CloudyScripts 1.6.1 → 1.7.27
- data/Rakefile +1 -1
- data/lib/audit/checks/APACHE2.group +6 -0
- data/lib/audit/checks/APACHE2_CONFIG_01.check +36 -0
- data/lib/audit/checks/APACHE2_CONFIG_02.check +34 -0
- data/lib/audit/checks/APACHE2_CONFIG_03.check +60 -0
- data/lib/audit/checks/APACHE2_CONFIG_04.check +23 -0
- data/lib/audit/checks/APACHE2_CONFIG_05.check +23 -0
- data/lib/audit/checks/APACHE2_CONFIG_06.check +30 -0
- data/lib/audit/checks/APACHE2_INIT_1.check +14 -0
- data/lib/audit/checks/APACHE2_INIT_2.check +66 -0
- data/lib/audit/checks/APACHE2_INIT_3.check +13 -0
- data/lib/audit/checks/APACHE2_USER_7.check +17 -0
- data/lib/audit/checks/BACKUP_HOME_DOTFILES.check +26 -0
- data/lib/audit/checks/BACKUP_LOG.check +24 -0
- data/lib/audit/checks/BACKUP_MAIL.check +19 -0
- data/lib/audit/checks/BACKUP_WEB.check +12 -0
- data/lib/audit/checks/CONFIGURATION_BACKUP.check +14 -0
- data/lib/audit/checks/DIRECTORY_LISTING.check +14 -0
- data/lib/audit/checks/DISTRIBUTION_FACTS.check +60 -0
- data/lib/audit/checks/DMESG_OUTPUT.check +14 -0
- data/lib/audit/checks/FIND_GROUP_FILE.check +6 -0
- data/lib/audit/checks/FIND_PASSWD_FILE.check +8 -0
- data/lib/audit/checks/FIND_SHADOW_FILE.check +5 -0
- data/lib/audit/checks/FIND_SUDOERS_FILE.check +6 -0
- data/lib/audit/checks/FREE_SPACE.check +26 -0
- data/lib/audit/checks/HAS_AWK.check +30 -0
- data/lib/audit/checks/HAS_BASE.check +21 -0
- data/lib/audit/checks/HAS_CAT.check +18 -0
- data/lib/audit/checks/HAS_COMPRESSOR.check +30 -0
- data/lib/audit/checks/HAS_CUT.check +18 -0
- data/lib/audit/checks/HAS_DF.check +19 -0
- data/lib/audit/checks/HAS_DPKG.check +18 -0
- data/lib/audit/checks/HAS_FILE_DOWNLOADER.check +32 -0
- data/lib/audit/checks/HAS_FIND.check +18 -0
- data/lib/audit/checks/HAS_GREP.check +19 -0
- data/lib/audit/checks/HAS_GROUPCHECK.check +23 -0
- data/lib/audit/checks/HAS_GROUPS.check +19 -0
- data/lib/audit/checks/HAS_HOSTNAME.check +7 -0
- data/lib/audit/checks/HAS_ID.check +7 -0
- data/lib/audit/checks/HAS_LSB_RELEASE.check +16 -0
- data/lib/audit/checks/HAS_MOUNT.check +19 -0
- data/lib/audit/checks/HAS_NETSTAT.check +20 -0
- data/lib/audit/checks/HAS_PASSWD_CHECK.check +17 -0
- data/lib/audit/checks/HAS_PS.check +19 -0
- data/lib/audit/checks/HAS_ROUTE.check +19 -0
- data/lib/audit/checks/HAS_SH.check +19 -0
- data/lib/audit/checks/HAS_SORT.check +17 -0
- data/lib/audit/checks/HAS_STAT.check +17 -0
- data/lib/audit/checks/HAS_SUPERUSER.check +11 -0
- data/lib/audit/checks/HAS_TAIL.check +16 -0
- data/lib/audit/checks/HAS_TAR.check +7 -0
- data/lib/audit/checks/HAS_TR.check +22 -0
- data/lib/audit/checks/HAS_UNAME.check +7 -0
- data/lib/audit/checks/HAS_UNIQ.check +17 -0
- data/lib/audit/checks/HAS_WC.check +16 -0
- data/lib/audit/checks/HAS_WHO.check +18 -0
- data/lib/audit/checks/HAS_YUM.check +18 -0
- data/lib/audit/checks/LASTLOG.check +28 -0
- data/lib/audit/checks/LIST_ROUTES.check +33 -0
- data/lib/audit/checks/LIST_USER_ACCOUNTS.check +25 -0
- data/lib/audit/checks/LOADED_MODULES.check +22 -0
- data/lib/audit/checks/LOCAL_NMAP.check +97 -0
- data/lib/audit/checks/LOGGED_USERS.check +28 -0
- data/lib/audit/checks/LYNIS_AUTH.group +9 -0
- data/lib/audit/checks/LYNIS_AUTH_9204.check +43 -0
- data/lib/audit/checks/LYNIS_AUTH_9208.check +35 -0
- data/lib/audit/checks/LYNIS_AUTH_9216.check +24 -0
- data/lib/audit/checks/LYNIS_AUTH_9222.check +25 -0
- data/lib/audit/checks/LYNIS_AUTH_9226.check +24 -0
- data/lib/audit/checks/LYNIS_AUTH_9228.check +24 -0
- data/lib/audit/checks/LYNIS_AUTH_9252.check +19 -0
- data/lib/audit/checks/MAYBE_HAS_BZIP2.check +17 -0
- data/lib/audit/checks/MAYBE_HAS_CURL.check +17 -0
- data/lib/audit/checks/MAYBE_HAS_DU.check +17 -0
- data/lib/audit/checks/MAYBE_HAS_HOSTNAME.check +17 -0
- data/lib/audit/checks/MAYBE_HAS_ID.check +17 -0
- data/lib/audit/checks/MAYBE_HAS_LSB_RELEASE.check +15 -0
- data/lib/audit/checks/MAYBE_HAS_SUPERUSER.check +36 -0
- data/lib/audit/checks/MAYBE_HAS_TAR.check +19 -0
- data/lib/audit/checks/MAYBE_HAS_UNAME.check +17 -0
- data/lib/audit/checks/MAYBE_HAS_WGET.check +17 -0
- data/lib/audit/checks/MOUNTED_DEVICES.check +22 -0
- data/lib/audit/checks/MYSQL_HISTORY_1.check +29 -0
- data/lib/audit/checks/MYSQL_INIT_1.check +9 -0
- data/lib/audit/checks/MYSQL_INIT_2.check +12 -0
- data/lib/audit/checks/MYSQL_INIT_3.check +7 -0
- data/lib/audit/checks/PACKAGES_INSTALLED_DPKG.check +38 -0
- data/lib/audit/checks/PACKAGES_INSTALLED_YUM.check +36 -0
- data/lib/audit/checks/PASSWORD_INFORMATION.check +33 -0
- data/lib/audit/checks/PLATFORM_FACTS.check +35 -0
- data/lib/audit/checks/PORTS_OPEN_NETSTAT.check +121 -0
- data/lib/audit/checks/PROCESS_LIST.check +87 -0
- data/lib/audit/checks/SLOW.group +7 -0
- data/lib/audit/checks/SLOW_1.check +4 -0
- data/lib/audit/checks/SLOW_2.check +4 -0
- data/lib/audit/checks/SLOW_3.check +4 -0
- data/lib/audit/checks/SSH.group +14 -0
- data/lib/audit/checks/SSH_CONFIG_01.check +12 -0
- data/lib/audit/checks/SSH_CONFIG_02.check +15 -0
- data/lib/audit/checks/SSH_CONFIG_03.check +13 -0
- data/lib/audit/checks/SSH_CONFIG_04.check +11 -0
- data/lib/audit/checks/SSH_CONFIG_05.check +12 -0
- data/lib/audit/checks/SSH_CONFIG_06.check +12 -0
- data/lib/audit/checks/SSH_CONFIG_07.check +11 -0
- data/lib/audit/checks/SSH_CONFIG_08.check +12 -0
- data/lib/audit/checks/SSH_CONFIG_09.check +12 -0
- data/lib/audit/checks/SSH_CONFIG_10.check +15 -0
- data/lib/audit/checks/SSH_CONFIG_11.check +14 -0
- data/lib/audit/checks/SSH_INIT_1.check +9 -0
- data/lib/audit/checks/SSH_INIT_2.check +12 -0
- data/lib/audit/checks/SSH_KEYS_1.check +32 -0
- data/lib/audit/checks/USERS_INIT_1.check +9 -0
- data/lib/audit/checks/USERS_INIT_2.check +5 -0
- data/lib/audit/checks/USERS_INIT_3.check +5 -0
- data/lib/audit/checks/USERS_INIT_4.check +9 -0
- data/lib/audit/checks/USERS_INIT_5.check +10 -0
- data/lib/audit/checks/USER_INFORMATION.check +29 -0
- data/lib/audit/checks/VARIOUS.group +19 -0
- data/lib/audit/checks/VAR_LIST_HOME_DIRECTORIES.check +5 -0
- data/lib/audit/checks/benchmark.group +6 -0
- data/lib/audit/checks/footer.template +12 -0
- data/lib/audit/checks/header.template +10 -0
- data/lib/audit/checks/helpers/head.sh +59 -0
- data/lib/audit/checks/script_header.template +69 -0
- data/lib/audit/create_benchmark.sh +93 -0
- data/lib/audit/lib/audit.rb +136 -0
- data/lib/audit/lib/audit_facade.rb +5 -0
- data/lib/audit/lib/benchmark/audit_benchmark.rb +165 -0
- data/lib/audit/lib/benchmark/automatic_dependencies.rb +13 -0
- data/lib/audit/lib/benchmark/benchmark_factory.rb +23 -0
- data/lib/audit/lib/benchmark/benchmark_result.rb +25 -0
- data/lib/audit/lib/benchmark/check.rb +34 -0
- data/lib/audit/lib/benchmark/group.rb +30 -0
- data/lib/audit/lib/benchmark/item_exception.rb +13 -0
- data/lib/audit/lib/benchmark/result_code.rb +11 -0
- data/lib/audit/lib/benchmark/rule_result.rb +42 -0
- data/lib/audit/lib/benchmark/rule_role.rb +5 -0
- data/lib/audit/lib/benchmark/rule_severity.rb +13 -0
- data/lib/audit/lib/benchmark/yaml_benchmark.rb +133 -0
- data/lib/audit/lib/connection/ami_connection.rb +4 -0
- data/lib/audit/lib/connection/connection_factory.rb +27 -0
- data/lib/audit/lib/connection/ssh_connection.rb +243 -0
- data/lib/audit/lib/ec2_utils.rb +245 -0
- data/lib/audit/lib/http_fingerprint.rb +116 -0
- data/lib/audit/lib/lazy.rb +37 -0
- data/lib/audit/lib/linear_script_generator.rb +31 -0
- data/lib/audit/lib/main.rb +13 -0
- data/lib/audit/lib/my_option_parser.rb +106 -0
- data/lib/audit/lib/nessus_new.rb +290 -0
- data/lib/audit/lib/nessus_utils.rb +102 -0
- data/lib/audit/lib/parser/command/abstract_command.rb +32 -0
- data/lib/audit/lib/parser/command/abstract_command_result.rb +30 -0
- data/lib/audit/lib/parser/command/attach_file_command.rb +63 -0
- data/lib/audit/lib/parser/command/check_finished_command.rb +45 -0
- data/lib/audit/lib/parser/command/cpe_name_command.rb +37 -0
- data/lib/audit/lib/parser/command/data_command.rb +43 -0
- data/lib/audit/lib/parser/command/listening_port_command.rb +46 -0
- data/lib/audit/lib/parser/command/message_command.rb +21 -0
- data/lib/audit/lib/parser/command/program_name_command.rb +42 -0
- data/lib/audit/lib/parser/parse_exception.rb +2 -0
- data/lib/audit/lib/parser/result_type.rb +13 -0
- data/lib/audit/lib/parser/script_output_parser.rb +201 -0
- data/lib/audit/lib/parser/stdout_line_buffer.rb +43 -0
- data/lib/audit/lib/ssh_fingerprint.rb +220 -0
- data/lib/audit/lib/ssh_fingerprint2.rb +170 -0
- data/lib/audit/lib/ssh_utils.rb +292 -0
- data/lib/audit/lib/transformers/web_view_transformer.rb +171 -0
- data/lib/audit/lib/transformers/yaml_transformer.rb +50 -0
- data/lib/audit/lib/util/random_string.rb +22 -0
- data/lib/audit/lib/version.rb +7 -0
- data/lib/help/ec2_helper.rb +65 -2
- data/lib/help/remote_command_handler.rb +17 -0
- data/lib/help/state_transition_helper.rb +8 -0
- data/lib/scripts/ec2/open_port_checker.rb +112 -0
- data/lib/scripts/ec2/port_range_detector.rb +0 -1
- metadata +175 -16
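--- a/data/Rakefile
+++ b/data/Rakefile
@@ -12,7 +12,7 @@ require 'rake/testtask'
 
 spec = Gem::Specification.new do |s|
 s.name = 'CloudyScripts'
-s.version = '1.
+s.version = '1.7.27'
 s.has_rdoc = true
 s.extra_rdoc_files = ['README.rdoc', 'LICENSE']
 s.summary = 'Scripts to facilitate programming for infrastructure clouds.'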
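--- a/data/lib/audit/checks/APACHE2_CONFIG_01.check
+++ b/data/lib/audit/checks/APACHE2_CONFIG_01.check
@@ -0,0 +1,36 @@
+ID: APACHE2_CONFIG_01
+Depends: [APACHE2_INIT_2, HAS_CAT, HAS_BASE, HAS_GREP]
+Description: Get user for running Apache2 from configuration files and export it to APACHE2_USER.
+Type: [info]
+Name: APACHE2 get user from configuration files
+Script: |
+APACHE2_USER=""
+TMP_NUM_USERS=$(${CAT} ${APACHE2_CONFIG_FILES} | ${GREP} -c -E '^[[:blank:]]*User')
+
+if [ ! "${TMP_NUM_USERS}" = 1 ]
+then
+script_error_message "Found more than one 'User' directive in configuration files"
+else
+TMP_USER=$(${CAT} ${APACHE2_CONFIG_FILES} | ${GREP} -E '^[[:blank:]]*User' | sed -e 's/^[[:blank:]]*User[[:blank:]]*//')
+
+#In Ubuntu, the user name is a variable and is really defined in /etc/apache2/envvars
+if echo "${TMP_USER}" | ${GREP} '$' 2>/dev/null 1>/dev/null
+then
+TMP_USER_VAR=$( echo "${TMP_USER}" | ${SED} -e 's/\${\?//;s/}//' )
+TMP_USER=$(${CAT} /etc/apache2/envvars | ${GREP} "${TMP_USER_VAR}" | ${SED} -e "s/^.*${TMP_USER_VAR}[[:blank:]]*=[[:blank:]]*\(.*\)$/\1/")
+APACHE2_USER=${TMP_USER}
+else
+APACHE2_USER=${TMP_USER}
+fi
+
+if [ "${APACHE2_USER}" = "" ]
+then
+script_error_message "could not find Apache2 user"
+false
+else
+script_info_message "Found Apache2 user: ${APACHE2_USER}"
+! false
+fi
+fi
+
+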
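Review bot: The test `${GREP} '$'` on line 17 of the new file matches every input line, because an unescaped `$` is the end-of-line anchor, so the envvars branch is taken even when the `User` directive holds a literal account name; `${GREP} -F '$'` would test for a literal dollar sign. The count check on line 10 also rejects zero matches while reporting "more than one", and the pattern `^[[:blank:]]*User` counts `UserDir` lines as well, so a wrong or empty `APACHE2_USER` can flow into the checks that depend on it. Line 14 calls bare `sed` where the rest of the script uses `${SED}`. APACHE2_CONFIG_02 repeats the same pattern for `Group`.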
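--- a/data/lib/audit/checks/APACHE2_CONFIG_02.check
+++ b/data/lib/audit/checks/APACHE2_CONFIG_02.check
@@ -0,0 +1,34 @@
+ID: APACHE2_CONFIG_02
+Depends: [APACHE2_INIT_2, HAS_CAT, HAS_BASE, HAS_GREP]
+Description: Get group for running Apache2 from configuration files and export it to APACHE2_GROUP.
+Type: [info]
+Name: APACHE2 get group from configuration files
+Script: |
+APACHE2_GROUP=""
+TMP_NUM_GROUPS=$(${CAT} ${APACHE2_CONFIG_FILES} | ${GREP} -c -E '^[[:blank:]]*Group')
+
+if [ ! "${TMP_NUM_GROUPS}" = 1 ]
+then
+script_error_message "Found more than one 'Group' directive in configuration files"
+else
+TMP_GROUP=$(${CAT} ${APACHE2_CONFIG_FILES} | ${GREP} -E '^[[:blank:]]*Group' | sed -e 's/^[[:blank:]]*Group[[:blank:]]*//')
+
+#In Ubuntu, the group name is a variable and is really defined in /etc/apache2/envvars
+if echo "${TMP_GROUP}" | ${GREP} '$' 2>/dev/null 1>/dev/null
+then
+TMP_GROUP_VAR=$( echo "${TMP_GROUP}" | ${SED} -e 's/\${\?//;s/}//' )
+TMP_GROUP=$(${CAT} /etc/apache2/envvars | ${GREP} "${TMP_GROUP_VAR}" | ${SED} -e "s/^.*${TMP_GROUP_VAR}[[:blank:]]*=[[:blank:]]*\(.*\)$/\1/")
+APACHE2_GROUP=${TMP_GROUP}
+else
+APACHE2_GROUP=${TMP_GROUP}
+fi
+
+if [ "${APACHE2_GROUP}" = "" ]
+then
+script_error_message "could not find Apache2 group"
+false
+else
+script_info_message "Found Apache2 group: ${APACHE2_GROUP}"
+! false
+fi
+fi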
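--- a/data/lib/audit/checks/APACHE2_CONFIG_03.check
+++ b/data/lib/audit/checks/APACHE2_CONFIG_03.check
@@ -0,0 +1,60 @@
+ID: APACHE2_CONFIG_03
+Depends: [APACHE2_INIT_2, HAS_CAT, HAS_BASE, HAS_GREP]
+Description: Find all directories that are publicly accessible through Apache2.
+Exports: [APACHE2_DOCUMENT_ROOT]
+Type: [info]
+Name: APACHE2 find public directories
+Script: |
+# first check for alias definitions (see mod_alias for details)
+TMP_ALIAS_NUM=1
+for TMP_FILE in ${APACHE2_CONFIG_FILES}
+do
+TMP_PUBLICDIRS=$( ${CAT} ${TMP_FILE} | ${GREP} -E '^[[:blank:]]*(Alias|ScriptAlias)' | ${SED} -e 's/^[[:blank:]]*//' )
+IFS=$( printf '\n+' ); IFS=${IFS%+}
+
+for TMP_PUBLICDIR in ${TMP_PUBLICDIRS}
+do
+TMP_SHARETYPE=$( echo ${TMP_PUBLICDIR} | ${CUT} -d" " -f1)
+TMP_DIRECTORY=$( echo ${TMP_PUBLICDIR} | ${CUT} -d" " -f3 | ${SED} -e 's/^"//;s/"$//')
+TMP_URL=$( echo ${TMP_PUBLICDIR} | ${CUT} -d" " -f2 | ${SED} -e 's/^"//;s/"$//')
+
+script_data "apache2.aliases.${TMP_ALIAS_NUM}.defined_in" "${TMP_FILE}"
+script_data "apache2.aliases.${TMP_ALIAS_NUM}.type" "${TMP_SHARETYPE}"
+script_data "apache2.aliases.${TMP_ALIAS_NUM}.directory" "${TMP_DIRECTORY}"
+script_data "apache2.aliases.${TMP_ALIAS_NUM}.url" "${TMP_URL}"
+script_info_message "Directory ${TMP_DIRECTORY} is accessible as ${TMP_URL} through alias in file ${TMP_FILE}"
+TMP_ALIAS_NUM=$(( ${TMP_ALIAS_NUM} + 1 ))
+done
+IFS=" "
+done
+
+#then check for document root definitions
+#I've dropped the idea of checking that there is only one document root definition, there may be
+#multiple vhosts, each with a document root definition.
+TMP_DOCROOT_NUM=1
+for TMP_FILE in ${APACHE2_CONFIG_FILES}
+do
+TMP_PUBLICDIRS=$( ${CAT} ${TMP_FILE} | ${GREP} -E '^[[:blank:]]*DocumentRoot' | ${SED} -e 's/^[[:blank:]]*//' )
+IFS=$( printf '\n+' ); IFS=${IFS%+}
+for TMP_PUBLICDIR in ${TMP_PUBLICDIRS}
+do
+TMP_SHARETYPE=$( echo ${TMP_PUBLICDIR} | ${CUT} -d" " -f1)
+TMP_DIRECTORY=$( echo ${TMP_PUBLICDIR} | ${CUT} -d" " -f2)
+
+script_data "apache2.document_roots.${TMP_DOCROOT_NUM}.defined_in" "${TMP_FILE}"
+script_data "apache2.document_roots.${TMP_DOCROOT_NUM}.type" "${TMP_SHARETYPE}"
+script_data "apache2.document_roots.${TMP_DOCROOT_NUM}.directory" "${TMP_DIRECTORY}"
+
+script_info_message "Directory ${TMP_DIRECTORY} is accessible as document root in file ${TMP_FILE}"
+
+#up to now, I don't have a better idea on how to set this ... normally there should be one
+#document root definition for port 80 of the principal server (not a vhost), that should be
+#used here ...
+APACHE2_DOCUMENT_ROOT="${TMP_DIRECTORY}"
+TMP_DOCROOT_NUM=$(( ${TMP_DOCROOT_NUM} + 1 ))
+done
+IFS=" "
+done
+
+IFS=${TMP_IFS}
+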
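Review bot: `IFS=${TMP_IFS}` on line 59 restores from a variable this script never assigns, so unless `TMP_IFS` is set by a template outside this hunk, IFS ends up empty and word splitting is disabled for whatever runs next in the same shell. Saving the value first with `TMP_IFS=${IFS}` before the first loop, and restoring that value inside the loops instead of `IFS=" "`, would keep the shell state intact. The `${CUT} -d" "` parsing on lines 17–19 and 41–42 also assumes exactly one space between the directive, the URL and the path, so tab- or multi-space-separated `Alias` and `DocumentRoot` lines are reported with empty or shifted fields, and the exported `APACHE2_DOCUMENT_ROOT` can be wrong as a result.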
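--- a/data/lib/audit/checks/APACHE2_CONFIG_04.check
+++ b/data/lib/audit/checks/APACHE2_CONFIG_04.check
@@ -0,0 +1,23 @@
+ID: APACHE2_CONFIG_04
+Depends: [APACHE2_CONFIG_01, APACHE_CONFIG_02, HAS_GROUPS]
+Description: Find groups for Apache2 user and verify that she is only in one group and that this group corresponds to the web server group.
+Type: [info]
+Name: APACHE2 check groups of web server user
+Script: |
+if ${GROUPS} ${APACHE2_USER}
+then
+script_error_message "something went wrong while executing the ${GROUP} command to find the groups of ${APACHE2_USER}"
+false
+else
+TMP_GROUPS=$(${GROUPS} ${APACHE2_USER})
+#strip leading and trailing whitespace
+TMP_GROUPS=$(echo ${TMP_GROUPS})
+
+if [ "${APACHE2_GROUP}" = "${TMP_GROUPS}" ]
+then
+! false
+else
+script_warn_message "Either apache user ${APACHE2_USER} with apache group ${APACHE2_GROUP} has multiple groups or not the same group as in the web server configuration file: ${TMP_GROUPS}"
+false
+fi
+fi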
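Review bot: The branch on line 7 is inverted: `if ${GROUPS} ${APACHE2_USER}` succeeds when the lookup works, yet that is the path that logs "something went wrong" and returns false, so the comparison below only runs after a failed lookup; the test should read `if ! ${GROUPS} ${APACHE2_USER} 2>/dev/null 1>/dev/null`. `Depends` names `APACHE_CONFIG_02`, which does not match the `APACHE2_CONFIG_02` ID defined in this release, and the error message expands `${GROUP}` rather than `${GROUPS}`. If these scripts run under bash, `GROUPS` is a shell-maintained array that ignores assignment, so a different variable name for the binary path would be safer. APACHE2_CONFIG_05 and APACHE2_CONFIG_06 carry the same `Depends` typo.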
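--- a/data/lib/audit/checks/APACHE2_CONFIG_05.check
+++ b/data/lib/audit/checks/APACHE2_CONFIG_05.check
@@ -0,0 +1,23 @@
+ID: APACHE2_CONFIG_05
+Depends: [APACHE2_CONFIG_01, APACHE_CONFIG_02, HAS_GROUPS]
+Description: Check that the ServerSignature directive is off.
+Type: [info]
+Name: APACHE2 check groups of web server user
+Script: |
+if ${GROUPS} ${APACHE2_USER}
+then
+script_error_message "something went wrong while executing the ${GROUP} command to find the groups of ${APACHE2_USER}"
+false
+else
+TMP_GROUPS=$(${GROUPS} ${APACHE2_USER})
+#strip leading and trailing whitespace
+TMP_GROUPS=$(echo ${TMP_GROUPS})
+
+if [ "${APACHE2_GROUP}" = "${TMP_GROUPS}" ]
+then
+! false
+else
+script_warn_message "Either apache user ${APACHE2_USER} with apache group ${APACHE2_GROUP} has multiple groups or not the same group as in the web server configuration file: ${TMP_GROUPS}"
+false
+fi
+fi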
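Review bot: The metadata promises a ServerSignature check, but the script body is a copy of APACHE2_CONFIG_04's group comparison and never reads `ServerSignature` from `${APACHE2_CONFIG_FILES}`. An audit report would list this ID as a signature check while its result reflects group membership, so it cannot be relied on for that setting. The `Name` field is also the one from APACHE2_CONFIG_04. Either the script should search the collected configuration files for the directive, or `Description` should say what is actually tested.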
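--- a/data/lib/audit/checks/APACHE2_CONFIG_06.check
+++ b/data/lib/audit/checks/APACHE2_CONFIG_06.check
@@ -0,0 +1,30 @@
+ID: APACHE2_CONFIG_06
+Depends: [APACHE2_CONFIG_01, APACHE_CONFIG_02, HAS_GROUPS]
+Description: Check that Apache2 user is not allowed to login in /etc/passwd and /etc/shadow
+Type: [info]
+Name: Check that Apache2 user login is disabled
+Script: |
+#test that user is not allowed to login via /etc/passwd
+TMP_PASSWD=$(${GREP} "${APACHE2_USER}" "${PASSWD_FILE}" | ${CUT} -d: -f2)
+
+if ! [ "${TMP_PASSWD}" = x ]
+then
+script_error_message "Apache2 user ${APACHE2_USER} is allowed to login in ${PASSWD_FILE}"
+fi
+
+#test that user is not allowed to login via /etc/shadow
+#this test needs superuser privileges to access /etc/shadow
+if [ "${HAVE_SUPERUSER_PRIVILEGES}" = 1 ]
+then
+TMP_SHADOW=$(execute_as_superuser "${GREP} \"${APACHE2_USER}\" \"${SHADOW_FILE}\" | ${CUT} -d: -f2")
+
+if [ ! "${TMP_SHADOW}" = '*' ] || [ ! "${TMP_SHADOW##\!}" = "${TMP_SHADOW}" ]
+then
+script_error_message "Apache2 user ${APACHE2_USER} is allowed to login in ${SHADOW_FILE}"
+fi
+fi
+
+#test that user is not allowed to login via ssh
+#test that user is not allowed to login via rlogin
+#test that user is not allowed to login via ftp
+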
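Review bot: The shadow test on line 21 reports a locked account as able to log in: a password field of `!` or `!hash` is not `*`, so the first clause is already true, and the second clause fires precisely when the field starts with `!`. The intended condition looks like `[ ! "${TMP_SHADOW}" = '*' ] && [ "${TMP_SHADOW##\!}" = "${TMP_SHADOW}" ]`. Both lookups use an unanchored `${GREP} "${APACHE2_USER}"`, which returns every row that merely contains the name; `"^${APACHE2_USER}:"` pins the match to the account. A passwd field of `x` only says the hash is kept in the shadow file, so the line-10 test by itself does not show that login is disabled.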
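--- a/data/lib/audit/checks/APACHE2_INIT_1.check
+++ b/data/lib/audit/checks/APACHE2_INIT_1.check
@@ -0,0 +1,14 @@
+ID: APACHE2_INIT_1
+Depends: [HAS_PS, HAS_SED, HAS_GREP]
+Imports: [PS, SED, GREP]
+Exports: [APACHE2_PID]
+Description: Check if the Apache server version 2 is running.
+Type: [check, export]
+Script: |
+APACHE2_PID=$(${PS} -A | ${GREP} apache2 | ${SED} -e 's/^[[:blank:]]*\([0-9]\+\)[[:blank:]]\+.*/\1/')
+if [ ! -z "${APACHE2_PID}" ]
+then
+! false
+else
+false
+fi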
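Review bot: `APACHE2_PID` is exported as if it were one value, but `${PS} -A | ${GREP} apache2` on line 8 yields one line per matching process, so with several workers it holds a newline-separated list, and any process whose name merely contains `apache2` is included. A comment stating that, or a narrower match such as `${GREP} -w apache2`, would help the checks that import the variable. The `\+` in the `${SED}` expression is a GNU extension; `[0-9][0-9]*` is the portable form.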
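--- a/data/lib/audit/checks/APACHE2_INIT_2.check
+++ b/data/lib/audit/checks/APACHE2_INIT_2.check
@@ -0,0 +1,66 @@
+# Copyright 2010-2011 SecludIT
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+ID: APACHE2_INIT_2
+Imports: [SED, GREP, CUT]
+Exports: [APACHE2_CONFIG_FILES]
+Depends: [HAS_BASE, HAS_GREP, HAS_CUT]
+Description: Find the Apache 2 daemon configuration files.
+WarningMessage: >
+Apache2 daemon configuration file not found, Apache2 checks will be omitted.
+Type: [check, export]
+Script: |
+TMP_UNTREATED_CONFIG_FILES=""
+APACHE2_CONFIG_FILES=""
+for path in /etc/apache2/apache2.conf /etc/apache2/httpd.conf
+do
+ls ${path} 2>/dev/null 1>/dev/null &&
+TMP_UNTREATED_CONFIG_FILES="${TMP_UNTREATED_CONFIG_FILES}${path}:"
+done
+
+while [ ! -z "${TMP_UNTREATED_CONFIG_FILES%%:}" ]
+do
+#get next configuration file from the untreated config files fifo
+NEXT_CONFIG_FILE=$(echo "${TMP_UNTREATED_CONFIG_FILES}" | ${CUT} -d: -f1) && TMP_UNTREATED_CONFIG_FILES=$(echo "${TMP_UNTREATED_CONFIG_FILES}" | ${CUT} -d: -f2-)
+
+if [ -z "${NEXT_CONFIG_FILE}" ]; then continue; fi
+
+#for each include directive in the config file (automatically expands file expressions with *)
+for f in $(${GREP} -E "^[[:blank:]]*Include" "${NEXT_CONFIG_FILE}" | ${SED} -e 's/^[[:blank:]]*Include[[:blank:]]\+\([^#]\+\)/\1/')
+do
+#if a whole directory is included, we want to expand to every file in the directory
+if [ -d "$f" ]; then f="${f%%/}/*"; fi
+
+#to handle the 'every file in directory' we just constructed
+for g in $f
+do
+#check that file is not in any fifo yet; this avoids looping forever if there is an include loop
+if ! ( echo "${APACHE2_CONFIG_FILES}" | ${GREP} "$g" 1>/dev/null 2>/dev/null || echo "${TMP_UNTREATED_CONFIG_FILES}" | ${GREP} "$g" 1>/dev/null 2>/dev/null )
+then
+#append newly found configuration file to the fifo of untreated files
+TMP_UNTREATED_CONFIG_FILES="${TMP_UNTREATED_CONFIG_FILES%%:}:$g:"
+fi
+done
+done
+#all includes from this file fleshed out, put it to the treated config files
+APACHE2_CONFIG_FILES="${APACHE2_CONFIG_FILES%% } ${NEXT_CONFIG_FILE}"
+script_info_message "Found configuration file ${NEXT_CONFIG_FILE}"
+done
+
+#to remove nasty leading/trailing colons
+APACHE2_CONFIG_FILES="${APACHE2_CONFIG_FILES%% }"
+APACHE2_CONFIG_FILES="${APACHE2_CONFIG_FILES## }"
+
+#check only successful if at least one configuration file is found
+[ ! "${APACHE2_CONFIG_FILES}" = "" ]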
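Review bot: The loop guard on line 49 uses `${GREP} "$g"`, which treats the path as an unanchored regular expression, so a file whose path is a prefix or substring of one already queued (for example `conf.d/ssl` next to `conf.d/ssl.conf`) is taken as seen and dropped from `APACHE2_CONFIG_FILES`; every later APACHE2 check then silently skips it. A fixed-string, whole-entry comparison such as `case " ${APACHE2_CONFIG_FILES} " in *" $g "*)`, with the colon-delimited equivalent for the queue, avoids that. `Include` arguments that are relative to ServerRoot are handed to the shell as written and only resolve if the working directory happens to match. The comment on line 61 mentions colons while the two expansions below it strip spaces.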
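--- a/data/lib/audit/checks/APACHE2_INIT_3.check
+++ b/data/lib/audit/checks/APACHE2_INIT_3.check
@@ -0,0 +1,13 @@
+ID: APACHE2_INIT_3
+Depends: [HAS_WHICH, HAS_BASE]
+Imports: [WHICH, HEAD]
+Exports: [APACHE2_BINARY, APACHE2CTL_BINARY]
+Description: Check for Apache2 binaries.
+Type: [check, info, export]
+Script: |
+APACHE2_BINARY=$(${WHICH} apache2)
+APACHE2CTL_BINARY=$(${WHICH} apache2ctl)
+TMP_APACHE2_NAME=$(${APACHE2_BINARY} -v | ${HEAD} -1 | ${SED} -e 's/^[^:]*:\([^\/]\+\)\/\(.*\)/\1/')
+TMP_APACHE2_VERSION=$(${APACHE2_BINARY} -v | ${HEAD} -1 | ${SED} -e 's/^[^:]*:\([^\/]\+\)\/\(.*\)/\2/')
+echo "%% ${MY_SCRIPT_ID} %% INFO %% PROGRAM_NAME %% ${TMP_APACHE2_NAME} %% ${TMP_APACHE2_VERSION}"
+${WHICH} apache2 apache2ctl 2>/dev/null 1>/dev/null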
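Review bot: When `${WHICH} apache2` finds nothing, `APACHE2_BINARY` is empty, so lines 10–11 try to execute `-v` as a command and line 12 still emits a `PROGRAM_NAME` record with an empty name and version. Guarding the version probe and the `echo` with `if [ -n "${APACHE2_BINARY}" ]` keeps a bogus record out of the parsed output. The script uses `${SED}` without listing it under `Imports`, and `Depends` names `HAS_WHICH`, for which no check appears in this release's file list.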
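--- a/data/lib/audit/checks/APACHE2_USER_7.check
+++ b/data/lib/audit/checks/APACHE2_USER_7.check
@@ -0,0 +1,17 @@
+ID: APACHE2_USER_7
+Depends: [APACHE2_INIT_2, HAS_CAT, HAS_BASE, HAS_GREP]
+Description: Find all directories that are publicly accessible through Apache2.
+Exports: [APACHE2_DOCUMENT_ROOT]
+Type: [info]
+Name: APACHE2 find public directories
+Script: |
+TMP_SHELL=$(${GREP} "${APACHE2_USER}" "${PASSWD_FILE}" | ${CUT} -d: -f7- )
+
+if [ "${TMP_SHELL}" = "/bin/nologin" ] ||
+[ "${TMP_SHELL}" = "/bin/false" ]
+then
+! false
+else
+script_warn_message "Apache2 user has login shell ${TMP_SHELL} which is not recommended (should be an invalid shell)"
+false
+fi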
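Review bot: The shell comparison on lines 10–11 accepts only `/bin/nologin` and `/bin/false`, so accounts set to `/usr/sbin/nologin` or `/sbin/nologin`, the usual paths on Debian-family and Red Hat-family systems, are flagged as having a login shell. `Description`, `Name` and `Exports` are copied from APACHE2_CONFIG_03 and describe a directory search rather than this check. `Depends` does not include APACHE2_CONFIG_01, so `APACHE2_USER` may be empty here, and the unanchored `${GREP} "${APACHE2_USER}"` then returns every passwd row; `"^${APACHE2_USER}:"` together with the added dependency would make the lookup exact.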
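--- a/data/lib/audit/checks/BACKUP_HOME_DOTFILES.check
+++ b/data/lib/audit/checks/BACKUP_HOME_DOTFILES.check
@@ -0,0 +1,26 @@
+ID: BACKUP_HOME_DOTFILES
+Name: Create a backup copy of dotfiles in home directories
+Depends: [HAS_BASE, HAS_FIND, HAS_CAT, HAS_CUT, HAS_COMPRESSOR, MAYBE_HAS_SUPERUSER]
+Imports: [HAS_COMPRESSOR, MAYBE_HAS_SUPERUSER]
+Description: Create a backup copy of the /var/log directory
+Script: |
+#if [ "${DU}" = "" ]
+#then
+# TMP_SIZE=0
+#else
+# TMP_SIZE=$( ${DU} -s | ${AWK} '{ print $1 }' )
+#fi
+
+#if [ ${TMP_SIZE} -gt 30000 ]
+#then
+# script_warning_message "/var/log directory is bigger than 30M (${TMP_SIZE}k) and will not be backuped"
+#else
+TMP_FILES=$( ${RUN_AS_SUPERUSER} ${FIND} $( ${CAT} ${PASSWD_FILE} | ${CUT} -d: -f6 ) -maxdepth 1 -name '.*' 2>/dev/null )
+${RUN_AS_SUPERUSER} ${COMPRESSOR} ${AUDIT_DIRECTORY}/BACKUP_HOME_DOTFILES.${COMPRESSOR_SUFFIX} ${TMP_FILES} 2>/dev/null
+TMP_EXITCODE=$?
+if [ ${TMP_EXITCODE} -eq 0 ]
+then
+script_attach_file "${AUDIT_DIRECTORY}/BACKUP_HOME_DOTFILES.${COMPRESSOR_SUFFIX}" 'Backup of the ~/.* directories'
+fi
+script_set_exit_code ${TMP_EXITCODE}
+#fi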
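Review bot: Nothing visible in this check restricts the permissions of the archive it writes or says how the attached file is protected afterwards, although lines 18–19 collect every dot entry from every home directory in the passwd file as superuser, which will normally include `.ssh` key material, shell histories and tool credentials. Having a `umask 077` in effect for the `${COMPRESSOR}` call and stating the sensitivity in `Description` would be the minimum; BACKUP_LOG, BACKUP_MAIL, BACKUP_WEB and CONFIGURATION_BACKUP (all of `/etc`) raise the same concern. `Description` still reads "/var/log directory", and the unquoted `${TMP_FILES}` splits paths that contain whitespace. Both commands discard stderr, so a partial collection cannot be told from a complete one except by the exit code.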
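--- a/data/lib/audit/checks/BACKUP_LOG.check
+++ b/data/lib/audit/checks/BACKUP_LOG.check
@@ -0,0 +1,24 @@
+ID: BACKUP_LOG
+Name: Create a backup copy of the /var/log directory
+Depends: [HAS_COMPRESSOR, MAYBE_HAS_SUPERUSER]
+Description: Create a backup copy of the /var/log directory
+Script: |
+#if [ "${DU}" = "" ]
+#then
+# TMP_SIZE=0
+#else
+# TMP_SIZE=$( ${DU} -s | ${AWK} '{ print $1 }' )
+#fi
+
+#if [ ${TMP_SIZE} -gt 30000 ]
+#then
+# script_warning_message "/var/log directory is bigger than 30M (${TMP_SIZE}k) and will not be backuped"
+#else
+${RUN_AS_SUPERUSER} ${COMPRESSOR} ${AUDIT_DIRECTORY}/BACKUP_LOG.${COMPRESSOR_SUFFIX} /var/log 2>/dev/null
+TMP_EXITCODE=$?
+if [ ${TMP_EXITCODE} -eq 0 ]
+then
+script_attach_file "${AUDIT_DIRECTORY}/BACKUP_LOG.${COMPRESSOR_SUFFIX}" "Backup of the /var/log directory"
+fi
+script_set_exit_code ${TMP_EXITCODE}
+#fi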
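--- a/data/lib/audit/checks/BACKUP_MAIL.check
+++ b/data/lib/audit/checks/BACKUP_MAIL.check
@@ -0,0 +1,19 @@
+ID: BACKUP_MAIL
+Name: Backup mail files
+Depends: [HAS_COMPRESSOR, MAYBE_HAS_SUPERUSER, VAR_LIST_HOME_DIRECTORIES]
+Description: Create a backup copy of the /var/mail directory and $HOME/mbox files
+Script: |
+${RUN_AS_SUPERUSER} ${COMPRESSOR} ${AUDIT_DIRECTORY}/BACKUP_MAIL.${COMPRESSOR_SUFFIX} /var/mail 2>/dev/null 1>/dev/null
+TMP_EXITCODE=$?
+IFS=:
+for dir in ${HOME_DIRS_LIST}
+do
+${RUN_AS_SUPERUSER} ${COMPRESSOR} ${AUDIT_DIRECTORY}/BACKUP_MAIL.${COMPRESSOR_SUFFIX} ${dir}/mbox 2>/dev/null 1>/dev/null
+TMP_EXITCODE=$(( ${TMP_EXITCODE} | $? ))
+done
+
+if [ -f "${AUDIT_DIRECTORY}/BACKUP_MAIL.${COMPRESSOR_SUFFIX}" ]
+then
+script_attach_file "${AUDIT_DIRECTORY}/BACKUP_MAIL.${COMPRESSOR_SUFFIX}" "Mails backup"
+fi
+script_set_exit_code ${TMP_EXITCODE}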
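Review bot: `IFS=:` on line 8 is never restored, so everything that runs after this check in the same shell splits words on colons only; saving the old value before the loop and restoring it after `done` fixes that. Each loop iteration calls `${COMPRESSOR}` with the same archive path, and if the compressor creates rather than appends (its definition is outside this hunk), every call replaces the previous archive and only the last mbox survives. Home directories without an `mbox` file make the call fail, and the OR-accumulated `TMP_EXITCODE` then reports the whole check as failed even though `/var/mail` was archived.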
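--- a/data/lib/audit/checks/BACKUP_WEB.check
+++ b/data/lib/audit/checks/BACKUP_WEB.check
@@ -0,0 +1,12 @@
+ID: BACKUP_WEB
+Name: Create a backup copy of the /var/www and /srv/www directory
+Depends: [HAS_COMPRESSOR, MAYBE_HAS_SUPERUSER]
+Description: Create a backup copy of the /var/www and /srv/www directory
+Script: |
+${RUN_AS_SUPERUSER} ${COMPRESSOR} ${AUDIT_DIRECTORY}/BACKUP_WWW.${COMPRESSOR_SUFFIX} /var/www /srv/www 2>/dev/null 1>/dev/null
+TMP_EXITCODE=$?
+if [ -f "${AUDIT_DIRECTORY}/BACKUP_WWW.${COMPRESSOR_SUFFIX}" ]
+then
+script_attach_file "${AUDIT_DIRECTORY}/BACKUP_WWW.${COMPRESSOR_SUFFIX}" "Backup of the /var/www directory"
+fi
+script_set_exit_code ${TMP_EXITCODE}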
@@ -0,0 +1,14 @@
|
|
|
1
|
+
ID: CONFIGURATION_BACKUP
|
|
2
|
+
Name: Backup configuration
|
|
3
|
+
Depends: [HAS_COMPRESSOR, MAYBE_HAS_SUPERUSER]
|
|
4
|
+
Imports: [COMPRESSOR, COMPRESSOR_SUFFIX]
|
|
5
|
+
Description: >
|
|
6
|
+
Create an archive of all files in the /etc directory
|
|
7
|
+
Script: |
|
|
8
|
+
${RUN_AS_SUPERUSER} ${COMPRESSOR} ${AUDIT_DIRECTORY}/CONFIGURATION_BACKUP.${COMPRESSOR_SUFFIX} /etc 2>/dev/null
|
|
9
|
+
TMP_EXITCODE=$?
|
|
10
|
+
if [ ${TMP_EXITCODE} -eq 0 ]
|
|
11
|
+
then
|
|
12
|
+
script_attach_file "${AUDIT_DIRECTORY}/CONFIGURATION_BACKUP.${COMPRESSOR_SUFFIX}" "Backup of the /etc directory"
|
|
13
|
+
fi
|
|
14
|
+
script_set_exit_code ${TMP_EXITCODE}
|