diff options
| author | mboelen <michael@cisofy.com> | 2014-08-26 19:33:55 +0400 |
|---|---|---|
| committer | mboelen <michael@cisofy.com> | 2014-08-26 19:33:55 +0400 |
| commit | c0ae2e217b7f1fb0171017ce5afb8eb8898470db (patch) | |
| tree | 545aa150c35c5fb74d7bb4c2d3b0ae41cfa7b4e5 /include/tests_squid | |
Initial import
Diffstat (limited to 'include/tests_squid')
| -rw-r--r-- | include/tests_squid | 384 |
1 files changed, 384 insertions, 0 deletions
diff --git a/include/tests_squid b/include/tests_squid new file mode 100644 index 00000000..eedd23e2 --- /dev/null +++ b/include/tests_squid @@ -0,0 +1,384 @@ +#!/bin/sh + +################################################################################# +# +# Lynis +# ------------------ +# +# Copyright 2007-2014, Michael Boelen (michael@rootkit.nl), The Netherlands +# Web site: http://www.rootkit.nl +# +# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are +# welcome to redistribute it under the terms of the GNU General Public License. +# See LICENSE file for usage of this software. +# +################################################################################# +# +# Squid +# +################################################################################# +# + SQUID_DAEMON_CONFIG_LOCS="/etc /etc/squid /etc/squid3 /usr/local/etc/squid /usr/local/squid/etc" + SQUID_DAEMON_CONFIG="" + SQUID_DAEMON_UNSAFE_PORTS_LIST="22 23 25" + SQUID_DAEMON_RUNNING=0 +# +################################################################################# +# + InsertSection "Squid Support" +# +################################################################################# +# + # Test : SQD-3602 + # Description : Check for a running Squid daemon + # Notes : Search for squid(3) with a space, to avoid SquidGuard and other + # programs. + Register --test-no SQD-3602 --weight L --network NO --description "Check for running Squid daemon" + if [ ${SKIPTEST} -eq 0 ]; then + logtext "Test: Searching for a Squid daemon..." + FOUND=0 + # Check running processes + FIND=`${PSBINARY} ax | egrep "(squid|squid3) " | grep -v "grep"` + if [ ! "${FIND}" = "" ]; then + SQUID_DAEMON_RUNNING=1 + logtext "Result: Squid daemon is running" + Display --indent 2 --text "- Checking running Squid daemon..." --result FOUND --color GREEN + else + logtext "Result: No running Squid daemon found" + Display --indent 2 --text "- Checking running Squid daemon..." --result "NOT FOUND" --color WHITE + fi + fi +# +################################################################################# +# + # Test : SQD-3604 + # Description : Determine Squid daemon configuration file location + if [ ${SQUID_DAEMON_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + Register --test-no SQD-3604 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check Squid daemon file location" + if [ ${SKIPTEST} -eq 0 ]; then + logtext "Action: searching for squid.conf or squid3.conf file" + for I in ${SQUID_DAEMON_CONFIG_LOCS}; do + # Checking squid.conf + if [ -f "${I}/squid.conf" ]; then + logtext "Result: ${I}/squid.conf exists" + SQUID_DAEMON_CONFIG="${I}/squid.conf" + fi + # Checking squid3.conf + if [ -f "${I}/squid3.conf" ]; then + logtext "Result: ${I}/squid3.conf exists" + SQUID_DAEMON_CONFIG="${I}/squid3.conf" + fi + done + if [ "${SQUID_DAEMON_CONFIG}" = "" ]; then + logtext "Result: No Squid configuration file found" + Display --indent 4 --text "- Searching Squid configuration file..." --result "NOT FOUND" --color YELLOW + else + logtext "Result: using last found configuration file: ${SQUID_DAEMON_CONFIG}" + Display --indent 4 --text "- Searching Squid configuration..." --result FOUND --color GREEN + fi + fi +# +################################################################################# +# + # Test : SQD-3606 + # Description : Check Squid version + if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! "${SQUID_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + Register --test-no SQD-3606 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check Squid version" + if [ ${SKIPTEST} -eq 0 ]; then + if [ ! "${SQUIDBINARY}" = "" ]; then + logtext "Result: Squid binary found (${SQUIDBINARY})" + # Skip check if a setuid/setgid bit is found + FIND=`find ${SQUIDBINARY} \( -perm 