mirror of
https://github.com/CISOfy/lynis.git
synced 2025-07-22 21:34:38 +02:00
Support sysctl checks with multiple profiles
This commit is contained in:
Michael Boelen
parent
4368b59a1d
commit
d95ab3d253
131
default.prf
131
default.prf
@ -153,74 +153,83 @@ plugin=users
|
|||||||
#
|
#
|
||||||
#################################################################################
|
#################################################################################
|
||||||
|
|
||||||
|
# Config
|
||||||
|
# - Type (sysctl)
|
||||||
|
# - Setting (kernel.sysrq)
|
||||||
|
# - Expected value (0)
|
||||||
|
# - Hardening Points (1)
|
||||||
|
# - Description (Disable magic SysRQ)
|
||||||
|
# - Related file or command (sysctl -a)
|
||||||
|
# - Solution field (url:URL, text:TEXT, or -)
|
||||||
|
|
||||||
# Processes
|
# Processes
|
||||||
#sysctl:kern.randompid:1234:1:Increase the next PID with an amount close to the given value:
|
config-data=sysctl;security.bsd.see_other_gids;0;1;Disable display of processes of other groups;sysctl -a;-;category:security;
|
||||||
sysctl:security.bsd.see_other_gids:0:1:Disable display of processes of other groups:
|
config-data=sysctl;security.bsd.see_other_uids;0;1;Disable display of processes of other users;sysctl -a;-;category:security;
|
||||||
sysctl:security.bsd.see_other_uids:0:1:Disable display of processes of other users:
|
|
||||||
|
|
||||||
# Kernel
|
# Kernel
|
||||||
sysctl:kern.sugid_coredump:0:1:XXX:
|
config-data=sysctl;kern.sugid_coredump;0;1;XXX;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
|
||||||
sysctl:kernel.core_setuid_ok:0:1:XXX:
|
config-data=sysctl;kernel.core_setuid_ok;0;1;XXX;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
|
||||||
sysctl:kernel.core_uses_pid:1:1:XXX:
|
config-data=sysctl;kernel.core_uses_pid;1;1;XXX;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
|
||||||
sysctl:kernel.ctrl-alt-del:0:1:XXX:
|
config-data=sysctl;kernel.ctrl-alt-del;0;1;XXX;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
|
||||||
sysctl:kernel.exec-shield-randomize:1:1:XXX:
|
config-data=sysctl;kernel.exec-shield-randomize;1;1;XXX;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
|
||||||
sysctl:kernel.exec-shield:1:1:XXX:
|
config-data=sysctl;kernel.exec-shield;1;1;XXX;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
|
||||||
sysctl:kernel.kptr_restrict:2:1:Restrict access to kernel symbols:
|
config-data=sysctl;kernel.kptr_restrict;2;1;Restrict access to kernel symbols;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
|
||||||
sysctl:kernel.sysrq:0:1:Disable magic SysRQ:
|
config-data=sysctl;kernel.sysrq;0;1;Disable magic SysRQ;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
|
||||||
sysctl:kernel.use-nx:0:1:XXX:
|
config-data=sysctl;kernel.use-nx;0;1;XXX;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
|
||||||
|
|
||||||
# Network
|
# Network
|
||||||
sysctl:net.inet.icmp.bmcastecho:0:1:Ignore ICMP packets directed to broadcast address:
|
config-data=sysctl;net.inet.icmp.bmcastecho;0;1;Ignore ICMP packets directed to broadcast address;-;category:security;
|
||||||
sysctl:net.inet.icmp.rediraccept:0:1:Disable incoming ICMP redirect routing redirects:
