lynis/include/tests_networking

629 lines
30 KiB
Plaintext
Raw Normal View History

2014-08-26 17:33:55 +02:00
#!/bin/sh
#################################################################################
#
# Lynis
# ------------------
#
2016-03-13 16:00:39 +01:00
# Copyright 2007-2013, Michael Boelen
# Copyright 2013-2016, CISOfy
#
# Website : https://cisofy.com
# Blog : http://linux-audit.com
# GitHub : https://github.com/CISOfy/lynis
2014-08-26 17:33:55 +02:00
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
# See LICENSE file for usage of this software.
#
#################################################################################
#
# Networking
#
#################################################################################
#
FOUNDPROMISC=0 # Promiscuous interfaces
LOCAL_DNSRESOLVER_FOUND=0 # Local DNS resolver
NUMBERACTIVENS=0 # Number of active nameservers
DHCP_CLIENT_RUNNING=0 # DHCP client availability
2015-12-29 16:28:18 +01:00
ARPWATCH_RUNNING=0 # ARP-cache based attack monitoring software
2014-08-26 17:33:55 +02:00
#
#################################################################################
#
InsertSection "Networking"
#
#################################################################################
#
# Test : NETW-2600
# Description : Gather IPv6 configuration
Register --test-no NETW-2600 --os "Linux" --weight L --network YES --category security --description "Checking IPv6 configuration"
if [ ${SKIPTEST} -eq 0 ]; then
IPV6_CONFIGURED=0
IPV6_ACCEPT_RA=255
IPV6_ACCEPT_REDIRECTS=255
IPV6_MANUAL_CONFIGURED=255
IPV6_ONLY=255
IPV6_MISCONFIGURED=0
IPV6_MISCONFIGURED_MTU=0
FIND=`sysctl -a 2> /dev/null | grep "^net.ipv6" | sed "s/ = /=/"`
if [ ! "${FIND}" = "" ]; then
IPV6_CONFIGURED=1
for I in ${FIND}; do
SYSCTL_KEY=`echo ${I} | awk -F= '{ print $1 }'`
SYSCTL_VALUE=`echo ${I} | awk -F= '{ print $2 }'`
case ${SYSCTL_KEY} in
"net.ipv6.conf.default.accept_ra")
if [ "${SYSCTL_VALUE}" = "1" ]; then IPV6_ACCEPT_RA=1; else IPV6_ACCEPT_RA=0; fi
;;
"net.ipv6.conf.default.accept_redirects")
if [ "${SYSCTL_VALUE}" = "1" ]; then IPV6_ACCEPT_REDIRECTS=1; else IPV6_ACCEPT_REDIRECTS=0; fi
;;
"net.ipv6.bindv6only")
if [ "${SYSCTL_VALUE}" = "1" ]; then IPV6_ONLY=1; else IPV6_ONLY=0; fi
;;
"net.ipv6.conf.all.mtu" | "net.ipv6.conf.default.mtu")
if [ ${SYSCTL_VALUE} -lt 1280 ]; then IPV6_MISCONFIGURED_MTU=1; fi
;;
#if TestValue --function equals --value "${SYSCTL_VALUE}" --search "1"; then
# echo "Found ${SYSCTL_VALUE}"
#else
# echo "Not found"
#fi
esac
done
else
IPV6_MODE="disabled"
fi
# Check if we are manually configured (not accepting automatic configuration)
if [ ${IPV6_ACCEPT_RA} -eq 0 -a ${IPV6_ACCEPT_REDIRECTS} -eq 0 ]; then
IPV6_MANUAL_CONFIGURED=1
IPV6_MODE="manual"
elif [ ${IPV6_ACCEPT_RA} -eq 1 -o ${IPV6_ACCEPT_REDIRECTS} -eq 1 ]; then
IPV6_MODE="auto"
else
IPV6_MODE="disabled"
fi
LogText "Result: IPV6 mode is ${IPV6_MODE}"
if [ ${IPV6_CONFIGURED} -eq 1 ]; then
Display --indent 2 --text "- Checking IPv6 configuration" --result "${STATUS_ENABLED}" --color WHITE
