1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
|
#!/bin/sh
#################################################################################
#
# Lynis
# ------------------
#
# Copyright 2007-2013, Michael Boelen
# Copyright 2007-2017, CISOfy
#
# Website : https://cisofy.com
# Blog : http://linux-audit.com
# GitHub : https://github.com/CISOfy/lynis
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
# See LICENSE file for usage of this software.
#
#################################################################################
#
# Networking
#
#################################################################################
#
FOUNDPROMISC=0 # Promiscuous interfaces
LOCAL_DNSRESOLVER_FOUND=0 # Local DNS resolver
NUMBERACTIVENS=0 # Number of active nameservers
DHCP_CLIENT_RUNNING=0 # DHCP client availability
ARPWATCH_RUNNING=0 # ARP-cache based attack monitoring software
ARPON_RUNNING=0 # ARP-cache based attack monitoring software
#
#################################################################################
#
InsertSection "Networking"
#
#################################################################################
#
# Test : NETW-2600
# Description : Gather IPv6 configuration
Register --test-no NETW-2600 --os "Linux" --weight L --network YES --category security --description "Checking IPv6 configuration"
if [ ${SKIPTEST} -eq 0 ]; then
IPV6_CONFIGURED=0
IPV6_ACCEPT_RA=255
IPV6_ACCEPT_REDIRECTS=255
IPV6_MANUAL_CONFIGURED=255
IPV6_ONLY=255
IPV6_MISCONFIGURED=0
IPV6_MISCONFIGURED_MTU=0
FIND=$(sysctl -a 2> /dev/null | ${GREPBINARY} "^net.ipv6" | ${SEDBINARY} "s/ = /=/")
if [ ! "${FIND}" = "" ]; then
IPV6_CONFIGURED=1
for I in ${FIND}; do
SYSCTL_KEY=$(echo ${I} | ${AWKBINARY} -F= '{ print $1 }')
SYSCTL_VALUE=$(echo ${I} | ${AWKBINARY} -F= '{ print $2 }')
case ${SYSCTL_KEY} in
"net.ipv6.conf.default.accept_ra")
if [ "${SYSCTL_VALUE}" = "1" ]; then IPV6_ACCEPT_RA=1; else IPV6_ACCEPT_RA=0; fi
;;
"net.ipv6.conf.default.accept_redirects")
if [ "${SYSCTL_VALUE}" = "1" ]; then IPV6_ACCEPT_REDIRECTS=1; else IPV6_ACCEPT_REDIRECTS=0; fi
;;
"net.ipv6.bindv6only")
if [ "${SYSCTL_VALUE}" = "1" ]; then IPV6_ONLY=1; else IPV6_ONLY=0; fi
;;
"net.ipv6.conf.all.mtu" | "net.ipv6.conf.default.mtu")
if [ ${SYSCTL_VALUE} -lt 1280 ]; then IPV6_MISCONFIGURED_MTU=1; fi
;;
#if TestValue --function equals --value "${SYSCTL_VALUE}" --search "1"; then
# echo "Found ${SYSCTL_VALUE}"
#else
# echo "Not found"
#fi
esac
done
else
IPV6_MODE="disabled"
fi
# Check if we are manually configured (not accepting automatic configuration)
if [ ${IPV6_ACCEPT_RA} -eq 0 -a ${IPV6_ACCEPT_REDIRECTS} -eq 0 ]; then
IPV6_MANUAL_CONFIGURED=1
IPV6_MODE="manual"
elif [ ${IPV6_ACCEPT_RA} -eq 1 -o ${IPV6_ACCEPT_REDIRECTS} -eq 1 ]; then
IPV6_MODE="auto"
else
IPV6_MODE="disabled"
fi
LogText "Result: IPV6 mode is ${IPV6_MODE}"
if [ ${IPV6_CONFIGURED} -eq 1 ]; then
Display --indent 2 --text "- Checking IPv6 configuration" --result "${STATUS_ENABLED}" --color WHITE
STATUS=$(echo ${IPV6_MODE} | ${TRBINARY} '[:lower:]' '[:upper:]')
Display --indent 6 --text "Configuration method" --result "${STATUS}" --color WHITE
if [ ${IPV6_ONLY} -eq 1 ]; then STATUS="YES"; else STATUS="NO"; fi
LogText "Result: IPv6 only configuration: ${STATUS}"
Display --indent 6 --text "IPv6 only" --result "${STATUS}" --color WHITE
else
Display --indent 2 --text "- Checking IPv6 configuration" --result "${STATUS_DISABLED}" --color WHITE
