lynis/include/tests_kernel_hardening

#!/bin/sh

#################################################################################
#
#   Lynis
# ------------------
#
# Copyright 2007-2013, Michael Boelen
# Copyright 2007-2021, CISOfy
#
# Website  : https://cisofy.com
# Blog     : http://linux-audit.com
# GitHub   : https://github.com/CISOfy/lynis
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
# See LICENSE file for usage of this software.
#
#################################################################################
#
# Kernel
#
#################################################################################
#
    InsertSection "${SECTION_KERNEL_HARDENING}"
#
#################################################################################
#
    # Test        : KRNL-6000
    # Description : Check sysctl parameters
    # Sysctl      : net.ipv4.icmp_ignore_bogus_error_responses (=1)
    if [ ! "${SYSCTL_READKEY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
    Register --test-no KRNL-6000 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check sysctl key pairs in scan profile"
    if [ ${SKIPTEST} -eq 0 ]; then
        FOUND=0
        DATA_TO_SCAN=""
        N=0
        Display --indent 2 --text "- Comparing sysctl key pairs with scan profile"

        # First scan optional profiles only (ignore default and custom)
        for PROFILE in ${PROFILES}; do
            FILE=$(echo ${PROFILE} | ${AWKBINARY} -F/ '{print $NF}')
            if [ ! "${FILE}" = "default.prf" -a ! "${FILE}" = "custom.prf" ]; then
                FIND=$(${GREPBINARY} "^config-data=sysctl;" ${PROFILE} | ${SEDBINARY} 's/ /-space-/g')
                DATA_TO_SCAN="${DATA_TO_SCAN} ${FIND}"
            fi
        done

        # Scan custom profile
        if [ -n "${CUSTOM_PROFILE}" ]; then
            FIND=$(${GREPBINARY} "^config-data=sysctl;" ${CUSTOM_PROFILE} | ${SEDBINARY} 's/ /-space-/g')
            for LINE in ${FIND}; do
                SYSCTLKEY=$(echo ${LINE} | ${AWKBINARY} -F\; '{ print $2 }')
                HAS_KEY=$(echo ${DATA_TO_SCAN} | ${GREPBINARY} ";${SYSCTLKEY};")
                if [ $? -gt 0 ]; then DATA_TO_SCAN="${DATA_TO_SCAN} ${LINE}"; fi
            done
        fi

        # Last, use data from default profile
        if [ -n "${DEFAULT_PROFILE}" ]; then
            FIND=$(${GREPBINARY} "^config-data=sysctl;" ${DEFAULT_PROFILE} | ${SEDBINARY} 's/ /-space-/g')
            for LINE in ${FIND}; do
                SYSCTLKEY=$(echo ${LINE} | ${AWKBINARY} -F\; '{ print $2 }')
                HAS_KEY=$(echo ${DATA_TO_SCAN} | ${GREPBINARY} ";${SYSCTLKEY};")
                if [ $? -gt 0 ]; then DATA_TO_SCAN="${DATA_TO_SCAN} ${LINE}"; fi
            done
        fi

