2014-08-26 17:33:55 +02:00
#!/bin/sh
#################################################################################
#
# Lynis
# ------------------
#
2015-07-22 17:37:11 +02:00
# Copyright 2007-2015, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
# Web site: https://cisofy.com
2014-08-26 17:33:55 +02:00
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
# See LICENSE file for usage of this software.
#
#################################################################################
#
# Software: webserver
#
#################################################################################
#
InsertSection "Software: webserver"
#
#################################################################################
#
# Reset Apache status
APACHE_INSTALLED=0
APACHE_MODULES_ENABLED_LOCS="/etc/apache2/mods-enabled"
2015-04-24 13:31:49 +02:00
APACHE_MODULES_LOCS="/etc/httpd/modules /opt/local/apache2/modules /usr/lib/apache2 /usr/lib/httpd/modules /usr/libexec/apache2 /usr/lib64/apache2 /usr/lib64/apache2/modules /usr/lib64/httpd/modules /usr/local/libexec/apache /usr/local/libexec/apache22"
2014-08-26 17:33:55 +02:00
NGINX_RUNNING=0
NGINX_CONF_LOCS="/etc/nginx /usr/local/etc/nginx /usr/local/nginx/conf"
NGINX_CONF_LOCATION=""
#
#################################################################################
#
sTEST_APACHE_TARGETS="/etc/apache /etc/apache2 /etc/httpd /usr/local/apache /usr/local/apache2 \
/usr/local/etc/apache /usr/local/etc/apache2 /usr/local/etc/apache22 \
/usr/pkg/etc/httpd /etc/sysconfig/apache2"
if [ "${OS}" = "AIX" ]; then
RANDOMSTRING1=`echo lynis-$(od -N4 -tu /dev/random | awk 'NR==1 {print $2} {}')`; RANDOMSTRING2=`echo lynis2-$(od -N4 -tu /dev/random | awk 'NR==1 {print $2} {}')`
TMPFILE="/tmp/${RANDOMSTRING1}"; TMPFILE2="/tmp/${RANDOMSTRING2}"
echo "" > ${TMPFILE}; echo "" > ${TMPFILE2}
else
TMPFILE=`mktemp /tmp/lynis.XXXXXXXXXX` || exit 1
TMPFILE2=`mktemp /tmp/lynis2.XXXXXXXXXX` || exit 1
fi
#
#################################################################################
#
# Test : HTTP-6622
# Description : Test for Apache installation
# Notes : Do not run on NetBSD, -v is unknown option for httpd binary
2015-10-01 16:02:09 +02:00
# On OpenBSD do not run /usr/sbin/httpd with -v: builtin non-Apache
2014-08-26 17:33:55 +02:00
if [ ! "${OS}" = "NetBSD" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no HTTP-6622 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking Apache presence"
if [ ${SKIPTEST} -eq 0 ]; then
2015-10-01 16:02:09 +02:00
if [ "${OS}" = "OpenBSD" -a "${HTTPDBINARY}" = "/usr/sbin/httpd" ]; then HTTPDBINARY=""; fi
2014-08-26 17:33:55 +02:00
if [ "${HTTPDBINARY}" = "" ]; then
Display --indent 2 --text "- Checking Apache" --result "NOT FOUND" --color WHITE
else
2014-09-15 12:01:09 +02:00
logtext "Test: Scanning for Apache binary"
2015-10-01 16:02:09 +02:00
IS_APACHE=`${HTTPDBINARY} -v 2> /dev/null | egrep '[aA]pache'`
2014-08-26 17:33:55 +02:00
if [ "${IS_APACHE}" = "" ]; then
logtext "Result: ${HTTPDBINARY} is not Apache"
Display --indent 2 --text "- Checking Apache (binary ${HTTPDBINARY})" --result "NO MATCH" --color WHITE
else
Display --indent 2 --text "- Checking Apache (binary ${HTTPDBINARY})" --result "FOUND" --color GREEN
logtext "Result: ${HTTPDBINARY} seems to be Apache HTTP daemon"
APACHE_INSTALLED=1
fi
fi
fi
#
#################################################################################
#
# Test : HTTP-6624
# Description : Testing main Apache configuration file
2014-11-04 02:08:29 +01:00
# Notes : Do not run on OpenBSD/NetBSD, as -V is an unknown option for httpd binary
2014-08-26 17:33:55 +02:00
if [ ${APACHE_INSTALLED} -eq 1 ]; then
2014-11-04 02:08:29 +01:00
if [ ! "${OS}" = "NetBSD" -a ! "${OS}" = "OpenBSD" ]; then
2014-08-26 17:33:55 +02:00
PREQS_MET="YES"
else
PREQS_MET="NO"
fi
else
PREQS_MET="NO"
fi
Register --test-no HTTP-6624 --preqs-met ${PREQS_MET} --weight L --network NO --description "Testing main Apache configuration file"
if [ ${SKIPTEST} -eq 0 ]; then
APACHE_CONFIGFILE=""
2014-11-04 02:08:29 +01:00
APACHE_TEST=`${HTTPDBINARY} -V 2> /dev/null | grep "\-D SERVER_CONFIG_FILE=" | sed 's/[ ]-D SERVER_CONFIG_FILE=//' | tr -d '"' | tr -d ' ' | tr -d '[:cntrl:]'`
2014-08-26 17:33:55 +02:00
if [ "${APACHE_TEST}" = "" ]; then
2014-11-04 02:08:29 +01:00
