From 56cc2df2c22d017e4acc5c5fbd659f4e20d9c2fa Mon Sep 17 00:00:00 2001 From: mboelen Date: Mon, 8 Sep 2014 23:51:27 +0200 Subject: Adjustments to allow non-privileged scan and reduce errors on screen --- .gitignore | 0 CHANGELOG | 5 +++- include/functions | 62 ++++++++++++++++++++++++++++++++++++++------ include/tests_accounting | 2 +- include/tests_authentication | 4 +-- include/tests_crypto | 2 +- include/tests_filesystems | 7 +++-- include/tests_mac_frameworks | 38 +++++++++++++++++---------- include/tests_networking | 4 +-- include/tests_ports_packages | 2 +- include/tests_webservers | 41 ++++++++++++++++++----------- 11 files changed, 119 insertions(+), 48 deletions(-) create mode 100644 .gitignore diff --git a/.gitignore b/.gitignore new file mode 100644 index 00000000..e69de29b diff --git a/CHANGELOG b/CHANGELOG index d596ea2a..998d9e18 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -26,12 +26,15 @@ Changes: - Improved vulnerable packages test on Debian based systems (apt-check) [PKGS-7392] + - CheckUpdates function will have better output when no connection is available - Improved chown command when file permissions are incorrect + - Changed output of update test, show when status is unknown + - Remove warning for old files in /tmp [FILE-6354] - Test for actual files in /etc/modprobe.d before grepping in it - Don't show warnings for 'swap' in 4th column fstab file [FILE-6336] - Changes to parameters and functions, to allow penetration tests with Lynis - Extended SafePerms function to also check for UID - - Several tests will have root-only bit set + - Several tests will have root-only bit set now - Improved netstat tests on Arch Linux -- diff --git a/include/functions b/include/functions index 97c8e452..73750701 100644 --- a/include/functions +++ b/include/functions 
@@ -254,24 +254,70 @@ FileIsReadable() { - CHECKFILE=$1 + sFILE=$1 CANREAD=0 - if [ -d ${CHECKFILE} ]; then - OTHERPERMS=`ls -d -l ${CHECKFILE} | cut -c 8` - elif [ -f ${CHECKFILE} ]; then - OTHERPERMS=`ls -d -l ${CHECKFILE} | cut -c 8` + logtext "Test: testing if we can access ${sFILE}" + + # Check for symlink + if [ -L ${sFILE} ]; then + if [ ! "${READLINKBINARY}" = "" ]; then + tFILE=`${READLINKBINARY} ${sFILE}` + # Check if we can find the file now + if [ -f ${tFILE} ]; then + sFILE="${tFILE}" + logtext "Result: symlink found, pointing to file ${sFILE}" + elif [ -d ${tFILE} ]; then + sFILE="${tFILE}" + logtext "Result: symlink found, pointing to directory ${sFILE}" + else + # Check the full path of the symlink, strip the filename, copy the path and linked filename together + tDIR=`echo ${sFILE} | awk '{match($1, "^.*/"); print substr($1, 1, RLENGTH-1)}'` + tFILE="${tDIR}/${tFILE}" + if [ -f ${tFILE} ]; then + sFILE="${tFILE}" + logtext "Result: symlink found, seems to be file ${sFILE}" + elif [ -d ${tFILE} ]; then + sFILE="${tFILE}" + logtext "Result: symlink found, seems to be directory ${sFILE}" + fi + fi + fi + fi + # Only check the file if it isn't a symlink (after previous check) + if [ -L ${sFILE} ]; then + OTHERPERMS="-" + logtext "Result: unclear if we can read this file, as this is a symlink" + ReportException "FileIsReadable" "Can not determine symlink ${sFILE}" + elif [ -d ${sFILE} ]; then + OTHERPERMS=`ls -d -l ${sFILE} | cut -c 8` + elif [ -f ${sFILE} ]; then + OTHERPERMS=`ls -d -l ${sFILE} | cut -c 8` else OTHERPERMS="-" fi + + # Also check if we are the actual owner of the file + FILEOWNER=`ls -n ${sFILE} | awk -F" " '{ print $3 }'` + if [ "${FILEOWNER}" = "${MYID}" ]; then + logtext "Result: file is owned by our current user ID (${MYID}), checking if it is readable" + if [ -d ${sFILE} ]; then + OTHERPERMS=`ls -d -l ${sFILE} | cut -c 2` + elif [ -f ${sFILE} ]; then + OTHERPERMS=`ls -d -l ${sFILE} | cut -c 2` + fi + fi + + # YYY check group 
ownership (just in case) + # Check if we have the read bit if [ "${OTHERPERMS}" = "r" ]; then CANREAD=1 + logtext "Result: file ${sFILE} is readable (or directory accessible)." + else + logtext "Result: file ${sFILE} is NOT readable (or directory accessible), symlink, or does not exist." fi } - - - # Get Host ID GetHostID() { diff --git a/include/tests_accounting b/include/tests_accounting index e6036b6a..e751b059 100644 --- a/include/tests_accounting +++ b/include/tests_accounting @@ -136,7 +136,7 @@ # Test : ACCT-9630 # Description : Check auditd rules if [ ! "${AUDITDBINARY}" = "" -a ! "${AUDITCTLBINARY}" = "" -a ${AUDITD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi - Register --test-no ACCT-9630 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --description "Check for auditd rules" + Register --test-no ACCT-9630 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --root-only YES --description "Check for auditd rules" if [ ${SKIPTEST} -eq 0 ]; then logtext "Test: Checking auditd rules" FIND=`${AUDITCTLBINARY} -l | grep -v "No rules"` diff --git a/include/tests_authentication b/include/tests_authentication index ad59897a..a14d62ee 100644 --- a/include/tests_authentication +++ b/include/tests_authentication @@ -114,7 +114,7 @@ # Test : AUTH-9216 # Description : Check /etc/group and shadow group files if [ ! "${GRPCKBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi - Register --test-no AUTH-9216 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check group and shadow group files" + Register --test-no AUTH-9216 --preqs-met ${PREQS_MET} --weight L --network NO --root-only YES --description "Check group and shadow group files" if [ ${SKIPTEST} -eq 0 ]; then # Test : run grpck to test group files (most likely /etc/group and shadow group files) # Expected result : 0 (exit code) 
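Review bot: The new owner lookup `FILEOWNER=`ls -n ${sFILE} | awk -F" " '{ print $3 }'`` is missing the `-d` that the neighbouring `ls -d -l` calls use, so for a directory it lists the directory's contents (typically starting with a `total` line) and FILEOWNER becomes a multi-line value that can never equal ${MYID}. More broadly, deriving readability from columns 2 and 8 of `ls -l` ignores group membership (the `YYY` TODO), ACLs and the fact that root reads regardless of mode bits, and a symlink whose target is itself a symlink still lands in the `ReportException` branch; `[ -r "${sFILE}" ]` asks the kernel the same question via access(2), follows symlink chains and makes the whole readlink block unnecessary. The unquoted `${sFILE}` expansions also break on paths containing whitespace. A version built on `-r` is sketched below, keeping the same globals (CANREAD) and the logtext/ReportException helpers this file already uses.
```shell
FileIsReadable() {
    sFILE=$1
    CANREAD=0
    logtext "Test: testing if we can access ${sFILE}"
    # Ask the kernel (access(2)) instead of parsing 'ls -l' columns: this covers
    # owner, group, other, root and ACLs, and follows symlink chains in one check.
    if [ -r "${sFILE}" ]; then
        CANREAD=1
        logtext "Result: file ${sFILE} is readable (or directory accessible)."
    elif [ -L "${sFILE}" ]; then
        # -r follows the link, so reaching here means the target is missing or unreadable
        logtext "Result: symlink ${sFILE} points to a target we can not read"
        ReportException "FileIsReadable" "Can not determine symlink ${sFILE}"
    else
        logtext "Result: file ${sFILE} is NOT readable (or directory accessible), or does not exist."
    fi
}
```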
@@ -131,7 +131,7 @@ # Overrule for SuSE if [ "${LINUX_VERSION}" = "SuSE" ]; then - FIND=`${GRPCKBINARY} -q -r > /dev/null ; echo $?` + FIND=`${GRPCKBINARY} -q -r > /dev/null ; echo $?` fi # Check exit-code diff --git a/include/tests_crypto b/include/tests_crypto index 8560b05c..af73fd6c 100644 --- a/include/tests_crypto +++ b/include/tests_crypto @@ -34,7 +34,7 @@ if [ -d ${I} ]; then logtext "Result: found directory ${I}" # Search for CRT files - sFINDCRTS=`find ${I} -name "*.crt" -type f -print` + sFINDCRTS=`find ${I} -name "*.crt" -type f -print 2> /dev/null` for J in ${sFINDCRTS}; do logtext "Test: checking certificate ${J}" # Check certificate where 'end date' has been expired diff --git a/include/tests_filesystems b/include/tests_filesystems index 2d36a2a0..86c7e167 100644 --- a/include/tests_filesystems +++ b/include/tests_filesystems @@ -244,7 +244,7 @@ if [ ${SKIPTEST} -eq 0 ]; then logtext "Test: Searching for old files in /tmp..." # Search for files only in /tmp, with an access time older than X days - FIND=`find /tmp -type f -atime +${TMP_OLD_DAYS} | sed 's/ /!space!/g'` + FIND=`find /tmp -type f -atime +${TMP_OLD_DAYS} 2> /dev/null | sed 's/ /!space!/g'` if [ "${FIND}" = "" ]; then Display --indent 2 --text "- Checking for old files in /tmp..." --result OK --color GREEN logtext "Result: no files found in /tmp which are older than 3 months" @@ -261,8 +261,7 @@ logtext "private information and should be deleted it not being used actively. Use a tool like lsof to" logtext "see which programs possibly are using a particular file. Some systems can cleanup temporary" logtext "directories by setting a boot option." - ReportWarning ${TEST_NO} "L" "Found ${N} files in /tmp which are older than ${TMP_OLD_DAYS} days" - ReportSuggestion ${TEST_NO} "Clean up unused files in /tmp" + ReportSuggestion ${TEST_NO} "L" "Check ${N} files in /tmp which are older than ${TMP_OLD_DAYS} days" fi fi # 
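Review bot: The replacement call `ReportSuggestion ${TEST_NO} "L" "Check ${N} files in /tmp which are older than ${TMP_OLD_DAYS} days"` passes three arguments, but every other ReportSuggestion call in this patch (for example `ReportSuggestion ${TEST_NO} "Disable AppArmor or load a policy"` in tests_mac_frameworks) passes two, so the `"L"` severity inherited from the removed ReportWarning most likely becomes the suggestion text and the real message is dropped — unless ReportSuggestion accepts an optional severity, which nothing in this diff shows. Drop the extra argument: `ReportSuggestion ${TEST_NO} "Check ${N} files in /tmp which are older than ${TMP_OLD_DAYS} days"`. The enclosing if/else starts before this hunk.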
@@ -335,7 +334,7 @@ # # Test : FILE-6368 # Description : Checking Linux root file system ACL support - Register --test-no FILE-6368 --os Linux --weight L --network NO --description "Checking ACL support on root file system" + Register --test-no FILE-6368 --os Linux --weight L --network NO --root-only YES --description "Checking ACL support on root file system" if [ ${SKIPTEST} -eq 0 ]; then FOUND=0 logtext "Test: Checking acl option on root file system" diff --git a/include/tests_mac_frameworks b/include/tests_mac_frameworks index 21a55907..a4ed8854 100644 --- a/include/tests_mac_frameworks +++ b/include/tests_mac_frameworks @@ -28,15 +28,15 @@ # Description : Check if AppArmor is installed Register --test-no MACF-6204 --weight L --network NO --description "Check AppArmor presence" if [ ${SKIPTEST} -eq 0 ]; then - if [ "${AASTATUSBINARY}" = "" ]; then - APPARMORFOUND=0 - logtext "Result: aa-status binary not found, AppArmor not installed" - Display --indent 2 --text "- Checking presence AppArmor" --result "NOT FOUND" --color WHITE - else - APPARMORFOUND=1 - logtext "Result: aa-status binary found, AppArmor is installed" - Display --indent 2 --text "- Checking presence AppArmor" --result FOUND --color GREEN - fi + if [ "${AASTATUSBINARY}" = "" ]; then + APPARMORFOUND=0 + logtext "Result: aa-status binary not found, AppArmor not installed" + Display --indent 2 --text "- Checking presence AppArmor" --result "NOT FOUND" --color WHITE + else + APPARMORFOUND=1 + logtext "Result: aa-status binary found, AppArmor is installed" + Display --indent 2 --text "- Checking presence AppArmor" --result FOUND --color GREEN + fi fi # ################################################################################# 
@@ -48,20 +48,32 @@ if [ ${SKIPTEST} -eq 0 ]; then if [ ! "${AASTATUSBINARY}" = "" ]; then # Checking AppArmor status - FIND=`${AASTATUSBINARY} > /dev/null; echo $?` #0 if apparmor is enabled and policy is loaded. #1 if apparmor is not enabled/loaded. #2 if apparmor is enabled but no policy is loaded. + #3 if control files are not available + #4 if apparmor status can't be read + FIND=`${AASTATUSBINARY} > /dev/null; echo $?` if [ ${FIND} -eq 0 ]; then MAC_FRAMEWORK_ACTIVE=1 logtext "Result: AppArmor is enabled and a policy is loaded" - Display --indent 4 --text "- Checking AppArmor status" --result "ENABLED" --color GREEN + Display --indent 4 --text "- Checking AppArmor status" --result "ENABLED" --color GREEN + elif [ ${FIND} -eq 4 ]; then + logtext "Result: Can not determine status, most likely due to lacking permissions" + Display --indent 4 --text "- Checking AppArmor status" --result "UNKNOWN" --color RED + elif [ ${FIND} -eq 3 ]; then + logtext "Result: Can not check control files" + Display --indent 4 --text "- Checking AppArmor status" --result "UNKNOWN" --color RED elif [ ${FIND} -eq 2 ]; then logtext "Result: AppArmor is enabled, but no policy is loaded" ReportSuggestion ${TEST_NO} "Disable AppArmor or load a policy" - Display --indent 4 --text "- Checking AppArmor status" --result "NON-ACTIVE" --color GREEN + Display --indent 4 --text "- Checking AppArmor status" --result "NON-ACTIVE" --color GREEN elif [ ${FIND} -eq 1 ]; then - Display --indent 4 --text "- Checking AppArmor status" --result "DISABLED" --color YELLOW + logtext "Result: AppArmor is disabled" + Display --indent 4 --text "- Checking AppArmor status" --result "DISABLED" --color YELLOW + else + Display --indent 4 --text "- Checking AppArmor status" --result "UNKNOWN" --color RED + ReportException "${TEST_NO}:1" "Invalid or unknown AppArmor status detected" fi fi fi diff --git a/include/tests_networking b/include/tests_networking index 8d304cd1..6535a493 100644 --- a/include/tests_networking 
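Review bot: The line `FIND=`${AASTATUSBINARY} > /dev/null; echo $?`` still lets aa-status write to stderr, so the privilege complaint that accompanies the new exit code 4 will most likely still reach the screen, which the other hunks of this commit avoid with `2> /dev/null`; use `FIND=`${AASTATUSBINARY} > /dev/null 2>&1; echo $?``. The exit-4 branch also paints the result RED although its own log text says this is a permissions limit of the scan rather than a finding about the host; a WHITE or YELLOW "UNKNOWN" with a `logtext "Result: run Lynis as root to determine AppArmor status"` fits a non-privileged scan better, and the fact that MAC_FRAMEWORK_ACTIVE is deliberately left untouched in the 3/4 branches deserves a one-line comment. The meanings of codes 3 and 4 are taken from the comments added here; I have not verified them against aa-status.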
+++ b/include/tests_networking @@ -256,9 +256,9 @@ Linux) if [ ! "${NETSTATBINARY}" = "" ]; then # UDP - FIND=`${NETSTATBINARY} -nlp | grep "^udp" | awk '{ print $4"|"$1"|"$6"|" }' | sed 's:|[0-9]*/:|:'` + FIND=`${NETSTATBINARY} -nlp 2> /dev/null | grep "^udp" | awk '{ print $4"|"$1"|"$6"|" }' | sed 's:|[0-9]*/:|:'` # TCP - FIND2=`${NETSTATBINARY} -nlp | grep "^tcp" | awk '{ if($6=="LISTEN") { print $4"|"$1"|"$7"|" }}' | sed 's:|[0-9]*/:|:'` + FIND2=`${NETSTATBINARY} -nlp 2> /dev/null | grep "^tcp" | awk '{ if($6=="LISTEN") { print $4"|"$1"|"$7"|" }}' | sed 's:|[0-9]*/:|:'` else ReportException "${TEST_NO}:1" "netstat binary is missing" fi diff --git a/include/tests_ports_packages b/include/tests_ports_packages index 958cf7bb..00e62817 100644 --- a/include/tests_ports_packages +++ b/include/tests_ports_packages @@ -647,7 +647,7 @@ Register --test-no PKGS-7390 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --description "Check Ubuntu database consistency" if [ ${SKIPTEST} -eq 0 ]; then logtext "Test: Package database consistency by running apt-get check" - FIND=`/usr/bin/apt-get -q=2 check; echo $?` + FIND=`/usr/bin/apt-get -q=2 check 2> /dev/null; echo $?` if [ "${FIND}" = "0" ]; then Display --indent 2 --text "- Checking APT package database..." --result OK --color GREEN logtext "Result: package database seems to be consistent." diff --git a/include/tests_webservers b/include/tests_webservers index 8ec5ca24..4348993a 100644 --- a/include/tests_webservers +++ b/include/tests_webservers 
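Review bot: Adding `2> /dev/null` to both `${NETSTATBINARY} -nlp` calls silences the warning netstat emits when a non-root user cannot map sockets to processes, but nothing records that the program field the awk prints (`$6` for UDP, `$7` for TCP) is then just `-` for sockets owned by other users. Since the redirect is intentional, say so above the UDP line, e.g. `# stderr dropped: non-root netstat warns it cannot identify all processes; program column is then '-'`, and consider a `logtext` stating that process information is incomplete when the scan is not running as root (`${MYID}` appears to hold the current uid in include/functions, but I have not seen where it is set). The case block enclosing these lines starts before the hunk.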
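Review bot: With `2> /dev/null` on `/usr/bin/apt-get -q=2 check`, a non-zero exit caused by something other than an inconsistent database — a lock or permission problem during a non-privileged scan is the obvious candidate — becomes indistinguishable from a real consistency failure, and the non-zero branch lies past the end of this hunk so I cannot see how it reports. Either register PKGS-7390 with `--root-only YES` like the other tests in this patch, or keep the diagnostic: `OUTPUT=`/usr/bin/apt-get -q=2 check 2>&1 > /dev/null`; FIND=$?; logtext "Output: ${OUTPUT}"` so the cause stays in the log while the screen stays clean. Hard-coding `/usr/bin/apt-get` is also out of step with the `*BINARY` variables every other tool in this patch goes through.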
@@ -139,20 +139,26 @@ for I in `cat ${TMPFILE}`; do logtext "Apache config file: ${I}" - # Search Virtual Hosts - for J in `cat ${I} | grep "ServerName" | grep -v "^#" | awk '{ if ($1=="ServerName") print $2 }'`; do - if [ ! -z ${J} ]; then - tVHOSTS="${tVHOSTS} ${J}" - cVHOSTS=`expr ${cVHOSTS} + 1` - fi - done - # Search Server aliases - for J in `cat ${I} | grep "ServerAlias" | grep -v "^#" | sed "s/.* ServerAlias//g" | sed "s/#.*//g"`; do - if [ ! -z ${J} ]; then - tVHOSTS="${tVHOSTS} ${J}" - cVHOSTS=`expr ${cVHOSTS} + 1` - fi - done + FileIsReadable ${I} + if [ ${CANREAD} -eq 1 ]; then + # Search Virtual Hosts + for J in `cat ${I} | grep "ServerName" | grep -v "^#" | awk '{ if ($1=="ServerName") print $2 }'`; do + if [ ! -z ${J} ]; then + tVHOSTS="${tVHOSTS} ${J}" + cVHOSTS=`expr ${cVHOSTS} + 1` + fi + done + # Search Server aliases + for J in `cat ${I} | grep "ServerAlias" | grep -v "^#" | sed "s/.* ServerAlias//g" | sed "s/#.*//g"`; do + if [ ! -z ${J} ]; then + tVHOSTS="${tVHOSTS} ${J}" + cVHOSTS=`expr ${cVHOSTS} + 1` + fi + done + else + logtext "Result: can not read configuration file with this user ID" + ReportException "${TEST_NO}:1" "Can not read configuration file $I" + fi done # Log all virtual hosts we found @@ -425,7 +431,12 @@ N=`expr ${N} + 1` logtext "Result: found Nginx configuration file ${J}" report "nginx_sub_conf_file=${J}" - FIND3=`cat ${J} | sed -e 's/^[ \t]*//' | grep -v "^#" | grep -v "^$" | sed 's/[\t]/ /g' | sed 's/ / /g' | sed 's/ / /g' >> ${TMPFILE2}` + FileIsReadable ${J} + if [ ${CANREAD} -eq 1 ]; then + FIND3=`cat ${J} | sed -e 's/^[ \t]*//' | grep -v "^#" | grep -v "^$" | sed 's/[\t]/ /g' | sed 's/ / /g' | sed 's/ / /g' >> ${TMPFILE2}` + else + ReportException "${TEST_NO}:1" "Can not parse file ${J}, as it is not readable" + fi fi done done -- cgit v1.2.3
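Review bot: The unreadable-config branch raises `ReportException "${TEST_NO}:1" "Can not read configuration file $I"` for what is, in the non-privileged scan this commit sets out to support, the expected case, so every protected Apache include becomes an exception rather than a skipped item; if ReportException is meant for unexpected conditions (I cannot confirm its contract from this diff), a `logtext` plus a visible "SKIPPED" Display result would be the better fit. Stylistically the same line writes `$I` while the rest of the loop uses `${I}`, and the two `for J in `cat ${I} | grep ...`` loops still word-split the file and spawn `cat` needlessly — `grep "ServerName" ${I}` does the same work. The loop over ${TMPFILE} enclosing these lines starts before this hunk.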
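Review bot: `FIND3=`cat ${J} | sed ... >> ${TMPFILE2}`` assigns an always-empty value, because the pipeline's output is appended to ${TMPFILE2} inside the command substitution, and FIND3 is not read anywhere in this hunk; run the pipeline directly (drop the `FIND3=`` wrapper and its closing backtick) so the intent — appending the normalised nginx sub-config to the temp file — is explicit, and add `# normalise whitespace/comments, then collect into TMPFILE2 for later parsing` above it. The `ReportException` in the else branch turns an expected permission denial in a non-privileged scan into an exception; a `logtext` would suffice if ReportException is reserved for unexpected conditions, which I cannot confirm from this diff. The enclosing loops start before this hunk.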