diff options
| author | Michael Boelen <michael.boelen@cisofy.com> | 2022-03-14 13:54:55 +0300 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2022-03-14 13:54:55 +0300 |
| commit | 64758216f20bfb198ae45a258fb2bb9e8ecdbc45 (patch) | |
| tree | 4490942f0973e25a044a19499313018e70eef24e | |
| parent | 5cd4b239b58e53bfb7d0d9b57abaccc638c44bed (diff) | |
| parent | 0664dea9469867c6e9ef1883ef5e44861902b776 (diff) | |
Merge pull request #1271 from fizista/symlink_file
Allow symlinks to be used when searching for configuration files
| -rw-r--r-- | include/tests_authentication | 4 | ||||
| -rw-r--r-- | include/tests_boot_services | 8 | ||||
| -rw-r--r-- | include/tests_databases | 2 | ||||
| -rw-r--r-- | include/tests_kernel | 17 | ||||
| -rw-r--r-- | include/tests_logging | 2 | ||||
| -rw-r--r-- | include/tests_scheduling | 4 | ||||
| -rw-r--r-- | include/tests_shells | 4 | ||||
| -rw-r--r-- | include/tests_squid | 2 |
8 files changed, 22 insertions, 21 deletions
diff --git a/include/tests_authentication b/include/tests_authentication index 46d1735b..0552d646 100644 --- a/include/tests_authentication +++ b/include/tests_authentication @@ -607,7 +607,7 @@ Display --indent 4 --text "- Permissions for directory: ${SUDOERS_D}" --result "${STATUS_WARNING}" --color RED ;; esac - SUDO_CONFIG_FILES="${SUDO_CONFIG_FILES} $(${FINDBINARY} ${SUDOERS_D} -type f -print)" + SUDO_CONFIG_FILES="${SUDO_CONFIG_FILES} $(${FINDBINARY} -L ${SUDOERS_D} -type f -print)" fi for f in ${SUDO_CONFIG_FILES}; do LogText "Test: checking file (${f})" @@ -764,7 +764,7 @@ LogText "Result: directory /etc/pam.d exists" Display --indent 2 --text "- PAM configuration files (pam.d)" --result "${STATUS_FOUND}" --color GREEN LogText "Test: searching PAM configuration files" - FIND=$(${FINDBINARY} ${ROOTDIR}etc/pam.d \! -name "*.pam-old" -type f -print | sort) + FIND=$(${FINDBINARY} -L ${ROOTDIR}etc/pam.d \! -name "*.pam-old" -type f -print | sort) for FILE in ${FIND}; do LogText "Found file: ${FILE}" done diff --git a/include/tests_boot_services b/include/tests_boot_services index 4a5fb3df..5901cd70 100644 --- a/include/tests_boot_services +++ b/include/tests_boot_services @@ -347,7 +347,7 @@ FOUND=0 if [ -d "${ROOTDIR}etc/grub.d" ]; then - CONF_FILES=$(${FINDBINARY} "${ROOTDIR}etc/grub.d" -type f -name "[0-9][0-9]*" -print0 | ${TRBINARY} '\0' ' ' | ${TRBINARY} -d '[:cntrl:]') + CONF_FILES=$(${FINDBINARY} -L "${ROOTDIR}etc/grub.d" -type f -name "[0-9][0-9]*" -print0 | ${TRBINARY} '\0' ' ' | ${TRBINARY} -d '[:cntrl:]') CONF_FILES="${GRUBCONFFILE} ${ROOTDIR}boot/grub/custom.cfg ${CONF_FILES}" else CONF_FILES="${GRUBCONFFILE} ${ROOTDIR}boot/grub/custom.cfg" @@ -785,7 +785,7 @@ if [ -d ${DIR} ]; then LogText "Result: directory ${DIR} found" LogText "Test: checking for available files in directory" - FIND=$(${FINDBINARY} ${DIR} -type f -print | ${SORTBINARY}) + FIND=$(${FINDBINARY} -L ${DIR} -type f -print | ${SORTBINARY}) if [ -n "${FIND}" ]; then LogText "Result: found files in directory, checking permissions now" for FILE in ${FIND}; do @@ -809,7 +809,7 @@ for NO in 0 1 2 3 4 5 6; do LogText "Test: Checking ${ROOTDIR}etc/rc${NO}.d scripts for writable bit" if [ -d ${ROOTDIR}etc/rc${NO}.d ]; then - FIND=$(${FINDBINARY} ${ROOTDIR}etc/rc${NO}.d -type f -print | ${SORTBINARY}) + FIND=$(${FINDBINARY} -L ${ROOTDIR}etc/rc${NO}.d -type f -print | ${SORTBINARY}) for I in ${FIND}; do if IsWorldWritable ${I}; then FOUND=1 @@ -1017,7 +1017,7 @@ LogText "Result: directory ${DIR} found" LogText "Test: checking for available files in directory" # OpenBSD uses symlinks to create another instance of daemons - FIND=$(${FINDBINARY} ${CHECKDIR} \( -type f -o -type l \) -print | ${SORTBINARY}) + FIND=$(${FINDBINARY} -L ${CHECKDIR} -type f -print | ${SORTBINARY}) if [ -n "${FIND}" ]; then LogText "Result: found files in directory, checking permissions now" for FILE in ${FIND}; do diff --git a/include/tests_databases b/include/tests_databases index 9a8755bf..f5bc22ae 100644 --- a/include/tests_databases +++ b/include/tests_databases @@ -204,7 +204,7 @@ Register --test-no DBS-1828 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Test PostgreSQL configuration" if [ ${SKIPTEST} -eq 0 ]; then FIND_PATHS="${ROOTDIR}etc/postgres ${ROOTDIR}var/lib/postgres/data ${ROOTDIR}usr/local/pgsql/data" - CONFIG_FILES=$(${FINDBINARY} ${FIND_PATHS} -type f -name "*.conf" -print0 2> /dev/null | ${TRBINARY} -cd '[:print:]\0' | ${TRBINARY} -d '\n' | ${TRBINARY} '\0' '\n' | xargs -i sh -c 'test -r "{}" && echo "{}"' | ${SEDBINARY} "s/ /:space:/g") + CONFIG_FILES=$(${FINDBINARY} -L ${FIND_PATHS} -type f -name "*.conf" -print0 2> /dev/null | ${TRBINARY} -cd '[:print:]\0' | ${TRBINARY} -d '\n' | ${TRBINARY} '\0' '\n' | xargs -i sh -c 'test -r "{}" && echo "{}"' | ${SEDBINARY} "s/ /:space:/g") for CF in ${CONFIG_FILES}; do Report "postgresql_config_file[]=${CF}" LogText "Found configuration file (${CF})" diff --git a/include/tests_kernel b/include/tests_kernel index ffc5b9e0..ad914bfb 100644 --- a/include/tests_kernel +++ b/include/tests_kernel @@ -470,9 +470,9 @@ # check conf files in possibly existing coredump.conf.d folders # using find instead of grep -r to stay POSIX compliant. On AIX and HPUX grep -r is not available. # while there could be multiple files overwriting each other, we are checking the number of occurrences - SYSD_CORED_SUB_PROCSIZEMAX_NR_DISABLED=$(${FINDBINARY} /etc/systemd/coredump.conf.d/ /run/systemd/coredump.conf.d/ /usr/lib/systemd/coredump.conf.d/ -type f -iname "*.conf" -exec ${SEDBINARY} 's/^ *//g' {} \; 2> /dev/null | ${GREPBINARY} -i "^ProcessSizeMax=" | ${CUTBINARY} -d'=' -f2 | ${SEDBINARY} 's/ .