logtext "Result: Can't find the configuration file, so skipping some Apache related tests"
2014-08-26 17:33:55 +02:00
else
# We found a possible match. Checking if it's valid filename. If not, we need to add a prefix
if [ -f ${APACHE_TEST} ]; then
APACHE_CONFIGFILE="${APACHE_TEST}"
Display --indent 6 --text "Info: Configuration file found (${APACHE_CONFIGFILE})"
else
# Probably the prefix is missing, so we are going to search that
2015-10-01 16:06:27 +02:00
APACHE_HTTPDROOT=`${HTTPDBINARY} -V 2> /dev/null | grep "\-D HTTPD_ROOT=" | sed 's/[ ]-D HTTPD_ROOT=//' | tr -d '"' | tr -d ' '`
2014-08-26 17:33:55 +02:00
#echo "Apache root prefix: ${APACHE_HTTPDROOT}"
#echo "Complete path to configuration file: ${APACHE_HTTPDROOT}/${APACHE_TEST}"
APACHE_TESTFILE="${APACHE_HTTPDROOT}/${APACHE_TEST}"
if [ -f ${APACHE_TESTFILE} ]; then
APACHE_CONFIGFILE="${APACHE_TESTFILE}"
Display --indent 6 --text "Info: Configuration file found (${APACHE_CONFIGFILE})"
logtext "Result: Configuration file found (${APACHE_CONFIGFILE})"
else
2014-10-14 10:40:00 +02:00
logtext "Result: File or directory ${APACHE_CONFIGFILE} does not exist"
2014-08-26 17:33:55 +02:00
Display --indent 6 --text "[Notice] possible directory/file parts found, but still unsure what the real configuration file is. Skipping some Apache related tests"
ReportException "${TEST_NO}:1" "Found some unknown directory or file references in Apache configuration"
fi
fi
fi
fi
#
#################################################################################
#
# Test : HTTP-6626
# Description : Testing other Apache configuration files
if [ ${APACHE_INSTALLED} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no HTTP-6626 --preqs-met ${PREQS_MET} --weight L --network NO --description "Testing other Apache configuration file"
if [ ${SKIPTEST} -eq 0 ]; then
2014-09-15 12:01:09 +02:00
#Display --indent 4 --text "- Searching Apache virtual hosts"
2014-08-26 17:33:55 +02:00
for I in ${sTEST_APACHE_TARGETS}; do
if [ -d ${I} ]; then
find ${I} -name "*.conf" -print >> ${TMPFILE2}
fi
done
# Sort unsorted list, save it in temp file and then remove unsorted list
if [ -f ${TMPFILE2} ]; then
2015-10-04 17:59:28 +02:00
sort -u ${TMPFILE2} >> ${TMPFILE}
2014-08-26 17:33:55 +02:00
rm -f ${TMPFILE2}
fi
cVHOSTS=0; tVHOSTS=""
# Check every configuration file
for I in `cat ${TMPFILE}`; do
logtext "Apache config file: ${I}"
2014-09-08 23:51:27 +02:00
FileIsReadable ${I}
if [ ${CANREAD} -eq 1 ]; then
# Search Virtual Hosts
2015-10-10 13:25:14 +02:00
for J in `grep "ServerName" ${I} | grep -v "^#" | awk '{ if ($1=="ServerName") print $2 }'`; do
2014-09-08 23:51:27 +02:00
if [ ! -z ${J} ]; then
tVHOSTS="${tVHOSTS} ${J}"
cVHOSTS=`expr ${cVHOSTS} + 1`
fi
done
# Search Server aliases
2015-10-10 13:25:14 +02:00
for J in `grep "ServerAlias" ${I} | grep -v "^#" | sed "s/.* ServerAlias//g" | sed "s/#.*//g"`; do
2014-09-08 23:51:27 +02:00
if [ ! -z ${J} ]; then
tVHOSTS="${tVHOSTS} ${J}"
cVHOSTS=`expr ${cVHOSTS} + 1`
fi
done
else
logtext "Result: can not read configuration file with this user ID"
ReportException "${TEST_NO}:1" "Can not read configuration file $I"
fi
2014-08-26 17:33:55 +02:00
done
# Log all virtual hosts we found
for J in ${tVHOSTS}; do
if [ ! -z ${J} ]; then
logtext "Virtual host: ${J}"
report "apache_vhost_name[]=${J}"
fi
done
# Show number of vhosts if we found any
logtext "Result: found ${cVHOSTS} virtual hosts"
if [ ${cVHOSTS} -gt 0 ]; then
Display --indent 6 --text "Info: Found ${cVHOSTS} virtual hosts"
else
Display --indent 6 --text "Info: No virtual hosts found"
fi
fi
# Remove temp files
if [ -f ${TMPFILE} -a ! "${TMPFILE}" = "" ]; then
rm -f ${TMPFILE}
fi
if [ ! "${TMPFILE2}" = "" ]; then if [ -f ${TMPFILE2} ]; then rm -f ${TMPFILE2}; fi; fi
#
#################################################################################
#
# Test : HTTP-6628
# Description : Testing other Apache configuration files
#if [ ${APACHE_INSTALLED} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
#Register --test-no HTTP-6628 --preqs-met ${PREQS_MET} --weight L --network NO --description "Testing other Apache configuration file"
#if [ ${SKIPTEST} -eq 0 ]; then
# # Configuration specific tests
# SERVERTOKENSFOUND=0
# APACHE_CONFIGFILES="${APACHE_CONFIGFILE} /usr/local/etc/apache22/extra/httpd-default.conf /etc/apache2/sysconfig.d/global.conf"
