#!/bin/sh ################################################################################# # # Lynis # ------------------ # # Copyright 2007-2013, Michael Boelen # Copyright 2007-2021, CISOfy # # Website : https://cisofy.com # Blog : http://linux-audit.com # GitHub : https://github.com/CISOfy/lynis # # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are # welcome to redistribute it under the terms of the GNU General Public License. # See LICENSE file for usage of this software. # ################################################################################# # # Name services # ################################################################################# # InsertSection "${SECTION_NAME_SERVICES}" # ################################################################################# # BIND_RUNNING=0 BIND_CONFIG_LOCS="${ROOTDIR}etc ${ROOTDIR}etc/bind ${ROOTDIR}usr/local/etc ${ROOTDIR}usr/local/etc/namedb" BIND_CONFIG_LOCATION="" POWERDNS_RUNNING=0 POWERDNS_CONFIG_LOCS="${ROOTDIR}etc/powerdns ${ROOTDIR}usr/local/etc" POWERDNS_AUTH_CONFIG_LOCATION="" POWERDNS_AUTH_MASTER=0 POWERDNS_AUTH_SLAVE=0 UNBOUND_CONFIG_OK=0 YPBIND_RUNNING=0 # ################################################################################# # # Test : NAME-4016 # Description : Check main domain (domain in /etc/resolv.conf) Register --test-no NAME-4016 --weight L --network NO --category security --description "Check /etc/resolv.conf default domain" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: check ${ROOTDIR}etc/resolv.conf for default domain" if [ -f ${ROOTDIR}etc/resolv.conf ]; then LogText "Result: ${ROOTDIR}etc/resolv.conf found" FIND=$(${AWKBINARY} '/^domain/ { print $2 }' ${ROOTDIR}etc/resolv.conf) if [ -z "${FIND}" ]; then LogText "Result: no default domain found" if IsVerbose; then Display --indent 2 --text "- Checking default DNS search domain" --result "${STATUS_NONE}" --color WHITE; fi else LogText "Result: found default domain" LogText "Output: ${FIND}" Report "resolv_conf_domain=${FIND}" Display --indent 2 --text "- Checking default DNS search domain" --result "${STATUS_FOUND}" --color GREEN RESOLV_DOMAINNAME="${FIND}" fi fi fi # ################################################################################# # # Test : NAME-4018 # Description : Check search domains in /etc/resolv.conf # Notes : Maximum of one search keyword is allowed in /etc/resolv.conf Register --test-no NAME-4018 --weight L --network NO --category security --description "Check /etc/resolv.conf search domains" if [ ${SKIPTEST} -eq 0 ]; then COUNT=0 LogText "Test: check ${ROOTDIR}etc/resolv.conf for search domains" if [ -f ${ROOTDIR}etc/resolv.conf ]; then LogText "Result: ${ROOTDIR}etc/resolv.conf found" FIND=$(${AWKBINARY} '/^search/ { print $2 }' ${ROOTDIR}etc/resolv.conf) if IsEmpty "${FIND}"; then LogText "Result: no search domains found, default domain is being used" else for ITEM in ${FIND}; do LogText "Found search domain: ${ITEM}" Report "resolv_conf_search_domain[]=${ITEM}" COUNT=$((COUNT + 1)) done # Warn if we have more than 6 search domains, which is maximum in most resolvers if [ ${COUNT} -gt 6 ]; then LogText "Result: Found ${COUNT} search domains" Display --indent 2 --text "- Checking search domains" --result "${STATUS_WARNING}" --color YELLOW ReportWarning "${TEST_NO}" "Found more than 6 search domains, which is usually more than the maximum allowed number in most resolvers" else LogText "Result: Found ${COUNT} search domains" Display --indent 2 --text "- Checking search domains" --result "${STATUS_FOUND}" --color GREEN fi fi # Check amount of search domains (max 1) FIND=$(${GREPBINARY} -c "^search" ${ROOTDIR}etc/resolv.conf) if [ ! "${FIND}" = "0" -a ! "${FIND}" = "1" ]; then LogText "Result: found ${FIND} line(s) with a search statement (expecting less than 2 lines)" Display --indent 4 --text "- Checking search domains lines" --result "CONFIG ERROR" --color YELLOW ReportWarning "${TEST_NO}" "Found more than 1 search lines in /etc/resolv.conf, which is probably a misconfiguration" else LogText "Result: found ${FIND} line(s) with a search statement (expecting less than 2 lines)" fi else LogText "Result: ${ROOTDIR}etc/resolv.conf does not exist, skipping