mirror of https://github.com/CISOfy/lynis.git
Added initial version of a Kerberos plugin
This commit is contained in:
pyllyukko
parent
24679bee9a
commit
ac526be452
|
|
@ -144,6 +144,7 @@ plugin=software
|
|||
plugin=system-integrity
|
||||
plugin=systemd
|
||||
plugin=users
|
||||
plugin=krb5
|
||||
|
||||
# Disable a particular plugin (will overrule an enabled plugin)
|
||||
#disable-plugin=authentication
|
||||
|
|
|
|||
|
|
@ -196,6 +196,7 @@
|
|||
iptables-save) IPTABLESSAVEBINARY="${BINARY}"; LogText " Found known binary: iptables-save (firewall) - ${BINARY}" ;;
|
||||
istat) ISTATBINARY="${BINARY}"; LogText " Found known binary: istat (file information) - ${BINARY}" ;;
|
||||
journalctl) JOURNALCTLBINARY="${BINARY}"; LogText " Found known binary: journalctl (systemd journal) - ${BINARY}" ;;
|
||||
kadmin.local) KADMINLOCALBINARY="${BINARY}"; LogText " Found known binary: kadmin.local (krb5) - ${BINARY}" ;;
|
||||
kldstat) KLDSTATBINARY="${BINARY}"; LogText " Found known binary: kldstat (kernel modules) - ${BINARY}" ;;
|
||||
kstat) KSTATBINARY="${BINARY}"; LogText " Found known binary: kstat (kernel statistics) - ${BINARY}" ;;
|
||||
launchctl) LAUNCHCTL_BINARY="${BINARY}"; SERVICE_MANAGER="launchd"; LogText " Found known binary: launchctl (launchd client) - ${BINARY}" ;;
|
||||
|
|
|
|||
|
|
@ -0,0 +1,121 @@
|
|||
#!/bin/sh
|
||||
|
||||
#########################################################################
|
||||
#
|
||||
# * DO NOT REMOVE *
|
||||
#-----------------------------------------------------
|
||||
# PLUGIN_AUTHOR="pyllyukko"
|
||||
# PLUGIN_CATEGORY=security
|
||||
# PLUGIN_DATE=2024-02-14
|
||||
# PLUGIN_DESC=Kerberos
|
||||
# PLUGIN_NAME=krb5
|
||||
# PLUGIN_REQUIRED_TESTS=
|
||||
# PLUGIN_VERSION=0.1
|
||||
#-----------------------------------------------------
|
||||
#
|
||||
#########################################################################
|
||||
#
|
||||
|
||||
# Test for the prerequisites first
|
||||
if [ -n "${KADMINLOCALBINARY}" ]
|
||||
then
|
||||
PREQS_MET="YES"
|
||||
# Make sure krb5 debugging doesn't mess up the output
|
||||
unset KRB5_TRACE
|
||||
PRINCS="$(${KADMINLOCALBINARY} listprincs | ${TRBINARY:-tr} '\n' ' ')"
|
||||
if [ -z "${PRINCS}" ]
|
||||
then
|
||||
PREQS_MET="NO"
|
||||
fi
|
||||
else
|
||||
PREQS_MET="NO"
|
||||
fi
|
||||
|
||||
# Test : KRB5-0001
|
||||
# Description : Check that Kerberos principals have passwords that expire
|
||||
Register --test-no KRB5-0001 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check that Kerberos principals have passwords that expire" --progress
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
for I in ${PRINCS}
|
||||
do
|
||||
FIND="$(${KADMINLOCALBINARY} getprinc "${I}" | ${GREPBINARY} '^Password expiration date:')"
|
||||
if [ "${FIND}" = "Password expiration date: [never]" ]
|
||||
then
|
||||
LogText "Result: Kerberos principal ${I} has a password/key that never expires"
|
||||
fi
|
||||
done
|
||||
fi
|
||||
#
|
||||
#################################################################################
|
||||
#
|
||||
|
||||
# Test : KRB5-0002
|
||||
# Description : Check last password change for Kerberos principals
|
||||
Register --test-no KRB5-0002 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check last password change for Kerberos principals" --progress
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
for I in ${PRINCS}
|
||||
do
|
||||
FIND="$(${KADMINLOCALBINARY} getprinc "${I}" | ${SEDBINARY} -n '/^Last password change:\s\+/s/^Last password change:\s\+//p')"
|
||||
if [ "${FIND}" = "[never]" ]
|
||||
then
|
||||
LogText "Result: Kerberos principal ${I} has a password/key that has never been changed"
|
||||
else
|
||||
J="$(date -d "${FIND}" +%s)"
|
||||
if [ ${J} -lt $((NOW - 60 * 60 * 24 * 365)) ]
|
||||
then
|
||||
LogText "Result: Kerberos principal ${I} has had a password/key change over a year ago"
|
||||
fi
|
||||
fi
|
||||
done
|
||||
fi
|
||||
|
||||
#
|
||||
#################################################################################
|
||||
#
|
||||
|
||||
# Test : KRB5-0003
|
||||
# Description : Check that Kerberos principals have a policy associated to them
|
||||
Register --test-no KRB5-0003 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check that Kerberos principals have a policy associated to them" --progress
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
for I in ${PRINCS}
|
||||
do
|
||||
FIND="$(${KADMINLOCALBINARY} getprinc "${I}" | ${GREPBINARY} '^Policy:')"
|
||||
if [ "${FIND}" = "Policy: [none]" ]
|
||||
then
|
||||
LogText "Result: Kerberos principal ${I} does not have a policy associated to it"
|
||||
fi
|
||||
done
|
||||
fi
|
||||
|
||||
#
|
||||
#################################################################################
|
||||
#
|
||||
|
||||
# Test : KRB5-0004
|
||||
# Description : Check various attributes for Kerberos principals
|
||||
Register --test-no KRB5-0004 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check various attributes for Kerberos principals" --progress
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
for I in ${PRINCS}
|
||||
do
|
||||
J="$(${KADMINLOCALBINARY} getprinc "${I}" | ${SEDBINARY} -n 's/^Attributes:\s\+\(.\+\)$/\1/p')"
|
||||
if ContainsString "^K/M@" "${I}" || \
|
||||
ContainsString "^kadmin/admin@" "${I}" || \
|
||||
ContainsString "^kadmin/changepw@" "${I}" || \
|
||||
ContainsString "^krbtgt/" "${I}"
|
||||
then
|
||||
if ! ContainsString "\bLOCKDOWN_KEYS\b" "${J}"
|
||||
then
|
||||
LogText "Result: Sensitive Kerberos principal ${I} does not have the lockdown_keys attribute"
|
||||
fi
|
||||
fi
|
||||
done
|
||||
fi
|
||||
|
||||
#
|
||||
#################################################################################
|
||||
#
|
||||
|
||||
unset PRINCS
|
||||
unset I
|
||||
unset J
|
||||
|
||||
#EOF
|
||||
Loading…
Reference in New Issue