tiger 1:3.2.3-12 / usr / lib / tiger / systems / Linux / 2 / check_network_config

This file is indexed.

/usr/lib/tiger/systems/Linux/2/check_network_config is in tiger 1:3.2.3-12.

This file is owned by root:root, with mode 0o755.

The actual contents of the file can be viewed below. 

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
#!/bin/sh
#
#     tiger - A UN*X security checking system
#     Copyright (C) 2002 Javier Fernandez-Sanguino 
#
#    This program is free software; you can redistribute it and/or modify
#    it under the terms of the GNU General Public License as published by
#    the Free Software Foundation; either version 2, or (at your option)
#    any later version.
#
#    This program is distributed in the hope that it will be useful,
#    but WITHOUT ANY WARRANTY; without even the implied warranty of
#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#    GNU General Public License for more details.
#
#     Please see the file `COPYING' for the complete copyright notice.
#
# check_network_config: checks for security configuration paramenters of the
#                network environment (using /proc)
#
# 11/25/2002 jfs - Initial version derived from Hispasec's bulletin
#                  (which is based on documentation online)
# 15/04/2003 jfs - Changed ERROR into FAIL
# 10/15/2003 jfs - Return '1' instead of '-1' (Debian bug #215891)
# 04/16/2005 jfs - Fixed check of ICMP redirects (Debian bug #304957).
#                  Also fixed call to message so that everything appears
#                  in one line.
# 04/17/2005 jfs - Added check for local firewall rules
#
# References:
# http://www.linuxsecurity.com/articles/network_security_article-4528.html
# http://linux.oreillynet.com/pub/a/linux/2000/11/16/LinuxAdmin.html
# 
#-----------------------------------------------------------------------------
# TODO
# 
# - Check if conf/all have the same information as conf/default, conf/ethX...
#   (since a given interface might be different from the others)
#
#-----------------------------------------------------------------------------
#
TigerInstallDir="/usr/lib/tiger"

#
# Set default base directory.
# Order or preference:
#      -B option
#      TIGERHOMEDIR environment variable
#      TigerInstallDir installed location
#
basedir=${TIGERHOMEDIR:=$TigerInstallDir}

for parm
do
   case $parm in
   -B) basedir=$2; break;;
   esac
done
#
# Verify that a config file exists there, and if it does
# source it.
#
[ ! -r $basedir/config ] && {
  echo "--ERROR-- [init002e] No 'config' file in \`$basedir'."
  exit 1
}
. $basedir/config

. $BASEDIR/initdefs
#
# If run in test mode (-t) this will verify that all required
# elements are set.
#
[ "$Tiger_TESTMODE" = 'Y' ] && {
  haveallcmds CAT || exit 1
  haveallfiles PROCDIR BASEDIR WORKDIR || exit 1
  
  echo "--CONFIG-- [init003c] $0: Configuration ok..."
  exit 0
}
#------------------------------------------------------------------------
haveallcmds CAT || exit 1
haveallfiles BASEDIR WORKDIR || exit 1
haveallfiles PROCDIR || {
        message ERROR lin008e "" "The $PROCDIR filesystem is not available. Please make sure you have configured support for this pseudo-filesystem."
	exit 1
}
echo
echo "# Checking network configuration"

# Instead of using the sysctl interface we are going to $CAT from the
# specified locations

read_if_exist() {
# Reads a file if it exists
# Otherwise returns 1
	file=$1
	value=1
	[ -f $1 ] && value=`$CAT $file`
	return $value
}

