Welcome to mirror list, hosted at ThFree Co, Russian Federation.

github.com/CISOfy/lynis.git - Unnamed repository; edit this file 'description' to name the repository.
summaryrefslogtreecommitdiff
path: root/include/tests_printers_spoolers
diff options
context:
space:
mode:
authorMichael Boelen <michael.boelen@cisofy.com>2020-04-02 14:20:06 +0300
committerMichael Boelen <michael.boelen@cisofy.com>2020-04-02 14:20:06 +0300
commitca6fc134ddee6b408bf1381a4346b15b0791c8ab (patch)
tree1ccb4e96fcc8fa7eca067b965b585f90f3c307c6 /include/tests_printers_spoolers
parent4fe1cb92a56f6e008d9bd040f4a0f2c1116fb333 (diff)
Renamed spools to spoolers
Diffstat (limited to 'include/tests_printers_spoolers')
-rw-r--r--include/tests_printers_spoolers289
1 files changed, 289 insertions, 0 deletions
diff --git a/include/tests_printers_spoolers b/include/tests_printers_spoolers
new file mode 100644
index 00000000..18c48beb
--- /dev/null
+++ b/include/tests_printers_spoolers
@@ -0,0 +1,289 @@
+#!/bin/sh
+
+#################################################################################
+#
+# Lynis
+# ------------------
+#
+# Copyright 2007-2013, Michael Boelen
+# Copyright 2007-2020, CISOfy
+#
+# Website : https://cisofy.com
+# Blog : http://linux-audit.com
+# GitHub : https://github.com/CISOfy/lynis
+#
+# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
+# welcome to redistribute it under the terms of the GNU General Public License.
+# See LICENSE file for usage of this software.
+#
+#################################################################################
+#
+# Printers and spools
+#
+#################################################################################
+#
+ CUPSD_CONFIG_LOCS="${ROOTDIR}etc/cups ${ROOTDIR}usr/local/etc/cups ${ROOTDIR}private/etc/cups"
+ CUPSD_CONFIG_FILE=""
+ CUPSD_RUNNING=0
+ CUPSD_FOUND=0
+ LPD_RUNNING=0
+ PRINTING_DAEMON=""
+ QDAEMON_CONFIG_ENABLED=0
+ QDAEMON_CONFIG_FILE=""
+ QDAEMON_RUNNING=0
+#
+#################################################################################
+#
+ InsertSection "Printers and Spools"
+#
+#################################################################################
+#
+ # Test : PRNT-2302
+ # Description : Check printcap file consistency
+ Register --test-no PRNT-2302 --os FreeBSD --weight L --network NO --category security --description "Check for printcap consistency"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ LogText "Test: Searching /usr/sbin/chkprintcap"
+ if [ ! -f ${ROOTDIR}usr/sbin/chkprintcap ]; then
+ Display --indent 2 --text "- Checking chkprintcap" --result "${STATUS_NOT_FOUND}" --color WHITE
+ LogText "Result: ${ROOTDIR}usr/sbin/chkprintcap NOT found, test skipped"
+ else
+ LogText "Result: ${ROOTDIR}usr/sbin/chkprintcap found"
+ FIND=$(${ROOTDIR}usr/sbin/chkprintcap > /dev/null ; echo $?)
+ # Only an exit code of zero should come back. Use string instead of integer, due unexpected trash
+ if [ "${FIND}" = "0" ]; then
+ Display --indent 2 --text "- Integrity check of printcap file" --result "${STATUS_OK}" --color GREEN
+ LogText "Result: chkprintcap did NOT gave any warnings"
+ else
+ Display --indent 2 --text "- Integrity check of printcap file" --result "${STATUS_WARNING}" --color RED
+ ReportSuggestion "${TEST_NO}" "Run chkprintcap manually to test printcap file"
+ LogText "Output from chkprintcap: ${FIND}"
+ LogText "Run chkprintcap and check the ${ROOTDIR}etc/printcap file"
+ fi
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : PRNT-2304
+ # Description : Check cupsd status
+ Register --test-no PRNT-2304 --weight L --network NO --category security --description "Check cupsd status"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ LogText "Test: Checking cupsd status"
+ if IsRunning "cupsd"; then
+ Display --indent 2 --text "- Checking cups daemon" --result "${STATUS_RUNNING}" --color GREEN
+ LogText "Result: cups daemon running"
+ CUPSD_RUNNING=1; PRINTING_DAEMON="cups"
+ else
+ Display --indent 2 --text "- Checking cups daemon" --result "${STATUS_NOT_FOUND}" --color WHITE
+ LogText "Result: cups daemon not running, cups daemon tests skipped"
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : PRNT-2306
+ # Description : Check CUPSd configuration file
