tyler.durden/lynis
1
0
Fork 0
mirror of https://github.com/CISOfy/lynis.git synced 2025-07-24 22:34:33 +02:00
Code Issues Packages Projects Releases Wiki Activity

Changed the Kerberos plugin into a category

Browse Source 
According to @mboelen's recommendations:
https://github.com/CISOfy/lynis/pull/1456#issuecomment-2110761098
This commit is contained in:
pyllyukko 2024-05-15 21:51:44 +03:00
parent 4d5b41cb4e
commit 5182ce31fb
3 changed files with 67 additions and 28 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
db/languages/en
View File

@ -63,6 +63,7 @@ SECTION_USB_DEVICES="USB Devices"
SECTION_USERS_GROUPS_AND_AUTHENTICATION="Users, Groups and Authentication" SECTION_USERS_GROUPS_AND_AUTHENTICATION="Users, Groups and Authentication"
SECTION_VIRTUALIZATION="Virtualization" SECTION_VIRTUALIZATION="Virtualization"
SECTION_WEBSERVER="Software: webserver" SECTION_WEBSERVER="Software: webserver"
SECTION_KERBEROS="Kerberos"
STATUS_ACTIVE="ACTIVE" STATUS_ACTIVE="ACTIVE"
STATUS_CHECK_NEEDED="CHECK NEEDED" STATUS_CHECK_NEEDED="CHECK NEEDED"
STATUS_DEBUG="DEBUG" STATUS_DEBUG="DEBUG"

