Diffstat (limited to 'include/tests_boot_services')
-rw-r--r-- | include/tests_boot_services | 257 |
1 files changed, 119 insertions, 138 deletions
diff --git a/include/tests_boot_services b/include/tests_boot_services index c246e4ae..0484c70f 100644 --- a/include/tests_boot_services +++ b/include/tests_boot_services @@ -37,18 +37,19 @@ # Test : BOOT-5102 # Description : Check for AIX boot device # Notes : The AIX bootstrap is called as software ROS. Bootstrap contains IPL (Initial Program loader) + # TODO - binary detection of bootinfo and replace with variable Register --test-no BOOT-5102 --os AIX --weight L --network NO --root-only YES --category security --description "Check for AIX boot device" if [ ${SKIPTEST} -eq 0 ]; then BOOT_LOADER_SEARCHED=1 LogText "Test: Query bootinfo for AIX boot device" if [ -x /usr/sbin/bootinfo ]; then - FIND=`/usr/sbin/bootinfo -b` - if [ ! "${FIND}" = "" ]; then + FIND=$(/usr/sbin/bootinfo -b) + if [ ! -z "${FIND}" ]; then LogText "Result: found boot device ${FIND}" Display --indent 2 --text "- Checking boot device (bootinfo)" --result "${STATUS_FOUND}" --color GREEN BOOT_LOADER="ROS" BOOT_LOADER_FOUND=1 - else + else LogText "Result: no data received from bootinfo, most likely boot device not found" #Display --indent 4 --text "- Checking boot device (bootinfo)" --result "${STATUS_NOT_FOUND}" --color YELLOW #ReportSuggestion ${TEST_NO} "Only use root (not sudo account) to query properly boot device" @@ -117,7 +118,7 @@ fi ;; "DragonFly"|"NetBSD"|"FreeBSD") - if [ -x /sbin/init -a -d /etc/rc.d -a -f /etc/rc ]; then + if [ -x /sbin/init -a -d ${ROOTDIR}etc/rc.d -a -f ${ROOTDIR}etc/rc ]; then SERVICE_MANAGER="bsdrc" fi ;; @@ -127,7 +128,7 @@ LogText "Result: service manager found = ${SERVICE_MANAGER}" if [ "${SERVICE_MANAGER}" = "" -o "${SERVICE_MANAGER}" = "unknown" ]; then Display --indent 2 --text "- Service Manager" --result "${STATUS_UNKNOWN}" --color YELLOW - else + else Display --indent 2 --text "- Service Manager" --result "${SERVICE_MANAGER}" --color GREEN fi fi 
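Review bot: In the DragonFly/NetBSD/FreeBSD service-manager test, `${ROOTDIR}` is expanded unquoted inside a single `[ ... -a ... ]` while `/sbin/init` keeps its absolute path, so the three operands may be checked against different roots. ROOTDIR is defined outside this diff; if it can be empty or contain whitespace, `${ROOTDIR}etc/rc.d` becomes relative to the working directory or splits into several words, and a root-run audit would then report on whatever is found there. If the intent is to inspect the tree under ROOTDIR, I would write `if [ -x "${ROOTDIR}sbin/init" ] && [ -d "${ROOTDIR}etc/rc.d" ] && [ -f "${ROOTDIR}etc/rc" ]; then`. The same unquoted prefix is introduced in the boot.efi, Syslinux, UEFI, FreeBSD/NetBSD loader, lilo.conf, boot.conf, rc directory and rescue.service hunks.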
@@ -138,7 +139,7 @@ # Description : Check if boot.efi is found on Mac OS X Register --test-no BOOT-5106 --os "MacOS" --weight L --network NO --root-only YES --category security --description "Check EFI boot file on Mac OS X" if [ ${SKIPTEST} -eq 0 ]; then - FileExists /System/Library/CoreServices/boot.efi + FileExists ${ROOTDIR}System/Library/CoreServices/boot.efi if [ ${FILE_FOUND} -eq 1 ]; then LogText "Result: found Mac OS X boot.efi file" BOOT_LOADER="MacOS-boot-EFI" @@ -152,7 +153,7 @@ # Description : Check for Syslinux Register --test-no BOOT-5108 --os "Linux" --weight L --network NO --root-only YES --category security --description "Check Syslinux as bootloader" if [ ${SKIPTEST} -eq 0 ]; then - FileExists /boot/syslinux/syslinux.cfg + FileExists ${ROOTDIR}boot/syslinux/syslinux.cfg if [ ${FILE_FOUND} -eq 1 ]; then LogText "Result: found Syslinux" BOOT_LOADER="Syslinux" 
@@ -172,35 +173,36 @@ UEFI_TESTS_PERFORMED=1 # Check if UEFI is available in this boot LogText "Test: checking if UEFI is used" - if [ -d /sys/firmware/efi ]; then + if [ -d ${ROOTDIR}sys/firmware/efi ]; then LogText "Result: system booted in UEFI mode" UEFI_BOOTED=1 - else + else LogText "Result: UEFI not used, can't find /sys/firmware/efi directory" fi # Test if Secure Boot is enabled LogText "Test: determine if Secure Boot is used" - if [ -d /sys/firmware/efi/efivars ]; then - FIND=`ls /sys/firmware/efi/efivars/SecureBoot-* 2> /dev/null` - if [ ! "${FIND}" = "" ]; then - for I in ${FIND}; do - LogText "Test: checking file ${I}" - J=`od -An -t u1 ${I} | ${AWKBINARY} '{ print $5 }'` + if [ -d ${ROOTDIR}sys/firmware/efi/efivars ]; then + FIND=$(${LSBINARY} ${ROOTDIR}sys/firmware/efi/efivars/SecureBoot-* 2> /dev/null) + if [ ! -z "${FIND}" ]; then + for FILE in ${FIND}; do + LogText "Test: checking file ${FILE}" + # TODO: add detection for od + J=$(od -An -t u1 ${FILE} | ${AWKBINARY} '{ print $5 }') if [ "${J}" = "1" ]; then LogText "Result: found SecureBoot file with enabled status" UEFI_BOOTED_SECURE=1 - else - LogText "Result: system not booted with Secure Boot (status 0 in file ${I})" + else + LogText "Result: system not booted with Secure Boot (status 0 in file ${FILE})" fi done fi - else + else LogText "Result: system not booted with Secure Boot (no SecureBoot file found)" fi ;; #MacOS) - # Mac OS ioreg -l -p IODeviceTree | ${GREPBINARY} firmware-abi + # TODO: Mac OS ioreg -l -p IODeviceTree | ${GREPBINARY} firmware-abi #;; *) LogText "Result: no test implemented yet to test for UEFI on this platform" 
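Review bot: In the Secure Boot loop, every value of `J` other than `1` falls into the `else` branch and is logged as "status 0", so an unreadable efivars file or a missing `od` (the added TODO says it is not detected yet) is reported as Secure Boot disabled rather than unknown. I would test the value explicitly with `elif [ "${J}" = "0" ]; then` for the existing message and add a final `else` that logs that the status could not be read from `${FILE}`. Capturing `${LSBINARY}` output and re-splitting it in `for FILE in ${FIND}` could be replaced by iterating the glob directly, `for FILE in "${ROOTDIR}"sys/firmware/efi/efivars/SecureBoot-*; do`, with a `[ -f "${FILE}" ]` guard for the no-match case. The "UEFI not used" message still names `/sys/firmware/efi` although the test now looks under `${ROOTDIR}`, and the "no SecureBoot file found" message is only reached when the efivars directory is absent, not when the directory exists without a matching file.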
@@ -210,10 +212,10 @@ Display --indent 2 --text "- Checking UEFI boot" --result "${STATUS_ENABLED}" --color GREEN if [ ${UEFI_BOOTED_SECURE} -eq 1 ]; then Display --indent 2 --text "- Checking Secure Boot" --result "${STATUS_ENABLED}" --color GREEN - else + else Display --indent 2 --text "- Checking Secure Boot" --result "${STATUS_DISABLED}" --color YELLOW fi - else + else if [ ${UEFI_TESTS_PERFORMED} -eq 1 ]; then Display --indent 2 --text "- Checking UEFI boot" --result "${STATUS_DISABLED}" --color WHITE fi @@ -254,8 +256,9 @@ fi # Some OSes like Gentoo do not have /boot mounted by default + # TODO: root directory and rewrite ls statement if [ -d /boot ]; then - if [ "`ls /boot/* 2> /dev/null`" = "" -a ! "${GRUB2INSTALLBINARY}" = "" ]; then + if [ "`ls /boot/* 2> /dev/null`" = "" -a ! -z "${GRUB2INSTALLBINARY}" ]; then BOOT_LOADER_FOUND=1 LogText "Result: found empty /boot, however with GRUB2 binary installed. Best guess is that GRUB2 is actually installed, but /boot not mounted" Display --indent 2 --text "- Checking presence GRUB2" --result "POSSIBLE MATCH" --color YELLOW 
@@ -279,30 +282,30 @@ LogText "Found file ${GRUBCONFFILE}, proceeding with tests." FileIsReadable ${GRUBCONFFILE} if [ ${CANREAD} -eq 1 ]; then - FIND=`${GREPBINARY} 'password --md5' ${GRUBCONFFILE} | ${GREPBINARY} -v '^#'` - FIND2=`${GREPBINARY} 'password --encrypted' ${GRUBCONFFILE} | ${GREPBINARY} -v '^#'` - FIND3=`${GREPBINARY} 'set superusers' ${GRUBCONFFILE} | ${GREPBINARY} -v '^#'` - FIND4=`${GREPBINARY} 'password_pbkdf2' ${GRUBCONFFILE} | ${GREPBINARY} -v '^#'` - FIND5=`${GREPBINARY} 'grub.pbkdf2' ${GRUBCONFFILE} | ${GREPBINARY} -v '^#'` + FIND=$(${GREPBINARY} 'password --md5' ${GRUBCONFFILE} | ${GREPBINARY} -v '^#') + FIND2=$(${GREPBINARY} 'password --encrypted' ${GRUBCONFFILE} | ${GREPBINARY} -v '^#') + FIND3=$(${GREPBINARY} 'set superusers' ${GRUBCONFFILE} | ${GREPBINARY} -v '^#') + FIND4=$(${GREPBINARY} 'password_pbkdf2' ${GRUBCONFFILE} | ${GREPBINARY} -v '^#') + FIND5=$(${GREPBINARY} 'grub.pbkdf2' ${GRUBCONFFILE} | ${GREPBINARY} -v '^#') # GRUB1: Password should be set (MD5 or SHA1) - if [ ! "${FIND}" = "" -o ! "${FIND2}" = "" ]; then + if [ ! -z "${FIND}" -o ! -z "${FIND2}" ]; then FOUND=1 # GRUB2: Superusers AND password should be defined - elif [ ! "${FIND3}" = "" ]; then + elif [ ! -z "${FIND3}" ]; then if [ ! -z "${FIND4}" -o ! -z "${FIND5}" ]; then FOUND=1; fi fi if [ ${FOUND} -eq 1 ]; then Display --indent 4 --text "- Checking for password protection" --result "${STATUS_OK}" --color GREEN LogText "Result: GRUB has password protection." AddHP 4 4 - else + else Display --indent 4 --text "- Checking for password protection" --result "${STATUS_WARNING}" --color RED LogText "Result: Didn't find hashed password line in GRUB boot file!" ReportSuggestion ${TEST_NO} "Set a password on GRUB bootloader to prevent altering boot configuration (e.g. boot in single user mode without password)" AddHP 0 2 fi - else - LogText "Result: Can not read ${GRUBCONFFILE} (no permission)" + else + LogText "Result: Can not read ${GRUBCONFFILE} (no permission)" fi fi # 
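Review bot: The five GRUB greps filter comments with `-v '^#'`, which only drops lines whose first character is `#`, so an indented, commented-out `password_pbkdf2` or `set superusers` line still counts as a match and the test reports password protection as OK. I would use `${GREPBINARY} -v '^[[:space:]]*#'` on all five, and the LILO hunk further down has the same `-v "^#"` filter. `${GRUBCONFFILE}` is expanded unquoted in each command substitution. FOUND is tested with `-eq 1` but its reset is not visible in this hunk; if it is not set to 0 just above, a value left over from an earlier test would also produce an OK result.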
@@ -313,13 +316,13 @@ Register --test-no BOOT-5124 --os FreeBSD --weight L --network NO --category security --description "Check for FreeBSD boot loader presence" if [ ${SKIPTEST} -eq 0 ]; then BOOT_LOADER_SEARCHED=1 - if [ -f /boot/boot1 -a -f /boot/boot2 -a -f /boot/loader ]; then - LogText "Result: found boot1, boot2 and loader files in /boot" + if [ -f ${ROOTDIR}boot/boot1 -a -f ${ROOTDIR}boot/boot2 -a -f ${ROOTDIR}boot/loader ]; then + LogText "Result: found boot1, boot2 and loader files in ${ROOTDIR}boot" Display --indent 2 --text "- Checking presence FreeBSD loader" --result "${STATUS_FOUND}" --color GREEN BOOT_LOADER="FreeBSD" BOOT_LOADER_FOUND=1 - else - LogText "Result: Not all expected files found in /boot" + else + LogText "Result: Not all expected files found in ${ROOTDIR}boot" fi fi # @@ -330,12 +333,12 @@ Register --test-no BOOT-5126 --os NetBSD --weight L --network NO --category security --description "Check for NetBSD boot loader presence" if [ ${SKIPTEST} -eq 0 ]; then BOOT_LOADER_SEARCHED=1 - if [ -f /boot.${HARDWARE} -o -f /boot -o -f /ofwboot ]; then + if [ -f ${ROOTDIR}boot.${HARDWARE} -o -f ${ROOTDIR}boot -o -f ${ROOTDIR}ofwboot ]; then LogText "Result: found NetBSD secondary bootstrap" Display --indent 2 --text "- Checking presence NetBSD loader" --result "${STATUS_FOUND}" --color GREEN BOOT_LOADER="NetBSD" BOOT_LOADER_FOUND=1 - else + else LogText "Result: NetBSD secondary bootstrap not found" ReportException "${TEST_NO}:1" "No boot loader found on NetBSD" fi @@ -349,7 +352,7 @@ Register --test-no BOOT-5139 --weight L --network NO --category security --description "Check for LILO boot loader presence" if [ ${SKIPTEST} -eq 0 ]; then BOOT_LOADER_SEARCHED=1 - LILOCONFFILE="/etc/lilo.conf" + LILOCONFFILE="${ROOTDIR}etc/lilo.conf" LogText "Test: checking for presence LILO configuration file" if [ -f ${LILOCONFFILE} ]; then FileIsReadable ${LILOCONFFILE} 
@@ -358,23 +361,23 @@ BOOT_LOADER_FOUND=1 Display --indent 2 --text "- Checking presence LILO" --result "${STATUS_OK}" --color GREEN LogText "Checking password option LILO" - FIND=`${EGREPBINARY} 'password[[:space:]]?=' ${LILOCONFFILE} | ${GREPBINARY} -v "^#"` - if [ "${FIND}" = "" ]; then + FIND=$(${EGREPBINARY} 'password[[:space:]]?=' ${LILOCONFFILE} | ${GREPBINARY} -v "^#") + if [ -z "${FIND}" ]; then Display --indent 4 --text "- Password option presence " --result "${STATUS_WARNING}" --color RED LogText "Result: no password set for LILO. Bootloader is unprotected to" LogText "dropping to single user mode or unauthorized access to devices/data." ReportSuggestion ${TEST_NO} "Add a password to LILO, by adding a line to the lilo.conf file, above the first line saying 'image=<name>': password=<password>" ReportWarning ${TEST_NO} "No password set on LILO bootloader" AddHP 0 2 - else + else Display --indent 4 --text "- Password option presence " --result "${STATUS_OK}" --color GREEN LogText "Result: LILO password option set" AddHP 4 4 fi - else + else LogText "Result: can not read ${LILOCONFFILE} (no permission)" fi - else + else LogText "Result: LILO configuration file not found" fi fi 
@@ -398,26 +401,6 @@ # ################################################################################# # - # Test : BOOT-5144 - # Description : Check for SILO boot loader consistency - # Notes : To be tested on Gentoo -# Register --test-no BOOT-5144 --weight L --network NO --category security --description "Check SPARC Improved boot loader (SILO)" -# if [ ${SKIPTEST} -eq 0 ]; then -# if [ -f /etc/silo.conf -a -x /sbin/silo ]; then -# FIND=`/sbin/silo | ${GREPBINARY} "appears to be valid"` -# if [ ! "${FIND}" = "" ]; then -# LogText "Result: Found SILO configuration file (/etc/silo.conf)" -# Display --indent 6 --text "- Checking SILO consistency" --result "${STATUS_OK}" --color GREEN -# else -# LogText "Result: no positive result received from silo binary" -# ReportWarning ${TEST_NO} "Possible issue with boot loader (SILO)" -# Display --indent 6 --text "- Checking SILO consistency" --result "${STATUS_WARNING}" --color RED -# fi -# fi -# fi -# -################################################################################# -# # Test : BOOT-5155 # Description : Check for YABOOT boot loader Register --test-no BOOT-5155 --weight L --network NO --category security --description "Check for YABOOT boot loader configuration file" @@ -429,7 +412,7 @@ Display --indent 4 --text "- Checking boot loader YABOOT" --result "${STATUS_FOUND}" --color GREEN BOOT_LOADER="YABOOT" BOOT_LOADER_FOUND=1 - else + else LogText "Result: no YABOOT configuration file found." fi fi 
@@ -446,35 +429,33 @@ # Boot files # /usr/mdec/biosboot: first stage bootstrap # /boot : second stage bootstrap - if [ -f /usr/mdec/biosboot -a -f /boot ]; then + if [ -f ${ROOTDIR}usr/mdec/biosboot -a -f ${ROOTDIR}boot ]; then FOUND=1 fi # Configuration file - if [ -f /etc/boot.conf ]; then + if [ -f ${ROOTDIR}etc/boot.conf ]; then FOUND=1 - Display --indent 2 --text "- Checking /etc/boot.conf" --result "${STATUS_FOUND}" --color GREEN - FIND=`${GREPBINARY} '^boot' /etc/boot.conf` - if [ "${FIND}" = "" ]; then + Display --indent 2 --text "- Checking ${ROOTDIR}etc/boot.conf" --result "${STATUS_FOUND}" --color GREEN + FIND=$(${GREPBINARY} '^boot' ${ROOTDIR}etc/boot.conf) + if [ -z "${FIND}" ]; then Display --indent 4 --text "- Checking boot option" --result "${STATUS_WARNING}" --color RED - #ReportSuggestion ${TEST_NO} "Add 'boot' to the /etc/boot.conf file to disable the default 5 seconds waiting time, to disallow booting into single user mode." + #ReportSuggestion ${TEST_NO} "Add 'boot' to the ${ROOTDIR}etc/boot.conf file to disable the default 5 seconds waiting time, to disallow booting into single user mode." ReportWarning ${TEST_NO} "System can be booted into single user mode without password" - else + else Display --indent 4 --text "- Checking boot option" --result "${STATUS_OK}" --color GREEN LogText "Ok, boot option is enabled." fi - else - Display --indent 2 --text "- Checking /etc/boot.conf" --result "${STATUS_NOT_FOUND}" --color YELLOW - LogText "Result: no /etc/boot.conf found. When using the default boot loader, physical" + else + Display --indent 2 --text "- Checking ${ROOTDIR}etc/boot.conf" --result "${STATUS_NOT_FOUND}" --color YELLOW + LogText "Result: no ${ROOTDIR}etc/boot.conf found. When using the default boot loader, physical" LogText "access to the server can be used to possibly enter single user mode." - ReportSuggestion ${TEST_NO} "Add 'boot' to the /etc/boot.conf file to disable the default 5 seconds waiting time." 
+ ReportSuggestion ${TEST_NO} "Add 'boot' to the ${ROOTDIR}etc/boot.conf file to disable the default 5 seconds waiting time." fi if [ ${FOUND} -eq 1 ]; then LogText "Result: found OpenBSD boot loader" BOOT_LOADER="OpenBSD" BOOT_LOADER_FOUND=1 fi - - fi # ################################################################################# @@ -494,11 +475,11 @@ if [ ! "${SERVICEBINARY}" = "" ]; then # FreeBSD (Ask services(8) for enabled services) LogText "Searching for services at startup (service)" - FIND=`${SERVICEBINARY} -e | sed 's|^.*\/||' | sort` + FIND=$(${SERVICEBINARY} -e | ${SEDBINARY} 's|^.*\/||' | ${SORTBINARY}) else # FreeBSD (Read /etc/rc.conf file for enabled services) LogText "Searching for services at startup (rc.conf)" - FIND=`${EGREPBINARY} -v -i '^#|none' /etc/rc.conf | ${EGREPBINARY} -i '_enable.*(yes|on|1)' | ${SORTBINARY} | ${AWKBINARY} -F= '{ print $1 }' | sed 's/_enable//'` + FIND=$(${EGREPBINARY} -v -i '^#|none' /etc/rc.conf | ${EGREPBINARY} -i '_enable.*(yes|on|1)' | ${SORTBINARY} | ${AWKBINARY} -F= '{ print $1 }' | ${SEDBINARY} 's/_enable//') fi N=0 for I in ${FIND}; do @@ -521,11 +502,11 @@ CHECKED=0 LogText "Test: checking presence systemctl binary" # Determine if we have systemctl on board - if [ ! "${SYSTEMCTLBINARY}" = "" ]; then + if [ ! -z "${SYSTEMCTLBINARY}" ]; then LogText "Result: systemctl binary found, trying that to discover information" # Running services LogText "Searching for running services (systemctl services only)" - FIND=`${SYSTEMCTLBINARY} --full --type=service | ${AWKBINARY} '{ if ($4=="running") { print $1 } }' | ${AWKBINARY} -F. '{ print $1 }'` + FIND=$(${SYSTEMCTLBINARY} --full --type=service | ${AWKBINARY} '{ if ($4=="running") { print $1 } }' | ${AWKBINARY} -F. '{ print $1 }') N=0 Report "running_service_tool=systemctl" for I in ${FIND}; do 
@@ -540,7 +521,7 @@ # Services at boot LogText "Searching for enabled services (systemctl services only)" - FIND=`${SYSTEMCTLBINARY} list-unit-files --type=service | ${AWKBINARY} '{ if ($2=="enabled") { print $1 } }' | ${AWKBINARY} -F. '{ print $1 }'` + FIND=$(${SYSTEMCTLBINARY} list-unit-files --type=service | ${AWKBINARY} '{ if ($2=="enabled") { print $1 } }' | ${AWKBINARY} -F. '{ print $1 }') N=0 Report "boot_service_tool=systemctl" for I in ${FIND}; do @@ -554,11 +535,12 @@ LogText "Result: Found $N running services" else + LogText "Result: systemctl binary not found, checking chkconfig binary" - if [ ! "${CHKCONFIGBINARY}" = "" ]; then + if [ ! -z "${CHKCONFIGBINARY}" ]; then LogText "Result: chkconfig binary found, trying that to discover information" LogText "Searching for services at startup (chkconfig, runlevel 3 and 5)" - FIND=`${CHKCONFIGBINARY} --list | ${EGREPBINARY} '3:on|5:on' | ${AWKBINARY} '{ print $1 }'` + FIND=$(${CHKCONFIGBINARY} --list | ${EGREPBINARY} '3:on|5:on' | ${AWKBINARY} '{ print $1 }') N=0 Report "boot_service_tool=chkconfig" for I in ${FIND}; do @@ -570,7 +552,7 @@ Display --indent 2 --text "- Check services at startup (chkconfig)" --result "${STATUS_DONE}" --color GREEN Display --indent 8 --text "Result: found $N services" LogText "Result: Found $N services at startup" - else + else LogText "Result: both systemctl and chkconfig not found. Skipping this test" fi fi 
@@ -585,24 +567,24 @@ Register --test-no BOOT-5180 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for Linux boot services (Debian style)" if [ ${SKIPTEST} -eq 0 ]; then # Runlevel check - sRUNLEVEL=`${RUNLEVELBINARY} | ${GREPBINARY} "N [0-9]" | ${AWKBINARY} '{ print $2} '` + sRUNLEVEL=$(${RUNLEVELBINARY} | ${GREPBINARY} "N [0-9]" | ${AWKBINARY} '{ print $2} ') LogText "Result: found runlevel ${sRUNLEVEL}" if [ "${sRUNLEVEL}" = "2" ]; then LogText "Result: performing find in /etc/rc2.d as runlevel 2 is found" - FIND=`find /etc/rc2.d -type l -print | cut -d '/' -f4 | sed "s/S[0-9][0-9]//g" | sort` + FIND=$(${FINDBINARY} ${ROOTDIR}etc/rc2.d -type l -print | ${CUTBINARY} -d '/' -f4 | ${SEDBINARY} "s/S[0-9][0-9]//g" | sort) if [ ! "${FIND}" = "" ]; then N=0 - for I in ${FIND}; do - LogText "Found service (at boot, runlevel 2): ${I}" + for SERVICE in ${FIND}; do + LogText "Found service (at boot, runlevel 2): ${SERVICE}" N=$((N + 1)) done Display --indent 2 --text "- Check services at startup (rc2.d)" --result "${STATUS_DONE}" --color WHITE Display --indent 4 --text "Result: found $N services" LogText "Result: found $N services" fi - elif [ "${sRUNLEVEL}" = "" ]; then + elif [ -z "${sRUNLEVEL}" ]; then ReportSuggestion ${TEST_NO} "Determine runlevel and services at startup" - else + else LogText "Result: skipping further actions" fi fi @@ -614,7 +596,7 @@ Register --test-no BOOT-5184 --os Linux --weight L --network NO --category security --description "Check permissions for boot files/scripts" if [ ${SKIPTEST} -eq 0 ]; then FOUND=0 - CHECKDIRS="/etc/init.d /etc/rc.d /etc/rcS.d" + CHECKDIRS="${ROOTDIR}etc/init.d ${ROOTDIR}etc/rc.d ${ROOTDIR}etc/rcS.d" LogText "Result: checking /etc/init.d scripts for writable bit" for I in ${CHECKDIRS}; do 
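Review bot: In the runlevel 2 branch, `${CUTBINARY} -d '/' -f4` picks the service name only while the path has the form `/etc/rc2.d/NAME`; now that the find starts at `${ROOTDIR}etc/rc2.d`, any ROOTDIR other than `/` moves the name to a later field and the loop logs directory names instead of services. Taking the last path component is independent of the prefix, for example `${AWKBINARY} -F/ '{ print $NF }'` in place of the cut. The pipeline still ends in a bare `sort` although `${SORTBINARY}` is used in the other hunks of this commit, and the log line keeps the hard-coded `/etc/rc2.d`.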
@@ -622,22 +604,22 @@ if [ -d ${I} ]; then LogText "Result: directory ${I} found" LogText "Test: checking for available files in directory" - FIND=`find ${I} -type f -print` - if [ ! "${FIND}" = "" ]; then + FIND=$(${FINDBINARY} ${I} -type f -print) + if [ ! -z "${FIND}" ]; then LogText "Result: found files in directory, checking permissions now" for J in ${FIND}; do LogText "Test: checking permissions of file ${J}" if IsWorldWritable ${J}; then FOUND=1 LogText "Result: warning, file ${J} is world writable" - else + else LogText "Result: good, file ${J} not world writable" fi done - else + else LogText "Result: found no files in directory." fi - else + else LogText "Result: directory ${I} not found. Skipping.." fi done @@ -645,13 +627,13 @@ # /etc/rc[0-6].d for NO in 0 1 2 3 4 5 6; do LogText "Test: Checking /etc/rc${NO}.d scripts for writable bit" - if [ -d /etc/rc${NO}.d ]; then - FIND=`find /etc/rc${NO}.d -type f -print` + if [ -d ${ROOTDIR}etc/rc${NO}.d ]; then + FIND=$(${FINDBINARY} ${ROOTDIR}etc/rc${NO}.d -type f -print) for I in ${FIND}; do if IsWorldWritable ${I}; then FOUND=1 LogText "Result: warning, file ${I} is world writable" - else + else LogText "Result: good, file ${I} not world writable" fi done @@ -659,14 +641,14 @@ done # Other files - CHECKFILES="/etc/rc /etc/rc.local /etc/rc.d/rc.sysinit" + CHECKFILES="${ROOTDIR}etc/rc ${ROOTDIR}etc/rc.local ${ROOTDIR}etc/rc.d/rc.sysinit" for I in ${CHECKFILES}; do if [ -f ${I} ]; then ShowSymlinkPath "${I}" if [ ${FOUNDPATH} -eq 1 ]; then CHECKFILE="${SYMLINK}" LogText "Result: found the path behind this symlink (${CHECKFILE} --> ${I})" - else + else CHECKFILE="${I}" fi LogText "Test: Checking ${CHECKFILE} file for writable bit" @@ -674,7 +656,7 @@ FOUND=1 ReportWarning ${TEST_NO} "Found writable startup script ${CHECKFILE}" LogText "Result: warning, file ${CHECKFILE} is world writable" - else + else LogText "Result: good, file ${CHECKFILE} not world writable" fi fi 
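Review bot: The permission check collects `${FINDBINARY} ${I} -type f -print` into FIND and iterates it with `for J in ${FIND}`, so a file name containing whitespace or glob characters is split or expanded before `IsWorldWritable ${J}` sees it, and a world-writable script with such a name would be tested under the wrong path and missed. Letting find apply the permission test avoids depending on word splitting, e.g. `FIND=$(${FINDBINARY} "${I}" -type f -perm -002 -print)` and setting FOUND=1 when the result is non-empty; IsWorldWritable is defined outside this diff, so confirm that the two tests agree. The `/etc/rc${NO}.d` loop in the next hunk has the same pattern, and the enclosing `for I in ${CHECKDIRS}` loop starts outside this hunk.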
@@ -686,7 +668,7 @@ ReportWarning ${TEST_NO} "Found world writable startup scripts" "-" "-" LogText "Result: found one or more scripts which are possibly writable by other users" AddHP 0 3 - else + else Display --indent 2 --text "- Check startup files (permissions)" --result "${STATUS_OK}" --color GREEN AddHP 3 3 fi @@ -704,17 +686,17 @@ Linux) # Idle time, not real uptime if [ -f /proc/uptime ]; then - FIND=`cat /proc/uptime | cut -d ' ' -f1 | cut -d '.' -f1` - else + FIND=$(cat /proc/uptime | ${CUTBINARY} -d ' ' -f1 | ${CUTBINARY} -d '.' -f1) + else Display --indent 2 --text "- Checking uptime" --result "${STATUS_SKIPPED}" --color YELLOW ReportException "${TEST_NO}:1" "No uptime test available for this operating system (/proc/uptime missing)" fi ;; DragonFly|FreeBSD|MacOS) - if [ ! "${SYSCTLBINARY}" = "" ]; then - FIND=`${SYSCTLBINARY} kern.boottime | ${AWKBINARY} '{ print $5 }' | sed -e 's/,//' | ${GREPBINARY} "[0-9]"` - else + if [ ! -z "${SYSCTLBINARY}" ]; then + FIND=$(${SYSCTLBINARY} kern.boottime | ${AWKBINARY} '{ print $5 }' | ${SEDBINARY} -e 's/,//' | ${GREPBINARY} "[0-9]") + else Display --indent 2 --text "- Checking uptime" --result "${STATUS_SKIPPED}" --color YELLOW ReportException "${TEST_NO}:4" "No uptime test available for this operating system (sysctl missing)" fi 
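Review bot: The `DragonFly|FreeBSD|MacOS` branch stores the fifth field of `${SYSCTLBINARY} kern.boottime` in FIND, which appears to be the boot timestamp in epoch seconds rather than an elapsed time, and a later hunk copies FIND unchanged into UPTIME_IN_SECS. On those platforms `uptime_in_seconds` and `uptime_in_days` in the report would then be far too large. The NetBSD/OpenBSD branch already subtracts the boot time from `date "+%s"`; the same subtraction could be applied here before FIND is used. The comment "Idle time, not real uptime" above the `/proc/uptime` read also looks wrong, since the first field that the cut keeps is the uptime and the idle time is the second field.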
@@ -722,25 +704,25 @@ NetBSD|OpenBSD) if [ ! "${SYSCTLBINARY}" = "" ]; then - TIME_BOOT=`${SYSCTLBINARY} -n kern.boottime` - TIME_NOW=`date "+%s"` + TIME_BOOT=$(${SYSCTLBINARY} -n kern.boottime) + TIME_NOW=$(date "+%s") LogText "Boot time: ${TIME_BOOT}" LogText "Current time: ${TIME_NOW}" - if [ ! "${TIME_BOOT}" = "" -a ! "${TIME_NOW}" = "" ]; then + if [ ! -z "${TIME_BOOT}" -a ! -z "${TIME_NOW}" ]; then UPTIME_IN_SECS=$((TIME_NOW - TIME_BOOT)) - else + else ReportException "${TEST_NO}:5" "Most likely kern.boottime empty, unable to determine uptime" fi - else + else Display --indent 2 --text "- Checking uptime" --result "${STATUS_SKIPPED}" --color YELLOW ReportException "${TEST_NO}:4" "No uptime test available for this operating system (sysctl missing)" fi ;; Solaris) - if [ ! "${KSTATBINARY}" = "" ]; then - FIND=`${KSTATBINARY} -p unix:0:system_misc:snaptime | ${GREPBINARY} "^unix" | ${AWKBINARY} '{print $2}' | cut -d "." -f1` - else + if [ ! -z "${KSTATBINARY}" ]; then + FIND=$(${KSTATBINARY} -p unix:0:system_misc:snaptime | ${GREPBINARY} "^unix" | ${AWKBINARY} '{print $2}' | ${CUTBINARY} -d "." -f1) + else Display --indent 2 --text "- Checking uptime" --result "${STATUS_SKIPPED}" --color YELLOW ReportException "${TEST_NO}:2" "No uptime test available for this operating system (kstat missing)" fi @@ -753,14 +735,14 @@ ReportException "${TEST_NO}:3" "No uptime test available yet for this operating system" ;; esac - if [ ! "${FIND}" = "" ]; then + if [ ! -z "${FIND}" ]; then UPTIME_IN_SECS="${FIND}" UPTIME_IN_DAYS=$((UPTIME_IN_SECS / 60 / 60 / 24)) LogText "Uptime (in seconds): ${UPTIME_IN_SECS}" LogText "Uptime (in days): ${UPTIME_IN_DAYS}" Report "uptime_in_seconds=${UPTIME_IN_SECS}" Report "uptime_in_days=${UPTIME_IN_DAYS}" - else + else LogText "Result: no uptime information available" fi fi 
@@ -771,25 +753,24 @@ # Description : Check single user mode for systemd Register --test-no BOOT-5260 --weight L --network NO --category security --description "Check single user mode for systemd" if [ ${SKIPTEST} -eq 0 ]; then - # Check if file exists LogText "Test: Searching /usr/lib/systemd/system/rescue.service" - if [ -f /usr/lib/systemd/system/rescue.service ]; then - LogText "Result: file /usr/lib/systemd/system/rescue.service" - LogText "Test: checking presence sulogin for single user mode" - FIND=`${EGREPBINARY} "^ExecStart=-(/bin/sh -c \")?(/usr)?/(s)?bin/sulogin" /usr/lib/systemd/system/rescue.service` - if [ ! "${FIND}" = "" ]; then - FOUND=1 - LogText "Result: found sulogin, so single user is protected" - AddHP 3 3 - else - LogText "Result: did not find sulogin in rescue.service" - AddHP 1 3 - Display --indent 2 --text "- Checking sulogin in rescue.service" --result "${STATUS_NOT_FOUND}" --color YELLOW - ReportSuggestion "${TEST_NO}" "Protect rescue.service by using sulogin" - fi - else - LogText "Result: file /usr/lib/systemd/system/rescue.service does not exist" - fi + if [ -f ${ROOTDIR}usr/lib/systemd/system/rescue.service ]; then + LogText "Result: file /usr/lib/systemd/system/rescue.service" + LogText "Test: checking presence sulogin for single user mode" + FIND=$(${EGREPBINARY} "^ExecStart=-(/bin/sh -c \")?(/usr)?/(s)?bin/sulogin" ${ROOTDIR}usr/lib/systemd/system/rescue.service) + if [ ! -z "${FIND}" ]; then + FOUND=1 + LogText "Result: found sulogin, so single user is protected" + AddHP 3 3 + else + LogText "Result: did not find sulogin in rescue.service" + AddHP 1 3 + Display --indent 2 --text "- Checking sulogin in rescue.service" --result "${STATUS_NOT_FOUND}" --color YELLOW + ReportSuggestion "${TEST_NO}" "Protect rescue.service by using sulogin" + fi + else + LogText "Result: file ${ROOTDIR}usr/lib/systemd/system/rescue.service does not exist" + fi fi # ################################################################################# |
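Review bot: The sulogin check reads only `${ROOTDIR}usr/lib/systemd/system/rescue.service`, so a unit of the same name or a drop-in under `etc/systemd/system` would not be seen, and the result may not describe the unit that actually runs. A comment such as `# NOTE: only the vendor unit is inspected; overrides in etc/systemd/system are not considered` would make the limitation explicit until the override path is checked first. The regular expression accepts only a direct `sulogin` call; units that start `systemd-sulogin-shell` instead would get the "Protect rescue.service" suggestion although they are protected. The first two LogText lines still print the hard-coded `/usr/lib/systemd/system/rescue.service`, and FOUND is set to 1 here without a visible reset.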