diff options
Diffstat (limited to 'include/tests_ssh')
-rw-r--r-- | include/tests_ssh | 295 |
1 files changed, 295 insertions, 0 deletions
diff --git a/include/tests_ssh b/include/tests_ssh new file mode 100644 index 00000000..91da5f0d --- /dev/null +++ b/include/tests_ssh @@ -0,0 +1,295 @@ +#!/bin/sh + +################################################################################# +# +# Lynis +# ------------------ +# +# Copyright 2007-2014, Michael Boelen (michael@rootkit.nl), The Netherlands +# Web site: http://www.rootkit.nl +# +# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are +# welcome to redistribute it under the terms of the GNU General Public License. +# See LICENSE file for usage of this software. +# +################################################################################# +# +# SSH +# +################################################################################# +# + SSH_DAEMON_CONFIG_LOCS="/etc /etc/ssh /usr/local/etc/ssh /opt/csw/etc/ssh" + SSH_DAEMON_CONFIG="" + SSH_DAEMON_PORT="" + SSH_DAEMON_RUNNING=0 +# +################################################################################# +# + InsertSection "SSH Support" +# +################################################################################# +# + # Test : SSH-7402 + # Description : Check for a running SSH daemon + Register --test-no SSH-7402 --weight L --network NO --description "Check for running SSH daemon" + if [ ${SKIPTEST} -eq 0 ]; then + logtext "Test: Searching for a SSH daemon..." + IsRunning sshd + if [ ${RUNNING} -eq 1 ]; then + SSH_DAEMON_RUNNING=1 + Display --indent 2 --text "- Checking running SSH daemon..." --result FOUND --color GREEN + else + Display --indent 2 --text "- Checking running SSH daemon..." --result "NOT FOUND" --color WHITE + fi + fi +# +################################################################################# +# + # Test : SSH-7404 + # Description : Determine SSH daemon configuration file location + if [ ${SSH_DAEMON_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + Register --test-no SSH-7404 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check SSH daemon file location" + if [ ${SKIPTEST} -eq 0 ]; then + FOUND=0 + logtext "Action: searching for sshd_config file" + for I in ${SSH_DAEMON_CONFIG_LOCS}; do + if [ -f "${I}/sshd_config" ]; then + logtext "Result: ${I}/sshd_config exists" + if [ ${FOUND} -eq 1 ]; then + ReportException "${TEST_NO}:01" + logtext "Result: we already had found another sshd_config file. Using this new file then." + fi + FOUND=1 + SSH_DAEMON_CONFIG="${I}/sshd_config" + fi + done + if [ "${SSH_DAEMON_CONFIG}" = "" ]; then + logtext "Result: No sshd configuration found" + Display --indent 4 --text "- Searching SSH configuration..." --result "NOT FOUND" --color YELLOW + else + logtext "Result: using last found configuration file: ${SSH_DAEMON_CONFIG}" + Display --indent 4 --text "- Searching SSH configuration..." --result FOUND --color GREEN + fi + fi +# +################################################################################# +# +# # Test : SSH-7406 +# # Description : Check for a running SSH daemon +# if [ ${SSH_DAEMON_RUNNING} -eq 1 -a ! "${SSH_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi +# Register --test-no SSH-7406 --preqs-met ${PREQS_MET} --weight L --network NO --description "SSH daemon listening port" +# if [ ${SKIPTEST} -eq 0 ]; then +# logtext "Test: Searching for a SSH daemon..." +# CheckOption "^Port " ${SSH_DAEMON_CONFIG} +# if [ ${FOUND} -eq 1 ]; then +# FIND=`echo ${FIND} | awk '{ if ($1=="Port") { print $2 }}'` +# # Check if this output is numeric and usuable for later (e.g. in netstat output) +# Display --indent 2 --text "- Checking SSH listening port..." --result FOUND --color GREEN +# logtext "Result: setting port number to ${FIND}" +# SSH_DAEMON_PORT="${FIND}" +# else +# Display --indent 2 --text "- Checking SSH listening port..." --result "NOT FOUND" --color WHITE +# logtext "Result: setting port to default number, as no other port has been configured" +# SSH_DAEMON_PORT="22" +# fi +# fi +# +################################################################################# +# + # Test : SSH-7408 + # Description : Check SSH specific defined options + if [ ${SSH_DAEMON_RUNNING} -eq 1 -a ! "${SSH_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + Register --test-no SSH-7408 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check SSH defined options" + if [ ${SKIPTEST} -eq 0 ]; then + logtext "Test: Checking all specific defined options in ${SSH_DAEMON_CONFIG}" + FIND=`cat ${SSH_DAEMON_CONFIG} | grep -v "^#" | grep -v "^$" | ${AWKBINARY} '{gsub("\t"," ");print}' | sed 's/ /!space!