tyler.durden/lynis
1
0
Fork 0
mirror of https://github.com/CISOfy/lynis.git synced 2025-04-08 17:15:25 +02:00
Code Issues Packages Projects Releases Wiki Activity
lynis/include/tests_webservers
BlessJah d7d42d9103 remove non printable characters from code (#470) 
Non printable ESC character is required to obtain terminal escape
sequence i.e. for changing output color.

Such sequences (especially ESC character) were replaced by command
substitution producing exactly same result (variable value), but using
only "safe" characters.

Use of printf and especialy '\033' or '\0ddd' sequences is described
here:
http://pubs.opengroup.org/onlinepubs/9699919799/utilities/printf.html#tag_20_94_13

Use of $(command) or command substitution is described here:
http://pubs.opengroup.org/onlinepubs/9699919799/utilities/V3_chap02.html#tag_18_06_03

Verbatim TAB characters were replaced with \t escape sequence as
described to avoid problems with editors silently replacing them or
developer accidentialy messing up the regex.
2018-01-17 17:12:36 +01:00

619 lines
31 KiB
Bash
Raw Permalink Blame History

#!/bin/sh
#################################################################################
#
# Lynis
# ------------------
#
# Copyright 2007-2013, Michael Boelen
# Copyright 2007-2018, CISOfy
#
# Website : https://cisofy.com
# Blog : http://linux-audit.com
# GitHub : https://github.com/CISOfy/lynis
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
# See LICENSE file for usage of this software.
#
#################################################################################
#
# Software: webserver
#
#################################################################################
#
InsertSection "Software: webserver"
#
#################################################################################
#
# Reset Apache status
APACHE_INSTALLED=0
APACHE_MODULES_ENABLED_LOCS="${ROOTDIR}etc/apache2/mods-enabled"
APACHE_MODULES_LOCS="${ROOTDIR}etc/httpd/modules ${ROOTDIR}opt/local/apache2/modules ${ROOTDIR}usr/lib/apache ${ROOTDIR}usr/lib/apache2 ${ROOTDIR}usr/lib/httpd/modules ${ROOTDIR}usr/libexec/apache2 ${ROOTDIR}usr/lib64/apache2 ${ROOTDIR}usr/lib64/apache2/modules ${ROOTDIR}usr/lib64/httpd/modules ${ROOTDIR}usr/local/libexec/apache ${ROOTDIR}usr/local/libexec/apache22"
NGINX_RUNNING=0
NGINX_CONF_LOCS="${ROOTDIR}etc/nginx ${ROOTDIR}usr/local/etc/nginx ${ROOTDIR}usr/local/nginx/conf"
NGINX_CONF_LOCATION=""
NGINX_CONF_FILES=""
NGINX_CONF_FILES_ADDITIONS=""
#
#################################################################################
#
sTEST_APACHE_TARGETS="${ROOTDIR}etc/apache ${ROOTDIR}etc/apache2 ${ROOTDIR}etc/httpd \
${ROOTDIR}opt/apache \
${ROOTDIR}usr/local/apache ${ROOTDIR}usr/local/apache2 \
${ROOTDIR}usr/local/etc/apache ${ROOTDIR}usr/local/etc/apache2 ${ROOTDIR}usr/local/etc/apache22 \
${ROOTDIR}usr/pkg/etc/httpd ${ROOTDIR}etc/sysconfig/apache2"
CreateTempFile || ExitFatal
TMPFILE="${TEMP_FILE}"
CreateTempFile || ExitFatal
TMPFILE2="${TEMP_FILE}"
#
#################################################################################
#
# Test : HTTP-6622
# Description : Test for Apache installation
# Notes : Do not run on NetBSD, -v is unknown option for httpd binary
# On OpenBSD do not run /usr/sbin/httpd with -v: builtin non-Apache
if [ ! "${OS}" = "NetBSD" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no HTTP-6622 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking Apache presence"
if [ ${SKIPTEST} -eq 0 ]; then
if [ "${OS}" = "OpenBSD" -a "${HTTPDBINARY}" = "/usr/sbin/httpd" ]; then HTTPDBINARY=""; fi
if IsEmpty "${HTTPDBINARY}"; then
Display --indent 2 --text "- Checking Apache" --result "${STATUS_NOT_FOUND}" --color WHITE
else
LogText "Test: Scanning for Apache binary"
