#!/bin/sh
#################################################################################
#
# Lynis
# ------------------
#
# Copyright 2007-2013, Michael Boelen
# Copyright 2007-2021, CISOfy
#
# Website : https://cisofy.com
# Blog : http://linux-audit.com
# GitHub : https://github.com/CISOfy/lynis
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
# See LICENSE file for usage of this software.
#
#################################################################################
#
# Firewalls
#
#################################################################################
#
# Open the "Firewalls" section in the screen/log output (Lynis helper, defined outside this file)
InsertSection "${SECTION_FIREWALLS}"
#
#################################################################################
#
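# Detection state shared by the tests in this file. Everything starts as "not found"
# and is raised to 1 by the individual tests; FIRE-4590 reads FIREWALL_ACTIVE at the end.
FIREWALL_ACTIVE=0
FIREWALL_EMPTY_RULESET=0
IPTABLES_ACTIVE=0
IPTABLES_INKERNEL_ACTIVE=0
IPTABLES_MODULE_ACTIVE=0
IP6TABLES_ACTIVE=0
NFTABLES_ACTIVE=0
# pf state. FIRE-4520 reads PFFOUND in its prerequisite check even when FIRE-4518 (which
# normally sets it) was skipped because /dev/pf is absent, so it needs a defined value here.
PFFOUND=0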
#
#################################################################################
#
# Test : FIRE-4502
# Description : Check iptables kernel module
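Register --test-no FIRE-4502 --os Linux --weight L --network NO --category security --description "Check iptables kernel module"
if [ ${SKIPTEST} -eq 0 ]; then
    # lsmod lists the core module as ip_tables (IPv4) or ip6_tables (IPv6). The '6' must be
    # optional in the pattern: the former BRE "^ip*_tables" applies '*' to the 'p' only and
    # therefore never matched ip6_tables, so IP6TABLES_ACTIVE stayed 0 whenever ip_tables
    # was loaded as well (the /proc fallback below is only reached when lsmod found nothing).
    FIND=$(${LSMODBINARY} | ${AWKBINARY} '{ print $1 }' | ${GREPBINARY} -E "^ip6?_tables")
    if [ -n "${FIND}" ]; then
        FIREWALL_ACTIVE=1
        IPTABLES_ACTIVE=1
        IPTABLES_MODULE_ACTIVE=1
        Display --indent 2 --text "- Checking iptables kernel module" --result "${STATUS_FOUND}" --color GREEN
        Report "firewall_software[]=iptables"
        LogText "Result: Found iptables in loaded kernel modules"
        for MODULE in ${FIND}; do
            LogText "Found module: ${MODULE}"
            if [ "${MODULE}" = "ip6_tables" ]; then
                IP6TABLES_ACTIVE=1
                Report "firewall_software[]=ip6tables"
            fi
        done
    elif [ -f ${ROOTDIR}proc/net/ip_tables_names ]; then
        # No module loaded, but the kernel exposes its iptables tables: support is built in
        FIREWALL_ACTIVE=1
        IPTABLES_ACTIVE=1
        Report "firewall_software[]=iptables"
        Display --indent 2 --text "- Checking iptables support" --result "${STATUS_FOUND}" --color GREEN
    elif [ -f ${ROOTDIR}proc/net/ip6_tables_names ]; then
        FIREWALL_ACTIVE=1
        IP6TABLES_ACTIVE=1
        Report "firewall_software[]=ip6tables"
        Display --indent 2 --text "- Checking ip6tables support" --result "${STATUS_FOUND}" --color GREEN
    else
        Display --indent 2 --text "- Checking iptables kernel module" --result "${STATUS_NOT_FOUND}" --color WHITE
        # Last resort: the kernel build configuration. The compressed /proc copy is used when
        # present; the plain /boot copy for the running kernel wins when both exist. Paths
        # are prefixed with ROOTDIR like the /proc checks above. Only CONFIG_IP_NF_IPTABLES=y
        # (built in) counts here - =m means a module, and that case was decided by lsmod.
        tCATCMD=""
        if [ -f ${ROOTDIR}proc/config.gz ]; then LINUXCONFIGFILE="${ROOTDIR}proc/config.gz"; tCATCMD="zcat"; fi
        sLINUXCONFIGFILE="${ROOTDIR}boot/config-$(uname -r)"
        if [ -f ${sLINUXCONFIGFILE} ]; then LINUXCONFIGFILE="${sLINUXCONFIGFILE}"; tCATCMD="cat"; fi
        # tCATCMD is only set when one of the two files was found in this block, which
        # guards against a stale LINUXCONFIGFILE value left behind by another test file
        if [ -n "${tCATCMD}" ] && [ -f "${LINUXCONFIGFILE}" ]; then
            LogText "Result: found kernel configuration file (${LINUXCONFIGFILE})"
            FIND=$(${tCATCMD} ${LINUXCONFIGFILE} | ${GREPBINARY} -v '^#' | ${GREPBINARY} "CONFIG_IP_NF_IPTABLES" | ${HEADBINARY} -n 1)
            if [ -n "${FIND}" ]; then
                HAVEMOD=$(echo "${FIND}" | ${CUTBINARY} -d '=' -f2)
                if [ "${HAVEMOD}" = "y" ]; then
                    # =y is built in, not "available as a module" as the old log line said
                    LogText "Result: iptables is built into the kernel (CONFIG_IP_NF_IPTABLES=y)"
                    IPTABLES_ACTIVE=1
                    IPTABLES_INKERNEL_ACTIVE=1
                    FIREWALL_ACTIVE=1
                    Display --indent 2 --text "- Checking iptables in config file" --result "${STATUS_FOUND}" --color GREEN
                else
                    LogText "Result: no iptables found in Linux kernel config file"
                fi
            else
                LogText "Result: no iptables found in Linux kernel config file"
            fi
        else
            LogText "Result: no Linux configuration file found"
            Display --indent 2 --text "- Checking iptables in config file" --result "${STATUS_NOT_FOUND}" --color WHITE
        fi
    fi
fi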
#
#################################################################################
#
# Test : FIRE-4508
# Description : Check iptables chain policies
# Notes : Most suggestions are disabled until the related page and documentation are available; only the NFQUEUE case below reports one
# TODO : grep -z is not supported on BusyBox
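if [ -n "${IPTABLESBINARY}" ] && [ ${IPTABLES_ACTIVE} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no FIRE-4508 --preqs-met ${PREQS_MET} --os Linux --weight L --network NO --root-only YES --category security --description "Check used policies of iptables chains"
if [ ${SKIPTEST} -eq 0 ]; then
    Display --indent 4 --text "- Checking iptables policies of chains" --result "${STATUS_FOUND}" --color GREEN
    # 'iptables -S' prints one item per line: "-P <chain> <policy>" for a built-in chain's
    # default policy, "-N <chain>" for a user chain and "-A <chain> ... -j <target>" for a rule.
    tables="filter nat mangle raw security"
    for t in ${tables}; do
        # -w 1: wait up to a second for the xtables lock instead of failing immediately
        ${IPTABLESBINARY} -t "${t}" -S -v -w 1 2> /dev/null | while read -r line; do
            # Per-line state, reset for every line. Without the reset a line inherits the
            # target of the previous one, and without 'kind' every "-A INPUT ... -j ACCEPT"
            # rule was scored (and displayed) as if it were the chain's default policy.
            kind=""; chain=""; target=""
            # Word-split with globbing off: a '*' token (e.g. inside a comment match) must
            # not expand to file names from the current directory. The pipeline body runs
            # in a subshell, so the option change does not leak out.
            set -f
            set -- ${line}
            set +f
            while [ $# -gt 0 ]; do
                case "${1}" in
                    -P) kind="policy"; chain="${2}"; target="${3}" ;;
                    -N) kind="chain"; chain="${2}" ;;
                    -A) kind="rule"; chain="${2}" ;;
                    -j) target="${2}" ;;
                esac
                # Always advance by one token: option arguments simply fall through on the
                # next round, so a short or unusual line can never over-shift (a fatal error
                # in some /bin/sh implementations).
                shift
            done
            # Only the filter and security tables decide whether traffic is allowed
            if [ "${t}" = "filter" ] || [ "${t}" = "security" ]; then
                # Default policy of the INPUT chain - policy lines only
                if [ "${kind}" = "policy" ] && [ "${chain}" = "INPUT" ]; then
                    if [ "${target}" = "ACCEPT" ]; then
                        LogText "Result: Found ${target} for ${chain} (table: ${t})"
                        Display --indent 6 --text "- Checking chain ${chain} (table: ${t}, chain ${chain})" --result "${target}" --color YELLOW
                        AddHP 1 3
                    elif [ "${target}" = "DROP" ]; then
                        LogText "Result: Found ${target} for ${chain} (table: ${t})"
                        Display --indent 6 --text "- Checking chain ${chain} (table: ${t}, chain ${chain})" --result "${target}" --color GREEN
                        AddHP 3 3
                    fi
                fi
                # NFQUEUE delegates the verdict to a userspace process; it is flagged on any
                # line (policy or rule) that belongs to one of the built-in chains
                case "${chain}" in
                    INPUT|FORWARD|OUTPUT)
                        if [ "${target}" = "NFQUEUE" ]; then
                            LogText "Result: Found ${target} for ${chain} (table: ${t})"
                            Display --indent 6 --text "- Checking chain ${chain} (table: ${t}, chain ${chain})" --result "${target}" --color RED
                            ReportSuggestion "${TEST_NO}" "Consider avoid ${target} target if possible (iptables chain ${chain}, table: ${t})"
                            AddHP 0 3
                        fi
                        ;;
                esac
            fi
        done
    done
fi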
#
#################################################################################
#
# Test : FIRE-4512
# Description : Check iptables for empty ruleset (five rules or fewer is treated as empty)
if [ -n "${IPTABLESBINARY}" ] && [ ${IPTABLES_ACTIVE} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no FIRE-4512 --preqs-met ${PREQS_MET} --os Linux --weight L --network NO --root-only YES --category security --description "Check iptables for empty ruleset"
if [ ${SKIPTEST} -eq 0 ]; then
    # Count rule lines in the filter table (the default table for --list): drop the
    # "Chain ..." headers, the "target prot ..." column headers and blank separators,
    # then count what is left. Rules in the nat/mangle/raw tables are not counted.
    RULE_COUNT=$(${IPTABLESBINARY} --list --numeric 2> /dev/null | ${GREPBINARY} -E -v "^(Chain|target|$)" | ${WCBINARY} -l | ${TRBINARY} -d ' ')
    if [ -n "${RULE_COUNT}" ]; then
        FIREWALL_ACTIVE=1
        if [ ${RULE_COUNT} -gt 5 ]; then
            LogText "Result: one or more rules are available (${RULE_COUNT} rules)"
            Display --indent 4 --text "- Checking for empty ruleset" --result "${STATUS_OK}" --color GREEN
        else
            # Five rules or fewer: the modules are loaded but nothing meaningful is configured
            FIREWALL_EMPTY_RULESET=1
            LogText "Result: iptables ruleset seems to be empty (found ${RULE_COUNT} rules)"
            Display --indent 4 --text "- Checking for empty ruleset" --result "${STATUS_WARNING}" --color RED
            ReportWarning "${TEST_NO}" "iptables module(s) loaded, but no rules active"
        fi
    fi
fi
#
#################################################################################
#
# Test : FIRE-4513
# Description : Check iptables for unused rules
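if [ -n "${IPTABLESBINARY}" ] && [ ${IPTABLES_ACTIVE} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no FIRE-4513 --preqs-met ${PREQS_MET} --os Linux --weight L --network NO --root-only YES --category security --description "Check iptables for unused rules"
if [ ${SKIPTEST} -eq 0 ]; then
    # Verbose listing columns: num pkts bytes target prot opt in out source destination.
    # A rule whose packet counter ($2) is 0 has never matched since the counters were last
    # reset. The current chain is tracked from the "Chain <name> ..." header so every hit
    # is logged as chain:number - bare numbers restart at 1 in each chain and were ambiguous.
    # Only the filter table is listed (the default for --list); stderr is discarded as in
    # the other iptables tests so it cannot clutter the screen output.
    FIND=$(${IPTABLESBINARY} --list --numeric --line-numbers --verbose 2> /dev/null | ${AWKBINARY} '/^Chain / { chain=$2 } $1 ~ /^[0-9]+$/ && $2 == "0" { print chain ":" $1 }' | ${XARGSBINARY})
    if IsEmpty "${FIND}"; then
        Display --indent 4 --text "- Checking for unused rules" --result "${STATUS_OK}" --color GREEN
        LogText "Result: There are no unused rules present"
    else
        Display --indent 4 --text "- Checking for unused rules" --result "${STATUS_FOUND}" --color YELLOW
        LogText "Result: Found one or more possible unused rules"
        LogText "Description: Unused rules can be a sign that the firewall rules aren't optimized or up-to-date"
        LogText "Note: Sometimes rules aren't triggered but still in use (e.g. rarely seen traffic, or counters reset at boot). Keep this in mind before cleaning up rules."
        LogText "Output: iptables rules with zero hits (chain:rule number): ${FIND}"
        ReportSuggestion "${TEST_NO}" "Check iptables rules to see which rules are currently not used"
        LogText "Tip: iptables --list --numeric --line-numbers --verbose"
    fi
fi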
#
#################################################################################
#
# Test : FIRE-4514
# Notes :
# Check if ipv6 is active on any network interface
# If ip_tables is active, and ip6_tables is not, show warning about missing filtering
#
#################################################################################
#
# Test : FIRE-4518
# Description : Checking status of pf firewall components
# Notes : Use /dev/pf as first detection method if pf is available
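if [ -e /dev/pf ]; then PREQS_MET="YES"; SKIPREASON=""; else PREQS_MET="NO"; SKIPREASON="No /dev/pf device"; fi
Register --test-no FIRE-4518 --preqs-met ${PREQS_MET} --skip-reason "${SKIPREASON}" --weight L --network NO --root-only YES --category security --description "Check pf firewall components"
if [ ${SKIPTEST} -eq 0 ]; then
    PFFOUND=0; PFLOGDFOUND=0; PFDISABLED=0
    # Step 1 - ask pf itself. The first "Status:" line of 'pfctl -sa' starts with
    # "Status: Enabled" or "Status: Disabled"; anything else is treated as unknown.
    LogText "Test: checking pf status via pfctl"
    if [ -n "${PFCTLBINARY}" ]; then
        FIND=$(${PFCTLBINARY} -sa 2>&1 | ${GREPBINARY} "^Status" | ${HEADBINARY} -1 | ${AWKBINARY} '{ print $2 }')
        case "${FIND}" in
            Enabled)
                Display --indent 2 --text "- Checking pf status (pfctl)" --result "${STATUS_ENABLED}" --color GREEN
                LogText "Result: pf is enabled"
                PFFOUND=1
                AddHP 3 3
                ;;
            Disabled)
                if IsVerbose; then Display --indent 2 --text "- Checking pf status (pfctl)" --result "${STATUS_DISABLED}" --color RED; fi
                LogText "Result: pf is disabled"
                PFDISABLED=1
                AddHP 0 3
                ;;
            *)
                Display --indent 2 --text "- Checking pf status (pfctl)" --result "${STATUS_UNKNOWN}" --color YELLOW
                ReportException "${TEST_NO}" "Unknown status of pf firewall"
                ;;
        esac
    fi
    # Step 2 - indirect evidence (a loaded pf module, a running pflogd) is only consulted
    # when pfctl gave no usable answer. After an explicit "Disabled" it is skipped: 'pfctl -d'
    # neither unloads the module nor stops pflogd, so both would have marked a packet
    # filter that is switched off as an active firewall (and FIRE-4590 would score it).
    if [ ${PFFOUND} -eq 0 ] && [ ${PFDISABLED} -eq 0 ]; then
        # pf kernel module (FreeBSD and similar)
        LogText "Test: searching for pf kernel module"
        if [ -n "${KLDSTATBINARY}" ]; then
            if ${KLDSTATBINARY} | ${GREPBINARY} -q 'pf.ko'; then
                LogText "Result: pf KLD loaded"
                PFFOUND=1
            else
                LogText "Result: Can not find pf KLD"
            fi
        else
            LogText "Result: no kldstat binary, skipping this part"
        fi
        if IsRunning "pflogd"; then
            LogText "Result: found pflog daemon in process list"
            Display --indent 4 --text "- Checking pflogd status" --result "ACTIVE" --color GREEN
            PFFOUND=1
            PFLOGDFOUND=1
        else
            LogText "Result: pflog daemon not found in process list"
        fi
    fi
    if [ ${PFFOUND} -eq 1 ]; then
        FIREWALL_ACTIVE=1
        Report "firewall_software[]=pf"
    else
        LogText "Result: pf not running on this system"
    fi
fi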
#
#################################################################################
#
# Test : FIRE-4520
# Description : Check pf configuration consistency
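# PFFOUND is unset when FIRE-4518 was skipped (no /dev/pf); default it so the test does not
# error out. pfctl itself is required here, otherwise the command below cannot run at all.
if [ "${PFFOUND:-0}" -eq 1 ] && [ -n "${PFCTLBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no FIRE-4520 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check pf configuration consistency"
if [ ${SKIPTEST} -eq 0 ]; then
    LogText "Test: check /etc/pf.conf"
    if [ -f /etc/pf.conf ]; then
        LogText "Result: /etc/pf.conf exists"
        # -n parses the rules without loading them; -vvv makes pfctl print its warnings.
        # Previously an empty PFCTLBINARY (pf detected via kldstat/pflogd only) turned this
        # into the command "-n -f ...", whose "not found" error never contains 'warning',
        # which produced a false OK.
        PFWARNINGS=$(${PFCTLBINARY} -n -f /etc/pf.conf -vvv 2>&1 | ${GREPBINARY} -i 'warning')
        if [ -z "${PFWARNINGS}" ]; then
            Display --indent 4 --text "- Checking pf configuration consistency" --result "${STATUS_OK}" --color GREEN
            LogText "Result: no pf filter warnings found"
        else
            Display --indent 4 --text "- Checking pf configuration consistency" --result "${STATUS_WARNING}" --color RED
            LogText "Result: found one or more warnings in the pf filter rules"
            ReportWarning "${TEST_NO}" "Found one or more warnings in pf configuration file" "/etc/pf.conf" "text:Run 'pfctl -n -f /etc/pf.conf -vvv' to see available pf warnings"
        fi
    else
        LogText "Result: /etc/pf.conf does NOT exist"
    fi
fi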
#
#################################################################################
#
# Test : FIRE-4522
# Description : Check ipchains
#
#################################################################################
#
# Test : FIRE-4524
# Description : Check for CSF (ConfigServer Security & Firewall)
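Register --test-no FIRE-4524 --weight L --network NO --category security --description "Check for CSF presence"
if [ ${SKIPTEST} -eq 0 ]; then
    FILE="/etc/csf/csf.conf"
    LogText "Test: check ${FILE}"
    if [ -f ${FILE} ]; then
        LogText "Result: ${FILE} exists"
        Report "firewall_software[]=csf"
        Display --indent 2 --text "- Checking CSF status (configuration file)" --result "${STATUS_FOUND}" --color GREEN
        # CSF's TESTING setting: only an explicit 0 means testing mode is off.
        # POSIX ERE instead of 'grep -P': PCRE is unavailable on BusyBox and BSD grep, where
        # the old pattern produced no output and the warning below was raised every time.
        LogText "Test: check if CSF testing mode is disabled"
        FIND=$(${GREPBINARY} -E "^TESTING[[:space:]=]" ${FILE} | ${CUTBINARY} -d= -f2 | ${XARGSBINARY})
        if [ "${FIND}" = "0" ]; then
            LogText "Result: CSF testing mode is disabled"
            Display --indent 4 --text "- Check if CSF testing mode is disabled" --result "${STATUS_OK}" --color GREEN
        else
            LogText "Result: CSF testing mode is enabled or could not be determined (value: ${FIND})"
            Display --indent 4 --text "- Check if CSF testing mode is disabled" --result "${STATUS_WARNING}" --color RED
        fi
        # The presence of /etc/csf/csf.disable marks CSF as disabled; the process list is not
        # consulted. Only a CSF that is not disabled counts as an active firewall - an
        # installed-but-disabled CSF must not satisfy the overall check in FIRE-4590.
        LogText "Test: check if CSF is running"
        if [ ! -f /etc/csf/csf.disable ]; then
            FIREWALL_ACTIVE=1
            LogText "Result: CSF is not disabled"
            Display --indent 4 --text "- Check if CSF is running" --result "${STATUS_OK}" --color GREEN
        else
            LogText "Result: CSF is disabled (/etc/csf/csf.disable exists)"
            Display --indent 4 --text "- Check if CSF is running" --result "${STATUS_WARNING}" --color RED
        fi
    else
        LogText "Result: ${FILE} does NOT exist"
    fi
fi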
#
#################################################################################
#
# Test : FIRE-4526
# Description : Check ipf (Solaris)
if [ -n "${IPFBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no FIRE-4526 --os Solaris --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check ipf status"
if [ ${SKIPTEST} -eq 0 ]; then
    # 'ipf -n -V' prints a "Running: yes|no" line (-n: report only, change nothing);
    # the second field of that line is the status
    IPF_RUNNING=$(${IPFBINARY} -n -V | ${GREPBINARY} "^Running" | ${AWKBINARY} '{ print $2 }')
    case "${IPF_RUNNING}" in
        yes)
            LogText "Result: ipf is enabled and running"
            Display --indent 4 --text "- Checking ipf status" --result "${STATUS_RUNNING}" --color GREEN
            FIREWALL_ACTIVE=1
            Report "firewall_software[]=ipf"
            ;;
        *)
            LogText "Result: ipf is not running"
            Display --indent 4 --text "- Checking ipf status" --result "${STATUS_NOT_RUNNING}" --color YELLOW
            ;;
    esac
fi
#
#################################################################################
#
# Test : FIRE-4530
# Description : Check IPFW (FreeBSD)
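Register --test-no FIRE-4530 --os FreeBSD --weight L --network NO --category security --description "Check IPFW status"
if [ ${SKIPTEST} -eq 0 ]; then
    if [ -n "${SYSCTLBINARY}" ]; then
        # Only IPv4 is checked (net.inet.ip.fw.enable); the IPv6 counterpart is not queried
        FIND=$(${SYSCTLBINARY} net.inet.ip.fw.enable 2> /dev/null | ${AWKBINARY} '{ print $2 }')
        if [ "${FIND}" = "1" ]; then
            Display --indent 2 --text "- Checking IPFW status" --result "${STATUS_RUNNING}" --color GREEN
            LogText "Result: IPFW is running for IPv4"
            FIREWALL_ACTIVE=1
            Report "firewall_software[]=ipfw"
            # 'service -e' lists the enabled rc.d scripts, one per line (a path or a name).
            # Match the ipfw entry as a complete trailing word. The former
            # 'grep -o ipfw' compared all concatenated matches against the single word
            # "ipfw", so any additional line containing that substring made an enabled
            # ipfw look disabled.
            if service -e 2> /dev/null | ${GREPBINARY} -E -q "(^|/)ipfw$"; then
                Display --indent 4 --text "- IPFW enabled in /etc/rc.conf" --result "${STATUS_YES}" --color GREEN
                LogText "Result: IPFW is enabled at start-up for IPv4"
            else
                Display --indent 4 --text "- ipfw enabled in /etc/rc.conf" --result "${STATUS_NO}" --color YELLOW
                LogText "Result: IPFW is disabled at start-up for IPv4"
            fi
        else
            if IsVerbose; then Display --indent 2 --text "- Checking IPFW status" --result "${STATUS_NOT_RUNNING}" --color YELLOW; fi
            LogText "Result: IPFW is not running for IPv4"
        fi
    else
        ReportException "${TEST_NO}:1" "No IPFW test available (sysctl missing)"
    fi
fi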
#
#################################################################################
#
# Test : FIRE-4532
# Description : Check Application Firewall in macOS
if [ -x /usr/libexec/ApplicationFirewall/socketfilterfw ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no FIRE-4532 --weight L --os "macOS" --preqs-met ${PREQS_MET} --network NO --category security --description "Check macOS application firewall"
if [ ${SKIPTEST} -eq 0 ]; then
    # The global state query answers with a line containing "Firewall is enabled" when the
    # built-in application firewall is on; any other output is treated as disabled.
    if /usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate 2> /dev/null | ${GREPBINARY} -q "Firewall is enabled"; then
        LogText "Result: application firewall of macOS is enabled"
        Display --indent 2 --text "- Checking macOS: Application Firewall" --result "${STATUS_ENABLED}" --color GREEN
        FIREWALL_ACTIVE=1
        APPLICATION_FIREWALL_ACTIVE=1
        Report "firewall_software[]=macosx-app-fw"
        Report "app_fw[]=macosx-app-fw"
        AddHP 3 3
    else
        LogText "Result: application firewall of macOS is disabled"
        if IsVerbose; then Display --indent 2 --text "- Checking macOS: Application Firewall" --result "${STATUS_DISABLED}" --color YELLOW; fi
        AddHP 1 3
    fi
fi
#
#################################################################################
#
# Test : FIRE-4534
# Description : Check outbound firewalls on macOS
Register --test-no FIRE-4534 --weight L --os "macOS" --network NO --category security --description "Check for presence of outbound firewalls on macOS"
if [ ${SKIPTEST} -eq 0 ]; then
    # Each known third-party outbound (application) firewall is looked up in the process
    # list. Several may be installed at once: every match is reported individually and
    # FOUND is raised once so the scoring below happens a single time.
    FOUND=0
    # Little Snitch Daemon (macOS) - checked with --full, presumably because the name contains spaces
    LogText "Test: checking process Little Snitch Daemon"
    if IsRunning --full "Little Snitch Daemon"; then
        Display --indent 2 --text "- Checking Little Snitch Daemon" --result "${STATUS_ENABLED}" --color GREEN
        LogText "Result: Little Snitch found"
        Report "app_fw[]=little-snitch"
        Report "firewall_software[]=little-snitch"
        FOUND=1
    fi
    # Hands Off! Daemon (macOS)
    LogText "Test: checking process HandsOffDaemon"
    if IsRunning "HandsOffDaemon"; then
        Display --indent 2 --text "- Checking Hands Off! Daemon" --result "${STATUS_ENABLED}" --color GREEN
        LogText "Result: Hands Off! found"
        Report "app_fw[]=hands-off"
        Report "firewall_software[]=hands-off"
        FOUND=1
    fi
    # LuLu (macOS)
    LogText "Test: checking process LuLu"
    if IsRunning "LuLu"; then
        Display --indent 2 --text "- Checking LuLu Daemon" --result "${STATUS_ENABLED}" --color GREEN
        LogText "Result: LuLu found"
        Report "app_fw[]=lulu"
        Report "firewall_software[]=lulu"
        FOUND=1
    fi
    # Radio Silence (macOS) - checked with --full like Little Snitch
    LogText "Test: checking process Radio Silence"
    if IsRunning --full "Radio Silence"; then
        Display --indent 2 --text "- Checking Radio Silence" --result "${STATUS_ENABLED}" --color GREEN
        LogText "Result: Radio Silence found"
        Report "app_fw[]=radio-silence"
        Report "firewall_software[]=radio-silence"
        FOUND=1
    fi
    if [ ${FOUND} -eq 1 ]; then
        # An outbound firewall counts both as a host firewall and as an application firewall
        FIREWALL_ACTIVE=1
        APPLICATION_FIREWALL_ACTIVE=1
        LogText "Result: found one or more macOS outbound firewall"
        AddHP 3 3
    else
        LogText "Result: outbound firewall not found"
        AddHP 1 3
    fi
fi
#
#################################################################################
#
# Test : FIRE-4536
# Description : Check nftables kernel module
if HasData "${NFTBINARY}"; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no FIRE-4536 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check nftables status"
if [ ${SKIPTEST} -eq 0 ]; then
    # Look for the nf_tables module(s) in the loaded module list. A kernel with nf_tables
    # compiled in (not as a module) is not detected by this - unlike iptables, there is no
    # /proc fallback here.
    NFT_MODULES=$(${LSMODBINARY} | ${AWKBINARY} '{ print $1 }' | ${GREPBINARY} "^nf*_tables")
    if [ -z "${NFT_MODULES}" ]; then
        LogText "Result: no nftables kernel module found"
    else
        LogText "Result: found nftables kernel module"
        FIREWALL_ACTIVE=1
        NFTABLES_ACTIVE=1
        Report "firewall_software[]=nftables"
    fi
fi
#
#################################################################################
#
# Test : FIRE-4538
# Description : Check nftables configuration
if HasData "${NFTBINARY}"; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no FIRE-4538 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check nftables basic configuration"
if [ ${SKIPTEST} -eq 0 ]; then
    # 'nft --version' prints a line starting with "nftables" followed by the version
    # (e.g. "nftables v0.9.8 ..."); keep that second field and strip the 'v' prefix.
    # tr deletes every 'v' in the field, exactly as before.
    NFT_VERSION_RAW=$(${NFTBINARY} --version 2> /dev/null | ${AWKBINARY} '{ if ($1=="nftables") { print $2 }}')
    NFT_VERSION=$(printf '%s' "${NFT_VERSION_RAW}" | ${TRBINARY} -d 'v')
    LogText "Result: found version ${NFT_VERSION} of nft"
    Report "nft_version=${NFT_VERSION}"
fi
#
#################################################################################
#
# Test : FIRE-4540
# Description : Check nftables configuration
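if HasData "${NFTBINARY}"; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no FIRE-4540 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --root-only YES --category security --description "Check for empty nftables configuration"
if [ ${SKIPTEST} -eq 0 ]; then
    # Dump the ruleset without counters and state (--stateless). Older nft releases do not
    # know that option and exit non-zero with nothing on stdout; fall back to a plain
    # listing then, otherwise the empty dump is mistaken for an empty ruleset.
    NFT_RULESET=$(${NFTBINARY} --stateless list ruleset 2> /dev/null || ${NFTBINARY} list ruleset 2> /dev/null)
    # Drop structural lines (table/chain declarations, closing braces, bare terminators,
    # blanks) and count what remains as rules. The filter is coarse: a rule that merely
    # mentions "table" or "chain" (e.g. in a comment) is not counted either.
    NFT_RULES_LENGTH=$(printf '%s\n' "${NFT_RULESET}" | ${GREPBINARY} -E -v "table|chain|;$|}$|^$" | ${WCBINARY} -l)
    if [ ${NFT_RULES_LENGTH} -le 3 ]; then
        # Three rules or fewer is considered an unconfigured firewall
        FIREWALL_EMPTY_RULESET=1
        LogText "Result: this firewall set has 3 rules or less and is considered to be empty"
    else
        LogText "Result: found ${NFT_RULES_LENGTH} rules in nftables configuration"
    fi
fi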
#
#################################################################################
#
# Test : FIRE-4586
# Description : Check firewall logging
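if [ ${FIREWALL_ACTIVE} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no FIRE-4586 --preqs-met ${PREQS_MET} --weight L --network NO --root-only YES --category security --description "Check firewall logging"
if [ ${SKIPTEST} -eq 0 ]; then
    # Only the IPv4 iptables ruleset is inspected; ip6tables, nftables and the other
    # packet filters detected above are not checked for logging here.
    if [ ${IPTABLES_ACTIVE} -eq 1 ]; then
        if [ -n "${IPTABLESSAVEBINARY}" ]; then
            # Any logging target counts: LOG (kernel log), NFLOG (netlink, e.g. ulogd) and the
            # legacy ULOG. The old pattern only knew LOG, so a ruleset that logs via NFLOG was
            # reported as not logging. The trailing boundary stops a user chain such as
            # "LOGDROP" from matching; '--' protects the leading dash of the pattern.
            HAS_LOGGING=$(${IPTABLESSAVEBINARY} 2> /dev/null | ${GREPBINARY} -E -- "-j (LOG|NFLOG|ULOG)( |$)")
            if [ -z "${HAS_LOGGING}" ]; then
                LogText "Result: no LOG, NFLOG or ULOG target found in iptables ruleset"
                Report "firewall_no_logging[]=iptables"
            else
                LogText "Result: found logging target in iptables ruleset"
            fi
        fi
    fi
fi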
#
#################################################################################
#
# Test : FIRE-4590
# Description : Check if at least one firewall is active
Register --test-no FIRE-4590 --weight L --network NO --category security --description "Check firewall status"
if [ ${SKIPTEST} -eq 0 ]; then
    # Summary of what the tests above discovered: each of them raises FIREWALL_ACTIVE when
    # it finds a running packet filter. Note that FIRE-4594 (APF) is registered after this
    # test, so its outcome is not part of this verdict.
    if [ ${FIREWALL_ACTIVE} -ne 1 ]; then
        Display --indent 2 --text "- Checking host based firewall" --result "${STATUS_NOT_ACTIVE}" --color YELLOW
        LogText "Result: no host based firewall/packet filter found or configured"
        ReportSuggestion "${TEST_NO}" "Configure a firewall/packet filter to filter incoming and outgoing traffic"
        AddHP 0 5
    else
        Display --indent 2 --text "- Checking host based firewall" --result "${STATUS_ACTIVE}" --color GREEN
        LogText "Result: host based firewall or packet filter is active"
        # Items that can only be judged by a human reviewer
        Report "manual[]=Verify if there is a formal process for testing and applying firewall rules"
        Report "manual[]=Verify all traffic is filtered the right way between the different security zones"
        Report "manual[]=Verify if a list is available with all required services"
        # YYY Solaris ipf (determine default policy)
        Report "manual[]=Make sure an explicit deny all is the default policy for all unmatched traffic"
        AddHP 5 5
    fi
fi
#
#################################################################################
#
# Test : FIRE-4594
# Description : Check for APF (Advanced Policy Firewall)
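# The prerequisite must be computed before Register and passed to it: previously it was
# evaluated after registration and never passed, so the test ran without iptables and the
# "-L -n" below was executed as a bare command. Listing rules needs root, like FIRE-4512.
if [ -n "${IPTABLESBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no FIRE-4594 --preqs-met ${PREQS_MET} --weight L --network NO --root-only YES --category security --description "Check for APF presence"
if [ ${SKIPTEST} -eq 0 ]; then
    FILE="/etc/apf/conf.apf"
    LogText "Test: check ${FILE}"
    if [ -f ${FILE} ]; then
        LogText "Result: ${FILE} exists"
        Report "firewall_software[]=apf"
        Display --indent 2 --text "- Checking APF status (configuration file)" --result "${STATUS_FOUND}" --color GREEN
        # DEVEL_MODE is APF's testing/development mode; only an explicit 0 is accepted.
        # POSIX ERE instead of 'grep -P', which is unavailable on BusyBox and BSD grep.
        LogText "Test: check if APF testing mode is disabled"
        FIND=$(${GREPBINARY} -E "^DEVEL_MODE[[:space:]=]" ${FILE} | ${CUTBINARY} -d= -f2 | ${XARGSBINARY})
        if [ "${FIND}" = "0" ]; then
            LogText "Result: APF testing mode is disabled"
            Display --indent 4 --text "- Check if APF testing mode is disabled" --result "${STATUS_OK}" --color GREEN
        else
            LogText "Result: APF testing mode is enabled or could not be determined (value: ${FIND})"
            Display --indent 4 --text "- Check if APF testing mode is disabled" --result "${STATUS_WARNING}" --color RED
        fi
        # A chain named "sanity" in the loaded iptables rules is used as the sign that APF's
        # ruleset is active. Only then is it counted as an active firewall: an installed
        # APF whose rules are not loaded must not raise FIREWALL_ACTIVE.
        LogText "Test: check if APF is running"
        if ${IPTABLESBINARY} -L -n 2> /dev/null | ${GREPBINARY} -i -q sanity; then
            FIREWALL_ACTIVE=1
            LogText "Result: APF rules are loaded"
            Display --indent 4 --text "- Check if APF is running" --result "${STATUS_OK}" --color GREEN
        else
            LogText "Result: APF rules are not loaded"
            Display --indent 4 --text "- Check if APF is running" --result "${STATUS_WARNING}" --color RED
        fi
    else
        LogText "Result: ${FILE} does NOT exist"
    fi
fi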
#
#################################################################################
#
# End of the firewall section; WaitForKeyPress is the shared Lynis helper (defined outside
# this file) that pauses between sections when the audit is run interactively
WaitForKeyPress
#
#################################################################################
#
# TODO
# Suggestion to disable iptables if nftables is enabled
# Check for specific features in nftables releases
#
#================================================================================
# Lynis - Security Auditing and System Hardening for Linux and UNIX - https://cisofy.com