Good Afternoon, Just wanted to submit a new plugin file for consideration. I've been playing with it and added a few checks that might be handy.
This version includes a couple of small fixes to the DM-Crypt and Ecryptfs tests, but I also included checks for:
- libpam-tmpdir
- libpam-usb
- apt-listbugs
- apt-listchanges
- checkrestart (part of debian-goodies)
- debsecan
- debsums

Overall this feels like a more complete Debian plugin for Lynis, simply because it does more than just a couple of filesystem tests. What do you think? Are these tests worthwhile or am I going off the deep end?

--
Dave Vehrs dve...@gmail.com
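#!/bin/sh

#################################################################################
#
# Debian Tests plugin for Lynis.
#
# The helpers used below (InsertSection, Register, Display, logtext,
# logtextbreak, AddHP, ReportSuggestion) and the SKIPTEST / TEST_NO variables
# are not defined in this file; they are expected to be provided by the Lynis
# framework that loads the plugin.
#
# Review notes on this revision:
#   - Numeric comparisons use -gt / -eq. Inside [ ], "> 0" is an output
#     redirection: the test was always true and a file named "0" (or "1") was
#     created in the working directory, so the audit reported hardening that
#     was never verified.
#   - Expansions and find(1) name patterns are quoted, so empty or multi-word
#     results no longer break the test expression.
#
#################################################################################

# Add custom section to screen output
InsertSection "Debian Tests"

#################################################################################
# Constants

# Reduced list of binary directories for the Debian Tests
DEBIAN_BINPATHS="/bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin"

#################################################################################
# Start by scanning for any tools that will be required for later custom tests.
#
# This is basically a copy of the test from /usr/share/lynis/include/binaries
# with a shorter list of files to look for.
#
# Some of the files searched for here may repeat checks from the default tests,
# but they are looked up again because later tests in this file depend on the
# variables set here. The redundancy does not slow the run significantly.

# Test        : DEB-0001
# Description : Check for system binaries
# Notes       : Always perform this test, other tests depend on it
#               (there is deliberately no SKIPTEST guard).
Register --test-no DEB-0001 --weight L --network NO --description "Check for system binaries required by Debian Tests"
SCANNEDPATHS=""
N=0
Display --indent 2 --text "- Checking for system binaries that are required by Debian Tests..."
logtext "Status: Starting binary scan..."
# DEBIAN_BINPATHS is a space-separated list, so it is split on purpose.
for SCANDIR in ${DEBIAN_BINPATHS}; do
    logtext "Test: Checking binaries in directory ${SCANDIR}"
    if [ -d "${SCANDIR}" ]; then
        Display --indent 4 --text "- Checking ${SCANDIR}... " --result FOUND --color GREEN
        SCANNEDPATHS="${SCANNEDPATHS}, ${SCANDIR}"
        logtext "Directory ${SCANDIR} exists. Starting directory scanning..."
        # Glob instead of parsing `ls`, so names with whitespace stay intact.
        for BINARY in "${SCANDIR}"/*; do
            # An empty directory leaves the pattern unexpanded; skip it.
            # Dangling symlinks are still counted, as `ls` listed them.
            [ -e "${BINARY}" ] || [ -L "${BINARY}" ] || continue
            I=${BINARY##*/}
            N=$((N + 1))
            logtext "Binary: ${BINARY}"
            # A single case on the file name keeps file access to a minimum.
            # When a name exists in several directories, the last one scanned wins.
            case "${I}" in
                apt-listbugs)
                    APTLISTBUGSBINARY="${BINARY}"
                    logtext " Found known binary: apt-listbugs (System tool) - ${BINARY}" ;;
                apt-listchanges)
                    APTLISTCHANGESBINARY="${BINARY}"
                    logtext " Found known binary: apt-listchanges (System tool) - ${BINARY}" ;;
                checkrestart)
                    CHECKRESTARTBINARY="${BINARY}"
                    logtext " Found known binary: checkrestart (System tool) - ${BINARY}" ;;
                cryptmount)
                    CRYPTMOUNTFOUND=1; CRYPTMOUNTBINARY="${BINARY}"
                    logtext " Found known binary: cryptmount (Encryption tool) - ${BINARY}" ;;
                cryptsetup)
                    CRYPTSETUPFOUND=1; CRYPTSETUPBINARY="${BINARY}"
                    logtext " Found known binary: cryptsetup (Encryption tool) - ${BINARY}" ;;
                debsecan)
                    DEBSECANBINARY="${BINARY}"
                    logtext " Found known binary: debsecan (System tool) - ${BINARY}" ;;
                debsums)
                    DEBSUMSBINARY="${BINARY}"
                    logtext " Found known binary: debsums (System tool) - ${BINARY}" ;;
                ecryptfsd)
                    ECRYPTFSDFOUND=1; ECRYPTFSDBINARY="${BINARY}"
                    logtext " Found known binary: ecryptfsd (Layered Encryption) - ${BINARY}" ;;
                ecryptfs-migrate-home)
                    ECRYPTFSMIGRATEFOUND=1; ECRYPTFSMIGRATEBINARY="${BINARY}"
                    logtext " Found known binary: ecryptfs-migrate-home (Layered Encryption) - ${BINARY}" ;;
                lvdisplay)
                    LVDISPLAYBINARY="${BINARY}"
                    logtext " Found known binary: lvdisplay (LVM tool) - ${BINARY}" ;;
                mount)
                    # Log text corrected ("Fount" -> "Found") to match the other entries.
                    MOUNTBINARY="${BINARY}"
                    logtext " Found known binary: mount (File system tool) - ${BINARY}" ;;
            esac
        done
    else
        Display --indent 4 --text "- Checking ${SCANDIR}... " --result "NOT FOUND" --color WHITE
        logtext "Directory ${SCANDIR} does NOT exist."
    fi
    logtextbreak
done
# Drop the leading ", " left over from building the list.
SCANNEDPATHS=${SCANNEDPATHS#, }
logtext "Discovered directories: ${SCANNEDPATHS}"
logtext "DEB-0001 Result: found ${N} binaries"
# report "binaries_count=${N}"

#################################################################################
# Authentication modules (Tests: DEB-02xx)
Display --indent 2 --text "- Authentication:"
logtext "Status: Starting Authentication checks..."
Display --indent 4 --text "- PAM (Pluggable Authentication Modules):"

# Test        : DEB-0280
# Description : Checking if libpam-tmpdir is installed and enabled.
logtext "Status: Checking if libpam-tmpdir is installed and enabled..."
Register --test-no DEB-0280 --weight L --network NO --description "Checking if libpam-tmpdir is installed and enabled."
if [ "${SKIPTEST}" -eq 0 ]; then
    # -H lets find descend into /lib when it is itself a symlink; without it
    # nothing below the link is searched and the module is reported missing.
    FIND=$(find -H /lib -name pam_tmpdir.so)
    if [ -n "${FIND}" ]; then
        logtext " - libpam-tmpdir is installed."
        AddHP 1 1
        # Only count the module when it appears before any '#', so a
        # commented-out line is not reported as "enabled".
        FIND2=$(grep '^[^#]*pam_tmpdir\.so' /etc/pam.d/common-session)
        if [ -n "${FIND2}" ]; then
            Display --indent 6 --text "- libpam-tmpdir" --result "Installed and Enabled" --color GREEN
            logtext " - libpam-tmpdir is enabled in common-session."
            AddHP 1 1
        else
            Display --indent 6 --text "- libpam-tmpdir" --result "Installed but not Enabled" --color YELLOW
            logtext " - libpam-tmpdir is not enabled in common-session."
            AddHP 0 1
        fi
    else
        Display --indent 6 --text "- libpam-tmpdir" --result "Not Installed" --color RED
        logtext " - libpam-tmpdir is not installed."
        AddHP 0 2
        ReportSuggestion "${TEST_NO}" "Install libpam-tmpdir to set \$TMP and \$TMPDIR for PAM sessions"
    fi
fi

# Test        : DEB-0285
# Description : Checking if libpam-usb is installed and enabled.
logtext "Status: Checking if libpam-usb is installed and enabled..."
Register --test-no DEB-0285 --weight L --network NO --description "Checking if libpam-usb is installed and enabled."
if [ "${SKIPTEST}" -eq 0 ]; then
    # -H: see DEB-0280; follow /lib when it is a symlink.
    FIND=$(find -H /lib -name pam_usb.so)
    if [ -n "${FIND}" ]; then
        logtext " - libpam-usb is installed."
        AddHP 1 1
        FIND2=$(grep "^auth\s\+\(required\|sufficient\)\s\+pam_usb.so" /etc/pam.d/common-auth)
        # COUNT is the number of service profiles in /etc/pam.d, not counting
        # the shared common-* files and dpkg leftovers.
        COUNT=$(find /etc/pam.d/ -type f ! -name "common-*" ! -name "*.dpkg-old" | wc -l)
        if [ -n "${FIND2}" ]; then
            case "${FIND2}" in
                *required*)
                    Display --indent 6 --text "- libpam-usb" --result "Installed and 'required' in common-auth" --color GREEN
                    logtext " - pam_usb.so is 'required' in common-auth."
                    AddHP 1 1
                    # Add hardening points for every other profile in
                    # /etc/pam.d that benefits from the inclusion in
                    # common-auth. Points are only awarded for "required",
                    # because that demands the USB device and a password.
                    # With "sufficient" the USB device alone replaces the
                    # password, which is single-factor authentication and
                    # earns no points.
                    AddHP "${COUNT}" "${COUNT}"
                    ;;
                *)
                    Display --indent 6 --text "- libpam-usb" --result "Installed and 'sufficient' in common-auth" --color YELLOW
                    logtext " - pam_usb.so is 'sufficient' in common-auth."
                    AddHP 0 1
                    ReportSuggestion "${TEST_NO}" "Change /etc/pam.d/common-auth to make pam_usb.so be 'required' instead of 'sufficient'."
                    AddHP 0 "${COUNT}"
                    ;;
            esac
        else
            # If pam_usb.so is neither 'required' nor 'sufficient' in
            # /etc/pam.d/common-auth it may be enabled selectively per
            # profile, e.g. two-factor via USB for local sessions while
            # remote sessions rely on ssh keys.

            # COUNT2: number of profiles with a "required" statement for
            # pam_usb.so. grep -l prints each matching file once, so files
            # are counted rather than matching lines.
            COUNT2=$(find /etc/pam.d/ -type f ! -name "common-*" ! -name "*.dpkg-old" -exec grep -l "^auth\s\+required\s\+pam_usb.so" "{}" + | wc -l)
            # COUNT3: number of profiles with a "sufficient" statement.
            COUNT3=$(find /etc/pam.d/ -type f ! -name "common-*" ! -name "*.dpkg-old" -exec grep -l "^auth\s\+sufficient\s\+pam_usb.so" "{}" + | wc -l)
            # -gt, not ">": the redirection form was always true and claimed
            # 'required' coverage even when no profile used pam_usb.so.
            if [ "${COUNT2}" -gt 0 ]; then
                Display --indent 6 --text "- libpam-usb" --result "Installed and 'required' by ${COUNT2} of ${COUNT} profiles" --color GREEN
                logtext " - pam_usb.so is 'required' for ${COUNT2} of ${COUNT} profiles."
                AddHP "${COUNT2}" "${COUNT}"
            fi
            if [ "${COUNT2}" -eq 0 ] && [ "${COUNT3}" -eq 0 ]; then
                Display --indent 6 --text "- libpam-usb" --result "Installed and but not 'required' or 'sufficient' for any profiles." --color RED
                AddHP 0 "${COUNT}"
            else
                logtext " - pam_usb.so is 'sufficient' for ${COUNT3} of ${COUNT} profiles."
            fi
        fi

        # Next, test which users are configured to use pamusb.
        Display --indent 8 --text "- Users configured in /etc/pamusb.conf:"
        # Start with root. The default file ships one example entry for root,
        # so the string must be found more than once to earn a point.
        ROOT_COUNT=$(grep '<user\sid="root">' /etc/pamusb.conf | wc -l)
        if [ "${ROOT_COUNT}" -gt 1 ]; then
            Display --indent 10 --text "- root" --result "Yes" --color GREEN
            logtext " - pamusb.conf includes configuration for root."
            AddHP 1 1
        else
            Display --indent 10 --text "- root" --result "No" --color RED
            logtext " - pamusb.conf does not include configuration for root."
            AddHP 0 1
        fi
        # Accounts with UID above 500, excluding 65534.
        USERLIST=$(awk -F: '($3 > 500) && ($3 != 65534) { print $1 }' /etc/passwd)
        for U in ${USERLIST}; do
            USER_COUNT=$(grep "<user\sid=\"${U}\">" /etc/pamusb.conf | wc -l)
            if [ "${USER_COUNT}" -gt 0 ]; then
                Display --indent 10 --text "- ${U}" --result "Yes" --color GREEN
                logtext " - pamusb.conf includes configuration for ${U}."
                AddHP 1 1
            else
                Display --indent 10 --text "- ${U}" --result "No" --color RED
                logtext " - pamusb.conf does not include configuration for ${U}."
                AddHP 0 1
            fi
        done
    else
        Display --indent 6 --text "- libpam-usb" --result "Not Installed" --color RED
        logtext " - libpam-usb is not installed."
        # 10 missed hardening points is somewhat arbitrary, but is about half
        # of the points available for the profiles commonly installed in
        # /etc/pam.d on the author's test systems.
        AddHP 0 10
        ReportSuggestion "${TEST_NO}" "Install libpam-usb to enable multi-factor authentication for PAM sessions"
    fi
fi

#################################################################################
# File system (Tests: DEB-05xx)
Display --indent 2 --text "- File System Checks:"
logtext "Status: Starting file system checks..."

# Test        : DEB-0510
# Description : Checking if LVM groups or file systems are stored on encrypted
#               partitions (dm-crypt, cryptsetup & cryptmount)
Display --indent 4 --text "- DM-Crypt, Cryptsetup & Cryptmount:"
logtext "Status: Starting file system checks for dm-crypt, cryptsetup & cryptmount..."
if [ -n "${MOUNTBINARY}" ] && [ -n "${LVDISPLAYBINARY}" ] && [ -n "${CRYPTSETUPBINARY}" ]; then
    PREQS_MET="YES"
else
    PREQS_MET="NO"
fi
Register --test-no DEB-0510 --preqs-met "${PREQS_MET}" --weight L --network NO --description "Checking if LVM volume groups or file systems are stored on encrypted partitions"
if [ "${SKIPTEST}" -eq 0 ]; then
    logtext "Test: Checking file system mount points"
    # Each entry is "<source>:<mount point>" taken from columns 1 and 3 of
    # the mount output.
    # NOTE(review): the first grep pattern is a bracket expression, not an
    # alternation. It drops every line whose first character is one of the
    # listed letters, "_" or "|". Device paths start with "/" and pass, but
    # any other source beginning with one of those letters is skipped too
    # and is never scored. Left unchanged because a real alternation would
    # change which mounts are evaluated; confirm the intended filter.
    FIND=$("${MOUNTBINARY}" 2> /dev/null | grep -v "^[binfmt_misc|devpts|fusectl|hugetlbfs|none|proc|sysfs|systemd|tmpfs|udev]" | grep -v ecryptfs | awk '{ print $1 ":" $3 }')
    TESTED_LIST=""
    if [ -n "${FIND}" ]; then
        logtext "Result: found one or more file system mount points"
        for I in ${FIND}; do
            # Physical device
            PDEV=${I%:*}
            # Mount point
            MOUNTPOINT=${I#*:}

            # Test whether this physical device was already checked. Bind
            # mounts make one device appear several times in the output of
            # 'mount', and the kernel does not distinguish them from other
            # mounts. Regular file systems are generally listed before the
            # bind mounts, so without sorting the first occurrence is the one
            # that matters and later ones can be ignored.
            #
            # The match is on whole comma-delimited entries: a substring
            # match would treat /dev/sda1 as already tested once /dev/sda10
            # is on the list and silently skip it.
            case "${TESTED_LIST}," in
                *",${PDEV},"*)
                    logtext "- For ${MOUNTPOINT}: Already tested ${PDEV}, assuming bind mount and skipping."
                    continue
                    ;;
            esac

            logtext "Testing file system mount point: ${PDEV}"
            case "${PDEV}" in
                /dev/mapper/*)
                    TEST_DEVICE=$("${LVDISPLAYBINARY}" -m "${PDEV}" 2>/dev/null)
                    exitstatus=$?
                    if [ ${exitstatus} -ne 0 ]; then
                        # lvdisplay failed: some partitions are mounted
                        # through /dev/mapper without being part of an LVM
                        # group, so use the mapper path itself.
                        DEVICE=${PDEV}
                    else
                        # Take the physical volume from the lvdisplay output.
                        # The unquoted echo is intentional: it joins the
                        # output into one line, which the sed pattern needs.
                        DEVICE=$(echo ${TEST_DEVICE} | sed -e 's/.*Physical volume \(.*\) Physical.*/\1/')
                    fi
                    ;;
                *)
                    DEVICE=${PDEV}
                    ;;
            esac

            CRYPT=$("${CRYPTSETUPBINARY}" status "${DEVICE}" 2>/dev/null)
            exitstatus=$?

            # Several partitions may live in the same LVM group, and that
            # container may or may not be encrypted. Points are gained or
            # lost for each partition in the group, just as for individual
            # partitions on the drive.
            #
            # Only partitions mounted while Lynis runs are scored.
            if [ ${exitstatus} -eq 0 ]; then
                # Unquoted echo again joins the status output into one line.
                TYPE=$(echo ${CRYPT} | grep "type:" | sed -e 's/.*type: \(.*\) cipher.*/\1/')
                if [ -z "${TYPE}" ]; then
                    # Partitions mounted via cryptmount pass cryptsetup with
                    # a valid exit status and show as "active", but without
                    # type, cipher or other details.
                    #
                    # No hardening point is added because the result is only
                    # possible, not definite. The output is yellow so the
                    # user checks it manually.
                    AddHP 0 1
                    if [ -n "${CRYPTMOUNTBINARY}" ]; then
                        # cryptmount is installed, which may explain why no
                        # type could be read from cryptsetup's output.
                        Display --indent 6 --text "- Checking ${MOUNTPOINT} on ${DEVICE}" --result "Possible Cryptmount Usage" --color YELLOW
                    else
                        # cryptmount is not installed; the encryption status
                        # is uncertain and left to the user to determine.
                        Display --indent 6 --text "- Checking ${MOUNTPOINT} on ${DEVICE}" --result "Unknown Encryption Status" --color YELLOW
                    fi
                else
                    # cryptsetup succeeded and reported the encryption type.
                    AddHP 1 1
                    Display --indent 6 --text "- Checking ${MOUNTPOINT} on ${DEVICE}" --result "ENCRYPTED (Type: ${TYPE})" --color GREEN
                fi
            else
                # A non-zero exit status means the drive or partition is not
                # encrypted in a manner that cryptsetup can detect. For this
                # test it is considered not encrypted.
                if [ ! "${MOUNTPOINT}" = "/boot" ]; then
                    AddHP 0 1
                    Display --indent 6 --text "- Checking ${MOUNTPOINT} on ${DEVICE}" --result "NOT ENCRYPTED" --color WHITE
                else
                    # /boot is generally not encrypted, so no points are
                    # lost. Possible follow-ups: test that it is on its own
                    # partition, and whether it is mounted read-only.
                    logtext " - ${DEVICE} is mounted on ${MOUNTPOINT}, cannot be encrypted with DM-Crypt."
                    Display --indent 6 --text "- Checking /boot on ${DEVICE}" --result "NOT ENCRYPTED" --color WHITE
                fi
            fi
            # Add the physical device to the tested list.
            TESTED_LIST="${TESTED_LIST},${PDEV}"
        done
    else
        Display --indent 6 --text "- No file system mount points found" --result ERROR --color RED
    fi
fi

# Test        : DEB-0520
# Description : Check if user home directories are encrypted with ecryptfs
# Notes       : Ecryptfs is useful on multi-user systems. It can be configured
#               so that files in a user's home directory are only decrypted
#               while the user is logged in.
#
#               Hardening points are added according to these criteria:
#                 +1 Ecryptfs installed
#                 +1 for each user account that can be configured to use it.
if [ -n "${ECRYPTFSDBINARY}" ]; then
    PREQS_MET="YES"
else
    PREQS_MET="NO"
fi
Register --test-no "DEB-0520" --os Linux --preqs-met "${PREQS_MET}" --weight L --network NO --description "Checking for Ecryptfs"
# The else branch below also runs when the test is skipped, which is how a
# missing ecryptfsd ends up reported as "NOT INSTALLED".
if [ "${SKIPTEST}" -eq 0 ] && [ -n "${ECRYPTFSDBINARY}" ]; then
    Display --indent 4 --text "- Ecryptfs" --result INSTALLED --color GREEN
    logtext "Ecryptfs installed."
    AddHP 1 1
    logtext "Test: If user home directories are configured to use Ecryptfs"
    # One "name,home" entry per account with UID above 500, excluding 65534.
    USERLIST=$(awk -F: '($3 > 500) && ($3 != 65534) { print $1","$6 }' /etc/passwd)
    for U in ${USERLIST}; do
        ECRYPTFSHOME=1
        # NOTE(review): this overwrites the conventional USER environment
        # variable for whatever runs after this plugin in the same shell.
        USER=${U%%,*}
        HOMEDIR=${U#*,}
        logtext "USER: ${USER}"
        logtext "HOME DIR: ${HOMEDIR}"
        if [ -d "/home/.ecryptfs/${USER}" ] &&
            [ -f "/home/.ecryptfs/${USER}/.ecryptfs/auto-mount" ] &&
            [ -f "/home/.ecryptfs/${USER}/.ecryptfs/Private.mnt" ]; then
            PRIVDIR=$(cat "/home/.ecryptfs/${USER}/.ecryptfs/Private.mnt")
            logtext "PRIVATE DIR: ${PRIVDIR}"
            if [ "${HOMEDIR}" = "${PRIVDIR}" ]; then
                # Ecryptfs is installed and configured to encrypt the user's
                # entire home directory.
                logtext "Result: Home directory for ${USER} configured to use Ecryptfs"
                Display --indent 6 --text "- Home for ${USER}" --result YES --color GREEN
                AddHP 1 1
                ECRYPTFSHOME=0
            fi
        fi
        if [ "${ECRYPTFSHOME}" = 1 ]; then
            # Either a Private directory is configured but it is not the
            # user's home directory, or Ecryptfs is not set up for the user.
            logtext "Result: Ecryptfs installed but not configured for ${USER}'s home directory"
            Display --indent 6 --text "- Home for ${USER}" --result NO --color RED
            AddHP 0 1
            # Unsure if ecryptfs-migrate-home is part of all Ecryptfs
            # installations on all Linux distributions.
            if [ -n "${ECRYPTFSMIGRATEBINARY}" ]; then
                ReportSuggestion "${TEST_NO}" "As root run 'ecryptfs-migrate-home --user ${USER}' to configure Ecryptfs for user's home directory"
            else
                ReportSuggestion "${TEST_NO}" "Configure Ecryptfs for ${USER}'s home directory"
            fi
        fi
    done
else
    Display --indent 4 --text "- Ecryptfs" --result "NOT INSTALLED" --color RED
    ReportSuggestion "${TEST_NO}" "Install 'ecryptfs-utils' and configure for each user."
    # Increase the potential hardening score by 1 for each account that could
    # be configured to use Ecryptfs, plus 1 for the missing installation.
    USERCOUNT=$(awk -F: '($3 > 500) && ($3 != 65534) { print $1 }' /etc/passwd | wc -l)
    AddHP 0 $((USERCOUNT + 1))
fi

#################################################################################
# Software
Display --indent 2 --text "- Software:"
logtext "Status: Starting Software checks..."

# Test        : DEB-0810
# Description : Checking if apt-listbugs is installed and enabled.
Register --test-no "DEB-0810" --weight L --network NO --description "Checking for apt-listbugs"
if [ "${SKIPTEST}" -eq 0 ]; then
    if [ -n "${APTLISTBUGSBINARY}" ]; then
        logtext " - apt-listbugs is installed."
        AddHP 1 1
        # The pattern is quoted so the shell cannot expand it against files
        # in the current working directory before find sees it.
        FIND=$(find /etc/apt/apt.conf.d -name '*listbugs')
        if [ -n "${FIND}" ]; then
            logtext " - Apt configured to use apt-listbugs"
            Display --indent 4 --text "- apt-listbugs" --result "Installed and enabled for apt" --color GREEN
            AddHP 1 1
        else
            logtext " - Apt is not configured to use apt-listbugs"
            Display --indent 4 --text "- apt-listbugs" --result "Installed but not enabled for apt" --color YELLOW
            AddHP 0 1
            # Path corrected from "apt.comf.d" to the directory searched above.
            ReportSuggestion "${TEST_NO}" "Reinstall apt-listbugs to enabled default task in /etc/apt/apt.conf.d"
        fi
    else
        logtext " - apt-listbugs is not installed."
        Display --indent 4 --text "- apt-listbugs" --result "Not Installed" --color RED
        AddHP 0 2
        ReportSuggestion "${TEST_NO}" "Install apt-listbugs to display a list of critical bugs prior to each APT installation."
    fi
fi

# Test        : DEB-0811
# Description : Checking if apt-listchanges is installed and enabled.
Register --test-no "DEB-0811" --weight L --network NO --description "Checking for apt-listchanges"
if [ "${SKIPTEST}" -eq 0 ]; then
    if [ -n "${APTLISTCHANGESBINARY}" ]; then
        logtext " - apt-listchanges is installed."
        AddHP 1 1
        # Quoted pattern, see DEB-0810.
        FIND=$(find /etc/apt/apt.conf.d -name '*listchanges')
        if [ -n "${FIND}" ]; then
            logtext " - Apt configured to use apt-listchanges"
            Display --indent 4 --text "- apt-listchanges" --result "Installed and enabled for apt" --color GREEN
            AddHP 1 1
        else
            logtext " - Apt is not configured to use apt-listchanges"
            Display --indent 4 --text "- apt-listchanges" --result "Installed but not enabled for apt" --color YELLOW
            AddHP 0 1
            # Path corrected from "apt.comf.d" to the directory searched above.
            ReportSuggestion "${TEST_NO}" "Reinstall apt-listchanges to enabled default task in /etc/apt/apt.conf.d"
        fi
    else
        logtext " - apt-listchanges is not installed."
        Display --indent 4 --text "- apt-listchanges" --result "Not Installed" --color RED
        AddHP 0 2
        ReportSuggestion "${TEST_NO}" "Install apt-listchanges to display any significant changes prior to any upgrade via APT."
    fi
fi

# Test        : DEB-0830
# Description : Checking if checkrestart is installed.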
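# DEB-0830 scores only the presence of checkrestart, using CHECKRESTARTBINARY
# (non-empty when an earlier binary scan found the tool).
Register --test-no DEB-0830 --weight L --network NO --description "Verifying that checkrestart is installed."
if [ "${SKIPTEST}" -eq 0 ]; then
    if [ -n "${CHECKRESTARTBINARY}" ]; then
        logtext " - checkrestart is installed."
        Display --indent 4 --text "- checkrestart" --result "Installed" --color GREEN
        AddHP 1 1
    else
        logtext " - checkrestart is not installed."
        Display --indent 4 --text "- checkrestart" --result "Not Installed" --color RED
        ReportSuggestion "${TEST_NO}" "Install debian-goodies so that you can run checkrestart after upgrades to determine which services are using old versions of libraries and need restarting."
        AddHP 0 1
    fi
fi

# Test        : DEB-0870
# Description : Checking if debsecan is installed and enabled.
Register --test-no "DEB-0870" --weight L --network NO --description "Checking for debsecan"
if [ "${SKIPTEST}" -eq 0 ]; then
    if [ -n "${DEBSECANBINARY}" ]; then
        logtext " - debsecan is installed."
        AddHP 1 1
        # /etc/cron* is left unquoted on purpose so it expands to every cron
        # directory. The result is quoted in the test below: an unquoted
        # multi-path result made [ ] fail and reported "not enabled".
        FIND=$(find /etc/cron* -name debsecan)
        if [ -n "${FIND}" ]; then
            logtext " - cron job is configured for debsecan"
            Display --indent 4 --text "- debsecan" --result "Installed and enabled for cron" --color GREEN
            AddHP 1 1
        else
            logtext " - cron job is not configured for debsecan"
            Display --indent 4 --text "- debsecan" --result "Installed but not enabled for cron" --color YELLOW
            AddHP 0 1
            ReportSuggestion "${TEST_NO}" "Reinstall debsecan to enabled default task in /etc/cron.d/debsecan"
        fi
    else
        logtext " - debsecan is not installed."
        Display --indent 4 --text "- debsecan" --result "Not Installed" --color RED
        AddHP 0 2
        ReportSuggestion "${TEST_NO}" "Install debsecan to generate lists of vulnerabilities which affect this installation."
    fi
fi

# Test        : DEB-0875
# Description : Checking if debsums is installed and enabled.
Register --test-no "DEB-0875" --weight L --network NO --description "Checking for debsums"
if [ "${SKIPTEST}" -eq 0 ]; then
    if [ -n "${DEBSUMSBINARY}" ]; then
        logtext " - debsums is installed."
        AddHP 1 1
        # A default debsums installation ships scripts in /etc/cron.daily,
        # /etc/cron.weekly and /etc/cron.monthly, so the matches are counted
        # instead of comparing the find output with an empty string.
        COUNT=$(find /etc/cron* -name debsums | wc -l)
        # -gt, not ">": inside [ ] "> 0" is a redirection, which made this
        # test always true (and created a file named "0"), so debsums was
        # reported as enabled for cron even with no cron script present.
        if [ "${COUNT}" -gt 0 ]; then
            logtext " - cron jobs are configured for debsums."
            Display --indent 4 --text "- debsums" --result "Installed and enabled for cron." --color GREEN
            AddHP 1 1
        else
            logtext " - cron jobs are not configured for debsums."
            Display --indent 4 --text "- debsums" --result "Installed but not enabled for cron." --color YELLOW
            AddHP 0 1
            ReportSuggestion "${TEST_NO}" "Reinstall debsums to enabled default tasks for cron."
        fi
    else
        logtext " - debsums is not installed."
        Display --indent 4 --text "- debsums" --result "Not Installed" --color RED
        AddHP 0 2
        ReportSuggestion "${TEST_NO}" "Install debsums for the verification of installed package files against MD5 checksums."
    fi
fi

#################################################################################

logtextbreak

# Wait for keypress (unless --quick is being used)
wait_for_keypress

#EOF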