2014-08-26 17:33:55 +02:00
#!/bin/sh
#################################################################################
#
# Lynis
# ------------------
#
2016-03-13 16:00:39 +01:00
# Copyright 2007-2013, Michael Boelen
2019-01-31 14:47:35 +01:00
# Copyright 2007-2019, CISOfy
2016-03-13 16:00:39 +01:00
#
# Website : https://cisofy.com
# Blog : http://linux-audit.com
# GitHub : https://github.com/CISOfy/lynis
2014-08-26 17:33:55 +02:00
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
# See LICENSE file for usage of this software.
#
#################################################################################
#
# SSH
#
#################################################################################
#
SSH_DAEMON_CONFIG_LOCS="/etc /etc/ssh /usr/local/etc/ssh /opt/csw/etc/ssh"
SSH_DAEMON_CONFIG=""
SSH_DAEMON_PORT=""
SSH_DAEMON_RUNNING=0
2016-05-02 15:04:40 +02:00
SSH_DAEMON_OPTIONS_FILE=""
2018-10-23 17:14:47 +02:00
OPENSSHD_VERSION=0
OPENSSHD_VERSION_MAJOR=0
OPENSSHD_VERSION_MINOR=0
2014-08-26 17:33:55 +02:00
#
#################################################################################
#
InsertSection "SSH Support"
#
#################################################################################
#
# Test : SSH-7402
# Description : Check for a running SSH daemon
2016-07-24 17:22:00 +02:00
Register --test-no SSH-7402 --weight L --network NO --category security --description "Check for running SSH daemon"
2014-08-26 17:33:55 +02:00
if [ ${SKIPTEST} -eq 0 ]; then
2015-12-21 21:17:15 +01:00
LogText "Test: Searching for a SSH daemon"
2014-08-26 17:33:55 +02:00
IsRunning sshd
2016-03-30 13:48:18 +02:00
if [ ${RUNNING} -eq 1 ] || PortIsListening "TCP" 22; then
2014-08-26 17:33:55 +02:00
SSH_DAEMON_RUNNING=1
2016-06-18 11:14:01 +02:00
Display --indent 2 --text "- Checking running SSH daemon" --result "${STATUS_FOUND}" --color GREEN
2016-05-02 15:04:40 +02:00
# Store settings in a temporary file
CreateTempFile
SSH_DAEMON_OPTIONS_FILE="${TEMP_FILE}"
2018-05-14 08:29:30 +02:00
# Use a non-existing user, to ensure that systems that have a Match block configured, will be evaluated as well
2018-06-22 12:29:25 +02:00
${SSHDBINARY} -T -C user=doesnotexist,host=none,addr=none 2> /dev/null > ${SSH_DAEMON_OPTIONS_FILE}
2017-04-23 20:06:54 +02:00
else
2016-06-18 11:14:01 +02:00
Display --indent 2 --text "- Checking running SSH daemon" --result "${STATUS_NOT_FOUND}" --color WHITE
2014-08-26 17:33:55 +02:00
fi
fi
#
#################################################################################
#
# Test : SSH-7404
# Description : Determine SSH daemon configuration file location
if [ ${SSH_DAEMON_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
2016-07-24 17:22:00 +02:00
Register --test-no SSH-7404 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check SSH daemon file location"
2014-08-26 17:33:55 +02:00
if [ ${SKIPTEST} -eq 0 ]; then
FOUND=0
2015-12-21 21:17:15 +01:00
LogText "Test: searching for sshd_config file"
2014-08-26 17:33:55 +02:00
for I in ${SSH_DAEMON_CONFIG_LOCS}; do
if [ -f "${I}/sshd_config" ]; then
2017-03-07 20:23:08 +01:00
LogText "Result: ${I}/sshd_config exists"
if [ ${FOUND} -eq 1 ]; then
ReportException "${TEST_NO}:01"
LogText "Result: we already had found another sshd_config file. Using this new file then."