STATUS=`echo ${IPV6_MODE} | tr '[:lower:]' '[:upper:]'`
Display --indent 6 --text "Configuration method" --result "${STATUS}" --color WHITE
if [ ${IPV6_ONLY} -eq 1 ]; then STATUS="YES"; else STATUS="NO"; fi
LogText "Result: IPv6 only configuration: ${STATUS}"
Display --indent 6 --text "IPv6 only" --result "${STATUS}" --color WHITE
else
Display --indent 2 --text "- Checking IPv6 configuration" --result "${STATUS_DISABLED}" --color WHITE
fi
# Configuration errors
if [ ${IPV6_MISCONFIGURED_MTU} -eq 1 ]; then
IPV6_MISCONFIGURED=1
LogText "Result: MTU of IPv6 interfaces should be 1280 or higher"
Display --indent 6 --text "Error: MTU is too low" --result "${STATUS_WARNING}" --color RED
ReportSuggestion "${TEST_NO}" "Check your MTU configuration of IPv6 interfaces"
fi
# Possible improvements:
# - Check if we found IPv6 enabled nameservers
# Report
2016-04-28 09:15:54 +02:00
Report "ipv6_mode=${IPV6_MODE}"
Report "ipv6_only=${IPV6_ONLY}"
fi
#
#################################################################################
2014-08-26 17:33:55 +02:00
#
2015-07-22 16:28:11 +02:00
# Test : NETW-2704
2014-08-26 17:33:55 +02:00
# Description : Basic nameserver configuration tests (connectivity)
Register --test-no NETW-2704 --weight L --network YES --category security --description "Basic nameserver configuration tests"
2014-08-26 17:33:55 +02:00
if [ ${SKIPTEST} -eq 0 ]; then
2014-09-15 12:01:09 +02:00
Display --indent 2 --text "- Checking configured nameservers"
LogText "Test: Checking /etc/resolv.conf file"
2014-08-26 17:33:55 +02:00
if [ -f /etc/resolv.conf ]; then
LogText "Result: Found /etc/resolv.conf file"
FIND=`grep '^nameserver' /etc/resolv.conf | tr -d '\t' | sed 's/nameserver*//g' | uniq`
2014-08-26 17:33:55 +02:00
if [ ! "${FIND}" = "" ]; then
2014-09-15 12:01:09 +02:00
Display --indent 4 --text "- Testing nameservers"
LogText "Test: Querying nameservers"
2014-08-26 17:33:55 +02:00
for I in ${FIND}; do
LogText "Found nameserver: ${I}"
Report "nameserver[]=${I}"
2015-07-22 16:28:11 +02:00
# Check if a local resolver is available (like DNSMasq)
2014-08-26 17:33:55 +02:00
if [ "${I}" = "::1" -o "${I}" = "127.0.0.1" -o "${I}" = "0.0.0.0" ]; then
LOCAL_DNSRESOLVER_FOUND=1
fi
if [ ! "${DIGBINARY}" = "" ]; then
# See if we can query something at the nameserver
# 0=good, other=bad
DNSRESPONSE=`${DIGBINARY} +noall +time=3 +retry=0 @${I} ${I} > /dev/null ; echo $?`
if [ "${DNSRESPONSE}" = "0" ]; then
Display --indent 8 --text "Nameserver: ${I}" --result "${STATUS_OK}" --color GREEN
LogText "Nameserver ${I} seems to respond to queries from this host."
2014-08-26 17:33:55 +02:00
# Count responsive nameservers
NUMBERACTIVENS=$((NUMBERACTIVENS + 1))
2014-08-26 17:33:55 +02:00
else
2014-09-15 12:01:09 +02:00
Display --indent 8 --text "Nameserver: ${I}" --result "NO RESPONSE" --color RED
LogText "Result: nameserver ${I} does NOT respond"
LogText "Exit-code from dig: ${DNSRESPONSE}"
2014-08-26 17:33:55 +02:00
ReportSuggestion ${TEST_NO} "Check connection to this nameserver and make sure no outbound DNS queries are blocked (port 53 UDP and TCP)."
