authorMichael Boelen <michael.boelen@cisofy.com>2017-04-30 18:59:35 +0300
committerMichael Boelen <michael.boelen@cisofy.com>2017-04-30 18:59:35 +0300
commit4ecb9d4d05124b813cd4d7ddcaf5671c2f4c4765 (patch)
tree282f5a4e9e3530ada04d00bda3e8ac118cf70bbd /include/tests_ports_packages
parent5ccd0912cf74f5d3dd07e5ed5fe0e6a30571fbb5 (diff)
[bulk change] cleaning up, code enhancements, initialization of variables, and new tests
Diffstat (limited to 'include/tests_ports_packages')
-rw-r--r--include/tests_ports_packages271
1 files changed, 167 insertions, 104 deletions
diff --git a/include/tests_ports_packages b/include/tests_ports_packages
index f276e2a0..c2b02ac2 100644
--- a/include/tests_ports_packages
+++ b/include/tests_ports_packages
@@ -62,10 +62,10 @@
#
# Test : PKGS-7302
# Description : Query FreeBSD/NetBSD pkg_info
- if [ -x /usr/sbin/pkg_info ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ if [ -x ${ROOTDIR}usr/sbin/pkg_info ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PKGS-7302 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Query FreeBSD/NetBSD pkg_info"
if [ ${SKIPTEST} -eq 0 ]; then
- N=0
+ COUNT=0
Display --indent 4 --text "- Checking pkg_info" --result "${STATUS_FOUND}" --color GREEN
LogText "Result: Found pkg_info"
Report "package_manager[]=pkg_info"
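Review bot: The new prerequisite check `[ -x ${ROOTDIR}usr/sbin/pkg_info ]` leaves the expansion unquoted, so a ROOTDIR containing whitespace (or an empty ROOTDIR making the path relative) turns the test into a `[` syntax error or a wrong answer rather than a clean NO, and the test is silently skipped. Quote it: `if [ -x "${ROOTDIR}usr/sbin/pkg_info" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi`. Every `${ROOTDIR}...` path introduced in this commit also assumes ROOTDIR carries its trailing slash (the concatenation is `${ROOTDIR}usr/...`), which is worth stating in a comment where ROOTDIR is defined, outside this file. The `if [ ${SKIPTEST} -eq 0 ]` block that begins here continues past the end of the hunk.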
@@ -74,13 +74,13 @@
LogText "Output:"; LogText "-----"
SPACKAGES=$(${ROOTDIR}usr/sbin/pkg_info 2>&1 | ${SORTBINARY} | ${TRBINARY} -s ' ' | ${CUTBINARY} -d ' ' -f1 | ${SEDBINARY} -e 's/^\(.*\)-\([0-9].*\)$/\1,\2/g')
for ITEM in ${SPACKAGES}; do
- N=$((N + 1))
+ COUNT=$((COUNT + 1))
sPKG_NAME=$(echo ${ITEM} | ${CUTBINARY} -d ',' -f1)
sPKG_VERSION=$(echo ${ITEM} | ${CUTBINARY} -d ',' -f2)
LogText "Installed package: ${sPKG_NAME} (version: ${sPKG_VERSION})"
INSTALLED_PACKAGES="${INSTALLED_PACKAGES}|${ITEM}"
done
- Report "installed_packages=${N}"
+ Report "installed_packages=${COUNT}"
fi
#
#################################################################################
@@ -93,6 +93,7 @@
if [ ${SKIPTEST} -eq 0 ]; then
Display --indent 4 --text "- Searching brew" --result "${STATUS_FOUND}" --color GREEN
LogText "Result: Found brew"
+ PACKAGE_MGR_PKG=1
Report "package_manager[]=brew"
LogText "Test: Querying brew to get package list"
Display --indent 4 --text "- Querying brew for installed packages"
@@ -120,11 +121,11 @@
Display --indent 4 --text "- Querying portage for installed packages"
LogText "Output:"; LogText "-----"
GPACKAGES=$(equery l '*' | ${SEDBINARY} -e 's/[.*]//g')
- for J in ${GPACKAGES}; do
- LogText "Found package ${J}"
- INSTALLED_PACKAGES="${INSTALLED_PACKAGES}|${J},0,"
+ for PKG in ${GPACKAGES}; do
+ LogText "Found package ${PKG}"
+ INSTALLED_PACKAGES="${INSTALLED_PACKAGES}|${PKG},0,"
done
- else
+ else
LogText "Result: emerge can NOT be found on this system"
fi
#
@@ -139,6 +140,7 @@
Display --indent 4 --text "- Searching pkginfo" --result "${STATUS_FOUND}" --color GREEN
LogText "Result: Found Solaris pkginfo"
Report "package_manager[]=pkginfo"
+ PACKAGE_MGR_PKG=1
LogText "Test: Querying pkginfo to get package list"
Display --indent 4 --text "- Querying pkginfo for installed packages"
LogText "Output:"; LogText "-----"
@@ -159,7 +161,7 @@
if [ ! -z "${RPMBINARY}" -a -z "${DNFBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PKGS-7308 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking package list with RPM"
if [ ${SKIPTEST} -eq 0 ]; then
- N=0
+ COUNT=0
Display --indent 4 --text "- Searching RPM package manager" --result "${STATUS_FOUND}" --color GREEN
LogText "Result: Found rpm binary (${RPMBINARY})"
Report "package_manager[]=rpm"
@@ -172,16 +174,16 @@
LogText "Info: looks like the rpm binary is installed, but not used for package installation"
ReportSuggestion "${TEST_NO}" "Check RPM database as RPM binary available but does not reveal any packages"
else
- for J in ${SPACKAGES}; do
- N=$((N + 1))
- PACKAGE_NAME=$(echo ${J} | ${AWKBINARY} -F, '{print $1}')
- PACKAGE_VERSION=$(echo ${J} | ${AWKBINARY} -F, '{print $2}')
- LogText "Found package: ${J}"
+ for PKG in ${SPACKAGES}; do
+ COUNT=$((COUNT + 1))
+ PACKAGE_NAME=$(echo ${PKG} | ${AWKBINARY} -F, '{print $1}')
+ PACKAGE_VERSION=$(echo ${PKG} | ${AWKBINARY} -F, '{print $2}')
+ LogText "Found package: ${PKG}"
INSTALLED_PACKAGES="${INSTALLED_PACKAGES}|${PACKAGE_NAME},${PACKAGE_VERSION},"
done
- Report "installed_packages=${N}"
+ Report "installed_packages=${COUNT}"
fi
- else
+ else
LogText "Result: RPM binary NOT found on this system, test skipped"
fi
#
@@ -192,10 +194,11 @@
if [ ! -z "${PACMANBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PKGS-7310 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking package list with pacman"
if [ ${SKIPTEST} -eq 0 ]; then
- N=0
+ COUNT=0
Display --indent 4 --text "- Searching pacman package manager" --result "${STATUS_FOUND}" --color GREEN
LogText "Result: Found pacman binary (${PACMANBINARY})"
Report "package_manager[]=pacman"
+ PACKAGE_MGR_PKG=1
LogText "Test: Querying 'pacman -Q' to get package list"
Display --indent 6 --text "- Querying pacman package manager"
LogText "Output:"; LogText "--------"
@@ -204,14 +207,14 @@
LogText "Result: pacman binary available, but package list seems to be empty"
LogText "Info: looks like the pacman binary is installed, but not used for package installation"
else
- for J in ${SPACKAGES}; do
- N=$((N + 1))
- PACKAGE_NAME=$(echo ${J} | ${AWKBINARY} -F, '{ print $1 }')
- PACKAGE_VERSION=$(echo ${J} | ${AWKBINARY} -F, '{ print $2 }')
+ for PKG in ${SPACKAGES}; do
+ COUNT=$((COUNT + 1))
+ PACKAGE_NAME=$(echo ${PKG} | ${AWKBINARY} -F, '{ print $1 }')
+ PACKAGE_VERSION=$(echo ${PKG} | ${AWKBINARY} -F, '{ print $2 }')
LogText "Found package: ${PACKAGE_NAME} (version: ${PACKAGE_VERSION})"
- INSTALLED_PACKAGES="${INSTALLED_PACKAGES}|${J}"
+ INSTALLED_PACKAGES="${INSTALLED_PACKAGES}|${PKG}"
done
- Report "installed_packages=${N}"
+ Report "installed_packages=${COUNT}"
fi
fi
#
@@ -237,10 +240,10 @@
else
Display --indent 4 --text "- Searching update status (checkupdates)" --result "UP-TO-DATE" --color GREEN
fi
- else
+ else
LogText "Result: skipping this test, can't find checkupdates binary"
fi
- else
+ else
LogText "Result: pacman binary NOT found on this system, test skipped"
fi
#
@@ -322,20 +325,20 @@
if [ ! -z "${ZYPPERBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PKGS-7328 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Querying Zypper for installed packages"
if [ ${SKIPTEST} -eq 0 ]; then
- N=0
+ COUNT=0
PACKAGE_AUDIT_TOOL_FOUND=1
PACKAGE_AUDIT_TOOL="zypper"
FIND=$(${ZYPPERBINARY} -n se -t package -i | ${AWKBINARY} '{ if ($1=="i") { print $3 } }')
if [ ! -z "${FIND}" ]; then
- for I in ${FIND}; do
- N=$((N + 1))
- LogText "Installed package: ${I}"
- INSTALLED_PACKAGES="${INSTALLED_PACKAGES}|${J},0,"
+ for PKG in ${FIND}; do
+ COUNT=$((COUNT + 1))
+ LogText "Installed package: ${PKG}"
+ INSTALLED_PACKAGES="${INSTALLED_PACKAGES}|${PKG},0,"
done
- Report "installed_packages=${N}"
+ Report "installed_packages=${COUNT}"
else
# Could not find any installed packages
- ReportException ${TEST_NO} "No installed packages found with Zypper"
+ ReportException "${TEST_NO}" "No installed packages found with Zypper"
fi
fi
#
@@ -357,10 +360,10 @@
# Unfortunately zypper does not properly give back which package it is. Usually best guess is last word on the line
FIND=$(${ZYPPERBINARY} -n lp | ${AWKBINARY} '{ if ($5=="security" || $7=="security") { print $NF }}' | ${SEDBINARY} 's/:$//' | ${GREPBINARY} -v "^$" | ${SORTBINARY} -u)
LogText "List of vulnerable packages/version:"
- for I in ${FIND}; do
+ for PKG in ${FIND}; do
VULNERABLE_PACKAGES_FOUND=1
- Report "vulnerable_package[]=${I}"
- LogText "Vulnerable package: ${I}"
+ Report "vulnerable_package[]=${PKG}"
+ LogText "Vulnerable package: ${PKG}"
# Decrease hardening points for every found vulnerable package
AddHP 1 2
done
@@ -369,27 +372,79 @@
#
#################################################################################
#
+ # Test : PKGS-7332
+ # Description : Query macOS ports
+ if [ -x ${ROOTDIR}opt/local/bin/port ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ Register --test-no PKGS-7332 --os "macOS" --preqs-met ${PREQS_MET} --weight L --network NO --description "Query macOS ports"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ FIND=$(${ROOTDIR}opt/local/bin/port installed 2>&1 | ${GREPBINARY} active | ${SORTBINARY}; ${ROOTDIR}bin/echo $?)
+ if [ "${FIND}" = "0" ]; then
+ Display --indent 4 --text "- Searching packages with port" --result "{STATUS_FOUND}" --color GREEN
+ Report "package_manager[]=port"
+ PACKAGE_MGR_PKG=1
+ LogText "Result: Found port utility"
+ LogText "Test: Querying port to get package list"
+ Display --indent 6 --text "- Querying port for installed packages"
+ LogText "Output:"; LogText "-----"
+ SPACKAGES=$(${ROOTDIR}opt/local/bin/port installed | ${GREPBINARY} active)
+ for ITEM in ${SPACKAGES}; do
+ SPORT_NAME=$(echo ${ITEM} | ${CUTBINARY} -d@ -f1)
+ SPORT_VERSION=$(echo ${ITEM} | ${CUTBINARY} -d@ -f2 | ${CUTBINARY} -d' ' -f1)
+ LogText "Installed package: ${SPORT_NAME} (version: ${SPORT_VERSION})"
+ INSTALLED_PACKAGES="${INSTALLED_PORTS}|${ITEM}"
+ done
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : PKGS-7334
+ # Description : Query macOS ports for available port upgrades
+ if [ -x ${ROOTDIR}opt/local/bin/port ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ Register --test-no PKGS-7334 --os "macOS" --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Query port for port upgrades"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ COUNT=0
+ LogText "Test: Querying ports for possible port upgrades"
+ UPACKAGES=$(${ROOTDIR}opt/local/bin/port outdated 2> /dev/null | ${CUTBINARY} -d' ' -f1)
+ for J in ${UPACKAGES}; do
+ COUNT=$((COUNT + 1))
+ LogText "Upgrade available (new version): ${J}"
+ Report "upgrade_available[]=${J}"
+ done
+ Report "upgrade_available_count=${COUNT}"
+ if [ ${COUNT} -eq 0 ]; then
+ LogText "Result: no upgrades found"
+ Display --indent 2 --text "- Checking ports for updates" --result "${STATUS_NONE}" --color GREEN
+ AddHP 2 2
+ else
+ Display --indent 2 --text "- Checking ports for updates" --result "${STATUS_FOUND}" --color YELLOW
+ fi
+ fi
+#
+#################################################################################
+#
# Test : PKGS-7345
# Description : Debian package based systems (dpkg)
- if [ -x /usr/bin/dpkg ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ if [ -x ${ROOTDIR}usr/bin/dpkg ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PKGS-7345 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Querying dpkg"
if [ ${SKIPTEST} -eq 0 ]; then
- N=0
+ COUNT=0
Display --indent 4 --text "- Searching dpkg package manager" --result "${STATUS_FOUND}" --color GREEN
LogText "Result: Found dpkg binary"
Report "package_manager[]=dpkg"
+ PACKAGE_MGR_PKG=1
LogText "Test: Querying dpkg -l to get package list"
Display --indent 6 --text "- Querying package manager"
LogText "Output:"
SPACKAGES=$(dpkg -l 2>/dev/null | ${GREPBINARY} "^ii" | ${TRBINARY} -s ' ' | ${TRBINARY} ' ' ',' | sort)
for J in ${SPACKAGES}; do
- N=$((N + 1))
+ COUNT=$((COUNT + 1))
PACKAGE_NAME=$(echo ${J} | ${CUTBINARY} -d ',' -f2)
PACKAGE_VERSION=$(echo ${J} | ${CUTBINARY} -d ',' -f3)
LogText "Found package: ${PACKAGE_NAME} (version: ${PACKAGE_VERSION})"
INSTALLED_PACKAGES="${INSTALLED_PACKAGES}|${PACKAGE_NAME},${PACKAGE_VERSION}"
done
- Report "installed_packages=${N}"
+ Report "installed_packages=${COUNT}"
else
LogText "Result: dpkg can NOT be found on this system, test skipped"
fi
@@ -399,12 +454,12 @@
# Test : PKGS-7346
# Description : Check packages which are removed, but still own configuration files, cron jobs etc
# Notes : Cleanup: for pkg in $(dpkg -l | ${GREPBINARY} "^rc" | ${CUTBINARY} -d' ' -f3); do aptitude purge ${pkg}; done
- if [ -x /usr/bin/dpkg ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ if [ -x ${ROOTDIR}usr/bin/dpkg ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PKGS-7346 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Search unpurged packages on system"
if [ ${SKIPTEST} -eq 0 ]; then
- N=0
+ COUNT=0
LogText "Test: Querying dpkg -l to get unpurged packages"
- SPACKAGES=$(dpkg -l 2>/dev/null | ${GREPBINARY} "^rc" | ${CUTBINARY} -d ' ' -f3 | sort)
+ SPACKAGES=$(${ROOTDIR}usr/bin/dpkg -l 2>/dev/null | ${GREPBINARY} "^rc" | ${CUTBINARY} -d ' ' -f3 | sort)
if [ -z "${SPACKAGES}" ]; then
Display --indent 4 --text "- Query unpurged packages" --result "${STATUS_NONE}" --color GREEN
LogText "Result: no packages found with left overs"
@@ -413,10 +468,10 @@
LogText "Result: found one or more packages with left over configuration files, cron jobs etc"
LogText "Output:"
for J in ${SPACKAGES}; do
- N=$((N + 1))
+ COUNT=$((COUNT + 1))
LogText "Found unpurged package: ${J}"
done
- ReportSuggestion ${TEST_NO} "Purge old/removed packages (${N} found) with aptitude purge or dpkg --purge command. This will cleanup old configuration files, cron jobs and startup scripts."
+ ReportSuggestion ${TEST_NO} "Purge old/removed packages (${COUNT} found) with aptitude purge or dpkg --purge command. This will cleanup old configuration files, cron jobs and startup scripts."
fi
else
LogText "Result: dpkg can NOT be found on this system, test skipped"
@@ -431,8 +486,8 @@
# Add portmaster --clean-distfiles-all
Register --test-no PKGS-7348 --os FreeBSD --weight L --network NO --category security --description "Check for old distfiles"
if [ ${SKIPTEST} -eq 0 ]; then
- if [ -x /usr/local/sbin/portsclean ]; then
- FIND=$(/usr/local/sbin/portsclean -n -DD | ${GREPBINARY} 'Delete' | wc -l | ${TRBINARY} -d ' ')
+ if [ -x ${ROOTDIR}usr/local/sbin/portsclean ]; then
+ FIND=$(${ROOTDIR}usr/local/sbin/portsclean -n -DD | ${GREPBINARY} 'Delete' | wc -l | ${TRBINARY} -d ' ')
if [ ${FIND} -eq 0 ]; then
Display --indent 2 --text "- Checking presence old distfiles" --result "${STATUS_OK}" --color GREEN
LogText "Result: no unused distfiles found"
@@ -452,6 +507,7 @@
if [ ! -z "${DNFBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no "PKGS-7350" --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking for installed packages with DNF utility"
if [ ${SKIPTEST} -eq 0 ]; then
+ COUNT=0
Display --indent 4 --text "- Searching DNF package manager" --result "${STATUS_FOUND}" --color GREEN
LogText "Result: found DNF (Dandified YUM) utility (binary: ${DNFBINARY})"
Report "package_manager[]=dnf"
@@ -460,14 +516,14 @@
PACKAGE_AUDIT_TOOL_FOUND=1
PACKAGE_AUDIT_TOOL="dnf"
SPACKAGES=$(${DNFBINARY} -q list installed 2> /dev/null | ${AWKBINARY} '{ if ($1!="Installed" && $1!="Last") {print $1","$2 }}')
- for J in ${SPACKAGES}; do
- N=$((N + 1))
- PACKAGE_NAME=$(echo ${J} | ${CUTBINARY} -d ',' -f1)
- PACKAGE_VERSION=$(echo ${J} | ${CUTBINARY} -d ',' -f2)
+ for PKG in ${SPACKAGES}; do
+ COUNT=$((COUNT + 1))
+ PACKAGE_NAME=$(echo ${PKG} | ${CUTBINARY} -d ',' -f1)
+ PACKAGE_VERSION=$(echo ${PKG} | ${CUTBINARY} -d ',' -f2)
LogText "Found package: ${PACKAGE_NAME} (version: ${PACKAGE_VERSION})"
INSTALLED_PACKAGES="${INSTALLED_PACKAGES}|${PACKAGE_NAME},${PACKAGE_VERSION}"
done
- Report "installed_packages=${N}"
+ Report "installed_packages=${COUNT}"
fi
#
#################################################################################
@@ -594,19 +650,20 @@
if [ -x ${ROOTDIR}usr/local/sbin/portmaster ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PKGS-7378 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Query portmaster for port upgrades"
if [ ${SKIPTEST} -eq 0 ]; then
- N=0
+ COUNT=0
LogText "Test: Querying portmaster for possible port upgrades"
UPACKAGES=$(${ROOTDIR}usr/local/sbin/portmaster -L | ${GREPBINARY} "version available" | ${AWKBINARY} '{ print $5 }')
- for J in ${UPACKAGES}; do
- N=$((N + 1))
- LogText "Upgrade available (new version): ${J}"
- Report "upgrade_available[]=${J}"
+ for PKG in ${UPACKAGES}; do
+ COUNT=$((COUNT + 1))
+ LogText "Upgrade available (new version): ${PKG}"
+ Report "upgrade_available[]=${PKG}"
done
- Report "upgrade_available_count=${N}"
- if [ ${N} -eq 0 ]; then
- LogText "Result: no upgrades found"
+ Report "upgrade_available_count=${COUNT}"
+ if [ ${COUNT} -eq 0 ]; then
+ LogText "Result: no updates found"
Display --indent 2 --text "- Checking portmaster for updates" --result "${STATUS_NONE}" --color GREEN
else
+ LogText "Result: found ${COUNT} updates"
Display --indent 2 --text "- Checking portmaster for updates" --result "${STATUS_FOUND}" --color YELLOW
fi
fi
@@ -617,11 +674,11 @@
# Description : Check for vulnerable NetBSD packages (with pkg_admin)
Register --test-no PKGS-7380 --os NetBSD --weight L --network NO --category security --description "Check for vulnerable NetBSD packages"
if [ ${SKIPTEST} -eq 0 ]; then
- if [ -x /usr/sbin/pkg_admin ]; then
+ if [ -x ${ROOTDIR}usr/sbin/pkg_admin ]; then
PACKAGE_AUDIT_TOOL_FOUND=1
PACKAGE_AUDIT_TOOL="pkg_admin audit"
- if [ -f /var/db/pkg/pkgs-vulnerabilities ]; then
- FIND=$(/usr/sbin/pkg_admin audit)
+ if [ -f ${ROOTDIR}var/db/pkg/pkgs-vulnerabilities ]; then
+ FIND=$(${ROOTDIR}usr/sbin/pkg_admin audit)
if [ -z "${FIND}" ]; then
LogText "Result: pkg_admin audit results are clean"
Display --indent 2 --text "- Checking pkg_admin audit to obtain vulnerable packages" --result "${STATUS_NONE}" --color GREEN
@@ -631,7 +688,7 @@
LogText "Result: pkg_admin audit found one or more installed packages which are vulnerable."
ReportWarning ${TEST_NO} "Found one or more vulnerable packages."
LogText "List of vulnerable packages/version:"
- for I in $(/usr/sbin/pkg_admin audit | ${AWKBINARY} '{ print $2 }' | ${SORTBINARY} -u); do
+ for I in $(${ROOTDIR}usr/sbin/pkg_admin audit | ${AWKBINARY} '{ print $2 }' | ${SORTBINARY} -u); do
VULNERABLE_PACKAGES_FOUND=1
Report "vulnerable_package[]=${I}"
LogText "Vulnerable package: ${I}"
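Review bot: The loop header in this hunk runs `pkg_admin audit` a second time, although the same output was already captured in FIND by the earlier hunk of this test; iterating over the saved result, `for I in $(echo "${FIND}" | ${AWKBINARY} '{ print $2 }' | ${SORTBINARY} -u); do`, avoids a second audit and guarantees the packages reported match the result that triggered the warning. If the second run disagreed with the first (a vulnerability database refresh in between, for example) the warning and the package list would diverge silently. The enclosing if/else block starts and ends outside the hunk.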
@@ -701,11 +758,11 @@
# Test : PKGS-7382
# Description : Check for vulnerable FreeBSD packages
# Notes : Newer machines should use pkg audit instead of portaudit
- if [ -x /usr/local/sbin/portaudit ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ if [ -x ${ROOTDIR}usr/local/sbin/portaudit ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PKGS-7382 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for vulnerable FreeBSD packages with portaudit"
if [ ${SKIPTEST} -eq 0 ]; then
PACKAGE_AUDIT_TOOL_FOUND=1
- FIND=$(/usr/local/sbin/portaudit | ${GREPBINARY} 'problem(s) in your installed packages found' | ${GREPBINARY} -v '0 problem(s) in your installed packages found')
+ FIND=$(${ROOTDIR}usr/local/sbin/portaudit | ${GREPBINARY} 'problem(s) in your installed packages found' | ${GREPBINARY} -v '0 problem(s) in your installed packages found')
if [ -z "${FIND}" ]; then
LogText "Result: Portaudit results are clean"
Display --indent 2 --text "- Checking portaudit to obtain vulnerable packages" --result "${STATUS_NONE}" --color GREEN
@@ -716,10 +773,10 @@
ReportWarning ${TEST_NO} "Found one or more vulnerable packages."
ReportSuggestion ${TEST_NO} "Update your system with portupgrade or other tools"
LogText "List of vulnerable packages/version:"
- for I in $(/usr/local/sbin/portaudit | ${GREPBINARY} "Affected package" | ${CUTBINARY} -d ' ' -f3 | ${SORTBINARY} -u); do
+ for PKG in $(${ROOTDIR}usr/local/sbin/portaudit | ${GREPBINARY} "Affected package" | ${CUTBINARY} -d ' ' -f3 | ${SORTBINARY} -u); do
VULNERABLE_PACKAGES_FOUND=1
- Report "vulnerable_package[]=${I}"
- LogText "Vulnerable package: ${I}"
+ Report "vulnerable_package[]=${PKG}"
+ LogText "Vulnerable package: ${PKG}"
# Decrease hardening points for every found vulnerable package
AddHP 1 2
done
@@ -753,11 +810,11 @@
if [ ! -z "${YUMBINARY}" -a -z "${DNFBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PKGS-7384 --preqs-met ${PREQS_MET} --os Linux --weight L --network NO --category security --description "Check for YUM utils package"
if [ ${SKIPTEST} -eq 0 ]; then
- if [ -x /usr/bin/package-cleanup ]; then
- LogText "Result: found YUM utils package (/usr/bin/package-cleanup)"
+ if [ -x ${ROOTDIR}usr/bin/package-cleanup ]; then
+ LogText "Result: found YUM utils package (${ROOTDIR}usr/bin/package-cleanup)"
# Check for duplicates
LogText "Test: Checking for duplicate packages"
- FIND=$(/usr/bin/package-cleanup -q --dupes > /dev/null; echo $?)
+ FIND=$(${ROOTDIR}usr/bin/package-cleanup -q --dupes > /dev/null; echo $?)
if [ "${FIND}" = "0" ]; then
LogText "Result: No duplicate packages found"
Display --indent 2 --text "- Checking package database duplicates" --result "${STATUS_OK}" --color GREEN
@@ -770,7 +827,7 @@
# Check for package database problems
LogText "Test: Checking for database problems"
- FIND=$(/usr/bin/package-cleanup --problems > /dev/null; echo $?)
+ FIND=$(${ROOTDIR}usr/bin/package-cleanup --problems > /dev/null; echo $?)
if [ "${FIND}" = "0" ]; then
LogText "Result: No package database problems found"
Display --indent 2 --text "- Checking package database for problems" --result "${STATUS_OK}" --color GREEN
@@ -869,7 +926,7 @@
#
# Test : PKGS-7387
# Description : Search for YUM GPG check
- if [ -x /usr/bin/yum -a -z "${DNFBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ if [ -x ${ROOTDIR}usr/bin/yum -a -z "${DNFBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PKGS-7387 --preqs-met ${PREQS_MET} --os Linux --weight L --network NO --category security --description "Check for GPG signing in YUM security package"
if [ ${SKIPTEST} -eq 0 ]; then
if [ ! -z "${PYTHONBINARY}" ]; then
@@ -892,16 +949,18 @@
done
fi
FOUND=0
- FileExists /etc/yum.conf
+ FileExists ${ROOTDIR}etc/yum.conf
if [ ${FILE_FOUND} -eq 1 ]; then
- SearchItem "^gpgenabled\s*=\s*1$" "/etc/yum.conf"; if [ ${ITEM_FOUND} -eq 1 ]; then FOUND=1; fi
- SearchItem "^gpgcheck\s*=\s*1$" "/etc/yum.conf"; if [ ${ITEM_FOUND} -eq 1 ]; then FOUND=1; fi
+ SearchItem "^gpgenabled\s*=\s*1$" "${ROOTDIR}etc/yum.conf"; if [ ${ITEM_FOUND} -eq 1 ]; then FOUND=1; fi
+ SearchItem "^gpgcheck\s*=\s*1$" "${ROOTDIR}etc/yum.conf"; if [ ${ITEM_FOUND} -eq 1 ]; then FOUND=1; fi
if [ ${FOUND} -eq 1 ]; then
LogText "Result: GPG check is enabled"
Display --indent 2 --text "- Checking GPG checks (yum.conf)" --result "${STATUS_OK}" --color GREEN
+ AddHP 3 3
else
Display --indent 2 --text "- Checking GPG checks (yum.conf)" --result "${STATUS_DISABLED}" --color RED
ReportWarning ${TEST_NO} "No GPG signing option found in yum.conf"
+ AddHP 2 3
fi
fi
fi
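Review bot: The GPG verdict in this hunk is decided by yum.conf alone, but a per-repository `gpgcheck=0` in a `.repo` file under `${ROOTDIR}etc/yum.repos.d/` overrides the `[main]` setting, so a system can earn the STATUS_OK result and the full `AddHP 3 3` while one or more repositories still install unsigned packages. Consider a second pass that reports any `^gpgcheck\s*=\s*0` found in `${ROOTDIR}etc/yum.repos.d/*.repo` as a warning before the points are awarded. The converse also holds: a repo file that enables gpgcheck while yum.conf omits it is shown here as RED STATUS_DISABLED, so the existing message `No GPG signing option found in yum.conf` describes the finding more accurately than "disabled". If SearchItem hands the pattern to grep, `\s` is a GNU extension and deserves a comment for the non-GNU platforms this file otherwise supports. The enclosing if block starts outside the hunk.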
@@ -959,11 +1018,11 @@
#
# Test : PKGS-7390
# Description : Check Ubuntu database consistency
- if [ "${LINUX_VERSION}" = "Ubuntu" -a -x /usr/bin/apt-get ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ if [ "${LINUX_VERSION}" = "Ubuntu" -a -x ${ROOTDIR}usr/bin/apt-get ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PKGS-7390 --os Linux --preqs-met ${PREQS_MET} --root-only YES --weight L --network NO --category security --description "Check Ubuntu database consistency"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Package database consistency by running apt-get check"
- FIND=$(/usr/bin/apt-get -q=2 check 2> /dev/null; echo $?)
+ FIND=$(${ROOTDIR}usr/bin/apt-get -q=2 check 2> /dev/null; echo $?)
if [ "${FIND}" = "0" ]; then
Display --indent 2 --text "- Checking APT package database" --result "${STATUS_OK}" --color GREEN
LogText "Result: package database seems to be consistent."
@@ -979,7 +1038,7 @@
#
# Test : PKGS-7392
# Description : Check Debian/Ubuntu vulnerable packages
- if [ -x /usr/bin/apt-get ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ if [ -x ${ROOTDIR}usr/bin/apt-get ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PKGS-7392 --os Linux --preqs-met ${PREQS_MET} --root-only YES --weight L --network YES --category security --description "Check for Debian/Ubuntu security updates"
if [ ${SKIPTEST} -eq 0 ]; then
VULNERABLE_PACKAGES_FOUND=0
@@ -989,16 +1048,20 @@
PACKAGE_AUDIT_TOOL="apt-get"
PACKAGE_AUDIT_TOOL_FOUND=1
# Update the repository, outdated repositories don't give much information
- LogText "Action: updating repository with apt-get"
- /usr/bin/apt-get -q=2 update
- LogText "Result: apt-get finished"
- LogText "Test: Checking if /usr/lib/update-notifier/apt-check exists"
- if [ -x /usr/lib/update-notifier/apt-check ]; then
+ if [ ${REFRESH_REPOSITORIES} -eq 1 ]; then
+ LogText "Action: updating package repository with apt-get"
+ ${ROOTDIR}usr/bin/apt-get -q=2 update
+ LogText "Result: apt-get finished"
+ else
+ LogText "Result: using a possibly outdated repository, as updating is disabled via configuration"
+ fi
+ LogText "Test: Checking if ${ROOTDIR}usr/lib/update-notifier/apt-check exists"
+ if [ -x ${ROOTDIR}usr/lib/update-notifier/apt-check ]; then
PACKAGE_AUDIT_TOOL="apt-check"
- LogText "Result: found /usr/lib/update-notifier/apt-check"
+ LogText "Result: found ${ROOTDIR}usr/lib/update-notifier/apt-check"
LogText "Test: checking if any of the updates contain security updates"
# apt-check binary is a script and translated. Do not search for normal text strings, but use numbered output only
- FIND=$(/usr/lib/update-notifier/apt-check 2>&1 | ${AWKBINARY} -F\; '{ print $2 }')
+ FIND=$(${ROOTDIR}usr/lib/update-notifier/apt-check 2>&1 | ${AWKBINARY} -F\; '{ print $2 }')
# Check if we get the proper line back and amount of security patches available
if [ -z "${FIND}" ]; then
LogText "Result: did not find security updates line"
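Review bot: The new REFRESH_REPOSITORIES branch runs `${ROOTDIR}usr/bin/apt-get -q=2 update` without checking its exit status, so when the refresh fails (no network, unreachable mirror, broken signature on a repository) the log still says `Result: apt-get finished` and the security-update check below proceeds against stale metadata as if it were fresh. Make the failure visible in the log, e.g. `if ! ${ROOTDIR}usr/bin/apt-get -q=2 update; then LogText "Result: apt-get update failed, results may be based on outdated repository data"; fi`, so the "possibly outdated repository" caveat that the else branch already logs is also recorded in this path. `${REFRESH_REPOSITORIES}` is compared unquoted with `-eq`, which becomes a `[` syntax error if the variable is ever unset; `[ "${REFRESH_REPOSITORIES}" = "1" ]` is the safer form. The surrounding test body starts before and ends after this hunk.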
@@ -1028,9 +1091,9 @@
LogText "Result: found vulnerable package(s) via apt-get (-security channel)"
PACKAGE_AUDIT_TOOL="apt-get"
PACKAGE_AUDIT_TOOL_FOUND=1
- for I in ${FIND}; do
- LogText "Found vulnerable package: ${I}"
- Report "vulnerable_package[]=${I}"
+ for PKG in ${FIND}; do
+ LogText "Found vulnerable package: ${PKG}"
+ Report "vulnerable_package[]=${PKG}"
done
fi
if [ ${SCAN_PERFORMED} -eq 1 ]; then
@@ -1052,7 +1115,7 @@
#
# Test : PKGS-7393
# Description : Check Gentoo vulnerable packages
- if [ -x /usr/bin/emerge-webrsync ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ if [ -x ${ROOTDIR}usr/bin/emerge-webrsync ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PKGS-7393 --preqs-met ${PREQS_MET} --weight L --network YES --category security --description "Check for Gentoo vulnerable packages"
if [ ${SKIPTEST} -eq 0 ]; then
VULNERABLE_PACKAGES_FOUND=0
@@ -1063,19 +1126,19 @@
# "most friendly" way.
if [ ${REFRESH_REPOSITORIES} -eq 1 ]; then
LogText "Action: updating portage with emerge-webrsync"
- /usr/bin/emerge-webrsync --quiet 2> /dev/null
+ ${ROOTDIR}usr/bin/emerge-webrsync --quiet 2> /dev/null
LogText "Result: emerge-webrsync finished"
else
LogText "Result: using a possibly outdated repository, as updating is disabled"
fi
- LogText "Test: checking if /usr/bin/glsa-check exists"
- if [ -x /usr/bin/glsa-check ]; then
+ LogText "Test: checking if ${ROOTDIR}usr/bin/glsa-check exists"
+ if [ -x ${ROOTDIR}usr/bin/glsa-check ]; then
PACKAGE_AUDIT_TOOL_FOUND=1
PACKAGE_AUDIT_TOOL="glsa-check"
- LogText "Result: found /usr/bin/glsa-check"
+ LogText "Result: found ${ROOTDIR}usr/bin/glsa-check"
LogText "Test: checking if there are any vulnerable packages"
# glsa-check reports the GLSA date/ID string, not the vulnerable package.
- FIND=$(/usr/bin/glsa-check -t all 2>&1 | ${GREPBINARY} -v "This system is affected by the following GLSAs:" | ${GREPBINARY} -v "This system is not affected by any of the listed GLSAs" | ${WCBINARY} -l)
+ FIND=$(${ROOTDIR}usr/bin/glsa-check -t all 2>&1 | ${GREPBINARY} -v "This system is affected by the following GLSAs:" | ${GREPBINARY} -v "This system is not affected by any of the listed GLSAs" | ${WCBINARY} -l)
if [ -z "${FIND}" ]; then
LogText "Result: unexpected result: wc should report 0 if no vulnerable packages are found."
LogText "Notes: Check if system is up-to-date, security updates check (glsa-check) gives and unexpected result"
@@ -1093,7 +1156,7 @@
AddHP 0 25
fi
fi
- else
+ else
LogText "Result: glsa-check tool not found"
ReportSuggestion ${TEST_NO} "Use Emerge to install the gentoolkit package, which includes glsa-check tool for additional security checks."
fi
@@ -1106,11 +1169,11 @@
if [ "${LINUX_VERSION}" = "Ubuntu" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PKGS-7394 --os Linux --preqs-met ${PREQS_MET} --weight L --network YES --category security --description "Check for Ubuntu updates"
if [ ${SKIPTEST} -eq 0 ]; then
- LogText "Test: checking /usr/bin/apt-show-versions"
- if [ -x /usr/bin/apt-show-versions ]; then
- LogText "Result: found /usr/bin/apt-show-versions"
+ LogText "Test: checking ${ROOTDIR}usr/bin/apt-show-versions"
+ if [ -x ${ROOTDIR}usr/bin/apt-show-versions ]; then
+ LogText "Result: found ${ROOTDIR}usr/bin/apt-show-versions"
LogText "Test: Checking packages which can be upgraded via apt-show-versions"
- FIND=$(/usr/bin/apt-show-versions -u | ${SEDBINARY} 's/ /!space!/g')
+ FIND=$(${ROOTDIR}usr/bin/apt-show-versions -u | ${SEDBINARY} 's/ /!space!/g')
if [ -z "${FIND}" ]; then
LogText "Result: no packages found which can be upgraded"
Display --indent 2 --text "- Checking upgradeable packages" --result "${STATUS_NONE}" --color GREEN
@@ -1124,8 +1187,8 @@
LogText "${ITEM}"
done
fi
- else
- LogText "Result: /usr/bin/apt-show-versions not found"
+ else
+ LogText "Result: ${ROOTDIR}usr/bin/apt-show-versions not found"
Display --indent 2 --text "- Checking upgradeable packages" --result "${STATUS_SKIPPED}" --color WHITE
ReportSuggestion ${TEST_NO} "Install package apt-show-versions for patch management purposes"
fi
@@ -1143,7 +1206,7 @@
Display --indent 2 --text "- Checking package audit tool" --result "${STATUS_NONE}" --color RED
ReportSuggestion ${TEST_NO} "Install a package audit tool to determine vulnerable packages"
LogText "Result: no package audit tool found"
- else
+ else
Display --indent 2 --text "- Checking package audit tool" --result INSTALLED --color GREEN
Display --indent 4 --text "Found: ${PACKAGE_AUDIT_TOOL}"
LogText "Result: found package audit tool: ${PACKAGE_AUDIT_TOOL}"
@@ -1158,7 +1221,7 @@
#################################################################################
#
# Description : AIX patches
- # Notes : /usr/sbin/instfix -c -i | ${CUTBINARY} -d":" -f1
+ # Notes : ${ROOTDIR}usr/sbin/instfix -c -i | ${CUTBINARY} -d":" -f1
#
#################################################################################
#