tyler.durden/lynis
1
0
Fork 0
mirror of https://github.com/CISOfy/lynis.git synced 2025-07-26 23:34:25 +02:00
Code Issues Packages Projects Releases Wiki Activity

Add support for multiple Redis configuration files and permission check

Browse Source
This commit is contained in:
Michael Boelen 2016-08-13 17:03:36 +02:00
parent e06db1477d
commit 05585fab62
1 changed files with 82 additions and 47 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

69
include/tests_databases
View File

@ -26,7 +26,7 @@
sMYSQLDBPATHS="/var/lib/mysql" sMYSQLDBPATHS="/var/lib/mysql"
# Paths to my.cnf # Paths to my.cnf
sMYCNFLOCS="/etc/mysql/my.cnf /usr/etc/my.cnf" sMYCNFLOCS="/etc/mysql/my.cnf /usr/etc/my.cnf"
REDIS_CONFIGURATION="" REDIS_CONFIGURATION_FILES=""
REDIS_CONFIGURATION_FOUND=0 REDIS_CONFIGURATION_FOUND=0
# #
################################################################################# #################################################################################
@ -191,14 +191,44 @@
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
PATHS="${ROOTDIR}etc/redis ${ROOTDIR}usr/local/etc/redis" PATHS="${ROOTDIR}etc/redis ${ROOTDIR}usr/local/etc/redis"
FOUND=0 FOUND=0
REDIS_CONFIGURATION=""
for DIR in ${PATHS}; do for DIR in ${PATHS}; do
if [ -f ${DIR}/redis.conf ]; then LogText "Action: scanning directory (${DIR}) for Redis configuration files"
REDIS_CONFIGURATION="${DIR}/redis.conf" FILES=$(ls ${DIR}/*.conf 2> /dev/null)
REDIS_CONFIGURATION_FOUND=1 if [ ! -z "${FILES}" ]; then
LogText "Result: found configuration file (${REDIS_CONFIGURATION})" for CONFFILE in ${FILES}; do
if FileIsReadable ${CONFFILE}; then
LogText "Action: checking if ${CONFFILE} this is a Sentinel configuration file"
# Exclude Sentinel configuration file
FIND=$(grep "^sentinel " ${CONFFILE})
if [ ! -z "${FIND}" ]; then
LogText "Result: file is a Sentinel configuration file, skipping"
else else
LogText "Result: no redis.conf in ${DIR}" LogText "Result: not a Sentinel configuration file. Now scanning if it is a Redis configuration file"
FIND=$(grep "Redis" ${CONFFILE})
if [ ! -z "${FIND}" ]; then
REDIS_CONFIGURATION_FILES="${REDIS_CONFIGURATION_FILES} ${CONFFILE}"
REDIS_CONFIGURATION_FOUND=1
LogText "Result: found a Redis configuration file (${CONFFILE})"
else
LogText "Result: this file does not look like a Redis file (${CONFFILE})"
fi
fi
else
LogText "Could not read this file, so skipping it"
fi
done
else
LogText "Result: no configuration files found in this directory"
fi
done
# Sort the list of discovered configuration files so we can make them unique
REDIS_CONFIGURATION_FILES=$(echo ${REDIS_CONFIGURATION_FILES} | sed 's/^ //' | tr ' ' '\n' | sort | uniq | tr '\n' ' ')
for FILE in ${REDIS_CONFIGURATION_FILES}; do
if IsWorldReadable ${FILE}; then
LogText "Result: configuration file ${FILE} is world readable, this might leak sensitive information!"