IS_APACHE=$(${HTTPDBINARY} -v 2> /dev/null | ${EGREPBINARY} '[aA]pache')
if IsEmpty "${IS_APACHE}"; then
LogText "Result: ${HTTPDBINARY} is not Apache"
Display --indent 2 --text "- Checking Apache (binary ${HTTPDBINARY})" --result "NO MATCH" --color WHITE
else
Display --indent 2 --text "- Checking Apache (binary ${HTTPDBINARY})" --result "${STATUS_FOUND}" --color GREEN
LogText "Result: ${HTTPDBINARY} seems to be Apache HTTP daemon"
APACHE_INSTALLED=1
APACHE_VERSION=$(${HTTPDBINARY} -v 2> /dev/null | ${GREPBINARY} "^Server version:" | ${AWKBINARY} '{ print $3 }' | ${AWKBINARY} -F/ '{ print $2 }')
LogText "Apache version: ${APACHE_VERSION}"
Report "apache_version=${APACHE_VERSION}"
fi
fi
fi
#
#################################################################################
#
# Test : HTTP-6624
# Description : Testing main Apache configuration file
# Notes : Do not run on OpenBSD/NetBSD, as -V is an unknown option for httpd binary
if [ ${APACHE_INSTALLED} -eq 1 ]; then
if [ ! "${OS}" = "NetBSD" -a ! "${OS}" = "OpenBSD" ]; then
PREQS_MET="YES"
else
PREQS_MET="NO"
fi
else
PREQS_MET="NO"
fi
Register --test-no HTTP-6624 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Testing main Apache configuration file"
if [ ${SKIPTEST} -eq 0 ]; then
APACHE_CONFIGFILE=""
APACHE_TEST=$(${HTTPDBINARY} -V 2> /dev/null | ${GREPBINARY} "\-D SERVER_CONFIG_FILE=" | ${SEDBINARY} 's/[ ]-D SERVER_CONFIG_FILE=//' | ${TRBINARY} -d '"' | ${TRBINARY} -d ' ' | ${TRBINARY} -d '[:cntrl:]')
if IsEmpty "${APACHE_TEST}"; then
LogText "Result: Can't find the configuration file, so skipping some Apache related tests"
else
# We found a possible match. Checking if it's valid filename. If not, we need to add a prefix
if [ -f ${APACHE_TEST} ]; then
APACHE_CONFIGFILE="${APACHE_TEST}"
Display --indent 6 --text "Info: Configuration file found (${APACHE_CONFIGFILE})"
else
# Probably the prefix is missing, so we are going to search that
APACHE_HTTPDROOT=$(${HTTPDBINARY} -V 2> /dev/null | ${GREPBINARY} "\-D HTTPD_ROOT=" | ${SEDBINARY} 's/[ ]-D HTTPD_ROOT=//' | ${TRBINARY} -d '"' | ${TRBINARY} -d ' ')
APACHE_TESTFILE="${APACHE_HTTPDROOT}/${APACHE_TEST}"
if [ -f ${APACHE_TESTFILE} ]; then
APACHE_CONFIGFILE="${APACHE_TESTFILE}"
Display --indent 6 --text "Info: Configuration file found (${APACHE_CONFIGFILE})"
LogText "Result: Configuration file found (${APACHE_CONFIGFILE})"
else
LogText "Result: File or directory ${APACHE_CONFIGFILE} does not exist"
Display --indent 6 --text "[Notice] possible directory/file parts found, but still unsure what the real configuration file is. Skipping some Apache related tests"
ReportException "${TEST_NO}:1" "Found some unknown directory or file references in Apache configuration"
fi
fi
fi
fi
#
#################################################################################
#
# Test : HTTP-6626
# Description : Testing other Apache configuration files
if [ ${APACHE_INSTALLED} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no HTTP-6626 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Testing other Apache configuration file"
if [ ${SKIPTEST} -eq 0 ]; then
for DIR in ${sTEST_APACHE_TARGETS}; do
if [ -d ${DIR} ]; then
find ${DIR} -name "*.conf" -print >> ${TMPFILE2}
fi
done
# Sort unsorted list, save it in temp file and then remove unsorted list
if [ -f ${TMPFILE2} ]; then
${SORTBINARY} -u ${TMPFILE2} >> ${TMPFILE}
rm -f ${TMPFILE2}
fi
cVHOSTS=0; tVHOSTS=""
# Check every configuration file
for I in $(cat ${TMPFILE}); do
LogText "Apache config file: ${I}"
FileIsReadable ${I}
if [ ${CANREAD} -eq 1 ]; then
# Search Virtual Hosts
for J in $(${GREPBINARY} "ServerName" ${I} | ${GREPBINARY} -v "^#" | ${AWKBINARY} '{ if ($1=="ServerName" && $2!="*" && $2!="default") print $2 }'); do
if HasData "${J}"; then
tVHOSTS="${tVHOSTS} ${J}"
cVHOSTS=$((cVHOSTS + 1))
