diff options
| -rw-r--r-- | include/tests_accounting | 103 | ||||
| -rw-r--r-- | include/tests_authentication | 22 | ||||
| -rw-r--r-- | include/tests_boot_services | 257 | ||||
| -rw-r--r-- | include/tests_containers | 43 | ||||
| -rw-r--r-- | include/tests_databases | 2 | ||||
| -rw-r--r-- | include/tests_file_integrity | 4 | ||||
| -rw-r--r-- | include/tests_file_permissions | 2 | ||||
| -rw-r--r-- | include/tests_filesystems | 18 | ||||
| -rw-r--r-- | include/tests_firewalls | 4 | ||||
| -rw-r--r-- | include/tests_kernel | 16 | ||||
| -rw-r--r-- | include/tests_kernel_hardening | 10 | ||||
| -rw-r--r-- | include/tests_logging | 4 | ||||
| -rw-r--r-- | include/tests_memory_processes | 4 | ||||
| -rw-r--r-- | include/tests_nameservices | 6 | ||||
| -rw-r--r-- | include/tests_networking | 32 | ||||
| -rw-r--r-- | include/tests_ports_packages | 64 | ||||
| -rw-r--r-- | include/tests_printers_spools | 6 | ||||
| -rw-r--r-- | include/tests_scheduling | 8 | ||||
| -rw-r--r-- | include/tests_shells | 10 | ||||
| -rw-r--r-- | include/tests_squid | 10 | ||||
| -rw-r--r-- | include/tests_ssh | 12 | ||||
| -rw-r--r-- | include/tests_storage_nfs | 8 | ||||
| -rw-r--r-- | include/tests_time | 8 | ||||
| -rw-r--r-- | include/tests_tooling | 2 | ||||
| -rw-r--r-- | include/tests_webservers | 28 |
25 files changed, 333 insertions, 350 deletions
diff --git a/include/tests_accounting b/include/tests_accounting index 0e522800..dac2630b 100644 --- a/include/tests_accounting +++ b/include/tests_accounting @@ -36,7 +36,7 @@ if [ ${SKIPTEST} -eq 0 ]; then if [ -f ${ROOTDIR}var/account/acct ]; then Display --indent 2 --text "- Checking accounting information" --result "${STATUS_OK}" --color GREEN - LogText "Result: /var/account/acct available" + LogText "Result: ${ROOTDIR}var/account/acct available" AddHP 3 3 else Display --indent 2 --text "- Checking accounting information" --result "${STATUS_NOT_FOUND}" --color YELLOW @@ -53,9 +53,9 @@ # Description : Check availability OpenBSD accounting data Register --test-no ACCT-2760 --os OpenBSD --weight L --network NO --category security --description "Check for available OpenBSD accounting information" if [ ${SKIPTEST} -eq 0 ]; then - if [ -f /var/account/acct ]; then + if [ -f ${ROOTDIR}var/account/acct ]; then Display --indent 2 --text "- Checking accounting information" --result "${STATUS_OK}" --color GREEN - LogText "Result: /var/account/acct available" + LogText "Result: ${ROOTDIR}var/account/acct available" AddHP 3 3 else Display --indent 2 --text "- Checking accounting information" --result "${STATUS_NOT_FOUND}" --color YELLOW @@ -104,21 +104,21 @@ LogText "Test: check /etc/default/sysstat presence" if [ -f ${ROOTDIR}etc/default/sysstat ]; then LogText "Result: ${ROOTDIR}etc/default/sysstat found" - FIND=`${GREPBINARY} "^ENABLED" ${ROOTDIR}etc/default/sysstat | ${GREPBINARY} -i true` + FIND=$(${GREPBINARY} "^ENABLED" ${ROOTDIR}etc/default/sysstat | ${GREPBINARY} -i true) if [ ! "${FIND}" = "" ]; then LogText "Result: sysstat enabled via ${ROOTDIR}etc/default/sysstat" Display --indent 2 --text "- Checking sysstat accounting data" --result "${STATUS_ENABLED}" --color GREEN - else + else LogText "Result: sysstat disabled via ${ROOTDIR}etc/default/sysstat" Display --indent 2 --text "- Checking sysstat accounting data" --result "${STATUS_DISABLED}" --color WHITE ReportSuggestion ${TEST_NO} "Enable sysstat to collect accounting (disabled)" fi elif [ -f ${ROOTDIR}etc/cron.d/sysstat ]; then - FIND=`${GREPBINARY} -v '^[[:space:]]*\(#\|$\)' ${ROOTDIR}etc/cron.d/sysstat` - if [ ! "${FIND}" = "" ]; then + FIND=$(${GREPBINARY} -v '^[[:space:]]*\(#\|$\)' ${ROOTDIR}etc/cron.d/sysstat) + if [ ! -z "${FIND}" ]; then LogText "Result: sysstat enabled via ${ROOTDIR}etc/cron.d/sysstat" Display --indent 2 --text "- Checking sysstat accounting data" --result "${STATUS_ENABLED}" --color GREEN - else + else LogText "Result: sysstat disabled via ${ROOTDIR}etc/cron.d/sysstat" Display --indent 2 --text "- Checking sysstat accounting data" --result "${STATUS_DISABLED}" --color WHITE ReportSuggestion ${TEST_NO} "Enable sysstat to collect accounting (cron disabled)" @@ -148,7 +148,7 @@ Report "audit_trail_tool[]=auditd" Report "linux_auditd_running=1" AddHP 4 4 - else + else LogText "Result: auditd not active" Display --indent 2 --text "- Checking auditd" --result "${STATUS_NOT_FOUND}" --color WHITE if [ ! "${VMTYPE}" = "openvz" ]; then @@ -163,24 +163,24 @@ # # Test : ACCT-9630 # Description : Check auditd rules - if [ ! "${AUDITDBINARY}" = "" -a ! "${AUDITCTLBINARY}" = "" -a ${LINUX_AUDITD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + if [ ! -z "${AUDITDBINARY}" -a ! -z "${AUDITCTLBINARY}" -a ${LINUX_AUDITD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no ACCT-9630 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --root-only YES --category security --description "Check for auditd rules" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Checking auditd rules" - FIND=`${AUDITCTLBINARY} -l | ${GREPBINARY} -v "No rules"` - if [ "${FIND}" = "" ]; then + FIND=$(${AUDITCTLBINARY} -l | ${GREPBINARY} -v "No rules") + if [ -z "${FIND}" ]; then LogText "Result: auditd rules empty" Display --indent 4 --text "- Checking audit rules" --result "${STATUS_SUGGESTION}" --color YELLOW AddHP 0 2 ReportSuggestion ${TEST_NO} "Audit daemon is enabled with an empty ruleset. Disable the daemon or define rules" - else + else LogText "Result: found auditd rules" Display --indent 4 --text "- Checking audit rules" --result "${STATUS_OK}" --color GREEN # Log audit daemon rules - FIND=`${AUDITCTLBINARY} -l | sed 's/ /!space!/g'` - for I in ${FIND}; do - I=`echo ${I} | sed 's/!space!/ /g'` - LogText "Output: ${I}" + FIND=$(${AUDITCTLBINARY} -l | ${SEDBINARY} 's/ /!space!/g') + for RULE in ${FIND}; do + RULE=$(echo ${RULE} | ${SEDBINARY} 's/!space!/ /g') + LogText "Output: ${RULE}" done fi fi @@ -193,18 +193,18 @@ Register --test-no ACCT-9632 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for auditd configuration file" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Checking auditd configuration file" - for I in ${AUDITD_CONF_LOCS}; do - if [ -f ${I}/auditd.conf ]; then - AUDITD_CONF_FILE="${I}/auditd.conf" - LogText "Result: Found ${I}/auditd.conf" - else - LogText "Result: ${I}/auditd.conf not found" + for DIR in ${AUDITD_CONF_LOCS}; do + if [ -f ${DIR}/auditd.conf ]; then + AUDITD_CONF_FILE="${DIR}/auditd.conf" + LogText "Result: Found ${DIR}/auditd.conf" + else + LogText "Result: ${DIR}/auditd.conf not found" fi done # Check if we discovered the configuration file. It should be there is the binaries are available and process is running if [ ! "${AUDITD_CONF_FILE}" = "" ]; then Display --indent 4 --text "- Checking audit configuration file" --result "${STATUS_OK}" --color GREEN - else + else LogText "Result: could not find auditd configuration file" Display --indent 4 --text "- Checking audit configuration file" --result "${STATUS_WARNING}" --color RED ReportSuggestion ${TEST_NO} "Determine the location of auditd configuration file" @@ -215,24 +215,24 @@ # # Test : ACCT-9634 # Description : Check auditd log file - if [ ! "${AUDITDBINARY}" = "" -a ${LINUX_AUDITD_RUNNING} -eq 1 -a ! "${AUDITD_CONF_FILE}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + if [ ! -z "${AUDITDBINARY}" -a ${LINUX_AUDITD_RUNNING} -eq 1 -a ! -z "${AUDITD_CONF_FILE}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no ACCT-9634 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for auditd log file" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Checking auditd log file" - FIND=`${GREPBINARY} "^log_file" ${AUDITD_CONF_FILE} | ${AWKBINARY} '{ if ($1=="log_file" && $2=="=") { print $3 } }'` - if [ ! "${FIND}" = "" ]; then + FIND=$(${GREPBINARY} "^log_file" ${AUDITD_CONF_FILE} | ${AWKBINARY} '{ if ($1=="log_file" && $2=="=") { print $3 } }') + if [ ! -z "${FIND}" ]; then LogText "Result: log file is defined" LogText "Defined value: ${FIND}" if [ -f ${FIND} ]; then LogText "Result: log file ${FIND} exists on disk" Display --indent 4 --text "- Checking auditd log file" --result "${STATUS_FOUND}" --color GREEN Report "logfile[]=${FIND}" - else + else LogText "Result: can't find log file ${FIND} on disk" Display --indent 4 --text "- Checking auditd log file" --result "${STATUS_SUGGESTION}" --color YELLOW ReportSuggestion ${TEST_NO} "Check auditd log file location" fi - else + else LogText "Result: no log file found" Display --indent 4 --text "- Checking auditd log file" --result "${STATUS_WARNING}" --color RED ReportWarning ${TEST_NO} "Auditd log file is defined but can not be found on disk" @@ -251,18 +251,18 @@ Display --indent 2 --text "- Checking Snoopy" --result "${STATUS_FOUND}" --color GREEN if [ -f ${ROOTDIR}etc/ld.so.preload ]; then LogText "Result: found ${ROOTDIR}etc/ld.so.preload, testing if snoopy.so is listed" - FIND=`${GREPBINARY} ${FILE} ${ROOTDIR}etc/ld.so.preload` + FIND=$(${GREPBINARY} ${FILE} ${ROOTDIR}etc/ld.so.preload) if [ ! "${FIND}" = "" ]; then LogText "Result: found snoopy in ld.so.preload" LogText "Output: ${FIND}" Display --indent 6 --text "- Library in ld.so.preload" --result "LOADED" --color GREEN Report "audit_trail_tool[]=snoopy" - else + else Display --indent 6 --text "- Library in ld.so.preload" --result "${STATUS_NOT_FOUND}" --color YELLOW ReportSuggestion ${TEST_NO} "Snoopy is installed but not loaded via /etc/ld.so.preload" AddHP 3 3 fi - else + else LogText "Result: ${ROOTDIR}etc/ld.so.preload does not exist" Display --indent 6 --text "- Library in ld.so.preload" --result "${STATUS_UNKNOWN}" --color PURPLE ReportException "${TEST_NO}:1" "Unsure how Snoopy might be loaded as ld.so.preload does not exist" @@ -283,7 +283,7 @@ SOLARIS_AUDITD_RUNNING=1 AUDIT_DAEMON_RUNNING=1 Display --indent 2 --text "- Checking Solaris audit daemon status" --result "${STATUS_RUNNING}" --color GREEN - else + else LogText "Result: Solaris audit daemon is not running" Display --indent 2 --text "- Checking Solaris audit daemon status" --result "${STATUS_NOT_RUNNING}" --color YELLOW fi @@ -297,11 +297,11 @@ Register --test-no ACCT-9652 --os Solaris --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check auditd SMF status" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: check if auditd service is enabled and online" - FIND=`/usr/bin/svcs svc:/system/auditd:default | ${GREPBINARY} "^online"` - if [ ! "${FIND}" = "" ]; then + FIND=$(/usr/bin/svcs svc:/system/auditd:default | ${GREPBINARY} "^online") + if [ ! -z "${FIND}" ]; then LogText "Result: auditd service is online" Display --indent 4 --text "- Checking Solaris audit daemon status" --result "${STATUS_ON}"LINE --color GREEN - else + else Display --indent 4 --text "- Checking Solaris audit daemon status" --result "NOT ONLINE" --color YELLOW ReportSuggestion "${TEST_NO}" "Check status of audit daemon" fi @@ -316,14 +316,14 @@ if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: check if BSM is enabled in ${ROOTDIR}etc/system" if [ -f ${ROOTDIR}etc/system ]; then - FIND=`${GREPBINARY} 'set c2audit:audit_load = 1' ${ROOTDIR}etc/system` - if [ ! "${FIND}" = "" ]; then + FIND=$(${GREPBINARY} 'set c2audit:audit_load = 1' ${ROOTDIR}etc/system) + if [ ! -z "${FIND}" ]; then LogText "Result: BSM is enabled in ${ROOTDIR}etc/system" Display --indent 4 --text "- Checking Solaris BSM (${ROOTDIR}etc/system)" --result "${STATUS_ENABLED}" --color GREEN - else + else Display --indent 4 --text "- Checking Solaris BSM (${ROOTDIR}etc/system)" --result "${STATUS_NOT_FOUND}" --color YELLOW fi - else + else LogText "Result: ${ROOTDIR}etc/system does not exist" fi fi @@ -332,20 +332,21 @@ # # Test : ACCT-9656 # Description : Check Solaris BSM (c2audit) module status + # Notes : todo - replace direct binary call if [ ${SOLARIS_AUDITD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no ACCT-9656 --os Solaris --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check BSM auditing in module list" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: check if c2audit module is active" if [ -x /usr/sbin/modinfo ]; then - FIND=`/usr/sbin/modinfo | ${GREPBINARY} c2audit` + FIND=$(/usr/sbin/modinfo | ${GREPBINARY} c2audit) if [ ! "${FIND}" = "" ]; then LogText "Result: c2audit found in modinfo output" Display --indent 4 --text "- Checking Solaris BSM (modules list)" --result "${STATUS_ENABLED}" --color GREEN - else + else LogText "Result: c2audit not found in modinfo output" Display --indent 4 --text "- Checking Solaris BSM (modules list)" --result "${STATUS_NOT_FOUND}" --color YELLOW fi - else + else LogText "Result: /usr/sbin/modinfo does not exist, skipping test" fi fi @@ -360,24 +361,24 @@ LogText "Test: check /etc/security/audit_control for event logging location" if [ -f ${ROOTDIR}etc/security/audit_control ]; then LogText "Result: file ${ROOTDIR}etc/security/audit_control found" - FIND=`${GREPBINARY} "^dir" ${ROOTDIR}etc/security/audit_control | ${AWKBINARY} -F: '{ print $2 }'` + FIND=$(${GREPBINARY} "^dir" ${ROOTDIR}etc/security/audit_control | ${AWKBINARY} -F: '{ print $2 }') if [ ! "${FIND}" = "" ]; then LogText "Result: found location ${FIND}" LogText "Test: Checking if location is a valid directory" if [ -d ${FIND} ]; then LogText "Result: location ${FIND} is valid" Display --indent 4 --text "- Checking Solaris audit location" --result "${STATUS_FOUND}" --color GREEN - else + else LogText "Result: location ${FIND} does not exist" Display --indent 4 --text "- Checking Solaris audit location" --result "${STATUS_NOT_FOUND}" --color YELLOW ReportSuggestion "${TEST_NO}" "Check if the Solaris audit directory is available" fi - else + else LogText "Result: unknown event location" Display --indent 4 --text "- Checking Solaris audit location" --result "${STATUS_UNKNOWN}" --color YELLOW ReportSuggestion "${TEST_NO}" "Check if the Solaris audit directory is properly configured" fi - else + else LogText "Result: could not find ${ROOTDIR}etc/security/audit_control" Display --indent 4 --text "- Checking Solaris audit location" --result "${STATUS_SKIPPED}" --color YELLOW fi @@ -392,12 +393,12 @@ if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Check auditing statistics" if [ -x /usr/sbin/auditstat ]; then - FIND=`/usr/sbin/auditstat | tr -s ' ' ','` - for I in ${FIND}; do - LogText "Output: ${I}" + FIND=$(/usr/sbin/auditstat | ${TRBINARY} -s ' ' ',') + for ITEM in ${FIND}; do + LogText "Output: ${ITEM}" done Display --indent 4 --text "- Checking Solaris audit statistics" --result "${STATUS_DONE}" --color GREEN - else + else LogText "Result: /usr/sbin/auditstat not found, skipping test" Display --indent 4 --text "- Checking Solaris audit statistics" --result "${STATUS_SKIPPED}" --color YELLOW fi diff --git a/include/tests_authentication b/include/tests_authentication index 94b48a73..4e2e5bc6 100644 --- a/include/tests_authentication +++ b/include/tests_authentication @@ -40,7 +40,7 @@ if [ ${SKIPTEST} -eq 0 ]; then # Search accounts with UID 0 LogText "Test: Searching accounts with UID 0" - FIND=$(${GREPBINARY} ':0:' /etc/passwd | ${EGREPBINARY} -v '^#|^root:|^(\+:\*)?:0:0:::' | cut -d ":" -f1,3 | ${GREPBINARY} ':0') + FIND=$(${GREPBINARY} ':0:' /etc/passwd | ${EGREPBINARY} -v '^#|^root:|^(\+:\*)?:0:0:::' | ${CUTBINARY} -d ":" -f1,3 | ${GREPBINARY} ':0') if [ ! "${FIND}" = "" ]; then Display --indent 2 --text "- Administrator accounts" --result "${STATUS_WARNING}" --color RED LogText "Result: Found more than one administrator accounts" @@ -74,7 +74,7 @@ fi # Check password file if [ -f ${PASSWD_FILE} ]; then - FIND=$(${GREPBINARY} -v '^#' ${PASSWD_FILE} | cut -d ':' -f3 | ${SORTBINARY} | uniq -d) + FIND=$(${GREPBINARY} -v '^#' ${PASSWD_FILE} | ${CUTBINARY} -d ':' -f3 | ${SORTBINARY} | uniq -d) if [ "${FIND}" = "" ]; then Display --indent 2 --text "- Unique UIDs" --result "${STATUS_OK}" --color GREEN LogText "Result: all accounts found in ${PASSWD_FILE} are unique" @@ -158,13 +158,13 @@ LogText "Test: Checking login shells" if [ -f /etc/master.passwd ]; then # Check for all shells, except: (/usr)/sbin/nologin /nonexistent - FIND=`${GREPBINARY} "[a-z]:\*:" /etc/master.passwd | ${EGREPBINARY} -v '^#|/sbin/nologin|/usr/sbin/nologin|/nonexistent' | sed 's/ /!space!/g'` + FIND=`${GREPBINARY} "[a-z]:\*:" /etc/master.passwd | ${EGREPBINARY} -v '^#|/sbin/nologin|/usr/sbin/nologin|/nonexistent' | ${SEDBINARY} 's/ /!space!/g'` if [ "${FIND}" = "" ]; then Display --indent 2 --text "- Login shells" --result "${STATUS_OK}" --color GREEN else Display --indent 2 --text "- Login shells" --result "${STATUS_WARNING}" --color RED for LINE in ${FIND}; do - LINE=$(echo ${LINE} | sed 's/!space!/ /g') + LINE=$(echo ${LINE} | ${SEDBINARY} 's/!space!/ /g') SHELL=$(echo ${LINE} | ${AWKBINARY} -F: '{ print $10 }') LogText "Output: ${LINE}" if [ -z "${SHELL}" ]; then @@ -420,7 +420,7 @@ Register --test-no AUTH-9252 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check sudoers file" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: checking sudoers file (${SUDOERS_FILE}) permissions" - FIND=`ls -l ${SUDOERS_FILE} | cut -c 2-10` + FIND=`ls -l ${SUDOERS_FILE} | ${CUTBINARY} -c 2-10` LogText "Result: Found file permissions: ${FIND}" if [ "${FIND}" = "rw-------" -o "${FIND}" = "rw-rw----" -o "${FIND}" = "r--r-----" ]; then LogText "Result: file ${SUDOERS_FILE} has correct permissions" @@ -530,13 +530,13 @@ LogText "Result: file /etc/pam.conf exists" Display --indent 2 --text "- PAM configuration files (pam.conf)" --result "${STATUS_FOUND}" --color GREEN LogText "Test: searching PAM configuration files" - FIND=$(${EGREPBINARY} -v "^#" /etc/pam.conf | ${EGREPBINARY} -v "^$" | sed 's/[[:space:]]/ /g' | sed 's/ / /g' | sed 's/ /:space:/g') + FIND=$(${EGREPBINARY} -v "^#" /etc/pam.conf | ${EGREPBINARY} -v "^$" | ${SEDBINARY} 's/[[:space:]]/ /g' | ${SEDBINARY} 's/ / /g' | ${SEDBINARY} 's/ /:space:/g') if [ "${FIND}" = "" ]; then LogText "Result: File has no configuration options defined (empty, or only filled with comments and empty lines)" else LogText "Result: found one or more configuration lines" for LINE in ${FIND}; do - LINE=$(echo ${LINE} | sed 's/:space:/ /g') + LINE=$(echo ${LINE} | ${SEDBINARY} 's/:space:/ /g') LogText "Found line: ${LINE}" done fi @@ -926,7 +926,7 @@ if [ ! -z "${FIND}" ]; then LogText "Result: found /etc/profile.d, with one or more files in it" for FILE in ${FIND}; do - HAS_MASK=$(${GREPBINARY} umask ${FILE} | sed 's/^[ \t]*//' | ${GREPBINARY} -v "^#" | ${AWKBINARY} '{ print $2 }') + HAS_MASK=$(${GREPBINARY} umask ${FILE} | ${SEDBINARY} 's/^[ \t]*//' | ${GREPBINARY} -v "^#" | ${AWKBINARY} '{ print $2 }') for MASK in ${HAS_MASK}; do if [ "${MASK}" = "077" -o "${MASK}" = "027" ]; then LogText "Result: found a strong umask '${MASK}' set in ${FILE}" @@ -949,8 +949,8 @@ if [ -f /etc/profile -a ${GOOD_UMASK} -eq 0 ]; then LogText "Result: file /etc/profile exists" LogText "Test: Checking umask value in /etc/profile" - FIND=$(${GREPBINARY} "umask" /etc/profile | sed 's/^[ \t]*//' | ${GREPBINARY} -v "^#" | ${AWKBINARY} '{ print $2 }') - FIND2=$(${GREPBINARY} "umask" /etc/profile | sed 's/^[ \t]*//' | ${GREPBINARY} -v "^#" | ${AWKBINARY} '{ print $2 }' | wc -l) + FIND=$(${GREPBINARY} "umask" /etc/profile | ${SEDBINARY} 's/^[ \t]*//' | ${GREPBINARY} -v "^#" | ${AWKBINARY} '{ print $2 }') + FIND2=$(${GREPBINARY} "umask" /etc/profile | ${SEDBINARY} 's/^[ \t]*//' | ${GREPBINARY} -v "^#" | ${AWKBINARY} '{ print $2 }' | wc -l) FOUND_UMASK=0 if [ "${FIND2}" = "0" ]; then LogText "Result: did not find umask in /etc/profile" @@ -1092,7 +1092,7 @@ FOUND=0 WEAK_UMASK=0 LogText "Result: file /etc/login.conf exists" - FIND=`${GREPBINARY} "umask" /etc/login.conf | sed 's/#.*//' | sed -E 's/^[[:cntrl:]]//' | ${GREPBINARY} -v '^$' | ${AWKBINARY} -F: '{ print $2}' | ${AWKBINARY} -F= '{ if ($1=="umask") { print $2 }}'` + FIND=`${GREPBINARY} "umask" /etc/login.conf | ${SEDBINARY} 's/#.*//' | ${SEDBINARY} -E 's/^[[:cntrl:]]//' | ${GREPBINARY} -v '^$' | ${AWKBINARY} -F: '{ print $2}' | ${AWKBINARY} -F= '{ if ($1=="umask") { print $2 }}'` if [ ! "${FIND}" = "" ]; then for UMASK_VALUE in ${FIND}; do case ${UMASK_VALUE} in diff --git a/include/tests_boot_services b/include/tests_boot_services index c246e4ae..0484c70f 100644 --- a/include/tests_boot_services +++ b/include/tests_boot_services @@ -37,18 +37,19 @@ # Test : BOOT-5102 # Description : Check for AIX boot device # Notes : The AIX bootstrap is called as software ROS. Bootstrap contains IPL (Initial Program loader) + # TODO - binary detection of bootinfo and replace with variable Register --test-no BOOT-5102 --os AIX --weight L --network NO --root-only YES --category security --description "Check for AIX boot device" if [ ${SKIPTEST} -eq 0 ]; then BOOT_LOADER_SEARCHED=1 LogText "Test: Query bootinfo for AIX boot device" if [ -x /usr/sbin/bootinfo ]; then - FIND=`/usr/sbin/bootinfo -b` - if [ ! "${FIND}" = "" ]; then + FIND=$(/usr/sbin/bootinfo -b) + if [ ! -z "${FIND}" ]; then LogText "Result: found boot device ${FIND}" Display --indent 2 --text "- Checking boot device (bootinfo)" --result "${STATUS_FOUND}" --color GREEN BOOT_LOADER="ROS" BOOT_LOADER_FOUND=1 - else + else LogText "Result: no data received from bootinfo, most likely boot device not found" #Display --indent 4 --text "- Checking boot device (bootinfo)" --result "${STATUS_NOT_FOUND}" --color YELLOW #ReportSuggestion ${TEST_NO} "Only use root (not sudo account) to query properly boot device" @@ -117,7 +118,7 @@ fi ;; "DragonFly"|"NetBSD"|"FreeBSD") - if [ -x /sbin/init -a -d /etc/rc.d -a -f /etc/rc ]; then + if [ -x /sbin/init -a -d ${ROOTDIR}etc/rc.d -a -f ${ROOTDIR}etc/rc ]; then SERVICE_MANAGER="bsdrc" fi ;; @@ -127,7 +128,7 @@ LogText "Result: service manager found = ${SERVICE_MANAGER}" if [ "${SERVICE_MANAGER}" = "" -o "${SERVICE_MANAGER}" = "unknown" ]; then Display --indent 2 --text "- Service Manager" --result "${STATUS_UNKNOWN}" --color YELLOW - else + else Display --indent 2 --text "- Service Manager" --result "${SERVICE_MANAGER}" --color GREEN fi fi @@ -138,7 +139,7 @@ # Description : Check if boot.efi is found on Mac OS X Register --test-no BOOT-5106 --os "MacOS" --weight L --network NO --root-only YES --category security --description "Check EFI boot file on Mac OS X" if [ ${SKIPTEST} -eq 0 ]; then - FileExists /System/Library/CoreServices/boot.efi + FileExists ${ROOTDIR}System/Library/CoreServices/boot.efi if [ ${FILE_FOUND} -eq 1 ]; then LogText "Result: found Mac OS X boot.efi file" BOOT_LOADER="MacOS-boot-EFI" @@ -152,7 +153,7 @@ # Description : Check for Syslinux Register --test-no BOOT-5108 --os "Linux" --weight L --network NO --root-only YES --category security --description "Check Syslinux as bootloader" if [ ${SKIPTEST} -eq 0 ]; then - FileExists /boot/syslinux/syslinux.cfg + FileExists ${ROOTDIR}boot/syslinux/syslinux.cfg if [ ${FILE_FOUND} -eq 1 ]; then LogText "Result: found Syslinux" BOOT_LOADER="Syslinux" @@ -172,35 +173,36 @@ UEFI_TESTS_PERFORMED=1 # Check if UEFI is available in this boot LogText "Test: checking if UEFI is used" - if [ -d /sys/firmware/efi ]; then + if [ -d ${ROOTDIR}sys/firmware/efi ]; then LogText "Result: system booted in UEFI mode" UEFI_BOOTED=1 - else + else LogText "Result: UEFI not used, can't find /sys/firmware/efi directory" fi # Test if Secure Boot is enabled LogText "Test: determine if Secure Boot is used" - if [ -d /sys/firmware/efi/efivars ]; then - FIND=`ls /sys/firmware/efi/efivars/SecureBoot-* 2> /dev/null` - if [ ! "${FIND}" = "" ]; then - for I in ${FIND}; do - LogText "Test: checking file ${I}" - J=`od -An -t u1 ${I} | ${AWKBINARY} '{ print $5 }'` + if [ -d ${ROOTDIR}sys/firmware/efi/efivars ]; then + FIND=$(${LSBINARY} ${ROOTDIR}sys/firmware/efi/efivars/SecureBoot-* 2> /dev/null) + if [ ! -z "${FIND}" ]; then + for FILE in ${FIND}; do + LogText "Test: checking file ${FILE}" + # TODO: add detection for od + J=$(od -An -t u1 ${FILE} | ${AWKBINARY} '{ print $5 }') if [ "${J}" = "1" ]; then LogText "Result: found SecureBoot file with enabled status" UEFI_BOOTED_SECURE=1 - else - LogText "Result: system not booted with Secure Boot (status 0 in file ${I})" + else + LogText "Result: system not booted with Secure Boot (status 0 in file ${FILE})" fi done fi - else + else LogText "Result: system not booted with Secure Boot (no SecureBoot file found)" fi ;; #MacOS) - # Mac OS ioreg -l -p IODeviceTree | ${GREPBINARY} firmware-abi + # TODO: Mac OS ioreg -l -p IODeviceTree | ${GREPBINARY} firmware-abi #;; *) LogText "Result: no test implemented yet to test for UEFI on this platform" @@ -210,10 +212,10 @@ Display --indent 2 --text "- Checking UEFI boot" --result "${STATUS_ENABLED}" --color GREEN if [ ${UEFI_BOOTED_SECURE} -eq 1 ]; then Display --indent 2 --text "- Checking Secure Boot" --result "${STATUS_ENABLED}" --color GREEN - else + else Display --indent 2 --text "- Checking Secure Boot" --result "${STATUS_DISABLED}" --color YELLOW fi - else + else if [ ${UEFI_TESTS_PERFORMED} -eq 1 ]; then Display --indent 2 --text "- Checking UEFI boot" --result "${STATUS_DISABLED}" --color WHITE fi @@ -254,8 +256,9 @@ fi # Some OSes like Gentoo do not have /boot mounted by default + # TODO: root directory and rewrite ls statement if [ -d /boot ]; then - if [ "`ls /boot/* 2> /dev/null`" = "" -a ! "${GRUB2INSTALLBINARY}" = "" ]; then + if [ "`ls /boot/* 2> /dev/null`" = "" -a ! -z "${GRUB2INSTALLBINARY}" ]; then BOOT_LOADER_FOUND=1 LogText "Result: found empty /boot, however with GRUB2 binary installed. Best guess is that GRUB2 is actually installed, but /boot not mounted" Display --indent 2 --text "- Checking presence GRUB2" --result "POSSIBLE MATCH" --color YELLOW @@ -279,30 +282,30 @@ LogText "Found file ${GRUBCONFFILE}, proceeding with tests." FileIsReadable ${GRUBCONFFILE} if [ ${CANREAD} -eq 1 ]; then - FIND=`${GREPBINARY} 'password --md5' ${GRUBCONFFILE} | ${GREPBINARY} -v '^#'` - FIND2=`${GREPBINARY} 'password --encrypted' ${GRUBCONFFILE} | ${GREPBINARY} -v '^#'` - FIND3=`${GREPBINARY} 'set superusers' ${GRUBCONFFILE} | ${GREPBINARY} -v '^#'` - FIND4=`${GREPBINARY} 'password_pbkdf2' ${GRUBCONFFILE} | ${GREPBINARY} -v '^#'` - FIND5=`${GREPBINARY} 'grub.pbkdf2' ${GRUBCONFFILE} | ${GREPBINARY} -v '^#'` + FIND=$(${GREPBINARY} 'password --md5' ${GRUBCONFFILE} | ${GREPBINARY} -v '^#') + FIND2=$(${GREPBINARY} 'password --encrypted' ${GRUBCONFFILE} | ${GREPBINARY} -v '^#') + FIND3=$(${GREPBINARY} 'set superusers' ${GRUBCONFFILE} | ${GREPBINARY} -v '^#') + FIND4=$(${GREPBINARY} 'password_pbkdf2' ${GRUBCONFFILE} | ${GREPBINARY} -v '^#') + FIND5=$(${GREPBINARY} 'grub.pbkdf2' ${GRUBCONFFILE} | ${GREPBINARY} -v '^#') # GRUB1: Password should be set (MD5 or SHA1) - if [ ! "${FIND}" = "" -o ! "${FIND2}" = "" ]; then + if [ ! -z "${FIND}" -o ! -z "${FIND2}" ]; then FOUND=1 # GRUB2: Superusers AND password should be defined - elif [ ! "${FIND3}" = "" ]; then + elif [ ! -z "${FIND3}" ]; then if [ ! -z "${FIND4}" -o ! -z "${FIND5}" ]; then FOUND=1; fi fi if [ ${FOUND} -eq 1 ]; then Display --indent 4 --text "- Checking for password protection" --result "${STATUS_OK}" --color GREEN LogText "Result: GRUB has password protection." AddHP 4 4 - else + else Display --indent 4 --text "- Checking for password protection" --result "${STATUS_WARNING}" --color RED LogText "Result: Didn't find hashed password line in GRUB boot file!" ReportSuggestion ${TEST_NO} "Set a password on GRUB bootloader to prevent altering boot configuration (e.g. boot in single user mode without password)" AddHP 0 2 fi - else - LogText "Result: Can not read ${GRUBCONFFILE} (no permission)" + else + LogText "Result: Can not read ${GRUBCONFFILE} (no permission)" fi fi # @@ -313,13 +316,13 @@ Register --test-no BOOT-5124 --os FreeBSD --weight L --network NO --category security --description "Check for FreeBSD boot loader presence" if [ ${SKIPTEST} -eq 0 ]; then BOOT_LOADER_SEARCHED=1 - if [ -f /boot/boot1 -a -f /boot/boot2 -a -f /boot/loader ]; then - LogText "Result: found boot1, boot2 and loader files in /boot" + if [ -f ${ROOTDIR}boot/boot1 -a -f ${ROOTDIR}boot/boot2 -a -f ${ROOTDIR}boot/loader ]; then + LogText "Result: found boot1, boot2 and loader files in ${ROOTDIR}boot" Display --indent 2 --text "- Checking presence FreeBSD loader" --result "${STATUS_FOUND}" --color GREEN BOOT_LOADER="FreeBSD" BOOT_LOADER_FOUND=1 - else - LogText "Result: Not all expected files found in /boot" + else + LogText "Result: Not all expected files found in ${ROOTDIR}boot" fi fi # @@ -330,12 +333,12 @@ Register --test-no BOOT-5126 --os NetBSD --weight L --network NO --category security --description "Check for NetBSD boot loader presence" if [ ${SKIPTEST} -eq 0 ]; then BOOT_LOADER_SEARCHED=1 - if [ -f /boot.