New tests and renumbering
parent
6b3c32b61f
commit
5b25317767
|
@ -26,13 +26,15 @@
|
|||
IPTABLES_INKERNEL_ACTIVE=0
|
||||
IPTABLES_MODULE_ACTIVE=0
|
||||
FIREWALL_ACTIVE=0
|
||||
FIREWALL_EMPTY_RULESET=0
|
||||
FIREWALL_SOFTWARE=""
|
||||
NFTABLES_ACTIVE=0
|
||||
#
|
||||
#################################################################################
|
||||
#
|
||||
# Test : FIRE-4511
|
||||
# Test : FIRE-4502
|
||||
# Description : Check iptables kernel module
|
||||
Register --test-no FIRE-4511 --os Linux --weight L --network NO --description "Check iptables kernel module"
|
||||
Register --test-no FIRE-4502 --os Linux --weight L --network NO --description "Check iptables kernel module"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
FIND=`lsmod | awk '{ print $1 }' | grep "^ip*_tables"`
|
||||
if [ ! "${FIND}" = "" ]; then
|
||||
|
@ -88,6 +90,53 @@
|
|||
fi
|
||||
#
|
||||
#################################################################################
|
||||
#
|
||||
# Test : FIRE-4508
|
||||
# Description : Check iptables chain policies
|
||||
# Notes : Suggestions are currently disabled, until related page and documentation is available
|
||||
if [ ! "${IPTABLESBINARY}" = "" -a ${IPTABLES_ACTIVE} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
Register --test-no FIRE-4508 --preqs-met ${PREQS_MET} --os Linux --weight L --network NO --root-only YES --description "Check used policies of iptables chains"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
Display --indent 4 --text "- Checking iptables policies of chains" --result FOUND --color GREEN
|
||||
TABLES="filter"
|
||||
for TABLE in ${TABLES}; do
|
||||
LogText "Test: gathering information from table ${TABLE}"
|
||||
FIND="$FIND""\n"`${IPTABLESBINARY} -t ${TABLE} --numeric --list | egrep -z -o -w '[A-Z]+' | awk -v t=${TABLE} 'NR%2 {printf "%s %s ",t, $0 ; next;}1'`
|
||||
done
|
||||
|
||||
echo "${FIND}" | while read line; do
|
||||
table=`echo ${line} | awk '{ print $1 }'`
|
||||
chainname=`echo ${line} | awk '{ print $2 }'`
|
||||
policy=`echo ${line} | awk '{ print $3 }'`
|
||||
LogText "Result: iptables ${table} -- ${chainname} policy is ${policy}."
|
||||
LogText "Result: ${policy}"
|
||||
|
||||
if [ "${TABLE}" = "filter" ]; then
|
||||
if [ "${chainname}" = "INPUT" ]; then
|
||||
case ${policy} in
|
||||
"ACCEPT")
|
||||
LogText "Result: Found ACCEPT for ${chainname} (table: ${table})"
|
||||
Display --indent 6 --text "- Checking chain ${chainname} (table: ${table}) policy" --result ${policy} --color YELLOW
|
||||
#ReportSuggestion ${TEST_NO} "Consider settings default chain policy to DROP (iptables chain ${chainname}, table: ${table})"
|
||||
AddHP 1 3
|
||||
;;
|
||||
"DROP")
|
||||
LogText "Result: Found DROP for ${chainname} (table: ${table})"
|
||||
Display --indent 6 --text "- Checking chain ${chainname} (table: ${table}) policy" --result ${policy} --color GREEN
|
||||
AddHP 3 3
|
||||
;;
|
||||
*)
|
||||
Display --indent 6 --text "- Checking chain ${chainname} (table: ${table}) policy" --result ${policy} --color YELLOW
|
||||
LogText "Result: Unknown policy: ${policy}"
|
||||
#ReportSuggestion ${TEST_NO} "Check iptables ${chainname} (table: ${table}) chain policy"
|
||||
;;
|
||||
esac
|
||||
fi
|
||||
fi
|
||||
done
|
||||
fi
|
||||
#
|
||||
#################################################################################
|
||||
#
|
||||
# Test : FIRE-4512
|
||||
# Description : Check iptables for empty ruleset (should have at least 10 or more rules)
|
||||
|
@ -99,6 +148,7 @@
|
|||
FIREWALL_ACTIVE=1
|
||||
if [ ${FIND} -le 10 ]; then
|
||||
# Firewall is active, but clearly needs configuration
|
||||
FIREWALL_EMPTY_RULESET=1
|
||||
LogText "Result: iptables ruleset seems to be empty (found ${FIND} rules)"
|
||||
Display --indent 4 --text "- Checking for empty ruleset" --result WARNING --color RED
|
||||
ReportWarning ${TEST_NO} "L" "iptables module(s) loaded, but no rules active"
|
||||
|
@ -320,6 +370,42 @@
|
|||
fi
|
||||
#
|
||||
#################################################################################
|
||||
#
|
||||
# Test : FIRE-4536
|
||||
# Description : Check nftables kernel module
|
||||
if [ ! "${NFTBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
Register --test-no FIRE-4536 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --description "Check nftables status"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
FIND=`lsmod | awk '{ print $1 }' | grep "^nf*_tables"`
|
||||
if [ ! "${FIND}" = "" ]; then
|
||||
FIREWALL_SOFTWARE="nftables"
|
||||
NFTABLES_ACTIVE=1
|
||||
fi
|
||||
fi
|
||||
#
|
||||
#################################################################################
|
||||
#
|
||||
# Test : FIRE-4538
|
||||
# Description : Check nftables configuration
|
||||
if [ ! "${NFTBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
Register --test-no FIRE-4538 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --description "Check nftables basic configuration"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
# Retrieve nft version
|
||||
NFT_VERSION=`${NFTBINARY} --version 2> /dev/null | ${AWKBINARY} '{ if ($1=="nftables") { print $2 }}' | tr -d 'v'`
|
||||
report "nft_version=${NFT_VERSION}"
|
||||
|
||||
# Check for empty ruleset
|
||||
NFT_RULES_LENGTH=`${NFTBINARY} export json 2> /dev/null | wc -c`
|
||||
if [ ${NFT_RULES_LENGTH} -le 16 ]; then
|
||||
FIREWALL_EMPTY_RULESET=1
|
||||
fi
|
||||
# Ideas:
|
||||
# Suggestion to disable iptables if nftables is enabled
|
||||
# Check for specific features in nftables releases
|
||||
fi
|
||||
|
||||
#
|
||||
#################################################################################
|
||||
#
|
||||
# Test : FIRE-4590
|
||||
# Description : Check if at least one firewall if active
|
||||
|
@ -346,11 +432,11 @@
|
|||
#
|
||||
|
||||
# Report firewall installed for now, if we found one active. Next step would be determining binaries first and apply additional checks.
|
||||
Report "firewall_installed=${FIREWALL_ACTIVE}"
|
||||
Report "firewall_active=${FIREWALL_ACTIVE}"
|
||||
Report "firewall_empty_ruleset=${FIREWALL_EMPTY_RULESET}"
|
||||
Report "firewall_installed=${FIREWALL_ACTIVE}"
|
||||
Report "firewall_software=${FIREWALL_SOFTWARE}"
|
||||
|
||||
|
||||
wait_for_keypress
|
||||
|
||||
#
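Review bot: In the FIRE-4538 hunk the line `report "nft_version=${NFT_VERSION}"` calls the reporting helper with a lowercase name, whereas the FIRE-4590 hunk at the end of this diff calls it as `Report "firewall_software=${FIREWALL_SOFTWARE}"`; unless a lowercase alias is defined outside this diff, that line fails as an unknown command every time the test runs, so it should read `Report "nft_version=${NFT_VERSION}"`. In the same hunk the empty-ruleset check discards stderr of `${NFTBINARY} export json` and only looks at the byte count from `wc -c`, so a run where nft fails (for example without the privileges nft needs, or with a release that lacks that subcommand) also produces 0 bytes and sets `FIREWALL_EMPTY_RULESET=1`, and unlike the iptables path in the FIRE-4512 hunk this happens with no LogText, Display or ReportWarning line, so the finding is silent in the log. Consider checking the command's exit status before comparing the length, logging the outcome, e.g. `LogText "Result: nftables ruleset seems to be empty (${NFT_RULES_LENGTH} bytes)"` next to the assignment, and adding a comment on why 16 bytes is the threshold. The `if [ ${SKIPTEST} -eq 0 ]` block for this test is closed by the `fi` inside the hunk.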
|
||||
|
|