#!/bin/sh ################################################################################# # # Lynis # ------------------ # # Copyright 2007-2013, Michael Boelen # Copyright 2007-2019, CISOfy # # Website : https://cisofy.com # Blog : http://linux-audit.com # GitHub : https://github.com/CISOfy/lynis # # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are # welcome to redistribute it under the terms of the GNU General Public License. # See LICENSE file for usage of this software. # ################################################################################# # # DNS # ################################################################################# # # # TODO create records on test domain # # TODO after update even IP match can be checked to detect hijacking # SIGOKDNS="sigok.example.org" # adress with good DNSSEC signature # SIGFAILDNS="sigfail.example.org" # adress with bad DNSSEC signature # TIMEOUT=";; connection timed out; no servers could be reached" # ################################################################################# # # InsertSection "DNS" # ################################################################################# # # # Test : DNS-1600 # # Description : Validate DNSSEC signiture is checked # Register --test-no DNS-1600 --weight L --network YES --category security --description "Validate DNSSEC igniture is checked" # if [ "${SKIPTEST}" -eq 0 ]; then # if [ -n "${DIGBINARY}" ]; then # # GOOD=$("${DIGBINARY}" +short +time=1 $SIGOKDNS) # BAD=$("${DIGBINARY}" +short +time=1 $SIGFAILDNS) # # if [ "${GOOD}" = "${TIMEOUT}" -a "${BAD}" = "${TIMEOUT}" ]; then # LogText "Result: received timeout, can't determine DNSSEC validation" # Display --indent 4 --text "- Checking DNSSEC validation" --result "${STATUS_UNKOWN}" --color YELLOW # #ReportException "${TEST_NO}" "Exception found, both query failed, due to connection timeout" # elif [ -z "${GOOD}" -a -n "${BAD}" ]; then # LogText "Result: good signature failed, yet bad signature was accepted" # Display --indent 4 --text "- Checking DNSSEC validation" --result "${STATUS_UNKOWN}" --color YELLOW # #ReportException "${TEST_NO}" "Exception found, OK failed, bad signature was accepted" # elif [ -n "${GOOD}" -a -n "${BAD}" ]; then # Display --indent 4 --text "- Checking DNSSEC validation" --result "${STATUS_SUGGESTION}" --color YELLOW # LogText "Note: Using DNSSEC validation can protect from DNS hijacking" # #ReportSuggestion "${TEST_NO}" "Altered DNS queries are accepted, configure DNSSEC valdating name servers" # AddHP 2 2 # elif [ -n "${GOOD}" -a -z "${BAD}" ]; then # Display --indent 4 --text "- Checking DNSSEC validation" --result "${STATUS_OK}" --color GREEN # LogText "Result: altered DNS responses were ignored" # AddHP 0 2 # fi # else # Display --indent 4 --text "- DNSSEC validation" --result "${STATUS_SKIPPED}" --color YELLOW # LogText "Result: dig not installed, test can't be fully performed" # fi # else # LogText "Result: Test was skipped" # fi # ################################################################################# #