|
config-data=sysctl;net.inet.icmp.rediraccept;0;1;Disable incoming ICMP redirect routing redirects;-;category:security;
|
||||||
sysctl:net.inet.ip.accept_sourceroute:0:1:Disable IP source routing:
|
config-data=sysctl;net.inet.ip.accept_sourceroute;0;1;Disable IP source routing;-;category:security;
|
||||||
sysctl:net.inet.ip.redirect:0:1:Disable/Ignore ICMP routing redirects:
|
config-data=sysctl;net.inet.ip.redirect;0;1;Disable/Ignore ICMP routing redirects;-;category:security;
|
||||||
sysctl:net.inet.ip.sourceroute:0:1:Disable IP source routing:
|
config-data=sysctl;net.inet.ip.sourceroute;0;1;Disable IP source routing;-;category:security;
|
||||||
sysctl:net.inet.ip6.redirect:0:1:Disable/Ignore ICMP routing redirects:
|
config-data=sysctl;net.inet.ip6.redirect;0;1;Disable/Ignore ICMP routing redirects;-;category:security;
|
||||||
sysctl:net.inet.tcp.blackhole:2:1:Do not sent RST but drop traffic:
|
config-data=sysctl;net.inet.tcp.blackhole;2;1;Do not sent RST but drop traffic;-;category:security;
|
||||||
sysctl:net.inet.udp.blackhole:1:1:Do not sent RST but drop traffic:
|
config-data=sysctl;net.inet.udp.blackhole;1;1;Do not sent RST but drop traffic;-;category:security;
|
||||||
sysctl:net.inet6.icmp6.rediraccept:0:1:Disable incoming ICMP redirect routing redirects:
|
config-data=sysctl;net.inet6.icmp6.rediraccept;0;1;Disable incoming ICMP redirect routing redirects;-;category:security;
|
||||||
sysctl:net.inet6.ip6.redirect:0:1:Disable sending ICMP redirect routing redirects:
|
config-data=sysctl;net.inet6.ip6.redirect;0;1;Disable sending ICMP redirect routing redirects;-;category:security;
|
||||||
sysctl:net.ipv4.conf.all.accept_redirects:0:1:Disable/Ignore ICMP routing redirects:
|
config-data=sysctl;net.ipv4.conf.all.accept_redirects;0;1;Disable/Ignore ICMP routing redirects;-;category:security;
|
||||||
sysctl:net.ipv4.conf.all.accept_source_route:0:1:Disable IP source routing:
|
config-data=sysctl;net.ipv4.conf.all.accept_source_route;0;1;Disable IP source routing;-;category:security;
|
||||||
sysctl:net.ipv4.conf.all.bootp_relay:0:1:Do not relay BOOTP packets:
|
config-data=sysctl;net.ipv4.conf.all.bootp_relay;0;1;Do not relay BOOTP packets;-;category:security;
|
||||||
sysctl:net.ipv4.conf.all.forwarding:0:1:Disable IP source routing:
|
config-data=sysctl;net.ipv4.conf.all.forwarding;0;1;Disable IP source routing;-;category:security;
|
||||||
sysctl:net.ipv4.conf.all.log_martians:1:1:Log all packages for which the host does not have a path back to the source:
|
config-data=sysctl;net.ipv4.conf.all.log_martians;1;1;Log all packages for which the host does not have a path back to the source;-;category:security;
|
||||||
sysctl:net.ipv4.conf.all.mc_forwarding:0:1:Disable IP source routing:
|
config-data=sysctl;net.ipv4.conf.all.mc_forwarding;0;1;Disable IP source routing;-;category:security;
|
||||||
sysctl:net.ipv4.conf.all.proxy_arp:0:1:Do not relay ARP packets:
|
config-data=sysctl;net.ipv4.conf.all.proxy_arp;0;1;Do not relay ARP packets;-;category:security;
|
||||||
sysctl:net.ipv4.conf.all.rp_filter:1:1:Enforce ingress/egress filtering for packets:
|