*$//g ; s/\([A-Z][a-z]*\)*$//g' | ${GREPBINARY} "^0 *$" | ${WCBINARY} -l) - SYSD_CORED_SUB_PROCSIZEMAX_NR_ENABLED=$(${FINDBINARY} /etc/systemd/coredump.conf.d/ /run/systemd/coredump.conf.d/ /usr/lib/systemd/coredump.conf.d/ -type f -iname "*.conf" -exec ${SEDBINARY} 's/^ *//g' {} \; 2> /dev/null | ${GREPBINARY} -i "^ProcessSizeMax=" | ${CUTBINARY} -d'=' -f2 | ${SEDBINARY} 's/ .*$//g ; s/\([A-Z][a-z]*\)*$//g' | ${GREPBINARY} -v "^0 *$" | ${WCBINARY} -l) - SYSD_CORED_SUB_STORAGE_FOUND=$(${FINDBINARY} /etc/systemd/coredump.conf.d/ /run/systemd/coredump.conf.d/ /usr/lib/systemd/coredump.conf.d/ -type f -iname "*.conf" -exec ${SEDBINARY} 's/^ *//g' {} \; 2> /dev/null | ${GREPBINARY} -i "^Storage=" | ${CUTBINARY} -d'=' -f2 | ${SEDBINARY} 's/ .*$//g') + SYSD_CORED_SUB_PROCSIZEMAX_NR_DISABLED=$(${FINDBINARY} -L /etc/systemd/coredump.conf.d/ /run/systemd/coredump.conf.d/ /usr/lib/systemd/coredump.conf.d/ -type f -iname "*.conf" -exec ${SEDBINARY} 's/^ *//g' {} \; 2> /dev/null | ${GREPBINARY} -i "^ProcessSizeMax=" | ${CUTBINARY} -d'=' -f2 | ${SEDBINARY} 's/ .*$//g ; s/\([A-Z][a-z]*\)*$//g' | ${GREPBINARY} "^0 *$" | ${WCBINARY} -l) + SYSD_CORED_SUB_PROCSIZEMAX_NR_ENABLED=$(${FINDBINARY} -L /etc/systemd/coredump.conf.d/ /run/systemd/coredump.conf.d/ /usr/lib/systemd/coredump.conf.d/ -type f -iname "*.conf" -exec ${SEDBINARY} 's/^ *//g' {} \; 2> /dev/null | ${GREPBINARY} -i "^ProcessSizeMax=" | ${CUTBINARY} -d'=' -f2 | ${SEDBINARY} 's/ .*$//g ; s/\([A-Z][a-z]*\)*$//g' | ${GREPBINARY} -v "^0 *$" | ${WCBINARY} -l) + SYSD_CORED_SUB_STORAGE_FOUND=$(${FINDBINARY} -L /etc/systemd/coredump.conf.d/ /run/systemd/coredump.conf.d/ /usr/lib/systemd/coredump.conf.d/ -type f -iname "*.conf" -exec ${SEDBINARY} 's/^ *//g' {} \; 2> /dev/null | ${GREPBINARY} -i "^Storage=" | ${CUTBINARY} -d'=' -f2 | ${SEDBINARY} 's/ .*$//g') SYSD_CORED_SUB_STORAGE_NR_ENABLED=$(${ECHOCMD} "${SYSD_CORED_SUB_STORAGE_FOUND}" | ${SEDBINARY} 's/none//g' | ${WCBINARY} | ${AWKBINARY} '{print $2}') SYSD_CORED_SUB_STORAGE_NR_DISABLED=$(${ECHOCMD} "${SYSD_CORED_SUB_STORAGE_FOUND}" | ${GREPBINARY} -o "none" | ${WCBINARY} | ${AWKBINARY} '{print $2}') if ( [ ${SYSD_CORED_BASE_PROCSIZEMAX_NR_DISABLED} -ge 1 ] && [ ${SYSD_CORED_BASE_STORAGE_NR_DISABLED} -ge 1 ] && [ ${SYSD_CORED_SUB_PROCSIZEMAX_NR_ENABLED} -eq 0 ] && [ ${SYSD_CORED_SUB_STORAGE_NR_ENABLED} -eq 0 ] ) || \ @@ -513,7 +513,7 @@ LogText "Test: Checking if 'ulimit -c 0' exists in ${ROOTDIR}etc/profile or ${ROOTDIR}etc/profile.d/*.sh" # use tail -1 in the following commands to get the last entry, which is the one that counts (in case of profile.d/ probably counts) ULIMIT_C_VALUE="$(${GREPBINARY} "ulimit -c " ${ROOTDIR}etc/profile 2> /dev/null | ${SEDBINARY} 's/^ *//g' | ${GREPBINARY} -v "^#" | ${TAILBINARY} -1 | ${CUTBINARY} -d' ' -f3 | ${SEDBINARY} 's/ .