diff options
| author | mboelen <michael@cisofy.com> | 2015-12-21 23:17:15 +0300 |
|---|---|---|
| committer | mboelen <michael@cisofy.com> | 2015-12-21 23:17:15 +0300 |
| commit | d16b38eff83a8dca405e21e1c34205289f3d0832 (patch) | |
| tree | d9db1eac3d4ead003f0e1b4fbfbabf0ddeb66c1e /include/tests_shells | |
| parent | 83a44827e03543146e39c37c33f14ebca6f40a29 (diff) | |
Rename of logtext and report functions, upcoming year change
Diffstat (limited to 'include/tests_shells')
| -rw-r--r-- | include/tests_shells | 170 |
1 files changed, 85 insertions, 85 deletions
diff --git a/include/tests_shells b/include/tests_shells index 64de5921..024eb972 100644 --- a/include/tests_shells +++ b/include/tests_shells @@ -5,7 +5,7 @@ # Lynis # ------------------ # -# Copyright 2007-2015, Michael Boelen (michael.boelen@cisofy.com) +# Copyright 2007-2016, Michael Boelen (michael.boelen@cisofy.com) # Web site: https://cisofy.com # # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are @@ -46,18 +46,18 @@ # Description : check all console TTYs in which root user can enter single user mode without password Register --test-no SHLL-6202 --os FreeBSD --weight L --network NO --description "Check console TTYs" if [ ${SKIPTEST} -eq 0 ]; then - logtext "Test: Checking console TTYs" + LogText "Test: Checking console TTYs" FIND=`egrep '^console' /etc/ttys | grep -v 'insecure'` if [ "${FIND}" = "" ]; then Display --indent 2 --text "- Checking console TTYs" --result OK --color GREEN - logtext "Result: console is secured against single user mode without password." + LogText "Result: console is secured against single user mode without password." else Display --indent 2 --text "- Checking console TTYs" --result WARNING --color RED - logtext "Result: Found insecure console in /etc/ttys. Single user mode login without password allowed!" - logtext "Output /etc/ttys:" - logtext "${FIND}" + LogText "Result: Found insecure console in /etc/ttys. Single user mode login without password allowed!" + LogText "Output /etc/ttys:" + LogText "${FIND}" ReportWarning ${TEST_NO} "M" "Found unprotected console in /etc/ttys" - logtext "Possible solution: Change the console line from 'secure' to 'insecure'." + LogText "Possible solution: Change the console line from 'secure' to 'insecure'." fi fi # @@ -67,27 +67,27 @@ # Description : which shells are available according /etc/shells Register --test-no SHLL-6211 --weight L --network NO --description "Checking available and valid shells" if [ ${SKIPTEST} -eq 0 ]; then - logtext "Test: Searching for /etc/shells" + LogText "Test: Searching for /etc/shells" if [ -f /etc/shells ]; then - logtext "Result: Found /etc/shells file" - logtext "Test: Reading available shells from /etc/shells" + LogText "Result: Found /etc/shells file" + LogText "Test: Reading available shells from /etc/shells" SSHELLS=`grep "^/" /etc/shells` CSSHELLS=0; CSSHELLS_ALL=0 Display --indent 2 --text "- Checking shells from /etc/shells" for I in ${SSHELLS}; do CSSHELLS_ALL=`expr ${CSSHELLS_ALL} + 1` - report "available_shell[]=${I}" + Report "available_shell[]=${I}" # YYY add check for symlinked shells if [ -f ${I} ]; then - logtext "Found installed shell: ${I}" + LogText "Found installed shell: ${I}" CSSHELLS=`expr ${CSSHELLS} + 1` else - logtext "Shell ${I} not installed. Probably a dummy or non existing shell." + LogText "Shell ${I} not installed. Probably a dummy or non existing shell." fi done Display --indent 4 --text "Result: found ${CSSHELLS_ALL} shells (valid shells: ${CSSHELLS})." else - logtext "Result: /etc/shells not found, skipping test" + LogText "Result: /etc/shells not found, skipping test" fi fi # @@ -97,18 +97,18 @@ # Description : check for idle session killing tools or settings Register --test-no SHLL-6220 --weight L --network NO --description "Checking available and valid shells" if [ ${SKIPTEST} -eq 0 ]; then - logtext "Test: Search for session timeout tools or settings in shell" + LogText "Test: Search for session timeout tools or settings in shell" IsRunning timeoutd if [ ${RUNNING} -eq 1 ]; then IDLE_TIMEOUT=1 - logtext "Result: found timeoutd process to kill idle sesions" - report="session_timeout_method=timeout daemon" + LogText "Result: found timeoutd process to kill idle sesions" + Report="session_timeout_method=timeout daemon" fi IsRunning autolog if [ ${RUNNING} -eq 1 ]; then IDLE_TIMEOUT=1 - logtext "Result: found autolog process to kill idle sesions" - report="session_timeout_method[]=autolog" + LogText "Result: found autolog process to kill idle sesions" + Report="session_timeout_method[]=autolog" fi if [ -f /etc/profile ]; then @@ -119,40 +119,40 @@ if [ ! "${FIND}" = "" ]; then N=0; IDLE_TIMEOUT=1 for I in ${FIND}; do - logtext "Output: ${I}" - report "session_timeout_value[]=${I}" + LogText "Output: ${I}" + Report "session_timeout_value[]=${I}" N=`expr ${N} + 1` done if [ ${N} -eq 1 ]; then - logtext "Result: found TMOUT value configured in /etc/profile" + LogText "Result: found TMOUT value configured in /etc/profile" else - logtext "Result: found several TMOUT values configured in /etc/profile" + LogText "Result: found several TMOUT values configured in /etc/profile" fi - report "session_timeout_method[]=profile" + Report "session_timeout_method[]=profile" else - logtext "Result: could not find TMOUT setting in /etc/profile" + LogText "Result: could not find TMOUT setting in /etc/profile" fi if [ ! "${FIND2}" = "" ]; then N=0; for I in ${FIND2}; do - logtext "Output: ${I}" + LogText "Output: ${I}" if [ "${I}" = "readonly" -o "${I}" = "typeset" ]; then N=`expr ${N} + 1` fi done if [ ${N} -gt 0 ]; then - logtext "Result: found readonly setting in /etc/profile (readonly or typeset -r)" - report "session_timeout_set_readonly=1" + LogText "Result: found readonly setting in /etc/profile (readonly or typeset -r)" + Report "session_timeout_set_readonly=1" else - logtext "Result: NO readonly setting found in /etc/profile (readonly or typeset -r)" - report "session_timeout_set_readonly=0" + LogText "Result: NO readonly setting found in /etc/profile (readonly or typeset -r)" + Report "session_timeout_set_readonly=0" fi else - logtext "Result: could not find export, readonly or typeset -r in /etc/profile" + LogText "Result: could not find export, readonly or typeset -r in /etc/profile" fi else - logtext "Result: skip /etc/profile test, file not available on this system" + LogText "Result: skip /etc/profile test, file not available on this system" fi if [ -d /etc/profile.d ]; then @@ -166,41 +166,41 @@ if [ ! "${FIND}" = "" ]; then N=0; IDLE_TIMEOUT=1 for I in ${FIND}; do - logtext "Output: ${I}" - report "session_timeout_value[]=${I}" + LogText "Output: ${I}" + Report "session_timeout_value[]=${I}" N=`expr ${N} + 1` done if [ ${N} -eq 1 ]; then - logtext "Result: found TMOUT value configured in one of the files in /etc/profile.d directory" + LogText "Result: found TMOUT value configured in one of the files in /etc/profile.d directory" else - logtext "Result: found several TMOUT values configured in one of the files in /etc/profile.d directory" + LogText "Result: found several TMOUT values configured in one of the files in /etc/profile.d directory" fi - report "session_timeout_method[]=profile" + Report "session_timeout_method[]=profile" else - logtext "Result: could not find TMOUT setting in /etc/profile.d/*.sh" + LogText "Result: could not find TMOUT setting in /etc/profile.d/*.sh" fi # Check for readonly if [ ! "${FIND2}" = "" ]; then N=0; for I in ${FIND2}; do - logtext "Output: ${I}" + LogText "Output: ${I}" if [ "${I}" = "readonly" -o "${I}" = "typeset" ]; then N=`expr ${N} + 1` fi done if [ ${N} -gt 0 ]; then - logtext "Result: found readonly setting in /etc/profile (readonly or typeset -r)" - report "session_timeout_set_readonly=1" + LogText "Result: found readonly setting in /etc/profile (readonly or typeset -r)" + Report "session_timeout_set_readonly=1" else - logtext "Result: NO readonly setting found in /etc/profile (readonly or typeset -r)" - report "session_timeout_set_readonly=0" + LogText "Result: NO readonly setting found in /etc/profile (readonly or typeset -r)" + Report "session_timeout_set_readonly=0" fi else - logtext "Result: could not find export, readonly or typeset -r in /etc/profile" + LogText "Result: could not find export, readonly or typeset -r in /etc/profile" fi fi else - logtext "Result: skip /etc/profile.d directory test, directory not available on this system" + LogText "Result: skip /etc/profile.d directory test, directory not available on this system" fi if [ ${IDLE_TIMEOUT} -eq 1 ]; then @@ -225,21 +225,21 @@ for FILE in ${SHELL_CONFIG_FILES}; do FIND="" if [ -f ${FILE} ]; then - logtext "Result: file ${FILE} exists" + LogText "Result: file ${FILE} exists" FOUND=1 FIND=`grep umask ${FILE} | sed 's/^[ \t]*//g' | sed 's/#.*$//' | grep -v "^$" | awk '{ print $2 }'` if [ "${FIND}" = "" ]; then - logtext "Result: did not find umask configured in ${FILE}" + LogText "Result: did not find umask configured in ${FILE}" Display --indent 4 --text "- Checking default umask in ${FILE}" --result NONE --color YELLOW else for UMASKVALUE in ${FIND}; do - logtext "Result: found umask ${UMASKVALUE} in ${FILE}" + LogText "Result: found umask ${UMASKVALUE} in ${FILE}" case ${UMASKVALUE} in 027|0027|077|0077) - logtext "Result: umask ${UMASKVALUE} is considered a properly hardened value" + LogText "Result: umask ${UMASKVALUE} is considered a properly hardened value" ;; *) - logtext "Result: umask ${UMASKVALUE} can be hardened " + LogText "Result: umask ${UMASKVALUE} can be hardened " HARDENING_POSSIBLE=1 ;; esac @@ -253,12 +253,12 @@ fi fi else - logtext "Result: file ${FILE} not found" + LogText "Result: file ${FILE} not found" fi done #if [ ${FOUND} -eq 1 ]; then # if [ ${HARDENING_POSSIBLE} -eq 0 ]; then - # logtext "Result: all shell files found, contain a proper umask" + # LogText "Result: all shell files found, contain a proper umask" # Display --indent 4 --text "- Default umask" --result OK --color GREEN # fi #fi @@ -272,117 +272,117 @@ if [ ${SKIPTEST} -eq 0 ]; then FOUND=0 #Display --indent 2 --text "- Testing for Shellshock vulnerability" - logtext "Test: Check if bash is in the list of shells." + LogText "Test: Check if bash is in the list of shells." if [ -f /etc/shells ]; then - logtext "Test: checking for bash shell in /etc/shells" + LogText "Test: checking for bash shell in /etc/shells" FIND=`egrep '(/usr)?