config-data=sysctl;net.ipv4.conf.all.rp_filter;1;1;Enforce ingress/egress filtering for packets;-;category:security;
|
||||||
sysctl:net.ipv4.conf.all.send_redirects:0:1:Disable/Ignore ICMP routing redirects:
|
config-data=sysctl;net.ipv4.conf.all.send_redirects;0;1;Disable/Ignore ICMP routing redirects;-;category:security;
|
||||||
sysctl:net.ipv4.conf.default.accept_redirects:0:1:Disable/Ignore ICMP routing redirects:
|
config-data=sysctl;net.ipv4.conf.default.accept_redirects;0;1;Disable/Ignore ICMP routing redirects;-;category:security;
|
||||||
sysctl:net.ipv4.conf.default.accept_source_route:0:1:Disable IP source routing:
|
config-data=sysctl;net.ipv4.conf.default.accept_source_route;0;1;Disable IP source routing;-;category:security;
|
||||||
sysctl:net.ipv4.conf.default.log_martians:1:1:Log all packages for which the host does not have a path back to the source:
|
config-data=sysctl;net.ipv4.conf.default.log_martians;1;1;Log all packages for which the host does not have a path back to the source;-;category:security;
|
||||||
sysctl:net.ipv4.icmp_echo_ignore_broadcasts:1:1:Ignore ICMP packets directed to broadcast address:
|
config-data=sysctl;net.ipv4.icmp_echo_ignore_broadcasts;1;1;Ignore ICMP packets directed to broadcast address;-;category:security;
|
||||||
sysctl:net.ipv4.icmp_ignore_bogus_error_responses:1:1:Ignore
|
config-data=sysctl;net.ipv4.icmp_ignore_bogus_error_responses;1;1;Ignore-;category:security;
|
||||||
#sysctl:net.ipv4.ip_forward:0:1:Do not forward traffic:
|
#config-data=sysctl;net.ipv4.ip_forward;0;1;Do not forward traffic;-;category:security;
|
||||||
sysctl:net.ipv4.tcp_syncookies:1:1:Use SYN cookies to prevent SYN attack:
|
config-data=sysctl;net.ipv4.tcp_syncookies;1;1;Use SYN cookies to prevent SYN attack;-;category:security;
|
||||||
sysctl:net.ipv4.tcp_timestamps:0:1:Do not use TCP time stamps:
|
config-data=sysctl;net.ipv4.tcp_timestamps;0;1;Do not use TCP time stamps;-;category:security;
|
||||||
sysctl:net.ipv6.conf.all.send_redirects:0:1:Disable/ignore ICMP routing redirects:
|
config-data=sysctl;net.ipv6.conf.all.send_redirects;0;1;Disable/ignore ICMP routing redirects;-;category:security;
|
||||||
sysctl:net.ipv6.conf.all.accept_redirects:0:1:Disable/Ignore ICMP routing redirects:
|
config-data=sysctl;net.ipv6.conf.all.accept_redirects;0;1;Disable/Ignore ICMP routing redirects;-;category:security;
|
||||||
sysctl:net.ipv6.conf.all.accept_source_route:0:1:Disable IP source routing:
|
config-data=sysctl;net.ipv6.conf.all.accept_source_route;0;1;Disable IP source routing;-;category:security;
|
||||||
sysctl:net.ipv6.conf.default.accept_redirects:0:1:Disable/Ignore ICMP routing redirects:
|
config-data=sysctl;net.ipv6.conf.default.accept_redirects;0;1;Disable/Ignore ICMP routing redirects;-;category:security;
|
||||||
sysctl:net.ipv6.conf.default.accept_source_route:0:1:Disable IP source routing:
|
config-data=sysctl;net.ipv6.conf.default.accept_source_route;0;1;Disable IP source routing;-;category:security;
|
||||||
|
|
||||||
[security]
|
[security]
|
||||||
#sysctl:kern.securelevel:1^2^3:1:FreeBSD security level:
|
#sysctl;kern.securelevel;1^2^3;1;FreeBSD security level;
