blob: 1ee7581f1a95df7a32508c05589e299342328d25 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
|
#!/bin/sh
#################################################################################
#
# Lynis
# ------------------
#
# Copyright 2007-2013, Michael Boelen
# Copyright 2007-2018, CISOfy
#
# Website : https://cisofy.com
# Blog : http://linux-audit.com
# GitHub : https://github.com/CISOfy/lynis
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
# See LICENSE file for usage of this software.
#
#################################################################################
#
# Unsecure services
#
#################################################################################
#
InsertSection "Insecure services"
#
#################################################################################
#
INETD_ACTIVE=0
INETD_CONFIG_FILE="${ROOTDIR}etc/inetd.conf"
#
#################################################################################
#
# Test : INSE-8002
# Description : Check for inetd status
Register --test-no INSE-8002 --weight L --network NO --category security --description "Check for enabled inet daemon"
if [ ${SKIPTEST} -eq 0 ]; then
# Check running processes
LogText "Test: Searching for active inet daemon"
IsRunning inetd
if [ ${RUNNING} -eq 1 ]; then
LogText "Result: inetd is running"
Display --indent 2 --text "- Checking inetd status" --result "ACTIVE" --color GREEN
INETD_ACTIVE=1
else
LogText "Result: inetd is NOT running"
Display --indent 2 --text "- Checking inetd status" --result "NOT ACTIVE" --color GREEN
fi
fi
#
#################################################################################
#
# Test : INSE-8004
# Description : Check for inetd configuration file
if [ ${INETD_ACTIVE} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no INSE-8004 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for enabled inet daemon"
if [ ${SKIPTEST} -eq 0 ]; then
# Check configuration file
LogText "Test: Searching for file ${INETD_CONFIG_FILE}"
if [ -f ${INETD_CONFIG_FILE} ]; then
LogText "Result: ${INETD_CONFIG_FILE} exists"
Display --indent 4 --text "- Checking inetd.conf" --result "${STATUS_FOUND}" --color WHITE
else
LogText "Result: ${INETD_CONFIG_FILE} does not exist"
Display --indent 4 --text "- Checking inetd.conf" --result "${STATUS_NOT_FOUND}" --color WHITE
fi
fi
#
#################################################################################
#
# Test : INSE-8006
# Description : Check for inetd configuration file contents if inetd is NOT active
if [ ${INETD_ACTIVE} -eq 0 -a -f ${INETD_CONFIG_FILE} ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no INSE-8006 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check configuration of inetd when disabled"
if [ ${SKIPTEST} -eq 0 ]; then
# Check if any service is enabled in /etc/inetd.conf (inetd is not active, see test 8002)
LogText "Test: check if all services are disabled if inetd is disabled"
FIND=$(${GREPBINARY} -v "^#" ${INETD_CONFIG_FILE} | ${GREPBINARY} -v "^$")
if [ -z "${FIND}" ]; then
LogText "Result: no services found in ${INETD_CONFIG_FILE}"
Display --indent 4 --text "- Checking inetd.conf services" --result "${STATUS_OK}" --color GREEN
else
LogText "Result: found services in inetd, even though inetd is not running"
Display --indent 4 --text "- Checking inetd.conf services" --result "${STATUS_SUGGESTION}" --color YELLOW
ReportSuggestion ${TEST_NO} "Although inetd is not running, make sure no services are enabled in ${INETD_CONFIG_FILE}, or remove inetd service"
fi
fi
#
#################################################################################
#
# Test : INSE-8016
# Description : Check for telnet enabled via inetd
if [ ${INETD_ACTIVE} -eq 1 -a -f ${INETD_CONFIG_FILE} ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no INSE-8016 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for telnet via inetd"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: checking telnet presence in inetd configuration"
FIND=$(${GREPBINARY} "^telnet" ${INETD_CONFIG_FILE})
if [ "${FIND}" = "" ]; then
LogText "Result: telnet not enabled in ${INETD_CONFIG_FILE}"
Display --indent 2 --text "- Checking inetd (telnet)" --result "${STATUS_NOT_FOUND}" --color GREEN
AddHP 3 3
else
LogText "Result: telnet enabled in ${INETD_CONFIG_FILE}"
Display --indent 2 --text "- Checking inetd (telnet)" --result "${STATUS_WARNING}" --color RED
ReportSuggestion "${TEST_NO}" "Disable telnet in inetd configuration and use SSH instead"
AddHP 1 3
fi
fi
#
#################################################################################
#
if [ ! -z "${LAUNCHCTL_BINARY}" ]; then PREQS_MET="YES"; SKIPREASON=""; else PREQS_MET="NO"; SKIPREASON="No launchctl binary on this system"; fi
Register --test-no INSE-8050 --os "macOS" --preqs-met ${PREQS_MET} --skip-reason "${SKIPREASON}" --weight M --network NO --category security --description "Check for insecure services on macOS"
if [ ${SKIPTEST} -eq 0 ]; then
TEST_SERVICES="com.apple.fingerd"
for ITEM in ${TEST_SERVICES}; do
if ${LAUNCHCTL_BINARY} print-enabled system | grep -sq ${ITEM}; then
Display --indent 2 --text "- $text" --result "${STATUS_NO}" --color RED
LogText "Result: found ${ITEM}, which is considered an insecure service"
AddSuggestion "${TEST_NO}" "Consider disabling service ${ITEM}" "launchctl" "-"
AddHP 0 1
else
Display --indent 2 --text "- $text" --result "${STATUS_OK}" --color GREEN
LogText "Result: $text, OK"
AddHP 1 1
fi
done
fi
#
#################################################################################
#
# To do:
# - mark in report when a system was tested for any insecure services
WaitForKeyPress
#
#================================================================================
# Lynis - Security Auditing and System Hardening for Linux and UNIX - https://cisofy.com
|