2016-08-10 07:24:10 +02:00
ReportWarning ${TEST_NO} "Nameserver ${I} does not respond"
2014-08-26 17:33:55 +02:00
fi
else
LogText "Result: Nameserver test for ${I} skipped, 'dig' not installed"
Display --indent 6 --text "Nameserver: ${I}" --result "${STATUS_SKIPPED}" --color YELLOW
2014-08-26 17:33:55 +02:00
fi
done
fi
fi
fi
#
#################################################################################
#
# Test : NETW-2705
# Description : Basic nameserver configuration tests (connectivity)
if [ ${LOCAL_DNSRESOLVER_FOUND} -eq 0 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no NETW-2705 --preqs-met ${PREQS_MET} --weight L --network YES --category security --description "Check availability two nameservers"
2014-08-26 17:33:55 +02:00
if [ ${SKIPTEST} -eq 0 ]; then
if [ ! "${DIGBINARY}" = "" ]; then
if [ ${NUMBERACTIVENS} -lt 2 ]; then
Display --indent 4 --text "- Minimal of 2 responsive nameservers" --result "${STATUS_WARNING}" --color RED
LogText "Result: less than 2 responsive nameservers found"
2016-08-10 07:24:10 +02:00
ReportWarning ${TEST_NO} "Couldn't find 2 responsive nameservers"
LogText "Note: Non responsive nameservers can give problems for your system(s). Like the lack of recursive lookups, bad connectivity to update servers etc."
2014-08-26 17:33:55 +02:00
ReportSuggestion ${TEST_NO} "Check your resolv.conf file and fill in a backup nameserver if possible"
AddHP 1 2
else
Display --indent 4 --text "- Minimal of 2 responsive nameservers" --result "${STATUS_OK}" --color GREEN
LogText "Result: found at least 2 responsive nameservers"
2014-08-26 17:33:55 +02:00
AddHP 3 3
fi
else
Display --indent 4 --text "- Minimal of 2 responsive nameservers" --result "${STATUS_SKIPPED}" --color YELLOW
LogText "Result: dig not installed, test can't be fully performed"
2014-08-26 17:33:55 +02:00
fi
else
LogText "Result: Test most likely skipped due having local resolver in /etc/resolv.conf"
2014-08-26 17:33:55 +02:00
fi
#
#################################################################################
#
# Test : NETW-3001
# Description : Find default gateway (route)
# More info : BSD: ^default Linux: 0.0.0.0
if [ ! "${NETSTATBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no NETW-3001 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Find default gateway (route)"
if [ $SKIPTEST -eq 0 ]; then
LogText "Test: Searching default gateway(s)"
FIND=`${NETSTATBINARY} -rn | egrep "^0.0.0.0|default" | tr -s ' ' | cut -d ' ' -f2`
2014-08-26 17:33:55 +02:00
if [ ! "${FIND}" = "" ]; then
for I in ${FIND}; do
LogText "Result: Found default gateway ${I}"
Report "default_gateway[]=${I}"
2014-08-26 17:33:55 +02:00
done
Display --indent 2 --text "- Checking default gateway" --result "${STATUS_DONE}" --color GREEN
2014-08-26 17:33:55 +02:00
else
LogText "Result: No default gateway found"
2014-09-15 12:01:09 +02:00
Display --indent 2 --text "- Checking default gateway" --result "NONE FOUND" --color WHITE
2014-08-26 17:33:55 +02:00
fi
fi
#
#################################################################################
#
# Test : NETW-3004
# Description : Find available network interfaces on FreeBSD and others
Register --test-no NETW-3004 --weight L --network NO --category security --description "Search available network interfaces"
