1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
|
#!/bin/sh
#################################################################################
#
# Lynis
# ------------------
#
# Copyright (c) Michael Boelen, CISOfy, and many contributors.
#
# Website : https://cisofy.com
# Blog : https://linux-audit.com/
# GitHub : https://github.com/CISOfy/lynis
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
# See LICENSE file for usage of this software.
#
#################################################################################
#
# NFS
#
#################################################################################
#
InsertSection "NFS"
#
#################################################################################
#
NFS_DAEMON_RUNNING=0
NFS_EXPORTS_EMPTY=0
#
#################################################################################
#
# Test : STRG-1902
# Description : Check rpcinfo
if [ -n "${RPCINFOBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no STRG-1902 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check rpcinfo registered programs"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking rpcinfo registered programs"
FIND=$(${RPCINFOBINARY} -p 2> /dev/null | ${TRBINARY} -s ' ' ',')
for I in ${FIND}; do
LogText "rpcinfo: ${I}"
done
Display --indent 2 --text "- Query rpc registered programs" --result "${STATUS_DONE}" --color GREEN
fi
#
#################################################################################
#
# Test : STRG-1904
# Description : Check nfs versions in rpcinfo
if [ -n "${RPCINFOBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no STRG-1904 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check nfs rpc"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking NFS registered versions"
FIND=$(${RPCINFOBINARY} -p 2> /dev/null | ${AWKBINARY} '{ if ($5=="nfs") { print $2 } }' | uniq | sort)
for I in ${FIND}; do
LogText "Found version: ${I}"
done
Display --indent 2 --text "- Query NFS versions" --result "${STATUS_DONE}" --color GREEN
fi
#
#################################################################################
#
# Test : STRG-1906
# Description : Check nfs protocols (TCP/UDP) and port in rpcinfo
if [ -n "${RPCINFOBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no STRG-1906 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check nfs rpc"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking NFS registered protocols"
FIND=$(${RPCINFOBINARY} -p 2> /dev/null | ${AWKBINARY} '{ if ($5=="nfs") { print $3 } }' | uniq | sort)
for I in ${FIND}; do
LogText "Found protocol: ${I}"
done
if [ -z "${FIND}" ]; then
LogText "Output: no NFS protocols found"
fi
# Check port number
LogText "Test: Checking NFS registered ports"
FIND=$(${RPCINFOBINARY} -p 2> /dev/null | ${AWKBINARY} '{ if ($5=="nfs") { print $3 } }' | uniq | sort)
for I in ${FIND}; do
LogText "Found port: ${I}"
done
if [ -z "${FIND}" ]; then
LogText "Output: no NFS port number found"
fi
Display --indent 2 --text "- Query NFS protocols" --result "${STATUS_DONE}" --color GREEN
fi
#
#################################################################################
#
# Test : STRG-1920
# Description : Check for running NFS daemons
Register --test-no STRG-1920 --weight L --network NO --category security --description "Checking NFS daemon"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking running NFS daemon"
FIND=$(${PSBINARY} ax | ${GREPBINARY} "nfsd" | ${GREPBINARY} -v "grep")
if [ -z "${FIND}" ]; then
LogText "Output: NFS daemon is not running"
Display --indent 2 --text "- Check running NFS daemon" --result "${STATUS_NOT_FOUND}" --color WHITE
else
LogText "Output: NFS daemon is running"
Display --indent 2 --text "- Check running NFS daemon" --result "${STATUS_FOUND}" --color GREEN
NFS_DAEMON_RUNNING=1
fi
fi
#
#################################################################################
#
# Test : STRG-1924
# Description : Check missing nfs in rpcinfo while NFS is running
#Register --test-no STRG-1924 --weight L --network NO --category security --description "Checking NFS daemon"
#if [ ${SKIPTEST} -eq 0 ]; then
#
#################################################################################
#
# Test : STRG-1926
# Description : Check NFS exports
if [ ${NFS_DAEMON_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no STRG-1926 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking NFS exports"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: check /etc/exports"
if [ -f ${ROOTDIR}etc/exports ]; then
LogText "Result: ${ROOTDIR}etc/exports exists"
FIND=$(${GREPBINARY} -v "^$" ${ROOTDIR}etc/exports | ${GREPBINARY} -v "^#" | ${SEDBINARY} 's/ /!space!/g')
if [ -n "${FIND}" ]; then
for I in ${FIND}; do
I=$(echo ${I} | ${SEDBINARY} 's/!space!/ /g')
LogText "Found line: ${I}"
done
else
LogText "Result: ${ROOTDIR}etc/exports does not contain exported file systems"
NFS_EXPORTS_EMPTY=1
fi
Display --indent 4 --text "- Checking ${ROOTDIR}etc/exports" --result "${STATUS_FOUND}" --color GREEN
else
LogText "Result: file /etc/exports does not exist"
Display --indent 4 --text "- Checking ${ROOTDIR}etc/exports" --result "${STATUS_NOT_FOUND}" --color WHITE
fi
fi
#
#################################################################################
#
# Test : STRG-1928
# Description : Check for empty exports file while NFS is running
if [ ${NFS_DAEMON_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no STRG-1928 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking empty /etc/exports"
if [ ${SKIPTEST} -eq 0 ]; then
if [ ${NFS_EXPORTS_EMPTY} -eq 1 ]; then
Display --indent 6 --text "- Checking empty /etc/exports" --result "${STATUS_SUGGESTION}" --color YELLOW
LogText "Result: ${ROOTDIR}etc/exports seems to have no exported file systems"
ReportSuggestion "${TEST_NO}" "/etc/exports has no exported file systems, while NFS daemon is running. Check if NFS needs to run on this system"
fi
fi
#
#################################################################################
#
# Test : STRG-1930
# Description : Check client access to nfs share
if [ ${NFS_DAEMON_RUNNING} -eq 1 -a ${NFS_EXPORTS_EMPTY} -eq 0 -a ! "${SHOWMOUNTBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no STRG-1930 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check client access to nfs share"
if [ ${SKIPTEST} -eq 0 ]; then
sFIND=$(${SHOWMOUNTBINARY} -e | ${AWKBINARY} '{ print $2 }' | ${SEDBINARY} '1d' | ${GREPBINARY} "\*")
if [ -n "${sFIND}" ]; then
LogText "Result: all client are allowed to access a NFS share in /etc/exports"
Display --indent 4 --text "- Checking NFS client access" --result "ALL CLIENTS" --color YELLOW
ReportSuggestion "${TEST_NO}" "Specify clients that are allowed to access a NFS share /etc/exports"
AddHP 2 3
else
LogText "Result: only some clients are allowed to access a NFS share"
Display --indent 4 --text "- Checking NFS client access" --result "${STATUS_OK}" --color GREEN
AddHP 3 3
fi
fi
#
#################################################################################
#
WaitForKeyPress
#
#================================================================================
# Lynis - Security Auditing and System Hardening for Linux and UNIX - https://cisofy.com
|