*$//g ; s/\([A-Z][a-z]*\)*$//g')" - ULIMIT_C_VALUE_SUB="$(${FINDBINARY} ${ROOTDIR}etc/profile.d -name "*.sh" -type f -exec ${CAT_BINARY} {} \; 2> /dev/null | ${GREPBINARY} "ulimit -c " | ${SEDBINARY} 's/^ *//g' | ${GREPBINARY} -v "^#" | ${TAILBINARY} -1 | ${CUTBINARY} -d' ' -f3 | ${SEDBINARY} 's/ .*$//g ; s/\([A-Z][a-z]*\)*$//g')" + ULIMIT_C_VALUE_SUB="$(${FINDBINARY} -L ${ROOTDIR}etc/profile.d -name "*.sh" -type f -exec ${CAT_BINARY} {} \; 2> /dev/null | ${GREPBINARY} "ulimit -c " | ${SEDBINARY} 's/^ *//g' | ${GREPBINARY} -v "^#" | ${TAILBINARY} -1 | ${CUTBINARY} -d' ' -f3 | ${SEDBINARY} 's/ .*$//g ; s/\([A-Z][a-z]*\)*$//g')" if ( [ -n "${ULIMIT_C_VALUE_SUB}" ] && [ "${ULIMIT_C_VALUE_SUB}" = "0" ] ) || ( [ -n "${ULIMIT_C_VALUE}" ] && [ -z "${ULIMIT_C_VALUE_SUB}" ] && [ "${ULIMIT_C_VALUE}" = "0" ] ); then LogText "Result: core dumps are disabled by 'ulimit -c 0' in ${ROOTDIR}etc/profile or ${ROOTDIR}etc/profile.d/*.sh" Display --indent 4 --text "- configuration in etc/profile" --result "${STATUS_DISABLED}" --color GREEN @@ -531,16 +531,17 @@ Display --indent 4 --text "- configuration in ${ROOTDIR}etc/profile" --result "${STATUS_ERROR}" --color YELLOW fi fi - # Limits option + + # Limits options for DIR in "/" "/usr/"; do LogText "Test: Checking presence ${DIR}etc/security/limits.conf" if [ -f "${DIR}etc/security/limits.conf" ]; then LogText "Result: file ${DIR}etc/security/limits.conf exists" LogText "Test: Checking if core dumps are disabled in ${DIR}etc/security/limits.conf and ${LIMITS_DIRECTORY}/*" # using find instead of grep -r to stay POSIX compliant. On AIX and HPUX grep -r is not available. - FIND1=$(${FINDBINARY} "${DIR}etc/security/limits.conf" "${LIMITS_DIRECTORY}" -type f -exec ${CAT_BINARY} {} \; 2> /dev/null | ${GREPBINARY} -v "^$" | ${AWKBINARY} '{ if ($1=="*" && $2=="soft" && $3=="core" && $4=="0") { print "soft core disabled" } else if ($1=="*" && $2=="soft" && $3=="core" && $4!="0") { print "soft core enabled" } }' | ${TAILBINARY} -1) - FIND2=$(${FINDBINARY} "${DIR}etc/security/limits.conf" "${LIMITS_DIRECTORY}" -type f -exec ${CAT_BINARY} {} \; 2> /dev/null | ${GREPBINARY} -v "^$" | ${AWKBINARY} '{ if ($1=="*" && $2=="hard" && $3=="core" && $4=="0") { print "hard core disabled" } else if ($1=="*" && $2=="hard" && $3=="core" && $4!