2014-08-26 17:33:55 +02:00
#!/bin/sh
#################################################################################
#
# Lynis
# ------------------
#
2016-03-13 16:00:39 +01:00
# Copyright 2007-2013, Michael Boelen
2021-01-07 15:22:19 +01:00
# Copyright 2007-2021, CISOfy
2016-03-13 16:00:39 +01:00
#
# Website : https://cisofy.com
# Blog : http://linux-audit.com
# GitHub : https://github.com/CISOfy/lynis
2014-08-26 17:33:55 +02:00
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
# See LICENSE file for usage of this software.
#
#################################################################################
#
# Networking
#
#################################################################################
#
FOUNDPROMISC=0 # Promiscuous interfaces
LOCAL_DNSRESOLVER_FOUND=0 # Local DNS resolver
NUMBERACTIVENS=0 # Number of active nameservers
DHCP_CLIENT_RUNNING=0 # DHCP client availability
2015-12-29 16:28:18 +01:00
ARPWATCH_RUNNING=0 # ARP-cache based attack monitoring software
2016-08-29 19:31:17 +02:00
ARPON_RUNNING=0 # ARP-cache based attack monitoring software
2014-08-26 17:33:55 +02:00
#
#################################################################################
#
2020-10-22 00:13:42 +02:00
InsertSection "${SECTION_NETWORKING}"
2014-08-26 17:33:55 +02:00
#
#################################################################################
2020-04-04 15:28:04 +02:00
#
# Test : NETW-2400
# Description : Test hostname for valid characters and length
# Notes : FQDN: max 253 characters
# : component: a-z, 0-9, hyphen, not start with hyphen, max 63 characters
# dots allowed as separator
Register --test-no NETW-2400 --weight L --network YES --category basics --description "Hostname length and value check"
if [ ${SKIPTEST} -eq 0 ]; then
# Test first the fully qualified domain name
if [ ${#FQDN} -gt 253 ]; then
# Too long
LogText "Result: FQDN is more than 253 characters"
Display --indent 2 --text "- Hostname (FQDN length)" --result "${STATUS_WARNING}" --color RED
ReportWarning "${TEST_NO}" "Hostname is too long (more than 253 characters)"
elif [ ${#FQDN} -eq 0 ]; then
# FQDN not defined
LogText "Result: FQDN is not defined"
if IsVerbose; then Display --indent 2 --text "- Hostname (FQDN length)" --result "${STATUS_UNKNOWN}" --color YELLOW; fi
else
# Fine
2020-04-04 15:56:00 +02:00
LogText "Result: FQDN is defined and not longer than 253 characters (${#FQDN} characters)"
2020-04-04 15:28:04 +02:00
if IsVerbose; then Display --indent 2 --text "- Hostname (FQDN length)" --result "${STATUS_OK}" --color GREEN; fi
fi
# Now test short hostname
if [ ${#HOSTNAME} -eq 0 ]; then
if IsVerbose; then Display --indent 2 --text "- Hostname (FQDN length)" --result "${STATUS_NONE}" --color RED; fi
LogText "Result: hostname is not defined"
else
# Test length
if [ ${#HOSTNAME} -gt 63 ]; then
LogText "Result: hostname is more than 63 characters"
Display --indent 2 --text "- Hostname (length)" --result "${STATUS_WARNING}" --color RED
2020-04-04 15:56:00 +02:00
else
LogText "Result: hostnamed is defined and not longer than 63 characters"
2020-04-04 15:28:04 +02:00
fi
# Test valid characters (normally a dot should not be in the name, but we can't be 100% sure we have short name)
2020-10-31 18:36:06 +01:00
FIND=$(echo "${HOSTNAME}" | ${TRBINARY} -d '[:alnum:]\.\-')
2020-04-04 15:28:04 +02:00
if [ -z "${FIND}" ]; then
LogText "Result: good, no unexpected characters discovered in hostname"
if IsVerbose; then Display --indent 2 --text "- Hostname (allowed characters)" --result "${STATUS_OK}" --color GREEN; fi
else
LogText "Result: unexpected characters discovered in hostname (characters: ${FIND}), which may impact network connectivity"
Display --indent 2 --text "- Hostname (allowed characters)" --result "${STATUS_WARNING}" --color RED
ReportWarning "${TEST_NO}" "Hostname contains invalid characters" "hostname" "text:See log file for invalid characters"
fi
fi
fi
#
#################################################################################
2016-01-01 21:38:47 +01:00
#
# Test : NETW-2600
# Description : Gather IPv6 configuration
2016-07-24 17:22:00 +02:00
Register --test-no NETW-2600 --os "Linux" --weight L --network YES --category security --description "Checking IPv6 configuration"
2016-01-01 21:38:47 +01:00
if [ ${SKIPTEST} -eq 0 ]; then
IPV6_CONFIGURED=0
IPV6_ACCEPT_RA=255
IPV6_ACCEPT_REDIRECTS=255
IPV6_MANUAL_CONFIGURED=255
IPV6_ONLY=255
IPV6_MISCONFIGURED=0
IPV6_MISCONFIGURED_MTU=0
2017-03-06 08:41:21 +01:00
FIND=$(sysctl -a 2> /dev/null | ${GREPBINARY} "^net.ipv6" | ${SEDBINARY} "s/ = /=/")
2019-07-16 13:20:30 +02:00
if [ -n "${FIND}" ]; then
2016-01-01 21:38:47 +01:00
IPV6_CONFIGURED=1
for I in ${FIND}; do
2017-03-06 08:41:21 +01:00
SYSCTL_KEY=$(echo ${I} | ${AWKBINARY} -F= '{ print $1 }')
SYSCTL_VALUE=$(echo ${I} | ${AWKBINARY} -F= '{ print $2 }')
2016-01-01 21:38:47 +01:00
case ${SYSCTL_KEY} in
"net.ipv6.conf.default.accept_ra")
if [ "${SYSCTL_VALUE}" = "1" ]; then IPV6_ACCEPT_RA=1; else IPV6_ACCEPT_RA=0; fi
;;
"net.ipv6.conf.default.accept_redirects")
if [ "${SYSCTL_VALUE}" = "1" ]; then IPV6_ACCEPT_REDIRECTS=1; else IPV6_ACCEPT_REDIRECTS=0; fi
;;
"net.ipv6.bindv6only")
if [ "${SYSCTL_VALUE}" = "1" ]; then IPV6_ONLY=1; else IPV6_ONLY=0; fi
;;
"net.ipv6.conf.all.mtu" | "net.ipv6.conf.default.mtu")
if [ ${SYSCTL_VALUE} -lt 1280 ]; then IPV6_MISCONFIGURED_MTU=1; fi
;;
#if TestValue --function equals --value "${SYSCTL_VALUE}" --search "1"; then
# echo "Found ${SYSCTL_VALUE}"
#else
# echo "Not found"
#fi
esac
done
2016-10-26 12:58:51 +02:00
else
2016-01-01 21:38:47 +01:00
IPV6_MODE="disabled"
fi
# Check if we are manually configured (not accepting automatic configuration)
if [ ${IPV6_ACCEPT_RA} -eq 0 -a ${IPV6_ACCEPT_REDIRECTS} -eq 0 ]; then
IPV6_MANUAL_CONFIGURED=1
IPV6_MODE="manual"
