From 4d5b41cb4e92365c27b4e738ba70f8d9f4cf9f8a Mon Sep 17 00:00:00 2001
From: pyllyukko
Date: Thu, 22 Feb 2024 11:59:02 +0200
Subject: [PATCH] plugin_krb5_phase1: Added few more tests

* Check that admin principals have disallow_tgt_based attribute
* Check that regular user principals have requires_pre_auth and disallow_svr attributes
* Check for weak crypto
* Use kdb5_util for this
---
 include/binaries | 1 +
 plugins/plugin_krb5_phase1 | 33 +++++++++++++++++++++++++++++++--
 2 files changed, 32 insertions(+), 2 deletions(-)

diff --git a/include/binaries b/include/binaries
index b65d5159..46359b3c 100644
--- a/include/binaries
+++ b/include/binaries
@@ -197,6 +197,7 @@
 istat) ISTATBINARY="${BINARY}"; LogText " Found known binary: istat (file information) - ${BINARY}" ;;
 journalctl) JOURNALCTLBINARY="${BINARY}"; LogText " Found known binary: journalctl (systemd journal) - ${BINARY}" ;;
 kadmin.local) KADMINLOCALBINARY="${BINARY}"; LogText " Found known binary: kadmin.local (krb5) - ${BINARY}" ;;
+ kdb5_util) KDB5UTILBINARY="${BINARY}"; LogText " Found known binary: kdb5_util (krb5) - ${BINARY}" ;;
 kldstat) KLDSTATBINARY="${BINARY}"; LogText " Found known binary: kldstat (kernel modules) - ${BINARY}" ;;
 kstat) KSTATBINARY="${BINARY}"; LogText " Found known binary: kstat (kernel statistics) - ${BINARY}" ;;
 launchctl) LAUNCHCTL_BINARY="${BINARY}"; SERVICE_MANAGER="launchd"; LogText " Found known binary: launchctl (launchd client) - ${BINARY}" ;;
diff --git a/plugins/plugin_krb5_phase1 b/plugins/plugin_krb5_phase1
index 5a480dcb..625a3bc9 100644
--- a/plugins/plugin_krb5_phase1
+++ b/plugins/plugin_krb5_phase1
@@ -10,14 +10,14 @@
 # PLUGIN_DESC=Kerberos
 # PLUGIN_NAME=krb5
 # PLUGIN_REQUIRED_TESTS=
-# PLUGIN_VERSION=0.1
+# PLUGIN_VERSION=0.2
 #-----------------------------------------------------
 #
 #########################################################################
 #
 
 # Test for the prerequisites first
- if [ -n "${KADMINLOCALBINARY}" ]
+ if [ -n "${KADMINLOCALBINARY}" ] && [ -n "${KDB5UTILBINARY}" ]
 then
 PREQS_MET="YES"
 # Make sure krb5 debugging doesn't mess up the output
@@ -106,10 +106,39 @@
 then
 LogText "Result: Sensitive Kerberos principal ${I} does not have the lockdown_keys attribute"
 fi
+ elif ContainsString "/admin@" "${I}"
+ then
+ if ! ContainsString "\bDISALLOW_TGT_BASED\b" "${J}"
+ then
+ LogText "Result: Kerberos admin principal ${I} does not have the disallow_tgt_based attribute"
+ fi
+ elif ContainsString "^[^/$]+@" "${I}"
+ then
+ if ! ContainsString "\bREQUIRES_PRE_AUTH\b.+\bDISALLOW_SVR\b" "${J}"
+ then
+ LogText "Result: Regular Kerberos user principal ${I} does not have the requires_pre_auth and/or the disallow_svr attribute"
+ fi
 fi
 done
 fi
 
+ #
+ #################################################################################
+ #
+
+ # Test : KRB5-0005
+ # Description : Check for weak crypto
+ Register --test-no KRB5-0005 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check for weak crypto" --progress
+ if [ ${SKIPTEST} -eq 0 ]; then
+ FIND=$(${KDB5UTILBINARY} tabdump keyinfo | ${AWKBINARY} '$4 ~ /(des|arcfour|cbc|sha1)/{print$1,$4}')
+ while read I J
+ do
+ LogText "Result: Kerberos principal ${I} has a key with weak cryptographic algorithm ${J}"
+ done << EOF
+${FIND}
+EOF
+ fi
+
 #
 #################################################################################
 #
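Review bot: The KRB5-0005 loop at the end of the hunk logs a bogus result when no weak keys exist, because the here-document still feeds one empty line to `read I J` and LogText runs with `${I}` and `${J}` empty; guard it with `if [ -n "${FIND}" ]; then … fi` around the `while`, or `[ -n "${I}" ] || continue` as the first line of the body. The awk pattern `(des|arcfour|cbc|sha1)` also matches `aes128-cts-hmac-sha1-96` and `aes256-cts-hmac-sha1-96`, which are not deprecated (RFC 8429 deprecates des3-cbc-sha1 and arcfour/rc4-hmac, not the AES-SHA1 enctypes), so on a typical MIT KDC every principal would be reported as weak; `$4 ~ /^(des|arcfour|rc4)/` matches the single-DES, 3DES and RC4 families without that, and if flagging SHA-1-based AES is intended the log message should say "deprecated or SHA-1-based" rather than "weak". The check `\bREQUIRES_PRE_AUTH\b.+\bDISALLOW_SVR\b` additionally assumes the two flags are printed in that order and that `\b` is understood by whatever ContainsString uses underneath, which I cannot see from here; two separate ContainsString calls, one per attribute, would drop both assumptions. The loop that sets `${I}` and `${J}` for the new `elif` branches begins before this hunk.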