DNS-1600 Check for DNSSEC validation (#535)

4 files changed, 76 insertions, 1 deletions

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 11b3135b..6c15fa2a 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -15,6 +15,7 @@ Tests:
 * [PHP-2379]  - Suhosin test disbled
 * [SSH-7408]  - Removed 'DELAYED' from OpenSSH Compression setting
 * [TIME-3160] - Improvements to detect step-tickers file and entries
+* [DNS-1600] - Add DNSSEC validation
 
 
 ---------------------------------------------------------------------------------
diff --git a/db/tests.db b/db/tests.db
index 53d9e70f..dec1cff1 100644
--- a/db/tests.db
+++ b/db/tests.db
@@ -79,6 +79,7 @@ CONT-8107:test:performance:containers::Check number of unused Docker containers:
 CONT-8108:test:security:containers::Check file permissions for Docker files:
 CORE-1000:test:performance:system_integrity::Check all system binaries:
 CRYP-7902:test:security:crypto::Check expire date of SSL certificates:
+DNS-1600:test:security:dns::Validating that the DNSSEC signatures are checked:
 DBS-1804:test:security:databases::Checking active MySQL process:
 DBS-1816:test:security:databases::Checking MySQL root password:
 DBS-1818:test:security:databases::MongoDB status:
diff --git a/include/tests_dns b/include/tests_dns
new file mode 100644
index 00000000..4fbc7caa
--- /dev/null
+++ b/include/tests_dns
@@ -0,0 +1,73 @@
+#!/bin/sh
+
+#################################################################################
+#
+#   Lynis
+# ------------------
+#
+# Copyright 2007-2013, Michael Boelen
+# Copyright 2007-2018, CISOfy
+#
+# Website  : https://cisofy.com
+# Blog     : http://linux-audit.com
+# GitHub   : https://github.com/CISOfy/lynis
+#
+# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
+# welcome to redistribute it under the terms of the GNU General Public License.
+# See LICENSE file for usage of this software.
+#
+#################################################################################
+#
+# DNS
+#
+#################################################################################
+#
+    SIGOKDNS="sigok.verteiltesysteme.net"      # adress with good DESSEC signiture
+    SIGFAILDNS="sigfail.verteiltesysteme.net"  # adress with bad  DESSEC signiture
+    # TODO update it once cisofy.com records are created
+    # TODO after update even IP match can be checked to detect highjacking
+    TIMEOUT=";; connection timed out; no servers could be reached"
+#
+#################################################################################
+#
+    InsertSection "DNS"
+#
+#################################################################################
+#
+    # Test        : DNS-1600
+    # Description : Validate DNSSEC signiture is checked
+    Register --test-no DNS-1600 --weight L --network YES --category security --description "Validate DNSSEC igniture is checked"
+    if [ "${SKIPTEST}" -eq 0 ]; then
+        if [ ! -z "${DIGBINARY}" ]; then
+
+            GOOD=$("${DIGBINARY}" +short +time=1 $SIGOKDNS)
+            BAD=$("${DIGBINARY}" +short +time=1 $SIGFAILDNS)
+
+            if [ "$GOOD" = "$TIMEOUT" ] && [ "$BAD" = "$TIMEOUT" ]; then
+                LogText "Result: Exception found, can't determine DNSSEC validation"
+                Display --indent 4 --text "- Checking DNSSEC validation" --result "${STATUS_UNKOWN}" --color YELLOW
+                ReportException "${TEST_NO}" "Exception found, both query failed, due to connection timeout"
+            elif [ -z "$GOOD" ] && ! [ -z "$BAD" ]; then
+                LogText "Result: Exception found, can't determine DNSSEC validation"
+                Display --indent 4 --text "- Checking DNSSEC validation" --result "${STATUS_UNKOWN}" --color YELLOW
+                ReportException "${TEST_NO}" "Exception found, OK failed, Bad signiture was accepted"
+            elif ! [ -z "$GOOD" ] && ! [ -z "$BAD" ]; then
+                Display --indent 4 --text "- Checking DNSSEC validation" --result "${STATUS_SUGGESTION}" --color YELLOW
+                LogText "Note: Useing DNSsec validation can protect from DNS highjacking"
+                ReportSuggestion "${TEST_NO}" "Malformated DNS querys are accepted, Configure DNSSEC valdating name servers"
+                AddHP 2 2
+            elif ! [ -z "$GOOD" ] && [ -z "$BAD" ]; then
+                Display --indent 4 --text "- Checking DNSSEC validation" --result "${STATUS_OK}" --color GREEN
+                LogText "Result: Malformated DNS responses were ignored"
+                AddHP 0 2
+            fi
+        else
+            Display --indent 4 --text "- DESSEC validation" --result "${STATUS_SKIPPED}" --color YELLOW
+            LogText "Result: dig not installed, test can't be fully performed"
+        fi
+    else
+        LogText "Result: Test was skipped"
+    fi
+#
+#################################################################################
+#
diff --git a/lynis b/lynis
index 9f6a3b92..ca702a34 100755
--- a/lynis
+++ b/lynis
@@ -925,7 +925,7 @@ ${NORMAL}
             LogText "Info: perform tests from all categories"
 
             INCLUDE_TESTS="boot_services kernel memory_processes authentication shells \
-                           filesystems usb storage storage_nfs nameservices ports_packages networking printers_spools \
+                           filesystems usb storage storage_nfs nameservices dns ports_packages networking printers_spools \
                            mail_messaging firewalls webservers ssh snmp databases ldap php squid logging \
                            insecure_services banners scheduling accounting time crypto virtualization containers \
                            mac_frameworks file_integrity tooling malware file_permissions homedirs \