        # Sort the results
        DATA_TO_SCAN=$(echo ${DATA_TO_SCAN} | ${TRBINARY} ' ' '\n' | sort)

        for line in ${DATA_TO_SCAN}; do
            tFINDkey=$(echo ${line} | ${AWKBINARY} -F\; '{ print $2 }')
            if ! SkipAtomicTest "${TEST_NO}:${tFINDkey}"; then
                tFINDexpvalue=$(echo ${line} | ${AWKBINARY} -F\; '{ print $3 }' | ${TRBINARY} '|' ' ')
                tFINDhp=$(echo ${line} | ${AWKBINARY} -F\; '{ print $4 }' | ${GREPBINARY} "[0-9]")
                tFINDdesc=$(echo ${line} | ${AWKBINARY} -F\; '{ print $5 }' | ${SEDBINARY} 's/-space-/ /g')
                tFINDcurvalue=$(${SYSCTL_READKEY} ${tFINDkey} 2> /dev/null)
                if [ -n "${tFINDcurvalue}" ]; then
                    positive_match=0
                    for value in ${tFINDexpvalue}; do
                        if [ "${value}" = "${tFINDcurvalue}" ]; then
                            positive_match=1
                        fi
                    done
                    if [ ${positive_match} -eq 1 ]; then
                        LogText "Result: sysctl key ${tFINDkey} contains equal expected and current value (${tFINDexpvalue})"
                        Display --indent 4 --text "- ${tFINDkey} (exp: ${tFINDexpvalue})" --result "${STATUS_OK}" --color GREEN
                        AddHP ${tFINDhp} ${tFINDhp}
                    else
                        LogText "Result: sysctl key ${tFINDkey} has a different value than expected in scan profile. Expected=${tFINDexpvalue}, Real=${tFINDcurvalue}"
                        Display --indent 4 --text "- ${tFINDkey} (exp: ${tFINDexpvalue})" --result "${STATUS_DIFFERENT}" --color RED
                        AddHP 0 ${tFINDhp}
                        FOUND=1
                        N=$((N + 1))
                        ReportDetails --test "${TEST_NO}" --service "sysctl" --field "${tFINDkey}" --value "${tFINDcurvalue}" --preferredvalue "${tFINDexpvalue}" --description "${tFINDdesc}"
                    fi
                else
                    LogText "Result: key ${tFINDkey} does not exist on this machine"
                fi
            else
                LogText "Skipped test for ${tFINDkey} via profile"
            fi
        done

        # Add suggestion if one or more sysctls have a different value than scan profile
        if [ ${FOUND} -eq 1 ]; then
            LogText "Result: found ${N} keys that can use tuning, according scan profile"
            ReportSuggestion "${TEST_NO}" "One or more sysctl values differ from the scan profile and could be tweaked" "" "Change sysctl value or disable test (skip-test=${TEST_NO}:<sysctl-key>)"
        fi
    fi
#
#################################################################################
#

WaitForKeyPress

#
#================================================================================
# Lynis - Security Auditing and System Hardening for Linux and UNIX - https://cisofy.com
Initial import 2014-08-26 17:33:55 +02:00			`#!/bin/sh`

			`#################################################################################`
			`#`
			`# Lynis`
			`# ------------------`
			`#`
Added link to website, blog, github 2016-03-13 16:00:39 +01:00			`# Copyright 2007-2013, Michael Boelen`
Preparation for release 3.0.3 2021-01-07 15:22:19 +01:00			`# Copyright 2007-2021, CISOfy`
Added link to website, blog, github 2016-03-13 16:00:39 +01:00			`#`
			`# Website : https://cisofy.com`
			`# Blog : http://linux-audit.com`
			`# GitHub : https://github.com/CISOfy/lynis`
Initial import 2014-08-26 17:33:55 +02:00			`#`
			`# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are`
			`# welcome to redistribute it under the terms of the GNU General Public License.`
			`# See LICENSE file for usage of this software.`
			`#`
			`#################################################################################`
			`#`
			`# Kernel`
			`#`
			`#################################################################################`
			`#`
Add translate function for all sections + add EN and FR up to date languages files 2020-10-22 00:13:42 +02:00			`InsertSection "${SECTION_KERNEL_HARDENING}"`
Initial import 2014-08-26 17:33:55 +02:00			`#`
			`#################################################################################`
			`#`
			`# Test : KRNL-6000`
			`# Description : Check sysctl parameters`
spelling: ignore Signed-off-by: Josh Soref <jsoref@users.noreply.github.com> 2020-11-09 05:16:51 +01:00			`# Sysctl : net.ipv4.icmp_ignore_bogus_error_responses (=1)`
Initial import 2014-08-26 17:33:55 +02:00			`if [ ! "${SYSCTL_READKEY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi`
Rename of categories, introduction of groups 2016-07-24 17:22:00 +02:00			`Register --test-no KRNL-6000 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check sysctl key pairs in scan profile"`
Initial import 2014-08-26 17:33:55 +02:00			`if [ ${SKIPTEST} -eq 0 ]; then`
[KRNL-6000] Change test to allow parsing multiple profiles and storing more details 2016-04-13 16:13:04 +02:00			`FOUND=0`
Support sysctl checks with multiple profiles 2016-08-18 14:35:20 +02:00			`DATA_TO_SCAN=""`
Initial import 2014-08-26 17:33:55 +02:00			`N=0`
Code cleanup and small enhancements 2014-09-15 12:01:09 +02:00			`Display --indent 2 --text "- Comparing sysctl key pairs with scan profile"`
Support sysctl checks with multiple profiles 2016-08-18 14:35:20 +02:00
			`# First scan optional profiles only (ignore default and custom)`
[KRNL-6000] Change test to allow parsing multiple profiles and storing more details 2016-04-13 16:13:04 +02:00			`for PROFILE in ${PROFILES}; do`
Use detected binaries 2016-08-25 15:31:33 +02:00			`FILE=$(echo ${PROFILE} \| ${AWKBINARY} -F/ '{print $NF}')`
Support sysctl checks with multiple profiles 2016-08-18 14:35:20 +02:00			`if [ ! "${FILE}" = "default.prf" -a ! "${FILE}" = "custom.prf" ]; then`
Style improvements and command replacements 2016-09-08 21:04:17 +02:00			`FIND=$(${GREPBINARY} "^config-data=sysctl;" ${PROFILE} \| ${SEDBINARY} 's/ /-space-/g')`
Support sysctl checks with multiple profiles 2016-08-18 14:35:20 +02:00			`DATA_TO_SCAN="${DATA_TO_SCAN} ${FIND}"`
			`fi`
			`done`

