mirror of https://github.com/CISOfy/lynis.git
Added test NETW-2600 to collect IPv6 configuration
parent
8591b6b046
commit
d167fe2782
|
@ -29,6 +29,87 @@
|
||||||
InsertSection "Networking"
|
InsertSection "Networking"
|
||||||
#
|
#
|
||||||
#################################################################################
|
#################################################################################
|
||||||
|
#
|
||||||
|
# Test : NETW-2600
|
||||||
|
# Description : Gather IPv6 configuration
|
||||||
|
Register --test-no NETW-2600 --os "Linux" --weight L --network YES --description "Checking IPv6 configuration"
|
||||||
|
if [ ${SKIPTEST} -eq 0 ]; then
|
||||||
|
IPV6_CONFIGURED=0
|
||||||
|
IPV6_ACCEPT_RA=255
|
||||||
|
IPV6_ACCEPT_REDIRECTS=255
|
||||||
|
IPV6_MANUAL_CONFIGURED=255
|
||||||
|
IPV6_ONLY=255
|
||||||
|
IPV6_MISCONFIGURED=0
|
||||||
|
IPV6_MISCONFIGURED_MTU=0
|
||||||
|
FIND=`sysctl -a --pattern "^net.ipv6" | sed "s/ = /=/"`
|
||||||
|
if [ ! "${FIND}" = "" ]; then
|
||||||
|
IPV6_CONFIGURED=1
|
||||||
|
for I in ${FIND}; do
|
||||||
|
SYSCTL_KEY=`echo ${I} | awk -F= '{ print $1 }'`
|
||||||
|
SYSCTL_VALUE=`echo ${I} | awk -F= '{ print $2 }'`
|
||||||
|
case ${SYSCTL_KEY} in
|
||||||
|
"net.ipv6.conf.default.accept_ra")
|
||||||
|
if [ "${SYSCTL_VALUE}" = "1" ]; then IPV6_ACCEPT_RA=1; else IPV6_ACCEPT_RA=0; fi
|
||||||
|
;;
|
||||||
|
"net.ipv6.conf.default.accept_redirects")
|
||||||
|
if [ "${SYSCTL_VALUE}" = "1" ]; then IPV6_ACCEPT_REDIRECTS=1; else IPV6_ACCEPT_REDIRECTS=0; fi
|
||||||
|
;;
|
||||||
|
"net.ipv6.bindv6only")
|
||||||
|
if [ "${SYSCTL_VALUE}" = "1" ]; then IPV6_ONLY=1; else IPV6_ONLY=0; fi
|
||||||
|
;;
|
||||||
|
"net.ipv6.conf.all.mtu" | "net.ipv6.conf.default.mtu")
|
||||||
|
if [ ${SYSCTL_VALUE} -lt 1280 ]; then IPV6_MISCONFIGURED_MTU=1; fi
|
||||||
|
;;
|
||||||
|
|
||||||
|
#if TestValue --function equals --value "${SYSCTL_VALUE}" --search "1"; then
|
||||||
|
# echo "Found ${SYSCTL_VALUE}"
|
||||||
|
#else
|
||||||
|
# echo "Not found"
|
||||||
|
#fi
|
||||||
|
esac
|
||||||
|
done
|
||||||
|
else
|
||||||
|
IPV6_MODE="disabled"
|
||||||
|
fi
|
||||||
|
# Check if we are manually configured (not accepting automatic configuration)
|
||||||
|
if [ ${IPV6_ACCEPT_RA} -eq 0 -a ${IPV6_ACCEPT_REDIRECTS} -eq 0 ]; then
|
||||||
|
IPV6_MANUAL_CONFIGURED=1
|
||||||
|
IPV6_MODE="manual"
|
||||||
|
elif [ ${IPV6_ACCEPT_RA} -eq 1 -o ${IPV6_ACCEPT_REDIRECTS} -eq 1 ]; then
|
||||||
|
IPV6_MODE="auto"
|
||||||
|
else
|
||||||
|
IPV6_MODE="disabled"
|
||||||
|
fi
|
||||||
|
|
||||||
|
LogText "Result: IPV6 mode is ${IPV6_MODE}"
|
||||||
|
if [ ${IPV6_CONFIGURED} -eq 1 ]; then
|
||||||
|
Display --indent 2 --text "- Checking IPv6 configuration" --result "ENABLED" --color WHITE
|
||||||
|
STATUS=`echo ${IPV6_MODE} | tr '[:lower:]' '[:upper:]'`
|
||||||
|
|
||||||
|
Display --indent 6 --text "Configuration method" --result "${STATUS}" --color WHITE
|
||||||
|
if [ ${IPV6_ONLY} -eq 1 ]; then STATUS="YES"; else STATUS="NO"; fi
|
||||||
|
LogText "Result: IPv6 only configuration: ${STATUS}"
|
||||||
|
Display --indent 6 --text "IPv6 only" --result "${STATUS}" --color WHITE
|
||||||
|
else
|
||||||
|
Display --indent 2 --text "- Checking IPv6 configuration" --result "DISABLED" --color WHITE
|
||||||
|
fi
|
||||||
|
# Configuration errors
|
||||||
|
if [ ${IPV6_MISCONFIGURED_MTU} -eq 1 ]; then
|
||||||
|
IPV6_MISCONFIGURED=1
|
||||||
|
LogText "Result: MTU of IPv6 interfaces should be 1280 or higher"
|
||||||
|
Display --indent 6 --text "Error: MTU is too low" --result "WARNING" --color RED
|
||||||
|
ReportSuggestion "${TEST_NO}" "Check your MTU configuration of IPv6 interfaces"
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Possible improvements:
|
||||||
|
# - Check if we found IPv6 enabled nameservers
|
||||||
|
|
||||||
|
# Report
|
||||||
|
report "ipv6_mode=${IPV6_MODE}"
|
||||||
|
report "ipv6_only=${IPV6_ONLY}"
|
||||||
|
fi
|
||||||
|
#
|
||||||
|
#################################################################################
|
||||||
#
|
#
|
||||||
# Test : NETW-2704
|
# Test : NETW-2704
|
||||||
# Description : Basic nameserver configuration tests (connectivity)
|
# Description : Basic nameserver configuration tests (connectivity)
|
||||||
|
@ -515,9 +596,9 @@
|
||||||
IsRunning arpwatch
|
IsRunning arpwatch
|
||||||
if [ ${RUNNING} -eq 1 ]; then
|
if [ ${RUNNING} -eq 1 ]; then
|
||||||
ARPWATCH_RUNNING=1
|
ARPWATCH_RUNNING=1
|
||||||
Display --indent 2 --text "Checking for ARP monitoring software" --result RUNNING --color GREEN
|
Display --indent 2 --text "- Checking for ARP monitoring software" --result RUNNING --color GREEN
|
||||||
else
|
else
|
||||||
Display --indent 2 --text "Checking for ARP monitoring software" --result "NOT FOUND" --color YELLOW
|
Display --indent 2 --text "- Checking for ARP monitoring software" --result "NOT FOUND" --color YELLOW
|
||||||
ReportSuggestion ${TEST_NO} "Install ARP monitoring software like arpwatch"
|
ReportSuggestion ${TEST_NO} "Install ARP monitoring software like arpwatch"
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
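Review bot: In the NETW-2600 loop, the `net.ipv6.conf.default.accept_ra` arm maps every value other than "1" to 0, but the Linux kernel also defines `accept_ra=2` (accept router advertisements even when forwarding is enabled), so such a host is reported as "manual" although it still autoconfigures. Comparing against the disabled value is safer: `if [ "${SYSCTL_VALUE}" = "0" ]; then IPV6_ACCEPT_RA=0; else IPV6_ACCEPT_RA=1; fi`. Only the `net.ipv6.conf.default.*` keys are read, so an `all` or per-interface setting that differs is not reflected in the reported mode. `IPV6_CONFIGURED` is set whenever any `net.ipv6` key is returned and `net.ipv6.conf.all.disable_ipv6` is never consulted, so a system with the stack disabled through sysctl would presumably still show ENABLED. A short comment above the `FIND=` line noting that an empty result (for example from a sysctl without `--pattern` support) is treated as IPv6 disabled would help the next maintainer.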