test" Display --indent 2 --text "- Checking search domains" --result "${STATUS_NOT_FOUND}" --color YELLOW fi fi # ################################################################################# # # Test : NAME-4020 # Description : Check non default resolv.conf options Register --test-no NAME-4020 --weight L --network NO --category security --description "Check non default options" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: check ${ROOTDIR}etc/resolv.conf for non default options" if [ -f ${ROOTDIR}etc/resolv.conf ]; then LogText "Result: ${ROOTDIR}etc/resolv.conf found" FIND=$(${GREPBINARY} "^options" ${ROOTDIR}etc/resolv.conf | ${AWKBINARY} '{ print $2 }') if IsEmpty "${FIND}"; then LogText "Result: no specific other options configured in /etc/resolv.conf" if IsVerbose; then Display --indent 2 --text "- Checking /etc/resolv.conf options" --result "${STATUS_NONE}" --color WHITE; fi else for ITEM in ${FIND}; do LogText "Found option: ${ITEM}" Report "resolv_conf_option[]=${ITEM}" # TODO add suggestions for the related options # rotate --> add performance tune point # timeout --> add performance tune point when smaller than 3 seconds done Display --indent 2 --text "- Checking /etc/resolv.conf options" --result "${STATUS_FOUND}" --color GREEN fi else LogText "Result: /etc/resolv.conf not found, test skipped" Display --indent 2 --text "- Checking /etc/resolv.conf options" --result "${STATUS_NOT_FOUND}" --color YELLOW fi fi # ################################################################################# # # Test : NAME-4024 # Description : Check Solaris uname -n output Register --test-no NAME-4024 --os Solaris --weight L --network NO --category security --description "Solaris uname -n output" if [ ${SKIPTEST} -eq 0 ]; then FIND=$(${UNAMEBINARY} -n) LogText "Result: 'uname -n' returned ${FIND}" Display --indent 2 --text "- Checking uname -n output" --result "${STATUS_DONE}" --color GREEN fi # ################################################################################# # # Test : NAME-4026 # Description : Check Solaris /etc/nodename # Notes : If a system is standalone, /etc/nodename should contain a system name only, not FQDN Register --test-no NAME-4026 --os Solaris --weight L --network NO --category security --description "Check /etc/nodename" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: checking /etc/nodename" if [ -f /etc/nodename ]; then LogText "Result: file /etc/nodename exists" FIND=$(cat /etc/nodename) LogText "Output: ${FIND}" Display --indent 2 --text "- Checking /etc/nodename" --result "${STATUS_DONE}" --color GREEN else LogText "Result: file /etc/nodename could not be found" Display --indent 2 --text "- Checking /etc/nodename" --result "NONE FOUND" --color YELLOW fi fi # ################################################################################# # # Test : NAME-4028 # Description : Check DNS domain name # To Do : ${GREPBINARY} ^DOMAINNAME /etc/conf.d/domainname (remove "'s) Register --test-no NAME-4028 --weight L --network NO --category security --description "Check domain name" if [ ${SKIPTEST} -eq 0 ]; then DOMAINNAME="" LogText "Test: Checking if dnsdomainname command is available" if HasData "${DNSDOMAINNAMEBINARY}"; then FIND2=$(${DNSDOMAINNAMEBINARY} 2> /dev/null) if HasData "${FIND2}"; then LogText "Result: dnsdomainname command returned a value" LogText "Found domain name: ${FIND2}" DOMAINNAME="${FIND2}" else LogText "Result: dnsdomainname command returned no value" fi else LogText "Result: dnsdomainname binary not found, skip specific test" fi # If files and commands can't be found, use defined value from resolv.conf if [ -z "${DOMAINNAME}" ]; then if [ -n "${RESOLV_DOMAINNAME}" ]; then LogText "Result: using domain name from ${ROOTDIR}etc/resolv.conf" DOMAINNAME=${RESOLV_DOMAINNAME} else LogText "Result: using domain name from FQDN hostname (${FQDN})" DOMAINNAME=$(echo ${FQDN} | ${AWKBINARY} -F. '{print $2}') fi fi if [ -n "${DOMAINNAME}" ]; then LogText "Result: found domain name" Report "domainname=${DOMAINNAME}" Display --indent 2 --text "- Searching DNS domain name" --result "${STATUS_FOUND}" --color GREEN Display --indent 6 --text "Domain name: ${DOMAINNAME}" else Display --indent 2 --text "- Searching DNS domain name" --result "${STATUS_UNKNOWN}" --color YELLOW ReportSuggestion "${TEST_NO}" "Check DNS configuration for the dns domain name" fi fi # ################################################################################# # # Test : NAME-4032 # Description : Check name service caching daemon (NSCD) status Register --test-no NAME-4032 --weight L --network NO --category security --description "Check nscd status" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: checking nscd status" if IsRunning "nscd"; then NAME_CACHE_USED=1 LogText "Result: nscd is running" Display --indent 2 --text "- Checking nscd status" --result "${STATUS_RUNNING}" --color GREEN else LogText "Result: nscd is not running" if IsVerbose; then Display --indent 2 --text "- Checking nscd status" --result "${STATUS_NOT_FOUND}" --color WHITE; fi fi fi # ################################################################################# # # Test : NAME-4034 # Description : Check name service caching daemon (Unbound) status Register --test-no NAME-4034 --weight L --network NO --category security --description "Check Unbound status" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: checking Unbound (unbound) status" if IsRunning "unbound"; then UNBOUND_RUNNING=1 NAME_CACHE_USED=1 LogText "Result: Unbound daemon is running" Display --indent 2 --text "- Checking Unbound status" --result "${STATUS_RUNNING}" --color GREEN else LogText "Result: Unbound daemon is not running" if IsVerbose; then Display --indent 2 --text "- Checking Unbound status" --result "${STATUS_NOT_FOUND}" --color WHITE; fi fi fi # ################################################################################# # # Test : NAME-4036 # Description : Checking Unbound configuration file if [ ${UNBOUND_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no NAME-4036 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check Unbound configuration file" if [ ${SKIPTEST} -eq 0 ]; then FIND=$(which unbound-checkconf | grep -v "no [^ ]* in ") if [ ! "${FIND}" = "" ]; then LogText "Test: running unbound-checkconf" # Don't capture any output, just gather exit code (0 is fine, otherwise bad) FIND=$(unbound-checkconf > /dev/null 2>&1) if [ $? -eq 0 ]; then UNBOUND_CONFIG_OK=1 LogText "Result: Configuration is fine" Display --indent 2 --text "- Checking configuration file" --result "${STATUS_OK}" --color GREEN else LogText "Result: Unbound daemon is not running" Display --indent 2 --text "- Checking configuration file" --result "NOT OK" --color YELLOW ReportWarning "${TEST_NO}" "Found Unbound configuration file issues (run unbound-checkconf)" fi else LogText "Result: skipped, can't find unbound-checkconf utility" fi fi # ################################################################################# # # Test : NAME-4202 # Description : Check if BIND is running Register --test-no NAME-4202 --weight L --network NO --category security --description "Check BIND status" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Checking for running BIND instance" if IsRunning "named"; then LogText "Result: found BIND process" Display --indent 2 --text "- Checking BIND status" --result "${STATUS_FOUND}" --color GREEN BIND_RUNNING=1 else LogText "Result: BIND not running" if IsVerbose; then Display --indent 2 --text "- Checking BIND status" --result "${STATUS_NOT_FOUND}" --color WHITE; fi fi fi # ################################################################################# # # Test : NAME-4204 # Description : Check configuration file of BIND if [ ${BIND_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no NAME-4204 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Search BIND configuration file" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Search BIND configuration file" for I in ${BIND_CONFIG_LOCS}; do if [ -f ${I}/named.conf ]; then BIND_CONFIG_LOCATION="${I}/named.conf" LogText "Result: found configuration file (${BIND_CONFIG_LOCATION})" fi done if [ -n "${BIND_CONFIG_LOCATION}" ]; then Display --indent 4 --text "- Checking BIND configuration file" --result "${STATUS_FOUND}" --color GREEN else Display --indent 4 --text "- Checking BIND configuration file" --result "${STATUS_NOT_FOUND}" --color