
/usr/lib/tiger/scripts/check_apache is in tiger 1:3.2.3-12.

This file is owned by root:root, with mode 0o755.


#!/bin/sh
#
#     tiger - A UN*X security checking system
#     Copyright (C) 2002 Javier Fernandez-Sanguino
#
#    This program is free software; you can redistribute it and/or modify
#    it under the terms of the GNU General Public License as published by
#    the Free Software Foundation; either version 2, or (at your option)
#    any later version.
#
#    This program is distributed in the hope that it will be useful,
#    but WITHOUT ANY WARRANTY; without even the implied warranty of
#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#    GNU General Public License for more details.
#
#     Please see the file `COPYING' for the complete copyright notice.
#
# check_apache - 11/25/2002 - jfs - first release
#
# The checks in this script are derived from the following references:
# Bastille's Apache module
# http://httpd.apache.org/docs-2.0/misc/security_tips.html
# http://www.intersectalliance.com/projects/ApacheConfig/index.html 
# SANS's Linux Security Checklist (item #25)
#
# 08/12/2003 - jfs - Fixed a typo in the call to SED
# 11/08/2007 - jfs - Change message calls so that they can be filtered (Debian bug #411534)
#                  - Fix the way the configuration file is handled to obtain
#                  the IP address and port (Debian bug #436904)
#
# TODO (generic)
# - include checks for problematic modules
# - analyse authenticating methods
# - analyse SSL configuration (is the certificate protected?)
# - include some more analysis of the configuration file
# - provide cross-checks for configuration (i.e. not only determine if 
#   a given directive is configured but if the current setup might 
#   be vulnerable: eg. user with a symbolic link back to the root filesystem
#
#-----------------------------------------------------------------------------
#
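TigerInstallDir="/usr/lib/tiger"

#
# Set default base directory.
# Order of preference:
#      -B option
#      TIGERHOMEDIR environment variable
#      TigerInstallDir installed location
#
# Note: ':=' also assigns TIGERHOMEDIR when it was unset or empty, so
# anything started from here sees the same default.
basedir=${TIGERHOMEDIR:=$TigerInstallDir}

# Use the argument that immediately follows the first '-B'.  (The old
# loop always took "$2", so a '-B' anywhere but first would pick the
# wrong argument, and a trailing '-B' set an empty basedir.)
want_basedir=0
for parm
do
   if [ "$want_basedir" = 1 ]; then
      basedir=$parm
      break
   fi
   case $parm in
   -B) want_basedir=1;;
   esac
done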

#
# Verify that a config file exists there, and if it does
# source it.
#
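#
# Verify that a config file exists there, and if it does
# source it.  The paths are quoted so that a base directory
# containing blanks neither breaks the test nor the 'source'.
#
[ ! -r "$basedir/config" ] && {
  echo "--ERROR-- [init002e] No 'config' file in \`$basedir'."
  exit 1
}

. "$basedir/config"

# initdefs supplies the helpers used below (haveallcmds, haveallfiles,
# message).  BASEDIR is presumably set by the config sourced just above;
# it is not defined in this script.
. "$BASEDIR/initdefs"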

#
# If run in test mode (-t) this will verify that all required
# elements are set.
#
[ "$Tiger_TESTMODE" = 'Y' ] && {
  haveallcmds GREP AWK CAT SED CUT || exit 1
  haveallfiles APACHECONFDIR BASEDIR WORKDIR || exit 1
  
  echo "--CONFIG-- [init003c] $0: Configuration ok..."
  exit 0
}

#------------------------------------------------------------------------

# Banner for this check, then bail out early if any required
# command or configured path is missing.
printf '\n%s\n' "# Checking apache configuration files..."

if ! haveallcmds GREP AWK CAT SED CUT; then
	exit 1
fi
if ! haveallfiles APACHECONFDIR BASEDIR WORKDIR; then
	exit 1
fi


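#
# apache_split_listen VALUE
#   Splits the argument of a 'Listen' directive ("port" or
#   "address:port", an IPv6 address being written as "[addr]") into the
#   globals $ipaddr and $port.  Addresses that bind every interface
#   (0.0.0.0, [::], '*') leave $ipaddr empty so the caller reports them
#   as "not bound to a specific IP address" instead of praising them.
#
apache_split_listen() {
	case "$1" in
	*:*)
		# Split on the LAST colon so "[::1]:443" gives "[::1]" / "443"
		# (the old 'cut -d : -f 2' returned ":" for that input).
		port=${1##*:}
		ipaddr=${1%:*}
		;;
	*)
		port=$1
		ipaddr=""
		;;
	esac
	case "$ipaddr" in
	0.0.0.0|'[::]'|'*')
		ipaddr=""
		;;
	esac
}

# First check if Apache is bound to use only an IP address
# NOTE(review): only httpd.conf is consulted; a 'Listen' that lives in a
# file included from it is not seen here -- confirm where the target
# platform keeps it.
if [ -f "$APACHECONFDIR/httpd.conf" ]; then
	port=""
	ipaddr=""
	# Match the directive itself (case-insensitive, leading blanks
	# allowed) and take its first argument.  Comparing $1 instead of
	# grepping '^Listen' keeps 'ListenBacklog' and commented-out lines
	# from being picked up; 'exit' stops at the first match.
	listen=$($AWK 'tolower($1) == "listen" { print $2; exit }' "$APACHECONFDIR/httpd.conf")
	[ -n "$listen" ] && apache_split_listen "$listen"
	# TODO: this check should warn only if this is a multihomed host
	# (we probably need to check this in other places so a utils function
	# 'amImultihome' might be useful)
	if [ -z "$port" ] || [ -z "$ipaddr" ]; then
		message WARN apa001w "" "The Apache server is not configured to be bound to an specific IP address."
	else
		message INFO apa001w "" "The Apache server is configured to listen only on address $ipaddr port $port."
	fi
fi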
# Now check options
# we need to do this for all possible configuration files
# Options that might be a securityrisk are FollowSymlinks, Indexes,
# FollowSymlinksIfOwnerMatch

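# Now check options
# we need to do this for all possible configuration files
# Options that might be a security risk are FollowSymlinks, Indexes,
# SymLinksIfOwnerMatch

#
# apache_check_conffile FILE
#   Walks FILE line by line, tracking which <Directory> (or
#   <DirectoryMatch>) block the current directive belongs to, and emits
#   message() calls for:
#     apa002w  '/' is not closed with 'Order Deny,Allow' + 'Deny from all',
#              or its Options are not 'None'
#     apa003i  SymLinksIfOwnerMatch enabled
#     apa004w  FollowSymLinks enabled
#     apa005w  ExecCGI enabled
#     apa006w  Indexes enabled
#   Directives are recognised by their first word, case-insensitively,
#   so 'AllowOverride Options' or an indented, commented-out 'Options'
#   no longer trigger a warning.  A '-Foo' token is skipped (it disables
#   Foo) and 'All' is expanded to FollowSymLinks, ExecCGI and Indexes.
#   Each symlink token now reports on its own; previously apa003i was
#   only given when FollowSymLinks and *IfOwnerMatch shared one line.
#   TODO: Apache 2.4 'Require all denied/granted' is not modelled, only
#   the Order/Allow/Deny style is.
#
apache_check_conffile() {
	conffile=$1
	directory="Any (default)"
	denyfirst=0
	alldenied=0
	options=""
	# Drop comment lines, indented ones included, before parsing.
	$GREP -v '^[[:space:]]*#' "$conffile" |
	while read -r line
	do
		# Tokenise the directive: $line is deliberately unquoted so the
		# shell collapses blanks; globbing is switched off meanwhile so a
		# '*' in a DirectoryMatch pattern is not expanded.
		set -f
		set -- $line
		arg=$2
		lline=$(printf '%s\n' "$line" | $AWK '{ print tolower($0) }')
		set -- $lline
		set +f
		[ $# -gt 0 ] || continue
		keyword=$1
		shift
		rest="$*"

		case "$keyword" in
		'<directory'|'<directorymatch')
			# Strip the closing '>' and surrounding quotes so that
			# <Directory "/"> is recognised as the filesystem root.
			directory=$(printf '%s\n' "$arg" | $SED -e 's/>$//' -e 's/^"//' -e 's/"$//')
			denyfirst=0
			;;
		'</directory>'|'</directorymatch>')
			# Before resetting check the '/' configuration
			if [ "$directory" = "/" ]; then
				# Secure baseline (Apache security tips): 'Order Deny,Allow'
				# followed by 'Deny from all'.  Warn when either is missing.
				# (The old test used 'alldenied -ne 0', which fired on exactly
				# that baseline and stayed quiet on 'Allow from all'.)
				if [ "$denyfirst" -ne 1 ] || [ "$alldenied" -ne 1 ]; then
					message WARN apa002w "" "There is no limitation to access filesystem locations (configuration for '/')"
				fi
				if [ "$options" != "none" ]; then
					message WARN apa002w "" "Options flag  for the filesystem should be 'None' (configuration for '/')"
				fi
			fi
			directory="Any (default)"
			denyfirst=0
			alldenied=0
			options=""
			;;
		options)
			# Lower-cased, blank-collapsed option list of this directive.
			options=$rest
			for opt in $rest
			do
				case "$opt" in
				-*) continue ;;          # '-Foo' explicitly disables Foo
				+*) opt=${opt#+} ;;      # '+Foo' enables Foo
				esac
				case "$opt" in
				all)
					# 'All' is every option except MultiViews.
					message WARN apa004w "" "$directory directory configuration permits symlink following."
					message WARN apa005w "" "$directory directory can hold executable CGI."
					message WARN apa006w "" "$directory directory will provide content listing if there are no index.html files."
					;;
				*symlinksifownermatch)
					message INFO apa003i "" "$directory directory configuration permits symlink following only if owner of the symlink matches."
					;;
				followsymlinks)
# TODO: We could try to check if there are symlinks that are going to be
# followed back to the root dir
# Sample: ln -s /etc/passwd
					message WARN apa004w "" "$directory directory configuration permits symlink following."
					;;
				execcgi)
# TODO: we could list executable files in the directory
					message WARN apa005w "" "$directory directory can hold executable CGI."
					;;
				indexes)
#  TODO we could check which directories do not have an index.html file
					message WARN apa006w "" "$directory directory will provide content listing if there are no index.html files."
					;;
				esac
			done
			;;
		order)
			# Some more parsing for configuration (checked when the
			# Directory is closed)
			denyfirst=0
			[ "$rest" = "deny,allow" ] && denyfirst=1
			;;
		deny)
			[ "$rest" = "from all" ] && alldenied=1
			;;
		allow)
			[ "$rest" = "from all" ] && alldenied=0
			;;
		esac
	done
}

for file in "$APACHECONFDIR"/*.conf
do
	# An unmatched glob leaves the pattern itself in $file.
	[ -f "$file" ] || continue
	apache_check_conffile "$file"
done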