ReportWarning "${TEST_NO}" "Redis configuration file ${FILE} is world readable and might leak sensitive details" "${FILE}" "Use chmod 640 to change file permissions"
else
LogText "Result: great, configuration file ${FILE} is not world readable"
fi fi
done done
if [ ${REDIS_CONFIGURATION_FOUND} -eq 0 ]; then ReportException "${TEST_NO}" "Found Redis, but no configuration file. Report this if you know where it is located on your system."; fi if [ ${REDIS_CONFIGURATION_FOUND} -eq 0 ]; then ReportException "${TEST_NO}" "Found Redis, but no configuration file. Report this if you know where it is located on your system."; fi
@ -211,8 +241,9 @@
if [ ${REDIS_RUNNING} -eq 1 -a ${REDIS_CONFIGURATION_FOUND} -eq 1 ]; then PREQS_METS="YES"; else PREQS_MET="NO"; SKIPREASON="Redis not running, or no configuration file found"; fi if [ ${REDIS_RUNNING} -eq 1 -a ${REDIS_CONFIGURATION_FOUND} -eq 1 ]; then PREQS_METS="YES"; else PREQS_MET="NO"; SKIPREASON="Redis not running, or no configuration file found"; fi
Register --test-no DBS-1884 --weight L --network NO --preqs-met "${PREQS_MET}" --skip-reason "${SKIPREASON}" --category security --description "Redis: requirepass option configured" Register --test-no DBS-1884 --weight L --network NO --preqs-met "${PREQS_MET}" --skip-reason "${SKIPREASON}" --category security --description "Redis: requirepass option configured"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
if FileIsReadable ${REDIS_CONFIGURATION}; then for FILE in ${REDIS_CONFIGURATION_FILES}; do
if SearchItem "^requirepass" "${REDIS_CONFIGURATION}" "--sensitive"; then if FileIsReadable ${FILE}; then
if SearchItem "^requirepass" "${FILE}" "--sensitive"; then
LogText "Result: found 'requirepass' configured" LogText "Result: found 'requirepass' configured"
AddHP 3 3 AddHP 3 3
Display --indent 4 --text "- Redis (requirepass configured)" --result "${STATUS_FOUND}" --color GREEN Display --indent 4 --text "- Redis (requirepass configured)" --result "${STATUS_FOUND}" --color GREEN
@ -220,12 +251,13 @@
else else
AddHP 0 3 AddHP 0 3
Display --indent 4 --text "- Redis (requirepass configured)" --result "${STATUS_NOT_FOUND}" --color YELLOW Display --indent 4 --text "- Redis (requirepass configured)" --result "${STATUS_NOT_FOUND}" --color YELLOW
ReportSuggestion "${TEST_NO}" "Configure the 'requirepass' setting for Redis" "${REDIS_CONFIGURATION}" "text:configure 'requirepass' setting in ${REDIS_CONFIGURATION}" ReportSuggestion "${TEST_NO}" "Configure the 'requirepass' setting for Redis" "${FILE}" "text:configure 'requirepass' setting in ${FILE}"
Report "redis_requirepass=0" Report "redis_requirepass=0"
fi fi
else else
LogText "Result: test skipped, as we can't read configuration file" LogText "Result: test skipped, as we can't read configuration file"
fi fi
done
fi fi
# #
################################################################################# #################################################################################
@ -235,8 +267,9 @@
if [ ${REDIS_RUNNING} -eq 1 -a ${REDIS_CONFIGURATION_FOUND} -eq 1 ]; then PREQS_METS="YES"; else PREQS_MET="NO"; SKIPREASON="Redis not running, or no configuration found"; fi if [ ${REDIS_RUNNING} -eq 1 -a ${REDIS_CONFIGURATION_FOUND} -eq 1 ]; then PREQS_METS="YES"; else PREQS_MET="NO"; SKIPREASON="Redis not running, or no configuration found"; fi
Register --test-no DBS-1886 --weight L --network NO --preqs-met "${PREQS_MET}" --skip-reason "${SKIPREASON}" --category security --description "Redis: rename-command CONFIG used" Register --test-no DBS-1886 --weight L --network NO --preqs-met "${PREQS_MET}" --skip-reason "${SKIPREASON}" --category security --description "Redis: rename-command CONFIG used"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
if FileIsReadable ${REDIS_CONFIGURATION}; then for FILE in ${REDIS_CONFIGURATION_FILES}; do
if SearchItem "^rename-command CONFIG" "${REDIS_CONFIGURATION}" "--sensitive"; then if FileIsReadable ${FILE}; then
