2014-08-26 17:33:55 +02:00
|
|
|
#!/bin/sh
|
|
|
|
|
|
|
|
#################################################################################
|
|
|
|
#
|
|
|
|
# Lynis
|
|
|
|
# ------------------
|
|
|
|
#
|
2016-03-13 16:00:39 +01:00
|
|
|
# Copyright 2007-2013, Michael Boelen
|
|
|
|
# Copyright 2013-2016, CISOfy
|
|
|
|
#
|
|
|
|
# Website : https://cisofy.com
|
|
|
|
# Blog : http://linux-audit.com
|
|
|
|
# GitHub : https://github.com/CISOfy/lynis
|
2014-08-26 17:33:55 +02:00
|
|
|
#
|
|
|
|
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
|
|
|
|
# welcome to redistribute it under the terms of the GNU General Public License.
|
|
|
|
# See LICENSE file for usage of this software.
|
|
|
|
#
|
|
|
|
#################################################################################
|
|
|
|
#
|
|
|
|
# Kernel
|
|
|
|
#
|
|
|
|
#################################################################################
|
|
|
|
#
|
|
|
|
InsertSection "Kernel Hardening"
|
|
|
|
#
|
|
|
|
#################################################################################
|
|
|
|
#
|
|
|
|
# Test : KRNL-6000
|
|
|
|
# Description : Check sysctl parameters
|
|
|
|
# Sysctl : net.ipv4.icmp_ingore_bogus_error_responses (=1)
|
|
|
|
if [ ! "${SYSCTL_READKEY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
2016-07-24 17:22:00 +02:00
|
|
|
Register --test-no KRNL-6000 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check sysctl key pairs in scan profile"
|
2014-08-26 17:33:55 +02:00
|
|
|
if [ ${SKIPTEST} -eq 0 ]; then
|
2016-04-13 16:13:04 +02:00
|
|
|
FOUND=0
|
2016-08-18 14:35:20 +02:00
|
|
|
DATA_TO_SCAN=""
|
2014-08-26 17:33:55 +02:00
|
|
|
N=0
|
2014-09-15 12:01:09 +02:00
|
|
|
Display --indent 2 --text "- Comparing sysctl key pairs with scan profile"
|
2016-08-18 14:35:20 +02:00
|
|
|
|
|
|
|
# First scan optional profiles only (ignore default and custom)
|
2016-04-13 16:13:04 +02:00
|
|
|
for PROFILE in ${PROFILES}; do
|
2016-08-25 15:31:33 +02:00
|
|
|
FILE=$(echo ${PROFILE} | ${AWKBINARY} -F/ '{print $NF}')
|
2016-08-18 14:35:20 +02:00
|
|
|
if [ ! "${FILE}" = "default.prf" -a ! "${FILE}" = "custom.prf" ]; then
|
2016-09-08 21:04:17 +02:00
|
|
|
FIND=$(${GREPBINARY} "^config-data=sysctl;" ${PROFILE} | ${SEDBINARY} 's/ /-space-/g')
|
2016-08-18 14:35:20 +02:00
|
|
|
DATA_TO_SCAN="${DATA_TO_SCAN} ${FIND}"
|
|
|
|
fi
|
|
|
|
done
|
|
|
|
|
|
|
|
# Scan custom profile
|
|
|
|
if [ ! -z "${CUSTOM_PROFILE}" ]; then
|
2016-09-08 21:04:17 +02:00
|
|
|
FIND=$(${GREPBINARY} "^config-data=sysctl;" ${CUSTOM_PROFILE} | ${SEDBINARY} 's/ /-space-/g')
|
2016-08-18 14:35:20 +02:00
|
|
|
for LINE in ${FIND}; do
|
2016-08-25 15:31:33 +02:00
|
|
|
SYSCTLKEY=$(echo ${LINE} | ${AWKBINARY} -F\; '{ print $2 }')
|
2016-08-18 14:35:20 +02:00
|
|
|
HAS_KEY=$(echo ${DATA_TO_SCAN} | ${GREPBINARY} ";${SYSCTLKEY};")
|
|
|
|
if [ $? -gt 0 ]; then DATA_TO_SCAN="${DATA_TO_SCAN} ${LINE}"; fi
|
2016-04-13 16:13:04 +02:00
|
|
|
done
|
2016-08-18 14:35:20 +02:00
|
|
|
fi
|
|
|
|
|
|
|
|
# Last, use data from default profile
|
|
|
|