/g'` + for I in ${FIND}; do + I=`echo ${I} | sed 's/!space!/ /g'` + logtext "Found SSH option: ${I}" + done + Display --indent 4 --text "- Checking defined SSH options..." --result "DONE" --color GREEN + fi +# +################################################################################# +# + # Test : SSH-7412 + # Description : Check SSH PermitRootLogin option + if [ ${SSH_DAEMON_RUNNING} -eq 1 -a ! "${SSH_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + Register --test-no SSH-7412 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check SSH option: PermitRootLogin" + if [ ${SKIPTEST} -eq 0 ]; then + logtext "Test: check PermitRootLogin option" + FIND=`cat ${SSH_DAEMON_CONFIG} | grep "^PermitRootLogin" | awk '{ print $2 }'` + if [ "${FIND}" = "yes" -o "${FIND}" = "YES" -o "${FIND}" = "Yes" ]; then + logtext "Result: PermitRootLogin is enabled, root can login directly" + Display --indent 4 --text "- SSH option: PermitRootLogin..." --result WARNING --color RED + ReportWarning ${TEST_NO} "M" "Root can directly login via SSH" + AddHP 0 3 + else + # YYY add test for DenyUsers root + if [ "${FIND}" = "no" -o "${FIND}" = "No" ]; then + logtext "Result: PermitRootLogin is disabled. Root can't login directly" + Display --indent 4 --text "- SSH option: PermitRootLogin..." --result DISABLED --color GREEN + AddHP 3 3 + else + logtext "Result: Value of PermitRootLogin is unknown (not defined)" + Display --indent 4 --text "- SSH option: PermitRootLogin..." --result DEFAULT --color WHITE + fi + fi + fi +# +################################################################################# +# + # Test : SSH-7414 + # Description : Check SSH Protocol option + if [ ${SSH_DAEMON_RUNNING} -eq 1 -a ! "${SSH_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + Register --test-no SSH-7414 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check SSH option: Protocol" + if [ ${SKIPTEST} -eq 0 ]; then + logtext "Test: check allowed SSH protocol versions" + FIND=`cat ${SSH_DAEMON_CONFIG} | grep "^Protocol" | awk '{ print $2 }'` + if [ "${FIND}" = "1" -o "${FIND}" = "2,1" -o "${FIND}" = "1,2" ]; then + logtext "Result: Protocol option is set to allow SSH protocol version 1" + Display --indent 4 --text "- SSH option: Protocol..." --result WARNING --color RED + ReportWarning ${TEST_NO} "M" "SSH protocol version 1 is allowed" + AddHP 0 3 + else + if [ "${FIND}" = "2" ]; then + logtext "Result: only protocol 2 is allowed" + Display --indent 4 --text "- SSH option: Protocol..." --result OK --color GREEN + AddHP 3 3 + else + logtext "Result: value of Protocol is unknown (not defined)" + Display --indent 4 --text "- SSH option: Protocol..." --result DEFAULT --color WHITE + fi + fi + fi +# +################################################################################# +# + # Test : SSH-7416 + # Description : Check SSH StrictModes option + if [ ${SSH_DAEMON_RUNNING} -eq 1 -a ! "${SSH_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + Register --test-no SSH-7416 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check SSH option: StrictModes" + if [ ${SKIPTEST} -eq 0 ]; then + logtext "Test: Check configured StrictModes option" + FIND=`cat ${SSH_DAEMON_CONFIG} | grep "^StrictModes" | awk '{ print $2 }'` + if [ "${FIND}" = "no" -o "${FIND}" = "NO" -o "${FIND}" = "No" ]; then + logtext "Result: StrictModes option is set to 'no', which means file permissions are NOT checked" + Display --indent 4 --text "- SSH option: StrictModes..." --result WARNING --color RED + ReportWarning ${TEST_NO} "M" "StrictModes is turned off" + ReportSuggestion ${TEST_NO} "Check StrictModes option in sshd_config" + AddHP 0 3 + else + if [ "${FIND}" = "yes" -o "${FIND}" = "YES" -o "${FIND}" = "Yes" ]; then + logtext "Result: StrictModes active, file permissions are checked" + Display --indent 4 --text "- SSH option: StrictModes..." --result OK --color GREEN + AddHP 3 3 + else + logtext "Result: value of StrictModes is unknown (not defined)" + Display --indent 4 --text "- SSH option: StrictModes..." --result DEFAULT --color WHITE + fi + fi + fi +# +################################################################################# +# + # Test : SSH-7418 + # Description : Check SSH Port option +# if [ ${SSH_DAEMON_RUNNING} -eq 1 -a ! "${SSH_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi +# Register --test-no SSH-7418 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check SSH option: Port" +# if [ ${SKIPTEST} -eq 0 ]; then +# logtext "Test: check allowed SSH protocol versions" +# FIND=`cat ${SSH_DAEMON_CONFIG} | grep "^Port" | awk '{ if ($2!