fi
# Configuration errors
if [ ${IPV6_MISCONFIGURED_MTU} -eq 1 ]; then
IPV6_MISCONFIGURED=1
LogText "Result: MTU of IPv6 interfaces should be 1280 or higher"
Display --indent 6 --text "Error: MTU is too low" --result "${STATUS_WARNING}" --color RED
ReportSuggestion "${TEST_NO}" "Check your MTU configuration of IPv6 interfaces"
fi
# Possible improvements:
# - Check if we found IPv6 enabled nameservers
# Report
Report "ipv6_mode=${IPV6_MODE}"
Report "ipv6_only=${IPV6_ONLY}"
fi
#
#################################################################################
#
# Test : NETW-2704
# Description : Basic nameserver configuration tests (connectivity)
Register --test-no NETW-2704 --weight L --network YES --category security --description "Basic nameserver configuration tests"
if [ ${SKIPTEST} -eq 0 ]; then
Display --indent 2 --text "- Checking configured nameservers"
LogText "Test: Checking /etc/resolv.conf file"
if [ -f /etc/resolv.conf ]; then
LogText "Result: Found /etc/resolv.conf file"
FIND=$(${GREPBINARY} '^nameserver' /etc/resolv.conf | ${TRBINARY} -d '\t' | ${SEDBINARY} 's/nameserver*//g' | uniq)
if [ ! "${FIND}" = "" ]; then
Display --indent 4 --text "- Testing nameservers"
LogText "Test: Querying nameservers"
for I in ${FIND}; do
LogText "Found nameserver: ${I}"
Report "nameserver[]=${I}"
# Check if a local resolver is available (like DNSMasq)
if [ "${I}" = "::1" -o "${I}" = "127.0.0.1" -o "${I}" = "0.0.0.0" ]; then
LOCAL_DNSRESOLVER_FOUND=1
fi
if [ ! "${DIGBINARY}" = "" ]; then
# See if we can query something at the nameserver
# 0=good, other=bad
DNSRESPONSE=$(${DIGBINARY} +noall +time=3 +retry=0 @${I} ${I} > /dev/null ; echo $?)
if [ "${DNSRESPONSE}" = "0" ]; then
Display --indent 8 --text "Nameserver: ${I}" --result "${STATUS_OK}" --color GREEN
LogText "Nameserver ${I} seems to respond to queries from this host."
# Count responsive nameservers
NUMBERACTIVENS=$((NUMBERACTIVENS + 1))
else
Display --indent 8 --text "Nameserver: ${I}" --result "NO RESPONSE" --color RED
LogText "Result: nameserver ${I} does NOT respond"
LogText "Exit-code from dig: ${DNSRESPONSE}"
ReportSuggestion ${TEST_NO} "Check connection to this nameserver and make sure no outbound DNS queries are blocked (port 53 UDP and TCP)."
ReportWarning ${TEST_NO} "Nameserver ${I} does not respond"
fi
else
LogText "Result: Nameserver test for ${I} skipped, 'dig' not installed"
Display --indent 6 --text "Nameserver: ${I}" --result "${STATUS_SKIPPED}" --color YELLOW
fi
done
fi
fi
fi
#
#################################################################################
#
# Test : NETW-2705
# Description : Basic nameserver configuration tests (connectivity)
if [ ${LOCAL_DNSRESOLVER_FOUND} -eq 0 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no NETW-2705 --preqs-met ${PREQS_MET} --weight L --network YES --category security --description "Check availability two nameservers"
if [ ${SKIPTEST} -eq 0 ]; then
if [ ! "${DIGBINARY}" = "" ]; then
if [ ${NUMBERACTIVENS} -lt 2 ]; then
Display --indent 4 --text "- Minimal of 2 responsive nameservers" --result "${STATUS_WARNING}" --color RED
LogText "Result: less than 2 responsive nameservers found"
ReportWarning ${TEST_NO} "Couldn't find 2 responsive nameservers"
LogText "Note: Non responsive nameservers can give problems for your system(s). Like the lack of recursive lookups, bad connectivity to update servers etc."
