blob: 3930332616cc6fa6945a687922895b2a911128c1 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
|
#!/bin/sh
#################################################################################
#
# Lynis
# ------------------
#
# Copyright 2007-2013, Michael Boelen
# Copyright 2013-2016, CISOfy
#
# Website : https://cisofy.com
# Blog : http://linux-audit.com
# GitHub : https://github.com/CISOfy/lynis
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
# See LICENSE file for usage of this software.
#
#################################################################################
#
# Kernel
#
#################################################################################
#
InsertSection "Kernel Hardening"
#
#################################################################################
#
# Test : KRNL-6000
# Description : Check sysctl parameters
# Sysctl : net.ipv4.icmp_ingore_bogus_error_responses (=1)
if [ ! "${SYSCTL_READKEY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no KRNL-6000 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check sysctl key pairs in scan profile"
if [ ${SKIPTEST} -eq 0 ]; then
FOUND=0
N=0
Display --indent 2 --text "- Comparing sysctl key pairs with scan profile"
for PROFILE in ${PROFILES}; do
FIND=`grep "^sysctl:" ${PROFILE} | sed 's/ /-space-/g'`
for I in ${FIND}; do
tFINDkey=`echo ${I} | awk -F: '{ print $2 }'`
tFINDexpvalue=`echo ${I} | awk -F: '{ print $3 }'`
tFINDhp=`echo ${I} | awk -F: '{ print $4 }' | grep "[0-9]"`
tFINDdesc=`echo ${I} | awk -F: '{ print $5 }' | sed 's/-space-/ /g'`
tFINDcurvalue=`${SYSCTL_READKEY} ${tFINDkey} 2> /dev/null`
if [ ! "${tFINDcurvalue}" = "" ]; then
if [ "${tFINDexpvalue}" = "${tFINDcurvalue}" ]; then
LogText "Result: sysctl key ${tFINDkey} contains equal expected and current value (${tFINDexpvalue})"
Display --indent 4 --text "- ${tFINDkey} (exp: ${tFINDexpvalue})" --result "${STATUS_OK}" --color GREEN
AddHP ${tFINDhp} ${tFINDhp}
else
LogText "Result: sysctl key ${tFINDkey} has a different value than expected in scan profile. Expected=${tFINDexpvalue}, Real=${tFINDcurvalue}"
Display --indent 4 --text "- ${tFINDkey} (exp: ${tFINDexpvalue})" --result DIFFERENT --color RED
AddHP 0 ${tFINDhp}
FOUND=1
N=$((N + 1))
ReportDetails --test "${TEST_NO}" --service "sysctl" --field "${tFINDkey}" --value "${tFINDcurvalue}" --preferredvalue "${tFINDexpvalue}" --description "${tFINDdesc}"
fi
else
LogText "Result: key ${tFINDkey} does not exist on this machine"
fi
done
done
# Add suggestion if one or more sysctls have a different value than scan profile
if [ ${FOUND} -eq 1 ]; then
LogText "Result: found ${N} keys that can use tuning, according scan profile"
ReportSuggestion ${TEST_NO} "One or more sysctl values differ from the scan profile and could be tweaked"
fi
fi
#
#################################################################################
#
WaitForKeyPress
#
#================================================================================
# Lynis - Security Auditing and System Hardening for Linux and UNIX - https://cisofy.com
|
