diff options
| author | mboelen <michael@cisofy.com> | 2014-08-26 19:33:55 +0400 |
|---|---|---|
| committer | mboelen <michael@cisofy.com> | 2014-08-26 19:33:55 +0400 |
| commit | c0ae2e217b7f1fb0171017ce5afb8eb8898470db (patch) | |
| tree | 545aa150c35c5fb74d7bb4c2d3b0ae41cfa7b4e5 /include/tests_storage_nfs | |
Initial import
Diffstat (limited to 'include/tests_storage_nfs')
| -rw-r--r-- | include/tests_storage_nfs | 181 |
1 files changed, 181 insertions, 0 deletions
diff --git a/include/tests_storage_nfs b/include/tests_storage_nfs new file mode 100644 index 00000000..defdf679 --- /dev/null +++ b/include/tests_storage_nfs @@ -0,0 +1,181 @@ +#!/bin/sh + +################################################################################# +# +# Lynis +# ------------------ +# +# Copyright 2007-2014, Michael Boelen (michael@rootkit.nl), The Netherlands +# Web site: http://www.rootkit.nl +# +# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are +# welcome to redistribute it under the terms of the GNU General Public License. +# See LICENSE file for usage of this software. +# +################################################################################# +# +# NFS +# +################################################################################# +# + InsertSection "NFS" +# +################################################################################# +# + NFS_DAEMON_RUNNING=0 + NFS_EXPORTS_EMPTY=0 +# +################################################################################# +# + + # Test : STRG-1902 + # Description : Check rpcinfo + if [ ! "${RPCINFOBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + Register --test-no STRG-1902 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check rpcinfo registered programs" + if [ ${SKIPTEST} -eq 0 ]; then + logtext "Test: Checking rpcinfo registered programs" + FIND=`${RPCINFOBINARY} -p 2> /dev/null | tr -s ' ' ','` + for I in ${FIND}; do + logtext "rpcinfo: ${I}" + done + Display --indent 2 --text "- Query rpc registered programs..." --result "DONE" --color GREEN + fi +# +################################################################################# +# + # Test : STRG-1904 + # Description : Check nfs versions in rpcinfo + if [ ! "${RPCINFOBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + Register --test-no STRG-1904 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check nfs rpc" + if [ ${SKIPTEST} -eq 0 ]; then + logtext "Test: Checking NFS registered versions" + FIND=`${RPCINFOBINARY} -p 2> /dev/null | ${AWKBINARY} '{ if ($5=="nfs") { print $2 } }' | uniq | sort` + for I in ${FIND}; do + logtext "Found version: ${I}" + done + Display --indent 2 --text "- Query NFS versions..." --result "DONE" --color GREEN + fi +# +################################################################################# +# + # Test : STRG-1906 + # Description : Check nfs protocols (TCP/UDP) and port in rpcinfo + if [ ! "${RPCINFOBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + Register --test-no STRG-1906 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check nfs rpc" + if [ ${SKIPTEST} -eq 0 ]; then + logtext "Test: Checking NFS registered protocols" + FIND=`${RPCINFOBINARY} -p 2> /dev/null | ${AWKBINARY} '{ if ($5=="nfs") { print $3 } }' | uniq | sort` + for I in ${FIND}; do + logtext "Found protocol: ${I}" + done + if [ "${FIND}" = "" ]; then + logtext "Output: no NFS protocols found" + fi + + # Check port number + logtext "Test: Checking NFS registered ports" + FIND=`${RPCINFOBINARY} -p 2> /dev/null | ${AWKBINARY} '{ if ($5=="nfs") { print $3 } }' | uniq | sort` + for I in ${FIND}; do + logtext "Found port: ${I}" + done + if [ "${FIND}" = "" ]; then + logtext "Output: no NFS port number found" + fi + Display --indent 2 --text "- Query NFS protocols..." --result "DONE" --color GREEN + fi +# +################################################################################# +# + # Test : STRG-1920 + # Description : Check for running NFS daemons + Register --test-no STRG-1920 --weight L --network NO --description "Checking NFS daemon" + if [ ${SKIPTEST} -eq 0 ]; then + logtext "Test: Checking running NFS daemon" + FIND=`${PSBINARY} ax | grep "nfsd" | grep -v "grep"` + if [ "${FIND}" = "" ]; then + logtext "Output: NFS daemon is not running" + Display --indent 2 --text "- Check running NFS daemon..." --result "NOT FOUND" --color WHITE + else + logtext "Output: NFS daemon is running" + Display --indent 2 --text "- Check running NFS daemon.." --result "FOUND" --color GREEN + NFS_DAEMON_RUNNING=1 + fi + fi +# +################################################################################# +# + # Test : STRG-1924 + # Description : Check missing nfs in rpcinfo while NFS is running + #Register --test-no STRG-1924 --weight L --network NO --description "Checking NFS daemon" + #if [ ${SKIPTEST} -eq 0 ]; then +# +################################################################################# +# + # Test : STRG-1926 + # Description : Check NFS exports + if [ ${NFS_DAEMON_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + Register --test-no STRG-1926 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking NFS exports" + if [ ${SKIPTEST} -eq 0 ]; then + logtext "Test: check /etc/exports" + if [ -f /etc/exports ]; then + logtext "Result: /etc/exports exists" + FIND=`cat /etc/exports | grep -v "^$" | grep -v "^#" | sed 's/ /!space!/g'` + if [ ! "${FIND}" = "" ]; then + for I in ${FIND}; do + I=`echo ${I} | sed 's/!space!/ /g'` + logtext "Found line: ${I}" + done + else + logtext "Result: /etc/exports does not contain exported file systems" + NFS_EXPORTS_EMPTY=1 + fi + Display --indent 4 --text "- Checking /etc/exports..." --result "FOUND" --color GREEN + else + logtext "Result: file /etc/exports does not exist" + Display --indent 4 --text "- Checking /etc/exports..." --result "NOT FOUND" --color WHITE + fi + fi +# +################################################################################# +# + # Test : STRG-1928 + # Description : Check for empty exports file while NFS is running + if [ ${NFS_DAEMON_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + Register --test-no STRG-1928 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking empty /etc/exports" + if [ ${SKIPTEST} -eq 0 ]; then + if [ ${NFS_EXPORTS_EMPTY} -eq 1 ]; then + Display --indent 6 --text "- Checking empty /etc/exports..." --result SUGGESTION --color YELLOW + logtext "Result: /etc/exports seems to have no exported file systems" + ReportSuggestion ${TEST_NO} "/etc/exports has no exported file systems, while NFS daemon is running. Check if NFS needs to run on this system" + fi + fi +# +################################################################################# +# + # Test : STRG-1930 + # Description : Check client access to nfs share + if [ ${NFS_DAEMON_RUNNING} -eq 1 -a ${NFS_EXPORTS_EMPTY} -eq 0 -a ! "${SHOWMOUNTBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + Register --test-no STRG-1930 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check client access to nfs share" + if [ ${SKIPTEST} -eq 0 ]; then + #logtext "Test: " + sFIND=`${SHOWMOUNTBINARY} -e | awk '{ print $2 }' | sed '1d'| grep "\*"` + if [ "${sFIND}" != "" ]; then + logtext "Result: all client are allowed to access a NFS share in /etc/exports" + Display --indent 4 --text "- Checking NFS client access..." --result "ALL CLIENTS" --color YELLOW + ReportSuggestion ${TEST_NO} "Specify clients that are allowed to access a NFS share /etc/exports" + AddHP 2 3 + else + logtext "Result: only some clients are allowed to access a NFS share" + Display --indent 4 --text "- Checking NFS client access..." --result OK --color GREEN + AddHP 3 3 + fi + fi +# +################################################################################# +# + +wait_for_keypress + +# +#================================================================================ +# Lynis - Copyright 2007-2014, Michael Boelen - www.rootkit.nl - The Netherlands |