tyler.durden
/
lynis
mirror of https://github.com/CISOfy/lynis.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

[NETW-2706] allow usage of systemd-resolve and resolvectl, improved screen output and logging

This commit is contained in:
Michael Boelen 2020-04-03 14:02:52 +02:00
parent 235dbd3805
commit 4680f94d11
No known key found for this signature in database
GPG Key ID: 26141F77A09D7F04
1 changed files with 23 additions and 14 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

37
include/tests_networking
View File

@ -191,23 +191,32 @@
################################################################################# #################################################################################
# #
# Test : NETW-2706 # Test : NETW-2706
# Description : Check systemd-resolved and upstream DNSSEC status # Description : Check systemd-resolve output and upstream DNSSEC status
if [ -n "${RESOLVECTLBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi # Notes : Ubuntu 16.04 uses systemd-resolve, newer ones most likely resolvectl
Register --test-no NETW-2706 --preqs-met ${PREQS_MET} --weight L --network YES --category security --description "Check systemd-resolved and upstream DNSSEC status" if [ -n "${RESOLVECTLBINARY}" ]; then
PREQS_MET="YES"
RESOLVE_CMD="${RESOLVECTLBINARY}"
RESOLVE_CMD_PARAM="statistics"
elif [ -n "$(command -v systemd-resolve 2> /dev/null)" ]; then
PREQS_MET="YES"
RESOLVE_CMD="$(command -v systemd-resolve 2> /dev/null)"
RESOLVE_CMD_PARAM="--statistics"
else
PREQS_MET="NO"
fi
Register --test-no NETW-2706 --preqs-met "${PREQS_MET}" --weight L --network YES --category security --description "Check systemd-resolved and upstream DNSSEC status"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
SKIP=0 SKIP=0
if [ -n "${RESOLVECTLBINARY}" ]; then DNSSEC_STATUS=$(${RESOLVE_CMD} ${RESOLVE_CMD_PARAM} 2> /dev/null | ${AWKBINARY} -F ":" '/DNSSEC supported/ { print $2 }' | ${TRBINARY} -d ' ')
DNSSEC_STATUS=$(${RESOLVECTLBINARY} statistics 2> /dev/null | ${AWKBINARY} -F ":" '/DNSSEC supported/ { print $2 }' | ${TRBINARY} -d ' ') if [ "${DNSSEC_STATUS}" = "yes" ]; then
if [ "${DNSSEC_STATUS}" = "yes" ]; then Display --indent 4 --text "- DNSSEC supported (systemd-resolved)" --result "${STATUS_YES}" --color GREEN
Display --indent 4 --text "- DNSSEC supported (systemd-resolved)" --result "${STATUS_OK}" --color GREEN LogText "Result: DNSSEC supported by systemd-resolved and upstream DNS servers"
LogText "Result: DNSSEC supported by systemd-resolved and upstream DNS servers" elif [ "${DNSSEC_STATUS}" = "no" ]; then
else Display --indent 4 --text "- DNSSEC supported (systemd-resolved)" --result "${STATUS_NO}" --color YELLOW
Display --indent 4 --text "- DNSSEC supported (systemd-resolved)" --result "${STATUS_WARNING}" --color RED LogText "Result: DNSSEC not supported by systemd-resolved or upstream DNS servers"
LogText "Result: DNSSEC not supported by systemd-resolved or upstream DNS servers"
fi
else else
Display --indent 4 --text "- DNSSEC supported (systemd-resolved)" --result "${STATUS_SKIPPED}" --color YELLOW Display --indent 4 --text "- DNSSEC supported (systemd-resolved)" --result "${STATUS_UNKNOWN}" --color RED
LogText "Result: resolvectl not installed, test can't be fully performed" LogText "Result: command '${RESOLVE_CMD} ${RESOLVE_CMD_PARAM}' returned an error. Please run command manually to check for details."
fi fi
else else
LogText "Result: Test most likely skipped due to not having resolvectl" LogText "Result: Test most likely skipped due to not having resolvectl"