diff options
author | mboelen <michael@cisofy.com> | 2014-08-26 19:33:55 +0400 |
---|---|---|
committer | mboelen <michael@cisofy.com> | 2014-08-26 19:33:55 +0400 |
commit | c0ae2e217b7f1fb0171017ce5afb8eb8898470db (patch) | |
tree | 545aa150c35c5fb74d7bb4c2d3b0ae41cfa7b4e5 /include/tests_shells |
Initial import
Diffstat (limited to 'include/tests_shells')
-rw-r--r-- | include/tests_shells | 216 |
1 files changed, 216 insertions, 0 deletions
diff --git a/include/tests_shells b/include/tests_shells new file mode 100644 index 00000000..e1e1cdbe --- /dev/null +++ b/include/tests_shells @@ -0,0 +1,216 @@ +#!/bin/sh + +################################################################################# +# +# Lynis +# ------------------ +# +# Copyright 2007-2014, Michael Boelen (michael@rootkit.nl), The Netherlands +# Web site: http://www.rootkit.nl +# +# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are +# welcome to redistribute it under the terms of the GNU General Public License. +# See LICENSE file for usage of this software. +# +################################################################################# +# +# Shells +# +################################################################################# +# + IDLE_TIMEOUT=0 + InsertSection "Shells" +# +################################################################################# +# + # bash + # Files (interactive login shells): /etc/profile $HOME/.bash_profile + # $HOME/.bash_login $HOME/.profile + # Files (interactive non-login shells): $HOME/.bash_rc + + # csh/tcsh + # Files: /etc/csh.cshrc /etc/csh.login + # zsh + # Files: /etc/zshenv /etc/zsh/zshenv $HOME/.zshenv /etc/zprofile + # /etc/zsh/zprofile $HOME/.zprofile /etc/zshrc /etc/zsh/zshrc + # $ZDOTDIR/.zshrc /etc/zlogin /etc/zsh/zlogin + + SHELL_LOGIN_FILES="/etc/csh.cshrc /etc/csh.login /etc/zshenv /etc/zsh/zshenv + /etc/zprofile /etc/zsh/zprofile /etc/zshrc /etc/zsh/zshrc + /etc/zlogin /etc/zsh/zlogin" +# +################################################################################# +# + + # Test : SHLL-6202 + # Description : check all console TTYs in which root user can enter single user mode without password + Register --test-no SHLL-6202 --os FreeBSD --weight L --network NO --description "Check console TTYs" + if [ ${SKIPTEST} -eq 0 ]; then + logtext "Test: Checking console TTYs..." + FIND=`cat /etc/ttys | egrep '^console' | grep -v 'insecure'` + if [ "${FIND}" = "" ]; then + Display --indent 2 --text "- Checking console TTYs... " --result OK --color GREEN + logtext "Result: console is secured against single user mode without password." + else + Display --indent 2 --text "- Checking console TTYs... " --result WARNING --color RED + logtext "Result: Found insecure console in /etc/ttys. Single user mode login without password allowed!" + logtext "Output /etc/ttys:" + logtext "${FIND}" + ReportWarning ${TEST_NO} "M" "Found unprotected console in /etc/ttys" + #ReportSuggestion ${TEST_NO} "Change the console line from 'secure' to 'insecure'." + fi + fi +# +################################################################################# +# + # Test : SHLL-6214 + # Description : check for idle session killing tools (timeoutd) + + +# +################################################################################# +# + # Test : SHLL-6211 + # Description : which shells are available according /etc/shells + Register --test-no SHLL-6211 --weight L --network NO --description "Checking available and valid shells" + if [ ${SKIPTEST} -eq 0 ]; then + logtext "Test: Searching for /etc/shells..." + if [ -f /etc/shells ]; then + logtext "Result: Found /etc/shells file" + logtext "Test: Reading available shells from /etc/shells" + SSHELLS=`cat /etc/shells | grep "^/"` + CSSHELLS=0; CSSHELLS_ALL=0 + Display --indent 2 --text "- Checking shells from /etc/shells..." + for I in ${SSHELLS}; do + CSSHELLS_ALL=`expr ${CSSHELLS_ALL} + 1` + report "available_shell[]=${I}" + # YYY add check for symlinked shells + if [ -f ${I} ]; then + logtext "Found installed shell: ${I}" + CSSHELLS=`expr ${CSSHELLS} + 1` + else + logtext "Shell ${I} not installed. Probably a dummy or non existing shell." + fi + done + Display --indent 4 --text "Result: found ${CSSHELLS_ALL} shells (valid shells: ${CSSHELLS})." + else + logtext "Result: /etc/shells not found, skipping test" + fi + fi +# +################################################################################# +# + # Test : SHLL-6220 + # Description : check for idle session killing tools or settings + Register --test-no SHLL-6220 --weight L --network NO --description "Checking available and valid shells" + if [ ${SKIPTEST} -eq 0 ]; then + logtext "Test: Search for session timeout tools or settings in shell" + IsRunning timeoutd + if [ ${RUNNING} -eq 1 ]; then + IDLE_TIMEOUT=1 + logtext "Result: found timeoutd process to kill idle sesions" + report="session_timeout_method=timeout daemon" + fi + IsRunning autolog + if [ ${RUNNING} -eq 1 ]; then + IDLE_TIMEOUT=1 + logtext "Result: found autolog process to kill idle sesions" + report="session_timeout_method[]=autolog" + fi + + if [ -f /etc/profile ]; then + FIND=`cat /etc/profile | grep '\(export[ \t]*\)\?TMOUT=' | tr -d ' ' | tr -d '\t' | grep -v "^#" | sed 's/export//' | sed 's/#.*//'` + if [ ! "${FIND}" = "" ]; then + N=0; IDLE_TIMEOUT=1 + for I in ${FIND}; do + logtext "Output: ${I}" + N=`expr ${N} + 1` + done + if [ ${N} -eq 1 ]; then + logtext "Result: found TMOUT value configured in /etc/profile" + else + logtext "Result: found several TMOUT values configured in /etc/profile" + fi + report "session_timeout_method[]=profile" + else + logtext "Result: could not find TMOUT setting in /etc/profile" + fi + else + logtext "Result: skip /etc/profile test, file not available on this system" + fi + + if [ -d /etc/profile.d ]; then + FIND=`cat /etc/profile.d/*.sh 2> /dev/null | grep '\(export[ \t]*\)\?TMOUT=' | tr -d ' ' | tr -d '\t' | grep -v "^#" | sed 's/export//' | sed 's/#.*//'` + if [ ! "${FIND}" = "" ]; then + N=0; IDLE_TIMEOUT=1 + for I in ${FIND}; do + logtext "Output: ${I}" + N=`expr ${N} + 1` + done + if [ ${N} -eq 1 ]; then + logtext "Result: found TMOUT value configured in one of the files in /etc/profile.d directory" + else + logtext "Result: found several TMOUT values configured in one of the files in /etc/profile.d directory" + fi + report "session_timeout_method[]=profile" + else + logtext "Result: could not find TMOUT setting in /etc/profile.d/*.sh" + fi + else + logtext "Result: skip /etc/profile.d directory test, directory not available on this system" + fi + + if [ ${IDLE_TIMEOUT} -eq 1 ]; then + Display --indent 4 --text "- Session timeout settings/tools" --result "FOUND" --color GREEN + AddHP 3 3 + else + Display --indent 4 --text "- Session timeout settings/tools" --result "NONE" --color YELLOW + AddHP 1 3 + fi + fi +# +################################################################################# +# + # Test : SHLL-6236 + # Description : Check /etc/profile +# +################################################################################# +# + + # Test : SHLL-6240 + # Description : Check default umask +# Register --test-no SHLL-6240 --weight L --network NO --description "Check default umask" +# if [ ${SKIPTEST} -eq 0 ]; then +# logtext "Test: Checking /etc/profile..." +# if [ -f /etc/profile ]; then +# FIND=`grep "^umask" | awk '{ print $2 }'` +# if [ "${FIND}" = "" ]; then +# logtext "Result: xxx" +# Display --indent 2 --text "- Checking default umask... " --result OK --color GREEN +# else +# logtext "Result: xxx" +# Display --indent 2 --text "- Checking default umask... " --result WARNING --color RED +# #ReportWarning ${TEST_NO} "M" "xxx" +# #ReportSuggestion ${TEST_NO} "xxx" +# fi +# fi +# fi +# +################################################################################# +# + # Test : SHLL-6250 + # Description : Check /etc/bash.bashrc +# Register --test-no SHLL-6250 --weight L --network NO --description "Check default umask" +# if [ ${SKIPTEST} -eq 0 ]; then +# +################################################################################# +# + +report "session_timeout_enabled=${IDLE_TIMEOUT}" + + +wait_for_keypress + +# +#================================================================================ +# Lynis - Copyright 2007-2014, Michael Boelen - www.rootkit.nl - The Netherlands |