Extended nginx testing

author: Michael Boelen <michael.boelen@cisofy.com> 2016-08-16 09:08:15 +0300
committer: Michael Boelen <michael.boelen@cisofy.com> 2016-08-16 09:08:15 +0300
commit: 1b30f6e5585e3e7ddcb10b776d64508518154db5 (patch)
tree: 05a9044d16ef760bf1a4c3cc1c8b35615a25579b /include/tests_webservers
parent: 2bbc17868d508bbce92054caab2f23b81e0504ae (diff)
1 files changed, 40 insertions, 22 deletions
diff --git a/include/tests_webservers b/include/tests_webservers
index 336ea6dd..40b07e48 100644
--- a/include/tests_webservers
+++ b/include/tests_webservers
@@ -28,17 +28,18 @@
 #
     # Reset Apache status
     APACHE_INSTALLED=0
-    APACHE_MODULES_ENABLED_LOCS="/etc/apache2/mods-enabled"
-    APACHE_MODULES_LOCS="/etc/httpd/modules /opt/local/apache2/modules /usr/lib/apache2 /usr/lib/httpd/modules /usr/libexec/apache2 /usr/lib64/apache2 /usr/lib64/apache2/modules /usr/lib64/httpd/modules /usr/local/libexec/apache /usr/local/libexec/apache22"
+    APACHE_MODULES_ENABLED_LOCS="${ROOTDIR}etc/apache2/mods-enabled"
+    APACHE_MODULES_LOCS="${ROOTDIR}etc/httpd/modules ${ROOTDIR}opt/local/apache2/modules ${ROOTDIR}usr/lib/apache2 ${ROOTDIR}usr/lib/httpd/modules ${ROOTDIR}usr/libexec/apache2 ${ROOTDIR}usr/lib64/apache2 ${ROOTDIR}usr/lib64/apache2/modules ${ROOTDIR}usr/lib64/httpd/modules ${ROOTDIR}usr/local/libexec/apache ${ROOTDIR}usr/local/libexec/apache22"
     NGINX_RUNNING=0
-    NGINX_CONF_LOCS="/etc/nginx /usr/local/etc/nginx /usr/local/nginx/conf"
+    NGINX_CONF_LOCS="${ROOTDIR}etc/nginx ${ROOTDIR}usr/local/etc/nginx usr/local/nginx/conf"
     NGINX_CONF_LOCATION=""
+    NGINX_CONF_FILES=""
 #
 #################################################################################
 #
-    sTEST_APACHE_TARGETS="/etc/apache /etc/apache2 /etc/httpd /usr/local/apache /usr/local/apache2 \
-                          /usr/local/etc/apache /usr/local/etc/apache2 /usr/local/etc/apache22 \
-                          /usr/pkg/etc/httpd /etc/sysconfig/apache2"
+    sTEST_APACHE_TARGETS="${ROOTDIR}etc/apache ${ROOTDIR}etc/apache2 ${ROOTDIR}etc/httpd ${ROOTDIR}usr/local/apache ${ROOTDIR}usr/local/apache2 \
+                          ${ROOTDIR}usr/local/etc/apache ${ROOTDIR}usr/local/etc/apache2 ${ROOTDIR}usr/local/etc/apache22 \
+                          ${ROOTDIR}usr/pkg/etc/httpd ${ROOTDIR}etc/sysconfig/apache2"
 
