File: classique.test

#!/bin/sh
################################################################################
#                                                                              #
#   Copyright (C) 2008-2012 LABBE Corentin <corentin.labbe@geomatys.fr>
#
#    YASAT is free software: you can redistribute it and/or modify
#    it under the terms of the GNU General Public License as published by
#    the Free Software Foundation, either version 3 of the License, or
#    (at your option) any later version.
#
#    YASAT is distributed in the hope that it will be useful,
#    but WITHOUT ANY WARRANTY; without even the implied warranty of
#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#    GNU General Public License for more details.
#
#    You should have received a copy of the GNU General Public License
#    along with YASAT.  If not, see <http://www.gnu.org/licenses/>.
#                                                                              #
################################################################################

# Section banner for this group of checks.
Title "Check common problems"

#TODO check TMOUT in /etc/profile and ~/.kde/share/config/kdesktoprc

# Look for a umask setting in the usual shell/login configuration files and
# compare it with the value this audit expects (027).
# FindValueOf is defined elsewhere; this code only relies on it leaving the
# value it found (if any) in RESULTAT.
# The comparison is an exact string match, so every other mask, including a
# stricter one such as 077, goes through the WARNING branch.
UMASK_POSSIBLE_LOCATION='/etc/profile /etc/bashrc /etc/login.defs'
for TMP_FILE in $UMASK_POSSIBLE_LOCATION
do
	# Files that do not exist on this system are skipped without output.
	[ -e "$TMP_FILE" ] || continue
	FindValueOf "$TMP_FILE" umask JUSTTEST INSENSITIVE
	# No umask found in this file: nothing is displayed for it.
	[ -n "$RESULTAT" ] || continue
	case "$RESULTAT" in
		027)
			Display --indent 2 --text "umask in $TMP_FILE" --result GOOD --color GREEN
			;;
		*)
			Display --indent 2 --text "bad umask ($RESULTAT) in $TMP_FILE (not 027)" --result WARNING --color RED --advice UMASK_NOT027
			;;
	esac
done

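# Check the pam_limits configuration for two hardening settings:
#   - a hard nproc limit (fork bomb mitigation)
#   - a hard core limit of 0 (no core dumps)
# Display is defined elsewhere. The matching "core" lines are also written to
# ${TEMPYASATDIR}/limits.tmpresult.
# NOTE(review): assumes TEMPYASATDIR is set and is a private directory created
# by the caller; with an empty value the result file would land in / - confirm.
if [ -e "/etc/security/limits.conf" ] || [ -e "/etc/security/limits.d" ]
then
	Display --indent 2 --text "/etc/security/limits.conf" --result FOUND --color GREEN
	#check for fork bomb prevention (hard nproc)
	#TODO for the moment just check if a rule is present (or not), need more analysis
	# NOTE(review): in limits.conf a type of "-" sets both the soft and the hard
	# limit; such a rule does not contain the word "hard" and is not seen here.
	# The first grep drops comment lines; the next two keep lines that mention
	# both "hard" and "nproc" anywhere on the line.
	if grep -rivh '^[[:space:]]*#' /etc/security/limits.* | grep hard | grep -q nproc
	then
		Display --indent 4 --text "Limit for nproc" --result FOUND --color GREEN
	else
		Display --indent 4 --text "Limit for nproc" --result NOTFOUND --color ORANGE --advice NO_FORK_BOMB_PREVENTION
	fi
	TMP_RESULT="${TEMPYASATDIR}/limits.tmpresult"
	# Same filter for "core"; runs of whitespace are squeezed to one space.
	grep -rivh '^[[:space:]]*#' /etc/security/limits.* | grep hard | grep core |
		sed 's/[[:space:]][[:space:]]*/ /g' > "${TMP_RESULT}"
	# Some wc implementations pad the count with blanks; strip them so the
	# quoted numeric tests below are safe.
	NBLINE="$(wc -l < "${TMP_RESULT}" | tr -d '[:space:]')"
	if [ "${NBLINE:-0}" -eq 0 ]
	then
		Display --indent 4 --text "Limit for core" --result NOTFOUND --color ORANGE --advice LIMITS_NO_CORE_RESTRICTION
	elif [ "$NBLINE" -ge 2 ]
	then
		Display --indent 4 --text "Limit for core" --result MULTIPLE --color RED --advice GLOBAL_MULTIPLE_DECLARATIONS
	else
		# Fields are: domain type item value. awk is used instead of
		# "cut -d' ' -f4" because an indented rule keeps one leading space
		# after the sed above, which shifted every field by one and made the
		# check read the item name instead of the value.
		COREVALUE="$(awk '{ print $4 }' "${TMP_RESULT}")"
		if [ "$COREVALUE" = '0' ]
		then
			Display --indent 4 --text "Limit for core = $COREVALUE" --result FOUND --color GREEN
		else
			Display --indent 4 --text "Limit for core = $COREVALUE" --result NOTFOUND --color ORANGE --advice LIMITS_NO_CORE_RESTRICTION
		fi
	fi
else
	Display --indent 2 --text "/etc/security/limits.conf" --result NOTFOUND --color BLUE
fi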

#if [ -e /etc/hosts.equiv ]
#then
#	Display --indent 2 --text "/etc/hosts.equiv" --result WARNING --color RED --advice TODO
#fi

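# Linux only: report whether processes that changed privileges (set-user-ID
# programs) may write core dumps, based on the fs.suid_dumpable sysctl.
# The kernel default is 0 (no such dumps); any other value enables them in
# some form and is reported with the SUID_COREDUMPABLE advice.
if [ "$OS_TYPE" = 'Linux' ] ;then
	#Check coredump for suid
	# sysctl prints "name = value"; the sed keeps only what follows the "=".
	# Errors are appended to ERROR_OUTPUT_FILE (defined elsewhere); fall back to
	# /dev/null so an unset variable cannot break the redirection.
	SUID_DUMP="$(sysctl fs.suid_dumpable 2>> "${ERROR_OUTPUT_FILE:-/dev/null}" | sed 's/^.*=[[:space:]]*//')"
	case "$SUID_DUMP" in
		''|*[!0-9]*)
			# Empty or non-numeric output: the state is not known. Previously a
			# non-numeric value made the numeric test fail and was shown as YES.
			Display --indent 2 --text "SUID Coredumpable" --result UNKNOW --color BLUE
			;;
		*)
			if [ "$SUID_DUMP" -eq 0 ] ; then
				Display --indent 2 --text "SUID Coredumpable" --result NO --color GREEN
			else
				Display --indent 2 --text "SUID Coredumpable" --result YES --color ORANGE --advice SUID_COREDUMPABLE
			fi
			;;
	esac
fi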

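#check minimal password length
# Reads PASS_MIN_LEN from /etc/login.defs through FindValueOf (defined
# elsewhere, result in RESULTAT) and accepts only values of 8 or more.
# NOTE(review): on PAM-based systems the effective minimum length is usually
# enforced by the PAM password stack rather than by login.defs - confirm that
# this value is the one actually applied on the audited host.
# The misspelling "lenght" in the Display text and in the advice key is kept
# byte for byte because both are read at runtime.
if [ -e /etc/login.defs ] ;then
	FindValueOf /etc/login.defs PASS_MIN_LEN JUSTTEST
	case "$RESULTAT" in
		'')
			Display --indent 2 --text "Minimum password lenght" --result NOTSET --color RED --advice  PASSWORD_MIN_LENGHT
			;;
		*[!0-9]*)
			# Not a plain number. The unquoted numeric test used before failed on
			# such a value and fell through to the GREEN branch; report it instead.
			Display --indent 2 --text "Minimum password lenght" --result "$RESULTAT" --color RED --advice PASSWORD_MIN_LENGHT
			;;
		*)
			if [ "$RESULTAT" -le 7 ]
			then
				Display --indent 2 --text "Minimum password lenght" --result "$RESULTAT" --color RED --advice PASSWORD_MIN_LENGHT
			else
				Display --indent 2 --text "Minimum password lenght" --result "$RESULTAT" --color GREEN
			fi
			;;
	esac
fi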

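#Check PATH
# Report every PATH entry that is not on the short list of expected system
# directories. Compared with parsing the output of `export`:
#   - PATH is read directly, so no unquoted grep pattern is exposed to globbing
#   - empty entries (leading, trailing or doubled ":"), which mean "current
#     directory", are reported instead of being lost when ":" became a space
#   - every allowed directory is anchored at both ends and matched
#     case-sensitively, so a look-alike such as /usr/sbin-old or a path that
#     merely contains the gcc-bin prefix is no longer accepted
#   - entries with ".." components are always reported, because an allowed
#     prefix followed by ".." can resolve to a different directory
PATHVALUE="$PATH"
# The trailing ":" terminates the last entry so the loop also sees an empty one.
PATH_REST="${PATHVALUE}:"
while [ -n "$PATH_REST" ]
do
	directory="${PATH_REST%%:*}"
	PATH_REST="${PATH_REST#*:}"
	case "$directory" in
		'')
			Display --indent 2 --text "PATH contains an empty entry (current directory)" --result UNKNOWN --color ORANGE --advice PATH_UNKNOWN
			continue
			;;
		*/../*|*/..)
			Display --indent 2 --text "PATH $directory" --result UNKNOWN --color ORANGE --advice PATH_UNKNOWN
			continue
			;;
	esac
	# grep -v prints the entry only when it matches none of the allowed
	# directories; relative entries such as "." are therefore reported too.
	if [ -n "$(printf '%s\n' "$directory" | grep -vE '^(/usr/local/sbin|/usr/local/bin|/bin|/sbin/*|/usr/bin/*|/usr/sbin/*|/usr/x86_64-pc-linux-gnu/gcc-bin/.*)$')" ]
	then
		Display --indent 2 --text "PATH $directory" --result UNKNOWN --color ORANGE --advice PATH_UNKNOWN
	fi
done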

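#TODO LD_PRELOAD and other library stuffs
# Report library directories listed in /etc/ld.so.conf that are not on the
# list of expected locations. prepare_generic_conf and Display are defined
# elsewhere; the prepared copy is written to ${TEMPYASATDIR}/ldsoconf.
# Lines starting with "include" are dropped, so directories that come from
# included files are not examined by this loop (unless prepare_generic_conf
# expands them, which is not visible here).
# NOTE(review): several patterns below are anchored only at the start
# (for example '^/usr/kde/3.5/lib'), so any path beginning with that text is
# accepted; '^/lib/[a-zA-Z0-9_]-linux-gnu' appears twice and allows a single
# character before "-linux-gnu", unlike the /usr/lib variant. The patterns are
# left unchanged here - see the TODO.
if [ -e /etc/ld.so.conf ]
then
	Display --indent 2 --text "/etc/ld.so.conf" --result FOUND --color GREEN
	TMP_RESULT="${TEMPYASATDIR}/ldsoconf"
	prepare_generic_conf /etc/ld.so.conf "$TMP_RESULT" 2> /dev/null
	grep -v '^include' "$TMP_RESULT" |
	# read -r keeps backslashes literal; the default IFS still trims leading
	# and trailing blanks as before.
	while read -r line
	do
		# TODO must use more better regex
		# printf with a quoted argument: the line is no longer subject to word
		# splitting and pathname expansion before it reaches grep.
		if [ -n "$(printf '%s\n' "$line" |
			grep -v '^/lib$' | grep -v '^/usr/lib$' | grep -v '^/usr/local/lib$' |
			grep -v '^/usr/kde/3.5/lib' | grep -v '^/usr/qt/[0-9]/lib' | grep -v '^/usr/[a-zA-Z0-9_]*-pc-linux-gnu/lib' |
			grep -v '^/usr/lib[64]*/[a-zA-Z0-9]*/*$' | grep -v '^/usr/lib64/openais$' |
			grep -v '^/*/usr/lib/opengl/xorg-x11/lib' | grep -v '^/lib/[a-zA-Z0-9_]-linux-gnu' |
			grep -v '^/*/lib/x86_64-linux-gnu' | grep -v '^/lib/[a-zA-Z0-9_]-linux-gnu' |
			grep -v '^/usr/lib/[a-zA-Z0-9_]*-linux-gnu')" ]
		then
			Display --indent 4 --text "Unknown lib location $line" --result FOUND --color ORANGE --advice LD_SO_CONF_UNK_LIB
		fi
	done
fi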

# Everything after this point runs only when SCANTYPE is exactly "FULL";
# otherwise a SKIP line is displayed and the file stops here.
# `return` is used at top level rather than `exit`, so this file is presumably
# sourced by its caller.
case "$SCANTYPE" in
	FULL)
		;;
	*)
		Display --indent 2 --text "Sanity files checks" --result SKIP --color BLUE --advice GLOBAL_SKIPPED_LONG_TESTS
		return 1
		;;
esac

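# Long test: list files that find reports as having no owner (-nouser).
# The list is stored in ${TEMPYASATDIR}/files_without_owner; when it holds at
# most 10 entries each file is displayed with the output of stat.
# NOTE(review): assumes TEMPYASATDIR is a private directory created by the
# caller - confirm. File names containing a newline count as several entries.
TMP_RESULT="${TEMPYASATDIR}/files_without_owner"
echo '  Checking file without owner (long test)'
find / -nouser 2> /dev/null > "$TMP_RESULT"
# Strip the padding some wc implementations add so the quoted tests are safe.
RESULTAT="$(wc -l < "$TMP_RESULT" | tr -d '[:space:]')"
if [ "${RESULTAT:-0}" -eq 0 ]
then
	Display --indent 4 --text "No file without owner" --result OK --color GREEN
else
	Display --indent 4 --text "$RESULTAT files have no owner" --result WARNING --color RED --advice FILES_WITHOUT_OWNER
	if [ "$RESULTAT" -le 10 ]
	then
		# IFS= and -r keep each path exactly as find printed it; "$line" is
		# quoted so a name with blanks or glob characters reaches stat intact.
		# STAT_USER (defined elsewhere) stays unquoted: presumably it carries
		# the stat option and its format as separate words - confirm.
		while IFS= read -r line
		do
			Display --indent 4 --text "$line" --result "$(stat $STAT_USER "$line")" --color RED
		done < "$TMP_RESULT"
	fi
fi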


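# Long test: list files that find reports as having no group (-nogroup).
# The list is stored in ${TEMPYASATDIR}/files_without_group; when it holds at
# most 10 entries each file is displayed with the output of stat.
# NOTE(review): assumes TEMPYASATDIR is a private directory created by the
# caller - confirm. File names containing a newline count as several entries.
TMP_RESULT="${TEMPYASATDIR}/files_without_group"
echo '  Checking file without group (long test)'
find / -nogroup 2> /dev/null > "$TMP_RESULT"
# Strip the padding some wc implementations add so the quoted tests are safe.
RESULTAT="$(wc -l < "$TMP_RESULT" | tr -d '[:space:]')"
if [ "${RESULTAT:-0}" -eq 0 ]
then
	Display --indent 4 --text "No file without group" --result OK --color GREEN
else
	Display --indent 4 --text "$RESULTAT files have no group" --result WARNING --color RED --advice FILES_WITHOUT_GROUP
	if [ "$RESULTAT" -le 10 ]
	then
		# IFS= and -r keep each path exactly as find printed it; "$line" is
		# quoted so a name with blanks or glob characters reaches stat intact.
		# STAT_GROUP (defined elsewhere) stays unquoted: presumably it carries
		# the stat option and its format as separate words - confirm.
		while IFS= read -r line
		do
			Display --indent 4 --text "$line" --result "$(stat $STAT_GROUP "$line")" --color RED
		done < "$TMP_RESULT"
	fi
fi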

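# Long test: list everything except symbolic links whose mode matches PERM_OW
# (defined elsewhere), leaving out /proc, /selinux and /dev.
# The list is stored in ${TEMPYASATDIR}/world.others; when it holds at most 20
# entries each file is displayed with the output of stat.
# NOTE(review): assumes TEMPYASATDIR is a private directory created by the
# caller - confirm. File names containing a newline count as several entries.
TMP_RESULT="${TEMPYASATDIR}/world.others"
echo '  Checking file with write to others (long test)'
# The exclusion is anchored on a full path component. The former patterns
# ('^/proc', '^/selinux', '^/dev') also hid any path that merely started with
# that text, for example a directory named /devel.
# PERM_OW stays unquoted as in the original; its value is not visible here.
find / -perm $PERM_OW ! -type l 2> /dev/null | grep -vE '^/(proc|selinux|dev)(/|$)' > "$TMP_RESULT"

# Strip the padding some wc implementations add so the quoted tests are safe.
RESULTAT="$(wc -l < "$TMP_RESULT" | tr -d '[:space:]')"
if [ "${RESULTAT:-0}" -eq 0 ]
then
	Display --indent 4 --text "No file with others write access" --result OK --color GREEN
else
	Display --indent 4 --text "$RESULTAT files have others write access" --result WARNING --color RED
	if [ "$RESULTAT" -le 20 ]
	then
		# IFS= and -r keep each path exactly as find printed it; "$line" is
		# quoted so a name with blanks or glob characters reaches stat intact.
		# STAT_RIGHT (defined elsewhere) stays unquoted: presumably it carries
		# the stat option and its format as separate words - confirm.
		while IFS= read -r line
		do
			Display --indent 4 --text "$line" --result "$(stat $STAT_RIGHT "$line")" --color RED
		done < "$TMP_RESULT"
	fi
fi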