fi
done
# Search Server aliases
for J in $(${GREPBINARY} "ServerAlias" ${I} | ${GREPBINARY} -v "^#" | ${SEDBINARY} "s/\s*ServerAlias //g" | ${SEDBINARY} "s/#.*//g"); do
if [ ! -z ${J} ]; then
tVHOSTS="${tVHOSTS} ${J}"
cVHOSTS=$((cVHOSTS + 1))
fi
done
else
LogText "Result: can not read configuration file with this user ID"
ReportException "${TEST_NO}:1" "Can not read configuration file $I"
fi
done
# Log all virtual hosts we found
for J in ${tVHOSTS}; do
if [ ! -z ${J} ]; then
LogText "Virtual host: ${J}"
Report "apache_vhost_name[]=${J}"
fi
done
# Show number of vhosts if we found any
LogText "Result: found ${cVHOSTS} virtual hosts"
if [ ${cVHOSTS} -gt 0 ]; then
Display --indent 6 --text "Info: Found ${cVHOSTS} virtual hosts"
else
Display --indent 6 --text "Info: No virtual hosts found"
fi
fi
# Remove temp files
if [ -f ${TMPFILE} -a ! -z "${TMPFILE}" ]; then
rm -f ${TMPFILE}
fi
if [ ! -z "${TMPFILE2}" ]; then if [ -f ${TMPFILE2} ]; then rm -f ${TMPFILE2}; fi; fi
#
#################################################################################
#
# TODO
# Do you have Apache running and want to contribute? Help us testing this control and send in a pull request
# Test : HTTP-6630
# Description : Search for all loaded modules
#if [ ${APACHE_INSTALLED} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
#Register --test-no HTTP-6630 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Determining all loaded Apache modules"
#if [ ${SKIPTEST} -eq 0 ]; then
# # Testing Debian style
# LogText "Test: searching loaded/enabled Apache modules"
# apachectl -t -D DUMP_MODULES 2>&1 | ${EGREPBINARY} -v "(Loaded Modules|Syntax OK)" | ${SEDBINARY} 's/(\(shared\|static\))//' | ${SEDBINARY} 's/ //'
# for I in ${APACHE_MODULES_ENABLED_LOCS}; do
# LogText "Test: checking ${I}"
# if [ -d ${I} ]; then
# FIND=$(${GREPBINARY} -r LoadModule ${I}/* | ${GREPBINARY} -v "^#" | ${AWKBINARY} '{ print $2":"$3 }')
# else
# LogText "Result: ${I} does not exist"
# fi
# done
#fi
#
#################################################################################
#
# Test : HTTP-6632
# Description : Search for available Apache modules
if [ ${APACHE_INSTALLED} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no HTTP-6632 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Determining all available Apache modules"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: searching available Apache modules"
COUNT=0
for DIR in ${APACHE_MODULES_LOCS}; do
DirectoryExists ${DIR}
if [ ${DIRECTORY_FOUND} -eq 1 ]; then
FIND=$(${FINDBINARY} ${DIR} -name "mod_*" -print | ${SORTBINARY})
for ITEM in ${FIND}; do
Report "apache_module[]=${ITEM}"
LogText "Result: found Apache module ${ITEM}"
COUNT=$((COUNT + 1))
done
fi
done
if [ ${COUNT} -eq 0 ]; then
Display --indent 4 --text "* Loadable modules" --result "${STATUS_NONE}" --color WHITE
ReportException "${TEST_NO}:1" "No loadable Apache modules found"
else
Display --indent 4 --text "* Loadable modules" --result "${STATUS_FOUND} (${COUNT})" --color GREEN
Display --indent 8 --text "- Found ${COUNT} loadable modules"
fi
fi
#
#################################################################################
#
# Test : HTTP-6640
# Description : Search for special Apache modules: evasive
if [ ${APACHE_INSTALLED} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no HTTP-6640 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Determining existence of specific Apache modules"
if [ ${SKIPTEST} -eq 0 ]; then
# Check modules, module
CheckItem "apache_module" "/mod_evasive([0-9][0-9])?.so"
if [ ${ITEM_FOUND} -eq 1 ]; then
Display --indent 10 --text "mod_evasive: anti-DoS/brute force" --result "${STATUS_FOUND}" --color GREEN
AddHP 3 3
else
Display --indent 10 --text "mod_evasive: anti-DoS/brute force" --result "${STATUS_NOT_FOUND}" --color WHITE
