From 918b962ae5c033ab324ec1f108cba7cb629f2b94 Mon Sep 17 00:00:00 2001
From: Michael Boelen
Date: Wed, 3 May 2017 10:42:34 +0200
Subject: Code enhancements
---
 include/tests_shells | 50 ++++++++++++++++++++++++------------------------
 include/tests_webservers | 41 ++++++++++++++++++---------------------
 2 files changed, 44 insertions(+), 47 deletions(-)
diff --git a/include/tests_shells b/include/tests_shells
index 628fa4c9..c668dd83 100644
--- a/include/tests_shells
+++ b/include/tests_shells
@@ -57,10 +57,10 @@
 LogText "Result: console is secured against single user mode without password."
 else
 Display --indent 2 --text "- Checking console TTYs" --result "${STATUS_WARNING}" --color RED
- LogText "Result: Found insecure console in /etc/ttys. Single user mode login without password allowed!"
- LogText "Output /etc/ttys:"
+ LogText "Result: Found insecure console in ${ROOTDIR}etc/ttys. Single user mode login without password allowed!"
+ LogText "Output ${ROOTDIR}etc/ttys:"
 LogText "${FIND}"
- ReportWarning ${TEST_NO} "Found unprotected console in /etc/ttys"
+ ReportWarning ${TEST_NO} "Found unprotected console in ${ROOTDIR}etc/ttys"
 LogText "Possible solution: Change the console line from 'secure' to 'insecure'."
 fi
 fi
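Review bot: The three rewritten messages now name `${ROOTDIR}etc/ttys`, but the command that fills `${FIND}` sits above this hunk and is not visible, so it cannot be confirmed here that the check itself reads the file under ROOTDIR rather than a fixed /etc/ttys; if it does not, the log and the warning now misreport which file was examined. Worth verifying that line alongside this change, since the test is the only thing that establishes the claim the message makes. The enclosing `if`/`else` starts before the hunk.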
@@ -72,12 +72,12 @@
 Register --test-no SHLL-6211 --weight L --network NO --category security --description "Checking available and valid shells"
 if [ ${SKIPTEST} -eq 0 ]; then
 LogText "Test: Searching for ${ROOTDIR}etc/shells"
- if [ -f /etc/shells ]; then
- LogText "Result: Found /etc/shells file"
- LogText "Test: Reading available shells from /etc/shells"
+ if [ -f ${ROOTDIR}etc/shells ]; then
+ LogText "Result: Found ${ROOTDIR}etc/shells file"
+ LogText "Test: Reading available shells from ${ROOTDIR}etc/shells"
 SSHELLS=$(${GREPBINARY} "^/" ${ROOTDIR}etc/shells)
 CSSHELLS=0; CSSHELLS_ALL=0
- Display --indent 2 --text "- Checking shells from /etc/shells"
+ Display --indent 2 --text "- Checking shells from ${ROOTDIR}etc/shells"
 for I in ${SSHELLS}; do
 CSSHELLS_ALL=$((CSSHELLS_ALL + 1))
 Report "available_shell[]=${I}"
@@ -91,7 +91,7 @@
 done
 Display --indent 4 --text "Result: found ${CSSHELLS_ALL} shells (valid shells: ${CSSHELLS})."
 else
- LogText "Result: /etc/shells not found, skipping test"
+ LogText "Result: ${ROOTDIR}etc/shells not found, skipping test"
 fi
 fi
 #
@@ -119,7 +119,7 @@
 # Determine if we can find a TMOUT value
 FIND=$(${GREPBINARY} 'TMOUT=' ${ROOTDIR}etc/profile | ${TRBINARY} -d ' ' | ${TRBINARY} -d '\t' | ${GREPBINARY} -v "^#" | ${SEDBINARY} 's/export//' | ${SEDBINARY} 's/#.*//' | ${AWKBINARY} -F= '{ print $2 }')
 # Determine if the value is exported (with export, readonly, or typeset)
- FIND2=$(${GREPBINARY} '\(export\|readonly\|typeset -r\)[ \t]*TMOUT' /etc/profile | ${GREPBINARY} -v "^#" | ${SEDBINARY} 's/#.*//' | ${AWKBINARY} '{ print $1 }')
+ FIND2=$(${GREPBINARY} '\(export\|readonly\|typeset -r\)[ \t]*TMOUT' ${ROOTDIR}etc/profile | ${GREPBINARY} -v "^#" | ${SEDBINARY} 's/#.*//' | ${AWKBINARY} '{ print $1 }')
 if [ ! -z "${FIND}" ]; then
 N=0; IDLE_TIMEOUT=1
 for I in ${FIND}; do
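Review bot: The new `if [ -f ${ROOTDIR}etc/shells ]; then` leaves the path unquoted, so a ROOTDIR containing whitespace turns the file test into a multi-word `[` expression instead of a path check; `if [ -f "${ROOTDIR}etc/shells" ]; then` is the safe form, and the `${GREPBINARY} "^/" ${ROOTDIR}etc/shells` context line has the same exposure. The same unquoted `${ROOTDIR}etc/profile` argument appears in the new FIND2 line of the @@ -119 hunk. The `if [ ${SKIPTEST} -eq 0 ]` block these hunks belong to continues past the hunk.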
@@ -128,13 +128,13 @@ N=$((N + 1)) done if [ ${N} -eq 1 ]; then - LogText "Result: found TMOUT value configured in /etc/profile" + LogText "Result: found TMOUT value configured in ${ROOTDIR}etc/profile" else - LogText "Result: found several TMOUT values configured in /etc/profile" + LogText "Result: found several TMOUT values configured in ${ROOTDIR}etc/profile" fi Report "session_timeout_method[]=profile" else - LogText "Result: could not find TMOUT setting in /etc/profile" + LogText "Result: could not find TMOUT setting in ${ROOTDIR}etc/profile" fi if [ ! -z "${FIND2}" ]; then @@ -146,17 +146,17 @@ fi done if [ ${N} -gt 0 ]; then - LogText "Result: found readonly setting in /etc/profile (readonly or typeset -r)" + LogText "Result: found readonly setting in ${ROOTDIR}etc/profile (readonly or typeset -r)" Report "session_timeout_set_readonly=1" else - LogText "Result: NO readonly setting found in /etc/profile (readonly or typeset -r)" + LogText "Result: NO readonly setting found in ${ROOTDIR}etc/profile (readonly or typeset -r)" Report "session_timeout_set_readonly=0" fi else - LogText "Result: could not find export, readonly or typeset -r in /etc/profile" + LogText "Result: could not find export, readonly or typeset -r in ${ROOTDIR}etc/profile" fi else - LogText "Result: skip /etc/profile test, file not available on this system" + LogText "Result: skip ${ROOTDIR}etc/profile test, file not available on this system" fi if [ -d ${ROOTDIR}etc/profile.d ]; then 
@@ -175,13 +175,13 @@
 N=$((N + 1))
 done
 if [ ${N} -eq 1 ]; then
- LogText "Result: found TMOUT value configured in one of the files in /etc/profile.d directory"
+ LogText "Result: found TMOUT value configured in one of the files in ${ROOTDIR}etc/profile.d directory"
 else
- LogText "Result: found several TMOUT values configured in one of the files in /etc/profile.d directory"
+ LogText "Result: found several TMOUT values configured in one of the files in ${ROOTDIR}etc/profile.d directory"
 fi
 Report "session_timeout_method[]=profile"
 else
- LogText "Result: could not find TMOUT setting in /etc/profile.d/*.sh"
+ LogText "Result: could not find TMOUT setting in ${ROOTDIR}etc/profile.d/*.sh"
 fi
 # Check for readonly
 if [ ! -z "${FIND2}" ]; then
@@ -193,18 +193,18 @@
 fi done if [ ${N} -gt 0 ]; then - LogText "Result: found readonly setting in /etc/profile (readonly or typeset -r)" + LogText "Result: found readonly setting in ${ROOTDIR}etc/profile (readonly or typeset -r)" Report "session_timeout_set_readonly=1" else - LogText "Result: NO readonly setting found in /etc/profile (readonly or typeset -r)" + LogText "Result: NO readonly setting found in ${ROOTDIR}etc/profile (readonly or typeset -r)" Report "session_timeout_set_readonly=0" fi else - LogText "Result: could not find export, readonly or typeset -r in /etc/profile" + LogText "Result: could not find export, readonly or typeset -r in ${ROOTDIR}etc/profile" fi else - LogText "Result: skip /etc/profile.d directory test, directory not available on this system" + LogText "Result: skip ${ROOTDIR}etc/profile.d directory test, directory not available on this system" fi if [ ${IDLE_TIMEOUT} -eq 1 ]; then
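Review bot: The three readonly messages rewritten in the @@ -193 hunk still name `${ROOTDIR}etc/profile`, yet they sit in the profile.d branch: the @@ -175 hunk reports TMOUT findings for "one of the files in ${ROOTDIR}etc/profile.d directory", its `# Check for readonly` comment leads into this block, and the hunk closes with the "skip ${ROOTDIR}etc/profile.d directory test" message. They look copied from the /etc/profile block and would misreport where a readonly TMOUT was or was not found, e.g. `LogText "Result: found readonly setting in ${ROOTDIR}etc/profile.d (readonly or typeset -r)"` and likewise for the "NO readonly setting found" and "could not find export, readonly or typeset -r" lines. The context line `Report "session_timeout_method[]=profile"` in the same branch may have the same origin, but that is pre-existing and outside this change.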
@@ -220,7 +220,7 @@
 #
 # Test : SHLL-6230
 # Description : Check for umask values in shell configurations
- SHELL_CONFIG_FILES="/etc/bashrc /etc/bash.bashrc /etc/csh.cshrc /etc/profile"
+ SHELL_CONFIG_FILES="${ROOTDIR}etc/bashrc ${ROOTDIR}etc/bash.bashrc ${ROOTDIR}etc/csh.cshrc ${ROOTDIR}etc/profile"
 Register --test-no SHLL-6230 --weight H --network NO --category security --description "Perform umask check for shell configurations"
 if [ ${SKIPTEST} -eq 0 ]; then
 FOUND=0
@@ -232,7 +232,7 @@
 LogText "Result: file ${FILE} exists"
 FOUND=1
 FIND=$(${GREPBINARY} umask ${FILE} | ${SEDBINARY} 's/^[ \t]*//g' | ${SEDBINARY} 's/#.*$//' | ${GREPBINARY} -v "^$" | ${AWKBINARY} '{ print $2 }')
- if [ -z "${FIND}" ]; then
+ if IsEmpty "${FIND}"; then
 LogText "Result: did not find umask configured in ${FILE}"
 Display --indent 4 --text "- Checking default umask in ${FILE}" --result "${STATUS_NONE}" --color YELLOW
 else
diff --git a/include/tests_webservers b/include/tests_webservers
index 580e831e..7c487383 100644
--- a/include/tests_webservers
+++ b/include/tests_webservers
@@ -57,12 +57,12 @@
 Register --test-no HTTP-6622 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking Apache presence"
 if [ ${SKIPTEST} -eq 0 ]; then
 if [ "${OS}" = "OpenBSD" -a "${HTTPDBINARY}" = "/usr/sbin/httpd" ]; then HTTPDBINARY=""; fi
- if [ -z "${HTTPDBINARY}" ]; then
+ if IsEmpty "${HTTPDBINARY}"; then
 Display --indent 2 --text "- Checking Apache" --result "${STATUS_NOT_FOUND}" --color WHITE
 else
 LogText "Test: Scanning for Apache binary"
 IS_APACHE=$(${HTTPDBINARY} -v 2> /dev/null | ${EGREPBINARY} '[aA]pache')
- if [ -z "${IS_APACHE}" ]; then
+ if IsEmpty "${IS_APACHE}"; then
 LogText "Result: ${HTTPDBINARY} is not Apache"
 Display --indent 2 --text "- Checking Apache (binary ${HTTPDBINARY})" --result "NO MATCH" --color WHITE
 else
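Review bot: `SHELL_CONFIG_FILES` is a single space-separated string, so prefixing every entry with `${ROOTDIR}` means a ROOTDIR containing whitespace would be split into bogus paths wherever the list is word-split; the loop that consumes it (the `${FILE}` seen in the @@ -232 hunk) is outside this hunk, so this is inferred. With the file being POSIX sh there is no array to fall back on, so at minimum a comment on the assignment such as `# NOTE: word-split later; ROOTDIR must not contain whitespace` records the assumption. The `if [ ${SKIPTEST} -eq 0 ]` block started in this hunk continues past it.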
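Review bot: In the tests_webservers @@ -57 hunk, `if IsEmpty "${HTTPDBINARY}"; then` only screens out an empty value, and the `IS_APACHE=$(${HTTPDBINARY} -v 2> /dev/null | ...)` line that follows then executes whatever path the variable holds, unquoted, with the auditor's privileges. Gating the `else` branch on an executable file as well would keep a stale or mis-detected value from being run, e.g. `if IsEmpty "${HTTPDBINARY}" || [ ! -x "${HTTPDBINARY}" ]; then`, and the invocation itself should be quoted as `"${HTTPDBINARY}" -v`. Where HTTPDBINARY is discovered is outside the hunk, so whether that discovery already validates it cannot be confirmed here.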
@@ -95,7 +95,7 @@
 APACHE_CONFIGFILE="" APACHE_TEST=$(${HTTPDBINARY} -V 2> /dev/null | ${GREPBINARY} "\-D SERVER_CONFIG_FILE=" | ${SEDBINARY} 's/[ ]-D SERVER_CONFIG_FILE=//' | ${TRBINARY} -d '"' | ${TRBINARY} -d ' ' | ${TRBINARY} -d '[:cntrl:]') - if [ -z "${APACHE_TEST}" ]; then + if IsEmpty "${APACHE_TEST}"; then LogText "Result: Can't find the configuration file, so skipping some Apache related tests" else # We found a possible match. Checking if it's valid filename. If not, we need to add a prefix
@@ -105,8 +105,6 @@
 else
 # Probably the prefix is missing, so we are going to search that
 APACHE_HTTPDROOT=$(${HTTPDBINARY} -V 2> /dev/null | ${GREPBINARY} "\-D HTTPD_ROOT=" | ${SEDBINARY} 's/[ ]-D HTTPD_ROOT=//' | ${TRBINARY} -d '"' | ${TRBINARY} -d ' ')
- #echo "Apache root prefix: ${APACHE_HTTPDROOT}"
- #echo "Complete path to configuration file: ${APACHE_HTTPDROOT}/${APACHE_TEST}"
 APACHE_TESTFILE="${APACHE_HTTPDROOT}/${APACHE_TEST}"
 if [ -f ${APACHE_TESTFILE} ]; then
 APACHE_CONFIGFILE="${APACHE_TESTFILE}"
@@ -128,10 +128,9 @@
 if [ ${APACHE_INSTALLED} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no HTTP-6626 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Testing other Apache configuration file" if [ ${SKIPTEST} -eq 0 ]; then - #Display --indent 4 --text "- Searching Apache virtual hosts" - for I in ${sTEST_APACHE_TARGETS}; do - if [ -d ${I} ]; then - find ${I} -name "*.conf" -print >> ${TMPFILE2} + for DIR in ${sTEST_APACHE_TARGETS}; do + if [ -d ${DIR} ]; then + find ${DIR} -name "*.conf" -print >> ${TMPFILE2} fi done
@@ -150,7 +147,7 @@
 if [ ${CANREAD} -eq 1 ]; then
 # Search Virtual Hosts
 for J in $(${GREPBINARY} "ServerName" ${I} | ${GREPBINARY} -v "^#" | ${AWKBINARY} '{ if ($1=="ServerName" && $2!="*" && $2!="default") print $2 }'); do
- if [ ! -z ${J} ]; then
+ if HasData "${J}"; then
 tVHOSTS="${tVHOSTS} ${J}"
 cVHOSTS=$((cVHOSTS + 1))
 fi
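Review bot: In the @@ -150 hunk, `if HasData "${J}"; then` can never be false: `J` comes from word-splitting the `$(... | ${AWKBINARY} ...)` output in the `for` header, and splitting under the default IFS never produces an empty word, so the guard is dead (only an IFS changed elsewhere, not visible here, would alter that). Either drop it or replace it with a check that actually constrains the value before it is appended to `tVHOSTS`, since ServerName strings are taken straight from the configuration file being audited; the `${I}` argument to grep on the `for` line is also unquoted. The `for` loop and the enclosing `if [ ${CANREAD} -eq 1 ]` block continue past the hunk.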
@@ -201,17 +198,17 @@
 #if [ ${APACHE_INSTALLED} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
 #Register --test-no HTTP-6630 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Determining all loaded Apache modules"
 #if [ ${SKIPTEST} -eq 0 ]; then
- # Testing Debian style
- #LogText "Test: searching loaded/enabled Apache modules"
- #apachectl -t -D DUMP_MODULES 2>&1 | ${EGREPBINARY} -v "(Loaded Modules|Syntax OK)" | ${SEDBINARY} 's/(\(shared\|static\))//' | ${SEDBINARY} 's/ //'
- #for I in ${APACHE_MODULES_ENABLED_LOCS}; do
- #LogText "Test: checking ${I}"
- #if [ -d ${I} ]; then
- #FIND=$(${GREPBINARY} -r LoadModule ${I}/* | ${GREPBINARY} -v "^#" | ${AWKBINARY} '{ print $2":"$3 }')
- #else
- #LogText "Result: ${I} does not exist"
- #fi
- #done
+ # # Testing Debian style
+ # LogText "Test: searching loaded/enabled Apache modules"
+ # apachectl -t -D DUMP_MODULES 2>&1 | ${EGREPBINARY} -v "(Loaded Modules|Syntax OK)" | ${SEDBINARY} 's/(\(shared\|static\))//' | ${SEDBINARY} 's/ //'
+ # for I in ${APACHE_MODULES_ENABLED_LOCS}; do
+ # LogText "Test: checking ${I}"
+ # if [ -d ${I} ]; then
+ # FIND=$(${GREPBINARY} -r LoadModule ${I}/* | ${GREPBINARY} -v "^#" | ${AWKBINARY} '{ print $2":"$3 }')
+ # else
+ # LogText "Result: ${I} does not exist"
+ # fi
+ # done
 #fi
 #
 #################################################################################
@@ -587,7 +584,7 @@
 if [ -d ${DIR} ]; then
 LogText "Result: Directory ${DIR} exists, so will be used as search path"
 FIND=$(find ${DIR} -type f -exec ${GREPBINARY} access_log \{\} \; | ${GREPBINARY} -v "#" | ${AWKBINARY} '{ if($1=="access_log") { print $2 } }' | ${SEDBINARY} 's/;$//g' | ${SORTBINARY} -u)
- if [ -z "${FIND}" ]; then
+ if IsEmpty "${FIND}"; then
 LogText "Result: no log files found"
 else
 LogText "Result: found one or more log files"
--
cgit v1.2.3