elif [ ${IPV6_ACCEPT_RA} -eq 1 -o ${IPV6_ACCEPT_REDIRECTS} -eq 1 ]; then
IPV6_MODE="auto"
else
IPV6_MODE="disabled"
fi
LogText "Result: IPV6 mode is ${IPV6_MODE}"
if [ ${IPV6_CONFIGURED} -eq 1 ]; then
2016-06-18 11:14:01 +02:00
Display --indent 2 --text "- Checking IPv6 configuration" --result "${STATUS_ENABLED}" --color WHITE
2017-03-06 08:41:21 +01:00
STATUS=$(echo ${IPV6_MODE} | ${TRBINARY} '[:lower:]' '[:upper:]')
2016-01-01 21:38:47 +01:00
Display --indent 6 --text "Configuration method" --result "${STATUS}" --color WHITE
2020-12-16 01:07:27 +01:00
if [ ${IPV6_ONLY} -eq 1 ]; then STATUS="${STATUS_YES}"; else STATUS="${STATUS_NO}"; fi
2016-01-01 21:38:47 +01:00
LogText "Result: IPv6 only configuration: ${STATUS}"
Display --indent 6 --text "IPv6 only" --result "${STATUS}" --color WHITE
2016-10-26 12:58:51 +02:00
else
2016-06-18 11:14:01 +02:00
Display --indent 2 --text "- Checking IPv6 configuration" --result "${STATUS_DISABLED}" --color WHITE
2016-01-01 21:38:47 +01:00
fi
# Configuration errors
if [ ${IPV6_MISCONFIGURED_MTU} -eq 1 ]; then
IPV6_MISCONFIGURED=1
LogText "Result: MTU of IPv6 interfaces should be 1280 or higher"
2016-06-18 11:14:01 +02:00
Display --indent 6 --text "Error: MTU is too low" --result "${STATUS_WARNING}" --color RED
2016-01-01 21:38:47 +01:00
ReportSuggestion "${TEST_NO}" "Check your MTU configuration of IPv6 interfaces"
fi
# Possible improvements:
# - Check if we found IPv6 enabled nameservers
# Report
2016-04-28 09:15:54 +02:00
Report "ipv6_mode=${IPV6_MODE}"
Report "ipv6_only=${IPV6_ONLY}"
2016-01-01 21:38:47 +01:00
fi
#
#################################################################################
2014-08-26 17:33:55 +02:00
#
2015-07-22 16:28:11 +02:00
# Test : NETW-2704
2014-08-26 17:33:55 +02:00
# Description : Basic nameserver configuration tests (connectivity)
2016-07-24 17:22:00 +02:00
Register --test-no NETW-2704 --weight L --network YES --category security --description "Basic nameserver configuration tests"
2014-08-26 17:33:55 +02:00
if [ ${SKIPTEST} -eq 0 ]; then
2014-09-15 12:01:09 +02:00
Display --indent 2 --text "- Checking configured nameservers"
2015-12-21 21:17:15 +01:00
LogText "Test: Checking /etc/resolv.conf file"
2014-08-26 17:33:55 +02:00
if [ -f /etc/resolv.conf ]; then
2015-12-21 21:17:15 +01:00
LogText "Result: Found /etc/resolv.conf file"
2019-02-28 09:51:57 +01:00
FIND=$(${GREPBINARY} '^nameserver' /etc/resolv.conf | ${TRBINARY} -d '\t' | ${SEDBINARY} 's/nameserver*//g' | uniq | ${CUTBINARY} -d# -f1)
2019-07-16 13:20:30 +02:00
if [ -n "${FIND}" ]; then
2014-09-15 12:01:09 +02:00
Display --indent 4 --text "- Testing nameservers"
2015-12-21 21:17:15 +01:00
LogText "Test: Querying nameservers"
2014-08-26 17:33:55 +02:00
for I in ${FIND}; do
2015-12-21 21:17:15 +01:00
LogText "Found nameserver: ${I}"
Report "nameserver[]=${I}"
2015-07-22 16:28:11 +02:00
# Check if a local resolver is available (like DNSMasq)
2018-05-01 19:57:23 +02:00
if [ "${I}" = "::1" -o "${I}" = "127.0.0.1" -o "${I}" = "127.0.0.53" -o "${I}" = "127.0.1.1" -o "${I}" = "0.0.0.0" ]; then
2017-03-07 20:23:08 +01:00
LOCAL_DNSRESOLVER_FOUND=1
2014-08-26 17:33:55 +02:00
fi
2019-07-16 13:20:30 +02:00
if [ -n "${DIGBINARY}" ]; then
2014-08-26 17:33:55 +02:00
# See if we can query something at the nameserver
# 0=good, other=bad
2018-06-26 11:36:55 +02:00
DNSRESPONSE=$(${DIGBINARY} +noall +time=3 +retry=0 @${I} ${FQDN} > /dev/null ; echo $?)
2014-08-26 17:33:55 +02:00
if [ "${DNSRESPONSE}" = "0" ]; then
2016-06-18 11:14:01 +02:00
Display --indent 8 --text "Nameserver: ${I}" --result "${STATUS_OK}" --color GREEN
2015-12-21 21:17:15 +01:00
LogText "Nameserver ${I} seems to respond to queries from this host."
2014-08-26 17:33:55 +02:00
# Count responsive nameservers
2016-05-03 14:57:53 +02:00
NUMBERACTIVENS=$((NUMBERACTIVENS + 1))
2016-10-26 12:58:51 +02:00
else
2014-09-15 12:01:09 +02:00
Display --indent 8 --text "Nameserver: ${I}" --result "NO RESPONSE" --color RED
2015-12-21 21:17:15 +01:00
LogText "Result: nameserver ${I} does NOT respond"
LogText "Exit-code from dig: ${DNSRESPONSE}"
2019-12-18 12:17:46 +01:00
ReportSuggestion "${TEST_NO}" "Check connection to this nameserver and make sure no outbound DNS queries are blocked (port 53 UDP and TCP)."
ReportWarning "${TEST_NO}" "Nameserver ${I} does not respond"
2014-08-26 17:33:55 +02:00
fi
2016-10-26 12:58:51 +02:00
else
2015-12-21 21:17:15 +01:00
LogText "Result: Nameserver test for ${I} skipped, 'dig' not installed"
2016-06-18 11:14:01 +02:00
Display --indent 6 --text "Nameserver: ${I}" --result "${STATUS_SKIPPED}" --color YELLOW
2014-08-26 17:33:55 +02:00
fi
done
fi
fi
fi
#
#################################################################################
#
# Test : NETW-2705
# Description : Basic nameserver configuration tests (connectivity)
2018-05-01 19:57:23 +02:00
if [ ${LOCAL_DNSRESOLVER_FOUND} -eq 0 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
2016-07-24 17:22:00 +02:00
Register --test-no NETW-2705 --preqs-met ${PREQS_MET} --weight L --network YES --category security --description "Check availability two nameservers"
2014-08-26 17:33:55 +02:00
if [ ${SKIPTEST} -eq 0 ]; then
2017-09-16 14:25:01 +02:00
SKIP=0
2019-07-16 13:20:30 +02:00
if [ -n "${DIGBINARY}" ]; then
2017-09-16 14:25:01 +02:00
if [ ${NUMBERACTIVENS} -lt 2 ]; then
2016-06-18 11:14:01 +02:00
Display --indent 4 --text "- Minimal of 2 responsive nameservers" --result "${STATUS_WARNING}" --color RED
2015-12-21 21:17:15 +01:00
LogText "Result: less than 2 responsive nameservers found"
2019-12-18 12:17:46 +01:00
ReportWarning "${TEST_NO}" "Couldn't find 2 responsive nameservers"
2015-12-21 21:17:15 +01:00
LogText "Note: Non responsive nameservers can give problems for your system(s). Like the lack of recursive lookups, bad connectivity to update servers etc."