fi
FileIsReadable ${I}/sshd_config
if [ ${CANREAD} -eq 1 ]; then
FOUND=1
SSH_DAEMON_CONFIG="${I}/sshd_config"
2017-04-23 20:06:54 +02:00
else
2017-03-07 20:23:08 +01:00
LogText "Result: can not read ${I}/sshd_config file (no permission)"
fi
2014-09-09 14:49:37 +02:00
fi
done
2017-04-23 20:06:54 +02:00
if [ -z "${SSH_DAEMON_CONFIG}" ]; then
2015-12-21 21:17:15 +01:00
LogText "Result: No sshd configuration found"
2016-06-18 11:14:01 +02:00
Display --indent 4 --text "- Searching SSH configuration" --result "${STATUS_NOT_FOUND}" --color YELLOW
2014-09-09 14:49:37 +02:00
ReportException "${TEST_NO}:1" "SSH daemon is running, but no readable configuration file found"
2017-04-23 20:06:54 +02:00
else
2015-12-21 21:17:15 +01:00
LogText "Result: using last found configuration file: ${SSH_DAEMON_CONFIG}"
2016-06-18 11:14:01 +02:00
Display --indent 4 --text "- Searching SSH configuration" --result "${STATUS_FOUND}" --color GREEN
2014-09-09 14:49:37 +02:00
fi
2014-08-26 17:33:55 +02:00
fi
#
#################################################################################
2018-10-23 17:14:47 +02:00
#
# Test : SSH-7406
# Description : Check OpenSSH version
if [ ${SSH_DAEMON_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no SSH-7406 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Determine OpenSSH version"
if [ ${SKIPTEST} -eq 0 ]; then
2019-03-19 10:45:10 +01:00
OPENSSHD_VERSION=$(${SSHDBINARY} -t -d 2>&1 | ${GREPBINARY} 'sshd version' | ${AWKBINARY} '{if($4~OpenSSH_){print $4}}' | ${AWKBINARY} -F_ '{print $2}' | ${TRBINARY} -d ',' | ${TRBINARY} -d '\r')
2018-10-23 17:14:47 +02:00
LogText "Result: discovered OpenSSH version is ${OPENSSHD_VERSION}"
if [ ! -z ${OPENSSHD_VERSION} ]; then
2019-03-19 10:45:10 +01:00
OPENSSHD_VERSION_MAJOR=$(echo ${OPENSSHD_VERSION%%p*} | ${AWKBINARY} -F. '{print $1}')
2018-10-23 17:14:47 +02:00
LogText "Result: OpenSSH major version: ${OPENSSHD_VERSION_MAJOR}"
2019-03-19 10:45:10 +01:00
OPENSSHD_VERSION_MINOR=$(echo ${OPENSSHD_VERSION%%p*} | ${AWKBINARY} -F. '{print $2}')
2018-10-23 17:14:47 +02:00
LogText "Result: OpenSSH minor version: ${OPENSSHD_VERSION_MINOR}"
fi
fi
#
#################################################################################
2014-08-26 17:33:55 +02:00
#
# Test : SSH-7408
# Description : Check SSH specific defined options
2016-04-19 12:04:51 +02:00
# Notes : Instead of parsing the configuration file, we query the SSH daemon itself
2019-03-19 10:45:10 +01:00
if [ ${SSH_DAEMON_RUNNING} -eq 1 -a ! -z "${SSH_DAEMON_OPTIONS_FILE}" -a ${OPENSSHD_VERSION_MAJOR} -ge 5 -a ${OPENSSHD_VERSION_MINOR} -ge 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
2016-07-24 17:22:00 +02:00
Register --test-no SSH-7408 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check SSH specific defined options"
2014-08-26 17:33:55 +02:00
if [ ${SKIPTEST} -eq 0 ]; then
2016-05-02 15:04:40 +02:00
LogText "Test: Checking specific defined options in ${SSH_DAEMON_OPTIONS_FILE}"
