#!/bin/sh ################################################################################# # # Lynis # ------------------ # # Copyright 2007-2013, Michael Boelen # Copyright 2013-2016, CISOfy # # Website : https://cisofy.com # Blog : http://linux-audit.com # GitHub : https://github.com/CISOfy/lynis # # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are # welcome to redistribute it under the terms of the GNU General Public License. # See LICENSE file for usage of this software. # ################################################################################# # # Kernel # ################################################################################# # InsertSection "Kernel Hardening" # ################################################################################# # # Test : KRNL-6000 # Description : Check sysctl parameters # Sysctl : net.ipv4.icmp_ingore_bogus_error_responses (=1) if [ ! "${SYSCTL_READKEY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no KRNL-6000 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check sysctl key pairs in scan profile" if [ ${SKIPTEST} -eq 0 ]; then FOUND=0 DATA_TO_SCAN="" N=0 Display --indent 2 --text "- Comparing sysctl key pairs with scan profile" # First scan optional profiles only (ignore default and custom) for PROFILE in ${PROFILES}; do FILE=$(echo ${PROFILE} | ${AWKBINARY} -F/ '{print $NF}') if [ ! "${FILE}" = "default.prf" -a ! "${FILE}" = "custom.prf" ]; then FIND=$(${GREPBINARY} "^config-data=sysctl;" ${PROFILE} | sed 's/ /-space-/g') DATA_TO_SCAN="${DATA_TO_SCAN} ${FIND}" fi done # Scan custom profile if [ ! -z "${CUSTOM_PROFILE}" ]; then FIND=$(${GREPBINARY} "^config-data=sysctl;" ${CUSTOM_PROFILE} | sed 's/ /-space-/g') for LINE in ${FIND}; do SYSCTLKEY=$(echo ${LINE} | ${AWKBINARY} -F\; '{ print $2 }') HAS_KEY=$(echo ${DATA_TO_SCAN} | ${GREPBINARY} ";${SYSCTLKEY};") if [ $? -gt 0 ]; then DATA_TO_SCAN="${DATA_TO_SCAN} ${LINE}"; fi done fi # Last, use data from default profile if [ ! -z "${DEFAULT_PROFILE}" ]; then FIND=$(${GREPBINARY} "^config-data=sysctl;" ${DEFAULT_PROFILE} | sed 's/ /-space-/g') for LINE in ${FIND}; do SYSCTLKEY=$(echo ${LINE} | ${AWKBINARY} -F\; '{ print $2 }') HAS_KEY=$(echo ${DATA_TO_SCAN} | ${GREPBINARY} ";${SYSCTLKEY};") if [ $? -gt 0 ]; then DATA_TO_SCAN="${DATA_TO_SCAN} ${LINE}"; fi done fi # Sort the results DATA_TO_SCAN=$(echo ${DATA_TO_SCAN} | tr ' ' '\n' | sort) for I in ${DATA_TO_SCAN}; do tFINDkey=$(echo ${I} | ${AWKBINARY} -F\; '{ print $2 }') tFINDexpvalue=$(echo ${I} | ${AWKBINARY} -F\; '{ print $3 }') tFINDhp=$(echo ${I} | ${AWKBINARY} -F\; '{ print $4 }' | ${GREPBINARY} "[0-9]") tFINDdesc=$(echo ${I} | ${AWKBINARY} -F\; '{ print $5 }' | sed 's/-space-/ /g') tFINDcurvalue=$(${SYSCTL_READKEY} ${tFINDkey} 2> /dev/null) if [ ! "${tFINDcurvalue}" = "" ]; then if [ "${tFINDexpvalue}" = "${tFINDcurvalue}" ]; then LogText "Result: sysctl key ${tFINDkey} contains equal expected and current value (${tFINDexpvalue})" Display --indent 4 --text "- ${tFINDkey} (exp: ${tFINDexpvalue})" --result "${STATUS_OK}" --color GREEN AddHP ${tFINDhp} ${tFINDhp} else LogText "Result: sysctl key ${tFINDkey} has a different value than expected in scan profile. Expected=${tFINDexpvalue}, Real=${tFINDcurvalue}" Display --indent 4 --text "- ${tFINDkey} (exp: ${tFINDexpvalue})" --result DIFFERENT --color RED AddHP 0 ${tFINDhp} FOUND=1 N=$((N + 1)) ReportDetails --test "${TEST_NO}" --service "sysctl" --field "${tFINDkey}" --value "${tFINDcurvalue}" --preferredvalue "${tFINDexpvalue}" --description "${tFINDdesc}" fi else LogText "Result: key ${tFINDkey} does not exist on this machine" fi done # Add suggestion if one or more sysctls have a different value than scan profile if [ ${FOUND} -eq 1 ]; then LogText "Result: found ${N} keys that can use tuning, according scan profile" ReportSuggestion ${TEST_NO} "One or more sysctl values differ from the scan profile and could be tweaked" fi fi # ################################################################################# # WaitForKeyPress # #================================================================================ # Lynis - Security Auditing and System Hardening for Linux and UNIX - https://cisofy.com