2015-09-07 17:35:07 +02:00
#
2014-08-26 17:33:55 +02:00
# for APACHE_CONFIGFILE in ${APACHE_CONFIGFILES}; do
2015-09-07 17:35:07 +02:00
# if [ -f ${APACHE_CONFIGFILE} ]; then
2014-08-26 17:33:55 +02:00
# # Check if option ServerTokens is configured
2015-10-10 13:25:14 +02:00
# SERVERTOKENSTEST=`grep ServerTokens ${APACHE_CONFIGFILE} | grep -v '^#'`
2014-08-26 17:33:55 +02:00
# if [ ! "${SERVERTOKENSTEST}" = "" ]; then
2014-09-15 12:01:09 +02:00
# Display --indent 4 --text "- Checking option ServerTokens" --result FOUND --color WHITE
2014-08-26 17:33:55 +02:00
# SERVERTOKENSTEST=`echo ${SERVERTOKENSTEST} | sed 's/ServerTokens//' | tr -d ' '`
# logtext "Option ServerTokens found: ${SERVERTOKENSTEST}"
2015-10-10 13:25:14 +02:00
# SERVERTOKENSEXPECTED=`grep 'apache' ${PROFILE} | grep 'ServerTokens' | cut -d ':' -f3`
2014-08-26 17:33:55 +02:00
# if [ "${SERVERTOKENSEXPECTED}" = "${SERVERTOKENSTEST}" ]; then
# logtext "Result: Value from configuration file yielded the same output as in template"
# SERVERTOKENSFOUND=1
# else
2014-09-15 10:52:06 +02:00
# logtext "Result: Value of ServerTokens within active configuration is different than from used template."
2014-08-26 17:33:55 +02:00
# logtext "Found: ${SERVERTOKENSTEST}"
# logtext "Expected: ${SERVERTOKENSEXPECTED}"
# fi
# else
2014-09-15 12:01:09 +02:00
# Display --indent 4 --text "- Checking option ServerTokens" --result "NOT FOUND" --color WHITE
2014-08-26 17:33:55 +02:00
# fi
2015-09-07 17:35:07 +02:00
#
2014-08-26 17:33:55 +02:00
# else
# # File does not exist, skipping
# logtext "File ${APACHE_CONFIGFILE} does not exist, so skipping tests on this file"
# fi
# done
2015-09-07 17:35:07 +02:00
#
2014-08-26 17:33:55 +02:00
# # Display results from checks
# if [ ${SERVERTOKENSFOUND} -eq 1 ]; then
2014-09-15 12:01:09 +02:00
# Display --indent 6 --text "- Value of ServerTokens" --result OK --color GREEN
2015-09-07 17:35:07 +02:00
# else
2014-09-15 12:01:09 +02:00
# Display --indent 6 --text "- Value of ServerTokens" --result WARNING --color RED
2014-08-26 17:33:55 +02:00
# ReportWarning ${TEST_NO} "M" "Value of 'ServerTokens' in Apache config is different than template"
# fi
# fi
# fi
# fi
#
#################################################################################
#
# Test : HTTP-6630
# Description : Search for all loaded modules
#if [ ${APACHE_INSTALLED} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
#Register --test-no HTTP-6630 --preqs-met ${PREQS_MET} --weight L --network NO --description "Determining all loaded Apache modules"
#if [ ${SKIPTEST} -eq 0 ]; then
# Testing Debian style
#logtext "Test: searching loaded/enabled Apache modules"
#apachectl -t -D DUMP_MODULES 2>&1 | egrep -v "(Loaded Modules|Syntax OK)" | sed 's/(\(shared\|static\))//' | sed 's/ //'
#for I in ${APACHE_MODULES_ENABLED_LOCS}; do
#logtext "Test: checking ${I}"
#if [ -d ${I} ]; then
#FIND=`grep -r LoadModule ${I}/* | grep -v "^#" | awk '{ print $2":"$3 }'`
#else
#logtext "Result: ${I} does not exist"
#fi
#done
#fi
#
#################################################################################
#
# Test : HTTP-6632
# Description : Search for available Apache modules
if [ ${APACHE_INSTALLED} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no HTTP-6632 --preqs-met ${PREQS_MET} --weight L --network NO --description "Determining all available Apache modules"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: searching available Apache modules"
N=0
for I in ${APACHE_MODULES_LOCS}; do
DirectoryExists ${I}
if [ ${DIRECTORY_FOUND} -eq 1 ]; then
FIND=`find ${I} -name mod_* -print | sort`
for J in ${FIND}; do
report "apache_module[]=${J}"
logtext "Result: found Apache module ${J}"
N=`expr ${N} + 1`
done
fi
done
if [ ${N} -eq 0 ]; then