2015-12-03 00:57:50 +01:00
## SSHOPTIONS scheme:
2015-12-05 20:37:47 +01:00
## <OptionName>:<ExpectedValue>,<MediumScoreValue>,<WeakValue>:<TestType>
##
## Test types:
## (a) '=' -- equal to is better,
## (b) '<' -- less or equal is better,
## (c) '>' -- more or equal is better,
## (d) '!' -- not equal is better.
##
2015-12-03 00:57:50 +01:00
## Example:
2015-12-05 20:37:47 +01:00
## PermitRootLogin:NO,WITHOUT-PASSWORD,YES,:=
2016-02-09 12:54:47 +01:00
SSHOPS="AllowTcpForwarding:NO,LOCAL,YES:=\
ClientAliveCountMax:2,4,16:<\
ClientAliveInterval:300,600,900:<\
2018-04-23 10:57:27 +02:00
Compression:NO,,YES:=\
2015-12-05 20:37:47 +01:00
FingerprintHash:SHA256,MD5,:=\
2016-02-09 12:54:47 +01:00
GatewayPorts:NO,,YES:=\
2015-12-05 20:37:47 +01:00
IgnoreRhosts:YES,,NO:=\
2016-02-09 12:54:47 +01:00
LoginGraceTime:120,240,480:<\
2015-12-05 20:37:47 +01:00
LogLevel:VERBOSE,INFO,:=\
2019-03-15 14:00:47 +01:00
MaxAuthTries:3,6,999:<\
2016-02-09 12:54:47 +01:00
MaxSessions:2,4,8:<\
2018-07-25 13:35:00 +02:00
PermitRootLogin:(NO|PROHIBIT-PASSWORD|WITHOUT-PASSWORD),,YES:=\
2016-02-09 12:54:47 +01:00
PermitUserEnvironment:NO,,YES:=\
PermitTunnel:NO,,YES:=\
Port:,,22:!\
2015-12-05 20:37:47 +01:00
PrintLastLog:YES,,NO:=\
StrictModes:YES,,NO:=\
2016-02-09 12:54:47 +01:00
TCPKeepAlive:NO,,YES:=\
2016-05-19 19:58:52 +02:00
UseDNS:NO,,YES:=\
2015-12-05 20:37:47 +01:00
VerifyReverseMapping:YES,,NO:=\
2016-07-11 11:25:51 +02:00
X11Forwarding:NO,,YES:=\
AllowAgentForwarding:NO,,YES:="
2015-12-03 00:57:50 +01:00
2018-10-23 17:14:47 +02:00
# OpenSSH had some options removed over time. Based on the version we add some additional options to check
if [ ${OPENSSHD_VERSION_MAJOR} -lt 7 ]; then
LogText "Result: added additional options for OpenSSH 6.x and lower"
SSHOPS="${SSHOPS} UsePrivilegeSeparation:SANDBOX,YES,NO:= Protocol:2,,1:="
elif [ ${OPENSSHD_VERSION_MAJOR} -eq 7 ]; then
# Protocol 1 support removed (OpenSSH 7.4 and later)
if [ ${OPENSSHD_VERSION_MINOR} -lt 4 ]; then
LogText "Result: added additional options for OpenSSH < 7.4"
SSHOPS="${SSHOPS} Protocol:2,,1:="
fi
# UsePrivilegedSeparation removed (OpenSSH 7.5 and later)
if [ ${OPENSSHD_VERSION_MINOR} -lt 5 ]; then
LogText "Result: added additional options for OpenSSH < 7.5"
SSHOPS="${SSHOPS} UsePrivilegeSeparation:SANDBOX,YES,NO:="
fi
fi
2016-04-19 12:04:51 +02:00
# Go through our list of options
2015-12-03 12:15:49 +01:00
for I in ${SSHOPS}; do
2017-03-06 08:41:21 +01:00
OPTIONNAME=$(echo ${I} | ${CUTBINARY} -d ':' -f1)
OPTIONNAME_LOWER=$(echo ${I} | ${CUTBINARY} -d ':' -f1 | ${AWKBINARY} '{ print tolower($1) }')
EXPECTEDVALUE=$(echo ${I} | ${CUTBINARY} -d ':' -f2 | ${CUTBINARY} -d',' -f1)
MEDIUMSCOREDVALUE=$(echo ${I} | ${CUTBINARY} -d ':' -f2 | ${CUTBINARY} -d',' -f2)
