Diffstat (limited to 'include/tests_firewalls')
-rw-r--r-- | include/tests_firewalls | 104 |
1 files changed, 52 insertions, 52 deletions
diff --git a/include/tests_firewalls b/include/tests_firewalls
index 6c8192eb..2a01e410 100644
--- a/include/tests_firewalls
+++ b/include/tests_firewalls
@@ -5,7 +5,7 @@
 # Lynis
 # ------------------
 #
-# Copyright 2007-2015, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
+# Copyright 2007-2016, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
 # Web site: https://cisofy.com
 #
 # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
@@ -41,9 +41,9 @@
 IPTABLES_ACTIVE=1
 IPTABLES_MODULE_ACTIVE=1
 Display --indent 2 --text "- Checking iptables kernel module" --result FOUND --color GREEN
- logtext "Result: Found iptables in loaded kernel modules"
+ LogText "Result: Found iptables in loaded kernel modules"
 for I in ${FIND}; do
- logtext "Found module: ${I}"
+ LogText "Found module: ${I}"
 done
 else
 Display --indent 2 --text "- Checking iptables kernel module" --result "NOT FOUND" --color WHITE
@@ -62,24 +62,24 @@
 # tests, when using iptables --list
 if [ ! "${LINUXCONFIGFILE}" = "" ]; then
 if [ -f ${LINUXCONFIGFILE} -a ${IPTABLES_MODULE_ACTIVE} -eq 0 ]; then
- logtext "Result: found kernel configuration file (${LINUXCONFIGFILE})"
+ LogText "Result: found kernel configuration file (${LINUXCONFIGFILE})"
 FIND=`${tCATCMD} ${LINUXCONFIGFILE} | grep -v '^#' | grep "CONFIG_IP_NF_IPTABLES" | head -n 1`
 if [ ! "${FIND}" = "" ]; then
 HAVEMOD=`echo ${FIND} | cut -d '=' -f2`
 # Do not use iptables if it's compiled as a module (=m), since we already tested for it in the
 # active list.
 if [ "${HAVEMOD}" = "y" ]; then
- logtext "Result: iptables available as a module in the configuration"
+ LogText "Result: iptables available as a module in the configuration"
 IPTABLES_ACTIVE=1
 IPTABLES_INKERNEL_ACTIVE=1
 FIREWALL_ACTIVE=1
 FIREWALL_SOFTWARE="iptables"
 Display --indent 2 --text "- Checking iptables in config file" --result FOUND --color GREEN
 else
- logtext "Result: no iptables found in Linux kernel config file"
+ LogText "Result: no iptables found in Linux kernel config file"
 fi
 else
- logtext "Result: no Linux configuration file found"
+ LogText "Result: no Linux configuration file found"
 Display --indent 2 --text "- Checking iptables in config file" --result "NOT FOUND" --color WHITE
 fi
 fi
@@ -99,11 +99,11 @@
 FIREWALL_ACTIVE=1
 if [ ${FIND} -le 10 ]; then
 # Firewall is active, but clearly needs configuration
- logtext "Result: iptables ruleset seems to be empty (found ${FIND} rules)"
+ LogText "Result: iptables ruleset seems to be empty (found ${FIND} rules)"
 Display --indent 4 --text "- Checking for empty ruleset" --result WARNING --color RED
 ReportWarning ${TEST_NO} "L" "iptables module(s) loaded, but no rules active"
 else
- logtext "Result: one or more rules are available (${FIND} rules)"
+ LogText "Result: one or more rules are available (${FIND} rules)"
 Display --indent 4 --text "- Checking for empty ruleset" --result OK --color GREEN
 fi
 fi
@@ -119,16 +119,16 @@
 FIND=`${IPTABLESBINARY} --list --numeric --line-numbers --verbose | awk '{ if ($2=="0") print $1 }' | xargs`
 if [ "${FIND}" = "" ]; then
 Display --indent 4 --text "- Checking for unused rules" --result OK --color GREEN
- logtext "Result: There are no unused rules present"
+ LogText "Result: There are no unused rules present"
 else
 Display --indent 4 --text "- Checking for unused rules" --result FOUND --color YELLOW
- logtext "Result: Found one or more possible unused rules"
- logtext "Description: Unused rules can be a sign that the firewall rules aren't optimized or up-to-date"
- logtext "Note: Sometimes rules aren't triggered but still in use. Keep this in mind before cleaning up rules."
- logtext "Output: iptables rule numbers: ${FIND}"
+ LogText "Result: Found one or more possible unused rules"
+ LogText "Description: Unused rules can be a sign that the firewall rules aren't optimized or up-to-date"
+ LogText "Note: Sometimes rules aren't triggered but still in use. Keep this in mind before cleaning up rules."
