New tests and renumbering

mboelen 2015-12-30 14:33:50 +01:00
parent 6b3c32b61f
commit 5b25317767
1 changed files with 90 additions and 4 deletions


@ -26,13 +26,15 @@
IPTABLES_INKERNEL_ACTIVE=0
IPTABLES_MODULE_ACTIVE=0
FIREWALL_ACTIVE=0
FIREWALL_EMPTY_RULESET=0
FIREWALL_SOFTWARE=""
NFTABLES_ACTIVE=0
#
#################################################################################
#
# Test : FIRE-4511
# Test : FIRE-4502
# Description : Check iptables kernel module
Register --test-no FIRE-4511 --os Linux --weight L --network NO --description "Check iptables kernel module"
Register --test-no FIRE-4502 --os Linux --weight L --network NO --description "Check iptables kernel module"
if [ ${SKIPTEST} -eq 0 ]; then
FIND=`lsmod | awk '{ print $1 }' | grep "^ip*_tables"`
if [ ! "${FIND}" = "" ]; then
@ -88,6 +90,53 @@
fi
#
#################################################################################
#
# Test : FIRE-4508
# Description : Check iptables chain policies
# Notes : Suggestions are currently disabled, until related page and documentation is available
if [ ! "${IPTABLESBINARY}" = "" -a ${IPTABLES_ACTIVE} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no FIRE-4508 --preqs-met ${PREQS_MET} --os Linux --weight L --network NO --root-only YES --description "Check used policies of iptables chains"
if [ ${SKIPTEST} -eq 0 ]; then
Display --indent 4 --text "- Checking iptables policies of chains" --result FOUND --color GREEN
TABLES="filter"
for TABLE in ${TABLES}; do
LogText "Test: gathering information from table ${TABLE}"
FIND="$FIND""\n"`${IPTABLESBINARY} -t ${TABLE} --numeric --list | egrep -z -o -w '[A-Z]+' | awk -v t=${TABLE} 'NR%2 {printf "%s %s ",t, $0 ; next;}1'`
done
echo "${FIND}" | while read line; do
table=`echo ${line} | awk '{ print $1 }'`
chainname=`echo ${line} | awk '{ print $2 }'`
policy=`echo ${line} | awk '{ print $3 }'`
LogText "Result: iptables ${table} -- ${chainname} policy is ${policy}."
LogText "Result: ${policy}"
if [ "${TABLE}" = "filter" ]; then
if [ "${chainname}" = "INPUT" ]; then
case ${policy} in
"ACCEPT")
LogText "Result: Found ACCEPT for ${chainname} (table: ${table})"
Display --indent 6 --text "- Checking chain ${chainname} (table: ${table}) policy" --result ${policy} --color YELLOW
#ReportSuggestion ${TEST_NO} "Consider settings default chain policy to DROP (iptables chain ${chainname}, table: ${table})"
AddHP 1 3
;;
"DROP")
LogText "Result: Found DROP for ${chainname} (table: ${table})"
Display --indent 6 --text "- Checking chain ${chainname} (table: ${table}) policy" --result ${policy} --color GREEN
AddHP 3 3
;;
*)
Display --indent 6 --text "- Checking chain ${chainname} (table: ${table}) policy" --result ${policy} --color YELLOW
LogText "Result: Unknown policy: ${policy}"
#ReportSuggestion ${TEST_NO} "Check iptables ${chainname} (table: ${table}) chain policy"
;;
esac
fi
fi
done
fi
#
#################################################################################
#
# Test : FIRE-4512
# Description : Check iptables for empty ruleset (should have at least 10 or more rules)
@ -99,6 +148,7 @@
FIREWALL_ACTIVE=1
if [ ${FIND} -le 10 ]; then
# Firewall is active, but clearly needs configuration
FIREWALL_EMPTY_RULESET=1
LogText "Result: iptables ruleset seems to be empty (found ${FIND} rules)"
Display --indent 4 --text "- Checking for empty ruleset" --result WARNING --color RED
ReportWarning ${TEST_NO} "L" "iptables module(s) loaded, but no rules active"
@ -320,6 +370,42 @@
fi
#
#################################################################################
#
# Test : FIRE-4536
# Description : Check nftables kernel module
if [ ! "${NFTBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no FIRE-4536 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --description "Check nftables status"
if [ ${SKIPTEST} -eq 0 ]; then
FIND=`lsmod | awk '{ print $1 }' | grep "^nf*_tables"`
if [ ! "${FIND}" = "" ]; then
FIREWALL_SOFTWARE="nftables"
NFTABLES_ACTIVE=1
fi
fi
#
#################################################################################
#
# Test : FIRE-4538
# Description : Check nftables configuration
if [ ! "${NFTBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no FIRE-4538 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --description "Check nftables basic configuration"
if [ ${SKIPTEST} -eq 0 ]; then
# Retrieve nft version
NFT_VERSION=`${NFTBINARY} --version 2> /dev/null | ${AWKBINARY} '{ if ($1=="nftables") { print $2 }}' | tr -d 'v'`
report "nft_version=${NFT_VERSION}"
# Check for empty ruleset
NFT_RULES_LENGTH=`${NFTBINARY} export json 2> /dev/null | wc -c`
if [ ${NFT_RULES_LENGTH} -le 16 ]; then
FIREWALL_EMPTY_RULESET=1
fi
# Ideas:
# Suggestion to disable iptables if nftables is enabled
# Check for specific features in nftables releases
fi
#
#################################################################################
#
# Test : FIRE-4590
# Description : Check if at least one firewall if active
@ -346,11 +432,11 @@
#
# Report firewall installed for now, if we found one active. Next step would be determining binaries first and apply additional checks.
Report "firewall_installed=${FIREWALL_ACTIVE}"
Report "firewall_active=${FIREWALL_ACTIVE}"
Report "firewall_empty_ruleset=${FIREWALL_EMPTY_RULESET}"
Report "firewall_installed=${FIREWALL_ACTIVE}"
Report "firewall_software=${FIREWALL_SOFTWARE}"
wait_for_keypress
#