CloudyScripts 1.6.1 → 1.7.27
- data/Rakefile +1 -1
- data/lib/audit/checks/APACHE2.group +6 -0
- data/lib/audit/checks/APACHE2_CONFIG_01.check +36 -0
- data/lib/audit/checks/APACHE2_CONFIG_02.check +34 -0
- data/lib/audit/checks/APACHE2_CONFIG_03.check +60 -0
- data/lib/audit/checks/APACHE2_CONFIG_04.check +23 -0
- data/lib/audit/checks/APACHE2_CONFIG_05.check +23 -0
- data/lib/audit/checks/APACHE2_CONFIG_06.check +30 -0
- data/lib/audit/checks/APACHE2_INIT_1.check +14 -0
- data/lib/audit/checks/APACHE2_INIT_2.check +66 -0
- data/lib/audit/checks/APACHE2_INIT_3.check +13 -0
- data/lib/audit/checks/APACHE2_USER_7.check +17 -0
- data/lib/audit/checks/BACKUP_HOME_DOTFILES.check +26 -0
- data/lib/audit/checks/BACKUP_LOG.check +24 -0
- data/lib/audit/checks/BACKUP_MAIL.check +19 -0
- data/lib/audit/checks/BACKUP_WEB.check +12 -0
- data/lib/audit/checks/CONFIGURATION_BACKUP.check +14 -0
- data/lib/audit/checks/DIRECTORY_LISTING.check +14 -0
- data/lib/audit/checks/DISTRIBUTION_FACTS.check +60 -0
- data/lib/audit/checks/DMESG_OUTPUT.check +14 -0
- data/lib/audit/checks/FIND_GROUP_FILE.check +6 -0
- data/lib/audit/checks/FIND_PASSWD_FILE.check +8 -0
- data/lib/audit/checks/FIND_SHADOW_FILE.check +5 -0
- data/lib/audit/checks/FIND_SUDOERS_FILE.check +6 -0
- data/lib/audit/checks/FREE_SPACE.check +26 -0
- data/lib/audit/checks/HAS_AWK.check +30 -0
- data/lib/audit/checks/HAS_BASE.check +21 -0
- data/lib/audit/checks/HAS_CAT.check +18 -0
- data/lib/audit/checks/HAS_COMPRESSOR.check +30 -0
- data/lib/audit/checks/HAS_CUT.check +18 -0
- data/lib/audit/checks/HAS_DF.check +19 -0
- data/lib/audit/checks/HAS_DPKG.check +18 -0
- data/lib/audit/checks/HAS_FILE_DOWNLOADER.check +32 -0
- data/lib/audit/checks/HAS_FIND.check +18 -0
- data/lib/audit/checks/HAS_GREP.check +19 -0
- data/lib/audit/checks/HAS_GROUPCHECK.check +23 -0
- data/lib/audit/checks/HAS_GROUPS.check +19 -0
- data/lib/audit/checks/HAS_HOSTNAME.check +7 -0
- data/lib/audit/checks/HAS_ID.check +7 -0
- data/lib/audit/checks/HAS_LSB_RELEASE.check +16 -0
- data/lib/audit/checks/HAS_MOUNT.check +19 -0
- data/lib/audit/checks/HAS_NETSTAT.check +20 -0
- data/lib/audit/checks/HAS_PASSWD_CHECK.check +17 -0
- data/lib/audit/checks/HAS_PS.check +19 -0
- data/lib/audit/checks/HAS_ROUTE.check +19 -0
- data/lib/audit/checks/HAS_SH.check +19 -0
- data/lib/audit/checks/HAS_SORT.check +17 -0
- data/lib/audit/checks/HAS_STAT.check +17 -0
- data/lib/audit/checks/HAS_SUPERUSER.check +11 -0
- data/lib/audit/checks/HAS_TAIL.check +16 -0
- data/lib/audit/checks/HAS_TAR.check +7 -0
- data/lib/audit/checks/HAS_TR.check +22 -0
- data/lib/audit/checks/HAS_UNAME.check +7 -0
- data/lib/audit/checks/HAS_UNIQ.check +17 -0
- data/lib/audit/checks/HAS_WC.check +16 -0
- data/lib/audit/checks/HAS_WHO.check +18 -0
- data/lib/audit/checks/HAS_YUM.check +18 -0
- data/lib/audit/checks/LASTLOG.check +28 -0
- data/lib/audit/checks/LIST_ROUTES.check +33 -0
- data/lib/audit/checks/LIST_USER_ACCOUNTS.check +25 -0
- data/lib/audit/checks/LOADED_MODULES.check +22 -0
- data/lib/audit/checks/LOCAL_NMAP.check +97 -0
- data/lib/audit/checks/LOGGED_USERS.check +28 -0
- data/lib/audit/checks/LYNIS_AUTH.group +9 -0
- data/lib/audit/checks/LYNIS_AUTH_9204.check +43 -0
- data/lib/audit/checks/LYNIS_AUTH_9208.check +35 -0
- data/lib/audit/checks/LYNIS_AUTH_9216.check +24 -0
- data/lib/audit/checks/LYNIS_AUTH_9222.check +25 -0
- data/lib/audit/checks/LYNIS_AUTH_9226.check +24 -0
- data/lib/audit/checks/LYNIS_AUTH_9228.check +24 -0
- data/lib/audit/checks/LYNIS_AUTH_9252.check +19 -0
- data/lib/audit/checks/MAYBE_HAS_BZIP2.check +17 -0
- data/lib/audit/checks/MAYBE_HAS_CURL.check +17 -0
- data/lib/audit/checks/MAYBE_HAS_DU.check +17 -0
- data/lib/audit/checks/MAYBE_HAS_HOSTNAME.check +17 -0
- data/lib/audit/checks/MAYBE_HAS_ID.check +17 -0
- data/lib/audit/checks/MAYBE_HAS_LSB_RELEASE.check +15 -0
- data/lib/audit/checks/MAYBE_HAS_SUPERUSER.check +36 -0
- data/lib/audit/checks/MAYBE_HAS_TAR.check +19 -0
- data/lib/audit/checks/MAYBE_HAS_UNAME.check +17 -0
- data/lib/audit/checks/MAYBE_HAS_WGET.check +17 -0
- data/lib/audit/checks/MOUNTED_DEVICES.check +22 -0
- data/lib/audit/checks/MYSQL_HISTORY_1.check +29 -0
- data/lib/audit/checks/MYSQL_INIT_1.check +9 -0
- data/lib/audit/checks/MYSQL_INIT_2.check +12 -0
- data/lib/audit/checks/MYSQL_INIT_3.check +7 -0
- data/lib/audit/checks/PACKAGES_INSTALLED_DPKG.check +38 -0
- data/lib/audit/checks/PACKAGES_INSTALLED_YUM.check +36 -0
- data/lib/audit/checks/PASSWORD_INFORMATION.check +33 -0
- data/lib/audit/checks/PLATFORM_FACTS.check +35 -0
- data/lib/audit/checks/PORTS_OPEN_NETSTAT.check +121 -0
- data/lib/audit/checks/PROCESS_LIST.check +87 -0
- data/lib/audit/checks/SLOW.group +7 -0
- data/lib/audit/checks/SLOW_1.check +4 -0
- data/lib/audit/checks/SLOW_2.check +4 -0
- data/lib/audit/checks/SLOW_3.check +4 -0
- data/lib/audit/checks/SSH.group +14 -0
- data/lib/audit/checks/SSH_CONFIG_01.check +12 -0
- data/lib/audit/checks/SSH_CONFIG_02.check +15 -0
- data/lib/audit/checks/SSH_CONFIG_03.check +13 -0
- data/lib/audit/checks/SSH_CONFIG_04.check +11 -0
- data/lib/audit/checks/SSH_CONFIG_05.check +12 -0
- data/lib/audit/checks/SSH_CONFIG_06.check +12 -0
- data/lib/audit/checks/SSH_CONFIG_07.check +11 -0
- data/lib/audit/checks/SSH_CONFIG_08.check +12 -0
- data/lib/audit/checks/SSH_CONFIG_09.check +12 -0
- data/lib/audit/checks/SSH_CONFIG_10.check +15 -0
- data/lib/audit/checks/SSH_CONFIG_11.check +14 -0
- data/lib/audit/checks/SSH_INIT_1.check +9 -0
- data/lib/audit/checks/SSH_INIT_2.check +12 -0
- data/lib/audit/checks/SSH_KEYS_1.check +32 -0
- data/lib/audit/checks/USERS_INIT_1.check +9 -0
- data/lib/audit/checks/USERS_INIT_2.check +5 -0
- data/lib/audit/checks/USERS_INIT_3.check +5 -0
- data/lib/audit/checks/USERS_INIT_4.check +9 -0
- data/lib/audit/checks/USERS_INIT_5.check +10 -0
- data/lib/audit/checks/USER_INFORMATION.check +29 -0
- data/lib/audit/checks/VARIOUS.group +19 -0
- data/lib/audit/checks/VAR_LIST_HOME_DIRECTORIES.check +5 -0
- data/lib/audit/checks/benchmark.group +6 -0
- data/lib/audit/checks/footer.template +12 -0
- data/lib/audit/checks/header.template +10 -0
- data/lib/audit/checks/helpers/head.sh +59 -0
- data/lib/audit/checks/script_header.template +69 -0
- data/lib/audit/create_benchmark.sh +93 -0
- data/lib/audit/lib/audit.rb +136 -0
- data/lib/audit/lib/audit_facade.rb +5 -0
- data/lib/audit/lib/benchmark/audit_benchmark.rb +165 -0
- data/lib/audit/lib/benchmark/automatic_dependencies.rb +13 -0
- data/lib/audit/lib/benchmark/benchmark_factory.rb +23 -0
- data/lib/audit/lib/benchmark/benchmark_result.rb +25 -0
- data/lib/audit/lib/benchmark/check.rb +34 -0
- data/lib/audit/lib/benchmark/group.rb +30 -0
- data/lib/audit/lib/benchmark/item_exception.rb +13 -0
- data/lib/audit/lib/benchmark/result_code.rb +11 -0
- data/lib/audit/lib/benchmark/rule_result.rb +42 -0
- data/lib/audit/lib/benchmark/rule_role.rb +5 -0
- data/lib/audit/lib/benchmark/rule_severity.rb +13 -0
- data/lib/audit/lib/benchmark/yaml_benchmark.rb +133 -0
- data/lib/audit/lib/connection/ami_connection.rb +4 -0
- data/lib/audit/lib/connection/connection_factory.rb +27 -0
- data/lib/audit/lib/connection/ssh_connection.rb +243 -0
- data/lib/audit/lib/ec2_utils.rb +245 -0
- data/lib/audit/lib/http_fingerprint.rb +116 -0
- data/lib/audit/lib/lazy.rb +37 -0
- data/lib/audit/lib/linear_script_generator.rb +31 -0
- data/lib/audit/lib/main.rb +13 -0
- data/lib/audit/lib/my_option_parser.rb +106 -0
- data/lib/audit/lib/nessus_new.rb +290 -0
- data/lib/audit/lib/nessus_utils.rb +102 -0
- data/lib/audit/lib/parser/command/abstract_command.rb +32 -0
- data/lib/audit/lib/parser/command/abstract_command_result.rb +30 -0
- data/lib/audit/lib/parser/command/attach_file_command.rb +63 -0
- data/lib/audit/lib/parser/command/check_finished_command.rb +45 -0
- data/lib/audit/lib/parser/command/cpe_name_command.rb +37 -0
- data/lib/audit/lib/parser/command/data_command.rb +43 -0
- data/lib/audit/lib/parser/command/listening_port_command.rb +46 -0
- data/lib/audit/lib/parser/command/message_command.rb +21 -0
- data/lib/audit/lib/parser/command/program_name_command.rb +42 -0
- data/lib/audit/lib/parser/parse_exception.rb +2 -0
- data/lib/audit/lib/parser/result_type.rb +13 -0
- data/lib/audit/lib/parser/script_output_parser.rb +201 -0
- data/lib/audit/lib/parser/stdout_line_buffer.rb +43 -0
- data/lib/audit/lib/ssh_fingerprint.rb +220 -0
- data/lib/audit/lib/ssh_fingerprint2.rb +170 -0
- data/lib/audit/lib/ssh_utils.rb +292 -0
- data/lib/audit/lib/transformers/web_view_transformer.rb +171 -0
- data/lib/audit/lib/transformers/yaml_transformer.rb +50 -0
- data/lib/audit/lib/util/random_string.rb +22 -0
- data/lib/audit/lib/version.rb +7 -0
- data/lib/help/ec2_helper.rb +65 -2
- data/lib/help/remote_command_handler.rb +17 -0
- data/lib/help/state_transition_helper.rb +8 -0
- data/lib/scripts/ec2/open_port_checker.rb +112 -0
- data/lib/scripts/ec2/port_range_detector.rb +0 -1
- metadata +175 -16
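--- a/data/lib/audit/checks/LOCAL_NMAP.check
+++ b/data/lib/audit/checks/LOCAL_NMAP.check
@@ -0,0 +1,97 @@
+ID: LOCAL_NMAP
+Name: Run local nmap for fingerprinting purposes
+Description: >
+Extract all information from the /etc/passwd file
+and export it as key/value pairs.
+Depends: [HAS_TAR, HAS_UNAME, HAS_HOSTNAME, HAS_FILE_DOWNLOADER, MAYBE_HAS_SUPERUSER]
+Imports: [SHADOW_FILE, PASSWD_FILE, CAT, CUT, RUN_AS_SUPERUSER]
+Script: |
+TMP_NMAP_LIGHT_TEXT_OUTPUT="${AUDIT_DIRECTORY}/nmap_light.log"
+TMP_NMAP_LIGHT_XML_OUTPUT="${AUDIT_DIRECTORY}/nmap_light.xml"
+TMP_NMAP_LIGHT_NONROOT_PARAMS="-vv -p 0-65535 -Pn -sV --version-light -script=default,ssh2-enum-algos,ssh-hostkey --host-timeout 2m"
+TMP_NMAP_LIGHT_ROOT_PARAMS="-O --osscan-limit"
+
+TMP_NMAP_THOROUGH_TEXT_OUTPUT="${AUDIT_DIRECTORY}/nmap_thorough.log"
+TMP_NMAP_THOROUGH_XML_OUTPUT="${AUDIT_DIRECTORY}/nmap_thorough.xml"
+TMP_NMAP_THOROUGH_NONROOT_PARAMS="-vv -p 0-65535 -Pn -sV --version-all -script=default,ssh2-enum-algos,ssh-hostkey --host-timeout 5m"
+TMP_NMAP_THOROUGH_ROOT_PARAMS="-O --osscan-guess"
+
+TMP_NMAP="" # this is the path of the nmap program that will be started
+TMP_NMAP_DIR="" # nmap directory is used to delete copied nmap
+TMP_NMAP_LIGHT_EXIT_CODE=1
+TMP_NMAP_THOROUGH_EXIT_CODE=1
+TMP_ARCH=$( ${UNAME} -m )
+
+# download nmap and unpack it
+case "${TMP_ARCH}" in
+i686)
+TMP_NMAP_ARCHIVE="nmap-5.51-x86-tmp.tar.bz2"
+${DOWNLOAD_FILE} "/tmp/${TMP_NMAP_ARCHIVE}" "http://home.in.tum.de/zaddach/var/${TMP_NMAP_ARCHIVE}" 2>/dev/null 1>/dev/null
+if [ ! -f "/tmp/${TMP_NMAP_ARCHIVE}" ]
+then
+script_error_message "Downloading of NMap archive ${TMP_NMAP_ARCHIVE} failed"
+else
+${TAR} xjf "/tmp/${TMP_NMAP_ARCHIVE}" -C /
+TMP_NMAP_DIR="/tmp/nmap-5.51-x86"
+TMP_NMAP="/tmp/nmap-5.51-x86/bin/nmap"
+fi
+;;
+x86_64)
+TMP_NMAP_ARCHIVE="nmap-5.51-x64-tmp.tar.bz2"
+${DOWNLOAD_FILE} "/tmp/${TMP_NMAP_ARCHIVE}" "http://home.in.tum.de/zaddach/var/${TMP_NMAP_ARCHIVE}" 2>/dev/null 1>/dev/null
+if [ ! -f "/tmp/${TMP_NMAP_ARCHIVE}" ]
+then
+script_error_message "Downloading of NMap archive ${TMP_NMAP_ARCHIVE} failed"
+else
+${TAR} xjf "/tmp/${TMP_NMAP_ARCHIVE}" -C /
+TMP_NMAP_DIR="/tmp/nmap-5.51-x64"
+TMP_NMAP="/tmp/nmap-5.51-x64/bin/nmap"
+fi
+;;
+*)
+script_error_message "Unknown architecture ${TMP_ARCH}"
+;;
+esac
+
+# if an nmap was installed
+if [ ! "${TMP_NMAP}" = "" ]
+then
+if [ "${HAS_SUPERUSER}" = "yes" ]
+then
+# if superuser possible, execute nmap with superuser rights
+${RUN_AS_SUPERUSER} ${TMP_NMAP} -oX "${TMP_NMAP_LIGHT_XML_OUTPUT}" -oN "${TMP_NMAP_LIGHT_TEXT_OUTPUT}" ${TMP_NMAP_LIGHT_NONROOT_PARAMS} ${TMP_NMAP_LIGHT_ROOT_PARAMS} $( ${HOSTNAME} ) 2>/dev/null 1>/dev/null
+TMP_NMAP_LIGHT_EXIT_CODE=$?
+${RUN_AS_SUPERUSER} ${TMP_NMAP} -oX "${TMP_NMAP_THOROUGH_XML_OUTPUT}" -oN "${TMP_NMAP_THOROUGH_TEXT_OUTPUT}" ${TMP_NMAP_THOROUGH_NONROOT_PARAMS} ${TMP_NMAP_THOROUGH_ROOT_PARAMS} $( ${HOSTNAME} ) 2>/dev/null 1>/dev/null
+TMP_NMAP_THOROUGH_EXIT_CODE=$?
+else
+${TMP_NMAP} -oX "${TMP_NMAP_LIGHT_XML_OUTPUT}" -oN "${TMP_NMAP_LIGHT_TEXT_OUTPUT}" ${TMP_NMAP_LIGHT_NONROOT_PARAMS} $( ${HOSTNAME} ) 2>/dev/null 1>/dev/null
+TMP_NMAP_LIGHT_EXIT_CODE=$?
+${TMP_NMAP} -oX "${TMP_NMAP_THOROUGH_XML_OUTPUT}" -oN "${TMP_NMAP_THOROUGH_TEXT_OUTPUT}" ${TMP_NMAP_THOROUGH_NONROOT_PARAMS} $( ${HOSTNAME} ) 2>/dev/null 1>/dev/null
+TMP_NMAP_THOROUGH_EXIT_CODE=$?
+fi
+
+script_attach_file "${TMP_NMAP_LIGHT_TEXT_OUTPUT}"
+script_attach_file "${TMP_NMAP_LIGHT_XML_OUTPUT}"
+script_attach_file "${TMP_NMAP_THOROUGH_TEXT_OUTPUT}"
+script_attach_file "${TMP_NMAP_THOROUGH_XML_OUTPUT}"
+
+# if nmap directory was set, remove the installed nmap
+if [ ! "${TMP_NMAP_DIR}" = "" ]
+then
+rm -Rf "${TMP_NMAP_DIR}"
+fi
+
+# and also delete the archive that we downloaded
+if [ ! "${TMP_NMAP_ARCHIVE}" = "" ] && [ -f "/tmp/${TMP_NMAP_ARCHIVE}" ]
+then
+rm -f "/tmp/${TMP_NMAP_ARCHIVE}"
+fi
+fi
+
+if [ ${TMP_NMAP_LIGHT_EXIT_CODE} -eq 0 ] && [ ${TMP_NMAP_THOROUGH_EXIT_CODE} -eq 0 ]
+then
+#both nmaps finished with exit code 0, script suceeded
+! false
+else
+false
+fi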
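Review bot: The nmap build fetched at lines 29 and 41 over plain HTTP is unpacked into `/` (lines 34, 46) and then executed through `${RUN_AS_SUPERUSER}` at lines 62–64 without any integrity check, and the `-f` test at lines 30/42 on the fixed path `/tmp/${TMP_NMAP_ARCHIVE}` cannot distinguish a fresh download from a file that was already there, so both the transfer and that path become inputs to code run as root. Pin the published digest and compare it before extracting, download into a private directory created under `${AUDIT_DIRECTORY}`, and extract there rather than into `/`; sha256sum and mktemp would need a HAS_* dependency like the other tools, and the path in the sketch below assumes the archive is rooted at tmp/nmap-5.51-x64, which is what the current `-C /` extraction implies. The i686 branch (lines 27–38) needs the same change, and the archive cleanup at lines 85–88 becomes redundant once the archive lives inside `${TMP_NMAP_DIR}`, which line 81 already removes. Separately, the Description at lines 4–5 is copied from a passwd check, and the Imports at line 7 list SHADOW_FILE, PASSWD_FILE, CAT and CUT instead of the UNAME, TAR, DOWNLOAD_FILE and HOSTNAME the script actually uses.
```sh
x86_64)
  TMP_NMAP_ARCHIVE="nmap-5.51-x64-tmp.tar.bz2"
  TMP_NMAP_EXPECTED_SHA256="<sha256-of-published-archive>"   # placeholder: pin the real digest here; until it is filled in the check fails closed
  TMP_NMAP_DIR=$( mktemp -d "${AUDIT_DIRECTORY}/nmap.XXXXXX" ) || TMP_NMAP_DIR=""
  TMP_NMAP_ACTUAL_SHA256=""
  if [ ! "${TMP_NMAP_DIR}" = "" ]
  then
    ${DOWNLOAD_FILE} "${TMP_NMAP_DIR}/${TMP_NMAP_ARCHIVE}" "http://home.in.tum.de/zaddach/var/${TMP_NMAP_ARCHIVE}" 2>/dev/null 1>/dev/null
    [ -f "${TMP_NMAP_DIR}/${TMP_NMAP_ARCHIVE}" ] && TMP_NMAP_ACTUAL_SHA256=$( sha256sum "${TMP_NMAP_DIR}/${TMP_NMAP_ARCHIVE}" | ${CUT} -d' ' -f1 )
  fi
  if [ "${TMP_NMAP_ACTUAL_SHA256}" = "${TMP_NMAP_EXPECTED_SHA256}" ]
  then
    # unpack inside the private directory only, never into /
    ${TAR} xjf "${TMP_NMAP_DIR}/${TMP_NMAP_ARCHIVE}" -C "${TMP_NMAP_DIR}"
    TMP_NMAP="${TMP_NMAP_DIR}/tmp/nmap-5.51-x64/bin/nmap"
  else
    script_error_message "Download or checksum verification of NMap archive ${TMP_NMAP_ARCHIVE} failed"
  fi
  ;;
# … unchanged: nmap invocation, script_attach_file calls, rm -Rf "${TMP_NMAP_DIR}" …
```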
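--- a/data/lib/audit/checks/LOGGED_USERS.check
+++ b/data/lib/audit/checks/LOGGED_USERS.check
@@ -0,0 +1,28 @@
+ID: LOGGED_USERS
+Name: List logged-in users
+Depends: [HAS_AWK, HAS_WHO, HAS_BASE]
+Imports: [AWK, WHO, SED]
+Description: List all users that are currently logged in using who.
+Script: |
+IFS=$( printf "\n+" ); IFS=${IFS%+}
+TMP_OUTPUT=$( ${WHO} -u -p )
+
+for TMP_LINE in ${TMP_OUTPUT}
+do
+TMP_USER=$( echo ${TMP_LINE} | ${AWK} '{ print $1 }' )
+TMP_TERMINAL=$( echo ${TMP_LINE} | ${AWK} '{ print $2 }' )
+TMP_DATE=$( echo ${TMP_LINE} | ${AWK} '{ print $3 }' )
+TMP_TIME=$( echo ${TMP_LINE} | ${AWK} '{ print $4 }' )
+TMP_IDLE=$( echo ${TMP_LINE} | ${AWK} '{ print $5 }' )
+TMP_PID=$( echo ${TMP_LINE} | ${AWK} '{ print $6 }' )
+TMP_COMMENT=$( echo ${TMP_LINE} | ${AWK} '{ print $7 }' )
+
+
+script_data "logins.who.${TMP_USER}.line.{${TMP_TERMINAL}}.login_date" "${TMP_DATE}"
+script_data "logins.who.${TMP_USER}.line.{${TMP_TERMINAL}}.login_time" "${TMP_TIME}"
+script_data "logins.who.${TMP_USER}.line.{${TMP_TERMINAL}}.idle" "${TMP_IDLE}"
+script_data "logins.who.${TMP_USER}.line.{${TMP_TERMINAL}}.pid" "${TMP_PID}"
+script_data "logins.who.${TMP_USER}.line.{${TMP_TERMINAL}}.comment" "${TMP_COMMENT}"
+done
+! false
+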
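Review bot: IFS is switched to newline-only at line 7 and never restored, so every check that runs after this one in the generated script inherits newline-only word splitting (LYNIS_AUTH_9208 restores IFS explicitly, which suggests the checks share one shell). Restore it after the loop at line 26 with `IFS=$( printf ' \t\n+' ); IFS=${IFS%+}`; LYNIS_AUTH_9216, LYNIS_AUTH_9222, LYNIS_AUTH_9226 and LYNIS_AUTH_9228 set the newline IFS the same way and would need the same restore. Imports at line 4 also lists SED, which the script never uses.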
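--- a/data/lib/audit/checks/LYNIS_AUTH_9204.check
+++ b/data/lib/audit/checks/LYNIS_AUTH_9204.check
@@ -0,0 +1,43 @@
+ID: LYNIS_AUTH_9204
+Name: Check users with UID zero (0)
+Depends: [FIND_PASSWD_FILE, HAS_GREP]
+Exports: [GROUPS]
+Imports: [HEAD, SED]
+Description: >
+Check that there is only one user with UID 0. Only the 'root' account
+should have this UID, as you are able to do everything you want on a
+system if you have UID 0. If you want to allow multiple accounts to
+administrate your machine, consider using sudo.
+Script: |
+TMP_COUNTER=1
+for TMP_LINE in $(${GREP} -E "^[^:]*:[^:]*:0:" "${PASSWD_FILE}" )
+do
+TMP_USER=$(echo ${TMP_LINE} | ${CUT} -d: -f1)
+TMP_UID=$(echo ${TMP_LINE} | ${CUT} -d: -f3)
+TMP_GID=$(echo ${TMP_LINE} | ${CUT} -d: -f4)
+
+script_info_message "User ${TMP_USER} [${TMP_UID}] has root rights"
+
+if [ ! "${TMP_USER}" = "root" ]
+then
+script_data "errors.users.duplicate_root.${TMP_COUNTER}.name" "${TMP_USER}"
+script_data "errors.users.duplicate_root.${TMP_COUNTER}.uid" "${TMP_UID}"
+script_data "errors.users.duplicate_root.${TMP_COUNTER}.gid" "${TMP_GID}"
+fi
+
+TMP_COUNTER=$(( ${TMP_COUNTER} + 1 ))
+done
+
+if [ ${TMP_COUNTER} = 1 ]
+then
+script_error_message "No administrator accounts found"
+false
+elif [ ${TMP_COUNTER} = 2 ]
+then
+script_info_message "No accounts found with UID 0 other than root"
+! false
+else
+script_error_message "Multiple users with UID 0 found in passwd file"
+false
+fi
+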
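Review bot: The loop at line 13 splits grep's output on the ambient IFS, which this check never sets; with the default IFS a passwd entry whose GECOS field contains a space is split into two words, and `cut -f1` on the second word yields a bogus user that lines 21–25 then report as a second UID-0 account. Set newline-only splitting before the loop as LYNIS_AUTH_9208 does, `IFS=$( printf '\n+' ); IFS=${IFS%+}`, and restore it after line 29 with `IFS=$( printf ' \t\n+' ); IFS=${IFS%+}`. The header is also out of step with the script: `${CUT}` and `${PASSWD_FILE}` are used but Imports at line 5 lists HEAD and SED, Depends at line 3 lacks HAS_CUT, and `Exports: [GROUPS]` at line 4 looks copied from another check since nothing is exported here. Finally, the `TMP_COUNTER = 2` branch at lines 35–38 reports "no accounts other than root" without confirming that the single match is root, so a lone UID-0 account under another name passes; set a flag inside the `if` at line 21 and fail when it is set.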
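--- a/data/lib/audit/checks/LYNIS_AUTH_9208.check
+++ b/data/lib/audit/checks/LYNIS_AUTH_9208.check
@@ -0,0 +1,35 @@
+ID: LYNIS_AUTH_9208
+Name: Check non unique user ids
+Depends: [FIND_PASSWD_FILE, HAS_GREP, HAS_CUT, HAS_CAT]
+Imports: [PASSWD_FILE, GREP, CUT, CAT]
+Description: >
+Check that each user has a unique UID. Having several
+accounts with the same UID is not meaningful. as only the
+UID is ised internally to distinguish between users.
+Script: |
+TMP_RESULT=""
+
+TMP_DUPLICATE_UIDS=$( ${GREP} -v "^$" "${PASSWD_FILE}" | ${SED} -e 's/^[^:]*:[^:]*:\([^:]*\):.*$/\1/' | ${SORT} | ${UNIQ} -d )
+IFS=$( printf ' \t\n+' ); IFS=${IFS%+}
+for TMP_UID in $( echo ${TMP_DUPLICATE_UIDS} )
+do
+TMP_USERNAME_NUM=1
+IFS=$( printf '\n+' ); IFS=${IFS%+}
+for TMP_LINE in $(${GREP} -E "^[^:]*:[^:]*:${TMP_UID}:" "${PASSWD_FILE}" )
+do
+TMP_USER=$(echo ${TMP_LINE} | ${CUT} -d: -f1)
+TMP_RESULT="${TMP_RESULT}I"
+
+script_error_message "User ${TMP_USER} does not have a unique UID"
+
+#TODO: UID is not a unique key here, as there may also be 3 users with the same UID ...
+script_data "errors.users.duplicate_uid.${TMP_UID}.names.${TMP_USERNAME_NUM}" "${TMP_USER}"
+
+TMP_USERNAME_NUM=$(( ${TMP_USERNAME_NUM} + 1 ))
+done
+IFS=$( printf ' \t\n+' ); IFS=${IFS%+}
+done
+
+# only succeed check if no users with same uid were found
+[ "${TMP_DUPLICATE_UIDS}" = "" ]
+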
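Review bot: Line 12 runs `${SED}`, `${SORT}` and `${UNIQ}`, none of which appear in Depends (line 3) or Imports (line 4), while CAT is listed but unused; if one of them is unset, that pipeline stage runs an option string as a command, TMP_DUPLICATE_UIDS comes back empty and the test at line 34 passes without having checked anything. Add HAS_SORT and HAS_UNIQ to Depends and SED, SORT and UNIQ to Imports (SED appears to be provided through HAS_BASE, judging by the MAYBE_HAS_* checks). The TODO at line 25 looks stale, since TMP_USERNAME_NUM already makes the key unique per user, and TMP_RESULT (lines 10, 21) is accumulated but never read. The Description at lines 7–8 has two typos, "meaningful. as" and "ised".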
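--- a/data/lib/audit/checks/LYNIS_AUTH_9216.check
+++ b/data/lib/audit/checks/LYNIS_AUTH_9216.check
@@ -0,0 +1,24 @@
+ID: LYNIS_AUTH_9216
+Name: Check /etc/group and shadow group files with grpck tool
+Depends: [HAS_SUPERUSER, HAS_GROUPCHECK]
+Imports: [PASSWD_FILE, GREP, CUT, CAT]
+Description: >
+Run grpck program to verify integrity of group
+and gshadow files.
+Script: |
+TMP_GROUPCHECK_RESULT=$(${RUN_AS_SUPERUSER} ${GROUPCHECK})
+
+if [ "${TMP_GROUPCHECK_RESULT}" = "" ]
+then
+! false
+else
+IFS=$( printf '\n+' ); IFS=${IFS%+}
+TMP_COUNTER=1
+for TMP_LINE in $(echo "${TMP_GROUPCHECK_RESULT}")
+do
+script_error_message "grpck reported error: ${TMP_LINE}"
+script_data "errors.users.grpck.${TMP_COUNTER}" "${TMP_LINE}"
+TMP_COUNTER=$(( ${TMP_COUNTER} + 1 ))
+done
+false
+fi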
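Review bot: Line 9 keeps only grpck's stdout and discards its exit status, so if `${GROUPCHECK}` cannot be run at all (missing binary, permission denied) or reports on stderr, the result is empty and the check succeeds at lines 11–13. Record the status and make it the decision, `TMP_GROUPCHECK_RESULT=$(${RUN_AS_SUPERUSER} ${GROUPCHECK} 2>&1); TMP_GROUPCHECK_STATUS=$?` and `if [ "${TMP_GROUPCHECK_STATUS}" -eq 0 ]`, keeping the captured lines only as detail for lines 19–20; LYNIS_AUTH_9228 has the same pattern for pwck. Unless HAS_GROUPCHECK already adds it, `${GROUPCHECK}` should carry grpck's `-r` (read-only) flag so an audit run can never be prompted to modify the group files. Imports at line 4 (PASSWD_FILE, GREP, CUT, CAT) does not match what the script uses, which is RUN_AS_SUPERUSER and GROUPCHECK.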
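--- a/data/lib/audit/checks/LYNIS_AUTH_9222.check
+++ b/data/lib/audit/checks/LYNIS_AUTH_9222.check
@@ -0,0 +1,25 @@
+ID: LYNIS_AUTH_9222
+Name: Check non unique group names
+Depends: [HAS_GREP, HAS_CUT, HAS_SORT, HAS_UNIQ, FIND_GROUP_FILE, HAS_TR]
+Imports: [GREP, CUT, SORT, UNIQ, GROUP_FILE, TR]
+Severity: low
+Description: >
+Check that each group name is defined only once in /etc/groups.
+If a group name is defined multiple times this does not necessarily
+mean an error, but you should verify that this is intended.
+Script: |
+TMP_DUPLICATE_GIDS=$(${GREP} -v '^$' ${GROUP_FILE} | ${CUT} -d: -f3 | ${SORT} | ${UNIQ} -d)
+
+if [ "${TMP_DUPLICATE_GIDS}" = "" ]
+then
+script_info_message "no duplicate group ids"
+! false
+else
+IFS=$( printf '\n+' ); IFS=${IFS%+}
+for TMP_GID in $(echo ${TMP_DUPLICATE_GIDS})
+do
+TMP_GROUPNAMES=$(${GROUP} -E "^[^:]*:[^:]*:${TMP_GID}:" ${GROUP_FILE} | ${CUT} -d: -f1 | ${SORT} | ${UNIQ} | ${TR} '\n' ' ')
+script_error_message "The group id ${TMP_GID} is defined multiple times for groups: ${TMP_GROUPNAMES}"
+done
+false
+fi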
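Review bot: `${GROUP}` at line 21 is a typo for `${GREP}`; no GROUP variable is imported, so the pipeline's first stage runs `-E` as a command and TMP_GROUPNAMES is always empty, leaving the message at line 22 without the group names it promises. Change it to `TMP_GROUPNAMES=$(${GREP} -E "^[^:]*:[^:]*:${TMP_GID}:" ${GROUP_FILE} | ${CUT} -d: -f1 | ${SORT} | ${UNIQ} | ${TR} '\n' ' ')`. The Name at line 2 and the Description at lines 7–9 describe duplicate group names (the subject of LYNIS_AUTH_9226) whereas this script tests duplicate group ids; the duplicate ids are also reported only as messages, so a `script_data` entry per id, as LYNIS_AUTH_9204 records for duplicate roots, would give the structured output something to key on.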
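--- a/data/lib/audit/checks/LYNIS_AUTH_9226.check
+++ b/data/lib/audit/checks/LYNIS_AUTH_9226.check
@@ -0,0 +1,24 @@
+ID: LYNIS_AUTH_9226
+Name: Check non unique group names
+Depends: [HAS_GREP, HAS_CUT, HAS_SORT, HAS_UNIQ, FIND_GROUP_FILE]
+Imports: [GREP, CUT, SORT, UNIQ, GROUP_FILE]
+Severity: low
+Description: >
+Check that each group name is defined only once in /etc/groups.
+If a group name is defined multiple times this does not necessarily
+mean an error, but you should verify that this is intended.
+Script: |
+TMP_DUPLICATE_GROUPS=$(${GREP} -v '^$' ${GROUP_FILE} | ${CUT} -d: -f1 | ${SORT} | ${UNIQ} -d)
+
+if [ "${TMP_DUPLICATE_GROUPS}" = "" ]
+then
+script_info_message "no duplicate groups"
+! false
+else
+IFS=$( printf '\n+' ); IFS=${IFS%+}
+for TMP_LINE in $(echo ${TMP_DUPLICATE_GROUPS})
+do
+script_error_message "The group ${TMP_LINE} is defined multiple times in ${GROUP_FILE}"
+done
+false
+fi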
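Review bot: The Description at line 7 names /etc/groups; the file the script reads through ${GROUP_FILE} is /etc/group. The loop at lines 19–22 emits only messages, unlike LYNIS_AUTH_9204 and LYNIS_AUTH_9216 which also record a `script_data` entry, so the structured result holds no record of which names were duplicated; add a counter and `script_data "errors.groups.duplicate_name.${TMP_COUNTER}" "${TMP_LINE}"` inside the loop. `${GROUP_FILE}` at line 11 is unquoted, unlike the quoted "${PASSWD_FILE}" in the sibling checks.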
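--- a/data/lib/audit/checks/LYNIS_AUTH_9228.check
+++ b/data/lib/audit/checks/LYNIS_AUTH_9228.check
@@ -0,0 +1,24 @@
+ID: LYNIS_AUTH_9228
+Name: Check Linux password file consistency pwck tool
+Depends: [HAS_SUPERUSER, HAS_PASSWD_CHECK, HAS_GREP]
+Imports: [RUN_AS_SUPERUSER, PASSWD_CHECK, GREP]
+Description: >
+Run pwck program to verify integrity of passwd and shadow files.
+Script: |
+TMP_PWCHECK_RESULT=$(${RUN_AS_SUPERUSER} ${PASSWD_CHECK})
+
+if [ "${TMP_PWCHECK_RESULT}" = "" ]
+then
+script_info_message "Password and shadow file ok"
+! false
+else
+IFS=$( printf '\n+' ); IFS=${IFS%+}
+TMP_COUNTER=1
+for TMP_LINE in $(echo "${TMP_PWCHECK_RESULT}" | ${GREP} -v "pwck:")
+do
+script_error_message "pwck reported error: ${TMP_LINE}"
+script_data "errors.users.pwck.${TMP_COUNTER}" "${TMP_LINE}"
+TMP_COUNTER=$(( ${TMP_COUNTER} + 1 ))
+done
+false
+fi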
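Review bot: The `${GREP} -v "pwck:"` filter at line 17 is applied to the loop but not to the decision at line 10, so a run whose only output is a `pwck:`-prefixed status line fails the check at line 23 while reporting zero errors. Compute the filtered output once, `TMP_PWCHECK_ERRORS=$(echo "${TMP_PWCHECK_RESULT}" | ${GREP} -v "pwck:")`, and use it both for the test at line 10 and the loop at line 17. Lines that do carry the `pwck:` prefix can also be failures of pwck itself (for instance not being able to lock or read the files), and those are currently dropped silently; surface them with `script_warn_message` and, as in LYNIS_AUTH_9216, capture the exit status and `2>&1` rather than relying on stdout alone.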
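--- a/data/lib/audit/checks/LYNIS_AUTH_9252.check
+++ b/data/lib/audit/checks/LYNIS_AUTH_9252.check
@@ -0,0 +1,19 @@
+ID: LYNIS_AUTH_9252
+Name: Check for sudoers file permissions
+Depends: [HAS_STAT, FIND_SUDOERS_FILE]
+Imports: [STAT, SUDOERS_FILE]
+Severity: low
+Description: >
+Check that each group name is defined only once in /etc/groups.
+If a group name is defined multiple times this does not necessarily
+mean an error, but you should verify that this is intended.
+Script: |
+TMP_PERMS=$( ${STAT} -c '%a' ${SUDOERS_FILE} )
+
+if [ "${TMP_PERMS}" = "440" ] || [ "${TMP_PERMS}" = "660" ] || [ "${TMP_PERMS}" = "600" ]
+then
+script_info_message "Sudoers file ${SUDOERS_FILE} permissions ok"
+else
+script_error_message "Permissions (${TMP_PERMS}) of ${SUDOERS_FILE} may be too loose"
+false
+fi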
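Review bot: The condition at line 13 accepts mode 660, which is group-writable, and 600; sudo itself by default refuses a sudoers file that has any write bit set, so only 440 (and the stricter 400) should count as ok. Owner and group are not checked either, although a non-root owner makes the mode moot; add `TMP_OWNER=$( ${STAT} -c '%U:%G' "${SUDOERS_FILE}" )` and test `[ "${TMP_OWNER}" = "root:root" ] && { [ "${TMP_PERMS}" = "440" ] || [ "${TMP_PERMS}" = "400" ]; }`. The success branch at line 15 does not end with `! false` as the other checks do, so the check's result depends on the return value of script_info_message. The Description at lines 7–9 is copied from the group-name check and should describe the sudoers permission test instead.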
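--- a/data/lib/audit/checks/MAYBE_HAS_BZIP2.check
+++ b/data/lib/audit/checks/MAYBE_HAS_BZIP2.check
@@ -0,0 +1,17 @@
+ID: MAYBE_HAS_BZIP2
+Name: Check for bzip2
+Depends: [HAS_BASE]
+Exports: [BZIP2]
+Imports: [HEAD, SED]
+Description: Find the bzip2 program and export it to BZIP2.
+Script: |
+if echo "test" | bzip2 --version 2>/dev/null 1>/dev/null
+then
+BZIP2=bzip2
+TMP_BZIP2_NAME=$(echo "test" | ${BZIP2} --version 2>&1 1>/dev/null | ${HEAD} -1 | ${SED} -e 's/^\(.*\) Version \(.*\)$/\1/')
+TMP_BZIP2_VERSION=$(echo "test" | ${BZIP2} --version 2>&1 1>/dev/null | ${HEAD} -1 | ${SED} -e 's/^\(.*\) Version \(.*\)$/\2/')
+script_program_name "${TMP_BZIP2_NAME}" "${TMP_BZIP2_VERSION}"
+else
+script_message "bzip2 not found"
+fi
+! false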
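Review bot: On the not-found path (line 15) BZIP2 is left unassigned, while the sibling MAYBE_HAS_CURL, MAYBE_HAS_DU, MAYBE_HAS_HOSTNAME and MAYBE_HAS_ID checks set their variable to an empty string so importers can test it; add `BZIP2=""` before line 15. `script_message` at line 15 is not used by any other check in this diff (they call script_warn_message or script_error_message); if helpers/head.sh does not define it, the else branch fails with a command-not-found error, which I cannot verify from here.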
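--- a/data/lib/audit/checks/MAYBE_HAS_CURL.check
+++ b/data/lib/audit/checks/MAYBE_HAS_CURL.check
@@ -0,0 +1,17 @@
+ID: MAYBE_HAS_CURL
+Name: Check for curl program
+Depends: [HAS_BASE]
+Imports: [HEAD, SED]
+Description: Find the curl program and export it to CURL, but do not fail if it is not installed.
+Script: |
+if curl --version 2>/dev/null 1>/dev/null
+then
+CURL=curl
+TMP_CURL_NAME=$(${CURL} --version | ${HEAD} -1 | ${SED} -e 's/\([A-Za-z ]\+\)[[:blank:]]\([0-9.]\+\)[[:blank:]].*$/\1/')
+TMP_CURL_VERSION=$(${CURL} --version | ${HEAD} -1 | ${SED} -e 's/\([A-Za-z() ]\+\)[[:blank:]]\([0-9.]\+\)[[:blank:]].*$/\2/')
+script_program_name "${TMP_CURL_NAME}" "${TMP_CURL_VERSION}"
+else
+CURL=""
+script_error_message "not found"
+fi
+! false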
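Review bot: The Description at line 5 says CURL is exported, but unlike MAYBE_HAS_BZIP2 there is no `Exports: [CURL]` line; if the framework only propagates declared exports, dependents cannot import CURL. MAYBE_HAS_DU, MAYBE_HAS_HOSTNAME, MAYBE_HAS_ID and MAYBE_HAS_LSB_RELEASE have the same gap. The message at line 15 omits the program name; use `script_error_message "curl not found"` as MAYBE_HAS_DU does (MAYBE_HAS_HOSTNAME and MAYBE_HAS_ID emit the same bare "not found").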
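--- a/data/lib/audit/checks/MAYBE_HAS_DU.check
+++ b/data/lib/audit/checks/MAYBE_HAS_DU.check
@@ -0,0 +1,17 @@
+ID: MAYBE_HAS_DU
+Name: Check for du program
+Depends: [HAS_BASE]
+Imports: [HEAD, SED]
+Description: Find the du program and export it to DU.
+Script: |
+if du --version 2>/dev/null 1>/dev/null
+then
+DU=du
+TMP_DU_NAME=$(${DU} --version | ${HEAD} -1 | ${SED} -e 's/\([A-Za-z() ]\+\)[[:blank:]]\([0-9.]\+\)/\1/')
+TMP_DU_VERSION=$(${DU} --version | ${HEAD} -1 | ${SED} -e 's/\([A-Za-z() ]\+\)[[:blank:]]\([0-9.]\+\)/\2/')
+script_program_name "${TMP_DU_NAME}" "${TMP_DU_VERSION}"
+else
+DU=""
+script_error_message "du not found"
+fi
+! false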
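Review bot: Presence is decided at line 7 by `du --version` exiting zero, but BSD and busybox variants of du have no `--version` option, so an installed du is reported missing and DU is emptied at line 14. Test presence with `command -v du >/dev/null 2>&1` and only then try `--version` for the name and version, falling back to "unknown" as MAYBE_HAS_LSB_RELEASE does. MAYBE_HAS_HOSTNAME (`hostname --version`) and MAYBE_HAS_ID (`id --version`) have the same issue.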
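--- a/data/lib/audit/checks/MAYBE_HAS_HOSTNAME.check
+++ b/data/lib/audit/checks/MAYBE_HAS_HOSTNAME.check
@@ -0,0 +1,17 @@
+ID: MAYBE_HAS_HOSTNAME
+Name: Check for hostname program
+Depends: [HAS_BASE]
+Imports: [HEAD, SED]
+Description: Find the hostname program and export it to HOSTNAME, but do not fail if it is not installed.
+Script: |
+if hostname --version 2>/dev/null 1>/dev/null
+then
+HOSTNAME=hostname
+TMP_HOSTNAME_NAME=$(${HOSTNAME} --version | ${HEAD} -1 | ${SED} -e 's/\([A-Za-z() ]\+\)[[:blank:]]\([0-9.]\+\)/\1/')
+TMP_HOSTNAME_VERSION=$(${HOSTNAME} --version | ${HEAD} -1 | ${SED} -e 's/\([A-Za-z() ]\+\)[[:blank:]]\([0-9.]\+\)/\2/')
+script_program_name "${TMP_HOSTNAME_NAME}" "${TMP_HOSTNAME_VERSION}"
+else
+HOSTNAME=""
+script_error_message "not found"
+fi
+! false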
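--- a/data/lib/audit/checks/MAYBE_HAS_ID.check
+++ b/data/lib/audit/checks/MAYBE_HAS_ID.check
@@ -0,0 +1,17 @@
+ID: MAYBE_HAS_ID
+Name: Check for id program
+Depends: [HAS_BASE]
+Imports: [HEAD, SED]
+Description: Find the id program and export it to ID, but do not fail if it is not installed.
+Script: |
+if id --version 2>/dev/null 1>/dev/null
+then
+ID=id
+TMP_ID_NAME=$(${ID} --version | ${HEAD} -1 | ${SED} -e 's/\([A-Za-z() ]\+\)[[:blank:]]\([0-9.]\+\)/\1/')
+TMP_ID_VERSION=$(${ID} --version | ${HEAD} -1 | ${SED} -e 's/\([A-Za-z() ]\+\)[[:blank:]]\([0-9.]\+\)/\2/')
+script_program_name "${TMP_ID_NAME}" "${TMP_ID_VERSION}"
+else
+ID=""
+script_error_message "not found"
+fi
+! false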
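--- a/data/lib/audit/checks/MAYBE_HAS_LSB_RELEASE.check
+++ b/data/lib/audit/checks/MAYBE_HAS_LSB_RELEASE.check
@@ -0,0 +1,15 @@
+ID: MAYBE_HAS_LSB_RELEASE
+Name: Check for lsb_release program
+Depends: [HAS_BASE]
+Imports: [HEAD, SED]
+Description: Find the lsb_release program and export it to LSB_RELEASE.
+Script: |
+lsb_release 2>/dev/null 1>/dev/null
+if ! [ "$?" = 127 ]
+then
+LSB_RELEASE="lsb_release -s"
+script_program_name "lsb_release" "unknown"
+else
+script_warn_message "lsb_release not found"
+fi
+! false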
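Review bot: Line 8 treats only exit status 127 as "not installed", so a present-but-unusable lsb_release (status 126, or any other failure) is still recorded as available at lines 10–11. Test presence with `command -v lsb_release >/dev/null 2>&1` instead. On the not-found path LSB_RELEASE is never assigned, unlike the empty-string assignment in MAYBE_HAS_CURL and MAYBE_HAS_DU, and Imports at line 4 lists HEAD and SED which the script does not use.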