lynis/include/tests_dns

74 lines
3.4 KiB
Bash

#!/bin/sh
#################################################################################
#
# Lynis
# ------------------
#
# Copyright 2007-2013, Michael Boelen
# Copyright 2007-2019, CISOfy
#
# Website : https://cisofy.com
# Blog : http://linux-audit.com
# GitHub : https://github.com/CISOfy/lynis
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
# See LICENSE file for usage of this software.
#
#################################################################################
#
# DNS
#
#################################################################################
#
# # TODO create records on test domain
# # TODO after update even IP match can be checked to detect hijacking
# SIGOKDNS="sigok.example.org" # adress with good DNSSEC signature
# SIGFAILDNS="sigfail.example.org" # adress with bad DNSSEC signature
# TIMEOUT=";; connection timed out; no servers could be reached"
#
#################################################################################
#
# InsertSection "DNS"
#
#################################################################################
#
# # Test : DNS-1600
# # Description : Validate DNSSEC signiture is checked
# Register --test-no DNS-1600 --weight L --network YES --category security --description "Validate DNSSEC igniture is checked"
# if [ "${SKIPTEST}" -eq 0 ]; then
# if [ ! -z "${DIGBINARY}" ]; then
#
# GOOD=$("${DIGBINARY}" +short +time=1 $SIGOKDNS)
# BAD=$("${DIGBINARY}" +short +time=1 $SIGFAILDNS)
#
# if [ "${GOOD}" = "${TIMEOUT}" -a "${BAD}" = "${TIMEOUT}" ]; then
# LogText "Result: received timeout, can't determine DNSSEC validation"
# Display --indent 4 --text "- Checking DNSSEC validation" --result "${STATUS_UNKOWN}" --color YELLOW
# #ReportException "${TEST_NO}" "Exception found, both query failed, due to connection timeout"
# elif [ -z "${GOOD}" -a ! -z "${BAD}" ]; then
# LogText "Result: good signature failed, yet bad signature was accepted"
# Display --indent 4 --text "- Checking DNSSEC validation" --result "${STATUS_UNKOWN}" --color YELLOW
# #ReportException "${TEST_NO}" "Exception found, OK failed, bad signature was accepted"
# elif [ ! -z "${GOOD}" -a ! -z "${BAD}" ]; then
# Display --indent 4 --text "- Checking DNSSEC validation" --result "${STATUS_SUGGESTION}" --color YELLOW
# LogText "Note: Using DNSSEC validation can protect from DNS hijacking"
# #ReportSuggestion "${TEST_NO}" "Altered DNS queries are accepted, configure DNSSEC valdating name servers"
# AddHP 2 2
# elif [ ! -z "${GOOD}" -a -z "${BAD}" ]; then
# Display --indent 4 --text "- Checking DNSSEC validation" --result "${STATUS_OK}" --color GREEN
# LogText "Result: altered DNS responses were ignored"
# AddHP 0 2
# fi
# else
# Display --indent 4 --text "- DNSSEC validation" --result "${STATUS_SKIPPED}" --color YELLOW
# LogText "Result: dig not installed, test can't be fully performed"
# fi
# else
# LogText "Result: Test was skipped"
# fi
#
#################################################################################
#