2019-12-18 12:17:46 +01:00
ReportSuggestion "${TEST_NO}" "Check your resolv.conf file and fill in a backup nameserver if possible"
2014-08-26 17:33:55 +02:00
AddHP 1 2
2016-10-26 12:58:51 +02:00
else
2016-06-18 11:14:01 +02:00
Display --indent 4 --text "- Minimal of 2 responsive nameservers" --result "${STATUS_OK}" --color GREEN
2015-12-21 21:17:15 +01:00
LogText "Result: found at least 2 responsive nameservers"
2014-08-26 17:33:55 +02:00
AddHP 3 3
fi
2016-10-26 12:58:51 +02:00
else
2016-06-18 11:14:01 +02:00
Display --indent 4 --text "- Minimal of 2 responsive nameservers" --result "${STATUS_SKIPPED}" --color YELLOW
2015-12-21 21:17:15 +01:00
LogText "Result: dig not installed, test can't be fully performed"
2014-08-26 17:33:55 +02:00
fi
2016-10-26 12:58:51 +02:00
else
2015-12-21 21:17:15 +01:00
LogText "Result: Test most likely skipped due having local resolver in /etc/resolv.conf"
2014-08-26 17:33:55 +02:00
fi
#
#################################################################################
2020-03-19 22:53:57 +01:00
#
# Test : NETW-2706
2020-04-03 14:02:52 +02:00
# Description : Check systemd-resolve output and upstream DNSSEC status
# Notes : Ubuntu 16.04 uses systemd-resolve, newer ones most likely resolvectl
if [ -n "${RESOLVECTLBINARY}" ]; then
PREQS_MET="YES"
RESOLVE_CMD="${RESOLVECTLBINARY}"
RESOLVE_CMD_PARAM="statistics"
elif [ -n "$(command -v systemd-resolve 2> /dev/null)" ]; then
PREQS_MET="YES"
RESOLVE_CMD="$(command -v systemd-resolve 2> /dev/null)"
RESOLVE_CMD_PARAM="--statistics"
else
PREQS_MET="NO"
fi
Register --test-no NETW-2706 --preqs-met "${PREQS_MET}" --weight L --network YES --category security --description "Check systemd-resolved and upstream DNSSEC status"
2020-03-19 22:53:57 +01:00
if [ ${SKIPTEST} -eq 0 ]; then
SKIP=0
2020-04-03 14:02:52 +02:00
DNSSEC_STATUS=$(${RESOLVE_CMD} ${RESOLVE_CMD_PARAM} 2> /dev/null | ${AWKBINARY} -F ":" '/DNSSEC supported/ { print $2 }' | ${TRBINARY} -d ' ')
if [ "${DNSSEC_STATUS}" = "yes" ]; then
Display --indent 4 --text "- DNSSEC supported (systemd-resolved)" --result "${STATUS_YES}" --color GREEN
LogText "Result: DNSSEC supported by systemd-resolved and upstream DNS servers"
elif [ "${DNSSEC_STATUS}" = "no" ]; then
Display --indent 4 --text "- DNSSEC supported (systemd-resolved)" --result "${STATUS_NO}" --color YELLOW
LogText "Result: DNSSEC not supported by systemd-resolved or upstream DNS servers"
2020-03-19 22:53:57 +01:00
else
2020-04-03 14:02:52 +02:00
Display --indent 4 --text "- DNSSEC supported (systemd-resolved)" --result "${STATUS_UNKNOWN}" --color RED
LogText "Result: command '${RESOLVE_CMD} ${RESOLVE_CMD_PARAM}' returned an error. Please run command manually to check for details."
2020-03-19 22:53:57 +01:00
fi
else
LogText "Result: Test most likely skipped due to not having resolvectl"
fi
#
#################################################################################
2014-08-26 17:33:55 +02:00
#
# Test : NETW-3001
# Description : Find default gateway (route)
# More info : BSD: ^default Linux: 0.0.0.0
2019-07-16 13:20:30 +02:00
if [ -n "${NETSTATBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
2016-07-24 17:22:00 +02:00
Register --test-no NETW-3001 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Find default gateway (route)"
2014-08-28 13:59:30 +02:00
if [ $SKIPTEST -eq 0 ]; then
2015-12-21 21:17:15 +01:00
LogText "Test: Searching default gateway(s)"
2023-04-23 23:38:21 +02:00
FIND=$(${NETSTATBINARY} -rn | ${GREPBINARY} -E "^0.0.0.0|default" | ${TRBINARY} -s ' ' | ${CUTBINARY} -d ' ' -f2)
2019-07-16 13:20:30 +02:00
if [ -n "${FIND}" ]; then
2014-08-26 17:33:55 +02:00
for I in ${FIND}; do
2015-12-21 21:17:15 +01:00
LogText "Result: Found default gateway ${I}"
Report "default_gateway[]=${I}"
2014-08-26 17:33:55 +02:00
done
2016-06-18 11:14:01 +02:00
Display --indent 2 --text "- Checking default gateway" --result "${STATUS_DONE}" --color GREEN
2016-10-26 12:58:51 +02:00
else
2015-12-21 21:17:15 +01:00
LogText "Result: No default gateway found"
2014-09-15 12:01:09 +02:00
Display --indent 2 --text "- Checking default gateway" --result "NONE FOUND" --color WHITE
2014-08-26 17:33:55 +02:00
fi
fi
#
#################################################################################
#
# Test : NETW-3004
2017-01-24 19:28:06 +01:00
# Description : Find available network interfaces
Register --test-no NETW-3004 --weight L --network NO --category security --description "Search for available network interfaces"
2014-08-26 17:33:55 +02:00
if [ ${SKIPTEST} -eq 0 ]; then
2015-10-27 13:33:16 +01:00
FIND=""
case ${OS} in
AIX)
2017-01-24 19:28:06 +01:00
FIND=$(${IFCONFIGBINARY} -a 2> /dev/null | ${GREPBINARY} "flags=" | ${AWKBINARY} -F ":" '{ print $1 }')
2015-10-27 13:33:16 +01:00
;;
Linux)
2019-07-16 13:20:30 +02:00
if [ -n "${IPBINARY}" ]; then
2017-01-24 19:28:06 +01:00
FIND=$(${IPBINARY} link show 2> /dev/null | ${GREPBINARY} "^[0-9]" | ${AWKBINARY} '{ print $2 }' | ${SEDBINARY} 's/://g')
2019-07-16 13:20:30 +02:00
elif [ -n "${IFCONFIGBINARY}" ]; then
