diff options
author | Zach Crownover <zachary.crownover@gmail.com> | 2016-11-19 15:39:57 +0300 |
---|---|---|
committer | Michael Boelen <michael.boelen@cisofy.com> | 2016-11-19 15:39:57 +0300 |
commit | 659d3e42c5dcc6a60dff5f1e2301064132d98c45 (patch) | |
tree | a7f30b0e5654ca25c99cd722ec549fc6c06a3979 | |
parent | 483a45e50684ae80edc278f685ea28a390a2047f (diff) |
Improve DragonFly support (#329)
* Update facter location for BSDs
BSDs tend to place third party binaries in /usr/local rather than /usr
* Add support for DragonFly boot loader detection
DragonFly BSD has the same file paths for the bootloader as FreeBSD
* Add kernel module checking for DragonFly
DragonFly BSD checks kernel modules the same way as FreeBSD
* Add DragonFly check for login shells
DragonFly's login files are the same as FreeBSD's
* Add HAMMER PFS Detection
All PFS mounts in HAMMER systems for DragonFly will be detected now
-rw-r--r-- | include/functions | 2 | ||||
-rw-r--r-- | include/tests_authentication | 44 | ||||
-rw-r--r-- | include/tests_boot_services | 17 | ||||
-rw-r--r-- | include/tests_filesystems | 21 | ||||
-rw-r--r-- | include/tests_kernel | 31 |
5 files changed, 114 insertions, 1 deletions
diff --git a/include/functions b/include/functions index 544fb52c..49e03eaa 100644 --- a/include/functions +++ b/include/functions @@ -1254,7 +1254,7 @@ # facter if [ "${SHORT}" = "" ]; then - if [ -x /usr/bin/facter ]; then + if [ -x /usr/bin/facter ] || [ -x /usr/local/bin/facter ]; then case "`facter is_virtual`" in "true") SHORT=`facter virtual` diff --git a/include/tests_authentication b/include/tests_authentication index ab424aee..42426a2a 100644 --- a/include/tests_authentication +++ b/include/tests_authentication @@ -194,6 +194,50 @@ # ################################################################################# # + # Test : AUTH-9489 + # Description : Check login shells for passwordless accounts + # Notes : Results should be checked + Register --test-no AUTH-9489 --os DragonFly --weight L --network NO --category security --description "Check login shells for passwordless accounts" + if [ ${SKIPTEST} -eq 0 ]; then + FOUND=0 + LogText "Test: Checking login shells" + if [ -f /etc/master.passwd ]; then + # Check for all shells, except: (/usr)/sbin/nologin /nonexistent + FIND=`${GREPBINARY} "[a-z]:\*:" /etc/master.passwd | ${EGREPBINARY} -v '^#|/sbin/nologin|/usr/sbin/nologin|/nonexistent' | ${SEDBINARY} 's/ /!space!/g'` + if [ "${FIND}" = "" ]; then + Display --indent 2 --text "- Login shells" --result "${STATUS_OK}" --color GREEN + else + Display --indent 2 --text "- Login shells" --result "${STATUS_WARNING}" --color RED + for LINE in ${FIND}; do + LINE=$(echo ${LINE} | ${SEDBINARY} 's/!space!/ /g') + SHELL=$(echo ${LINE} | ${AWKBINARY} -F: '{ print $10 }') + LogText "Output: ${LINE}" + if [ -z "${SHELL}" ]; then + LogText "Result: found no shell on line" + else + LogText "Result: found possible harmful shell ${SHELL}" + if [ -f ${SHELL} ]; then + LogText "Result: shell ${SHELL} does exist" + FOUND=1 + else + LogText "Result: shell ${SHELL} does not exist" + ReportSuggestion ${TEST_NO} "Determine if account is needed, as shell ${SHELL} does not exist" + fi + fi + done + if [ ${FOUND} -eq 1 ]; then + ReportWarning ${TEST_NO} "Possible harmful shell found (for passwordless account!)" + fi + fi + else + Display --indent 2 --text "- Login shells" --result "${STATUS_SKIPPED}" --color WHITE + LogText "Result: No /etc/master.passwd file found" + fi + unset LINE SHELL + fi +# +################################################################################# +# # Test : AUTH-9222 # Description : Check unique group IDs Register --test-no AUTH-9222 --weight L --network NO --category security --description "Check unique groups (IDs)" diff --git a/include/tests_boot_services b/include/tests_boot_services index 2c02ae28..0f137e6b 100644 --- a/include/tests_boot_services +++ b/include/tests_boot_services @@ -328,6 +328,23 @@ # ################################################################################# # + # Test : BOOT-5261 + # Description : Check for DragonFly boot loader + Register --test-no BOOT-5261 --os DragonFly --weight L --network NO --category security --description "Check for DragonFly boot loader presence" + if [ ${SKIPTEST} -eq 0 ]; then + BOOT_LOADER_SEARCHED=1 + if [ -f ${ROOTDIR}boot/boot1 -a -f ${ROOTDIR}boot/boot2 -a -f ${ROOTDIR}boot/loader ]; then + LogText "Result: found boot1, boot2 and loader files in ${ROOTDIR}boot" + Display --indent 2 --text "- Checking presence DragonFly loader" --result "${STATUS_FOUND}" --color GREEN + BOOT_LOADER="DragonFly" + BOOT_LOADER_FOUND=1 + else + LogText "Result: Not all expected files found in ${ROOTDIR}boot" + fi + fi +# +################################################################################# +# # Test : BOOT-5126 # Description : Check for NetBSD boot loader Register --test-no BOOT-5126 --os NetBSD --weight L --network NO --category security --description "Check for NetBSD boot loader presence" diff --git a/include/tests_filesystems b/include/tests_filesystems index 94f067bf..84022a30 100644 --- a/include/tests_filesystems +++ b/include/tests_filesystems @@ -207,6 +207,27 @@ # ################################################################################# # + # Test : FILE-6439 + # Description : Query all HAMMER PFS mounts from /etc/fstab + Register --test-no FILE-6439 --os DragonFly --weight L --network NO --category security --description "Checking HAMMER PFS mounts" + if [ ${SKIPTEST} -eq 0 ]; then + LogText "Test: Query /etc/fstab for available HAMMER PFS mount points" + FIND=$(${MOUNTBINARY} -p | ${AWKBINARY} '{ if ($3 == "null") { print $1":"$2":"$3":"$4":" }}') + if [ -z "${FIND}" ]; then + Display --indent 2 --text "- Querying HAMMER PFS mount points (mount -p)" --result "${STATUS_NONE}" --color WHITE + LogText "Result: unable to find any single PFS mount point" + else + Display --indent 2 --text "- Querying HAMMER PFS mount points (mount -p)" --result "${STATUS_FOUND}" --color GREEN + Report "filesystem[]=hammer" + for I in ${FIND}; do + LogText "HAMMER mount found: ${I}" + Report "mountpoint_hammer[]=${I}" + done + fi + fi +# +################################################################################# +# # Test : FILE-6332 # Description : Check swap partitions if [ -f /etc/fstab ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi diff --git a/include/tests_kernel b/include/tests_kernel index 61bfed61..b1ed421f 100644 --- a/include/tests_kernel +++ b/include/tests_kernel @@ -314,6 +314,37 @@ # ################################################################################# # + # Test : KRNL-5831 + # Description : Checking DragonFly loaded kernel modules + Register --test-no KRNL-5831 --os DragonFly --weight L --network NO --category security --description "Checking DragonFly loaded kernel modules" + if [ ${SKIPTEST} -eq 0 ]; then + Display --indent 2 --text "- Checking active kernel modules" + LogText "Test: Active kernel modules (KLDs)" + LogText "Description: View all active kernel modules (including kernel)" + LogText "Test: Checking modules" + if [ -f /sbin/kldstat ]; then + FIND=`kldstat | ${GREPBINARY} -v 'Name' | ${TRBINARY} -s ' ' | ${CUTBINARY} -d ' ' -f6` + if [ $? -eq 0 ]; then + LogText "Loaded modules according kldstat:" + N=0 + for I in ${FIND}; do + LogText "Loaded module: ${I}" + Report "loaded_kernel_module[]=${I}" + N=$((N + 1)) + done + Display --indent 4 --text "Found ${N} kernel modules" --result "${STATUS_DONE}" --color GREEN + else + Display --indent 4 --text "Test failed" --result "${STATUS_WARNING}" --color RED + LogText "Result: Problem with executing kldstat" + fi + else + echo "[ ${WHITE}SKIPPED${NORMAL} ]" + LogText "Result: no results, can't find /sbin/kldstat" + fi + fi +# +################################################################################# +# # Test : KRNL-5770 # Description : Checking Solaris load modules Register --test-no KRNL-5770 --os Solaris --weight L --network NO --category security --description "Checking active kernel modules" |