github.com/CISOfy/lynis.git - Unnamed repository; edit this file 'description' to name the repository.
authormboelen <michael@cisofy.com>2014-09-15 14:01:09 +0400
committermboelen <michael@cisofy.com>2014-09-15 14:01:09 +0400
commitc9fde8c2d11744cc0875bc3e5dd0abf096211755 (patch)
tree0997d08919db7ec4e2aa9065c3e9aaf1671c4d6f /include/tests_squid
parent35d32fb5e40b86632677fd2256aebeddf926394a (diff)
Code cleanup and small enhancements
Diffstat (limited to 'include/tests_squid')
-rw-r--r--include/tests_squid225
1 files changed, 113 insertions, 112 deletions
diff --git a/include/tests_squid b/include/tests_squid
index eedd23e2..27b1af42 100644
--- a/include/tests_squid
+++ b/include/tests_squid
@@ -35,17 +35,17 @@
# programs.
Register --test-no SQD-3602 --weight L --network NO --description "Check for running Squid daemon"
if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: Searching for a Squid daemon..."
+ logtext "Test: Searching for a Squid daemon"
FOUND=0
# Check running processes
FIND=`${PSBINARY} ax | egrep "(squid|squid3) " | grep -v "grep"`
if [ ! "${FIND}" = "" ]; then
SQUID_DAEMON_RUNNING=1
logtext "Result: Squid daemon is running"
- Display --indent 2 --text "- Checking running Squid daemon..." --result FOUND --color GREEN
+ Display --indent 2 --text "- Checking running Squid daemon" --result FOUND --color GREEN
else
logtext "Result: No running Squid daemon found"
- Display --indent 2 --text "- Checking running Squid daemon..." --result "NOT FOUND" --color WHITE
+ Display --indent 2 --text "- Checking running Squid daemon" --result "NOT FOUND" --color WHITE
fi
fi
#
@@ -71,10 +71,10 @@
done
if [ "${SQUID_DAEMON_CONFIG}" = "" ]; then
logtext "Result: No Squid configuration file found"
- Display --indent 4 --text "- Searching Squid configuration file..." --result "NOT FOUND" --color YELLOW
+ Display --indent 4 --text "- Searching Squid configuration file" --result "NOT FOUND" --color YELLOW
else
logtext "Result: using last found configuration file: ${SQUID_DAEMON_CONFIG}"
- Display --indent 4 --text "- Searching Squid configuration..." --result FOUND --color GREEN
+ Display --indent 4 --text "- Searching Squid configuration" --result FOUND --color GREEN
fi
fi
#
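Review bot: The two `Display` lines for this test still use different labels: the not-found branch prints "- Searching Squid configuration file" and the found branch prints "- Searching Squid configuration". Since both lines are being edited anyway, give them the same text so the check appears under one name in the output, e.g. `--text "- Searching Squid configuration file"` in both branches. The test body starts above this hunk.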
@@ -85,21 +85,21 @@
if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! "${SQUID_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no SQD-3606 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check Squid version"
if [ ${SKIPTEST} -eq 0 ]; then
- if [ ! "${SQUIDBINARY}" = "" ]; then
- logtext "Result: Squid binary found (${SQUIDBINARY})"
- # Skip check if a setuid/setgid bit is found
- FIND=`find ${SQUIDBINARY} \( -perm 4000 -o -perm 2000 \) -print`
- if [ "${FIND}" = "" ]; then
- FIND2=`${SQUIDBINARY} -v | awk '{ if ($3=="Version") { print $4 } }'`
- Display --indent 4 --text "- Checking Squid version..." --result "FOUND" --color GREEN
- SQUID_VERSION="${FIND2}"
- else
- logtext "Result: test skipped for security reasons, setuid/setgid bit set"
- Display --indent 4 --text "- Checking Squid version..." --result "SKIPPED" --color RED
- fi
- else
- logtext "Result: no Squid binary found"
- fi
+ if [ ! "${SQUIDBINARY}" = "" ]; then
+ logtext "Result: Squid binary found (${SQUIDBINARY})"
+ # Skip check if a setuid/setgid bit is found
+ FIND=`find ${SQUIDBINARY} \( -perm 4000 -o -perm 2000 \) -print`
+ if [ "${FIND}" = "" ]; then
+ FIND2=`${SQUIDBINARY} -v | awk '{ if ($3=="Version") { print $4 } }'`
+ Display --indent 4 --text "- Checking Squid version" --result "FOUND" --color GREEN
+ SQUID_VERSION="${FIND2}"
+ else
+ logtext "Result: test skipped for security reasons, setuid/setgid bit set"
+ Display --indent 4 --text "- Checking Squid version" --result "SKIPPED" --color RED
+ fi
+ else
+ logtext "Result: no Squid binary found"
+ fi
fi
#
#################################################################################
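Review bot: The setuid/setgid guard on the re-indented `find` line will not fire for a normally installed binary, because `-perm 4000` and `-perm 2000` without a leading `-` match only files whose mode is exactly 4000 or 2000. A binary with mode 4755 therefore passes the check and is executed with `-v`, which is the situation the "skipped for security reasons" branch is meant to prevent. Test for the bits being set and quote the path: `find "${SQUIDBINARY}" \( -perm -4000 -o -perm -2000 \) -print`.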
@@ -119,12 +119,13 @@
Register --test-no SQD-3610 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check Squid version"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Checking all specific defined options in ${SQUID_DAEMON_CONFIG}"
- FIND=`cat ${SQUID_DAEMON_CONFIG} | grep -v "^#" | grep -v "^$" | ${AWKBINARY} '{gsub("\t"," ");print}' | sed 's/ /!space!/g'`
- for I in ${FIND}; do
- I=`echo ${I} | sed 's/!space!/ /g'`
- logtext "Found Squid option: ${I}"
- done
- Display --indent 4 --text "- Checking defined Squid options..." --result "DONE" --color GREEN
+ FIND=`cat ${SQUID_DAEMON_CONFIG} | grep -v "^#" | grep -v "^$" | ${AWKBINARY} '{gsub("\t"," ");print}' | sed 's/ /!space!/g'`
+ for I in ${FIND}; do
+ I=`echo ${I} | sed 's/!space!/ /g'`
+ logtext "Found Squid option: ${I}"
+ report "squid_option=${I}"
+ done
+ Display --indent 4 --text "- Checking defined Squid options" --result "DONE" --color GREEN
fi
#
#################################################################################
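Review bot: The added `report "squid_option=${I}"` copies every active line of the Squid configuration into the report, including any line that carries credentials (for example a `cache_peer` entry with `login=user:password`). A later test in this file warns that the configuration file "could leak information or passwords" when it is too widely readable, so the report should not become a second copy of the same secrets; how the report file is protected or shared is not visible here. Skip or mask such lines before reporting, e.g. `case "${I}" in *login=*|*passw*) ;; *) report "squid_option=${I}" ;; esac`, and consider the same treatment for the `logtext` line above it.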
@@ -147,13 +148,13 @@
FIND=`find ${SQUID_DAEMON_CONFIG} -type f -a \( -perm -004 -o -perm -002 -o -perm -001 \)`
if [ ! "${FIND}" = "" ]; then
logtext "Result: file ${SQUID_DAEMON_CONFIG} is world readable, writable or executable and could leak information or passwords"
- Display --indent 4 --text "- Checking Squid configuration file permissions..." --result WARNING --color RED
+ Display --indent 4 --text "- Checking Squid configuration file permissions" --result WARNING --color RED
ReportSuggestion ${TEST_NO} "Check file permissions of ${SQUID_DAEMON_CONFIG} to limit access"
ReportWarning ${TEST_NO} "M" "File permissions of ${SQUID_DAEMON_CONFIG} are not restrictive"
AddHP 0 2
else
logtext "Result: file ${SQUID_DAEMON_CONFIG} has proper file permissions"
- Display --indent 4 --text "- Checking Squid configuration file permissions..." --result OK --color GREEN
+ Display --indent 4 --text "- Checking Squid configuration file permissions" --result OK --color GREEN
AddHP 2 2
fi
fi
@@ -161,7 +162,7 @@
#################################################################################
#
if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! "${SQUID_DAEMON_CONFIG}" = "" ]; then
- Display --indent 4 --text "- Checking Squid access control..."
+ Display --indent 4 --text "- Checking Squid access control"
fi
#
#################################################################################
@@ -171,18 +172,18 @@
if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! "${SQUID_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no SQD-3614 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check Squid authentication methods"
if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: check auth_param option for authentication methods"
- FIND=`grep "^auth_param" ${SQUID_DAEMON_CONFIG} | awk '{ print $2 }'`
- if [ "${FIND}" = "" ]; then
- logtext "No auth_param option found, proxy access anonymous or based on other methods (like ACLs)"
- Display --indent 6 --text "- Checking Squid authentication methods..." --result "NONE" --color YELLOW
- else
- Display --indent 6 --text "- Checking Squid authentication methods..." --result "FOUND" --color GREEN
- for I in ${FIND}; do
- logtext "Result: found authentication method ${I}"
- report "squid_auth_method=${I}"
- done
- fi
+ logtext "Test: check auth_param option for authentication methods"
+ FIND=`grep "^auth_param" ${SQUID_DAEMON_CONFIG} | awk '{ print $2 }'`
+ if [ "${FIND}" = "" ]; then
+ logtext "No auth_param option found, proxy access anonymous or based on other methods (like ACLs)"
+ Display --indent 6 --text "- Checking Squid authentication methods" --result "NONE" --color YELLOW
+ else
+ Display --indent 6 --text "- Checking Squid authentication methods" --result "FOUND" --color GREEN
+ for I in ${FIND}; do
+ logtext "Result: found authentication method ${I}"
+ report "squid_auth_method=${I}"
+ done
+ fi
fi
#
#################################################################################
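Review bot: The loop over `${FIND}` emits one `squid_auth_method` entry per `auth_param` line rather than per scheme, so a scheme configured with several `auth_param` lines is logged and reported repeatedly. Deduplicate in the pipeline and quote the path while the line is being touched: `grep "^auth_param" "${SQUID_DAEMON_CONFIG}" | awk '{ print $2 }' | sort -u`.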
@@ -192,19 +193,19 @@
if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! "${SQUID_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no SQD-3616 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check external Squid authentication"
if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: check external_acl_type option for external authentication helpers"
- FIND=`grep "^external_acl_type" ${SQUID_DAEMON_CONFIG}`
- if [ "${FIND}" = "" ]; then
- logtext "No external_acl_type found"
- Display --indent 6 --text "- Checking Squid external authentication methods..." --result "NONE" --color YELLOW
- else
- Display --indent 6 --text "- Checking Squid external authentication methods..." --result "FOUND" --color GREEN
- for I in ${FIND}; do
- logtext "Result: found external authentication method helper"
- logtext "Output: ${FIND}"
- #report "squid_external_acl_type=TRUE"
- done
- fi
+ logtext "Test: check external_acl_type option for external authentication helpers"
+ FIND=`grep "^external_acl_type" ${SQUID_DAEMON_CONFIG}`
+ if [ "${FIND}" = "" ]; then
+ logtext "No external_acl_type found"
+ Display --indent 6 --text "- Checking Squid external authentication methods" --result "NONE" --color YELLOW
+ else
+ Display --indent 6 --text "- Checking Squid external authentication methods" --result "FOUND" --color GREEN
+ for I in ${FIND}; do
+ logtext "Result: found external authentication method helper"
+ logtext "Output: ${FIND}"
+ #report "squid_external_acl_type=TRUE"
+ done
+ fi
fi
#
#################################################################################
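Review bot: `for I in ${FIND}` splits the matched `external_acl_type` lines on whitespace, so the loop body runs once per word and writes the whole `${FIND}` to the log on every pass; `I` itself is never used. The loop can be dropped and the two `logtext` calls kept as plain statements in the else branch, which logs the helper line once. If per-helper output is wanted, read the grep output line by line instead of word-splitting it.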
@@ -214,22 +215,22 @@
if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! "${SQUID_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no SQD-3620 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check Squid access control lists"
if [ ${SKIPTEST} -eq 0 ]; then
- N=0
- logtext "Test: checking ACLs"
- FIND=`grep "^acl " ${SQUID_DAEMON_CONFIG} | sed 's/ /!space!/g'`
- if [ "${FIND}" = "" ]; then
- logtext "Result: No ACLs found"
- Display --indent 6 --text "- Checking Access Control Lists..." --result "NONE" --color RED
- else
- for I in ${FIND}; do
- N=`expr ${N} + 1`
- I=`echo ${I} | sed 's/!space!/ /g'`
- logtext "Found ACL: ${I}"
- #report "squid_acl=${I}"
- done
- logtext "Result: Found ${N} ACLs"
- Display --indent 6 --text "- Checking Access Control Lists..." --result "${N} ACLs FOUND" --color GREEN
- fi
+ N=0
+ logtext "Test: checking ACLs"
+ FIND=`grep "^acl " ${SQUID_DAEMON_CONFIG} | sed 's/ /!space!/g'`
+ if [ "${FIND}" = "" ]; then
+ logtext "Result: No ACLs found"
+ Display --indent 6 --text "- Checking Access Control Lists" --result "NONE" --color RED
+ else
+ for I in ${FIND}; do
+ N=`expr ${N} + 1`
+ I=`echo ${I} | sed 's/!space!/ /g'`
+ logtext "Found ACL: ${I}"
+ #report "squid_acl=${I}"
+ done
+ logtext "Result: Found ${N} ACLs"
+ Display --indent 6 --text "- Checking Access Control Lists" --result "${N} ACLs FOUND" --color GREEN
+ fi
fi
#
#################################################################################
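Review bot: The ACL count `N` is inflated for any `acl` line that contains a tab, because only spaces are replaced with `!space!` before `for I in ${FIND}` word-splits the result; SQD-3610 normalises tabs with `gsub("\t"," ")` first, but this test does not. The pattern `"^acl "` also skips lines written with a tab directly after `acl`. Since `N` is what the "ACLs FOUND" result shows, take the count from the file directly, e.g. `grep -c "^acl[[:space:]]" "${SQUID_DAEMON_CONFIG}"`, and keep the loop only for logging.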
@@ -239,48 +240,48 @@
if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! "${SQUID_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no SQD-3624 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check Squid safe ports"
if [ ${SKIPTEST} -eq 0 ]; then
- N=0
- logtext "Test: checking ACL Safe_ports http_access option"
- FIND=`grep "^http_access" ${SQUID_DAEMON_CONFIG} | grep "Safe_ports"`
- if [ "${FIND}" = "" ]; then
- logtext "Result: no Safe_ports found"
- Display --indent 6 --text "- Checking ACL 'Safe_ports' http_access option..." --result "NOT FOUND" --color YELLOW
- ReportSuggestion ${TEST_NO} "Check if Squid has been configured to restrict access to all safe ports"
- else
- logtext "Result: checking ACL safe ports"
- FIND2=`grep "^acl Safe_ports port" ${SQUID_DAEMON_CONFIG} | awk '{ print $4 }'`
- if [ "${FIND2}" = "" ]; then
- Display --indent 6 --text "- Checking ACL 'Safe_ports' ports..." --result "NONE FOUND" --color YELLOW
- ReportSuggestion ${TEST_NO} "Check if Squid has been configured for which ports it can allow outgoing traffic (Safe_ports)"
- AddHP 0 1
- else
- logtext "Result: Safe_ports found"
- for I in ${FIND}; do
- logtext "Found safe port: ${I}"
- done
- Display --indent 6 --text "- Checking ACL 'Safe_ports' ports..." --result "FOUND" --color GREEN
- AddHP 1 1
- fi
- #SQUID_DAEMON_UNSAFE_PORTS_LIST
- for I in ${SQUID_DAEMON_UNSAFE_PORTS_LIST}; do
- logtext "Test: Checking port ${I} in Safe_ports list"
- FIND2=`grep "^acl Safe_ports port ${I}" ${SQUID_DAEMON_CONFIG}`
- if [ "${FIND2}" = "" ]; then
- Display --indent 6 --text "- Checking ACL 'Safe_ports' (port ${I})..." --result "NOT FOUND" --color GREEN
- AddHP 1 1
- else
- Display --indent 6 --text "- Checking ACL 'Safe_ports' (port ${I})..." --result "FOUND" --color RED
- ReportWarning ${TEST_NO} "H" "Squid configuration possibly allows relaying traffic via configured Safe_port ${I}"
- AddHP 0 1
- fi
- done
- fi
+ N=0
+ logtext "Test: checking ACL Safe_ports http_access option"
+ FIND=`grep "^http_access" ${SQUID_DAEMON_CONFIG} | grep "Safe_ports"`
+ if [ "${FIND}" = "" ]; then
+ logtext "Result: no Safe_ports found"
+ Display --indent 6 --text "- Checking ACL 'Safe_ports' http_access option" --result "NOT FOUND" --color YELLOW
+ ReportSuggestion ${TEST_NO} "Check if Squid has been configured to restrict access to all safe ports"
+ else
+ logtext "Result: checking ACL safe ports"
+ FIND2=`grep "^acl Safe_ports port" ${SQUID_DAEMON_CONFIG} | awk '{ print $4 }'`
+ if [ "${FIND2}" = "" ]; then
+ Display --indent 6 --text "- Checking ACL 'Safe_ports' ports" --result "NONE FOUND" --color YELLOW
+ ReportSuggestion ${TEST_NO} "Check if Squid has been configured for which ports it can allow outgoing traffic (Safe_ports)"
+ AddHP 0 1
+ else
+ logtext "Result: Safe_ports found"
+ for I in ${FIND}; do
+ logtext "Found safe port: ${I}"
+ done
+ Display --indent 6 --text "- Checking ACL 'Safe_ports' ports" --result "FOUND" --color GREEN
+ AddHP 1 1
+ fi
+ #SQUID_DAEMON_UNSAFE_PORTS_LIST
+ for I in ${SQUID_DAEMON_UNSAFE_PORTS_LIST}; do
+ logtext "Test: Checking port ${I} in Safe_ports list"
+ FIND2=`grep "^acl Safe_ports port ${I}" ${SQUID_DAEMON_CONFIG}`
+ if [ "${FIND2}" = "" ]; then
+ Display --indent 6 --text "- Checking ACL 'Safe_ports' (port ${I})" --result "NOT FOUND" --color GREEN
+ AddHP 1 1
+ else
+ Display --indent 6 --text "- Checking ACL 'Safe_ports' (port ${I})" --result "FOUND" --color RED
+ ReportWarning ${TEST_NO} "H" "Squid configuration possibly allows relaying traffic via configured Safe_port ${I}"
+ AddHP 0 1
+ fi
+ done
+ fi
fi
#
#################################################################################
#
if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! "${SQUID_DAEMON_CONFIG}" = "" ]; then
- Display --indent 4 --text "- Checking Squid Denial of Service tuning options..."
+ Display --indent 4 --text "- Checking Squid Denial of Service tuning options"
fi
#
#################################################################################
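Review bot: The "Found safe port" loop iterates over `${FIND}`, which holds the matching `http_access` lines, instead of `${FIND2}`, which holds the port column extracted just above; the log therefore lists tokens from the `http_access` rule rather than ports, and the line should read `for I in ${FIND2}; do`. In the unsafe-port loop, `grep "^acl Safe_ports port ${I}"` is a prefix match, so a list entry such as 22 would also match a configured port 2222 and raise a false warning, while a port covered only by a range such as `1025-65535` is never detected and still earns hardening points. Anchor the number, e.g. `grep -E "^acl Safe_ports port ${I}([[:space:]]|\$)"`, and document range handling as a known gap. `N=0` at the top of the block is unused.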
@@ -309,7 +310,7 @@
#################################################################################
#
if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! "${SQUID_DAEMON_CONFIG}" = "" ]; then
- Display --indent 4 --text "- Checking Squid general options..."
+ Display --indent 4 --text "- Checking Squid general options"
fi
#
#################################################################################
@@ -340,10 +341,10 @@
# Squid
#Hardening:
-# $1 $3
-# acl snmp_community
-# acl maxconn
-# acl max_user_ip
+# $1 $3
+# acl snmp_community
+# acl maxconn
+# acl max_user_ip
#
# follow_x_forwarded_for
#Read cache_peer host type(sibling/parent) proxyport icpport options (if set, icp_access should be set as well)