Diffstat (limited to 'include/tests_authentication')
-rw-r--r-- | include/tests_authentication | 150 |
1 files changed, 75 insertions, 75 deletions
diff --git a/include/tests_authentication b/include/tests_authentication index c82a1fb9..4e13231a 100644 --- a/include/tests_authentication +++ b/include/tests_authentication @@ -42,7 +42,7 @@ LogText "Test: Searching accounts with UID 0" FIND=`grep ':0:' /etc/passwd | egrep -v '^#|^root:|^(\+:\*)?:0:0:::' | cut -d ":" -f1,3 | grep ':0'` if [ ! "${FIND}" = "" ]; then - Display --indent 2 --text "- Search administrator accounts" --result WARNING --color RED + Display --indent 2 --text "- Search administrator accounts" --result "${STATUS_WARNING}" --color RED LogText "Result: Found more than one administrator accounts" ReportWarning "${TEST_NO}" "H" "Multiple users with UID 0 found in passwd file" for I in ${FIND}; do @@ -54,7 +54,7 @@ fi done else - Display --indent 2 --text "- Search administrator accounts" --result OK --color GREEN + Display --indent 2 --text "- Search administrator accounts" --result "${STATUS_OK}" --color GREEN LogText "Result: No accounts found with UID 0 other than root." fi fi 
@@ -75,16 +75,16 @@ if [ -f ${PASSWD_FILE} ]; then FIND=`grep -v '^#' ${PASSWD_FILE} | cut -d ':' -f3 | sort | uniq -d` if [ "${FIND}" = "" ]; then - Display --indent 2 --text "- Checking for non-unique UIDs" --result OK --color GREEN + Display --indent 2 --text "- Checking for non-unique UIDs" --result "${STATUS_OK}" --color GREEN LogText "Result: all accounts found in ${PASSWD_FILE} are unique" else - Display --indent 2 --text "- Checking for non-unique UIDs" --result WARNING --color RED + Display --indent 2 --text "- Checking for non-unique UIDs" --result "${STATUS_WARNING}" --color RED LogText "Result: found multiple accounts with same UID" LogText "Output (non-unique UIDs): ${FIND}" ReportWarning ${TEST_NO} "Multiple accounts found with same UID" fi else - Display --indent 2 --text "- Checking UIDs" --result SKIPPED --color WHITE + Display --indent 2 --text "- Checking UIDs" --result "${STATUS_SKIPPED}" --color WHITE LogText "Result: test skipped, ${PASSWD_FILE} file not available" fi LogText "Remarks: Non unique UIDs can riskful for the system or part of a configuration mistake" 
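Review bot: In the non-unique UID branch, `ReportWarning ${TEST_NO} "Multiple accounts found with same UID"` passes two arguments, while the other calls in this file pass a severity as the second one (for example `ReportWarning "${TEST_NO}" "H" "..."` in the UID 0 test). ReportWarning is defined outside this diff, but if it reads the severity positionally, the message text lands in the severity slot and the finding is recorded without a usable description. Suggest `ReportWarning ${TEST_NO} "H" "Multiple accounts found with same UID"`, with whatever severity is intended. The same two-argument form appears in the hunk at -677 (`ReportWarning ${TEST_NO} "Found accounts without password"`), which is the more serious finding of the two.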
@@ -97,15 +97,15 @@ if [ -f /usr/sbin/chkgrp ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no AUTH-9212 --preqs-met ${PREQS_MET} --weight L --network NO --description "Test group file" if [ ${SKIPTEST} -eq 0 ]; then - Display --indent 2 --text "- Checking chkgrp tool" --result FOUND --color GREEN + Display --indent 2 --text "- Checking chkgrp tool" --result "${STATUS_FOUND}" --color GREEN LogText "Result: /usr/sbin/chkgrp binary found. Using this to perform next test(s)." LogText "Test: Testing consistency of /etc/group file" FIND=`/usr/sbin/chkgrp | grep -v 'is fine'` if [ "${FIND}" = "" ]; then - Display --indent 4 --text "- Checking consistency of /etc/group file" --result OK --color GREEN + Display --indent 4 --text "- Checking consistency of /etc/group file" --result "${STATUS_OK}" --color GREEN LogText "Result: chkgrp test performed, Group file seems to be ok." else - Display --indent 4 --text "- Checking consistency of /etc/group file" --result WARNING --color RED + Display --indent 4 --text "- Checking consistency of /etc/group file" --result "${STATUS_WARNING}" --color RED LogText "Result: chkgrp found some errors. Run the tool manually to see details." LogText "chkgrp output: ${FIND}" ReportWarning ${TEST_NO} "M" "chkgrp reported inconsistencies in /etc/group file" 
@@ -139,10 +139,10 @@ # Check exit-code if [ "${FIND}" = "0" ]; then - Display --indent 2 --text "- Checking consistency of group files (grpck)" --result OK --color GREEN + Display --indent 2 --text "- Checking consistency of group files (grpck)" --result "${STATUS_OK}" --color GREEN LogText "Result: grpck binary didn't find any errors in the group files" else - Display --indent 2 --text "- Checking consistency of group files (grpck)" --result WARNING --color RED + Display --indent 2 --text "- Checking consistency of group files (grpck)" --result "${STATUS_WARNING}" --color RED ReportWarning ${TEST_NO} "M" "grpck binary found errors in one or more group files" ReportSuggestion ${TEST_NO} "Run grpck manually and check your group files" fi @@ -161,9 +161,9 @@ # Check for all shells, except: (/usr)/sbin/nologin /nonexistent FIND=`grep "[a-z]:\*:" /etc/master.passwd | egrep -v '^#|/sbin/nologin|/usr/sbin/nologin|/nonexistent' | sed 's/ /!space!/g'` if [ "${FIND}" = "" ]; then - Display --indent 2 --text "- Checking login shells" --result OK --color GREEN + Display --indent 2 --text "- Checking login shells" --result "${STATUS_OK}" --color GREEN else - Display --indent 2 --text "- Checking login shells" --result WARNING --color RED + Display --indent 2 --text "- Checking login shells" --result "${STATUS_WARNING}" --color RED for I in ${FIND}; do I=`echo ${I} | sed 's/!space!/ /g'` J=`echo ${I} | awk -F: '{ print $10 }'` @@ -186,7 +186,7 @@ fi fi else - Display --indent 2 --text "- Checking login shells" --result SKIPPED --color WHITE + Display --indent 2 --text "- Checking login shells" --result "${STATUS_SKIPPED}" --color WHITE LogText "Result: No /etc/master.passwd file found" fi fi 
@@ -200,10 +200,10 @@ LogText "Test: Checking for non unique group ID's in /etc/group" FIND=`grep -v '^#' /etc/group | grep -v '^$' | awk -F: '{ print $3 }' | sort | uniq -d` if [ "${FIND}" = "" ]; then - Display --indent 2 --text "- Checking non unique group ID's" --result OK --color GREEN + Display --indent 2 --text "- Checking non unique group ID's" --result "${STATUS_OK}" --color GREEN LogText "Result: All group ID's are unique" else - Display --indent 2 --text "- Checking non unique group ID's" --result WARNING --color RED + Display --indent 2 --text "- Checking non unique group ID's" --result "${STATUS_WARNING}" --color RED LogText "Result: Found the same group ID multiple times" LogText "Output: ${FIND}" ReportWarning ${TEST_NO} "H" "Found multiple groups with same group ID" @@ -221,10 +221,10 @@ LogText "Test: Checking for non unique group names in /etc/group" FIND=`grep -v '^#' /etc/group | grep -v '^$' | awk -F: '{ print $1 }' | sort | uniq -d` if [ "${FIND}" = "" ]; then - Display --indent 2 --text "- Checking non unique group names" --result OK --color GREEN + Display --indent 2 --text "- Checking non unique group names" --result "${STATUS_OK}" --color GREEN LogText "Result: All group names are unique" else - Display --indent 2 --text "- Checking non unique group names" --result WARNING --color WARNING + Display --indent 2 --text "- Checking non unique group names" --result "${STATUS_WARNING}" --color WARNING LogText "Result: Found the same group name multiple times" LogText "Output: ${FIND}" ReportWarning ${TEST_NO} "M" "Found inconsistencies in group file (multiple occurences of a single group)" 
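Review bot: In the hunk at -221 the rewritten line still ends in `--color WARNING`, whereas every other WARNING result in this diff uses `--color RED`. Display is defined outside this diff, so this is inferred, but WARNING looks like a result label rather than a colour name, and the duplicate-group-name warning would probably be printed without highlighting. Since the line is being touched anyway, suggest `--result "${STATUS_WARNING}" --color RED`.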
@@ -257,11 +257,11 @@ esac # Only display if this test has been executed if [ ${TESTED} -eq 1 -a "${FIND}" = "0" ]; then - Display --indent 2 --text "- Checking password file consistency" --result OK --color GREEN + Display --indent 2 --text "- Checking password file consistency" --result "${STATUS_OK}" --color GREEN LogText "Result: pwck check didn't find any problems" AddHP 2 2 else - Display --indent 2 --text "- Checking password file consistency" --result WARNING --color RED + Display --indent 2 --text "- Checking password file consistency" --result "${STATUS_WARNING}" --color RED LogText "Result: pwck found one or more errors/warnings in the password file." ReportWarning ${TEST_NO} "M" "pwck found one or more errors/warnings in the password file" ReportSuggestion ${TEST_NO} "Run pwck manually and correct found issues." @@ -318,9 +318,9 @@ if [ "${FIND}" = "" ]; then Display --indent 4 --text "Result: No users found/unknown result" LogText "Result: Querying of system users skipped" - Display --indent 2 --text "- Query system users (non daemons)" --result UNKNOWN --color YELLOW + Display --indent 2 --text "- Query system users (non daemons)" --result "${STATUS_UNKNOWN}" --color YELLOW else - Display --indent 2 --text "- Query system users (non daemons)" --result DONE --color GREEN + Display --indent 2 --text "- Query system users (non daemons)" --result "${STATUS_DONE}" --color GREEN for I in ${FIND}; do LogText "Real user: ${I}" Report "real_user[]=${I}" 
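Review bot: In the hunk at -257 the comment says "Only display if this test has been executed", but the condition `[ ${TESTED} -eq 1 -a "${FIND}" = "0" ]` sends the not-tested case to the `else` branch. A system where pwck never ran would then show WARNING and get a ReportWarning for password file errors that nobody checked for. Suggest an outer guard `if [ ${TESTED} -eq 1 ]; then` around an inner `if [ "${FIND}" = "0" ]; then`, so that the untested case reports nothing or a skipped status. The code that sets TESTED and FIND sits before the `esac`, outside the hunk, and the `else` branch continues past its end.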
@@ -344,7 +344,7 @@ FIND3=`egrep "^passwd" /etc/nsswitch.conf | grep "nisplus"` if [ ! "${FIND2}" = "" -o ! "${FIND3}" = "" ]; then LogText "Result: NIS+ authentication enabled" - Display --indent 2 --text "- Checking NIS+ authentication support" --result "ENABLED" --color GREEN + Display --indent 2 --text "- Checking NIS+ authentication support" --result "${STATUS_ENABLED}" --color GREEN else LogText "Result: NIS+ authentication not enabled" Display --indent 2 --text "- Checking NIS+ authentication support" --result "NOT ENABLED" --color WHITE @@ -371,7 +371,7 @@ FIND3=`egrep "^passwd" /etc/nsswitch.conf | grep "nis" | grep -v "nisplus"` if [ ! "${FIND2}" = "" -o ! "${FIND3}" = "" ]; then LogText "Result: NIS authentication enabled" - Display --indent 2 --text "- Checking NIS authentication support" --result "ENABLED" --color GREEN + Display --indent 2 --text "- Checking NIS authentication support" --result "${STATUS_ENABLED}" --color GREEN else LogText "Result: NIS authentication not enabled" Display --indent 2 --text "- Checking NIS authentication support" --result "NOT ENABLED" --color WHITE @@ -401,10 +401,10 @@ done if [ ${FOUND} -eq 1 ]; then LogText "Result: sudoers file found (${SUDOERS_FILE})" - Display --indent 2 --text "- Checking sudoers file" --result FOUND --color GREEN + Display --indent 2 --text "- Checking sudoers file" --result "${STATUS_FOUND}" --color GREEN else LogText "Result: sudoers file NOT found" - Display --indent 2 --text "- Checking sudoers file" --result "NOT FOUND" --color YELLOW + Display --indent 2 --text "- Checking sudoers file" --result "${STATUS_NOT_FOUND}" --color YELLOW fi fi # 
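Review bot: In the hunk at -344 only the `"ENABLED"` result is converted; the sibling line `--result "NOT ENABLED" --color WHITE` in the `else` branch keeps its literal. The two outcomes of the same test would then come from different sources, and the negative result would not follow whatever the STATUS_ variables are meant to centralise. The same leftover is in the hunks at -371, -1167 and -1186, and `--result WEAK` in the hunk at -1078 is another. Suggest `--result "${STATUS_NOT_ENABLED}"` and a matching constant for WEAK, assuming they are defined alongside the others or added in this commit.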
@@ -420,10 +420,10 @@ LogText "Result: Found file permissions: ${FIND}" if [ "${FIND}" = "rw-------" -o "${FIND}" = "rw-rw----" -o "${FIND}" = "r--r-----" ]; then LogText "Result: file ${SUDOERS_FILE} has correct permissions" - Display --indent 4 --text "- Check sudoers file permissions" --result OK --color GREEN + Display --indent 4 --text "- Check sudoers file permissions" --result "${STATUS_OK}" --color GREEN else LogText "Result: file has possibly unsafe file permissions" - Display --indent 4 --text "- Check sudoers file permissions" --result WARNING --color RED + Display --indent 4 --text "- Check sudoers file permissions" --result "${STATUS_WARNING}" --color RED fi fi # @@ -436,12 +436,12 @@ FIND=`logins -p | awk '{ print $1 }'` if [ "${FIND}" = "" ]; then LogText "Result: no passwordless accounts found" - Display --indent 2 --text "- Checking passwordless accounts on Solaris" --result OK --color GREEN + Display --indent 2 --text "- Checking passwordless accounts on Solaris" --result "${STATUS_OK}" --color GREEN else for I in ${FIND}; do ReportWarning ${TEST_NO} "H" "Found passwordless account (${I})" done - Display --indent 2 --text "- Checking passwordless accounts on Solaris" --result WARNING --color RED + Display --indent 2 --text "- Checking passwordless accounts on Solaris" --result "${STATUS_WARNING}" --color RED fi fi # 
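Review bot: In the hunk at -420 the unsafe-permissions branch only calls LogText and Display, so a sudoers file with loose permissions shows WARNING on screen but never reaches the report; the other WARNING branches in this file do call ReportWarning. Suggest adding a line such as `ReportWarning ${TEST_NO} "M" "Unsafe file permissions on sudoers file"` after the Display call. The accepted list also treats `rw-rw----` as correct, which allows group write on a file that grants root; a short comment on why that mode is acceptable would help. How FIND is computed is outside the hunk, so it is not visible whether ownership is checked too.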
@@ -504,12 +504,12 @@ fi if [ ${FOUND} -eq 0 ]; then - Display --indent 2 --text "- Checking PAM password strength tools" --result "SUGGESTION" --color YELLOW + Display --indent 2 --text "- Checking PAM password strength tools" --result "${STATUS_SUGGESTION}" --color YELLOW LogText "Result: no PAM modules for password strength testing found" ReportSuggestion ${TEST_NO} "Install a PAM module for password strength testing like pam_cracklib or pam_passwdqc" AddHP 0 3 else - Display --indent 2 --text "- Checking PAM password strength tools" --result OK --color GREEN + Display --indent 2 --text "- Checking PAM password strength tools" --result "${STATUS_OK}" --color GREEN LogText "Result: found at least one PAM module for password strength testing" AddHP 3 3 fi @@ -524,7 +524,7 @@ LogText "Test: Checking file /etc/pam.conf" if [ -f /etc/pam.conf ]; then LogText "Result: file /etc/pam.conf exists" - Display --indent 2 --text "- Checking PAM configuration files (pam.conf)" --result FOUND --color GREEN + Display --indent 2 --text "- Checking PAM configuration files (pam.conf)" --result "${STATUS_FOUND}" --color GREEN LogText "Test: searching PAM configuration files" FIND=`grep -v "^#" /etc/pam.conf | grep -v "^$" | sed 's/[[:space:]]/ /g' | sed 's/ / /g' | sed 's/ /:space:/g'` if [ "${FIND}" = "" ]; then @@ -538,7 +538,7 @@ fi else LogText "Result: file /etc/pam.conf could not be found" - Display --indent 2 --text "- Checking PAM configuration file (pam.conf)" --result "NOT FOUND" --color WHITE + Display --indent 2 --text "- Checking PAM configuration file (pam.conf)" --result "${STATUS_NOT_FOUND}" --color WHITE fi fi # 
@@ -551,7 +551,7 @@ LogText "Test: Checking directory /etc/pam.d" if [ -d /etc/pam.d ]; then LogText "Result: directory /etc/pam.d exists" - Display --indent 2 --text "- Checking PAM configuration files (pam.d)" --result FOUND --color GREEN + Display --indent 2 --text "- Checking PAM configuration files (pam.d)" --result "${STATUS_FOUND}" --color GREEN LogText "Test: searching PAM configuration files" FIND=`find /etc/pam.d -type f -print | sort` for I in ${FIND}; do @@ -559,7 +559,7 @@ done else LogText "Result: directory /etc/pam.d could not be found" - Display --indent 2 --text "- Checking PAM configuration files (pam.d)" --result "NOT FOUND" --color WHITE + Display --indent 2 --text "- Checking PAM configuration files (pam.d)" --result "${STATUS_NOT_FOUND}" --color WHITE fi fi # @@ -590,10 +590,10 @@ done # Check if we found at least one module if [ ${FOUND} -eq 0 ]; then - Display --indent 2 --text "- Checking PAM modules" --result "NOT FOUND" --color WHITE + Display --indent 2 --text "- Checking PAM modules" --result "${STATUS_NOT_FOUND}" --color WHITE LogText "Result: no PAM modules found" else - Display --indent 2 --text "- Checking PAM modules" --result FOUND --color GREEN + Display --indent 2 --text "- Checking PAM modules" --result "${STATUS_FOUND}" --color GREEN fi fi # @@ -611,12 +611,12 @@ if [ ! "${FIND}" = "" ]; then LogText "Result: LDAP module present" LogText "Output: ${FIND}" - Display --indent 2 --text "- Checking LDAP module in PAM" --result FOUND --color GREEN + Display --indent 2 --text "- Checking LDAP module in PAM" --result "${STATUS_FOUND}" --color GREEN LDAP_AUTH_ENABLED=1 LDAP_PAM_ENABLED=1 else LogText "Result: LDAP module not found" - Display --indent 2 --text "- Checking LDAP module in PAM" --result "NOT FOUND" --color WHITE + Display --indent 2 --text "- Checking LDAP module in PAM" --result "${STATUS_NOT_FOUND}" --color WHITE fi else LogText "Result: file /etc/pam.d/common-auth not found, skipping test" 
@@ -660,13 +660,13 @@ LogText "Test: Checking Linux version and password expire date status" if [ "${FIND}" = "" ]; then LogText "Result: all accounts seem to have an expire date" - Display --indent 2 --text "- Checking accounts without expire date" --result OK --color GREEN + Display --indent 2 --text "- Checking accounts without expire date" --result "${STATUS_OK}" --color GREEN else LogText "Result: found one or more accounts with expire date set" for I in ${FIND}; do LogText "Account without expire date: ${I}" done - Display --indent 2 --text "- Checking accounts without expire date" --result SUGGESTION --color YELLOW + Display --indent 2 --text "- Checking accounts without expire date" --result "${STATUS_SUGGESTION}" --color YELLOW ReportSuggestion ${TEST_NO} "When possible set expire dates for all password protected accounts" fi fi @@ -677,14 +677,14 @@ LogText "Test: Checking passwordless accounts" if [ "${FIND2}" = "" ]; then LogText "Result: all accounts seem to have a password" - Display --indent 2 --text "- Checking accounts without password" --result OK --color GREEN + Display --indent 2 --text "- Checking accounts without password" --result "${STATUS_OK}" --color GREEN else LogText "Result: found one or more accounts without password" for I in ${FIND2}; do LogText "Account without password: ${I}" Report "account_without_password=${I}" done - Display --indent 2 --text "- Checking accounts without password" --result WARNING --color RED + Display --indent 2 --text "- Checking accounts without password" --result "${STATUS_WARNING}" --color RED ReportWarning ${TEST_NO} "Found accounts without password" fi fi 
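Review bot: In the hunk at -660 the `else` branch logs `"Result: found one or more accounts with expire date set"`, although it is the branch that found accounts without one, as the following `"Account without expire date: ${I}"` lines and the suggestion show. Anyone reading the log during an audit gets the opposite of the actual finding. Suggest `LogText "Result: found one or more accounts without expire date"`.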
@@ -702,7 +702,7 @@ FIND=`grep "^PASS_MIN_DAYS" /etc/login.defs | awk '{ if ($1=="PASS_MIN_DAYS") { print $2 } }'` if [ "${FIND}" = "" -o "${FIND}" = "0" ]; then LogText "Result: password minimum age is not configured" - Display --indent 2 --text "- Checking user password aging (minimum)" --result DISABLED --color YELLOW + Display --indent 2 --text "- Checking user password aging (minimum)" --result "${STATUS_DISABLED}" --color YELLOW ReportSuggestion ${TEST_NO} "Configure minimum password age in /etc/login.defs" AddHP 0 1 else @@ -716,7 +716,7 @@ FIND=`grep "^PASS_MAX_DAYS" /etc/login.defs | awk '{ if ($1=="PASS_MAX_DAYS") { print $2 } }'` if [ "${FIND}" = "" -o "${FIND}" = "99999" ]; then LogText "Result: password aging limits are not configured" - Display --indent 2 --text "- Checking user password aging (maximum)" --result DISABLED --color YELLOW + Display --indent 2 --text "- Checking user password aging (maximum)" --result "${STATUS_DISABLED}" --color YELLOW ReportSuggestion ${TEST_NO} "Configure maximum password age in /etc/login.defs" AddHP 0 1 else @@ -747,15 +747,15 @@ Report "account_password_expired[]=${ACCOUNT}" done AddHP 0 10 - Display --indent 2 --text "- Checking expired passwords" --result FOUND --color RED + Display --indent 2 --text "- Checking expired passwords" --result "${STATUS_FOUND}" --color RED ReportSuggestion "${TEST_NO}" "Delete accounts which are no longer used" else LogText "Result: good, no passwords have been expired" - Display --indent 2 --text "- Checking expired passwords" --result OK --color GREEN + Display --indent 2 --text "- Checking expired passwords" --result "${STATUS_OK}" --color GREEN AddHP 10 10 fi else - Display --indent 2 --text "- Checking expired passwords" --result SKIPPED --color YELLOW + Display --indent 2 --text "- Checking expired passwords" --result "${STATUS_SKIPPED}" --color YELLOW fi fi # 
@@ -773,11 +773,11 @@ FIND=`grep "^PASSREQ=NO" /etc/default/sulogin` if [ "${FIND}" = "" ]; then LogText "Result: option not present or configured to request a password at single user mode login" - Display --indent 2 --text "- Checking Solaris /etc/default/sulogin file" --result OK --color GREEN + Display --indent 2 --text "- Checking Solaris /etc/default/sulogin file" --result "${STATUS_OK}" --color GREEN AddHP 1 1 else LogText "Result: option present, no password needed at single user mode login" - Display --indent 2 --text "- Checking Solaris /etc/default/sulogin file" --result WARNING --color RED + Display --indent 2 --text "- Checking Solaris /etc/default/sulogin file" --result "${STATUS_WARNING}" --color RED ReportWarning ${TEST_NO} "H" "No password needed for single user mode login" AddHP 0 1 fi @@ -803,11 +803,11 @@ FIND=`grep "^:d_boot_authenticate@" /tcb/files/auth/system/default` if [ "${FIND}" = "" ]; then LogText "Result: option not set, password is needed at boot" - Display --indent 2 --text "- Checking HP-UX boot authentication" --result OK --color GREEN + Display --indent 2 --text "- Checking HP-UX boot authentication" --result "${STATUS_OK}" --color GREEN AddHP 1 1 else LogText "Result: option present, no password needed at single user mode login" - Display --indent 2 --text "- Checking HP-UX boot authentication" --result SUGGESTION --color YELLOW + Display --indent 2 --text "- Checking HP-UX boot authentication" --result "${STATUS_SUGGESTION}" --color YELLOW ReportSuggestion ${TEST_NO} "Set password for system boot" AddHP 0 1 fi 
@@ -886,13 +886,13 @@ if [ ${TEST_PERFORMED} -eq 1 ]; then if [ ${FOUND} -eq 0 ]; then LogText "Result: option not set, no password needed at single user mode boot" - Display --indent 2 --text "- Checking Linux single user mode authentication" --result WARNING --color RED + Display --indent 2 --text "- Checking Linux single user mode authentication" --result "${STATUS_WARNING}" --color RED ReportWarning ${TEST_NO} "L" "No password set for single mode" ReportSuggestion ${TEST_NO} "Set password for single user mode to minimize physical access attack surface" AddHP 0 2 else LogText "Result: option set, password is needed at single user mode boot" - Display --indent 2 --text "- Checking Linux single user mode authentication" --result OK --color GREEN + Display --indent 2 --text "- Checking Linux single user mode authentication" --result "${STATUS_OK}" --color GREEN AddHP 2 2 fi else @@ -952,17 +952,17 @@ if [ ${FOUND_UMASK} -eq 1 ]; then if [ ${WEAK_UMASK} -eq 0 ]; then - Display --indent 4 --text "- Checking umask (/etc/profile)" --result OK --color GREEN + Display --indent 4 --text "- Checking umask (/etc/profile)" --result "${STATUS_OK}" --color GREEN AddHP 2 2 else - Display --indent 4 --text "- Checking umask (/etc/profile)" --result SUGGESTION --color YELLOW + Display --indent 4 --text "- Checking umask (/etc/profile)" --result "${STATUS_SUGGESTION}" --color YELLOW ReportSuggestion ${TEST_NO} "Default umask in /etc/profile could be more strict like 027" AddHP 0 2 fi else # Some operating systems don't have a default umask defined in /etc/profile (Debian) LogText "Result: found no umask. Please check if this is correct" - Display --indent 4 --text "- Checking umask (/etc/profile)" --result "NOT FOUND" --color YELLOW + Display --indent 4 --text "- Checking umask (/etc/profile)" --result "${STATUS_NOT_FOUND}" --color YELLOW fi else LogText "Result: file /etc/profile does not exist" 
@@ -989,16 +989,16 @@ FIND=`grep "^UMASK" /etc/login.defs | awk '{ print $2 }'` if [ "${FIND}" = "" ]; then LogText "Result: umask value is not configured (most likely it will have the default 022 value)" - Display --indent 4 --text "- Checking umask (/etc/login.defs)" --result SUGGESTION --color YELLOW + Display --indent 4 --text "- Checking umask (/etc/login.defs)" --result "${STATUS_SUGGESTION}" --color YELLOW ReportSuggestion ${TEST_NO} "Default umask in /etc/login.defs could not be found and defaults usually to 022, which could be more strict like 027" AddHP 1 2 elif [ "${FIND}" = "077" -o "${FIND}" = "027" ]; then LogText "Result: umask is ${FIND}, which is fine" - Display --indent 4 --text "- Checking umask (/etc/login.defs)" --result OK --color GREEN + Display --indent 4 --text "- Checking umask (/etc/login.defs)" --result "${STATUS_OK}" --color GREEN AddHP 2 2 else LogText "Result: found umask ${FIND}, which could be improved" - Display --indent 4 --text "- Checking umask (/etc/login.defs)" --result SUGGESTION --color YELLOW + Display --indent 4 --text "- Checking umask (/etc/login.defs)" --result "${STATUS_SUGGESTION}" --color YELLOW ReportSuggestion ${TEST_NO} "Default umask in /etc/login.defs could be more strict like 027" AddHP 0 2 fi 
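Review bot: The umask test `[ "${FIND}" = "077" -o "${FIND}" = "027" ]` is an exact string match, so an equally strict value written with four digits, such as `0027` or `0077`, falls through to the SUGGESTION branch and loses hardening points. Suggest normalising the value before the comparison or accepting both spellings, e.g. `elif [ "${FIND}" = "077" -o "${FIND}" = "027" -o "${FIND}" = "0077" -o "${FIND}" = "0027" ]; then`. The same comparison is in the hunks at -1014, -1036 and -1099. If the grep matches more than one line, FIND holds several values and also fails the match, which may deserve its own log line.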
@@ -1014,14 +1014,14 @@ FIND=`grep "^umask" /etc/init.d/functions | awk '{ print $2 }'` if [ "${FIND}" = "" ]; then LogText "Result: umask is not configured" - Display --indent 4 --text "- Checking umask (/etc/init.d/functions)" --result NONE --color WHITE + Display --indent 4 --text "- Checking umask (/etc/init.d/functions)" --result "${STATUS_NONE}" --color WHITE elif [ "${FIND}" = "077" -o "${FIND}" = "027" ]; then LogText "Result: umask is ${FIND}, which is fine" - Display --indent 4 --text "- Checking umask (/etc/init.d/functions)" --result OK --color GREEN + Display --indent 4 --text "- Checking umask (/etc/init.d/functions)" --result "${STATUS_OK}" --color GREEN AddHP 2 2 else LogText "Result: found umask ${FIND}, which could be improved" - Display --indent 4 --text "- Checking umask (/etc/init.d/functions)" --result SUGGESTION --color YELLOW + Display --indent 4 --text "- Checking umask (/etc/init.d/functions)" --result "${STATUS_SUGGESTION}" --color YELLOW AddHP 0 2 fi else 
@@ -1036,16 +1036,16 @@ FIND=`grep -i "^UMASK" /etc/init.d/rc | awk '{ print $2 }'` if [ "${FIND}" = "" ]; then LogText "Result: UMASK value is not configured (most likely it will have the default 022 value)" - Display --indent 4 --text "- Checking umask (/etc/init.d/rc)" --result SUGGESTION --color YELLOW + Display --indent 4 --text "- Checking umask (/etc/init.d/rc)" --result "${STATUS_SUGGESTION}" --color YELLOW ReportSuggestion ${TEST_NO} "Default umask in /etc/init.d/rc could not be found and defaults usually to 022, which could be more strict like 027" AddHP 1 2 elif [ "${FIND}" = "077" -o "${FIND}" = "027" ]; then LogText "Result: umask is ${FIND}, which is fine" - Display --indent 4 --text "- Checking umask (/etc/init.d/rc)" --result OK --color GREEN + Display --indent 4 --text "- Checking umask (/etc/init.d/rc)" --result "${STATUS_OK}" --color GREEN AddHP 2 2 else LogText "Result: found umask ${FIND}, which could be improved" - Display --indent 4 --text "- Checking umask (/etc/init.d/rc)" --result SUGGESTION --color YELLOW + Display --indent 4 --text "- Checking umask (/etc/init.d/rc)" --result "${STATUS_SUGGESTION}" --color YELLOW ReportSuggestion ${TEST_NO} "Default umask in /etc/init.d/rc could be more strict like 027" AddHP 0 2 fi 
@@ -1078,14 +1078,14 @@ fi if [ ${FOUND} -eq 1 ]; then if [ ${WEAK_UMASK} -eq 0 ]; then - Display --indent 4 --text "- Checking umask (/etc/login.conf)" --result OK --color GREEN + Display --indent 4 --text "- Checking umask (/etc/login.conf)" --result "${STATUS_OK}" --color GREEN else Display --indent 4 --text "- Checking umask (/etc/login.conf)" --result WEAK --color YELLOW ReportSuggestion ${TEST_NO} "Umask in /etc/login.conf could be more strict like 027" fi else LogText "Result: no umask setting found in /etc/login.conf, which is unexpected" - Display --indent 4 --text "- Checking umask (/etc/login.conf)" --result NONE --color YELLOW + Display --indent 4 --text "- Checking umask (/etc/login.conf)" --result "${STATUS_NONE}" --color YELLOW fi fi 
@@ -1099,16 +1099,16 @@ FIND2=`grep -i "^UMASK" /etc/init.d/rcS | awk '{ print $2 }'` if [ "${FIND2}" = "" ]; then LogText "Result: UMASK value is not configured (most likely it will have the default 022 value)" - Display --indent 4 --text "- Checking umask (/etc/init.d/rcS)" --result SUGGESTION --color YELLOW + Display --indent 4 --text "- Checking umask (/etc/init.d/rcS)" --result "${STATUS_SUGGESTION}" --color YELLOW ReportSuggestion ${TEST_NO} "Default umask in /etc/init.d/rcS could not be found and defaults usually to 022, which could be more strict like 027" AddHP 1 2 elif [ "${FIND2}" = "077" -o "${FIND2}" = "027" ]; then LogText "Result: umask is ${FIND2}, which is fine" - Display --indent 4 --text "- Checking umask (/etc/init.d/rcS)" --result OK --color GREEN + Display --indent 4 --text "- Checking umask (/etc/init.d/rcS)" --result "${STATUS_OK}" --color GREEN AddHP 2 2 else LogText "Result: found umask ${FIND2}, which could be improved" - Display --indent 4 --text "- Checking umask (/etc/init.d/rcS)" --result SUGGESTION --color YELLOW + Display --indent 4 --text "- Checking umask (/etc/init.d/rcS)" --result "${STATUS_SUGGESTION}" --color YELLOW ReportSuggestion ${TEST_NO} "Default umask in /etc/init.d/rcS could be more strict like 027" AddHP 0 2 fi @@ -1167,7 +1167,7 @@ fi fi if [ ${FOUND} -eq 1 ]; then - Display --indent 2 --text "- Checking account locking" --result "ENABLED" --color GREEN + Display --indent 2 --text "- Checking account locking" --result "${STATUS_ENABLED}" --color GREEN else Display --indent 2 --text "- Checking account locking" --result "NOT ENABLED" --color YELLOW fi 
@@ -1186,7 +1186,7 @@ Display --indent 2 --text "- Checking LDAP authentication support" --result "NOT ENABLED" --color WHITE else LogText "Result: LDAP authentication enabled" - Display --indent 2 --text "- Checking LDAP authentication support" --result "ENABLED" --color GREEN + Display --indent 2 --text "- Checking LDAP authentication support" --result "${STATUS_ENABLED}" --color GREEN LDAP_AUTH_ENABLED=1 fi else @@ -1233,11 +1233,11 @@ if [ "${FIND}" = "yes" ]; then AUTH_FAILED_LOGINS_LOGGED=1 LogText "Result: failed login attempts are logged in /var/log/faillog" - Display --indent 2 --text "- Logging failed login attempts" --result ENABLED --color GREEN + Display --indent 2 --text "- Logging failed login attempts" --result "${STATUS_ENABLED}" --color GREEN AddHP 3 3 else LogText "Result: failed login attempts are not logged" - Display --indent 2 --text "- Logging failed login attempts" --result DISABLED --color YELLOW + Display --indent 2 --text "- Logging failed login attempts" --result "${STATUS_DISABLED}" --color YELLOW #ReportSuggestion ${TEST_NO} "Configure failed login attempts to be logged in /var/log/faillog" AddHP 0 1 fi |
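Review bot: In the hunk at -1233 the enabled branch calls `AddHP 3 3` but the disabled branch calls `AddHP 0 1`. Assuming AddHP takes points scored and points possible, as the paired calls elsewhere in this file suggest (`AddHP 0 2` / `AddHP 2 2`), a system that does not log failed logins is penalised against a smaller maximum than a compliant one is rewarded against; suggest `AddHP 0 3`. The ReportSuggestion in that branch is commented out, so DISABLED leaves no entry in the report; either restore it or add a comment saying why it is suppressed.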