mirror of https://github.com/CISOfy/lynis.git
386 lines
18 KiB
Bash
386 lines
18 KiB
Bash
#!/bin/sh
|
|
|
|
#################################################################################
|
|
#
|
|
# Lynis
|
|
# ------------------
|
|
#
|
|
# Copyright 2007-2015, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
|
|
# Web site: https://cisofy.com
|
|
#
|
|
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
|
|
# welcome to redistribute it under the terms of the GNU General Public License.
|
|
# See LICENSE file for usage of this software.
|
|
#
|
|
#################################################################################
|
|
#
|
|
# Squid
|
|
#
|
|
#################################################################################
|
|
#
|
|
SQUID_DAEMON_CONFIG_LOCS="/etc /etc/squid /etc/squid3 /usr/local/etc/squid /usr/local/squid/etc"
|
|
SQUID_DAEMON_CONFIG=""
|
|
SQUID_DAEMON_UNSAFE_PORTS_LIST="22 23 25"
|
|
SQUID_DAEMON_RUNNING=0
|
|
#
|
|
#################################################################################
|
|
#
|
|
InsertSection "Squid Support"
|
|
#
|
|
#################################################################################
|
|
#
|
|
# Test : SQD-3602
|
|
# Description : Check for a running Squid daemon
|
|
# Notes : Search for squid(3) with a space, to avoid SquidGuard and other
|
|
# programs.
|
|
Register --test-no SQD-3602 --weight L --network NO --description "Check for running Squid daemon"
|
|
if [ ${SKIPTEST} -eq 0 ]; then
|
|
logtext "Test: Searching for a Squid daemon"
|
|
FOUND=0
|
|
# Check running processes
|
|
FIND=`${PSBINARY} ax | egrep "(squid|squid3) " | grep -v "grep"`
|
|
if [ ! "${FIND}" = "" ]; then
|
|
SQUID_DAEMON_RUNNING=1
|
|
logtext "Result: Squid daemon is running"
|
|
Display --indent 2 --text "- Checking running Squid daemon" --result FOUND --color GREEN
|
|
else
|
|
logtext "Result: No running Squid daemon found"
|
|
Display --indent 2 --text "- Checking running Squid daemon" --result "NOT FOUND" --color WHITE
|
|
fi
|
|
fi
|
|
#
|
|
#################################################################################
|
|
#
|
|
# Test : SQD-3604
|
|
# Description : Determine Squid daemon configuration file location
|
|
if [ ${SQUID_DAEMON_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
|
Register --test-no SQD-3604 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check Squid daemon file location"
|
|
if [ ${SKIPTEST} -eq 0 ]; then
|
|
logtext "Test: searching for squid.conf or squid3.conf file"
|
|
for I in ${SQUID_DAEMON_CONFIG_LOCS}; do
|
|
# Checking squid.conf
|
|
if [ -f "${I}/squid.conf" ]; then
|
|
logtext "Result: ${I}/squid.conf exists"
|
|
SQUID_DAEMON_CONFIG="${I}/squid.conf"
|
|
fi
|
|
# Checking squid3.conf
|
|
if [ -f "${I}/squid3.conf" ]; then
|
|
logtext "Result: ${I}/squid3.conf exists"
|
|
SQUID_DAEMON_CONFIG="${I}/squid3.conf"
|
|
fi
|
|
done
|
|
if [ "${SQUID_DAEMON_CONFIG}" = "" ]; then
|
|
logtext "Result: No Squid configuration file found"
|
|
Display --indent 4 --text "- Searching Squid configuration file" --result "NOT FOUND" --color YELLOW
|
|
else
|
|
logtext "Result: using last found configuration file: ${SQUID_DAEMON_CONFIG}"
|
|
Display --indent 4 --text "- Searching Squid configuration" --result FOUND --color GREEN
|
|
fi
|
|
fi
|
|
#
|
|
#################################################################################
|
|
#
|
|
# Test : SQD-3606
|
|
# Description : Check Squid version
|
|
if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! "${SQUID_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
|
Register --test-no SQD-3606 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check Squid version"
|
|
if [ ${SKIPTEST} -eq 0 ]; then
|
|
if [ ! "${SQUIDBINARY}" = "" ]; then
|
|
logtext "Result: Squid binary found (${SQUIDBINARY})"
|
|
# Skip check if a setuid/setgid bit is found
|
|
FIND=`find ${SQUIDBINARY} \( -perm 4000 -o -perm 2000 \) -print`
|
|
if [ "${FIND}" = "" ]; then
|
|
FIND2=`${SQUIDBINARY} -v | awk '{ if ($3=="Version") { print $4 } }'`
|
|
Display --indent 4 --text "- Checking Squid version" --result "FOUND" --color GREEN
|
|
SQUID_VERSION="${FIND2}"
|
|
else
|
|
logtext "Result: test skipped for security reasons, setuid/setgid bit set"
|
|
Display --indent 4 --text "- Checking Squid version" --result "SKIPPED" --color RED