WEAKVALUE=$(echo ${I} | ${CUTBINARY} -d ':' -f2 | ${CUTBINARY} -d',' -f3)
TESTTYPE=$(echo ${I} | ${CUTBINARY} -d ':' -f3)
2015-12-05 20:37:47 +01:00
RESULT="NONE"
2015-12-03 00:57:50 +01:00
2016-04-19 12:37:40 +02:00
if ! SkipAtomicTest "${TEST_NO}:${OPTIONNAME_LOWER}"; then
2015-12-03 00:57:50 +01:00
2016-04-19 12:37:40 +02:00
# Get value and use the last occurrence
2017-03-06 08:41:21 +01:00
FOUNDVALUE=$(${AWKBINARY} -v OPT="${OPTIONNAME_LOWER}" 'index($0, OPT) == 1 { print toupper($2) }' ${SSH_DAEMON_OPTIONS_FILE} | tail -1)
2016-05-02 15:04:40 +02:00
LogText "Test: Checking ${OPTIONNAME} in ${SSH_DAEMON_OPTIONS_FILE}"
2015-12-05 20:52:26 +01:00
2017-04-23 20:06:54 +02:00
if [ ! -z "${FOUNDVALUE}" ]; then
2016-04-19 12:37:40 +02:00
LogText "Result: Option ${OPTIONNAME} found"
LogText "Result: Option ${OPTIONNAME} value is ${FOUNDVALUE}"
2015-12-05 21:14:24 +01:00
2016-04-19 12:37:40 +02:00
if [ "${TESTTYPE}" = "=" ]; then
if [ "${FOUNDVALUE}" = "${EXPECTEDVALUE}" ]; then
RESULT="GOOD"
elif [ "${FOUNDVALUE}" = "${MEDIUMSCOREDVALUE}" ]; then
RESULT="MIDSCORED"
elif [ "${FOUNDVALUE}" = "${WEAKVALUE}" ]; then
RESULT="WEAK"
else
2017-03-01 16:07:32 +01:00
if [ ! -z "${EXPECTEDVALUE}" ]; then
LogText "Expected value has multiple values, testing if active value is in list (${EXPECTEDVALUE})"
FIND=$(echo ${FOUNDVALUE} | ${GREPBINARY} -E "${EXPECTEDVALUE}")
2017-02-15 13:14:54 +01:00
if [ $? -eq 0 ]; then
LogText "Result: found"
RESULT="GOOD"
else
LogText "Result: not found"
fi
fi
if [ ! -z "${MEDIUMSCOREDVALUE}" ]; then
LogText "Medium scored value has multiple values, testing if active value is in list (${MEDIUMSCOREDVALUE})"
FIND=$(echo ${FOUNDVALUE} | ${GREPBINARY} -E "${MEDIUMSCOREDVALUE}")
if [ $? -eq 0 ]; then
LogText "Result: found"
RESULT="MIDSCORED"
else
LogText "Result: not found"
fi
fi
# Set result to weak if we can't find any matches
if [ "${RESULT}" = "NONE" ]; then RESULT="WEAK"; fi
2016-04-19 12:37:40 +02:00
fi
elif [ "${TESTTYPE}" = "<" ]; then
if [ "${FOUNDVALUE}" -ge "${WEAKVALUE}" -o "${FOUNDVALUE}" -gt "${MEDIUMSCOREDVALUE}" ]; then
RESULT="WEAK"
elif [ "${FOUNDVALUE}" -le "${MEDIUMSCOREDVALUE}" -a "${FOUNDVALUE}" -gt "${EXPECTEDVALUE}" ]; then
RESULT="MIDSCORED"
elif [ "${FOUNDVALUE}" -le "${EXPECTEDVALUE}" ]; then
RESULT="GOOD"
else
RESULT="UNKNOWN"
fi
elif [ "${TESTTYPE}" = ">" ]; then
if [ "${FOUNDVALUE}" -le "${WEAKVALUE}" ]; then
RESULT="WEAK"
elif [ "${FOUNDVALUE}" -le "${WEAKVALUE}" -a "${FOUNDVALUE}" -ge "${MEDIUMSCOREDVALUE}" ]; then
RESULT="MIDSCORED"
elif [ "${FOUNDVALUE}" -ge "${EXPECTEDVALUE}" ]; then
RESULT="GOOD"
else
RESULT="UNKNOWN"
fi
elif [ "${TESTTYPE}" = "!" ]; then
if [ "${FOUNDVALUE}" = "${WEAKVALUE}" ]; then