Display --indent 4 --text "* Loadable modules" --result "NONE" --color WHITE
ReportException "${TEST_NO}:1" "No loadable Apache modules found"
else
Display --indent 4 --text "* Loadable modules" --result "FOUND" --color GREEN
Display --indent 8 --text "- Found ${N} loadable modules"
fi
fi
#
#################################################################################
#
# Test : HTTP-6640
# Description : Search for special Apache modules: evasive
if [ ${APACHE_INSTALLED} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no HTTP-6640 --preqs-met ${PREQS_MET} --weight L --network NO --description "Determining existence of specific Apache modules"
if [ ${SKIPTEST} -eq 0 ]; then
# Check modules, module
2014-09-23 23:27:01 +02:00
CheckItem "apache_module" "/mod_evasive([0-9][0-9])?.so"
2014-08-26 17:33:55 +02:00
if [ ${ITEM_FOUND} -eq 1 ]; then
Display --indent 10 --text "mod_evasive: anti-DoS/brute force" --result FOUND --color GREEN
AddHP 3 3
else
Display --indent 10 --text "mod_evasive: anti-DoS/brute force" --result "NOT FOUND" --color WHITE
AddHP 2 3
ReportSuggestion ${TEST_NO} "Install Apache mod_evasive to guard webserver against DoS/brute force attempts"
fi
fi
#
#################################################################################
#
# Test : HTTP-6641
# Description : Search for special Apache modules: Quality of Service
if [ ${APACHE_INSTALLED} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no HTTP-6641 --preqs-met ${PREQS_MET} --weight L --network NO --description "Determining existence of specific Apache modules"
if [ ${SKIPTEST} -eq 0 ]; then
# Check modules, module
CheckItem "apache_module" "/mod_qos.so"
if [ ${ITEM_FOUND} -eq 1 ]; then
Display --indent 10 --text "mod_qos: anti-Slowloris" --result FOUND --color GREEN
AddHP 3 3
else
Display --indent 10 --text "mod_qos: anti-Slowloris" --result "NOT FOUND" --color WHITE
AddHP 2 3
ReportSuggestion ${TEST_NO} "Install Apache mod_qos to guard webserver against Slowloris attacks"
fi
fi
#
#################################################################################
#
# Test : HTTP-6642
# Description : Search for special Apache modules: Spamhaus
if [ ${APACHE_INSTALLED} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no HTTP-6642 --preqs-met ${PREQS_MET} --weight L --network NO --description "Determining existence of specific Apache modules"
if [ ${SKIPTEST} -eq 0 ]; then
# Check modules, module
CheckItem "apache_module" "/mod_spamhaus.so"
if [ ${ITEM_FOUND} -eq 1 ]; then
Display --indent 10 --text "mod_spamhaus: anti-spam (spamhaus)" --result FOUND --color GREEN
AddHP 3 3
else
Display --indent 10 --text "mod_spamhaus: anti-spam (spamhaus)" --result "NOT FOUND" --color WHITE
AddHP 2 3
ReportSuggestion ${TEST_NO} "Install Apache mod_spamhaus to guard webserver against spammers"
fi
fi
#
#################################################################################
#
# Test : HTTP-6643
# Description : Search for special Apache modules: security
if [ ${APACHE_INSTALLED} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no HTTP-6643 --preqs-met ${PREQS_MET} --weight L --network NO --description "Determining existence of specific Apache modules"
if [ ${SKIPTEST} -eq 0 ]; then
# Check modules, module
CheckItem "apache_module" "/mod_security2.so"
if [ ${ITEM_FOUND} -eq 1 ]; then
Display --indent 10 --text "ModSecurity: web application firewall" --result FOUND --color GREEN
AddHP 3 3
else
Display --indent 10 --text "ModSecurity: web application firewall" --result "NOT FOUND" --color WHITE
AddHP 2 3
ReportSuggestion ${TEST_NO} "Install Apache modsecurity to guard webserver against web application attacks"
fi
# Extend test with nginx?
fi
#
#################################################################################
