Hi Automox Alive Community!
Previously, I added a worklet for addressing the LLMNR security risk on Windows, and now I’m adding the same for Linux considerations. If you are unfamiliar, LLMNR stands for Link-Local Multicast Name Resolution and is a favorite vector among pen-testers and malicious threat actors for conducting man-in-the-middle attacks.
Evaluation:
#!/bin/bash
# LLMNR - Evaluation : This will check whether LLMNR has been disabled.
test_val='^LLMNR=no'
test_cfg='/etc/systemd/resolved.conf'
# Case-insensitively check for the value; grep's own exit status drives the branch
# (no command substitution needed, and the path is quoted)
if grep -qi "$test_val" "$test_cfg"; then
# Compliant
exit 0
else
# Non-Compliant
exit 1
fi
Remediation:
#!/bin/bash
# LLMNR - Remediation : This will disable LLMNR. (restart required)
test_val='^LLMNR=no'
test_cfg='/etc/systemd/resolved.conf'
# Rewrite any existing LLMNR= line, including the commented-out default "#LLMNR=yes"
sed -i 's/.*LLMNR=.*/LLMNR=no/g' "$test_cfg"
# If the file had no LLMNR= line at all, sed changes nothing, so append one under [Resolve]
grep -q '^LLMNR=' "$test_cfg" || printf '\n[Resolve]\nLLMNR=no\n' >> "$test_cfg"
# Case-insensitively check for the value; grep's own exit status drives the branch
if grep -qi "$test_val" "$test_cfg"; then
# Compliant
exit 0
else
# Non-Compliant
echo "LLMNR could not be toggled off."
exit 1
fi
I’ve also added this script to my GitHub.
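One caveat for the evaluation side: systemd-resolved also reads `*.conf` drop-ins from `/etc/systemd/resolved.conf.d/`, and the last `LLMNR=` assignment wins, so a drop-in can re-enable LLMNR even when the main file says `LLMNR=no`. The script below is an added example (not part of the worklet above) that computes the effective value the way resolved does; the two path arguments and the constructed sample files are assumptions for the demo.

```bash
#!/bin/bash
# Added example: resolve the effective LLMNR= setting across resolved.conf and its
# drop-in directory. Files are read in order (main file, then drop-ins in lexical
# order); only keys inside a [Resolve] section count, and later assignments override.
# Arguments (optional, assumed): main config path, drop-in directory.

effective_llmnr() {
  main="${1:-/etc/systemd/resolved.conf}"
  dropdir="${2:-/etc/systemd/resolved.conf.d}"
  val=""
  for f in "$main" "$dropdir"/*.conf; do
    [ -f "$f" ] || continue            # missing file or unmatched glob: skip
    in_resolve=0                       # section state is per file
    while IFS= read -r line || [ -n "$line" ]; do
      line=$(printf '%s' "$line" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
      case "$line" in
        ''|'#'*|';'*) continue ;;      # blank or comment line
        '['*']') [ "$line" = "[Resolve]" ] && in_resolve=1 || in_resolve=0; continue ;;
        *=*) ;;                        # key=value line, handled below
        *) continue ;;                 # anything else is not an assignment
      esac
      [ "$in_resolve" -eq 1 ] || continue
      key=$(printf '%s' "${line%%=*}" | tr -d '[:space:]')
      if [ "$key" = "LLMNR" ]; then
        val=$(printf '%s' "${line#*=}" | tr -d '[:space:]')   # last one wins
      fi
    done < "$f"
  done
  # systemd's documented default when the key is never set is LLMNR=yes
  printf '%s\n' "${val:-yes}"
}

# Returns 0 (compliant) only when the effective value is a systemd "false" boolean.
llmnr_disabled() {
  case "$(effective_llmnr "$@" | tr '[:upper:]' '[:lower:]')" in
    no|false|0|off) return 0 ;;
    *) return 1 ;;
  esac
}

# Constructed sample: the main file disables LLMNR, a drop-in quietly re-enables it.
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/resolved.conf.d"
printf '[Resolve]\n#LLMNR=yes\nLLMNR=no\n' > "$demo_dir/resolved.conf"
printf '[Resolve]\nLLMNR = yes\n' > "$demo_dir/resolved.conf.d/10-llmnr.conf"
effective_llmnr "$demo_dir/resolved.conf" "$demo_dir/resolved.conf.d"   # prints "yes"
rm -rf "$demo_dir"
```

Running it against the real paths with no arguments gives the value resolved will actually use, which is what a compliance check should compare against rather than a single file.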