From 0b9c6132c6958841880d4261144f78eca9f1e4f6 Mon Sep 17 00:00:00 2001
From: mboelen
Date: Thu, 10 Sep 2015 21:06:40 +0200
Subject: Add test [SHLL-6230] to test for umask values in common shell configuration files
---
 include/tests_shells | 52 ++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 52 insertions(+)
(limited to 'include/tests_shells')
diff --git a/include/tests_shells b/include/tests_shells
index 52550562..1f1cdc21 100644
--- a/include/tests_shells
+++ b/include/tests_shells
@@ -213,6 +213,58 @@
 fi
 #
 #################################################################################
+#
+ # Test : SHLL-6230
+ # Description : Check for umask values in shell configurations
+ SHELL_CONFIG_FILES="/etc/bashrc /etc/bash.bashrc /etc/csh.cshrc /etc/profile"
+ Register --test-no SHLL-6230 --weight H --network NO --description "Perform umask check for shell configurations"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ FOUND=0
+ HARDENING_POSSIBLE=0
+ Display --indent 2 --text "- Checking default umask values"
+ for FILE in ${SHELL_CONFIG_FILES}; do
+ FIND=""
+ if [ -f ${FILE} ]; then
+ logtext "Result: file ${FILE} exists"
+ FOUND=1
+ FIND=`grep umask ${FILE} | sed 's/^[ \t]*//g' | sed 's/#.*$//' | grep -v "^$" | awk '{ print $2 }'`
+ if [ "${FIND}" = "" ]; then
+ logtext "Result: did not find umask configured in ${FILE}"
+ Display --indent 4 --text "- Checking default umask in ${FILE}" --result NONE --color YELLOW
+ else
+ for UMASKVALUE in ${FIND}; do
+ logtext "Result: found umask ${UMASKVALUE} in ${FILE}"
+ case ${UMASKVALUE} in
+ 027|0027|077|0077)
+ logtext "Result: umask ${UMASKVALUE} is considered a properly hardened value"
+ ;;
+ *)
+ logtext "Result: umask ${UMASKVALUE} can be hardened "
+ HARDENING_POSSIBLE=1
+ ;;
+ esac
+ done
+ if [ ${HARDENING_POSSIBLE} -eq 0 ]; then
+ Display --indent 4 --text "- Checking default umask in ${FILE}" --result OK --color GREEN
+ AddHP 3 3
+ else
+ Display --indent 4 --text "- Checking default umask in ${FILE}" --result WEAK --color YELLOW
+ AddHP 1 3
+ fi
+ fi
+ else
+ logtext "Result: file ${FILE} not found"
+ fi
+ done
+ #if [ ${FOUND} -eq 1 ]; then
+ # if [ ${HARDENING_POSSIBLE} -eq 0 ]; then
+ # logtext "Result: all shell files found, contain a proper umask"
+ # Display --indent 4 --text "- Default umask" --result OK --color GREEN
+ # fi
+ #fi
+ fi
+#
+#################################################################################
 #
 # Test : SHLL-6290
 # Description : Check for Shellshock vulnerability
-- cgit
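Review bot: `HARDENING_POSSIBLE` is set to 0 once before the `for FILE` loop and never reset, so after the first file with a non-hardened umask every later file that sets any umask is displayed as WEAK and scored `AddHP 1 3`, even when its own values are 027 or 077. Resetting it at the top of each iteration, next to `FIND=""`, keeps the per-file result and hardening points accurate: `HARDENING_POSSIBLE=0`. If the commented-out summary at the end of the block is revived, it would then need its own aggregate flag rather than the per-file one. Separately, `grep umask` matches any line containing the word and `awk '{ print $2 }'` takes the second field, so a line such as `[ -x /bin/foo ] && umask 022` (constructed example) would yield a token that is not a umask value and be logged as hardenable; restricting the match to lines where `umask` is the command would likely avoid that.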
v1.2.3