
Source code changes of the file "include/tests_authentication" between
lynis-3.0.1.tar.gz and lynis-3.0.2.tar.gz

About: Lynis is a security and system auditing tool.

tests_authentication  (lynis-3.0.1):tests_authentication  (lynis-3.0.2)
skipping to change at line 34 skipping to change at line 34
# #
LDAP_AUTH_ENABLED=0 LDAP_AUTH_ENABLED=0
LDAP_PAM_ENABLED=0 LDAP_PAM_ENABLED=0
LDAP_CONF_LOCATIONS="${ROOTDIR}etc/ldap.conf ${ROOTDIR}etc/ldap/ldap.conf ${ ROOTDIR}etc/openldap/ldap.conf ${ROOTDIR}usr/local/etc/ldap.conf ${ROOTDIR}usr/l ocal/etc/openldap/ldap.conf" LDAP_CONF_LOCATIONS="${ROOTDIR}etc/ldap.conf ${ROOTDIR}etc/ldap/ldap.conf ${ ROOTDIR}etc/openldap/ldap.conf ${ROOTDIR}usr/local/etc/ldap.conf ${ROOTDIR}usr/l ocal/etc/openldap/ldap.conf"
PAM_FILE_LOCATIONS="${ROOTDIR}lib/arm-linux-gnueabihf/security ${ROOTDIR}lib /i386-linux-gnu/security ${ROOTDIR}lib/security ${ROOTDIR}lib/x86_64-linux-gnu/s ecurity ${ROOTDIR}lib64/security ${ROOTDIR}usr/lib /usr/lib/security" PAM_FILE_LOCATIONS="${ROOTDIR}lib/arm-linux-gnueabihf/security ${ROOTDIR}lib /i386-linux-gnu/security ${ROOTDIR}lib/security ${ROOTDIR}lib/x86_64-linux-gnu/s ecurity ${ROOTDIR}lib64/security ${ROOTDIR}usr/lib /usr/lib/security"
SUDOERS_LOCATIONS="${ROOTDIR}etc/sudoers ${ROOTDIR}usr/local/etc/sudoers ${R OOTDIR}usr/pkg/etc/sudoers" SUDOERS_LOCATIONS="${ROOTDIR}etc/sudoers ${ROOTDIR}usr/local/etc/sudoers ${R OOTDIR}usr/pkg/etc/sudoers"
SUDOERS_FILE="" SUDOERS_FILE=""
# #
################################################################################ # ################################################################################ #
# #
InsertSection "Users, Groups and Authentication" InsertSection "${SECTION_USERS_GROUPS_AND_AUTHENTICATION}"
# Test : AUTH-9204 # Test : AUTH-9204
# Description : Check users with UID zero (0) # Description : Check users with UID zero (0)
# Notes : Ignores :0: in file if match is in NIS related line # Notes : Ignores :0: in file if match is in NIS related line
Register --test-no AUTH-9204 --weight L --network NO --category security --d escription "Check users with an UID of zero" Register --test-no AUTH-9204 --weight L --network NO --category security --d escription "Check users with an UID of zero"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
# Search accounts with UID 0 # Search accounts with UID 0
LogText "Test: Searching accounts with UID 0" LogText "Test: Searching accounts with UID 0"
# Check if device is a QNAP, as the root user is called admin, and not r oot # Check if device is a QNAP, as the root user is called admin, and not r oot
if [ ${QNAP_DEVICE} -eq 1 ]; then if [ ${QNAP_DEVICE} -eq 1 ]; then
skipping to change at line 355 skipping to change at line 355
Display --indent 2 --text "- Password hashing methods" --result "${S TATUS_SUGGESTION}" --color YELLOW Display --indent 2 --text "- Password hashing methods" --result "${S TATUS_SUGGESTION}" --color YELLOW
LogText "Result: poor password hashing methods found: ${FIND}" LogText "Result: poor password hashing methods found: ${FIND}"
ReportSuggestion "${TEST_NO}" "Check PAM configuration, add rounds i f applicable and expire passwords to encrypt with new values" ReportSuggestion "${TEST_NO}" "Check PAM configuration, add rounds i f applicable and expire passwords to encrypt with new values"
AddHP 0 2 AddHP 0 2
fi fi
fi fi
# #
################################################################################ # ################################################################################ #
# #
# Test : AUTH-9230 # Test : AUTH-9230
# Description : Check group password hashing rounds in login.defs # Description : Check password hashing rounds in login.defs
# Notes : Applicable to all Unix-like OS # Notes : Applicable to all Unix-like OS
PREQS_MET="NO" PREQS_MET="NO"
if [ -f ${ROOTDIR}etc/login.defs ]; then if [ -f ${ROOTDIR}etc/login.defs ]; then
PREQS_MET="YES" PREQS_MET="YES"
fi fi
Register --test-no AUTH-9230 --preqs-met ${PREQS_MET} --root-only NO --weigh t L --network NO --category security --description "Check group password hashing rounds" Register --test-no AUTH-9230 --preqs-met ${PREQS_MET} --root-only NO --weigh t L --network NO --category security --description "Check password hashing round s"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking SHA_CRYPT_MIN_ROUNDS option in ${ROOTDIR}etc/log SHA_CRYPT_MIN_ROUNDS_FIND=$(${GREPBINARY} "^SHA_CRYPT_MIN_ROUNDS" ${ROOT
in.defs" DIR}etc/login.defs | ${AWKBINARY} '{ if ($1=="SHA_CRYPT_MIN_ROUNDS") { print $2
FIND=$(${GREPBINARY} "^SHA_CRYPT_MIN_ROUNDS" ${ROOTDIR}etc/login.defs | } }')
${AWKBINARY} '{ if ($1=="SHA_CRYPT_MIN_ROUNDS") { print $2 } }') SHA_CRYPT_MAX_ROUNDS_FIND=$(${GREPBINARY} "^SHA_CRYPT_MAX_ROUNDS" ${ROOT
if [ -z "${FIND}" -o "${FIND}" = "0" ]; then DIR}etc/login.defs | ${AWKBINARY} '{ if ($1=="SHA_CRYPT_MAX_ROUNDS") { print $2
LogText "Result: number of minimum rounds used by the encryption alg } }')
orithm is not configured" SHA_CRYPT_ROUNDS=0
Display --indent 2 --text "- Checking minimum group password hashing
rounds" --result "${STATUS_DISABLED}" --color YELLOW if [ -n "${SHA_CRYPT_MIN_ROUNDS_FIND}" -a -n "${SHA_CRYPT_MAX_ROUNDS_FIN
ReportSuggestion "${TEST_NO}" "Configure minimum encryption algorith D}" ]; then
m rounds in /etc/login.defs" if [ ${SHA_CRYPT_MIN_ROUNDS_FIND} -lt ${SHA_CRYPT_MAX_ROUNDS_FIND} ]
AddHP 0 2 ; then
elif [ "${FIND}" -lt 5000 ]; then SHA_CRYPT_ROUNDS=${SHA_CRYPT_MIN_ROUNDS_FIND}
LogText "Result: low number of minimum encryption algorithm rounds f else
ound: ${FIND}" SHA_CRYPT_ROUNDS=${SHA_CRYPT_MAX_ROUNDS_FIND}
PASSWORD_MINIMUM_ROUNDS=${FIND} fi
Display --indent 2 --text "- Group password hashing rounds (minimum) elif [ -z "${SHA_CRYPT_MIN_ROUNDS_FIND}" -a -n "${SHA_CRYPT_MAX_ROUNDS_F
" --result "${STATUS_SUGGESTION}" --color YELLOW IND}" ]; then
AddHP 1 2 SHA_CRYPT_ROUNDS=${SHA_CRYPT_MAX_ROUNDS_FIND}
else elif [ -n "${SHA_CRYPT_MIN_ROUNDS_FIND}" -a -z "${SHA_CRYPT_MAX_ROUNDS_F
LogText "Result: number of encryption algorithm rounds is ${FIND}" IND}" ]; then
PASSWORD_MINIMUM_ROUNDS=${FIND} SHA_CRYPT_ROUNDS=${SHA_CRYPT_MIN_ROUNDS_FIND}
Display --indent 2 --text "- Group password hashing rounds (minimum) else
" --result CONFIGURED --color GREEN SHA_CRYPT_ROUNDS=0
AddHP 2 2
fi fi
LogText "Test: Checking SHA_CRYPT_MAX_ROUNDS option in ${ROOTDIR}etc/log LogText "Test: Checking SHA_CRYPT_{MIN,MAX}_ROUNDS option in ${ROOTDIR}e
in.defs" tc/login.defs"
FIND=$(${GREPBINARY} "^SHA_CRYPT_MAX_ROUNDS" ${ROOTDIR}etc/login.defs | if [ ${SHA_CRYPT_ROUNDS} -eq 0 ]; then
${AWKBINARY} '{ if ($1=="SHA_CRYPT_MAX_ROUNDS") { print $2 } }') LogText "Result: number of password hashing rounds is not configured
if [ -z "${FIND}" -o "${FIND}" = "0" ]; then "
LogText "Result: number of maximum rounds used by the encryption alg Display --indent 2 --text "- Checking password hashing rounds" --res
orithm is not configured" ult "${STATUS_DISABLED}" --color YELLOW
Display --indent 2 --text "- Checking maximum group password hashing ReportSuggestion "${TEST_NO}" "Configure password hashing rounds in
rounds" --result "${STATUS_DISABLED}" --color YELLOW /etc/login.defs"
ReportSuggestion "${TEST_NO}" "Configure maximum encryption algorith
m rounds in /etc/login.defs"
AddHP 0 2 AddHP 0 2
elif [ "${FIND}" -lt 10000 ]; then fi
LogText "Result: low number of maximum encryption algorithm rounds f
ound: ${FIND}" if [ -n "${SHA_CRYPT_ROUNDS}" ] && [ ${SHA_CRYPT_ROUNDS} -gt 0 ]; then
PASSWORD_MINIMUM_ROUNDS=${FIND} if [ ${SHA_CRYPT_ROUNDS} -lt 5000 ]; then
Display --indent 2 --text "- Group password hashing rounds (maximum) LogText "Result: low number of password hashing rounds found: ${
" --result "${STATUS_SUGGESTION}" --color YELLOW SHA_CRYPT_ROUNDS}"
AddHP 1 2 Display --indent 2 --text "- Password hashing rounds (minimum)"
else --result "${STATUS_SUGGESTION}" --color YELLOW
LogText "Result: number of encryption algorithm rounds is ${FIND}" AddHP 1 2
PASSWORD_MINIMUM_ROUNDS=${FIND} else
Display --indent 2 --text "- Group password hashing rounds (maximum) LogText "Result: number of password hashing rounds is ${SHA_CRYP
" --result CONFIGURED --color GREEN T_ROUNDS}"
AddHP 2 2 Display --indent 2 --text "- Password hashing rounds (minimum)"
--result CONFIGURED --color GREEN
AddHP 2 2
fi
fi fi
fi fi
# #
################################################################################ # ################################################################################ #
# #
# Test : AUTH-9234 # Test : AUTH-9234
# Description : Query user accounts # Description : Query user accounts
# Notes : AIX: 100+ # Notes : AIX: 100+
# HPUX: 100+ # HPUX: 100+
# macOS doesn't have any user info in /etc/passwd, users are m anaged with opendirectoryd) # macOS doesn't have any user info in /etc/passwd, users are m anaged with opendirectoryd)
skipping to change at line 505 skipping to change at line 505
################################################################################ # ################################################################################ #
# #
# Test : AUTH-9240 # Test : AUTH-9240
# Description : Query NIS+ authentication support # Description : Query NIS+ authentication support
Register --test-no AUTH-9240 --weight L --network NO --category security --d escription "Query NIS+ authentication support" Register --test-no AUTH-9240 --weight L --network NO --category security --d escription "Query NIS+ authentication support"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
if [ -f /etc/nsswitch.conf ]; then if [ -f /etc/nsswitch.conf ]; then
FIND=$(${EGREPBINARY} "^passwd" /etc/nsswitch.conf | ${EGREPBINARY} "compat|nisplus") FIND=$(${EGREPBINARY} "^passwd" /etc/nsswitch.conf | ${EGREPBINARY} "compat|nisplus")
if [ -z "${FIND}" ]; then if [ -z "${FIND}" ]; then
LogText "Result: NIS+ authentication not enabled" LogText "Result: NIS+ authentication not enabled"
Display --indent 2 --text "- NIS+ authentication support" --resu lt "NOT ENABLED" --color WHITE Display --indent 2 --text "- NIS+ authentication support" --resu lt "${STATUS_NOT_ENABLED}" --color WHITE
else else
FIND2=$(${EGREPBINARY} "^passwd_compat" ${ROOTDIR}etc/nsswitch.c onf | ${GREPBINARY} "nisplus") FIND2=$(${EGREPBINARY} "^passwd_compat" ${ROOTDIR}etc/nsswitch.c onf | ${GREPBINARY} "nisplus")
FIND3=$(${EGREPBINARY} "^passwd" ${ROOTDIR}etc/nsswitch.conf | $ {GREPBINARY} "nisplus") FIND3=$(${EGREPBINARY} "^passwd" ${ROOTDIR}etc/nsswitch.conf | $ {GREPBINARY} "nisplus")
if [ -n "${FIND2}" -o -n "${FIND3}" ]; then if [ -n "${FIND2}" -o -n "${FIND3}" ]; then
LogText "Result: NIS+ authentication enabled" LogText "Result: NIS+ authentication enabled"
Display --indent 2 --text "- NIS+ authentication support" -- result "${STATUS_ENABLED}" --color GREEN Display --indent 2 --text "- NIS+ authentication support" -- result "${STATUS_ENABLED}" --color GREEN
else else
LogText "Result: NIS+ authentication not enabled" LogText "Result: NIS+ authentication not enabled"
Display --indent 2 --text "- NIS+ authentication support" -- result "NOT ENABLED" --color WHITE Display --indent 2 --text "- NIS+ authentication support" -- result "${STATUS_NOT_ENABLED}" --color WHITE
fi fi
fi fi
else else
LogText "Result: /etc/nsswitch.conf not found" LogText "Result: /etc/nsswitch.conf not found"
fi fi
fi fi
# #
################################################################################ # ################################################################################ #
# #
# Test : AUTH-9242 # Test : AUTH-9242
# Description : Query NIS authentication support # Description : Query NIS authentication support
Register --test-no AUTH-9242 --weight L --network NO --category security --d escription "Query NIS authentication support" Register --test-no AUTH-9242 --weight L --network NO --category security --d escription "Query NIS authentication support"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
if [ -f /etc/nsswitch.conf ]; then if [ -f /etc/nsswitch.conf ]; then
FIND=$(${EGREPBINARY} "^passwd" /etc/nsswitch.conf | ${EGREPBINARY} "compat|nis" | ${GREPBINARY} -v "nisplus") FIND=$(${EGREPBINARY} "^passwd" /etc/nsswitch.conf | ${EGREPBINARY} "compat|nis" | ${GREPBINARY} -v "nisplus")
if [ -z "${FIND}" ]; then if [ -z "${FIND}" ]; then
LogText "Result: NIS authentication not enabled" LogText "Result: NIS authentication not enabled"
Display --indent 2 --text "- NIS authentication support" --resul t "NOT ENABLED" --color WHITE Display --indent 2 --text "- NIS authentication support" --resul t "${STATUS_NOT_ENABLED}" --color WHITE
else else
FIND2=$(${EGREPBINARY} "^passwd_compat" /etc/nsswitch.conf | ${G REPBINARY} "nis" | ${GREPBINARY} -v "nisplus") FIND2=$(${EGREPBINARY} "^passwd_compat" /etc/nsswitch.conf | ${G REPBINARY} "nis" | ${GREPBINARY} -v "nisplus")
FIND3=$(${EGREPBINARY} "^passwd" /etc/nsswitch.conf | ${GREPBINA RY} "nis" | ${GREPBINARY} -v "nisplus") FIND3=$(${EGREPBINARY} "^passwd" /etc/nsswitch.conf | ${GREPBINA RY} "nis" | ${GREPBINARY} -v "nisplus")
if [ -n "${FIND2}" -o -n "${FIND3}" ]; then if [ -n "${FIND2}" -o -n "${FIND3}" ]; then
LogText "Result: NIS authentication enabled" LogText "Result: NIS authentication enabled"
Display --indent 2 --text "- NIS authentication support" --r esult "${STATUS_ENABLED}" --color GREEN Display --indent 2 --text "- NIS authentication support" --r esult "${STATUS_ENABLED}" --color GREEN
else else
LogText "Result: NIS authentication not enabled" LogText "Result: NIS authentication not enabled"
Display --indent 2 --text "- NIS authentication support" --r esult "NOT ENABLED" --color WHITE Display --indent 2 --text "- NIS authentication support" --r esult "${STATUS_NOT_ENABLED}" --color WHITE
fi fi
fi fi
else else
LogText "Result: /etc/nsswitch.conf not found" LogText "Result: /etc/nsswitch.conf not found"
fi fi
fi fi
# #
################################################################################ # ################################################################################ #
# #
# Test : AUTH-9250 # Test : AUTH-9250
skipping to change at line 852 skipping to change at line 852
if [ ${LDAP_PAM_ENABLED} -eq 1 ]; then if [ ${LDAP_PAM_ENABLED} -eq 1 ]; then
Display --indent 2 --text "- LDAP module in PAM" --result "${STATUS_ FOUND}" --color GREEN Display --indent 2 --text "- LDAP module in PAM" --result "${STATUS_ FOUND}" --color GREEN
else else
Display --indent 2 --text "- LDAP module in PAM" --result "${STATUS_ NOT_FOUND}" --color WHITE Display --indent 2 --text "- LDAP module in PAM" --result "${STATUS_ NOT_FOUND}" --color WHITE
fi fi
fi fi
# #
################################################################################ # ################################################################################ #
# #
# Test : AUTH-9282 and AUTH-9283 # Test : AUTH-9282, AUTH-9283, and AUTH-9284
# Note : Every Linux based operating system seem to have different pa sswd # Note : Every Linux based operating system seem to have different pa sswd
# options, so we have to check the version first. # options, so we have to check the version first.
if [ "${OS}" = "Linux" ]; then if [ "${OS}" = "Linux" ]; then
if [ "${OS_REDHAT_OR_CLONE}" -eq 0 ]; then if [ "${OS_REDHAT_OR_CLONE}" -eq 0 ]; then
case ${LINUX_VERSION} in case ${LINUX_VERSION} in
"SuSE") "SuSE")
PREQS_MET="YES" PREQS_MET="YES"
FIND_P=$(passwd -a -S 2> /dev/null | ${AWKBINARY} '{ if ($2= ="P" && $5=="99999") print $1 }') FIND_P=$(passwd -a -S 2> /dev/null | ${AWKBINARY} '{ if ($2= ="P" && $5=="99999") print $1 }')
FIND2=$(passwd -a -S 2> /dev/null | ${AWKBINARY} '{ if ($2== "NP") print $1 }') FIND2=$(passwd -a -S 2> /dev/null | ${AWKBINARY} '{ if ($2== "NP") print $1 }')
FIND3=$(passwd -a -S 2> /dev/null | ${AWKBINARY} '{ if ($2== "L") print $1 }' | sort | uniq)
;; ;;
*) *)
PREQS_MET="YES" PREQS_MET="YES"
FIND_P=$(passwd --all --status 2> /dev/null | ${AWKBINARY} ' { if ($2=="P" && $5=="99999") print $1 }') FIND_P=$(passwd --all --status 2> /dev/null | ${AWKBINARY} ' { if ($2=="P" && $5=="99999") print $1 }')
FIND2=$(passwd --all --status 2> /dev/null | ${AWKBINARY} '{ if ($2=="NP") print $1 }') FIND2=$(passwd --all --status 2> /dev/null | ${AWKBINARY} '{ if ($2=="NP") print $1 }')
FIND3=$(passwd --all --status 2> /dev/null | ${AWKBINARY} '{ if ($2=="L") print $1 }' | sort | uniq)
;; ;;
esac esac
elif [ "${OS_REDHAT_OR_CLONE}" -eq 1 ]; then elif [ "${OS_REDHAT_OR_CLONE}" -eq 1 ]; then
PREQS_MET="YES" PREQS_MET="YES"
FIND_P=$(for I in $(${AWKBINARY} -F: '{print $1}' "${ROOTDIR}etc/pas swd") ; do passwd -S "$I" | ${AWKBINARY} '{ if ($2=="PS" && $5=="99999") print $ 1 }' ; done) FIND_P=$(for I in $(${AWKBINARY} -F: '{print $1}' "${ROOTDIR}etc/pas swd") ; do passwd -S "$I" | ${AWKBINARY} '{ if ($2=="PS" && $5=="99999") print $ 1 }' ; done)
FIND2=$(for I in $(${AWKBINARY} -F: '{print $1}' "${ROOTDIR}etc/pass wd") ; do passwd -S "$I" | ${AWKBINARY} '{ if ($2=="NP") print $1 }' ; done) FIND2=$(for I in $(${AWKBINARY} -F: '{print $1}' "${ROOTDIR}etc/pass wd") ; do passwd -S "$I" | ${AWKBINARY} '{ if ($2=="NP") print $1 }' ; done)
FIND3=$(for I in $(${AWKBINARY} -F: '{print $1}' "${ROOTDIR}etc/pass wd") ; do passwd -S "$I" | ${AWKBINARY} '{ if ($2=="L" || $2=="LK") print $1 }' | sort | uniq ; done)
else else
LogText "Result: skipping test for this Linux version" LogText "Result: skipping test for this Linux version"
ReportManual "AUTH-9282:01" ReportManual "AUTH-9282:01"
PREQS_MET="NO" PREQS_MET="NO"
FIND_P="" FIND_P=""
FIND2="" FIND2=""
FIND3=""
fi fi
else else
PREQS_MET="NO" PREQS_MET="NO"
fi fi
# Test : AUTH-9282 # Test : AUTH-9282
# Description : Search password protected accounts without expire (Linux) # Description : Search password protected accounts without expire (Linux)
Register --test-no AUTH-9282 --preqs-met ${PREQS_MET} --weight L --network N O --category security --description "Checking password protected account without expire date" Register --test-no AUTH-9282 --preqs-met ${PREQS_MET} --weight L --network N O --category security --description "Checking password protected account without expire date"
if [ "${SKIPTEST}" -eq 0 ]; then if [ "${SKIPTEST}" -eq 0 ]; then
LogText "Test: Checking Linux version and password expire date status" LogText "Test: Checking Linux version and password expire date status"
if [ -z "${FIND_P}" ]; then if [ -z "${FIND_P}" ]; then
LogText "Result: all accounts seem to have an expire date" LogText "Result: all accounts seem to have an expire date"
Display --indent 2 --text "- Accounts without expire date" --result "${STATUS_OK}" --color GREEN Display --indent 2 --text "- Accounts without expire date" --result "${STATUS_OK}" --color GREEN
else else
LogText "Result: found one or more accounts without expire date set" LogText "Result: found one or more accounts without expire date set"
for I in ${FIND_P}; do for I in ${FIND_P}; do
LogText "Account without expire date: ${I}" LogText "Account without expire date: ${I}"
done done
Display --indent 2 --text "- Accounts without expire date" --result "${STATUS_SUGGESTION}" --color YELLOW Display --indent 2 --text "- Accounts without expire date" --result "${STATUS_SUGGESTION}" --color YELLOW
ReportSuggestion "${TEST_NO}" "When possible set expire dates for al l password protected accounts" ReportSuggestion "${TEST_NO}" "When possible set expire dates for al l password protected accounts"
fi fi
fi fi
#
################################################################################
#
#
# Test : AUTH-9283 # Test : AUTH-9283
# Description : Search passwordless accounts # Description : Search passwordless accounts
# Notes : requires FIND2 variable
Register --test-no AUTH-9283 --preqs-met ${PREQS_MET} --weight L --network N O --category security --description "Checking accounts without password" Register --test-no AUTH-9283 --preqs-met ${PREQS_MET} --weight L --network N O --category security --description "Checking accounts without password"
if [ "${SKIPTEST}" -eq 0 ]; then if [ "${SKIPTEST}" -eq 0 ]; then
LogText "Test: Checking passwordless accounts" LogText "Test: Checking passwordless accounts"
if [ -z "${FIND2}" ]; then if [ -z "${FIND2}" ]; then
LogText "Result: all accounts seem to have a password" LogText "Result: all accounts seem to have a password"
Display --indent 2 --text "- Accounts without password" --result "${ STATUS_OK}" --color GREEN Display --indent 2 --text "- Accounts without password" --result "${ STATUS_OK}" --color GREEN
else else
LogText "Result: found one or more accounts without password" LogText "Result: found one or more accounts without password"
for I in ${FIND2}; do for I in ${FIND2}; do
LogText "Account without password: ${I}" LogText "Account without password: ${I}"
Report "account_without_password=${I}" Report "account_without_password=${I}"
done done
Display --indent 2 --text "- Accounts without password" --result "${ STATUS_WARNING}" --color RED Display --indent 2 --text "- Accounts without password" --result "${ STATUS_WARNING}" --color RED
ReportWarning "${TEST_NO}" "Found accounts without password" ReportWarning "${TEST_NO}" "Found accounts without password"
fi fi
fi fi
# Test : AUTH-9284
# Description : Check locked user accounts in /etc/passwd
# Notes : requires FIND3 variable
Register --test-no AUTH-9284 --preqs-met ${PREQS_MET} --weight L --network N
O --category security --description "Check locked user accounts in /etc/passwd"
if [ "${SKIPTEST}" -eq 0 ]; then
LogText "Test: Checking locked accounts"
NON_SYSTEM_ACCOUNTS=$(${AWKBINARY} -F : '$3 > 999 && $3 != 65534 {print
$1}' ${ROOTDIR}etc/passwd | ${SORTBINARY} | ${UNIQBINARY})
LOCKED_NON_SYSTEM_ACCOUNTS=0
for account in ${FIND3}; do
if echo "${NON_SYSTEM_ACCOUNTS}" | ${GREPBINARY} -w "${account}" > /
dev/null ; then
LOCKED_NON_SYSTEM_ACCOUNTS=$((LOCKED_NON_SYSTEM_ACCOUNTS + 1))
fi
done
if [ ${LOCKED_NON_SYSTEM_ACCOUNTS} -eq 0 ]; then
LogText "Result: all accounts seem to be unlocked"
Display --indent 2 --text "- Locked accounts" --result "${STATUS_OK}
" --color GREEN
else
LogText "Result: found one or more locked accounts"
for account in ${FIND3}; do
if echo "${NON_SYSTEM_ACCOUNTS}" | ${GREPBINARY} -w "${account}"
> /dev/null ; then
LogText "Locked account: ${account}"
Report "locked_account[]=${account}"
fi
done
Display --indent 2 --text "- Locked accounts" --result "${STATUS_FOU
ND}" --color RED
ReportSuggestion "${TEST_NO}" "Look at the locked accounts and consi
der removing them"
fi
unset account LOCKED_NON_SYSTEM_ACCOUNTS NON_SYSTEM_ACCOUNTS
fi
unset FIND1 FIND2 FIND3
# #
################################################################################ # ################################################################################ #
# #
# Test : AUTH-9286 # Test : AUTH-9286
# Description : Check user password aging # Description : Check user password aging
# Notes : MIN = minimum age, avoid rotation of passwords too quickly # Notes : MIN = minimum age, avoid rotation of passwords too quickly
# : MAX = maximum age, ensure regular change of passwords # : MAX = maximum age, ensure regular change of passwords
PREQS_MET="NO" PREQS_MET="NO"
if [ -f ${ROOTDIR}etc/login.defs ]; then if [ -f ${ROOTDIR}etc/login.defs ]; then
PREQS_MET="YES" PREQS_MET="YES"
skipping to change at line 1036 skipping to change at line 1071
else else
LogText "Result: file /etc/default/sulogin does not exist" LogText "Result: file /etc/default/sulogin does not exist"
fi fi
fi fi
# #
################################################################################ # ################################################################################ #
# #
# Test : AUTH-9306 # Test : AUTH-9306
# Description : Check if authentication is needed to boot the system # Description : Check if authentication is needed to boot the system
# Notes : :d_boot_authenticate: is a good option for production machin es to # Notes : :d_boot_authenticate: is a good option for production machin es to
# avoid unauthorized booting of systems. Option :d_boot_autent ication@: # avoid unauthorized booting of systems. Option :d_boot_authen tication@:
# disabled a required login. # disabled a required login.
Register --test-no AUTH-9306 --os HP-UX --weight L --network NO --category s ecurity --description "Check single boot authentication" Register --test-no AUTH-9306 --os HP-UX --weight L --network NO --category s ecurity --description "Check single boot authentication"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
# Check if file exists # Check if file exists
LogText "Test: Searching /tcb/files/auth/system/default" LogText "Test: Searching /tcb/files/auth/system/default"
if [ -f ${ROOTDIR}tcb/files/auth/system/default ]; then if [ -f ${ROOTDIR}tcb/files/auth/system/default ]; then
LogText "Result: file ${ROOTDIR}tcb/files/auth/system/default exists " LogText "Result: file ${ROOTDIR}tcb/files/auth/system/default exists "
LogText "Test: checking presence :d_boot_authenticate@:" LogText "Test: checking presence :d_boot_authenticate@:"
FIND=$(${GREPBINARY} "^:d_boot_authenticate@" /tcb/files/auth/system /default) FIND=$(${GREPBINARY} "^:d_boot_authenticate@" /tcb/files/auth/system /default)
if [ -z "${FIND}" ]; then if [ -z "${FIND}" ]; then
skipping to change at line 1443 skipping to change at line 1478
LogText "Result: retries option not configured" LogText "Result: retries option not configured"
AddHP 1 2 AddHP 1 2
fi fi
else else
LogText "Result: file ${ROOTDIR}etc/default/login does not exist " LogText "Result: file ${ROOTDIR}etc/default/login does not exist "
fi fi
fi fi
if [ ${FOUND} -eq 1 ]; then if [ ${FOUND} -eq 1 ]; then
Display --indent 2 --text "- Checking account locking" --result "${S TATUS_ENABLED}" --color GREEN Display --indent 2 --text "- Checking account locking" --result "${S TATUS_ENABLED}" --color GREEN
else else
Display --indent 2 --text "- Checking account locking" --result "NOT ENABLED" --color YELLOW Display --indent 2 --text "- Checking account locking" --result "${S TATUS_NOT_ENABLED}" --color YELLOW
fi fi
fi fi
# #
################################################################################ # ################################################################################ #
# #
# Test : AUTH-9402 # Test : AUTH-9402
# Description : Query LDAP authentication support # Description : Query LDAP authentication support
Register --test-no AUTH-9402 --weight L --network NO --category security --d escription "Query LDAP authentication support" Register --test-no AUTH-9402 --weight L --network NO --category security --d escription "Query LDAP authentication support"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
if [ -f ${ROOTDIR}etc/nsswitch.conf ]; then if [ -f ${ROOTDIR}etc/nsswitch.conf ]; then
FIND=$(${EGREPBINARY} "^passwd" ${ROOTDIR}etc/nsswitch.conf | ${GREP BINARY} "ldap") FIND=$(${EGREPBINARY} "^passwd" ${ROOTDIR}etc/nsswitch.conf | ${GREP BINARY} "ldap")
if [ "${FIND}" = "" ]; then if [ "${FIND}" = "" ]; then
LogText "Result: LDAP authentication not enabled" LogText "Result: LDAP authentication not enabled"
Display --indent 2 --text "- LDAP authentication support" --resu lt "NOT ENABLED" --color WHITE Display --indent 2 --text "- LDAP authentication support" --resu lt "${STATUS_NOT_ENABLED}" --color WHITE
else else
LogText "Result: LDAP authentication enabled" LogText "Result: LDAP authentication enabled"
Display --indent 2 --text "- LDAP authentication support" --resu lt "${STATUS_ENABLED}" --color GREEN Display --indent 2 --text "- LDAP authentication support" --resu lt "${STATUS_ENABLED}" --color GREEN
LDAP_AUTH_ENABLED=1 LDAP_AUTH_ENABLED=1
fi fi
else else
LogText "Result: /etc/nsswitch.conf not found" LogText "Result: /etc/nsswitch.conf not found"
fi fi
fi fi
# #
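Review bot: In the new AUTH-9284 block, the membership test `echo "${NON_SYSTEM_ACCOUNTS}" | ${GREPBINARY} -w "${account}"` treats the account name as a regex and only requires a word boundary, so a locked low-UID account named `web` is counted when a non-system account `web-app` exists, and a name containing `.` matches more than itself; an exact fixed-string line match, `if printf '%s\n' "${NON_SYSTEM_ACCOUNTS}" | ${GREPBINARY} -qxF -- "${account}"; then`, avoids both (the same test is repeated in the reporting loop below it). The UID cut-off `$3 > 999` is hard-coded; on systems whose UID_MIN in login.defs is lower this presumably skips locked human accounts, so reading UID_MIN from `${ROOTDIR}etc/login.defs` with 1000 as the fallback would be more faithful. The trailing `unset FIND1 FIND2 FIND3` clears a variable that is never assigned, while FIND_P, set by the same preamble, is left behind — `unset FIND_P FIND2 FIND3` looks like the intent. Separately, the AUTH-9230 rewrite no longer assigns PASSWORD_MINIMUM_ROUNDS, which the removed code set in every configured branch; if that variable is consumed elsewhere (not visible here) the report silently loses it.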
 End of changes. 22 change blocks. 
65 lines changed or deleted 106 lines changed or added