|
||||||
#security.jail.jailed: 0
|
#security.jail.jailed; 0
|
||||||
#security.jail.jail_max_af_ips: 255
|
#security.jail.jail_max_af_ips; 255
|
||||||
#security.jail.mount_allowed: 0
|
#security.jail.mount_allowed; 0
|
||||||
#security.jail.chflags_allowed: 0
|
#security.jail.chflags_allowed; 0
|
||||||
#security.jail.allow_raw_sockets: 0
|
#security.jail.allow_raw_sockets; 0
|
||||||
#security.jail.enforce_statfs: 2
|
#security.jail.enforce_statfs; 2
|
||||||
#security.jail.sysvipc_allowed: 0
|
#security.jail.sysvipc_allowed; 0
|
||||||
#security.jail.socket_unixiproute_only: 1
|
#security.jail.socket_unixiproute_only; 1
|
||||||
#security.jail.set_hostname_allowed: 1
|
#security.jail.set_hostname_allowed; 1
|
||||||
#security.bsd.suser_enabled: 1
|
#security.bsd.suser_enabled; 1
|
||||||
#security.bsd.unprivileged_proc_debug: 1
|
#security.bsd.unprivileged_proc_debug; 1
|
||||||
#security.bsd.conservative_signals: 1
|
#security.bsd.conservative_signals; 1
|
||||||
#security.bsd.unprivileged_read_msgbuf: 1
|
#security.bsd.unprivileged_read_msgbuf; 1
|
||||||
#security.bsd.hardlink_check_gid: 0
|
#security.bsd.hardlink_check_gid; 0
|
||||||
#security.bsd.hardlink_check_uid: 0
|
#security.bsd.hardlink_check_uid; 0
|
||||||
#security.bsd.unprivileged_get_quota: 0
|
#security.bsd.unprivileged_get_quota; 0
|
||||||
|
#sysctl;kern.randompid;1234;1;Increase the next PID with an amount close to the given value;sysctl -a;-;category:security;
|
||||||
|
|
||||||
|
|
||||||
#################################################################################
|
#################################################################################
|
||||||
|
|||||||
@ -64,6 +64,12 @@
|
|||||||
STRING=$(echo ${VALUE} | tr -d "[" | tr -d "]" | sed "s/, /,/g")
|
STRING=$(echo ${VALUE} | tr -d "[" | tr -d "]" | sed "s/, /,/g")
|
||||||
CHECK_VALUE_ARRAY="${CHECK_OPTION_ARRAY} ${STRING}"
|
CHECK_VALUE_ARRAY="${CHECK_OPTION_ARRAY} ${STRING}"
|
||||||
;;
|
;;
|
||||||
|
|
||||||
|
# Ignore configuration data
|
||||||
|
config-data)
|
||||||
|
Debug "Ignoring configuration option, as it will be used by a specific test"
|
||||||
|
;;
|
||||||
|
|
||||||
# Maximum number of WAITing connections
|
# Maximum number of WAITing connections
|
||||||
connections-max-wait-state | connections_max_wait_state)
|
connections-max-wait-state | connections_max_wait_state)
|
||||||
OPTIONS_CONN_MAX_WAIT_STATE="${VALUE}"
|
OPTIONS_CONN_MAX_WAIT_STATE="${VALUE}"
|
||||||
|
|||||||
@ -33,16 +33,48 @@
|
|||||||
Register --test-no KRNL-6000 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check sysctl key pairs in scan profile"
|
Register --test-no KRNL-6000 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check sysctl key pairs in scan profile"
|
||||||
if [ ${SKIPTEST} -eq 0 ]; then
|
if [ ${SKIPTEST} -eq 0 ]; then
|
||||||
FOUND=0
|
FOUND=0
|
||||||
|
DATA_TO_SCAN=""
|
||||||
N=0
|
N=0
|
||||||
Display --indent 2 --text "- Comparing sysctl key pairs with scan profile"
|
Display --indent 2 --text "- Comparing sysctl key pairs with scan profile"
|
||||||
|
|
||||||
|
# First scan optional profiles only (ignore default and custom)
|
||||||