4000 -o -perm 2000 \) -print` + if [ "${FIND}" = "" ]; then + FIND2=`${SQUIDBINARY} -v | awk '{ if ($3=="Version") { print $4 } }'` + Display --indent 4 --text "- Checking Squid version..." --result "FOUND" --color GREEN + SQUID_VERSION="${FIND2}" + else + logtext "Result: test skipped for security reasons, setuid/setgid bit set" + Display --indent 4 --text "- Checking Squid version..." --result "SKIPPED" --color RED + fi + else + logtext "Result: no Squid binary found" + fi + fi +# +################################################################################# +# +# # Test : SQD-3608 +# # Description : Check Squid build options +# if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! "${SQUID_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi +# Register --test-no SQD-3608 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check Squid version" +# if [ ${SKIPTEST} -eq 0 ]; then +# fi +# +################################################################################# +# + # Test : SQD-3610 + # Description : Check Squid configuration options + if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! "${SQUID_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + Register --test-no SQD-3610 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check Squid version" + if [ ${SKIPTEST} -eq 0 ]; then + logtext "Test: Checking all specific defined options in ${SQUID_DAEMON_CONFIG}" + FIND=`cat ${SQUID_DAEMON_CONFIG} | grep -v "^#" | grep -v "^$" | ${AWKBINARY} '{gsub("\t"," ");print}' | sed 's/ /!space!/g'` + for I in ${FIND}; do + I=`echo ${I} | sed 's/!space!/ /g'` + logtext "Found Squid option: ${I}" + done + Display --indent 4 --text "- Checking defined Squid options..." --result "DONE" --color GREEN + fi +# +################################################################################# +# +# # Test : SQD-3612 +# # Description : Check Squid additional configuration files +# if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! "${SQUID_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi +# Register --test-no SQD-3612 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check additional Squid configuration files" +# if [ ${SKIPTEST} -eq 0 ]; then +# fi +# +################################################################################# +# + # Test : SQD-3613 + # Description : Check Squid configuration options + if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! "${SQUID_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + Register --test-no SQD-3613 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check Squid file permissions" + if [ ${SKIPTEST} -eq 0 ]; then + logtext "Test: Checking file permissions of ${SQUID_DAEMON_CONFIG}" + FIND=`find ${SQUID_DAEMON_CONFIG} -type f -a \( -perm -004 -o -perm -002 -o -perm -001 \)` + if [ ! "${FIND}" = "" ]; then + logtext "Result: file ${SQUID_DAEMON_CONFIG} is world readable, writable or executable and could leak information or passwords" + Display --indent 4 --text "- Checking Squid configuration file permissions..." --result WARNING --color RED + ReportSuggestion ${TEST_NO} "Check file permissions of ${SQUID_DAEMON_CONFIG} to limit access" + ReportWarning ${TEST_NO} "M" "File permissions of ${SQUID_DAEMON_CONFIG} are not restrictive" + AddHP 0 2 + else + logtext "Result: file ${SQUID_DAEMON_CONFIG} has proper file permissions" + Display --indent 4 --text "- Checking Squid configuration file permissions..." --result OK --color GREEN + AddHP 2 2 + fi + fi +# +################################################################################# +# + if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! "${SQUID_DAEMON_CONFIG}" = "" ]; then + Display --indent 4 --text "- Checking Squid access control..." + fi +# +################################################################################# +# + # Test : SQD-3614 + # Description : Check Squid authentication + if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! "${SQUID_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + Register --test-no SQD-3614 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check Squid authentication methods" + if [ ${SKIPTEST} -eq 0 ]; then + logtext "Test: check auth_param option for authentication