     CreateTempFile || ExitFatal
     TMPFILE="${TEMP_FILE}"
@@ -383,6 +384,7 @@
             LogText "Result: found running nginx process(es)"
             Display --indent 2 --text "- Checking nginx" --result "${STATUS_FOUND}" --color GREEN
             NGINX_RUNNING=1
+            Report "nginx_running=1"
           else
             LogText "Result: no running nginx process found"
             Display --indent 2 --text "- Checking nginx" --result "${STATUS_NOT_FOUND}" --color WHITE
@@ -401,6 +403,7 @@
             if [ -f ${I}/nginx.conf ]; then
                 NGINX_CONF_LOCATION="${I}/nginx.conf"
                 LogText "Found file ${NGINX_CONF_LOCATION}"
+                NGINX_CONF_FILES="${I}/nginx.conf"
             fi
         done
         if [ ! "${NGINX_CONF_LOCATION}" = "" ]; then
@@ -430,18 +433,24 @@
         for I in ${FIND}; do
             FIND2=`${LSBINARY} ${I} 2>/dev/null`
             for J in ${FIND2}; do
-              # Ensure that we are parsing normal files
-              if [ -f ${J} ]; then
-                  N=$((N + 1))
-                  LogText "Result: found Nginx configuration file ${J}"
-                  Report "nginx_sub_conf_file=${J}"
-                  FileIsReadable ${J}
-                  if [ ${CANREAD} -eq 1 ]; then
-                      FIND3=`sed -e 's/^[ 	]*//' ${J} | grep -v "^#" | grep -v "^$" | sed 's/[	]/ /g' | sed 's/  / /g' | sed 's/  / /g' >> ${TMPFILE}`
+                # Ensure that we are parsing normal files
+                if [ -f ${J} ]; then
+                    N=$((N + 1))
+                    LogText "Result: found Nginx configuration file ${J}"
+                    Report "nginx_sub_conf_file[]=${J}"
+                    FILENAME=$(echo ${J} | awk -F/ '{print $NF}')
+                    if [ ! "${FILENAME}" = "mime.types" ]; then
+                        FileIsReadable ${J}
+                        if [ ${CANREAD} -eq 1 ]; then
+                            NGINX_CONF_FILES="${NGINX_CONF_FILES} ${J}"
+                            FIND3=`sed -e 's/^[ 	]*//' ${J} | grep -v "^#" | grep -v "^$" | sed 's/[	]/ /g' | sed 's/  / /g' | sed 's/  / /g' >> ${TMPFILE}`
+                        else
+                            ReportException "${TEST_NO}:1" "Can not parse file ${J}, as it is not readable"
+                        fi
                     else
-                      ReportException "${TEST_NO}:1" "Can not parse file ${J}, as it is not readable"
-                  fi
-              fi
+                        LogText "Result: this configuration file is skipped, as it contains usually no interesting details"
+                    fi
+                fi
             done
         done
 
@@ -449,7 +458,7 @@
         SORTFILE=`sort -u ${TMPFILE} | sed 's/ /:space:/g' | egrep -v "(application|audio|image|text|video)/" | egrep -v "({|})"`
         for I in ${SORTFILE}; do
             I=`echo ${I} | sed 's/:space:/ /g'`
-            Report "nginx_config_option=${I}";
+            Report "nginx_config_option[]=${I}";
         done
 
         # Remove unsorted file for next tests
@@ -467,12 +476,21 @@
     # Test        : HTTP-6708
     # Description : Check discovered nginx configuration settings for further hardering
     # Notes       : Daemon of nginx should be running, nginx.conf should be found
-    if [ ${NGINX_RUNNING} -eq 1 -a "${NGINX_CONF_LOCATION}" != "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+    if [ ${NGINX_RUNNING} -eq 1 -a ! "${NGINX_CONF_FILES}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
     Register --test-no HTTP-6708 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check discovered nginx configuration settings"
     if [ ${SKIPTEST} -eq 0 ]; then
+        CreateTempFile || ExitFatal "Could not create temporary file"
+        NGINX_FULL_CONFIG="${TEMP_FILE}"
         LogText "Test: start parsing all discovered nginx options"
         Display --indent 4 --text "- Parsing configuration options"
-        ParseNginx
+        for I in ${NGINX_CONF_FILES}; do
+            if FileIsReadable ${I}; then
+                Display --indent 8 --text "- ${I}"
+                ParseNginx ${I}
+            else
+                Display --indent 8 --text "- ${I}" --result "SKIPPED (NOT READABLE)" --color YELLOW
+            fi
+        done
     fi
 #
 #################################################################################
@@ -519,12 +537,12 @@
           else
             LogText "Result: No SSL configuration found"
             Display --indent 6 --text "- SSL configured" --result "${STATUS_NO}" --color RED
-            NGINX_SSL_SUGGESTION=1
+            ReportSuggestion ${TEST_NO} "Add HTTPS to nginx virtual hosts for enhanced protection of sensitive data and privacy"
             AddHP 1 5
         fi
         if [ ${NGINX_SSL_SUGGESTION} -eq 1 ]; then
             LogText "Result: one or more parts of the nginx configuration could be enhanced regarding SSL"
-            ReportSuggestion ${TEST_NO} "Configure SSL in nginx for protection of sensitive data and privacy"
+            ReportSuggestion "${TEST_NO}" "Change the HTTPS and SSL settings for enhanced protection of sensitive data and privacy"
         fi
     fi
 #
author	Michael Boelen <michael.boelen@cisofy.com>	2016-08-16 09:08:15 +0300
committer	Michael Boelen <michael.boelen@cisofy.com>	2016-08-16 09:08:15 +0300
commit	1b30f6e5585e3e7ddcb10b776d64508518154db5 (patch)
tree	05a9044d16ef760bf1a4c3cc1c8b35615a25579b /include/tests_webservers
parent	2bbc17868d508bbce92054caab2f23b81e0504ae (diff)