/usr/lib/tiger/systems/Linux/2/check_network_config is in tiger 1:3.2.3-12.
This file is owned by root:root, with mode 0o755.
#!/bin/sh
#
# tiger - A UN*X security checking system
# Copyright (C) 2002 Javier Fernandez-Sanguino
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2, or (at your option)
# any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# Please see the file `COPYING' for the complete copyright notice.
#
# check_network_config: checks for security configuration parameters of the
# network environment (using /proc)
#
# 11/25/2002 jfs - Initial version derived from Hispasec's bulletin
# (which is based on documentation online)
# 15/04/2003 jfs - Changed ERROR into FAIL
# 10/15/2003 jfs - Return '1' instead of '-1' (Debian bug #215891)
# 04/16/2005 jfs - Fixed check of ICMP redirects (Debian bug #304957).
# Also fixed call to message so that everything appears
# in one line.
# 04/17/2005 jfs - Added check for local firewall rules
#
# References:
# http://www.linuxsecurity.com/articles/network_security_article-4528.html
# http://linux.oreillynet.com/pub/a/linux/2000/11/16/LinuxAdmin.html
#
#-----------------------------------------------------------------------------
# TODO
#
# - Check if conf/all have the same information as conf/default, conf/ethX...
# (since a given interface might be different from the others)
#
#-----------------------------------------------------------------------------
#
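TigerInstallDir="/usr/lib/tiger"
#
# Set default base directory.
# Order of preference:
#   -B option
#   TIGERHOMEDIR environment variable
#   TigerInstallDir installed location
#
# ':=' also stores the chosen default in TIGERHOMEDIR when that variable
# was unset or empty, so later code sees the same value.
basedir=${TIGERHOMEDIR:=$TigerInstallDir}
#
# Scan the script's arguments for '-B <dir>' and set the global 'basedir'
# to the argument that follows -B.  Taking the following argument, rather
# than always $2, means -B does not have to be the first option; a
# trailing -B with no value leaves the default untouched.  'basedir_next'
# is a global flag (POSIX sh has no 'local').
#
set_basedir_from_args() {
  basedir_next=
  for parm
  do
    if [ -n "$basedir_next" ]; then
      basedir=$parm
      break
    fi
    case $parm in
    -B) basedir_next=1 ;;
    esac
  done
}
set_basedir_from_args "$@"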
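#
# Verify that a config file exists there, and if it does
# source it.  The helpers used below (haveallcmds, haveallfiles,
# message, safe_temp, delete) come from 'config' and 'initdefs',
# so nothing else in this script can run without them.
#
[ ! -r "$basedir/config" ] && {
  echo "--ERROR-- [init002e] No 'config' file in \`$basedir'."
  exit 1
}
. "$basedir/config"
. "$BASEDIR/initdefs"
#
# If run in test mode (-t) this will verify that all required
# elements are set.
#
[ "$Tiger_TESTMODE" = 'Y' ] && {
  haveallcmds CAT || exit 1
  haveallfiles PROCDIR BASEDIR WORKDIR || exit 1
  echo "--CONFIG-- [init003c] $0: Configuration ok..."
  exit 0
}
#------------------------------------------------------------------------
# Real run: the network parameters are read from the proc pseudo-filesystem,
# so stop with an explicit message when it is not available rather than
# silently reporting every parameter as absent.
haveallcmds CAT || exit 1
haveallfiles BASEDIR WORKDIR || exit 1
haveallfiles PROCDIR || {
  message ERROR lin008e "" "The $PROCDIR filesystem is not available. Please make sure you have configured support for this pseudo-filesystem."
  exit 1
}
echo
echo "# Checking network configuration"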
# Instead of using the sysctl interface we are going to $CAT from the
# specified locations
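read_if_exist() {
  # Read a single numeric kernel parameter from the file named in $1 and
  # hand its value back as this function's exit status, so callers pick
  # it up with $?.
  #
  # Returns 1 when the file does not exist; callers cannot tell that
  # apart from a genuine value of 1.  Content that is not a non-negative
  # integer is also mapped to 1, because 'return' only accepts a number
  # (some shells abort the script on a non-numeric 'return').  Values
  # above 255 cannot be carried in an exit status.
  #
  # 'file' and 'value' are globals: POSIX sh has no 'local'.
  file=$1
  value=1
  if [ -f "$file" ]; then
    value=$($CAT "$file")
    case "$value" in
      ''|*[!0-9]*) value=1 ;;
    esac
  fi
  return $value
}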
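# Collect every kernel parameter first.  Each value arrives as the exit
# status of read_if_exist, where 1 also means "file not present".  The
# paths are hard-coded under /proc even though PROCDIR was verified above,
# so both only agree when PROCDIR is /proc.
#
# ICMP behaviour
read_if_exist /proc/sys/net/ipv4/icmp_echo_ignore_all
icmp_echo_ignore=$?
read_if_exist /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
icmp_broadcast_ignore=$?
read_if_exist /proc/sys/net/ipv4/icmp_bogus_error_responses
icmp_bogus_error=$?
# Both conf/all and conf/default are read for the per-interface settings
# (see the TODO in the header about per-interface differences).
read_if_exist /proc/sys/net/ipv4/conf/all/accept_redirects
icmp_redirect=$?
read_if_exist /proc/sys/net/ipv4/conf/default/accept_redirects
icmp_redirect_def=$?
# TCP / routing behaviour
read_if_exist /proc/sys/net/ipv4/tcp_syncookies
tcp_syncookies=$?
read_if_exist /proc/sys/net/ipv4/conf/all/rp_filter
rp_filter_all=$?
# Was /proc/sys/net/ipv4/default/all/rp_filter, a path that does not
# exist, so the default-interface value always read as 1 (absent) and the
# lin014f check could never trigger from it.
read_if_exist /proc/sys/net/ipv4/conf/default/rp_filter
rp_filter_def=$?
read_if_exist /proc/sys/net/ipv4/ip_forward
ip_fwd=$?
read_if_exist /proc/sys/net/ipv4/conf/all/accept_source_route
ip_source_route_all=$?
read_if_exist /proc/sys/net/ipv4/conf/default/accept_source_route
ip_source_route_def=$?
read_if_exist /proc/sys/net/ipv4/conf/all/log_martians
log_martian_all=$?
read_if_exist /proc/sys/net/ipv4/conf/default/log_martians
log_martian_def=$?
# Only useful for kernel's 2.2 and previous
read_if_exist /proc/sys/net/ipv4/conf/all/hidden
ip_weak_end=$?
# TODO: add info on this
read_if_exist /proc/sys/net/ipv4/ip_always_defrag
ip_always_defrag=$?
# The remaining parameters are read but not reported on by any check below.
read_if_exist /proc/sys/net/ipv4/conf/all/bootp_relay
bootp_relay=$?
read_if_exist /proc/sys/net/ipv4/conf/all/mc_forwarding
mc_forwarding=$?
read_if_exist /proc/sys/net/ipv4/conf/all/proxy_arp
proxy_arp=$?
read_if_exist /proc/sys/net/ipv4/conf/all/secure_redirects
secure_redirects=$?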
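# Now start checking and sending messages.  Every variable holds the exit
# status captured above, so a parameter whose file is missing reads as 1:
# checks that alert on a value of 1 (redirects, forwarding, source routing)
# also fire when the parameter does not exist, while checks that alert on
# 0 silently pass in that case.
if [ "$icmp_echo_ignore" -eq 0 ]; then
  message INFO lin009i "" "The system is configured to answer ICMP ECHO requests"
fi
if [ "$icmp_broadcast_ignore" -eq 0 ]; then
  message FAIL lin010f "" "The system is configured to answer to ICMP broadcasts"
fi
if [ "$icmp_bogus_error" -eq 0 ]; then
  message FAIL lin011f "" "The system is configured to answer bogus errors"
fi
# Either the conf/all or the conf/default value is enough to report; two
# separate tests joined with '||' replace the obsolescent '-o' operator.
if [ "$icmp_redirect" -eq 1 ] || [ "$icmp_redirect_def" -eq 1 ]; then
  message WARN lin012w "" "The system accepts ICMP redirection messages"
fi
if [ "$tcp_syncookies" -eq 0 ]; then
  message FAIL lin013f "" "The system is not protected against Syn flooding attacks"
fi
if [ "$rp_filter_all" -eq 0 ] || [ "$rp_filter_def" -eq 0 ]; then
  message FAIL lin014f "" "The system permits the transmission of IP packets with invalid addresses"
fi
if [ "$ip_fwd" -eq 1 ]; then
  message WARN lin015w "" "The system has IP forwarding enabled"
fi
if [ "$ip_source_route_all" -eq 1 ] || [ "$ip_source_route_def" -eq 1 ]; then
  message FAIL lin016f "" "The system permits source routing from incoming packets"
fi
if [ "$log_martian_all" -eq 0 ] || [ "$log_martian_def" -eq 0 ]; then
  message WARN lin017w "" "The system is not configured to log suspicious (martian) packets"
fi
# TODO: add a test that is useful for post-2.2 kernels
if [ "$ip_weak_end" -eq 0 ]; then
  message WARN lin018w "" "The system implements weak end host RFC"
fi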
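# Check if there is (at least) one local firewall rule configured.
# Only the IPv4 tables are inspected: the current rules are dumped to a
# temporary file and compared with what an empty rule set looks like
# (the three built-in chains, policy ACCEPT, no rules).
if haveallcmds CMP IPTABLES; then
  iptablesrules=$WORKDIR/ipt.$$
  iptablesempty=$WORKDIR/iptempt.$$
  safe_temp "$iptablesrules" "$iptablesempty"
  # Remove the temporary files if the run is interrupted.
  trap 'delete "$iptablesrules" "$iptablesempty"; exit 1;' 1 2 3 15
  # When the listing fails (for instance without sufficient privileges)
  # the file stays empty and the error branch below is taken.
  $IPTABLES -nL 2>/dev/null >>"$iptablesrules"
  if [ -s "$iptablesrules" ]; then
    $CAT >>"$iptablesempty" <<EOF
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
EOF
    # Only an exact match with the template is reported; a rule set with
    # a non-ACCEPT policy and no rules does not match and is not flagged.
    if $CMP -s "$iptablesrules" "$iptablesempty"; then
      message FAIL lin019f "" "The system does not have any local firewall rules configured"
    fi
  else
    message ERROR run002e "" "Cannot extract local firewalling rules running $IPTABLES"
  fi
  delete "$iptablesrules" "$iptablesempty"
fi
exit 0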