2017-01-24 19:28:06 +01:00
FIND=$(${IFCONFIGBINARY} -a 2> /dev/null | ${AWKBINARY} '{ if ( $2 == "Link" ) { print $1 }}')
2015-10-27 13:33:16 +01:00
fi
;;
2016-11-05 11:53:22 +01:00
DragonFly|FreeBSD|macOS|NetBSD)
2017-01-24 19:28:06 +01:00
FIND=$(${IFCONFIGBINARY} -l 2> /dev/null)
2015-10-27 13:33:16 +01:00
;;
2016-02-09 13:00:29 +01:00
OpenBSD|Solaris)
2017-01-24 19:28:06 +01:00
FIND=$(${IFCONFIGBINARY} -a 2> /dev/null | ${GREPBINARY} "flags=" | ${AWKBINARY} -F ": " '{ print $1 }')
2015-10-27 13:33:16 +01:00
;;
*)
# Having a system currently unsupported? Share your details to determine network interfaces
ReportException "${TEST_NO}:1" "No support for this OS (${OS}) to find available network interfaces"
;;
esac
2017-04-30 17:59:35 +02:00
if HasData "${FIND}"; then
for ITEM in ${FIND}; do
NETWORK_INTERFACES="${NETWORK_INTERFACES}|${ITEM}"
LogText "Found network interface: ${ITEM}"
Report "network_interface[]=${ITEM}"
2015-10-27 13:33:16 +01:00
done
2016-09-10 16:12:44 +02:00
else
2015-10-27 13:33:16 +01:00
ReportException "${TEST_NO}:1" "No interfaces found on this system (OS=${OS})"
fi
2014-08-26 17:33:55 +02:00
fi
#
#################################################################################
#
# Test : NETW-3006
# Description : Get network MAC addresses
2016-07-24 17:22:00 +02:00
Register --test-no NETW-3006 --weight L --network NO --category security --description "Get network MAC addresses"
2014-08-26 17:33:55 +02:00
if [ ${SKIPTEST} -eq 0 ]; then
FIND=""
case ${OS} in
AIX)
2017-03-06 08:41:21 +01:00
FIND=$(lscfg -vl ent* | ${GREPBINARY} "Network Address" | ${CUTBINARY} -d"." -f14 | ${AWKBINARY} '{ ctr=1; i=1; while (ctr <= 6) { d[ctr++]=substr($0,i,2);i=i+2 } printf("%s:%s:%s:%s:%s:%s\n",d[1],d[2],d[3],d[4],d[5],d[6]) }')
2014-08-26 17:33:55 +02:00
;;
DragonFly|FreeBSD)
2017-03-06 08:41:21 +01:00
FIND=$(${IFCONFIGBINARY} -a 2> /dev/null | ${AWKBINARY} '{ if ($1=="ether") print $2 }' | ${SORTBINARY} -u)
2014-08-26 17:33:55 +02:00
;;
Linux)
2019-07-16 13:20:30 +02:00
if [ -n "${IFCONFIGBINARY}" ]; then
2017-03-06 08:41:21 +01:00
FIND=$(${IFCONFIGBINARY} -a 2> /dev/null | ${GREPBINARY} "HWaddr" | ${AWKBINARY} '{ if ($4=="HWaddr") print $5 }' | ${SORTBINARY} -u)
2017-08-03 20:28:38 +02:00
# CentOS 7.x and others may return nothing. Let's retry with 'ether' field.
if [ -z "${FIND}" ]; then
FIND=$(${IFCONFIGBINARY} -a 2> /dev/null | ${AWKBINARY} '{ if ($1=="ether") print $2 }' | ${SORTBINARY} -u)
fi
2016-09-10 16:12:44 +02:00
else
2019-07-16 13:20:30 +02:00
if [ -n "${IPBINARY}" ]; then
2015-12-21 21:17:15 +01:00
LogText "Test: Using ip binary to gather hardware addresses"
2017-03-06 08:41:21 +01:00
FIND=$(${IPBINARY} link 2> /dev/null | ${GREPBINARY} "link/ether" | ${AWKBINARY} '{ print $2 }')
2017-04-30 17:59:35 +02:00
else
2014-09-19 16:28:53 +02:00
ReportException "${TEST_NO}:2" "Missing ifconfig or ip command to collect hardware address (MAC)"
fi
2014-09-19 11:45:19 +02:00
fi
2014-08-26 17:33:55 +02:00
;;
2016-11-05 11:53:22 +01:00
macOS)
2017-03-06 08:41:21 +01:00
FIND=$(${IFCONFIGBINARY} -a 2> /dev/null | ${AWKBINARY} '{ if ($1=="lladdr" || $1=="ether") print $2 }' | ${SORTBINARY} -u)
2014-08-26 17:33:55 +02:00
;;
NetBSD)
2017-03-06 08:41:21 +01:00
FIND=$(${IFCONFIGBINARY} -a 2> /dev/null | ${AWKBINARY} '{ if ($1=="address:") print $2 }' | ${SORTBINARY} -u)
2014-08-26 17:33:55 +02:00
;;
OpenBSD)
2017-03-06 08:41:21 +01:00
FIND=$(${IFCONFIGBINARY} -A 2> /dev/null | ${AWKBINARY} '{ if ($1=="lladdr") print $2 }' | ${SORTBINARY} -u)
2014-08-26 17:33:55 +02:00
;;
Solaris)
2017-03-06 08:41:21 +01:00
FIND=$(${IFCONFIGBINARY} -a 2> /dev/null | ${AWKBINARY} '{ if ($1=="ether") print $2 }' | ${SORTBINARY} -u)
2014-08-26 17:33:55 +02:00
;;
*)
# Having a system currently unsupported? Share your details to determine MAC information
ReportException "${TEST_NO}:1" "No support for this OS (${OS}) to find MAC information"
;;
esac
2017-04-30 17:59:35 +02:00
for ITEM in ${FIND}; do
LogText "Found MAC address: ${ITEM}"
Report "network_mac_address[]=${ITEM}"
2014-08-26 17:33:55 +02:00
done
fi
#
#################################################################################
#
# Test : NETW-3008
# Description : Get network IPv4/6 addresses
2016-07-24 17:22:00 +02:00
Register --test-no NETW-3008 --weight L --network NO --category security --description "Get network IP addresses"
2014-08-26 17:33:55 +02:00
if [ ${SKIPTEST} -eq 0 ]; then
FIND=""; FIND2=""
case ${OS} in
AIX)
2017-03-06 08:41:21 +01:00
FIND=$(${IFCONFIGBINARY} -a 2> /dev/null | ${AWKBINARY} '{ if ($1=="inet") print $2 }')
FIND2=$(${IFCONFIGBINARY} -a 2> /dev/null | ${AWKBINARY} '{ if ($1=="inet6") print $2 }')
2014-08-26 17:33:55 +02:00
;;
DragonFly|FreeBSD|NetBSD)
2017-03-06 08:41:21 +01:00
FIND=$(${IFCONFIGBINARY} -a 2> /dev/null | ${AWKBINARY} '{ if ($1=="inet") print $2 }')
FIND2=$(${IFCONFIGBINARY} -a 2> /dev/null | ${AWKBINARY} '{ if ($1=="inet6") print $2 }')
2014-08-26 17:33:55 +02:00
;;
Linux)
2019-07-16 13:20:30 +02:00
if [ -n "${IFCONFIGBINARY}" ]; then
2017-03-06 08:41:21 +01:00