ReportSuggestion ${TEST_NO} "Check your resolv.conf file and fill in a backup nameserver if possible"
AddHP 1 2
else
Display --indent 4 --text "- Minimal of 2 responsive nameservers" --result "${STATUS_OK}" --color GREEN
LogText "Result: found at least 2 responsive nameservers"
AddHP 3 3
fi
else
Display --indent 4 --text "- Minimal of 2 responsive nameservers" --result "${STATUS_SKIPPED}" --color YELLOW
LogText "Result: dig not installed, test can't be fully performed"
fi
else
LogText "Result: Test most likely skipped due having local resolver in /etc/resolv.conf"
fi
#
#################################################################################
#
# Test : NETW-3001
# Description : Find default gateway (route)
# More info : BSD: ^default Linux: 0.0.0.0
if [ ! "${NETSTATBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no NETW-3001 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Find default gateway (route)"
if [ $SKIPTEST -eq 0 ]; then
LogText "Test: Searching default gateway(s)"
FIND=$(${NETSTATBINARY} -rn | ${EGREPBINARY} "^0.0.0.0|default" | ${TRBINARY} -s ' ' | ${CUTBINARY} -d ' ' -f2)
if [ ! "${FIND}" = "" ]; then
for I in ${FIND}; do
LogText "Result: Found default gateway ${I}"
Report "default_gateway[]=${I}"
done
Display --indent 2 --text "- Checking default gateway" --result "${STATUS_DONE}" --color GREEN
else
LogText "Result: No default gateway found"
Display --indent 2 --text "- Checking default gateway" --result "NONE FOUND" --color WHITE
fi
fi
#
#################################################################################
#
# Test : NETW-3004
# Description : Find available network interfaces
Register --test-no NETW-3004 --weight L --network NO --category security --description "Search for available network interfaces"
if [ ${SKIPTEST} -eq 0 ]; then
FIND=""
N=0
case ${OS} in
AIX)
FIND=$(${IFCONFIGBINARY} -a 2> /dev/null | ${GREPBINARY} "flags=" | ${AWKBINARY} -F ":" '{ print $1 }')
;;
Linux)
if [ ! "${IPBINARY}" = "" ]; then
FIND=$(${IPBINARY} link show 2> /dev/null | ${GREPBINARY} "^[0-9]" | ${AWKBINARY} '{ print $2 }' | ${SEDBINARY} 's/://g')
elif [ ! "${IFCONFIGBINARY}" = "" ]; then
FIND=$(${IFCONFIGBINARY} -a 2> /dev/null | ${AWKBINARY} '{ if ( $2 == "Link" ) { print $1 }}')
fi
;;
DragonFly|FreeBSD|macOS|NetBSD)
FIND=$(${IFCONFIGBINARY} -l 2> /dev/null)
;;
OpenBSD|Solaris)
FIND=$(${IFCONFIGBINARY} -a 2> /dev/null | ${GREPBINARY} "flags=" | ${AWKBINARY} -F ": " '{ print $1 }')
;;
*)
# Having a system currently unsupported? Share your details to determine network interfaces
ReportException "${TEST_NO}:1" "No support for this OS (${OS}) to find available network interfaces"
;;
esac
if [ ! "${FIND}" = "" ]; then
for I in ${FIND}; do
NETWORK_INTERFACES="${NETWORK_INTERFACES}|${I}"
LogText "Found network interface: ${I}"
N=$((N + 1))
Report "network_interface[]=${I}"
done
else
ReportException "${TEST_NO}:1" "No interfaces found on this system (OS=${OS})"
fi
fi
#
#################################################################################
#
# Test : NETW-3006
# Description : Get network MAC addresses
Register --test-no NETW-3006 --weight L --network NO --category security --description "Get network MAC addresses"
if [ ${SKIPTEST} -eq 0 ]; then
FIND=""
case ${OS} in
AIX)
FIND=$(lscfg -vl ent* | ${GREPBINARY} "Network Address" | ${CUTBINARY} -d"." -f14 | ${AWKBINARY} '{ ctr=1; i=1; while (ctr <= 6) { d[ctr++]=substr($0,i,2);i=i+2 } printf("%s:%s:%s:%s:%s:%s\n",d[1],d[2],d[3],d[4],d[5],d[6]) }')
;;
DragonFly|FreeBSD)
FIND=$(${IFCONFIGBINARY} -a 2> /dev/null | ${AWKBINARY} '{ if ($1=="ether") print $2 }' | ${SORTBINARY} -u)
