github.com/CISOfy/lynis.git - Unnamed repository; edit this file 'description' to name the repository.
author    Michael Boelen <michael.boelen@cisofy.com>  2017-04-30 18:59:35 +0300
committer Michael Boelen <michael.boelen@cisofy.com>  2017-04-30 18:59:35 +0300
commit    4ecb9d4d05124b813cd4d7ddcaf5671c2f4c4765 (patch)
tree      282f5a4e9e3530ada04d00bda3e8ac118cf70bbd
parent    5ccd0912cf74f5d3dd07e5ed5fe0e6a30571fbb5 (diff)
[bulk change] cleaning up, code enhancements, initialization of variables, and new tests
-rw-r--r--  CHANGELOG.md                       13
-rw-r--r--  db/tests.db                        30
-rw-r--r--  include/binaries                   38
-rw-r--r--  include/consts                      4
-rw-r--r--  include/data_upload                14
-rw-r--r--  include/functions                 385
-rw-r--r--  include/helper_audit_dockerfile    27
-rw-r--r--  include/helper_show                28
-rw-r--r--  include/helper_update               4
-rw-r--r--  include/osdetection                 2
-rw-r--r--  include/parameters                 12
-rw-r--r--  include/profiles                    4
-rw-r--r--  include/report                    118
-rw-r--r--  include/tests_banners             192
-rw-r--r--  include/tests_boot_services       102
-rw-r--r--  include/tests_containers           20
-rw-r--r--  include/tests_databases             8
-rw-r--r--  include/tests_filesystems          96
-rw-r--r--  include/tests_firewalls            58
-rw-r--r--  include/tests_hardening             2
-rw-r--r--  include/tests_kernel               76
-rw-r--r--  include/tests_logging              22
-rw-r--r--  include/tests_mac_frameworks        6
-rw-r--r--  include/tests_malware               2
-rw-r--r--  include/tests_nameservices         91
-rw-r--r--  include/tests_networking           85
-rw-r--r--  include/tests_ports_packages      271
-rw-r--r--  include/tests_printers_spools      58
-rw-r--r--  include/tests_scheduling           77
-rw-r--r--  include/tests_shells                6
-rw-r--r--  include/tests_squid                46
-rw-r--r--  include/tests_time                 22
-rw-r--r--  include/tests_tooling              52
-rw-r--r--  include/tests_webservers           61
-rwxr-xr-x  lynis                              20
-rw-r--r--  plugins/custom_plugin.template      4
-rw-r--r--  plugins/plugin_pam_phase1          23
-rw-r--r--  plugins/plugin_systemd_phase1      30
38 files changed, 1066 insertions, 1043 deletions
diff --git a/CHANGELOG.md b/CHANGELOG.md
index ba2e5fbd..6e286083 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -10,17 +10,28 @@ Lynis 2.5.0 (2017-05-03) - Not released yet
This release is a maintenance release with focus on cleaning up the code for
readability and future expansion. It includes:
-* Setting ROOTDIR variable instead of fixed paths
+* Use ROOTDIR variable instead of fixed paths
* Introduction of IsEmpty and HasData functions for readability of code
+* Renamed some variables to better indicate their purpose (counting, data type)
* Removal of unused code and comments
+* Deleted unused tests from database file
+* Correct levels of identation
During the maintenance cycle, the project got informed about a flaw that could
be possibly abused. This release is therefore highly recommended. See details on
[CVE-2017-8108](https://cisofy.com/security/cve/cve-2017-8108/)
+Changes:
+--------
+* Support for older mac OS X versions (Lion and Mountain Lion)
+* Initialized variables for more binaries
+
Tests:
------
* MALW-3280 - Extended test with Symantec components
+* PKGS-7332 - Detection of macOS ports tool and installed packages
+* TOOL-5120 - Snort detection
+* TOOL-5122 - Snort configuration file
---------------------------------------------------------------------------------
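Review bot: the added line `+* Correct levels of identation` misspells "indentation", and `+* Support for older mac OS X versions (Lion and Mountain Lion)` should read "Mac OS X", which is Apple's name for those releases. Both are user-visible changelog text, so they are worth fixing before the 2.5.0 release.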
diff --git a/db/tests.db b/db/tests.db
index 2275afd8..e9235e40 100644
--- a/db/tests.db
+++ b/db/tests.db
@@ -46,8 +46,6 @@ AUTH-9402:test:security:authentication::Query LDAP authentication support:
AUTH-9406:test:security:authentication::Query LDAP servers in client configuration:
AUTH-9408:test:security:authentication::Logging of failed login attempts via /etc/login.defs:
BANN-7113:test:security:banners:FreeBSD:Check COPYRIGHT banner file:
-#BANN-7119:test:security:banners::Check MOTD banner file:
-#BANN-7122:test:security:banners::Check /etc/motd banner file contents:
BANN-7124:test:security:banners::Check issue banner file:
BANN-7126:test:security:banners::Check issue banner file contents:
BANN-7128:test:security:banners::Check issue.net banner file:
@@ -63,7 +61,6 @@ BOOT-5124:test:security:boot_services:FreeBSD:Check for FreeBSD boot loader pres
BOOT-5126:test:security:boot_services:NetBSD:Check for NetBSD boot loader presence:
BOOT-5139:test:security:boot_services::Check for LILO boot loader presence:
BOOT-5142:test:security:boot_services::Check SPARC Improved boot loader (SILO):
-#BOOT-5144:test:security:boot_services::Check SPARC Improved boot loader (SILO):
BOOT-5155:test:security:boot_services::Check for YABOOT boot loader configuration file:
BOOT-5159:test:security:boot_services:OpenBSD:Check for OpenBSD boot loader presence:
BOOT-5165:test:security:boot_services:FreeBSD:Check for FreeBSD boot services:
@@ -73,7 +70,6 @@ BOOT-5184:test:security:boot_services:Linux:Check permissions for boot files/scr
BOOT-5202:test:security:boot_services::Check uptime of system:
BOOT-5260:test:security:boot_services::Check single user mode for systemd:
CONT-8004:test:security:containers:Solaris:Query running Solaris zones:
-#CONT-1906:test:security:containers::Query Xen guests:
CONT-8102:test:security:containers::Checking Docker status and information:
CONT-8104:test:security:containers::Checking Docker info for any warnings:
CONT-8106:test:security:containers::Gather basic stats from Docker:
@@ -81,14 +77,11 @@ CONT-8107:test:performance:containers::Check number of unused Docker containers:
CONT-8108:test:security:containers::Check file permissions for Docker files:
CRYP-7902:test:security:crypto::Check expire date of SSL certificates:
DBS-1804:test:security:databases::Checking active MySQL process:
-#DBS-1808:test:security:databases::Checking MySQL data directory:
-#DBS-1812:test:security:databases::Checking MySQL data directory permissions:
DBS-1816:test:security:databases::Checking MySQL root password:
DBS-1818:test:security:databases::MongoDB status:
DBS-1820:test:security:databases::Check MongoDB authentication:
DBS-1826:test:security:databases::Checking active PostgreSQL processes:
DBS-1840:test:security:databases::Checking active Oracle processes:
-#DBS-1842:test:security:databases::Checking Oracle home paths:
DBS-1860:test:security:databases::Checking active DB2 instances:
DBS-1880:test:security:databases::Checking active Redis processes:
DBS-1882:test:security:databases::Redis configuration file:
@@ -112,7 +105,6 @@ FILE-7524:test:security:file_permissions::Perform file permissions check:
FILE-6310:test:security:filesystems::Checking /tmp, /home and /var directory:
FILE-6311:test:security:filesystems::Checking LVM volume groups:
FILE-6312:test:security:filesystems::Checking LVM volumes:
-#FILE-6316:test:security:filesystems:Linux:Checking /etc/fstab:
FILE-6323:test:security:filesystems:Linux:Checking EXT file systems:
FILE-6329:test:security:filesystems::Checking FFS/UFS file systems:
FILE-6330:test:security:filesystems:FreeBSD:Checking ZFS file systems:
@@ -145,7 +137,6 @@ FIRE-4586:test:security:firewalls::Check firewall logging:
FIRE-4590:test:security:firewalls::Check firewall status:
HOME-9302:test:security:homedirs::Create list with home directories:
HOME-9310:test:security:homedirs::Checking for suspicious shell history files:
-#HOME-9314:test:security:homedirs::Create list with home directories:
HOME-9350:test:security:homedirs::Collecting information from home directories:
HRDN-7220:test:security:hardening::Check if one or more compilers are installed:
HRDN-7222:test:security:hardening::Check compiler permissions:
@@ -153,12 +144,9 @@ HRDN-7230:test:security:hardening::Check for malware scanner:
HTTP-6622:test:security:webservers::Checking Apache presence:
HTTP-6624:test:security:webservers::Testing main Apache configuration file:
HTTP-6626:test:security:webservers::Testing other Apache configuration file:
-#HTTP-6628:test:security:webservers::Testing other Apache configuration file:
-#HTTP-6630:test:security:webservers::Determining all loaded Apache modules:
HTTP-6632:test:security:webservers::Determining all available Apache modules:
HTTP-6640:test:security:webservers::Determining existence of specific Apache modules:
HTTP-6641:test:security:webservers::Determining existence of specific Apache modules:
-#HTTP-6642:test:security:webservers::Determining existence of specific Apache modules:
HTTP-6643:test:security:webservers::Determining existence of specific Apache modules:
HTTP-6702:test:security:webservers::Check nginx process:
HTTP-6704:test:security:webservers::Check nginx configuration file:
@@ -168,8 +156,6 @@ HTTP-6710:test:security:webservers::Check nginx SSL configuration settings:
HTTP-6712:test:security:webservers::Check nginx access logging:
HTTP-6714:test:security:webservers::Check for missing error logs in nginx:
HTTP-6716:test:security:webservers::Check for debug mode on error log in nginx:
-#HTTP-67xx:test:security:webservers::Check nginx virtual hosts:
-#HTTP-67xx:test:security:webservers::Check nginx virtual hosts:
HTTP-6720:test:security:webservers::Check Nginx log files:
INSE-8002:test:security:insecure_services::Check for enabled inet daemon:
INSE-8004:test:security:insecure_services::Check for enabled inet daemon:
@@ -187,7 +173,6 @@ KRNL-5745:test:security:kernel:FreeBSD:Checking FreeBSD loaded kernel modules:
KRNL-5770:test:security:kernel:Solaris:Checking active kernel modules:
KRNL-5788:test:security:kernel:Linux:Checking availability new Linux kernel:
KRNL-5820:test:security:kernel:Linux:Checking core dumps configuration:
-#KRNL-5826:test:security:kernel:Linux:Checking core dumps configuration:
KRNL-5830:test:security:kernel:Linux:Checking if system is running on the latest installed kernel:
KRNL-6000:test:security:kernel_hardening::Check sysctl key pairs in scan profile:
LDAP-2219:test:security:ldap::Check running OpenLDAP instance:
@@ -252,14 +237,9 @@ NAME-4036:test:security:nameservices::Check Unbound configuration file:
NAME-4202:test:security:nameservices::Check BIND status:
NAME-4204:test:security:nameservices::Search BIND configuration file:
NAME-4206:test:security:nameservices::Check BIND configuration consistency:
-#NAME-4050:test:security:nameservices::Check nscd status:
NAME-4210:test:security:nameservices::Check DNS banner:
-#NAME-4212:test:security:nameservices::Check version setting in configuration:
-#NAME-4220:test:security:nameservices::Check zone transfer:
-#NAME-4222:test:security:nameservices::Check zone transfer:
NAME-4230:test:security:nameservices::Check PowerDNS status:
NAME-4232:test:security:nameservices::Search PowerDNS configuration file:
-#NAME-4234:test:security:nameservices::Check PowerDNS configuration consistency:
NAME-4236:test:security:nameservices::Check PowerDNS backends:
NAME-4238:test:security:nameservices::Check PowerDNS authoritive status:
NAME-4304:test:security:nameservices::Check NIS ypbind status:
@@ -301,6 +281,8 @@ PKGS-7320:test:security:ports_packages:Linux:Check presence of arch-audit for Ar
PKGS-7322:test:security:ports_packages:Linux:Discover vulnerable packages on Arch Linux:
PKGS-7328:test:security:ports_packages::Querying Zypper for installed packages:
PKGS-7330:test:security:ports_packages::Querying Zypper for vulnerable packages:
+PKGS-7332:test:security:ports_packages::Detection of macOS ports and packages:
+PKGS-7334:test:security:ports_packages::Detection of available updates for macOS ports:
PKGS-7345:test:security:ports_packages::Querying dpkg:
PKGS-7346:test:security:ports_packages::Search unpurged packages on system:
PKGS-7348:test:security:ports_packages:FreeBSD:Check for old distfiles:
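Review bot: `+PKGS-7334:test:security:ports_packages::Detection of available updates for macOS ports:` registers a test that the CHANGELOG in this same commit does not mention (only PKGS-7332 is listed under Tests:). Either add PKGS-7334 to the CHANGELOG or confirm it is intentionally undocumented. The PKGS-7332 description also differs between the two files ("ports and packages" here versus "ports tool and installed packages" in CHANGELOG); picking one wording keeps `lynis show tests` and the release notes in step.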
@@ -330,7 +312,6 @@ PRNT-2306:test:security:printers_spools::Check CUPSd configuration file:
PRNT-2307:test:security:printers_spools::Check CUPSd configuration file permissions:
PRNT-2308:test:security:printers_spools::Check CUPSd network configuration:
PRNT-2314:test:security:printers_spools::Check lpd status:
-#PRNT-23xx:test::printers_spools:Check cupsd address configuration:security:
PRNT-2316:test:security:printers_spools:AIX:Checking /etc/qconfig file:
PRNT-2418:test:security:printers_spools:AIX:Checking qdaemon printer spooler status:
PRNT-2420:test:security:printers_spools:AIX:Checking old print jobs:
@@ -348,8 +329,6 @@ SHLL-6290:test:security:shells::Perform Shellshock vulnerability tests:
SNMP-3302:test:security:snmp::Check for running SNMP daemon:
SNMP-3304:test:security:snmp::Check SNMP daemon file location:
SNMP-3306:test:security:snmp::Check SNMP communities:
-#SOL-xxxx:test:security:solaris::Check for running SSH daemon:
-#SOL-xxxx:test:security:solaris::Check for running SSH daemon:
SQD-3602:test:security:squid::Check for running Squid daemon:
SQD-3604:test:security:squid::Check Squid daemon file location:
SQD-3606:test:security:squid::Check Squid version:
@@ -372,7 +351,6 @@ STRG-1902:test:security:storage_nfs::Check rpcinfo registered programs:
STRG-1904:test:security:storage_nfs::Check nfs rpc:
STRG-1906:test:security:storage_nfs::Check nfs rpc:
STRG-1920:test:security:storage_nfs::Checking NFS daemon:
-#STRG-1924:test:security:storage_nfs::Checking NFS daemon:
STRG-1926:test:security:storage_nfs::Checking NFS exports:
STRG-1928:test:security:storage_nfs::Checking empty /etc/exports:
STRG-1930:test:security:storage_nfs::Check client access to nfs share:
@@ -385,13 +363,13 @@ TIME-3124:test:security:time::Check selected time source:
TIME-3128:test:security:time::Check preffered time source:
TIME-3132:test:security:time::Check NTP falsetickers:
TIME-3136:test:security:time:Linux:Check NTP protocol version:
-#TIME-3146:test:security:time:Linux:Check /etc/default/ntpdate:
TIME-3148:test:performance:time:Linux:Check TZ variable:
TIME-3160:test:security:time:Linux:Check empty NTP step-tickers:
TIME-3170:test:security:time::Check configuration files:
TOOL-5002:test:security:tooling::Checking for automation tools:
TOOL-5102:test:security:tooling::Check for presence of Fail2ban:
TOOL-5104:test:security:tooling::Enabled tests for Fail2ban:
+TOOL-5120:test:security:tooling::Presence of Snort IDS:
+TOOL-5122:test:security:tooling::Snort IDS configuration file:
TOOL-5190:test:security:tooling::Check presence of available IDS/IPS tooling:
-#VIRT-1920:test::virtualization:Checking VMware guest status:security:
# EOF
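Review bot: the unchanged context line `TIME-3128:test:security:time::Check preffered time source:` carries a pre-existing typo ("preferred"); since this commit already edits the tail of tests.db, it is a cheap fix to fold in. The two new TOOL-512x entries match the CHANGELOG additions.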
diff --git a/include/binaries b/include/binaries
index 81a9c99d..2218ec67 100644
--- a/include/binaries
+++ b/include/binaries
@@ -38,7 +38,7 @@
# Description : Check all system binaries
# Notes : Always perform test, dependency for many other tests
Register --test-no CORE-1000 --weight L --network NO --description "Check all system binaries"
- BINARY_PATHS_FOUND=""; N=0
+ BINARY_PATHS_FOUND=""; COUNT=0
Display --indent 2 --text "- Checking system binaries..."
LogText "Status: Starting binary scan..."
for SCANDIR in ${BIN_PATHS}; do
@@ -55,10 +55,10 @@
LogText "Result: found the path behind this symlink (${SCANDIR} --> ${sFILE})"
ORGPATH="${SCANDIR}"
SCANDIR="${sFILE}"
- else
+ else
SKIPDIR=1; LogText "Result: Symlink variable empty, or directory to symlink is non-existing"
fi
- else
+ else
SKIPDIR=1; LogText "Result: Could not find the location of this symlink, or is not a directory"
fi
fi
@@ -73,12 +73,12 @@
BINARY_PATHS_FOUND="${BINARY_PATHS_FOUND}, ${SCANDIR}"
LogText "Directory ${SCANDIR} exists. Starting directory scanning..."
FIND=$(ls ${SCANDIR})
- for I in ${FIND}; do
- N=$((N + 1))
- BINARY="${SCANDIR}/${I}"
+ for FILENAME in ${FIND}; do
+ COUNT=$((COUNT + 1))
+ BINARY="${SCANDIR}/${FILENAME}"
DISCOVERED_BINARIES="${DISCOVERED_BINARIES}${BINARY} "
# Optimized, much quicker (limited file access needed)
- case ${I} in
+ case ${FILENAME} in
aa-status) APPARMORFOUND=1; AASTATUSBINARY=${BINARY}; LogText " Found known binary: aa-status (apparmor component) - ${BINARY}" ;;
afick.pl) AFICKFOUND=1; AFICKBINARY=${BINARY}; LogText " Found known binary: afick (file integrity checker) - ${BINARY}" ;;
aide) AIDEFOUND=1; AIDEBINARY=${BINARY}; LogText " Found known binary: aide (file integrity checker) - ${BINARY}" ;;
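Review bot: renaming `I` to `FILENAME` reads better, but the loop still iterates over `FIND=$(ls ${SCANDIR})`, so word splitting breaks any directory entry whose name contains whitespace and `BINARY="${SCANDIR}/${FILENAME}"` then points at a non-existent path. Iterating a glob (`for BINARY in "${SCANDIR}"/*` and matching on `${BINARY##*/}` in the case statement) avoids both parsing `ls` output and the splitting, and is portable to POSIX sh.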
@@ -205,9 +205,9 @@
ps) PSFOUND=1; PSBINARY="${BINARY}"; LogText " Found known binary: ps (process listing) - ${BINARY}" ;;
puppet) PUPPETFOUND=1; PUPPETBINARY="${BINARY}"; LogText " Found known binary: puppet (automation tooling) - ${BINARY}" ;;
puppetmasterd) PUPPETMASTERDFOUND=1; PUPPETMASTERDBINARY="${BINARY}"; LogText " Found known binary: puppetmasterd (puppet master daemon) - ${BINARY}" ;;
- python) PYTHONFOUND=1; PYTHONBINARY="${BINARY}"; PYTHONVERSION=$(${BINARY} --version 2>&1 | sed 's/^Python //'); LogText "Found known binary: ${I} (programming language interpreter) - ${BINARY} (version ${PYTHONVERSION})" ;;
- python2) PYTHON2FOUND=1; PYTHON2BINARY="${BINARY}"; PYTHON2VERSION=$(${BINARY} --version 2>&1 | sed 's/^Python //'); LogText "Found known binary: ${I} (programming language interpreter) - ${BINARY} (version ${PYTHON2VERSION})" ;;
- python3) PYTHON3FOUND=1; PYTHON3BINARY="${BINARY}"; PYTHON3VERSION=$(${BINARY} --version 2>&1 | sed 's/^Python //'); LogText "Found known binary: ${I} (programming language interpreter) - ${BINARY} (version ${PYTHON3VERSION})" ;;
+ python) PYTHONFOUND=1; PYTHONBINARY="${BINARY}"; PYTHONVERSION=$(${BINARY} --version 2>&1 | sed 's/^Python //'); LogText "Found known binary: ${FILENAME} (programming language interpreter) - ${BINARY} (version ${PYTHONVERSION})" ;;
+ python2) PYTHON2FOUND=1; PYTHON2BINARY="${BINARY}"; PYTHON2VERSION=$(${BINARY} --version 2>&1 | sed 's/^Python //'); LogText "Found known binary: ${FILENAME} (programming language interpreter) - ${BINARY} (version ${PYTHON2VERSION})" ;;
+ python3) PYTHON3FOUND=1; PYTHON3BINARY="${BINARY}"; PYTHON3VERSION=$(${BINARY} --version 2>&1 | sed 's/^Python //'); LogText "Found known binary: ${FILENAME} (programming language interpreter) - ${BINARY} (version ${PYTHON3VERSION})" ;;
readlink) READLINKFOUND=1; READLINKBINARY="${BINARY}"; LogText " Found known binary: readlink (follows symlinks) - ${BINARY}" ;;
rkhunter) RKHUNTERFOUND=1; RKHUNTERBINARY="${BINARY}"; MALWARE_SCANNER_INSTALLED=1; LogText " Found known binary: rkhunter (malware scanner) - ${BINARY}" ;;
rootsh) ROOTSHFOUND=1; ROOTSHBINARY="${BINARY}"; LogText " Found known binary: rootsh (wrapper for shells) - ${BINARY}" ;;
@@ -217,7 +217,7 @@
salt-master) SALTMASTERFOUND=1; SALTMASTERBINARY="${BINARY}"; LogText " Found known binary: salt-master (SaltStack master) - ${BINARY}" ;;
salt-minion) SALTMINIONFOUND=1; SALTMINIONBINARY="${BINARY}"; LogText " Found known binary: salt-minion (SaltStack client) - ${BINARY}" ;;
samhain) SAMHAINFOUND=1; SAMHAINBINARY="${BINARY}"; LogText " Found known binary: samhain (integrity tool) - ${BINARY}" ;;
- service) SERVICEFOUND=1; SERVICEBINARY="${BINARY}"; LogText " Found known binary: service (system services) - ${BINARY}" ;;
+ service) SERVICEFOUND=1; SERVICEBINARY="${BINARY}"; LogText " Found known binary: service (system services) - ${BINARY}" ;;
sed) SEDBINARY="${BINARY}"
LogText " Found known binary: sed (text stream editor) - ${BINARY}"
;;
@@ -226,8 +226,9 @@
smbd) SMBDFOUND=1; SMBDBINARY="${BINARY}"; if [ "${OS}" = "macOS" ]; then SMBDVERSION="unknown"; else SMBDVERSION=$(${BINARY} -V | grep "^Version" | awk '{ print $2 }'); fi; LogText "Found ${BINARY} (version ${SMBDVERSION})" ;;
smtpctl) SMTPCTLBINARY="${BINARY}"; LogText " Found known binary: smtpctl (OpenSMTPD client) - ${BINARY}" ;;
showmount) SHOWMOUNTFOUND=1; SHOWMOUNTBINARY="${BINARY}"; LogText " Found known binary: showmount (NFS mounts) - ${BINARY}" ;;
+ snort) SNORTBINARY="${BINARY}"; LogText " Found known binary: snort (IDS) - ${BINARY}" ;;
sockstat) SOCKSTATFOUND=1; SOCKSTATBINARY="${BINARY}"; LogText " Found known binary: sockstat (open network sockets) - ${BINARY}" ;;
- sort) SORTBINARY="${BINARY}"; LogText " Found known binary: sort (sort data streams) - ${BINARY}" ;;
+ sort) SORTBINARY="${BINARY}"; LogText " Found known binary: sort (sort data streams) - ${BINARY}" ;;
squid) SQUIDFOUND=1; SQUIDBINARY="${BINARY}"; LogText " Found known binary: squid (proxy) - ${BINARY}" ;;
ss) SSFOUND=1; SSBINARY="${BINARY}"; LogText " Found known binary: ss (show sockets) - ${BINARY}" ;;
sshd) SSHDFOUND=1; SSHDBINARY="${BINARY}"; SSHDVERSION=$(${BINARY} -t -d 2>&1 | head -n 1 | awk '{ print $4 }' | cut -d '_' -f2 | tr -d ',' | tr -d '\r'); LogText "Found ${BINARY} (version ${SSHDVERSION})" ;;
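Review bot: `+ snort) SNORTBINARY="${BINARY}"; ...` sets only the binary path, whereas the neighbouring entries (`smbd`, `showmount`, `sockstat`, `squid`) also set a `*FOUND=1` flag. If TOOL-5120 keys off a non-empty SNORTBINARY this works, but for consistency with the rest of the case statement (and with `include/consts`, which in this commit only initialises SNORTBINARY) either add SNORTFOUND or note in the test that presence is inferred from the path variable.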
@@ -263,22 +264,21 @@
zypper) ZYPPERFOUND=1; ZYPPERBINARY="${BINARY}"; LogText " Found known binary: zypper (package manager) - ${BINARY}" ;;
esac
done
- else
+ else
LogText "Result: Directory ${SCANDIR} skipped"
if [ ! "${ORGPATH}" = "" ]; then TEXT="${ORGPATH} (links to ${SCANDIR})"; else TEXT="${SCANDIR}"; fi
fi
- else
+ else
LogText "Result: Directory ${SCANDIR} does NOT exist"
fi
done
+ BINARY_SCAN_FINISHED=1
BINARY_PATHS_FOUND=$(echo ${BINARY_PATHS_FOUND} | sed 's/^, //g' | sed 's/ //g')
LogText "Discovered directories: ${BINARY_PATHS_FOUND}"
+ LogText "Result: found ${COUNT} binaries"
+ Report "binaries_count=${COUNT}"
Report "binary_paths=${BINARY_PATHS_FOUND}"
- BINARY_SCAN_FINISHED=1
- LogText "Result: found ${N} binaries"
- Report "binaries_count=${N}"
-
- else
+ else
LogText "Result: checking of binaries skipped in this mode"
fi
diff --git a/include/consts b/include/consts
index 75234967..0ab269b6 100644
--- a/include/consts
+++ b/include/consts
@@ -59,6 +59,7 @@ unset LANG
AUDITD_RUNNING=0
APPLICATION_FIREWALL_ACTIVE=0
BINARY_SCAN_FINISHED=0
+ BLKIDBINARY=""
CAT_BINARY=""
CFAGENTBINARY=""
CHECK=0
@@ -98,12 +99,14 @@ unset LANG
DOCKER_DAEMON_RUNNING=0
ECHOCMD=""
ERROR_ON_WARNINGS=0
+ FAIL2BANBINARY=""
FILEBINARY=""
FILEVALUE=""
FIND=""
FIREWALL_ACTIVE=0
FOUNDPATH=0
GETENT_BINARY=""
+ GRADMBINARY=""
GREPBINARY="grep"
GROUP_NAME=""
GRPCKBINARY=""
@@ -239,6 +242,7 @@ unset LANG
SKIPREASON=""
SKIPPED_TESTS_ROOTONLY=""
SMTPCTLBINARY=""
+ SNORTBINARY=""
SSHKEYSCANBINARY=""
SSHKEYSCANFOUND=0
SSL_CERTIFICATE_PATHS=""
diff --git a/include/data_upload b/include/data_upload
index 90f58fd7..701827e5 100644
--- a/include/data_upload
+++ b/include/data_upload
@@ -38,7 +38,7 @@
# Additional options to curl
if [ "${UPLOAD_OPTIONS}" = "" ]; then
CURL_OPTIONS=""
- else
+ else
CURL_OPTIONS=" ${UPLOAD_OPTIONS}"
fi
@@ -62,7 +62,7 @@
# Check if we can find curl
# Suggestion: If you want to keep the system hardened, copying the binary from a trusted source is a good alternative.
# Restrict access to this binary to the user who is running this script.
- if [ "${CURLBINARY}" = "" ]; then
+ if IsEmpty "${CURLBINARY}"; then
echo "Fatal: can't find curl binary. Please install the related package or put the binary in the PATH. Quitting.."
LogText "Error: Could not find cURL binary"
exit 1
@@ -73,7 +73,7 @@
echo "Fatal: no license key found. Quitting.."
LogText "Error: no license key was specified in the profile (${PROFILE})"
ExitFatal
- else
+ else
Output "License key = ${LICENSE_KEY}"
fi
@@ -189,7 +189,7 @@
if [ "${UPLOAD_CODE}" = "100" ]; then
Output "${WHITE}License is valid${NORMAL}"
LogText "Result: license is valid"
- else
+ else
LogText "Result: error while checking license"
LogText "Output: ${UPLOAD_CODE}"
echo "${RED}Fatal error: ${WHITE}Error while checking the license.${NORMAL}"
@@ -237,16 +237,16 @@
echo ""
# Quit
ExitClean
- else
+ else
Display --indent 2 --text "Data upload status" --result OK --color GREEN
fi
- else
+ else
echo "${RED}Error${NORMAL}: No hostid and/or hostid2 found. Can not upload report file."
echo "Suggested command: lynis show hostids"
# Quit
ExitFatal
fi
- else
+ else
Output "${YELLOW}No report file found to upload.${NORMAL}"
ExitFatal
fi
diff --git a/include/functions b/include/functions
index c03022bc..177a297c 100644
--- a/include/functions
+++ b/include/functions
@@ -124,7 +124,7 @@
HPTOTAL=$((HPTOTAL + HPADDMAX))
if [ ${HPADD} -eq ${HPADDMAX} ]; then
LogText "Hardening: assigned maximum number of hardening points for this item (${HPADDMAX}). Currently having ${HPPOINTS} points (out of ${HPTOTAL})"
- else
+ else
LogText "Hardening: assigned partial number of hardening points (${HPADD} of ${HPADDMAX}). Currently having ${HPPOINTS} points (out of ${HPTOTAL})"
fi
}
@@ -151,7 +151,7 @@
FIND=$(egrep "^${SETTING};" ${SETTINGS_FILE})
if [ -z "${FIND}" ]; then
echo "${SETTING};${VALUE};${DESCRIPTION};" >> ${SETTINGS_FILE}
- else
+ else
Debug "Setting '${SETTING}' was already configured, overwriting previous line '${FIND}' in ${SETTINGS_FILE} with value '${VALUE}'"
# Delete line first, then add new value (inline search and replace is messy)
CreateTempFile
@@ -194,12 +194,12 @@
CHECKFILE=$1
if [ ! -d ${CHECKFILE} -a ! -f ${CHECKFILE} ]; then
PERMS="FILE_NOT_FOUND"
- else
+ else
# If 'file' is an directory, use -d
if [ -d ${CHECKFILE} ]; then
FILEVALUE=$(ls -d -l ${CHECKFILE} | cut -c 2-10)
PROFILEVALUE=$(grep '^permdir' ${PROFILE} | grep ":${CHECKFILE}:" | cut -d: -f3)
- else
+ else
FILEVALUE=$(ls -l ${CHECKFILE} | cut -c 2-10)
PROFILEVALUE=$(grep '^permfile' ${PROFILE} | grep ":${CHECKFILE}:" | cut -d: -f3)
fi
@@ -218,33 +218,32 @@
################################################################################
CheckItem() {
- ITEM_FOUND=0
- RETVAL=255
- if [ $# -eq 2 ]; then
- # Don't search in /dev/null, it's too empty there
- if [ ! "${REPORTFILE}" = "/dev/null" ]; then
- # Check if we can find the main type (with or without brackets)
- LogText "Test: search string $2 in earlier discovered results"
- FIND=$(egrep "^$1(\[\])?=" ${REPORTFILE} | egrep "$2")
- if [ ! "${FIND}" = "" ]; then
- ITEM_FOUND=1
- RETVAL=0
- LogText "Result: found search string (result: $FIND)"
- else
- LogText "Result: search string NOT found"
- RETVAL=1
- fi
- else
- LogText "Skipping search, as /dev/null is being used"
- fi
- return ${RETVAL}
- else
- ReportException ${TEST_NO} "Error in function call to CheckItem"
- fi
+ ITEM_FOUND=0
+ RETVAL=255
+ if [ $# -eq 2 ]; then
+ # Don't search in /dev/null, it's too empty there
+ if [ ! "${REPORTFILE}" = "/dev/null" ]; then
+ # Check if we can find the main type (with or without brackets)
+ LogText "Test: search string $2 in earlier discovered results"
+ FIND=$(egrep "^$1(\[\])?=" ${REPORTFILE} | egrep "$2")
+ if HasData "${FIND}"; then
+ ITEM_FOUND=1
+ RETVAL=0
+ LogText "Result: found search string (result: $FIND)"
+ else
+ LogText "Result: search string NOT found"
+ RETVAL=1
+ fi
+ else
+ LogText "Skipping search, as /dev/null is being used"
+ fi
+ return ${RETVAL}
+ else
+ ReportException ${TEST_NO} "Error in function call to CheckItem"
+ fi
}
-
################################################################################
# Name : CheckUpdates()
# Description : Determine if there is an update available
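Review bot: the only behavioural change here is `if HasData "${FIND}"; then` replacing the string comparison, which is fine, but the re-indentation of the whole function makes that one-line change hard to spot; separating whitespace-only changes from functional ones would help review. On the unchanged logic, `FIND=$(egrep "^$1(\[\])?=" ${REPORTFILE} | egrep "$2")` still uses the caller's second argument as an unanchored extended regex, so a value containing `.`, `+` or `(` matches more (or less) than intended; `grep -F -- "$2"` treats it literally.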
@@ -344,12 +343,12 @@
RANDOMSTRING1=$(echo lynis-$(od -N4 -tu /dev/random | awk 'NR==1 {print $2} {}'))
TEMP_FILE="/tmp/${RANDOMSTRING1}"
touch ${TEMP_FILE}
- else
+ else
TEMP_FILE=$(mktemp /tmp/lynis.XXXXXXXXXX) || exit 1
fi
if [ ! "${TEMP_FILE}" = "" ]; then
LogText "Action: created temporary file ${TEMP_FILE}"
- else
+ else
Fatal "Could not create a temporary file"
fi
# Add temporary file to queue for cleanup later
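Review bot: this hunk only changes indentation, but the context shows the fallback branch creating `TEMP_FILE="/tmp/${RANDOMSTRING1}"` with a plain `touch`, which is neither atomic nor permission-restricted the way `mktemp /tmp/lynis.XXXXXXXXXX` in the `else` branch is. Creating a file by name in a shared, world-writable directory is a classic race; preferring `mktemp` everywhere it exists and failing closed (via the existing `Fatal`) when it does not would be safer than the hand-rolled fallback.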
@@ -367,13 +366,14 @@
# Determine if a directory exists
DirectoryExists() {
+ if [ $# -eq 0 ]; then ExitFatal "Missing parameter when calling DirectoryExists function"; fi
DIRECTORY_FOUND=0
LogText "Test: checking if directory $1 exists"
if [ -d $1 ]; then
LogText "Result: directory $1 exists"
DIRECTORY_FOUND=1
return 0
- else
+ else
LogText "Result: directory $1 NOT found"
return 1
fi
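Review bot: the new guard `if [ $# -eq 0 ]; then ExitFatal ...` catches a missing argument but not an empty one: `DirectoryExists ""` passes the guard and the unquoted `[ -d $1 ]` collapses to `[ -d ]`, which is true for a single non-null string, so an empty path is reported as an existing directory. Quote the expansion (`[ -d "$1" ]`) and extend the guard to `[ $# -eq 0 ] || [ -z "$1" ]`.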
@@ -434,7 +434,7 @@
Debug "Already discovered default.prf - skipping this file (${PLOC}/${PNAME})"
elif [ "${PNAME}" = "custom.prf" -a ! "${CUSTOM_PROFILE}" = "" ]; then
Debug "Already discovered custom.prf - skipping this file (${PLOC}/${PNAME})"
- else
+ else
if [ "${PLOC}" = "." ]; then FILE="${WORKDIR}/${PNAME}"; else FILE="${PLOC}/${PNAME}"; fi
if [ -r ${FILE} ]; then
PROFILES="${PROFILES} ${FILE}"
@@ -460,7 +460,7 @@
echo "${RED}Fatal error: ${WHITE}No profile defined and could not find default profile${NORMAL}"
echo "Search paths used --> ${tPROFILE_TARGETS}"
ExitCustom 66
- else
+ else
PROFILES=$(echo ${PROFILES} | sed 's/^ //')
fi
}
@@ -513,10 +513,10 @@
if [ "${RESULT}" = "" ]; then
RESULTPART=""
- else
+ else
if [ ${CRONJOB} -eq 0 ]; then
RESULTPART=" [ ${COLOR}${RESULT}${NORMAL} ]"
- else
+ else
RESULTPART=" [ ${RESULT} ]"
fi
fi
@@ -540,7 +540,7 @@
# Check if we already have already discovered a proper echo command tool. It not, set it default to 'echo'.
if [ "${ECHOCMD}" = "" ]; then ECHOCMD="echo"; fi
${ECHOCMD} "\033[${INDENT}C${TEXT}\033[${SPACES}C${RESULTPART}${DEBUGTEXT}"
- else
+ else
echo "${TEXT}${RESULTPART}"
fi
fi
@@ -637,7 +637,7 @@
if [ $# -eq 1 ]; then
LogText "${PROGRAM_NAME} ended with exit code $1."
exit $1
- else
+ else
LogText "${PROGRAM_NAME} ended with exit code 1."
exit 1
fi
@@ -674,13 +674,14 @@
################################################################################
FileExists() {
+ if [ $# -eq 0 ]; then ExitFatal "Missing parameter when calling FileExists function"; fi
FILE_FOUND=0
LogText "Test: checking if file $1 exists"
if [ -f $1 ]; then
LogText "Result: file $1 exists"
FILE_FOUND=1
return 0
- else
+ else
LogText "Result: file $1 NOT found"
return 1
fi
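Review bot: same gap as in DirectoryExists: the added `$# -eq 0` check does not cover an empty string, and with the unquoted `[ -f $1 ]` a call with `""` evaluates `[ -f ]`, which is true, so FileExists would claim the file exists. Quote `"$1"` and reject empty arguments in the guard.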
@@ -718,17 +719,18 @@
#
# Returns : 0 (empty), 1 (not empty)
# EMPTY (0 or 1) - deprecated usage
- # Usage : xyz
+ # Usage : if FileIsEmpty /etc/passwd; then
################################################################################
FileIsEmpty() {
+ if [ $# -eq 0 ]; then ExitFatal "Missing parameter when calling FileIsEmpty function"; fi
EMPTY=0
LogText "Test: checking if file $1 is empty"
if [ -z $1 ]; then
LogText "Result: file $1 is empty"
EMPTY=1
return 0
- else
+ else
LogText "Result: file $1 is NOT empty"
return 1
fi
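Review bot: `if [ -z $1 ]; then` tests whether the argument string is empty, not whether the file is, so for any real path the function logs "is NOT empty" and returns 1 regardless of the file's size; the new usage comment `if FileIsEmpty /etc/passwd; then` therefore documents behaviour the code does not have. Use `[ ! -s "$1" ]` (true when the file is missing or zero-length) and quote the argument; the added parameter guard is welcome but has the same empty-string hole noted for FileExists.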
@@ -851,117 +853,117 @@
else
ReportException "GetHostID" "No sha1, sha1sum, csum or openssl binary available on AIX"
fi
- else
+ else
ReportException "GetHostID" "No output from entstat on interfaces: en0, ent0"
fi
;;
"DragonFly" | "FreeBSD")
- FIND=$(${IFCONFIGBINARY} | grep ether | head -1 | awk '{ print $2 }' | tr '[:upper:]' '[:lower:]')
- if [ ! "${FIND}" = "" ]; then
- HOSTID=$(echo ${FIND} | sha1)
- else
- ReportException "GetHostID" "No MAC address returned on DragonFly or FreeBSD"
- fi
+ FIND=$(${IFCONFIGBINARY} | grep ether | head -1 | awk '{ print $2 }' | tr '[:upper:]' '[:lower:]')
+ if HasData "${FIND}"; then
+ HOSTID=$(echo ${FIND} | sha1)
+ else
+ ReportException "GetHostID" "No MAC address returned on DragonFly or FreeBSD"
+ fi
;;
"Linux")
- # Define preferred interfaces
- #PREFERRED_INTERFACES="eth0 eth1 eth2 enp0s25"
-
- # Only use ifconfig if no ip binary has been found
- if [ ! "${IFCONFIGBINARY}" = "" ]; then
- # Determine if we have ETH0 at all (not all Linux distro have this, e.g. Arch)
- HASETH0=$(${IFCONFIGBINARY} | grep "^eth0")
- # Check if we can find it with HWaddr on the line
- FIND=$(${IFCONFIGBINARY} 2> /dev/null | grep "^eth0" | grep -v "eth0:" | grep HWaddr | awk '{ print $5 }' | tr '[:upper:]' '[:lower:]')
-
- # If nothing found, then try first for alternative interface. Else other versions of ifconfig (e.g. Slackware/Arch)
- if [ "${FIND}" = "" ]; then
- FIND=$(${IFCONFIGBINARY} 2> /dev/null | grep HWaddr)
- if [ "${FIND}" = "" ]; then
- # If possible directly address eth0 to avoid risking gathering the incorrect MAC address.
- # If not, then falling back to getting first interface. Better than nothing.
- if [ ! "${HASETH0}" = "" ]; then
- FIND=$(${IFCONFIGBINARY} eth0 2> /dev/null | grep "ether " | awk '{ print $2 }' | tr '[:upper:]' '[:lower:]')
- else
- FIND=$(${IFCONFIGBINARY} 2> /dev/null | grep "ether " | awk '{ print $2 }' | head -1 | tr '[:upper:]' '[:lower:]')
- if [ "${FIND}" = "" ]; then
- ReportException "GetHostID" "No eth0 found (and no ether was found with ifconfig)"
- else
- LogText "Result: No eth0 found (ether found), using first network interface to determine hostid (with ifconfig)"
- fi
+ # Define preferred interfaces
+ #PREFERRED_INTERFACES="eth0 eth1 eth2 enp0s25"
+
+ # Only use ifconfig if no ip binary has been found
+ if [ ! "${IFCONFIGBINARY}" = "" ]; then
+ # Determine if we have ETH0 at all (not all Linux distro have this, e.g. Arch)
+ HASETH0=$(${IFCONFIGBINARY} | grep "^eth0")
+ # Check if we can find it with HWaddr on the line
+ FIND=$(${IFCONFIGBINARY} 2> /dev/null | grep "^eth0" | grep -v "eth0:" | grep HWaddr | awk '{ print $5 }' | tr '[:upper:]' '[:lower:]')
+
+ # If nothing found, then try first for alternative interface. Else other versions of ifconfig (e.g. Slackware/Arch)
+ if IsEmpty "${FIND}"; then
+ FIND=$(${IFCONFIGBINARY} 2> /dev/null | grep HWaddr)
+ if IsEmpty "${FIND}"; then
+ # If possible directly address eth0 to avoid risking gathering the incorrect MAC address.
+ # If not, then falling back to getting first interface. Better than nothing.
+ if HasData "${HASETH0}"; then
+ FIND=$(${IFCONFIGBINARY} eth0 2> /dev/null | grep "ether " | awk '{ print $2 }' | tr '[:upper:]' '[:lower:]')
+ else
+ FIND=$(${IFCONFIGBINARY} 2> /dev/null | grep "ether " | awk '{ print $2 }' | head -1 | tr '[:upper:]' '[:lower:]')
+ if IsEmpty "${FIND}"; then
+ ReportException "GetHostID" "No eth0 found (and no ether was found with ifconfig)"
+ else
+ LogText "Result: No eth0 found (ether found), using first network interface to determine hostid (with ifconfig)"
fi
- else
- FIND=$(${IFCONFIGBINARY} 2> /dev/null | grep HWaddr | head -1 | awk '{ print $5 }' | tr '[:upper:]' '[:lower:]')
- LogText "GetHostID: No eth0 found (but HWaddr was found), using first network interface to determine hostid, with ifconfig"
fi
+ else
+ FIND=$(${IFCONFIGBINARY} 2> /dev/null | grep HWaddr | head -1 | awk '{ print $5 }' | tr '[:upper:]' '[:lower:]')
+ LogText "GetHostID: No eth0 found (but HWaddr was found), using first network interface to determine hostid, with ifconfig"
fi
- else
- # See if we can use ip binary instead
- if [ ! "${IPBINARY}" = "" ]; then
- # Determine if we have the common available eth0 interface
- FIND=$(${IPBINARY} addr show eth0 2> /dev/null | egrep "link/ether " | head -1 | awk '{ print $2 }' | tr '[:upper:]' '[:lower:]')
- if [ "${FIND}" = "" ]; then
- # Determine the MAC address of first interface with the ip command
- FIND=$(${IPBINARY} addr show 2> /dev/null | egrep "link/ether " | head -1 | awk '{ print $2 }' | tr '[:upper:]' '[:lower:]')
- if [ "${FIND}" = "" ]; then
- ReportException "GetHostID" "Can't create hostid (no MAC addresses found)"
- fi
+ fi
+ else
+ # See if we can use ip binary instead
+ if [ ! "${IPBINARY}" = "" ]; then
+ # Determine if we have the common available eth0 interface
+ FIND=$(${IPBINARY} addr show eth0 2> /dev/null | egrep "link/ether " | head -1 | awk '{ print $2 }' | tr '[:upper:]' '[:lower:]')
+ if IsEmpty "${FIND}"; then
+ # Determine the MAC address of first interface with the ip command
+ FIND=$(${IPBINARY} addr show 2> /dev/null | egrep "link/ether " | head -1 | awk '{ print $2 }' | tr '[:upper:]' '[:lower:]')
+ if IsEmpty "${FIND}"; then
+ ReportException "GetHostID" "Can't create hostid (no MAC addresses found)"
fi
- else
- ReportException "GetHostID" "Can't create hostid, missing both ifconfig and ip binary"
fi
+ else
+ ReportException "GetHostID" "Can't create hostid, missing both ifconfig and ip binary"
fi
+ fi
- # Check if we found a HostID
- if [ ! "${FIND}" = "" ]; then
- LogText "Info: using hardware address ${FIND} to create ID"
- HOSTID=$(echo ${FIND} | ${SHA1SUMBINARY} | awk '{ print $1 }')
- LogText "Result: Found HostID: ${HOSTID}"
- else
- ReportException "GetHostID" "Can't create HOSTID, command ip not found"
- fi
+ # Check if we found a HostID
+ if HasData "${FIND}"; then
+ LogText "Info: using hardware address ${FIND} to create ID"
+ HOSTID=$(echo ${FIND} | ${SHA1SUMBINARY} | awk '{ print $1 }')
+ LogText "Result: Found HostID: ${HOSTID}"
+ else
+ ReportException "GetHostID" "Can't create HOSTID, command ip not found"
+ fi
;;
"macOS")
- FIND=$(${IFCONFIGBINARY} en0 | grep ether | head -1 | awk '{ print $2 }' | tr '[:upper:]' '[:lower:]')
- if [ ! "${FIND}" = "" ]; then
- HOSTID=$(echo ${FIND} | shasum | awk '{ print $1 }')
- else
- ReportException "GetHostID" "No MAC address returned on macOS"
- fi
- LYNIS_HOSTID2_PART1=$(hostname -s)
- if [ ! -z "${LYNIS_HOSTID2_PART1}" ]; then
- LogText "Info: using hostname ${LYNIS_HOSTID2_PART1}"
- LYNIS_HOSTID2_PART2=$(sysctl -n kern.uuid 2> /dev/null)
- if [ ! -z "${LYNIS_HOSTID2_PART2}" ]; then
- LogText "Info: using UUID ${LYNIS_HOSTID2_PART2}"
- else
- LogText "Info: could not create HOSTID2 as kern.uuid sysctl key is missing"
- fi
- HOSTID2=$(echo "${LYNIS_HOSTID2_PART1}${LYNIS_HOSTID2_PART2}" | shasum -a 256 | awk '{ print $1 }')
- else
- LogText "Info: could not create HOSTID2 as hostname is missing"
- fi
+ FIND=$(${IFCONFIGBINARY} en0 | grep ether | head -1 | awk '{ print $2 }' | tr '[:upper:]' '[:lower:]')
+ if [ ! "${FIND}" = "" ]; then
+ HOSTID=$(echo ${FIND} | shasum | awk '{ print $1 }')
+ else
+ ReportException "GetHostID" "No MAC address returned on macOS"
+ fi
+ LYNIS_HOSTID2_PART1=$(hostname -s)
+ if [ ! -z "${LYNIS_HOSTID2_PART1}" ]; then
+ LogText "Info: using hostname ${LYNIS_HOSTID2_PART1}"
+ LYNIS_HOSTID2_PART2=$(sysctl -n kern.uuid 2> /dev/null)
+ if [ ! -z "${LYNIS_HOSTID2_PART2}" ]; then
+ LogText "Info: using UUID ${LYNIS_HOSTID2_PART2}"
+ else
+ LogText "Info: could not create HOSTID2 as kern.uuid sysctl key is missing"
+ fi
+ HOSTID2=$(echo "${LYNIS_HOSTID2_PART1}${LYNIS_HOSTID2_PART2}" | shasum -a 256 | awk '{ print $1 }')
+ else
+ LogText "Info: could not create HOSTID2 as hostname is missing"
+ fi
;;
"NetBSD")
- FIND=$(${IFCONFIGBINARY} -a | grep "address:" | head -1 | awk '{ print $2 }' | tr '[:upper:]' '[:lower:]')
- if [ ! "${FIND}" = "" ]; then
- HOSTID=$(echo ${FIND} | sha1)
- else
- ReportException "GetHostID" "No MAC address returned on NetBSD"
- fi
+ FIND=$(${IFCONFIGBINARY} -a | grep "address:" | head -1 | awk '{ print $2 }' | tr '[:upper:]' '[:lower:]')
+ if HasData "${FIND}"; then
+ HOSTID=$(echo ${FIND} | sha1)
+ else
+ ReportException "GetHostID" "No MAC address returned on NetBSD"
+ fi
;;
"OpenBSD")
- FIND=$(${IFCONFIGBINARY} | grep "lladdr " | head -1 | awk '{ print $2 }' | tr '[:upper:]' '[:lower:]')
- if [ ! "${FIND}" = "" ]; then
- HOSTID=$(echo ${FIND} | sha1)
- else
- ReportException "GetHostID" "No MAC address returned on OpenBSD"
- fi
+ FIND=$(${IFCONFIGBINARY} | grep "lladdr " | head -1 | awk '{ print $2 }' | tr '[:upper:]' '[:lower:]')
+ if HasData "${FIND}"; then
+ HOSTID=$(echo ${FIND} | sha1)
+ else
+ ReportException "GetHostID" "No MAC address returned on OpenBSD"
+ fi
;;
"Solaris")
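Review bot: the comment at the top of the Linux branch ("Only use ifconfig if no ip binary has been found") contradicts the control flow under it, which tries `${IFCONFIGBINARY}` first and only falls back to `${IPBINARY}` in the `else` branch; either reword the comment or invert the preference. Two smaller points in the same region: the final `else` of the "Check if we found a HostID" block reports "command ip not found", but the missing-ip case is already reported separately just above, so that message is misleading when ifconfig ran and simply returned no MAC address; and `HASETH0=$(${IFCONFIGBINARY} | grep "^eth0")` is the only ifconfig call here without `2> /dev/null`. The macOS branch also keeps `if [ ! "${FIND}" = "" ]` while the neighbouring NetBSD and OpenBSD branches were converted to `HasData`, so the conversion is incomplete within this one function.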
@@ -979,10 +981,10 @@
HOSTID=$(echo ${FIND} | ${SHA1SUMBINARY} | awk '{ print $1 }')
elif [ ! "${OPENSSLBINARY}" = "" ]; then
HOSTID=$(echo ${FIND} | ${OPENSSLBINARY} sha -sha1 | awk '{ print $2 }')
- else
+ else
ReportException "GetHostID" "Can not find sha1/sha1sum or openssl"
fi
- else
+ else
ReportException "GetHostID" "No interface found op Solaris to create HostID"
fi
;;
@@ -1000,7 +1002,7 @@
fi
done
fi
- else
+ else
ReportException "GetHostID" "Can't create HOSTID as there is no SHA1 hash tool available (sha1, sha1sum, openssl)"
fi
@@ -1027,13 +1029,13 @@
if [ ! "${SHA1SUMBINARY}" = "" ]; then
HOSTID=$(cat /etc/ssh/${I} | ${SHA1SUMBINARY} | awk '{ print $1 }')
LogText "result: Created HostID with SSH key ($I): ${HOSTID}"
- else
+ else
ReportException "GetHostID" "Can't create HOSTID with SSH key, as sha1sum binary is missing"
fi
fi
fi
done
- else
+ else
LogText "Result: no /etc/ssh directory found, skipping"
fi
fi
@@ -1055,7 +1057,7 @@
fi
fi
done
- else
+ else
LogText "Result: no /etc/ssh directory found, skipping"
fi
@@ -1216,10 +1218,10 @@
################################################################################
IsEmpty() {
- if [ $# -eq 1 ]; then
- if [ -z "$1" ]; then return 0; else return 1; fi
- else
+ if [ $# -eq 0 ]; then
ExitFatal "Function IsEmpty called without parameters - look in log to determine where this happened, or use sh -x lynis to see all details."
+ else
+ if [ -z "$1" ]; then return 0; else return 1; fi
fi
}
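Review bot: IsEmpty now exits fatally on zero arguments, which makes quoting at every call site mandatory: an unquoted `IsEmpty ${FIND}` with an empty FIND expands to zero arguments and aborts the whole audit instead of returning 0. The call sites converted in this commit all quote their argument, but the function can no longer tell "called with an empty string" from "called with nothing", so a one-line comment above it stating that the argument must be quoted would protect future callers. Dropping the old `-eq 1` check also means surplus arguments are now silently ignored rather than reported.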
@@ -1232,6 +1234,7 @@
################################################################################
IsRunning() {
+ if [ $# -eq 0 ]; then ExitFatal "Missing parameter when calling IsRunning function"; fi
RUNNING=0
PSOPTIONS=""
if [ ${SHELL_IS_BUSYBOX} -eq 0 ]; then PSOPTIONS=" ax"; fi
@@ -1240,7 +1243,7 @@
RUNNING=1
LogText "IsRunning: process '$1' found (${FIND})"
return 0
- else
+ else
LogText "IsRunning: process '$1' not found"
return 1
fi
@@ -1290,14 +1293,14 @@
if [ "${PERMS}" = "" ]; then
PERMS=$(ls -n ${FILE} | ${AWKBINARY} '{ print $3":"$4 }')
fi
- else
+ else
ReportException "IsOwnedByRoot" "Functions needs 1 argument"
return 255
fi
if [ "${PERMS}" = "0:0" ]; then
if IsDeveloperMode; then LogText "Debug: found incorrect file permissions on ${FILE}"; fi
return 0
- else
+ else
return 1
fi
}
@@ -1340,10 +1343,10 @@
LogText "Result: facter says this machine is not a virtual"
;;
esac
- else
+ else
LogText "Result: facter utility not found"
fi
- else
+ else
LogText "Result: skipped facter test, as we already found machine type"
fi
@@ -1356,10 +1359,10 @@
LogText "Result: found ${FIND}"
SHORT="${FIND}"
fi
- else
+ else
LogText "Result: systemd-detect-virt not found"
fi
- else
+ else
LogText "Result: skipped systemd test, as we already found machine type"
fi
@@ -1372,13 +1375,13 @@
if [ ! "${FIND}" = "" ]; then
LogText "Result: found ${FIND}"
SHORT="${FIND}"
- else
+ else
LogText "Result: can't find hypervisor vendor with lscpu"
fi
- else
+ else
LogText "Result: lscpu not found"
fi
- else
+ else
LogText "Result: skipped lscpu test, as we already found machine type"
fi
@@ -1387,7 +1390,8 @@
if [ "${SHORT}" = "" ]; then
if [ -x /usr/bin/dmidecode ]; then DMIDECODE_BINARY="/usr/bin/dmidecode"
elif [ -x /usr/sbin/dmidecode ]; then DMIDECODE_BINARY="/usr/sbin/dmidecode"
- else DMIDECODE_BINARY=""
+ else
+ DMIDECODE_BINARY=""
fi
if [ ! "${DMIDECODE_BINARY}" = "" -a ${PRIVILEGED} -eq 1 ]; then
LogText "Test: trying to guess virtualization with dmidecode"
@@ -1395,13 +1399,13 @@
if [ ! "${FIND}" = "" ]; then
LogText "Result: found ${FIND}"
SHORT="${FIND}"
- else
+ else
LogText "Result: can't find product name with dmidecode"
fi
- else
+ else
LogText "Result: dmidecode not found (or no access)"
fi
- else
+ else
LogText "Result: skipped dmidecode test, as we already found machine type"
fi
# Other options
@@ -1423,7 +1427,7 @@
if [ ${RUNNING} -eq 1 ]; then SHORT="virtualbox"; fi
IsRunning VBoxClient
if [ ${RUNNING} -eq 1 ]; then SHORT="virtualbox"; fi
- else
+ else
LogText "Result: skipped processes test, as we already found platform"
fi
@@ -1432,10 +1436,10 @@
LogText "Test: checking specific files for Amazon"
if [ -f /etc/ec2_version -a ! -z /etc/ec2_version ]; then
SHORT="amazon-ec2"
- else
+ else
LogText "Result: system not hosted on Amazon"
fi
- else
+ else
LogText "Result: skipped Amazon EC2 test, as we already found platform"
fi
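Review bot: in the Amazon check, `-a ! -z /etc/ec2_version` applies `-z` to the literal string "/etc/ec2_version", which is never empty, so the second condition is always true and adds nothing. If the intent is "file exists and is non-empty", `[ -s /etc/ec2_version ]` expresses that on its own.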
@@ -1450,21 +1454,21 @@
if [ ! "${FIND}" = "" ]; then
SHORT="${FIND}"
fi
- else
+ else
LogText "Result: skipped sysctl test, as we already found platform"
fi
# lshw
- if [ "${SHORT}" = "" ]; then
+ if HasData "${SHORT}"; then
if [ ${PRIVILEGED} -eq 1 ]; then
if [ -x /usr/bin/lshw ]; then
LogText "Test: trying to guess virtualization with lshw"
FIND=$(lshw -quiet -class system 2> /dev/null | awk '{ if ($1=="product:") { print $2 }}')
- if [ ! "${FIND}" = "" ]; then
+ if HasData "${FIND}"; then
LogText "Result: found ${FIND}"
SHORT="${FIND}"
fi
- else
+ else
LogText "Result: lshw not found"
fi
else
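Review bot: the lshw guard inverts the logic. `if [ "${SHORT}" = "" ]` ran lshw only when no machine type had been found yet; the replacement `if HasData "${SHORT}"` runs it only when a type has already been found and skips it otherwise, and the `else` branch below will then log "skipped ... as we already found" in exactly the wrong case. This should read `if IsEmpty "${SHORT}"; then`, consistent with the other guards in this function. The inner change to `if HasData "${FIND}"` is correct.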
@@ -1508,7 +1512,7 @@
elif [ ${ISVIRTUALMACHINE} -eq 2 ]; then
LogText "Result: unknown if this system is a virtual machine"
Report "vm=2"
- else
+ else
LogText "Result: system seems to be non-virtual"
fi
}
@@ -1524,6 +1528,7 @@
################################################################################
IsWorldReadable() {
+ if [ $# -eq 0 ]; then ExitFatal "Missing parameter when calling IsWorldReadable function"; fi
sFILE=$1
# Check for symlink
if [ -L ${sFILE} ]; then
@@ -1533,7 +1538,7 @@
if [ -f ${sFILE} -o -d ${sFILE} ]; then
FINDVAL=$(ls -ld ${sFILE} | cut -c 8)
if [ "${FINDVAL}" = "r" ]; then return 0; else return 1; fi
- else
+ else
return 255
fi
}
@@ -1550,6 +1555,7 @@
# Function IsWorldExecutable
IsWorldExecutable() {
+ if [ $# -eq 0 ]; then ExitFatal "Missing parameter when calling IsWorldExecutable function"; fi
sFILE=$1
# Check for symlink
if [ -L ${sFILE} ]; then
@@ -1559,7 +1565,7 @@
if [ -f ${sFILE} -o -d ${sFILE} ]; then
FINDVAL=$(ls -l ${sFILE} | cut -c 10)
if [ "${FINDVAL}" = "x" ]; then return 0; else return 1; fi
- else
+ else
return 255
fi
}
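Review bot: IsWorldExecutable runs `ls -l ${sFILE}` while the guard accepts directories (`-f ${sFILE} -o -d ${sFILE}`); for a directory, `ls -l` without `-d` lists the contents, so `cut -c 10` reads the mode of whatever entry comes first (or the "total" line) rather than of the directory itself. IsWorldReadable and IsWorldWritable use `ls -ld`; this function should too.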
@@ -1575,6 +1581,7 @@
################################################################################
IsWorldWritable() {
+ if [ $# -eq 0 ]; then ExitFatal "Missing parameter when calling IsWorldWritable function"; fi
sFILE=$1
FileIsWorldWritable=""
@@ -1583,7 +1590,7 @@
FINDVAL=$(ls -ld ${sFILE} | cut -c 9)
if IsDeveloperMode; then Debug "File mode of ${sFILE} is ${FINDVAL}"; fi
if [ "${FINDVAL}" = "w" ]; then return 0; else return 1; fi
- else
+ else
return 255
fi
}
@@ -1752,7 +1759,7 @@
if [ "${VALUE}" = "off" ]; then
LogText "Result: found logging disabled for one virtual host"
NGINX_ACCESS_LOG_DISABLED=1
- else
+ else
if [ ! "${VALUE}" = "" ]; then
# If multiple values follow, select first one
VALUE=$(echo ${VALUE} | awk '{ print $1 }')
@@ -1796,7 +1803,7 @@
if [ ! -f ${FILE} ]; then
NGINX_ERROR_LOG_MISSING=1
fi
- else
+ else
LogText "Warning: did not find a filename after error_log in nginx configuration"
fi
;;
@@ -1908,18 +1915,18 @@
PortIsListening() {
if [ "${LSOFBINARY}" = "" ]; then
return 255
- else
+ else
if [ $# -eq 2 ] && [ $1 = "TCP" -o $1 = "UDP" ]; then
LogText "Test: find service listening on $1:$2"
if [ $1 = "TCP" ]; then FIND=$(${LSOFBINARY} -i${1} -s${1}:LISTEN -P -n | grep ":${2} "); else FIND=$(${LSOFBINARY} -i${1} -P -n | grep ":${2} "); fi
if [ ! "${FIND}" = "" ]; then
LogText "Result: found service listening on port $2 ($1)"
return 0
- else
+ else
LogText "Result: did not find service listening on port $2 ($1)"
return 1
fi
- else
+ else
return 255
ReportException ${TEST_NO} "Error in function call to PortIsListening"
fi
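Review bot: in the final `else` of PortIsListening, `return 255` comes before `ReportException ${TEST_NO} "Error in function call to PortIsListening"`, so the exception is never reported; swap the two lines. It would also be safer to quote `$1` in `[ $1 = "TCP" -o $1 = "UDP" ]` so an empty first argument yields a clean false instead of a syntax error from `[`.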
@@ -1945,7 +1952,7 @@
# If the No-Break version of echo is known, use that (usually breaks in combination with -e)
if [ ! "${ECHONB}" = "" ]; then
${ECHONB} "$1"
- else
+ else
${ECHOCMD} -en "$1"
fi
fi
@@ -2023,7 +2030,7 @@
ROOT_ONLY=1
elif [ "$1" = "NO" -o "$1" = "no" ]; then
ROOT_ONLY=0
- else
+ else
Debug "Invalid option for --root-only parameter of Register function"
fi
;;
@@ -2111,7 +2118,7 @@
if IsVerbose; then Debug "Performing test ID ${TEST_NO} (${TEST_DESCRIPTION})"; fi
fi
TESTS_EXECUTED="${TEST_NO}|${TESTS_EXECUTED}"
- else
+ else
if [ ${SKIPLOGTEST} -eq 0 ]; then LogText "Skipped test ${TEST_NO} (${TEST_DESCRIPTION})"; fi
if [ ${SKIPLOGTEST} -eq 0 ]; then LogText "Reason to skip: ${SKIPREASON}"; fi
TESTS_SKIPPED="${TEST_NO}|${TESTS_SKIPPED}"
@@ -2167,7 +2174,7 @@
if [ -f ${PIDFILE} ]; then
rm -f $PIDFILE;
LogText "PID file removed (${PIDFILE})"
- else
+ else
LogText "PID file not found (${PIDFILE})"
fi
fi
@@ -2190,14 +2197,14 @@
if [ -f ${TMPFILE} ]; then
LogText "Action: removing temporary file ${TMPFILE}"
rm -f ${TMPFILE}
- else
+ else
LogText "Info: temporary file ${TMPFILE} was already removed"
fi
- else
+ else
LogText "Found invalid temporary file (${FILE}), not removed. Check your /tmp directory."
fi
done
- else
+ else
LogText "No temporary files to be deleted"
fi
}
@@ -2429,10 +2436,10 @@
LogText "File permissions are OK"
return 0
fi
- else
+ else
ReportException "SafePerms()" "Invalid number of arguments for function"
fi
- else
+ else
PERMS_OK=1
return 0
fi
@@ -2483,11 +2490,11 @@
LogText "Result: found search string '${STRING}'"
if [ ${MASK_LOG} -eq 0 ]; then LogText "Full string returned: ${FIND}"; fi
RETVAL=0
- else
+ else
LogText "Result: search search string '${STRING}' NOT found"
RETVAL=1
fi
- else
+ else
LogText "Skipping search, file (${FILE}) does not exist"
ReportException "${TEST_NO}" "Test is trying to search for a string in nonexistent file"
fi
@@ -2664,7 +2671,7 @@
sFILE="${tFILE}"
LogText "Result: symlink found, pointing to directory ${sFILE}"
FOUNDPATH=1
- else
+ else
# Check the full path of the symlink, strip the filename, copy the path and linked filename together
tDIR=$(echo ${sFILE} | awk '{match($1, "^.*/"); print substr($1, 1, RLENGTH-1)}')
tFILE="${tDIR}/${tFILE}"
@@ -2700,7 +2707,7 @@
LogText "Result: file ${tFILE} in ${tDIR} not found"
fi
fi
- else
+ else
LogText "Result: file ${sFILE} is not a symlink"
fi
# Now check if our new location is actually a file or directory destination
@@ -2710,7 +2717,7 @@
fi
if [ ${FOUNDPATH} -eq 1 ]; then
SYMLINK="${sFILE}"
- else
+ else
SYMLINK=""
fi
}
@@ -2735,7 +2742,7 @@
STRING=$(echo $1 | tr '[:lower:]' '[:upper:]')
if [ "${I}" = "${STRING}" ]; then RETVAL=0; LogText "Atomic test ($1) skipped by configuration (skip-test)"; fi
done
- else
+ else
ReportException "SkipAtomicTest()" "Function called without right number of arguments (1)"
fi
return $RETVAL
@@ -2860,7 +2867,7 @@
if [ "${RETVAL}" -lt 2 ]; then
return ${RESULT}
- else
+ else
Fatal "ERROR: No result returned from function (TestValue). Incorrect usage?"
#ExitFatal
fi
@@ -2964,14 +2971,14 @@
RETVAL=1
if [ "$#" -ne "2" ]; then
ReportException "${TEST_NO}" "Error in function call to ${FUNCNAME}"
- else
+ else
LogText "${FUNCNAME}: checking value for application ${APP}"
LogText "${FUNCNAME}: ${OPTION} is set to ${1}"
if [ "$1" != "$2" ]; then
LogText "${FUNCNAME}: ${1} is not equal to ${2}"
RETVAL=0
- else
+ else
LogText "${FUNCNAME}: ${1} is equal to ${2}"
fi
fi
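Review bot: `${FUNCNAME}` is a bash-specific variable; under `/bin/sh` implementations such as dash it expands to nothing, so the ReportException and LogText lines here will carry an empty function name, which is precisely the information the error path needs. Hardcode the function name as a string literal in these messages (or set a local name variable at the top of each TestCase function).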
@@ -2988,14 +2995,14 @@
RETVAL=1
if [ "$#" -ne "2" ]; then
ReportException "${TEST_NO}" "Error in function call to ${FUNCNAME}"
- else
+ else
LogText "${FUNCNAME}: checking value for application ${APP}"
LogText "${FUNCNAME}: ${OPTION} is set to ${1}"
LogText "${FUNCNAME}: checking if ${1} is greater than ${2}"
if [ "$1" > "$2" ]; then
LogText "${FUNCNAME}: ${1} is greater than ${2}"
RETVAL=0
- else
+ else
LogText "${FUNCNAME}: ${1} is not greater than ${2}"
fi
fi
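Review bot: `if [ "$1" > "$2" ]` does not compare the two values. Inside `[ ... ]` an unquoted `>` is a shell redirection, so this runs `[ "$1" ]` (true for any non-empty string) with stdout redirected to a file named after `$2`, creating that file in the current directory as a side effect. For the numeric comparison the surrounding log line describes, use `[ "$1" -gt "$2" ]`.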
@@ -3013,7 +3020,7 @@
RETVAL=1
if [ "$#" -ne "2" ]; then
ReportException "${TEST_NO}" "Error in function call to ${FUNCNAME}"
- else
+ else
LogText "${FUNCNAME}: checking value for application ${APP}"
LogText "${FUNCNAME}: ${OPTION} is set to ${1}"
LogText "${FUNCNAME}: checking if ${1} is greater or equal ${2}"
@@ -3035,7 +3042,7 @@
RETVAL=1
if [ "$#" -ne "2" ]; then
ReportException "${TEST_NO}" "Error in function call to TestCase_GreaterOrEqual"
- else
+ else
LogText "${FUNCNAME}: checking value for application ${APP}"
LogText "${FUNCNAME}: ${OPTION} is set to ${1}"
@@ -3059,7 +3066,7 @@
RETVAL=1
if [ "$#" -ne "2" ]; then
ReportException "${TEST_NO}" "Error in function call to ${FUNCNAME}"
- else
+ else
LogText "${FUNCNAME}: checking value for application ${APP}"
LogText "${FUNCNAME}: ${OPTION} is set to ${1}"
LogText "${FUNCNAME}: checking if ${1} is less or equal ${2}"
diff --git a/include/helper_audit_dockerfile b/include/helper_audit_dockerfile
index 86c90c81..a3f85bed 100644
--- a/include/helper_audit_dockerfile
+++ b/include/helper_audit_dockerfile
@@ -19,30 +19,29 @@
#################################################################################
if [ $# -eq 0 ]; then
-
Display --indent 2 --text "${RED}Error: ${WHITE}Provide URL or file${NORMAL}"
Display --text " "; Display --text " "
ExitFatal
- else
+else
FILE=$(echo $1 | egrep "^http|https")
- if [ ! "${FILE}" = "" ] ; then
+ if HasData "${FILE}"; then
CreateTempFile
TMP_FILE="${TEMP_FILE}"
Display --indent 2 --text "Downloading URL ${FILE} with wget"
wget -o ${TMP_FILE} ${FILE}
if [ $? -gt 0 ]; then
AUDIT_FILE="${TMP_FILE}"
- else
+ else
if [ -f ${TMP_FILE} ]; then
rm -f ${TMP_FILE}
fi
Display --indent 2 --text "${RED}Error: ${WHITE}can not download file${NORMAL}"
ExitFatal
fi
- else
+ else
if [ -f $1 ]; then
AUDIT_FILE="$1"
- else
+ else
Display --indent 2 --text "File $1 does not exist"
ExitFatal
fi
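Review bot: the download branch does the opposite of what its messages say. `wget -o ${TMP_FILE} ${FILE}` writes wget's log to the temp file (`-o`), not the fetched document (`-O`), and the following `if [ $? -gt 0 ]` treats a non-zero exit status, i.e. failure, as success, so a successful download ends up in the `else` branch, removes the temp file and exits with "can not download file". Use `wget -O ${TMP_FILE} ${FILE}` and test `if [ $? -eq 0 ]`. Separately, `egrep "^http|https"` anchors only the first alternative, so any argument containing "https" anywhere is treated as a URL; `egrep "^https?://"` is the intended test.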
@@ -98,7 +97,7 @@ InsertSection "Basics"
FIND=$(egrep "^MAINTAINER" ${AUDIT_FILE} | sed 's/ /:space:/g')
if [ "${FIND}" = "" ]; then
ReportWarning "dockerfile" "No maintainer found. Unclear who created this file."
- else
+ else
MAINTAINER=$(echo ${FIND} | sed 's/:space:/ /g' | awk '{ if($1=="MAINTAINER") { print }}')
Display --indent 2 --text "Maintainer" --result "${MAINTAINER}"
fi
@@ -114,7 +113,7 @@ InsertSection "Basics"
FIND=$(egrep "apt-get(.*) install" ${AUDIT_FILE})
if [ ! "${FIND}" = "" ]; then
LogText "Found installation via apt-get"
- else
+ else
LogText "No installations found via apt-get"
fi
;;
@@ -151,14 +150,14 @@ InsertSection "Basics"
LogText "Checking usage of wget"
FIND_WGET=$(grep wget ${AUDIT_FILE})
- if [ ! "${FIND_WGET}" = "" ]; then
+ if HasData "${FIND_WGET}"; then
Display --indent 4 --text "Download tool" --result "wget"
FILE_DOWNLOAD=1
fi
FIND=$(grep "^ADD http" ${AUDIT_FILE})
- if [ ! "${FIND}" = "" ]; then
+ if HasData "${FIND}"; then
FILE_DOWNLOAD=1
ReportWarning "dockerfile" "Found download of file via ADD. Unclear if the integrity of this file is checked, or file is signed"
LogText "Details: ${FIND}"
@@ -168,10 +167,10 @@ InsertSection "Basics"
SSL_USED_FIND=$(egrep "(https)" ${AUDIT_FILE})
- if [ ! "${SSL_USED_FIND}" = "" ]; then
+ if HasData "${SSL_USED_FIND}"; then
SSL_USED="YES"
COLOR="GREEN"
- else
+ else
SSL_USED="NO"
COLOR="RED"
ReportSuggestion "Use SSL downloads when possible to increase security (DNSSEC, HTTPS, validation of domain, avoid MitM)"
@@ -182,7 +181,7 @@ InsertSection "Basics"
KEYS_USED=$(egrep "(apt-key adv)" ${AUDIT_FILE})
Display --indent 2 --text "Signing keys used" --result ${SSL_USED}
Display --indent 2 --text "All downloads properly checked" --result "?"
- else
+ else
Display --indent 2 --text "No files seems to be downloaded in this Dockerfile"
fi
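Review bot: `KEYS_USED` is computed from the `apt-key adv` grep but never used; the "Signing keys used" line displays `${SSL_USED}` instead, so this column just repeats the SSL result. Derive a YES/NO value from whether `${KEYS_USED}` is empty (the same HasData pattern introduced elsewhere in this file) and display that.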
@@ -192,7 +191,7 @@ InsertSection "Basics"
InsertSection "Permissions"
FIND=$(grep -i "chmod 777" ${AUDIT_FILE})
- if [ ! "${FIND}" = "" ]; then
+ if HasData "${FIND}"; then
ReportWarning "dockerfile" "Warning: chmod 777 found"
fi
#
diff --git a/include/helper_show b/include/helper_show
index c5f20ddd..30289924 100644
--- a/include/helper_show
+++ b/include/helper_show
@@ -187,11 +187,11 @@ if [ $# -gt 0 ]; then
"commands")
if [ $# -eq 1 ]; then
${ECHOCMD} "\n${WHITE}Commands:${NORMAL}"
- for I in ${COMMANDS}; do
- ${ECHOCMD} "lynis ${CYAN}${I}${NORMAL}"
+ for ITEM in ${COMMANDS}; do
+ ${ECHOCMD} "lynis ${CYAN}${ITEM}${NORMAL}"
done
${ECHOCMD} ""
- else
+ else
shift
if [ $# -eq 1 ]; then
case $1 in
@@ -200,7 +200,7 @@ if [ $# -gt 0 ]; then
"update") ${ECHOCMD} "No help available yet" ;;
*) DisplayError "Unknown argument for 'commands'"
esac
- else
+ else
shift
case $1 in
"dockerfile")
@@ -223,7 +223,7 @@ if [ $# -gt 0 ]; then
if [ -z "${LOGFILE}" ]; then DisplayError "Could not find log file to parse"; fi
if [ $# -eq 1 ]; then
DisplayError "This command needs a test ID (e.g. CORE-1000) to search for."
- else
+ else
shift
if [ $# -eq 1 ]; then
TESTID="$1"
@@ -255,14 +255,14 @@ if [ $# -gt 0 ]; then
${ECHOCMD} "=========================="
${ECHOCMD} ""
${ECHOCMD} "${WHITE}Commands${NORMAL}:"
- for I in ${COMMANDS}; do
- ${ECHOCMD} "${CYAN}${I}${NORMAL}"
+ for ITEM in ${COMMANDS}; do
+ ${ECHOCMD} "${CYAN}${ITEM}${NORMAL}"
done
${ECHOCMD} ""
${ECHOCMD} "Use 'lynis show help ${CYAN}<command>${NORMAL}' to see details"
${ECHOCMD} ""; ${ECHOCMD} ""
${ECHOCMD} "${WHITE}Options${NORMAL}:\n${GRAY}${OPTIONS}${NORMAL}"
- else
+ else
shift
case $1 in
"audit") ${ECHOCMD} "${AUDIT_HELP}" ;;
@@ -274,7 +274,7 @@ if [ $# -gt 0 ]; then
esac
fi
;;
- "helpers") for I in ${HELPERS}; do ${ECHOCMD} ${I}; done ;;
+ "helpers") for ITEM in ${HELPERS}; do ${ECHOCMD} ${ITEM}; done ;;
"hostids" | "hostid")
${ECHOCMD} "hostid=${HOSTID}"
${ECHOCMD} "hostid2=${HOSTID2}"
@@ -295,7 +295,7 @@ if [ $# -gt 0 ]; then
${ECHOCMD} "OS_VERSION=${OS_VERSION}"
;;
"pidfile") ${ECHOCMD} "${PIDFILE}" ;;
- "profile" | "profiles") for I in ${PROFILES}; do ${ECHOCMD} ${I}; done ;;
+ "profile" | "profiles") for ITEM in ${PROFILES}; do ${ECHOCMD} ${ITEM}; done ;;
"profiledir") ${ECHOCMD} "${PROFILEDIR}" ;;
"plugindir") ${ECHOCMD} "${PLUGINDIR}" ;;
"release") ${ECHOCMD} "${PROGRAM_VERSION}-${PROGRAM_RELEASE_TYPE}" ;;
@@ -314,7 +314,7 @@ if [ $# -gt 0 ]; then
*)
${ECHOCMD} "${RED}Error${NORMAL}: Invalid argument provided to 'lynis show settings'\n\n"
${ECHOCMD} "Suggestions:"
- for I in ${SHOW_SETTINGS_ARGS}; do ${ECHOCMD} "lynis show settings ${I}"; done
+ for ITEM in ${SHOW_SETTINGS_ARGS}; do ${ECHOCMD} "lynis show settings ${ITEM}"; done
ExitFatal
;;
esac
@@ -431,10 +431,10 @@ if [ $# -gt 0 ]; then
"?") ${ECHOCMD} "${SHOW_ARGS}" ;;
*) ${ECHOCMD} "Unknown argument '${RED}$1${NORMAL}' for lynis show" ;;
esac
- else
+else
${ECHOCMD} "\n ${WHITE}Provide an additional argument${NORMAL}\n\n"
- for I in ${SHOW_ARGS}; do
- ${ECHOCMD} " lynis show ${BROWN}${I}${NORMAL}"
+ for ITEM in ${SHOW_ARGS}; do
+ ${ECHOCMD} " lynis show ${BROWN}${ITEM}${NORMAL}"
done
${ECHOCMD} "\n"
diff --git a/include/helper_update b/include/helper_update
index 4b8bced4..6418ea95 100644
--- a/include/helper_update
+++ b/include/helper_update
@@ -69,11 +69,11 @@ elif [ "$1" = "info" ]; then
echo -n " Status : "
if [ ${PROGRAM_LV} -eq 0 ]; then
echo "${RED}Unknown${NORMAL}";
- elif [ ${PROGRAM_LV} -gt ${PROGRAM_AC} ]; then
+ elif [ ${PROGRAM_LV} -gt ${PROGRAM_AC} ]; then
echo "${YELLOW}Outdated${NORMAL}";
echo " Installed version : ${PROGRAM_AC}"
echo " Latest version : ${PROGRAM_LV}"
- else
+ else
echo "${GREEN}Up-to-date${NORMAL}"
fi
echo " Release date : ${PROGRAM_RELEASE_DATE}"
diff --git a/include/osdetection b/include/osdetection
index 8c900a86..dc53f51f 100644
--- a/include/osdetection
+++ b/include/osdetection
@@ -46,6 +46,8 @@
OS_VERSION_NAME="unknown"
OS_FULLNAME="macOS (unknown version)"
case ${OS_VERSION} in
+ 10.7 | 10.7.[0-9]*) OS_FULLNAME="Mac OS X 10.7 (Lion)" ;;
+ 10.8 | 10.8.[0-9]*) OS_FULLNAME="Mac OS X 10.8 (Mountain Lion)" ;;
10.9 | 10.9.[0-9]*) OS_FULLNAME="Mac OS X 10.9 (Mavericks)" ;;
10.10 | 10.10.[0-9]*) OS_FULLNAME="Mac OS X 10.10 (Yosemite)" ;;
10.11 | 10.11.[0-9]*) OS_FULLNAME="Mac OS X 10.11 (El Capitan)" ;;
diff --git a/include/parameters b/include/parameters
index 1b095fab..238f1c8d 100644
--- a/include/parameters
+++ b/include/parameters
@@ -40,7 +40,7 @@
echo "${RED}Error: ${WHITE}Missing file name or URL${NORMAL}"
echo "Example: $0 audit dockerfile /root/Dockerfile"
ExitFatal
- else
+ else
shift; shift
HELPER_PARAMS="$1"
HELPER="audit_dockerfile"
@@ -55,7 +55,7 @@
echo "${RED}Error: ${WHITE}Missing remote location${NORMAL}"
echo "Example: $0 audit system remote 192.168.1.100"
ExitFatal
- else
+ else
REMOTE_TARGET="$3"
shift; shift; shift # shift out first three arguments
EXTRA_PARAMS=""
@@ -88,7 +88,7 @@
;;
esac
- else
+ else
echo "${RED}Error: ${WHITE}Need a target to audit${NORMAL}"
echo " "
echo "Examples:"
@@ -232,8 +232,8 @@
--tests
--upload
--version_(-V)"
- for I in ${OPTIONS}; do
- echo "${I}" | tr '_' ' '
+ for ITEM in ${OPTIONS}; do
+ echo "${ITEM}" | tr '_' ' '
done
ExitClean
;;
@@ -386,7 +386,7 @@
if [ -f lynis.8 ]; then
nroff -man lynis.8
exit 0
- else
+ else
echo "Error: man page file not found (lynis.8)"
echo "If you are running an installed version of Lynis, use 'man lynis'"
exit 1
diff --git a/include/profiles b/include/profiles
index 9a8e161a..dc509454 100644
--- a/include/profiles
+++ b/include/profiles
@@ -223,9 +223,9 @@
# Plugin directory
plugindir | plugin-dir)
- if [ "${PLUGINDIR}" = "" ]; then
+ if IsEmpty "${PLUGINDIR}"; then
PLUGINDIR="${VALUE}"
- else
+ else
LogText "Plugin directory was already set to ${PLUGINDIR} before (most likely as a program argument), not overwriting"
fi
AddSetting "plugin-dir" "${PLUGINDIR}" "Plugin directory"
diff --git a/include/report b/include/report
index 80bacfe5..b5f7522d 100644
--- a/include/report
+++ b/include/report
@@ -22,64 +22,55 @@
#
#################################################################################
#
-
- #
- #################################################################################
- #
# Hardening Index
# Define approximately how strong a machine has been hardened
- #
- #################################################################################
- #
- # If no hardening has been found, set value to 1
- if [ ${HPPOINTS} -eq 0 ]; then HPPOINTS=1; HPTOTAL=100; fi
- HPINDEX=$((HPPOINTS * 100 / HPTOTAL))
- HPAOBLOCKS=$((HPPOINTS * 20 / HPTOTAL))
- # Set color related to rating
- if [ ${HPINDEX} -lt 50 ]; then
- HPCOLOR="${RED}"
- HIDESCRIPTION="System has not or a low amount been hardened"
- fi
- if [ ${HPINDEX} -gt 49 -a ${HPINDEX} -lt 80 ]; then
- HPCOLOR="${YELLOW}"
- HIDESCRIPTION="System has been hardened, but could use additional hardening"
- fi
- if [ ${HPINDEX} -gt 79 -a ${HPINDEX} -lt 90 ]; then
- HPCOLOR="${GREEN}"
- HIDESCRIPTION="System seem to be decent hardened"
- fi
- if [ ${HPINDEX} -gt 89 ]; then
- HPCOLOR="${GREEN}"
- HIDESCRIPTION="System seem to be well hardened"
- fi
- case ${HPAOBLOCKS} in
- 0) HPBLOCKS="#"; HPEMPTY=" " ;;
- 1) HPBLOCKS="#"; HPEMPTY=" " ;;
- 2) HPBLOCKS="##"; HPEMPTY=" " ;;
- 3) HPBLOCKS="###"; HPEMPTY=" " ;;
- 4) HPBLOCKS="####"; HPEMPTY=" " ;;
- 5) HPBLOCKS="#####"; HPEMPTY=" " ;;
- 6) HPBLOCKS="######"; HPEMPTY=" " ;;
- 7) HPBLOCKS="#######"; HPEMPTY=" " ;;
- 8) HPBLOCKS="########"; HPEMPTY=" " ;;
- 9) HPBLOCKS="#########"; HPEMPTY=" " ;;
- 10) HPBLOCKS="##########"; HPEMPTY=" " ;;
- 11) HPBLOCKS="###########"; HPEMPTY=" " ;;
- 12) HPBLOCKS="############"; HPEMPTY=" " ;;
- 13) HPBLOCKS="#############"; HPEMPTY=" " ;;
- 14) HPBLOCKS="##############"; HPEMPTY=" " ;;
- 15) HPBLOCKS="###############"; HPEMPTY=" " ;;
- 16) HPBLOCKS="################"; HPEMPTY=" " ;;
- 17) HPBLOCKS="#################"; HPEMPTY=" " ;;
- 18) HPBLOCKS="##################"; HPEMPTY=" " ;;
- 19) HPBLOCKS="###################"; HPEMPTY=" " ;;
- 20) HPBLOCKS="####################"; HPEMPTY="" ;;
- esac
+ # If no hardening has been found, set value to 1
+ if [ ${HPPOINTS} -eq 0 ]; then HPPOINTS=1; HPTOTAL=100; fi
+ HPINDEX=$((HPPOINTS * 100 / HPTOTAL))
+ HPAOBLOCKS=$((HPPOINTS * 20 / HPTOTAL))
+ # Set color related to rating
+ if [ ${HPINDEX} -lt 50 ]; then
+ HPCOLOR="${RED}"
+ HIDESCRIPTION="System has not or a low amount been hardened"
+ elif [ ${HPINDEX} -gt 49 -a ${HPINDEX} -lt 80 ]; then
+ HPCOLOR="${YELLOW}"
+ HIDESCRIPTION="System has been hardened, but could use additional hardening"
+ elif [ ${HPINDEX} -gt 79 -a ${HPINDEX} -lt 90 ]; then
+ HPCOLOR="${GREEN}"
+ HIDESCRIPTION="System seem to be decent hardened"
+ elif [ ${HPINDEX} -gt 89 ]; then
+ HPCOLOR="${GREEN}"
+ HIDESCRIPTION="System seem to be well hardened"
+ fi
+
+ case ${HPAOBLOCKS} in
+ 0) HPBLOCKS="#"; HPEMPTY=" " ;;
+ 1) HPBLOCKS="#"; HPEMPTY=" " ;;
+ 2) HPBLOCKS="##"; HPEMPTY=" " ;;
+ 3) HPBLOCKS="###"; HPEMPTY=" " ;;
+ 4) HPBLOCKS="####"; HPEMPTY=" " ;;
+ 5) HPBLOCKS="#####"; HPEMPTY=" " ;;
+ 6) HPBLOCKS="######"; HPEMPTY=" " ;;
+ 7) HPBLOCKS="#######"; HPEMPTY=" " ;;
+ 8) HPBLOCKS="########"; HPEMPTY=" " ;;
+ 9) HPBLOCKS="#########"; HPEMPTY=" " ;;
+ 10) HPBLOCKS="##########"; HPEMPTY=" " ;;
+ 11) HPBLOCKS="###########"; HPEMPTY=" " ;;
+ 12) HPBLOCKS="############"; HPEMPTY=" " ;;
+ 13) HPBLOCKS="#############"; HPEMPTY=" " ;;
+ 14) HPBLOCKS="##############"; HPEMPTY=" " ;;
+ 15) HPBLOCKS="###############"; HPEMPTY=" " ;;
+ 16) HPBLOCKS="################"; HPEMPTY=" " ;;
+ 17) HPBLOCKS="#################"; HPEMPTY=" " ;;
+ 18) HPBLOCKS="##################"; HPEMPTY=" " ;;
+ 19) HPBLOCKS="###################"; HPEMPTY=" " ;;
+ 20) HPBLOCKS="####################"; HPEMPTY="" ;;
+ esac
- HPGRAPH="[${HPCOLOR}${HPBLOCKS}${NORMAL}${HPEMPTY}]"
- LogText "Hardening index : [${HPINDEX}] [${HPBLOCKS}${HPEMPTY}]"
- LogText "Hardening strength: ${HIDESCRIPTION}"
+ HPGRAPH="[${HPCOLOR}${HPBLOCKS}${NORMAL}${HPEMPTY}]"
+ LogText "Hardening index : [${HPINDEX}] [${HPBLOCKS}${HPEMPTY}]"
+ LogText "Hardening strength: ${HIDESCRIPTION}"
# Only show overview if not running in quiet mode
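Review bot: with the `if/elif` chain the lower bounds in `-gt 49 -a ${HPINDEX} -lt 80` and `-gt 79 -a ${HPINDEX} -lt 90` are now redundant, because each `elif` is only reached when the previous range did not match; `elif [ ${HPINDEX} -lt 80 ]`, `elif [ ${HPINDEX} -lt 90 ]`, `else` reads more clearly and cannot leave a gap if one threshold is later edited without the other. The 21-arm `case` mapping `HPAOBLOCKS` to a bar of `#` characters could likewise be a short loop, but that is a style point rather than a defect.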
@@ -111,7 +102,7 @@
SWARNINGS=$(${GREPBINARY} -i 'warning:' ${LOGFILE} | sed 's/ /!space!/g')
if [ -z "${SWARNINGS}" ]; then
echo " ${OK}Great, no warnings${NORMAL}"; echo ""
- else
+ else
echo " ${WARNING}Warnings${NORMAL} (${TOTAL_WARNINGS}):"
echo " ${WHITE}----------------------------${NORMAL}"
for WARNING in ${SWARNINGS}; do
@@ -132,7 +123,7 @@
if [ ${SHOW_REPORT_SOLUTION} -eq 1 -a ! "${SOLUTION}" = "-" ]; then echo " - Solution : ${SOLUTION}"; fi
if [ -z "${IS_CUSTOM}" ]; then
echo " ${CONTROL_URL_PROTOCOL}://${CONTROL_URL_PREPEND}${ADDLINK}${CONTROL_URL_APPEND}"
- else
+ else
echo " ${CUSTOM_URL_PROTOCOL}://${CUSTOM_URL_PREPEND}${ADDLINK}${CUSTOM_URL_APPEND}"
fi
echo ""
@@ -144,7 +135,7 @@
if [ "${SSUGGESTIONS}" = "" ]; then
echo " ${OK}No suggestions${NORMAL}"; echo ""
- else
+ else
echo " ${YELLOW}Suggestions${NORMAL} (${TOTAL_SUGGESTIONS}):"
echo " ${WHITE}----------------------------${NORMAL}"
for SUGGESTION in ${SSUGGESTIONS}; do
@@ -165,7 +156,7 @@
if [ ${SHOW_REPORT_SOLUTION} -eq 1 -a ! "${SOLUTION}" = "-" ]; then echo " - Solution : ${SOLUTION}"; fi
if [ -z "${IS_CUSTOM}" ]; then
echo " ${GRAY}${CONTROL_URL_PROTOCOL}://${CONTROL_URL_PREPEND}${ADDLINK}${CONTROL_URL_APPEND}${NORMAL}"
- else
+ else
echo " ${GRAY}${CUSTOM_URL_PROTOCOL}://${CUSTOM_URL_PREPEND}${ADDLINK}${CUSTOM_URL_APPEND}${NORMAL}"
fi
echo ""
@@ -203,7 +194,8 @@
echo " ${SECTION}Lynis Modules${NORMAL}:"
if [ ${COMPLIANCE_TESTS_PERFORMED} -eq 1 ]; then
if [ ${COMPLIANCE_FINDINGS_FOUND} -eq 0 ]; then COMPLIANCE="${GREEN}V"; else COMPLIANCE="${RED}X"; fi
- else COMPLIANCE="${YELLOW}?";
+ else
+ COMPLIANCE="${YELLOW}?"
fi
echo " - Compliance Status [${COMPLIANCE}${NORMAL}]"
echo " - Security Audit [${GREEN}V${NORMAL}]"
@@ -218,7 +210,7 @@
echo " ${NOTICE}Notice: ${WHITE}${PROGRAM_NAME} ${GEN_UPDATE_AVAILABLE}${NORMAL}"
echo " ${GEN_CURRENT_VERSION} : ${WHITE}${PROGRAM_AC}${NORMAL} ${GEN_LATEST_VERSION} : ${WHITE}${PROGRAM_LV}${NORMAL}"
echo "================================================================================"
- else
+ else
###########################################################################################
#
# Software quality program
@@ -252,9 +244,9 @@
# Split entries
FIND=$(echo ${FIND} | sed 's/====/ /g')
# Display found entries
- for I in ${FIND}; do
- J=$(echo ${I} | sed 's/:space:/ /g')
- echo " ${J}"
+ for ITEM in ${FIND}; do
+ OUTPUT=$(echo ${ITEM} | sed 's/:space:/ /g')
+ echo " ${OUTPUT}"
done
echo ""
echo "================================================================================"
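Review bot: `OUTPUT=$(echo ${ITEM} | sed 's/:space:/ /g')` calls bare `sed` while the grep in this same file goes through `${GREPBINARY}`; use `${SEDBINARY}` here and in the `FIND=$(echo ${FIND} | sed ...)` line just above so the resolved-binary convention is applied consistently within the hunk being touched.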
diff --git a/include/tests_banners b/include/tests_banners
index 24490572..1596bc43 100644
--- a/include/tests_banners
+++ b/include/tests_banners
@@ -26,7 +26,7 @@
#
#################################################################################
#
- BANNER_FILES="/etc/issue /etc/issue.net /etc/motd"
+ BANNER_FILES="${ROOTDIR}etc/issue ${ROOTDIR}etc/issue.net ${ROOTDIR}etc/motd"
LEGAL_BANNER_STRINGS="audit access authori connect enforce evidence intrusion law legal monitor owner policy policies private prohibited record restricted secure subject terms this unauthorized"
#
#################################################################################
@@ -35,109 +35,51 @@
# Description : Check FreeBSD COPYRIGHT banner file
Register --test-no BANN-7113 --os FreeBSD --weight L --network NO --category security --description "Check COPYRIGHT banner file"
if [ ${SKIPTEST} -eq 0 ]; then
- LogText "Test: Testing existence /COPYRIGHT or /etc/COPYRIGHT"
- if [ -f /COPYRIGHT ]; then
- Display --indent 2 --text "- /COPYRIGHT" --result "${STATUS_FOUND}" --color GREEN
- if [ -s /COPYRIGHT ]; then
- LogText "Result: /COPYRIGHT available and contains text"
- else
- LogText "Result: /COPYRIGHT available, but empty"
+ LogText "Test: Testing existence ${ROOTDIR}COPYRIGHT or ${ROOTDIR}etc/COPYRIGHT"
+ if [ -f ${ROOTDIR}COPYRIGHT ]; then
+ Display --indent 2 --text "- ${ROOTDIR}COPYRIGHT" --result "${STATUS_FOUND}" --color GREEN
+ if [ -s ${ROOTDIR}COPYRIGHT ]; then
+ LogText "Result: ${ROOTDIR}COPYRIGHT available and contains text"
+ else
+ LogText "Result: ${ROOTDIR}COPYRIGHT available, but empty"
fi
- else
- Display --indent 2 --text "- /COPYRIGHT" --result "${STATUS_NOT_FOUND}" --color WHITE
- LogText "Result: /COPYRIGHT not found"
+ else
+ Display --indent 2 --text "- ${ROOTDIR}COPYRIGHT" --result "${STATUS_NOT_FOUND}" --color WHITE
+ LogText "Result: ${ROOTDIR}COPYRIGHT not found"
fi
- if [ -f /etc/COPYRIGHT ]; then
- Display --indent 2 --text "- /etc/COPYRIGHT" --result "${STATUS_FOUND}" --color GREEN
- if [ -s /etc/COPYRIGHT ]; then
- LogText "Result: /etc/COPYRIGHT available and contains text"
- else
- LogText "Result: /etc/COPYRIGHT available, but empty"
+ if [ -f ${ROOTDIR}etc/COPYRIGHT ]; then
+ Display --indent 2 --text "- ${ROOTDIR}etc/COPYRIGHT" --result "${STATUS_FOUND}" --color GREEN
+ if [ -s ${ROOTDIR}etc/COPYRIGHT ]; then
+ LogText "Result: ${ROOTDIR}etc/COPYRIGHT available and contains text"
+ else
+ LogText "Result: ${ROOTDIR}etc/COPYRIGHT available, but empty"
fi
- else
- Display --indent 2 --text "- /etc/COPYRIGHT" --result "${STATUS_NOT_FOUND}" --color WHITE
- LogText "Result: /etc/COPYRIGHT not found"
+ else
+ Display --indent 2 --text "- ${ROOTDIR}etc/COPYRIGHT" --result "${STATUS_NOT_FOUND}" --color WHITE
+ LogText "Result: ${ROOTDIR}etc/COPYRIGHT not found"
fi
fi
#
#################################################################################
#
- # Test : BANN-7119
- # Description : Check MOTD banner file
- #Register --test-no BANN-7119 --weight L --network NO --category security --description "Check MOTD banner file"
- #if [ ${SKIPTEST} -eq 0 ]; then
- # LogText "Test: Testing existence /etc/motd"
- # if [ -f /etc/motd ]; then
- # LogText "Result: file /etc/motd exists"
- # Display --indent 2 --text "- /etc/motd" --result "${STATUS_FOUND}" --color GREEN
- # if [ ! -L /etc/motd ]; then
- # if IsWorldWritable /etc/motd; then
- # Display --indent 4 --text "- /etc/motd permissions" --result "${STATUS_WARNING}" --color RED
- # LogText "Result: /etc/motd is world writable. Users can change this file!"
- # ReportWarning ${TEST_NO} "/etc/motd is world writable"
- # else
- # Display --indent 4 --text "- /etc/motd permissions" --result "${STATUS_OK}" --color GREEN
- # LogText "Result: /etc/motd is not world writable."
- # fi
- # else
- # LogText "Result: file /etc/motd is symlink"
- # fi
- # else
- # LogText "Result: File /etc/motd not found"
- # Display --indent 2 --text "- /etc/motd" --result "${STATUS_NOT_FOUND}" --color WHITE
- # fi
- #fi
-#
-#################################################################################
-#
- # Test : BANN-7122
- # Description : Check motd file to see if it contains some form of message
- # to discourage unauthorized users to leave the system alone
- #if [ -f /etc/motd -a ! -L /etc/motd ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
- #Register --test-no BANN-7122 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check /etc/motd banner file contents"
- #if [ ${SKIPTEST} -eq 0 ]; then
- # N=0
- # LogText "Test: Checking file /etc/motd contents for legal key words"
- # for I in ${LEGAL_BANNER_STRINGS}; do
- # FIND=$(${GREPBINARY} -i "${I}" /etc/motd)
- # if [ ! "${FIND}" = "" ]; then
- # LogText "Result: found string '${I}'"
- # N=$((N + 1))
- # fi
- # done
- # # Check if we have 5 or more key words
- # if [ ${N} -gt 4 ]; then
- # LogText "Result: Found ${N} key words, to warn unauthorized users"
- # Display --indent 4 --text "- /etc/motd contents" --result "${STATUS_OK}" --color GREEN
- # AddHP 2 2
- # else
- # LogText "Result: Found only ${N} key words, to warn unauthorized users and could be increased"
- # Display --indent 4 --text "- /etc/motd contents" --result WEAK --color YELLOW
- # ReportSuggestion ${TEST_NO} "Add legal banner to /etc/motd, to warn unauthorized users"
- # AddHP 0 1
- # fi
- #fi
-#
-#################################################################################
-#
# Test : BANN-7124
# Description : Check issue banner file
Register --test-no BANN-7124 --weight L --network NO --category security --description "Check issue banner file"
if [ ${SKIPTEST} -eq 0 ]; then
- LogText "Test: Checking file /etc/issue"
- if [ -f /etc/issue ]; then
+ LogText "Test: Checking file ${ROOTDIR}etc/issue"
+ if [ -f ${ROOTDIR}etc/issue ]; then
# Check for symlink
- if [ -L /etc/issue ]; then
- LogText "Result: file /etc/issue exists (symlink)"
- Display --indent 2 --text "- /etc/issue" --result SYMLINK --color GREEN
- else
- Display --indent 2 --text "- /etc/issue" --result "${STATUS_FOUND}" --color GREEN
+ if [ -L ${ROOTDIR}etc/issue ]; then
+ LogText "Result: file ${ROOTDIR}etc/issue exists (symlink)"
+ Display --indent 2 --text "- ${ROOTDIR}etc/issue" --result SYMLINK --color GREEN
+ else
+ Display --indent 2 --text "- ${ROOTDIR}etc/issue" --result "${STATUS_FOUND}" --color GREEN
fi
- else
- LogText "Result: file /etc/issue does not exist"
- Display --indent 2 --text "- /etc/issue" --result "${STATUS_NOT_FOUND}" --color WHITE
- fi
+ else
+ LogText "Result: file ${ROOTDIR}etc/issue does not exist"
+ Display --indent 2 --text "- ${ROOTDIR}etc/issue" --result "${STATUS_NOT_FOUND}" --color WHITE
+ fi
fi
#
#################################################################################
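Review bot: deleting the commented-out BANN-7119 block removes the only check for a world-writable motd (the `IsWorldWritable /etc/motd` branch with its `ReportWarning`); since `${ROOTDIR}etc/motd` was just added to BANNER_FILES in the hunk above, consider reviving that permission check as a live test over BANNER_FILES instead of dropping it. If BANN-7119 and BANN-7122 are meant to be retired, record that wherever test IDs are tracked so the identifiers are not silently orphaned.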
@@ -145,26 +87,26 @@
# Test : BANN-7126
# Description : Check issue file to see if it contains some form of message
# to discourage unauthorized users to leave the system alone
- if [ -f /etc/issue ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ if [ -f ${ROOTDIR}etc/issue ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no BANN-7126 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check issue banner file contents"
if [ ${SKIPTEST} -eq 0 ]; then
- N=0
+ COUNT=0
FILE="${ROOTDIR}etc/issue"
LogText "Test: Checking file ${FILE} contents for legal key words"
- for I in ${LEGAL_BANNER_STRINGS}; do
- FIND=$(${GREPBINARY} -i "${I}" ${FILE})
- if [ ! -z "${FIND}" ]; then
- LogText "Result: found string '${I}'"
- N=$((N + 1))
+ for ITEM in ${LEGAL_BANNER_STRINGS}; do
+ FIND=$(${GREPBINARY} -i "${ITEM}" ${FILE})
+ if HasData "${FIND}"; then
+ LogText "Result: found string '${ITEM}'"
+ COUNT=$((COUNT + 1))
fi
done
# Check if we have 5 or more key words
- if [ ${N} -gt 4 ]; then
- LogText "Result: Found ${N} key words (5 or more suggested), to warn unauthorized users"
+ if [ ${COUNT} -gt 4 ]; then
+ LogText "Result: Found ${COUNT} key words (5 or more suggested), to warn unauthorized users"
Display --indent 4 --text "- ${FILE} contents" --result "${STATUS_OK}" --color GREEN
AddHP 2 2
- else
- LogText "Result: Found only ${N} key words (5 or more suggested), to warn unauthorized users and could be increased"
+ else
+ LogText "Result: Found only ${COUNT} key words (5 or more suggested), to warn unauthorized users and could be increased"
Display --indent 4 --text "- ${FILE} contents" --result WEAK --color YELLOW
ReportSuggestion ${TEST_NO} "Add a legal banner to ${FILE}, to warn unauthorized users"
AddHP 0 1
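Review bot: `${GREPBINARY} -i "${ITEM}" ${FILE}` is an unanchored substring match, so short generic entries in LEGAL_BANNER_STRINGS such as `this`, `law` and `terms` count hits from ordinary text (a stock issue file that mentions the distribution can satisfy `this` on its own); adding `-w` would make the keyword count reflect actual legal wording. Quote `${FILE}` in the grep call while here.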
@@ -178,19 +120,19 @@
# Description : Check issue.net banner file
Register --test-no BANN-7128 --weight L --network NO --category security --description "Check issue.net banner file"
if [ ${SKIPTEST} -eq 0 ]; then
- LogText "Test: Checking file /etc/issue.net"
- if [ -f /etc/issue.net ]; then
+ LogText "Test: Checking file ${ROOTDIR}etc/issue.net"
+ if [ -f ${ROOTDIR}etc/issue.net ]; then
# Check for symlink
- if [ -L /etc/issue.net ]; then
- LogText "Result: file /etc/issue.net exists (symlink)"
- Display --indent 2 --text "- /etc/issue.net" --result SYMLINK --color GREEN
- else
- LogText "Result: file /etc/issue.net exists"
- Display --indent 2 --text "- /etc/issue.net" --result "${STATUS_FOUND}" --color GREEN
+ if [ -L ${ROOTDIR}etc/issue.net ]; then
+ LogText "Result: file ${ROOTDIR}etc/issue.net exists (symlink)"
+ Display --indent 2 --text "- ${ROOTDIR}etc/issue.net" --result SYMLINK --color GREEN
+ else
+ LogText "Result: file ${ROOTDIR}etc/issue.net exists"
+ Display --indent 2 --text "- ${ROOTDIR}etc/issue.net" --result "${STATUS_FOUND}" --color GREEN
fi
- else
- LogText "Result: file /etc/issue.net does not exist"
- Display --indent 2 --text "- /etc/issue.net" --result "${STATUS_NOT_FOUND}" --color WHITE
+ else
+ LogText "Result: file ${ROOTDIR}etc/issue.net does not exist"
+ Display --indent 2 --text "- ${ROOTDIR}etc/issue.net" --result "${STATUS_NOT_FOUND}" --color WHITE
fi
fi
#
@@ -199,26 +141,26 @@
# Test : BANN-7130
# Description : Check issue.net file to see if it contains some form of message
# to discourage unauthorized users to leave the system alone
- if [ -f /etc/issue.net ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ if [ -f ${ROOTDIR}etc/issue.net ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no BANN-7130 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check issue.net banner file contents"
if [ ${SKIPTEST} -eq 0 ]; then
- N=0
- LogText "Test: Checking file /etc/issue.net contents for legal key words"
- for I in ${LEGAL_BANNER_STRINGS}; do
- FIND=$(${GREPBINARY} -i "${I}" /etc/issue.net)
- if [ ! "${FIND}" = "" ]; then
- LogText "Result: found string '${I}'"
- N=$((N + 1))
+ COUNT=0
+ LogText "Test: Checking file ${ROOTDIR}etc/issue.net contents for legal key words"
+ for ITEM in ${LEGAL_BANNER_STRINGS}; do
+ FIND=$(${GREPBINARY} -i "${ITEM}" ${ROOTDIR}etc/issue.net)
+ if HasData "${FIND}"; then
+ LogText "Result: found string '${ITEM}'"
+ COUNT=$((COUNT + 1))
fi
done
# Check if we have 5 or more key words
- if [ ${N} -gt 4 ]; then
- LogText "Result: Found ${N} key words, to warn unauthorized users"
- Display --indent 4 --text "- /etc/issue.net contents" --result "${STATUS_OK}" --color GREEN
+ if [ ${COUNT} -gt 4 ]; then
+ LogText "Result: Found ${COUNT} key words, to warn unauthorized users"
+ Display --indent 4 --text "- ${ROOTDIR}etc/issue.net contents" --result "${STATUS_OK}" --color GREEN
AddHP 2 2
- else
- LogText "Result: Found only ${N} key words, to warn unauthorized users and could be increased"
- Display --indent 4 --text "- /etc/issue.net contents" --result WEAK --color YELLOW
+ else
+ LogText "Result: Found only ${COUNT} key words, to warn unauthorized users and could be increased"
+ Display --indent 4 --text "- ${ROOTDIR}etc/issue.net contents" --result WEAK --color YELLOW
ReportSuggestion ${TEST_NO} "Add legal banner to /etc/issue.net, to warn unauthorized users"
AddHP 0 1
fi
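Review bot: the suggestion text at the end of BANN-7130 still hardcodes the path ("Add legal banner to /etc/issue.net") while every other path in this hunk moved to `${ROOTDIR}etc/issue.net`; mirror BANN-7126 above by setting `FILE="${ROOTDIR}etc/issue.net"` once and using it in the grep, Display and ReportSuggestion lines, which also removes the last differences between the two near-identical tests.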
diff --git a/include/tests_boot_services b/include/tests_boot_services
index 41c00867..35b2e460 100644
--- a/include/tests_boot_services
+++ b/include/tests_boot_services
@@ -414,12 +414,12 @@
Register --test-no BOOT-5142 --weight L --network NO --category security --description "Check SPARC Improved boot loader (SILO)"
if [ ${SKIPTEST} -eq 0 ]; then
BOOT_LOADER_SEARCHED=1
- if [ -f /etc/silo.conf ]; then
+ if [ -f ${ROOTDIR}etc/silo.conf ]; then
LogText "Result: Found SILO configuration file (/etc/silo.conf)"
Display --indent 2 --text "- Checking boot loader SILO" --result "${STATUS_FOUND}" --color GREEN
BOOT_LOADER="SILO"
BOOT_LOADER_FOUND=1
- else
+ else
LogText "Result: no SILO configuration file found."
fi
fi
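Review bot: the file test changed to `${ROOTDIR}etc/silo.conf` but the log line directly below it still reports "(/etc/silo.conf)"; update it to `(${ROOTDIR}etc/silo.conf)` so the log names the path actually checked.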
@@ -497,24 +497,24 @@
# Description : Check for FreeBSD boot services
Register --test-no BOOT-5165 --os FreeBSD --weight L --network NO --category security --description "Check for FreeBSD boot services"
if [ ${SKIPTEST} -eq 0 ]; then
- if [ ! -z "${SERVICEBINARY}" ]; then
+ if HasData "${SERVICEBINARY}"; then
# FreeBSD (Ask services(8) for enabled services)
LogText "Searching for services at startup (service)"
FIND=$(${SERVICEBINARY} -e | ${SEDBINARY} 's|^.*\/||' | ${SORTBINARY})
else
# FreeBSD (Read /etc/rc.conf file for enabled services)
LogText "Searching for services at startup (rc.conf)"
- FIND=$(${EGREPBINARY} -v -i '^#|none' /etc/rc.conf | ${EGREPBINARY} -i '_enable.*(yes|on|1)' | ${SORTBINARY} | ${AWKBINARY} -F= '{ print $1 }' | ${SEDBINARY} 's/_enable//')
+ FIND=$(${EGREPBINARY} -v -i '^#|none' ${ROOTDIR}etc/rc.conf | ${EGREPBINARY} -i '_enable.*(yes|on|1)' | ${SORTBINARY} | ${AWKBINARY} -F= '{ print $1 }' | ${SEDBINARY} 's/_enable//')
fi
- N=0
- for I in ${FIND}; do
- LogText "Found service (service/rc.conf): ${I}"
- Report "boottask[]=${I}"
- N=$((N + 1))
+ COUNT=0
+ for ITEM in ${FIND}; do
+ LogText "Found service (service/rc.conf): ${ITEM}"
+ Report "boottask[]=${ITEM}"
+ COUNT=$((COUNT + 1))
done
Display --indent 2 --text "- Checking services at startup (service/rc.conf)" --result "${STATUS_DONE}" --color GREEN
- Display --indent 6 --text "Result: found $N services/options set"
- LogText "Found $N services/options to run at startup"
+ Display --indent 6 --text "Result: found ${COUNT} services/options set"
+ LogText "Found ${COUNT} services/options to run at startup"
fi
#
#################################################################################
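Review bot: the two branches now inspect different systems when ROOTDIR is not the live root: the `${SERVICEBINARY} -e` branch asks the running host for enabled services, while the fallback reads `${ROOTDIR}etc/rc.conf` from the alternate root. Either take the service(8) path only when ROOTDIR is the live root, or document that ROOTDIR affects only the rc.conf fallback, so an audit of a mounted image does not silently report the host's services.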
@@ -527,56 +527,56 @@
CHECKED=0
LogText "Test: checking presence systemctl binary"
# Determine if we have systemctl on board
- if [ ! -z "${SYSTEMCTLBINARY}" ]; then
+ if HasData "${SYSTEMCTLBINARY}"; then
LogText "Result: systemctl binary found, trying that to discover information"
# Running services
LogText "Searching for running services (systemctl services only)"
FIND=$(${SYSTEMCTLBINARY} --full --type=service | ${AWKBINARY} '{ if ($4=="running") { print $1 } }' | ${AWKBINARY} -F. '{ print $1 }')
- N=0
+ COUNT=0
Report "running_service_tool=systemctl"
- for I in ${FIND}; do
- LogText "Found running service: ${I}"
- Report "running_service[]=${I}"
- N=$((N + 1))
+ for ITEM in ${FIND}; do
+ LogText "Found running service: ${ITEM}"
+ Report "running_service[]=${ITEM}"
+ COUNT=$((COUNT + 1))
done
LogText "Note: Run systemctl --full --type=service to see all services"
Display --indent 2 --text "- Check running services (systemctl)" --result "${STATUS_DONE}" --color GREEN
- Display --indent 8 --text "Result: found $N running services"
- LogText "Result: Found $N enabled services"
+ Display --indent 8 --text "Result: found ${COUNT} running services"
+ LogText "Result: Found ${COUNT} enabled services"
# Services at boot
LogText "Searching for enabled services (systemctl services only)"
FIND=$(${SYSTEMCTLBINARY} list-unit-files --type=service | ${SORTBINARY} -u | ${AWKBINARY} '{ if ($2=="enabled") { print $1 } }' | ${AWKBINARY} -F. '{ print $1 }')
- N=0
+ COUNT=0
Report "boot_service_tool=systemctl"
- for I in ${FIND}; do
- LogText "Found enabled service at boot: ${I}"
- Report "boot_service[]=${I}"
- N=$((N + 1))
+ for ITEM in ${FIND}; do
+ LogText "Found enabled service at boot: ${ITEM}"
+ Report "boot_service[]=${ITEM}"
+ COUNT=$((COUNT + 1))
done
LogText "Note: Run systemctl list-unit-files --type=service to see all services"
Display --indent 2 --text "- Check enabled services at boot (systemctl)" --result "${STATUS_DONE}" --color GREEN
- Display --indent 8 --text "Result: found $N enabled services"
- LogText "Result: Found $N running services"
+ Display --indent 8 --text "Result: found ${COUNT} enabled services"
+ LogText "Result: Found ${COUNT} running services"
- else
+ else
LogText "Result: systemctl binary not found, checking chkconfig binary"
if [ ! -z "${CHKCONFIGBINARY}" ]; then
LogText "Result: chkconfig binary found, trying that to discover information"
LogText "Searching for services at startup (chkconfig, runlevel 3 and 5)"
FIND=$(${CHKCONFIGBINARY} --list | ${EGREPBINARY} '3:on|5:on' | ${AWKBINARY} '{ print $1 }')
- N=0
+ COUNT=0
Report "boot_service_tool=chkconfig"
- for I in ${FIND}; do
- LogText "Found service (at boot, runlevel 3 or 5): ${I}"
- Report "boot_service[]=${I}"
- N=$((N + 1))
+ for ITEM in ${FIND}; do
+ LogText "Found service (at boot, runlevel 3 or 5): ${ITEM}"
+ Report "boot_service[]=${ITEM}"
+ COUNT=$((COUNT + 1))
done
LogText "Hint: Run chkconfig --list to see all services and disable unneeded services"
Display --indent 2 --text "- Check services at startup (chkconfig)" --result "${STATUS_DONE}" --color GREEN
- Display --indent 8 --text "Result: found $N services"
- LogText "Result: Found $N services at startup"
+ Display --indent 8 --text "Result: found ${COUNT} services"
+ LogText "Result: Found ${COUNT} services at startup"
else
LogText "Result: both systemctl and chkconfig not found. Skipping this test"
fi
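Review bot: the log messages after the two systemctl loops are crossed: after counting running services the line reads `LogText "Result: Found ${COUNT} enabled services"`, and after counting enabled services it reads `LogText "Result: Found ${COUNT} running services"`; swap the two so each log line matches the Display line directly above it. Separately, `if [ ! -z "${CHKCONFIGBINARY}" ]` in the else branch was left unconverted while the SYSTEMCTLBINARY check moved to HasData.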
@@ -598,14 +598,14 @@
LogText "Result: performing find in /etc/rc2.d as runlevel 2 is found"
FIND=$(${FINDBINARY} ${ROOTDIR}etc/rc2.d -type l -print | ${CUTBINARY} -d '/' -f4 | ${SEDBINARY} "s/S[0-9][0-9]//g" | sort)
if [ ! -z "${FIND}" ]; then
- N=0
+ COUNT=0
for SERVICE in ${FIND}; do
LogText "Found service (at boot, runlevel 2): ${SERVICE}"
- N=$((N + 1))
+ COUNT=$((COUNT + 1))
done
Display --indent 2 --text "- Check services at startup (rc2.d)" --result "${STATUS_DONE}" --color WHITE
- Display --indent 4 --text "Result: found $N services"
- LogText "Result: found $N services"
+ Display --indent 4 --text "Result: found ${COUNT} services"
+ LogText "Result: found ${COUNT} services"
fi
elif [ -z "${sRUNLEVEL}" ]; then
ReportSuggestion ${TEST_NO} "Determine runlevel and services at startup"
@@ -623,35 +623,35 @@
FOUND=0
CHECKDIRS="${ROOTDIR}etc/init.d ${ROOTDIR}etc/rc.d ${ROOTDIR}etc/rcS.d"
- LogText "Result: checking /etc/init.d scripts for writable bit"
- for I in ${CHECKDIRS}; do
- LogText "Test: checking if directory ${I} exists"
- if [ -d ${I} ]; then
- LogText "Result: directory ${I} found"
+ LogText "Result: checking ${ROOTDIR}etc/init.d scripts for writable bit"
+ for DIR in ${CHECKDIRS}; do
+ LogText "Test: checking if directory ${DIR} exists"
+ if [ -d ${DIR} ]; then
+ LogText "Result: directory ${DIR} found"
LogText "Test: checking for available files in directory"
- FIND=$(${FINDBINARY} ${I} -type f -print)
+ FIND=$(${FINDBINARY} ${DIR} -type f -print)
if [ ! -z "${FIND}" ]; then
LogText "Result: found files in directory, checking permissions now"
- for J in ${FIND}; do
- LogText "Test: checking permissions of file ${J}"
- if IsWorldWritable ${J}; then
+ for FILE in ${FIND}; do
+ LogText "Test: checking permissions of file ${FILE}"
+ if IsWorldWritable ${FILE}; then
FOUND=1
- LogText "Result: warning, file ${J} is world writable"
+ LogText "Result: warning, file ${FILE} is world writable"
else
- LogText "Result: good, file ${J} not world writable"
+ LogText "Result: good, file ${FILE} not world writable"
fi
done
else
LogText "Result: found no files in directory."
fi
else
- LogText "Result: directory ${I} not found. Skipping.."
+ LogText "Result: directory ${DIR} not found. Skipping.."
fi
done
# /etc/rc[0-6].d
for NO in 0 1 2 3 4 5 6; do
- LogText "Test: Checking /etc/rc${NO}.d scripts for writable bit"
+ LogText "Test: Checking ${ROOTDIR}etc/rc${NO}.d scripts for writable bit"
if [ -d ${ROOTDIR}etc/rc${NO}.d ]; then
FIND=$(${FINDBINARY} ${ROOTDIR}etc/rc${NO}.d -type f -print)
for I in ${FIND}; do
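Review bot: the `I`-to-`FILE` rename is incomplete: the `/etc/rc[0-6].d` loop at the end of the hunk still reads `for I in ${FIND}; do`, so the second half of this test keeps the single-letter variable the rest of the commit is removing. The `[ ! -z "${FIND}" ]` test in the first loop could also use HasData like the other converted sites.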
diff --git a/include/tests_containers b/include/tests_containers
index 78e58a58..739f9878 100644
--- a/include/tests_containers
+++ b/include/tests_containers
@@ -41,16 +41,16 @@
LogText "Test: query zoneadm to list all running zones"
FIND=$(${ROOTDIR}usr/sbin/zoneadm list -p | ${AWKBINARY} -F: '{ if ($2!="global") print $0 }')
if [ ! -z "${FIND}" ]; then
- N=0
- for I in ${FIND}; do
- N=$((N + 1))
- ZONEID=$(echo ${I} | ${CUTBINARY} -d ':' -f1)
- ZONENAME=$(echo ${I} | ${CUTBINARY} -d ':' -f2)
+ COUNT=0
+ for ITEM in ${FIND}; do
+ COUNT=$((COUNT + 1))
+ ZONEID=$(echo ${ITEM} | ${CUTBINARY} -d ':' -f1)
+ ZONENAME=$(echo ${ITEM} | ${CUTBINARY} -d ':' -f2)
LogText "Result: found zone ${ZONENAME} (running)"
Report "solaris_running_zone[]=${ZONENAME} [id:${ZONEID}]"
done
- LogText "Result: total of ${N} running zones"
- Display --indent 2 --text "- Checking Solaris Zones" --result "FOUND ${N} zones" --color GREEN
+ LogText "Result: total of ${COUNT} running zones"
+ Display --indent 2 --text "- Checking Solaris Zones" --result "FOUND ${COUNT} zones" --color GREEN
else
LogText "Result: no running zones found"
Display --indent 2 --text "- Checking Solaris Zones" --result "${STATUS_NONE}" --color WHITE
@@ -59,7 +59,9 @@
#
#################################################################################
#
- # Test : CONT-1906
+ # Do you have Xen running? Help us testing this test and submit a pull request on GitHub
+
+ # Test : CONT-1906 TODO
# Description : Query running Xen zones
#if [ -x /usr/bin/xm ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
#Register --test-no CONT-1906 --weight L --network NO --category security --description "Query Xen guests"
@@ -95,7 +97,7 @@
# Test : CONT-8104
# Description : Checking Docker info for any warnings
# Notes : Hardening points are awarded, as usually warnings are the result of missing controls to restrict boundaries like memory
- if [ ! -z "${DOCKERBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ if HasData "${DOCKERBINARY}"; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no CONT-8104 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking Docker info for any warnings"
if [ ${SKIPTEST} -eq 0 ]; then
COUNT=0
diff --git a/include/tests_databases b/include/tests_databases
index ed2b60d7..42f14665 100644
--- a/include/tests_databases
+++ b/include/tests_databases
@@ -86,7 +86,7 @@
if IsVerbose; then Display --indent 4 --text "- Checking MySQL root password" --result "${STATUS_OK}" --color GREEN; fi
AddHP 2 2
fi
- else
+ else
LogText "Test skipped, MySQL daemon not running or no MySQL client available"
fi
#
@@ -118,14 +118,14 @@
LogText "Result: found MongoDB configuration file (${FILE})"
LogText "Test: determine authorization setting in new style YAML format"
AUTH_IN_CONFIG=$(${GREPBINARY} "authorization: enabled" ${FILE} | ${GREPBINARY} -E -v "(^#|#auth)")
- if [ ! -z "${AUTH_IN_CONFIG}" ]; then
+ if HasData "${AUTH_IN_CONFIG}"; then
LogText "Result: GOOD, found authorization option enabled in configuration file (YAML format)"
MONGODB_AUTHORIZATION_ENABLED=1
else
LogText "Result: did NOT find authorization option enabled in configuration file (with YAML format)"
LogText "Test: now searching for old style configuration (auth = true) in configuration file"
AUTH_IN_CONFIG=$(${GREPBINARY} "auth = true" ${FILE} | ${GREPBINARY} -v "noauth" | ${GREPBINARY} -E -v "(^#|#auth)")
- if [ -z "${AUTH_IN_CONFIG}" ]; then
+ if IsEmpty "${AUTH_IN_CONFIG}"; then
LogText "Result: did NOT find auth = true in configuration file"
else
LogText "Result: GOOD, found authorization option enabled in configuration file (old format)"
@@ -139,7 +139,7 @@
# Now check authorization on the command line
if [ ${MONGODB_AUTHORIZATION_ENABLED} -eq 0 ]; then
- if [ ! -z "${PGREPBINARY}" ]; then
+ if HasData "${PGREPBINARY}"; then
AUTH_ON_CMDLINE=$(for I in $(${PGREPBINARY} mongo); do cat /proc/${I}/cmdline | xargs -0 echo | ${GREPBINARY} -E "\-\-auth( |$)"; done)
if [ ! -z "${AUTH_ON_CMDLINE}" ]; then LogText "Result: found authorization enabled via mongod parameter"; MONGODB_AUTHORIZATION_ENABLED=1; fi
else
diff --git a/include/tests_filesystems b/include/tests_filesystems
index fa178a12..ecf556d2 100644
--- a/include/tests_filesystems
+++ b/include/tests_filesystems
@@ -279,7 +279,7 @@
done
if [ ${FOUND} -eq 1 ]; then
Display --indent 2 --text "- Query swap partitions (fstab)" --result "${STATUS_OK}" --color GREEN
- else
+ else
Display --indent 2 --text "- Query swap partitions (fstab)" --result "${STATUS_NONE}" --color YELLOW
LogText "Result: no swap partitions found in /etc/fstab"
fi
@@ -350,29 +350,29 @@
#
# Test : FILE-6354
# Description : Search files within /tmp which are older than 3 months
- if [ -d /tmp ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ if [ -d ${ROOTDIR}tmp ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no FILE-6354 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Searching for old files in /tmp"
if [ ${SKIPTEST} -eq 0 ]; then
- LogText "Test: Searching for old files in /tmp"
- # Search for files only in /tmp, with an access time older than X days
- FIND=$(${FINDBINARY} ${ROOTDIR}tmp -xdev -type f -atime +${TMP_OLD_DAYS} | ${SEDBINARY} 's/ /!space!/g')
- if [ -z "${FIND}" ]; then
- Display --indent 2 --text "- Checking for old files in /tmp" --result "${STATUS_OK}" --color GREEN
- LogText "Result: no files found in /tmp which are older than 3 months"
+ LogText "Test: Searching for old files in ${ROOTDIR}tmp"
+ # Search for files only in ${ROOTDIR}tmp, with an access time older than X days
+ FIND=$(${FINDBINARY} ${ROOTDIR}tmp -xdev -type f -atime +${TMP_OLD_DAYS} 2> /dev/null | ${SEDBINARY} 's/ /!space!/g')
+ if IsEmpty "${FIND}"; then
+ Display --indent 2 --text "- Checking for old files in ${ROOTDIR}tmp" --result "${STATUS_OK}" --color GREEN
+ LogText "Result: no files found in ${ROOTDIR}tmp which are older than 3 months"
else
- Display --indent 2 --text "- Checking for old files in /tmp" --result "${STATUS_FOUND}" --color RED
- N=0
- for I in ${FIND}; do
- FILE=$(echo ${I} | ${SEDBINARY} 's/!space!/ /g')
+ Display --indent 2 --text "- Checking for old files in ${ROOTDIR}tmp" --result "${STATUS_FOUND}" --color RED
+ COUNT=0
+ for ITEM in ${FIND}; do
+ FILE=$(echo ${ITEM} | ${SEDBINARY} 's/!space!/ /g')
LogText "Old temporary file: ${FILE}"
- N=$((N + 1))
+ COUNT=$((COUNT + 1))
done
- LogText "Result: found old files in /tmp, which were not modified in the last ${TMP_OLD_DAYS} days"
- LogText "Advice: check and clean up unused files in /tmp. Old files can fill up a disk or contain"
+ LogText "Result: found old files in ${ROOTDIR}tmp, which were not modified in the last ${TMP_OLD_DAYS} days"
+ LogText "Advice: check and clean up unused files in ${ROOTDIR}tmp. Old files can fill up a disk or contain"
LogText "private information and should be deleted it not being used actively. Use a tool like lsof to"
LogText "see which programs possibly are using a particular file. Some systems can cleanup temporary"
LogText "directories by setting a boot option."
- ReportSuggestion ${TEST_NO} "Check ${N} files in /tmp which are older than ${TMP_OLD_DAYS} days"
+ ReportSuggestion ${TEST_NO} "Check ${COUNT} files in ${ROOTDIR}tmp which are older than ${TMP_OLD_DAYS} days"
fi
fi
#
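Review bot: the find selects on `-atime +${TMP_OLD_DAYS}` (last access) while the new log line says the files "were not modified in the last ${TMP_OLD_DAYS} days", and the OK-path log still says "older than 3 months" regardless of TMP_OLD_DAYS; choose one criterion (`-mtime` if modification time is intended, otherwise reword to "not accessed") and phrase both messages in terms of TMP_OLD_DAYS. Note also that the added `2> /dev/null` hides permission errors from find, so a partially unreadable `${ROOTDIR}tmp` now reports OK; a log line when find exits non-zero would keep that visible.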
@@ -380,18 +380,18 @@
#
# Test : FILE-6362
# Description : Check for sticky bit on /tmp
- if [ -d /tmp -a ! -L /tmp ]; then PREQS_MET="YES"; SKIPREASON=""; else PREQS_MET="NO"; SKIPREASON="No /tmp or /tmp is symlinked"; fi
+ if [ -d ${ROOTDIR}tmp -a ! -L ${ROOTDIR}tmp ]; then PREQS_MET="YES"; SKIPREASON=""; else PREQS_MET="NO"; SKIPREASON="No /tmp or /tmp is symlinked"; fi
Register --test-no FILE-6362 --preqs-met ${PREQS_MET} --skip-reason "${SKIPREASON}" --weight L --network NO --category security --description "Checking /tmp sticky bit"
if [ ${SKIPTEST} -eq 0 ]; then
# Depending on OS, number of field with 'tmp' differs
- FIND=$(${LSBINARY} -ld /tmp | ${AWKBINARY} '$1 ~ /[tT]/ { print 1 }')
+ FIND=$(${LSBINARY} -ld ${ROOTDIR}tmp | ${AWKBINARY} '$1 ~ /[tT]/ { print 1 }')
if [ "${FIND}" = "1" ]; then
- Display --indent 2 --text "- Checking /tmp sticky bit" --result "${STATUS_OK}" --color GREEN
- LogText "Result: sticky bit found on /tmp directory"
+ Display --indent 2 --text "- Checking ${ROOTDIR}tmp sticky bit" --result "${STATUS_OK}" --color GREEN
+ LogText "Result: sticky bit found on ${ROOTDIR}tmp directory"
AddHP 3 3
else
- Display --indent 2 --text "- Checking /tmp sticky bit" --result "${STATUS_WARNING}" --color RED
- ReportSuggestion ${TEST_NO} "Set the sticky bit on /tmp, to prevent users deleting (by other owned) files in the /tmp directory." "/tmp" "text:Set sticky bit"
+ Display --indent 2 --text "- Checking ${ROOTDIR}tmp sticky bit" --result "${STATUS_WARNING}" --color RED
+ ReportSuggestion ${TEST_NO} "Set the sticky bit on ${ROOTDIR}tmp, to prevent users deleting (by other owned) files in the /tmp directory." "/tmp" "text:Set sticky bit"
AddHP 0 3
fi
unset FIND
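Review bot: the ReportSuggestion string mixes both forms in one sentence ("Set the sticky bit on ${ROOTDIR}tmp, ... files in the /tmp directory." followed by the literal `"/tmp"` details argument), and SKIPREASON above still says "No /tmp or /tmp is symlinked"; use `${ROOTDIR}tmp` throughout, or keep the user-facing text consistently at `/tmp`, rather than half-converting the messages.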
@@ -440,10 +440,10 @@
if [ ! -z "${FIND2}" ]; then
LogText "Result: found ACL option in default mount options"
FOUND=1
- else
+ else
LogText "Result: no ACL option found in default mount options list"
fi
- else
+ else
LogText "Result: No file system found with root file system"
fi
fi
@@ -566,7 +566,7 @@
AddHP 4 5
fi
fi
- else
+ else
LogText "Result: file system ${FILESYSTEM} not found in /etc/fstab"
fi
done
@@ -579,8 +579,8 @@
# Description : Bind mount the /var/tmp directory to /tmp
Register --test-no FILE-6376 --os Linux --weight L --network NO --category security --description "Determine if /var/tmp is bound to /tmp"
if [ ${SKIPTEST} -eq 0 ]; then
- if [ -f /etc/fstab ]; then
- FIND=$(${AWKBINARY} '{ if ($2=="/var/tmp") { print $4 } }' /etc/fstab)
+ if [ -f ${ROOTDIR}etc/fstab ]; then
+ FIND=$(${AWKBINARY} '{ if ($2=="/var/tmp") { print $4 } }' ${ROOTDIR}etc/fstab)
BIND=$(echo ${FIND} | ${AWKBINARY} '{ if ($1 ~ "bind") { print "YES" } else { print "NO" } }')
if [ ! -z "${FIND}" ]; then
LogText "Result: mount system /var/tmp is configured with options: ${FIND}"
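Review bot: the awk filter `$2=="/var/tmp"` on `${ROOTDIR}etc/fstab` also matches a commented-out entry such as `# /var/tmp /tmp none bind 0 0`, because `#` becomes `$1` and `/var/tmp` stays in `$2`; adding `$1 !~ /^#/ &&` to the condition keeps a disabled entry from being reported as an active bind mount.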
@@ -600,7 +600,7 @@
#
#################################################################################
#
- # Test : FILE-6378
+ # Test : FILE-6378 TODO
# Description : Check for nodirtime option
# Want to contribute to Lynis? Create this test
@@ -608,7 +608,7 @@
#
#################################################################################
#
- # Test : FILE-6380
+ # Test : FILE-6380 TODO
# Description : Check for relatime
# Want to contribute to Lynis? Create this test
@@ -616,7 +616,7 @@
#
#################################################################################
#
- # Test : FILE-6390
+ # Test : FILE-6390 TODO
# Description : Check writeback/journalling mode (ext3)
# More info : data=writeback | data=ordered | data=journal
@@ -625,7 +625,7 @@
#
#################################################################################
#
- # Test : FILE-6394
+ # Test : FILE-6394 TODO
# Description : Check vm.swappiness (Linux)
# Want to contribute to Lynis? Create this test
@@ -633,7 +633,7 @@
#
#################################################################################
#
- # Test : FILE-6398
+ # Test : FILE-6398 TODO
# Description : Check if JBD (Journal Block Device) driver is loaded
# Want to contribute to Lynis? Create this test
@@ -651,20 +651,20 @@
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking locate database"
FOUND=0
- LOCATE_DBS="/var/lib/mlocate/mlocate.db /var/lib/locate/locatedb /var/lib/locatedb /var/lib/slocate/slocate.db /var/cache/locate/locatedb /var/db/locate.database"
- for I in ${LOCATE_DBS}; do
- if [ -f ${I} ]; then
- LogText "Result: locate database found (${I})"
+ LOCATE_DBS="${ROOTDIR}var/lib/mlocate/mlocate.db ${ROOTDIR}var/lib/locate/locatedb ${ROOTDIR}var/lib/locatedb ${ROOTDIR}var/lib/slocate/slocate.db ${ROOTDIR}var/cache/locate/locatedb ${ROOTDIR}var/db/locate.database"
+ for FILE in ${LOCATE_DBS}; do
+ if [ -f ${FILE} ]; then
+ LogText "Result: locate database found (${FILE})"
FOUND=1
- LOCATE_DB="${I}"
- else
- LogText "Result: file ${I} not found"
+ LOCATE_DB="${FILE}"
+ else
+ LogText "Result: file ${FILE} not found"
fi
done
if [ ${FOUND} -eq 1 ]; then
Display --indent 2 --text "- Checking Locate database" --result "${STATUS_FOUND}" --color GREEN
Report "locate_db=${LOCATE_DB}"
- else
+ else
LogText "Result: database not found"
Display --indent 2 --text "- Checking Locate database" --result "${STATUS_NOT_FOUND}" --color YELLOW
ReportSuggestion ${TEST_NO} "The database required for 'locate' could not be found. Run 'updatedb' or 'locate.updatedb' to create this file."
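Review bot: renaming the loop variable from `I` to `FILE` picks a name that is used as a plain variable elsewhere in the test files sourced into the same shell (e.g. `LogText "Result: ${FILE} does NOT exist"` in tests_firewalls); since none of these variables are `local`, the loop silently overwrites it. A more specific name such as `LOCATE_DB_FILE` avoids the collision. Separately, the loop keeps going after a hit, so `LOCATE_DB` ends up as the last database found rather than the first; a `break` after `LOCATE_DB="${FILE}"` would make the reported path the first match, and `[ -f "${FILE}" ]` should be quoted.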
@@ -673,7 +673,7 @@
#
#################################################################################
#
- # Test : FILE-6420
+ # Test : FILE-6420 TODO
# Description : Check automount process
# Want to contribute to Lynis? Create this test
@@ -681,7 +681,7 @@
#
#################################################################################
#
- # Test : FILE-6422
+ # Test : FILE-6422 TODO
# Description : Check automount maps (files or for example LDAP based)
# Notes : Warn when automounter is running
@@ -690,7 +690,7 @@
#
#################################################################################
#
- # Test : FILE-6424
+ # Test : FILE-6424 TODO
# Description : Check automount map files
# Want to contribute to Lynis? Create this test
@@ -698,7 +698,7 @@
#
#################################################################################
#
- # Test : FILE-6425
+ # Test : FILE-6425 TODO
# Description : Check mounted files systems via automounter
# Notes : Warn when no systems are mounted?
@@ -728,11 +728,11 @@
LogText "Test: Checking if ${FS} is active"
# Check if FS is present in lsmod output
FIND=$(${LSMODBINARY} | ${EGREPBINARY} "^${FS}")
- if [ -z "${FIND}" ]; then
+ if IsEmpty "${FIND}"; then
LogText "Result: module ${FS} is not loaded in the kernel"
AddHP 2 3
- #Display --indent 6 --text "- Module ${FS} not loaded (lsmod)" --result OK --color GREEN
- # Tip to disable a particular module if it is not loaded
+ if IsDebug; then Display --indent 6 --text "- Module ${FS} not loaded (lsmod)" --result OK --color GREEN; fi
+ # Tip to disable a particular module if it is not loaded TODO
#ReportSuggestion ${TEST_NO} "The modprobe.d directory should contain a file with the entry 'install ${FS} /bin/true'"
FOUND=1
AVAILABLE_MODPROBE_FS="${AVAILABLE_MODPROBE_FS}${FS} "
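Review bot: the new `IsDebug` line uses `--result OK` while every other `Display` call in these files passes `"${STATUS_OK}"`; use the constant so the output stays consistent. In the same hunk, `${EGREPBINARY} "^${FS}"` on the `lsmod` output is a prefix match, so a module whose name is a prefix of another loaded module (checking `hfs` would also match `hfsplus`) is wrongly treated as loaded; anchoring on the trailing whitespace (`"^${FS}[[:space:]]"`) fixes that.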
@@ -742,7 +742,7 @@
fi
else
AddHP 3 3
- #Display --indent 6 --text "- Module ${FS} not present in the kernel" --result OK --color GREEN
+ if IsDebug; then Display --indent 6 --text "- Module ${FS} not present in the kernel" --result OK --color GREEN; fi
fi
done
if [ ${FOUND} -eq 1 ]; then
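Review bot: same point as the previous hunk: `--result OK` should be `--result "${STATUS_OK}"` to match the rest of the `Display` calls.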
diff --git a/include/tests_firewalls b/include/tests_firewalls
index c1fca4ff..fd6338a2 100644
--- a/include/tests_firewalls
+++ b/include/tests_firewalls
@@ -166,7 +166,7 @@
LogText "Result: iptables ruleset seems to be empty (found ${FIND} rules)"
Display --indent 4 --text "- Checking for empty ruleset" --result "${STATUS_WARNING}" --color RED
ReportWarning ${TEST_NO} "iptables module(s) loaded, but no rules active"
- else
+ else
LogText "Result: one or more rules are available (${FIND} rules)"
Display --indent 4 --text "- Checking for empty ruleset" --result "${STATUS_OK}" --color GREEN
fi
@@ -181,10 +181,10 @@
Register --test-no FIRE-4513 --preqs-met ${PREQS_MET} --os Linux --weight L --network NO --root-only YES --category security --description "Check iptables for unused rules"
if [ ${SKIPTEST} -eq 0 ]; then
FIND=$(${IPTABLESBINARY} --list --numeric --line-numbers --verbose | ${AWKBINARY} '{ if ($2=="0") print $1 }' | ${XARGSBINARY})
- if [ -z "${FIND}" ]; then
+ if IsEmpty "${FIND}"; then
Display --indent 4 --text "- Checking for unused rules" --result "${STATUS_OK}" --color GREEN
LogText "Result: There are no unused rules present"
- else
+ else
Display --indent 4 --text "- Checking for unused rules" --result "${STATUS_FOUND}" --color YELLOW
LogText "Result: Found one or more possible unused rules"
LogText "Description: Unused rules can be a sign that the firewall rules aren't optimized or up-to-date"
@@ -226,7 +226,7 @@
LogText "Result: pf is enabled"
PFFOUND=1
AddHP 3 3
- else
+ else
Display --indent 2 --text "- Checking pf status (pfctl)" --result "${STATUS_UNKNOWN}" --color YELLOW
ReportException ${TEST_NO} "Unknown status of pf firewall"
fi
@@ -240,11 +240,11 @@
FIND=$(${KLDSTATBINARY} | ${GREPBINARY} 'pf.ko')
if [ -z "${FIND}" ]; then
LogText "Result: Can not find pf KLD"
- else
+ else
LogText "Result: pf KLD loaded"
PFFOUND=1
fi
- else
+ else
LogText "Result: no kldstat binary, skipping this part"
fi
@@ -254,7 +254,7 @@
Display --indent 4 --text "- Checking pflogd status" --result "ACTIVE" --color GREEN
PFFOUND=1
PFLOGDFOUND=1
- else
+ else
LogText "Result: pflog daemon not found in process list"
fi
fi
@@ -263,7 +263,7 @@
FIREWALL_ACTIVE=1
FIREWALL_SOFTWARE="pf"
Report "firewall_software[]=pf"
- else
+ else
LogText "Result: pf not running on this system"
fi
fi
@@ -284,12 +284,12 @@
if [ -z "${PFWARNINGS}" ]; then
Display --indent 4 --text "- Checking pf configuration consistency" --result "${STATUS_OK}" --color GREEN
LogText "Result: no pf filter warnings found"
- else
+ else
Display --indent 4 --text "- Checking pf configuration consistency" --result "${STATUS_WARNING}" --color RED
LogText "Result: found one or more warnings in the pf filter rules"
ReportWarning ${TEST_NO} "Found one or more warnings in pf configuration file" "/etc/pf.conf" "text:Run 'pfctl -n -f /etc/pf.conf -vvv' to see available pf warnings"
fi
- else
+ else
LogText "Result: /etc/pf.conf does NOT exist"
fi
fi
@@ -313,7 +313,7 @@
FIREWALL_SOFTWARE="csf"
Report "firewall_software[]=csf"
Display --indent 2 --text "- Checking CSF status (configuration file)" --result "${STATUS_FOUND}" --color GREEN
- else
+ else
LogText "Result: ${FILE} does NOT exist"
fi
fi
@@ -332,7 +332,7 @@
FIREWALL_ACTIVE=1
FIREWALL_SOFTWARE="ipf"
Report "firewall_software[]=ipf"
- else
+ else
Display --indent 4 --text "- Checking ipf status" --result "${STATUS_NOT_RUNNING}" --color YELLOW
LogText "Result: ipf is not running"
fi
@@ -357,15 +357,15 @@
if [ "${IPFW_ENABLED}" = "ipfw" ]; then
Display --indent 4 --text "- IPFW enabled in /etc/rc.conf" --result "${STATUS_YES}" --color GREEN
LogText "Result: IPFW is enabled at start-up for IPv4"
- else
+ else
Display --indent 4 --text "- ipfw enabled in /etc/rc.conf" --result "${STATUS_NO}" --color YELLOW
LogText "Result: IPFW is disabled at start-up for IPv4"
fi
- else
+ else
if IsVerbose; then Display --indent 2 --text "- Checking IPFW status" --result "${STATUS_NOT_RUNNING}" --color YELLOW; fi
LogText "Result: IPFW is not running for IPv4"
fi
- else
+ else
ReportException "${TEST_NO}:1" "No IPFW test available (sysctl missing)"
fi
fi
@@ -386,7 +386,7 @@
APPLICATION_FIREWALL_ACTIVE=1
Report "firewall_software[]=macosx-app-fw"
Report "app_fw[]=macosx-app-fw"
- else
+ else
if IsVerbose; then Display --indent 2 --text "- Checking macOS: Application Firewall" --result "${STATUS_DISABLED}" --color YELLOW; fi
AddHP 1 3
LogText "Result: application firewall of macOS is disabled"
@@ -407,7 +407,7 @@
APPLICATION_FIREWALL_ACTIVE=1
Report "app_fw[]=little-snitch"
Report "firewall_software[]=little-snitch"
- else
+ else
if IsVerbose; then Display --indent 2 --text "- Checking Little Snitch Daemon" --result "${STATUS_DISABLED}" --color YELLOW; fi
AddHP 1 3
LogText "Result: could not find Little Snitch"
@@ -418,7 +418,7 @@
#
# Test : FIRE-4536
# Description : Check nftables kernel module
- if [ ! "${NFTBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ if HasData "${NFTBINARY}"; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no FIRE-4536 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check nftables status"
if [ ${SKIPTEST} -eq 0 ]; then
FIND=$(${LSMODBINARY} | ${AWKBINARY} '{ print $1 }' | ${GREPBINARY} "^nf*_tables")
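Review bot: the pattern `"^nf*_tables"` passed to `${GREPBINARY}` reads like a shell glob but is a regex, where `f*` means zero or more `f`; it matches `nf_tables` (and odd strings such as `n_tables`) but not `nft_*` modules. If only the core module matters, `"^nf_tables"` says what is meant; if the `nft_` modules should count as well, use `"^nf_tables|^nft_"` with `${EGREPBINARY}`. The `HasData` change itself is fine.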
@@ -428,7 +428,7 @@
FIREWALL_ACTIVE=1
NFTABLES_ACTIVE=1
Report "firewall_software[]=nftables"
- else
+ else
LogText "Result: no nftables kernel module found"
fi
fi
@@ -437,7 +437,7 @@
#
# Test : FIRE-4538
# Description : Check nftables configuration
- if [ ! "${NFTBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ if HasData "${NFTBINARY}"; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no FIRE-4538 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check nftables basic configuration"
if [ ${SKIPTEST} -eq 0 ]; then
# Retrieve nft version
@@ -450,7 +450,7 @@
#
# Test : FIRE-4540
# Description : Check nftables configuration
- if [ ! "${NFTBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ if HasData "${NFTBINARY}"; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no FIRE-4540 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for empty nftables configuration"
if [ ${SKIPTEST} -eq 0 ]; then
# Check for empty ruleset
@@ -458,19 +458,13 @@
if [ ${NFT_RULES_LENGTH} -le 16 ]; then
FIREWALL_EMPTY_RULESET=1
LogText "Result: this firewall set has 16 rules or less and is considered to be empty"
- else
+ else
LogText "Result: found ${NFT_RULES_LENGTH} rules in nftables configuration"
fi
fi
#
#################################################################################
#
- # Ideas:
- # Suggestion to disable iptables if nftables is enabled
- # Check for specific features in nftables releases
-#
-#################################################################################
-#
# Test : FIRE-4586
# Description : Check firewall logging
if [ ${FIREWALL_ACTIVE} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
@@ -501,7 +495,7 @@
# YYY Solaris ipf (determine default policy)
Report "manual[]=Make sure an explicit deny all is the default policy for all unmatched traffic"
AddHP 5 5
- else
+ else
Display --indent 2 --text "- Checking host based firewall" --result "NOT ACTIVE" --color YELLOW
LogText "Result: no host based firewall/packet filter found or configured"
ReportSuggestion ${TEST_NO} "Configure a firewall/packet filter to filter incoming and outgoing traffic"
@@ -521,5 +515,11 @@ Report "firewall_software=${FIREWALL_SOFTWARE}"
WaitForKeyPress
#
+#################################################################################
+#
+ # TODO
+ # Suggestion to disable iptables if nftables is enabled
+ # Check for specific features in nftables releases
+#
#================================================================================
# Lynis - Security Auditing and System Hardening for Linux and UNIX - https://cisofy.com
diff --git a/include/tests_hardening b/include/tests_hardening
index ff4bd697..61004a1a 100644
--- a/include/tests_hardening
+++ b/include/tests_hardening
@@ -52,7 +52,7 @@
HARDEN_COMPILERS_NEEDED=0
if [ ${COMPILER_INSTALLED} -eq 0 ]; then
LogText "Result: no compilers found"
- else
+ else
# as
if [ ! -z "${ASBINARY}" ]; then
LogText "Test: Check file permissions for as (Assembler)"
diff --git a/include/tests_kernel b/include/tests_kernel
index 258d9826..494680a1 100644
--- a/include/tests_kernel
+++ b/include/tests_kernel
@@ -40,10 +40,10 @@
if [ ${SKIPTEST} -eq 0 ]; then
# Checking if we can find the systemd default target
LogText "Test: Checking for systemd default.target"
- if [ -L /etc/systemd/system/default.target ]; then
+ if [ -L ${ROOTDIR}etc/systemd/system/default.target ]; then
LogText "Result: symlink found"
if HasData "${READLINKBINARY}"; then
- FIND=$(${READLINKBINARY} /etc/systemd/system/default.target)
+ FIND=$(${READLINKBINARY} ${ROOTDIR}etc/systemd/system/default.target)
if ! HasData "${FIND}"; then
LogText "Exception: can't find the target of the symlink of /etc/systemd/system/default.target"
ReportException "${TEST_NO}:01"
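Review bot: the `LogText "Exception: can't find the target of the symlink of /etc/systemd/system/default.target"` line directly below the changed `${READLINKBINARY}` call still hard-codes `/etc/...` while the `-L` test and the `readlink` now use `${ROOTDIR}etc/...`; print `${ROOTDIR}etc/systemd/system/default.target` there too so the log names the path that was actually examined.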
@@ -65,9 +65,9 @@
fi
else
LogText "Result: no systemd found, so trying inittab"
- LogText "Test: Checking /etc/inittab"
- if [ -f /etc/inittab ]; then
- LogText "Result: file /etc/inittab found"
+ LogText "Test: Checking ${ROOTDIR}etc/inittab"
+ if [ -f ${ROOTDIR}etc/inittab ]; then
+ LogText "Result: file ${ROOTDIR}etc/inittab found"
LogText "Test: Checking default Linux run level"
FIND=$(${AWKBINARY} -F: '/^id/ { print $2; }' ${ROOTDIR}etc/inittab | head -n 1)
if IsEmpty "${FIND}"; then
@@ -211,13 +211,13 @@
Display --indent 2 --text "- Checking loaded kernel modules" --result "${STATUS_DONE}" --color GREEN
if HasData "${FIND}"; then
LogText "Loaded modules according lsmod:"
- N=0
- for I in ${FIND}; do
- LogText "Loaded module: ${I}"
- Report "loaded_kernel_module[]=${I}"
- N=$((N + 1))
+ COUNT=0
+ for ITEM in ${FIND}; do
+ LogText "Loaded module: ${ITEM}"
+ Report "loaded_kernel_module[]=${ITEM}"
+ COUNT=$((COUNT + 1))
done
- Display --indent 6 --text "Found ${N} active modules"
+ Display --indent 6 --text "Found ${COUNT} active modules"
else
LogText "Result: no loaded modules found"
LogText "Notice: No loaded kernel modules could indicate a broken/malformed lsmod, or a (custom) monolithic kernel"
@@ -295,13 +295,13 @@
FIND=$(kldstat | ${GREPBINARY} -v 'Name' | ${TRBINARY} -s ' ' | ${CUTBINARY} -d ' ' -f6)
if [ $? -eq 0 ]; then
LogText "Loaded modules according kldstat:"
- N=0
- for I in ${FIND}; do
- LogText "Loaded module: ${I}"
- Report "loaded_kernel_module[]=${I}"
- N=$((N + 1))
+ COUNT=0
+ for ITEM in ${FIND}; do
+ LogText "Loaded module: ${ITEM}"
+ Report "loaded_kernel_module[]=${ITEM}"
+ COUNT=$((COUNT + 1))
done
- Display --indent 4 --text "Found ${N} kernel modules" --result "${STATUS_DONE}" --color GREEN
+ Display --indent 4 --text "Found ${COUNT} kernel modules" --result "${STATUS_DONE}" --color GREEN
else
Display --indent 4 --text "Test failed" --result "${STATUS_WARNING}" --color RED
LogText "Result: Problem with executing kldstat"
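Review bot: `if [ $? -eq 0 ]` after `FIND=$(kldstat | ... | ${CUTBINARY} ...)` tests the exit status of the last command in the pipeline (`cut`), not of `kldstat`, so a failing `kldstat` is still reported as success and the `Test failed` branch is effectively unreachable. Check `HasData "${FIND}"` instead, or capture the `kldstat` output first and test its status before filtering. The rename from `N`/`I` to `COUNT`/`ITEM` is fine; this loop is otherwise identical to the one in the next hunk, which makes it a candidate for a shared helper.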
@@ -321,24 +321,24 @@
LogText "Test: Active kernel modules (KLDs)"
LogText "Description: View all active kernel modules (including kernel)"
LogText "Test: Checking modules"
- if [ -f /sbin/kldstat ]; then
- FIND=$(kldstat | ${GREPBINARY} -v 'Name' | ${TRBINARY} -s ' ' | ${CUTBINARY} -d ' ' -f6)
+ if [ -f ${ROOTDIR}sbin/kldstat ]; then
+ FIND=$(${ROOTDIR}sbin/kldstat | ${GREPBINARY} -v 'Name' | ${TRBINARY} -s ' ' | ${CUTBINARY} -d ' ' -f6)
if [ $? -eq 0 ]; then
LogText "Loaded modules according kldstat:"
- N=0
- for I in ${FIND}; do
- LogText "Loaded module: ${I}"
- Report "loaded_kernel_module[]=${I}"
- N=$((N + 1))
+ COUNT=0
+ for ITEM in ${FIND}; do
+ LogText "Loaded module: ${ITEM}"
+ Report "loaded_kernel_module[]=${ITEM}"
+ COUNT=$((COUNT + 1))
done
- Display --indent 4 --text "Found ${N} kernel modules" --result "${STATUS_DONE}" --color GREEN
+ Display --indent 4 --text "Found ${COUNT} kernel modules" --result "${STATUS_DONE}" --color GREEN
else
Display --indent 4 --text "Test failed" --result "${STATUS_WARNING}" --color RED
LogText "Result: Problem with executing kldstat"
fi
else
echo "[ ${WHITE}SKIPPED${NORMAL} ]"
- LogText "Result: no results, can't find /sbin/kldstat"
+ LogText "Result: no results, can NOT find ${ROOTDIR}sbin/kldstat"
fi
fi
#
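Review bot: `FIND=$(${ROOTDIR}sbin/kldstat | ...)` executes a binary from under `${ROOTDIR}`, whereas everywhere else in this commit `${ROOTDIR}` is only prefixed onto files that are read, and the previous hunk runs plain `kldstat` from `PATH`. Running a program out of an alternate root that is being audited is not what `ROOTDIR` is for, and `/sbin/kldstat` from that tree would not describe the running kernel anyway; keep the `-f ${ROOTDIR}sbin/kldstat` existence check if wanted, but invoke `${KLDSTATBINARY}` (already used in tests_firewalls) or `kldstat` as before. The `$?`-after-pipeline issue from the previous hunk applies here too, and `echo "[ ${WHITE}SKIPPED${NORMAL} ]"` bypasses `Display`.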
@@ -351,9 +351,9 @@
LogText "Test: searching loaded kernel modules"
FIND=$(/usr/sbin/modinfo -c -w | ${GREPBINARY} -v "UNLOADED" | ${GREPBINARY} LOADED | ${AWKBINARY} '{ print $3 }' | sort)
if HasData "${FIND}"; then
- for I in ${FIND}; do
- LogText "Found module: ${I}"
- Report "loaded_kernel_module[]=${I}"
+ for ITEM in ${FIND}; do
+ LogText "Found module: ${ITEM}"
+ Report "loaded_kernel_module[]=${ITEM}"
done
Display --indent 2 --text "- Checking Solaris active kernel modules" --result "${STATUS_DONE}" --color GREEN
else
@@ -370,21 +370,21 @@
Register --test-no KRNL-5788 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking availability new Linux kernel"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Searching apt-cache, to determine if a newer kernel is available"
- if [ -x /usr/bin/apt-cache ]; then
- LogText "Result: found /usr/bin/apt-cache"
- LogText "Test: checking readlink location of /vmlinuz"
- if [ -f /vmlinuz ]; then
- FINDKERNFILE=$(readlink -f /vmlinuz)
+ if [ -x ${ROOTDIR}usr/bin/apt-cache ]; then
+ LogText "Result: found ${ROOTDIR}usr/bin/apt-cache"
+ LogText "Test: checking readlink location of ${ROOTDIR}vmlinuz"
+ if [ -f ${ROOTDIR}vmlinuz ]; then
+ FINDKERNFILE=$(readlink -f ${ROOTDIR}vmlinuz)
LogText "Output: readlink reported file ${FINDKERNFILE}"
LogText "Test: checking package from dpkg -S"
FINDKERNEL=$(dpkg -S ${FINDKERNFILE} 2> /dev/null | ${AWKBINARY} -F : '{print $1}')
LogText "Output: dpkg -S reported package ${FINDKERNEL}"
- elif [ -e /dev/grsec ]; then
+ elif [ -e ${ROOTDIR}dev/grsec ]; then
FINDKERNEL=linux-image-$(uname -r)
- LogText "/vmlinuz missing due to grsecurity; assuming ${FINDKERNEL}"
+ LogText "Result: ${ROOTDIR}vmlinuz missing due to grsecurity; assuming ${FINDKERNEL}"
else
- LogText "This system is missing /vmlinuz. Unable to check whether kernel is up-to-date."
- ReportSuggestion ${TEST_NO} "Determine why /vmlinuz is missing on this Debian/Ubuntu system." "/vmlinuz"
+ LogText "This system is missing ${ROOTDIR}vmlinuz. Unable to check whether kernel is up-to-date."
+ ReportSuggestion ${TEST_NO} "Determine why ${ROOTDIR}vmlinuz is missing on this Debian/Ubuntu system." "/vmlinuz"
fi
LogText "Test: Using apt-cache policy to determine if there is an update available"
FINDINST=$(apt-cache policy ${FINDKERNEL} | ${EGREPBINARY} 'Installed' | ${CUTBINARY} -d ':' -f2 | ${TRBINARY} -d ' ')
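Review bot: the `${ROOTDIR}` prefixes added to the `-x`/`-f`/`-e` tests are not matched by the commands that follow: `readlink -f`, `dpkg -S`, `uname -r` and `apt-cache policy` all still run against the host, so with a non-default `ROOTDIR` the test confirms `${ROOTDIR}usr/bin/apt-cache` exists and then asks the host's package database about the host's kernel. Either restrict this test to the default root (skip with a reason otherwise) or pass the tools' own alternate-root options (dpkg has `--root`). Also, the `ReportSuggestion` details argument is still the literal `"/vmlinuz"` while the message text now uses `${ROOTDIR}vmlinuz`.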
diff --git a/include/tests_logging b/include/tests_logging
index 26930809..819f5436 100644
--- a/include/tests_logging
+++ b/include/tests_logging
@@ -281,21 +281,21 @@
#
# Test : LOGG-2150
# Description : Checking log directories rotated with logrotate
- if [ ! "${LOGROTATEBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ if HasData "${LOGROTATEBINARY}"; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no LOGG-2150 --weight L --preqs-met ${PREQS_MET} --network NO --category security --description "Checking directories in logrotate configuration"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking which directories can be found in logrotate configuration"
- FIND=$(${LOGROTATEBINARY} -d -v /etc/logrotate.conf 2>&1 | ${EGREPBINARY} "considering log|skipping" | ${GREPBINARY} -v '*' | ${SORTBINARY} -u | ${AWKBINARY} '{ if ($2=="log") { print $3 } }' | ${SEDBINARY} 's@/[^/]*$@@g' | ${SORTBINARY} -u)
- if [ "${FIND}" = "" ]; then
+ FIND=$(${LOGROTATEBINARY} -d -v ${ROOTDIR}etc/logrotate.conf 2>&1 | ${EGREPBINARY} "considering log|skipping" | ${GREPBINARY} -v '*' | ${SORTBINARY} -u | ${AWKBINARY} '{ if ($2=="log") { print $3 } }' | ${SEDBINARY} 's@/[^/]*$@@g' | ${SORTBINARY} -u)
+ if IsEmpty "${FIND}" ]; then
LogText "Result: nothing found"
- else
+ else
LogText "Result: found one or more directories (via logrotate configuration)"
- for I in ${FIND}; do
- if [ -d ${I} ]; then
- LogText "Directory found: ${I}"
- Report "log_directory[]=${I}"
- else
- LogText "Directory could not be found: ${I}"
+ for DIR in ${FIND}; do
+ if [ -d ${DIR} ]; then
+ LogText "Directory found: ${DIR}"
+ Report "log_directory[]=${DIR}"
+ else
+ LogText "Result: Directory could not be found: ${DIR}"
fi
done
fi
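Review bot: `if IsEmpty "${FIND}" ]; then` has a stray `]` left over from the `[ "${FIND}" = "" ]` form it replaced; it is passed to `IsEmpty` as a second argument rather than failing loudly, so running the test will not expose it. Drop the `]`. Two smaller points in the same hunk: `DIR` is a generic name that the PowerDNS test in tests_nameservices also adopts as its loop variable in this commit, and `[ -d ${DIR} ]` should quote the expansion.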
@@ -379,7 +379,7 @@
AddHP 5 5
Display --indent 2 --text "- Checking remote logging" --result "${STATUS_ENABLED}" --color GREEN
fi
- else
+ else
LogText "Result: test skipped, file ${SYSLOGD_CONF} not found"
fi
fi
diff --git a/include/tests_mac_frameworks b/include/tests_mac_frameworks
index 7d4cc2ad..8c36b25c 100644
--- a/include/tests_mac_frameworks
+++ b/include/tests_mac_frameworks
@@ -126,7 +126,7 @@
#
# Test : MACF-6234
# Description : Check SELINUX status
- if [ ! "${SESTATUSBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ if HasData "${SESTATUSBINARY}"; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no MACF-6234 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check SELINUX status"
if [ ${SKIPTEST} -eq 0 ]; then
# Status: Enabled/Disabled
@@ -151,7 +151,7 @@
Display --indent 6 --text "- Checking current mode and config file" --result "${STATUS_WARNING}" --color RED
fi
Display --indent 8 --text "Current SELinux mode: ${FIND}"
- else
+ else
LogText "Result: SELinux framework is disabled"
Display --indent 4 --text "- Checking SELinux status" --result "${STATUS_DISABLED}" --color YELLOW
fi
@@ -180,7 +180,7 @@
else
Display --indent 2 --text "- Checking presence grsecurity" --result "${STATUS_NOT_FOUND}" --color WHITE
fi
- if [ ! -z "${GRADMBINARY}" ]; then
+ if HasData "${GRADMBINARY}"; then
FIND=$(${GRADMBINARY} --status)
if [ "${FIND}" = "The RBAC system is currently enabled." ]; then
MAC_FRAMEWORK_ACTIVE=1
diff --git a/include/tests_malware b/include/tests_malware
index 03773bc1..eb9da488 100644
--- a/include/tests_malware
+++ b/include/tests_malware
@@ -36,7 +36,7 @@
MCAFEE_SCANNER_RUNNING=0
MALWARE_SCANNER_INSTALLED=0
SOPHOS_SCANNER_RUNNING=0
- SYMANTEC_SCANNER_RUNNING=
+ SYMANTEC_SCANNER_RUNNING=0
#
#################################################################################
#
diff --git a/include/tests_nameservices b/include/tests_nameservices
index a3bd9b92..11dbc2b3 100644
--- a/include/tests_nameservices
+++ b/include/tests_nameservices
@@ -67,26 +67,26 @@
# Notes : Maximum of one search keyword is allowed in /etc/resolv.conf
Register --test-no NAME-4018 --weight L --network NO --category security --description "Check /etc/resolv.conf search domains"
if [ ${SKIPTEST} -eq 0 ]; then
- N=0
+ COUNT=0
LogText "Test: check ${ROOTDIR}etc/resolv.conf for search domains"
if [ -f ${ROOTDIR}etc/resolv.conf ]; then
LogText "Result: ${ROOTDIR}etc/resolv.conf found"
FIND=$(${AWKBINARY} '/^search/ { print $2 }' ${ROOTDIR}etc/resolv.conf)
- if [ -z "${FIND}" ]; then
+ if IsEmpty "${FIND}"; then
LogText "Result: no search domains found, default domain is being used"
else
- for I in ${FIND}; do
- LogText "Found search domain: ${I}"
- Report "resolv_conf_search_domain[]=${I}"
- N=$((N + 1))
+ for ITEM in ${FIND}; do
+ LogText "Found search domain: ${ITEM}"
+ Report "resolv_conf_search_domain[]=${ITEM}"
+ COUNT=$((COUNT + 1))
done
# Warn if we have more than 6 search domains, which is maximum in most resolvers
- if [ ${N} -gt 6 ]; then
- LogText "Result: Found ${N} search domains"
+ if [ ${COUNT} -gt 6 ]; then
+ LogText "Result: Found ${COUNT} search domains"
Display --indent 2 --text "- Checking search domains" --result "${STATUS_WARNING}" --color YELLOW
ReportWarning ${TEST_NO} "Found more than 6 search domains, which is usually more than the maximum allowed number in most resolvers"
else
- LogText "Result: Found ${N} search domains"
+ LogText "Result: Found ${COUNT} search domains"
Display --indent 2 --text "- Checking search domains" --result "${STATUS_FOUND}" --color GREEN
fi
fi
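Review bot: `FIND=$(${AWKBINARY} '/^search/ { print $2 }' ...)` prints only the first domain of a `search` line, so `COUNT` can never exceed 1 and the `-gt 6` warning branch is dead code; renaming the counter does not change that. Print every field from `$2` onward (`'/^search/ { for (i = 2; i <= NF; i++) print $i }'`) so the loop sees all search domains and the limit check becomes meaningful.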
@@ -115,15 +115,16 @@
if [ -f ${ROOTDIR}etc/resolv.conf ]; then
LogText "Result: ${ROOTDIR}etc/resolv.conf found"
FIND=$(${GREPBINARY} "^options" ${ROOTDIR}etc/resolv.conf | ${AWKBINARY} '{ print $2 }')
- if [ "${FIND}" = "" ]; then
+ if IsEmpty "${FIND}"; then
LogText "Result: no specific other options configured in /etc/resolv.conf"
if IsVerbose; then Display --indent 2 --text "- Checking /etc/resolv.conf options" --result "${STATUS_NONE}" --color WHITE; fi
else
- for I in ${FIND}; do
- LogText "Found option: ${I}"
- Report "resolv_conf_option[]=${I}"
- #rotate --> add performance tune point
- #timeout <3 --> add performe tune point
+ for ITEM in ${FIND}; do
+ LogText "Found option: ${ITEM}"
+ Report "resolv_conf_option[]=${ITEM}"
+ # TODO add suggestions for the related options
+ # rotate --> add performance tune point
+ # timeout --> add performe tune point when smaller than 3 seconds
done
Display --indent 2 --text "- Checking /etc/resolv.conf options" --result "${STATUS_FOUND}" --color GREEN
fi
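Review bot: same field issue as the previous hunk: `${AWKBINARY} '{ print $2 }'` on the `options` lines returns only the first option, so a line like `options rotate timeout:2 attempts:3` is reported as just `rotate`; iterate over `$2..$NF` if the per-option suggestions noted in the new TODO comment are to work. In that comment, `performe` should read `performance`.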
@@ -171,25 +172,10 @@
Register --test-no NAME-4028 --weight L --network NO --category security --description "Check domain name"
if [ ${SKIPTEST} -eq 0 ]; then
DOMAINNAME=""
- # NIS
- #LogText "Test: Checking file /etc/domainname"
- #if [ -f /etc/domainname ]; then
- # LogText "Result: file /etc/domainname exists"
- # FIND2=$(cat /etc/domainname)
- # if [ ! "${FIND}" = "" ]; then
- # LogText "Found domain name: ${FIND}"
- # DOMAINNAME="${FIND}"
- # else
- # LogText "Result: no domain name found in file"
- # fi
- # else
- # LogText "Result: file /etc/domainname does not exist"
- #fi
-
LogText "Test: Checking if dnsdomainname command is available"
- if [ ! -z "${DNSDOMAINNAMEBINARY}" ]; then
+ if HasData "${DNSDOMAINNAMEBINARY}"; then
FIND2=$(${DNSDOMAINNAMEBINARY} 2> /dev/null)
- if [ ! "${FIND2}" = "" ]; then
+ if HasData "${FIND2}"; then
LogText "Result: dnsdomainname command returned a value"
LogText "Found domain name: ${FIND2}"
DOMAINNAME="${FIND2}"
@@ -280,7 +266,7 @@
Display --indent 2 --text "- Checking configuration file" --result "NOT OK" --color YELLOW
ReportWarning "${TEST_NO}" "Found Unbound configuration file issues (run unbound-checkconf)"
fi
- else
+ else
LogText "Result: skipped, can't find unbound-checkconf utility"
fi
fi
@@ -338,25 +324,18 @@
if [ "${FIND}" = "0" ]; then
LogText "Result: configuration file ${BIND_CONFIG_LOCATION} seems to be fine"
Display --indent 4 --text "- Checking BIND configuration consistency" --result "${STATUS_OK}" --color GREEN
- else
+ else
LogText "Result: possible errors found in ${BIND_CONFIG_LOCATION}"
Display --indent 4 --text "- Checking BIND configuration consistency" --result "${STATUS_WARNING}" --color RED
ReportWarning ${TEST_NO} "Errors discovered in BIND configuration file"
fi
- else
+ else
LogText "Result: named-checkconf not found, skipping test"
fi
fi
#
#################################################################################
#
- # Test : NAME-4208
- # Description : Check DNS server type (master, slave, caching, forwarding)
- #Register --test-no NAME-4050 --weight L --network NO --category security --description "Check nscd status"
- #if [ ${SKIPTEST} -eq 0 ]; then
-#
-#################################################################################
-#
# Test : NAME-4210
# Description : Check if we can determine useful information from banner
if [ ${BIND_RUNNING} -eq 1 -a ! "${BIND_CONFIG_LOCATION}" = "" -a ! "${DIGBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
@@ -379,21 +358,21 @@
#
#################################################################################
#
- # Test : NAME-4212
+ # Test : NAME-4212 TODO
# Description : Check version option in BIND configuration
#if [ ${BIND_RUNNING} -eq 1 -a ! "${BIND_CONFIG_LOCATION}" = "" -a ! "${DIGBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
#Register --test-no NAME-4212 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check version setting in configuration"
#
#################################################################################
#
- # Test : NAME-4220
+ # Test : NAME-4220 TODO
# Description : Check if we can perform a zone transfer of primary domain
#Register --test-no NAME-4220 --weight L --network NO --category security --description "Check zone transfer"
#if [ ${SKIPTEST} -eq 0 ]; then
#
#################################################################################
#
- # Test : NAME-4222
+ # Test : NAME-4222 TODO
# Description : Check if we can perform a zone transfer of PTR (of primary domain)
#Register --test-no NAME-4222 --weight L --network NO --category security --description "Check zone transfer"
#if [ ${SKIPTEST} -eq 0 ]; then
@@ -410,7 +389,7 @@
LogText "Result: found PowerDNS process"
Display --indent 2 --text "- Checking PowerDNS status" --result "${STATUS_RUNNING}" --color GREEN
POWERDNS_RUNNING=1
- else
+ else
LogText "Result: PowerDNS not running"
if IsVerbose; then Display --indent 2 --text "- Checking PowerDNS status" --result "${STATUS_NOT_FOUND}" --color WHITE; fi
fi
@@ -424,13 +403,13 @@
Register --test-no NAME-4232 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Search PowerDNS configuration file"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Search PowerDNS configuration file"
- for I in ${POWERDNS_CONFIG_LOCS}; do
- if [ -f ${I}/pdns.conf ]; then
- POWERDNS_AUTH_CONFIG_LOCATION="${I}/pdns.conf"
+ for DIR in ${POWERDNS_CONFIG_LOCS}; do
+ if [ -f ${DIR}/pdns.conf ]; then
+ POWERDNS_AUTH_CONFIG_LOCATION="${DIR}/pdns.conf"
LogText "Result: found configuration file (${POWERDNS_AUTH_CONFIG_LOCATION})"
fi
done
- if [ ! "${POWERDNS_AUTH_CONFIG_LOCATION}" = "" ]; then
+ if HasData "${POWERDNS_AUTH_CONFIG_LOCATION}"; then
Display --indent 4 --text "- Checking PowerDNS configuration file" --result "${STATUS_FOUND}" --color GREEN
else
Display --indent 4 --text "- Checking PowerDNS configuration file" --result "${STATUS_NOT_FOUND}" --color YELLOW
@@ -455,9 +434,9 @@
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking for PowerDNS backends"
FIND=$(${AWKBINARY} -F= '/^launch/ { print $2 }' ${POWERDNS_AUTH_CONFIG_LOCATION})
- if [ ! -z "${FIND}" ]; then
- for I in ${FIND}; do
- LogText "Found backend: ${I}"
+ if HasData "${FIND}"; then
+ for ITEM in ${FIND}; do
+ LogText "Found backend: ${ITEM}"
done
Display --indent 4 --text "- Checking PowerDNS backends" --result "${STATUS_FOUND}" --color GREEN
else
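Review bot: the awk on `launch` returns the raw right-hand side, and PowerDNS accepts a comma-separated list there (`launch=gmysql,bind`), so `for ITEM in ${FIND}` logs that as a single backend and the "Found backend" lines become misleading. Split on commas before the loop, for example by piping the awk output through `${TRBINARY} ',' ' '`, and strip any trailing comment while at it.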
@@ -514,7 +493,7 @@
else
ReportSuggestion "Disable the usage of NIS/NIS+ and use an alternative like LDAP or Kerberos instead"
fi
- else
+ else
LogText "Result: ypbind is not active"
if IsVerbose; then Display --indent 2 --text "- Checking ypbind status" --result "${STATUS_NOT_FOUND}" --color WHITE; fi
fi
@@ -623,7 +602,7 @@
if [ "${sFIND}" != "" ]; then
LogText "Result: Found entry for ${HOSTNAME} in /etc/hosts"
Display --indent 4 --text "- Checking /etc/hosts (hostname)" --result "${STATUS_OK}" --color GREEN
- else
+ else
LogText "Result: No entry found for ${HOSTNAME} in /etc/hosts"
Display --indent 4 --text "- Checking /etc/hosts (hostname)" --result "${STATUS_SUGGESTION}" --color YELLOW
ReportSuggestion ${TEST_NO} "Add the IP name and FQDN to /etc/hosts for proper name resolving"
@@ -636,7 +615,7 @@
#
# Test : NAME-4406
# Description : Check server hostname mapping
- if [ ! "${HOSTNAME}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ if HasData "${HOSTNAME}"; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no NAME-4406 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check server hostname mapping"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Check server hostname not locally mapped in /etc/hosts"
diff --git a/include/tests_networking b/include/tests_networking
index d5a93d8e..ddb846d2 100644
--- a/include/tests_networking
+++ b/include/tests_networking
@@ -216,7 +216,6 @@
Register --test-no NETW-3004 --weight L --network NO --category security --description "Search for available network interfaces"
if [ ${SKIPTEST} -eq 0 ]; then
FIND=""
- N=0
case ${OS} in
AIX)
FIND=$(${IFCONFIGBINARY} -a 2> /dev/null | ${GREPBINARY} "flags=" | ${AWKBINARY} -F ":" '{ print $1 }')
@@ -239,12 +238,11 @@
ReportException "${TEST_NO}:1" "No support for this OS (${OS}) to find available network interfaces"
;;
esac
- if [ ! -z "${FIND}" ]; then
- for I in ${FIND}; do
- NETWORK_INTERFACES="${NETWORK_INTERFACES}|${I}"
- LogText "Found network interface: ${I}"
- N=$((N + 1))
- Report "network_interface[]=${I}"
+ if HasData "${FIND}"; then
+ for ITEM in ${FIND}; do
+ NETWORK_INTERFACES="${NETWORK_INTERFACES}|${ITEM}"
+ LogText "Found network interface: ${ITEM}"
+ Report "network_interface[]=${ITEM}"
done
else
ReportException "${TEST_NO}:1" "No interfaces found on this system (OS=${OS})"
@@ -272,7 +270,7 @@
if [ ! -z "${IPBINARY}" ]; then
LogText "Test: Using ip binary to gather hardware addresses"
FIND=$(${IPBINARY} link 2> /dev/null | ${GREPBINARY} "link/ether" | ${AWKBINARY} '{ print $2 }')
- else
+ else
ReportException "${TEST_NO}:2" "Missing ifconfig or ip command to collect hardware address (MAC)"
fi
fi
@@ -294,11 +292,9 @@
ReportException "${TEST_NO}:1" "No support for this OS (${OS}) to find MAC information"
;;
esac
- N=0
- for I in ${FIND}; do
- LogText "Found MAC address: ${I}"
- N=$((N + 1))
- Report "network_mac_address[]=${I}"
+ for ITEM in ${FIND}; do
+ LogText "Found MAC address: ${ITEM}"
+ Report "network_mac_address[]=${ITEM}"
done
fi
#
@@ -350,20 +346,17 @@
ReportException "${TEST_NO}:1" "IP address information test not implemented for this operating system"
;;
esac
- N=0
+
# IPv4
- for I in ${FIND}; do
- LogText "Found IPv4 address: ${I}"
- N=$((N + 1))
- Report "network_ipv4_address[]=${I}"
+ for ITEM in ${FIND}; do
+ LogText "Found IPv4 address: ${ITEM}"
+ Report "network_ipv4_address[]=${ITEM}"
done
# IPv6
- for I in ${FIND2}; do
- LogText "Found IPv6 address: ${I}"
- N=$((N + 1))
- Report "network_ipv6_address[]=${I}"
+ for ITEM in ${FIND2}; do
+ LogText "Found IPv6 address: ${ITEM}"
+ Report "network_ipv6_address[]=${ITEM}"
done
-
fi
#
#################################################################################
@@ -373,7 +366,7 @@
Register --test-no NETW-3012 --weight L --network NO --category security --description "Check listening ports"
if [ ${SKIPTEST} -eq 0 ]; then
FIND=""; FIND2=""
- N=0
+ COUNT=0
case ${OS} in
DragonFly|FreeBSD)
if [ ! -z "${SOCKSTATBINARY}" ]; then
@@ -390,13 +383,13 @@
FIND=$(${NETSTATBINARY} -nlp 2> /dev/null | ${GREPBINARY} "^udp" | ${AWKBINARY} '{ print $4"|"$1"|"$6"|" }' | ${SEDBINARY} 's:|[0-9]*/:|:')
# TCP
FIND2=$(${NETSTATBINARY} -nlp 2> /dev/null | ${GREPBINARY} "^tcp" | ${AWKBINARY} '{ if($6=="LISTEN") { print $4"|"$1"|"$7"|" }}' | ${SEDBINARY} 's:|[0-9]*/:|:')
- else
+ else
if [ ! "${SSBINARY}" = "" ]; then
# UDP
FIND=$(${SSBINARY} -u -a -n 2> /dev/null | ${AWKBINARY} '{ print $4 }' | ${GREPBINARY} -v Local)
# TCP
FIND2=$(${SSBINARY} -t -a -n 2> /dev/null | ${AWKBINARY} '{ print $4 }' | ${GREPBINARY} -v Local)
- else
+ else
ReportException "${TEST_NO}:1" "netstat and ss binary missing to gather listening ports"
fi
fi
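Review bot: the ss fallback lists every socket, not only listening ones: `ss -u -a -n` and `ss -t -a -n` include established connections, whereas the netstat branch above filters on `LISTEN`. On a busy host the "Found N ports" figure will be inflated by client connections. Use `-l` instead of `-a` (`${SSBINARY} -t -l -n`, `${SSBINARY} -u -l -n`) so both code paths report the same thing.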
@@ -440,26 +433,26 @@
# Retrieve information from sockstat, when available
LogText "Test: Retrieving sockstat information to find listening ports"
- if [ ! "${FIND}" = "" ]; then
- for I in ${FIND}; do
- N=$((N + 1))
- LogText "Found listening info: ${I}"
- Report "network_listen_port[]=${I}"
+ if HasData "${FIND}"; then
+ for ITEM in ${FIND}; do
+ COUNT=$((COUNT + 1))
+ LogText "Found listening info: ${ITEM}"
+ Report "network_listen_port[]=${ITEM}"
done
fi
if [ ! "${FIND2}" = "" ]; then
- for I in ${FIND2}; do
- N=$((N + 1))
- LogText "Found listening info: ${I}"
- Report "network_listen_port[]=${I}"
+ for ITEM in ${FIND2}; do
+ COUNT=$((COUNT + 1))
+ LogText "Found listening info: ${ITEM}"
+ Report "network_listen_port[]=${ITEM}"
done
fi
if [ "${FIND}" = "" -a "${FIND2}" = "" ]; then
Display --indent 2 --text "- Getting listening ports (TCP/UDP)" --result "${STATUS_SKIPPED}" --color YELLOW
else
Display --indent 2 --text "- Getting listening ports (TCP/UDP)" --result "${STATUS_DONE}" --color GREEN
- Display --indent 6 --text "* Found ${N} ports"
+ Display --indent 6 --text "* Found ${COUNT} ports"
fi
fi
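Review bot: the HasData conversion is only half done in this hunk: the `FIND` check becomes `if HasData "${FIND}"`, but the `FIND2` check two lines below keeps `if [ ! "${FIND2}" = "" ]` and the combined check further down still uses the raw string comparison. Convert all three or none, so one test does not mix both styles.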
#
@@ -473,14 +466,14 @@
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking promiscuous interfaces (FreeBSD)"
FIND=$(${IFCONFIGBINARY} 2> /dev/null | ${GREPBINARY} PROMISC | ${CUTBINARY} -d ':' -f1)
- if [ ! "${FIND}" = "" ]; then
+ if HasData "${FIND}"; then
LogText "Result: Promiscuous interfaces: ${FIND}"
- for I in ${FIND}; do
+ for ITEM in ${FIND}; do
WHITELISTED=0
for PROFILE in ${PROFILES}; do
- Debug "Checking if interface ${I} is whitelisted in profile ${PROFILE}"
- ISWHITELISTED=$(${GREPBINARY} "^if_promisc:${I}:" ${PROFILE})
- if [ ! "${ISWHITELISTED}" = "" ]; then
+ Debug "Checking if interface ${ITEM} is whitelisted in profile ${PROFILE}"
+ ISWHITELISTED=$(${GREPBINARY} "^if_promisc:${ITEM}:" ${PROFILE})
+ if HasData "${ISWHITELISTED}"; then
WHITELISTED=1
LogText "Result: this interface was whitelisted in profile (${PROFILE})"
fi
@@ -536,15 +529,17 @@
if [ ${FOUNDPROMISC} -eq 0 ]; then
Display --indent 2 --text "- Checking promiscuous interfaces" --result "${STATUS_OK}" --color GREEN
LogText "Result: No promiscuous interfaces found"
- else
+ else
Display --indent 2 --text "- Checking promiscuous interfaces" --result "${STATUS_WARNING}" --color RED
fi
fi
#
#################################################################################
#
- # Test : NETW-3020
- # Description : Checking multipath configuration (Solaris)
+ # Do you have a multipath configuration on Linux or other OS? Create a related test and send in a pull request on GitHub
+
+ # Test : NETW-3020 TODO
+ # Description : Checking multipath configuration
#
#################################################################################
#
@@ -557,7 +552,7 @@
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Using netstat for check for connections in WAIT state"
FIND=$(${NETSTATBINARY} -an | ${GREPBINARY} WAIT | ${WCBINARY} -l | ${AWKBINARY} '{ print $1 }')
- if [ -z "${OPTIONS_CONN_MAX_WAIT_STATE}" ]; then OPTIONS_CONN_MAX_WAIT_STATE="5000"; fi
+ if IsEmpty "${OPTIONS_CONN_MAX_WAIT_STATE}"; then OPTIONS_CONN_MAX_WAIT_STATE="5000"; fi
LogText "Result: currently ${FIND} connections are in a waiting state (max configured: ${OPTIONS_CONN_MAX_WAIT_STATE})."
if [ ${FIND} -gt ${OPTIONS_CONN_MAX_WAIT_STATE} ]; then
Display --indent 2 --text "- Checking waiting connections" --result "${STATUS_WARNING}" --color YELLOW
diff --git a/include/tests_ports_packages b/include/tests_ports_packages
index f276e2a0..c2b02ac2 100644
--- a/include/tests_ports_packages
+++ b/include/tests_ports_packages
@@ -62,10 +62,10 @@
#
# Test : PKGS-7302
# Description : Query FreeBSD/NetBSD pkg_info
- if [ -x /usr/sbin/pkg_info ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ if [ -x ${ROOTDIR}usr/sbin/pkg_info ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PKGS-7302 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Query FreeBSD/NetBSD pkg_info"
if [ ${SKIPTEST} -eq 0 ]; then
- N=0
+ COUNT=0
Display --indent 4 --text "- Checking pkg_info" --result "${STATUS_FOUND}" --color GREEN
LogText "Result: Found pkg_info"
Report "package_manager[]=pkg_info"
@@ -74,13 +74,13 @@
LogText "Output:"; LogText "-----"
SPACKAGES=$(${ROOTDIR}usr/sbin/pkg_info 2>&1 | ${SORTBINARY} | ${TRBINARY} -s ' ' | ${CUTBINARY} -d ' ' -f1 | ${SEDBINARY} -e 's/^\(.*\)-\([0-9].*\)$/\1,\2/g')
for ITEM in ${SPACKAGES}; do
- N=$((N + 1))
+ COUNT=$((COUNT + 1))
sPKG_NAME=$(echo ${ITEM} | ${CUTBINARY} -d ',' -f1)
sPKG_VERSION=$(echo ${ITEM} | ${CUTBINARY} -d ',' -f2)
LogText "Installed package: ${sPKG_NAME} (version: ${sPKG_VERSION})"
INSTALLED_PACKAGES="${INSTALLED_PACKAGES}|${ITEM}"
done
- Report "installed_packages=${N}"
+ Report "installed_packages=${COUNT}"
fi
#
#################################################################################
@@ -93,6 +93,7 @@
if [ ${SKIPTEST} -eq 0 ]; then
Display --indent 4 --text "- Searching brew" --result "${STATUS_FOUND}" --color GREEN
LogText "Result: Found brew"
+ PACKAGE_MGR_PKG=1
Report "package_manager[]=brew"
LogText "Test: Querying brew to get package list"
Display --indent 4 --text "- Querying brew for installed packages"
@@ -120,11 +121,11 @@
Display --indent 4 --text "- Querying portage for installed packages"
LogText "Output:"; LogText "-----"
GPACKAGES=$(equery l '*' | ${SEDBINARY} -e 's/[.*]//g')
- for J in ${GPACKAGES}; do
- LogText "Found package ${J}"
- INSTALLED_PACKAGES="${INSTALLED_PACKAGES}|${J},0,"
+ for PKG in ${GPACKAGES}; do
+ LogText "Found package ${PKG}"
+ INSTALLED_PACKAGES="${INSTALLED_PACKAGES}|${PKG},0,"
done
- else
+ else
LogText "Result: emerge can NOT be found on this system"
fi
#
@@ -139,6 +140,7 @@
Display --indent 4 --text "- Searching pkginfo" --result "${STATUS_FOUND}" --color GREEN
LogText "Result: Found Solaris pkginfo"
Report "package_manager[]=pkginfo"
+ PACKAGE_MGR_PKG=1
LogText "Test: Querying pkginfo to get package list"
Display --indent 4 --text "- Querying pkginfo for installed packages"
LogText "Output:"; LogText "-----"
@@ -159,7 +161,7 @@
if [ ! -z "${RPMBINARY}" -a -z "${DNFBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PKGS-7308 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking package list with RPM"
if [ ${SKIPTEST} -eq 0 ]; then
- N=0
+ COUNT=0
Display --indent 4 --text "- Searching RPM package manager" --result "${STATUS_FOUND}" --color GREEN
LogText "Result: Found rpm binary (${RPMBINARY})"
Report "package_manager[]=rpm"
@@ -172,16 +174,16 @@
LogText "Info: looks like the rpm binary is installed, but not used for package installation"
ReportSuggestion "${TEST_NO}" "Check RPM database as RPM binary available but does not reveal any packages"
else
- for J in ${SPACKAGES}; do
- N=$((N + 1))
- PACKAGE_NAME=$(echo ${J} | ${AWKBINARY} -F, '{print $1}')
- PACKAGE_VERSION=$(echo ${J} | ${AWKBINARY} -F, '{print $2}')
- LogText "Found package: ${J}"
+ for PKG in ${SPACKAGES}; do
+ COUNT=$((COUNT + 1))
+ PACKAGE_NAME=$(echo ${PKG} | ${AWKBINARY} -F, '{print $1}')
+ PACKAGE_VERSION=$(echo ${PKG} | ${AWKBINARY} -F, '{print $2}')
+ LogText "Found package: ${PKG}"
INSTALLED_PACKAGES="${INSTALLED_PACKAGES}|${PACKAGE_NAME},${PACKAGE_VERSION},"
done
- Report "installed_packages=${N}"
+ Report "installed_packages=${COUNT}"
fi
- else
+ else
LogText "Result: RPM binary NOT found on this system, test skipped"
fi
#
@@ -192,10 +194,11 @@
if [ ! -z "${PACMANBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PKGS-7310 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking package list with pacman"
if [ ${SKIPTEST} -eq 0 ]; then
- N=0
+ COUNT=0
Display --indent 4 --text "- Searching pacman package manager" --result "${STATUS_FOUND}" --color GREEN
LogText "Result: Found pacman binary (${PACMANBINARY})"
Report "package_manager[]=pacman"
+ PACKAGE_MGR_PKG=1
LogText "Test: Querying 'pacman -Q' to get package list"
Display --indent 6 --text "- Querying pacman package manager"
LogText "Output:"; LogText "--------"
@@ -204,14 +207,14 @@
LogText "Result: pacman binary available, but package list seems to be empty"
LogText "Info: looks like the pacman binary is installed, but not used for package installation"
else
- for J in ${SPACKAGES}; do
- N=$((N + 1))
- PACKAGE_NAME=$(echo ${J} | ${AWKBINARY} -F, '{ print $1 }')
- PACKAGE_VERSION=$(echo ${J} | ${AWKBINARY} -F, '{ print $2 }')
+ for PKG in ${SPACKAGES}; do
+ COUNT=$((COUNT + 1))
+ PACKAGE_NAME=$(echo ${PKG} | ${AWKBINARY} -F, '{ print $1 }')
+ PACKAGE_VERSION=$(echo ${PKG} | ${AWKBINARY} -F, '{ print $2 }')
LogText "Found package: ${PACKAGE_NAME} (version: ${PACKAGE_VERSION})"
- INSTALLED_PACKAGES="${INSTALLED_PACKAGES}|${J}"
+ INSTALLED_PACKAGES="${INSTALLED_PACKAGES}|${PKG}"
done
- Report "installed_packages=${N}"
+ Report "installed_packages=${COUNT}"
fi
fi
#
@@ -237,10 +240,10 @@
else
Display --indent 4 --text "- Searching update status (checkupdates)" --result "UP-TO-DATE" --color GREEN
fi
- else
+ else
LogText "Result: skipping this test, can't find checkupdates binary"
fi
- else
+ else
LogText "Result: pacman binary NOT found on this system, test skipped"
fi
#
@@ -322,20 +325,20 @@
if [ ! -z "${ZYPPERBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PKGS-7328 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Querying Zypper for installed packages"
if [ ${SKIPTEST} -eq 0 ]; then
- N=0
+ COUNT=0
PACKAGE_AUDIT_TOOL_FOUND=1
PACKAGE_AUDIT_TOOL="zypper"
FIND=$(${ZYPPERBINARY} -n se -t package -i | ${AWKBINARY} '{ if ($1=="i") { print $3 } }')
if [ ! -z "${FIND}" ]; then
- for I in ${FIND}; do
- N=$((N + 1))
- LogText "Installed package: ${I}"
- INSTALLED_PACKAGES="${INSTALLED_PACKAGES}|${J},0,"
+ for PKG in ${FIND}; do
+ COUNT=$((COUNT + 1))
+ LogText "Installed package: ${PKG}"
+ INSTALLED_PACKAGES="${INSTALLED_PACKAGES}|${PKG},0,"
done
- Report "installed_packages=${N}"
+ Report "installed_packages=${COUNT}"
else
# Could not find any installed packages
- ReportException ${TEST_NO} "No installed packages found with Zypper"
+ ReportException "${TEST_NO}" "No installed packages found with Zypper"
fi
fi
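Review bot: this rename quietly fixes a real bug, not just style: the old loop iterated over `I` but appended `${J}` to INSTALLED_PACKAGES, so on zypper systems the installed list was filled with entries holding whatever `J` was left from an earlier test (or empty `,0,` entries). That changes report output and deserves a line in CHANGELOG.md. Also `if [ ! -z "${FIND}" ]` right above the loop is left in the old form while the equivalent checks elsewhere in this patch became HasData.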
#
@@ -357,10 +360,10 @@
# Unfortunately zypper does not properly give back which package it is. Usually best guess is last word on the line
FIND=$(${ZYPPERBINARY} -n lp | ${AWKBINARY} '{ if ($5=="security" || $7=="security") { print $NF }}' | ${SEDBINARY} 's/:$//' | ${GREPBINARY} -v "^$" | ${SORTBINARY} -u)
LogText "List of vulnerable packages/version:"
- for I in ${FIND}; do
+ for PKG in ${FIND}; do
VULNERABLE_PACKAGES_FOUND=1
- Report "vulnerable_package[]=${I}"
- LogText "Vulnerable package: ${I}"
+ Report "vulnerable_package[]=${PKG}"
+ LogText "Vulnerable package: ${PKG}"
# Decrease hardening points for every found vulnerable package
AddHP 1 2
done
@@ -369,27 +372,79 @@
#
#################################################################################
#
+ # Test : PKGS-7332
+ # Description : Query macOS ports
+ if [ -x ${ROOTDIR}opt/local/bin/port ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ Register --test-no PKGS-7332 --os "macOS" --preqs-met ${PREQS_MET} --weight L --network NO --description "Query macOS ports"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ FIND=$(${ROOTDIR}opt/local/bin/port installed 2>&1 | ${GREPBINARY} active | ${SORTBINARY}; ${ROOTDIR}bin/echo $?)
+ if [ "${FIND}" = "0" ]; then
+ Display --indent 4 --text "- Searching packages with port" --result "{STATUS_FOUND}" --color GREEN
+ Report "package_manager[]=port"
+ PACKAGE_MGR_PKG=1
+ LogText "Result: Found port utility"
+ LogText "Test: Querying port to get package list"
+ Display --indent 6 --text "- Querying port for installed packages"
+ LogText "Output:"; LogText "-----"
+ SPACKAGES=$(${ROOTDIR}opt/local/bin/port installed | ${GREPBINARY} active)
+ for ITEM in ${SPACKAGES}; do
+ SPORT_NAME=$(echo ${ITEM} | ${CUTBINARY} -d@ -f1)
+ SPORT_VERSION=$(echo ${ITEM} | ${CUTBINARY} -d@ -f2 | ${CUTBINARY} -d' ' -f1)
+ LogText "Installed package: ${SPORT_NAME} (version: ${SPORT_VERSION})"
+ INSTALLED_PACKAGES="${INSTALLED_PORTS}|${ITEM}"
+ done
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : PKGS-7334
+ # Description : Query macOS ports for available port upgrades
+ if [ -x ${ROOTDIR}opt/local/bin/port ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ Register --test-no PKGS-7334 --os "macOS" --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Query port for port upgrades"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ COUNT=0
+ LogText "Test: Querying ports for possible port upgrades"
+ UPACKAGES=$(${ROOTDIR}opt/local/bin/port outdated 2> /dev/null | ${CUTBINARY} -d' ' -f1)
+ for J in ${UPACKAGES}; do
+ COUNT=$((COUNT + 1))
+ LogText "Upgrade available (new version): ${J}"
+ Report "upgrade_available[]=${J}"
+ done
+ Report "upgrade_available_count=${COUNT}"
+ if [ ${COUNT} -eq 0 ]; then
+ LogText "Result: no upgrades found"
+ Display --indent 2 --text "- Checking ports for updates" --result "${STATUS_NONE}" --color GREEN
+ AddHP 2 2
+ else
+ Display --indent 2 --text "- Checking ports for updates" --result "${STATUS_FOUND}" --color YELLOW
+ fi
+ fi
+#
+#################################################################################
+#
# Test : PKGS-7345
# Description : Debian package based systems (dpkg)
- if [ -x /usr/bin/dpkg ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ if [ -x ${ROOTDIR}usr/bin/dpkg ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PKGS-7345 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Querying dpkg"
if [ ${SKIPTEST} -eq 0 ]; then
- N=0
+ COUNT=0
Display --indent 4 --text "- Searching dpkg package manager" --result "${STATUS_FOUND}" --color GREEN
LogText "Result: Found dpkg binary"
Report "package_manager[]=dpkg"
+ PACKAGE_MGR_PKG=1
LogText "Test: Querying dpkg -l to get package list"
Display --indent 6 --text "- Querying package manager"
LogText "Output:"
SPACKAGES=$(dpkg -l 2>/dev/null | ${GREPBINARY} "^ii" | ${TRBINARY} -s ' ' | ${TRBINARY} ' ' ',' | sort)
for J in ${SPACKAGES}; do
- N=$((N + 1))
+ COUNT=$((COUNT + 1))
PACKAGE_NAME=$(echo ${J} | ${CUTBINARY} -d ',' -f2)
PACKAGE_VERSION=$(echo ${J} | ${CUTBINARY} -d ',' -f3)
LogText "Found package: ${PACKAGE_NAME} (version: ${PACKAGE_VERSION})"
INSTALLED_PACKAGES="${INSTALLED_PACKAGES}|${PACKAGE_NAME},${PACKAGE_VERSION}"
done
- Report "installed_packages=${N}"
+ Report "installed_packages=${COUNT}"
else
LogText "Result: dpkg can NOT be found on this system, test skipped"
fi
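Review bot: the detection in PKGS-7332 is inverted: `FIND` captures the sorted `port installed` output followed by the `$?` of `sort`, so `[ "${FIND}" = "0" ]` is only true when there are no active ports, and the branch is skipped on any system that actually has packages installed. Test the exit status separately from the output (for example run `${ROOTDIR}opt/local/bin/port installed > /dev/null 2>&1` and branch on `$?`), or rely on the `-x` prerequisite alone. Further problems in the same block: `--result "{STATUS_FOUND}"` is missing the `$`; `INSTALLED_PACKAGES="${INSTALLED_PORTS}|${ITEM}"` references an undefined variable and so overwrites the list on every iteration instead of appending to `${INSTALLED_PACKAGES}`; `for ITEM in ${SPACKAGES}` word-splits lines of the form `name @version (active)`, so the `cut -d@` and `cut -d' '` on the following lines never see a whole line; the Register call for PKGS-7332 lacks the `--category security` that every other test carries; and PKGS-7334 keeps loop variable `J` while the rest of the patch renames these to `PKG`. Also verify whether `port outdated` prints a header line, because `cut -d' ' -f1` would count it as a package.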
@@ -399,12 +454,12 @@
# Test : PKGS-7346
# Description : Check packages which are removed, but still own configuration files, cron jobs etc
# Notes : Cleanup: for pkg in $(dpkg -l | ${GREPBINARY} "^rc" | ${CUTBINARY} -d' ' -f3); do aptitude purge ${pkg}; done
- if [ -x /usr/bin/dpkg ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ if [ -x ${ROOTDIR}usr/bin/dpkg ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PKGS-7346 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Search unpurged packages on system"
if [ ${SKIPTEST} -eq 0 ]; then
- N=0
+ COUNT=0
LogText "Test: Querying dpkg -l to get unpurged packages"
- SPACKAGES=$(dpkg -l 2>/dev/null | ${GREPBINARY} "^rc" | ${CUTBINARY} -d ' ' -f3 | sort)
+ SPACKAGES=$(${ROOTDIR}usr/bin/dpkg -l 2>/dev/null | ${GREPBINARY} "^rc" | ${CUTBINARY} -d ' ' -f3 | sort)
if [ -z "${SPACKAGES}" ]; then
Display --indent 4 --text "- Query unpurged packages" --result "${STATUS_NONE}" --color GREEN
LogText "Result: no packages found with left overs"
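Review bot: the ROOTDIR prefix is applied to the dpkg query in PKGS-7346 here, but the `dpkg -l` in PKGS-7345 just above (and the bare `sort` in both tests) stay unprefixed, so the two sibling tests would query different dpkg binaries when ROOTDIR is set. Apply `${ROOTDIR}usr/bin/dpkg` and `${SORTBINARY}` consistently in both.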
@@ -413,10 +468,10 @@
LogText "Result: found one or more packages with left over configuration files, cron jobs etc"
LogText "Output:"
for J in ${SPACKAGES}; do
- N=$((N + 1))
+ COUNT=$((COUNT + 1))
LogText "Found unpurged package: ${J}"
done
- ReportSuggestion ${TEST_NO} "Purge old/removed packages (${N} found) with aptitude purge or dpkg --purge command. This will cleanup old configuration files, cron jobs and startup scripts."
+ ReportSuggestion ${TEST_NO} "Purge old/removed packages (${COUNT} found) with aptitude purge or dpkg --purge command. This will cleanup old configuration files, cron jobs and startup scripts."
fi
else
LogText "Result: dpkg can NOT be found on this system, test skipped"
@@ -431,8 +486,8 @@
# Add portmaster --clean-distfiles-all
Register --test-no PKGS-7348 --os FreeBSD --weight L --network NO --category security --description "Check for old distfiles"
if [ ${SKIPTEST} -eq 0 ]; then
- if [ -x /usr/local/sbin/portsclean ]; then
- FIND=$(/usr/local/sbin/portsclean -n -DD | ${GREPBINARY} 'Delete' | wc -l | ${TRBINARY} -d ' ')
+ if [ -x ${ROOTDIR}usr/local/sbin/portsclean ]; then
+ FIND=$(${ROOTDIR}usr/local/sbin/portsclean -n -DD | ${GREPBINARY} 'Delete' | wc -l | ${TRBINARY} -d ' ')
if [ ${FIND} -eq 0 ]; then
Display --indent 2 --text "- Checking presence old distfiles" --result "${STATUS_OK}" --color GREEN
LogText "Result: no unused distfiles found"
@@ -452,6 +507,7 @@
if [ ! -z "${DNFBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no "PKGS-7350" --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking for installed packages with DNF utility"
if [ ${SKIPTEST} -eq 0 ]; then
+ COUNT=0
Display --indent 4 --text "- Searching DNF package manager" --result "${STATUS_FOUND}" --color GREEN
LogText "Result: found DNF (Dandified YUM) utility (binary: ${DNFBINARY})"
Report "package_manager[]=dnf"
@@ -460,14 +516,14 @@
PACKAGE_AUDIT_TOOL_FOUND=1
PACKAGE_AUDIT_TOOL="dnf"
SPACKAGES=$(${DNFBINARY} -q list installed 2> /dev/null | ${AWKBINARY} '{ if ($1!="Installed" && $1!="Last") {print $1","$2 }}')
- for J in ${SPACKAGES}; do
- N=$((N + 1))
- PACKAGE_NAME=$(echo ${J} | ${CUTBINARY} -d ',' -f1)
- PACKAGE_VERSION=$(echo ${J} | ${CUTBINARY} -d ',' -f2)
+ for PKG in ${SPACKAGES}; do
+ COUNT=$((COUNT + 1))
+ PACKAGE_NAME=$(echo ${PKG} | ${CUTBINARY} -d ',' -f1)
+ PACKAGE_VERSION=$(echo ${PKG} | ${CUTBINARY} -d ',' -f2)
LogText "Found package: ${PACKAGE_NAME} (version: ${PACKAGE_VERSION})"
INSTALLED_PACKAGES="${INSTALLED_PACKAGES}|${PACKAGE_NAME},${PACKAGE_VERSION}"
done
- Report "installed_packages=${N}"
+ Report "installed_packages=${COUNT}"
fi
#
#################################################################################
@@ -594,19 +650,20 @@
if [ -x ${ROOTDIR}usr/local/sbin/portmaster ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PKGS-7378 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Query portmaster for port upgrades"
if [ ${SKIPTEST} -eq 0 ]; then
- N=0
+ COUNT=0
LogText "Test: Querying portmaster for possible port upgrades"
UPACKAGES=$(${ROOTDIR}usr/local/sbin/portmaster -L | ${GREPBINARY} "version available" | ${AWKBINARY} '{ print $5 }')
- for J in ${UPACKAGES}; do
- N=$((N + 1))
- LogText "Upgrade available (new version): ${J}"
- Report "upgrade_available[]=${J}"
+ for PKG in ${UPACKAGES}; do
+ COUNT=$((COUNT + 1))
+ LogText "Upgrade available (new version): ${PKG}"
+ Report "upgrade_available[]=${PKG}"
done
- Report "upgrade_available_count=${N}"
- if [ ${N} -eq 0 ]; then
- LogText "Result: no upgrades found"
+ Report "upgrade_available_count=${COUNT}"
+ if [ ${COUNT} -eq 0 ]; then
+ LogText "Result: no updates found"
Display --indent 2 --text "- Checking portmaster for updates" --result "${STATUS_NONE}" --color GREEN
else
+ LogText "Result: found ${COUNT} updates"
Display --indent 2 --text "- Checking portmaster for updates" --result "${STATUS_FOUND}" --color YELLOW
fi
fi
@@ -617,11 +674,11 @@
# Description : Check for vulnerable NetBSD packages (with pkg_admin)
Register --test-no PKGS-7380 --os NetBSD --weight L --network NO --category security --description "Check for vulnerable NetBSD packages"
if [ ${SKIPTEST} -eq 0 ]; then
- if [ -x /usr/sbin/pkg_admin ]; then
+ if [ -x ${ROOTDIR}usr/sbin/pkg_admin ]; then
PACKAGE_AUDIT_TOOL_FOUND=1
PACKAGE_AUDIT_TOOL="pkg_admin audit"
- if [ -f /var/db/pkg/pkgs-vulnerabilities ]; then
- FIND=$(/usr/sbin/pkg_admin audit)
+ if [ -f ${ROOTDIR}var/db/pkg/pkgs-vulnerabilities ]; then
+ FIND=$(${ROOTDIR}usr/sbin/pkg_admin audit)
if [ -z "${FIND}" ]; then
LogText "Result: pkg_admin audit results are clean"
Display --indent 2 --text "- Checking pkg_admin audit to obtain vulnerable packages" --result "${STATUS_NONE}" --color GREEN
@@ -631,7 +688,7 @@
LogText "Result: pkg_admin audit found one or more installed packages which are vulnerable."
ReportWarning ${TEST_NO} "Found one or more vulnerable packages."
LogText "List of vulnerable packages/version:"
- for I in $(/usr/sbin/pkg_admin audit | ${AWKBINARY} '{ print $2 }' | ${SORTBINARY} -u); do
+ for I in $(${ROOTDIR}usr/sbin/pkg_admin audit | ${AWKBINARY} '{ print $2 }' | ${SORTBINARY} -u); do
VULNERABLE_PACKAGES_FOUND=1
Report "vulnerable_package[]=${I}"
LogText "Vulnerable package: ${I}"
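Review bot: the loop re-runs `pkg_admin audit` although its output was already captured into `${FIND}` a few lines earlier; iterate over `$(echo "${FIND}" | ${AWKBINARY} '{ print $2 }' | ${SORTBINARY} -u)` instead, so the audit runs once and the listed packages are guaranteed to match the result that triggered the warning. The loop variable `I` is also left unrenamed while the neighbouring tests switch to `PKG`.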
@@ -701,11 +758,11 @@
# Test : PKGS-7382
# Description : Check for vulnerable FreeBSD packages
# Notes : Newer machines should use pkg audit instead of portaudit
- if [ -x /usr/local/sbin/portaudit ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ if [ -x ${ROOTDIR}usr/local/sbin/portaudit ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PKGS-7382 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for vulnerable FreeBSD packages with portaudit"
if [ ${SKIPTEST} -eq 0 ]; then
PACKAGE_AUDIT_TOOL_FOUND=1
- FIND=$(/usr/local/sbin/portaudit | ${GREPBINARY} 'problem(s) in your installed packages found' | ${GREPBINARY} -v '0 problem(s) in your installed packages found')
+ FIND=$(${ROOTDIR}usr/local/sbin/portaudit | ${GREPBINARY} 'problem(s) in your installed packages found' | ${GREPBINARY} -v '0 problem(s) in your installed packages found')
if [ -z "${FIND}" ]; then
LogText "Result: Portaudit results are clean"
Display --indent 2 --text "- Checking portaudit to obtain vulnerable packages" --result "${STATUS_NONE}" --color GREEN
@@ -716,10 +773,10 @@
ReportWarning ${TEST_NO} "Found one or more vulnerable packages."
ReportSuggestion ${TEST_NO} "Update your system with portupgrade or other tools"
LogText "List of vulnerable packages/version:"
- for I in $(/usr/local/sbin/portaudit | ${GREPBINARY} "Affected package" | ${CUTBINARY} -d ' ' -f3 | ${SORTBINARY} -u); do
+ for PKG in $(${ROOTDIR}usr/local/sbin/portaudit | ${GREPBINARY} "Affected package" | ${CUTBINARY} -d ' ' -f3 | ${SORTBINARY} -u); do
VULNERABLE_PACKAGES_FOUND=1
- Report "vulnerable_package[]=${I}"
- LogText "Vulnerable package: ${I}"
+ Report "vulnerable_package[]=${PKG}"
+ LogText "Vulnerable package: ${PKG}"
# Decrease hardening points for every found vulnerable package
AddHP 1 2
done
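Review bot: same double invocation as in PKGS-7380: `portaudit` is run once to decide whether there are problems and a second time here to list the affected packages. Capture the full output once and derive both the problem line and the `Affected package` lines from it; besides being faster, it avoids the two runs disagreeing if the vulnerability database is refreshed in between.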
@@ -753,11 +810,11 @@
if [ ! -z "${YUMBINARY}" -a -z "${DNFBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PKGS-7384 --preqs-met ${PREQS_MET} --os Linux --weight L --network NO --category security --description "Check for YUM utils package"
if [ ${SKIPTEST} -eq 0 ]; then
- if [ -x /usr/bin/package-cleanup ]; then
- LogText "Result: found YUM utils package (/usr/bin/package-cleanup)"
+ if [ -x ${ROOTDIR}usr/bin/package-cleanup ]; then
+ LogText "Result: found YUM utils package (${ROOTDIR}usr/bin/package-cleanup)"
# Check for duplicates
LogText "Test: Checking for duplicate packages"
- FIND=$(/usr/bin/package-cleanup -q --dupes > /dev/null; echo $?)
+ FIND=$(${ROOTDIR}usr/bin/package-cleanup -q --dupes > /dev/null; echo $?)
if [ "${FIND}" = "0" ]; then
LogText "Result: No duplicate packages found"
Display --indent 2 --text "- Checking package database duplicates" --result "${STATUS_OK}" --color GREEN
@@ -770,7 +827,7 @@
# Check for package database problems
LogText "Test: Checking for database problems"
- FIND=$(/usr/bin/package-cleanup --problems > /dev/null; echo $?)
+ FIND=$(${ROOTDIR}usr/bin/package-cleanup --problems > /dev/null; echo $?)
if [ "${FIND}" = "0" ]; then
LogText "Result: No package database problems found"
Display --indent 2 --text "- Checking package database for problems" --result "${STATUS_OK}" --color GREEN
@@ -869,7 +926,7 @@
#
# Test : PKGS-7387
# Description : Search for YUM GPG check
- if [ -x /usr/bin/yum -a -z "${DNFBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ if [ -x ${ROOTDIR}usr/bin/yum -a -z "${DNFBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PKGS-7387 --preqs-met ${PREQS_MET} --os Linux --weight L --network NO --category security --description "Check for GPG signing in YUM security package"
if [ ${SKIPTEST} -eq 0 ]; then
if [ ! -z "${PYTHONBINARY}" ]; then
@@ -892,16 +949,18 @@
done
fi
FOUND=0
- FileExists /etc/yum.conf
+ FileExists ${ROOTDIR}etc/yum.conf
if [ ${FILE_FOUND} -eq 1 ]; then
- SearchItem "^gpgenabled\s*=\s*1$" "/etc/yum.conf"; if [ ${ITEM_FOUND} -eq 1 ]; then FOUND=1; fi
- SearchItem "^gpgcheck\s*=\s*1$" "/etc/yum.conf"; if [ ${ITEM_FOUND} -eq 1 ]; then FOUND=1; fi
+ SearchItem "^gpgenabled\s*=\s*1$" "${ROOTDIR}etc/yum.conf"; if [ ${ITEM_FOUND} -eq 1 ]; then FOUND=1; fi
+ SearchItem "^gpgcheck\s*=\s*1$" "${ROOTDIR}etc/yum.conf"; if [ ${ITEM_FOUND} -eq 1 ]; then FOUND=1; fi
if [ ${FOUND} -eq 1 ]; then
LogText "Result: GPG check is enabled"
Display --indent 2 --text "- Checking GPG checks (yum.conf)" --result "${STATUS_OK}" --color GREEN
+ AddHP 3 3
else
Display --indent 2 --text "- Checking GPG checks (yum.conf)" --result "${STATUS_DISABLED}" --color RED
ReportWarning ${TEST_NO} "No GPG signing option found in yum.conf"
+ AddHP 2 3
fi
fi
fi
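Review bot: the new `AddHP 2 3` in the else branch awards two of three hardening points on the path that displays a RED warning for GPG checking being disabled; if the intent is to penalise a disabled signature check, award fewer points there (`AddHP 0 3` or `AddHP 1 3`), so please confirm the scoring is deliberate. Also note that `gpgcheck` in `${ROOTDIR}etc/yum.conf` only sets the default; per-repository files under `etc/yum.repos.d/` can override it with `gpgcheck=0`, so a passing result here does not mean every repository is verified. A follow-up could scan those files with the same SearchItem pattern.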
@@ -959,11 +1018,11 @@
#
# Test : PKGS-7390
# Description : Check Ubuntu database consistency
- if [ "${LINUX_VERSION}" = "Ubuntu" -a -x /usr/bin/apt-get ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ if [ "${LINUX_VERSION}" = "Ubuntu" -a -x ${ROOTDIR}usr/bin/apt-get ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PKGS-7390 --os Linux --preqs-met ${PREQS_MET} --root-only YES --weight L --network NO --category security --description "Check Ubuntu database consistency"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Package database consistency by running apt-get check"
- FIND=$(/usr/bin/apt-get -q=2 check 2> /dev/null; echo $?)
+ FIND=$(${ROOTDIR}usr/bin/apt-get -q=2 check 2> /dev/null; echo $?)
if [ "${FIND}" = "0" ]; then
Display --indent 2 --text "- Checking APT package database" --result "${STATUS_OK}" --color GREEN
LogText "Result: package database seems to be consistent."
@@ -979,7 +1038,7 @@
#
# Test : PKGS-7392
# Description : Check Debian/Ubuntu vulnerable packages
- if [ -x /usr/bin/apt-get ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ if [ -x ${ROOTDIR}usr/bin/apt-get ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PKGS-7392 --os Linux --preqs-met ${PREQS_MET} --root-only YES --weight L --network YES --category security --description "Check for Debian/Ubuntu security updates"
if [ ${SKIPTEST} -eq 0 ]; then
VULNERABLE_PACKAGES_FOUND=0
@@ -989,16 +1048,20 @@
PACKAGE_AUDIT_TOOL="apt-get"
PACKAGE_AUDIT_TOOL_FOUND=1
# Update the repository, outdated repositories don't give much information
- LogText "Action: updating repository with apt-get"
- /usr/bin/apt-get -q=2 update
- LogText "Result: apt-get finished"
- LogText "Test: Checking if /usr/lib/update-notifier/apt-check exists"
- if [ -x /usr/lib/update-notifier/apt-check ]; then
+ if [ ${REFRESH_REPOSITORIES} -eq 1 ]; then
+ LogText "Action: updating package repository with apt-get"
+ ${ROOTDIR}usr/bin/apt-get -q=2 update
+ LogText "Result: apt-get finished"
+ else
+ LogText "Result: using a possibly outdated repository, as updating is disabled via configuration"
+ fi
+ LogText "Test: Checking if ${ROOTDIR}usr/lib/update-notifier/apt-check exists"
+ if [ -x ${ROOTDIR}usr/lib/update-notifier/apt-check ]; then
PACKAGE_AUDIT_TOOL="apt-check"
- LogText "Result: found /usr/lib/update-notifier/apt-check"
+ LogText "Result: found ${ROOTDIR}usr/lib/update-notifier/apt-check"
LogText "Test: checking if any of the updates contain security updates"
# apt-check binary is a script and translated. Do not search for normal text strings, but use numbered output only
- FIND=$(/usr/lib/update-notifier/apt-check 2>&1 | ${AWKBINARY} -F\; '{ print $2 }')
+ FIND=$(${ROOTDIR}usr/lib/update-notifier/apt-check 2>&1 | ${AWKBINARY} -F\; '{ print $2 }')
# Check if we get the proper line back and amount of security patches available
if [ -z "${FIND}" ]; then
LogText "Result: did not find security updates line"
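Review bot: the exit status of `${ROOTDIR}usr/bin/apt-get -q=2 update` is never checked, so a failed refresh (no network, broken sources list, failed signature verification) is logged as `Result: apt-get finished` and the stale cache is then evaluated as if it were current; capture `$?` and log a warning on non-zero, in the same way the `else` branch already records the disabled case. It is also worth documenting the `REFRESH_REPOSITORIES` default in the profile, since this is a write operation with network access performed by an audit tool running as root.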
@@ -1028,9 +1091,9 @@
LogText "Result: found vulnerable package(s) via apt-get (-security channel)"
PACKAGE_AUDIT_TOOL="apt-get"
PACKAGE_AUDIT_TOOL_FOUND=1
- for I in ${FIND}; do
- LogText "Found vulnerable package: ${I}"
- Report "vulnerable_package[]=${I}"
+ for PKG in ${FIND}; do
+ LogText "Found vulnerable package: ${PKG}"
+ Report "vulnerable_package[]=${PKG}"
done
fi
if [ ${SCAN_PERFORMED} -eq 1 ]; then
@@ -1052,7 +1115,7 @@
#
# Test : PKGS-7393
# Description : Check Gentoo vulnerable packages
- if [ -x /usr/bin/emerge-webrsync ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ if [ -x ${ROOTDIR}usr/bin/emerge-webrsync ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PKGS-7393 --preqs-met ${PREQS_MET} --weight L --network YES --category security --description "Check for Gentoo vulnerable packages"
if [ ${SKIPTEST} -eq 0 ]; then
VULNERABLE_PACKAGES_FOUND=0
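Review bot: the prerequisite is tied to the wrong binary: `PREQS_MET` depends on `${ROOTDIR}usr/bin/emerge-webrsync`, but the test body (next hunk) only uses `emerge-webrsync` for the optional repository refresh and does the actual vulnerability check with `glsa-check`. A Gentoo host with gentoolkit installed but without an executable emerge-webrsync skips the whole test, while a host with emerge-webrsync and no glsa-check runs the test only to report the tool missing. Gate on `glsa-check` (or on the OS being Gentoo) and keep emerge-webrsync optional.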
@@ -1063,19 +1126,19 @@
# "most friendly" way.
if [ ${REFRESH_REPOSITORIES} -eq 1 ]; then
LogText "Action: updating portage with emerge-webrsync"
- /usr/bin/emerge-webrsync --quiet 2> /dev/null
+ ${ROOTDIR}usr/bin/emerge-webrsync --quiet 2> /dev/null
LogText "Result: emerge-webrsync finished"
else
LogText "Result: using a possibly outdated repository, as updating is disabled"
fi
- LogText "Test: checking if /usr/bin/glsa-check exists"
- if [ -x /usr/bin/glsa-check ]; then
+ LogText "Test: checking if ${ROOTDIR}usr/bin/glsa-check exists"
+ if [ -x ${ROOTDIR}usr/bin/glsa-check ]; then
PACKAGE_AUDIT_TOOL_FOUND=1
PACKAGE_AUDIT_TOOL="glsa-check"
- LogText "Result: found /usr/bin/glsa-check"
+ LogText "Result: found ${ROOTDIR}usr/bin/glsa-check"
LogText "Test: checking if there are any vulnerable packages"
# glsa-check reports the GLSA date/ID string, not the vulnerable package.
- FIND=$(/usr/bin/glsa-check -t all 2>&1 | ${GREPBINARY} -v "This system is affected by the following GLSAs:" | ${GREPBINARY} -v "This system is not affected by any of the listed GLSAs" | ${WCBINARY} -l)
+ FIND=$(${ROOTDIR}usr/bin/glsa-check -t all 2>&1 | ${GREPBINARY} -v "This system is affected by the following GLSAs:" | ${GREPBINARY} -v "This system is not affected by any of the listed GLSAs" | ${WCBINARY} -l)
if [ -z "${FIND}" ]; then
LogText "Result: unexpected result: wc should report 0 if no vulnerable packages are found."
LogText "Notes: Check if system is up-to-date, security updates check (glsa-check) gives and unexpected result"
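Review bot: the line count in `FIND` includes stderr: with `2>&1` any warning printed by `glsa-check -t all` (an outdated GLSA tree, a missing portage cache) passes the two `grep -v` filters and is counted as an affected GLSA, turning a noisy run into a false "vulnerable packages found". Route stderr to the log instead and filter on the GLSA identifier format rather than on two literal English sentences, which also break under a non-English locale. Typo in the Notes line: "gives and unexpected result" should be "gives an unexpected result".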
@@ -1093,7 +1156,7 @@
AddHP 0 25
fi
fi
- else
+ else
LogText "Result: glsa-check tool not found"
ReportSuggestion ${TEST_NO} "Use Emerge to install the gentoolkit package, which includes glsa-check tool for additional security checks."
fi
@@ -1106,11 +1169,11 @@
if [ "${LINUX_VERSION}" = "Ubuntu" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PKGS-7394 --os Linux --preqs-met ${PREQS_MET} --weight L --network YES --category security --description "Check for Ubuntu updates"
if [ ${SKIPTEST} -eq 0 ]; then
- LogText "Test: checking /usr/bin/apt-show-versions"
- if [ -x /usr/bin/apt-show-versions ]; then
- LogText "Result: found /usr/bin/apt-show-versions"
+ LogText "Test: checking ${ROOTDIR}usr/bin/apt-show-versions"
+ if [ -x ${ROOTDIR}usr/bin/apt-show-versions ]; then
+ LogText "Result: found ${ROOTDIR}usr/bin/apt-show-versions"
LogText "Test: Checking packages which can be upgraded via apt-show-versions"
- FIND=$(/usr/bin/apt-show-versions -u | ${SEDBINARY} 's/ /!space!/g')
+ FIND=$(${ROOTDIR}usr/bin/apt-show-versions -u | ${SEDBINARY} 's/ /!space!/g')
if [ -z "${FIND}" ]; then
LogText "Result: no packages found which can be upgraded"
Display --indent 2 --text "- Checking upgradeable packages" --result "${STATUS_NONE}" --color GREEN
@@ -1124,8 +1187,8 @@
LogText "${ITEM}"
done
fi
- else
- LogText "Result: /usr/bin/apt-show-versions not found"
+ else
+ LogText "Result: ${ROOTDIR}usr/bin/apt-show-versions not found"
Display --indent 2 --text "- Checking upgradeable packages" --result "${STATUS_SKIPPED}" --color WHITE
ReportSuggestion ${TEST_NO} "Install package apt-show-versions for patch management purposes"
fi
@@ -1143,7 +1206,7 @@
Display --indent 2 --text "- Checking package audit tool" --result "${STATUS_NONE}" --color RED
ReportSuggestion ${TEST_NO} "Install a package audit tool to determine vulnerable packages"
LogText "Result: no package audit tool found"
- else
+ else
Display --indent 2 --text "- Checking package audit tool" --result INSTALLED --color GREEN
Display --indent 4 --text "Found: ${PACKAGE_AUDIT_TOOL}"
LogText "Result: found package audit tool: ${PACKAGE_AUDIT_TOOL}"
@@ -1158,7 +1221,7 @@
#################################################################################
#
# Description : AIX patches
- # Notes : /usr/sbin/instfix -c -i | ${CUTBINARY} -d":" -f1
+ # Notes : ${ROOTDIR}usr/sbin/instfix -c -i | ${CUTBINARY} -d":" -f1
#
#################################################################################
#
diff --git a/include/tests_printers_spools b/include/tests_printers_spools
index 9241ef05..c28a460d 100644
--- a/include/tests_printers_spools
+++ b/include/tests_printers_spools
@@ -46,7 +46,7 @@
if [ ! -f ${ROOTDIR}usr/sbin/chkprintcap ]; then
Display --indent 2 --text "- Checking chkprintcap" --result "${STATUS_NOT_FOUND}" --color WHITE
LogText "Result: ${ROOTDIR}usr/sbin/chkprintcap NOT found, test skipped"
- else
+ else
LogText "Result: ${ROOTDIR}usr/sbin/chkprintcap found"
FIND=$(${ROOTDIR}usr/sbin/chkprintcap > /dev/null ; echo $?)
# Only an exit code of zero should come back. Use string instead of integer, due unexpected trash
@@ -88,19 +88,19 @@
Register --test-no PRNT-2306 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check CUPSd configuration file"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Searching cupsd configuration file"
- for I in ${CUPSD_CONFIG_LOCS}; do
- if [ -f ${I}/cupsd.conf ]; then
- if FileIsReadable ${I}/cupsd.conf; then
- CUPSD_CONFIG_FILE="${I}/cupsd.conf"
+ for DIR in ${CUPSD_CONFIG_LOCS}; do
+ if [ -f ${DIR}/cupsd.conf ]; then
+ if FileIsReadable ${DIR}/cupsd.conf; then
+ CUPSD_CONFIG_FILE="${DIR}/cupsd.conf"
LogText "Result: found ${CUPSD_CONFIG_FILE}"
fi
fi
done
- if [ ! -z "${CUPSD_CONFIG_FILE}" ]; then
+ if HasData "${CUPSD_CONFIG_FILE}"; then
Display --indent 2 --text "- Checking CUPS configuration file" --result "${STATUS_OK}" --color GREEN
LogText "Result: configuration file found (${CUPSD_CONFIG_FILE})"
CUPSD_FOUND=1
- else
+ else
Display --indent 2 --text "- Checking CUPS configuration file" --result "${STATUS_NOT_FOUND}" --color RED
LogText "Result: configuration file not found"
LogText "Development: no CUPS configuration file found"
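Review bot: the loop over `${CUPSD_CONFIG_LOCS}` does not stop at the first hit, so when more than one location holds a readable `cupsd.conf`, `CUPSD_CONFIG_FILE` ends up as the last one in the list rather than the first, and the later tests (PRNT-2307 and the Listen checks) run against a file that may not be the one cupsd loaded. Add a `break` after the assignment, or take the path from the running cupsd process. Also `${DIR}/cupsd.conf` is unquoted in both tests; quote it, as the locations list is data.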
@@ -111,17 +111,17 @@
#
# Test : PRNT-2307
# Description : Check CUPSd configuration file permissions
- # To Do : Add function
+ # TODO : Add function
if [ ${CUPSD_FOUND} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PRNT-2307 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check CUPSd configuration file permissions"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking CUPS configuration file permissions"
- FIND=$(ls -l ${CUPSD_CONFIG_FILE} | ${CUTBINARY} -c 2-10)
+ FIND=$(${LSBINARY} -l ${CUPSD_CONFIG_FILE} | ${CUTBINARY} -c 2-10)
LogText "Result: found ${FIND}"
if [ "${FIND}" = "r--------" -o "${FIND}" = "rw-------" -o "${FIND}" = "rw-r-----" -o "${FIND}" = "rw-rw----" ]; then
Display --indent 4 --text "- File permissions" --result "${STATUS_OK}" --color GREEN
AddHP 1 1
- else
+ else
Display --indent 4 --text "- File permissions" --result "${STATUS_WARNING}" --color RED
ReportSuggestion ${TEST_NO} "Access to CUPS configuration could be more strict."
AddHP 1 2
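Review bot: the permission check accepts `rw-rw----` as OK without looking at owner or group, so a configuration writable by a non-root group scores full points, while a stricter `r--r-----` is reported as a warning because it is not one of the four literal strings; parsing `ls -l` with `cut -c 2-10` also drops the owner field and any ACL or SELinux marker. The helpers this patch already uses in `tests_scheduling`, `IsWorldWritable` and `IsOwnedByRoot`, plus a group-write check, express the actual requirement (not world-readable, writable by root only) more robustly than an exact-string match on mode strings. The `# TODO : Add function` comment above the test presumably means exactly this.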
@@ -139,17 +139,17 @@
# Checking network addresses
LogText "Test: Checking CUPS daemon listening network addresses"
FIND=$(${GREPBINARY} "^Listen" ${CUPSD_CONFIG_FILE} | ${GREPBINARY} -v "/" | ${AWKBINARY} '{ print $2 }')
- N=0
- for I in ${FIND}; do
- LogText "Found network address: ${I}"
- N=$((N + 1))
+ COUNT=0
+ for ITEM in ${FIND}; do
+ LogText "Found network address: ${ITEM}"
+ COUNT=$((COUNT + 1))
FOUND=1
done
# Check if daemon is only running on localhost
if [ ${FOUND} -eq 0 ]; then
LogText "Result: no listen statement found in CUPS configuration file"
- elif [ ${N} -eq 1 ]; then
+ elif [ ${COUNT} -eq 1 ]; then
if [ "${FIND}" = "localhost:631" -o "${FIND}" = "127.0.0.1:631" ]; then
LogText "Result: CUPS daemon only running on localhost"
AddHP 2 2
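Review bot: the localhost test only recognises `localhost:631` and `127.0.0.1:631`, and only when `COUNT` is exactly 1, so a cupsd bound to the IPv6 loopback (`Listen [::1]:631`) or to both loopback addresses is not treated as localhost-only. Iterate over the addresses and test each against a loopback list (`localhost`, `127.0.0.1`, `[::1]`, with or without the port) instead of comparing the whole `${FIND}` string once. Also `FOUND` is read at `if [ ${FOUND} -eq 0 ]` but only set to 1 inside the loop; make sure it is initialised to 0 above this hunk so that a missing Listen line does not reuse a value left by an earlier test.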
@@ -167,12 +167,12 @@
# Checking sockets
LogText "Test: Checking cups daemon listening sockets"
FIND=$(${GREPBINARY} "^Listen" ${CUPSD_CONFIG_FILE} | ${GREPBINARY} "/" | ${AWKBINARY} '{ print $2 }')
- for I in ${FIND}; do
- LogText "Found socket address: ${I}"
- N=$((N + 1))
+ for ITEM in ${FIND}; do
+ LogText "Found socket address: ${ITEM}"
+ COUNT=$((COUNT + 1))
done
- if [ ${N} -eq 0 ]; then
+ if [ ${COUNT} -eq 0 ]; then
Display --indent 2 --text "- Checking CUPS addresses/sockets" --result "${STATUS_NONE}" --color WHITE
LogText "Result: no addresses found on which CUPS daemon is listening"
else
@@ -236,12 +236,12 @@
LogText "Result: qdaemon daemon running"
Display --indent 2 --text "- Checking qdaemon daemon" --result "${STATUS_RUNNING}" --color GREEN
QDAEMON_RUNNING=1; PRINTING_DAEMON="qdaemon"
- else
+ else
if [ ${QDAEMON_CONFIG_ENABLED} -eq 1 ]; then
LogText "Result: qdaemon daemon not running"
Display --indent 2 --text "- Checking qdaemon daemon" --result "${STATUS_NOT_RUNNING}" --color RED
ReportSuggestion ${TEST_NO} "Activate print spooler daemon (qdaemon) in order to process print jobs"
- else
+ else
LogText "Result: qdaemon daemon not running"
Display --indent 2 --text "- Checking qdaemon daemon" --result "${STATUS_NOT_RUNNING}" --color WHITE
fi
@@ -255,17 +255,17 @@
Register --test-no PRNT-2420 --os AIX --weight L --network NO --category security --description "Checking old print jobs"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking old print jobs"
- DirectoryExists /var/spool/lpd/qdir
+ DirectoryExists ${ROOTDIR}var/spool/lpd/qdir
if [ ${DIRECTORY_FOUND} -eq 1 ]; then
- FIND=$(find /var/spool/lpd/qdir -type f -mtime +1 2> /dev/null | ${SEDBINARY} 's/ /!space!/g')
- if [ ! -z "${FIND}" ]; then
- N=0
- for I in ${FIND}; do
- FILE=$(echo ${I} | ${SEDBINARY} 's/!space!/ /g')
+ FIND=$(find ${ROOTDIR}var/spool/lpd/qdir -type f -mtime +1 2> /dev/null | ${SEDBINARY} 's/ /!space!/g')
+ if HasData "${FIND}"; then
+ COUNT=0
+ for ITEM in ${FIND}; do
+ FILE=$(echo ${ITEM} | ${SEDBINARY} 's/!space!/ /g')
LogText "Found old print job: ${FILE}"
- N=$((N + 1))
+ COUNT=$((COUNT + 1))
done
- LogText "Result: Found ${N} old print jobs in /var/spool/lpd/qdir"
+ LogText "Result: Found ${COUNT} old print jobs in /var/spool/lpd/qdir"
Display --indent 4 --text "- Checking old print jobs" --result "${STATUS_FOUND}" --color YELLOW
ReportSuggestion ${TEST_NO} "Check old print jobs in /var/spool/lpd/qdir to prevent new jobs from being processed"
LogText "Risk: Failed or defunct print jobs can occupy a lot of space and in some cases, prevent new jobs from being processed"
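Review bot: the three messages after the loop still hard-code `/var/spool/lpd/qdir` while the `DirectoryExists` and `find` calls were moved to `${ROOTDIR}var/spool/lpd/qdir`; use the variable in the log, suggestion and risk lines too. Also `find` is called bare here although the rest of the patch uses `${FINDBINARY}`, and `-mtime +1` treats a job queued for just over a day as old, which is short for a print server whose printers are offline over a weekend; consider making the age a profile option.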
diff --git a/include/tests_scheduling b/include/tests_scheduling
index 2e2c1b8b..33f1f8a1 100644
--- a/include/tests_scheduling
+++ b/include/tests_scheduling
@@ -36,8 +36,9 @@
Register --test-no SCHD-7702 --weight L --network NO --category security --description "Check status of cron daemon"
if [ ${SKIPTEST} -eq 0 ]; then
FIND=$(${PSBINARY} aux | ${EGREPBINARY} "( cron$|/cron(d)? )")
- if [ -z "${FIND}" ]; then
+ if IsEmpty "${FIND}"; then
LogText "Result: no cron daemon found"
+ AddHP 3 3
else
LogText "Result: cron daemon running"
CROND_RUNNING=1
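Review bot: awarding `AddHP 3 3` in the "no cron daemon found" branch gives full hardening points for a state that may well be a detection miss. The pattern `( cron$|/cron(d)? )` only matches a process that shows as exactly `... cron` at end of line or a path ending in `/cron` or `/crond` followed by a space, so `crond -n`, `cron -f` without a path, or a busybox `crond` started without a leading slash are all reported as "no cron daemon". Either widen the pattern (anchor on the basename with `(^|/)crond?( |$)`, or use the `IsRunning` helper that `tests_tooling` calls in this patch) or score the absent case neutrally rather than as a full pass.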
@@ -63,42 +64,42 @@
if IsWorldWritable ${CRONTAB_FILE}; then LogText "Result: insecure file permissions for cronjob file ${CRONTAB_FILE}"; Report "insecure_fileperms_cronjob[]=${CRONTAB_FILE}"; BAD_FILE_PERMISSIONS=1; AddHP 0 5; fi
if ! IsOwnedByRoot ${CRONTAB_FILE}; then LogText "Result: incorrect owner found for cronjob file ${CRONTAB_FILE}"; Report "bad_fileowner_cronjob[]=${CRONTAB_FILE}"; BAD_FILE_OWNERSHIP=1; AddHP 0 5; fi
FindCronJob ${CRONTAB_FILE}
- for I in ${sCRONJOBS}; do
- LogText "Found cronjob (${CRONTAB_FILE}): ${I}"
- Report "cronjob[]=${I}"
+ for ITEM in ${sCRONJOBS}; do
+ LogText "Found cronjob (${CRONTAB_FILE}): ${ITEM}"
+ Report "cronjob[]=${ITEM}"
done
fi
CRON_DIRS="${ROOTDIR}etc/cron.d"
- for I in ${CRON_DIRS}; do
- LogText "Test: checking directory ${I}"
- if [ -d ${I} ]; then
- if FileIsReadable ${I}; then
- LogText "Result: found directory ${I}"
- LogText "Test: searching files in ${I}"
- FIND=$(${FINDBINARY} ${I} -type f -print | ${GREPBINARY} -v ".placeholder")
- if [ -z "${FIND}" ]; then
- LogText "Result: no files found in ${I}"
+ for DIR in ${CRON_DIRS}; do
+ LogText "Test: checking directory ${DIR}"
+ if [ -d ${DIR} ]; then
+ if FileIsReadable ${DIR}; then
+ LogText "Result: found directory ${DIR}"
+ LogText "Test: searching files in ${DIR}"
+ FIND=$(${FINDBINARY} ${DIR} -type f -print | ${GREPBINARY} -v ".placeholder")
+ if IsEmpty "${FIND}"; then
+ LogText "Result: no files found in ${DIR}"
else
- LogText "Result: found one or more files in ${I}. Analyzing files.."
- for J in ${FIND}; do
- if IsWorldWritable ${J}; then LogText "Result: insecure file permissions for cronjob file ${J}"; Report "insecure_fileperms_cronjob[]=${J}"; BAD_FILE_PERMISSIONS=1; AddHP 0 5; fi
- if ! IsOwnedByRoot ${J}; then LogText "Result: incorrect owner found for cronjob file ${J}"; Report "bad_fileowner_cronjob[]=${J}"; BAD_FILE_OWNERSHIP=1; AddHP 0 5; fi
- FindCronJob ${J}
- if [ ! -z "${sCRONJOBS}" ]; then
+ LogText "Result: found one or more files in ${DIR}. Analyzing files.."
+ for FILE in ${FIND}; do
+ if IsWorldWritable ${FILE}; then LogText "Result: insecure file permissions for cronjob file ${J}"; Report "insecure_fileperms_cronjob[]=${J}"; BAD_FILE_PERMISSIONS=1; AddHP 0 5; fi
+ if ! IsOwnedByRoot ${FILE}; then LogText "Result: incorrect owner found for cronjob file ${J}"; Report "bad_fileowner_cronjob[]=${J}"; BAD_FILE_OWNERSHIP=1; AddHP 0 5; fi
+ FindCronJob ${FILE}
+ if HasData "${sCRONJOBS}"; then
for K in ${sCRONJOBS}; do
- LogText "Result: Found cronjob (${J}): ${K}"
- Report "cronjob[]=${J}"
+ LogText "Result: Found cronjob (${FILE}): ${K}"
+ Report "cronjob[]=${FILE}"
done
fi
done
- LogText "Result: done with analyzing files in ${I}"
+ LogText "Result: done with analyzing files in ${DIR}"
fi
else
- LogText "Result: can not read file or directory ${I}"
+ LogText "Result: can not read file or directory ${DIR}"
fi
else
- LogText "Result: directory ${I} does not exist"
+ LogText "Result: directory ${DIR} does not exist"
fi
done
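Review bot: the loop variable was renamed from `J` to `FILE`, but the two checks inside `for FILE in ${FIND}` still log and report `${J}`: `LogText "Result: insecure file permissions for cronjob file ${J}"` and `Report "insecure_fileperms_cronjob[]=${J}"`, plus the `bad_fileowner_cronjob[]` pair on the next line. `J` is no longer assigned in this loop, so every insecure file in `${ROOTDIR}etc/cron.d` is reported with an empty (or stale) file name while the hardening points are still deducted. Replace the four `${J}` references with `${FILE}`. The inner loop also keeps the short name `K` although the rest of the hunk moved to descriptive names, and `${GREPBINARY} -v ".placeholder"` has an unescaped dot (harmless, but `\.placeholder` states the intent).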
@@ -218,11 +219,11 @@
if [ ${SKIPTEST} -eq 0 ]; then
AT_UNKNOWN=0
case ${OS} in
- FreeBSD) AT_ALLOW="/var/at/at.allow"; AT_DENY="/var/at/at.deny" ;;
- HPUX) AT_ALLOW="/usr/lib/cron/at.allow"; AT_DENY="/usr/lib/cron/at.deny" ;;
- Linux) AT_ALLOW="/etc/at.allow"; AT_DENY="/etc/at.deny" ;;
- OpenBSD) AT_ALLOW="/var/cron/at.allow"; AT_DENY="/var/cron/at.deny" ;;
- SunOS) AT_ALLOW="/etc/cron.d/at.allow"; AT_DENY="/etc/cron.d/at.deny" ;;
+ FreeBSD) AT_ALLOW="${ROOTDIR}var/at/at.allow"; AT_DENY="${ROOTDIR}var/at/at.deny" ;;
+ HPUX) AT_ALLOW="${ROOTDIR}usr/lib/cron/at.allow"; AT_DENY="${ROOTDIR}usr/lib/cron/at.deny" ;;
+ Linux) AT_ALLOW="${ROOTDIR}etc/at.allow"; AT_DENY="${ROOTDIR}etc/at.deny" ;;
+ OpenBSD) AT_ALLOW="${ROOTDIR}var/cron/at.allow"; AT_DENY="${ROOTDIR}var/cron/at.deny" ;;
+ SunOS) AT_ALLOW="${ROOTDIR}etc/cron.d/at.allow"; AT_DENY="${ROOTDIR}etc/cron.d/at.deny" ;;
*) AT_UNKNOWN=1; LogText "Test skipped, files for at unknown" ;;
esac
if [ ${AT_UNKNOWN} -eq 0 ]; then
@@ -232,14 +233,14 @@
if [ ${CANREAD} -eq 1 ]; then
LogText "Result: file ${AT_ALLOW} exists, only listed users can schedule at jobs"
FIND=$(${SORTBINARY} ${AT_ALLOW})
- if [ -z "${FIND}" ]; then
+ if IsEmpty "${FIND}"; then
LogText "Result: File empty, no users are allowed to schedule at jobs"
else
- for I in ${FIND}; do
- LogText "Allowed at user: ${I}"
+ for ITEM in ${FIND}; do
+ LogText "Allowed at user: ${ITEM}"
done
fi
- else
+ else
LogText "Result: can not read ${AT_ALLOW} (no permission)"
fi
else
@@ -253,8 +254,8 @@
if [ -z "${FIND}" ]; then
LogText "Result: file is empty, no users are denied access to schedule jobs"
else
- for I in ${FIND}; do
- LogText "Denied at user: ${I}"
+ for ITEM in ${FIND}; do
+ LogText "Denied at user: ${ITEM}"
done
fi
else
@@ -281,10 +282,10 @@
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Check scheduled at jobs"
FIND=$(atq | ${GREPBINARY} -v "no files in queue" | ${AWKBINARY} '{gsub("\t"," ");print}' | ${SEDBINARY} 's/ /!space!/g')
- if [ ! -z "${FIND}" ]; then
+ if HasData "${FIND}"; then
LogText "Result: found one or more jobs"
- for I in ${FIND}; do
- VALUE=$(echo ${I} | ${SEDBINARY} 's/!space!/ /g')
+ for ITEM in ${FIND}; do
+ VALUE=$(echo ${ITEM} | ${SEDBINARY} 's/!space!/ /g')
LogText "Found at job: ${VALUE}"
done
Display --indent 4 --text "- Checking at jobs" --result "${STATUS_FOUND}" --color GREEN
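Review bot: `atq` is called bare rather than through a binary variable or `${ROOTDIR}` prefix, which is inconsistent with the rest of this patch, and `grep -v "no files in queue"` depends on an English message; on a system where `atq` is missing the command substitution silently yields an empty `FIND` and the test reports no jobs rather than a skipped test. Check for the binary first and skip with a log line when it is absent.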
diff --git a/include/tests_shells b/include/tests_shells
index c6c1cff5..d79560e9 100644
--- a/include/tests_shells
+++ b/include/tests_shells
@@ -88,7 +88,7 @@
else
LogText "Shell ${I} not installed. Probably a dummy or non existing shell."
fi
- done
+ done
Display --indent 4 --text "Result: found ${CSSHELLS_ALL} shells (valid shells: ${CSSHELLS})."
else
LogText "Result: /etc/shells not found, skipping test"
@@ -203,14 +203,14 @@
LogText "Result: could not find export, readonly or typeset -r in /etc/profile"
fi
fi
- else
+ else
LogText "Result: skip /etc/profile.d directory test, directory not available on this system"
fi
if [ ${IDLE_TIMEOUT} -eq 1 ]; then
Display --indent 4 --text "- Session timeout settings/tools" --result "${STATUS_FOUND}" --color GREEN
AddHP 3 3
- else
+ else
Display --indent 4 --text "- Session timeout settings/tools" --result "${STATUS_NONE}" --color YELLOW
AddHP 1 3
fi
diff --git a/include/tests_squid b/include/tests_squid
index 6d36baa3..a86e083d 100644
--- a/include/tests_squid
+++ b/include/tests_squid
@@ -201,63 +201,62 @@
if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! "${SQUID_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no SQD-3620 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check Squid access control lists"
if [ ${SKIPTEST} -eq 0 ]; then
- N=0
+ COUNT=0
LogText "Test: checking ACLs"
FIND=$(${GREPBINARY} "^acl " ${SQUID_DAEMON_CONFIG} | ${SEDBINARY} 's/ /!space!/g')
if [ "${FIND}" = "" ]; then
LogText "Result: No ACLs found"
Display --indent 6 --text "- Checking Access Control Lists" --result "${STATUS_NONE}" --color RED
else
- for I in ${FIND}; do
- N=$((N + 1))
- I=$(echo ${I} | ${SEDBINARY} 's/!space!/ /g')
- LogText "Found ACL: ${I}"
- #Report "squid_acl=${I}"
+ for ITEM in ${FIND}; do
+ COUNT=$((COUNT + 1))
+ ITEM=$(echo ${ITEM} | ${SEDBINARY} 's/!space!/ /g')
+ LogText "Found ACL: ${ITEM}"
+ #Report "squid_acl=${ITEM}" # TODO
done
- LogText "Result: Found ${N} ACLs"
- Display --indent 6 --text "- Checking Access Control Lists" --result "${N} ACLs FOUND" --color GREEN
+ LogText "Result: Found ${COUNT} ACLs"
+ Display --indent 6 --text "- Checking Access Control Lists" --result "${COUNT} ACLs FOUND" --color GREEN
fi
fi
#
#################################################################################
#
- # Test : SQD-3624 [T]
+ # Test : SQD-3624
# Description : Check unsecure ports in Safe_ports list
if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! "${SQUID_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no SQD-3624 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check Squid safe ports"
if [ ${SKIPTEST} -eq 0 ]; then
- N=0
LogText "Test: checking ACL Safe_ports http_access option"
FIND=$(${GREPBINARY} "^http_access" ${SQUID_DAEMON_CONFIG} | ${GREPBINARY} "Safe_ports")
- if [ -z "${FIND}" ]; then
+ if IsEmpty "${FIND}"; then
LogText "Result: no Safe_ports found"
Display --indent 6 --text "- Checking ACL 'Safe_ports' http_access option" --result "${STATUS_NOT_FOUND}" --color YELLOW
ReportSuggestion ${TEST_NO} "Check if Squid has been configured to restrict access to all safe ports"
else
LogText "Result: checking ACL safe ports"
FIND2=$(${GREPBINARY} "^acl Safe_ports port" ${SQUID_DAEMON_CONFIG} | ${AWKBINARY} '{ print $4 }')
- if [ -z "${FIND2}" ]; then
+ if IsEmpty "${FIND2}"; then
Display --indent 6 --text "- Checking ACL 'Safe_ports' ports" --result "NONE FOUND" --color YELLOW
ReportSuggestion ${TEST_NO} "Check if Squid has been configured for which ports it can allow outgoing traffic (Safe_ports)"
AddHP 0 1
else
LogText "Result: Safe_ports found"
- for I in ${FIND}; do
- LogText "Found safe port: ${I}"
+ for ITEM in ${FIND}; do
+ LogText "Found safe port: ${ITEM}"
done
Display --indent 6 --text "- Checking ACL 'Safe_ports' ports" --result "${STATUS_FOUND}" --color GREEN
AddHP 1 1
fi
- #SQUID_DAEMON_UNSAFE_PORTS_LIST
- for I in ${SQUID_DAEMON_UNSAFE_PORTS_LIST}; do
- LogText "Test: Checking port ${I} in Safe_ports list"
- FIND2=$(${GREPBINARY} -w "^acl Safe_ports port ${I}" ${SQUID_DAEMON_CONFIG})
- if [ -z "${FIND2}" ]; then
- Display --indent 6 --text "- Checking ACL 'Safe_ports' (port ${I})" --result "${STATUS_NOT_FOUND}" --color GREEN
+
+ for ITEM in ${SQUID_DAEMON_UNSAFE_PORTS_LIST}; do
+ LogText "Test: Checking port ${ITEM} in Safe_ports list"
+ FIND2=$(${GREPBINARY} -w "^acl Safe_ports port ${ITEM}" ${SQUID_DAEMON_CONFIG})
+ if IsEmpty "${FIND2}"; then
+ Display --indent 6 --text "- Checking ACL 'Safe_ports' (port ${ITEM})" --result "${STATUS_NOT_FOUND}" --color GREEN
AddHP 1 1
else
- Display --indent 6 --text "- Checking ACL 'Safe_ports' (port ${I})" --result "${STATUS_FOUND}" --color RED
- ReportWarning ${TEST_NO} "Squid configuration possibly allows relaying traffic via configured Safe_port ${I}"
+ Display --indent 6 --text "- Checking ACL 'Safe_ports' (port ${ITEM})" --result "${STATUS_FOUND}" --color RED
+ ReportWarning ${TEST_NO} "Squid configuration possibly allows relaying traffic via configured Safe_port ${ITEM}"
AddHP 0 1
fi
done
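Review bot: two logic problems in the SQD-3624 hunk. First, the "Found safe port" loop iterates over `${FIND}`, which holds the matching `http_access ... Safe_ports` lines, not over `${FIND2}`, the port list extracted from `acl Safe_ports port`; the log therefore prints words of the http_access line as ports. Second, the unsafe-port check `grep -w "^acl Safe_ports port ${ITEM}"` only matches when `${ITEM}` is the first port on the line, so `acl Safe_ports port 80 25` or a range such as `acl Safe_ports port 1025-65535` that covers a listed port is missed and scored as OK. Compare every field after `port` (an awk loop over `$4..$NF` that also expands `low-high` ranges) instead of a single anchored grep. Smaller: dropping `COUNT=0` from this test and from SQD-3630 is correct since neither uses it, but SQD-3620 still carries the commented `#Report "squid_acl=${ITEM}" # TODO`; either emit the report or say why it is held back.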
@@ -277,10 +276,9 @@
if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! -z "${SQUID_DAEMON_CONFIG}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no SQD-3630 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check Squid reply_body_max_size option"
if [ ${SKIPTEST} -eq 0 ]; then
- N=0
LogText "Test: checking option reply_body_max_size"
FIND=$(${GREPBINARY} "^reply_body_max_size " ${SQUID_DAEMON_CONFIG} | ${SEDBINARY} 's/ /!space!/g')
- if [ -z "${FIND}" ]; then
+ if IsEmpty "${FIND}"; then
LogText "Result: option reply_body_max_size not configured"
Display --indent 6 --text "- Checking option: reply_body_max_size" --result "${STATUS_NONE}" --color RED
AddHP 1 2
diff --git a/include/tests_time b/include/tests_time
index f08ce0d8..05781c81 100644
--- a/include/tests_time
+++ b/include/tests_time
@@ -250,30 +250,30 @@
if [ ${NTPD_RUNNING} -eq 1 -a ! -z "${NTPQBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no TIME-3116 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check peers with stratum value of 16"
if [ ${SKIPTEST} -eq 0 ]; then
- N=0
+ COUNT=0
LogText "Test: Checking stratum 16 sources from ntpq peers list"
FIND=$(${NTPQBINARY} -p -n | ${AWKBINARY} '{ if ($2!=".POOL." && $3=="16") { print $1 }}')
if [ -z "${FIND}" ]; then
Display --indent 2 --text "- Checking high stratum ntp peers" --result "${STATUS_OK}" --color GREEN
LogText "Result: All peers are lower than stratum 16"
else
- for I in ${FIND}; do
- LogText "Found stratum 16 peer: ${I}"
- FIND2=$(${EGREPBINARY} "^ntp:ignore_stratum_16_peer:${I}:" ${PROFILE})
- if [ -z "${FIND2}" ]; then
- N=$((N + 1))
- Report "ntp_stratum_16_peer[]=${I}"
+ for ITEM in ${FIND}; do
+ LogText "Found stratum 16 peer: ${ITEM}"
+ FIND2=$(${EGREPBINARY} "^ntp:ignore_stratum_16_peer:${ITEM}:" ${PROFILE})
+ if IsEmpty "${FIND2}"; then
+ COUNT=$((COUNT + 1))
+ Report "ntp_stratum_16_peer[]=${ITEM}"
else
- LogText "Output: host ${I} ignored by profile"
+ LogText "Output: host ${ITEM} ignored by profile"
fi
done
# Check if one or more high stratum time servers are found
- if [ ${N} -eq 0 ]; then
+ if [ ${COUNT} -eq 0 ]; then
Display --indent 2 --text "- Checking high stratum ntp peers" --result "${STATUS_OK}" --color GREEN
LogText "Result: all non local servers are lower than stratum 16, or whitelisted within the scan profile"
else
Display --indent 2 --text "- Checking high stratum ntp peers" --result "${STATUS_WARNING}" --color RED
- LogText "Result: Found one or more high stratum (16) peers)"
+ LogText "Result: Found ${COUNT} high stratum (16) peers)"
ReportSuggestion ${TEST_NO} "Check ntpq peers output for stratum 16 peers"
fi
fi
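Review bot: the log line now reads `Found ${COUNT} high stratum (16) peers)` with an unbalanced closing parenthesis carried over from the old string; drop the trailing `)`. The profile lookup `${EGREPBINARY} "^ntp:ignore_stratum_16_peer:${ITEM}:"` interpolates the peer address unescaped into an ERE, so each dot matches any character; harmless for these values, but a fixed-string match (`-F`) or escaped dots is the correct tool. Finally, excluding only `.POOL.` entries still flags peers that show stratum 16 because they have not responded yet (refid `.INIT.` or `.STEP.` shortly after ntpd starts), so a scan right after boot produces a warning that disappears minutes later; the suggestion text could say so, or the test could skip those refids as well.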
@@ -457,7 +457,7 @@
fi
LogText "Information: step-tickers is used by ntpdate where as ntp.conf is the configuration file for the ntpd daemon. ntpdate is initially run to set the clock before ntpd to make sure time is within 1000 sec."
LogText "Risk: ntp will not run at boot if the time difference between the server and client by more then 1000 sec."
- else
+ else
LogText "Result: test skipped because ${FILE} not found"
fi
fi
diff --git a/include/tests_tooling b/include/tests_tooling
index ef02c035..f9f13071 100644
--- a/include/tests_tooling
+++ b/include/tests_tooling
@@ -31,6 +31,8 @@
FAIL2BAN_EMAIL=0
FAIL2BAN_SILENT=0
PERFORM_FAIL2BAN_TESTS=0
+ SNORT_FOUND=0
+ SNORT_RUNNING=0
#
#################################################################################
#
@@ -160,7 +162,7 @@
#
#################################################################################
#
-# Intrusion Prevention tools
+# Intrusion Detection and Prevention tools
#
#################################################################################
#
@@ -285,7 +287,7 @@
# if [ ! -z "${CHECK_CHAINS}" ]; then
# LogText "Result: found at least one iptables chain for fail2ban"
# Display --indent 4 --text "- Checking for Fail2ban iptables chain" --result "${STATUS_OK}" --color GREEN
- # else
+ # else
# LogText "Result: Fail2ban installed but iptables chain not present - fail2ban will not work"
# Display --indent 4 --text "- Checking for Fail2ban iptables chain" --result "${STATUS_WARNING}" --color RED
# AddHP 0 3
@@ -300,6 +302,52 @@
#
#################################################################################
#
+ # Test : TOOL-5120
+ # Description : Check for Snort
+ Register --test-no TOOL-5120 --weight L --network NO --category security --description "Check for presence of Snort"
+ if [ ${SKIPTEST} -eq 0 ]; then
+
+ # Snort presence
+ if [ -n "${SNORTBINARY}" ]; then
+ SNORT_FOUND=1
+ IDS_IPS_TOOL_FOUND=1
+ LogText "Result: Snort is installed (${SNORTBINARY})"
+ Report "ids_ips_tooling[]=snort"
+ Display --indent 2 --text "- Checking presence of Snort" --result "${STATUS_FOUND}" --color GREEN
+ fi
+
+ IsRunning snort
+ if [ ${SNORT_RUNNING} -eq 1 ]; then
+ SNORT_FOUND=1
+ SNORT_RUNNING=1
+ SNORT_LOG=$(${PSBINARY} | ${AWKBINARY} -F-.. '/snort/ {print $4}' | ${HEADBINARY} -1)
+ else
+ LogText "Result: Snort not present (Snort not running)"
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : TOOL-5122
+ # Description : Check for Snort configuration
+ Register --test-no TOOL-5122 --weight L --network NO --category security --description "Check Snort configuration file"
+ if [ ${SKIPTEST} -eq 0 ]; then
+
+ # Continue if tooling is available and snort is running
+ if [ -n ${SNORT_FOUND} ] || [ -n ${SNORT_RUNNING} ]; then
+ if [ ${SNORT_FOUND} -eq 1 ] && [ ${SNORT_RUNNING} -eq 1 ]; then
+ SNORT_CONFIG=$(${PSBINARY} | ${AWKBINARY} -F-.. '/snort/ {print $3}' | ${HEADBINARY} -1)
+ if HasData "${SNORT_CONFIG}"; then
+ LogText "Result: found Snort configuration file: ${SNORT_CONFIG}"
+ Report "snort_config=${SNORT_CONFIG}"
+ fi
+ SNORT=$(which snort 2> /dev/null)
+ fi
+ fi
+ fi
+#
+#################################################################################
+#
# Test : TOOL-5190
# Description : Check for an IDS/IPS tool
Register --test-no TOOL-5190 --weight L --network NO --category security --description "Check presence of IDS/IPS tool"
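Review bot: TOOL-5120 never learns whether Snort is running. `IsRunning snort` is called, but the next line tests `${SNORT_RUNNING}`, which is initialised to 0 at the top of the file and is not set by the helper; the `then` branch (which would set `SNORT_RUNNING=1`) is therefore unreachable and a running Snort is always logged as "Snort not present (Snort not running)". Check which variable `IsRunning` sets and derive `SNORT_RUNNING` from it. Further problems in the same two tests: `${PSBINARY}` is invoked without `ax`/`aux`, so only processes on the current terminal are listed, and the `-F-..` awk split with `$3`/`$4` is a fragile guess at the `-c`/`-l` option layout; `[ -n ${SNORT_FOUND} ] || [ -n ${SNORT_RUNNING} ]` is always true because the unquoted operands are never empty; the inner condition requires Snort to be both installed and running before the configuration file is looked up, so an installed-but-stopped Snort gets no config check; `SNORT_LOG` and `SNORT=$(which snort 2> /dev/null)` are assigned but never used (and `SNORTBINARY` already exists); and neither test emits a `Display` or `Report` line for the not-found case. Suggest setting `SNORT_RUNNING` from the helper, extracting the config path by locating the `-c` argument in the process command line, and dropping the dead assignments.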
diff --git a/include/tests_webservers b/include/tests_webservers
index c72d7037..597d1066 100644
--- a/include/tests_webservers
+++ b/include/tests_webservers
@@ -87,7 +87,7 @@
else
PREQS_MET="NO"
fi
- else
+ else
PREQS_MET="NO"
fi
Register --test-no HTTP-6624 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Testing main Apache configuration file"
@@ -193,6 +193,9 @@
#
#################################################################################
#
+ # TODO
+ # Do you have Apache running and want to contribute? Help us testing this control and send in a pull request
+
# Test : HTTP-6630
# Description : Search for all loaded modules
#if [ ${APACHE_INSTALLED} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
@@ -219,24 +222,24 @@
Register --test-no HTTP-6632 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Determining all available Apache modules"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: searching available Apache modules"
- N=0
- for I in ${APACHE_MODULES_LOCS}; do
- DirectoryExists ${I}
+ COUNT=0
+ for DIR in ${APACHE_MODULES_LOCS}; do
+ DirectoryExists ${DIR}
if [ ${DIRECTORY_FOUND} -eq 1 ]; then
- FIND=$(find ${I} -name "mod_*" -print | sort)
- for J in ${FIND}; do
- Report "apache_module[]=${J}"
- LogText "Result: found Apache module ${J}"
- N=$((N + 1))
+ FIND=$(${FINDBINARY} ${DIR} -name "mod_*" -print | ${SORTBINARY})
+ for ITEM in ${FIND}; do
+ Report "apache_module[]=${ITEM}"
+ LogText "Result: found Apache module ${ITEM}"
+ COUNT=$((COUNT + 1))
done
fi
done
- if [ ${N} -eq 0 ]; then
+ if [ ${COUNT} -eq 0 ]; then
Display --indent 4 --text "* Loadable modules" --result "${STATUS_NONE}" --color WHITE
ReportException "${TEST_NO}:1" "No loadable Apache modules found"
else
- Display --indent 4 --text "* Loadable modules" --result "${STATUS_FOUND}" --color GREEN
- Display --indent 8 --text "- Found ${N} loadable modules"
+ Display --indent 4 --text "* Loadable modules" --result "${STATUS_FOUND} (${COUNT})" --color GREEN
+ Display --indent 8 --text "- Found ${COUNT} loadable modules"
fi
fi
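Review bot: the found branch now prints the module count twice, once inside the result column as `${STATUS_FOUND} (${COUNT})` and again on the next line as `Found ${COUNT} loadable modules`; keep one. Also `${FINDBINARY} ${DIR} -name "mod_*"` matches any file name starting with `mod_`, not only shared objects, so a stray `mod_foo.conf` or backup file in the modules directory is reported as a loadable module; `-name "mod_*.so"` (or checking the file type) would be more precise.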
#
@@ -300,7 +303,7 @@
#
#################################################################################
#
- # Test : HTTP-6660
+ # Test : HTTP-6660 TODO
# Description : Search for "TraceEnable off" in configuration files
#
#################################################################################
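Review bot: appending `TODO` to the `# Test : HTTP-6660` header line says nothing about what is still pending and puts a marker into the one line readers and tools scan for the test id. Use a separate `# TODO` line with the reason stated, as the HTTP-6630 header above already does.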
@@ -311,7 +314,7 @@
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: searching running nginx process"
FIND=$(${PSBINARY} ax | ${GREPBINARY} "/nginx" | ${GREPBINARY} "master" | ${GREPBINARY} -v "grep")
- if [ ! -z "${FIND}" ]; then
+ if HasData "${FIND}"; then
LogText "Result: found running nginx process(es)"
Display --indent 2 --text "- Checking nginx" --result "${STATUS_FOUND}" --color GREEN
NGINX_RUNNING=1
@@ -330,14 +333,14 @@
Register --test-no HTTP-6704 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check nginx configuration file"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: searching nginx configuration file"
- for I in ${NGINX_CONF_LOCS}; do
- if [ -f ${I}/nginx.conf ]; then
- NGINX_CONF_LOCATION="${I}/nginx.conf"
+ for DIR in ${NGINX_CONF_LOCS}; do
+ if [ -f ${DIR}/nginx.conf ]; then
+ NGINX_CONF_LOCATION="${DIR}/nginx.conf"
LogText "Found file ${NGINX_CONF_LOCATION}"
- NGINX_CONF_FILES="${I}/nginx.conf"
+ NGINX_CONF_FILES="${DIR}/nginx.conf"
fi
done
- if [ ! -z "${NGINX_CONF_LOCATION}" ]; then
+ if HasData "${NGINX_CONF_LOCATION}"; then
LogText "Result: found nginx configuration file"
Report "nginx_main_conf_file=${NGINX_CONF_LOCATION}"
Display --indent 4 --text "- Searching nginx configuration file" --result "${STATUS_FOUND}" --color GREEN
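Review bot: in the `for DIR in ${NGINX_CONF_LOCS}` loop both `NGINX_CONF_LOCATION` and `NGINX_CONF_FILES` are overwritten on every match, so when more than one directory holds an nginx.conf the last one in the list wins and the earlier finds are logged but then dropped. Either `break` after the first match (and document that the list is in priority order) or append with `NGINX_CONF_FILES="${NGINX_CONF_FILES} ${DIR}/nginx.conf"` if all of them should be parsed. The `-f ${DIR}/nginx.conf` test should quote the path.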
@@ -357,7 +360,7 @@
if [ ${SKIPTEST} -eq 0 ]; then
# Remove temp file
if [ ! -z "${TMPFILE}" ]; then if [ -f ${TMPFILE} ]; then rm -f ${TMPFILE}; fi; fi
- N=0
+ COUNT=0
${SEDBINARY} -e 's/^[ ]*//' ${NGINX_CONF_LOCATION} | ${GREPBINARY} -v "^#" | ${GREPBINARY} -v "^$" | ${SEDBINARY} 's/[ ]/ /g' | ${SEDBINARY} 's/ / /g' | ${SEDBINARY} 's/ / /g' >> ${TMPFILE}
# Search for included configuration files (may include directories and wild cards)
FIND=$(${GREPBINARY} "include" ${NGINX_CONF_LOCATION} | ${AWKBINARY} '{ if ($1=="include") { print $2 }}' | ${SEDBINARY} 's/;$//g')
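Review bot: the `[ ! -z "${TMPFILE}" ]` test on the temp-file cleanup line was left untouched while the same idiom was converted to `HasData` in the neighbouring hunks of this file; convert it too so the function uses one style. The rename to COUNT also stops short of the loop variable `J` used in the include-file loop that follows, leaving the two halves of the function with mixed naming.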
@@ -366,7 +369,7 @@
for J in ${FIND2}; do
# Ensure that we are parsing normal files
if [ -f ${J} ]; then
- N=$((N + 1))
+ COUNT=$((COUNT + 1))
LogText "Result: found Nginx configuration file ${J}"
Report "nginx_sub_conf_file[]=${J}"
FileIsReadable ${J}
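Review bot: the loop variable `J` (and `${J}` in the `[ -f ${J} ]` test, the LogText, the Report and the FileIsReadable call) was not renamed in this pass even though single-letter loop variables became DIR, FILE and ITEM elsewhere in this change; renaming it to FILE here keeps the function consistent. `[ -f ${J} ]` should also quote the path.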
@@ -390,10 +393,10 @@
# Remove unsorted file for next tests
if [ -f ${TMPFILE} ]; then rm -f ${TMPFILE}; fi
- if [ ${N} -eq 0 ]; then
+ if [ ${COUNT} -eq 0 ]; then
LogText "Result: no nginx include statements found"
else
- Display --indent 6 --text "- Found nginx includes" --result "${N} FOUND" --color GREEN
+ Display --indent 6 --text "- Found nginx includes" --result "${COUNT} FOUND" --color GREEN
fi
fi
#
@@ -407,14 +410,14 @@
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: start parsing all discovered nginx options"
Display --indent 4 --text "- Parsing configuration options"
- for I in ${NGINX_CONF_FILES}; do
- FILENAME=$(echo ${I} | ${AWKBINARY} -F/ '{print $NF}')
+ for FILE in ${NGINX_CONF_FILES}; do
+ FILENAME=$(echo ${FILE} | ${AWKBINARY} -F/ '{print $NF}')
if [ ! "${FILENAME}" = "mime.types" ]; then
- if FileIsReadable ${I}; then
- Display --indent 8 --text "- ${I}"
- ParseNginx ${I}
+ if FileIsReadable ${FILE}; then
+ Display --indent 8 --text "- ${FILE}"
+ ParseNginx ${FILE}
else
- Display --indent 8 --text "- ${I}" --result "SKIPPED (NOT READABLE)" --color YELLOW
+ Display --indent 8 --text "- ${FILE}" --result "SKIPPED (NOT READABLE)" --color YELLOW
fi
else
LogText "Result: this configuration file is skipped, as it contains usually no interesting details"
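Review bot: `FILENAME=$(echo ${FILE} | ${AWKBINARY} -F/ '{print $NF}')` spawns two processes per configuration file just to strip the directory; the POSIX parameter expansion `FILENAME="${FILE##*/}"` does the same with no dependency on AWKBINARY. Note also that `FileIsReadable ${FILE}` is used here as a command whose exit status is tested, whereas the include-file loop above calls `FileIsReadable ${J}` for its side effect only; if the helper does both, a comment saying so would help, otherwise one of the two call sites is wrong.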
diff --git a/lynis b/lynis
index 4bea2051..094c1479 100755
--- a/lynis
+++ b/lynis
@@ -34,7 +34,7 @@
PROGRAM_AUTHOR_CONTACT="lynis-dev@cisofy.com"
# Version details
- PROGRAM_RELEASE_DATE="2017-04-23"
+ PROGRAM_RELEASE_DATE="2017-04-30"
PROGRAM_RELEASE_TIMESTAMP=1490800090
PROGRAM_RELEASE_TYPE="dev" # dev or final
PROGRAM_VERSION="2.5.0"
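Review bot: `PROGRAM_RELEASE_DATE` is bumped to 2017-04-30 but `PROGRAM_RELEASE_TIMESTAMP=1490800090` on the next line is unchanged; that epoch value falls in late March 2017, so the two no longer describe the same release (they already disagreed with the old 2017-04-23 date). Update the timestamp together with the date, ideally deriving one from the other in the release script so they cannot drift.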
@@ -416,7 +416,7 @@ ${YELLOW}Note: ${WHITE}Cancelling the program can leave temporary files behind${
if [ ${WRONGOPTION} -eq 1 ]; then
echo " ${RED}Error${NORMAL}: ${WHITE}Invalid option '${WRONGOPTION_value}'${NORMAL}"
- else
+ else
if [ ${VIEWHELP} -eq 0 ]; then
echo " ${RED}No command provided.${WHITE} Exiting..${NORMAL}"
echo ""
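Review bot: this hunk, and several later ones in lynis, custom_plugin.template, plugin_pam_phase1 and plugin_systemd_phase1, only reindents an `else` line; mixing whitespace-only edits into a bulk change with functional edits makes the real changes harder to review and to bisect. Consider a separate whitespace commit, or at least review this change with `git diff -w` to see which hunks actually alter behaviour.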
@@ -572,13 +572,13 @@ ${NORMAL}
if [ -z "${PLUGINDIR}" ]; then
#LogText "Result: Searching for plugindir"
tPLUGIN_TARGETS="/usr/local/lynis/plugins /usr/local/share/lynis/plugins /usr/share/lynis/plugins /etc/lynis/plugins ./plugins"
- for I in ${tPLUGIN_TARGETS}; do
- if [ -d ${I} -a -z "${PLUGINDIR}" ]; then
- PLUGINDIR=${I}
+ for DIR in ${tPLUGIN_TARGETS}; do
+ if [ -d ${DIR} -a -z "${PLUGINDIR}" ]; then
+ PLUGINDIR=${DIR}
Debug "Result: found plugindir ${PLUGINDIR}"
fi
done
- else
+ else
Debug "Plugin was already set before to ${PLUGINDIR} (most likely via program argument or profile)"
fi
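Review bot: `./plugins` remains the last entry in `tPLUGIN_TARGETS`, so when none of the system directories exist the plugin directory is resolved relative to the caller's current working directory, and plugins found there are sourced into a script that usually runs as root. Resolve the fallback relative to the location of the lynis script itself rather than the cwd, or require an explicit `--plugindir` for non-standard locations, and log a warning whenever the fallback is used. The loop could also `break` once PLUGINDIR is set instead of re-testing `-z "${PLUGINDIR}"` for every remaining candidate, and `-d ${DIR}` should quote the path.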
@@ -706,9 +706,9 @@ ${NORMAL}
fi
# Test for older releases, without testing via update mechanism
- if [ "$OS" = "Solaris" ]; then
+ if [ "${OS}" = "Solaris" ]; then
NOW=$(nawk 'BEGIN{print srand()}')
- else
+ else
NOW=$(date "+%s")
fi
@@ -780,7 +780,7 @@ ${NORMAL}
#################################################################################
#
# Check for systemd presence
- if [ -d /lib/systemd/system -a -f /usr/lib/systemd/systemd ]; then
+ if [ -d ${ROOTDIR}lib/systemd/system -a -f ${ROOTDIR}usr/lib/systemd/systemd ]; then
LogText "Result: systemd is using systemd"
HAS_SYSTEMD=1
Report "systemd=1"
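Review bot: `${ROOTDIR}lib/systemd/system` and `${ROOTDIR}usr/lib/systemd/systemd` assume ROOTDIR is non-empty and ends with a slash; if it is ever empty the paths become relative and the check silently fails. Either normalise ROOTDIR to always carry the trailing slash where it is set and document that convention, or write `${ROOTDIR%/}/lib/systemd/system`. The log text on the following line, "systemd is using systemd", should read "system is using systemd".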
@@ -796,7 +796,7 @@ ${NORMAL}
Display --indent 2 --text "- ${GEN_VERBOSE_MODE}" --result "YES" --color GREEN
if IsDebug; then
Display --indent 2 --text "- ${GEN_DEBUG_MODE}" --result "YES" --color GREEN
- else
+ else
Display --indent 2 --text "- ${GEN_DEBUG_MODE}" --result "NO" --color RED
fi
fi
diff --git a/plugins/custom_plugin.template b/plugins/custom_plugin.template
index 8890cec1..72ce3ce0 100644
--- a/plugins/custom_plugin.template
+++ b/plugins/custom_plugin.template
@@ -62,7 +62,7 @@
# Check if a directory exists
if [ -d ${DIR} ]; then
LogText "Result: log entry for easier debugging or additional information"
- else
+ else
FOUNDPROBLEM=1
LogText "Result: directory ${DIR} was not found!"
ReportWarning "${TEST_NO}" "This is a test warning line" "${DIR}" "text:Create directory ${DIR}"
@@ -70,7 +70,7 @@
if [ ${FOUNDPROBLEM} -eq 0 ]; then
Display --indent 2 --text "- Checking if everything is OK..." --result OK --color GREEN
- else
+ else
Display --indent 2 --text "- Checking if everything is OK..." --result WARNING --color RED
ReportSuggestion ${TEST_NO} "This is a suggestion"
fi
diff --git a/plugins/plugin_pam_phase1 b/plugins/plugin_pam_phase1
index 2d890a1f..c67c9aee 100644
--- a/plugins/plugin_pam_phase1
+++ b/plugins/plugin_pam_phase1
@@ -6,12 +6,12 @@
#-----------------------------------------------------
# PLUGIN_AUTHOR=Michael Boelen <michael.boelen@cisofy.com>
# PLUGIN_CATEGORY=authentication
-# PLUGIN_DATE=2017-03-01
+# PLUGIN_DATE=2017-04-30
# PLUGIN_DESC=PAM
# PLUGIN_NAME=pam
# PLUGIN_PACKAGE=all
# PLUGIN_REQUIRED_TESTS=
-# PLUGIN_VERSION=1.0.1
+# PLUGIN_VERSION=1.0.2
#-----------------------------------------------------
#########################################################################
#
@@ -27,8 +27,8 @@
if [ ${SKIPTEST} -eq 0 ]; then
for LINE in $(${GREPBINARY} -v "^#" ${FILE} | ${TRBINARY} -d " "); do
for I in ${LINE}; do
- OPTION=$(echo ${I} | awk -F= '{ print $1 }')
- VALUE=$(echo ${I} | awk -F= '{ print $2 }')
+ OPTION=$(echo ${I} | ${AWKBINARY} -F= '{ print $1 }')
+ VALUE=$(echo ${I} | ${AWKBINARY} -F= '{ print $2 }')
case ${OPTION} in
minlen)
DigitsOnly ${VALUE}
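Review bot: `OPTION=$(echo ${I} | ${AWKBINARY} -F= '{ print $1 }')` and the VALUE line now depend on AWKBINARY being set, but nothing visible checks it, and each spawns two processes per option. The parameter expansions `OPTION="${I%%=*}"` and `VALUE="${I#*=}"` avoid both problems and keep a `=` inside the value intact, which `awk -F=` printing `$2` would truncate.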
@@ -69,8 +69,7 @@
if [ -d ${PAM_DIRECTORY} ]; then
LogText "Result: /etc/pam.d exists"
FIND_FILES=$(find ${PAM_DIRECTORY} -type f -print)
- # First check /etc/pam.conf if it exists.
- #if [ -f /etc/pam.conf ]; then FIND="/etc/pam.conf ${FIND}"; fi
+
for PAM_FILE in ${FIND_FILES}; do
LogText "Now checking PAM file ${PAM_FILE}"
while read line; do
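Review bot: removing the commented-out `/etc/pam.conf` handling drops the only reminder that single-file PAM configurations exist; if they are deliberately out of scope, say so in a comment or LogText, otherwise the plugin silently reports nothing on such hosts. The `FIND_FILES=$(find ${PAM_DIRECTORY} ...)` line still calls bare `find` while the rest of this change moved to `${FINDBINARY}`, and `while read line` should be `while read -r line` so backslashes in PAM arguments are not interpreted.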
@@ -370,7 +369,7 @@ Report "authentication_two_factor_required=${PAM_2F_AUTH_ENABLED}"
if [ ! "${AUTH_UNLOCK_TIME}" = "-1" ]; then
LogText "[PAM] Authentication unlock time: ${AUTH_UNLOCK_TIME}"
Report "authentication_unlock_time=${AUTH_UNLOCK_TIME}"
- else
+else
LogText "[PAM] Authentication unlock time: not configured"
fi
@@ -383,7 +382,7 @@ fi
if [ ! "${MIN_PASSWORD_LENGTH}" = "-1" ]; then
LogText "[PAM] Minimum password length: ${MIN_PASSWORD_LENGTH}"
Report "minimum_password_length=${MIN_PASSWORD_LENGTH}"
- else
+else
LogText "[PAM] Minimum password length: not configured"
fi
@@ -395,7 +394,7 @@ if [ ${PAM_PASSWORD_STRENGTH_TESTED} -eq 1 ]; then
# Show how many password class are required out of 4
LogText "[PAM] Minimum password class out of 4: ${MIN_PASSWORD_CLASS}"
Report "min_password_class=${MIN_PASSWORD_CLASS}"
- else
+ else
LogText "[PAM] Minimum password class setting of ${MIN_PASSWORD_CLASS} out of 4 is ignored since at least 1 class are forced"
Report "min_password_class=ignored"
fi
@@ -445,7 +444,7 @@ fi
if [ ! -z "${MAX_PASSWORD_RETRY}" ]; then
LogText "[PAM] Password maximum retry: ${MAX_PASSWORD_RETRY}"
Report "max_password_retry=${MAX_PASSWORD_RETRY}"
- else
+else
LogText "[PAM] Password maximum retry: Not configured"
fi
@@ -460,7 +459,7 @@ if [ ${PAM_PASSWORD_PWHISTORY_ENABLED} -eq 1 ]; then
LogText "[PAM] Password history with pam_pwhistory enabled: ${PAM_PASSWORD_PWHISTORY_ENABLED}"
LogText "[PAM] Password history with pam_pwhistory amount: ${PAM_PASSWORD_PWHISTORY_AMOUNT}"
Report "password_history_amount=${PAM_PASSWORD_PWHISTORY_AMOUNT}"
- else
+else
LogText "[PAM] Password history with pam_pwhistory IS NOT enabled"
fi
@@ -468,7 +467,7 @@ if [ ${PAM_PASSWORD_UXHISTORY_ENABLED} -eq 1 ]; then
LogText "[PAM] Password history with pam_unix enabled: ${PAM_PASSWORD_UXHISTORY_ENABLED}"
LogText "[PAM] Password history with pam_unix amount: ${PAM_PASSWORD_UXHISTORY_AMOUNT}"
Report "password_history_amount=${PAM_PASSWORD_UXHISTORY_AMOUNT}"
- else
+else
LogText "[PAM] Password history with pam_unix IS NOT enabled"
fi
diff --git a/plugins/plugin_systemd_phase1 b/plugins/plugin_systemd_phase1
index a3544c3d..ef19cac0 100644
--- a/plugins/plugin_systemd_phase1
+++ b/plugins/plugin_systemd_phase1
@@ -16,12 +16,12 @@
#-----------------------------------------------------
# PLUGIN_AUTHOR=Michael Boelen <michael.boelen@cisofy.com>
# PLUGIN_CATEGORY=essentials
-# PLUGIN_DATE=2016-04-28
+# PLUGIN_DATE=2017-04-30
# PLUGIN_DESC=Tests related to systemd tooling
# PLUGIN_NAME=systemd
# PLUGIN_PACKAGE=community
# PLUGIN_REQUIRED_TESTS=
-# PLUGIN_VERSION=1.0.1
+# PLUGIN_VERSION=1.0.2
#-----------------------------------------------------
#
#########################################################################
@@ -42,7 +42,7 @@
FIND=$(${SYSTEMCTLBINARY} > /dev/null)
if [ $? -gt 0 ]; then
Report "systemctl_error_message=${FIND}"
- else
+ else
SYSTEMD_RUNNING=1
fi
Report "systemctl_exit_code=$?"
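Review bot: `Report "systemctl_exit_code=$?"` after the `if` block records the exit status of the last command executed inside the block (the Report or the assignment), not systemctl's; capture it immediately after the call, e.g. `RC=$?`, and report RC. In the same block, `FIND=$(${SYSTEMCTLBINARY} > /dev/null)` sends stdout to /dev/null and leaves stderr uncaptured, so `systemctl_error_message=${FIND}` is always empty; use `2>&1 >/dev/null` if the error text is wanted.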
@@ -63,7 +63,7 @@
Report "systemd_version=${FIND}"
LogText "Result: found systemd version ${FIND}"
fi
- FIND=$(${SYSTEMCTLBINARY} --version 2> /dev/null | grep "^[-+]" | sed 's/[[:space:]]/,/g' | head -1)
+ FIND=`${SYSTEMCTLBINARY} --version 2> /dev/null | grep "^[-+]" | sed 's/[[:space:]]/,/g' | head -1`
if [ ! "${FIND}" = "" ]; then
Report "systemd_builtin_components=${FIND}"
LogText "Result: found builtin components list"
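Review bot: replacing `$(...)` with backticks on the `FIND=` line is a step backwards: `$()` is POSIX, nests cleanly and is what this file itself uses a few lines earlier (`FIND=$(${SYSTEMCTLBINARY} > /dev/null)`); the same substitution appears in most later hunks of this plugin and should be reverted throughout. The pipeline also calls bare `grep`, `sed` and `head` where the rest of this change moved to the `${GREPBINARY}`-style variables.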
@@ -77,7 +77,7 @@
if [ ! "${SYSTEMCTLBINARY}" = "" -a ${SYSTEMD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PLGN-3804 --preqs-met ${PREQS_MET} --weight L --network NO --description "Gather systemd unit files and their status" --progress
if [ ${SKIPTEST} -eq 0 ]; then
- FIND=$(${SYSTEMCTLBINARY} --no-legend list-unit-files 2> /dev/null | ${AWKBINARY} '{ print $1"|"$2"|" }')
+ FIND=`${SYSTEMCTLBINARY} --no-legend list-unit-files 2> /dev/null | ${AWKBINARY} '{ print $1"|"$2"|" }'`
if [ ! "${FIND}" = "" ]; then
LogText "Result: found systemd unit files via systemctl list-unit-files"
for I in ${FIND}; do
@@ -94,7 +94,7 @@
if [ ! "${SYSTEMCTLBINARY}" = "" -a ${SYSTEMD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PLGN-3806 --preqs-met ${PREQS_MET} --weight L --network NO --description "Gather failed systemd units" --progress
if [ ${SKIPTEST} -eq 0 ]; then
- FIND=$(${SYSTEMCTLBINARY} --no-legend --state=failed 2> /dev/null | ${AWKBINARY} '{ if ($4=="failed" && $5=="failed") { print $2 } }')
+ FIND=`${SYSTEMCTLBINARY} --no-legend --state=failed 2> /dev/null | ${AWKBINARY} '{ if ($4=="failed" && $5=="failed") { print $2 } }'`
if [ ! "${FIND}" = "" ]; then
LogText "Result: found systemd unit files via systemctl list-unit-files"
for I in ${FIND}; do
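Review bot: the LogText "found systemd unit files via systemctl list-unit-files" on the line after the `FIND=` assignment is copied from PLGN-3804; this test queries failed units, so the message should say so. The awk filter keys on `$4` and `$5` both being "failed" and prints `$2`, which relies on the marker column systemctl prints in front of failed units; a comment recording that layout assumption would help whoever touches it next.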
@@ -125,11 +125,11 @@
if [ ! "${FINDBINARY}" = "" -a -d /usr/lib/systemd -a ${SYSTEMD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PLGN-3810 --preqs-met ${PREQS_MET} --weight L --network NO --description "Query main systemd binaries" --progress
if [ ${SKIPTEST} -eq 0 ]; then
- FIND=$(find /usr/lib/systemd -maxdepth 1 -type f -name "systemd-*" -printf "%f|")
+ FIND=$(${FINDBINARY} ${ROOTDIR}usr/lib/systemd -maxdepth 1 -type f -name "systemd-*" -printf "%f|")
if [ ! "${FIND}" = "" ]; then
Report "systemd_binaries=${FIND}"
LogText "Result: found systemd binaries in /usr/lib/systemd"
- else
+ else
LogText "Result: no binaries found in /usr/lib/systemd"
fi
fi
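Review bot: the find call now prefixes `${ROOTDIR}`, but the prerequisite check on the Register line above still tests `-d /usr/lib/systemd` without ROOTDIR, and both LogText messages hard-code the same path; apply ROOTDIR in all three places, otherwise the test is skipped or mis-logged whenever ROOTDIR is not `/`. `-printf` is also GNU find specific, which is acceptable for a systemd-only plugin but worth a comment.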
@@ -160,7 +160,7 @@
if [ ! "${FIND}" = "" ]; then
Report "journal_contains_errors=1"
for I in ${FIND}; do
- LINE=$(echo ${I} | sed 's/:space:/ /g')
+ LINE=`echo ${I} | sed 's/:space:/ /g'`
LogText "Output (fails): ${LINE}"
done
else
@@ -176,7 +176,7 @@
if [ ! "${JOURNALCTLBINARY}" = "" -a ${SYSTEMD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PLGN-3816 --preqs-met ${PREQS_MET} --weight L --network NO --description "Query journal for boot related information" --progress
if [ ${SKIPTEST} -eq 0 ]; then
- FIND=$(${JOURNALCTLBINARY} --disk-usage | awk '{ if ($1=="Journals") { print $4 }}')
+ FIND=`${JOURNALCTLBINARY} --disk-usage | awk '{ if ($1=="Journals") { print $4 }}'`
Report "journal_disk_size=${FIND}"
LogText "Result: journals are ${FIND} in size"
fi
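Review bot: the awk filter `$1=="Journals"` ties the result to one exact phrasing of the `journalctl --disk-usage` sentence; if that wording differs, FIND is empty and `journal_disk_size=` is reported with no value and no log entry. Match on the field that follows "up" instead, or check for an empty FIND before reporting. This line also calls bare `awk` where the rest of the change uses `${AWKBINARY}`.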
@@ -188,7 +188,7 @@
if [ ! "${JOURNALCTLBINARY}" = "" -a ${SYSTEMD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PLGN-3818 --preqs-met ${PREQS_MET} --weight L --network NO --description "Query journal meta data" --progress
if [ ${SKIPTEST} -eq 0 ]; then
- FIND=$(${JOURNALCTLBINARY} --header | sed 's/^$/|/g' | tr '\n' ',' | sed 's/[[:space:]]//g')
+ FIND=`${JOURNALCTLBINARY} --header | sed 's/^$/|/g' | tr '\n' ',' | sed 's/[[:space:]]//g'`
Report "journal_meta_data=${FIND}"
fi
#
@@ -228,7 +228,7 @@
if [ ! "${SYSTEMCTLBINARY}" = "" -a ${SYSTEMD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PLGN-3832 --preqs-met ${PREQS_MET} --weight L --network NO --description "Query systemd status for processes which can not be found" --progress
if [ ${SKIPTEST} -eq 0 ]; then
- FIND=$(${SYSTEMCTLBINARY} --no-legend --all --state=not-found 2> /dev/null | awk '{ print $1 }')
+ FIND=`${SYSTEMCTLBINARY} --no-legend --all --state=not-found 2> /dev/null | awk '{ print $1 }'`
if [ ! "${FIND}" = "" ]; then
for I in ${FIND}; do
Report "systemd_unit_not_found[]=${I}"
@@ -243,7 +243,7 @@
if [ ! "${SYSTEMCTLBINARY}" = "" -a ! "${AWKBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PLGN-3834 --preqs-met ${PREQS_MET} --weight L --network NO --description "Collect service units which can not be found in systemd" --progress
if [ ${SKIPTEST} -eq 0 ]; then
- FIND=$(${SYSTEMCTLBINARY} list-units -t service --all | ${AWKBINARY} '{ if ($3=="not-found") { print $2 }}')
+ FIND=`${SYSTEMCTLBINARY} list-units -t service --all | ${AWKBINARY} '{ if ($3=="not-found") { print $2 }}'`
if [ ! "${FIND}" = "" ]; then
LogText "Result: found one or more services with faulty state"
for I in ${FIND}; do
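Review bot: `${SYSTEMCTLBINARY} list-units -t service --all` is the only systemctl call in this plugin without `--no-legend` and `2> /dev/null`; add both so the legend lines and any warnings are not fed into awk or the user's terminal. `print $2` relies on the marker column being present for not-found units, as in PLGN-3806; a comment on that layout would help.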
@@ -261,7 +261,7 @@
Register --test-no PLGN-3856 --preqs-met ${PREQS_MET} --weight L --network NO --description "Query coredumps from journals since Yesterday" --progress
if [ ${SKIPTEST} -eq 0 ]; then
SYSTEMD_COREDUMP_USED=1
- FIND=$(cat /proc/sys/kernel/core_pattern | grep systemd-coredump)
+ FIND=`cat /proc/sys/kernel/core_pattern | grep systemd-coredump`
if [ ! "${FIND}" = "" ]; then
LogText "Result: systemd uses systemd-coredump to handle coredumps"
Report "systemd_coredump_used=1"
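Review bot: `SYSTEMD_COREDUMP_USED=1` is set unconditionally before the core_pattern check, so the variable reads as true even when the grep does not match; initialise it to 0 and set it to 1 only in the match branch next to `Report "systemd_coredump_used=1"`. `cat /proc/sys/kernel/core_pattern | grep systemd-coredump` can be `${GREPBINARY} systemd-coredump /proc/sys/kernel/core_pattern 2> /dev/null`, which drops the extra process and stays quiet on hosts where the file is absent.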
@@ -285,7 +285,7 @@
if [ ! "${FIND}" = "" ]; then
Report "journal_coredumps_lastday=1"
LogText "Result: found recent coredumps"
- else
+ else
Report "journal_coredumps_lastday=0"
LogText "Result: found no coredumps"
fi