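#!/bin/sh

#################################################################################
#
#   Lynis
# ------------------
#
# Copyright 2007-2013, Michael Boelen
# Copyright 2007-2021, CISOfy
#
# Website  : https://cisofy.com
# Blog     : http://linux-audit.com
# GitHub   : https://github.com/CISOfy/lynis
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
# See LICENSE file for usage of this software.
#
#################################################################################
#
# Squid
#
# Audit tests for a Squid proxy: daemon presence, configuration file location
# and permissions, authentication, ACLs, Safe_ports and a few hardening options.
# Helper functions (Register, LogText, Display, Report, ReportSuggestion,
# ReportWarning, AddHP, IsEmpty, InsertSection, WaitForKeyPress) and the
# *BINARY, STATUS_*, ROOTDIR, SKIPTEST and TEST_NO variables are not defined in
# this file; they are expected to be provided by whatever sources it.
#
# The *BINARY variables are expanded unquoted on purpose, as in the original,
# in case a value holds a command plus options -- TODO confirm.
#
#################################################################################
#
    # Directories searched for squid.conf / squid3.conf (space separated)
    SQUID_DAEMON_CONFIG_LOCS="${ROOTDIR}etc ${ROOTDIR}etc/squid ${ROOTDIR}etc/squid3 ${ROOTDIR}usr/local/etc/squid ${ROOTDIR}usr/local/squid/etc"
    # Set by SQD-3604 to the configuration file that will be analysed
    SQUID_DAEMON_CONFIG=""
    # Ports that should not show up in the Safe_ports ACL (checked in SQD-3624)
    SQUID_DAEMON_UNSAFE_PORTS_LIST="22 23 25"
    # Set to 1 by SQD-3602 when a Squid process is seen
    SQUID_DAEMON_RUNNING=0
#
#################################################################################
#
    InsertSection "${SECTION_SQUID_SUPPORT}"
#
#################################################################################
#
    # Test        : SQD-3602
    # Description : Check for a running Squid daemon
    # Notes       : Search for squid(3) with a space, to avoid SquidGuard and other
    #               programs.
    Register --test-no SQD-3602 --weight L --network NO --category security --description "Check for running Squid daemon"
    if [ "${SKIPTEST}" -eq 0 ]; then
        LogText "Test: Searching for a Squid daemon"
        FOUND=0
        # Check running processes; the trailing space in the pattern keeps
        # names such as squidGuard from matching
        FIND=$(${PSBINARY} ax | ${EGREPBINARY} "(squid|squid3) " | ${GREPBINARY} -v "grep")
        if [ -n "${FIND}" ]; then
            SQUID_DAEMON_RUNNING=1
            LogText "Result: Squid daemon is running"
            Display --indent 2 --text "- Checking running Squid daemon" --result "${STATUS_FOUND}" --color GREEN
        else
            LogText "Result: No running Squid daemon found"
            Display --indent 2 --text "- Checking running Squid daemon" --result "${STATUS_NOT_FOUND}" --color WHITE
        fi
    fi
#
#################################################################################
#
    # Test        : SQD-3604
    # Description : Determine Squid daemon configuration file location
    # Notes       : When several candidates exist, the last one found is used.
    if [ "${SQUID_DAEMON_RUNNING}" -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
    Register --test-no SQD-3604 --preqs-met "${PREQS_MET}" --weight L --network NO --category security --description "Check Squid daemon file location"
    if [ "${SKIPTEST}" -eq 0 ]; then
        LogText "Test: searching for squid.conf or squid3.conf file"
        for I in ${SQUID_DAEMON_CONFIG_LOCS}; do
            # Checking squid.conf
            if [ -f "${I}/squid.conf" ]; then
                LogText "Result: ${I}/squid.conf exists"
                SQUID_DAEMON_CONFIG="${I}/squid.conf"
            fi
            # Checking squid3.conf
            if [ -f "${I}/squid3.conf" ]; then
                LogText "Result: ${I}/squid3.conf exists"
                SQUID_DAEMON_CONFIG="${I}/squid3.conf"
            fi
        done
        if [ -z "${SQUID_DAEMON_CONFIG}" ]; then
            LogText "Result: No Squid configuration file found"
            Display --indent 4 --text "- Searching Squid configuration file" --result "${STATUS_NOT_FOUND}" --color YELLOW
        else
            LogText "Result: using last found configuration file: ${SQUID_DAEMON_CONFIG}"
            Display --indent 4 --text "- Searching Squid configuration" --result "${STATUS_FOUND}" --color GREEN
        fi
    fi
#
#################################################################################
#
    # Test        : SQD-3606
    # Description : Check Squid version
    # Notes       : The binary is executed to read its version, so the test is
    #               skipped when the binary carries a setuid or setgid bit.
    if [ "${SQUID_DAEMON_RUNNING}" -eq 1 ] && [ -n "${SQUID_DAEMON_CONFIG}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
    Register --test-no SQD-3606 --preqs-met "${PREQS_MET}" --weight L --network NO --category security --description "Check Squid version"
    if [ "${SKIPTEST}" -eq 0 ]; then
        if [ -n "${SQUIDBINARY}" ]; then
            LogText "Result: Squid binary found (${SQUIDBINARY})"
            # Skip check if a setuid/setgid bit is found.
            # "-perm -4000" / "-perm -2000" match when the bit is set, whatever
            # the other mode bits are. The former "-perm 4000" only matched a
            # mode of exactly 4000, so a setuid binary with ordinary rwx bits
            # (e.g. 4755) was not detected and would still have been executed.
            FIND=$(${FINDBINARY} "${SQUIDBINARY}" \( -perm -4000 -o -perm -2000 \) -print)
            if [ -z "${FIND}" ]; then
                # Version is the 4th field of the line whose 3rd field is "Version"
                FIND2=$("${SQUIDBINARY}" -v | ${AWKBINARY} '{ if ($3=="Version") { print $4 } }')
                Display --indent 4 --text "- Checking Squid version" --result "${STATUS_FOUND}" --color GREEN
                SQUID_VERSION="${FIND2}"
            else
                LogText "Result: test skipped for security reasons, setuid/setgid bit set"
                Display --indent 4 --text "- Checking Squid version" --result "${STATUS_SKIPPED}" --color RED
            fi
        else
            LogText "Result: no Squid binary found"
        fi
    fi
#
#################################################################################
#
    # Test        : SQD-3610
    # Description : Check Squid configuration options
    # Notes       : Every line that is not a comment or empty is written to the
    #               log and the report verbatim. SQD-3613 treats this file as
    #               one that may hold passwords, so the resulting log/report
    #               should be handled as sensitive data.
    if [ "${SQUID_DAEMON_RUNNING}" -eq 1 ] && [ -n "${SQUID_DAEMON_CONFIG}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
    Register --test-no SQD-3610 --preqs-met "${PREQS_MET}" --weight L --network NO --category security --description "Gather Squid settings"
    if [ "${SKIPTEST}" -eq 0 ]; then
        LogText "Test: Checking all specific defined options in ${SQUID_DAEMON_CONFIG}"
        # Spaces are encoded as !space! so the unquoted for-loop below splits
        # on lines instead of on words
        FIND=$(${GREPBINARY} -v "^#" "${SQUID_DAEMON_CONFIG}" | ${GREPBINARY} -v "^$" | ${AWKBINARY} '{gsub("\t"," ");print}' | ${SEDBINARY} 's/ /!space!/g')
        for I in ${FIND}; do
            # Decode; printf with a quoted argument avoids a second round of
            # word splitting and pathname expansion on the option text
            I=$(printf '%s\n' "${I}" | ${SEDBINARY} 's/!space!/ /g')
            LogText "Found Squid option: ${I}"
            Report "squid_option=${I}"
        done
        Display --indent 4 --text "- Checking defined Squid options" --result "${STATUS_DONE}" --color GREEN
    fi
#
#################################################################################
#
    # Test        : SQD-3613
    # Description : Check Squid configuration file permissions
    # Notes       : Flags the file when any of the "other" read, write or
    #               execute bits is set.
    if [ "${SQUID_DAEMON_RUNNING}" -eq 1 ] && [ -n "${SQUID_DAEMON_CONFIG}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
    Register --test-no SQD-3613 --preqs-met "${PREQS_MET}" --weight L --network NO --category security --description "Check Squid file permissions"
    if [ "${SKIPTEST}" -eq 0 ]; then
        LogText "Test: Checking file permissions of ${SQUID_DAEMON_CONFIG}"
        FIND=$(find "${SQUID_DAEMON_CONFIG}" -type f -a \( -perm -004 -o -perm -002 -o -perm -001 \))
        if [ -n "${FIND}" ]; then
            LogText "Result: file ${SQUID_DAEMON_CONFIG} is world readable, writable or executable and could leak information or passwords"
            Display --indent 4 --text "- Checking Squid configuration file permissions" --result "${STATUS_WARNING}" --color RED
            ReportSuggestion "${TEST_NO}" "Check file permissions of ${SQUID_DAEMON_CONFIG} to limit access"
            ReportWarning "${TEST_NO}" "File permissions of ${SQUID_DAEMON_CONFIG} are not restrictive"
            AddHP 0 2
        else
            LogText "Result: file ${SQUID_DAEMON_CONFIG} has proper file permissions"
            Display --indent 4 --text "- Checking Squid configuration file permissions" --result "${STATUS_OK}" --color GREEN
            AddHP 2 2
        fi
    fi
#
#################################################################################
#
    if [ "${SQUID_DAEMON_RUNNING}" -eq 1 ] && [ -n "${SQUID_DAEMON_CONFIG}" ]; then
        Display --indent 4 --text "- Checking Squid access control"
    fi
#
#################################################################################
#
    # Test        : SQD-3614
    # Description : Check Squid authentication
    # Notes       : Reports the second field of every auth_param line.
    if [ "${SQUID_DAEMON_RUNNING}" -eq 1 ] && [ -n "${SQUID_DAEMON_CONFIG}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
    Register --test-no SQD-3614 --preqs-met "${PREQS_MET}" --weight L --network NO --category security --description "Check Squid authentication methods"
    if [ "${SKIPTEST}" -eq 0 ]; then
        LogText "Test: check auth_param option for authentication methods"
        FIND=$(${GREPBINARY} "^auth_param" "${SQUID_DAEMON_CONFIG}" | ${AWKBINARY} '{ print $2 }')
        if [ -z "${FIND}" ]; then
            LogText "No auth_param option found, proxy access anonymous or based on other methods (like ACLs)"
            Display --indent 6 --text "- Checking Squid authentication methods" --result "${STATUS_NONE}" --color YELLOW
        else
            Display --indent 6 --text "- Checking Squid authentication methods" --result "${STATUS_FOUND}" --color GREEN
            for I in ${FIND}; do
                LogText "Result: found authentication method ${I}"
                Report "squid_auth_method=${I}"
            done
        fi
    fi
#
#################################################################################
#
    # Test        : SQD-3616
    # Description : Check external Squid authentication
    if [ "${SQUID_DAEMON_RUNNING}" -eq 1 ] && [ -n "${SQUID_DAEMON_CONFIG}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
    Register --test-no SQD-3616 --preqs-met "${PREQS_MET}" --weight L --network NO --category security --description "Check external Squid authentication"
    if [ "${SKIPTEST}" -eq 0 ]; then
        LogText "Test: check external_acl_type option for external authentication helpers"
        FIND=$(${GREPBINARY} "^external_acl_type" "${SQUID_DAEMON_CONFIG}")
        if [ -z "${FIND}" ]; then
            LogText "No external_acl_type found"
            Display --indent 6 --text "- Checking Squid external authentication methods" --result "${STATUS_NONE}" --color YELLOW
        else
            Display --indent 6 --text "- Checking Squid external authentication methods" --result "${STATUS_FOUND}" --color GREEN
            # Logged once. The earlier loop iterated over every word of the
            # matching lines and wrote the same complete output for each word.
            LogText "Result: found external authentication method helper"
            LogText "Output: ${FIND}"
            #Report "squid_external_acl_type=TRUE"
        fi
    fi
#
#################################################################################
#
    # Test        : SQD-3620
    # Description : Check ACLs
    # Notes       : Only counts "acl" lines; the rules themselves are not judged.
    if [ "${SQUID_DAEMON_RUNNING}" -eq 1 ] && [ -n "${SQUID_DAEMON_CONFIG}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
    Register --test-no SQD-3620 --preqs-met "${PREQS_MET}" --weight L --network NO --category security --description "Check Squid access control lists"
    if [ "${SKIPTEST}" -eq 0 ]; then
        COUNT=0
        LogText "Test: checking ACLs"
        # Spaces are encoded as !space! so the for-loop iterates per line
        FIND=$(${GREPBINARY} "^acl " "${SQUID_DAEMON_CONFIG}" | ${SEDBINARY} 's/ /!space!/g')
        if [ -z "${FIND}" ]; then
            LogText "Result: No ACLs found"
            Display --indent 6 --text "- Checking Access Control Lists" --result "${STATUS_NONE}" --color RED
        else
            for ITEM in ${FIND}; do
                COUNT=$((COUNT + 1))
                ITEM=$(printf '%s\n' "${ITEM}" | ${SEDBINARY} 's/!space!/ /g')
                LogText "Found ACL: ${ITEM}"
                #Report "squid_acl=${ITEM}" # TODO
            done
            LogText "Result: Found ${COUNT} ACLs"
            Display --indent 6 --text "- Checking Access Control Lists" --result "${COUNT} ACLs FOUND" --color GREEN
        fi
    fi
#
#################################################################################
#
    # Test        : SQD-3624
    # Description : Check insecure ports in Safe_ports list
    # Notes       : The unsafe-port lookup matches "acl Safe_ports port <N>" at
    #               the start of a line only. A port listed later on the same
    #               line, or covered by a range that does not begin with it, is
    #               not detected, so a NOT FOUND result is not proof that the
    #               port is excluded.
    if [ "${SQUID_DAEMON_RUNNING}" -eq 1 ] && [ -n "${SQUID_DAEMON_CONFIG}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
    Register --test-no SQD-3624 --preqs-met "${PREQS_MET}" --weight L --network NO --category security --description "Check Squid safe ports"
    if [ "${SKIPTEST}" -eq 0 ]; then
        LogText "Test: checking ACL Safe_ports http_access option"
        FIND=$(${GREPBINARY} "^http_access" "${SQUID_DAEMON_CONFIG}" | ${GREPBINARY} "Safe_ports")
        if IsEmpty "${FIND}"; then
            LogText "Result: no Safe_ports found"
            Display --indent 6 --text "- Checking ACL 'Safe_ports' http_access option" --result "${STATUS_NOT_FOUND}" --color YELLOW
            ReportSuggestion "${TEST_NO}" "Check if Squid has been configured to restrict access to all safe ports"
        else
            LogText "Result: checking ACL safe ports"
            # Fourth field of "acl Safe_ports port <N>" is the port value
            FIND2=$(${GREPBINARY} "^acl Safe_ports port" "${SQUID_DAEMON_CONFIG}" | ${AWKBINARY} '{ print $4 }')
            if IsEmpty "${FIND2}"; then
                Display --indent 6 --text "- Checking ACL 'Safe_ports' ports" --result "NONE FOUND" --color YELLOW
                ReportSuggestion "${TEST_NO}" "Check if Squid has been configured for which ports it can allow outgoing traffic (Safe_ports)"
                AddHP 0 1
            else
                LogText "Result: Safe_ports found"
                # Iterate over the extracted ports (FIND2). The loop used to
                # walk FIND, which holds the words of the http_access lines,
                # so the log listed those words as "safe ports".
                for ITEM in ${FIND2}; do
                    LogText "Found safe port: ${ITEM}"
                done
                Display --indent 6 --text "- Checking ACL 'Safe_ports' ports" --result "${STATUS_FOUND}" --color GREEN
                AddHP 1 1
            fi

            for ITEM in ${SQUID_DAEMON_UNSAFE_PORTS_LIST}; do
                LogText "Test: Checking port ${ITEM} in Safe_ports list"
                # -w keeps e.g. port 22 from matching 220
                FIND2=$(${GREPBINARY} -w "^acl Safe_ports port ${ITEM}" "${SQUID_DAEMON_CONFIG}")
                if IsEmpty "${FIND2}"; then
                    Display --indent 6 --text "- Checking ACL 'Safe_ports' (port ${ITEM})" --result "${STATUS_NOT_FOUND}" --color GREEN
                    AddHP 1 1
                else
                    Display --indent 6 --text "- Checking ACL 'Safe_ports' (port ${ITEM})" --result "${STATUS_FOUND}" --color RED
                    ReportWarning "${TEST_NO}" "Squid configuration possibly allows relaying traffic via configured Safe_port ${ITEM}"
                    AddHP 0 1
                fi
            done
        fi
    fi
#
#################################################################################
#
    if [ "${SQUID_DAEMON_RUNNING}" -eq 1 ] && [ -n "${SQUID_DAEMON_CONFIG}" ]; then
        Display --indent 4 --text "- Checking Squid Denial of Service tuning options"
    fi
#
#################################################################################
#
    # Test        : SQD-3630 [T]
    # Description : Check reply_body_max_size value
    # Notes       : Only the presence of the option is checked, not its value.
    if [ "${SQUID_DAEMON_RUNNING}" -eq 1 ] && [ -n "${SQUID_DAEMON_CONFIG}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
    Register --test-no SQD-3630 --preqs-met "${PREQS_MET}" --weight L --network NO --category security --description "Check Squid reply_body_max_size option"
    if [ "${SKIPTEST}" -eq 0 ]; then
        LogText "Test: checking option reply_body_max_size"
        FIND=$(${GREPBINARY} "^reply_body_max_size " "${SQUID_DAEMON_CONFIG}" | ${SEDBINARY} 's/ /!space!/g')
        if IsEmpty "${FIND}"; then
            LogText "Result: option reply_body_max_size not configured"
            Display --indent 6 --text "- Checking option: reply_body_max_size" --result "${STATUS_NONE}" --color RED
            AddHP 1 2
            ReportSuggestion "${TEST_NO}" "Configure Squid option reply_body_max_size to limit the upper size of requests."
        else
            LogText "Result: option reply_body_max_size configured"
            LogText "Output: ${FIND}"
            Display --indent 6 --text "- Checking option: reply_body_max_size" --result "${STATUS_FOUND}" --color GREEN
            AddHP 2 2
        fi
    fi
#
#################################################################################
#
    if [ "${SQUID_DAEMON_RUNNING}" -eq 1 ] && [ -n "${SQUID_DAEMON_CONFIG}" ]; then
        Display --indent 4 --text "- Checking Squid general options"
    fi
#
#################################################################################
#
    # Test        : SQD-3680
    # Description : Check httpd_suppress_version_string
    # Notes       : Passes when a httpd_suppress_version_string line contains " on".
    if [ "${SQUID_DAEMON_RUNNING}" -eq 1 ] && [ -n "${SQUID_DAEMON_CONFIG}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
    Register --test-no SQD-3680 --preqs-met "${PREQS_MET}" --weight L --network NO --category security --description "Check Squid version suppression"
    if [ "${SKIPTEST}" -eq 0 ]; then
        FIND=$(${GREPBINARY} "^httpd_suppress_version_string " "${SQUID_DAEMON_CONFIG}" | ${GREPBINARY} " on")
        if [ -z "${FIND}" ]; then
            LogText "Result: option httpd_suppress_version_string not configured"
            Display --indent 6 --text "- Checking option: httpd_suppress_version_string" --result "${STATUS_NOT_FOUND}" --color YELLOW
            AddHP 1 2
            ReportSuggestion "${TEST_NO}" "Configure Squid option httpd_suppress_version_string (on) to suppress the version."
        else
            LogText "Result: option httpd_suppress_version_string configured"
            LogText "Output: ${FIND}"
            Display --indent 6 --text "- Checking option: httpd_suppress_version_string" --result "${STATUS_FOUND}" --color GREEN
            AddHP 2 2
        fi
    fi
#
#################################################################################
#

WaitForKeyPress

#
#================================================================================
# Lynis - Copyright 2007-2021 Michael Boelen, CISOfy - https://cisofy.com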