"Fossies" - the Fresh Open Source Software Archive

Member "lynis/include/tests_squid" (21 Apr 2019, 17307 Bytes) of package /linux/misc/lynis-2.7.4.tar.gz:



    1 #!/bin/sh
    2 
    3 #################################################################################
    4 #
    5 #   Lynis
    6 # ------------------
    7 #
    8 # Copyright 2007-2013, Michael Boelen
    9 # Copyright 2007-2019, CISOfy
   10 #
   11 # Website  : https://cisofy.com
   12 # Blog     : http://linux-audit.com
   13 # GitHub   : https://github.com/CISOfy/lynis
   14 #
   15 # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
   16 # welcome to redistribute it under the terms of the GNU General Public License.
   17 # See LICENSE file for usage of this software.
   18 #
   19 #################################################################################
   20 #
   21 # Squid
   22 #
   23 #################################################################################
   24 #
   25     SQUID_DAEMON_CONFIG_LOCS="${ROOTDIR}etc ${ROOTDIR}etc/squid ${ROOTDIR}etc/squid3 ${ROOTDIR}usr/local/etc/squid ${ROOTDIR}usr/local/squid/etc"
   26     SQUID_DAEMON_CONFIG=""
   27     SQUID_DAEMON_UNSAFE_PORTS_LIST="22 23 25"
   28     SQUID_DAEMON_RUNNING=0
   29 #
   30 #################################################################################
   31 #
   32     InsertSection "Squid Support"
   33 #
   34 #################################################################################
   35 #
    # Test        : SQD-3602
    # Description : Detect a running Squid daemon in the process list
    # Notes       : The pattern requires a space after squid/squid3 so that
    #               SquidGuard and similar programs are not matched. It is
    #               applied to the whole 'ps ax' line, not only to the
    #               command name.
    Register --test-no SQD-3602 --weight L --network NO --category security --description "Check for running Squid daemon"
    if [ ${SKIPTEST} -eq 0 ]; then
        LogText "Test: Searching for a Squid daemon"
        FOUND=0
        # Process list reduced to Squid entries, minus the grep process itself
        FIND=$(${PSBINARY} ax | ${EGREPBINARY} "(squid|squid3) " | ${GREPBINARY} -v "grep")
        if [ -z "${FIND}" ]; then
            LogText "Result: No running Squid daemon found"
            Display --indent 2 --text "- Checking running Squid daemon" --result "${STATUS_NOT_FOUND}" --color WHITE
        else
            # The remaining SQD tests use this flag as their prerequisite
            SQUID_DAEMON_RUNNING=1
            LogText "Result: Squid daemon is running"
            Display --indent 2 --text "- Checking running Squid daemon" --result "${STATUS_FOUND}" --color GREEN
        fi
    fi
   55 #
   56 #################################################################################
   57 #
    # Test        : SQD-3604
    # Description : Locate the Squid configuration file
    # Notes       : Every location is checked; when several files exist, the
    #               last match is the one the following tests work with.
    if [ ${SQUID_DAEMON_RUNNING} -eq 1 ]; then
        PREQS_MET="YES"
    else
        PREQS_MET="NO"
    fi
    Register --test-no SQD-3604 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check Squid daemon file location"
    if [ ${SKIPTEST} -eq 0 ]; then
        LogText "Test: searching for squid.conf or squid3.conf file"
        for I in ${SQUID_DAEMON_CONFIG_LOCS}; do
            # squid.conf is tried before squid3.conf, so squid3.conf wins
            # when both exist in the same directory
            for J in squid.conf squid3.conf; do
                if [ -f "${I}/${J}" ]; then
                    LogText "Result: ${I}/${J} exists"
                    SQUID_DAEMON_CONFIG="${I}/${J}"
                fi
            done
        done
        if [ -n "${SQUID_DAEMON_CONFIG}" ]; then
            LogText "Result: using last found configuration file: ${SQUID_DAEMON_CONFIG}"
            Display --indent 4 --text "- Searching Squid configuration" --result "${STATUS_FOUND}" --color GREEN
        else
            LogText "Result: No Squid configuration file found"
            Display --indent 4 --text "- Searching Squid configuration file" --result "${STATUS_NOT_FOUND}" --color YELLOW
        fi
    fi
   84 #
   85 #################################################################################
   86 #
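    # Test        : SQD-3606
    # Description : Check Squid version
    # Notes       : The Squid binary is executed with -v to read its version.
    #               Execution is skipped when the setuid or setgid bit is set
    #               on the binary.
    if [ ${SQUID_DAEMON_RUNNING} -eq 1 ] && [ -n "${SQUID_DAEMON_CONFIG}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
    Register --test-no SQD-3606 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check Squid version"
    if [ ${SKIPTEST} -eq 0 ]; then
        if [ -n "${SQUIDBINARY}" ]; then
            LogText "Result: Squid binary found (${SQUIDBINARY})"
            # Skip check if a setuid/setgid bit is found.
            # '-perm -4000' / '-perm -2000' match when that bit is set next to
            # any other permission bits. Without the leading dash find compares
            # the complete mode, so a binary with mode 4755 would slip past
            # this guard and still be executed.
            FIND=$(${FINDBINARY} "${SQUIDBINARY}" \( -perm -4000 -o -perm -2000 \) -print)
            if [ -z "${FIND}" ]; then
                # Prints the fourth field of the line whose third field is "Version"
                FIND2=$("${SQUIDBINARY}" -v | ${AWKBINARY} '{ if ($3=="Version") { print $4 } }')
                Display --indent 4 --text "- Checking Squid version" --result "${STATUS_FOUND}" --color GREEN
                SQUID_VERSION="${FIND2}"
            else
                LogText "Result: test skipped for security reasons, setuid/setgid bit set"
                Display --indent 4 --text "- Checking Squid version" --result "${STATUS_SKIPPED}" --color RED
            fi
        else
            LogText "Result: no Squid binary found"
        fi
    fi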
  108 #
  109 #################################################################################
  110 #
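    # Test        : SQD-3610
    # Description : Check Squid configuration options
    # Notes       : Every active line of the configuration file is copied to the
    #               log and the report.
    # NOTE(review): Squid directives can carry credentials (for example a
    #               cache_peer line with a login= option); such lines end up in
    #               the report unmasked - confirm the report is protected.
    if [ ${SQUID_DAEMON_RUNNING} -eq 1 ] && [ -n "${SQUID_DAEMON_CONFIG}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
    Register --test-no SQD-3610 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Gather Squid settings"
    if [ ${SKIPTEST} -eq 0 ]; then
        LogText "Test: Checking all specific defined options in ${SQUID_DAEMON_CONFIG}"
        # Drop comment and empty lines, turn tabs into spaces, then mask spaces
        # so the for loop below receives one word per configuration line
        FIND=$(${GREPBINARY} -v "^#" "${SQUID_DAEMON_CONFIG}" | ${GREPBINARY} -v "^$" | ${AWKBINARY} '{gsub("\t"," ");print}' | ${SEDBINARY} 's/ /!space!/g')
        for I in ${FIND}; do
            # printf with a quoted argument instead of 'echo ${I}': some echo
            # implementations interpret backslash sequences (frequent in regex
            # directives), and the unquoted word was open to pathname expansion
            I=$(printf '%s\n' "${I}" | ${SEDBINARY} 's/!space!/ /g')
            LogText "Found Squid option: ${I}"
            Report "squid_option=${I}"
        done
        Display --indent 4 --text "- Checking defined Squid options" --result "${STATUS_DONE}" --color GREEN
    fi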
  125 #
  126 #################################################################################
  127 #
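    # Test        : SQD-3613
    # Description : Check Squid configuration file permissions
    # Notes       : The file is flagged when any permission bit for 'other'
    #               (read, write or execute) is set.
    # NOTE(review): find does not follow a symbolic link given as start path by
    #               default, so a symlinked configuration file fails '-type f'
    #               and ends up in the 'proper file permissions' branch -
    #               confirm whether that is intended.
    if [ ${SQUID_DAEMON_RUNNING} -eq 1 ] && [ -n "${SQUID_DAEMON_CONFIG}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
    Register --test-no SQD-3613 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check Squid file permissions"
    if [ ${SKIPTEST} -eq 0 ]; then
        LogText "Test: Checking file permissions of ${SQUID_DAEMON_CONFIG}"
        # Use the same find binary variable as SQD-3606 rather than resolving
        # 'find' through PATH
        FIND=$(${FINDBINARY} "${SQUID_DAEMON_CONFIG}" -type f -a \( -perm -004 -o -perm -002 -o -perm -001 \))
        if [ -n "${FIND}" ]; then
            LogText "Result: file ${SQUID_DAEMON_CONFIG} is world readable, writable or executable and could leak information or passwords"
            Display --indent 4 --text "- Checking Squid configuration file permissions" --result "${STATUS_WARNING}" --color RED
            ReportSuggestion ${TEST_NO} "Check file permissions of ${SQUID_DAEMON_CONFIG} to limit access"
            ReportWarning ${TEST_NO} "File permissions of ${SQUID_DAEMON_CONFIG} are not restrictive"
            AddHP 0 2
        else
            LogText "Result: file ${SQUID_DAEMON_CONFIG} has proper file permissions"
            Display --indent 4 --text "- Checking Squid configuration file permissions" --result "${STATUS_OK}" --color GREEN
            AddHP 2 2
        fi
    fi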
  147 #
  148 #################################################################################
  149 #
    # Sub-header for the access control tests, printed only when Squid runs
    # and a configuration file was found
    if [ ${SQUID_DAEMON_RUNNING} -eq 1 ] && [ -n "${SQUID_DAEMON_CONFIG}" ]; then
        Display --indent 4 --text "- Checking Squid access control"
    fi
  153 #
  154 #################################################################################
  155 #
    # Test        : SQD-3614
    # Description : Check Squid authentication
    # Notes       : Reports the second field of every auth_param line, so a
    #               scheme configured through several auth_param lines is
    #               reported once per line.
    if [ ${SQUID_DAEMON_RUNNING} -eq 1 ] && [ -n "${SQUID_DAEMON_CONFIG}" ]; then
        PREQS_MET="YES"
    else
        PREQS_MET="NO"
    fi
    Register --test-no SQD-3614 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check Squid authentication methods"
    if [ ${SKIPTEST} -eq 0 ]; then
        LogText "Test: check auth_param option for authentication methods"
        FIND=$(${GREPBINARY} "^auth_param" ${SQUID_DAEMON_CONFIG} | ${AWKBINARY} '{ print $2 }')
        if [ -n "${FIND}" ]; then
            Display --indent 6 --text "- Checking Squid authentication methods" --result "${STATUS_FOUND}" --color GREEN
            for I in ${FIND}; do
                LogText "Result: found authentication method ${I}"
                Report "squid_auth_method=${I}"
            done
        else
            # No auth_param at all: access is not tied to proxy authentication
            LogText "No auth_param option found, proxy access anonymous or based on other methods (like ACLs)"
            Display --indent 6 --text "- Checking Squid authentication methods" --result "${STATUS_NONE}" --color YELLOW
        fi
    fi
  174 #
  175 #################################################################################
  176 #
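    # Test        : SQD-3616
    # Description : Check external Squid authentication
    # Notes       : Logs every external_acl_type line of the configuration file.
    if [ ${SQUID_DAEMON_RUNNING} -eq 1 ] && [ -n "${SQUID_DAEMON_CONFIG}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
    Register --test-no SQD-3616 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check external Squid authentication"
    if [ ${SKIPTEST} -eq 0 ]; then
        LogText "Test: check external_acl_type option for external authentication helpers"
        FIND=$(${GREPBINARY} "^external_acl_type" "${SQUID_DAEMON_CONFIG}")
        if [ -z "${FIND}" ]; then
            LogText "No external_acl_type found"
            Display --indent 6 --text "- Checking Squid external authentication methods" --result "${STATUS_NONE}" --color YELLOW
        else
            Display --indent 6 --text "- Checking Squid external authentication methods" --result "${STATUS_FOUND}" --color GREEN
            # Iterate per matching line. Looping over the raw output split it on
            # every word and logged the complete result once for each word, so
            # whitespace is masked first (same idiom as SQD-3610).
            for I in $(printf '%s\n' "${FIND}" | ${AWKBINARY} '{gsub("\t"," ");print}' | ${SEDBINARY} 's/ /!space!/g'); do
                I=$(printf '%s\n' "${I}" | ${SEDBINARY} 's/!space!/ /g')
                LogText "Result: found external authentication method helper"
                LogText "Output: ${I}"
                #Report "squid_external_acl_type=TRUE"
            done
        fi
    fi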
  196 #
  197 #################################################################################
  198 #
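    # Test        : SQD-3620
    # Description : Check ACLs
    # Notes       : Counts and logs the lines starting with 'acl '. The absence
    #               of any ACL is displayed in red.
    if [ ${SQUID_DAEMON_RUNNING} -eq 1 ] && [ -n "${SQUID_DAEMON_CONFIG}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
    Register --test-no SQD-3620 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check Squid access control lists"
    if [ ${SKIPTEST} -eq 0 ]; then
        COUNT=0
        LogText "Test: checking ACLs"
        # Spaces are masked so the for loop receives one word per ACL line
        FIND=$(${GREPBINARY} "^acl " "${SQUID_DAEMON_CONFIG}" | ${SEDBINARY} 's/ /!space!/g')
        if [ -z "${FIND}" ]; then
            LogText "Result: No ACLs found"
            Display --indent 6 --text "- Checking Access Control Lists" --result "${STATUS_NONE}" --color RED
        else
            for ITEM in ${FIND}; do
                COUNT=$((COUNT + 1))
                # printf with a quoted argument instead of 'echo ${ITEM}': regex
                # ACLs contain backslashes that some echo implementations
                # interpret, and the unquoted word was open to pathname expansion
                ITEM=$(printf '%s\n' "${ITEM}" | ${SEDBINARY} 's/!space!/ /g')
                LogText "Found ACL: ${ITEM}"
                #Report "squid_acl=${ITEM}" # TODO
            done
            LogText "Result: Found ${COUNT} ACLs"
            Display --indent 6 --text "- Checking Access Control Lists" --result "${COUNT} ACLs FOUND" --color GREEN
        fi
    fi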
  221 #
  222 #################################################################################
  223 #
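    # Test        : SQD-3624
    # Description : Check insecure ports in Safe_ports list
    # Notes       : A port from SQUID_DAEMON_UNSAFE_PORTS_LIST is detected only when
    #               it is the first value on an 'acl Safe_ports port' line written
    #               with single spaces. A range that merely contains the port, or
    #               a later value on the same line, is not matched by the grep
    #               below, so a clean result is not proof that the port is blocked.
    if [ ${SQUID_DAEMON_RUNNING} -eq 1 ] && [ -n "${SQUID_DAEMON_CONFIG}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
    Register --test-no SQD-3624 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check Squid safe ports"
    if [ ${SKIPTEST} -eq 0 ]; then
        LogText "Test: checking ACL Safe_ports http_access option"
        # http_access rules that refer to the Safe_ports ACL
        FIND=$(${GREPBINARY} "^http_access" "${SQUID_DAEMON_CONFIG}" | ${GREPBINARY} "Safe_ports")
        if IsEmpty "${FIND}"; then
            LogText "Result: no Safe_ports found"
            Display --indent 6 --text "- Checking ACL 'Safe_ports' http_access option" --result "${STATUS_NOT_FOUND}" --color YELLOW
            ReportSuggestion ${TEST_NO} "Check if Squid has been configured to restrict access to all safe ports"
        else
            LogText "Result: checking ACL safe ports"
            # Fourth field of every 'acl Safe_ports port <value>' line
            FIND2=$(${GREPBINARY} "^acl Safe_ports port" "${SQUID_DAEMON_CONFIG}" | ${AWKBINARY} '{ print $4 }')
            if IsEmpty "${FIND2}"; then
                Display --indent 6 --text "- Checking ACL 'Safe_ports' ports" --result "NONE FOUND" --color YELLOW
                ReportSuggestion ${TEST_NO} "Check if Squid has been configured for which ports it can allow outgoing traffic (Safe_ports)"
                AddHP 0 1
            else
                LogText "Result: Safe_ports found"
                # Log the port values (FIND2). FIND holds the http_access rule,
                # whose words were previously logged as if they were ports.
                for ITEM in ${FIND2}; do
                    LogText "Found safe port: ${ITEM}"
                done
                Display --indent 6 --text "- Checking ACL 'Safe_ports' ports" --result "${STATUS_FOUND}" --color GREEN
                AddHP 1 1
            fi

            for ITEM in ${SQUID_DAEMON_UNSAFE_PORTS_LIST}; do
                LogText "Test: Checking port ${ITEM} in Safe_ports list"
                # -w stops port 22 from matching 220 or 2222
                FIND2=$(${GREPBINARY} -w "^acl Safe_ports port ${ITEM}" "${SQUID_DAEMON_CONFIG}")
                if IsEmpty "${FIND2}"; then
                    Display --indent 6 --text "- Checking ACL 'Safe_ports' (port ${ITEM})" --result "${STATUS_NOT_FOUND}" --color GREEN
                    AddHP 1 1
                else
                    Display --indent 6 --text "- Checking ACL 'Safe_ports' (port ${ITEM})" --result "${STATUS_FOUND}" --color RED
                    ReportWarning ${TEST_NO} "Squid configuration possibly allows relaying traffic via configured Safe_port ${ITEM}"
                    AddHP 0 1
                fi
            done
        fi
    fi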
  265 #
  266 #################################################################################
  267 #
    # Sub-header for the denial-of-service tuning tests, printed only when
    # Squid runs and a configuration file was found
    if [ ${SQUID_DAEMON_RUNNING} -eq 1 ] && [ -n "${SQUID_DAEMON_CONFIG}" ]; then
        Display --indent 4 --text "- Checking Squid Denial of Service tuning options"
    fi
  271 #
  272 #################################################################################
  273 #
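    # Test        : SQD-3630 [T]
    # Description : Check reply_body_max_size value
    # Notes       : Only the presence of the option is tested, not its value.
    if [ ${SQUID_DAEMON_RUNNING} -eq 1 ] && [ -n "${SQUID_DAEMON_CONFIG}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
    Register --test-no SQD-3630 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check Squid reply_body_max_size option"
    if [ ${SKIPTEST} -eq 0 ]; then
        LogText "Test: checking option reply_body_max_size"
        # The result is only tested for emptiness and logged, never looped over,
        # so spaces are left alone; masking them put '!space!' into the log.
        FIND=$(${GREPBINARY} "^reply_body_max_size " "${SQUID_DAEMON_CONFIG}")
        if IsEmpty "${FIND}"; then
            LogText "Result: option reply_body_max_size not configured"
            Display --indent 6 --text "- Checking option: reply_body_max_size" --result "${STATUS_NONE}" --color RED
            AddHP 1 2
            ReportSuggestion ${TEST_NO} "Configure Squid option reply_body_max_size to limit the upper size of requests."
        else
            LogText "Result: option reply_body_max_size configured"
            LogText "Output: ${FIND}"
            Display --indent 6 --text "- Checking option: reply_body_max_size" --result "${STATUS_FOUND}" --color GREEN
            AddHP 2 2
        fi
    fi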
  293 #
  294 #################################################################################
  295 #
    # Sub-header for the general option tests, printed only when Squid runs
    # and a configuration file was found
    if [ ${SQUID_DAEMON_RUNNING} -eq 1 ] && [ -n "${SQUID_DAEMON_CONFIG}" ]; then
        Display --indent 4 --text "- Checking Squid general options"
    fi
  299 #
  300 #################################################################################
  301 #
    # Test        : SQD-3680
    # Description : Check httpd_suppress_version_string
    # Notes       : The second grep keeps only lines containing ' on', so the
    #               option set to 'off' is reported like a missing option.
    if [ ${SQUID_DAEMON_RUNNING} -eq 1 ] && [ -n "${SQUID_DAEMON_CONFIG}" ]; then
        PREQS_MET="YES"
    else
        PREQS_MET="NO"
    fi
    Register --test-no SQD-3680 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check Squid version suppression"
    if [ ${SKIPTEST} -eq 0 ]; then
        FIND=$(${GREPBINARY} "^httpd_suppress_version_string " ${SQUID_DAEMON_CONFIG} | ${GREPBINARY} " on")
        if [ -n "${FIND}" ]; then
            LogText "Result: option httpd_suppress_version_string configured"
            LogText "Output: ${FIND}"
            Display --indent 6 --text "- Checking option: httpd_suppress_version_string" --result "${STATUS_FOUND}" --color GREEN
            AddHP 2 2
        else
            LogText "Result: option httpd_suppress_version_string not configured"
            Display --indent 6 --text "- Checking option: httpd_suppress_version_string" --result "${STATUS_NOT_FOUND}" --color YELLOW
            AddHP 1 2
            ReportSuggestion ${TEST_NO} "Configure Squid option httpd_suppress_version_string (on) to suppress the version."
        fi
    fi
  320 #
  321 #################################################################################
  322 #
  323 
  324 WaitForKeyPress
  325 
  326 #
  327 #================================================================================
  328 # Lynis - Copyright 2007-2019 Michael Boelen, CISOfy - https://cisofy.com