author | hlein <hlein@korelogic.com> | 2017-03-07 22:23:08 +0300 |
---|---|---|
committer | Michael Boelen <michael.boelen@cisofy.com> | 2017-03-07 22:23:08 +0300 |
commit | e054e9757c3fdc0ac794e18fa7ed9e04c11b1de1 (patch) | |
tree | e14365959cb0e18b3bfc70404dc51b827123237c /include/tests_firewalls | |
parent | 7e915df1ee898dae2f7ba86aa0dd09cabdd63261 (diff) |
Lots of cleanups (#366)
* Description fix: SafePerms works on files not dirs.
All uses of SafePerms are on files (and indeed, it would reject
directories which would have +x set).
* Lots of whitespace cleanups.
Enforce everywhere(?) the same indentations for if/fi blocks.
The standard for the Lynis codebase is 4 spaces. But sometimes
it's 1, sometimes 3, sometimes 8.
These patches standardize all(?) if blocks but _not_ else's (which
are usually indented 2, but sometimes zero); I was too lazy to
identify those (see below).
This diff is giant, but should not change code behavior at all;
diff -w shows no changes apart from whitespace.
FWIW I identified instances to check by using:
perl -ne 'if ($oldfile ne $ARGV) { $.=1; $oldfile=$ARGV; }; chomp; if ($spaces) { next unless /^( *)([^ ]+)/; $newspaces=length($1); $firsttok = $2; next unless defined($firsttok); $offset = ($firsttok eq "elif" ? 0 : 4); if ($newspaces != $spaces + $offset) { print "$ARGV:$ifline\n$ARGV:$.:$_\n\n" }; $ifline=""; $spaces=""; } if (/^( *)if (?!.*[; ]fi)/) { $ifline = "$.:$_"; $spaces = length($1); }' $(find . -type f -print0 | xargs -0 file | egrep shell | cut -d: -f1)
Which produced output like:
./extras/build-lynis.sh:217: if [ ${VERSION_IN_SPECFILE} = "" -o ! "${VERSION_IN_SPECFILE}" = "${LYNIS_VERSION}" ]; then
./extras/build-lynis.sh:218: echo "[X] Version in specfile is outdated"
./plugins/plugin_pam_phase1:69: if [ -d ${PAM_DIRECTORY} ]; then
./plugins/plugin_pam_phase1:70: LogText "Result: /etc/pam.d exists"
...There are probably formal shellscript-beautification tools that
I'm oblivious to.
* More whitespace standardization.
* Fix a syntax error.
This looks like an if [ foo -o bar ]; was converted to if .. elif,
but incompletely.
* Add whitespace before closing ].
Without it, the shell thinks the ] is part of the last string, and
emits warnings like:
.../lynis/include/tests_authentication: line 1028: [: missing `]'
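As an added example that is not part of this commit or of Lynis: reproducing the `[: missing ]` warning from the message above, plus a small heuristic lint for the glued `]` defect, run over a constructed sample file (assumes only POSIX sh and grep; the sample lines and function names are made up here).

```shell
#!/bin/sh
# Added example, not code from the Lynis commit: reproduce the "[: missing `]'"
# warning described in the commit message and lint shell files for its cause.

# Constructed sample script: lines 2 and 3 glue the closing ']' to the last
# argument, lines 1 and 4 are correct.
write_sample() {
    cat > "$1" <<'EOF'
if [ "${FOO}" = "bar" ]; then echo ok; fi
if [ "${FOO}" = "bar"]; then echo glued; fi
if [ -z "${BAR}"]; then echo glued; fi
if [ -f "${FILE}" ] && [ -r "${FILE}" ]; then echo ok; fi
EOF
}

# Print "line:text" for every line where a '[ ... ]' test ends with a
# non-blank character immediately before ']'. This is a regex heuristic, not a
# shell parser: '[[ ... ]]' and array subscripts like ${a[0]} would need
# separate handling in a code base that uses them.
find_glued_brackets() {
    grep -n '\[ .*[^ ]]' "$1" || true
}

# Number of offending lines, as a plain integer.
count_glued_brackets() {
    find_glued_brackets "$1" | wc -l | tr -d ' '
}

# Run a test expression under a fresh sh and return its exit status. With the
# bracket glued, '[' receives 'a]' instead of ']' as its last argument, prints
# 'missing ]' and fails, so an 'if' around it silently takes the else branch.
eval_test() {
    sh -c "$1" 2>/dev/null
}

main() {
    tmp="${TMPDIR:-/tmp}/glued_bracket_sample.$$"
    write_sample "$tmp"
    echo "Offending lines in ${tmp}:"
    find_glued_brackets "$tmp"
    rm -f "$tmp"
    if eval_test '[ "a" = "a"]'; then echo "glued test: true"; else echo "glued test: false (error)"; fi
    if eval_test '[ "a" = "a" ]'; then echo "spaced test: true"; else echo "spaced test: false"; fi
}

main
```

Because the failing `[` only writes to stderr and returns nonzero, the symptom in a checker like Lynis is a test that quietly reports the negative result rather than a crash, which is why the lint is worth running before the warnings are noticed in a log.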
Diffstat (limited to 'include/tests_firewalls')
-rw-r--r-- | include/tests_firewalls | 54 |
1 files changed, 27 insertions, 27 deletions
diff --git a/include/tests_firewalls b/include/tests_firewalls index 4fe18533..27883c91 100644 --- a/include/tests_firewalls +++ b/include/tests_firewalls @@ -51,7 +51,7 @@ for I in ${FIND}; do LogText "Found module: ${I}" done - else + else Display --indent 2 --text "- Checking iptables kernel module" --result "${STATUS_NOT_FOUND}" --color WHITE # If we can't find an active module, try to find the Linux configuration file and check that @@ -75,16 +75,16 @@ # Do not use iptables if it's compiled as a module (=m), since we already tested for it in the # active list. if [ "${HAVEMOD}" = "y" ]; then - LogText "Result: iptables available as a module in the configuration" - IPTABLES_ACTIVE=1 - IPTABLES_INKERNEL_ACTIVE=1 - FIREWALL_ACTIVE=1 - FIREWALL_SOFTWARE="iptables" - Display --indent 2 --text "- Checking iptables in config file" --result "${STATUS_FOUND}" --color GREEN - else + LogText "Result: iptables available as a module in the configuration" + IPTABLES_ACTIVE=1 + IPTABLES_INKERNEL_ACTIVE=1 + FIREWALL_ACTIVE=1 + FIREWALL_SOFTWARE="iptables" + Display --indent 2 --text "- Checking iptables in config file" --result "${STATUS_FOUND}" --color GREEN + else LogText "Result: no iptables found in Linux kernel config file" fi - else + else LogText "Result: no Linux configuration file found" Display --indent 2 --text "- Checking iptables in config file" --result "${STATUS_NOT_FOUND}" --color WHITE fi @@ -157,7 +157,7 @@ LogText "Result: iptables ruleset seems to be empty (found ${FIND} rules)" Display --indent 4 --text "- Checking for empty ruleset" --result "${STATUS_WARNING}" --color RED ReportWarning ${TEST_NO} "iptables module(s) loaded, but no rules active" - else + else LogText "Result: one or more rules are available (${FIND} rules)" Display --indent 4 --text "- Checking for empty ruleset" --result "${STATUS_OK}" --color GREEN fi 
@@ -175,7 +175,7 @@ if [ -z "${FIND}" ]; then Display --indent 4 --text "- Checking for unused rules" --result "${STATUS_OK}" --color GREEN LogText "Result: There are no unused rules present" - else + else Display --indent 4 --text "- Checking for unused rules" --result "${STATUS_FOUND}" --color YELLOW LogText "Result: Found one or more possible unused rules" LogText "Description: Unused rules can be a sign that the firewall rules aren't optimized or up-to-date" @@ -209,7 +209,7 @@ LogText "Result: pf is enabled" PFFOUND=1 AddHP 3 3 - else + else Display --indent 2 --text "- Checking pf status (pfctl)" --result "${STATUS_UNKNOWN}" --color YELLOW ReportException ${TEST_NO} "Unknown status of pf firewall" fi @@ -223,7 +223,7 @@ FIND=$(${KLDSTATBINARY} | ${GREPBINARY} 'pf.ko') if [ -z "${FIND}" ]; then LogText "Result: Can not find pf KLD" - else + else LogText "Result: pf KLD loaded" PFFOUND=1 fi @@ -237,7 +237,7 @@ Display --indent 4 --text "- Checking pflogd status" --result "ACTIVE" --color GREEN PFFOUND=1 PFLOGDFOUND=1 - else + else LogText "Result: pflog daemon not found in process list" fi fi @@ -246,7 +246,7 @@ FIREWALL_ACTIVE=1 FIREWALL_SOFTWARE="pf" Report "firewall_software[]=pf" - else + else LogText "Result: pf not running on this system" fi fi @@ -267,12 +267,12 @@ if [ -z "${PFWARNINGS}" ]; then Display --indent 4 --text "- Checking pf configuration consistency" --result "${STATUS_OK}" --color GREEN LogText "Result: no pf filter warnings found" - else + else Display --indent 4 --text "- Checking pf configuration consistency" --result "${STATUS_WARNING}" --color RED LogText "Result: found one or more warnings in the pf filter rules" ReportWarning ${TEST_NO} "Found one or more warnings in pf configuration file" "/etc/pf.conf" "text:Run 'pfctl -n -f /etc/pf.conf -vvv' to see available pf warnings" fi - else + else LogText "Result: /etc/pf.conf does NOT exist" fi fi 
@@ -296,7 +296,7 @@ FIREWALL_SOFTWARE="csf" Report "firewall_software[]=csf" Display --indent 2 --text "- Checking CSF status (configuration file)" --result "${STATUS_FOUND}" --color GREEN - else + else LogText "Result: ${FILE} does NOT exist" fi fi @@ -315,7 +315,7 @@ FIREWALL_ACTIVE=1 FIREWALL_SOFTWARE="ipf" Report "firewall_software[]=ipf" - else + else Display --indent 4 --text "- Checking ipf status" --result "${STATUS_NOT_RUNNING}" --color YELLOW LogText "Result: ipf is not running" fi @@ -340,15 +340,15 @@ if [ "${IPFW_ENABLED}" = "ipfw" ]; then Display --indent 4 --text "- IPFW enabled in /etc/rc.conf" --result "${STATUS_YES}" --color GREEN LogText "Result: IPFW is enabled at start-up for IPv4" - else + else Display --indent 4 --text "- ipfw enabled in /etc/rc.conf" --result "${STATUS_NO}" --color YELLOW LogText "Result: IPFW is disabled at start-up for IPv4" fi - else + else if IsVerbose; then Display --indent 2 --text "- Checking IPFW status" --result "${STATUS_NOT_RUNNING}" --color YELLOW; fi LogText "Result: IPFW is not running for IPv4" fi - else + else ReportException "${TEST_NO}:1" "No IPFW test available (sysctl missing)" fi fi @@ -369,7 +369,7 @@ APPLICATION_FIREWALL_ACTIVE=1 Report "firewall_software[]=macosx-app-fw" Report "app_fw[]=macosx-app-fw" - else + else if IsVerbose; then Display --indent 2 --text "- Checking macOS: Application Firewall" --result "${STATUS_DISABLED}" --color YELLOW; fi AddHP 1 3 LogText "Result: application firewall of macOS is disabled" @@ -390,7 +390,7 @@ APPLICATION_FIREWALL_ACTIVE=1 Report "app_fw[]=little-snitch" Report "firewall_software[]=little-snitch" - else + else if IsVerbose; then Display --indent 2 --text "- Checking Little Snitch Daemon" --result "${STATUS_DISABLED}" --color YELLOW; fi AddHP 1 3 LogText "Result: could not find Little Snitch" @@ -411,7 +411,7 @@ FIREWALL_ACTIVE=1 NFTABLES_ACTIVE=1 Report "firewall_software[]=nftables" - else + else LogText "Result: no nftables kernel module found" fi fi 
@@ -441,7 +441,7 @@ if [ ${NFT_RULES_LENGTH} -le 16 ]; then FIREWALL_EMPTY_RULESET=1 LogText "Result: this firewall set has 16 rules or less and is considered to be empty" - else + else LogText "Result: found ${NFT_RULES_LENGTH} rules in nftables configuration" fi fi @@ -484,7 +484,7 @@ # YYY Solaris ipf (determine default policy) Report "manual[]=Make sure an explicit deny all is the default policy for all unmatched traffic" AddHP 5 5 - else + else Display --indent 2 --text "- Checking host based firewall" --result "NOT ACTIVE" --color YELLOW LogText "Result: no host based firewall/packet filter found or configured" ReportSuggestion ${TEST_NO} "Configure a firewall/packet filter to filter incoming and outgoing traffic" |
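Review bot: the commit message says `else` lines were deliberately left alone ("_not_ else's"), yet every hunk in include/tests_firewalls touches an `else` line and the @@ -75,16 +75,16 @@ hunk also reindents the six body lines of the `HAVEMOD` branch; the description should be updated to match, and since the claim is that `diff -w` is empty, a reviewer can confirm that for this file with `git diff -w` on the parent before merging it together with the behavioural fixes (the syntax error and the missing `]`) in other files.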
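Review bot: in the @@ -441,7 +441,7 @@ hunk the context line `if [ ${NFT_RULES_LENGTH} -le 16 ]; then` leaves the variable unquoted, so if it is ever empty the test becomes `[ -le 16 ]`, `[` prints an error to stderr and returns nonzero, and the else branch logs a rule count that does not exist; this is the same class of silent failure as the missing `]` fixed elsewhere in this commit, and `if [ "${NFT_RULES_LENGTH:-0}" -le 16 ]; then` avoids it.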
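Review bot: the @@ -340,15 +340,15 @@ hunk shows the two branches of the rc.conf check labelled inconsistently, "- IPFW enabled in /etc/rc.conf" versus "- ipfw enabled in /etc/rc.conf", and the @@ -237,7 +237,7 @@ and @@ -484,7 +484,7 @@ hunks pass the literals "ACTIVE" and "NOT ACTIVE" where the neighbouring Display calls use `${STATUS_...}` variables; since this commit is already a whitespace sweep, aligning the label case and using the corresponding STATUS variables where matching ones exist would be a cheap follow-up.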