#
# Test : HTTP-6660
# Description : Search for "TraceEnable off" in configuration files
#
#################################################################################
#
# Test : HTTP-6702
# Description : Search for nginx process
Register --test-no HTTP-6702 --weight L --network NO --description "Check nginx process"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: searching running nginx process"
FIND=`${PSBINARY} ax | grep "/nginx" | grep "master" | grep -v "grep"`
if [ ! "${FIND}" = "" ]; then
logtext "Result: found running nginx process(es)"
Display --indent 2 --text "- Checking nginx" --result FOUND --color GREEN
NGINX_RUNNING=1
else
logtext "Result: no running nginx process found"
Display --indent 2 --text "- Checking nginx" --result "NOT FOUND" --color WHITE
fi
fi
#
#################################################################################
#
# Test : HTTP-6704
# Description : Search for nginx configuration file
if [ ${NGINX_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no HTTP-6704 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check nginx configuration file"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: searching nginx configuration file"
for I in ${NGINX_CONF_LOCS}; do
if [ -f ${I}/nginx.conf ]; then
NGINX_CONF_LOCATION="${I}/nginx.conf"
logtext "Found file ${NGINX_CONF_LOCATION}"
fi
done
if [ ! "${NGINX_CONF_LOCATION}" = "" ]; then
logtext "Result: found nginx configuration file"
report "nginx_main_conf_file=${NGINX_CONF_LOCATION}"
Display --indent 4 --text "- Searching nginx configuration file" --result FOUND --color GREEN
else
logtext "Result: no nginx configuration file found"
Display --indent 2 --text "- Searching nginx configuration file" --result "NOT FOUND" --color WHITE
fi
fi
#
#################################################################################
#
# Test : HTTP-6706
# Description : Search for includes within nginx configuration file
# Notes : Daemon nginx should be running, nginx.conf should be found
2015-09-07 10:13:20 +02:00
if [ ${NGINX_RUNNING} -eq 1 -a ! "${NGINX_CONF_LOCATION}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
2014-08-26 17:33:55 +02:00
Register --test-no HTTP-6706 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check for additional nginx configuration files"
if [ ${SKIPTEST} -eq 0 ]; then
# Remove temp file
if [ ! "${TMPFILE}" = "" ]; then if [ -f ${TMPFILE} ]; then rm -f ${TMPFILE}; fi; fi
N=0
2015-10-10 13:25:14 +02:00
sed -e 's/^[ ]*//' ${NGINX_CONF_LOCATION} | grep -v "^#" | grep -v "^$" | sed 's/[ ]/ /g' | sed 's/ / /g' | sed 's/ / /g' >> ${TMPFILE}
2014-08-26 17:33:55 +02:00
# Search for included configuration files (may include directories and wild cards)
FIND=`grep "include" ${NGINX_CONF_LOCATION} | ${AWKBINARY} '{ if ($1=="include") { print $2 }}' | sed 's/;$//g'`
for I in ${FIND}; do
FIND2=`${LSBINARY} ${I} 2>/dev/null`
for J in ${FIND2}; do
2015-09-07 10:13:20 +02:00
# Ensure that we are parsing normal files
2014-08-26 17:33:55 +02:00
if [ -f ${J} ]; then
N=`expr ${N} + 1`
logtext "Result: found Nginx configuration file ${J}"
report "nginx_sub_conf_file=${J}"
2014-09-08 23:51:27 +02:00
FileIsReadable ${J}
if [ ${CANREAD} -eq 1 ]; then
2015-10-10 13:25:14 +02:00
FIND3=`sed -e 's/^[ ]*//' ${J} | grep -v "^#" | grep -v "^$" | sed 's/[ ]/ /g' | sed 's/ / /g' | sed 's/ / /g' >> ${TMPFILE}`
2014-09-08 23:51:27 +02:00
else
ReportException "${TEST_NO}:1" "Can not parse file ${J}, as it is not readable"
fi
2014-08-26 17:33:55 +02:00
fi
done
done
# Sort all discovered configuration lines and store unique ones. Also strip out the mime types configured in nginx
2015-10-10 13:25:14 +02:00
SORTFILE=`sort -u ${TMPFILE} | sed 's/ /:space:/g' | egrep -v "(application|audio|image|text|video)/" | egrep -v "({|})"`
