    1 #!/bin/sh
    2 
    3 #################################################################################
    4 #
    5 #   Lynis
    6 # ------------------
    7 #
    8 # Copyright 2007-2013, Michael Boelen
    9 # Copyright 2007-2019, CISOfy
   10 #
   11 # Website  : https://cisofy.com
   12 # Blog     : http://linux-audit.com
   13 # GitHub   : https://github.com/CISOfy/lynis
   14 #
   15 # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
   16 # welcome to redistribute it under the terms of the GNU General Public License.
   17 # See LICENSE file for usage of this software.
   18 #
   19 #################################################################################
   20 #
   21 # Shells
   22 #
   23 #################################################################################
   24 #
   25     IDLE_TIMEOUT=0
   26     InsertSection "Shells"
   27 #
   28 #################################################################################
   29 #
   30     # bash
   31     # Files (interactive login shells):     /etc/profile $HOME/.bash_profile
   32     #                                       $HOME/.bash_login $HOME/.profile
   33     # Files (interactive non-login shells): $HOME/.bash_rc
   34     #
   35     # csh/tcsh
   36     # Files: /etc/csh.cshrc /etc/csh.login
   37     #
   38     # zsh
   39     # Files: /etc/zshenv /etc/zsh/zshenv $HOME/.zshenv /etc/zprofile
   40     #        /etc/zsh/zprofile $HOME/.zprofile /etc/zshrc /etc/zsh/zshrc
   41     #        $ZDOTDIR/.zshrc /etc/zlogin /etc/zsh/zlogin
   42 
   43     SHELL_LOGIN_FILES="${ROOTDIR}etc/csh.cshrc ${ROOTDIR}etc/csh.login ${ROOTDIR}etc/zshenv ${ROOTDIR}etc/zsh/zshenv
   44                        ${ROOTDIR}etc/zprofile ${ROOTDIR}etc/zsh/zprofile ${ROOTDIR}etc/zshrc ${ROOTDIR}etc/zsh/zshrc
   45                        ${ROOTDIR}etc/zlogin ${ROOTDIR}etc/zsh/zlogin"
   46 #
   47 #################################################################################
   48 #
   49 
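    # Test        : SHLL-6202
    # Description : check all console TTYs in which root user can enter single user mode without password
    # Reads ${ROOTDIR}etc/ttys (FreeBSD only, see --os). A 'console' entry that is not
    # marked 'insecure' lets single-user mode drop to a root shell without a password.
    # An absent ttys file is logged as skipped instead of being shown as OK (an empty
    # grep result used to be indistinguishable from "console secured").
    Register --test-no SHLL-6202 --os FreeBSD --weight L --network NO --category security --description "Check console TTYs"
    if [ ${SKIPTEST} -eq 0 ]; then
        LogText "Test: Checking console TTYs"
        if [ -f "${ROOTDIR}etc/ttys" ]; then
            # Commented-out entries start with '#' and therefore never match '^console'
            FIND=$(${EGREPBINARY} '^console' "${ROOTDIR}etc/ttys" | ${GREPBINARY} -v 'insecure')
            if [ -z "${FIND}" ]; then
                Display --indent 2 --text "- Checking console TTYs" --result "${STATUS_OK}" --color GREEN
                LogText "Result: console is secured against single user mode without password."
            else
                Display --indent 2 --text "- Checking console TTYs" --result "${STATUS_WARNING}" --color RED
                LogText "Result: Found insecure console in ${ROOTDIR}etc/ttys. Single user mode login without password allowed!"
                LogText "Output ${ROOTDIR}etc/ttys:"
                LogText "${FIND}"
                ReportWarning "${TEST_NO}" "Found unprotected console in ${ROOTDIR}etc/ttys"
                LogText "Possible solution: Change the console line from 'secure' to 'insecure'."
            fi
        else
            LogText "Result: ${ROOTDIR}etc/ttys not found, skipping test"
        fi
    fi
#
#################################################################################
#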
    # Test        : SHLL-6211
    # Description : Determine available shell according /etc/shells
    # Every absolute path listed in ${ROOTDIR}etc/shells is reported as available_shell[];
    # the ones that exist as regular files are counted as valid.
    Register --test-no SHLL-6211 --weight L --network NO --category security --description "Available and valid shells"
    if [ ${SKIPTEST} -eq 0 ]; then
        LogText "Test: Searching for ${ROOTDIR}etc/shells"
        if [ ! -f ${ROOTDIR}etc/shells ]; then
            LogText "Result: ${ROOTDIR}etc/shells not found, skipping test"
        else
            LogText "Result: Found ${ROOTDIR}etc/shells file"
            LogText "Test: Reading available shells from ${ROOTDIR}etc/shells"
            # Only lines starting with '/' are shell entries; comments and blank lines are dropped
            SSHELLS=$(${GREPBINARY} "^/" ${ROOTDIR}etc/shells)
            CSSHELLS=0
            CSSHELLS_ALL=0
            Display --indent 2 --text "- Checking shells from ${ROOTDIR}etc/shells"
            for SHELL_ENTRY in ${SSHELLS}; do
                CSSHELLS_ALL=$((CSSHELLS_ALL + 1))
                Report "available_shell[]=${SHELL_ENTRY}"
                # TODO add check for symlinked shells (-f follows symlinks, so a link to an
                # existing binary counts as installed while a dangling link does not)
                if [ ! -f ${SHELL_ENTRY} ]; then
                    LogText "Shell ${SHELL_ENTRY} not installed. Probably a dummy or non existing shell."
                else
                    LogText "Found installed shell: ${SHELL_ENTRY}"
                    CSSHELLS=$((CSSHELLS + 1))
                fi
            done
            Display --indent 4 --text "Result: found ${CSSHELLS_ALL} shells (valid shells: ${CSSHELLS})."
        fi
    fi
#
#################################################################################
#
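    # Test        : SHLL-6220
    # Description : Check for idle session killing tools or settings
    # Looks for a running timeoutd or autolog daemon and for a TMOUT value in
    # ${ROOTDIR}etc/profile and ${ROOTDIR}etc/profile.d/*.sh.
    # Sets    : IDLE_TIMEOUT=1 when any mechanism is found (reported at the end of this file),
    #           IDLE_TIMEOUT_METHOD to the mechanism found last (a later check overwrites an earlier one),
    #           IDLE_TIMEOUT_READONLY to 1/0 once a TMOUT export line was inspected for readonly/typeset -r
    #           (a TMOUT that is not readonly can be unset by the user, so the timeout is not enforced).
    # Reports : session_timeout_value[], session_timeout_method[], session_timeout_set_readonly
    Register --test-no SHLL-6220 --weight L --network NO --category security --description "Idle session killing tools or settings"
    if [ ${SKIPTEST} -eq 0 ]; then

        IDLE_TIMEOUT_METHOD=""
        IDLE_TIMEOUT_READONLY=""

        LogText "Test: Search for session timeout tools or settings in shell"

        # Daemons that terminate idle sessions
        IsRunning timeoutd
        if [ ${RUNNING} -eq 1 ]; then
            IDLE_TIMEOUT=1
            LogText "Result: found timeoutd process to kill idle sesions"
            IDLE_TIMEOUT_METHOD="timeout-daemon"
        fi
        IsRunning autolog
        if [ ${RUNNING} -eq 1 ]; then
            IDLE_TIMEOUT=1
            LogText "Result: found autolog process to kill idle sesions"
            # Reported once at the end of this test through IDLE_TIMEOUT_METHOD; an earlier
            # revision assigned a variable named Report here instead of calling Report
            IDLE_TIMEOUT_METHOD="autolog"
        fi

        # TMOUT in the system-wide profile
        if [ -f ${ROOTDIR}etc/profile ]; then
            # Determine if we can find a TMOUT value: drop whitespace, comments and 'export', keep the right-hand side.
            # NOTE(review): a value of 0 disables the timeout in bash/ksh but is still counted as "found" here — TODO
            FIND=$(${GREPBINARY} 'TMOUT=' ${ROOTDIR}etc/profile | ${TRBINARY} -d ' ' | ${TRBINARY} -d '\t' | ${GREPBINARY} -v "^#" | ${SEDBINARY} 's/export//' | ${SEDBINARY} 's/#.*//' | ${AWKBINARY} -F= '{ print $2 }')
            # Determine how the value is published (export, readonly, or typeset -r) and keep that keyword.
            # POSIX ERE via egrep: the former '\|' alternation is a GNU extension, and '[ \t]' is a
            # backslash and a 't' inside a bracket expression, so a tab-separated 'readonly<TAB>TMOUT' was missed.
            FIND2=$(${EGREPBINARY} '(export|readonly|typeset -r)[[:space:]]*TMOUT' ${ROOTDIR}etc/profile | ${GREPBINARY} -v "^#" | ${SEDBINARY} 's/#.*//' | ${AWKBINARY} '{ print $1 }')
            if [ -n "${FIND}" ]; then
                N=0; IDLE_TIMEOUT=1
                for I in ${FIND}; do
                    LogText "Output: ${I}"
                    Report "session_timeout_value[]=${I}"
                    N=$((N + 1))
                done
                if [ ${N} -eq 1 ]; then
                    LogText "Result: found TMOUT value configured in ${ROOTDIR}etc/profile"
                else
                    LogText "Result: found several TMOUT values configured in ${ROOTDIR}etc/profile"
                fi
                IDLE_TIMEOUT_METHOD="profile"
            else
                LogText "Result: could not find TMOUT setting in ${ROOTDIR}etc/profile"
            fi

            if [ -n "${FIND2}" ]; then
                N=0
                for I in ${FIND2}; do
                    LogText "Output: ${I}"
                    # Only readonly and typeset -r protect the value; a plain export can be changed by the user
                    case ${I} in
                        readonly|typeset) N=$((N + 1)) ;;
                    esac
                done
                if [ ${N} -gt 0 ]; then
                    LogText "Result: found readonly setting in ${ROOTDIR}etc/profile (readonly or typeset -r)"
                    IDLE_TIMEOUT_READONLY=1
                else
                    LogText "Result: NO readonly setting found in ${ROOTDIR}etc/profile (readonly or typeset -r)"
                    IDLE_TIMEOUT_READONLY=0
                fi
            else
                LogText "Result: could not find export, readonly or typeset -r in ${ROOTDIR}etc/profile"
            fi
        else
            LogText "Result: skip ${ROOTDIR}etc/profile test, file not available on this system"
        fi

        # TMOUT in profile.d snippets: same parsing as above, over the concatenated *.sh files
        if [ -d ${ROOTDIR}etc/profile.d ]; then
            FIND=$(${LSBINARY} ${ROOTDIR}etc/profile.d/*.sh 2> /dev/null)
            if [ -n "${FIND}" ]; then
                # Determine if we can find a TMOUT value
                FIND=$(${FINDBINARY} ${ROOTDIR}etc/profile.d -name "*.sh" -type f -exec cat {} \; 2> /dev/null | ${GREPBINARY} 'TMOUT=' | ${TRBINARY} -d ' ' | ${TRBINARY} -d '\t' | ${GREPBINARY} -v "^#" | ${SEDBINARY} 's/export//' | ${SEDBINARY} 's/#.*//' | ${AWKBINARY} -F= '{ print $2 }')
                # Determine how the value is published (export, readonly, or typeset -r)
                FIND2=$(${FINDBINARY} ${ROOTDIR}etc/profile.d -name "*.sh" -type f -exec cat {} \; 2> /dev/null | ${EGREPBINARY} '(export|readonly|typeset -r)[[:space:]]*TMOUT' | ${GREPBINARY} -v "^#" | ${SEDBINARY} 's/#.*//' | ${AWKBINARY} '{ print $1 }')
                if [ -n "${FIND}" ]; then
                    N=0; IDLE_TIMEOUT=1
                    for I in ${FIND}; do
                        LogText "Output: ${I}"
                        Report "session_timeout_value[]=${I}"
                        N=$((N + 1))
                    done
                    if [ ${N} -eq 1 ]; then
                        LogText "Result: found TMOUT value configured in one of the files in ${ROOTDIR}etc/profile.d directory"
                    else
                        LogText "Result: found several TMOUT values configured in one of the files in ${ROOTDIR}etc/profile.d directory"
                    fi
                    # Overwrites a method found above: the last mechanism wins
                    IDLE_TIMEOUT_METHOD="profile.d"
                else
                    LogText "Result: could not find TMOUT setting in ${ROOTDIR}etc/profile.d/*.sh"
                fi
                # Check for readonly in the profile.d snippets (messages name profile.d, not profile)
                if [ -n "${FIND2}" ]; then
                    N=0
                    for I in ${FIND2}; do
                        LogText "Output: ${I}"
                        case ${I} in
                            readonly|typeset) N=$((N + 1)) ;;
                        esac
                    done
                    if [ ${N} -gt 0 ]; then
                        LogText "Result: found readonly setting in ${ROOTDIR}etc/profile.d (readonly or typeset -r)"
                        IDLE_TIMEOUT_READONLY=1
                    else
                        LogText "Result: NO readonly setting found in ${ROOTDIR}etc/profile.d (readonly or typeset -r)"
                        IDLE_TIMEOUT_READONLY=0
                    fi
                else
                    LogText "Result: could not find export, readonly or typeset -r in ${ROOTDIR}etc/profile.d"
                fi
            fi
        else
            LogText "Result: skip ${ROOTDIR}etc/profile.d directory test, directory not available on this system"
        fi

        if [ -n "${IDLE_TIMEOUT_METHOD}" ]; then
            Report "session_timeout_method[]=${IDLE_TIMEOUT_METHOD}"
        fi
        if [ -n "${IDLE_TIMEOUT_READONLY}" ]; then
            Report "session_timeout_set_readonly=${IDLE_TIMEOUT_READONLY}"
        fi

        if [ ${IDLE_TIMEOUT} -eq 1 ]; then
            Display --indent 4 --text "- Session timeout settings/tools" --result "${STATUS_FOUND}" --color GREEN
            AddHP 3 3
        else
            Display --indent 4 --text "- Session timeout settings/tools" --result "${STATUS_NONE}" --color YELLOW
            AddHP 1 3
        fi
    fi
#
#################################################################################
#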
    # Test        : SHLL-6230
    # Description : Check for umask values in shell configurations
    # Each existing file in SHELL_CONFIG_FILES is scanned for 'umask' lines; 027 and 077
    # (with or without leading zero) count as hardened, any other value marks the file weak.
    SHELL_CONFIG_FILES="${ROOTDIR}etc/bashrc ${ROOTDIR}etc/bash.bashrc ${ROOTDIR}etc/bash.bashrc.local ${ROOTDIR}etc/csh.cshrc ${ROOTDIR}etc/profile"
    Register --test-no SHLL-6230 --weight H --network NO --category security --description "Perform umask check for shell configurations"
    if [ ${SKIPTEST} -eq 0 ]; then
        FOUND=0
        Display --indent 2 --text "- Checking default umask values"
        for FILE in ${SHELL_CONFIG_FILES}; do
            HARDENING_POSSIBLE=0
            FIND=""
            if [ ! -f ${FILE} ]; then
                LogText "Result: file ${FILE} not found"
                continue
            fi
            LogText "Result: file ${FILE} exists"
            FOUND=1
            # Strip leading whitespace and trailing comments, drop blank lines, keep the umask argument
            FIND=$(${GREPBINARY} umask ${FILE} | ${SEDBINARY} 's/^[ \t]*//g' | ${SEDBINARY} 's/#.*$//' | ${GREPBINARY} -v "^$" | ${AWKBINARY} '{ print $2 }')
            if IsEmpty "${FIND}"; then
                LogText "Result: did not find umask configured in ${FILE}"
                Display --indent 4 --text "- Checking default umask in ${FILE}" --result "${STATUS_NONE}" --color YELLOW
                continue
            fi
            for UMASKVALUE in ${FIND}; do
                LogText "Result: found umask ${UMASKVALUE} in ${FILE}"
                case ${UMASKVALUE} in
                    027|0027|077|0077)
                        LogText "Result: umask ${UMASKVALUE} is considered a properly hardened value"
                        ;;
                    *)
                        LogText "Result: umask ${UMASKVALUE} can be hardened "
                        HARDENING_POSSIBLE=1
                        ;;
                esac
            done
            # One weak value is enough to mark the whole file
            if [ ${HARDENING_POSSIBLE} -eq 1 ]; then
                Display --indent 4 --text "- Checking default umask in ${FILE}" --result "${STATUS_WEAK}" --color YELLOW
                AddHP 1 3
            else
                Display --indent 4 --text "- Checking default umask in ${FILE}" --result "${STATUS_OK}" --color GREEN
                AddHP 3 3
            fi
        done
    fi
#
#################################################################################
#

  280 Report "session_timeout_enabled=${IDLE_TIMEOUT}"
  281 
  282 
  283 WaitForKeyPress
  284 
  285 #
  286 #================================================================================
  287 # Lynis - Copyright 2007-2019, CISOfy - http://cisofy.com