YELLOW fi fi # ################################################################################# # # Test : NAME-4206 # Description : Check BIND configuration file consistency if [ ${BIND_RUNNING} -eq 1 -a ! "${BIND_CONFIG_LOCATION}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no NAME-4206 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check BIND configuration consistency" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: searching for named-checkconf binary" if [ ! "${NAMEDCHECKCONFBINARY}" = "" ]; then LogText "Result: named-checkconf is installed" FIND=$(${NAMEDCHECKCONFBINARY} ${BIND_CONFIG_LOCATION}; echo $?) if [ "${FIND}" = "0" ]; then LogText "Result: configuration file ${BIND_CONFIG_LOCATION} seems to be fine" Display --indent 4 --text "- Checking BIND configuration consistency" --result "${STATUS_OK}" --color GREEN else LogText "Result: possible errors found in ${BIND_CONFIG_LOCATION}" Display --indent 4 --text "- Checking BIND configuration consistency" --result "${STATUS_WARNING}" --color RED ReportWarning "${TEST_NO}" "Errors discovered in BIND configuration file" fi else LogText "Result: named-checkconf not found, skipping test" fi fi # ################################################################################# # # Test : NAME-4210 # Description : Check if we can determine useful information from banner if [ ${BIND_RUNNING} -eq 1 -a ! "${BIND_CONFIG_LOCATION}" = "" -a ! "${DIGBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no NAME-4210 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check DNS banner" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Trying to determine version from banner" FIND=$(${DIGBINARY} @localhost version.bind chaos txt | ${GREPBINARY} "^version.bind" | ${GREPBINARY} TXT | ${GREPBINARY} -E "[0-9].[0-9].[0-9]*") if [ "${FIND}" = "" ]; then LogText "Result: no useful information in banner found" Display --indent 4 --text "- Checking BIND version in banner" --result "${STATUS_OK}" --color GREEN AddHP 2 2 else LogText "Result: possible BIND version available in version banner" Display --indent 4 --text "- Checking BIND version in banner" --result "${STATUS_WARNING}" --color RED ReportWarning "${TEST_NO}" "Found BIND version in banner" ReportSuggestion "${TEST_NO}" "The version in BIND can be masked by defining 'version none' in the configuration file" AddHP 0 2 fi fi # ################################################################################# # # Test : NAME-4212 TODO # Description : Check version option in BIND configuration #if [ ${BIND_RUNNING} -eq 1 -a ! "${BIND_CONFIG_LOCATION}" = "" -a ! "${DIGBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi #Register --test-no NAME-4212 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check version setting in configuration" # ################################################################################# # # Test : NAME-4220 TODO # Description : Check if we can perform a zone transfer of primary domain #Register --test-no NAME-4220 --weight L --network NO --category security --description "Check zone transfer" #if [ ${SKIPTEST} -eq 0 ]; then # ################################################################################# # # Test : NAME-4222 TODO # Description : Check if we can perform a zone transfer of PTR (of primary domain) #Register --test-no NAME-4222 --weight L --network NO --category security --description "Check zone transfer" #if [ ${SKIPTEST} -eq 0 ]; then # ################################################################################# # # Test : NAME-4230 # Description : Check if PowerDNS is running Register --test-no NAME-4230 --weight L --network NO --category security --description "Check PowerDNS status" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Checking for running PowerDNS instance" if IsRunning "pdns_server"; then LogText "Result: found PowerDNS process" Display --indent 2 --text "- Checking PowerDNS status" --result "${STATUS_RUNNING}" --color GREEN POWERDNS_RUNNING=1 else LogText "Result: PowerDNS not running" if IsVerbose; then Display --indent 2 --text "- Checking PowerDNS status" --result "${STATUS_NOT_FOUND}" --color WHITE; fi fi fi # ################################################################################# # # Test : NAME-4232 # Description : Check PowerDNS configuration file if [ ${POWERDNS_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no NAME-4232 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Search PowerDNS configuration file" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Search PowerDNS configuration file" for DIR in ${POWERDNS_CONFIG_LOCS}; do if [ -f ${DIR}/pdns.conf ]; then POWERDNS_AUTH_CONFIG_LOCATION="${DIR}/pdns.conf" LogText "Result: found configuration file (${POWERDNS_AUTH_CONFIG_LOCATION})" fi done if HasData "${POWERDNS_AUTH_CONFIG_LOCATION}"; then Display --indent 4 --text "- Checking PowerDNS configuration file" --result "${STATUS_FOUND}" --color GREEN else Display --indent 4 --text "- Checking PowerDNS configuration file" --result "${STATUS_NOT_FOUND}" --color YELLOW fi fi # ################################################################################# # # # Test : NAME-4234 # # Description : Check PowerDNS configuration file consistency # if [ ${POWERDNS_RUNNING} -eq 1 -a ! "${POWERDNS_AUTH_CONFIG_LOCATION}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi # Register --test-no NAME-4234 --weight L --network NO --category security --description "Check PowerDNS configuration consistency" # if [ ${SKIPTEST} -eq 0 ]; then # fi # ################################################################################# # # Test : NAME-4236 # Description : Check PowerDNS server backends if [ ${POWERDNS_RUNNING} -eq 1 -a ! "${POWERDNS_AUTH_CONFIG_LOCATION}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no NAME-4236 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check PowerDNS backends" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Checking for PowerDNS backends" FIND=$(${AWKBINARY} -F= '/^launch/ { print $2 }' ${POWERDNS_AUTH_CONFIG_LOCATION}) if HasData "${FIND}"; then for ITEM in ${FIND}; do LogText "Found backend: ${ITEM}" done Display --indent 4 --text "- Checking PowerDNS backends" --result "${STATUS_FOUND}" --color GREEN else LogText "Result: no PowerDNS backends found" Display --indent 4 --text "- Checking PowerDNS backends" --result "${STATUS_NOT_FOUND}" --color YELLOW fi fi # ################################################################################# # # Test : NAME-4238 # Description : Check PowerDNS authoritative status if [ ${POWERDNS_RUNNING} -eq 1 -a -n "${POWERDNS_AUTH_CONFIG_LOCATION}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no NAME-4238 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check PowerDNS authoritative status" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Checking for PowerDNS master status" FIND=$(${GREPBINARY} "^master=yes" ${POWERDNS_AUTH_CONFIG_LOCATION}) if [ -n "${FIND}" ]; then LogText "Found master=yes in configuration file" Display --indent 4 --text "- PowerDNS authoritative master: YES" POWERDNS_AUTH_MASTER=1 else LogText "Result: most likely not master (no master=yes)" Display --indent 4 --text "- PowerDNS authoritative master: NO" fi LogText "Test: Checking for PowerDNS slave status" FIND=$(${GREPBINARY} "^slave=yes" ${POWERDNS_AUTH_CONFIG_LOCATION}) if [ -n "${FIND}" ]; then LogText "Found slave=yes in configuration file" Display --indent 4 --text "- PowerDNS authoritative slave: YES" POWERDNS_AUTH_SLAVE=1 else LogText "Result: most likely not slave (no slave=yes)" Display --indent 4 --text "- PowerDNS authoritative slave: NO" fi fi # ################################################################################# # # Test : NAME-4304 # Description : Check NIS ypbind daemon status Register --test-no NAME-4304 --weight L --network NO --category security --description "Check NIS ypbind status" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Checking status of ypbind daemon" if IsRunning "ypbind"; then LogText "Result: ypbind is running" Display --indent 2 --text "- Checking ypbind status" --result "${STATUS_FOUND}" --color GREEN YPBIND_RUNNING=1 if IsRunning "ypldap"; then LogText "Result: ypldap is running" Display --indent 2 --text "- Checking ypldap status" --result "${STATUS_FOUND}" --color GREEN else ReportSuggestion "Disable the usage of NIS/NIS+ and use an alternative like