92
plugins/plugin_krb5_phase1 → include/tests_kerberos
View File

@ -1,22 +1,14 @@
#!/bin/sh #!/bin/sh
######################################################################### InsertSection "${SECTION_KERBEROS}"
#
# * DO NOT REMOVE *
#-----------------------------------------------------
# PLUGIN_AUTHOR="pyllyukko"
# PLUGIN_CATEGORY=security
# PLUGIN_DATE=2024-02-14
# PLUGIN_DESC=Kerberos
# PLUGIN_NAME=krb5
# PLUGIN_REQUIRED_TESTS=
# PLUGIN_VERSION=0.2
#-----------------------------------------------------
# #
######################################################################### #########################################################################
# #
# Test for the prerequisites first # Test : KRB-1000
# Description : Check that Kerberos principals have passwords that expire
Register --test-no KRB-1000 --weight L --network NO --description "Check for Kerberos KDC tools"
if [ -n "${KADMINLOCALBINARY}" ] && [ -n "${KDB5UTILBINARY}" ] if [ -n "${KADMINLOCALBINARY}" ] && [ -n "${KDB5UTILBINARY}" ]
then then
PREQS_MET="YES" PREQS_MET="YES"
@ -30,10 +22,16 @@
else else
PREQS_MET="NO" PREQS_MET="NO"
fi fi
if [ "${PREQS_MET}" = "YES" ]; then
Display --indent 2 --text "- Check for Kerberos KDC and principals" --result "${STATUS_FOUND}" --color GREEN
else
Display --indent 2 --text "- Check for Kerberos KDC and principals" --result "${STATUS_NOT_FOUND}" --color WHITE
fi
# Test : KRB5-0001 # Test : KRB-1010
# Description : Check that Kerberos principals have passwords that expire # Description : Check that Kerberos principals have passwords that expire
Register --test-no KRB5-0001 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check that Kerberos principals have passwords that expire" --progress Register --test-no KRB-1010 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check that Kerberos principals have passwords that expire"
FOUND=0
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
for I in ${PRINCS} for I in ${PRINCS}
do do
@ -41,59 +39,84 @@
if [ "${FIND}" = "Password expiration date: [never]" ] if [ "${FIND}" = "Password expiration date: [never]" ]
then then
LogText "Result: Kerberos principal ${I} has a password/key that never expires" LogText "Result: Kerberos principal ${I} has a password/key that never expires"
FOUND=1
fi fi
done done
fi fi
if [ ${FOUND} -eq 1 ]; then
Display --indent 4 --text "- Principals without expiring password" --result "${STATUS_WARNING}" --color RED
ReportSuggestion "${TEST_NO}" "Make sure all your Kerberos principals have expiring passwords"
else
Display --indent 4 --text "- Principals without expiring password" --result "${STATUS_OK}" --color GREEN
fi
# #
################################################################################# #################################################################################
# #
# Test : KRB5-0002 # Test : KRB-1020
# Description : Check last password change for Kerberos principals # Description : Check last password change for Kerberos principals
Register --test-no KRB5-0002 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check last password change for Kerberos principals" --progress Register --test-no KRB-1020 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check last password change for Kerberos principals"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
FOUND=0
for I in ${PRINCS} for I in ${PRINCS}
do do
FIND="$(${KADMINLOCALBINARY} getprinc "${I}" | ${SEDBINARY} -n '/^Last password change:\s\+/s/^Last password change:\s\+//p')" FIND="$(${KADMINLOCALBINARY} getprinc "${I}" | ${SEDBINARY} -n '/^Last password change:\s\+/s/^Last password change:\s\+//p')"
if [ "${FIND}" = "[never]" ] if [ "${FIND}" = "[never]" ]
then then
LogText "Result: Kerberos principal ${I} has a password/key that has never been changed" LogText "Result: Kerberos principal ${I} has a password/key that has never been changed"
FOUND=1
else else
J="$(date -d "${FIND}" +%s)" J="$(date -d "${FIND}" +%s)"
if [ ${J} -lt $((NOW - 60 * 60 * 24 * 365)) ] if [ ${J} -lt $((NOW - 60 * 60 * 24 * 365)) ]
then then
LogText "Result: Kerberos principal ${I} has had a password/key change over a year ago" LogText "Result: Kerberos principal ${I} has had a password/key change over a year ago"
FOUND=1
fi fi
fi fi
done done
if [ ${FOUND} -eq 1 ]; then
Display --indent 4 --text "- Principals with late password change" --result "${STATUS_WARNING}" --color RED
ReportSuggestion "${TEST_NO}" "Enforce frequent password/key change for your Kerberos principals"
else
Display --indent 4 --text "- Principals with late password change" --result "${STATUS_OK}" --color GREEN
fi
fi fi
# #
################################################################################# #################################################################################
# #
# Test : KRB5-0003 # Test : KRB-1030
# Description : Check that Kerberos principals have a policy associated to them # Description : Check that Kerberos principals have a policy associated to them
Register --test-no KRB5-0003 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check that Kerberos principals have a policy associated to them" --progress Register --test-no KRB5-1030 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check that Kerberos principals have a policy associated to them"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
FOUND=0
for I in ${PRINCS} for I in ${PRINCS}
do do
FIND="$(${KADMINLOCALBINARY} getprinc "${I}" | ${GREPBINARY} '^Policy:')" FIND="$(${KADMINLOCALBINARY} getprinc "${I}" | ${GREPBINARY} '^Policy:')"