AddHP 2 3
ReportSuggestion ${TEST_NO} "Install Apache mod_evasive to guard webserver against DoS/brute force attempts"
fi
fi
#
#################################################################################
#
# Test : HTTP-6641
# Description : Search for special Apache modules: Quality of Service
# Notes : Was mod_qos before. Since Apache 2.2.15 mod_reqtimeout
if [ ${APACHE_INSTALLED} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no HTTP-6641 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Determining existence of specific Apache modules"
if [ ${SKIPTEST} -eq 0 ]; then
# Check modules, module
CheckItem "apache_module" "/mod_(reqtimeout|qos).so"
if [ ${ITEM_FOUND} -eq 1 ]; then
Display --indent 10 --text "mod_reqtimeout/mod_qos" --result "${STATUS_FOUND}" --color GREEN
AddHP 3 3
else
Display --indent 10 --text "mod_reqtimeout/mod_qos" --result "${STATUS_NOT_FOUND}" --color WHITE
AddHP 2 3
ReportSuggestion ${TEST_NO} "Install Apache mod_reqtimeout or mod_qos to guard webserver against Slowloris attacks"
fi
fi
#
#################################################################################
#
# Test : HTTP-6643
# Description : Search for special Apache modules: security
if [ ${APACHE_INSTALLED} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no HTTP-6643 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Determining existence of specific Apache modules"
if [ ${SKIPTEST} -eq 0 ]; then
# Check modules, module
CheckItem "apache_module" "/mod_security2.so"
if [ ${ITEM_FOUND} -eq 1 ]; then
Display --indent 10 --text "ModSecurity: web application firewall" --result "${STATUS_FOUND}" --color GREEN
AddHP 3 3
else
Display --indent 10 --text "ModSecurity: web application firewall" --result "${STATUS_NOT_FOUND}" --color WHITE
AddHP 2 3
ReportSuggestion ${TEST_NO} "Install Apache modsecurity to guard webserver against web application attacks"
fi
fi
#
#################################################################################
#
# Test : HTTP-6660 TODO
# Description : Search for "TraceEnable off" in configuration files
#
#################################################################################
#
# Test : HTTP-6702
# Description : Search for nginx process
Register --test-no HTTP-6702 --weight L --network NO --category security --description "Check nginx process"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: searching running nginx process"
if IsRunning "nginx"; then
LogText "Result: found running nginx process(es)"
Display --indent 2 --text "- Checking nginx" --result "${STATUS_FOUND}" --color GREEN
NGINX_RUNNING=1
Report "nginx_running=1"
else
LogText "Result: no running nginx process found"
Display --indent 2 --text "- Checking nginx" --result "${STATUS_NOT_FOUND}" --color WHITE
fi
fi
#
#################################################################################
#
# Test : HTTP-6704
# Description : Search for nginx configuration file
if [ ${NGINX_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no HTTP-6704 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check nginx configuration file"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: searching nginx configuration file"
for DIR in ${NGINX_CONF_LOCS}; do
if [ -f ${DIR}/nginx.conf ]; then
NGINX_CONF_LOCATION="${DIR}/nginx.conf"
LogText "Found file ${NGINX_CONF_LOCATION}"
NGINX_CONF_FILES="${DIR}/nginx.conf"
fi
done
if HasData "${NGINX_CONF_LOCATION}"; then
LogText "Result: found nginx configuration file"
Report "nginx_main_conf_file=${NGINX_CONF_LOCATION}"
Display --indent 4 --text "- Searching nginx configuration file" --result "${STATUS_FOUND}" --color GREEN
else
LogText "Result: no nginx configuration file found"