${HARDWARE} -o -f /boot -o -f /ofwboot ]; then + if [ -f ${ROOTDIR}boot.${HARDWARE} -o -f ${ROOTDIR}boot -o -f ${ROOTDIR}ofwboot ]; then LogText "Result: found NetBSD secondary bootstrap" Display --indent 2 --text "- Checking presence NetBSD loader" --result "${STATUS_FOUND}" --color GREEN BOOT_LOADER="NetBSD" BOOT_LOADER_FOUND=1 - else + else LogText "Result: NetBSD secondary bootstrap not found" ReportException "${TEST_NO}:1" "No boot loader found on NetBSD" fi @@ -349,7 +352,7 @@ Register --test-no BOOT-5139 --weight L --network NO --category security --description "Check for LILO boot loader presence" if [ ${SKIPTEST} -eq 0 ]; then BOOT_LOADER_SEARCHED=1 - LILOCONFFILE="/etc/lilo.conf" + LILOCONFFILE="${ROOTDIR}etc/lilo.conf" LogText "Test: checking for presence LILO configuration file" if [ -f ${LILOCONFFILE} ]; then FileIsReadable ${LILOCONFFILE} @@ -358,23 +361,23 @@ BOOT_LOADER_FOUND=1 Display --indent 2 --text "- Checking presence LILO" --result "${STATUS_OK}" --color GREEN LogText "Checking password option LILO" - FIND=`${EGREPBINARY} 'password[[:space:]]?=' ${LILOCONFFILE} | ${GREPBINARY} -v "^#"` - if [ "${FIND}" = "" ]; then + FIND=$(${EGREPBINARY} 'password[[:space:]]?=' ${LILOCONFFILE} | ${GREPBINARY} -v "^#") + if [ -z "${FIND}" ]; then Display --indent 4 --text "- Password option presence " --result "${STATUS_WARNING}" --color RED LogText "Result: no password set for LILO. Bootloader is unprotected to" LogText "dropping to single user mode or unauthorized access to devices/data." ReportSuggestion ${TEST_NO} "Add a password to LILO, by adding a line to the lilo.conf file, above the first line saying 'image=<name>': password=<password>" ReportWarning ${TEST_NO} "No password set on LILO bootloader" AddHP 0 2 - else + else Display --indent 4 --text "- Password option presence " --result "${STATUS_OK}" --color GREEN LogText "Result: LILO password option set" AddHP 4 4 fi - else + else LogText "Result: can not read ${LILOCONFFILE} (no permission)" fi - else + else LogText "Result: LILO configuration file not found" fi fi @@ -398,26 +401,6 @@ # ################################################################################# # - # Test : BOOT-5144 - # Description : Check for SILO boot loader consistency - # Notes : To be tested on Gentoo -# Register --test-no BOOT-5144 --weight L --network NO --category security --description "Check SPARC Improved boot loader (SILO)" -# if [ ${SKIPTEST} -eq 0 ]; then -# if [ -f /etc/silo.conf -a -x /sbin/silo ]; then -# FIND=`/sbin/silo | ${GREPBINARY} "appears to be valid"` -# if [ ! "${FIND}" = "" ]; then -# LogText "Result: Found SILO configuration file (/etc/silo.conf)" -# Display --indent 6 --text "- Checking SILO consistency" --result "${STATUS_OK}" --color GREEN -# else -# LogText "Result: no positive result received from silo binary" -# ReportWarning ${TEST_NO} "Possible issue with boot loader (SILO)" -# Display --indent 6 --text "- Checking SILO consistency" --result "${STATUS_WARNING}" --color RED -# fi -# fi -# fi -# -################################################################################# -# # Test : BOOT-5155 # Description : Check for YABOOT boot loader Register --test-no BOOT-5155 --weight L --network NO --category security --description "Check for YABOOT boot loader configuration file" @@ -429,7 +412,7 @@ Display --indent 4 --text "- Checking boot loader YABOOT" --result "${STATUS_FOUND}" --color GREEN BOOT_LOADER="YABOOT" BOOT_LOADER_FOUND=1 - else + else LogText "Result: no YABOOT configuration file found." fi fi @@ -446,35 +429,33 @@ # Boot files # /usr/mdec/biosboot: first stage bootstrap # /boot : second stage bootstrap - if [ -f /usr/mdec/biosboot -a -f /boot ]; then + if [ -f ${ROOTDIR}usr/mdec/biosboot -a -f ${ROOTDIR}boot ]; then FOUND=1 fi # Configuration file - if [ -f /etc/boot.conf ]; then + if [ -f ${ROOTDIR}etc/boot.conf ]; then FOUND=1 - Display --indent 2 --text "- Checking /etc/boot.conf" --result "${STATUS_FOUND}" --color GREEN - FIND=`${GREPBINARY} '^boot' /etc/boot.conf` - if [ "${FIND}" = "" ]; then + Display --indent 2 --text "- Checking ${ROOTDIR}etc/boot.conf" --result "${STATUS_FOUND}" --color GREEN + FIND=$(${GREPBINARY} '^boot' ${ROOTDIR}etc/boot.conf) + if [ -z "${FIND}" ]; then Display --indent 4 --text "- Checking boot option" --result "${STATUS_WARNING}" --color RED - #ReportSuggestion ${TEST_NO} "Add 'boot' to the /etc/boot.conf file to disable the default 5 seconds waiting time, to disallow booting into single user mode." + #ReportSuggestion ${TEST_NO} "Add 'boot' to the ${ROOTDIR}etc/boot.conf file to disable the default 5 seconds waiting time, to disallow booting into single user mode." ReportWarning ${TEST_NO} "System can be booted into single user mode without password" - else + else Display --indent 4 --text "- Checking boot option" --result "${STATUS_OK}" --color GREEN LogText "Ok, boot option is enabled." fi - else - Display --indent 2 --text "- Checking /etc/boot.conf" --result "${STATUS_NOT_FOUND}" --color YELLOW - LogText "Result: no /etc/boot.conf found. When using the default boot loader, physical" + else + Display --indent 2 --text "- Checking ${ROOTDIR}etc/boot.conf" --result "${STATUS_NOT_FOUND}" --color YELLOW + LogText "Result: no ${ROOTDIR}etc/boot.conf found. When using the default boot loader, physical" LogText "access to the server can be used to possibly enter single user mode." - ReportSuggestion ${TEST_NO} "Add 'boot' to the /etc/boot.conf file to disable the default 5 seconds waiting time." + ReportSuggestion ${TEST_NO} "Add 'boot' to the ${ROOTDIR}etc/boot.conf file to disable the default 5 seconds waiting time." fi if [ ${FOUND} -eq 1 ]; then LogText "Result: found OpenBSD boot loader" BOOT_LOADER="OpenBSD" BOOT_LOADER_FOUND=1 fi - - fi # ################################################################################# @@ -494,11 +475,11 @@ if [ ! "${SERVICEBINARY}" = "" ]; then # FreeBSD (Ask services(8) for enabled services) LogText "Searching for services at startup (service)" - FIND=`${SERVICEBINARY} -e | sed 's|^.*\/||' | sort` + FIND=$(${SERVICEBINARY} -e | ${SEDBINARY} 's|^.*\/||' | ${SORTBINARY}) else # FreeBSD (Read /etc/rc.conf file for enabled services) LogText "Searching for services at startup (rc.conf)" - FIND=`${EGREPBINARY} -v -i '^#|none' /etc/rc.conf | ${EGREPBINARY} -i '_enable.*(yes|on|1)' | ${SORTBINARY} | ${AWKBINARY} -F= '{ print $1 }' | sed 's/_enable//'` + FIND=$(${EGREPBINARY} -v -i '^#|none' /etc/rc.conf | ${EGREPBINARY} -i '_enable.*(yes|on|1)' | ${SORTBINARY} | ${AWKBINARY} -F= '{ print $1 }' | ${SEDBINARY} 's/_enable//') fi N=0 for I in ${FIND}; do @@ -521,11 +502,11 @@ CHECKED=0 LogText "Test: checking presence systemctl binary" # Determine if we have systemctl on board - if [ ! "${SYSTEMCTLBINARY}" = "" ]; then + if [ ! -z "${SYSTEMCTLBINARY}" ]; then LogText "Result: systemctl binary found, trying that to discover information" # Running services LogText "Searching for running services (systemctl services only)" - FIND=`${SYSTEMCTLBINARY} --full --type=service | ${AWKBINARY} '{ if ($4=="running") { print $1 } }' | ${AWKBINARY} -F. '{ print $1 }'` + FIND=$(${SYSTEMCTLBINARY} --full --type=service | ${AWKBINARY} '{ if ($4=="running") { print $1 } }' | ${AWKBINARY} -F. '{ print $1 }') N=0 Report "running_service_tool=systemctl" for I in ${FIND}; do @@ -540,7 +521,7 @@ # Services at boot LogText "Searching for enabled services (systemctl services only)" - FIND=`${SYSTEMCTLBINARY} list-unit-files --type=service | ${AWKBINARY} '{ if ($2=="enabled") { print $1 } }' | ${AWKBINARY} -F. '{ print $1 }'` + FIND=$(${SYSTEMCTLBINARY} list-unit-files --type=service | ${AWKBINARY} '{ if ($2=="enabled") { print $1 } }' | ${AWKBINARY} -F. '{ print $1 }') N=0 Report "boot_service_tool=systemctl" for I in ${FIND}; do @@ -554,11 +535,12 @@ LogText "Result: Found $N running services" else + LogText "Result: systemctl binary not found, checking chkconfig binary" - if [ ! "${CHKCONFIGBINARY}" = "" ]; then + if [ ! -z "${CHKCONFIGBINARY}" ]; then LogText "Result: chkconfig binary found, trying that to discover information" LogText "Searching for services at startup (chkconfig, runlevel 3 and 5)" - FIND=`${CHKCONFIGBINARY} --list | ${EGREPBINARY} '3:on|5:on' | ${AWKBINARY} '{ print $1 }'` + FIND=$(${CHKCONFIGBINARY} --list | ${EGREPBINARY} '3:on|5:on' | ${AWKBINARY} '{ print $1 }') N=0 Report "boot_service_tool=chkconfig" for I in ${FIND}; do @@ -570,7 +552,7 @@ Display --indent 2 --text "- Check services at startup (chkconfig)" --result "${STATUS_DONE}" --color GREEN Display --indent 8 --text "Result: found $N services" LogText "Result: Found $N services at startup" - else + else LogText "Result: both systemctl and chkconfig not found. Skipping this test" fi fi @@ -585,24 +567,24 @@ Register --test-no BOOT-5180 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for Linux boot services (Debian style)" if [ ${SKIPTEST} -eq 0 ]; then # Runlevel check - sRUNLEVEL=`${RUNLEVELBINARY} | ${GREPBINARY} "N [0-9]" | ${AWKBINARY} '{ print $2} '` + sRUNLEVEL=$(${RUNLEVELBINARY} | ${GREPBINARY} "N [0-9]" | ${AWKBINARY} '{ print $2} ') LogText "Result: found runlevel ${sRUNLEVEL}" if [ "${sRUNLEVEL}" = "2" ]; then LogText "Result: performing find in /etc/rc2.d as runlevel 2 is found" - FIND=`find /etc/rc2.d -type l -print | cut -d '/' -f4 | sed "s/S[0-9][0-9]//g" | sort` + FIND=$(${FINDBINARY} ${ROOTDIR}etc/rc2.d -type l -print | ${CUTBINARY} -d '/' -f4 | ${SEDBINARY} "s/S[0-9][0-9]//g" | sort) if [ ! "${FIND}" = "" ]; then N=0 - for I in ${FIND}; do - LogText "Found service (at boot, runlevel 2): ${I}" + for SERVICE in ${FIND}; do + LogText "Found service (at boot, runlevel 2): ${SERVICE}" N=$((N + 1)) done Display --indent 2 --text "- Check services at startup (rc2.d)" --result "${STATUS_DONE}" --color WHITE Display --indent 4 --text "Result: found $N services" LogText "Result: found $N services" fi - elif [ "${sRUNLEVEL}" = "" ]; then + elif [ -z "${sRUNLEVEL}" ]; then ReportSuggestion ${TEST_NO} "Determine runlevel and services at startup" - else + else LogText "Result: skipping further actions" fi fi @@ -614,7 +596,7 @@ Register --test-no BOOT-5184 --os Linux --weight L --network NO --category security --description "Check permissions for boot files/scripts" if [ ${SKIPTEST} -eq 0 ]; then FOUND=0 - CHECKDIRS="/etc/init.d /etc/rc.d /etc/rcS.d" + CHECKDIRS="${ROOTDIR}etc/init.d ${ROOTDIR}etc/rc.d ${ROOTDIR}etc/rcS.d" LogText "Result: checking /etc/init.d scripts for writable bit" for I in ${CHECKDIRS}; do @@ -622,22 +604,22 @@ if [ -d ${I} ]; then LogText "Result: directory ${I} found" LogText "Test: checking for available files in directory" - FIND=`find ${I} -type f -print` - if [ ! "${FIND}" = "" ]; then + FIND=$(${FINDBINARY} ${I} -type f -print) + if [ ! -z "${FIND}" ]; then LogText "Result: found files in directory, checking permissions now" for J in ${FIND}; do LogText "Test: checking permissions of file ${J}" if IsWorldWritable ${J}; then FOUND=1 LogText "Result: warning, file ${J} is world writable" - else + else LogText "Result: good, file ${J} not world writable" fi done - else + else LogText "Result: found no files in directory." fi - else + else LogText "Result: directory ${I} not found. Skipping.." fi done @@ -645,13 +627,13 @@ # /etc/rc[0-6].d for NO in 0 1 2 3 4 5 6; do LogText "Test: Checking /etc/rc${NO}.d scripts for writable bit" - if [ -d /etc/rc${NO}.d ]; then - FIND=`find /etc/rc${NO}.d -type f -print` + if [ -d ${ROOTDIR}etc/rc${NO}.d ]; then + FIND=$(${FINDBINARY} ${ROOTDIR}etc/rc${NO}.d -type f -print) for I in ${FIND}; do if IsWorldWritable ${I}; then FOUND=1 LogText "Result: warning, file ${I} is world writable" - else + else LogText "Result: good, file ${I} not world writable" fi done @@ -659,14 +641,14 @@ done # Other files - CHECKFILES="/etc/rc /etc/rc.local /etc/rc.d/rc.sysinit" + CHECKFILES="${ROOTDIR}etc/rc ${ROOTDIR}etc/rc.local ${ROOTDIR}etc/rc.d/rc.sysinit" for I in ${CHECKFILES}; do if [ -f ${I} ]; then ShowSymlinkPath "${I}" if [ ${FOUNDPATH} -eq 1 ]; then CHECKFILE="${SYMLINK}" LogText "Result: found the path behind this symlink (${CHECKFILE} --> ${I})" - else + else CHECKFILE="${I}" fi LogText "Test: Checking ${CHECKFILE} file for writable bit" @@ -674,7 +656,7 @@ FOUND=1 ReportWarning ${TEST_NO} "Found writable startup script ${CHECKFILE}" LogText "Result: warning, file ${CHECKFILE} is world writable" - else + else LogText "Result: good, file ${CHECKFILE} not world writable" fi fi @@ -686,7 +668,7 @@ ReportWarning ${TEST_NO} "Found world writable startup scripts" "-" "-" LogText "Result: found one or more scripts which are possibly writable by other users" AddHP 0 3 - else + else Display --indent 2 --text "- Check startup files (permissions)" --result "${STATUS_OK}" --color GREEN AddHP 3 3 fi @@ -704,17 +686,17 @@ Linux) # Idle time, not real uptime if [ -f /proc/uptime ]; then - FIND=`cat /proc/uptime | cut -d ' ' -f1 | cut -d '.' -f1` - else + FIND=$(cat /proc/uptime | ${CUTBINARY} -d ' ' -f1 | ${CUTBINARY} -d '.' -f1) + else Display --indent 2 --text "- Checking uptime" --result "${STATUS_SKIPPED}" --color YELLOW ReportException "${TEST_NO}:1" "No uptime test available for this operating system (/proc/uptime missing)" fi ;; DragonFly|FreeBSD|MacOS) - if [ ! "${SYSCTLBINARY}" = "" ]; then - FIND=`${SYSCTLBINARY} kern.boottime | ${AWKBINARY} '{ print $5 }' | sed -e 's/,//' | ${GREPBINARY} "[0-9]"` - else + if [ ! -z "${SYSCTLBINARY}" ]; then + FIND=$(${SYSCTLBINARY} kern.boottime | ${AWKBINARY} '{ print $5 }' | ${SEDBINARY} -e 's/,//' | ${GREPBINARY} "[0-9]") + else Display --indent 2 --text "- Checking uptime" --result "${STATUS_SKIPPED}" --color YELLOW ReportException "${TEST_NO}:4" "No uptime test available for this operating system (sysctl missing)" fi @@ -722,25 +704,25 @@ NetBSD|OpenBSD) if [ ! "${SYSCTLBINARY}" = "" ]; then - TIME_BOOT=`${SYSCTLBINARY} -n kern.boottime` - TIME_NOW=`date "+%s"` + TIME_BOOT=$(${SYSCTLBINARY} -n kern.boottime) + TIME_NOW=$(date "+%s") LogText "Boot time: ${TIME_BOOT}" LogText "Current time: ${TIME_NOW}" - if [ ! "${TIME_BOOT}" = "" -a ! "${TIME_NOW}" = "" ]; then + if [ ! -z "${TIME_BOOT}" -a ! -z "${TIME_NOW}" ]; then UPTIME_IN_SECS=$((TIME_NOW - TIME_BOOT)) - else + else ReportException "${TEST_NO}:5" "Most likely kern.boottime empty, unable to determine uptime" fi - else + else Display --indent 2 --text "- Checking uptime" --result "${STATUS_SKIPPED}" --color YELLOW ReportException "${TEST_NO}:4" "No uptime test available for this operating system (sysctl missing)" fi ;; Solaris) - if [ ! "${KSTATBINARY}" = "" ]; then - FIND=`${KSTATBINARY} -p unix:0:system_misc:snaptime | ${GREPBINARY} "^unix" | ${AWKBINARY} '{print $2}' | cut -d "." -f1` - else + if [ ! -z "${KSTATBINARY}" ]; then + FIND=$(${KSTATBINARY} -p unix:0:system_misc:snaptime | ${GREPBINARY} "^unix" | ${AWKBINARY} '{print $2}' | ${CUTBINARY} -d "." -f1) + else Display --indent 2 --text "- Checking uptime" --result "${STATUS_SKIPPED}" --color YELLOW ReportException "${TEST_NO}:2" "No uptime test available for this operating system (kstat missing)" fi @@ -753,14 +735,14 @@ ReportException "${TEST_NO}:3" "No uptime test available yet for this operating system" ;; esac - if [ ! "${FIND}" = "" ]; then + if [ ! -z "${FIND}" ]; then UPTIME_IN_SECS="${FIND}" UPTIME_IN_DAYS=$((UPTIME_IN_SECS / 60 / 60 / 24)) LogText "Uptime (in seconds): ${UPTIME_IN_SECS}" LogText "Uptime (in days): ${UPTIME_IN_DAYS}" Report "uptime_in_seconds=${UPTIME_IN_SECS}" Report "uptime_in_days=${UPTIME_IN_DAYS}" - else + else LogText "Result: no uptime information available" fi fi @@ -771,25 +753,24 @@ # Description : Check single user mode for systemd Register --test-no BOOT-5260 --weight L --network NO --category security --description "Check single user mode for systemd" if [ ${SKIPTEST} -eq 0 ]; then - # Check if file exists LogText "Test: Searching /usr/lib/systemd/system/rescue.service" - if [ -f /usr/lib/systemd/system/rescue.service ]; then - LogText "Result: file /usr/lib/systemd/system/rescue.service" - LogText "Test: checking presence sulogin for single user mode" - FIND=`${EGREPBINARY} "^ExecStart=-(/bin/sh -c \")?(/usr)?/(s)?bin/sulogin" /usr/lib/systemd/system/rescue.service` - if [ ! "${FIND}" = "" ]; then - FOUND=1 - LogText "Result: found sulogin, so single user is protected" - AddHP 3 3 - else - LogText "Result: did not find sulogin in rescue.service" - AddHP 1 3 - Display --indent 2 --text "- Checking sulogin in rescue.service" --result "${STATUS_NOT_FOUND}" --color YELLOW - ReportSuggestion "${TEST_NO}" "Protect rescue.service by using sulogin" - fi - else - LogText "Result: file /usr/lib/systemd/system/rescue.service does not exist" - fi + if [ -f ${ROOTDIR}usr/lib/systemd/system/rescue.service ]; then + LogText "Result: file /usr/lib/systemd/system/rescue.service" + LogText "Test: checking presence sulogin for single user mode" + FIND=$(${EGREPBINARY} "^ExecStart=-(/bin/sh -c \")?(/usr)?/(s)?bin/sulogin" ${ROOTDIR}usr/lib/systemd/system/rescue.service) + if [ ! -z "${FIND}" ]; then + FOUND=1 + LogText "Result: found sulogin, so single user is protected" + AddHP 3 3 + else + LogText "Result: did not find sulogin in rescue.service" + AddHP 1 3 + Display --indent 2 --text "- Checking sulogin in rescue.service" --result "${STATUS_NOT_FOUND}" --color YELLOW + ReportSuggestion "${TEST_NO}" "Protect rescue.service by using sulogin" + fi + else + LogText "Result: file ${ROOTDIR}usr/lib/systemd/system/rescue.service does not exist" + fi fi # ################################################################################# diff --git a/include/tests_containers b/include/tests_containers index 432e3219..6e0b9145 100644 --- a/include/tests_containers +++ b/include/tests_containers @@ -39,19 +39,19 @@ Register --test-no CONT-8004 --os Solaris --weight L --network NO --category security --description "Query running Solaris zones" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: query zoneadm to list all running zones" - FIND=`/usr/sbin/zoneadm list -p | ${AWKBINARY} -F: '{ if ($2!="global") print $0 }'` - if [ ! "${FIND}" = "" ]; then + FIND=$(/usr/sbin/zoneadm list -p | ${AWKBINARY} -F: '{ if ($2!="global") print $0 }') + if [ ! -z "${FIND}" ]; then N=0 for I in ${FIND}; do N=$((N + 1)) - ZONEID=`echo ${I} | cut -d ':' -f1` - ZONENAME=`echo ${I} | cut -d ':' -f2` + ZONEID=$(echo ${I} | ${CUTBINARY} -d ':' -f1) + ZONENAME=$(echo ${I} | ${CUTBINARY} -d ':' -f2) LogText "Result: found zone ${ZONENAME} (running)" Report "solaris_running_zone[]=${ZONENAME} [id:${ZONEID}]" done LogText "Result: total of ${N} running zones" Display --indent 2 --text "- Checking Solaris Zones" --result "FOUND ${N} zones" --color GREEN - else + else LogText "Result: no running zones found" Display --indent 2 --text "- Checking Solaris Zones" --result "${STATUS_NONE}" --color WHITE fi @@ -67,8 +67,8 @@ # Show Xen guests #FIND=`xm list | ${AWKBINARY} '$1 != "Name|Domain-0" {print $1","$2}'` #for I in ${FIND}; do - #XENGUESTNAME=`echo ${I} | cut -d ':' -f1` - #XENGUESTID=`echo ${I} | cut -d ':' -f2` + #XENGUESTNAME=`echo ${I} | ${CUTBINARY} -d ':' -f1` + #XENGUESTID=`echo ${I} | ${CUTBINARY} -d ':' -f2` #LogText "Result: found Xen guest ${XENGUESTNAME} (ID: ${XENGUESTID})" #done #fi @@ -95,7 +95,7 @@ # Test : CONT-8104 # Description : Checking Docker info for any warnings # Notes : Hardening points are awarded, as usually warnings are the result of missing controls to restrict boundaries like memory - if [ ! "${DOCKERBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + if [ ! -z "${DOCKERBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no CONT-8104 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking Docker info for any warnings" if [ ${SKIPTEST} -eq 0 ]; then COUNT=0 @@ -106,18 +106,18 @@ LogText "Result: disabling further Docker tests as docker version gave exit code other than zero (0)" RUN_DOCKER_TESTS=0 fi - FIND=`${DOCKERBINARY} info 2>&1 | ${GREPBINARY} "^WARNING:" | cut -d " " -f 2- | sed 's/ /:space:/g'` + FIND=$(${DOCKERBINARY} info 2>&1 | ${GREPBINARY} "^WARNING:" | ${CUTBINARY} -d " " -f 2- | ${SEDBINARY} 's/ /:space:/g') if [ ! "${FIND}" = "" ]; then LogText "Result: found warning(s) in output" for I in ${FIND}; do - J=`echo ${I} | sed 's/:space:/ /g'` + J=$(echo ${I} | ${SEDBINARY} 's/:space:/ /g') LogText "Output: ${J}" COUNT=$((COUNT + 1)) done Display --indent 8 --text "- Docker info output (warnings)" --result "${COUNT}" --color YELLOW ReportSuggestion "${TEST_NO}" "Run 'docker info' to see warnings applicable to Docker daemon" AddHP 3 4 - else + else LogText "Result: no warnings found from 'docker info' output" Display --indent 8 --text "- Docker info output (warnings)" --result "${STATUS_NONE}" --color GREEN AddHP 1 1 @@ -129,7 +129,7 @@ # Test : CONT-8106 # Description : Checking Docker containers (basic stats) # Notes : Hardening points are awarded, if there aren't a lot of stopped containers - if [ ! "${DOCKERBINARY}" = "" -a ${RUN_DOCKER_TESTS} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + if [ ! -z "${DOCKERBINARY}" -a ${RUN_DOCKER_TESTS} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no CONT-8106 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Gather basic stats from Docker" if [ ${SKIPTEST} -eq 0 ]; then Display --indent 6 --text "- Containers" @@ -140,6 +140,7 @@ if [ "${DOCKER_CONTAINERS_TOTAL}" = "" ]; then DOCKER_CONTAINERS_TOTAL=0 fi + LogText "Result: docker info shows ${DOCKER_CONTAINERS_TOTAL} containers" DOCKER_CONTAINERS_TOTAL2=$(${DOCKERBINARY} ps -a 2> /dev/null | ${GREPBINARY} -c -v "CONTAINER") LogText "Result: docker ps -a shows ${DOCKER_CONTAINERS_TOTAL2} containers" @@ -195,23 +196,23 @@ Register --test-no CONT-8108 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check file permissions for Docker files" if [ ${SKIPTEST} -eq 0 ]; then NOT_WORLD_WRITABLE="/var/run/docker.sock" - for I in ${NOT_WORLD_WRITABLE}; do - LogText "Test: Check ${I}" - if [ -f ${I} ]; then - LogText "Result: file ${I} found, permissions will be tested" - if IsWorldWritable ${I}; then + for FILE in ${NOT_WORLD_WRITABLE}; do + LogText "Test: Check ${FILE}" + if [ -f ${FILE} ]; then + LogText "Result: file ${FILE} found, permissions will be tested" + if IsWorldWritable ${FILE}; then LogText "Result: file is writable by others, which is a security risk (e.g. privilege escalation)" - ReportWarning "${TEST_NO}" "Docker file is world writable" "${I}" "-" + ReportWarning "${TEST_NO}" "Docker file is world writable" "${FILE}" "-" DOCKER_FILE_PERMISSIONS_WARNINGS=$((DOCKER_FILE_PERMISSIONS_WARNINGS + 1)) - else - LogText "Result: file is not writable by others, which is fine" + else + LogText "Result: file ${FILE} is not writable by others, which is fine" fi fi done if [ ${DOCKER_FILE_PERMISSIONS_WARNINGS} -gt 0 ]; then Display --indent 4 --text "- File permissions" --result "${STATUS_WARNING}"S --color YELLOW AddHP 0 5 - else + else Display --indent 4 --text "- File permissions" --result "${STATUS_OK}" --color GREEN AddHP 5 5 fi diff --git a/include/tests_databases b/include/tests_databases index 11ac7d7d..cbf1091e 100644 --- a/include/tests_databases +++ b/include/tests_databases @@ -222,7 +222,7 @@ fi done # Sort the list of discovered configuration files so we can make them unique - REDIS_CONFIGURATION_FILES=$(echo ${REDIS_CONFIGURATION_FILES} | sed 's/^ //' | tr ' ' '\n' | ${SORTBINARY} | uniq | tr '\n' ' ') + REDIS_CONFIGURATION_FILES=$(echo ${REDIS_CONFIGURATION_FILES} | ${SEDBINARY} 's/^ //' | ${TRBINARY} ' ' '\n' | ${SORTBINARY} | uniq | ${TRBINARY} '\n' ' ') for FILE in ${REDIS_CONFIGURATION_FILES}; do if IsWorldReadable ${FILE}; then LogText "Result: configuration file ${FILE} is world readable, this might leak sensitive information!" diff --git a/include/tests_file_integrity b/include/tests_file_integrity index b1cdf316..a90eb4fe 100644 --- a/include/tests_file_integrity +++ b/include/tests_file_integrity @@ -227,7 +227,7 @@ LogText "Result: lfd service is configured NOT to run" Display --indent 6 --text "- Configuration status" --result "${STATUS_DISABLED}" --color YELLOW fi - ENABLED=`${GREPBINARY} "^LF_DIRWATCH =" ${CSF_CONFIG} | ${AWKBINARY} '{ print $3 }' | sed 's/\"//g'` + ENABLED=`${GREPBINARY} "^LF_DIRWATCH =" ${CSF_CONFIG} | ${AWKBINARY} '{ print $3 }' | ${SEDBINARY} 's/\"//g'` if [ ! "${ENABLED}" = "0" -a ! "${ENABLED}" = "" ]; then LogText "Result: lfd directory watching is enabled (value: ${ENABLED})" Display --indent 6 --text "- Temporary directory watches" --result "${STATUS_ENABLED}" --color GREEN @@ -235,7 +235,7 @@ LogText "Result: lfd directory watching is disabled" Display --indent 6 --text "- Temporary directory watches" --result "${STATUS_DISABLED}" --color YELLOW fi - ENABLED=`${GREPBINARY} "^LF_DIRWATCH_FILE =" ${CSF_CONFIG} | ${AWKBINARY} '{ print $3 }' | sed 's/\"//g'` + ENABLED=`${GREPBINARY} "^LF_DIRWATCH_FILE =" ${CSF_CONFIG} | ${AWKBINARY} '{ print $3 }' | ${SEDBINARY} 's/\"//g'` if [ ! "${ENABLED}" = "0" -a ! "${ENABLED}" = "" ]; then Display --indent 6 --text "- Directory/File watches" --result "${STATUS_ENABLED}" --color GREEN else diff --git a/include/tests_file_permissions b/include/tests_file_permissions index 8a3134c5..79f721b3 100644 --- a/include/tests_file_permissions +++ b/include/tests_file_permissions @@ -34,7 +34,7 @@ LogText "Test: Checking file permissions" for PROFILE in ${PROFILES}; do LogText "Using profile ${PROFILE} for baseline." - FIND=`${EGREPBINARY} '^permfile:|^permdir:' ${PROFILE} | cut -d: -f2` + FIND=`${EGREPBINARY} '^permfile:|^permdir:' ${PROFILE} | ${CUTBINARY} -d: -f2` for I in ${FIND}; do LogText "Checking ${I}" CheckFilePermissions ${I} diff --git a/include/tests_filesystems b/include/tests_filesystems index 9bca8c65..5d46f831 100644 --- a/include/tests_filesystems +++ b/include/tests_filesystems @@ -151,8 +151,8 @@ if [ ! "${FIND}" = "" ]; then LogText "Result: found one or more EXT file systems" for I in ${FIND}; do - FILESYSTEM=`echo ${I} | cut -d ',' -f1` - FILETYPE=`echo ${I} | cut -d ',' -f2` + FILESYSTEM=`echo ${I} | ${CUTBINARY} -d ',' -f1` + FILETYPE=`echo ${I} | ${CUTBINARY} -d ',' -f2` LogText "File system: ${FILESYSTEM} (type: ${FILETYPE})" Report "file_systems_ext[]=${FILESYSTEM}|${FILETYPE}|" done @@ -231,7 +231,7 @@ UUID=`echo ${HAS_UUID} | ${AWKBINARY} -F= '{ print $2 }'` LogText "Result: Using ${UUID} as UUID" if [ ! "${BLKIDBINARY}" = "" ]; then - FIND2=$(${BLKIDBINARY} | ${AWKBINARY} '{ if ($2=="UUID=\"${UUID}\"") print $1 }' | sed 's/:$//') + FIND2=$(${BLKIDBINARY} | ${AWKBINARY} '{ if ($2=="UUID=\"${UUID}\"") print $1 }' | ${SEDBINARY} 's/:$//') if [ ! "${FIND2}" = "" ]; then REAL="${FIND2}" fi @@ -335,7 +335,7 @@ if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Searching for old files in /tmp" # Search for files only in /tmp, with an access time older than X days - FIND=`find /tmp -xdev -type f -atime +${TMP_OLD_DAYS} | sed 's/ /!space!