#!/bin/sh ################################################################################# # # Lynis # ------------------ # # Copyright 2007-2013, Michael Boelen # Copyright 2007-2021, CISOfy # # Website : https://cisofy.com # Blog : http://linux-audit.com # GitHub : https://github.com/CISOfy/lynis # # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are # welcome to redistribute it under the terms of the GNU General Public License. # See LICENSE file for usage of this software. # ################################################################################# # # Software: webserver # ################################################################################# # InsertSection "${SECTION_WEBSERVER}" # ################################################################################# # # Reset Apache status APACHE_INSTALLED=0 APACHE_MODULES_ENABLED_LOCS="${ROOTDIR}etc/apache2/mods-enabled" APACHE_MODULES_LOCS="${ROOTDIR}etc/httpd/modules ${ROOTDIR}opt/local/apache2/modules ${ROOTDIR}usr/lib/apache ${ROOTDIR}usr/lib/apache2 ${ROOTDIR}usr/lib/httpd/modules ${ROOTDIR}usr/libexec/apache2 ${ROOTDIR}usr/lib64/apache2 ${ROOTDIR}usr/lib64/apache2/modules ${ROOTDIR}usr/lib64/httpd/modules ${ROOTDIR}usr/local/libexec/apache ${ROOTDIR}usr/local/libexec/apache22 ${ROOTDIR}usr/local/libexec/apache24" NGINX_RUNNING=0 NGINX_CONF_LOCS="${ROOTDIR}etc/nginx ${ROOTDIR}usr/local/etc/nginx ${ROOTDIR}usr/local/nginx/conf" NGINX_CONF_LOCATION="" NGINX_CONF_FILES="" NGINX_CONF_FILES_ADDITIONS="" # ################################################################################# # sTEST_APACHE_TARGETS="${ROOTDIR}etc/apache ${ROOTDIR}etc/apache2 ${ROOTDIR}etc/httpd \ ${ROOTDIR}opt/apache \ ${ROOTDIR}usr/local/apache ${ROOTDIR}usr/local/apache2 \ ${ROOTDIR}usr/local/etc/apache ${ROOTDIR}usr/local/etc/apache2 ${ROOTDIR}usr/local/etc/apache22 \ ${ROOTDIR}usr/pkg/etc/httpd ${ROOTDIR}etc/sysconfig/apache2 ${ROOTDIR}usr/local/etc/apache24" CreateTempFile || ExitFatal TMPFILE="${TEMP_FILE}" CreateTempFile || ExitFatal TMPFILE2="${TEMP_FILE}" CreateTempFile || ExitFatal TMPFILE3="${TEMP_FILE}" # ################################################################################# # # Test : HTTP-6622 # Description : Test for Apache installation # Notes : Do not run on NetBSD, -v is unknown option for httpd binary # On OpenBSD do not run /usr/sbin/httpd with -v: builtin non-Apache if [ ! "${OS}" = "NetBSD" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no HTTP-6622 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking Apache presence" if [ ${SKIPTEST} -eq 0 ]; then if [ "${OS}" = "OpenBSD" -a "${HTTPDBINARY}" = "/usr/sbin/httpd" ]; then HTTPDBINARY=""; fi if IsEmpty "${HTTPDBINARY}"; then Display --indent 2 --text "- Checking Apache" --result "${STATUS_NOT_FOUND}" --color WHITE else LogText "Test: Scanning for Apache binary" IS_APACHE=$(${HTTPDBINARY} -v 2> /dev/null | ${GREPBINARY} -E '[aA]pache') if IsEmpty "${IS_APACHE}"; then LogText "Result: ${HTTPDBINARY} is not Apache" Display --indent 2 --text "- Checking Apache (binary ${HTTPDBINARY})" --result "NO MATCH" --color WHITE else Display --indent 2 --text "- Checking Apache (binary ${HTTPDBINARY})" --result "${STATUS_FOUND}" --color GREEN LogText "Result: ${HTTPDBINARY} seems to be Apache HTTP daemon" APACHE_INSTALLED=1 APACHE_VERSION=$(${HTTPDBINARY} -v 2> /dev/null | ${GREPBINARY} "^Server version:" | ${AWKBINARY} '{ print $3 }' | ${AWKBINARY} -F/ '{ print $2 }') LogText "Apache version: ${APACHE_VERSION}" Report "apache_version=${APACHE_VERSION}" fi fi fi # ################################################################################# # # Test : HTTP-6624 # Description : Testing main Apache configuration file # Notes : Do not run on OpenBSD/NetBSD, as -V is an unknown option for httpd binary if [ ${APACHE_INSTALLED} -eq 1 ]; then if [ ! "${OS}" = "NetBSD" -a ! "${OS}" = "OpenBSD" ]; then