Added solution, extended timestamps key values, allow multiple values

This commit is contained in:
Michael Boelen 2018-01-11 10:19:16 +01:00
parent 66f8cb2441
commit 1504370e41
No known key found for this signature in database
GPG Key ID: 26141F77A09D7F04
2 changed files with 28 additions and 18 deletions


@ -253,7 +253,7 @@ config-data=sysctl;net.ipv4.icmp_echo_ignore_broadcasts;1;1;Ignore ICMP packets
config-data=sysctl;net.ipv4.icmp_ignore_bogus_error_responses;1;1;Ignore-;category:security; config-data=sysctl;net.ipv4.icmp_ignore_bogus_error_responses;1;1;Ignore-;category:security;
#config-data=sysctl;net.ipv4.ip_forward;0;1;Do not forward traffic;-;category:security; #config-data=sysctl;net.ipv4.ip_forward;0;1;Do not forward traffic;-;category:security;
config-data=sysctl;net.ipv4.tcp_syncookies;1;1;Use SYN cookies to prevent SYN attack;-;category:security; config-data=sysctl;net.ipv4.tcp_syncookies;1;1;Use SYN cookies to prevent SYN attack;-;category:security;
config-data=sysctl;net.ipv4.tcp_timestamps;0;1;Do not use TCP time stamps;-;category:security; config-data=sysctl;net.ipv4.tcp_timestamps;0|1;1;Disable TCP time stamps or enable them with different offsets;-;category:security;
config-data=sysctl;net.ipv6.conf.all.send_redirects;0;1;Disable/ignore ICMP routing redirects;-;category:security; config-data=sysctl;net.ipv6.conf.all.send_redirects;0;1;Disable/ignore ICMP routing redirects;-;category:security;
config-data=sysctl;net.ipv6.conf.all.accept_redirects;0;1;Disable/Ignore ICMP routing redirects;-;category:security; config-data=sysctl;net.ipv6.conf.all.accept_redirects;0;1;Disable/Ignore ICMP routing redirects;-;category:security;
config-data=sysctl;net.ipv6.conf.all.accept_source_route;0;1;Disable IP source routing;-;category:security; config-data=sysctl;net.ipv6.conf.all.accept_source_route;0;1;Disable IP source routing;-;category:security;
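Review bot: With the expected value widened to `0|1`, this entry no longer fails for the two values an administrator is most likely to set, so it is worth stating in the description which setting the profile actually rejects. If I recall correctly, Linux 4.10+ accepts `2` for `net.ipv4.tcp_timestamps` (timestamps without the per-connection random offset), and `1` only gets a randomized offset on those newer kernels; on older kernels `1` exposes a uptime-correlated clock. I would make that explicit, e.g. `Disable TCP time stamps (0), or enable them with randomized offsets (1, kernel 4.10+); 2 is not accepted`, so readers understand why both `0` and `1` pass. Confirm the kernel version boundary before committing the wording.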


@ -71,32 +71,42 @@
for I in ${DATA_TO_SCAN}; do for I in ${DATA_TO_SCAN}; do
tFINDkey=$(echo ${I} | ${AWKBINARY} -F\; '{ print $2 }') tFINDkey=$(echo ${I} | ${AWKBINARY} -F\; '{ print $2 }')
tFINDexpvalue=$(echo ${I} | ${AWKBINARY} -F\; '{ print $3 }') if ! SkipAtomicTest "${TEST_NO}:${tFINDkey}"; then
tFINDhp=$(echo ${I} | ${AWKBINARY} -F\; '{ print $4 }' | ${GREPBINARY} "[0-9]") tFINDexpvalue=$(echo ${I} | ${AWKBINARY} -F\; '{ print $3 }' | ${TRBINARY} '|' ' ')
tFINDdesc=$(echo ${I} | ${AWKBINARY} -F\; '{ print $5 }' | ${SEDBINARY} 's/-space-/ /g') tFINDhp=$(echo ${I} | ${AWKBINARY} -F\; '{ print $4 }' | ${GREPBINARY} "[0-9]")
tFINDcurvalue=$(${SYSCTL_READKEY} ${tFINDkey} 2> /dev/null) tFINDdesc=$(echo ${I} | ${AWKBINARY} -F\; '{ print $5 }' | ${SEDBINARY} 's/-space-/ /g')
if [ ! "${tFINDcurvalue}" = "" ]; then tFINDcurvalue=$(${SYSCTL_READKEY} ${tFINDkey} 2> /dev/null)
if [ "${tFINDexpvalue}" = "${tFINDcurvalue}" ]; then if [ ! -z "${tFINDcurvalue}" ]; then
LogText "Result: sysctl key ${tFINDkey} contains equal expected and current value (${tFINDexpvalue})" positive_match=0
Display --indent 4 --text "- ${tFINDkey} (exp: ${tFINDexpvalue})" --result "${STATUS_OK}" --color GREEN for value in ${tFINDexpvalue}; do
AddHP ${tFINDhp} ${tFINDhp} if [ "${value}" = "${tFINDcurvalue}" ]; then
positive_match=1
fi
done
if [ ${positive_match} -eq 1 ]; then
LogText "Result: sysctl key ${tFINDkey} contains equal expected and current value (${tFINDexpvalue})"
Display --indent 4 --text "- ${tFINDkey} (exp: ${tFINDexpvalue})" --result "${STATUS_OK}" --color GREEN
AddHP ${tFINDhp} ${tFINDhp}
else
LogText "Result: sysctl key ${tFINDkey} has a different value than expected in scan profile. Expected=${tFINDexpvalue}, Real=${tFINDcurvalue}"
Display --indent 4 --text "- ${tFINDkey} (exp: ${tFINDexpvalue})" --result DIFFERENT --color RED
AddHP 0 ${tFINDhp}
FOUND=1
N=$((N + 1))
ReportDetails --test "${TEST_NO}" --service "sysctl" --field "${tFINDkey}" --value "${tFINDcurvalue}" --preferredvalue "${tFINDexpvalue}" --description "${tFINDdesc}"
fi
else else
LogText "Result: sysctl key ${tFINDkey} has a different value than expected in scan profile. Expected=${tFINDexpvalue}, Real=${tFINDcurvalue}" LogText "Result: key ${tFINDkey} does not exist on this machine"
Display --indent 4 --text "- ${tFINDkey} (exp: ${tFINDexpvalue})" --result DIFFERENT --color RED
AddHP 0 ${tFINDhp}
FOUND=1
N=$((N + 1))
ReportDetails --test "${TEST_NO}" --service "sysctl" --field "${tFINDkey}" --value "${tFINDcurvalue}" --preferredvalue "${tFINDexpvalue}" --description "${tFINDdesc}"
fi fi
else else
LogText "Result: key ${tFINDkey} does not exist on this machine" LogText "Skipped test for ${tFINDkey} via profile"
fi fi
done done
# Add suggestion if one or more sysctls have a different value than scan profile # Add suggestion if one or more sysctls have a different value than scan profile
if [ ${FOUND} -eq 1 ]; then if [ ${FOUND} -eq 1 ]; then
LogText "Result: found ${N} keys that can use tuning, according scan profile" LogText "Result: found ${N} keys that can use tuning, according scan profile"
ReportSuggestion ${TEST_NO} "One or more sysctl values differ from the scan profile and could be tweaked" ReportSuggestion ${TEST_NO} "One or more sysctl values differ from the scan profile and could be tweaked" "" "Change sysctl value or disable test (skip-test=${TEST_NO}:<sysctl-key>)"
fi fi
fi fi
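Review bot: The success path now logs and displays the whole alternative list rather than the value that actually matched: after `tr '|' ' '` the LogText on the matching branch prints `(${tFINDexpvalue})`, which becomes `(0 1)` for the timestamps key, and the same list reaches `Display` and `ReportDetails --preferredvalue` with an embedded space. I would record the match inside the loop, `positive_match=1; matched_value="${value}"`, and log `(${matched_value})` on the OK branch, and keep the original `|`-joined form for `Display` and the report field so downstream parsers of the report file do not see a space-separated value (whether they split on whitespace is not visible here). Note also that `for value in ${tFINDexpvalue}` relies on unquoted word splitting, which also glob-expands; harmless for numeric sysctl values, but a profile entry containing `*` would be expanded against the working directory. The enclosing test body starts before this hunk.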
# #