/g'` + FIND=`find /tmp -xdev -type f -atime +${TMP_OLD_DAYS} | ${SEDBINARY} 's/ /!space!/g'` if [ "${FIND}" = "" ]; then Display --indent 2 --text "- Checking for old files in /tmp" --result "${STATUS_OK}" --color GREEN LogText "Result: no files found in /tmp which are older than 3 months" @@ -343,7 +343,7 @@ Display --indent 2 --text "- Checking for old files in /tmp" --result "${STATUS_FOUND}" --color RED N=0 for I in ${FIND}; do - FILE=`echo ${I} | sed 's/!space!/ /g'` + FILE=`echo ${I} | ${SEDBINARY} 's/!space!/ /g'` LogText "Old temporary file: ${FILE}" N=$((N + 1)) done @@ -501,17 +501,17 @@ if [ ${SKIPTEST} -eq 0 ]; then if [ -f /etc/fstab ]; then for I in ${FILESYSTEMS_TO_CHECK}; do - FILESYSTEM=$(echo ${I} | cut -d: -f1) - EXPECTED_FLAGS=$(echo ${I} | cut -d: -f2 | sed 's/,/ /g') + FILESYSTEM=$(echo ${I} | ${CUTBINARY} -d: -f1) + EXPECTED_FLAGS=$(echo ${I} | ${CUTBINARY} -d: -f2 | ${SEDBINARY} 's/,/ /g') FS_FSTAB=$(${AWKBINARY} -v fs=${FILESYSTEM} '{ if ($2==fs) { print $3 } }' /etc/fstab) if [ "${FS_FSTAB}" = "glusterfs" ]; then - EXPECTED_FLAGS=$(echo ${EXPECTED_FLAGS} | sed 's/\<\(nodev\|nosuid\)\> *//g') + EXPECTED_FLAGS=$(echo ${EXPECTED_FLAGS} | ${SEDBINARY} 's/\<\(nodev\|nosuid\)\> *//g') if [ "${EXPECTED_FLAGS}" = "" ]; then FS_FSTAB="" fi fi if [ ! "${FS_FSTAB}" = "" ]; then - FOUND_FLAGS=$(${AWKBINARY} -v fs=${FILESYSTEM} '{ if ($2==fs) { print $4 } }' /etc/fstab | sed 's/,/ /g' | tr '\n' ' ') + FOUND_FLAGS=$(${AWKBINARY} -v fs=${FILESYSTEM} '{ if ($2==fs) { print $4 } }' /etc/fstab | ${SEDBINARY} 's/,/ /g' | ${TRBINARY} '\n' ' ') LogText "File system: ${FILESYSTEM}" LogText "Expected flags: ${EXPECTED_FLAGS}" LogText "Found flags: ${FOUND_FLAGS}" diff --git a/include/tests_firewalls b/include/tests_firewalls index b84a97db..76aff719 100644 --- a/include/tests_firewalls +++ b/include/tests_firewalls @@ -71,7 +71,7 @@ LogText "Result: found kernel configuration file (${LINUXCONFIGFILE})" FIND=`${tCATCMD} ${LINUXCONFIGFILE} | ${GREPBINARY} -v '^#' | ${GREPBINARY} "CONFIG_IP_NF_IPTABLES" | head -n 1` if [ ! "${FIND}" = "" ]; then - HAVEMOD=`echo ${FIND} | cut -d '=' -f2` + HAVEMOD=`echo ${FIND} | ${CUTBINARY} -d '=' -f2` # Do not use iptables if it's compiled as a module (=m), since we already tested for it in the # active list. if [ "${HAVEMOD}" = "y" ]; then @@ -148,7 +148,7 @@ if [ ! "${IPTABLESBINARY}" = "" -a ${IPTABLES_ACTIVE} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no FIRE-4512 --preqs-met ${PREQS_MET} --os Linux --weight L --network NO --root-only YES --category security --description "Check iptables for empty ruleset" if [ ${SKIPTEST} -eq 0 ]; then - FIND=`${IPTABLESBINARY} --list --numeric 2> /dev/null | ${EGREPBINARY} -v "^(Chain|target|$)" | wc -l | tr -d ' '` + FIND=`${IPTABLESBINARY} --list --numeric 2> /dev/null | ${EGREPBINARY} -v "^(Chain|target|$)" | wc -l | ${TRBINARY} -d ' '` if [ ! "${FIND}" = "" ]; then FIREWALL_ACTIVE=1 if [ ${FIND} -le 10 ]; then diff --git a/include/tests_kernel b/include/tests_kernel index 8421d81c..fca531a0 100644 --- a/include/tests_kernel +++ b/include/tests_kernel @@ -184,7 +184,7 @@ if [ ! "${LSMODBINARY}" = "" -a -f /proc/modules ]; then LogText "Test: checking if kernel is monolithic or modular" # Checking if any modules are loaded - FIND=`${LSMODBINARY} | ${GREPBINARY} -v "^Module" | wc -l | tr -s ' ' | tr -d ' '` + FIND=`${LSMODBINARY} | ${GREPBINARY} -v "^Module" | wc -l | ${TRBINARY} -s ' ' | ${TRBINARY} -d ' '` Display --indent 2 --text "- Checking kernel type" --result "${STATUS_DONE}" --color GREEN if [ "${FIND}" = "0" ]; then LogText "Result: Found monolithic kernel" @@ -267,7 +267,7 @@ if [ ${LINUXCONFIGFILE_ZIPPED} -eq 1 ]; then GREPTOOL="${ZGREPBINARY}"; else GREPTOOL="${GREPBINARY}"; fi if [ ! "${GREPTOOL}" = "" ]; then LogText "Test: Checking the default I/O kernel scheduler" - LINUX_KERNEL_IOSCHED=`${GREPTOOL} "CONFIG_DEFAULT_IOSCHED" ${LINUXCONFIGFILE} | ${AWKBINARY} -F= '{ print $2 }' | sed s/\"//g` + LINUX_KERNEL_IOSCHED=`${GREPTOOL} "CONFIG_DEFAULT_IOSCHED" ${LINUXCONFIGFILE} | ${AWKBINARY} -F= '{ print $2 }' | ${SEDBINARY} s/\"//g` if [ ! "${LINUX_KERNEL_IOSCHED}" = "" ]; then LogText "Result: found IO scheduler '${LINUX_KERNEL_IOSCHED}'" Display --indent 2 --text "- Checking default I/O kernel scheduler" --result "${STATUS_FOUND}" --color GREEN @@ -292,7 +292,7 @@ LogText "Description: View all active kernel modules (including kernel)" LogText "Test: Checking modules" if [ -f /sbin/kldstat ]; then - FIND=`kldstat | ${GREPBINARY} -v 'Name' | tr -s ' ' | cut -d ' ' -f6` + FIND=`kldstat | ${GREPBINARY} -v 'Name' | ${TRBINARY} -s ' ' | ${CUTBINARY} -d ' ' -f6` if [ $? -eq 0 ]; then LogText "Loaded modules according kldstat:" N=0 @@ -358,8 +358,8 @@ ReportSuggestion ${TEST_NO} "Discover why /vmlinuz is missing. Consider manually re-linking." fi LogText "Test: Using apt-cache policy to determine if there is an update available" - FINDINST=`apt-cache policy ${FINDKERNEL} | ${EGREPBINARY} 'Installed' | cut -d ':' -f2 | tr -d ' '` - FINDCAND=`apt-cache policy ${FINDKERNEL} | ${EGREPBINARY} 'Candidate' | cut -d ':' -f2 | tr -d ' '` + FINDINST=`apt-cache policy ${FINDKERNEL} | ${EGREPBINARY} 'Installed' | ${CUTBINARY} -d ':' -f2 | ${TRBINARY} -d ' '` + FINDCAND=`apt-cache policy ${FINDKERNEL} | ${EGREPBINARY} 'Candidate' | ${CUTBINARY} -d ':' -f2 | ${TRBINARY} -d ' '` LogText "Kernel installed: ${FINDINST}" LogText "Kernel candidate: ${FINDCAND}" if [ "${FINDINST}" = "" ]; then @@ -527,7 +527,7 @@ LogText "Result: /boot/vmlinuz not on disk, trying to find /boot/vmlinuz*" fi # Extra current kernel version and replace dashes to allow numeric ${SORTBINARY} later on - MYKERNEL=`uname -r | sed 's/\.[a-z].*.//g' | sed 's/-[a-z].*.//g' | sed 's/-/./g'` + MYKERNEL=`uname -r | ${SEDBINARY} 's/\.[a-z].*.//g' | ${SEDBINARY} 's/-[a-z].*.//g' | ${SEDBINARY} 's/-/./g'` LogText "Result: using ${MYKERNEL} as my kernel version (stripped)" FIND=$(ls /boot/vmlinuz* 2> /dev/null) if [ ! "${FIND}" = "" ]; then @@ -537,8 +537,8 @@ # Display kernels, extract version numbers and ${SORTBINARY} them numeric per column (up to 6 numbers) # Ignore rescue images. Remove generic. and huge. for Slackware machines LogText "Action: checking relevant kernels" - KERNELS=`ls /boot/vmlinuz* | ${GREPBINARY} -v rescue | sed 's/vmlinuz-//' | sed 's/generic.//' | sed 's/huge.//' | sed 's/\.[a-z].*.//g' | sed 's/-[a-z].*.//g' | sed 's./boot/..' | sed 's/-/./g' | ${SORTBINARY} -n -k1,1 -k2,2 -k3,3 -k4,4 -k5,5 -k6,6 -t \.` - KERNELS_ONE_LINE=$(echo ${KERNELS} | tr '\n' ' ') + KERNELS=`ls /boot/vmlinuz* | ${GREPBINARY} -v rescue | ${SEDBINARY} 's/vmlinuz-//' | ${SEDBINARY} 's/generic.//' | ${SEDBINARY} 's/huge.//' | ${SEDBINARY} 's/\.[a-z].*.//g' | ${SEDBINARY} 's/-[a-z].*.//g' | ${SEDBINARY} 's./boot/..' | ${SEDBINARY} 's/-/./g' | ${SORTBINARY} -n -k1,1 -k2,2 -k3,3 -k4,4 -k5,5 -k6,6 -t \.` + KERNELS_ONE_LINE=$(echo ${KERNELS} | ${TRBINARY} '\n' ' ') LogText "Output: ${KERNELS_ONE_LINE}" elif [ ! "$(ls /boot/kernel* 2> /dev/null)" = "" ]; then LogText "Output: Found a kernel file in /boot" diff --git a/include/tests_kernel_hardening b/include/tests_kernel_hardening index 47163628..faf9bf07 100644 --- a/include/tests_kernel_hardening +++ b/include/tests_kernel_hardening @@ -41,14 +41,14 @@ for PROFILE in ${PROFILES}; do FILE=$(echo ${PROFILE} | ${AWKBINARY} -F/ '{print $NF}') if [ ! "${FILE}" = "default.prf" -a ! "${FILE}" = "custom.prf" ]; then - FIND=$(${GREPBINARY} "^config-data=sysctl;" ${PROFILE} | sed 's/ /-space-/g') + FIND=$(${GREPBINARY} "^config-data=sysctl;" ${PROFILE} | ${SEDBINARY} 's/ /-space-/g') DATA_TO_SCAN="${DATA_TO_SCAN} ${FIND}" fi done # Scan custom profile if [ ! -z "${CUSTOM_PROFILE}" ]; then - FIND=$(${GREPBINARY} "^config-data=sysctl;" ${CUSTOM_PROFILE} | sed 's/ /-space-/g') + FIND=$(${GREPBINARY} "^config-data=sysctl;" ${CUSTOM_PROFILE} | ${SEDBINARY} 's/ /-space-/g') for LINE in ${FIND}; do SYSCTLKEY=$(echo ${LINE} | ${AWKBINARY} -F\; '{ print $2 }') HAS_KEY=$(echo ${DATA_TO_SCAN} | ${GREPBINARY} ";${SYSCTLKEY};") @@ -58,7 +58,7 @@ # Last, use data from default profile if [ ! -z "${DEFAULT_PROFILE}" ]; then - FIND=$(${GREPBINARY} "^config-data=sysctl;" ${DEFAULT_PROFILE} | sed 's/ /-space-/g') + FIND=$(${GREPBINARY} "^config-data=sysctl;" ${DEFAULT_PROFILE} | ${SEDBINARY} 's/ /-space-/g') for LINE in ${FIND}; do SYSCTLKEY=$(echo ${LINE} | ${AWKBINARY} -F\; '{ print $2 }') HAS_KEY=$(echo ${DATA_TO_SCAN} | ${GREPBINARY} ";${SYSCTLKEY};") @@ -67,13 +67,13 @@ fi # Sort the results - DATA_TO_SCAN=$(echo ${DATA_TO_SCAN} | tr ' ' '\n' | sort) + DATA_TO_SCAN=$(echo ${DATA_TO_SCAN} | ${TRBINARY} ' ' '\n' | sort) for I in ${DATA_TO_SCAN}; do tFINDkey=$(echo ${I} | ${AWKBINARY} -F\; '{ print $2 }') tFINDexpvalue=$(echo ${I} | ${AWKBINARY} -F\; '{ print $3 }') tFINDhp=$(echo ${I} | ${AWKBINARY} -F\; '{ print $4 }' | ${GREPBINARY} "[0-9]") - tFINDdesc=$(echo ${I} | ${AWKBINARY} -F\; '{ print $5 }' | sed 's/-space-/ /g') + tFINDdesc=$(echo ${I} | ${AWKBINARY} -F\; '{ print $5 }' | ${SEDBINARY} 's/-space-/ /g') tFINDcurvalue=$(${SYSCTL_READKEY} ${tFINDkey} 2> /dev/null) if [ ! "${tFINDcurvalue}" = "" ]; then if [ "${tFINDexpvalue}" = "${tFINDcurvalue}" ]; then diff --git a/include/tests_logging b/include/tests_logging index 894d8d24..8b48d4dd 100644 --- a/include/tests_logging +++ b/include/tests_logging @@ -279,7 +279,7 @@ Register --test-no LOGG-2150 --weight L --preqs-met ${PREQS_MET} --network NO --category security --description "Checking directories in logrotate configuration" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Checking which directories can be found in logrotate configuration" - FIND=`${LOGROTATEBINARY} -d -v /etc/logrotate.conf 2>&1 | ${EGREPBINARY} "considering log|skipping" | ${GREPBINARY} -v '*' | ${SORTBINARY} -u | ${AWKBINARY} '{ if ($2=="log") { print $3 } }' | sed 's@/[^/]*$@@g' | ${SORTBINARY} -u` + FIND=`${LOGROTATEBINARY} -d -v /etc/logrotate.conf 2>&1 | ${EGREPBINARY} "considering log|skipping" | ${GREPBINARY} -v '*' | ${SORTBINARY} -u | ${AWKBINARY} '{ if ($2=="log") { print $3 } }' | ${SEDBINARY} 's@/[^/]*$@@g' | ${SORTBINARY} -u` if [ "${FIND}" = "" ]; then LogText "Result: nothing found" else @@ -399,7 +399,7 @@ Register --test-no LOGG-2162 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking directories in /etc/newsyslog.conf" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: parsing directories from /etc/newsyslog.conf file" - FIND=`${AWKBINARY} '/^\// { print $1 }' /etc/newsyslog.conf | sed 's/\/*[a-zA-Z_.-]*$//g' | ${SORTBINARY} -u` + FIND=`${AWKBINARY} '/^\// { print $1 }' /etc/newsyslog.conf | ${SEDBINARY} 's/\/*[a-zA-Z_.-]*$//g' | ${SORTBINARY} -u` for I in ${FIND}; do if [ -d ${I} ]; then LogText "Result: Directory ${I} found and exists" diff --git a/include/tests_memory_processes b/include/tests_memory_processes index f753a773..c767ddd0 100644 --- a/include/tests_memory_processes +++ b/include/tests_memory_processes @@ -53,8 +53,8 @@ LogText "Test: Searching /usr/sbin/prtconf" if [ -x /usr/sbin/prtconf ]; then Display --indent 2 --text "- Querying prtconf for installed memory" --result "${STATUS_DONE}" --color GREEN - MEMORY_SIZE=`/usr/sbin/prtconf | ${GREPBINARY} "^Memory size:" | cut -d ' ' -f3` - MEMORY_UNITS=`/usr/sbin/prtconf | ${GREPBINARY} "^Memory size:" | cut -d ' ' -f4` + MEMORY_SIZE=`/usr/sbin/prtconf | ${GREPBINARY} "^Memory size:" | ${CUTBINARY} -d ' ' -f3` + MEMORY_UNITS=`/usr/sbin/prtconf | ${GREPBINARY} "^Memory size:" | ${CUTBINARY} -d ' ' -f4` LogText "Result: Found ${MEMORY_SIZE} ${MEMORY_UNITS} memory" Report "memory_size=${MEMORY_SIZE}" Report "memory_units=${MEMORY_UNITS}" diff --git a/include/tests_nameservices b/include/tests_nameservices index 8f8fed96..4b4c2863 100644 --- a/include/tests_nameservices +++ b/include/tests_nameservices @@ -209,7 +209,7 @@ else LogText "Result: using domain name from FQDN hostname" #DOMAINNAME=${FQDN#${HOSTNAME}.