Diffstat (limited to 'include/tests_firewalls')
-rw-r--r--include/tests_firewalls104
1 files changed, 52 insertions, 52 deletions
diff --git a/include/tests_firewalls b/include/tests_firewalls
index 6c8192eb..2a01e410 100644
--- a/include/tests_firewalls
+++ b/include/tests_firewalls
@@ -5,7 +5,7 @@
# Lynis
# ------------------
#
-# Copyright 2007-2015, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
+# Copyright 2007-2016, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
# Web site: https://cisofy.com
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
@@ -41,9 +41,9 @@
IPTABLES_ACTIVE=1
IPTABLES_MODULE_ACTIVE=1
Display --indent 2 --text "- Checking iptables kernel module" --result FOUND --color GREEN
- logtext "Result: Found iptables in loaded kernel modules"
+ LogText "Result: Found iptables in loaded kernel modules"
for I in ${FIND}; do
- logtext "Found module: ${I}"
+ LogText "Found module: ${I}"
done
else
Display --indent 2 --text "- Checking iptables kernel module" --result "NOT FOUND" --color WHITE
@@ -62,24 +62,24 @@
# tests, when using iptables --list
if [ ! "${LINUXCONFIGFILE}" = "" ]; then
if [ -f ${LINUXCONFIGFILE} -a ${IPTABLES_MODULE_ACTIVE} -eq 0 ]; then
- logtext "Result: found kernel configuration file (${LINUXCONFIGFILE})"
+ LogText "Result: found kernel configuration file (${LINUXCONFIGFILE})"
FIND=`${tCATCMD} ${LINUXCONFIGFILE} | grep -v '^#' | grep "CONFIG_IP_NF_IPTABLES" | head -n 1`
if [ ! "${FIND}" = "" ]; then
HAVEMOD=`echo ${FIND} | cut -d '=' -f2`
# Do not use iptables if it's compiled as a module (=m), since we already tested for it in the
# active list.
if [ "${HAVEMOD}" = "y" ]; then
- logtext "Result: iptables available as a module in the configuration"
+ LogText "Result: iptables available as a module in the configuration"
IPTABLES_ACTIVE=1
IPTABLES_INKERNEL_ACTIVE=1
FIREWALL_ACTIVE=1
FIREWALL_SOFTWARE="iptables"
Display --indent 2 --text "- Checking iptables in config file" --result FOUND --color GREEN
else
- logtext "Result: no iptables found in Linux kernel config file"
+ LogText "Result: no iptables found in Linux kernel config file"
fi
else
- logtext "Result: no Linux configuration file found"
+ LogText "Result: no Linux configuration file found"
Display --indent 2 --text "- Checking iptables in config file" --result "NOT FOUND" --color WHITE
fi
fi
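Review bot: The renamed line `LogText "Result: iptables available as a module in the configuration"` contradicts the branch it sits in: it runs when HAVEMOD is `y`, which the comment two lines above and the `IPTABLES_INKERNEL_ACTIVE=1` that follows treat as iptables being built into the kernel, not loaded as a module. Suggest `LogText "Result: iptables compiled into the kernel (CONFIG_IP_NF_IPTABLES=y)"` so the log line agrees with the state it records. The guarding test in this hunk, `[ -f ${LINUXCONFIGFILE} -a ${IPTABLES_MODULE_ACTIVE} -eq 0 ]`, also relies on the obsolescent `-a` with unquoted operands; `if [ -f "${LINUXCONFIGFILE}" ] && [ "${IPTABLES_MODULE_ACTIVE}" -eq 0 ]; then` is the portable form. The enclosing test block starts before this hunk.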
@@ -99,11 +99,11 @@
FIREWALL_ACTIVE=1
if [ ${FIND} -le 10 ]; then
# Firewall is active, but clearly needs configuration
- logtext "Result: iptables ruleset seems to be empty (found ${FIND} rules)"
+ LogText "Result: iptables ruleset seems to be empty (found ${FIND} rules)"
Display --indent 4 --text "- Checking for empty ruleset" --result WARNING --color RED
ReportWarning ${TEST_NO} "L" "iptables module(s) loaded, but no rules active"
else
- logtext "Result: one or more rules are available (${FIND} rules)"
+ LogText "Result: one or more rules are available (${FIND} rules)"
Display --indent 4 --text "- Checking for empty ruleset" --result OK --color GREEN
fi
fi
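Review bot: `if [ ${FIND} -le 10 ]` compares an unquoted value that is assigned outside this hunk; if that assignment ever yields an empty string, `[` sees only `-le 10` and aborts the test with a unary-operator error instead of taking either branch, so the "empty ruleset" warning this hunk logs would never be reported. Quoting and defaulting it, `if [ "${FIND:-0}" -le 10 ]; then`, makes an empty count fall into the empty-ruleset branch, which appears to be the intent. The enclosing test block starts before this hunk.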
@@ -119,16 +119,16 @@
FIND=`${IPTABLESBINARY} --list --numeric --line-numbers --verbose | awk '{ if ($2=="0") print $1 }' | xargs`
if [ "${FIND}" = "" ]; then
Display --indent 4 --text "- Checking for unused rules" --result OK --color GREEN
- logtext "Result: There are no unused rules present"
+ LogText "Result: There are no unused rules present"
else
Display --indent 4 --text "- Checking for unused rules" --result FOUND --color YELLOW
- logtext "Result: Found one or more possible unused rules"
- logtext "Description: Unused rules can be a sign that the firewall rules aren't optimized or up-to-date"
- logtext "Note: Sometimes rules aren't triggered but still in use. Keep this in mind before cleaning up rules."
- logtext "Output: iptables rule numbers: ${FIND}"
+ LogText "Result: Found one or more possible unused rules"
+ LogText "Description: Unused rules can be a sign that the firewall rules aren't optimized or up-to-date"
+ LogText "Note: Sometimes rules aren't triggered but still in use. Keep this in mind before cleaning up rules."
+ LogText "Output: iptables rule numbers: ${FIND}"
#ReportWarning ${TEST_NO} "L" "Found possible unused iptables rules ($FIND)"
ReportSuggestion ${TEST_NO} "Check iptables rules to see which rules are currently not used"
- logtext "Tip: iptables --list --numeric --line-numbers --verbose"
+ LogText "Tip: iptables --list --numeric --line-numbers --verbose"
fi
fi
#
@@ -142,18 +142,18 @@
PFFOUND=0; PFLOGDFOUND=0
# Check status with pfctl
- logtext "Test: checking pf status via pfctl"
+ LogText "Test: checking pf status via pfctl"
if [ ! "${PFCTLBINARY}" = "" ]; then
FIND=`${PFCTLBINARY} -sa 2>&1 | grep "^Status" | head -1 | awk '{ print $2 }'`
if [ "${FIND}" = "Enabled" ]; then
Display --indent 2 --text "- Checking pf status (pfctl)" --result ENABLED --color GREEN
- logtext "Result: pf is enabled"
+ LogText "Result: pf is enabled"
PFFOUND=1
AddHP 3 3
else
if [ "${FIND}" = "Disabled" ]; then
Display --indent 2 --text "- Checking pf status (pfctl)" --result DISABLED --color RED
- logtext "Result: pf is disabled"
+ LogText "Result: pf is disabled"
AddHP 0 3
else
Display --indent 2 --text "- Checking pf status (pfctl)" --result UNKNOWN --color YELLOW
@@ -165,27 +165,27 @@
# If we didn't find the status to be enabled, stop searching
if [ ${PFFOUND} -eq 0 ]; then
# Check for pf kernel module (FreeBSD and similar)
- logtext "Test: searching for pf kernel module"
+ LogText "Test: searching for pf kernel module"
if [ ! "${KLDSTATBINARY}" = "" ]; then
FIND=`${KLDSTATBINARY} | grep 'pf.ko'`
if [ "${FIND}" = "" ]; then
- logtext "Result: Can not find pf KLD"
+ LogText "Result: Can not find pf KLD"
else
- logtext "Result: pf KLD loaded"
+ LogText "Result: pf KLD loaded"
PFFOUND=1
fi
else
- logtext "Result: no kldstat binary, skipping this part"
+ LogText "Result: no kldstat binary, skipping this part"
fi
IsRunning pflogd
if [ ${RUNNING} -eq 1 ]; then
- logtext "Result: found pflog daemon in process list"
+ LogText "Result: found pflog daemon in process list"
Display --indent 4 --text "- Checking pflogd status" --result ACTIVE --color GREEN
PFFOUND=1
PFLOGDFOUND=1
else
- logtext "Result: pflog daemon not found in process list"
+ LogText "Result: pflog daemon not found in process list"
fi
fi
@@ -193,7 +193,7 @@
FIREWALL_ACTIVE=1
FIREWALL_SOFTWARE="pf"
else
- logtext "Result: pf not running on this system"
+ LogText "Result: pf not running on this system"
fi
fi
#
@@ -204,23 +204,23 @@
if [ ${PFFOUND} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no FIRE-4520 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check pf configuration consistency"
if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: check /etc/pf.conf"
+ LogText "Test: check /etc/pf.conf"
# Test for warnings (-n don't load the rules)
if [ -f /etc/pf.conf ]; then
- logtext "Result: /etc/pf.conf exists"
+ LogText "Result: /etc/pf.conf exists"
# Check results from pfctl
PFWARNINGS=`pfctl -n -f /etc/pf.conf -vvv 2>&1 | grep -i 'warning'`
if [ "${PFWARNINGS}" = "" ]; then
Display --indent 4 --text "- Checking pf configuration consistency" --result OK --color GREEN
- logtext "Result: no pf filter warnings found"
+ LogText "Result: no pf filter warnings found"
else
Display --indent 4 --text "- Checking pf configuration consistency" --result WARNING --color RED
- logtext "Result: found one or more warnings in the pf filter rules"
+ LogText "Result: found one or more warnings in the pf filter rules"
ReportWarning ${TEST_NO} "H" "Found one or more warnings in pf configuration file"
ReportSuggestion ${TEST_NO} "Run 'pfctl -n -f /etc/pf.conf -vvv' to see available pf warnings"
fi
else
- logtext "Result: /etc/pf.conf does NOT exist"
+ LogText "Result: /etc/pf.conf does NOT exist"
fi
fi
#
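Review bot: The pf consistency check on the line following the renamed `LogText "Result: /etc/pf.conf exists"` invokes `pfctl` by bare name, whereas the pf status check earlier in the file uses the located `${PFCTLBINARY}`; this test therefore depends on whatever `pfctl` the caller's PATH resolves, rather than the binary Lynis already detected. Since PFFOUND can also be set from the kldstat or pflogd checks without PFCTLBINARY being non-empty, guard the call as well: `if [ ! "${PFCTLBINARY}" = "" ]; then PFWARNINGS=$(${PFCTLBINARY} -n -f /etc/pf.conf -vvv 2>&1 | grep -i 'warning'); fi`, and log a skip otherwise. The bare `service -e` call in the IPFW hunk has the same PATH dependency.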
@@ -236,14 +236,14 @@
Register --test-no FIRE-4524 --weight L --network NO --description "Check for CSF presence"
if [ ${SKIPTEST} -eq 0 ]; then
FILE="/etc/csf/csf.conf"
- logtext "Test: check ${FILE}"
+ LogText "Test: check ${FILE}"
if [ -f ${FILE} ]; then
- logtext "Result: ${FILE} exists"
+ LogText "Result: ${FILE} exists"
FIREWALL_ACTIVE=1
FIREWALL_SOFTWARE="csf"
Display --indent 2 --text "- Checking CSF status (configuration file)" --result FOUND --color GREEN
else
- logtext "Result: ${FILE} does NOT exist"
+ LogText "Result: ${FILE} does NOT exist"
fi
fi
#
@@ -257,12 +257,12 @@
FIND=`${IPFBINARY} -n -V | grep "^Running" | awk '{ print $2 }'`
if [ "${FIND}" = "yes" ]; then
Display --indent 4 --text "- Checking ipf status" --result RUNNING --color GREEN
- logtext "Result: ipf is enabled and running"
+ LogText "Result: ipf is enabled and running"
FIREWALL_ACTIVE=1
FIREWALL_SOFTWARE="ipf"
else
Display --indent 4 --text "- Checking ipf status" --result "NOT RUNNING" --color YELLOW
- logtext "Result: ipf is not running"
+ LogText "Result: ipf is not running"
fi
fi
#
@@ -277,20 +277,20 @@
FIND=`${SYSCTLBINARY} net.inet.ip.fw.enable | awk '{ print $2 }'`
if [ "${FIND}" = "1" ]; then
Display --indent 2 --text "- Checking IPFW status" --result RUNNING --color GREEN
- logtext "Result: IPFW is running for IPv4"
+ LogText "Result: IPFW is running for IPv4"
FIREWALL_ACTIVE=1
FIREWALL_SOFTWARE="ipfw"
IPFW_ENABLED=`service -e | grep -o ipfw`
if [ "${IPFW_ENABLED}" = "ipfw" ]; then
Display --indent 4 --text "- IPFW enabled in /etc/rc.conf" --result YES --color GREEN
- logtext "Result: IPFW is enabled at start-up for IPv4"
+ LogText "Result: IPFW is enabled at start-up for IPv4"
else
Display --indent 4 --text "- ipfw enabled in /etc/rc.conf" --result NO --color YELLOW
- logtext "Result: IPFW is disabled at start-up for IPv4"
+ LogText "Result: IPFW is disabled at start-up for IPv4"
fi
else
Display --indent 2 --text "- Checking IPFW status" --result "NOT RUNNING" --color YELLOW
- logtext "Result: IPFW is not running for IPv4"
+ LogText "Result: IPFW is not running for IPv4"
fi
else
Display --indent 2 --text "- Checking IPFW" --result SKIPPED --color YELLOW
@@ -309,13 +309,13 @@
if [ ! "${FIND}" = "" ]; then
Display --indent 2 --text "- Checking Mac OS X: Application Firewall" --result ENABLED --color GREEN
AddHP 3 3
- logtext "Result: application firewall of Mac OS X is enabled"
+ LogText "Result: application firewall of Mac OS X is enabled"
APPLICATION_FIREWALL_ACTIVE=1
- report "app_fw[]=macosx-app-fw"
+ Report "app_fw[]=macosx-app-fw"
else
Display --indent 2 --text "- Checking IPFW" --result DISABLED --color YELLOW
AddHP 1 3
- logtext "Result: application firewall of Mac OS X is disabled"
+ LogText "Result: application firewall of Mac OS X is disabled"
fi
fi
#
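Review bot: The disabled branch of the Mac OS X application firewall test displays `- Checking IPFW`, while the enabled branch a few lines above displays `- Checking Mac OS X: Application Firewall`; the screen output for a disabled application firewall is therefore attributed to the wrong firewall. Change it to `Display --indent 2 --text "- Checking Mac OS X: Application Firewall" --result DISABLED --color YELLOW` so both branches name the same check. The enclosing test block starts before this hunk.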
@@ -327,16 +327,16 @@
if [ ${SKIPTEST} -eq 0 ]; then
if [ ${FIREWALL_ACTIVE} -eq 1 ]; then
Display --indent 2 --text "- Checking host based firewall" --result ACTIVE --color GREEN
- logtext "Result: host based firewall or packet filter is active"
- report "manual[]=Verify if there is a formal process for testing and applying firewall rules"
- report "manual[]=Verify all traffic is filtered the right way between the different security zones"
- report "manual[]=Verify if a list is available with all required services"
+ LogText "Result: host based firewall or packet filter is active"
+ Report "manual[]=Verify if there is a formal process for testing and applying firewall rules"
+ Report "manual[]=Verify all traffic is filtered the right way between the different security zones"
+ Report "manual[]=Verify if a list is available with all required services"
# YYY Solaris ipf (determine default policy)
- report "manual[]=Make sure an explicit deny all is the default policy for all unmatched traffic"
+ Report "manual[]=Make sure an explicit deny all is the default policy for all unmatched traffic"
AddHP 5 5
else
Display --indent 2 --text "- Checking host based firewall" --result "NOT ACTIVE" --color YELLOW
- logtext "Result: no host based firewall/packet filter found or configured"
+ LogText "Result: no host based firewall/packet filter found or configured"
ReportSuggestion ${TEST_NO} "Configure a firewall/packet filter to filter incoming and outgoing traffic"
AddHP 0 5
fi
@@ -346,13 +346,13 @@
#
# Report firewall installed for now, if we found one active. Next step would be determining binaries first and apply additional checks.
-report "firewall_installed=${FIREWALL_ACTIVE}"
-report "firewall_active=${FIREWALL_ACTIVE}"
-report "firewall_software=${FIREWALL_SOFTWARE}"
+Report "firewall_installed=${FIREWALL_ACTIVE}"
+Report "firewall_active=${FIREWALL_ACTIVE}"
+Report "firewall_software=${FIREWALL_SOFTWARE}"
wait_for_keypress
#
#================================================================================
-# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com
+# Lynis - Copyright 2007-2016, Michael Boelen, CISOfy - https://cisofy.com