RESULT="WEAK"
elif [ ! "${FOUNDVALUE}" = "${WEAKVALUE}" ]; then
RESULT="GOOD"
else
RESULT="UNKNOWN"
fi
2015-12-05 21:45:40 +01:00
else
2016-04-19 12:37:40 +02:00
RESULT="NONE"
2015-12-05 21:45:40 +01:00
fi
2016-04-19 12:37:40 +02:00
fi
2015-12-05 21:45:40 +01:00
2016-04-19 12:37:40 +02:00
if [ "${RESULT}" = "GOOD" ]; then
LogText "Result: SSH option ${OPTIONNAME} is configured very well"
2016-06-18 11:14:01 +02:00
Display --indent 4 --text "- SSH option: ${OPTIONNAME}" --result "${STATUS_OK}" --color GREEN
2016-04-19 12:37:40 +02:00
AddHP 3 3
elif [ "${RESULT}" = "MIDSCORED" ]; then
LogText "Result: SSH option ${OPTIONNAME} is configured reasonably"
ReportSuggestion ${TEST_NO} "Consider hardening SSH configuration" "${OPTIONNAME} (${FOUNDVALUE} --> ${EXPECTEDVALUE})" "-"
ReportDetails --test "${TEST_NO}" --service "sshd" --field "${OPTIONNAME}" --value "${FOUNDVALUE}" --preferredvalue "${EXPECTEDVALUE}" --description "sshd option ${OPTIONNAME}"
2016-06-18 11:14:01 +02:00
Display --indent 4 --text "- SSH option: ${OPTIONNAME}" --result "${STATUS_SUGGESTION}" --color YELLOW
2016-04-19 12:37:40 +02:00
AddHP 1 3
elif [ "${RESULT}" = "WEAK" ]; then
LogText "Result: SSH option ${OPTIONNAME} is in a weak configuration state and should be fixed"
ReportSuggestion ${TEST_NO} "Consider hardening SSH configuration" "${OPTIONNAME} (${FOUNDVALUE} --> ${EXPECTEDVALUE})" "-"
ReportDetails --test "${TEST_NO}" --service "sshd" --field "${OPTIONNAME}" --value "${FOUNDVALUE}" --preferredvalue "${EXPECTEDVALUE}" --description "sshd option ${OPTIONNAME}"
2016-06-18 11:14:01 +02:00
Display --indent 4 --text "- SSH option: ${OPTIONNAME}" --result "${STATUS_SUGGESTION}" --color YELLOW
2016-04-19 12:37:40 +02:00
AddHP 0 3
elif [ "${RESULT}" = "UNKNOWN" ]; then
LogText "Result: Value of SSH option ${OPTIONNAME} is unknown (not defined)"
Display --indent 4 --text "- SSH option: ${OPTIONNAME}" --result DEFAULT --color WHITE
Report "unknown_config_option[]=ssh|$SSH_DAEMON_CONFIG}|${OPTIONNAME}|"
2015-12-03 00:57:50 +01:00
else
2016-04-19 12:37:40 +02:00
LogText "Result: Option ${OPTIONNAME} not found in output"
2016-06-18 11:14:01 +02:00
Display --indent 4 --text "- SSH option: ${OPTIONNAME}" --result "${STATUS_NOT_FOUND}" --color WHITE
2015-12-03 00:57:50 +01:00
fi
2017-04-23 20:06:54 +02:00
else
2016-04-20 12:08:10 +02:00
if IsVerbose; then Display --indent 4 --text "- SSH option: ${OPTIONNAME}" --result "SKIPPED (via config)" --color WHITE; fi
2015-12-05 20:37:47 +01:00
fi
2014-08-26 17:33:55 +02:00
done
fi
#
#################################################################################
#
# Test : SSH-7440
# Description : AllowUsers / AllowGroups
# Goal : Check if only a specific amount of users/groups can log in to the system
2017-04-23 20:06:54 +02:00