PREQS_MET="YES" else PREQS_MET="NO" fi else PREQS_MET="NO" fi Register --test-no HTTP-6624 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Testing main Apache configuration file" if [ ${SKIPTEST} -eq 0 ]; then APACHE_CONFIGFILE="" APACHE_TEST=$(${HTTPDBINARY} -V 2> /dev/null | ${GREPBINARY} "\-D SERVER_CONFIG_FILE=" | ${SEDBINARY} 's/[ ]-D SERVER_CONFIG_FILE=//' | ${TRBINARY} -d '"' | ${TRBINARY} -d ' ' | ${TRBINARY} -d '[:cntrl:]') if IsEmpty "${APACHE_TEST}"; then LogText "Result: Can't find the configuration file, so skipping some Apache related tests" else # We found a possible match. Checking if it's valid filename. If not, we need to add a prefix if [ -f ${APACHE_TEST} ]; then APACHE_CONFIGFILE="${APACHE_TEST}" Display --indent 6 --text "Info: Configuration file found (${APACHE_CONFIGFILE})" else # Probably the prefix is missing, so we are going to search that APACHE_HTTPDROOT=$(${HTTPDBINARY} -V 2> /dev/null | ${GREPBINARY} "\-D HTTPD_ROOT=" | ${SEDBINARY} 's/[ ]-D HTTPD_ROOT=//' | ${TRBINARY} -d '"' | ${TRBINARY} -d ' ') APACHE_TESTFILE="${APACHE_HTTPDROOT}/${APACHE_TEST}" if [ -f ${APACHE_TESTFILE} ]; then APACHE_CONFIGFILE="${APACHE_TESTFILE}" Display --indent 6 --text "Info: Configuration file found (${APACHE_CONFIGFILE})" LogText "Result: Configuration file found (${APACHE_CONFIGFILE})" else LogText "Result: File or directory ${APACHE_TESTFILE} does not exist" Display --indent 6 --text "[Notice] possible directory/file parts found, but still unsure what the real configuration file is. Skipping some Apache related tests" ReportException "${TEST_NO}:1" "Found some unknown directory or file references in Apache configuration" LogText "Note: if only the Apache binary package has been installed, then the configuration might be missing. Is the Apache package really needed?" fi fi fi fi # ################################################################################# # # Test : HTTP-6626 # Description : Testing other Apache configuration files if [ ${APACHE_INSTALLED} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no HTTP-6626 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Testing other Apache configuration file" if [ ${SKIPTEST} -eq 0 ]; then for DIR in ${sTEST_APACHE_TARGETS}; do if [ -d ${DIR} ]; then find ${DIR} -name "*.conf" -print >> ${TMPFILE2} fi done # Sort unsorted list, save it in temp file and then remove unsorted list if [ -f ${TMPFILE2} ]; then ${SORTBINARY} -u ${TMPFILE2} >> ${TMPFILE} rm -f ${TMPFILE2} fi cVHOSTS=0; tVHOSTS="" # Check every configuration file for I in $(cat ${TMPFILE}); do LogText "Apache config file: ${I}" FileIsReadable ${I} if [ ${CANREAD} -eq 1 ]; then # Search Virtual Hosts for J in $(${GREPBINARY} "ServerName" ${I} | ${GREPBINARY} -v "^#" | ${AWKBINARY} '{ if ($1=="ServerName" && $2!="*" && $2!="default") print $2 }'); do if HasData "${J}"; then tVHOSTS="${tVHOSTS} ${J}" cVHOSTS=$((cVHOSTS + 1)) fi done # Search Server aliases for J in $(${GREPBINARY} "ServerAlias" ${I} | ${GREPBINARY} -v "^#" | ${SEDBINARY} "s/\s*ServerAlias //g" | ${SEDBINARY} "s/#.*//g"); do if [ -n "${J}" ]; then tVHOSTS="${tVHOSTS} ${J}" cVHOSTS=$((cVHOSTS + 1)) fi done else LogText "Result: can not read configuration file with this user ID" ReportException "${TEST_NO}:1" "Can not read configuration file $I" fi done # Log all virtual hosts we found for J in ${tVHOSTS}; do if [ -n "${J}" ]; then LogText "Virtual host: ${J}" #Report "apache_vhost_name[]=${J}" fi done # Show number of vhosts if we found any LogText "Result: found ${cVHOSTS} virtual hosts" if [ ${cVHOSTS} -gt 0 ]; then Display --indent 6 --text "Info: Found ${cVHOSTS} virtual hosts" else Display --indent 6 --text "Info: No virtual hosts found" fi fi # Remove temp files if [ -f ${TMPFILE} -a -n "${TMPFILE}" ]; then rm -f ${TMPFILE} fi if [ -n "${TMPFILE2}" ]; then if [ -f ${TMPFILE2} ]; then rm -f ${TMPFILE2}; fi; fi # ################################################################################# # # TODO # Do you have Apache running and want to contribute? Help us testing this control and send in a pull request # Test : HTTP-6630 # Description : Search for all loaded modules #if [ ${APACHE_INSTALLED} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi #Register --test-no HTTP-6630 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Determining all loaded Apache modules" #if [ ${SKIPTEST} -eq 0 ]; then # # Testing Debian style # LogText "Test: searching loaded/enabled Apache modules" # apachectl -t -D DUMP_MODULES 2>&1 | ${GREPBINARY} -E -v "(Loaded Modules|Syntax OK)" | ${SEDBINARY} 's/(\(shared\|static\))//' | ${SEDBINARY} 's/ //' # for I in ${APACHE_MODULES_ENABLED_LOCS}; do # LogText "Test: checking ${I}" # if [ -d ${I} ]; then # FIND=$(${GREPBINARY} -r LoadModule ${I}/* | ${GREPBINARY} -v "^#" | ${AWKBINARY} '{ print $2":"$3 }') # else # LogText "Result: ${I} does not exist" # fi # done #fi # ################################################################################# # # Test : HTTP-6632 # Description : Search for available Apache modules if [ ${APACHE_INSTALLED} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no HTTP-6632 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Determining all available Apache modules" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: searching available Apache modules" COUNT=0 for DIR in ${APACHE_MODULES_LOCS}; do DirectoryExists ${DIR} if [ ${DIRECTORY_FOUND} -eq 1 ]; then FIND=$(${FINDBINARY} ${DIR} -name "mod_*" -print | ${SORTBINARY}) for ITEM in ${FIND}; do Report "apache_module[]=${ITEM}" LogText "Result: found Apache module ${ITEM}" COUNT=$((COUNT + 1)) done fi done if [ ${COUNT} -eq 0 ]; then Display --indent 4 --text "* Loadable modules" --result "${STATUS_NONE}" --color WHITE ReportException "${TEST_NO}:1" "No loadable Apache modules found" else Display --indent 4 --text "* Loadable modules" --result "${STATUS_FOUND} (${COUNT})" --color GREEN Display --indent 8 --text "- Found ${COUNT} loadable modules" fi fi # ################################################################################# # # Test : HTTP-6640 # Description : Search for special Apache modules: evasive if [ ${APACHE_INSTALLED} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no HTTP-6640 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Determining existence of specific Apache modules" if [ ${SKIPTEST} -eq 0 ]; then # Check modules, module if CheckItem "apache_module" "/mod_evasive([0-9][0-9])?.so"; then Display --indent 10 --text "mod_evasive: anti-DoS/brute force" --result "${STATUS_FOUND}" --color GREEN AddHP 3 3 else Display --indent 10 --text "mod_evasive: anti-DoS/brute force" --result "${STATUS_NOT_FOUND}" --color WHITE AddHP 2 3 ReportSuggestion "${TEST_NO}" "Install Apache mod_evasive to guard webserver against DoS/brute force attempts" fi fi # ################################################################################# # # Test : HTTP-6641 # Description : Search for special Apache modules: Quality of Service # Notes : Was mod_qos before. Since Apache 2.2.15 mod_reqtimeout if [ ${APACHE_INSTALLED} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no HTTP-6641 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Determining existence of specific Apache modules" if [ ${SKIPTEST} -eq 0 ]; then # Check modules, module if CheckItem "apache_module" "/mod_(reqtimeout|qos).so"; then Display --indent 10 --text "mod_reqtimeout/mod_qos" --result "${STATUS_FOUND}" --color GREEN AddHP 3 3 else Display --indent 10 --text "mod_reqtimeout/mod_qos" --result "${STATUS_NOT_FOUND}" --color WHITE AddHP 2 3 ReportSuggestion "${TEST_NO}" "Install Apache mod_reqtimeout or mod_qos to guard webserver against Slowloris attacks" fi fi # ################################################################################# # # Test : HTTP-6643 # Description : Search for special Apache modules: security if [ ${APACHE_INSTALLED} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no HTTP-6643 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Determining existence of specific Apache modules" if [ ${SKIPTEST} -eq 0 ]; then # Check modules, module if CheckItem "apache_module" "/mod_security(2|3).so" ; then Display --indent 10 --text "ModSecurity: web application firewall" --result "${STATUS_FOUND}" --color GREEN AddHP 3 3 else Display --indent 10 --text "ModSecurity: web application firewall" --result "${STATUS_NOT_FOUND}" --color WHITE AddHP 2 3 ReportSuggestion "${TEST_NO}" "Install Apache modsecurity to guard webserver against web application attacks" fi fi # ################################################################################# # # Test : HTTP-6660 # Description : Search for "TraceEnable off" in configuration files if [ ${APACHE_INSTALLED} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no HTTP-6660 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking Apache security setting: TraceEnable" if [ ${SKIPTEST} -eq 0 ]; then for DIR in ${sTEST_APACHE_TARGETS}; do if [ -d ${DIR} ]; then find ${DIR} -name "*.conf" -print >> ${TMPFILE3} fi done # Check all Apache conf-files for TraceEnable if [ -f ${TMPFILE3} ]; then Display --indent 2 --text '- Checking TraceEnable setting in:' for APACHE_CONFFILE in $(cat ${TMPFILE3}); do TRACEENABLE=$( ${GREPBINARY} -i -E '^TraceEnable' ${APACHE_CONFFILE} | ${AWKBINARY} '{print $2}' ) if [ ! ${TRACEENABLE} ]; then LogText "Result: no TraceEnable setting found in ${APACHE_CONFFILE}" Display --indent 4 --text " ${APACHE_CONFFILE}" --result "${STATUS_NOT_FOUND}" --color WHITE else TRACEENABLED_SETTING=$( echo ${TRACEENABLE} | tr 'A-Z' 'a-z' ) if [ "x${TRACEENABLED_SETTING}" = 'xoff' ]; then LogText "Result: found TraceEnable setting set to 'off' in ${APACHE_CONFFILE}" Report "Apache setting: 'TraceEnable Off' in ${APACHE_CONFFILE}" Display --indent 4 --text " ${APACHE_CONFFILE}" --result "${STATUS_FOUND}" --color GREEN else LogText "Result: found TraceEnable setting set to '"${TRACEENABLE}"' in ${APACHE_CONFFILE}" Report "Apache setting: 'TraceEnable "${TRACEENABLE}"' in ${APACHE_CONFFILE}" Display --indent 4 --text " ${APACHE_CONFFILE}" --result "${STATUS_SUGGESTION}" --color YELLOW ReportSuggestion "${TEST_NO}" "Consider setting 'TraceEnable Off' in ${APACHE_CONFFILE}" "Set TraceEnable to 'On' or 'extended' for testing and diagnostic purposes only." fi fi done rm -f ${TMPFILE3} fi fi # ################################################################################# # # Test : HTTP-6702 # Description : Search for nginx process Register --test-no HTTP-6702 --weight L --network NO --category security --description "Check nginx process" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: searching running nginx process" if IsRunning "nginx"; then LogText "Result: found running nginx process(es)" Display --indent 2 --text "- Checking nginx" --result "${STATUS_FOUND}" --color GREEN NGINX_RUNNING=1 Report "nginx_running=1" else LogText "Result: no running nginx process found" Display --indent 2 --text "- Checking nginx" --result "${STATUS_NOT_FOUND}" --color WHITE fi fi # ################################################################################# # # Test : HTTP-6704 # Description : Search for nginx configuration file if [ ${NGINX_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no HTTP-6704 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check nginx configuration file" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: searching nginx configuration file" for DIR in ${NGINX_CONF_LOCS}; do if [ -f ${DIR}/nginx.conf ]; then NGINX_CONF_LOCATION="${DIR}/nginx.conf" LogText "Found file ${NGINX_CONF_LOCATION}" NGINX_CONF_FILES="${DIR}/nginx.conf" fi done if HasData "${NGINX_CONF_LOCATION}"; then LogText "Result: found nginx configuration file" Report "nginx_main_conf_file=${NGINX_CONF_LOCATION}" Display --indent 4 --text "- Searching nginx configuration file" --result "${STATUS_FOUND}" --color GREEN else LogText "Result: no nginx configuration file found" Display --indent 2 --text "- Searching nginx configuration file" --result "${STATUS_NOT_FOUND}" --color WHITE fi fi # ################################################################################# # # Test : HTTP-6706 # Description : Search for includes within nginx configuration file # Notes : Daemon nginx should be running, nginx.conf should be found if [ ${NGINX_RUNNING} -eq 1 -a -n "${NGINX_CONF_LOCATION}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no HTTP-6706 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for additional nginx configuration files" if [ ${SKIPTEST} -eq 0 ]; then CreateTempFile || ExitFatal TMPFILE="${TEMP_FILE}" COUNT=0 ${SEDBINARY} -e 's/^[ \t]*//' ${NGINX_CONF_LOCATION} | ${GREPBINARY} -v "^#" | ${GREPBINARY} -v "^$" | ${SEDBINARY} 's/[\t]/ /g' | ${SEDBINARY} 's/ / /g' | ${SEDBINARY} 's/ / /g' >> ${TMPFILE} # Search for included configuration files (may include directories and wild cards) FIND=$(${GREPBINARY} "include" ${NGINX_CONF_LOCATION} | ${AWKBINARY} '{ if ($1=="include") { print $2 }}' | ${SEDBINARY} 's/;$//g') for I in ${FIND}; do FIND2=$(${LSBINARY} ${I} 2>/dev/null) for J in ${FIND2}; do # Ensure that we are parsing normal files if [ -f ${J} ]; then COUNT=$((COUNT + 1)) LogText "Result: found Nginx configuration file ${J}" Report "nginx_sub_conf_file[]=${J}" FileIsReadable ${J} if [ ${CANREAD} -eq 1 ]; then NGINX_CONF_FILES="${NGINX_CONF_FILES} ${J}" FIND3=$(sed -e 's/^[ \t]*//' ${J} | ${GREPBINARY} -v "^#" | ${GREPBINARY} -v "^$" | ${SEDBINARY} 's/[\t]/ /g' | ${SEDBINARY} 's/ / /g' | ${SEDBINARY} 's/ / /g' >> ${TMPFILE}) else ReportException "${TEST_NO}:1" "Can not parse file ${J}, as it is not readable" fi fi done done # Sort all discovered configuration lines and store unique ones. Also strip out the mime types configured in nginx SORTFILE=$(${SORTBINARY} -u ${TMPFILE} | ${SEDBINARY} 's/ /:space:/g' | ${GREPBINARY} -E -v "(application|audio|image|text|video)/" | ${GREPBINARY} -E -v "({|})") for I in ${SORTFILE}; do I=$(echo ${I} | ${SEDBINARY} 's/:space:/ /g') Report "nginx_config_option[]=${I}"; done # Remove unsorted file for next tests if [ -f ${TMPFILE} ]; then rm -f ${TMPFILE}; fi if [ ${COUNT} -eq 0 ]; then LogText "Result: no nginx include statements found" else Display --indent 6 --text "- Found nginx includes" --result "${COUNT} FOUND" --color GREEN fi fi # ################################################################################# # # Test : HTTP-6708 # Description : Check discovered nginx configuration settings for further hardening # Notes : Daemon of nginx should be running, nginx.conf should be found if [ ${NGINX_RUNNING} -eq 1 -a -n "${NGINX_CONF_FILES}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no HTTP-6708 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check discovered nginx configuration settings" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: start parsing all discovered nginx options" Display --indent 4 --text "- Parsing configuration options" for FILE in ${NGINX_CONF_FILES}; do FILENAME=$(echo ${FILE} | ${AWKBINARY} -F/ '{print $NF}') if [ ! "${FILENAME}" = "mime.types" ]; then if FileIsReadable ${FILE}; then Display --indent 8 --text "- ${FILE}" ParseNginx ${FILE} else Display --indent 8 --text "- ${FILE}" --result "SKIPPED (NOT READABLE)" --color YELLOW fi else LogText "Result: this configuration file is skipped, as it contains usually no interesting details" fi done if [ -n "${NGINX_CONF_FILES_ADDITIONS}" ]; then for I in ${NGINX_CONF_FILES_ADDITIONS}; do FILENAME=$(echo ${I} | ${AWKBINARY} -F/ '{print $NF}') if [ ! "${FILENAME}" = "mime.types" ]; then if FileIsReadable ${I}; then Display --indent 8 --text "- ${I}" ParseNginx ${I} else Display --indent 8 --text "- ${I}" --result "SKIPPED (NOT READABLE)" --color YELLOW fi else LogText "Result: this configuration file is skipped, as it contains usually no interesting details" fi done fi fi # ################################################################################# # # Test : HTTP-6710 # Description : Check SSL configuration of nginx # Notes : Daemon of nginx should be running, nginx.conf should be found if [ ${NGINX_RUNNING} -eq 1 -a -n "${NGINX_CONF_LOCATION}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no HTTP-6710 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check nginx SSL configuration settings" if [ ${SKIPTEST} -eq 0 ]; then NGINX_SSL_SUGGESTION=0 if [ ${NGINX_SSL_ON} -eq 1 ]; then LogText "Result: SSL is configured in nginx on one or more virtual hosts" Display --indent 6 --text "- SSL configured" --result "${STATUS_YES}" --color GREEN AddHP 5 5 # Cipher tests if [ ${NGINX_SSL_CIPHERS} -eq 1 ]; then Display --indent 8 --text "- Ciphers configured" --result "${STATUS_YES}" --color GREEN else Display --indent 8 --text "- Ciphers configured" --result "${STATUS_NO}" --color RED NGINX_SSL_SUGGESTION=1 fi if [ ${NGINX_SSL_PREFER_SERVER_CIPHERS} -eq 1 ]; then Display --indent 8 --text "- Prefer server ciphers" --result "${STATUS_YES}" --color GREEN else Display --indent 8 --text "- Prefer server ciphers" --result "${STATUS_NO}" --color RED NGINX_SSL_SUGGESTION=1 fi if [ ${NGINX_SSL_PROTOCOLS} -eq 1 ]; then Display --indent 8 --text "- Protocols configured" --result "${STATUS_YES}" --color GREEN if [ ${NGINX_WEAK_SSL_PROTOCOL_FOUND} -eq 0 ]; then Display --indent 10 --text "- Insecure protocols found" --result "${STATUS_NO}" --color GREEN else Display --indent 10 --text "- Insecure protocols found" --result "${STATUS_YES}" --color RED ReportSuggestion "${TEST_NO}" "Disable weak protocol in nginx configuration" fi else Display --indent 8 --text "- Protocols configured" --result "${STATUS_NO}" --color RED NGINX_SSL_SUGGESTION=1 fi else LogText "Result: No SSL configuration found" Display --indent 6 --text "- SSL configured" --result "${STATUS_NO}" --color RED ReportSuggestion "${TEST_NO}" "Add HTTPS to nginx virtual hosts for enhanced protection of sensitive data and privacy" AddHP 1 5 fi if [ ${NGINX_SSL_SUGGESTION} -eq 1 ]; then LogText "Result: one or more parts of the nginx configuration could be enhanced regarding SSL" ReportSuggestion "${TEST_NO}" "Change the HTTPS and SSL settings for enhanced protection of sensitive data and privacy" fi fi # ################################################################################# # # Test : HTTP-6712 # Description : Check logging configuration of nginx # Notes : Daemon of nginx should be running, nginx.conf should be found if [ ${NGINX_RUNNING} -eq 1 -a -n "${NGINX_CONF_LOCATION}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no HTTP-6712 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check nginx access logging" if [ ${SKIPTEST} -eq 0 ]; then NGINX_LOG_SUGGESTION=0 Display --indent 6 --text "- Checking log file configuration" # Check for missing access log if [ ${NGINX_ACCESS_LOG_MISSING} -eq 1 ]; then NGINX_LOG_SUGGESTION=1 Display --indent 8 --text "- Missing log files (access_log)" --result "${STATUS_YES}" --color RED else Display --indent 8 --text "- Missing log files (access_log)" --result "${STATUS_NO}" --color GREEN fi # Access log disabled if [ ${NGINX_ACCESS_LOG_DISABLED} -eq 1 ]; then NGINX_LOG_SUGGESTION=1 LogText "Result: found one or more virtual hosts which have their access log disabled" Display --indent 8 --text "- Disabled access logging" --result "${STATUS_YES}" --color RED AddHP 2 3 else LogText "Result: no virtual hosts found which have their access log disabled" Display --indent 8 --text "- Disabled access logging" --result "${STATUS_NO}" --color GREEN AddHP 3 3 fi # Report suggestion if [ ${NGINX_LOG_SUGGESTION} -eq 1 ]; then ReportSuggestion "${TEST_NO}" "Check your nginx access log for proper functioning" fi fi # ################################################################################# # # Test : HTTP-6714 # Description : Check missing error logs in nginx if [ ${NGINX_RUNNING} -eq 1 -a -n "${NGINX_CONF_LOCATION}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no HTTP-6714 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for missing error logs in nginx" if [ ${SKIPTEST} -eq 0 ]; then NGINX_LOG_SUGGESTION=0 # Check for missing access log if [ ${NGINX_ERROR_LOG_MISSING} -eq 1 ]; then NGINX_LOG_SUGGESTION=1 Display --indent 8 --text "- Missing log files (error_log)" --result "${STATUS_YES}" --color RED else Display --indent 8 --text "- Missing log files (error_log)" --result "${STATUS_NO}" --color GREEN fi # Report suggestion if [ ${NGINX_LOG_SUGGESTION} -eq 1 ]; then ReportSuggestion "${TEST_NO}" "Check your nginx error_log statements" fi fi # ################################################################################# # # Test : HTTP-6716 # Description : Check debug mode on error log in nginx if [ ${NGINX_RUNNING} -eq 1 -a -n "${NGINX_CONF_LOCATION}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no HTTP-6716 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for debug mode on error log in nginx" if [ ${SKIPTEST} -eq 0 ]; then NGINX_LOG_SUGGESTION=0 # Access log in debug mode if [ ${NGINX_ERROR_LOG_DEBUG} -eq 1 ]; then NGINX_LOG_SUGGESTION=1 LogText "Result: found one or more virtual hosts which have their error log in debug mode" Display --indent 8 --text "- Debugging mode on error_log" --result "${STATUS_YES}" --color RED AddHP 2 3 else LogText "Result: no virtual hosts found which have their error log in debug mode" Display --indent 8 --text "- Debugging mode on error_log" --result "${STATUS_NO}" --color GREEN AddHP 3 3 fi # Report suggestion if [ ${NGINX_LOG_SUGGESTION} -eq 1 ]; then ReportSuggestion "${TEST_NO}" "Check your nginx error_log statements and disable debug mode" fi fi # ################################################################################# # # Test : HTTP-6720 # Description : Search for nginx log files if [ ${NGINX_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no HTTP-6720 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check Nginx log files" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Checking directories for files with log file definitions" for DIR in ${NGINX_CONF_LOCS}; do LogText "Test: Checking ${DIR}" if [ -d ${DIR} ]; then LogText "Result: Directory ${DIR} exists, so will be used as search path" FIND=$(find ${DIR} -type f -exec ${GREPBINARY} access_log \{\} \; | ${GREPBINARY} -v "#" | ${AWKBINARY} '{ if($1=="access_log") { print $2 } }' | ${SEDBINARY} 's/;$//g' | ${SORTBINARY} -u) if IsEmpty "${FIND}"; then LogText "Result: no log files found" else LogText "Result: found one or more log files" for FILE in ${FIND}; do if [ -f ${FILE} ]; then LogText "Found log file: ${FILE}" Report "log_file=${FILE}" else LogText "Found non existing log file: ${FILE}" fi done fi else LogText "Result: directory ${DIR} not found, skipping search in this directory." fi done unset DIR FILE FIND fi # ################################################################################# # # Remove temp file (double check) if [ -n "${TMPFILE}" ]; then if [ -f ${TMPFILE} ]; then rm -f ${TMPFILE}; fi; fi if [ -n "${TMPFILE2}" ]; then if [ -f ${TMPFILE2} ]; then rm -f ${TMPFILE2}; fi; fi if [ -n "${TMPFILE3}" ]; then if [ -f ${TMPFILE3} ]; then rm -f ${TMPFILE3}; fi; fi WaitForKeyPress # #================================================================================ # Lynis - Security Auditing and System Hardening for Linux and UNIX - https://cisofy.com