LDAP or Kerberos instead" fi else LogText "Result: ypbind is not active" if IsVerbose; then Display --indent 2 --text "- Checking ypbind status" --result "${STATUS_NOT_FOUND}" --color WHITE; fi fi fi # ################################################################################# # # Test : NAME-4306 # Description : Check NIS domain # Notes : FreeBSD: sysctl kern.domainname if [ ${YPBIND_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no NAME-4306 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check NIS domain" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Checking $(domainname) for NIS domain value" FIND=$(${DOMAINNAMEBINARY} | ${GREPBINARY} -v "(none)") if [ -n "${FIND}" ]; then LogText "Value: ${FIND}" NISDOMAIN="${FIND}" else LogText "Result: no NIS domain found in command output" fi # Solaris / Linux style LogText "Test: Checking file ${ROOTDIR}etc/defaultdomain" if [ -f ${ROOTDIR}etc/defaultdomain ]; then LogText "Result: file ${ROOTDIR}etc/defaultdomain exists" FIND2=$(cat ${ROOTDIR}etc/defaultdomain) if [ -n "${FIND2}" ]; then LogText "Output: ${FIND2}" NISDOMAIN="${FIND2}" else LogText "Result: no NIS domain found in file" fi fi # Red Hat style LogText "Test: checking ${ROOTDIR}etc/sysconfig/network" if [ -f ${ROOTDIR}etc/sysconfig/network ]; then LogText "Result: file ${ROOTDIR}etc/sysconfig/network exists" LogText "Test: checking NISDOMAIN value in file" FIND3=$(${GREPBINARY} "^NISDOMAIN" ${ROOTDIR}etc/sysconfig/network | ${AWKBINARY} -F= '{ print $2 }' | ${SEDBINARY} 's/"//g') if [ -n "${FIND3}" ]; then LogText "Found NIS domain: ${FIND3}" NISDOMAIN="${FIND3}" else LogText "Result: No NIS domain found in file" fi else LogText "Result: file ${ROOTDIR}etc/sysconfig/network does not exist" fi if [ ! "${SYSCTLBINARY}" = "" ]; then # Check sysctl (e.g. FreeBSD) LogText "Test: checking sysctl for kern.domainname" FIND=$(${SYSCTLBINARY} -a 2>&1 | ${GREPBINARY} "^kern.domainname" | ${AWKBINARY} -F: '{ print $2 }' | ${SEDBINARY} 's/ //g' | ${GREPBINARY} -v "^$") if [ ! "${FIND}" = "" ]; then LogText "Result: found NIS domain via sysctl" NISDOMAIN="${FIND}" fi fi # Check if we found any NIS domain if [ -n "${NISDOMAIN}" ]; then LogText "Found NIS domain: ${NISDOMAIN}" Report "nisdomain=${NISDOMAIN}" Display --indent 4 --text "- Checking NIS domain" --result "${STATUS_FOUND}" --color GREEN else LogText "Result: No NIS domain found" Display --indent 4 --text "- Checking NIS domain" --result "${STATUS_UNKNOWN}" --color YELLOW fi fi # ################################################################################# # if [ -f ${ROOTDIR}etc/hosts ]; then Display --indent 2 --text "- Checking /etc/hosts" else LogText "Result: no /etc/hosts file found" fi # Test : NAME-4402 # Description : Check /etc/hosts configuration if [ -f ${ROOTDIR}etc/hosts ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no NAME-4402 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check duplicate line in /etc/hosts" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: check duplicate line in ${ROOTDIR}etc/hosts" OUTPUT=$(${AWKBINARY} '{ print $1, $2 }' ${ROOTDIR}etc/hosts | ${GREPBINARY} -E -v '^(#|$)' | ${GREPBINARY} -E "[a-f0-9]" | ${SORTBINARY} | ${UNIQBINARY} -d) if [ -z "${OUTPUT}" ]; then LogText "Result: OK, no duplicate lines found" Display --indent 4 --text "- Duplicate entries in hosts file" --result "${STATUS_NONE}" --color GREEN else LogText "Found duplicate line: ${OUTPUT}" LogText "Result: found duplicate line" Display --indent 4 --text "- Duplicate entries in hosts file" --result "${STATUS_FOUND}" --color YELLOW ReportSuggestion "${TEST_NO}" "Remove duplicate lines in ${ROOTDIR}etc/hosts" fi fi # ################################################################################# # # Test : NAME-4404 # Description : Check /etc/hosts contains an entry for this server name if [ -f ${ROOTDIR}etc/hosts ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no NAME-4404 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check /etc/hosts contains an entry for this server name" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Check /etc/hosts contains an entry for this server name" if [ -n "${HOSTNAME}" ]; then DATA=$(${GREPBINARY} -E -v '^(#|$|^::1\s|localhost)' ${ROOTDIR}etc/hosts | ${GREPBINARY} -i ${HOSTNAME}) if [ -n "${DATA}" ]; then LogText "Result: Found entry for ${HOSTNAME} in ${ROOTDIR}etc/hosts" Display --indent 4 --text "- Presence of configured hostname in /etc/hosts" --result "${STATUS_FOUND}" --color GREEN else LogText "Result: No entry found for ${HOSTNAME} in ${ROOTDIR}etc/hosts" Display --indent 4 --text "- Presence of configured hostname in /etc/hosts" --result "${STATUS_NOT_FOUND}" --color YELLOW ReportSuggestion "${TEST_NO}" "Add the IP name and FQDN to /etc/hosts for proper name resolving" LogText "Risk: No entry for the server name [hostname] in /etc/hosts may cause unexpected performance problems for local connections" fi else LogText "Result: Skipping test, no hostname configured" fi fi # ################################################################################# # # Test : NAME-4406 # Description : Check server hostname mapping if [ -n "${HOSTNAME}" -a -f ${ROOTDIR}etc/hosts ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no NAME-4406 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check server hostname mapping" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Check server hostname not locally mapped in ${ROOTDIR}etc/hosts" DATA=$(${GREPBINARY} -E -v '^(#|$)' ${ROOTDIR}etc/hosts | ${GREPBINARY} -E '^(localhost|::1)\s' | ${GREPBINARY} -w ${HOSTNAME}) if [ -n "${DATA}" ]; then LogText "Result: Found this server hostname mapped to a local address" LogText "Output: ${DATA}" Display --indent 4 --text "- Hostname mapped to localhost" --result "${STATUS_FOUND}" --color YELLOW LogText "Information: Linking the hostname to the localhost entry may break some resolving. Split resolving so that localhost resolves back to 127.0.0.1 (and ::1) and the hostname of the machine to the real IP address on the network interface." ReportSuggestion "${TEST_NO}" "Split resolving between localhost and the hostname of the system" else LogText "Result: this server hostname is not mapped to a local address" Display --indent 4 --text "- Hostname mapped to localhost" --result "${STATUS_NOT_FOUND}" --color GREEN fi fi # ################################################################################# # # Test : NAME-4408 # Description : Check localhost entry if [ -n "${GETENT_BINARY}" ]; then PREQS_MET="YES"; SKIPREASON="No getent binary"; else PREQS_MET="NO"; SKIPREASON=""; fi Register --test-no NAME-4408 --preqs-met ${PREQS_MET} --skip-reason "${SKIPREASON}" --weight L --network NO --category security --description "Check localhost entry" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Check server hostname not locally mapped in /etc/hosts" FIND=$(${GETENT_BINARY} hosts localhost | ${AWKBINARY} '{print $1}' | ${SORTBINARY} | ${TRBINARY} -d '\n') if [ "${FIND}" = "127.0.0.1" ]; then LogText "Result: localhost mapped to 127.0.0.1" Display --indent 4 --text "- Localhost mapping to IP address" --result "${STATUS_OK}" --color GREEN Report "localhost-mapped-to=${FIND}" elif [ "${FIND}" = "::1" ]; then LogText "Result: localhost mapped to ::1" Display --indent 4 --text "- Localhost mapping to IP address" --result "${STATUS_OK}" --color GREEN Report "localhost-mapped-to=${FIND}" elif [ "${FIND}" = "127.0.0.1::1" ]; then LogText "Result: localhost mapped to 127.0.0.1 and ::1" Display --indent 4 --text "- Localhost mapping to IP address" --result "${STATUS_OK}" --color GREEN Report "localhost-mapped-to=${FIND}" else LogText "Output: ${FIND}" LogText "Result: this server hostname is not mapped to a local address" Display --indent 4 --text "- Localhost mapping to IP address" --result "${STATUS_SUGGESTION}" --color YELLOW LogText "Information: Ensure that localhost resolves back to 127.0.0.1 (and/or ::1)." ReportSuggestion "${TEST_NO}" "Split resolving between localhost and the hostname of the system" "/etc/hosts" "text:Check your localhost line" fi fi # ################################################################################# # Report "name_cache_used=${NAME_CACHE_USED}" WaitForKeyPress # #================================================================================ # Lynis - Security Auditing and System Hardening for Linux and UNIX - https://cisofy.com