			`# Scan custom profile`
Use -n instead of ! -z 2019-07-16 13:20:30 +02:00			`if [ -n "${CUSTOM_PROFILE}" ]; then`
Style improvements and command replacements 2016-09-08 21:04:17 +02:00			`FIND=$(${GREPBINARY} "^config-data=sysctl;" ${CUSTOM_PROFILE} \| ${SEDBINARY} 's/ /-space-/g')`
Support sysctl checks with multiple profiles 2016-08-18 14:35:20 +02:00			`for LINE in ${FIND}; do`
Use detected binaries 2016-08-25 15:31:33 +02:00			`SYSCTLKEY=$(echo ${LINE} \| ${AWKBINARY} -F\; '{ print $2 }')`
Support sysctl checks with multiple profiles 2016-08-18 14:35:20 +02:00			`HAS_KEY=$(echo ${DATA_TO_SCAN} \| ${GREPBINARY} ";${SYSCTLKEY};")`
			`if [ $? -gt 0 ]; then DATA_TO_SCAN="${DATA_TO_SCAN} ${LINE}"; fi`
[KRNL-6000] Change test to allow parsing multiple profiles and storing more details 2016-04-13 16:13:04 +02:00			`done`
Support sysctl checks with multiple profiles 2016-08-18 14:35:20 +02:00			`fi`

			`# Last, use data from default profile`
Use -n instead of ! -z 2019-07-16 13:20:30 +02:00			`if [ -n "${DEFAULT_PROFILE}" ]; then`
Style improvements and command replacements 2016-09-08 21:04:17 +02:00			`FIND=$(${GREPBINARY} "^config-data=sysctl;" ${DEFAULT_PROFILE} \| ${SEDBINARY} 's/ /-space-/g')`
Support sysctl checks with multiple profiles 2016-08-18 14:35:20 +02:00			`for LINE in ${FIND}; do`
Use detected binaries 2016-08-25 15:31:33 +02:00			`SYSCTLKEY=$(echo ${LINE} \| ${AWKBINARY} -F\; '{ print $2 }')`
Support sysctl checks with multiple profiles 2016-08-18 14:35:20 +02:00			`HAS_KEY=$(echo ${DATA_TO_SCAN} \| ${GREPBINARY} ";${SYSCTLKEY};")`
			`if [ $? -gt 0 ]; then DATA_TO_SCAN="${DATA_TO_SCAN} ${LINE}"; fi`
			`done`
			`fi`

