diff options
author | mboelen <michael@cisofy.com> | 2014-08-26 19:33:55 +0400 |
---|---|---|
committer | mboelen <michael@cisofy.com> | 2014-08-26 19:33:55 +0400 |
commit | c0ae2e217b7f1fb0171017ce5afb8eb8898470db (patch) | |
tree | 545aa150c35c5fb74d7bb4c2d3b0ae41cfa7b4e5 /include/tests_scheduling |
Initial import
Diffstat (limited to 'include/tests_scheduling')
-rw-r--r-- | include/tests_scheduling | 234 |
1 files changed, 234 insertions, 0 deletions
diff --git a/include/tests_scheduling b/include/tests_scheduling new file mode 100644 index 00000000..be3ced5d --- /dev/null +++ b/include/tests_scheduling @@ -0,0 +1,234 @@ +#!/bin/sh + +################################################################################# +# +# Lynis +# ------------------ +# +# Copyright 2007-2014, Michael Boelen (michael@rootkit.nl), The Netherlands +# Web site: http://www.rootkit.nl +# +# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are +# welcome to redistribute it under the terms of the GNU General Public License. +# See LICENSE file for usage of this software. +# +################################################################################# +# +# Scheduled tasks +# +################################################################################# +# + InsertSection "Scheduled tasks" +# +################################################################################# +# + ATD_RUNNING=0 +# +################################################################################# +# + # Test : SCHD-7704 + # Description : Check crontab / cronjobs + Register --test-no SCHD-7704 --weight L --network NO --description "Check crontab/cronjobs" + if [ ${SKIPTEST} -eq 0 ]; then + FindCronJob() + { + sCRONJOBS=`egrep '^([0-9*])' $1 | tr '\t' ' ' | tr -s ' ' | tr ' ' ','` + } + + if [ -f /etc/crontab ]; then + FindCronJob /etc/crontab + for I in ${sCRONJOBS}; do + logtext "Found cronjob (/etc/crontab): ${I}" + report "cronjob[]=${I}" + done + fi + + CRON_DIRS="/etc/cron.d" + for I in ${CRON_DIRS}; do + logtext "Test: checking directory ${I}" + if [ -d ${I} ]; then + logtext "Result: found directory ${I}" + logtext "Test: searching files in ${I}" + FIND=`find ${I} -type f -print` + if [ "${FIND}" = "" ]; then + logtext "Result: no files found in ${I}" + else + logtext "Result: found one or more files in ${I}. Analyzing files.." + for J in ${FIND}; do + FindCronJob ${J} + for K in ${sCRONJOBS}; do + logtext "Result: Found cronjob (${I}): ${K}" + done + done + logtext "Result: done with analyzing files in ${I}" + fi + else + logtext "Result: directory ${I} does not exist" + fi + done + + CRON_DIRS="/etc/cron.hourly /etc/cron.daily /etc/cron.weekly /etc/cron.monthly" + for I in ${CRON_DIRS}; do + logtext "Test: checking directory ${I}" + if [ -d ${I} ]; then + logtext "Result: found directory ${I}" + logtext "Test: searching files in ${I}" + FIND=`find ${I} -type f -print | grep -v ".placeholder"` + if [ "${FIND}" = "" ]; then + logtext "Result: no files found in ${I}" + else + logtext "Result: found one or more files in ${I}. Analyzing files.." + for J in ${FIND}; do + logtext "Result: Found cronjob (${I}): ${J}" + report "cronjob[]=${J}" + done + logtext "Result: done with analyzing files in ${I}" + fi + else + logtext "Result: directory ${I} does not exist" + fi + done + + # /var/spool/cron/* and /var/spool/cron/crontabs/* + # Search only in one tree, to avoid searching the tree twice + if [ -d /var/spool/cron/crontabs ]; then + FIND=`find /var/spool/cron/crontabs -type f -print` + for I in ${FIND}; do + FindCronJob ${I} + for J in ${sCRONJOBS}; do + logtext "Found cronjob (/var/spool/cron/crontabs): ${I} (${J})" + report "cronjob[]=${I}" + done + done + else + if [ -d /var/spool/cron ]; then + FIND=`find /var/spool/cron -type f -print` + for I in ${FIND}; do + FindCronJob ${I} + for J in ${sCRONJOBS}; do + logtext "Found cronjob (/var/spool/cron): ${I} (${J})" + logtext "cronjob[]=${I}" + done + done + fi + fi + + # Anacron + if [ "${OS}" = "Linux" ]; then + if [ -f /etc/anacrontab ]; then + logtext "Test: checking anacrontab" + sANACRONJOBS=`egrep '^([0-9@])' /etc/anacrontab | tr '\t' ' ' | tr -s ' ' | tr ' ' ','` + for J in ${sANACRONJOBS}; do + logtext "Found anacron job (/etc/anacrontab): ${J}" + report "cronjob[]=${J}" + done + fi + fi + + Display --indent 2 --text "- Checking crontab/cronjob" --result DONE --color GREEN + fi +# +################################################################################# +# + # Test : SCHD-7718 + # Description : Check atd status + Register --test-no SCHD-7718 --weight L --network NO --description "Check at users" + if [ ${SKIPTEST} -eq 0 ]; then + logtext "Test: Checking atd status" + FIND=`${PSBINARY} ax | grep "/atd" | grep -v "grep"` + if [ ! "${FIND}" = "" ]; then + logtext "Result: at daemon active" + Display --indent 2 --text "- Checking atd status" --result RUNNING --color GREEN + ATD_RUNNING=1 + else + logtext "Result: at daemon not active" + Display --indent 2 --text "- Checking atd status" --result "NOT RUNNING" --color WHITE + fi + fi +# +################################################################################# +# + # Test : SCHD-7720 + # Description : Check at users + # Notes : if at.allow exists, only users listed can schedule at jobs + # if at.allow does not exist, but at.deny does, everyone + # except the listed ones can schedule jobs. If both can't be + # found, only root can schedule jobs. + if [ ${ATD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + Register --test-no SCHD-7720 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check at users" + if [ ${SKIPTEST} -eq 0 ]; then + AT_UNKNOWN=0 + case ${OS} in + FreeBSD) AT_ALLOW="/var/at/at.allow"; AT_DENY="/var/at/at.deny" ;; + HPUX) AT_ALLOW="/usr/lib/cron/at.allow"; AT_DENY="/usr/lib/cron/at.deny" ;; + Linux) AT_ALLOW="/etc/at.allow"; AT_DENY="/etc/at.deny" ;; + OpenBSD) AT_ALLOW="/var/cron/at.allow"; AT_DENY="/var/cron/at.deny" ;; + SunOS) AT_ALLOW="/etc/cron.d/at.allow"; AT_DENY="/etc/cron.d/at.deny" ;; + *) AT_UNKNOWN=1; logtext "Test skipped, files for at unknown" ;; + esac + if [ ${AT_UNKNOWN} -eq 0 ]; then + logtext "Test: checking for file ${AT_ALLOW}" + if [ -f ${AT_ALLOW} ]; then + logtext "Result: file ${AT_ALLOW} exists, only listed users can schedule at jobs" + FIND=`cat ${AT_ALLOW} | sort` + if [ "${FIND}" = "" ]; then + logtext "Result: File empty, no users are allowed to schedule at jobs" + else + for I in ${FIND}; do + logtext "Allowed at user: ${I}" + done + fi + else + logtext "Result: file ${AT_ALLOW} does not exist" + logtext "Test: checking for file ${AT_DENY}" + if [ -f ${AT_DENY} ]; then + logtext "Result: file ${AT_DENY} exists, only non listed users can schedule at jobs" + FIND=`cat ${AT_DENY} | sort` + if [ "${FIND}" = "" ]; then + logtext "Result: file is empty, no users are denied access to schedule jobs" + else + for I in ${FIND}; do + logtext "Denied at user: ${I}" + done + fi + else + logtext "Result: both ${AT_ALLOW} and ${AT_DENY} do not exist" + logtext "Note: only root can schedule at jobs" + fi + fi + Display --indent 4 --text "- Checking at users" --result DONE --color GREEN + else + Display --indent 4 --text "- Checking at users" --result SKIPPED --color YELLOW + fi + fi +# +################################################################################# +# + # Test : SCHD-7724 + # Description : Check scheduled at jobs + if [ ${ATD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + Register --test-no SCHD-7724 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check at jobs" + if [ ${SKIPTEST} -eq 0 ]; then + logtext "Test: Check scheduled at jobs" + FIND=`atq | grep -v "no files in queue" | ${AWKBINARY} '{gsub("\t"," ");print}' | sed 's/ /!space!/g'` + if [ ! "${FIND}" = "" ]; then + logtext "Result: found one or more jobs" + for I in ${FIND}; do + I=`echo ${I} | sed 's/!space!/ /g'` + logtext "Found at job: ${I}" + done + Display --indent 4 --text "- Checking at jobs" --result FOUND --color GREEN + else + logtext "Result: no pending at jobs" + Display --indent 4 --text "- Checking at jobs" --result NONE --color GREEN + fi + fi +# +################################################################################# +# + +wait_for_keypress + +# +#================================================================================ +# Lynis - Copyright 2007-2014, Michael Boelen - www.rootkit.nl - The Netherlands |