1#!/bin/sh
2
3#################################################################################
4#
5#   Lynis
6# ------------------
7#
8# Copyright 2007-2013, Michael Boelen
9# Copyright 2007-2021, CISOfy
10#
11# Website  : https://cisofy.com
12# Blog     : http://linux-audit.com
13# GitHub   : https://github.com/CISOfy/lynis
14#
15# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
16# welcome to redistribute it under the terms of the GNU General Public License.
17# See LICENSE file for usage of this software.
18#
19#################################################################################
20#
21# NFS
22#
23#################################################################################
24#
25    InsertSection "NFS"
26#
27#################################################################################
28#
29    NFS_DAEMON_RUNNING=0
30    NFS_EXPORTS_EMPTY=0
31#
32#################################################################################
33#
    # Test        : STRG-1902
    # Description : Check rpcinfo
    # Purpose     : Record every program registered with the portmapper
    #               (rpcinfo -p). Each output line is written to the log with
    #               its runs of spaces collapsed to a single comma; nothing is
    #               scored by this test.
    case "${RPCINFOBINARY}" in
        "") PREQS_MET="NO" ;;
        *)  PREQS_MET="YES" ;;
    esac
    Register --test-no STRG-1902 --preqs-met "${PREQS_MET}" --weight L --network NO --category security --description "Check rpcinfo registered programs"
    if [ "${SKIPTEST}" -eq 0 ]; then
        LogText "Test: Checking rpcinfo registered programs"
        # tr -s turns the column spacing into commas so that one rpcinfo line
        # stays one word when the for loop below splits on whitespace
        FIND=$(${RPCINFOBINARY} -p 2> /dev/null | ${TRBINARY} -s ' ' ',')
        for I in ${FIND}; do
            LogText "rpcinfo: ${I}"
        done
        Display --indent 2 --text "- Query rpc registered programs" --result "${STATUS_DONE}" --color GREEN
    fi
46#
47#################################################################################
48#
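    # Test        : STRG-1904
    # Description : Check nfs versions in rpcinfo
    # Purpose     : Log every NFS protocol version the portmapper knows about
    #               (column 2 of rpcinfo -p for rows whose service column is
    #               "nfs"). Output is logged only; nothing is scored.
    if [ -n "${RPCINFOBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
    Register --test-no STRG-1904 --preqs-met "${PREQS_MET}" --weight L --network NO --category security --description "Check nfs rpc"
    if [ "${SKIPTEST}" -eq 0 ]; then
        LogText "Test: Checking NFS registered versions"
        # sort before uniq: uniq only collapses adjacent duplicates, so the
        # previous "uniq | sort" order could log the same version twice
        FIND=$(${RPCINFOBINARY} -p 2> /dev/null | ${AWKBINARY} '{ if ($5=="nfs") { print $2 } }' | sort | uniq)
        for I in ${FIND}; do
            LogText "Found version: ${I}"
        done
        if [ -z "${FIND}" ]; then
            LogText "Output: no NFS versions found"
        fi
        Display --indent 2 --text "- Query NFS versions" --result "${STATUS_DONE}" --color GREEN
    fi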
61#
62#################################################################################
63#
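    # Test        : STRG-1906
    # Description : Check nfs protocols (TCP/UDP) and port in rpcinfo
    # Purpose     : Log the transports and the port numbers registered for the
    #               "nfs" service. rpcinfo -p columns are: program, version,
    #               protocol, port, service. Output is logged only.
    if [ -n "${RPCINFOBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
    Register --test-no STRG-1906 --preqs-met "${PREQS_MET}" --weight L --network NO --category security --description "Check nfs rpc"
    if [ "${SKIPTEST}" -eq 0 ]; then
        LogText "Test: Checking NFS registered protocols"
        # sort before uniq: uniq only collapses adjacent duplicates
        FIND=$(${RPCINFOBINARY} -p 2> /dev/null | ${AWKBINARY} '{ if ($5=="nfs") { print $3 } }' | sort | uniq)
        for I in ${FIND}; do
            LogText "Found protocol: ${I}"
        done
        if [ -z "${FIND}" ]; then
            LogText "Output: no NFS protocols found"
        fi

        # Check port number: column 4 holds the port (column 3 is the
        # protocol, which the previous version of this check logged twice)
        LogText "Test: Checking NFS registered ports"
        FIND=$(${RPCINFOBINARY} -p 2> /dev/null | ${AWKBINARY} '{ if ($5=="nfs") { print $4 } }' | sort | uniq)
        for I in ${FIND}; do
            LogText "Found port: ${I}"
        done
        if [ -z "${FIND}" ]; then
            LogText "Output: no NFS port number found"
        fi
        Display --indent 2 --text "- Query NFS protocols" --result "${STATUS_DONE}" --color GREEN
    fi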
89#
90#################################################################################
91#
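    # Test        : STRG-1920
    # Description : Check for running NFS daemons
    # Purpose     : Detect a running nfsd from the process list and record the
    #               result in NFS_DAEMON_RUNNING, which later tests in this
    #               file use as their prerequisite.
    Register --test-no STRG-1920 --weight L --network NO --category security --description "Checking NFS daemon"
    if [ "${SKIPTEST}" -eq 0 ]; then
        LogText "Test: Checking running NFS daemon"
        # The bracket pattern cannot match the grep command line itself, so the
        # former "grep -v grep" pass is not needed (that pass also dropped any
        # nfsd process whose arguments happened to contain "grep"). Note this
        # is still an unanchored substring match on the whole command line.
        FIND=$(${PSBINARY} ax | ${GREPBINARY} "[n]fsd")
        if [ -z "${FIND}" ]; then
            LogText "Output: NFS daemon is not running"
            Display --indent 2 --text "- Check running NFS daemon" --result "${STATUS_NOT_FOUND}" --color WHITE
        else
            LogText "Output: NFS daemon is running"
            Display --indent 2 --text "- Check running NFS daemon" --result "${STATUS_FOUND}" --color GREEN
            NFS_DAEMON_RUNNING=1
        fi
    fi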
107#
108#################################################################################
109#
110    # Test        : STRG-1924
111    # Description : Check missing nfs in rpcinfo while NFS is running
112    #Register --test-no STRG-1924 --weight L --network NO --category security --description "Checking NFS daemon"
113    #if [ ${SKIPTEST} -eq 0 ]; then
114#
115#################################################################################
116#
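    # Test        : STRG-1926
    # Description : Check NFS exports
    # Purpose     : When nfsd is running, log the active lines of the exports
    #               file and set NFS_EXPORTS_EMPTY=1 when the file exists but
    #               defines nothing (used by STRG-1928 and STRG-1930).
    #               Lines are only logged; export options are not evaluated here.
    if [ "${NFS_DAEMON_RUNNING}" -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
    Register --test-no STRG-1926 --preqs-met "${PREQS_MET}" --weight L --network NO --category security --description "Checking NFS exports"
    if [ "${SKIPTEST}" -eq 0 ]; then
        LogText "Test: check /etc/exports"
        if [ -f "${ROOTDIR}etc/exports" ]; then
            LogText "Result: ${ROOTDIR}etc/exports exists"
            # Drop blank and comment lines (leading whitespace allowed), turn
            # tabs into spaces and spaces into the !space! marker, so that each
            # remaining line stays one word when the for loop splits on
            # whitespace (tabs would otherwise split a line into pieces).
            FIND=$(${GREPBINARY} -v "^[[:space:]]*$" "${ROOTDIR}etc/exports" | ${GREPBINARY} -v "^[[:space:]]*#" | ${TRBINARY} '\t' ' ' | ${SEDBINARY} 's/ /!space!/g')
            if [ -n "${FIND}" ]; then
                for I in ${FIND}; do
                    # printf rather than echo: portable for arbitrary text
                    I=$(printf '%s\n' "${I}" | ${SEDBINARY} 's/!space!/ /g')
                    LogText "Found line: ${I}"
                done
            else
                LogText "Result: ${ROOTDIR}etc/exports does not contain exported file systems"
                NFS_EXPORTS_EMPTY=1
            fi
            Display --indent 4 --text "- Checking ${ROOTDIR}etc/exports" --result "${STATUS_FOUND}" --color GREEN
        else
            # log the same path the other messages use, including ROOTDIR
            LogText "Result: file ${ROOTDIR}etc/exports does not exist"
            Display --indent 4 --text "- Checking ${ROOTDIR}etc/exports" --result "${STATUS_NOT_FOUND}" --color WHITE
        fi
    fi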
141#
142#################################################################################
143#
    # Test        : STRG-1928
    # Description : Check for empty exports file while NFS is running
    # Purpose     : Raise a suggestion when nfsd is running but STRG-1926 found
    #               no exported file systems in the exports file.
    # NOTE(review): STRG-1926 sets NFS_EXPORTS_EMPTY only when the exports file
    #               exists, so a running nfsd with no exports file at all does
    #               not reach the suggestion below.
    PREQS_MET="NO"
    if [ "${NFS_DAEMON_RUNNING}" -eq 1 ]; then
        PREQS_MET="YES"
    fi
    Register --test-no STRG-1928 --preqs-met "${PREQS_MET}" --weight L --network NO --category security --description "Checking empty /etc/exports"
    if [ "${SKIPTEST}" -eq 0 ] && [ "${NFS_EXPORTS_EMPTY}" -eq 1 ]; then
        Display --indent 6 --text "- Checking empty /etc/exports" --result "${STATUS_SUGGESTION}" --color YELLOW
        LogText "Result: ${ROOTDIR}etc/exports seems to have no exported file systems"
        ReportSuggestion "${TEST_NO}" "/etc/exports has no exported file systems, while NFS daemon is running. Check if NFS needs to run on this system"
    fi
155#
156#################################################################################
157#
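    # Test        : STRG-1930
    # Description : Check client access to nfs share
    # Purpose     : Query the local export list with showmount -e and warn when
    #               an export's client field contains "*", i.e. the share is
    #               reachable by any client. Prerequisites: nfsd running, the
    #               exports file not empty, showmount available.
    # Separate [ ] tests joined with && replace the obsolescent -a operator.
    if [ "${NFS_DAEMON_RUNNING}" -eq 1 ] && [ "${NFS_EXPORTS_EMPTY}" -eq 0 ] && [ -n "${SHOWMOUNTBINARY}" ]; then
        PREQS_MET="YES"
    else
        PREQS_MET="NO"
    fi
    Register --test-no STRG-1930 --preqs-met "${PREQS_MET}" --weight L --network NO --category security --description "Check client access to nfs share"
    if [ "${SKIPTEST}" -eq 0 ]; then
        # sed '1d' drops the first output line and awk keeps column 2
        # (presumably the header line and the client column of showmount -e).
        # The grep is an unanchored match, so patterns such as *.example.com
        # are reported as well. stderr is discarded like in the other rpc
        # queries in this file.
        # NOTE(review): a failing or silent showmount yields an empty result and
        # therefore lands in the "only some clients" branch below.
        sFIND=$(${SHOWMOUNTBINARY} -e 2> /dev/null | ${AWKBINARY} '{ print $2 }' | ${SEDBINARY} '1d' | ${GREPBINARY} "\*")
        if [ -n "${sFIND}" ]; then
            LogText "Result: all client are allowed to access a NFS share in /etc/exports"
            Display --indent 4 --text "- Checking NFS client access" --result "ALL CLIENTS" --color YELLOW
            ReportSuggestion "${TEST_NO}" "Specify clients that are allowed to access a NFS share /etc/exports"
            AddHP 2 3
        else
            LogText "Result: only some clients are allowed to access a NFS share"
            Display --indent 4 --text "- Checking NFS client access" --result "${STATUS_OK}" --color GREEN
            AddHP 3 3
        fi
    fi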
175#
176#################################################################################
177#
178
# End of the NFS tests; WaitForKeyPress is a framework helper defined outside this file.
WaitForKeyPress
180
181#
182#================================================================================
183# Lynis - Security Auditing and System Hardening for Linux and UNIX - https://cisofy.com
184