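#!/bin/sh

#################################################################################
#
# Lynis
# ------------------
#
# Copyright 2007-2013, Michael Boelen
# Copyright 2007-2021, CISOfy
#
# Website  : https://cisofy.com
# Blog     : http://linux-audit.com
# GitHub   : https://github.com/CISOfy/lynis
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
# See LICENSE file for usage of this software.
#
#################################################################################
#
# Printers and spools
#
# This file is sourced by the Lynis test runner, not executed on its own. It
# relies on the framework helpers used below (Register, LogText, Display,
# ReportSuggestion, AddHP, IsRunning, FileIsReadable, HasData, DirectoryExists,
# Report, WaitForKeyPress) and on ${ROOTDIR} and the *BINARY variables being
# set by the caller.
#
#################################################################################
#
    # Candidate directories for cupsd.conf; the last readable match wins (see PRNT-2306)
    CUPSD_CONFIG_LOCS="${ROOTDIR}etc/cups ${ROOTDIR}usr/local/etc/cups ${ROOTDIR}private/etc/cups"
    CUPSD_CONFIG_FILE=""
    CUPSD_RUNNING=0
    CUPSD_FOUND=0
    LPD_RUNNING=0
    # Name of the active print daemon (cups, lp or qdaemon); reported at the end of this section
    PRINTING_DAEMON=""
    QDAEMON_CONFIG_ENABLED=0
    QDAEMON_CONFIG_FILE=""
    QDAEMON_RUNNING=0
#
#################################################################################
#
    InsertSection "${SECTION_PRINTERS_AND_SPOOLS}"
#
#################################################################################
#
    # Test        : PRNT-2302
    # Description : Check printcap file consistency
    Register --test-no PRNT-2302 --os FreeBSD --weight L --network NO --category security --description "Check for printcap consistency"
    if [ "${SKIPTEST}" -eq 0 ]; then
        LogText "Test: Searching /usr/sbin/chkprintcap"
        if [ ! -f "${ROOTDIR}usr/sbin/chkprintcap" ]; then
            Display --indent 2 --text "- Checking chkprintcap" --result "${STATUS_NOT_FOUND}" --color WHITE
            LogText "Result: ${ROOTDIR}usr/sbin/chkprintcap NOT found, test skipped"
        else
            LogText "Result: ${ROOTDIR}usr/sbin/chkprintcap found"
            # Only the exit status is of interest; the tool's own stdout is discarded
            FIND=$("${ROOTDIR}usr/sbin/chkprintcap" > /dev/null; echo $?)
            # Only an exit code of zero should come back.
            # Use string instead of integer, due unexpected trash
            if [ "${FIND}" = "0" ]; then
                Display --indent 2 --text "- Integrity check of printcap file" --result "${STATUS_OK}" --color GREEN
                LogText "Result: chkprintcap did NOT gave any warnings"
            else
                Display --indent 2 --text "- Integrity check of printcap file" --result "${STATUS_WARNING}" --color RED
                ReportSuggestion "${TEST_NO}" "Run chkprintcap manually to test printcap file"
                LogText "Output from chkprintcap: ${FIND}"
                LogText "Run chkprintcap and check the ${ROOTDIR}etc/printcap file"
            fi
        fi
    fi
#
#################################################################################
#
    # Test        : PRNT-2304
    # Description : Check cupsd status
    Register --test-no PRNT-2304 --weight L --network NO --category security --description "Check cupsd status"
    if [ "${SKIPTEST}" -eq 0 ]; then
        LogText "Test: Checking cupsd status"
        if IsRunning "cupsd"; then
            Display --indent 2 --text "- Checking cups daemon" --result "${STATUS_RUNNING}" --color GREEN
            LogText "Result: cups daemon running"
            # CUPSD_RUNNING gates the remaining CUPS tests (PRNT-2306 and later)
            CUPSD_RUNNING=1; PRINTING_DAEMON="cups"
        else
            Display --indent 2 --text "- Checking cups daemon" --result "${STATUS_NOT_FOUND}" --color WHITE
            LogText "Result: cups daemon not running, cups daemon tests skipped"
        fi
    fi
#
#################################################################################
#
    # Test        : PRNT-2306
    # Description : Check CUPSd configuration file
    if [ "${CUPSD_RUNNING}" -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
    Register --test-no PRNT-2306 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check CUPSd configuration file"
    if [ "${SKIPTEST}" -eq 0 ]; then
        LogText "Test: Searching cupsd configuration file"
        # Every readable candidate is logged; the last one found becomes CUPSD_CONFIG_FILE
        for DIR in ${CUPSD_CONFIG_LOCS}; do
            if [ -f "${DIR}/cupsd.conf" ]; then
                if FileIsReadable "${DIR}/cupsd.conf"; then
                    CUPSD_CONFIG_FILE="${DIR}/cupsd.conf"
                    LogText "Result: found ${CUPSD_CONFIG_FILE}"
                fi
            fi
        done
        if HasData "${CUPSD_CONFIG_FILE}"; then
            Display --indent 2 --text "- Checking CUPS configuration file" --result "${STATUS_OK}" --color GREEN
            LogText "Result: configuration file found (${CUPSD_CONFIG_FILE})"
            CUPSD_FOUND=1
        else
            Display --indent 2 --text "- Checking CUPS configuration file" --result "${STATUS_NOT_FOUND}" --color RED
            LogText "Result: configuration file not found"
            LogText "Development: no CUPS configuration file found"
        fi
    fi
#
#################################################################################
#
    # Test        : PRNT-2307
    # Description : Check CUPSd configuration file permissions
    # TODO        : Add function
    if [ "${CUPSD_FOUND}" -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
    Register --test-no PRNT-2307 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check CUPSd configuration file permissions"
    if [ "${SKIPTEST}" -eq 0 ]; then
        LogText "Test: Checking CUPS configuration file permissions"
        # Columns 2-10 of "ls -l" are the nine rwx permission bits (owner, group, other)
        FIND=$(${LSBINARY} -l "${CUPSD_CONFIG_FILE}" | ${CUTBINARY} -c 2-10)
        LogText "Result: found ${FIND}"
        case "${FIND}" in
            # Accept owner rw/r, group r/w at most, and no access for others
            r[w-]-[r-][w-]---- )
                Display --indent 4 --text "- File permissions" --result "${STATUS_OK}" --color GREEN
                AddHP 1 1
                ;;
            * )
                Display --indent 4 --text "- File permissions" --result "${STATUS_WARNING}" --color RED
                ReportSuggestion "${TEST_NO}" "Access to CUPS configuration could be more strict."
                AddHP 1 2
                ;;
        esac
    fi
#
#################################################################################
#
    # Test        : PRNT-2308
    # Description : Check CUPS daemon network configuration
    # Notes       : Listen and SSLListen can be used
    if [ "${CUPSD_FOUND}" -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
    Register --test-no PRNT-2308 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check CUPSd network configuration"
    if [ "${SKIPTEST}" -eq 0 ]; then
        FOUND=0
        COUNT=0
        LISTEN_ADDRESS=""
        # Checking network addresses: Listen/SSLListen values without a "/" are host:port entries,
        # values containing a "/" are local socket paths and are handled separately below
        LogText "Test: Checking CUPS daemon listening network addresses"
        FIND=$(${EGREPBINARY} "^(SSL)?Listen" "${CUPSD_CONFIG_FILE}" | ${GREPBINARY} -v "/" | ${AWKBINARY} '{ print $2 }')
        for ITEM in ${FIND}; do
            LogText "Result: found network address: ${ITEM}"
            COUNT=$((COUNT + 1))
            FOUND=1
            # Keep the address itself, so a single Listen entry can be classified below
            LISTEN_ADDRESS="${ITEM}"
        done

        # Search for Port statement. Stored in its own variable: reusing FIND here used to
        # overwrite the Listen address, so the localhost comparison below never matched.
        PORT_STATEMENT=$(${EGREPBINARY} "^Port 631" "${CUPSD_CONFIG_FILE}")
        if [ -n "${PORT_STATEMENT}" ]; then
            LogText "Result: found CUPS listening on port 631 (most likely all interfaces)"
            FOUND=1
        fi

        # Check if daemon might be running on localhost
        if [ "${FOUND}" -eq 0 ]; then
            LogText "Result: CUPS does not look to be listening on a network port"
        elif [ -n "${PORT_STATEMENT}" ]; then
            # A Port statement is not bound to a specific address, so it cannot count as localhost-only
            LogText "Result: CUPS daemon running on one or more interfaces (not limited to localhost)"
            ReportSuggestion "${TEST_NO}" "Check CUPS configuration if it really needs to listen on the network"
            AddHP 1 2
        elif [ "${COUNT}" -eq 1 ]; then
            case "${LISTEN_ADDRESS}" in
                localhost:631|127.0.0.1:631|"[::1]:631")
                    LogText "Result: CUPS daemon only running on localhost"
                    AddHP 2 2
                    ;;
                *)
                    LogText "Result: CUPS daemon running on one or more interfaces (not limited to localhost)"
                    ReportSuggestion "${TEST_NO}" "Check CUPS configuration if it really needs to listen on the network"
                    AddHP 1 2
                    ;;
            esac
        else
            LogText "Result: CUPS daemon is running on several network addresses"
            ReportSuggestion "${TEST_NO}" "Check CUPS configuration if it really needs to run on several network addresses"
            AddHP 1 2
        fi

        # Checking sockets (COUNT keeps accumulating so the summary covers addresses and sockets)
        LogText "Test: Checking cups daemon listening sockets"
        FIND=$(${GREPBINARY} "^Listen" "${CUPSD_CONFIG_FILE}" | ${GREPBINARY} "/" | ${AWKBINARY} '{ print $2 }')
        for ITEM in ${FIND}; do
            LogText "Found socket address: ${ITEM}"
            COUNT=$((COUNT + 1))
        done

        if [ "${COUNT}" -eq 0 ]; then
            Display --indent 2 --text "- Checking CUPS addresses/sockets" --result "${STATUS_NONE}" --color WHITE
            LogText "Result: no addresses found on which CUPS daemon is listening"
        else
            Display --indent 2 --text "- Checking CUPS addresses/sockets" --result "${STATUS_FOUND}" --color GREEN
            LogText "Result: CUPS daemon is listening on network/socket"
        fi
    fi
#
#################################################################################
#
    # Test        : PRNT-2314
    # Description : Check lpd status
    Register --test-no PRNT-2314 --weight L --network NO --category security --description "Check lpd status"
    if [ "${SKIPTEST}" -eq 0 ]; then
        LogText "Test: Checking lpd status"
        if IsRunning "lpd"; then
            Display --indent 2 --text "- Checking lp daemon" --result "${STATUS_RUNNING}" --color GREEN
            LogText "Result: lp daemon running"
            LPD_RUNNING=1; PRINTING_DAEMON="lp"
        else
            Display --indent 2 --text "- Checking lp daemon" --result "${STATUS_NOT_RUNNING}" --color WHITE
            LogText "Result: lp daemon not running"
            AddHP 4 4
        fi
    fi
#
#################################################################################
#
    # Test        : PRNT-2316
    # Description : Check /etc/qconfig file
    Register --test-no PRNT-2316 --os AIX --weight L --network NO --category security --description "Checking /etc/qconfig file"
    if [ "${SKIPTEST}" -eq 0 ]; then
        LogText "Test: Checking ${ROOTDIR}etc/qconfig"
        QDAEMON_CONFIG_FILE="${ROOTDIR}etc/qconfig"
        # FileIsReadable sets CANREAD, which is checked on the next line
        FileIsReadable "${QDAEMON_CONFIG_FILE}"
        if [ "${CANREAD}" -eq 1 ]; then
            # Skip comment lines (starting with "*") and look for printer definitions
            FIND=$(${GREPBINARY} -v "^\*" "${QDAEMON_CONFIG_FILE}" | ${EGREPBINARY} "backend|device")
            if [ -n "${FIND}" ]; then
                LogText "Result: printers are defined in ${QDAEMON_CONFIG_FILE}"
                Display --indent 2 --text "- Checking /etc/qconfig file" --result "${STATUS_FOUND}" --color GREEN
                # Used by PRNT-2418 to decide whether a stopped qdaemon is worth a suggestion
                QDAEMON_CONFIG_ENABLED=1
            else
                LogText "Result: ${QDAEMON_CONFIG_FILE} is empty. No printers are defined"
                Display --indent 2 --text "- Checking /etc/qconfig file" --result EMPTY --color WHITE
            fi
        else
            LogText "Result: Can not read ${QDAEMON_CONFIG_FILE} (no permission)"
        fi
    fi
#
#################################################################################
#
    # Test        : PRNT-2418
    # Description : Check qdaemon printer spooler status
    Register --test-no PRNT-2418 --os AIX --weight L --network NO --category security --description "Checking qdaemon printer spooler status"
    if [ "${SKIPTEST}" -eq 0 ]; then
        LogText "Test: Checking qdaemon status"
        if IsRunning "qdaemon"; then
            LogText "Result: qdaemon daemon running"
            Display --indent 2 --text "- Checking qdaemon daemon" --result "${STATUS_RUNNING}" --color GREEN
            QDAEMON_RUNNING=1; PRINTING_DAEMON="qdaemon"
        else
            if [ "${QDAEMON_CONFIG_ENABLED}" -eq 1 ]; then
                # Printers are configured but the spooler is down: jobs will queue up
                LogText "Result: qdaemon daemon not running"
                Display --indent 2 --text "- Checking qdaemon daemon" --result "${STATUS_NOT_RUNNING}" --color RED
                ReportSuggestion "${TEST_NO}" "Activate print spooler daemon (qdaemon) in order to process print jobs"
            else
                LogText "Result: qdaemon daemon not running"
                Display --indent 2 --text "- Checking qdaemon daemon" --result "${STATUS_NOT_RUNNING}" --color WHITE
            fi
        fi
    fi
#
#################################################################################
#
    # Test        : PRNT-2420
    # Description : Checking old print jobs
    Register --test-no PRNT-2420 --os AIX --weight L --network NO --category security --description "Checking old print jobs"
    if [ "${SKIPTEST}" -eq 0 ]; then
        LogText "Test: Checking old print jobs"
        # DirectoryExists sets DIRECTORY_FOUND, which is checked on the next line
        DirectoryExists "${ROOTDIR}var/spool/lpd/qdir"
        if [ "${DIRECTORY_FOUND}" -eq 1 ]; then
            # Spaces in file names are masked so the list can be word-split in the for loop below
            FIND=$(find "${ROOTDIR}var/spool/lpd/qdir" -type f -mtime +1 2> /dev/null | ${SEDBINARY} 's/ /!space!/g')
            if HasData "${FIND}"; then
                COUNT=0
                for ITEM in ${FIND}; do
                    # printf rather than echo: file names starting with "-" must not be read as options
                    FILE=$(printf '%s\n' "${ITEM}" | ${SEDBINARY} 's/!space!/ /g')
                    LogText "Found old print job: ${FILE}"
                    COUNT=$((COUNT + 1))
                done
                LogText "Result: Found ${COUNT} old print jobs in /var/spool/lpd/qdir"
                Display --indent 4 --text "- Checking old print jobs" --result "${STATUS_FOUND}" --color YELLOW
                ReportSuggestion "${TEST_NO}" "Check old print jobs in /var/spool/lpd/qdir to prevent new jobs from being processed"
                LogText "Risk: Failed or defunct print jobs can occupy a lot of space and in some cases, prevent new jobs from being processed"
            else
                LogText "Result: Old print jobs not found in /var/spool/lpd/qdir"
                Display --indent 4 --text "- Checking old print jobs" --result "${STATUS_NONE}" --color GREEN
            fi
        fi
    fi
#
#################################################################################
#

# Record which print daemon was seen running, if any
if [ -n "${PRINTING_DAEMON}" ]; then Report "printing_daemon=${PRINTING_DAEMON}"; fi

WaitForKeyPress

#
#================================================================================
# Lynis - Security Auditing and System Hardening for Linux and UNIX - https://cisofy.com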