FIND=$(${IFCONFIGBINARY} -a 2> /dev/null | ${AWKBINARY} '{ if ($1=="inet") print $2 }' | ${CUTBINARY} -d ':' -f2)
2014-09-19 11:45:19 +02:00
# Version which works for multiple types of ifconfig (e.g. Slackware)
2017-03-06 08:41:21 +01:00
FIND2=$(${IFCONFIGBINARY} -a 2> /dev/null | ${AWKBINARY} '{ if ($1=="inet6" && $2=="addr:") { print $3 } else { if ($1=="inet6" && $3=="prefixlen") { print $2 } } }')
2016-09-10 16:12:44 +02:00
else
2019-07-16 13:20:30 +02:00
if [ -n "${IPBINARY}" ]; then
2015-12-21 21:17:15 +01:00
LogText "Test: Using ip binary to gather IP addresses"
2017-03-06 08:41:21 +01:00
FIND=$(${IPBINARY} addr 2> /dev/null | ${AWKBINARY} '{ if ($1=="inet") { print $2 }}' | ${SEDBINARY} 's/\/.*//')
FIND2=$(${IPBINARY} addr 2> /dev/null | ${AWKBINARY} '{ if ($1=="inet6") { print $2 }}' | ${SEDBINARY} 's/\/.*//')
2016-09-10 16:12:44 +02:00
else
2014-09-19 16:28:53 +02:00
ReportException "${TEST_NO}:2" "Missing ifconfig or ip command to collect hardware address (MAC)"
fi
2014-09-19 11:45:19 +02:00
fi
2014-08-26 17:33:55 +02:00
;;
2016-11-05 11:53:22 +01:00
macOS)
2017-03-06 08:41:21 +01:00
FIND=$(${IFCONFIGBINARY} -a 2> /dev/null | ${AWKBINARY} '{ if ($1=="inet") print $2 }')
FIND2=$(${IFCONFIGBINARY} -a 2> /dev/null | ${AWKBINARY} '{ if ($1=="inet6") print $2 }')
2014-08-26 17:33:55 +02:00
;;
OpenBSD)
2017-03-06 08:41:21 +01:00
FIND=$(${IFCONFIGBINARY} -A 2> /dev/null | ${AWKBINARY} '{ if ($1=="inet") print $2 }')
FIND2=$(${IFCONFIGBINARY} -A 2> /dev/null | ${AWKBINARY} '{ if ($1=="inet6") print $2 }')
2014-08-26 17:33:55 +02:00
;;
Solaris)
2017-03-06 08:41:21 +01:00
FIND=$(${IFCONFIGBINARY} -a 2> /dev/null | ${AWKBINARY} '{ if ($1=="inet") print $2 }')
FIND2=$(${IFCONFIGBINARY} -a 2> /dev/null | ${AWKBINARY} '{ if ($1=="inet6") print $2 }')
2014-08-26 17:33:55 +02:00
;;
*)
2015-12-21 21:17:15 +01:00
LogText "Result: no support yet for this OS (${OS}) to find IP address information. You can help improving this test by submitting your details."
2014-08-26 17:33:55 +02:00
ReportException "${TEST_NO}:1" "IP address information test not implemented for this operating system"
;;
esac
2017-04-30 17:59:35 +02:00
2014-08-26 17:33:55 +02:00
# IPv4
2017-04-30 17:59:35 +02:00
for ITEM in ${FIND}; do
LogText "Found IPv4 address: ${ITEM}"
Report "network_ipv4_address[]=${ITEM}"
2014-08-26 17:33:55 +02:00
done
# IPv6
2017-04-30 17:59:35 +02:00
for ITEM in ${FIND2}; do
LogText "Found IPv6 address: ${ITEM}"
Report "network_ipv6_address[]=${ITEM}"
2014-08-26 17:33:55 +02:00
done
fi
#
#################################################################################
#
# Test : NETW-3012
# Description : Check listening ports
2016-07-24 17:22:00 +02:00
Register --test-no NETW-3012 --weight L --network NO --category security --description "Check listening ports"
2014-08-26 17:33:55 +02:00
if [ ${SKIPTEST} -eq 0 ]; then
2019-06-24 13:39:30 +02:00
DATA=""
2014-08-26 17:33:55 +02:00
FIND=""; FIND2=""
2017-04-30 17:59:35 +02:00
COUNT=0
2014-08-26 17:33:55 +02:00
case ${OS} in
2019-07-16 19:06:31 +02:00
DragonFly | FreeBSD)
2019-07-16 13:20:30 +02:00
if [ -n "${SOCKSTATBINARY}" ]; then
2017-03-06 08:41:21 +01:00
FIND=$(${SOCKSTATBINARY} | ${AWKBINARY} '{ if ($7 ~ /\*:\*/) print $5"|"$6"|"$2"|" }' | ${SORTBINARY} -u)
2016-09-08 21:04:17 +02:00
# To strip off IP's: ${SEDBINARY} 's/|.*:/|/'
2016-10-26 12:58:51 +02:00
else
2014-08-26 17:33:55 +02:00
FIND=""
fi
FIND2=""
2019-06-24 13:39:30 +02:00
;;
2014-08-26 17:33:55 +02:00
Linux)
2019-06-24 13:39:30 +02:00
if [ -n "${SSBINARY}" ]; then
2019-07-16 19:06:31 +02:00
LogText "Test: Retrieving ss information to find listening ports"
DATA=$(${SSBINARY} --query=udp,tcp -plnt | ${AWKBINARY} '{ if ($1!="Netid") { print "raw,ss,v1|"$1"|"$5"|"$7"|" }}' | ${SEDBINARY} 's/pid=[0-9]\{1,\},fd=[0-9]\{1,\}//g' | ${SEDBINARY} 's/users://' | ${SEDBINARY} 's/,)//g' | ${TRBINARY} -d '()"')
2019-06-24 13:39:30 +02:00
elif [ -n "${NETSTATBINARY}" ]; then
2019-07-16 19:06:31 +02:00
LogText "Test: Retrieving netstat information to find listening ports"
2014-08-28 13:59:30 +02:00
# UDP
2017-03-06 08:41:21 +01:00
FIND=$(${NETSTATBINARY} -nlp 2> /dev/null | ${GREPBINARY} "^udp" | ${AWKBINARY} '{ print $4"|"$1"|"$6"|" }' | ${SEDBINARY} 's:|[0-9]*/:|:')
2014-08-28 13:59:30 +02:00
# TCP
2017-03-06 08:41:21 +01:00
FIND2=$(${NETSTATBINARY} -nlp 2> /dev/null | ${GREPBINARY} "^tcp" | ${AWKBINARY} '{ if($6=="LISTEN") { print $4"|"$1"|"$7"|" }}' | ${SEDBINARY} 's:|[0-9]*/:|:')
2017-04-30 17:59:35 +02:00
else
2019-06-24 13:39:30 +02:00
ReportException "${TEST_NO}:1" "netstat and ss binary missing to gather listening ports"
2014-08-28 13:59:30 +02:00
fi
2019-06-24 13:39:30 +02:00
;;
2014-08-26 17:33:55 +02:00
2016-11-05 11:53:22 +01:00
macOS)
2019-07-16 19:06:31 +02:00
if [ -n "${LSOFBINARY}" ]; then
LogText "Test: Retrieving lsof information to find listening ports"
2014-09-21 13:01:29 +02:00
# UDP and TCP combined
2019-09-13 11:47:39 +02:00