methods" + FIND=`grep "^auth_param" ${SQUID_DAEMON_CONFIG} | awk '{ print $2 }'` + if [ "${FIND}" = "" ]; then + logtext "No auth_param option found, proxy access anonymous or based on other methods (like ACLs)" + Display --indent 6 --text "- Checking Squid authentication methods..." --result "NONE" --color YELLOW + else + Display --indent 6 --text "- Checking Squid authentication methods..." --result "FOUND" --color GREEN + for I in ${FIND}; do + logtext "Result: found authentication method ${I}" + report "squid_auth_method=${I}" + done + fi + fi +# +################################################################################# +# + # Test : SQD-3616 + # Description : Check external Squid authentication + if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! "${SQUID_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + Register --test-no SQD-3616 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check external Squid authentication" + if [ ${SKIPTEST} -eq 0 ]; then + logtext "Test: check external_acl_type option for external authentication helpers" + FIND=`grep "^external_acl_type" ${SQUID_DAEMON_CONFIG}` + if [ "${FIND}" = "" ]; then + logtext "No external_acl_type found" + Display --indent 6 --text "- Checking Squid external authentication methods..." --result "NONE" --color YELLOW + else + Display --indent 6 --text "- Checking Squid external authentication methods..." --result "FOUND" --color GREEN + for I in ${FIND}; do + logtext "Result: found external authentication method helper" + logtext "Output: ${FIND}" + #report "squid_external_acl_type=TRUE" + done + fi + fi +# +################################################################################# +# + # Test : SQD-3620 + # Description : Check ACLs + if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! "${SQUID_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + Register --test-no SQD-3620 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check Squid access control lists" + if [ ${SKIPTEST} -eq 0 ]; then + N=0 + logtext "Test: checking ACLs" + FIND=`grep "^acl " ${SQUID_DAEMON_CONFIG} | sed 's/ /!space!/g'` + if [ "${FIND}" = "" ]; then + logtext "Result: No ACLs found" + Display --indent 6 --text "- Checking Access Control Lists..." --result "NONE" --color RED + else + for I in ${FIND}; do + N=`expr ${N} + 1` + I=`echo ${I} | sed 's/!space!/ /g'` + logtext "Found ACL: ${I}" + #report "squid_acl=${I}" + done + logtext "Result: Found ${N} ACLs" + Display --indent 6 --text "- Checking Access Control Lists..." --result "${N} ACLs FOUND" --color GREEN + fi + fi +# +################################################################################# +# + # Test : SQD-3624 [T] + # Description : Check unsecure ports in Safe_ports list + if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! "${SQUID_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + Register --test-no SQD-3624 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check Squid safe ports" + if [ ${SKIPTEST} -eq 0 ]; then + N=0 + logtext "Test: checking ACL Safe_ports http_access option" + FIND=`grep "^http_access" ${SQUID_DAEMON_CONFIG} | grep "Safe_ports"` + if [ "${FIND}" = "" ]; then + logtext "Result: no Safe_ports found" + Display --indent 6 --text "- Checking ACL 'Safe_ports' http_access option..." --result "NOT FOUND" --color YELLOW + ReportSuggestion ${TEST_NO} "Check if Squid has been configured to restrict access to all safe ports" + else + logtext "Result: checking ACL safe ports" + FIND2=`grep "^acl Safe_ports port" ${SQUID_DAEMON_CONFIG} | awk '{ print $4 }'` + if [ "${FIND2}" = "" ]; then + Display --indent 6 --text "- Checking ACL 'Safe_ports' ports..." --result "NONE FOUND" --color YELLOW + ReportSuggestion ${TEST_NO} "Check if Squid has been configured for which ports it can allow outgoing traffic (Safe_ports)" + AddHP 0 1 + else + logtext "Result: Safe_ports found" + for I in ${FIND}; do + logtext "Found safe port: ${I}" + done + Display --indent 6 --text "- Checking ACL 'Safe_ports' ports..." --result "FOUND" --color GREEN + AddHP 1 1 + fi + #SQUID_DAEMON_UNSAFE_PORTS_LIST + for I in ${SQUID_DAEMON_UNSAFE_PORTS_LIST}; do + logtext "Test: Checking port ${I} in Safe_ports list" + FIND2=`grep "^acl Safe_ports port ${I}" ${SQUID_DAEMON_CONFIG}` + if [ "${FIND2}" = "" ]; then + Display --indent 6 --text "- Checking ACL 'Safe_ports' (port ${I})..." --result "NOT FOUND" --color GREEN + AddHP 1 1 + else + Display --indent 6 --text "- Checking ACL 'Safe_ports' (port ${I})..." --result "FOUND" --color RED + ReportWarning ${TEST_NO} "H" "Squid configuration possibly allows relaying traffic via configured Safe_port ${I}" + AddHP 0 1 + fi + done + fi + fi +# +################################################################################# +# + if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! "${SQUID_DAEMON_CONFIG}" = "" ]; then + Display --indent 4 --text "- Checking Squid Denial of Service tuning options..." + fi +# +################################################################################# +# + # Test : SQD-3630 [T] + # Description : Check reply_body_max_size value + if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! "${SQUID_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + Register --test-no SQD-3630 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check Squid reply_body_max_size option" + if [ ${SKIPTEST} -eq 0 ]; then + N=0 + logtext "Test: checking option reply_body_max_size" + FIND=`grep "^reply_body_max_size " ${SQUID_DAEMON_CONFIG} | sed 's/ /!space!/g'` + if [ "${FIND}" = "" ]; then + logtext "Result: option reply_body_max_size not configured" + Display --indent 6 --text "- Checking option: reply_body_max_size" --result "NONE" --color RED + AddHP 1 2 + ReportSuggestion ${TEST_NO} "Configure Squid option reply_body_max_size to limit the upper size of requests." + else + logtext "Result: option reply_body_max_size configured" + logtext "Output: ${FIND}" + Display --indent 6 --text "- Checking option: reply_body_max_size" --result "FOUND" --color GREEN + AddHP 2 2 + fi + fi +# +################################################################################# +# + if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! "${SQUID_DAEMON_CONFIG}" = "" ]; then + Display --indent 4 --text "- Checking Squid general options..." + fi +# +################################################################################# +# + + # Test : SQD-3680 + # Description : Check httpd_suppress_version_string + if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! "${SQUID_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + Register --test-no SQD-3680 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check Squid version suppresion" + if [ ${SKIPTEST} -eq 0 ]; then + FIND=`grep "^httpd_suppress_version_string " ${SQUID_DAEMON_CONFIG} | grep " on"` + if [ "${FIND}" = "" ]; then + logtext "Result: option httpd_suppress_version_string not configured" + Display --indent 6 --text "- Checking option: httpd_supress_version_string" --result "NOT FOUND" --color YELLOW + AddHP 1 2 + ReportSuggestion ${TEST_NO} "Configure Squid option httpd_suppress_version_string (on) to suppress the version." + else + logtext "Result: option httpd_suppress_version_string configured" + logtext "Output: ${FIND}" + Display --indent 6 --text "- Checking option: httpd_suppress_version_string" --result "FOUND" --color GREEN + AddHP 2 2 + fi + fi +# +################################################################################# +# + + +# Squid +#Hardening: +# $1 $3 +# acl snmp_community +# acl maxconn +# acl max_user_ip +# +# follow_x_forwarded_for +#Read cache_peer host type(sibling/parent) proxyport icpport options (if set, icp_access should be set as well) +#Read cache_peer_domain +#Read cache_peer_access +#Read icp_access +#Read icp_port +#Read htcp_access +#Read htcp_port +#Read http_port +#Read https_port +#Read cache_dir +#Read access_log +#Read coredump_dir +#Read quick_abort_min / max /pct +# +# Memory tuning +#Read cache_mem +#Read maximum_object_size_in_memory +#Read maximum_object_size +#Read cache_swap_low +#Read cache_swap_high + +# Security +#cache_effective_user +# off +#forwarded_for + +#wccp +# +################################################################################# +# + +wait_for_keypress + +# +#================================================================================ +# Lynis - Copyright 2007-2014, Michael Boelen - www.rootkit.nl - The Netherlands |