+ if [ ${CUPSD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ Register --test-no PRNT-2306 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check CUPSd configuration file"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ LogText "Test: Searching cupsd configuration file"
+ for DIR in ${CUPSD_CONFIG_LOCS}; do
+ if [ -f ${DIR}/cupsd.conf ]; then
+ if FileIsReadable ${DIR}/cupsd.conf; then
+ CUPSD_CONFIG_FILE="${DIR}/cupsd.conf"
+ LogText "Result: found ${CUPSD_CONFIG_FILE}"
+ fi
+ fi
+ done
+ if HasData "${CUPSD_CONFIG_FILE}"; then
+ Display --indent 2 --text "- Checking CUPS configuration file" --result "${STATUS_OK}" --color GREEN
+ LogText "Result: configuration file found (${CUPSD_CONFIG_FILE})"
+ CUPSD_FOUND=1
+ else
+ Display --indent 2 --text "- Checking CUPS configuration file" --result "${STATUS_NOT_FOUND}" --color RED
+ LogText "Result: configuration file not found"
+ LogText "Development: no CUPS configuration file found"
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : PRNT-2307
+ # Description : Check CUPSd configuration file permissions
+ # TODO : Add function
+ if [ ${CUPSD_FOUND} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ Register --test-no PRNT-2307 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check CUPSd configuration file permissions"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ LogText "Test: Checking CUPS configuration file permissions"
+ FIND=$(${LSBINARY} -l ${CUPSD_CONFIG_FILE} | ${CUTBINARY} -c 2-10)
+ LogText "Result: found ${FIND}"
+ case "${FIND}" in
+ r[w-]-[r-][w-]---- )
+ Display --indent 4 --text "- File permissions" --result "${STATUS_OK}" --color GREEN
+ AddHP 1 1
+ ;;
+ * )
+ Display --indent 4 --text "- File permissions" --result "${STATUS_WARNING}" --color RED
+ ReportSuggestion "${TEST_NO}" "Access to CUPS configuration could be more strict."
+ AddHP 1 2
+ ;;
+ esac
+ fi
+#
+#################################################################################
+#
+ # Test : PRNT-2308
+ # Description : Check CUPS daemon network configuration
+ # Notes : Listen and SSLListen can be used
+ if [ ${CUPSD_FOUND} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ Register --test-no PRNT-2308 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check CUPSd network configuration"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ FOUND=0
+ # Checking network addresses
+ LogText "Test: Checking CUPS daemon listening network addresses"
+ FIND=$(${EGREPBINARY} "^(SSL)?Listen" ${CUPSD_CONFIG_FILE} | ${GREPBINARY} -v "/" | ${AWKBINARY} '{ print $2 }')
+ COUNT=0
+ for ITEM in ${FIND}; do
+ LogText "Found network address: ${ITEM}"
+ COUNT=$((COUNT + 1))
+ FOUND=1
+ done
+
+ # Check if daemon is only running on localhost
+ if [ ${FOUND} -eq 0 ]; then
+ LogText "Result: no listen statement found in CUPS configuration file"
+ elif [ ${COUNT} -eq 1 ]; then
+ if [ "${FIND}" = "localhost:631" -o "${FIND}" = "127.0.0.1:631" ]; then
+ LogText "Result: CUPS daemon only running on localhost"
+ AddHP 2 2
+ else
+ LogText "Result: CUPS daemon running on one or more interfaces (not limited to localhost)"
+ ReportSuggestion "${TEST_NO}" "Check CUPS configuration if it really needs to listen on the network"
+ AddHP 1 2
+ fi
+ else
+ LogText "Result: CUPS daemon is running on several network addresses"
+ ReportSuggestion "${TEST_NO}" "Check CUPS configuration if it really needs to run on several network addresses"
+ AddHP 1 2
+ fi
+
+ # Checking sockets
+ LogText "Test: Checking cups daemon listening sockets"
+ FIND=$(${GREPBINARY} "^Listen" ${CUPSD_CONFIG_FILE} | ${GREPBINARY} "/" | ${AWKBINARY} '{ print $2 }')
+ for ITEM in ${FIND}; do
+ LogText "Found socket address: ${ITEM}"
+ COUNT=$((COUNT + 1))
+ done
+
+ if [ ${COUNT} -eq 0 ]; then
+ Display --indent 2 --text "- Checking CUPS addresses/sockets" --result "${STATUS_NONE}" --color WHITE
+ LogText "Result: no addresses found on which CUPS daemon is listening"
+ else
+ Display --indent 2 --text "- Checking CUPS addresses/sockets" --result "${STATUS_FOUND}" --color GREEN
+ LogText "Result: CUPS daemon is listening on network/socket"
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : PRNT-2314
+ # Description : Check lpd status
+ Register --test-no PRNT-2314 --weight L --network NO --category security --description "Check lpd status"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ LogText "Test: Checking lpd status"