|
|
fi
|
|
else
|
|
logtext "Result: no Squid binary found"
|
|
fi
|
|
fi
|
|
#
|
|
#################################################################################
|
|
#
|
|
# # Test : SQD-3608
|
|
# # Description : Check Squid build options
|
|
# if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! "${SQUID_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
|
# Register --test-no SQD-3608 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check Squid version"
|
|
# if [ ${SKIPTEST} -eq 0 ]; then
|
|
# fi
|
|
#
|
|
#################################################################################
|
|
#
|
|
# Test : SQD-3610
|
|
# Description : Check Squid configuration options
|
|
if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! "${SQUID_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
|
Register --test-no SQD-3610 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check Squid version"
|
|
if [ ${SKIPTEST} -eq 0 ]; then
|
|
logtext "Test: Checking all specific defined options in ${SQUID_DAEMON_CONFIG}"
|
|
FIND=`cat ${SQUID_DAEMON_CONFIG} | grep -v "^#" | grep -v "^$" | ${AWKBINARY} '{gsub("\t"," ");print}' | sed 's/ /!space!/g'`
|
|
for I in ${FIND}; do
|
|
I=`echo ${I} | sed 's/!space!/ /g'`
|
|
logtext "Found Squid option: ${I}"
|
|
report "squid_option=${I}"
|
|
done
|
|
Display --indent 4 --text "- Checking defined Squid options" --result "DONE" --color GREEN
|
|
fi
|
|
#
|
|
#################################################################################
|
|
#
|
|
# # Test : SQD-3612
|
|
# # Description : Check Squid additional configuration files
|
|
# if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! "${SQUID_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
|
# Register --test-no SQD-3612 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check additional Squid configuration files"
|
|
# if [ ${SKIPTEST} -eq 0 ]; then
|
|
# fi
|
|
#
|
|
#################################################################################
|
|
#
|
|
# Test : SQD-3613
|
|
# Description : Check Squid configuration options
|
|
if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! "${SQUID_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
|
Register --test-no SQD-3613 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check Squid file permissions"
|
|
if [ ${SKIPTEST} -eq 0 ]; then
|
|
logtext "Test: Checking file permissions of ${SQUID_DAEMON_CONFIG}"
|
|
FIND=`find ${SQUID_DAEMON_CONFIG} -type f -a \( -perm -004 -o -perm -002 -o -perm -001 \)`
|
|
if [ ! "${FIND}" = "" ]; then
|
|
logtext "Result: file ${SQUID_DAEMON_CONFIG} is world readable, writable or executable and could leak information or passwords"
|
|
Display --indent 4 --text "- Checking Squid configuration file permissions" --result WARNING --color RED
|
|
ReportSuggestion ${TEST_NO} "Check file permissions of ${SQUID_DAEMON_CONFIG} to limit access"
|
|
ReportWarning ${TEST_NO} "M" "File permissions of ${SQUID_DAEMON_CONFIG} are not restrictive"
|
|
AddHP 0 2
|
|
else
|
|
logtext "Result: file ${SQUID_DAEMON_CONFIG} has proper file permissions"
|
|
Display --indent 4 --text "- Checking Squid configuration file permissions" --result OK --color GREEN
|
|
AddHP 2 2
|
|
fi
|
|
fi
|
|
#
|
|
#################################################################################
|
|
#
|
|
if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! "${SQUID_DAEMON_CONFIG}" = "" ]; then
|
|
Display --indent 4 --text "- Checking Squid access control"
|
|
fi
|
|
#
|
|
#################################################################################
|
|
#
|
|
# Test : SQD-3614
|
|
# Description : Check Squid authentication
|
|
if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! "${SQUID_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
|
Register --test-no SQD-3614 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check Squid authentication methods"
|
|
if [ ${SKIPTEST} -eq 0 ]; then
|
|
logtext "Test: check auth_param option for authentication methods"
|
|
FIND=`grep "^auth_param" ${SQUID_DAEMON_CONFIG} | awk '{ print $2 }'`
|
|
if [ "${FIND}" = "" ]; then
|
|
logtext "No auth_param option found, proxy access anonymous or based on other methods (like ACLs)"
|
|
Display --indent 6 --text "- Checking Squid authentication methods" --result "NONE" --color YELLOW
