This commit is contained in:
Michael Boelen 2018-05-02 13:19:32 +02:00
commit 235ec1c8d4
No known key found for this signature in database
GPG Key ID: 26141F77A09D7F04
4 changed files with 76 additions and 1 deletions

View File

@ -16,6 +16,7 @@ Tests:
* [PHP-2379] - Suhosin test disbled * [PHP-2379] - Suhosin test disbled
* [SSH-7408] - Removed 'DELAYED' from OpenSSH Compression setting * [SSH-7408] - Removed 'DELAYED' from OpenSSH Compression setting
* [TIME-3160] - Improvements to detect step-tickers file and entries * [TIME-3160] - Improvements to detect step-tickers file and entries
* [DNS-1600] - Add DNSSEC validation
--------------------------------------------------------------------------------- ---------------------------------------------------------------------------------

View File

@ -79,6 +79,7 @@ CONT-8107:test:performance:containers::Check number of unused Docker containers:
CONT-8108:test:security:containers::Check file permissions for Docker files: CONT-8108:test:security:containers::Check file permissions for Docker files:
CORE-1000:test:performance:system_integrity::Check all system binaries: CORE-1000:test:performance:system_integrity::Check all system binaries:
CRYP-7902:test:security:crypto::Check expire date of SSL certificates: CRYP-7902:test:security:crypto::Check expire date of SSL certificates:
DNS-1600:test:security:dns::Validating that the DNSSEC signatures are checked:
DBS-1804:test:security:databases::Checking active MySQL process: DBS-1804:test:security:databases::Checking active MySQL process:
DBS-1816:test:security:databases::Checking MySQL root password: DBS-1816:test:security:databases::Checking MySQL root password:
DBS-1818:test:security:databases::MongoDB status: DBS-1818:test:security:databases::MongoDB status:

73
include/tests_dns Normal file
View File

@ -0,0 +1,73 @@
#!/bin/sh
#################################################################################
#
# Lynis
# ------------------
#
# Copyright 2007-2013, Michael Boelen
# Copyright 2007-2018, CISOfy
#
# Website : https://cisofy.com
# Blog : http://linux-audit.com
# GitHub : https://github.com/CISOfy/lynis
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
# See LICENSE file for usage of this software.
#
#################################################################################
#
# DNS
#
#################################################################################
#
SIGOKDNS="sigok.verteiltesysteme.net" # adress with good DESSEC signiture
SIGFAILDNS="sigfail.verteiltesysteme.net" # adress with bad DESSEC signiture
# TODO update it once cisofy.com records are created
# TODO after update even IP match can be checked to detect highjacking
TIMEOUT=";; connection timed out; no servers could be reached"
#
#################################################################################
#
InsertSection "DNS"
#
#################################################################################
#
# Test : DNS-1600
# Description : Validate DNSSEC signiture is checked
Register --test-no DNS-1600 --weight L --network YES --category security --description "Validate DNSSEC igniture is checked"
if [ "${SKIPTEST}" -eq 0 ]; then
if [ ! -z "${DIGBINARY}" ]; then
GOOD=$("${DIGBINARY}" +short +time=1 $SIGOKDNS)
BAD=$("${DIGBINARY}" +short +time=1 $SIGFAILDNS)
if [ "$GOOD" = "$TIMEOUT" ] && [ "$BAD" = "$TIMEOUT" ]; then
LogText "Result: Exception found, can't determine DNSSEC validation"
Display --indent 4 --text "- Checking DNSSEC validation" --result "${STATUS_UNKOWN}" --color YELLOW
ReportException "${TEST_NO}" "Exception found, both query failed, due to connection timeout"
elif [ -z "$GOOD" ] && ! [ -z "$BAD" ]; then
LogText "Result: Exception found, can't determine DNSSEC validation"
Display --indent 4 --text "- Checking DNSSEC validation" --result "${STATUS_UNKOWN}" --color YELLOW
ReportException "${TEST_NO}" "Exception found, OK failed, Bad signiture was accepted"
elif ! [ -z "$GOOD" ] && ! [ -z "$BAD" ]; then
Display --indent 4 --text "- Checking DNSSEC validation" --result "${STATUS_SUGGESTION}" --color YELLOW
LogText "Note: Useing DNSsec validation can protect from DNS highjacking"
ReportSuggestion "${TEST_NO}" "Malformated DNS querys are accepted, Configure DNSSEC valdating name servers"
AddHP 2 2
elif ! [ -z "$GOOD" ] && [ -z "$BAD" ]; then
Display --indent 4 --text "- Checking DNSSEC validation" --result "${STATUS_OK}" --color GREEN
LogText "Result: Malformated DNS responses were ignored"
AddHP 0 2
fi
else
Display --indent 4 --text "- DESSEC validation" --result "${STATUS_SKIPPED}" --color YELLOW
LogText "Result: dig not installed, test can't be fully performed"
fi
else
LogText "Result: Test was skipped"
fi
#
#################################################################################
#

2
lynis
View File

@ -925,7 +925,7 @@ ${NORMAL}
LogText "Info: perform tests from all categories" LogText "Info: perform tests from all categories"
INCLUDE_TESTS="boot_services kernel memory_processes authentication shells \ INCLUDE_TESTS="boot_services kernel memory_processes authentication shells \
filesystems usb storage storage_nfs nameservices ports_packages networking printers_spools \ filesystems usb storage storage_nfs nameservices dns ports_packages networking printers_spools \
mail_messaging firewalls webservers ssh snmp databases ldap php squid logging \ mail_messaging firewalls webservers ssh snmp databases ldap php squid logging \
insecure_services banners scheduling accounting time crypto virtualization containers \ insecure_services banners scheduling accounting time crypto virtualization containers \
mac_frameworks file_integrity tooling malware file_permissions homedirs \ mac_frameworks file_integrity tooling malware file_permissions homedirs \