2014-08-26 17:33:55 +02:00
if [ ${SKIPTEST} -eq 0 ]; then
FIND=""
2014-08-26 17:33:55 +02:00
N=0
case ${OS} in
AIX)
FIND=`${IFCONFIGBINARY} -a | ${GREPBINARY} "flags=" | ${AWKBINARY} -F ":" '{ print $1 }'`
;;
Linux)
if [ ! "${IPBINARY}" = "" ]; then
FIND=`${IPBINARY} link show | ${GREPBINARY} "^[0-9]" | ${AWKBINARY} '{ print $2 }' | sed 's/://g'`
elif [ ! "${IFCONFIGBINARY}" = "" ]; then
FIND=`${IFCONFIGBINARY} -a | ${AWKBINARY} '{ if ( $2 == "Link" ) { print $1 }}'`
fi
;;
DragonFly|FreeBSD|NetBSD)
FIND=`${IFCONFIGBINARY} -l`
;;
2016-02-09 13:00:29 +01:00
OpenBSD|Solaris)
FIND=`${IFCONFIGBINARY} -a | ${GREPBINARY} "flags=" | ${AWKBINARY} -F ": " '{ print $1 }'`
;;
*)
# Having a system currently unsupported? Share your details to determine network interfaces
ReportException "${TEST_NO}:1" "No support for this OS (${OS}) to find available network interfaces"
;;
esac
if [ ! "${FIND}" = "" ]; then
for I in ${FIND}; do
NETWORK_INTERFACES="${NETWORK_INTERFACES}|${I}"
LogText "Found network interface: ${I}"
N=$((N + 1))
Report "network_interface[]=${I}"
done
else
ReportException "${TEST_NO}:1" "No interfaces found on this system (OS=${OS})"
fi
2014-08-26 17:33:55 +02:00
fi
#
#################################################################################
#
# Test : NETW-3006
# Description : Get network MAC addresses
Register --test-no NETW-3006 --weight L --network NO --category security --description "Get network MAC addresses"
2014-08-26 17:33:55 +02:00
if [ ${SKIPTEST} -eq 0 ]; then
FIND=""
case ${OS} in
AIX)
FIND=`lscfg -vl ent* | fgrep "Network Address" | cut -d"." -f14 | awk '{ ctr=1; i=1; while (ctr <= 6) { d[ctr++]=substr($0,i,2);i=i+2 } printf("%s:%s:%s:%s:%s:%s\n",d[1],d[2],d[3],d[4],d[5],d[6]) }'`
;;
DragonFly|FreeBSD)
FIND=`${IFCONFIGBINARY} -a | ${AWKBINARY} '{ if ($1=="ether") print $2 }' | sort -u`
2014-08-26 17:33:55 +02:00
;;
Linux)
if [ ! "${IFCONFIGBINARY}" = "" ]; then
FIND=`${IFCONFIGBINARY} -a | ${GREPBINARY} "HWaddr" | awk '{ if ($4=="HWaddr") print $5 }' | sort -u`
else
if [ ! "${IPBINARY}" = "" ]; then
LogText "Test: Using ip binary to gather hardware addresses"
FIND=`${IPBINARY} link | ${GREPBINARY} "link/ether" | ${AWKBINARY} '{ print $2 }'`
else
ReportException "${TEST_NO}:2" "Missing ifconfig or ip command to collect hardware address (MAC)"
fi
fi
2014-08-26 17:33:55 +02:00
;;
MacOS)
FIND=`${IFCONFIGBINARY} -a | awk '{ if ($1=="lladdr" || $1=="ether") print $2 }' | sort -u`
2014-08-26 17:33:55 +02:00
;;
NetBSD)
FIND=`${IFCONFIGBINARY} -a | awk '{ if ($1=="address:") print $2 }' | sort -u`
2014-08-26 17:33:55 +02:00
;;
OpenBSD)
FIND=`${IFCONFIGBINARY} -A | awk '{ if ($1=="lladdr") print $2 }' | sort -u`
2014-08-26 17:33:55 +02:00
;;
Solaris)
FIND=`${IFCONFIGBINARY} -a | awk '{ if ($1=="ether") print $2 }' | sort -u`
2014-08-26 17:33:55 +02:00
;;
*)
# Having a system currently unsupported? Share your details to determine MAC information
ReportException "${TEST_NO}:1" "No support for this OS (${OS}) to find MAC information"
;;
esac
N=0
for I in ${FIND}; do
LogText "Found MAC address: ${I}"
N=$((N + 1))
Report "network_mac_address[]=${I}"
2014-08-26 17:33:55 +02:00
done
fi
#
#################################################################################