if SearchItem "^rename-command CONFIG" "${FILE}" "--sensitive"; then
LogText "Result: found 'rename-command CONFIG' configured" LogText "Result: found 'rename-command CONFIG' configured"
AddHP 3 3 AddHP 3 3
Display --indent 4 --text "- Redis (rename of CONFIG command)" --result "${STATUS_FOUND}" --color GREEN Display --indent 4 --text "- Redis (rename of CONFIG command)" --result "${STATUS_FOUND}" --color GREEN
@ -244,12 +277,13 @@
else else
AddHP 0 3 AddHP 0 3
Display --indent 4 --text "- Redis (rename of CONFIG command)" --result "${STATUS_NOT_FOUND}" --color YELLOW Display --indent 4 --text "- Redis (rename of CONFIG command)" --result "${STATUS_NOT_FOUND}" --color YELLOW
ReportSuggestion "${TEST_NO}" "Use the 'rename-command CONFIG' setting for Redis" "${REDIS_CONFIGURATION}" "text:configure 'rename-command CONFIG' in ${REDIS_CONFIGURATION}" ReportSuggestion "${TEST_NO}" "Use the 'rename-command CONFIG' setting for Redis" "${FILE}" "text:configure 'rename-command CONFIG' in ${FILE}"
Report "redis_rename_command_config=0" Report "redis_rename_command_config=0"
fi fi
else else
LogText "Result: test skipped, as we can't read configuration file" LogText "Result: test skipped, as we can't read configuration file"
fi fi
done
fi fi
# #
################################################################################# #################################################################################
@ -259,8 +293,9 @@
if [ ${REDIS_RUNNING} -eq 1 -a ${REDIS_CONFIGURATION_FOUND} -eq 1 ]; then PREQS_METS="YES"; else PREQS_MET="NO"; SKIPREASON="Redis not running, or no configuration found"; fi if [ ${REDIS_RUNNING} -eq 1 -a ${REDIS_CONFIGURATION_FOUND} -eq 1 ]; then PREQS_METS="YES"; else PREQS_MET="NO"; SKIPREASON="Redis not running, or no configuration found"; fi
Register --test-no DBS-1888 --weight L --network NO --preqs-met "${PREQS_MET}" --skip-reason "${SKIPREASON}" --category security --description "Redis: bind on localhost" Register --test-no DBS-1888 --weight L --network NO --preqs-met "${PREQS_MET}" --skip-reason "${SKIPREASON}" --category security --description "Redis: bind on localhost"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
if FileIsReadable ${REDIS_CONFIGURATION}; then for FILE in ${REDIS_CONFIGURATION_FILES}; do
if SearchItem "^bind (localhost|127\.)" "${REDIS_CONFIGURATION}" "--sensitive"; then if FileIsReadable ${FILE}; then
if SearchItem "^bind (localhost|127\.)" "${FILE}" "--sensitive"; then
LogText "Result: found 'bind on localhost' configured" LogText "Result: found 'bind on localhost' configured"
AddHP 3 3 AddHP 3 3
Display --indent 4 --text "- Redis (bind on localhost)" --result "${STATUS_FOUND}" --color GREEN Display --indent 4 --text "- Redis (bind on localhost)" --result "${STATUS_FOUND}" --color GREEN
@ -268,17 +303,17 @@
else else
AddHP 0 3 AddHP 0 3
Display --indent 4 --text "- Redis (bind on localhost)" --result "${STATUS_NOT_FOUND}" --color YELLOW Display --indent 4 --text "- Redis (bind on localhost)" --result "${STATUS_NOT_FOUND}" --color YELLOW
ReportSuggestion "${TEST_NO}" "Use 'bind' setting to listen on localhost for Redis instance" "${REDIS_CONFIGURATION}" "text:configure 'bind localhost' in ${REDIS_CONFIGURATION}" ReportSuggestion "${TEST_NO}" "Use 'bind' setting to listen on localhost for Redis instance" "${FILE}" "text:configure 'bind localhost' in ${FILE}"
Report "redis_bind_localhost=0" Report "redis_bind_localhost=0"
fi fi
else else
LogText "Result: test skipped, as we can't read configuration file" LogText "Result: test skipped, as we can't read configuration file"
fi fi
done
fi fi
# #
################################################################################# #################################################################################
# #
if [ ${DATABASE_ENGINE_RUNNING} -eq 0 ]; then if [ ${DATABASE_ENGINE_RUNNING} -eq 0 ]; then
Display --indent 4 --text "No database engines found" Display --indent 4 --text "No database engines found"
fi fi