File: tests_dns

package info (click to toggle)
lynis 3.1.6-1
  • links: PTS, VCS
  • area: main
  • in suites: forky, sid
  • size: 2,260 kB
  • sloc: sh: 20,568; makefile: 2
file content (72 lines) | stat: -rw-r--r-- 3,467 bytes parent folder | download | duplicates (2) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
 
#!/bin/sh

#################################################################################
#
#   Lynis
# ------------------
#
# Copyright (c) Michael Boelen, CISOfy, and many contributors.
#
# Website  : https://cisofy.com
# Blog     : https://linux-audit.com/
# GitHub   : https://github.com/CISOfy/lynis
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
# See LICENSE file for usage of this software.
#
#################################################################################
#
# DNS
#
#################################################################################
#
#    # TODO create records on test domain
#    # TODO after update even IP match can be checked to detect hijacking
#    SIGOKDNS="sigok.example.org"      # address with good DNSSEC signature
#    SIGFAILDNS="sigfail.example.org"  # address with bad  DNSSEC signature
#    TIMEOUT=";; connection timed out; no servers could be reached"
#
#################################################################################
#
#    InsertSection "DNS"
#
#################################################################################
#
#    # Test        : DNS-1600
#    # Description : Validate DNSSEC signature is checked
#    Register --test-no DNS-1600 --weight L --network YES --category security --description "Validate DNSSEC igniture is checked"
#    if [ "${SKIPTEST}" -eq 0 ]; then
#        if [ -n "${DIGBINARY}" ]; then
#
#            GOOD=$("${DIGBINARY}" +short +time=1 $SIGOKDNS)
#            BAD=$("${DIGBINARY}" +short +time=1 $SIGFAILDNS)
#
#            if [ "${GOOD}" = "${TIMEOUT}" -a "${BAD}" = "${TIMEOUT}" ]; then
#                LogText "Result: received timeout, can't determine DNSSEC validation"
#                Display --indent 4 --text "- Checking DNSSEC validation" --result "${STATUS_UNKNOWN}" --color YELLOW
#                #ReportException "${TEST_NO}" "Exception found, both query failed, due to connection timeout"
#            elif [ -z "${GOOD}" -a -n "${BAD}" ]; then
#                LogText "Result: good signature failed, yet bad signature was accepted"
#                Display --indent 4 --text "- Checking DNSSEC validation" --result "${STATUS_UNKNOWN}" --color YELLOW
#                #ReportException "${TEST_NO}" "Exception found, OK failed, bad signature was accepted"
#            elif [ -n "${GOOD}" -a -n "${BAD}" ]; then
#                Display --indent 4 --text "- Checking DNSSEC validation" --result "${STATUS_SUGGESTION}" --color YELLOW
#                LogText "Note: Using DNSSEC validation can protect from DNS hijacking"
#                #ReportSuggestion "${TEST_NO}" "Altered DNS queries are accepted, configure DNSSEC validating name servers"
#                AddHP 2 2
#            elif [ -n "${GOOD}" -a -z "${BAD}" ]; then
#                Display --indent 4 --text "- Checking DNSSEC validation" --result "${STATUS_OK}" --color GREEN
#                LogText "Result: altered DNS responses were ignored"
#                AddHP 0 2
#            fi
#        else
#            Display --indent 4 --text "- DNSSEC validation" --result "${STATUS_SKIPPED}" --color YELLOW
#            LogText "Result: dig not installed, test can't be fully performed"
#        fi
#    else
#        LogText "Result: Test was skipped"
#    fi
#
#################################################################################
#