#!/bin/bash
#
# test_security
#
# collect security settings
###############################################################
#
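# System directories first so that iptables, netstat, getent etc. resolve to
# the system copies; the caller's PATH is kept at the end because
# send_test_value / send_stdin_file are not defined in this file and are
# presumably found through it.
export PATH=/sbin:/bin:/usr/sbin:/usr/bin:$PATH
# Directory of this script; the companion send_patchstatus is run from here.
MYDIR=$(dirname -- "$0")
#
# Timestamp attached to every reported value: either the first two arguments
# ("<date> <time>") or the current time in the same two-word shape.
# DT is expanded *unquoted* at every call site so that, with the default IFS,
# date and time reach send_test_value as two separate arguments - presumably
# what it expects; confirm against send_test_value before quoting it.
if (( $# >= 2 )); then
  DT="$1 $2"
else
  DT=$(date '+%F %T%:z')
fi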
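#
# /etc/sysconfig/security
#
# PERMISSION_SECURITY is the SUSE permissions profile (easy/secure/paranoid);
# the sed drops optional quotes and anything after the first word of the value.
if [[ -f /etc/sysconfig/security ]]; then
  W=$(grep '^PERMISSION_SECURITY=' /etc/sysconfig/security \
      | sed 's/.*PERMISSION_SECURITY="\?\([^ "]*\).*$/\1/')
  if [[ -n "$W" ]]; then
    # $DT is "<date> <time>" and is deliberately unquoted: two arguments.
    send_test_value Security "Settings" "Security" $DT "$W" ' '
  fi
fi
#
#
# /etc/sysconfig/kernel
#
# Modules built into the initrd.  The closing quote in the pattern is optional
# so an unquoted INITRD_MODULES=... is reduced to its value as well instead of
# being passed through as the whole line.  The value is reported even when
# empty (unlike most other settings here, there is no -n check).
if [[ -f /etc/sysconfig/kernel ]]; then
  W=$(grep '^INITRD_MODULES=' /etc/sysconfig/kernel \
      | sed 's/^INITRD_MODULES="*\([^"]*\)"*.*$/\1/')
  send_test_value Security "Settings" "initrd - Module" $DT "$W" ' '
fi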
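#
#
# CTRL-ALT-DEL
#
# Fourth field of the "ca:" entry is the command bound to Ctrl-Alt-Del
# (SysV init; the file is typically absent on systemd hosts).
if [[ -f /etc/inittab ]]; then
  W=$(grep '^ca:' /etc/inittab | cut -d ':' -f 4)
  send_test_value Security "Settings" "CTRL-ALT-DEL" $DT "$W" ' '
fi
#
#
# GRUB Password
#
# "X" when the boot loader configuration carries a password directive,
# "-" otherwise.  Leading whitespace is allowed because a generated GRUB2
# grub.cfg usually nests "set superusers=..." / "password_pbkdf2 ..." inside
# an if-block; a pattern anchored at column 0 misses that and reports "-".
#######################################
# Arguments: $1 - boot loader configuration file
# Outputs:   "X" or "-" on stdout
#######################################
grub_pwd_flag() {
  local cfg=$1
  if grep -Eq '^[[:blank:]]*(password|set[[:blank:]]+superusers)' -- "$cfg"; then
    printf '%s' 'X'
  else
    printf '%s' '-'
  fi
}
if [[ -f /boot/grub/menu.lst ]]; then
  W=$(grub_pwd_flag /boot/grub/menu.lst)
  send_test_value Security "Settings" "Grub-PWD" $DT "$W" ' '
fi
if [[ -f /boot/grub2/grub.cfg ]]; then
  W=$(grub_pwd_flag /boot/grub2/grub.cfg)
  send_test_value Security "Settings" "Grub-PWD" $DT "$W" ' '
fi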
#
#
# rights of /var/log/messages and /var/log/syslog
#
# The mode string is taken from "ls -l" on purpose: GNU ls appends a trailing
# "." (SELinux context) or "+" (ACL present) that stat's %A would not show.
for logfile in /var/log/messages /var/log/syslog; do
  [[ -f "$logfile" ]] || continue
  W=$(ls -l "$logfile" | cut -d ' ' -f 1)
  # $DT is "<date> <time>" and is deliberately unquoted: two arguments.
  send_test_value Security "Settings" "Rights of ${logfile##*/}" $DT "$W" ' '
done
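#
#
# Password - encryption
#
# Hash algorithm used for /etc/shadow as configured in /etc/default/passwd
# (SUSE; CRYPT_FILES=sha512 etc.).
if [[ -f /etc/default/passwd ]]; then
  W=$(grep '^CRYPT_FILES=' /etc/default/passwd | sed 's/CRYPT_FILES=//')
  send_test_value Security "Settings" "Password-encryption" $DT "$W" ' '
fi
#
#
# Password length
#
if [[ -f /etc/security/pam_pwcheck.conf ]]; then
  # Digits following the last "minlen=" on the password line.  Nothing is
  # required after the number, so a "minlen=8" at the very end of the line is
  # extracted too instead of the whole line being echoed.
  W=$(grep '^password:.*minlen=' /etc/security/pam_pwcheck.conf \
      | sed 's/^password:.*minlen=\([0-9]*\).*/\1/')
  if [[ -n "$W" ]]; then
    send_test_value Security "Settings" "Passwordlength" $DT "$W" ' '
  fi
  # The whole file minus comment lines, so the complete pam_pwcheck policy
  # (not just minlen) is kept.
  W=$(grep -v '^ *#' /etc/security/pam_pwcheck.conf)
  if [[ -n "$W" ]]; then
    send_test_value Security "Settings:Pam" "pam_pwcheck.conf" $DT "$W" '_'
  fi
fi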
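#
#
# Users with an empty password
#
# An empty second field in /etc/shadow means the account logs in without a
# password (locked accounts carry "!" or "*" instead); "+" lines are NIS
# compatibility entries, not accounts.  /etc/shadow is root-only, so the
# check is skipped when it cannot be read rather than spraying awk errors.
if [[ -r /etc/shadow ]]; then
  W=$(awk -F ':' '$1 != "+" && $2 == "" {print $1}' /etc/shadow)
  if [[ -n "$W" ]]; then
    send_test_value -s adm Security "Settings" "User without password" $DT "$W" ' '
  fi
fi
#
#
# /etc/login.defs
#
# FTMP_FILE (failed-login log) and UMASK, aligned into columns.  "column" is
# not part of coreutils; where it is missing the pipeline yields nothing and
# the entry is silently not reported.
if [[ -f /etc/login.defs ]]; then
  W=$(grep -E 'FTMP_FILE|UMASK' /etc/login.defs | grep -v '^#' | column -t)
  if [[ -n "$W" ]]; then
    send_test_value Security "Settings" "login.defs" $DT "$W" ' '
  fi
fi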
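#
#
# Services
#
# systemd: service units whose state column is exactly "enabled" (static,
# indirect and enabled-runtime units are not listed), ".service" stripped.
if command -v systemctl >/dev/null 2>&1; then
  W=$(systemctl list-unit-files --type=service \
      | awk '$2 == "enabled"{gsub("[.]service","");print $1}' | sort)
  if [[ -n "$W" ]]; then
    # $DT is "<date> <time>" and is deliberately unquoted: two arguments.
    send_test_value -s adm Security "Settings:Services" "systemd" $DT "$W" '_'
  fi
fi
# SysV: services that chkconfig reports as "on", and separately the
# xinetd-managed ones listed after the "inetd based services" heading
# of "chkconfig --list".
if command -v chkconfig >/dev/null 2>&1; then
  W=$(chkconfig | awk '$2 == "on"{print $1}' | sort)
  if [[ -n "$W" ]]; then
    send_test_value -s adm Security "Settings:Services" "chkconfig" $DT "$W" '_'
  fi
  #
  # chkconfig - xinetd
  W=$(chkconfig --list 2>/dev/null \
      | awk '/inetd based services/ {inet = 1};$2 == "on" && inet == 1 {print $1}' | sort)
  if [[ -n "$W" ]]; then
    send_test_value -s adm Security "Settings:Services" "xinetd" $DT "$W" '_'
  fi
fi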
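#
#
# getent passwd / group
#
# When winbind is part of the passwd/group NSS lookup (or of the PAM account
# stack) only the local files are reported - presumably to avoid enumerating
# a whole domain.  Otherwise the full NSS view is sent; beyond
# getent_max_inline bytes it goes as a file instead of an inline value.
getent_max_inline=20000
#######################################
# Report one NSS database (passwd or group), inline or as a file.
# Globals:   getent_max_inline, DT (read)
# Arguments: $1 - database name, also used as label and file stem
#######################################
send_getent_db() {
  local db=$1 out
  out=$(getent "$db" | sort)
  if (( ${#out} > getent_max_inline )); then
    # Reuse the captured output rather than querying NSS a second time.
    printf '%s\n' "$out" \
      | send_stdin_file -s adm Security "Settings:getent" "$db" $DT "$db.txt"
  elif [[ -n "$out" ]]; then
    send_test_value -s adm Security "Settings:getent" "$db" $DT "$out" '_'
  fi
}
if grep -Eq '^[[:blank:]]*(passwd|group):[[:blank:]]+.*winbind' /etc/nsswitch.conf \
   || { [[ -f /etc/pam.d/common-account ]] \
        && grep -Eq '^[[:blank:]]*account[[:blank:]]+include[[:blank:]].*winbind' \
                /etc/pam.d/common-account; }; then
  send_test_value -s adm Security "Settings:getent" "passwd" $DT "$(sort /etc/passwd)" '_'
  send_test_value -s adm Security "Settings:getent" "group" $DT "$(sort /etc/group)" '_'
else
  send_getent_db passwd
  send_getent_db group
fi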
#
#
# /etc/security/access.conf
#
# pam_access rules with comment lines dropped.
if [[ -f /etc/security/access.conf ]]; then
  W=$(grep -v '^ *#' /etc/security/access.conf)
  if [[ -n "$W" ]]; then
    # $DT is "<date> <time>" and is deliberately unquoted: two arguments.
    send_test_value -s adm Security "Settings:Pam" "access.conf" $DT "$W" '_'
  fi
fi
#
#
# Mount options
#
# Mount point and options (fields 2 and 4) of every non-comment fstab entry
# whose mount point contains /tmp, /var or /home - e.g. to spot a missing
# nodev/nosuid/noexec.
W=$(awk '$1 !~ "#" && $2 ~ "/tmp|/var|/home" {print $2, $4}' /etc/fstab)
if [[ -n "$W" ]]; then
  send_test_value -s adm Security "Settings:Mount" "fstab" $DT "$W" '_'
fi
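#
#
# xntp
#
# Configured time sources.  Only "server" lines are collected; "pool" and
# "peer" entries are not reported.
if [[ -f /etc/ntp.conf ]]; then
  W=$(grep '^server' /etc/ntp.conf | sed 's/^server //')
  if [[ -n "$W" ]]; then
    # $DT is "<date> <time>" and is deliberately unquoted: two arguments.
    send_test_value Security "Settings" "ntp" $DT "$W" ' '
  fi
fi
#
#
# VMware - Timesync
#
# Whether the guest clock is synchronised from the hypervisor (open-vm-tools).
if [[ -x /usr/bin/vmware-toolbox-cmd ]]; then
  W=$(/usr/bin/vmware-toolbox-cmd timesync status)
  if [[ -n "$W" ]]; then
    send_test_value Security "Settings" "VmWare Timesync" $DT "$W" ' '
  fi
fi
#
#
# blocked user (pam_tally)
#
# Output of the pam_tally utility (per-user failure counters); on hosts that
# use pam_tally2 or faillock instead nothing is reported here.
if command -v pam_tally >/dev/null 2>&1; then
  W=$(pam_tally)
  if [[ -n "$W" ]]; then
    send_test_value Security "Settings" "pam_tally" $DT "$W" ' '
  fi
fi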
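#
#
# /etc/ssh/sshd_config
#
# Explicitly configured value of a few sshd keywords, or a fallback when the
# keyword is not set.  Keywords are matched case-insensitively, as sshd
# itself treats them; every matching line contributes its value, so a keyword
# set twice yields two lines.  Indented lines (Match blocks) are ignored.
# The fallbacks are the compiled-in defaults of older OpenSSH releases;
# current releases default to "Protocol 2" and "PermitRootLogin
# prohibit-password", so a host relying on built-in defaults is reported
# more permissively than it really is - "sshd -T" shows the effective values.
# Nothing is reported when the file is absent or unreadable (no sshd, or not
# root) instead of sending the fallbacks as if they were real settings.
#######################################
# Arguments: $1 - sshd_config keyword, also used in the label "sshd-<keyword>"
#            $2 - value reported when the keyword is not configured
# Globals:   DT (read)
#######################################
sshd_setting() {
  local keyword=$1 fallback=$2 value
  value=$(grep -i "^$keyword" /etc/ssh/sshd_config | awk '{print $2}')
  [[ -n "$value" ]] || value=$fallback
  # $DT is "<date> <time>" and is deliberately unquoted: two arguments.
  send_test_value Security "Settings" "sshd-$keyword" $DT "$value" ' '
}
if [[ -r /etc/ssh/sshd_config ]]; then
  sshd_setting Protocol "2,1"
  sshd_setting PermitRootLogin "yes"
  sshd_setting X11Forwarding "no"
  sshd_setting UsePrivilegeSeparation "yes"
fi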
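#
#
# Postfix
#
#######################################
# Report the uncommented content of one Postfix lookup table; tables that
# do not exist are skipped instead of producing grep errors.
# Arguments: $1 - table name under /etc/postfix, also used as label
# Globals:   DT (read)
#######################################
send_postfix_map() {
  local map=$1 content
  [[ -f "/etc/postfix/$map" ]] || return 0
  content=$(grep -v '^ *#' "/etc/postfix/$map")
  if [[ -n "$content" ]]; then
    # $DT is "<date> <time>" and is deliberately unquoted: two arguments.
    send_test_value -s adm Security "Settings:Postfix" "$map" $DT "$content" '_'
  fi
}
if [[ -d /etc/postfix ]]; then
  # Relay and naming parameters that decide where outbound mail goes.
  if [[ -f /etc/postfix/main.cf ]]; then
    W=$(grep -E '^ *relayhost|^ *disable_dns_lookups|^ *myhostname' /etc/postfix/main.cf)
    if [[ -n "$W" ]]; then
      send_test_value -s adm Security "Settings:Postfix" "main.cf" $DT "$W" '_'
    fi
  fi
  send_postfix_map canonical
  send_postfix_map sender_canonical
  # Where root's mail ends up: second field of the "root:" alias.
  if [[ -f /etc/aliases ]]; then
    W=$(awk '/^ *root:/ {print $2}' /etc/aliases)
    if [[ -n "$W" ]]; then
      send_test_value -s adm Security "Settings:Postfix" "root-alias" $DT "$W" '_'
    fi
  fi
  send_postfix_map transport
fi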
#
#
# LDAP
#
# Reported only when /etc/ldap.conf carries a real base DN (the stock
# dc=example,dc=com placeholder does not count): uri, base and the
# nss_base_* mappings.
if [[ -f /etc/ldap.conf ]]; then
  ldap_base=$(awk '/^base/ && ! /dc=example,dc=com/ {print $2}' /etc/ldap.conf)
  if [[ -n "$ldap_base" ]]; then
    W=$(grep -Ei '^ *uri|^ *base|^ *nss_base_' /etc/ldap.conf)
    if [[ -n "$W" ]]; then
      # $DT is "<date> <time>" and is deliberately unquoted: two arguments.
      send_test_value -s adm Security "Settings:Ldap" "summary" $DT "$W" '_'
    fi
  fi
fi
#
#
# Kerberos
#
# Reported only when a default_realm is set that is not the EXAMPLE
# placeholder: the realm and the kdc entries, leading whitespace stripped.
if [[ -f /etc/krb5.conf ]]; then
  krb_realm=$(awk '$1 == "default_realm" && $2 == "=" && $3 !~ "EXAMPLE" { print $3 }' /etc/krb5.conf)
  if [[ -n "$krb_realm" ]]; then
    W=$(sed 's/^[[:blank:]]*//g' /etc/krb5.conf | grep -E '^default_realm|^kdc')
    if [[ -n "$W" ]]; then
      send_test_value -s adm Security "Settings:Kerberos" "summary" $DT "$W" '_'
    fi
  fi
fi
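#
#
# netstat
#
# Listening TCP sockets: local address and owning program (the -p column
# needs root), sorted numerically on the second colon-separated field.
# netstat belongs to net-tools and is absent on many current systems; the
# check is skipped then rather than failing with "command not found".
# ss(8) prints a different layout, so it is not a drop-in replacement here.
if command -v netstat >/dev/null 2>&1; then
  W=$(netstat -ntpl \
      | awk '/LISTEN/{printf("%-18s %s\n", $4, $NF)}' \
      | sort -t : -g -k 2,2 -k 4,4)
  if [[ -n "$W" ]]; then
    # $DT is "<date> <time>" and is deliberately unquoted: two arguments.
    send_test_value -s adm Security "Settings:Services" "Listen" $DT "$W" '_'
  fi
fi
#
#
# /etc/security/pam_unix2.conf
#
# pam_unix2 settings (SUSE), comment lines dropped.
if [[ -f /etc/security/pam_unix2.conf ]]; then
  W=$(grep -v '^ *#' /etc/security/pam_unix2.conf)
  if [[ -n "$W" ]]; then
    send_test_value -s adm Security "Settings:Pam" "pam_unix2" $DT "$W" '_'
  fi
fi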
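#
#
# /etc/pam.d/common-auth, common-password, common-account
#
# Uncommented lines of the shared PAM stacks (Debian/SUSE layout).  Hosts
# with the system-auth/password-auth layout (RHEL) do not have these files;
# they are skipped instead of producing grep errors.
for pamfile in common-auth common-password common-account; do
  [[ -f "/etc/pam.d/$pamfile" ]] || continue
  W=$(grep -v '^ *#' "/etc/pam.d/$pamfile")
  if [[ -n "$W" ]]; then
    # $DT is "<date> <time>" and is deliberately unquoted: two arguments.
    send_test_value -s adm Security "Settings:Pam" "$pamfile" $DT "$W" '_'
  fi
done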
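#
#
# Firewall
#
# "on" when the IPv4 filter table holds a DROP or REJECT rule, "off" when
# iptables ran but has none.  If iptables cannot be run at all (not
# installed, nftables-only host, not root) the state is unknown and nothing
# is reported - an "off" there would be a false negative.  ip6tables and
# native nftables rule sets are not inspected.
if iptables_rules=$(iptables -nL); then
  if grep -Eq 'DROP|REJECT' <<<"$iptables_rules"; then
    # $DT is "<date> <time>" and is deliberately unquoted: two arguments.
    send_test_value Security "Settings" "Firewall" $DT "on" ' '
    # Per interface, what the INPUT chain (and chains jumped to from it)
    # accepts: "all", "nothing", or the tcp/udp/multiport port lists.
    # lu[] accumulates the targets seen per chain and source: an existing
    # entry is extended, a missing one is created (the lp[] rules below use
    # the same shape) - otherwise a single ACCEPT rule is stored as " ACCEPT"
    # and never equals "ACCEPT" in END.
    send_test_value -s adm Security "Settings:Firewall" "services" $DT "$(iptables -vnL | awk ' BEGIN {
  while( 0 < getline <"/proc/net/dev" )
  { if( $1 != "lo:" && $2 ~ /[0-9]/ )
    { gsub(":", "", $1)
      iface[$1] = 1
    }
  }
  close("/proc/net/dev")
}

#
# chains[<chain>] = 1

$1 == "Chain" {
  c = $2
  if( $3 !~ /ACCEPT|LOG|DROP|TCPMSS|REJECT/ )
    chains[$2] = 1
}

#
# lu[<inputchain>:<source>] = <target>
# lp[<inputchain>:<target>:<source>:<tcp|udp|multiport>] = <ports>

$1 ~ /[0-9]+/ && $2 ~ /[0-9]+/ && c !~ /FORWARD|OUTPUT/ {
  if( $4 ~ /all|tcp|udp/ )
  { if( $10 == "" )
    { if( lu[c":"$6] )
        lu[c":"$6] = lu[c":"$6] " " $3
      else
        lu[c":"$6] = $3
    }
    else if( $10 ~ /tcp|udp/ && $11 ~ /dpt/ )
    { gsub("dpts?:", "", $11)
      if( lp[c":"$3":"$6":"$10] )
        lp[c":"$3":"$6":"$10] = lp[c":"$3":"$6":"$10] ", " $11
      else
        lp[c":"$3":"$6":"$10] = $11
    }
    else if( $10 == "multiport" && $11 == "dports" )
    { if( $4 ~ /tcp|udp/ )
        tu = $4
      else
        tu = $10
      if( lp[c":"$3":"$6":"tu] )
        lp[c":"$3":"$6":"tu] = lp[c":"$3":"$6":"tu] ", " $12
      else
        lp[c":"$3":"$6":"tu] = $12
    }
  }
}

END {
  for( f in iface )
  { if( lu["INPUT:"f] == "ACCEPT" )
      print f " all"
    else if( lu["INPUT:"f] ~ /DROP|REJECT/ )
      print f " nothing"
    else
    { n = split(lu["INPUT:"f], a)
      if( n )
      { for( i = 1; i <= n; i++ )
        { if( lp[a[i]":ACCEPT:*:tcp"] || lp[a[i]":ACCEPT:"f":tcp"] )
            print f " tcp: " lp[a[i]":ACCEPT:*:tcp"] " " lp[a[i]":ACCEPT:"f":tcp"]
          if( lp[a[i]":ACCEPT:*:udp"] || lp[a[i]":ACCEPT:"f":udp"] )
            print f " udp: " lp[a[i]":ACCEPT:*:udp"] " " lp[a[i]":ACCEPT:"f":udp"]
          if( lp[a[i]":ACCEPT:*:multiport"] || lp[a[i]":ACCEPT:"f":multiport"] )
            print f " multiport: " lp[a[i]":ACCEPT:*:multiport"] " " lp[a[i]":ACCEPT:"f":multiport"]
        }
      }
      else
      { if( lp["INPUT:ACCEPT:*:tcp"] || lp["INPUT:ACCEPT:"f":tcp"] )
          print f " tcp: " lp["INPUT:ACCEPT:*:tcp"] " " lp["INPUT:ACCEPT:"f":tcp"]
        if( lp["INPUT:ACCEPT:*:udp"] || lp["INPUT:ACCEPT:"f":udp"] )
          print f " udp: " lp["INPUT:ACCEPT:*:udp"] " " lp["INPUT:ACCEPT:"f":udp"]
        if( lp["INPUT:ACCEPT:*:multiport"] || lp["INPUT:ACCEPT:"f":multiport"] )
          print f " multiport: " lp["INPUT:ACCEPT:*:multiport"] " " lp["INPUT:ACCEPT:"f":multiport"]
      }
    }
  }
}')" '_'
  else
    send_test_value Security "Settings" "Firewall" $DT "off" ' '
  fi
fi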
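#
# Patchstatus
#
# Hand over to the companion script next to this one (MYDIR is set at the
# top); quoted so a directory with spaces still resolves.  Note that DT is not
# forwarded - presumably send_patchstatus derives its own timestamp.
"$MYDIR/send_patchstatus"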