#
# Test : NETW-3008
# Description : Get network IPv4/6 addresses
Register --test-no NETW-3008 --weight L --network NO --category security --description "Get network IP addresses"
2014-08-26 17:33:55 +02:00
if [ ${SKIPTEST} -eq 0 ]; then
FIND=""; FIND2=""
case ${OS} in
AIX)
FIND=`${IFCONFIGBINARY} -a | awk '{ if ($1=="inet") print $2 }'`
2015-07-22 16:28:11 +02:00
FIND2=`${IFCONFIGBINARY} -a | awk '{ if ($1=="inet6") print $2 }'`
2014-08-26 17:33:55 +02:00
;;
DragonFly|FreeBSD|NetBSD)
FIND=`${IFCONFIGBINARY} -a | awk '{ if ($1=="inet") print $2 }'`
FIND2=`${IFCONFIGBINARY} -a | awk '{ if ($1=="inet6") print $2 }'`
;;
Linux)
if [ ! "${IFCONFIGBINARY}" = "" ]; then
FIND=`${IFCONFIGBINARY} -a | awk '{ if ($1=="inet") print $2 }' | cut -d ':' -f2`
# Version which works for multiple types of ifconfig (e.g. Slackware)
FIND2=`${IFCONFIGBINARY} -a | awk '{ if ($1=="inet6" && $2=="addr:") { print $3 } else { if ($1=="inet6" && $3=="prefixlen") { print $2 } } }'`
else
if [ ! "${IPBINARY}" = "" ]; then
LogText "Test: Using ip binary to gather IP addresses"
FIND=`${IPBINARY} addr | ${AWKBINARY} '{ if ($1=="inet") { print $2 }}' | sed 's/\/.*//'`
FIND2=`${IPBINARY} addr | ${AWKBINARY} '{ if ($1=="inet6") { print $2 }}' | sed 's/\/.*//'`
else
ReportException "${TEST_NO}:2" "Missing ifconfig or ip command to collect hardware address (MAC)"
fi
fi
2014-08-26 17:33:55 +02:00
;;
MacOS)
FIND=`${IFCONFIGBINARY} -a | awk '{ if ($1=="inet") print $2 }'`
FIND2=`${IFCONFIGBINARY} -a | awk '{ if ($1=="inet6") print $2 }'`
;;
OpenBSD)
FIND=`${IFCONFIGBINARY} -A | awk '{ if ($1=="inet") print $2 }'`
FIND2=`${IFCONFIGBINARY} -A | awk '{ if ($1=="inet6") print $2 }'`
;;
Solaris)
FIND=`${IFCONFIGBINARY} -a | awk '{ if ($1=="inet") print $2 }'`
FIND2=`${IFCONFIGBINARY} -a | awk '{ if ($1=="inet6") print $2 }'`
;;
*)
LogText "Result: no support yet for this OS (${OS}) to find IP address information. You can help improving this test by submitting your details."
2014-08-26 17:33:55 +02:00
ReportException "${TEST_NO}:1" "IP address information test not implemented for this operating system"
;;
esac
N=0
# IPv4
for I in ${FIND}; do
LogText "Found IPv4 address: ${I}"
N=$((N + 1))
Report "network_ipv4_address[]=${I}"
2014-08-26 17:33:55 +02:00
done
# IPv6
for I in ${FIND2}; do
LogText "Found IPv6 address: ${I}"
N=$((N + 1))
Report "network_ipv6_address[]=${I}"
2014-08-26 17:33:55 +02:00
done
fi
#
#################################################################################
#
# Test : NETW-3012
# Description : Check listening ports
Register --test-no NETW-3012 --weight L --network NO --category security --description "Check listening ports"
2014-08-26 17:33:55 +02:00
if [ ${SKIPTEST} -eq 0 ]; then
FIND=""; FIND2=""
N=0
case ${OS} in
DragonFly|FreeBSD)
if [ ! "${SOCKSTATBINARY}" = "" ]; then
FIND=`${SOCKSTATBINARY} | awk '{ if ($7 ~ /\*:\*/) print $5"|"$6"|"$2"|" }' | sort -u`
2014-08-26 17:33:55 +02:00
# To strip off IP's: sed 's/|.*:/|/'
else
FIND=""
fi
FIND2=""
;;
Linux)
if [ ! "${NETSTATBINARY}" = "" ]; then
# UDP
FIND=`${NETSTATBINARY} -nlp 2> /dev/null | grep "^udp" | awk '{ print $4"|"$1"|"$6"|" }' | sed 's:|[0-9]*/:|:'`
# TCP
FIND2=`${NETSTATBINARY} -nlp 2> /dev/null | grep "^tcp" | awk '{ if($6=="LISTEN") { print $4"|"$1"|"$7"|" }}' | sed 's:|[0-9]*/:|:'`
else
if [ ! "${SSBINARY}" = "" ]; then