if [ ${SSH_DAEMON_RUNNING} -eq 1 -a ! -z "${SSH_DAEMON_OPTIONS_FILE}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
2016-07-24 17:22:00 +02:00
Register --test-no SSH-7440 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check SSH option: AllowUsers and AllowGroups"
2014-08-26 17:33:55 +02:00
if [ ${SKIPTEST} -eq 0 ]; then
FOUND=0
2014-09-09 14:49:37 +02:00
# AllowUsers
2017-03-06 08:41:21 +01:00
FIND=$(${EGREPBINARY} -i "^AllowUsers" ${SSH_DAEMON_OPTIONS_FILE} | ${AWKBINARY} '{ print $2 }')
2017-04-23 20:06:54 +02:00
if [ ! -z "${FIND}" ]; then
2015-12-21 21:17:15 +01:00
LogText "Result: AllowUsers set, with value ${FIND}"
2016-06-18 11:14:01 +02:00
Display --indent 4 --text "- SSH option: AllowUsers" --result "${STATUS_FOUND}" --color GREEN
2014-09-09 14:49:37 +02:00
FOUND=1
2017-04-23 20:06:54 +02:00
else
2015-12-21 21:17:15 +01:00
LogText "Result: AllowUsers is not set"
2016-06-18 11:14:01 +02:00
Display --indent 4 --text "- SSH option: AllowUsers" --result "${STATUS_NOT_FOUND}" --color WHITE
2014-09-09 14:49:37 +02:00
fi
# AllowGroups
2017-03-06 08:41:21 +01:00
FIND=$(${EGREPBINARY} -i "^AllowGroups" ${SSH_DAEMON_OPTIONS_FILE} | ${AWKBINARY} '{ print $2 }')
2017-04-23 20:06:54 +02:00
if [ ! -z "${FIND}" ]; then
2015-12-21 21:17:15 +01:00
LogText "Result: AllowUsers set ${FIND}"
2016-06-18 11:14:01 +02:00
Display --indent 4 --text "- SSH option: AllowGroups" --result "${STATUS_FOUND}" --color GREEN
2014-09-09 14:49:37 +02:00
FOUND=1
2017-04-23 20:06:54 +02:00
else
2015-12-21 21:17:15 +01:00
LogText "Result: AllowGroups is not set"
2016-06-18 11:14:01 +02:00
Display --indent 4 --text "- SSH option: AllowGroups" --result "${STATUS_NOT_FOUND}" --color WHITE
2014-09-09 14:49:37 +02:00
fi
2014-08-26 17:33:55 +02:00
2014-09-09 14:49:37 +02:00
if [ ${FOUND} -eq 1 ]; then
2015-12-21 21:17:15 +01:00
LogText "Result: SSH is limited to a specific set of users, which is good"
2014-09-09 14:49:37 +02:00
AddHP 2 2
2017-04-23 20:06:54 +02:00
else
2015-12-21 21:17:15 +01:00
LogText "Result: SSH has no specific user or group limitation. Most likely all valid users can SSH to this machine."
2014-09-09 14:49:37 +02:00
AddHP 0 1
fi
2014-08-26 17:33:55 +02:00
fi
#
#################################################################################
#
2015-07-22 17:37:11 +02:00
2015-12-21 21:17:15 +01:00
Report "ssh_daemon_running=${SSH_DAEMON_RUNNING}"
2014-08-26 17:33:55 +02:00
2016-04-28 12:31:57 +02:00
WaitForKeyPress
2014-08-26 17:33:55 +02:00
#
#================================================================================
2016-03-13 16:03:46 +01:00
# Lynis - Security Auditing and System Hardening for Linux and UNIX - https://cisofy.com