|
|
else
|
|
Display --indent 6 --text "- Checking Squid authentication methods" --result "FOUND" --color GREEN
|
|
for I in ${FIND}; do
|
|
logtext "Result: found authentication method ${I}"
|
|
report "squid_auth_method=${I}"
|
|
done
|
|
fi
|
|
fi
|
|
#
|
|
#################################################################################
|
|
#
|
|
# Test : SQD-3616
|
|
# Description : Check external Squid authentication
|
|
if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! "${SQUID_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
|
Register --test-no SQD-3616 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check external Squid authentication"
|
|
if [ ${SKIPTEST} -eq 0 ]; then
|
|
logtext "Test: check external_acl_type option for external authentication helpers"
|
|
FIND=`grep "^external_acl_type" ${SQUID_DAEMON_CONFIG}`
|
|
if [ "${FIND}" = "" ]; then
|
|
logtext "No external_acl_type found"
|
|
Display --indent 6 --text "- Checking Squid external authentication methods" --result "NONE" --color YELLOW
|
|
else
|
|
Display --indent 6 --text "- Checking Squid external authentication methods" --result "FOUND" --color GREEN
|
|
for I in ${FIND}; do
|
|
logtext "Result: found external authentication method helper"
|
|
logtext "Output: ${FIND}"
|
|
#report "squid_external_acl_type=TRUE"
|
|
done
|
|
fi
|
|
fi
|
|
#
|
|
#################################################################################
|
|
#
|
|
# Test : SQD-3620
|
|
# Description : Check ACLs
|
|
if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! "${SQUID_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
|
Register --test-no SQD-3620 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check Squid access control lists"
|
|
if [ ${SKIPTEST} -eq 0 ]; then
|
|
N=0
|
|
logtext "Test: checking ACLs"
|
|
FIND=`grep "^acl " ${SQUID_DAEMON_CONFIG} | sed 's/ /!space!/g'`
|
|
if [ "${FIND}" = "" ]; then
|
|
logtext "Result: No ACLs found"
|
|
Display --indent 6 --text "- Checking Access Control Lists" --result "NONE" --color RED
|
|
else
|
|
for I in ${FIND}; do
|
|
N=`expr ${N} + 1`
|
|
I=`echo ${I} | sed 's/!space!/ /g'`
|
|
logtext "Found ACL: ${I}"
|
|
#report "squid_acl=${I}"
|
|
done
|
|
logtext "Result: Found ${N} ACLs"
|
|
Display --indent 6 --text "- Checking Access Control Lists" --result "${N} ACLs FOUND" --color GREEN
|
|
fi
|
|
fi
|
|
#
|
|
#################################################################################
|
|
#
|
|
# Test : SQD-3624 [T]
|
|
# Description : Check unsecure ports in Safe_ports list
|
|
if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! "${SQUID_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
|
Register --test-no SQD-3624 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check Squid safe ports"
|
|
if [ ${SKIPTEST} -eq 0 ]; then
|
|
N=0
|
|
logtext "Test: checking ACL Safe_ports http_access option"
|
|
FIND=`grep "^http_access" ${SQUID_DAEMON_CONFIG} | grep "Safe_ports"`
|
|
if [ "${FIND}" = "" ]; then
|
|
logtext "Result: no Safe_ports found"
|
|
Display --indent 6 --text "- Checking ACL 'Safe_ports' http_access option" --result "NOT FOUND" --color YELLOW
|
|
ReportSuggestion ${TEST_NO} "Check if Squid has been configured to restrict access to all safe ports"
|
|
else
|
|
logtext "Result: checking ACL safe ports"
|
|
FIND2=`grep "^acl Safe_ports port" ${SQUID_DAEMON_CONFIG} | awk '{ print $4 }'`
|
|
if [ "${FIND2}" = "" ]; then
|
|
Display --indent 6 --text "- Checking ACL 'Safe_ports' ports" --result "NONE FOUND" --color YELLOW
|
|
ReportSuggestion ${TEST_NO} "Check if Squid has been configured for which ports it can allow outgoing traffic (Safe_ports)"
|
|
AddHP 0 1
|
|
else
|
|
logtext "Result: Safe_ports found"
|
|
for I in ${FIND}; do
|
|
logtext "Found safe port: ${I}"
|
|
done
|
|
Display --indent 6 --text "- Checking ACL 'Safe_ports' ports" --result "FOUND" --color GREEN
|
|
AddHP 1 1
|
|
fi
|
|
#SQUID_DAEMON_UNSAFE_PORTS_LIST
|
|
for I in ${SQUID_DAEMON_UNSAFE_PORTS_LIST}; do
|
|
logtext "Test: Checking port ${I} in Safe_ports list"
|
|
FIND2=`grep -w "^acl Safe_ports port ${I}" ${SQUID_DAEMON_CONFIG}`
|
|
if [ "${FIND2}" = "" ]; then
|
|
Display --indent 6 --text "- Checking ACL 'Safe_ports' (port ${I})" --result "NOT FOUND" --color GREEN
|
|
AddHP 1 1
|
|
else
