github.com/CISOfy/lynis.git
-rw-r--r--  CHANGELOG                         |  68
-rw-r--r--  CONTRIBUTORS                      |   2
-rw-r--r--  FAQ                               |   2
-rw-r--r--  INSTALL                           |   2
-rw-r--r--  README                            |   2
-rw-r--r--  include/tests_accounting          | 136
-rw-r--r--  include/tests_authentication      | 448
-rw-r--r--  include/tests_banners             |  71
-rw-r--r--  include/tests_boot_services       | 241
-rw-r--r--  include/tests_containers          |  57
-rw-r--r--  include/tests_crypto              |  22
-rw-r--r--  include/tests_custom.template     |  10
-rw-r--r--  include/tests_databases           |  30
-rw-r--r--  include/tests_file_integrity      |  78
-rw-r--r--  include/tests_file_permissions    |  18
-rw-r--r--  include/tests_filesystems         | 188
-rw-r--r--  include/tests_firewalls           | 104
-rw-r--r--  include/tests_hardening           |  58
-rw-r--r--  include/tests_homedirs            |  28
-rw-r--r--  include/tests_insecure_services   |  24
-rw-r--r--  include/tests_kernel              | 246
-rw-r--r--  include/tests_kernel_hardening    |  10
-rw-r--r--  include/tests_ldap                |  14
-rw-r--r--  include/tests_logging             | 162
-rw-r--r--  include/tests_mac_frameworks      |  56
-rw-r--r--  include/tests_mail_messaging      |  54
-rw-r--r--  include/tests_malware             |  76
-rw-r--r--  include/tests_memory_processes    |  38
-rw-r--r--  include/tests_nameservices        | 230
-rw-r--r--  include/tests_networking          | 108
-rw-r--r--  include/tests_php                 |  72
-rw-r--r--  include/tests_ports_packages      | 366
-rw-r--r--  include/tests_printers_spools     |  88
-rw-r--r--  include/tests_scheduling          | 100
-rw-r--r--  include/tests_shells              | 170
-rw-r--r--  include/tests_snmp                |  24
-rw-r--r--  include/tests_solaris             |  16
-rw-r--r--  include/tests_squid               |  92
-rw-r--r--  include/tests_ssh                 |  54
-rw-r--r--  include/tests_storage             |  38
-rw-r--r--  include/tests_storage_nfs         |  48
-rw-r--r--  include/tests_time                | 164
-rw-r--r--  include/tests_tooling             |  48
-rw-r--r--  include/tests_virtualization      |   8
-rw-r--r--  include/tests_webservers          | 126
-rwxr-xr-x  lynis                             |   6
46 files changed, 2028 insertions, 1975 deletions
diff --git a/CHANGELOG b/CHANGELOG
index 46874141..c8617835 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -30,20 +30,22 @@
Depending on the operating system, Lynis now tries to determine if failed logins are properly logged. This includes
checking for /etc/login.defs [AUTH-9408]. Merged password check on Solaris into AUTH-9228.
- PAM settings are now analyzed, including:
+ New plugin is introduced to analyze PAM settings. It including items like:
- Two-factor authentication methods
- Minimum password length, password strength and protection status against brute force cracking
+ - Password history
- report option: auth_failed_logins_logged
+ Report option: auth_failed_logins_logged
* Compliance
------------
- Added new compliance_standards option to default.prf, to define if compliance testing should be performed, and for which standards.
+ Added new compliance_standards option to default.prf. This defines if compliance testing should be performed in future, and for which standards.
- Right now these (partial) standards are included:
+ Right now these standards can be selected:
+ - CIS benchmarks
- HIPAA
- ISO27001/ISO27002
- - PCI-DSS
+ - PCI DSS
* DNS and Name services
-----------------------
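Review bot: the rewritten PAM line "New plugin is introduced to analyze PAM settings. It including items like:" has a grammar slip; suggest "A new plugin analyzes PAM settings, including:" so the bullet list that follows reads naturally. The compliance line also drops the earlier "(partial)" qualifier when it becomes "Right now these standards can be selected:"; if coverage of CIS, HIPAA, ISO27001/ISO27002 and PCI DSS is still partial, keep that word so readers do not take the list as full coverage.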
@@ -53,23 +55,47 @@
* Firewalls
-----------
- IPFW firewall on FreeBSD test improved
- Don't show pflogd status on screen when pf is not available
+ Test for IPFW firewall on FreeBSD has been improved and status of pflogd will no longer be displayed on screen when pf is not available.
+ New test FIRE-4532 now supports detection of the Mac OS X application firewall. Also the status of application firewalls is audited now.
+
+ * Hardware
+ ----------
+ Detection of firewire is enhanced (both ohci and core detected).
* Malware
---------
- ESET and LMD (Linux Malware Detect) is now recognized as a malware scanner. Discovered malware scanners are now also logged to the report.
+ ESET and LMD (Linux Malware Detect) are recognized as a malware scanner. Discovered malware scanners are also logged to the report.
* Mount points
--------------
FILE-6374 is expanded to test for multiple common mount points and define best practice mount flags.
+ * Networking
+ ------------
+ NETW-3004 now collects network interface names from most common operating systems.
+
* Operating systems
-------------------
- Improved support for Debian 8 systems.
+ Improved support for Debian 8 systems. Detection for VMware release has been added.
Boot loader exception is not longer displayed when only a subset of tests is performed.
FreeBSD systems can now use service command to gather information about enabled services.
+ Support for boot loader detection on Mac OS X
+
+ * Passwords
+ -----------
+ AUTH-9286 change has been extended to both capture minimum and password age.
+
+ * Software
+ ----------
+ Log when vulnerable software packages were found
+
+ * SSH
+ -----
+ Multiple configuration tests of SSH are now merged into SSH-7408. This enables easier testing later on and reduces repetition.
+
+ Special thanks to: Kamil BoratyƄski
+
* UEFI and Secure Boot
----------------------
Initial support to test UEFI settings, including Secure Boot option
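Review bot: the new line "Special thanks to: Kamil BoratyƄski" carries a mis-encoded character (Ƅ); check that the CHANGELOG is saved as UTF-8 so the contributor's name renders correctly. The Passwords entry "AUTH-9286 change has been extended to both capture minimum and password age" is hard to parse; reword it to name the two values the test now captures. The unchanged context line "Boot loader exception is not longer displayed" should read "no longer" while this section is being edited.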
@@ -86,10 +112,12 @@
[AUTH-9204] Exclude NIS entries to avoid false positives
[AUTH-9230] Removed test as it was merged into AUTH-9228
[AUTH-9328] Show correct message when no umask is found in /etc/profile. It also includes improved logging, and support for /etc/login.conf on systems like FreeBSD.
+ [BOOT-5106] New test to test boot loader on Mac OS X
[BOOT-5180] Only gets executed if runlevel 2 is found
[CONT-8108] New test to test for Docker file permissions
[FILE-6410] Added /var/lib/locatedb as search path
[HOME-9310] Use POSIX compatible flags to avoid errors on BusyBox
+ [PKGS-7308] Split package name and version for RPM based package manager
[MALW-3278] New test to detect LMD (Linux Malware Detect)
[SHLL-6230] Test for umask values in shell configuration files (e.g. rc files)
[TIME-3104] Show only suggestion on FreeBSD systems if ntpdate is configured, yet ntpd isn't running
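Review bot: the new [PKGS-7308] entry is inserted between [HOME-9310] and [MALW-3278], which breaks the alphabetical order of this list; move it below [MALW-3278]. The new [BOOT-5106] line "New test to test boot loader on Mac OS X" repeats "test"; "New test for the boot loader on Mac OS X" reads better and matches the CONT-8108 wording.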
@@ -99,22 +127,28 @@
[DigitsOnly] New function to extract only numbers from a text string
[DisplayManual] New function to show text on screen without any markup
[ExitCustom] New function to allow program to exit with a different exit code, depending on outcome
+ [GetHostID] If no MAC address is found, use SSH keys for creation of a host identifier
+ [IsWordWritable] Changed return codes for easier usage of the function
+ [LogText] Replaces the older logtext function
+ [Report] Replaces the older report function
[ReportSuggestion] Allows two additional parameters to store details (text and external reference to a solution)
[ReportWarning] Like ReportSuggestion() has additional parameters
[ShowComplianceFinding] Display compliance findings
+ [ShowSymlinkPath] Ensure readlink is available
* General improvements
----------------------
- - When using pentest mode, it will continue without any delays (=quick mode)
- - Data uploads: provide help when self-signed certificates are used
- - Improved output for tests which before showed results as a warning, while actually are just suggestions
- - Lynis now uses different exit codes, depending on errors or finding warnings. This helps with automation and any
- custom scripting you want to apply
- - Tool tips are displayed, to make Lynis even easier to use
- - PID file has additional checks, including cleanups
+ - When using pentest mode, it will continue without any delays (=quick mode).
+ - Data uploads: provide help when self-signed certificates are used.
+ - Improved output for tests which before showed results as a warning, while actually are just suggestions.
+ - Lynis now uses different exit codes, depending on errors or finding warnings. This helps with automation and any custom scripting you want to apply.
+ - Preparations to allow compressing the Lynis report file and enhance uploads.
+ - Tool tips are displayed, to make Lynis even easier to use.
+ - PID file has additional checks, including cleanups.
* Plugins
---------
+ [PAM] New plugin available in all versions of Lynis
[PLGN-2804] Limit report output of EXT file systems to 1 item per line
--------------------------------------------------------------
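Review bot: the [LogText] and [Report] entries say the old logtext and report functions are replaced, but not whether the lowercase names are kept as compatibility aliases; custom tests and plugins written against the old names would otherwise fail with "command not found" on the next run. Since include/tests_custom.template is touched in this diffstat, the rename is clearly meant to reach third-party tests, so state explicitly either that the aliases remain for one release or that callers must rename now.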
@@ -1937,4 +1971,4 @@
================================================================================
- Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com
+ Lynis - Copyright 2007-2016, Michael Boelen, CISOfy - https://cisofy.com
diff --git a/CONTRIBUTORS b/CONTRIBUTORS
index 53b83795..56887dff 100644
--- a/CONTRIBUTORS
+++ b/CONTRIBUTORS
@@ -37,4 +37,4 @@
================================================================================
- Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com
+ Lynis - Copyright 2007-2016, Michael Boelen, CISOfy - https://cisofy.com
diff --git a/FAQ b/FAQ
index e0bd9736..af388c6f 100644
--- a/FAQ
+++ b/FAQ
@@ -95,4 +95,4 @@
================================================================================
- Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com
+ Lynis - Copyright 2007-2016, Michael Boelen, CISOfy - https://cisofy.com
diff --git a/INSTALL b/INSTALL
index 6a11ccba..a2497ea6 100644
--- a/INSTALL
+++ b/INSTALL
@@ -45,4 +45,4 @@
================================================================================
- Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com
+ Lynis - Copyright 2007-2016, Michael Boelen, CISOfy - https://cisofy.com
diff --git a/README b/README
index debc1002..c338ef67 100644
--- a/README
+++ b/README
@@ -136,4 +136,4 @@
================================================================================
- Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com
+ Lynis - Copyright 2007-2016, Michael Boelen, CISOfy - https://cisofy.com
diff --git a/include/tests_accounting b/include/tests_accounting
index 5c3bda3c..cfc1113d 100644
--- a/include/tests_accounting
+++ b/include/tests_accounting
@@ -5,7 +5,7 @@
# Lynis
# ------------------
#
-# Copyright 2007-2015, Michael Boelen (michael.boelen@cisofy.com)
+# Copyright 2007-2016, Michael Boelen (michael.boelen@cisofy.com)
# Web site: https://cisofy.com
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
@@ -31,12 +31,12 @@
if [ ${SKIPTEST} -eq 0 ]; then
if [ -f /var/account/acct ]; then
Display --indent 2 --text "- Checking accounting information" --result OK --color GREEN
- logtext "Result: /var/account/acct available"
+ LogText "Result: /var/account/acct available"
AddHP 3 3
else
Display --indent 2 --text "- Checking accounting information" --result "NOT FOUND" --color YELLOW
- logtext "Result: No accounting information available"
- logtext "Remark: Possibly there is another location where the accounting data is stored"
+ LogText "Result: No accounting information available"
+ LogText "Remark: Possibly there is another location where the accounting data is stored"
ReportSuggestion ${TEST_NO} "Enable process accounting"
AddHP 2 3
fi
@@ -49,23 +49,23 @@
# Notes : /var/log/pacct (Slackware)
Register --test-no ACCT-9622 --os Linux --weight L --network NO --description "Check for available Linux accounting information"
if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: Check accounting information"
+ LogText "Test: Check accounting information"
if [ -f /var/account/pacct ]; then
Display --indent 2 --text "- Checking accounting information" --result OK --color GREEN
- logtext "Result: /var/account/pacct available"
+ LogText "Result: /var/account/pacct available"
AddHP 3 3
elif [ -f /var/log/account/pacct ]; then
Display --indent 2 --text "- Checking accounting information" --result OK --color GREEN
- logtext "Result: /var/log/account/pacct available"
+ LogText "Result: /var/log/account/pacct available"
AddHP 3 3
elif [ -f /var/log/pacct ]; then
Display --indent 2 --text "- Checking accounting information" --result OK --color GREEN
- logtext "Result: /var/log/pacct available"
+ LogText "Result: /var/log/pacct available"
AddHP 3 3
else
Display --indent 2 --text "- Checking accounting information" --result "NOT FOUND" --color YELLOW
- logtext "Result: No accounting information available (/var/account/pacct, /var/log/account/pact nor /var/log/pact exist)"
- logtext "Remark: Possibly there is another location where the accounting data is stored"
+ LogText "Result: No accounting information available (/var/account/pacct, /var/log/account/pact nor /var/log/pact exist)"
+ LogText "Remark: Possibly there is another location where the accounting data is stored"
ReportSuggestion ${TEST_NO} "Enable process accounting"
AddHP 2 3
fi
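Review bot: the touched log line `LogText "Result: No accounting information available (/var/account/pacct, /var/log/account/pact nor /var/log/pact exist)"` misspells two of the three paths it reports ("pact" instead of "pacct"), so the message does not match the files actually tested in the branches above; since the line is rewritten anyway, correct them to /var/log/account/pacct and /var/log/pacct.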
@@ -77,30 +77,30 @@
# Description : Check sysstat accounting data
Register --test-no ACCT-9626 --os Linux --weight L --network NO --description "Check for sysstat accounting data"
if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: check /etc/default/sysstat presence"
+ LogText "Test: check /etc/default/sysstat presence"
if [ -f /etc/default/sysstat ]; then
- logtext "Result: /etc/default/sysstat found"
+ LogText "Result: /etc/default/sysstat found"
FIND=`grep "^ENABLED" /etc/default/sysstat | grep -i true`
if [ ! "${FIND}" = "" ]; then
- logtext "Result: sysstat enabled via /etc/default/sysstat"
+ LogText "Result: sysstat enabled via /etc/default/sysstat"
Display --indent 2 --text "- Checking sysstat accounting data" --result ENABLED --color GREEN
else
- logtext "Result: sysstat disabled via /etc/default/sysstat"
+ LogText "Result: sysstat disabled via /etc/default/sysstat"
Display --indent 2 --text "- Checking sysstat accounting data" --result DISABLED --color WHITE
ReportSuggestion ${TEST_NO} "Enable sysstat to collect accounting (disabled)"
fi
elif [ -f /etc/cron.d/sysstat ]; then
FIND=`grep -v '^[[:space:]]*\(#\|$\)' /etc/cron.d/sysstat`
if [ ! "${FIND}" = "" ]; then
- logtext "Result: sysstat enabled via /etc/cron.d/sysstat"
+ LogText "Result: sysstat enabled via /etc/cron.d/sysstat"
Display --indent 2 --text "- Checking sysstat accounting data" --result ENABLED --color GREEN
else
- logtext "Result: sysstat disabled via /etc/cron.d/sysstat"
+ LogText "Result: sysstat disabled via /etc/cron.d/sysstat"
Display --indent 2 --text "- Checking sysstat accounting data" --result DISABLED --color WHITE
ReportSuggestion ${TEST_NO} "Enable sysstat to collect accounting (cron disabled)"
fi
else
- logtext "Result: sysstat not found via /etc/default/sysstat or /etc/cron.d/sysstat"
+ LogText "Result: sysstat not found via /etc/default/sysstat or /etc/cron.d/sysstat"
Display --indent 2 --text "- Checking sysstat accounting data" --result "NOT FOUND" --color YELLOW
ReportSuggestion ${TEST_NO} "Enable sysstat to collect accounting (no results)"
fi
@@ -113,24 +113,24 @@
if [ ! "${AUDITDBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no ACCT-9628 --os Linux --weight L --network NO --description "Check for auditd"
if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: Check auditd status"
+ LogText "Test: Check auditd status"
# Should not get kauditd
IsRunning auditd
if [ ${RUNNING} -eq 1 ]; then
- logtext "Result: auditd running"
+ LogText "Result: auditd running"
Display --indent 2 --text "- Checking auditd" --result ENABLED --color GREEN
AUDITD_RUNNING=1
- report "audit_daemon_running=1"
- report "audit_trail_tool[]=auditd"
+ Report "audit_daemon_running=1"
+ Report "audit_trail_tool[]=auditd"
AddHP 4 4
else
- logtext "Result: auditd not active"
+ LogText "Result: auditd not active"
Display --indent 2 --text "- Checking auditd" --result "NOT FOUND" --color WHITE
if [ ! "${VMTYPE}" = "openvz" ]; then
ReportSuggestion ${TEST_NO} "Enable auditd to collect audit information"
fi
AUDITD_RUNNING=0
- report "audit_daemon_running=0"
+ Report "audit_daemon_running=0"
AddHP 0 1
fi
fi
@@ -142,21 +142,21 @@
if [ ! "${AUDITDBINARY}" = "" -a ! "${AUDITCTLBINARY}" = "" -a ${AUDITD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no ACCT-9630 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --root-only YES --description "Check for auditd rules"
if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: Checking auditd rules"
+ LogText "Test: Checking auditd rules"
FIND=`${AUDITCTLBINARY} -l | grep -v "No rules"`
if [ "${FIND}" = "" ]; then
- logtext "Result: auditd rules empty"
+ LogText "Result: auditd rules empty"
Display --indent 4 --text "- Checking audit rules" --result SUGGESTION --color YELLOW
AddHP 0 2
ReportSuggestion ${TEST_NO} "Audit daemon is enabled with an empty ruleset. Disable the daemon or define rules"
else
- logtext "Result: found auditd rules"
+ LogText "Result: found auditd rules"
Display --indent 4 --text "- Checking audit rules" --result OK --color GREEN
# Log audit daemon rules
FIND=`${AUDITCTLBINARY} -l | sed 's/ /!space!/g'`
for I in ${FIND}; do
I=`echo ${I} | sed 's/!space!/ /g'`
- logtext "Output: ${I}"
+ LogText "Output: ${I}"
done
fi
fi
@@ -168,20 +168,20 @@
if [ ! "${AUDITDBINARY}" = "" -a ${AUDITD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no ACCT-9632 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --description "Check for auditd configuration file"
if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: Checking auditd configuration file"
+ LogText "Test: Checking auditd configuration file"
for I in ${AUDITD_CONF_LOCS}; do
if [ -f ${I}/auditd.conf ]; then
AUDITD_CONF_FILE="${I}/auditd.conf"
- logtext "Result: Found ${I}/auditd.conf"
+ LogText "Result: Found ${I}/auditd.conf"
else
- logtext "Result: ${I}/auditd.conf not found"
+ LogText "Result: ${I}/auditd.conf not found"
fi
done
# Check if we discovered the configuration file. It should be there is the binaries are available and process is running
if [ ! "${AUDITD_CONF_FILE}" = "" ]; then
Display --indent 4 --text "- Checking audit configuration file" --result OK --color GREEN
else
- logtext "Result: could not find auditd configuration file"
+ LogText "Result: could not find auditd configuration file"
Display --indent 4 --text "- Checking audit configuration file" --result WARNING --color RED
ReportSuggestion ${TEST_NO} "Determine the location of auditd configuration file"
fi
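Review bot: the loop over ${AUDITD_CONF_LOCS} keeps overwriting AUDITD_CONF_FILE and never breaks, so when more than one location holds an auditd.conf the last one wins rather than the first; add `break` after the assignment, or document that the last entry takes precedence. The context comment "It should be there is the binaries are available and process is running" should read "if the binaries are available".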
@@ -194,22 +194,22 @@
if [ ! "${AUDITDBINARY}" = "" -a ${AUDITD_RUNNING} -eq 1 -a ! "${AUDITD_CONF_FILE}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no ACCT-9634 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --description "Check for auditd log file"
if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: Checking auditd log file"
+ LogText "Test: Checking auditd log file"
FIND=`grep "^log_file" ${AUDITD_CONF_FILE} | ${AWKBINARY} '{ if ($1=="log_file" && $2=="=") { print $3 } }'`
if [ ! "${FIND}" = "" ]; then
- logtext "Result: log file is defined"
- logtext "Defined value: ${FIND}"
+ LogText "Result: log file is defined"
+ LogText "Defined value: ${FIND}"
if [ -f ${FIND} ]; then
- logtext "Result: log file ${FIND} exists on disk"
+ LogText "Result: log file ${FIND} exists on disk"
Display --indent 4 --text "- Checking auditd log file" --result FOUND --color GREEN
- report "logfile[]=${FIND}"
+ Report "logfile[]=${FIND}"
else
- logtext "Result: can't find log file ${FIND} on disk"
+ LogText "Result: can't find log file ${FIND} on disk"
Display --indent 4 --text "- Checking auditd log file" --result SUGGESTION --color YELLOW
ReportSuggestion ${TEST_NO} "Check auditd log file location"
fi
else
- logtext "Result: no log file found"
+ LogText "Result: no log file found"
Display --indent 4 --text "- Checking auditd log file" --result WARNING --color RED
ReportWarning ${TEST_NO} "L" "Auditd log file is defined but can not be found on disk"
fi
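Review bot: the awk filter `$1=="log_file" && $2=="="` only matches when log_file, "=" and the path are separated by whitespace, so a `log_file=/path` line falls through to the final else branch as "no log file found"; that branch then raises the warning "Auditd log file is defined but can not be found on disk", which describes the opposite case (the value could not be parsed at all, and the on-disk check lives in the inner else). Suggest normalising the line before splitting, for example `sed 's/[[:space:]]*=[[:space:]]*/ = /'` ahead of the awk, and changing the outer warning to say the log_file setting is missing from ${AUDITD_CONF_FILE}.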
@@ -223,23 +223,23 @@
if [ ${SKIPTEST} -eq 0 ]; then
FILE="/lib/snoopy.so"
if [ -f ${FILE} ]; then
- logtext "Result: found ${FILE}"
+ LogText "Result: found ${FILE}"
Display --indent 2 --text "- Checking Snoopy" --result FOUND --color GREEN
if [ -f /etc/ld.so.preload ]; then
- logtext "Result: found /etc/ld.so.preload, testing if snoopy.so is listed"
+ LogText "Result: found /etc/ld.so.preload, testing if snoopy.so is listed"
FIND=`grep ${FILE} /etc/ld.so.preload`
if [ ! "${FIND}" = "" ]; then
- logtext "Result: found snoopy in ld.so.preload"
- logtext "Output: ${FIND}"
+ LogText "Result: found snoopy in ld.so.preload"
+ LogText "Output: ${FIND}"
Display --indent 6 --text "- Library in ld.so.preload" --result "LOADED" --color GREEN
- report "audit_trail_tool[]=snoopy"
+ Report "audit_trail_tool[]=snoopy"
else
Display --indent 6 --text "- Library in ld.so.preload" --result "NOT FOUND" --color YELLOW
ReportSuggestion ${TEST_NO} "Snoopy is installed but not loaded via /etc/ld.so.preload"
AddHP 3 3
fi
else
- logtext "Result: /etc/ld.so.preload does not exist"
+ LogText "Result: /etc/ld.so.preload does not exist"
Display --indent 6 --text "- Library in ld.so.preload" --result "UNKNOWN" --color PURPLE
ReportException "${TEST_NO}:1" "Unsure how Snoopy might be loaded as ld.so.preload does not exist"
fi
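Review bot: the hardening points are inverted in this block: the branch where snoopy is listed in /etc/ld.so.preload (the desired state) awards nothing, while the branch that files the suggestion "Snoopy is installed but not loaded" awards `AddHP 3 3`; move `AddHP 3 3` to the LOADED branch and give the unloaded case a lower score. `FILE="/lib/snoopy.so"` is also a single hard-coded path, so installations that place the library elsewhere are reported as not found; consider checking a list of candidate library directories.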
@@ -252,14 +252,14 @@
# Description : Check Solaris audit daemon presence
Register --test-no ACCT-9650 --os Solaris --weight L --network NO --description "Check Solaris audit daemon"
if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: check if audit daemon is running"
+ LogText "Test: check if audit daemon is running"
IsRunning auditd
if [ ${RUNNING} -eq 1 ]; then
- logtext "Result: Solaris audit daemon is running"
+ LogText "Result: Solaris audit daemon is running"
SOLARIS_AUDITD_RUNNING=1
Display --indent 2 --text "- Checking Solaris audit daemon status" --result RUNNING --color GREEN
else
- logtext "Result: Solaris audit daemon is not running"
+ LogText "Result: Solaris audit daemon is not running"
Display --indent 2 --text "- Checking Solaris audit daemon status" --result "NOT RUNNING" --color YELLOW
fi
fi
@@ -271,10 +271,10 @@
if [ -x /usr/bin/svcs -a ${SOLARIS_AUDITD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no ACCT-9652 --os Solaris --preqs-met ${PREQS_MET} --weight L --network NO --description "Check auditd SMF status"
if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: check if auditd service is enabled and online"
+ LogText "Test: check if auditd service is enabled and online"
FIND=`/usr/bin/svcs svc:/system/auditd:default | grep "^online"`
if [ ! "${FIND}" = "" ]; then
- logtext "Result: auditd service is online"
+ LogText "Result: auditd service is online"
Display --indent 4 --text "- Checking Solaris audit daemon status" --result ONLINE --color GREEN
else
Display --indent 4 --text "- Checking Solaris audit daemon status" --result "NOT ONLINE" --color YELLOW
@@ -289,17 +289,17 @@
if [ ${SOLARIS_AUDITD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no ACCT-9654 --os Solaris --preqs-met ${PREQS_MET} --weight L --network NO --description "Check BSM auditing in /etc/system"
if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: check if BSM is enabled in /etc/system"
+ LogText "Test: check if BSM is enabled in /etc/system"
if [ -f /etc/system ]; then
FIND=`grep 'set c2audit:audit_load = 1' /etc/system`
if [ ! "${FIND}" = "" ]; then
- logtext "Result: BSM is enabled in /etc/system"
+ LogText "Result: BSM is enabled in /etc/system"
Display --indent 4 --text "- Checking Solaris BSM (/etc/system)" --result ENABLED --color GREEN
else
Display --indent 4 --text "- Checking Solaris BSM (/etc/system)" --result "NOT FOUND" --color YELLOW
fi
else
- logtext "Result: /etc/system does not exist"
+ LogText "Result: /etc/system does not exist"
fi
fi
#
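Review bot: `grep 'set c2audit:audit_load = 1' /etc/system` matches only that exact spacing, so an entry written as `set c2audit:audit_load=1` or with extra whitespace is reported as NOT FOUND; a pattern such as `'^[[:space:]]*set[[:space:]]*c2audit:audit_load[[:space:]]*=[[:space:]]*1'` covers both. When /etc/system is absent the block only logs and shows no Display line, unlike the sibling tests, so the screen output has a gap there.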
@@ -310,18 +310,18 @@
if [ ${SOLARIS_AUDITD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no ACCT-9656 --os Solaris --preqs-met ${PREQS_MET} --weight L --network NO --description "Check BSM auditing in module list"
if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: check if c2audit module is active"
+ LogText "Test: check if c2audit module is active"
if [ -x /usr/sbin/modinfo ]; then
FIND=`/usr/sbin/modinfo | grep c2audit`
if [ ! "${FIND}" = "" ]; then
- logtext "Result: c2audit found in modinfo output"
+ LogText "Result: c2audit found in modinfo output"
Display --indent 4 --text "- Checking Solaris BSM (modules list)" --result ENABLED --color GREEN
else
- logtext "Result: c2audit not found in modinfo output"
+ LogText "Result: c2audit not found in modinfo output"
Display --indent 4 --text "- Checking Solaris BSM (modules list)" --result "NOT FOUND" --color YELLOW
fi
else
- logtext "Result: /usr/sbin/modinfo does not exist, skipping test"
+ LogText "Result: /usr/sbin/modinfo does not exist, skipping test"
fi
fi
#
@@ -332,28 +332,28 @@
if [ ${SOLARIS_AUDITD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no ACCT-9660 --os Solaris --preqs-met ${PREQS_MET} --weight L --network NO --description "Check location of audit events"
if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: check /etc/security/audit_control for event logging location"
+ LogText "Test: check /etc/security/audit_control for event logging location"
if [ -f /etc/security/audit_control ]; then
- logtext "Result: file /etc/security/audit_control found"
+ LogText "Result: file /etc/security/audit_control found"
FIND=`grep "^dir" /etc/security/audit_control | ${AWKBINARY} -F: '{ print $2 }'`
if [ ! "${FIND}" = "" ]; then
- logtext "Result: found location ${FIND}"
- logtext "Test: Checking if location is a valid directory"
+ LogText "Result: found location ${FIND}"
+ LogText "Test: Checking if location is a valid directory"
if [ -d ${FIND} ]; then
- logtext "Result: location ${FIND} is valid"
+ LogText "Result: location ${FIND} is valid"
Display --indent 4 --text "- Checking Solaris audit location" --result FOUND --color GREEN
else
- logtext "Result: location ${FIND} does not exist"
+ LogText "Result: location ${FIND} does not exist"
Display --indent 4 --text "- Checking Solaris audit location" --result "NOT FOUND" --color YELLOW
ReportSuggestion "${TEST_NO}" "Check if the Solaris audit directory is available"
fi
else
- logtext "Result: unknown event location"
+ LogText "Result: unknown event location"
Display --indent 4 --text "- Checking Solaris audit location" --result UNKNOWN --color YELLOW
ReportSuggestion "${TEST_NO}" "Check if the Solaris audit directory is properly configured"
fi
else
- logtext "Result: could not find /etc/security/audit_control"
+ LogText "Result: could not find /etc/security/audit_control"
Display --indent 4 --text "- Checking Solaris audit location" --result SKIPPED --color YELLOW
fi
fi
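Review bot: FIND collects every line matching `^dir` in /etc/security/audit_control, so when the file defines more than one `dir:` entry the variable holds several paths and the unquoted `[ -d ${FIND} ]` aborts with "too many arguments" instead of validating them; iterate over the entries (`for DIR in ${FIND}; do ... done`) or take the first with `head -1`, and quote the test operand.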
@@ -365,15 +365,15 @@
if [ ${SOLARIS_AUDITD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no ACCT-9662 --os Solaris --preqs-met ${PREQS_MET} --weight L --network NO --description "Check Solaris auditing stats"
if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: Check auditing statistics"
+ LogText "Test: Check auditing statistics"
if [ -x /usr/sbin/auditstat ]; then
FIND=`/usr/sbin/auditstat | tr -s ' ' ','`
for I in ${FIND}; do
- logtext "Output: ${I}"
+ LogText "Output: ${I}"
done
Display --indent 4 --text "- Checking Solaris audit statistics" --result DONE --color GREEN
else
- logtext "Result: /usr/sbin/auditstat not found, skipping test"
+ LogText "Result: /usr/sbin/auditstat not found, skipping test"
Display --indent 4 --text "- Checking Solaris audit statistics" --result SKIPPED --color YELLOW
fi
fi
@@ -385,4 +385,4 @@ wait_for_keypress
#
#================================================================================
-# Lynis - Copyright 2007-2015, Michael Boelen / CISOfy - https://cisofy.com
+# Lynis - Copyright 2007-2016, Michael Boelen / CISOfy - https://cisofy.com
diff --git a/include/tests_authentication b/include/tests_authentication
index c31d4c2d..4201c962 100644
--- a/include/tests_authentication
+++ b/include/tests_authentication
@@ -5,7 +5,7 @@
# Lynis
# ------------------
#
-# Copyright 2007-2015, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
+# Copyright 2007-2016, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
# Web site: https://cisofy.com
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
@@ -35,23 +35,23 @@
Register --test-no AUTH-9204 --weight L --network NO --description "Check users with an UID of zero"
if [ ${SKIPTEST} -eq 0 ]; then
# Search accounts with UID 0
- logtext "Test: Searching accounts with UID 0"
+ LogText "Test: Searching accounts with UID 0"
FIND=`grep ':0:' /etc/passwd | egrep -v '^#|^root:|^(\+:\*)?:0:0:::' | cut -d ":" -f1,3 | grep ':0'`
if [ ! "${FIND}" = "" ]; then
Display --indent 2 --text "- Search administrator accounts" --result WARNING --color RED
- logtext "Result: Found more than one administrator accounts"
+ LogText "Result: Found more than one administrator accounts"
ReportWarning "${TEST_NO}" "H" "Multiple users with UID 0 found in passwd file"
for I in ${FIND}; do
- logtext "Administrator account: ${I}"
+ LogText "Administrator account: ${I}"
if [ "${I}" = "toor" ]; then
- logtext "BSD note: default there is a user 'toor' installed. This account is considered useless unless it"
- logtext "is assigned a password and used for daily operations or emergencies. ie: bad shell for root user."
+ LogText "BSD note: default there is a user 'toor' installed. This account is considered useless unless it"
+ LogText "is assigned a password and used for daily operations or emergencies. ie: bad shell for root user."
ReportSuggestion ${TEST_NO} "Use vipw to delete the 'toor' user if not used."
fi
done
else
Display --indent 2 --text "- Search administrator accounts" --result OK --color GREEN
- logtext "Result: No accounts found with UID 0 other than root."
+ LogText "Result: No accounts found with UID 0 other than root."
fi
fi
#
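Review bot: the final `grep ':0'` in the UID-0 pipeline is unanchored, so it matches any name:UID pair whose UID merely begins with 0; anchoring it as `grep ':0$'` makes the test exact. The log message "Found more than one administrator accounts" should read "account", and the warning is raised as "H" while the accompanying text only says "Multiple users with UID 0 found", so consider naming the extra accounts in the warning as the per-account LogText lines already do.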
@@ -61,7 +61,7 @@
# Description : Check non-unique accounts
Register --test-no AUTH-9208 --weight L --network NO --description "Check non-unique accounts in passwd file"
if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: Checking for non-unique accounts"
+ LogText "Test: Checking for non-unique accounts"
if [ "${OS}" = "DragonFly" -o "${OS}" = "FreeBSD" -o "${OS}" = "NetBSD" -o "${OS}" = "OpenBSD" ]; then
PASSWD_FILE="/etc/master.passwd"
else
@@ -72,18 +72,18 @@
FIND=`grep -v '^#' ${PASSWD_FILE} | cut -d ':' -f3 | sort | uniq -d`
if [ "${FIND}" = "" ]; then
Display --indent 2 --text "- Checking for non-unique UIDs" --result OK --color GREEN
- logtext "Result: all accounts found in ${PASSWD_FILE} are unique"
+ LogText "Result: all accounts found in ${PASSWD_FILE} are unique"
else
Display --indent 2 --text "- Checking for non-unique UIDs" --result WARNING --color RED
- logtext "Result: found multiple accounts with same UID"
- logtext "Output (non-unique UIDs): ${FIND}"
+ LogText "Result: found multiple accounts with same UID"
+ LogText "Output (non-unique UIDs): ${FIND}"
ReportWarning ${TEST_NO} "Multiple accounts found with same UID"
fi
else
Display --indent 2 --text "- Checking UIDs" --result SKIPPED --color WHITE
- logtext "Result: test skipped, ${PASSWD_FILE} file not available"
+ LogText "Result: test skipped, ${PASSWD_FILE} file not available"
fi
- logtext "Remarks: Non unique UIDs can riskful for the system or part of a configuration mistake"
+ LogText "Remarks: Non unique UIDs can riskful for the system or part of a configuration mistake"
fi
#
#################################################################################
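Review bot: `ReportWarning ${TEST_NO} "Multiple accounts found with same UID"` omits the severity argument that the other calls in this file pass as the second parameter (for example `ReportWarning ${TEST_NO} "M" "chkgrp reported inconsistencies in /etc/group file"`); if ReportWarning expects (test, severity, text), the message here is consumed as the severity. The last context line "Non unique UIDs can riskful for the system" is missing a verb; "Non-unique UIDs can be a risk for the system or point to a configuration mistake" reads correctly.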
@@ -94,16 +94,16 @@
Register --test-no AUTH-9212 --preqs-met ${PREQS_MET} --weight L --network NO --description "Test group file"
if [ ${SKIPTEST} -eq 0 ]; then
Display --indent 2 --text "- Checking chkgrp tool" --result FOUND --color GREEN
- logtext "Result: /usr/sbin/chkgrp binary found. Using this to perform next test(s)."
- logtext "Test: Testing consistency of /etc/group file"
+ LogText "Result: /usr/sbin/chkgrp binary found. Using this to perform next test(s)."
+ LogText "Test: Testing consistency of /etc/group file"
FIND=`/usr/sbin/chkgrp | grep -v 'is fine'`
if [ "${FIND}" = "" ]; then
Display --indent 4 --text "- Checking consistency of /etc/group file" --result OK --color GREEN
- logtext "Result: chkgrp test performed, Group file seems to be ok."
+ LogText "Result: chkgrp test performed, Group file seems to be ok."
else
Display --indent 4 --text "- Checking consistency of /etc/group file" --result WARNING --color RED
- logtext "Result: chkgrp found some errors. Run the tool manually to see details."
- logtext "chkgrp output: ${FIND}"
+ LogText "Result: chkgrp found some errors. Run the tool manually to see details."
+ LogText "chkgrp output: ${FIND}"
ReportWarning ${TEST_NO} "M" "chkgrp reported inconsistencies in /etc/group file"
fi
fi
@@ -117,7 +117,7 @@
if [ ${SKIPTEST} -eq 0 ]; then
# Test : run grpck to test group files (most likely /etc/group and shadow group files)
# Expected result : 0 (exit code)
- logtext "Test: Checking for grpck binary"
+ LogText "Test: Checking for grpck binary"
if [ "${OS}" = "Linux" ]; then
# Read only mode
@@ -136,7 +136,7 @@
# Check exit-code
if [ "${FIND}" = "0" ]; then
Display --indent 2 --text "- Checking consistency of group files (grpck)" --result OK --color GREEN
- logtext "Result: grpck binary didn't find any errors in the group files"
+ LogText "Result: grpck binary didn't find any errors in the group files"
else
Display --indent 2 --text "- Checking consistency of group files (grpck)" --result WARNING --color RED
ReportWarning ${TEST_NO} "M" "grpck binary found errors in one or more group files"
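Review bot: the failure branch of the grpck exit-code check logs nothing, while the OK branch now calls LogText; add a line such as `LogText "Result: grpck reported errors (exit code ${FIND})"` before the ReportWarning so the log file explains where the warning came from.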
@@ -152,7 +152,7 @@
Register --test-no AUTH-9218 --os FreeBSD --weight L --network NO --description "Check harmful login shells"
if [ ${SKIPTEST} -eq 0 ]; then
FOUND=0
- logtext "Test: Checking login shells"
+ LogText "Test: Checking login shells"
if [ -f /etc/master.passwd ]; then
# Check for all shells, except: (/usr)/sbin/nologin /nonexistent
FIND=`grep "[a-z]:\*:" /etc/master.passwd | egrep -v '^#|/sbin/nologin|/usr/sbin/nologin|/nonexistent' | sed 's/ /!space!/g'`
@@ -163,16 +163,16 @@
for I in ${FIND}; do
I=`echo ${I} | sed 's/!space!/ /g'`
J=`echo ${I} | awk -F: '{ print $10 }'`
- logtext "Output: ${I}"
+ LogText "Output: ${I}"
if [ "${J}" = "" ]; then
- logtext "Result: found no shell on line"
+ LogText "Result: found no shell on line"
else
- logtext "Result: found possible harmful shell ${J}"
+ LogText "Result: found possible harmful shell ${J}"
if [ -f ${J} ]; then
- logtext "Result: shell ${J} does exist"
+ LogText "Result: shell ${J} does exist"
FOUND=1
else
- logtext "Result: shell ${J} does not exist"
+ LogText "Result: shell ${J} does not exist"
ReportSuggestion ${TEST_NO} "Determine if account is needed, as shell ${J} does not exist"
fi
fi
@@ -183,7 +183,7 @@
fi
else
Display --indent 2 --text "- Checking login shells" --result SKIPPED --color WHITE
- logtext "Result: No /etc/master.passwd file found"
+ LogText "Result: No /etc/master.passwd file found"
fi
fi
#
@@ -193,15 +193,15 @@
# Description : Check for non unique groups
Register --test-no AUTH-9222 --weight L --network NO --description "Check for non unique groups"
if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: Checking for non unique group ID's in /etc/group"
+ LogText "Test: Checking for non unique group ID's in /etc/group"
FIND=`grep -v '^#' /etc/group | grep -v '^$' | awk -F: '{ print $3 }' | sort | uniq -d`
if [ "${FIND}" = "" ]; then
Display --indent 2 --text "- Checking non unique group ID's" --result OK --color GREEN
- logtext "Result: All group ID's are unique"
+ LogText "Result: All group ID's are unique"
else
Display --indent 2 --text "- Checking non unique group ID's" --result WARNING --color RED
- logtext "Result: Found the same group ID multiple times"
- logtext "Output: ${FIND}"
+ LogText "Result: Found the same group ID multiple times"
+ LogText "Output: ${FIND}"
ReportWarning ${TEST_NO} "H" "Found multiple groups with same group ID"
#ReportSuggestion ${TEST_NO} "Check your /etc/group file and correct inconsistencies"
fi
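Review bot: AUTH-9222 reads /etc/group directly in `FIND=\`grep -v '^#' /etc/group | ...\`` with no prerequisite check, whereas AUTH-9226 in the next hunk is registered with `--preqs-met ${PREQS_MET}` after testing `-f /etc/group`. Add the same guard here so the test is skipped cleanly on systems without the file instead of grep printing an error to the console. The commented-out ReportSuggestion at the end of the else branch should either be enabled, as AUTH-9226 does, or removed.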
@@ -214,15 +214,15 @@
if [ -f /etc/group ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no AUTH-9226 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check non unique group names"
if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: Checking for non unique group names in /etc/group"
+ LogText "Test: Checking for non unique group names in /etc/group"
FIND=`grep -v '^#' /etc/group | grep -v '^$' | awk -F: '{ print $1 }' | sort | uniq -d`
if [ "${FIND}" = "" ]; then
Display --indent 2 --text "- Checking non unique group names" --result OK --color GREEN
- logtext "Result: All group names are unique"
+ LogText "Result: All group names are unique"
else
Display --indent 2 --text "- Checking non unique group names" --result WARNING --color WARNING
- logtext "Result: Found the same group name multiple times"
- logtext "Output: ${FIND}"
+ LogText "Result: Found the same group name multiple times"
+ LogText "Output: ${FIND}"
ReportWarning ${TEST_NO} "M" "Found inconsistencies in group file (multiple occurences of a single group)"
ReportSuggestion ${TEST_NO} "Check your /etc/group file and correct inconsistencies"
fi
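Review bot: the warning Display in the else branch uses `--color WARNING`, but WARNING is a result label, not a color; every other warning Display in this file uses `--color RED`. Also "multiple occurences" in the ReportWarning text should be "occurrences".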
@@ -236,7 +236,7 @@
if [ -x /usr/sbin/pwck ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no AUTH-9228 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check password file consistency with pwck"
if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: Checking password file consistency (pwck)"
+ LogText "Test: Checking password file consistency (pwck)"
TESTED=0
case ${OS} in
"Linux")
@@ -248,17 +248,17 @@
TESTED=1
;;
*)
- logtext "Dev: found /usr/sbin/pwck, but unsure how to call it on this operating system"
+ LogText "Dev: found /usr/sbin/pwck, but unsure how to call it on this operating system"
;;
esac
# Only display if this test has been executed
if [ ${TESTED} -eq 1 -a "${FIND}" = "0" ]; then
Display --indent 2 --text "- Checking password file consistency" --result OK --color GREEN
- logtext "Result: pwck check didn't find any problems"
+ LogText "Result: pwck check didn't find any problems"
AddHP 2 2
else
Display --indent 2 --text "- Checking password file consistency" --result WARNING --color RED
- logtext "Result: pwck found one or more errors/warnings in the password file."
+ LogText "Result: pwck found one or more errors/warnings in the password file."
ReportWarning ${TEST_NO} "M" "pwck found one or more errors/warnings in the password file"
ReportSuggestion ${TEST_NO} "Run pwck manually and correct found issues."
AddHP 0 2
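Review bot: the else branch fires whenever `${TESTED} -eq 1 -a "${FIND}" = "0"` is false, including the unknown-OS case where TESTED stays 0 and pwck was never run; the comment says the result is only displayed if the test executed, but an unsupported OS still gets a WARNING, a ReportWarning and `AddHP 0 2`. Split the condition: test `[ ${TESTED} -eq 1 ]` first, and only inside that branch decide between OK and WARNING on `"${FIND}" = "0"`.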
@@ -275,27 +275,27 @@
# Arch Linux / CentOS / Ubuntu: 1000+
Register --test-no AUTH-9234 --weight L --network NO --description "Query user accounts"
if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: Read system users (including root user) from /etc/passwd"
+ LogText "Test: Read system users (including root user) from /etc/passwd"
FIND=""
case ${OS} in
"FreeBSD")
- logtext "FreeBSD real users output (ID = 0, or 1000+, but not 65534):"
+ LogText "FreeBSD real users output (ID = 0, or 1000+, but not 65534):"
FIND=`awk -F: '($3 >= 1000) && ($3 != 65534) || ($3 == 0) { print $1","$3 }' /etc/passwd`
;;
"Linux")
- logtext "Linux real users output (ID = 0, or 500+, but not 65534):"
+ LogText "Linux real users output (ID = 0, or 500+, but not 65534):"
FIND=`awk -F: '($3 >= 1000) && ($3 != 65534) || ($3 == 0) { print $1","$3 }' /etc/passwd`
;;
"OpenBSD")
- logtext "OpenBSD real users output (ID = 0, or 1000-60000, but not 32767):"
+ LogText "OpenBSD real users output (ID = 0, or 1000-60000, but not 32767):"
FIND=`awk -F: '($3 >= 1000) && ($3 <= 60000) && ($3 != 32767) || ($3 == 0) { print $1","$3 }' /etc/passwd`
;;
"Solaris")
- logtext "Solaris real users output (ID =0, or 100+, but not 60001/65534):"
+ LogText "Solaris real users output (ID =0, or 100+, but not 60001/65534):"
FIND=`awk -F: '($3 >= 100 && $3 != 60001 && $3 != 65534) || ($3 == 0) { print $1","$3 }' /etc/passwd`
;;
*)
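Review bot: the Linux log text says "ID = 0, or 500+" but the awk expression on the following line selects `$3 >= 1000`, matching the comment "Arch Linux / CentOS / Ubuntu: 1000+" at the top of the hunk; update the message to 1000+ so the log matches what is queried. The awk precedence is correct as written since && binds tighter than ||, but parenthesising the whole && clause as the Solaris case does would make that explicit.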
@@ -307,13 +307,13 @@
# Check if we got any output
if [ "${FIND}" = "" ]; then
Display --indent 4 --text "Result: No users found/unknown result"
- logtext "Result: Querying of system users skipped"
+ LogText "Result: Querying of system users skipped"
Display --indent 2 --text "- Query system users (non daemons)" --result UNKNOWN --color YELLOW
else
Display --indent 2 --text "- Query system users (non daemons)" --result DONE --color GREEN
for I in ${FIND}; do
- logtext "Real user: ${I}"
- report "real_user[]=${I}"
+ LogText "Real user: ${I}"
+ Report "real_user[]=${I}"
done
fi
fi
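Review bot: when the awk query returns nothing, the log says "Querying of system users skipped" while the Display on the line above says "No users found/unknown result"; the query did run, so log "no real users found" instead of "skipped" to avoid confusion when reading the log file.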
@@ -327,21 +327,21 @@
if [ -f /etc/nsswitch.conf ]; then
FIND=`egrep "^passwd" /etc/nsswitch.conf | egrep "compat|nisplus"`
if [ "${FIND}" = "" ]; then
- logtext "Result: NIS+ authentication not enabled"
+ LogText "Result: NIS+ authentication not enabled"
Display --indent 2 --text "- Checking NIS+ authentication support" --result "NOT ENABLED" --color WHITE
else
FIND2=`egrep "^passwd_compat" /etc/nsswitch.conf | grep "nisplus"`
FIND3=`egrep "^passwd" /etc/nsswitch.conf | grep "nisplus"`
if [ ! "${FIND2}" = "" -o ! "${FIND3}" = "" ]; then
- logtext "Result: NIS+ authentication enabled"
+ LogText "Result: NIS+ authentication enabled"
Display --indent 2 --text "- Checking NIS+ authentication support" --result "ENABLED" --color GREEN
else
- logtext "Result: NIS+ authentication not enabled"
+ LogText "Result: NIS+ authentication not enabled"
Display --indent 2 --text "- Checking NIS+ authentication support" --result "NOT ENABLED" --color WHITE
fi
fi
else
- logtext "Result: /etc/nsswitch.conf not found"
+ LogText "Result: /etc/nsswitch.conf not found"
fi
fi
#
@@ -354,21 +354,21 @@
if [ -f /etc/nsswitch.conf ]; then
FIND=`egrep "^passwd" /etc/nsswitch.conf | egrep "compat|nis" | grep -v "nisplus"`
if [ "${FIND}" = "" ]; then
- logtext "Result: NIS authentication not enabled"
+ LogText "Result: NIS authentication not enabled"
Display --indent 2 --text "- Checking NIS authentication support" --result "NOT ENABLED" --color WHITE
else
FIND2=`egrep "^passwd_compat" /etc/nsswitch.conf | grep "nis" | grep -v "nisplus"`
FIND3=`egrep "^passwd" /etc/nsswitch.conf | grep "nis" | grep -v "nisplus"`
if [ ! "${FIND2}" = "" -o ! "${FIND3}" = "" ]; then
- logtext "Result: NIS authentication enabled"
+ LogText "Result: NIS authentication enabled"
Display --indent 2 --text "- Checking NIS authentication support" --result "ENABLED" --color GREEN
else
- logtext "Result: NIS authentication not enabled"
+ LogText "Result: NIS authentication not enabled"
Display --indent 2 --text "- Checking NIS authentication support" --result "NOT ENABLED" --color WHITE
fi
fi
else
- logtext "Result: /etc/nsswitch.conf not found"
+ LogText "Result: /etc/nsswitch.conf not found"
fi
fi
#
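Review bot: the NIS detection uses `grep "nis" | grep -v "nisplus"`, so a passwd line that lists both sources (for example `passwd: files nis nisplus`) is dropped by the nisplus exclusion and NIS is reported as not enabled. Match the token rather than the substring, e.g. `egrep "(^|[[:space:]])nis([[:space:]]|$)"`, so nisplus no longer masks nis.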
@@ -380,20 +380,20 @@
if [ ${SKIPTEST} -eq 0 ]; then
FOUND=0
for I in ${SUDOERS_LOCATIONS}; do
- logtext "Test: checking presence ${I}"
+ LogText "Test: checking presence ${I}"
if [ -f ${I} ]; then
FOUND=1
SUDOERS_FILE="${I}"
- logtext "Result: found file (${SUDOERS_FILE})"
+ LogText "Result: found file (${SUDOERS_FILE})"
else
- logtext "Result: file ${I} not found"
+ LogText "Result: file ${I} not found"
fi
done
if [ ${FOUND} -eq 1 ]; then
- logtext "Result: sudoers file found (${SUDOERS_FILE})"
+ LogText "Result: sudoers file found (${SUDOERS_FILE})"
Display --indent 2 --text "- Checking sudoers file" --result FOUND --color GREEN
else
- logtext "Result: sudoers file NOT found"
+ LogText "Result: sudoers file NOT found"
Display --indent 2 --text "- Checking sudoers file" --result "NOT FOUND" --color YELLOW
fi
fi
@@ -405,14 +405,14 @@
if [ ! "${SUDOERS_FILE}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no AUTH-9252 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check sudoers file"
if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: checking sudoers file (${SUDOERS_FILE}) permissions"
+ LogText "Test: checking sudoers file (${SUDOERS_FILE}) permissions"
FIND=`ls -l ${SUDOERS_FILE} | cut -c 2-10`
- logtext "Result: Found file permissions: ${FIND}"
+ LogText "Result: Found file permissions: ${FIND}"
if [ "${FIND}" = "rw-------" -o "${FIND}" = "rw-rw----" -o "${FIND}" = "r--r-----" ]; then
- logtext "Result: file ${SUDOERS_FILE} has correct permissions"
+ LogText "Result: file ${SUDOERS_FILE} has correct permissions"
Display --indent 4 --text "- Check sudoers file permissions" --result OK --color GREEN
else
- logtext "Result: file has possibly unsafe file permissions"
+ LogText "Result: file has possibly unsafe file permissions"
Display --indent 4 --text "- Check sudoers file permissions" --result WARNING --color RED
fi
fi
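Review bot: the unsafe-permissions branch only logs and displays a WARNING; unlike the other tests in this file it does not call ReportWarning, so the finding never reaches the report. Add `ReportWarning ${TEST_NO} "M" "Unsafe file permissions on ${SUDOERS_FILE}"`. Parsing `ls -l | cut -c 2-10` also ignores ownership; since a group-writable mode (rw-rw----) is accepted, the check should confirm the owning user and group as well.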
@@ -425,7 +425,7 @@
if [ ${SKIPTEST} -eq 0 ]; then
FIND=`logins -p | awk '{ print $1 }'`
if [ "${FIND}" = "" ]; then
- logtext "Result: no passwordless accounts found"
+ LogText "Result: no passwordless accounts found"
Display --indent 2 --text "- Checking passwordless accounts on Solaris" --result OK --color GREEN
else
for I in ${FIND}; do
@@ -446,48 +446,48 @@
FOUND_PASSWDQC=0
# Cracklib
- logtext "Searching cracklib PAM module"
+ LogText "Searching cracklib PAM module"
for I in ${PAM_FILE_LOCATIONS}; do
if [ -f ${I}/pam_cracklib.so ]; then
FOUND_CRACKLIB=1
- logtext "Result: found pam_cracklib.so (crack library PAM) in ${I}"
+ LogText "Result: found pam_cracklib.so (crack library PAM) in ${I}"
fi
done
if [ ${FOUND_CRACKLIB} -eq 1 ]; then
- logtext "Result: pam_cracklib.so found"
- report "pam_cracklib=1"
+ LogText "Result: pam_cracklib.so found"
+ Report "pam_cracklib=1"
AddHP 3 3
FOUND=1
else
- logtext "Result: pam_cracklib.so NOT found (crack library PAM)"
+ LogText "Result: pam_cracklib.so NOT found (crack library PAM)"
AddHP 1 3
fi
# Passwd quality control
- logtext "Searching passwdqc PAM module"
+ LogText "Searching passwdqc PAM module"
for I in ${PAM_FILE_LOCATIONS}; do
if [ -f ${I}/pam_passwdqc.so ]; then
FOUND_PASSWDQC=1
- logtext "Result: found pam_passwdqc.so (passwd quality control PAM) in ${I}"
+ LogText "Result: found pam_passwdqc.so (passwd quality control PAM) in ${I}"
fi
done
if [ ${FOUND_PASSWDQC} -eq 1 ]; then
- logtext "Result: pam_passwdqc.so found"
- report "pam_passwdqc=1"
+ LogText "Result: pam_passwdqc.so found"
+ Report "pam_passwdqc=1"
AddHP 3 3
FOUND=1
else
- logtext "Result: pam_passwdqc.so NOT found (passwd quality control PAM)"
+ LogText "Result: pam_passwdqc.so NOT found (passwd quality control PAM)"
AddHP 1 3
fi
if [ ${FOUND} -eq 0 ]; then
Display --indent 2 --text "- Checking PAM password strength tools" --result "SUGGESTION" --color YELLOW
- logtext "Result: no PAM modules for password strength testing found"
+ LogText "Result: no PAM modules for password strength testing found"
ReportSuggestion ${TEST_NO} "Install a PAM module for password strength testing like pam_cracklib or pam_passwdqc"
else
Display --indent 2 --text "- Checking PAM password strength tools" --result OK --color GREEN
- logtext "Result: found at least one PAM module for password strength testing"
+ LogText "Result: found at least one PAM module for password strength testing"
fi
fi
#
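Review bot: both checks award `AddHP 3 3` when the module file merely exists in one of ${PAM_FILE_LOCATIONS} (`if [ -f ${I}/pam_cracklib.so ]`); an installed but unreferenced module enforces nothing. Consider also grepping the PAM configuration (pam.conf or pam.d, which the later hunks already enumerate) for the module name before scoring it as active, and log the distinction between "installed" and "configured".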
@@ -497,23 +497,23 @@
# Description : Scan /etc/pam.conf file
Register --test-no AUTH-9264 --weight L --network NO --description "Checking presence pam.conf"
if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: Checking file /etc/pam.conf"
+ LogText "Test: Checking file /etc/pam.conf"
if [ -f /etc/pam.conf ]; then
- logtext "Result: file /etc/pam.conf exists"
+ LogText "Result: file /etc/pam.conf exists"
Display --indent 2 --text "- Checking PAM configuration files (pam.conf)" --result FOUND --color GREEN
- logtext "Test: searching PAM configuration files"
+ LogText "Test: searching PAM configuration files"
FIND=`grep -v "^#" /etc/pam.conf | grep -v "^$" | sed 's/[[:space:]]/ /g' | sed 's/ / /g' | sed 's/ /:space:/g'`
if [ "${FIND}" = "" ]; then
- logtext "Result: File has no configuration options defined (empty, or only filled with comments and empty lines)"
+ LogText "Result: File has no configuration options defined (empty, or only filled with comments and empty lines)"
else
- logtext "Result: found one or more configuration lines"
+ LogText "Result: found one or more configuration lines"
for I in ${FIND}; do
I=`echo ${I} | sed 's/:space:/ /g'`
- logtext "Found line: ${I}"
+ LogText "Found line: ${I}"
done
fi
else
- logtext "Result: file /etc/pam.conf could not be found"
+ LogText "Result: file /etc/pam.conf could not be found"
Display --indent 2 --text "- Checking PAM configuration file (pam.conf)" --result "NOT FOUND" --color WHITE
fi
fi
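Review bot: in the sed chain on the FIND line, the middle step `sed 's/ / /g'` replaces a space with a space and does nothing; if the intent is to squeeze runs of whitespace into one space before the ":space:" substitution, use `sed 's/  */ /g'` (two spaces followed by a star). Otherwise drop the step.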
@@ -524,17 +524,17 @@
# Description : Searching available PAM configurations (/etc/pam.d)
Register --test-no AUTH-9266 --weight L --network NO --description "Checking presence pam.d files"
if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: Checking directory /etc/pam.d"
+ LogText "Test: Checking directory /etc/pam.d"
if [ -d /etc/pam.d ]; then
- logtext "Result: directory /etc/pam.d exists"
+ LogText "Result: directory /etc/pam.d exists"
Display --indent 2 --text "- Checking PAM configuration files (pam.d)" --result FOUND --color GREEN
- logtext "Test: searching PAM configuration files"
+ LogText "Test: searching PAM configuration files"
FIND=`find /etc/pam.d -type f -print | sort`
for I in ${FIND}; do
- logtext "Found file: ${I}"
+ LogText "Found file: ${I}"
done
else
- logtext "Result: directory /etc/pam.d could not be found"
+ LogText "Result: directory /etc/pam.d could not be found"
Display --indent 2 --text "- Checking PAM configuration files (pam.d)" --result "NOT FOUND" --color WHITE
fi
fi
@@ -548,25 +548,25 @@
Register --test-no AUTH-9268 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking presence pam.d files"
if [ ${SKIPTEST} -eq 0 ]; then
FOUND=0
- logtext "Test: Searching pam modules"
+ LogText "Test: Searching pam modules"
for I in ${PAM_FILE_LOCATIONS}; do
- logtext "Test: Checking ${I}"
+ LogText "Test: Checking ${I}"
if [ -d ${I} -a ! -L ${I} ]; then
- logtext "Result: directory ${I} exists"
+ LogText "Result: directory ${I} exists"
FIND=`find ${I} -type f -name "*.so" -print | sort`
if [ ! "${FIND}" = "" ]; then FOUND=1; fi
for I in ${FIND}; do
- logtext "Found file: ${I}"
- report "pam_module[]=${I}"
+ LogText "Found file: ${I}"
+ Report "pam_module[]=${I}"
done
else
- logtext "Result: directory ${I} could not be found or is a symlink to another directory"
+ LogText "Result: directory ${I} could not be found or is a symlink to another directory"
fi
done
# Check if we found at least one module
if [ ${FOUND} -eq 0 ]; then
Display --indent 2 --text "- Checking PAM modules" --result "NOT FOUND" --color WHITE
- logtext "Result: no PAM modules found"
+ LogText "Result: no PAM modules found"
else
Display --indent 2 --text "- Checking PAM modules" --result FOUND --color GREEN
fi
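Review bot: the inner `for I in ${FIND}` reuses the outer loop variable I, so inside the module loop ${I} no longer names the directory being scanned; the LogText and Report lines happen to want the file path, but the else branch's "directory ${I}" message and any future edit are easy to get wrong. Rename the inner variable (e.g. MODULE). The Register description "Checking presence pam.d files" is also copied from AUTH-9266; this test searches PAM modules, so describe it as such.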
@@ -578,23 +578,23 @@
# Description : Search LDAP support in PAM files
Register --test-no AUTH-9278 --weight L --network NO --description "Checking LDAP pam status"
if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: checking presence /etc/pam.d/common-auth"
+ LogText "Test: checking presence /etc/pam.d/common-auth"
if [ -f /etc/pam.d/common-auth ]; then
- logtext "Result: file /etc/pam.d/common-auth exists"
- logtext "Test: checking presence LDAP module"
+ LogText "Result: file /etc/pam.d/common-auth exists"
+ LogText "Test: checking presence LDAP module"
FIND=`grep "^auth.*ldap" /etc/pam.d/common-auth`
if [ ! "${FIND}" = "" ]; then
- logtext "Result: LDAP module present"
- logtext "Output: ${FIND}"
+ LogText "Result: LDAP module present"
+ LogText "Output: ${FIND}"
Display --indent 2 --text "- Checking LDAP module in PAM" --result FOUND --color GREEN
LDAP_AUTH_ENABLED=1
LDAP_PAM_ENABLED=1
else
- logtext "Result: LDAP module not found"
+ LogText "Result: LDAP module not found"
Display --indent 2 --text "- Checking LDAP module in PAM" --result "NOT FOUND" --color WHITE
fi
else
- logtext "Result: file /etc/pam.d/common-auth not found, skipping test"
+ LogText "Result: file /etc/pam.d/common-auth not found, skipping test"
fi
fi
#
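Review bot: when /etc/pam.d/common-auth is absent the test only logs "skipping test" and produces no Display line, unlike the other skipped tests in this file that show SKIPPED; add a Display with `--result SKIPPED`. The check is also tied to the Debian-style common-auth file, so systems with a different pam.d layout silently report nothing about LDAP.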
@@ -618,7 +618,7 @@
;;
esac
else
- logtext "Result: skipping test for this Linux version"
+ LogText "Result: skipping test for this Linux version"
ReportManual "AUTH-9282:01"
PREQS_MET="NO"
FIND=""
@@ -632,14 +632,14 @@
# Description : Search password protected accounts without expire (Linux)
Register --test-no AUTH-9282 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking password protected account without expire date"
if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: Checking Linux version and password expire date status"
+ LogText "Test: Checking Linux version and password expire date status"
if [ "${FIND}" = "" ]; then
- logtext "Result: all accounts seem to have an expire date"
+ LogText "Result: all accounts seem to have an expire date"
Display --indent 2 --text "- Checking accounts without expire date" --result OK --color GREEN
else
- logtext "Result: found one or more accounts with expire date set"
+ LogText "Result: found one or more accounts with expire date set"
for I in ${FIND}; do
- logtext "Account without expire date: ${I}"
+ LogText "Account without expire date: ${I}"
done
Display --indent 2 --text "- Checking accounts without expire date" --result SUGGESTION --color YELLOW
ReportSuggestion ${TEST_NO} "When possible set expire dates for all password protected accounts"
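Review bot: the else-branch message "found one or more accounts with expire date set" states the opposite of what the branch handles; the loop below logs "Account without expire date: ${I}" and the Display says "accounts without expire date". Change it to "found one or more accounts without expire date".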
@@ -649,15 +649,15 @@
# Description : Search passwordless accounts
Register --test-no AUTH-9283 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking accounts without password"
if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: Checking passwordless accounts"
+ LogText "Test: Checking passwordless accounts"
if [ "${FIND2}" = "" ]; then
- logtext "Result: all accounts seem to have a password"
+ LogText "Result: all accounts seem to have a password"
Display --indent 2 --text "- Checking accounts without password" --result OK --color GREEN
else
- logtext "Result: found one or more accounts without password"
+ LogText "Result: found one or more accounts without password"
for I in ${FIND2}; do
- logtext "Account without password: ${I}"
- report "account_without_password=${I}"
+ LogText "Account without password: ${I}"
+ Report "account_without_password=${I}"
done
Display --indent 2 --text "- Checking accounts without password" --result WARNING --color RED
ReportWarning ${TEST_NO} "Found accounts without password"
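Review bot: the ReportWarning call at the end of this hunk passes no severity, while most other ReportWarning calls in the file use the three-argument form with "M" or "H"; accounts without a password warrant "H" and the consistent form. The test also depends on FIND2 being populated by code outside the registered block, which deserves a comment so the coupling is visible to the next editor.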
@@ -673,29 +673,29 @@
if [ -f /etc/login.defs ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no AUTH-9286 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking user password aging"
if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: Checking PASS_MIN_DAYS option in /etc/login.defs "
+ LogText "Test: Checking PASS_MIN_DAYS option in /etc/login.defs "
FIND=`grep "^PASS_MIN_DAYS" /etc/login.defs | awk '{ if ($1=="PASS_MIN_DAYS") { print $2 } }'`
if [ "${FIND}" = "" -o "${FIND}" = "0" ]; then
- logtext "Result: password minimum age is not configured"
+ LogText "Result: password minimum age is not configured"
Display --indent 2 --text "- Checking user password aging (minimum)" --result DISABLED --color YELLOW
ReportSuggestion ${TEST_NO} "Configure minimum password age in /etc/login.defs"
AddHP 0 1
else
- logtext "Result: password needs to be at least ${FIND} days old"
+ LogText "Result: password needs to be at least ${FIND} days old"
PASSWORD_MINIMUM_DAYS=${FIND}
Display --indent 2 --text "- Checking user password aging (minimum)" --result CONFIGURED --color GREEN
AddHP 3 3
fi
- logtext "Test: Checking PASS_MAX_DAYS option in /etc/login.defs "
+ LogText "Test: Checking PASS_MAX_DAYS option in /etc/login.defs "
FIND=`grep "^PASS_MAX_DAYS" /etc/login.defs | awk '{ if ($1=="PASS_MAX_DAYS") { print $2 } }'`
if [ "${FIND}" = "" -o "${FIND}" = "99999" ]; then
- logtext "Result: password aging limits are not configured"
+ LogText "Result: password aging limits are not configured"
Display --indent 2 --text "- Checking user password aging (maximum)" --result DISABLED --color YELLOW
ReportSuggestion ${TEST_NO} "Configure maximum password age in /etc/login.defs"
AddHP 0 1
else
- logtext "Result: max password age is ${FIND} days"
+ LogText "Result: max password age is ${FIND} days"
PASSWORD_MAXIMUM_DAYS=${FIND}
Display --indent 2 --text "- Checking user password aging (maximum)" --result CONFIGURED --color GREEN
AddHP 3 3
@@ -711,21 +711,21 @@
if [ ${SKIPTEST} -eq 0 ]; then
# Check if file exists (Solaris 10 does not have this file by default)
if [ -f /etc/default/sulogin ]; then
- logtext "Result: file /etc/default/sulogin exists"
- logtext "Test: checking presence PASSREQ=NO"
+ LogText "Result: file /etc/default/sulogin exists"
+ LogText "Test: checking presence PASSREQ=NO"
FIND=`grep "^PASSREQ=NO" /etc/default/sulogin`
if [ "${FIND}" = "" ]; then
- logtext "Result: option not present or configured to request a password at single user mode login"
+ LogText "Result: option not present or configured to request a password at single user mode login"
Display --indent 2 --text "- Checking Solaris /etc/default/sulogin file" --result OK --color GREEN
AddHP 1 1
else
- logtext "Result: option present, no password needed at single user mode login"
+ LogText "Result: option present, no password needed at single user mode login"
Display --indent 2 --text "- Checking Solaris /etc/default/sulogin file" --result WARNING --color RED
ReportWarning ${TEST_NO} "H" "No password needed for single user mode login"
AddHP 0 1
fi
else
- logtext "Result: file /etc/default/sulogin does not exist"
+ LogText "Result: file /etc/default/sulogin does not exist"
fi
fi
#
@@ -739,23 +739,23 @@
Register --test-no AUTH-9306 --os HP-UX --weight L --network NO --description "Check single boot authentication"
if [ ${SKIPTEST} -eq 0 ]; then
# Check if file exists
- logtext "Test: Searching /tcb/files/auth/system/default"
+ LogText "Test: Searching /tcb/files/auth/system/default"
if [ -f /tcb/files/auth/system/default ]; then
- logtext "Result: file /tcb/files/auth/system/default exists"
- logtext "Test: checking presence :d_boot_authenticate@:"
+ LogText "Result: file /tcb/files/auth/system/default exists"
+ LogText "Test: checking presence :d_boot_authenticate@:"
FIND=`grep "^:d_boot_authenticate@" /tcb/files/auth/system/default`
if [ "${FIND}" = "" ]; then
- logtext "Result: option not set, password is needed at boot"
+ LogText "Result: option not set, password is needed at boot"
Display --indent 2 --text "- Checking HP-UX boot authentication" --result OK --color GREEN
AddHP 1 1
else
- logtext "Result: option present, no password needed at single user mode login"
+ LogText "Result: option present, no password needed at single user mode login"
Display --indent 2 --text "- Checking HP-UX boot authentication" --result SUGGESTION --color YELLOW
ReportSuggestion ${TEST_NO} "Set password for system boot"
AddHP 0 1
fi
else
- logtext "Result: file /tcb/files/auth/system/default does not exist"
+ LogText "Result: file /tcb/files/auth/system/default does not exist"
fi
fi
#
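Review bot: the log text in the else branch, "option present, no password needed at single user mode login", is copied from the Solaris sulogin test; this test checks `:d_boot_authenticate@:` for boot authentication, so say "no password needed at boot" to match the OK branch and the Display text.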
@@ -767,47 +767,47 @@
if [ ${SKIPTEST} -eq 0 ]; then
FOUND=0
# Check if file exists
- logtext "Test: Searching /etc/inittab"
+ LogText "Test: Searching /etc/inittab"
if [ -f /etc/inittab ]; then
- logtext "Result: file /etc/inittab exists"
- logtext "Test: checking presence sulogin for single user mode"
+ LogText "Result: file /etc/inittab exists"
+ LogText "Test: checking presence sulogin for single user mode"
FIND=`egrep "^~~:S:(respawn|wait):/sbin/sulogin" /etc/inittab`
FIND2=`egrep "^su:S:(respawn|wait):/sbin/sulogin" /etc/inittab`
if [ ! "${FIND}" = "" -o ! "${FIND2}" = "" ]; then
FOUND=1
- logtext "Result: found sulogin, so single user is protected"
+ LogText "Result: found sulogin, so single user is protected"
fi
else
- logtext "Result: file /etc/inittab does not exist"
+ LogText "Result: file /etc/inittab does not exist"
fi
# Check if file exists
- logtext "Test: Searching /etc/sysconfig/init"
+ LogText "Test: Searching /etc/sysconfig/init"
if [ -f /etc/sysconfig/init ]; then
- logtext "Result: file /etc/sysconfig/init exists"
- logtext "Test: checking presence sulogin for single user mode"
+ LogText "Result: file /etc/sysconfig/init exists"
+ LogText "Test: checking presence sulogin for single user mode"
FIND=`grep "^SINGLE=/sbin/sulogin" /etc/sysconfig/init`
if [ ! "${FIND}" = "" ]; then
FOUND=1
- logtext "Result: found sulogin, so single user is protected"
+ LogText "Result: found sulogin, so single user is protected"
fi
else
- logtext "Result: file /etc/inittab does not exist"
+ LogText "Result: file /etc/inittab does not exist"
fi
if [ -f /etc/inittab -o -f /etc/sysconfig/init ]; then
if [ ${FOUND} -eq 0 ]; then
- logtext "Result: option not set, no password needed at single user mode boot"
+ LogText "Result: option not set, no password needed at single user mode boot"
Display --indent 2 --text "- Checking Linux single user mode authentication" --result WARNING --color RED
ReportWarning ${TEST_NO} "L" "No password set for single mode"
ReportSuggestion ${TEST_NO} "Set password for single user mode to minimize physical access attack surface"
AddHP 0 2
else
- logtext "Result: option set, password is needed at single user mode boot"
+ LogText "Result: option set, password is needed at single user mode boot"
Display --indent 2 --text "- Checking Linux single user mode authentication" --result OK --color GREEN
AddHP 2 2
fi
else
- logtext "Result: No inittab or init file found, unsure if system is protected"
+ LogText "Result: No inittab or init file found, unsure if system is protected"
fi
fi
#
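Review bot: the else branch of the /etc/sysconfig/init check logs "file /etc/inittab does not exist", a copy-paste from the inittab block above; it should read "file /etc/sysconfig/init does not exist". Note also that all three FIND patterns accept only the literal path /sbin/sulogin; an entry that invokes sulogin from another path is scored as unprotected.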
@@ -823,39 +823,39 @@
Display --indent 2 --text "- Determining default umask"
# /etc/profile
- logtext "Test: Checking /etc/profile"
+ LogText "Test: Checking /etc/profile"
if [ -f /etc/profile ]; then
- logtext "Result: file /etc/profile exists"
- logtext "Test: Checking umask value in /etc/profile"
+ LogText "Result: file /etc/profile exists"
+ LogText "Test: Checking umask value in /etc/profile"
FIND=`grep "umask" /etc/profile | sed 's/^[ \t]*//' | grep -v "^#" | awk '{ print $2 }'`
FIND2=`grep "umask" /etc/profile | sed 's/^[ \t]*//' | grep -v "^#" | awk '{ print $2 }' | wc -l`
WEAK_UMASK=0
FOUND_UMASK=0
if [ "${FIND2}" = "0" ]; then
- logtext "Result: did not find umask in /etc/profile"
+ LogText "Result: did not find umask in /etc/profile"
#YYY possibly weak umask
elif [ "${FIND2}" = "1" ]; then
- logtext "Result: found umask (prefixed with spaces)"
+ LogText "Result: found umask (prefixed with spaces)"
FOUND_UMASK=1
if [ ! "${FIND}" = "077" -a ! "${FIND}" = "027" ]; then
- logtext "Result: found umask ${FIND}, which could be more strict"
+ LogText "Result: found umask ${FIND}, which could be more strict"
WEAK_UMASK=1
AddHP 1 2
else
- logtext "Result: found umask ${FIND}, which is fine"
+ LogText "Result: found umask ${FIND}, which is fine"
AddHP 2 2
fi
# Found more than 1 umask value in profile
else
- logtext "Result: found multiple umask values configured in /etc/profile"
+ LogText "Result: found multiple umask values configured in /etc/profile"
FOUND_UMASK=1
for I in ${FIND}; do
if [ ! "${I}" = "077" -a ! "${I}" = "027" ]; then
- logtext "Result: umask ${I} could be more strict"
+ LogText "Result: umask ${I} could be more strict"
WEAK_UMASK=1
AddHP 1 2
else
- logtext "Result: Found umask ${I}, which is fine"
+ LogText "Result: Found umask ${I}, which is fine"
AddHP 2 2
fi
done
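Review bot: the umask comparisons `! "${FIND}" = "077" -a ! "${FIND}" = "027"` are string comparisons, so a profile line written as `umask 0027` or `umask 0077` is flagged as weak even though the mode is identical. Normalise the value (strip leading zeros, then compare the last three digits) before the test, and apply the same normalisation in the multi-value loop further down the hunk.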
@@ -871,112 +871,112 @@
AddHP 0 2
fi
else
- logtext "Result: found no umask. Please check if this is correct"
+ LogText "Result: found no umask. Please check if this is correct"
Display --indent 4 --text "- Checking umask (/etc/profile)" --result "NOT FOUND" --color YELLOW
ReportException "${TEST_NO}:01"
ReportManual "AUTH-9328:01"
AddHP 0 2
fi
else
- logtext "Result: file /etc/profile does not exist"
+ LogText "Result: file /etc/profile does not exist"
fi
# /etc/passwd
- logtext "Test: Checking umask entries in /etc/passwd (pam_umask)"
+ LogText "Test: Checking umask entries in /etc/passwd (pam_umask)"
if [ -f /etc/passwd ]; then
- logtext "Result: file /etc/passwd exists"
- logtext "Test: Checking umask value in /etc/passwd"
+ LogText "Result: file /etc/passwd exists"
+ LogText "Test: Checking umask value in /etc/passwd"
FIND=`grep "umask=" /etc/passwd`
if [ "${FIND}" = "" ]; then
ReportManual "AUTH-9328:03"
fi
else
- logtext "Result: file /etc/passwd does not exist"
+ LogText "Result: file /etc/passwd does not exist"
fi
# /etc/login.defs
- logtext "Test: Checking /etc/login.defs"
+ LogText "Test: Checking /etc/login.defs"
if [ -f /etc/login.defs ]; then
- logtext "Result: file /etc/login.defs exists"
- logtext "Test: Checking umask value in /etc/login.defs"
+ LogText "Result: file /etc/login.defs exists"
+ LogText "Test: Checking umask value in /etc/login.defs"
FIND=`grep "^UMASK" /etc/login.defs | awk '{ print $2 }'`
if [ "${FIND}" = "" ]; then
- logtext "Result: umask value is not configured (most likely it will have the default 022 value)"
+ LogText "Result: umask value is not configured (most likely it will have the default 022 value)"
Display --indent 4 --text "- Checking umask (/etc/login.defs)" --result SUGGESTION --color YELLOW
ReportSuggestion ${TEST_NO} "Default umask in /etc/login.defs could not be found and defaults usually to 022, which could be more strict like 027"
AddHP 1 2
elif [ "${FIND}" = "077" -o "${FIND}" = "027" ]; then
- logtext "Result: umask is ${FIND}, which is fine"
+ LogText "Result: umask is ${FIND}, which is fine"
Display --indent 4 --text "- Checking umask (/etc/login.defs)" --result OK --color GREEN
AddHP 2 2
else
- logtext "Result: found umask ${FIND}, which could be improved"
+ LogText "Result: found umask ${FIND}, which could be improved"
Display --indent 4 --text "- Checking umask (/etc/login.defs)" --result SUGGESTION --color YELLOW
ReportSuggestion ${TEST_NO} "Default umask in /etc/login.defs could be more strict like 027"
AddHP 0 2
fi
else
- logtext "Result: file /etc/login.defs does not exist"
+ LogText "Result: file /etc/login.defs does not exist"
fi
# Red Hat /etc/init.d/functions
- logtext "Test: Checking /etc/init.d/functions"
+ LogText "Test: Checking /etc/init.d/functions"
if [ -f /etc/init.d/functions ]; then
- logtext "Result: file /etc/init.d/functions exists"
- logtext "Test: Checking umask value in /etc/init.d/functions"
+ LogText "Result: file /etc/init.d/functions exists"
+ LogText "Test: Checking umask value in /etc/init.d/functions"
FIND=`grep "^umask" /etc/init.d/functions | awk '{ print $2 }'`
if [ "${FIND}" = "" ]; then
- logtext "Result: umask is not configured"
+ LogText "Result: umask is not configured"
Display --indent 4 --text "- Checking umask (/etc/init.d/functions)" --result NONE --color WHITE
elif [ "${FIND}" = "077" -o "${FIND}" = "027" ]; then
- logtext "Result: umask is ${FIND}, which is fine"
+ LogText "Result: umask is ${FIND}, which is fine"
Display --indent 4 --text "- Checking umask (/etc/init.d/functions)" --result OK --color GREEN
AddHP 2 2
else
- logtext "Result: found umask ${FIND}, which could be improved"
+ LogText "Result: found umask ${FIND}, which could be improved"
Display --indent 4 --text "- Checking umask (/etc/init.d/functions)" --result SUGGESTION --color YELLOW
AddHP 0 2
fi
else
- logtext "Result: file /etc/init.d/functions does not exist"
+ LogText "Result: file /etc/init.d/functions does not exist"
fi
# /etc/init.d/rc
- logtext "Test: Checking /etc/init.d/rc"
+ LogText "Test: Checking /etc/init.d/rc"
if [ -f /etc/init.d/rc ]; then
- logtext "Result: file /etc/init.d/rc exists"
- logtext "Test: Checking UMASK value in /etc/init.d/rc"
+ LogText "Result: file /etc/init.d/rc exists"
+ LogText "Test: Checking UMASK value in /etc/init.d/rc"
FIND=`grep -i "^UMASK" /etc/init.d/rc | awk '{ print $2 }'`
if [ "${FIND}" = "" ]; then
- logtext "Result: UMASK value is not configured (most likely it will have the default 022 value)"
+ LogText "Result: UMASK value is not configured (most likely it will have the default 022 value)"
Display --indent 4 --text "- Checking umask (/etc/init.d/rc)" --result SUGGESTION --color YELLOW
ReportSuggestion ${TEST_NO} "Default umask in /etc/init.d/rc could not be found and defaults usually to 022, which could be more strict like 027"
AddHP 1 2
elif [ "${FIND}" = "077" -o "${FIND}" = "027" ]; then
- logtext "Result: umask is ${FIND}, which is fine"
+ LogText "Result: umask is ${FIND}, which is fine"
Display --indent 4 --text "- Checking umask (/etc/init.d/rc)" --result OK --color GREEN
AddHP 2 2
else
- logtext "Result: found umask ${FIND}, which could be improved"
+ LogText "Result: found umask ${FIND}, which could be improved"
Display --indent 4 --text "- Checking umask (/etc/init.d/rc)" --result SUGGESTION --color YELLOW
ReportSuggestion ${TEST_NO} "Default umask in /etc/init.d/rc could be more strict like 027"
AddHP 0 2
fi
else
- logtext "Result: file /etc/init.d/rc does not exist"
+ LogText "Result: file /etc/init.d/rc does not exist"
fi
# FreeBSD
if [ -f /etc/login.conf ]; then
FOUND=0
WEAK_UMASK=0
- logtext "Result: file /etc/login.conf exists"
+ LogText "Result: file /etc/login.conf exists"
FIND=`grep "umask" /etc/login.conf | sed 's/#.*//' | sed -E 's/^[[:cntrl:]]//' | grep -v '^$' | awk -F: '{ print $2}' | awk -F= '{ if ($1=="umask") { print $2 }}'`
if [ ! "${FIND}" = "" ]; then
for UMASK_VALUE in ${FIND}; do
case ${UMASK_VALUE} in
027|0027|077|0077)
- logtext "Result: found umask value ${UMASK_VALUE}, which is fine"
+ LogText "Result: found umask value ${UMASK_VALUE}, which is fine"
AddHP 2 2
FOUND=1
;;
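Review bot: in the /etc/init.d/functions block the branch that displays `--result SUGGESTION` (`LogText "Result: found umask ${FIND}, which could be improved"`) has no matching `ReportSuggestion ${TEST_NO} ...` call, unlike the parallel /etc/init.d/rc branch a few lines below, so the finding is shown on screen but never reaches the report; add the ReportSuggestion line. The "not configured" case is also handled differently for the two files (`--result NONE --color WHITE` with no AddHP for functions, `SUGGESTION` plus `AddHP 1 2` for rc); if that difference is intentional because functions is optional on non-Red Hat systems, a one-line comment saying so would save the next reader from "fixing" it.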
@@ -984,7 +984,7 @@
AddHP 0 2
FOUND=1
WEAK_UMASK=1
- logtext "Result: found umask value ${UMASK_VALUE}, which can be more strict"
+ LogText "Result: found umask value ${UMASK_VALUE}, which can be more strict"
;;
esac
done
@@ -997,41 +997,41 @@
ReportSuggestion ${TEST_NO} "Umask in /etc/login.conf could be more strict like 027"
fi
else
- logtext "Result: no umask setting found in /etc/login.conf, which is unexpected"
+ LogText "Result: no umask setting found in /etc/login.conf, which is unexpected"
Display --indent 4 --text "- Checking umask (/etc/login.conf)" --result NONE --color YELLOW
fi
fi
# /etc/init.d/rcS
- logtext "Test: Checking /etc/init.d/rcS"
+ LogText "Test: Checking /etc/init.d/rcS"
if [ -f /etc/init.d/rcS ]; then
- logtext "Result: file /etc/init.d/rcS exists"
- logtext "Test: Checking if script runs another script."
+ LogText "Result: file /etc/init.d/rcS exists"
+ LogText "Test: Checking if script runs another script."
FIND=`grep -i "^exec " /etc/init.d/rcS | awk '{ print $2 }'`
if [ "${FIND}" = "" ]; then
FIND2=`grep -i "^UMASK" /etc/init.d/rcS | awk '{ print $2 }'`
if [ "${FIND2}" = "" ]; then
- logtext "Result: UMASK value is not configured (most likely it will have the default 022 value)"
+ LogText "Result: UMASK value is not configured (most likely it will have the default 022 value)"
Display --indent 4 --text "- Checking umask (/etc/init.d/rcS)" --result SUGGESTION --color YELLOW
ReportSuggestion ${TEST_NO} "Default umask in /etc/init.d/rcS could not be found and defaults usually to 022, which could be more strict like 027"
AddHP 1 2
elif [ "${FIND2}" = "077" -o "${FIND2}" = "027" ]; then
- logtext "Result: umask is ${FIND2}, which is fine"
+ LogText "Result: umask is ${FIND2}, which is fine"
Display --indent 4 --text "- Checking umask (/etc/init.d/rcS)" --result OK --color GREEN
AddHP 2 2
else
- logtext "Result: found umask ${FIND2}, which could be improved"
+ LogText "Result: found umask ${FIND2}, which could be improved"
Display --indent 4 --text "- Checking umask (/etc/init.d/rcS)" --result SUGGESTION --color YELLOW
ReportSuggestion ${TEST_NO} "Default umask in /etc/init.d/rcS could be more strict like 027"
AddHP 0 2
fi
else
# Improve check
- logtext "Result: exec line present in file, setting of umask not needed in this script"
- logtext "Output: ${FIND}"
+ LogText "Result: exec line present in file, setting of umask not needed in this script"
+ LogText "Output: ${FIND}"
fi
else
- logtext "Result: file /etc/init.d/rcS does not exist"
+ LogText "Result: file /etc/init.d/rcS does not exist"
fi
fi
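Review bot: when /etc/init.d/rcS contains an `exec` line, the branch under `# Improve check` only logs the target (`LogText "Output: ${FIND}"`) and produces no Display, AddHP or suggestion, so such a system silently gets no umask result for this file; either follow the exec target captured in FIND and apply the same UMASK check to it, or at least record the outcome with a Display line so the gap is visible. Note also that `grep -i "^exec "` matches any exec at the start of a line, not only one that hands control to another init script, which is presumably what the "setting of umask not needed" conclusion assumes.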
@@ -1044,39 +1044,39 @@
if [ ${SKIPTEST} -eq 0 ]; then
FOUND=0
if [ -f /etc/security/policy.conf ]; then
- logtext "Result: found /etc/security/policy.conf"
+ LogText "Result: found /etc/security/policy.conf"
FIND=`grep "^LOCK_AFTER_RETRIES" /etc/security/policy.conf`
if [ ! "${FIND}" = "" ]; then
FOUND=1
- logtext "Result: account locking option set"
- logtext "Output: ${FIND}"
+ LogText "Result: account locking option set"
+ LogText "Output: ${FIND}"
AddHP 2 2
else
- logtext "Result: option LOCK_AFTER_RETRIES not set"
+ LogText "Result: option LOCK_AFTER_RETRIES not set"
AddHP 1 2
fi
else
- logtext "Result: /etc/security/policy.conf does not exist"
+ LogText "Result: /etc/security/policy.conf does not exist"
fi
# If policy.conf does not exist, we most likely deal with a Solaris version below 10
# and we proceed with checking the softer option RETRIES in /etc/default/login
# which does not lock account, but discourages brute force password attacks.
if [ ${FOUND} -eq 0 ]; then
- logtext "Test: checking /etc/default/login"
+ LogText "Test: checking /etc/default/login"
if [ -f /etc/default/login ]; then
- logtext "Result: file /etc/default/login exists"
+ LogText "Result: file /etc/default/login exists"
FIND=`grep "^RETRIES" /etc/default/login`
if [ ! "${FIND}" = "" ]; then
FOUND=1
- logtext "Result: retries option configured"
- logtext "Output: ${FIND}"
+ LogText "Result: retries option configured"
+ LogText "Output: ${FIND}"
AddHP 2 2
else
- logtext "Result: retries option not configured"
+ LogText "Result: retries option not configured"
AddHP 1 2
fi
else
- logtext "Result: file /etc/default/login does not exist"
+ LogText "Result: file /etc/default/login does not exist"
fi
fi
if [ ${FOUND} -eq 1 ]; then
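Review bot: `grep "^LOCK_AFTER_RETRIES" /etc/security/policy.conf` and `grep "^RETRIES" /etc/default/login` test only that the directive is present, not its value, so `LOCK_AFTER_RETRIES=NO` or `RETRIES=0` is logged as "account locking option set" / "retries option configured" and awarded the full `AddHP 2 2`; extract the value (for example with `awk -F= '{ print $2 }'`) and score on it, logging the value in the `Output:` line as is already done for the raw match.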
@@ -1095,15 +1095,15 @@
if [ -f /etc/nsswitch.conf ]; then
FIND=`egrep "^passwd" /etc/nsswitch.conf | grep "ldap"`
if [ "${FIND}" = "" ]; then
- logtext "Result: LDAP authentication not enabled"
+ LogText "Result: LDAP authentication not enabled"
Display --indent 2 --text "- Checking LDAP authentication support" --result "NOT ENABLED" --color WHITE
else
- logtext "Result: LDAP authentication enabled"
+ LogText "Result: LDAP authentication enabled"
Display --indent 2 --text "- Checking LDAP authentication support" --result "ENABLED" --color GREEN
LDAP_AUTH_ENABLED=1
fi
else
- logtext "Result: /etc/nsswitch.conf not found"
+ LogText "Result: /etc/nsswitch.conf not found"
fi
fi
#
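Review bot: `egrep "^passwd" /etc/nsswitch.conf | grep "ldap"` calls a bare `egrep` while the LILO test in tests_boot_services uses `${EGREPBINARY}`; use the variable here for consistency with the binary detection the rest of Lynis relies on. No extended-regex feature is used, so a single `grep "^passwd.*ldap"` would also do and avoids the second process. It would also be worth a comment that this only detects LDAP in the `passwd` database, so an LDAP-backed `shadow` or `group` line alone does not set LDAP_AUTH_ENABLED.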
@@ -1114,21 +1114,21 @@
if [ ${LDAP_AUTH_ENABLED} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no AUTH-9406 --preqs-met ${PREQS_MET} --weight L --network NO --description "Query LDAP servers in client configuration"
if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: checking ldap.conf options"
+ LogText "Test: checking ldap.conf options"
for I in ${LDAP_CONF_LOCATIONS}; do
- logtext "Test: checking ${I}"
+ LogText "Test: checking ${I}"
if [ -f ${I} ]; then
- logtext "Result: file ${I} exists, LDAP being used"
+ LogText "Result: file ${I} exists, LDAP being used"
LDAP_CLIENT_CONFIG_FILE="${I}"
- logtext "Test: checking LDAP servers in file ${I}"
+ LogText "Test: checking LDAP servers in file ${I}"
FIND2=`egrep "^host " ${I} | awk '{ print $2 }'`
for I in ${FIND2}; do
Display --indent 6 --text "LDAP server: ${I}"
- logtext "Result: found LDAP server ${I}"
- report "ldap_server[]=${I}"
+ LogText "Result: found LDAP server ${I}"
+ Report "ldap_server[]=${I}"
done
else
- logtext "Result: ${I} does NOT exist"
+ LogText "Result: ${I} does NOT exist"
fi
done
fi
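Review bot: the inner loop `for I in ${FIND2}` reuses the outer loop variable `I`, which at that point holds the ldap.conf path, so `LogText "Result: found LDAP server ${I}"` and `Report "ldap_server[]=${I}"` read as if they referred to the file, and any code added after the inner loop that expects `I` to still be the config file will break; rename the inner variable (e.g. `SERVER`). Separately, `egrep "^host "` is case-sensitive and matches only the `host` directive, so a client ldap.conf written with `URI ldap://...` (the form OpenLDAP's ldap.conf(5) recommends over the deprecated host) reports no servers; match `^[Hh][Oo][Ss][Tt]` and `^[Uu][Rr][Ii]` or use `grep -i -E "^(host|uri) "`.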
@@ -1140,16 +1140,16 @@
if [ -f /etc/login.defs ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no AUTH-9408 --preqs-met ${PREQS_MET} --weight L --network NO --description "Logging of failed login attempts via /etc/login.defs"
if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: Checking FAILLOG_ENAB option in /etc/login.defs "
+ LogText "Test: Checking FAILLOG_ENAB option in /etc/login.defs "
FIND=`grep "^FAILLOG_ENAB" /etc/login.defs | awk '{ if ($1=="FAILLOG_ENAB") { print $2 } }'`
# Search for enabled status (yes), otherwise consider it to be disabled (e.g. empty, or other value)
if [ "${FIND}" = "yes" ]; then
AUTH_FAILED_LOGINS_LOGGED=1
- logtext "Result: failed login attempts are logged in /var/log/faillog"
+ LogText "Result: failed login attempts are logged in /var/log/faillog"
Display --indent 2 --text "- Logging failed login attempts" --result ENABLED --color GREEN
AddHP 3 3
else
- logtext "Result: failed login attempts are not logged"
+ LogText "Result: failed login attempts are not logged"
Display --indent 2 --text "- Logging failed login attempts" --result DISABLED --color YELLOW
#ReportSuggestion ${TEST_NO} "Configure failed login attempts to be logged in /var/log/faillog"
AddHP 0 1
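Review bot: the two outcomes of AUTH-9408 award different maximums (`AddHP 3 3` when enabled, `AddHP 0 1` when disabled), so the hardening-index denominator depends on the result rather than on the test; use the same second argument in both branches. The comparison `[ "${FIND}" = "yes" ]` is case-sensitive while login.defs booleans are commonly written either as `yes` or `YES`, so lowercase FIND before comparing, and with `#ReportSuggestion` left commented out the DISABLED result currently produces no actionable item in the report.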
@@ -1159,17 +1159,17 @@
#################################################################################
#
-report "auth_failed_logins_logged=${AUTH_FAILED_LOGINS_LOGGED}"
-report "ldap_auth_enabled=${LDAP_AUTH_ENABLED}"
-report "ldap_pam_enabled=${LDAP_PAM_ENABLED}"
+Report "auth_failed_logins_logged=${AUTH_FAILED_LOGINS_LOGGED}"
+Report "ldap_auth_enabled=${LDAP_AUTH_ENABLED}"
+Report "ldap_pam_enabled=${LDAP_PAM_ENABLED}"
if [ ! "${LDAP_CLIENT_CONFIG_FILE}" = "" ]; then
- report "ldap_config_file=${LDAP_CLIENT_CONFIG_FILE}"
+ Report "ldap_config_file=${LDAP_CLIENT_CONFIG_FILE}"
fi
-report "password_min_days=${PASSWORD_MINIMUM_DAYS}"
-report "password_max_days=${PASSWORD_MAXIMUM_DAYS}"
+Report "password_min_days=${PASSWORD_MINIMUM_DAYS}"
+Report "password_max_days=${PASSWORD_MAXIMUM_DAYS}"
wait_for_keypress
#
#================================================================================
-# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com
+# Lynis - Copyright 2007-2016, Michael Boelen, CISOfy - https://cisofy.com
diff --git a/include/tests_banners b/include/tests_banners
index 96e3998e..05603476 100644
--- a/include/tests_banners
+++ b/include/tests_banners
@@ -5,7 +5,7 @@
# Lynis
# ------------------
#
-# Copyright 2007-2015, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
+# Copyright 2007-2016, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
# Web site: https://cisofy.com
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
@@ -31,29 +31,29 @@
# Description : Check FreeBSD COPYRIGHT banner file
Register --test-no BANN-7113 --os FreeBSD --weight L --network NO --description "Check COPYRIGHT banner file"
if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: Testing existence /COPYRIGHT or /etc/COPYRIGHT"
+ LogText "Test: Testing existence /COPYRIGHT or /etc/COPYRIGHT"
if [ -f /COPYRIGHT ]; then
Display --indent 2 --text "- /COPYRIGHT" --result FOUND --color GREEN
if [ -s /COPYRIGHT ]; then
- logtext "Result: /COPYRIGHT available and contains text"
+ LogText "Result: /COPYRIGHT available and contains text"
else
- logtext "Result: /COPYRIGHT available, but empty"
+ LogText "Result: /COPYRIGHT available, but empty"
fi
else
Display --indent 2 --text "- /COPYRIGHT" --result "NOT FOUND" --color WHITE
- logtext "Result: /COPYRIGHT not found"
+ LogText "Result: /COPYRIGHT not found"
fi
if [ -f /etc/COPYRIGHT ]; then
Display --indent 2 --text "- /etc/COPYRIGHT" --result FOUND --color GREEN
if [ -s /etc/COPYRIGHT ]; then
- logtext "Result: /etc/COPYRIGHT available and contains text"
+ LogText "Result: /etc/COPYRIGHT available and contains text"
else
- logtext "Result: /etc/COPYRIGHT available, but empty"
+ LogText "Result: /etc/COPYRIGHT available, but empty"
fi
else
Display --indent 2 --text "- /etc/COPYRIGHT" --result "NOT FOUND" --color WHITE
- logtext "Result: /etc/COPYRIGHT not found"
+ LogText "Result: /etc/COPYRIGHT not found"
fi
fi
#
@@ -63,25 +63,24 @@
# Description : Check MOTD banner file
Register --test-no BANN-7119 --weight L --network NO --description "Check MOTD banner file"
if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: Testing existence /etc/motd"
+ LogText "Test: Testing existence /etc/motd"
if [ -f /etc/motd ]; then
- logtext "Result: file /etc/motd exists"
+ LogText "Result: file /etc/motd exists"
Display --indent 2 --text "- /etc/motd" --result FOUND --color GREEN
if [ ! -L /etc/motd ]; then
- IsWorldWritable /etc/motd
- if [ $? -eq 1 ]; then
+ if IsWorldWritable /etc/motd; then
Display --indent 4 --text "- /etc/motd permissions" --result WARNING --color RED
- logtext "Result: /etc/motd is world writable. Users can change this file!"
+ LogText "Result: /etc/motd is world writable. Users can change this file!"
ReportWarning ${TEST_NO} "H" "/etc/motd is world writable"
else
Display --indent 4 --text "- /etc/motd permissions" --result OK --color GREEN
- logtext "Result: /etc/motd is not world writable."
+ LogText "Result: /etc/motd is not world writable."
fi
else
- logtext "Result: file /etc/motd is symlink"
+ LogText "Result: file /etc/motd is symlink"
fi
else
- logtext "Result: File /etc/motd not found"
+ LogText "Result: File /etc/motd not found"
Display --indent 2 --text "- /etc/motd" --result "NOT FOUND" --color WHITE
fi
fi
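Review bot: the change from `IsWorldWritable /etc/motd; if [ $? -eq 1 ]` to `if IsWorldWritable /etc/motd; then` inverts the meaning of the condition: the old code treated exit status 1 as "world writable", the new form takes the WARNING branch on exit status 0. Unless IsWorldWritable's return convention was changed in the same commit (its definition is not part of this diff), the WARNING and OK branches are now swapped for this test; confirm the helper returns 0 for a world-writable file, and ideally cite that in a short comment so future callers use the same convention.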
@@ -95,21 +94,21 @@
Register --test-no BANN-7122 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check /etc/motd banner file contents"
if [ ${SKIPTEST} -eq 0 ]; then
N=0
- logtext "Test: Checking file /etc/motd contents for legal key words"
+ LogText "Test: Checking file /etc/motd contents for legal key words"
for I in ${LEGAL_BANNER_STRINGS}; do
FIND=`grep -i "${I}" /etc/motd`
if [ ! "${FIND}" = "" ]; then
- logtext "Result: found string '${I}'"
+ LogText "Result: found string '${I}'"
N=`expr ${N} + 1`
fi
done
# Check if we have 5 or more key words
if [ ${N} -gt 4 ]; then
- logtext "Result: Found ${N} key words, to warn unauthorized users"
+ LogText "Result: Found ${N} key words, to warn unauthorized users"
Display --indent 4 --text "- /etc/motd contents" --result OK --color GREEN
AddHP 2 2
else
- logtext "Result: Found only ${N} key words, to warn unauthorized users and could be increased"
+ LogText "Result: Found only ${N} key words, to warn unauthorized users and could be increased"
Display --indent 4 --text "- /etc/motd contents" --result WEAK --color YELLOW
ReportSuggestion ${TEST_NO} "Add legal banner to /etc/motd, to warn unauthorized users"
AddHP 0 1
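Review bot: `FIND=\`grep -i "${I}" /etc/motd\`` uses each entry of LEGAL_BANNER_STRINGS as an unanchored regular expression, so a short keyword counts when it appears inside an unrelated longer word and any regex metacharacter in the list is interpreted rather than matched literally; `grep -iwF` (fixed string, whole word) counts actual words. As in AUTH-9408, the two branches use different maximums (`AddHP 2 2` vs `AddHP 0 1`); the same pair recurs in the /etc/issue and /etc/issue.net content tests below and should be made consistent in all three places.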
@@ -122,17 +121,17 @@
# Description : Check issue banner file
Register --test-no BANN-7124 --weight L --network NO --description "Check issue banner file"
if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: Checking file /etc/issue"
+ LogText "Test: Checking file /etc/issue"
if [ -f /etc/issue ]; then
# Check for symlink
if [ -L /etc/issue ]; then
- logtext "Result: file /etc/issue exists (symlink)"
+ LogText "Result: file /etc/issue exists (symlink)"
Display --indent 2 --text "- /etc/issue" --result SYMLINK --color GREEN
else
Display --indent 2 --text "- /etc/issue" --result FOUND --color GREEN
fi
else
- logtext "Result: file /etc/issue does not exist"
+ LogText "Result: file /etc/issue does not exist"
Display --indent 2 --text "- /etc/issue" --result "NOT FOUND" --color WHITE
fi
fi
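Review bot: unlike the /etc/motd test above, /etc/issue gets no IsWorldWritable check, and the non-symlink FOUND branch has no LogText entry (the /etc/issue.net test below logs `file /etc/issue.net exists`), so the log carries no trace of this result; add the LogText and consider the world-writable check for parity, since /etc/issue is the banner shown before authentication.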
@@ -146,21 +145,21 @@
Register --test-no BANN-7126 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check issue banner file contents"
if [ ${SKIPTEST} -eq 0 ]; then
N=0
- logtext "Test: Checking file /etc/issue contents for legal key words"
+ LogText "Test: Checking file /etc/issue contents for legal key words"
for I in ${LEGAL_BANNER_STRINGS}; do
FIND=`grep -i "${I}" /etc/issue`
if [ ! "${FIND}" = "" ]; then
- logtext "Result: found string '${I}'"
+ LogText "Result: found string '${I}'"
N=`expr ${N} + 1`
fi
done
# Check if we have 5 or more key words
if [ ${N} -gt 4 ]; then
- logtext "Result: Found ${N} key words (5 or more suggested), to warn unauthorized users"
+ LogText "Result: Found ${N} key words (5 or more suggested), to warn unauthorized users"
Display --indent 4 --text "- /etc/issue contents" --result OK --color GREEN
AddHP 2 2
else
- logtext "Result: Found only ${N} key words (5 or more suggested), to warn unauthorized users and could be increased"
+ LogText "Result: Found only ${N} key words (5 or more suggested), to warn unauthorized users and could be increased"
Display --indent 4 --text "- /etc/issue contents" --result WEAK --color YELLOW
ReportSuggestion ${TEST_NO} "Add a legal banner to /etc/issue, to warn unauthorized users"
AddHP 0 1
@@ -173,18 +172,18 @@
# Description : Check issue.net banner file
Register --test-no BANN-7128 --weight L --network NO --description "Check issue.net banner file"
if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: Checking file /etc/issue.net"
+ LogText "Test: Checking file /etc/issue.net"
if [ -f /etc/issue.net ]; then
# Check for symlink
if [ -L /etc/issue.net ]; then
- logtext "Result: file /etc/issue.net exists (symlink)"
+ LogText "Result: file /etc/issue.net exists (symlink)"
Display --indent 2 --text "- /etc/issue.net" --result SYMLINK --color GREEN
else
- logtext "Result: file /etc/issue.net exists"
+ LogText "Result: file /etc/issue.net exists"
Display --indent 2 --text "- /etc/issue.net" --result FOUND --color GREEN
fi
else
- logtext "Result: file /etc/issue.net does not exist"
+ LogText "Result: file /etc/issue.net does not exist"
Display --indent 2 --text "- /etc/issue.net" --result "NOT FOUND" --color WHITE
fi
fi
@@ -198,21 +197,21 @@
Register --test-no BANN-7130 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check issue.net banner file contents"
if [ ${SKIPTEST} -eq 0 ]; then
N=0
- logtext "Test: Checking file /etc/issue.net contents for legal key words"
+ LogText "Test: Checking file /etc/issue.net contents for legal key words"
for I in ${LEGAL_BANNER_STRINGS}; do
FIND=`grep -i "${I}" /etc/issue.net`
if [ ! "${FIND}" = "" ]; then
- logtext "Result: found string '${I}'"
+ LogText "Result: found string '${I}'"
N=`expr ${N} + 1`
fi
done
# Check if we have 5 or more key words
if [ ${N} -gt 4 ]; then
- logtext "Result: Found ${N} key words, to warn unauthorized users"
+ LogText "Result: Found ${N} key words, to warn unauthorized users"
Display --indent 4 --text "- /etc/issue.net contents" --result OK --color GREEN
AddHP 2 2
else
- logtext "Result: Found only ${N} key words, to warn unauthorized users and could be increased"
+ LogText "Result: Found only ${N} key words, to warn unauthorized users and could be increased"
Display --indent 4 --text "- /etc/issue.net contents" --result WEAK --color YELLOW
ReportSuggestion ${TEST_NO} "Add legal banner to /etc/issue.net, to warn unauthorized users"
AddHP 0 1
@@ -226,4 +225,4 @@ wait_for_keypress
#
#================================================================================
-# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com
+# Lynis - Copyright 2007-2016, Michael Boelen, CISOfy - https://cisofy.com
diff --git a/include/tests_boot_services b/include/tests_boot_services
index 85532bcd..ad526381 100644
--- a/include/tests_boot_services
+++ b/include/tests_boot_services
@@ -5,7 +5,7 @@
# Lynis
# ------------------
#
-# Copyright 2007-2015, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
+# Copyright 2007-2016, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
# Web site: https://cisofy.com
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
@@ -36,16 +36,16 @@
Register --test-no BOOT-5102 --os AIX --weight L --network NO --root-only YES --description "Check for AIX boot device"
if [ ${SKIPTEST} -eq 0 ]; then
BOOT_LOADER_SEARCHED=1
- logtext "Test: Query bootinfo for AIX boot device"
+ LogText "Test: Query bootinfo for AIX boot device"
if [ -x /usr/sbin/bootinfo ]; then
FIND=`/usr/sbin/bootinfo -b`
if [ ! "${FIND}" = "" ]; then
- logtext "Result: found boot device ${FIND}"
+ LogText "Result: found boot device ${FIND}"
Display --indent 2 --text "- Checking boot device (bootinfo)" --result FOUND --color GREEN
BOOT_LOADER="ROS"
BOOT_LOADER_FOUND=1
else
- logtext "Result: no data received from bootinfo, most likely boot device not found"
+ LogText "Result: no data received from bootinfo, most likely boot device not found"
#Display --indent 4 --text "- Checking boot device (bootinfo)" --result "NOT FOUND" --color YELLOW
#ReportSuggestion ${TEST_NO} "Only use root (not sudo account) to query properly boot device"
fi
@@ -80,11 +80,11 @@
SERVICE_MANAGER="systemd"
;;
*)
- logtext "Found ${SHORTNAME} but unclear what service manager this is"
+ LogText "Found ${SHORTNAME} but unclear what service manager this is"
;;
esac
else
- logtext "Result: Could not find linked file ${sFILE}"
+ LogText "Result: Could not find linked file ${sFILE}"
fi
else
FIND=`echo ${FILE} | grep "/systemd"`
@@ -93,7 +93,7 @@
fi
fi
else
- logtext "Result: /proc/1/cmdline does not link to a binary on disk"
+ LogText "Result: /proc/1/cmdline does not link to a binary on disk"
fi
fi
# Continue testing if we didn't find it yet
@@ -107,7 +107,7 @@
fi
;;
*)
- logtext "Result: unknown service manager"
+ LogText "Result: unknown service manager"
esac
if [ "${SERVICE_MANAGER}" = "unknown" ]; then
Display --indent 2 --text "- Service Manager" --result "UNKNOWN" --color YELLOW
@@ -124,7 +124,7 @@
if [ ${SKIPTEST} -eq 0 ]; then
FileExists /System/Library/CoreServices/boot.efi
if [ ${FILE_FOUND} -eq 1 ]; then
- logtext "Result: found Mac OS X boot.efi file"
+ LogText "Result: found Mac OS X boot.efi file"
BOOT_LOADER="MacOS-boot-EFI"
BOOT_LOADER_FOUND=1
fi
@@ -141,39 +141,39 @@
Linux)
UEFI_TESTS_PERFORMED=1
# Check if UEFI is available in this boot
- logtext "Test: checking if UEFI is used"
+ LogText "Test: checking if UEFI is used"
if [ -d /sys/firmware/efi ]; then
- logtext "Result: system booted in UEFI mode"
+ LogText "Result: system booted in UEFI mode"
UEFI_BOOTED=1
else
- logtext "Result: UEFI not used, can't find /sys/firmware/efi directory"
+ LogText "Result: UEFI not used, can't find /sys/firmware/efi directory"
fi
# Test if Secure Boot is enabled
- logtext "Test: determine if Secure Boot is used"
+ LogText "Test: determine if Secure Boot is used"
if [ -d /sys/firmware/efi/efivars ]; then
FIND=`ls /sys/firmware/efi/efivars/SecureBoot-* 2> /dev/null`
if [ ! "${FIND}" = "" ]; then
for I in ${FIND}; do
- logtext "Test: checking file ${I}"
+ LogText "Test: checking file ${I}"
J=`od -An -t u1 ${I} | awk '{ print $5 }'`
if [ "${J}" = "1" ]; then
- logtext "Result: found SecureBoot file with enabled status"
+ LogText "Result: found SecureBoot file with enabled status"
UEFI_BOOTED_SECURE=1
else
- logtext "Result: system not booted with Secure Boot (status 0 in file ${I})"
+ LogText "Result: system not booted with Secure Boot (status 0 in file ${I})"
fi
done
fi
else
- logtext "Result: system not booted with Secure Boot (no SecureBoot file found)"
+ LogText "Result: system not booted with Secure Boot (no SecureBoot file found)"
fi
;;
#MacOS)
# Mac OS ioreg -l -p IODeviceTree | grep firmware-abi
#;;
*)
- logtext "Result: no test implemented yet to test for UEFI on this platform"
+ LogText "Result: no test implemented yet to test for UEFI on this platform"
;;
esac
if [ ${UEFI_BOOTED} -eq 1 ]; then
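Review bot: when /sys/firmware/efi/efivars exists but `ls /sys/firmware/efi/efivars/SecureBoot-*` matches nothing, FIND is empty and nothing is logged, because the `no SecureBoot file found` message sits only under the `else` for a missing efivars directory; the report then cannot distinguish "firmware without Secure Boot support" from "not checked", so add a LogText for the empty-FIND case. `od -An -t u1 ${I} | awk '{ print $5 }'` depends on the efivarfs layout of four attribute bytes followed by the one-byte variable value; a comment stating that would help the next reader, and the `else` message "status 0 in file" should say "status ${J}" since any non-1 value lands there.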
@@ -198,7 +198,7 @@
if [ ${SKIPTEST} -eq 0 ]; then
BOOT_LOADER_SEARCHED=1
FOUND=0
- logtext "Test: Checking for presence GRUB conf file (/boot/grub/grub.conf or /boot/grub/menu.lst)"
+ LogText "Test: Checking for presence GRUB conf file (/boot/grub/grub.conf or /boot/grub/menu.lst)"
if [ -f /boot/grub/grub.conf -o -f /boot/grub/menu.lst ]; then
FOUND=1
BOOT_LOADER="GRUB"
@@ -220,21 +220,21 @@
elif [ -f /boot/grub2/grub.cfg ]; then
GRUBCONFFILE="/boot/grub2/grub.cfg"
fi
- logtext "Result: found GRUB2 configuration file (${GRUBCONFFILE})"
+ LogText "Result: found GRUB2 configuration file (${GRUBCONFFILE})"
fi
# Some OSes like Gentoo do not have /boot mounted by default
if [ -d /boot ]; then
if [ "`ls /boot/* 2> /dev/null`" = "" -a ! "${GRUB2INSTALLBINARY}" = "" ]; then
BOOT_LOADER_FOUND=1
- logtext "Result: found empty /boot, however with GRUB2 binary installed. Best guess is that GRUB2 is actually installed, but /boot not mounted"
+ LogText "Result: found empty /boot, however with GRUB2 binary installed. Best guess is that GRUB2 is actually installed, but /boot not mounted"
Display --indent 2 --text "- Checking presence GRUB2" --result "POSSIBLE MATCH" --color YELLOW
ReportManual "${TEST_NO}:01"
fi
fi
if [ ${FOUND} -eq 0 ]; then
- logtext "Result: no GRUB configuration file found."
+ LogText "Result: no GRUB configuration file found."
fi
fi
#
@@ -246,7 +246,7 @@
Register --test-no BOOT-5122 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check for GRUB boot password"
if [ ${SKIPTEST} -eq 0 ]; then
FOUND=0
- logtext "Found file ${GRUBCONFFILE}, proceeding with tests."
+ LogText "Found file ${GRUBCONFFILE}, proceeding with tests."
FileIsReadable ${GRUBCONFFILE}
if [ ${CANREAD} -eq 1 ]; then
FIND=`grep 'password --md5' ${GRUBCONFFILE} | grep -v '^#'`
@@ -262,16 +262,16 @@
fi
if [ ${FOUND} -eq 1 ]; then
Display --indent 4 --text "- Checking for password protection" --result OK --color GREEN
- logtext "Result: GRUB has password protection."
+ LogText "Result: GRUB has password protection."
AddHP 4 4
else
Display --indent 4 --text "- Checking for password protection" --result WARNING --color RED
- logtext "Result: Didn't find hashed password line in GRUB boot file!"
+ LogText "Result: Didn't find hashed password line in GRUB boot file!"
ReportSuggestion ${TEST_NO} "Set a password on GRUB bootloader to prevent altering boot configuration (e.g. boot in single user mode without password)"
AddHP 0 2
fi
else
- logtext "Result: Can not read ${GRUBCONFFILE} (no permission)"
+ LogText "Result: Can not read ${GRUBCONFFILE} (no permission)"
fi
fi
#
@@ -283,12 +283,12 @@
if [ ${SKIPTEST} -eq 0 ]; then
BOOT_LOADER_SEARCHED=1
if [ -f /boot/boot1 -a -f /boot/boot2 -a -f /boot/loader ]; then
- logtext "Result: found boot1, boot2 and loader files in /boot"
+ LogText "Result: found boot1, boot2 and loader files in /boot"
Display --indent 2 --text "- Checking presence FreeBSD loader" --result FOUND --color GREEN
BOOT_LOADER="FreeBSD"
BOOT_LOADER_FOUND=1
else
- logtext "Result: Not all expected files found in /boot"
+ LogText "Result: Not all expected files found in /boot"
fi
fi
#
@@ -300,12 +300,12 @@
if [ ${SKIPTEST} -eq 0 ]; then
BOOT_LOADER_SEARCHED=1
if [ -f /boot.${HARDWARE} -o -f /boot -o -f /ofwboot ]; then
- logtext "Result: found NetBSD secondary bootstrap"
+ LogText "Result: found NetBSD secondary bootstrap"
Display --indent 2 --text "- Checking presence NetBSD loader" --result FOUND --color GREEN
BOOT_LOADER="NetBSD"
BOOT_LOADER_FOUND=1
else
- logtext "Result: NetBSD secondary bootstrap not found"
+ LogText "Result: NetBSD secondary bootstrap not found"
ReportException "${TEST_NO}:1" "No boot loader found on NetBSD"
fi
fi
@@ -319,32 +319,32 @@
if [ ${SKIPTEST} -eq 0 ]; then
BOOT_LOADER_SEARCHED=1
LILOCONFFILE="/etc/lilo.conf"
- logtext "Test: checking for presence LILO configuration file"
+ LogText "Test: checking for presence LILO configuration file"
if [ -f ${LILOCONFFILE} ]; then
FileIsReadable ${LILOCONFFILE}
if [ ${CANREAD} -eq 1 ]; then
BOOT_LOADER="LILO"
BOOT_LOADER_FOUND=1
Display --indent 2 --text "- Checking presence LILO" --result "OK" --color GREEN
- logtext "Checking password option LILO"
+ LogText "Checking password option LILO"
FIND=`${EGREPBINARY} 'password[[:space:]]?=' ${LILOCONFFILE} | grep -v "^#"`
if [ "${FIND}" = "" ]; then
Display --indent 4 --text "- Password option presence " --result "WARNING" --color RED
- logtext "Result: no password set for LILO. Bootloader is unprotected to"
- logtext "dropping to single user mode or unauthorized access to devices/data."
+ LogText "Result: no password set for LILO. Bootloader is unprotected to"
+ LogText "dropping to single user mode or unauthorized access to devices/data."
ReportSuggestion ${TEST_NO} "Add a password to LILO, by adding a line to the lilo.conf file, above the first line saying 'image=<name>': password=<password>"
ReportWarning ${TEST_NO} "M" "No password set on LILO bootloader"
AddHP 0 2
else
Display --indent 4 --text "- Password option presence " --result "OK" --color GREEN
- logtext "Result: LILO password option set"
+ LogText "Result: LILO password option set"
AddHP 4 4
fi
else
- logtext "Result: can not read ${LILOCONFFILE} (no permission)"
+ LogText "Result: can not read ${LILOCONFFILE} (no permission)"
fi
else
- logtext "Result: LILO configuration file not found"
+ LogText "Result: LILO configuration file not found"
fi
fi
#
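Review bot: the `grep -v "^#"` filter on the `FIND=` line only discards comments that start in column 1, so an indented `# password=` line in lilo.conf still counts as a set password, and `[[:space:]]?` tolerates at most one whitespace character before the `=`; consider `grep -v '^[[:space:]]*#'` and `password[[:space:]]*=`. The suggestion text tells the user to add `password=<password>` to lilo.conf, which stores the password in cleartext, so the suggestion should also say to restrict lilo.conf to root (mode 600); otherwise the check rewards a configuration that exposes the boot password to every local user.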
@@ -356,12 +356,12 @@
if [ ${SKIPTEST} -eq 0 ]; then
BOOT_LOADER_SEARCHED=1
if [ -f /etc/silo.conf ]; then
- logtext "Result: Found SILO configuration file (/etc/silo.conf)"
+ LogText "Result: Found SILO configuration file (/etc/silo.conf)"
Display --indent 2 --text "- Checking boot loader SILO" --result FOUND --color GREEN
BOOT_LOADER="SILO"
BOOT_LOADER_FOUND=1
else
- logtext "Result: no SILO configuration file found."
+ LogText "Result: no SILO configuration file found."
fi
fi
#
@@ -375,10 +375,10 @@
# if [ -f /etc/silo.conf -a -x /sbin/silo ]; then
# FIND=`/sbin/silo | grep "appears to be valid"`
# if [ ! "${FIND}" = "" ]; then
-# logtext "Result: Found SILO configuration file (/etc/silo.conf)"
+# LogText "Result: Found SILO configuration file (/etc/silo.conf)"
# Display --indent 6 --text "- Checking SILO consistency" --result OK --color GREEN
# else
-# logtext "Result: no positive result received from silo binary"
+# LogText "Result: no positive result received from silo binary"
# ReportWarning ${TEST_NO} "Possible issue with boot loader (SILO)"
# Display --indent 6 --text "- Checking SILO consistency" --result WARNING --color RED
# fi
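Review bot: every line touched in this hunk is commented-out SILO consistency code, so the rename is being maintained on dead code; either drop the block or reactivate it rather than keeping it in sync by hand.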
@@ -392,14 +392,14 @@
Register --test-no BOOT-5155 --weight L --network NO --description "Check for YABOOT boot loader configuration file"
if [ ${SKIPTEST} -eq 0 ]; then
BOOT_LOADER_SEARCHED=1
- logtext "Test: Check for /etc/yaboot.conf"
+ LogText "Test: Check for /etc/yaboot.conf"
if [ -f /etc/yaboot.conf ]; then
- logtext "Result: Found YABOOT configuration file (/etc/yaboot.conf)"
+ LogText "Result: Found YABOOT configuration file (/etc/yaboot.conf)"
Display --indent 4 --text "- Checking boot loader YABOOT" --result FOUND --color GREEN
BOOT_LOADER="YABOOT"
BOOT_LOADER_FOUND=1
else
- logtext "Result: no YABOOT configuration file found."
+ LogText "Result: no YABOOT configuration file found."
fi
fi
#
@@ -429,16 +429,16 @@
ReportWarning ${TEST_NO} "M" "System can be booted into single user mode without password"
else
Display --indent 4 --text "- Checking boot option" --result OK --color GREEN
- logtext "Ok, boot option is enabled."
+ LogText "Ok, boot option is enabled."
fi
else
Display --indent 2 --text "- Checking /etc/boot.conf" --result "NOT FOUND" --color YELLOW
- logtext "Result: no /etc/boot.conf found. When using the default boot loader, physical"
- logtext "access to the server can be used to possibly enter single user mode."
+ LogText "Result: no /etc/boot.conf found. When using the default boot loader, physical"
+ LogText "access to the server can be used to possibly enter single user mode."
ReportSuggestion ${TEST_NO} "Add 'boot' to the /etc/boot.conf file to disable the default 5 seconds waiting time."
fi
if [ ${FOUND} -eq 1 ]; then
- logtext "Result: found OpenBSD boot loader"
+ LogText "Result: found OpenBSD boot loader"
BOOT_LOADER="OpenBSD"
BOOT_LOADER_FOUND=1
fi
@@ -462,22 +462,22 @@
if [ ${SKIPTEST} -eq 0 ]; then
if [ ! "${SERVICEBINARY}" = "" ]; then
# FreeBSD (Ask services(8) for enabled services)
- logtext "Searching for services at startup (service)"
+ LogText "Searching for services at startup (service)"
FIND=`${SERVICEBINARY} -e | sed 's|^.*\/||' | sort`
else
# FreeBSD (Read /etc/rc.conf file for enabled services)
- logtext "Searching for services at startup (rc.conf)"
+ LogText "Searching for services at startup (rc.conf)"
FIND=`egrep -v -i '^#|none' /etc/rc.conf | egrep -i '_enable.*(yes|on|1)' | sort | awk -F= '{ print $1 }' | sed 's/_enable//'`
fi
N=0
for I in ${FIND}; do
- logtext "Found service (service/rc.conf): ${I}"
- report "boottask[]=${I}"
+ LogText "Found service (service/rc.conf): ${I}"
+ Report "boottask[]=${I}"
N=`expr ${N} + 1`
done
Display --indent 2 --text "- Checking services at startup (service/rc.conf)" --result "DONE" --color GREEN
Display --indent 6 --text "Result: found $N services/options set"
- logtext "Found $N services/options to run at startup"
+ LogText "Found $N services/options to run at startup"
fi
#
#################################################################################
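Review bot: the `FIND=` line in the rc.conf branch calls `egrep`, `sed`, `sort` and `awk` directly, while the `service` branch goes through `${SERVICEBINARY}` and the LILO test above uses `${EGREPBINARY}`; use the binary variables here as well so the lookup behaves the same on hosts with a minimal PATH.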
@@ -488,59 +488,59 @@
Register --test-no BOOT-5177 --os Linux --weight L --network NO --description "Check for Linux boot and running services"
if [ ${SKIPTEST} -eq 0 ]; then
CHECKED=0
- logtext "Test: checking presence systemctl binary"
+ LogText "Test: checking presence systemctl binary"
# Determine if we have systemctl on board
if [ ! "${SYSTEMCTLBINARY}" = "" ]; then
- logtext "Result: systemctl binary found, trying that to discover information"
+ LogText "Result: systemctl binary found, trying that to discover information"
# Running services
- logtext "Searching for running services (systemctl services only)"
+ LogText "Searching for running services (systemctl services only)"
FIND=`${SYSTEMCTLBINARY} --full --type=service | awk '{ if ($4=="running") { print $1 } }' | awk -F. '{ print $1 }'`
N=0
- report "running_service_tool=systemctl"
+ Report "running_service_tool=systemctl"
for I in ${FIND}; do
- logtext "Found running service: ${I}"
- report "running_service[]=${I}"
+ LogText "Found running service: ${I}"
+ Report "running_service[]=${I}"
N=`expr ${N} + 1`
done
- logtext "Note: Run systemctl --full --type=service to see all services"
+ LogText "Note: Run systemctl --full --type=service to see all services"
Display --indent 2 --text "- Check running services (systemctl)" --result "DONE" --color GREEN
Display --indent 8 --text "Result: found $N running services"
- logtext "Result: Found $N enabled services"
+ LogText "Result: Found $N enabled services"
# Services at boot
- logtext "Searching for enabled services (systemctl services only)"
+ LogText "Searching for enabled services (systemctl services only)"
FIND=`${SYSTEMCTLBINARY} list-unit-files --type=service | awk '{ if ($2=="enabled") { print $1 } }' | awk -F. '{ print $1 }'`
N=0
- report "boot_service_tool=systemctl"
+ Report "boot_service_tool=systemctl"
for I in ${FIND}; do
- logtext "Found enabled service at boot: ${I}"
- report "boot_service[]=${I}"
+ LogText "Found enabled service at boot: ${I}"
+ Report "boot_service[]=${I}"
N=`expr ${N} + 1`
done
- logtext "Note: Run systemctl list-unit-files --type=service to see all services"
+ LogText "Note: Run systemctl list-unit-files --type=service to see all services"
Display --indent 2 --text "- Check enabled services at boot (systemctl)" --result "DONE" --color GREEN
Display --indent 8 --text "Result: found $N enabled services"
- logtext "Result: Found $N running services"
+ LogText "Result: Found $N running services"
else
- logtext "Result: systemctl binary not found, checking chkconfig binary"
+ LogText "Result: systemctl binary not found, checking chkconfig binary"
if [ ! "${CHKCONFIGBINARY}" = "" ]; then
- logtext "Result: chkconfig binary found, trying that to discover information"
- logtext "Searching for services at startup (chkconfig, runlevel 3 and 5)"
+ LogText "Result: chkconfig binary found, trying that to discover information"
+ LogText "Searching for services at startup (chkconfig, runlevel 3 and 5)"
FIND=`${CHKCONFIGBINARY} --list | egrep '3:on|5:on' | awk '{ print $1 }'`
N=0
- report "boot_service_tool=chkconfig"
+ Report "boot_service_tool=chkconfig"
for I in ${FIND}; do
- logtext "Found service (at boot, runlevel 3 or 5): ${I}"
- report "boot_service[]=${I}"
+ LogText "Found service (at boot, runlevel 3 or 5): ${I}"
+ Report "boot_service[]=${I}"
N=`expr ${N} + 1`
done
- logtext "Suggestion: Run chkconfig --list to see all services and disable unneeded services"
+ LogText "Suggestion: Run chkconfig --list to see all services and disable unneeded services"
Display --indent 2 --text "- Check services at startup (chkconfig)" --result "DONE" --color GREEN
Display --indent 8 --text "Result: found $N services"
- logtext "Result: Found $N services at startup"
+ LogText "Result: Found $N services at startup"
else
- logtext "Result: both systemctl and chkconfig not found. Skipping this test"
+ LogText "Result: both systemctl and chkconfig not found. Skipping this test"
fi
fi
fi
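Review bot: the two `Result:` log lines in the systemctl branch are swapped: after the running-services loop the new line reads `LogText "Result: Found $N enabled services"` while the `Display` above it reports running services, and after the enabled-services loop it reads `LogText "Result: Found $N running services"`. Since this hunk rewrites both lines anyway, swap the words so the log file matches the screen output.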
@@ -555,24 +555,24 @@
if [ ${SKIPTEST} -eq 0 ]; then
# Runlevel check
sRUNLEVEL=`${RUNLEVELBINARY} | grep "N [0-9]" | awk '{ print $2} '`
- logtext "Result: found runlevel ${sRUNLEVEL}"
+ LogText "Result: found runlevel ${sRUNLEVEL}"
if [ "${sRUNLEVEL}" = "2" ]; then
- logtext "Result: performing find in /etc/rc2.d as runlevel 2 is found"
+ LogText "Result: performing find in /etc/rc2.d as runlevel 2 is found"
FIND=`find /etc/rc2.d -type l -print | cut -d '/' -f4 | sed "s/S[0-9][0-9]//g" | sort`
if [ ! "${FIND}" = "" ]; then
N=0
for I in ${FIND}; do
- logtext "Found service (at boot, runlevel 2): ${I}"
+ LogText "Found service (at boot, runlevel 2): ${I}"
N=`expr ${N} + 1`
done
Display --indent 2 --text "- Check services at startup (rc2.d)" --result "DONE" --color WHITE
Display --indent 4 --text "Result: found $N services"
- logtext "Result: found $N services"
+ LogText "Result: found $N services"
fi
elif [ "${sRUNLEVEL}" = "" ]; then
ReportSuggestion ${TEST_NO} "Determine runlevel and services at startup"
else
- logtext "Result: skipping further actions"
+ LogText "Result: skipping further actions"
fi
fi
#
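Review bot: the `FIND=` line for runlevel 2 lists every symlink in /etc/rc2.d, but `sed "s/S[0-9][0-9]//g"` only strips the start-script prefix, so `K##` kill links are counted and logged as services at boot too; restrict the find to `-name 'S*'` (or skip K entries) before counting. The sed expression is also unanchored, so an `S` followed by two digits anywhere inside a service name is removed as well; anchor it with `^`.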
@@ -585,45 +585,43 @@
FOUND=0
CHECKDIRS="/etc/init.d /etc/rc.d /etc/rcS.d"
- logtext "Result: checking /etc/init.d scripts for writable bit"
+ LogText "Result: checking /etc/init.d scripts for writable bit"
for I in ${CHECKDIRS}; do
- logtext "Test: checking if directory ${I} exists"
+ LogText "Test: checking if directory ${I} exists"
if [ -d ${I} ]; then
- logtext "Result: directory ${I} found"
- logtext "Test: checking for available files in directory"
+ LogText "Result: directory ${I} found"
+ LogText "Test: checking for available files in directory"
FIND=`find ${I} -type f -print`
if [ ! "${FIND}" = "" ]; then
- logtext "Result: found files in directory, checking permissions now"
+ LogText "Result: found files in directory, checking permissions now"
for J in ${FIND}; do
- logtext "Test: checking permissions of file ${J}"
- IsWorldWritable ${J}
- if [ $? -eq 1 ]; then
- logtext "Result: warning, file ${J} is world writable"
+ LogText "Test: checking permissions of file ${J}"
+ if IsWorldWritable ${J}; then
+ LogText "Result: warning, file ${J} is world writable"
FOUND=1
else
- logtext "Result: good, file ${J} not world writable"
+ LogText "Result: good, file ${J} not world writable"
fi
done
else
- logtext "Result: found no files in directory."
+ LogText "Result: found no files in directory."
fi
else
- logtext "Result: directory ${I} not found. Skipping.."
+ LogText "Result: directory ${I} not found. Skipping.."
fi
done
# /etc/rc[0-6].d
for NO in 0 1 2 3 4 5 6; do
- logtext "Test: Checking /etc/rc${NO}.d scripts for writable bit"
+ LogText "Test: Checking /etc/rc${NO}.d scripts for writable bit"
if [ -d /etc/rc${NO}.d ]; then
FIND=`find /etc/rc${NO}.d -type f -print`
for I in ${FIND}; do
- IsWorldWritable ${I}
- if [ $? -eq 1 ]; then
- logtext "Result: warning, file ${I} is world writable"
+ if IsWorldWritable ${I}; then
+ LogText "Result: warning, file ${I} is world writable"
FOUND=1
else
- logtext "Result: good, file ${I} not world writable"
+ LogText "Result: good, file ${I} not world writable"
fi
done
fi
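Review bot: the `IsWorldWritable` refactor in this hunk changes what is tested: the removed lines branch on `$? -eq 1` (world writable when the function returns 1), while `if IsWorldWritable ${J}; then` takes the warning branch when it returns 0. Unless the function's return convention was flipped in the same change, both loops now log `warning, file ... is world writable` for safe files and `good` for writable ones, and set FOUND the wrong way round; please confirm the function returns 0 for world-writable files and document that convention next to it. The same `$?` pattern is replaced in two more hunks below, so the answer applies there as well.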
@@ -633,14 +631,13 @@
CHECKFILES="/etc/rc /etc/rc.local /etc/rc.d/rc.sysinit"
for I in ${CHECKFILES}; do
if [ -f ${I} ]; then
- logtext "Test: Checking ${I} file for writable bit"
- IsWorldWritable ${I}
- if [ $? -eq 1 ]; then
+ LogText "Test: Checking ${I} file for writable bit"
+ if IsWorldWritable ${I}; then
ReportWarning ${TEST_NO} "H" "Found writable startup script ${I}"
FOUND=1
- logtext "Result: warning, file ${I} is world writable"
+ LogText "Result: warning, file ${I} is world writable"
else
- logtext "Result: good, file ${I} not world writable"
+ LogText "Result: good, file ${I} not world writable"
fi
fi
done
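Review bot: same return-value question as the previous hunk: `if IsWorldWritable ${I}; then` now raises the `H` warning on a zero exit status where the removed `$? -eq 1` test raised it on one, so this branch is inverted unless IsWorldWritable was changed to return 0 for writable files.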
@@ -649,7 +646,7 @@
if [ ${FOUND} -eq 1 ]; then
Display --indent 2 --text "- Check startup files (permissions)" --result "WARNING" --color RED
ReportWarning ${TEST_NO} "Found world writable startup scripts" "-" "-"
- logtext "Result: found one or more scripts which are possibly writable by other users"
+ LogText "Result: found one or more scripts which are possibly writable by other users"
AddHP 0 3
else
Display --indent 2 --text "- Check startup files (permissions)" --result "OK" --color GREEN
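Review bot: the `ReportWarning ${TEST_NO} "Found world writable startup scripts" "-" "-"` call in this hunk passes the message as the second argument, whereas the other calls in this file pass a severity first (`ReportWarning ${TEST_NO} "H" "Found writable startup script ${I}"`, `ReportWarning ${TEST_NO} "M" "..."`), and the Docker test further down uses the four-argument form again; as written the message string may land in the severity slot. Confirm which signature ReportWarning expects and use one form consistently within the commit.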
@@ -689,8 +686,8 @@
if [ ! "${SYSCTLBINARY}" = "" ]; then
TIME_BOOT=`${SYSCTLBINARY} -n kern.boottime`
TIME_NOW=`date "+%s"`
- logtext "Boot time: ${TIME_BOOT}"
- logtext "Current time: ${TIME_NOW}"
+ LogText "Boot time: ${TIME_BOOT}"
+ LogText "Current time: ${TIME_NOW}"
if [ ! "${TIME_BOOT}" = "" -a ! "${TIME_NOW}" = "" ]; then
UPTIME_IN_SECS=`expr ${TIME_NOW} - ${TIME_BOOT}`
else
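Review bot: `UPTIME_IN_SECS=`expr ${TIME_NOW} - ${TIME_BOOT}`` assumes `sysctl -n kern.boottime` prints a bare epoch value, but on FreeBSD (and macOS) it prints a struct-style value (`{ sec = ..., usec = ... }` followed by a date), so `expr` fails with a syntax error and the only trace is the `Boot time:` log line; extract the `sec` field before subtracting and guard the non-numeric case.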
@@ -721,12 +718,12 @@
if [ ! "${FIND}" = "" ]; then
UPTIME_IN_SECS="${FIND}"
UPTIME_IN_DAYS=`expr ${UPTIME_IN_SECS} / 60 / 60 / 24`
- logtext "Uptime (in seconds): ${UPTIME_IN_SECS}"
- logtext "Uptime (in days): ${UPTIME_IN_DAYS}"
- report "uptime_in_seconds=${UPTIME_IN_SECS}"
- report "uptime_in_days=${UPTIME_IN_DAYS}"
+ LogText "Uptime (in seconds): ${UPTIME_IN_SECS}"
+ LogText "Uptime (in days): ${UPTIME_IN_DAYS}"
+ Report "uptime_in_seconds=${UPTIME_IN_SECS}"
+ Report "uptime_in_days=${UPTIME_IN_DAYS}"
else
- logtext "Result: no uptime information available"
+ LogText "Result: no uptime information available"
fi
fi
#
@@ -737,36 +734,36 @@
Register --test-no BOOT-5260 --weight L --network NO --description "Check single user mode for systemd"
if [ ${SKIPTEST} -eq 0 ]; then
# Check if file exists
- logtext "Test: Searching /usr/lib/systemd/system/rescue.service"
+ LogText "Test: Searching /usr/lib/systemd/system/rescue.service"
if [ -f /usr/lib/systemd/system/rescue.service ]; then
- logtext "Result: file /usr/lib/systemd/system/rescue.service"
- logtext "Test: checking presence sulogin for single user mode"
+ LogText "Result: file /usr/lib/systemd/system/rescue.service"
+ LogText "Test: checking presence sulogin for single user mode"
FIND=`egrep "^ExecStart=-(/bin/sh -c \")?(/usr)?/(s)?bin/sulogin" /usr/lib/systemd/system/rescue.service`
if [ ! "${FIND}" = "" ]; then
FOUND=1
- logtext "Result: found sulogin, so single user is protected"
+ LogText "Result: found sulogin, so single user is protected"
AddHP 3 3
else
- logtext "Result: did not find sulogin in rescue.service"
+ LogText "Result: did not find sulogin in rescue.service"
AddHP 1 3
Display --indent 2 --text "- Checking sulogin in rescue.service" --result "NOT FOUND" --color YELLOW
ReportSuggestion "${TEST_NO}" "Protect rescue.service by using sulogin"
fi
else
- logtext "Result: file /usr/lib/systemd/system/rescue.service does not exist"
+ LogText "Result: file /usr/lib/systemd/system/rescue.service does not exist"
fi
fi
#
#################################################################################
#
-report "boot_loader=${BOOT_LOADER}"
-report "boot_uefi_booted=${UEFI_BOOTED}"
-report "boot_uefi_booted_secure=${UEFI_BOOTED_SECURE}"
-report "service_manager=${SERVICE_MANAGER}"
+Report "boot_loader=${BOOT_LOADER}"
+Report "boot_uefi_booted=${UEFI_BOOTED}"
+Report "boot_uefi_booted_secure=${UEFI_BOOTED_SECURE}"
+Report "service_manager=${SERVICE_MANAGER}"
wait_for_keypress
#
#================================================================================
-# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com
+# Lynis - Copyright 2007-2016, Michael Boelen, CISOfy - https://cisofy.com
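Review bot: the rescue.service check only looks at the hard-coded `/usr/lib/systemd/system/rescue.service`; on distributions that ship units under `/lib/systemd/system`, and on any host with an override in `/etc/systemd/system`, the effective unit is a different file, so the test either skips silently or grades the vendor unit rather than the one that actually runs. Also, the `FOUND=1` branch logs `found sulogin` and adds HP but never calls `Display`, while the NOT FOUND branch does; add the matching `Display ... --result OK` so the screen output is symmetric.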
diff --git a/include/tests_containers b/include/tests_containers
index 33c67a0b..077f32c1 100644
--- a/include/tests_containers
+++ b/include/tests_containers
@@ -5,7 +5,7 @@
# Lynis
# ------------------
#
-# Copyright 2007-2015, Michael Boelen (michael.boelen@cisofy.com)
+# Copyright 2007-2016, Michael Boelen (michael.boelen@cisofy.com)
# Web site: https://cisofy.com
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
@@ -31,7 +31,7 @@
if [ -x /usr/sbin/zoneadm ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no CONT-8004 --os Solaris --weight L --network NO --description "Query running Solaris zones"
if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: query zoneadm to list all running zones"
+ LogText "Test: query zoneadm to list all running zones"
FIND=`/usr/sbin/zoneadm list -p | awk -F: '{ if ($2!="global") print $0 }'`
if [ ! "${FIND}" = "" ]; then
N=0
@@ -39,13 +39,13 @@
N=`expr ${N} + 1`
ZONEID=`echo ${I} | cut -d ':' -f1`
ZONENAME=`echo ${I} | cut -d ':' -f2`
- logtext "Result: found zone ${ZONENAME} (running)"
- report "solaris_running_zone[]=${ZONENAME} [id:${ZONEID}]"
+ LogText "Result: found zone ${ZONENAME} (running)"
+ Report "solaris_running_zone[]=${ZONENAME} [id:${ZONEID}]"
done
- logtext "Result: total of ${N} running zones"
+ LogText "Result: total of ${N} running zones"
Display --indent 2 --text "- Checking Solaris Zones" --result "FOUND ${N} zones" --color GREEN
else
- logtext "Result: no running zones found"
+ LogText "Result: no running zones found"
Display --indent 2 --text "- Checking Solaris Zones" --result NONE --color WHITE
fi
fi
@@ -62,7 +62,7 @@
#for I in ${FIND}; do
#XENGUESTNAME=`echo ${I} | cut -d ':' -f1`
#XENGUESTID=`echo ${I} | cut -d ':' -f2`
- #logtext "Result: found Xen guest ${XENGUESTNAME} (ID: ${XENGUESTID})"
+ #LogText "Result: found Xen guest ${XENGUESTNAME} (ID: ${XENGUESTID})"
#done
#fi
#
@@ -74,8 +74,8 @@
if [ ${SKIPTEST} -eq 0 ]; then
IsRunning "docker -d"
if [ ${RUNNING} -eq 1 ]; then
- logtext "Result: found Docker daemon running"
- report "docker_daemon_running=1"
+ LogText "Result: found Docker daemon running"
+ Report "docker_daemon_running=1"
DOCKER_DAEMON_RUNNING=1
Display --indent 4 --text "- Docker"
Display --indent 6 --text "- Docker daemon" --result RUNNING --color GREEN
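Review bot: `IsRunning "docker -d"` matches only a daemon started the old way; since Docker 1.8 the daemon runs as `docker daemon` (and later as `dockerd`), so on those hosts `RUNNING` stays 0 and every Docker test gated on `DOCKER_DAEMON_RUNNING` is skipped without any notice. Match the newer process names as well and log when no daemon is found.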
@@ -91,20 +91,20 @@
Register --test-no CONT-8104 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking Docker info for any warnings"
if [ ${SKIPTEST} -eq 0 ]; then
COUNT=0
- logtext "Test: Check for any warnings"
+ LogText "Test: Check for any warnings"
FIND=`${DOCKERBINARY} info 2>&1 | grep "^WARNING:" | cut -d " " -f 2- | sed 's/ /:space:/g'`
if [ ! "${FIND}" = "" ]; then
- logtext "Result: found warning(s) in output"
+ LogText "Result: found warning(s) in output"
for I in ${FIND}; do
J=`echo ${I} | sed 's/:space:/ /g'`
- logtext "Output: ${J}"
+ LogText "Output: ${J}"
COUNT=`expr ${COUNT} + 1`
done
Display --indent 8 --text "- Docker info output (warnings)" --result "${COUNT}" --color RED
ReportSuggestion "${TEST_NO}" "Run 'docker info' to see warnings applicable to Docker daemon"
AddHP 3 4
else
- logtext "Result: no warnings found from 'docker info' output"
+ LogText "Result: no warnings found from 'docker info' output"
Display --indent 8 --text "- Docker info output (warnings)" --result "NONE" --color GREEN
AddHP 1 1
fi
@@ -121,16 +121,16 @@
Display --indent 6 --text "- Containers"
# Check total of containers
- logtext "Test: checking total amount of Docker containers"
+ LogText "Test: checking total amount of Docker containers"
DOCKER_CONTAINERS_TOTAL=`${DOCKERBINARY} info 2> /dev/null | grep "^Containers: " | awk '{ print $2 }'`
if [ "${DOCKER_CONTAINERS_TOTAL}" = "" ]; then
DOCKER_CONTAINERS_TOTAL=0
fi
- logtext "Result: docker info shows ${DOCKER_CONTAINERS_TOTAL} containers"
+ LogText "Result: docker info shows ${DOCKER_CONTAINERS_TOTAL} containers"
DOCKER_CONTAINERS_TOTAL2=`${DOCKERBINARY} ps -a 2> /dev/null | grep -v "CONTAINER" | wc -l`
- logtext "Result: docker ps -a shows ${DOCKER_CONTAINERS_TOTAL2} containers"
+ LogText "Result: docker ps -a shows ${DOCKER_CONTAINERS_TOTAL2} containers"
if [ ! "${DOCKER_CONTAINERS_TOTAL}" = "${DOCKER_CONTAINERS_TOTAL2}" ]; then
- logtext "Result: difference detected, which is unexpected"
+ LogText "Result: difference detected, which is unexpected"
ReportSuggestion "${TEST_NO}" "Test output of both 'docker ps -a' and 'docker info', to determine why they report a different amount of containers"
Display --indent 8 --text "- Total containers" --result "UNKNOWN" --color RED
else
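Review bot: `DOCKER_CONTAINERS_TOTAL2` comes from `docker ps -a ... | wc -l` and is compared as a string with the number taken from `docker info`; on BSD-derived userlands `wc -l` pads its output with leading spaces, so the two strings differ even when the counts agree and the test reports UNKNOWN in red. Trim the value (for example with `tr -d ' '`) before the comparison.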
@@ -141,11 +141,11 @@
DOCKER_CONTAINERS_RUNNING=`${DOCKERBINARY} ps 2> /dev/null | grep -v "CONTAINER" | wc -l`
Display --indent 8 --text "- Running containers" --result "${DOCKER_CONTAINERS_RUNNING}" --color GREEN
if [ ${DOCKER_CONTAINERS_RUNNING} -gt 0 ]; then
- logtext "Result: ${DOCKER_CONTAINERS_RUNNING} containers are currently active"
- report "docker_containers_running=${DOCKER_CONTAINERS_RUNNING}"
+ LogText "Result: ${DOCKER_CONTAINERS_RUNNING} containers are currently active"
+ Report "docker_containers_running=${DOCKER_CONTAINERS_RUNNING}"
else
- logtext "Result: no active containers"
- report "docker_containers_running=0"
+ LogText "Result: no active containers"
+ Report "docker_containers_running=0"
fi
# Check if there aren't too many unused containers on the system
@@ -156,7 +156,7 @@
Display --indent 8 --text "- Unused containers" --result "${DOCKER_CONTAINERS_UNUSED}" --color RED
AddHP 0 2
else
- logtext "Result: found ${DOCKER_CONTAINERS_UNUSED} unused containers"
+ LogText "Result: found ${DOCKER_CONTAINERS_UNUSED} unused containers"
Display --indent 8 --text "- Unused containers" --result "${DOCKER_CONTAINERS_UNUSED}" --color YELLOW
AddHP 1 1
fi
@@ -173,16 +173,15 @@
if [ ${SKIPTEST} -eq 0 ]; then
NOT_WORLD_WRITABLE="/var/run/docker.sock"
for I in ${NOT_WORLD_WRITABLE}; do
- logtext "Test: Check ${I}"
+ LogText "Test: Check ${I}"
if [ -f ${I} ]; then
- logtext "Result: file ${I} found, permissions will be tested"
- IsWorldWritable ${I}
- if [ $? -eq 1 ]; then
- logtext "Result: file is writable by others, which is a security risk (e.g. privilege escalation)"
+ LogText "Result: file ${I} found, permissions will be tested"
+ if IsWorldWritable ${I}; then
+ LogText "Result: file is writable by others, which is a security risk (e.g. privilege escalation)"
ReportWarning "${TEST_NO}" "Docker file is world writable" "${I}" "-"
DOCKER_FILE_PERMISSIONS_WARNINGS=`expr ${DOCKER_FILE_PERMISSIONS_WARNINGS} + 1`
else
- logtext "Result: file is not writable by others, which is fine"
+ LogText "Result: file is not writable by others, which is fine"
fi
fi
done
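Review bot: the `if [ -f ${I} ]` guard in this hunk never holds for `/var/run/docker.sock`, because `-f` is true only for regular files and the Docker socket is a Unix domain socket; the permission test inside it is dead code and the socket's mode is never checked. Use `-S` (or `-e`) here, and note that the same return-convention question as in the boot-services hunks applies to the new `if IsWorldWritable ${I}; then`.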
@@ -202,4 +201,4 @@ wait_for_keypress
#
#================================================================================
-# Lynis - Copyright 2007-2015, CISOfy - https://cisofy.com
+# Lynis - Copyright 2007-2016, CISOfy - https://cisofy.com
diff --git a/include/tests_crypto b/include/tests_crypto
index 7a08962b..84fa86c4 100644
--- a/include/tests_crypto
+++ b/include/tests_crypto
@@ -5,7 +5,7 @@
# Lynis
# ------------------
#
-# Copyright 2007-2015, Michael Boelen (michael.boelen@cisofy.com), CISOfy
+# Copyright 2007-2016, Michael Boelen (michael.boelen@cisofy.com), CISOfy
# Web site: https://cisofy.com
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
@@ -34,32 +34,32 @@
if [ -d ${I} ]; then
FileIsReadable ${I}
if [ ${CANREAD} -eq 1 ]; then
- logtext "Result: found directory ${I}"
+ LogText "Result: found directory ${I}"
# Search for CRT files
sFINDCRTS=`find ${I} -name "*.crt" -type f -print 2> /dev/null`
for J in ${sFINDCRTS}; do
FileIsReadable ${J}
if [ ${CANREAD} -eq 1 ]; then
- logtext "Test: checking certificate ${J}"
+ LogText "Test: checking certificate ${J}"
# Check certificate where 'end date' has been expired
FIND=`${OPENSSLBINARY} x509 -noout -checkend 0 -in ${J} -enddate > /dev/null ; echo $?`
if [ "${FIND}" = "0" ]; then
- logtext "Result: certificate ${J} seems to be correct and still valid"
- report "valid_certificate[]=${J}|unknown entity|"
+ LogText "Result: certificate ${J} seems to be correct and still valid"
+ Report "valid_certificate[]=${J}|unknown entity|"
else
FOUNDPROBLEM=1
- logtext "Result: certificate ${J} has been expired"
- report "expired_certificate[]=${J}|unknown entity|"
+ LogText "Result: certificate ${J} has been expired"
+ Report "expired_certificate[]=${J}|unknown entity|"
fi
else
- logtext "Result: can not read file ${J} (no permission)"
+ LogText "Result: can not read file ${J} (no permission)"
fi
done
else
- logtext "Result: can not read path ${I} (no permission)"
+ LogText "Result: can not read path ${I} (no permission)"
fi
else
- logtext "Result: SSL path ${I} does not exist"
+ LogText "Result: SSL path ${I} does not exist"
fi
done
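Review bot: the `if [ "${FIND}" = "0" ]` test treats every non-zero exit from `openssl x509 -checkend 0` as an expired certificate, but openssl also exits non-zero when it cannot parse the file (a DER-encoded certificate, a key or a bundle misnamed `.crt`), so such files are reported as `expired_certificate[]` and set FOUNDPROBLEM. Distinguish a parse failure from an expiry (a failed parse prints an error on stderr), and consider a non-zero `-checkend` window so certificates that are about to expire are surfaced before they break something.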
@@ -78,4 +78,4 @@ wait_for_keypress
#
#================================================================================
-# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com
+# Lynis - Copyright 2007-2016, Michael Boelen, CISOfy - https://cisofy.com
diff --git a/include/tests_custom.template b/include/tests_custom.template
index 73cbc9ff..972bf017 100644
--- a/include/tests_custom.template
+++ b/include/tests_custom.template
@@ -5,7 +5,7 @@
# Lynis
# ------------------
#
-# Copyright 2007-2015, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
+# Copyright 2007-2016, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
# Web site: https://cisofy.com
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
@@ -58,17 +58,17 @@
# If everything is fine, perform test
if [ ${SKIPTEST} -eq 0 ]; then
FOUND=0
- logtext "Test: checking something"
+ LogText "Test: checking something"
if [ ${FOUND} -eq 0 ]; then
Display --indent 4 --text "- Performing custom test" --result OK --color GREEN
- logtext "Result: the test result looks great!"
+ LogText "Result: the test result looks great!"
# Optional: create a suggestion after a specific finding
#ReportSuggestion "${TEST_NO}" "This is my suggestion to improve the system even further."
else
Display --indent 4 --text "- Performing custom test" --result WARNING --color RED
- logtext "Result: this test had a bad result :("
+ LogText "Result: this test had a bad result :("
# Throw a warning to the screen and report
ReportWarning ${TEST_NO} "M" "This is a warning message"
fi
@@ -82,4 +82,4 @@ wait_for_keypress
#
#================================================================================
-# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com
+# Lynis - Copyright 2007-2016, Michael Boelen, CISOfy - https://cisofy.com
diff --git a/include/tests_databases b/include/tests_databases
index 98805879..16dae170 100644
--- a/include/tests_databases
+++ b/include/tests_databases
@@ -5,7 +5,7 @@
# Lynis
# ------------------
#
-# Copyright 2007-2015, Michael Boelen (michael@rootkit.nl), The Netherlands
+# Copyright 2007-2016, Michael Boelen (michael@rootkit.nl), The Netherlands
# Web site: http://www.rootkit.nl
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
@@ -38,10 +38,10 @@
FIND=`${PSBINARY} ax | egrep "mysqld|mysqld_safe" | grep -v "grep"`
if [ "${FIND}" = "" ]; then
Display --indent 2 --text "- MySQL process status" --result "NOT FOUND" --color WHITE
- logtext "Result: MySQL process not active"
+ LogText "Result: MySQL process not active"
else
Display --indent 2 --text "- MySQL process status" --result "FOUND" --color GREEN
- logtext "Result: MySQL is active"
+ LogText "Result: MySQL is active"
MYSQL_RUNNING=1
fi
fi
@@ -70,21 +70,21 @@
if [ ! "${MYSQLCLIENTBINARY}" = "" -a ${MYSQL_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no DBS-1816 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking MySQL root password"
if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: Trying to login to local MySQL server without password"
+ LogText "Test: Trying to login to local MySQL server without password"
FIND=`${MYSQLCLIENTBINARY} -u root --password= --silent --batch --execute="" 2> /dev/null; echo $?`
if [ "${FIND}" = "0" ]; then
- logtext "Result: Login succeeded, no MySQL root password set!"
+ LogText "Result: Login succeeded, no MySQL root password set!"
ReportWarning ${TEST_NO} "H" "No MySQL root password set"
ReportSuggestion ${TEST_NO} "Use mysqladmin to set a MySQL root password (mysqladmin -u root -p password MYPASSWORD)"
Display --indent 4 --text "- Checking empty MySQL root password" --result WARNING --color RED
AddHP 0 5
else
- logtext "Result: Login did not succeed, so a MySQL root password is set"
+ LogText "Result: Login did not succeed, so a MySQL root password is set"
Display --indent 4 --text "- Checking MySQL root password" --result OK --color GREEN
AddHP 2 2
fi
else
- logtext "Test skipped, MySQL daemon not running or no MySQL client available"
+ LogText "Test skipped, MySQL daemon not running or no MySQL client available"
fi
#
#################################################################################
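Review bot: the `else` branch of the `if [ "${FIND}" = "0" ]` test treats every non-zero exit of the mysql client as proof that a root password is set and awards `AddHP 2 2`, but the client also exits non-zero when it cannot reach the server at all (wrong socket path, server listening elsewhere, client and server version mismatch), so a host with an empty root password can pass this check. Inspect the client's error output (access denied versus connection failure) before scoring, and log which case was hit.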
@@ -96,10 +96,10 @@
FIND=`${PSBINARY} ax | grep "postgres:" | grep -v "grep"`
if [ "${FIND}" = "" ]; then
Display --indent 2 --text "- PostgreSQL processes status" --result "NOT FOUND" --color WHITE
- logtext "Result: PostgreSQL process not active"
+ LogText "Result: PostgreSQL process not active"
else
Display --indent 2 --text "- PostgreSQL processes status" --result "FOUND" --color GREEN
- logtext "Result: PostgreSQL is active"
+ LogText "Result: PostgreSQL is active"
POSTGRESQL_RUNNING=1
fi
fi
@@ -121,10 +121,10 @@
FIND=`${PSBINARY} ax | egrep "ora_pmon|ora_smon|tnslsnr" | grep -v "grep"`
if [ "${FIND}" = "" ]; then
Display --indent 2 --text "- Oracle processes status" --result "NOT FOUND" --color WHITE
- logtext "Result: Oracle process(es) not active"
+ LogText "Result: Oracle process(es) not active"
else
Display --indent 2 --text "- Oracle processes status" --result "FOUND" --color GREEN
- logtext "Result: Oracle is active"
+ LogText "Result: Oracle is active"
ORACLE_RUNNING=1
fi
fi
@@ -142,13 +142,13 @@
#
#################################################################################
#
-report "mysql_running=${MYSQL_RUNNING}"
-report "oracle_running=${ORACLE_RUNNING}"
-report "postgresql_running=${POSTGRESQL_RUNNING}"
+Report "mysql_running=${MYSQL_RUNNING}"
+Report "oracle_running=${ORACLE_RUNNING}"
+Report "postgresql_running=${POSTGRESQL_RUNNING}"
wait_for_keypress
#
#================================================================================
-# Lynis - Copyright 2007-2015, Michael Boelen - www.rootkit.nl - The Netherlands
+# Lynis - Copyright 2007-2016, Michael Boelen - www.rootkit.nl - The Netherlands
diff --git a/include/tests_file_integrity b/include/tests_file_integrity
index 03fa0908..278f2d07 100644
--- a/include/tests_file_integrity
+++ b/include/tests_file_integrity
@@ -5,7 +5,7 @@
# Lynis
# ------------------
#
-# Copyright 2007-2015, Michael Boelen (michael.boelen@cisofy.com)
+# Copyright 2007-2016, Michael Boelen (michael.boelen@cisofy.com)
# Web site: https://cisofy.com
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
@@ -29,14 +29,14 @@
# Description : Check if AFICK is installed
Register --test-no FINT-4310 --weight L --network NO --description "AFICK availability"
if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: Checking AFICK binary"
+ LogText "Test: Checking AFICK binary"
if [ ! "${AFICKBINARY}" = "" ]; then
- logtext "Result: AFICK is installed (${AFICKBINARY})"
+ LogText "Result: AFICK is installed (${AFICKBINARY})"
FILE_INT_TOOL="afick"
FILE_INT_TOOL_FOUND=1
Display --indent 4 --text "- AFICK" --result FOUND --color GREEN
else
- logtext "Result: AFICK is not installed"
+ LogText "Result: AFICK is not installed"
fi
fi
#
@@ -46,14 +46,14 @@
# Description : Check if AIDE is installed
Register --test-no FINT-4314 --weight L --network NO --description "AIDE availability"
if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: Checking AIDE binary"
+ LogText "Test: Checking AIDE binary"
if [ ! "${AIDEBINARY}" = "" ]; then
- logtext "Result: AIDE is installed (${AIDEBINARY})"
+ LogText "Result: AIDE is installed (${AIDEBINARY})"
FILE_INT_TOOL="aide"
FILE_INT_TOOL_FOUND=1
Display --indent 4 --text "- AIDE" --result FOUND --color GREEN
else
- logtext "Result: AIDE is not installed"
+ LogText "Result: AIDE is not installed"
fi
fi
#
@@ -65,17 +65,17 @@
Register --test-no FINT-4315 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check AIDE configuration file"
if [ ${SKIPTEST} -eq 0 ]; then
AIDE_CONFIG_LOCS="/etc /etc/aide /usr/local/etc"
- logtext "Test: search for aide.conf in ${AIDE_CONFIG_LOCS}"
+ LogText "Test: search for aide.conf in ${AIDE_CONFIG_LOCS}"
for I in ${AIDE_CONFIG_LOCS}; do
if [ -f ${I}/aide.conf ]; then
- logtext "Result: found aide.conf in directory ${I}"
+ LogText "Result: found aide.conf in directory ${I}"
AIDECONFIG="${I}/aide.conf"
fi
done
if [ "${AIDECONFIG}" = "" ]; then
Display --indent 6 --text "- AIDE config file" --result "NOT FOUND" --color YELLOW
else
- logtext "Checking configuration file ${AIDECONFIG} for errors"
+ LogText "Checking configuration file ${AIDECONFIG} for errors"
FIND=`${AIDEBINARY} --config=${AIDECONFIG} -D; echo $?`
if [ "${FIND}" = "0" ]; then
Display --indent 6 --text "- AIDE config file" --result FOUND --color GREEN
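Review bot: the config-validation check in this hunk misreports a valid config whenever aide writes anything to stdout, because `FIND=`${AIDEBINARY} --config=${AIDECONFIG} -D; echo $?`` captures aide's output together with the exit status and then compares the whole string against "0". Discard the command output before appending the status, e.g. `FIND=`${AIDEBINARY} --config=${AIDECONFIG} -D > /dev/null 2>&1; echo $?``. Also, the loop over ${AIDE_CONFIG_LOCS} keeps overwriting AIDECONFIG, so the last directory containing aide.conf silently wins; a `break` after the assignment, or a comment stating the intended precedence, would make that explicit.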
@@ -96,16 +96,16 @@
FIND=`${GREPBINARY} "^Checksums" ${AIDECONFIG}`
FIND2=`${GREPBINARY} "^Checksums" ${AIDECONFIG} | ${EGREPBINARY} "sha256|sha512"`
if [ "${FIND}" = "" ]; then
- logtext "Result: Unclear how AIDE is dealing with checksums"
+ LogText "Result: Unclear how AIDE is dealing with checksums"
Display --indent 6 --text "- AIDE config (Checksums)" --result UNKNOWN --color YELLOW
else
if [ "${FIND2}" = "" ]; then
- logtext "Result: No SHA256 or SHA512 found for creating checksums"
+ LogText "Result: No SHA256 or SHA512 found for creating checksums"
Display --indent 6 --text "- AIDE config (Checksum)" --result WARNING --color RED
ReportSuggestion ${TEST_NO} "Use SHA256 or SHA512 to create checksums in AIDE"
AddHP 1 3
else
- logtext "Result: Found SHA256 or SHA512 found for creating checksums"
+ LogText "Result: Found SHA256 or SHA512 found for creating checksums"
Display --indent 6 --text "- AIDE config (Checksum)" --result OK --color GREEN
AddHP 2 2
fi
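Review bot: the renamed log line at the end of this hunk carries a doubled word: `LogText "Result: Found SHA256 or SHA512 found for creating checksums"`; since the line is being touched anyway, drop the second "found".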
@@ -118,14 +118,14 @@
# Description : Check if Osiris is installed
Register --test-no FINT-4318 --weight L --network NO --description "Osiris availability"
if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: Checking Osiris binary"
+ LogText "Test: Checking Osiris binary"
if [ ! "${OSIRISBINARY}" = "" ]; then
- logtext "Result: Osiris is installed (${OSIRISBINARY})"
+ LogText "Result: Osiris is installed (${OSIRISBINARY})"
FILE_INT_TOOL="osiris"
FILE_INT_TOOL_FOUND=1
Display --indent 4 --text "- Osiris" --result FOUND --color GREEN
else
- logtext "Result: Osiris is not installed"
+ LogText "Result: Osiris is not installed"
fi
fi
#
@@ -135,14 +135,14 @@
# Description : Check if Samhain is installed
Register --test-no FINT-4322 --weight L --network NO --description "Samhain availability"
if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: Checking Samhain binary"
+ LogText "Test: Checking Samhain binary"
if [ ! "${SAMHAINBINARY}" = "" ]; then
- logtext "Result: Samhain is installed (${SAMHAINBINARY})"
+ LogText "Result: Samhain is installed (${SAMHAINBINARY})"
FILE_INT_TOOL="samhain"
FILE_INT_TOOL_FOUND=1
Display --indent 4 --text "- Samhain" --result FOUND --color GREEN
else
- logtext "Result: Samhain is not installed"
+ LogText "Result: Samhain is not installed"
fi
fi
#
@@ -152,14 +152,14 @@
# Description : Check if Tripwire is installed
Register --test-no FINT-4326 --weight L --network NO --description "Tripwire availability"
if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: Checking Tripwire binary"
+ LogText "Test: Checking Tripwire binary"
if [ ! "${TRIPWIREBINARY}" = "" ]; then
- logtext "Result: Tripwire is installed (${TRIPWIREBINARY})"
+ LogText "Result: Tripwire is installed (${TRIPWIREBINARY})"
FILE_INT_TOOL="tripwire"
FILE_INT_TOOL_FOUND=1
Display --indent 4 --text "- Tripwire" --result FOUND --color GREEN
else
- logtext "Result: Tripwire is not installed"
+ LogText "Result: Tripwire is not installed"
fi
fi
#
@@ -169,15 +169,15 @@
# Description : Check if OSSEC system integrity tool is running
Register --test-no FINT-4328 --weight L --network NO --description "OSSEC syscheck daemon running"
if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: Checking if OSSEC syscheck daemon is running"
+ LogText "Test: Checking if OSSEC syscheck daemon is running"
IsRunning ossec-syscheckd
if [ ${RUNNING} -eq 1 ]; then
- logtext "Result: syscheck (OSSEC) installed"
+ LogText "Result: syscheck (OSSEC) installed"
FILE_INT_TOOL="ossec-syscheck"
FILE_INT_TOOL_FOUND=1
Display --indent 4 --text "- OSSEC (syscheck)" --result FOUND --color GREEN
else
- logtext "Result: syscheck (OSSEC) not installed"
+ LogText "Result: syscheck (OSSEC) not installed"
fi
fi
#
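Review bot: the log messages in this hunk say "installed" / "not installed" while the test itself (`IsRunning ossec-syscheckd`, `if [ ${RUNNING} -eq 1 ]`) only checks whether the daemon is running, which is also what the registered description says. As the lines are being renamed anyway, reword them to "syscheck (OSSEC) is running" / "is not running" so the log states what was actually tested.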
@@ -188,14 +188,14 @@
# Note : Usually on BSD and similar
Register --test-no FINT-4330 --weight L --network NO --description "mtree availability"
if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: Checking mtree binary"
+ LogText "Test: Checking mtree binary"
if [ ! "${MTREEBINARY}" = "" ]; then
- logtext "Result: mtree is installed (${MTREEBINARY})"
+ LogText "Result: mtree is installed (${MTREEBINARY})"
FILE_INT_TOOL="mtree"
FILE_INT_TOOL_FOUND=1
Display --indent 4 --text "- mtree" --result FOUND --color GREEN
else
- logtext "Result: mtree is not installed"
+ LogText "Result: mtree is not installed"
fi
fi
#
@@ -209,7 +209,7 @@
Display --indent 4 --text "- lfd (CSF)" --result FOUND --color GREEN
IsRunning 'lfd '
if [ ${RUNNING} -eq 1 ]; then
- logtext "Result: lfd daemon is running (CSF)"
+ LogText "Result: lfd daemon is running (CSF)"
Display --indent 6 --text "- Daemon status" --result RUNNING --color GREEN
FILE_INT_TOOL="csf-lfd"
FILE_INT_TOOL_FOUND=1
@@ -225,18 +225,18 @@
# LFD configuration parameters
ENABLED=`grep "^LF_DAEMON = \"1\"" ${CSF_CONFIG}`
if [ ! "${ENABLED}" = "" ]; then
- logtext "Result: lfd service is configured to run"
+ LogText "Result: lfd service is configured to run"
Display --indent 6 --text "- Configuration status" --result ENABLED --color GREEN
else
- logtext "Result: lfd service is configured NOT to run"
+ LogText "Result: lfd service is configured NOT to run"
Display --indent 6 --text "- Configuration status" --result DISABLED --color YELLOW
fi
ENABLED=`grep "^LF_DIRWATCH =" ${CSF_CONFIG} | awk '{ print $3 }' | sed 's/\"//g'`
if [ ! "${ENABLED}" = "0" -a ! "${ENABLED}" = "" ]; then
- logtext "Result: lfd directory watching is enabled (value: ${ENABLED})"
+ LogText "Result: lfd directory watching is enabled (value: ${ENABLED})"
Display --indent 6 --text "- Temporary directory watches" --result ENABLED --color GREEN
else
- logtext "Result: lfd directory watching is disabled"
+ LogText "Result: lfd directory watching is disabled"
Display --indent 6 --text "- Temporary directory watches" --result DISABLED --color YELLOW
fi
ENABLED=`grep "^LF_DIRWATCH_FILE =" ${CSF_CONFIG} | awk '{ print $3 }' | sed 's/\"//g'`
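Review bot: this hunk keeps bare `grep`, `awk` and `sed` in the three ENABLED= assignments, while the AIDE checks in the same file use ${GREPBINARY} and ${EGREPBINARY}. Use the binary variables here as well so the test resolves the same tools on every platform as the rest of the file.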
@@ -253,13 +253,13 @@
# Description : Check if at least one file integrity tool is installed
Register --test-no FINT-4350 --weight L --network NO --description "File integrity software installed"
if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: Check if at least on file integrity tool is available/installed"
+ LogText "Test: Check if at least on file integrity tool is available/installed"
if [ ${FILE_INT_TOOL_FOUND} -eq 1 ]; then
- logtext "Result: found at least one file integrity tool"
+ LogText "Result: found at least one file integrity tool"
Display --indent 2 --text "- Checking presence integrity tool" --result FOUND --color GREEN
AddHP 5 5
else
- logtext "Result: No file integrity tools found"
+ LogText "Result: No file integrity tools found"
Display --indent 2 --text "- Checking presence integrity tool" --result "NOT FOUND" --color YELLOW
ReportSuggestion ${TEST_NO} "Install a file integrity tool to monitor changes to critical and sensitive files"
AddHP 0 5
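Review bot: typo carried into the renamed line: `LogText "Test: Check if at least on file integrity tool is available/installed"` should read "at least one file integrity tool".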
@@ -269,10 +269,10 @@
#################################################################################
#
-report "file_integrity_tool=${FILE_INT_TOOL}"
-report "file_integrity_tool_installed=${FILE_INT_TOOL_FOUND}"
+Report "file_integrity_tool=${FILE_INT_TOOL}"
+Report "file_integrity_tool_installed=${FILE_INT_TOOL_FOUND}"
wait_for_keypress
#
#================================================================================
-# Lynis - Copyright 2007-2015 Michael Boelen, CISOfy - https://cisofy.com
+# Lynis - Copyright 2007-2016 Michael Boelen, CISOfy - https://cisofy.com
diff --git a/include/tests_file_permissions b/include/tests_file_permissions
index c702e64b..634c25d2 100644
--- a/include/tests_file_permissions
+++ b/include/tests_file_permissions
@@ -5,7 +5,7 @@
# Lynis
# ------------------
#
-# Copyright 2007-2015, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
+# Copyright 2007-2016, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
# Web site: https://cisofy.com
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
@@ -27,15 +27,15 @@
Register --test-no FILE-7524 --weight L --network NO --description "Perform file permissions check"
if [ ${SKIPTEST} -eq 0 ]; then
Display --indent 2 --text "- Starting file permissions check"
- logtext "Test: Checking file permissions"
- logtext "Using profile ${PROFILE} for baseline."
+ LogText "Test: Checking file permissions"
+ LogText "Using profile ${PROFILE} for baseline."
FIND=`egrep '^permfile:|^permdir:' ${PROFILE} | cut -d: -f2`
for I in ${FIND}; do
- logtext "Checking ${I}"
+ LogText "Checking ${I}"
CheckFilePermissions ${I}
- logtext " Expected permissions: ${PROFILEVALUE}"
- logtext " Actual permissions: ${FILEVALUE}"
- logtext " Result: $PERMS"
+ LogText " Expected permissions: ${PROFILEVALUE}"
+ LogText " Actual permissions: ${FILEVALUE}"
+ LogText " Result: $PERMS"
if [ "${PERMS}" = "FILE_NOT_FOUND" ]; then
Display --indent 4 --text "${I}" --result "NOT FOUND" --color WHITE
elif [ "${PERMS}" = "OK" ]; then
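Review bot: the renamed line `LogText " Result: $PERMS"` keeps the bare `$PERMS` while every other reference in this hunk, including the `if [ "${PERMS}" = "FILE_NOT_FOUND" ]` test right below, uses `${PERMS}`; use the braced form for consistency. The bare `egrep '^permfile:|^permdir:' ${PROFILE}` should likewise use ${EGREPBINARY} like the other include files.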
@@ -44,7 +44,7 @@
Display --indent 4 --text "${I}" --result WARNING --color RED
ReportWarning ${TEST_NO} "M" "Incorrect permissions for file ${I}"
else
- logtext "UNKNOWN status for file"
+ LogText "UNKNOWN status for file"
fi
done
fi
@@ -56,4 +56,4 @@ wait_for_keypress
#
#================================================================================
-# Lynis - Copyright 2007-2015, CISOfy - https://cisofy.com
+# Lynis - Copyright 2007-2016, CISOfy - https://cisofy.com
diff --git a/include/tests_filesystems b/include/tests_filesystems
index 50c7308c..caee554c 100644
--- a/include/tests_filesystems
+++ b/include/tests_filesystems
@@ -5,7 +5,7 @@
# Lynis
# ------------------
#
-# Copyright 2007-2015, Michael Boelen (michael.boelen@cisofy.com)
+# Copyright 2007-2016, Michael Boelen (michael.boelen@cisofy.com)
# Web site: https://cisofy.com
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
@@ -36,25 +36,25 @@
Display --indent 2 --text "- Checking mount points"
SEPARATED_FILESYTEMS="/home /tmp /var"
for I in ${SEPARATED_FILESYTEMS}; do
- logtext "Test: Checking if ${I} is mounted separately or mounted on / file system"
+ LogText "Test: Checking if ${I} is mounted separately or mounted on / file system"
if [ -L ${I} ]; then
- logtext "Result: ${I} is a symlink. Manual check required to determine exact file system"
+ LogText "Result: ${I} is a symlink. Manual check required to determine exact file system"
Display --indent 4 --text "- Checking ${I} mount point" --result SYMLINK --color WHITE
elif [ -d ${I} ]; then
- logtext "Result: directory ${I} exists"
+ LogText "Result: directory ${I} exists"
FIND=`mount | grep "${I}"`
if [ ! "${FIND}" = "" ]; then
- logtext "Result: found ${I} as a separated mount point"
+ LogText "Result: found ${I} as a separated mount point"
Display --indent 4 --text "- Checking ${I} mount point" --result OK --color GREEN
AddHP 10 10
else
- logtext "Result: ${I} not found in mount list. Directory most likely stored on / file system"
+ LogText "Result: ${I} not found in mount list. Directory most likely stored on / file system"
Display --indent 4 --text "- Checking ${I} mount point" --result SUGGESTION --color YELLOW
ReportSuggestion ${TEST_NO} "To decrease the impact of a full ${I} file system, place ${I} on a separated partition"
AddHP 9 10
fi
else
- logtext "Result: directory ${I} does not exist"
+ LogText "Result: directory ${I} does not exist"
fi
done
fi
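Review bot: `FIND=`mount | grep "${I}"`` is a substring match over the whole mount line, so /var is reported as a separate mount point (and gets the full 10 hardening points) as soon as anything like /var/log or /var/tmp is mounted separately, and /home matches any device, type or option string that merely contains "/home". Match on the mount-point field instead, e.g. `mount | ${AWKBINARY} -v mp="${I}" '{ if ($3 == mp) { print } }'`.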
@@ -67,7 +67,7 @@
if [ ! "${VGDISPLAYBINARY}" = "" -o ! "${LSVGBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no FILE-6311 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking LVM volume groups"
if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: Checking for LVM volume groups"
+ LogText "Test: Checking for LVM volume groups"
case ${OS} in
AIX)
FIND=`${LSVGBINARY} -o`
@@ -80,15 +80,15 @@
;;
esac
if [ ! "${FIND}" = "" ]; then
- logtext "Result: found one or more volume groups"
+ LogText "Result: found one or more volume groups"
for I in ${FIND}; do
- logtext "Found LVM volume group: ${I}"
- report "lvm_volume_group[]=${I}"
+ LogText "Found LVM volume group: ${I}"
+ Report "lvm_volume_group[]=${I}"
done
LVM_VG_USED=1
Display --indent 2 --text "- Checking LVM volume groups" --result FOUND --color GREEN
else
- logtext "Result: no LVM volume groups found"
+ LogText "Result: no LVM volume groups found"
Display --indent 2 --text "- Checking LVM volume groups" --result NONE --color WHITE
fi
fi
@@ -100,7 +100,7 @@
if [ ${LVM_VG_USED} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no FILE-6312 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking LVM volumes"
if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: Checking for LVM volumes"
+ LogText "Test: Checking for LVM volumes"
case ${OS} in
AIX)
ACTIVE_VG_LIST=`${LSVGBINARY} -o`
@@ -114,14 +114,14 @@
;;
esac
if [ ! "${FIND}" = "" ]; then
- logtext "Result: found one or more volumes"
+ LogText "Result: found one or more volumes"
for I in ${FIND}; do
- logtext "Found LVM volume: ${I}"
- report "lvm_volume[]=${I}"
+ LogText "Found LVM volume: ${I}"
+ Report "lvm_volume[]=${I}"
done
Display --indent 4 --text "- Checking LVM volumes" --result FOUND --color GREEN
else
- logtext "Result: no LVM volume groups found"
+ LogText "Result: no LVM volume groups found"
Display --indent 4 --text "- Checking LVM volumes" --result NONE --color WHITE
fi
fi
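Review bot: copy-paste error in the else branch of this hunk: the LVM volumes test logs `LogText "Result: no LVM volume groups found"` when it is the volumes, not the volume groups, that were not found (FILE-6311 above already covers the volume-group case); change it to "no LVM volumes found".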
@@ -140,19 +140,19 @@
# Description : Checking Linux EXT2, EXT3, EXT4 file systems
Register --test-no FILE-6323 --os Linux --weight L --network NO --description "Checking EXT file systems"
if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: Checking for Linux EXT file systems"
+ LogText "Test: Checking for Linux EXT file systems"
FIND=`mount -t ext2,ext3,ext4 | awk '{ print $3","$5 }'`
if [ ! "${FIND}" = "" ]; then
- logtext "Result: found one or more EXT file systems"
+ LogText "Result: found one or more EXT file systems"
for I in ${FIND}; do
FILESYSTEM=`echo ${I} | cut -d ',' -f1`
FILETYPE=`echo ${I} | cut -d ',' -f2`
- logtext "File system: ${FILESYSTEM} (type: ${FILETYPE})"
- report "file_systems_ext[]=${FILESYSTEM}|${FILETYPE}|"
+ LogText "File system: ${FILESYSTEM} (type: ${FILETYPE})"
+ Report "file_systems_ext[]=${FILESYSTEM}|${FILETYPE}|"
done
else
- logtext "Result: no EXT file systems found"
- report "file_systems_ext[]=none"
+ LogText "Result: no EXT file systems found"
+ Report "file_systems_ext[]=none"
fi
fi
#
@@ -163,17 +163,17 @@
if [ -f /etc/fstab ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no FILE-6329 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking FFS/UFS file systems"
if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: Query /etc/fstab for available FFS/UFS mount points"
+ LogText "Test: Query /etc/fstab for available FFS/UFS mount points"
FIND=`awk '{ if ($3 == "ufs" || $3 == "ffs" ) { print $1":"$2":"$3":"$4":" }}' /etc/fstab`
if [ "${FIND}" = "" ]; then
Display --indent 2 --text "- Querying FFS/UFS mount points (fstab)" --result NONE --color WHITE
- logtext "Result: unable to find any single mount point (FFS/UFS)"
+ LogText "Result: unable to find any single mount point (FFS/UFS)"
else
Display --indent 2 --text "- Querying FFS/UFS mount points (fstab)" --result FOUND --color GREEN
- report "filesystem[]=ufs"
+ Report "filesystem[]=ufs"
for I in ${FIND}; do
- logtext "FFS/UFS mount found: ${I}"
- report "mountpoint_ufs[]=${I}"
+ LogText "FFS/UFS mount found: ${I}"
+ Report "mountpoint_ufs[]=${I}"
done
fi
fi
@@ -184,17 +184,17 @@
# Description : Query all ZFS mounts from /etc/fstab
Register --test-no FILE-6330 --os FreeBSD --weight L --network NO --description "Checking ZFS file systems"
if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: Query /etc/fstab for available ZFS mount points"
+ LogText "Test: Query /etc/fstab for available ZFS mount points"
FIND=`mount -p | awk '{ if ($3 == "zfs") { print $1":"$2":"$3":"$4":" }}'`
if [ "${FIND}" = "" ]; then
Display --indent 2 --text "- Querying ZFS mount points (mount -p)" --result NONE --color WHITE
- logtext "Result: unable to find any single mount point (ZFS)"
+ LogText "Result: unable to find any single mount point (ZFS)"
else
Display --indent 2 --text "- Querying ZFS mount points (mount -p)" --result FOUND --color GREEN
- report "filesystem[]=zfs"
+ Report "filesystem[]=zfs"
for I in ${FIND}; do
- logtext "ZFS mount found: ${I}"
- report "mountpoint_zfs[]=${I}"
+ LogText "ZFS mount found: ${I}"
+ Report "mountpoint_zfs[]=${I}"
done
fi
fi
@@ -207,14 +207,14 @@
Register --test-no FILE-6332 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking swap partitions"
if [ ${SKIPTEST} -eq 0 ]; then
FOUND=0
- logtext "Test: query swap partitions from /etc/fstab file"
+ LogText "Test: query swap partitions from /etc/fstab file"
# Check if third field contains 'swap'
FIND=`awk '{ if ($2=="swap" || $3=="swap") { print $1 }}' /etc/fstab | grep -v "^#"`
for I in ${FIND}; do
FOUND=1
REAL=""
UUID=""
- logtext "Swap partition found: ${I}"
+ LogText "Swap partition found: ${I}"
# YYY Add a test if partition is not a normal partition (e.g. UUID=)
# Can be ^/dev/mapper/vg-name_lv-name
# Can be ^/dev/partition
@@ -223,24 +223,24 @@
HAS_UUID=`echo ${I} | grep "^UUID="`
if [ ! "${HAS_UUID}" = "" ]; then
UUID=`echo ${HAS_UUID} | awk -F= '{ print $2 }'`
- logtext "Result: Using ${UUID} as UUID"
+ LogText "Result: Using ${UUID} as UUID"
if [ ! "${BLKIDBINARYx}" = "" ]; then
FIND2=`${BLKIDBINARY} | awk '{ if ($2=="UUID=\"${UUID}\"") print $1 }' | sed 's/:$//'`
if [ ! "${FIND2}" = "" ]; then
REAL="${FIND2}"
fi
else
- logtext "Result: blkid binary not found, trying by checking device listing"
+ LogText "Result: blkid binary not found, trying by checking device listing"
sFILE=""
if [ -L /dev/disk/by-uuid/${UUID} ]; then
- logtext "Result: found disk via /dev/disk/by-uuid listing"
+ LogText "Result: found disk via /dev/disk/by-uuid listing"
ShowSymlinkPath /dev/disk/by-uuid/${UUID}
if [ ! "${sFILE}" = "" ]; then
REAL="${sFILE}"
- logtext "Result: disk is ${REAL}"
+ LogText "Result: disk is ${REAL}"
fi
else
- logtext "Result: no symlink found to /dev/disk/by-uuid/${UUID}"
+ LogText "Result: no symlink found to /dev/disk/by-uuid/${UUID}"
fi
fi
fi
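Review bot: the blkid branch in this hunk can never execute: `if [ ! "${BLKIDBINARYx}" = "" ]; then` tests BLKIDBINARYx (trailing x), a variable that is never set, so the code always falls through to the /dev/disk/by-uuid lookup even when blkid is available. Correct it to `${BLKIDBINARY}`. Once that branch runs, the awk program on the next line has a second problem: `'{ if ($2=="UUID=\"${UUID}\"") print $1 }'` is single-quoted, so `${UUID}` is never expanded by the shell and the comparison is against the literal text; pass the value in with `-v uuid="${UUID}"` and compare `$2 == "UUID=\"" uuid "\""`.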
@@ -248,13 +248,13 @@
if [ "${REAL}" = "" ]; then
REAL="${I}"
fi
- report "swap_partition[]=${I},${REAL},"
+ Report "swap_partition[]=${I},${REAL},"
done
if [ ${FOUND} -eq 1 ]; then
Display --indent 2 --text "- Query swap partitions (fstab)" --result OK --color GREEN
else
Display --indent 2 --text "- Query swap partitions (fstab)" --result NONE --color YELLOW
- logtext "Result: no swap partitions found in /etc/fstab"
+ LogText "Result: no swap partitions found in /etc/fstab"
fi
fi
#
@@ -268,18 +268,18 @@
Register --test-no FILE-6336 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking swap mount options"
if [ ${SKIPTEST} -eq 0 ]; then
# Swap partitions should be mounted with 'sw' or 'swap'
- logtext "Test: check swap partitions with incorrect mount options"
+ LogText "Test: check swap partitions with incorrect mount options"
#FIND=`awk '{ if ($3=="swap" && ($4!="sw" && $4!="swap" && $4!="defaults")) print $1 }' /etc/fstab`
FIND=`awk '{ if ($3=="swap" && ($4~/sw/ || $4=="defaults")) { print $1 }}' /etc/fstab`
if [ ! "${FIND}" = "" ]; then
Display --indent 2 --text "- Testing swap partitions" --result OK --color GREEN
- logtext "Result: all swap partitions have correct options (sw or swap)"
+ LogText "Result: all swap partitions have correct options (sw or swap)"
else
Display --indent 2 --text "- Testing swap partitions" --result "CHECK NEEDED" --color YELLOW
- logtext "Result: possible incorrect mount options used for mounting swap partition (${FIND})"
+ LogText "Result: possible incorrect mount options used for mounting swap partition (${FIND})"
#ReportWarning ${TEST_NO} "L" "Possible incorrect mount options used for swap parition (${FIND})"
ReportSuggestion ${TEST_NO} "Check your /etc/fstab file for swap partition mount options"
- logtext "Notes: usually swap partition have 'sw' or 'swap' in the options field (4th)"
+ LogText "Notes: usually swap partition have 'sw' or 'swap' in the options field (4th)"
fi
fi
#
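Review bot: the branches in this hunk are inverted relative to their messages. FIND collects the swap entries whose options are acceptable (`$4~/sw/ || $4=="defaults"`), so a non-empty FIND only proves that at least one entry is fine, not that all of them are, and the else branch logs `possible incorrect mount options used for mounting swap partition (${FIND})` with a FIND that is empty by construction. A system with no swap entry in /etc/fstab also ends up in "CHECK NEEDED". Select the offending entries instead (the commented-out awk line just above does exactly that), report those, and treat an empty result as OK.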
@@ -290,25 +290,25 @@
if [ -d /tmp ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no FILE-6354 --preqs-met ${PREQS_MET} --weight L --network NO --description "Searching for old files in /tmp"
if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: Searching for old files in /tmp"
+ LogText "Test: Searching for old files in /tmp"
# Search for files only in /tmp, with an access time older than X days
FIND=`find /tmp -type f -atime +${TMP_OLD_DAYS} 2> /dev/null | sed 's/ /!space!/g'`
if [ "${FIND}" = "" ]; then
Display --indent 2 --text "- Checking for old files in /tmp" --result OK --color GREEN
- logtext "Result: no files found in /tmp which are older than 3 months"
+ LogText "Result: no files found in /tmp which are older than 3 months"
else
Display --indent 2 --text "- Checking for old files in /tmp" --result FOUND --color RED
N=0
for I in ${FIND}; do
FILE=`echo ${I} | sed 's/!space!/ /g'`
- logtext "Old temporary file: ${FILE}"
+ LogText "Old temporary file: ${FILE}"
N=`expr ${N} + 1`
done
- logtext "Result: found old files in /tmp, which were not modified in the last ${TMP_OLD_DAYS} days"
- logtext "Advice: check and clean up unused files in /tmp. Old files can fill up a disk or contain"
- logtext "private information and should be deleted it not being used actively. Use a tool like lsof to"
- logtext "see which programs possibly are using a particular file. Some systems can cleanup temporary"
- logtext "directories by setting a boot option."
+ LogText "Result: found old files in /tmp, which were not modified in the last ${TMP_OLD_DAYS} days"
+ LogText "Advice: check and clean up unused files in /tmp. Old files can fill up a disk or contain"
+ LogText "private information and should be deleted it not being used actively. Use a tool like lsof to"
+ LogText "see which programs possibly are using a particular file. Some systems can cleanup temporary"
+ LogText "directories by setting a boot option."
ReportSuggestion ${TEST_NO} "Check ${N} files in /tmp which are older than ${TMP_OLD_DAYS} days"
fi
fi
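Review bot: the OK branch hardcodes the threshold in its message: `LogText "Result: no files found in /tmp which are older than 3 months"`, while the find uses `-atime +${TMP_OLD_DAYS}` and the other messages in the hunk use the variable; use `${TMP_OLD_DAYS} days` here too so the log stays correct when a profile changes the value. The find also filters on access time while the result line says "not modified in the last ${TMP_OLD_DAYS} days"; pick one of atime or mtime and make the message match. Minor: "should be deleted it not being used actively" should read "if not being used actively".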
@@ -323,29 +323,29 @@
#for I in ${SKELDIRS}; do
#
- # logtext "Searching skel directory ${I}"
+ # LogText "Searching skel directory ${I}"
#
# if [ -d ${I} ]; then
- # logtext "Result: Directory found, scanning for unsafe file permissions"
+ # LogText "Result: Directory found, scanning for unsafe file permissions"
# FIND=`ls -A ${I} | wc -l | sed 's/ //g'`
# if [ ! "${FIND}" = "0" ]; then
# FIND=`find ${I} -type f -a \( -perm -004 -o -perm -002 -o -perm -001 \)`
# if [ "${FIND}" = "" ]; then
# Display --indent 2 --text "- Checking skel file permissions (${I})" --result OK --color GREEN
- # logtext "Result: Directory seems to be ok, no files found with read/write/execute bit set."
- # logtext "Status: OK"
+ # LogText "Result: Directory seems to be ok, no files found with read/write/execute bit set."
+ # LogText "Status: OK"
# else
# Display --indent 2 --text "- Checking skel file permissions (${I})" --result WARNING --color RED
- # logtext "Result: The following files do have non restrictive permissions: ${FIND}"
+ # LogText "Result: The following files do have non restrictive permissions: ${FIND}"
# ReportSuggestion ${TEST_NO} "Remove the read, write or execute bit from these files (chmod o-rwx)"
# fi
# else
# Display --indent 2 --text "- Checking skel file permissions (${I})" --result EMPTY --color WHITE
- # logtext "Directory ${I} is empty, no scan performed"
+ # LogText "Directory ${I} is empty, no scan performed"
# fi
# else
# Display --indent 2 --text "- Checking skel file permissions (${I})" --result "NOT FOUND" --color WHITE
- # logtext "Result: Skel directory (${I}) not found"
+ # LogText "Result: Skel directory (${I}) not found"
# fi
#done
#
@@ -360,7 +360,7 @@
FIND=`ls -l / | tr -s ' ' | awk -F" " '{ if ( $8 == "tmp" || $9 == "tmp" ) { print $1 } }' | cut -c 10`
if [ "${FIND}" = "t" -o "${FIND}" = "T" ]; then
Display --indent 2 --text "- Checking /tmp sticky bit" --result OK --color GREEN
- logtext "Result: Sticky bit (${FIND}) found on /tmp directory"
+ LogText "Result: Sticky bit (${FIND}) found on /tmp directory"
AddHP 3 3
else
Display --indent 2 --text "- Checking /tmp sticky bit" --result WARNING --color RED
@@ -369,7 +369,7 @@
AddHP 0 3
fi
else
- logtext "Result: Sticky bit test (on /tmp) skipped. Possible reason: missing or symlinked directory, or test skipped."
+ LogText "Result: Sticky bit test (on /tmp) skipped. Possible reason: missing or symlinked directory, or test skipped."
fi
#
#################################################################################
@@ -385,14 +385,14 @@
Register --test-no FILE-6368 --os Linux --weight L --network NO --root-only YES --description "Checking ACL support on root file system"
if [ ${SKIPTEST} -eq 0 ]; then
FOUND=0
- logtext "Test: Checking acl option on root file system"
+ LogText "Test: Checking acl option on root file system"
FIND=`mount | ${AWKBINARY} '{ if ($3=="/" && $5~/ext[2-4]/) { print $6 } }' | grep acl`
if [ ! "${FIND}" = "" ]; then
- logtext "Result: found ACL option"
+ LogText "Result: found ACL option"
FOUND=1
else
- logtext "Result: mount point probably mounted with defaults"
- logtext "Test: Checking device which holds root file system"
+ LogText "Result: mount point probably mounted with defaults"
+ LogText "Test: Checking device which holds root file system"
# Get device on which root file system is mounted. Use /dev/root if it exists, or
# else check output of mount
if [ -b /dev/root ]; then
@@ -404,28 +404,28 @@
fi
# Trying to determine default mount options from EXT2/EXT3/EXT4 file systems
if [ ! "${FIND1}" = "" ]; then
- logtext "Result: found ${FIND1}"
- logtext "Test: Checking default options on ${FIND1}"
+ LogText "Result: found ${FIND1}"
+ LogText "Test: Checking default options on ${FIND1}"
FIND2=`${TUNE2FSBINARY} -l ${FIND1} 2> /dev/null | grep "^Default mount options" | grep "acl"`
if [ ! "${FIND2}" = "" ]; then
- logtext "Result: found ACL option in default mount options"
+ LogText "Result: found ACL option in default mount options"
FOUND=1
else
- logtext "Result: no ACL option found in default mount options list"
+ LogText "Result: no ACL option found in default mount options list"
fi
else
- logtext "Result: No file system found with root file system"
+ LogText "Result: No file system found with root file system"
fi
fi
if [ ${FOUND} -eq 0 ]; then
- logtext "Result: ACL option NOT enabled on root file system"
- logtext "Additional information: if file access need to be more restricted, ACLs could be used. Install the acl utilities and remount the file system with the acl option"
- logtext "Activate acl support on and active file system with mount -o remount,acl / and add the acl option to the fstab file"
+ LogText "Result: ACL option NOT enabled on root file system"
+ LogText "Additional information: if file access need to be more restricted, ACLs could be used. Install the acl utilities and remount the file system with the acl option"
+ LogText "Activate acl support on and active file system with mount -o remount,acl / and add the acl option to the fstab file"
Display --indent 2 --text "- ACL support root file system" --result DISABLED --color YELLOW
AddHP 0 1
else
- logtext "Result: ACL option enabled on root file system"
+ LogText "Result: ACL option enabled on root file system"
Display --indent 2 --text "- ACL support root file system" --result ENABLED --color GREEN
AddHP 3 3
fi
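Review bot: grammar in the renamed advice lines of this hunk: "if file access need to be more restricted" should read "needs", and "Activate acl support on and active file system" should read "on an active file system". These lines end up in the log that administrators read, so they are worth fixing while they are being touched.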
@@ -445,14 +445,14 @@
NOSUID=`echo ${FIND} | awk '{ if ($1=="nosuid") { print "YES" } else { print "NO" } }'`
if [ ! "${FIND}" = "" ]; then
- logtext "Result: mount system / is configured with options: ${FIND}"
+ LogText "Result: mount system / is configured with options: ${FIND}"
if [ "${FIND}" = "defaults" ]; then
Display --indent 2 --text "- Mount options of /" --result OK --color GREEN
else
Display --indent 2 --text "- Mount options of /" --result "NON DEFAULT" --color YELLOW
fi
else
- logtext "Result: no mount point / or expected options found"
+ LogText "Result: no mount point / or expected options found"
fi
fi
fi
@@ -487,42 +487,42 @@
IN_FSTAB=`cat /etc/fstab | awk -v fs=${FILESYSTEM} '{ if ($2==fs) { print "FOUND" } }'`
if [ ! "${IN_FSTAB}" = "" ]; then
FOUND_FLAGS=`cat /etc/fstab | awk -v fs=${FILESYSTEM} '{ if ($2==fs) { print $4 } }' | sed 's/,/ /g'`
- logtext "File system: ${FILESYSTEM}"
- logtext "Expected flags: ${EXPECTED_FLAGS}"
- logtext "Found flags: ${FOUND_FLAGS}"
+ LogText "File system: ${FILESYSTEM}"
+ LogText "Expected flags: ${EXPECTED_FLAGS}"
+ LogText "Found flags: ${FOUND_FLAGS}"
PARTIALLY_HARDENED=0
FULLY_HARDENED=1
for FLAG in ${EXPECTED_FLAGS}; do
FLAG_AVAILABLE=`echo ${FOUND_FLAGS} | grep ${FLAG}`
if [ "${FLAG_AVAILABLE}" = "" ]; then
- logtext "Result: Could not find mount option ${FLAG} on file system ${FILESYSTEM}"
+ LogText "Result: Could not find mount option ${FLAG} on file system ${FILESYSTEM}"
FULLY_HARDENED=0
else
- logtext "Result: GOOD, found mount option ${FLAG} on file system ${FILESYSTEM}"
+ LogText "Result: GOOD, found mount option ${FLAG} on file system ${FILESYSTEM}"
PARTIALLY_HARDENED=1
fi
done
if [ ${FULLY_HARDENED} -eq 1 ]; then
- logtext "Result: marked ${FILESYSTEM} as fully hardenened"
+ LogText "Result: marked ${FILESYSTEM} as fully hardenened"
Display --indent 2 --text "- Mount options of ${FILESYSTEM}" --result HARDENED --color GREEN
AddHP 5 5
elif [ ${PARTIALLY_HARDENED} -eq 1 ]; then
- logtext "Result: marked ${FILESYSTEM} as fully hardenened"
+ LogText "Result: marked ${FILESYSTEM} as fully hardenened"
Display --indent 2 --text "- Mount options of ${FILESYSTEM}" --result "PARTIALLY HARDENED" --color YELLOW
AddHP 4 5
else
if [ "${FOUND_FLAGS}" = "defaults" ]; then
- logtext "Result: marked ${FILESYSTEM} options as default (non hardened)"
+ LogText "Result: marked ${FILESYSTEM} options as default (non hardened)"
Display --indent 2 --text "- Mount options of ${FILESYSTEM}" --result DEFAULT --color YELLOW
AddHP 3 5
else
- logtext "Result: marked ${FILESYSTEM} options as non default (unclear about hardening)"
+ LogText "Result: marked ${FILESYSTEM} options as non default (unclear about hardening)"
Display --indent 2 --text "- Mount options of ${FILESYSTEM}" --result "NON DEFAULT" --color YELLOW
AddHP 4 5
fi
fi
else
- logtext "Result: file system ${FILESYSTEM} not found in /etc/fstab"
+ LogText "Result: file system ${FILESYSTEM} not found in /etc/fstab"
fi
done
fi
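Review bot: the partially-hardened branch logs the wrong state: `LogText "Result: marked ${FILESYSTEM} as fully hardenened"` appears both under `if [ ${FULLY_HARDENED} -eq 1 ]` and under `elif [ ${PARTIALLY_HARDENED} -eq 1 ]`; the second should say "partially hardened" (and "hardenened" is misspelled in both). Separately, `FLAG_AVAILABLE=`echo ${FOUND_FLAGS} | grep ${FLAG}`` is a substring match, so an expected flag is credited as present whenever its name occurs inside another option in the fstab field; `grep -w` (or a whole-word comparison in awk) avoids marking a file system hardened for a flag it does not actually carry.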
@@ -564,23 +564,23 @@
if [ ! "${LOCATEBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no FILE-6410 --preqs-met ${PREQS_MET} --os Linux --weight L --network NO --description "Checking Locate database"
if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: Checking locate database"
+ LogText "Test: Checking locate database"
FOUND=0
LOCATE_DBS="/var/lib/mlocate/mlocate.db /var/lib/locate/locatedb /var/lib/locatedb /var/lib/slocate/slocate.db /var/cache/locate/locatedb /var/db/locate.database"
for I in ${LOCATE_DBS}; do
if [ -f ${I} ]; then
- logtext "Result: locate database found (${I})"
+ LogText "Result: locate database found (${I})"
FOUND=1
LOCATE_DB="${I}"
else
- logtext "Result: file ${I} not found"
+ LogText "Result: file ${I} not found"
fi
done
if [ ${FOUND} -eq 1 ]; then
Display --indent 2 --text "- Checking Locate database" --result FOUND --color GREEN
- report "locate_db=${LOCATE_DB}"
+ Report "locate_db=${LOCATE_DB}"
else
- logtext "Result: database not found"
+ LogText "Result: database not found"
Display --indent 2 --text "- Checking Locate database" --result "NOT FOUND" --color YELLOW
ReportSuggestion ${TEST_NO} "The database required for 'locate' could not be found. Run 'updatedb' or 'locate.updatedb' to create this file."
fi
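Review bot: the loop over ${LOCATE_DBS} does not stop at the first hit, so on a system with more than one of the listed files LOCATE_DB is the last one found rather than the first, and the Report line records that one. If the first match is the intended value, add a break after LOCATE_DB="${I}"; otherwise document that the last path in the list wins.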
@@ -622,4 +622,4 @@ wait_for_keypress
#
#================================================================================
-# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com
+# Lynis - Copyright 2007-2016, Michael Boelen, CISOfy - https://cisofy.com
diff --git a/include/tests_firewalls b/include/tests_firewalls
index 6c8192eb..2a01e410 100644
--- a/include/tests_firewalls
+++ b/include/tests_firewalls
@@ -5,7 +5,7 @@
# Lynis
# ------------------
#
-# Copyright 2007-2015, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
+# Copyright 2007-2016, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
# Web site: https://cisofy.com
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
@@ -41,9 +41,9 @@
IPTABLES_ACTIVE=1
IPTABLES_MODULE_ACTIVE=1
Display --indent 2 --text "- Checking iptables kernel module" --result FOUND --color GREEN
- logtext "Result: Found iptables in loaded kernel modules"
+ LogText "Result: Found iptables in loaded kernel modules"
for I in ${FIND}; do
- logtext "Found module: ${I}"
+ LogText "Found module: ${I}"
done
else
Display --indent 2 --text "- Checking iptables kernel module" --result "NOT FOUND" --color WHITE
@@ -62,24 +62,24 @@
# tests, when using iptables --list
if [ ! "${LINUXCONFIGFILE}" = "" ]; then
if [ -f ${LINUXCONFIGFILE} -a ${IPTABLES_MODULE_ACTIVE} -eq 0 ]; then
- logtext "Result: found kernel configuration file (${LINUXCONFIGFILE})"
+ LogText "Result: found kernel configuration file (${LINUXCONFIGFILE})"
FIND=`${tCATCMD} ${LINUXCONFIGFILE} | grep -v '^#' | grep "CONFIG_IP_NF_IPTABLES" | head -n 1`
if [ ! "${FIND}" = "" ]; then
HAVEMOD=`echo ${FIND} | cut -d '=' -f2`
# Do not use iptables if it's compiled as a module (=m), since we already tested for it in the
# active list.
if [ "${HAVEMOD}" = "y" ]; then
- logtext "Result: iptables available as a module in the configuration"
+ LogText "Result: iptables available as a module in the configuration"
IPTABLES_ACTIVE=1
IPTABLES_INKERNEL_ACTIVE=1
FIREWALL_ACTIVE=1
FIREWALL_SOFTWARE="iptables"
Display --indent 2 --text "- Checking iptables in config file" --result FOUND --color GREEN
else
- logtext "Result: no iptables found in Linux kernel config file"
+ LogText "Result: no iptables found in Linux kernel config file"
fi
else
- logtext "Result: no Linux configuration file found"
+ LogText "Result: no Linux configuration file found"
Display --indent 2 --text "- Checking iptables in config file" --result "NOT FOUND" --color WHITE
fi
fi
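Review bot: the log text is inverted relative to the condition. LogText "Result: iptables available as a module in the configuration" is emitted when ${HAVEMOD} is "y", which is the built-in case (the comment two lines above says so and the variable set is IPTABLES_INKERNEL_ACTIVE); log "Result: iptables compiled into the kernel (CONFIG_IP_NF_IPTABLES=y)" instead. The else branch then logs "no iptables found in Linux kernel config file" for a value of "m", which is not absence but an unloaded module, so that message should be split as well.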
@@ -99,11 +99,11 @@
FIREWALL_ACTIVE=1
if [ ${FIND} -le 10 ]; then
# Firewall is active, but clearly needs configuration
- logtext "Result: iptables ruleset seems to be empty (found ${FIND} rules)"
+ LogText "Result: iptables ruleset seems to be empty (found ${FIND} rules)"
Display --indent 4 --text "- Checking for empty ruleset" --result WARNING --color RED
ReportWarning ${TEST_NO} "L" "iptables module(s) loaded, but no rules active"
else
- logtext "Result: one or more rules are available (${FIND} rules)"
+ LogText "Result: one or more rules are available (${FIND} rules)"
Display --indent 4 --text "- Checking for empty ruleset" --result OK --color GREEN
fi
fi
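Review bot: the warning text "iptables module(s) loaded, but no rules active" does not match the condition [ ${FIND} -le 10 ], which fires for any ruleset of ten or fewer counted entries, and the log line in the same branch says "found ${FIND} rules". Either tighten the threshold to the genuinely empty case or reword the warning to say the ruleset looks (nearly) empty, and add a comment explaining what the constant 10 accounts for, since the computation of FIND is outside this hunk.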
@@ -119,16 +119,16 @@
FIND=`${IPTABLESBINARY} --list --numeric --line-numbers --verbose | awk '{ if ($2=="0") print $1 }' | xargs`
if [ "${FIND}" = "" ]; then
Display --indent 4 --text "- Checking for unused rules" --result OK --color GREEN
- logtext "Result: There are no unused rules present"
+ LogText "Result: There are no unused rules present"
else
Display --indent 4 --text "- Checking for unused rules" --result FOUND --color YELLOW
- logtext "Result: Found one or more possible unused rules"
- logtext "Description: Unused rules can be a sign that the firewall rules aren't optimized or up-to-date"
- logtext "Note: Sometimes rules aren't triggered but still in use. Keep this in mind before cleaning up rules."
- logtext "Output: iptables rule numbers: ${FIND}"
+ LogText "Result: Found one or more possible unused rules"
+ LogText "Description: Unused rules can be a sign that the firewall rules aren't optimized or up-to-date"
+ LogText "Note: Sometimes rules aren't triggered but still in use. Keep this in mind before cleaning up rules."
+ LogText "Output: iptables rule numbers: ${FIND}"
#ReportWarning ${TEST_NO} "L" "Found possible unused iptables rules ($FIND)"
ReportSuggestion ${TEST_NO} "Check iptables rules to see which rules are currently not used"
- logtext "Tip: iptables --list --numeric --line-numbers --verbose"
+ LogText "Tip: iptables --list --numeric --line-numbers --verbose"
fi
fi
#
@@ -142,18 +142,18 @@
PFFOUND=0; PFLOGDFOUND=0
# Check status with pfctl
- logtext "Test: checking pf status via pfctl"
+ LogText "Test: checking pf status via pfctl"
if [ ! "${PFCTLBINARY}" = "" ]; then
FIND=`${PFCTLBINARY} -sa 2>&1 | grep "^Status" | head -1 | awk '{ print $2 }'`
if [ "${FIND}" = "Enabled" ]; then
Display --indent 2 --text "- Checking pf status (pfctl)" --result ENABLED --color GREEN
- logtext "Result: pf is enabled"
+ LogText "Result: pf is enabled"
PFFOUND=1
AddHP 3 3
else
if [ "${FIND}" = "Disabled" ]; then
Display --indent 2 --text "- Checking pf status (pfctl)" --result DISABLED --color RED
- logtext "Result: pf is disabled"
+ LogText "Result: pf is disabled"
AddHP 0 3
else
Display --indent 2 --text "- Checking pf status (pfctl)" --result UNKNOWN --color YELLOW
@@ -165,27 +165,27 @@
# If we didn't find the status to be enabled, stop searching
if [ ${PFFOUND} -eq 0 ]; then
# Check for pf kernel module (FreeBSD and similar)
- logtext "Test: searching for pf kernel module"
+ LogText "Test: searching for pf kernel module"
if [ ! "${KLDSTATBINARY}" = "" ]; then
FIND=`${KLDSTATBINARY} | grep 'pf.ko'`
if [ "${FIND}" = "" ]; then
- logtext "Result: Can not find pf KLD"
+ LogText "Result: Can not find pf KLD"
else
- logtext "Result: pf KLD loaded"
+ LogText "Result: pf KLD loaded"
PFFOUND=1
fi
else
- logtext "Result: no kldstat binary, skipping this part"
+ LogText "Result: no kldstat binary, skipping this part"
fi
IsRunning pflogd
if [ ${RUNNING} -eq 1 ]; then
- logtext "Result: found pflog daemon in process list"
+ LogText "Result: found pflog daemon in process list"
Display --indent 4 --text "- Checking pflogd status" --result ACTIVE --color GREEN
PFFOUND=1
PFLOGDFOUND=1
else
- logtext "Result: pflog daemon not found in process list"
+ LogText "Result: pflog daemon not found in process list"
fi
fi
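Review bot: the comment "If we didn't find the status to be enabled, stop searching" is the opposite of what the block does. It runs whenever PFFOUND is 0, which includes the case where pfctl explicitly reported "Disabled" just above, and then sets PFFOUND=1 on a loaded pf.ko or a running pflogd. A loaded module with pf disabled therefore still ends up as FIREWALL_ACTIVE=1 and FIREWALL_SOFTWARE="pf". Either skip this block when pfctl gave a definite Disabled answer, or keep the module/pflogd checks informational and do not let them override it.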
@@ -193,7 +193,7 @@
FIREWALL_ACTIVE=1
FIREWALL_SOFTWARE="pf"
else
- logtext "Result: pf not running on this system"
+ LogText "Result: pf not running on this system"
fi
fi
#
@@ -204,23 +204,23 @@
if [ ${PFFOUND} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no FIRE-4520 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check pf configuration consistency"
if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: check /etc/pf.conf"
+ LogText "Test: check /etc/pf.conf"
# Test for warnings (-n don't load the rules)
if [ -f /etc/pf.conf ]; then
- logtext "Result: /etc/pf.conf exists"
+ LogText "Result: /etc/pf.conf exists"
# Check results from pfctl
PFWARNINGS=`pfctl -n -f /etc/pf.conf -vvv 2>&1 | grep -i 'warning'`
if [ "${PFWARNINGS}" = "" ]; then
Display --indent 4 --text "- Checking pf configuration consistency" --result OK --color GREEN
- logtext "Result: no pf filter warnings found"
+ LogText "Result: no pf filter warnings found"
else
Display --indent 4 --text "- Checking pf configuration consistency" --result WARNING --color RED
- logtext "Result: found one or more warnings in the pf filter rules"
+ LogText "Result: found one or more warnings in the pf filter rules"
ReportWarning ${TEST_NO} "H" "Found one or more warnings in pf configuration file"
ReportSuggestion ${TEST_NO} "Run 'pfctl -n -f /etc/pf.conf -vvv' to see available pf warnings"
fi
else
- logtext "Result: /etc/pf.conf does NOT exist"
+ LogText "Result: /etc/pf.conf does NOT exist"
fi
fi
#
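Review bot: PFWARNINGS=`pfctl -n -f /etc/pf.conf -vvv 2>&1 | grep -i 'warning'` calls pfctl by bare name while the status check in FIRE-4518 uses ${PFCTLBINARY}; use the discovered binary here too so the test cannot pick a different pfctl from $PATH. Because stderr is folded into the grep, a pfctl that fails outright (permission error, binary missing) produces no line containing "warning" and the test reports OK; check the exit status of pfctl separately before grepping its output.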
@@ -236,14 +236,14 @@
Register --test-no FIRE-4524 --weight L --network NO --description "Check for CSF presence"
if [ ${SKIPTEST} -eq 0 ]; then
FILE="/etc/csf/csf.conf"
- logtext "Test: check ${FILE}"
+ LogText "Test: check ${FILE}"
if [ -f ${FILE} ]; then
- logtext "Result: ${FILE} exists"
+ LogText "Result: ${FILE} exists"
FIREWALL_ACTIVE=1
FIREWALL_SOFTWARE="csf"
Display --indent 2 --text "- Checking CSF status (configuration file)" --result FOUND --color GREEN
else
- logtext "Result: ${FILE} does NOT exist"
+ LogText "Result: ${FILE} does NOT exist"
fi
fi
#
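Review bot: FIRE-4524 sets FIREWALL_ACTIVE=1 and FIREWALL_SOFTWARE="csf" on the mere existence of /etc/csf/csf.conf, without checking that csf is running or enabled, so a configuration file left behind by a removed or stopped csf makes FIRE-4590 below award the full AddHP 5 5 for an active host firewall. Either add a process check (IsRunning is already used in this file for pflogd and inetd) or report csf as installed rather than active.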
@@ -257,12 +257,12 @@
FIND=`${IPFBINARY} -n -V | grep "^Running" | awk '{ print $2 }'`
if [ "${FIND}" = "yes" ]; then
Display --indent 4 --text "- Checking ipf status" --result RUNNING --color GREEN
- logtext "Result: ipf is enabled and running"
+ LogText "Result: ipf is enabled and running"
FIREWALL_ACTIVE=1
FIREWALL_SOFTWARE="ipf"
else
Display --indent 4 --text "- Checking ipf status" --result "NOT RUNNING" --color YELLOW
- logtext "Result: ipf is not running"
+ LogText "Result: ipf is not running"
fi
fi
#
@@ -277,20 +277,20 @@
FIND=`${SYSCTLBINARY} net.inet.ip.fw.enable | awk '{ print $2 }'`
if [ "${FIND}" = "1" ]; then
Display --indent 2 --text "- Checking IPFW status" --result RUNNING --color GREEN
- logtext "Result: IPFW is running for IPv4"
+ LogText "Result: IPFW is running for IPv4"
FIREWALL_ACTIVE=1
FIREWALL_SOFTWARE="ipfw"
IPFW_ENABLED=`service -e | grep -o ipfw`
if [ "${IPFW_ENABLED}" = "ipfw" ]; then
Display --indent 4 --text "- IPFW enabled in /etc/rc.conf" --result YES --color GREEN
- logtext "Result: IPFW is enabled at start-up for IPv4"
+ LogText "Result: IPFW is enabled at start-up for IPv4"
else
Display --indent 4 --text "- ipfw enabled in /etc/rc.conf" --result NO --color YELLOW
- logtext "Result: IPFW is disabled at start-up for IPv4"
+ LogText "Result: IPFW is disabled at start-up for IPv4"
fi
else
Display --indent 2 --text "- Checking IPFW status" --result "NOT RUNNING" --color YELLOW
- logtext "Result: IPFW is not running for IPv4"
+ LogText "Result: IPFW is not running for IPv4"
fi
else
Display --indent 2 --text "- Checking IPFW" --result SKIPPED --color YELLOW
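Review bot: IPFW_ENABLED=`service -e | grep -o ipfw` uses a bare service command and grep -o, which prints "ipfw" for any enabled service whose name merely contains that string, so the comparison with "ipfw" can succeed on a different service. Anchor the match (grep -x ipfw, or grep -w) and consider resolving the binary the way other tools are in this file. The two Display lines in this block also differ in case ("IPFW enabled in /etc/rc.conf" versus "ipfw enabled in /etc/rc.conf"); use one spelling.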
@@ -309,13 +309,13 @@
if [ ! "${FIND}" = "" ]; then
Display --indent 2 --text "- Checking Mac OS X: Application Firewall" --result ENABLED --color GREEN
AddHP 3 3
- logtext "Result: application firewall of Mac OS X is enabled"
+ LogText "Result: application firewall of Mac OS X is enabled"
APPLICATION_FIREWALL_ACTIVE=1
- report "app_fw[]=macosx-app-fw"
+ Report "app_fw[]=macosx-app-fw"
else
Display --indent 2 --text "- Checking IPFW" --result DISABLED --color YELLOW
AddHP 1 3
- logtext "Result: application firewall of Mac OS X is disabled"
+ LogText "Result: application firewall of Mac OS X is disabled"
fi
fi
#
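Review bot: the DISABLED branch of the Mac OS X application firewall test displays "- Checking IPFW" while the ENABLED branch displays "- Checking Mac OS X: Application Firewall", so a disabled application firewall is reported on screen as an IPFW result. Use the same text in both branches.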
@@ -327,16 +327,16 @@
if [ ${SKIPTEST} -eq 0 ]; then
if [ ${FIREWALL_ACTIVE} -eq 1 ]; then
Display --indent 2 --text "- Checking host based firewall" --result ACTIVE --color GREEN
- logtext "Result: host based firewall or packet filter is active"
- report "manual[]=Verify if there is a formal process for testing and applying firewall rules"
- report "manual[]=Verify all traffic is filtered the right way between the different security zones"
- report "manual[]=Verify if a list is available with all required services"
+ LogText "Result: host based firewall or packet filter is active"
+ Report "manual[]=Verify if there is a formal process for testing and applying firewall rules"
+ Report "manual[]=Verify all traffic is filtered the right way between the different security zones"
+ Report "manual[]=Verify if a list is available with all required services"
# YYY Solaris ipf (determine default policy)
- report "manual[]=Make sure an explicit deny all is the default policy for all unmatched traffic"
+ Report "manual[]=Make sure an explicit deny all is the default policy for all unmatched traffic"
AddHP 5 5
else
Display --indent 2 --text "- Checking host based firewall" --result "NOT ACTIVE" --color YELLOW
- logtext "Result: no host based firewall/packet filter found or configured"
+ LogText "Result: no host based firewall/packet filter found or configured"
ReportSuggestion ${TEST_NO} "Configure a firewall/packet filter to filter incoming and outgoing traffic"
AddHP 0 5
fi
@@ -346,13 +346,13 @@
#
# Report firewall installed for now, if we found one active. Next step would be determining binaries first and apply additional checks.
-report "firewall_installed=${FIREWALL_ACTIVE}"
-report "firewall_active=${FIREWALL_ACTIVE}"
-report "firewall_software=${FIREWALL_SOFTWARE}"
+Report "firewall_installed=${FIREWALL_ACTIVE}"
+Report "firewall_active=${FIREWALL_ACTIVE}"
+Report "firewall_software=${FIREWALL_SOFTWARE}"
wait_for_keypress
#
#================================================================================
-# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com
+# Lynis - Copyright 2007-2016, Michael Boelen, CISOfy - https://cisofy.com
diff --git a/include/tests_hardening b/include/tests_hardening
index 69cca70c..d764999c 100644
--- a/include/tests_hardening
+++ b/include/tests_hardening
@@ -5,7 +5,7 @@
# Lynis
# ------------------
#
-# Copyright 2007-2015, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
+# Copyright 2007-2016, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
# Web site: https://cisofy.com
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
@@ -26,13 +26,13 @@
# Notes : No suggestion for hardening compilers, as HRDN-7222 will take care of that
Register --test-no HRDN-7220 --weight L --network NO --description "Check if one or more compilers are installed"
if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: Check if one or more compilers can be found on the system"
+ LogText "Test: Check if one or more compilers can be found on the system"
if [ ${COMPILER_INSTALLED} -eq 0 ]; then
- logtext "Result: no compilers found"
+ LogText "Result: no compilers found"
Display --indent 4 --text "- Installed compiler(s)" --result "NOT FOUND" --color GREEN
AddHP 3 3
else
- logtext "Result: found installed compiler. See top of logfile which compilers have been found or use grep to filter on 'compiler'"
+ LogText "Result: found installed compiler. See top of logfile which compilers have been found or use grep to filter on 'compiler'"
Display --indent 4 --text "- Installed compiler(s)" --result "FOUND" --color RED
AddHP 1 3
fi
@@ -44,18 +44,17 @@
# Description : Check for permissions of installed compilers
Register --test-no HRDN-7222 --weight L --network NO --description "Check compiler permissions"
if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: Check if one or more compilers can be found on the system"
+ LogText "Test: Check if one or more compilers can be found on the system"
HARDEN_COMPILERS_NEEDED=0
if [ ${COMPILER_INSTALLED} -eq 0 ]; then
- logtext "Result: no compilers found"
+ LogText "Result: no compilers found"
else
# as
if [ ! "${ASBINARY}" = "" ]; then
- logtext "Test: Check file permissions for as (Assembler)"
- IsWorldExecutable ${ASBINARY}
- if [ $? -eq 1 ]; then
- logtext "Binary: found ${ASBINARY} (world executable)"
- report "compiler[]=${ASBINARY}"
+ LogText "Test: Check file permissions for as (Assembler)"
+ if IsWorldExecutable ${ASBINARY}; then
+ LogText "Binary: found ${ASBINARY} (world executable)"
+ Report "compiler[]=${ASBINARY}"
AddHP 2 3
HARDEN_COMPILERS_NEEDED=1
else
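Review bot: changing IsWorldExecutable ${ASBINARY} followed by if [ $? -eq 1 ] into if IsWorldExecutable ${ASBINARY}; then inverts the check unless IsWorldExecutable was changed in the same commit to return 0 for a world-executable file: the old code treated exit status 1 as "world executable", the new if treats status 0 that way. The function is defined in a file that is not part of this diff, so either confirm its return convention was updated or keep the explicit status comparison. Separately, the line LogText "Test: Check if one or more compilers can be found on the system" is copied from HRDN-7220; this test checks permissions and should log that.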
@@ -64,11 +63,10 @@
fi
# gcc
if [ ! "${GCCBINARY}" = "" ]; then
- logtext "Test: Check file permissions for GCC compiler"
- IsWorldExecutable ${GCCBINARY}
- if [ $? -eq 1 ]; then
- logtext "Binary: found ${GCCBINARY} (world executable)"
- report "compiler[]=${GCCBINARY}"
+ LogText "Test: Check file permissions for GCC compiler"
+ if IsWorldExecutable ${GCCBINARY}; then
+ LogText "Binary: found ${GCCBINARY} (world executable)"
+ Report "compiler[]=${GCCBINARY}"
AddHP 2 3
HARDEN_COMPILERS_NEEDED=1
else
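Review bot: same concern as for the as check: if IsWorldExecutable ${GCCBINARY}; then only reports a world-executable gcc when the function exits 0, whereas the replaced code reported it on exit status 1. If the function's return value has not been flipped elsewhere in this commit, every gcc installation will now be scored as already hardened.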
@@ -77,7 +75,7 @@
fi
# Report suggestion is one or more compilers can be better hardened
if [ ${HARDEN_COMPILERS_NEEDED} -eq 1 ]; then
- logtext "Result: at least one compiler could be better hardened by restricting executable access to root or group only"
+ LogText "Result: at least one compiler could be better hardened by restricting executable access to root or group only"
ReportSuggestion ${TEST_NO} "Harden compilers like restricting access to root user only"
fi
@@ -96,13 +94,13 @@
# Description : Check for installed malware scanners
Register --test-no HRDN-7230 --weight L --network NO --description "Check for malware scanner"
if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: Check if a malware scanner is installed"
+ LogText "Test: Check if a malware scanner is installed"
if [ ${MALWARE_SCANNER_INSTALLED} -eq 1 ]; then
- logtext "Result: found at least one malware scanner"
+ LogText "Result: found at least one malware scanner"
Display --indent 4 --text "- Installed malware scanner" --result "FOUND" --color GREEN
AddHP 3 3
else
- logtext "Result: no malware scanner found"
+ LogText "Result: no malware scanner found"
Display --indent 4 --text "- Installed malware scanner" --result "NOT FOUND" --color RED
ReportSuggestion ${TEST_NO} "Harden the system by installing at least one malware scanner, to perform periodic file system scans"
AddHP 1 3
@@ -111,21 +109,21 @@
#
#################################################################################
#
-# logtext "--------------------------------------------------------------------"
-# logtext "| System part | Preferred value | Actual value | Points |"
-# logtext "| [!] Compiler installed | 0 | [${COMPILER_INSTALLED}] | x |"
-# logtext "| [V] Malware scanner installed | 1 | [x] | x |"
-# logtext "| [V] Packet filter enabled | 1 | [x] | x |"
-# logtext "--------------------------------------------------------------------"
-# logtext "| [!]: Hardening possible, [V]: Hardening performed, [ ]: Unknown "
-# logtext "--------------------------------------------------------------------"
+# LogText "--------------------------------------------------------------------"
+# LogText "| System part | Preferred value | Actual value | Points |"
+# LogText "| [!] Compiler installed | 0 | [${COMPILER_INSTALLED}] | x |"
+# LogText "| [V] Malware scanner installed | 1 | [x] | x |"
+# LogText "| [V] Packet filter enabled | 1 | [x] | x |"
+# LogText "--------------------------------------------------------------------"
+# LogText "| [!]: Hardening possible, [V]: Hardening performed, [ ]: Unknown "
+# LogText "--------------------------------------------------------------------"
#
#################################################################################
#
-report "compiler_installed=${COMPILER_INSTALLED}"
+Report "compiler_installed=${COMPILER_INSTALLED}"
wait_for_keypress
#
#================================================================================
-# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com
+# Lynis - Copyright 2007-2016, Michael Boelen, CISOfy - https://cisofy.com
diff --git a/include/tests_homedirs b/include/tests_homedirs
index 595c2fff..b0f5c06b 100644
--- a/include/tests_homedirs
+++ b/include/tests_homedirs
@@ -5,7 +5,7 @@
# Lynis
# ------------------
#
-# Copyright 2007-2015, Michael Boelen (michael.boelen@cisofy.com)
+# Copyright 2007-2016, Michael Boelen (michael.boelen@cisofy.com)
# Web site: https://cisofy.com
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
@@ -33,14 +33,14 @@
Register --test-no HOME-9302 --weight L --network NO --description "Create list with home directories"
if [ ${SKIPTEST} -eq 0 ]; then
# Read sixth field of /etc/passwd
- logtext "Test: query /etc/passwd to obtain home directories"
+ LogText "Test: query /etc/passwd to obtain home directories"
FIND=`${AWKBINARY} -F: '{ if ($1 !~ "#") print $6 }' /etc/passwd | sort -u`
for I in ${FIND}; do
if [ -d ${I} ]; then
- logtext "Result: found home directory: ${I} (directory exists)"
- report "home_directory[]=${I}"
+ LogText "Result: found home directory: ${I} (directory exists)"
+ Report "home_directory[]=${I}"
else
- logtext "Result: found home directory: ${I} (directory does not exist)"
+ LogText "Result: found home directory: ${I} (directory does not exist)"
fi
done
fi
@@ -60,18 +60,18 @@
fi
if [ "${FIND}" = "" ]; then
Display --indent 2 --text "- Checking shell history files" --result OK --color GREEN
- logtext "Result: Ok, history files are type 'file'."
+ LogText "Result: Ok, history files are type 'file'."
else
Display --indent 2 --text "- Checking shell history files" --result WARNING --color RED
- logtext "Result: the following files seem to be of the wrong file type:"
- logtext "Output: ${FIND}"
- logtext "Info: above files could be redirected files to avoid logging and should be investigated"
+ LogText "Result: the following files seem to be of the wrong file type:"
+ LogText "Output: ${FIND}"
+ LogText "Info: above files could be redirected files to avoid logging and should be investigated"
ReportWarning ${TEST_NO} "M" "Incorrect file type found for shell history file"
fi
- logtext "Remarks: History files are normally of the type 'file'. Symbolic links and other types can be riskful."
+ LogText "Remarks: History files are normally of the type 'file'. Symbolic links and other types can be riskful."
else
Display --indent 2 --text "- Checking shell history files" --result SKIPPED --color WHITE
- logtext "Result: Homedirs is empty, test will be skipped"
+ LogText "Result: Homedirs is empty, test will be skipped"
fi
fi
#
@@ -94,9 +94,9 @@
if [ ${SKIPTEST} -eq 0 ]; then
IGNORE_HOME_DIRS=`grep "^config:ignore_home_dir:" ${PROFILE} | awk -F: '{ print $3 }'`
if [ "${IGNORE_HOME_DIRS}" = "" ]; then
- logtext "Result: IGNORE_HOME_DIRS empty, no paths excluded"
+ LogText "Result: IGNORE_HOME_DIRS empty, no paths excluded"
else
- logtext "Output: ${IGNORE_HOME_DIRS}"
+ LogText "Output: ${IGNORE_HOME_DIRS}"
fi
fi
#
@@ -107,4 +107,4 @@ wait_for_keypress
#
#================================================================================
-# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com
+# Lynis - Copyright 2007-2016, Michael Boelen, CISOfy - https://cisofy.com
diff --git a/include/tests_insecure_services b/include/tests_insecure_services
index d529f959..a4feb52c 100644
--- a/include/tests_insecure_services
+++ b/include/tests_insecure_services
@@ -5,7 +5,7 @@
# Lynis
# ------------------
#
-# Copyright 2007-2015, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
+# Copyright 2007-2016, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
# Web site: https://cisofy.com
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
@@ -32,14 +32,14 @@
Register --test-no INSE-8002 --weight L --network NO --description "Check for enabled inet daemon"
if [ ${SKIPTEST} -eq 0 ]; then
# Check running processes
- logtext "Test: Searching for active inet daemon"
+ LogText "Test: Searching for active inet daemon"
IsRunning inetd
if [ ${RUNNING} -eq 1 ]; then
- logtext "Result: inetd is running"
+ LogText "Result: inetd is running"
Display --indent 2 --text "- Checking inetd status" --result ACTIVE --color GREEN
INETD_ACTIVE=1
else
- logtext "Result: inetd is NOT running"
+ LogText "Result: inetd is NOT running"
Display --indent 2 --text "- Checking inetd status" --result "NOT ACTIVE" --color GREEN
fi
fi
@@ -52,12 +52,12 @@
Register --test-no INSE-8004 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check for enabled inet daemon"
if [ ${SKIPTEST} -eq 0 ]; then
# Check configuration file
- logtext "Test: Searching for file ${INETD_CONFIG_FILE}"
+ LogText "Test: Searching for file ${INETD_CONFIG_FILE}"
if [ -f ${INETD_CONFIG_FILE} ]; then
- logtext "Result: ${INETD_CONFIG_FILE} exists"
+ LogText "Result: ${INETD_CONFIG_FILE} exists"
Display --indent 4 --text "- Checking inetd.conf" --result FOUND --color WHITE
else
- logtext "Result: ${INETD_CONFIG_FILE} does not exist"
+ LogText "Result: ${INETD_CONFIG_FILE} does not exist"
Display --indent 4 --text "- Checking inetd.conf" --result "NOT FOUND" --color WHITE
fi
fi
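Review bot: INSE-8004 is registered with --description "Check for enabled inet daemon", the same description as INSE-8002, but the body only checks whether ${INETD_CONFIG_FILE} exists; give it a description that says so (for example "Check for inetd configuration file") so the two tests can be told apart in the report.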
@@ -70,7 +70,7 @@
Register --test-no INSE-8006 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check configuration of inetd when disabled"
if [ ${SKIPTEST} -eq 0 ]; then
# Check if any service is enabled in /etc/inetd.conf (inetd is not active, see test 8002)
- logtext "Test: check if all services are disabled if inetd is disabled"
+ LogText "Test: check if all services are disabled if inetd is disabled"
FIND=`grep -v "^#" ${INETD_CONFIG_FILE} | grep -v "^$"`
if [ "${FIND}" = "" ]; then
Display --indent 4 --text "- Checking inetd.conf services" --result OK --color GREEN
@@ -87,14 +87,14 @@
if [ ${INETD_ACTIVE} -eq 1 -a -f ${INETD_CONFIG_FILE} ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no INSE-8016 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check for telnet via inetd"
if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: checking telnet presence in inetd configuration"
+ LogText "Test: checking telnet presence in inetd configuration"
FIND=`grep "^telnet" ${INETD_CONFIG_FILE}`
if [ "${FIND}" = "" ]; then
- logtext "Result: telnet not enabled in ${INETD_CONFIG_FILE}"
+ LogText "Result: telnet not enabled in ${INETD_CONFIG_FILE}"
Display --indent 2 --text "- Checking inetd (telnet)" --result "NOT FOUND" --color GREEN
AddHP 3 3
else
- logtext "Result: telnet enabled in ${INETD_CONFIG_FILE}"
+ LogText "Result: telnet enabled in ${INETD_CONFIG_FILE}"
Display --indent 2 --text "- Checking inetd (telnet)" --result WARNING --color RED
ReportSuggestion "${TEST_NO}" "Disable telnet in inetd configuration and use SSH instead"
AddHP 1 3
@@ -108,4 +108,4 @@ wait_for_keypress
#
#================================================================================
-# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com
+# Lynis - Copyright 2007-2016, Michael Boelen, CISOfy - https://cisofy.com
diff --git a/include/tests_kernel b/include/tests_kernel
index 7cd49e12..28ae96fb 100644
--- a/include/tests_kernel
+++ b/include/tests_kernel
@@ -5,7 +5,7 @@
# Lynis
# ------------------
#
-# Copyright 2007-2015, Michael Boelen (michael.boelen@cisofy.com)
+# Copyright 2007-2016, Michael Boelen (michael.boelen@cisofy.com)
# Web site: https://cisofy.com
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
@@ -35,56 +35,56 @@
Register --test-no KRNL-5622 --os Linux --weight L --network NO --description "Determine Linux default run level"
if [ ${SKIPTEST} -eq 0 ]; then
# Checking if we can find the systemd default target
- logtext "Test: Checking for systemd default.target"
+ LogText "Test: Checking for systemd default.target"
if [ -L /etc/systemd/system/default.target ]; then
- logtext "Result: symlink found"
+ LogText "Result: symlink found"
if [ ! "${READLINKBINARY}" = "" ]; then
FIND=`${READLINKBINARY} /etc/systemd/system/default.target`
if [ "${FIND}" = "" ]; then
- logtext "Exception: can't find the target of the symlink of /etc/systemd/system/default.target"
+ LogText "Exception: can't find the target of the symlink of /etc/systemd/system/default.target"
ReportException "${TEST_NO}:01"
else
FIND2=`echo ${FIND} | egrep "runlevel5|graphical"`
if [ ! "${FIND2}" = "" ]; then
- logtext "Result: Found match on runlevel5/graphical"
+ LogText "Result: Found match on runlevel5/graphical"
Display --indent 2 --text "- Checking default runlevel" --result "runlevel 5" --color GREEN
- report "linux_default_runlevel=5"
+ Report "linux_default_runlevel=5"
else
- logtext "Result: No match found on runlevel, defaulting to runlevel 3"
+ LogText "Result: No match found on runlevel, defaulting to runlevel 3"
Display --indent 2 --text "- Checking default runlevel" --result "runlevel 3" --color GREEN
- report "linux_default_runlevel=3"
+ Report "linux_default_runlevel=3"
fi
fi
else
- logtext "Result: No readlink binary, can't determine where symlink is pointing to"
+ LogText "Result: No readlink binary, can't determine where symlink is pointing to"
Display --indent 2 --text "- Checking default run level" --result UNKNOWN --color YELLOW
fi
else
- logtext "Result: no systemd found, so trying inittab"
- logtext "Test: Checking /etc/inittab"
+ LogText "Result: no systemd found, so trying inittab"
+ LogText "Test: Checking /etc/inittab"
if [ -f /etc/inittab ]; then
- logtext "Result: file /etc/inittab found"
- logtext "Test: Checking default Linux run level"
+ LogText "Result: file /etc/inittab found"
+ LogText "Test: Checking default Linux run level"
FIND=`awk -F: '/^id/ { print $2; }' /etc/inittab | head -n 1`
if [ "${FIND}" = "" ]; then
Display --indent 2 --text "- Checking default runlevel" --result UNKNOWN --color YELLOW
- logtext "Result: Can't determine default run level from /etc/inittab"
+ LogText "Result: Can't determine default run level from /etc/inittab"
else
Display --indent 2 --text "- Checking default run level" --result "${FIND}" --color GREEN
- logtext "Found default run level '${FIND}'"
- report "linux_default_runlevel=${FIND}"
+ LogText "Found default run level '${FIND}'"
+ Report "linux_default_runlevel=${FIND}"
fi
else
- logtext "Result: file /etc/inittab not found"
+ LogText "Result: file /etc/inittab not found"
if [ "${LINUX_VERSION}" = "Debian" -o "${LINUX_VERSION}" = "Ubuntu" ]; then
- logtext "Test: Checking run level with who -r, for Debian based systems"
+ LogText "Test: Checking run level with who -r, for Debian based systems"
FIND=`who -r | awk '{ if ($1=="run-level") { print $2 } }'`
if [ ! "${FIND}" = "" ]; then
- logtext "Result: Found default run level '${FIND}'"
- report "linux_default_runlevel=${FIND}"
+ LogText "Result: Found default run level '${FIND}'"
+ Report "linux_default_runlevel=${FIND}"
Display --indent 2 --text "- Checking default run level" --result "RUNLEVEL ${FIND}" --color GREEN
else
- logtext "Result: Can't determine default run level from who -r"
+ LogText "Result: Can't determine default run level from who -r"
Display --indent 2 --text "- Checking default run level" --result UNKNOWN --color YELLOW
fi
fi
@@ -101,37 +101,37 @@
Register --test-no KRNL-5677 --os Linux --weight L --network NO --description "Check CPU options and support"
if [ ${SKIPTEST} -eq 0 ]; then
Display --indent 2 --text "- Checking CPU support (NX/PAE)"
- logtext "Test: Checking /proc/cpuinfo"
+ LogText "Test: Checking /proc/cpuinfo"
if [ -f /proc/cpuinfo ]; then
- logtext "Result: found /proc/cpuinfo"
- logtext "Test: Checking CPU options (XD/NX/PAE)"
+ LogText "Result: found /proc/cpuinfo"
+ LogText "Test: Checking CPU options (XD/NX/PAE)"
FIND_PAE_NX=`grep " pae " /proc/cpuinfo | grep " nx "`
FIND_PAE=`grep " pae " /proc/cpuinfo`
FIND_NX=`grep " nx " /proc/cpuinfo`
FOUND=0
if [ ! "${FIND_PAE_NX}" = "" ]; then
- logtext "PAE: Yes"
- logtext "NX: Yes"
+ LogText "PAE: Yes"
+ LogText "NX: Yes"
CPU_PAE=1
CPU_NX=1
- logtext "Result: PAE or No eXecute option(s) both found"
- report "cpu_pae=1"
- report "cpu_nx=1"
+ LogText "Result: PAE or No eXecute option(s) both found"
+ Report "cpu_pae=1"
+ Report "cpu_nx=1"
FOUND=1
else
if [ ! "${FIND_PAE}" = "" -a "${FIND_NX}" = "" ]; then
- report "cpu_pae=1"
- logtext "Result: found PAE"
+ Report "cpu_pae=1"
+ LogText "Result: found PAE"
CPU_PAE=1
FOUND=1
else
if [ ! "${FIND_NX}" = "" -a "${FIND_PAE}" = "" ]; then
- report "cpu_nx=1"
- logtext "Result: found No eXecute"
+ Report "cpu_nx=1"
+ LogText "Result: found No eXecute"
CPU_NX=1
FOUND=1
else
- logtext "Result: found no CPU options enabled (PAE or NX bit)"
+ LogText "Result: found no CPU options enabled (PAE or NX bit)"
fi
fi
fi
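Review bot: The three `grep " pae "` / `grep " nx "` patterns in this hunk require a space on both sides of the flag, so a flag that happens to be the last token on the `flags` line of /proc/cpuinfo will not match and the test falls through to "found no CPU options enabled". Using `grep -w pae` / `grep -w nx` (or `grep -E "\bnx\b"`) avoids the false negative. Separately, the log string "Result: PAE or No eXecute option(s) both found" is emitted only when both were found, so "PAE and NX both found" would describe the branch accurately.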
@@ -143,7 +143,7 @@
fi
else
Display --indent 4 --text "CPU support: no /proc/cpuinfo" --result SKIPPED --color YELLOW
- logtext "Result: /proc/cpuinfo not found"
+ LogText "Result: /proc/cpuinfo not found"
fi
fi
#
@@ -162,12 +162,12 @@
if [ ${SKIPTEST} -eq 0 ]; then
# Kernel number (and suffix)
LINUX_KERNEL_RELEASE=`uname -r`
- report "linux_kernel_release=${LINUX_KERNEL_RELEASE}"
- logtext "Result: found kernel release ${LINUX_KERNEL_RELEASE}"
+ Report "linux_kernel_release=${LINUX_KERNEL_RELEASE}"
+ LogText "Result: found kernel release ${LINUX_KERNEL_RELEASE}"
# Type and build date
LINUX_KERNEL_VERSION=`uname -v`
- report "linux_kernel_version=${LINUX_KERNEL_VERSION}"
- logtext "Result: found kernel version ${LINUX_KERNEL_VERSION}"
+ Report "linux_kernel_version=${LINUX_KERNEL_VERSION}"
+ LogText "Result: found kernel version ${LINUX_KERNEL_VERSION}"
Display --indent 2 --text "- Checking kernel version and release" --result DONE --color GREEN
fi
#
@@ -178,21 +178,21 @@
Register --test-no KRNL-5723 --os Linux --weight L --network NO --description "Determining if Linux kernel is monolithic"
if [ ${SKIPTEST} -eq 0 ]; then
if [ ! "${LSMODBINARY}" = "" -a -f /proc/modules ]; then
- logtext "Test: checking if kernel is monolithic or modular"
+ LogText "Test: checking if kernel is monolithic or modular"
# Checking if any modules are loaded
FIND=`${LSMODBINARY} | grep -v "^Module" | wc -l | tr -s ' ' | tr -d ' '`
Display --indent 2 --text "- Checking kernel type" --result DONE --color GREEN
if [ "${FIND}" = "0" ]; then
- logtext "Result: Found monolithic kernel"
- report "linux_kernel_type=monolithic"
+ LogText "Result: Found monolithic kernel"
+ Report "linux_kernel_type=monolithic"
MONOLITHIC_KERNEL=1
else
- logtext "Result: Found modular kernel"
- report "linux_kernel_type=modular"
+ LogText "Result: Found modular kernel"
+ Report "linux_kernel_type=modular"
MONOLITHIC_KERNEL=0
fi
else
- logtext "Test skipped, lsmod binary not found or /proc/modules can not be opened"
+ LogText "Test skipped, lsmod binary not found or /proc/modules can not be opened"
fi
fi
#
@@ -206,20 +206,20 @@
FIND=`lsmod | awk '{ if ($1!="Module") print $1 }' | sort`
Display --indent 2 --text "- Checking loaded kernel modules" --result DONE --color GREEN
if [ ! "${FIND}" = "" ]; then
- logtext "Loaded modules according lsmod:"
+ LogText "Loaded modules according lsmod:"
N=0
for I in ${FIND}; do
- logtext "Loaded module: ${I}"
- report "loaded_kernel_module[]=${I}"
+ LogText "Loaded module: ${I}"
+ Report "loaded_kernel_module[]=${I}"
N=`expr ${N} + 1`
done
Display --indent 6 --text "Found ${N} active modules"
else
- logtext "Result: no loaded modules found"
- logtext "Notice: No loaded kernel modules could indicate a broken/malformed lsmod, or a (custom) monolithic kernel"
+ LogText "Result: no loaded modules found"
+ LogText "Notice: No loaded kernel modules could indicate a broken/malformed lsmod, or a (custom) monolithic kernel"
fi
else
- logtext "Test skipped, lsmod binary not found or /proc/modules can not be opened"
+ LogText "Test skipped, lsmod binary not found or /proc/modules can not be opened"
fi
fi
#
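Review bot: `FIND=\`lsmod | awk ...\`` calls a bare `lsmod`, while the skip message in the same hunk ("lsmod binary not found") and the preceding monolithic-kernel test rely on `${LSMODBINARY}`. Using `${LSMODBINARY}` here too keeps the guard and the invocation consistent and avoids depending on PATH during the audit.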
@@ -232,19 +232,19 @@
CHECKFILE="/boot/config-`uname -r`"
if [ -f ${CHECKFILE} ]; then
LINUXCONFIGFILE="${CHECKFILE}"
- logtext "Result: found config (${LINUXCONFIGFILE})"
+ LogText "Result: found config (${LINUXCONFIGFILE})"
Display --indent 2 --text "- Checking Linux kernel configuration file" --result FOUND --color GREEN
elif [ -f /proc/config.gz ]; then
LINUXCONFIGFILE="${CHECKFILE}"
LINUXCONFIGFILE_ZIPPED=1
- logtext "Result: found config: /proc/config.gz (compressed)"
+ LogText "Result: found config: /proc/config.gz (compressed)"
Display --indent 2 --text "- Checking Linux kernel configuration file" --result FOUND --color GREEN
else
- logtext "Result: no Linux kernel configuration file found in /boot"
+ LogText "Result: no Linux kernel configuration file found in /boot"
Display --indent 2 --text "- Checking Linux kernel configuration file" --result "NOT FOUND" --color WHITE
fi
if [ ! "${LINUXCONFIGFILE}" = "" ]; then
- report "linux_config_file=${LINUXCONFIGFILE}"
+ Report "linux_config_file=${LINUXCONFIGFILE}"
fi
fi
#
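Review bot: In the `elif [ -f /proc/config.gz ]` branch, `LINUXCONFIGFILE="${CHECKFILE}"` assigns the /boot/config-* path that the preceding `if` just established does not exist; it should be `LINUXCONFIGFILE="/proc/config.gz"`, otherwise the later zgrep in the I/O scheduler test runs against a missing file even though `LINUXCONFIGFILE_ZIPPED=1` is set. The fallback log line "no Linux kernel configuration file found in /boot" is also reached only after /proc/config.gz was checked, so the message should mention both locations.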
@@ -262,14 +262,14 @@
if [ ${SKIPTEST} -eq 0 ]; then
if [ ${LINUXCONFIGFILE_ZIPPED} -eq 1 ]; then GREPTOOL="${ZGREPBINARY}"; else GREPTOOL="${GREPBINARY}"; fi
if [ ! "${GREPTOOL}" = "" ]; then
- logtext "Test: Checking the default I/O kernel scheduler"
+ LogText "Test: Checking the default I/O kernel scheduler"
LINUX_KERNEL_IOSCHED=`${GREPTOOL} "CONFIG_DEFAULT_IOSCHED" ${LINUXCONFIGFILE} | awk -F= '{ print $2 }' | sed s/\"//g`
if [ ! "${LINUX_KERNEL_IOSCHED}" = "" ]; then
- logtext "Result: found IO scheduler '${LINUX_KERNEL_IOSCHED}'"
+ LogText "Result: found IO scheduler '${LINUX_KERNEL_IOSCHED}'"
Display --indent 2 --text "- Checking default I/O kernel scheduler" --result FOUND --color GREEN
- report "linux_kernel_io_scheduler[]=${LINUX_KERNEL_IOSCHED}"
+ Report "linux_kernel_io_scheduler[]=${LINUX_KERNEL_IOSCHED}"
else
- logtext "Result: no default i/o kernel scheduler found"
+ LogText "Result: no default i/o kernel scheduler found"
Display --indent 2 --text "- Checking default I/O kernel scheduler" --result "NOT FOUND" --color WHITE
fi
else
@@ -284,27 +284,27 @@
Register --test-no KRNL-5745 --os FreeBSD --weight L --network NO --description "Checking FreeBSD loaded kernel modules"
if [ ${SKIPTEST} -eq 0 ]; then
Display --indent 2 --text "- Checking active kernel modules"
- logtext "Test: Active kernel modules (KLDs)"
- logtext "Description: View all active kernel modules (including kernel)"
- logtext "Test: Checking modules"
+ LogText "Test: Active kernel modules (KLDs)"
+ LogText "Description: View all active kernel modules (including kernel)"
+ LogText "Test: Checking modules"
if [ -f /sbin/kldstat ]; then
FIND=`kldstat | grep -v 'Name' | tr -s ' ' | cut -d ' ' -f6`
if [ $? -eq 0 ]; then
- logtext "Loaded modules according kldstat:"
+ LogText "Loaded modules according kldstat:"
N=0
for I in ${FIND}; do
- logtext "Loaded module: ${I}"
- report "loaded_kernel_module[]=${I}"
+ LogText "Loaded module: ${I}"
+ Report "loaded_kernel_module[]=${I}"
N=`expr ${N} + 1`
done
Display --indent 4 --text "Found ${N} kernel modules" --result DONE --color GREEN
else
Display --indent 4 --text "Test failed" --result WARNING --color RED
- logtext "Result: Problem with executing kldstat"
+ LogText "Result: Problem with executing kldstat"
fi
else
echo "[ ${WHITE}SKIPPED${NORMAL} ]"
- logtext "Result: no results, can't find /sbin/kldstat"
+ LogText "Result: no results, can't find /sbin/kldstat"
fi
fi
#
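Review bot: `if [ $? -eq 0 ]` after the `FIND=\`kldstat | ... | cut ...\`` substitution tests the exit status of `cut`, the last command in the pipeline, not of `kldstat`, so a kldstat failure still takes the success branch and reports "Found 0 kernel modules". Checking `${FIND}` for emptiness (as the Solaris test below does) or capturing kldstat's status separately would be more reliable. The `echo "[ ${WHITE}SKIPPED${NORMAL} ]"` in the else branch also bypasses the `Display` helper used everywhere else in this file.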
@@ -314,16 +314,16 @@
# Description : Checking Solaris load modules
Register --test-no KRNL-5770 --os Solaris --weight L --network NO --description "Checking active kernel modules"
if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: searching loaded kernel modules"
+ LogText "Test: searching loaded kernel modules"
FIND=`modinfo -c -w | grep -v "UNLOADED" | grep LOADED | awk '{ print $3 }' | sort`
if [ ! "${FIND}" = "" ]; then
for I in ${FIND}; do
- logtext "Found module: ${I}"
- report "loaded_kernel_module[]=${I}"
+ LogText "Found module: ${I}"
+ Report "loaded_kernel_module[]=${I}"
done
Display --indent 2 --text "- Checking Solaris active kernel modules" --result DONE --color GREEN
else
- logtext "Result: no output"
+ LogText "Result: no output"
Display --indent 2 --text "- Checking Solaris active kernel modules" --result UNKNOWN --color YELLOW
fi
fi
@@ -335,38 +335,38 @@
if [ "${LINUX_VERSION}" = "Debian" -o "${LINUX_VERSION}" = "Ubuntu" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no KRNL-5788 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking availability new Linux kernel"
if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: Searching apt-cache, to determine if a newer kernel is available"
+ LogText "Test: Searching apt-cache, to determine if a newer kernel is available"
if [ -x /usr/bin/apt-cache ]; then
- logtext "Result: found /usr/bin/apt-cache"
- logtext "Test: checking readlink location of /vmlinuz"
+ LogText "Result: found /usr/bin/apt-cache"
+ LogText "Test: checking readlink location of /vmlinuz"
FINDKERNFILE=`readlink -f /vmlinuz`
- logtext "Output: readlink reported file ${FINDKERNFILE}"
- logtext "Test: checking package from dpkg -S"
+ LogText "Output: readlink reported file ${FINDKERNFILE}"
+ LogText "Test: checking package from dpkg -S"
FINDKERNEL=`dpkg -S ${FINDKERNFILE} 2> /dev/null | awk -F : '{print $1}'`
- logtext "Output: dpkg -S reported package ${FINDKERNEL}"
- logtext "Test: Using apt-cache policy to determine if there is an update available"
+ LogText "Output: dpkg -S reported package ${FINDKERNEL}"
+ LogText "Test: Using apt-cache policy to determine if there is an update available"
FINDINST=`apt-cache policy ${FINDKERNEL} | egrep 'Installed' | cut -d ':' -f2 | tr -d ' '`
FINDCAND=`apt-cache policy ${FINDKERNEL} | egrep 'Candidate' | cut -d ':' -f2 | tr -d ' '`
- logtext "Kernel installed: ${FINDINST}"
- logtext "Kernel candidate: ${FINDCAND}"
+ LogText "Kernel installed: ${FINDINST}"
+ LogText "Kernel candidate: ${FINDCAND}"
if [ "${FINDINST}" = "" ]; then
Display --indent 2 --text "- Checking for available kernel update" --result UNKNOWN --color YELLOW
- logtext "Result: Exception occured, no output from apt-cache policy"
+ LogText "Result: Exception occured, no output from apt-cache policy"
ReportException "${TEST_NO}:01"
- logtext "Exception: apt-cache policy did not return an installed kernel version"
+ LogText "Exception: apt-cache policy did not return an installed kernel version"
ReportSuggestion ${TEST_NO} "Check the output of apt-cache policy manually to determine why output is empty"
else
if [ "${FINDINST}" = "${FINDCAND}" ]; then
Display --indent 2 --text "- Checking for available kernel update" --result OK --color GREEN
- logtext "Result: no kernel update available"
+ LogText "Result: no kernel update available"
else
Display --indent 2 --text "- Checking for available kernel update" --result "UPDATE AVAILABLE" --color YELLOW
- logtext "Result: kernel update available according 'apt-cache policy'."
+ LogText "Result: kernel update available according 'apt-cache policy'."
ReportSuggestion ${TEST_NO} "Determine priority for available kernel update"
fi
fi
else
- logtext "Result: could NOT find /usr/bin/apt-cache, skipped other tests."
+ LogText "Result: could NOT find /usr/bin/apt-cache, skipped other tests."
fi
fi
#
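Review bot: The added line "Result: Exception occured, no output from apt-cache policy" carries a spelling error ("occurred"); since the line is being rewritten anyway, fix it here. Minor: `apt-cache policy ${FINDKERNEL}` is invoked twice to extract Installed and Candidate; a single invocation stored in a variable and parsed twice halves the package-cache work.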
@@ -376,50 +376,50 @@
# Description : Checking core dumps configuration (Linux)
Register --test-no KRNL-5820 --os Linux --weight L --network NO --description "Checking core dumps configuration"
if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: Checking presence /etc/security/limits.conf"
+ LogText "Test: Checking presence /etc/security/limits.conf"
if [ -f /etc/security/limits.conf ]; then
- logtext "Result: file /etc/security/limits.conf exists"
- logtext "Test: Checking if core dumps are disabled in /etc/security/limits.conf"
+ LogText "Result: file /etc/security/limits.conf exists"
+ LogText "Test: Checking if core dumps are disabled in /etc/security/limits.conf"
FIND1=`grep -v "^#" /etc/security/limits.conf | grep -v "^$" | awk '{ if ($1=="*" && $2=="soft" && $3=="core" && $4=="1") { print "soft core enabled" } }'`
FIND2=`grep -v "^#" /etc/security/limits.conf | grep -v "^$" | awk '{ if ($1=="*" && $2=="hard" && $3=="core" && $4=="1") { print "hard core enabled" } }'`
if [ "${FIND1}" = "soft core enabled" -o "${FIND2}" = "hard core enabled" ]; then
- logtext "Result: core dumps (soft or hard) are enabled"
+ LogText "Result: core dumps (soft or hard) are enabled"
Display --indent 2 --text "- Checking core dumps configuration" --result ENABLED --color YELLOW
AddSuggestion "${TEST_NO}" "Check if core dumps need to be enabled on this system"
AddHP 1 2
else
- logtext "Result: core dumps (soft and hard) are both disabled"
+ LogText "Result: core dumps (soft and hard) are both disabled"
Display --indent 2 --text "- Checking core dumps configuration" --result DISABLED --color GREEN
CORE_DUMPS_DISABLED=1
AddHP 3 3
fi
# Sysctl option
- logtext "Test: Checking sysctl value of fs.suid_dumpable"
+ LogText "Test: Checking sysctl value of fs.suid_dumpable"
FIND=`${SYSCTLBINARY} fs.suid_dumpable 2> /dev/null | awk '{ if ($1=="fs.suid_dumpable") { print $3 } }'`
if [ "${FIND}" = "" ]; then
- logtext "Result: value ${FIND} found"
+ LogText "Result: value ${FIND} found"
else
- logtext "Result: sysctl key fs.suid_dumpable not found"
+ LogText "Result: sysctl key fs.suid_dumpable not found"
fi
if [ "${FIND}" = "2" ]; then
- logtext "Result: programs can dump core dump, but only readable by root (value 2, for debugging with file protection)"
+ LogText "Result: programs can dump core dump, but only readable by root (value 2, for debugging with file protection)"
Display --indent 4 --text "- Checking setuid core dumps configuration" --result PROTECTED --color GREEN
AddHP 1 1
elif [ "${FIND}" = "1" ]; then
- logtext "Result: all programs can perform core dumps (value 1, for debugging)"
+ LogText "Result: all programs can perform core dumps (value 1, for debugging)"
Display --indent 2 --text "- Checking setuid core dumps configuration" --result DEBUG --color YELLOW
ReportSuggestion ${TEST_NO} "Determine if really all binaries need to be able to core dump"
AddHP 0 1
else
- logtext "Result: found default option, some programs can dump (not processes which need to change credentials)"
+ LogText "Result: found default option, some programs can dump (not processes which need to change credentials)"
Display --indent 4 --text "- Checking setuid core dumps configuration" --result DEFAULT --color YELLOW
AddHP 1 1
fi
# Check ulimit settings and harden it
# echo 'ulimit -S -c 0 > /dev/null 2>&1' >> /etc/profile
else
- logtext "Result: file /etc/security/limits.conf does not exist, skipping test"
+ LogText "Result: file /etc/security/limits.conf does not exist, skipping test"
fi
fi
#
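Review bot: The fs.suid_dumpable logging is inverted: `if [ "${FIND}" = "" ]` logs "Result: value ${FIND} found" (with an empty value) and the else branch logs "sysctl key fs.suid_dumpable not found" precisely when a value was read. Swap the two messages, or test `! "${FIND}" = ""`. Also note that the limits.conf awk only treats `* soft core 1` / `* hard core 1` as enabled, so any other non-zero limit (e.g. `unlimited`) is reported as DISABLED; matching `$4!="0"` would cover those cases.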
@@ -438,31 +438,31 @@
if [ ${SKIPTEST} -eq 0 ]; then
REBOOT_NEEDED=2
FILE="/var/run/reboot-required.pkgs"
- logtext "Test: Checking presence ${FILE}"
+ LogText "Test: Checking presence ${FILE}"
if [ -f ${FILE} ]; then
- logtext "Result: file ${FILE} exists"
+ LogText "Result: file ${FILE} exists"
FIND=`cat ${FILE}`
if [ "${FIND}" = "" ]; then
- logtext "Result: No reboot needed (file empty)"
+ LogText "Result: No reboot needed (file empty)"
REBOOT_NEEDED=0
else
PKGSCOUNT=`cat ${FILE} | wc -l`
- logtext "Result: reboot is needed, related to ${PKGSCOUNT} packages"
+ LogText "Result: reboot is needed, related to ${PKGSCOUNT} packages"
for I in ${FIND}; do
- logtext "Package: ${I}"
+ LogText "Package: ${I}"
done
REBOOT_NEEDED=1
fi
else
- logtext "Result: file ${FILE} not found"
+ LogText "Result: file ${FILE} not found"
fi
# Check if /boot exists
if [ -d /boot ]; then
- logtext "Result: /boot exists, performing more tests from here"
+ LogText "Result: /boot exists, performing more tests from here"
FIND=`ls /boot/* 2> /dev/null`
if [ ! "${FIND}" = "" ]; then
if [ -f /boot/vmlinuz -a ! -L /boot/vmlinuz ]; then
- logtext "Result: found /boot/vmlinuz (not symlinked)"
+ LogText "Result: found /boot/vmlinuz (not symlinked)"
NEXTLINE=0
FINDVERSION=""
for I in `file /boot/vmlinuz-linux`; do
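Review bot: The branch is entered on `-f /boot/vmlinuz -a ! -L /boot/vmlinuz`, but the version is then extracted with `file /boot/vmlinuz-linux`, a different path that is handled by the `elif` branch further down. This should be `file /boot/vmlinuz`; as written, `FINDVERSION` stays empty on most systems and the test raises the "Can't determine kernel version on disk" exception instead of comparing kernels.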
@@ -476,40 +476,40 @@
if [ ! "${FINDVERSION}" = "" ]; then
CURRENT_KERNEL=`uname -r`
if [ ! "${CURRENT_KERNEL}" = "${FINDVERSION}" ]; then
- logtext "Result: reboot needed, as current kernel is different than the one loaded"
+ LogText "Result: reboot needed, as current kernel is different than the one loaded"
REBOOT_NEEDED=1
fi
else
ReportException "${TEST_NO}:1" "Can't determine kernel version on disk, need debug data"
fi
elif [ -f /boot/vmlinuz-linux ]; then
- logtext "Result: /found /boot/vmlinuz-linux (usually Arch Linux or similar)"
- logtext "Test: checking kernel version on disk"
+ LogText "Result: /found /boot/vmlinuz-linux (usually Arch Linux or similar)"
+ LogText "Test: checking kernel version on disk"
VERSION_ON_DISK=`file -b /boot/vmlinuz-linux | awk '{ if ($1=="Linux" && $7=="version") { print $8 }}'`
if [ ! "${VERSION_ON_DISK}" = "" ]; then
- logtext "Result: found version ${VERSION_ON_DISK}"
+ LogText "Result: found version ${VERSION_ON_DISK}"
ACTIVE_KERNEL=`uname -r`
- logtext "Result: active kernel version ${ACTIVE_KERNEL}"
+ LogText "Result: active kernel version ${ACTIVE_KERNEL}"
if [ "${VERSION_ON_DISK}" = "${ACTIVE_KERNEL}" ]; then
REBOOT_NEEDED=0
- logtext "Result: no reboot needed, active kernel is the same version as the one on disk"
+ LogText "Result: no reboot needed, active kernel is the same version as the one on disk"
else
REBOOT_NEEDED=1
- logtext "Result: reboot needed, as there is a difference between active kernel and the one on disk"
+ LogText "Result: reboot needed, as there is a difference between active kernel and the one on disk"
fi
else
- logtext "Result: could not find the version on disk"
+ LogText "Result: could not find the version on disk"
ReportException "${TEST_NO}:4" "Could not find the kernel version from /boot/vmlinux-linux"
fi
else
if [ -L /boot/vmlinuz ]; then
- logtext "Result: found symlink of /boot/vmlinuz, skipping file"
+ LogText "Result: found symlink of /boot/vmlinuz, skipping file"
else
- logtext "Result: /boot/vmlinuz not on disk, trying to find /boot/vmlinuz*"
+ LogText "Result: /boot/vmlinuz not on disk, trying to find /boot/vmlinuz*"
fi
# Extra current kernel version and replace dashes to allow numeric sort later on
MYKERNEL=`uname -r | sed 's/\.[a-z].*.//g' | sed 's/-[a-z].*.//g' | sed 's/-/./g'`
- logtext "Result: using ${MYKERNEL} as my kernel version (stripped)"
+ LogText "Result: using ${MYKERNEL} as my kernel version (stripped)"
FIND=`ls /boot/vmlinuz* 2> /dev/null`
if [ ! "${FIND}" = "" ]; then
# Display kernels, extract version numbers and sort them numeric per column (up to 6 numbers)
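Review bot: The added line "Result: /found /boot/vmlinuz-linux (usually Arch Linux or similar)" has a stray leading slash in "/found". The exception text two lines below it also refers to "/boot/vmlinux-linux" (vmlinux instead of vmlinuz), which does not match the file actually inspected; worth correcting both while touching this block.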
@@ -528,14 +528,14 @@
for I in ${KERNELS}; do
# Check if we already found a kernel and it is not equal to what we run (e.g. double versions may exist)
if [ ${FOUND_KERNEL} -eq 1 -a ! "${MYKERNEL}" = "${I}" ]; then
- logtext "Result: found a kernel (${I}) later than running one (${MYKERNEL})"
+ LogText "Result: found a kernel (${I}) later than running one (${MYKERNEL})"
REBOOT_NEEDED=1
fi
if [ "${MYKERNEL}" = "${I}" ]; then
FOUND_KERNEL=1
- logtext "Result: Found ${I} (= our kernel)"
+ LogText "Result: Found ${I} (= our kernel)"
else
- logtext "Result: Found ${I}"
+ LogText "Result: Found ${I}"
fi
done
# Check if we at least found the kernel on disk
@@ -544,7 +544,7 @@
else
# If we are not sure yet reboot it needed, but we found running kernel as last one on disk, we run latest kernel
if [ ${REBOOT_NEEDED} -eq 2 ]; then
- logtext "Result: we found our kernel on disk as last entry, so seems to be up-to-date"
+ LogText "Result: we found our kernel on disk as last entry, so seems to be up-to-date"
REBOOT_NEEDED=0
fi
fi
@@ -552,10 +552,10 @@
fi
# No files in /boot
else
- logtext "Result: Skipping this test, as there are no files in /boot"
+ LogText "Result: Skipping this test, as there are no files in /boot"
fi
else
- logtext "Result: /boot does not exist"
+ LogText "Result: /boot does not exist"
fi
# Display discovered status
@@ -578,4 +578,4 @@ wait_for_keypress
#
#================================================================================
-# Lynis - Copyright 2007-2015, CISOfy - https://cisofy.com
+# Lynis - Copyright 2007-2016, CISOfy - https://cisofy.com
diff --git a/include/tests_kernel_hardening b/include/tests_kernel_hardening
index cc82eb47..55839c85 100644
--- a/include/tests_kernel_hardening
+++ b/include/tests_kernel_hardening
@@ -5,7 +5,7 @@
# Lynis
# ------------------
#
-# Copyright 2007-2015, Michael Boelen (michael.boelen@cisofy.com)
+# Copyright 2007-2016, Michael Boelen (michael.boelen@cisofy.com)
# Web site: https://cisofy.com
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
@@ -39,17 +39,17 @@
tFINDcurvalue=`${SYSCTL_READKEY} ${tFINDkey} 2> /dev/null`
if [ ! "${tFINDcurvalue}" = "" ]; then
if [ "${tFINDexpvalue}" = "${tFINDcurvalue}" ]; then
- logtext "Result: sysctl key ${tFINDkey} contains equal expected and current value (${tFINDexpvalue})"
+ LogText "Result: sysctl key ${tFINDkey} contains equal expected and current value (${tFINDexpvalue})"
Display --indent 4 --text "- ${tFINDkey} (exp: ${tFINDexpvalue})" --result OK --color GREEN
AddHP ${tFINDhp} ${tFINDhp}
else
- logtext "Result: sysctl key ${tFINDkey} has a different value than expected in scan profile. Expected=${tFINDexpvalue}, Real=${tFINDcurvalue}"
+ LogText "Result: sysctl key ${tFINDkey} has a different value than expected in scan profile. Expected=${tFINDexpvalue}, Real=${tFINDcurvalue}"
Display --indent 4 --text "- ${tFINDkey} (exp: ${tFINDexpvalue})" --result DIFFERENT --color RED
AddHP 0 ${tFINDhp}
N=1
fi
else
- logtext "Result: key ${tFINDkey} does not exist on this machine"
+ LogText "Result: key ${tFINDkey} does not exist on this machine"
fi
done
@@ -66,4 +66,4 @@ wait_for_keypress
#
#================================================================================
-# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com
+# Lynis - Copyright 2007-2016, Michael Boelen, CISOfy - https://cisofy.com
diff --git a/include/tests_ldap b/include/tests_ldap
index 26c35c0b..d0d26d1c 100644
--- a/include/tests_ldap
+++ b/include/tests_ldap
@@ -5,7 +5,7 @@
# Lynis
# ------------------
#
-# Copyright 2007-2015, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
+# Copyright 2007-2016, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
# Web site: https://cisofy.com
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
@@ -36,10 +36,10 @@
IsRunning slapd
if [ ${RUNNING} -eq 0 ]; then
Display --indent 2 --text "- Checking OpenLDAP instance" --result "NOT FOUND" --color WHITE
- logtext "Result: No running slapd process found."
+ LogText "Result: No running slapd process found."
else
Display --indent 2 --text "- Checking OpenLDAP instance" --result FOUND --color GREEN
- logtext "Result: Found running slapd process"
+ LogText "Result: Found running slapd process"
SLAPDFOUND=1
SLAPD_RUNNING=1
fi
@@ -52,13 +52,13 @@
if [ ${SLAPD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no LDAP-2224 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check presence slapd.conf"
if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: Searching slapd.conf"
+ LogText "Test: Searching slapd.conf"
for I in ${SLAPD_CONF_LOCS}; do
if [ -f ${I}/slapd.conf ]; then
- logtext "Result: found ${I}/slapd.conf"
+ LogText "Result: found ${I}/slapd.conf"
SLAPD_CONF_LOCATION="${I}/slapd.conf"
else
- logtext "Result: ${I} does not contain slapd.conf"
+ LogText "Result: ${I} does not contain slapd.conf"
fi
done
# Check if we found a valid location
@@ -101,4 +101,4 @@ wait_for_keypress
#
#================================================================================
-# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com
+# Lynis - Copyright 2007-2016, Michael Boelen, CISOfy - https://cisofy.com
diff --git a/include/tests_logging b/include/tests_logging
index 70eb42d2..a8c65e23 100644
--- a/include/tests_logging
+++ b/include/tests_logging
@@ -5,7 +5,7 @@
# Lynis
# ------------------
#
-# Copyright 2007-2015, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
+# Copyright 2007-2016, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
# Web site: https://cisofy.com
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
@@ -38,17 +38,17 @@
# Description : Check for a running syslog daemon
Register --test-no LOGG-2130 --weight L --network NO --description "Check for running syslog daemon"
if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: Searching for a logging daemon"
+ LogText "Test: Searching for a logging daemon"
FIND=`${PSBINARY} ax | egrep "syslogd|syslog-ng|metalog|systemd-journal" | grep -v "grep"`
if [ "${FIND}" = "" ]; then
Display --indent 2 --text "- Checking for a running log daemon" --result WARNING --color RED
- logtext "Result: Could not find a syslog daemon like syslog, syslog-ng, rsyslog, metalog, systemd-journal"
+ LogText "Result: Could not find a syslog daemon like syslog, syslog-ng, rsyslog, metalog, systemd-journal"
ReportSuggestion ${TEST_NO} "Check if any syslog daemon is running and correctly configured."
ReportWarning ${TEST_NO} "H" "No syslog daemon found"
AddHP 0 3
else
Display --indent 2 --text "- Checking for a running log daemon" --result OK --color GREEN
- logtext "Result: Found a logging daemon"
+ LogText "Result: Found a logging daemon"
SYSLOG_DAEMON_PRESENT=1
SYSLOG_DAEMON_RUNNING=1
AddHP 3 3
@@ -61,15 +61,15 @@
# Description : Check for a running syslog-ng daemon
Register --test-no LOGG-2132 --weight L --network NO --description "Check for running syslog-ng daemon"
if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: Searching for syslog-ng daemon in process list"
+ LogText "Test: Searching for syslog-ng daemon in process list"
IsRunning syslog-ng
if [ ${RUNNING} -eq 1 ]; then
- logtext "Result: Found syslog-ng in process list"
+ LogText "Result: Found syslog-ng in process list"
Display --indent 4 --text "- Checking Syslog-NG status" --result FOUND --color GREEN
SYSLOG_DAEMON_PRESENT=1
SYSLOG_NG_RUNNING=1
else
- logtext "Result: Syslog-ng NOT found in process list"
+ LogText "Result: Syslog-ng NOT found in process list"
Display --indent 4 --text "- Checking Syslog-NG status" --result "NOT FOUND" --color WHITE
fi
fi
@@ -83,10 +83,10 @@
if [ ${SKIPTEST} -eq 0 ]; then
FIND=`${SYSLOGNGBINARY} -s; echo $?`
if [ "${FIND}" = "0" ]; then
- logtext "Result: Syslog-NG configuration file seems to be consistent"
+ LogText "Result: Syslog-NG configuration file seems to be consistent"
Display --indent 6 --text "- Checking Syslog-NG consistency" --result OK --color GREEN
else
- logtext "Result: Syslog-NG configuration file seems NOT to be consistent"
+ LogText "Result: Syslog-NG configuration file seems NOT to be consistent"
Display --indent 6 --text "- Checking Syslog-NG consistency" --result WARNING --color RED
ReportWarning ${TEST_NO} "L" "Found one or more problems in Syslog-NG configuration file"
ReportSuggestion ${TEST_NO} "Check the Syslog-NG configuration file and/or run a manual consistency check with: syslog-ng -s"
@@ -99,7 +99,7 @@
# Description : Check for a running systemd-journal daemon
Register --test-no LOGG-2136 --weight L --network NO --description "Check for running systemd journal daemon"
if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: Searching for systemd journal daemon in process list"
+ LogText "Test: Searching for systemd journal daemon in process list"
IsRunning systemd-journal
if [ ${RUNNING} -eq 1 ]; then
Display --indent 4 --text "- Checking systemd journal status" --result FOUND --color GREEN
@@ -115,15 +115,15 @@
# Description : Check for a running metalog daemon
Register --test-no LOGG-2210 --weight L --network NO --description "Check for running metalog daemon"
if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: Searching for metalog daemon in process list"
+ LogText "Test: Searching for metalog daemon in process list"
IsRunning metalog
if [ ${RUNNING} -eq 1 ]; then
- logtext "Result: Found metalog in process list"
+ LogText "Result: Found metalog in process list"
Display --indent 4 --text "- Checking Metalog status" --result FOUND --color GREEN
SYSLOG_DAEMON_PRESENT=1
METALOG_RUNNING=1
else
- logtext "Result: metalog NOT found in process list"
+ LogText "Result: metalog NOT found in process list"
Display --indent 4 --text "- Checking Metalog status" --result "NOT FOUND" --color WHITE
fi
fi
@@ -134,15 +134,15 @@
# Description : Check for a running rsyslog daemon
Register --test-no LOGG-2230 --weight L --network NO --description "Check for running RSyslog daemon"
if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: Searching for RSyslog daemon in process list"
+ LogText "Test: Searching for RSyslog daemon in process list"
IsRunning rsyslogd
if [ ${RUNNING} -eq 1 ]; then
- logtext "Result: Found rsyslogd in process list"
+ LogText "Result: Found rsyslogd in process list"
Display --indent 4 --text "- Checking RSyslog status" --result FOUND --color GREEN
SYSLOG_DAEMON_PRESENT=1
RSYSLOG_RUNNING=1
else
- logtext "Result: rsyslogd NOT found in process list"
+ LogText "Result: rsyslogd NOT found in process list"
Display --indent 4 --text "- Checking RSyslog status" --result "NOT FOUND" --color WHITE
fi
fi
@@ -153,15 +153,15 @@
# Description : Check for a running RFC 3195 compliant daemon (syslog via TCP)
Register --test-no LOGG-2240 --weight L --network NO --description "Check for running RFC 3195 compliant daemon"
if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: Searching for RFC 3195 daemon (alias syslog reliable) in process list"
+ LogText "Test: Searching for RFC 3195 daemon (alias syslog reliable) in process list"
IsRunning rfc3195d
if [ ${RUNNING} -eq 1 ]; then
- logtext "Result: Found rfc3195d in process list"
+ LogText "Result: Found rfc3195d in process list"
Display --indent 4 --text "- Checking RFC 3195 daemon status" --result FOUND --color GREEN
SYSLOG_DAEMON_PRESENT=1
RFC3195D_RUNNING=1
else
- logtext "Result: rfc3195d NOT found in process list"
+ LogText "Result: rfc3195d NOT found in process list"
Display --indent 4 --text "- Checking RFC 3195 daemon status" --result "NOT FOUND" --color WHITE
fi
fi
@@ -176,21 +176,21 @@
# * This test should be below all other logging daemons
Register --test-no LOGG-2138 --os Linux --weight L --network NO --description "Checking kernel logger daemon on Linux"
if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: Searching kernel logger daemon (klogd)"
+ LogText "Test: Searching kernel logger daemon (klogd)"
if [ ${RSYSLOG_RUNNING} -eq 0 -a ${SYSTEMD_JOURNAL_RUNNING} -eq 0 ]; then
# Search for klogd, but ignore other lines related to klogd (like dd with input/output file)
#FIND=`${PSBINARY} ax | grep "klogd" | grep -v "dd" | grep -v "grep"`
IsRunning klogd
if [ ${RUNNING} -eq 1 ]; then
- logtext "Result: klogd running"
+ LogText "Result: klogd running"
Display --indent 4 --text "- Checking klogd" --result FOUND --color GREEN
else
- logtext "Result: No klogd found"
+ LogText "Result: No klogd found"
Display --indent 4 --text "- Checking klogd" --result "NOT FOUND" --color RED
ReportWarning ${TEST_NO} "L" "klogd is not running, which could lead to missing kernel messages in log files"
fi
else
- logtext "Result: test skipped, because other facility is being used to log kernel messages"
+ LogText "Result: test skipped, because other facility is being used to log kernel messages"
fi
fi
#
@@ -200,15 +200,15 @@
# Description : Check for minilogd presence on Linux systems
Register --test-no LOGG-2142 --os Linux --weight L --network NO --description "Checking minilog daemon"
if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Result: Checking for unkilled minilogd instances"
+ LogText "Result: Checking for unkilled minilogd instances"
# Search for minilogd. It shouldn't be running normally, if another syslog daemon is started
IsRunning minilogd
if [ ${RUNNING} -eq 0 ]; then
Display --indent 4 --text "- Checking minilogd instances" --result "NOT FOUND" --color WHITE
- logtext "Result: No minilogd is running"
+ LogText "Result: No minilogd is running"
else
Display --indent 4 --text "- Checking minilogd instances" --result WARNING --color RED
- logtext "Result: minilogd found in process list"
+ LogText "Result: minilogd found in process list"
# minilogd daemon seems to be running
ReportWarning ${TEST_NO} "L" "minilogd is running, which should normally not be running"
fi
@@ -220,28 +220,28 @@
# Description : Check for logrotate (/etc/logrotate.conf and logrotate.d)
Register --test-no LOGG-2146 --weight L --os Linux --network NO --description "Checking logrotate.conf and logrotate.d"
if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: Checking for /etc/logrotate.conf"
+ LogText "Test: Checking for /etc/logrotate.conf"
if [ -f /etc/logrotate.conf ]; then
LOGROTATE_CONFIG_FOUND=1
LOGROTATE_TOOL="logrotate"
- logtext "Result: /etc/logrotate.conf found (file)"
+ LogText "Result: /etc/logrotate.conf found (file)"
else
- logtext "Result: /etc/logrotate.conf NOT found"
+ LogText "Result: /etc/logrotate.conf NOT found"
fi
- logtext "Test: Checking for /etc/logrotate.d (directory)"
+ LogText "Test: Checking for /etc/logrotate.d (directory)"
if [ -d /etc/logrotate.d ]; then
LOGROTATE_CONFIG_FOUND=1
LOGROTATE_TOOL="logrotate"
- logtext "Result: /etc/logrotate.d found"
+ LogText "Result: /etc/logrotate.d found"
else
- logtext "Result: /etc/logrotate.conf found"
+ LogText "Result: /etc/logrotate.conf found"
fi
if [ ${LOGROTATE_CONFIG_FOUND} -eq 1 ]; then
Display --indent 2 --text "- Checking logrotate presence" --result OK --color GREEN
- logtext "Result: logrotate configuration found"
+ LogText "Result: logrotate configuration found"
else
Display --indent 2 --text "- Checking logrotate presence" --result WARNING --color RED
- logtext "Result: No logrotate configuration found"
+ LogText "Result: No logrotate configuration found"
ReportSuggestion ${TEST_NO} "Check if files are properly rotated by a some tool instead of logrotate"
fi
fi
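Review bot: the log message in the else branch of the `/etc/logrotate.d` directory check is wrong and the rename carries it forward unchanged: `LogText "Result: /etc/logrotate.conf found"` is emitted when the directory is not found, which makes the log file misleading; it should read `LogText "Result: /etc/logrotate.d NOT found"`, mirroring the conf-file branch above it. While touching this block, the suggestion text "Check if files are properly rotated by a some tool instead of logrotate" has a typo ("a some") that reaches the end user in the report.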
@@ -253,14 +253,14 @@
if [ ! "${LOGROTATEBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no LOGG-2148 --weight L --preqs-met ${PREQS_MET} --network NO --description "Checking logrotated files"
if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: Checking which files are rotated with logrotate and if they exist"
+ LogText "Test: Checking which files are rotated with logrotate and if they exist"
FIND=`${LOGROTATEBINARY} -d -v /etc/logrotate.conf 2>&1 | egrep "considering log|skipping" | grep -v '*' | sort -u | awk '{ if ($2!="log") { print "File:"$2":does_not_exist" } else { print "File:"$3":exists" } }'`
if [ "${FIND}" = "" ]; then
- logtext "Result: nothing found"
+ LogText "Result: nothing found"
else
- logtext "Result: found one or more files which are rotated via logrotate"
+ LogText "Result: found one or more files which are rotated via logrotate"
for I in ${FIND}; do
- logtext "Output: ${I}"
+ LogText "Output: ${I}"
done
fi
fi
@@ -272,18 +272,18 @@
if [ ! "${LOGROTATEBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no LOGG-2150 --weight L --preqs-met ${PREQS_MET} --network NO --description "Checking directories in logrotate configuration"
if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: Checking which directories can be found in logrotate configuration"
+ LogText "Test: Checking which directories can be found in logrotate configuration"
FIND=`${LOGROTATEBINARY} -d -v /etc/logrotate.conf 2>&1 | egrep "considering log|skipping" | grep -v '*' | sort -u | awk '{ if ($2=="log") { print $3 } }' | sed 's@/[^/]*$@@g' | sort -u`
if [ "${FIND}" = "" ]; then
- logtext "Result: nothing found"
+ LogText "Result: nothing found"
else
- logtext "Result: found one or more directories (via logrotate configuration)"
+ LogText "Result: found one or more directories (via logrotate configuration)"
for I in ${FIND}; do
if [ -d ${I} ]; then
- logtext "Directory found: ${I}"
- report "log_directory[]=${I}"
+ LogText "Directory found: ${I}"
+ Report "log_directory[]=${I}"
else
- logtext "Directory could not be found: ${I}"
+ LogText "Directory could not be found: ${I}"
fi
done
fi
@@ -297,32 +297,32 @@
Register --test-no LOGG-2152 --weight L --os Solaris --network NO --description "Checking loghost"
if [ ${SKIPTEST} -eq 0 ]; then
# Try local hosts file
- logtext "Result: Checking for loghost in /etc/inet/hosts"
+ LogText "Result: Checking for loghost in /etc/inet/hosts"
FIND=`grep loghost /etc/inet/hosts | grep -v "^#"`
if [ ! "${FIND}" = "" ]; then
SOLARIS_LOGHOST_FOUND=1
- logtext "Result: Found loghost entry in /etc/inet/hosts"
+ LogText "Result: Found loghost entry in /etc/inet/hosts"
else
- logtext "Result: No loghost entry found in /etc/inet/hosts"
+ LogText "Result: No loghost entry found in /etc/inet/hosts"
# Try name resolving if no entry is present in local host file
- logtext "Result: Checking for loghost via name resolving"
+ LogText "Result: Checking for loghost via name resolving"
FIND=`getent hosts loghost | grep loghost`
if [ ! "${FIND}" = "" ]; then
SOLARIS_LOGHOST_FOUND=1
- logtext "Result: name resolving was succesful"
- logtext "Output: ${FIND}"
+ LogText "Result: name resolving was succesful"
+ LogText "Output: ${FIND}"
else
- logtext "Result: name resolving didn't find results"
+ LogText "Result: name resolving didn't find results"
fi
fi
if [ ${SOLARIS_LOGHOST_FOUND} -eq 1 ]; then
- logtext "Result: loghost entry found and most likely used to send syslog messages"
+ LogText "Result: loghost entry found and most likely used to send syslog messages"
Display --indent 2 --text "- Checking loghost entry" --result OK --color GREEN
else
Display --indent 2 --text "- Checking loghost entry" --result WARNING --color RED
- logtext "Result: No loghost entry found"
+ LogText "Result: No loghost entry found"
ReportWarning ${TEST_NO} "L" "No loghost entry found"
ReportSuggestion ${TEST_NO} "Add a loghost entry to /etc/inet/hosts or other name services"
fi
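Review bot: spelling in a line this change touches: `LogText "Result: name resolving was succesful"` should read "successful". Since every logtext call in the file is being rewritten, this is the cheapest moment to fix the message text as well.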
@@ -342,20 +342,20 @@
SYSLOGD_CONF="/etc/syslog.conf"
fi
if [ -f ${SYSLOGD_CONF} ]; then
- logtext "Test: check if logs are also logged to a remote logging host"
+ LogText "Test: check if logs are also logged to a remote logging host"
FIND=`egrep "@[a-zA-Z0-9]|destination\s.+(udp|tcp).+\sport" ${SYSLOGD_CONF} | grep -v "^#" | grep -v "[a-zA-Z0-9]@"`
if [ ! "${FIND}" = "" ]; then
- logtext "Result: remote logging enabled"
+ LogText "Result: remote logging enabled"
AddHP 5 5
Display --indent 2 --text "- Checking remote logging" --result ENABLED --color GREEN
else
- logtext "Result: no remote logging found"
+ LogText "Result: no remote logging found"
ReportSuggestion ${TEST_NO} "Enable logging to an external logging host for archiving purposes and additional protection"
AddHP 1 3
Display --indent 2 --text "- Checking remote logging" --result "NOT ENABLED" --color YELLOW
fi
else
- logtext "Result: test skipped, file ${SYSLOGD_CONF} not found"
+ LogText "Result: test skipped, file ${SYSLOGD_CONF} not found"
fi
fi
#
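Review bot: portability of the remote-logging pattern in the unchanged FIND line: `egrep "@[a-zA-Z0-9]|destination\s.+(udp|tcp).+\sport"` relies on `\s`, which is a GNU extension and not guaranteed by POSIX ERE; on Solaris or BSD egrep the second alternative may silently never match, so a syslog-ng destination would be reported as "no remote logging found". Replacing `\s` with `[[:space:]]` keeps the same meaning on every platform this file targets (the test sets SYSLOGD_CONF per OS, including Solaris).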
@@ -366,7 +366,7 @@
if [ -f /etc/newsyslog.conf ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no LOGG-2160 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking /etc/newsyslog.conf"
if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Result: /etc/newsyslog.conf found"
+ LogText "Result: /etc/newsyslog.conf found"
Display --indent 2 --text "- Checking /etc/newsyslog.conf" --result FOUND --color GREEN
LOGROTATE_CONFIG_FOUND=1
LOGROTATE_TOOL="newsyslog"
@@ -379,14 +379,14 @@
if [ -f /etc/newsyslog.conf ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no LOGG-2162 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking directories in /etc/newsyslog.conf"
if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: parsing directories from /etc/newsyslog.conf file"
+ LogText "Test: parsing directories from /etc/newsyslog.conf file"
FIND=`awk '/^\// { print $1 }' /etc/newsyslog.conf | sed 's/\/*[a-zA-Z_.-]*$//g' | sort -u`
for I in ${FIND}; do
if [ -d ${I} ]; then
- logtext "Result: Directory ${I} found and exists"
- report "log_directory[]=${I}"
+ LogText "Result: Directory ${I} found and exists"
+ Report "log_directory[]=${I}"
else
- logtext "Result: Item ${I} is not a directory"
+ LogText "Result: Item ${I} is not a directory"
fi
done
Display --indent 4 --text "- Checking log directories (newsyslog.conf)" --result DONE --color GREEN
@@ -399,13 +399,13 @@
if [ -f /etc/newsyslog.conf ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no LOGG-2164 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking files specified /etc/newsyslog.conf"
if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: parsing files from /etc/newsyslog.conf file"
+ LogText "Test: parsing files from /etc/newsyslog.conf file"
FIND=`awk '/^\// { print $1 }' /etc/newsyslog.conf | sort -u`
for I in ${FIND}; do
if [ -f ${I} ]; then
- logtext "Result: File ${I} found and exists"
+ LogText "Result: File ${I} found and exists"
else
- logtext "Result: Item ${I} is not a file"
+ LogText "Result: Item ${I} is not a file"
fi
done
Display --indent 4 --text "- Checking log files (newsyslog.conf)" --result DONE --color GREEN
@@ -417,13 +417,13 @@
# Description : Search available log paths
Register --test-no LOGG-2170 --weight L --network NO --description "Checking log paths"
if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: Searching log paths"
+ LogText "Test: Searching log paths"
for I in ${LOG_FILES_LOCS}; do
if [ -d ${I} ]; then
- logtext "Result: directory ${I} exists"
- report "log_directory[]=${I}"
+ LogText "Result: directory ${I} exists"
+ Report "log_directory[]=${I}"
else
- logtext "Result: directory ${I} can't be found"
+ LogText "Result: directory ${I} can't be found"
fi
done
Display --indent 2 --text "- Checking log directories (static list)" --result DONE --color GREEN
@@ -435,16 +435,16 @@
# Description : Search open log file
Register --test-no LOGG-2180 --weight L --network NO --description "Checking open log files"
if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: checking open log files with lsof"
+ LogText "Test: checking open log files with lsof"
if [ ! "${LSOFBINARY}" = "" ]; then
FIND=`${LSOFBINARY} -n 2>&1 | grep "log$" | egrep -v "WARNING|Output information" | awk '{ if ($5=="REG") { print $9 } }' | sort -u | grep -v "^$"`
for I in ${FIND}; do
- logtext "Found logfile: ${I}"
- report "open_logfile[]=${I}"
+ LogText "Found logfile: ${I}"
+ Report "open_logfile[]=${I}"
done
Display --indent 2 --text "- Checking open log files" --result DONE --color GREEN
else
- logtext "Result: lsof not installed, skipping test"
+ LogText "Result: lsof not installed, skipping test"
Display --indent 2 --text "- Checking open log files" --result SKIPPED --color YELLOW
# Add suggestion
fi
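Review bot: the skipped branch ends with a bare `# Add suggestion` placeholder and no `ReportSuggestion` call, so a host without lsof gets a SKIPPED result in yellow but no actionable item in the report. Either add a suggestion via `ReportSuggestion ${TEST_NO} "..."` pointing at installing lsof, or remove the placeholder comment so it does not look like a forgotten step.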
@@ -457,18 +457,18 @@
if [ ! "${LSOFBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no LOGG-2190 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking deleted files in file table"
if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: checking deleted files but are still in use"
+ LogText "Test: checking deleted files but are still in use"
FIND=`${LSOFBINARY} -n +L 1 2>&1 | egrep -v "WARNING|Output information" | awk '{ if ($5=="REG") { print $10 } }' | grep -v "^$" | sort -u`
if [ ! "${FIND}" = "" ]; then
- logtext "Result: found one or more files which are deleted, but still in use"
+ LogText "Result: found one or more files which are deleted, but still in use"
for I in ${FIND}; do
- logtext "Found deleted file: ${I}"
- report "deleted_file[]=${I}"
+ LogText "Found deleted file: ${I}"
+ Report "deleted_file[]=${I}"
done
Display --indent 2 --text "- Checking deleted files in use" --result "FILES FOUND" --color YELLOW
ReportSuggestion ${TEST_NO} "Check what deleted files are still in use and why."
else
- logtext "Result: no deleted files found"
+ LogText "Result: no deleted files found"
Display --indent 2 --text "- Checking deleted files in use" --result DONE --color GREEN
fi
fi
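Review bot: grammar in a touched log line: `LogText "Test: checking deleted files but are still in use"` should read "checking for deleted files that are still in use". Same remark as for the other renamed lines: since the call is being rewritten, fix the text in the same commit.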
@@ -476,11 +476,11 @@
#################################################################################
#
-report "log_rotation_config_found=${LOGROTATE_CONFIG_FOUND}"
-report "log_rotation_tool=${LOGROTATE_TOOL}"
+Report "log_rotation_config_found=${LOGROTATE_CONFIG_FOUND}"
+Report "log_rotation_tool=${LOGROTATE_TOOL}"
wait_for_keypress
#
#================================================================================
-# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com
+# Lynis - Copyright 2007-2016, Michael Boelen, CISOfy - https://cisofy.com
diff --git a/include/tests_mac_frameworks b/include/tests_mac_frameworks
index 9b7fa2c2..268b5d03 100644
--- a/include/tests_mac_frameworks
+++ b/include/tests_mac_frameworks
@@ -5,7 +5,7 @@
# Lynis
# ------------------
#
-# Copyright 2007-2015, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
+# Copyright 2007-2016, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
# Web site: https://cisofy.com
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
@@ -30,11 +30,11 @@
if [ ${SKIPTEST} -eq 0 ]; then
if [ "${AASTATUSBINARY}" = "" ]; then
APPARMORFOUND=0
- logtext "Result: aa-status binary not found, AppArmor not installed"
+ LogText "Result: aa-status binary not found, AppArmor not installed"
Display --indent 2 --text "- Checking presence AppArmor" --result "NOT FOUND" --color WHITE
else
APPARMORFOUND=1
- logtext "Result: aa-status binary found, AppArmor is installed"
+ LogText "Result: aa-status binary found, AppArmor is installed"
Display --indent 2 --text "- Checking presence AppArmor" --result FOUND --color GREEN
fi
fi
@@ -56,20 +56,20 @@
FIND=`${AASTATUSBINARY} > /dev/null; echo $?`
if [ ${FIND} -eq 0 ]; then
MAC_FRAMEWORK_ACTIVE=1
- logtext "Result: AppArmor is enabled and a policy is loaded"
+ LogText "Result: AppArmor is enabled and a policy is loaded"
Display --indent 4 --text "- Checking AppArmor status" --result "ENABLED" --color GREEN
elif [ ${FIND} -eq 4 ]; then
- logtext "Result: Can not determine status, most likely due to lacking permissions"
+ LogText "Result: Can not determine status, most likely due to lacking permissions"
Display --indent 4 --text "- Checking AppArmor status" --result "UNKNOWN" --color RED
elif [ ${FIND} -eq 3 ]; then
- logtext "Result: Can not check control files"
+ LogText "Result: Can not check control files"
Display --indent 4 --text "- Checking AppArmor status" --result "UNKNOWN" --color RED
elif [ ${FIND} -eq 2 ]; then
- logtext "Result: AppArmor is enabled, but no policy is loaded"
+ LogText "Result: AppArmor is enabled, but no policy is loaded"
ReportSuggestion ${TEST_NO} "Disable AppArmor or load a policy"
Display --indent 4 --text "- Checking AppArmor status" --result "NON-ACTIVE" --color GREEN
elif [ ${FIND} -eq 1 ]; then
- logtext "Result: AppArmor is disabled"
+ LogText "Result: AppArmor is disabled"
Display --indent 4 --text "- Checking AppArmor status" --result "DISABLED" --color YELLOW
else
Display --indent 4 --text "- Checking AppArmor status" --result "UNKNOWN" --color RED
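Review bot: the exit-code 2 branch ("AppArmor is enabled, but no policy is loaded") raises a `ReportSuggestion` but displays NON-ACTIVE in GREEN, which is inconsistent with the other suggestion paths in this change set (for example freshclam uses SUGGESTION in YELLOW); YELLOW fits better here. Separately, the unchanged `FIND=\`${AASTATUSBINARY} > /dev/null; echo $?\`` only discards stdout, so when aa-status lacks permissions (the exit-code 4 case just below) its stderr output leaks into the Lynis screen output; add `2> /dev/null` alongside the stdout redirect.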
@@ -84,12 +84,12 @@
# Description : Check SELINUX for installation
Register --test-no MACF-6232 --weight L --network NO --description "Check SELINUX presence"
if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: checking if we have sestatus binary"
+ LogText "Test: checking if we have sestatus binary"
if [ ! "${SESTATUSBINARY}" = "" ]; then
- logtext "Result: found sestatus binary (${SESTATUSBINARY})"
+ LogText "Result: found sestatus binary (${SESTATUSBINARY})"
Display --indent 2 --text "- Checking presence SELinux" --result "FOUND" --color GREEN
else
- logtext "Result: sestatus binary NOT found"
+ LogText "Result: sestatus binary NOT found"
Display --indent 2 --text "- Checking presence SELinux" --result "NOT FOUND" --color WHITE
fi
fi
@@ -105,26 +105,26 @@
FIND=`${SESTATUSBINARY} | grep "^SELinux status" | awk '{ print $3 }'`
if [ "${FIND}" = "enabled" ]; then
MAC_FRAMEWORK_ACTIVE=1
- logtext "Result: SELinux framework is enabled"
- report "selinux_status=1"
+ LogText "Result: SELinux framework is enabled"
+ Report "selinux_status=1"
SELINUXFOUND=1
Display --indent 4 --text "- Checking SELinux status" --result "ENABLED" --color GREEN
FIND=`${SESTATUSBINARY} | grep "^Current mode" | awk '{ print $3 }'`
- report "selinux_mode=${FIND}"
+ Report "selinux_mode=${FIND}"
FIND2=`${SESTATUSBINARY} | grep "^Mode from config file" | awk '{ print $5 }'`
- logtext "Result: current SELinux mode is ${FIND}"
- logtext "Result: mode configured in config file is ${FIND2}"
+ LogText "Result: current SELinux mode is ${FIND}"
+ LogText "Result: mode configured in config file is ${FIND2}"
if [ "${FIND}" = "${FIND2}" ]; then
- logtext "Result: Current SELinux mode is the same as in config file."
+ LogText "Result: Current SELinux mode is the same as in config file."
Display --indent 6 --text "- Checking current mode and config file" --result "OK" --color GREEN
else
- logtext "Result: Current SELinux mode (${FIND}) is NOT the same as in config file (${FIND2})."
+ LogText "Result: Current SELinux mode (${FIND}) is NOT the same as in config file (${FIND2})."
ReportWarning ${TEST_NO} "M" "Current SELinux mode is different from config file (current: ${FIND}, config file: ${FIND2})"
Display --indent 6 --text "- Checking current mode and config file" --result "WARNING" --color RED
fi
Display --indent 8 --text "Current SELinux mode: ${FIND}"
else
- logtext "Result: SELinux framework is disabled"
+ LogText "Result: SELinux framework is disabled"
Display --indent 4 --text "- Checking SELinux status" --result "DISABLED" --color YELLOW
fi
fi
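Review bot: `sestatus` is invoked three times in this block (for the status line, the current mode and the config-file mode); capturing its output once into a variable and grepping that would avoid repeated process spawns and guarantees the three values come from one consistent snapshot. Also, `Report "selinux_status=1"` is only emitted in the enabled branch, so a disabled SELinux leaves the key absent from the report; emitting `selinux_status=0` in the else branch makes the report field unambiguous for consumers.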
@@ -139,18 +139,18 @@
if [ ${SKIPTEST} -eq 0 ]; then
if [ -e /dev/grsec ]; then
GRSECFOUND=1
- logtext "Result: grsecurity available (/dev/grsec found)"
+ LogText "Result: grsecurity available (/dev/grsec found)"
else
- logtext "Result: grsecurity not present (/dev/grsec not found)"
+ LogText "Result: grsecurity not present (/dev/grsec not found)"
fi
# Check Linux kernel configuration
if [ ! "${LINUXCONFIGFILE}" = "" -a -f "${LINUXCONFIGFILE}" ]; then
FIND=`${GREPBINARY} ^CONFIG_GRKERNSEC=y ${LINUXCONFIGFILE}`
if [ ! "${FIND}" = "" ]; then
- logtext "Result: grsecurity available (in kernel config)"
+ LogText "Result: grsecurity available (in kernel config)"
GRSECFOUND=1
else
- logtext "Result: no grsecurity found in kernel config"
+ LogText "Result: no grsecurity found in kernel config"
fi
fi
# Found grsecurity?
@@ -171,22 +171,22 @@
if [ ${MAC_FRAMEWORK_ACTIVE} -eq 1 ]; then
Display --indent 2 --text "- Checking for implemented MAC framework" --result OK --color GREEN
AddHP 3 3
- logtext "Result: found implemented MAC framework"
+ LogText "Result: found implemented MAC framework"
else
Display --indent 2 --text "- Checking for implemented MAC framework" --result NONE --color YELLOW
AddHP 2 3
- logtext "Result: found no implemented MAC framework"
+ LogText "Result: found no implemented MAC framework"
fi
fi
#
#################################################################################
#
-report "framework_grsecurity=${GRSECFOUND}"
-report "framework_selinux=${SELINUXFOUND}"
+Report "framework_grsecurity=${GRSECFOUND}"
+Report "framework_selinux=${SELINUXFOUND}"
wait_for_keypress
#
#================================================================================
-# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com
+# Lynis - Copyright 2007-2016, Michael Boelen, CISOfy - https://cisofy.com
diff --git a/include/tests_mail_messaging b/include/tests_mail_messaging
index 3d33129e..5da30e47 100644
--- a/include/tests_mail_messaging
+++ b/include/tests_mail_messaging
@@ -5,7 +5,7 @@
# Lynis
# ------------------
#
-# Copyright 2007-2015, Michael Boelen (michael.boelen@cisofy.com)
+# Copyright 2007-2016, Michael Boelen (michael.boelen@cisofy.com)
# Web site: https://cisofy.com
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
@@ -36,15 +36,15 @@
# Description : Check Exim process status
Register --test-no MAIL-8802 --weight L --network NO --description "Check Exim status"
if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: check Exim status"
+ LogText "Test: check Exim status"
IsRunning exim
if [ ${RUNNING} -eq 1 ]; then
- logtext "Result: found running Exim process"
+ LogText "Result: found running Exim process"
Display --indent 2 --text "- Checking Exim status" --result RUNNING --color GREEN
EXIM_RUNNING=1
SMTP_DAEMON="exim"
else
- logtext "Result: no running Exim processes found"
+ LogText "Result: no running Exim processes found"
Display --indent 2 --text "- Checking Exim status" --result "NOT FOUND" --color WHITE
fi
fi
@@ -56,18 +56,18 @@
# Notes : qmgr and pickup run under postfix uid, without full path to binary
Register --test-no MAIL-8814 --weight L --network NO --description "Check postfix process status"
if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: check Postfix status"
+ LogText "Test: check Postfix status"
# Some other processes also use master, therefore it should include both master and postfix
FIND1=`${PSBINARY} ax | grep "master" | grep "postfix" | grep -v "grep"`
#FIND2=`${PSBINARY} ax | grep "qmgr" | grep "postfix" | grep -v "grep"`
#FIND3=`${PSBINARY} ax | grep "pickup" | grep "postfix" | grep -v "grep"`
if [ ! "${FIND1}" = "" ]; then
- logtext "Result: found running Postfix process"
+ LogText "Result: found running Postfix process"
Display --indent 2 --text "- Checking Postfix status" --result RUNNING --color GREEN
POSTFIX_RUNNING=1
SMTP_DAEMON="postfix"
else
- logtext "Result: no running Postfix processes found"
+ LogText "Result: no running Postfix processes found"
Display --indent 2 --text "- Checking Postfix status" --result "NOT FOUND" --color WHITE
fi
fi
@@ -82,8 +82,8 @@
Display --indent 2 --text "- Checking Postfix configuration" --result FOUND --color GREEN
POSTFIX_CONFIGDIR=`${POSTCONFBINARY} 2> /dev/null | grep '^config_directory' | awk '{ print $3 }'`
POSTFIX_CONFIGFILE="${POSTFIX_CONFIGDIR}/main.cf"
- logtext "Postfix configuration directory: ${POSTFIX_CONFIGDIR}"
- logtext "Postfix configuration file: ${POSTFIX_CONFIGFILE}"
+ LogText "Postfix configuration directory: ${POSTFIX_CONFIGDIR}"
+ LogText "Postfix configuration file: ${POSTFIX_CONFIGFILE}"
fi
#
#################################################################################
@@ -93,7 +93,7 @@
if [ ${POSTFIX_RUNNING} -eq 1 -a ! "${POSTFIXBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no MAIL-8818 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check Postfix configuration: banner"
if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: Checking Postfix banner"
+ LogText "Test: Checking Postfix banner"
FIND1=`${POSTCONFBINARY} 2> /dev/null | grep '^smtpd_banner' | grep 'postfix'`
FIND2=`${POSTCONFBINARY} 2> /dev/null | grep '^smtpd_banner' | grep '$mail_name'`
FIND3=`${POSTCONFBINARY} 2> /dev/null | grep '^mail_name' | grep -i 'postfix'`
@@ -111,7 +111,7 @@
fi
if [ ${SHOWWARNING} -eq 1 ]; then
Display --indent 4 --text "- Checking Postfix banner" --result WARNING --color RED
- logtext "Result: found mail_name in SMTP banner, and/or mail_name contains 'Postfix'."
+ LogText "Result: found mail_name in SMTP banner, and/or mail_name contains 'Postfix'."
ReportWarning ${TEST_NO} "L" "Found mail_name in SMTP banner, and/or mail_name contains 'Postfix'"
ReportSuggestion ${TEST_NO} "You are adviced to hide the mail_name (option: smtpd_banner) from your postfix configuration. Use postconf -e or change your main.cf file (${POSTFIX_CONFIGFILE})"
fi
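Review bot: the user-facing suggestion text on the unchanged context line, "You are adviced to hide the mail_name (option: smtpd_banner) ...", should read "advised". It reaches the end user in the report output, so it is worth fixing in this pass alongside the surrounding rename.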
@@ -123,16 +123,16 @@
# Description : Check Dovecot process
Register --test-no MAIL-8838 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check dovecot process"
if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: check dovecot status"
+ LogText "Test: check dovecot status"
IsRunning dovecot
if [ ${RUNNING} -eq 1 ]; then
- logtext "Result: found running dovecot process"
+ LogText "Result: found running dovecot process"
Display --indent 2 --text "- Checking Dovecot status" --result RUNNING --color GREEN
DOVECOT_RUNNING=1
IMAP_DAEMON="dovecot"
POP3_DAEMON="dovecot"
else
- logtext "Result: dovecot not found"
+ LogText "Result: dovecot not found"
Display --indent 2 --text "- Checking Dovecot status" --result "NOT FOUND" --color WHITE
fi
fi
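Review bot: the `Register --test-no MAIL-8838 --preqs-met ${PREQS_MET}` line consumes PREQS_MET, but nothing in this hunk sets it for the Dovecot test; the last visible assignment (in the MAIL-8818 region) depends on Postfix running. If that value carries over, the Dovecot check is skipped on hosts that run Dovecot without Postfix. Either add an explicit `PREQS_MET` line above the Register call or drop the `--preqs-met` flag, as the Qmail (MAIL-8860) and Sendmail (MAIL-8880) tests below do.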
@@ -143,15 +143,15 @@
# Description : Check Qmail process status
Register --test-no MAIL-8860 --weight L --network NO --description "Check Qmail status"
if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: check Qmail status"
+ LogText "Test: check Qmail status"
IsRunning qmail-smtpd
if [ ${RUNNING} -eq 1 ]; then
- logtext "Result: found running Qmail process"
+ LogText "Result: found running Qmail process"
Display --indent 2 --text "- Checking Qmail status" --result RUNNING --color GREEN
QMAIL_RUNNING=1
SMTP_DAEMON="qmail"
else
- logtext "Result: no running Qmail processes found"
+ LogText "Result: no running Qmail processes found"
Display --indent 2 --text "- Checking Qmail status" --result "NOT FOUND" --color WHITE
fi
fi
@@ -162,15 +162,15 @@
# Description : Check Sendmail process status
Register --test-no MAIL-8880 --weight L --network NO --description "Check Sendmail status"
if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: check sendmail status"
+ LogText "Test: check sendmail status"
IsRunning sendmail
if [ ${RUNNING} -eq 1 ]; then
- logtext "Result: found running Sendmail process"
+ LogText "Result: found running Sendmail process"
Display --indent 2 --text "- Checking Sendmail status" --result RUNNING --color GREEN
SENDMAIL_RUNNING=1
SMTP_DAEMON="sendmail"
else
- logtext "Result: no running Sendmail processes found"
+ LogText "Result: no running Sendmail processes found"
Display --indent 2 --text "- Checking Sendmail status" --result "NOT FOUND" --color WHITE
fi
fi
@@ -182,15 +182,15 @@
if [ ! "${SMTPCTLBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no MAIL-8920 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check OpenSMTPD status"
if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: check smtpd status"
+ LogText "Test: check smtpd status"
FIND=`${PSBINARY} ax | egrep "(/smtpd|smtpd: \[priv\]|smtpd: smtp)" | grep -v "grep"`
if [ ! "${FIND}" = "" ]; then
- logtext "Result: found running smtpd process"
+ LogText "Result: found running smtpd process"
Display --indent 2 --text "- Checking OpenSMTPD status" --result RUNNING --color GREEN
OPENSMTPD_RUNNING=1
SMTP_DAEMON="opensmtpd"
else
- logtext "Result: smtpd not found"
+ LogText "Result: smtpd not found"
Display --indent 2 --text "- Checking OpenSMTPD status" --result "NOT FOUND" --color WHITE
fi
fi
@@ -198,13 +198,13 @@
#################################################################################
#
-report "imap_daemon=${IMAP_DAEMON}"
-report "pop3_daemon=${POP3_DAEMON}"
-report "smtp_daemon=${SMTP_DAEMON}"
+Report "imap_daemon=${IMAP_DAEMON}"
+Report "pop3_daemon=${POP3_DAEMON}"
+Report "smtp_daemon=${SMTP_DAEMON}"
wait_for_keypress
#
#================================================================================
-# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com
+# Lynis - Copyright 2007-2016, Michael Boelen, CISOfy - https://cisofy.com
diff --git a/include/tests_malware b/include/tests_malware
index b9d4c0e8..d0d7d2c0 100644
--- a/include/tests_malware
+++ b/include/tests_malware
@@ -5,7 +5,7 @@
# Lynis
# ------------------
#
-# Copyright 2007-2015, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
+# Copyright 2007-2016, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
# Web site: https://cisofy.com
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
@@ -36,15 +36,15 @@
# Description : Check for installed tool (chkrootkit)
Register --test-no MALW-3275 --weight L --network NO --description "Check for chkrootkit"
if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: checking presence chkrootkit"
+ LogText "Test: checking presence chkrootkit"
if [ ! "${CHKROOTKITBINARY}" = "" ]; then
Display --indent 2 --text "- Checking chkrootkit" --result "FOUND" --color GREEN
- logtext "Result: Found ${CHKROOTKITBINARY}"
+ LogText "Result: Found ${CHKROOTKITBINARY}"
MALWARE_SCANNER_INSTALLED=1
AddHP 2 2
- report "malware_scanner[]=chkrootkit"
+ Report "malware_scanner[]=chkrootkit"
else
- logtext "Result: chkrootkit not found"
+ LogText "Result: chkrootkit not found"
fi
fi
#
@@ -54,15 +54,15 @@
# Description : Check for installed tool (Rootkit Hunter)
Register --test-no MALW-3276 --weight L --network NO --description "Check for Rootkit Hunter"
if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: checking presence Rootkit Hunter"
+ LogText "Test: checking presence Rootkit Hunter"
if [ ! "${RKHUNTERBINARY}" = "" ]; then
Display --indent 2 --text "- Checking Rootkit Hunter" --result "FOUND" --color GREEN
- logtext "Result: Found ${RKHUNTERBINARY}"
+ LogText "Result: Found ${RKHUNTERBINARY}"
MALWARE_SCANNER_INSTALLED=1
AddHP 2 2
- report "malware_scanner[]=rkhunter"
+ Report "malware_scanner[]=rkhunter"
else
- logtext "Result: Rootkit Hunter not found"
+ LogText "Result: Rootkit Hunter not found"
fi
fi
#
@@ -72,15 +72,15 @@
# Description : Check for installed tool (Linux Malware Detect or LMD)
Register --test-no MALW-3278 --weight L --network NO --description "Check for LMD"
if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: checking presence LMD"
+ LogText "Test: checking presence LMD"
if [ ! "${LMDBINARY}" = "" ]; then
Display --indent 2 --text "- Checking LMD (Linux Malware Detect)" --result "FOUND" --color GREEN
- logtext "Result: Found ${LMDBINARY}"
+ LogText "Result: Found ${LMDBINARY}"
MALWARE_SCANNER_INSTALLED=1
AddHP 2 2
- report "malware_scanner[]=lmd"
+ Report "malware_scanner[]=lmd"
else
- logtext "Result: LMD not found"
+ LogText "Result: LMD not found"
fi
fi
#
@@ -93,20 +93,20 @@
FOUND=0
# ESET security products
- logtext "Test: checking process esets_daemon"
+ LogText "Test: checking process esets_daemon"
IsRunning esets_daemon
if [ ${RUNNING} -eq 1 ]; then
FOUND=1
Display --indent 2 --text "- Checking ESET daemon" --result "FOUND" --color GREEN
- logtext "Result: found ESET security product"
+ LogText "Result: found ESET security product"
ESET_DAEMON_RUNNING=1
MALWARE_SCANNER_INSTALLED=1
AddHP 2 2
- report "malware_scanner[]=eset"
+ Report "malware_scanner[]=eset"
fi
# McAfee products
- logtext "Test: checking process cma or cmdagent (McAfee)"
+ LogText "Test: checking process cma or cmdagent (McAfee)"
# cma is too generic to match on, so we want to ensure that it is related to McAfee first
if [ -x /opt/McAfee/cma/bin/cma ]; then
IsRunning cma
@@ -118,20 +118,20 @@
if [ ${MCAFEE_SCANNER_RUNNING} -eq 1 ]; then
FOUND=1
Display --indent 2 --text "- Checking McAfee" --result "FOUND" --color GREEN
- logtext "Result: Found McAfee"
+ LogText "Result: Found McAfee"
MALWARE_SCANNER_INSTALLED=1
AddHP 2 2
- report "malware_scanner[]=mcafee"
+ Report "malware_scanner[]=mcafee"
fi
# Sophos savscand/SophosScanD
- logtext "Test: checking process savscand"
+ LogText "Test: checking process savscand"
IsRunning savscand
if [ ${RUNNING} -eq 1 ]; then
FOUND=1
SOPHOS_SCANNER_RUNNING=1
fi
- logtext "Test: checking process SophosScanD"
+ LogText "Test: checking process SophosScanD"
IsRunning SophosScanD
if [ ${RUNNING} -eq 1 ]; then
FOUND=1
@@ -139,13 +139,13 @@
fi
if [ ${SOPHOS_SCANNER_RUNNING} -eq 1 ]; then
Display --indent 2 --text "- Checking Sophos" --result "FOUND" --color GREEN
- logtext "Result: Found Sophos"
+ LogText "Result: Found Sophos"
MALWARE_SCANNER_INSTALLED=1
AddHP 2 2
- report "malware_scanner[]=sophos"
+ Report "malware_scanner[]=sophos"
fi
if [ ${FOUND} -eq 0 ]; then
- logtext "Result: no commercial anti-virus tools found"
+ LogText "Result: no commercial anti-virus tools found"
AddHP 0 3
fi
fi
@@ -156,15 +156,15 @@
# Description : Check if clamscan is installed
Register --test-no MALW-3282 --weight L --network NO --description "Check for clamscan"
if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: checking presence clamscan"
+ LogText "Test: checking presence clamscan"
if [ ! "${CLAMSCANBINARY}" = "" ]; then
Display --indent 2 --text "- Checking ClamAV scanner" --result "FOUND" --color GREEN
- logtext "Result: Found ${CLAMSCANBINARY}"
+ LogText "Result: Found ${CLAMSCANBINARY}"
MALWARE_SCANNER_INSTALLED=1
CLAMSCAN_INSTALLED=1
AddHP 2 2
else
- logtext "Result: clamscan couldn't be found"
+ LogText "Result: clamscan couldn't be found"
fi
fi
#
@@ -174,15 +174,15 @@
# Description : Check running clamd process
Register --test-no MALW-3284 --weight L --network NO --description "Check for clamd"
if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: checking running ClamAV daemon (clamd)"
+ LogText "Test: checking running ClamAV daemon (clamd)"
IsRunning clamd
if [ ${RUNNING} -eq 1 ]; then
Display --indent 2 --text "- Checking ClamAV daemon" --result "FOUND" --color GREEN
- logtext "Result: found running clamd process"
+ LogText "Result: found running clamd process"
MALWARE_SCANNER_INSTALLED=1
CLAMD_RUNNING=1
else
- logtext "Result: clamd not running"
+ LogText "Result: clamd not running"
fi
fi
#
@@ -193,16 +193,16 @@
if [ ${CLAMD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no MALW-3286 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check for freshclam"
if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: checking running freshclam daemon"
+ LogText "Test: checking running freshclam daemon"
IsRunning freshclam
if [ ${RUNNING} -eq 1 ]; then
FRESHCLAM_DAEMON_RUNNING=1
Display --indent 4 --text "- Checking freshclam" --result "FOUND" --color GREEN
- logtext "Result: found running freshclam process"
+ LogText "Result: found running freshclam process"
AddHP 2 2
else
Display --indent 4 --text "- Checking freshclam" --result "SUGGESTION" --color YELLOW
- logtext "Result: freshclam is not running"
+ LogText "Result: freshclam is not running"
ReportSuggestion ${TEST_NO} "Confirm that freshclam is properly configured and keeps updating the ClamAV database"
fi
fi
@@ -216,13 +216,13 @@
if [ ${SKIPTEST} -eq 0 ]; then
CLAMSCANBINARY=`ls /Applications/ClamXav.app/Contents/Resources/ScanningEngine/bin/ 2> /dev/null | grep 'clamscan'`
if [ ! "${CLAMSCANBINARY}" = "" ]; then
- logtext "Result: Found ClamXav clamscan installed"
+ LogText "Result: Found ClamXav clamscan installed"
Display --indent 2 --text "- Checking presence of ClamXav AV scanner" --result "FOUND" --color GREEN
MALWARE_SCANNER_INSTALLED=1
CLAMSCAN_INSTALLED=1
AddHP 3 3
else
- logtext "Result: ClamXav malware scanner not found"
+ LogText "Result: ClamXav malware scanner not found"
AddHP 0 3
fi
fi
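Review bot: the ClamXav detection in this hunk assigns CLAMSCANBINARY from "ls /Applications/ClamXav.app/Contents/Resources/ScanningEngine/bin/ 2> /dev/null | grep 'clamscan'", which yields only the bare file name printed by ls, not an absolute path, so anything that later executes ${CLAMSCANBINARY} or tests it with -x (as MALW-3282 expects a full path) will not find it. A direct test is simpler and gives the right value: if [ -x /Applications/ClamXav.app/Contents/Resources/ScanningEngine/bin/clamscan ]; then CLAMSCANBINARY=/Applications/ClamXav.app/Contents/Resources/ScanningEngine/bin/clamscan; fi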
@@ -231,17 +231,17 @@
#
# Check if we found any of the ClamAV components
if [ ${CLAMSCAN_INSTALLED} -eq 1 -o ${CLAMD_RUNNING} -eq 1 -o ${FRESHCLAM_DAEMON_RUNNING} -eq 1 ]; then
- report "malware_scanner[]=clamav"
+ Report "malware_scanner[]=clamav"
fi
#
#################################################################################
#
-report "malware_scanner_installed=${MALWARE_SCANNER_INSTALLED}"
+Report "malware_scanner_installed=${MALWARE_SCANNER_INSTALLED}"
wait_for_keypress
#
#================================================================================
-# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com
+# Lynis - Copyright 2007-2016, Michael Boelen, CISOfy - https://cisofy.com
diff --git a/include/tests_memory_processes b/include/tests_memory_processes
index ef48c4ef..b4bda314 100644
--- a/include/tests_memory_processes
+++ b/include/tests_memory_processes
@@ -5,7 +5,7 @@
# Lynis
# ------------------
#
-# Copyright 2007-2015, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
+# Copyright 2007-2016, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
# Web site: https://cisofy.com
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
@@ -27,16 +27,16 @@
Register --test-no PROC-3602 --os Linux --weight L --network NO --description "Checking /proc/meminfo for memory details"
if [ ${SKIPTEST} -eq 0 ]; then
if [ -f /proc/meminfo ]; then
- logtext "Result: found /proc/meminfo"
+ LogText "Result: found /proc/meminfo"
Display --indent 2 --text "- Checking /proc/meminfo" --result FOUND --color GREEN
FIND=`awk '/^MemTotal/ { print $2, $3 }' /proc/meminfo`
MEMORY_SIZE=`echo ${FIND} | awk '{ print $1 }'`
MEMORY_UNITS=`echo ${FIND} | awk '{ print $2 }'`
- logtext "Result: Found ${MEMORY_SIZE} ${MEMORY_UNITS} memory"
- report "memory_size=${MEMORY_SIZE}"
- report "memory_units=${MEMORY_UNITS}"
+ LogText "Result: Found ${MEMORY_SIZE} ${MEMORY_UNITS} memory"
+ Report "memory_size=${MEMORY_SIZE}"
+ Report "memory_units=${MEMORY_UNITS}"
else
- logtext "Result: /proc/meminfo file not found on this system"
+ LogText "Result: /proc/meminfo file not found on this system"
fi
fi
#
@@ -46,17 +46,17 @@
# Description : Query /proc/meminfo
Register --test-no PROC-3604 --os Solaris --weight L --network NO --description "Query prtconf for memory details"
if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: Searching /usr/sbin/prtconf"
+ LogText "Test: Searching /usr/sbin/prtconf"
if [ -x /usr/sbin/prtconf ]; then
Display --indent 2 --text "- Querying prtconf for installed memory" --result DONE --color GREEN
MEMORY_SIZE=`/usr/sbin/prtconf | grep "^Memory size:" | cut -d ' ' -f3`
MEMORY_UNITS=`/usr/sbin/prtconf | grep "^Memory size:" | cut -d ' ' -f4`
- logtext "Result: Found ${MEMORY_SIZE} ${MEMORY_UNITS} memory"
- report "memory_size=${MEMORY_SIZE}"
- report "memory_units=${MEMORY_UNITS}"
+ LogText "Result: Found ${MEMORY_SIZE} ${MEMORY_UNITS} memory"
+ Report "memory_size=${MEMORY_SIZE}"
+ Report "memory_units=${MEMORY_UNITS}"
else
Display --indent 2 --text "- Querying prtconf for installed memory" --result SKIPPED --color WHITE
- logtext "Result: /usr/sbin/prtconf not found"
+ LogText "Result: /usr/sbin/prtconf not found"
fi
fi
#
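Review bot: the header comment "# Description : Query /proc/meminfo" above PROC-3604 is a copy of the Linux test's description, but this test is registered --os Solaris and reads /usr/sbin/prtconf; change it to "Query prtconf for memory details" so it matches the Register line. While touching it, prtconf is run twice for the two fields; a single awk '/^Memory size:/ { print $3, $4 }' call, split afterwards like PROC-3602 does, avoids the second invocation.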
@@ -74,11 +74,11 @@
FIND=`${PSBINARY} x -o pid,wchan,stat,comm | awk '{ if ($3 ~ /Z|X/) print $1 }' | xargs`
fi
if [ "${FIND}" = "" ]; then
- logtext "Result: no zombie processes found"
+ LogText "Result: no zombie processes found"
Display --indent 2 --text "- Searching for dead/zombie processes" --result OK --color GREEN
else
- logtext "Result: found one or more dead or zombie processes"
- logtext "Output: PIDs ${FIND}"
+ LogText "Result: found one or more dead or zombie processes"
+ LogText "Output: PIDs ${FIND}"
Display --indent 2 --text "- Searching for dead/zombie processes" --result WARNING --color RED
ReportSuggestion ${TEST_NO} "Check the output of ps for dead or zombie processes"
fi
@@ -98,12 +98,12 @@
FIND=`${PSBINARY} x -o pid,wchan,stat,comm | awk '{ if ($3=="D") print $1 }' | xargs`
fi
if [ "${FIND}" = "" ]; then
- logtext "Result: No processes were waiting for IO requests to be handled first"
+ LogText "Result: No processes were waiting for IO requests to be handled first"
Display --indent 2 --text "- Searching for IO waiting processes" --result OK --color GREEN
else
- logtext "Result: found one or more processes which were waiting to get IO requests handled first"
- logtext "More info: processes which show up with the status flag 'D' are often stuck, until a disk IO event finished. This can happen for example with network storage, where the connection or protocol settings are not logtext well configured."
- logtext "Output: PIDs ${FIND}"
+ LogText "Result: found one or more processes which were waiting to get IO requests handled first"
+ LogText "More info: processes which show up with the status flag 'D' are often stuck, until a disk IO event finished. This can happen for example with network storage, where the connection or protocol settings are not logtext well configured."
+ LogText "Output: PIDs ${FIND}"
Display --indent 2 --text "- Searching for IO waiting processes" --result WARNING --color RED
ReportSuggestion ${TEST_NO} "Check process listing for processes waiting for IO requests"
fi
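Review bot: the rename missed an occurrence that sits inside a string: the new LogText "More info: ..." line in this hunk still reads "where the connection or protocol settings are not logtext well configured". The stray word "logtext" is a leftover and should be dropped so the message reads "are not well configured".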
@@ -116,4 +116,4 @@ wait_for_keypress
#
#================================================================================
-# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com
+# Lynis - Copyright 2007-2016, Michael Boelen, CISOfy - https://cisofy.com
diff --git a/include/tests_nameservices b/include/tests_nameservices
index 14fac534..7f807618 100644
--- a/include/tests_nameservices
+++ b/include/tests_nameservices
@@ -5,7 +5,7 @@
# Lynis
# ------------------
#
-# Copyright 2007-2015, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
+# Copyright 2007-2016, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
# Web site: https://cisofy.com
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
@@ -39,17 +39,17 @@
# Description : Check main domain (domain <domain name> in /etc/resolv.conf)
Register --test-no NAME-4016 --weight L --network NO --description "Check /etc/resolv.conf default domain"
if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: check /etc/resolv.conf for default domain"
+ LogText "Test: check /etc/resolv.conf for default domain"
if [ -f /etc/resolv.conf ]; then
- logtext "Result: /etc/resolv.conf found"
+ LogText "Result: /etc/resolv.conf found"
FIND=`awk '/^domain/ { print $2 }' /etc/resolv.conf`
if [ "${FIND}" = "" ]; then
- logtext "Result: no default domain found"
+ LogText "Result: no default domain found"
Display --indent 2 --text "- Checking default DNS search domain" --result NONE --color WHITE
else
- logtext "Result: found default domain"
- logtext "Output: ${FIND}"
- report "resolv_conf_domain=${FIND}"
+ LogText "Result: found default domain"
+ LogText "Output: ${FIND}"
+ Report "resolv_conf_domain=${FIND}"
Display --indent 2 --text "- Checking default DNS search domain" --result FOUND --color GREEN
RESOLV_DOMAINNAME="${FIND}"
fi
@@ -64,41 +64,41 @@
Register --test-no NAME-4018 --weight L --network NO --description "Check /etc/resolv.conf search domains"
if [ ${SKIPTEST} -eq 0 ]; then
N=0
- logtext "Test: check /etc/resolv.conf for search domains"
+ LogText "Test: check /etc/resolv.conf for search domains"
if [ -f /etc/resolv.conf ]; then
- logtext "Result: /etc/resolv.conf found"
+ LogText "Result: /etc/resolv.conf found"
FIND=`awk '/^search/ { print $2 }' /etc/resolv.conf`
if [ "${FIND}" = "" ]; then
- logtext "Result: no search domains found, default domain is being used"
+ LogText "Result: no search domains found, default domain is being used"
else
for I in ${FIND}; do
- logtext "Found search domain: ${I}"
- report "resolv_conf_search_domain[]=${I}"
+ LogText "Found search domain: ${I}"
+ Report "resolv_conf_search_domain[]=${I}"
N=`expr ${N} + 1`
done
# Warn if we have more than 6 search domains, which is maximum in most resolvers
if [ ${N} -gt 6 ]; then
- logtext "Result: Found ${N} search domains"
+ LogText "Result: Found ${N} search domains"
Display --indent 2 --text "- Checking search domains" --result WARNING --color YELLOW
ReportWarning ${TEST_NO} "L" "Found more than 6 search domains, which is usually more than the maximum allowed number in most resolvers"
else
- logtext "Result: Found ${N} search domains"
+ LogText "Result: Found ${N} search domains"
Display --indent 2 --text "- Checking search domains" --result FOUND --color GREEN
fi
fi
else
- logtext "Result: /etc/resolv.conf does not exist, skipping test"
+ LogText "Result: /etc/resolv.conf does not exist, skipping test"
Display --indent 2 --text "- Checking search domains" --result "NOT FOUND" --color YELLOW
fi
# Check amount of search domains (max 1)
FIND=`grep -c "^search" /etc/resolv.conf`
if [ ! "${FIND}" = "0" -a ! "${FIND}" = "1" ]; then
- logtext "Result: found ${FIND} line(s) with a search statement (expecting less than 2 lines)"
+ LogText "Result: found ${FIND} line(s) with a search statement (expecting less than 2 lines)"
Display --indent 4 --text "- Checking search domains lines" --result "CONFIG ERROR" --color YELLOW
ReportWarning ${TEST_NO} "L" "Found more than 1 search lines in /etc/resolv.conf, which is probably a misconfiguration"
else
- logtext "Result: found ${FIND} line(s) with a search statement (expecting less than 2 lines)"
+ LogText "Result: found ${FIND} line(s) with a search statement (expecting less than 2 lines)"
fi
fi
#
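Review bot: in NAME-4018, FIND=`awk '/^search/ { print $2 }' /etc/resolv.conf` captures only the first domain on each search line, so N counts search lines rather than search domains and the "more than 6 search domains" warning can never fire on a valid single-line configuration such as "search a.example b.example c.example". Print every field after the keyword instead, e.g. awk '/^search/ { for (i = 2; i <= NF; i++) print $i }'. Separately, the trailing FIND=`grep -c "^search" /etc/resolv.conf` runs outside the "if [ -f /etc/resolv.conf ]" guard, so on a host without the file the test logs "skipping test" and then greps a missing file; move that block inside the guard.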
@@ -108,24 +108,24 @@
# Description : Check non default resolv.conf options
Register --test-no NAME-4020 --weight L --network NO --description "Check non default options"
if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: check /etc/resolv.conf for non default options"
+ LogText "Test: check /etc/resolv.conf for non default options"
if [ -f /etc/resolv.conf ]; then
- logtext "Result: /etc/resolv.conf found"
+ LogText "Result: /etc/resolv.conf found"
FIND=`grep "^options" /etc/resolv.conf | awk '{ print $2 }'`
if [ "${FIND}" = "" ]; then
- logtext "Result: no specific other options configured in /etc/resolv.conf"
+ LogText "Result: no specific other options configured in /etc/resolv.conf"
Display --indent 2 --text "- Checking /etc/resolv.conf options" --result "NONE" --color WHITE
else
for I in ${FIND}; do
- logtext "Found option: ${I}"
- report "resolv_conf_option[]=${I}"
+ LogText "Found option: ${I}"
+ Report "resolv_conf_option[]=${I}"
#rotate --> add performance tune point
#timeout <3 --> add performe tune point
done
Display --indent 2 --text "- Checking /etc/resolv.conf options" --result "FOUND" --color GREEN
fi
else
- logtext "Result: /etc/resolv.conf not found, test skipped"
+ LogText "Result: /etc/resolv.conf not found, test skipped"
Display --indent 2 --text "- Checking /etc/resolv.conf options" --result "NOT FOUND" --color YELLOW
fi
fi
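Review bot: grep "^options" /etc/resolv.conf | awk '{ print $2 }' in NAME-4020 returns only the first option of each options line, so "options rotate timeout:1 attempts:2" is reported as just "rotate" and the resolv_conf_option[] entries in the report are incomplete. Use the same "print every field from $2 onward" awk form that the search-domain test needs, so all options are logged and reported.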
@@ -137,7 +137,7 @@
Register --test-no NAME-4024 --os Solaris --weight L --network NO --description "Solaris uname -n output"
if [ ${SKIPTEST} -eq 0 ]; then
FIND=`uname -n`
- logtext "Result: 'uname -n' returned ${FIND}"
+ LogText "Result: 'uname -n' returned ${FIND}"
Display --indent 2 --text "- Checking uname -n output" --result DONE --color GREEN
fi
#
@@ -148,14 +148,14 @@
# Notes : If a system is standalone, /etc/nodename should contain a system name only, not FQDN
Register --test-no NAME-4026 --os Solaris --weight L --network NO --description "Check /etc/nodename"
if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: checking /etc/nodename"
+ LogText "Test: checking /etc/nodename"
if [ -f /etc/nodename ]; then
- logtext "Result: file /etc/nodename exists"
+ LogText "Result: file /etc/nodename exists"
FIND=`cat /etc/nodename`
- logtext "Output: ${FIND}"
+ LogText "Output: ${FIND}"
Display --indent 2 --text "- Checking /etc/nodename" --result "DONE" --color GREEN
else
- logtext "Result: file /etc/nodename could not be found"
+ LogText "Result: file /etc/nodename could not be found"
Display --indent 2 --text "- Checking /etc/nodename" --result "NONE FOUND" --color YELLOW
fi
fi
@@ -169,49 +169,49 @@
if [ ${SKIPTEST} -eq 0 ]; then
DOMAINNAME=""
# NIS
- #logtext "Test: Checking file /etc/domainname"
+ #LogText "Test: Checking file /etc/domainname"
#if [ -f /etc/domainname ]; then
- # logtext "Result: file /etc/domainname exists"
+ # LogText "Result: file /etc/domainname exists"
# FIND2=`cat /etc/domainname`
# if [ ! "${FIND}" = "" ]; then
- # logtext "Found domain name: ${FIND}"
+ # LogText "Found domain name: ${FIND}"
# DOMAINNAME="${FIND}"
# else
- # logtext "Result: no domain name found in file"
+ # LogText "Result: no domain name found in file"
# fi
# else
- # logtext "Result: file /etc/domainname does not exist"
+ # LogText "Result: file /etc/domainname does not exist"
#fi
- logtext "Test: Checking if dnsdomainname command is available"
+ LogText "Test: Checking if dnsdomainname command is available"
if [ ! "${DNSDOMAINNAMEBINARY}" = "" ]; then
FIND2=`${DNSDOMAINNAMEBINARY} 2> /dev/null`
if [ ! "${FIND2}" = "" ]; then
- logtext "Result: dnsdomainname command returned a value"
- logtext "Found domain name: ${FIND2}"
+ LogText "Result: dnsdomainname command returned a value"
+ LogText "Found domain name: ${FIND2}"
DOMAINNAME="${FIND2}"
else
- logtext "Result: dnsdomainname command returned no value"
+ LogText "Result: dnsdomainname command returned no value"
fi
else
- logtext "Result: dnsdomainname binary not found, skip specific test"
+ LogText "Result: dnsdomainname binary not found, skip specific test"
fi
# If files and commands can't be found, use defined value from resolv.conf
if [ "${DOMAINNAME}" = "" ]; then
if [ ! "${RESOLV_DOMAINNAME}" = "" ]; then
- logtext "Result: using domain name from /etc/resolv.conf"
+ LogText "Result: using domain name from /etc/resolv.conf"
DOMAINNAME=${RESOLV_DOMAINNAME}
else
- logtext "Result: using domain name from FQDN hostname"
+ LogText "Result: using domain name from FQDN hostname"
#DOMAINNAME=${FQDN#${HOSTNAME}.}
DOMAINNAME=`echo ${FQDN} | cut -d . -f2-`
fi
fi
if [ ! "${DOMAINNAME}" = "" ]; then
- logtext "Result: found domain name"
- report "domainname=${DOMAINNAME}"
+ LogText "Result: found domain name"
+ Report "domainname=${DOMAINNAME}"
Display --indent 2 --text "- Searching DNS domain name" --result "FOUND" --color GREEN
Display --indent 6 --text "Domain name: ${DOMAINNAME}"
else
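Review bot: the fallback DOMAINNAME=`echo ${FQDN} | cut -d . -f2-` at the end of this hunk returns the whole string when ${FQDN} contains no dot (cut prints delimiter-less lines unchanged unless -s is given), so on a host whose FQDN is just a short name the hostname itself ends up in the report as domainname=. Add -s to the cut call, or check that ${FQDN} contains a dot before deriving the domain. The commented-out /etc/domainname block above it also reads into FIND2 but tests ${FIND}; either fix it or remove the dead code rather than renaming calls inside it.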
@@ -226,14 +226,14 @@
# Description : Check name service caching daemon (NSCD) status
Register --test-no NAME-4032 --weight L --network NO --description "Check nscd status"
if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: checking nscd status"
+ LogText "Test: checking nscd status"
IsRunning nscd
if [ ${RUNNING} -eq 1 ]; then
NAME_CACHE_USED=1
- logtext "Result: nscd is running"
+ LogText "Result: nscd is running"
Display --indent 2 --text "- Checking nscd status" --result RUNNING --color GREEN
else
- logtext "Result: nscd is not running"
+ LogText "Result: nscd is not running"
Display --indent 2 --text "- Checking nscd status" --result "NOT FOUND" --color WHITE
fi
fi
@@ -244,15 +244,15 @@
# Description : Check name service caching daemon (Unbound) status
Register --test-no NAME-4034 --weight L --network NO --description "Check Unbound status"
if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: checking Unbound (unbound) status"
+ LogText "Test: checking Unbound (unbound) status"
IsRunning unbound
if [ ${RUNNING} -eq 1 ]; then
UNBOUND_RUNNING=1
NAME_CACHE_USED=1
- logtext "Result: Unbound daemon is running"
+ LogText "Result: Unbound daemon is running"
Display --indent 2 --text "- Checking Unbound status" --result RUNNING --color GREEN
else
- logtext "Result: Unbound daemon is not running"
+ LogText "Result: Unbound daemon is not running"
Display --indent 2 --text "- Checking Unbound status" --result "NOT FOUND" --color WHITE
fi
fi
@@ -266,20 +266,20 @@
if [ ${SKIPTEST} -eq 0 ]; then
FIND=`which unbound-checkconf`
if [ ! "${FIND}" = "" ]; then
- logtext "Test: running unbound-checkconf"
+ LogText "Test: running unbound-checkconf"
# Don't capture any output, just gather exit code (0 is fine, otherwise bad)
FIND=`unbound-checkconf > /dev/null 2>&1`
if [ $? -eq 0 ]; then
UNBOUND_CONFIG_OK=1
- logtext "Result: Configuration is fine"
+ LogText "Result: Configuration is fine"
Display --indent 2 --text "- Checking configuration file" --result OK --color GREEN
else
- logtext "Result: Unbound daemon is not running"
+ LogText "Result: Unbound daemon is not running"
Display --indent 2 --text "- Checking configuration file" --result "NOT OK" --color YELLOW
ReportWarning "${TEST_NO}" "L" "Found Unbound configuration file issues (run unbound-checkconf)"
fi
else
- logtext "Result: skipped, can't find unbound-checkconf utility"
+ LogText "Result: skipped, can't find unbound-checkconf utility"
fi
fi
#
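Review bot: the failure branch of the unbound-checkconf test logs "Result: Unbound daemon is not running", which is copied from NAME-4034 and does not describe what happened here; change it to something like "Result: unbound-checkconf reported configuration errors" so the log matches the warning that follows. In the same hunk, FIND=`which unbound-checkconf` bypasses the *BINARY discovery variables used elsewhere in this file, and on some platforms which prints a "no unbound-checkconf in ..." message to stdout, making ${FIND} non-empty when the tool is absent; a UNBOUNDCHECKCONFBINARY variable set by the binary scan would be consistent with NAMEDCHECKCONFBINARY below.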
@@ -289,14 +289,14 @@
# Description : Check if BIND is running
Register --test-no NAME-4202 --weight L --network NO --description "Check BIND status"
if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: Checking for running BIND instance"
+ LogText "Test: Checking for running BIND instance"
IsRunning named
if [ ${RUNNING} -eq 1 ]; then
- logtext "Result: found BIND process"
+ LogText "Result: found BIND process"
Display --indent 2 --text "- Checking BIND status" --result "FOUND" --color GREEN
BIND_RUNNING=1
else
- logtext "Result: BIND not running"
+ LogText "Result: BIND not running"
Display --indent 2 --text "- Checking BIND status" --result "NOT FOUND" --color WHITE
fi
fi
@@ -308,11 +308,11 @@
if [ ${BIND_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no NAME-4204 --preqs-met ${PREQS_MET} --weight L --network NO --description "Search BIND configuration file"
if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: Search BIND configuration file"
+ LogText "Test: Search BIND configuration file"
for I in ${BIND_CONFIG_LOCS}; do
if [ -f ${I}/named.conf ]; then
BIND_CONFIG_LOCATION="${I}/named.conf"
- logtext "Result: found configuration file (${BIND_CONFIG_LOCATION})"
+ LogText "Result: found configuration file (${BIND_CONFIG_LOCATION})"
fi
done
if [ ! "${BIND_CONFIG_LOCATION}" = "" ]; then
@@ -329,20 +329,20 @@
if [ ${BIND_RUNNING} -eq 1 -a ! "${BIND_CONFIG_LOCATION}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no NAME-4206 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check BIND configuration consistency"
if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: searching for named-checkconf binary"
+ LogText "Test: searching for named-checkconf binary"
if [ ! "${NAMEDCHECKCONFBINARY}" = "" ]; then
- logtext "Result: named-checkconf is installed"
+ LogText "Result: named-checkconf is installed"
FIND=`${NAMEDCHECKCONFBINARY} ${BIND_CONFIG_LOCATION}; echo $?`
if [ "${FIND}" = "0" ]; then
- logtext "Result: configuration file ${BIND_CONFIG_LOCATION} seems to be fine"
+ LogText "Result: configuration file ${BIND_CONFIG_LOCATION} seems to be fine"
Display --indent 4 --text "- Checking BIND configuration consistency" --result "OK" --color GREEN
else
- logtext "Result: possible errors found in ${BIND_CONFIG_LOCATION}"
+ LogText "Result: possible errors found in ${BIND_CONFIG_LOCATION}"
Display --indent 4 --text "- Checking BIND configuration consistency" --result WARNING --color RED
ReportWarning ${TEST_NO} "Errors discovered in BIND configuration file"
fi
else
- logtext "Result: named-checkconf not found, skipping test"
+ LogText "Result: named-checkconf not found, skipping test"
fi
fi
#
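Review bot: ReportWarning ${TEST_NO} "Errors discovered in BIND configuration file" in this hunk omits the severity argument that every other ReportWarning call in the file passes (compare ReportWarning "${TEST_NO}" "L" "Found Unbound configuration file issues (run unbound-checkconf)"), so the message text lands in the severity slot; add "M" or "L" before the text. Also, FIND=`${NAMEDCHECKCONFBINARY} ${BIND_CONFIG_LOCATION}; echo $?` mixes anything named-checkconf writes to stdout into ${FIND}, which would then fail the = "0" comparison even for a clean configuration; redirect the command's output to /dev/null and test $? directly, as the Unbound test does.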
@@ -360,14 +360,14 @@
if [ ${BIND_RUNNING} -eq 1 -a ! "${BIND_CONFIG_LOCATION}" = "" -a ! "${DIGBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no NAME-4210 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check DNS banner"
if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: Trying to determine version from banner"
+ LogText "Test: Trying to determine version from banner"
FIND=`${DIGBINARY} @localhost version.bind chaos txt | grep "^version.bind" | grep TXT | egrep "[0-9].[0-9].[0-9]*"`
if [ "${FIND}" = "" ]; then
- logtext "Result: no useful information in banner found"
+ LogText "Result: no useful information in banner found"
Display --indent 4 --text "- Checking BIND version in banner" --result "OK" --color GREEN
AddHP 2 2
else
- logtext "Result: possible BIND version available in version banner"
+ LogText "Result: possible BIND version available in version banner"
Display --indent 4 --text "- Checking BIND version in banner" --result WARNING --color RED
ReportWarning ${TEST_NO} "M" "Found BIND version in banner"
ReportSuggestion ${TEST_NO} "The version in BIND can be masked by defining 'version none' in the configuration file"
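Review bot: the banner pattern egrep "[0-9].[0-9].[0-9]*" in NAME-4210 uses unescaped dots, which match any character, so the version check is looser than intended; escape them ("[0-9]\.[0-9]\.[0-9]*") or match "[0-9]+\.[0-9]+". The test is also registered --network NO yet sends a CHAOS TXT query with dig @localhost; if named is bound only to a non-loopback address the query retries until dig's timeout and the audit stalls, so either pass a short +time=/+tries= to dig or register the test as one that uses the network.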
@@ -402,14 +402,14 @@
# Description : Check if PowerDNS is running
Register --test-no NAME-4230 --weight L --network NO --description "Check PowerDNS status"
if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: Checking for running PowerDNS instance"
+ LogText "Test: Checking for running PowerDNS instance"
IsRunning pdns_server
if [ ${RUNNING} -eq 1 ]; then
- logtext "Result: found PowerDNS process"
+ LogText "Result: found PowerDNS process"
Display --indent 2 --text "- Checking PowerDNS status" --result "RUNNING" --color GREEN
POWERDNS_RUNNING=1
else
- logtext "Result: PowerDNS not running"
+ LogText "Result: PowerDNS not running"
Display --indent 2 --text "- Checking PowerDNS status" --result "NOT FOUND" --color WHITE
fi
fi
@@ -421,11 +421,11 @@
if [ ${POWERDNS_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no NAME-4232 --preqs-met ${PREQS_MET} --weight L --network NO --description "Search PowerDNS configuration file"
if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: Search PowerDNS configuration file"
+ LogText "Test: Search PowerDNS configuration file"
for I in ${POWERDNS_CONFIG_LOCS}; do
if [ -f ${I}/pdns.conf ]; then
POWERDNS_AUTH_CONFIG_LOCATION="${I}/pdns.conf"
- logtext "Result: found configuration file (${POWERDNS_AUTH_CONFIG_LOCATION})"
+ LogText "Result: found configuration file (${POWERDNS_AUTH_CONFIG_LOCATION})"
fi
done
if [ ! "${POWERDNS_AUTH_CONFIG_LOCATION}" = "" ]; then
@@ -451,15 +451,15 @@
if [ ${POWERDNS_RUNNING} -eq 1 -a ! "${POWERDNS_AUTH_CONFIG_LOCATION}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no NAME-4236 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check PowerDNS backends"
if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: Checking for PowerDNS backends"
+ LogText "Test: Checking for PowerDNS backends"
FIND=`awk -F= '/^launch/ { print $2 }' ${POWERDNS_AUTH_CONFIG_LOCATION}`
if [ ! "${FIND}" = "" ]; then
for I in ${FIND}; do
- logtext "Found backend: ${I}"
+ LogText "Found backend: ${I}"
done
Display --indent 4 --text "- Checking PowerDNS backends" --result "FOUND" --color GREEN
else
- logtext "Result: no PowerDNS backends found"
+ LogText "Result: no PowerDNS backends found"
Display --indent 4 --text "- Checking PowerDNS backends" --result "NOT FOUND" --color YELLOW
fi
fi
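Review bot: awk -F= '/^launch/ { print $2 }' followed by "for I in ${FIND}" splits on whitespace only, but PowerDNS lists multiple backends comma-separated (launch=gmysql,bind), so such a configuration is logged as a single backend named "gmysql,bind". Translate commas to spaces before iterating (pipe through tr ',' ' ') so each backend is logged on its own.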
@@ -471,24 +471,24 @@
if [ ${POWERDNS_RUNNING} -eq 1 -a ! "${POWERDNS_AUTH_CONFIG_LOCATION}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no NAME-4238 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check PowerDNS authoritive status"
if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: Checking for PowerDNS master status"
+ LogText "Test: Checking for PowerDNS master status"
FIND=`grep "^master=yes" ${POWERDNS_AUTH_CONFIG_LOCATION}`
if [ ! "${FIND}" = "" ]; then
- logtext "Found master=yes in configuration file"
+ LogText "Found master=yes in configuration file"
Display --indent 4 --text "- PowerDNS authoritive master: YES"
POWERDNS_AUTH_MASTER=1
else
- logtext "Result: most likely not master (no master=yes)"
+ LogText "Result: most likely not master (no master=yes)"
Display --indent 4 --text "- PowerDNS authoritive master: NO"
fi
- logtext "Test: Checking for PowerDNS slave status"
+ LogText "Test: Checking for PowerDNS slave status"
FIND=`grep "^slave=yes" ${POWERDNS_AUTH_CONFIG_LOCATION}`
if [ ! "${FIND}" = "" ]; then
- logtext "Found slave=yes in configuration file"
+ LogText "Found slave=yes in configuration file"
Display --indent 4 --text "- PowerDNS authoritive slave: YES"
POWERDNS_AUTH_SLAVE=1
else
- logtext "Result: most likely not slave (no slave=yes)"
+ LogText "Result: most likely not slave (no slave=yes)"
Display --indent 4 --text "- PowerDNS authoritive slave: NO"
fi
fi
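Review bot: "authoritive" in the Register description and in both Display lines of this hunk should read "authoritative"; these strings are shown on screen and searched in reports, so the spelling is worth fixing in the same cleanup pass that renames the logging calls.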
@@ -499,21 +499,21 @@
# Description : Check NIS ypbind daemon status
Register --test-no NAME-4304 --weight L --network NO --description "Check NIS ypbind status"
if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: Checking status of ypbind daemon"
+ LogText "Test: Checking status of ypbind daemon"
IsRunning ypbind
if [ ${RUNNING} -eq 1 ]; then
- logtext "Result: ypbind is running"
+ LogText "Result: ypbind is running"
Display --indent 2 --text "- Checking ypbind status" --result "FOUND" --color GREEN
YPBIND_RUNNING=1
IsRunning ypldap
if [ ${RUNNING} -eq 1 ]; then
- logtext "Result: ypldap is running"
+ LogText "Result: ypldap is running"
Display --indent 2 --text "- Checking ypldap status" --result "FOUND" --color GREEN
else
ReportSuggestion "Disable the usage of NIS/NIS+ and use an alternative like LDAP or Kerberos instead"
fi
else
- logtext "Result: ypbind is not active"
+ LogText "Result: ypbind is not active"
Display --indent 2 --text "- Checking ypbind status" --result "NOT FOUND" --color WHITE
fi
fi
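Review bot: ReportSuggestion "Disable the usage of NIS/NIS+ and use an alternative like LDAP or Kerberos instead" in the ypldap-not-running branch omits the ${TEST_NO} argument that every other ReportSuggestion call passes (e.g. ReportSuggestion ${TEST_NO} "Confirm that freshclam is properly configured ..."), so the suggestion text is recorded as the test ID and the real text is lost; add ${TEST_NO} as the first argument.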
@@ -526,58 +526,58 @@
if [ ${YPBIND_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no NAME-4306 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check NIS domain"
if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: Checking `domainname` for NIS domain value"
+ LogText "Test: Checking `domainname` for NIS domain value"
FIND=`${DOMAINNAMEBINARY} | grep -v "(none)"`
if [ ! "${FIND}" = "" ]; then
- logtext "Value: ${FIND}"
+ LogText "Value: ${FIND}"
NISDOMAIN="${FIND}"
else
- logtext "Result: no NIS domain found in command output"
+ LogText "Result: no NIS domain found in command output"
fi
# Solaris / Linux style
- logtext "Test: Checking file /etc/defaultdomain"
+ LogText "Test: Checking file /etc/defaultdomain"
if [ -f /etc/defaultdomain ]; then
- logtext "Result: file /etc/defaultdomain exists"
+ LogText "Result: file /etc/defaultdomain exists"
FIND2=`cat /etc/defaultdomain`
if [ ! "${FIND2}" = "" ]; then
- logtext "Output: ${FIND2}"
+ LogText "Output: ${FIND2}"
NISDOMAIN="${FIND2}"
else
- logtext "Result: no NIS domain found in file"
+ LogText "Result: no NIS domain found in file"
fi
fi
# Red Hat style
- logtext "Test: checking /etc/sysconfig/network"
+ LogText "Test: checking /etc/sysconfig/network"
if [ -f /etc/sysconfig/network ]; then
- logtext "Result: file /etc/sysconfig/network exists"
- logtext "Test: checking NISDOMAIN value in file"
+ LogText "Result: file /etc/sysconfig/network exists"
+ LogText "Test: checking NISDOMAIN value in file"
FIND3=`grep "^NISDOMAIN" /etc/sysconfig/network | awk -F= '{ print $2 }' | sed 's/"//g'`
if [ ! "${FIND3}" = "" ]; then
- logtext "Found NIS domain: ${FIND3}"
+ LogText "Found NIS domain: ${FIND3}"
NISDOMAIN="${FIND3}"
else
- logtext "Result: No NIS domain found in file"
+ LogText "Result: No NIS domain found in file"
fi
else
- logtext "Result: file /etc/sysconfig/network does not exist"
+ LogText "Result: file /etc/sysconfig/network does not exist"
fi
if [ ! "${SYSCTLBINARY}" = "" ]; then
# Check sysctl (e.g. FreeBSD)
- logtext "Test: checking sysctl for kern.domainname"
+ LogText "Test: checking sysctl for kern.domainname"
FIND=`${SYSCTLBINARY} -a 2>&1 | grep "^kern.domainname" | awk -F: '{ print $2 }' | sed 's/ //g' | grep -v "^$"`
if [ ! "${FIND}" = "" ]; then
- logtext "Result: found NIS domain via sysctl"
+ LogText "Result: found NIS domain via sysctl"
NISDOMAIN="${FIND}"
fi
fi
# Check if we found any NIS domain
if [ ! "${NISDOMAIN}" = "" ]; then
- logtext "Found NIS domain: ${NISDOMAIN}"
- report "nisdomain=${NISDOMAIN}"
+ LogText "Found NIS domain: ${NISDOMAIN}"
+ Report "nisdomain=${NISDOMAIN}"
Display --indent 4 --text "- Checking NIS domain" --result "FOUND" --color GREEN
else
- logtext "Result: No NIS domain found"
+ LogText "Result: No NIS domain found"
Display --indent 4 --text "- Checking NIS domain" --result "UNKNOWN" --color YELLOW
fi
fi
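Review bot: the renamed line LogText "Test: Checking `domainname` for NIS domain value" still has unescaped backticks inside a double-quoted string, so the shell runs domainname as a command substitution while building the log message (and prints an error on hosts without the binary); quote the word differently, e.g. single quotes around domainname. The next line then calls ${DOMAINNAMEBINARY} without checking that it was found, unlike the ${SYSCTLBINARY} block further down in the same hunk; guard it the same way.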
@@ -592,20 +592,20 @@
# Description : Check /etc/hosts configuration
Register --test-no NAME-4402 --weight L --network NO --description "Check duplicate line in /etc/hosts"
if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: check duplicate line in /etc/hosts"
+ LogText "Test: check duplicate line in /etc/hosts"
if [ -f /etc/hosts ]; then
sFIND=`egrep -v '^(#|$)' /etc/hosts | awk '{ print $1, $2 }' | sort | uniq -d`
if [ "${sFIND}" = "" ]; then
- logtext "Result: OK, no duplicate lines found"
+ LogText "Result: OK, no duplicate lines found"
Display --indent 4 --text "- Checking /etc/hosts (duplicates)" --result OK --color GREEN
else
- logtext "Found duplicate line: ${sFIND}"
- logtext "Result: found duplicate line"
+ LogText "Found duplicate line: ${sFIND}"
+ LogText "Result: found duplicate line"
Display --indent 4 --text "- Checking /etc/hosts (duplicates)" --result SUGGESTION --color YELLOW
ReportSuggestion "${TEST_NO}" "Remove duplicate lines in /etc/hosts"
fi
else
- logtext "Result: /etc/hosts not found, test skipped"
+ LogText "Result: /etc/hosts not found, test skipped"
Display --indent 4 --text "Searching duplicate line" --result "SKIPPED" --color YELLOW
fi
fi
@@ -617,17 +617,17 @@
if [ ! "${HOSTNAME}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no NAME-4404 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check /etc/hosts contains an entry for this server name"
if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: Check /etc/hosts contains an entry for this server name"
+ LogText "Test: Check /etc/hosts contains an entry for this server name"
if [ -f /etc/hosts ]; then
sFIND=`egrep -v '^(#|$|^::1\s|localhost)' /etc/hosts | grep ${HOSTNAME}`
if [ "${sFIND}" != "" ]; then
- logtext "Result: Found entry for ${HOSTNAME} in /etc/hosts"
+ LogText "Result: Found entry for ${HOSTNAME} in /etc/hosts"
Display --indent 4 --text "- Checking /etc/hosts (hostname)" --result OK --color GREEN
else
- logtext "Result: No entry found for ${HOSTNAME} in /etc/hosts"
+ LogText "Result: No entry found for ${HOSTNAME} in /etc/hosts"
Display --indent 4 --text "- Checking /etc/hosts (hostname)" --result SUGGESTION --color YELLOW
ReportSuggestion ${TEST_NO} "Add the IP name and FQDN to /etc/hosts for proper name resolving"
- logtext "Risk: No entry for the server name [hostname] in /etc/hosts may cause unexpected performance problems for local connections"
+ LogText "Risk: No entry for the server name [hostname] in /etc/hosts may cause unexpected performance problems for local connections"
fi
fi
fi
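Review bot: `grep ${HOSTNAME}` on the sFIND line is an unquoted substring match (host "web" is satisfied by an entry for "webmail"), while the next test (NAME-4406) already uses `grep -w`; use `grep -w "${HOSTNAME}"` here as well. The exclusion pattern `'^(#|$|^::1\s|localhost)'` also anchors the `localhost` alternative to the start of the line, so a normal `127.0.0.1 localhost` line is not excluded as the comment intends; if loopback lines are meant to be skipped, match on the address (`^127\.`) or drop the anchor for that alternative.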
@@ -639,15 +639,15 @@
if [ ! "${HOSTNAME}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no NAME-4406 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check server hostname mapping"
if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: Check server hostname not locally mapped in /etc/hosts"
+ LogText "Test: Check server hostname not locally mapped in /etc/hosts"
sFIND=`egrep -v '^(#|$)' /etc/hosts | egrep '(localhost|^::1\s)' | grep -w ${HOSTNAME}`
if [ ! "${sFIND}" = "" ]; then
- logtext "Result: Found this server hostname mapped to a local address"
+ LogText "Result: Found this server hostname mapped to a local address"
Display --indent 4 --text "- Checking /etc/hosts (localhost)" --result SUGGESTION --color YELLOW
- logtext "Information: Linking the hostname to the localhost entry may break some resolving. Split resolving so that localhost resolves back to 127.0.0.1 (and ::1) and the hostname of the machine to the real IP address on the network interface."
+ LogText "Information: Linking the hostname to the localhost entry may break some resolving. Split resolving so that localhost resolves back to 127.0.0.1 (and ::1) and the hostname of the machine to the real IP address on the network interface."
ReportSuggestion ${TEST_NO} "Split resolving between localhost and the hostname of the system"
else
- logtext "Result: this server hostname is not mapped to a local address"
+ LogText "Result: this server hostname is not mapped to a local address"
Display --indent 4 --text "- Checking /etc/hosts (localhost)" --result OK --color GREEN
fi
fi
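Review bot: This test runs `egrep -v '^(#|$)' /etc/hosts` without the `if [ -f /etc/hosts ]` guard that NAME-4402 and NAME-4404 have, so on a host without the file it prints an egrep error and then reports OK because sFIND is empty; wrap it in the same existence check (or add it as a `--preqs-met` condition) and log a SKIPPED result otherwise.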
@@ -660,4 +660,4 @@ wait_for_keypress
#
#================================================================================
-# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com
+# Lynis - Copyright 2007-2016, Michael Boelen, CISOfy - https://cisofy.com
diff --git a/include/tests_networking b/include/tests_networking
index 45bbbf3f..fc5535c7 100644
--- a/include/tests_networking
+++ b/include/tests_networking
@@ -5,7 +5,7 @@
# Lynis
# ------------------
#
-# Copyright 2007-2015, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
+# Copyright 2007-2016, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
# Web site: https://cisofy.com
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
@@ -34,16 +34,16 @@
Register --test-no NETW-2704 --weight L --network YES --description "Basic nameserver configuration tests"
if [ ${SKIPTEST} -eq 0 ]; then
Display --indent 2 --text "- Checking configured nameservers"
- logtext "Test: Checking /etc/resolv.conf file"
+ LogText "Test: Checking /etc/resolv.conf file"
if [ -f /etc/resolv.conf ]; then
- logtext "Result: Found /etc/resolv.conf file"
+ LogText "Result: Found /etc/resolv.conf file"
FIND=`grep '^nameserver' /etc/resolv.conf | tr -d '\t' | sed 's/nameserver*//g' | uniq`
if [ ! "${FIND}" = "" ]; then
Display --indent 4 --text "- Testing nameservers"
- logtext "Test: Querying nameservers"
+ LogText "Test: Querying nameservers"
for I in ${FIND}; do
- logtext "Found nameserver: ${I}"
- report "nameserver[]=${I}"
+ LogText "Found nameserver: ${I}"
+ Report "nameserver[]=${I}"
# Check if a local resolver is available (like DNSMasq)
if [ "${I}" = "::1" -o "${I}" = "127.0.0.1" -o "${I}" = "0.0.0.0" ]; then
LOCAL_DNSRESOLVER_FOUND=1
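Review bot: `sed 's/nameserver*//g'` on the FIND line means "nameserve" followed by zero or more "r", applied anywhere on the line; it works by accident for the keyword but reads as a typo and would also mangle any value containing that string. `sed 's/^nameserver[[:space:]]*//'` states the intent directly. A trailing `uniq` without `sort` only removes adjacent duplicates, which is fine for resolv.conf but worth a comment.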
@@ -54,18 +54,18 @@
DNSRESPONSE=`${DIGBINARY} +noall +time=3 +retry=0 @${I} ${I} > /dev/null ; echo $?`
if [ "${DNSRESPONSE}" = "0" ]; then
Display --indent 8 --text "Nameserver: ${I}" --result OK --color GREEN
- logtext "Nameserver ${I} seems to respond to queries from this host."
+ LogText "Nameserver ${I} seems to respond to queries from this host."
# Count responsive nameservers
NUMBERACTIVENS=`expr ${NUMBERACTIVENS} + 1`
else
Display --indent 8 --text "Nameserver: ${I}" --result "NO RESPONSE" --color RED
- logtext "Result: nameserver ${I} does NOT respond"
- logtext "Exit-code from dig: ${DNSRESPONSE}"
+ LogText "Result: nameserver ${I} does NOT respond"
+ LogText "Exit-code from dig: ${DNSRESPONSE}"
ReportSuggestion ${TEST_NO} "Check connection to this nameserver and make sure no outbound DNS queries are blocked (port 53 UDP and TCP)."
ReportWarning ${TEST_NO} "L" "Nameserver ${I} does not respond"
fi
else
- logtext "Result: Nameserver test for ${I} skipped, 'dig' not installed"
+ LogText "Result: Nameserver test for ${I} skipped, 'dig' not installed"
Display --indent 6 --text "Nameserver: ${I}" --result SKIPPED --color YELLOW
fi
done
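Review bot: The SKIPPED result for a missing dig binary is displayed at `--indent 6` while the OK and NO RESPONSE results for the same nameserver use `--indent 8`, so the per-nameserver lines do not line up; use the same indent in all three branches.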
@@ -83,22 +83,22 @@
if [ ! "${DIGBINARY}" = "" ]; then
if [ ${NUMBERACTIVENS} -lt 2 ]; then
Display --indent 4 --text "- Minimal of 2 responsive nameservers" --result WARNING --color RED
- logtext "Result: less than 2 responsive nameservers found"
+ LogText "Result: less than 2 responsive nameservers found"
ReportWarning ${TEST_NO} "L" "Couldn't find 2 responsive nameservers"
- logtext "Note: Non responsive nameservers can give problems for your system(s). Like the lack of recursive lookups, bad connectivity to update servers etc."
+ LogText "Note: Non responsive nameservers can give problems for your system(s). Like the lack of recursive lookups, bad connectivity to update servers etc."
ReportSuggestion ${TEST_NO} "Check your resolv.conf file and fill in a backup nameserver if possible"
AddHP 1 2
else
Display --indent 4 --text "- Minimal of 2 responsive nameservers" --result OK --color GREEN
- logtext "Result: found at least 2 responsive nameservers"
+ LogText "Result: found at least 2 responsive nameservers"
AddHP 3 3
fi
else
Display --indent 4 --text "- Minimal of 2 responsive nameservers" --result SKIPPED --color YELLOW
- logtext "Result: dig not installed, test can't be fully performed"
+ LogText "Result: dig not installed, test can't be fully performed"
fi
else
- logtext "Result: Test most likely skipped due having local resolver in /etc/resolv.conf"
+ LogText "Result: Test most likely skipped due having local resolver in /etc/resolv.conf"
fi
#
#################################################################################
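Review bot: The renamed log line "Test most likely skipped due having local resolver" reads awkwardly; "skipped because a local resolver is configured in /etc/resolv.conf" is clearer. Also, the warning text "Couldn't find 2 responsive nameservers" is raised even when a single responsive local resolver such as dnsmasq forwards to multiple upstreams, which is the situation the LOCAL_DNSRESOLVER_FOUND check above is meant to cover; mention in the suggestion that this is expected for such setups.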
@@ -109,16 +109,16 @@
if [ ! "${NETSTATBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no NETW-3001 --preqs-met ${PREQS_MET} --weight L --network NO --description "Find default gateway (route)"
if [ $SKIPTEST -eq 0 ]; then
- logtext "Test: Searching default gateway(s)"
+ LogText "Test: Searching default gateway(s)"
FIND=`${NETSTATBINARY} -rn | egrep "^0.0.0.0|default" | tr -s ' ' | cut -d ' ' -f2`
if [ ! "${FIND}" = "" ]; then
for I in ${FIND}; do
- logtext "Result: Found default gateway ${I}"
- report "default_gateway[]=${I}"
+ LogText "Result: Found default gateway ${I}"
+ Report "default_gateway[]=${I}"
done
Display --indent 2 --text "- Checking default gateway" --result DONE --color GREEN
else
- logtext "Result: No default gateway found"
+ LogText "Result: No default gateway found"
Display --indent 2 --text "- Checking default gateway" --result "NONE FOUND" --color WHITE
fi
fi
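Review bot: `egrep "^0.0.0.0|default"` leaves the dots unescaped, so the pattern is looser than intended; `"^0\.0\.0\.0|^default"` matches only the route lines it is meant to. `$SKIPTEST` on the `if` line is the only unbraced use in this file, every other test uses `${SKIPTEST}`; make it consistent while touching these lines.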
@@ -156,9 +156,9 @@
if [ ! "${FIND}" = "" ]; then
for I in ${FIND}; do
NETWORK_INTERFACES="${NETWORK_INTERFACES}|${I}"
- logtext "Found network interface: ${I}"
+ LogText "Found network interface: ${I}"
N=`expr ${N} + 1`
- report "network_interface[]=${I}"
+ Report "network_interface[]=${I}"
done
else
ReportException "${TEST_NO}:1" "No interfaces found on this system (OS=${OS})"
@@ -184,7 +184,7 @@
FIND=`${IFCONFIGBINARY} -a | ${GREPBINARY} "HWaddr" | awk '{ if ($4=="HWaddr") print $5 }' | sort -u`
else
if [ ! "${IPBINARY}" = "" ]; then
- logtext "Test: Using ip binary to gather hardware addresses"
+ LogText "Test: Using ip binary to gather hardware addresses"
FIND=`${IPBINARY} link | ${GREPBINARY} "link/ether" | ${AWKBINARY} '{ print $2 }'`
else
ReportException "${TEST_NO}:2" "Missing ifconfig or ip command to collect hardware address (MAC)"
@@ -210,9 +210,9 @@
esac
N=0
for I in ${FIND}; do
- logtext "Found MAC address: ${I}"
+ LogText "Found MAC address: ${I}"
N=`expr ${N} + 1`
- report "network_mac_address[]=${I}"
+ Report "network_mac_address[]=${I}"
done
fi
#
@@ -239,7 +239,7 @@
FIND2=`${IFCONFIGBINARY} -a | awk '{ if ($1=="inet6" && $2=="addr:") { print $3 } else { if ($1=="inet6" && $3=="prefixlen") { print $2 } } }'`
else
if [ ! "${IPBINARY}" = "" ]; then
- logtext "Test: Using ip binary to gather IP addresses"
+ LogText "Test: Using ip binary to gather IP addresses"
FIND=`${IPBINARY} addr | ${AWKBINARY} '{ if ($1=="inet") { print $2 }}' | sed 's/\/.*//'`
FIND2=`${IPBINARY} addr | ${AWKBINARY} '{ if ($1=="inet6") { print $2 }}' | sed 's/\/.*//'`
else
@@ -260,22 +260,22 @@
FIND2=`${IFCONFIGBINARY} -a | awk '{ if ($1=="inet6") print $2 }'`
;;
*)
- logtext "Result: no support yet for this OS (${OS}) to find IP address information. You can help improving this test by submitting your details."
+ LogText "Result: no support yet for this OS (${OS}) to find IP address information. You can help improving this test by submitting your details."
ReportException "${TEST_NO}:1" "IP address information test not implemented for this operating system"
;;
esac
N=0
# IPv4
for I in ${FIND}; do
- logtext "Found IPv4 address: ${I}"
+ LogText "Found IPv4 address: ${I}"
N=`expr ${N} + 1`
- report "network_ipv4_address[]=${I}"
+ Report "network_ipv4_address[]=${I}"
done
# IPv6
for I in ${FIND2}; do
- logtext "Found IPv6 address: ${I}"
+ LogText "Found IPv6 address: ${I}"
N=`expr ${N} + 1`
- report "network_ipv6_address[]=${I}"
+ Report "network_ipv6_address[]=${I}"
done
fi
@@ -353,20 +353,20 @@
esac
# Retrieve information from sockstat, when available
- logtext "Test: Retrieving sockstat information to find listening ports"
+ LogText "Test: Retrieving sockstat information to find listening ports"
if [ ! "${FIND}" = "" ]; then
for I in ${FIND}; do
N=`expr ${N} + 1`
- logtext "Found listening info: ${I}"
- report "network_listen_port[]=${I}"
+ LogText "Found listening info: ${I}"
+ Report "network_listen_port[]=${I}"
done
fi
if [ ! "${FIND2}" = "" ]; then
for I in ${FIND2}; do
N=`expr ${N} + 1`
- logtext "Found listening info: ${I}"
- report "network_listen_port[]=${I}"
+ LogText "Found listening info: ${I}"
+ Report "network_listen_port[]=${I}"
done
fi
if [ "${FIND}" = "" -a "${FIND2}" = "" ]; then
@@ -385,18 +385,18 @@
if [ "${OS}" = "DragonFly" -o "${OS}" = "FreeBSD" -o "${OS}" = "NetBSD" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no NETW-3014 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking promiscuous interfaces (BSD)"
if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: Checking promiscuous interfaces (FreeBSD)"
+ LogText "Test: Checking promiscuous interfaces (FreeBSD)"
FIND=`${IFCONFIGBINARY} | grep PROMISC | cut -d ':' -f1`
if [ ! "${FIND}" = "" ]; then
- logtext "Result: Promiscuous interfaces: ${FIND}"
+ LogText "Result: Promiscuous interfaces: ${FIND}"
for I in ${FIND}; do
ISWHITELISTED=`grep "^if_promisc:${I}:" ${PROFILE}`
if [ "${ISWHITELISTED}" = "" ]; then
FOUNDPROMISC=1
ReportWarning ${TEST_NO} "H" "Found promiscuous interface (${I})"
- logtext "Note: some tools put an interface into promiscuous mode, to capture/log network traffic"
+ LogText "Note: some tools put an interface into promiscuous mode, to capture/log network traffic"
else
- logtext "Result: Found promiscuous interface ${I} (*whitelisted via profile*)"
+ LogText "Result: Found promiscuous interface ${I} (*whitelisted via profile*)"
fi
done
fi
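Review bot: The renamed log line still says "Checking promiscuous interfaces (FreeBSD)" although the PREQS_MET line and the Register description above it cover DragonFly and NetBSD as well; use "(BSD)" to match the description. `${PROFILE}` on the ISWHITELISTED line is unquoted, so a profile path containing whitespace breaks the grep; quote it.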
@@ -404,7 +404,7 @@
# Show result
if [ ${FOUNDPROMISC} -eq 0 ]; then
Display --indent 2 --text "- Checking promiscuous interfaces" --result OK --color GREEN
- logtext "Result: No promiscuous interfaces found"
+ LogText "Result: No promiscuous interfaces found"
else
Display --indent 2 --text "- Checking promiscuous interfaces" --result WARNING --color RED
fi
@@ -418,20 +418,20 @@
if [ ! "${IFCONFIGBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no NETW-3015 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking promiscuous interfaces (Linux)"
if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: Checking promiscuous interfaces (Linux)"
+ LogText "Test: Checking promiscuous interfaces (Linux)"
NETWORK=`${IFCONFIGBINARY} | grep Link | tr -s ' ' | cut -d ' ' -f1`
if [ ! "${NETWORK}" = "" ]; then
for I in ${NETWORK}; do
FIND=`${IFCONFIGBINARY} ${I} | grep PROMISC`
if [ ! "${FIND}" = "" ]; then
- logtext "Result: Promiscuous interface: ${I}"
+ LogText "Result: Promiscuous interface: ${I}"
ISWHITELISTED=`grep "^if_promisc:${I}:" ${PROFILE}`
if [ "${ISWHITELISTED}" = "" ]; then
FOUNDPROMISC=1
ReportWarning ${TEST_NO} "H" "Found promiscuous interface (${I})"
- logtext "Note: some tools put an interface into promiscuous mode, to capture/log network traffic"
+ LogText "Note: some tools put an interface into promiscuous mode, to capture/log network traffic"
else
- logtext "Result: Found promiscuous interface ${I} (*whitelisted via profile*)"
+ LogText "Result: Found promiscuous interface ${I} (*whitelisted via profile*)"
fi
fi
done
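Review bot: `${IFCONFIGBINARY} | grep Link` depends on the old net-tools output format ("Link encap:"); newer net-tools prints "flags=..." lines instead, so NETWORK comes back empty, the loop never runs, FOUNDPROMISC stays 0 and the test reports OK without having looked at any interface. Either log and display a SKIPPED result when NETWORK is empty, or gather the interface list and the PROMISC flag from `${IPBINARY} link`, which this file already uses for MAC addresses and which shows PROMISC in the flags field.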
@@ -440,7 +440,7 @@
# Show result
if [ ${FOUNDPROMISC} -eq 0 ]; then
Display --indent 2 --text "- Checking promiscuous interfaces" --result OK --color GREEN
- logtext "Result: No promiscuous interfaces found"
+ LogText "Result: No promiscuous interfaces found"
else
Display --indent 2 --text "- Checking promiscuous interfaces" --result WARNING --color RED
fi
@@ -456,16 +456,16 @@
# Test : NETW-3024
# Description : Netstat/socktstat compare (FreeBSD)
# echo -n " - Comparing output sockstat and netstat"
- # logtext "Comparing output of sockstat and netstat"
+ # LogText "Comparing output of sockstat and netstat"
# NETSTATOUTPUT=`netstat -an | grep -v 'TIME_WAIT' | grep -v 'ESTABLISHED' | grep -v 'SYN_SENT' | grep -v 'CLOSE_WAIT' | grep -v 'LAST_ACK' | grep -v 'SYN_RECV' | grep -v 'CLOSING' | cut -c 1-44 | grep '*.' | cut -c 24-32 | tr -d ' ' | tr -d '\t' | grep -v '*' | sort -u`
#
# if [ "${SOCKSTATOUTPUT}" = "${NETSTATOUTPUT}" ]; then
# ShowResult OK
# else
# echo "[ ${BAD}Warning!${NORMAL} ]"
- # logtext "WARNING!"
- # logtext "Sockstat tested output: ${SOCKSTAT}"
- # logtext "Netstat tested output: ${NETSTAT}"
+ # LogText "WARNING!"
+ # LogText "Sockstat tested output: ${SOCKSTAT}"
+ # LogText "Netstat tested output: ${NETSTAT}"
# fi
#
#################################################################################
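Review bot: This whole block is commented-out dead code, and the rename only updates the comments; the variables it logs (`${SOCKSTAT}`, `${NETSTAT}`) do not even match the ones it assigns (`NETSTATOUTPUT`, and `SOCKSTATOUTPUT` is never set in the visible lines). Either remove the block or finish the test, rather than keeping it in sync by hand.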
@@ -477,16 +477,16 @@
if [ ! "${NETSTATBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no NETW-3028 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking connections in WAIT state"
if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: Using netstat for check for connections in WAIT state"
+ LogText "Test: Using netstat for check for connections in WAIT state"
FIND=`${NETSTATBINARY} -an | grep WAIT | wc -l | awk '{ print $1 }'`
if [ "${OPTIONS_CONN_MAX_WAIT_STATE}" = "" ]; then OPTIONS_CONN_MAX_WAIT_STATE="5000"; fi
- logtext "Result: currently ${FIND} connections are in a waiting state (max configured: ${OPTIONS_CONN_MAX_WAIT_STATE})."
+ LogText "Result: currently ${FIND} connections are in a waiting state (max configured: ${OPTIONS_CONN_MAX_WAIT_STATE})."
if [ ${FIND} -gt ${OPTIONS_CONN_MAX_WAIT_STATE} ]; then
Display --indent 2 --text "- Checking waiting connections" --result WARNING --color YELLOW
ReportSuggestion "${TEST_NO}" "Determine why system has many connections in WAIT state (${FIND})"
else
Display --indent 2 --text "- Checking waiting connections" --result OK --color GREEN
- logtext "Result: ${FIND} connections are in WAIT state"
+ LogText "Result: ${FIND} connections are in WAIT state"
fi
fi
#
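Review bot: `grep WAIT` counts TIME_WAIT, CLOSE_WAIT, FIN_WAIT1 and FIN_WAIT2 together, so the threshold compares unrelated states; if the intent is TIME_WAIT, match that state explicitly. The LogText in the OK branch ("${FIND} connections are in WAIT state") repeats the count already logged unconditionally two lines above it, while the WARNING branch logs nothing extra; drop the duplicate or move a "Result: above configured maximum" line into the warning branch.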
@@ -508,9 +508,9 @@
#################################################################################
#
-report "dhcp_client_running=${DHCP_CLIENT_RUNNING}"
+Report "dhcp_client_running=${DHCP_CLIENT_RUNNING}"
wait_for_keypress
#
#================================================================================
-# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com
+# Lynis - Copyright 2007-2016, Michael Boelen, CISOfy - https://cisofy.com
diff --git a/include/tests_php b/include/tests_php
index 96eb63d0..0891bbf0 100644
--- a/include/tests_php
+++ b/include/tests_php
@@ -5,7 +5,7 @@
# Lynis
# ------------------
#
-# Copyright 2007-2015, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
+# Copyright 2007-2016, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
# Web site: https://cisofy.com
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
@@ -42,18 +42,18 @@
# Description : Check php.ini presence
Register --test-no PHP-2211 --weight L --network NO --description "Check php.ini presence"
if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: Checking for presence php.ini"
+ LogText "Test: Checking for presence php.ini"
PHPINIFILE=""
PHPINI_ALLFILES=""
for I in ${PHPINILOCS}; do
- logtext "Test: checking presence ${I}"
+ LogText "Test: checking presence ${I}"
if [ -f ${I} ]; then
PHPINIFILE=${I}
- logtext "Result: Found php.ini file (${PHPINIFILE})"
- logtext "Note: Adding file to php.ini array"
+ LogText "Result: Found php.ini file (${PHPINIFILE})"
+ LogText "Note: Adding file to php.ini array"
PHPINI_ALLFILES="${PHPINI_ALLFILES} ${PHPINIFILE}"
else
- logtext "Result: file ${I} not found"
+ LogText "Result: file ${I} not found"
fi
done
@@ -61,12 +61,12 @@
for I in ${PHPINIDIRS}; do
tFILES=`ls ${I}/*.ini 2>/dev/null`
if [ "${tFILES}" = "" ]; then
- logtext "Result: no files found for ${I}"
+ LogText "Result: no files found for ${I}"
else
- logtext "Result: found files in location ${I}, checking"
+ LogText "Result: found files in location ${I}, checking"
for I in ${tFILES}; do
if [ -f ${I} ]; then
- logtext "Result: file ${I} exists, adding to php.ini array"
+ LogText "Result: file ${I} exists, adding to php.ini array"
PHPINI_ALLFILES="${PHPINI_ALLFILES} ${I}"
fi
done
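Review bot: The inner `for I in ${tFILES}` loop reuses the outer loop variable `I` from `for I in ${PHPINIDIRS}`; POSIX `for` iterates over the word list computed up front so it still terminates correctly, but any use of `${I}` after the inner loop refers to the last file rather than the directory. Use a distinct name such as `J` for the inner loop, and the `ls ${I}/*.ini 2>/dev/null` can become a plain glob test.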
@@ -75,11 +75,11 @@
if [ ! "${PHPINIFILE}" = "" ]; then
Display --indent 2 --text "- Checking PHP" --result "FOUND" --color GREEN
- logtext "Result: using single file ${PHPINIFILE} for main php.ini tests"
- logtext "Result: using php.ini array ${PHPINI_ALLFILES} for further tests"
+ LogText "Result: using single file ${PHPINIFILE} for main php.ini tests"
+ LogText "Result: using php.ini array ${PHPINI_ALLFILES} for further tests"
else
Display --indent 2 --text "- Checking PHP" --result "NOT FOUND" --color WHITE
- logtext "Result: no php.ini file found"
+ LogText "Result: no php.ini file found"
fi
fi
#
@@ -92,31 +92,31 @@
if [ ${SKIPTEST} -eq 0 ]; then
FOUND=0
for I in ${PHPINI_ALLFILES}; do
- logtext "Test: Checking for PHP function hardening disabled_functions or suhosin.executor.func.blacklist in file ${I}"
+ LogText "Test: Checking for PHP function hardening disabled_functions or suhosin.executor.func.blacklist in file ${I}"
FIND=`grep "^disable_functions.*=" ${I}`
if [ "${FIND}" = "" ]; then
- logtext "Result: ${I}: disabled_functions not found"
+ LogText "Result: ${I}: disabled_functions not found"
else
- logtext "Result: ${I}: found disabled_functions"
+ LogText "Result: ${I}: found disabled_functions"
FOUND=1
fi
FIND=`grep "^suhosin.executor.func.blacklist=" ${I}`
if [ "${FIND}" = "" ]; then
- logtext "Result: ${I}: suhosin.executor.func.blacklist not found"
+ LogText "Result: ${I}: suhosin.executor.func.blacklist not found"
else
- logtext "Result: ${I}: found suhosin.executor.func.blacklist"
+ LogText "Result: ${I}: found suhosin.executor.func.blacklist"
FOUND=1
fi
done
if [ ${FOUND} -eq 0 ]; then
- logtext "Result: all PHP functions can be executed"
+ LogText "Result: all PHP functions can be executed"
Display --indent 4 --text "- Checking PHP disabled functions" --result "NONE" --color YELLOW
ReportSuggestion ${TEST_NO} "Harden PHP by disabling risky functions"
- logtext "Functions of interest to research/disable: chown, diskfreespace, disk_free_space, disk_total_space, dl, exec, escapeshellarg, escapeshellcmd, fileinode, highlight_file, max_execution_time, passthru, pclose, phpinfo, popen, proc_close, proc_open, proc_get_status, proc_nice, proc_open, proc_terminate, set_time_limit, shell_exec, show_source, system)"
+ LogText "Functions of interest to research/disable: chown, diskfreespace, disk_free_space, disk_total_space, dl, exec, escapeshellarg, escapeshellcmd, fileinode, highlight_file, max_execution_time, passthru, pclose, phpinfo, popen, proc_close, proc_open, proc_get_status, proc_nice, proc_open, proc_terminate, set_time_limit, shell_exec, show_source, system)"
AddHP 0 1
else
- logtext "Result: one or more PHP functions are disabled/blacklisted"
+ LogText "Result: one or more PHP functions are disabled/blacklisted"
Display --indent 4 --text "- Checking PHP disabled functions" --result "FOUND" --color GREEN
AddHP 3 3
fi
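Review bot: The log lines say "disabled_functions" while the directive, and the grep pattern, is `disable_functions`; fix the three messages so log readers can search for the real option name. The suhosin pattern `^suhosin.executor.func.blacklist=` requires no whitespace around `=`, unlike the `^disable_functions.*=` pattern beside it; use `^suhosin\.executor\.func\.blacklist[[:space:]]*=`. The function list in the last renamed line mentions proc_open twice and ends with an unmatched ")".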
@@ -146,17 +146,17 @@
fi
Register --test-no PHP-2368 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check PHP register_globals option"
if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: Checking PHP register_globals option"
+ LogText "Test: Checking PHP register_globals option"
FIND=`egrep -i 'register_globals.*(on|yes|1)' ${PHPINIFILE} | grep -v '^;'`
if [ ! "${FIND}" = "" ]; then
Display --indent 4 --text "- Checking register_globals option" --result WARNING --color RED
ReportWarning ${TEST_NO} "M" "PHP option register_globals option is turned on, which can be a risk for variable value overwriting"
ReportSuggestion ${TEST_NO} "Change the register_globals line to: register_globals = Off"
- logtext "Result: register_globals option is turned on, which can be a risk for variable value overwriting."
+ LogText "Result: register_globals option is turned on, which can be a risk for variable value overwriting."
AddHP 1 2
else
Display --indent 4 --text "- Checking register_globals option" --result OK --color GREEN
- logtext "Result: No 'register_globals' found. Most likely it is in disabled state (0, no, or off), which is the default nowadays and considered the safe value."
+ LogText "Result: No 'register_globals' found. Most likely it is in disabled state (0, no, or off), which is the default nowadays and considered the safe value."
ReportManual ${TEST_NO}:01
AddHP 2 2
fi
@@ -170,17 +170,17 @@
if [ ! "${PHPINIFILE}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PHP-2372 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check PHP expose_php option"
if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: Checking expose_php option"
+ LogText "Test: Checking expose_php option"
FIND=`egrep -i 'expose_php.*(off|no|0)' ${PHPINIFILE} | grep -v '^;'`
if [ "${FIND}" = "" ]; then
Display --indent 4 --text "- Checking expose_php option" --result ON --color RED
ReportWarning ${TEST_NO} "M" "PHP option expose_php is possibly turned on, which can reveal useful information for attackers."
ReportSuggestion ${TEST_NO} "Change the expose_php line to: expose_php = Off"
- report "Result: expose_php option is turned on, which can expose useful information for an attacker"
+ Report "Result: expose_php option is turned on, which can expose useful information for an attacker"
AddHP 1 2
else
Display --indent 4 --text "- Checking expose_php option" --result OFF --color GREEN
- logtext "Result: Found 'expose_php' in disabled state (0, no, or off)"
+ LogText "Result: Found 'expose_php' in disabled state (0, no, or off)"
AddHP 2 2
fi
#YYY Check through all files
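Review bot: `Report "Result: expose_php option is turned on ..."` writes a free-text sentence into the report file, where every other Report call in this patch writes a `key=value` pair (`nameserver[]=`, `package_manager[]=`); this line should be `LogText`. The same pre-existing mix-up is carried through the rename in the enable_dl, allow_url_fopen and allow_url_include tests below. The `#YYY Check through all files` marker also shows these tests only read `${PHPINIFILE}` although PHP-2211 builds `PHPINI_ALLFILES` for exactly that purpose.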
@@ -194,16 +194,16 @@
if [ ! "${PHPINIFILE}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PHP-2374 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check PHP enable_dl option"
if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: Checking PHP enable_dl option"
+ LogText "Test: Checking PHP enable_dl option"
FIND=`egrep -i 'enable_dl.*(off|no|0)' ${PHPINIFILE} | grep -v '^;'`
if [ "${FIND}" = "" ]; then
Display --indent 4 --text "- Checking enable_dl option" --result ON --color YELLOW
- report "Result: enable_dl option is turned on, which can be used for riskful downloads via PHP"
+ Report "Result: enable_dl option is turned on, which can be used for riskful downloads via PHP"
ReportSuggestion ${TEST_NO} "Change the enable_dl line to: enable_dl = Off, to disable downloads via PHP"
AddHP 0 1
else
Display --indent 4 --text "- Checking enable_dl option" --result OFF --color GREEN
- logtext "Result: Found 'enable_dl' in disabled state (0, no, or off)"
+ LogText "Result: Found 'enable_dl' in disabled state (0, no, or off)"
AddHP 2 2
fi
#YYY Check through all files
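Review bot: enable_dl controls whether scripts may load PHP extensions at runtime with dl(), not "downloads via PHP"; both the Report line and the suggestion text ("to disable downloads via PHP") describe the wrong risk. Rephrase to "dynamic loading of extensions" so the reader understands why turning it off matters.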
@@ -217,16 +217,16 @@
if [ ! "${PHPINIFILE}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PHP-2376 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check PHP allow_url_fopen option"
if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: Checking PHP allow_url_fopen option"
+ LogText "Test: Checking PHP allow_url_fopen option"
FIND=`egrep -i 'allow_url_fopen.*(off|no|0)' ${PHPINIFILE} | grep -v '^;'`
if [ "${FIND}" = "" ]; then
Display --indent 4 --text "- Checking allow_url_fopen option" --result ON --color YELLOW
- report "Result: allow_url_fopen option is turned on, which can be used for riskful downloads via PHP"
+ Report "Result: allow_url_fopen option is turned on, which can be used for riskful downloads via PHP"
ReportSuggestion ${TEST_NO} "Change the allow_url_fopen line to: allow_url_fopen = Off, to disable downloads via PHP"
AddHP 0 1
else
Display --indent 4 --text "- Checking allow_url_fopen option" --result OFF --color GREEN
- logtext "Result: Found 'allow_url_fopen' in disabled state (0, no, or off)"
+ LogText "Result: Found 'allow_url_fopen' in disabled state (0, no, or off)"
AddHP 2 2
fi
#YYY Check through all files
@@ -240,16 +240,16 @@
if [ ! "${PHPINIFILE}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PHP-2378 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check PHP allow_url_include option"
if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: Checking PHP allow_url_include option"
+ LogText "Test: Checking PHP allow_url_include option"
FIND=`egrep -i 'allow_url_include.*(off|no|0)' ${PHPINIFILE} | grep -v '^;'`
if [ "${FIND}" = "" ]; then
Display --indent 4 --text "- Checking allow_url_include option" --result ON --color YELLOW
- report "Result: allow_url_include option is turned on, which can be used for riskful downloads via PHP"
+ Report "Result: allow_url_include option is turned on, which can be used for riskful downloads via PHP"
ReportSuggestion ${TEST_NO} "Change the allow_url_include line to: allow_url_include = Off, to disable downloads via PHP"
AddHP 0 1
else
Display --indent 4 --text "- Checking allow_url_include option" --result OFF --color GREEN
- logtext "Result: Found 'allow_url_include' in disabled state (0, no, or off)"
+ LogText "Result: Found 'allow_url_include' in disabled state (0, no, or off)"
AddHP 2 2
fi
fi
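Review bot: allow_url_include permits include/require of remote URLs (remote file inclusion), which is a code-execution risk rather than a "download" one; the Report line and suggestion text borrowed from the allow_url_fopen test should say so. The grep also only detects an explicit Off/no/0 setting, so a commented-out or absent line is reported as ON even though the PHP default for this option is Off; log that the result is inferred from absence, as the register_globals test does.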
@@ -261,4 +261,4 @@ wait_for_keypress
#
#================================================================================
-# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com
+# Lynis - Copyright 2007-2016, Michael Boelen, CISOfy - https://cisofy.com
diff --git a/include/tests_ports_packages b/include/tests_ports_packages
index 4306f3dc..3237f7e7 100644
--- a/include/tests_ports_packages
+++ b/include/tests_ports_packages
@@ -5,7 +5,7 @@
# Lynis
# ------------------
#
-# Copyright 2007-2015, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
+# Copyright 2007-2016, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
# Web site: https://cisofy.com
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
@@ -36,17 +36,17 @@
FIND=`pkg -N 2>&1; echo $?`
if [ "${FIND}" = "0" ]; then
Display --indent 4 --text "- Searching packages with pkg" --result FOUND --color GREEN
- report "package_manager[]=pkg"
+ Report "package_manager[]=pkg"
PACKAGE_MGR_PKG=1
- logtext "Result: Found pkg"
- logtext "Test: Querying pkg to get package list"
+ LogText "Result: Found pkg"
+ LogText "Test: Querying pkg to get package list"
Display --indent 6 --text "- Querying pkg for installed packages"
- logtext "Output:"; logtext "-----"
+ LogText "Output:"; LogText "-----"
SPACKAGES=`/usr/sbin/pkg query %n,%v`
for J in ${SPACKAGES}; do
sPKG_NAME=`echo ${J} | cut -d ',' -f1`
sPKG_VERSION=`echo ${J} | cut -d ',' -f2`
- logtext "Installed package: ${sPKG_NAME} (version: ${sPKG_VERSION})"
+ LogText "Installed package: ${sPKG_NAME} (version: ${sPKG_VERSION})"
INSTALLED_PACKAGES="${INSTALLED_PACKAGES}|${J}"
done
fi
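Review bot: `pkg -N` is resolved via PATH while the package query uses the hard-coded `/usr/sbin/pkg query`, so the detection and the listing can hit different binaries; use one form (preferably the same discovered binary) for both. The "Output:" / "-----" separator lines are logged but no output is logged between them for this manager, only the per-package lines; either keep the separator convention consistent across the package tests or drop it.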
@@ -61,20 +61,20 @@
if [ ${SKIPTEST} -eq 0 ]; then
N=0
Display --indent 4 --text "- Checking pkg_info" --result FOUND --color GREEN
- logtext "Result: Found pkg_info"
- report "package_manager[]=pkg_info"
- logtext "Test: Querying pkg_info to get package list"
+ LogText "Result: Found pkg_info"
+ Report "package_manager[]=pkg_info"
+ LogText "Test: Querying pkg_info to get package list"
Display --indent 6 --text "- Querying pkg_info for installed packages"
- logtext "Output:"; logtext "-----"
+ LogText "Output:"; LogText "-----"
SPACKAGES=`/usr/sbin/pkg_info 2>&1 | sort | tr -s ' ' | cut -d ' ' -f1 | sed -e 's/^\(.*\)-\([0-9].*\)$/\1,\2/g'`
for J in ${SPACKAGES}; do
N=`expr ${N} + 1`
sPKG_NAME=`echo ${J} | cut -d ',' -f1`
sPKG_VERSION=`echo ${J} | cut -d ',' -f2`
- logtext "Installed package: ${sPKG_NAME} (version: ${sPKG_VERSION})"
+ LogText "Installed package: ${sPKG_NAME} (version: ${sPKG_VERSION})"
INSTALLED_PACKAGES="${INSTALLED_PACKAGES}|${J}"
done
- report "installed_packages=${N}"
+ Report "installed_packages=${N}"
fi
#
#################################################################################
@@ -85,18 +85,18 @@
Register --test-no PKGS-7304 --preqs-met ${PREQS_MET} --weight L --network NO --description "Querying Gentoo packages"
if [ ${SKIPTEST} -eq 0 ]; then
Display --indent 4 --text "- Searching emerge" --result FOUND --color GREEN
- logtext "Result: Found Gentoo emerge"
- report "package_manager[]=emerge"
- logtext "Test: Querying portage to get package list"
+ LogText "Result: Found Gentoo emerge"
+ Report "package_manager[]=emerge"
+ LogText "Test: Querying portage to get package list"
Display --indent 4 --text "- Querying portage for installed packages"
- logtext "Output:"; logtext "-----"
+ LogText "Output:"; LogText "-----"
GPACKAGES=`equery l '*' | sed -e 's/[.*]//g'`
for J in ${GPACKAGES}; do
- logtext "Found package ${J}"
+ LogText "Found package ${J}"
INSTALLED_PACKAGES="${INSTALLED_PACKAGES}|${J},0,"
done
else
- logtext "Result: emerge can NOT be found on this system"
+ LogText "Result: emerge can NOT be found on this system"
fi
#
#
@@ -108,19 +108,19 @@
Register --test-no PKGS-7306 --os Solaris --preqs-met ${PREQS_MET} --weight L --network NO --description "Querying Solaris packages"
if [ ${SKIPTEST} -eq 0 ]; then
Display --indent 4 --text "- Searching pkginfo" --result FOUND --color GREEN
- logtext "Result: Found Solaris pkginfo"
- report "package_manager[]=pkginfo"
- logtext "Test: Querying pkginfo to get package list"
+ LogText "Result: Found Solaris pkginfo"
+ Report "package_manager[]=pkginfo"
+ LogText "Test: Querying pkginfo to get package list"
Display --indent 4 --text "- Querying pkginfo for installed packages"
- logtext "Output:"; logtext "-----"
+ LogText "Output:"; LogText "-----"
# Strip SUNW from strings
SPACKAGES=`/usr/bin/pkginfo -i | tr -s ' ' | cut -d ' ' -f2 | sed "s#^SUNW##"`
for J in ${SPACKAGES}; do
- logtext "Found package ${J}"
+ LogText "Found package ${J}"
INSTALLED_PACKAGES="${INSTALLED_PACKAGES}|${J},0,"
done
else
- logtext "Result: pkginfo can NOT be found on this system"
+ LogText "Result: pkginfo can NOT be found on this system"
fi
#
#################################################################################
@@ -132,28 +132,28 @@
if [ ${SKIPTEST} -eq 0 ]; then
N=0
Display --indent 4 --text "- Searching RPM package manager" --result FOUND --color GREEN
- logtext "Result: Found rpm binary (${RPMBINARY})"
- report "package_manager[]=rpm"
- logtext "Test: Querying 'rpm -qa' to get package list"
+ LogText "Result: Found rpm binary (${RPMBINARY})"
+ Report "package_manager[]=rpm"
+ LogText "Test: Querying 'rpm -qa' to get package list"
Display --indent 6 --text "- Querying RPM package manager"
- logtext "Output:"; logtext "--------"
+ LogText "Output:"; LogText "--------"
SPACKAGES=`${RPMBINARY} -qa --queryformat "%{NAME},%{VERSION}-%{RELEASE}.%{ARCH}\n" 2> /dev/null | sort`
if [ "${SPACKAGES}" = "" ]; then
- logtext "Result: RPM binary available, but package list seems to be empty"
- logtext "Info: looks like the rpm binary is installed, but not used for package installation"
+ LogText "Result: RPM binary available, but package list seems to be empty"
+ LogText "Info: looks like the rpm binary is installed, but not used for package installation"
ReportSuggestion "${TEST_NO}" "Check RPM database as RPM binary available but does not reveal any packages"
else
for J in ${SPACKAGES}; do
N=`expr ${N} + 1`
PACKAGE_NAME=`echo ${J} | awk -F, '{print $1}'`
PACKAGE_VERSION=`echo ${J} | awk -F, '{print $2}'`
- logtext "Found package: ${J}"
+ LogText "Found package: ${J}"
INSTALLED_PACKAGES="${INSTALLED_PACKAGES}|${PACKAGE_NAME},${PACKAGE_VERSION},"
done
- report "installed_packages=${N}"
+ Report "installed_packages=${N}"
fi
else
- logtext "Result: RPM binary NOT found on this system, test skipped"
+ LogText "Result: RPM binary NOT found on this system, test skipped"
fi
#
#################################################################################
@@ -165,24 +165,24 @@
if [ ${SKIPTEST} -eq 0 ]; then
N=0
Display --indent 4 --text "- Searching pacman package manager" --result FOUND --color GREEN
- logtext "Result: Found pacman binary (${PACMANBINARY})"
- report "package_manager[]=pacman"
- logtext "Test: Querying 'pacman -Q' to get package list"
+ LogText "Result: Found pacman binary (${PACMANBINARY})"
+ Report "package_manager[]=pacman"
+ LogText "Test: Querying 'pacman -Q' to get package list"
Display --indent 6 --text "- Querying pacman package manager"
- logtext "Output:"; logtext "--------"
+ LogText "Output:"; LogText "--------"
SPACKAGES=`${PACMANBINARY} -Q | sort | sed 's/ /,/g'`
if [ "${SPACKAGES}" = "" ]; then
- logtext "Result: pacman binary available, but package list seems to be empty"
- logtext "Info: looks like the pacman binary is installed, but not used for package installation"
+ LogText "Result: pacman binary available, but package list seems to be empty"
+ LogText "Info: looks like the pacman binary is installed, but not used for package installation"
else
for J in ${SPACKAGES}; do
N=`expr ${N} + 1`
PACKAGE_NAME=`echo ${J} | awk -F, '{ print $1 }'`
PACKAGE_VERSION=`echo ${J} | awk -F, '{ print $2 }'`
- logtext "Found package: ${PACKAGE_NAME} (version: ${PACKAGE_VERSION})"
+ LogText "Found package: ${PACKAGE_NAME} (version: ${PACKAGE_VERSION})"
INSTALLED_PACKAGES="${INSTALLED_PACKAGES}|${J}"
done
- report "installed_packages=${N}"
+ Report "installed_packages=${N}"
fi
fi
#
@@ -198,8 +198,8 @@
if [ ! "${FIND}" = "" ]; then
FIND=`checkupdates`
for I in ${FIND}; do
- logtext "Result: update available for ${I}"
- report "available_update[]=${I}"
+ LogText "Result: update available for ${I}"
+ Report "available_update[]=${I}"
FOUND=1
done
if [ ${FOUND} -eq 1 ]; then
@@ -209,10 +209,10 @@
Display --indent 4 --text "- Searching update status (checkupdates)" --result "UP-TO-DATE" --color GREEN
fi
else
- logtext "Result: skipping this test, can't find checkupdates binary"
+ LogText "Result: skipping this test, can't find checkupdates binary"
fi
else
- logtext "Result: pacman binary NOT found on this system, test skipped"
+ LogText "Result: pacman binary NOT found on this system, test skipped"
fi
#
#################################################################################
@@ -225,23 +225,23 @@
if [ ${SKIPTEST} -eq 0 ]; then
COUNT=0
# Check configuration options (options start with a capital)
- logtext "Test: searching configured options in ${PACMANCONF}"
+ LogText "Test: searching configured options in ${PACMANCONF}"
FIND=`grep "^[A-Z]" ${PACMANCONF} | sort -u | sed 's/ /:space:/g'`
for I in ${FIND}; do
PMOPTION=`echo ${I} | sed 's/:space:/ /g' | ${AWKBINARY} -F= '{ print $1 }'`
PMVALUE=`echo ${I} | sed 's/:space:/ /g' | ${AWKBINARY} -F= '{ print $2 }'`
- logtext "Result: found option ${PMOPTION} configured with value ${PMVALUE}"
- report "pacman_option[]=${PMOPTION}:${PMVALUE}:"
+ LogText "Result: found option ${PMOPTION} configured with value ${PMVALUE}"
+ Report "pacman_option[]=${PMOPTION}:${PMVALUE}:"
done
# Check software repositories
- logtext "Test: checking available repositories"
+ LogText "Test: checking available repositories"
FIND=`grep "^\[.*\]$" ${PACMANCONF} | tr -d '[]'`
for I in ${FIND}; do
COUNT=`expr ${COUNT} + 1`
- report "package_repository[]=${I}"
+ Report "package_repository[]=${I}"
done
- logtext "Result: found ${COUNT} repositories"
+ LogText "Result: found ${COUNT} repositories"
fi
#
#################################################################################
@@ -258,10 +258,10 @@
if [ ! "${FIND}" = "" ]; then
for I in ${FIND}; do
N=`expr ${N} + 1`
- logtext "Installed package: ${I}"
+ LogText "Installed package: ${I}"
INSTALLED_PACKAGES="${INSTALLED_PACKAGES}|${J},0,"
done
- report "installed_packages=${N}"
+ Report "installed_packages=${N}"
else
# Could not find any installed packages
ReportException ${TEST_NO} "No installed packages found with Zypper"
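Review bot: the Zypper listing loop iterates over `I` (`for I in ${FIND}; do`) but appends `${J}` to the inventory (`INSTALLED_PACKAGES="${INSTALLED_PACKAGES}|${J},0,"`), so every Zypper entry records whatever `J` held from an earlier package-manager loop instead of the package logged one line above; this should be `|${I},0,`. Worth fixing while the log line in this hunk is being touched, since the report would otherwise claim N installed packages all with the same name.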
@@ -277,19 +277,19 @@
if [ ${SKIPTEST} -eq 0 ]; then
FIND=`${ZYPPERBINARY} pchk | grep "(0 security patches)"`
if [ ! "${FIND}" = "" ]; then
- logtext "Result: No security updates found with Zypper"
+ LogText "Result: No security updates found with Zypper"
Display --indent 2 --text "- Using Zypper to obtain vulnerable packages" --result NONE --color GREEN
else
Display --indent 2 --text "- Using Zypper to obtain vulnerabilities" --result WARNING --color RED
- logtext "Result: Zypper found one or more installed packages which are vulnerable."
+ LogText "Result: Zypper found one or more installed packages which are vulnerable."
ReportWarning ${TEST_NO} "H" "Found one or more vulnerable packages installed"
# Unfortunately zypper does not properly give back which package it is. Usually best guess is last word on the line
FIND=`${ZYPPERBINARY} lp | ${AWKBINARY} '{ if ($5=="security" || $7=="security") { print $NF }}' | sed 's/:$//' | grep -v "^$" | sort -u`
- logtext "List of vulnerable packages/version:"
+ LogText "List of vulnerable packages/version:"
for I in ${FIND}; do
VULNERABLE_PACKAGES_FOUND=1
- report "vulnerable_package[]=${I}"
- logtext "Vulnerable package: ${I}"
+ Report "vulnerable_package[]=${I}"
+ LogText "Vulnerable package: ${I}"
# Decrease hardening points for every found vulnerable package
AddHP 1 2
done
@@ -305,22 +305,22 @@
if [ ${SKIPTEST} -eq 0 ]; then
N=0
Display --indent 4 --text "- Searching dpkg package manager" --result FOUND --color GREEN
- logtext "Result: Found dpkg binary"
- report "package_manager[]=dpkg"
- logtext "Test: Querying dpkg -l to get package list"
+ LogText "Result: Found dpkg binary"
+ Report "package_manager[]=dpkg"
+ LogText "Test: Querying dpkg -l to get package list"
Display --indent 6 --text "- Querying package manager"
- logtext "Output:"
+ LogText "Output:"
SPACKAGES=`dpkg -l 2>/dev/null | grep "^ii" | tr -s ' ' | tr ' ' ',' | sort`
for J in ${SPACKAGES}; do
N=`expr ${N} + 1`
PACKAGE_NAME=`echo ${J} | cut -d ',' -f2`
PACKAGE_VERSION=`echo ${J} | cut -d ',' -f3`
- logtext "Found package: ${PACKAGE_NAME} (version: ${PACKAGE_VERSION})"
+ LogText "Found package: ${PACKAGE_NAME} (version: ${PACKAGE_VERSION})"
INSTALLED_PACKAGES="${INSTALLED_PACKAGES}|${PACKAGE_NAME},${PACKAGE_VERSION}"
done
- report "installed_packages=${N}"
+ Report "installed_packages=${N}"
else
- logtext "Result: dpkg can NOT be found on this system, test skipped"
+ LogText "Result: dpkg can NOT be found on this system, test skipped"
fi
#
#################################################################################
@@ -332,23 +332,23 @@
Register --test-no PKGS-7346 --preqs-met ${PREQS_MET} --weight L --network NO --description "Search unpurged packages on system"
if [ ${SKIPTEST} -eq 0 ]; then
N=0
- logtext "Test: Querying dpkg -l to get unpurged packages"
+ LogText "Test: Querying dpkg -l to get unpurged packages"
SPACKAGES=`dpkg -l 2>/dev/null | grep "^rc" | cut -d ' ' -f3 | sort`
if [ "${SPACKAGES}" = "" ]; then
Display --indent 4 --text "- Query unpurged packages" --result NONE --color GREEN
- logtext "Result: no packages found with left overs"
+ LogText "Result: no packages found with left overs"
else
Display --indent 4 --text "- Query unpurged packages" --result FOUND --color YELLOW
- logtext "Result: found one or more packages with left over configuration files, cron jobs etc"
- logtext "Output:"
+ LogText "Result: found one or more packages with left over configuration files, cron jobs etc"
+ LogText "Output:"
for J in ${SPACKAGES}; do
N=`expr ${N} + 1`
- logtext "Found unpurged package: ${J}"
+ LogText "Found unpurged package: ${J}"
done
ReportSuggestion ${TEST_NO} "Purge old/removed packages (${N} found) with aptitude purge or dpkg --purge command. This will cleanup old configuration files, cron jobs and startup scripts."
fi
else
- logtext "Result: dpkg can NOT be found on this system, test skipped"
+ LogText "Result: dpkg can NOT be found on this system, test skipped"
fi
#
#################################################################################
@@ -364,10 +364,10 @@
FIND=`/usr/local/sbin/portsclean -n -DD | grep 'Delete' | wc -l | tr -d ' '`
if [ ${FIND} -eq 0 ]; then
Display --indent 2 --text "- Checking presence old distfiles" --result OK --color GREEN
- logtext "Result: no unused distfiles found"
+ LogText "Result: no unused distfiles found"
else
Display --indent 2 --text "- Checking presence old distfiles" --result WARNING --color YELLOW
- logtext "Result: found ${FIND} unused distfiles"
+ LogText "Result: found ${FIND} unused distfiles"
ReportSuggestion ${TEST_NO} "Unused distfiles found. Use portsclean to delete these files. For example: portsclean -DD."
fi
fi
@@ -381,24 +381,24 @@
Register --test-no "PKGS-7366" --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking for debsecan utility"
if [ ${SKIPTEST} -eq 0 ]; then
if [ ! "${DEBSECANBINARY}" = "" ]; then
- logtext "Result: debsecan utility is installed"
+ LogText "Result: debsecan utility is installed"
Display --indent 4 --text "- debsecan utility" --result "FOUND" --color GREEN
AddHP 3 3
PACKAGE_AUDIT_TOOL_FOUND=1
PACKAGE_AUDIT_TOOL="debsecan"
FIND=`find /etc/cron* -name debsecan`
if [ ! ${FIND} = "" ]; then
- logtext "Result: cron job is configured for debsecan"
+ LogText "Result: cron job is configured for debsecan"
Display --indent 6 --text "- debsecan cron job" --result "FOUND" --color GREEN
AddHP 3 3
else
- logtext "Result: no cron job is configured for debsecan"
+ LogText "Result: no cron job is configured for debsecan"
Display --indent 4 --text "- debsecan cron job" --result "NOT FOUND" --color YELLOW
AddHP 1 3
ReportSuggestion ${TEST_NO} "Check debsecan cron job and ensure it is enabled"
fi
else
- logtext "Result: debsecan is not installed."
+ LogText "Result: debsecan is not installed."
Display --indent 4 --text "- debsecan utility" --result "NOT FOUND" --color YELLOW
AddHP 0 2
ReportSuggestion ${TEST_NO} "Install debsecan to check for vulnerabilities on installed packages."
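Review bot: `if [ ! ${FIND} = "" ]; then` in the debsecan cron check leaves `${FIND}` unquoted, unlike the `"${DEBSECANBINARY}"` test two lines above; when `find /etc/cron* -name debsecan` matches more than one file the test gets extra arguments and errors out, and when it matches nothing the comparison only works by accident. Suggest `if [ ! "${FIND}" = "" ]; then`. Also the FOUND branch displays at indent 6 while the NOT FOUND branch uses indent 4; they should match.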
@@ -414,23 +414,23 @@
Register --test-no "PKGS-7370" --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking for debsums utility"
if [ ${SKIPTEST} -eq 0 ]; then
if [ ! "${DEBSUMSBINARY}" = "" ]; then
- logtext "Result: debsums utility is installed"
+ LogText "Result: debsums utility is installed"
Display --indent 4 --text "- debsums utility" --result "FOUND" --color GREEN
AddHP 1 1
# Check in /etc/cron.hourly, daily, weekly, monthly etc
COUNT=`find /etc/cron* -name debsums | wc -l`
if [ ${COUNT} -gt 0 ]; then
- logtext "Result: Cron job is configured for debsums utility."
+ LogText "Result: Cron job is configured for debsums utility."
Display --indent 6 --text "- Cron job for debsums" --result "FOUND" --color GREEN
AddHP 3 3
else
- logtext "Result: Cron job is not configured for debsums utility."
+ LogText "Result: Cron job is not configured for debsums utility."
Display --indent 6 --text "- Cron job for debsums" --result "NOT FOUND" --color YELLOW
AddHP 1 3
ReportSuggestion "${TEST_NO}" "Check debsums configuration and enable checking regurlarly via a cron job."
fi
else
- logtext "Result: debsums utility is not installed."
+ LogText "Result: debsums utility is not installed."
AddHP 0 2
ReportSuggestion ${TEST_NO} "Install debsums utility for the verification of packages with known good database."
fi
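Review bot: the "debsums utility is not installed" branch adds hardening points and a suggestion but, unlike the debsecan test directly above, never calls `Display`, so the user sees nothing on screen for this outcome; add a `Display --indent 4 --text "- debsums utility" --result "NOT FOUND" --color YELLOW` line there. Separately, the unchanged `ReportSuggestion` string contains the typo "regurlarly" (should be "regularly"), which ends up in user-facing reports.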
@@ -444,16 +444,16 @@
Register --test-no PKGS-7378 --preqs-met ${PREQS_MET} --weight L --network NO --description "Query portmaster for port upgrades"
if [ ${SKIPTEST} -eq 0 ]; then
N=0
- logtext "Test: Querying portmaster for possible port upgrades"
+ LogText "Test: Querying portmaster for possible port upgrades"
UPACKAGES=`/usr/local/sbin/portmaster -L | grep "version available" | awk '{ print $5 }'`
for J in ${UPACKAGES}; do
N=`expr ${N} + 1`
- logtext "Upgrade available (new version): ${J}"
- report "upgrade_available[]=${J}"
+ LogText "Upgrade available (new version): ${J}"
+ Report "upgrade_available[]=${J}"
done
- report "upgrade_available_count=${N}"
+ Report "upgrade_available_count=${N}"
if [ ${N} -eq 0 ]; then
- logtext "Result: no upgrades found"
+ LogText "Result: no upgrades found"
Display --indent 2 --text "- Checking portmaster for updates" --result NONE --color GREEN
else
Display --indent 2 --text "- Checking portmaster for updates" --result FOUND --color YELLOW
@@ -472,18 +472,18 @@
if [ -f /var/db/pkg/pkgs-vulnerabilities ]; then
FIND=`/usr/sbin/pkg_admin audit`
if [ "${FIND}" = "" ]; then
- logtext "Result: pkg audit results are clean"
+ LogText "Result: pkg audit results are clean"
Display --indent 2 --text "- Checking pkg_admin audit to obtain vulnerable packages" --result NONE --color GREEN
AddHP 2 2
else
Display --indent 2 --text "- Checking pkg_admin audit to obtain vulnerable packages" --result WARNING --color RED
- logtext "Result: pkg_admin audit found one or more installed packages which are vulnerable."
+ LogText "Result: pkg_admin audit found one or more installed packages which are vulnerable."
ReportWarning ${TEST_NO} "M" "Found one or more vulnerable packages."
- logtext "List of vulnerable packages/version:"
+ LogText "List of vulnerable packages/version:"
for I in `/usr/sbin/pkg_admin audit | awk '{ print $2 }' | sort -u`; do
VULNERABLE_PACKAGES_FOUND=1
- report "vulnerable_package[]=${I}"
- logtext "Vulnerable package: ${I}"
+ Report "vulnerable_package[]=${I}"
+ LogText "Vulnerable package: ${I}"
# Decrease hardening points for every found vulnerable package
AddHP 1 2
done
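Review bot: `pkg_admin audit` is executed twice in this hunk, once into `${FIND}` to decide whether anything is vulnerable and again inside the `for` loop to extract package names; the second run is redundant and the two invocations can disagree if the vulnerability database changes in between. Reuse the captured output instead, e.g. `for I in \`echo "${FIND}" | awk '{ print $2 }' | sort -u\`; do`.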
@@ -495,7 +495,7 @@
fi
else
Display --indent 2 --text "- pkg_admin audit not installed" --result "NOT FOUND" --color WHITE
- logtext "Result: pkg_admin audit not installed, skipping this vulnerability test."
+ LogText "Result: pkg_admin audit not installed, skipping this vulnerability test."
fi
fi
#
@@ -511,28 +511,28 @@
PACKAGE_AUDIT_TOOL_FOUND=1
PACKAGE_AUDIT_TOOL="pkg audit"
if [ "${FIND}" = "" ]; then
- logtext "Result: pkg audit results are clean"
+ LogText "Result: pkg audit results are clean"
Display --indent 2 --text "- Checking pkg audit to obtain vulnerable packages" --result NONE --color GREEN
else
- logtext "Result: ${FIND}"
+ LogText "Result: ${FIND}"
VULNERABLE_PACKAGES_FOUND=1
Display --indent 2 --text "- Checking pkg audit to obtain vulnerable packages" --result FOUND --color YELLOW
ReportSuggestion ${TEST_NO} "Check output of pkg audit"
#Display --indent 2 --text "- Checking pkg audit to obtain vulnerable packages" --result WARNING --color RED
- #logtext "Result: pkg audit found one or more installed packages which are vulnerable."
+ #LogText "Result: pkg audit found one or more installed packages which are vulnerable."
#ReportWarning ${TEST_NO} "M" "Found one or more vulnerable packages."
#ReportSuggestion ${TEST_NO} "Update your system with portupgrade or other tools"
- #logtext "List of vulnerable packages/version:"
+ #LogText "List of vulnerable packages/version:"
#for I in `/usr/sbin/pkg audit -F | grep "Affected package" | cut -d ' ' -f3 | sort -u`; do
- # report "vulnerable_package[]=${I}"
- # logtext "Vulnerable package: ${I}"
+ # Report "vulnerable_package[]=${I}"
+ # LogText "Vulnerable package: ${I}"
# # Decrease hardening points for every found vulnerable package
# AddHP 1 2
#done
fi
else
Display --indent 2 --text "- pkg audit not installed" --result "NOT FOUND" --color WHITE
- logtext "Result: pkg audit not installed, skipping this vulnerability test."
+ LogText "Result: pkg audit not installed, skipping this vulnerability test."
fi
fi
#
@@ -547,18 +547,18 @@
PACKAGE_AUDIT_TOOL_FOUND=1
FIND=`/usr/local/sbin/portaudit | grep 'problem(s) in your installed packages found' | grep -v '0 problem(s) in your installed packages found'`
if [ "${FIND}" = "" ]; then
- logtext "Result: Portaudit results are clean"
+ LogText "Result: Portaudit results are clean"
Display --indent 2 --text "- Checking portaudit to obtain vulnerable packages" --result NONE --color GREEN
else
Display --indent 2 --text "- Checking portaudit to obtain vulnerabilities" --result WARNING --color RED
- logtext "Result: Portaudit found one or more installed packages which are vulnerable."
+ LogText "Result: Portaudit found one or more installed packages which are vulnerable."
ReportWarning ${TEST_NO} "M" "Found one or more vulnerable packages."
ReportSuggestion ${TEST_NO} "Update your system with portupgrade or other tools"
- logtext "List of vulnerable packages/version:"
+ LogText "List of vulnerable packages/version:"
for I in `/usr/local/sbin/portaudit | grep "Affected package" | cut -d ' ' -f3 | sort -u`; do
VULNERABLE_PACKAGES_FOUND=1
- report "vulnerable_package[]=${I}"
- logtext "Vulnerable package: ${I}"
+ Report "vulnerable_package[]=${I}"
+ LogText "Vulnerable package: ${I}"
# Decrease hardening points for every found vulnerable package
AddHP 1 2
done
@@ -572,15 +572,15 @@
if [ ! "${YUMBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PKGS-7383 --preqs-met ${PREQS_MET} --os Linux --weight M --network NO --description "Check for YUM package Update management"
if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: YUM package update management"
+ LogText "Test: YUM package update management"
sFIND=`${YUMBINARY} repolist 2>/dev/null | grep repolist | sed 's/ //g' | sed 's/[,.]//g' | awk -F ":" '{print $2}'`
if [ "$(echo ${sFIND} | egrep "^[0-9]+$")" -a "${sFIND}" = "0" ]; then
- logtext "Result: YUM package update management failed"
+ LogText "Result: YUM package update management failed"
Display --indent 2 --text "- Checking YUM package management consistency" --result WARNING --color RED
ReportWarning ${TEST_NO} "M" "YUM is not properly configured or registered for this platform (no repolist found)"
#ReportSuggestion ${TEST_NO} "Check YUM registration for repository configuration (repolist)"
else
- logtext "Result: YUM repository available (${sFIND})"
+ LogText "Result: YUM repository available (${sFIND})"
Display --indent 2 --text "- Checking YUM package management consistency" --result OK --color GREEN
fi
fi
@@ -593,35 +593,35 @@
Register --test-no PKGS-7384 --preqs-met ${PREQS_MET} --os Linux --weight L --network NO --description "Check for YUM utils package"
if [ ${SKIPTEST} -eq 0 ]; then
if [ -x /usr/bin/package-cleanup ]; then
- logtext "Result: found YUM utils package (/usr/bin/package-cleanup)"
+ LogText "Result: found YUM utils package (/usr/bin/package-cleanup)"
# Check for duplicates
- logtext "Test: Checking for duplicate packages"
+ LogText "Test: Checking for duplicate packages"
FIND=`/usr/bin/package-cleanup -q --dupes > /dev/null; echo $?`
if [ "${FIND}" = "0" ]; then
- logtext "Result: No duplicate packages found"
+ LogText "Result: No duplicate packages found"
Display --indent 2 --text "- Checking package database duplicates" --result OK --color GREEN
else
- logtext "Result: One or more duplicate packages found"
+ LogText "Result: One or more duplicate packages found"
Display --indent 2 --text "- Checking package database duplicates" --result WARNING --color RED
ReportWarning ${TEST_NO} "L" "Found one or more duplicate packages installed"
ReportSuggestion ${TEST_NO} "Run package-cleanup to solve duplicate package problems"
fi
# Check for package database problems
- logtext "Test: Checking for database problems"
+ LogText "Test: Checking for database problems"
FIND=`/usr/bin/package-cleanup --problems > /dev/null; echo $?`
if [ "${FIND}" = "0" ]; then
- logtext "Result: No package database problems found"
+ LogText "Result: No package database problems found"
Display --indent 2 --text "- Checking package database for problems" --result OK --color GREEN
else
- logtext "Result: One or more problems found in package database"
+ LogText "Result: One or more problems found in package database"
Display --indent 2 --text "- Checking package database for problems" --result WARNING --color RED
ReportWarning ${TEST_NO} "L" "Found one or more problems in the package database"
ReportSuggestion ${TEST_NO} "Run package-cleanup to solve package problems"
fi
else
Display --indent 2 --text "- yum-utils package not installed" --result SUGGESTION --color YELLOW
- logtext "Result: YUM utils package not found"
+ LogText "Result: YUM utils package not found"
ReportSuggestion ${TEST_NO} "Install package 'yum-utils' for better consistency checking of the package database"
fi
fi
@@ -638,7 +638,7 @@
Register --test-no PKGS-7386 --preqs-met ${PREQS_MET} --os Linux --weight L --network NO --description "Check for YUM security package"
if [ ${SKIPTEST} -eq 0 ]; then
DO_TEST=0
- logtext "Test: Determining if yum-security package installed"
+ LogText "Test: Determining if yum-security package installed"
# Check for built-in --security option
if [ ${DO_TEST} -eq 0 ]; then
@@ -647,9 +647,9 @@
SearchItem "\-\-security" "/usr/share/yum-cli/cli.py"
if [ ${ITEM_FOUND} -eq 1 ]; then
DO_TEST=1
- logtext "Result: found built-in security in yum"
+ LogText "Result: found built-in security in yum"
else
- logtext "Result: did not find --security in /usr/share/yum-cli/cli.py"
+ LogText "Result: did not find --security in /usr/share/yum-cli/cli.py"
fi
fi
fi
@@ -660,9 +660,9 @@
SearchItem "^enabled=1$" "/etc/yum/pluginconf.d/security.conf"
if [ ${ITEM_FOUND} -eq 1 ]; then
DO_TEST=1
- logtext "Result: found enabled plugin"
+ LogText "Result: found enabled plugin"
else
- logtext "Result: plugin NOT enabled in /etc/yum/pluginconf.d/security.conf"
+ LogText "Result: plugin NOT enabled in /etc/yum/pluginconf.d/security.conf"
fi
fi
fi
@@ -671,7 +671,7 @@
if [ ${DO_TEST} -eq 0 ]; then
FIND=`rpm -q yum-security yum-plugin-security | grep -v "not installed"`
if [ ! "${FIND}" = "" ]; then
- logtext "Result: found yum-plugin-security package"
+ LogText "Result: found yum-plugin-security package"
DO_TEST=1
fi
fi
@@ -680,25 +680,25 @@
if [ ${DO_TEST} -eq 1 ]; then
PACKAGE_AUDIT_TOOL_FOUND=1
PACKAGE_AUDIT_TOOL="yum-security"
- logtext "Test: Checking for vulnerable packages"
+ LogText "Test: Checking for vulnerable packages"
FIND2=`/usr/bin/yum list-sec security | awk '{ if($2=="security" || $2~"Sec") print $3","$5 }'`
if [ "${FIND2}" = "" ]; then
- logtext "Result: no vulnerable packages found"
+ LogText "Result: no vulnerable packages found"
Display --indent 2 --text "- Checking missing security packages" --result OK --color GREEN
else
- logtext "Result: found vulnerable package(s)"
+ LogText "Result: found vulnerable package(s)"
Display --indent 2 --text "- Checking missing security packages" --result WARNING --color RED
for I in ${FIND2}; do
VULNERABLE_PACKAGES_FOUND=1
- report "vulnerable_package[]=${I}"
- logtext "Vulnerable package: ${I}"
+ Report "vulnerable_package[]=${I}"
+ LogText "Vulnerable package: ${I}"
AddHP 1 2
done
ReportWarning ${TEST_NO} "M" "Found one or more vulnerable packages."
ReportSuggestion ${TEST_NO} "Use 'yum --security update' to update your system"
fi
else
- logtext "Result: yum-security package not found"
+ LogText "Result: yum-security package not found"
Display --indent 2 --text "- Checking missing security packages" --result SKIPPED --color YELLOW
ReportSuggestion ${TEST_NO} "Install package yum-plugin-security if possible, to maintain security updates easier (yum install yum-plugin-security)"
fi
@@ -717,7 +717,7 @@
SearchItem "^gpgenabled=1$" "/etc/yum.conf"; if [ ${ITEM_FOUND} -eq 1 ]; then FOUND=1; fi
SearchItem "^gpgcheck=1$" "/etc/yum.conf"; if [ ${ITEM_FOUND} -eq 1 ]; then FOUND=1; fi
if [ ${FOUND} -eq 1 ]; then
- logtext "Result: GPG check is enabled"
+ LogText "Result: GPG check is enabled"
Display --indent 2 --text "- Checking GPG checks (yum.conf)" --result OK --color GREEN
else
Display --indent 2 --text "- Checking GPG checks (yum.conf)" --result DISABLED --color RED
@@ -736,33 +736,33 @@
FOUND=0
if [ ! "${OPTION_DEBIAN_SKIP_SECURITY_REPOSITORY}" = "yes" ]; then
if [ -f /etc/apt/sources.list ]; then
- logtext "Searching for security.debian.org/security.ubuntu.com or security repositories in /etc/apt/sources.list file"
+ LogText "Searching for security.debian.org/security.ubuntu.com or security repositories in /etc/apt/sources.list file"
FIND=`egrep "security.debian.org|security.ubuntu.com|-security " /etc/apt/sources.list | grep -v '#' | sed 's/ /!space!/g'`
if [ ! "${FIND}" = "" ]; then
FOUND=1
Display --indent 2 --text "- Checking security repository in sources.list file" --result OK --color GREEN
- logtext "Result: Found security repository in /etc/apt/sources.list"
+ LogText "Result: Found security repository in /etc/apt/sources.list"
for I in ${FIND}; do
I=`echo ${I} | sed 's/!space!/ /g'`
- logtext "Output: ${I}"
+ LogText "Output: ${I}"
done
fi
fi
if [ -d /etc/apt/sources.list.d ]; then
- logtext "Searching for security.debian.org/security.ubuntu.com or security repositories in /etc/apt/sources.list.d directory"
+ LogText "Searching for security.debian.org/security.ubuntu.com or security repositories in /etc/apt/sources.list.d directory"
FIND=`egrep -r "security.debian.org|security.ubuntu.com|-security " /etc/apt/sources.list.d | grep -v '#' | sed 's/ /!space!/g'`
if [ ! "${FIND}" = "" ]; then
FOUND=1
Display --indent 2 --text "- Checking security repository in sources.list.d directory" --result OK --color GREEN
- logtext "Result: Found security repository in one or more files in directory /etc/apt/sources.list.d"
+ LogText "Result: Found security repository in one or more files in directory /etc/apt/sources.list.d"
for I in ${FIND}; do
I=`echo ${I} | sed 's/!space!/ /g'`
- logtext "Output: ${I}"
+ LogText "Output: ${I}"
done
fi
fi
if [ ${FOUND} -eq 1 ]; then
- logtext "Result: security repository was found"
+ LogText "Result: security repository was found"
AddHP 3 3
else
Display --indent 2 --text "- Checking security repository in sources.list file or directory" --result WARNING --color RED
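Review bot: both `egrep ... | grep -v '#'` pipelines drop every line that contains a `#` anywhere, so an active security repository entry with a trailing comment is discarded and the test can report a missing security repository on a correctly configured host; filtering only commented-out lines with `grep -v '^[[:space:]]*#'` avoids that false negative. The unescaped dots in `security.debian.org|security.ubuntu.com` are also regex wildcards, which is harmless here but worth escaping for precision.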
@@ -770,7 +770,7 @@
AddHP 0 3
fi
else
- logtext "Skipped as option is set to ignore security repository"
+ LogText "Skipped as option is set to ignore security repository"
fi
fi
#
@@ -781,13 +781,13 @@
if [ "${LINUX_VERSION}" = "Ubuntu" -a -x /usr/bin/apt-get ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PKGS-7390 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --description "Check Ubuntu database consistency"
if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: Package database consistency by running apt-get check"
+ LogText "Test: Package database consistency by running apt-get check"
FIND=`/usr/bin/apt-get -q=2 check 2> /dev/null; echo $?`
if [ "${FIND}" = "0" ]; then
Display --indent 2 --text "- Checking APT package database" --result OK --color GREEN
- logtext "Result: package database seems to be consistent."
+ LogText "Result: package database seems to be consistent."
else
- logtext "Result: package database is most likely NOT consistent"
+ LogText "Result: package database is most likely NOT consistent"
Display --indent 2 --text "- Checking APT package database" --result WARNING --color RED
ReportWarning ${TEST_NO} "M" "apt-get check returned a non successful exit code."
ReportSuggestion ${TEST_NO} "Run apt-get to perform a manual package database consistency check."
@@ -804,35 +804,35 @@
VULNERABLE_PACKAGES_FOUND=0
SCAN_PERFORMED=0
# Update the repository, outdated repositories don't give much information
- logtext "Action: updating repository with apt-get"
+ LogText "Action: updating repository with apt-get"
/usr/bin/apt-get -q=2 update
- logtext "Result: apt-get finished"
- logtext "Test: Checking if /usr/lib/update-notifier/apt-check exists"
+ LogText "Result: apt-get finished"
+ LogText "Test: Checking if /usr/lib/update-notifier/apt-check exists"
if [ -x /usr/lib/update-notifier/apt-check ]; then
PACKAGE_AUDIT_TOOL_FOUND=1
PACKAGE_AUDIT_TOOL="apt-check"
- logtext "Result: found /usr/lib/update-notifier/apt-check"
- logtext "Test: checking if any of the updates contain security updates"
+ LogText "Result: found /usr/lib/update-notifier/apt-check"
+ LogText "Test: checking if any of the updates contain security updates"
# apt-check binary is a script and translated. Do not search for normal text strings, but use numbered output only
FIND=`/usr/lib/update-notifier/apt-check 2>&1 | awk -F\; '{ print $2 }'`
# Check if we get the proper line back and amount of security patches available
if [ "${FIND}" = "" ]; then
- logtext "Result: did not find security updates line"
+ LogText "Result: did not find security updates line"
ReportSuggestion ${TEST_NO} "Check if system is up-to-date, security updates test (apt-check) gives an unexpected result"
ReportException "${TEST_NO}:1" "Apt-check did not provide any result"
else
if [ "${FIND}" = "0" ]; then
- logtext "Result: no vulnerable packages found via apt-check"
+ LogText "Result: no vulnerable packages found via apt-check"
SCAN_PERFORMED=1
else
VULNERABLE_PACKAGES_FOUND=1
SCAN_PERFORMED=1
- logtext "Result: found ${FIND} security updates via apt-check"
+ LogText "Result: found ${FIND} security updates via apt-check"
AddHP 0 25
fi
fi
else
- logtext "Result: apt-check (update-notifier-common) not found"
+ LogText "Result: apt-check (update-notifier-common) not found"
fi
# Trying also with apt-get directly (does not always work, as updates are distributed on both -security and -updates)
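Review bot: this test runs `/usr/bin/apt-get -q=2 update`, which fetches from the network and rewrites the package lists on the audited host, and then logs "apt-get finished" unconditionally, so a failed or offline update is indistinguishable from a successful one and the apt-check result that follows is computed against stale lists. Capture the exit status (`/usr/bin/apt-get -q=2 update; if [ $? -ne 0 ]; then LogText "Result: apt-get update failed"; fi`) and consider documenting the side effect, since an audit step that modifies system state should be explicit about it.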
@@ -841,12 +841,12 @@
if [ ! "${FIND}" = "" ]; then
VULNERABLE_PACKAGES_FOUND=1
SCAN_PERFORMED=1
- logtext "Result: found vulnerable package(s) via apt-get (-security channel)"
+ LogText "Result: found vulnerable package(s) via apt-get (-security channel)"
PACKAGE_AUDIT_TOOL="apt-get"
PACKAGE_AUDIT_TOOL_FOUND=1
for I in ${FIND}; do
- logtext "Found vulnerable package: ${I}"
- report "vulnerable_package[]=${I}"
+ LogText "Found vulnerable package: ${I}"
+ Report "vulnerable_package[]=${I}"
done
fi
if [ ${SCAN_PERFORMED} -eq 1 ]; then
@@ -856,11 +856,11 @@
Display --indent 2 --text "- Checking vulnerable packages" --result WARNING --color RED
else
Display --indent 2 --text "- Checking vulnerable packages" --result OK --color GREEN
- logtext "Result: no vulnerable packages found"
+ LogText "Result: no vulnerable packages found"
fi
else
Display --indent 2 --text "- Checking vulnerable packages (apt-get only)" --result DONE --color GREEN
- logtext "Result: test not fully executed (missing apt-check output)"
+ LogText "Result: test not fully executed (missing apt-check output)"
fi
fi
#
@@ -877,36 +877,36 @@
# Multiple ways to do this. Some require extra packages to be installed,
# others require potential firewall ports to be open, outbound. This is the
# "most friendly" way.
- logtext "Action: updating portage with emerge-webrsync"
+ LogText "Action: updating portage with emerge-webrsync"
/usr/bin/emerge-webrsync --quiet 2> /dev/null
- logtext "Result: emerge-webrsync finished"
- logtext "Test: checking if /usr/bin/glsa-check exists"
+ LogText "Result: emerge-webrsync finished"
+ LogText "Test: checking if /usr/bin/glsa-check exists"
if [ -x /usr/bin/glsa-check ]; then
PACKAGE_AUDIT_TOOL_FOUND=1
PACKAGE_AUDIT_TOOL="glsa-check"
- logtext "Result: found /usr/bin/glsa-check"
- logtext "Test: checking if there are any vulnerable packages"
+ LogText "Result: found /usr/bin/glsa-check"
+ LogText "Test: checking if there are any vulnerable packages"
# glsa-check reports the GLSA date/ID string, not the vulnerable package.
FIND=`/usr/bin/glsa-check -t all 2>&1 | grep -v "This system is affected by the following GLSAs:" | grep -v "This system is not affected by any of the listed GLSAs" | wc -l`
if [ "${FIND}" = "" ]; then
- logtext "Result: unexpected result: wc should report 0 if no vulnerable packages are found."
- logtext "Notes: Check if system is up-to-date, security updates check (glsa-check) gives and unexpected result"
+ LogText "Result: unexpected result: wc should report 0 if no vulnerable packages are found."
+ LogText "Notes: Check if system is up-to-date, security updates check (glsa-check) gives and unexpected result"
ReportException "${TEST_NO}:1" "glsa-check did not provide any result, which is unexpected"
else
if [ "${FIND}" = "0" ]; then
- logtext "Result; no vulnerable packages found via glsa-check"
+ LogText "Result; no vulnerable packages found via glsa-check"
Display --indent 2 --text "- Checking vulnerable packages (glsa-check)" --result OK --color GREEN
else
VULNERABLE_PACKAGES_FOUND=1
Display --indent 2 --text "- Checking vulnerable packages (glsa-check)" --result FOUND --color RED
- logtext "Result: found ${FIND} security updates with glsa-check"
+ LogText "Result: found ${FIND} security updates with glsa-check"
ReportWarning "${TEST_NO}" "H" "Found ${FIND} security update(s) with glsa-check."
- logtext "Notes: Run 'glsa-check -t all' to see which GLSA(s) were identified."
+ LogText "Notes: Run 'glsa-check -t all' to see which GLSA(s) were identified."
AddHP 0 25
fi
fi
else
- logtext "Result: glsa-check tool not found"
+ LogText "Result: glsa-check tool not found"
ReportSuggestion ${TEST_NO} "Use Emerge to install the gentoolkit package, which includes glsa-check tool for additional security checks."
fi
fi
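Review bot: two log messages rewritten in this hunk carry over typos that could be fixed in the same pass: `LogText "Notes: Check if system is up-to-date, security updates check (glsa-check) gives and unexpected result"` should read "gives an unexpected result", and `LogText "Result; no vulnerable packages found via glsa-check"` should use a colon. Separately, `wc -l` always prints a number, so the `"${FIND}" = ""` branch with its ReportException is reachable only if the whole command substitution fails; the empty check does no harm, but the log text about wc reporting 0 does not describe that case.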
@@ -918,26 +918,26 @@
if [ "${LINUX_VERSION}" = "Ubuntu" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PKGS-7394 --os Linux --preqs-met ${PREQS_MET} --weight L --network YES --description "Check for Ubuntu updates"
if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: checking /usr/bin/apt-show-versions"
+ LogText "Test: checking /usr/bin/apt-show-versions"
if [ -x /usr/bin/apt-show-versions ]; then
- logtext "Result: found /usr/bin/apt-show-versions"
- logtext "Test: Checking packages which can be upgraded via apt-show-versions"
+ LogText "Result: found /usr/bin/apt-show-versions"
+ LogText "Test: Checking packages which can be upgraded via apt-show-versions"
FIND=`/usr/bin/apt-show-versions -u | sed 's/ /!space!/g'`
if [ "${FIND}" = "" ]; then
- logtext "Result: no packages found which can be upgraded"
+ LogText "Result: no packages found which can be upgraded"
Display --indent 2 --text "- Checking upgradeable packages" --result NONE --color GREEN
AddHP 3 3
else
- logtext "Result: found one or more packages which can be upgraded"
+ LogText "Result: found one or more packages which can be upgraded"
Display --indent 2 --text "- Checking upgradeable packages" --result FOUND --color YELLOW
# output: program/repository upgradeable from version X to Y
for I in ${FIND}; do
I=`echo ${I} | sed 's/!space!/ /g'`
- logtext "${I}"
+ LogText "${I}"
done
fi
else
- logtext "Result: /usr/bin/apt-show-versions not found"
+ LogText "Result: /usr/bin/apt-show-versions not found"
Display --indent 2 --text "- Checking upgradeable packages" --result SKIPPED --color WHITE
ReportSuggestion ${TEST_NO} "Install package apt-show-versions for patch management purposes"
fi
@@ -950,15 +950,15 @@
# Description : Check package audit tool
Register --test-no PKGS-7398 --weight L --network YES --description "Check for package audit tool"
if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: checking for package audit tool"
+ LogText "Test: checking for package audit tool"
if [ ${PACKAGE_AUDIT_TOOL_FOUND} -eq 0 ]; then
Display --indent 2 --text "- Checking package audit tool" --result NONE --color RED
ReportSuggestion ${TEST_NO} "Install a package audit tool to determine vulnerable packages"
- logtext "Result: no package audit tool found"
+ LogText "Result: no package audit tool found"
else
Display --indent 2 --text "- Checking package audit tool" --result INSTALLED --color GREEN
Display --indent 4 --text "Found: ${PACKAGE_AUDIT_TOOL}"
- logtext "Result: found package audit tool: ${PACKAGE_AUDIT_TOOL}"
+ LogText "Result: found package audit tool: ${PACKAGE_AUDIT_TOOL}"
fi
fi
#
@@ -980,17 +980,17 @@
if [ ${SKIPTEST} -eq 0 ]; then
KERNELS=0
if [ ! "${RPMBINARY}" = "" ]; then
- logtext "Test: Checking how many kernel packages are installed"
+ LogText "Test: Checking how many kernel packages are installed"
KERNELS=`rpm -q kernel 2> /dev/null | wc -l`
if [ ${KERNELS} -eq 0 ]; then
- logtext "Result: found no kernels from rpm -q kernel output, which is unexpected"
+ LogText "Result: found no kernels from rpm -q kernel output, which is unexpected"
ReportException "KRNL-5840:1" "Could not find any kernel packages from RPM output"
elif [ ${KERNELS} -gt 5 ]; then
- logtext "Result: found more than 5 kernel packages on the system, which might indicate lack of regular cleanups"
+ LogText "Result: found more than 5 kernel packages on the system, which might indicate lack of regular cleanups"
ReportSuggestion "${TEST_NO}" "Remove any unneeded kernel packages with package-cleanup utility (--old-kernels)"
AddHP 4 5
else
- logtext "Result: found ${KERNELS} on the system, which is fine"
+ LogText "Result: found ${KERNELS} on the system, which is fine"
AddHP 1 1
fi
fi
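Review bot: `rpm -q kernel` prints "package kernel is not installed" to stdout, so on a system whose kernel package has a different name (openSUSE's kernel-default, for instance) `wc -l` returns 1 rather than 0 and the `ReportException "KRNL-5840:1"` branch is never taken; checking the exit status of `rpm -q kernel` first, or filtering that line out before `wc -l`, would make the zero case real. While the line is being rewritten, `LogText "Result: found ${KERNELS} on the system, which is fine"` is missing its noun and should say "found ${KERNELS} kernel packages". Note also that the exception is hard-coded as KRNL-5840 while the suggestion two lines later uses `${TEST_NO}`; worth confirming that is intentional.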
@@ -1000,16 +1000,16 @@
#
if [ ! "${INSTALLED_PACKAGES}" = "" ]; then
- report "installed_packages_array=${INSTALLED_PACKAGES}"
+ Report "installed_packages_array=${INSTALLED_PACKAGES}"
fi
-report "package_audit_tool=${PACKAGE_AUDIT_TOOL}"
-report "package_audit_tool_found=${PACKAGE_AUDIT_TOOL_FOUND}"
-report "vulnerable_packages_found=${VULNERABLE_PACKAGES_FOUND}"
+Report "package_audit_tool=${PACKAGE_AUDIT_TOOL}"
+Report "package_audit_tool_found=${PACKAGE_AUDIT_TOOL_FOUND}"
+Report "vulnerable_packages_found=${VULNERABLE_PACKAGES_FOUND}"
wait_for_keypress
#
#================================================================================
-# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com
+# Lynis - Copyright 2007-2016, Michael Boelen, CISOfy - https://cisofy.com
diff --git a/include/tests_printers_spools b/include/tests_printers_spools
index ec64bc11..cfb1a6f3 100644
--- a/include/tests_printers_spools
+++ b/include/tests_printers_spools
@@ -5,7 +5,7 @@
# Lynis
# ------------------
#
-# Copyright 2007-2015, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
+# Copyright 2007-2016, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
# Web site: https://cisofy.com
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
@@ -38,22 +38,22 @@
# Description : Check printcap file consistency
Register --test-no PRNT-2302 --os FreeBSD --weight L --network NO --description "Check for available accounting information"
if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: Searching /usr/sbin/chkprintcap"
+ LogText "Test: Searching /usr/sbin/chkprintcap"
if [ ! -f /usr/sbin/chkprintcap ]; then
Display --indent 2 --text "- Checking chkprintcap" --result "NOT FOUND" --color WHITE
- logtext "Result: /usr/sbin/chkprintcap NOT found, test skipped."
+ LogText "Result: /usr/sbin/chkprintcap NOT found, test skipped."
else
- logtext "Result: /usr/sbin/chkprintcap found"
+ LogText "Result: /usr/sbin/chkprintcap found"
FIND=`/usr/sbin/chkprintcap > /dev/null ; echo $?`
# Only an exit code of zero should come back. Use string instead of integer, due unexpected trash
if [ "${FIND}" = "0" ]; then
Display --indent 2 --text "- Integrity check of printcap file" --result OK --color GREEN
- logtext "Result: chkprintcap did NOT gave any warnings"
+ LogText "Result: chkprintcap did NOT gave any warnings"
else
Display --indent 2 --text "- Integrity check of printcap file" --result WARNING --color RED
ReportSuggestion ${TEST_NO} "Run chkprintcap manually to test printcap file"
- logtext "Output from chkprintcap: ${FIND}"
- logtext "Run chkprintcap and check the /etc/printcap file."
+ LogText "Output from chkprintcap: ${FIND}"
+ LogText "Run chkprintcap and check the /etc/printcap file."
fi
fi
fi
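Review bot: `FIND` holds the exit status of chkprintcap (`echo $?`), not its output, so `LogText "Output from chkprintcap: ${FIND}"` will log a bare number such as 1; either change the message to "Exit code from chkprintcap" or capture stdout/stderr into a separate variable if the diagnostic text is what the log should contain. While touching the line, `LogText "Result: chkprintcap did NOT gave any warnings"` should read "did NOT give".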
@@ -64,16 +64,16 @@
# Description : Check cupsd status
Register --test-no PRNT-2304 --weight L --network NO --description "Check cupsd status"
if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: Checking cupsd status"
+ LogText "Test: Checking cupsd status"
#FIND=`${PSBINARY} ax | grep "cupsd" | grep -v "grep" | grep -v apcupsd`
IsRunning cupsd
if [ ${RUNNING} -eq 1 ]; then
Display --indent 2 --text "- Checking cups daemon" --result RUNNING --color GREEN
- logtext "Result: cups daemon running"
+ LogText "Result: cups daemon running"
CUPSD_RUNNING=1; PRINTING_DAEMON="cups"
else
Display --indent 2 --text "- Checking cups daemon" --result "NOT FOUND" --color WHITE
- logtext "Result: cups daemon not running, cups daemon tests skipped"
+ LogText "Result: cups daemon not running, cups daemon tests skipped"
fi
fi
#
@@ -84,21 +84,21 @@
if [ ${CUPSD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PRNT-2306 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check CUPSd configuration file"
if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: Searching cupsd configuration file"
+ LogText "Test: Searching cupsd configuration file"
for I in ${CUPSD_CONFIG_LOCS}; do
if [ -f ${I}/cupsd.conf ]; then
CUPSD_CONFIG_FILE="${I}/cupsd.conf"
- logtext "Result: found ${CUPSD_CONFIG_FILE}"
+ LogText "Result: found ${CUPSD_CONFIG_FILE}"
fi
done
if [ ! "${CUPSD_CONFIG_FILE}" = "" ]; then
Display --indent 2 --text "- Checking CUPS configuration file" --result OK --color GREEN
- logtext "Result: configuration file found (${CUPSD_CONFIG_FILE})"
+ LogText "Result: configuration file found (${CUPSD_CONFIG_FILE})"
CUPSD_FOUND=1
else
Display --indent 2 --text "- Checking CUPS configuration file" --result "NOT FOUND" --color RED
- logtext "Result: configuration file not found"
- logtext "Development: no CUPS configuration file found"
+ LogText "Result: configuration file not found"
+ LogText "Development: no CUPS configuration file found"
fi
fi
#
@@ -110,9 +110,9 @@
if [ ${CUPSD_FOUND} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PRNT-2307 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check CUPSd configuration file permissions"
if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: Checking CUPS configuration file permissions"
+ LogText "Test: Checking CUPS configuration file permissions"
FIND=`ls -l ${CUPSD_CONFIG_FILE} | cut -c 2-10`
- logtext "Result: found ${FIND}"
+ LogText "Result: found ${FIND}"
if [ "${FIND}" = "r--------" -o "${FIND}" = "rw-------" -o "${FIND}" = "rw-r-----" -o "${FIND}" = "rw-rw----" ]; then
Display --indent 4 --text "- File permissions" --result "OK" --color GREEN
AddHP 1 1
@@ -132,11 +132,11 @@
if [ ${SKIPTEST} -eq 0 ]; then
FOUND=0
# Checking network addresses
- logtext "Test: Checking CUPS daemon listening network addresses"
+ LogText "Test: Checking CUPS daemon listening network addresses"
FIND=`grep "^Listen" ${CUPSD_CONFIG_FILE} | grep -v "/" | awk '{ print $2 }'`
N=0
for I in ${FIND}; do
- logtext "Found network address: ${I}"
+ LogText "Found network address: ${I}"
N=`expr ${N} + 1`
FOUND=1
done
@@ -147,33 +147,33 @@
# Check if daemon is only running on localhost
if [ ${N} -eq 1 ]; then
if [ "${FIND}" = "localhost:631" -o "${FIND}" = "127.0.0.1:631" ]; then
- logtext "Result: CUPS daemon only running on localhost"
+ LogText "Result: CUPS daemon only running on localhost"
AddHP 2 2
else
- logtext "Result: CUPS daemon running on one or more interfaces (not limited to localhost)"
+ LogText "Result: CUPS daemon running on one or more interfaces (not limited to localhost)"
ReportSuggestion ${TEST_NO} "Check CUPS configuration if it really needs to listen on the network"
AddHP 1 2
fi
else
- logtext "Result: CUPS daemon is running on several network addresses"
+ LogText "Result: CUPS daemon is running on several network addresses"
ReportSuggestion ${TEST_NO} "Check CUPS configuration if it really needs to run on several network addresses"
AddHP 1 2
fi
# Checking sockets
- logtext "Test: Checking cups daemon listening sockets"
+ LogText "Test: Checking cups daemon listening sockets"
FIND=`grep "^Listen" ${CUPSD_CONFIG_FILE} | grep "/" | awk '{ print $2 }'`
for I in ${FIND}; do
- logtext "Found socket address: ${I}"
+ LogText "Found socket address: ${I}"
N=`expr ${N} + 1`
done
if [ ${N} -eq 0 ]; then
Display --indent 2 --text "- Checking CUPS addresses/sockets" --result "NONE" --color WHITE
- logtext "Result: no addresses found on which CUPS daemon is listening"
+ LogText "Result: no addresses found on which CUPS daemon is listening"
else
Display --indent 2 --text "- Checking CUPS addresses/sockets" --result "FOUND" --color GREEN
- logtext "Result: CUPS daemon is listening on network/socket"
+ LogText "Result: CUPS daemon is listening on network/socket"
fi
fi
#
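Review bot: the loopback check `if [ "${FIND}" = "localhost:631" -o "${FIND}" = "127.0.0.1:631" ]` recognises only the IPv4 form, so a cupsd.conf that also carries `Listen [::1]:631` (two Listen lines, both loopback) lands in the "running on several network addresses" branch and receives a suggestion it does not deserve; likewise an IPv6-only `[::1]:631` single entry is logged as "not limited to localhost". Classifying each address as loopback or not inside the `for I in ${FIND}` loop and basing the suggestion on whether any non-loopback address was seen would give the right answer for both cases.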
@@ -183,15 +183,15 @@
# Description : Check lpd status
Register --test-no PRNT-2314 --weight L --network NO --description "Check lpd status"
if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: Checking lpd status"
+ LogText "Test: Checking lpd status"
IsRunning lpd
if [ ${RUNNING} -eq 1 ]; then
Display --indent 2 --text "- Checking lp daemon" --result RUNNING --color GREEN
- logtext "Result: lp daemon running"
+ LogText "Result: lp daemon running"
LPD_RUNNING=1; PRINTING_DAEMON="lp"
else
Display --indent 2 --text "- Checking lp daemon" --result "NOT RUNNING" --color WHITE
- logtext "Result: lp daemon not running"
+ LogText "Result: lp daemon not running"
AddHP 4 4
fi
fi
@@ -214,21 +214,21 @@
# Description : Check /etc/qconfig file
Register --test-no PRNT-2316 --os AIX --weight L --network NO --description "Checking /etc/qconfig file"
if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: Checking /etc/qconfig"
+ LogText "Test: Checking /etc/qconfig"
QDAEMON_CONFIG_FILE="/etc/qconfig"
FileIsReadable ${QDAEMON_CONFIG_FILE}
if [ ${CANREAD} -eq 1 ]; then
FIND=`grep -v "^\*" ${QDAEMON_CONFIG_FILE} | egrep "backend|device"`
if [ ! "${FIND}" = "" ]; then
- logtext "Result: printers are defined in ${QDAEMON_CONFIG_FILE}"
+ LogText "Result: printers are defined in ${QDAEMON_CONFIG_FILE}"
Display --indent 2 --text "- Checking /etc/qconfig file" --result FOUND --color GREEN
QDAEMON_CONFIG_ENABLED=1
else
- logtext "Result: ${QDAEMON_CONFIG_FILE} is empty. No printers are defined"
+ LogText "Result: ${QDAEMON_CONFIG_FILE} is empty. No printers are defined"
Display --indent 2 --text "- Checking /etc/qconfig file" --result EMPTY --color WHITE
fi
else
- logtext "Result: Can not read ${QDAEMON_CONFIG_FILE} (no permission)"
+ LogText "Result: Can not read ${QDAEMON_CONFIG_FILE} (no permission)"
fi
fi
#
@@ -238,19 +238,19 @@
# Description : Check qdaemon printer spooler status
Register --test-no PRNT-2418 --os AIX --weight L --network NO --description "Checking qdaemon printer spooler status"
if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: Checking qdaemon status"
+ LogText "Test: Checking qdaemon status"
IsRunning qdaemon
if [ ${RUNNING} -eq 1 ]; then
- logtext "Result: qdaemon daemon running"
+ LogText "Result: qdaemon daemon running"
Display --indent 2 --text "- Checking qdaemon daemon" --result RUNNING --color GREEN
QDAEMON_RUNNING=1; PRINTING_DAEMON="qdaemon"
else
if [ ${QDAEMON_CONFIG_ENABLED} -eq 1 ]; then
- logtext "Result: qdaemon daemon not running"
+ LogText "Result: qdaemon daemon not running"
Display --indent 2 --text "- Checking qdaemon daemon" --result "NOT RUNNING" --color RED
ReportSuggestion ${TEST_NO} "Activate print spooler daemon (qdaemon) in order to process print jobs"
else
- logtext "Result: qdaemon daemon not running"
+ LogText "Result: qdaemon daemon not running"
Display --indent 2 --text "- Checking qdaemon daemon" --result "NOT RUNNING" --color WHITE
fi
fi
@@ -262,7 +262,7 @@
# Description : Checking old print jobs
Register --test-no PRNT-2420 --os AIX --weight L --network NO --description "Checking old print jobs"
if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: Checking old print jobs"
+ LogText "Test: Checking old print jobs"
DirectoryExists /var/spool/lpd/qdir
if [ ${DIRECTORY_FOUND} -eq 1 ]; then
FIND=`find /var/spool/lpd/qdir -type f -mtime +1 2> /dev/null | sed 's/ /!space!/g'`
@@ -270,15 +270,15 @@
N=0
for I in ${FIND}; do
FILE=`echo ${I} | sed 's/!space!/ /g'`
- logtext "Found old print job: ${FILE}"
+ LogText "Found old print job: ${FILE}"
N=`expr ${N} + 1`
done
- logtext "Result: Found ${N} old print jobs in /var/spool/lpd/qdir"
+ LogText "Result: Found ${N} old print jobs in /var/spool/lpd/qdir"
Display --indent 4 --text "- Checking old print jobs" --result FOUND --color YELLOW
ReportSuggestion ${TEST_NO} "Check old print jobs in /var/spool/lpd/qdir to prevent new jobs from being processed"
- logtext "Risk: Failed or defunct print jobs can occupy a lot of space and in some cases, prevent new jobs from being processed"
+ LogText "Risk: Failed or defunct print jobs can occupy a lot of space and in some cases, prevent new jobs from being processed"
else
- logtext "Result: Old print jobs not found in /var/spool/lpd/qdir"
+ LogText "Result: Old print jobs not found in /var/spool/lpd/qdir"
Display --indent 4 --text "- Checking old print jobs" --result "NONE" --color GREEN
fi
fi
@@ -287,10 +287,10 @@
#################################################################################
#
-report "printing_daemon=${PRINTING_DAEMON}"
+Report "printing_daemon=${PRINTING_DAEMON}"
wait_for_keypress
#
#================================================================================
-# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com
+# Lynis - Copyright 2007-2016, Michael Boelen, CISOfy - https://cisofy.com
diff --git a/include/tests_scheduling b/include/tests_scheduling
index 1b5e23f0..83067dd2 100644
--- a/include/tests_scheduling
+++ b/include/tests_scheduling
@@ -5,7 +5,7 @@
# Lynis
# ------------------
#
-# Copyright 2007-2015, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
+# Copyright 2007-2016, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
# Web site: https://cisofy.com
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
@@ -38,59 +38,59 @@
if [ -f /etc/crontab ]; then
FindCronJob /etc/crontab
for I in ${sCRONJOBS}; do
- logtext "Found cronjob (/etc/crontab): ${I}"
- report "cronjob[]=${I}"
+ LogText "Found cronjob (/etc/crontab): ${I}"
+ Report "cronjob[]=${I}"
done
fi
CRON_DIRS="/etc/cron.d"
for I in ${CRON_DIRS}; do
- logtext "Test: checking directory ${I}"
+ LogText "Test: checking directory ${I}"
if [ -d ${I} ]; then
FileIsReadable ${I}
if [ ${CANREAD} -eq 1 ]; then
- logtext "Result: found directory ${I}"
- logtext "Test: searching files in ${I}"
+ LogText "Result: found directory ${I}"
+ LogText "Test: searching files in ${I}"
FIND=`find ${I} -type f -print`
if [ "${FIND}" = "" ]; then
- logtext "Result: no files found in ${I}"
+ LogText "Result: no files found in ${I}"
else
- logtext "Result: found one or more files in ${I}. Analyzing files.."
+ LogText "Result: found one or more files in ${I}. Analyzing files.."
for J in ${FIND}; do
FindCronJob ${J}
for K in ${sCRONJOBS}; do
- logtext "Result: Found cronjob (${I}): ${K}"
+ LogText "Result: Found cronjob (${I}): ${K}"
done
done
- logtext "Result: done with analyzing files in ${I}"
+ LogText "Result: done with analyzing files in ${I}"
fi
else
- logtext "Result: can not read file or directory ${I}"
+ LogText "Result: can not read file or directory ${I}"
fi
else
- logtext "Result: directory ${I} does not exist"
+ LogText "Result: directory ${I} does not exist"
fi
done
CRON_DIRS="/etc/cron.hourly /etc/cron.daily /etc/cron.weekly /etc/cron.monthly"
for I in ${CRON_DIRS}; do
- logtext "Test: checking directory ${I}"
+ LogText "Test: checking directory ${I}"
if [ -d ${I} ]; then
- logtext "Result: found directory ${I}"
- logtext "Test: searching files in ${I}"
+ LogText "Result: found directory ${I}"
+ LogText "Test: searching files in ${I}"
FIND=`find ${I} -type f -print | grep -v ".placeholder"`
if [ "${FIND}" = "" ]; then
- logtext "Result: no files found in ${I}"
+ LogText "Result: no files found in ${I}"
else
- logtext "Result: found one or more files in ${I}. Analyzing files.."
+ LogText "Result: found one or more files in ${I}. Analyzing files.."
for J in ${FIND}; do
- logtext "Result: Found cronjob (${I}): ${J}"
- report "cronjob[]=${J}"
+ LogText "Result: Found cronjob (${I}): ${J}"
+ Report "cronjob[]=${J}"
done
- logtext "Result: done with analyzing files in ${I}"
+ LogText "Result: done with analyzing files in ${I}"
fi
else
- logtext "Result: directory ${I} does not exist"
+ LogText "Result: directory ${I} does not exist"
fi
done
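Review bot: `FIND=\`find ${I} -type f -print\`` is iterated with an unquoted `for J in ${FIND}`, so a file name containing whitespace under /etc/cron.d or the cron.* directories is split into several bogus entries; the atq handling later in this same file uses the `!space!` substitution for exactly this reason and the same trick fits here. Also, the /etc/cron.d loop only logs `LogText "Result: Found cronjob (${I}): ${K}"` and never calls `Report "cronjob[]=..."`, unlike the /etc/crontab and cron.{hourly,daily,weekly,monthly} branches, so jobs from /etc/cron.d are missing from the report file.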
@@ -101,8 +101,8 @@
for I in ${FIND}; do
FindCronJob ${I}
for J in ${sCRONJOBS}; do
- logtext "Found cronjob (/var/spool/cron/crontabs): ${I} (${J})"
- report "cronjob[]=${I}"
+ LogText "Found cronjob (/var/spool/cron/crontabs): ${I} (${J})"
+ Report "cronjob[]=${I}"
done
done
else
@@ -111,8 +111,8 @@
for I in ${FIND}; do
FindCronJob ${I}
for J in ${sCRONJOBS}; do
- logtext "Found cronjob (/var/spool/cron): ${I} (${J})"
- logtext "cronjob[]=${I}"
+ LogText "Found cronjob (/var/spool/cron): ${I} (${J})"
+ LogText "cronjob[]=${I}"
done
done
fi
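Review bot: `LogText "cronjob[]=${I}"` looks like a leftover bug the rename carried over unchanged: the matching branch for /var/spool/cron/crontabs a few lines up writes `Report "cronjob[]=${I}"`, so this should be `Report` as well; as written, crontabs found under /var/spool/cron are logged but never reach the report file.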
@@ -121,11 +121,11 @@
# Anacron
if [ "${OS}" = "Linux" ]; then
if [ -f /etc/anacrontab ]; then
- logtext "Test: checking anacrontab"
+ LogText "Test: checking anacrontab"
sANACRONJOBS=`egrep '^([0-9@])' /etc/anacrontab | tr '\t' ' ' | tr -s ' ' | tr ' ' ','`
for J in ${sANACRONJOBS}; do
- logtext "Found anacron job (/etc/anacrontab): ${J}"
- report "cronjob[]=${J}"
+ LogText "Found anacron job (/etc/anacrontab): ${J}"
+ Report "cronjob[]=${J}"
done
fi
fi
@@ -139,14 +139,14 @@
# Description : Check atd status
Register --test-no SCHD-7718 --weight L --network NO --description "Check at users"
if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: Checking atd status"
+ LogText "Test: Checking atd status"
FIND=`${PSBINARY} ax | grep "/atd" | grep -v "grep"`
if [ ! "${FIND}" = "" ]; then
- logtext "Result: at daemon active"
+ LogText "Result: at daemon active"
Display --indent 2 --text "- Checking atd status" --result RUNNING --color GREEN
ATD_RUNNING=1
else
- logtext "Result: at daemon not active"
+ LogText "Result: at daemon not active"
Display --indent 2 --text "- Checking atd status" --result "NOT RUNNING" --color WHITE
fi
fi
@@ -169,46 +169,46 @@
Linux) AT_ALLOW="/etc/at.allow"; AT_DENY="/etc/at.deny" ;;
OpenBSD) AT_ALLOW="/var/cron/at.allow"; AT_DENY="/var/cron/at.deny" ;;
SunOS) AT_ALLOW="/etc/cron.d/at.allow"; AT_DENY="/etc/cron.d/at.deny" ;;
- *) AT_UNKNOWN=1; logtext "Test skipped, files for at unknown" ;;
+ *) AT_UNKNOWN=1; LogText "Test skipped, files for at unknown" ;;
esac
if [ ${AT_UNKNOWN} -eq 0 ]; then
- logtext "Test: checking for file ${AT_ALLOW}"
+ LogText "Test: checking for file ${AT_ALLOW}"
if [ -f ${AT_ALLOW} ]; then
FileIsReadable ${AT_ALLOW}
if [ ${CANREAD} -eq 1 ]; then
- logtext "Result: file ${AT_ALLOW} exists, only listed users can schedule at jobs"
+ LogText "Result: file ${AT_ALLOW} exists, only listed users can schedule at jobs"
FIND=`cat ${AT_ALLOW} | sort`
if [ "${FIND}" = "" ]; then
- logtext "Result: File empty, no users are allowed to schedule at jobs"
+ LogText "Result: File empty, no users are allowed to schedule at jobs"
else
for I in ${FIND}; do
- logtext "Allowed at user: ${I}"
+ LogText "Allowed at user: ${I}"
done
fi
else
- logtext "Result: can not read ${AT_ALLOW} (no permission)"
+ LogText "Result: can not read ${AT_ALLOW} (no permission)"
fi
else
- logtext "Result: file ${AT_ALLOW} does not exist"
- logtext "Test: checking for file ${AT_DENY}"
+ LogText "Result: file ${AT_ALLOW} does not exist"
+ LogText "Test: checking for file ${AT_DENY}"
if [ -f ${AT_DENY} ]; then
FileIsReadable ${AT_DENY}
if [ ${CANREAD} -eq 1 ]; then
- logtext "Result: file ${AT_DENY} exists, only non listed users can schedule at jobs"
+ LogText "Result: file ${AT_DENY} exists, only non listed users can schedule at jobs"
FIND=`cat ${AT_DENY} | sort`
if [ "${FIND}" = "" ]; then
- logtext "Result: file is empty, no users are denied access to schedule jobs"
+ LogText "Result: file is empty, no users are denied access to schedule jobs"
else
for I in ${FIND}; do
- logtext "Denied at user: ${I}"
+ LogText "Denied at user: ${I}"
done
fi
else
- logtext "Result: can not read ${AT_DENY} (no permission)"
+ LogText "Result: can not read ${AT_DENY} (no permission)"
fi
else
- logtext "Result: both ${AT_ALLOW} and ${AT_DENY} do not exist"
- logtext "Note: only root can schedule at jobs"
+ LogText "Result: both ${AT_ALLOW} and ${AT_DENY} do not exist"
+ LogText "Note: only root can schedule at jobs"
AddHP 1 1
fi
fi
@@ -225,17 +225,17 @@
if [ ${ATD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no SCHD-7724 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check at jobs"
if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: Check scheduled at jobs"
+ LogText "Test: Check scheduled at jobs"
FIND=`atq | grep -v "no files in queue" | ${AWKBINARY} '{gsub("\t"," ");print}' | sed 's/ /!space!/g'`
if [ ! "${FIND}" = "" ]; then
- logtext "Result: found one or more jobs"
+ LogText "Result: found one or more jobs"
for I in ${FIND}; do
I=`echo ${I} | sed 's/!space!/ /g'`
- logtext "Found at job: ${I}"
+ LogText "Found at job: ${I}"
done
Display --indent 4 --text "- Checking at jobs" --result FOUND --color GREEN
else
- logtext "Result: no pending at jobs"
+ LogText "Result: no pending at jobs"
Display --indent 4 --text "- Checking at jobs" --result NONE --color GREEN
fi
fi
@@ -247,4 +247,4 @@ wait_for_keypress
#
#================================================================================
-# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com
+# Lynis - Copyright 2007-2016, Michael Boelen, CISOfy - https://cisofy.com
diff --git a/include/tests_shells b/include/tests_shells
index 64de5921..024eb972 100644
--- a/include/tests_shells
+++ b/include/tests_shells
@@ -5,7 +5,7 @@
# Lynis
# ------------------
#
-# Copyright 2007-2015, Michael Boelen (michael.boelen@cisofy.com)
+# Copyright 2007-2016, Michael Boelen (michael.boelen@cisofy.com)
# Web site: https://cisofy.com
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
@@ -46,18 +46,18 @@
# Description : check all console TTYs in which root user can enter single user mode without password
Register --test-no SHLL-6202 --os FreeBSD --weight L --network NO --description "Check console TTYs"
if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: Checking console TTYs"
+ LogText "Test: Checking console TTYs"
FIND=`egrep '^console' /etc/ttys | grep -v 'insecure'`
if [ "${FIND}" = "" ]; then
Display --indent 2 --text "- Checking console TTYs" --result OK --color GREEN
- logtext "Result: console is secured against single user mode without password."
+ LogText "Result: console is secured against single user mode without password."
else
Display --indent 2 --text "- Checking console TTYs" --result WARNING --color RED
- logtext "Result: Found insecure console in /etc/ttys. Single user mode login without password allowed!"
- logtext "Output /etc/ttys:"
- logtext "${FIND}"
+ LogText "Result: Found insecure console in /etc/ttys. Single user mode login without password allowed!"
+ LogText "Output /etc/ttys:"
+ LogText "${FIND}"
ReportWarning ${TEST_NO} "M" "Found unprotected console in /etc/ttys"
- logtext "Possible solution: Change the console line from 'secure' to 'insecure'."
+ LogText "Possible solution: Change the console line from 'secure' to 'insecure'."
fi
fi
#
@@ -67,27 +67,27 @@
# Description : which shells are available according /etc/shells
Register --test-no SHLL-6211 --weight L --network NO --description "Checking available and valid shells"
if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: Searching for /etc/shells"
+ LogText "Test: Searching for /etc/shells"
if [ -f /etc/shells ]; then
- logtext "Result: Found /etc/shells file"
- logtext "Test: Reading available shells from /etc/shells"
+ LogText "Result: Found /etc/shells file"
+ LogText "Test: Reading available shells from /etc/shells"
SSHELLS=`grep "^/" /etc/shells`
CSSHELLS=0; CSSHELLS_ALL=0
Display --indent 2 --text "- Checking shells from /etc/shells"
for I in ${SSHELLS}; do
CSSHELLS_ALL=`expr ${CSSHELLS_ALL} + 1`
- report "available_shell[]=${I}"
+ Report "available_shell[]=${I}"
# YYY add check for symlinked shells
if [ -f ${I} ]; then
- logtext "Found installed shell: ${I}"
+ LogText "Found installed shell: ${I}"
CSSHELLS=`expr ${CSSHELLS} + 1`
else
- logtext "Shell ${I} not installed. Probably a dummy or non existing shell."
+ LogText "Shell ${I} not installed. Probably a dummy or non existing shell."
fi
done
Display --indent 4 --text "Result: found ${CSSHELLS_ALL} shells (valid shells: ${CSSHELLS})."
else
- logtext "Result: /etc/shells not found, skipping test"
+ LogText "Result: /etc/shells not found, skipping test"
fi
fi
#
@@ -97,18 +97,18 @@
# Description : check for idle session killing tools or settings
Register --test-no SHLL-6220 --weight L --network NO --description "Checking available and valid shells"
if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: Search for session timeout tools or settings in shell"
+ LogText "Test: Search for session timeout tools or settings in shell"
IsRunning timeoutd
if [ ${RUNNING} -eq 1 ]; then
IDLE_TIMEOUT=1
- logtext "Result: found timeoutd process to kill idle sesions"
- report="session_timeout_method=timeout daemon"
+ LogText "Result: found timeoutd process to kill idle sesions"
+ Report="session_timeout_method=timeout daemon"
fi
IsRunning autolog
if [ ${RUNNING} -eq 1 ]; then
IDLE_TIMEOUT=1
- logtext "Result: found autolog process to kill idle sesions"
- report="session_timeout_method[]=autolog"
+ LogText "Result: found autolog process to kill idle sesions"
+ Report="session_timeout_method[]=autolog"
fi
if [ -f /etc/profile ]; then
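Review bot: `Report="session_timeout_method=timeout daemon"` and `Report="session_timeout_method[]=autolog"` are shell variable assignments, not calls to the Report function, so the rename preserved the original `report=` bug and neither detection reaches the report file; they should be `Report "session_timeout_method[]=timeout daemon"` and `Report "session_timeout_method[]=autolog"` (the two lines also disagree on the `[]` suffix, while the /etc/profile branch further down uses `session_timeout_method[]=profile`). The log messages on the same lines also misspell "sessions" as "sesions".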
@@ -119,40 +119,40 @@
if [ ! "${FIND}" = "" ]; then
N=0; IDLE_TIMEOUT=1
for I in ${FIND}; do
- logtext "Output: ${I}"
- report "session_timeout_value[]=${I}"
+ LogText "Output: ${I}"
+ Report "session_timeout_value[]=${I}"
N=`expr ${N} + 1`
done
if [ ${N} -eq 1 ]; then
- logtext "Result: found TMOUT value configured in /etc/profile"
+ LogText "Result: found TMOUT value configured in /etc/profile"
else
- logtext "Result: found several TMOUT values configured in /etc/profile"
+ LogText "Result: found several TMOUT values configured in /etc/profile"
fi
- report "session_timeout_method[]=profile"
+ Report "session_timeout_method[]=profile"
else
- logtext "Result: could not find TMOUT setting in /etc/profile"
+ LogText "Result: could not find TMOUT setting in /etc/profile"
fi
if [ ! "${FIND2}" = "" ]; then
N=0;
for I in ${FIND2}; do
- logtext "Output: ${I}"
+ LogText "Output: ${I}"
if [ "${I}" = "readonly" -o "${I}" = "typeset" ]; then
N=`expr ${N} + 1`
fi
done
if [ ${N} -gt 0 ]; then
- logtext "Result: found readonly setting in /etc/profile (readonly or typeset -r)"
- report "session_timeout_set_readonly=1"
+ LogText "Result: found readonly setting in /etc/profile (readonly or typeset -r)"
+ Report "session_timeout_set_readonly=1"
else
- logtext "Result: NO readonly setting found in /etc/profile (readonly or typeset -r)"
- report "session_timeout_set_readonly=0"
+ LogText "Result: NO readonly setting found in /etc/profile (readonly or typeset -r)"
+ Report "session_timeout_set_readonly=0"
fi
else
- logtext "Result: could not find export, readonly or typeset -r in /etc/profile"
+ LogText "Result: could not find export, readonly or typeset -r in /etc/profile"
fi
else
- logtext "Result: skip /etc/profile test, file not available on this system"
+ LogText "Result: skip /etc/profile test, file not available on this system"
fi
if [ -d /etc/profile.d ]; then
@@ -166,41 +166,41 @@
if [ ! "${FIND}" = "" ]; then
N=0; IDLE_TIMEOUT=1
for I in ${FIND}; do
- logtext "Output: ${I}"
- report "session_timeout_value[]=${I}"
+ LogText "Output: ${I}"
+ Report "session_timeout_value[]=${I}"
N=`expr ${N} + 1`
done
if [ ${N} -eq 1 ]; then
- logtext "Result: found TMOUT value configured in one of the files in /etc/profile.d directory"
+ LogText "Result: found TMOUT value configured in one of the files in /etc/profile.d directory"
else
- logtext "Result: found several TMOUT values configured in one of the files in /etc/profile.d directory"
+ LogText "Result: found several TMOUT values configured in one of the files in /etc/profile.d directory"
fi
- report "session_timeout_method[]=profile"
+ Report "session_timeout_method[]=profile"
else
- logtext "Result: could not find TMOUT setting in /etc/profile.d/*.sh"
+ LogText "Result: could not find TMOUT setting in /etc/profile.d/*.sh"
fi
# Check for readonly
if [ ! "${FIND2}" = "" ]; then
N=0;
for I in ${FIND2}; do
- logtext "Output: ${I}"
+ LogText "Output: ${I}"
if [ "${I}" = "readonly" -o "${I}" = "typeset" ]; then
N=`expr ${N} + 1`
fi
done
if [ ${N} -gt 0 ]; then
- logtext "Result: found readonly setting in /etc/profile (readonly or typeset -r)"
- report "session_timeout_set_readonly=1"
+ LogText "Result: found readonly setting in /etc/profile (readonly or typeset -r)"
+ Report "session_timeout_set_readonly=1"
else
- logtext "Result: NO readonly setting found in /etc/profile (readonly or typeset -r)"
- report "session_timeout_set_readonly=0"
+ LogText "Result: NO readonly setting found in /etc/profile (readonly or typeset -r)"
+ Report "session_timeout_set_readonly=0"
fi
else
- logtext "Result: could not find export, readonly or typeset -r in /etc/profile"
+ LogText "Result: could not find export, readonly or typeset -r in /etc/profile"
fi
fi
else
- logtext "Result: skip /etc/profile.d directory test, directory not available on this system"
+ LogText "Result: skip /etc/profile.d directory test, directory not available on this system"
fi
if [ ${IDLE_TIMEOUT} -eq 1 ]; then
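Review bot: the readonly-check messages in this /etc/profile.d hunk were copied from the /etc/profile block and still say "in /etc/profile" ("found readonly setting in /etc/profile", "NO readonly setting found in /etc/profile", "could not find export, readonly or typeset -r in /etc/profile"), so the log cannot distinguish which of the two locations produced the result. Since these lines are being rewritten anyway, change them to say "/etc/profile.d". The `report "session_timeout_set_readonly=..."` lines also emit the same key from both blocks, so the later /etc/profile.d result silently overrides the /etc/profile one in the report.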
@@ -225,21 +225,21 @@
for FILE in ${SHELL_CONFIG_FILES}; do
FIND=""
if [ -f ${FILE} ]; then
- logtext "Result: file ${FILE} exists"
+ LogText "Result: file ${FILE} exists"
FOUND=1
FIND=`grep umask ${FILE} | sed 's/^[ \t]*//g' | sed 's/#.*$//' | grep -v "^$" | awk '{ print $2 }'`
if [ "${FIND}" = "" ]; then
- logtext "Result: did not find umask configured in ${FILE}"
+ LogText "Result: did not find umask configured in ${FILE}"
Display --indent 4 --text "- Checking default umask in ${FILE}" --result NONE --color YELLOW
else
for UMASKVALUE in ${FIND}; do
- logtext "Result: found umask ${UMASKVALUE} in ${FILE}"
+ LogText "Result: found umask ${UMASKVALUE} in ${FILE}"
case ${UMASKVALUE} in
027|0027|077|0077)
- logtext "Result: umask ${UMASKVALUE} is considered a properly hardened value"
+ LogText "Result: umask ${UMASKVALUE} is considered a properly hardened value"
;;
*)
- logtext "Result: umask ${UMASKVALUE} can be hardened "
+ LogText "Result: umask ${UMASKVALUE} can be hardened "
HARDENING_POSSIBLE=1
;;
esac
@@ -253,12 +253,12 @@
fi
fi
else
- logtext "Result: file ${FILE} not found"
+ LogText "Result: file ${FILE} not found"
fi
done
#if [ ${FOUND} -eq 1 ]; then
# if [ ${HARDENING_POSSIBLE} -eq 0 ]; then
- # logtext "Result: all shell files found, contain a proper umask"
+ # LogText "Result: all shell files found, contain a proper umask"
# Display --indent 4 --text "- Default umask" --result OK --color GREEN
# fi
#fi
@@ -272,117 +272,117 @@
if [ ${SKIPTEST} -eq 0 ]; then
FOUND=0
#Display --indent 2 --text "- Testing for Shellshock vulnerability"
- logtext "Test: Check if bash is in the list of shells."
+ LogText "Test: Check if bash is in the list of shells."
if [ -f /etc/shells ]; then
- logtext "Test: checking for bash shell in /etc/shells"
+ LogText "Test: checking for bash shell in /etc/shells"
FIND=`egrep '(/usr)?(/local)?/bin/bash' /etc/shells | grep -v "^#" | head -1`
else
- logtext "Test: checking if bash is available via which command"
+ LogText "Test: checking if bash is available via which command"
FIND=`which bash 2> /dev/null | head -1`
fi
- logtext "Result: command revealed ${FIND} as output"
+ LogText "Result: command revealed ${FIND} as output"
if [ ! "${FIND}" = "" ]; then
if [ -x "${FIND}" -a ! -L "${FIND}" ]; then
- logtext "Result: found ${FIND} as a valid shell"
+ LogText "Result: found ${FIND} as a valid shell"
SHELLSHOCK_TMP=`mktemp /tmp/lynis-shellshock-test.XXXXXXXXXX` || exit 1
# CVE-2014-6271
- logtext "Test: Check for first exploit (CVE-2014-6271)"
+ LogText "Test: Check for first exploit (CVE-2014-6271)"
echo "env 'x=() { :;}; echo vulnerable' 'BASH_FUNC_x()=() { :;}; echo vulnerable' bash -c \"echo test\" 2>&1 | grep 'vulnerable'" > ${SHELLSHOCK_TMP}
VULNERABLE=`${FIND} ${SHELLSHOCK_TMP} 2> /dev/null`
rm -f ${SHELLSHOCK_TMP}
if [ ! "${VULNERABLE}" = "" ]; then
- logtext "Output: ${VULNERABLE}"
- logtext "Result: Vulnerable to original shellshock (CVE-2014-6271)"
+ LogText "Output: ${VULNERABLE}"
+ LogText "Result: Vulnerable to original shellshock (CVE-2014-6271)"
Display --indent 2 --text "- Shellshock: CVE-2014-6271 (original shellshocker)" --result "WARNING" --color RED
FOUND=1
else
- logtext "Result: Not vulnerable to original shellshock (CVE-2014-6271)"
+ LogText "Result: Not vulnerable to original shellshock (CVE-2014-6271)"
#Display --indent 4 --text "- CVE-2014-6271 (original shellshocker)" --result "OK" --color GREEN
fi
# CVE-2014-6277 (disabled, as this test was giving too much false positives)
# CVE-2014-6278
- logtext "Test: Check for CVE-2014-6278"
+ LogText "Test: Check for CVE-2014-6278"
echo "shellshocker='() { echo vulnerable; }' bash -c shellshocker 2>/dev/null | grep 'vulnerable'" > ${SHELLSHOCK_TMP}
VULNERABLE=`${FIND} ${SHELLSHOCK_TMP} 2> /dev/null`
rm -f ${SHELLSHOCK_TMP}
if [ ! "${VULNERABLE}" = "" ]; then
- logtext "Output: ${VULNERABLE}"
- logtext "Result: Vulnerable to CVE-2014-6278"
+ LogText "Output: ${VULNERABLE}"
+ LogText "Result: Vulnerable to CVE-2014-6278"
Display --indent 2 --text "- Shellshock: CVE-2014-6278 (Florian's patch, lcamtuf bug #2)" --result "WARNING" --color RED
FOUND=1
else
- logtext "Result: Not vulnerable to CVE-2014-6278"
+ LogText "Result: Not vulnerable to CVE-2014-6278"
#Display --indent 4 --text "- CVE-2014-6278 (Florian's patch, lcamtuf bug #2)" --result "OK" --color GREEN
fi
# CVE-2014-7169
- logtext "Test: Check for taviso bug CVE-2014-7169"
+ LogText "Test: Check for taviso bug CVE-2014-7169"
echo "(cd /tmp; rm -f /tmp/echo; env X='() { (a)=>\' bash -c "echo echo nonvuln" 2>/dev/null; [[ \"\$(cat echo 2> /dev/null)\" == \"nonvuln\" ]] && echo \"vulnerable\" 2> /dev/null) | grep ' vulnerable'" > ${SHELLSHOCK_TMP}
VULNERABLE=`${FIND} ${SHELLSHOCK_TMP} 2> /dev/null`
rm -f ${SHELLSHOCK_TMP}
if [ ! "${VULNERABLE}" = "" ]; then
- logtext "Output: ${VULNERABLE}"
- logtext "Result: Vulnerable to taviso bug (CVE-2014-7169)"
+ LogText "Output: ${VULNERABLE}"
+ LogText "Result: Vulnerable to taviso bug (CVE-2014-7169)"
Display --indent 2 --text "- Shellshock: CVE-2014-7169 (taviso bug)" --result "WARNING" --color RED
FOUND=1
else
- logtext "Result: Not vulnerable to taviso bug (CVE-2014-7169)"
+ LogText "Result: Not vulnerable to taviso bug (CVE-2014-7169)"
#Display --indent 4 --text "- CVE-2014-7169 (taviso bug)" --result "OK" --color GREEN
fi
# CVE-2014-7186
- logtext "Test: Check for CVE-2014-7186"
+ LogText "Test: Check for CVE-2014-7186"
echo "(bash -c 'true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF' 2>/dev/null || echo \"vulnerable\") | grep 'vulnerable'" > ${SHELLSHOCK_TMP}
VULNERABLE=`${FIND} ${SHELLSHOCK_TMP} 2> /dev/null`
rm -f ${SHELLSHOCK_TMP}
if [ ! "${VULNERABLE}" = "" ]; then
- logtext "Output: ${VULNERABLE}"
- logtext "Result: Vulnerable to CVE-2014-7186"
+ LogText "Output: ${VULNERABLE}"
+ LogText "Result: Vulnerable to CVE-2014-7186"
Display --indent 2 --text "- Shellshock: CVE-2014-7186 redir_stack bug" --result "WARNING" --color RED
FOUND=1
else
- logtext "Result: Not vulnerable to CVE-2014-7186"
+ LogText "Result: Not vulnerable to CVE-2014-7186"
#Display --indent 4 --text "- CVE-2014-7186 redir_stack bug" --result "OK" --color GREEN
fi
# CVE-2014-7187
- logtext "Test: Check for CVE-2014-7187"
+ LogText "Test: Check for CVE-2014-7187"
echo "((for x in {1..200}; do echo \"for x$x in ; do :\"; done; for x in {1..200}; do echo done; done) | bash || echo \"vulnerable\") | grep 'vulnerable'" > ${SHELLSHOCK_TMP}
VULNERABLE=`${FIND} ${SHELLSHOCK_TMP} 2> /dev/null`
rm -f ${SHELLSHOCK_TMP}
if [ ! "${VULNERABLE}" = "" ]; then
- logtext "Output: ${VULNERABLE}"
- logtext "Result: Vulnerable to CVE-2014-7187"
+ LogText "Output: ${VULNERABLE}"
+ LogText "Result: Vulnerable to CVE-2014-7187"
Display --indent 2 --text "- Shellshock: CVE-2014-7187 nested loops off by one bug" --result "WARNING" --color RED
FOUND=1
else
- logtext "Result: Not vulnerable to CVE-2014-7187"
+ LogText "Result: Not vulnerable to CVE-2014-7187"
#Display --indent 4 --text "- CVE-2014-7187 nested loops off by one bug" --result "OK" --color GREEN
fi
# CVE-2014-////
- logtext "Test: Check for bug Exploit #3 - shellshocker.net (no CVE)"
+ LogText "Test: Check for bug Exploit #3 - shellshocker.net (no CVE)"
echo "env X=' () { }; echo hello' bash -c 'date'| grep 'hello'" > ${SHELLSHOCK_TMP}
VULNERABLE=`${FIND} ${SHELLSHOCK_TMP} 2> /dev/null`
rm -f ${SHELLSHOCK_TMP}
if [ ! "${VULNERABLE}" = "" ]; then
- logtext "Output: ${VULNERABLE}"
- logtext "Result: Vulnerable to CVE-2014-//// (exploit #3 on shellshocker.net)"
+ LogText "Output: ${VULNERABLE}"
+ LogText "Result: Vulnerable to CVE-2014-//// (exploit #3 on shellshocker.net)"
Display --indent 2 --text "- Shellshock: Exploit #3 on shellshocker.net (no CVE)" --result "WARNING" --color RED
FOUND=1
else
- logtext "Result: Not vulnerable to exploit #3 on shellshocker.net (no CVE)"
+ LogText "Result: Not vulnerable to exploit #3 on shellshocker.net (no CVE)"
#Display --indent 4 --text "- Exploit#3 on shellshocker.net (no CVE)" --result "OK" --color GREEN
fi
else
- logtext "Result: bash binary found, but not executable, or it is symlinked"
+ LogText "Result: bash binary found, but not executable, or it is symlinked"
fi
else
- logtext "Result: could not find bash to be a valid shell"
+ LogText "Result: could not find bash to be a valid shell"
fi
if [ ${FOUND} -eq 1 ]; then
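Review bot: two pre-existing problems in this hunk are worth fixing alongside the rename. First, `SHELLSHOCK_TMP` is created once with `mktemp`, but after the first `rm -f ${SHELLSHOCK_TMP}` every later test re-creates the file with `echo ... > ${SHELLSHOCK_TMP}` at the now-known path; that loses the safe-creation guarantee mktemp gave, since a plain redirect follows a symlink another user may have planted in /tmp between the rm and the echo. Either call mktemp once per test, or keep one file and overwrite it without removing it until the end. Second, the CVE-2014-7169 probe ends in `grep ' vulnerable'` (leading space) while the inner command echoes `"vulnerable"` with no leading space, so that check can never report vulnerable; the pattern should be `grep 'vulnerable'` like the other probes. Minor: `|| exit 1` on the mktemp line aborts the whole Lynis run rather than skipping this test.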
@@ -396,11 +396,11 @@
#################################################################################
#
-report "session_timeout_enabled=${IDLE_TIMEOUT}"
+Report "session_timeout_enabled=${IDLE_TIMEOUT}"
wait_for_keypress
#
#================================================================================
-# Lynis - Copyright 2007-2015, CISOfy - http://cisofy.com
+# Lynis - Copyright 2007-2016, CISOfy - http://cisofy.com
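Review bot: `wait_for_keypress` is left in lower case in this hunk while `report` and `logtext` are being renamed to the CamelCase `Report`/`LogText` convention; if the function is also being renamed elsewhere in this change, update the call here too, otherwise document that helper names are intentionally mixed.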
diff --git a/include/tests_snmp b/include/tests_snmp
index 5baba15a..2cab1d06 100644
--- a/include/tests_snmp
+++ b/include/tests_snmp
@@ -5,7 +5,7 @@
# Lynis
# ------------------
#
-# Copyright 2007-2015, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
+# Copyright 2007-2016, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
# Web site: https://cisofy.com
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
@@ -30,15 +30,15 @@
# Description : Check for a running SNMP daemon
Register --test-no SNMP-3302 --weight L --network NO --description "Check for running SNMP daemon"
if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: Searching for a SNMP daemon"
+ LogText "Test: Searching for a SNMP daemon"
# Check running processes
IsRunning snmpd
if [ ${RUNNING} -eq 1 ]; then
SNMP_DAEMON_RUNNING=1
- logtext "Result: SNMP daemon is running"
+ LogText "Result: SNMP daemon is running"
Display --indent 2 --text "- Checking running SNMP daemon" --result FOUND --color GREEN
else
- logtext "Result: No running SNMP daemon found"
+ LogText "Result: No running SNMP daemon found"
Display --indent 2 --text "- Checking running SNMP daemon" --result "NOT FOUND" --color WHITE
fi
fi
@@ -50,18 +50,18 @@
if [ ${SNMP_DAEMON_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no SNMP-3304 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check SNMP daemon file location"
if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: searching for snmpd.conf file"
+ LogText "Test: searching for snmpd.conf file"
for I in ${SNMP_DAEMON_CONFIG_LOCS}; do
if [ -f "${I}/snmpd.conf" ]; then
- logtext "Result: ${I}/snmpd.conf exists"
+ LogText "Result: ${I}/snmpd.conf exists"
SNMPD_DAEMON_CONFIG="${I}/snmpd.conf"
fi
done
if [ "${SNMPD_DAEMON_CONFIG}" = "" ]; then
- logtext "Result: No snmpd configuration found"
+ LogText "Result: No snmpd configuration found"
Display --indent 4 --text "- Checking SNMP configuration" --result "NOT FOUND" --color WHITE
else
- logtext "Restult: using last found configuration file: ${SNMPD_DAEMON_CONFIG}"
+ LogText "Restult: using last found configuration file: ${SNMPD_DAEMON_CONFIG}"
Display --indent 4 --text "- Checking SNMP configuration" --result "FOUND" --color GREEN
fi
fi
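Review bot: the "Restult:" typo in the last found configuration message is preserved through the rename; change it to "Result:" while the line is being edited. The loop also keeps the last matching `snmpd.conf` rather than the first, which the message describes correctly but which may not be the file the running daemon actually loaded.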
@@ -74,12 +74,12 @@
Register --test-no SNMP-3306 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check SNMP communities"
if [ ${SKIPTEST} -eq 0 ]; then
WARN=0
- logtext "Test: reading active snmp communities"
+ LogText "Test: reading active snmp communities"
FIND=`${AWKBINARY} '/^com2sec/ { print $4 }' ${SNMPD_DAEMON_CONFIG}`
for I in ${FIND}; do
- logtext "Output: ${I}"
+ LogText "Output: ${I}"
if [ "${I}" = "public" -o "${I}" = "private" ]; then
- logtext "Result: found easy guessable snmp community string (${I})"
+ LogText "Result: found easy guessable snmp community string (${I})"
WARN=1
AddHP 1 3
fi
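Review bot: SNMP-3306 only parses `^com2sec` lines (`${AWKBINARY} '/^com2sec/ { print $4 }'`), so a configuration that uses the `rocommunity`/`rwcommunity` shorthand directives with the community "public" or "private" passes this test unnoticed. Extend the awk pattern to cover those directives (the community name is the second field there) before relying on this check.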
@@ -102,4 +102,4 @@ wait_for_keypress
#
#================================================================================
-# Lynis - Copyright 2007-2015 Michael Boelen, CISOfy - https://cisofy.com
+# Lynis - Copyright 2007-2016 Michael Boelen, CISOfy - https://cisofy.com
diff --git a/include/tests_solaris b/include/tests_solaris
index 109bee67..ac6297e6 100644
--- a/include/tests_solaris
+++ b/include/tests_solaris
@@ -5,7 +5,7 @@
# Lynis
# ------------------
#
-# Copyright 2007-2015, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
+# Copyright 2007-2016, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
# Web site: https://cisofy.com
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
@@ -26,15 +26,15 @@
# Description : Check if Stop-A is disabled
# Register --test-no SOL-xxxx --weight L --network NO --description "Check for running SSH daemon"
# if [ ${SKIPTEST} -eq 0 ]; then
-# logtext "Test: Searching for a SSH daemon"
+# LogText "Test: Searching for a SSH daemon"
# # Check running processes
# FIND=`${PSBINARY} ax | grep "sshd" | grep -v "grep"`
# if [ ! "${FIND}" = "" ]; then
# SSH_DAEMON_RUNNING=1
-# logtext "Result: Stop-A is disabled"
+# LogText "Result: Stop-A is disabled"
# Display --indent 2 --text "- Checking running SSH daemon" --result FOUND --color GREEN
# else
-# logtext "Result: Stop-A is NOT disabled"
+# LogText "Result: Stop-A is NOT disabled"
# Display --indent 2 --text "- Checking running SSH daemon" --result "NOT FOUND" --color WHITE
# fi
# fi
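Review bot: this commented-out Solaris placeholder is being renamed along with live code, but its body is a copy of the SSH daemon check (description "Check for running SSH daemon", `grep "sshd"`, `SSH_DAEMON_RUNNING=1`) under a header that says "Check if Stop-A is disabled", and the log lines claim a Stop-A result from an sshd search. Either remove the dead block or leave a clear TODO so nobody uncomments it as-is.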
@@ -45,15 +45,15 @@
# Description : Check if vold is disabled, to disallow unaudited mounts
# Register --test-no SOL-xxxx --weight L --network NO --description "Check for running SSH daemon"
# if [ ${SKIPTEST} -eq 0 ]; then
-# logtext "Test: Searching for a SSH daemon"
+# LogText "Test: Searching for a SSH daemon"
# # Check running processes
# FIND=`${PSBINARY} ax | grep "sshd" | grep -v "grep"`
# if [ ! "${FIND}" = "" ]; then
# SSH_DAEMON_RUNNING=1
-# logtext "Result: Stop-A is disabled"
+# LogText "Result: Stop-A is disabled"
# Display --indent 2 --text "- Checking running SSH daemon" --result FOUND --color GREEN
# else
-# logtext "Result: Stop-A is NOT disabled"
+# LogText "Result: Stop-A is NOT disabled"
# Display --indent 2 --text "- Checking running SSH daemon" --result "NOT FOUND" --color WHITE
# fi
# fi
@@ -66,4 +66,4 @@ wait_for_keypress
#
#================================================================================
-# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com
+# Lynis - Copyright 2007-2016, Michael Boelen, CISOfy - https://cisofy.com
diff --git a/include/tests_squid b/include/tests_squid
index 59d63dd2..02285aed 100644
--- a/include/tests_squid
+++ b/include/tests_squid
@@ -5,7 +5,7 @@
# Lynis
# ------------------
#
-# Copyright 2007-2015, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
+# Copyright 2007-2016, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
# Web site: https://cisofy.com
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
@@ -35,16 +35,16 @@
# programs.
Register --test-no SQD-3602 --weight L --network NO --description "Check for running Squid daemon"
if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: Searching for a Squid daemon"
+ LogText "Test: Searching for a Squid daemon"
FOUND=0
# Check running processes
FIND=`${PSBINARY} ax | egrep "(squid|squid3) " | grep -v "grep"`
if [ ! "${FIND}" = "" ]; then
SQUID_DAEMON_RUNNING=1
- logtext "Result: Squid daemon is running"
+ LogText "Result: Squid daemon is running"
Display --indent 2 --text "- Checking running Squid daemon" --result FOUND --color GREEN
else
- logtext "Result: No running Squid daemon found"
+ LogText "Result: No running Squid daemon found"
Display --indent 2 --text "- Checking running Squid daemon" --result "NOT FOUND" --color WHITE
fi
fi
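Review bot: SQD-3602 still detects the daemon with `${PSBINARY} ax | egrep "(squid|squid3) " | grep -v "grep"` whereas the neighbouring SNMP-3302 and SSH-7402 tests in this same change use `IsRunning`; switching to `IsRunning squid` (and `squid3`) keeps one process-detection path and avoids the grep-on-ps pattern. `FOUND=0` set here is also never used in the hunk.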
@@ -56,24 +56,24 @@
if [ ${SQUID_DAEMON_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no SQD-3604 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check Squid daemon file location"
if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: searching for squid.conf or squid3.conf file"
+ LogText "Test: searching for squid.conf or squid3.conf file"
for I in ${SQUID_DAEMON_CONFIG_LOCS}; do
# Checking squid.conf
if [ -f "${I}/squid.conf" ]; then
- logtext "Result: ${I}/squid.conf exists"
+ LogText "Result: ${I}/squid.conf exists"
SQUID_DAEMON_CONFIG="${I}/squid.conf"
fi
# Checking squid3.conf
if [ -f "${I}/squid3.conf" ]; then
- logtext "Result: ${I}/squid3.conf exists"
+ LogText "Result: ${I}/squid3.conf exists"
SQUID_DAEMON_CONFIG="${I}/squid3.conf"
fi
done
if [ "${SQUID_DAEMON_CONFIG}" = "" ]; then
- logtext "Result: No Squid configuration file found"
+ LogText "Result: No Squid configuration file found"
Display --indent 4 --text "- Searching Squid configuration file" --result "NOT FOUND" --color YELLOW
else
- logtext "Result: using last found configuration file: ${SQUID_DAEMON_CONFIG}"
+ LogText "Result: using last found configuration file: ${SQUID_DAEMON_CONFIG}"
Display --indent 4 --text "- Searching Squid configuration" --result FOUND --color GREEN
fi
fi
@@ -86,7 +86,7 @@
Register --test-no SQD-3606 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check Squid version"
if [ ${SKIPTEST} -eq 0 ]; then
if [ ! "${SQUIDBINARY}" = "" ]; then
- logtext "Result: Squid binary found (${SQUIDBINARY})"
+ LogText "Result: Squid binary found (${SQUIDBINARY})"
# Skip check if a setuid/setgid bit is found
FIND=`find ${SQUIDBINARY} \( -perm 4000 -o -perm 2000 \) -print`
if [ "${FIND}" = "" ]; then
@@ -94,11 +94,11 @@
Display --indent 4 --text "- Checking Squid version" --result "FOUND" --color GREEN
SQUID_VERSION="${FIND2}"
else
- logtext "Result: test skipped for security reasons, setuid/setgid bit set"
+ LogText "Result: test skipped for security reasons, setuid/setgid bit set"
Display --indent 4 --text "- Checking Squid version" --result "SKIPPED" --color RED
fi
else
- logtext "Result: no Squid binary found"
+ LogText "Result: no Squid binary found"
fi
fi
#
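Review bot: the setuid/setgid guard in SQD-3606 uses `find ${SQUIDBINARY} \( -perm 4000 -o -perm 2000 \)`, which only matches a file whose mode is exactly 4000 or 2000; a normal setuid binary (mode 4755) is not matched, so the version check runs on it anyway, defeating the "skipped for security reasons" branch. Use `-perm -4000 -o -perm -2000` to test the bits rather than the whole mode.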
@@ -109,12 +109,12 @@
if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! "${SQUID_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no SQD-3610 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check Squid version"
if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: Checking all specific defined options in ${SQUID_DAEMON_CONFIG}"
+ LogText "Test: Checking all specific defined options in ${SQUID_DAEMON_CONFIG}"
FIND=`grep -v "^#" ${SQUID_DAEMON_CONFIG} | grep -v "^$" | ${AWKBINARY} '{gsub("\t"," ");print}' | sed 's/ /!space!/g'`
for I in ${FIND}; do
I=`echo ${I} | sed 's/!space!/ /g'`
- logtext "Found Squid option: ${I}"
- report "squid_option=${I}"
+ LogText "Found Squid option: ${I}"
+ Report "squid_option=${I}"
done
Display --indent 4 --text "- Checking defined Squid options" --result "DONE" --color GREEN
fi
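Review bot: the Register line for SQD-3610 carries the description "Check Squid version", copied from SQD-3606, although the test enumerates defined options; change it to something like "Check Squid defined options" so the test list and report are accurate.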
@@ -126,16 +126,16 @@
if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! "${SQUID_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no SQD-3613 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check Squid file permissions"
if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: Checking file permissions of ${SQUID_DAEMON_CONFIG}"
+ LogText "Test: Checking file permissions of ${SQUID_DAEMON_CONFIG}"
FIND=`find ${SQUID_DAEMON_CONFIG} -type f -a \( -perm -004 -o -perm -002 -o -perm -001 \)`
if [ ! "${FIND}" = "" ]; then
- logtext "Result: file ${SQUID_DAEMON_CONFIG} is world readable, writable or executable and could leak information or passwords"
+ LogText "Result: file ${SQUID_DAEMON_CONFIG} is world readable, writable or executable and could leak information or passwords"
Display --indent 4 --text "- Checking Squid configuration file permissions" --result WARNING --color RED
ReportSuggestion ${TEST_NO} "Check file permissions of ${SQUID_DAEMON_CONFIG} to limit access"
ReportWarning ${TEST_NO} "M" "File permissions of ${SQUID_DAEMON_CONFIG} are not restrictive"
AddHP 0 2
else
- logtext "Result: file ${SQUID_DAEMON_CONFIG} has proper file permissions"
+ LogText "Result: file ${SQUID_DAEMON_CONFIG} has proper file permissions"
Display --indent 4 --text "- Checking Squid configuration file permissions" --result OK --color GREEN
AddHP 2 2
fi
@@ -154,16 +154,16 @@
if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! "${SQUID_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no SQD-3614 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check Squid authentication methods"
if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: check auth_param option for authentication methods"
+ LogText "Test: check auth_param option for authentication methods"
FIND=`grep "^auth_param" ${SQUID_DAEMON_CONFIG} | awk '{ print $2 }'`
if [ "${FIND}" = "" ]; then
- logtext "No auth_param option found, proxy access anonymous or based on other methods (like ACLs)"
+ LogText "No auth_param option found, proxy access anonymous or based on other methods (like ACLs)"
Display --indent 6 --text "- Checking Squid authentication methods" --result "NONE" --color YELLOW
else
Display --indent 6 --text "- Checking Squid authentication methods" --result "FOUND" --color GREEN
for I in ${FIND}; do
- logtext "Result: found authentication method ${I}"
- report "squid_auth_method=${I}"
+ LogText "Result: found authentication method ${I}"
+ Report "squid_auth_method=${I}"
done
fi
fi
@@ -175,17 +175,17 @@
if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! "${SQUID_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no SQD-3616 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check external Squid authentication"
if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: check external_acl_type option for external authentication helpers"
+ LogText "Test: check external_acl_type option for external authentication helpers"
FIND=`grep "^external_acl_type" ${SQUID_DAEMON_CONFIG}`
if [ "${FIND}" = "" ]; then
- logtext "No external_acl_type found"
+ LogText "No external_acl_type found"
Display --indent 6 --text "- Checking Squid external authentication methods" --result "NONE" --color YELLOW
else
Display --indent 6 --text "- Checking Squid external authentication methods" --result "FOUND" --color GREEN
for I in ${FIND}; do
- logtext "Result: found external authentication method helper"
- logtext "Output: ${FIND}"
- #report "squid_external_acl_type=TRUE"
+ LogText "Result: found external authentication method helper"
+ LogText "Output: ${FIND}"
+ #Report "squid_external_acl_type=TRUE"
done
fi
fi
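Review bot: in SQD-3616 the loop iterates `for I in ${FIND}` (every whitespace-separated word of the matching lines) but the body logs `${FIND}` in full each time, so the whole `external_acl_type` output is written to the log once per word. Either drop the loop and log `${FIND}` once, or apply the `!space!` substitution used in SQD-3610 and log `${I}` per line.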
@@ -198,19 +198,19 @@
Register --test-no SQD-3620 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check Squid access control lists"
if [ ${SKIPTEST} -eq 0 ]; then
N=0
- logtext "Test: checking ACLs"
+ LogText "Test: checking ACLs"
FIND=`grep "^acl " ${SQUID_DAEMON_CONFIG} | sed 's/ /!space!/g'`
if [ "${FIND}" = "" ]; then
- logtext "Result: No ACLs found"
+ LogText "Result: No ACLs found"
Display --indent 6 --text "- Checking Access Control Lists" --result "NONE" --color RED
else
for I in ${FIND}; do
N=`expr ${N} + 1`
I=`echo ${I} | sed 's/!space!/ /g'`
- logtext "Found ACL: ${I}"
- #report "squid_acl=${I}"
+ LogText "Found ACL: ${I}"
+ #Report "squid_acl=${I}"
done
- logtext "Result: Found ${N} ACLs"
+ LogText "Result: Found ${N} ACLs"
Display --indent 6 --text "- Checking Access Control Lists" --result "${N} ACLs FOUND" --color GREEN
fi
fi
@@ -223,30 +223,30 @@
Register --test-no SQD-3624 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check Squid safe ports"
if [ ${SKIPTEST} -eq 0 ]; then
N=0
- logtext "Test: checking ACL Safe_ports http_access option"
+ LogText "Test: checking ACL Safe_ports http_access option"
FIND=`grep "^http_access" ${SQUID_DAEMON_CONFIG} | grep "Safe_ports"`
if [ "${FIND}" = "" ]; then
- logtext "Result: no Safe_ports found"
+ LogText "Result: no Safe_ports found"
Display --indent 6 --text "- Checking ACL 'Safe_ports' http_access option" --result "NOT FOUND" --color YELLOW
ReportSuggestion ${TEST_NO} "Check if Squid has been configured to restrict access to all safe ports"
else
- logtext "Result: checking ACL safe ports"
+ LogText "Result: checking ACL safe ports"
FIND2=`grep "^acl Safe_ports port" ${SQUID_DAEMON_CONFIG} | awk '{ print $4 }'`
if [ "${FIND2}" = "" ]; then
Display --indent 6 --text "- Checking ACL 'Safe_ports' ports" --result "NONE FOUND" --color YELLOW
ReportSuggestion ${TEST_NO} "Check if Squid has been configured for which ports it can allow outgoing traffic (Safe_ports)"
AddHP 0 1
else
- logtext "Result: Safe_ports found"
+ LogText "Result: Safe_ports found"
for I in ${FIND}; do
- logtext "Found safe port: ${I}"
+ LogText "Found safe port: ${I}"
done
Display --indent 6 --text "- Checking ACL 'Safe_ports' ports" --result "FOUND" --color GREEN
AddHP 1 1
fi
#SQUID_DAEMON_UNSAFE_PORTS_LIST
for I in ${SQUID_DAEMON_UNSAFE_PORTS_LIST}; do
- logtext "Test: Checking port ${I} in Safe_ports list"
+ LogText "Test: Checking port ${I} in Safe_ports list"
FIND2=`grep -w "^acl Safe_ports port ${I}" ${SQUID_DAEMON_CONFIG}`
if [ "${FIND2}" = "" ]; then
Display --indent 6 --text "- Checking ACL 'Safe_ports' (port ${I})" --result "NOT FOUND" --color GREEN
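Review bot: the "Found safe port" loop iterates `${FIND}` (the `http_access ... Safe_ports` lines) instead of `${FIND2}` (the port numbers extracted from `acl Safe_ports port`), so the log lists words of the http_access line rather than ports. It should read `for I in ${FIND2}; do`. Note also that `FIND2` is then reused by the unsafe-ports loop that follows, so keep the port list in its own variable if it is needed later.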
@@ -274,16 +274,16 @@
Register --test-no SQD-3630 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check Squid reply_body_max_size option"
if [ ${SKIPTEST} -eq 0 ]; then
N=0
- logtext "Test: checking option reply_body_max_size"
+ LogText "Test: checking option reply_body_max_size"
FIND=`grep "^reply_body_max_size " ${SQUID_DAEMON_CONFIG} | sed 's/ /!space!/g'`
if [ "${FIND}" = "" ]; then
- logtext "Result: option reply_body_max_size not configured"
+ LogText "Result: option reply_body_max_size not configured"
Display --indent 6 --text "- Checking option: reply_body_max_size" --result "NONE" --color RED
AddHP 1 2
ReportSuggestion ${TEST_NO} "Configure Squid option reply_body_max_size to limit the upper size of requests."
else
- logtext "Result: option reply_body_max_size configured"
- logtext "Output: ${FIND}"
+ LogText "Result: option reply_body_max_size configured"
+ LogText "Output: ${FIND}"
Display --indent 6 --text "- Checking option: reply_body_max_size" --result "FOUND" --color GREEN
AddHP 2 2
fi
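Review bot: the suggestion text for SQD-3630 says reply_body_max_size limits "the upper size of requests", but that directive caps the size of reply bodies Squid will deliver to clients; request bodies are governed by `request_body_max_size`. Reword the suggestion accordingly. The scoring is also odd: the "not configured" branch awards `AddHP 1 2` alongside a RED result.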
@@ -304,13 +304,13 @@
if [ ${SKIPTEST} -eq 0 ]; then
FIND=`grep "^httpd_suppress_version_string " ${SQUID_DAEMON_CONFIG} | grep " on"`
if [ "${FIND}" = "" ]; then
- logtext "Result: option httpd_suppress_version_string not configured"
+ LogText "Result: option httpd_suppress_version_string not configured"
Display --indent 6 --text "- Checking option: httpd_supress_version_string" --result "NOT FOUND" --color YELLOW
AddHP 1 2
ReportSuggestion ${TEST_NO} "Configure Squid option httpd_suppress_version_string (on) to suppress the version."
else
- logtext "Result: option httpd_suppress_version_string configured"
- logtext "Output: ${FIND}"
+ LogText "Result: option httpd_suppress_version_string configured"
+ LogText "Output: ${FIND}"
Display --indent 6 --text "- Checking option: httpd_suppress_version_string" --result "FOUND" --color GREEN
AddHP 2 2
fi
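Review bot: the Display text in the "not configured" branch spells the option "httpd_supress_version_string" (one p) while the log line, the suggestion and the other Display line use the correct "httpd_suppress_version_string"; fix the typo so the two screen results name the same option.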
@@ -323,4 +323,4 @@ wait_for_keypress
#
#================================================================================
-# Lynis - Copyright 2007-2015 Michael Boelen, CISOfy - https://cisofy.com
+# Lynis - Copyright 2007-2016 Michael Boelen, CISOfy - https://cisofy.com
diff --git a/include/tests_ssh b/include/tests_ssh
index da53b0b5..16354a7d 100644
--- a/include/tests_ssh
+++ b/include/tests_ssh
@@ -5,7 +5,7 @@
# Lynis
# ------------------
#
-# Copyright 2007-2015, Michael Boelen (michael.boelen@cisofy.com)
+# Copyright 2007-2016, Michael Boelen (michael.boelen@cisofy.com)
# Web site: https://cisofy.com
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
@@ -33,7 +33,7 @@
# Description : Check for a running SSH daemon
Register --test-no SSH-7402 --weight L --network NO --description "Check for running SSH daemon"
if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: Searching for a SSH daemon"
+ LogText "Test: Searching for a SSH daemon"
IsRunning sshd
if [ ${RUNNING} -eq 1 ]; then
SSH_DAEMON_RUNNING=1
@@ -51,29 +51,29 @@
Register --test-no SSH-7404 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check SSH daemon file location"
if [ ${SKIPTEST} -eq 0 ]; then
FOUND=0
- logtext "Test: searching for sshd_config file"
+ LogText "Test: searching for sshd_config file"
for I in ${SSH_DAEMON_CONFIG_LOCS}; do
if [ -f "${I}/sshd_config" ]; then
- logtext "Result: ${I}/sshd_config exists"
+ LogText "Result: ${I}/sshd_config exists"
if [ ${FOUND} -eq 1 ]; then
ReportException "${TEST_NO}:01"
- logtext "Result: we already had found another sshd_config file. Using this new file then."
+ LogText "Result: we already had found another sshd_config file. Using this new file then."
fi
FileIsReadable ${I}/sshd_config
if [ ${CANREAD} -eq 1 ]; then
FOUND=1
SSH_DAEMON_CONFIG="${I}/sshd_config"
else
- logtext "Result: can not read ${I}/sshd_config file (no permission)"
+ LogText "Result: can not read ${I}/sshd_config file (no permission)"
fi
fi
done
if [ "${SSH_DAEMON_CONFIG}" = "" ]; then
- logtext "Result: No sshd configuration found"
+ LogText "Result: No sshd configuration found"
Display --indent 4 --text "- Searching SSH configuration" --result "NOT FOUND" --color YELLOW
ReportException "${TEST_NO}:1" "SSH daemon is running, but no readable configuration file found"
else
- logtext "Result: using last found configuration file: ${SSH_DAEMON_CONFIG}"
+ LogText "Result: using last found configuration file: ${SSH_DAEMON_CONFIG}"
Display --indent 4 --text "- Searching SSH configuration" --result FOUND --color GREEN
fi
fi
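Review bot: the two ReportException calls in this hunk use different identifiers for the same test, `"${TEST_NO}:01"` on the duplicate-config branch and `"${TEST_NO}:1"` on the not-found branch, and only the second one passes a message. Pick one numbering scheme and give the duplicate-config exception a message too, since a second sshd_config silently overriding the first is exactly what a reader of the report wants explained. The exception is also raised before FileIsReadable runs, so the log line "Using this new file then." is wrong when the second file turns out to be unreadable; log the override only after CANREAD is 1.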
@@ -85,7 +85,7 @@
if [ ${SSH_DAEMON_RUNNING} -eq 1 -a ! "${SSH_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no SSH-7408 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check SSH specific defined options"
if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: Checking specific defined options in ${SSH_DAEMON_CONFIG}"
+ LogText "Test: Checking specific defined options in ${SSH_DAEMON_CONFIG}"
## SSHOPTIONS scheme:
## <OptionName>:<ExpectedValue>,<MediumScoreValue>,<WeakValue>:<TestType>
##
@@ -130,11 +130,11 @@
TESTTYPE=`echo ${I} | cut -d ':' -f3`
RESULT="NONE"
FOUNDVALUE=`awk -v OPT="${OPTIONNAME}" 'index($0, OPT) == 1 { print toupper($2) }' ${SSH_DAEMON_CONFIG}`
- logtext "Test: Checking ${OPTIONNAME} in ${SSH_DAEMON_CONFIG}"
+ LogText "Test: Checking ${OPTIONNAME} in ${SSH_DAEMON_CONFIG}"
if [ ! "${FOUNDVALUE}" = "" ]; then
- logtext "Result: Option ${OPTIONNAME} found in ${SSH_DAEMON_CONFIG}"
- logtext "Result: Option ${OPTIONNAME} value is ${FOUNDVALUE}"
+ LogText "Result: Option ${OPTIONNAME} found in ${SSH_DAEMON_CONFIG}"
+ LogText "Result: Option ${OPTIONNAME} value is ${FOUNDVALUE}"
if [ "${TESTTYPE}" = "=" ]; then
if [ "${FOUNDVALUE}" = "${EXPECTEDVALUE}" ]; then
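Review bot: the awk selector `index($0, OPT) == 1` on the FOUNDVALUE line is a case-sensitive prefix match, while sshd_config keywords are case-insensitive and parsed per word, so `permitrootlogin no` is missed and any keyword that merely begins with the option name is matched. It also prints one value per matching line, so an option that is set twice (for example again inside a Match block) yields a multi-line FOUNDVALUE that never equals EXPECTEDVALUE and falls into the wrong branch. A whole-word, case-folded comparison taking the first match only, such as `tolower($1) == tolower(OPT) { print toupper($2); exit }`, fixes both.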
@@ -185,27 +185,27 @@
if [ "${RESULT}" = "GOOD" ]; then
- logtext "Result: SSH option ${OPTIONNAME} is configured very well"
+ LogText "Result: SSH option ${OPTIONNAME} is configured very well"
Display --indent 4 --text "- SSH option: ${OPTIONNAME}" --result OK --color GREEN
AddHP 3 3
elif [ "${RESULT}" = "MIDSCORED" ]; then
- logtext "Result: SSH option ${OPTIONNAME} is configured reasonably"
+ LogText "Result: SSH option ${OPTIONNAME} is configured reasonably"
ReportSuggestion ${TEST_NO} "Consider hardening of SSH configuration" "${OPTIONNAME} (${FOUNDVALUE} --> ${EXPECTEDVALUE})" "-"
Display --indent 4 --text "- SSH option: ${OPTIONNAME}" --result "MEDIUM" --color YELLOW
AddHP 1 3
elif [ "${RESULT}" = "WEAK" ]; then
- logtext "Result: SSH option ${OPTIONNAME} is in a weak configuruation state and should be fixed"
+ LogText "Result: SSH option ${OPTIONNAME} is in a weak configuruation state and should be fixed"
#ReportWarning ${TEST_NO} "M" "Unsafe configured SSH option: ${OPTIONNAME}"
ReportSuggestion ${TEST_NO} "Consider hardening SSH configuration" "${OPTIONNAME} (${FOUNDVALUE} --> ${EXPECTEDVALUE})" "-"
Display --indent 4 --text "- SSH option: ${OPTIONNAME}" --result WARNING --color RED
AddHP 0 3
elif [ "${RESULT}" = "UNKNOWN" ]; then
- logtext "Result: Value of SSH option ${OPTIONNAME} is unknown (not defined)"
+ LogText "Result: Value of SSH option ${OPTIONNAME} is unknown (not defined)"
Display --indent 4 --text "- SSH option: ${OPTIONNAME}" --result DEFAULT --color WHITE
#ReportException "SSH-7408:01" "Unknown SSH option"
- report "unknown_config_option[]=ssh|$SSH_DAEMON_CONFIG}|${OPTIONNAME}|"
+ Report "unknown_config_option[]=ssh|$SSH_DAEMON_CONFIG}|${OPTIONNAME}|"
else
- logtext "Result: Option ${OPTIONNAME} not found in ${SSH_DAEMON_CONFIG}"
+ LogText "Result: Option ${OPTIONNAME} not found in ${SSH_DAEMON_CONFIG}"
Display --indent 4 --text "- SSH option: ${OPTIONNAME}" --result "NOT FOUND" --color WHITE
fi
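Review bot: the Report line in this hunk carries over a broken expansion: `$SSH_DAEMON_CONFIG}` is missing its opening brace, so the report entry is written as the variable value followed by a literal `}`. Since the line is being touched for the rename anyway, change it to `${SSH_DAEMON_CONFIG}`. The WEAK branch also keeps the typo "configuruation" in its LogText string.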
@@ -224,30 +224,30 @@
# AllowUsers
FIND=`egrep "^AllowUsers" ${SSH_DAEMON_CONFIG} | awk '{ print $2 }'`
if [ ! "${FIND}" = "" ]; then
- logtext "Result: AllowUsers set, with value ${FIND}"
+ LogText "Result: AllowUsers set, with value ${FIND}"
Display --indent 4 --text "- SSH option: AllowUsers" --result FOUND --color GREEN
FOUND=1
else
- logtext "Result: AllowUsers is not set"
+ LogText "Result: AllowUsers is not set"
Display --indent 4 --text "- SSH option: AllowUsers" --result "NOT FOUND" --color WHITE
fi
# AllowGroups
FIND=`egrep "^AllowGroups" ${SSH_DAEMON_CONFIG} | awk '{ print $2 }'`
if [ ! "${FIND}" = "" ]; then
- logtext "Result: AllowUsers set ${FIND}"
+ LogText "Result: AllowUsers set ${FIND}"
Display --indent 4 --text "- SSH option: AllowGroups" --result FOUND --color GREEN
FOUND=1
else
- logtext "Result: AllowGroups is not set"
+ LogText "Result: AllowGroups is not set"
Display --indent 4 --text "- SSH option: AllowGroups" --result "NOT FOUND" --color WHITE
fi
if [ ${FOUND} -eq 1 ]; then
- logtext "Result: SSH is limited to a specific set of users, which is good"
+ LogText "Result: SSH is limited to a specific set of users, which is good"
AddHP 2 2
else
- logtext "Result: SSH has no specific user or group limitation. Most likely all valid users can SSH to this machine."
+ LogText "Result: SSH has no specific user or group limitation. Most likely all valid users can SSH to this machine."
AddHP 0 1
fi
fi
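Review bot: the AllowGroups branch logs "AllowUsers set ${FIND}" (copied from the block above), so the log misattributes which directive restricted access; change it to "AllowGroups set, with value ${FIND}" to match the wording of the AllowUsers branch. Note also that the FOUND scoring only looks at the two Allow directives, so a host that restricts access with DenyUsers or DenyGroups alone is scored as having no limitation at all; the log line "Most likely all valid users can SSH to this machine" overstates that case.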
@@ -255,11 +255,11 @@
#################################################################################
#
-report "ssh_daemon_running=${SSH_DAEMON_RUNNING}"
-#report "ssh_daemon_port=${SSH_DAEMON_PORT}"
+Report "ssh_daemon_running=${SSH_DAEMON_RUNNING}"
+#Report "ssh_daemon_port=${SSH_DAEMON_PORT}"
wait_for_keypress
#
#================================================================================
-# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com
+# Lynis - Copyright 2007-2016, Michael Boelen, CISOfy - https://cisofy.com
diff --git a/include/tests_storage b/include/tests_storage
index e9235d65..06d08c61 100644
--- a/include/tests_storage
+++ b/include/tests_storage
@@ -5,7 +5,7 @@
# Lynis
# ------------------
#
-# Copyright 2007-2015, Michael Boelen (michael.boelen@cisofy.com)
+# Copyright 2007-2016, Michael Boelen (michael.boelen@cisofy.com)
# Web site: https://cisofy.com
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
@@ -29,7 +29,7 @@
Register --test-no STRG-1840 --os Linux --weight L --network NO --description "Check if USB storage is disabled"
if [ ${SKIPTEST} -eq 0 ]; then
FOUND=0
- logtext "Test: Checking USB storage driver in directory /etc/modprobe.d and configuration file /etc/modprobe.conf"
+ LogText "Test: Checking USB storage driver in directory /etc/modprobe.d and configuration file /etc/modprobe.conf"
if [ -d /etc/modprobe.d ]; then
FIND=`ls /etc/modprobe.d/* 2> /dev/null`
if [ ! "${FIND}" = "" ]; then
@@ -37,53 +37,53 @@
FIND2=`egrep -r "^blacklist usb[-_]storage" /etc/modprobe.d/*`
if [ ! "${FIND}" = "" -o ! "${FIND2}" = "" ]; then
FOUND=1
- logtext "Result: found usb-storage driver in disabled state (blacklisted)"
+ LogText "Result: found usb-storage driver in disabled state (blacklisted)"
fi
else
- logtext "Result: uncommon situation. Found /etc/modprobe.d directory, but no files in it."
+ LogText "Result: uncommon situation. Found /etc/modprobe.d directory, but no files in it."
fi
fi
if [ -f /etc/modprobe.conf ]; then
FIND=`egrep "install usb[-_]storage /bin/(false|true)" /etc/modprobe.conf | grep "usb-storage" | grep -v "#"`
if [ ! "${FIND}" = "" ]; then
FOUND=1
- logtext "Result: found usb-storage driver in disabled state"
+ LogText "Result: found usb-storage driver in disabled state"
fi
fi
if [ ${FOUND} -eq 0 ]; then
- logtext "Result: usb-storage driver is not explicitly disabled"
+ LogText "Result: usb-storage driver is not explicitly disabled"
Display --indent 2 --text "- Checking usb-storage driver (modprobe config)" --result "NOT DISABLED" --color WHITE
ReportSuggestion ${TEST_NO} "Disable drivers like USB storage when not used, to prevent unauthorized storage or data theft"
AddHP 2 3
else
- logtext "Result: usb-storage driver is disabled"
+ LogText "Result: usb-storage driver is disabled"
Display --indent 2 --text "- Checking usb-storage driver (modprobe config)" --result "DISABLED" --color GREEN
AddHP 3 3
fi
- logtext "Test: Checking USB devices authorization to connect to the system"
+ LogText "Test: Checking USB devices authorization to connect to the system"
FOUND=0
USBDEVICESPATH="/sys/bus/usb/devices/usb"
for device in "${USBDEVICESPATH}"*; do
if [ -e "${device}/authorized" ] || [ -e "${device}/authorized_default" ]; then
if [ `cat "${device}/authorized_default"` -eq 1 ]; then
FOUND=1
- logtext "Test: ${device} is authorized by default"
+ LogText "Test: ${device} is authorized by default"
elif [ `cat "${device}/authorized"` -eq 1 ]; then
FOUND=1
- logtext "Test: ${device} is authorized for now"
+ LogText "Test: ${device} is authorized for now"
fi
fi
done
if [ ${FOUND} -eq 1 ]; then
- logtext "Result: Some USB devices are authorized by default or temporary to connect to the system"
+ LogText "Result: Some USB devices are authorized by default or temporary to connect to the system"
Display --indent 2 --text "- Checking USB devices authorization" --result "ENABLED" --color RED
ReportSuggestion ${TEST_NO} "Disable USB devices authorization, to prevent unauthorized storage or data theft"
AddHP 0 3
else
- logtext "Result: None USB devices are authorized by default or temporary to connect to the system"
+ LogText "Result: None USB devices are authorized by default or temporary to connect to the system"
Display --indent 2 --text "- Checking USB devices authorization" --result "DISABLED" --color GREEN
AddHP 3 3
fi
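Review bot: the USB authorization loop accepts either `authorized` or `authorized_default` existing, but then reads both files unconditionally. When only `authorized` is present, `cat "${device}/authorized_default"` fails, the substitution is empty and the first test becomes `[ -eq 1 ]`, which `[` rejects with a usage error on stderr before the elif is tried. Guard each read with its own `-r` check, or read the file into a variable defaulted to 0 before comparing. The result strings also need wording: "None USB devices are authorized by default or temporary" should be "No USB devices are authorized by default or temporarily".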
@@ -98,7 +98,7 @@
Register --test-no STRG-1846 --os Linux --weight L --network NO --description "Check if firewire storage is disabled"
if [ ${SKIPTEST} -eq 0 ]; then
FOUND=0
- logtext "Test: Checking firewire storage driver in directory /etc/modprobe.d and configuration file /etc/modprobe.conf"
+ LogText "Test: Checking firewire storage driver in directory /etc/modprobe.d and configuration file /etc/modprobe.conf"
if [ -d /etc/modprobe.d ]; then
FIND=`ls /etc/modprobe.d/* 2> /dev/null`
if [ ! "${FIND}" = "" ]; then
@@ -106,10 +106,10 @@
FIND2=`egrep "install (ohci1394|firewire[-_]ohci|firewire-core) /bin/(false|true)" /etc/modprobe.d/* | grep -v "#"`
if [ ! "${FIND1}" = "" -o ! "${FIND2}" = "" ]; then
FOUND=1
- logtext "Result: found firewire ohci driver in disabled state"
+ LogText "Result: found firewire ohci driver in disabled state"
fi
else
- logtext "Result: skipping /etc/modprobe.d, directory found but no files in it"
+ LogText "Result: skipping /etc/modprobe.d, directory found but no files in it"
fi
fi
if [ -f /etc/modprobe.conf ]; then
@@ -117,18 +117,18 @@
FIND2=`egrep -r "install (ohci1394|firewire[-_]ohci|firewire-core) /bin/(false|true)" /etc/modprobe.conf | grep -v "#"`
if [ ! "${FIND1}" = "" -o ! "${FIND2}" = "" ]; then
FOUND=1
- logtext "Result: found firewire ohci driver in disabled state"
+ LogText "Result: found firewire ohci driver in disabled state"
fi
fi
if [ ${FOUND} -eq 0 ]; then
- logtext "Result: firewire ohci driver is not explicitly disabled"
+ LogText "Result: firewire ohci driver is not explicitly disabled"
Display --indent 2 --text "- Checking firewire ohci driver (modprobe config)" --result "NOT DISABLED" --color WHITE
ReportSuggestion ${TEST_NO} "Disable drivers like firewire storage when not used, to prevent unauthorized storage or data theft"
# after blacklisting modules, make sure to remove them from the initram filesystem: update-initramfs -u
AddHP 2 3
else
- logtext "Result: firewire ohci driver is disabled"
+ LogText "Result: firewire ohci driver is disabled"
Display --indent 2 --text "- Checking firewire ohci driver (modprobe config)" --result "DISABLED" --color GREEN
AddHP 3 3
fi
@@ -141,4 +141,4 @@ wait_for_keypress
#
#================================================================================
-# Lynis - Copyright 2007-2015, CISOfy, Michael Boelen - https://cisofy.com
+# Lynis - Copyright 2007-2016, CISOfy, Michael Boelen - https://cisofy.com
diff --git a/include/tests_storage_nfs b/include/tests_storage_nfs
index 9f245a9a..1327394d 100644
--- a/include/tests_storage_nfs
+++ b/include/tests_storage_nfs
@@ -5,7 +5,7 @@
# Lynis
# ------------------
#
-# Copyright 2007-2015, Michael Boelen (michael.boelen@cisofy.com)
+# Copyright 2007-2016, Michael Boelen (michael.boelen@cisofy.com)
# Web site: https://cisofy.com
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
@@ -32,10 +32,10 @@
if [ ! "${RPCINFOBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no STRG-1902 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check rpcinfo registered programs"
if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: Checking rpcinfo registered programs"
+ LogText "Test: Checking rpcinfo registered programs"
FIND=`${RPCINFOBINARY} -p 2> /dev/null | tr -s ' ' ','`
for I in ${FIND}; do
- logtext "rpcinfo: ${I}"
+ LogText "rpcinfo: ${I}"
done
Display --indent 2 --text "- Query rpc registered programs" --result "DONE" --color GREEN
fi
@@ -47,10 +47,10 @@
if [ ! "${RPCINFOBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no STRG-1904 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check nfs rpc"
if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: Checking NFS registered versions"
+ LogText "Test: Checking NFS registered versions"
FIND=`${RPCINFOBINARY} -p 2> /dev/null | ${AWKBINARY} '{ if ($5=="nfs") { print $2 } }' | uniq | sort`
for I in ${FIND}; do
- logtext "Found version: ${I}"
+ LogText "Found version: ${I}"
done
Display --indent 2 --text "- Query NFS versions" --result "DONE" --color GREEN
fi
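Review bot: `uniq | sort` on the FIND line is in the wrong order. uniq only collapses adjacent duplicates, and rpcinfo lists the tcp and udp rows of each NFS version separately, so a version can appear non-adjacently and be logged twice; use `sort -u` (or `sort | uniq`). The same pipeline is repeated in STRG-1906 below. This test and STRG-1906 also share the description "Check nfs rpc", which makes them indistinguishable in the report; "Check NFS versions" here and "Check NFS protocols and ports" there would help.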
@@ -62,23 +62,23 @@
if [ ! "${RPCINFOBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no STRG-1906 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check nfs rpc"
if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: Checking NFS registered protocols"
+ LogText "Test: Checking NFS registered protocols"
FIND=`${RPCINFOBINARY} -p 2> /dev/null | ${AWKBINARY} '{ if ($5=="nfs") { print $3 } }' | uniq | sort`
for I in ${FIND}; do
- logtext "Found protocol: ${I}"
+ LogText "Found protocol: ${I}"
done
if [ "${FIND}" = "" ]; then
- logtext "Output: no NFS protocols found"
+ LogText "Output: no NFS protocols found"
fi
# Check port number
- logtext "Test: Checking NFS registered ports"
+ LogText "Test: Checking NFS registered ports"
FIND=`${RPCINFOBINARY} -p 2> /dev/null | ${AWKBINARY} '{ if ($5=="nfs") { print $3 } }' | uniq | sort`
for I in ${FIND}; do
- logtext "Found port: ${I}"
+ LogText "Found port: ${I}"
done
if [ "${FIND}" = "" ]; then
- logtext "Output: no NFS port number found"
+ LogText "Output: no NFS port number found"
fi
Display --indent 2 --text "- Query NFS protocols" --result "DONE" --color GREEN
fi
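Review bot: the port check in this hunk copies the protocol pipeline verbatim, including `print $3`, so the "Found port:" lines actually log protocol names; in `rpcinfo -p` output the port is the fourth column, so this should be `print $4`. Both pipelines also have `uniq | sort` in the wrong order (uniq only removes adjacent duplicates); use `sort -u`.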
@@ -89,13 +89,13 @@
# Description : Check for running NFS daemons
Register --test-no STRG-1920 --weight L --network NO --description "Checking NFS daemon"
if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: Checking running NFS daemon"
+ LogText "Test: Checking running NFS daemon"
FIND=`${PSBINARY} ax | grep "nfsd" | grep -v "grep"`
if [ "${FIND}" = "" ]; then
- logtext "Output: NFS daemon is not running"
+ LogText "Output: NFS daemon is not running"
Display --indent 2 --text "- Check running NFS daemon" --result "NOT FOUND" --color WHITE
else
- logtext "Output: NFS daemon is running"
+ LogText "Output: NFS daemon is running"
Display --indent 2 --text "- Check running NFS daemon" --result "FOUND" --color GREEN
NFS_DAEMON_RUNNING=1
fi
@@ -115,22 +115,22 @@
if [ ${NFS_DAEMON_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no STRG-1926 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking NFS exports"
if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: check /etc/exports"
+ LogText "Test: check /etc/exports"
if [ -f /etc/exports ]; then
- logtext "Result: /etc/exports exists"
+ LogText "Result: /etc/exports exists"
FIND=`grep -v "^$" /etc/exports | grep -v "^#" | sed 's/ /!space!/g'`
if [ ! "${FIND}" = "" ]; then
for I in ${FIND}; do
I=`echo ${I} | sed 's/!space!/ /g'`
- logtext "Found line: ${I}"
+ LogText "Found line: ${I}"
done
else
- logtext "Result: /etc/exports does not contain exported file systems"
+ LogText "Result: /etc/exports does not contain exported file systems"
NFS_EXPORTS_EMPTY=1
fi
Display --indent 4 --text "- Checking /etc/exports" --result "FOUND" --color GREEN
else
- logtext "Result: file /etc/exports does not exist"
+ LogText "Result: file /etc/exports does not exist"
Display --indent 4 --text "- Checking /etc/exports" --result "NOT FOUND" --color WHITE
fi
fi
@@ -144,7 +144,7 @@
if [ ${SKIPTEST} -eq 0 ]; then
if [ ${NFS_EXPORTS_EMPTY} -eq 1 ]; then
Display --indent 6 --text "- Checking empty /etc/exports" --result SUGGESTION --color YELLOW
- logtext "Result: /etc/exports seems to have no exported file systems"
+ LogText "Result: /etc/exports seems to have no exported file systems"
ReportSuggestion ${TEST_NO} "/etc/exports has no exported file systems, while NFS daemon is running. Check if NFS needs to run on this system"
fi
fi
@@ -156,15 +156,15 @@
if [ ${NFS_DAEMON_RUNNING} -eq 1 -a ${NFS_EXPORTS_EMPTY} -eq 0 -a ! "${SHOWMOUNTBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no STRG-1930 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check client access to nfs share"
if [ ${SKIPTEST} -eq 0 ]; then
- #logtext "Test: "
+ #LogText "Test: "
sFIND=`${SHOWMOUNTBINARY} -e | awk '{ print $2 }' | sed '1d'| grep "\*"`
if [ "${sFIND}" != "" ]; then
- logtext "Result: all client are allowed to access a NFS share in /etc/exports"
+ LogText "Result: all client are allowed to access a NFS share in /etc/exports"
Display --indent 4 --text "- Checking NFS client access" --result "ALL CLIENTS" --color YELLOW
ReportSuggestion ${TEST_NO} "Specify clients that are allowed to access a NFS share /etc/exports"
AddHP 2 3
else
- logtext "Result: only some clients are allowed to access a NFS share"
+ LogText "Result: only some clients are allowed to access a NFS share"
Display --indent 4 --text "- Checking NFS client access" --result OK --color GREEN
AddHP 3 3
fi
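Review bot: `grep "\*"` on the sFIND line matches any client specification containing an asterisk, so a domain-scoped wildcard such as `*.example.com` is reported as "ALL CLIENTS" although access is restricted; test for a client entry that is exactly `*` instead, splitting the comma-separated client list first (for example `tr ',' '\n' | grep -x '\*'`). The `#LogText "Test: "` placeholder was renamed but is still an empty comment, so unlike its siblings this test writes no "Test:" line to the log; fill it in or drop it. The LogText string "all client are allowed" should read "all clients are allowed".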
@@ -177,4 +177,4 @@ wait_for_keypress
#
#================================================================================
-# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com
+# Lynis - Copyright 2007-2016, Michael Boelen, CISOfy - https://cisofy.com
diff --git a/include/tests_time b/include/tests_time
index 34321bd0..93742236 100644
--- a/include/tests_time
+++ b/include/tests_time
@@ -5,7 +5,7 @@
# Lynis
# ------------------
#
-# Copyright 2007-2015, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
+# Copyright 2007-2016, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
# Web site: https://cisofy.com
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
@@ -47,7 +47,7 @@
Register --test-no TIME-3104 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check for running NTP daemon or client"
if [ ${SKIPTEST} -eq 0 ]; then
# Linux/FreeBSD (ntpdate), OpenBSD (ntpd, rdate), Chrony, systemd-timesyncd
- logtext "Test: Searching for a running NTP daemon or available client"
+ LogText "Test: Searching for a running NTP daemon or available client"
FOUND=0
if [ -f /etc/chrony.conf ]; then
@@ -70,7 +70,7 @@
if [ ! "${FIND}" = "" ]; then
FOUND=1; NTPD_RUNNING=1; NTP_DAEMON_RUNNING=1; NTP_CONFIG_TYPE_DAEMON=1
NTP_DAEMON="ntpd"
- logtext "Result: found running NTP daemon in process list"
+ LogText "Result: found running NTP daemon in process list"
Display --indent 2 --text "- NTP daemon found: ntpd" --result FOUND --color GREEN
fi
@@ -92,7 +92,7 @@
SYSTEMD_NTP_ENABLED=1
fi
else
- logtext "Result: time sychronization not performed according timedatectl command"
+ LogText "Result: time sychronization not performed according timedatectl command"
fi
fi
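Review bot: the LogText string in this hunk keeps two wording slips, "sychronization" and "according timedatectl command"; "time synchronization not performed according to timedatectl" reads cleanly, and since these strings are what people grep the log for, a misspelled one is hard to find.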
@@ -101,18 +101,18 @@
CRONTAB_FILES="/etc/anacrontab /etc/crontab"
for I in ${CRONTAB_FILES}; do
if [ -f ${I} ]; then
- logtext "Test: checking for ntpdate or rdate in crontab file ${I}"
+ LogText "Test: checking for ntpdate or rdate in crontab file ${I}"
FIND=`${EGREPBINARY} "ntpdate|rdate" ${I} | grep -v '^#'`
if [ ! "${FIND}" = "" ]; then
FOUND=1; NTP_CONFIG_TYPE_SCHEDULED=1
Display --indent 2 --text "- Checking NTP client in crontab file (${I})" --result FOUND --color GREEN
- logtext "Result: found ntpdate or rdate reference in crontab file ${I}"
+ LogText "Result: found ntpdate or rdate reference in crontab file ${I}"
else
#Display --indent 2 --text "- Checking NTP client in crontab file (${I})" --result "NOT FOUND" --color WHITE
- logtext "Result: no ntpdate or rdate reference found in crontab file ${I}"
+ LogText "Result: no ntpdate or rdate reference found in crontab file ${I}"
fi
else
- logtext "Result: crontab file ${I} not found"
+ LogText "Result: crontab file ${I} not found"
fi
done
@@ -126,44 +126,44 @@
FIND=`ls ${I} | grep -v FIFO`
if [ ! "${FIND}" = "" ]; then
for J in ${FIND}; do
- logtext "Test: checking for ntpdate or rdate in ${I}/${J}"
+ LogText "Test: checking for ntpdate or rdate in ${I}/${J}"
FIND2=`${EGREPBINARY} "rdate|ntpdate" ${I}/${J} | grep -v "^#"`
if [ ! "${FIND2}" = "" ]; then
- logtext "Positive match found: ${FIND2}"
+ LogText "Positive match found: ${FIND2}"
FOUND=1; FOUND_IN_CRON=1; NTP_CONFIG_TYPE_SCHEDULED=1
fi
done
else
- logtext "Result: ${I} is empty, skipping search in directory"
+ LogText "Result: ${I} is empty, skipping search in directory"
fi
fi
done
if [ ${FOUND_IN_CRON} -eq 1 ]; then
Display --indent 2 --text "- Checking NTP client in cron files" --result FOUND --color GREEN
- logtext "Result: found ntpdate or rdate in cron directory"
+ LogText "Result: found ntpdate or rdate in cron directory"
else
#Display --indent 2 --text "- Checking NTP client in cron.d files" --result "NOT FOUND" --color WHITE
- logtext "Result: no ntpdate or rdate found in cron directories"
+ LogText "Result: no ntpdate or rdate found in cron directories"
fi
# Checking if ntpdate is performed by event
- logtext "Test: checking for file /etc/network/if-up.d/ntpdate"
+ LogText "Test: checking for file /etc/network/if-up.d/ntpdate"
if [ -f /etc/network/if-up.d/ntpdate ]; then
- logtext "Result: found ntpdate action when network interface comes up"
+ LogText "Result: found ntpdate action when network interface comes up"
FOUND=1
NTP_CONFIG_TYPE_EVENTBASED=1
Display --indent 2 --text "- Checking event based ntpdate (if-up)" --result FOUND --color GREEN
else
- logtext "Result: file /etc/network/if-up.d/ntpdate does not exist"
+ LogText "Result: file /etc/network/if-up.d/ntpdate does not exist"
fi
# Configuration file for *BSD
if [ -f /etc/rc.conf ]; then
- logtext "Test: Checking if ntpdate is enabled at startup in *BSD"
+ LogText "Test: Checking if ntpdate is enabled at startup in *BSD"
FIND=`grep 'ntpdate_enable="YES"' /etc/rc.conf`
if [ ! "${FIND}" = "" ]; then
- logtext "Result: ntpdate is enabled in rc.conf"
+ LogText "Result: ntpdate is enabled in rc.conf"
FOUND=1
NTP_CONFIG_TYPE_STARTUP=1
# Only show suggestion when ntpdate is enabled, however ntpd is not running
@@ -171,22 +171,22 @@
ReportSuggestion ${TEST_NO} "Although ntpdate is enabled in rc.conf, it is adviced to run it at least daily or use a NTP daemon"
fi
else
- logtext "Result: ntpdate is not enabled in rc.conf"
+ LogText "Result: ntpdate is not enabled in rc.conf"
fi
fi
if [ ${FOUND} -eq 0 ]; then
if [ ${ISVIRTUALMACHINE} -eq 1 ]; then
- logtext "Result: Skipping display warning, as virtual machines usually don't need time synchronization in the VM itself"
+ LogText "Result: Skipping display warning, as virtual machines usually don't need time synchronization in the VM itself"
else
Display --indent 2 --text "- Checking for a running NTP daemon or client" --result WARNING --color RED
- logtext "Result: Could not find a NTP daemon or client"
+ LogText "Result: Could not find a NTP daemon or client"
ReportSuggestion ${TEST_NO} "Use NTP daemon or NTP client to prevent time issues."
AddHP 0 2
fi
else
Display --indent 2 --text "- Checking for a running NTP daemon or client" --result OK --color GREEN
- logtext "Result: Found a time syncing daemon/client."
+ LogText "Result: Found a time syncing daemon/client."
AddHP 3 3
fi
fi
@@ -198,10 +198,10 @@
if [ ${SYSTEMD_NTP_ENABLED} -eq 1 -a ! "${TIMEDATECTL}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no TIME-3106 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check systemd NTP time synchronization status"
if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: Check the status of time synchronization via timedatectl"
+ LogText "Test: Check the status of time synchronization via timedatectl"
FIND=`${TIMEDATECTL} status | grep "NTP sychronized: yes"`
if [ "${FIND}" = "" ]; then
- logtext "Result: time not synchronized via NTP"
+ LogText "Result: time not synchronized via NTP"
ReportSuggestion "${TEST_NO}" "Check timedatectl output. Sychronization via NTP is enabled, but status reflects it is not synchronized"
fi
fi
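Review bot: the grep pattern `"NTP sychronized: yes"` is misspelled, so it cannot match the `NTP synchronized: yes` line timedatectl prints and FIND is always empty; the effect is that TIME-3106 raises the "not synchronized" suggestion on every host it runs on, including correctly synchronized ones. Fix the spelling in the pattern; the ReportSuggestion text has the same typo in "Sychronization".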
@@ -213,11 +213,11 @@
if [ ${NTPD_RUNNING} -eq 1 -a ! "${NTPQBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no TIME-3112 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check active NTP associations ID's"
if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: Checking for NTP association ID's from ntpq peers list"
+ LogText "Test: Checking for NTP association ID's from ntpq peers list"
FIND=`${NTPQBINARY} -p -n | grep "No association ID's returned"`
if [ "${FIND}" = "" ]; then
Display --indent 2 --text "- Checking valid association ID's" --result FOUND --color GREEN
- logtext "Result: Found one or more association ID's"
+ LogText "Result: Found one or more association ID's"
else
Display --indent 2 --text "- Checking valid association ID's" --result WARNING --color RED
ReportSuggestion ${TEST_NO} "Check ntp.conf for properly configured NTP servers and a correctly functioning name service."
@@ -232,28 +232,28 @@
Register --test-no TIME-3116 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check peers with stratum value of 16"
if [ ${SKIPTEST} -eq 0 ]; then
N=0
- logtext "Test: Checking stratum 16 sources from ntpq peers list"
+ LogText "Test: Checking stratum 16 sources from ntpq peers list"
FIND=`${NTPQBINARY} -p -n | awk '{ if ($3=="16") { print $1 } }'`
if [ "${FIND}" = "" ]; then
Display --indent 2 --text "- Checking high stratum ntp peers" --result OK --color GREEN
- logtext "Result: All peers are lower than stratum 16"
+ LogText "Result: All peers are lower than stratum 16"
else
for I in ${FIND}; do
- logtext "Found stratum 16 peer: ${I}"
+ LogText "Found stratum 16 peer: ${I}"
FIND2=`egrep "^ntp:ignore_stratum_16_peer:${I}:" ${PROFILE}`
if [ "${FIND2}" = "" ]; then
N=`expr ${N} + 1`
else
- logtext "Output: host ${I} ignored by profile"
+ LogText "Output: host ${I} ignored by profile"
fi
done
# Check if one or more high stratum time servers are found
if [ ${N} -eq 0 ]; then
Display --indent 2 --text "- Checking high stratum ntp peers" --result OK --color GREEN
- logtext "Result: all non local servers are lower than stratum 16, or whitelisted within the scan profile"
+ LogText "Result: all non local servers are lower than stratum 16, or whitelisted within the scan profile"
else
Display --indent 2 --text "- Checking high stratum ntp peers" --result WARNING --color RED
- logtext "Result: Found one or more high stratum (16) peers)"
+ LogText "Result: Found one or more high stratum (16) peers)"
ReportSuggestion ${TEST_NO} "Check ntpq peers output"
ReportWarning ${TEST_NO} "L" "Found one or more stratum 16 peers"
fi
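Review bot: the WARNING-branch LogText in this hunk has an unbalanced parenthesis, "high stratum (16) peers)"; drop the trailing one. The same branch raises both a ReportSuggestion and a ReportWarning for one finding; since the warning already names the stratum-16 peers, consider whether the extra "Check ntpq peers output" suggestion adds anything.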
@@ -269,16 +269,16 @@
if [ ${NTPD_RUNNING} -eq 1 -a ! "${NTPQBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no TIME-3120 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check unreliable NTP peers"
if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: Checking unreliable ntp peers"
+ LogText "Test: Checking unreliable ntp peers"
FIND=`${NTPQBINARY} -p -n | egrep "^(-|#)" | awk '{ print $1 }' | sed 's/^-//g'`
if [ "${FIND}" = "" ]; then
Display --indent 2 --text "- Checking unreliable ntp peers" --result NONE --color GREEN
- logtext "Result: No unreliable peers found"
+ LogText "Result: No unreliable peers found"
else
Display --indent 2 --text "- Checking unreliable ntp peers" --result FOUND --color YELLOW
- logtext "Result: Found one or more unreliable peers (marked with a minus or dash sign)"
+ LogText "Result: Found one or more unreliable peers (marked with a minus or dash sign)"
for I in ${FIND}; do
- logtext "Unreliable peer: ${I}"
+ LogText "Unreliable peer: ${I}"
done
ReportSuggestion ${TEST_NO} "Check ntpq peers output for unreliable ntp peers and correct/replace them"
fi
@@ -291,17 +291,17 @@
if [ ${NTPD_RUNNING} -eq 1 -a ! "${NTPQBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no TIME-3124 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check selected time source"
if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: Checking selected time source"
+ LogText "Test: Checking selected time source"
FIND=`${NTPQBINARY} -p -n | grep '^*' | awk '{ if ($4=="l") { print $1 } }'`
FIND2=`${NTPQBINARY} -p -n | grep '^*' | awk '{ print $1 }'`
if [ "${FIND}" = "" -a ! "${FIND2}" = "" ]; then
Display --indent 2 --text "- Checking selected time source" --result OK --color GREEN
FIND2=`echo ${FIND2} | sed 's/*//g'`
- logtext "Result: Found selected time source (value: ${FIND2})"
+ LogText "Result: Found selected time source (value: ${FIND2})"
else
Display --indent 2 --text "- Checking selected time source" --result WARNING --color RED
- logtext "Result: Found local source as selected time source. This could indicate that no external sources are available to sync with."
- logtext "Local source: ${FIND}"
+ LogText "Result: Found local source as selected time source. This could indicate that no external sources are available to sync with."
+ LogText "Local source: ${FIND}"
ReportSuggestion ${TEST_NO} "Check ntpq peers output for selected time source"
fi
fi
@@ -313,18 +313,18 @@
if [ ${NTPD_RUNNING} -eq 1 -a ! "${NTPQBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no TIME-3128 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check preffered time source"
if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: Checking preferred time source"
+ LogText "Test: Checking preferred time source"
FIND=`${NTPQBINARY} -p -n | grep '^+' | awk '{ print $1 }'`
if [ "${FIND}" = "" ]; then
Display --indent 2 --text "- Checking time source candidates" --result NONE --color YELLOW
- logtext "Result: No other time source candidates found"
+ LogText "Result: No other time source candidates found"
ReportSuggestion ${TEST_NO} "Check ntpq peers output for time source candidates"
else
Display --indent 2 --text "- Checking time source candidates" --result OK --color GREEN
- logtext "Result: Found one or more candidates to synchronize time with."
+ LogText "Result: Found one or more candidates to synchronize time with."
for I in ${FIND}; do
I=`echo ${I} | sed 's/+//g'`
- logtext "Candidate found: ${I}"
+ LogText "Candidate found: ${I}"
done
fi
fi
@@ -336,18 +336,18 @@
if [ ${NTPD_RUNNING} -eq 1 -a ! "${NTPQBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no TIME-3132 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check NTP falsetickers"
if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: Checking preferred time source"
+ LogText "Test: Checking preferred time source"
FIND=`${NTPQBINARY} -p -n | grep '^x'`
if [ "${FIND}" = "" ]; then
Display --indent 2 --text "- Checking falsetickers" --result OK --color GREEN
- logtext "Result: No falsetickers found (items preceeding with an 'x')"
+ LogText "Result: No falsetickers found (items preceeding with an 'x')"
else
Display --indent 2 --text "- Checking falsetickers" --result NONE --color YELLOW
- logtext "Result: Found one or more falsetickers (items preceeding with an 'x')"
+ LogText "Result: Found one or more falsetickers (items preceeding with an 'x')"
for I in ${FIND}; do
I=`echo ${I} | sed 's/x//g'`
- logtext "Falseticker found: ${I}"
- report "ntp_falseticker=${I}"
+ LogText "Falseticker found: ${I}"
+ Report "ntp_falseticker=${I}"
done
ReportSuggestion ${TEST_NO} "Check ntpq peers output for falsetickers"
fi
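Review bot: the first LogText in this hunk still reads "Test: Checking preferred time source", copied from TIME-3128, although this test checks falsetickers. More importantly, FIND keeps the whole ntpq line (`grep '^x'` with no field selection), so `for I in ${FIND}` iterates over every column of that line (remote, refid, st, t, when, poll, ...) and emits one `ntp_falseticker=` report entry per column instead of one per peer; select the address with `awk '{ print $1 }'` as TIME-3128 does, and replace `sed 's/x//g'` with `sed 's/^x//'` so only the tally marker is removed. "preceeding" in both result lines should read "preceded".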
@@ -360,16 +360,16 @@
if [ ${NTPD_RUNNING} -eq 1 -a ! "${NTPQBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no TIME-3136 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --description "Check NTP protocol version"
if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: Checking NTP protocol version (ntpq -c ntpversion)"
+ LogText "Test: Checking NTP protocol version (ntpq -c ntpversion)"
FIND=`${NTPQBINARY} -c ntpversion | awk '{ if ($1=="NTP" && $2=="version" && $5=="is") { print $6 } }'`
if [ "${FIND}" = "" ]; then
Display --indent 2 --text "- Checking NTP version" --result UNKNOWN --color YELLOW
- logtext "Result: No NTP version found"
+ LogText "Result: No NTP version found"
ReportSuggestion ${TEST_NO} "Check ntpq output for NTP protocol version"
else
Display --indent 2 --text "- Checking NTP version" --result FOUND --color GREEN
- logtext "Result: Found NTP version ${FIND}"
- report "ntp_version=${FIND}"
+ LogText "Result: Found NTP version ${FIND}"
+ Report "ntp_version=${FIND}"
fi
fi
#
@@ -394,19 +394,19 @@
FILE="/etc/ntp/step-tickers"
if [ -f ${FILE} ]; then
if [ -z ${FILE} ]; then
- logtext "Result: ${FILE} is empty. The step-tickers contain no configured NTP servers"
+ LogText "Result: ${FILE} is empty. The step-tickers contain no configured NTP servers"
Display --indent 2 --text "- Checking NTP step-tickers file" --result "EMPTY FILE" --color YELLOW
ReportSuggestion ${TEST_NO} "Use step-rickers file for quicker time synchronization"
else
- logtext "Result: /etc/ntp/step-tickers is not empty, which is fine"
+ LogText "Result: /etc/ntp/step-tickers is not empty, which is fine"
Display --indent 2 --text "- Checking NTP step-tickers file" --result "OK" --color GREEN
sFIND=`${AWKBINARY} '/^server/ { print $2 }' /etc/ntp.conf | ${GREPBINARY} -v '127.127.1.0'`
for I in ${sFIND}; do
FIND=`${GREPBINARY} ^${I} ${FILE} | wc -l`
if [ ${FIND} -gt 0 ]; then
- logtext "Result: $I exist in ${FILE}"
+ LogText "Result: $I exist in ${FILE}"
else
- logtext "Result: ${I} does NOT exist in ${FILE}"
+ LogText "Result: ${I} does NOT exist in ${FILE}"
FOUND=1
fi
done
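Review bot: `if [ -z ${FILE} ]` tests whether the variable FILE is empty, which it never is at this point, so the "EMPTY FILE" branch is unreachable and an empty step-tickers file is reported as OK; the intended check is `if [ ! -s ${FILE} ]`. The suggestion text has "step-rickers". The server list is read from a hard-coded /etc/ntp.conf even though the table at the end of this file lists other locations, and `${GREPBINARY} ^${I}` is a prefix match, so server 10.0.0.1 counts as present when only 10.0.0.10 is in the file; anchor the pattern with a trailing space or end of line.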
@@ -416,14 +416,14 @@
AddHP 3 4
else
Display --indent 4 --text "- Checking step-tickers ntp servers entries" --result OK --color GREEN
- logtext "Result: all time servers are in step-tickers file"
+ LogText "Result: all time servers are in step-tickers file"
AddHP 4 4
fi
fi
- logtext "Information: step-tickers is used by ntpdate where as ntp.conf is the configuration file for the ntpd daemon. ntpdate is initially run to set the clock before ntpd to make sure time is within 1000 sec."
- logtext "Risk: ntp will not run at boot if the time difference between the server and client by more then 1000 sec."
+ LogText "Information: step-tickers is used by ntpdate where as ntp.conf is the configuration file for the ntpd daemon. ntpdate is initially run to set the clock before ntpd to make sure time is within 1000 sec."
+ LogText "Risk: ntp will not run at boot if the time difference between the server and client by more then 1000 sec."
else
- logtext "Result: test skipped because ${FILE} not found"
+ LogText "Result: test skipped because ${FILE} not found"
fi
fi
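Review bot: the two Information/Risk LogText lines are logged verbatim and read awkwardly: "where as" should be "whereas", "more then" should be "more than", and "if the time difference between the server and client by more then 1000 sec" lacks a verb ("differs by more than 1000 sec"). Fix the wording while these lines are being rewritten anyway.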
#
@@ -437,23 +437,49 @@ wait_for_keypress
#
#################################################################################
#
- report "ntp_config_found=${NTP_CONFIG_FOUND}"
- report "ntp_config_type_daemon=${NTP_CONFIG_TYPE_DAEMON}"
- report "ntp_config_type_eventbased=${NTP_CONFIG_TYPE_EVENTBASED}"
- report "ntp_config_type_scheduled=${NTP_CONFIG_TYPE_SCHEDULED}"
- report "ntp_config_type_startup=${NTP_CONFIG_TYPE_STARTUP}"
- report "ntp_daemon=${NTP_DAEMON}"
- report "ntp_daemon_running=${NTP_DAEMON_RUNNING}"
+ # Test : TIME-3170
+ # Description : Check file permissions and ownership of configuration files
+ # Notes : Files should be owned by root, or the user running
+ # Group owner should have only read access
+ # Other should preferably have no access, or read-only at max
+ FILE_ARRAY="/etc/chrony.conf /etc/inet/ntp.conf /etc/ntp.conf /usr/local/etc/ntp.conf"
+ Register --test-no TIME-3170 --weight L --network NO --description "Check configuration files"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ for FILE in ${FILE_ARRAY}; do
+ if [ -f ${FILE} ]; then
+ LogText "Result: found ${FILE}"
+ if IsWorldWritable ${FILE}; then
+ echo $?
+ echo "File ${FILE} is writable!!!!"
+ fi
+ Report "ntp_config_file[]=${FILE}"
+ fi
+ done
+ fi
+#
+#################################################################################
+#
+ Report "ntp_config_found=${NTP_CONFIG_FOUND}"
+ Report "ntp_config_type_daemon=${NTP_CONFIG_TYPE_DAEMON}"
+ Report "ntp_config_type_eventbased=${NTP_CONFIG_TYPE_EVENTBASED}"
+ Report "ntp_config_type_scheduled=${NTP_CONFIG_TYPE_SCHEDULED}"
+ Report "ntp_config_type_startup=${NTP_CONFIG_TYPE_STARTUP}"
+ Report "ntp_daemon=${NTP_DAEMON}"
+ Report "ntp_daemon_running=${NTP_DAEMON_RUNNING}"
+#
+#################################################################################
+#
# OS Time daemons Configuration file
# --------------------------------------------
# AIX xntpd /etc/ntp.conf
# HP
# Linux ntpd /etc/ntp.conf
+ # chrony /etc/chrony.conf
# OpenBSD ntpd /etc/ntpd.conf
# Solaris xntpd /etc/inet/ntp.conf
#
#================================================================================
-# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com
+# Lynis - Copyright 2007-2016, Michael Boelen, CISOfy - https://cisofy.com
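Review bot: the new TIME-3170 test still contains debugging output: `echo $?` and `echo "File ${FILE} is writable!!!!"` print straight to stdout, bypassing Display and LogText, and nothing is scored or reported when a world-writable file is found. Replace them with a Display line, a LogText line, a ReportWarning or ReportSuggestion and AddHP, as the other tests in this file do. The Notes promise ownership and group-permission checks, but only IsWorldWritable is called; either implement those checks or trim the Notes. FILE_ARRAY also omits /etc/ntpd.conf, which the table a few lines below lists as the OpenBSD path, and Register carries no --preqs-met, so the test runs even on hosts where no NTP configuration was detected.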
diff --git a/include/tests_tooling b/include/tests_tooling
index 0ae7f194..95f4f431 100644
--- a/include/tests_tooling
+++ b/include/tests_tooling
@@ -5,7 +5,7 @@
# Lynis
# ------------------
#
-# Copyright 2007-2015, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
+# Copyright 2007-2016, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
# Web site: https://cisofy.com
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
@@ -42,28 +42,28 @@
# Cfengine
if [ ! "${CFAGENTBINARY}" = "" ]; then
- logtext "Result: CFEngine (cfagent) is installed (${CFAGENTBINARY})"
+ LogText "Result: CFEngine (cfagent) is installed (${CFAGENTBINARY})"
AUTOMATION_TOOL_FOUND=1
CFENGINE_AGENT_FOUND=1
- report "automation_tool_running[]=cf-agent"
+ Report "automation_tool_running[]=cf-agent"
Display --indent 4 --text "Found: Cfengine (cfagent)" --result FOUND --color GREEN
fi
OTHER_CFENGINE_LOCATIONS="/var/cfengine/bin"
for I in ${OTHER_CFENGINE_LOCATIONS}; do
if [ -d ${I} ]; then
if [ -f ${I}/cf-agent ]; then
- logtext "Result: found CFEngine agent (cf-agent) in ${I}"
+ LogText "Result: found CFEngine agent (cf-agent) in ${I}"
AUTOMATION_TOOL_FOUND=1
CFENGINE_AGENT_FOUND=1
- report "automation_tool_running[]=cf-agent"
+ Report "automation_tool_running[]=cf-agent"
Display --indent 4 --text "Found: CFEngine (cf-agent)" --result FOUND --color GREEN
fi
IsRunning "cf-server"
if [ ${RUNNING} -eq 1 ]; then
- logtext "Result: found CFEngine server"
+ LogText "Result: found CFEngine server"
AUTOMATION_TOOL_FOUND=1
CFENGINE_SERVER_RUNNING=1
- report "automation_tool_running[]=cf-server"
+ Report "automation_tool_running[]=cf-server"
Display --indent 4 --text "Found: CFEngine (cf-server)" --result FOUND --color GREEN
fi
fi
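Review bot: the `Report "automation_tool_running[]=cf-agent"` lines in this hunk fire when the binary merely exists (only the cf-server branch calls IsRunning), and a host that has both ${CFAGENTBINARY} and /var/cfengine/bin/cf-agent gets the entry twice. Either gate the report on IsRunning "cf-agent" or rename the key to reflect presence, and skip the second Report when CFENGINE_AGENT_FOUND is already 1.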
@@ -76,57 +76,57 @@
if [ -f ${I}/chef-client ]; then
CHEFCLIENTBINARY="${I}/chef-client"
AUTOMATION_TOOL_FOUND=1
- report "automation_tool_running[]=chef-client"
+ Report "automation_tool_running[]=chef-client"
Display --indent 4 --text "Found: Chef client (chef-client)" --result FOUND --color GREEN
- logtext "Result: found chef-client (chef client daemon) in ${I}"
+ LogText "Result: found chef-client (chef client daemon) in ${I}"
fi
if [ -f ${I}/erchef ]; then
CHEFSERVERBINARY="${I}/erchef"
- logtext "Result: Chef Server (erchef) is installed (${CHEFSERVERBINARY})"
+ LogText "Result: Chef Server (erchef) is installed (${CHEFSERVERBINARY})"
AUTOMATION_TOOL_FOUND=1
- report "automation_tool_running[]=chef-server"
+ Report "automation_tool_running[]=chef-server"
Display --indent 4 --text "Found: Chef Server (erchef)" --result FOUND --color GREEN
- logtext "Result: found erchef (chef server daemon) in ${I}"
+ LogText "Result: found erchef (chef server daemon) in ${I}"
fi
fi
done
# Puppet
if [ ! "${PUPPETBINARY}" = "" ]; then
- logtext "Result: Puppet is installed (${PUPPETBINARY})"
+ LogText "Result: Puppet is installed (${PUPPETBINARY})"
AUTOMATION_TOOL_FOUND=1
- report "automation_tool_running[]=puppet-agent"
+ Report "automation_tool_running[]=puppet-agent"
Display --indent 4 --text "Found: Puppet (agent)" --result FOUND --color GREEN
fi
IsRunning "puppet master"
if [ ${RUNNING} -eq 1 ]; then
- logtext "Result: found puppet master"
+ LogText "Result: found puppet master"
PUPPET_MASTER_RUNNING=1
- report "automation_tool_running[]=puppet-master"
+ Report "automation_tool_running[]=puppet-master"
Display --indent 4 --text "Found: Puppet (master)" --result FOUND --color GREEN
fi
# SaltStack
if [ ! "${SALTMINIONBINARY}" = "" ]; then
- logtext "Result: SaltStack (salt-minion) is installed (${SALTMINIONBINARY})"
+ LogText "Result: SaltStack (salt-minion) is installed (${SALTMINIONBINARY})"
AUTOMATION_TOOL_FOUND=1
SALT_MINION_RUNNING=1
- report "automation_tool_running[]=saltstack-minion"
+ Report "automation_tool_running[]=saltstack-minion"
Display --indent 4 --text "Found: SaltStack minion (salt-minion)" --result FOUND --color GREEN
fi
if [ ! "${SALTMASTERBINARY}" = "" ]; then
- logtext "Result: SaltStack (salt-master) is installed (${SALTMASTERBINARY})"
+ LogText "Result: SaltStack (salt-master) is installed (${SALTMASTERBINARY})"
AUTOMATION_TOOL_FOUND=1
SALT_MASTER_RUNNING=1
- report "automation_tool_running[]=saltstack-minion"
+ Report "automation_tool_running[]=saltstack-minion"
Display --indent 4 --text "Found: SaltStack master (salt-master)" --result FOUND --color GREEN
else
IsRunning "salt-master"
if [ ${RUNNING} -eq 1 ]; then
- logtext "Result: found SaltStack (master)"
+ LogText "Result: found SaltStack (master)"
AUTOMATION_TOOL_FOUND=1
SALT_MASTER_RUNNING=1
- report "automation_tool_running[]=saltstack-master"
+ Report "automation_tool_running[]=saltstack-master"
Display --indent 4 --text "Found: SaltStack (master)" --result FOUND --color GREEN
fi
fi
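Review bot: the salt-master branch reports the wrong key: `Report "automation_tool_running[]=saltstack-minion"` is emitted when ${SALTMASTERBINARY} is set, while the else branch correctly reports saltstack-master; change it to saltstack-master. The same hunk sets SALT_MINION_RUNNING=1 and SALT_MASTER_RUNNING=1 solely because a binary is installed, with no IsRunning call, so the *_RUNNING names overstate what was actually checked.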
@@ -150,10 +150,10 @@
#
#################################################################################
#
- report "automation_tool_present=${AUTOMATION_TOOL_FOUND}"
+ Report "automation_tool_present=${AUTOMATION_TOOL_FOUND}"
wait_for_keypress
#
#================================================================================
-# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com
+# Lynis - Copyright 2007-2016, Michael Boelen, CISOfy - https://cisofy.com
diff --git a/include/tests_virtualization b/include/tests_virtualization
index 6c80e081..c2a6ca69 100644
--- a/include/tests_virtualization
+++ b/include/tests_virtualization
@@ -5,7 +5,7 @@
# Lynis
# ------------------
#
-# Copyright 2007-2015, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
+# Copyright 2007-2016, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
# Web site: https://cisofy.com
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
@@ -32,9 +32,9 @@
# # check memory driver file
# # check LKM list
# # check vmware tools
-# logtext "Test: checking VMware tools daemon presence"
+# LogText "Test: checking VMware tools daemon presence"
# if [ ! "${VMWARETOOLSBINARY}" = "" ]; then
-# logtext "Result: VMware tools binary found"
+# LogText "Result: VMware tools binary found"
# VMWARE_GUEST=1
# Display --indent 4 --text "- Checking VMware tools daemon" --result FOUND --color GREEN
# else
@@ -50,4 +50,4 @@ wait_for_keypress
#
#================================================================================
-# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com
+# Lynis - Copyright 2007-2016, Michael Boelen, CISOfy - https://cisofy.com
diff --git a/include/tests_webservers b/include/tests_webservers
index 020c1420..7851cb4c 100644
--- a/include/tests_webservers
+++ b/include/tests_webservers
@@ -5,7 +5,7 @@
# Lynis
# ------------------
#
-# Copyright 2007-2015, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
+# Copyright 2007-2016, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
# Web site: https://cisofy.com
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
@@ -58,14 +58,14 @@
if [ "${HTTPDBINARY}" = "" ]; then
Display --indent 2 --text "- Checking Apache" --result "NOT FOUND" --color WHITE
else
- logtext "Test: Scanning for Apache binary"
+ LogText "Test: Scanning for Apache binary"
IS_APACHE=`${HTTPDBINARY} -v 2> /dev/null | egrep '[aA]pache'`
if [ "${IS_APACHE}" = "" ]; then
- logtext "Result: ${HTTPDBINARY} is not Apache"
+ LogText "Result: ${HTTPDBINARY} is not Apache"
Display --indent 2 --text "- Checking Apache (binary ${HTTPDBINARY})" --result "NO MATCH" --color WHITE
else
Display --indent 2 --text "- Checking Apache (binary ${HTTPDBINARY})" --result "FOUND" --color GREEN
- logtext "Result: ${HTTPDBINARY} seems to be Apache HTTP daemon"
+ LogText "Result: ${HTTPDBINARY} seems to be Apache HTTP daemon"
APACHE_INSTALLED=1
fi
fi
@@ -91,7 +91,7 @@
APACHE_TEST=`${HTTPDBINARY} -V 2> /dev/null | grep "\-D SERVER_CONFIG_FILE=" | sed 's/[ ]-D SERVER_CONFIG_FILE=//' | tr -d '"' | tr -d ' ' | tr -d '[:cntrl:]'`
if [ "${APACHE_TEST}" = "" ]; then
- logtext "Result: Can't find the configuration file, so skipping some Apache related tests"
+ LogText "Result: Can't find the configuration file, so skipping some Apache related tests"
else
# We found a possible match. Checking if it's valid filename. If not, we need to add a prefix
if [ -f ${APACHE_TEST} ]; then
@@ -106,9 +106,9 @@
if [ -f ${APACHE_TESTFILE} ]; then
APACHE_CONFIGFILE="${APACHE_TESTFILE}"
Display --indent 6 --text "Info: Configuration file found (${APACHE_CONFIGFILE})"
- logtext "Result: Configuration file found (${APACHE_CONFIGFILE})"
+ LogText "Result: Configuration file found (${APACHE_CONFIGFILE})"
else
- logtext "Result: File or directory ${APACHE_CONFIGFILE} does not exist"
+ LogText "Result: File or directory ${APACHE_CONFIGFILE} does not exist"
Display --indent 6 --text "[Notice] possible directory/file parts found, but still unsure what the real configuration file is. Skipping some Apache related tests"
ReportException "${TEST_NO}:1" "Found some unknown directory or file references in Apache configuration"
fi
@@ -139,7 +139,7 @@
# Check every configuration file
for I in `cat ${TMPFILE}`; do
- logtext "Apache config file: ${I}"
+ LogText "Apache config file: ${I}"
FileIsReadable ${I}
if [ ${CANREAD} -eq 1 ]; then
@@ -158,7 +158,7 @@
fi
done
else
- logtext "Result: can not read configuration file with this user ID"
+ LogText "Result: can not read configuration file with this user ID"
ReportException "${TEST_NO}:1" "Can not read configuration file $I"
fi
done
@@ -166,13 +166,13 @@
# Log all virtual hosts we found
for J in ${tVHOSTS}; do
if [ ! -z ${J} ]; then
- logtext "Virtual host: ${J}"
- report "apache_vhost_name[]=${J}"
+ LogText "Virtual host: ${J}"
+ Report "apache_vhost_name[]=${J}"
fi
done
# Show number of vhosts if we found any
- logtext "Result: found ${cVHOSTS} virtual hosts"
+ LogText "Result: found ${cVHOSTS} virtual hosts"
if [ ${cVHOSTS} -gt 0 ]; then
Display --indent 6 --text "Info: Found ${cVHOSTS} virtual hosts"
else
@@ -204,15 +204,15 @@
# if [ ! "${SERVERTOKENSTEST}" = "" ]; then
# Display --indent 4 --text "- Checking option ServerTokens" --result FOUND --color WHITE
# SERVERTOKENSTEST=`echo ${SERVERTOKENSTEST} | sed 's/ServerTokens//' | tr -d ' '`
-# logtext "Option ServerTokens found: ${SERVERTOKENSTEST}"
+# LogText "Option ServerTokens found: ${SERVERTOKENSTEST}"
# SERVERTOKENSEXPECTED=`grep 'apache' ${PROFILE} | grep 'ServerTokens' | cut -d ':' -f3`
# if [ "${SERVERTOKENSEXPECTED}" = "${SERVERTOKENSTEST}" ]; then
-# logtext "Result: Value from configuration file yielded the same output as in template"
+# LogText "Result: Value from configuration file yielded the same output as in template"
# SERVERTOKENSFOUND=1
# else
-# logtext "Result: Value of ServerTokens within active configuration is different than from used template."
-# logtext "Found: ${SERVERTOKENSTEST}"
-# logtext "Expected: ${SERVERTOKENSEXPECTED}"
+# LogText "Result: Value of ServerTokens within active configuration is different than from used template."
+# LogText "Found: ${SERVERTOKENSTEST}"
+# LogText "Expected: ${SERVERTOKENSEXPECTED}"
# fi
# else
# Display --indent 4 --text "- Checking option ServerTokens" --result "NOT FOUND" --color WHITE
@@ -220,7 +220,7 @@
#
# else
# # File does not exist, skipping
-# logtext "File ${APACHE_CONFIGFILE} does not exist, so skipping tests on this file"
+# LogText "File ${APACHE_CONFIGFILE} does not exist, so skipping tests on this file"
# fi
# done
#
@@ -244,14 +244,14 @@
#Register --test-no HTTP-6630 --preqs-met ${PREQS_MET} --weight L --network NO --description "Determining all loaded Apache modules"
#if [ ${SKIPTEST} -eq 0 ]; then
# Testing Debian style
- #logtext "Test: searching loaded/enabled Apache modules"
+ #LogText "Test: searching loaded/enabled Apache modules"
#apachectl -t -D DUMP_MODULES 2>&1 | egrep -v "(Loaded Modules|Syntax OK)" | sed 's/(\(shared\|static\))//' | sed 's/ //'
#for I in ${APACHE_MODULES_ENABLED_LOCS}; do
- #logtext "Test: checking ${I}"
+ #LogText "Test: checking ${I}"
#if [ -d ${I} ]; then
#FIND=`grep -r LoadModule ${I}/* | grep -v "^#" | awk '{ print $2":"$3 }'`
#else
- #logtext "Result: ${I} does not exist"
+ #LogText "Result: ${I} does not exist"
#fi
#done
#fi
@@ -263,15 +263,15 @@
if [ ${APACHE_INSTALLED} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no HTTP-6632 --preqs-met ${PREQS_MET} --weight L --network NO --description "Determining all available Apache modules"
if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: searching available Apache modules"
+ LogText "Test: searching available Apache modules"
N=0
for I in ${APACHE_MODULES_LOCS}; do
DirectoryExists ${I}
if [ ${DIRECTORY_FOUND} -eq 1 ]; then
FIND=`find ${I} -name mod_* -print | sort`
for J in ${FIND}; do
- report "apache_module[]=${J}"
- logtext "Result: found Apache module ${J}"
+ Report "apache_module[]=${J}"
+ LogText "Result: found Apache module ${J}"
N=`expr ${N} + 1`
done
fi
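Review bot: `find ${I} -name mod_* -print` leaves the pattern unquoted, so if the current working directory contains files matching mod_* the shell expands the glob before find sees it and the test silently lists the wrong modules; quote it as `-name 'mod_*'`.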
@@ -373,14 +373,14 @@
# Description : Search for nginx process
Register --test-no HTTP-6702 --weight L --network NO --description "Check nginx process"
if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: searching running nginx process"
+ LogText "Test: searching running nginx process"
FIND=`${PSBINARY} ax | grep "/nginx" | grep "master" | grep -v "grep"`
if [ ! "${FIND}" = "" ]; then
- logtext "Result: found running nginx process(es)"
+ LogText "Result: found running nginx process(es)"
Display --indent 2 --text "- Checking nginx" --result FOUND --color GREEN
NGINX_RUNNING=1
else
- logtext "Result: no running nginx process found"
+ LogText "Result: no running nginx process found"
Display --indent 2 --text "- Checking nginx" --result "NOT FOUND" --color WHITE
fi
fi
@@ -392,19 +392,19 @@
if [ ${NGINX_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no HTTP-6704 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check nginx configuration file"
if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: searching nginx configuration file"
+ LogText "Test: searching nginx configuration file"
for I in ${NGINX_CONF_LOCS}; do
if [ -f ${I}/nginx.conf ]; then
NGINX_CONF_LOCATION="${I}/nginx.conf"
- logtext "Found file ${NGINX_CONF_LOCATION}"
+ LogText "Found file ${NGINX_CONF_LOCATION}"
fi
done
if [ ! "${NGINX_CONF_LOCATION}" = "" ]; then
- logtext "Result: found nginx configuration file"
- report "nginx_main_conf_file=${NGINX_CONF_LOCATION}"
+ LogText "Result: found nginx configuration file"
+ Report "nginx_main_conf_file=${NGINX_CONF_LOCATION}"
Display --indent 4 --text "- Searching nginx configuration file" --result FOUND --color GREEN
else
- logtext "Result: no nginx configuration file found"
+ LogText "Result: no nginx configuration file found"
Display --indent 2 --text "- Searching nginx configuration file" --result "NOT FOUND" --color WHITE
fi
fi
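Review bot: the two Display lines in this hunk use different indentation for the same check (`--indent 4` for FOUND, `--indent 2` for NOT FOUND), which makes the screen output jump depending on the result; use the same indent in both branches.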
@@ -429,8 +429,8 @@
# Ensure that we are parsing normal files
if [ -f ${J} ]; then
N=`expr ${N} + 1`
- logtext "Result: found Nginx configuration file ${J}"
- report "nginx_sub_conf_file=${J}"
+ LogText "Result: found Nginx configuration file ${J}"
+ Report "nginx_sub_conf_file=${J}"
FileIsReadable ${J}
if [ ${CANREAD} -eq 1 ]; then
FIND3=`sed -e 's/^[ ]*//' ${J} | grep -v "^#" | grep -v "^$" | sed 's/[ ]/ /g' | sed 's/ / /g' | sed 's/ / /g' >> ${TMPFILE}`
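Review bot: `FIND3=\`sed ... >> ${TMPFILE}\`` assigns the output of a pipeline whose output is redirected into ${TMPFILE}, so FIND3 is always empty and never used; drop the assignment and run the pipeline directly.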
@@ -445,14 +445,14 @@
SORTFILE=`sort -u ${TMPFILE} | sed 's/ /:space:/g' | egrep -v "(application|audio|image|text|video)/" | egrep -v "({|})"`
for I in ${SORTFILE}; do
I=`echo ${I} | sed 's/:space:/ /g'`
- report "nginx_config_option=${I}";
+ Report "nginx_config_option=${I}";
done
# Remove unsorted file for next tests
if [ -f ${TMPFILE} ]; then rm -f ${TMPFILE}; fi
if [ ${N} -eq 0 ]; then
- logtext "Result: no nginx include statements found"
+ LogText "Result: no nginx include statements found"
else
Display --indent 6 --text "- Found nginx includes" --result "${N} FOUND" --color GREEN
fi
@@ -466,7 +466,7 @@
if [ ${NGINX_RUNNING} -eq 1 -a "${NGINX_CONF_LOCATION}" != "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no HTTP-6708 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check discovered nginx configuration settings"
if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: start parsing all discovered nginx options"
+ LogText "Test: start parsing all discovered nginx options"
Display --indent 4 --text "- Parsing configuration options"
ParseNginx
fi
@@ -481,7 +481,7 @@
if [ ${SKIPTEST} -eq 0 ]; then
NGINX_SSL_SUGGESTION=0
if [ ${NGINX_SSL_ON} -eq 1 ]; then
- logtext "Result: SSL is configured in nginx on one or more virtual hosts"
+ LogText "Result: SSL is configured in nginx on one or more virtual hosts"
Display --indent 6 --text "- SSL configured" --result "YES" --color GREEN
AddHP 5 5
# Cipher tests
@@ -513,13 +513,13 @@
fi
else
- logtext "Result: No SSL configuration found"
+ LogText "Result: No SSL configuration found"
Display --indent 6 --text "- SSL configured" --result "NO" --color RED
NGINX_SSL_SUGGESTION=1
AddHP 1 5
fi
if [ ${NGINX_SSL_SUGGESTION} -eq 1 ]; then
- logtext "Result: one or more parts of the nginx configuration could be enhanced regarding SSL"
+ LogText "Result: one or more parts of the nginx configuration could be enhanced regarding SSL"
ReportSuggestion ${TEST_NO} "Configure SSL in nginx for protection of sensitive data and privacy"
fi
fi
@@ -545,11 +545,11 @@
# Access log disabled
if [ ${NGINX_ACCESS_LOG_DISABLED} -eq 1 ]; then
NGINX_LOG_SUGGESTION=1
- logtext "Result: found one or more virtual hosts which have their access log disabled"
+ LogText "Result: found one or more virtual hosts which have their access log disabled"
Display --indent 8 --text "- Disabled access logging" --result "YES" --color RED
AddHP 2 3
else
- logtext "Result: no virtual hosts found which have their access log disabled"
+ LogText "Result: no virtual hosts found which have their access log disabled"
Display --indent 8 --text "- Disabled access logging" --result "NO" --color GREEN
AddHP 3 3
fi
@@ -591,11 +591,11 @@
# Access log in debug mode
if [ ${NGINX_ERROR_LOG_DEBUG} -eq 1 ]; then
NGINX_LOG_SUGGESTION=1
- logtext "Result: found one or more virtual hosts which have their error log in debug mode"
+ LogText "Result: found one or more virtual hosts which have their error log in debug mode"
Display --indent 8 --text "- Debugging mode on error_log" --result "YES" --color RED
AddHP 2 3
else
- logtext "Result: no virtual hosts found which have their access log disabled"
+ LogText "Result: no virtual hosts found which have their access log disabled"
Display --indent 8 --text "- Debugging mode on error_log" --result "NO" --color GREEN
AddHP 3 3
fi
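Review bot: the LogText in the else branch is copied from the access-log check and says "no virtual hosts found which have their access log disabled", but this branch is the error_log debug check and should read "no virtual hosts found which have their error log in debug mode". The comment heading the block ("Access log in debug mode") carries the same copy-paste and should say error log.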
@@ -614,17 +614,17 @@
# Register --test-no HTTP-67xx --preqs-met ${PREQS_MET} --weight L --network NO --description "Check nginx virtual hosts"
# if [ ${SKIPTEST} -eq 0 ]; then
# N=0
-# logtext "Test: searching proxy_pass statement in configuration file ${NGINX_CONF_LOCATION}"
+# LogText "Test: searching proxy_pass statement in configuration file ${NGINX_CONF_LOCATION}"
# FIND=`grep "proxy_pass" ${NGINX_CONF_LOCATION} | grep -v "#" | sed 's/proxy_pass//g' | tr -d ';'`
# for I in ${FIND}; do
-# logtext "Found reverse proxy configuration for: ${I}"
+# LogText "Found reverse proxy configuration for: ${I}"
# N=`expr ${N} + 1`
# done
# if [ ${N} -eq 0 ]; then
-# logtext "Result: no reverse proxying functionality found"
+# LogText "Result: no reverse proxying functionality found"
# Display --indent 4 --text "- Searching reverse proxy functionality" --result "NOT FOUND" --color WHITE
# else
-# logtext "Result: found ${N} addresses for which nginx will be a reverse proxy"
+# LogText "Result: found ${N} addresses for which nginx will be a reverse proxy"
# Display --indent 4 --text "- Searching reverse proxy functionality" --result "${N} FOUND" --color GREEN
# fi
# fi
@@ -638,19 +638,19 @@
# Register --test-no HTTP-67xx --preqs-met ${PREQS_MET} --weight L --network NO --description "Check nginx virtual hosts"
# if [ ${SKIPTEST} -eq 0 ]; then
# N=0
-# logtext "Test: searching nginx virtual hosts"
+# LogText "Test: searching nginx virtual hosts"
# FIND=`grep "server_name" ${NGINX_CONF_LOCATION} | grep -v "#" | sed 's/server_name//g' | tr -d ';'`
# for I in ${FIND}; do
# if [ "${I}" = "_" ]; then I="Default virtual host"; fi
-# logtext "Found virtual host: ${I}"
-# report "nginx_vhost_name[]=${I}"
+# LogText "Found virtual host: ${I}"
+# Report "nginx_vhost_name[]=${I}"
# N=`expr ${N} + 1`
# done
# if [ ${N} -eq 0 ]; then
-# logtext "Result: no virtual hosts found"
+# LogText "Result: no virtual hosts found"
# Display --indent 4 --text "- Searching virtual hosts" --result "NOT FOUND" --color WHITE
# else
-# logtext "Result: found ${N} virtual hosts"
+# LogText "Result: found ${N} virtual hosts"
# Display --indent 4 --text "- Searching virtual hosts" --result "${N} FOUND" --color GREEN
# fi
# fi
@@ -662,27 +662,27 @@
if [ ${NGINX_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no HTTP-6720 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check Nginx log files"
if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: Checking directories for files with log file definitions"
+ LogText "Test: Checking directories for files with log file definitions"
for I in ${NGINX_CONF_LOCS}; do
- logtext "Test: Checking ${I}"
+ LogText "Test: Checking ${I}"
if [ -d ${I} ]; then
- logtext "Result: Directory ${I} exists, so will be used as search path"
+ LogText "Result: Directory ${I} exists, so will be used as search path"
FIND=`find ${I} -type f -exec grep access_log \{\} \; | grep -v "#" | awk '{ if($1=="access_log") { print $2 } }' | sed 's/;$//g' | sort -u`
if [ "${FIND}" = "" ]; then
- logtext "Result: no log files found"
+ LogText "Result: no log files found"
else
- logtext "Result: found one or more log files"
+ LogText "Result: found one or more log files"
for I in ${FIND}; do
if [ -f ${I} ]; then
- logtext "Found log file: ${I}"
- report "log_file=${I}"
+ LogText "Found log file: ${I}"
+ Report "log_file=${I}"
else
- logtext "Found non existing log file: ${I}"
+ LogText "Found non existing log file: ${I}"
fi
done
fi
else
- logtext "Result: directory ${I} not found, skipping search in this directory."
+ LogText "Result: directory ${I} not found, skipping search in this directory."
fi
done
fi
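Review bot: the inner loop `for I in ${FIND}` reuses the outer loop variable from `for I in ${NGINX_CONF_LOCS}`; the outer loop still advances because its word list was expanded once, but the directory name is overwritten and the code is misleading, so use a separate variable such as J for the log files. `grep -v "#"` also drops any access_log line that merely contains a '#' later on, such as a trailing comment; `grep -v "^[[:space:]]*#"` keeps those definitions.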
@@ -704,4 +704,4 @@ wait_for_keypress
#
#================================================================================
-# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com
+# Lynis - Copyright 2007-2016, Michael Boelen, CISOfy - https://cisofy.com
diff --git a/lynis b/lynis
index b0c33853..d1473d5d 100755
--- a/lynis
+++ b/lynis
@@ -5,7 +5,7 @@
# Lynis
# ------------------
#
-# Copyright 2007-2015 Michael Boelen, CISOfy (michael.boelen@cisofy.com)
+# Copyright 2007-2016 Michael Boelen, CISOfy (michael.boelen@cisofy.com)
# Web site: https://cisofy.com
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
@@ -32,7 +32,7 @@
PROGRAM_author="Michael Boelen, CISOfy"
PROGRAM_author_contact="lynis-dev@cisofy.com"
PROGRAM_website="https://cisofy.com"
- PROGRAM_copyright="Copyright 2007-2015 - ${PROGRAM_author}, ${PROGRAM_website}"
+ PROGRAM_copyright="Copyright 2007-2016 - ${PROGRAM_author}, ${PROGRAM_website}"
PROGRAM_license="${PROGRAM_name} comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
welcome to redistribute it under the terms of the GNU General Public License.
See the LICENSE file for details about using this software."
@@ -897,4 +897,4 @@
#
#================================================================================
-# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com
+# Lynis - Copyright 2007-2016, Michael Boelen, CISOfy - https://cisofy.com