github.com/CISOfy/lynis.git - Unnamed repository; edit this file 'description' to name the repository.
authormboelen <michael@cisofy.com>2014-09-15 14:01:09 +0400
committermboelen <michael@cisofy.com>2014-09-15 14:01:09 +0400
commitc9fde8c2d11744cc0875bc3e5dd0abf096211755 (patch)
tree0997d08919db7ec4e2aa9065c3e9aaf1671c4d6f
parent35d32fb5e40b86632677fd2256aebeddf926394a (diff)
Code cleanup and small enhancements
-rw-r--r--include/tests_accounting12
-rw-r--r--include/tests_authentication62
-rw-r--r--include/tests_banners97
-rw-r--r--include/tests_boot_services46
-rw-r--r--include/tests_crypto4
-rw-r--r--include/tests_custom.template4
-rw-r--r--include/tests_databases52
-rw-r--r--include/tests_file_integrity34
-rw-r--r--include/tests_file_permissions24
-rw-r--r--include/tests_filesystems74
-rw-r--r--include/tests_hardening121
-rw-r--r--include/tests_homedirs67
-rw-r--r--include/tests_insecure_services20
-rw-r--r--include/tests_kernel50
-rw-r--r--include/tests_kernel_hardening2
-rw-r--r--include/tests_ldap47
-rw-r--r--include/tests_logging325
-rw-r--r--include/tests_mail_messaging38
-rw-r--r--include/tests_malware30
-rw-r--r--include/tests_memory_processes14
-rw-r--r--include/tests_nameservices72
-rw-r--r--include/tests_networking52
-rw-r--r--include/tests_php40
-rw-r--r--include/tests_ports_packages62
-rw-r--r--include/tests_printers_spools16
-rw-r--r--include/tests_shells16
-rw-r--r--include/tests_snmp52
-rw-r--r--include/tests_solaris48
-rw-r--r--include/tests_squid225
-rw-r--r--include/tests_ssh50
-rw-r--r--include/tests_storage8
-rw-r--r--include/tests_storage_nfs25
-rw-r--r--include/tests_tcpwrappers4
-rw-r--r--include/tests_time20
-rw-r--r--include/tests_tooling2
-rw-r--r--include/tests_virtualization6
-rw-r--r--include/tests_webservers24
37 files changed, 922 insertions, 923 deletions
diff --git a/include/tests_accounting b/include/tests_accounting
index e751b059..0894ee9a 100644
--- a/include/tests_accounting
+++ b/include/tests_accounting
@@ -30,11 +30,11 @@
Register --test-no ACCT-2754 --os FreeBSD --weight L --network NO --description "Check for available FreeBSD accounting information"
if [ ${SKIPTEST} -eq 0 ]; then
if [ -f /var/account/acct ]; then
- Display --indent 2 --text "- Checking accounting information..." --result OK --color GREEN
+ Display --indent 2 --text "- Checking accounting information" --result OK --color GREEN
logtext "Result: /var/account/acct available"
AddHP 3 3
else
- Display --indent 2 --text "- Checking accounting information..." --result "NOT FOUND" --color YELLOW
+ Display --indent 2 --text "- Checking accounting information" --result "NOT FOUND" --color YELLOW
logtext "Result: No accounting information available"
logtext "Remark: Possibly there is another location where the accounting data is stored"
ReportSuggestion ${TEST_NO} "Enable process accounting"
@@ -51,19 +51,19 @@
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Check accounting information"
if [ -f /var/account/pacct ]; then
- Display --indent 2 --text "- Checking accounting information..." --result OK --color GREEN
+ Display --indent 2 --text "- Checking accounting information" --result OK --color GREEN
logtext "Result: /var/account/pacct available"
AddHP 3 3
elif [ -f /var/log/account/pacct ]; then
- Display --indent 2 --text "- Checking accounting information..." --result OK --color GREEN
+ Display --indent 2 --text "- Checking accounting information" --result OK --color GREEN
logtext "Result: /var/log/account/pacct available"
AddHP 3 3
elif [ -f /var/log/pacct ]; then
- Display --indent 2 --text "- Checking accounting information..." --result OK --color GREEN
+ Display --indent 2 --text "- Checking accounting information" --result OK --color GREEN
logtext "Result: /var/log/pacct available"
AddHP 3 3
else
- Display --indent 2 --text "- Checking accounting information... " --result "NOT FOUND" --color YELLOW
+ Display --indent 2 --text "- Checking accounting information" --result "NOT FOUND" --color YELLOW
logtext "Result: No accounting information available (/var/account/pacct does not exist)"
logtext "Remark: Possibly there is another location where the accounting data is stored"
ReportSuggestion ${TEST_NO} "Enable process accounting"
diff --git a/include/tests_authentication b/include/tests_authentication
index 9e4d36db..abfd1c9d 100644
--- a/include/tests_authentication
+++ b/include/tests_authentication
@@ -37,7 +37,7 @@
logtext "Test: Searching accounts with UID 0"
FIND=`grep ':0:' /etc/passwd | egrep -v '^#|^root:|^:0:0:::' | cut -d ":" -f1,3 | grep ':0'`
if [ ! "${FIND}" = "" ]; then
- Display --indent 2 --text "- Search administrator accounts..." --result WARNING --color RED
+ Display --indent 2 --text "- Search administrator accounts" --result WARNING --color RED
logtext "Result: Found more than one administrator accounts"
ReportWarning "${TEST_NO}" "H" "Multiple users with UID 0 found in passwd file"
for I in ${FIND}; do
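Review bot: The UID 0 search in the `FIND=` line at the top of this hunk matches text instead of comparing the UID field. The first `grep ':0:'` also hits entries whose GID is 0 and the final `grep ':0'` is unanchored, so the result depends on how the number happens to be written in /etc/passwd. A numeric comparison on field 3 is stricter and keeps the same `name:uid` output, for example `awk -F: '$1 !~ /^#/ && $1 != "" && $1 != "root" && $3 == 0 { print $1":"$3 }' /etc/passwd`. The loop that consumes `FIND` continues outside the hunk, so confirm it still accepts that format.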
@@ -49,7 +49,7 @@
fi
done
else
- Display --indent 2 --text "- Search administrator accounts..." --result OK --color GREEN
+ Display --indent 2 --text "- Search administrator accounts" --result OK --color GREEN
logtext "Result: No accounts found with UID 0 other than root."
fi
fi
@@ -72,16 +72,16 @@
if [ -f ${PASSWD_FILE} ]; then
FIND=`cat ${PASSWD_FILE} | grep -v '^#' | cut -d ':' -f3 | uniq -d`
if [ "${FIND}" = "" ]; then
- Display --indent 2 --text "- Checking for non-unique UIDs... " --result OK --color GREEN
+ Display --indent 2 --text "- Checking for non-unique UIDs" --result OK --color GREEN
logtext "Result: all accounts found in ${PASSWD_FILE} are unique"
else
- Display --indent 2 --text "- Checking for non-unique UIDs... " --result WARNING --color RED
+ Display --indent 2 --text "- Checking for non-unique UIDs" --result WARNING --color RED
logtext "Result: found multiple accounts with same UID"
logtext "Output (non-unique UIDs): ${FIND}"
ReportWarning ${TEST_NO} "Multiple accounts found with same UID"
fi
else
- Display --indent 2 --text "- Checking UIDs... " --result SKIPPED --color WHITE
+ Display --indent 2 --text "- Checking UIDs" --result SKIPPED --color WHITE
logtext "Result: test skipped, ${PASSWD_FILE} file not available"
fi
logtext "Remarks: ${USER_PASSWD_DOUBLEUID_AUDIT_TEXT}"
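Review bot: `uniq -d` in the `FIND=` pipeline only reports adjacent duplicates, and the UID column is not sorted first, so two accounts sharing a UID are missed unless their entries sit next to each other in the passwd file. The group-ID test later in this file already pipes through `sort | uniq -d`; the same fix here is `... | cut -d ':' -f3 | sort | uniq -d`. The call `ReportWarning ${TEST_NO} "Multiple accounts found with same UID"` also omits the severity argument that the other ReportWarning calls in this file pass (`"H"` or `"M"`); whether ReportWarning tolerates that is not visible here. The enclosing test block starts and ends outside the hunk.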
@@ -94,15 +94,15 @@
if [ -f /usr/sbin/chkgrp ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no AUTH-9212 --preqs-met ${PREQS_MET} --weight L --network NO --description "Test group file"
if [ ${SKIPTEST} -eq 0 ]; then
- Display --indent 2 --text "- Checking chkgrp tool..." --result FOUND --color GREEN
+ Display --indent 2 --text "- Checking chkgrp tool" --result FOUND --color GREEN
logtext "Result: /usr/sbin/chkgrp binary found. Using this to perform next test(s)."
- logtext "Test: Testing consistency of /etc/group file... "
+ logtext "Test: Testing consistency of /etc/group file"
FIND=`/usr/sbin/chkgrp | grep -v 'is fine'`
if [ "${FIND}" = "" ]; then
- Display --indent 4 --text "- Checking consistency of /etc/group file..." --result OK --color GREEN
+ Display --indent 4 --text "- Checking consistency of /etc/group file" --result OK --color GREEN
logtext "Result: chkgrp test performed, Group file seems to be ok."
else
- Display --indent 4 --text "- Checking consistency of /etc/group file..." --result WARNING --color RED
+ Display --indent 4 --text "- Checking consistency of /etc/group file" --result WARNING --color RED
logtext "Result: chkgrp found some errors. Run the tool manually to see details."
logtext "chkgrp output: ${FIND}"
ReportWarning ${TEST_NO} "M" "chkgrp reported inconsistencies in /etc/group file"
@@ -118,7 +118,7 @@
if [ ${SKIPTEST} -eq 0 ]; then
# Test : run grpck to test group files (most likely /etc/group and shadow group files)
# Expected result : 0 (exit code)
- logtext "Test: Checking for grpck binary..."
+ logtext "Test: Checking for grpck binary"
if [ "${OS}" = "Linux" ]; then
# Read only mode
@@ -136,10 +136,10 @@
# Check exit-code
if [ "${FIND}" = "0" ]; then
- Display --indent 2 --text "- Checking consistency of group files (grpck)..." --result OK --color GREEN
+ Display --indent 2 --text "- Checking consistency of group files (grpck)" --result OK --color GREEN
logtext "Result: grpck binary didn't find any errors in the group files"
else
- Display --indent 2 --text "- Checking consistency of group files (grpck)..." --result WARNING --color RED
+ Display --indent 2 --text "- Checking consistency of group files (grpck)" --result WARNING --color RED
ReportWarning ${TEST_NO} "M" "grpck binary found errors in one or more group files"
ReportSuggestion ${TEST_NO} "Run grpck manually and check your group files"
fi
@@ -158,9 +158,9 @@
# Check for all shells, except: (/usr)/sbin/nologin /nonexistent
FIND=`cat /etc/master.passwd | grep "[a-z]:\*:" | egrep -v '^#|/sbin/nologin|/usr/sbin/nologin|/nonexistent' | sed 's/ /!space!/g'`
if [ "${FIND}" = "" ]; then
- Display --indent 2 --text "- Checking login shells..." --result OK --color GREEN
+ Display --indent 2 --text "- Checking login shells" --result OK --color GREEN
else
- Display --indent 2 --text "- Checking login shells..." --result WARNING --color RED
+ Display --indent 2 --text "- Checking login shells" --result WARNING --color RED
for I in ${FIND}; do
I=`echo ${I} | sed 's/!space!/ /g'`
J=`echo ${I} | awk -F: '{ print $10 }'`
@@ -183,7 +183,7 @@
fi
fi
else
- Display --indent 2 --text "- Checking login shells..." --result SKIPPED --color WHITE
+ Display --indent 2 --text "- Checking login shells" --result SKIPPED --color WHITE
logtext "Result: No /etc/master.passwd file found"
fi
fi
@@ -197,10 +197,10 @@
logtext "Test: Checking for non unique group ID's in /etc/group"
FIND=`cat /etc/group | grep -v '^#' | grep -v '^$' | awk -F: '{ print $3 }' | sort | uniq -d`
if [ "${FIND}" = "" ]; then
- Display --indent 2 --text "- Checking non unique group ID's..." --result OK --color GREEN
+ Display --indent 2 --text "- Checking non unique group ID's" --result OK --color GREEN
logtext "Result: All group ID's are unique"
else
- Display --indent 2 --text "- Checking non unique group ID's..." --result WARNING --color RED
+ Display --indent 2 --text "- Checking non unique group ID's" --result WARNING --color RED
logtext "Result: Found the same group ID multiple times"
logtext "Output: ${FIND}"
ReportWarning ${TEST_NO} "H" "Found multiple groups with same group ID"
@@ -218,10 +218,10 @@
logtext "Test: Checking for non unique group names in /etc/group"
FIND=`cat /etc/group | grep -v '^#' | grep -v '^$' | awk -F: '{ print $1 }' | sort | uniq -d`
if [ "${FIND}" = "" ]; then
- Display --indent 2 --text "- Checking non unique group names..." --result OK --color GREEN
+ Display --indent 2 --text "- Checking non unique group names" --result OK --color GREEN
logtext "Result: All group names are unique"
else
- Display --indent 2 --text "- Checking non unique group names..." --result WARNING --color WARNING
+ Display --indent 2 --text "- Checking non unique group names" --result WARNING --color WARNING
logtext "Result: Found the same group name multiple times"
logtext "Output: ${FIND}"
ReportWarning ${TEST_NO} "M" "Found inconsistencies in group file (multiple occurences of a single group)"
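Review bot: The rewritten warning line still passes `--color WARNING`, which is a result name, not a colour. Every other warning in this file uses `--color RED`, so this is presumably a typo and should read `Display --indent 2 --text "- Checking non unique group names" --result WARNING --color RED`. How Display treats an unknown colour value is not visible in this hunk. The ReportWarning text below it also misspells "occurrences".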
@@ -239,10 +239,10 @@
logtext "Test: Checking password file consistency (pwck)"
FIND=`/usr/sbin/pwck -q -r 2> /dev/null; echo $?`
if [ "${FIND}" = "0" ]; then
- Display --indent 2 --text "- Checking password file consistency..." --result OK --color GREEN
+ Display --indent 2 --text "- Checking password file consistency" --result OK --color GREEN
logtext "Result: pwck check didn't find any problems"
else
- Display --indent 2 --text "- Checking password file consistency..." --result WARNING --color RED
+ Display --indent 2 --text "- Checking password file consistency" --result WARNING --color RED
logtext "Result: pwck found one or more errors/warnings in the password file."
ReportWarning ${TEST_NO} "M" "pwck found one or more errors/warnings in the password file"
ReportSuggestion ${TEST_NO} "Run pwck manually and correct found issues."
@@ -260,10 +260,10 @@
# logtext "Test: Checking password file consistency (usrck)"
# FIND=`/usr/bin/usrck -n ALL 2>; echo $?`
# if [ "${FIND}" = "0" ]; then
-# Display --indent 2 --text "- Checking password file consistency..." --result OK --color GREEN
+# Display --indent 2 --text "- Checking password file consistency" --result OK --color GREEN
# logtext "Result: usrck finished didn't find problems"
# else
-# Display --indent 2 --text "- Checking password file consistency..." --result WARNING --color RED
+# Display --indent 2 --text "- Checking password file consistency" --result WARNING --color RED
# logtext "Result: usrck found one or more errors/warnings in the password file."
# ReportWarning ${TEST_NO} "M" "usrck found one or more errors/warnings in the password file"
# ReportSuggestion ${TEST_NO} "Run usrck manually and correct found issues."
@@ -280,10 +280,10 @@
logtext "Test: Checking password file consistency (pwck)"
FIND=`/usr/sbin/pwck 2> /dev/null; echo $?`
if [ "${FIND}" = "0" ]; then
- Display --indent 2 --text "- Checking password file consistency..." --result OK --color GREEN
+ Display --indent 2 --text "- Checking password file consistency" --result OK --color GREEN
logtext "Result: pwck finished didn't find problems"
else
- Display --indent 2 --text "- Checking password file consistency..." --result WARNING --color RED
+ Display --indent 2 --text "- Checking password file consistency" --result WARNING --color RED
logtext "Result: pwck found one or more errors/warnings in the password file."
ReportWarning ${TEST_NO} "M" "pwck found one or more errors/warnings in the password file"
ReportSuggestion ${TEST_NO} "Run pwck manually and correct found issues."
@@ -301,10 +301,10 @@
# logtext "Test: Checking password file consistency (pwck)"
# FIND=`/usr/sbin/pwck 2> /dev/null; echo $?`
# if [ "${FIND}" = "0" ]; then
-# Display --indent 2 --text "- Checking password file consistency..." --result OK --color GREEN
+# Display --indent 2 --text "- Checking password file consistency" --result OK --color GREEN
# logtext "Result: pwck finished didn't find problems"
# else
-# Display --indent 2 --text "- Checking password file consistency..." --result WARNING --color RED
+# Display --indent 2 --text "- Checking password file consistency" --result WARNING --color RED
# logtext "Result: pwck found one or more errors/warnings in the password file."
# ReportWarning ${TEST_NO} "M" "pwck found one or more errors/warnings in the password file"
# ReportSuggestion ${TEST_NO} "Run pwck manually and correct found issues."
@@ -321,10 +321,10 @@
# logtext "Test: Checking group file consistency (grpck)"
# FIND=`/usr/sbin/grpck 2> /dev/null; echo $?`
# if [ "${FIND}" = "0" ]; then
-# Display --indent 2 --text "- Checking group file consistency..." --result OK --color GREEN
+# Display --indent 2 --text "- Checking group file consistency" --result OK --color GREEN
# logtext "Result: grpck finished didn't find problems"
# else
-# Display --indent 2 --text "- Checking group file consistency..." --result WARNING --color RED
+# Display --indent 2 --text "- Checking group file consistency" --result WARNING --color RED
# logtext "Result: grpck found one or more errors/warnings in the group file."
# ReportWarning ${TEST_NO} "M" "grpck found one or more errors/warnings in the group file"
# ReportSuggestion ${TEST_NO} "Run grpck manually and correct found issues."
@@ -340,7 +340,7 @@
# OpenBSD/NetBSD: unknown
Register --test-no AUTH-9234 --os Linux --weight L --network NO --description "Query user accounts"
if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: Read real system users (including root user) from /etc/passwd..."
+ logtext "Test: Read real system users (including root user) from /etc/passwd"
FIND=""
if [ "${OS}" = "FreeBSD" ]; then
@@ -358,7 +358,7 @@
FIND=`awk -F: '($3 > 100 && $3 != 60001 && $3 != 65534) || ($3 == 0) { print $1","$3 }' /etc/passwd`
fi
- Display --indent 2 --text "- Query system users (non daemons)..." --result DONE --color GREEN
+ Display --indent 2 --text "- Query system users (non daemons)" --result DONE --color GREEN
# Check if we got any output
if [ "${FIND}" = "" ]; then
Display --indent 4 --text "Result: No users found/unknown result"
diff --git a/include/tests_banners b/include/tests_banners
index 38c42c01..c0ed7179 100644
--- a/include/tests_banners
+++ b/include/tests_banners
@@ -19,7 +19,6 @@
#################################################################################
#
InsertSection "Banners and identification"
-# Display --indent 2 --text "- Checking banners..."
#
#################################################################################
#
@@ -67,15 +66,15 @@
logtext "Test: Testing existence /etc/motd"
if [ -f /etc/motd ]; then
logtext "Result: file /etc/motd exists"
- Display --indent 2 --text "- /etc/motd..." --result FOUND --color GREEN
+ Display --indent 2 --text "- /etc/motd" --result FOUND --color GREEN
if [ ! -L /etc/motd ]; then
IsWorldWritable /etc/motd
if [ "${FileIsWorldWritable}" = "TRUE" ]; then
- Display --indent 4 --text "- /etc/motd permissions..." --result WARNING --color RED
+ Display --indent 4 --text "- /etc/motd permissions" --result WARNING --color RED
logtext "Result: /etc/motd is world writable. Users can change this file!"
ReportWarning ${TEST_NO} "H" "/etc/motd is world writable"
else
- Display --indent 4 --text "- /etc/motd permissions..." --result OK --color GREEN
+ Display --indent 4 --text "- /etc/motd permissions" --result OK --color GREEN
logtext "Result: /etc/motd is not world writable."
fi
else
@@ -83,7 +82,7 @@
fi
else
logtext "Result: File /etc/motd not found"
- Display --indent 2 --text "- /etc/motd..." --result "NOT FOUND" --color WHITE
+ Display --indent 2 --text "- /etc/motd" --result "NOT FOUND" --color WHITE
fi
fi
#
@@ -107,11 +106,11 @@
# Check if we have 5 or more key words
if [ ${N} -gt 4 ]; then
logtext "Result: Found ${N} key words, to warn unauthorized users"
- Display --indent 4 --text "- /etc/motd contents..." --result OK --color GREEN
+ Display --indent 4 --text "- /etc/motd contents" --result OK --color GREEN
AddHP 2 2
else
logtext "Result: Found only ${N} key words, to warn unauthorized users and could be increased"
- Display --indent 4 --text "- /etc/motd contents..." --result WEAK --color YELLOW
+ Display --indent 4 --text "- /etc/motd contents" --result WEAK --color YELLOW
ReportSuggestion ${TEST_NO} "Add legal banner to /etc/motd, to warn unauthorized users"
AddHP 0 1
fi
@@ -125,17 +124,17 @@
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Checking file /etc/issue"
if [ -f /etc/issue ]; then
- # Check for symlink
- if [ -L /etc/issue ]; then
- logtext "Result: file /etc/issue exists (symlink)"
- Display --indent 2 --text "- /etc/issue..." --result SYMLINK --color GREEN
- else
- Display --indent 2 --text "- /etc/issue..." --result FOUND --color GREEN
- fi
- else
- logtext "Result: file /etc/issue does not exist"
- Display --indent 2 --text "- /etc/issue..." --result "NOT FOUND" --color WHITE
- fi
+ # Check for symlink
+ if [ -L /etc/issue ]; then
+ logtext "Result: file /etc/issue exists (symlink)"
+ Display --indent 2 --text "- /etc/issue" --result SYMLINK --color GREEN
+ else
+ Display --indent 2 --text "- /etc/issue" --result FOUND --color GREEN
+ fi
+ else
+ logtext "Result: file /etc/issue does not exist"
+ Display --indent 2 --text "- /etc/issue" --result "NOT FOUND" --color WHITE
+ fi
fi
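Review bot: The non-symlink branch for /etc/issue displays FOUND but writes nothing to the log, while the symlink branch and the matching /etc/issue.net test both log a result. Adding `logtext "Result: file /etc/issue exists"` before the FOUND Display keeps the log file complete for anyone reviewing the audit afterwards. The re-indentation itself does not change behaviour.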
#
#################################################################################
@@ -158,11 +157,11 @@
# Check if we have 5 or more key words
if [ ${N} -gt 4 ]; then
logtext "Result: Found ${N} key words (5 or more suggested), to warn unauthorized users"
- Display --indent 4 --text "- /etc/issue contents..." --result OK --color GREEN
+ Display --indent 4 --text "- /etc/issue contents" --result OK --color GREEN
AddHP 2 2
else
logtext "Result: Found only ${N} key words (5 or more suggested), to warn unauthorized users and could be increased"
- Display --indent 4 --text "- /etc/issue contents..." --result WEAK --color YELLOW
+ Display --indent 4 --text "- /etc/issue contents" --result WEAK --color YELLOW
ReportSuggestion ${TEST_NO} "Add a legal banner to /etc/issue, to warn unauthorized users"
AddHP 0 1
fi
@@ -176,18 +175,18 @@
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Checking file /etc/issue.net"
if [ -f /etc/issue.net ]; then
- # Check for symlink
- if [ -L /etc/issue.net ]; then
- logtext "Result: file /etc/issue.net exists (symlink)"
- Display --indent 2 --text "- /etc/issue.net..." --result SYMLINK --color GREEN
- else
- logtext "Result: file /etc/issue.net exists"
- Display --indent 2 --text "- /etc/issue.net..." --result FOUND --color GREEN
- fi
- else
- logtext "Result: file /etc/issue.net does not exist"
- Display --indent 2 --text "- /etc/issue.net..." --result "NOT FOUND" --color WHITE
- fi
+ # Check for symlink
+ if [ -L /etc/issue.net ]; then
+ logtext "Result: file /etc/issue.net exists (symlink)"
+ Display --indent 2 --text "- /etc/issue.net" --result SYMLINK --color GREEN
+ else
+ logtext "Result: file /etc/issue.net exists"
+ Display --indent 2 --text "- /etc/issue.net" --result FOUND --color GREEN
+ fi
+ else
+ logtext "Result: file /etc/issue.net does not exist"
+ Display --indent 2 --text "- /etc/issue.net" --result "NOT FOUND" --color WHITE
+ fi
fi
#
#################################################################################
@@ -201,23 +200,23 @@
N=0
logtext "Test: Checking file /etc/issue.net contents for legal key words"
for I in ${LEGAL_BANNER_STRINGS}; do
- FIND=`grep -i "${I}" /etc/issue.net`
- if [ ! "${FIND}" = "" ]; then
- logtext "Result: found string '${I}'"
- N=`expr ${N} + 1`
- fi
- done
- # Check if we have 5 or more key words
- if [ ${N} -gt 4 ]; then
- logtext "Result: Found ${N} key words, to warn unauthorized users"
- Display --indent 4 --text "- /etc/issue.net contents..." --result OK --color GREEN
- AddHP 2 2
- else
- logtext "Result: Found only ${N} key words, to warn unauthorized users and could be increased"
- Display --indent 4 --text "- /etc/issue.net contents..." --result WEAK --color YELLOW
- ReportSuggestion ${TEST_NO} "Add legal banner to /etc/issue.net, to warn unauthorized users"
- AddHP 0 1
- fi
+ FIND=`grep -i "${I}" /etc/issue.net`
+ if [ ! "${FIND}" = "" ]; then
+ logtext "Result: found string '${I}'"
+ N=`expr ${N} + 1`
+ fi
+ done
+ # Check if we have 5 or more key words
+ if [ ${N} -gt 4 ]; then
+ logtext "Result: Found ${N} key words, to warn unauthorized users"
+ Display --indent 4 --text "- /etc/issue.net contents" --result OK --color GREEN
+ AddHP 2 2
+ else
+ logtext "Result: Found only ${N} key words, to warn unauthorized users and could be increased"
+ Display --indent 4 --text "- /etc/issue.net contents" --result WEAK --color YELLOW
+ ReportSuggestion ${TEST_NO} "Add legal banner to /etc/issue.net, to warn unauthorized users"
+ AddHP 0 1
+ fi
fi
#
#################################################################################
diff --git a/include/tests_boot_services b/include/tests_boot_services
index 56a283d4..f5c86197 100644
--- a/include/tests_boot_services
+++ b/include/tests_boot_services
@@ -32,11 +32,11 @@
Register --test-no BOOT-5121 --weight L --network NO --description "Check for GRUB boot loader presence"
if [ ${SKIPTEST} -eq 0 ]; then
FOUND=0
- logtext "Test: Checking for presence GRUB conf file (/boot/grub/grub.conf or /boot/grub/menu.lst)..."
+ logtext "Test: Checking for presence GRUB conf file (/boot/grub/grub.conf or /boot/grub/menu.lst)"
if [ -f /boot/grub/grub.conf -o -f /boot/grub/menu.lst ]; then
FOUND=1
BOOT_LOADER="GRUB"
- Display --indent 4 --text "- Checking presence GRUB... " --result "OK" --color GREEN
+ Display --indent 4 --text "- Checking presence GRUB" --result "OK" --color GREEN
if [ -f /boot/grub/grub.conf ]; then GRUBCONFFILE="/boot/grub/grub.conf"; else GRUBCONFFILE="/boot/grub/menu.lst"; fi
logtext "Found file ${GRUBCONFFILE}, proceeding with tests."
FileIsReadable ${GRUBCONFFILE}
@@ -44,7 +44,7 @@
FIND=`cat ${GRUBCONFFILE} | grep 'password --md5' | grep -v '^#'`
FIND2=`cat ${GRUBCONFFILE} | grep 'password --encrypted' | grep -v '^#'`
if [ "${FIND}" = "" -a "${FIND2}" = "" ]; then
- Display --indent 6 --text "- Checking for password protection..." --result WARNING --color RED
+ Display --indent 6 --text "- Checking for password protection" --result WARNING --color RED
logtext "Result: Didn't find MD5/SHA1 hashed password line in GRUB boot file!"
logtext "Risk: user can switch to single user mode by editing current menu items or bypassing them."
logtext "Additional information: Do NOT use a plaintext password, since the grub.conf or menu.lst file is most likely to be world readable!"
@@ -53,7 +53,7 @@
logtext "Tip: Run grub-crypt or grub-md5-crypt and create a hashed password. Add a line below the line timeout=<value>, add: password --md5 <password hash> or password --encrypted <password hash> for SHA1 encrypted password"
AddHP 0 2
else
- Display --indent 6 --text "- Checking for password protection..." --result OK --color GREEN
+ Display --indent 6 --text "- Checking for password protection" --result OK --color GREEN
logtext "Result: GRUB has password protection."
AddHP 4 4
fi
@@ -66,7 +66,7 @@
if [ -f /boot/grub/grub.cfg ]; then
FOUND=1
BOOT_LOADER="GRUB2"
- Display --indent 4 --text "- Checking presence GRUB2... " --result FOUND --color GREEN
+ Display --indent 4 --text "- Checking presence GRUB2" --result FOUND --color GREEN
logtext "Result: found GRUB2 configuration file (/boot/grub/grub.cfg)"
# YYY password check, when documentation of GRUB2 project is improved
# YYY Add check permission check (600)
@@ -74,7 +74,7 @@
fi
if [ ${FOUND} -eq 0 ]; then
- Display --indent 4 --text "- Checking presence GRUB... " --result "NOT FOUND" --color WHITE
+ Display --indent 4 --text "- Checking presence GRUB" --result "NOT FOUND" --color WHITE
logtext "Result: no GRUB configuration file found."
fi
fi
@@ -120,13 +120,13 @@
Register --test-no BOOT-5139 --weight L --network NO --description "Check for LILO boot loader presence"
if [ ${SKIPTEST} -eq 0 ]; then
LILOCONFFILE="/etc/lilo.conf"
- logtext "Test: checking for presence LILO configuration file..."
+ logtext "Test: checking for presence LILO configuration file"
if [ -f ${LILOCONFFILE} ]; then
FileIsReadable ${LILOCONFFILE}
if [ ${CANREAD} -eq 1 ]; then
BOOT_LOADER="LILO"
- Display --indent 4 --text "- Checking presence LILO... " --result "OK" --color GREEN
- logtext "Checking password option LILO..."
+ Display --indent 4 --text "- Checking presence LILO" --result "OK" --color GREEN
+ logtext "Checking password option LILO"
FIND=`cat ${LILOCONFFILE} | ${EGREPBINARY} 'password[[:space:]]?=' | grep -v "^#"`
if [ "${FIND}" = "" ]; then
Display --indent 6 --text "- Password option presence " --result "WARNING" --color RED
@@ -145,7 +145,7 @@
logtext "Result: can not read ${LILOCONFFILE} (no permission)"
fi
else
- Display --indent 4 --text "- Checking presence LILO... " --result "NOT FOUND" --color WHITE
+ Display --indent 4 --text "- Checking presence LILO" --result "NOT FOUND" --color WHITE
logtext "Result: LILO configuration file not found"
fi
fi
@@ -212,18 +212,18 @@
Register --test-no BOOT-5159 --os OpenBSD --platform i386 --weight L --network NO --description "Check for OpenBSD i386 boot loader presence"
if [ ${SKIPTEST} -eq 0 ]; then
if [ -f /etc/boot.conf ]; then
- Display --indent 2 --text "- Checking /etc/boot.conf..." --result "FOUND" --color GREEN
+ Display --indent 2 --text "- Checking /etc/boot.conf" --result "FOUND" --color GREEN
FIND=`grep '^boot' /etc/boot.conf`
if [ "${FIND}" = "" ]; then
- Display --indent 4 --text "- Checking boot option..." --result WARNING --color RED
+ Display --indent 4 --text "- Checking boot option" --result WARNING --color RED
ReportSuggestion ${TEST_NO} "Add 'boot' to the /etc/boot.conf file to disable the default 5 seconds waiting time, to disallow booting into single user mode."
ReportWarning ${TEST_NO} "M" "System can be booted into single user mode without password"
else
- Display --indent 4 --text "- Checking boot option..." --result OK --color GREEN
+ Display --indent 4 --text "- Checking boot option" --result OK --color GREEN
logtext "Ok, boot option is enabled."
fi
else
- Display --indent 2 --text "- Checking /etc/boot.conf..." --result "NOT FOUND" --color YELLOW
+ Display --indent 2 --text "- Checking /etc/boot.conf" --result "NOT FOUND" --color YELLOW
logtext "Result: no /etc/boot.conf found. When using the default boot loader, physical"
logtext "access to the server can be used to possibly enter single user mode."
ReportSuggestion ${TEST_NO} "Add 'boot' to the /etc/boot.conf file to disable the default 5 seconds waiting time."
@@ -237,7 +237,7 @@
Register --test-no BOOT-5165 --os FreeBSD --weight L --network NO --description "Check for FreeBSD boot services"
if [ ${SKIPTEST} -eq 0 ]; then
# FreeBSD (Read /etc/rc.conf file for enabled services)
- logtext "Searching for services at startup (rc.conf)..."
+ logtext "Searching for services at startup (rc.conf)"
FIND=`egrep -v -i '^#|none' /etc/rc.conf | egrep -i '_enable.*(yes|on|1)' | sort | awk -F= '{ print $1 }' | sed 's/_enable//'`
N=0
for I in ${FIND}; do
@@ -245,7 +245,7 @@
report "boottask[]=${I}"
N=`expr ${N} + 1`
done
- Display --indent 2 --text "- Checking services at startup (rc.conf)..." --result "DONE" --color GREEN
+ Display --indent 2 --text "- Checking services at startup (rc.conf)" --result "DONE" --color GREEN
Display --indent 6 --text "Result: found $N services/options set"
logtext "Found $N services/options to run at startup"
fi
@@ -278,7 +278,7 @@
N=`expr ${N} + 1`
done
logtext "Suggestion: Run systemctl --full --type=service to see all services"
- Display --indent 2 --text "- Check running services (systemctl)... " --result "DONE" --color GREEN
+ Display --indent 2 --text "- Check running services (systemctl)" --result "DONE" --color GREEN
Display --indent 8 --text "Result: found $N running services"
logtext "Result: Found $N enabled services"
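Review bot: The log message after the running-services Display says `Found $N enabled services`, and the next hunk (enabled services at boot) logs `Found $N running services`, so the two logtext lines are swapped relative to the on-screen text. Since the log is what gets reviewed after an audit, each should match its Display line: `logtext "Result: Found $N running services"` here and `logtext "Result: Found $N enabled services"` in the following hunk. Both loops start outside the visible hunks.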
@@ -293,7 +293,7 @@
N=`expr ${N} + 1`
done
logtext "Suggestion: Run systemctl list-unit-files --type=service to see all services"
- Display --indent 2 --text "- Check enabled services at boot (systemctl)... " --result "DONE" --color GREEN
+ Display --indent 2 --text "- Check enabled services at boot (systemctl)" --result "DONE" --color GREEN
Display --indent 8 --text "Result: found $N enabled services"
logtext "Result: Found $N running services"
@@ -301,7 +301,7 @@
logtext "Result: systemctl binary not found, checking chkconfig binary"
if [ ! "${CHKCONFIGBINARY}" = "" ]; then
logtext "Result: chkconfig binary found, trying that to discover information"
- logtext "Searching for services at startup (chkconfig, runlevel 3 and 5)... "
+ logtext "Searching for services at startup (chkconfig, runlevel 3 and 5)"
FIND=`${CHKCONFIGBINARY} --list | egrep '3:on|5:on' | awk '{ print $1 }'`
N=0
report "boot_service_tool=chkconfig"
@@ -311,7 +311,7 @@
N=`expr ${N} + 1`
done
logtext "Suggestion: Run chkconfig --list to see all services and disable unneeded services"
- Display --indent 2 --text "- Check services at startup (chkconfig)... " --result "DONE" --color GREEN
+ Display --indent 2 --text "- Check services at startup (chkconfig)" --result "DONE" --color GREEN
Display --indent 8 --text "Result: found $N services"
logtext "Result: Found $N services at startup"
else
@@ -372,7 +372,7 @@
logtext "Found service (at boot, runlevel 2): ${I}"
N=`expr ${N} + 1`
done
- Display --indent 2 --text "- Check services at startup (rc2.d)... " --result "DONE" --color WHITE
+ Display --indent 2 --text "- Check services at startup (rc2.d)" --result "DONE" --color WHITE
Display --indent 4 --text "Result: found $N services"
logtext "Found $N services"
fi
@@ -452,13 +452,13 @@
# Check results
if [ ${FOUND} -eq 1 ]; then
- Display --indent 2 --text "- Check startup files (permissions)... " --result "WARNING" --color RED
+ Display --indent 2 --text "- Check startup files (permissions)" --result "WARNING" --color RED
ReportWarning ${TEST_NO} "H" "One or more startup files can be overwritten by all users"
ReportSuggestion ${TEST_NO} "Check startup scripts for world write access and change permissions if needed"
logtext "Result: found one or more scripts which are possibly writable by other users"
AddHP 0 3
else
- Display --indent 2 --text "- Check startup files (permissions)... " --result "OK" --color GREEN
+ Display --indent 2 --text "- Check startup files (permissions)" --result "OK" --color GREEN
AddHP 3 3
fi
fi
diff --git a/include/tests_crypto b/include/tests_crypto
index a20087c8..83c0b364 100644
--- a/include/tests_crypto
+++ b/include/tests_crypto
@@ -65,9 +65,9 @@
done
if [ ${FOUNDPROBLEM} -eq 0 ]; then
- Display --indent 2 --text "- Checking SSL certificate expiration..." --result OK --color GREEN
+ Display --indent 2 --text "- Checking SSL certificate expiration" --result OK --color GREEN
else
- Display --indent 2 --text "- Checking SSL certificate expiration..." --result WARNING --color RED
+ Display --indent 2 --text "- Checking SSL certificate expiration" --result WARNING --color RED
ReportWarning ${TEST_NO} "M" "One or more SSL certificates expired"
fi
fi
diff --git a/include/tests_custom.template b/include/tests_custom.template
index b6686494..c21b6a5c 100644
--- a/include/tests_custom.template
+++ b/include/tests_custom.template
@@ -40,10 +40,10 @@
logtext "Test: checking something"
ReportWarning ${TEST_NO} "M" "Test warning"
if [ ${FOUND} -eq 0 ]; then
- Display --indent 4 --text "- Performing custom test 1..." --result OK --color GREEN
+ Display --indent 4 --text "- Performing custom test 1" --result OK --color GREEN
logtext "Result: the test looks great!"
else
- Display --indent 4 --text "- Performing custom test 1..." --result WARNING --color RED
+ Display --indent 4 --text "- Performing custom test 1" --result WARNING --color RED
logtext "Result: hmm bad result of this test :("
ReportSuggestion ${TEST_NO} "This could be better!"
fi
diff --git a/include/tests_databases b/include/tests_databases
index da0a3a07..4b5a8052 100644
--- a/include/tests_databases
+++ b/include/tests_databases
@@ -37,10 +37,10 @@
if [ ${SKIPTEST} -eq 0 ]; then
FIND=`${PSBINARY} ax | egrep "mysqld|mysqld_safe" | grep -v "grep"`
if [ "${FIND}" = "" ]; then
- Display --indent 2 --text "- MySQL process status..." --result "NOT FOUND" --color WHITE
+ Display --indent 2 --text "- MySQL process status" --result "NOT FOUND" --color WHITE
logtext "Result: MySQL process not active"
else
- Display --indent 2 --text "- MySQL process status..." --result "FOUND" --color GREEN
+ Display --indent 2 --text "- MySQL process status" --result "FOUND" --color GREEN
logtext "Result: MySQL is active"
MYSQL_RUNNING=1
fi
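Review bot: The process check ``FIND=`${PSBINARY} ax | egrep "mysqld|mysqld_safe" | grep -v "grep"` `` matches any command line that contains the string mysqld, so an unrelated process (an editor or a tail on a mysqld log file, for example) sets MYSQL_RUNNING=1, and that flag is a prerequisite of the DBS-1816 root-password test in the next hunk. The alternation is also redundant, since `mysqld` already matches `mysqld_safe`. The same substring approach is used for PostgreSQL (`grep "postgres:"`) and Oracle (`egrep "ora_pmon|ora_smon|tnslsnr"`) later in this file. tests_file_integrity calls `IsRunning ossec-syscheckd` and then tests `${RUNNING}`; if that helper matches process names more strictly, `IsRunning mysqld` followed by `if [ ${RUNNING} -eq 1 ]; then` would make these tests consistent with it.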
@@ -70,19 +70,19 @@
if [ ! "${MYSQLCLIENTBINARY}" = "" -a ${MYSQL_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no DBS-1816 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking MySQL root password"
if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: Trying to login to local MySQL server without password"
- FIND=`${MYSQLCLIENTBINARY} -u root --password= --silent --batch --execute="" 2> /dev/null; echo $?`
- if [ "${FIND}" = "0" ]; then
- logtext "Result: Login succeeded, no MySQL root password set!"
- ReportWarning ${TEST_NO} "H" "No MySQL root password set"
- ReportSuggestion ${TEST_NO} "Use mysqladmin to set a MySQL root password (mysqladmin -u root -p password MYPASSWORD)"
- Display --indent 4 --text "- Checking empty MySQL root password" --result WARNING --color RED
- AddHP 0 5
- else
- logtext "Result: Login did not succeed, so a MySQL root password is set"
- Display --indent 4 --text "- Checking MySQL root password" --result OK --color GREEN
- AddHP 2 2
- fi
+ logtext "Test: Trying to login to local MySQL server without password"
+ FIND=`${MYSQLCLIENTBINARY} -u root --password= --silent --batch --execute="" 2> /dev/null; echo $?`
+ if [ "${FIND}" = "0" ]; then
+ logtext "Result: Login succeeded, no MySQL root password set!"
+ ReportWarning ${TEST_NO} "H" "No MySQL root password set"
+ ReportSuggestion ${TEST_NO} "Use mysqladmin to set a MySQL root password (mysqladmin -u root -p password MYPASSWORD)"
+ Display --indent 4 --text "- Checking empty MySQL root password" --result WARNING --color RED
+ AddHP 0 5
+ else
+ logtext "Result: Login did not succeed, so a MySQL root password is set"
+ Display --indent 4 --text "- Checking MySQL root password" --result OK --color GREEN
+ AddHP 2 2
+ fi
else
logtext "Test skipped, MySQL daemon not running or no MySQL client available"
fi
@@ -93,15 +93,15 @@
# Description : Check if PostgreSQL is being used
Register --test-no DBS-1826 --weight L --network NO --description "Checking active PostgreSQL processes"
if [ ${SKIPTEST} -eq 0 ]; then
- FIND=`${PSBINARY} ax | grep "postgres:" | grep -v "grep"`
- if [ "${FIND}" = "" ]; then
- Display --indent 2 --text "- PostgreSQL processes status..." --result "NOT FOUND" --color WHITE
- logtext "Result: PostgreSQL process not active"
- else
- Display --indent 2 --text "- PostgreSQL processes status..." --result "FOUND" --color GREEN
- logtext "Result: PostgreSQL is active"
- POSTGRESQL_RUNNING=1
- fi
+ FIND=`${PSBINARY} ax | grep "postgres:" | grep -v "grep"`
+ if [ "${FIND}" = "" ]; then
+ Display --indent 2 --text "- PostgreSQL processes status" --result "NOT FOUND" --color WHITE
+ logtext "Result: PostgreSQL process not active"
+ else
+ Display --indent 2 --text "- PostgreSQL processes status" --result "FOUND" --color GREEN
+ logtext "Result: PostgreSQL is active"
+ POSTGRESQL_RUNNING=1
+ fi
fi
#
#################################################################################
@@ -120,10 +120,10 @@
if [ ${SKIPTEST} -eq 0 ]; then
FIND=`${PSBINARY} ax | egrep "ora_pmon|ora_smon|tnslsnr" | grep -v "grep"`
if [ "${FIND}" = "" ]; then
- Display --indent 2 --text "- Oracle processes status..." --result "NOT FOUND" --color WHITE
+ Display --indent 2 --text "- Oracle processes status" --result "NOT FOUND" --color WHITE
logtext "Result: Oracle process(es) not active"
else
- Display --indent 2 --text "- Oracle processes status..." --result "FOUND" --color GREEN
+ Display --indent 2 --text "- Oracle processes status" --result "FOUND" --color GREEN
logtext "Result: Oracle is active"
ORACLE_RUNNING=1
fi
diff --git a/include/tests_file_integrity b/include/tests_file_integrity
index 4b0e1792..506a87e1 100644
--- a/include/tests_file_integrity
+++ b/include/tests_file_integrity
@@ -19,7 +19,7 @@
#################################################################################
#
InsertSection "Software: file integrity"
- Display --indent 2 --text "- Checking file integrity tools..."
+ Display --indent 2 --text "- Checking file integrity tools"
# Test : FINT-4310
@@ -30,10 +30,10 @@
if [ ! "${AFICKBINARY}" = "" ]; then
logtext "Result: AFICK is installed (${AFICKBINARY})"
FILE_INT_TOOL_FOUND=1
- Display --indent 4 --text "- AFICK..." --result FOUND --color GREEN
+ Display --indent 4 --text "- AFICK" --result FOUND --color GREEN
else
logtext "Result: AFICK is not installed"
- Display --indent 4 --text "- AFICK..." --result "NOT FOUND" --color WHITE
+ Display --indent 4 --text "- AFICK" --result "NOT FOUND" --color WHITE
fi
fi
#
@@ -47,10 +47,10 @@
if [ ! "${AIDEBINARY}" = "" ]; then
logtext "Result: AIDE is installed (${AIDEBINARY})"
FILE_INT_TOOL_FOUND=1
- Display --indent 4 --text "- AIDE..." --result FOUND --color GREEN
+ Display --indent 4 --text "- AIDE" --result FOUND --color GREEN
else
logtext "Result: AIDE is not installed"
- Display --indent 4 --text "- AIDE..." --result "NOT FOUND" --color WHITE
+ Display --indent 4 --text "- AIDE" --result "NOT FOUND" --color WHITE
fi
fi
#
@@ -112,10 +112,10 @@
if [ ! "${OSIRISBINARY}" = "" ]; then
logtext "Result: Osiris is installed (${OSIRISBINARY})"
FILE_INT_TOOL_FOUND=1
- Display --indent 4 --text "- Osiris..." --result FOUND --color GREEN
+ Display --indent 4 --text "- Osiris" --result FOUND --color GREEN
else
logtext "Result: Osiris is not installed"
- Display --indent 4 --text "- Osiris..." --result "NOT FOUND" --color WHITE
+ Display --indent 4 --text "- Osiris" --result "NOT FOUND" --color WHITE
fi
fi
#
@@ -129,10 +129,10 @@
if [ ! "${SAMHAINBINARY}" = "" ]; then
logtext "Result: Samhain is installed (${SAMHAINBINARY})"
FILE_INT_TOOL_FOUND=1
- Display --indent 4 --text "- Samhain..." --result FOUND --color GREEN
+ Display --indent 4 --text "- Samhain" --result FOUND --color GREEN
else
logtext "Result: Samhain is not installed"
- Display --indent 4 --text "- Samhain..." --result "NOT FOUND" --color WHITE
+ Display --indent 4 --text "- Samhain" --result "NOT FOUND" --color WHITE
fi
fi
#
@@ -146,10 +146,10 @@
if [ ! "${TRIPWIREBINARY}" = "" ]; then
logtext "Result: Tripwire is installed (${TRIPWIREBINARY})"
FILE_INT_TOOL_FOUND=1
- Display --indent 4 --text "- Tripwire..." --result FOUND --color GREEN
+ Display --indent 4 --text "- Tripwire" --result FOUND --color GREEN
else
logtext "Result: Tripwire is not installed"
- Display --indent 4 --text "- Tripwire..." --result "NOT FOUND" --color WHITE
+ Display --indent 4 --text "- Tripwire" --result "NOT FOUND" --color WHITE
fi
fi
#
@@ -163,9 +163,9 @@
IsRunning ossec-syscheckd
if [ ${RUNNING} -eq 1 ]; then
FILE_INT_TOOL_FOUND=1
- Display --indent 4 --text "- OSSEC (syscheck)..." --result FOUND --color GREEN
+ Display --indent 4 --text "- OSSEC (syscheck)" --result FOUND --color GREEN
else
- Display --indent 4 --text "- OSSEC (syscheck)..." --result "NOT FOUND" --color WHITE
+ Display --indent 4 --text "- OSSEC (syscheck)" --result "NOT FOUND" --color WHITE
fi
fi
#
@@ -180,10 +180,10 @@
if [ ! "${MTREEBINARY}" = "" ]; then
logtext "Result: mtree is installed (${MTREEBINARY})"
FILE_INT_TOOL_FOUND=1
- Display --indent 4 --text "- mtree..." --result FOUND --color GREEN
+ Display --indent 4 --text "- mtree" --result FOUND --color GREEN
else
logtext "Result: mtree is not installed"
- Display --indent 4 --text "- mtree..." --result "NOT FOUND" --color WHITE
+ Display --indent 4 --text "- mtree" --result "NOT FOUND" --color WHITE
fi
fi
#
@@ -196,11 +196,11 @@
logtext "Test: Check if at least on file integrity tool is available/installed"
if [ ${FILE_INT_TOOL_FOUND} -eq 1 ]; then
logtext "Result: found at least one file integrity tool"
- Display --indent 2 --text "- Checking presence integrity tool..." --result FOUND --color GREEN
+ Display --indent 2 --text "- Checking presence integrity tool" --result FOUND --color GREEN
AddHP 5 5
else
logtext "Result: No file integrity tools found"
- Display --indent 2 --text "- Checking presence integrity tool..." --result "NOT FOUND" --color YELLOW
+ Display --indent 2 --text "- Checking presence integrity tool" --result "NOT FOUND" --color YELLOW
ReportSuggestion ${TEST_NO} "Install a file integrity tool"
AddHP 0 5
fi
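Review bot: FILE_INT_TOOL_FOUND is set as soon as a binary exists (`[ ! "${AIDEBINARY}" = "" ]` and the sibling tests for AFICK, Osiris, Samhain, Tripwire and mtree), and this summary then awards `AddHP 5 5`. Nothing visible in these hunks checks that a baseline database was initialised or that the tool runs on a schedule; only the OSSEC test uses `IsRunning`. I would at least say so in the log, e.g. `logtext "Result: found at least one file integrity tool (installed; configuration and baseline not verified)"`, so the report does not read as confirmation that integrity monitoring is active. The test line also has a typo: "at least on file integrity tool" should read "at least one".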
diff --git a/include/tests_file_permissions b/include/tests_file_permissions
index b0ea1d73..0be42da9 100644
--- a/include/tests_file_permissions
+++ b/include/tests_file_permissions
@@ -18,7 +18,7 @@
#
#################################################################################
#
- InsertSection "System Tools"
+ InsertSection "File Permissions"
#
#################################################################################
#
@@ -26,7 +26,7 @@
# Description : Perform file permissions check
Register --test-no FILE-7524 --weight L --network NO --description "Perform file permissions check"
if [ ${SKIPTEST} -eq 0 ]; then
- Display --indent 2 --text "- Starting file permissions check..."
+ Display --indent 2 --text "- Starting file permissions check"
logtext "Test: Checking file permissions"
logtext "Using profile ${PROFILE} for baseline."
FIND=`cat ${PROFILE} | egrep '^permfile:|^permdir:' | cut -d: -f2`
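Review bot: `${PROFILE}` is unquoted and piped through cat in ``FIND=`cat ${PROFILE} | egrep '^permfile:|^permdir:' | cut -d: -f2` ``. A profile path containing a space is split into several arguments, FIND comes back empty, and the loop in the next hunk then checks no files at all. Reading the file directly avoids both the extra process and the splitting: ``FIND=`egrep '^permfile:|^permdir:' "${PROFILE}" | cut -d: -f2` ``. The same quoting applies to `logtext "Using profile ${PROFILE} for baseline."` only if logtext is ever called with the variable outside quotes.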
@@ -37,17 +37,17 @@
logtext " Actual permissions: ${FILEVALUE}"
logtext " Result: $PERMS"
if [ "${PERMS}" = "FILE_NOT_FOUND" ]; then
- Display --indent 4 --text "${I}" --result "NOT FOUND" --color WHITE
- elif [ "${PERMS}" = "OK" ]; then
- Display --indent 4 --text "${I}" --result OK --color GREEN
- elif [ "${PERMS}" = "BAD" ]; then
- Display --indent 4 --text "${I}" --result WARNING --color RED
- ReportWarning ${TEST_NO} "M" "Incorrect permissions for file ${I}"
- else
- logtext "UNKNOWN status for file"
- fi
+ Display --indent 4 --text "${I}" --result "NOT FOUND" --color WHITE
+ elif [ "${PERMS}" = "OK" ]; then
+ Display --indent 4 --text "${I}" --result OK --color GREEN
+ elif [ "${PERMS}" = "BAD" ]; then
+ Display --indent 4 --text "${I}" --result WARNING --color RED
+ ReportWarning ${TEST_NO} "M" "Incorrect permissions for file ${I}"
+ else
+ logtext "UNKNOWN status for file"
+ fi
done
- fi
+ fi
#
#################################################################################
#
diff --git a/include/tests_filesystems b/include/tests_filesystems
index 82b3f0b1..5b9710eb 100644
--- a/include/tests_filesystems
+++ b/include/tests_filesystems
@@ -40,16 +40,16 @@
logtext "Test: Checking if ${I} is mounted separately or mounted on / file system"
if [ -L ${I} ]; then
logtext "Result: ${I} is a symlink. Manual check required to determine exact file system"
- Display --indent 4 --text "- Checking ${I} mount point..." --result SYMLINK --color WHITE
+ Display --indent 4 --text "- Checking ${I} mount point" --result SYMLINK --color WHITE
elif [ -d ${I} ]; then
logtext "Result: directory ${I} exists"
FIND=`mount | grep "${I}"`
if [ ! "${FIND}" = "" ]; then
logtext "Result: found ${I} as a separated mount point"
- Display --indent 4 --text "- Checking ${I} mount point..." --result OK --color GREEN
+ Display --indent 4 --text "- Checking ${I} mount point" --result OK --color GREEN
else
logtext "Result: ${I} not found in mount list. Directory most likely stored on / file system"
- Display --indent 4 --text "- Checking ${I} mount point..." --result SUGGESTION --color YELLOW
+ Display --indent 4 --text "- Checking ${I} mount point" --result SUGGESTION --color YELLOW
ReportSuggestion ${TEST_NO} "To decrease the impact of a full ${I} file system, place ${I} on a separated partition"
fi
else
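Review bot: ``FIND=`mount | grep "${I}"` `` is a substring match on the whole mount line, so a mount of a longer path, or a device name that contains the string, is reported as OK. For a directory such as /var, a separately mounted /var/log is enough to log "found /var as a separated mount point". Comparing the mount-point field is stricter, for example ``FIND=`mount | awk -v m="${I}" '$3 == m'` ``; the field number assumes the "device on /path" layout and needs checking on platforms whose mount prints the mount point first. `[ -L ${I} ]` and `[ -d ${I} ]` should also quote `${I}`. The loop that sets I starts outside the hunk.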
@@ -79,10 +79,10 @@
report "lvm_volume_group[]=${I}"
done
LVM_VG_USED=1
- Display --indent 2 --text "- Checking LVM volume groups..." --result FOUND --color GREEN
+ Display --indent 2 --text "- Checking LVM volume groups" --result FOUND --color GREEN
else
logtext "Result: no LVM volume groups found"
- Display --indent 2 --text "- Checking LVM volume groups..." --result NONE --color WHITE
+ Display --indent 2 --text "- Checking LVM volume groups" --result NONE --color WHITE
fi
fi
#
@@ -101,10 +101,10 @@
logtext "Found LVM volume: ${I}"
report "lvm_volume[]=${I}"
done
- Display --indent 4 --text "- Checking LVM volumes..." --result FOUND --color GREEN
+ Display --indent 4 --text "- Checking LVM volumes" --result FOUND --color GREEN
else
logtext "Result: no LVM volume groups found"
- Display --indent 4 --text "- Checking LVM volumes..." --result NONE --color WHITE
+ Display --indent 4 --text "- Checking LVM volumes" --result NONE --color WHITE
fi
fi
#
@@ -144,10 +144,10 @@
logtext "Test: Query /etc/fstab for available FFS/UFS mount points"
FIND=`awk '{ if ($3 == "ufs" || $3 == "ffs" ) { print $1":"$2":"$3":"$4":" }}' /etc/fstab`
if [ "${FIND}" = "" ]; then
- Display --indent 2 --text "- Querying FFS/UFS mount points (fstab)..." --result NONE --color WHITE
+ Display --indent 2 --text "- Querying FFS/UFS mount points (fstab)" --result NONE --color WHITE
logtext "Result: unable to find any single mount point (FFS/UFS)"
else
- Display --indent 2 --text "- Querying FFS/UFS mount points (fstab)..." --result FOUND --color GREEN
+ Display --indent 2 --text "- Querying FFS/UFS mount points (fstab)" --result FOUND --color GREEN
report "filesystem[]=ufs"
for I in ${FIND}; do
logtext "FFS/UFS mount found: ${I}"
@@ -165,10 +165,10 @@
logtext "Test: Query /etc/fstab for available ZFS mount points"
FIND=`mount -p | awk '{ if ($3 == "zfs") { print $1":"$2":"$3":"$4":" }}'`
if [ "${FIND}" = "" ]; then
- Display --indent 2 --text "- Querying ZFS mount points (mount -p)..." --result NONE --color WHITE
+ Display --indent 2 --text "- Querying ZFS mount points (mount -p)" --result NONE --color WHITE
logtext "Result: unable to find any single mount point (ZFS)"
else
- Display --indent 2 --text "- Querying ZFS mount points (mount -p)..." --result FOUND --color GREEN
+ Display --indent 2 --text "- Querying ZFS mount points (mount -p)" --result FOUND --color GREEN
report "filesystem[]=zfs"
for I in ${FIND}; do
logtext "ZFS mount found: ${I}"
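Review bot: The test logs `"Test: Query /etc/fstab for available ZFS mount points"`, but the command on the next line reads the output of `mount -p`, not /etc/fstab; the Display text in the same block already says "(mount -p)". `logtext "Test: Query mount -p for available ZFS mount points"` keeps the log consistent with what was actually run. The loop over FIND continues outside the hunk.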
@@ -206,9 +206,9 @@
report "swap_partition[]=${I}"
done
if [ ${FOUND} -eq 1 ]; then
- Display --indent 2 --text "- Query swap partitions (fstab)..." --result OK --color GREEN
+ Display --indent 2 --text "- Query swap partitions (fstab)" --result OK --color GREEN
else
- Display --indent 2 --text "- Query swap partitions (fstab)..." --result WARNING --color YELLOW
+ Display --indent 2 --text "- Query swap partitions (fstab)" --result WARNING --color YELLOW
ReportWarning ${TEST_NO} "L" "No swap partion found in /etc/fstab"
logtext "Result: no swap partitions found in /etc/fstab"
fi
@@ -225,10 +225,10 @@
logtext "Test: check swap partitions with incorrect mount options"
FIND=`awk '{ if ($3=="swap" && ($4!="sw" && $4!="swap" && $4!="defaults")) print $1 }' /etc/fstab`
if [ "${FIND}" = "" ]; then
- Display --indent 2 --text "- Testing swap partitions..." --result OK --color GREEN
+ Display --indent 2 --text "- Testing swap partitions" --result OK --color GREEN
logtext "Result: all swap partitions have correct options (sw or swap)"
else
- Display --indent 2 --text "- Testing swap partitions..." --result WARNING --color RED
+ Display --indent 2 --text "- Testing swap partitions" --result WARNING --color RED
logtext "Result: possible incorrect mount options used for mounting swap partition (${FIND})"
#ReportWarning ${TEST_NO} "L" "Possible incorrect mount options used for swap parition (${FIND})"
ReportSuggestion ${TEST_NO} "Check your /etc/fstab file. Swap partition usually have 'sw' or 'swap' in the options field (4th)."
@@ -242,14 +242,14 @@
if [ -d /tmp ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no FILE-6354 --preqs-met ${PREQS_MET} --weight L --network NO --description "Searching for old files in /tmp"
if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: Searching for old files in /tmp..."
+ logtext "Test: Searching for old files in /tmp"
# Search for files only in /tmp, with an access time older than X days
FIND=`find /tmp -type f -atime +${TMP_OLD_DAYS} 2> /dev/null | sed 's/ /!space!/g'`
if [ "${FIND}" = "" ]; then
- Display --indent 2 --text "- Checking for old files in /tmp..." --result OK --color GREEN
+ Display --indent 2 --text "- Checking for old files in /tmp" --result OK --color GREEN
logtext "Result: no files found in /tmp which are older than 3 months"
else
- Display --indent 2 --text "- Checking for old files in /tmp..." --result WARNING --color RED
+ Display --indent 2 --text "- Checking for old files in /tmp" --result WARNING --color RED
N=0
for I in ${FIND}; do
FILE=`echo ${I} | sed 's/!space!/ /g'`
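Review bot: File names under /tmp can be chosen by any local user, and `for I in ${FIND}` expands them unquoted, so a name containing `*` or `?` is glob-expanded before it is logged; the `!space!` substitution only protects spaces. Disabling pathname expansion around the loop (`set -f` before the `for`, `set +f` after `done`) and quoting the expansion, ``FILE=`echo "${I}" | sed 's/!space!/ /g'` ``, keeps each reported name equal to what find returned; names containing a newline would still be split. Separately, the OK branch logs "older than 3 months" while the threshold is `${TMP_OLD_DAYS}`; `logtext "Result: no files found in /tmp which are older than ${TMP_OLD_DAYS} days"` would match the command. The loop body continues outside the hunk.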
@@ -275,7 +275,7 @@
#for I in ${SKELDIRS}; do
#
- # logtext "Searching skel directory ${I}..."
+ # logtext "Searching skel directory ${I}"
#
# if [ -d ${I} ]; then
# logtext "Result: Directory found, scanning for unsafe file permissions"
@@ -283,20 +283,20 @@
# if [ ! "${FIND}" = "0" ]; then
# FIND=`find ${I} -type f -a \( -perm -004 -o -perm -002 -o -perm -001 \)`
# if [ "${FIND}" = "" ]; then
- # Display --indent 2 --text "- Checking skel file permissions (${I})..." --result OK --color GREEN
+ # Display --indent 2 --text "- Checking skel file permissions (${I})" --result OK --color GREEN
# logtext "Result: Directory seems to be ok, no files found with read/write/execute bit set."
# logtext "Status: OK"
- # else
- # Display --indent 2 --text "- Checking skel file permissions (${I})..." --result WARNING --color RED
+ # else
+ # Display --indent 2 --text "- Checking skel file permissions (${I})" --result WARNING --color RED
# logtext "Result: The following files do have non restrictive permissions: ${FIND}"
# ReportSuggestion ${TEST_NO} "Remove the read, write or execute bit from these files (chmod o-rwx)"
- # fi
+ # fi
# else
- # Display --indent 2 --text "- Checking skel file permissions (${I})..." --result EMPTY --color WHITE
- # logtext "Directory ${I} is empty, no scan performed"
+ # Display --indent 2 --text "- Checking skel file permissions (${I})" --result EMPTY --color WHITE
+ # logtext "Directory ${I} is empty, no scan performed"
# fi
# else
- # Display --indent 2 --text "- Checking skel file permissions (${I})..." --result "NOT FOUND" --color WHITE
+ # Display --indent 2 --text "- Checking skel file permissions (${I})" --result "NOT FOUND" --color WHITE
# logtext "Result: Skel directory (${I}) not found"
# fi
#done
@@ -311,11 +311,11 @@
# Depending on OS, number of field with 'tmp' differs
FIND=`ls -l / | tr -s ' ' | awk -F" " '{ if ( $8 == "tmp" || $9 == "tmp" ) { print $1 } }' | cut -c 10`
if [ "${FIND}" = "t" -o "${FIND}" = "T" ]; then
- Display --indent 2 --text "- Checking /tmp sticky bit..." --result OK --color GREEN
+ Display --indent 2 --text "- Checking /tmp sticky bit" --result OK --color GREEN
logtext "Result: Sticky bit (${FIND}) found on /tmp directory"
AddHP 3 3
else
- Display --indent 2 --text "- Checking /tmp sticky bit..." --result WARNING --color RED
+ Display --indent 2 --text "- Checking /tmp sticky bit" --result WARNING --color RED
ReportWarning ${TEST_NO} "H" "No sticky bit found on /tmp directory, which can be dangerous!"
ReportSuggestion ${TEST_NO} "Consult documentation and place the sticky bit, to prevent users deleting (by other owned) files in the /tmp directory."
AddHP 0 3
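Review bot: The sticky-bit check parses `ls -l /` and guesses the name column (`$8` or `$9`), so a listing format with a different number of fields leaves FIND empty and the test raises a high-severity "No sticky bit found" warning on a correctly configured system. Asking for the directory itself does not depend on the column count: ``FIND=`ls -ld /tmp | cut -c 10` ``. The else branch also writes no logtext line, unlike the OK branch, so the log does not record what value was actually read; `logtext "Result: no sticky bit found on /tmp (mode character: ${FIND})"` would help when triaging the warning. The if block is closed outside the hunk.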
@@ -371,11 +371,11 @@
logtext "Result: ACL option NOT enabled on root file system"
logtext "Additional information: if file access need to be more restricted, ACLs could be used. Install the acl utilities and remount the file system with the acl option"
logtext "Activate acl support on and active file system with mount -o remount,acl / and add the acl option to the fstab file"
- Display --indent 2 --text "- ACL support root file system..." --result DISABLED --color YELLOW
+ Display --indent 2 --text "- ACL support root file system" --result DISABLED --color YELLOW
AddHP 0 1
else
logtext "Result: ACL option enabled on root file system"
- Display --indent 2 --text "- ACL support root file system..." --result ENABLED --color GREEN
+ Display --indent 2 --text "- ACL support root file system" --result ENABLED --color GREEN
AddHP 3 3
fi
fi
@@ -396,9 +396,9 @@
if [ ! "${FIND}" = "" ]; then
logtext "Result: mount system / is configured with options: ${FIND}"
if [ "${FIND}" = "defaults" ]; then
- Display --indent 2 --text "- Mount options of /..." --result OK --color GREEN
+ Display --indent 2 --text "- Mount options of /" --result OK --color GREEN
else
- Display --indent 2 --text "- Mount options of /..." --result "NON DEFAULT" --color YELLOW
+ Display --indent 2 --text "- Mount options of /" --result "NON DEFAULT" --color YELLOW
fi
else
logtext "Result: no mount point / or expected options found"
@@ -424,16 +424,16 @@
logtext "Result: mount system /boot is configured with options: ${FIND}"
if [ ${HARDENED} -eq 1 ]; then
logtext "Result: marked /boot options as hardenened"
- Display --indent 2 --text "- Mount options of /boot..." --result HARDENED --color GREEN
+ Display --indent 2 --text "- Mount options of /boot" --result HARDENED --color GREEN
AddHP 5 5
else
if [ "${FIND}" = "defaults" ]; then
logtext "Result: marked /boot options as default (non hardened)"
- Display --indent 2 --text "- Mount options of /boot..." --result DEFAULT --color RED
+ Display --indent 2 --text "- Mount options of /boot" --result DEFAULT --color RED
AddHP 3 5
else
logtext "Result: marked /boot options as non default (unclear about hardening)"
- Display --indent 2 --text "- Mount options of /boot..." --result "NON DEFAULT" --color YELLOW
+ Display --indent 2 --text "- Mount options of /boot" --result "NON DEFAULT" --color YELLOW
AddHP 4 5
fi
fi
@@ -527,11 +527,11 @@
fi
done
if [ ${FOUND} -eq 1 ]; then
- Display --indent 2 --text "- Checking Locate database..." --result FOUND --color GREEN
+ Display --indent 2 --text "- Checking Locate database" --result FOUND --color GREEN
report "locate_db=${LOCATE_DB}"
else
logtext "Result: database not found"
- Display --indent 2 --text "- Checking Locate database..." --result "NOT FOUND" --color YELLOW
+ Display --indent 2 --text "- Checking Locate database" --result "NOT FOUND" --color YELLOW
ReportSuggestion ${TEST_NO} "The database required for 'locate' could not be found. Run 'updatedb' or 'locate.updatedb' to create this file."
fi
fi
diff --git a/include/tests_hardening b/include/tests_hardening
index fe59965e..1afa3d74 100644
--- a/include/tests_hardening
+++ b/include/tests_hardening
@@ -25,17 +25,17 @@
# Description : Check for installed compilers
Register --test-no HRDN-7220 --weight L --network NO --description "Check if one or more compilers are installed"
if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: Check if one or more compilers can be found on the system"
- if [ ${COMPILER_INSTALLED} -eq 0 ]; then
- logtext "Result: no compilers found"
- Display --indent 4 --text "- Installed compiler(s)..." --result "NOT FOUND" --color GREEN
- AddHP 3 3
- else
- logtext "Result: found installed compiler. See top of logfile which compilers have been found or use grep to filter on 'compiler'"
- Display --indent 4 --text "- Installed compiler(s)..." --result "FOUND" --color RED
- ReportSuggestion ${TEST_NO} "Harden the system by removing unneeded compilers. This can decrease the chance of customized trojans, backdoors and rootkits to be compiled and installed"
- AddHP 1 3
- fi
+ logtext "Test: Check if one or more compilers can be found on the system"
+ if [ ${COMPILER_INSTALLED} -eq 0 ]; then
+ logtext "Result: no compilers found"
+ Display --indent 4 --text "- Installed compiler(s)" --result "NOT FOUND" --color GREEN
+ AddHP 3 3
+ else
+ logtext "Result: found installed compiler. See top of logfile which compilers have been found or use grep to filter on 'compiler'"
+ Display --indent 4 --text "- Installed compiler(s)" --result "FOUND" --color RED
+ ReportSuggestion ${TEST_NO} "Harden the system by removing unneeded compilers. This can decrease the chance of customized trojans, backdoors and rootkits to be compiled and installed"
+ AddHP 1 3
+ fi
fi
#
#################################################################################
@@ -44,56 +44,56 @@
# Description : Check for permissions of installed compilers
Register --test-no HRDN-7222 --weight L --network NO --description "Check compiler permissions"
if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: Check if one or more compilers can be found on the system"
- HARDEN_COMPILERS_NEEDED=0
- if [ ${COMPILER_INSTALLED} -eq 0 ]; then
- logtext "Result: no compilers found"
- else
- # as
- if [ ! "${ASBINARY}" = "" ]; then
- logtext "Test: Check file permissions for as (Assembler)"
- IsWorldExecutable ${ASBINARY}
- if [ ${SYMLINK} -eq 0 ]; then
- logtext "Binary: ${ASBINARY} (world executable: ${FileIsWorldExecutable})"
- else
- logtext "Binary: ${GCCBINARY} (symlinked to: ${sFILE}) (world executable: ${FileIsWorldExecutable})"
- fi
+ logtext "Test: Check if one or more compilers can be found on the system"
+ HARDEN_COMPILERS_NEEDED=0
+ if [ ${COMPILER_INSTALLED} -eq 0 ]; then
+ logtext "Result: no compilers found"
+ else
+ # as
+ if [ ! "${ASBINARY}" = "" ]; then
+ logtext "Test: Check file permissions for as (Assembler)"
+ IsWorldExecutable ${ASBINARY}
+ if [ ${SYMLINK} -eq 0 ]; then
+ logtext "Binary: ${ASBINARY} (world executable: ${FileIsWorldExecutable})"
+ else
+ logtext "Binary: ${GCCBINARY} (symlinked to: ${sFILE}) (world executable: ${FileIsWorldExecutable})"
+ fi
if [ ${FileIsWorldExecutable} = "TRUE" ]; then
AddHP 2 3
HARDEN_COMPILERS_NEEDED=1
else
AddHP 3 3
fi
- fi
- # gcc
- if [ ! "${GCCBINARY}" = "" ]; then
- logtext "Test: Check file permissions for GCC compiler"
- IsWorldExecutable ${GCCBINARY}
- if [ ${SYMLINK} -eq 0 ]; then
- logtext "Binary: ${GCCBINARY} (world executable: ${FileIsWorldExecutable})"
- else
- logtext "Binary: ${GCCBINARY} (symlinked to: ${sFILE}) (world executable: ${FileIsWorldExecutable})"
- fi
+ fi
+ # gcc
+ if [ ! "${GCCBINARY}" = "" ]; then
+ logtext "Test: Check file permissions for GCC compiler"
+ IsWorldExecutable ${GCCBINARY}
+ if [ ${SYMLINK} -eq 0 ]; then
+ logtext "Binary: ${GCCBINARY} (world executable: ${FileIsWorldExecutable})"
+ else
+ logtext "Binary: ${GCCBINARY} (symlinked to: ${sFILE}) (world executable: ${FileIsWorldExecutable})"
+ fi
if [ ${FileIsWorldExecutable} = "TRUE" ]; then
AddHP 2 3
HARDEN_COMPILERS_NEEDED=1
else
AddHP 3 3
fi
- fi
- # Report suggestion is one or more compilers can be better hardened
- if [ ${HARDEN_COMPILERS_NEEDED} -eq 1 ]; then
- logtext "Result: at least one compiler could be better hardened by restricting executable access to root or group only"
- ReportSuggestion ${TEST_NO} "Harden compilers and restrict access to world"
- fi
+ fi
+ # Report suggestion is one or more compilers can be better hardened
+ if [ ${HARDEN_COMPILERS_NEEDED} -eq 1 ]; then
+ logtext "Result: at least one compiler could be better hardened by restricting executable access to root or group only"
+ ReportSuggestion ${TEST_NO} "Harden compilers and restrict access to world"
+ fi
- #YYY check if compilers have a specific group (like compiler, or NOT root/wheel)
-# Display --indent 4 --text "- Installed compiler(s)..." --result "FOUND" --color RED
- # /usr/bin/*cc*
- # /usr/bin/*++*
- # /usr/bin/ld
- # (and 700 or 750 permissions)
- fi
+ #YYY check if compilers have a specific group (like compiler, or NOT root/wheel)
+# Display --indent 4 --text "- Installed compiler(s)" --result "FOUND" --color RED
+ # /usr/bin/*cc*
+ # /usr/bin/*++*
+ # /usr/bin/ld
+ # (and 700 or 750 permissions)
+ fi
fi
#
#################################################################################
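Review bot: In the assembler branch the symlink case logs `${GCCBINARY}` instead of `${ASBINARY}`. The line `logtext "Binary: ${GCCBINARY} (symlinked to: ${sFILE}) ..."` sits under `IsWorldExecutable ${ASBINARY}`, so the log names the wrong binary, or an empty string when gcc is not installed. It should read `logtext "Binary: ${ASBINARY} (symlinked to: ${sFILE}) (world executable: ${FileIsWorldExecutable})"`. The two `[ ${FileIsWorldExecutable} = "TRUE" ]` tests are also unquoted and produce a test syntax error if the helper leaves the variable empty; `[ "${FileIsWorldExecutable}" = "TRUE" ]` is safer.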
@@ -102,22 +102,21 @@
# Description : Check for installed malware scanners
Register --test-no HRDN-7230 --weight L --network NO --description "Check for malware scanner"
if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: Check if one or more compilers can be found on the system"
- if [ ${MALWARE_SCANNER_INSTALLED} -eq 1 ]; then
- logtext "Result: found at least one malware scanner"
- Display --indent 4 --text "- Installed malware scanner..." --result "FOUND" --color GREEN
- AddHP 3 3
- else
- logtext "Result: no malware scanner found"
- Display --indent 4 --text "- Installed malware scanner..." --result "NOT FOUND" --color RED
- ReportSuggestion ${TEST_NO} "Harden the system by installing one or malware scanners to perform periodic file system scans"
- AddHP 1 3
- fi
+ logtext "Test: Check if one or more compilers can be found on the system"
+ if [ ${MALWARE_SCANNER_INSTALLED} -eq 1 ]; then
+ logtext "Result: found at least one malware scanner"
+ Display --indent 4 --text "- Installed malware scanner" --result "FOUND" --color GREEN
+ AddHP 3 3
+ else
+ logtext "Result: no malware scanner found"
+ Display --indent 4 --text "- Installed malware scanner" --result "NOT FOUND" --color RED
+ ReportSuggestion ${TEST_NO} "Harden the system by installing one or malware scanners to perform periodic file system scans"
+ AddHP 1 3
+ fi
fi
#
#################################################################################
#
-
# logtext "--------------------------------------------------------------------"
# logtext "| System part | Preferred value | Actual value | Points |"
# logtext "| [!] Compiler installed | 0 | [${COMPILER_INSTALLED}] | x |"
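Review bot: The first log line of HRDN-7230 is copied from the compiler test: `logtext "Test: Check if one or more compilers can be found on the system"` appears under the malware-scanner check. `logtext "Test: Check if a malware scanner is installed"` would describe what is being tested. The suggestion text also drops a word: "installing one or malware scanners" should be "installing one or more malware scanners".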
@@ -126,8 +125,6 @@
# logtext "--------------------------------------------------------------------"
# logtext "| [!]: Hardening possible, [V]: Hardening performed, [ ]: Unknown "
# logtext "--------------------------------------------------------------------"
-
-
#
#################################################################################
#
diff --git a/include/tests_homedirs b/include/tests_homedirs
index 0ec1cad1..4ee3e9b4 100644
--- a/include/tests_homedirs
+++ b/include/tests_homedirs
@@ -25,7 +25,6 @@
# Ignore some top level directories (not the sub directories below)
IGNORE_HOME_DIRS="/bin /boot /cdrom /dev /etc /home /lib /lib64 /media /mnt
/opt /proc /sbin /selinux /srv /sys /tmp /usr /var"
-
#
#################################################################################
#
@@ -34,18 +33,18 @@
# Description : Create list with home directories
Register --test-no HOME-9302 --weight L --network NO --description "Create list with home directories"
if [ ${SKIPTEST} -eq 0 ]; then
- # Read sixth field of /etc/passwd
- logtext "Test: query /etc/passwd to obtain home directories"
+ # Read sixth field of /etc/passwd
+ logtext "Test: query /etc/passwd to obtain home directories"
FIND=`${AWKBINARY} -F: '{ if ($1 !~ "#") print $6 }' /etc/passwd | sort | uniq`
- for I in ${FIND}; do
- if [ -d ${I} ]; then
- logtext "Result: found home directory: ${I} (directory exists)"
- report "home_directory[]=${I}"
- else
- logtext "Result: found home directory: ${I} (directory does not exist)"
- fi
- done
- fi
+ for I in ${FIND}; do
+ if [ -d ${I} ]; then
+ logtext "Result: found home directory: ${I} (directory exists)"
+ report "home_directory[]=${I}"
+ else
+ logtext "Result: found home directory: ${I} (directory does not exist)"
+ fi
+ done
+ fi
#
#################################################################################
#
@@ -53,28 +52,28 @@
# Description : Check for suspicious shell history files
Register --test-no HOME-9310 --weight L --network NO --description "Checking for suspicious shell history files"
if [ ${SKIPTEST} -eq 0 ]; then
- if [ ! "${HOMEDIRS}" = "" ]; then
- if [ "${OS}" = "Solaris" ]; then
- # Solaris doesn't support -maxdepth
- FIND=`find ${HOMEDIRS} -name ".*history" -not -type f -print`
- else
- FIND=`find ${HOMEDIRS} -maxdepth 1 -name ".*history" -not -type f -print`
- fi
- if [ "${FIND}" = "" ]; then
- Display --indent 2 --text "- Checking shell history files... " --result OK --color GREEN
- logtext "Result: Ok, history files are type 'file'."
- else
- Display --indent 2 --text "- Checking shell history files... " --result WARNING --color RED
- logtext "Result: the following files seem to be of the wrong file type:"
- logtext "Output: ${FIND}"
- logtext "Info: above files could be redirected files to avoid logging and should be investigated"
- ReportWarning ${TEST_NO} "M" "Incorrect file type found for shell history file"
- fi
- logtext "Remarks: ${HOME_HISTORY_LOG_TEXT}"
+ if [ ! "${HOMEDIRS}" = "" ]; then
+ if [ "${OS}" = "Solaris" ]; then
+ # Solaris doesn't support -maxdepth
+ FIND=`find ${HOMEDIRS} -name ".*history" -not -type f -print`
+ else
+ FIND=`find ${HOMEDIRS} -maxdepth 1 -name ".*history" -not -type f -print`
+ fi
+ if [ "${FIND}" = "" ]; then
+ Display --indent 2 --text "- Checking shell history files" --result OK --color GREEN
+ logtext "Result: Ok, history files are type 'file'."
+ else
+ Display --indent 2 --text "- Checking shell history files" --result WARNING --color RED
+ logtext "Result: the following files seem to be of the wrong file type:"
+ logtext "Output: ${FIND}"
+ logtext "Info: above files could be redirected files to avoid logging and should be investigated"
+ ReportWarning ${TEST_NO} "M" "Incorrect file type found for shell history file"
+ fi
+ logtext "Remarks: ${HOME_HISTORY_LOG_TEXT}"
else
- Display --indent 2 --text "- Checking shell history files... " --result SKIPPED --color WHITE
- logtext "Result: Homedirs is empty, test will be skipped"
- fi
+ Display --indent 2 --text "- Checking shell history files" --result SKIPPED --color WHITE
+ logtext "Result: Homedirs is empty, test will be skipped"
+ fi
fi
#
#################################################################################
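Review bot: The Solaris branch avoids `-maxdepth` but keeps `-not`, which is likewise an extension rather than POSIX; the portable spelling is `!`. If the native find rejects the option, FIND stays empty and the test displays OK, so a history file replaced by a symlink or device node would go unreported on that platform. Using `find ${HOMEDIRS} -name ".*history" ! -type f -print` (plus `-maxdepth 1` where supported) avoids that. Which find implementations the project targets is not visible here, so this needs confirming on a Solaris host.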
@@ -103,7 +102,7 @@
fi
#YYY
- #echo -n " - Checking PATH variable vulnerabilities... "
+ #echo -n " - Checking PATH variable vulnerabilities"
#
#FIND=`find ${HOMEDIRS} -name * | grep -r 'PATH=' | egrep '=.:|:.:|:.;' | grep -v 'CDPATH'`
#if [ "${FIND}" = "" ]
diff --git a/include/tests_insecure_services b/include/tests_insecure_services
index b0e6bae9..b55cfae6 100644
--- a/include/tests_insecure_services
+++ b/include/tests_insecure_services
@@ -32,16 +32,16 @@
Register --test-no INSE-8002 --weight L --network NO --description "Check for enabled inet daemon"
if [ ${SKIPTEST} -eq 0 ]; then
# Check running processes
- logtext "Test: Searching for active inet daemon..."
+ logtext "Test: Searching for active inet daemon"
IsRunning inetd
if [ ${RUNNING} -eq 1 ]; then
logtext "Result: inetd is running"
- Display --indent 2 --text "- Checking inetd status..." --result ACTIVE --color GREEN
+ Display --indent 2 --text "- Checking inetd status" --result ACTIVE --color GREEN
#YYY perform manual check
INETD_ACTIVE=1
else
logtext "Result: inetd is NOT running"
- Display --indent 2 --text "- Checking inetd status..." --result "NOT ACTIVE" --color GREEN
+ Display --indent 2 --text "- Checking inetd status" --result "NOT ACTIVE" --color GREEN
fi
fi
#
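Review bot: A running inetd is displayed with `--color GREEN`, the same colour as the NOT ACTIVE branch, so the screen output reads as a pass in both cases. This file audits insecure services and the branch carries a `#YYY perform manual check` marker, so a neutral or attention colour such as `--result ACTIVE --color YELLOW` would fit the intent better. A one-line comment on `INETD_ACTIVE=1` saying which later tests read it would also help; its consumers are outside this hunk.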
@@ -53,13 +53,13 @@
Register --test-no INSE-8004 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check for enabled inet daemon"
if [ ${SKIPTEST} -eq 0 ]; then
# Check configuration file
- logtext "Test: Searching for file ${INETD_CONFIG_FILE}..."
+ logtext "Test: Searching for file ${INETD_CONFIG_FILE}"
if [ -f ${INETD_CONFIG_FILE} ]; then
logtext "Result: ${INETD_CONFIG_FILE} exists"
- Display --indent 4 --text "- Checking inetd.conf..." --result FOUND --color WHITE
+ Display --indent 4 --text "- Checking inetd.conf" --result FOUND --color WHITE
else
logtext "Result: ${INETD_CONFIG_FILE} does not exist"
- Display --indent 4 --text "- Checking inetd.conf..." --result "NOT FOUND" --color WHITE
+ Display --indent 4 --text "- Checking inetd.conf" --result "NOT FOUND" --color WHITE
fi
# YYY immutable bit could be set
# YYY permission check (already set in profile)
@@ -76,9 +76,9 @@
logtext "Test: check if all services are disabled if inetd is disabled"
FIND=`cat ${INETD_CONFIG_FILE} | grep -v "^#" | grep -v "^$"`
if [ "${FIND}" = "" ]; then
- Display --indent 4 --text "- Checking inetd.conf services..." --result OK --color GREEN
+ Display --indent 4 --text "- Checking inetd.conf services" --result OK --color GREEN
else
- Display --indent 4 --text "- Checking inetd.conf services..." --result SUGGESTION --color YELLOW
+ Display --indent 4 --text "- Checking inetd.conf services" --result SUGGESTION --color YELLOW
ReportSuggestion ${TEST_NO} "Although inetd is not running, make sure no services are enabled in ${INETD_CONFIG_FILE}"
fi
fi
@@ -94,11 +94,11 @@
FIND=`grep "^telnet" ${INETD_CONFIG_FILE}`
if [ "${FIND}" = "" ]; then
logtext "Result: telnet not enabled in ${INETD_CONFIG_FILE}"
- Display --indent 2 --text "- Checking inetd (telnet)..." --result "NOT FOUND" --color GREEN
+ Display --indent 2 --text "- Checking inetd (telnet)" --result "NOT FOUND" --color GREEN
AddHP 3 3
else
logtext "Result: telnet enabled in ${INETD_CONFIG_FILE}"
- Display --indent 2 --text "- Checking inetd (telnet)..." --result WARNING --color RED
+ Display --indent 2 --text "- Checking inetd (telnet)" --result WARNING --color RED
ReportSuggestion "${TEST_NO}" "Disable telnet in inetd configuration and use SSH instead"
AddHP 1 3
fi
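Review bot: When telnet is enabled the screen shows `--result WARNING --color RED`, but the report only receives a `ReportSuggestion`, so anything consuming the report file sees a lower severity than the operator does. Other tests in this commit pair a red WARNING with `ReportWarning` (LOGG-2130, for example); adding `ReportWarning ${TEST_NO} "M" "telnet enabled in inetd configuration"` next to the suggestion would keep them consistent. The match `grep "^telnet"` also accepts any service name that merely starts with telnet. The enclosing test starts outside this hunk.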
diff --git a/include/tests_kernel b/include/tests_kernel
index a0107973..ae3b8c30 100644
--- a/include/tests_kernel
+++ b/include/tests_kernel
@@ -45,11 +45,11 @@
FIND2=`echo ${FIND} | egrep "runlevel5|graphical"`
if [ ! "${FIND2}" = "" ]; then
logtext "Result: Found match on runlevel5/graphical"
- Display --indent 2 --text "- Checking default runlevel..." --result "runlevel 5" --color GREEN
+ Display --indent 2 --text "- Checking default runlevel" --result "runlevel 5" --color GREEN
report "linux_default_runlevel=5"
else
logtext "Result: No match found on runlevel, defaulting to runlevel 3"
- Display --indent 2 --text "- Checking default runlevel..." --result "runlevel 3" --color GREEN
+ Display --indent 2 --text "- Checking default runlevel" --result "runlevel 3" --color GREEN
report "linux_default_runlevel=3"
fi
fi
@@ -62,13 +62,13 @@
logtext "Test: Checking /etc/inittab"
if [ -f /etc/inittab ]; then
logtext "Result: file /etc/inittab found"
- logtext "Test: Checking default Linux run level..."
+ logtext "Test: Checking default Linux run level"
FIND=`awk -F: '/^id/ { print $2; }' /etc/inittab | head -n 1`
if [ "${FIND}" = "" ]; then
Display --indent 2 --text "- Checking default runlevel" --result UNKNOWN --color YELLOW
logtext "Result: Can't determine default run level from /etc/inittab"
else
- Display --indent 2 --text "- Checking default run level..." --result "${FIND}" --color GREEN
+ Display --indent 2 --text "- Checking default run level" --result "${FIND}" --color GREEN
logtext "Found default run level '${FIND}'"
report "linux_default_runlevel=${FIND}"
fi
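Review bot: The label is normalised here to `- Checking default run level`, while the UNKNOWN branch a few lines above in the same test, and the previous hunk, use `- Checking default runlevel`. The `who -r` fallback in the next hunk has the same two-word spelling. Picking one form throughout, e.g. `--text "- Checking default runlevel"`, keeps the screen output consistent and makes it easier to grep saved scan output for this check.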
@@ -79,16 +79,16 @@
FIND=`who -r | awk '{ if ($1=="run-level") { print $2 } }'`
if [ ! "${FIND}" = "" ]; then
logtext "Result: Found default run level '${FIND}'"
- report "linux_default_runlevel=${FIND}"
- Display --indent 2 --text "- Checking default run level..." --result "RUNLEVEL ${FIND}" --color GREEN
- else
- logtext "Result: Can't determine default run level from who -r"
- Display --indent 2 --text "- Checking default run level..." --result UNKNOWN --color YELLOW
- fi
- fi
- fi
+ report "linux_default_runlevel=${FIND}"
+ Display --indent 2 --text "- Checking default run level" --result "RUNLEVEL ${FIND}" --color GREEN
+ else
+ logtext "Result: Can't determine default run level from who -r"
+ Display --indent 2 --text "- Checking default run level" --result UNKNOWN --color YELLOW
+ fi
+ fi
+ fi
fi
- fi
+ fi
#
#################################################################################
#
@@ -99,10 +99,10 @@
Register --test-no KRNL-5677 --os Linux --weight L --network NO --description "Check CPU options and support"
if [ ${SKIPTEST} -eq 0 ]; then
Display --indent 2 --text "- Checking CPU support (NX/PAE)"
- logtext "Test: Checking /proc/cpuinfo..."
+ logtext "Test: Checking /proc/cpuinfo"
if [ -f /proc/cpuinfo ]; then
logtext "Result: found /proc/cpuinfo"
- logtext "Test: Checking CPU options (XD/NX/PAE)..."
+ logtext "Test: Checking CPU options (XD/NX/PAE)"
FIND_PAE_NX=`cat /proc/cpuinfo | grep " pae " | grep " nx "`
FIND_PAE=`cat /proc/cpuinfo | grep " pae "`
FIND_NX=`cat /proc/cpuinfo | grep " nx "`
@@ -271,7 +271,7 @@
# Description : Checking FreeBSD loaded kernel modules
Register --test-no KRNL-5745 --os FreeBSD --weight L --network NO --description "Checking FreeBSD loaded kernel modules"
if [ ${SKIPTEST} -eq 0 ]; then
- Display --indent 2 --text "- Checking active kernel modules..."
+ Display --indent 2 --text "- Checking active kernel modules"
logtext "Test: ${KERNEL_ACTIVE_MODULES_TITLE}"
logtext "Description: ${KERNEL_ACTIVE_MODULES_DESCRIPTION}"
logtext "Action: Checking modules"
@@ -339,17 +339,17 @@
logtext "Kernel installed: ${FINDINST}"
logtext "Kernel candidate: ${FINDCAND}"
if [ "${FINDINST}" = "" ]; then
- Display --indent 2 --text "- Checking for available kernel update... " --result UNKNOWN --color YELLOW
+ Display --indent 2 --text "- Checking for available kernel update" --result UNKNOWN --color YELLOW
logtext "Result: Exception occured, no output from apt-cache policy"
ReportException "${TEST_NO}:01"
logtext "Exception: apt-cache policy did not return an installed kernel version"
ReportSuggestion ${TEST_NO} "Check the output of apt-cache policy manually to determine why output is empty"
else
if [ "${FINDINST}" = "${FINDCAND}" ]; then
- Display --indent 2 --text "- Checking for available kernel update... " --result OK --color GREEN
+ Display --indent 2 --text "- Checking for available kernel update" --result OK --color GREEN
logtext "Result: no kernel update available"
else
- Display --indent 2 --text "- Checking for available kernel update... " --result "UPDATE AVAILABLE" --color YELLOW
+ Display --indent 2 --text "- Checking for available kernel update" --result "UPDATE AVAILABLE" --color YELLOW
logtext "Result: kernel update available according 'apt-cache policy'."
ReportSuggestion ${TEST_NO} "Determine priority for available kernel update"
fi
@@ -373,12 +373,12 @@
FIND2=`cat /etc/security/limits.conf | grep -v "^#" | grep -v "^$" | awk '{ if ($1=="*" && $2=="hard" && $3=="core") { print "hard core enabled" } }'`
if [ "${FIND1}" = "soft core enabled" -o "${FIND2}" = "hard core enabled" ]; then
logtext "Result: core dumps (soft or hard) are enabled"
- Display --indent 2 --text "- Checking core dumps configuration... " --result ENABLED --color YELLOW
+ Display --indent 2 --text "- Checking core dumps configuration" --result ENABLED --color YELLOW
#YYY suggestion
AddHP 1 2
else
logtext "Result: core dumps (soft and hard) are both disabled"
- Display --indent 2 --text "- Checking core dumps configuration... " --result DISABLED --color GREEN
+ Display --indent 2 --text "- Checking core dumps configuration" --result DISABLED --color GREEN
CORE_DUMPS_DISABLED=1
AddHP 3 3
fi
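Review bot: The limits.conf check on the FIND2 line prints `hard core enabled` for any `* hard core` entry without looking at the value field, so the hardening entry `* hard core 0` is reported as ENABLED and loses hardening points. Comparing the fourth field fixes that: `if ($1=="*" && $2=="hard" && $3=="core" && $4!="0")`. FIND1 is assigned outside this hunk and presumably needs the same condition. The ENABLED branch also calls `AddHP 1 2` where the other branch uses `AddHP 3 3`, which looks like a typo for `1 3`.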
@@ -393,22 +393,22 @@
fi
if [ "${FIND}" = "2" ]; then
logtext "Result: programs can dump core dump, but only readable by root (value 2, for debugging with file protection)"
- Display --indent 4 --text "- Checking setuid core dumps configuration... " --result PROTECTED --color GREEN
+ Display --indent 4 --text "- Checking setuid core dumps configuration" --result PROTECTED --color GREEN
AddHP 1 1
elif [ "${FIND}" = "1" ]; then
logtext "Result: all programs can perform core dumps (value 1, for debugging)"
- Display --indent 2 --text "- Checking setuid core dumps configuration... " --result DEBUG --color YELLOW
+ Display --indent 2 --text "- Checking setuid core dumps configuration" --result DEBUG --color YELLOW
ReportSuggestion ${TEST_NO} "Determine if really all binaries need to be able to core dump"
AddHP 0 1
else
logtext "Result: found default option, some programs can dump (not processes which need to change credentials)"
- Display --indent 4 --text "- Checking setuid core dumps configuration... " --result DEFAULT --color YELLOW
+ Display --indent 4 --text "- Checking setuid core dumps configuration" --result DEFAULT --color YELLOW
AddHP 1 1
fi
# Check ulimit settings and harden it
# echo 'ulimit -S -c 0 > /dev/null 2>&1' >> /etc/profile
else
- logtext "Result: file /etc/security/limits.conf does not exist, skipping test"
+ logtext "Result: file /etc/security/limits.conf does not exist, skipping test"
fi
fi
#
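Review bot: The DEBUG branch uses `--indent 2` while the PROTECTED and DEFAULT branches of the same check use `--indent 4`, so the value-1 result is printed at a different level from its siblings. `Display --indent 4 --text "- Checking setuid core dumps configuration" --result DEBUG --color YELLOW` would align it. The final `else` also labels every other value, including an empty FIND, as the default setting; where FIND is read is outside this hunk, so a comment stating the expected values would help.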
diff --git a/include/tests_kernel_hardening b/include/tests_kernel_hardening
index b50e5978..4d3a0d65 100644
--- a/include/tests_kernel_hardening
+++ b/include/tests_kernel_hardening
@@ -29,7 +29,7 @@
Register --test-no KRNL-6000 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check sysctl key pairs in scan profile"
if [ ${SKIPTEST} -eq 0 ]; then
N=0
- Display --indent 2 --text "- Comparing sysctl key pairs with scan profile..."
+ Display --indent 2 --text "- Comparing sysctl key pairs with scan profile"
FIND=`grep "^sysctl:" ${PROFILE} | sed 's/ /:space:/g'`
for I in ${FIND}; do
tFINDkey=`echo ${I} | awk -F: '{ print $2 }'`
diff --git a/include/tests_ldap b/include/tests_ldap
index d41cd496..df931311 100644
--- a/include/tests_ldap
+++ b/include/tests_ldap
@@ -33,16 +33,16 @@
Register --test-no LDAP-2219 --weight L --network NO --description "Check running OpenLDAP instance"
if [ ${SKIPTEST} -eq 0 ]; then
#YYY add additional slash
- FIND=`${PSBINARY} ax | grep "slapd" | grep -v "grep"`
- if [ "${FIND}" = "" ]; then
- Display --indent 2 --text "- Checking OpenLDAP instance..." --result "NOT FOUND" --color WHITE
- logtext "Result: No running slapd process found."
+ IsRunning slapd
+ if [ ${RUNNING} -eq 0 ]; then
+ Display --indent 2 --text "- Checking OpenLDAP instance" --result "NOT FOUND" --color WHITE
+ logtext "Result: No running slapd process found."
else
- Display --indent 2 --text "- Checking OpenLDAP instance..." --result FOUND --color GREEN
- logtext "Result: Found running slapd process"
- SLAPDFOUND=1
- SLAPD_RUNNING=1
- fi
+ Display --indent 2 --text "- Checking OpenLDAP instance" --result FOUND --color GREEN
+ logtext "Result: Found running slapd process"
+ SLAPDFOUND=1
+ SLAPD_RUNNING=1
+ fi
fi
#
#################################################################################
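Review bot: The new condition `[ ${RUNNING} -eq 0 ]` makes FOUND the fallback: if RUNNING is empty or non-numeric the test errors out and the else branch sets SLAPD_RUNNING=1. INSE-8002 in this same commit tests `[ ${RUNNING} -eq 1 ]` for the positive case; doing the same here, `if [ "${RUNNING}" -eq 1 ]; then` with the two branches swapped, makes NOT FOUND the fallback instead. IsRunning is defined outside this diff, so whether it always sets RUNNING could not be checked. The `#YYY add additional slash` comment appears to refer to the removed grep and can probably go.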
@@ -52,21 +52,21 @@
if [ ${SLAPD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no LDAP-2224 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check presence slapd.conf"
if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: Searching slapd.conf"
- for I in ${SLAPD_CONF_LOCS}; do
- if [ -f ${I}/slapd.conf ]; then
- logtext "Result: found ${I}/slapd.conf"
- SLAPD_CONF_LOCATION="${I}/slapd.conf"
- else
- logtext "Result: ${I} does not contain slapd.conf"
- fi
- done
- # Check if we found a valid location
- if [ ! "${SLAPD_CONF_LOCATION}" = "" ]; then
- Display --indent 4 --text "- Checking slapd.conf..." --result FOUND --color GREEN
+ logtext "Test: Searching slapd.conf"
+ for I in ${SLAPD_CONF_LOCS}; do
+ if [ -f ${I}/slapd.conf ]; then
+ logtext "Result: found ${I}/slapd.conf"
+ SLAPD_CONF_LOCATION="${I}/slapd.conf"
+ else
+ logtext "Result: ${I} does not contain slapd.conf"
+ fi
+ done
+ # Check if we found a valid location
+ if [ ! "${SLAPD_CONF_LOCATION}" = "" ]; then
+ Display --indent 4 --text "- Checking slapd.conf" --result FOUND --color GREEN
else
- Display --indent 4 --text "- Checking slapd.conf..." --result "NOT FOUND" --color YELLOW
- fi
+ Display --indent 4 --text "- Checking slapd.conf" --result "NOT FOUND" --color YELLOW
+ fi
fi
#
#################################################################################
@@ -97,7 +97,6 @@
#################################################################################
#
-
wait_for_keypress
#
diff --git a/include/tests_logging b/include/tests_logging
index 3080cc92..ff9a48f3 100644
--- a/include/tests_logging
+++ b/include/tests_logging
@@ -41,21 +41,21 @@
# Notes : Log which syslog daemon is found YYY
Register --test-no LOGG-2130 --weight L --network NO --description "Check for running syslog daemon"
if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: Searching for a logging daemon... "
+ logtext "Test: Searching for a logging daemon"
FIND=`${PSBINARY} ax | egrep "syslogd|syslog-ng|metalog|systemd-journal" | grep -v "grep"`
if [ "${FIND}" = "" ]; then
- Display --indent 2 --text "- Checking for a running log daemon..." --result WARNING --color RED
- logtext "Result: Could not find a syslog daemon like syslog, syslog-ng, rsyslog, metalog, systemd-journal"
- ReportSuggestion ${TEST_NO} "Check if any syslog daemon is running and correctly configured."
- ReportWarning ${TEST_NO} "H" "No syslog daemon found"
- AddHP 0 3
- else
- Display --indent 2 --text "- Checking for a running log daemon..." --result OK --color GREEN
- logtext "Result: Found a logging daemon"
- SYSLOG_DAEMON_PRESENT=1
- SYSLOG_DAEMON_RUNNING=1
- AddHP 3 3
- fi
+ Display --indent 2 --text "- Checking for a running log daemon" --result WARNING --color RED
+ logtext "Result: Could not find a syslog daemon like syslog, syslog-ng, rsyslog, metalog, systemd-journal"
+ ReportSuggestion ${TEST_NO} "Check if any syslog daemon is running and correctly configured."
+ ReportWarning ${TEST_NO} "H" "No syslog daemon found"
+ AddHP 0 3
+ else
+ Display --indent 2 --text "- Checking for a running log daemon" --result OK --color GREEN
+ logtext "Result: Found a logging daemon"
+ SYSLOG_DAEMON_PRESENT=1
+ SYSLOG_DAEMON_RUNNING=1
+ AddHP 3 3
+ fi
fi
#
#################################################################################
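Review bot: LOGG-2130 keeps `${PSBINARY} ax | egrep "..." | grep -v "grep"`, a substring match over whole command lines, while tests_ldap in this commit was moved to `IsRunning`. Any process whose arguments contain one of the names (an editor opened on a syslog-ng file, for instance) sets SYSLOG_DAEMON_RUNNING=1 and awards `AddHP 3 3`, which can hide a host with no log daemon. The same pattern remains in LOGG-2132, LOGG-2210, LOGG-2230, LOGG-2240, LOGG-2138 and LOGG-2142 below. Calling `IsRunning` once per daemon name would be consistent, assuming that helper matches process names more strictly, which is not visible here. The log text also lists rsyslog, which the pattern only covers because `syslogd` is a substring of `rsyslogd`; a comment saying so would help.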
@@ -64,18 +64,18 @@
# Description : Check for a running syslog-ng daemon
Register --test-no LOGG-2132 --weight L --network NO --description "Check for running syslog-ng daemon"
if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: Searching for syslog-ng daemon in process list... "
+ logtext "Test: Searching for syslog-ng daemon in process list"
FIND=`${PSBINARY} ax | grep "/syslog-ng" | grep -v "grep"`
if [ ! "${FIND}" = "" ]; then
- logtext "Result: Found syslog-ng in process list"
- Display --indent 4 --text "- Checking Syslog-NG status" --result FOUND --color GREEN
- SYSLOG_DAEMON_PRESENT=1
- SYSLOG_NG_RUNNING=1
- else
- logtext "Result: Syslog-ng NOT found in process list"
- Display --indent 4 --text "- Checking Syslog-NG status" --result "NOT FOUND" --color WHITE
- fi
- fi
+ logtext "Result: Found syslog-ng in process list"
+ Display --indent 4 --text "- Checking Syslog-NG status" --result FOUND --color GREEN
+ SYSLOG_DAEMON_PRESENT=1
+ SYSLOG_NG_RUNNING=1
+ else
+ logtext "Result: Syslog-ng NOT found in process list"
+ Display --indent 4 --text "- Checking Syslog-NG status" --result "NOT FOUND" --color WHITE
+ fi
+ fi
#
#################################################################################
#
@@ -84,16 +84,16 @@
if [ ! "${SYSLOGNGBINARY}" = "" -a ${SYSLOG_NG_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no LOGG-2134 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking Syslog-NG configuration file consistency"
if [ ${SKIPTEST} -eq 0 ]; then
- FIND=`${SYSLOGNGBINARY} -s; echo $?`
- if [ "${FIND}" = "0" ]; then
- logtext "Result: Syslog-NG configuration file seems to be consistent"
- Display --indent 6 --text "- Checking Syslog-NG consistency" --result OK --color GREEN
- else
- logtext "Result: Syslog-NG configuration file seems NOT to be consistent"
- Display --indent 6 --text "- Checking Syslog-NG consistency" --result WARNING --color RED
- ReportWarning ${TEST_NO} "L" "Found one or more problems in Syslog-NG configuration file"
- ReportSuggestion ${TEST_NO} "Check the Syslog-NG configuration file and/or run a manual consistency check with: syslog-ng -s"
- fi
+ FIND=`${SYSLOGNGBINARY} -s; echo $?`
+ if [ "${FIND}" = "0" ]; then
+ logtext "Result: Syslog-NG configuration file seems to be consistent"
+ Display --indent 6 --text "- Checking Syslog-NG consistency" --result OK --color GREEN
+ else
+ logtext "Result: Syslog-NG configuration file seems NOT to be consistent"
+ Display --indent 6 --text "- Checking Syslog-NG consistency" --result WARNING --color RED
+ ReportWarning ${TEST_NO} "L" "Found one or more problems in Syslog-NG configuration file"
+ ReportSuggestion ${TEST_NO} "Check the Syslog-NG configuration file and/or run a manual consistency check with: syslog-ng -s"
+ fi
fi
#
#################################################################################
@@ -102,17 +102,17 @@
# Description : Check for a running metalog daemon
Register --test-no LOGG-2210 --weight L --network NO --description "Check for running metalog daemon"
if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: Searching for metalog daemon in process list... "
+ logtext "Test: Searching for metalog daemon in process list"
FIND=`${PSBINARY} ax | grep "metalog" | grep -v "grep"`
if [ ! "${FIND}" = "" ]; then
- logtext "Result: Found metalog in process list"
- Display --indent 4 --text "- Checking Metalog status" --result FOUND --color GREEN
- SYSLOG_DAEMON_PRESENT=1
- METALOG_RUNNING=1
- else
- logtext "Result: metalog NOT found in process list"
- Display --indent 4 --text "- Checking Metalog status" --result "NOT FOUND" --color WHITE
- fi
+ logtext "Result: Found metalog in process list"
+ Display --indent 4 --text "- Checking Metalog status" --result FOUND --color GREEN
+ SYSLOG_DAEMON_PRESENT=1
+ METALOG_RUNNING=1
+ else
+ logtext "Result: metalog NOT found in process list"
+ Display --indent 4 --text "- Checking Metalog status" --result "NOT FOUND" --color WHITE
+ fi
fi
#
#################################################################################
@@ -121,17 +121,17 @@
# Description : Check for a running rsyslog daemon
Register --test-no LOGG-2230 --weight L --network NO --description "Check for running RSyslog daemon"
if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: Searching for RSyslog daemon in process list... "
+ logtext "Test: Searching for RSyslog daemon in process list"
FIND=`${PSBINARY} ax | grep "rsyslogd" | grep -v "grep"`
if [ ! "${FIND}" = "" ]; then
- logtext "Result: Found rsyslogd in process list"
- Display --indent 4 --text "- Checking RSyslog status" --result FOUND --color GREEN
- SYSLOG_DAEMON_PRESENT=1
- RSYSLOG_RUNNING=1
- else
- logtext "Result: rsyslogd NOT found in process list"
- Display --indent 4 --text "- Checking RSyslog status" --result "NOT FOUND" --color WHITE
- fi
+ logtext "Result: Found rsyslogd in process list"
+ Display --indent 4 --text "- Checking RSyslog status" --result FOUND --color GREEN
+ SYSLOG_DAEMON_PRESENT=1
+ RSYSLOG_RUNNING=1
+ else
+ logtext "Result: rsyslogd NOT found in process list"
+ Display --indent 4 --text "- Checking RSyslog status" --result "NOT FOUND" --color WHITE
+ fi
fi
#
#################################################################################
@@ -140,17 +140,17 @@
# Description : Check for a running RFC 3195 compliant daemon (syslog via TCP)
Register --test-no LOGG-2240 --weight L --network NO --description "Check for running RFC 3195 compliant daemon"
if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: Searching for RFC 3195 daemon (alias syslog reliable) in process list... "
+ logtext "Test: Searching for RFC 3195 daemon (alias syslog reliable) in process list"
FIND=`${PSBINARY} ax | grep "rfc3195d" | grep -v "grep"`
if [ ! "${FIND}" = "" ]; then
- logtext "Result: Found rfc3195d in process list"
- Display --indent 4 --text "- Checking RFC 3195 daemon status" --result FOUND --color GREEN
- SYSLOG_DAEMON_PRESENT=1
- RFC3195D_RUNNING=1
- else
- logtext "Result: rfc3195d NOT found in process list"
- Display --indent 4 --text "- Checking RFC 3195 daemon status" --result "NOT FOUND" --color WHITE
- fi
+ logtext "Result: Found rfc3195d in process list"
+ Display --indent 4 --text "- Checking RFC 3195 daemon status" --result FOUND --color GREEN
+ SYSLOG_DAEMON_PRESENT=1
+ RFC3195D_RUNNING=1
+ else
+ logtext "Result: rfc3195d NOT found in process list"
+ Display --indent 4 --text "- Checking RFC 3195 daemon status" --result "NOT FOUND" --color WHITE
+ fi
fi
#
#################################################################################
@@ -163,22 +163,22 @@
# This test should be below all other logging daemons
Register --test-no LOGG-2138 --os Linux --weight L --network NO --description "Checking kernel logger daemon on Linux"
if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: Searching kernel logger daemon (klogd)"
- if [ ${RSYSLOG_RUNNING} -eq 0 ]; then
- # Search for klogd, but ignore other lines related to klogd (like dd with input/output file)
+ logtext "Test: Searching kernel logger daemon (klogd)"
+ if [ ${RSYSLOG_RUNNING} -eq 0 ]; then
+ # Search for klogd, but ignore other lines related to klogd (like dd with input/output file)
FIND=`${PSBINARY} ax | grep "klogd" | grep -v "dd" | grep -v "grep"`
if [ ! "${FIND}" = "" ]; then
- logtext "Result: klogd running"
- Display --indent 4 --text "- Checking klogd" --result FOUND --color GREEN
- else
- logtext "Result: No klogd found"
- Display --indent 4 --text "- Checking klogd" --result "NOT FOUND" --color RED
- ReportWarning ${TEST_NO} "L" "klogd is not running, which could lead to missing kernel messages in log files"
- ReportSuggestion ${TEST_NO} "Check why klogd is not running"
- fi
- else
- logtext "Result: test skipped, because rsyslogd is being used"
- fi
+ logtext "Result: klogd running"
+ Display --indent 4 --text "- Checking klogd" --result FOUND --color GREEN
+ else
+ logtext "Result: No klogd found"
+ Display --indent 4 --text "- Checking klogd" --result "NOT FOUND" --color RED
+ ReportWarning ${TEST_NO} "L" "klogd is not running, which could lead to missing kernel messages in log files"
+ ReportSuggestion ${TEST_NO} "Check why klogd is not running"
+ fi
+ else
+ logtext "Result: test skipped, because rsyslogd is being used"
+ fi
fi
#
#################################################################################
@@ -187,19 +187,18 @@
# Description : Check for minilogd presence on Linux systems
Register --test-no LOGG-2142 --os Linux --weight L --network NO --description "Checking minilog daemon"
if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Result: Checking for unkilled minilogd instances.."
+ logtext "Result: Checking for unkilled minilogd instances"
# Search for minilogd. It shouldn't be running normally, if another syslog daemon is started
- FIND=`${PSBINARY} ax | grep "minilogd" | grep -v "grep"`
- if [ "${FIND}" = "" ]; then
- Display --indent 4 --text "- Checking minilogd instances" --result "NOT FOUND" --color WHITE
- logtext "Result: No minilogd is running.."
- else
- Display --indent 4 --text "- Checking minilogd instances" --result WARNING --color RED
- logtext "Result: minilogd found in process list"
- # minilogd daemon seems to be running..
- ReportWarning ${TEST_NO} "L" "minilogd is running, which should normally not be running"
- ReportSuggestion ${TEST_NO} "Check minilogd is active and if other syslog daemons are started up properly"
- fi
+ FIND=`${PSBINARY} ax | grep "minilogd" | grep -v "grep"`
+ if [ "${FIND}" = "" ]; then
+ Display --indent 4 --text "- Checking minilogd instances" --result "NOT FOUND" --color WHITE
+ logtext "Result: No minilogd is running"
+ else
+ Display --indent 4 --text "- Checking minilogd instances" --result WARNING --color RED
+ logtext "Result: minilogd found in process list"
+ # minilogd daemon seems to be running
+ ReportWarning ${TEST_NO} "L" "minilogd is running, which should normally not be running"
+ fi
fi
#
#################################################################################
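Review bot: This hunk drops the `ReportSuggestion` line from the minilogd warning branch without replacing it, which goes beyond the re-indentation and punctuation cleanup in the rest of the hunk. Other warning branches in this file still pair `ReportWarning` with a suggestion, so the report now offers no follow-up for this finding. If the removal was not intended, restore `ReportSuggestion ${TEST_NO} "Check minilogd is active and if other syslog daemons are started up properly"`. The first log line is also tagged `Result:` although it announces the test; `logtext "Test: Checking for unkilled minilogd instances"` would match the other tests.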
@@ -242,17 +241,17 @@
if [ ! "${LOGROTATEBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no LOGG-2148 --weight L --preqs-met ${PREQS_MET} --network NO --description "Checking logrotated files"
if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: Checking which files are rotated with logrotate and if they exist"
- FIND=`${LOGROTATEBINARY} -d -v /etc/logrotate.conf 2>&1 | egrep "considering log|skipping" | grep -v '*' | sort | uniq | awk '{ if ($2!="log") { print "File:"$2":does_not_exist" } else { print "File:"$3":exists" } }'`
- if [ "${FIND}" = "" ]; then
- logtext "Result: nothing found"
- else
- logtext "Result: found one or more files which are rotated via logrotate"
- for I in ${FIND}; do
- logtext "Output: ${I}"
- done
- fi
- fi
+ logtext "Test: Checking which files are rotated with logrotate and if they exist"
+ FIND=`${LOGROTATEBINARY} -d -v /etc/logrotate.conf 2>&1 | egrep "considering log|skipping" | grep -v '*' | sort | uniq | awk '{ if ($2!="log") { print "File:"$2":does_not_exist" } else { print "File:"$3":exists" } }'`
+ if [ "${FIND}" = "" ]; then
+ logtext "Result: nothing found"
+ else
+ logtext "Result: found one or more files which are rotated via logrotate"
+ for I in ${FIND}; do
+ logtext "Output: ${I}"
+ done
+ fi
+ fi
#
#################################################################################
#
@@ -261,23 +260,23 @@
if [ ! "${LOGROTATEBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no LOGG-2150 --weight L --preqs-met ${PREQS_MET} --network NO --description "Checking directories in logrotate configuration"
if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: Checking which directories can be found in logrotate configuration"
- FIND=`${LOGROTATEBINARY} -d -v /etc/logrotate.conf 2>&1 | egrep "considering log|skipping" | grep -v '*' | sort | uniq | awk '{ if ($2=="log") { print $3 } }' | sed 's/\/*[a-zA-Z_.-]*$//g' | sort | uniq`
- if [ "${FIND}" = "" ]; then
- logtext "Result: nothing found"
- else
- logtext "Result: found one or more directories (via logrotate configuration)"
- for I in ${FIND}; do
- if [ -d ${I} ]; then
- logtext "Directory found: ${I}"
- report "log_directory[]=${I}"
- else
- logtext "Directory could not be found: ${I}"
- # YYY strip more parts of the name, until it can be found (and stop at /)
- fi
- done
- fi
- fi
+ logtext "Test: Checking which directories can be found in logrotate configuration"
+ FIND=`${LOGROTATEBINARY} -d -v /etc/logrotate.conf 2>&1 | egrep "considering log|skipping" | grep -v '*' | sort | uniq | awk '{ if ($2=="log") { print $3 } }' | sed 's/\/*[a-zA-Z_.-]*$//g' | sort | uniq`
+ if [ "${FIND}" = "" ]; then
+ logtext "Result: nothing found"
+ else
+ logtext "Result: found one or more directories (via logrotate configuration)"
+ for I in ${FIND}; do
+ if [ -d ${I} ]; then
+ logtext "Directory found: ${I}"
+ report "log_directory[]=${I}"
+ else
+ logtext "Directory could not be found: ${I}"
+ # YYY strip more parts of the name, until it can be found (and stop at /)
+ fi
+ done
+ fi
+ fi
#
#################################################################################
#
@@ -286,36 +285,36 @@
# succesful resolving via DNS or any other name service.
Register --test-no LOGG-2152 --weight L --os Solaris --network NO --description "Checking loghost"
if [ ${SKIPTEST} -eq 0 ]; then
- # Try local hosts file
- logtext "Result: Checking for loghost in /etc/inet/hosts"
- FIND=`grep loghost /etc/inet/hosts | grep -v "^#"`
- if [ ! "${FIND}" = "" ]; then
- SOLARIS_LOGHOST_FOUND=1
- logtext "Result: Found loghost entry in /etc/inet/hosts"
- else
- logtext "Result: No loghost entry found in /etc/inet/hosts"
+ # Try local hosts file
+ logtext "Result: Checking for loghost in /etc/inet/hosts"
+ FIND=`grep loghost /etc/inet/hosts | grep -v "^#"`
+ if [ ! "${FIND}" = "" ]; then
+ SOLARIS_LOGHOST_FOUND=1
+ logtext "Result: Found loghost entry in /etc/inet/hosts"
+ else
+ logtext "Result: No loghost entry found in /etc/inet/hosts"
+
+ # Try name resolving if no entry is present in local host file
+ logtext "Result: Checking for loghost via name resolving"
+ FIND=`getent hosts loghost | grep loghost`
+ if [ ! "${FIND}" = "" ]; then
+ SOLARIS_LOGHOST_FOUND=1
+ logtext "Result: name resolving was succesful"
+ logtext "Output: ${FIND}"
+ else
+ logtext "Result: name resolving didn't find results"
+ fi
+ fi
- # Try name resolving if no entry is present in local host file
- logtext "Result: Checking for loghost via name resolving"
- FIND=`getent hosts loghost | grep loghost`
- if [ ! "${FIND}" = "" ]; then
- SOLARIS_LOGHOST_FOUND=1
- logtext "Result: name resolving was succesful"
- logtext "Output: ${FIND}"
- else
- logtext "Result: name resolving didn't find results"
- fi
- fi
-
if [ ${SOLARIS_LOGHOST_FOUND} -eq 1 ]; then
- logtext "Result: loghost entry found and most likely used to send syslog messages"
- Display --indent 2 --text "- Checking loghost entry" --result OK --color GREEN
- else
- Display --indent 2 --text "- Checking loghost entry" --result WARNING --color RED
- logtext "Result: No loghost entry found"
- ReportWarning ${TEST_NO} "L" "No loghost entry found"
- ReportSuggestion ${TEST_NO} "Add a loghost entry to /etc/inet/hosts or other name services"
- fi
+ logtext "Result: loghost entry found and most likely used to send syslog messages"
+ Display --indent 2 --text "- Checking loghost entry" --result OK --color GREEN
+ else
+ Display --indent 2 --text "- Checking loghost entry" --result WARNING --color RED
+ logtext "Result: No loghost entry found"
+ ReportWarning ${TEST_NO} "L" "No loghost entry found"
+ ReportSuggestion ${TEST_NO} "Add a loghost entry to /etc/inet/hosts or other name services"
+ fi
fi
#
#################################################################################
@@ -326,27 +325,27 @@
if [ ${SYSLOG_DAEMON_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no LOGG-2154 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking syslog configuration file"
if [ ${SKIPTEST} -eq 0 ]; then
- if [ ${SYSLOG_NG_RUNNING} -eq 1 ]; then
- SYSLOGD_CONF="/etc/syslog-ng/syslog-ng.conf"
- else
- SYSLOGD_CONF="/etc/syslog.conf"
- fi
- if [ -f ${SYSLOGD_CONF} ]; then
- logtext "Test: check if logs are also logged to a remote logging host"
- FIND=`egrep "@[a-zA-Z0-9]" ${SYSLOGD_CONF} | grep -v "^#" | grep -v "[a-zA-Z0-9]@"`
- if [ ! "${FIND}" = "" ]; then
- logtext "Result: remote logging enabled"
- AddHP 5 5
- Display --indent 2 --text "- Checking remote logging" --result ENABLED --color GREEN
- else
- logtext "Result: no remote logging found"
- ReportSuggestion ${TEST_NO} "Enable logging to an external logging host for archiving purposes and additional protection"
- AddHP 1 3
- Display --indent 2 --text "- Checking remote logging" --result "NOT ENABLED" --color YELLOW
- fi
- else
- logtext "Result: test skipped, file ${SYSLOGD_CONF} not found"
- fi
+ if [ ${SYSLOG_NG_RUNNING} -eq 1 ]; then
+ SYSLOGD_CONF="/etc/syslog-ng/syslog-ng.conf"
+ else
+ SYSLOGD_CONF="/etc/syslog.conf"
+ fi
+ if [ -f ${SYSLOGD_CONF} ]; then
+ logtext "Test: check if logs are also logged to a remote logging host"
+ FIND=`egrep "@[a-zA-Z0-9]" ${SYSLOGD_CONF} | grep -v "^#" | grep -v "[a-zA-Z0-9]@"`
+ if [ ! "${FIND}" = "" ]; then
+ logtext "Result: remote logging enabled"
+ AddHP 5 5
+ Display --indent 2 --text "- Checking remote logging" --result ENABLED --color GREEN
+ else
+ logtext "Result: no remote logging found"
+ ReportSuggestion ${TEST_NO} "Enable logging to an external logging host for archiving purposes and additional protection"
+ AddHP 1 3
+ Display --indent 2 --text "- Checking remote logging" --result "NOT ENABLED" --color YELLOW
+ fi
+ else
+ logtext "Result: test skipped, file ${SYSLOGD_CONF} not found"
+ fi
fi
#
#################################################################################
diff --git a/include/tests_mail_messaging b/include/tests_mail_messaging
index 9dc588a6..c2d22f5e 100644
--- a/include/tests_mail_messaging
+++ b/include/tests_mail_messaging
@@ -40,12 +40,12 @@
IsRunning exim
if [ ${RUNNING} -eq 1 ]; then
logtext "Result: found running Exim process"
- Display --indent 2 --text "- Checking Exim status..." --result RUNNING --color GREEN
+ Display --indent 2 --text "- Checking Exim status" --result RUNNING --color GREEN
EXIM_RUNNING=1
SMTP_DAEMON="exim"
else
logtext "Result: no running Exim processes found"
- Display --indent 2 --text "- Checking Exim status..." --result "NOT FOUND" --color WHITE
+ Display --indent 2 --text "- Checking Exim status" --result "NOT FOUND" --color WHITE
fi
fi
#
@@ -57,15 +57,15 @@
#Register --test-no MAIL-8804 --weight L --network NO --description "Check Exim configuration"
#if [ ${SKIPTEST} -eq 0 ]; then
# if [ ! "${EXIMBINARY}" = "" ]; then
- # logtext "Test: Searching Exim configuration file..."
+ # logtext "Test: Searching Exim configuration file"
# FIND=`${EXIMBINARY} -d | grep "configuration file is" | sed 's/configuration file is//'`
# if [ ! "${FIND}" = "" ]; then
- # Display --indent 2 --text "- Checking Exim configuration..." --result FOUND --color GREEN
+ # Display --indent 2 --text "- Checking Exim configuration" --result FOUND --color GREEN
# Display --indent 4 --text "Result: configuration file is ${FIND}"
# logtext "Result: found Exim"
# logtext "Result: configuration file is ${FIND}"
# else
- # Display --indent 2 --text "- Checking Exim configuration..." --result WARNING --color RED
+ # Display --indent 2 --text "- Checking Exim configuration" --result WARNING --color RED
# logtext "Couldn't find the Exim configuration file, however Exim seems to be installed."
# fi
# else
@@ -86,12 +86,12 @@
#FIND3=`${PSBINARY} ax | grep "pickup" | grep "postfix" | grep -v "grep"`
if [ ! "${FIND1}" = "" ]; then
logtext "Result: found running Postfix process"
- Display --indent 2 --text "- Checking Postfix status..." --result RUNNING --color GREEN
+ Display --indent 2 --text "- Checking Postfix status" --result RUNNING --color GREEN
POSTFIX_RUNNING=1
SMTP_DAEMON="postfix"
else
logtext "Result: no running Postfix processes found"
- Display --indent 2 --text "- Checking Postfix status..." --result "NOT FOUND" --color WHITE
+ Display --indent 2 --text "- Checking Postfix status" --result "NOT FOUND" --color WHITE
fi
fi
#
@@ -102,11 +102,11 @@
if [ ${POSTFIX_RUNNING} -eq 1 -a ! "${POSTFIXBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no MAIL-8816 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check Postfix configuration"
if [ ${SKIPTEST} -eq 0 ]; then
- Display --indent 2 --text "- Checking Postfix configuration..." --result FOUND --color GREEN
+ Display --indent 2 --text "- Checking Postfix configuration" --result FOUND --color GREEN
POSTFIX_CONFIGDIR=`${POSTCONFBINARY} | grep '^config_directory' | awk '{ print $3 }'`
POSTFIX_CONFIGFILE="${POSTFIX_CONFIGDIR}/main.cf"
logtext "Postfix configuration directory: ${POSTFIX_CONFIGDIR}"
- logtext "Postfix configuration file: ${POSTFIX_CONFIGFILE}"
+ logtext "Postfix configuration file: ${POSTFIX_CONFIGFILE}"
fi
#
#################################################################################
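Review bot: The prerequisite line for MAIL-8816 tests `${POSTFIXBINARY}`, but the body runs `${POSTCONFBINARY}`, and the `FOUND` result is displayed before anything has been looked up. If postconf was not located, the backtick pipeline yields an empty `POSTFIX_CONFIGDIR`, so `POSTFIX_CONFIGFILE` becomes `/main.cf` and is logged as if it were a real path. Test the binary that is actually used, `if [ ${POSTFIX_RUNNING} -eq 1 -a ! "${POSTCONFBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi`, and show `FOUND` only once `[ -f "${POSTFIX_CONFIGFILE}" ]` succeeds.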
@@ -129,11 +129,11 @@
if [ ! "${FIND2}" = "" -a ! "${FIND3}" = "" ]; then
SHOWWARNING=1
else
- Display --indent 4 --text "- Checking Postfix banner..." --result OK --color GREEN
+ Display --indent 4 --text "- Checking Postfix banner" --result OK --color GREEN
fi
fi
if [ ${SHOWWARNING} -eq 1 ]; then
- Display --indent 4 --text "- Checking Postfix banner..." --result WARNING --color RED
+ Display --indent 4 --text "- Checking Postfix banner" --result WARNING --color RED
logtext "Result: found mail_name in SMTP banner, and/or mail_name contains 'Postfix'."
ReportWarning ${TEST_NO} "L" "Found mail_name in SMTP banner, and/or mail_name contains 'Postfix'"
ReportSuggestion ${TEST_NO} "You are adviced to hide the mail_name (option: smtpd_banner) from your postfix configuration. Use postconf -e or change your main.cf file (${POSTFIX_CONFIGFILE})"
@@ -150,13 +150,13 @@
IsRunning dovecot
if [ ${RUNNING} -eq 1 ]; then
logtext "Result: found running dovecot process"
- Display --indent 2 --text "- Checking Dovecot status..." --result RUNNING --color GREEN
+ Display --indent 2 --text "- Checking Dovecot status" --result RUNNING --color GREEN
DOVECOT_RUNNING=1
IMAP_DAEMON="dovecot"
POP3_DAEMON="dovecot"
else
logtext "Result: dovecot not found"
- Display --indent 2 --text "- Checking Dovecot status..." --result "NOT FOUND" --color WHITE
+ Display --indent 2 --text "- Checking Dovecot status" --result "NOT FOUND" --color WHITE
fi
fi
#
@@ -190,12 +190,12 @@
IsRunning qmail-smtpd
if [ ${RUNNING} -eq 1 ]; then
logtext "Result: found running Qmail process"
- Display --indent 2 --text "- Checking Qmail status..." --result RUNNING --color GREEN
+ Display --indent 2 --text "- Checking Qmail status" --result RUNNING --color GREEN
QMAIL_RUNNING=1
SMTP_DAEMON="qmail"
else
logtext "Result: no running Qmail processes found"
- Display --indent 2 --text "- Checking Qmail status..." --result "NOT FOUND" --color WHITE
+ Display --indent 2 --text "- Checking Qmail status" --result "NOT FOUND" --color WHITE
fi
fi
#
@@ -209,12 +209,12 @@
IsRunning sendmail
if [ ${RUNNING} -eq 1 ]; then
logtext "Result: found running Sendmail process"
- Display --indent 2 --text "- Checking Sendmail status..." --result RUNNING --color GREEN
+ Display --indent 2 --text "- Checking Sendmail status" --result RUNNING --color GREEN
SENDMAIL_RUNNING=1
SMTP_DAEMON="sendmail"
else
logtext "Result: no running Sendmail processes found"
- Display --indent 2 --text "- Checking Sendmail status..." --result "NOT FOUND" --color WHITE
+ Display --indent 2 --text "- Checking Sendmail status" --result "NOT FOUND" --color WHITE
fi
fi
#
@@ -228,12 +228,12 @@
FIND=`${PSBINARY} ax | grep "/smtpd" | grep -v "grep"`
if [ ! "${FIND}" = "" ]; then
logtext "Result: found running smtpd process"
- Display --indent 2 --text "- Checking OpenBSD smtpd status..." --result RUNNING --color GREEN
+ Display --indent 2 --text "- Checking OpenBSD smtpd status" --result RUNNING --color GREEN
SMTPD_RUNNING=1
SMTP_DAEMON="smtpd"
else
logtext "Result: smtpd not found"
- Display --indent 2 --text "- Checking OpenBSD smtpd status..." --result "NOT FOUND" --color WHITE
+ Display --indent 2 --text "- Checking OpenBSD smtpd status" --result "NOT FOUND" --color WHITE
fi
fi
#
diff --git a/include/tests_malware b/include/tests_malware
index d613829c..9a4e0944 100644
--- a/include/tests_malware
+++ b/include/tests_malware
@@ -33,12 +33,12 @@
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: checking presence chkrootkit"
if [ ! "${CHKROOTKITBINARY}" = "" ]; then
- Display --indent 2 --text "- Checking chkrootkit..." --result "FOUND" --color GREEN
+ Display --indent 2 --text "- Checking chkrootkit" --result "FOUND" --color GREEN
logtext "Result: Found ${CHKROOTKITBINARY}"
MALWARE_SCANNER_INSTALLED=1
AddHP 2 2
else
- Display --indent 2 --text "- Checking chkrootkit..." --result "NOT FOUND" --color WHITE
+ Display --indent 2 --text "- Checking chkrootkit" --result "NOT FOUND" --color WHITE
logtext "Result: chkrootkit not found"
fi
fi
@@ -51,12 +51,12 @@
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: checking presence Rootkit Hunter"
if [ ! "${RKHUNTERBINARY}" = "" ]; then
- Display --indent 2 --text "- Checking Rootkit Hunter..." --result "FOUND" --color GREEN
+ Display --indent 2 --text "- Checking Rootkit Hunter" --result "FOUND" --color GREEN
logtext "Result: Found ${RKHUNTERBINARY}"
MALWARE_SCANNER_INSTALLED=1
AddHP 2 2
else
- Display --indent 2 --text "- Checking Rootkit Hunter..." --result "NOT FOUND" --color WHITE
+ Display --indent 2 --text "- Checking Rootkit Hunter" --result "NOT FOUND" --color WHITE
logtext "Result: Rootkit Hunter not found"
fi
fi
@@ -101,12 +101,12 @@
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: checking presence clamscan"
if [ ! "${CLAMSCANBINARY}" = "" ]; then
- Display --indent 2 --text "- Checking ClamAV scanner..." --result "FOUND" --color GREEN
+ Display --indent 2 --text "- Checking ClamAV scanner" --result "FOUND" --color GREEN
logtext "Result: Found ${CLAMSCANBINARY}"
MALWARE_SCANNER_INSTALLED=1
AddHP 2 2
else
- Display --indent 2 --text "- Checking ClamAV scanner..." --result "NOT FOUND" --color WHITE
+ Display --indent 2 --text "- Checking ClamAV scanner" --result "NOT FOUND" --color WHITE
logtext "Result: clamscan couldn't be found"
fi
fi
@@ -121,12 +121,12 @@
logtext "Test: checking running ClamAV daemon (clamd)"
FIND=`${PSBINARY} ax | grep "/clamd" | grep -v "grep"`
if [ ! "${FIND}" = "" ]; then
- Display --indent 2 --text "- Checking ClamAV daemon..." --result "FOUND" --color GREEN
+ Display --indent 2 --text "- Checking ClamAV daemon" --result "FOUND" --color GREEN
logtext "Result: found running clamd process"
MALWARE_SCANNER_INSTALLED=1
CLAMD_RUNNING=1
else
- Display --indent 2 --text "- Checking ClamAV daemon..." --result "NOT FOUND" --color WHITE
+ Display --indent 2 --text "- Checking ClamAV daemon" --result "NOT FOUND" --color WHITE
logtext "Result: clamd not running"
fi
fi
@@ -141,11 +141,11 @@
logtext "Test: checking running freshclam daemon"
FIND=`${PSBINARY} ax | grep "/freshclam" | grep -v "grep"`
if [ ! "${FIND}" = "" ]; then
- Display --indent 4 --text "- Checking freshclam..." --result "FOUND" --color GREEN
+ Display --indent 4 --text "- Checking freshclam" --result "FOUND" --color GREEN
logtext "Result: found running freshclam process"
AddHP 2 2
else
- Display --indent 4 --text "- Checking freshclam..." --result "SUGGESTION" --color YELLOW
+ Display --indent 4 --text "- Checking freshclam" --result "SUGGESTION" --color YELLOW
logtext "Result: freshclam is not running"
ReportSuggestion ${TEST_NO} "Confirm that freshclam is properly configured and keeps updating the ClamAV database"
fi
@@ -153,17 +153,23 @@
#
#################################################################################
#
+ # Test : MALW-3288
+ # Description : Check for LMD
+#
+#################################################################################
+#
+
# Test : MALW-3292
# Description : Check if at least one malware scanner is installed
# Register --test-no MALW-3292 --weight L --network NO --description "Check for at least one malware scanner"
# if [ ${SKIPTEST} -eq 0 ]; then
# if [ ${MALWARE_SCANNER_INSTALLED} -eq 1 ]; then
# logtext "Result: At least one malware scanner is installed"
-# Display --indent 2 --text "- Checking presence malware scanner..." --result "FOUND" --color GREEN
+# Display --indent 2 --text "- Checking presence malware scanner" --result "FOUND" --color GREEN
# #AddHP 3 3
# else
# logtext "Result: No malware scanners found"
-# Display --indent 2 --text "- Checking presence malware scanner..." --result "NOT FOUND" --color YELLOW
+# Display --indent 2 --text "- Checking presence malware scanner" --result "NOT FOUND" --color YELLOW
# ReportSuggestion ${TEST_NO} "Install at least one malware scanner to perform periodic integrity tests on the system"
# #AddHP 0 3
# fi
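Review bot: The added MALW-3288 header ("Check for LMD") has no `Register` call or test body under it, so the file documents a test ID that never runs. As far as this hunk shows, nothing would set `MALWARE_SCANNER_INSTALLED` for that scanner either. Mark the stub explicitly so a reader of the test list does not assume coverage, for example `# TODO: MALW-3288 is a placeholder, no check implemented yet`. The new header line is also indented differently from the `# Test : MALW-3292` header below it. The commented-out MALW-3292 block continues past the end of the hunk.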
diff --git a/include/tests_memory_processes b/include/tests_memory_processes
index 88c0cbc0..4522a185 100644
--- a/include/tests_memory_processes
+++ b/include/tests_memory_processes
@@ -28,7 +28,7 @@
if [ ${SKIPTEST} -eq 0 ]; then
if [ -f /proc/meminfo ]; then
logtext "Result: found /proc/meminfo"
- Display --indent 2 --text "- Checking /proc/meminfo... " --result FOUND --color GREEN
+ Display --indent 2 --text "- Checking /proc/meminfo" --result FOUND --color GREEN
FIND=`cat /proc/meminfo | grep "^MemTotal" | tr -s ' ' | awk '{ print $2" "$3 }'`
MEMORY_SIZE=`echo ${FIND} | awk '{ print $1 }'`
MEMORY_UNITS=`echo ${FIND} | awk '{ print $2 }'`
@@ -48,14 +48,14 @@
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Searching /usr/sbin/prtconf"
if [ -x /usr/sbin/prtconf ]; then
- Display --indent 2 --text "- Querying prtconf for installed memory..." --result DONE --color GREEN
+ Display --indent 2 --text "- Querying prtconf for installed memory" --result DONE --color GREEN
MEMORY_SIZE=`/usr/sbin/prtconf | grep "^Memory size:" | cut -d ' ' -f3`
MEMORY_UNITS=`/usr/sbin/prtconf | grep "^Memory size:" | cut -d ' ' -f4`
logtext "Result: Found ${MEMORY_SIZE} ${MEMORY_UNITS} memory"
report "memory_size=${MEMORY_SIZE}"
report "memory_units=${MEMORY_UNITS}"
else
- Display --indent 2 --text "- Querying prtconf for installed memory..." --result SKIPPED --color WHITE
+ Display --indent 2 --text "- Querying prtconf for installed memory" --result SKIPPED --color WHITE
logtext "Result: /usr/sbin/prtconf not found"
fi
fi
@@ -75,11 +75,11 @@
fi
if [ "${FIND}" = "" ]; then
logtext "Result: no zombie processes found"
- Display --indent 2 --text "- Searching for dead/zombie processes..." --result OK --color GREEN
+ Display --indent 2 --text "- Searching for dead/zombie processes" --result OK --color GREEN
else
logtext "Result: found one or more dead or zombie processes"
logtext "Output: PIDs ${FIND}"
- Display --indent 2 --text "- Searching for dead/zombie processes..." --result WARNING --color RED
+ Display --indent 2 --text "- Searching for dead/zombie processes" --result WARNING --color RED
ReportSuggestion ${TEST_NO} "Check the output of ps for dead or zombie processes"
fi
fi
@@ -99,12 +99,12 @@
fi
if [ "${FIND}" = "" ]; then
logtext "Result: No processes were waiting for IO requests to be handled first"
- Display --indent 2 --text "- Searching for IO waiting processes..." --result OK --color GREEN
+ Display --indent 2 --text "- Searching for IO waiting processes" --result OK --color GREEN
else
logtext "Result: found one or more processes which were waiting to get IO requests handled first"
logtext "More info: processes which show up with the status flag 'D' are often stuck, until a disk IO event finished. This can happen for example with network storage, where the connection or protocol settings are not logtext well configured."
logtext "Output: PIDs ${FIND}"
- Display --indent 2 --text "- Searching for IO waiting processes..." --result WARNING --color RED
+ Display --indent 2 --text "- Searching for IO waiting processes" --result WARNING --color RED
ReportSuggestion ${TEST_NO} "Check process listing for processes waiting for IO requests"
fi
fi
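Review bot: The "More info" log message in the else branch contains a stray word, `are not logtext well configured`, which looks like a search-and-replace leftover. It ends up verbatim in the log file that operators read when triaging stuck processes. Change the tail of that string to `where the connection or protocol settings are not well configured.` The enclosing test block starts above the hunk.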
diff --git a/include/tests_nameservices b/include/tests_nameservices
index f2e72ee9..e58124c4 100644
--- a/include/tests_nameservices
+++ b/include/tests_nameservices
@@ -44,12 +44,12 @@
FIND=`cat /etc/resolv.conf | grep "^domain" | awk '{ print $2 }'`
if [ "${FIND}" = "" ]; then
logtext "Result: no default domain found"
- Display --indent 2 --text "- Checking default DNS search domain..." --result NONE --color WHITE
+ Display --indent 2 --text "- Checking default DNS search domain" --result NONE --color WHITE
else
logtext "Result: found default domain"
logtext "Output: ${FIND}"
report "resolv_conf_domain=${FIND}"
- Display --indent 2 --text "- Checking default DNS search domain..." --result FOUND --color GREEN
+ Display --indent 2 --text "- Checking default DNS search domain" --result FOUND --color GREEN
RESOLV_DOMAINNAME="${FIND}"
fi
fi
@@ -78,23 +78,23 @@
# Warn if we have more than 6 search domains, which is maximum in most resolvers
if [ ${N} -gt 6 ]; then
logtext "Result: Found ${N} search domains"
- Display --indent 2 --text "- Checking search domains..." --result WARNING --color YELLOW
+ Display --indent 2 --text "- Checking search domains" --result WARNING --color YELLOW
ReportWarning ${TEST_NO} "L" "Found more than 6 search domains, which is usually more than the maximum allowed number in most resolvers"
else
logtext "Result: Found ${N} search domains"
- Display --indent 2 --text "- Checking search domains..." --result FOUND --color GREEN
+ Display --indent 2 --text "- Checking search domains" --result FOUND --color GREEN
fi
fi
else
logtext "Result: /etc/resolv.conf does not exist, skipping test"
- Display --indent 2 --text "- Checking search domains..." --result "NOT FOUND" --color YELLOW
+ Display --indent 2 --text "- Checking search domains" --result "NOT FOUND" --color YELLOW
fi
# Check amount of search domains (max 1)
FIND=`cat /etc/resolv.conf | grep "^search" | wc -l | tr -s ' ' | tr -d ' '`
if [ ! "${FIND}" = "0" -a ! "${FIND}" = "1" ]; then
logtext "Result: found ${FIND} line(s) with a search statement (expecting less than 2 lines)"
- Display --indent 4 --text "- Checking search domains lines..." --result "CONFIG ERROR" --color YELLOW
+ Display --indent 4 --text "- Checking search domains lines" --result "CONFIG ERROR" --color YELLOW
ReportWarning ${TEST_NO} "L" "Found more than 1 search lines in /etc/resolv.conf, which is probably a misconfiguration"
else
logtext "Result: found ${FIND} line(s) with a search statement (expecting less than 2 lines)"
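Review bot: The `cat /etc/resolv.conf | grep "^search"` count appears to run after the `fi` that closes the "/etc/resolv.conf does not exist, skipping test" branch, so it would execute even when the file is missing. Indentation is lost in this view, so confirm the nesting. If that reading is right, `cat` prints an error to the terminal, `FIND` becomes `0`, and the log records "found 0 line(s)" right after saying the test was skipped. Move the search-line count and its `Display`/`ReportWarning` branch inside the existing file-exists branch, and use `grep -c "^search" /etc/resolv.conf` in place of the `cat | grep | wc -l | tr` chain. The block starts above and continues below the hunk.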
@@ -113,7 +113,7 @@
FIND=`grep "^options" /etc/resolv.conf | awk '{ print $2 }'`
if [ "${FIND}" = "" ]; then
logtext "Result: no specific other options configured in /etc/resolv.conf"
- Display --indent 2 --text "- Checking /etc/resolv.conf options..." --result "NONE" --color WHITE
+ Display --indent 2 --text "- Checking /etc/resolv.conf options" --result "NONE" --color WHITE
else
for I in ${FIND}; do
logtext "Found option: ${I}"
@@ -121,11 +121,11 @@
#rotate --> add performance tune point
#timeout <3 --> add performe tune point
done
- Display --indent 2 --text "- Checking /etc/resolv.conf options..." --result "FOUND" --color GREEN
+ Display --indent 2 --text "- Checking /etc/resolv.conf options" --result "FOUND" --color GREEN
fi
else
logtext "Result: /etc/resolv.conf not found, test skipped"
- Display --indent 2 --text "- Checking /etc/resolv.conf options..." --result "NOT FOUND" --color YELLOW
+ Display --indent 2 --text "- Checking /etc/resolv.conf options" --result "NOT FOUND" --color YELLOW
fi
fi
#
@@ -137,7 +137,7 @@
if [ ${SKIPTEST} -eq 0 ]; then
FIND=`uname -n`
logtext "Result: 'uname -n' returned ${FIND}"
- Display --indent 2 --text "- Checking uname -n output..." --result DONE --color GREEN
+ Display --indent 2 --text "- Checking uname -n output" --result DONE --color GREEN
fi
#
#################################################################################
@@ -152,10 +152,10 @@
logtext "Result: file /etc/nodename exists"
FIND=`cat /etc/nodename`
logtext "Output: ${FIND}"
- Display --indent 2 --text "- Checking /etc/nodename..." --result "DONE" --color GREEN
+ Display --indent 2 --text "- Checking /etc/nodename" --result "DONE" --color GREEN
else
logtext "Result: file /etc/nodename could not be found"
- Display --indent 2 --text "- Checking /etc/nodename..." --result "NONE FOUND" --color YELLOW
+ Display --indent 2 --text "- Checking /etc/nodename" --result "NONE FOUND" --color YELLOW
fi
fi
#
@@ -210,10 +210,10 @@
if [ ! "${DOMAINNAME}" = "" ]; then
logtext "Result: found domain name"
report "domainname=${DOMAINNAME}"
- Display --indent 2 --text "- Searching DNS domain name..." --result "FOUND" --color GREEN
+ Display --indent 2 --text "- Searching DNS domain name" --result "FOUND" --color GREEN
Display --indent 6 --text "Domain name: ${DOMAINNAME}"
else
- Display --indent 2 --text "- Searching DNS domain name..." --result "UNKNOWN" --color YELLOW
+ Display --indent 2 --text "- Searching DNS domain name" --result "UNKNOWN" --color YELLOW
ReportSuggestion ${TEST_NO} "Check DNS configuration for the dns domain name"
fi
fi
@@ -228,10 +228,10 @@
FIND=`${PSBINARY} ax | grep "nscd" | grep -v "grep"`
if [ ! "${FIND}" = "" ]; then
logtext "Result: nscd is running"
- Display --indent 2 --text "- Checking nscd status..." --result RUNNING --color GREEN
+ Display --indent 2 --text "- Checking nscd status" --result RUNNING --color GREEN
else
logtext "Result: nscd is not running"
- Display --indent 2 --text "- Checking nscd status..." --result "NOT FOUND" --color WHITE
+ Display --indent 2 --text "- Checking nscd status" --result "NOT FOUND" --color WHITE
#YYY show performance suggestion if LDAP is used
fi
fi
@@ -246,11 +246,11 @@
FIND=`${PSBINARY} ax | grep "/named" | grep -v "grep"`
if [ ! "${FIND}" = "" ]; then
logtext "Result: found BIND process"
- Display --indent 2 --text "- Checking BIND status..." --result "FOUND" --color GREEN
+ Display --indent 2 --text "- Checking BIND status" --result "FOUND" --color GREEN
BIND_RUNNING=1
else
logtext "Result: BIND not running"
- Display --indent 2 --text "- Checking BIND status..." --result "NOT FOUND" --color WHITE
+ Display --indent 2 --text "- Checking BIND status" --result "NOT FOUND" --color WHITE
fi
fi
#
@@ -270,9 +270,9 @@
fi
done
if [ ! "${BIND_CONFIG_LOCATION}" = "" ]; then
- Display --indent 4 --text "- Checking BIND configuration file..." --result "FOUND" --color GREEN
+ Display --indent 4 --text "- Checking BIND configuration file" --result "FOUND" --color GREEN
else
- Display --indent 4 --text "- Checking BIND configuration file..." --result "NOT FOUND" --color YELLOW
+ Display --indent 4 --text "- Checking BIND configuration file" --result "NOT FOUND" --color YELLOW
fi
fi
#
@@ -289,10 +289,10 @@
FIND=`${NAMEDCHECKCONFBINARY} ${BIND_CONFIG_LOCATION}; echo $?`
if [ "${FIND}" = "0" ]; then
logtext "Result: configuration file ${BIND_CONFIG_LOCATION} seems to be fine"
- Display --indent 4 --text "- Checking BIND configuration consistency..." --result "OK" --color GREEN
+ Display --indent 4 --text "- Checking BIND configuration consistency" --result "OK" --color GREEN
else
logtext "Result: possible errors found in ${BIND_CONFIG_LOCATION}"
- Display --indent 4 --text "- Checking BIND configuration consistency..." --result WARNING --color RED
+ Display --indent 4 --text "- Checking BIND configuration consistency" --result WARNING --color RED
ReportWarning ${TEST_NO} "Errors discovered in BIND configuration file"
fi
else
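Review bot: The `ReportWarning` call in the failure branch passes only the test number and the message, while the other `ReportWarning` calls in this diff pass a severity as the second argument (`"L"` or `"M"`). Presumably the message then lands in the severity slot and the warning text is lost or misfiled in the report. Add the level, for example `ReportWarning ${TEST_NO} "M" "Errors discovered in BIND configuration file"`. Separately, `FIND` holds the checker's stdout plus the exit code, so any output with a zero exit status would also be treated as an error; redirecting the checker's output to `/dev/null` before `echo $?` would avoid that. The enclosing `if` starts above the hunk.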
@@ -318,11 +318,11 @@
FIND=`${DIGBINARY} @localhost version.bind chaos txt | grep "^version.bind" | grep TXT | egrep "[0-9].[0-9].[0-9]*"`
if [ "${FIND}" = "" ]; then
logtext "Result: no useful information in banner found"
- Display --indent 4 --text "- Checking BIND version in banner ..." --result "OK" --color GREEN
+ Display --indent 4 --text "- Checking BIND version in banner" --result "OK" --color GREEN
AddHP 2 2
else
logtext "Result: possible BIND version available in version banner"
- Display --indent 4 --text "- Checking BIND version in banner..." --result WARNING --color RED
+ Display --indent 4 --text "- Checking BIND version in banner" --result WARNING --color RED
ReportWarning ${TEST_NO} "M" "Found BIND version in banner"
ReportSuggestion ${TEST_NO} "The version in BIND can be masked by defining 'version none' in the configuration file"
AddHP 0 2
@@ -360,11 +360,11 @@
FIND=`${PSBINARY} ax | grep "/pdns_server" | grep -v "grep"`
if [ ! "${FIND}" = "" ]; then
logtext "Result: found PowerDNS process"
- Display --indent 2 --text "- Checking PowerDNS status..." --result "RUNNING" --color GREEN
+ Display --indent 2 --text "- Checking PowerDNS status" --result "RUNNING" --color GREEN
POWERDNS_RUNNING=1
else
logtext "Result: PowerDNS not running"
- Display --indent 2 --text "- Checking PowerDNS status..." --result "NOT FOUND" --color WHITE
+ Display --indent 2 --text "- Checking PowerDNS status" --result "NOT FOUND" --color WHITE
fi
fi
#
@@ -380,13 +380,13 @@
for I in ${POWERDNS_CONFIG_LOCS}; do
if [ -f ${I}/pdns.conf ]; then
POWERDNS_AUTH_CONFIG_LOCATION="${I}/pdns.conf"
- logtext "Result: found configuration file (${POWERDNS_AUTH_CONFIG_LOCATION})"
+ logtext "Result: found configuration file (${POWERDNS_AUTH_CONFIG_LOCATION})"
fi
done
if [ ! "${POWERDNS_AUTH_CONFIG_LOCATION}" = "" ]; then
- Display --indent 4 --text "- Checking PowerDNS configuration file..." --result "FOUND" --color GREEN
+ Display --indent 4 --text "- Checking PowerDNS configuration file" --result "FOUND" --color GREEN
else
- Display --indent 4 --text "- Checking PowerDNS configuration file..." --result "NOT FOUND" --color YELLOW
+ Display --indent 4 --text "- Checking PowerDNS configuration file" --result "NOT FOUND" --color YELLOW
fi
fi
#
@@ -412,10 +412,10 @@
for I in ${FIND}; do
logtext "Found backend: ${I}"
done
- Display --indent 4 --text "- Checking PowerDNS backends..." --result "FOUND" --color GREEN
+ Display --indent 4 --text "- Checking PowerDNS backends" --result "FOUND" --color GREEN
else
logtext "Result: no PowerDNS backends found"
- Display --indent 4 --text "- Checking PowerDNS backends..." --result "NOT FOUND" --color YELLOW
+ Display --indent 4 --text "- Checking PowerDNS backends" --result "NOT FOUND" --color YELLOW
fi
fi
#
@@ -458,12 +458,12 @@
FIND=`${PSBINARY} ax | grep "ypbind" | grep -v "grep"`
if [ ! "${FIND}" = "" ]; then
logtext "Result: ypbind is running"
- Display --indent 2 --text "- Checking ypbind status..." --result "FOUND" --color GREEN
+ Display --indent 2 --text "- Checking ypbind status" --result "FOUND" --color GREEN
YPBIND_RUNNING=1
ReportSuggestion "Disable the usage of NIS/NIS+ and use an alternative like LDAP or Kerberos instead"
else
logtext "Result: ypbind is not active"
- Display --indent 2 --text "- Checking ypbind status..." --result "NOT FOUND" --color WHITE
+ Display --indent 2 --text "- Checking ypbind status" --result "NOT FOUND" --color WHITE
fi
fi
#
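Review bot: The `ReportSuggestion` call in the ypbind-running branch omits `${TEST_NO}`, unlike the other `ReportSuggestion` calls in this diff, which pass the test number first. The helper is not visible here, but the suggestion text is then likely taken as the test ID, leaving the NIS finding unattributed or empty in the report. Use `ReportSuggestion ${TEST_NO} "Disable the usage of NIS/NIS+ and use an alternative like LDAP or Kerberos instead"`. The enclosing test block starts above the hunk.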
@@ -522,10 +522,10 @@
if [ ! "${NISDOMAIN}" = "" ]; then
logtext "Found NIS domain: ${NISDOMAIN}"
report "nisdomain=${NISDOMAIN}"
- Display --indent 4 --text "- Checking NIS domain..." --result "FOUND" --color GREEN
+ Display --indent 4 --text "- Checking NIS domain" --result "FOUND" --color GREEN
else
logtext "Result: No NIS domain found"
- Display --indent 4 --text "- Checking NIS domain..." --result "UNKNOWN" --color YELLOW
+ Display --indent 4 --text "- Checking NIS domain" --result "UNKNOWN" --color YELLOW
fi
fi
#
@@ -553,7 +553,7 @@
fi
else
logtext "Result: /etc/hosts not found, test skipped"
- Display --indent 4 --text "Searching duplicate line..." --result "SKIPPED" --color YELLOW
+ Display --indent 4 --text "Searching duplicate line" --result "SKIPPED" --color YELLOW
fi
fi
#
diff --git a/include/tests_networking b/include/tests_networking
index fb6c4f6b..c0d11b5e 100644
--- a/include/tests_networking
+++ b/include/tests_networking
@@ -33,13 +33,13 @@
# Description : Basic nameserver configuration tests (connectivity)
Register --test-no NETW-2704 --weight L --network YES --description "Basic nameserver configuration tests"
if [ ${SKIPTEST} -eq 0 ]; then
- Display --indent 2 --text "- Checking configured nameservers..."
+ Display --indent 2 --text "- Checking configured nameservers"
logtext "Test: Checking /etc/resolv.conf file"
if [ -f /etc/resolv.conf ]; then
logtext "Result: Found /etc/resolv.conf file"
FIND=`grep '^nameserver' /etc/resolv.conf | tr -d '\t' | sed 's/nameserver*//g'`
if [ ! "${FIND}" = "" ]; then
- Display --indent 4 --text "- Testing nameservers..."
+ Display --indent 4 --text "- Testing nameservers"
logtext "Test: Querying nameservers"
for I in ${FIND}; do
logtext "Found nameserver: ${I}"
@@ -53,12 +53,12 @@
# 0=good, other=bad
DNSRESPONSE=`${DIGBINARY} +noall +time=3 +retry=0 @${I} ${I} > /dev/null ; echo $?`
if [ "${DNSRESPONSE}" = "0" ]; then
- Display --indent 8 --text "Nameserver: ${I}..." --result OK --color GREEN
+ Display --indent 8 --text "Nameserver: ${I}" --result OK --color GREEN
logtext "Nameserver ${I} seems to respond to queries from this host."
# Count responsive nameservers
NUMBERACTIVENS=`expr ${NUMBERACTIVENS} + 1`
else
- Display --indent 8 --text "Nameserver: ${I}..." --result "NO RESPONSE" --color RED
+ Display --indent 8 --text "Nameserver: ${I}" --result "NO RESPONSE" --color RED
logtext "Result: nameserver ${I} does NOT respond"
logtext "Exit-code from dig: ${DNSRESPONSE}"
ReportSuggestion ${TEST_NO} "Check connection to this nameserver and make sure no outbound DNS queries are blocked (port 53 UDP and TCP)."
@@ -66,7 +66,7 @@
fi
else
logtext "Result: Nameserver test for ${I} skipped, 'dig' not installed"
- Display --indent 6 --text "Nameserver: ${I}... " --result SKIPPED --color YELLOW
+ Display --indent 6 --text "Nameserver: ${I}" --result SKIPPED --color YELLOW
fi
done
fi
@@ -82,19 +82,19 @@
if [ ${SKIPTEST} -eq 0 ]; then
if [ ! "${DIGBINARY}" = "" ]; then
if [ ${NUMBERACTIVENS} -lt 2 ]; then
- Display --indent 4 --text "- Minimal of 2 responsive nameservers..." --result WARNING --color RED
+ Display --indent 4 --text "- Minimal of 2 responsive nameservers" --result WARNING --color RED
logtext "Result: less than 2 responsive nameservers found"
ReportWarning ${TEST_NO} "L" "Couldn't find 2 responsive nameservers"
logtext "Note: Non responsive nameservers can give problems for your system(s). Like the lack of recursive lookups, bad connectivity to update servers etc."
ReportSuggestion ${TEST_NO} "Check your resolv.conf file and fill in a backup nameserver if possible"
AddHP 1 2
else
- Display --indent 4 --text "- Minimal of 2 responsive nameservers..." --result OK --color GREEN
+ Display --indent 4 --text "- Minimal of 2 responsive nameservers" --result OK --color GREEN
logtext "Result: found at least 2 responsive nameservers"
AddHP 3 3
fi
else
- Display --indent 4 --text "- Minimal of 2 responsive nameservers..." --result SKIPPED --color YELLOW
+ Display --indent 4 --text "- Minimal of 2 responsive nameservers" --result SKIPPED --color YELLOW
logtext "Result: dig not installed, test can't be fully performed"
fi
else
@@ -109,17 +109,17 @@
if [ ! "${NETSTATBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no NETW-3001 --preqs-met ${PREQS_MET} --weight L --network NO --description "Find default gateway (route)"
if [ $SKIPTEST -eq 0 ]; then
- logtext "Test: Searching default gateway(s)..."
+ logtext "Test: Searching default gateway(s)"
FIND=`${NETSTATBINARY} -rn | egrep "^0.0.0.0|default" | tr -s ' ' | cut -d ' ' -f2`
if [ ! "${FIND}" = "" ]; then
for I in ${FIND}; do
logtext "Result: Found default gateway ${I}"
report "default_gateway[]=${I}"
done
- Display --indent 2 --text "- Checking default gateway..." --result DONE --color GREEN
+ Display --indent 2 --text "- Checking default gateway" --result DONE --color GREEN
else
logtext "Result: No default gateway found"
- Display --indent 2 --text "- Checking default gateway..." --result "NONE FOUND" --color WHITE
+ Display --indent 2 --text "- Checking default gateway" --result "NONE FOUND" --color WHITE
fi
fi
#
@@ -279,7 +279,7 @@
esac
# Retrieve information from sockstat, when available
- logtext "Test: Retrieving sockstat information to find listening ports..."
+ logtext "Test: Retrieving sockstat information to find listening ports"
if [ ! "${FIND}" = "" ]; then
for I in ${FIND}; do
N=`expr ${N} + 1`
@@ -296,9 +296,9 @@
done
fi
if [ "${FIND}" = "" -a "${FIND2}" = "" ]; then
- Display --indent 2 --text "- Getting listening ports (TCP/UDP)..." --result SKIPPED --color YELLOW
+ Display --indent 2 --text "- Getting listening ports (TCP/UDP)" --result SKIPPED --color YELLOW
else
- Display --indent 2 --text "- Getting listening ports (TCP/UDP)..." --result DONE --color GREEN
+ Display --indent 2 --text "- Getting listening ports (TCP/UDP)" --result DONE --color GREEN
Display --indent 6 --text "* Found ${N} ports"
fi
fi
@@ -311,7 +311,7 @@
if [ "${OS}" = "DragonFly" -o "${OS}" = "FreeBSD" -o "${OS}" = "NetBSD" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no NETW-3014 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking promiscuous interfaces (BSD)"
if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: Checking promiscuous interfaces (FreeBSD)..."
+ logtext "Test: Checking promiscuous interfaces (FreeBSD)"
FIND=`${IFCONFIGBINARY} | grep PROMISC | cut -d ':' -f1`
if [ ! "${FIND}" = "" ]; then
logtext "Result: Promiscuous interfaces: ${FIND}"
@@ -329,10 +329,10 @@
# Show result
if [ ${FOUNDPROMISC} -eq 0 ]; then
- Display --indent 2 --text "- Checking promiscuous interfaces..." --result OK --color GREEN
+ Display --indent 2 --text "- Checking promiscuous interfaces" --result OK --color GREEN
logtext "Result: No promiscuous interfaces found"
else
- Display --indent 2 --text "- Checking promiscuous interfaces..." --result WARNING --color RED
+ Display --indent 2 --text "- Checking promiscuous interfaces" --result WARNING --color RED
fi
fi
#
@@ -364,10 +364,10 @@
# Show result
if [ ${FOUNDPROMISC} -eq 0 ]; then
- Display --indent 2 --text "- Checking promiscuous interfaces..." --result OK --color GREEN
+ Display --indent 2 --text "- Checking promiscuous interfaces" --result OK --color GREEN
logtext "Result: No promiscuous interfaces found"
else
- Display --indent 2 --text "- Checking promiscuous interfaces..." --result WARNING --color RED
+ Display --indent 2 --text "- Checking promiscuous interfaces" --result WARNING --color RED
fi
fi
#
@@ -380,8 +380,8 @@
#
# Test : NETW-3024
# Description : Netstat/socktstat compare (FreeBSD)
- # echo -n " - Comparing output sockstat and netstat... "
- # logtext "Comparing output of sockstat and netstat... "
+ # echo -n " - Comparing output sockstat and netstat"
+ # logtext "Comparing output of sockstat and netstat"
# NETSTATOUTPUT=`netstat -an | grep -v 'TIME_WAIT' | grep -v 'ESTABLISHED' | grep -v 'SYN_SENT' | grep -v 'CLOSE_WAIT' | grep -v 'LAST_ACK' | grep -v 'SYN_RECV' | grep -v 'CLOSING' | cut -c 1-44 | grep '*.' | cut -c 24-32 | tr -d ' ' | tr -d '\t' | grep -v '*' | sort | uniq`
#
# if [ "${SOCKSTATOUTPUT}" = "${NETSTATOUTPUT}" ]; then
@@ -401,15 +401,15 @@
if [ ! "${NETSTATBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no NETW-3028 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking connections in WAIT state"
if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: Using netstat for check for connections in WAIT state..."
+ logtext "Test: Using netstat for check for connections in WAIT state"
FIND=`${NETSTATBINARY} -an | grep WAIT | wc -l | awk '{ print $1 }'`
if [ "${OPTIONS_CONN_MAX_WAIT_STATE}" = "" ]; then OPTIONS_CONN_MAX_WAIT_STATE="100"; fi
logtext "Result: currently ${FIND} connections are in a waiting state (max configured: ${OPTIONS_CONN_MAX_WAIT_STATE})."
if [ ${FIND} -gt ${OPTIONS_CONN_MAX_WAIT_STATE} ]; then
- Display --indent 2 --text "- Checking waiting connections..." --result WARNING --color YELLOW
+ Display --indent 2 --text "- Checking waiting connections" --result WARNING --color YELLOW
ReportWarning ${TEST_NO} "H" "Found too much connections in WAIT state (${FIND})"
else
- Display --indent 2 --text "- Checking waiting connections..." --result OK --color GREEN
+ Display --indent 2 --text "- Checking waiting connections" --result OK --color GREEN
logtext "Result: ${FIND} connections are in WAIT state"
fi
fi
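Review bot: The comparison `[ ${FIND} -gt ${OPTIONS_CONN_MAX_WAIT_STATE} ]` fails open, because only an empty threshold is defaulted to 100. A non-numeric value makes `[` return an error status, and the else branch then prints OK in green. Where the option comes from is not visible in the hunk (presumably the scan profile), so I would validate it before use, e.g. `case "${OPTIONS_CONN_MAX_WAIT_STATE}" in ''|*[!0-9]*) OPTIONS_CONN_MAX_WAIT_STATE="100" ;; esac`, and quote both operands. As a small cleanup, `grep -c WAIT` replaces the `grep WAIT | wc -l | awk` chain.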
@@ -422,12 +422,12 @@
if [ ${SKIPTEST} -eq 0 ]; then
IsRunning dhclient
if [ ${RUNNING} -eq 1 ]; then
- Display --indent 2 --text "- Checking status DHCP client..." --result RUNNING --color WHITE
+ Display --indent 2 --text "- Checking status DHCP client" --result RUNNING --color WHITE
#YYY report if system type is server, that it is running with DHCP client, might be a badly configured machine
#report "manual[]=System is running DHCP client"
DHCP_CLIENT_RUNNING=1
else
- Display --indent 2 --text "- Checking status DHCP client..." --result "NOT ACTIVE" --color WHITE
+ Display --indent 2 --text "- Checking status DHCP client" --result "NOT ACTIVE" --color WHITE
fi
fi
#
diff --git a/include/tests_php b/include/tests_php
index fcb582a2..11135491 100644
--- a/include/tests_php
+++ b/include/tests_php
@@ -61,7 +61,7 @@
if [ "${tFILES}" = "" ]; then
logtext "Result: no files found for ${I}"
else
- logtext "Result: found files in location ${I}, checking.."
+ logtext "Result: found files in location ${I}, checking"
for I in ${tFILES}; do
if [ -f ${I} ]; then
logtext "Result: file ${I} exists, adding to php.ini array"
@@ -72,11 +72,11 @@
done
if [ ! "${PHPINIFILE}" = "" ]; then
- Display --indent 2 --text "- Checking PHP..." --result "FOUND" --color GREEN
+ Display --indent 2 --text "- Checking PHP" --result "FOUND" --color GREEN
logtext "Result: using single file ${PHPINIFILE} for main php.ini tests"
logtext "Result: using php.ini array ${PHPINI_ALLFILES} for further tests"
else
- Display --indent 2 --text "- Checking PHP..." --result "NOT FOUND" --color WHITE
+ Display --indent 2 --text "- Checking PHP" --result "NOT FOUND" --color WHITE
logtext "Result: no php.ini file found"
fi
fi
@@ -109,13 +109,13 @@
done
if [ ${FOUND} -eq 0 ]; then
logtext "Result: all PHP functions can be executed"
- Display --indent 4 --text "- Checking PHP disabled functions..." --result "NONE" --color YELLOW
+ Display --indent 4 --text "- Checking PHP disabled functions" --result "NONE" --color YELLOW
ReportSuggestion ${TEST_NO} "Harden PHP by disabling risky functions"
logtext "Functions of interest to research/disable: chown, diskfreespace, disk_free_space, disk_total_space, dl, exec, escapeshellarg, escapeshellcmd, fileinode, highlight_file, max_execution_time, passthru, pclose, phpinfo, popen, proc_close, proc_open, proc_get_status, proc_nice, proc_open, proc_terminate, set_time_limit, shell_exec, show_source, system)"
AddHP 0 1
else
logtext "Result: one or more PHP functions are disabled/blacklisted"
- Display --indent 4 --text "- Checking PHP disabled functions..." --result "FOUND" --color GREEN
+ Display --indent 4 --text "- Checking PHP disabled functions" --result "FOUND" --color GREEN
AddHP 3 3
fi
fi
@@ -139,16 +139,16 @@
fi
Register --test-no PHP-2368 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check PHP register_globals option"
if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: Checking PHP register_globals option.."
+ logtext "Test: Checking PHP register_globals option"
FIND=`cat ${PHPINIFILE} | egrep -i 'register_globals.*(on|yes|1)' | grep -v '^;'`
if [ ! "${FIND}" = "" ]; then
- Display --indent 4 --text "- Checking register_globals option..." --result WARNING --color RED
+ Display --indent 4 --text "- Checking register_globals option" --result WARNING --color RED
ReportWarning ${TEST_NO} "M" "PHP option register_globals option is turned on, which can be a risk for variable value overwriting"
ReportSuggestion ${TEST_NO} "Change the register_globals line to: register_globals = Off"
logtext "Result: register_globals option is turned on, which can be a risk for variable value overwriting."
AddHP 1 2
else
- Display --indent 4 --text "- Checking register_globals option..." --result OK --color GREEN
+ Display --indent 4 --text "- Checking register_globals option" --result OK --color GREEN
logtext "Result: No 'register_globals' found. Most likely it is in disabled state (0, no, or off), which is the default nowadays and considered the safe value."
ReportManual ${TEST_NO}:01
AddHP 2 2
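Review bot: The pattern `register_globals.*(on|yes|1)` is not tied to the directive's assigned value, and `grep -v '^;'` drops only comments that start in column 0, so an indented comment or a trailing comment on the same line can decide the result. PHP-2372, PHP-2374, PHP-2376 and PHP-2378 below use the same construction, and there it is worse because a match means "disabled": a line such as `expose_php = On ; set to Off later` would be reported as OFF. I would match the assignment itself, replacing the pipeline inside the substitution with `egrep -i '^[[:space:]]*register_globals[[:space:]]*=[[:space:]]*(on|yes|1)' "${PHPINIFILE}"`, and adapt the value list for the other four tests. The test body runs past the end of this hunk.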
@@ -163,16 +163,16 @@
if [ ! "${PHPINIFILE}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PHP-2372 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check PHP expose_php option"
if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: Checking expose_php option.."
+ logtext "Test: Checking expose_php option"
FIND=`cat ${PHPINIFILE} | egrep -i 'expose_php.*(off|no|0)' | grep -v '^;'`
if [ "${FIND}" = "" ]; then
- Display --indent 4 --text "- Checking expose_php option..." --result ON --color RED
+ Display --indent 4 --text "- Checking expose_php option" --result ON --color RED
ReportWarning ${TEST_NO} "M" "PHP option expose_php is possibly turned on, which can reveal useful information for attackers."
ReportSuggestion ${TEST_NO} "Change the expose_php line to: expose_php = Off"
report "Result: expose_php option is turned on, which can expose useful information for an attacker"
AddHP 1 2
else
- Display --indent 4 --text "- Checking expose_php option..." --result OFF --color GREEN
+ Display --indent 4 --text "- Checking expose_php option" --result OFF --color GREEN
logtext "Result: Found 'expose_php' in disabled state (0, no, or off)"
AddHP 2 2
fi
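Review bot: In the ON branch the result is written with `report "Result: expose_php option is turned on, which can expose useful information for an attacker"`, which looks like a slip for `logtext`. Elsewhere in this commit `report` carries `key=value` data (`report "nisdomain=${NISDOMAIN}"`) and free-text results go through `logtext`. As written, a free-text line presumably lands in the machine-readable report and the log lacks the result, so I would change the call to `logtext`. The ON branches of PHP-2374, PHP-2376 and PHP-2378 below do the same.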
@@ -187,15 +187,15 @@
if [ ! "${PHPINIFILE}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PHP-2374 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check PHP enable_dl option"
if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: Checking PHP enable_dl option.."
+ logtext "Test: Checking PHP enable_dl option"
FIND=`cat ${PHPINIFILE} | egrep -i 'enable_dl.*(off|no|0)' | grep -v '^;'`
if [ "${FIND}" = "" ]; then
- Display --indent 4 --text "- Checking enable_dl option..." --result ON --color YELLOW
+ Display --indent 4 --text "- Checking enable_dl option" --result ON --color YELLOW
report "Result: enable_dl option is turned on, which can be used for riskful downloads via PHP"
ReportSuggestion ${TEST_NO} "Change the enable_dl line to: enable_dl = Off, to disable downloads via PHP"
AddHP 0 1
else
- Display --indent 4 --text "- Checking enable_dl option..." --result OFF --color GREEN
+ Display --indent 4 --text "- Checking enable_dl option" --result OFF --color GREEN
logtext "Result: Found 'enable_dl' in disabled state (0, no, or off)"
AddHP 2 2
fi
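Review bot: The finding text for `enable_dl` describes the wrong risk: the option controls whether scripts may load PHP extensions at runtime through `dl()`, and it has nothing to do with downloads. An administrator who reads "riskful downloads via PHP" may dismiss the finding as irrelevant to the host. I would reword both strings, for example `ReportSuggestion ${TEST_NO} "Change the enable_dl line to: enable_dl = Off, to disable runtime loading of PHP extensions via dl()"`.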
@@ -210,15 +210,15 @@
if [ ! "${PHPINIFILE}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PHP-2376 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check PHP allow_url_fopen option"
if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: Checking PHP allow_url_fopen option.."
+ logtext "Test: Checking PHP allow_url_fopen option"
FIND=`cat ${PHPINIFILE} | egrep -i 'allow_url_fopen.*(off|no|0)' | grep -v '^;'`
if [ "${FIND}" = "" ]; then
- Display --indent 4 --text "- Checking allow_url_fopen option..." --result ON --color YELLOW
+ Display --indent 4 --text "- Checking allow_url_fopen option" --result ON --color YELLOW
report "Result: allow_url_fopen option is turned on, which can be used for riskful downloads via PHP"
ReportSuggestion ${TEST_NO} "Change the allow_url_fopen line to: allow_url_fopen = Off, to disable downloads via PHP"
AddHP 0 1
else
- Display --indent 4 --text "- Checking allow_url_fopen option..." --result OFF --color GREEN
+ Display --indent 4 --text "- Checking allow_url_fopen option" --result OFF --color GREEN
logtext "Result: Found 'allow_url_fopen' in disabled state (0, no, or off)"
AddHP 2 2
fi
@@ -233,15 +233,15 @@
if [ ! "${PHPINIFILE}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PHP-2378 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check PHP allow_url_include option"
if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: Checking PHP allow_url_include option.."
+ logtext "Test: Checking PHP allow_url_include option"
FIND=`cat ${PHPINIFILE} | egrep -i 'allow_url_include.*(off|no|0)' | grep -v '^;'`
if [ "${FIND}" = "" ]; then
- Display --indent 4 --text "- Checking allow_url_include option..." --result ON --color YELLOW
+ Display --indent 4 --text "- Checking allow_url_include option" --result ON --color YELLOW
report "Result: allow_url_include option is turned on, which can be used for riskful downloads via PHP"
ReportSuggestion ${TEST_NO} "Change the allow_url_include line to: allow_url_include = Off, to disable downloads via PHP"
AddHP 0 1
else
- Display --indent 4 --text "- Checking allow_url_include option..." --result OFF --color GREEN
+ Display --indent 4 --text "- Checking allow_url_include option" --result OFF --color GREEN
logtext "Result: Found 'allow_url_include' in disabled state (0, no, or off)"
AddHP 2 2
fi
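Review bot: An empty match is treated as ON in this test, but `allow_url_include` is disabled by default in PHP. A php.ini that simply omits the directive therefore gets a suggestion and `AddHP 0 1` for a setting that is already safe. I would first check whether the directive is set at all, treat its absence as OFF, and report ON only for an explicit enabling value. The message also speaks of downloads, whereas this option lets `include`/`require` accept URLs, so wording along the lines of "remote file inclusion" would describe the risk more accurately.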
diff --git a/include/tests_ports_packages b/include/tests_ports_packages
index 7693a0e6..f4d2680c 100644
--- a/include/tests_ports_packages
+++ b/include/tests_ports_packages
@@ -24,7 +24,7 @@
#
#################################################################################
#
- Display --indent 2 --text "- Searching package managers..."
+ Display --indent 2 --text "- Searching package managers"
# Test : PKGS-7301
# Description : Query FreeBSD pkg
@@ -33,12 +33,12 @@
if [ ${SKIPTEST} -eq 0 ]; then
FIND=`pkg -N 2>&1; echo $?`
if [ "${FIND}" = "0" ]; then
- Display --indent 4 --text "- Searching packages with pkg..." --result FOUND --color GREEN
+ Display --indent 4 --text "- Searching packages with pkg" --result FOUND --color GREEN
report "package_manager[]=pkg"
PACKAGE_MGR_PKG=1
#logtext "Result: Found pkg"
- #logtext "Test: Querying pkg to get package list..."
- #Display --indent 6 --text "- Querying pkg for installed packages..."
+ #logtext "Test: Querying pkg to get package list"
+ #Display --indent 6 --text "- Querying pkg for installed packages"
#logtext "Output:"; logtext "-----"
#SPACKAGES=`/usr/sbin/pkg_info 2>&1 | sort | tr -s ' ' | cut -d ' ' -f1 | sed -e 's/^\(.*\)-\([0-9].*\)$/\1,\2/g'`
#for J in ${SPACKAGES}; do
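Review bot: The substitution `pkg -N 2>&1; echo $?` assigned to FIND captures the command's output together with its exit status, so `[ "${FIND}" = "0" ]` is true only when `pkg -N` prints nothing at all. Any message on stdout or stderr makes a working pkg show up as NOT INSTALLED, and the package manager is then not reported. I would test the status directly with `if pkg -N > /dev/null 2>&1; then`. The `apt-get -q=2 check` test further down in this file (hunk at -646) uses the same capture and has the same weakness for anything printed on stdout.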
@@ -48,7 +48,7 @@
# report "installed_package[]=${sPKG_NAME}|${sPKG_VERSION}|"
#done
else
- Display --indent 4 --text "- Searching pkg..." --result "NOT INSTALLED" --color YELLOW
+ Display --indent 4 --text "- Searching pkg" --result "NOT INSTALLED" --color YELLOW
fi
fi
#
@@ -60,11 +60,11 @@
Register --test-no PKGS-7302 --preqs-met ${PREQS_MET} --weight L --network NO --description "Query FreeBSD/NetBSD pkg_info"
if [ ${SKIPTEST} -eq 0 ]; then
N=0
- Display --indent 4 --text "- Checking pkg_info..." --result FOUND --color GREEN
+ Display --indent 4 --text "- Checking pkg_info" --result FOUND --color GREEN
logtext "Result: Found pkg_info"
report "package_manager[]=pkg_info"
- logtext "Test: Querying pkg_info to get package list..."
- Display --indent 6 --text "- Querying pkg_info for installed packages..."
+ logtext "Test: Querying pkg_info to get package list"
+ Display --indent 6 --text "- Querying pkg_info for installed packages"
logtext "Output:"; logtext "-----"
SPACKAGES=`/usr/sbin/pkg_info 2>&1 | sort | tr -s ' ' | cut -d ' ' -f1 | sed -e 's/^\(.*\)-\([0-9].*\)$/\1,\2/g'`
for J in ${SPACKAGES}; do
@@ -88,10 +88,10 @@
# if [ ${SKIPTEST} -eq 0 ]; then
# SDOUBLEINSTALLED=`pkg_info | sort | sed -e 's/-[0-9].*$//' | uniq -c | grep -v '^[[:space:]]*1' | tr -s ' ' | cut -d ' ' -f3`
# if [ "${SDOUBLEINSTALLED}" = "" ]; then
-# Display --indent 6 --text "- Querying pkg_info for double installed packages..." --result OK --color GREEN
+# Display --indent 6 --text "- Querying pkg_info for double installed packages" --result OK --color GREEN
# logtext "Ok, no packages show up twice or more in the package listing."
# else
-# Display --indent 6 --text "- Querying pkg_info for double installed packages..." --result WARNING --color RED
+# Display --indent 6 --text "- Querying pkg_info for double installed packages" --result WARNING --color RED
# for J in ${SDOUBLEINSTALLED}; do
# ReportWarning ${TEST_NO} "M" "Found probably incorrect installed package (${J})"
# logtext "This package ${J} is visible twice or more in the pkg_info listing."
@@ -102,7 +102,7 @@
# done
# fi
# else
-# Display --indent 4 --text "- Searching pkg_info..." --result "NOT FOUND" --color WHITE
+# Display --indent 4 --text "- Searching pkg_info" --result "NOT FOUND" --color WHITE
# logtext "Result: pkg_info can NOT be found on this system"
# fi
#
@@ -113,11 +113,11 @@
if [ -x /usr/bin/pkginfo ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PKGS-7306 --os Solaris --preqs-met ${PREQS_MET} --weight L --network NO --description "Querying Solaris packages"
if [ ${SKIPTEST} -eq 0 ]; then
- Display --indent 4 --text "- Searching pkginfo..." --result FOUND --color GREEN
+ Display --indent 4 --text "- Searching pkginfo" --result FOUND --color GREEN
logtext "Result: Found Solaris pkginfo"
report "package_manager[]=pkginfo"
logtext "Test: Querying pkginfo to get package list"
- Display --indent 4 --text "- Querying pkginfo for installed packages..."
+ Display --indent 4 --text "- Querying pkginfo for installed packages"
logtext "Output:"; logtext "-----"
# Strip SUNW from strings
SPACKAGES=`/usr/bin/pkginfo -i | tr -s ' ' | cut -d ' ' -f2 | sed "s#^SUNW##"`
@@ -138,11 +138,11 @@
Register --test-no PKGS-7308 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking package list with RPM"
if [ ${SKIPTEST} -eq 0 ]; then
N=0
- Display --indent 4 --text "- Searching RPM package manager..." --result FOUND --color GREEN
+ Display --indent 4 --text "- Searching RPM package manager" --result FOUND --color GREEN
logtext "Result: Found rpm binary (${RPMBINARY})"
report "package_manager[]=rpm"
logtext "Test: Querying 'rpm -qa' to get package list"
- Display --indent 6 --text "- Querying RPM package manager..."
+ Display --indent 6 --text "- Querying RPM package manager"
logtext "Output:"; logtext "--------"
SPACKAGES=`${RPMBINARY} -qa | sort`
if [ "${SPACKAGES}" = "" ]; then
@@ -169,11 +169,11 @@
Register --test-no PKGS-7310 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking package list with pacman"
if [ ${SKIPTEST} -eq 0 ]; then
N=0
- Display --indent 4 --text "- Searching pacman package manager..." --result FOUND --color GREEN
+ Display --indent 4 --text "- Searching pacman package manager" --result FOUND --color GREEN
logtext "Result: Found pacman binary (${PACMANBINARY})"
report "package_manager[]=pacman"
logtext "Test: Querying 'pacman -Q' to get package list"
- Display --indent 6 --text "- Querying pacman package manager..."
+ Display --indent 6 --text "- Querying pacman package manager"
logtext "Output:"; logtext "--------"
SPACKAGES=`${PACMANBINARY} -Q | sort | sed 's/ /,/g'`
if [ "${SPACKAGES}" = "" ]; then
@@ -266,7 +266,7 @@
logtext "Result: Found dpkg binary"
report "package_manager[]=dpkg"
logtext "Test: Querying dpkg -l to get package list"
- Display --indent 6 --text "- Querying package manager..."
+ Display --indent 6 --text "- Querying package manager"
logtext "Output:"
SPACKAGES=`dpkg -l 2>/dev/null | grep "^ii" | tr -s ' ' | tr ' ' '#' | sort`
for J in ${SPACKAGES}; do
@@ -403,7 +403,7 @@
# Don't check yet, output of found vulnerable packages unclear (YYY)
else
logtext "Result: ${FIND}"
- #Display --indent 2 --text "- Checking pkg audit to obtain vulnerable packages..." --result WARNING --color RED
+ #Display --indent 2 --text "- Checking pkg audit to obtain vulnerable packages" --result WARNING --color RED
#logtext "Result: pkg audit found one or more installed packages which are vulnerable."
#ReportWarning ${TEST_NO} "M" "Found one or more vulnerable packages."
#ReportSuggestion ${TEST_NO} "Update your system with portupgrade or other tools"
@@ -593,7 +593,7 @@
# Test : PKGS-7388
# Description : Check security repository in Debian/ubuntu apt sources.list file
if [ -f /etc/apt/sources.list -a -d /etc/apt/sources.list.d ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
- Register --test-no PKGS-7388 --os preqs-met ${PREQS_MET} --weight L --network NO --description "Check security repository in Debian/ubuntu apt sources.list file"
+ Register --test-no PKGS-7388 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check security repository in Debian/ubuntu apt sources.list file"
if [ $SKIPTEST -eq 0 ]; then
FOUND=0
if [ ! "${OPTION_DEBIAN_SKIP_SECURITY_REPOSITORY}" = "yes" ]; then
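Review bot: The precondition `[ -f /etc/apt/sources.list -a -d /etc/apt/sources.list.d ]` requires both the file and the directory, so a host that has only one of them skips the security-repository check without any finding. The test body lies outside this hunk; if it can cope with either source being absent, the condition is probably meant to be `if [ -f /etc/apt/sources.list ] || [ -d /etc/apt/sources.list.d ]; then`. Apart from that, `-a` inside `[` is ambiguous with some operands, and two bracket tests joined by `&&` or `||` are the safer spelling.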
@@ -646,11 +646,11 @@
logtext "Test: Package database consistency by running apt-get check"
FIND=`/usr/bin/apt-get -q=2 check 2> /dev/null; echo $?`
if [ "${FIND}" = "0" ]; then
- Display --indent 2 --text "- Checking APT package database..." --result OK --color GREEN
+ Display --indent 2 --text "- Checking APT package database" --result OK --color GREEN
logtext "Result: package database seems to be consistent."
else
logtext "Result: package database is most likely NOT consistent"
- Display --indent 2 --text "- Checking APT package database..." --result WARNING --color RED
+ Display --indent 2 --text "- Checking APT package database" --result WARNING --color RED
ReportWarning ${TEST_NO} "M" "apt-get check returned a non successful exit code."
ReportSuggestion ${TEST_NO} "Run apt-get to perform a manual package database consistency check."
fi
@@ -701,7 +701,7 @@
# Show packages which would be upgraded and match 'security' in repository name
FIND=`/usr/bin/apt-get --dry-run --show-upgraded upgrade 2> /dev/null | grep '-security' | grep "^Inst" | cut -d ' ' -f2 | sort | uniq`
if [ ! "${FIND}" = "" ]; then
- #Display --indent 2 --text "- Checking vulnerable packages..." --result WARNING --color RED
+ #Display --indent 2 --text "- Checking vulnerable packages" --result WARNING --color RED
VULNERABLE_PACKAGES_FOUND=1
SCAN_PERFORMED=1
logtext "Result: found vulnerable package(s) via apt-get (-security channel)"
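Review bot: `grep '-security'` passes a pattern that starts with a dash, which grep parses as options rather than as the pattern (GNU grep reads it as `-s -e curity`). The filter therefore matches any line containing "curity", and it finds the security channel only by accident. Write it as `grep -e '-security'` or `grep -- '-security'` so that the vulnerable-package list is really restricted to the `-security` repository.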
@@ -716,13 +716,13 @@
if [ ${VULNERABLE_PACKAGES_FOUND} -eq 1 ]; then
ReportWarning ${TEST_NO} "M" "Found one or more vulnerable packages."
ReportSuggestion ${TEST_NO} "Update your system with apt-get update, apt-get upgrade, apt-get dist-upgrade and/or unattended-upgrades"
- Display --indent 2 --text "- Checking vulnerable packages..." --result WARNING --color RED
+ Display --indent 2 --text "- Checking vulnerable packages" --result WARNING --color RED
else
- Display --indent 2 --text "- Checking vulnerable packages..." --result OK --color GREEN
+ Display --indent 2 --text "- Checking vulnerable packages" --result OK --color GREEN
logtext "Result: no vulnerable packages found"
fi
else
- Display --indent 2 --text "- Checking vulnerable packages (apt-get only)..." --result DONE --color GREEN
+ Display --indent 2 --text "- Checking vulnerable packages (apt-get only)" --result DONE --color GREEN
logtext "Result: test not fully executed (missing apt-check output)"
fi
fi
@@ -741,11 +741,11 @@
FIND=`/usr/bin/apt-show-versions -u | sed 's/ /!space!/g'`
if [ "${FIND}" = "" ]; then
logtext "Result: no packages found which can be upgraded"
- Display --indent 2 --text "- Checking upgradeable packages..." --result NONE --color GREEN
+ Display --indent 2 --text "- Checking upgradeable packages" --result NONE --color GREEN
AddHP 3 3
else
logtext "Result: found one or more packages which can be upgraded"
- Display --indent 2 --text "- Checking upgradeable packages..." --result FOUND --color YELLOW
+ Display --indent 2 --text "- Checking upgradeable packages" --result FOUND --color YELLOW
# output: program/repository upgradeable from version X to Y
for I in ${FIND}; do
I=`echo ${I} | sed 's/!space!/ /g'`
@@ -754,7 +754,7 @@
fi
else
logtext "Result: /usr/bin/apt-show-versions not found"
- Display --indent 2 --text "- Checking upgradeable packages..." --result SKIPPED --color WHITE
+ Display --indent 2 --text "- Checking upgradeable packages" --result SKIPPED --color WHITE
ReportSuggestion ${TEST_NO} "Install package apt-show-versions for patch management purposes"
fi
fi
@@ -768,11 +768,11 @@
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: checking for package audit tool"
if [ ${PKG_AUDIT_TOOL_FOUND} -eq 0 ]; then
- Display --indent 2 --text "- Checking package audit tool..." --result NONE --color RED
+ Display --indent 2 --text "- Checking package audit tool" --result NONE --color RED
ReportSuggestion ${TEST_NO} "Install a package audit tool to determine vulnerable packages"
logtext "Result: no package audit tool found"
else
- Display --indent 2 --text "- Checking package audit tool..." --result INSTALLED --color GREEN
+ Display --indent 2 --text "- Checking package audit tool" --result INSTALLED --color GREEN
Display --indent 4 --text "Found: ${PKG_AUDIT_TOOL}"
logtext "Result: found package audit tool: ${PKG_AUDIT_TOOL}"
fi
diff --git a/include/tests_printers_spools b/include/tests_printers_spools
index 1a5fdac6..34147e85 100644
--- a/include/tests_printers_spools
+++ b/include/tests_printers_spools
@@ -37,7 +37,7 @@
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Searching /usr/sbin/chkprintcap"
if [ ! -f /usr/sbin/chkprintcap ]; then
- Display --indent 2 --text "- Checking chkprintcap..." --result "NOT FOUND" --color WHITE
+ Display --indent 2 --text "- Checking chkprintcap" --result "NOT FOUND" --color WHITE
logtext "Result: /usr/sbin/chkprintcap NOT found, test skipped."
else
logtext "Result: /usr/sbin/chkprintcap found"
@@ -64,11 +64,11 @@
logtext "Test: Checking cupsd status"
FIND=`${PSBINARY} ax | grep "cupsd" | grep -v "grep" | grep -v apcupsd`
if [ ! "${FIND}" = "" ]; then
- Display --indent 2 --text "- Checking cups daemon..." --result RUNNING --color GREEN
+ Display --indent 2 --text "- Checking cups daemon" --result RUNNING --color GREEN
logtext "Result: cups daemon running"
CUPSD_RUNNING=1; PRINTING_DAEMON="cups"
else
- Display --indent 2 --text "- Checking cups daemon..." --result "NOT FOUND" --color WHITE
+ Display --indent 2 --text "- Checking cups daemon" --result "NOT FOUND" --color WHITE
logtext "Result: cups daemon not running, cups daemon tests skipped"
fi
fi
@@ -88,11 +88,11 @@
fi
done
if [ ! "${CUPSD_CONFIG_FILE}" = "" ]; then
- Display --indent 2 --text "- Checking CUPS configuration file..." --result OK --color GREEN
+ Display --indent 2 --text "- Checking CUPS configuration file" --result OK --color GREEN
logtext "Result: configuration file found (${CUPSD_CONFIG_FILE})"
CUPSD_FOUND=1
else
- Display --indent 2 --text "- Checking CUPS configuration file..." --result "NOT FOUND" --color RED
+ Display --indent 2 --text "- Checking CUPS configuration file" --result "NOT FOUND" --color RED
logtext "Result: configuration file not found"
logtext "Development: no CUPS configuration file found"
fi
@@ -164,10 +164,10 @@
done
if [ ${N} -eq 0 ]; then
- Display --indent 2 --text "- Checking CUPS addresses/sockets..." --result "NONE" --color WHITE
+ Display --indent 2 --text "- Checking CUPS addresses/sockets" --result "NONE" --color WHITE
logtext "Result: no addresses found on which CUPS daemon is listening"
else
- Display --indent 2 --text "- Checking CUPS addresses/sockets..." --result "FOUND" --color GREEN
+ Display --indent 2 --text "- Checking CUPS addresses/sockets" --result "FOUND" --color GREEN
logtext "Result: CUPS daemon is listening on network/socket"
fi
fi
@@ -199,7 +199,7 @@
#Register --test-no PRNT-23xx--preqs-met ${PREQS_MET} --weight L --network NO --description "Check cupsd address configuration"
#if [ ${SKIPTEST} -eq 0 ]; then
#if [ "${OS}" = "Linux" ]; then
- # echo " - Testing printcap file... [Test not implemented yet]"
+ # echo " - Testing printcap file [Test not implemented yet]"
# # Check printcap with checkpc command
#fi
#
diff --git a/include/tests_shells b/include/tests_shells
index e1e1cdbe..91430fc7 100644
--- a/include/tests_shells
+++ b/include/tests_shells
@@ -46,13 +46,13 @@
# Description : check all console TTYs in which root user can enter single user mode without password
Register --test-no SHLL-6202 --os FreeBSD --weight L --network NO --description "Check console TTYs"
if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: Checking console TTYs..."
+ logtext "Test: Checking console TTYs"
FIND=`cat /etc/ttys | egrep '^console' | grep -v 'insecure'`
if [ "${FIND}" = "" ]; then
- Display --indent 2 --text "- Checking console TTYs... " --result OK --color GREEN
+ Display --indent 2 --text "- Checking console TTYs" --result OK --color GREEN
logtext "Result: console is secured against single user mode without password."
else
- Display --indent 2 --text "- Checking console TTYs... " --result WARNING --color RED
+ Display --indent 2 --text "- Checking console TTYs" --result WARNING --color RED
logtext "Result: Found insecure console in /etc/ttys. Single user mode login without password allowed!"
logtext "Output /etc/ttys:"
logtext "${FIND}"
@@ -74,13 +74,13 @@
# Description : which shells are available according /etc/shells
Register --test-no SHLL-6211 --weight L --network NO --description "Checking available and valid shells"
if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: Searching for /etc/shells..."
+ logtext "Test: Searching for /etc/shells"
if [ -f /etc/shells ]; then
logtext "Result: Found /etc/shells file"
logtext "Test: Reading available shells from /etc/shells"
SSHELLS=`cat /etc/shells | grep "^/"`
CSSHELLS=0; CSSHELLS_ALL=0
- Display --indent 2 --text "- Checking shells from /etc/shells..."
+ Display --indent 2 --text "- Checking shells from /etc/shells"
for I in ${SSHELLS}; do
CSSHELLS_ALL=`expr ${CSSHELLS_ALL} + 1`
report "available_shell[]=${I}"
@@ -181,15 +181,15 @@
# Description : Check default umask
# Register --test-no SHLL-6240 --weight L --network NO --description "Check default umask"
# if [ ${SKIPTEST} -eq 0 ]; then
-# logtext "Test: Checking /etc/profile..."
+# logtext "Test: Checking /etc/profile"
# if [ -f /etc/profile ]; then
# FIND=`grep "^umask" | awk '{ print $2 }'`
# if [ "${FIND}" = "" ]; then
# logtext "Result: xxx"
-# Display --indent 2 --text "- Checking default umask... " --result OK --color GREEN
+# Display --indent 2 --text "- Checking default umask" --result OK --color GREEN
# else
# logtext "Result: xxx"
-# Display --indent 2 --text "- Checking default umask... " --result WARNING --color RED
+# Display --indent 2 --text "- Checking default umask" --result WARNING --color RED
# #ReportWarning ${TEST_NO} "M" "xxx"
# #ReportSuggestion ${TEST_NO} "xxx"
# fi
diff --git a/include/tests_snmp b/include/tests_snmp
index 92344a17..e05a9bf1 100644
--- a/include/tests_snmp
+++ b/include/tests_snmp
@@ -30,17 +30,17 @@
# Description : Check for a running SNMP daemon
Register --test-no SNMP-3302 --weight L --network NO --description "Check for running SNMP daemon"
if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: Searching for a SNMP daemon..."
- # Check running processes
- FIND=`${PSBINARY} ax | grep "snmpd" | grep -v "grep"`
- if [ ! "${FIND}" = "" ]; then
- SNMP_DAEMON_RUNNING=1
- logtext "Result: SNMP daemon is running"
- Display --indent 2 --text "- Checking running SNMP daemon..." --result FOUND --color GREEN
- else
- logtext "Result: No running SNMP daemon found"
- Display --indent 2 --text "- Checking running SNMP daemon..." --result "NOT FOUND" --color WHITE
- fi
+ logtext "Test: Searching for a SNMP daemon"
+ # Check running processes
+ IsRunning snmpd
+ if [ ${RUNNING} -eq 1 ]; then
+ SNMP_DAEMON_RUNNING=1
+ logtext "Result: SNMP daemon is running"
+ Display --indent 2 --text "- Checking running SNMP daemon" --result FOUND --color GREEN
+ else
+ logtext "Result: No running SNMP daemon found"
+ Display --indent 2 --text "- Checking running SNMP daemon" --result "NOT FOUND" --color WHITE
+ fi
fi
#
#################################################################################
@@ -51,19 +51,19 @@
Register --test-no SNMP-3304 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check SNMP daemon file location"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Action: searching for snmpd.conf file"
- for I in ${SNMP_DAEMON_CONFIG_LOCS}; do
- if [ -f "${I}/snmpd.conf" ]; then
- logtext "Result: ${I}/snmpd.conf exists"
- SNMPD_DAEMON_CONFIG="${I}/snmpd.conf"
- fi
- done
- if [ "${SNMPD_DAEMON_CONFIG}" = "" ]; then
- logtext "Result: No snmpd configuration found"
- Display --indent 4 --text "- Checking SNMP configuration..." --result "NOT FOUND" --color WHITE
- else
- logtext "Restult: using last found configuration file: ${SNMPD_DAEMON_CONFIG}"
- Display --indent 4 --text "- Checking SNMP configuration..." --result "FOUND" --color GREEN
- fi
+ for I in ${SNMP_DAEMON_CONFIG_LOCS}; do
+ if [ -f "${I}/snmpd.conf" ]; then
+ logtext "Result: ${I}/snmpd.conf exists"
+ SNMPD_DAEMON_CONFIG="${I}/snmpd.conf"
+ fi
+ done
+ if [ "${SNMPD_DAEMON_CONFIG}" = "" ]; then
+ logtext "Result: No snmpd configuration found"
+ Display --indent 4 --text "- Checking SNMP configuration" --result "NOT FOUND" --color WHITE
+ else
+ logtext "Restult: using last found configuration file: ${SNMPD_DAEMON_CONFIG}"
+ Display --indent 4 --text "- Checking SNMP configuration" --result "FOUND" --color GREEN
+ fi
fi
#
#################################################################################
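Review bot: The re-indented line `logtext "Restult: using last found configuration file: ${SNMPD_DAEMON_CONFIG}"` still carries the typo "Restult", so anything that filters the log on the `Result:` prefix will miss this entry. It should read `logtext "Result: using last found configuration file: ${SNMPD_DAEMON_CONFIG}"`. The equivalent messages in the Squid and SSH tests in this same commit are spelled correctly.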
@@ -87,10 +87,10 @@
# Check status of test
if [ ${WARN} -eq 0 ]; then
- Display --indent 2 --text "- Checking SNMP community strings..." --result OK --color GREEN
+ Display --indent 2 --text "- Checking SNMP community strings" --result OK --color GREEN
AddHP 2 2
else
- Display --indent 2 --text "- Checking SNMP community strings..." --result WARNING --color RED
+ Display --indent 2 --text "- Checking SNMP community strings" --result WARNING --color RED
ReportWarning ${TEST_NO} "M" "Found easy guessable SNMP community string"
fi
fi
diff --git a/include/tests_solaris b/include/tests_solaris
index 556444c6..9ebf7393 100644
--- a/include/tests_solaris
+++ b/include/tests_solaris
@@ -5,8 +5,8 @@
# Lynis
# ------------------
#
-# Copyright 2007-2014, Michael Boelen (michael@rootkit.nl), The Netherlands
-# Web site: http://www.rootkit.nl
+# Copyright 2007-2014, Michael Boelen (michael.boelen@cisofy.com), The Netherlands
+# Web site: http://cisofy.com
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
@@ -26,17 +26,17 @@
# Description : Check if Stop-A is disabled
# Register --test-no SOL-xxxx --weight L --network NO --description "Check for running SSH daemon"
# if [ ${SKIPTEST} -eq 0 ]; then
-# logtext "Test: Searching for a SSH daemon..."
-# # Check running processes
-# FIND=`${PSBINARY} ax | grep "sshd" | grep -v "grep"`
-# if [ ! "${FIND}" = "" ]; then
-# SSH_DAEMON_RUNNING=1
-# logtext "Result: Stop-A is disabled"
-# Display --indent 2 --text "- Checking running SSH daemon..." --result FOUND --color GREEN
-# else
-# logtext "Result: Stop-A is NOT disabled"
-# Display --indent 2 --text "- Checking running SSH daemon..." --result "NOT FOUND" --color WHITE
-# fi
+# logtext "Test: Searching for a SSH daemon"
+# # Check running processes
+# FIND=`${PSBINARY} ax | grep "sshd" | grep -v "grep"`
+# if [ ! "${FIND}" = "" ]; then
+# SSH_DAEMON_RUNNING=1
+# logtext "Result: Stop-A is disabled"
+# Display --indent 2 --text "- Checking running SSH daemon" --result FOUND --color GREEN
+# else
+# logtext "Result: Stop-A is NOT disabled"
+# Display --indent 2 --text "- Checking running SSH daemon" --result "NOT FOUND" --color WHITE
+# fi
# fi
#
#################################################################################
@@ -45,17 +45,17 @@
# Description : Check if vold is disabled, to disallow unaudited mounts
# Register --test-no SOL-xxxx --weight L --network NO --description "Check for running SSH daemon"
# if [ ${SKIPTEST} -eq 0 ]; then
-# logtext "Test: Searching for a SSH daemon..."
-# # Check running processes
-# FIND=`${PSBINARY} ax | grep "sshd" | grep -v "grep"`
-# if [ ! "${FIND}" = "" ]; then
-# SSH_DAEMON_RUNNING=1
-# logtext "Result: Stop-A is disabled"
-# Display --indent 2 --text "- Checking running SSH daemon..." --result FOUND --color GREEN
-# else
-# logtext "Result: Stop-A is NOT disabled"
-# Display --indent 2 --text "- Checking running SSH daemon..." --result "NOT FOUND" --color WHITE
-# fi
+# logtext "Test: Searching for a SSH daemon"
+# # Check running processes
+# FIND=`${PSBINARY} ax | grep "sshd" | grep -v "grep"`
+# if [ ! "${FIND}" = "" ]; then
+# SSH_DAEMON_RUNNING=1
+# logtext "Result: Stop-A is disabled"
+# Display --indent 2 --text "- Checking running SSH daemon" --result FOUND --color GREEN
+# else
+# logtext "Result: Stop-A is NOT disabled"
+# Display --indent 2 --text "- Checking running SSH daemon" --result "NOT FOUND" --color WHITE
+# fi
# fi
#
diff --git a/include/tests_squid b/include/tests_squid
index eedd23e2..27b1af42 100644
--- a/include/tests_squid
+++ b/include/tests_squid
@@ -35,17 +35,17 @@
# programs.
Register --test-no SQD-3602 --weight L --network NO --description "Check for running Squid daemon"
if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: Searching for a Squid daemon..."
+ logtext "Test: Searching for a Squid daemon"
FOUND=0
# Check running processes
FIND=`${PSBINARY} ax | egrep "(squid|squid3) " | grep -v "grep"`
if [ ! "${FIND}" = "" ]; then
SQUID_DAEMON_RUNNING=1
logtext "Result: Squid daemon is running"
- Display --indent 2 --text "- Checking running Squid daemon..." --result FOUND --color GREEN
+ Display --indent 2 --text "- Checking running Squid daemon" --result FOUND --color GREEN
else
logtext "Result: No running Squid daemon found"
- Display --indent 2 --text "- Checking running Squid daemon..." --result "NOT FOUND" --color WHITE
+ Display --indent 2 --text "- Checking running Squid daemon" --result "NOT FOUND" --color WHITE
fi
fi
#
@@ -71,10 +71,10 @@
done
if [ "${SQUID_DAEMON_CONFIG}" = "" ]; then
logtext "Result: No Squid configuration file found"
- Display --indent 4 --text "- Searching Squid configuration file..." --result "NOT FOUND" --color YELLOW
+ Display --indent 4 --text "- Searching Squid configuration file" --result "NOT FOUND" --color YELLOW
else
logtext "Result: using last found configuration file: ${SQUID_DAEMON_CONFIG}"
- Display --indent 4 --text "- Searching Squid configuration..." --result FOUND --color GREEN
+ Display --indent 4 --text "- Searching Squid configuration" --result FOUND --color GREEN
fi
fi
#
@@ -85,21 +85,21 @@
if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! "${SQUID_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no SQD-3606 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check Squid version"
if [ ${SKIPTEST} -eq 0 ]; then
- if [ ! "${SQUIDBINARY}" = "" ]; then
- logtext "Result: Squid binary found (${SQUIDBINARY})"
- # Skip check if a setuid/setgid bit is found
- FIND=`find ${SQUIDBINARY} \( -perm 4000 -o -perm 2000 \) -print`
- if [ "${FIND}" = "" ]; then
- FIND2=`${SQUIDBINARY} -v | awk '{ if ($3=="Version") { print $4 } }'`
- Display --indent 4 --text "- Checking Squid version..." --result "FOUND" --color GREEN
- SQUID_VERSION="${FIND2}"
- else
- logtext "Result: test skipped for security reasons, setuid/setgid bit set"
- Display --indent 4 --text "- Checking Squid version..." --result "SKIPPED" --color RED
- fi
- else
- logtext "Result: no Squid binary found"
- fi
+ if [ ! "${SQUIDBINARY}" = "" ]; then
+ logtext "Result: Squid binary found (${SQUIDBINARY})"
+ # Skip check if a setuid/setgid bit is found
+ FIND=`find ${SQUIDBINARY} \( -perm 4000 -o -perm 2000 \) -print`
+ if [ "${FIND}" = "" ]; then
+ FIND2=`${SQUIDBINARY} -v | awk '{ if ($3=="Version") { print $4 } }'`
+ Display --indent 4 --text "- Checking Squid version" --result "FOUND" --color GREEN
+ SQUID_VERSION="${FIND2}"
+ else
+ logtext "Result: test skipped for security reasons, setuid/setgid bit set"
+ Display --indent 4 --text "- Checking Squid version" --result "SKIPPED" --color RED
+ fi
+ else
+ logtext "Result: no Squid binary found"
+ fi
fi
#
#################################################################################
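Review bot: The setuid/setgid guard in front of `${SQUIDBINARY} -v` will not fire for a normally installed binary, because `find -perm 4000` matches only a file whose mode is exactly 4000, not one that has the setuid bit set alongside other permission bits. The comment says the check should be skipped when a setuid/setgid bit is found, which needs the "at least these bits" form: `\( -perm -4000 -o -perm -2000 \)`. As written, the scanner would still execute a setuid or setgid binary with mode 4755 or 2755. `${SQUIDBINARY}` is also unquoted in both the `find` call and the `-v` call, so a path containing whitespace would be split; `"${SQUIDBINARY}"` avoids that. Where SQUIDBINARY is assigned is outside this hunk.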
@@ -119,12 +119,13 @@
Register --test-no SQD-3610 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check Squid version"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Checking all specific defined options in ${SQUID_DAEMON_CONFIG}"
- FIND=`cat ${SQUID_DAEMON_CONFIG} | grep -v "^#" | grep -v "^$" | ${AWKBINARY} '{gsub("\t"," ");print}' | sed 's/ /!space!/g'`
- for I in ${FIND}; do
- I=`echo ${I} | sed 's/!space!/ /g'`
- logtext "Found Squid option: ${I}"
- done
- Display --indent 4 --text "- Checking defined Squid options..." --result "DONE" --color GREEN
+ FIND=`cat ${SQUID_DAEMON_CONFIG} | grep -v "^#" | grep -v "^$" | ${AWKBINARY} '{gsub("\t"," ");print}' | sed 's/ /!space!/g'`
+ for I in ${FIND}; do
+ I=`echo ${I} | sed 's/!space!/ /g'`
+ logtext "Found Squid option: ${I}"
+ report "squid_option=${I}"
+ done
+ Display --indent 4 --text "- Checking defined Squid options" --result "DONE" --color GREEN
fi
#
#################################################################################
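Review bot: The added `report "squid_option=${I}"` copies every non-comment line of the Squid configuration into the report file, while the permissions test later in this file warns that the same configuration "could leak information or passwords". A directive that embeds a credential (for example a `cache_peer` line with a `login=` option) would then sit in the report, which may be readable by or forwarded to a wider audience than squid.conf itself. Consider reporting only the first field, the directive name, and leaving the full line to the log. tests_shells writes repeated values as `available_shell[]=`; if the report format relies on that suffix for lists, this key presumably should be `squid_option[]=`. The unquoted `echo ${I}` also lets a configuration line containing `*` be glob-expanded before it is logged; `echo "${I}"` keeps it literal.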
@@ -147,13 +148,13 @@
FIND=`find ${SQUID_DAEMON_CONFIG} -type f -a \( -perm -004 -o -perm -002 -o -perm -001 \)`
if [ ! "${FIND}" = "" ]; then
logtext "Result: file ${SQUID_DAEMON_CONFIG} is world readable, writable or executable and could leak information or passwords"
- Display --indent 4 --text "- Checking Squid configuration file permissions..." --result WARNING --color RED
+ Display --indent 4 --text "- Checking Squid configuration file permissions" --result WARNING --color RED
ReportSuggestion ${TEST_NO} "Check file permissions of ${SQUID_DAEMON_CONFIG} to limit access"
ReportWarning ${TEST_NO} "M" "File permissions of ${SQUID_DAEMON_CONFIG} are not restrictive"
AddHP 0 2
else
logtext "Result: file ${SQUID_DAEMON_CONFIG} has proper file permissions"
- Display --indent 4 --text "- Checking Squid configuration file permissions..." --result OK --color GREEN
+ Display --indent 4 --text "- Checking Squid configuration file permissions" --result OK --color GREEN
AddHP 2 2
fi
fi
@@ -161,7 +162,7 @@
#################################################################################
#
if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! "${SQUID_DAEMON_CONFIG}" = "" ]; then
- Display --indent 4 --text "- Checking Squid access control..."
+ Display --indent 4 --text "- Checking Squid access control"
fi
#
#################################################################################
@@ -171,18 +172,18 @@
if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! "${SQUID_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no SQD-3614 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check Squid authentication methods"
if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: check auth_param option for authentication methods"
- FIND=`grep "^auth_param" ${SQUID_DAEMON_CONFIG} | awk '{ print $2 }'`
- if [ "${FIND}" = "" ]; then
- logtext "No auth_param option found, proxy access anonymous or based on other methods (like ACLs)"
- Display --indent 6 --text "- Checking Squid authentication methods..." --result "NONE" --color YELLOW
- else
- Display --indent 6 --text "- Checking Squid authentication methods..." --result "FOUND" --color GREEN
- for I in ${FIND}; do
- logtext "Result: found authentication method ${I}"
- report "squid_auth_method=${I}"
- done
- fi
+ logtext "Test: check auth_param option for authentication methods"
+ FIND=`grep "^auth_param" ${SQUID_DAEMON_CONFIG} | awk '{ print $2 }'`
+ if [ "${FIND}" = "" ]; then
+ logtext "No auth_param option found, proxy access anonymous or based on other methods (like ACLs)"
+ Display --indent 6 --text "- Checking Squid authentication methods" --result "NONE" --color YELLOW
+ else
+ Display --indent 6 --text "- Checking Squid authentication methods" --result "FOUND" --color GREEN
+ for I in ${FIND}; do
+ logtext "Result: found authentication method ${I}"
+ report "squid_auth_method=${I}"
+ done
+ fi
fi
#
#################################################################################
@@ -192,19 +193,19 @@
if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! "${SQUID_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no SQD-3616 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check external Squid authentication"
if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: check external_acl_type option for external authentication helpers"
- FIND=`grep "^external_acl_type" ${SQUID_DAEMON_CONFIG}`
- if [ "${FIND}" = "" ]; then
- logtext "No external_acl_type found"
- Display --indent 6 --text "- Checking Squid external authentication methods..." --result "NONE" --color YELLOW
- else
- Display --indent 6 --text "- Checking Squid external authentication methods..." --result "FOUND" --color GREEN
- for I in ${FIND}; do
- logtext "Result: found external authentication method helper"
- logtext "Output: ${FIND}"
- #report "squid_external_acl_type=TRUE"
- done
- fi
+ logtext "Test: check external_acl_type option for external authentication helpers"
+ FIND=`grep "^external_acl_type" ${SQUID_DAEMON_CONFIG}`
+ if [ "${FIND}" = "" ]; then
+ logtext "No external_acl_type found"
+ Display --indent 6 --text "- Checking Squid external authentication methods" --result "NONE" --color YELLOW
+ else
+ Display --indent 6 --text "- Checking Squid external authentication methods" --result "FOUND" --color GREEN
+ for I in ${FIND}; do
+ logtext "Result: found external authentication method helper"
+ logtext "Output: ${FIND}"
+ #report "squid_external_acl_type=TRUE"
+ done
+ fi
fi
#
#################################################################################
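Review bot: The `for I in ${FIND}` loop in the else branch splits the matched `external_acl_type` lines on whitespace and then logs the whole of `${FIND}` on every pass, so the log gets the complete output repeated once per word and `${I}` is never used. Dropping the loop and calling `logtext "Result: found external authentication method helper"` and `logtext "Output: ${FIND}"` once gives the same information without the repetition. If one log entry per configured helper is wanted, the lines need to be kept intact first, for instance with the `!space!` substitution the ACL test in this file already uses.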
@@ -214,22 +215,22 @@
if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! "${SQUID_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no SQD-3620 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check Squid access control lists"
if [ ${SKIPTEST} -eq 0 ]; then
- N=0
- logtext "Test: checking ACLs"
- FIND=`grep "^acl " ${SQUID_DAEMON_CONFIG} | sed 's/ /!space!/g'`
- if [ "${FIND}" = "" ]; then
- logtext "Result: No ACLs found"
- Display --indent 6 --text "- Checking Access Control Lists..." --result "NONE" --color RED
- else
- for I in ${FIND}; do
- N=`expr ${N} + 1`
- I=`echo ${I} | sed 's/!space!/ /g'`
- logtext "Found ACL: ${I}"
- #report "squid_acl=${I}"
- done
- logtext "Result: Found ${N} ACLs"
- Display --indent 6 --text "- Checking Access Control Lists..." --result "${N} ACLs FOUND" --color GREEN
- fi
+ N=0
+ logtext "Test: checking ACLs"
+ FIND=`grep "^acl " ${SQUID_DAEMON_CONFIG} | sed 's/ /!space!/g'`
+ if [ "${FIND}" = "" ]; then
+ logtext "Result: No ACLs found"
+ Display --indent 6 --text "- Checking Access Control Lists" --result "NONE" --color RED
+ else
+ for I in ${FIND}; do
+ N=`expr ${N} + 1`
+ I=`echo ${I} | sed 's/!space!/ /g'`
+ logtext "Found ACL: ${I}"
+ #report "squid_acl=${I}"
+ done
+ logtext "Result: Found ${N} ACLs"
+ Display --indent 6 --text "- Checking Access Control Lists" --result "${N} ACLs FOUND" --color GREEN
+ fi
fi
#
#################################################################################
@@ -239,48 +240,48 @@
if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! "${SQUID_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no SQD-3624 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check Squid safe ports"
if [ ${SKIPTEST} -eq 0 ]; then
- N=0
- logtext "Test: checking ACL Safe_ports http_access option"
- FIND=`grep "^http_access" ${SQUID_DAEMON_CONFIG} | grep "Safe_ports"`
- if [ "${FIND}" = "" ]; then
- logtext "Result: no Safe_ports found"
- Display --indent 6 --text "- Checking ACL 'Safe_ports' http_access option..." --result "NOT FOUND" --color YELLOW
- ReportSuggestion ${TEST_NO} "Check if Squid has been configured to restrict access to all safe ports"
- else
- logtext "Result: checking ACL safe ports"
- FIND2=`grep "^acl Safe_ports port" ${SQUID_DAEMON_CONFIG} | awk '{ print $4 }'`
- if [ "${FIND2}" = "" ]; then
- Display --indent 6 --text "- Checking ACL 'Safe_ports' ports..." --result "NONE FOUND" --color YELLOW
- ReportSuggestion ${TEST_NO} "Check if Squid has been configured for which ports it can allow outgoing traffic (Safe_ports)"
- AddHP 0 1
- else
- logtext "Result: Safe_ports found"
- for I in ${FIND}; do
- logtext "Found safe port: ${I}"
- done
- Display --indent 6 --text "- Checking ACL 'Safe_ports' ports..." --result "FOUND" --color GREEN
- AddHP 1 1
- fi
- #SQUID_DAEMON_UNSAFE_PORTS_LIST
- for I in ${SQUID_DAEMON_UNSAFE_PORTS_LIST}; do
- logtext "Test: Checking port ${I} in Safe_ports list"
- FIND2=`grep "^acl Safe_ports port ${I}" ${SQUID_DAEMON_CONFIG}`
- if [ "${FIND2}" = "" ]; then
- Display --indent 6 --text "- Checking ACL 'Safe_ports' (port ${I})..." --result "NOT FOUND" --color GREEN
- AddHP 1 1
- else
- Display --indent 6 --text "- Checking ACL 'Safe_ports' (port ${I})..." --result "FOUND" --color RED
- ReportWarning ${TEST_NO} "H" "Squid configuration possibly allows relaying traffic via configured Safe_port ${I}"
- AddHP 0 1
- fi
- done
- fi
+ N=0
+ logtext "Test: checking ACL Safe_ports http_access option"
+ FIND=`grep "^http_access" ${SQUID_DAEMON_CONFIG} | grep "Safe_ports"`
+ if [ "${FIND}" = "" ]; then
+ logtext "Result: no Safe_ports found"
+ Display --indent 6 --text "- Checking ACL 'Safe_ports' http_access option" --result "NOT FOUND" --color YELLOW
+ ReportSuggestion ${TEST_NO} "Check if Squid has been configured to restrict access to all safe ports"
+ else
+ logtext "Result: checking ACL safe ports"
+ FIND2=`grep "^acl Safe_ports port" ${SQUID_DAEMON_CONFIG} | awk '{ print $4 }'`
+ if [ "${FIND2}" = "" ]; then
+ Display --indent 6 --text "- Checking ACL 'Safe_ports' ports" --result "NONE FOUND" --color YELLOW
+ ReportSuggestion ${TEST_NO} "Check if Squid has been configured for which ports it can allow outgoing traffic (Safe_ports)"
+ AddHP 0 1
+ else
+ logtext "Result: Safe_ports found"
+ for I in ${FIND}; do
+ logtext "Found safe port: ${I}"
+ done
+ Display --indent 6 --text "- Checking ACL 'Safe_ports' ports" --result "FOUND" --color GREEN
+ AddHP 1 1
+ fi
+ #SQUID_DAEMON_UNSAFE_PORTS_LIST
+ for I in ${SQUID_DAEMON_UNSAFE_PORTS_LIST}; do
+ logtext "Test: Checking port ${I} in Safe_ports list"
+ FIND2=`grep "^acl Safe_ports port ${I}" ${SQUID_DAEMON_CONFIG}`
+ if [ "${FIND2}" = "" ]; then
+ Display --indent 6 --text "- Checking ACL 'Safe_ports' (port ${I})" --result "NOT FOUND" --color GREEN
+ AddHP 1 1
+ else
+ Display --indent 6 --text "- Checking ACL 'Safe_ports' (port ${I})" --result "FOUND" --color RED
+ ReportWarning ${TEST_NO} "H" "Squid configuration possibly allows relaying traffic via configured Safe_port ${I}"
+ AddHP 0 1
+ fi
+ done
+ fi
fi
#
#################################################################################
#
if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! "${SQUID_DAEMON_CONFIG}" = "" ]; then
- Display --indent 4 --text "- Checking Squid Denial of Service tuning options..."
+ Display --indent 4 --text "- Checking Squid Denial of Service tuning options"
fi
#
#################################################################################
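Review bot: In the Safe_ports branch the loop `for I in ${FIND}` iterates over the words of the matched `http_access` lines rather than over the ports collected in `${FIND2}`, so "Found safe port:" logs tokens such as `http_access` instead of port numbers. It should read `for I in ${FIND2}; do`. The later check `grep "^acl Safe_ports port ${I}"` is a prefix match, so an unsafe port is reported as found when a longer port number merely starts with the same digits. It also misses a port that is only covered by a range, which weakens the H-level relaying warning in both directions. Matching the port as a whole word and handling ranges would make the result dependable. `N=0` is assigned but not used in the visible block.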
@@ -309,7 +310,7 @@
#################################################################################
#
if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! "${SQUID_DAEMON_CONFIG}" = "" ]; then
- Display --indent 4 --text "- Checking Squid general options..."
+ Display --indent 4 --text "- Checking Squid general options"
fi
#
#################################################################################
@@ -340,10 +341,10 @@
# Squid
#Hardening:
-# $1 $3
-# acl snmp_community
-# acl maxconn
-# acl max_user_ip
+# $1 $3
+# acl snmp_community
+# acl maxconn
+# acl max_user_ip
#
# follow_x_forwarded_for
#Read cache_peer host type(sibling/parent) proxyport icpport options (if set, icp_access should be set as well)
diff --git a/include/tests_ssh b/include/tests_ssh
index b434d5fb..84fc1239 100644
--- a/include/tests_ssh
+++ b/include/tests_ssh
@@ -33,13 +33,13 @@
# Description : Check for a running SSH daemon
Register --test-no SSH-7402 --weight L --network NO --description "Check for running SSH daemon"
if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: Searching for a SSH daemon..."
+ logtext "Test: Searching for a SSH daemon"
IsRunning sshd
if [ ${RUNNING} -eq 1 ]; then
SSH_DAEMON_RUNNING=1
- Display --indent 2 --text "- Checking running SSH daemon..." --result FOUND --color GREEN
+ Display --indent 2 --text "- Checking running SSH daemon" --result FOUND --color GREEN
else
- Display --indent 2 --text "- Checking running SSH daemon..." --result "NOT FOUND" --color WHITE
+ Display --indent 2 --text "- Checking running SSH daemon" --result "NOT FOUND" --color WHITE
fi
fi
#
@@ -70,11 +70,11 @@
done
if [ "${SSH_DAEMON_CONFIG}" = "" ]; then
logtext "Result: No sshd configuration found"
- Display --indent 4 --text "- Searching SSH configuration..." --result "NOT FOUND" --color YELLOW
+ Display --indent 4 --text "- Searching SSH configuration" --result "NOT FOUND" --color YELLOW
ReportException "${TEST_NO}:1" "SSH daemon is running, but no readable configuration file found"
else
logtext "Result: using last found configuration file: ${SSH_DAEMON_CONFIG}"
- Display --indent 4 --text "- Searching SSH configuration..." --result FOUND --color GREEN
+ Display --indent 4 --text "- Searching SSH configuration" --result FOUND --color GREEN
fi
fi
#
@@ -85,16 +85,16 @@
# if [ ${SSH_DAEMON_RUNNING} -eq 1 -a ! "${SSH_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
# Register --test-no SSH-7406 --preqs-met ${PREQS_MET} --weight L --network NO --description "SSH daemon listening port"
# if [ ${SKIPTEST} -eq 0 ]; then
-# logtext "Test: Searching for a SSH daemon..."
+# logtext "Test: Searching for a SSH daemon"
# CheckOption "^Port " ${SSH_DAEMON_CONFIG}
# if [ ${FOUND} -eq 1 ]; then
# FIND=`echo ${FIND} | awk '{ if ($1=="Port") { print $2 }}'`
# # Check if this output is numeric and usuable for later (e.g. in netstat output)
-# Display --indent 2 --text "- Checking SSH listening port..." --result FOUND --color GREEN
+# Display --indent 2 --text "- Checking SSH listening port" --result FOUND --color GREEN
# logtext "Result: setting port number to ${FIND}"
# SSH_DAEMON_PORT="${FIND}"
# else
-# Display --indent 2 --text "- Checking SSH listening port..." --result "NOT FOUND" --color WHITE
+# Display --indent 2 --text "- Checking SSH listening port" --result "NOT FOUND" --color WHITE
# logtext "Result: setting port to default number, as no other port has been configured"
# SSH_DAEMON_PORT="22"
# fi
@@ -113,7 +113,7 @@
I=`echo ${I} | sed 's/!space!/ /g'`
logtext "Found SSH option: ${I}"
done
- Display --indent 4 --text "- Checking defined SSH options..." --result "DONE" --color GREEN
+ Display --indent 4 --text "- Checking defined SSH options" --result "DONE" --color GREEN
fi
#
#################################################################################
@@ -127,18 +127,18 @@
FIND=`cat ${SSH_DAEMON_CONFIG} | grep "^PermitRootLogin" | awk '{ print $2 }'`
if [ "${FIND}" = "yes" -o "${FIND}" = "YES" -o "${FIND}" = "Yes" ]; then
logtext "Result: PermitRootLogin is enabled, root can login directly"
- Display --indent 4 --text "- SSH option: PermitRootLogin..." --result WARNING --color RED
+ Display --indent 4 --text "- SSH option: PermitRootLogin" --result WARNING --color RED
ReportWarning ${TEST_NO} "M" "Root can directly login via SSH"
AddHP 0 3
else
# YYY add test for DenyUsers root
if [ "${FIND}" = "no" -o "${FIND}" = "No" ]; then
logtext "Result: PermitRootLogin is disabled. Root can't login directly"
- Display --indent 4 --text "- SSH option: PermitRootLogin..." --result DISABLED --color GREEN
+ Display --indent 4 --text "- SSH option: PermitRootLogin" --result DISABLED --color GREEN
AddHP 3 3
else
logtext "Result: Value of PermitRootLogin is unknown (not defined)"
- Display --indent 4 --text "- SSH option: PermitRootLogin..." --result DEFAULT --color WHITE
+ Display --indent 4 --text "- SSH option: PermitRootLogin" --result DEFAULT --color WHITE
fi
fi
fi
@@ -154,17 +154,17 @@
FIND=`cat ${SSH_DAEMON_CONFIG} | grep "^Protocol" | awk '{ print $2 }'`
if [ "${FIND}" = "1" -o "${FIND}" = "2,1" -o "${FIND}" = "1,2" ]; then
logtext "Result: Protocol option is set to allow SSH protocol version 1"
- Display --indent 4 --text "- SSH option: Protocol..." --result WARNING --color RED
+ Display --indent 4 --text "- SSH option: Protocol" --result WARNING --color RED
ReportWarning ${TEST_NO} "M" "SSH protocol version 1 is allowed"
AddHP 0 3
else
if [ "${FIND}" = "2" ]; then
logtext "Result: only protocol 2 is allowed"
- Display --indent 4 --text "- SSH option: Protocol..." --result OK --color GREEN
+ Display --indent 4 --text "- SSH option: Protocol" --result OK --color GREEN
AddHP 3 3
else
logtext "Result: value of Protocol is unknown (not defined)"
- Display --indent 4 --text "- SSH option: Protocol..." --result DEFAULT --color WHITE
+ Display --indent 4 --text "- SSH option: Protocol" --result DEFAULT --color WHITE
fi
fi
fi
@@ -180,18 +180,18 @@
FIND=`cat ${SSH_DAEMON_CONFIG} | grep "^StrictModes" | awk '{ print $2 }'`
if [ "${FIND}" = "no" -o "${FIND}" = "NO" -o "${FIND}" = "No" ]; then
logtext "Result: StrictModes option is set to 'no', which means file permissions are NOT checked"
- Display --indent 4 --text "- SSH option: StrictModes..." --result WARNING --color RED
+ Display --indent 4 --text "- SSH option: StrictModes" --result WARNING --color RED
ReportWarning ${TEST_NO} "M" "StrictModes is turned off"
ReportSuggestion ${TEST_NO} "Check StrictModes option in sshd_config"
AddHP 0 3
else
if [ "${FIND}" = "yes" -o "${FIND}" = "YES" -o "${FIND}" = "Yes" ]; then
logtext "Result: StrictModes active, file permissions are checked"
- Display --indent 4 --text "- SSH option: StrictModes..." --result OK --color GREEN
+ Display --indent 4 --text "- SSH option: StrictModes" --result OK --color GREEN
AddHP 3 3
else
logtext "Result: value of StrictModes is unknown (not defined)"
- Display --indent 4 --text "- SSH option: StrictModes..." --result DEFAULT --color WHITE
+ Display --indent 4 --text "- SSH option: StrictModes" --result DEFAULT --color WHITE
fi
fi
fi
@@ -207,17 +207,17 @@
# FIND=`cat ${SSH_DAEMON_CONFIG} | grep "^Port" | awk '{ if ($2!="22") { print $2 } }'`
# if [ "${FIND}" = "1" -o "${FIND}" = "2,1" -o "${FIND}" = "1,2" ]; then
# logtext "Result: Protocol option is set to allow SSH protocol version 1"
-# Display --indent 4 --text "- SSH option: Protocol..." --result WARNING --color RED
+# Display --indent 4 --text "- SSH option: Protocol" --result WARNING --color RED
# ReportWarning ${TEST_NO} "M" "SSH protocol version 1 is allowed"
# AddHP 0 3
# else
# if [ "${FIND}" = "2" ]; then
# logtext "Result: only protocol 2 is allowed"
-# Display --indent 4 --text "- SSH option: Protocol..." --result OK --color GREEN
+# Display --indent 4 --text "- SSH option: Protocol" --result OK --color GREEN
# AddHP 3 3
# else
# logtext "Result: value of Protocol is unknown (not defined)"
-# Display --indent 4 --text "- SSH option: Protocol..." --result DEFAULT --color WHITE
+# Display --indent 4 --text "- SSH option: Protocol" --result DEFAULT --color WHITE
# fi
# fi
# fi
@@ -235,22 +235,22 @@
FIND=`egrep "^AllowUsers" ${SSH_DAEMON_CONFIG} | awk '{ print $2 }'`
if [ ! "${FIND}" = "" ]; then
logtext "Result: AllowUsers set, with value ${FIND}"
- Display --indent 4 --text "- SSH option: AllowUsers..." --result FOUND --color GREEN
+ Display --indent 4 --text "- SSH option: AllowUsers" --result FOUND --color GREEN
FOUND=1
else
logtext "Result: AllowUsers is not set"
- Display --indent 4 --text "- SSH option: AllowUsers..." --result "NOT FOUND" --color WHITE
+ Display --indent 4 --text "- SSH option: AllowUsers" --result "NOT FOUND" --color WHITE
fi
# AllowGroups
FIND=`egrep "^AllowGroups" ${SSH_DAEMON_CONFIG} | awk '{ print $2 }'`
if [ ! "${FIND}" = "" ]; then
logtext "Result: AllowUsers set ${FIND}"
- Display --indent 4 --text "- SSH option: AllowGroups..." --result FOUND --color GREEN
+ Display --indent 4 --text "- SSH option: AllowGroups" --result FOUND --color GREEN
FOUND=1
else
logtext "Result: AllowGroups is not set"
- Display --indent 4 --text "- SSH option: AllowGroups..." --result "NOT FOUND" --color WHITE
+ Display --indent 4 --text "- SSH option: AllowGroups" --result "NOT FOUND" --color WHITE
fi
if [ ${FOUND} -eq 1 ]; then
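Review bot: In the AllowGroups branch the log line still reads `logtext "Result: AllowUsers set ${FIND}"`, a copy of the AllowUsers message, so the log attributes the group restriction to the wrong option. It should be `logtext "Result: AllowGroups set, with value ${FIND}"`. Both lookups also print only `$2`, so when several users or groups are listed only the first one reaches the log. The block continues past the last line of the hunk.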
diff --git a/include/tests_storage b/include/tests_storage
index cdad2bcb..ddd51c5c 100644
--- a/include/tests_storage
+++ b/include/tests_storage
@@ -52,12 +52,12 @@
fi
if [ ${FOUND} -eq 0 ]; then
logtext "Result: usb-storage driver is not explicitly disabled"
- Display --indent 2 --text "- Checking usb-storage driver (modprobe config)..." --result "NOT DISABLED" --color WHITE
+ Display --indent 2 --text "- Checking usb-storage driver (modprobe config)" --result "NOT DISABLED" --color WHITE
ReportSuggestion ${TEST_NO} "Disable drivers like USB storage when not used, to prevent unauthorized storage or data theft"
AddHP 2 3
else
logtext "Result: usb-storage driver is disabled"
- Display --indent 2 --text "- Checking usb-storage driver (modprobe config)..." --result "DISABLED" --color GREEN
+ Display --indent 2 --text "- Checking usb-storage driver (modprobe config)" --result "DISABLED" --color GREEN
AddHP 3 3
fi
fi
@@ -94,13 +94,13 @@
if [ ${FOUND} -eq 0 ]; then
logtext "Result: firewire ohci driver is not explicitly disabled"
- Display --indent 2 --text "- Checking firewire ohci driver (modprobe config)..." --result "NOT DISABLED" --color WHITE
+ Display --indent 2 --text "- Checking firewire ohci driver (modprobe config)" --result "NOT DISABLED" --color WHITE
ReportSuggestion ${TEST_NO} "Disable drivers like firewire storage when not used, to prevent unauthorized storage or data theft"
# after blacklisting modules, make sure to remove them from the initram filesystem: update-initramfs -u
AddHP 2 3
else
logtext "Result: firewire ohci driver is disabled"
- Display --indent 2 --text "- Checking firewire ohci driver (modprobe config)..." --result "DISABLED" --color GREEN
+ Display --indent 2 --text "- Checking firewire ohci driver (modprobe config)" --result "DISABLED" --color GREEN
AddHP 3 3
fi
fi
diff --git a/include/tests_storage_nfs b/include/tests_storage_nfs
index defdf679..6526dba6 100644
--- a/include/tests_storage_nfs
+++ b/include/tests_storage_nfs
@@ -27,10 +27,9 @@
#
#################################################################################
#
-
# Test : STRG-1902
# Description : Check rpcinfo
- if [ ! "${RPCINFOBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ if [ ! "${RPCINFOBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no STRG-1902 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check rpcinfo registered programs"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Checking rpcinfo registered programs"
@@ -38,14 +37,14 @@
for I in ${FIND}; do
logtext "rpcinfo: ${I}"
done
- Display --indent 2 --text "- Query rpc registered programs..." --result "DONE" --color GREEN
+ Display --indent 2 --text "- Query rpc registered programs" --result "DONE" --color GREEN
fi
#
#################################################################################
#
# Test : STRG-1904
# Description : Check nfs versions in rpcinfo
- if [ ! "${RPCINFOBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ if [ ! "${RPCINFOBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no STRG-1904 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check nfs rpc"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Checking NFS registered versions"
@@ -53,7 +52,7 @@
for I in ${FIND}; do
logtext "Found version: ${I}"
done
- Display --indent 2 --text "- Query NFS versions..." --result "DONE" --color GREEN
+ Display --indent 2 --text "- Query NFS versions" --result "DONE" --color GREEN
fi
#
#################################################################################
@@ -81,7 +80,7 @@
if [ "${FIND}" = "" ]; then
logtext "Output: no NFS port number found"
fi
- Display --indent 2 --text "- Query NFS protocols..." --result "DONE" --color GREEN
+ Display --indent 2 --text "- Query NFS protocols" --result "DONE" --color GREEN
fi
#
#################################################################################
@@ -94,10 +93,10 @@
FIND=`${PSBINARY} ax | grep "nfsd" | grep -v "grep"`
if [ "${FIND}" = "" ]; then
logtext "Output: NFS daemon is not running"
- Display --indent 2 --text "- Check running NFS daemon..." --result "NOT FOUND" --color WHITE
+ Display --indent 2 --text "- Check running NFS daemon" --result "NOT FOUND" --color WHITE
else
logtext "Output: NFS daemon is running"
- Display --indent 2 --text "- Check running NFS daemon.." --result "FOUND" --color GREEN
+ Display --indent 2 --text "- Check running NFS daemon" --result "FOUND" --color GREEN
NFS_DAEMON_RUNNING=1
fi
fi
@@ -129,10 +128,10 @@
logtext "Result: /etc/exports does not contain exported file systems"
NFS_EXPORTS_EMPTY=1
fi
- Display --indent 4 --text "- Checking /etc/exports..." --result "FOUND" --color GREEN
+ Display --indent 4 --text "- Checking /etc/exports" --result "FOUND" --color GREEN
else
logtext "Result: file /etc/exports does not exist"
- Display --indent 4 --text "- Checking /etc/exports..." --result "NOT FOUND" --color WHITE
+ Display --indent 4 --text "- Checking /etc/exports" --result "NOT FOUND" --color WHITE
fi
fi
#
@@ -144,7 +143,7 @@
Register --test-no STRG-1928 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking empty /etc/exports"
if [ ${SKIPTEST} -eq 0 ]; then
if [ ${NFS_EXPORTS_EMPTY} -eq 1 ]; then
- Display --indent 6 --text "- Checking empty /etc/exports..." --result SUGGESTION --color YELLOW
+ Display --indent 6 --text "- Checking empty /etc/exports" --result SUGGESTION --color YELLOW
logtext "Result: /etc/exports seems to have no exported file systems"
ReportSuggestion ${TEST_NO} "/etc/exports has no exported file systems, while NFS daemon is running. Check if NFS needs to run on this system"
fi
@@ -161,12 +160,12 @@
sFIND=`${SHOWMOUNTBINARY} -e | awk '{ print $2 }' | sed '1d'| grep "\*"`
if [ "${sFIND}" != "" ]; then
logtext "Result: all client are allowed to access a NFS share in /etc/exports"
- Display --indent 4 --text "- Checking NFS client access..." --result "ALL CLIENTS" --color YELLOW
+ Display --indent 4 --text "- Checking NFS client access" --result "ALL CLIENTS" --color YELLOW
ReportSuggestion ${TEST_NO} "Specify clients that are allowed to access a NFS share /etc/exports"
AddHP 2 3
else
logtext "Result: only some clients are allowed to access a NFS share"
- Display --indent 4 --text "- Checking NFS client access..." --result OK --color GREEN
+ Display --indent 4 --text "- Checking NFS client access" --result OK --color GREEN
AddHP 3 3
fi
fi
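Review bot: `grep "\*"` on the showmount client column matches any entry that contains an asterisk, so a restricted wildcard such as `*.example.com` (constructed example) is reported as "ALL CLIENTS". In the other direction, an empty result from a failing showmount lands in the OK branch and is credited with `AddHP 3 3`. Assuming clients are comma-separated in that column, matching only a bare wildcard with `grep -E '(^|,)\*(,|$)'` and treating an empty showmount result as unknown would make both outcomes accurate. The log text should also read "all clients are allowed". The test block starts outside the hunk.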
diff --git a/include/tests_tcpwrappers b/include/tests_tcpwrappers
index 949adbf0..282724c0 100644
--- a/include/tests_tcpwrappers
+++ b/include/tests_tcpwrappers
@@ -30,9 +30,9 @@
# Description : Basic nameserver configuration tests (connectivity)
# Register --test-no TCPW-xxxx --weight L --network YES --description "Basic nameserver configuration tests"
# if [ ${SKIPTEST} -eq 0 ]; then
-# Display --indent 2 --text "- Checking configured nameservers..."
+# Display --indent 2 --text "- Checking configured nameservers"
# logtext "Test: Checking /etc/resolv.conf file"
-# Display --indent 8 --text "Nameserver: ${I}..." --result OK --color GREEN
+# Display --indent 8 --text "Nameserver: ${I}" --result OK --color GREEN
# ReportSuggestion ${TEST_NO} "Check connection to this nameserver and make sure no outbound DNS queries are blocked (port 53 UDP and TCP)."
# ReportWarning ${TEST_NO} "L" "Nameserver ${I} does not respond"
# fi
diff --git a/include/tests_time b/include/tests_time
index 6282afef..3d3ff3af 100644
--- a/include/tests_time
+++ b/include/tests_time
@@ -47,7 +47,7 @@
Register --test-no TIME-3104 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check for running NTP daemon or client"
if [ ${SKIPTEST} -eq 0 ]; then
# Linux/FreeBSD (ntpdate), OpenBSD (ntpd, rdate)
- logtext "Test: Searching for a running NTP daemon or available client... "
+ logtext "Test: Searching for a running NTP daemon or available client"
FOUND=0
# Check running processes
@@ -140,10 +140,10 @@
done
if [ ${FOUND_IN_CRON} -eq 1 ]; then
- Display --indent 2 --text "- Checking NTP client in cron files..." --result FOUND --color GREEN
+ Display --indent 2 --text "- Checking NTP client in cron files" --result FOUND --color GREEN
logtext "Result: found ntpdate or rdate in cron directory"
else
- Display --indent 2 --text "- Checking NTP client in cron.d files..." --result "NOT FOUND" --color WHITE
+ Display --indent 2 --text "- Checking NTP client in cron.d files" --result "NOT FOUND" --color WHITE
logtext "Result: no ntpdate or rdate found in cron directories"
fi
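Review bot: The two Display labels for the same check differ: the found branch prints `- Checking NTP client in cron files` and the not-found branch `- Checking NTP client in cron.d files`, while the log lines speak of cron directories. Since this commit is normalising the labels, use one text in both branches, e.g. `Display --indent 2 --text "- Checking NTP client in cron files" --result "NOT FOUND" --color WHITE`. The loop that sets FOUND_IN_CRON is outside the hunk, so which directories are actually scanned cannot be confirmed from here.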
@@ -154,7 +154,7 @@
logtext "Result: found ntpdate action when network interface comes up"
FOUND=1
NTP_CONFIG_TYPE_EVENTBASED=1
- Display --indent 2 --text "- Checking event based ntpdate (if-up)..." --result FOUND --color GREEN
+ Display --indent 2 --text "- Checking event based ntpdate (if-up)" --result FOUND --color GREEN
else
logtext "Result: file /etc/network/if-up.d/ntpdate does not exist"
fi
@@ -297,11 +297,11 @@
logtext "Test: Checking preferred time source"
FIND=`${NTPQBINARY} -p -n | grep '^+' | awk '{ print $1 }'`
if [ "${FIND}" = "" ]; then
- Display --indent 2 --text "- Checking time source candidates..." --result NONE --color YELLOW
+ Display --indent 2 --text "- Checking time source candidates" --result NONE --color YELLOW
logtext "Result: No other time source candidates found"
ReportSuggestion ${TEST_NO} "Check ntpq peers output for time source candidates"
else
- Display --indent 2 --text "- Checking time source candidates..." --result OK --color GREEN
+ Display --indent 2 --text "- Checking time source candidates" --result OK --color GREEN
logtext "Result: Found one or more candidates to synchronize time with."
for I in ${FIND}; do
I=`echo ${I} | sed 's/+//g'`
@@ -320,10 +320,10 @@
logtext "Test: Checking preferred time source"
FIND=`${NTPQBINARY} -p -n | grep '^x'`
if [ "${FIND}" = "" ]; then
- Display --indent 2 --text "- Checking falsetickers..." --result OK --color GREEN
+ Display --indent 2 --text "- Checking falsetickers" --result OK --color GREEN
logtext "Result: No falsetickers found (items preceeding with an 'x')"
else
- Display --indent 2 --text "- Checking falsetickers..." --result NONE --color YELLOW
+ Display --indent 2 --text "- Checking falsetickers" --result NONE --color YELLOW
logtext "Result: Found one or more falsetickers (items preceeding with an 'x')"
for I in ${FIND}; do
I=`echo ${I} | sed 's/x//g'`
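Review bot: Unlike the candidates test in the previous hunk, this lookup keeps the full ntpq lines in FIND (`grep '^x'` with no awk), so `for I in ${FIND}` iterates over every whitespace-separated field of each line and `sed 's/x//g'` strips every x from each of them. Appending `| awk '{ print $1 }'` to the pipeline and using `sed 's/^x//'` would leave one peer address per iteration. The found branch also displays `--result NONE`, which reads as if no falsetickers were found, and the log line `Test: Checking preferred time source` is a leftover from the previous test. The loop body continues outside the hunk.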
@@ -345,11 +345,11 @@
logtext "Test: Checking NTP protocol version (ntpq -c ntpversion)"
FIND=`${NTPQBINARY} -c ntpversion | awk '{ if ($1=="NTP" && $2=="version" && $5=="is") { print $6 } }'`
if [ "${FIND}" = "" ]; then
- Display --indent 2 --text "- Checking NTP version..." --result UNKNOWN --color YELLOW
+ Display --indent 2 --text "- Checking NTP version" --result UNKNOWN --color YELLOW
logtext "Result: No NTP version found"
ReportSuggestion ${TEST_NO} "Check ntpq output for NTP protocol version"
else
- Display --indent 2 --text "- Checking NTP version..." --result FOUND --color GREEN
+ Display --indent 2 --text "- Checking NTP version" --result FOUND --color GREEN
logtext "Result: Found NTP version ${FIND}"
report "ntp_version=${FIND}"
fi
diff --git a/include/tests_tooling b/include/tests_tooling
index 70701f9a..4d28b653 100644
--- a/include/tests_tooling
+++ b/include/tests_tooling
@@ -35,7 +35,7 @@ PUPPET_MASTER_RUNNING=0
Register --test-no TOOL-5002 --weight L --network NO --description "Checking for automation tools"
if [ ${SKIPTEST} -eq 0 ]; then
- Display --indent 2 --text "- Checking automation tooling..."
+ Display --indent 2 --text "- Checking automation tooling"
# Cfengine
if [ ! "${CFAGENTBINARY}" = "" ]; then
diff --git a/include/tests_virtualization b/include/tests_virtualization
index 4afd6d03..a7acf81f 100644
--- a/include/tests_virtualization
+++ b/include/tests_virtualization
@@ -39,10 +39,10 @@
report "solaris_running_zone[]=${ZONENAME} [id:${ZONEID}]"
done
logtext "Result: total of ${N} running zones"
- Display --indent 2 --text "- Checking Solaris Zones..." --result "FOUND ${N} zones" --color GREEN
+ Display --indent 2 --text "- Checking Solaris Zones" --result "FOUND ${N} zones" --color GREEN
else
logtext "Result: no running zones found"
- Display --indent 2 --text "- Checking Solaris Zones..." --result NONE --color WHITE
+ Display --indent 2 --text "- Checking Solaris Zones" --result NONE --color WHITE
fi
fi
#
@@ -71,7 +71,7 @@
# if [ ${SKIPTEST} -eq 0 ]; then
# # Initialise
# VMWARE_GUEST=0
-# Display --indent 2 --text "- Checking VMware guest status..."
+# Display --indent 2 --text "- Checking VMware guest status"
# #YYY check memory driver file
# #YYY check LKM list
# #YYY check vmware tools
diff --git a/include/tests_webservers b/include/tests_webservers
index e6f00154..0e05786c 100644
--- a/include/tests_webservers
+++ b/include/tests_webservers
@@ -56,7 +56,7 @@
if [ "${HTTPDBINARY}" = "" ]; then
Display --indent 2 --text "- Checking Apache" --result "NOT FOUND" --color WHITE
else
- logtext "Test: Scanning for Apache binary..."
+ logtext "Test: Scanning for Apache binary"
IS_APACHE=`${HTTPDBINARY} -v | egrep '[aA]pache'`
if [ "${IS_APACHE}" = "" ]; then
logtext "Result: ${HTTPDBINARY} is not Apache"
@@ -121,7 +121,7 @@
if [ ${APACHE_INSTALLED} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no HTTP-6626 --preqs-met ${PREQS_MET} --weight L --network NO --description "Testing other Apache configuration file"
if [ ${SKIPTEST} -eq 0 ]; then
- #Display --indent 4 --text "- Searching Apache virtual hosts..."
+ #Display --indent 4 --text "- Searching Apache virtual hosts"
for I in ${sTEST_APACHE_TARGETS}; do
if [ -d ${I} ]; then
find ${I} -name "*.conf" -print >> ${TMPFILE2}
@@ -200,7 +200,7 @@
# # Check if option ServerTokens is configured
# SERVERTOKENSTEST=`cat ${APACHE_CONFIGFILE} | grep ServerTokens | grep -v '^#'`
# if [ ! "${SERVERTOKENSTEST}" = "" ]; then
-# Display --indent 4 --text "- Checking option ServerTokens..." --result FOUND --color WHITE
+# Display --indent 4 --text "- Checking option ServerTokens" --result FOUND --color WHITE
# SERVERTOKENSTEST=`echo ${SERVERTOKENSTEST} | sed 's/ServerTokens//' | tr -d ' '`
# logtext "Option ServerTokens found: ${SERVERTOKENSTEST}"
# SERVERTOKENSEXPECTED=`cat ${PROFILE} | grep 'apache' | grep 'ServerTokens' | cut -d ':' -f3`
@@ -213,7 +213,7 @@
# logtext "Expected: ${SERVERTOKENSEXPECTED}"
# fi
# else
-# Display --indent 4 --text "- Checking option ServerTokens..." --result "NOT FOUND" --color WHITE
+# Display --indent 4 --text "- Checking option ServerTokens" --result "NOT FOUND" --color WHITE
# fi
#
# else
@@ -224,9 +224,9 @@
#
# # Display results from checks
# if [ ${SERVERTOKENSFOUND} -eq 1 ]; then
-# Display --indent 6 --text "- Value of ServerTokens..." --result OK --color GREEN
+# Display --indent 6 --text "- Value of ServerTokens" --result OK --color GREEN
# else
-# Display --indent 6 --text "- Value of ServerTokens..." --result WARNING --color RED
+# Display --indent 6 --text "- Value of ServerTokens" --result WARNING --color RED
# ReportWarning ${TEST_NO} "M" "Value of 'ServerTokens' in Apache config is different than template"
# fi
# fi
@@ -467,7 +467,7 @@
Register --test-no HTTP-6708 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check discovered nginx configuration settings"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: start parsing all discovered nginx options"
- Display --indent 4 --text "- Parsing configuration options..."
+ Display --indent 4 --text "- Parsing configuration options"
ParseNginx
fi
#
@@ -527,7 +527,7 @@
Register --test-no HTTP-6712 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check nginx access logging"
if [ ${SKIPTEST} -eq 0 ]; then
NGINX_LOG_SUGGESTION=0
- Display --indent 6 --text "- Checking log file configuration..."
+ Display --indent 6 --text "- Checking log file configuration"
# Check for missing access log
if [ ${NGINX_ACCESS_LOG_MISSING} -eq 1 ]; then
@@ -616,10 +616,10 @@
# done
# if [ ${N} -eq 0 ]; then
# logtext "Result: no reverse proxying functionality found"
-# Display --indent 4 --text "- Searching reverse proxy functionality..." --result "NOT FOUND" --color WHITE
+# Display --indent 4 --text "- Searching reverse proxy functionality" --result "NOT FOUND" --color WHITE
# else
# logtext "Result: found ${N} addresses for which nginx will be a reverse proxy"
-# Display --indent 4 --text "- Searching reverse proxy functionality..." --result "${N} FOUND" --color GREEN
+# Display --indent 4 --text "- Searching reverse proxy functionality" --result "${N} FOUND" --color GREEN
# fi
# fi
#
@@ -642,10 +642,10 @@
# done
# if [ ${N} -eq 0 ]; then
# logtext "Result: no virtual hosts found"
-# Display --indent 4 --text "- Searching virtual hosts..." --result "NOT FOUND" --color WHITE
+# Display --indent 4 --text "- Searching virtual hosts" --result "NOT FOUND" --color WHITE
# else
# logtext "Result: found ${N} virtual hosts"
-# Display --indent 4 --text "- Searching virtual hosts..." --result "${N} FOUND" --color GREEN
+# Display --indent 4 --text "- Searching virtual hosts" --result "${N} FOUND" --color GREEN
# fi
# fi
#