} - DOMAINNAME=`echo ${FQDN} | cut -d . -f2-` + DOMAINNAME=`echo ${FQDN} | ${CUTBINARY} -d . -f2-` fi fi @@ -555,7 +555,7 @@ if [ -f /etc/sysconfig/network ]; then LogText "Result: file /etc/sysconfig/network exists" LogText "Test: checking NISDOMAIN value in file" - FIND3=`${GREPBINARY} "^NISDOMAIN" /etc/sysconfig/network | ${AWKBINARY} -F= '{ print $2 }' | sed 's/"//g'` + FIND3=`${GREPBINARY} "^NISDOMAIN" /etc/sysconfig/network | ${AWKBINARY} -F= '{ print $2 }' | ${SEDBINARY} 's/"//g'` if [ ! "${FIND3}" = "" ]; then LogText "Found NIS domain: ${FIND3}" NISDOMAIN="${FIND3}" @@ -569,7 +569,7 @@ if [ ! "${SYSCTLBINARY}" = "" ]; then # Check sysctl (e.g. FreeBSD) LogText "Test: checking sysctl for kern.domainname" - FIND=`${SYSCTLBINARY} -a 2>&1 | ${GREPBINARY} "^kern.domainname" | ${AWKBINARY} -F: '{ print $2 }' | sed 's/ //g' | ${GREPBINARY} -v "^$"` + FIND=`${SYSCTLBINARY} -a 2>&1 | ${GREPBINARY} "^kern.domainname" | ${AWKBINARY} -F: '{ print $2 }' | ${SEDBINARY} 's/ //g' | ${GREPBINARY} -v "^$"` if [ ! "${FIND}" = "" ]; then LogText "Result: found NIS domain via sysctl" NISDOMAIN="${FIND}" diff --git a/include/tests_networking b/include/tests_networking index a70d7d9b..608a28e3 100644 --- a/include/tests_networking +++ b/include/tests_networking @@ -46,7 +46,7 @@ IPV6_ONLY=255 IPV6_MISCONFIGURED=0 IPV6_MISCONFIGURED_MTU=0 - FIND=`sysctl -a 2> /dev/null | ${GREPBINARY} "^net.ipv6" | sed "s/ = /=/"` + FIND=`sysctl -a 2> /dev/null | ${GREPBINARY} "^net.ipv6" | ${SEDBINARY} "s/ = /=/"` if [ ! "${FIND}" = "" ]; then IPV6_CONFIGURED=1 for I in ${FIND}; do @@ -89,7 +89,7 @@ LogText "Result: IPV6 mode is ${IPV6_MODE}" if [ ${IPV6_CONFIGURED} -eq 1 ]; then Display --indent 2 --text "- Checking IPv6 configuration" --result "${STATUS_ENABLED}" --color WHITE - STATUS=`echo ${IPV6_MODE} | tr '[:lower:]' '[:upper:]'` + STATUS=`echo ${IPV6_MODE} | ${TRBINARY} '[:lower:]' '[:upper:]'` Display --indent 6 --text "Configuration method" --result "${STATUS}" --color WHITE if [ ${IPV6_ONLY} -eq 1 ]; then STATUS="YES"; else STATUS="NO"; fi LogText "Result: IPv6 only configuration: ${STATUS}" @@ -123,7 +123,7 @@ LogText "Test: Checking /etc/resolv.conf file" if [ -f /etc/resolv.conf ]; then LogText "Result: Found /etc/resolv.conf file" - FIND=`${GREPBINARY} '^nameserver' /etc/resolv.conf | tr -d '\t' | sed 's/nameserver*//g' | uniq` + FIND=`${GREPBINARY} '^nameserver' /etc/resolv.conf | ${TRBINARY} -d '\t' | ${SEDBINARY} 's/nameserver*//g' | uniq` if [ ! "${FIND}" = "" ]; then Display --indent 4 --text "- Testing nameservers" LogText "Test: Querying nameservers" @@ -196,7 +196,7 @@ Register --test-no NETW-3001 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Find default gateway (route)" if [ $SKIPTEST -eq 0 ]; then LogText "Test: Searching default gateway(s)" - FIND=`${NETSTATBINARY} -rn | ${EGREPBINARY} "^0.0.0.0|default" | tr -s ' ' | cut -d ' ' -f2` + FIND=`${NETSTATBINARY} -rn | ${EGREPBINARY} "^0.0.0.0|default" | ${TRBINARY} -s ' ' | ${CUTBINARY} -d ' ' -f2` if [ ! "${FIND}" = "" ]; then for I in ${FIND}; do LogText "Result: Found default gateway ${I}" @@ -223,7 +223,7 @@ ;; Linux) if [ ! "${IPBINARY}" = "" ]; then - FIND=`${IPBINARY} link show | ${GREPBINARY} "^[0-9]" | ${AWKBINARY} '{ print $2 }' | sed 's/://g'` + FIND=`${IPBINARY} link show | ${GREPBINARY} "^[0-9]" | ${AWKBINARY} '{ print $2 }' | ${SEDBINARY} 's/://g'` elif [ ! "${IFCONFIGBINARY}" = "" ]; then FIND=`${IFCONFIGBINARY} -a | ${AWKBINARY} '{ if ( $2 == "Link" ) { print $1 }}'` fi @@ -260,7 +260,7 @@ FIND="" case ${OS} in AIX) - FIND=`lscfg -vl ent* | f${GREPBINARY} "Network Address" | cut -d"." -f14 | ${AWKBINARY} '{ ctr=1; i=1; while (ctr <= 6) { d[ctr++]=substr($0,i,2);i=i+2 } printf("%s:%s:%s:%s:%s:%s\n",d[1],d[2],d[3],d[4],d[5],d[6]) }'` + FIND=`lscfg -vl ent* | f${GREPBINARY} "Network Address" | ${CUTBINARY} -d"." -f14 | ${AWKBINARY} '{ ctr=1; i=1; while (ctr <= 6) { d[ctr++]=substr($0,i,2);i=i+2 } printf("%s:%s:%s:%s:%s:%s\n",d[1],d[2],d[3],d[4],d[5],d[6]) }'` ;; DragonFly|FreeBSD) FIND=`${IFCONFIGBINARY} -a | ${AWKBINARY} '{ if ($1=="ether") print $2 }' | ${SORTBINARY} -u` @@ -320,14 +320,14 @@ ;; Linux) if [ ! "${IFCONFIGBINARY}" = "" ]; then - FIND=`${IFCONFIGBINARY} -a | ${AWKBINARY} '{ if ($1=="inet") print $2 }' | cut -d ':' -f2` + FIND=`${IFCONFIGBINARY} -a | ${AWKBINARY} '{ if ($1=="inet") print $2 }' | ${CUTBINARY} -d ':' -f2` # Version which works for multiple types of ifconfig (e.g. Slackware) FIND2=`${IFCONFIGBINARY} -a | ${AWKBINARY} '{ if ($1=="inet6" && $2=="addr:") { print $3 } else { if ($1=="inet6" && $3=="prefixlen") { print $2 } } }'` else if [ ! "${IPBINARY}" = "" ]; then LogText "Test: Using ip binary to gather IP addresses" - FIND=`${IPBINARY} addr | ${AWKBINARY} '{ if ($1=="inet") { print $2 }}' | sed 's/\/.*//'` - FIND2=`${IPBINARY} addr | ${AWKBINARY} '{ if ($1=="inet6") { print $2 }}' | sed 's/\/.*//'` + FIND=`${IPBINARY} addr | ${AWKBINARY} '{ if ($1=="inet") { print $2 }}' | ${SEDBINARY} 's/\/.*//'` + FIND2=`${IPBINARY} addr | ${AWKBINARY} '{ if ($1=="inet6") { print $2 }}' | ${SEDBINARY} 's/\/.*//'` else ReportException "${TEST_NO}:2" "Missing ifconfig or ip command to collect hardware address (MAC)" fi @@ -378,7 +378,7 @@ DragonFly|FreeBSD) if [ ! "${SOCKSTATBINARY}" = "" ]; then FIND=`${SOCKSTATBINARY} | ${AWKBINARY} '{ if ($7 ~ /\*:\*/) print $5"|"$6"|"$2"|" }' | ${SORTBINARY} -u` - # To strip off IP's: sed 's/|.*:/|/' + # To strip off IP's: ${SEDBINARY} 's/|.*:/|/' else FIND="" fi @@ -387,9 +387,9 @@ Linux) if [ ! "${NETSTATBINARY}" = "" ]; then # UDP - FIND=`${NETSTATBINARY} -nlp 2> /dev/null | ${GREPBINARY} "^udp" | ${AWKBINARY} '{ print $4"|"$1"|"$6"|" }' | sed 's:|[0-9]*/:|:'` + FIND=`${NETSTATBINARY} -nlp 2> /dev/null | ${GREPBINARY} "^udp" | ${AWKBINARY} '{ print $4"|"$1"|"$6"|" }' | ${SEDBINARY} 's:|[0-9]*/:|:'` # TCP - FIND2=`${NETSTATBINARY} -nlp 2> /dev/null | ${GREPBINARY} "^tcp" | ${AWKBINARY} '{ if($6=="LISTEN") { print $4"|"$1"|"$7"|" }}' | sed 's:|[0-9]*/:|:'` + FIND2=`${NETSTATBINARY} -nlp 2> /dev/null | ${GREPBINARY} "^tcp" | ${AWKBINARY} '{ if($6=="LISTEN") { print $4"|"$1"|"$7"|" }}' | ${SEDBINARY} 's:|[0-9]*/:|:'` else if [ ! "${SSBINARY}" = "" ]; then # UDP @@ -405,7 +405,7 @@ MacOS) if [ ! "${LSOFBINARY}" = "" ]; then # UDP and TCP combined - FIND=`${LSOFBINARY} -i -P | ${AWKBINARY} '{ print $9"|"$8"|"$1"|" }' | sed 's/\(.*\)\-\>.*\(\|.*\)/\1\2/' | sed 's/\*/'$IP'/' | ${SORTBINARY} -u | ${GREPBINARY} -v "NAME"` + FIND=`${LSOFBINARY} -i -P | ${AWKBINARY} '{ print $9"|"$8"|"$1"|" }' | ${SEDBINARY} 's/\(.*\)\-\>.*\(\|.*\)/\1\2/' | ${SEDBINARY} 's/\*/'$IP'/' | ${SORTBINARY} -u | ${GREPBINARY} -v "NAME"` else FIND="" fi @@ -472,7 +472,7 @@ Register --test-no NETW-3014 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking promiscuous interfaces (BSD)" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Checking promiscuous interfaces (FreeBSD)" - FIND=`${IFCONFIGBINARY} | ${GREPBINARY} PROMISC | cut -d ':' -f1` + FIND=`${IFCONFIGBINARY} | ${GREPBINARY} PROMISC | ${CUTBINARY} -d ':' -f1` if [ ! "${FIND}" = "" ]; then LogText "Result: Promiscuous interfaces: ${FIND}" for I in ${FIND}; do @@ -514,7 +514,7 @@ Register --test-no NETW-3015 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking promiscuous interfaces (Linux)" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Checking promiscuous interfaces (Linux)" - NETWORK=`${IFCONFIGBINARY} | ${GREPBINARY} Link | tr -s ' ' | cut -d ' ' -f1` + NETWORK=`${IFCONFIGBINARY} | ${GREPBINARY} Link | ${TRBINARY} -s ' ' | ${CUTBINARY} -d ' ' -f1` if [ ! "${NETWORK}" = "" ]; then for I in ${NETWORK}; do FIND=`${IFCONFIGBINARY} ${I} | ${GREPBINARY} PROMISC` @@ -552,7 +552,7 @@ # Description : Netstat/socktstat compare (FreeBSD) # echo -n " - Comparing output sockstat and netstat" # LogText "Comparing output of sockstat and netstat" - # NETSTATOUTPUT=`netstat -an | ${GREPBINARY} -v 'TIME_WAIT' | ${GREPBINARY} -v 'ESTABLISHED' | ${GREPBINARY} -v 'SYN_SENT' | ${GREPBINARY} -v 'CLOSE_WAIT' | ${GREPBINARY} -v 'LAST_ACK' | ${GREPBINARY} -v 'SYN_RECV' | ${GREPBINARY} -v 'CLOSING' | cut -c 1-44 | ${GREPBINARY} '*.' | cut -c 24-32 | tr -d ' ' | tr -d '\t' | ${GREPBINARY} -v '*' | ${SORTBINARY} -u` + # NETSTATOUTPUT=`netstat -an | ${GREPBINARY} -v 'TIME_WAIT' | ${GREPBINARY} -v 'ESTABLISHED' | ${GREPBINARY} -v 'SYN_SENT' | ${GREPBINARY} -v 'CLOSE_WAIT' | ${GREPBINARY} -v 'LAST_ACK' | ${GREPBINARY} -v 'SYN_RECV' | ${GREPBINARY} -v 'CLOSING' | ${CUTBINARY} -c 1-44 | ${GREPBINARY} '*.' | ${CUTBINARY} -c 24-32 | ${TRBINARY} -d ' ' | ${TRBINARY} -d '\t' | ${GREPBINARY} -v '*' | ${SORTBINARY} -u` # # if [ "${SOCKSTATOUTPUT}" = "${NETSTATOUTPUT}" ]; then # ShowResult OK diff --git a/include/tests_ports_packages b/include/tests_ports_packages index 4228a45d..8e9cd1ec 100644 --- a/include/tests_ports_packages +++ b/include/tests_ports_packages @@ -51,8 +51,8 @@ LogText "Output:"; LogText "-----" SPACKAGES=`/usr/sbin/pkg query %n,%v` for J in ${SPACKAGES}; do - sPKG_NAME=`echo ${J} | cut -d ',' -f1` - sPKG_VERSION=`echo ${J} | cut -d ',' -f2` + sPKG_NAME=`echo ${J} | ${CUTBINARY} -d ',' -f1` + sPKG_VERSION=`echo ${J} | ${CUTBINARY} -d ',' -f2` LogText "Installed package: ${sPKG_NAME} (version: ${sPKG_VERSION})" INSTALLED_PACKAGES="${INSTALLED_PACKAGES}|${J}" done @@ -73,11 +73,11 @@ LogText "Test: Querying pkg_info to get package list" Display --indent 6 --text "- Querying pkg_info for installed packages" LogText "Output:"; LogText "-----" - SPACKAGES=`/usr/sbin/pkg_info 2>&1 | ${SORTBINARY} | tr -s ' ' | cut -d ' ' -f1 | sed -e 's/^\(.*\)-\([0-9].*\)$/\1,\2/g'` + SPACKAGES=`/usr/sbin/pkg_info 2>&1 | ${SORTBINARY} | ${TRBINARY} -s ' ' | ${CUTBINARY} -d ' ' -f1 | ${SEDBINARY} -e 's/^\(.*\)-\([0-9].*\)$/\1,\2/g'` for J in ${SPACKAGES}; do N=$((N + 1)) - sPKG_NAME=`echo ${J} | cut -d ',' -f1` - sPKG_VERSION=`echo ${J} | cut -d ',' -f2` + sPKG_NAME=`echo ${J} | ${CUTBINARY} -d ',' -f1` + sPKG_VERSION=`echo ${J} | ${CUTBINARY} -d ',' -f2` LogText "Installed package: ${sPKG_NAME} (version: ${sPKG_VERSION})" INSTALLED_PACKAGES="${INSTALLED_PACKAGES}|${J}" done @@ -121,7 +121,7 @@ LogText "Test: Querying portage to get package list" Display --indent 4 --text "- Querying portage for installed packages" LogText "Output:"; LogText "-----" - GPACKAGES=`equery l '*' | sed -e 's/[.*]//g'` + GPACKAGES=`equery l '*' | ${SEDBINARY} -e 's/[.*]//g'` for J in ${GPACKAGES}; do LogText "Found package ${J}" INSTALLED_PACKAGES="${INSTALLED_PACKAGES}|${J},0," @@ -145,7 +145,7 @@ Display --indent 4 --text "- Querying pkginfo for installed packages" LogText "Output:"; LogText "-----" # Strip SUNW from strings - SPACKAGES=`/usr/bin/pkginfo -i | tr -s ' ' | cut -d ' ' -f2 | sed "s#^SUNW##"` + SPACKAGES=`/usr/bin/pkginfo -i | ${TRBINARY} -s ' ' | ${CUTBINARY} -d ' ' -f2 | ${SEDBINARY} "s#^SUNW##"` for J in ${SPACKAGES}; do LogText "Found package ${J}" INSTALLED_PACKAGES="${INSTALLED_PACKAGES}|${J},0," @@ -201,7 +201,7 @@ LogText "Test: Querying 'pacman -Q' to get package list" Display --indent 6 --text "- Querying pacman package manager" LogText "Output:"; LogText "--------" - SPACKAGES=`${PACMANBINARY} -Q | ${SORTBINARY} | sed 's/ /,/g'` + SPACKAGES=`${PACMANBINARY} -Q | ${SORTBINARY} | ${SEDBINARY} 's/ /,/g'` if [ "${SPACKAGES}" = "" ]; then LogText "Result: pacman binary available, but package list seems to be empty" LogText "Info: looks like the pacman binary is installed, but not used for package installation" @@ -257,17 +257,17 @@ COUNT=0 # Check configuration options (options start with a capital) LogText "Test: searching configured options in ${PACMANCONF}" - FIND=`${GREPBINARY} "^[A-Z]" ${PACMANCONF} | ${SORTBINARY} -u | sed 's/ /:space:/g'` + FIND=`${GREPBINARY} "^[A-Z]" ${PACMANCONF} | ${SORTBINARY} -u | ${SEDBINARY} 's/ /:space:/g'` for I in ${FIND}; do - PMOPTION=`echo ${I} | sed 's/:space:/ /g' | ${AWKBINARY} -F= '{ print $1 }'` - PMVALUE=`echo ${I} | sed 's/:space:/ /g' | ${AWKBINARY} -F= '{ print $2 }'` + PMOPTION=`echo ${I} | ${SEDBINARY} 's/:space:/ /g' | ${AWKBINARY} -F= '{ print $1 }'` + PMVALUE=`echo ${I} | ${SEDBINARY} 's/:space:/ /g' | ${AWKBINARY} -F= '{ print $2 }'` LogText "Result: found option ${PMOPTION} configured with value ${PMVALUE}" Report "pacman_option[]=${PMOPTION}:${PMVALUE}:" done # Check software repositories LogText "Test: checking available repositories" - FIND=`${GREPBINARY} "^\[.*\]$" ${PACMANCONF} | tr -d '[]'` + FIND=`${GREPBINARY} "^\[.*\]$" ${PACMANCONF} | ${TRBINARY} -d '[]'` for I in ${FIND}; do COUNT=$((COUNT + 1)) Report "package_repository[]=${I}" @@ -315,7 +315,7 @@ LogText "Result: Zypper found one or more installed packages which are vulnerable." ReportWarning ${TEST_NO} "Found one or more vulnerable packages installed" # Unfortunately zypper does not properly give back which package it is. Usually best guess is last word on the line - FIND=`${ZYPPERBINARY} -n lp | ${AWKBINARY} '{ if ($5=="security" || $7=="security") { print $NF }}' | sed 's/:$//' | ${GREPBINARY} -v "^$" | ${SORTBINARY} -u` + FIND=`${ZYPPERBINARY} -n lp | ${AWKBINARY} '{ if ($5=="security" || $7=="security") { print $NF }}' | ${SEDBINARY} 's/:$//' | ${GREPBINARY} -v "^$" | ${SORTBINARY} -u` LogText "List of vulnerable packages/version:" for I in ${FIND}; do VULNERABLE_PACKAGES_FOUND=1 @@ -341,11 +341,11 @@ LogText "Test: Querying dpkg -l to get package list" Display --indent 6 --text "- Querying package manager" LogText "Output:" - SPACKAGES=`dpkg -l 2>/dev/null | ${GREPBINARY} "^ii" | tr -s ' ' | tr ' ' ',' | sort` + SPACKAGES=`dpkg -l 2>/dev/null | ${GREPBINARY} "^ii" | ${TRBINARY} -s ' ' | ${TRBINARY} ' ' ',' | sort` for J in ${SPACKAGES}; do N=$((N + 1)) - PACKAGE_NAME=`echo ${J} | cut -d ',' -f2` - PACKAGE_VERSION=`echo ${J} | cut -d ',' -f3` + PACKAGE_NAME=`echo ${J} | ${CUTBINARY} -d ',' -f2` + PACKAGE_VERSION=`echo ${J} | ${CUTBINARY} -d ',' -f3` LogText "Found package: ${PACKAGE_NAME} (version: ${PACKAGE_VERSION})" INSTALLED_PACKAGES="${INSTALLED_PACKAGES}|${PACKAGE_NAME},${PACKAGE_VERSION}" done @@ -358,13 +358,13 @@ # # Test : PKGS-7346 # Description : Check packages which are removed, but still own configuration files, cron jobs etc - # Notes : Cleanup: for pkg in `dpkg -l | ${GREPBINARY} "^rc" | cut -d' ' -f3`; do aptitude purge ${pkg}; done + # Notes : Cleanup: for pkg in `dpkg -l | ${GREPBINARY} "^rc" | ${CUTBINARY} -d' ' -f3`; do aptitude purge ${pkg}; done if [ -x /usr/bin/dpkg ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no PKGS-7346 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Search unpurged packages on system" if [ ${SKIPTEST} -eq 0 ]; then N=0 LogText "Test: Querying dpkg -l to get unpurged packages" - SPACKAGES=`dpkg -l 2>/dev/null | ${GREPBINARY} "^rc" | cut -d ' ' -f3 | sort` + SPACKAGES=`dpkg -l 2>/dev/null | ${GREPBINARY} "^rc" | ${CUTBINARY} -d ' ' -f3 | sort` if [ "${SPACKAGES}" = "" ]; then Display --indent 4 --text "- Query unpurged packages" --result "${STATUS_NONE}" --color GREEN LogText "Result: no packages found with left overs" @@ -392,7 +392,7 @@ Register --test-no PKGS-7348 --os FreeBSD --weight L --network NO --category security --description "Check for old distfiles" if [ ${SKIPTEST} -eq 0 ]; then if [ -x /usr/local/sbin/portsclean ]; then - FIND=`/usr/local/sbin/portsclean -n -DD | ${GREPBINARY} 'Delete' | wc -l | tr -d ' '` + FIND=`/usr/local/sbin/portsclean -n -DD | ${GREPBINARY} 'Delete' | wc -l | ${TRBINARY} -d ' '` if [ ${FIND} -eq 0 ]; then Display --indent 2 --text "- Checking presence old distfiles" --result "${STATUS_OK}" --color GREEN LogText "Result: no unused distfiles found" @@ -422,8 +422,8 @@ SPACKAGES=`${DNFBINARY} -q list installed 2> /dev/null | ${AWKBINARY} '{ if ($1!