read_if_exist /proc/sys/net/ipv4/icmp_echo_ignore_all
icmp_echo_ignore=$?
read_if_exist /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
icmp_broadcast_ignore=$?
read_if_exist /proc/sys/net/ipv4/icmp_bogus_error_responses
icmp_bogus_error=$?
read_if_exist /proc/sys/net/ipv4/conf/all/accept_redirects
icmp_redirect=$?
read_if_exist /proc/sys/net/ipv4/conf/default/accept_redirects
icmp_redirect_def=$?
read_if_exist /proc/sys/net/ipv4/tcp_syncookies
tcp_syncookies=$?
read_if_exist /proc/sys/net/ipv4/conf/all/rp_filter
rp_filter_all=$?
read_if_exist /proc/sys/net/ipv4/default/all/rp_filter
rp_filter_def=$?
read_if_exist /proc/sys/net/ipv4/ip_forward
ip_fwd=$?
read_if_exist /proc/sys/net/ipv4/conf/all/accept_source_route
ip_source_route_all=$?
read_if_exist /proc/sys/net/ipv4/conf/default/accept_source_route
ip_source_route_def=$?
read_if_exist /proc/sys/net/ipv4/conf/all/log_martians
log_martian_all=$?
read_if_exist /proc/sys/net/ipv4/conf/default/log_martians
log_martian_def=$?
# Only useful for kernel's 2.2 and previous
read_if_exist /proc/sys/net/ipv4/conf/all/hidden
ip_weak_end=$?

# Aff info on this
read_if_exist /proc/sys/net/ipv4/ip_always_defrag
ip_always_defrag=$?
read_if_exist /proc/sys/net/ipv4/conf/all/bootp_relay
bootp_relay=$?
read_if_exist /proc/sys/net/ipv4/conf/all/mc_forwarding
mc_forwarding=$?
read_if_exist /proc/sys/net/ipv4/conf/all/proxy_arp
proxy_arp=$?
read_if_exist /proc/sys/net/ipv4/conf/all/secure_redirects
secure_redirects=$?

# Now start checking and sending messages

[ $icmp_echo_ignore -eq 0 ] && \
	message INFO lin009i "" "The system is configured to answer ICMP ECHO requests"
[ $icmp_broadcast_ignore -eq 0 ] && \
	message FAIL lin010f "" "The system is configured to answer to ICMP broadcasts"
[ $icmp_bogus_error -eq 0 ] && \
	message FAIL lin011f "" "The system is configured to answer bogus errors"

[ $icmp_redirect -eq 1 -o $icmp_redirect_def -eq 1 ] && \
	message WARN lin012w "" "The system accepts ICMP redirection messages"

[ $tcp_syncookies -eq 0 ] && \
	message FAIL lin013f "" "The system is not protected against Syn flooding attacks"

[ $rp_filter_all -eq 0 -o $rp_filter_def -eq 0 ] && \
	message FAIL lin014f "" "The system permits the transmission of IP packets with invalid addresses"

[ $ip_fwd -eq 1 ]  && \
	message WARN lin015w "" "The system has IP forwarding enabled"

[ $ip_source_route_all -eq 1 -o $ip_source_route_def -eq 1 ] && \
	message FAIL lin016f "" "The system permits source routing from incoming packets"

[ $log_martian_all -eq 0 -o $log_martian_def -eq 0 ] && \
	message WARN lin017w "" "The system is not configured to log suspicious (martian) packets"

# TODO: add a test that is useful for post-2.2 kernels
[ $ip_weak_end -eq 0 ] && \
	message WARN lin018w "" "The system implements weak end host RFC"

# Check if there is (at least) and 

haveallcmds CMP IPTABLES && {
	iptablesrules=$WORKDIR/ipt.$$
	iptablesempty=$WORKDIR/iptempt.$$
	safe_temp $iptablesrules $iptablesempty
	trap 'delete $iptablesrules $iptablesempty; exit 1;' 1 2 3 15
	
	$IPTABLES -nL 2>/dev/null >>$iptablesrules
	if [ -s "$iptablesrules" ]; then
		$CAT >>$iptablesempty <<EOF
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
EOF
		$CMP -s $iptablesrules $iptablesempty 
		[ $? -eq 0 ] && message FAIL lin019f "" "The system does not have any local firewall rules configured"
	else
		message ERROR run002e "" "Cannot extract local firewalling rules running $IPTABLES"
	fi
	delete $iptablesrules $iptablesempty
}

exit 0

APT Browse - Built by Thomas Orozco.