;;
Linux)
if [ ! "${IFCONFIGBINARY}" = "" ]; then
FIND=$(${IFCONFIGBINARY} -a 2> /dev/null | ${GREPBINARY} "HWaddr" | ${AWKBINARY} '{ if ($4=="HWaddr") print $5 }' | ${SORTBINARY} -u)
else
if [ ! "${IPBINARY}" = "" ]; then
LogText "Test: Using ip binary to gather hardware addresses"
FIND=$(${IPBINARY} link 2> /dev/null | ${GREPBINARY} "link/ether" | ${AWKBINARY} '{ print $2 }')
else
ReportException "${TEST_NO}:2" "Missing ifconfig or ip command to collect hardware address (MAC)"
fi
fi
;;
macOS)
FIND=$(${IFCONFIGBINARY} -a 2> /dev/null | ${AWKBINARY} '{ if ($1=="lladdr" || $1=="ether") print $2 }' | ${SORTBINARY} -u)
;;
NetBSD)
FIND=$(${IFCONFIGBINARY} -a 2> /dev/null | ${AWKBINARY} '{ if ($1=="address:") print $2 }' | ${SORTBINARY} -u)
;;
OpenBSD)
FIND=$(${IFCONFIGBINARY} -A 2> /dev/null | ${AWKBINARY} '{ if ($1=="lladdr") print $2 }' | ${SORTBINARY} -u)
;;
Solaris)
FIND=$(${IFCONFIGBINARY} -a 2> /dev/null | ${AWKBINARY} '{ if ($1=="ether") print $2 }' | ${SORTBINARY} -u)
;;
*)
# Having a system currently unsupported? Share your details to determine MAC information
ReportException "${TEST_NO}:1" "No support for this OS (${OS}) to find MAC information"
;;
esac
N=0
for I in ${FIND}; do
LogText "Found MAC address: ${I}"
N=$((N + 1))
Report "network_mac_address[]=${I}"
done
fi
#
#################################################################################
#
# Test : NETW-3008
# Description : Get network IPv4/6 addresses
Register --test-no NETW-3008 --weight L --network NO --category security --description "Get network IP addresses"
if [ ${SKIPTEST} -eq 0 ]; then
FIND=""; FIND2=""
case ${OS} in
AIX)
FIND=$(${IFCONFIGBINARY} -a 2> /dev/null | ${AWKBINARY} '{ if ($1=="inet") print $2 }')
FIND2=$(${IFCONFIGBINARY} -a 2> /dev/null | ${AWKBINARY} '{ if ($1=="inet6") print $2 }')
;;
DragonFly|FreeBSD|NetBSD)
FIND=$(${IFCONFIGBINARY} -a 2> /dev/null | ${AWKBINARY} '{ if ($1=="inet") print $2 }')
FIND2=$(${IFCONFIGBINARY} -a 2> /dev/null | ${AWKBINARY} '{ if ($1=="inet6") print $2 }')
;;
Linux)
if [ ! "${IFCONFIGBINARY}" = "" ]; then
FIND=$(${IFCONFIGBINARY} -a 2> /dev/null | ${AWKBINARY} '{ if ($1=="inet") print $2 }' | ${CUTBINARY} -d ':' -f2)
# Version which works for multiple types of ifconfig (e.g. Slackware)
FIND2=$(${IFCONFIGBINARY} -a 2> /dev/null | ${AWKBINARY} '{ if ($1=="inet6" && $2=="addr:") { print $3 } else { if ($1=="inet6" && $3=="prefixlen") { print $2 } } }')
else
if [ ! "${IPBINARY}" = "" ]; then
LogText "Test: Using ip binary to gather IP addresses"
FIND=$(${IPBINARY} addr 2> /dev/null | ${AWKBINARY} '{ if ($1=="inet") { print $2 }}' | ${SEDBINARY} 's/\/.*//')
FIND2=$(${IPBINARY} addr 2> /dev/null | ${AWKBINARY} '{ if ($1=="inet6") { print $2 }}' | ${SEDBINARY} 's/\/.*//')
else
ReportException "${TEST_NO}:2" "Missing ifconfig or ip command to collect hardware address (MAC)"
fi
fi
;;
macOS)
FIND=$(${IFCONFIGBINARY} -a 2> /dev/null | ${AWKBINARY} '{ if ($1=="inet") print $2 }')
FIND2=$(${IFCONFIGBINARY} -a 2> /dev/null | ${AWKBINARY} '{ if ($1=="inet6") print $2 }')
;;
OpenBSD)
FIND=$(${IFCONFIGBINARY} -A 2> /dev/null | ${AWKBINARY} '{ if ($1=="inet") print $2 }')
FIND2=$(${IFCONFIGBINARY} -A 2> /dev/null | ${AWKBINARY} '{ if ($1=="inet6") print $2 }')
;;
Solaris)
FIND=$(${IFCONFIGBINARY} -a 2> /dev/null | ${AWKBINARY} '{ if ($1=="inet") print $2 }')
FIND2=$(${IFCONFIGBINARY} -a 2> /dev/null | ${AWKBINARY} '{ if ($1=="inet6") print $2 }')
;;
*)
LogText "Result: no support yet for this OS (${OS}) to find IP address information. You can help improving this test by submitting your details."