Display --indent 2 --text "- Searching nginx configuration file" --result "${STATUS_NOT_FOUND}" --color WHITE
fi
fi
#
#################################################################################
#
# Test : HTTP-6706
# Description : Search for includes within nginx configuration file
# Notes : Daemon nginx should be running, nginx.conf should be found
if [ ${NGINX_RUNNING} -eq 1 -a ! -z "${NGINX_CONF_LOCATION}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no HTTP-6706 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for additional nginx configuration files"
if [ ${SKIPTEST} -eq 0 ]; then
CreateTempFile || ExitFatal
TMPFILE="${TEMP_FILE}"
COUNT=0
${SEDBINARY} -e 's/^[ \t]*//' ${NGINX_CONF_LOCATION} | ${GREPBINARY} -v "^#" | ${GREPBINARY} -v "^$" | ${SEDBINARY} 's/[\t]/ /g' | ${SEDBINARY} 's/ / /g' | ${SEDBINARY} 's/ / /g' >> ${TMPFILE}
# Search for included configuration files (may include directories and wild cards)
FIND=$(${GREPBINARY} "include" ${NGINX_CONF_LOCATION} | ${AWKBINARY} '{ if ($1=="include") { print $2 }}' | ${SEDBINARY} 's/;$//g')
for I in ${FIND}; do
FIND2=$(${LSBINARY} ${I} 2>/dev/null)
for J in ${FIND2}; do
# Ensure that we are parsing normal files
if [ -f ${J} ]; then
COUNT=$((COUNT + 1))
LogText "Result: found Nginx configuration file ${J}"
Report "nginx_sub_conf_file[]=${J}"
FileIsReadable ${J}
if [ ${CANREAD} -eq 1 ]; then
NGINX_CONF_FILES="${NGINX_CONF_FILES} ${J}"
FIND3=$(sed -e 's/^[ \t]*//' ${J} | ${GREPBINARY} -v "^#" | ${GREPBINARY} -v "^$" | ${SEDBINARY} 's/[\t]/ /g' | ${SEDBINARY} 's/ / /g' | ${SEDBINARY} 's/ / /g' >> ${TMPFILE})
else
ReportException "${TEST_NO}:1" "Can not parse file ${J}, as it is not readable"
fi
fi
done
done
# Sort all discovered configuration lines and store unique ones. Also strip out the mime types configured in nginx
SORTFILE=$(${SORTBINARY} -u ${TMPFILE} | ${SEDBINARY} 's/ /:space:/g' | ${EGREPBINARY} -v "(application|audio|image|text|video)/" | ${EGREPBINARY} -v "({|})")
for I in ${SORTFILE}; do
I=$(echo ${I} | ${SEDBINARY} 's/:space:/ /g')
Report "nginx_config_option[]=${I}";
done
# Remove unsorted file for next tests
if [ -f ${TMPFILE} ]; then rm -f ${TMPFILE}; fi
if [ ${COUNT} -eq 0 ]; then
LogText "Result: no nginx include statements found"
else
Display --indent 6 --text "- Found nginx includes" --result "${COUNT} FOUND" --color GREEN
fi
fi
#
#################################################################################
#
# Test : HTTP-6708
# Description : Check discovered nginx configuration settings for further hardening
# Notes : Daemon of nginx should be running, nginx.conf should be found
if [ ${NGINX_RUNNING} -eq 1 -a ! -z "${NGINX_CONF_FILES}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no HTTP-6708 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check discovered nginx configuration settings"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: start parsing all discovered nginx options"
Display --indent 4 --text "- Parsing configuration options"
for FILE in ${NGINX_CONF_FILES}; do
FILENAME=$(echo ${FILE} | ${AWKBINARY} -F/ '{print $NF}')
if [ ! "${FILENAME}" = "mime.types" ]; then
if FileIsReadable ${FILE}; then
Display --indent 8 --text "- ${FILE}"
ParseNginx ${FILE}
else
Display --indent 8 --text "- ${FILE}" --result "SKIPPED (NOT READABLE)" --color YELLOW
fi
else
LogText "Result: this configuration file is skipped, as it contains usually no interesting details"
fi
done
if [ ! -z "${NGINX_CONF_FILES_ADDITIONS}" ]; then
for I in ${NGINX_CONF_FILES_ADDITIONS}; do
FILENAME=$(echo ${I} | ${AWKBINARY} -F/ '{print $NF}')
if [ ! "${FILENAME}" = "mime.types" ]; then
if FileIsReadable ${I}; then
Display --indent 8 --text "- ${I}"
ParseNginx ${I}
else
Display --indent 8 --text "- ${I}" --result "SKIPPED (NOT READABLE)" --color YELLOW
fi
else