if [ "${FIND}" = "Policy: [none]" ] if [ "${FIND}" = "Policy: [none]" ]
then then
LogText "Result: Kerberos principal ${I} does not have a policy associated to it" LogText "Result: Kerberos principal ${I} does not have a policy associated to it"
FOUND=1
fi fi
done done
if [ ${FOUND} -eq 1 ]; then
Display --indent 4 --text "- Principals without associated policy" --result "${STATUS_WARNING}" --color RED
ReportSuggestion "${TEST_NO}" "Make sure all your Kerberos principals have a policy associated to them"
else
Display --indent 4 --text "- Principals without associated policy" --result "${STATUS_OK}" --color GREEN
fi
fi fi
# #
################################################################################# #################################################################################
# #
# Test : KRB5-0004 # Test : KRB-1040
# Description : Check various attributes for Kerberos principals # Description : Check various attributes for Kerberos principals
Register --test-no KRB5-0004 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check various attributes for Kerberos principals" --progress Register --test-no KRB5-1040 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check various attributes for Kerberos principals"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
FOUND=0
for I in ${PRINCS} for I in ${PRINCS}
do do
J="$(${KADMINLOCALBINARY} getprinc "${I}" | ${SEDBINARY} -n 's/^Attributes:\s\+\(.\+\)$/\1/p')" J="$(${KADMINLOCALBINARY} getprinc "${I}" | ${SEDBINARY} -n 's/^Attributes:\s\+\(.\+\)$/\1/p')"
@ -105,38 +128,53 @@
if ! ContainsString "\bLOCKDOWN_KEYS\b" "${J}" if ! ContainsString "\bLOCKDOWN_KEYS\b" "${J}"
then then
LogText "Result: Sensitive Kerberos principal ${I} does not have the lockdown_keys attribute" LogText "Result: Sensitive Kerberos principal ${I} does not have the lockdown_keys attribute"
FOUND=1
fi fi
elif ContainsString "/admin@" "${I}" elif ContainsString "/admin@" "${I}"
then then
if ! ContainsString "\bDISALLOW_TGT_BASED\b" "${J}" if ! ContainsString "\bDISALLOW_TGT_BASED\b" "${J}"
then then
LogText "Result: Kerberos admin principal ${I} does not have the disallow_tgt_based attribute" LogText "Result: Kerberos admin principal ${I} does not have the disallow_tgt_based attribute"
FOUND=1
fi fi
elif ContainsString "^[^/$]+@" "${I}" elif ContainsString "^[^/$]+@" "${I}"
then then
if ! ContainsString "\bREQUIRES_PRE_AUTH\b.+\bDISALLOW_SVR\b" "${J}" if ! ContainsString "\bREQUIRES_PRE_AUTH\b.+\bDISALLOW_SVR\b" "${J}"
then then
LogText "Result: Regular Kerberos user principal ${I} does not have the requires_pre_auth and/or the disallow_svr attribute" LogText "Result: Regular Kerberos user principal ${I} does not have the requires_pre_auth and/or the disallow_svr attribute"
FOUND=1
fi fi
fi fi
done done
if [ ${FOUND} -eq 1 ]; then
Display --indent 4 --text "- Checking principals for various attributes" --result "${STATUS_WARNING}" --color RED
ReportSuggestion "${TEST_NO}" "Harden your Kerberos principals with appropriate attributes"
else
Display --indent 4 --text "- Checking principals for various attributes" --result "${STATUS_OK}" --color GREEN
fi
fi fi
# #
################################################################################# #################################################################################
# #
# Test : KRB5-0005 # Test : KRB-1050
# Description : Check for weak crypto # Description : Check for weak crypto
Register --test-no KRB5-0005 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check for weak crypto" --progress Register --test-no KRB-1050 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check for weak crypto"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
FIND=$(${KDB5UTILBINARY} tabdump keyinfo | ${AWKBINARY} '$4 ~ /(des|arcfour|cbc|sha1)/{print$1,$4}') FIND=$(${KDB5UTILBINARY} tabdump keyinfo | ${AWKBINARY} '$4 ~ /(des|arcfour|cbc|sha1)/{print$1,$4}')
while read I J if [ -n "${FIND}" ]; then
do while read I J
LogText "Result: Kerberos principal ${I} has a key with weak cryptographic algorithm ${J}" do
done << EOF LogText "Result: Kerberos principal ${I} has a key with weak cryptographic algorithm ${J}"
done << EOF
${FIND} ${FIND}
EOF EOF
Display --indent 4 --text "- Principals with weak crypto" --result "${STATUS_WARNING}" --color RED
ReportSuggestion "${TEST_NO}" "Remove weak (des|arcfour|cbc|sha1) cryptographic keys from principals"
else
Display --indent 4 --text "- Principals with weak crypto" --result "${STATUS_OK}" --color GREEN
fi
fi fi
# #

2
lynis
View File

@ -1018,7 +1018,7 @@ ${NORMAL}
if [ "${TEST_GROUP_TO_CHECK}" = "all" ]; then if [ "${TEST_GROUP_TO_CHECK}" = "all" ]; then
LogText "Info: perform tests from all categories" LogText "Info: perform tests from all categories"
INCLUDE_TESTS="boot_services kernel memory_processes authentication shells \ INCLUDE_TESTS="boot_services kernel memory_processes authentication kerberos shells \
filesystems usb storage storage_nfs nameservices dns ports_packages networking printers_spoolers \ filesystems usb storage storage_nfs nameservices dns ports_packages networking printers_spoolers \
mail_messaging firewalls webservers ssh snmp databases ldap php squid logging \ mail_messaging firewalls webservers ssh snmp databases ldap php squid logging \
insecure_services banners scheduling accounting time crypto virtualization containers \ insecure_services banners scheduling accounting time crypto virtualization containers \