="0") { print "hard core enabled" } }' | ${TAILBINARY} -1) - FIND3=$(${FINDBINARY} "${DIR}etc/security/limits.conf" "${LIMITS_DIRECTORY}" -type f -exec ${CAT_BINARY} {} \; 2> /dev/null | ${GREPBINARY} -v "^$" | ${AWKBINARY} '{ if ($1=="*" && $2=="-" && $3=="core" && $4=="0") { print "core dumps disabled" } else if ($1=="*" && $2=="-" && $3=="core" && $4!="0") { print "core dumps enabled" } }' | ${TAILBINARY} -1) + FIND1=$(${FINDBINARY} -L "${DIR}etc/security/limits.conf" "${LIMITS_DIRECTORY}" -type f -exec ${CAT_BINARY} {} \; 2> /dev/null | ${GREPBINARY} -v "^$" | ${AWKBINARY} '{ if ($1=="*" && $2=="soft" && $3=="core" && $4=="0") { print "soft core disabled" } else if ($1=="*" && $2=="soft" && $3=="core" && $4!="0") { print "soft core enabled" } }' | ${TAILBINARY} -1) + FIND2=$(${FINDBINARY} -L "${DIR}etc/security/limits.conf" "${LIMITS_DIRECTORY}" -type f -exec ${CAT_BINARY} {} \; 2> /dev/null | ${GREPBINARY} -v "^$" | ${AWKBINARY} '{ if ($1=="*" && $2=="hard" && $3=="core" && $4=="0") { print "hard core disabled" } else if ($1=="*" && $2=="hard" && $3=="core" && $4!="0") { print "hard core enabled" } }' | ${TAILBINARY} -1) + FIND3=$(${FINDBINARY} -L "${DIR}etc/security/limits.conf" "${LIMITS_DIRECTORY}" -type f -exec ${CAT_BINARY} {} \; 2> /dev/null | ${GREPBINARY} -v "^$" | ${AWKBINARY} '{ if ($1=="*" && $2=="-" && $3=="core" && $4=="0") { print "core dumps disabled" } else if ($1=="*" && $2=="-" && $3=="core" && $4!="0") { print "core dumps enabled" } }' | ${TAILBINARY} -1) # When "* - core [value]" is used, then this sets both soft and core. In that case we set the values, as they the type 'hard' and 'soft' will not be present in the configuration file. if [ "${FIND3}" = "core dumps disabled" ]; then diff --git a/include/tests_logging b/include/tests_logging index 7b3c203b..b6acdbe5 100644 --- a/include/tests_logging +++ b/include/tests_logging @@ -387,7 +387,7 @@ fi TARGET="${ROOTDIR}etc/rsyslog.d" if [ -d ${TARGET} ]; then - FILES=$(${FINDBINARY} ${TARGET} -type f -print0 | ${TRBINARY} -cd '[:print:]\0' | ${SEDBINARY} 's/[[:blank:]]/:space:/g' | ${TRBINARY} '\0' ' ') + FILES=$(${FINDBINARY} -L ${TARGET} -type f -print0 | ${TRBINARY} -cd '[:print:]\0' | ${SEDBINARY} 's/[[:blank:]]/:space:/g' | ${TRBINARY} '\0' ' ') for F in ${FILES}; do F=$(echo ${F} | ${SEDBINARY} 's/:space:/ /g') LogText "Test: analyzing file ${F} for remote target" diff --git a/include/tests_scheduling b/include/tests_scheduling index 196a2e77..3aa004c6 100644 --- a/include/tests_scheduling +++ b/include/tests_scheduling @@ -77,7 +77,7 @@ if FileIsReadable ${DIR}; then LogText "Result: found directory ${DIR}" LogText "Test: searching files in ${DIR}" - FIND=$(${FINDBINARY} ${DIR} -type f -print | ${GREPBINARY} -v ".placeholder") + FIND=$(${FINDBINARY} -L ${DIR} -type f -print | ${GREPBINARY} -v ".placeholder") if IsEmpty "${FIND}"; then LogText "Result: no