="Installed" && $1!="Last") {print $1","$2 }}'` for J in ${SPACKAGES}; do N=$((N + 1)) - PACKAGE_NAME=`echo ${J} | cut -d ',' -f1` - PACKAGE_VERSION=`echo ${J} | cut -d ',' -f2` + PACKAGE_NAME=`echo ${J} | ${CUTBINARY} -d ',' -f1` + PACKAGE_VERSION=`echo ${J} | ${CUTBINARY} -d ',' -f2` LogText "Found package: ${PACKAGE_NAME} (version: ${PACKAGE_VERSION})" INSTALLED_PACKAGES="${INSTALLED_PACKAGES}|${PACKAGE_NAME},${PACKAGE_VERSION}" done @@ -631,7 +631,7 @@ #ReportWarning ${TEST_NO} "Found one or more vulnerable packages." #ReportSuggestion ${TEST_NO} "Update your system with portupgrade or other tools" #LogText "List of vulnerable packages/version:" - #for I in `/usr/sbin/pkg audit -F | ${GREPBINARY} "Affected package" | cut -d ' ' -f3 | ${SORTBINARY} -u`; do + #for I in `/usr/sbin/pkg audit -F | ${GREPBINARY} "Affected package" | ${CUTBINARY} -d ' ' -f3 | ${SORTBINARY} -u`; do # Report "vulnerable_package[]=${I}" # LogText "Vulnerable package: ${I}" # # Decrease hardening points for every found vulnerable package @@ -663,7 +663,7 @@ ReportWarning ${TEST_NO} "Found one or more vulnerable packages." ReportSuggestion ${TEST_NO} "Update your system with portupgrade or other tools" LogText "List of vulnerable packages/version:" - for I in `/usr/local/sbin/portaudit | ${GREPBINARY} "Affected package" | cut -d ' ' -f3 | ${SORTBINARY} -u`; do + for I in `/usr/local/sbin/portaudit | ${GREPBINARY} "Affected package" | ${CUTBINARY} -d ' ' -f3 | ${SORTBINARY} -u`; do VULNERABLE_PACKAGES_FOUND=1 Report "vulnerable_package[]=${I}" LogText "Vulnerable package: ${I}" @@ -682,7 +682,7 @@ Register --test-no PKGS-7383 --preqs-met ${PREQS_MET} --os Linux --weight M --network NO --category security --description "Check for YUM package update management" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: YUM package update management" - FIND=$(${YUMBINARY} repolist 2>/dev/null | ${GREPBINARY} repolist | sed 's/ //g' | sed 's/[,.]//g' | ${AWKBINARY} -F ":" '{print $2}' | ${EGREPBINARY} "^[0-9]+$") + FIND=$(${YUMBINARY} repolist 2>/dev/null | ${GREPBINARY} repolist | ${SEDBINARY} 's/ //g' | ${SEDBINARY} 's/[,.]//g' | ${AWKBINARY} -F ":" '{print $2}' | ${EGREPBINARY} "^[0-9]+$") if [ -z "${FIND}" -o "${FIND}" = "0" ]; then LogText "Result: YUM package update management failed" Display --indent 2 --text "- YUM package management consistency" --result "${STATUS_WARNING}" --color RED @@ -845,26 +845,26 @@ if [ ${OPTION_DEBIAN_SKIP_SECURITY_REPOSITORY} -eq 0 ]; then if [ -f /etc/apt/sources.list ]; then LogText "Searching for security.debian.org/security.ubuntu.com or security repositories in /etc/apt/sources.list file" - FIND=$(${EGREPBINARY} "security.debian.org|security.ubuntu.com|-security " /etc/apt/sources.list | ${GREPBINARY} -v '#' | sed 's/ /!space!/g') + FIND=$(${EGREPBINARY} "security.debian.org|security.ubuntu.com|-security " /etc/apt/sources.list | ${GREPBINARY} -v '#' | ${SEDBINARY} 's/ /!space!/g') if [ ! "${FIND}" = "" ]; then FOUND=1 Display --indent 2 --text "- Checking security repository in sources.list file" --result "${STATUS_OK}" --color GREEN LogText "Result: Found security repository in /etc/apt/sources.list" for REPO in ${FIND}; do - REPO=$(echo ${REPO} | sed 's/!space!/ /g') + REPO=$(echo ${REPO} | ${SEDBINARY} 's/!space!/ /g') LogText "Output: ${REPO}" done fi fi if [ -d /etc/apt/sources.list.d ]; then LogText "Searching for security.debian.org/security.ubuntu.com or security repositories in /etc/apt/sources.list.d directory" - FIND=$(${EGREPBINARY} -r "security.debian.org|security.ubuntu.com|-security " /etc/apt/sources.list.d | ${GREPBINARY} -v '#' | sed 's/ /!space!/g') + FIND=$(${EGREPBINARY} -r "security.debian.org|security.ubuntu.com|-security " /etc/apt/sources.list.d | ${GREPBINARY} -v '#' | ${SEDBINARY} 's/ /!space!/g') if [ ! -z "${FIND}" ]; then FOUND=1 Display --indent 2 --text "- Checking security repository in sources.list.d directory" --result "${STATUS_OK}" --color GREEN LogText "Result: Found security repository in one or more files in directory /etc/apt/sources.list.d" for REPO in ${FIND}; do - REPO=$(echo ${REPO} | sed 's/!space!/ /g') + REPO=$(echo ${REPO} | ${SEDBINARY} 's/!space!/ /g') LogText "Output: ${REPO}" done fi @@ -949,7 +949,7 @@ # Trying also with apt-get directly (does not always work, as updates are distributed on both -security and -updates) # Show packages which would be upgraded and match 'security' in repository name - FIND=`/usr/bin/apt-get --dry-run --show-upgraded upgrade 2> /dev/null | ${GREPBINARY} '-security' | ${GREPBINARY} "^Inst" | cut -d ' ' -f2 | ${SORTBINARY} -u` + FIND=`/usr/bin/apt-get --dry-run --show-upgraded upgrade 2> /dev/null | ${GREPBINARY} '-security' | ${GREPBINARY} "^Inst" | ${CUTBINARY} -d ' ' -f2 | ${SORTBINARY} -u` if [ ! "${FIND}" = "" ]; then VULNERABLE_PACKAGES_FOUND=1 SCAN_PERFORMED=1 @@ -1038,7 +1038,7 @@ if [ -x /usr/bin/apt-show-versions ]; then LogText "Result: found /usr/bin/apt-show-versions" LogText "Test: Checking packages which can be upgraded via apt-show-versions" - FIND=`/usr/bin/apt-show-versions -u | sed 's/ /!space!/g'` + FIND=`/usr/bin/apt-show-versions -u | ${SEDBINARY} 's/ /!space!/g'` if [ "${FIND}" = "" ]; then LogText "Result: no packages found which can be upgraded" Display --indent 2 --text "- Checking upgradeable packages" --result "${STATUS_NONE}" --color GREEN @@ -1048,7 +1048,7 @@ Display --indent 2 --text "- Checking upgradeable packages" --result "${STATUS_FOUND}" --color YELLOW # output: program/repository upgradeable from version X to Y for I in ${FIND}; do - I=`echo ${I} | sed 's/!space!/ /g'` + I=`echo ${I} | ${SEDBINARY} 's/!space!/ /g'` LogText "${I}" done fi @@ -1086,7 +1086,7 @@ ################################################################################# # # Description : AIX patches - # Notes : /usr/sbin/instfix -c -i | cut -d":" -f1 + # Notes : /usr/sbin/instfix -c -i | ${CUTBINARY} -d":" -f1 # ################################################################################# # diff --git a/include/tests_printers_spools b/include/tests_printers_spools index e57d51f4..b6225da3 100644 --- a/include/tests_printers_spools +++ b/include/tests_printers_spools @@ -117,7 +117,7 @@ Register --test-no PRNT-2307 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check CUPSd configuration file permissions" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Checking CUPS configuration file permissions" - FIND=`ls -l ${CUPSD_CONFIG_FILE} | cut -c 2-10` + FIND=`ls -l ${CUPSD_CONFIG_FILE} | ${CUTBINARY} -c 2-10` LogText "Result: found ${FIND}" if [ "${FIND}" = "r--------" -o "${FIND}" = "rw-------" -o "${FIND}" = "rw-r-----" -o "${FIND}" = "rw-rw----" ]; then Display --indent 4 --text "- File permissions" --result "${STATUS_OK}" --color GREEN @@ -271,11 +271,11 @@ LogText "Test: Checking old print jobs" DirectoryExists /var/spool/lpd/qdir if [ ${DIRECTORY_FOUND} -eq 1 ]; then - FIND=`find /var/spool/lpd/qdir -type f -mtime +1 2> /dev/null | sed 's/ /!space!/g'` + FIND=`find /var/spool/lpd/qdir -type f -mtime +1 2> /dev/null | ${SEDBINARY} 's/ /!space!/g'` if [ ! "${FIND}" = "" ]; then N=0 for I in ${FIND}; do - FILE=`echo ${I} | sed 's/!space!/ /g'` + FILE=`echo ${I} | ${SEDBINARY} 's/!space!/ /g'` LogText "Found old print job: ${FILE}" N=$((N + 1)) done diff --git a/include/tests_scheduling b/include/tests_scheduling index 9bc9f10f..60270917 100644 --- a/include/tests_scheduling +++ b/include/tests_scheduling @@ -55,7 +55,7 @@ BAD_FILE_PERMISSIONS=0 BAD_FILE_OWNERSHIP=0 FindCronJob() { - sCRONJOBS=$(${EGREPBINARY} '^([0-9*])' $1 | tr '\t' ' ' | tr -s ' ' | tr ' ' ',') + sCRONJOBS=$(${EGREPBINARY} '^([0-9*])' $1 | ${TRBINARY} '\t' ' ' | ${TRBINARY} -s ' ' | ${TRBINARY} ' ' ',') } CRONTAB_FILE="/etc/crontab" @@ -155,7 +155,7 @@ if [ "${OS}" = "Linux" ]; then if [ -f /etc/anacrontab ]; then LogText "Test: checking anacrontab" - sANACRONJOBS=$(${EGREPBINARY} '^([0-9@])' /etc/anacrontab | tr '\t' ' ' | tr -s ' ' | tr ' ' ',') + sANACRONJOBS=$(${EGREPBINARY} '^([0-9@])' /etc/anacrontab | ${TRBINARY} '\t' ' ' | ${TRBINARY} -s ' ' | ${TRBINARY} ' ' ',') if [ ! "${sANACRONJOBS}" = "" ]; then Report "scheduler[]=anacron" for J in ${sANACRONJOBS}; do @@ -273,11 +273,11 @@ Register --test-no SCHD-7724 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check at jobs" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Check scheduled at jobs" - FIND=$(atq | ${GREPBINARY} -v "no files in queue" | ${AWKBINARY} '{gsub("\t"," ");print}' | sed 's/ /!space!/g') + FIND=$(atq | ${GREPBINARY} -v "no files in queue" | ${AWKBINARY} '{gsub("\t"," ");print}' | ${SEDBINARY} 's/ /!space!/g') if [ ! "${FIND}" = "" ]; then LogText "Result: found one or more jobs" for I in ${FIND}; do - VALUE=$(echo ${I} | sed 's/!space!/ /g') + VALUE=$(echo ${I} | ${SEDBINARY} 's/!space!/ /g') LogText "Found at job: ${VALUE}" done Display --indent 4 --text "- Checking at jobs" --result "${STATUS_FOUND}" --color GREEN diff --git a/include/tests_shells b/include/tests_shells index d87d6c13..f8f71c2c 100644 --- a/include/tests_shells +++ b/include/tests_shells @@ -117,9 +117,9 @@ if [ -f /etc/profile ]; then # Determine if we can find a TMOUT value - FIND=`${GREPBINARY} 'TMOUT=' /etc/profile | tr -d ' ' | tr -d '\t' | ${GREPBINARY} -v "^#" | sed 's/export//' | sed 's/#.*//' | ${AWKBINARY} -F= '{ print $2 }'` + FIND=`${GREPBINARY} 'TMOUT=' /etc/profile | ${TRBINARY} -d ' ' | ${TRBINARY} -d '\t' | ${GREPBINARY} -v "^#" | ${SEDBINARY} 's/export//' | ${SEDBINARY} 's/#.*//' | ${AWKBINARY} -F= '{ print $2 }'` # Determine if the value is exported (with export, readonly, or typeset) - FIND2=`${GREPBINARY} '\(export\|readonly\|typeset -r\)[ \t]*TMOUT' /etc/profile | ${GREPBINARY} -v "^#" | sed 's/#.*//' | ${AWKBINARY} '{ print $1 }'` + FIND2=`${GREPBINARY} '\(export\|readonly\|typeset -r\)[ \t]*TMOUT' /etc/profile | ${GREPBINARY} -v "^#" | ${SEDBINARY} 's/#.*//' | ${AWKBINARY} '{ print $1 }'` if [ ! "${FIND}" = "" ]; then N=0; IDLE_TIMEOUT=1 for I in ${FIND}; do @@ -163,9 +163,9 @@ FIND=`ls /etc/profile.d/*.sh 2> /dev/null` if [ ! "${FIND}" = "" ]; then # Determine if we can find a TMOUT value - FIND=`cat /etc/profile.d/*.sh 2> /dev/null | ${GREPBINARY} 'TMOUT=' | tr -d ' ' | tr -d '\t' | ${GREPBINARY} -v "^#" | sed 's/export//' | sed 's/#.*//' | ${AWKBINARY} -F= '{ print $2 }'` + FIND=`cat /etc/profile.d/*.sh 2> /dev/null | ${GREPBINARY} 'TMOUT=' | ${TRBINARY} -d ' ' | ${TRBINARY} -d '\t' | ${GREPBINARY} -v "^#" | ${SEDBINARY} 's/export//' | ${SEDBINARY} 's/#.*//' | ${AWKBINARY} -F= '{ print $2 }'` # Determine if the value is exported (with export, readonly, or typeset) - FIND2=`cat /etc/profile.d/*.sh 2> /dev/null | ${GREPBINARY} '\(export\|readonly\|typeset -r\)[ \t]*TMOUT' | ${GREPBINARY} -v "^#" | sed 's/#.*//' | ${AWKBINARY} '{ print $1 }'` + FIND2=`cat /etc/profile.d/*.sh 2> /dev/null | ${GREPBINARY} '\(export\|readonly\|typeset -r\)[ \t]*TMOUT' | ${GREPBINARY} -v "^#" | ${SEDBINARY} 's/#.*//' | ${AWKBINARY} '{ print $1 }'` if [ ! "${FIND}" = "" ]; then N=0; IDLE_TIMEOUT=1 @@ -231,7 +231,7 @@ if [ -f ${FILE} ]; then LogText "Result: file ${FILE} exists" FOUND=1 - FIND=`${GREPBINARY} umask ${FILE} | sed 's/^[ \t]*//g' | sed 's/#.*$//' | ${GREPBINARY} -v "^$" | ${AWKBINARY} '{ print $2 }'` + FIND=`${GREPBINARY} umask ${FILE} | ${SEDBINARY} 's/^[ \t]*//g' | ${SEDBINARY} 's/#.*$//' | ${GREPBINARY} -v "^$" | ${AWKBINARY} '{ print $2 }'` if [ "${FIND}" = "" ]; then LogText "Result: did not find umask configured in ${FILE}" Display --indent 4 --text "- Checking default umask in ${FILE}" --result "${STATUS_NONE}" --color YELLOW diff --git a/include/tests_squid b/include/tests_squid index ace3f288..f57837e1 100644 --- a/include/tests_squid +++ b/include/tests_squid @@ -114,9 +114,9 @@ Register --test-no SQD-3610 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check Squid version" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Checking all specific defined options in ${SQUID_DAEMON_CONFIG}" - FIND=`${GREPBINARY} -v "^#" ${SQUID_DAEMON_CONFIG} | ${GREPBINARY} -v "^$" | ${AWKBINARY} '{gsub("\t"," ");print}' | sed 's/ /!space!/g'` + FIND=`${GREPBINARY} -v "^#" ${SQUID_DAEMON_CONFIG} | ${GREPBINARY} -v "^$" | ${AWKBINARY} '{gsub("\t"," ");print}' | ${SEDBINARY} 's/ /!space!