LogText "Result: this configuration file is skipped, as it contains usually no interesting details"
fi
done
fi
fi
#
#################################################################################
#
# Test : HTTP-6710
# Description : Check SSL configuration of nginx
# Notes : Daemon of nginx should be running, nginx.conf should be found
if [ ${NGINX_RUNNING} -eq 1 -a ! -z "${NGINX_CONF_LOCATION}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no HTTP-6710 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check nginx SSL configuration settings"
if [ ${SKIPTEST} -eq 0 ]; then
NGINX_SSL_SUGGESTION=0
if [ ${NGINX_SSL_ON} -eq 1 ]; then
LogText "Result: SSL is configured in nginx on one or more virtual hosts"
Display --indent 6 --text "- SSL configured" --result "${STATUS_YES}" --color GREEN
AddHP 5 5
# Cipher tests
if [ ${NGINX_SSL_CIPHERS} -eq 1 ]; then
Display --indent 8 --text "- Ciphers configured" --result "${STATUS_YES}" --color GREEN
else
Display --indent 8 --text "- Ciphers configured" --result "${STATUS_NO}" --color RED
NGINX_SSL_SUGGESTION=1
fi
if [ ${NGINX_SSL_PREFER_SERVER_CIPHERS} -eq 1 ]; then
Display --indent 8 --text "- Prefer server ciphers" --result "${STATUS_YES}" --color GREEN
else
Display --indent 8 --text "- Prefer server ciphers" --result "${STATUS_NO}" --color RED
NGINX_SSL_SUGGESTION=1
fi
if [ ${NGINX_SSL_PROTOCOLS} -eq 1 ]; then
Display --indent 8 --text "- Protocols configured" --result "${STATUS_YES}" --color GREEN
if [ ${NGINX_WEAK_SSL_PROTOCOL_FOUND} -eq 0 ]; then
Display --indent 10 --text "- Insecure protocols found" --result "${STATUS_NO}" --color GREEN
else
Display --indent 10 --text "- Insecure protocols found" --result "${STATUS_YES}" --color RED
ReportSuggestion "${TEST_NO}" "Disable weak protocol in nginx configuration"
fi
else
Display --indent 8 --text "- Protocols configured" --result "${STATUS_NO}" --color RED
NGINX_SSL_SUGGESTION=1
fi
else
LogText "Result: No SSL configuration found"
Display --indent 6 --text "- SSL configured" --result "${STATUS_NO}" --color RED
ReportSuggestion ${TEST_NO} "Add HTTPS to nginx virtual hosts for enhanced protection of sensitive data and privacy"
AddHP 1 5
fi
if [ ${NGINX_SSL_SUGGESTION} -eq 1 ]; then
LogText "Result: one or more parts of the nginx configuration could be enhanced regarding SSL"
ReportSuggestion "${TEST_NO}" "Change the HTTPS and SSL settings for enhanced protection of sensitive data and privacy"
fi
fi
#
#################################################################################
#
# Test : HTTP-6712
# Description : Check logging configuration of nginx
# Notes : Daemon of nginx should be running, nginx.conf should be found
if [ ${NGINX_RUNNING} -eq 1 -a ! -z "${NGINX_CONF_LOCATION}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no HTTP-6712 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check nginx access logging"
if [ ${SKIPTEST} -eq 0 ]; then
NGINX_LOG_SUGGESTION=0
Display --indent 6 --text "- Checking log file configuration"
# Check for missing access log
if [ ${NGINX_ACCESS_LOG_MISSING} -eq 1 ]; then
NGINX_LOG_SUGGESTION=1
Display --indent 8 --text "- Missing log files (access_log)" --result "${STATUS_YES}" --color RED
else
Display --indent 8 --text "- Missing log files (access_log)" --result "${STATUS_NO}" --color GREEN
fi
# Access log disabled
if [ ${NGINX_ACCESS_LOG_DISABLED} -eq 1 ]; then
NGINX_LOG_SUGGESTION=1
LogText "Result: found one or more virtual hosts which have their access log disabled"
Display --indent 8 --text "- Disabled access logging" --result "${STATUS_YES}" --color RED
AddHP 2 3
else
LogText "Result: no virtual hosts found which have their access log disabled"
Display --indent 8 --text "- Disabled access logging" --result "${STATUS_NO}" --color GREEN
AddHP 3 3
fi