			`# Sort the results`
Style improvements and command replacements 2016-09-08 21:04:17 +02:00			`DATA_TO_SCAN=$(echo ${DATA_TO_SCAN} \| ${TRBINARY} ' ' '\n' \| sort)`
Support sysctl checks with multiple profiles 2016-08-18 14:35:20 +02:00
Rename variable 2018-01-11 10:38:11 +01:00			`for line in ${DATA_TO_SCAN}; do`
			`tFINDkey=$(echo ${line} \| ${AWKBINARY} -F\; '{ print $2 }')`
Added solution, extended timestamps key values, allow multiple values 2018-01-11 10:19:16 +01:00			`if ! SkipAtomicTest "${TEST_NO}:${tFINDkey}"; then`
Rename variable 2018-01-11 10:38:11 +01:00			`tFINDexpvalue=$(echo ${line} \| ${AWKBINARY} -F\; '{ print $3 }' \| ${TRBINARY} '\|' ' ')`
			`tFINDhp=$(echo ${line} \| ${AWKBINARY} -F\; '{ print $4 }' \| ${GREPBINARY} "[0-9]")`
			`tFINDdesc=$(echo ${line} \| ${AWKBINARY} -F\; '{ print $5 }' \| ${SEDBINARY} 's/-space-/ /g')`
Added solution, extended timestamps key values, allow multiple values 2018-01-11 10:19:16 +01:00			`tFINDcurvalue=$(${SYSCTL_READKEY} ${tFINDkey} 2> /dev/null)`
Use -n instead of ! -z 2019-07-16 13:20:30 +02:00			`if [ -n "${tFINDcurvalue}" ]; then`
Added solution, extended timestamps key values, allow multiple values 2018-01-11 10:19:16 +01:00			`positive_match=0`
			`for value in ${tFINDexpvalue}; do`
			`if [ "${value}" = "${tFINDcurvalue}" ]; then`
			`positive_match=1`
			`fi`
			`done`
			`if [ ${positive_match} -eq 1 ]; then`
			`LogText "Result: sysctl key ${tFINDkey} contains equal expected and current value (${tFINDexpvalue})"`
			`Display --indent 4 --text "- ${tFINDkey} (exp: ${tFINDexpvalue})" --result "${STATUS_OK}" --color GREEN`
			`AddHP ${tFINDhp} ${tFINDhp}`
			`else`
			`LogText "Result: sysctl key ${tFINDkey} has a different value than expected in scan profile. Expected=${tFINDexpvalue}, Real=${tFINDcurvalue}"`
Adding and improvement translated strings 2020-12-16 01:07:27 +01:00			`Display --indent 4 --text "- ${tFINDkey} (exp: ${tFINDexpvalue})" --result "${STATUS_DIFFERENT}" --color RED`
Added solution, extended timestamps key values, allow multiple values 2018-01-11 10:19:16 +01:00			`AddHP 0 ${tFINDhp}`
			`FOUND=1`
			`N=$((N + 1))`
			`ReportDetails --test "${TEST_NO}" --service "sysctl" --field "${tFINDkey}" --value "${tFINDcurvalue}" --preferredvalue "${tFINDexpvalue}" --description "${tFINDdesc}"`
			`fi`
Support sysctl checks with multiple profiles 2016-08-18 14:35:20 +02:00			`else`
Added solution, extended timestamps key values, allow multiple values 2018-01-11 10:19:16 +01:00			`LogText "Result: key ${tFINDkey} does not exist on this machine"`
Support sysctl checks with multiple profiles 2016-08-18 14:35:20 +02:00			`fi`
			`else`
Added solution, extended timestamps key values, allow multiple values 2018-01-11 10:19:16 +01:00			`LogText "Skipped test for ${tFINDkey} via profile"`
Support sysctl checks with multiple profiles 2016-08-18 14:35:20 +02:00			`fi`
Initial import 2014-08-26 17:33:55 +02:00			`done`

			`# Add suggestion if one or more sysctls have a different value than scan profile`
[KRNL-6000] Change test to allow parsing multiple profiles and storing more details 2016-04-13 16:13:04 +02:00			`if [ ${FOUND} -eq 1 ]; then`
			`LogText "Result: found ${N} keys that can use tuning, according scan profile"`
Code style improvement: quote argument 2019-12-18 12:17:46 +01:00			`ReportSuggestion "${TEST_NO}" "One or more sysctl values differ from the scan profile and could be tweaked" "" "Change sysctl value or disable test (skip-test=${TEST_NO}:<sysctl-key>)"`
Initial import 2014-08-26 17:33:55 +02:00			`fi`
			`fi`
			`#`
			`#################################################################################`
			`#`

Replaced old function names with new ones 2016-04-28 12:31:57 +02:00			`WaitForKeyPress`
Initial import 2014-08-26 17:33:55 +02:00
			`#`
			`#================================================================================`
Removed copyright line, added description 2016-03-13 16:03:46 +01:00			`# Lynis - Security Auditing and System Hardening for Linux and UNIX - https://cisofy.com`