Health Check Oracle iPlanet Web Server

Two files:
1) HealthCheck.sh
2) HC.config

HealthCheck.sh:

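#!/usr/bin/ksh
#
# HealthCheck.sh - Oracle iPlanet Web Server health check (AK.1.2.x controls).
#
# Sources its settings from hc.config (path overridable via HC_CONFIG), writes a
# PASS/FAIL report for each check to $RESULT_OUTPUT and mails that report.
#
# Config variables read: IPLANET_ROOT, IPLANET_USER, IPLANET_GROUP,
#   WEB_INSTANCES, WEB_INSTANCES_secure, RESULT_OUTPUT, SUDOERS_FILE,
#   EXPLOIT_CGI, SSLREQ, ERRCHK, plus the optional overrides declared below.
# Exit status: 1 when the config file or the instance list cannot be read;
#   otherwise 0.  Findings are reported in the file and on stdout, not through
#   the exit status.

# Command trace to stderr, kept from the original script; it is not part of
# the mailed report.
set -x

# NOTE(review): the config is sourced relative to the current directory, so
# whatever ./hc.config contains there is executed.  The companion file is
# listed as HC.config; on a case-sensitive filesystem the two names must match.
HC_CONFIG=${HC_CONFIG:-./hc.config}
if [ ! -r "${HC_CONFIG}" ]; then
  echo "HealthCheck.sh: cannot read config file ${HC_CONFIG}" >&2
  exit 1
fi
. "${HC_CONFIG}"

: "${RESULT_OUTPUT:?must be set in ${HC_CONFIG}}"
: "${WEB_INSTANCES:?must be set in ${HC_CONFIG}}"
: "${IPLANET_ROOT:?must be set in ${HC_CONFIG}}"
: "${IPLANET_USER:?must be set in ${HC_CONFIG}}"
: "${IPLANET_GROUP:?must be set in ${HC_CONFIG}}"
ERRCHK=${ERRCHK:-0}

# Without the instance list every per-instance check would silently pass
# (the original ran "cat" on it and reported an empty PASS / "FAIL: none").
if [ ! -r "${WEB_INSTANCES}" ]; then
  echo "HealthCheck.sh: cannot read instance list ${WEB_INSTANCES}" >&2
  exit 1
fi

# Optional overrides (may be set in the config); the defaults are the values
# the original script hard-coded.
# Mode required of regular files under each instance's config directory.  The
# original tested exactly 600 while its messages said 740 and 640; the tested
# mode now drives both the check and the remediation text.
CONFIG_PERM=${CONFIG_PERM:-600}
# Directory searched for known-exploitable CGI programs (the same directory for
# every instance, as in the original, whose per-instance docroot lookup was
# commented out).
CGI_BIN_DIR=${CGI_BIN_DIR:-/usr/netscape/suitespot/bin}
# Recipient and subject of the mailed report.
HC_MAILTO=${HC_MAILTO:-supportemail@company.com}
HC_MAIL_SUBJECT=${HC_MAIL_SUBJECT:-"LPAR102 HealthCheck"}

# A literal newline, used to join multi-line findings.
NL='
'

#######################################
# Append one line to the report file.
# Arguments: the words of the line (none = blank line)
#######################################
function out {
  echo "$@" >> "${RESULT_OUTPUT}"
}

#######################################
# Write the PASS/FAIL lines for one check.
# Arguments: $1 - space-led list of passing instances
#            $2 - space-led list of failing instances
#            $3.. - remediation lines, written only when $2 is non-empty
#######################################
function report_result {
  typeset good="$1" bad="$2" line
  shift 2
  out "PASS:${good}"
  if [ -z "${bad}" ]; then
    out "FAIL: none"
  else
    out "FAIL:${bad}"
    for line in "$@"; do
      out "${line}"
    done
  fi
}

#######################################
# Print the document root configured for an instance (empty if not found).
# Arguments: $1 - instance name
# NOTE(review): assumes a server.xml line whose third field is
#   value="/path"/>  (e.g. <property name="docroot" value="/path"/>) -- TODO
#   confirm against an actual server.xml on the host.
#######################################
function get_docroot {
  grep docroot "${IPLANET_ROOT}/https-$1/config/server.xml" 2>/dev/null \
    | awk '{print $3}' \
    | sed -e 's/value=//g' -e 's/>//g' -e 's,/$,,' -e 's/"//g' \
    | head -1
}

# Start a fresh report.  The file lists security findings for this host, so
# create it readable by the running account only.
rm -f "${RESULT_OUTPUT}"
umask 077
: > "${RESULT_OUTPUT}"
out "$(date)"
out "$(hostname)"

out "AK.1.2.1"
out
out "Resource Access Logs"
out
out "Checking config files for logging entries..."

GOOD=
BAD=
while read -r inst; do
  [ -z "${inst}" ] && continue
  # Substring match: any "accesslog" text, even in a commented-out element,
  # counts as logging enabled.
  if grep accesslog "${IPLANET_ROOT}/https-${inst}/config/server.xml" > /dev/null 2>&1; then
    GOOD="${GOOD} ${inst}"
  else
    ERRCHK=1
    BAD="${BAD} ${inst}"
  fi
done < "${WEB_INSTANCES}"
report_result "${GOOD}" "${BAD}" \
  "For failed sites, please turn on transaction logging in server.xml"
out

out "AK.1.2.2"
out
out "Webserver Administrator"
# stdin from /dev/null so passwd can never prompt.  The original redirected
# from a non-existent file, which made the shell skip the command entirely
# and always report logins as allowed.  The script treats "LK" in the status
# output as "locked".
LOGIN_CHECK=$(passwd -s "${IPLANET_USER}" < /dev/null | grep LK)
if [ -z "${LOGIN_CHECK}" ]; then
  out "The '${IPLANET_USER}' userid has remote logins allowed. Not a violation, but disable if possible."
else
  out "The '${IPLANET_USER}' userid has remote logins disabled."
fi

out
out "Web Authors"
out "Nothing to check in this section."

out
out "Web Developers"
out "Nothing to check in this section."

out
out "Web Server ID"

# The original pattern 'root::' also required an empty password field, so a
# root group line with a password entry was never inspected.  Membership is
# still a substring match on the user name.
ROOT_CHECK=$(grep '^root:' /etc/group | grep "${IPLANET_USER}")
if [ -z "${ROOT_CHECK}" ]; then
  out "The '${IPLANET_USER}' userid is not in the root group."
else
  ERRCHK=1
  out "The '${IPLANET_USER}' userid should not be in the root group."
fi

# A sudoers file that cannot be read must not be reported as a pass (the
# original's grep produced no output in that case and the check "passed").
# Only this file is searched; files it includes are not followed.
if [ ! -r "${SUDOERS_FILE}" ]; then
  ERRCHK=1
  out "Unable to read ${SUDOERS_FILE}; the sudoers check could not be performed."
elif grep "${IPLANET_USER}" "${SUDOERS_FILE}" > /dev/null; then
  ERRCHK=1
  out "The '${IPLANET_USER}' userid should not exist in the sudoers file."
else
  out "The '${IPLANET_USER}' userid is not in the sudoers file."
fi

GOOD=
BAD=
out "Verifying that each webserver is running as ${IPLANET_USER}"
while read -r inst; do
  [ -z "${inst}" ] && continue
  if grep "${IPLANET_USER}" "${IPLANET_ROOT}/https-${inst}/config/magnus.conf" > /dev/null 2>&1; then
    GOOD="${GOOD} ${inst}"
  else
    ERRCHK=1
    BAD="${BAD} ${inst}"
  fi
done < "${WEB_INSTANCES}"
report_result "${GOOD}" "${BAD}" \
  "For failed sites, please make ${IPLANET_USER} the defined server id in magnus.conf"
out

GOOD=
BAD=
out "Checking for files in Document Root not owned by ${IPLANET_USER}:${IPLANET_GROUP}"
while read -r inst; do
  [ -z "${inst}" ] && continue
  docroot=$(get_docroot "${inst}")
  # An empty docroot would make find walk "/." -- the whole filesystem.
  if [ -z "${docroot}" ] || [ ! -d "${docroot}" ]; then
    ERRCHK=1
    BAD="${BAD} ${inst}"
    out "Could not determine the document root of ${inst}; counted as failed."
    continue
  fi
  # The original sent find's stdout to /dev/null (so the result was always
  # empty) and had no space before the closing "\)", which find received as
  # part of the group name; that check could never fail.
  ownerperms=$(find "${docroot}/." \( ! -type l \) \
      \( ! -user "${IPLANET_USER}" -o ! -group "${IPLANET_GROUP}" \) 2>/dev/null)
  if [ -z "${ownerperms}" ]; then
    GOOD="${GOOD} ${inst}"
  else
    ERRCHK=1
    BAD="${BAD} ${inst}"
  fi
done < "${WEB_INSTANCES}"
report_result "${GOOD}" "${BAD}" \
  "For failed sites, use the following command to find files with incorrect perms and correct them:" \
  "find <Document Root>/. \\( ! -user ${IPLANET_USER} -o ! -group ${IPLANET_GROUP} \\)"
out

GOOD=
BAD=
out "Verifying that webserver config files are owned by ${IPLANET_USER}:${IPLANET_GROUP} and have ${CONFIG_PERM} permissions..."
while read -r inst; do
  [ -z "${inst}" ] && continue
  # "-perm MODE" matches exactly that mode.  Only regular files are held to the
  # mode (directories need execute bits); ownership applies to everything but
  # symlinks.  The original's trailing "egrep -v \(.\)" reached egrep as the
  # regex "(.)" and discarded every non-empty line, so this check never failed.
  configperms=$(find "${IPLANET_ROOT}/https-${inst}/config/." \( ! -type l \) \
      \( ! -user "${IPLANET_USER}" -o ! -group "${IPLANET_GROUP}" \
         -o \( -type f ! -perm "${CONFIG_PERM}" \) \) 2>/dev/null \
    | grep -v admin.conf)
  if [ -z "${configperms}" ]; then
    GOOD="${GOOD} ${inst}"
  else
    ERRCHK=1
    BAD="${BAD} ${inst}"
  fi
done < "${WEB_INSTANCES}"
report_result "${GOOD}" "${BAD}" \
  "For failed sites, change ownership of all files in the config directory to ${IPLANET_USER}:${IPLANET_GROUP} and perms to ${CONFIG_PERM}."
out

out
out "General Users"
out ". We do not have the ability to verify this."

out
out "AK.1.2.3"

out

out "General Users"
out ". See Webserver ID section of 1.2.2 for verification of this section."
out

out "Automatic Directory Listings"
out

GOOD=
BAD=
out "Verifying that each site is WSL protected. WSL does not allow indexing at all. Iplanet does by default, and it cannot be turned off, but it does not extend outside the document root."
while read -r inst; do
  [ -z "${inst}" ] && continue
  # NOTE(review): "NameTrans" is the marker the original settled on (an
  # "AuthTrans" variant is commented out there).  A stock obj.conf may already
  # contain NameTrans directives, so confirm this really identifies WSL.
  if grep NameTrans "${IPLANET_ROOT}/https-${inst}/config/obj.conf" > /dev/null 2>&1; then
    GOOD="${GOOD} ${inst}"
  else
    ERRCHK=1
    BAD="${BAD} ${inst}"
  fi
done < "${WEB_INSTANCES}"
report_result "${GOOD}" "${BAD}" \
  "For failed sites, please add WSL protection and rerun the healthcheck."
out

out "CGI Scripts (Internet)"
out

GOOD=
BAD=
out "Checking for exploitable cgi scripts."
# The search directory is the same for every instance, so search it once and
# apply the result to each instance.  EXPLOIT_CGI is intentionally word-split.
cgifound=
for cgi in ${EXPLOIT_CGI}; do
  hit=$(find "${CGI_BIN_DIR}/." -type f -name "${cgi}" 2>/dev/null)
  [ -n "${hit}" ] && cgifound="${cgifound}${hit}${NL}"
done
while read -r inst; do
  [ -z "${inst}" ] && continue
  if [ -z "${cgifound}" ]; then
    GOOD="${GOOD} ${inst}"
  else
    ERRCHK=1
    BAD="${BAD} ${inst}"
  fi
done < "${WEB_INSTANCES}"
report_result "${GOOD}" "${BAD}" \
  "An exploitable cgi-script was found in the failed server instances. Please check for the following and remove:"
if [ -n "${cgifound}" ]; then
  printf '%s' "${cgifound}" >> "${RESULT_OUTPUT}"
fi
out

out "CGI Scripts (Intranet)"
out "See CGI Scripts (Internet)"

out
out "AK.1.2.4"
out

out "Confidential Information"

out "Access control was already checked in \"Automatic Directory Listings.\" We have no way of verifying what is confidential information though."
out

out "Document Tree"
out "There is nothing to check here."
out

out
out "AK.1.2.5"
out

out "Business Use Notice"
out "There is nothing to test here."

out
out "AK.1.2.6"
out

out "Confidential Information"

GOOD=
BAD=
if [ "${SSLREQ:-0}" -eq 1 ]; then
  out
  out "Verifying that each site SSL Encrypted."
  if [ ! -r "${WEB_INSTANCES_secure}" ]; then
    ERRCHK=1
    out "Unable to read ${WEB_INSTANCES_secure}; the SSL check could not be performed."
  else
    while read -r inst; do
      [ -z "${inst}" ] && continue
      # Substring match: any "443" anywhere in server.xml counts as SSL.
      if grep 443 "${IPLANET_ROOT}/https-${inst}/config/server.xml" > /dev/null 2>&1; then
        GOOD="${GOOD} ${inst}"
      else
        # The original did not set ERRCHK here, so an SSL failure alone still
        # ended with "No Violations noted".
        ERRCHK=1
        BAD="${BAD} ${inst}"
      fi
    done < "${WEB_INSTANCES_secure}"
    report_result "${GOOD}" "${BAD}" \
      "Failed sites do not have SSL encryption. If this is a production internet accessible site, this is a security violation."
  fi
else
  out "SSL encryption not required for this server. Checking bypassed."
fi
out
if [ "${ERRCHK}" -eq 0 ]; then
  echo "No Violations noted. Log located in ${RESULT_OUTPUT}."
else
  echo "At least 1 failure was noted in ${RESULT_OUTPUT}. Please correct and run the script again, or if there is a customer sign-off, please note it in the healthcheck data."
fi
out "$(date)"
# Mail the report as a uuencoded attachment.  The original line ended in "&d",
# which backgrounded mail and then ran a stray command named "d".
uuencode "${RESULT_OUTPUT}" "${RESULT_OUTPUT}" | mail -s "${HC_MAIL_SUBJECT}" "${HC_MAILTO}"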

 

HC.config:
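# hc.config - settings sourced (not executed) by HealthCheck.sh.
# iPlanet server root directory
IPLANET_ROOT=/opt/oracle/webserver7
# Unix user and group the web server must run as and own its files as.
IPLANET_USER=username
IPLANET_GROUP=usergroup
# Short host name; used to name the results file.
sname=$(uname -n)
# Set to 1 by HealthCheck.sh when any check fails; must start at 0.
ERRCHK=0
# 1 = run the SSL check in AK.1.2.6; any other value bypasses it.
SSLREQ=1
SUDOERS_FILE=/etc/sudoers
# Per-check PASS/FAIL accumulators; must start empty.  (The original used
# "set GOOD" / "set BAD", which sets the positional parameters instead of
# clearing these variables.)
GOOD=
BAD=
# Space-separated CGI program names that must not exist in the CGI directory.
EXPLOIT_CGI="phf test-cgi nph-test-cgi sh bash csh ksh tsh tclsh wish perl command.com"

# Filename in $IPLANET_ROOT which contains instances to start/stop
#WEB_INSTANCES=${IPLANET_ROOT}/instances
WEB_INSTANCES=/home/username/scripts/instances
WEB_INSTANCES_secure=/home/username/scripts/instancesecure

DATE_TAG=$(date '+_%Y%m%d')
#RESULT_OUTPUT=${IPLANET_ROOT}/scripts/results$DATE_TAG
# NOTE(review): the report lists this host's security findings; keep the
# scripts directory readable only by the account that runs the check.
RESULT_OUTPUT=/home/username/scripts/${sname}_results$DATE_TAG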

 
