Added NETW-3200

Michael Boelen 2019-08-22 14:12:53 +02:00
parent a72650252f
commit d2deb63ebb
No known key found for this signature in database
GPG Key ID: 26141F77A09D7F04
3 changed files with 61 additions and 0 deletions


@ -49,6 +49,7 @@ Using the relevant options, the scan will change base on the intended goal.
- New test: CRYP-7930 - test for LUKS encryption
- New test: INSE-8314 - test for NIS client
- New test: INSE-8316 - test for NIS server
- New test: NETW-3200 - determine avilable network protocols
- New test: PROC-3802 - check presence of prelink tooling
- New report key: openssh_daemon_running
- New command: lynis generate systemd-units


@ -288,6 +288,7 @@ NETW-3015:test:security:networking:Linux:Checking promiscuous interfaces (Linux)
NETW-3028:test:security:networking::Checking connections in WAIT state:
NETW-3030:test:security:networking::Checking DHCP client status:
NETW-3032:test:security:networking:Linux:Checking for ARP monitoring software:
NETW-3200:test:security:networking::Determine available network protocols:
PHP-2211:test:security:php::Check php.ini presence:
PHP-2320:test:security:php::Check PHP disabled functions:
PHP-2368:test:security:php::Check PHP register_globals option:


@ -639,6 +639,65 @@
#
#################################################################################
#
# Test : NETW-3200
# Description : Determine available network protocols
Register --test-no NETW-3200 --weight L --network YES --category security --description "Determine available network protocols"
if [ ${SKIPTEST} -eq 0 ]; then
TESTED=0
case ${OS} in
Linux)
TESTED=1
LogText "Test: checking the status of some network protocols that typically are not used"
UNCOMMON_PROTOCOLS="dccp sctp rds tipc"
for P in ${UNCOMMON_PROTOCOLS}; do
if ! SkipAtomicTest "${TEST_NO}:${P}"; then
FOUND_UNCOMMON_PROTOCOL=0
if [ -f ${ROOTDIR}etc/modprobe.conf ]; then
DATA=$(${GREPBINARY} "^install ${P} /bin/true" ${ROOTDIR}etc/modprobe.conf)
if [ -n "${DATA}" ]; then
LogText "Result: found ${P} module loaded via modprobe.conf"
FOUND_UNCOMMON_PROTOCOL=1
fi
fi
if [ -d ${ROOTDIR}etc/modprobe.d ]; then
DATA=$(${GREPBINARY} --files-with-matches --no-messages "^install ${P} /bin/true" ${ROOTDIR}etc/modprobe.d/*)
if [ -n "${DATA}" ]; then
FOUND_UNCOMMON_PROTOCOL=1
for F in ${DATA}; do
LogText "Result: found ${P} module loaded via ${F}"
done
fi
fi
# Although a protocol may not been enabled using install, it can be loaded. This may be revealed using /proc
#/proc/sys/net/
if [ ${FOUND_UNCOMMON_PROTOCOL} -eq 1 ]; then
ReportSuggestion "${TEST_NO}" "Determine if network protocol ${P} needs to be used on this system"
Report "uncommon_network_protocol_enabled=${P}"
fi
fi
done
;;
*)
LogText "This test has no routine yet for this operating system."
Debug "No routine implemented yet for this operating system to check for available network protocols"
;;
esac
if [ ${TESTED} -eq 1 ]; then
if [ ${FOUND_UNCOMMON_PROTOCOL} -eq 1 ]; then
Display --indent 2 --text "- Uncommon network protocols" --result "${FOUND}" --color YELLOW
else
Display --indent 2 --text "- Uncommon network protocols" --result "${STATUS_NOT_FOUND}" --color GREEN
fi
fi
unset DATA F FOUND TESTED UNCOMMON_PROTOCOLS
fi
#
#################################################################################
#
WaitForKeyPress
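Review bot: The match on `^install ${P} /bin/true` is interpreted the wrong way round. An `install <module> /bin/true` line is the usual way to keep a module from loading, yet both grep branches log it as "module loaded", set `FOUND_UNCOMMON_PROTOCOL=1` and report `uncommon_network_protocol_enabled=${P}`. As written, a host that has blocked dccp, sctp, rds or tipc gets the suggestion, while a host with no such line is shown as clean. `FOUND_UNCOMMON_PROTOCOL` is also reset on every iteration, so the Display block after the loop reflects only the last protocol that was not skipped, and it is unset if every atomic test is skipped. The yellow branch passes `${FOUND}`, which this test never assigns (presumably `STATUS_FOUND` was meant), and the final `unset` leaves `P` and `FOUND_UNCOMMON_PROTOCOL` behind. The sketch below treats a match as "disabled", reports only when no override exists, and keeps a summary flag across the loop.

```shell
FOUND_UNCOMMON_PROTOCOL=0
for P in ${UNCOMMON_PROTOCOLS}; do
    if ! SkipAtomicTest "${TEST_NO}:${P}"; then
        UNCOMMON_PROTOCOL_DISABLED=0
        # … unchanged: grep of modprobe.conf …
        if [ -n "${DATA}" ]; then
            LogText "Result: found ${P} module disabled via modprobe.conf"
            UNCOMMON_PROTOCOL_DISABLED=1
        fi
        # … unchanged: grep of modprobe.d/* …
        if [ -n "${DATA}" ]; then
            UNCOMMON_PROTOCOL_DISABLED=1
            for F in ${DATA}; do
                LogText "Result: found ${P} module disabled via ${F}"
            done
        fi
        if [ ${UNCOMMON_PROTOCOL_DISABLED} -eq 0 ]; then
            LogText "Result: no install override found for ${P}, module can still be loaded"
            ReportSuggestion "${TEST_NO}" "Determine if network protocol ${P} needs to be used on this system"
            Report "uncommon_network_protocol_enabled=${P}"
            FOUND_UNCOMMON_PROTOCOL=1
        fi
    fi
done
# … unchanged: OS fallback and Display block …
unset DATA F FOUND FOUND_UNCOMMON_PROTOCOL P TESTED UNCOMMON_PROTOCOL_DISABLED UNCOMMON_PROTOCOLS
```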