Added tooling tests for Fail2Ban (#162)
* Added binary for Fail2Ban * Added test for Fail2Ban (presence and configuration) * Added test to check for enabled Fail2Ban jails * Added test to confirm at least one enabled jail. Fixed regex. * Added check to confirm iptables has a fail2ban chain
This commit is contained in:
parent
59bbacd59b
commit
3b3a852122
|
@ -107,6 +107,7 @@
|
|||
dpkg) DPKGBINARY="${BINARY}"; logtext " Found known binary: dpkg (package management) - ${BINARY}" ;;
|
||||
egrep) EGREPFOUND=1; EGREPBINARY=${BINARY}; logtext " Found known binary: egrep (text search) - ${BINARY}" ;;
|
||||
exim) EXIMFOUND=1; EXIMBINARY="${BINARY}"; EXIMVERSION=`${BINARY} -bV | grep 'Exim version' | awk '{ print $3 }' | xargs`; logtext "Found ${BINARY} (version ${EXIMVERSION})" ;;
|
||||
fail2ban-server) FAIL2BANFOUND=1; FAIL2BANBINARY="${BINARY}"; logtext " Found known binary: fail2ban (IPS tool) - ${BINARY}" ;;
|
||||
find) FINDFOUND=1; FINDBINARY="${BINARY}"; logtext " Found known binary: find (search tool) - ${BINARY}" ;;
|
||||
g++) GPLUSPLUSFOUND=1; GPLUSPLUSBINARY="${BINARY}"; COMPILER_INSTALLED=1; logtext " Found known binary: g++ (compiler) - ${BINARY}" ;;
|
||||
# additional file check due to existance /usr/libexec/gcc (directory)
|
||||
|
|
|
@ -26,6 +26,10 @@
|
|||
PUPPET_MASTER_RUNNING=0
|
||||
SALT_MASTER_RUNNING=0
|
||||
SALT_MINION_RUNNING=0
|
||||
IPS_TOOL_FOUND=0
|
||||
FAIL2BAN_FOUND=0
|
||||
FAIL2BAN_EMAIL=0
|
||||
FAIL2BAN_SILENT=0
|
||||
#
|
||||
#################################################################################
|
||||
#
|
||||
|
@ -142,6 +146,149 @@
|
|||
ReportSuggestion ${TEST_NO} "Determine if automation tools are present for system management"
|
||||
fi
|
||||
fi
|
||||
#
|
||||
#################################################################################
|
||||
#
|
||||
# Intrusion Prevention tools
|
||||
#
|
||||
#################################################################################
|
||||
#
|
||||
# Fail2Ban
|
||||
# Denyhosts? (deprecated)
|
||||
#
|
||||
#################################################################################
|
||||
#
|
||||
|
||||
# Test : TOOL-5004
|
||||
# Description : Check for Fail2Ban
|
||||
|
||||
Register --test-no TOOL-5004 --weight L --network NO --description "Check for presence of Fail2Ban"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
|
||||
# Fail2Ban presence
|
||||
if [ ! "${FAIL2BANBINARY}" = "" ]; then
|
||||
LogText "Result: Fail2Ban is installed (${FAIL2BANBINARY})"
|
||||
IPS_TOOL_FOUND=1
|
||||
FAIL2BAN_FOUND=1
|
||||
Report "IPS_tool_running[]=fail2ban-server"
|
||||
Display --indent 2 --text "- Checking presence of Fail2Ban" --result FOUND --color GREEN
|
||||
else
|
||||
LogText "Result: Fail2Ban not present (fail2ban-server not found)"
|
||||
Display --indent 2 --text "- Checking presence of Fail2Ban" --result "NOT FOUND" --color WHITE
|
||||
fi
|
||||
|
||||
# Fail2Ban configuration
|
||||
if [ ${FAIL2BAN_FOUND} -eq 1 ]; then
|
||||
LogText "Checking Fail2Ban configuration"
|
||||
|
||||
if [ -f /etc/fail2ban/jail.local ]; then
|
||||
FAIL2BAN_CONFIG="/etc/fail2ban/jail.local"
|
||||
else
|
||||
FAIL2BAN_CONFIG="/etc/fail2ban/jail.conf"
|
||||
fi
|
||||
|
||||
# Check email alert configuration
|
||||
|
||||
LogText "Checking for email actions within $FAIL2BAN_CONFIG"
|
||||
|
||||
FIND=`egrep "^action = \%\(action_m.*\)s" $FAIL2BAN_CONFIG`
|
||||
FIND2=`egrep "^action = \%\(action_\)s" $FAIL2BAN_CONFIG`
|
||||
|
||||
if [ ! "${FIND}" = "" ]; then
|
||||
FAIL2BAN_EMAIL=1
|
||||
LogText "Result: found at least one jail which sends an email alert"
|
||||
fi
|
||||
|
||||
if [ ! "${FIND2}" = "" ]; then
|
||||
FAIL2BAN_SILENT=1
|
||||
LogText "Result: found at least one jail which does NOT send an email alert"
|
||||
fi
|
||||
|
||||
if [ ${FAIL2BAN_SILENT} -eq 0 ] && [ ${FAIL2BAN_EMAIL} -eq 0 ]; then
|
||||
LogText "No registered actions found in $FAIL2BAN_CONFIG"
|
||||
Display --indent 4 --text "- Checking Fail2Ban actions" --result NONE --color RED
|
||||
ReportWarning "${TEST_NO}" "M" "$FAIL2BAN_CONFIG" "There are no actions configured for Fail2Ban."
|
||||
AddHP 0 3
|
||||
fi
|
||||
|
||||
if [ ${FAIL2BAN_SILENT} -eq 0 ] && [ ${FAIL2BAN_EMAIL} -eq 1 ]; then
|
||||
LogText "All actions in $FAIL2BAN_CONFIG are configured to send email alerts"
|
||||
Display --indent 4 --text "- Checking Fail2Ban actions" --result OK --color GREEN
|
||||
AddHP 3 3
|
||||
fi
|
||||
|
||||
if [ ${FAIL2BAN_SILENT} -eq 1 ] && [ ${FAIL2BAN_EMAIL} -eq 1 ]; then
|
||||
LogText "Some actions found in $FAIL2BAN_CONFIG are configured to send email alerts"
|
||||
Display --indent 4 --text "- Checking Fail2Ban actions" --result PARTIAL --color YELLOW
|
||||
ReportSuggestion "${TEST_NO}" "Some Fail2Ban jails are configured with non-notified actions. Consider changing these to emailed alerts."
|
||||
AddHP 2 3
|
||||
fi
|
||||
|
||||
if [ ${FAIL2BAN_SILENT} -eq 1 ] && [ ${FAIL2BAN_EMAIL} -eq 0 ]; then
|
||||
LogText "None of the actions found in $FAIL2BAN_CONFIG are configured to send email alerts"
|
||||
Display --indent 4 --text "- Checking Fail2Ban actions" --result NONE --color YELLOW
|
||||
ReportSuggestion "${TEST_NO}" "None of the Fail2Ban jails are configured to send email notifications. Consider changing these to emailed alerts."
|
||||
AddHP 1 3
|
||||
fi
|
||||
|
||||
# Check at least one enabled Jail
|
||||
|
||||
LogText "Checking for enabled Jails within $FAIL2BAN_CONFIG"
|
||||
|
||||
FIND=`egrep "^enabled\s*=\s*true" $FAIL2BAN_CONFIG`
|
||||
if [ ! "${FIND}" = "" ]; then
|
||||
LogText "Result: found at least one enabled jail"
|
||||
Display --indent 4 --text "- Checking Fail2Ban jails" --result ENABLED --color GREEN
|
||||
AddHP 3 3
|
||||
else
|
||||
LogText "Result: Fail2Ban installed but completely disabled"
|
||||
Display --indent 4 --text "- Checking Fail2Ban jails" --result DISABLED --color RED
|
||||
AddHP 0 3
|
||||
ReportWarning "${TEST_NO}" "M" "All jails in Fail2Ban are disabled" "$FAIL2BAN_CONFIG"
|
||||
fi
|
||||
|
||||
# Confirm at least one iptables chain for fail2ban
|
||||
|
||||
LogText "Checking for fail2ban iptables chains"
|
||||
|
||||
CHECK_CHAINS=`iptables -L | grep fail2ban`
|
||||
if [ ! "${CHECK_CHAINS}" = "" ]; then
|
||||
LogText "Result: found at least one iptables chain for fail2ban"
|
||||
Display --indent 4 --text "- Checking for Fail2Ban iptables chain" --result OK --color GREEN
|
||||
else
|
||||
LogText "Result: Fail2Ban installed but iptables chain not present - fail2ban will not work"
|
||||
Display --indent 4 --text "- Checking for Fail2Ban iptables chain" --result WARNING --color RED
|
||||
AddHP 0 3
|
||||
ReportWarning "${TEST_NO}" "M" "Check config to see why iptables does not have a fail2ban chain" "$FAIL2BAN_CONFIG"
|
||||
fi
|
||||
|
||||
|
||||
fi
|
||||
|
||||
fi
|
||||
|
||||
# Test : TOOL-5014
|
||||
# Description : Check for an IPS tool
|
||||
|
||||
Register --test-no TOOL-5014 --weight L --network NO --description "Check presence of IPS tool"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
|
||||
if [ ${IPS_TOOL_FOUND} -eq 1 ]; then
|
||||
Display --indent 2 --text "- Checking for implemented IPS" --result FOUND --color GREEN
|
||||
AddHP 2 2
|
||||
else
|
||||
Display --indent 2 --text "- Checking for implemented IPS" --result NONE --color YELLOW
|
||||
ReportSuggestion ${TEST_NO} "Ensure that automatic intrusion prevention tools are installed"
|
||||
AddHP 0 2
|
||||
fi
|
||||
fi
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
#
|
||||
#################################################################################
|
||||
#
|
||||
|
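Review bot: The iptables check at `CHECK_CHAINS=\`iptables -L | grep fail2ban\`` is likely to raise a false RED warning: fail2ban 0.9 and later, as far as I can tell, name their chains `f2b-<jail>`, which a plain `grep fail2ban` does not match, and `-L` without `-n` resolves every address in the ruleset through DNS before the match runs; `CHECK_CHAINS=\`iptables -n -L 2>/dev/null | ${EGREPBINARY} "fail2ban|f2b-"\`` would cover both naming schemes, keep iptables errors out of the captured output, and use the detected binary the way the rest of the file does instead of a bare command. That chain also exists only while fail2ban-server is running with an active jail, so the "fail2ban will not work" warning and its `AddHP 0 3` penalise a runtime condition inside a configuration test that has already deducted points when no jail is enabled. In the same way, `Report "IPS_tool_running[]=fail2ban-server"` is emitted on binary presence alone, so report consumers will read an installed-but-stopped fail2ban as running; a key that names presence rather than running state would be accurate. The jail and action checks read only `jail.local` or, failing that, `jail.conf`, while fail2ban merges both files plus `jail.d/*.conf`, so `enabled = true` set in a file not examined is missed, and the `\s` in the egrep patterns is a GNU extension that other egrep implementations may not honour.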
|