+ LogText "Output: iptables rule numbers: ${FIND}"
 #ReportWarning ${TEST_NO} "L" "Found possible unused iptables rules ($FIND)"
 ReportSuggestion ${TEST_NO} "Check iptables rules to see which rules are currently not used"
- logtext "Tip: iptables --list --numeric --line-numbers --verbose"
+ LogText "Tip: iptables --list --numeric --line-numbers --verbose"
 fi
 fi
 #
@@ -142,18 +142,18 @@ PFFOUND=0; PFLOGDFOUND=0 # Check status with pfctl - logtext "Test: checking pf status via pfctl" + LogText "Test: checking pf status via pfctl" if [ ! "${PFCTLBINARY}" = "" ]; then FIND=`${PFCTLBINARY} -sa 2>&1 | grep "^Status" | head -1 | awk '{ print $2 }'` if [ "${FIND}" = "Enabled" ]; then Display --indent 2 --text "- Checking pf status (pfctl)" --result ENABLED --color GREEN - logtext "Result: pf is enabled" + LogText "Result: pf is enabled" PFFOUND=1 AddHP 3 3 else if [ "${FIND}" = "Disabled" ]; then Display --indent 2 --text "- Checking pf status (pfctl)" --result DISABLED --color RED - logtext "Result: pf is disabled" + LogText "Result: pf is disabled" AddHP 0 3 else Display --indent 2 --text "- Checking pf status (pfctl)" --result UNKNOWN --color YELLOW @@ -165,27 +165,27 @@ # If we didn't find the status to be enabled, stop searching if [ ${PFFOUND} -eq 0 ]; then # Check for pf kernel module (FreeBSD and similar) - logtext "Test: searching for pf kernel module" + LogText "Test: searching for pf kernel module" if [ ! "${KLDSTATBINARY}" = "" ]; then FIND=`${KLDSTATBINARY} | grep 'pf.ko'` if [ "${FIND}" = "" ]; then - logtext "Result: Can not find pf KLD" + LogText "Result: Can not find pf KLD" else - logtext "Result: pf KLD loaded" + LogText "Result: pf KLD loaded" PFFOUND=1 fi else - logtext "Result: no kldstat binary, skipping this part" + LogText "Result: no kldstat binary, skipping this part" fi IsRunning pflogd if [ ${RUNNING} -eq 1 ]; then - logtext "Result: found pflog daemon in process list" + LogText "Result: found pflog daemon in process list" Display --indent 4 --text "- Checking pflogd status" --result ACTIVE --color GREEN PFFOUND=1 PFLOGDFOUND=1 else - logtext "Result: pflog daemon not found in process list" + LogText "Result: pflog daemon not found in process list" fi fi 
@@ -193,7 +193,7 @@
 FIREWALL_ACTIVE=1
 FIREWALL_SOFTWARE="pf"
 else
- logtext "Result: pf not running on this system"
+ LogText "Result: pf not running on this system"
 fi
 fi
 #
@@ -204,23 +204,23 @@
 if [ ${PFFOUND} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
 Register --test-no FIRE-4520 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check pf configuration consistency"
 if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: check /etc/pf.conf"
+ LogText "Test: check /etc/pf.conf"
 # Test for warnings (-n don't load the rules)
 if [ -f /etc/pf.conf ]; then
- logtext "Result: /etc/pf.conf exists"
+ LogText "Result: /etc/pf.conf exists"
 # Check results from pfctl
 PFWARNINGS=`pfctl -n -f /etc/pf.conf -vvv 2>&1 | grep -i 'warning'`
 if [ "${PFWARNINGS}" = "" ]; then
 Display --indent 4 --text "- Checking pf configuration consistency" --result OK --color GREEN
- logtext "Result: no pf filter warnings found"
+ LogText "Result: no pf filter warnings found"
 else
 Display --indent 4 --text "- Checking pf configuration consistency" --result WARNING --color RED
- logtext "Result: found one or more warnings in the pf filter rules"
+ LogText "Result: found one or more warnings in the pf filter rules"
 ReportWarning ${TEST_NO} "H" "Found one or more warnings in pf configuration file"
 ReportSuggestion ${TEST_NO} "Run 'pfctl -n -f /etc/pf.conf -vvv' to see available pf warnings"
 fi
 else
- logtext "Result: /etc/pf.conf does NOT exist"
+ LogText "Result: /etc/pf.conf does NOT exist"
 fi
 fi
 #
@@ -236,14 +236,14 @@
 Register --test-no FIRE-4524 --weight L --network NO --description "Check for CSF presence"
 if [ ${SKIPTEST} -eq 0 ]; then
 FILE="/etc/csf/csf.conf"
- logtext "Test: check ${FILE}"
+ LogText "Test: check ${FILE}"
 if [ -f ${FILE} ]; then
- logtext "Result: ${FILE} exists"
+ LogText "Result: ${FILE} exists"
 FIREWALL_ACTIVE=1
 FIREWALL_SOFTWARE="csf"
 Display --indent 2 --text "- Checking CSF status (configuration file)" --result FOUND --color GREEN
 else
- logtext "Result: ${FILE} does NOT exist"
+ LogText "Result: ${FILE} does NOT exist"
 fi
 fi
 #
@@ -257,12 +257,12 @@
 FIND=`${IPFBINARY} -n -V | grep "^Running" | awk '{ print $2 }'`