|
|
Display --indent 6 --text "- Checking ACL 'Safe_ports' (port ${I})" --result "FOUND" --color RED
|
|
ReportWarning ${TEST_NO} "H" "Squid configuration possibly allows relaying traffic via configured Safe_port ${I}"
|
|
AddHP 0 1
|
|
fi
|
|
done
|
|
fi
|
|
fi
|
|
#
|
|
#################################################################################
|
|
#
|
|
if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! "${SQUID_DAEMON_CONFIG}" = "" ]; then
|
|
Display --indent 4 --text "- Checking Squid Denial of Service tuning options"
|
|
fi
|
|
#
|
|
#################################################################################
|
|
#
|
|
# Test : SQD-3630 [T]
|
|
# Description : Check reply_body_max_size value
|
|
if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! "${SQUID_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
|
Register --test-no SQD-3630 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check Squid reply_body_max_size option"
|
|
if [ ${SKIPTEST} -eq 0 ]; then
|
|
N=0
|
|
logtext "Test: checking option reply_body_max_size"
|
|
FIND=`grep "^reply_body_max_size " ${SQUID_DAEMON_CONFIG} | sed 's/ /!space!/g'`
|
|
if [ "${FIND}" = "" ]; then
|
|
logtext "Result: option reply_body_max_size not configured"
|
|
Display --indent 6 --text "- Checking option: reply_body_max_size" --result "NONE" --color RED
|
|
AddHP 1 2
|
|
ReportSuggestion ${TEST_NO} "Configure Squid option reply_body_max_size to limit the upper size of requests."
|
|
else
|
|
logtext "Result: option reply_body_max_size configured"
|
|
logtext "Output: ${FIND}"
|
|
Display --indent 6 --text "- Checking option: reply_body_max_size" --result "FOUND" --color GREEN
|
|
AddHP 2 2
|
|
fi
|
|
fi
|
|
#
|
|
#################################################################################
|
|
#
|
|
if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! "${SQUID_DAEMON_CONFIG}" = "" ]; then
|
|
Display --indent 4 --text "- Checking Squid general options"
|
|
fi
|
|
#
|
|
#################################################################################
|
|
#
|
|
|
|
# Test : SQD-3680
|
|
# Description : Check httpd_suppress_version_string
|
|
if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! "${SQUID_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
|
Register --test-no SQD-3680 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check Squid version suppresion"
|
|
if [ ${SKIPTEST} -eq 0 ]; then
|
|
FIND=`grep "^httpd_suppress_version_string " ${SQUID_DAEMON_CONFIG} | grep " on"`
|
|
if [ "${FIND}" = "" ]; then
|
|
logtext "Result: option httpd_suppress_version_string not configured"
|
|
Display --indent 6 --text "- Checking option: httpd_supress_version_string" --result "NOT FOUND" --color YELLOW
|
|
AddHP 1 2
|
|
ReportSuggestion ${TEST_NO} "Configure Squid option httpd_suppress_version_string (on) to suppress the version."
|
|
else
|
|
logtext "Result: option httpd_suppress_version_string configured"
|
|
logtext "Output: ${FIND}"
|
|
Display --indent 6 --text "- Checking option: httpd_suppress_version_string" --result "FOUND" --color GREEN
|
|
AddHP 2 2
|
|
fi
|
|
fi
|
|
#
|
|
#################################################################################
|
|
#
|
|
|
|
|
|
# Squid
|
|
#Hardening:
|
|
# $1 $3
|
|
# acl snmp_community
|
|
# acl maxconn
|
|
# acl max_user_ip
|
|
#
|
|
# follow_x_forwarded_for
|
|
#Read cache_peer host type(sibling/parent) proxyport icpport options (if set, icp_access should be set as well)
|
|
#Read cache_peer_domain
|
|
#Read cache_peer_access
|
|
#Read icp_access
|
|
#Read icp_port
|
|
#Read htcp_access
|
|
#Read htcp_port
|
|
#Read http_port
|
|
#Read https_port
|
|
#Read cache_dir
|
|
#Read access_log
|
|
#Read coredump_dir
|
|
#Read quick_abort_min / max /pct
|
|
#
|
|
# Memory tuning
|
|
#Read cache_mem
|
|
#Read maximum_object_size_in_memory
|
|
#Read maximum_object_size
|
|
#Read cache_swap_low
|
|
#Read cache_swap_high
|
|
|
|
# Security
|
|
#cache_effective_user
|
|
# off
|
|
#forwarded_for
|
|
|
|
#wccp
|
|
#
|
|
#################################################################################
|
|
#
|
|
|
|
wait_for_keypress
|
|
|
|
#
|
|
#================================================================================
|
|
# Lynis - Copyright 2007-2015 Michael Boelen, CISOfy - https://cisofy.com
|