2015-09-07 10:13:20 +02:00
for I in ${SORTFILE}; do
2014-08-26 17:33:55 +02:00
I=`echo ${I} | sed 's/:space:/ /g'`
report "nginx_config_option=${I}";
2015-09-07 10:13:20 +02:00
done
2014-08-26 17:33:55 +02:00
# Remove unsorted file for next tests
2015-09-07 10:13:20 +02:00
if [ -f ${TMPFILE} ]; then rm -f ${TMPFILE}; fi
2014-08-26 17:33:55 +02:00
if [ ${N} -eq 0 ]; then
logtext "Result: no nginx include statements found"
else
Display --indent 6 --text "- Found nginx includes" --result "${N} FOUND" --color GREEN
fi
fi
#
#################################################################################
#
# Test : HTTP-6708
# Description : Check discovered nginx configuration settings for further hardering
# Notes : Daemon of nginx should be running, nginx.conf should be found
if [ ${NGINX_RUNNING} -eq 1 -a "${NGINX_CONF_LOCATION}" != "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no HTTP-6708 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check discovered nginx configuration settings"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: start parsing all discovered nginx options"
2014-09-15 12:01:09 +02:00
Display --indent 4 --text "- Parsing configuration options"
2014-08-26 17:33:55 +02:00
ParseNginx
fi
#
#################################################################################
#
# Test : HTTP-6710
# Description : Check SSL configuration of nginx
# Notes : Daemon of nginx should be running, nginx.conf should be found
if [ ${NGINX_RUNNING} -eq 1 -a "${NGINX_CONF_LOCATION}" != "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no HTTP-6710 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check nginx SSL configuration settings"
if [ ${SKIPTEST} -eq 0 ]; then
NGINX_SSL_SUGGESTION=0
if [ ${NGINX_SSL_ON} -eq 1 ]; then
logtext "Result: SSL is configured in nginx on one or more virtual hosts"
Display --indent 6 --text "- SSL configured" --result "YES" --color GREEN
AddHP 5 5
# Cipher tests
if [ ${NGINX_SSL_CIPHERS} -eq 1 ]; then
Display --indent 8 --text "- Ciphers configured" --result "YES" --color GREEN
else
Display --indent 8 --text "- Ciphers configured" --result "NO" --color RED
NGINX_SSL_SUGGESTION=1
fi
if [ ${NGINX_SSL_PREFER_SERVER_CIPHERS} -eq 1 ]; then
Display --indent 8 --text "- Prefer server ciphers" --result "YES" --color GREEN
else
Display --indent 8 --text "- Prefer server ciphers" --result "NO" --color RED
NGINX_SSL_SUGGESTION=1
fi
if [ ${NGINX_SSL_PROTOCOLS} -eq 1 ]; then
Display --indent 8 --text "- Protocols configured" --result "YES" --color GREEN
2014-10-14 10:01:46 +02:00
FIND=`${GREPBINARY} "ssl_protocols" ${NGINX_CONF_LOCATION} | ${GREPBINARY} "SSLv[12]"`
if [ "${FIND}" = "" ]; then
Display --indent 10 --text "- Insecure protocols found" --result "NO" --color GREEN
else
Display --indent 10 --text "- Insecure protocols found" --result "YES" --color RED
fi
2014-08-26 17:33:55 +02:00
else
Display --indent 8 --text "- Protocols configured" --result "NO" --color RED
NGINX_SSL_SUGGESTION=1
fi
else
logtext "Result: No SSL configuration found"
Display --indent 6 --text "- SSL configured" --result "NO" --color RED
NGINX_SSL_SUGGESTION=1
AddHP 1 5
fi
if [ ${NGINX_SSL_SUGGESTION} -eq 1 ]; then
logtext "Result: one or more parts of the nginx configuration could be enhanced regarding SSL"
ReportSuggestion ${TEST_NO} "Configure SSL in nginx for protection of sensitive data and privacy"
fi
fi
#
#################################################################################
#
# Test : HTTP-6712
# Description : Check logging configuration of nginx
# Notes : Daemon of nginx should be running, nginx.conf should be found
if [ ${NGINX_RUNNING} -eq 1 -a "${NGINX_CONF_LOCATION}" != "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no HTTP-6712 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check nginx access logging"