if [ ! -z "${DEFAULT_PROFILE}" ]; then
|
2016-09-08 21:04:17 +02:00
|
|
|
FIND=$(${GREPBINARY} "^config-data=sysctl;" ${DEFAULT_PROFILE} | ${SEDBINARY} 's/ /-space-/g')
|
2016-08-18 14:35:20 +02:00
|
|
|
for LINE in ${FIND}; do
|
2016-08-25 15:31:33 +02:00
|
|
|
SYSCTLKEY=$(echo ${LINE} | ${AWKBINARY} -F\; '{ print $2 }')
|
2016-08-18 14:35:20 +02:00
|
|
|
HAS_KEY=$(echo ${DATA_TO_SCAN} | ${GREPBINARY} ";${SYSCTLKEY};")
|
|
|
|
if [ $? -gt 0 ]; then DATA_TO_SCAN="${DATA_TO_SCAN} ${LINE}"; fi
|
|
|
|
done
|
|
|
|
fi
|
|
|
|
|
|
|
|
# Sort the results
|
2016-09-08 21:04:17 +02:00
|
|
|
DATA_TO_SCAN=$(echo ${DATA_TO_SCAN} | ${TRBINARY} ' ' '\n' | sort)
|
2016-08-18 14:35:20 +02:00
|
|
|
|
|
|
|
for I in ${DATA_TO_SCAN}; do
|
2016-08-25 15:31:33 +02:00
|
|
|
tFINDkey=$(echo ${I} | ${AWKBINARY} -F\; '{ print $2 }')
|
|
|
|
tFINDexpvalue=$(echo ${I} | ${AWKBINARY} -F\; '{ print $3 }')
|
|
|
|
tFINDhp=$(echo ${I} | ${AWKBINARY} -F\; '{ print $4 }' | ${GREPBINARY} "[0-9]")
|
2016-09-08 21:04:17 +02:00
|
|
|
tFINDdesc=$(echo ${I} | ${AWKBINARY} -F\; '{ print $5 }' | ${SEDBINARY} 's/-space-/ /g')
|
2016-08-18 14:35:20 +02:00
|
|
|
tFINDcurvalue=$(${SYSCTL_READKEY} ${tFINDkey} 2> /dev/null)
|
|
|
|
if [ ! "${tFINDcurvalue}" = "" ]; then
|
|
|
|
if [ "${tFINDexpvalue}" = "${tFINDcurvalue}" ]; then
|
|
|
|
LogText "Result: sysctl key ${tFINDkey} contains equal expected and current value (${tFINDexpvalue})"
|
|
|
|
Display --indent 4 --text "- ${tFINDkey} (exp: ${tFINDexpvalue})" --result "${STATUS_OK}" --color GREEN
|
|
|
|
AddHP ${tFINDhp} ${tFINDhp}
|
|
|
|
else
|
|
|
|
LogText "Result: sysctl key ${tFINDkey} has a different value than expected in scan profile. Expected=${tFINDexpvalue}, Real=${tFINDcurvalue}"
|
|
|
|
Display --indent 4 --text "- ${tFINDkey} (exp: ${tFINDexpvalue})" --result DIFFERENT --color RED
|
|
|
|
AddHP 0 ${tFINDhp}
|
|
|
|
FOUND=1
|
|
|
|
N=$((N + 1))
|
|
|
|
ReportDetails --test "${TEST_NO}" --service "sysctl" --field "${tFINDkey}" --value "${tFINDcurvalue}" --preferredvalue "${tFINDexpvalue}" --description "${tFINDdesc}"
|
|
|
|
fi
|
|
|
|
else
|
|
|
|
LogText "Result: key ${tFINDkey} does not exist on this machine"
|
|
|
|
fi
|
2014-08-26 17:33:55 +02:00
|
|
|
done
|
|
|
|
|
|
|
|
# Add suggestion if one or more sysctls have a different value than scan profile
|
2016-04-13 16:13:04 +02:00
|
|
|
if [ ${FOUND} -eq 1 ]; then
|
|
|
|
LogText "Result: found ${N} keys that can use tuning, according scan profile"
|
2014-08-26 17:33:55 +02:00
|
|
|
ReportSuggestion ${TEST_NO} "One or more sysctl values differ from the scan profile and could be tweaked"
|
|
|
|
fi
|
|
|
|
fi
|
|
|
|
#
|
|
|
|
#################################################################################
|
|
|
|
#
|
|
|
|
|
2016-04-28 12:31:57 +02:00
|
|
|
WaitForKeyPress
|
2014-08-26 17:33:55 +02:00
|
|
|
|
|
|
|
#
|
|
|
|
#================================================================================
|
2016-03-13 16:03:46 +01:00
|
|
|
# Lynis - Security Auditing and System Hardening for Linux and UNIX - https://cisofy.com
|