
github.com/CISOfy/lynis.git - Unnamed repository; edit this file 'description' to name the repository.
Diffstat (limited to 'plugins')
-rw-r--r--plugins/plugin_pam_phase150
-rw-r--r--plugins/plugin_systemd_phase136
2 files changed, 43 insertions, 43 deletions
diff --git a/plugins/plugin_pam_phase1 b/plugins/plugin_pam_phase1
index e558031e..55583f0d 100644
--- a/plugins/plugin_pam_phase1
+++ b/plugins/plugin_pam_phase1
@@ -68,25 +68,25 @@
# Check if the PAM directory structure exists
if [ -d ${PAM_DIRECTORY} ]; then
LogText "Result: /etc/pam.d exists"
- FIND_FILES=`find ${PAM_DIRECTORY} -type f -print`
+ FIND_FILES=$(find ${PAM_DIRECTORY} -type f -print)
# First check /etc/pam.conf if it exists.
#if [ -f /etc/pam.conf ]; then FIND="/etc/pam.conf ${FIND}"; fi
for PAM_FILE in ${FIND_FILES}; do
LogText "Now checking PAM file ${PAM_FILE}"
while read line; do
# Strip empty lines, commented lines, tabs, line breaks (\), then finally remove all double spaces
- LINE=`echo $line | grep -v "^#" | grep -v "^$" | tr '\011' ' ' | sed 's/\\\n/ /' | sed 's/ / /g' | sed 's/ #\(.*\)$//'`
+ LINE=$(echo $line | grep -v "^#" | grep -v "^$" | tr '\011' ' ' | sed 's/\\\n/ /' | sed 's/ / /g' | sed 's/ #\(.*\)$//')
if [ ! "${LINE}" = "" ]; then
- PAM_SERVICE=`echo ${PAM_FILE} | awk -F/ '{ print $NF }'`
+ PAM_SERVICE=$(echo ${PAM_FILE} | awk -F/ '{ print $NF }')
PAM_CONTROL_FLAG="-"
PAM_CONTROL_OPTIONS="-"
PAM_MODULE="-"
PAM_MODULE_OPTIONS="-"
- PAM_TYPE=`echo ${LINE} | awk '{ print $1 }'`
+ PAM_TYPE=$(echo ${LINE} | awk '{ print $1 }')
PARSELINE=0
case ${PAM_TYPE} in
"@include")
- FILE=`echo ${LINE} | awk '{ print $2 }'`
+ FILE=$(echo ${LINE} | awk '{ print $2 }')
Debug "Result: Found @include in ${PAM_FILE}. Does include PAM settings from file ${FILE} (which is individually processed)"
;;
"account")
@@ -106,16 +106,16 @@
;;
esac
if [ ${PARSELINE} -eq 1 ]; then
- MULTIPLE_OPTIONS=`echo ${LINE} | awk '$2 ~ /^\[/'`
+ MULTIPLE_OPTIONS=$(echo ${LINE} | awk '$2 ~ /^\[/')
if [ ! "${MULTIPLE_OPTIONS}" = "" ]; then
# Needs more parsing, depending on the options found
- PAM_CONTROL_OPTIONS=`echo ${LINE} | sed "s/^.*\[//" | sed "s/\].*$//"`
+ PAM_CONTROL_OPTIONS=$(echo ${LINE} | sed "s/^.*\[//" | sed "s/\].*$//")
LogText "Result: Found brackets in line, indicating multiple options for control flags: ${PAM_CONTROL_OPTIONS}"
- LINE=`echo ${LINE} | sed "s/ \[.*\] / other /"`
+ LINE=$(echo ${LINE} | sed "s/ \[.*\] / other /")
fi
- PAM_MODULE=`echo ${LINE} | awk '{ print $3 }'`
- PAM_MODULE_OPTIONS=`echo ${LINE} | cut -d ' ' -f 4-`
- PAM_CONTROL_FLAG=`echo ${LINE} | awk '{ print $2 }'`
+ PAM_MODULE=$(echo ${LINE} | awk '{ print $3 }')
+ PAM_MODULE_OPTIONS=$(echo ${LINE} | cut -d ' ' -f 4-)
+ PAM_CONTROL_FLAG=$(echo ${LINE} | awk '{ print $2 }')
case ${PAM_CONTROL_FLAG} in
"optional"|"required"|"requisite"|"sufficient")
#Debug "Found a common control flag: ${PAM_CONTROL_FLAG} for ${PAM_MODULE}"
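Review bot: The unquoted `echo ${LINE}` calls in this hunk (and `echo $line` / `echo ${I}` in the other PAM hunks) let the shell glob the PAM text before it is parsed, so a single-token control such as `[default=die]` is a bracket pattern that can be replaced by a matching one-character file name in the directory the audit runs from. That makes the parsed module and control flag depend on the working directory rather than only on the PAM file. Quote the expansion, e.g. `PAM_CONTROL_FLAG=$(echo "${LINE}" | awk '{ print $2 }')`; quoting keeps internal whitespace, so confirm that the normalisation done where `LINE` is first built is enough for the `cut -d ' ' -f 4-` here. The enclosing loop and `case` start and end outside the hunk.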
@@ -135,7 +135,7 @@
LogText "Result: using module ${PAM_MODULE} (${PAM_CONTROL_FLAG}) without options configured"
fi
- PAM_MODULE_NAME=`echo ${PAM_MODULE} | sed 's/.so$//'`
+ PAM_MODULE_NAME=$(echo ${PAM_MODULE} | sed 's/.so$//')
#
# Specific PAMs are commonly seen on these platforms:
#
@@ -202,8 +202,8 @@
if [ "${PAM_PASSWORD_PWHISTORY_AMOUNT}" = "" ]; then PAM_PASSWORD_PWHISTORY_AMOUNT=10; fi
if [ ! "${PAM_MODULE_OPTIONS}" = "" ]; then
for I in ${PAM_MODULE_OPTIONS}; do
- OPTION=`echo ${I} | awk -F= '{ print $1 }'`
- VALUE=`echo ${I} | awk -F= '{ print $2 }'`
+ OPTION=$(echo ${I} | awk -F= '{ print $1 }')
+ VALUE=$(echo ${I} | awk -F= '{ print $2 }')
CREDITS_CONFIGURED=0
case ${OPTION} in
remember)
@@ -231,8 +231,8 @@
LogText "Result: found ${PAM_MODULE} module (generic)"
if [ ! "${PAM_MODULE_OPTIONS}" = "" ]; then
for I in ${PAM_MODULE_OPTIONS}; do
- OPTION=`echo ${I} | awk -F= '{ print $1 }'`
- VALUE=`echo ${I} | awk -F= '{ print $2 }'`
+ OPTION=$(echo ${I} | awk -F= '{ print $1 }')
+ VALUE=$(echo ${I} | awk -F= '{ print $2 }')
CREDITS_CONFIGURED=0
case ${OPTION} in
remember)
@@ -268,9 +268,9 @@
if [ ! "${PAM_MODULE_OPTIONS}" = "" ]; then
Debug "Module options configured"
for I in ${PAM_MODULE_OPTIONS}; do
- OPTION=`echo ${I} | awk -F= '{ print $1 }'`
+ OPTION=$(echo ${I} | awk -F= '{ print $1 }')
Debug ${OPTION}
- VALUE=`echo ${I} | awk -F= '{ print $2 }'`
+ VALUE=$(echo ${I} | awk -F= '{ print $2 }')
CREDITS_CONFIGURED=0
case ${OPTION} in
minlen)
@@ -286,7 +286,7 @@
MAX_PASSWORD_RETRY=${VALUE}
;;
minclass)
- # Minimum number of class required out of upper, lower, digit and oters
+ # Minimum number of class required out of upper, lower, digit and others
LogText "Result: Min number of password class is configured"
MIN_PASSWORD_CLASS=${VALUE}
;;
@@ -318,8 +318,8 @@
fi
if [ ! "${PAM_MODULE_OPTIONS}" = "" ]; then
for I in ${PAM_MODULE_OPTIONS}; do
- OPTION=`echo ${I} | awk -F= '{ print $1 }'`
- VALUE=`echo ${I} | awk -F= '{ print $2 }'`
+ OPTION=$(echo ${I} | awk -F= '{ print $1 }')
+ VALUE=$(echo ${I} | awk -F= '{ print $2 }')
case ${OPTION} in
deny)
AUTH_BLOCK_BAD_LOGIN_ATTEMPTS="${VALUE}"
@@ -402,7 +402,7 @@ if [ ${PAM_PASSWORD_STRENGTH_TESTED} -eq 1 ]; then
# Digits
if [ ${CREDITS_D_PASSWORD} -lt 0 ]; then
- CREDITS_D_PASSWORD=`echo ${CREDITS_D_PASSWORD} | cut -b 2-`
+ CREDITS_D_PASSWORD=$(echo ${CREDITS_D_PASSWORD} | cut -b 2-)
LogText "[PAM] Minimum number of Digital characters required: ${CREDITS_D_PASSWORD}"
Report "password_min_digital_required=${CREDITS_D_PASSWORD}"
elif [ ${CREDITS_D_PASSWORD} -ge 0 ]; then
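Review bot: Stripping the sign with `echo ${CREDITS_D_PASSWORD} | cut -b 2-` spawns a pipeline for what POSIX parameter expansion does directly, `CREDITS_D_PASSWORD=${CREDITS_D_PASSWORD#-}`; the same applies to the L, O and U variants in the next three hunks. The surrounding `[ ${CREDITS_D_PASSWORD} -lt 0 ]` tests are unquoted, so an empty or non-numeric value (presumably taken from a PAM option parsed outside this hunk) makes `[` fail with an error and neither branch runs. The if/elif chain continues past the hunk.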
@@ -412,7 +412,7 @@ if [ ${PAM_PASSWORD_STRENGTH_TESTED} -eq 1 ]; then
# Lowercase
if [ ${CREDITS_L_PASSWORD} -lt 0 ]; then
- CREDITS_L_PASSWORD=`echo ${CREDITS_L_PASSWORD} | cut -b 2-`
+ CREDITS_L_PASSWORD=$(echo ${CREDITS_L_PASSWORD} | cut -b 2-)
LogText "[PAM] Minimum number of Lowercase characters required: ${CREDITS_L_PASSWORD}"
Report "password_min_l_required=${CREDITS_L_PASSWORD}"
elif [ ${CREDITS_L_PASSWORD} -ge 0 ]; then
@@ -422,7 +422,7 @@ if [ ${PAM_PASSWORD_STRENGTH_TESTED} -eq 1 ]; then
# Other characters
if [ ${CREDITS_O_PASSWORD} -lt 0 ]; then
- CREDITS_O_PASSWORD=`echo ${CREDITS_O_PASSWORD} | cut -b 2-`
+ CREDITS_O_PASSWORD=$(echo ${CREDITS_O_PASSWORD} | cut -b 2-)
LogText "[PAM] Minimum number of Other characters required: ${CREDITS_O_PASSWORD}"
Report "password_min_other_required=${CREDITS_O_PASSWORD}"
elif [ ${CREDITS_O_PASSWORD} -ge 0 ]; then
@@ -432,7 +432,7 @@ if [ ${PAM_PASSWORD_STRENGTH_TESTED} -eq 1 ]; then
# Uppercase
if [ ${CREDITS_U_PASSWORD} -lt 0 ]; then
- CREDITS_U_PASSWORD=`echo ${CREDITS_U_PASSWORD} | cut -b 2-`
+ CREDITS_U_PASSWORD=$(echo ${CREDITS_U_PASSWORD} | cut -b 2-)
LogText "[PAM] Minimum number of Uppercase characters required: ${CREDITS_U_PASSWORD}"
Report "password_min_u_required=${CREDITS_U_PASSWORD}"
elif [ ${CREDITS_U_PASSWORD} -ge 0 ]; then
diff --git a/plugins/plugin_systemd_phase1 b/plugins/plugin_systemd_phase1
index 53a72b12..a3544c3d 100644
--- a/plugins/plugin_systemd_phase1
+++ b/plugins/plugin_systemd_phase1
@@ -39,7 +39,7 @@
if [ ! "${SYSTEMCTLBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PLGN-3800 --preqs-met ${PREQS_MET} --weight L --network NO --description "Gather systemctl exit code" --progress
if [ ${SKIPTEST} -eq 0 ]; then
- FIND=`${SYSTEMCTLBINARY} > /dev/null`
+ FIND=$(${SYSTEMCTLBINARY} > /dev/null)
if [ $? -gt 0 ]; then
Report "systemctl_error_message=${FIND}"
else
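Review bot: `FIND` is always empty after `FIND=$(${SYSTEMCTLBINARY} > /dev/null)`, because stdout is discarded inside the substitution and stderr is not captured, so `Report "systemctl_error_message=${FIND}"` never carries a message. If the intent is to record the error text, capture stderr instead: `FIND=$(${SYSTEMCTLBINARY} 2>&1 > /dev/null)`. The `$?` test on the following line still sees systemctl's exit status after the assignment. The if block continues past the hunk.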
@@ -57,13 +57,13 @@
if [ ! "${SYSTEMCTLBINARY}" = "" -a ${SYSTEMD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PLGN-3802 --preqs-met ${PREQS_MET} --weight L --network NO --description "Query systemd version and options" --progress
if [ ${SKIPTEST} -eq 0 ]; then
- FIND=`${SYSTEMCTLBINARY} --version 2> /dev/null | ${AWKBINARY} '{ if ($1=="systemd") { print $2 } }' | grep "^[1-9][0-9][0-9]$" | head -1`
+ FIND=$(${SYSTEMCTLBINARY} --version 2> /dev/null | ${AWKBINARY} '{ if ($1=="systemd") { print $2 } }' | grep "^[1-9][0-9][0-9]$" | head -1)
if [ ! "${FIND}" = "" ]; then
SYSTEMD_VERSION=${FIND}
Report "systemd_version=${FIND}"
LogText "Result: found systemd version ${FIND}"
fi
- FIND=`${SYSTEMCTLBINARY} --version 2> /dev/null | grep "^[-+]" | sed 's/[[:space:]]/,/g' | head -1`
+ FIND=$(${SYSTEMCTLBINARY} --version 2> /dev/null | grep "^[-+]" | sed 's/[[:space:]]/,/g' | head -1)
if [ ! "${FIND}" = "" ]; then
Report "systemd_builtin_components=${FIND}"
LogText "Result: found builtin components list"
@@ -77,7 +77,7 @@
if [ ! "${SYSTEMCTLBINARY}" = "" -a ${SYSTEMD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PLGN-3804 --preqs-met ${PREQS_MET} --weight L --network NO --description "Gather systemd unit files and their status" --progress
if [ ${SKIPTEST} -eq 0 ]; then
- FIND=`${SYSTEMCTLBINARY} --no-legend list-unit-files 2> /dev/null | ${AWKBINARY} '{ print $1"|"$2"|" }'`
+ FIND=$(${SYSTEMCTLBINARY} --no-legend list-unit-files 2> /dev/null | ${AWKBINARY} '{ print $1"|"$2"|" }')
if [ ! "${FIND}" = "" ]; then
LogText "Result: found systemd unit files via systemctl list-unit-files"
for I in ${FIND}; do
@@ -94,7 +94,7 @@
if [ ! "${SYSTEMCTLBINARY}" = "" -a ${SYSTEMD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PLGN-3806 --preqs-met ${PREQS_MET} --weight L --network NO --description "Gather failed systemd units" --progress
if [ ${SKIPTEST} -eq 0 ]; then
- FIND=`${SYSTEMCTLBINARY} --no-legend --state=failed 2> /dev/null | ${AWKBINARY} '{ if ($4=="failed" && $5=="failed") { print $2 } }'`
+ FIND=$(${SYSTEMCTLBINARY} --no-legend --state=failed 2> /dev/null | ${AWKBINARY} '{ if ($4=="failed" && $5=="failed") { print $2 } }')
if [ ! "${FIND}" = "" ]; then
LogText "Result: found systemd unit files via systemctl list-unit-files"
for I in ${FIND}; do
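Review bot: The `LogText` line in this failed-units test (PLGN-3806) still reads `found systemd unit files via systemctl list-unit-files`, the same text as PLGN-3804, so the audit log does not show that failed units were detected. Suggest `LogText "Result: found one or more failed systemd units"`. The awk filter also depends on fixed column positions (`$4`, `$5`, `$2`), which may shift if systemctl prints a leading status marker; a short comment stating the expected column layout would help. The loop body is outside the hunk.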
@@ -111,7 +111,7 @@
if [ -f /etc/machine-id -a ${SYSTEMD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PLGN-3808 --preqs-met ${PREQS_MET} --weight L --network NO --description "Gather systemd machine ID" --progress
if [ ${SKIPTEST} -eq 0 ]; then
- FIND=`cat /etc/machine-id | head -1`
+ FIND=$(cat /etc/machine-id | head -1)
if [ ! "${FIND}" = "" ]; then
SYSTEMD_MACHINEID="${FIND}"
LogText "Result: found machine ID: ${SYSTEMD_MACHINEID}"
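Review bot: `LogText "Result: found machine ID: ${SYSTEMD_MACHINEID}"` writes the full machine ID into the audit log, and machine-id(5) asks that this value be treated as confidential. Consider logging only that an ID was found, `LogText "Result: found machine ID"`, and leaving the value to the report field if it is needed there. The read itself can drop the extra process: `FIND=$(head -1 /etc/machine-id)`. The if block continues past the hunk.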
@@ -125,7 +125,7 @@
if [ ! "${FINDBINARY}" = "" -a -d /usr/lib/systemd -a ${SYSTEMD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PLGN-3810 --preqs-met ${PREQS_MET} --weight L --network NO --description "Query main systemd binaries" --progress
if [ ${SKIPTEST} -eq 0 ]; then
- FIND=`find /usr/lib/systemd -maxdepth 1 -type f -name "systemd-*" -printf "%f|"`
+ FIND=$(find /usr/lib/systemd -maxdepth 1 -type f -name "systemd-*" -printf "%f|")
if [ ! "${FIND}" = "" ]; then
Report "systemd_binaries=${FIND}"
LogText "Result: found systemd binaries in /usr/lib/systemd"
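Review bot: The prerequisite for PLGN-3810 checks `${FINDBINARY}`, but the command then runs bare `find`, resolved through PATH, so the binary that was checked is not necessarily the one executed. Use the variable: `FIND=$(${FINDBINARY} /usr/lib/systemd -maxdepth 1 -type f -name "systemd-*" -printf "%f|")`. `-printf` is a GNU find extension, which is probably acceptable on systemd hosts but worth a comment. The if block continues past the hunk.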
@@ -141,10 +141,10 @@
if [ ! "${JOURNALCTLBINARY}" = "" -a ${SYSTEMD_RUNNING} -eq 1 -a ${SYSTEMD_VERSION} -ge 209 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PLGN-3812 --preqs-met ${PREQS_MET} --weight L --network NO --description "Query journal for boot related information" --progress
if [ ${SKIPTEST} -eq 0 ]; then
- FIND=`${JOURNALCTLBINARY} --list-boots | wc -l`
+ FIND=$(${JOURNALCTLBINARY} --list-boots | wc -l)
LogText "Output: number of boots listed in journal is ${FIND}"
if [ ! "${FIND}" = "" ]; then Report "journal_bootlogs=${FIND}"; fi
- FIND=`${JOURNALCTLBINARY} --list-boots | head -1 | awk '{ print $4 }'`
+ FIND=$(${JOURNALCTLBINARY} --list-boots | head -1 | awk '{ print $4 }')
LogText "Output: oldest boot date in journal is ${FIND}"
if [ ! "${FIND}" = "" ]; then Report "journal_oldest_bootdate=${FIND}"; fi
fi
@@ -156,11 +156,11 @@
if [ ! "${JOURNALCTLBINARY}" = "" -a ${SYSTEMD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PLGN-3814 --preqs-met ${PREQS_MET} --weight L --network NO --description "Verify journal integrity" --progress
if [ ${SKIPTEST} -eq 0 ]; then
- FIND=`${JOURNALCTLBINARY} --verify 2>&1 | grep FAIL | sed 's/[[:space:]]/:space:/g'`
+ FIND=$(${JOURNALCTLBINARY} --verify 2>&1 | grep FAIL | sed 's/[[:space:]]/:space:/g')
if [ ! "${FIND}" = "" ]; then
Report "journal_contains_errors=1"
for I in ${FIND}; do
- LINE=`echo ${I} | sed 's/:space:/ /g'`
+ LINE=$(echo ${I} | sed 's/:space:/ /g')
LogText "Output (fails): ${LINE}"
done
else
@@ -176,7 +176,7 @@
if [ ! "${JOURNALCTLBINARY}" = "" -a ${SYSTEMD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PLGN-3816 --preqs-met ${PREQS_MET} --weight L --network NO --description "Query journal for boot related information" --progress
if [ ${SKIPTEST} -eq 0 ]; then
- FIND=`${JOURNALCTLBINARY} --disk-usage | awk '{ if ($1=="Journals") { print $4 }}'`
+ FIND=$(${JOURNALCTLBINARY} --disk-usage | awk '{ if ($1=="Journals") { print $4 }}')
Report "journal_disk_size=${FIND}"
LogText "Result: journals are ${FIND} in size"
fi
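Review bot: `Report "journal_disk_size=${FIND}"` is written unconditionally, unlike the guarded reports in PLGN-3812, so an empty value reaches the report whenever the awk filter matches nothing. The filter only prints when the first word of the `--disk-usage` output is `Journals`, and systemd releases that word the sentence differently would yield an empty `FIND`. Guard it the same way as the neighbouring tests: `if [ ! "${FIND}" = "" ]; then Report "journal_disk_size=${FIND}"; fi`. The `--description` text on the `Register` line is also a copy of PLGN-3812's and does not mention disk usage.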
@@ -188,7 +188,7 @@
if [ ! "${JOURNALCTLBINARY}" = "" -a ${SYSTEMD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PLGN-3818 --preqs-met ${PREQS_MET} --weight L --network NO --description "Query journal meta data" --progress
if [ ${SKIPTEST} -eq 0 ]; then
- FIND=`${JOURNALCTLBINARY} --header | sed 's/^$/|/g' | tr '\n' ',' | sed 's/[[:space:]]//g'`
+ FIND=$(${JOURNALCTLBINARY} --header | sed 's/^$/|/g' | tr '\n' ',' | sed 's/[[:space:]]//g')
Report "journal_meta_data=${FIND}"
fi
#
@@ -214,7 +214,7 @@
if [ ! "${SYSTEMCTLBINARY}" = "" -a ${SYSTEMD_RUNNING} -eq 1 -a ${SYSTEMD_VERSION} -ge 215 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PLGN-3830 --preqs-met ${PREQS_MET} --weight L --network NO --description "Query systemd status" --progress
if [ ${SKIPTEST} -eq 0 ]; then
- FIND=`${SYSTEMCTLBINARY} is-system-running 2> /dev/null | head -1`
+ FIND=$(${SYSTEMCTLBINARY} is-system-running 2> /dev/null | head -1)
if [ ! "${FIND}" = "" ]; then
Report "systemd_status=${FIND}"
LogText "Result: found systemd status = ${FIND}"
@@ -228,7 +228,7 @@
if [ ! "${SYSTEMCTLBINARY}" = "" -a ${SYSTEMD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PLGN-3832 --preqs-met ${PREQS_MET} --weight L --network NO --description "Query systemd status for processes which can not be found" --progress
if [ ${SKIPTEST} -eq 0 ]; then
- FIND=`${SYSTEMCTLBINARY} --no-legend --all --state=not-found 2> /dev/null | awk '{ print $1 }'`
+ FIND=$(${SYSTEMCTLBINARY} --no-legend --all --state=not-found 2> /dev/null | awk '{ print $1 }')
if [ ! "${FIND}" = "" ]; then
for I in ${FIND}; do
Report "systemd_unit_not_found[]=${I}"
@@ -243,7 +243,7 @@
if [ ! "${SYSTEMCTLBINARY}" = "" -a ! "${AWKBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PLGN-3834 --preqs-met ${PREQS_MET} --weight L --network NO --description "Collect service units which can not be found in systemd" --progress
if [ ${SKIPTEST} -eq 0 ]; then
- FIND=`${SYSTEMCTLBINARY} list-units -t service --all | ${AWKBINARY} '{ if ($3=="not-found") { print $2 }}'`
+ FIND=$(${SYSTEMCTLBINARY} list-units -t service --all | ${AWKBINARY} '{ if ($3=="not-found") { print $2 }}')
if [ ! "${FIND}" = "" ]; then
LogText "Result: found one or more services with faulty state"
for I in ${FIND}; do
@@ -261,7 +261,7 @@
Register --test-no PLGN-3856 --preqs-met ${PREQS_MET} --weight L --network NO --description "Query coredumps from journals since Yesterday" --progress
if [ ${SKIPTEST} -eq 0 ]; then
SYSTEMD_COREDUMP_USED=1
- FIND=`cat /proc/sys/kernel/core_pattern | grep systemd-coredump`
+ FIND=$(cat /proc/sys/kernel/core_pattern | grep systemd-coredump)
if [ ! "${FIND}" = "" ]; then
LogText "Result: systemd uses systemd-coredump to handle coredumps"
Report "systemd_coredump_used=1"
@@ -281,7 +281,7 @@
if [ ! "${JOURNALCTLBINARY}" = "" -a ${SYSTEMD_COREDUMP_USED} -eq 1 -a ${SYSTEMD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PLGN-3860 --preqs-met ${PREQS_MET} --weight L --network NO --description "Query coredumps from journals since Yesterday" --progress
if [ ${SKIPTEST} -eq 0 ]; then
- FIND=`${JOURNALCTLBINARY} SYSLOG_IDENTIFIER=systemd-coredump --since=yesterday -o cat 2> /dev/null`
+ FIND=$(${JOURNALCTLBINARY} SYSLOG_IDENTIFIER=systemd-coredump --since=yesterday -o cat 2> /dev/null)
if [ ! "${FIND}" = "" ]; then
Report "journal_coredumps_lastday=1"
LogText "Result: found recent coredumps"