# Report suggestion
if [ ${NGINX_LOG_SUGGESTION} -eq 1 ]; then
ReportSuggestion ${TEST_NO} "Check your nginx access log for proper functioning"
fi
fi
#
#################################################################################
#
# Test : HTTP-6714
# Description : Check missing error logs in nginx
if [ ${NGINX_RUNNING} -eq 1 -a ! -z "${NGINX_CONF_LOCATION}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no HTTP-6714 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for missing error logs in nginx"
if [ ${SKIPTEST} -eq 0 ]; then
NGINX_LOG_SUGGESTION=0
# Check for missing access log
if [ ${NGINX_ERROR_LOG_MISSING} -eq 1 ]; then
NGINX_LOG_SUGGESTION=1
Display --indent 8 --text "- Missing log files (error_log)" --result "${STATUS_YES}" --color RED
else
Display --indent 8 --text "- Missing log files (error_log)" --result "${STATUS_NO}" --color GREEN
fi
# Report suggestion
if [ ${NGINX_LOG_SUGGESTION} -eq 1 ]; then
ReportSuggestion ${TEST_NO} "Check your nginx error_log statements"
fi
fi
#
#################################################################################
#
# Test : HTTP-6716
# Description : Check debug mode on error log in nginx
if [ ${NGINX_RUNNING} -eq 1 -a ! -z "${NGINX_CONF_LOCATION}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no HTTP-6716 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for debug mode on error log in nginx"
if [ ${SKIPTEST} -eq 0 ]; then
NGINX_LOG_SUGGESTION=0
# Access log in debug mode
if [ ${NGINX_ERROR_LOG_DEBUG} -eq 1 ]; then
NGINX_LOG_SUGGESTION=1
LogText "Result: found one or more virtual hosts which have their error log in debug mode"
Display --indent 8 --text "- Debugging mode on error_log" --result "${STATUS_YES}" --color RED
AddHP 2 3
else
LogText "Result: no virtual hosts found which have their error log in debug mode"
Display --indent 8 --text "- Debugging mode on error_log" --result "${STATUS_NO}" --color GREEN
AddHP 3 3
fi
# Report suggestion
if [ ${NGINX_LOG_SUGGESTION} -eq 1 ]; then
ReportSuggestion ${TEST_NO} "Check your nginx error_log statements and disable debug mode"
fi
fi
#
#################################################################################
#
# Test : HTTP-6720
# Description : Search for nginx log files
if [ ${NGINX_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no HTTP-6720 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check Nginx log files"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking directories for files with log file definitions"
for DIR in ${NGINX_CONF_LOCS}; do
LogText "Test: Checking ${DIR}"
if [ -d ${DIR} ]; then
LogText "Result: Directory ${DIR} exists, so will be used as search path"
FIND=$(find ${DIR} -type f -exec ${GREPBINARY} access_log \{\} \; | ${GREPBINARY} -v "#" | ${AWKBINARY} '{ if($1=="access_log") { print $2 } }' | ${SEDBINARY} 's/;$//g' | ${SORTBINARY} -u)
if IsEmpty "${FIND}"; then
LogText "Result: no log files found"
else
LogText "Result: found one or more log files"
for FILE in ${FIND}; do
if [ -f ${FILE} ]; then
LogText "Found log file: ${FILE}"
Report "log_file=${FILE}"
else
LogText "Found non existing log file: ${FILE}"
fi
done
fi
else
LogText "Result: directory ${DIR} not found, skipping search in this directory."
fi
done
unset DIR; unset FILE; unset FIND
fi
#
#################################################################################
#
# Remove temp file (double check)
if [ ! -z "${TMPFILE}" ]; then if [ -f ${TMPFILE} ]; then rm -f ${TMPFILE}; fi; fi
if [ ! -z "${TMPFILE2}" ]; then if [ -f ${TMPFILE2} ]; then rm -f ${TMPFILE2}; fi; fi
WaitForKeyPress
#
#================================================================================
# Lynis - Security Auditing and System Hardening for Linux and UNIX - https://cisofy.com
Reference in New Issue View Git Blame Copy Permalink