 if [ "${FIND}" = "yes" ]; then
 Display --indent 4 --text "- Checking ipf status" --result RUNNING --color GREEN
- logtext "Result: ipf is enabled and running"
+ LogText "Result: ipf is enabled and running"
 FIREWALL_ACTIVE=1
 FIREWALL_SOFTWARE="ipf"
 else
 Display --indent 4 --text "- Checking ipf status" --result "NOT RUNNING" --color YELLOW
- logtext "Result: ipf is not running"
+ LogText "Result: ipf is not running"
 fi
 fi
 #
@@ -277,20 +277,20 @@
 FIND=`${SYSCTLBINARY} net.inet.ip.fw.enable | awk '{ print $2 }'`
 if [ "${FIND}" = "1" ]; then
 Display --indent 2 --text "- Checking IPFW status" --result RUNNING --color GREEN
- logtext "Result: IPFW is running for IPv4"
+ LogText "Result: IPFW is running for IPv4"
 FIREWALL_ACTIVE=1
 FIREWALL_SOFTWARE="ipfw"
 IPFW_ENABLED=`service -e | grep -o ipfw`
 if [ "${IPFW_ENABLED}" = "ipfw" ]; then
 Display --indent 4 --text "- IPFW enabled in /etc/rc.conf" --result YES --color GREEN
- logtext "Result: IPFW is enabled at start-up for IPv4"
+ LogText "Result: IPFW is enabled at start-up for IPv4"
 else
 Display --indent 4 --text "- ipfw enabled in /etc/rc.conf" --result NO --color YELLOW
- logtext "Result: IPFW is disabled at start-up for IPv4"
+ LogText "Result: IPFW is disabled at start-up for IPv4"
 fi
 else
 Display --indent 2 --text "- Checking IPFW status" --result "NOT RUNNING" --color YELLOW
- logtext "Result: IPFW is not running for IPv4"
+ LogText "Result: IPFW is not running for IPv4"
 fi
 else
 Display --indent 2 --text "- Checking IPFW" --result SKIPPED --color YELLOW
@@ -309,13 +309,13 @@
 if [ ! "${FIND}" = "" ]; then
 Display --indent 2 --text "- Checking Mac OS X: Application Firewall" --result ENABLED --color GREEN
 AddHP 3 3
- logtext "Result: application firewall of Mac OS X is enabled"
+ LogText "Result: application firewall of Mac OS X is enabled"
 APPLICATION_FIREWALL_ACTIVE=1
- report "app_fw[]=macosx-app-fw"
+ Report "app_fw[]=macosx-app-fw"
 else
 Display --indent 2 --text "- Checking IPFW" --result DISABLED --color YELLOW
 AddHP 1 3
- logtext "Result: application firewall of Mac OS X is disabled"
+ LogText "Result: application firewall of Mac OS X is disabled"
 fi
 fi
 #
@@ -327,16 +327,16 @@
 if [ ${SKIPTEST} -eq 0 ]; then
 if [ ${FIREWALL_ACTIVE} -eq 1 ]; then
 Display --indent 2 --text "- Checking host based firewall" --result ACTIVE --color GREEN
- logtext "Result: host based firewall or packet filter is active"
- report "manual[]=Verify if there is a formal process for testing and applying firewall rules"
- report "manual[]=Verify all traffic is filtered the right way between the different security zones"
- report "manual[]=Verify if a list is available with all required services"
+ LogText "Result: host based firewall or packet filter is active"
+ Report "manual[]=Verify if there is a formal process for testing and applying firewall rules"
+ Report "manual[]=Verify all traffic is filtered the right way between the different security zones"
+ Report "manual[]=Verify if a list is available with all required services"
 # YYY Solaris ipf (determine default policy)
- report "manual[]=Make sure an explicit deny all is the default policy for all unmatched traffic"
+ Report "manual[]=Make sure an explicit deny all is the default policy for all unmatched traffic"
 AddHP 5 5
 else
 Display --indent 2 --text "- Checking host based firewall" --result "NOT ACTIVE" --color YELLOW
- logtext "Result: no host based firewall/packet filter found or configured"
+ LogText "Result: no host based firewall/packet filter found or configured"
 ReportSuggestion ${TEST_NO} "Configure a firewall/packet filter to filter incoming and outgoing traffic"
 AddHP 0 5
 fi
@@ -346,13 +346,13 @@ # # Report firewall installed for now, if we found one active. Next step would be determining binaries first and apply additional checks. -report "firewall_installed=${FIREWALL_ACTIVE}" -report "firewall_active=${FIREWALL_ACTIVE}" -report "firewall_software=${FIREWALL_SOFTWARE}" +Report "firewall_installed=${FIREWALL_ACTIVE}" +Report "firewall_active=${FIREWALL_ACTIVE}" +Report "firewall_software=${FIREWALL_SOFTWARE}" wait_for_keypress # #================================================================================ -# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com +# Lynis - Copyright 2007-2016, Michael Boelen, CISOfy - https://cisofy.com |