ReportException "${TEST_NO}:1" "IP address information test not implemented for this operating system"
;;
esac
N=0
# IPv4
for I in ${FIND}; do
LogText "Found IPv4 address: ${I}"
N=$((N + 1))
Report "network_ipv4_address[]=${I}"
done
# IPv6
for I in ${FIND2}; do
LogText "Found IPv6 address: ${I}"
N=$((N + 1))
Report "network_ipv6_address[]=${I}"
done
fi
#
#################################################################################
#
# Test : NETW-3012
# Description : Check listening ports
Register --test-no NETW-3012 --weight L --network NO --category security --description "Check listening ports"
if [ ${SKIPTEST} -eq 0 ]; then
FIND=""; FIND2=""
N=0
case ${OS} in
DragonFly|FreeBSD)
if [ ! "${SOCKSTATBINARY}" = "" ]; then
FIND=$(${SOCKSTATBINARY} | ${AWKBINARY} '{ if ($7 ~ /\*:\*/) print $5"|"$6"|"$2"|" }' | ${SORTBINARY} -u)
# To strip off IP's: ${SEDBINARY} 's/|.*:/|/'
else
FIND=""
fi
FIND2=""
;;
Linux)
if [ ! "${NETSTATBINARY}" = "" ]; then
# UDP
FIND=$(${NETSTATBINARY} -nlp 2> /dev/null | ${GREPBINARY} "^udp" | ${AWKBINARY} '{ print $4"|"$1"|"$6"|" }' | ${SEDBINARY} 's:|[0-9]*/:|:')
# TCP
FIND2=$(${NETSTATBINARY} -nlp 2> /dev/null | ${GREPBINARY} "^tcp" | ${AWKBINARY} '{ if($6=="LISTEN") { print $4"|"$1"|"$7"|" }}' | ${SEDBINARY} 's:|[0-9]*/:|:')
else
if [ ! "${SSBINARY}" = "" ]; then
# UDP
FIND=$(${SSBINARY} -u -a -n 2> /dev/null | ${AWKBINARY} '{ print $4 }' | ${GREPBINARY} -v Local)
# TCP
FIND2=$(${SSBINARY} -t -a -n 2> /dev/null | ${AWKBINARY} '{ print $4 }' | ${GREPBINARY} -v Local)
else
ReportException "${TEST_NO}:1" "netstat and ss binary missing to gather listening ports"
fi
fi
;;
macOS)
if [ ! "${LSOFBINARY}" = "" ]; then
# UDP and TCP combined
FIND=$(${LSOFBINARY} -i -P | ${AWKBINARY} '{ print $9"|"$8"|"$1"|" }' | ${SEDBINARY} 's/\(.*\)\-\>.*\(\|.*\)/\1\2/' | ${SEDBINARY} 's/\*/'$IP'/' | ${SORTBINARY} -u | ${GREPBINARY} -v "NAME")
else
FIND=""
fi
# Not needed as we have a combined test
FIND2=""
;;
NetBSD)
if [ ! "${SOCKSTATBINARY}" = "" ]; then
FIND=$(${SOCKSTATBINARY} 2> /dev/null | ${AWKBINARY} '{ if ($7 ~ /\*.\*/) print $5"|"$6"|"$2"|" }' | ${SORTBINARY} -u)
else
FIND=""
fi
FIND2=""
;;
OpenBSD)
if [ ! "${NETSTATBINARY}" = "" ]; then
# UDP
FIND=$(${NETSTATBINARY} -an 2> /dev/null | ${GREPBINARY} "^udp" | ${AWKBINARY} '{ print $4"|"$1"||" }')
# TCP
FIND2=$(${NETSTATBINARY} -an 2> /dev/null | ${GREPBINARY} "^tcp" | ${AWKBINARY} '{ if($6=="LISTEN") { print $4"|"$1"||" }}')
else
ReportException "${TEST_NO}:3" "netstat missing to gather listening ports"
fi
;;
*)