FIND=$(${LSOFBINARY}${LSOF_EXTRA_OPTIONS} -i -P | ${AWKBINARY} '{ print $9"|"$8"|"$1"|" }' | ${SEDBINARY} 's/\(.*\)\-\>.*\(\|.*\)/\1\2/' | ${SEDBINARY} 's/\*/'$IP'/' | ${SORTBINARY} -u | ${GREPBINARY} -v "NAME")
2016-10-26 12:58:51 +02:00
else
2014-09-21 12:58:08 +02:00
FIND=""
fi
2014-09-21 13:01:29 +02:00
# Not needed as we have a combined test
2014-09-21 12:58:08 +02:00
FIND2=""
2019-06-24 13:39:30 +02:00
;;
2014-08-26 17:33:55 +02:00
NetBSD)
2019-07-16 19:06:31 +02:00
if [ -n "${SOCKSTATBINARY}" ]; then
LogText "Test: Retrieving sockstat information to find listening ports"
2017-03-06 08:41:21 +01:00
FIND=$(${SOCKSTATBINARY} 2> /dev/null | ${AWKBINARY} '{ if ($7 ~ /\*.\*/) print $5"|"$6"|"$2"|" }' | ${SORTBINARY} -u)
2016-10-26 12:58:51 +02:00
else
2014-08-26 17:33:55 +02:00
FIND=""
fi
FIND2=""
2019-06-24 13:39:30 +02:00
;;
2014-11-04 00:30:08 +01:00
OpenBSD)
2019-07-16 19:06:31 +02:00
if [ -n "${NETSTATBINARY}" ]; then
LogText "Test: Retrieving netstat information to find listening ports"
2014-11-04 00:30:08 +01:00
# UDP
2017-03-06 08:41:21 +01:00
FIND=$(${NETSTATBINARY} -an 2> /dev/null | ${GREPBINARY} "^udp" | ${AWKBINARY} '{ print $4"|"$1"||" }')
2014-11-04 00:30:08 +01:00
# TCP
2017-03-06 08:41:21 +01:00
FIND2=$(${NETSTATBINARY} -an 2> /dev/null | ${GREPBINARY} "^tcp" | ${AWKBINARY} '{ if($6=="LISTEN") { print $4"|"$1"||" }}')
2016-10-26 12:58:51 +02:00
else
2014-11-04 00:30:08 +01:00
ReportException "${TEST_NO}:3" "netstat missing to gather listening ports"
fi
2019-06-24 13:39:30 +02:00
;;
2020-08-09 01:12:51 +02:00
Solaris)
if [ -n "${NETSTATBINARY}" ]; then
LogText "Test: Retrieving netstat information to find listening ports"
FIND=$(${NETSTATBINARY} -an -P udp | ${AWKBINARY} '{ if($7=="LISTEN") { print $1"|udp|LISTEN|" }}')
FIND2=$(${NETSTATBINARY} -an -P tcp | ${AWKBINARY} '{ if($7=="LISTEN") { print $1"|tcp|LISTEN|" }}')
else
ReportException "${TEST_NO}:4" "netstat missing to gather listening ports"
fi
;;
2014-08-26 17:33:55 +02:00
*)
# Got this exception? Provide your details and output of netstat or any other tool to determine this information.
2014-08-28 13:59:30 +02:00
ReportException "${TEST_NO}:2" "Unclear what method to use, to determine listening port information"
2019-06-24 13:39:30 +02:00
;;
2014-08-26 17:33:55 +02:00
esac
2019-07-16 19:06:31 +02:00
if [ -n "${DATA}" ]; then
2019-08-04 19:19:12 +02:00
for ITEM in ${DATA}; do
2019-06-24 13:39:30 +02:00
COUNT=$((COUNT + 1))
Report "network_listen[]=${ITEM}"
done
fi
2019-07-16 19:06:31 +02:00
if [ -n "${FIND}" ]; then
2019-08-04 19:19:12 +02:00
for ITEM in ${FIND}; do
2017-04-30 17:59:35 +02:00
COUNT=$((COUNT + 1))
LogText "Found listening info: ${ITEM}"
Report "network_listen_port[]=${ITEM}"
2014-08-26 17:33:55 +02:00
done
fi
2019-07-16 19:06:31 +02:00
if [ -n "${FIND2}" ]; then
2019-08-04 19:19:12 +02:00
for ITEM in ${FIND2}; do
2017-04-30 17:59:35 +02:00
COUNT=$((COUNT + 1))
LogText "Found listening info: ${ITEM}"
Report "network_listen_port[]=${ITEM}"
2014-08-26 17:33:55 +02:00
done
fi
2019-06-24 13:39:30 +02:00
if [ -z "${DATA}" -a -z "${FIND}" ]; then
2016-10-26 12:58:51 +02:00
Display --indent 2 --text "- Getting listening ports (TCP/UDP)" --result "${STATUS_SKIPPED}" --color YELLOW
else
Display --indent 2 --text "- Getting listening ports (TCP/UDP)" --result "${STATUS_DONE}" --color GREEN
2014-08-26 17:33:55 +02:00
fi
fi
#
#################################################################################
#
# Test : NETW-3014
# Description : Checking promiscuous interfaces (BSD)
# Note : FreeBSD and others
if [ "${OS}" = "DragonFly" -o "${OS}" = "FreeBSD" -o "${OS}" = "NetBSD" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
2016-07-24 17:22:00 +02:00
Register --test-no NETW-3014 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking promiscuous interfaces (BSD)"
2014-08-26 17:33:55 +02:00
if [ ${SKIPTEST} -eq 0 ]; then
2015-12-21 21:17:15 +01:00
LogText "Test: Checking promiscuous interfaces (FreeBSD)"
2017-03-06 08:41:21 +01:00
FIND=$(${IFCONFIGBINARY} 2> /dev/null | ${GREPBINARY} PROMISC | ${CUTBINARY} -d ':' -f1)
2017-04-30 17:59:35 +02:00
if HasData "${FIND}"; then
2015-12-21 21:17:15 +01:00
LogText "Result: Promiscuous interfaces: ${FIND}"
2017-04-30 17:59:35 +02:00
for ITEM in ${FIND}; do
2016-04-13 17:08:58 +02:00
WHITELISTED=0
for PROFILE in ${PROFILES}; do
2017-04-30 17:59:35 +02:00
Debug "Checking if interface ${ITEM} is whitelisted in profile ${PROFILE}"
ISWHITELISTED=$(${GREPBINARY} "^if_promisc:${ITEM}:" ${PROFILE})
if HasData "${ISWHITELISTED}"; then
2016-04-13 17:08:58 +02:00
WHITELISTED=1
LogText "Result: this interface was whitelisted in profile (${PROFILE})"
fi
done
# Check if this interface was whitelisted
if [ ${WHITELISTED} -eq 0 ]; then
2014-08-26 17:33:55 +02:00
FOUNDPROMISC=1
2020-01-28 21:29:34 +01:00
ReportWarning "${TEST_NO}" "Found promiscuous interface (${ITEM})"
2015-12-21 21:17:15 +01:00
LogText "Note: some tools put an interface into promiscuous mode, to capture/log network traffic"
2016-10-26 12:58:51 +02:00
else
2020-01-28 21:29:34 +01:00
LogText "Result: Found promiscuous interface ${ITEM} (*whitelisted via profile*)"