+ if IsRunning "lpd"; then
+ Display --indent 2 --text "- Checking lp daemon" --result "${STATUS_RUNNING}" --color GREEN
+ LogText "Result: lp daemon running"
+ LPD_RUNNING=1; PRINTING_DAEMON="lp"
+ else
+ Display --indent 2 --text "- Checking lp daemon" --result "${STATUS_NOT_RUNNING}" --color WHITE
+ LogText "Result: lp daemon not running"
+ AddHP 4 4
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : PRNT-2316
+ # Description : Check /etc/qconfig file
+ Register --test-no PRNT-2316 --os AIX --weight L --network NO --category security --description "Checking /etc/qconfig file"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ LogText "Test: Checking ${ROOTDIR}etc/qconfig"
+ QDAEMON_CONFIG_FILE="${ROOTDIR}etc/qconfig"
+ FileIsReadable ${QDAEMON_CONFIG_FILE}
+ if [ ${CANREAD} -eq 1 ]; then
+ FIND=$(${GREPBINARY} -v "^\*" ${QDAEMON_CONFIG_FILE} | ${EGREPBINARY} "backend|device")
+ if [ -n "${FIND}" ]; then
+ LogText "Result: printers are defined in ${QDAEMON_CONFIG_FILE}"
+ Display --indent 2 --text "- Checking /etc/qconfig file" --result "${STATUS_FOUND}" --color GREEN
+ QDAEMON_CONFIG_ENABLED=1
+ else
+ LogText "Result: ${QDAEMON_CONFIG_FILE} is empty. No printers are defined"
+ Display --indent 2 --text "- Checking /etc/qconfig file" --result EMPTY --color WHITE
+ fi
+ else
+ LogText "Result: Can not read ${QDAEMON_CONFIG_FILE} (no permission)"
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : PRNT-2418
+ # Description : Check qdaemon printer spooler status
+ Register --test-no PRNT-2418 --os AIX --weight L --network NO --category security --description "Checking qdaemon printer spooler status"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ LogText "Test: Checking qdaemon status"
+ if IsRunning "qdaemon"; then
+ LogText "Result: qdaemon daemon running"
+ Display --indent 2 --text "- Checking qdaemon daemon" --result "${STATUS_RUNNING}" --color GREEN
+ QDAEMON_RUNNING=1; PRINTING_DAEMON="qdaemon"
+ else
+ if [ ${QDAEMON_CONFIG_ENABLED} -eq 1 ]; then
+ LogText "Result: qdaemon daemon not running"
+ Display --indent 2 --text "- Checking qdaemon daemon" --result "${STATUS_NOT_RUNNING}" --color RED
+ ReportSuggestion "${TEST_NO}" "Activate print spooler daemon (qdaemon) in order to process print jobs"
+ else
+ LogText "Result: qdaemon daemon not running"
+ Display --indent 2 --text "- Checking qdaemon daemon" --result "${STATUS_NOT_RUNNING}" --color WHITE
+ fi
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : PRNT-2420
+ # Description : Checking old print jobs
+ Register --test-no PRNT-2420 --os AIX --weight L --network NO --category security --description "Checking old print jobs"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ LogText "Test: Checking old print jobs"
+ DirectoryExists ${ROOTDIR}var/spool/lpd/qdir
+ if [ ${DIRECTORY_FOUND} -eq 1 ]; then
+ FIND=$(find ${ROOTDIR}var/spool/lpd/qdir -type f -mtime +1 2> /dev/null | ${SEDBINARY} 's/ /!space!/g')
+ if HasData "${FIND}"; then
+ COUNT=0
+ for ITEM in ${FIND}; do
+ FILE=$(echo ${ITEM} | ${SEDBINARY} 's/!space!/ /g')
+ LogText "Found old print job: ${FILE}"
+ COUNT=$((COUNT + 1))
+ done
+ LogText "Result: Found ${COUNT} old print jobs in /var/spool/lpd/qdir"
+ Display --indent 4 --text "- Checking old print jobs" --result "${STATUS_FOUND}" --color YELLOW
+ ReportSuggestion "${TEST_NO}" "Check old print jobs in /var/spool/lpd/qdir to prevent new jobs from being processed"
+ LogText "Risk: Failed or defunct print jobs can occupy a lot of space and in some cases, prevent new jobs from being processed"
+ else
+ LogText "Result: Old print jobs not found in /var/spool/lpd/qdir"
+ Display --indent 4 --text "- Checking old print jobs" --result "${STATUS_NONE}" --color GREEN
+ fi
+ fi
+ fi
+#
+#################################################################################
+#
+
+if [ -n "${PRINTING_DAEMON}" ]; then Report "printing_daemon=${PRINTING_DAEMON}"; fi
+
+WaitForKeyPress
+
+#
+#================================================================================
+# Lynis - Security Auditing and System Hardening for Linux and UNIX - https://cisofy.com
generated by cgit v1.2.3 (git 2.25.1) at 2024-05-19 09:24:27 +0300