Merge pull request #1456 from pyllyukko/krb5-plugin

Added initial version of a Kerberos plugin

db/languages/en

@@ -63,6 +63,7 @@ SECTION_USB_DEVICES="USB Devices"
 SECTION_USERS_GROUPS_AND_AUTHENTICATION="Users, Groups and Authentication"
 SECTION_VIRTUALIZATION="Virtualization"
 SECTION_WEBSERVER="Software: webserver"
+SECTION_KERBEROS="Kerberos"
 STATUS_ACTIVE="ACTIVE"
 STATUS_CHECK_NEEDED="CHECK NEEDED"
 STATUS_DEBUG="DEBUG"

default.prf

@@ -144,6 +144,7 @@ plugin=software
 plugin=system-integrity
 plugin=systemd
 plugin=users
+plugin=krb5
 
 # Disable a particular plugin (will overrule an enabled plugin)
 #disable-plugin=authentication

include/binaries

@@ -196,6 +196,8 @@
                             iptables-save)          IPTABLESSAVEBINARY="${BINARY}";    LogText "  Found known binary: iptables-save (firewall) - ${BINARY}" ;;
                             istat)                  ISTATBINARY="${BINARY}";           LogText "  Found known binary: istat (file information) - ${BINARY}" ;;
                             journalctl)             JOURNALCTLBINARY="${BINARY}";      LogText "  Found known binary: journalctl (systemd journal) - ${BINARY}" ;;
+                            kadmin.local)           KADMINLOCALBINARY="${BINARY}";     LogText "  Found known binary: kadmin.local (krb5) - ${BINARY}" ;;
+                            kdb5_util)              KDB5UTILBINARY="${BINARY}";        LogText "  Found known binary: kdb5_util (krb5) - ${BINARY}" ;;
                             kldstat)                KLDSTATBINARY="${BINARY}";         LogText "  Found known binary: kldstat (kernel modules) - ${BINARY}" ;;
                             kstat)                  KSTATBINARY="${BINARY}";           LogText "  Found known binary: kstat (kernel statistics) - ${BINARY}" ;;
                             launchctl)              LAUNCHCTL_BINARY="${BINARY}";      SERVICE_MANAGER="launchd"; LogText "  Found known binary: launchctl (launchd client) - ${BINARY}" ;;