/g'` for I in ${FIND}; do - I=`echo ${I} | sed 's/!space!/ /g'` + I=`echo ${I} | ${SEDBINARY} 's/!space!/ /g'` LogText "Found Squid option: ${I}" Report "squid_option=${I}" done @@ -203,14 +203,14 @@ if [ ${SKIPTEST} -eq 0 ]; then N=0 LogText "Test: checking ACLs" - FIND=`${GREPBINARY} "^acl " ${SQUID_DAEMON_CONFIG} | sed 's/ /!space!/g'` + FIND=`${GREPBINARY} "^acl " ${SQUID_DAEMON_CONFIG} | ${SEDBINARY} 's/ /!space!/g'` if [ "${FIND}" = "" ]; then LogText "Result: No ACLs found" Display --indent 6 --text "- Checking Access Control Lists" --result "${STATUS_NONE}" --color RED else for I in ${FIND}; do N=$((N + 1)) - I=`echo ${I} | sed 's/!space!/ /g'` + I=`echo ${I} | ${SEDBINARY} 's/!space!/ /g'` LogText "Found ACL: ${I}" #Report "squid_acl=${I}" done @@ -279,7 +279,7 @@ if [ ${SKIPTEST} -eq 0 ]; then N=0 LogText "Test: checking option reply_body_max_size" - FIND=`${GREPBINARY} "^reply_body_max_size " ${SQUID_DAEMON_CONFIG} | sed 's/ /!space!/g'` + FIND=`${GREPBINARY} "^reply_body_max_size " ${SQUID_DAEMON_CONFIG} | ${SEDBINARY} 's/ /!space!/g'` if [ "${FIND}" = "" ]; then LogText "Result: option reply_body_max_size not configured" Display --indent 6 --text "- Checking option: reply_body_max_size" --result "${STATUS_NONE}" --color RED diff --git a/include/tests_ssh b/include/tests_ssh index 5a048319..9d7e24b9 100644 --- a/include/tests_ssh +++ b/include/tests_ssh @@ -136,12 +136,12 @@ # Go through our list of options for I in ${SSHOPS}; do - OPTIONNAME=`echo ${I} | cut -d ':' -f1` - OPTIONNAME_LOWER=`echo ${I} | cut -d ':' -f1 | ${AWKBINARY} '{ print tolower($1) }'` - EXPECTEDVALUE=`echo ${I} | cut -d ':' -f2 | cut -d',' -f1` - MEDIUMSCOREDVALUE=`echo ${I} | cut -d ':' -f2 | cut -d',' -f2` - WEAKVALUE=`echo ${I} | cut -d ':' -f2 | cut -d',' -f3` - TESTTYPE=`echo ${I} | cut -d ':' -f3` + OPTIONNAME=`echo ${I} | ${CUTBINARY} -d ':' -f1` + OPTIONNAME_LOWER=`echo ${I} | ${CUTBINARY} -d ':' -f1 | ${AWKBINARY} '{ print tolower($1) }'` + EXPECTEDVALUE=`echo ${I} | ${CUTBINARY} -d ':' -f2 | ${CUTBINARY} -d',' -f1` + MEDIUMSCOREDVALUE=`echo ${I} | ${CUTBINARY} -d ':' -f2 | ${CUTBINARY} -d',' -f2` + WEAKVALUE=`echo ${I} | ${CUTBINARY} -d ':' -f2 | ${CUTBINARY} -d',' -f3` + TESTTYPE=`echo ${I} | ${CUTBINARY} -d ':' -f3` RESULT="NONE" if ! SkipAtomicTest "${TEST_NO}:${OPTIONNAME_LOWER}"; then diff --git a/include/tests_storage_nfs b/include/tests_storage_nfs index d2adb879..f5debe66 100644 --- a/include/tests_storage_nfs +++ b/include/tests_storage_nfs @@ -37,7 +37,7 @@ Register --test-no STRG-1902 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check rpcinfo registered programs" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Checking rpcinfo registered programs" - FIND=`${RPCINFOBINARY} -p 2> /dev/null | tr -s ' ' ','` + FIND=`${RPCINFOBINARY} -p 2> /dev/null | ${TRBINARY} -s ' ' ','` for I in ${FIND}; do LogText "rpcinfo: ${I}" done @@ -122,10 +122,10 @@ LogText "Test: check /etc/exports" if [ -f /etc/exports ]; then LogText "Result: /etc/exports exists" - FIND=`${GREPBINARY} -v "^$" /etc/exports | ${GREPBINARY} -v "^#" | sed 's/ /!space!/g'` + FIND=`${GREPBINARY} -v "^$" /etc/exports | ${GREPBINARY} -v "^#" | ${SEDBINARY} 's/ /!space!/g'` if [ ! "${FIND}" = "" ]; then for I in ${FIND}; do - I=`echo ${I} | sed 's/!space!/ /g'` + I=`echo ${I} | ${SEDBINARY} 's/!space!/ /g'` LogText "Found line: ${I}" done else @@ -161,7 +161,7 @@ Register --test-no STRG-1930 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check client access to nfs share" if [ ${SKIPTEST} -eq 0 ]; then #LogText "Test: " - sFIND=`${SHOWMOUNTBINARY} -e | ${AWKBINARY} '{ print $2 }' | sed '1d'| ${GREPBINARY} "\*"` + sFIND=`${SHOWMOUNTBINARY} -e | ${AWKBINARY} '{ print $2 }' | ${SEDBINARY} '1d'| ${GREPBINARY} "\*"` if [ "${sFIND}" != "" ]; then LogText "Result: all client are allowed to access a NFS share in /etc/exports" Display --indent 4 --text "- Checking NFS client access" --result "ALL CLIENTS" --color YELLOW diff --git a/include/tests_time b/include/tests_time index 28a1b68c..097fc400 100644 --- a/include/tests_time +++ b/include/tests_time @@ -274,7 +274,7 @@ Register --test-no TIME-3120 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check unreliable NTP peers" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Checking unreliable ntp peers" - FIND=`${NTPQBINARY} -p -n | ${EGREPBINARY} "^(-|#)" | ${AWKBINARY} '{ print $1 }' | sed 's/^-//g'` + FIND=`${NTPQBINARY} -p -n | ${EGREPBINARY} "^(-|#)" | ${AWKBINARY} '{ print $1 }' | ${SEDBINARY} 's/^-//g'` if [ "${FIND}" = "" ]; then Display --indent 2 --text "- Checking unreliable ntp peers" --result "${STATUS_NONE}" --color GREEN LogText "Result: No unreliable peers found" @@ -301,7 +301,7 @@ FIND2=$(${NTPQBINARY} -p -n | ${GREPBINARY} '^*' | ${AWKBINARY} '{ print $1 }') if [ -z "${FIND}" -a ! -z "${FIND2}" ]; then Display --indent 2 --text "- Checking selected time source" --result "${STATUS_OK}" --color GREEN - FIND2=`echo ${FIND2} | sed 's/*//g'` + FIND2=`echo ${FIND2} | ${SEDBINARY} 's/*//g'` LogText "Result: Found selected time source (value: ${FIND2})" else Display --indent 2 --text "- Checking selected time source" --result "${STATUS_WARNING}" --color RED @@ -328,7 +328,7 @@ Display --indent 2 --text "- Checking time source candidates" --result "${STATUS_OK}" --color GREEN LogText "Result: Found one or more candidates to synchronize time with." for I in ${FIND}; do - I=$(echo ${I} | sed 's/+//g') + I=$(echo ${I} | ${SEDBINARY} 's/+//g') LogText "Candidate found: ${I}" done fi @@ -350,7 +350,7 @@ Display --indent 2 --text "- Checking falsetickers" --result "${STATUS_NONE}" --color YELLOW LogText "Result: Found one or more falsetickers (items preceeding with an 'x')" for I in ${FIND}; do - I=$(echo ${I} | sed 's/x//g') + I=$(echo ${I} | ${SEDBINARY} 's/x//g') LogText "Falseticker found: ${I}" Report "ntp_falseticker[]=${I}" done diff --git a/include/tests_tooling b/include/tests_tooling index 3424b36a..a6c3a0ec 100644 --- a/include/tests_tooling +++ b/include/tests_tooling @@ -195,7 +195,7 @@ if [ ${PERFORM_FAIL2BAN_TESTS} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no TOOL-5104 --weight L --network NO --preqs-met ${PREQS_MET} --category security --description "Enabled tests in Fail2ban" if [ ${SKIPTEST} -eq 0 ]; then - FIND=$(${FAIL2BANCLIENT} -d | tr -d '[]' | tr -d "'" | ${AWKBINARY} -F, '{ if ($1=="add") { print $2 }}' | tr -d ' ') + FIND=$(${FAIL2BANCLIENT} -d | ${TRBINARY} -d '[]' | ${TRBINARY} -d "'" | ${AWKBINARY} -F, '{ if ($1=="add") { print $2 }}' | ${TRBINARY} -d ' ') if [ ! "${FIND}" = "" ]; then for F2BSERVICE in ${FIND}; do LogText "Result: service '${F2BSERVICE}' enabled" diff --git a/include/tests_webservers b/include/tests_webservers index 72972bf9..5132ee19 100644 --- a/include/tests_webservers +++ b/include/tests_webservers @@ -93,7 +93,7 @@ Register --test-no HTTP-6624 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Testing main Apache configuration file" if [ ${SKIPTEST} -eq 0 ]; then APACHE_CONFIGFILE="" - APACHE_TEST=`${HTTPDBINARY} -V 2> /dev/null | ${GREPBINARY} "\-D SERVER_CONFIG_FILE=" | sed 's/[ ]-D SERVER_CONFIG_FILE=//' | tr -d '"' | tr -d ' ' | tr -d '[:cntrl:]'` + APACHE_TEST=`${HTTPDBINARY} -V 2> /dev/null | ${GREPBINARY} "\-D SERVER_CONFIG_FILE=" | ${SEDBINARY} 's/[ ]-D SERVER_CONFIG_FILE=//' | ${TRBINARY} -d '"' | ${TRBINARY} -d ' ' | ${TRBINARY} -d '[:cntrl:]'` if [ "${APACHE_TEST}" = "" ]; then LogText "Result: Can't find the configuration file, so skipping some Apache related tests" @@ -104,7 +104,7 @@ Display --indent 6 --text "Info: Configuration file found (${APACHE_CONFIGFILE})" else # Probably the prefix is missing, so we are going to search that - APACHE_HTTPDROOT=`${HTTPDBINARY} -V 2> /dev/null | ${GREPBINARY} "\-D HTTPD_ROOT=" | sed 's/[ ]-D HTTPD_ROOT=//' | tr -d '"' | tr -d ' '` + APACHE_HTTPDROOT=`${HTTPDBINARY} -V 2> /dev/null | ${GREPBINARY} "\-D HTTPD_ROOT=" | ${SEDBINARY} 's/[ ]-D HTTPD_ROOT=//' | ${TRBINARY} -d '"' | ${TRBINARY} -d ' '` #echo "Apache root prefix: ${APACHE_HTTPDROOT}" #echo "Complete path to configuration file: ${APACHE_HTTPDROOT}/${APACHE_TEST}" APACHE_TESTFILE="${APACHE_HTTPDROOT}/${APACHE_TEST}" @@ -156,7 +156,7 @@ fi done # Search Server aliases - for J in `${GREPBINARY} "ServerAlias" ${I} | ${GREPBINARY} -v "^#" | sed "s/.* ServerAlias//g" | sed "s/#.*//g"`; do + for J in `${GREPBINARY} "ServerAlias" ${I} | ${GREPBINARY} -v "^#" | ${SEDBINARY} "s/.* ServerAlias//g" | ${SEDBINARY} "s/#.*//g"`; do if [ ! -z ${J} ]; then tVHOSTS="${tVHOSTS} ${J}" cVHOSTS=$((cVHOSTS + 1)) @@ -208,9 +208,9 @@ # SERVERTOKENSTEST=`${GREPBINARY} ServerTokens ${APACHE_CONFIGFILE} | ${GREPBINARY} -v '^#'` # if [ ! "${SERVERTOKENSTEST}" = "" ]; then # Display --indent 4 --text "- Checking option ServerTokens" --result "${STATUS_FOUND}" --color WHITE -# SERVERTOKENSTEST=`echo ${SERVERTOKENSTEST} | sed 's/ServerTokens//' | tr -d ' '` +# SERVERTOKENSTEST=`echo ${SERVERTOKENSTEST} | ${SEDBINARY} 's/ServerTokens//' | ${TRBINARY} -d ' '` # LogText "Option ServerTokens found: ${SERVERTOKENSTEST}" -# SERVERTOKENSEXPECTED=`${GREPBINARY} 'apache' ${PROFILE} | ${GREPBINARY} 'ServerTokens' | cut -d ':' -f3` +# SERVERTOKENSEXPECTED=`${GREPBINARY} 'apache' ${PROFILE} | ${GREPBINARY} 'ServerTokens' | ${CUTBINARY} -d ':' -f3` # if [ "${SERVERTOKENSEXPECTED}" = "${SERVERTOKENSTEST}" ]; then # LogText "Result: Value from configuration file yielded the same output as in template" # SERVERTOKENSFOUND=1 @@ -250,7 +250,7 @@ #if [ ${SKIPTEST} -eq 0 ]; then # Testing Debian style #LogText "Test: searching loaded/enabled Apache modules" - #apachectl -t -D DUMP_MODULES 2>&1 | ${EGREPBINARY} -v "(Loaded Modules|Syntax OK)" | sed 's/(\(shared\|static\))//' | sed 's/ //' + #apachectl -t -D DUMP_MODULES 2>&1 | ${EGREPBINARY} -v "(Loaded Modules|Syntax OK)" | ${SEDBINARY} 's/(\(shared\|static\))//' | ${SEDBINARY} 's/ //' #for I in ${APACHE_MODULES_ENABLED_LOCS}; do #LogText "Test: checking ${I}" #if [ -d ${I} ]; then @@ -428,9 +428,9 @@ # Remove temp file if [ ! "${TMPFILE}" = "" ]; then if [ -f ${TMPFILE} ]; then rm -f ${TMPFILE}; fi; fi N=0 - sed -e 's/^[ ]*//' ${NGINX_CONF_LOCATION} | ${GREPBINARY} -v "^#" | ${GREPBINARY} -v "^$" | sed 's/[ ]/ /g' | sed 's/ / /g' | sed 's/ / /g' >> ${TMPFILE} + ${SEDBINARY} -e 's/^[ ]*//' ${NGINX_CONF_LOCATION} | ${GREPBINARY} -v "^#" | ${GREPBINARY} -v "^$" | ${SEDBINARY} 's/[ ]/ /g' | ${SEDBINARY} 's/ / /g' | ${SEDBINARY} 's/ / /g' >> ${TMPFILE} # Search for included configuration files (may include directories and wild cards) - FIND=`${GREPBINARY} "include" ${NGINX_CONF_LOCATION} | ${AWKBINARY} '{ if ($1=="include") { print $2 }}' | sed 's/;$//g'` + FIND=`${GREPBINARY} "include" ${NGINX_CONF_LOCATION} | ${AWKBINARY} '{ if ($1=="include") { print $2 }}' | ${SEDBINARY} 's/;$//g'` for I in ${FIND}; do FIND2=`${LSBINARY} ${I} 2>/dev/null` for J in ${FIND2}; do @@ -442,7 +442,7 @@ FileIsReadable ${J} if [ ${CANREAD} -eq 1 ]; then NGINX_CONF_FILES="${NGINX_CONF_FILES} ${J}" - FIND3=`sed -e 's/^[ ]*//' ${J} | ${GREPBINARY} -v "^#" | ${GREPBINARY} -v "^$" | sed 's/[ ]/ /g' | sed 's/ / /g' | sed 's/ / /g' >> ${TMPFILE}` + FIND3=`sed -e 's/^[ ]*//' ${J} | ${GREPBINARY} -v "^#" | ${GREPBINARY} -v "^$" | ${SEDBINARY} 's/[ ]/ /g' | ${SEDBINARY} 's/ / /g' | ${SEDBINARY} 's/ / /g' >> ${TMPFILE}` else ReportException "${TEST_NO}:1" "Can not parse file ${J}, as it is not readable" fi @@ -451,9 +451,9 @@ done # Sort all discovered configuration lines and store unique ones. Also strip out the mime types configured in nginx - SORTFILE=`${SORTBINARY} -u ${TMPFILE} | sed 's/ /:space:/g' | ${EGREPBINARY} -v "(application|audio|image|text|video)/" | ${EGREPBINARY} -v "({|})"` + SORTFILE=`${SORTBINARY} -u ${TMPFILE} | ${SEDBINARY} 's/ /:space:/g' | ${EGREPBINARY} -v "(application|audio|image|text|video)/" | ${EGREPBINARY} -v "({|})"` for I in ${SORTFILE}; do - I=`echo ${I} | sed 's/:space:/ /g'` + I=`echo ${I} | ${SEDBINARY} 's/:space:/ /g'` Report "nginx_config_option[]=${I}"; done @@ -651,7 +651,7 @@ # if [ ${SKIPTEST} -eq 0 ]; then # N=0 # LogText "Test: searching proxy_pass statement in configuration file ${NGINX_CONF_LOCATION}" -# FIND=`${GREPBINARY} "proxy_pass" ${NGINX_CONF_LOCATION} | ${GREPBINARY} -v "#" | sed 's/proxy_pass//g' | tr -d ';'` +# FIND=`${GREPBINARY} "proxy_pass" ${NGINX_CONF_LOCATION} | ${GREPBINARY} -v "#" | ${SEDBINARY} 's/proxy_pass//g' | ${TRBINARY} -d ';'` # for I in ${FIND}; do # LogText "Found reverse proxy configuration for: ${I}" # N=$((N + 1)) @@ -675,7 +675,7 @@ # if [ ${SKIPTEST} -eq 0 ]; then # N=0 # LogText "Test: searching nginx virtual hosts" -# FIND=`${GREPBINARY} "server_name" ${NGINX_CONF_LOCATION} | ${GREPBINARY} -v "#" | sed 's/server_name//g' | tr -d ';'` +# FIND=`${GREPBINARY} "server_name" ${NGINX_CONF_LOCATION} | ${GREPBINARY} -v "#" | ${SEDBINARY} 's/server_name//g' | ${TRBINARY} -d ';'` # for I in ${FIND}; do # if [ "${I}" = "_" ]; then I="Default virtual host"; fi # LogText "Found virtual host: ${I}" @@ -703,7 +703,7 @@ LogText "Test: Checking ${DIR}" if [ -d ${DIR} ]; then LogText "Result: Directory ${DIR} exists, so will be used as search path" - FIND=$(find ${DIR} -type f -exec ${GREPBINARY} access_log \{\} \; | ${GREPBINARY} -v "#" | ${AWKBINARY} '{ if($1=="access_log") { print $2 } }' | sed 's/;$//g' | ${SORTBINARY} -u) + FIND=$(find ${DIR} -type f -exec ${GREPBINARY} access_log \{\} \; | ${GREPBINARY} -v "#" | ${AWKBINARY} '{ if($1=="access_log") { print $2 } }' | ${SEDBINARY} 's/;$//g' | ${SORTBINARY} -u) if [ -z "${FIND}" ]; then LogText "Result: no log files found" else |