github.com/CISOfy/lynis.git - Unnamed repository; edit this file 'description' to name the repository.
Diffstat (limited to 'include/tests_time')
-rw-r--r--include/tests_time115
1 files changed, 64 insertions, 51 deletions
diff --git a/include/tests_time b/include/tests_time
index 7c15d0a3..eda41a6f 100644
--- a/include/tests_time
+++ b/include/tests_time
@@ -86,9 +86,8 @@
# Reason: openntpd syncs only if large time corrections are not required or -s is passed.
# This might be not intended by the administrator (-s is NOT the default!)
FIND=$(${PSBINARY} ax | ${GREPBINARY} "ntpd: ntp engine" | ${GREPBINARY} -v "grep")
- ${NTPCTLBINARY} -s status > /dev/null 2> /dev/null
# Status code 0 is when communication over the socket is successfull
- if [ "$?" -eq 0 ]; then
+ if ${NTPCTLBINARY} -s status > /dev/null 2> /dev/null; then
FOUND=1; NTP_DAEMON_RUNNING=1; NTP_CONFIG_TYPE_DAEMON=1; NTP_DAEMON="openntpd"
LogText "result: found openntpd (method: ntpctl)"
OPENNTPD_COMMUNICATION=1
@@ -101,7 +100,7 @@
LogText "result: running openntpd not found, but ntpctl is instaalled"
fi
- if [ "${NTP_DAEMON}" == "openntpd" ]; then
+ if [ "${NTP_DAEMON}" = "openntpd" ]; then
Display --indent 2 --text "- NTP daemon found: OpenNTPD" --result "${STATUS_FOUND}" --color GREEN
fi
fi
@@ -124,39 +123,30 @@
fi
# Check timedate daemon (systemd)
- if [ -n "${TIMEDATECTL}" ]; then
- FIND=$(${TIMEDATECTL} status | ${EGREPBINARY} "(NTP|System clock) synchronized: yes")
- if [ -n "${FIND}" ]; then
- # Check for systemd-timesyncd
- if [ -f ${ROOTDIR}etc/systemd/timesyncd.conf ]; then
- LogText "Result: found ${ROOTDIR}etc/systemd/timesyncd.conf"
- FOUND=1; NTP_DAEMON_RUNNING=1; NTP_CONFIG_TYPE_DAEMON=1; NTP_DAEMON="systemd-timesyncd"
- Display --indent 2 --text "- NTP daemon found: systemd (timesyncd)" --result "${STATUS_FOUND}" --color GREEN
- SYSTEMD_NTP_ENABLED=1
- else
- LogText "Result: ${ROOTDIR}etc/systemd/timesyncd.conf does not exist"
- fi
- else
- LogText "Result: time synchronization not performed according timedatectl command"
- fi
- else
- LogText "Result: timedatectl command not available on this system"
+ FIND=$(${PSBINARY} ax | ${GREPBINARY} "systemd-timesyncd" | ${GREPBINARY} -v "grep")
+ if [ -n "${FIND}" ]; then
+ FOUND=1; NTP_DAEMON_RUNNING=1; NTP_CONFIG_TYPE_DAEMON=1; NTP_DAEMON="systemd-timesyncd"
+ Display --indent 2 --text "- NTP daemon found: systemd (timesyncd)" --result "${STATUS_FOUND}" --color GREEN
+ LogText "Result: Found running systemd-timesyncd in process list"
fi
# Check crontab for OpenBSD/FreeBSD
# Check anacrontab for Linux
CRONTAB_FILES="/etc/anacrontab /etc/crontab"
+ # Regex for matching multiple time synchronisation binaries
+ # Partial sanity check for sntp and ntpdig, but this does not consider all corner cases
+ CRONTAB_REGEX='ntpdate|rdate|sntp.+-(s|j|--adj)|ntpdig.+-(S|s)'
for I in ${CRONTAB_FILES}; do
if [ -f ${I} ]; then
- LogText "Test: checking for ntpdate or rdate in crontab file ${I}"
- FIND=$(${EGREPBINARY} "ntpdate|rdate" ${I} | ${GREPBINARY} -v '^#')
+ LogText "Test: checking for ntpdate, rdate, sntp or ntpdig in crontab file ${I}"
+ FIND=$(${EGREPBINARY} "${CRONTAB_REGEX}" ${I} | ${GREPBINARY} -v '^#')
if [ -n "${FIND}" ]; then
FOUND=1; NTP_CONFIG_TYPE_SCHEDULED=1
Display --indent 2 --text "- Checking NTP client in crontab file (${I})" --result "${STATUS_FOUND}" --color GREEN
- LogText "Result: found ntpdate or rdate reference in crontab file ${I}"
+ LogText "Result: found ntpdate, rdate, sntp or ntpdig reference in crontab file ${I}"
else
#Display --indent 2 --text "- Checking NTP client in crontab file (${I})" --result "${STATUS_NOT_FOUND}" --color WHITE
- LogText "Result: no ntpdate or rdate reference found in crontab file ${I}"
+ LogText "Result: no ntpdate, rdate, sntp or ntpdig reference found in crontab file ${I}"
fi
else
LogText "Result: crontab file ${I} not found"
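Review bot: In `CRONTAB_REGEX` the branch `-(s|j|--adj)` puts the long-option alternative behind the leading `-`, so it only matches three dashes (`---adj`); if the intent is a long option beginning with `--adj`, the group should read `-(s|j|-adj)`. The `.+-(s|j)` and `.+-(S|s)` parts are also unanchored, so a hyphenated host name containing `-s` after `sntp` or `ntpdig` satisfies the pattern without any set-clock flag; requiring whitespace before the dash, e.g. `sntp.*[[:space:]]-(s|j|-adj)`, would narrow that. Separately, the timesyncd check now matches any command line in the `ps ax` output that contains `systemd-timesyncd` and logs nothing on a miss, so the audit log no longer records why the daemon was not detected; an `else` branch with `LogText "Result: systemd-timesyncd not found in process list"` would restore that. The enclosing `for` loop over `CRONTAB_FILES` continues past the end of the hunk.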
@@ -169,31 +159,18 @@
# Check cron jobs
for I in ${CRON_DIRS}; do
- if [ -d ${I} ]; then
- if FileIsReadable ${I}; then
- FIND=$(${FINDBINARY} ${I} -type f -a ! -name ".placeholder" -print 2> /dev/null | ${SEDBINARY} 's/ /__space__/g' | ${TRBINARY} '\n' '\0' | ${TRBINARY} -cd '[:print:]\0' | ${TRBINARY} '\0' ' ')
+ for J in "${I}"/*; do # iterate over folders in a safe way
+ # Check: regular file, readable and not called .placeholder
+ FIND=$(echo "${J}" | ${EGREPBINARY} '/.placeholder$')
+ if [ -f "${J}" ] && [ -r "${J}" ] && [ -z "${FIND}" ]; then
+ LogText "Test: checking for ntpdate, rdate, sntp or ntpdig in ${J}"
+ FIND=$("${EGREPBINARY}" "${CRONTAB_REGEX}" "${J}" | "${GREPBINARY}" -v "^#")
if [ -n "${FIND}" ]; then
- for J in ${FIND}; do
- # Place back spaces if needed
- J=$(echo ${J} | ${SEDBINARY} 's/__space__/ /g')
- LogText "Test: checking for ntpdate or rdate in ${J}"
- if FileIsReadable ${J}; then
- FIND2=$(${EGREPBINARY} "rdate|ntpdate" "${J}" | ${GREPBINARY} -v "^#")
- if [ -n "${FIND2}" ]; then
- LogText "Positive match found: ${FIND2}"
- FOUND=1; FOUND_IN_CRON=1; NTP_CONFIG_TYPE_SCHEDULED=1
- fi
- else
- LogText "Result: could not test in file '${J}' as it is not readable"
- fi
- done
- else
- LogText "Result: ${I} is empty, skipping search in directory"
+ FOUND=1; FOUND_IN_CRON=1; NTP_CONFIG_TYPE_SCHEDULED=1
+ LogText "Result: found ntpdate, rdate, sntp or ntpdig in ${J}"
fi
- else
- LogText "Result: could not search in directory due to permissions"
fi
- fi
+ done
done
if [ ${FOUND_IN_CRON} -eq 1 ]; then
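Review bot: Files that exist but cannot be read are now skipped silently: the combined `[ -f "${J}" ] && [ -r "${J}" ] && [ -z "${FIND}" ]` test replaces the old `FileIsReadable` branches and their "could not test in file" and "could not search in directory due to permissions" log lines, so a scan without sufficient privileges can conclude that no scheduled time sync exists with nothing in the log to explain it. An `elif [ -f "${J}" ] && [ ! -r "${J}" ]; then` branch with `LogText "Result: could not test in file '${J}' as it is not readable"` would keep that evidence. The `"${I}"/*` glob also looks only at the top level of each directory, whereas the removed `find ... -type f` had no depth limit, and because `*` does not expand to dot files by default the `.placeholder` filter appears redundant. `"${EGREPBINARY}"` is quoted here but unquoted in the crontab loop above; one form should be used throughout. The `if [ ${FOUND_IN_CRON} -eq 1 ]` block continues outside the hunk.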
@@ -532,7 +509,7 @@
#
# Test : TIME-3180
# Description : Report if ntpctl cannot communicate with OpenNTPD
- if [ "${NTPD_RUNNING}" -eq 1 ] && [ -n "${NTPCTLBINARY}" ] && [ "${NTP_DAEMON}" == "openntpd" ]; then
+ if [ "${NTP_DAEMON_RUNNING}" -eq 1 ] && [ -n "${NTPCTLBINARY}" ] && [ "${NTP_DAEMON}" = "openntpd" ]; then
PREQS_MET="YES"
else
PREQS_MET="NO"
@@ -548,7 +525,7 @@
#
# Test : TIME-3181
# Description : Check status of OpenNTPD time synchronisation
- if [ "${NTPD_RUNNING}" -eq 1 ] && [ -n "${NTPCTLBINARY}" ] && [ "${NTP_DAEMON}" == "openntpd" ] && [ "${OPENNTPD_COMMUNICATION}" -eq 1 ]; then
+ if [ "${NTP_DAEMON_RUNNING}" -eq 1 ] && [ -n "${NTPCTLBINARY}" ] && [ "${NTP_DAEMON}" = "openntpd" ] && [ "${OPENNTPD_COMMUNICATION}" -eq 1 ]; then
PREQS_MET="YES"
else
PREQS_MET="NO"
@@ -567,7 +544,7 @@
# Test : TIME-3182
# Description : Check OpenNTPD has working peers
- if [ "${NTPD_RUNNING}" -eq 1 ] && [ -n "${NTPCTLBINARY}" ] && [ "${NTP_DAEMON}" == "openntpd" ] && [ "${OPENNTPD_COMMUNICATION}" -eq 1 ]; then
+ if [ "${NTP_DAEMON_RUNNING}" -eq 1 ] && [ -n "${NTPCTLBINARY}" ] && [ "${NTP_DAEMON}" = "openntpd" ] && [ "${OPENNTPD_COMMUNICATION}" -eq 1 ]; then
PREQS_MET="YES"
else
PREQS_MET="NO"
@@ -576,11 +553,47 @@
Register --test-no TIME-3182 --preqs-met "${PREQS_MET}" --weight L --network NO --category security --description "Check OpenNTPD has working peers"
if [ ${SKIPTEST} -eq 0 ]; then
# Format is "xx/yy peers valid, ..."
- FIND=$(${NTPCTLBINARY} -s status | ${EGREPBINARY} -o "[0-9]{1,4}/" | ${EGREPBINARY} -o "[0-9]{1,4}" )
- if [ -n "${FIND}" ] || [ "${FIND}" -eq 0 ]; then
+ FIND=$(${NTPCTLBINARY} -s status | ${EGREPBINARY} -o '[0-9]+/[0-9]+' | ${CUTBINARY} -d '/' -f 1)
+ if [ -z "${FIND}" ] || [ "${FIND}" -eq 0 ]; then
ReportWarning "${TEST_NO}" "OpenNTPD has no peers" "${NTPCTLBINARY} -s status"
fi
fi
+
+#
+#################################################################################
+#
+
+ # Test : TIME-3185
+ # Description : Check systemd-timesyncd synchronized time
+
+ if [ "${NTP_DAEMON}" = "systemd-timesyncd" ]; then
+ PREQS_MET="YES"
+ else
+ PREQS_MET="NO"
+ fi
+
+
+ Register --test-no TIME-3185 --preqs-met "${PREQS_MET}" --weight L --network NO --category "security" --description "Check systemd-timesyncd synchronized time"
+ SYNCHRONIZED_FILE="/run/systemd/timesync/synchronized"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ if [ -e "${SYNCHRONIZED_FILE}" ]; then
+ FIND=$(( $(date +%s) - $(${STATBINARY} -L --format %Y "${SYNCHRONIZED_FILE}") ))
+ # Check if last sync was more than 2048 seconds (= the default of systemd) ago
+ if [ "${FIND}" -ge 2048 ]; then
+ COLOR=RED
+ ReportWarning "${TEST_NO}" "systemd-timesyncd did not synchronized the time recently."
+ else
+ COLOR=GREEN
+ fi
+ Display --indent 2 --text "- Last time synchronization" --result "${FIND}s" --color "${COLOR}"
+ LogText "Result: systemd-timesyncd synchronized time ${FIND} seconds ago."
+ else
+ Display --indent 2 --text "- Last time synchronization" --result "${STATUS_NOT_FOUND}" --color RED
+ ReportWarning "${TEST_NO}" "systemd-timesyncd never successfully synchronized time"
+ fi
+ fi
+ unset SYNCHRONIZED_FILE
+
#
#################################################################################
#
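Review bot: The staleness limit in TIME-3185 is the same 2048 seconds that the comment gives as systemd's default, so `[ "${FIND}" -ge 2048 ]` can raise a warning on a healthy host that is simply at the end of a poll interval, and would presumably warn constantly where a longer interval is configured; comparing against the limit plus some slack, or a comment explaining why no margin is needed, would avoid false findings. The age calculation also has no guard for a failing `stat`: if `${STATBINARY}` is empty or the file disappears after the `-e` test, the arithmetic expansion receives an empty operand and the shell reports a syntax error. Capturing the value first, `MTIME=$(${STATBINARY} -L --format %Y "${SYNCHRONIZED_FILE}" 2> /dev/null)`, and computing `FIND` only when `[ -n "${MTIME}" ]` holds would let the test report the problem instead of erroring. The warning text should read `"systemd-timesyncd did not synchronize the time recently."`.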