include/tests_kerberos

@@ -0,0 +1,188 @@
+#!/bin/sh
+
+InsertSection "${SECTION_KERBEROS}"
+
+#
+#########################################################################
+#
+
+    # Test        : KRB-1000
+    # Description : Check that Kerberos principals have passwords that expire
+    Register --test-no KRB-1000 --weight L --network NO --description "Check for Kerberos KDC tools"
+    if [ -n "${KADMINLOCALBINARY}" ] && [ -n "${KDB5UTILBINARY}" ]
+    then
+        PREQS_MET="YES"
+        # Make sure krb5 debugging doesn't mess up the output
+        unset KRB5_TRACE
+        PRINCS="$(${KADMINLOCALBINARY} listprincs | ${TRBINARY:-tr} '\n' ' ')"
+        if [ -z "${PRINCS}" ]
+        then
+            PREQS_MET="NO"
+        fi
+    else
+        PREQS_MET="NO"
+    fi
+    if [ "${PREQS_MET}" = "YES" ]; then
+        Display --indent 2 --text "- Check for Kerberos KDC and principals" --result "${STATUS_FOUND}" --color GREEN
+    else
+        Display --indent 2 --text "- Check for Kerberos KDC and principals" --result "${STATUS_NOT_FOUND}" --color WHITE
+    fi
+
+    # Test        : KRB-1010
+    # Description : Check that Kerberos principals have passwords that expire
+    Register --test-no KRB-1010 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check that Kerberos principals have passwords that expire"
+    FOUND=0
+    if [ ${SKIPTEST} -eq 0 ]; then
+        for I in ${PRINCS}
+        do
+            FIND="$(${KADMINLOCALBINARY} getprinc "${I}" | ${GREPBINARY} '^Password expiration date:')"
+            if [ "${FIND}" = "Password expiration date: [never]" ]
+            then
+                LogText "Result: Kerberos principal ${I} has a password/key that never expires"
+                FOUND=1
+            fi
+        done
+    fi
+    if [ ${FOUND} -eq 1 ]; then
+        Display --indent 4 --text "- Principals without expiring password" --result "${STATUS_WARNING}" --color RED
+        ReportSuggestion "${TEST_NO}" "Make sure all your Kerberos principals have expiring passwords"
+    else
+        Display --indent 4 --text "- Principals without expiring password" --result "${STATUS_OK}" --color GREEN
+    fi
+#
+#################################################################################
+#
+
+    # Test        : KRB-1020
+    # Description : Check last password change for Kerberos principals
+    Register --test-no KRB-1020 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check last password change for Kerberos principals"
+    if [ ${SKIPTEST} -eq 0 ]; then
+        FOUND=0
+        for I in ${PRINCS}
+        do
+            FIND="$(${KADMINLOCALBINARY} getprinc "${I}" | ${SEDBINARY} -n '/^Last password change:\s\+/s/^Last password change:\s\+//p')"
+            if [ "${FIND}" = "[never]" ]
+            then
+                LogText "Result: Kerberos principal ${I} has a password/key that has never been changed"
+                FOUND=1
+            else
+                J="$(date -d "${FIND}" +%s)"
+                if [ ${J} -lt $((NOW - 60 * 60 * 24 * 365)) ]
+                then
+                    LogText "Result: Kerberos principal ${I} has had a password/key change over a year ago"
+                    FOUND=1
+                fi
+            fi
+        done
+        if [ ${FOUND} -eq 1 ]; then
+            Display --indent 4 --text "- Principals with late password change" --result "${STATUS_WARNING}" --color RED
+            ReportSuggestion "${TEST_NO}" "Enforce frequent password/key change for your Kerberos principals"
+        else
+            Display --indent 4 --text "- Principals with late password change" --result "${STATUS_OK}" --color GREEN
+        fi
+    fi
+
+#
+#################################################################################
+#
+
+    # Test        : KRB-1030
+    # Description : Check that Kerberos principals have a policy associated to them
+    Register --test-no KRB5-1030 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check that Kerberos principals have a policy associated to them"
+    if [ ${SKIPTEST} -eq 0 ]; then
+        FOUND=0
+        for I in ${PRINCS}
+        do
+            FIND="$(${KADMINLOCALBINARY} getprinc "${I}" | ${GREPBINARY} '^Policy:')"
+            if [ "${FIND}" = "Policy: [none]" ]
+            then
+                LogText "Result: Kerberos principal ${I} does not have a policy associated to it"
+                FOUND=1
+            fi
+        done
+        if [ ${FOUND} -eq 1 ]; then
+            Display --indent 4 --text "- Principals without associated policy" --result "${STATUS_WARNING}" --color RED
+            ReportSuggestion "${TEST_NO}" "Make sure all your Kerberos principals have a policy associated to them"
+        else
+            Display --indent 4 --text "- Principals without associated policy" --result "${STATUS_OK}" --color GREEN
+        fi
+    fi
+
+#
+#################################################################################
+#
+
+    # Test        : KRB-1040
+    # Description : Check various attributes for Kerberos principals
+    Register --test-no KRB5-1040 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check various attributes for Kerberos principals"
+    if [ ${SKIPTEST} -eq 0 ]; then
+        FOUND=0
+        for I in ${PRINCS}
+        do
+            J="$(${KADMINLOCALBINARY} getprinc "${I}" | ${SEDBINARY} -n 's/^Attributes:\s\+\(.\+\)$/\1/p')"
+            if ContainsString "^K/M@" "${I}" || \
+                ContainsString "^kadmin/admin@" "${I}" || \
+                ContainsString "^kadmin/changepw@" "${I}" || \
+                ContainsString "^krbtgt/" "${I}"
+            then
+                if ! ContainsString "\bLOCKDOWN_KEYS\b" "${J}"
+                then
+                    LogText "Result: Sensitive Kerberos principal ${I} does not have the lockdown_keys attribute"
+                    FOUND=1
+                fi
+            elif ContainsString "/admin@" "${I}"
+            then
+                if ! ContainsString "\bDISALLOW_TGT_BASED\b" "${J}"
+                then
+                    LogText "Result: Kerberos admin principal ${I} does not have the disallow_tgt_based attribute"
+                    FOUND=1
+                fi
+            elif ContainsString "^[^/$]+@" "${I}"
+            then
+                if ! ContainsString "\bREQUIRES_PRE_AUTH\b.+\bDISALLOW_SVR\b" "${J}"
+                then
+                    LogText "Result: Regular Kerberos user principal ${I} does not have the requires_pre_auth and/or the disallow_svr attribute"
+                    FOUND=1
+                fi
+            fi
+        done
+        if [ ${FOUND} -eq 1 ]; then
+            Display --indent 4 --text "- Checking principals for various attributes" --result "${STATUS_WARNING}" --color RED
+            ReportSuggestion "${TEST_NO}" "Harden your Kerberos principals with appropriate attributes"
+        else
+            Display --indent 4 --text "- Checking principals for various attributes" --result "${STATUS_OK}" --color GREEN
+        fi
+    fi
+
+#
+#################################################################################
+#
+
+    # Test        : KRB-1050
+    # Description : Check for weak crypto
+    Register --test-no KRB-1050 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check for weak crypto"
+    if [ ${SKIPTEST} -eq 0 ]; then
+        FIND=$(${KDB5UTILBINARY} tabdump keyinfo | ${AWKBINARY} '$4 ~ /(des|arcfour|cbc|sha1)/{print$1,$4}')
+        if [ -n "${FIND}" ]; then
+            while read I J
+            do
+                LogText "Result: Kerberos principal ${I} has a key with weak cryptographic algorithm ${J}"
+            done << EOF
+${FIND}
+EOF
+            Display --indent 4 --text "- Principals with weak crypto" --result "${STATUS_WARNING}" --color RED
+            ReportSuggestion "${TEST_NO}" "Remove weak (des|arcfour|cbc|sha1) cryptographic keys from principals"
+        else
+            Display --indent 4 --text "- Principals with weak crypto" --result "${STATUS_OK}" --color GREEN
+        fi
+    fi
+
+#
+#################################################################################
+#
+
+unset PRINCS
+unset I
+unset J
+
+#EOF

lynis

@@ -1018,7 +1018,7 @@ ${NORMAL}
         if [ "${TEST_GROUP_TO_CHECK}" = "all" ]; then
             LogText "Info: perform tests from all categories"
 
-            INCLUDE_TESTS="boot_services kernel memory_processes authentication shells \
+            INCLUDE_TESTS="boot_services kernel memory_processes authentication kerberos shells \
                            filesystems usb storage storage_nfs nameservices dns ports_packages networking printers_spoolers \
                            mail_messaging firewalls webservers ssh snmp databases ldap php squid logging \
                            insecure_services banners scheduling accounting time crypto virtualization containers \