2014-08-26 17:33:55 +02:00
fi
done
fi
# Show result
if [ ${FOUNDPROMISC} -eq 0 ]; then
2016-06-18 11:14:01 +02:00
Display --indent 2 --text "- Checking promiscuous interfaces" --result "${STATUS_OK}" --color GREEN
2015-12-21 21:17:15 +01:00
LogText "Result: No promiscuous interfaces found"
2016-10-26 12:58:51 +02:00
else
2016-06-18 11:14:01 +02:00
Display --indent 2 --text "- Checking promiscuous interfaces" --result "${STATUS_WARNING}" --color RED
2014-08-26 17:33:55 +02:00
fi
fi
#
#################################################################################
#
# Test : NETW-3015
# Description : Checking promiscuous interfaces (Linux)
2019-03-21 09:34:26 +01:00
Register --test-no NETW-3015 --os Linux --weight L --network NO --category security --description "Checking promiscuous interfaces (Linux)"
2014-08-26 17:33:55 +02:00
if [ ${SKIPTEST} -eq 0 ]; then
2019-03-21 09:34:26 +01:00
FOUNDPROMISC=99
NETWORK=""
USE_IP_INSTEAD_IFCONFIG=0
2019-07-16 13:20:30 +02:00
if [ -n "${IPBINARY}" ]; then
2019-03-21 09:34:26 +01:00
LogText "Test: Using ip binary to retrieve network interfaces"
NETWORK=$(${IPBINARY} -o link 2> /dev/null | ${GREPBINARY} "^[0-9]" | ${AWKBINARY} '{print $2 }' | ${TRBINARY} -d ':')
USE_IP_INSTEAD_IFCONFIG=1
2019-07-16 13:20:30 +02:00
elif [ -n "${IFCONFIGBINARY}" ]; then
2019-03-21 09:34:26 +01:00
LogText "Test: Using ifconfig binary to retrieve network interfaces"
NETWORK=$(${IFCONFIGBINARY} 2> /dev/null | ${GREPBINARY} Link | ${TRBINARY} -s ' ' | ${CUTBINARY} -d ' ' -f1)
fi
LogText "Test: Checking all interfaces to discover any with promiscuous mode enabled"
2019-07-16 13:20:30 +02:00
if [ -n "${NETWORK}" ]; then
2019-03-21 09:34:26 +01:00
FOUNDPROMISC=0
2014-08-26 17:33:55 +02:00
for I in ${NETWORK}; do
2019-03-21 09:34:26 +01:00
if [ ${USE_IP_INSTEAD_IFCONFIG} -eq 1 ]; then
2020-01-11 11:31:40 +01:00
FIND=$(${IPBINARY} -o -d link show ${I} 2> /dev/null | ${GREPBINARY} "promiscuity [1-9]")
2019-03-21 09:34:26 +01:00
else
FIND=$(${IFCONFIGBINARY} ${I} 2> /dev/null | ${GREPBINARY} PROMISC)
fi
2019-07-16 13:20:30 +02:00
if [ -n "${FIND}" ]; then
2015-12-21 21:17:15 +01:00
LogText "Result: Promiscuous interface: ${I}"
2017-03-06 08:41:21 +01:00
ISWHITELISTED=$(${GREPBINARY} "^if_promisc:${I}:" ${PROFILE})
2019-03-21 09:34:26 +01:00
if [ -z "${ISWHITELISTED}" ]; then
2014-08-26 17:33:55 +02:00
FOUNDPROMISC=1
2019-12-18 12:17:46 +01:00
ReportWarning "${TEST_NO}" "Found promiscuous interface" "${I}" "text:Determine if this mode is required or whitelist interface in profile"
2015-12-21 21:17:15 +01:00
LogText "Note: some tools put an interface into promiscuous mode, to capture/log network traffic"
2016-10-26 12:58:51 +02:00
else
2015-12-21 21:17:15 +01:00
LogText "Result: Found promiscuous interface ${I} (*whitelisted via profile*)"
2014-08-26 17:33:55 +02:00
fi
fi
done
2019-03-21 09:34:26 +01:00
else
LogText "Result: no network interfaces discovered, so nothing tested"
2014-08-26 17:33:55 +02:00
fi
# Show result
if [ ${FOUNDPROMISC} -eq 0 ]; then
2016-06-18 11:14:01 +02:00
Display --indent 2 --text "- Checking promiscuous interfaces" --result "${STATUS_OK}" --color GREEN
2015-12-21 21:17:15 +01:00
LogText "Result: No promiscuous interfaces found"
2019-03-21 09:34:26 +01:00
elif [ ${FOUNDPROMISC} -eq 1 ]; then
2016-06-18 11:14:01 +02:00
Display --indent 2 --text "- Checking promiscuous interfaces" --result "${STATUS_WARNING}" --color RED
2019-03-21 09:34:26 +01:00
else
Display --indent 2 --text "- Checking promiscuous interfaces" --result "${STATUS_UNKNOWN}" --color YELLOW
2014-08-26 17:33:55 +02:00
fi
fi
#
#################################################################################
#
2017-04-30 17:59:35 +02:00
# Do you have a multipath configuration on Linux or other OS? Create a related test and send in a pull request on GitHub
# Test : NETW-3020 TODO
# Description : Checking multipath configuration
2014-08-26 17:33:55 +02:00
#
#################################################################################
#
# Test : NETW-3028
# Description : Checking for many waiting connections
# Type : Performance
2015-07-14 00:31:59 +02:00
# Notes : It is common to see a healthy web server seeing to have several thousands of TCP connections in WAIT state
2014-08-28 13:59:30 +02:00
if [ ! "${NETSTATBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
2016-07-24 17:22:00 +02:00
Register --test-no NETW-3028 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking connections in WAIT state"
2014-08-26 17:33:55 +02:00
if [ ${SKIPTEST} -eq 0 ]; then
2015-12-21 21:17:15 +01:00
LogText "Test: Using netstat for check for connections in WAIT state"
2016-09-10 16:12:44 +02:00
FIND=$(${NETSTATBINARY} -an | ${GREPBINARY} WAIT | ${WCBINARY} -l | ${AWKBINARY} '{ print $1 }')
2017-04-30 17:59:35 +02:00
if IsEmpty "${OPTIONS_CONN_MAX_WAIT_STATE}"; then OPTIONS_CONN_MAX_WAIT_STATE="5000"; fi
2015-12-21 21:17:15 +01:00
LogText "Result: currently ${FIND} connections are in a waiting state (max configured: ${OPTIONS_CONN_MAX_WAIT_STATE})."
