mirror of https://github.com/CISOfy/lynis.git
74 lines
3.4 KiB
Bash
74 lines
3.4 KiB
Bash
#!/bin/sh
|
|
|
|
#################################################################################
|
|
#
|
|
# Lynis
|
|
# ------------------
|
|
#
|
|
# Copyright 2007-2013, Michael Boelen
|
|
# Copyright 2007-2021, CISOfy
|
|
#
|
|
# Website : https://cisofy.com
|
|
# Blog : http://linux-audit.com
|
|
# GitHub : https://github.com/CISOfy/lynis
|
|
#
|
|
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
|
|
# welcome to redistribute it under the terms of the GNU General Public License.
|
|
# See LICENSE file for usage of this software.
|
|
#
|
|
#################################################################################
|
|
#
|
|
# DNS
|
|
#
|
|
#################################################################################
|
|
#
|
|
# # TODO create records on test domain
|
|
# # TODO after update even IP match can be checked to detect hijacking
|
|
# SIGOKDNS="sigok.example.org" # address with good DNSSEC signature
|
|
# SIGFAILDNS="sigfail.example.org" # address with bad DNSSEC signature
|
|
# TIMEOUT=";; connection timed out; no servers could be reached"
|
|
#
|
|
#################################################################################
|
|
#
|
|
# InsertSection "DNS"
|
|
#
|
|
#################################################################################
|
|
#
|
|
# # Test : DNS-1600
|
|
# # Description : Validate DNSSEC signature is checked
|
|
# Register --test-no DNS-1600 --weight L --network YES --category security --description "Validate DNSSEC igniture is checked"
|
|
# if [ "${SKIPTEST}" -eq 0 ]; then
|
|
# if [ -n "${DIGBINARY}" ]; then
|
|
#
|
|
# GOOD=$("${DIGBINARY}" +short +time=1 $SIGOKDNS)
|
|
# BAD=$("${DIGBINARY}" +short +time=1 $SIGFAILDNS)
|
|
#
|
|
# if [ "${GOOD}" = "${TIMEOUT}" -a "${BAD}" = "${TIMEOUT}" ]; then
|
|
# LogText "Result: received timeout, can't determine DNSSEC validation"
|
|
# Display --indent 4 --text "- Checking DNSSEC validation" --result "${STATUS_UNKNOWN}" --color YELLOW
|
|
# #ReportException "${TEST_NO}" "Exception found, both query failed, due to connection timeout"
|
|
# elif [ -z "${GOOD}" -a -n "${BAD}" ]; then
|
|
# LogText "Result: good signature failed, yet bad signature was accepted"
|
|
# Display --indent 4 --text "- Checking DNSSEC validation" --result "${STATUS_UNKNOWN}" --color YELLOW
|
|
# #ReportException "${TEST_NO}" "Exception found, OK failed, bad signature was accepted"
|
|
# elif [ -n "${GOOD}" -a -n "${BAD}" ]; then
|
|
# Display --indent 4 --text "- Checking DNSSEC validation" --result "${STATUS_SUGGESTION}" --color YELLOW
|
|
# LogText "Note: Using DNSSEC validation can protect from DNS hijacking"
|
|
# #ReportSuggestion "${TEST_NO}" "Altered DNS queries are accepted, configure DNSSEC validating name servers"
|
|
# AddHP 2 2
|
|
# elif [ -n "${GOOD}" -a -z "${BAD}" ]; then
|
|
# Display --indent 4 --text "- Checking DNSSEC validation" --result "${STATUS_OK}" --color GREEN
|
|
# LogText "Result: altered DNS responses were ignored"
|
|
# AddHP 0 2
|
|
# fi
|
|
# else
|
|
# Display --indent 4 --text "- DNSSEC validation" --result "${STATUS_SKIPPED}" --color YELLOW
|
|
# LogText "Result: dig not installed, test can't be fully performed"
|
|
# fi
|
|
# else
|
|
# LogText "Result: Test was skipped"
|
|
# fi
|
|
#
|
|
#################################################################################
|
|
#
|