
tests_insecure_services « include - github.com/CISOfy/lynis.git - Unnamed repository; edit this file 'description' to name the repository.
blob: 129683fd5b452ec2290f023d9e5d1db6bdb5f022 (plain)
#!/bin/sh

#################################################################################
#
#   Lynis
# ------------------
#
# Copyright 2007-2013, Michael Boelen
# Copyright 2013-2016, CISOfy
#
# Website  : https://cisofy.com
# Blog     : http://linux-audit.com
# GitHub   : https://github.com/CISOfy/lynis
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
# See LICENSE file for usage of this software.
#
#################################################################################
#
# Insecure services
#
#################################################################################
#
    # Announce this group of tests (InsertSection is defined outside this file).
    InsertSection "Insecure services"
#
#################################################################################
#
    # Path of the inetd configuration, built by prefixing ${ROOTDIR}.
    INETD_CONFIG_FILE="${ROOTDIR}etc/inetd.conf"
    # Stays 0 unless INSE-8002 below finds a running inetd; the later INSE tests
    # read it to decide whether their prerequisites are met.
    INETD_ACTIVE=0
#
#################################################################################
#
    # Test        : INSE-8002
    # Description : Check for inetd status
    # Outcome     : sets INETD_ACTIVE=1 when an inetd process is seen, which the
    #               following inetd tests use as their prerequisite.
    Register --test-no INSE-8002 --weight L --network NO --category security --description "Check for enabled inet daemon"
    if [ ${SKIPTEST} -eq 0 ]; then
        LogText "Test: Searching for active inet daemon"
        # The result of IsRunning is read from RUNNING on the next line.
        IsRunning inetd
        if ! [ ${RUNNING} -eq 1 ]; then
            # Nothing found: INETD_ACTIVE keeps its initial value of 0.
            LogText "Result: inetd is NOT running"
            Display --indent 2 --text "- Checking inetd status" --result "NOT ACTIVE" --color GREEN
        else
            # A running inetd is only recorded here; its configuration is
            # judged by the tests that follow.
            LogText "Result: inetd is running"
            Display --indent 2 --text "- Checking inetd status" --result "ACTIVE" --color GREEN
            INETD_ACTIVE=1
        fi
    fi
#
#################################################################################
#
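    # Test        : INSE-8004
    # Description : Check for inetd configuration file
    # Prerequisite: inetd was found running by INSE-8002 (INETD_ACTIVE=1).
    if [ "${INETD_ACTIVE}" -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
    # The description previously repeated the INSE-8002 text ("Check for enabled
    # inet daemon"), which made the two tests indistinguishable by description.
    Register --test-no INSE-8004 --preqs-met "${PREQS_MET}" --weight L --network NO --category security --description "Check for inetd configuration file"
    if [ "${SKIPTEST}" -eq 0 ]; then
        # Check configuration file
        LogText "Test: Searching for file ${INETD_CONFIG_FILE}"
        # Quoted so that a ROOTDIR containing whitespace is still tested as a
        # single path instead of being split into several arguments.
        if [ -f "${INETD_CONFIG_FILE}" ]; then
            LogText "Result: ${INETD_CONFIG_FILE} exists"
            Display --indent 4 --text "- Checking inetd.conf" --result "${STATUS_FOUND}" --color WHITE
        else
            LogText "Result: ${INETD_CONFIG_FILE} does not exist"
            Display --indent 4 --text "- Checking inetd.conf" --result "${STATUS_NOT_FOUND}" --color WHITE
        fi
    fi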
#
#################################################################################
#
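    # Test        : INSE-8006
    # Description : Check for inetd configuration file contents if inetd is NOT active
    # Prerequisite: inetd is not running (INETD_ACTIVE=0) and the configuration
    #               file exists. Two separate tests replace the obsolescent
    #               "-a" operator, and the path is quoted so it stays one word.
    if [ "${INETD_ACTIVE}" -eq 0 ] && [ -f "${INETD_CONFIG_FILE}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
    Register --test-no INSE-8006 --preqs-met "${PREQS_MET}" --weight L --network NO --category security --description "Check configuration of inetd when disabled"
    if [ "${SKIPTEST}" -eq 0 ]; then
        # Check if any service is enabled in /etc/inetd.conf (inetd is not active, see test 8002)
        LogText "Test: check if all services are disabled if inetd is disabled"
        # Everything that is neither a line starting with "#" nor an empty line
        # counts as an enabled service.
        # NOTE(review): whitespace-only lines and comments that do not start in
        # the first column also end up in FIND and trigger the suggestion.
        FIND=$(${GREPBINARY} -v '^#' "${INETD_CONFIG_FILE}" | ${GREPBINARY} -v '^$')
        if [ -z "${FIND}" ]; then
            LogText "Result: no services found in ${INETD_CONFIG_FILE}"
            Display --indent 4 --text "- Checking inetd.conf services" --result "${STATUS_OK}" --color GREEN
        else
            # Entries left behind become live again as soon as inetd is started.
            LogText "Result: found services in inetd, even though inetd is not running"
            Display --indent 4 --text "- Checking inetd.conf services" --result "${STATUS_SUGGESTION}" --color YELLOW
            ReportSuggestion "${TEST_NO}" "Although inetd is not running, make sure no services are enabled in ${INETD_CONFIG_FILE}, or remove inetd service"
        fi
    fi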
#
#################################################################################
#
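    # Test        : INSE-8016
    # Description : Check for telnet enabled via inetd
    # Prerequisite: inetd is running (INETD_ACTIVE=1) and the configuration file
    #               exists. Two separate tests replace the obsolescent "-a"
    #               operator, and the path is quoted so it stays one word.
    if [ "${INETD_ACTIVE}" -eq 1 ] && [ -f "${INETD_CONFIG_FILE}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
    Register --test-no INSE-8016 --preqs-met "${PREQS_MET}" --weight L --network NO --category security --description "Check for telnet via inetd"
    if [ "${SKIPTEST}" -eq 0 ]; then
        LogText "Test: checking telnet presence in inetd configuration"
        # Only lines that begin with "telnet" in the first column match, so
        # commented-out entries are ignored.
        # NOTE(review): this is a prefix match; an entry preceded by whitespace
        # is not detected, and any service name starting with "telnet" is.
        FIND=$(${GREPBINARY} '^telnet' "${INETD_CONFIG_FILE}")
        if [ -z "${FIND}" ]; then
            LogText "Result: telnet not enabled in ${INETD_CONFIG_FILE}"
            Display --indent 2 --text "- Checking inetd (telnet)" --result "${STATUS_NOT_FOUND}" --color GREEN
            AddHP 3 3
        else
            # telnet is unencrypted, so credentials and session data cross the
            # network in clear text; the suggestion points to SSH instead.
            LogText "Result: telnet enabled in ${INETD_CONFIG_FILE}"
            Display --indent 2 --text "- Checking inetd (telnet)" --result "${STATUS_WARNING}" --color RED
            ReportSuggestion "${TEST_NO}" "Disable telnet in inetd configuration and use SSH instead"
            AddHP 1 3
        fi
    fi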
#
#################################################################################
#
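    # Test        : INSE-8050
    # Description : Check for insecure services on macOS
    # Prerequisite: a launchctl binary was located (LAUNCHCTL_BINARY is non-empty).
    if [ -n "${LAUNCHCTL_BINARY}" ]; then PREQS_MET="YES"; SKIPREASON=""; else PREQS_MET="NO"; SKIPREASON="No launchctl binary on this system"; fi
    Register --test-no INSE-8050 --os "macOS" --preqs-met "${PREQS_MET}" --skip-reason "${SKIPREASON}" --weight M --network NO --category security --description "Check for insecure services on macOS"
    if [ "${SKIPTEST}" -eq 0 ]; then
        # Space-separated list of launchd service labels considered insecure.
        TEST_SERVICES="com.apple.fingerd"
        # Unquoted on purpose: the list is split on whitespace into single labels.
        for ITEM in ${TEST_SERVICES}; do
            # -F matches the label literally, so its dots are not treated as
            # regex wildcards. ${GREPBINARY} is used as in the other tests of
            # this file instead of whichever grep is first in PATH.
            # NOTE(review): this matches the label anywhere in the output,
            # whatever state is printed next to it - confirm that a service
            # listed as disabled is not reported here.
            if "${LAUNCHCTL_BINARY}" print-enabled system | ${GREPBINARY} -sqF "${ITEM}"; then
                # The display and log lines previously expanded $text, which is
                # never assigned in this file; the service label is shown instead.
                Display --indent 2 --text "- ${ITEM}" --result "${STATUS_NO}" --color RED
                LogText "Result: found ${ITEM}, which is considered an insecure service"
                # NOTE(review): the other tests in this file call
                # ReportSuggestion; confirm AddSuggestion is defined.
                AddSuggestion "${TEST_NO}" "Consider disabling service ${ITEM}" "launchctl" "-"
                AddHP 0 1
            else
                Display --indent 2 --text "- ${ITEM}" --result "${STATUS_OK}" --color GREEN
                LogText "Result: ${ITEM}, OK"
                AddHP 1 1
            fi
        done
    fi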
#
#################################################################################
#

# To do:
# - mark in report when a system was tested for any insecure services

# Last action of this test group. WaitForKeyPress is defined outside this file;
# presumably it pauses until the user confirms - TODO confirm.
WaitForKeyPress

#
#================================================================================
# Lynis - Security Auditing and System Hardening for Linux and UNIX - https://cisofy.com