Lines 6-12
| 6 |
# ------------------ |
6 |
# ------------------ |
| 7 |
# |
7 |
# |
| 8 |
# Copyright 2007-2013, Michael Boelen |
8 |
# Copyright 2007-2013, Michael Boelen |
| 9 |
# Copyright 2007-2020, CISOfy |
9 |
# Copyright 2007-2021, CISOfy |
| 10 |
# |
10 |
# |
| 11 |
# Website : https://cisofy.com |
11 |
# Website : https://cisofy.com |
| 12 |
# Blog : http://linux-audit.com |
12 |
# Blog : http://linux-audit.com |
Lines 22-28
| 22 |
# |
22 |
# |
| 23 |
################################################################################# |
23 |
################################################################################# |
| 24 |
# |
24 |
# |
| 25 |
InsertSection "Kernel" |
25 |
InsertSection "${SECTION_KERNEL}" |
| 26 |
# |
26 |
# |
| 27 |
################################################################################# |
27 |
################################################################################# |
| 28 |
# |
28 |
# |
Lines 81-87
| 81 |
fi |
81 |
fi |
| 82 |
else |
82 |
else |
| 83 |
LogText "Result: file ${ROOTDIR}etc/inittab not found" |
83 |
LogText "Result: file ${ROOTDIR}etc/inittab not found" |
| 84 |
if [ "${LINUX_VERSION}" = "Debian" -o "${LINUX_VERSION}" = "Ubuntu" ]; then |
84 |
if [ "${LINUX_VERSION}" = "Debian" ] || [ "${LINUX_VERSION}" = "Ubuntu" ] || [ "${LINUX_VERSION_LIKE}" = "Debian" ] || [ "${LINUX_VERSION_LIKE}" = "Ubuntu" ]; then |
| 85 |
LogText "Test: Checking run level with who -r, for Debian based systems" |
85 |
LogText "Test: Checking run level with who -r, for Debian based systems" |
| 86 |
FIND=$(who -r | ${AWKBINARY} '{ if ($1=="run-level") { print $2 } }') |
86 |
FIND=$(who -r | ${AWKBINARY} '{ if ($1=="run-level") { print $2 } }') |
| 87 |
if HasData "${FIND}"; then |
87 |
if HasData "${FIND}"; then |
Lines 103-109
| 103 |
# Description : Check CPU options and support (PAE, No eXecute, eXecute Disable) |
103 |
# Description : Check CPU options and support (PAE, No eXecute, eXecute Disable) |
| 104 |
# More info : pae and nx bit are both visible on AMD and Intel CPU's if supported |
104 |
# More info : pae and nx bit are both visible on AMD and Intel CPU's if supported |
| 105 |
|
105 |
|
| 106 |
Register --test-no KRNL-5677 --platform x86_64 --os Linux --weight L --network NO --category security --description "Check CPU options and support" |
106 |
Register --test-no KRNL-5677 --platform "x86_64 amd64" --os "Linux NetBSD" --weight L --network NO --category security --description "Check CPU options and support" |
| 107 |
if [ ${SKIPTEST} -eq 0 ]; then |
107 |
if [ ${SKIPTEST} -eq 0 ]; then |
| 108 |
Display --indent 2 --text "- Checking CPU support (NX/PAE)" |
108 |
Display --indent 2 --text "- Checking CPU support (NX/PAE)" |
| 109 |
LogText "Test: Checking /proc/cpuinfo" |
109 |
LogText "Test: Checking /proc/cpuinfo" |
Lines 235-246
| 235 |
Register --test-no KRNL-5728 --os Linux --weight L --network NO --category security --description "Checking Linux kernel config" |
235 |
Register --test-no KRNL-5728 --os Linux --weight L --network NO --category security --description "Checking Linux kernel config" |
| 236 |
if [ ${SKIPTEST} -eq 0 ]; then |
236 |
if [ ${SKIPTEST} -eq 0 ]; then |
| 237 |
CHECKFILE="${ROOTDIR}boot/config-$(uname -r)" |
237 |
CHECKFILE="${ROOTDIR}boot/config-$(uname -r)" |
|
|
238 |
CHECKFILE_ZIPPED="${ROOTDIR}proc/config.gz" |
| 238 |
if [ -f ${CHECKFILE} ]; then |
239 |
if [ -f ${CHECKFILE} ]; then |
| 239 |
LINUXCONFIGFILE="${CHECKFILE}" |
240 |
LINUXCONFIGFILE="${CHECKFILE}" |
| 240 |
LogText "Result: found config (${LINUXCONFIGFILE})" |
241 |
LogText "Result: found config (${LINUXCONFIGFILE})" |
| 241 |
Display --indent 2 --text "- Checking Linux kernel configuration file" --result "${STATUS_FOUND}" --color GREEN |
242 |
Display --indent 2 --text "- Checking Linux kernel configuration file" --result "${STATUS_FOUND}" --color GREEN |
| 242 |
elif [ -f ${ROOTDIR}proc/config.gz ]; then |
243 |
elif [ -f ${CHECKFILE_ZIPPED} ]; then |
| 243 |
LINUXCONFIGFILE="${CHECKFILE}" |
244 |
LINUXCONFIGFILE="${CHECKFILE_ZIPPED}" |
| 244 |
LINUXCONFIGFILE_ZIPPED=1 |
245 |
LINUXCONFIGFILE_ZIPPED=1 |
| 245 |
LogText "Result: found config: ${ROOTDIR}proc/config.gz (compressed)" |
246 |
LogText "Result: found config: ${ROOTDIR}proc/config.gz (compressed)" |
| 246 |
Display --indent 2 --text "- Checking Linux kernel configuration file" --result "${STATUS_FOUND}" --color GREEN |
247 |
Display --indent 2 --text "- Checking Linux kernel configuration file" --result "${STATUS_FOUND}" --color GREEN |
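Review bot: The new `CHECKFILE_ZIPPED` variable (new line 238) is used in the `elif` test and the assignment but the log message on new line 246 still spells out `${ROOTDIR}proc/config.gz` by hand, so the two can drift apart if the path is ever changed in one place; suggest `LogText "Result: found config: ${CHECKFILE_ZIPPED} (compressed)"`. Both `[ -f ${CHECKFILE} ]` and the new `[ -f ${CHECKFILE_ZIPPED} ]` are unquoted even though `${ROOTDIR}` is a caller-supplied path, so a root directory containing whitespace breaks the test; quoting as `[ -f "${CHECKFILE_ZIPPED}" ]` matches the quoted `[ -f "${ROOTDIR}etc/security/limits.conf" ]` style used later in this file. The enclosing `if [ ${SKIPTEST} -eq 0 ]` block continues past the end of this hunk.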
Lines 367-375
| 367 |
# |
368 |
# |
| 368 |
# Test : KRNL-5788 |
369 |
# Test : KRNL-5788 |
| 369 |
# Description : Checking availability new kernel |
370 |
# Description : Checking availability new kernel |
| 370 |
if [ "${LINUX_VERSION}" = "Debian" -o "${LINUX_VERSION}" = "Ubuntu" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi |
371 |
if [ "${LINUX_VERSION}" = "Debian" ] || [ "${LINUX_VERSION}" = "Ubuntu" ] || [ "${LINUX_VERSION_LIKE}" = "Debian" ] || [ "${LINUX_VERSION_LIKE}" = "Ubuntu" ]; then |
|
|
372 |
PREQS_MET="YES" |
| 373 |
else |
| 374 |
PREQS_MET="NO" |
| 375 |
fi |
| 371 |
Register --test-no KRNL-5788 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking availability new Linux kernel" |
376 |
Register --test-no KRNL-5788 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking availability new Linux kernel" |
| 372 |
if [ ${SKIPTEST} -eq 0 ]; then |
377 |
if [ ${SKIPTEST} -eq 0 ]; then |
|
|
378 |
FINDKERNEL="" |
| 373 |
HAS_VMLINUZ=0 |
379 |
HAS_VMLINUZ=0 |
| 374 |
LogText "Test: Searching apt-cache, to determine if a newer kernel is available" |
380 |
LogText "Test: Searching apt-cache, to determine if a newer kernel is available" |
| 375 |
if [ -x ${ROOTDIR}usr/bin/apt-cache ]; then |
381 |
if [ -x ${ROOTDIR}usr/bin/apt-cache ]; then |
Lines 378-439
| 378 |
if [ -f ${ROOTDIR}vmlinuz -o -f ${ROOTDIR}boot/vmlinuz ]; then |
384 |
if [ -f ${ROOTDIR}vmlinuz -o -f ${ROOTDIR}boot/vmlinuz ]; then |
| 379 |
HAS_VMLINUZ=1 |
385 |
HAS_VMLINUZ=1 |
| 380 |
if [ -f ${ROOTDIR}vmlinuz ]; then |
386 |
if [ -f ${ROOTDIR}vmlinuz ]; then |
| 381 |
FINDVMLINUZ=${ROOTDIR}vmlinuz |
387 |
FINDVMLINUZ="${ROOTDIR}vmlinuz" |
| 382 |
else |
388 |
else |
| 383 |
FINDVMLINUZ=${ROOTDIR}boot/vmlinuz |
389 |
FINDVMLINUZ="${ROOTDIR}boot/vmlinuz" |
| 384 |
fi |
390 |
fi |
| 385 |
LogText "Result: found ${FINDVMLINUZ}" |
391 |
LogText "Result: found ${FINDVMLINUZ}" |
| 386 |
LogText "Test: checking readlink location of ${FINDVMLINUZ}" |
392 |
LogText "Test: checking readlink location of ${FINDVMLINUZ}" |
| 387 |
FINDKERNFILE=$(readlink -f ${FINDVMLINUZ}) |
393 |
FINDKERNFILE=$(readlink -f ${FINDVMLINUZ}) |
| 388 |
LogText "Output: readlink reported file ${FINDKERNFILE}" |
394 |
LogText "Output: readlink reported file ${FINDKERNFILE}" |
| 389 |
LogText "Test: checking package from dpkg -S" |
395 |
LogText "Test: checking relevant package using output from dpkg -S" |
| 390 |
FINDKERNEL=$(dpkg -S ${FINDKERNFILE} 2> /dev/null | ${AWKBINARY} -F : '{print $1}') |
396 |
FINDKERNEL=$(dpkg -S ${FINDKERNFILE} 2> /dev/null | ${AWKBINARY} -F : '{print $1}') |
| 391 |
LogText "Output: dpkg -S reported package ${FINDKERNEL}" |
397 |
LogText "Output: dpkg -S reported package ${FINDKERNEL}" |
| 392 |
elif [ -e ${ROOTDIR}dev/grsec ]; then |
398 |
elif [ -e ${ROOTDIR}dev/grsec ]; then |
| 393 |
FINDKERNEL=linux-image-$(uname -r) |
399 |
FINDKERNEL="linux-image-$(uname -r)" |
| 394 |
LogText "Result: ${ROOTDIR}vmlinuz missing due to grsecurity; assuming ${FINDKERNEL}" |
400 |
LogText "Result: ${ROOTDIR}vmlinuz missing due to grsecurity; assuming ${FINDKERNEL}" |
| 395 |
elif [ -e ${ROOTDIR}etc/rpi-issue ]; then |
401 |
elif [ -e ${ROOTDIR}etc/rpi-issue ]; then |
| 396 |
FINDKERNEL=raspberrypi-kernel |
402 |
FINDKERNEL="raspberrypi-kernel" |
| 397 |
LogText "Result: ${ROOTDIR}vmlinuz missing due to Raspbian" |
403 |
LogText "Result: ${ROOTDIR}vmlinuz missing due to Raspbian" |
| 398 |
elif `${EGREPBINARY} -q 'do_symlinks.*=.*No' ${ROOTDIR}etc/kernel-img.conf`; then |
404 |
elif $(${EGREPBINARY} -q 'do_symlinks.*=.*No' ${ROOTDIR}etc/kernel-img.conf); then |
| 399 |
FINDKERNEL=linux-image-$(uname -r) |
405 |
FINDKERNEL="linux-image-$(uname -r)" |
| 400 |
LogText "Result: ${ROOTDIR}vmlinuz missing due to /etc/kernel-img.conf item do_symlinks = No" |
406 |
LogText "Result: ${ROOTDIR}vmlinuz missing due to /etc/kernel-img.conf item do_symlinks = No" |
| 401 |
else |
407 |
else |
| 402 |
LogText "This system is missing ${ROOTDIR}vmlinuz or ${ROOTDIR}boot/vmlinuz. Unable to check whether kernel is up-to-date." |
408 |
LogText "This system is missing ${ROOTDIR}vmlinuz or ${ROOTDIR}boot/vmlinuz. Unable to check whether kernel is up-to-date." |
| 403 |
ReportSuggestion "${TEST_NO}" "Determine why ${ROOTDIR}vmlinuz or ${ROOTDIR}boot/vmlinuz is missing on this Debian/Ubuntu system." "/vmlinuz or /boot/vmlinuz" |
409 |
ReportSuggestion "${TEST_NO}" "Determine why ${ROOTDIR}vmlinuz or ${ROOTDIR}boot/vmlinuz is missing on this Debian/Ubuntu system." "/vmlinuz or /boot/vmlinuz" |
| 404 |
fi |
410 |
fi |
| 405 |
LogText "Test: Using apt-cache policy to determine if there is an update available" |
411 |
|
| 406 |
FINDINST=$(apt-cache policy ${FINDKERNEL} | ${EGREPBINARY} 'Installed' | ${CUTBINARY} -d ':' -f2 | ${TRBINARY} -d ' ') |
412 |
if IsEmpty "${FINDKERNEL}"; then |
| 407 |
FINDCAND=$(apt-cache policy ${FINDKERNEL} | ${EGREPBINARY} 'Candidate' | ${CUTBINARY} -d ':' -f2 | ${TRBINARY} -d ' ') |
413 |
LogText "Result: could not check kernel update status as kernel is unknown" |
| 408 |
LogText "Kernel installed: ${FINDINST}" |
|
|
| 409 |
LogText "Kernel candidate: ${FINDCAND}" |
| 410 |
if IsEmpty "${FINDINST}"; then |
| 411 |
Display --indent 2 --text "- Checking for available kernel update" --result "${STATUS_UNKNOWN}" --color YELLOW |
| 412 |
LogText "Result: Exception occurred, no output from apt-cache policy" |
| 413 |
if [ ${HAS_VMLINUZ} -eq 1 ]; then |
| 414 |
ReportException "${TEST_NO}:01" |
| 415 |
ReportSuggestion "${TEST_NO}" "Check the output of apt-cache policy to determine why its output is empty" |
| 416 |
fi |
| 417 |
LogText "Result: apt-cache policy did not return an installed kernel version" |
| 418 |
else |
414 |
else |
| 419 |
if [ "${FINDINST}" = "${FINDCAND}" ]; then |
415 |
LogText "Result: found kernel '${FINDKERNEL}' which will be used for further testing" |
| 420 |
if [ -e /dev/grsec ]; then |
416 |
LogText "Test: Using apt-cache policy to determine if there is an update available" |
| 421 |
Display --indent 2 --text "- Checking for available kernel update" --result GRSEC --color GREEN |
417 |
FINDINSTALLED=$(apt-cache policy ${FINDKERNEL} | ${EGREPBINARY} 'Installed' | ${CUTBINARY} -d ':' -f2 | ${TRBINARY} -d ' ') |
| 422 |
LogText "Result: Grsecurity is installed; unable to determine if there's a newer kernel available" |
418 |
FINDCANDIDATE=$(apt-cache policy ${FINDKERNEL} | ${EGREPBINARY} 'Candidate' | ${CUTBINARY} -d ':' -f2 | ${TRBINARY} -d ' ') |
| 423 |
ReportManual "Manually check to confirm you're using a recent kernel and grsecurity patch" |
419 |
LogText "Kernel installed: ${FINDINSTALLED}" |
| 424 |
else |
420 |
LogText "Kernel candidate: ${FINDCANDIDATE}" |
| 425 |
Display --indent 2 --text "- Checking for available kernel update" --result "${STATUS_OK}" --color GREEN |
421 |
if IsEmpty "${FINDINSTALLED}"; then |
| 426 |
LogText "Result: no kernel update available" |
422 |
Display --indent 2 --text "- Checking for available kernel update" --result "${STATUS_UNKNOWN}" --color YELLOW |
|
|
423 |
LogText "Result: Exception occurred, no output from apt-cache policy" |
| 424 |
if [ ${HAS_VMLINUZ} -eq 1 ]; then |
| 425 |
ReportException "${TEST_NO}:01" "Found vmlinuz (${FINDVMLINUZ}) but could not determine the installed kernel using apt-cache policy" |
| 426 |
ReportSuggestion "${TEST_NO}" "Check the output of apt-cache policy to determine why its output is empty" |
| 427 |
fi |
427 |
fi |
|
|
428 |
LogText "Result: apt-cache policy did not return an installed kernel version" |
| 428 |
else |
429 |
else |
| 429 |
Display --indent 2 --text "- Checking for available kernel update" --result "UPDATE AVAILABLE" --color YELLOW |
430 |
if [ "${FINDINSTALLED}" = "${FINDCANDIDATE}" ]; then |
| 430 |
LogText "Result: kernel update available according 'apt-cache policy'." |
431 |
if [ -e /dev/grsec ]; then |
| 431 |
ReportSuggestion "${TEST_NO}" "Determine priority for available kernel update" |
432 |
Display --indent 2 --text "- Checking for available kernel update" --result GRSEC --color GREEN |
|
|
433 |
LogText "Result: Grsecurity is installed; unable to determine if there's a newer kernel available" |
| 434 |
ReportManual "Manually check to confirm you're using a recent kernel and grsecurity patch" |
| 435 |
else |
| 436 |
Display --indent 2 --text "- Checking for available kernel update" --result "${STATUS_OK}" --color GREEN |
| 437 |
LogText "Result: no kernel update available" |
| 438 |
fi |
| 439 |
else |
| 440 |
Display --indent 2 --text "- Checking for available kernel update" --result "UPDATE AVAILABLE" --color YELLOW |
| 441 |
LogText "Result: kernel update available according 'apt-cache policy'." |
| 442 |
ReportSuggestion "${TEST_NO}" "Determine priority for available kernel update" |
| 443 |
fi |
| 432 |
fi |
444 |
fi |
| 433 |
fi |
445 |
fi |
| 434 |
else |
446 |
else |
| 435 |
LogText "Result: could NOT find /usr/bin/apt-cache, skipped other tests." |
447 |
LogText "Result: could NOT find ${ROOTDIR}usr/bin/apt-cache, skipped other tests." |
| 436 |
fi |
448 |
fi |
|
|
449 |
unset FINDCANDIDATE FINDINSTALLED FINDKERNEL HAS_VMLINUZ |
| 437 |
fi |
450 |
fi |
| 438 |
# |
451 |
# |
| 439 |
################################################################################# |
452 |
################################################################################# |
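Review bot: New line 404 swaps the backticks for `$(...)` but keeps the grep inside a command substitution used as the `elif` condition, which only works because a simple command that expands to nothing inherits the exit status of its last substitution; it is a fragile idiom, and the file path stays unquoted with egrep's stderr unsuppressed when `kernel-img.conf` is absent. Suggest running the command directly: `elif ${EGREPBINARY} -q 'do_symlinks.*=.*No' "${ROOTDIR}etc/kernel-img.conf" 2> /dev/null; then`. The grsecurity check on new line 431 still tests the bare `/dev/grsec`, whereas new line 398 and the corrected log message on new line 447 use `${ROOTDIR}`; for a consistent chroot-aware audit this should read `if [ -e ${ROOTDIR}dev/grsec ]; then`. Finally, the `unset` on new line 449 clears `FINDCANDIDATE FINDINSTALLED FINDKERNEL HAS_VMLINUZ` but leaves `FINDVMLINUZ` and `FINDKERNFILE`, which are assigned in the same test and would otherwise leak into later tests.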
Lines 457-465
| 457 |
# check conf files in possibly existing coredump.conf.d folders |
470 |
# check conf files in possibly existing coredump.conf.d folders |
| 458 |
# using find instead of grep -r to stay POSIX compliant. On AIX and HPUX grep -r is not available. |
471 |
# using find instead of grep -r to stay POSIX compliant. On AIX and HPUX grep -r is not available. |
| 459 |
# while there could be multiple files overwriting each other, we are checking the number of occurrences |
472 |
# while there could be multiple files overwriting each other, we are checking the number of occurrences |
| 460 |
SYSD_CORED_SUB_PROCSIZEMAX_NR_DISABLED=$(${FINDBINARY} /etc/systemd/coredump.conf.d/ /run/systemd/coredump.conf.d/ /usr/lib/systemd/coredump.conf.d/ -type f -iname "*.conf" -exec ${SEDBINARY} 's/^ *//g' {} \; 2> /dev/null | ${GREPBINARY} -i "^ProcessSizeMax=" | ${CUTBINARY} -d'=' -f2 | ${SEDBINARY} 's/ .*$//g ; s/\([A-Z][a-z]*\)*$//g' | ${GREPBINARY} "^0 *$" | ${WCBINARY} -l) |
473 |
SYSD_CORED_SUB_PROCSIZEMAX_NR_DISABLED=$(${FINDBINARY} -L /etc/systemd/coredump.conf.d/ /run/systemd/coredump.conf.d/ /usr/lib/systemd/coredump.conf.d/ -type f -iname "*.conf" -exec ${SEDBINARY} 's/^ *//g' {} \; 2> /dev/null | ${GREPBINARY} -i "^ProcessSizeMax=" | ${CUTBINARY} -d'=' -f2 | ${SEDBINARY} 's/ .*$//g ; s/\([A-Z][a-z]*\)*$//g' | ${GREPBINARY} "^0 *$" | ${WCBINARY} -l) |
| 461 |
SYSD_CORED_SUB_PROCSIZEMAX_NR_ENABLED=$(${FINDBINARY} /etc/systemd/coredump.conf.d/ /run/systemd/coredump.conf.d/ /usr/lib/systemd/coredump.conf.d/ -type f -iname "*.conf" -exec ${SEDBINARY} 's/^ *//g' {} \; 2> /dev/null | ${GREPBINARY} -i "^ProcessSizeMax=" | ${CUTBINARY} -d'=' -f2 | ${SEDBINARY} 's/ .*$//g ; s/\([A-Z][a-z]*\)*$//g' | ${GREPBINARY} -v "^0 *$" | ${WCBINARY} -l) |
474 |
SYSD_CORED_SUB_PROCSIZEMAX_NR_ENABLED=$(${FINDBINARY} -L /etc/systemd/coredump.conf.d/ /run/systemd/coredump.conf.d/ /usr/lib/systemd/coredump.conf.d/ -type f -iname "*.conf" -exec ${SEDBINARY} 's/^ *//g' {} \; 2> /dev/null | ${GREPBINARY} -i "^ProcessSizeMax=" | ${CUTBINARY} -d'=' -f2 | ${SEDBINARY} 's/ .*$//g ; s/\([A-Z][a-z]*\)*$//g' | ${GREPBINARY} -v "^0 *$" | ${WCBINARY} -l) |
| 462 |
SYSD_CORED_SUB_STORAGE_FOUND=$(${FINDBINARY} /etc/systemd/coredump.conf.d/ /run/systemd/coredump.conf.d/ /usr/lib/systemd/coredump.conf.d/ -type f -iname "*.conf" -exec ${SEDBINARY} 's/^ *//g' {} \; 2> /dev/null | ${GREPBINARY} -i "^Storage=" | ${CUTBINARY} -d'=' -f2 | ${SEDBINARY} 's/ .*$//g') |
475 |
SYSD_CORED_SUB_STORAGE_FOUND=$(${FINDBINARY} -L /etc/systemd/coredump.conf.d/ /run/systemd/coredump.conf.d/ /usr/lib/systemd/coredump.conf.d/ -type f -iname "*.conf" -exec ${SEDBINARY} 's/^ *//g' {} \; 2> /dev/null | ${GREPBINARY} -i "^Storage=" | ${CUTBINARY} -d'=' -f2 | ${SEDBINARY} 's/ .*$//g') |
| 463 |
SYSD_CORED_SUB_STORAGE_NR_ENABLED=$(${ECHOCMD} "${SYSD_CORED_SUB_STORAGE_FOUND}" | ${SEDBINARY} 's/none//g' | ${WCBINARY} | ${AWKBINARY} '{print $2}') |
476 |
SYSD_CORED_SUB_STORAGE_NR_ENABLED=$(${ECHOCMD} "${SYSD_CORED_SUB_STORAGE_FOUND}" | ${SEDBINARY} 's/none//g' | ${WCBINARY} | ${AWKBINARY} '{print $2}') |
| 464 |
SYSD_CORED_SUB_STORAGE_NR_DISABLED=$(${ECHOCMD} "${SYSD_CORED_SUB_STORAGE_FOUND}" | ${GREPBINARY} -o "none" | ${WCBINARY} | ${AWKBINARY} '{print $2}') |
477 |
SYSD_CORED_SUB_STORAGE_NR_DISABLED=$(${ECHOCMD} "${SYSD_CORED_SUB_STORAGE_FOUND}" | ${GREPBINARY} -o "none" | ${WCBINARY} | ${AWKBINARY} '{print $2}') |
| 465 |
if ( [ ${SYSD_CORED_BASE_PROCSIZEMAX_NR_DISABLED} -ge 1 ] && [ ${SYSD_CORED_BASE_STORAGE_NR_DISABLED} -ge 1 ] && [ ${SYSD_CORED_SUB_PROCSIZEMAX_NR_ENABLED} -eq 0 ] && [ ${SYSD_CORED_SUB_STORAGE_NR_ENABLED} -eq 0 ] ) || \ |
478 |
if ( [ ${SYSD_CORED_BASE_PROCSIZEMAX_NR_DISABLED} -ge 1 ] && [ ${SYSD_CORED_BASE_STORAGE_NR_DISABLED} -ge 1 ] && [ ${SYSD_CORED_SUB_PROCSIZEMAX_NR_ENABLED} -eq 0 ] && [ ${SYSD_CORED_SUB_STORAGE_NR_ENABLED} -eq 0 ] ) || \ |
Lines 484-496
| 484 |
( [ ${SYSD_CORED_BASE_PROCSIZEMAX_NR_ENABLED} -ge 1 ] && [ ${SYSD_CORED_SUB_STORAGE_NR_ENABLED} -ge 1 ] ) || \ |
497 |
( [ ${SYSD_CORED_BASE_PROCSIZEMAX_NR_ENABLED} -ge 1 ] && [ ${SYSD_CORED_SUB_STORAGE_NR_ENABLED} -ge 1 ] ) || \ |
| 485 |
( [ ${SYSD_CORED_BASE_STORAGE_NR_ENABLED} -ge 1 ] && [ ${SYSD_CORED_SUB_PROCSIZEMAX_NR_ENABLED} -ge 1 ] ) || \ |
498 |
( [ ${SYSD_CORED_BASE_STORAGE_NR_ENABLED} -ge 1 ] && [ ${SYSD_CORED_SUB_PROCSIZEMAX_NR_ENABLED} -ge 1 ] ) || \ |
| 486 |
( [ ${SYSD_CORED_SUB_PROCSIZEMAX_NR_ENABLED} -ge 1 ] && [ ${SYSD_CORED_SUB_STORAGE_NR_ENABLED} -ge 1 ] ); then |
499 |
( [ ${SYSD_CORED_SUB_PROCSIZEMAX_NR_ENABLED} -ge 1 ] && [ ${SYSD_CORED_SUB_STORAGE_NR_ENABLED} -ge 1 ] ); then |
| 487 |
LogText "Result: core dumps are explicitely enabled in systemd configuration files" |
500 |
LogText "Result: core dumps are explicitly enabled in systemd configuration files" |
| 488 |
ReportSuggestion "${TEST_NO}" "If not required, consider explicit disabling of core dump in ${ROOTDIR}etc/systemd/coredump.conf ('ProcessSizeMax=0', 'Storage=none')" |
501 |
ReportSuggestion "${TEST_NO}" "If not required, consider explicit disabling of core dump in ${ROOTDIR}etc/systemd/coredump.conf ('ProcessSizeMax=0', 'Storage=none')" |
| 489 |
Display --indent 4 --text "- configuration in systemd conf files" --result "${STATUS_ENABLED}" --color RED |
502 |
Display --indent 4 --text "- configuration in systemd conf files" --result "${STATUS_ENABLED}" --color RED |
| 490 |
AddHP 0 1 |
503 |
AddHP 0 1 |
| 491 |
else |
504 |
else |
| 492 |
LogText "Result: core dumps are not disabled in systemd configuration. Didn't find settings 'ProcessSizeMax=0' and 'Storage=none'" |
505 |
LogText "Result: core dumps are not disabled in systemd configuration. Didn't find settings 'ProcessSizeMax=0' and 'Storage=none'" |
| 493 |
Display --indent 4 --text "- configuration in systemd conf files" --result "DEFAULT" --color WHITE |
506 |
Display --indent 4 --text "- configuration in systemd conf files" --result "${STATUS_DEFAULT}" --color WHITE |
| 494 |
AddHP 0 1 |
507 |
AddHP 0 1 |
| 495 |
fi |
508 |
fi |
| 496 |
fi |
509 |
fi |
Lines 500-580
| 500 |
LogText "Test: Checking if 'ulimit -c 0' exists in ${ROOTDIR}etc/profile or ${ROOTDIR}etc/profile.d/*.sh" |
513 |
LogText "Test: Checking if 'ulimit -c 0' exists in ${ROOTDIR}etc/profile or ${ROOTDIR}etc/profile.d/*.sh" |
| 501 |
# use tail -1 in the following commands to get the last entry, which is the one that counts (in case of profile.d/ probably counts) |
514 |
# use tail -1 in the following commands to get the last entry, which is the one that counts (in case of profile.d/ probably counts) |
| 502 |
ULIMIT_C_VALUE="$(${GREPBINARY} "ulimit -c " ${ROOTDIR}etc/profile 2> /dev/null | ${SEDBINARY} 's/^ *//g' | ${GREPBINARY} -v "^#" | ${TAILBINARY} -1 | ${CUTBINARY} -d' ' -f3 | ${SEDBINARY} 's/ .*$//g ; s/\([A-Z][a-z]*\)*$//g')" |
515 |
ULIMIT_C_VALUE="$(${GREPBINARY} "ulimit -c " ${ROOTDIR}etc/profile 2> /dev/null | ${SEDBINARY} 's/^ *//g' | ${GREPBINARY} -v "^#" | ${TAILBINARY} -1 | ${CUTBINARY} -d' ' -f3 | ${SEDBINARY} 's/ .*$//g ; s/\([A-Z][a-z]*\)*$//g')" |
| 503 |
ULIMIT_C_VALUE_SUB="$(${FINDBINARY} ${ROOTDIR}etc/profile.d -name "*.sh" -type f -exec ${CAT_BINARY} {} \; 2> /dev/null | ${GREPBINARY} "ulimit -c " | ${SEDBINARY} 's/^ *//g' | ${GREPBINARY} -v "^#" | ${TAILBINARY} -1 | ${CUTBINARY} -d' ' -f3 | ${SEDBINARY} 's/ .*$//g ; s/\([A-Z][a-z]*\)*$//g')" |
516 |
ULIMIT_C_VALUE_SUB="$(${FINDBINARY} -L ${ROOTDIR}etc/profile.d -name "*.sh" -type f -exec ${CAT_BINARY} {} \; 2> /dev/null | ${GREPBINARY} "ulimit -c " | ${SEDBINARY} 's/^ *//g' | ${GREPBINARY} -v "^#" | ${TAILBINARY} -1 | ${CUTBINARY} -d' ' -f3 | ${SEDBINARY} 's/ .*$//g ; s/\([A-Z][a-z]*\)*$//g')" |
| 504 |
if ( [ -n "${ULIMIT_C_VALUE_SUB}" ] && [ "${ULIMIT_C_VALUE_SUB}" = "0" ] ) || ( [ -n "${ULIMIT_C_VALUE}" ] && [ -z "${ULIMIT_C_VALUE_SUB}" ] && [ "${ULIMIT_C_VALUE}" = "0" ] ); then |
517 |
if ( [ -n "${ULIMIT_C_VALUE_SUB}" ] && [ "${ULIMIT_C_VALUE_SUB}" = "0" ] ) || ( [ -n "${ULIMIT_C_VALUE}" ] && [ -z "${ULIMIT_C_VALUE_SUB}" ] && [ "${ULIMIT_C_VALUE}" = "0" ] ); then |
| 505 |
LogText "Result: core dumps are disabled by 'ulimit -c 0' in ${ROOTDIR}etc/profile or ${ROOTDIR}etc/profile.d/*.sh" |
518 |
LogText "Result: core dumps are disabled by 'ulimit -c 0' in ${ROOTDIR}etc/profile or ${ROOTDIR}etc/profile.d/*.sh" |
| 506 |
Display --indent 4 --text "- configuration in etc/profile" --result "${STATUS_DISABLED}" --color GREEN |
519 |
Display --indent 4 --text "- configuration in etc/profile" --result "${STATUS_DISABLED}" --color GREEN |
| 507 |
AddHP 1 1 |
520 |
AddHP 1 1 |
| 508 |
elif [ -z "${ULIMIT_C_VALUE_SUB}" ] && [ -z "${ULIMIT_C_VALUE}" ]; then |
521 |
elif [ -z "${ULIMIT_C_VALUE_SUB}" ] && [ -z "${ULIMIT_C_VALUE}" ]; then |
| 509 |
LogText "Result: core dumps are not disabled in ${ROOTDIR}etc/profile or ${ROOTDIR}etc/profile.d/*.sh config files. Didn't find setting 'ulimit -c 0'" |
522 |
LogText "Result: core dumps are not disabled in ${ROOTDIR}etc/profile or ${ROOTDIR}etc/profile.d/*.sh config files. Didn't find setting 'ulimit -c 0'" |
| 510 |
Display --indent 4 --text "- configuration in etc/profile" --result "DEFAULT" --color WHITE |
523 |
Display --indent 4 --text "- configuration in ${ROOTDIR}etc/profile" --result "${STATUS_DEFAULT}" --color WHITE |
| 511 |
AddHP 0 1 |
524 |
AddHP 0 1 |
| 512 |
elif ( [ -n "${ULIMIT_C_VALUE_SUB}" ] && ( [ "${ULIMIT_C_VALUE_SUB}" = "unlimited" ] || [ "${ULIMIT_C_VALUE_SUB}" != "0" ] ) ) || ( [ -n "${ULIMIT_C_VALUE}" ] && [ -z "${ULIMIT_C_VALUE_SUB}" ] && ( [ "${ULIMIT_C_VALUE}" = "unlimited" ] || [ "${ULIMIT_C_VALUE}" != "0" ] ) ); then |
525 |
elif ( [ -n "${ULIMIT_C_VALUE_SUB}" ] && ( [ "${ULIMIT_C_VALUE_SUB}" = "unlimited" ] || [ "${ULIMIT_C_VALUE_SUB}" != "0" ] ) ) || ( [ -n "${ULIMIT_C_VALUE}" ] && [ -z "${ULIMIT_C_VALUE_SUB}" ] && ( [ "${ULIMIT_C_VALUE}" = "unlimited" ] || [ "${ULIMIT_C_VALUE}" != "0" ] ) ); then |
| 513 |
LogText "Result: core dumps are enabled in ${ROOTDIR}etc/profile or ${ROOTDIR}etc/profile.d/*.sh config files. A value higher than 0 is configured for 'ulimit -c'" |
526 |
LogText "Result: core dumps are enabled in ${ROOTDIR}etc/profile or ${ROOTDIR}etc/profile.d/*.sh config files. A value higher than 0 is configured for 'ulimit -c'" |
| 514 |
Display --indent 4 --text "- configuration in etc/profile" --result "${STATUS_ENABLED}" --color RED |
527 |
Display --indent 4 --text "- configuration in ${ROOTDIR}etc/profile" --result "${STATUS_ENABLED}" --color RED |
| 515 |
AddHP 0 1 |
528 |
AddHP 0 1 |
| 516 |
else |
529 |
else |
| 517 |
LogText "Result: ERROR - something went wrong. Unexpected result during check of ${ROOTDIR}etc/profile and ${ROOTDIR}etc/profile.d/*.sh config files. Please report on Github!" |
530 |
LogText "Result: ERROR - something went wrong. Unexpected result during check of ${ROOTDIR}etc/profile and ${ROOTDIR}etc/profile.d/*.sh config files. Please report on Github!" |
| 518 |
Display --indent 4 --text "- configuration in etc/profile" --result "ERROR" --color YELLOW |
531 |
Display --indent 4 --text "- configuration in ${ROOTDIR}etc/profile" --result "${STATUS_ERROR}" --color YELLOW |
| 519 |
fi |
532 |
fi |
| 520 |
fi |
533 |
fi |
| 521 |
# Limits option |
534 |
|
| 522 |
LogText "Test: Checking presence ${ROOTDIR}etc/security/limits.conf" |
535 |
# Limits options |
| 523 |
if [ -f "${ROOTDIR}etc/security/limits.conf" ]; then |
536 |
for DIR in "/" "/usr/"; do |
| 524 |
LogText "Result: file ${ROOTDIR}etc/security/limits.conf exists" |
537 |
LogText "Test: Checking presence ${DIR}etc/security/limits.conf" |
| 525 |
LogText "Test: Checking if core dumps are disabled in ${ROOTDIR}etc/security/limits.conf and ${LIMITS_DIRECTORY}/*" |
538 |
if [ -f "${DIR}etc/security/limits.conf" ]; then |
| 526 |
# using find instead of grep -r to stay POSIX compliant. On AIX and HPUX grep -r is not available. |
539 |
LogText "Result: file ${DIR}etc/security/limits.conf exists" |
| 527 |
FIND1=$(${FINDBINARY} "${ROOTDIR}etc/security/limits.conf" "${LIMITS_DIRECTORY}" -type f -exec ${CAT_BINARY} {} \; 2> /dev/null | ${GREPBINARY} -v "^$" | ${AWKBINARY} '{ if ($1=="*" && $2=="soft" && $3=="core" && $4=="0") { print "soft core disabled" } else if ($1=="*" && $2=="soft" && $3=="core" && $4!="0") { print "soft core enabled" } }' | ${TAILBINARY} -1) |
540 |
LogText "Test: Checking if core dumps are disabled in ${DIR}etc/security/limits.conf and ${LIMITS_DIRECTORY}/*" |
| 528 |
FIND2=$(${FINDBINARY} "${ROOTDIR}etc/security/limits.conf" "${LIMITS_DIRECTORY}" -type f -exec ${CAT_BINARY} {} \; 2> /dev/null | ${GREPBINARY} -v "^$" | ${AWKBINARY} '{ if ($1=="*" && $2=="hard" && $3=="core" && $4=="0") { print "hard core disabled" } else if ($1=="*" && $2=="hard" && $3=="core" && $4!="0") { print "hard core enabled" } }' | ${TAILBINARY} -1) |
541 |
# using find instead of grep -r to stay POSIX compliant. On AIX and HPUX grep -r is not available. |
| 529 |
FIND3=$(${FINDBINARY} "${ROOTDIR}etc/security/limits.conf" "${LIMITS_DIRECTORY}" -type f -exec ${CAT_BINARY} {} \; 2> /dev/null | ${GREPBINARY} -v "^$" | ${AWKBINARY} '{ if ($1=="*" && $2=="-" && $3=="core" && $4=="0") { print "core dumps disabled" } else if ($1=="*" && $2=="-" && $3=="core" && $4!="0") { print "core dumps enabled" } }' | ${TAILBINARY} -1) |
542 |
FIND1=$(${FINDBINARY} -L "${DIR}etc/security/limits.conf" "${LIMITS_DIRECTORY}" -type f -exec ${CAT_BINARY} {} \; 2> /dev/null | ${GREPBINARY} -v "^$" | ${AWKBINARY} '{ if ($1=="*" && $2=="soft" && $3=="core" && $4=="0") { print "soft core disabled" } else if ($1=="*" && $2=="soft" && $3=="core" && $4!="0") { print "soft core enabled" } }' | ${TAILBINARY} -1) |
|
|
543 |
FIND2=$(${FINDBINARY} -L "${DIR}etc/security/limits.conf" "${LIMITS_DIRECTORY}" -type f -exec ${CAT_BINARY} {} \; 2> /dev/null | ${GREPBINARY} -v "^$" | ${AWKBINARY} '{ if ($1=="*" && $2=="hard" && $3=="core" && $4=="0") { print "hard core disabled" } else if ($1=="*" && $2=="hard" && $3=="core" && $4!="0") { print "hard core enabled" } }' | ${TAILBINARY} -1) |
| 544 |
FIND3=$(${FINDBINARY} -L "${DIR}etc/security/limits.conf" "${LIMITS_DIRECTORY}" -type f -exec ${CAT_BINARY} {} \; 2> /dev/null | ${GREPBINARY} -v "^$" | ${AWKBINARY} '{ if ($1=="*" && $2=="-" && $3=="core" && $4=="0") { print "core dumps disabled" } else if ($1=="*" && $2=="-" && $3=="core" && $4!="0") { print "core dumps enabled" } }' | ${TAILBINARY} -1) |
| 530 |
|
545 |
|
| 531 |
# When "* - core [value]" is used, then this sets both soft and core. In that case we set the values, as they the type 'hard' and 'soft' will not be present in the configuration file. |
546 |
# When "* - core [value]" is used, then this sets both soft and core. In that case we set the values, as they the type 'hard' and 'soft' will not be present in the configuration file. |
| 532 |
if [ "${FIND3}" = "core dumps disabled" ]; then |
547 |
if [ "${FIND3}" = "core dumps disabled" ]; then |
| 533 |
FIND1="soft core disabled" |
548 |
FIND1="soft core disabled" |
| 534 |
FIND2="hard core disabled" |
549 |
FIND2="hard core disabled" |
| 535 |
elif [ "${FIND3}" = "core dumps enabled" ]; then |
550 |
elif [ "${FIND3}" = "core dumps enabled" ]; then |
| 536 |
FIND1="soft core enabled" |
551 |
FIND1="soft core enabled" |
| 537 |
FIND2="hard core enabled" |
552 |
FIND2="hard core enabled" |
| 538 |
fi |
553 |
fi |
| 539 |
|
554 |
|
| 540 |
IS_SOFTCORE_DISABLED="$(if [ "${FIND1}" = "soft core disabled" ]; then ${ECHOCMD} DISABLED; elif [ "${FIND1}" = "soft core enabled" ]; then ${ECHOCMD} ENABLED; else ${ECHOCMD} DEFAULT; fi)" |
555 |
IS_SOFTCORE_DISABLED="$(if [ "${FIND1}" = "soft core disabled" ]; then ${ECHOCMD} DISABLED; elif [ "${FIND1}" = "soft core enabled" ]; then ${ECHOCMD} ENABLED; else ${ECHOCMD} ${STATUS_DEFAULT}; fi)" |
| 541 |
IS_HARDCORE_DISABLED="$(if [ "${FIND2}" = "hard core disabled" ]; then ${ECHOCMD} DISABLED; elif [ "${FIND2}" = "hard core enabled" ]; then ${ECHOCMD} ENABLED; else ${ECHOCMD} DEFAULT; fi)" |
556 |
IS_HARDCORE_DISABLED="$(if [ "${FIND2}" = "hard core disabled" ]; then ${ECHOCMD} DISABLED; elif [ "${FIND2}" = "hard core enabled" ]; then ${ECHOCMD} ENABLED; else ${ECHOCMD} ${STATUS_DEFAULT}; fi)" |
| 542 |
|
557 |
|
| 543 |
if [ "${FIND2}" = "hard core disabled" ]; then |
558 |
if [ "${FIND2}" = "hard core disabled" ]; then |
| 544 |
LogText "Result: core dumps are hard disabled" |
559 |
LogText "Result: core dumps are hard disabled" |
| 545 |
Display --indent 4 --text "- 'hard' configuration in security/limits.conf" --result "${IS_HARDCORE_DISABLED}" --color "GREEN" |
560 |
Display --indent 4 --text "- 'hard' configuration in ${DIR}etc/security/limits.conf" --result "${IS_HARDCORE_DISABLED}" --color "GREEN" |
| 546 |
if [ "${FIND1}" = "soft core disabled" ]; then |
561 |
if [ "${FIND1}" = "soft core disabled" ]; then |
| 547 |
Display --indent 4 --text "- 'soft' configuration in security/limits.conf" --result "${IS_SOFTCORE_DISABLED}" --color "GREEN" |
562 |
Display --indent 4 --text "- 'soft' configuration in ${DIR}etc/security/limits.conf" --result "${IS_SOFTCORE_DISABLED}" --color "GREEN" |
|
|
563 |
else |
| 564 |
Display --indent 4 --text "- 'soft' config in ${DIR}etc/security/limits.conf (implicit)" --result "${STATUS_DISABLED}" --color "GREEN" |
| 565 |
fi |
| 566 |
AddHP 3 3 |
| 567 |
elif [ "${FIND1}" = "soft core enabled" ] && [ "${FIND2}" = "hard core enabled" ]; then |
| 568 |
LogText "Result: core dumps (soft and hard) are enabled" |
| 569 |
Display --indent 4 --text "- 'hard' configuration in ${DIR}etc/security/limits.conf" --result "${STATUS_ENABLED}" --color "RED" |
| 570 |
Display --indent 4 --text "- 'soft' configuration in ${DIR}etc/security/limits.conf" --result "${STATUS_ENABLED}" --color "RED" |
| 571 |
ReportSuggestion "${TEST_NO}" "If not required, consider explicit disabling of core dump in /etc/security/limits.conf file" |
| 572 |
AddHP 0 3 |
| 573 |
elif [ "${FIND1}" = "soft core disabled" ]; then |
| 574 |
LogText "Result: core dumps are disabled for 'soft' ('hard'=${IS_HARDCORE_DISABLED})" |
| 575 |
Display --indent 4 --text "- 'hard' configuration in ${DIR}etc/security/limits.conf" --result "${IS_HARDCORE_DISABLED}" --color "$(if [ "${IS_HARDCORE_DISABLED}" = "ENABLED" ]; then ${ECHOCMD} RED; elif [ "${IS_HARDCORE_DISABLED}" = "DISABLED" ]; then ${ECHOCMD} GREEN; else ${ECHOCMD} WHITE; fi)" |
| 576 |
Display --indent 4 --text "- 'soft' configuration in ${DIR}etc/security/limits.conf" --result "${IS_SOFTCORE_DISABLED}" --color "GREEN" |
| 577 |
AddHP 2 3 |
| 578 |
elif [ "${FIND1}" = "soft core enabled" ] || [ "${FIND2}" = "hard core enabled" ]; then |
| 579 |
LogText "Result: core dumps are partially enabled ('hard'=${IS_HARDCORE_DISABLED}, 'soft'=${IS_SOFTCORE_DISABLED})" |
| 580 |
Display --indent 4 --text "- 'hard' configuration in ${DIR}etc/security/limits.conf" --result "${IS_HARDCORE_DISABLED}" --color "$(if [ "${IS_HARDCORE_DISABLED}" = "ENABLED" ]; then ${ECHOCMD} RED; elif [ "${IS_HARDCORE_DISABLED}" = "DISABLED" ]; then ${ECHOCMD} GREEN; else ${ECHOCMD} WHITE; fi)" |
| 581 |
Display --indent 4 --text "- 'soft' configuration in ${DIR}etc/security/limits.conf" --result "${IS_SOFTCORE_DISABLED}" --color "$(if [ "${IS_SOFTCORE_DISABLED}" = "ENABLED" ]; then ${ECHOCMD} RED; elif [ "${IS_SOFTCORE_DISABLED}" = "DISABLED" ]; then ${ECHOCMD} GREEN; else ${ECHOCMD} WHITE; fi)" |
| 582 |
AddHP 0 3 |
| 548 |
else |
583 |
else |
| 549 |
Display --indent 4 --text "- 'soft' config in security/limits.conf (implicit)" --result "${STATUS_DISABLED}" --color "GREEN" |
584 |
LogText "Result: core dumps are not explicitly disabled" |
|
|
585 |
Display --indent 4 --text "- 'hard' configuration in ${DIR}etc/security/limits.conf" --result "${IS_HARDCORE_DISABLED}" --color "WHITE" |
| 586 |
Display --indent 4 --text "- 'soft' configuration in ${DIR}etc/security/limits.conf" --result "${IS_HARDCORE_DISABLED}" --color "WHITE" |
| 587 |
ReportSuggestion "${TEST_NO}" "If not required, consider explicit disabling of core dump in ${DIR}etc/security/limits.conf file" |
| 588 |
AddHP 1 3 |
| 550 |
fi |
589 |
fi |
| 551 |
AddHP 3 3 |
|
|
| 552 |
elif [ "${FIND1}" = "soft core enabled" ] && [ "${FIND2}" = "hard core enabled" ]; then |
| 553 |
LogText "Result: core dumps (soft and hard) are enabled" |
| 554 |
Display --indent 4 --text "- 'hard' configuration in security/limits.conf" --result "${STATUS_ENABLED}" --color "RED" |
| 555 |
Display --indent 4 --text "- 'soft' configuration in security/limits.conf" --result "${STATUS_ENABLED}" --color "RED" |
| 556 |
ReportSuggestion "${TEST_NO}" "If not required, consider explicit disabling of core dump in /etc/security/limits.conf file" |
| 557 |
AddHP 0 3 |
| 558 |
elif [ "${FIND1}" = "soft core disabled" ]; then |
| 559 |
LogText "Result: core dumps are disabled for 'soft' ('hard'=${IS_HARDCORE_DISABLED})" |
| 560 |
Display --indent 4 --text "- 'hard' configuration in security/limits.conf" --result "${IS_HARDCORE_DISABLED}" --color "$(if [ "${IS_HARDCORE_DISABLED}" = "ENABLED" ]; then ${ECHOCMD} RED; elif [ "${IS_HARDCORE_DISABLED}" = "DISABLED" ]; then ${ECHOCMD} GREEN; else ${ECHOCMD} WHITE; fi)" |
| 561 |
Display --indent 4 --text "- 'soft' configuration in security/limits.conf" --result "${IS_SOFTCORE_DISABLED}" --color "GREEN" |
| 562 |
AddHP 2 3 |
| 563 |
elif [ "${FIND1}" = "soft core enabled" ] || [ "${FIND2}" = "hard core enabled" ]; then |
| 564 |
LogText "Result: core dumps are partially enabled ('hard'=${IS_HARDCORE_DISABLED}, 'soft'=${IS_SOFTCORE_DISABLED})" |
| 565 |
Display --indent 4 --text "- 'hard' configuration in security/limits.conf" --result "${IS_HARDCORE_DISABLED}" --color "$(if [ "${IS_HARDCORE_DISABLED}" = "ENABLED" ]; then ${ECHOCMD} RED; elif [ "${IS_HARDCORE_DISABLED}" = "DISABLED" ]; then ${ECHOCMD} GREEN; else ${ECHOCMD} WHITE; fi)" |
| 566 |
Display --indent 4 --text "- 'soft' configuration in security/limits.conf" --result "${IS_SOFTCORE_DISABLED}" --color "$(if [ "${IS_SOFTCORE_DISABLED}" = "ENABLED" ]; then ${ECHOCMD} RED; elif [ "${IS_SOFTCORE_DISABLED}" = "DISABLED" ]; then ${ECHOCMD} GREEN; else ${ECHOCMD} WHITE; fi)" |
| 567 |
AddHP 0 3 |
| 568 |
else |
590 |
else |
| 569 |
LogText "Result: core dumps are not explicitly disabled" |
591 |
LogText "Result: file ${DIR}etc/security/limits.conf does not exist, skipping test for this file" |
| 570 |
Display --indent 4 --text "- 'hard' configuration in security/limits.conf" --result "${IS_HARDCORE_DISABLED}" --color "WHITE" |
|
|
| 571 |
Display --indent 4 --text "- 'soft' configuration in security/limits.conf" --result "${IS_HARDCORE_DISABLED}" --color "WHITE" |
| 572 |
ReportSuggestion "${TEST_NO}" "If not required, consider explicit disabling of core dump in ${ROOTDIR}etc/security/limits.conf file" |
| 573 |
AddHP 1 3 |
| 574 |
fi |
592 |
fi |
| 575 |
else |
593 |
done |
| 576 |
LogText "Result: file ${ROOTDIR}etc/security/limits.conf does not exist, skipping test" |
|
|
| 577 |
fi |
| 578 |
|
594 |
|
| 579 |
# Sysctl option |
595 |
# Sysctl option |
| 580 |
LogText "Test: Checking sysctl value of fs.suid_dumpable" |
596 |
LogText "Test: Checking sysctl value of fs.suid_dumpable" |
|
Lines 586-603
Link Here
|
| 586 |
fi |
602 |
fi |
| 587 |
if [ "${FIND}" = "2" ]; then |
603 |
if [ "${FIND}" = "2" ]; then |
| 588 |
LogText "Result: programs can dump core dump, but only readable by root (value 2, for debugging with file protection)" |
604 |
LogText "Result: programs can dump core dump, but only readable by root (value 2, for debugging with file protection)" |
| 589 |
Display --indent 4 --text "- Checking setuid core dumps configuration" --result PROTECTED --color WHITE |
605 |
Display --indent 4 --text "- Checking setuid core dumps configuration" --result "${STATUS_PROTECTED}" --color WHITE |
| 590 |
AddHP 1 1 |
606 |
AddHP 1 1 |
| 591 |
elif [ "${FIND}" = "1" ]; then |
607 |
elif [ "${FIND}" = "1" ]; then |
| 592 |
LogText "Result: all programs can perform core dumps (value 1, for debugging)" |
608 |
LogText "Result: all programs can perform core dumps (value 1, for debugging)" |
| 593 |
Display --indent 2 --text "- Checking setuid core dumps configuration" --result DEBUG --color YELLOW |
609 |
Display --indent 2 --text "- Checking setuid core dumps configuration" --result "${STATUS_DEBUG}" --color YELLOW |
| 594 |
ReportSuggestion "${TEST_NO}" "Determine if all binaries need to be able to core dump" |
610 |
ReportSuggestion "${TEST_NO}" "Determine if all binaries need to be able to core dump" |
| 595 |
AddHP 0 1 |
611 |
AddHP 0 1 |
| 596 |
else |
612 |
else |
| 597 |
# 0 - (default) - traditional behaviour. Any process which has changed privilege levels or is execute only will not be dumped |
613 |
# 0 - (default) - traditional behaviour. Any process which has changed privilege levels or is execute only will not be dumped |
| 598 |
# https://www.kernel.org/doc/Documentation/sysctl/fs.txt |
614 |
# https://www.kernel.org/doc/Documentation/sysctl/fs.txt |
| 599 |
LogText "Result: found default option (0), no execute only program or program with changed privilege levels can dump" |
615 |
LogText "Result: found default option (0), no execute only program or program with changed privilege levels can dump" |
| 600 |
Display --indent 4 --text "- Checking setuid core dumps configuration" --result DISABLED --color GREEN |
616 |
Display --indent 4 --text "- Checking setuid core dumps configuration" --result "${STATUS_DISABLED}" --color GREEN |
| 601 |
AddHP 1 1 |
617 |
AddHP 1 1 |
| 602 |
fi |
618 |
fi |
| 603 |
fi |
619 |
fi |
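Review bot: The `Display` call for the value-1 branch on line 609 uses `--indent 2` while the sibling branches on 605 and 616 use `--indent 4`, so the DEBUG verdict renders out of line with the other rows of this test; change it to `Display --indent 4 --text "- Checking setuid core dumps configuration" --result "${STATUS_DEBUG}" --color YELLOW`. This hunk is the tail of the fs.suid_dumpable check, whose start is outside this view. If the fs.txt reference in the comment on 614 is read correctly, mode 2 only produces a dump when kernel.core_pattern is a pipe or an absolute path, so the PROTECTED verdict on 605 may deserve a `LogText` recording the current core_pattern value as well; worth confirming against that document before adding.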
|
Lines 609-633
Link Here
|
| 609 |
Register --test-no KRNL-5830 --os Linux --weight L --network NO --category security --description "Checking if system is running on the latest installed kernel" |
625 |
Register --test-no KRNL-5830 --os Linux --weight L --network NO --category security --description "Checking if system is running on the latest installed kernel" |
| 610 |
if [ ${SKIPTEST} -eq 0 ]; then |
626 |
if [ ${SKIPTEST} -eq 0 ]; then |
| 611 |
REBOOT_NEEDED=2 |
627 |
REBOOT_NEEDED=2 |
| 612 |
FILE="${ROOTDIR}var/run/reboot-required.pkgs" |
628 |
for FILE in "${ROOTDIR}var/run/reboot-required.pkgs" "${ROOTDIR}var/run/needs_restarting" |
| 613 |
LogText "Test: Checking presence ${FILE}" |
629 |
do |
| 614 |
if [ -f ${FILE} ]; then |
630 |
LogText "Test: Checking presence ${FILE}" |
| 615 |
LogText "Result: file ${FILE} exists" |
631 |
if [ -f ${FILE} ]; then |
| 616 |
FIND=$(${WCBINARY} -l < ${FILE}) |
632 |
LogText "Result: file ${FILE} exists" |
| 617 |
if [ "${FIND}" = "0" ]; then |
633 |
FIND=$(${WCBINARY} -l < ${FILE}) |
| 618 |
LogText "Result: No reboot needed (file empty)" |
634 |
if [ "${FIND}" = "0" ]; then |
| 619 |
REBOOT_NEEDED=0 |
635 |
LogText "Result: No reboot needed (file empty)" |
|
|
636 |
REBOOT_NEEDED=0 |
| 637 |
break |
| 638 |
else |
| 639 |
PKGSCOUNT=$(${WCBINARY} -l < ${FILE}) |
| 640 |
LogText "Result: reboot is needed, related to ${PKGSCOUNT} packages" |
| 641 |
for I in ${FIND}; do |
| 642 |
LogText "Package: ${I}" |
| 643 |
done |
| 644 |
REBOOT_NEEDED=1 |
| 645 |
break |
| 646 |
fi |
| 620 |
else |
647 |
else |
| 621 |
PKGSCOUNT=$(${WCBINARY} -l < ${FILE}) |
648 |
LogText "Result: file ${FILE} not found" |
| 622 |
LogText "Result: reboot is needed, related to ${PKGSCOUNT} packages" |
|
|
| 623 |
for I in ${FIND}; do |
| 624 |
LogText "Package: ${I}" |
| 625 |
done |
| 626 |
REBOOT_NEEDED=1 |
| 627 |
fi |
649 |
fi |
| 628 |
else |
650 |
done |
| 629 |
LogText "Result: file ${FILE} not found" |
|
|
| 630 |
fi |
| 631 |
|
651 |
|
| 632 |
# Check if /boot exists |
652 |
# Check if /boot exists |
| 633 |
if [ -d "${ROOTDIR}boot" ]; then |
653 |
if [ -d "${ROOTDIR}boot" ]; then |
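Review bot: In the new loop body the `for I in ${FIND}` block on 641–643 logs the line count rather than package names, because `FIND` holds the output of `wc -l` on 633 (the same value recomputed into `PKGSCOUNT` on 639); the old code had the same slip, but since the loop is being reworked here it is worth fixing. Replace it with `PKGSCOUNT=${FIND}` and `while IFS= read -r I; do LogText "Package: ${I}"; done < "${FILE}"`. Quote `"${FILE}"` in the `-f` test on 631 and the redirection on 633, since `${ROOTDIR}` is an operator-supplied prefix. Note also that the `break` on 637 stops the scan as soon as the first file exists and is empty, so an empty reboot-required.pkgs means needs_restarting is never consulted; confirm that is intended. The KRNL-5830 test body continues past this hunk.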
|
Lines 657-671
Link Here
|
| 657 |
ReportException "${TEST_NO}:1" "Can't determine kernel version on disk, need debug data" |
677 |
ReportException "${TEST_NO}:1" "Can't determine kernel version on disk, need debug data" |
| 658 |
fi |
678 |
fi |
| 659 |
elif [ -f ${ROOTDIR}boot/vmlinuz-linux ] || [ -f ${ROOTDIR}boot/vmlinuz-linux-lts ] || [ -f "$(${LSBINARY} -t ${ROOTDIR}boot/vm[l0-9]* 2> /dev/null | ${HEADBINARY} -1)" ]; then |
679 |
elif [ -f ${ROOTDIR}boot/vmlinuz-linux ] || [ -f ${ROOTDIR}boot/vmlinuz-linux-lts ] || [ -f "$(${LSBINARY} -t ${ROOTDIR}boot/vm[l0-9]* 2> /dev/null | ${HEADBINARY} -1)" ]; then |
| 660 |
if [ -f ${ROOTDIR}boot/vmlinuz-linux ]; then |
680 |
if [ -f ${ROOTDIR}boot/vmlinuz ]; then |
|
|
681 |
LogText "Result: found ${ROOTDIR}boot/vmlinuz" |
| 682 |
FOUND_VMLINUZ=${ROOTDIR}boot/vmlinuz |
| 683 |
elif [ -f ${ROOTDIR}boot/vmlinuz-linux ]; then |
| 661 |
LogText "Result: found ${ROOTDIR}boot/vmlinuz-linux" |
684 |
LogText "Result: found ${ROOTDIR}boot/vmlinuz-linux" |
| 662 |
FOUND_VMLINUZ=${ROOTDIR}boot/vmlinuz-linux |
685 |
FOUND_VMLINUZ=${ROOTDIR}boot/vmlinuz-linux |
| 663 |
elif [ -f ${ROOTDIR}boot/vmlinuz-linux-lts ]; then |
686 |
elif [ -f ${ROOTDIR}boot/vmlinuz-linux-lts ]; then |
| 664 |
LogText "Result: found ${ROOTDIR}boot/vmlinuz-linux-lts" |
687 |
LogText "Result: found ${ROOTDIR}boot/vmlinuz-linux-lts" |
| 665 |
FOUND_VMLINUZ=${ROOTDIR}boot/vmlinuz-linux-lts |
688 |
FOUND_VMLINUZ=${ROOTDIR}boot/vmlinuz-linux-lts |
|
|
689 |
elif [ -f ${ROOTDIR}boot/vmlinuz-lts ]; then |
| 690 |
LogText "Result: found ${ROOTDIR}boot/vmlinuz-lts" |
| 691 |
FOUND_VMLINUZ=${ROOTDIR}boot/vmlinuz-lts |
| 666 |
else |
692 |
else |
| 667 |
# Match on /boot/vm5.3.7 or /boot/vmlinuz-5.3.7-1-default |
693 |
# Match on items like /boot/vm5.3.7 or /boot/vmlinuz-5.3.7-1-default. Sort based on versions (-v) and then find the last item |
| 668 |
FOUND_VMLINUZ=$(${LSBINARY} -t ${ROOTDIR}boot/vm[l0-9]* 2> /dev/null | ${HEADBINARY} -1) |
694 |
# Note: ignore a rescue kernel (e.g. CentOS) |
|
|
695 |
FOUND_VMLINUZ=$(${LSBINARY} -v ${ROOTDIR}boot/vm[l0-9]* 2> /dev/null | ${GREPBINARY} -v '\-rescue\-' | ${TAILBINARY} -1) |
| 669 |
LogText "Result: found ${FOUND_VMLINUZ}" |
696 |
LogText "Result: found ${FOUND_VMLINUZ}" |
| 670 |
fi |
697 |
fi |
| 671 |
|
698 |
|
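Review bot: The `elif` guard on line 679 still selects its candidate with `ls -t … | head -1`, while the new fallback on 695 picks it with `ls -v … | grep -v '\-rescue\-' | tail -1`, so the guard can pass on a /boot that holds only a rescue kernel and leave `FOUND_VMLINUZ` empty, after which 696 logs "Result: found " with nothing behind it. Apply the same rescue filter in the guard, or check the value before logging, e.g. `if [ -z "${FOUND_VMLINUZ}" ]; then LogText "Result: no kernel image left after excluding rescue kernels"; fi`. `ls -v` (version sort) is a GNU coreutils option; on a busybox or other ls the `2> /dev/null` would hide the usage error and yield the same empty value, so a comment stating that GNU ls is assumed would help. The new `-f` tests on 680–689 pass `${ROOTDIR}boot/…` unquoted; quote them as the candidate path on 679 is.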
|
Lines 674-683
Link Here
|
| 674 |
LogText "Result: found a symlink, retrieving destination" |
701 |
LogText "Result: found a symlink, retrieving destination" |
| 675 |
FOUND_VMLINUZ=$(readlink "${FOUND_VMLINUZ}") |
702 |
FOUND_VMLINUZ=$(readlink "${FOUND_VMLINUZ}") |
| 676 |
LogText "Result: destination file is ${FOUND_VMLINUZ}" |
703 |
LogText "Result: destination file is ${FOUND_VMLINUZ}" |
| 677 |
VERSION_ON_DISK=$(echo ${FOUND_VMLINUZ} | ${SEDBINARY} 's/^vmlinuz-//') |
704 |
VERSION_ON_DISK=$(echo ${FOUND_VMLINUZ} | ${SEDBINARY} 's#^/boot/##' | ${SEDBINARY} 's/^vmlinuz-//') |
| 678 |
LogText "Result: version derived from file name is '${VERSION_ON_DISK}'" |
705 |
LogText "Result: version derived from file name is '${VERSION_ON_DISK}'" |
|
|
706 |
elif [ -f "${FOUND_VMLINUZ}" ]; then |
| 707 |
VERSION_ON_DISK=$(echo ${FOUND_VMLINUZ} | ${SEDBINARY} 's#^/boot/##' | ${SEDBINARY} 's/^vmlinuz-//' | ${SEDBINARY} '$s/-\?\(linux\)\?-\?\(lts\)\?//') |
| 708 |
LogText "Result: version derived from file name is '${VERSION_ON_DISK}'" |
| 709 |
|
| 679 |
fi |
710 |
fi |
| 680 |
|
711 |
|
|
|
712 |
# Data check: perform reset if we found a version but looks incomplete |
| 713 |
# Example: Arch Linux will return only 'linux' as its version after it discovered /boot/vmlinuz-linux |
| 714 |
case ${VERSION_ON_DISK} in |
| 715 |
"linux" | "linux-lts") |
| 716 |
LogText "Result: reset of version (${VERSION_ON_DISK}) as it looks incomplete" |
| 717 |
VERSION_ON_DISK="" |
| 718 |
;; |
| 719 |
esac |
| 720 |
|
| 721 |
# If we did not find the version yet, see if we can extract it from the magic data that 'file' returns |
| 681 |
if [ -z "${VERSION_ON_DISK}" ]; then |
722 |
if [ -z "${VERSION_ON_DISK}" ]; then |
| 682 |
LogText "Test: checking kernel version on disk" |
723 |
LogText "Test: checking kernel version on disk" |
| 683 |
NEXTLINE=0 |
724 |
NEXTLINE=0 |
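Review bot: The new sed expression on line 707 relies on the `\?` quantifier, a GNU extension to basic regular expressions, so a non-GNU sed may reject it and `VERSION_ON_DISK` would silently end up empty (which 722 then treats as "not found yet"); if portability beyond GNU sed matters, use the POSIX form `\{0,1\}` or fold `lts` into the `case` block on 714, which already resets `linux` and `linux-lts`. The `$` address in `'$s/…/'` is a no-op on single-line input and can be dropped. `echo ${FOUND_VMLINUZ}` on 704 and 707 should be `echo "${FOUND_VMLINUZ}"`, since the value is a filesystem path obtained from `readlink` or `ls`. The enclosing `if [ -L … ]` opens before line 674, outside this hunk.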
|
Lines 693-698
Link Here
|
| 693 |
done |
734 |
done |
| 694 |
fi |
735 |
fi |
| 695 |
|
736 |
|
|
|
737 |
# Last check if we finally got a version or not |
| 696 |
if [ -z "${VERSION_ON_DISK}" ]; then |
738 |
if [ -z "${VERSION_ON_DISK}" ]; then |
| 697 |
LogText "Result: could not find the version on disk" |
739 |
LogText "Result: could not find the version on disk" |
| 698 |
ReportException "${TEST_NO}:4" "Could not find the kernel version" |
740 |
ReportException "${TEST_NO}:4" "Could not find the kernel version" |
|
Lines 724-729
Link Here
|
| 724 |
done |
766 |
done |
| 725 |
# Display kernels, extract version numbers and ${SORTBINARY} them numeric per column (up to 6 numbers) |
767 |
# Display kernels, extract version numbers and ${SORTBINARY} them numeric per column (up to 6 numbers) |
| 726 |
# Ignore rescue images. Remove generic. and huge. for Slackware machines |
768 |
# Ignore rescue images. Remove generic. and huge. for Slackware machines |
|
|
769 |
# TODO: see if this can be simplified using ls -v sorting |
| 727 |
LogText "Action: checking relevant kernels" |
770 |
LogText "Action: checking relevant kernels" |
| 728 |
KERNELS=$(${LSBINARY} /boot/vmlinuz* | ${GREPBINARY} -v rescue | ${SEDBINARY} 's/vmlinuz-//' | ${SEDBINARY} 's/generic.//' | ${SEDBINARY} 's/huge.//' | ${SEDBINARY} 's/\.[a-z].*.//g' | ${SEDBINARY} 's/-[a-z].*.//g' | ${SEDBINARY} 's./boot/..' | ${SEDBINARY} 's/-/./g' | ${SORTBINARY} -n -k1,1 -k2,2 -k3,3 -k4,4 -k5,5 -k6,6 -t \.) |
771 |
KERNELS=$(${LSBINARY} /boot/vmlinuz* | ${GREPBINARY} -v rescue | ${SEDBINARY} 's/vmlinuz-//' | ${SEDBINARY} 's/generic.//' | ${SEDBINARY} 's/huge.//' | ${SEDBINARY} 's/\.[a-z].*.//g' | ${SEDBINARY} 's/-[a-z].*.//g' | ${SEDBINARY} 's./boot/..' | ${SEDBINARY} 's/-/./g' | ${SORTBINARY} -n -k1,1 -k2,2 -k3,3 -k4,4 -k5,5 -k6,6 -t \.) |
| 729 |
KERNELS_ONE_LINE=$(${ECHOCMD} ${KERNELS} | ${TRBINARY} '\n' ' ') |
772 |
KERNELS_ONE_LINE=$(${ECHOCMD} ${KERNELS} | ${TRBINARY} '\n' ' ') |
|
Lines 776-782
Link Here
|
| 776 |
# Attempt to check for Raspbian if reboot is needed |
819 |
# Attempt to check for Raspbian if reboot is needed |
| 777 |
# This check searches for apt package "raspberrypi-kernel-[package-date]", trys to extract the date of packaging from the filename |
820 |
# This check searches for apt package "raspberrypi-kernel-[package-date]", trys to extract the date of packaging from the filename |
| 778 |
# and compares that date with the currently running kernel's build date (uname -v). |
821 |
# and compares that date with the currently running kernel's build date (uname -v). |
| 779 |
# Of course there can be a time difference between kernel build and kernel packaging, therefor a time difference of |
822 |
# Of course there can be a time difference between kernel build and kernel packaging, therefore a time difference of |
| 780 |
# 3 days is accepted and it is assumed with only 3 days apart, this must be the same kernel version. |
823 |
# 3 days is accepted and it is assumed with only 3 days apart, this must be the same kernel version. |
| 781 |
if [ ${REBOOT_NEEDED} -eq 2 ] && [ -d "${APT_ARCHIVE_DIRECTORY}" ]; then |
824 |
if [ ${REBOOT_NEEDED} -eq 2 ] && [ -d "${APT_ARCHIVE_DIRECTORY}" ]; then |
| 782 |
LogText "Result: found folder ${APT_ARCHIVE_DIRECTORY}; assuming this is a debian based distribution" |
825 |
LogText "Result: found folder ${APT_ARCHIVE_DIRECTORY}; assuming this is a debian based distribution" |
|
Lines 894-897
Link Here
|
| 894 |
|
937 |
|
| 895 |
# |
938 |
# |
| 896 |
#================================================================================ |
939 |
#================================================================================ |
| 897 |
# Lynis - Copyright 2007-2020, CISOfy - https://cisofy.com |
940 |
# Lynis - Copyright 2007-2021, CISOfy - https://cisofy.com |