# Got this exception? Provide your details and output of netstat or any other tool to determine this information.
ReportException "${TEST_NO}:2" "Unclear what method to use, to determine listening port information"
;;
esac
# Retrieve information from sockstat, when available
LogText "Test: Retrieving sockstat information to find listening ports"
if [ ! "${FIND}" = "" ]; then
for I in ${FIND}; do
N=$((N + 1))
LogText "Found listening info: ${I}"
Report "network_listen_port[]=${I}"
done
fi
if [ ! "${FIND2}" = "" ]; then
for I in ${FIND2}; do
N=$((N + 1))
LogText "Found listening info: ${I}"
Report "network_listen_port[]=${I}"
done
fi
if [ "${FIND}" = "" -a "${FIND2}" = "" ]; then
Display --indent 2 --text "- Getting listening ports (TCP/UDP)" --result "${STATUS_SKIPPED}" --color YELLOW
else
Display --indent 2 --text "- Getting listening ports (TCP/UDP)" --result "${STATUS_DONE}" --color GREEN
Display --indent 6 --text "* Found ${N} ports"
fi
fi
#
#################################################################################
#
# Test : NETW-3014
# Description : Checking promiscuous interfaces (BSD)
# Note : FreeBSD and others
if [ "${OS}" = "DragonFly" -o "${OS}" = "FreeBSD" -o "${OS}" = "NetBSD" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no NETW-3014 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking promiscuous interfaces (BSD)"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking promiscuous interfaces (FreeBSD)"
FIND=$(${IFCONFIGBINARY} 2> /dev/null | ${GREPBINARY} PROMISC | ${CUTBINARY} -d ':' -f1)
if [ ! "${FIND}" = "" ]; then
LogText "Result: Promiscuous interfaces: ${FIND}"
for I in ${FIND}; do
WHITELISTED=0
for PROFILE in ${PROFILES}; do
Debug "Checking if interface ${I} is whitelisted in profile ${PROFILE}"
ISWHITELISTED=$(${GREPBINARY} "^if_promisc:${I}:" ${PROFILE})
if [ ! "${ISWHITELISTED}" = "" ]; then
WHITELISTED=1
LogText "Result: this interface was whitelisted in profile (${PROFILE})"
fi
done
# Check if this interface was whitelisted
if [ ${WHITELISTED} -eq 0 ]; then
FOUNDPROMISC=1
ReportWarning ${TEST_NO} "Found promiscuous interface (${I})"
LogText "Note: some tools put an interface into promiscuous mode, to capture/log network traffic"
else
LogText "Result: Found promiscuous interface ${I} (*whitelisted via profile*)"
fi
done
fi
# Show result
if [ ${FOUNDPROMISC} -eq 0 ]; then
Display --indent 2 --text "- Checking promiscuous interfaces" --result "${STATUS_OK}" --color GREEN
LogText "Result: No promiscuous interfaces found"
else
Display --indent 2 --text "- Checking promiscuous interfaces" --result "${STATUS_WARNING}" --color RED
fi
fi
#
#################################################################################
#
# Test : NETW-3015
# Description : Checking promiscuous interfaces (Linux)
# Note : Need ifconfig binary at this moment (does not work on Arch Linux)
if [ ! "${IFCONFIGBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no NETW-3015 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking promiscuous interfaces (Linux)"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking promiscuous interfaces (Linux)"
NETWORK=$(${IFCONFIGBINARY} 2> /dev/null | ${GREPBINARY} Link | ${TRBINARY} -s ' ' | ${CUTBINARY} -d ' ' -f1)
if [ ! "${NETWORK}" = "" ]; then
for I in ${NETWORK}; do
FIND=$(${IFCONFIGBINARY} ${I} 2> /dev/null | ${GREPBINARY} PROMISC)
if [ ! "${FIND}" = "" ]; then
LogText "Result: Promiscuous interface: ${I}"
ISWHITELISTED=$(${GREPBINARY} "^if_promisc:${I}:" ${PROFILE})
if [ "${ISWHITELISTED}" = "" ]; then
FOUNDPROMISC=1
ReportWarning ${TEST_NO} "Found promiscuous interface (${I})"
LogText "Note: some tools put an interface into promiscuous mode, to capture/log network traffic"
else
LogText "Result: Found promiscuous interface ${I} (*whitelisted via profile*)"
