CloudyScripts 1.6.1 → 1.7.27
- data/Rakefile +1 -1
- data/lib/audit/checks/APACHE2.group +6 -0
- data/lib/audit/checks/APACHE2_CONFIG_01.check +36 -0
- data/lib/audit/checks/APACHE2_CONFIG_02.check +34 -0
- data/lib/audit/checks/APACHE2_CONFIG_03.check +60 -0
- data/lib/audit/checks/APACHE2_CONFIG_04.check +23 -0
- data/lib/audit/checks/APACHE2_CONFIG_05.check +23 -0
- data/lib/audit/checks/APACHE2_CONFIG_06.check +30 -0
- data/lib/audit/checks/APACHE2_INIT_1.check +14 -0
- data/lib/audit/checks/APACHE2_INIT_2.check +66 -0
- data/lib/audit/checks/APACHE2_INIT_3.check +13 -0
- data/lib/audit/checks/APACHE2_USER_7.check +17 -0
- data/lib/audit/checks/BACKUP_HOME_DOTFILES.check +26 -0
- data/lib/audit/checks/BACKUP_LOG.check +24 -0
- data/lib/audit/checks/BACKUP_MAIL.check +19 -0
- data/lib/audit/checks/BACKUP_WEB.check +12 -0
- data/lib/audit/checks/CONFIGURATION_BACKUP.check +14 -0
- data/lib/audit/checks/DIRECTORY_LISTING.check +14 -0
- data/lib/audit/checks/DISTRIBUTION_FACTS.check +60 -0
- data/lib/audit/checks/DMESG_OUTPUT.check +14 -0
- data/lib/audit/checks/FIND_GROUP_FILE.check +6 -0
- data/lib/audit/checks/FIND_PASSWD_FILE.check +8 -0
- data/lib/audit/checks/FIND_SHADOW_FILE.check +5 -0
- data/lib/audit/checks/FIND_SUDOERS_FILE.check +6 -0
- data/lib/audit/checks/FREE_SPACE.check +26 -0
- data/lib/audit/checks/HAS_AWK.check +30 -0
- data/lib/audit/checks/HAS_BASE.check +21 -0
- data/lib/audit/checks/HAS_CAT.check +18 -0
- data/lib/audit/checks/HAS_COMPRESSOR.check +30 -0
- data/lib/audit/checks/HAS_CUT.check +18 -0
- data/lib/audit/checks/HAS_DF.check +19 -0
- data/lib/audit/checks/HAS_DPKG.check +18 -0
- data/lib/audit/checks/HAS_FILE_DOWNLOADER.check +32 -0
- data/lib/audit/checks/HAS_FIND.check +18 -0
- data/lib/audit/checks/HAS_GREP.check +19 -0
- data/lib/audit/checks/HAS_GROUPCHECK.check +23 -0
- data/lib/audit/checks/HAS_GROUPS.check +19 -0
- data/lib/audit/checks/HAS_HOSTNAME.check +7 -0
- data/lib/audit/checks/HAS_ID.check +7 -0
- data/lib/audit/checks/HAS_LSB_RELEASE.check +16 -0
- data/lib/audit/checks/HAS_MOUNT.check +19 -0
- data/lib/audit/checks/HAS_NETSTAT.check +20 -0
- data/lib/audit/checks/HAS_PASSWD_CHECK.check +17 -0
- data/lib/audit/checks/HAS_PS.check +19 -0
- data/lib/audit/checks/HAS_ROUTE.check +19 -0
- data/lib/audit/checks/HAS_SH.check +19 -0
- data/lib/audit/checks/HAS_SORT.check +17 -0
- data/lib/audit/checks/HAS_STAT.check +17 -0
- data/lib/audit/checks/HAS_SUPERUSER.check +11 -0
- data/lib/audit/checks/HAS_TAIL.check +16 -0
- data/lib/audit/checks/HAS_TAR.check +7 -0
- data/lib/audit/checks/HAS_TR.check +22 -0
- data/lib/audit/checks/HAS_UNAME.check +7 -0
- data/lib/audit/checks/HAS_UNIQ.check +17 -0
- data/lib/audit/checks/HAS_WC.check +16 -0
- data/lib/audit/checks/HAS_WHO.check +18 -0
- data/lib/audit/checks/HAS_YUM.check +18 -0
- data/lib/audit/checks/LASTLOG.check +28 -0
- data/lib/audit/checks/LIST_ROUTES.check +33 -0
- data/lib/audit/checks/LIST_USER_ACCOUNTS.check +25 -0
- data/lib/audit/checks/LOADED_MODULES.check +22 -0
- data/lib/audit/checks/LOCAL_NMAP.check +97 -0
- data/lib/audit/checks/LOGGED_USERS.check +28 -0
- data/lib/audit/checks/LYNIS_AUTH.group +9 -0
- data/lib/audit/checks/LYNIS_AUTH_9204.check +43 -0
- data/lib/audit/checks/LYNIS_AUTH_9208.check +35 -0
- data/lib/audit/checks/LYNIS_AUTH_9216.check +24 -0
- data/lib/audit/checks/LYNIS_AUTH_9222.check +25 -0
- data/lib/audit/checks/LYNIS_AUTH_9226.check +24 -0
- data/lib/audit/checks/LYNIS_AUTH_9228.check +24 -0
- data/lib/audit/checks/LYNIS_AUTH_9252.check +19 -0
- data/lib/audit/checks/MAYBE_HAS_BZIP2.check +17 -0
- data/lib/audit/checks/MAYBE_HAS_CURL.check +17 -0
- data/lib/audit/checks/MAYBE_HAS_DU.check +17 -0
- data/lib/audit/checks/MAYBE_HAS_HOSTNAME.check +17 -0
- data/lib/audit/checks/MAYBE_HAS_ID.check +17 -0
- data/lib/audit/checks/MAYBE_HAS_LSB_RELEASE.check +15 -0
- data/lib/audit/checks/MAYBE_HAS_SUPERUSER.check +36 -0
- data/lib/audit/checks/MAYBE_HAS_TAR.check +19 -0
- data/lib/audit/checks/MAYBE_HAS_UNAME.check +17 -0
- data/lib/audit/checks/MAYBE_HAS_WGET.check +17 -0
- data/lib/audit/checks/MOUNTED_DEVICES.check +22 -0
- data/lib/audit/checks/MYSQL_HISTORY_1.check +29 -0
- data/lib/audit/checks/MYSQL_INIT_1.check +9 -0
- data/lib/audit/checks/MYSQL_INIT_2.check +12 -0
- data/lib/audit/checks/MYSQL_INIT_3.check +7 -0
- data/lib/audit/checks/PACKAGES_INSTALLED_DPKG.check +38 -0
- data/lib/audit/checks/PACKAGES_INSTALLED_YUM.check +36 -0
- data/lib/audit/checks/PASSWORD_INFORMATION.check +33 -0
- data/lib/audit/checks/PLATFORM_FACTS.check +35 -0
- data/lib/audit/checks/PORTS_OPEN_NETSTAT.check +121 -0
- data/lib/audit/checks/PROCESS_LIST.check +87 -0
- data/lib/audit/checks/SLOW.group +7 -0
- data/lib/audit/checks/SLOW_1.check +4 -0
- data/lib/audit/checks/SLOW_2.check +4 -0
- data/lib/audit/checks/SLOW_3.check +4 -0
- data/lib/audit/checks/SSH.group +14 -0
- data/lib/audit/checks/SSH_CONFIG_01.check +12 -0
- data/lib/audit/checks/SSH_CONFIG_02.check +15 -0
- data/lib/audit/checks/SSH_CONFIG_03.check +13 -0
- data/lib/audit/checks/SSH_CONFIG_04.check +11 -0
- data/lib/audit/checks/SSH_CONFIG_05.check +12 -0
- data/lib/audit/checks/SSH_CONFIG_06.check +12 -0
- data/lib/audit/checks/SSH_CONFIG_07.check +11 -0
- data/lib/audit/checks/SSH_CONFIG_08.check +12 -0
- data/lib/audit/checks/SSH_CONFIG_09.check +12 -0
- data/lib/audit/checks/SSH_CONFIG_10.check +15 -0
- data/lib/audit/checks/SSH_CONFIG_11.check +14 -0
- data/lib/audit/checks/SSH_INIT_1.check +9 -0
- data/lib/audit/checks/SSH_INIT_2.check +12 -0
- data/lib/audit/checks/SSH_KEYS_1.check +32 -0
- data/lib/audit/checks/USERS_INIT_1.check +9 -0
- data/lib/audit/checks/USERS_INIT_2.check +5 -0
- data/lib/audit/checks/USERS_INIT_3.check +5 -0
- data/lib/audit/checks/USERS_INIT_4.check +9 -0
- data/lib/audit/checks/USERS_INIT_5.check +10 -0
- data/lib/audit/checks/USER_INFORMATION.check +29 -0
- data/lib/audit/checks/VARIOUS.group +19 -0
- data/lib/audit/checks/VAR_LIST_HOME_DIRECTORIES.check +5 -0
- data/lib/audit/checks/benchmark.group +6 -0
- data/lib/audit/checks/footer.template +12 -0
- data/lib/audit/checks/header.template +10 -0
- data/lib/audit/checks/helpers/head.sh +59 -0
- data/lib/audit/checks/script_header.template +69 -0
- data/lib/audit/create_benchmark.sh +93 -0
- data/lib/audit/lib/audit.rb +136 -0
- data/lib/audit/lib/audit_facade.rb +5 -0
- data/lib/audit/lib/benchmark/audit_benchmark.rb +165 -0
- data/lib/audit/lib/benchmark/automatic_dependencies.rb +13 -0
- data/lib/audit/lib/benchmark/benchmark_factory.rb +23 -0
- data/lib/audit/lib/benchmark/benchmark_result.rb +25 -0
- data/lib/audit/lib/benchmark/check.rb +34 -0
- data/lib/audit/lib/benchmark/group.rb +30 -0
- data/lib/audit/lib/benchmark/item_exception.rb +13 -0
- data/lib/audit/lib/benchmark/result_code.rb +11 -0
- data/lib/audit/lib/benchmark/rule_result.rb +42 -0
- data/lib/audit/lib/benchmark/rule_role.rb +5 -0
- data/lib/audit/lib/benchmark/rule_severity.rb +13 -0
- data/lib/audit/lib/benchmark/yaml_benchmark.rb +133 -0
- data/lib/audit/lib/connection/ami_connection.rb +4 -0
- data/lib/audit/lib/connection/connection_factory.rb +27 -0
- data/lib/audit/lib/connection/ssh_connection.rb +243 -0
- data/lib/audit/lib/ec2_utils.rb +245 -0
- data/lib/audit/lib/http_fingerprint.rb +116 -0
- data/lib/audit/lib/lazy.rb +37 -0
- data/lib/audit/lib/linear_script_generator.rb +31 -0
- data/lib/audit/lib/main.rb +13 -0
- data/lib/audit/lib/my_option_parser.rb +106 -0
- data/lib/audit/lib/nessus_new.rb +290 -0
- data/lib/audit/lib/nessus_utils.rb +102 -0
- data/lib/audit/lib/parser/command/abstract_command.rb +32 -0
- data/lib/audit/lib/parser/command/abstract_command_result.rb +30 -0
- data/lib/audit/lib/parser/command/attach_file_command.rb +63 -0
- data/lib/audit/lib/parser/command/check_finished_command.rb +45 -0
- data/lib/audit/lib/parser/command/cpe_name_command.rb +37 -0
- data/lib/audit/lib/parser/command/data_command.rb +43 -0
- data/lib/audit/lib/parser/command/listening_port_command.rb +46 -0
- data/lib/audit/lib/parser/command/message_command.rb +21 -0
- data/lib/audit/lib/parser/command/program_name_command.rb +42 -0
- data/lib/audit/lib/parser/parse_exception.rb +2 -0
- data/lib/audit/lib/parser/result_type.rb +13 -0
- data/lib/audit/lib/parser/script_output_parser.rb +201 -0
- data/lib/audit/lib/parser/stdout_line_buffer.rb +43 -0
- data/lib/audit/lib/ssh_fingerprint.rb +220 -0
- data/lib/audit/lib/ssh_fingerprint2.rb +170 -0
- data/lib/audit/lib/ssh_utils.rb +292 -0
- data/lib/audit/lib/transformers/web_view_transformer.rb +171 -0
- data/lib/audit/lib/transformers/yaml_transformer.rb +50 -0
- data/lib/audit/lib/util/random_string.rb +22 -0
- data/lib/audit/lib/version.rb +7 -0
- data/lib/help/ec2_helper.rb +65 -2
- data/lib/help/remote_command_handler.rb +17 -0
- data/lib/help/state_transition_helper.rb +8 -0
- data/lib/scripts/ec2/open_port_checker.rb +112 -0
- data/lib/scripts/ec2/port_range_detector.rb +0 -1
- metadata +175 -16
data/Rakefile
CHANGED
@@ -12,7 +12,7 @@ require 'rake/testtask'
|
|
12
12
|
|
13
13
|
spec = Gem::Specification.new do |s|
|
14
14
|
s.name = 'CloudyScripts'
|
15
|
-
s.version = '1.
|
15
|
+
s.version = '1.7.27'
|
16
16
|
s.has_rdoc = true
|
17
17
|
s.extra_rdoc_files = ['README.rdoc', 'LICENSE']
|
18
18
|
s.summary = 'Scripts to facilitate programming for infrastructure clouds.'
|
@@ -0,0 +1,36 @@
|
|
1
|
+
ID: APACHE2_CONFIG_01
|
2
|
+
Depends: [APACHE2_INIT_2, HAS_CAT, HAS_BASE, HAS_GREP]
|
3
|
+
Description: Get user for running Apache2 from configuration files and export it to APACHE2_USER.
|
4
|
+
Type: [info]
|
5
|
+
Name: APACHE2 get user from configuration files
|
6
|
+
Script: |
|
7
|
+
APACHE2_USER=""
|
8
|
+
TMP_NUM_USERS=$(${CAT} ${APACHE2_CONFIG_FILES} | ${GREP} -c -E '^[[:blank:]]*User')
|
9
|
+
|
10
|
+
if [ ! "${TMP_NUM_USERS}" = 1 ]
|
11
|
+
then
|
12
|
+
script_error_message "Found more than one 'User' directive in configuration files"
|
13
|
+
else
|
14
|
+
TMP_USER=$(${CAT} ${APACHE2_CONFIG_FILES} | ${GREP} -E '^[[:blank:]]*User' | sed -e 's/^[[:blank:]]*User[[:blank:]]*//')
|
15
|
+
|
16
|
+
#In Ubuntu, the user name is a variable and is really defined in /etc/apache2/envvars
|
17
|
+
if echo "${TMP_USER}" | ${GREP} '$' 2>/dev/null 1>/dev/null
|
18
|
+
then
|
19
|
+
TMP_USER_VAR=$( echo "${TMP_USER}" | ${SED} -e 's/\${\?//;s/}//' )
|
20
|
+
TMP_USER=$(${CAT} /etc/apache2/envvars | ${GREP} "${TMP_USER_VAR}" | ${SED} -e "s/^.*${TMP_USER_VAR}[[:blank:]]*=[[:blank:]]*\(.*\)$/\1/")
|
21
|
+
APACHE2_USER=${TMP_USER}
|
22
|
+
else
|
23
|
+
APACHE2_USER=${TMP_USER}
|
24
|
+
fi
|
25
|
+
|
26
|
+
if [ "${APACHE2_USER}" = "" ]
|
27
|
+
then
|
28
|
+
script_error_message "could not find Apache2 user"
|
29
|
+
false
|
30
|
+
else
|
31
|
+
script_info_message "Found Apache2 user: ${APACHE2_USER}"
|
32
|
+
! false
|
33
|
+
fi
|
34
|
+
fi
|
35
|
+
|
36
|
+
|
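Review bot: The "is this a variable" test `if echo "${TMP_USER}" | ${GREP} '$'` matches every line, because an unquoted `$` in a regex is the end-of-line anchor rather than a literal dollar sign, so the /etc/apache2/envvars branch is taken for literal user names too and APACHE2_USER is set from whatever that second grep/sed returns; `${GREP} -F '$'` tests for the literal character. The directive count `${GREP} -c -E '^[[:blank:]]*User'` also counts `UserDir` lines, so `'^[[:blank:]]*User[[:blank:]]'` is the tighter pattern, and the extraction line calls bare `sed` where the rest of the file goes through `${SED}` and the Depends list does not cover it. The APACHE2_CONFIG_02 hunk has the same three issues for the Group directive.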
@@ -0,0 +1,34 @@
|
|
1
|
+
ID: APACHE2_CONFIG_02
|
2
|
+
Depends: [APACHE2_INIT_2, HAS_CAT, HAS_BASE, HAS_GREP]
|
3
|
+
Description: Get group for running Apache2 from configuration files and export it to APACHE2_GROUP.
|
4
|
+
Type: [info]
|
5
|
+
Name: APACHE2 get group from configuration files
|
6
|
+
Script: |
|
7
|
+
APACHE2_GROUP=""
|
8
|
+
TMP_NUM_GROUPS=$(${CAT} ${APACHE2_CONFIG_FILES} | ${GREP} -c -E '^[[:blank:]]*Group')
|
9
|
+
|
10
|
+
if [ ! "${TMP_NUM_GROUPS}" = 1 ]
|
11
|
+
then
|
12
|
+
script_error_message "Found more than one 'Group' directive in configuration files"
|
13
|
+
else
|
14
|
+
TMP_GROUP=$(${CAT} ${APACHE2_CONFIG_FILES} | ${GREP} -E '^[[:blank:]]*Group' | sed -e 's/^[[:blank:]]*Group[[:blank:]]*//')
|
15
|
+
|
16
|
+
#In Ubuntu, the group name is a variable and is really defined in /etc/apache2/envvars
|
17
|
+
if echo "${TMP_GROUP}" | ${GREP} '$' 2>/dev/null 1>/dev/null
|
18
|
+
then
|
19
|
+
TMP_GROUP_VAR=$( echo "${TMP_GROUP}" | ${SED} -e 's/\${\?//;s/}//' )
|
20
|
+
TMP_GROUP=$(${CAT} /etc/apache2/envvars | ${GREP} "${TMP_GROUP_VAR}" | ${SED} -e "s/^.*${TMP_GROUP_VAR}[[:blank:]]*=[[:blank:]]*\(.*\)$/\1/")
|
21
|
+
APACHE2_GROUP=${TMP_GROUP}
|
22
|
+
else
|
23
|
+
APACHE2_GROUP=${TMP_GROUP}
|
24
|
+
fi
|
25
|
+
|
26
|
+
if [ "${APACHE2_GROUP}" = "" ]
|
27
|
+
then
|
28
|
+
script_error_message "could not find Apache2 group"
|
29
|
+
false
|
30
|
+
else
|
31
|
+
script_info_message "Found Apache2 group: ${APACHE2_GROUP}"
|
32
|
+
! false
|
33
|
+
fi
|
34
|
+
fi
|
@@ -0,0 +1,60 @@
|
|
1
|
+
ID: APACHE2_CONFIG_03
|
2
|
+
Depends: [APACHE2_INIT_2, HAS_CAT, HAS_BASE, HAS_GREP]
|
3
|
+
Description: Find all directories that are publicly accessible through Apache2.
|
4
|
+
Exports: [APACHE2_DOCUMENT_ROOT]
|
5
|
+
Type: [info]
|
6
|
+
Name: APACHE2 find public directories
|
7
|
+
Script: |
|
8
|
+
# first check for alias definitions (see mod_alias for details)
|
9
|
+
TMP_ALIAS_NUM=1
|
10
|
+
for TMP_FILE in ${APACHE2_CONFIG_FILES}
|
11
|
+
do
|
12
|
+
TMP_PUBLICDIRS=$( ${CAT} ${TMP_FILE} | ${GREP} -E '^[[:blank:]]*(Alias|ScriptAlias)' | ${SED} -e 's/^[[:blank:]]*//' )
|
13
|
+
IFS=$( printf '\n+' ); IFS=${IFS%+}
|
14
|
+
|
15
|
+
for TMP_PUBLICDIR in ${TMP_PUBLICDIRS}
|
16
|
+
do
|
17
|
+
TMP_SHARETYPE=$( echo ${TMP_PUBLICDIR} | ${CUT} -d" " -f1)
|
18
|
+
TMP_DIRECTORY=$( echo ${TMP_PUBLICDIR} | ${CUT} -d" " -f3 | ${SED} -e 's/^"//;s/"$//')
|
19
|
+
TMP_URL=$( echo ${TMP_PUBLICDIR} | ${CUT} -d" " -f2 | ${SED} -e 's/^"//;s/"$//')
|
20
|
+
|
21
|
+
script_data "apache2.aliases.${TMP_ALIAS_NUM}.defined_in" "${TMP_FILE}"
|
22
|
+
script_data "apache2.aliases.${TMP_ALIAS_NUM}.type" "${TMP_SHARETYPE}"
|
23
|
+
script_data "apache2.aliases.${TMP_ALIAS_NUM}.directory" "${TMP_DIRECTORY}"
|
24
|
+
script_data "apache2.aliases.${TMP_ALIAS_NUM}.url" "${TMP_URL}"
|
25
|
+
script_info_message "Directory ${TMP_DIRECTORY} is accessible as ${TMP_URL} through alias in file ${TMP_FILE}"
|
26
|
+
TMP_ALIAS_NUM=$(( ${TMP_ALIAS_NUM} + 1 ))
|
27
|
+
done
|
28
|
+
IFS=" "
|
29
|
+
done
|
30
|
+
|
31
|
+
#then check for document root definitions
|
32
|
+
#I've dropped the idea of checking that there is only one document root definition, there may be
|
33
|
+
#multiple vhosts, each with a document root definition.
|
34
|
+
TMP_DOCROOT_NUM=1
|
35
|
+
for TMP_FILE in ${APACHE2_CONFIG_FILES}
|
36
|
+
do
|
37
|
+
TMP_PUBLICDIRS=$( ${CAT} ${TMP_FILE} | ${GREP} -E '^[[:blank:]]*DocumentRoot' | ${SED} -e 's/^[[:blank:]]*//' )
|
38
|
+
IFS=$( printf '\n+' ); IFS=${IFS%+}
|
39
|
+
for TMP_PUBLICDIR in ${TMP_PUBLICDIRS}
|
40
|
+
do
|
41
|
+
TMP_SHARETYPE=$( echo ${TMP_PUBLICDIR} | ${CUT} -d" " -f1)
|
42
|
+
TMP_DIRECTORY=$( echo ${TMP_PUBLICDIR} | ${CUT} -d" " -f2)
|
43
|
+
|
44
|
+
script_data "apache2.document_roots.${TMP_DOCROOT_NUM}.defined_in" "${TMP_FILE}"
|
45
|
+
script_data "apache2.document_roots.${TMP_DOCROOT_NUM}.type" "${TMP_SHARETYPE}"
|
46
|
+
script_data "apache2.document_roots.${TMP_DOCROOT_NUM}.directory" "${TMP_DIRECTORY}"
|
47
|
+
|
48
|
+
script_info_message "Directory ${TMP_DIRECTORY} is accessible as document root in file ${TMP_FILE}"
|
49
|
+
|
50
|
+
#up to now, I don't have a better idea on how to set this ... normally there should be one
|
51
|
+
#document root definition for port 80 of the principal server (not a vhost), that should be
|
52
|
+
#used here ...
|
53
|
+
APACHE2_DOCUMENT_ROOT="${TMP_DIRECTORY}"
|
54
|
+
TMP_DOCROOT_NUM=$(( ${TMP_DOCROOT_NUM} + 1 ))
|
55
|
+
done
|
56
|
+
IFS=" "
|
57
|
+
done
|
58
|
+
|
59
|
+
IFS=${TMP_IFS}
|
60
|
+
|
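Review bot: The final `IFS=${TMP_IFS}` restores from a variable this script never assigns; unless the script header template defines TMP_IFS, this sets IFS to the empty string and disables word splitting for every check that follows in the same generated script. Saving it first (`TMP_IFS=${IFS}` before the first loop) or restoring with `unset IFS` is safer than relying on an external definition. The field extraction with `${CUT} -d" " -f1/-f2/-f3` also handles only a single space between tokens: a tab-separated or multi-space `Alias` line yields empty directory/URL fields, so normalising blanks in the pipeline that builds TMP_PUBLICDIRS (`${SED} -e 's/[[:blank:]]\{1,\}/ /g'`) would make the parsing robust. The exported APACHE2_DOCUMENT_ROOT ends up as the last DocumentRoot seen, which the comment acknowledges; documenting that in the `Description` would help consumers of the value.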
@@ -0,0 +1,23 @@
|
|
1
|
+
ID: APACHE2_CONFIG_04
|
2
|
+
Depends: [APACHE2_CONFIG_01, APACHE_CONFIG_02, HAS_GROUPS]
|
3
|
+
Description: Find groups for Apache2 user and verify that she is only in one group and that this group corresponds to the web server group.
|
4
|
+
Type: [info]
|
5
|
+
Name: APACHE2 check groups of web server user
|
6
|
+
Script: |
|
7
|
+
if ${GROUPS} ${APACHE2_USER}
|
8
|
+
then
|
9
|
+
script_error_message "something went wrong while executing the ${GROUP} command to find the groups of ${APACHE2_USER}"
|
10
|
+
false
|
11
|
+
else
|
12
|
+
TMP_GROUPS=$(${GROUPS} ${APACHE2_USER})
|
13
|
+
#strip leading and trailing whitespace
|
14
|
+
TMP_GROUPS=$(echo ${TMP_GROUPS})
|
15
|
+
|
16
|
+
if [ "${APACHE2_GROUP}" = "${TMP_GROUPS}" ]
|
17
|
+
then
|
18
|
+
! false
|
19
|
+
else
|
20
|
+
script_warn_message "Either apache user ${APACHE2_USER} with apache group ${APACHE2_GROUP} has multiple groups or not the same group as in the web server configuration file: ${TMP_GROUPS}"
|
21
|
+
false
|
22
|
+
fi
|
23
|
+
fi
|
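Review bot: The outer condition is inverted: `if ${GROUPS} ${APACHE2_USER}` enters the error branch when the command succeeds and only performs the group comparison when it fails; it should read `if ! ${GROUPS} ${APACHE2_USER} >/dev/null 2>&1`. The error message expands `${GROUP}` instead of `${GROUPS}`, and `Depends: [APACHE2_CONFIG_01, APACHE_CONFIG_02, HAS_GROUPS]` names `APACHE_CONFIG_02` while the check added in this diff is `APACHE2_CONFIG_02` — the same typo is in the APACHE2_CONFIG_05 and APACHE2_CONFIG_06 hunks. The comparison `[ "${APACHE2_GROUP}" = "${TMP_GROUPS}" ]` also assumes `groups user` prints only the group names; on systems where it prints `user : groups` it never matches, so this is worth verifying against what HAS_GROUPS detects.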
@@ -0,0 +1,23 @@
|
|
1
|
+
ID: APACHE2_CONFIG_05
|
2
|
+
Depends: [APACHE2_CONFIG_01, APACHE_CONFIG_02, HAS_GROUPS]
|
3
|
+
Description: Check that the ServerSignature directive is off.
|
4
|
+
Type: [info]
|
5
|
+
Name: APACHE2 check groups of web server user
|
6
|
+
Script: |
|
7
|
+
if ${GROUPS} ${APACHE2_USER}
|
8
|
+
then
|
9
|
+
script_error_message "something went wrong while executing the ${GROUP} command to find the groups of ${APACHE2_USER}"
|
10
|
+
false
|
11
|
+
else
|
12
|
+
TMP_GROUPS=$(${GROUPS} ${APACHE2_USER})
|
13
|
+
#strip leading and trailing whitespace
|
14
|
+
TMP_GROUPS=$(echo ${TMP_GROUPS})
|
15
|
+
|
16
|
+
if [ "${APACHE2_GROUP}" = "${TMP_GROUPS}" ]
|
17
|
+
then
|
18
|
+
! false
|
19
|
+
else
|
20
|
+
script_warn_message "Either apache user ${APACHE2_USER} with apache group ${APACHE2_GROUP} has multiple groups or not the same group as in the web server configuration file: ${TMP_GROUPS}"
|
21
|
+
false
|
22
|
+
fi
|
23
|
+
fi
|
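Review bot: The script body does not implement its `Description: Check that the ServerSignature directive is off.`; it is a verbatim copy of the APACHE2_CONFIG_04 group check (including the inverted `if ${GROUPS}` test and the `${GROUP}` typo) and never reads the configuration files, while `Name:` still says "check groups of web server user". A check for that directive would read the files found by APACHE2_INIT_2 and fail unless every `^[[:blank:]]*ServerSignature` hit is `Off`, for example `! ${CAT} ${APACHE2_CONFIG_FILES} | ${GREP} -i -E '^[[:blank:]]*ServerSignature' | ${GREP} -i -v -q 'Off'`. Either the body or the metadata needs to change before this check is useful.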
@@ -0,0 +1,30 @@
|
|
1
|
+
ID: APACHE2_CONFIG_06
|
2
|
+
Depends: [APACHE2_CONFIG_01, APACHE_CONFIG_02, HAS_GROUPS]
|
3
|
+
Description: Check that Apache2 user is not allowed to login in /etc/passwd and /etc/shadow
|
4
|
+
Type: [info]
|
5
|
+
Name: Check that Apache2 user login is disabled
|
6
|
+
Script: |
|
7
|
+
#test that user is not allowed to login via /etc/passwd
|
8
|
+
TMP_PASSWD=$(${GREP} "${APACHE2_USER}" "${PASSWD_FILE}" | ${CUT} -d: -f2)
|
9
|
+
|
10
|
+
if ! [ "${TMP_PASSWD}" = x ]
|
11
|
+
then
|
12
|
+
script_error_message "Apache2 user ${APACHE2_USER} is allowed to login in ${PASSWD_FILE}"
|
13
|
+
fi
|
14
|
+
|
15
|
+
#test that user is not allowed to login via /etc/shadow
|
16
|
+
#this test needs superuser privileges to access /etc/shadow
|
17
|
+
if [ "${HAVE_SUPERUSER_PRIVILEGES}" = 1 ]
|
18
|
+
then
|
19
|
+
TMP_SHADOW=$(execute_as_superuser "${GREP} \"${APACHE2_USER}\" \"${SHADOW_FILE}\" | ${CUT} -d: -f2")
|
20
|
+
|
21
|
+
if [ ! "${TMP_SHADOW}" = '*' ] || [ ! "${TMP_SHADOW##\!}" = "${TMP_SHADOW}" ]
|
22
|
+
then
|
23
|
+
script_error_message "Apache2 user ${APACHE2_USER} is allowed to login in ${SHADOW_FILE}"
|
24
|
+
fi
|
25
|
+
fi
|
26
|
+
|
27
|
+
#test that user is not allowed to login via ssh
|
28
|
+
#test that user is not allowed to login via rlogin
|
29
|
+
#test that user is not allowed to login via ftp
|
30
|
+
|
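Review bot: `${GREP} "${APACHE2_USER}" "${PASSWD_FILE}"` is an unanchored substring match, so a user such as `www` also matches `www-data` (and any other entry containing the name), TMP_PASSWD becomes multi-line and the `= x` comparison reports a false "allowed to login"; anchor it as `${GREP} "^${APACHE2_USER}:" "${PASSWD_FILE}"`. The shadow test is inverted in its second half: a leading `!` marks a locked password, yet `[ ! "${TMP_SHADOW##\!}" = "${TMP_SHADOW}" ]` is true exactly for that case, so a correctly locked account triggers the error; `[ ! "${TMP_SHADOW}" = '*' ] && [ "${TMP_SHADOW##\!}" = "${TMP_SHADOW}" ]` flags only fields that are neither `*` nor `!`-prefixed. Since APACHE2_USER originates from the host's configuration files, the string handed to `execute_as_superuser` is built from host-controlled data; reading the two fields as root and filtering in the unprivileged shell avoids both the quoting and the injection concern. The same unanchored grep is in the APACHE2_USER_7 hunk.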
@@ -0,0 +1,14 @@
|
|
1
|
+
ID: APACHE2_INIT_1
|
2
|
+
Depends: [HAS_PS, HAS_SED, HAS_GREP]
|
3
|
+
Imports: [PS, SED, GREP]
|
4
|
+
Exports: [APACHE2_PID]
|
5
|
+
Description: Check if the Apache server version 2 is running.
|
6
|
+
Type: [check, export]
|
7
|
+
Script: |
|
8
|
+
APACHE2_PID=$(${PS} -A | ${GREP} apache2 | ${SED} -e 's/^[[:blank:]]*\([0-9]\+\)[[:blank:]]\+.*/\1/')
|
9
|
+
if [ ! -z "${APACHE2_PID}" ]
|
10
|
+
then
|
11
|
+
! false
|
12
|
+
else
|
13
|
+
false
|
14
|
+
fi
|
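Review bot: `Depends: [HAS_PS, HAS_SED, HAS_GREP]` references `HAS_SED`, but the diffstat for this version adds no `HAS_SED.check` (other checks that use `${SED}` depend on `HAS_BASE`), so this dependency may never resolve. The pipeline `${PS} -A | ${GREP} apache2 | ${SED} ...` yields one PID per matching line and matches any process whose name contains `apache2` (e.g. apache2ctl), so the exported APACHE2_PID can be multi-line; `${GREP} -w apache2` and taking the first line would give a single value, and the consumer of the export should be documented as expecting one PID. The `\+` in the sed expression is a GNU extension that a BSD or busybox sed does not honour, so the PID extraction silently fails to match on such hosts.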
@@ -0,0 +1,66 @@
|
|
1
|
+
# Copyright 2010-2011 SecludIT
|
2
|
+
#
|
3
|
+
# Licensed under the Apache License, Version 2.0 (the "License");
|
4
|
+
# you may not use this file except in compliance with the License.
|
5
|
+
# You may obtain a copy of the License at
|
6
|
+
#
|
7
|
+
# http://www.apache.org/licenses/LICENSE-2.0
|
8
|
+
#
|
9
|
+
# Unless required by applicable law or agreed to in writing, software
|
10
|
+
# distributed under the License is distributed on an "AS IS" BASIS,
|
11
|
+
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
12
|
+
# See the License for the specific language governing permissions and
|
13
|
+
# limitations under the License.
|
14
|
+
|
15
|
+
ID: APACHE2_INIT_2
|
16
|
+
Imports: [SED, GREP, CUT]
|
17
|
+
Exports: [APACHE2_CONFIG_FILES]
|
18
|
+
Depends: [HAS_BASE, HAS_GREP, HAS_CUT]
|
19
|
+
Description: Find the Apache 2 daemon configuration files.
|
20
|
+
WarningMessage: >
|
21
|
+
Apache2 daemon configuration file not found, Apache2 checks will be omitted.
|
22
|
+
Type: [check, export]
|
23
|
+
Script: |
|
24
|
+
TMP_UNTREATED_CONFIG_FILES=""
|
25
|
+
APACHE2_CONFIG_FILES=""
|
26
|
+
for path in /etc/apache2/apache2.conf /etc/apache2/httpd.conf
|
27
|
+
do
|
28
|
+
ls ${path} 2>/dev/null 1>/dev/null &&
|
29
|
+
TMP_UNTREATED_CONFIG_FILES="${TMP_UNTREATED_CONFIG_FILES}${path}:"
|
30
|
+
done
|
31
|
+
|
32
|
+
while [ ! -z "${TMP_UNTREATED_CONFIG_FILES%%:}" ]
|
33
|
+
do
|
34
|
+
#get next configuration file from the untreated config files fifo
|
35
|
+
NEXT_CONFIG_FILE=$(echo "${TMP_UNTREATED_CONFIG_FILES}" | ${CUT} -d: -f1) && TMP_UNTREATED_CONFIG_FILES=$(echo "${TMP_UNTREATED_CONFIG_FILES}" | ${CUT} -d: -f2-)
|
36
|
+
|
37
|
+
if [ -z "${NEXT_CONFIG_FILE}" ]; then continue; fi
|
38
|
+
|
39
|
+
#for each include directive in the config file (automatically expands file expressions with *)
|
40
|
+
for f in $(${GREP} -E "^[[:blank:]]*Include" "${NEXT_CONFIG_FILE}" | ${SED} -e 's/^[[:blank:]]*Include[[:blank:]]\+\([^#]\+\)/\1/')
|
41
|
+
do
|
42
|
+
#if a whole directory is included, we want to expand to every file in the directory
|
43
|
+
if [ -d "$f" ]; then f="${f%%/}/*"; fi
|
44
|
+
|
45
|
+
#to handle the 'every file in directory' we just constructed
|
46
|
+
for g in $f
|
47
|
+
do
|
48
|
+
#check that file is not in any fifo yet; this avoids looping forever if there is an include loop
|
49
|
+
if ! ( echo "${APACHE2_CONFIG_FILES}" | ${GREP} "$g" 1>/dev/null 2>/dev/null || echo "${TMP_UNTREATED_CONFIG_FILES}" | ${GREP} "$g" 1>/dev/null 2>/dev/null )
|
50
|
+
then
|
51
|
+
#append newly found configuration file to the fifo of untreated files
|
52
|
+
TMP_UNTREATED_CONFIG_FILES="${TMP_UNTREATED_CONFIG_FILES%%:}:$g:"
|
53
|
+
fi
|
54
|
+
done
|
55
|
+
done
|
56
|
+
#all includes from this file fleshed out, put it to the treated config files
|
57
|
+
APACHE2_CONFIG_FILES="${APACHE2_CONFIG_FILES%% } ${NEXT_CONFIG_FILE}"
|
58
|
+
script_info_message "Found configuration file ${NEXT_CONFIG_FILE}"
|
59
|
+
done
|
60
|
+
|
61
|
+
#to remove nasty leading/trailing colons
|
62
|
+
APACHE2_CONFIG_FILES="${APACHE2_CONFIG_FILES%% }"
|
63
|
+
APACHE2_CONFIG_FILES="${APACHE2_CONFIG_FILES## }"
|
64
|
+
|
65
|
+
#check only successful if at least one configuration file is found
|
66
|
+
[ ! "${APACHE2_CONFIG_FILES}" = "" ]
|
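Review bot: The include-loop guard `echo "${APACHE2_CONFIG_FILES}" | ${GREP} "$g"` (and its twin on the untreated list) is an unanchored regex substring match, so a file whose path is a prefix of one already listed — or whose `.` matches an arbitrary character — is silently dropped from the configuration set; matching whole list elements, e.g. `case ":${TMP_UNTREATED_CONFIG_FILES}:" in *":$g:"*) ;; *) ... ;; esac`, avoids that. The seed list `/etc/apache2/apache2.conf /etc/apache2/httpd.conf` only covers the Debian layout; with HAS_YUM in this diff, adding `/etc/httpd/conf/httpd.conf` would let RHEL-type hosts reach the Apache checks instead of hitting the WarningMessage. `ls ${path} 2>/dev/null 1>/dev/null` is an existence test that `[ -f "${path}" ]` expresses without a fork, and `Include` arguments relative to ServerRoot are not resolved, which is worth stating in a comment so a missing file is not mistaken for an include loop.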
@@ -0,0 +1,13 @@
|
|
1
|
+
ID: APACHE2_INIT_3
|
2
|
+
Depends: [HAS_WHICH, HAS_BASE]
|
3
|
+
Imports: [WHICH, HEAD]
|
4
|
+
Exports: [APACHE2_BINARY, APACHE2CTL_BINARY]
|
5
|
+
Description: Check for Apache2 binaries.
|
6
|
+
Type: [check, info, export]
|
7
|
+
Script: |
|
8
|
+
APACHE2_BINARY=$(${WHICH} apache2)
|
9
|
+
APACHE2CTL_BINARY=$(${WHICH} apache2ctl)
|
10
|
+
TMP_APACHE2_NAME=$(${APACHE2_BINARY} -v | ${HEAD} -1 | ${SED} -e 's/^[^:]*:\([^\/]\+\)\/\(.*\)/\1/')
|
11
|
+
TMP_APACHE2_VERSION=$(${APACHE2_BINARY} -v | ${HEAD} -1 | ${SED} -e 's/^[^:]*:\([^\/]\+\)\/\(.*\)/\2/')
|
12
|
+
echo "%% ${MY_SCRIPT_ID} %% INFO %% PROGRAM_NAME %% ${TMP_APACHE2_NAME} %% ${TMP_APACHE2_VERSION}"
|
13
|
+
${WHICH} apache2 apache2ctl 2>/dev/null 1>/dev/null
|
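Review bot: `${APACHE2_BINARY} -v | ${HEAD} -1 | ${SED} ...` runs before anything verifies that `${WHICH} apache2` found a binary, so on a host without Apache (or where it is installed as `httpd`) the command expands to a bare `-v`, and the parsed name and version are noise that is still emitted as a PROGRAM_NAME record; move the `${WHICH} apache2 apache2ctl` test from the last line in front of the version parsing and skip it when the test fails. `${SED}` is used but only `WHICH, HEAD` are imported, and `HAS_WHICH` in the Depends list does not appear among the checks added in this diff. The `%% ${MY_SCRIPT_ID} %% INFO %% PROGRAM_NAME %% ...` line is also hand-formatted while the other checks go through `script_*` helpers, so a `script_program_name` helper would keep the output protocol in one place.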
@@ -0,0 +1,17 @@
|
|
1
|
+
ID: APACHE2_USER_7
|
2
|
+
Depends: [APACHE2_INIT_2, HAS_CAT, HAS_BASE, HAS_GREP]
|
3
|
+
Description: Find all directories that are publicly accessible through Apache2.
|
4
|
+
Exports: [APACHE2_DOCUMENT_ROOT]
|
5
|
+
Type: [info]
|
6
|
+
Name: APACHE2 find public directories
|
7
|
+
Script: |
|
8
|
+
TMP_SHELL=$(${GREP} "${APACHE2_USER}" "${PASSWD_FILE}" | ${CUT} -d: -f7- )
|
9
|
+
|
10
|
+
if [ "${TMP_SHELL}" = "/bin/nologin" ] ||
|
11
|
+
[ "${TMP_SHELL}" = "/bin/false" ]
|
12
|
+
then
|
13
|
+
! false
|
14
|
+
else
|
15
|
+
script_warn_message "Apache2 user has login shell ${TMP_SHELL} which is not recommended (should be an invalid shell)"
|
16
|
+
false
|
17
|
+
fi
|
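Review bot: The metadata (`Description: Find all directories that are publicly accessible through Apache2.`, `Exports: [APACHE2_DOCUMENT_ROOT]`, `Name: APACHE2 find public directories`) is copied from APACHE2_CONFIG_03 and does not describe this check, which tests the login shell of the Apache user and exports nothing; the Depends list also lacks whatever sets APACHE2_USER and PASSWD_FILE (APACHE2_CONFIG_01 and FIND_PASSWD_FILE in this diff). The accepted shells are only `/bin/nologin` and `/bin/false`, while `/usr/sbin/nologin` is the usual path on Debian- and RHEL-based systems, so most correctly configured hosts would receive the warning; `case "${TMP_SHELL}" in */nologin|*/false) ;; esac` covers the common locations. A comment noting that the shell is the seventh field of passwd would make the `-f7-` readable.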
@@ -0,0 +1,26 @@
|
|
1
|
+
ID: BACKUP_HOME_DOTFILES
|
2
|
+
Name: Create a backup copy of dotfiles in home directories
|
3
|
+
Depends: [HAS_BASE, HAS_FIND, HAS_CAT, HAS_CUT, HAS_COMPRESSOR, MAYBE_HAS_SUPERUSER]
|
4
|
+
Imports: [HAS_COMPRESSOR, MAYBE_HAS_SUPERUSER]
|
5
|
+
Description: Create a backup copy of the /var/log directory
|
6
|
+
Script: |
|
7
|
+
#if [ "${DU}" = "" ]
|
8
|
+
#then
|
9
|
+
# TMP_SIZE=0
|
10
|
+
#else
|
11
|
+
# TMP_SIZE=$( ${DU} -s | ${AWK} '{ print $1 }' )
|
12
|
+
#fi
|
13
|
+
|
14
|
+
#if [ ${TMP_SIZE} -gt 30000 ]
|
15
|
+
#then
|
16
|
+
# script_warning_message "/var/log directory is bigger than 30M (${TMP_SIZE}k) and will not be backuped"
|
17
|
+
#else
|
18
|
+
TMP_FILES=$( ${RUN_AS_SUPERUSER} ${FIND} $( ${CAT} ${PASSWD_FILE} | ${CUT} -d: -f6 ) -maxdepth 1 -name '.*' 2>/dev/null )
|
19
|
+
${RUN_AS_SUPERUSER} ${COMPRESSOR} ${AUDIT_DIRECTORY}/BACKUP_HOME_DOTFILES.${COMPRESSOR_SUFFIX} ${TMP_FILES} 2>/dev/null
|
20
|
+
TMP_EXITCODE=$?
|
21
|
+
if [ ${TMP_EXITCODE} -eq 0 ]
|
22
|
+
then
|
23
|
+
script_attach_file "${AUDIT_DIRECTORY}/BACKUP_HOME_DOTFILES.${COMPRESSOR_SUFFIX}" 'Backup of the ~/.* directories'
|
24
|
+
fi
|
25
|
+
script_set_exit_code ${TMP_EXITCODE}
|
26
|
+
#fi
|
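Review bot: The archive built from `${FIND} ... -maxdepth 1 -name '.*'` over every home directory, run as superuser, collects `~/.ssh/`, `.netrc`, shell histories and application tokens, and `script_attach_file` then ships it with the audit output, so this check copies credentials off the host by design; the same applies to the /etc archive in the CONFIGURATION_BACKUP hunk (shadow, private keys under /etc/ssl) and to the mailboxes in BACKUP_MAIL. At minimum the `Description` should say that the attachment holds secrets, the archive should be created with restrictive permissions (`umask 077` before the compressor call, since AUDIT_DIRECTORY's mode is not visible here), and the consumer must store it accordingly. `Description: Create a backup copy of the /var/log directory` and `Imports: [HAS_COMPRESSOR, MAYBE_HAS_SUPERUSER]` (check IDs rather than variable names, compare `Imports: [COMPRESSOR, COMPRESSOR_SUFFIX]` in CONFIGURATION_BACKUP) look copy-pasted from BACKUP_LOG. The unquoted `$( ${CAT} ${PASSWD_FILE} | ${CUT} -d: -f6 )` and `${TMP_FILES}` expansions also break on home directories or dotfile names containing whitespace.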
@@ -0,0 +1,24 @@
|
|
1
|
+
ID: BACKUP_LOG
|
2
|
+
Name: Create a backup copy of the /var/log directory
|
3
|
+
Depends: [HAS_COMPRESSOR, MAYBE_HAS_SUPERUSER]
|
4
|
+
Description: Create a backup copy of the /var/log directory
|
5
|
+
Script: |
|
6
|
+
#if [ "${DU}" = "" ]
|
7
|
+
#then
|
8
|
+
# TMP_SIZE=0
|
9
|
+
#else
|
10
|
+
# TMP_SIZE=$( ${DU} -s | ${AWK} '{ print $1 }' )
|
11
|
+
#fi
|
12
|
+
|
13
|
+
#if [ ${TMP_SIZE} -gt 30000 ]
|
14
|
+
#then
|
15
|
+
# script_warning_message "/var/log directory is bigger than 30M (${TMP_SIZE}k) and will not be backuped"
|
16
|
+
#else
|
17
|
+
${RUN_AS_SUPERUSER} ${COMPRESSOR} ${AUDIT_DIRECTORY}/BACKUP_LOG.${COMPRESSOR_SUFFIX} /var/log 2>/dev/null
|
18
|
+
TMP_EXITCODE=$?
|
19
|
+
if [ ${TMP_EXITCODE} -eq 0 ]
|
20
|
+
then
|
21
|
+
script_attach_file "${AUDIT_DIRECTORY}/BACKUP_LOG.${COMPRESSOR_SUFFIX}" "Backup of the /var/log directory"
|
22
|
+
fi
|
23
|
+
script_set_exit_code ${TMP_EXITCODE}
|
24
|
+
#fi
|
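Review bot: The size guard is entirely commented out, so /var/log is archived without any bound; if it is ever re-enabled, note that `${DU} -s` has no path argument (it measures the current directory, not /var/log) and that `script_warning_message` does not match the `script_warn_message` helper used elsewhere in this diff. Either delete the dead block or fix it to `TMP_SIZE=$( ${DU} -sk /var/log | ${AWK} '{ print $1 }' )` and the correct helper name; the same commented block is duplicated in the BACKUP_HOME_DOTFILES hunk.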
@@ -0,0 +1,19 @@
|
|
1
|
+
ID: BACKUP_MAIL
|
2
|
+
Name: Backup mail files
|
3
|
+
Depends: [HAS_COMPRESSOR, MAYBE_HAS_SUPERUSER, VAR_LIST_HOME_DIRECTORIES]
|
4
|
+
Description: Create a backup copy of the /var/mail directory and $HOME/mbox files
|
5
|
+
Script: |
|
6
|
+
${RUN_AS_SUPERUSER} ${COMPRESSOR} ${AUDIT_DIRECTORY}/BACKUP_MAIL.${COMPRESSOR_SUFFIX} /var/mail 2>/dev/null 1>/dev/null
|
7
|
+
TMP_EXITCODE=$?
|
8
|
+
IFS=:
|
9
|
+
for dir in ${HOME_DIRS_LIST}
|
10
|
+
do
|
11
|
+
${RUN_AS_SUPERUSER} ${COMPRESSOR} ${AUDIT_DIRECTORY}/BACKUP_MAIL.${COMPRESSOR_SUFFIX} ${dir}/mbox 2>/dev/null 1>/dev/null
|
12
|
+
TMP_EXITCODE=$(( ${TMP_EXITCODE} | $? ))
|
13
|
+
done
|
14
|
+
|
15
|
+
if [ -f "${AUDIT_DIRECTORY}/BACKUP_MAIL.${COMPRESSOR_SUFFIX}" ]
|
16
|
+
then
|
17
|
+
script_attach_file "${AUDIT_DIRECTORY}/BACKUP_MAIL.${COMPRESSOR_SUFFIX}" "Mails backup"
|
18
|
+
fi
|
19
|
+
script_set_exit_code ${TMP_EXITCODE}
|
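Review bot: `IFS=:` is set for the HOME_DIRS_LIST loop and never restored, so every check that runs after this one in the same generated script inherits colon splitting; bracket the loop with `TMP_IFS=${IFS}` / `IFS=${TMP_IFS}` as APACHE2_CONFIG_03 attempts to. Both compressor calls write the same `BACKUP_MAIL.${COMPRESSOR_SUFFIX}` path, once for /var/mail and once per mbox; if `${COMPRESSOR}` creates rather than appends (not visible from this hunk — check what HAS_COMPRESSOR resolves it to), each call replaces the previous archive and only the last mbox survives, so collecting the paths and invoking the compressor once is safer. Because `TMP_EXITCODE=$(( ${TMP_EXITCODE} | $? ))` ORs the codes, a host with no /var/mail fails the check even when every mbox backup succeeded, while the `-f` test still attaches the file.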
@@ -0,0 +1,12 @@
|
|
1
|
+
ID: BACKUP_WEB
|
2
|
+
Name: Create a backup copy of the /var/www and /srv/www directory
|
3
|
+
Depends: [HAS_COMPRESSOR, MAYBE_HAS_SUPERUSER]
|
4
|
+
Description: Create a backup copy of the /var/www and /srv/www directory
|
5
|
+
Script: |
|
6
|
+
${RUN_AS_SUPERUSER} ${COMPRESSOR} ${AUDIT_DIRECTORY}/BACKUP_WWW.${COMPRESSOR_SUFFIX} /var/www /srv/www 2>/dev/null 1>/dev/null
|
7
|
+
TMP_EXITCODE=$?
|
8
|
+
if [ -f "${AUDIT_DIRECTORY}/BACKUP_WWW.${COMPRESSOR_SUFFIX}" ]
|
9
|
+
then
|
10
|
+
script_attach_file "${AUDIT_DIRECTORY}/BACKUP_WWW.${COMPRESSOR_SUFFIX}" "Backup of the /var/www directory"
|
11
|
+
fi
|
12
|
+
script_set_exit_code ${TMP_EXITCODE}
|
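Review bot: Both `/var/www /srv/www` are handed to the compressor in one call, but a host usually has only one of them; if `${COMPRESSOR}` fails on a missing path the check records a non-zero exit code via `script_set_exit_code` while the `-f` test still attaches the partial archive. Filtering first, `TMP_DIRS=""; for d in /var/www /srv/www; do [ -d "$d" ] && TMP_DIRS="${TMP_DIRS} $d"; done`, and passing `${TMP_DIRS}` (failing cleanly when it is empty) avoids the spurious failure. The archive is named `BACKUP_WWW` while the check ID is `BACKUP_WEB`, and the attachment title mentions only /var/www although /srv/www is included.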
@@ -0,0 +1,14 @@
|
|
1
|
+
ID: CONFIGURATION_BACKUP
|
2
|
+
Name: Backup configuration
|
3
|
+
Depends: [HAS_COMPRESSOR, MAYBE_HAS_SUPERUSER]
|
4
|
+
Imports: [COMPRESSOR, COMPRESSOR_SUFFIX]
|
5
|
+
Description: >
|
6
|
+
Create an archive of all files in the /etc directory
|
7
|
+
Script: |
|
8
|
+
${RUN_AS_SUPERUSER} ${COMPRESSOR} ${AUDIT_DIRECTORY}/CONFIGURATION_BACKUP.${COMPRESSOR_SUFFIX} /etc 2>/dev/null
|
9
|
+
TMP_EXITCODE=$?
|
10
|
+
if [ ${TMP_EXITCODE} -eq 0 ]
|
11
|
+
then
|
12
|
+
script_attach_file "${AUDIT_DIRECTORY}/CONFIGURATION_BACKUP.${COMPRESSOR_SUFFIX}" "Backup of the /etc directory"
|
13
|
+
fi
|
14
|
+
script_set_exit_code ${TMP_EXITCODE}
|