2014-08-26 17:33:55 +02:00
if [ ${FIND} -gt ${OPTIONS_CONN_MAX_WAIT_STATE} ]; then
2016-06-18 11:14:01 +02:00
Display --indent 2 --text "- Checking waiting connections" --result "${STATUS_WARNING}" --color YELLOW
2015-07-14 00:31:59 +02:00
ReportSuggestion "${TEST_NO}" "Determine why system has many connections in WAIT state (${FIND})"
2016-09-10 16:12:44 +02:00
else
2016-06-18 11:14:01 +02:00
Display --indent 2 --text "- Checking waiting connections" --result "${STATUS_OK}" --color GREEN
2015-12-21 21:17:15 +01:00
LogText "Result: ${FIND} connections are in WAIT state"
2014-08-26 17:33:55 +02:00
fi
fi
#
#################################################################################
2015-12-29 16:28:18 +01:00
#
2015-12-29 16:30:31 +01:00
# Test : NETW-3030
# Description : Checking for DHCP client
2016-07-24 17:22:00 +02:00
Register --test-no NETW-3030 --weight L --network NO --category security --description "Checking DHCP client status"
2015-12-29 16:28:18 +01:00
if [ ${SKIPTEST} -eq 0 ]; then
2019-07-26 11:32:48 +02:00
if IsRunning "dhclient" || IsRunning "dhcpcd" || IsRunning "udhcpc"; then
2016-06-18 11:14:01 +02:00
Display --indent 2 --text "- Checking status DHCP client" --result "${STATUS_RUNNING}" --color WHITE
2015-12-29 16:30:31 +01:00
DHCP_CLIENT_RUNNING=1
2016-09-10 16:12:44 +02:00
else
2020-11-14 21:27:39 +01:00
Display --indent 2 --text "- Checking status DHCP client" --result "${STATUS_NOT_ACTIVE}" --color WHITE
2015-12-29 16:28:18 +01:00
fi
fi
#
#################################################################################
2014-08-26 17:33:55 +02:00
#
2015-12-29 16:30:31 +01:00
# Test : NETW-3032
# Description : Checking for ARP spoofing and related monitoring software
2016-07-24 17:22:00 +02:00
Register --test-no NETW-3032 --os Linux --weight L --network NO --category security --description "Checking for ARP monitoring software"
2014-08-26 17:33:55 +02:00
if [ ${SKIPTEST} -eq 0 ]; then
2016-08-29 19:31:17 +02:00
FOUND=0
2016-09-10 16:12:44 +02:00
2019-07-14 08:28:49 +02:00
# addrwatch
if IsRunning "addrwatch"; then
FOUND=1
fi
2016-08-29 19:31:17 +02:00
# arpwatch
2019-07-14 08:28:49 +02:00
if IsRunning "arpwatch"; then
2016-08-29 19:31:17 +02:00
FOUND=1
2015-12-29 16:30:31 +01:00
ARPWATCH_RUNNING=1
2016-08-29 19:31:17 +02:00
fi
2016-09-10 16:12:44 +02:00
2016-08-29 19:31:17 +02:00
# arpon
2019-07-14 08:28:49 +02:00
if IsRunning "arpon"; then
2016-08-29 19:31:17 +02:00
FOUND=1
ARPON_RUNNING=1
fi
2019-07-14 08:28:49 +02:00
if [ ${FOUND} -eq 1 ]; then
Display --indent 2 --text "- Checking for ARP monitoring software" --result "${STATUS_RUNNING}" --color GREEN
else
2016-06-18 11:14:01 +02:00
Display --indent 2 --text "- Checking for ARP monitoring software" --result "${STATUS_NOT_FOUND}" --color YELLOW
2019-08-28 15:43:10 +02:00
#ReportSuggestion "${TEST_NO}" "Consider running ARP monitoring software (addrwatch,arpwatch,arpon)"
2014-08-26 17:33:55 +02:00
fi
fi
#
#################################################################################
#
2019-08-22 14:12:53 +02:00
# Test : NETW-3200
# Description : Determine available network protocols
2020-03-25 15:19:21 +01:00
# Notes : See all available supported modules: ls -d /lib/modules/$(uname -r )/kernel/net
# To see active/enabled protocols: ls -d /proc/sys/net
2019-08-22 14:12:53 +02:00
Register --test-no NETW-3200 --weight L --network YES --category security --description "Determine available network protocols"
if [ ${SKIPTEST} -eq 0 ]; then
TESTED=0
2020-03-25 15:15:42 +01:00
FOUND_UNCOMMON_PROTOCOL_ENABLED=0
2019-08-22 14:12:53 +02:00
case ${OS} in
Linux)
TESTED=1
LogText "Test: checking the status of some network protocols that typically are not used"
UNCOMMON_PROTOCOLS="dccp sctp rds tipc"
for P in ${UNCOMMON_PROTOCOLS}; do
2020-03-25 15:15:42 +01:00
LogText "Test: now checking module '${P}'"
2019-08-22 14:12:53 +02:00
if ! SkipAtomicTest "${TEST_NO}:${P}"; then
2020-03-25 15:15:42 +01:00
UNCOMMON_PROTOCOL_DISABLED=0
# First check modprobe.conf
2019-08-22 14:12:53 +02:00
if [ -f ${ROOTDIR}etc/modprobe.conf ]; then
2021-10-26 10:53:33 +02:00
DATA=$(${GREPBINARY} "^install \+${P} \+/bin/true$" ${ROOTDIR}etc/modprobe.conf)
2019-08-22 14:12:53 +02:00
if [ -n "${DATA}" ]; then
2020-03-25 15:15:42 +01:00
LogText "Result: found ${P} module disabled via modprobe.conf"
UNCOMMON_PROTOCOL_DISABLED=1
2019-08-22 14:12:53 +02:00
fi
fi
2020-03-25 15:15:42 +01:00
# Then additional modprobe configuration files
2019-08-22 14:12:53 +02:00
if [ -d ${ROOTDIR}etc/modprobe.d ]; then
2021-07-29 14:52:29 +02:00
# Return file names (-l) and suppress errors (-s)
2021-10-26 10:53:33 +02:00
DATA=$(${GREPBINARY} -l -s "^install \+${P} \+/bin/true$" ${ROOTDIR}etc/modprobe.d/*)
2019-08-22 14:12:53 +02:00
if [ -n "${DATA}" ]; then
2020-03-25 15:15:42 +01:00
UNCOMMON_PROTOCOL_DISABLED=1
2019-08-22 14:12:53 +02:00
for F in ${DATA}; do
2020-03-25 15:15:42 +01:00
LogText "Result: found ${P} module disabled via ${F}"
2019-08-22 14:12:53 +02:00
done
fi
fi
2020-03-25 15:15:42 +01:00
if [ ${UNCOMMON_PROTOCOL_DISABLED} -eq 0 ]; then
ReportSuggestion "${TEST_NO}" "Determine if protocol '${P}' is really needed on this system"
2019-08-22 14:12:53 +02:00
Report "uncommon_network_protocol_enabled=${P}"
2020-03-25 15:15:42 +01:00
FOUND_UNCOMMON_PROTOCOL_ENABLED=1
2019-08-22 14:12:53 +02:00
fi
fi
done
;;
*)
LogText "This test has no routine yet for this operating system."
Debug "No routine implemented yet for this operating system to check for available network protocols"
;;
esac
if [ ${TESTED} -eq 1 ]; then
2020-03-25 15:15:42 +01:00
if [ ${FOUND_UNCOMMON_PROTOCOL_ENABLED} -eq 1 ]; then
2019-08-22 14:12:53 +02:00
Display --indent 2 --text "- Uncommon network protocols" --result "${FOUND}" --color YELLOW
else
Display --indent 2 --text "- Uncommon network protocols" --result "${STATUS_NOT_FOUND}" --color GREEN
fi
fi
unset DATA F FOUND TESTED UNCOMMON_PROTOCOLS
fi
#
#################################################################################
#
2016-04-28 12:31:57 +02:00
WaitForKeyPress
2014-08-26 17:33:55 +02:00
#
#================================================================================
2016-03-13 16:03:46 +01:00
# Lynis - Security Auditing and System Hardening for Linux and UNIX - https://cisofy.com