pyllyukko 4d5b41cb4e plugin_krb5_phase1: Added few more tests
* Check that admin principals have disallow_tgt_based attribute
* Check that regular user principals have requires_pre_auth and
  disallow_svr attributes
* Check for weak crypto
    * Use kdb5_util for this
2024-05-15 21:52:30 +03:00


#!/bin/sh
#########################################################################
#
# * DO NOT REMOVE *
#-----------------------------------------------------
# PLUGIN_AUTHOR="pyllyukko"
# PLUGIN_CATEGORY=security
# PLUGIN_DATE=2024-02-14
# PLUGIN_DESC=Kerberos
# PLUGIN_NAME=krb5
# PLUGIN_REQUIRED_TESTS=
# PLUGIN_VERSION=0.2
#-----------------------------------------------------
#
#########################################################################
#
# Test for the prerequisites first
# Prerequisites: both kadmin.local and kdb5_util must have been located by
# the binary detection, and listprincs must return at least one principal.
PREQS_MET="NO"
if [ -n "${KADMINLOCALBINARY}" ] && [ -n "${KDB5UTILBINARY}" ]
then
    # Make sure krb5 debugging doesn't mess up the output
    unset KRB5_TRACE
    # One space-separated line of principal names, consumed by the for loops below
    PRINCS="$(${KADMINLOCALBINARY} listprincs | ${TRBINARY:-tr} '\n' ' ')"
    if [ -n "${PRINCS}" ]
    then
        PREQS_MET="YES"
    fi
fi
# Test : KRB5-0001
# Description : Check that Kerberos principals have passwords that expire
# Reports every principal whose getprinc output shows "[never]" as the
# password expiration date.
Register --test-no KRB5-0001 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check that Kerberos principals have passwords that expire" --progress
if [ ${SKIPTEST} -eq 0 ]; then
    for I in ${PRINCS}
    do
        # Only the "Password expiration date:" line of the getprinc output is relevant
        FIND="$(${KADMINLOCALBINARY} getprinc "${I}" | ${GREPBINARY} '^Password expiration date:')"
        case "${FIND}" in
            "Password expiration date: [never]")
                LogText "Result: Kerberos principal ${I} has a password/key that never expires"
                ;;
        esac
    done
fi
#
#################################################################################
#
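# Test : KRB5-0002
# Description : Check last password change for Kerberos principals
# Flags principals whose key was never changed, or was last changed more
# than a year before NOW (epoch seconds; assumed to be set by the caller).
Register --test-no KRB5-0002 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check last password change for Kerberos principals" --progress
if [ ${SKIPTEST} -eq 0 ]; then
    for I in ${PRINCS}
    do
        # Timestamp text after "Last password change:" (\s and \+ are GNU sed syntax)
        FIND="$(${KADMINLOCALBINARY} getprinc "${I}" | ${SEDBINARY} -n '/^Last password change:\s\+/s/^Last password change:\s\+//p')"
        if [ "${FIND}" = "[never]" ]
        then
            LogText "Result: Kerberos principal ${I} has a password/key that has never been changed"
        else
            # 'date -d' is GNU-specific; an unparsable or unsupported value leaves J
            # empty, so guard the numeric comparison instead of letting '[' fail
            J="$(date -d "${FIND}" +%s 2> /dev/null)"
            if [ -z "${J}" ]
            then
                LogText "Result: could not parse last password change '${FIND}' for Kerberos principal ${I}"
            elif [ "${J}" -lt $((NOW - 60 * 60 * 24 * 365)) ]
            then
                LogText "Result: Kerberos principal ${I} has had a password/key change over a year ago"
            fi
        fi
    done
fi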
#
#################################################################################
#
# Test : KRB5-0003
# Description : Check that Kerberos principals have a policy associated to them
# Reports every principal whose getprinc output shows "Policy: [none]".
Register --test-no KRB5-0003 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check that Kerberos principals have a policy associated to them" --progress
if [ ${SKIPTEST} -eq 0 ]; then
    for I in ${PRINCS}
    do
        # Only the "Policy:" line of the getprinc output is relevant
        FIND="$(${KADMINLOCALBINARY} getprinc "${I}" | ${GREPBINARY} '^Policy:')"
        case "${FIND}" in
            "Policy: [none]")
                LogText "Result: Kerberos principal ${I} does not have a policy associated to it"
                ;;
        esac
    done
fi
#
#################################################################################
#
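# Test : KRB5-0004
# Description : Check various attributes for Kerberos principals
# Classifies each principal by its name and checks the flags printed on the
# "Attributes:" line of getprinc:
#   * K/M, kadmin/admin, kadmin/changepw, krbtgt/*  : LOCKDOWN_KEYS
#   * */admin@*                                     : DISALLOW_TGT_BASED
#   * plain user principals (no '/' or '$' in name) : REQUIRES_PRE_AUTH and DISALLOW_SVR
Register --test-no KRB5-0004 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check various attributes for Kerberos principals" --progress
if [ ${SKIPTEST} -eq 0 ]; then
    for I in ${PRINCS}
    do
        # Text after "Attributes:" (\s and \+ are GNU sed syntax)
        J="$(${KADMINLOCALBINARY} getprinc "${I}" | ${SEDBINARY} -n 's/^Attributes:\s\+\(.\+\)$/\1/p')"
        if ContainsString "^K/M@" "${I}" || \
           ContainsString "^kadmin/admin@" "${I}" || \
           ContainsString "^kadmin/changepw@" "${I}" || \
           ContainsString "^krbtgt/" "${I}"
        then
            if ! ContainsString "\bLOCKDOWN_KEYS\b" "${J}"
            then
                LogText "Result: Sensitive Kerberos principal ${I} does not have the lockdown_keys attribute"
            fi
        elif ContainsString "/admin@" "${I}"
        then
            if ! ContainsString "\bDISALLOW_TGT_BASED\b" "${J}"
            then
                LogText "Result: Kerberos admin principal ${I} does not have the disallow_tgt_based attribute"
            fi
        elif ContainsString "^[^/$]+@" "${I}"
        then
            # Check the two flags independently so the result does not depend on
            # the order in which kadmin prints them on the Attributes line
            if ! ContainsString "\bREQUIRES_PRE_AUTH\b" "${J}" || ! ContainsString "\bDISALLOW_SVR\b" "${J}"
            then
                LogText "Result: Regular Kerberos user principal ${I} does not have the requires_pre_auth and/or the disallow_svr attribute"
            fi
        fi
    done
fi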
#
#################################################################################
#
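# Test : KRB5-0005
# Description : Check for weak crypto
# Reports every stored key whose enctype name mentions des, arcfour (RC4),
# cbc or sha1, as listed by 'kdb5_util tabdump keyinfo'.
Register --test-no KRB5-0005 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check for weak crypto" --progress
if [ ${SKIPTEST} -eq 0 ]; then
    # Column 1 is taken as the principal and column 4 as the enctype of the
    # tabdump keyinfo output — confirm against the local kdb5_util version
    FIND=$(${KDB5UTILBINARY} tabdump keyinfo | ${AWKBINARY} '$4 ~ /(des|arcfour|cbc|sha1)/{print$1,$4}')
    # Only iterate when something matched: an empty here-document still yields
    # one blank line, which 'read' accepts and would log an empty principal
    if [ -n "${FIND}" ]
    then
        while read -r I J
        do
            LogText "Result: Kerberos principal ${I} has a key with weak cryptographic algorithm ${J}"
        done << EOF
${FIND}
EOF
    fi
fi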
#
#################################################################################
#
# Drop the plugin's working variables so they do not leak into later tests
unset PRINCS I J
#EOF