# UDP
FIND=`${SSBINARY} -u -a -n | awk '{ print $4 }' | grep -v Local`
# TCP
FIND2=`${SSBINARY} -t -a -n | awk '{ print $4 }' | grep -v Local`
else
ReportException "${TEST_NO}:1" "netstat and ss binary missing to gather listening ports"
fi
fi
2014-08-26 17:33:55 +02:00
;;
MacOS)
if [ ! "${LSOFBINARY}" = "" ]; then
2014-09-21 13:01:29 +02:00
# UDP and TCP combined
FIND=`${LSOFBINARY} -i -P | awk '{ print $9"|"$8"|"$1"|" }' | sed 's/\(.*\)\-\>.*\(\|.*\)/\1\2/' | sed 's/\*/'$IP'/' | sort -u | grep -v "NAME"`
else
FIND=""
fi
2014-09-21 13:01:29 +02:00
# Not needed as we have a combined test
FIND2=""
;;
2014-08-26 17:33:55 +02:00
NetBSD)
if [ ! "${SOCKSTATBINARY}" = "" ]; then
FIND=`${SOCKSTATBINARY} | awk '{ if ($7 ~ /\*.\*/) print $5"|"$6"|"$2"|" }' | sort -u`
2014-08-26 17:33:55 +02:00
else
FIND=""
fi
FIND2=""
;;
OpenBSD)
if [ ! "${NETSTATBINARY}" = "" ]; then
# UDP
FIND=`${NETSTATBINARY} -an 2> /dev/null | grep "^udp" | awk '{ print $4"|"$1"||" }'`
# TCP
FIND2=`${NETSTATBINARY} -an 2> /dev/null | grep "^tcp" | awk '{ if($6=="LISTEN") { print $4"|"$1"||" }}'`
else
ReportException "${TEST_NO}:3" "netstat missing to gather listening ports"
fi
;;
2014-08-26 17:33:55 +02:00
*)
# Got this exception? Provide your details and output of netstat or any other tool to determine this information.
ReportException "${TEST_NO}:2" "Unclear what method to use, to determine listening port information"
2014-08-26 17:33:55 +02:00
;;
esac
# Retrieve information from sockstat, when available
LogText "Test: Retrieving sockstat information to find listening ports"
2014-08-26 17:33:55 +02:00
if [ ! "${FIND}" = "" ]; then
for I in ${FIND}; do
N=$((N + 1))
LogText "Found listening info: ${I}"
Report "network_listen_port[]=${I}"
2014-08-26 17:33:55 +02:00
done
fi
if [ ! "${FIND2}" = "" ]; then
for I in ${FIND2}; do
N=$((N + 1))
LogText "Found listening info: ${I}"
Report "network_listen_port[]=${I}"
2014-08-26 17:33:55 +02:00
done
fi
if [ "${FIND}" = "" -a "${FIND2}" = "" ]; then
Display --indent 2 --text "- Getting listening ports (TCP/UDP)" --result "${STATUS_SKIPPED}" --color YELLOW
2014-08-26 17:33:55 +02:00
else
Display --indent 2 --text "- Getting listening ports (TCP/UDP)" --result "${STATUS_DONE}" --color GREEN
2014-08-26 17:33:55 +02:00
Display --indent 6 --text "* Found ${N} ports"
fi
fi
#
#################################################################################
#
# Test : NETW-3014
# Description : Checking promiscuous interfaces (BSD)
# Note : FreeBSD and others
if [ "${OS}" = "DragonFly" -o "${OS}" = "FreeBSD" -o "${OS}" = "NetBSD" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no NETW-3014 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking promiscuous interfaces (BSD)"
2014-08-26 17:33:55 +02:00
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking promiscuous interfaces (FreeBSD)"
2014-08-26 17:33:55 +02:00
FIND=`${IFCONFIGBINARY} | grep PROMISC | cut -d ':' -f1`
if [ ! "${FIND}" = "" ]; then
LogText "Result: Promiscuous interfaces: ${FIND}"
2014-08-26 17:33:55 +02:00
for I in ${FIND}; do
WHITELISTED=0
for PROFILE in ${PROFILES}; do
Debug "Checking if interface ${I} is whitelisted in profile ${PROFILE}"
ISWHITELISTED=`grep "^if_promisc:${I}:" ${PROFILE}`
if [ ! "${ISWHITELISTED}" = "" ]; then