if [ ${SKIPTEST} -eq 0 ]; then
NGINX_LOG_SUGGESTION=0
2014-09-15 12:01:09 +02:00
Display --indent 6 --text "- Checking log file configuration"
2014-08-26 17:33:55 +02:00
# Check for missing access log
if [ ${NGINX_ACCESS_LOG_MISSING} -eq 1 ]; then
NGINX_LOG_SUGGESTION=1
Display --indent 8 --text "- Missing log files (access_log)" --result "YES" --color RED
else
Display --indent 8 --text "- Missing log files (access_log)" --result "NO" --color GREEN
fi
# Access log disabled
if [ ${NGINX_ACCESS_LOG_DISABLED} -eq 1 ]; then
NGINX_LOG_SUGGESTION=1
logtext "Result: found one or more virtual hosts which have their access log disabled"
Display --indent 8 --text "- Disabled access logging" --result "YES" --color RED
AddHP 2 3
else
logtext "Result: no virtual hosts found which have their access log disabled"
Display --indent 8 --text "- Disabled access logging" --result "NO" --color GREEN
AddHP 3 3
fi
# Report suggestion
if [ ${NGINX_LOG_SUGGESTION} -eq 1 ]; then
ReportSuggestion ${TEST_NO} "Check your nginx access log for proper functioning"
fi
fi
#
#################################################################################
#
# Test : HTTP-6714
# Description : Check missing error logs in nginx
if [ ${NGINX_RUNNING} -eq 1 -a "${NGINX_CONF_LOCATION}" != "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no HTTP-6714 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check for missing error logs in nginx"
if [ ${SKIPTEST} -eq 0 ]; then
NGINX_LOG_SUGGESTION=0
# Check for missing access log
if [ ${NGINX_ERROR_LOG_MISSING} -eq 1 ]; then
NGINX_LOG_SUGGESTION=1
Display --indent 8 --text "- Missing log files (error_log)" --result "YES" --color RED
else
Display --indent 8 --text "- Missing log files (error_log)" --result "NO" --color GREEN
fi
# Report suggestion
if [ ${NGINX_LOG_SUGGESTION} -eq 1 ]; then
ReportSuggestion ${TEST_NO} "Check your nginx error_log statements"
fi
fi
#
#################################################################################
#
# Test : HTTP-6716
# Description : Check debug mode on error log in nginx
if [ ${NGINX_RUNNING} -eq 1 -a "${NGINX_CONF_LOCATION}" != "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no HTTP-6716 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check for debug mode on error log in nginx"
if [ ${SKIPTEST} -eq 0 ]; then
NGINX_LOG_SUGGESTION=0
# Access log in debug mode
if [ ${NGINX_ERROR_LOG_DEBUG} -eq 1 ]; then
NGINX_LOG_SUGGESTION=1
logtext "Result: found one or more virtual hosts which have their error log in debug mode"
Display --indent 8 --text "- Debugging mode on error_log" --result "YES" --color RED
AddHP 2 3
else
logtext "Result: no virtual hosts found which have their access log disabled"
Display --indent 8 --text "- Debugging mode on error_log" --result "NO" --color GREEN
AddHP 3 3
fi
# Report suggestion
if [ ${NGINX_LOG_SUGGESTION} -eq 1 ]; then
ReportSuggestion ${TEST_NO} "Check your nginx error_log statements"
fi
fi
#
#################################################################################
#
2015-09-24 20:12:19 +02:00
# Test : HTTP-67xx
2014-08-26 17:33:55 +02:00
# Description : Check if nginx is running as a reverse proxy
# Notes : aliases are not counted yet (YYY)
# if [ ${NGINX_RUNNING} -eq 1 -a ! "${NGINX_CONF_LOCATION}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
2015-09-24 20:12:19 +02:00
# Register --test-no HTTP-67xx --preqs-met ${PREQS_MET} --weight L --network NO --description "Check nginx virtual hosts"
2014-08-26 17:33:55 +02:00
