#!/bin/sh

#################################################################################
#
#   Lynis
# ------------------
#
# Copyright 2007-2008, Michael Boelen (michael@rootkit.nl), The Netherlands
# Web site: http://www.rootkit.nl
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
# See LICENSE file for usage of this software.
#
#################################################################################
#
# Networking
#
#################################################################################
#
    # Number of active nameservers. Reset here so the count only reflects this
    # run: NETW-2704 increments it once for every nameserver that answers a dig
    # query, and NETW-2705 reads it to require at least two responsive servers.
    NUMBERACTIVENS=0
#
#################################################################################
#

    # Open the "Networking" section of the screen/report output
    InsertSection "Networking"

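    # Test        : NETW-2704 (YYY move to nameserver section?)
    # Description : Basic nameserver configuration tests (connectivity)
    #
    # Reads the nameserver entries from /etc/resolv.conf, reports each one and,
    # when a dig binary was detected (DIGBINARY), checks that every server
    # answers a query. Each responding server increments NUMBERACTIVENS, which
    # NETW-2705 evaluates afterwards. Sets FIND, I and DNSRESPONSE as script-level
    # variables, like the other tests in this file.
    Register --test-no NETW-2704 --weight L --network YES --description "Basic nameserver configuration tests"
    if [ ${SKIPTEST} -eq 0 ]; then
        Display --indent 2 --text "- Checking configured nameservers..."
        logtext "Test: Checking /etc/resolv.conf file"
        if [ -f /etc/resolv.conf ]; then
            logtext "Result: Found /etc/resolv.conf file"
            # Second field of every 'nameserver' line. awk splits on any run of
            # spaces/tabs, which replaces the old cat|grep|tr|sed chain and no
            # longer picks up trailing words (e.g. comments) on the same line.
            FIND=$(awk '/^nameserver/ { print $2 }' /etc/resolv.conf)
            if [ ! "${FIND}" = "" ]; then
                Display --indent 4 --text "- Testing nameservers..."
                logtext "Test: Querying nameservers"
                for I in ${FIND}; do
                    logtext "Found nameserver: ${I}"
                    report "nameserver[]=${I}"
                    if [ ! "${DIGBINARY}" = "" ]; then
                        # Query the detected dig binary (not whatever 'dig' comes
                        # first in PATH) with a short timeout and no retries. The
                        # server's own address doubles as the query name; only the
                        # exit status matters: 0=answered, anything else=no usable
                        # response (timeout, refused, unreachable).
                        DNSRESPONSE=$("${DIGBINARY}" +noall +time=3 +retry=0 "@${I}" "${I}" > /dev/null ; echo $?)
                        if [ "${DNSRESPONSE}" = "0" ]; then
                            Display --indent 6 --text "Nameserver: ${I}... " --result OK --color GREEN
                            logtext "Nameserver ${I} seems to respond to queries from this host."
                            # Count responsive nameservers (read by NETW-2705)
                            NUMBERACTIVENS=$((NUMBERACTIVENS + 1))
                        else
                            Display --indent 6 --text "Nameserver: ${I}... " --result "NO RESPONSE" --color RED
                            logtext "Result: nameserver ${I} does NOT respond"
                            logtext "Exit-code from dig: ${DNSRESPONSE}"
                            logtext "Suggestion: check connection to this nameserver and make sure no "
                            logtext "outbound DNS queries are blocked (port 53 UDP and TCP)."
                            ReportWarning ${TEST_NO} "L" "Nameserver ${I} does not respond"
                        fi
                    else
                        # Without dig the server is reported but its reachability is unknown
                        logtext "Result: Nameserver test for ${I} skipped, 'dig' not installed"
                        Display --indent 6 --text "Nameserver: ${I}... " --result SKIPPED --color YELLOW
                    fi
                done
            fi
        fi
    fi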
#
#################################################################################
#
    # Test        : NETW-2705
    # Description : Check that at least two nameservers responded (uses the
    #               NUMBERACTIVENS counter filled by NETW-2704)
    #
    # NOTE: NUMBERACTIVENS starts at 0 for every run, so if NETW-2704 was
    # skipped this test reports a warning as well.
    Register --test-no NETW-2705 --weight L --network YES --description "Check availability two nameservers"
    if [ ${SKIPTEST} -eq 0 ]; then
        if [ ${NUMBERACTIVENS} -ge 2 ]; then
            Display --indent 4 --text "- Check for 2 responsive nameservers..." --result OK --color GREEN
            logtext "Result: found at least 2 responsive nameservers"
        else
            Display --indent 4 --text "- Check for 2 responsive nameservers..." --result WARNING --color RED
            logtext "Result: less than 2 responsive nameservers found"
            ReportWarning ${TEST_NO} "L" "Couldn't find 2 responsive nameservers"
            logtext "Non responsive nameservers can give problems for your system(s). Like lack"
            logtext "of recursive lookups, bad connectivity to update servers etc."
            ReportSuggestion ${TEST_NO} "Check your resolv.conf file and connectivity to your nameservers"
        fi
    fi
#
#################################################################################
#
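    # Test        : NETW-3001
    # Description : Find default gateway (route)
    # More info   : FreeBSD/OpenBSD: ^default   Linux: 0.0.0.0
    #
    # Reads the kernel routing table with 'netstat -rn' and reports the gateway
    # column (field 2) of every default route. egrep is kept instead of
    # 'grep -E' because this file also runs under /bin/sh on the BSD and SunOS
    # hosts handled by the other tests, where -E may not be available.
    Register --test-no NETW-3001 --weight L --network NO --description "Find default gateway (route)"
    if [ ${SKIPTEST} -eq 0 ]; then
        Display --indent 2 --text "- Checking default gateway..." --result DONE --color GREEN
        logtext "Test: Searching default gateway(s)..."
        # Dots are escaped so only the literal destination 0.0.0.0 matches,
        # not any other 7-character string with zeros in those positions.
        FIND=$(netstat -rn | egrep '^0\.0\.0\.0|default' | tr -s ' ' | cut -d ' ' -f2)
        for I in ${FIND}; do
            logtext "Found default gateway ${I}"
            report "default_gateway[]=${I}"
        done
    fi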
#
#################################################################################
#
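    # Test        : NETW-3004
    # Description : Find available FreeBSD network interfaces
    #
    # 'ifconfig -l' lists the interface names; each one is logged and added to
    # the report. N counts them but is not read by this test (it is kept as a
    # script-level variable in case other code relies on it).
    Register --test-no NETW-3004 --os FreeBSD --weight L --network NO --description "Search FreeBSD available network interfaces"
    if [ ${SKIPTEST} -eq 0 ]; then
        FIND=$(ifconfig -l)
        N=0
        for I in ${FIND}; do
            logtext "Found network interface ${I}"
            # Shell arithmetic instead of forking expr for every interface
            N=$((N + 1))
            report "network_interface[]=${I}"
        done
    fi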
#
#################################################################################
#
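    # Test        : NETW-3006
    # Description : Get network MAC addresses
    #
    # Per-OS ifconfig parsing; the awk column tests pick the hardware address
    # field for each output format. Unsupported OS values only log a warning and
    # leave FIND empty, so the loop below does nothing. N counts the addresses
    # but is not read by this test.
    Register --test-no NETW-3006 --weight L --network NO --description "Get network MAC addresses"
    if [ ${SKIPTEST} -eq 0 ]; then
        FIND=""
        case ${OS} in
            FreeBSD)
                FIND=$(ifconfig -a | awk '{ if ($1=="ether") print $2 }')
                ;;
            Linux)
                # The awk column test already selects HWaddr lines, so the
                # former 'grep HWaddr' stage was redundant.
                FIND=$(ifconfig -a | awk '{ if ($4=="HWaddr") print $5 }')
                ;;
            OpenBSD)
                FIND=$(ifconfig -A | awk '{ if ($1=="lladdr") print $2 }')
                ;;
            SunOS)
                FIND=$(ifconfig -a | awk '{ if ($1=="ether") print $2 }')
                ;;
            *)
                logtext "Warning: no support for this OS (${OS}) to find MAC information"
                ;;
        esac
        N=0
        for I in ${FIND}; do
            logtext "Found network MAC address ${I}"
            # Shell arithmetic instead of forking expr for every address
            N=$((N + 1))
            report "network_mac_address[]=${I}"
        done
    fi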
#
#################################################################################
#
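    # Test        : NETW-3008
    # Description : Get network IPv4/6 addresses
    #
    # Per-OS ifconfig parsing: FIND collects IPv4 addresses, FIND2 IPv6
    # addresses. Unsupported OS values only log a warning and leave both empty.
    # N counts all addresses but is not read by this test.
    Register --test-no NETW-3008 --weight L --network NO --description "Get network IP addresses"
    if [ ${SKIPTEST} -eq 0 ]; then
        FIND=""; FIND2=""
        case ${OS} in
            FreeBSD)
                FIND=$(ifconfig -a | awk '{ if ($1=="inet") print $2 }')
                FIND2=$(ifconfig -a | awk '{ if ($1=="inet6") print $2 }')
                ;;
            Linux)
                # Expects the net-tools output format ("inet addr:x.x.x.x"):
                # cut strips the "addr:" prefix; for inet6 the address is in $3.
                FIND=$(ifconfig -a | awk '{ if ($1=="inet") print $2 }' | cut -d ':' -f2)
                FIND2=$(ifconfig -a | awk '{ if ($1=="inet6") print $3 }')
                ;;
            OpenBSD)
                FIND=$(ifconfig -A | awk '{ if ($1=="inet") print $2 }')
                FIND2=$(ifconfig -A | awk '{ if ($1=="inet6") print $2 }')
                ;;
            SunOS)
                FIND=$(ifconfig -a | awk '{ if ($1=="inet") print $2 }')
                FIND2=$(ifconfig -a | awk '{ if ($1=="inet6") print $2 }')
                ;;
            *)
                logtext "Warning: no support yet for this OS (${OS}) to find IP address information"
                ;;
        esac
        N=0
        # IPv4
        for I in ${FIND}; do
            logtext "Found network IP address ${I}"
            # Shell arithmetic instead of forking expr for every address
            N=$((N + 1))
            report "network_ipv4_address[]=${I}"
        done
        # IPv6
        for I in ${FIND2}; do
            logtext "Found network IP address ${I}"
            N=$((N + 1))
            report "network_ipv6_address[]=${I}"
        done

    fi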
#
#################################################################################
#
    # Test        : NETW-3010
    # Description : Check IP forwarding (IPv4, IPv6)
    #Register --test-no NETW-3010 --weight L --network NO --description "Check IP forwarding"
    #if [ ${SKIPTEST} -eq 0 ]; then
    #fi
#
#################################################################################
#
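    # Test        : NETW-3012
    # Description : Check listening ports
    #
    # Only runs when a sockstat binary was detected (SOCKSTATBINARY). Listening
    # sockets are the lines whose foreign-address column ($7) is "*:*"; the
    # protocol ($5) and local address ($6) are joined with a comma so that one
    # loop word carries both. SOCKSTATOUTPUT is left set for later use.
    if [ ! "${SOCKSTATBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
    Register --test-no NETW-3012 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check listening ports"
    if [ ${SKIPTEST} -eq 0 ]; then
        # Retrieve information from sockstat, when available
        logtext "Test: Retrieving sockstat information to find listening ports..."
        #SOCKSTATOUTPUT=`sockstat | grep '*:*' | cut -c 1-55 | grep '*:' | cut -c 39-47 | tr -d ' ' | sort | grep -v '*' | uniq`
        # Use the detected binary rather than whatever 'sockstat' is first in PATH
        SOCKSTATOUTPUT=$("${SOCKSTATBINARY}" | awk '{ if ($7 ~ /\*:\*/) print $5","$6 }' | sort -u)
        for I in ${SOCKSTATOUTPUT}; do
            # Split "proto,local" with parameter expansion: no fork per line, and
            # the old unquoted 'echo ${I} | cut' no longer exposes values such as
            # an "*:port" pair to pathname expansion.
            SOCKPROTO=${I%%,*}
            SOCKPORT=${I#*,}
            # NOTE: SOCKPORT holds the local address:port pair as printed by
            # sockstat, not only the port number.
            logtext "Found listening port: ${SOCKPORT}, proto ${SOCKPROTO}"
        done
        Display --indent 2 --text "- Getting listening ports (sockstat)..." --result DONE --color GREEN
    fi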
#
#################################################################################
#
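    # Promiscuous interfaces
    FOUNDPROMISC=0

    # Test        : NETW-3014
    # Description : Checking promiscuous interfaces (FreeBSD)
    #
    # An interface with the PROMISC flag receives all frames on its segment,
    # which is what capture/logging tools set. Each such interface is reported
    # as a high-priority warning unless the profile contains a line
    # "if_promisc:<interface>:", in which case it is only logged.
    Register --test-no NETW-3014 --os FreeBSD --weight L --network NO --description "Checking promiscuous interfaces"
    if [ ${SKIPTEST} -eq 0 ]; then
        logtext "Test: Checking promiscuous interfaces (FreeBSD)..."
        # Interface name is the part before the first ':' of the flags line
        FIND=$(ifconfig | grep PROMISC | cut -d ':' -f1)
        if [ ! "${FIND}" = "" ]; then
            logtext "Result: Promiscuous interfaces: ${FIND}"
            for I in ${FIND}; do
                # Whitelist lookup; PROFILE is quoted in case its path has spaces
                ISWHITELISTED=$(grep "^if_promisc:${I}:" "${PROFILE}")
                if [ "${ISWHITELISTED}" = "" ]; then
                    FOUNDPROMISC=1
                    ReportWarning ${TEST_NO} "H" "Found promiscuous interface (${I})"
                    logtext "Note: some tools put an interface into promiscuous mode, to capture/log network traffic"
                    report "warning[]=Found promiscuous interface (${I})"
                else
                    logtext "Found promiscuous interface ${I} (*whitelisted via profile*)"
                fi
            done
        fi

        if [ ${FOUNDPROMISC} -eq 0 ]; then
            Display --indent 2 --text "- Checking promiscuous interfaces..." --result OK --color GREEN
            logtext "No promiscuous interfaces found"
        else
            Display --indent 2 --text "- Checking promiscuous interfaces..." --result WARNING --color RED
            # This branch used to log "No promiscuous interfaces found", the
            # opposite of what FOUNDPROMISC=1 means.
            logtext "Result: found one or more non-whitelisted promiscuous interfaces (see warnings)"
        fi
    fi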
#
#################################################################################
#

    #YYY
    #echo "      - Checking logging probed ports...[Not implemented yet]"
#
#################################################################################
#
    #YYY Netstat/sockstat compare
    #	    echo -n "        - Comparing output sockstat and netstat... "
    #	    logtext "Comparing output of sockstat and netstat... "
    #	    NETSTATOUTPUT=`netstat -an | grep -v 'TIME_WAIT' | grep -v 'ESTABLISHED' | grep -v 'SYN_SENT' | grep -v 'CLOSE_WAIT' | grep -v 'LAST_ACK' | grep -v 'SYN_RECV' | grep -v 'CLOSING' | cut -c 1-44 | grep '*.' | cut -c 24-32 | tr -d ' ' | tr -d '\t' | grep -v '*' | sort | uniq`
    #
    #	    if [ "${SOCKSTATOUTPUT}" = "${NETSTATOUTPUT}" ]; then
    #	        ShowResult OK
    #	      else
    #	        echo "[ ${BAD}Warning!${NORMAL} ]"
    #		logtext "WARNING!"
    #		logtext "Sockstat tested output: ${SOCKSTAT}"
    #		logtext "Netstat tested output: ${NETSTAT}"
    #	    fi
#
#################################################################################
#

# Pause before the next test section; wait_for_keypress is defined elsewhere in Lynis
wait_for_keypress

#
#================================================================================
# Lynis - Copyright 2007-2008, Michael Boelen - www.rootkit.nl - The Netherlands