="22") { print $2 } }'` +# if [ "${FIND}" = "1" -o "${FIND}" = "2,1" -o "${FIND}" = "1,2" ]; then +# logtext "Result: Protocol option is set to allow SSH protocol version 1" +# Display --indent 4 --text "- SSH option: Protocol..." --result WARNING --color RED +# ReportWarning ${TEST_NO} "M" "SSH protocol version 1 is allowed" +# AddHP 0 3 +# else +# if [ "${FIND}" = "2" ]; then +# logtext "Result: only protocol 2 is allowed" +# Display --indent 4 --text "- SSH option: Protocol..." --result OK --color GREEN +# AddHP 3 3 +# else +# logtext "Result: value of Protocol is unknown (not defined)" +# Display --indent 4 --text "- SSH option: Protocol..." --result DEFAULT --color WHITE +# fi +# fi +# fi +# +################################################################################# +# + # Test : SSH-7440 + # Description : AllowUsers / AllowGroups + # Goal : Check if only a specific amount of users/groups can log in to the system + if [ ${SSH_DAEMON_RUNNING} -eq 1 -a ! "${SSH_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + Register --test-no SSH-7440 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check SSH option: AllowUsers and AllowGroups" + if [ ${SKIPTEST} -eq 0 ]; then + FOUND=0 + # AllowUsers + FIND=`egrep "^AllowUsers" ${SSH_DAEMON_CONFIG} | awk '{ print $2 }'` + if [ ! "${FIND}" = "" ]; then + logtext "Result: AllowUsers set, with value ${FIND}" + Display --indent 4 --text "- SSH option: AllowUsers..." --result FOUND --color GREEN + FOUND=1 + else + logtext "Result: AllowUsers is not set" + Display --indent 4 --text "- SSH option: AllowUsers..." --result "NOT FOUND" --color WHITE + fi + + # AllowGroups + FIND=`egrep "^AllowGroups" ${SSH_DAEMON_CONFIG} | awk '{ print $2 }'` + if [ ! "${FIND}" = "" ]; then + logtext "Result: AllowUsers set ${FIND}" + Display --indent 4 --text "- SSH option: AllowGroups..." --result FOUND --color GREEN + FOUND=1 + else + logtext "Result: AllowGroups is not set" + Display --indent 4 --text "- SSH option: AllowGroups..." --result "NOT FOUND" --color WHITE + fi + + if [ ${FOUND} -eq 1 ]; then + logtext "Result: SSH is limited to a specific set of users, which is good" + AddHP 2 2 + else + logtext "Result: SSH has no specific user or group limitation. Most likely all valid users can SSH to this machine." + AddHP 0 1 + fi + fi +# +################################################################################# +# + # Test : SSH-7464 + # Description : HashKnownHosts + #if [ ${SSH_DAEMON_RUNNING} -eq 1 -a ! "${SSH_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + #Register --test-no SSH-7464 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check SSH option: HashKnownHosts" + #if [ ${SKIPTEST} -eq 0 ]; then + # /etc/ssh/ssh_config + # ReportSuggestion ${TEST_NO} "HashKnownHosts option can migitate worm attacks" + #AddHP 2 2 + #fi +# +################################################################################# +# + # Test : SSH-7480 + # Description : AllowUsers / AllowGroups + # Goal : Scan SSH daemon + #if [ ! ${SSHKEYSCANBINARY} = "" -a ${SSH_DAEMON_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + #Register --test-no SSH-7480 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check SSH option: AllowUsers and AllowGroups" + #if [ ${SKIPTEST} -eq 0 ]; then + # First determine what port the local instance of SSH daemon is running on. If unknown, use port 22 + # FIND=`${SSHKEYSCANBINARY} localhost 2>&1 | grep OpenSSH | egrep -i "bsd|debian|ubuntu|redhat"` +# +################################################################################# +# + # sshd -T can provide additional insights +# +################################################################################# +# +report "ssh_daemon_running=${SSH_DAEMON_RUNNING}" +#report "ssh_daemon_port=${SSH_DAEMON_PORT}" + +wait_for_keypress + +# +#================================================================================ +# Lynis - Copyright 2007-2014, Michael Boelen - www.rootkit.nl - The Netherlands |