# if [ ${SKIPTEST} -eq 0 ]; then
# N=0
# logtext "Test: searching proxy_pass statement in configuration file ${NGINX_CONF_LOCATION}"
# FIND=`grep "proxy_pass" ${NGINX_CONF_LOCATION} | grep -v "#" | sed 's/proxy_pass//g' | tr -d ';'`
# for I in ${FIND}; do
# logtext "Found reverse proxy configuration for: ${I}"
# N=`expr ${N} + 1`
# done
# if [ ${N} -eq 0 ]; then
# logtext "Result: no reverse proxying functionality found"
2014-09-15 12:01:09 +02:00
# Display --indent 4 --text "- Searching reverse proxy functionality" --result "NOT FOUND" --color WHITE
2014-08-26 17:33:55 +02:00
# else
# logtext "Result: found ${N} addresses for which nginx will be a reverse proxy"
2014-09-15 12:01:09 +02:00
# Display --indent 4 --text "- Searching reverse proxy functionality" --result "${N} FOUND" --color GREEN
2014-08-26 17:33:55 +02:00
# fi
# fi
#
#################################################################################
#
2015-09-24 20:12:19 +02:00
# Test : HTTP-67xx
2014-08-26 17:33:55 +02:00
# Description : Search for nginx virtual hosts
# Notes : Test if not aware yet of included configuration files
# if [ ${NGINX_RUNNING} -eq 1 -a ! "${NGINX_CONF_LOCATION}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
2015-09-24 20:12:19 +02:00
# Register --test-no HTTP-67xx --preqs-met ${PREQS_MET} --weight L --network NO --description "Check nginx virtual hosts"
2014-08-26 17:33:55 +02:00
# if [ ${SKIPTEST} -eq 0 ]; then
# N=0
# logtext "Test: searching nginx virtual hosts"
# FIND=`grep "server_name" ${NGINX_CONF_LOCATION} | grep -v "#" | sed 's/server_name//g' | tr -d ';'`
# for I in ${FIND}; do
# if [ "${I}" = "_" ]; then I="Default virtual host"; fi
# logtext "Found virtual host: ${I}"
# report "nginx_vhost_name[]=${I}"
# N=`expr ${N} + 1`
# done
# if [ ${N} -eq 0 ]; then
# logtext "Result: no virtual hosts found"
2014-09-15 12:01:09 +02:00
# Display --indent 4 --text "- Searching virtual hosts" --result "NOT FOUND" --color WHITE
2014-08-26 17:33:55 +02:00
# else
# logtext "Result: found ${N} virtual hosts"
2014-09-15 12:01:09 +02:00
# Display --indent 4 --text "- Searching virtual hosts" --result "${N} FOUND" --color GREEN
2014-08-26 17:33:55 +02:00
# fi
# fi
#
#################################################################################
#
# Test : HTTP-6720
# Description : Search for Nginx log files
if [ ${NGINX_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no HTTP-6720 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check Nginx log files"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Checking directories for files with log file definitions"
for I in ${NGINX_CONF_LOCS}; do
logtext "Test: Checking ${I}"
if [ -d ${I} ]; then
logtext "Result: Directory ${I} exists, so will be used as search path"
2015-10-04 17:59:28 +02:00
FIND=`find ${I} -type f -exec grep access_log \{\} \; | grep -v "#" | awk '{ if($1=="access_log") { print $2 } }' | sed 's/;$//g' | sort -u`
2014-08-26 17:33:55 +02:00
if [ "${FIND}" = "" ]; then
logtext "Result: no log files found"
else
logtext "Result: found one or more log files"
for I in ${FIND}; do
if [ -f ${I} ]; then
logtext "Found log file: ${I}"
report "log_file=${I}"
else
logtext "Found non existing log file: ${I}"
fi
done
fi
else
logtext "Result: directory ${I} not found, skipping search in this directory."
fi
done
fi
#
#################################################################################
#
# Test : HTTP-6740
# Description : Nginx: Check for server_tokens off in configuration files
#
#################################################################################
#
# Remove temp file (double check)
if [ ! "${TMPFILE}" = "" ]; then if [ -f ${TMPFILE} ]; then rm -f ${TMPFILE}; fi; fi
if [ ! "${TMPFILE2}" = "" ]; then if [ -f ${TMPFILE2} ]; then rm -f ${TMPFILE2}; fi; fi
wait_for_keypress
#
#================================================================================
2015-07-22 17:37:11 +02:00
# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com