fi
fi
done
fi
# Show result
if [ ${FOUNDPROMISC} -eq 0 ]; then
Display --indent 2 --text "- Checking promiscuous interfaces" --result "${STATUS_OK}" --color GREEN
LogText "Result: No promiscuous interfaces found"
else
Display --indent 2 --text "- Checking promiscuous interfaces" --result "${STATUS_WARNING}" --color RED
fi
fi
#
#################################################################################
#
# Test : NETW-3020
# Description : Checking multipath configuration (Solaris)
#
#################################################################################
#
# Test : NETW-3028
# Description : Checking for many waiting connections
# Type : Performance
# Notes : It is common to see a healthy web server seeing to have several thousands of TCP connections in WAIT state
if [ ! "${NETSTATBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no NETW-3028 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking connections in WAIT state"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Using netstat for check for connections in WAIT state"
FIND=$(${NETSTATBINARY} -an | ${GREPBINARY} WAIT | ${WCBINARY} -l | ${AWKBINARY} '{ print $1 }')
if [ -z "${OPTIONS_CONN_MAX_WAIT_STATE}" ]; then OPTIONS_CONN_MAX_WAIT_STATE="5000"; fi
LogText "Result: currently ${FIND} connections are in a waiting state (max configured: ${OPTIONS_CONN_MAX_WAIT_STATE})."
if [ ${FIND} -gt ${OPTIONS_CONN_MAX_WAIT_STATE} ]; then
Display --indent 2 --text "- Checking waiting connections" --result "${STATUS_WARNING}" --color YELLOW
ReportSuggestion "${TEST_NO}" "Determine why system has many connections in WAIT state (${FIND})"
else
Display --indent 2 --text "- Checking waiting connections" --result "${STATUS_OK}" --color GREEN
LogText "Result: ${FIND} connections are in WAIT state"
fi
fi
#
#################################################################################
#
# Test : NETW-3030
# Description : Checking for DHCP client
Register --test-no NETW-3030 --weight L --network NO --category security --description "Checking DHCP client status"
if [ ${SKIPTEST} -eq 0 ]; then
IsRunning dhclient || IsRunning dhcpd
if [ ${RUNNING} -eq 1 ]; then
Display --indent 2 --text "- Checking status DHCP client" --result "${STATUS_RUNNING}" --color WHITE
DHCP_CLIENT_RUNNING=1
else
Display --indent 2 --text "- Checking status DHCP client" --result "NOT ACTIVE" --color WHITE
fi
fi
#
#################################################################################
#
# Test : NETW-3032
# Description : Checking for ARP spoofing and related monitoring software
Register --test-no NETW-3032 --os Linux --weight L --network NO --category security --description "Checking for ARP monitoring software"
if [ ${SKIPTEST} -eq 0 ]; then
FOUND=0
# arpwatch
IsRunning arpwatch
if [ ${RUNNING} -eq 1 ]; then
FOUND=1
ARPWATCH_RUNNING=1
Display --indent 2 --text "- Checking for ARP monitoring software" --result "${STATUS_RUNNING}" --color GREEN
fi
# arpon
IsRunning arpon
if [ ${RUNNING} -eq 1 ]; then
FOUND=1
ARPON_RUNNING=1
Display --indent 2 --text "- Checking for ARP monitoring software" --result "${STATUS_RUNNING}" --color GREEN
fi
if [ ${FOUND} -eq 0 ]; then
Display --indent 2 --text "- Checking for ARP monitoring software" --result "${STATUS_NOT_FOUND}" --color YELLOW
ReportSuggestion ${TEST_NO} "Consider running ARP monitoring software (arpwatch,arpon)"
fi
fi
#
#################################################################################
#
Report "dhcp_client_running=${DHCP_CLIENT_RUNNING}"
Report "arpwatch_running=${ARPWATCH_RUNNING}"
WaitForKeyPress
#
#================================================================================
# Lynis - Security Auditing and System Hardening for Linux and UNIX - https://cisofy.com
|