WHITELISTED=1
LogText "Result: this interface was whitelisted in profile (${PROFILE})"
fi
done
# Check if this interface was whitelisted
if [ ${WHITELISTED} -eq 0 ]; then
2014-08-26 17:33:55 +02:00
FOUNDPROMISC=1
2016-08-10 07:24:10 +02:00
ReportWarning ${TEST_NO} "Found promiscuous interface (${I})"
LogText "Note: some tools put an interface into promiscuous mode, to capture/log network traffic"
2014-08-26 17:33:55 +02:00
else
LogText "Result: Found promiscuous interface ${I} (*whitelisted via profile*)"
2014-08-26 17:33:55 +02:00
fi
done
fi
# Show result
if [ ${FOUNDPROMISC} -eq 0 ]; then
Display --indent 2 --text "- Checking promiscuous interfaces" --result "${STATUS_OK}" --color GREEN
LogText "Result: No promiscuous interfaces found"
2014-08-26 17:33:55 +02:00
else
Display --indent 2 --text "- Checking promiscuous interfaces" --result "${STATUS_WARNING}" --color RED
2014-08-26 17:33:55 +02:00
fi
fi
#
#################################################################################
#
# Test : NETW-3015
# Description : Checking promiscuous interfaces (Linux)
# Note : Need ifconfig binary at this moment (does not work on Arch Linux)
if [ ! "${IFCONFIGBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no NETW-3015 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking promiscuous interfaces (Linux)"
2014-08-26 17:33:55 +02:00
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking promiscuous interfaces (Linux)"
2014-08-26 17:33:55 +02:00
NETWORK=`${IFCONFIGBINARY} | grep Link | tr -s ' ' | cut -d ' ' -f1`
if [ ! "${NETWORK}" = "" ]; then
for I in ${NETWORK}; do
FIND=`${IFCONFIGBINARY} ${I} | grep PROMISC`
if [ ! "${FIND}" = "" ]; then
LogText "Result: Promiscuous interface: ${I}"
2014-08-26 17:33:55 +02:00
ISWHITELISTED=`grep "^if_promisc:${I}:" ${PROFILE}`
if [ "${ISWHITELISTED}" = "" ]; then
FOUNDPROMISC=1
2016-08-10 07:24:10 +02:00
ReportWarning ${TEST_NO} "Found promiscuous interface (${I})"
LogText "Note: some tools put an interface into promiscuous mode, to capture/log network traffic"
2014-08-26 17:33:55 +02:00
else
LogText "Result: Found promiscuous interface ${I} (*whitelisted via profile*)"
2014-08-26 17:33:55 +02:00
fi
fi
done
fi
# Show result
if [ ${FOUNDPROMISC} -eq 0 ]; then
Display --indent 2 --text "- Checking promiscuous interfaces" --result "${STATUS_OK}" --color GREEN
LogText "Result: No promiscuous interfaces found"
2014-08-26 17:33:55 +02:00
else
Display --indent 2 --text "- Checking promiscuous interfaces" --result "${STATUS_WARNING}" --color RED
2014-08-26 17:33:55 +02:00
fi
fi
#
#################################################################################
#
# Test : NETW-3020
# Description : Checking multipath configuration (Solaris)
#
#################################################################################
#
# Test : NETW-3024
# Description : Netstat/socktstat compare (FreeBSD)
2014-09-15 12:01:09 +02:00
# echo -n " - Comparing output sockstat and netstat"
# LogText "Comparing output of sockstat and netstat"
# NETSTATOUTPUT=`netstat -an | grep -v 'TIME_WAIT' | grep -v 'ESTABLISHED' | grep -v 'SYN_SENT' | grep -v 'CLOSE_WAIT' | grep -v 'LAST_ACK' | grep -v 'SYN_RECV' | grep -v 'CLOSING' | cut -c 1-44 | grep '*.' | cut -c 24-32 | tr -d ' ' | tr -d '\t' | grep -v '*' | sort -u`
