+ FIND=$(${DOMAINNAMEBINARY} | ${GREPBINARY} -v "(none)")
+ if [ ! -z "${FIND}" ]; then
LogText "Value: ${FIND}"
NISDOMAIN="${FIND}"
- else
+ else
LogText "Result: no NIS domain found in command output"
fi
# Solaris / Linux style
- LogText "Test: Checking file /etc/defaultdomain"
- if [ -f /etc/defaultdomain ]; then
- LogText "Result: file /etc/defaultdomain exists"
- FIND2=`cat /etc/defaultdomain`
- if [ ! "${FIND2}" = "" ]; then
+ LogText "Test: Checking file ${ROOTDIR}etc/defaultdomain"
+ if [ -f ${ROOTDIR}etc/defaultdomain ]; then
+ LogText "Result: file ${ROOTDIR}etc/defaultdomain exists"
+ FIND2=`cat ${ROOTDIR}etc/defaultdomain`
+ if [ ! -z "${FIND2}" ]; then
LogText "Output: ${FIND2}"
NISDOMAIN="${FIND2}"
- else
+ else
LogText "Result: no NIS domain found in file"
fi
fi
# Red Hat style
- LogText "Test: checking /etc/sysconfig/network"
- if [ -f /etc/sysconfig/network ]; then
- LogText "Result: file /etc/sysconfig/network exists"
+ LogText "Test: checking ${ROOTDIR}etc/sysconfig/network"
+ if [ -f ${ROOTDIR}etc/sysconfig/network ]; then
+ LogText "Result: file ${ROOTDIR}etc/sysconfig/network exists"
LogText "Test: checking NISDOMAIN value in file"
- FIND3=`${GREPBINARY} "^NISDOMAIN" /etc/sysconfig/network | ${AWKBINARY} -F= '{ print $2 }' | ${SEDBINARY} 's/"//g'`
- if [ ! "${FIND3}" = "" ]; then
+ FIND3=$(${GREPBINARY} "^NISDOMAIN" ${ROOTDIR}etc/sysconfig/network | ${AWKBINARY} -F= '{ print $2 }' | ${SEDBINARY} 's/"//g')
+ if [ ! -z "${FIND3}" ]; then
LogText "Found NIS domain: ${FIND3}"
NISDOMAIN="${FIND3}"
- else
+ else
LogText "Result: No NIS domain found in file"
fi
- else
- LogText "Result: file /etc/sysconfig/network does not exist"
+ else
+ LogText "Result: file ${ROOTDIR}etc/sysconfig/network does not exist"
fi
if [ ! "${SYSCTLBINARY}" = "" ]; then
# Check sysctl (e.g. FreeBSD)
LogText "Test: checking sysctl for kern.domainname"
- FIND=`${SYSCTLBINARY} -a 2>&1 | ${GREPBINARY} "^kern.domainname" | ${AWKBINARY} -F: '{ print $2 }' | ${SEDBINARY} 's/ //g' | ${GREPBINARY} -v "^$"`
+ FIND=$(${SYSCTLBINARY} -a 2>&1 | ${GREPBINARY} "^kern.domainname" | ${AWKBINARY} -F: '{ print $2 }' | ${SEDBINARY} 's/ //g' | ${GREPBINARY} -v "^$")
if [ ! "${FIND}" = "" ]; then
LogText "Result: found NIS domain via sysctl"
NISDOMAIN="${FIND}"
fi
fi
# Check if we found any NIS domain
- if [ ! "${NISDOMAIN}" = "" ]; then
+ if [ ! -z "${NISDOMAIN}" ]; then
LogText "Found NIS domain: ${NISDOMAIN}"
Report "nisdomain=${NISDOMAIN}"
Display --indent 4 --text "- Checking NIS domain" --result "${STATUS_FOUND}" --color GREEN
- else
+ else
LogText "Result: No NIS domain found"
Display --indent 4 --text "- Checking NIS domain" --result "${STATUS_UNKNOWN}" --color YELLOW
fi
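Review bot: The unchanged LogText line directly under the NAME-4306 Register call wraps the word domainname in backticks inside a double-quoted string, so the shell executes `domainname` from PATH and logs its output instead of the literal text. Since this commit converts the other backticks in the test, this one should become plain text: `LogText "Test: Checking domainname for NIS domain value"`. The new `FIND2` line was also left in backtick form with an unquoted path; `FIND2=$(cat "${ROOTDIR}etc/defaultdomain")` would match the rest of the hunk. The enclosing `if [ ${SKIPTEST} -eq 0 ]` block closes outside this hunk.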
@@ -588,31 +588,29 @@
#
#################################################################################
#
- if [ -f /etc/hosts ]; then
- Display --indent 2 --text "- Checking /etc/hosts"
- fi
+ if [ -f ${ROOTDIR}etc/hosts ]; then Display --indent 2 --text "- Checking ${ROOTDIR}etc/hosts"; fi
# Test : NAME-4402
# Description : Check /etc/hosts configuration
Register --test-no NAME-4402 --weight L --network NO --category security --description "Check duplicate line in /etc/hosts"
if [ ${SKIPTEST} -eq 0 ]; then
- LogText "Test: check duplicate line in /etc/hosts"
- if [ -f /etc/hosts ]; then
- sFIND=`${EGREPBINARY} -v '^(#|$)' /etc/hosts | ${AWKBINARY} '{ print $1, $2 }' | ${SORTBINARY} | uniq -d`
+ LogText "Test: check duplicate line in ${ROOTDIR}etc/hosts"
+ if [ -f ${ROOTDIR}etc/hosts ]; then
+ sFIND=$(${EGREPBINARY} -v '^(#|$)' ${ROOTDIR}etc/hosts | ${AWKBINARY} '{ print $1, $2 }' | ${SORTBINARY} | ${UNIQBINARY} -d)
if [ "${sFIND}" = "" ]; then
LogText "Result: OK, no duplicate lines found"
- Display --indent 4 --text "- Checking /etc/hosts (duplicates)" --result "${STATUS_OK}" --color GREEN
- else
+ Display --indent 4 --text "- Checking ${ROOTDIR}etc/hosts (duplicates)" --result "${STATUS_OK}" --color GREEN
+ else
LogText "Found duplicate line: ${sFIND}"
LogText "Result: found duplicate line"
- Display --indent 4 --text "- Checking /etc/hosts (duplicates)" --result "${STATUS_SUGGESTION}" --color YELLOW
- ReportSuggestion "${TEST_NO}" "Remove duplicate lines in /etc/hosts"
+ Display --indent 4 --text "- Checking ${ROOTDIR}etc/hosts (duplicates)" --result "${STATUS_SUGGESTION}" --color YELLOW
+ ReportSuggestion "${TEST_NO}" "Remove duplicate lines in ${ROOTDIR}etc/hosts"
fi
else
- LogText "Result: /etc/hosts not found, test skipped"
+ LogText "Result: ${ROOTDIR}etc/hosts not found, test skipped"
Display --indent 4 --text "Searching duplicate line" --result "${STATUS_SKIPPED}" --color YELLOW
fi
- fi
+ fi
#
#################################################################################
#
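Review bot: Replacing the literal `uniq` with `${UNIQBINARY}` makes NAME-4402 fail open when that variable is empty: the last pipeline stage then fails, `sFIND` stays empty, and the test displays OK without having checked anything. Whether `UNIQBINARY` is always populated is not visible in this diff, so I would make the dependency explicit in the guard, `if [ -f "${ROOTDIR}etc/hosts" ] && [ -n "${UNIQBINARY}" ]; then`, which sends the missing-binary case to the existing skipped branch. The same consideration applies to `${WCBINARY}` in the NETW-3028 hunk of include/tests_networking.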
@@ -623,7 +621,7 @@
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Check /etc/hosts contains an entry for this server name"
if [ -f /etc/hosts ]; then
- sFIND=`${EGREPBINARY} -v '^(#|$|^::1\s|localhost)' /etc/hosts | ${GREPBINARY} -i ${HOSTNAME}`
+ sFIND=$(${EGREPBINARY} -v '^(#|$|^::1\s|localhost)' /etc/hosts | ${GREPBINARY} -i ${HOSTNAME})
if [ "${sFIND}" != "" ]; then
LogText "Result: Found entry for ${HOSTNAME} in /etc/hosts"
Display --indent 4 --text "- Checking /etc/hosts (hostname)" --result "${STATUS_OK}" --color GREEN
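Review bot: This hunk and the following one (`@@ -645,15 +643,15 @@`) still read the literal `/etc/hosts`, while NAME-4402 just above was switched to `${ROOTDIR}etc/hosts`. With a non-default root the three hosts-file tests would therefore inspect different files. For consistency the guard here should be `if [ -f "${ROOTDIR}etc/hosts" ]; then`, with the same path in the `sFIND` pipeline and in the log and display strings. The test body starts and ends outside this hunk.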
@@ -645,15 +643,15 @@
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Check server hostname not locally mapped in /etc/hosts"
sFIND=`${EGREPBINARY} -v '^(#|$)' /etc/hosts | ${EGREPBINARY} '^(localhost|::1)\s' | ${GREPBINARY} -w ${HOSTNAME}`
- if [ ! "${sFIND}" = "" ]; then
- LogText "Result: Found this server hostname mapped to a local address"
- LogText "Output: ${sFIND}"
- Display --indent 4 --text "- Checking /etc/hosts (localhost)" --result "${STATUS_SUGGESTION}" --color YELLOW
- LogText "Information: Linking the hostname to the localhost entry may break some resolving. Split resolving so that localhost resolves back to 127.0.0.1 (and ::1) and the hostname of the machine to the real IP address on the network interface."
- ReportSuggestion ${TEST_NO} "Split resolving between localhost and the hostname of the system"
+ if [ ! "${sFIND}" = "" ]; then
+ LogText "Result: Found this server hostname mapped to a local address"
+ LogText "Output: ${sFIND}"
+ Display --indent 4 --text "- Checking /etc/hosts (localhost)" --result "${STATUS_SUGGESTION}" --color YELLOW
+ LogText "Information: Linking the hostname to the localhost entry may break some resolving. Split resolving so that localhost resolves back to 127.0.0.1 (and ::1) and the hostname of the machine to the real IP address on the network interface."
+ ReportSuggestion ${TEST_NO} "Split resolving between localhost and the hostname of the system"
else
- LogText "Result: this server hostname is not mapped to a local address"
- Display --indent 4 --text "- Checking /etc/hosts (localhost)" --result "${STATUS_OK}" --color GREEN
+ LogText "Result: this server hostname is not mapped to a local address"
+ Display --indent 4 --text "- Checking /etc/hosts (localhost)" --result "${STATUS_OK}" --color GREEN
fi
fi
#
diff --git a/include/tests_networking b/include/tests_networking
index 608a28e3..9c890128 100644
--- a/include/tests_networking
+++ b/include/tests_networking
@@ -246,7 +246,7 @@
N=$((N + 1))
Report "network_interface[]=${I}"
done
- else
+ else
ReportException "${TEST_NO}:1" "No interfaces found on this system (OS=${OS})"
fi
fi
@@ -268,7 +268,7 @@
Linux)
if [ ! "${IFCONFIGBINARY}" = "" ]; then
FIND=`${IFCONFIGBINARY} -a | ${GREPBINARY} "HWaddr" | ${AWKBINARY} '{ if ($4=="HWaddr") print $5 }' | ${SORTBINARY} -u`
- else
+ else
if [ ! "${IPBINARY}" = "" ]; then
LogText "Test: Using ip binary to gather hardware addresses"
FIND=`${IPBINARY} link | ${GREPBINARY} "link/ether" | ${AWKBINARY} '{ print $2 }'`
@@ -323,12 +323,12 @@
FIND=`${IFCONFIGBINARY} -a | ${AWKBINARY} '{ if ($1=="inet") print $2 }' | ${CUTBINARY} -d ':' -f2`
# Version which works for multiple types of ifconfig (e.g. Slackware)
FIND2=`${IFCONFIGBINARY} -a | ${AWKBINARY} '{ if ($1=="inet6" && $2=="addr:") { print $3 } else { if ($1=="inet6" && $3=="prefixlen") { print $2 } } }'`
- else
+ else
if [ ! "${IPBINARY}" = "" ]; then
LogText "Test: Using ip binary to gather IP addresses"
FIND=`${IPBINARY} addr | ${AWKBINARY} '{ if ($1=="inet") { print $2 }}' | ${SEDBINARY} 's/\/.*//'`
FIND2=`${IPBINARY} addr | ${AWKBINARY} '{ if ($1=="inet6") { print $2 }}' | ${SEDBINARY} 's/\/.*//'`
- else
+ else
ReportException "${TEST_NO}:2" "Missing ifconfig or ip command to collect hardware address (MAC)"
fi
fi
@@ -548,23 +548,6 @@
#
#################################################################################
#
- # Test : NETW-3024
- # Description : Netstat/socktstat compare (FreeBSD)
- # echo -n " - Comparing output sockstat and netstat"
- # LogText "Comparing output of sockstat and netstat"
- # NETSTATOUTPUT=`netstat -an | ${GREPBINARY} -v 'TIME_WAIT' | ${GREPBINARY} -v 'ESTABLISHED' | ${GREPBINARY} -v 'SYN_SENT' | ${GREPBINARY} -v 'CLOSE_WAIT' | ${GREPBINARY} -v 'LAST_ACK' | ${GREPBINARY} -v 'SYN_RECV' | ${GREPBINARY} -v 'CLOSING' | ${CUTBINARY} -c 1-44 | ${GREPBINARY} '*.' | ${CUTBINARY} -c 24-32 | ${TRBINARY} -d ' ' | ${TRBINARY} -d '\t' | ${GREPBINARY} -v '*' | ${SORTBINARY} -u`
- #
- # if [ "${SOCKSTATOUTPUT}" = "${NETSTATOUTPUT}" ]; then
- # ShowResult OK
- # else
- # echo "[ ${BAD}Warning!${NORMAL} ]"
- # LogText "WARNING!"
- # LogText "Sockstat tested output: ${SOCKSTAT}"
- # LogText "Netstat tested output: ${NETSTAT}"
- # fi
-#
-#################################################################################
-#
# Test : NETW-3028
# Description : Checking for many waiting connections
# Type : Performance
@@ -573,13 +556,13 @@
Register --test-no NETW-3028 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking connections in WAIT state"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Using netstat for check for connections in WAIT state"
- FIND=`${NETSTATBINARY} -an | ${GREPBINARY} WAIT | wc -l | ${AWKBINARY} '{ print $1 }'`
- if [ "${OPTIONS_CONN_MAX_WAIT_STATE}" = "" ]; then OPTIONS_CONN_MAX_WAIT_STATE="5000"; fi
+ FIND=$(${NETSTATBINARY} -an | ${GREPBINARY} WAIT | ${WCBINARY} -l | ${AWKBINARY} '{ print $1 }')
+ if [ -z "${OPTIONS_CONN_MAX_WAIT_STATE}" ]; then OPTIONS_CONN_MAX_WAIT_STATE="5000"; fi
LogText "Result: currently ${FIND} connections are in a waiting state (max configured: ${OPTIONS_CONN_MAX_WAIT_STATE})."
if [ ${FIND} -gt ${OPTIONS_CONN_MAX_WAIT_STATE} ]; then
Display --indent 2 --text "- Checking waiting connections" --result "${STATUS_WARNING}" --color YELLOW
ReportSuggestion "${TEST_NO}" "Determine why system has many connections in WAIT state (${FIND})"
- else
+ else
Display --indent 2 --text "- Checking waiting connections" --result "${STATUS_OK}" --color GREEN
LogText "Result: ${FIND} connections are in WAIT state"
fi
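Review bot: The connection count in NETW-3028 can come from grep itself, which removes two pipeline stages and the two extra binaries they depend on: `FIND=$(${NETSTATBINARY} -an | ${GREPBINARY} -c WAIT)`. The comparison below it is also written with unquoted operands; `if [ "${FIND}" -gt "${OPTIONS_CONN_MAX_WAIT_STATE}" ]; then` keeps an empty value from collapsing the test expression into a syntax error that silently takes the OK branch. The `if [ ${SKIPTEST} -eq 0 ]` block closes outside this hunk.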
@@ -595,7 +578,7 @@
if [ ${RUNNING} -eq 1 ]; then
Display --indent 2 --text "- Checking status DHCP client" --result "${STATUS_RUNNING}" --color WHITE
DHCP_CLIENT_RUNNING=1
- else
+ else
Display --indent 2 --text "- Checking status DHCP client" --result "NOT ACTIVE" --color WHITE
fi
fi
@@ -607,7 +590,7 @@
Register --test-no NETW-3032 --os Linux --weight L --network NO --category security --description "Checking for ARP monitoring software"
if [ ${SKIPTEST} -eq 0 ]; then
FOUND=0
-
+
# arpwatch
IsRunning arpwatch
if [ ${RUNNING} -eq 1 ]; then
@@ -615,7 +598,7 @@
ARPWATCH_RUNNING=1
Display --indent 2 --text "- Checking for ARP monitoring software" --result "${STATUS_RUNNING}" --color GREEN
fi
-
+
# arpon
IsRunning arpon
if [ ${RUNNING} -eq 1 ]; then
diff --git a/include/tests_php b/include/tests_php
index 7e6c548b..6f447b96 100644
--- a/include/tests_php
+++ b/include/tests_php
@@ -40,6 +40,8 @@
PHPINIDIRS="/etc/php5/conf.d \
/etc/php.d"
+
+ PHPVERSION=""
#
#################################################################################
#
@@ -93,26 +95,26 @@
#
# Test : PHP-2320
# Description : Check php disable functions option
- if [ ! "${PHPINI_ALLFILES}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ if [ ! -z "${PHPINI_ALLFILES}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PHP-2320 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check PHP disabled functions"
if [ ${SKIPTEST} -eq 0 ]; then
FOUND=0
for I in ${PHPINI_ALLFILES}; do
LogText "Test: Checking for PHP function hardening disabled_functions or suhosin.executor.func.blacklist in file ${I}"
- FIND=`${GREPBINARY} "^disable_functions.*=" ${I}`
- if [ "${FIND}" = "" ]; then
- LogText "Result: ${I}: disabled_functions not found"
+ FIND=$(${GREPBINARY} "^disable_functions.*=" ${I})
+ if [ -z "${FIND}" ]; then
+ LogText "Result: ${I}: disabled_functions not found"
else
- LogText "Result: ${I}: found disabled_functions"
- FOUND=1
+ LogText "Result: ${I}: found disabled_functions"
+ FOUND=1
fi
- FIND=`${GREPBINARY} "^suhosin.executor.func.blacklist=" ${I}`
- if [ "${FIND}" = "" ]; then
- LogText "Result: ${I}: suhosin.executor.func.blacklist not found"
+ FIND=$(${GREPBINARY} "^suhosin.executor.func.blacklist=" ${I})
+ if [ -z "${FIND}" ]; then
+ LogText "Result: ${I}: suhosin.executor.func.blacklist not found"
else
- LogText "Result: ${I}: found suhosin.executor.func.blacklist"
- FOUND=1
+ LogText "Result: ${I}: found suhosin.executor.func.blacklist"
+ FOUND=1
fi
done
if [ ${FOUND} -eq 0 ]; then
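Review bot: The pattern `^disable_functions.*=` in PHP-2320 matches the directive even when its value is empty, so a php.ini containing only `disable_functions =` sets `FOUND=1`, and the following hunk then reports functions as disabled and calls `AddHP 3 3`. The `suhosin.executor.func.blacklist=` grep has the same gap. Requiring a non-blank character after the equals sign closes it, e.g. `FIND=$(${GREPBINARY} "^disable_functions[[:space:]]*=[[:space:]]*[^[:space:]]" "${I}")`. The test body continues past the end of this hunk.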
@@ -121,7 +123,7 @@
ReportSuggestion ${TEST_NO} "Harden PHP by disabling risky functions"
LogText "Functions of interest to research/disable: chown, diskfreespace, disk_free_space, disk_total_space, dl, exec, escapeshellarg, escapeshellcmd, fileinode, highlight_file, max_execution_time, passthru, pclose, phpinfo, popen, proc_close, proc_open, proc_get_status, proc_nice, proc_open, proc_terminate, set_time_limit, shell_exec, show_source, system)"
AddHP 0 1
- else
+ else
LogText "Result: one or more PHP functions are disabled/blacklisted"
Display --indent 4 --text "- Checking PHP disabled functions" --result "${STATUS_FOUND}" --color GREEN
AddHP 3 3
@@ -133,34 +135,34 @@
# Test : PHP-2368
# Description : Check php register_globals option
# Notes : Don't test for it if PHP version is 5.4.0 or later (it has been removed)
- if [ ! "${PHPINIFILE}" = "" -a ! "${PHPVERSION}" = "" -a ! "${EGREPBINARY}" = "" ]; then
+ if [ ! -z "${PHPINIFILE}" -a ! -z "${PHPVERSION}" -a ! -z "${EGREPBINARY}" ]; then
if [ -f "${PHPINIFILE}" ]; then
- FIND=`echo ${PHPVERSION} | ${EGREPBINARY} "^(4.|5.[0-3])"`
+ FIND=$(echo ${PHPVERSION} | ${EGREPBINARY} "^(4.|5.[0-3])")
if [ "${FIND}" = "" ]; then
PREQS_MET="NO"; Debug "Found most likely PHP version 5.4.0 or higher (${PHPVERSION}) which does not use register_globals"
- else
+ else
PREQS_MET="YES"; Debug "Found PHP version 4 or up to 5.3 (${FIND}) which we are going to scan"
fi
- else
+ else
Debug "File php.ini (${PHPINIFILE}) not found"
fi
else
- PREQS_MET="NO"
- Debug "Skipping test: php.ini not found, or PHP version empty"
- Debug "php.ini: ${PHPINIFILE}"
- Debug "version: ${PHPVERSION}"
+ PREQS_MET="NO"
+ Debug "Skipping test: php.ini not found, or PHP version empty"
+ Debug "php.ini: ${PHPINIFILE}"
+ Debug "version: ${PHPVERSION}"
fi
Register --test-no PHP-2368 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check PHP register_globals option"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking PHP register_globals option"
- FIND=`${EGREPBINARY} -i 'register_globals.*(on|yes|1)' ${PHPINIFILE} | ${GREPBINARY} -v '^;'`
+ FIND=$(${EGREPBINARY} -i 'register_globals.*(on|yes|1)' ${PHPINIFILE} | ${GREPBINARY} -v '^;')
if [ ! "${FIND}" = "" ]; then
Display --indent 4 --text "- Checking register_globals option" --result "${STATUS_WARNING}" --color RED
ReportWarning ${TEST_NO} "PHP option register_globals option is turned on, which can be a risk for variable value overwriting"
ReportSuggestion ${TEST_NO} "Change the register_globals line to: register_globals = Off"
LogText "Result: register_globals option is turned on, which can be a risk for variable value overwriting."
AddHP 1 2
- else
+ else
Display --indent 4 --text "- Checking register_globals option" --result "${STATUS_OK}" --color GREEN
LogText "Result: No 'register_globals' found. Most likely it is in disabled state (0, no, or off), which is the default nowadays and considered the safe value."
ReportManual ${TEST_NO}:01
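Review bot: In the PHP-2368 prerequisite block, the branch taken when `${PHPINIFILE}` is not a regular file only calls `Debug` and never assigns `PREQS_MET`, so `Register` receives whatever value the previous test left behind. If that stale value is YES, the `register_globals` grep runs against a missing file, `FIND` is empty, and the test displays OK. Assigning it in that branch fixes this: `PREQS_MET="NO"; Debug "File php.ini (${PHPINIFILE}) not found"`. The test's `if [ ${SKIPTEST} -eq 0 ]` block closes outside this hunk.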
@@ -177,19 +179,19 @@
Register --test-no PHP-2372 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check PHP expose_php option"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking expose_php option"
- FIND=`${EGREPBINARY} -i 'expose_php.*(off|no|0)' ${PHPINIFILE} | ${GREPBINARY} -v '^;'`
- if [ "${FIND}" = "" ]; then
+ FIND=$(${EGREPBINARY} -i 'expose_php.*(off|no|0)' ${PHPINIFILE} | ${GREPBINARY} -v '^;')
+ if [ -z "${FIND}" ]; then
Display --indent 4 --text "- Checking expose_php option" --result "${STATUS_ON}" --color RED
ReportWarning ${TEST_NO} "PHP option expose_php is possibly turned on, which can reveal useful information for attackers."
ReportSuggestion ${TEST_NO} "Change the expose_php line to: expose_php = Off"
Report "Result: expose_php option is turned on, which can expose useful information for an attacker"
AddHP 1 2
- else
+ else
Display --indent 4 --text "- Checking expose_php option" --result "${STATUS_OFF}" --color GREEN
LogText "Result: Found 'expose_php' in disabled state (0, no, or off)"
AddHP 2 2
fi
- #YYY Check through all files
+ # TODO Check through all files
fi
#
#################################################################################
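Review bot: The `expose_php.*(off|no|0)` pattern in PHP-2372 is unanchored, so any line that mentions expose_php and later contains off, no or 0 counts as disabled. Examples are an indented comment, which `grep -v '^;'` does not filter, or `expose_php = On ; not off`. The test then reports OFF and adds hardening points for a setting that is on. Anchoring the directive and its value avoids this and makes the second grep unnecessary: `FIND=$(${EGREPBINARY} -i '^[[:space:]]*expose_php[[:space:]]*=[[:space:]]*(off|no|0)' "${PHPINIFILE}")`. The allow_url_fopen (PHP-2376) and allow_url_include (PHP-2378) hunks use the same pattern shape and need the same change.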
@@ -207,7 +209,7 @@
Report "Result: enable_dl option is turned on, which can be used to enable more modules dynamically and circumventing security controls"
ReportSuggestion ${TEST_NO} "Change the enable_dl line to: enable_dl = Off, to disable dynamically loading new modules"
AddHP 0 1
- else
+ else
Display --indent 4 --text "- Checking enable_dl option" --result "${STATUS_OFF}" --color GREEN
LogText "Result: Found 'enable_dl' in disabled state (not present, 0, no, or off)"
AddHP 2 2
@@ -223,18 +225,18 @@
Register --test-no PHP-2376 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check PHP allow_url_fopen option"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking PHP allow_url_fopen option"
- FIND=`${EGREPBINARY} -i 'allow_url_fopen.*(off|no|0)' ${PHPINIFILE} | ${GREPBINARY} -v '^;'`
- if [ "${FIND}" = "" ]; then
+ FIND=$(${EGREPBINARY} -i 'allow_url_fopen.*(off|no|0)' ${PHPINIFILE} | ${GREPBINARY} -v '^;')
+ if [ -z "${FIND}" ]; then
Display --indent 4 --text "- Checking allow_url_fopen option" --result "${STATUS_ON}" --color YELLOW
LogText "Result: allow_url_fopen option is turned on, which can be used for riskful downloads via PHP"
ReportSuggestion ${TEST_NO} "Change the allow_url_fopen line to: allow_url_fopen = Off, to disable downloads via PHP"
AddHP 0 1
- else
+ else
Display --indent 4 --text "- Checking allow_url_fopen option" --result "${STATUS_OFF}" --color GREEN
LogText "Result: Found 'allow_url_fopen' in disabled state (0, no, or off)"
AddHP 2 2
fi
- #YYY Check through all files
+ # TODO Check through all files
fi
#
#################################################################################
@@ -242,17 +244,17 @@
# Test : PHP-2378
# Description : Check PHP allow_url_include option
# Notes : Extend test to check all PHP files YYY
- if [ ! "${PHPINIFILE}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ if [ ! -z "${PHPINIFILE}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PHP-2378 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check PHP allow_url_include option"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking PHP allow_url_include option"
- FIND=`${EGREPBINARY} -i 'allow_url_include.*(off|no|0)' ${PHPINIFILE} | ${GREPBINARY} -v '^;'`
- if [ "${FIND}" = "" ]; then
+ FIND=$(${EGREPBINARY} -i 'allow_url_include.*(off|no|0)' ${PHPINIFILE} | ${GREPBINARY} -v '^;')
+ if [ -z "${FIND}" ]; then
Display --indent 4 --text "- Checking allow_url_include option" --result "${STATUS_ON}" --color YELLOW
Report "Result: allow_url_include option is turned on, which can be used for riskful downloads via PHP"
ReportSuggestion ${TEST_NO} "Change the allow_url_include line to: allow_url_include = Off, to disable downloads via PHP"
AddHP 0 1
- else
+ else
Display --indent 4 --text "- Checking allow_url_include option" --result "${STATUS_OFF}" --color GREEN
LogText "Result: Found 'allow_url_include' in disabled state (0, no, or off)"
AddHP 2 2
diff --git a/include/tests_snmp b/include/tests_snmp
index ae2fa62f..ae2eb18a 100644
--- a/include/tests_snmp
+++ b/include/tests_snmp
@@ -22,7 +22,7 @@
#
#################################################################################
#
- SNMP_DAEMON_CONFIG_LOCS="/etc/snmp"
+ SNMP_DAEMON_CONFIG_LOCS="${ROOTDIR}etc/snmp"
SNMP_DAEMON_CONFIG=""
SNMP_DAEMON_RUNNING=0
#
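Review bot: `SNMP_DAEMON_CONFIG_LOCS="${ROOTDIR}etc/snmp"` is an absolute path only if `ROOTDIR` is set and ends in a slash; if it is empty, the lookup becomes the relative `etc/snmp`, resolved against the directory the scan was started from. Where `ROOTDIR` is defined is not visible in this diff, so this may already be guaranteed, but the assumption deserves a comment next to the assignment, for example `# ROOTDIR is expected to be set and to end with a slash`. The `${ROOTDIR}etc/...` paths introduced in include/tests_nameservices rely on the same contract.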
@@ -41,7 +41,7 @@
SNMP_DAEMON_RUNNING=1
LogText "Result: SNMP daemon is running"
Display --indent 2 --text "- Checking running SNMP daemon" --result "${STATUS_FOUND}" --color GREEN
- else
+ else
LogText "Result: No running SNMP daemon found"
Display --indent 2 --text "- Checking running SNMP daemon" --result "${STATUS_NOT_FOUND}" --color WHITE
fi
@@ -57,15 +57,15 @@
LogText "Test: searching for snmpd.conf file"
for I in ${SNMP_DAEMON_CONFIG_LOCS}; do
if [ -f "${I}/snmpd.conf" ]; then
- LogText "Result: ${I}/snmpd.conf exists"
- SNMPD_DAEMON_CONFIG="${I}/snmpd.conf"
+ LogText "Result: ${I}/snmpd.conf exists"
+ SNMP_DAEMON_CONFIG="${I}/snmpd.conf"
fi
done
- if [ "${SNMPD_DAEMON_CONFIG}" = "" ]; then
+ if [ -z "${SNMP_DAEMON_CONFIG}" ]; then
LogText "Result: No snmpd configuration found"
Display --indent 4 --text "- Checking SNMP configuration" --result "${STATUS_NOT_FOUND}" --color WHITE
- else
- LogText "Restult: using last found configuration file: ${SNMPD_DAEMON_CONFIG}"
+ else
+ LogText "Restult: using last found configuration file: ${SNMP_DAEMON_CONFIG}"
Display --indent 4 --text "- Checking SNMP configuration" --result "${STATUS_FOUND}" --color GREEN
fi
fi
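Review bot: The rewritten LogText line in the else branch still reads "Restult:", so a search of the log for the `Result:` prefix used by every other line would miss it. Since the line is being changed anyway, it should become `LogText "Result: using last found configuration file: ${SNMP_DAEMON_CONFIG}"`. The enclosing `if [ ${SKIPTEST} -eq 0 ]` block starts outside this hunk.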
@@ -74,12 +74,12 @@
#
# Test : SNMP-3306
# Description : Determine SNMP communities
- if [ ! "${SNMPD_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ if [ ! "${SNMP_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no SNMP-3306 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check SNMP communities"
if [ ${SKIPTEST} -eq 0 ]; then
WARN=0
LogText "Test: reading active snmp communities"
- FIND=`${AWKBINARY} '/^com2sec/ { print $4 }' ${SNMPD_DAEMON_CONFIG}`
+ FIND=$(${AWKBINARY} '/^com2sec/ { print $4 }' ${SNMP_DAEMON_CONFIG})
for I in ${FIND}; do
LogText "Output: ${I}"
if [ "${I}" = "public" -o "${I}" = "private" ]; then
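Review bot: SNMP-3306 collects community strings only from `com2sec` lines, so a snmpd.conf that defines them with `rocommunity` or `rwcommunity` produces an empty list. The test then ends with `WARN=0` and an OK result even for `rocommunity public`. Extending the awk program covers both forms: `FIND=$(${AWKBINARY} '/^com2sec/ { print $4 } /^r[ow]community6?[ \t]/ { print $2 }' "${SNMP_DAEMON_CONFIG}")`. The loop over `${FIND}` continues past the end of this hunk.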
@@ -93,7 +93,7 @@
if [ ${WARN} -eq 0 ]; then
Display --indent 2 --text "- Checking SNMP community strings" --result "${STATUS_OK}" --color GREEN
AddHP 2 2
- else
+ else
Display --indent 2 --text "- Checking SNMP community strings" --result "${STATUS_WARNING}" --color RED
ReportWarning ${TEST_NO} "Found easy guessable SNMP community string"
fi