Diffstat (limited to 'include/tests_networking')
-rw-r--r--include/tests_networking127
1 files changed, 111 insertions, 16 deletions
diff --git a/include/tests_networking b/include/tests_networking
index 51bed912..7a04305f 100644
--- a/include/tests_networking
+++ b/include/tests_networking
@@ -6,7 +6,7 @@
# ------------------
#
# Copyright 2007-2013, Michael Boelen
-# Copyright 2007-2019, CISOfy
+# Copyright 2007-2020, CISOfy
#
# Website : https://cisofy.com
# Blog : http://linux-audit.com
@@ -31,7 +31,56 @@
#
#################################################################################
#
- InsertSection "Networking"
+ InsertSection "${SECTION_NETWORKING}"
+#
+#################################################################################
+#
+ # Test : NETW-2400
+ # Description : Test hostname for valid characters and length
+ # Notes : FQDN: max 253 characters
+ # : component: a-z, 0-9, hyphen, not start with hyphen, max 63 characters
+ # dots allowed as separator
+ Register --test-no NETW-2400 --weight L --network YES --category basics --description "Hostname length and value check"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ # Test first the fully qualified domain name
+ if [ ${#FQDN} -gt 253 ]; then
+ # Too long
+ LogText "Result: FQDN is more than 253 characters"
+ Display --indent 2 --text "- Hostname (FQDN length)" --result "${STATUS_WARNING}" --color RED
+ ReportWarning "${TEST_NO}" "Hostname is too long (more than 253 characters)"
+ elif [ ${#FQDN} -eq 0 ]; then
+ # FQDN not defined
+ LogText "Result: FQDN is not defined"
+ if IsVerbose; then Display --indent 2 --text "- Hostname (FQDN length)" --result "${STATUS_UNKNOWN}" --color YELLOW; fi
+ else
+ # Fine
+ LogText "Result: FQDN is defined and not longer than 253 characters (${#FQDN} characters)"
+ if IsVerbose; then Display --indent 2 --text "- Hostname (FQDN length)" --result "${STATUS_OK}" --color GREEN; fi
+ fi
+ # Now test short hostname
+ if [ ${#HOSTNAME} -eq 0 ]; then
+ if IsVerbose; then Display --indent 2 --text "- Hostname (FQDN length)" --result "${STATUS_NONE}" --color RED; fi
+ LogText "Result: hostname is not defined"
+ else
+ # Test length
+ if [ ${#HOSTNAME} -gt 63 ]; then
+ LogText "Result: hostname is more than 63 characters"
+ Display --indent 2 --text "- Hostname (length)" --result "${STATUS_WARNING}" --color RED
+ else
+ LogText "Result: hostnamed is defined and not longer than 63 characters"
+ fi
+ # Test valid characters (normally a dot should not be in the name, but we can't be 100% sure we have short name)
+ FIND=$(echo "${HOSTNAME}" | ${TRBINARY} -d '[:alnum:]\.\-')
+ if [ -z "${FIND}" ]; then
+ LogText "Result: good, no unexpected characters discovered in hostname"
+ if IsVerbose; then Display --indent 2 --text "- Hostname (allowed characters)" --result "${STATUS_OK}" --color GREEN; fi
+ else
+ LogText "Result: unexpected characters discovered in hostname (characters: ${FIND}), which may impact network connectivity"
+ Display --indent 2 --text "- Hostname (allowed characters)" --result "${STATUS_WARNING}" --color RED
+ ReportWarning "${TEST_NO}" "Hostname contains invalid characters" "hostname" "text:See log file for invalid characters"
+ fi
+ fi
+ fi
#
#################################################################################
#
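Review bot: The hyphen rule given in the Notes header (a component must not start with a hyphen) is never enforced: the tr on the `FIND=` line only deletes permitted characters, so a hostname such as `-host` or `a.-b` is reported as clean. A pattern test ahead of the tr would cover it, e.g. `case "${HOSTNAME}" in -*|*.-*) LogText "Result: hostname has a label starting with a hyphen"; ReportWarning "${TEST_NO}" "Hostname label starts with a hyphen" ;; esac`. The short-hostname branch reuses the "- Hostname (FQDN length)" label for its `STATUS_NONE` display where "- Hostname (length)" is meant, and its more-than-63-characters case only calls Display, whereas the FQDN branch also files a ReportWarning; the log text "hostnamed is defined" carries a stray d. Since `[:alnum:]` is locale-dependent and can accept non-ASCII letters that DNS labels do not, prefixing the tr with `LC_ALL=C` keeps the check byte-wise.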
@@ -91,7 +140,7 @@
Display --indent 2 --text "- Checking IPv6 configuration" --result "${STATUS_ENABLED}" --color WHITE
STATUS=$(echo ${IPV6_MODE} | ${TRBINARY} '[:lower:]' '[:upper:]')
Display --indent 6 --text "Configuration method" --result "${STATUS}" --color WHITE
- if [ ${IPV6_ONLY} -eq 1 ]; then STATUS="YES"; else STATUS="NO"; fi
+ if [ ${IPV6_ONLY} -eq 1 ]; then STATUS="${STATUS_YES}"; else STATUS="${STATUS_NO}"; fi
LogText "Result: IPv6 only configuration: ${STATUS}"
Display --indent 6 --text "IPv6 only" --result "${STATUS}" --color WHITE
else
@@ -190,6 +239,40 @@
#
#################################################################################
#
+ # Test : NETW-2706
+ # Description : Check systemd-resolve output and upstream DNSSEC status
+ # Notes : Ubuntu 16.04 uses systemd-resolve, newer ones most likely resolvectl
+ if [ -n "${RESOLVECTLBINARY}" ]; then
+ PREQS_MET="YES"
+ RESOLVE_CMD="${RESOLVECTLBINARY}"
+ RESOLVE_CMD_PARAM="statistics"
+ elif [ -n "$(command -v systemd-resolve 2> /dev/null)" ]; then
+ PREQS_MET="YES"
+ RESOLVE_CMD="$(command -v systemd-resolve 2> /dev/null)"
+ RESOLVE_CMD_PARAM="--statistics"
+ else
+ PREQS_MET="NO"
+ fi
+ Register --test-no NETW-2706 --preqs-met "${PREQS_MET}" --weight L --network YES --category security --description "Check systemd-resolved and upstream DNSSEC status"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ SKIP=0
+ DNSSEC_STATUS=$(${RESOLVE_CMD} ${RESOLVE_CMD_PARAM} 2> /dev/null | ${AWKBINARY} -F ":" '/DNSSEC supported/ { print $2 }' | ${TRBINARY} -d ' ')
+ if [ "${DNSSEC_STATUS}" = "yes" ]; then
+ Display --indent 4 --text "- DNSSEC supported (systemd-resolved)" --result "${STATUS_YES}" --color GREEN
+ LogText "Result: DNSSEC supported by systemd-resolved and upstream DNS servers"
+ elif [ "${DNSSEC_STATUS}" = "no" ]; then
+ Display --indent 4 --text "- DNSSEC supported (systemd-resolved)" --result "${STATUS_NO}" --color YELLOW
+ LogText "Result: DNSSEC not supported by systemd-resolved or upstream DNS servers"
+ else
+ Display --indent 4 --text "- DNSSEC supported (systemd-resolved)" --result "${STATUS_UNKNOWN}" --color RED
+ LogText "Result: command '${RESOLVE_CMD} ${RESOLVE_CMD_PARAM}' returned an error. Please run command manually to check for details."
+ fi
+ else
+ LogText "Result: Test most likely skipped due to not having resolvectl"
+ fi
+#
+#################################################################################
+#
# Test : NETW-3001
# Description : Find default gateway (route)
# More info : BSD: ^default Linux: 0.0.0.0
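Review bot: The `DNSSEC_STATUS=` pipeline discards the resolver command's exit status (stderr dropped, two further stages), so the final else branch, which logs that the command "returned an error", is also reached when the command succeeds but prints no `DNSSEC supported:` line, for instance on a resolvectl build that words its statistics differently. Capturing the output first keeps the two cases apart: `if ! RESOLVE_OUTPUT=$(${RESOLVE_CMD} ${RESOLVE_CMD_PARAM} 2> /dev/null); then` for the error path, then run the awk/tr parse on `${RESOLVE_OUTPUT}` and treat an empty result as unknown rather than as a failure. `SKIP=0` is assigned and never read in this hunk and can be dropped. `command -v systemd-resolve` is executed twice (the elif test and the assignment on the following line); storing it once avoids the repeat.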
@@ -429,6 +512,15 @@
ReportException "${TEST_NO}:3" "netstat missing to gather listening ports"
fi
;;
+ Solaris)
+ if [ -n "${NETSTATBINARY}" ]; then
+ LogText "Test: Retrieving netstat information to find listening ports"
+ FIND=$(${NETSTATBINARY} -an -P udp | ${AWKBINARY} '{ if($7=="LISTEN") { print $1"|udp|LISTEN|" }}')
+ FIND2=$(${NETSTATBINARY} -an -P tcp | ${AWKBINARY} '{ if($7=="LISTEN") { print $1"|tcp|LISTEN|" }}')
+ else
+ ReportException "${TEST_NO}:4" "netstat missing to gather listening ports"
+ fi
+ ;;
*)
# Got this exception? Provide your details and output of netstat or any other tool to determine this information.
ReportException "${TEST_NO}:2" "Unclear what method to use, to determine listening port information"
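Review bot: The UDP query on the `FIND=$(${NETSTATBINARY} -an -P udp ...)` line keys on `$7=="LISTEN"`, but Solaris `netstat -P udp` output, as far as I know it, has only Local Address, Remote Address and State columns and reports bound UDP sockets as `Idle`, never `LISTEN`; if so, this query always yields an empty FIND and listening UDP ports on Solaris go unreported. Please verify against a live system and, if confirmed, match on the State column for the udp case, e.g. `$3=="Idle"`, keeping the `"|udp|LISTEN|"` output format the other branches appear to expect. The tcp query, where State is the seventh column, looks right. The enclosing `case ${OS}` and the test it belongs to start before the hunk.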
@@ -600,7 +692,7 @@
Display --indent 2 --text "- Checking status DHCP client" --result "${STATUS_RUNNING}" --color WHITE
DHCP_CLIENT_RUNNING=1
else
- Display --indent 2 --text "- Checking status DHCP client" --result "NOT ACTIVE" --color WHITE
+ Display --indent 2 --text "- Checking status DHCP client" --result "${STATUS_NOT_ACTIVE}" --color WHITE
fi
fi
#
@@ -641,40 +733,44 @@
#
# Test : NETW-3200
# Description : Determine available network protocols
+ # Notes : See all available supported modules: ls -d /lib/modules/$(uname -r )/kernel/net
+ # To see active/enabled protocols: ls -d /proc/sys/net
Register --test-no NETW-3200 --weight L --network YES --category security --description "Determine available network protocols"
if [ ${SKIPTEST} -eq 0 ]; then
TESTED=0
+ FOUND_UNCOMMON_PROTOCOL_ENABLED=0
case ${OS} in
Linux)
TESTED=1
LogText "Test: checking the status of some network protocols that typically are not used"
UNCOMMON_PROTOCOLS="dccp sctp rds tipc"
for P in ${UNCOMMON_PROTOCOLS}; do
+ LogText "Test: now checking module '${P}'"
if ! SkipAtomicTest "${TEST_NO}:${P}"; then
- FOUND_UNCOMMON_PROTOCOL=0
+ UNCOMMON_PROTOCOL_DISABLED=0
+ # First check modprobe.conf
if [ -f ${ROOTDIR}etc/modprobe.conf ]; then
DATA=$(${GREPBINARY} "^install ${P} /bin/true" ${ROOTDIR}etc/modprobe.conf)
if [ -n "${DATA}" ]; then
- LogText "Result: found ${P} module loaded via modprobe.conf"
- FOUND_UNCOMMON_PROTOCOL=1
+ LogText "Result: found ${P} module disabled via modprobe.conf"
+ UNCOMMON_PROTOCOL_DISABLED=1
fi
fi
+ # Then additional modprobe configuration files
if [ -d ${ROOTDIR}etc/modprobe.d ]; then
DATA=$(${GREPBINARY} --files-with-matches --no-messages "^install ${P} /bin/true" ${ROOTDIR}etc/modprobe.d/*)
if [ -n "${DATA}" ]; then
- FOUND_UNCOMMON_PROTOCOL=1
+ UNCOMMON_PROTOCOL_DISABLED=1
for F in ${DATA}; do
- LogText "Result: found ${P} module loaded via ${F}"
+ LogText "Result: found ${P} module disabled via ${F}"
done
fi
fi
- # Although a protocol may not been enabled using install, it can be loaded. This may be revealed using /proc
- #/proc/sys/net/
-
- if [ ${FOUND_UNCOMMON_PROTOCOL} -eq 1 ]; then
- ReportSuggestion "${TEST_NO}" "Determine if network protocol ${P} needs to be used on this system"
+ if [ ${UNCOMMON_PROTOCOL_DISABLED} -eq 0 ]; then
+ ReportSuggestion "${TEST_NO}" "Determine if protocol '${P}' is really needed on this system"
Report "uncommon_network_protocol_enabled=${P}"
+ FOUND_UNCOMMON_PROTOCOL_ENABLED=1
fi
fi
done
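Review bot: With the inverted logic a protocol now counts as enabled unless an exact `install <P> /bin/true` line is found, and the grep pattern `"^install ${P} /bin/true"` is narrow: `install P /bin/false`, `blacklist P`, a tab or double space between the words, or a module that is not shipped with the kernel at all would each still trigger the ReportSuggestion and the `uncommon_network_protocol_enabled` report item, so the new `UNCOMMON_PROTOCOL_DISABLED` flag produces false positives on hardened systems. Since this branch is Linux-only, an extended-regex pattern such as `"^(install[[:space:]]+${P}[[:space:]]+/bin/(true|false)|blacklist[[:space:]]+${P})"` with `-E` would cover the usual disabling forms. The comment removed at the end of the hunk (a protocol can still be loaded, visible via /proc/sys/net) and the new Notes line pointing at `ls -d /proc/sys/net` describe a check the code still does not perform; something like `[ -d ${ROOTDIR}proc/sys/net/${P} ]` could tell an actually active protocol from a merely loadable one, to be confirmed per protocol. The enclosing test and its `if [ ${SKIPTEST} -eq 0 ]` block continue past the hunk.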
@@ -686,7 +782,7 @@
;;
esac
if [ ${TESTED} -eq 1 ]; then
- if [ ${FOUND_UNCOMMON_PROTOCOL} -eq 1 ]; then
+ if [ ${FOUND_UNCOMMON_PROTOCOL_ENABLED} -eq 1 ]; then
Display --indent 2 --text "- Uncommon network protocols" --result "${FOUND}" --color YELLOW
else
Display --indent 2 --text "- Uncommon network protocols" --result "${STATUS_NOT_FOUND}" --color GREEN
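Review bot: The renamed condition `if [ ${FOUND_UNCOMMON_PROTOCOL_ENABLED} -eq 1 ]` now guards a Display whose result is `"${FOUND}"` on the next line; `FOUND` is not assigned anywhere in this hunk, and the rest of the commit moves Display results onto the `${STATUS_*}` constants (`${STATUS_YES}`, `${STATUS_NOT_ACTIVE}`), so this looks like it should read `--result "${STATUS_FOUND}"` to mirror the `${STATUS_NOT_FOUND}` branch below it. Please confirm that FOUND is not set deliberately elsewhere before changing it. The enclosing `if [ ${TESTED} -eq 1 ]` block and the test it belongs to start before the hunk.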
@@ -698,7 +794,6 @@
#################################################################################
#
-
WaitForKeyPress
#