2014-08-26 17:33:55 +02:00
#
# if [ "${SOCKSTATOUTPUT}" = "${NETSTATOUTPUT}" ]; then
# ShowResult OK
# else
# echo "[ ${BAD}Warning!${NORMAL} ]"
# LogText "WARNING!"
# LogText "Sockstat tested output: ${SOCKSTAT}"
# LogText "Netstat tested output: ${NETSTAT}"
2014-08-26 17:33:55 +02:00
# fi
#
#################################################################################
#
# Test : NETW-3028
# Description : Checking for many waiting connections
# Type : Performance
# Notes : It is common to see a healthy web server seeing to have several thousands of TCP connections in WAIT state
if [ ! "${NETSTATBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no NETW-3028 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking connections in WAIT state"
2014-08-26 17:33:55 +02:00
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Using netstat for check for connections in WAIT state"
FIND=`${NETSTATBINARY} -an | grep WAIT | wc -l | awk '{ print $1 }'`
if [ "${OPTIONS_CONN_MAX_WAIT_STATE}" = "" ]; then OPTIONS_CONN_MAX_WAIT_STATE="5000"; fi
LogText "Result: currently ${FIND} connections are in a waiting state (max configured: ${OPTIONS_CONN_MAX_WAIT_STATE})."
2014-08-26 17:33:55 +02:00
if [ ${FIND} -gt ${OPTIONS_CONN_MAX_WAIT_STATE} ]; then
Display --indent 2 --text "- Checking waiting connections" --result "${STATUS_WARNING}" --color YELLOW
ReportSuggestion "${TEST_NO}" "Determine why system has many connections in WAIT state (${FIND})"
2014-08-26 17:33:55 +02:00
else
Display --indent 2 --text "- Checking waiting connections" --result "${STATUS_OK}" --color GREEN
LogText "Result: ${FIND} connections are in WAIT state"
2014-08-26 17:33:55 +02:00
fi
fi
#
#################################################################################
2015-12-29 16:28:18 +01:00
#
# Test : NETW-3030
# Description : Checking for DHCP client
Register --test-no NETW-3030 --weight L --network NO --category security --description "Checking DHCP client status"
2015-12-29 16:28:18 +01:00
if [ ${SKIPTEST} -eq 0 ]; then
IsRunning dhclient
2015-12-29 16:28:18 +01:00
if [ ${RUNNING} -eq 1 ]; then
Display --indent 2 --text "- Checking status DHCP client" --result "${STATUS_RUNNING}" --color WHITE
DHCP_CLIENT_RUNNING=1
2015-12-29 16:28:18 +01:00
else
Display --indent 2 --text "- Checking status DHCP client" --result "NOT ACTIVE" --color WHITE
2015-12-29 16:28:18 +01:00
fi
fi
#
#################################################################################
2014-08-26 17:33:55 +02:00
#
# Test : NETW-3032
# Description : Checking for ARP spoofing and related monitoring software
Register --test-no NETW-3032 --os Linux --weight L --network NO --category security --description "Checking for ARP monitoring software"
2014-08-26 17:33:55 +02:00
if [ ${SKIPTEST} -eq 0 ]; then
IsRunning arpwatch
2014-08-26 17:33:55 +02:00
if [ ${RUNNING} -eq 1 ]; then
ARPWATCH_RUNNING=1
Display --indent 2 --text "- Checking for ARP monitoring software" --result "${STATUS_RUNNING}" --color GREEN
2014-08-26 17:33:55 +02:00
else
Display --indent 2 --text "- Checking for ARP monitoring software" --result "${STATUS_NOT_FOUND}" --color YELLOW
2016-07-27 09:55:06 +02:00
ReportSuggestion ${TEST_NO} "Consider running ARP monitoring software (arpwatch)"
2014-08-26 17:33:55 +02:00
fi
fi
#
#################################################################################
#
2016-04-28 09:15:54 +02:00
Report "dhcp_client_running=${DHCP_CLIENT_RUNNING}"
Report "arpwatch_running=${ARPWATCH_RUNNING}"
2015-12-29 16:28:18 +01:00
WaitForKeyPress
2014-08-26 17:33:55 +02:00
#
#================================================================================
# Lynis - Security Auditing and System Hardening for Linux and UNIX - https://cisofy.com