author | mboelen <michael@cisofy.com> | 2014-09-19 02:35:24 +0400 |
---|---|---|
committer | mboelen <michael@cisofy.com> | 2014-09-19 02:35:24 +0400 |
commit | a145b0091abef438d1ae03fbe0830df9f514ca98 (patch) | |
tree | 20ac09e3998489577c56bd236614d08700ac68f2 /include | |
parent | 8a637d588bf462747011eb2ab450ae183f85cbbd (diff) |
Code cleanup
Diffstat (limited to 'include')
-rw-r--r-- | include/tests_authentication | 398 |
1 files changed, 198 insertions, 200 deletions
diff --git a/include/tests_authentication b/include/tests_authentication
index de88de5f..7f74e6dc 100644
--- a/include/tests_authentication
+++ b/include/tests_authentication
@@ -257,17 +257,17 @@ # if [ -x /usr/bin/usrck ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi # Register --test-no AUTH-9229 --os AIX --preqs-met ${PREQS_MET} --weight L --network NO --description "Check password file consistency" # if [ ${SKIPTEST} -eq 0 ]; then -# logtext "Test: Checking password file consistency (usrck)" -# FIND=`/usr/bin/usrck -n ALL 2>; echo $?` -# if [ "${FIND}" = "0" ]; then -# Display --indent 2 --text "- Checking password file consistency" --result OK --color GREEN -# logtext "Result: usrck finished didn't find problems" -# else -# Display --indent 2 --text "- Checking password file consistency" --result WARNING --color RED -# logtext "Result: usrck found one or more errors/warnings in the password file." -# ReportWarning ${TEST_NO} "M" "usrck found one or more errors/warnings in the password file" -# ReportSuggestion ${TEST_NO} "Run usrck manually and correct found issues." -# fi +# logtext "Test: Checking password file consistency (usrck)" +# FIND=`/usr/bin/usrck -n ALL 2>; echo $?` +# if [ "${FIND}" = "0" ]; then +# Display --indent 2 --text "- Checking password file consistency" --result OK --color GREEN +# logtext "Result: usrck finished didn't find problems" +# else +# Display --indent 2 --text "- Checking password file consistency" --result WARNING --color RED +# logtext "Result: usrck found one or more errors/warnings in the password file." +# ReportWarning ${TEST_NO} "M" "usrck found one or more errors/warnings in the password file" +# ReportSuggestion ${TEST_NO} "Run usrck manually and correct found issues." +# fi # fi # ################################################################################# 
@@ -298,17 +298,17 @@ # if [ -x /usr/sbin/pwck ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi # Register --test-no AUTH-9231 --os HP-UX --preqs-met ${PREQS_MET} --weight L --network NO --description "Check password file consistency" # if [ ${SKIPTEST} -eq 0 ]; then -# logtext "Test: Checking password file consistency (pwck)" -# FIND=`/usr/sbin/pwck 2> /dev/null; echo $?` -# if [ "${FIND}" = "0" ]; then -# Display --indent 2 --text "- Checking password file consistency" --result OK --color GREEN -# logtext "Result: pwck finished didn't find problems" -# else -# Display --indent 2 --text "- Checking password file consistency" --result WARNING --color RED -# logtext "Result: pwck found one or more errors/warnings in the password file." -# ReportWarning ${TEST_NO} "M" "pwck found one or more errors/warnings in the password file" -# ReportSuggestion ${TEST_NO} "Run pwck manually and correct found issues." -# fi +# logtext "Test: Checking password file consistency (pwck)" +# FIND=`/usr/sbin/pwck 2> /dev/null; echo $?` +# if [ "${FIND}" = "0" ]; then +# Display --indent 2 --text "- Checking password file consistency" --result OK --color GREEN +# logtext "Result: pwck finished didn't find problems" +# else +# Display --indent 2 --text "- Checking password file consistency" --result WARNING --color RED +# logtext "Result: pwck found one or more errors/warnings in the password file." +# ReportWarning ${TEST_NO} "M" "pwck found one or more errors/warnings in the password file" +# ReportSuggestion ${TEST_NO} "Run pwck manually and correct found issues." +# fi # fi # ################################################################################# 
@@ -318,17 +318,17 @@ # if [ -x /usr/sbin/grpck ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi # Register --test-no AUTH-9232 --os HP-UX --preqs-met ${PREQS_MET} --weight L --network NO --description "Check password file consistency" # if [ ${SKIPTEST} -eq 0 ]; then -# logtext "Test: Checking group file consistency (grpck)" -# FIND=`/usr/sbin/grpck 2> /dev/null; echo $?` -# if [ "${FIND}" = "0" ]; then -# Display --indent 2 --text "- Checking group file consistency" --result OK --color GREEN -# logtext "Result: grpck finished didn't find problems" -# else -# Display --indent 2 --text "- Checking group file consistency" --result WARNING --color RED -# logtext "Result: grpck found one or more errors/warnings in the group file." -# ReportWarning ${TEST_NO} "M" "grpck found one or more errors/warnings in the group file" -# ReportSuggestion ${TEST_NO} "Run grpck manually and correct found issues." -# fi +# logtext "Test: Checking group file consistency (grpck)" +# FIND=`/usr/sbin/grpck 2> /dev/null; echo $?` +# if [ "${FIND}" = "0" ]; then +# Display --indent 2 --text "- Checking group file consistency" --result OK --color GREEN +# logtext "Result: grpck finished didn't find problems" +# else +# Display --indent 2 --text "- Checking group file consistency" --result WARNING --color RED +# logtext "Result: grpck found one or more errors/warnings in the group file." +# ReportWarning ${TEST_NO} "M" "grpck found one or more errors/warnings in the group file" +# ReportSuggestion ${TEST_NO} "Run grpck manually and correct found issues." +# fi # fi # ################################################################################# 
@@ -1030,108 +1030,107 @@ logtext "Test: Checking /etc/login.defs" if [ -f /etc/login.defs ]; then logtext "Result: file /etc/profile exists" - logtext "Test: Checking UMASK value in /etc/login.defs" + logtext "Test: Checking umask value in /etc/login.defs" FIND=`grep "^UMASK" /etc/login.defs | awk '{ print $2 }'` if [ "${FIND}" = "" ]; then - logtext "Result: UMASK value is not configured (most likely it will have the default 022 value)" + logtext "Result: umask value is not configured (most likely it will have the default 022 value)" Display --indent 4 --text "- Checking umask (/etc/login.defs)" --result SUGGESTION --color YELLOW ReportSuggestion ${TEST_NO} "Default umask in /etc/login.defs could not be found and defaults usually to 022, which could be more strict like 027" - AddHP 1 2 - elif [ "${FIND}" = "077" -o "${FIND}" = "027" ]; then - logtext "Result: umask is ${FIND}, which is fine" - Display --indent 4 --text "- Checking umask (/etc/login.defs)" --result OK --color GREEN - AddHP 2 2 - else - logtext "Result: found umask ${FIND}, which could be improved" - Display --indent 4 --text "- Checking umask (/etc/login.defs)" --result SUGGESTION --color YELLOW - ReportSuggestion ${TEST_NO} "Default umask in /etc/login.defs could be more strict like 027" - AddHP 0 2 - fi - else - logtext "Result: file /etc/login.defs does not exist" - fi + AddHP 1 2 + elif [ "${FIND}" = "077" -o "${FIND}" = "027" ]; then + logtext "Result: umask is ${FIND}, which is fine" + Display --indent 4 --text "- Checking umask (/etc/login.defs)" --result OK --color GREEN + AddHP 2 2 + else + logtext "Result: found umask ${FIND}, which could be improved" + Display --indent 4 --text "- Checking umask (/etc/login.defs)" --result SUGGESTION --color YELLOW + ReportSuggestion ${TEST_NO} "Default umask in /etc/login.defs could be more strict like 027" + AddHP 0 2 + fi + else + logtext "Result: file /etc/login.defs does not exist" + fi - # Red Hat /etc/init.d/functions - logtext "Test: Checking 
/etc/init.d/functions" - if [ -f /etc/init.d/functions ]; then - logtext "Result: file /etc/init.d/functions exists" - logtext "Test: Checking umask value in /etc/init.d/functions" - FIND=`grep "^umask" /etc/init.d/functions | awk '{ print $2 }'` - if [ "${FIND}" = "" ]; then - logtext "Result: umask is not configured" - Display --indent 4 --text "- Checking umask (/etc/init.d/functions)" --result NONE --color WHITE - elif [ "${FIND}" = "077" -o "${FIND}" = "027" ]; then - logtext "Result: umask is ${FIND}, which is fine" - Display --indent 4 --text "- Checking umask (/etc/init.d/functions)" --result OK --color GREEN - AddHP 2 2 - else - logtext "Result: found umask ${FIND}, which could be improved" - Display --indent 4 --text "- Checking umask (/etc/init.d/functions)" --result SUGGESTION --color YELLOW - AddHP 0 2 - #YYY - fi - else - logtext "Result: file /etc/init.d/functions does not exist" - fi + # Red Hat /etc/init.d/functions + logtext "Test: Checking /etc/init.d/functions" + if [ -f /etc/init.d/functions ]; then + logtext "Result: file /etc/init.d/functions exists" + logtext "Test: Checking umask value in /etc/init.d/functions" + FIND=`grep "^umask" /etc/init.d/functions | awk '{ print $2 }'` + if [ "${FIND}" = "" ]; then + logtext "Result: umask is not configured" + Display --indent 4 --text "- Checking umask (/etc/init.d/functions)" --result NONE --color WHITE + elif [ "${FIND}" = "077" -o "${FIND}" = "027" ]; then + logtext "Result: umask is ${FIND}, which is fine" + Display --indent 4 --text "- Checking umask (/etc/init.d/functions)" --result OK --color GREEN + AddHP 2 2 + else + logtext "Result: found umask ${FIND}, which could be improved" + Display --indent 4 --text "- Checking umask (/etc/init.d/functions)" --result SUGGESTION --color YELLOW + AddHP 0 2 + fi + else + logtext "Result: file /etc/init.d/functions does not exist" + fi - # /etc/init.d/rc [T] - # Always needed? 
(YYY) - logtext "Test: Checking /etc/init.d/rc" - if [ -f /etc/init.d/rc ]; then - logtext "Result: file /etc/init.d/rc exists" - logtext "Test: Checking UMASK value in /etc/init.d/rc" - FIND=`grep -i "^UMASK" /etc/init.d/rc | awk '{ print $2 }'` - if [ "${FIND}" = "" ]; then - logtext "Result: UMASK value is not configured (most likely it will have the default 022 value)" - Display --indent 4 --text "- Checking umask (/etc/init.d/rc)" --result SUGGESTION --color YELLOW - ReportSuggestion ${TEST_NO} "Default umask in /etc/init.d/rc could not be found and defaults usually to 022, which could be more strict like 027" - AddHP 1 2 - elif [ "${FIND}" = "077" -o "${FIND}" = "027" ]; then - logtext "Result: umask is ${FIND}, which is fine" - Display --indent 4 --text "- Checking umask (/etc/init.d/rc)" --result OK --color GREEN - AddHP 2 2 - else - logtext "Result: found umask ${FIND}, which could be improved" - Display --indent 4 --text "- Checking umask (/etc/init.d/rc)" --result SUGGESTION --color YELLOW - ReportSuggestion ${TEST_NO} "Default umask in /etc/init.d/rc could be more strict like 027" - AddHP 0 2 - fi - else - logtext "Result: file /etc/init.d/rc does not exist" - fi + # /etc/init.d/rc [T] + # Always needed? 
(YYY) + logtext "Test: Checking /etc/init.d/rc" + if [ -f /etc/init.d/rc ]; then + logtext "Result: file /etc/init.d/rc exists" + logtext "Test: Checking UMASK value in /etc/init.d/rc" + FIND=`grep -i "^UMASK" /etc/init.d/rc | awk '{ print $2 }'` + if [ "${FIND}" = "" ]; then + logtext "Result: UMASK value is not configured (most likely it will have the default 022 value)" + Display --indent 4 --text "- Checking umask (/etc/init.d/rc)" --result SUGGESTION --color YELLOW + ReportSuggestion ${TEST_NO} "Default umask in /etc/init.d/rc could not be found and defaults usually to 022, which could be more strict like 027" + AddHP 1 2 + elif [ "${FIND}" = "077" -o "${FIND}" = "027" ]; then + logtext "Result: umask is ${FIND}, which is fine" + Display --indent 4 --text "- Checking umask (/etc/init.d/rc)" --result OK --color GREEN + AddHP 2 2 + else + logtext "Result: found umask ${FIND}, which could be improved" + Display --indent 4 --text "- Checking umask (/etc/init.d/rc)" --result SUGGESTION --color YELLOW + ReportSuggestion ${TEST_NO} "Default umask in /etc/init.d/rc could be more strict like 027" + AddHP 0 2 + fi + else + logtext "Result: file /etc/init.d/rc does not exist" + fi - # /etc/init.d/rcS [T] - # Always needed? (YYY) - logtext "Test: Checking /etc/init.d/rcS" - if [ -f /etc/init.d/rcS ]; then - logtext "Result: file /etc/init.d/rcS exists" - logtext "Test: Checking if script runs another script." 
- FIND=`grep -i "^exec " /etc/init.d/rcS | awk '{ print $2 }'` - if [ "${FIND}" = "" ]; then - FIND2=`grep -i "^UMASK" /etc/init.d/rcS | awk '{ print $2 }'` - if [ "${FIND2}" = "" ]; then - logtext "Result: UMASK value is not configured (most likely it will have the default 022 value)" - Display --indent 4 --text "- Checking umask (/etc/init.d/rcS)" --result SUGGESTION --color YELLOW - ReportSuggestion ${TEST_NO} "Default umask in /etc/init.d/rcS could not be found and defaults usually to 022, which could be more strict like 027" - AddHP 1 2 - elif [ "${FIND2}" = "077" -o "${FIND2}" = "027" ]; then - logtext "Result: umask is ${FIND2}, which is fine" - Display --indent 4 --text "- Checking umask (/etc/init.d/rcS)" --result OK --color GREEN - AddHP 2 2 - else - logtext "Result: found umask ${FIND2}, which could be improved" - Display --indent 4 --text "- Checking umask (/etc/init.d/rcS)" --result SUGGESTION --color YELLOW - ReportSuggestion ${TEST_NO} "Default umask in /etc/init.d/rcS could be more strict like 027" - AddHP 0 2 - fi - else - # Improve check - logtext "Result: exec line present in file, setting of umask not needed in this script" - logtext "Output: ${FIND}" - fi - else - logtext "Result: file /etc/init.d/rcS does not exist" - fi + # /etc/init.d/rcS [T] + # Always needed? (YYY) + logtext "Test: Checking /etc/init.d/rcS" + if [ -f /etc/init.d/rcS ]; then + logtext "Result: file /etc/init.d/rcS exists" + logtext "Test: Checking if script runs another script." 
+ FIND=`grep -i "^exec " /etc/init.d/rcS | awk '{ print $2 }'` + if [ "${FIND}" = "" ]; then + FIND2=`grep -i "^UMASK" /etc/init.d/rcS | awk '{ print $2 }'` + if [ "${FIND2}" = "" ]; then + logtext "Result: UMASK value is not configured (most likely it will have the default 022 value)" + Display --indent 4 --text "- Checking umask (/etc/init.d/rcS)" --result SUGGESTION --color YELLOW + ReportSuggestion ${TEST_NO} "Default umask in /etc/init.d/rcS could not be found and defaults usually to 022, which could be more strict like 027" + AddHP 1 2 + elif [ "${FIND2}" = "077" -o "${FIND2}" = "027" ]; then + logtext "Result: umask is ${FIND2}, which is fine" + Display --indent 4 --text "- Checking umask (/etc/init.d/rcS)" --result OK --color GREEN + AddHP 2 2 + else + logtext "Result: found umask ${FIND2}, which could be improved" + Display --indent 4 --text "- Checking umask (/etc/init.d/rcS)" --result SUGGESTION --color YELLOW + ReportSuggestion ${TEST_NO} "Default umask in /etc/init.d/rcS could be more strict like 027" + AddHP 0 2 + fi + else + # Improve check + logtext "Result: exec line present in file, setting of umask not needed in this script" + logtext "Output: ${FIND}" + fi + else + logtext "Result: file /etc/init.d/rcS does not exist" + fi fi # 
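Review bot: The log line directly after the `/etc/login.defs` existence check still names the wrong file, `logtext "Result: file /etc/profile exists"`; it should be `logtext "Result: file /etc/login.defs exists"`, otherwise the audit log misattributes the umask finding. A second point on the new side: each `FIND=` produced by `grep ... | awk '{ print $2 }'` is compared only against the literal strings 077 and 027, so a file with two matching lines, or a value spelled 0027, lands in the "could be improved" branch instead of being evaluated; reducing to the last match (`| tail -1`) and accepting both spellings would make the verdict more reliable. The `/etc/init.d/functions` branch also awards no hardening points when umask is absent, unlike the `/etc/login.defs` and `/etc/init.d/rc` branches which call `AddHP 1 2`, which deserves a short comment explaining the asymmetry if it is intended. The enclosing test block begins before this hunk.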
@@ -1141,49 +1140,48 @@ # Description : Solaris account locking Register --test-no AUTH-9340 --os Solaris --weight L --network NO --description "Solaris account locking" if [ ${SKIPTEST} -eq 0 ]; then - FOUND=0 - if [ -f /etc/security/policy.conf ]; then - logtext "Result: found /etc/security/policy.conf" - FIND=`grep "^LOCK_AFTER_RETRIES" /etc/security/policy.conf` - if [ ! "${FIND}" = "" ]; then - FOUND=1 - logtext "Result: account locking option set" - logtext "Output: ${FIND}" - AddHP 2 2 - else - logtext "Result: option LOCK_AFTER_RETRIES not set" - AddHP 1 2 - fi - else - logtext "Result: /etc/security/policy.conf does not exist" - fi - # If policy.conf does not exist, we most likely deal with a Solaris version below 10 - # and we proceed with checking the softer option RETRIES in /etc/default/login - # which does not lock account, but discourages brute force password attacks. - if [ ${FOUND} -eq 0 ]; then - logtext "Test: checking /etc/default/login" - if [ -f /etc/default/login ]; then - logtext "Result: file /etc/default/login exists" - FIND=`grep "^RETRIES" /etc/default/login` - if [ ! "${FIND}" = "" ]; then - FOUND=1 - logtext "Result: retries option configured" - logtext "Output: ${FIND}" - AddHP 2 2 - else - logtext "Result: retries option not configured" - AddHP 1 2 - fi - else - logtext "Result: file /etc/default/login does not exist" - fi - fi - if [ ${FOUND} -eq 1 ]; then - Display --indent 2 --text "- Checking account locking" --result "ENABLED" --color GREEN - else - Display --indent 2 --text "- Checking account locking" --result "NOT ENABLED" --color YELLOW - fi - + FOUND=0 + if [ -f /etc/security/policy.conf ]; then + logtext "Result: found /etc/security/policy.conf" + FIND=`grep "^LOCK_AFTER_RETRIES" /etc/security/policy.conf` + if [ ! 
"${FIND}" = "" ]; then + FOUND=1 + logtext "Result: account locking option set" + logtext "Output: ${FIND}" + AddHP 2 2 + else + logtext "Result: option LOCK_AFTER_RETRIES not set" + AddHP 1 2 + fi + else + logtext "Result: /etc/security/policy.conf does not exist" + fi + # If policy.conf does not exist, we most likely deal with a Solaris version below 10 + # and we proceed with checking the softer option RETRIES in /etc/default/login + # which does not lock account, but discourages brute force password attacks. + if [ ${FOUND} -eq 0 ]; then + logtext "Test: checking /etc/default/login" + if [ -f /etc/default/login ]; then + logtext "Result: file /etc/default/login exists" + FIND=`grep "^RETRIES" /etc/default/login` + if [ ! "${FIND}" = "" ]; then + FOUND=1 + logtext "Result: retries option configured" + logtext "Output: ${FIND}" + AddHP 2 2 + else + logtext "Result: retries option not configured" + AddHP 1 2 + fi + else + logtext "Result: file /etc/default/login does not exist" + fi + fi + if [ ${FOUND} -eq 1 ]; then + Display --indent 2 --text "- Checking account locking" --result "ENABLED" --color GREEN + else + Display --indent 2 --text "- Checking account locking" --result "NOT ENABLED" --color YELLOW + fi fi # ################################################################################# 
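Review bot: The policy.conf check `FIND=`grep "^LOCK_AFTER_RETRIES" /etc/security/policy.conf`` tests only that the key is present, so an explicit `LOCK_AFTER_RETRIES=NO` is logged as "account locking option set" and still earns `AddHP 2 2`. The option takes YES or NO, so the value should be matched, e.g. `FIND=`grep "^LOCK_AFTER_RETRIES=YES" /etc/security/policy.conf`` (I believe policy.conf is written without whitespace around the `=`, but confirm on a Solaris host before relying on that). With the value checked, a NO setting correctly leaves FOUND=0 and falls through to the softer /etc/default/login RETRIES test that the comment describes; that `^RETRIES` grep is likewise presence-only and would presumably count a value of 0 as configured.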
@@ -1222,19 +1220,19 @@ # Description : Query LDAP authentication support Register --test-no AUTH-9402 --weight L --network NO --description "Query LDAP authentication support" if [ ${SKIPTEST} -eq 0 ]; then - if [ -f /etc/nsswitch.conf ]; then - FIND=`egrep "^passwd" /etc/nsswitch.conf | grep "ldap"` - if [ "${FIND}" = "" ]; then - logtext "Result: LDAP authentication not enabled" - Display --indent 2 --text "- Checking LDAP authentication support" --result "NOT ENABLED" --color WHITE - else - logtext "Result: LDAP authentication enabled" - Display --indent 2 --text "- Checking LDAP authentication support" --result "ENABLED" --color GREEN - LDAP_AUTH_ENABLED=1 - fi - else - logtext "Result: /etc/nsswitch.conf not found" - fi + if [ -f /etc/nsswitch.conf ]; then + FIND=`egrep "^passwd" /etc/nsswitch.conf | grep "ldap"` + if [ "${FIND}" = "" ]; then + logtext "Result: LDAP authentication not enabled" + Display --indent 2 --text "- Checking LDAP authentication support" --result "NOT ENABLED" --color WHITE + else + logtext "Result: LDAP authentication enabled" + Display --indent 2 --text "- Checking LDAP authentication support" --result "ENABLED" --color GREEN + LDAP_AUTH_ENABLED=1 + fi + else + logtext "Result: /etc/nsswitch.conf not found" + fi fi # ################################################################################# 
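Review bot: `LDAP_AUTH_ENABLED=1` is assigned only in the enabled branch; neither the "NOT ENABLED" branch nor the missing-nsswitch branch sets it, so the later `if [ ${LDAP_AUTH_ENABLED} -eq 1 ]` prerequisite in AUTH-9406 depends on an initialisation outside this hunk, and if that is missing the unquoted test fails with a unary-operator error. Adding `LDAP_AUTH_ENABLED=0` to the two negative branches makes the test self-contained. Separately, `egrep "^passwd" /etc/nsswitch.conf | grep "ldap"` also matches `passwd_compat:` entries and the word ldap inside a trailing comment; `grep "^passwd:" /etc/nsswitch.conf | grep -w "ldap"` is tighter.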
@@ -1269,22 +1267,22 @@ if [ ${LDAP_AUTH_ENABLED} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no AUTH-9406 --preqs-met ${PREQS_MET} --weight L --network NO --description "Query LDAP servers in client configuration" if [ ${SKIPTEST} -eq 0 ]; then - logtext "Test: checking ldap.conf options" - for I in ${LDAP_CONF_LOCATIONS}; do - logtext "Test: checking ${I}" - if [ -f ${I} ]; then - logtext "Result: file ${I} exists" - logtext "Test: checking LDAP servers in file ${I}" - FIND2=`egrep "^host " ${I} | awk '{ print $2 }'` - for I in ${FIND2}; do - Display --indent 6 --text "LDAP server: ${I}" - logtext "Result: found LDAP server ${I}" - # YYY check if host(s) are reachable/respond to queries - done - else - logtext "Result: ${I} does NOT exist" - fi - done + logtext "Test: checking ldap.conf options" + for I in ${LDAP_CONF_LOCATIONS}; do + logtext "Test: checking ${I}" + if [ -f ${I} ]; then + logtext "Result: file ${I} exists" + logtext "Test: checking LDAP servers in file ${I}" + FIND2=`egrep "^host " ${I} | awk '{ print $2 }'` + for I in ${FIND2}; do + Display --indent 6 --text "LDAP server: ${I}" + logtext "Result: found LDAP server ${I}" + # YYY check if host(s) are reachable/respond to queries + done + else + logtext "Result: ${I} does NOT exist" + fi + done fi # ################################################################################# |
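Review bot: The inner `for I in ${FIND2}; do` reuses the outer loop variable `I`, which at that point holds the ldap.conf path; iteration still completes because `for` walks its precomputed list, but any later use of `${I}` in that outer iteration would name a server instead of a file, so rename it, e.g. `for J in ${FIND2}; do` with the `Display` and `logtext` lines using `${J}`. Also `awk '{ print $2 }'` keeps only the first server of a `host ldap1 ldap2` line, and the case-sensitive `egrep "^host "` never sees `HOST` or `URI` directives, so configured servers can go unlisted. `[ -f ${I} ]` should be quoted as `[ -f "${I}" ]`, matching the quoted tests elsewhere in the file.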