files found in ${DIR}" else @@ -112,7 +112,7 @@ LogText "Result: found directory ${I}" if FileIsReadable ${I}; then LogText "Test: searching files in ${I}" - FIND=$(${FINDBINARY} ${I} -type f -print 2> /dev/null | ${GREPBINARY} -v ".placeholder") + FIND=$(${FINDBINARY} -L ${I} -type f -print 2> /dev/null | ${GREPBINARY} -v ".placeholder") if [ -z "${FIND}" ]; then LogText "Result: no files found in ${I}" else diff --git a/include/tests_shells b/include/tests_shells index 9598cfbc..8ecbde2c 100644 --- a/include/tests_shells +++ b/include/tests_shells @@ -167,9 +167,9 @@ FIND=$(${LSBINARY} ${ROOTDIR}etc/profile.d/*.sh 2> /dev/null) if [ -n "${FIND}" ]; then # Determine if we can find a TMOUT value - FIND=$(${FINDBINARY} ${ROOTDIR}etc/profile.d -name "*.sh" -type f -exec cat {} \; 2> /dev/null | ${GREPBINARY} 'TMOUT=' | ${TRBINARY} -d ' ' | ${TRBINARY} -d '\t' | ${GREPBINARY} -v "^#" | ${SEDBINARY} 's/export//' | ${SEDBINARY} 's/#.*//' | ${AWKBINARY} -F= '{ print $2 }') + FIND=$(${FINDBINARY} -L ${ROOTDIR}etc/profile.d -name "*.sh" -type f -exec cat {} \; 2> /dev/null | ${GREPBINARY} 'TMOUT=' | ${TRBINARY} -d ' ' | ${TRBINARY} -d '\t' | ${GREPBINARY} -v "^#" | ${SEDBINARY} 's/export//' | ${SEDBINARY} 's/#.*//' | ${AWKBINARY} -F= '{ print $2 }') # Determine if the value is exported (with export, readonly, or typeset) - FIND2=$(${FINDBINARY} ${ROOTDIR}etc/profile.d -name "*.sh" -type f -exec cat {} \; 2> /dev/null | ${GREPBINARY} '\(export\|readonly\|typeset -r\)[ \t]*TMOUT' | ${GREPBINARY} -v "^#" | ${SEDBINARY} 's/#.*//' | ${AWKBINARY} '{ print $1 }') + FIND2=$(${FINDBINARY} -L ${ROOTDIR}etc/profile.d -name "*.sh" -type f -exec cat {} \; 2> /dev/null | ${GREPBINARY} '\(export\|readonly\|typeset -r\)[ \t]*TMOUT' | ${GREPBINARY} -v "^#" | ${SEDBINARY} 's/#.*//' | ${AWKBINARY} '{ print $1 }') if [ -n "${FIND}" ]; then N=0; IDLE_TIMEOUT=1 for I in ${FIND}; do diff --git a/include/tests_squid b/include/tests_squid index c6b5174a..c486108c 100644 --- a/include/tests_squid +++ b/include/tests_squid @@ -131,7 +131,7 @@ Register --test-no SQD-3613 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check Squid file permissions" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Checking file permissions of ${SQUID_DAEMON_CONFIG}" - FIND=$(find ${SQUID_DAEMON_CONFIG} -type f -a \( -perm -004 -o -perm -002 -o -perm -001 \)) + FIND=$(find -L ${SQUID_DAEMON_CONFIG} -type f -a \( -perm -004 -o -perm -002 -o -perm -001 \)) if [ -n "${FIND}" ]; then LogText "Result: file ${SQUID_DAEMON_CONFIG} is world readable, writable or executable and could leak information or passwords" Display --indent 4 --text "- Checking Squid configuration file permissions" --result "${STATUS_WARNING}" --color RED |