(/local)?/bin/bash' /etc/shells | grep -v "^#" | head -1` else - logtext "Test: checking if bash is available via which command" + LogText "Test: checking if bash is available via which command" FIND=`which bash 2> /dev/null | head -1` fi - logtext "Result: command revealed ${FIND} as output" + LogText "Result: command revealed ${FIND} as output" if [ ! "${FIND}" = "" ]; then if [ -x "${FIND}" -a ! -L "${FIND}" ]; then - logtext "Result: found ${FIND} as a valid shell" + LogText "Result: found ${FIND} as a valid shell" SHELLSHOCK_TMP=`mktemp /tmp/lynis-shellshock-test.XXXXXXXXXX` || exit 1 # CVE-2014-6271 - logtext "Test: Check for first exploit (CVE-2014-6271)" + LogText "Test: Check for first exploit (CVE-2014-6271)" echo "env 'x=() { :;}; echo vulnerable' 'BASH_FUNC_x()=() { :;}; echo vulnerable' bash -c \"echo test\" 2>&1 | grep 'vulnerable'" > ${SHELLSHOCK_TMP} VULNERABLE=`${FIND} ${SHELLSHOCK_TMP} 2> /dev/null` rm -f ${SHELLSHOCK_TMP} if [ ! "${VULNERABLE}" = "" ]; then - logtext "Output: ${VULNERABLE}" - logtext "Result: Vulnerable to original shellshock (CVE-2014-6271)" + LogText "Output: ${VULNERABLE}" + LogText "Result: Vulnerable to original shellshock (CVE-2014-6271)" Display --indent 2 --text "- Shellshock: CVE-2014-6271 (original shellshocker)" --result "WARNING" --color RED FOUND=1 else - logtext "Result: Not vulnerable to original shellshock (CVE-2014-6271)" + LogText "Result: Not vulnerable to original shellshock (CVE-2014-6271)" #Display --indent 4 --text "- CVE-2014-6271 (original shellshocker)" --result "OK" --color GREEN fi # CVE-2014-6277 (disabled, as this test was giving too much false positives) # CVE-2014-6278 - logtext "Test: Check for CVE-2014-6278" + LogText "Test: Check for CVE-2014-6278" echo "shellshocker='() { echo vulnerable; }' bash -c shellshocker 2>/dev/null | grep 'vulnerable'" > ${SHELLSHOCK_TMP} VULNERABLE=`${FIND} ${SHELLSHOCK_TMP} 2> /dev/null` rm -f ${SHELLSHOCK_TMP} if [ ! "${VULNERABLE}" = "" ]; then - logtext "Output: ${VULNERABLE}" - logtext "Result: Vulnerable to CVE-2014-6278" + LogText "Output: ${VULNERABLE}" + LogText "Result: Vulnerable to CVE-2014-6278" Display --indent 2 --text "- Shellshock: CVE-2014-6278 (Florian's patch, lcamtuf bug #2)" --result "WARNING" --color RED FOUND=1 else - logtext "Result: Not vulnerable to CVE-2014-6278" + LogText "Result: Not vulnerable to CVE-2014-6278" #Display --indent 4 --text "- CVE-2014-6278 (Florian's patch, lcamtuf bug #2)" --result "OK" --color GREEN fi # CVE-2014-7169 - logtext "Test: Check for taviso bug CVE-2014-7169" + LogText "Test: Check for taviso bug CVE-2014-7169" echo "(cd /tmp; rm -f /tmp/echo; env X='() { (a)=>\' bash -c "echo echo nonvuln" 2>/dev/null; [[ \"\$(cat echo 2> /dev/null)\" == \"nonvuln\" ]] && echo \"vulnerable\" 2> /dev/null) | grep ' vulnerable'" > ${SHELLSHOCK_TMP} VULNERABLE=`${FIND} ${SHELLSHOCK_TMP} 2> /dev/null` rm -f ${SHELLSHOCK_TMP} if [ ! "${VULNERABLE}" = "" ]; then - logtext "Output: ${VULNERABLE}" - logtext "Result: Vulnerable to taviso bug (CVE-2014-7169)" + LogText "Output: ${VULNERABLE}" + LogText "Result: Vulnerable to taviso bug (CVE-2014-7169)" Display --indent 2 --text "- Shellshock: CVE-2014-7169 (taviso bug)" --result "WARNING" --color RED FOUND=1 else - logtext "Result: Not vulnerable to taviso bug (CVE-2014-7169)" + LogText "Result: Not vulnerable to taviso bug (CVE-2014-7169)" #Display --indent 4 --text "- CVE-2014-7169 (taviso bug)" --result "OK" --color GREEN fi # CVE-2014-7186 - logtext "Test: Check for CVE-2014-7186" + LogText "Test: Check for CVE-2014-7186" echo "(bash -c 'true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF' 2>/dev/null || echo \"vulnerable\") | grep 'vulnerable'" > ${SHELLSHOCK_TMP} VULNERABLE=`${FIND} ${SHELLSHOCK_TMP} 2> /dev/null` rm -f ${SHELLSHOCK_TMP} if [ ! "${VULNERABLE}" = "" ]; then - logtext "Output: ${VULNERABLE}" - logtext "Result: Vulnerable to CVE-2014-7186" + LogText "Output: ${VULNERABLE}" + LogText "Result: Vulnerable to CVE-2014-7186" Display --indent 2 --text "- Shellshock: CVE-2014-7186 redir_stack bug" --result "WARNING" --color RED FOUND=1 else - logtext "Result: Not vulnerable to CVE-2014-7186" + LogText "Result: Not vulnerable to CVE-2014-7186" #Display --indent 4 --text "- CVE-2014-7186 redir_stack bug" --result "OK" --color GREEN fi # CVE-2014-7187 - logtext "Test: Check for CVE-2014-7187" + LogText "Test: Check for CVE-2014-7187" echo "((for x in {1..200}; do echo \"for x$x in ; do :\"; done; for x in {1..200}; do echo done; done) | bash || echo \"vulnerable\") | grep 'vulnerable'" > ${SHELLSHOCK_TMP} VULNERABLE=`${FIND} ${SHELLSHOCK_TMP} 2> /dev/null` rm -f ${SHELLSHOCK_TMP} if [ ! "${VULNERABLE}" = "" ]; then - logtext "Output: ${VULNERABLE}" - logtext "Result: Vulnerable to CVE-2014-7187" + LogText "Output: ${VULNERABLE}" + LogText "Result: Vulnerable to CVE-2014-7187" Display --indent 2 --text "- Shellshock: CVE-2014-7187 nested loops off by one bug" --result "WARNING" --color RED FOUND=1 else - logtext "Result: Not vulnerable to CVE-2014-7187" + LogText "Result: Not vulnerable to CVE-2014-7187" #Display --indent 4 --text "- CVE-2014-7187 nested loops off by one bug" --result "OK" --color GREEN fi # CVE-2014-//// - logtext "Test: Check for bug Exploit #3 - shellshocker.net (no CVE)" + LogText "Test: Check for bug Exploit #3 - shellshocker.net (no CVE)" echo "env X=' () { }; echo hello' bash -c 'date'| grep 'hello'" > ${SHELLSHOCK_TMP} VULNERABLE=`${FIND} ${SHELLSHOCK_TMP} 2> /dev/null` rm -f ${SHELLSHOCK_TMP} if [ ! "${VULNERABLE}" = "" ]; then - logtext "Output: ${VULNERABLE}" - logtext "Result: Vulnerable to CVE-2014-//// (exploit #3 on shellshocker.net)" + LogText "Output: ${VULNERABLE}" + LogText "Result: Vulnerable to CVE-2014-//// (exploit #3 on shellshocker.net)" Display --indent 2 --text "- Shellshock: Exploit #3 on shellshocker.net (no CVE)" --result "WARNING" --color RED FOUND=1 else - logtext "Result: Not vulnerable to exploit #3 on shellshocker.net (no CVE)" + LogText "Result: Not vulnerable to exploit #3 on shellshocker.net (no CVE)" #Display --indent 4 --text "- Exploit#3 on shellshocker.net (no CVE)" --result "OK" --color GREEN fi else - logtext "Result: bash binary found, but not executable, or it is symlinked" + LogText "Result: bash binary found, but not executable, or it is symlinked" fi else - logtext "Result: could not find bash to be a valid shell" + LogText "Result: could not find bash to be a valid shell" fi if [ ${FOUND} -eq 1 ]; then @@ -396,11 +396,11 @@ ################################################################################# # -report "session_timeout_enabled=${IDLE_TIMEOUT}" +Report "session_timeout_enabled=${IDLE_TIMEOUT}" wait_for_keypress # #================================================================================ -# Lynis - Copyright 2007-2015, CISOfy - http://cisofy.com +# Lynis - Copyright 2007-2016, CISOfy - http://cisofy.com |