for PROFILE in ${PROFILES}; do
|
for PROFILE in ${PROFILES}; do
|
||||||
FIND=`grep "^sysctl:" ${PROFILE} | sed 's/ /-space-/g'`
|
FILE=$(echo ${PROFILE} | awk -F/ '{print $NF}')
|
||||||
for I in ${FIND}; do
|
if [ ! "${FILE}" = "default.prf" -a ! "${FILE}" = "custom.prf" ]; then
|
||||||
tFINDkey=`echo ${I} | awk -F: '{ print $2 }'`
|
FIND=$(grep "^config-data=sysctl;" ${PROFILE} | sed 's/ /-space-/g')
|
||||||
tFINDexpvalue=`echo ${I} | awk -F: '{ print $3 }'`
|
DATA_TO_SCAN="${DATA_TO_SCAN} ${FIND}"
|
||||||
tFINDhp=`echo ${I} | awk -F: '{ print $4 }' | grep "[0-9]"`
|
fi
|
||||||
tFINDdesc=`echo ${I} | awk -F: '{ print $5 }' | sed 's/-space-/ /g'`
|
done
|
||||||
tFINDcurvalue=`${SYSCTL_READKEY} ${tFINDkey} 2> /dev/null`
|
|
||||||
|
# Scan custom profile
|
||||||
|
if [ ! -z "${CUSTOM_PROFILE}" ]; then
|
||||||
|
FIND=$(grep "^config-data=sysctl;" ${CUSTOM_PROFILE} | sed 's/ /-space-/g')
|
||||||
|
for LINE in ${FIND}; do
|
||||||
|
SYSCTLKEY=$(echo ${LINE} | awk -F\; '{ print $2 }')
|
||||||
|
HAS_KEY=$(echo ${DATA_TO_SCAN} | ${GREPBINARY} ";${SYSCTLKEY};")
|
||||||
|
if [ $? -gt 0 ]; then DATA_TO_SCAN="${DATA_TO_SCAN} ${LINE}"; fi
|
||||||
|
done
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Last, use data from default profile
|
||||||
|
if [ ! -z "${DEFAULT_PROFILE}" ]; then
|
||||||
|
FIND=$(grep "^config-data=sysctl;" ${DEFAULT_PROFILE} | sed 's/ /-space-/g')
|
||||||
|
for LINE in ${FIND}; do
|
||||||
|
SYSCTLKEY=$(echo ${LINE} | awk -F\; '{ print $2 }')
|
||||||
|
HAS_KEY=$(echo ${DATA_TO_SCAN} | ${GREPBINARY} ";${SYSCTLKEY};")
|
||||||
|
if [ $? -gt 0 ]; then DATA_TO_SCAN="${DATA_TO_SCAN} ${LINE}"; fi
|
||||||
|
done
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Sort the results
|
||||||
|
DATA_TO_SCAN=$(echo ${DATA_TO_SCAN} | tr ' ' '\n' | sort)
|
||||||
|
|
||||||
|
for I in ${DATA_TO_SCAN}; do
|
||||||
|
tFINDkey=$(echo ${I} | awk -F\; '{ print $2 }')
|
||||||
|
tFINDexpvalue=$(echo ${I} | awk -F\; '{ print $3 }')
|
||||||
|
tFINDhp=$(echo ${I} | awk -F\; '{ print $4 }' | grep "[0-9]")
|
||||||
|
tFINDdesc=$(echo ${I} | awk -F\; '{ print $5 }' | sed 's/-space-/ /g')
|
||||||
|
tFINDcurvalue=$(${SYSCTL_READKEY} ${tFINDkey} 2> /dev/null)
|
||||||
if [ ! "${tFINDcurvalue}" = "" ]; then
|
if [ ! "${tFINDcurvalue}" = "" ]; then
|
||||||
if [ "${tFINDexpvalue}" = "${tFINDcurvalue}" ]; then
|
if [ "${tFINDexpvalue}" = "${tFINDcurvalue}" ]; then
|
||||||
LogText "Result: sysctl key ${tFINDkey} contains equal expected and current value (${tFINDexpvalue})"
|
LogText "Result: sysctl key ${tFINDkey} contains equal expected and current value (${tFINDexpvalue})"
|
||||||
@ -60,7 +92,6 @@
|
|||||||
LogText "Result: key ${tFINDkey} does not exist on this machine"
|
LogText "Result: key ${tFINDkey} does not exist on this machine"
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
done
|
|
||||||
|
|
||||||
# Add suggestion if one or more sysctls have a different value than scan profile
|
# Add suggestion if one or more sysctls have a different value than scan profile
|
||||||
if [ ${FOUND} -eq 1 ]; then
|
if [ ${FOUND} -eq 1 ]; then
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user