
github.com/CISOfy/lynis.git - Unnamed repository; edit this file 'description' to name the repository.
authorjirib <46245+jirib@users.noreply.github.com>2019-03-05 21:03:44 +0300
committerMichael Boelen <michael.boelen@cisofy.com>2019-03-05 21:03:44 +0300
commit0dafe4a02b494e0c94c3d1b89e9e9791e2fde63d (patch)
tree11d2235a3d636af9ee62f0e5bb5612d890170edd /include/tests_boot_services
parent06bf77cb3052c7417b6fe44e70428b36da68c031 (diff)
better OpenBSD support (#641)
Diffstat (limited to 'include/tests_boot_services')
-rw-r--r--include/tests_boot_services116
1 files changed, 115 insertions, 1 deletions
diff --git a/include/tests_boot_services b/include/tests_boot_services
index 325407b3..84680efc 100644
--- a/include/tests_boot_services
+++ b/include/tests_boot_services
@@ -125,7 +125,7 @@
if [ -f /usr/bin/init-openrc ]; then SERVICE_MANAGER="openrc"; fi
fi
;;
- "DragonFly" | "NetBSD" | "FreeBSD")
+ "DragonFly" | "NetBSD" | "FreeBSD" | "OpenBSD")
if [ -x /sbin/init -a -d ${ROOTDIR}etc/rc.d -a -f ${ROOTDIR}etc/rc ]; then
SERVICE_MANAGER="bsdrc"
fi
@@ -824,6 +824,120 @@
#
#################################################################################
#
+ # Test : BOOT-5262
+ # Description : Check for OpenBSD boot daemons
+ Register --test-no BOOT-5262 --os OpenBSD --weight L --network NO --category security --description "Check for OpenBSD boot daemons"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ if HasData "${RCCTLBINARY}"; then
+ LogText "Result: rcctl binary found, trying that to discover information"
+ # OpenBSD (Ask rcctl(8) for running daemons)
+ LogText "Searching for running daemons (rcctl)"
+ FIND=$(${RCCTLBINARY} ls started)
+ COUNT=0
+ Report "running_service_tool=rcctl"
+ for ITEM in ${FIND}; do
+ LogText "Found running daemon: ${ITEM}"
+ Report "running_service[]=${ITEM}"
+ COUNT=$((COUNT + 1 ))
+ done
+ LogText "Note: Run rcctl ls all | egrep '^(pf|check_quotas|library_aslr)$' to see all daemons"
+ Display --indent 2 --text "- Check running daemons (rcctl)" --result "${STATUS_DONE}" --color GREEN
+ Display --indent 8 --text "Result: found ${COUNT} running daemons"
+ LogText "Result: Found ${COUNT} running daemons"
+
+ # OpenBSD (Ask rcctl(8) for enabled daemons)
+ LogText "Searching for enabled daemons (rcctl)"
+ FIND=$(${RCCTLBINARY} ls on | ${EGREPBINARY} -v '^(pf|check_quotas|library_aslr)$')
+ COUNT=0
+ Report "boot_service_tool=rcctl"
+ for ITEM in ${FIND}; do
+ LogText "Found enabled daemon at boot: ${ITEM}"
+ Report "boot_service[]=${ITEM}"
+ COUNT=$((COUNT + 1 ))
+ done
+ LogText "Note: Run rcctl ls all | egrep '^(pf|check_quotas|library_aslr)$' to see all daemons"
+ Display --indent 2 --text "- Check enabled daemons at boot (rcctl)" --result "${STATUS_DONE}" --color GREEN
+ Display --indent 8 --text "Result: found ${COUNT} enabled daemons at boot"
+ LogText "Result: Found ${COUNT} enabled daemons at boot"
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : BOOT-5263
+ # Description : Check OpenBSD world writable startup scripts
+ Register --test-no BOOT-5263 --os OpenBSD --weight L --network NO --category security --description "Check permissions for boot files/scripts"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ FOUND=0
+ CHECKDIR="${ROOTDIR}etc/rc.d"
+ LogText "Result: checking ${ROOTDIR}etc/rc.d scripts for writable bit"
+ LogText "Test: checking if directory ${DIR} exists"
+ if [ -d ${CHECKDIR} ]; then
+ LogText "Result: directory ${DIR} found"
+ LogText "Test: checking for available files in directory"
+ # OpenBSD uses symlinks to create another instance of daemons
+ FIND=$(${FINDBINARY} ${CHECKDIR} \( -type f -o -type l \) -print | ${SORTBINARY})
+ if [ ! -z "${FIND}" ]; then
+ LogText "Result: found files in directory, checking permissions now"
+ for FILE in ${FIND}; do
+ LogText "Test: checking permissions of file ${FILE}"
+ ShowSymlinkPath "${FILE}"
+ if [ ${FOUNDPATH} -eq 1 ]; then
+ CHECKFILE="${SYMLINK}"
+ LogText "Result: found the path behind this symlink (${CHECKFILE} --> ${FILE})"
+ else
+ CHECKFILE="${FILE}"
+ fi
+ if IsWorldWritable ${CHECKFILE}; then
+ FOUND=1
+ LogText "Result: warning, file ${CHECKFILE} is world writable"
+ else
+ LogText "Result: good, file ${CHECKFILE} not world writable"
+ fi
+ done
+ else
+ LogText "Result: found no files in directory."
+ fi
+ else
+ LogText "Result: directory ${CHECKDIR} not found. Skipping.."
+ fi
+
+ # Other files
+ CHECKFILES="${ROOTDIR}etc/rc ${ROOT}etc/rc.conf ${ROOT}etc/rc.conf.local ${ROOTDIR}etc/rc.local"
+ for I in ${CHECKFILES}; do
+ if [ -f ${I} ]; then
+ ShowSymlinkPath "${I}"
+ if [ ${FOUNDPATH} -eq 1 ]; then
+ CHECKFILE="${SYMLINK}"
+ LogText "Result: found the path behind this symlink (${CHECKFILE} --> ${I})"
+ else
+ CHECKFILE="${I}"
+ fi
+ LogText "Test: Checking ${CHECKFILE} file for writable bit"
+ if IsWorldWritable ${CHECKFILE}; then
+ FOUND=1
+ ReportWarning ${TEST_NO} "Found writable startup script ${CHECKFILE}"
+ LogText "Result: warning, file ${CHECKFILE} is world writable"
+ else
+ LogText "Result: good, file ${CHECKFILE} not world writable"
+ fi
+ fi
+ done
+
+ # Check results
+ if [ ${FOUND} -eq 1 ]; then
+ Display --indent 2 --text "- Check startup files (permissions)" --result "${STATUS_WARNING}" --color RED
+ ReportWarning ${TEST_NO} "Found world writable startup scripts" "-" "-"
+ LogText "Result: found one or more scripts which are possibly writable by other users"
+ AddHP 0 3
+ else
+ Display --indent 2 --text "- Check startup files (permissions)" --result "${STATUS_OK}" --color GREEN
+ AddHP 3 3
+ fi
+ fi
+#
+#################################################################################
+#
Report "boot_loader=${BOOT_LOADER}"
Report "boot_uefi_booted=${UEFI_BOOTED}"
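Review bot: In BOOT-5263 the `CHECKFILES` list builds two of its four paths with `${ROOT}` instead of `${ROOTDIR}`, and `ROOT` is not assigned anywhere in the visible lines. If it is unset, `etc/rc.conf` and `etc/rc.conf.local` resolve against the current working directory, the `[ -f ${I} ]` guard most likely fails, and the world-writable check silently skips both files while the test can still report OK. The line should read `CHECKFILES="${ROOTDIR}etc/rc ${ROOTDIR}etc/rc.conf ${ROOTDIR}etc/rc.conf.local ${ROOTDIR}etc/rc.local"`. The same test logs `${DIR}` in "checking if directory ${DIR} exists" and "directory ${DIR} found" although the variable it sets is `CHECKDIR`, so those two `LogText` calls should use `${CHECKDIR}`. The rc.d loop also sets `FOUND=1` without a per-file `ReportWarning`, unlike the "Other files" loop, so a writable rc.d script is named only in the log and not in the report.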