Worklet: Disable LLMNR (Security Risk) - Linux

Hi Automox Alive Community!

Previously, I added a worklet for addressing the LLMNR security risk for Windows, and now I’m adding the same for Linux considerations. If you are unfamiliar, LLMNR stands for Link-Local Multicast Name Resolution and is a favorite vector among pen-testers and malicious threat actors for conducting man-in-the-middle attacks.

Evaluation:

#!/bin/bash

# LLMNR - Evaluation : This will check whether LLMNR has been disabled.
test_val='^LLMNR=no'
test_cfg='/etc/systemd/resolved.conf'

# Case-insensitively check for the value. grep -q exits 0 on a match, so it is
# used directly as the condition (wrapping it in ( $(...) ) only worked by accident).
if grep -qi "$test_val" "$test_cfg"; then
  # Compliant
  exit 0
else
  # Non-Compliant
  exit 1
fi

Remediation:

#!/bin/bash

# LLMNR - Remediation : This will disable LLMNR. (restart required)
test_val='^LLMNR=no'
test_cfg='/etc/systemd/resolved.conf'

# Rewrite any existing LLMNR= line (commented out or not) to LLMNR=no
sed -i 's/.*LLMNR=.*/LLMNR=no/' "$test_cfg"

# If the file had no LLMNR= line at all, sed changed nothing, so add the key
# under [Resolve] (insert after the section header, or append the section)
if ! grep -qi "$test_val" "$test_cfg"; then
  if grep -q '^\[Resolve\]' "$test_cfg"; then
    sed -i '/^\[Resolve\]/a LLMNR=no' "$test_cfg"
  else
    printf '\n[Resolve]\nLLMNR=no\n' >> "$test_cfg"
  fi
fi

# Case-insensitively check for the value
if grep -qi "$test_val" "$test_cfg"; then
  # Compliant
  exit 0
else
  # Non-Compliant
  echo "LLMNR could not be toggled off."
  exit 1
fi

I’ve also added this script to my GitHub.
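One caveat worth checking alongside the worklet, as an added example that is not part of the original post or the author's GitHub script: systemd-resolved reads /etc/systemd/resolved.conf first and then every *.conf drop-in under resolved.conf.d/ in lexical order, with the last LLMNR= assignment winning and an unset key meaning the default of "yes". An evaluation that only greps the main file therefore reports "compliant" even when a drop-in has turned LLMNR back on. The script below computes the effective value across the main file and the drop-in directory; both paths are arguments so it can run against a constructed tree rather than the live system, and the sample tree it builds is constructed for the demonstration.

```shell
#!/bin/bash
# Added example, not the worklet author's code: resolve the effective LLMNR=
# value the way systemd-resolved does (main file, then resolved.conf.d/*.conf
# in lexical order; last assignment wins; unset means "yes").

# Print the last uncommented LLMNR= value in one file (lower-cased), or
# nothing if the file has no such line.
llmnr_value_in_file() {
  grep -i '^[[:space:]]*LLMNR[[:space:]]*=' "$1" 2>/dev/null \
    | tail -n 1 \
    | sed 's/^[^=]*=[[:space:]]*//; s/[[:space:]]*$//' \
    | tr '[:upper:]' '[:lower:]'
}

# Usage: effective_llmnr MAIN_CONF DROPIN_DIR  -> prints yes|no|resolve
effective_llmnr() {
  local main_cfg="$1" dropin_dir="$2" value="yes" f count
  # The shell glob expands sorted, which matches systemd's lexical drop-in order.
  for f in "$main_cfg" "$dropin_dir"/*.conf; do
    [ -f "$f" ] || continue
    count=$(grep -ci '^[[:space:]]*LLMNR[[:space:]]*=' "$f" || true)
    [ "$count" -gt 0 ] || continue
    value=$(llmnr_value_in_file "$f")
    # An empty assignment (LLMNR=) resets the option to its default.
    [ -n "$value" ] || value="yes"
  done
  printf '%s\n' "$value"
}

# Build a constructed config tree that reproduces the trap: the main file
# disables LLMNR, a drop-in silently turns it back on. Prints the tree root.
make_sample_tree() {
  local root
  root=$(mktemp -d)
  mkdir -p "$root/resolved.conf.d"
  printf '[Resolve]\nLLMNR=no\n' > "$root/resolved.conf"
  printf '[Resolve]\nllmnr=Yes\n' > "$root/resolved.conf.d/50-override.conf"
  printf '%s\n' "$root"
}

root=$(make_sample_tree)
echo "main file says:    $(llmnr_value_in_file "$root/resolved.conf")"
echo "effective setting: $(effective_llmnr "$root/resolved.conf" "$root/resolved.conf.d")"
rm -rf "$root"
```

On a real host, call it as `effective_llmnr /etc/systemd/resolved.conf /etc/systemd/resolved.conf.d` and treat anything other than "no" as non-compliant; after the remediation and a restart of systemd-resolved, `resolvectl status` shows the global "LLMNR setting" line that should agree with the result.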
