Diffstat (limited to 'include/tests_authentication')
-rw-r--r-- | include/tests_authentication | 448 |
1 files changed, 224 insertions, 224 deletions
diff --git a/include/tests_authentication b/include/tests_authentication
index c31d4c2d..4201c962 100644
--- a/include/tests_authentication
+++ b/include/tests_authentication
@@ -5,7 +5,7 @@
 # Lynis
 # ------------------
 #
-# Copyright 2007-2015, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
+# Copyright 2007-2016, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
 # Web site: https://cisofy.com
 #
 # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
@@ -35,23 +35,23 @@
 Register --test-no AUTH-9204 --weight L --network NO --description "Check users with an UID of zero"
 if [ ${SKIPTEST} -eq 0 ]; then
 # Search accounts with UID 0
- logtext "Test: Searching accounts with UID 0"
+ LogText "Test: Searching accounts with UID 0"
 FIND=`grep ':0:' /etc/passwd | egrep -v '^#|^root:|^(\+:\*)?:0:0:::' | cut -d ":" -f1,3 | grep ':0'`
 if [ ! "${FIND}" = "" ]; then
 Display --indent 2 --text "- Search administrator accounts" --result WARNING --color RED
- logtext "Result: Found more than one administrator accounts"
+ LogText "Result: Found more than one administrator accounts"
 ReportWarning "${TEST_NO}" "H" "Multiple users with UID 0 found in passwd file"
 for I in ${FIND}; do
- logtext "Administrator account: ${I}"
+ LogText "Administrator account: ${I}"
 if [ "${I}" = "toor" ]; then
- logtext "BSD note: default there is a user 'toor' installed. This account is considered useless unless it"
- logtext "is assigned a password and used for daily operations or emergencies. ie: bad shell for root user."
+ LogText "BSD note: default there is a user 'toor' installed. This account is considered useless unless it"
+ LogText "is assigned a password and used for daily operations or emergencies. ie: bad shell for root user."
 ReportSuggestion ${TEST_NO} "Use vipw to delete the 'toor' user if not used."
 fi
 done
 else
 Display --indent 2 --text "- Search administrator accounts" --result OK --color GREEN
- logtext "Result: No accounts found with UID 0 other than root."
+ LogText "Result: No accounts found with UID 0 other than root."
 fi
 fi
 #
@@ -61,7 +61,7 @@
 # Description : Check non-unique accounts
 Register --test-no AUTH-9208 --weight L --network NO --description "Check non-unique accounts in passwd file"
 if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: Checking for non-unique accounts"
+ LogText "Test: Checking for non-unique accounts"
 if [ "${OS}" = "DragonFly" -o "${OS}" = "FreeBSD" -o "${OS}" = "NetBSD" -o "${OS}" = "OpenBSD" ]; then
 PASSWD_FILE="/etc/master.passwd"
 else
@@ -72,18 +72,18 @@
 FIND=`grep -v '^#' ${PASSWD_FILE} | cut -d ':' -f3 | sort | uniq -d`
 if [ "${FIND}" = "" ]; then
 Display --indent 2 --text "- Checking for non-unique UIDs" --result OK --color GREEN
- logtext "Result: all accounts found in ${PASSWD_FILE} are unique"
+ LogText "Result: all accounts found in ${PASSWD_FILE} are unique"
 else
 Display --indent 2 --text "- Checking for non-unique UIDs" --result WARNING --color RED
- logtext "Result: found multiple accounts with same UID"
- logtext "Output (non-unique UIDs): ${FIND}"
+ LogText "Result: found multiple accounts with same UID"
+ LogText "Output (non-unique UIDs): ${FIND}"
 ReportWarning ${TEST_NO} "Multiple accounts found with same UID"
 fi
 else
 Display --indent 2 --text "- Checking UIDs" --result SKIPPED --color WHITE
- logtext "Result: test skipped, ${PASSWD_FILE} file not available"
+ LogText "Result: test skipped, ${PASSWD_FILE} file not available"
 fi
- logtext "Remarks: Non unique UIDs can riskful for the system or part of a configuration mistake"
+ LogText "Remarks: Non unique UIDs can riskful for the system or part of a configuration mistake"
 fi
 #
 #################################################################################
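Review bot: The rewritten Remarks line at the end of the AUTH-9208 hunk is ungrammatical ("can riskful") and reads as a broken sentence in the audit log; since the line is being touched anyway, fix the wording: `LogText "Remarks: Non unique UIDs can be risky for the system or part of a configuration mistake"`. The log text is what an auditor reads when following up a duplicate-UID warning, so it should state the concern plainly.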
@@ -94,16 +94,16 @@
 Register --test-no AUTH-9212 --preqs-met ${PREQS_MET} --weight L --network NO --description "Test group file"
 if [ ${SKIPTEST} -eq 0 ]; then
 Display --indent 2 --text "- Checking chkgrp tool" --result FOUND --color GREEN
- logtext "Result: /usr/sbin/chkgrp binary found. Using this to perform next test(s)."
- logtext "Test: Testing consistency of /etc/group file"
+ LogText "Result: /usr/sbin/chkgrp binary found. Using this to perform next test(s)."
+ LogText "Test: Testing consistency of /etc/group file"
 FIND=`/usr/sbin/chkgrp | grep -v 'is fine'`
 if [ "${FIND}" = "" ]; then
 Display --indent 4 --text "- Checking consistency of /etc/group file" --result OK --color GREEN
- logtext "Result: chkgrp test performed, Group file seems to be ok."
+ LogText "Result: chkgrp test performed, Group file seems to be ok."
 else
 Display --indent 4 --text "- Checking consistency of /etc/group file" --result WARNING --color RED
- logtext "Result: chkgrp found some errors. Run the tool manually to see details."
- logtext "chkgrp output: ${FIND}"
+ LogText "Result: chkgrp found some errors. Run the tool manually to see details."
+ LogText "chkgrp output: ${FIND}"
 ReportWarning ${TEST_NO} "M" "chkgrp reported inconsistencies in /etc/group file"
 fi
 fi
@@ -117,7 +117,7 @@
 if [ ${SKIPTEST} -eq 0 ]; then
 # Test : run grpck to test group files (most likely /etc/group and shadow group files)
 # Expected result : 0 (exit code)
- logtext "Test: Checking for grpck binary"
+ LogText "Test: Checking for grpck binary"
 if [ "${OS}" = "Linux" ]; then
 # Read only mode
@@ -136,7 +136,7 @@
 # Check exit-code
 if [ "${FIND}" = "0" ]; then
 Display --indent 2 --text "- Checking consistency of group files (grpck)" --result OK --color GREEN
- logtext "Result: grpck binary didn't find any errors in the group files"
+ LogText "Result: grpck binary didn't find any errors in the group files"
 else
 Display --indent 2 --text "- Checking consistency of group files (grpck)" --result WARNING --color RED
 ReportWarning ${TEST_NO} "M" "grpck binary found errors in one or more group files"
@@ -152,7 +152,7 @@
 Register --test-no AUTH-9218 --os FreeBSD --weight L --network NO --description "Check harmful login shells"
 if [ ${SKIPTEST} -eq 0 ]; then
 FOUND=0
- logtext "Test: Checking login shells"
+ LogText "Test: Checking login shells"
 if [ -f /etc/master.passwd ]; then
 # Check for all shells, except: (/usr)/sbin/nologin /nonexistent
 FIND=`grep "[a-z]:\*:" /etc/master.passwd | egrep -v '^#|/sbin/nologin|/usr/sbin/nologin|/nonexistent' | sed 's/ /!space!/g'`
@@ -163,16 +163,16 @@
 for I in ${FIND}; do
 I=`echo ${I} | sed 's/!space!/ /g'`
 J=`echo ${I} | awk -F: '{ print $10 }'`
- logtext "Output: ${I}"
+ LogText "Output: ${I}"
 if [ "${J}" = "" ]; then
- logtext "Result: found no shell on line"
+ LogText "Result: found no shell on line"
 else
- logtext "Result: found possible harmful shell ${J}"
+ LogText "Result: found possible harmful shell ${J}"
 if [ -f ${J} ]; then
- logtext "Result: shell ${J} does exist"
+ LogText "Result: shell ${J} does exist"
 FOUND=1
 else
- logtext "Result: shell ${J} does not exist"
+ LogText "Result: shell ${J} does not exist"
 ReportSuggestion ${TEST_NO} "Determine if account is needed, as shell ${J} does not exist"
 fi
 fi
@@ -183,7 +183,7 @@
 fi
 else
 Display --indent 2 --text "- Checking login shells" --result SKIPPED --color WHITE
- logtext "Result: No /etc/master.passwd file found"
+ LogText "Result: No /etc/master.passwd file found"
 fi
 fi
 #
@@ -193,15 +193,15 @@
 # Description : Check for non unique groups
 Register --test-no AUTH-9222 --weight L --network NO --description "Check for non unique groups"
 if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: Checking for non unique group ID's in /etc/group"
+ LogText "Test: Checking for non unique group ID's in /etc/group"
 FIND=`grep -v '^#' /etc/group | grep -v '^$' | awk -F: '{ print $3 }' | sort | uniq -d`
 if [ "${FIND}" = "" ]; then
 Display --indent 2 --text "- Checking non unique group ID's" --result OK --color GREEN
- logtext "Result: All group ID's are unique"
+ LogText "Result: All group ID's are unique"
 else
 Display --indent 2 --text "- Checking non unique group ID's" --result WARNING --color RED
- logtext "Result: Found the same group ID multiple times"
- logtext "Output: ${FIND}"
+ LogText "Result: Found the same group ID multiple times"
+ LogText "Output: ${FIND}"
 ReportWarning ${TEST_NO} "H" "Found multiple groups with same group ID"
 #ReportSuggestion ${TEST_NO} "Check your /etc/group file and correct inconsistencies"
 fi
@@ -214,15 +214,15 @@
 if [ -f /etc/group ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
 Register --test-no AUTH-9226 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check non unique group names"
 if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: Checking for non unique group names in /etc/group"
+ LogText "Test: Checking for non unique group names in /etc/group"
 FIND=`grep -v '^#' /etc/group | grep -v '^$' | awk -F: '{ print $1 }' | sort | uniq -d`
 if [ "${FIND}" = "" ]; then
 Display --indent 2 --text "- Checking non unique group names" --result OK --color GREEN
- logtext "Result: All group names are unique"
+ LogText "Result: All group names are unique"
 else
 Display --indent 2 --text "- Checking non unique group names" --result WARNING --color WARNING
- logtext "Result: Found the same group name multiple times"
- logtext "Output: ${FIND}"
+ LogText "Result: Found the same group name multiple times"
+ LogText "Output: ${FIND}"
 ReportWarning ${TEST_NO} "M" "Found inconsistencies in group file (multiple occurences of a single group)"
 ReportSuggestion ${TEST_NO} "Check your /etc/group file and correct inconsistencies"
 fi
@@ -236,7 +236,7 @@
 if [ -x /usr/sbin/pwck ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
 Register --test-no AUTH-9228 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check password file consistency with pwck"
 if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: Checking password file consistency (pwck)"
+ LogText "Test: Checking password file consistency (pwck)"
 TESTED=0
 case ${OS} in
 "Linux")
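Review bot: In the AUTH-9226 hunk the warning branch calls `Display --indent 2 --text "- Checking non unique group names" --result WARNING --color WARNING`; every other Display call in this file passes RED, GREEN, YELLOW or WHITE, so `WARNING` is presumably not a colour Display understands and the finding may render without the red highlight that the equivalent AUTH-9222 hunk above gets. Change the line to `Display --indent 2 --text "- Checking non unique group names" --result WARNING --color RED`. This is a context line the commit did not touch, so it is a pre-existing defect rather than a regression, but it sits inside the block being rewritten.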
@@ -248,17 +248,17 @@
 TESTED=1
 ;;
 *)
- logtext "Dev: found /usr/sbin/pwck, but unsure how to call it on this operating system"
+ LogText "Dev: found /usr/sbin/pwck, but unsure how to call it on this operating system"
 ;;
 esac
 # Only display if this test has been executed
 if [ ${TESTED} -eq 1 -a "${FIND}" = "0" ]; then
 Display --indent 2 --text "- Checking password file consistency" --result OK --color GREEN
- logtext "Result: pwck check didn't find any problems"
+ LogText "Result: pwck check didn't find any problems"
 AddHP 2 2
 else
 Display --indent 2 --text "- Checking password file consistency" --result WARNING --color RED
- logtext "Result: pwck found one or more errors/warnings in the password file."
+ LogText "Result: pwck found one or more errors/warnings in the password file."
 ReportWarning ${TEST_NO} "M" "pwck found one or more errors/warnings in the password file"
 ReportSuggestion ${TEST_NO} "Run pwck manually and correct found issues."
 AddHP 0 2
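Review bot: The `else` branch in this hunk raises a pwck WARNING and calls ReportWarning whenever `[ ${TESTED} -eq 1 -a "${FIND}" = "0" ]` is false, which includes the `*)` arm where TESTED stays 0 and pwck was never run; the comment `# Only display if this test has been executed` promises the opposite, and in that path `${FIND}` holds whatever an earlier test left in it. Replace `else` with `elif [ ${TESTED} -eq 1 ]; then` so an unsupported OS only gets the Dev log line instead of a spurious finding and `AddHP 0 2`. The `case ${OS} in` that sets TESTED opens before this hunk.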
@@ -275,27 +275,27 @@
 # Arch Linux / CentOS / Ubuntu: 1000+
 Register --test-no AUTH-9234 --weight L --network NO --description "Query user accounts"
 if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: Read system users (including root user) from /etc/passwd"
+ LogText "Test: Read system users (including root user) from /etc/passwd"
 FIND=""
 case ${OS} in
 "FreeBSD")
- logtext "FreeBSD real users output (ID = 0, or 1000+, but not 65534):"
+ LogText "FreeBSD real users output (ID = 0, or 1000+, but not 65534):"
 FIND=`awk -F: '($3 >= 1000) && ($3 != 65534) || ($3 == 0) { print $1","$3 }' /etc/passwd`
 ;;
 "Linux")
- logtext "Linux real users output (ID = 0, or 500+, but not 65534):"
+ LogText "Linux real users output (ID = 0, or 500+, but not 65534):"
 FIND=`awk -F: '($3 >= 1000) && ($3 != 65534) || ($3 == 0) { print $1","$3 }' /etc/passwd`
 ;;
 "OpenBSD")
- logtext "OpenBSD real users output (ID = 0, or 1000-60000, but not 32767):"
+ LogText "OpenBSD real users output (ID = 0, or 1000-60000, but not 32767):"
 FIND=`awk -F: '($3 >= 1000) && ($3 <= 60000) && ($3 != 32767) || ($3 == 0) { print $1","$3 }' /etc/passwd`
 ;;
 "Solaris")
- logtext "Solaris real users output (ID =0, or 100+, but not 60001/65534):"
+ LogText "Solaris real users output (ID =0, or 100+, but not 60001/65534):"
 FIND=`awk -F: '($3 >= 100 && $3 != 60001 && $3 != 65534) || ($3 == 0) { print $1","$3 }' /etc/passwd`
 ;;
 *)
@@ -307,13 +307,13 @@
 # Check if we got any output
 if [ "${FIND}" = "" ]; then
 Display --indent 4 --text "Result: No users found/unknown result"
- logtext "Result: Querying of system users skipped"
+ LogText "Result: Querying of system users skipped"
 Display --indent 2 --text "- Query system users (non daemons)" --result UNKNOWN --color YELLOW
 else
 Display --indent 2 --text "- Query system users (non daemons)" --result DONE --color GREEN
 for I in ${FIND}; do
- logtext "Real user: ${I}"
- report "real_user[]=${I}"
+ LogText "Real user: ${I}"
+ Report "real_user[]=${I}"
 done
 fi
 fi
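Review bot: In the AUTH-9234 hunk the new `LogText "Linux real users output (ID = 0, or 500+, but not 65534):"` disagrees with the awk filter on the next line, which selects `$3 >= 1000`, and with the `# Arch Linux / CentOS / Ubuntu: 1000+` comment at the top of the hunk. Anyone using the log to understand why an account with UID 500-999 was not listed will be misled, so change it to `LogText "Linux real users output (ID = 0, or 1000+, but not 65534):"`. The `case ${OS} in` is cut off at the `*)` arm and closes after the hunk.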
@@ -327,21 +327,21 @@
 if [ -f /etc/nsswitch.conf ]; then
 FIND=`egrep "^passwd" /etc/nsswitch.conf | egrep "compat|nisplus"`
 if [ "${FIND}" = "" ]; then
- logtext "Result: NIS+ authentication not enabled"
+ LogText "Result: NIS+ authentication not enabled"
 Display --indent 2 --text "- Checking NIS+ authentication support" --result "NOT ENABLED" --color WHITE
 else
 FIND2=`egrep "^passwd_compat" /etc/nsswitch.conf | grep "nisplus"`
 FIND3=`egrep "^passwd" /etc/nsswitch.conf | grep "nisplus"`
 if [ ! "${FIND2}" = "" -o ! "${FIND3}" = "" ]; then
- logtext "Result: NIS+ authentication enabled"
+ LogText "Result: NIS+ authentication enabled"
 Display --indent 2 --text "- Checking NIS+ authentication support" --result "ENABLED" --color GREEN
 else
- logtext "Result: NIS+ authentication not enabled"
+ LogText "Result: NIS+ authentication not enabled"
 Display --indent 2 --text "- Checking NIS+ authentication support" --result "NOT ENABLED" --color WHITE
 fi
 fi
 else
- logtext "Result: /etc/nsswitch.conf not found"
+ LogText "Result: /etc/nsswitch.conf not found"
 fi
 fi
 #
@@ -354,21 +354,21 @@
 if [ -f /etc/nsswitch.conf ]; then
 FIND=`egrep "^passwd" /etc/nsswitch.conf | egrep "compat|nis" | grep -v "nisplus"`
 if [ "${FIND}" = "" ]; then
- logtext "Result: NIS authentication not enabled"
+ LogText "Result: NIS authentication not enabled"
 Display --indent 2 --text "- Checking NIS authentication support" --result "NOT ENABLED" --color WHITE
 else
 FIND2=`egrep "^passwd_compat" /etc/nsswitch.conf | grep "nis" | grep -v "nisplus"`
 FIND3=`egrep "^passwd" /etc/nsswitch.conf | grep "nis" | grep -v "nisplus"`
 if [ ! "${FIND2}" = "" -o ! "${FIND3}" = "" ]; then
- logtext "Result: NIS authentication enabled"
+ LogText "Result: NIS authentication enabled"
 Display --indent 2 --text "- Checking NIS authentication support" --result "ENABLED" --color GREEN
 else
- logtext "Result: NIS authentication not enabled"
+ LogText "Result: NIS authentication not enabled"
 Display --indent 2 --text "- Checking NIS authentication support" --result "NOT ENABLED" --color WHITE
 fi
 fi
 else
- logtext "Result: /etc/nsswitch.conf not found"
+ LogText "Result: /etc/nsswitch.conf not found"
 fi
 fi
 #
@@ -380,20 +380,20 @@
 if [ ${SKIPTEST} -eq 0 ]; then
 FOUND=0
 for I in ${SUDOERS_LOCATIONS}; do
- logtext "Test: checking presence ${I}"
+ LogText "Test: checking presence ${I}"
 if [ -f ${I} ]; then
 FOUND=1
 SUDOERS_FILE="${I}"
- logtext "Result: found file (${SUDOERS_FILE})"
+ LogText "Result: found file (${SUDOERS_FILE})"
 else
- logtext "Result: file ${I} not found"
+ LogText "Result: file ${I} not found"
 fi
 done
 if [ ${FOUND} -eq 1 ]; then
- logtext "Result: sudoers file found (${SUDOERS_FILE})"
+ LogText "Result: sudoers file found (${SUDOERS_FILE})"
 Display --indent 2 --text "- Checking sudoers file" --result FOUND --color GREEN
 else
- logtext "Result: sudoers file NOT found"
+ LogText "Result: sudoers file NOT found"
 Display --indent 2 --text "- Checking sudoers file" --result "NOT FOUND" --color YELLOW
 fi
 fi
@@ -405,14 +405,14 @@
 if [ ! "${SUDOERS_FILE}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
 Register --test-no AUTH-9252 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check sudoers file"
 if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: checking sudoers file (${SUDOERS_FILE}) permissions"
+ LogText "Test: checking sudoers file (${SUDOERS_FILE}) permissions"
 FIND=`ls -l ${SUDOERS_FILE} | cut -c 2-10`
- logtext "Result: Found file permissions: ${FIND}"
+ LogText "Result: Found file permissions: ${FIND}"
 if [ "${FIND}" = "rw-------" -o "${FIND}" = "rw-rw----" -o "${FIND}" = "r--r-----" ]; then
- logtext "Result: file ${SUDOERS_FILE} has correct permissions"
+ LogText "Result: file ${SUDOERS_FILE} has correct permissions"
 Display --indent 4 --text "- Check sudoers file permissions" --result OK --color GREEN
 else
- logtext "Result: file has possibly unsafe file permissions"
+ LogText "Result: file has possibly unsafe file permissions"
 Display --indent 4 --text "- Check sudoers file permissions" --result WARNING --color RED
 fi
 fi
@@ -425,7 +425,7 @@
 if [ ${SKIPTEST} -eq 0 ]; then
 FIND=`logins -p | awk '{ print $1 }'`
 if [ "${FIND}" = "" ]; then
- logtext "Result: no passwordless accounts found"
+ LogText "Result: no passwordless accounts found"
 Display --indent 2 --text "- Checking passwordless accounts on Solaris" --result OK --color GREEN
 else
 for I in ${FIND}; do
@@ -446,48 +446,48 @@
 FOUND_PASSWDQC=0
 # Cracklib
- logtext "Searching cracklib PAM module"
+ LogText "Searching cracklib PAM module"
 for I in ${PAM_FILE_LOCATIONS}; do
 if [ -f ${I}/pam_cracklib.so ]; then
 FOUND_CRACKLIB=1
- logtext "Result: found pam_cracklib.so (crack library PAM) in ${I}"
+ LogText "Result: found pam_cracklib.so (crack library PAM) in ${I}"
 fi
 done
 if [ ${FOUND_CRACKLIB} -eq 1 ]; then
- logtext "Result: pam_cracklib.so found"
- report "pam_cracklib=1"
+ LogText "Result: pam_cracklib.so found"
+ Report "pam_cracklib=1"
 AddHP 3 3
 FOUND=1
 else
- logtext "Result: pam_cracklib.so NOT found (crack library PAM)"
+ LogText "Result: pam_cracklib.so NOT found (crack library PAM)"
 AddHP 1 3
 fi
 # Passwd quality control
- logtext "Searching passwdqc PAM module"
+ LogText "Searching passwdqc PAM module"
 for I in ${PAM_FILE_LOCATIONS}; do
 if [ -f ${I}/pam_passwdqc.so ]; then
 FOUND_PASSWDQC=1
- logtext "Result: found pam_passwdqc.so (passwd quality control PAM) in ${I}"
+ LogText "Result: found pam_passwdqc.so (passwd quality control PAM) in ${I}"
 fi
 done
 if [ ${FOUND_PASSWDQC} -eq 1 ]; then
- logtext "Result: pam_passwdqc.so found"
- report "pam_passwdqc=1"
+ LogText "Result: pam_passwdqc.so found"
+ Report "pam_passwdqc=1"
 AddHP 3 3
 FOUND=1
 else
- logtext "Result: pam_passwdqc.so NOT found (passwd quality control PAM)"
+ LogText "Result: pam_passwdqc.so NOT found (passwd quality control PAM)"
 AddHP 1 3
 fi
 if [ ${FOUND} -eq 0 ]; then
 Display --indent 2 --text "- Checking PAM password strength tools" --result "SUGGESTION" --color YELLOW
- logtext "Result: no PAM modules for password strength testing found"
+ LogText "Result: no PAM modules for password strength testing found"
 ReportSuggestion ${TEST_NO} "Install a PAM module for password strength testing like pam_cracklib or pam_passwdqc"
 else
 Display --indent 2 --text "- Checking PAM password strength tools" --result OK --color GREEN
- logtext "Result: found at least one PAM module for password strength testing"
+ LogText "Result: found at least one PAM module for password strength testing"
 fi
 fi
 #
@@ -497,23 +497,23 @@
 # Description : Scan /etc/pam.conf file
 Register --test-no AUTH-9264 --weight L --network NO --description "Checking presence pam.conf"
 if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: Checking file /etc/pam.conf"
+ LogText "Test: Checking file /etc/pam.conf"
 if [ -f /etc/pam.conf ]; then
- logtext "Result: file /etc/pam.conf exists"
+ LogText "Result: file /etc/pam.conf exists"
 Display --indent 2 --text "- Checking PAM configuration files (pam.conf)" --result FOUND --color GREEN
- logtext "Test: searching PAM configuration files"
+ LogText "Test: searching PAM configuration files"
 FIND=`grep -v "^#" /etc/pam.conf | grep -v "^$" | sed 's/[[:space:]]/ /g' | sed 's/ / /g' | sed 's/ /:space:/g'`
 if [ "${FIND}" = "" ]; then
- logtext "Result: File has no configuration options defined (empty, or only filled with comments and empty lines)"
+ LogText "Result: File has no configuration options defined (empty, or only filled with comments and empty lines)"
 else
- logtext "Result: found one or more configuration lines"
+ LogText "Result: found one or more configuration lines"
 for I in ${FIND}; do
 I=`echo ${I} | sed 's/:space:/ /g'`
- logtext "Found line: ${I}"
+ LogText "Found line: ${I}"
 done
 fi
 else
- logtext "Result: file /etc/pam.conf could not be found"
+ LogText "Result: file /etc/pam.conf could not be found"
 Display --indent 2 --text "- Checking PAM configuration file (pam.conf)" --result "NOT FOUND" --color WHITE
 fi
 fi
@@ -524,17 +524,17 @@
 # Description : Searching available PAM configurations (/etc/pam.d)
 Register --test-no AUTH-9266 --weight L --network NO --description "Checking presence pam.d files"
 if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: Checking directory /etc/pam.d"
+ LogText "Test: Checking directory /etc/pam.d"
 if [ -d /etc/pam.d ]; then
- logtext "Result: directory /etc/pam.d exists"
+ LogText "Result: directory /etc/pam.d exists"
 Display --indent 2 --text "- Checking PAM configuration files (pam.d)" --result FOUND --color GREEN
- logtext "Test: searching PAM configuration files"
+ LogText "Test: searching PAM configuration files"
 FIND=`find /etc/pam.d -type f -print | sort`
 for I in ${FIND}; do
- logtext "Found file: ${I}"
+ LogText "Found file: ${I}"
 done
 else
- logtext "Result: directory /etc/pam.d could not be found"
+ LogText "Result: directory /etc/pam.d could not be found"
 Display --indent 2 --text "- Checking PAM configuration files (pam.d)" --result "NOT FOUND" --color WHITE
 fi
 fi
@@ -548,25 +548,25 @@
 Register --test-no AUTH-9268 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking presence pam.d files"
 if [ ${SKIPTEST} -eq 0 ]; then
 FOUND=0
- logtext "Test: Searching pam modules"
+ LogText "Test: Searching pam modules"
 for I in ${PAM_FILE_LOCATIONS}; do
- logtext "Test: Checking ${I}"
+ LogText "Test: Checking ${I}"
 if [ -d ${I} -a ! -L ${I} ]; then
- logtext "Result: directory ${I} exists"
+ LogText "Result: directory ${I} exists"
 FIND=`find ${I} -type f -name "*.so" -print | sort`
 if [ ! "${FIND}" = "" ]; then FOUND=1; fi
 for I in ${FIND}; do
- logtext "Found file: ${I}"
- report "pam_module[]=${I}"
+ LogText "Found file: ${I}"
+ Report "pam_module[]=${I}"
 done
 else
- logtext "Result: directory ${I} could not be found or is a symlink to another directory"
+ LogText "Result: directory ${I} could not be found or is a symlink to another directory"
 fi
 done
 # Check if we found at least one module
 if [ ${FOUND} -eq 0 ]; then
 Display --indent 2 --text "- Checking PAM modules" --result "NOT FOUND" --color WHITE
- logtext "Result: no PAM modules found"
+ LogText "Result: no PAM modules found"
 else
 Display --indent 2 --text "- Checking PAM modules" --result FOUND --color GREEN
 fi
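Review bot: The inner `for I in ${FIND}; do` in the AUTH-9268 hunk reuses the loop variable of the enclosing `for I in ${PAM_FILE_LOCATIONS}; do`; the outer word list is expanded once so iteration still completes, but after the inner loop `${I}` names the last .so file rather than the directory, which makes the block hard to follow and fragile if a later line in the outer body ever refers to the directory. Since the commit rewrites the two lines inside the inner loop anyway, give it its own name: `for J in ${FIND}; do`, `LogText "Found file: ${J}"`, `Report "pam_module[]=${J}"`. This is a point of style, not a behaviour change in the hunk as shown.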
@@ -578,23 +578,23 @@
 # Description : Search LDAP support in PAM files
 Register --test-no AUTH-9278 --weight L --network NO --description "Checking LDAP pam status"
 if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: checking presence /etc/pam.d/common-auth"
+ LogText "Test: checking presence /etc/pam.d/common-auth"
 if [ -f /etc/pam.d/common-auth ]; then
- logtext "Result: file /etc/pam.d/common-auth exists"
- logtext "Test: checking presence LDAP module"
+ LogText "Result: file /etc/pam.d/common-auth exists"
+ LogText "Test: checking presence LDAP module"
 FIND=`grep "^auth.*ldap" /etc/pam.d/common-auth`
 if [ ! "${FIND}" = "" ]; then
- logtext "Result: LDAP module present"
- logtext "Output: ${FIND}"
+ LogText "Result: LDAP module present"
+ LogText "Output: ${FIND}"
 Display --indent 2 --text "- Checking LDAP module in PAM" --result FOUND --color GREEN
 LDAP_AUTH_ENABLED=1
 LDAP_PAM_ENABLED=1
 else
- logtext "Result: LDAP module not found"
+ LogText "Result: LDAP module not found"
 Display --indent 2 --text "- Checking LDAP module in PAM" --result "NOT FOUND" --color WHITE
 fi
 else
- logtext "Result: file /etc/pam.d/common-auth not found, skipping test"
+ LogText "Result: file /etc/pam.d/common-auth not found, skipping test"
 fi
 fi
 #
@@ -618,7 +618,7 @@
 ;;
 esac
 else
- logtext "Result: skipping test for this Linux version"
+ LogText "Result: skipping test for this Linux version"
 ReportManual "AUTH-9282:01"
 PREQS_MET="NO"
 FIND=""
@@ -632,14 +632,14 @@
 # Description : Search password protected accounts without expire (Linux)
 Register --test-no AUTH-9282 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking password protected account without expire date"
 if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: Checking Linux version and password expire date status"
+ LogText "Test: Checking Linux version and password expire date status"
 if [ "${FIND}" = "" ]; then
- logtext "Result: all accounts seem to have an expire date"
+ LogText "Result: all accounts seem to have an expire date"
 Display --indent 2 --text "- Checking accounts without expire date" --result OK --color GREEN
 else
- logtext "Result: found one or more accounts with expire date set"
+ LogText "Result: found one or more accounts with expire date set"
 for I in ${FIND}; do
- logtext "Account without expire date: ${I}"
+ LogText "Account without expire date: ${I}"
 done
 Display --indent 2 --text "- Checking accounts without expire date" --result SUGGESTION --color YELLOW
 ReportSuggestion ${TEST_NO} "When possible set expire dates for all password protected accounts"
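Review bot: The rewritten `LogText "Result: found one or more accounts with expire date set"` in the AUTH-9282 hunk states the opposite of what the branch found: it runs when `${FIND}` is non-empty, and each entry is then logged as `Account without expire date: ${I}` and followed by a SUGGESTION to set expire dates. Change it to `LogText "Result: found one or more accounts without expire date set"` so the log agrees with the Display text and the suggestion. The code that fills FIND is in the earlier hunk and the enclosing `if [ ${SKIPTEST} -eq 0 ]` is not closed within this one.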
@@ -649,15 +649,15 @@
 # Description : Search passwordless accounts
 Register --test-no AUTH-9283 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking accounts without password"
 if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: Checking passwordless accounts"
+ LogText "Test: Checking passwordless accounts"
 if [ "${FIND2}" = "" ]; then
- logtext "Result: all accounts seem to have a password"
+ LogText "Result: all accounts seem to have a password"
 Display --indent 2 --text "- Checking accounts without password" --result OK --color GREEN
 else
- logtext "Result: found one or more accounts without password"
+ LogText "Result: found one or more accounts without password"
 for I in ${FIND2}; do
- logtext "Account without password: ${I}"
- report "account_without_password=${I}"
+ LogText "Account without password: ${I}"
+ Report "account_without_password=${I}"
 done
 Display --indent 2 --text "- Checking accounts without password" --result WARNING --color RED
 ReportWarning ${TEST_NO} "Found accounts without password"
@@ -673,29 +673,29 @@
 if [ -f /etc/login.defs ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
 Register --test-no AUTH-9286 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking user password aging"
 if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: Checking PASS_MIN_DAYS option in /etc/login.defs "
+ LogText "Test: Checking PASS_MIN_DAYS option in /etc/login.defs "
 FIND=`grep "^PASS_MIN_DAYS" /etc/login.defs | awk '{ if ($1=="PASS_MIN_DAYS") { print $2 } }'`
 if [ "${FIND}" = "" -o "${FIND}" = "0" ]; then
- logtext "Result: password minimum age is not configured"
+ LogText "Result: password minimum age is not configured"
 Display --indent 2 --text "- Checking user password aging (minimum)" --result DISABLED --color YELLOW
 ReportSuggestion ${TEST_NO} "Configure minimum password age in /etc/login.defs"
 AddHP 0 1
 else
- logtext "Result: password needs to be at least ${FIND} days old"
+ LogText "Result: password needs to be at least ${FIND} days old"
 PASSWORD_MINIMUM_DAYS=${FIND}
 Display --indent 2 --text "- Checking user password aging (minimum)" --result CONFIGURED --color GREEN
 AddHP 3 3
 fi
- logtext "Test: Checking PASS_MAX_DAYS option in /etc/login.defs "
+ LogText "Test: Checking PASS_MAX_DAYS option in /etc/login.defs "
 FIND=`grep "^PASS_MAX_DAYS" /etc/login.defs | awk '{ if ($1=="PASS_MAX_DAYS") { print $2 } }'`
 if [ "${FIND}" = "" -o "${FIND}" = "99999" ]; then
- logtext "Result: password aging limits are not configured"
+ LogText "Result: password aging limits are not configured"
 Display --indent 2 --text "- Checking user password aging (maximum)" --result DISABLED --color YELLOW
 ReportSuggestion ${TEST_NO} "Configure maximum password age in /etc/login.defs"
 AddHP 0 1
 else
- logtext "Result: max password age is ${FIND} days"
+ LogText "Result: max password age is ${FIND} days"
 PASSWORD_MAXIMUM_DAYS=${FIND}
 Display --indent 2 --text "- Checking user password aging (maximum)" --result CONFIGURED --color GREEN
 AddHP 3 3
@@ -711,21 +711,21 @@
 if [ ${SKIPTEST} -eq 0 ]; then
 # Check if file exists (Solaris 10 does not have this file by default)
 if [ -f /etc/default/sulogin ]; then
- logtext "Result: file /etc/default/sulogin exists"
- logtext "Test: checking presence PASSREQ=NO"
+ LogText "Result: file /etc/default/sulogin exists"
+ LogText "Test: checking presence PASSREQ=NO"
 FIND=`grep "^PASSREQ=NO" /etc/default/sulogin`
 if [ "${FIND}" = "" ]; then
- logtext "Result: option not present or configured to request a password at single user mode login"
+ LogText "Result: option not present or configured to request a password at single user mode login"
 Display --indent 2 --text "- Checking Solaris /etc/default/sulogin file" --result OK --color GREEN
 AddHP 1 1
 else
- logtext "Result: option present, no password needed at single user mode login"
+ LogText "Result: option present, no password needed at single user mode login"
 Display --indent 2 --text "- Checking Solaris /etc/default/sulogin file" --result WARNING --color RED
 ReportWarning ${TEST_NO} "H" "No password needed for single user mode login"
 AddHP 0 1
 fi
 else
- logtext "Result: file /etc/default/sulogin does not exist"
+ LogText "Result: file /etc/default/sulogin does not exist"
 fi
 fi
 #
@@ -739,23 +739,23 @@
 Register --test-no AUTH-9306 --os HP-UX --weight L --network NO --description "Check single boot authentication"
 if [ ${SKIPTEST} -eq 0 ]; then
 # Check if file exists
- logtext "Test: Searching /tcb/files/auth/system/default"
+ LogText "Test: Searching /tcb/files/auth/system/default"
 if [ -f /tcb/files/auth/system/default ]; then
- logtext "Result: file /tcb/files/auth/system/default exists"
- logtext "Test: checking presence :d_boot_authenticate@:"
+ LogText "Result: file /tcb/files/auth/system/default exists"
+ LogText "Test: checking presence :d_boot_authenticate@:"
 FIND=`grep "^:d_boot_authenticate@" /tcb/files/auth/system/default`
 if [ "${FIND}" = "" ]; then
- logtext "Result: option not set, password is needed at boot"
+ LogText "Result: option not set, password is needed at boot"
 Display --indent 2 --text "- Checking HP-UX boot authentication" --result OK --color GREEN
 AddHP 1 1
 else
- logtext "Result: option present, no password needed at single user mode login"
+ LogText "Result: option present, no password needed at single user mode login"
 Display --indent 2 --text "- Checking HP-UX boot authentication" --result SUGGESTION --color YELLOW
 ReportSuggestion ${TEST_NO} "Set password for system boot"
 AddHP 0 1
 fi
 else
- logtext "Result: file /tcb/files/auth/system/default does not exist"
+ LogText "Result: file /tcb/files/auth/system/default does not exist"
 fi
 fi
 #
@@ -767,47 +767,47 @@ if [ ${SKIPTEST} -eq 0 ]; then FOUND=0 # Check if file exists - logtext "Test: Searching /etc/inittab" + LogText "Test: Searching /etc/inittab" if [ -f /etc/inittab ]; then - logtext "Result: file /etc/inittab exists" - logtext "Test: checking presence sulogin for single user mode" + LogText "Result: file /etc/inittab exists" + LogText "Test: checking presence sulogin for single user mode" FIND=`egrep "^~~:S:(respawn|wait):/sbin/sulogin" /etc/inittab` FIND2=`egrep "^su:S:(respawn|wait):/sbin/sulogin" /etc/inittab` if [ ! "${FIND}" = "" -o ! "${FIND2}" = "" ]; then FOUND=1 - logtext "Result: found sulogin, so single user is protected" + LogText "Result: found sulogin, so single user is protected" fi else - logtext "Result: file /etc/inittab does not exist" + LogText "Result: file /etc/inittab does not exist" fi # Check if file exists - logtext "Test: Searching /etc/sysconfig/init" + LogText "Test: Searching /etc/sysconfig/init" if [ -f /etc/sysconfig/init ]; then - logtext "Result: file /etc/sysconfig/init exists" - logtext "Test: checking presence sulogin for single user mode" + LogText "Result: file /etc/sysconfig/init exists" + LogText "Test: checking presence sulogin for single user mode" FIND=`grep "^SINGLE=/sbin/sulogin" /etc/sysconfig/init` if [ ! 
"${FIND}" = "" ]; then FOUND=1 - logtext "Result: found sulogin, so single user is protected" + LogText "Result: found sulogin, so single user is protected" fi else - logtext "Result: file /etc/inittab does not exist" + LogText "Result: file /etc/inittab does not exist" fi if [ -f /etc/inittab -o -f /etc/sysconfig/init ]; then if [ ${FOUND} -eq 0 ]; then - logtext "Result: option not set, no password needed at single user mode boot" + LogText "Result: option not set, no password needed at single user mode boot" Display --indent 2 --text "- Checking Linux single user mode authentication" --result WARNING --color RED ReportWarning ${TEST_NO} "L" "No password set for single mode" ReportSuggestion ${TEST_NO} "Set password for single user mode to minimize physical access attack surface" AddHP 0 2 else - logtext "Result: option set, password is needed at single user mode boot" + LogText "Result: option set, password is needed at single user mode boot" Display --indent 2 --text "- Checking Linux single user mode authentication" --result OK --color GREEN AddHP 2 2 fi else - logtext "Result: No inittab or init file found, unsure if system is protected" + LogText "Result: No inittab or init file found, unsure if system is protected" fi fi # 
@@ -823,39 +823,39 @@ Display --indent 2 --text "- Determining default umask" # /etc/profile - logtext "Test: Checking /etc/profile" + LogText "Test: Checking /etc/profile" if [ -f /etc/profile ]; then - logtext "Result: file /etc/profile exists" - logtext "Test: Checking umask value in /etc/profile" + LogText "Result: file /etc/profile exists" + LogText "Test: Checking umask value in /etc/profile" FIND=`grep "umask" /etc/profile | sed 's/^[ \t]*//' | grep -v "^#" | awk '{ print $2 }'` FIND2=`grep "umask" /etc/profile | sed 's/^[ \t]*//' | grep -v "^#" | awk '{ print $2 }' | wc -l` WEAK_UMASK=0 FOUND_UMASK=0 if [ "${FIND2}" = "0" ]; then - logtext "Result: did not find umask in /etc/profile" + LogText "Result: did not find umask in /etc/profile" #YYY possibly weak umask elif [ "${FIND2}" = "1" ]; then - logtext "Result: found umask (prefixed with spaces)" + LogText "Result: found umask (prefixed with spaces)" FOUND_UMASK=1 if [ ! "${FIND}" = "077" -a ! "${FIND}" = "027" ]; then - logtext "Result: found umask ${FIND}, which could be more strict" + LogText "Result: found umask ${FIND}, which could be more strict" WEAK_UMASK=1 AddHP 1 2 else - logtext "Result: found umask ${FIND}, which is fine" + LogText "Result: found umask ${FIND}, which is fine" AddHP 2 2 fi # Found more than 1 umask value in profile else - logtext "Result: found multiple umask values configured in /etc/profile" + LogText "Result: found multiple umask values configured in /etc/profile" FOUND_UMASK=1 for I in ${FIND}; do if [ ! "${I}" = "077" -a ! "${I}" = "027" ]; then - logtext "Result: umask ${I} could be more strict" + LogText "Result: umask ${I} could be more strict" WEAK_UMASK=1 AddHP 1 2 else - logtext "Result: Found umask ${I}, which is fine" + LogText "Result: Found umask ${I}, which is fine" AddHP 2 2 fi done 
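Review bot: The /etc/profile check accepts only the three-digit values in `if [ ! "${FIND}" = "077" -a ! "${FIND}" = "027" ]` (and the identical test inside the multi-value loop), whereas the /etc/login.conf branch later in this file accepts `027|0027|077|0077`, so a perfectly strict `umask 0027` in /etc/profile sets `WEAK_UMASK=1` and is scored `AddHP 1 2`. The same three-digit-only comparison is repeated in the login.defs, /etc/init.d/functions, /etc/init.d/rc and /etc/init.d/rcS branches of the next hunk; replacing each `-a`/`-o` test with `case "${FIND}" in 027|0027|077|0077) … ;; *) … ;; esac` fixes both the inconsistency and the deprecated `-a` usage in one go. The pipeline `grep "umask" /etc/profile | sed 's/^[ \t]*//' | grep -v "^#" | awk '{ print $2 }'` matches any non-comment line that mentions umask anywhere, so the second field of an unrelated line is then compared as if it were a umask value; anchoring on `grep "^umask[[:space:]]"` after the whitespace strip limits it to actual umask commands. The umask test continues past the end of this hunk.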
@@ -871,112 +871,112 @@ AddHP 0 2 fi else - logtext "Result: found no umask. Please check if this is correct" + LogText "Result: found no umask. Please check if this is correct" Display --indent 4 --text "- Checking umask (/etc/profile)" --result "NOT FOUND" --color YELLOW ReportException "${TEST_NO}:01" ReportManual "AUTH-9328:01" AddHP 0 2 fi else - logtext "Result: file /etc/profile does not exist" + LogText "Result: file /etc/profile does not exist" fi # /etc/passwd - logtext "Test: Checking umask entries in /etc/passwd (pam_umask)" + LogText "Test: Checking umask entries in /etc/passwd (pam_umask)" if [ -f /etc/passwd ]; then - logtext "Result: file /etc/passwd exists" - logtext "Test: Checking umask value in /etc/passwd" + LogText "Result: file /etc/passwd exists" + LogText "Test: Checking umask value in /etc/passwd" FIND=`grep "umask=" /etc/passwd` if [ "${FIND}" = "" ]; then ReportManual "AUTH-9328:03" fi else - logtext "Result: file /etc/passwd does not exist" + LogText "Result: file /etc/passwd does not exist" fi # /etc/login.defs - logtext "Test: Checking /etc/login.defs" + LogText "Test: Checking /etc/login.defs" if [ -f /etc/login.defs ]; then - logtext "Result: file /etc/login.defs exists" - logtext "Test: Checking umask value in /etc/login.defs" + LogText "Result: file /etc/login.defs exists" + LogText "Test: Checking umask value in /etc/login.defs" FIND=`grep "^UMASK" /etc/login.defs | awk '{ print $2 }'` if [ "${FIND}" = "" ]; then - logtext "Result: umask value is not configured (most likely it will have the default 022 value)" + LogText "Result: umask value is not configured (most likely it will have the default 022 value)" Display --indent 4 --text "- Checking umask (/etc/login.defs)" --result SUGGESTION --color YELLOW ReportSuggestion ${TEST_NO} "Default umask in /etc/login.defs could not be found and defaults usually to 022, which could be more strict like 027" AddHP 1 2 elif [ "${FIND}" = "077" -o "${FIND}" = "027" ]; then - logtext "Result: 
umask is ${FIND}, which is fine" + LogText "Result: umask is ${FIND}, which is fine" Display --indent 4 --text "- Checking umask (/etc/login.defs)" --result OK --color GREEN AddHP 2 2 else - logtext "Result: found umask ${FIND}, which could be improved" + LogText "Result: found umask ${FIND}, which could be improved" Display --indent 4 --text "- Checking umask (/etc/login.defs)" --result SUGGESTION --color YELLOW ReportSuggestion ${TEST_NO} "Default umask in /etc/login.defs could be more strict like 027" AddHP 0 2 fi else - logtext "Result: file /etc/login.defs does not exist" + LogText "Result: file /etc/login.defs does not exist" fi # Red Hat /etc/init.d/functions - logtext "Test: Checking /etc/init.d/functions" + LogText "Test: Checking /etc/init.d/functions" if [ -f /etc/init.d/functions ]; then - logtext "Result: file /etc/init.d/functions exists" - logtext "Test: Checking umask value in /etc/init.d/functions" + LogText "Result: file /etc/init.d/functions exists" + LogText "Test: Checking umask value in /etc/init.d/functions" FIND=`grep "^umask" /etc/init.d/functions | awk '{ print $2 }'` if [ "${FIND}" = "" ]; then - logtext "Result: umask is not configured" + LogText "Result: umask is not configured" Display --indent 4 --text "- Checking umask (/etc/init.d/functions)" --result NONE --color WHITE elif [ "${FIND}" = "077" -o "${FIND}" = "027" ]; then - logtext "Result: umask is ${FIND}, which is fine" + LogText "Result: umask is ${FIND}, which is fine" Display --indent 4 --text "- Checking umask (/etc/init.d/functions)" --result OK --color GREEN AddHP 2 2 else - logtext "Result: found umask ${FIND}, which could be improved" + LogText "Result: found umask ${FIND}, which could be improved" Display --indent 4 --text "- Checking umask (/etc/init.d/functions)" --result SUGGESTION --color YELLOW AddHP 0 2 fi else - logtext "Result: file /etc/init.d/functions does not exist" + LogText "Result: file /etc/init.d/functions does not exist" fi # /etc/init.d/rc - logtext 
"Test: Checking /etc/init.d/rc" + LogText "Test: Checking /etc/init.d/rc" if [ -f /etc/init.d/rc ]; then - logtext "Result: file /etc/init.d/rc exists" - logtext "Test: Checking UMASK value in /etc/init.d/rc" + LogText "Result: file /etc/init.d/rc exists" + LogText "Test: Checking UMASK value in /etc/init.d/rc" FIND=`grep -i "^UMASK" /etc/init.d/rc | awk '{ print $2 }'` if [ "${FIND}" = "" ]; then - logtext "Result: UMASK value is not configured (most likely it will have the default 022 value)" + LogText "Result: UMASK value is not configured (most likely it will have the default 022 value)" Display --indent 4 --text "- Checking umask (/etc/init.d/rc)" --result SUGGESTION --color YELLOW ReportSuggestion ${TEST_NO} "Default umask in /etc/init.d/rc could not be found and defaults usually to 022, which could be more strict like 027" AddHP 1 2 elif [ "${FIND}" = "077" -o "${FIND}" = "027" ]; then - logtext "Result: umask is ${FIND}, which is fine" + LogText "Result: umask is ${FIND}, which is fine" Display --indent 4 --text "- Checking umask (/etc/init.d/rc)" --result OK --color GREEN AddHP 2 2 else - logtext "Result: found umask ${FIND}, which could be improved" + LogText "Result: found umask ${FIND}, which could be improved" Display --indent 4 --text "- Checking umask (/etc/init.d/rc)" --result SUGGESTION --color YELLOW ReportSuggestion ${TEST_NO} "Default umask in /etc/init.d/rc could be more strict like 027" AddHP 0 2 fi else - logtext "Result: file /etc/init.d/rc does not exist" + LogText "Result: file /etc/init.d/rc does not exist" fi # FreeBSD if [ -f /etc/login.conf ]; then FOUND=0 WEAK_UMASK=0 - logtext "Result: file /etc/login.conf exists" + LogText "Result: file /etc/login.conf exists" FIND=`grep "umask" /etc/login.conf | sed 's/#.*//' | sed -E 's/^[[:cntrl:]]//' | grep -v '^$' | awk -F: '{ print $2}' | awk -F= '{ if ($1=="umask") { print $2 }}'` if [ ! 
"${FIND}" = "" ]; then for UMASK_VALUE in ${FIND}; do case ${UMASK_VALUE} in 027|0027|077|0077) - logtext "Result: found umask value ${UMASK_VALUE}, which is fine" + LogText "Result: found umask value ${UMASK_VALUE}, which is fine" AddHP 2 2 FOUND=1 ;; @@ -984,7 +984,7 @@ AddHP 0 2 FOUND=1 WEAK_UMASK=1 - logtext "Result: found umask value ${UMASK_VALUE}, which can be more strict" + LogText "Result: found umask value ${UMASK_VALUE}, which can be more strict" ;; esac done 
@@ -997,41 +997,41 @@ ReportSuggestion ${TEST_NO} "Umask in /etc/login.conf could be more strict like 027" fi else - logtext "Result: no umask setting found in /etc/login.conf, which is unexpected" + LogText "Result: no umask setting found in /etc/login.conf, which is unexpected" Display --indent 4 --text "- Checking umask (/etc/login.conf)" --result NONE --color YELLOW fi fi # /etc/init.d/rcS - logtext "Test: Checking /etc/init.d/rcS" + LogText "Test: Checking /etc/init.d/rcS" if [ -f /etc/init.d/rcS ]; then - logtext "Result: file /etc/init.d/rcS exists" - logtext "Test: Checking if script runs another script." + LogText "Result: file /etc/init.d/rcS exists" + LogText "Test: Checking if script runs another script." FIND=`grep -i "^exec " /etc/init.d/rcS | awk '{ print $2 }'` if [ "${FIND}" = "" ]; then FIND2=`grep -i "^UMASK" /etc/init.d/rcS | awk '{ print $2 }'` if [ "${FIND2}" = "" ]; then - logtext "Result: UMASK value is not configured (most likely it will have the default 022 value)" + LogText "Result: UMASK value is not configured (most likely it will have the default 022 value)" Display --indent 4 --text "- Checking umask (/etc/init.d/rcS)" --result SUGGESTION --color YELLOW ReportSuggestion ${TEST_NO} "Default umask in /etc/init.d/rcS could not be found and defaults usually to 022, which could be more strict like 027" AddHP 1 2 elif [ "${FIND2}" = "077" -o "${FIND2}" = "027" ]; then - logtext "Result: umask is ${FIND2}, which is fine" + LogText "Result: umask is ${FIND2}, which is fine" Display --indent 4 --text "- Checking umask (/etc/init.d/rcS)" --result OK --color GREEN AddHP 2 2 else - logtext "Result: found umask ${FIND2}, which could be improved" + LogText "Result: found umask ${FIND2}, which could be improved" Display --indent 4 --text "- Checking umask (/etc/init.d/rcS)" --result SUGGESTION --color YELLOW ReportSuggestion ${TEST_NO} "Default umask in /etc/init.d/rcS could be more strict like 027" AddHP 0 2 fi else # Improve check - logtext 
"Result: exec line present in file, setting of umask not needed in this script" - logtext "Output: ${FIND}" + LogText "Result: exec line present in file, setting of umask not needed in this script" + LogText "Output: ${FIND}" fi else - logtext "Result: file /etc/init.d/rcS does not exist" + LogText "Result: file /etc/init.d/rcS does not exist" fi fi 
@@ -1044,39 +1044,39 @@ if [ ${SKIPTEST} -eq 0 ]; then FOUND=0 if [ -f /etc/security/policy.conf ]; then - logtext "Result: found /etc/security/policy.conf" + LogText "Result: found /etc/security/policy.conf" FIND=`grep "^LOCK_AFTER_RETRIES" /etc/security/policy.conf` if [ ! "${FIND}" = "" ]; then FOUND=1 - logtext "Result: account locking option set" - logtext "Output: ${FIND}" + LogText "Result: account locking option set" + LogText "Output: ${FIND}" AddHP 2 2 else - logtext "Result: option LOCK_AFTER_RETRIES not set" + LogText "Result: option LOCK_AFTER_RETRIES not set" AddHP 1 2 fi else - logtext "Result: /etc/security/policy.conf does not exist" + LogText "Result: /etc/security/policy.conf does not exist" fi # If policy.conf does not exist, we most likely deal with a Solaris version below 10 # and we proceed with checking the softer option RETRIES in /etc/default/login # which does not lock account, but discourages brute force password attacks. if [ ${FOUND} -eq 0 ]; then - logtext "Test: checking /etc/default/login" + LogText "Test: checking /etc/default/login" if [ -f /etc/default/login ]; then - logtext "Result: file /etc/default/login exists" + LogText "Result: file /etc/default/login exists" FIND=`grep "^RETRIES" /etc/default/login` if [ ! "${FIND}" = "" ]; then FOUND=1 - logtext "Result: retries option configured" - logtext "Output: ${FIND}" + LogText "Result: retries option configured" + LogText "Output: ${FIND}" AddHP 2 2 else - logtext "Result: retries option not configured" + LogText "Result: retries option not configured" AddHP 1 2 fi else - logtext "Result: file /etc/default/login does not exist" + LogText "Result: file /etc/default/login does not exist" fi fi if [ ${FOUND} -eq 1 ]; then 
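Review bot: The pattern `"^LOCK_AFTER_RETRIES"` in the policy.conf grep tests only that the key is present, so a line `LOCK_AFTER_RETRIES=NO` is logged as "account locking option set" and scored `AddHP 2 2`; the grep should match the enabling value, e.g. `grep -i "^LOCK_AFTER_RETRIES=YES" /etc/security/policy.conf`. The fallback `grep "^RETRIES" /etc/default/login` has the same presence-only shape and accepts any value after the key, so it may be worth checking that the value is a positive number before awarding `AddHP 2 2`. The `if [ ${FOUND} -eq 1 ]; then` at the end of the hunk continues outside it.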
@@ -1095,15 +1095,15 @@ if [ -f /etc/nsswitch.conf ]; then FIND=`egrep "^passwd" /etc/nsswitch.conf | grep "ldap"` if [ "${FIND}" = "" ]; then - logtext "Result: LDAP authentication not enabled" + LogText "Result: LDAP authentication not enabled" Display --indent 2 --text "- Checking LDAP authentication support" --result "NOT ENABLED" --color WHITE else - logtext "Result: LDAP authentication enabled" + LogText "Result: LDAP authentication enabled" Display --indent 2 --text "- Checking LDAP authentication support" --result "ENABLED" --color GREEN LDAP_AUTH_ENABLED=1 fi else - logtext "Result: /etc/nsswitch.conf not found" + LogText "Result: /etc/nsswitch.conf not found" fi fi # @@ -1114,21 +1114,21 @@ if [ ${LDAP_AUTH_ENABLED} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no AUTH-9406 --preqs-met ${PREQS_MET} --weight L --network NO --description "Query LDAP servers in client configuration" if [ ${SKIPTEST} -eq 0 ]; then - logtext "Test: checking ldap.conf options" + LogText "Test: checking ldap.conf options" for I in ${LDAP_CONF_LOCATIONS}; do - logtext "Test: checking ${I}" + LogText "Test: checking ${I}" if [ -f ${I} ]; then - logtext "Result: file ${I} exists, LDAP being used" + LogText "Result: file ${I} exists, LDAP being used" LDAP_CLIENT_CONFIG_FILE="${I}" - logtext "Test: checking LDAP servers in file ${I}" + LogText "Test: checking LDAP servers in file ${I}" FIND2=`egrep "^host " ${I} | awk '{ print $2 }'` for I in ${FIND2}; do Display --indent 6 --text "LDAP server: ${I}" - logtext "Result: found LDAP server ${I}" - report "ldap_server[]=${I}" + LogText "Result: found LDAP server ${I}" + Report "ldap_server[]=${I}" done else - logtext "Result: ${I} does NOT exist" + LogText "Result: ${I} does NOT exist" fi done fi 
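Review bot: In the AUTH-9406 hunk the inner loop `for I in ${FIND2}; do` reuses the outer loop variable from `for I in ${LDAP_CONF_LOCATIONS}; do`, so after the server loop `${I}` no longer names the config file; nothing reads it afterwards in the visible lines, but it is a trap for later edits—rename the inner variable, e.g. `for LDAP_SERVER in ${FIND2}; do` with `${LDAP_SERVER}` in the Display, LogText and Report lines. `if [ -f ${I} ]` and the `egrep "^host " ${I}` argument are unquoted; `"${I}"` is the safer form if a location ever contains whitespace. Only `host` directives are collected, so an ldap.conf that lists servers via `uri` lines would show no servers here; that is inferred from the grep pattern alone.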
@@ -1140,16 +1140,16 @@ if [ -f /etc/login.defs ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no AUTH-9408 --preqs-met ${PREQS_MET} --weight L --network NO --description "Logging of failed login attempts via /etc/login.defs" if [ ${SKIPTEST} -eq 0 ]; then - logtext "Test: Checking FAILLOG_ENAB option in /etc/login.defs " + LogText "Test: Checking FAILLOG_ENAB option in /etc/login.defs " FIND=`grep "^FAILLOG_ENAB" /etc/login.defs | awk '{ if ($1=="FAILLOG_ENAB") { print $2 } }'` # Search for enabled status (yes), otherwise consider it to be disabled (e.g. empty, or other value) if [ "${FIND}" = "yes" ]; then AUTH_FAILED_LOGINS_LOGGED=1 - logtext "Result: failed login attempts are logged in /var/log/faillog" + LogText "Result: failed login attempts are logged in /var/log/faillog" Display --indent 2 --text "- Logging failed login attempts" --result ENABLED --color GREEN AddHP 3 3 else - logtext "Result: failed login attempts are not logged" + LogText "Result: failed login attempts are not logged" Display --indent 2 --text "- Logging failed login attempts" --result DISABLED --color YELLOW #ReportSuggestion ${TEST_NO} "Configure failed login attempts to be logged in /var/log/faillog" AddHP 0 1 
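Review bot: The two arms score asymmetrically — `AddHP 3 3` when FAILLOG_ENAB is yes but `AddHP 0 1` when it is not — so the maximum contributed to the hardening index depends on the outcome; the disabled arm should be `AddHP 0 3` (or both arms should share one total). The comparison `[ "${FIND}" = "yes" ]` is case-sensitive, so `FAILLOG_ENAB YES` is reported as "failed login attempts are not logged"; lowercasing the value in the awk stage, or comparing case-insensitively, avoids that false negative. The commented-out `#ReportSuggestion` suggests the author considered this check weak; on systems whose login tooling no longer honours FAILLOG_ENAB the test reports "not logged" regardless of PAM configuration, which is inferred from general knowledge rather than from the hunk. The test ends outside this hunk.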
@@ -1159,17 +1159,17 @@ ################################################################################# # -report "auth_failed_logins_logged=${AUTH_FAILED_LOGINS_LOGGED}" -report "ldap_auth_enabled=${LDAP_AUTH_ENABLED}" -report "ldap_pam_enabled=${LDAP_PAM_ENABLED}" +Report "auth_failed_logins_logged=${AUTH_FAILED_LOGINS_LOGGED}" +Report "ldap_auth_enabled=${LDAP_AUTH_ENABLED}" +Report "ldap_pam_enabled=${LDAP_PAM_ENABLED}" if [ ! "${LDAP_CLIENT_CONFIG_FILE}" = "" ]; then - report "ldap_config_file=${LDAP_CLIENT_CONFIG_FILE}" + Report "ldap_config_file=${LDAP_CLIENT_CONFIG_FILE}" fi -report "password_min_days=${PASSWORD_MINIMUM_DAYS}" -report "password_max_days=${PASSWORD_MAXIMUM_DAYS}" +Report "password_min_days=${PASSWORD_MINIMUM_DAYS}" +Report "password_max_days=${PASSWORD_MAXIMUM_DAYS}" wait_for_keypress # #================================================================================ -# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com +# Lynis - Copyright 2007-2016, Michael Boelen, CISOfy - https://cisofy.com |