File: tests_kerberos

#!/bin/sh

# Open the Kerberos section of the report. SECTION_KERBEROS and InsertSection are
# expected to be provided by the caller that includes this file (not defined here).
InsertSection "${SECTION_KERBEROS}"

#
#########################################################################
#

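    # Test        : KRB-1000
    # Description : Check for the Kerberos KDC tools (kadmin.local and kdb5_util) and a non-empty
    #               principal list. The outcome (PREQS_MET) gates every following KRB test in this
    #               file through their --preqs-met argument.
    Register --test-no KRB-1000 --weight L --network NO --description "Check for Kerberos KDC tools"
    # KADMINLOCALBINARY / KDB5UTILBINARY are expected to be set (possibly empty) by the caller's
    # binary detection; both must be present before anything is queried.
    PREQS_MET="NO"
    if [ -n "${KADMINLOCALBINARY}" ] && [ -n "${KDB5UTILBINARY}" ]; then
        # Make sure krb5 debugging doesn't mess up the output
        unset KRB5_TRACE
        # One space-separated line of principal names; later tests iterate over it with word
        # splitting. NOTE(review): names are also subject to pathname expansion in those loops.
        PRINCS="$(${KADMINLOCALBINARY} listprincs 2>/dev/null | ${TRBINARY:-tr} '\n' ' ')"
        if [ -n "${PRINCS}" ]; then
            PREQS_MET="YES"
        fi
    fi
    if [ "${PREQS_MET}" = "YES" ]; then
        Display --indent 2 --text "- Check for Kerberos KDC and principals" --result "${STATUS_FOUND}" --color GREEN
    else
        Display --indent 2 --text "- Check for Kerberos KDC and principals" --result "${STATUS_NOT_FOUND}" --color WHITE
    fi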

    # Test        : KRB-1010
    # Description : Check that Kerberos principals have passwords that expire
    Register --test-no KRB-1010 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check that Kerberos principals have passwords that expire"
    if [ ${SKIPTEST} -eq 0 ]; then
        FOUND=0
        # PRINCS is the space-separated principal list produced by KRB-1000; word splitting is intended
        for I in ${PRINCS}; do
            FIND="$(${KADMINLOCALBINARY} getprinc "${I}" | ${GREPBINARY} '^Password expiration date:')"
            # Only the literal "[never]" value is flagged; the quoted pattern keeps the brackets literal
            case "${FIND}" in
                "Password expiration date: [never]")
                    LogText "Result: Kerberos principal ${I} has a password/key that never expires"
                    FOUND=1
                    ;;
            esac
        done
        if [ ${FOUND} -eq 1 ]; then
            Display --indent 4 --text "- Principals without expiring password" --result "${STATUS_WARNING}" --color RED
            ReportSuggestion "${TEST_NO}" "Make sure all your Kerberos principals have expiring passwords"
        else
            Display --indent 4 --text "- Principals without expiring password" --result "${STATUS_OK}" --color GREEN
        fi
    fi
#
#################################################################################
#

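    # Test        : KRB-1020
    # Description : Check last password change for Kerberos principals
    Register --test-no KRB-1020 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check last password change for Kerberos principals"
    if [ ${SKIPTEST} -eq 0 ]; then
        FOUND=0
        # Epoch seconds one year before NOW. NOW is expected to be supplied by the caller; fall
        # back to the current time so an unset NOW does not evaluate to 0 and flag every principal.
        KRB_CHANGE_LIMIT=$(( ${NOW:-$(date +%s)} - 60 * 60 * 24 * 365 ))
        for I in ${PRINCS}
        do
            # GNU sed syntax (\s, \+): prints only the value following "Last password change:"
            FIND="$(${KADMINLOCALBINARY} getprinc "${I}" | ${SEDBINARY} -n '/^Last password change:\s\+/s/^Last password change:\s\+//p')"
            if [ "${FIND}" = "[never]" ]
            then
                LogText "Result: Kerberos principal ${I} has a password/key that has never been changed"
                FOUND=1
            else
                # date -d is GNU-specific; when it fails (non-GNU date, unparsable value) J is empty
                J="$(date -d "${FIND}" +%s 2>/dev/null)"
                case "${J}" in
                    ''|*[!0-9]*)
                        # Never hand a non-numeric value to -lt: log it instead of erroring out mid-loop
                        LogText "Result: could not determine last password change date for Kerberos principal ${I} (value: '${FIND}')"
                        ;;
                    *)
                        if [ "${J}" -lt "${KRB_CHANGE_LIMIT}" ]
                        then
                            LogText "Result: Kerberos principal ${I} has had a password/key change over a year ago"
                            FOUND=1
                        fi
                        ;;
                esac
            fi
        done
        unset KRB_CHANGE_LIMIT
        if [ ${FOUND} -eq 1 ]; then
            Display --indent 4 --text "- Principals with late password change" --result "${STATUS_WARNING}" --color RED
            ReportSuggestion "${TEST_NO}" "Enforce frequent password/key change for your Kerberos principals"
        else
            Display --indent 4 --text "- Principals with late password change" --result "${STATUS_OK}" --color GREEN
        fi
    fi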

#
#################################################################################
#

    # Test        : KRB-1030
    # Description : Check that Kerberos principals have a policy associated to them
    # NOTE(review): the registered id is KRB5-1030 while every other test here (and this header)
    # uses the KRB- prefix; left as is because test ids are user-visible (reports, skip lists).
    Register --test-no KRB5-1030 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check that Kerberos principals have a policy associated to them"
    if [ ${SKIPTEST} -eq 0 ]; then
        FOUND=0
        # PRINCS is the space-separated principal list produced by KRB-1000; word splitting is intended
        for I in ${PRINCS}; do
            FIND="$(${KADMINLOCALBINARY} getprinc "${I}" | ${GREPBINARY} '^Policy:')"
            # Only the literal "[none]" value is flagged; the quoted pattern keeps the brackets literal
            case "${FIND}" in
                "Policy: [none]")
                    LogText "Result: Kerberos principal ${I} does not have a policy associated to it"
                    FOUND=1
                    ;;
            esac
        done
        if [ ${FOUND} -eq 1 ]; then
            Display --indent 4 --text "- Principals without associated policy" --result "${STATUS_WARNING}" --color RED
            ReportSuggestion "${TEST_NO}" "Make sure all your Kerberos principals have a policy associated to them"
        else
            Display --indent 4 --text "- Principals without associated policy" --result "${STATUS_OK}" --color GREEN
        fi
    fi

#
#################################################################################
#

    # Test        : KRB-1040
    # Description : Check various attributes for Kerberos principals
    # NOTE(review): the registered id is KRB5-1040 while this header and most tests in the file use
    # the KRB- prefix; left as is because test ids are user-visible (reports, skip lists).
    Register --test-no KRB5-1040 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check various attributes for Kerberos principals"
    if [ ${SKIPTEST} -eq 0 ]; then
        FOUND=0
        # PRINCS is the space-separated principal list produced by KRB-1000; word splitting is intended
        for I in ${PRINCS}
        do
            # GNU sed syntax (\s, \+): J holds the text after "Attributes:", or is empty when the line
            # is missing or getprinc fails (an empty J makes every check below report a finding)
            J="$(${KADMINLOCALBINARY} getprinc "${I}" | ${SEDBINARY} -n 's/^Attributes:\s\+\(.\+\)$/\1/p')"
            # ContainsString is defined elsewhere; the patterns (\b, +, anchors) read as extended regex
            # applied to the second argument — TODO confirm its regex flavour.
            # Principals that guard the realm itself: master key, kadmin service and TGS keys
            if ContainsString "^K/M@" "${I}" || \
                ContainsString "^kadmin/admin@" "${I}" || \
                ContainsString "^kadmin/changepw@" "${I}" || \
                ContainsString "^krbtgt/" "${I}"
            then
                if ! ContainsString "\bLOCKDOWN_KEYS\b" "${J}"
                then
                    LogText "Result: Sensitive Kerberos principal ${I} does not have the lockdown_keys attribute"
                    FOUND=1
                fi
            # Any "<name>/admin@..." instance that did not match the sensitive set above
            elif ContainsString "/admin@" "${I}"
            then
                if ! ContainsString "\bDISALLOW_TGT_BASED\b" "${J}"
                then
                    LogText "Result: Kerberos admin principal ${I} does not have the disallow_tgt_based attribute"
                    FOUND=1
                fi
            # Single-component (no "/") names are treated as regular user principals;
            # service and host principals with an instance fall through unchecked
            elif ContainsString "^[^/$]+@" "${I}"
            then
                # Both attributes are required, in this order in the Attributes line
                if ! ContainsString "\bREQUIRES_PRE_AUTH\b.+\bDISALLOW_SVR\b" "${J}"
                then
                    LogText "Result: Regular Kerberos user principal ${I} does not have the requires_pre_auth and/or the disallow_svr attribute"
                    FOUND=1
                fi
            fi
        done
        if [ ${FOUND} -eq 1 ]; then
            Display --indent 4 --text "- Checking principals for various attributes" --result "${STATUS_WARNING}" --color RED
            ReportSuggestion "${TEST_NO}" "Harden your Kerberos principals with appropriate attributes"
        else
            Display --indent 4 --text "- Checking principals for various attributes" --result "${STATUS_OK}" --color GREEN
        fi
    fi

#
#################################################################################
#

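    # Test        : KRB-1050
    # Description : Check for weak crypto
    Register --test-no KRB-1050 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check for weak crypto"
    if [ ${SKIPTEST} -eq 0 ]; then
        # Column 4 of "kdb5_util tabdump keyinfo" is taken as the enctype name; one "principal enctype"
        # pair is printed per matching key. The pattern is deliberately broad: besides des*, arcfour
        # and des3-cbc it also matches enctypes whose name contains "sha1" (e.g. the RFC 3962
        # aes*-cts-hmac-sha1-96 types), which is exactly what the suggestion text asks to remove.
        FIND="$(${KDB5UTILBINARY} tabdump keyinfo 2>/dev/null | ${AWKBINARY} '$4 ~ /(des|arcfour|cbc|sha1)/{print$1,$4}')"
        if [ -n "${FIND}" ]; then
            # -r keeps any backslash in a principal name literal instead of interpreting it
            while read -r I J
            do
                LogText "Result: Kerberos principal ${I} has a key with weak cryptographic algorithm ${J}"
            done << EOF
${FIND}
EOF
            Display --indent 4 --text "- Principals with weak crypto" --result "${STATUS_WARNING}" --color RED
            ReportSuggestion "${TEST_NO}" "Remove weak (des|arcfour|cbc|sha1) cryptographic keys from principals"
        else
            Display --indent 4 --text "- Principals with weak crypto" --result "${STATUS_OK}" --color GREEN
        fi
    fi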

#
#################################################################################
#

# Drop the working variables so they do not linger in the including shell
unset PRINCS I J

#EOF