lynis/include/tests_logging

652 lines
33 KiB
Plaintext
Raw Normal View History

2014-08-26 17:33:55 +02:00
#!/bin/sh
#################################################################################
#
# Lynis
# ------------------
#
2016-03-13 16:00:39 +01:00
# Copyright 2007-2013, Michael Boelen
2021-01-07 15:22:19 +01:00
# Copyright 2007-2021, CISOfy
2016-03-13 16:00:39 +01:00
#
# Website : https://cisofy.com
# Blog : http://linux-audit.com
# GitHub : https://github.com/CISOfy/lynis
2014-08-26 17:33:55 +02:00
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
# See LICENSE file for usage of this software.
#
#################################################################################
#
# Logging and related files
#
#################################################################################
#
2016-09-10 16:12:44 +02:00
LOG_FILES_LOCS="${ROOTDIR}var/log ${ROOTDIR}var/adm"
2014-08-26 17:33:55 +02:00
LOGROTATE_CONFIG_FOUND=0
LOGROTATE_TOOL=""
METALOG_RUNNING=0
RFC3195D_RUNNING=0
RSYSLOG_RUNNING=0
WAZUH_AGENT_RUNNING=0
SOLARIS_LOGHOST=""
2014-08-26 17:33:55 +02:00
SOLARIS_LOGHOST_FOUND=0
SOLARIS_LOGHOST_LOCALHOST=0
2014-08-26 17:33:55 +02:00
SYSLOG_DAEMON_PRESENT=0
SYSLOG_DAEMON_RUNNING=0
SYSLOG_NG_RUNNING=0
SYSTEMD_JOURNAL_RUNNING=0
#
#################################################################################
#
InsertSection "${SECTION_LOGGING_AND_FILES}"
2014-08-26 17:33:55 +02:00
# Test : LOGG-2130
# Description : Check for a running syslog daemon
Register --test-no LOGG-2130 --weight L --network NO --category security --description "Check for running syslog daemon"
2014-08-26 17:33:55 +02:00
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Searching for a logging daemon"
2023-04-23 23:38:21 +02:00
FIND=$(${PSBINARY} ax | ${GREPBINARY} -E "syslogd|syslog-ng|metalog|systemd-journal" | ${GREPBINARY} -v "grep")
2016-09-10 16:12:44 +02:00
if [ -z "${FIND}" ]; then
Display --indent 2 --text "- Checking for a running log daemon" --result "${STATUS_WARNING}" --color RED
LogText "Result: Could not find a syslog daemon like syslog, syslog-ng, rsyslog, metalog, systemd-journal"
2019-12-18 12:17:46 +01:00
ReportSuggestion "${TEST_NO}" "Check if any syslog daemon is running and correctly configured."
2014-09-15 12:01:09 +02:00
AddHP 0 3
2016-09-10 16:12:44 +02:00
else
Display --indent 2 --text "- Checking for a running log daemon" --result "${STATUS_OK}" --color GREEN
LogText "Result: Found a logging daemon"
2014-09-15 12:01:09 +02:00
SYSLOG_DAEMON_PRESENT=1
SYSLOG_DAEMON_RUNNING=1
AddHP 3 3
fi
2014-08-26 17:33:55 +02:00
fi
#
#################################################################################
#
# Test : LOGG-2132
# Description : Check for a running syslog-ng daemon
Register --test-no LOGG-2132 --weight L --network NO --category security --description "Check for running syslog-ng daemon"
2014-08-26 17:33:55 +02:00
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Searching for syslog-ng daemon in process list"
if IsRunning "syslog-ng"; then
LogText "Result: Found syslog-ng in process list"
Display --indent 4 --text "- Checking Syslog-NG status" --result "${STATUS_FOUND}" --color GREEN
2014-09-15 12:01:09 +02:00
SYSLOG_DAEMON_PRESENT=1
SYSLOG_NG_RUNNING=1
Report "syslog_daemon_present=1"
Report "syslog_daemon[]=syslog-ng"
2016-09-10 16:12:44 +02:00
else
LogText "Result: Syslog-ng NOT found in process list"
Display --indent 4 --text "- Checking Syslog-NG status" --result "${STATUS_NOT_FOUND}" --color WHITE
2014-09-15 12:01:09 +02:00
fi
fi
2014-08-26 17:33:55 +02:00
#
#################################################################################
#
# Test : LOGG-2134
# Description : Check for Syslog-NG configuration file consistency
if [ ! "${SYSLOGNGBINARY}" = "" -a ${SYSLOG_NG_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no LOGG-2134 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking Syslog-NG configuration file consistency"
2014-08-26 17:33:55 +02:00
if [ ${SKIPTEST} -eq 0 ]; then
2016-09-10 16:12:44 +02:00
FIND=$(${SYSLOGNGBINARY} -s; echo $?)
2014-09-15 12:01:09 +02:00
if [ "${FIND}" = "0" ]; then
LogText "Result: Syslog-NG configuration file seems to be consistent"
Display --indent 6 --text "- Checking Syslog-NG consistency" --result "${STATUS_OK}" --color GREEN
2016-09-10 16:12:44 +02:00
else
LogText "Result: Syslog-NG configuration file seems NOT to be consistent"
Display --indent 6 --text "- Checking Syslog-NG consistency" --result "${STATUS_WARNING}" --color RED
2019-12-18 12:17:46 +01:00
ReportSuggestion "${TEST_NO}" "Check the Syslog-NG configuration file and/or run a manual consistency check with: syslog-ng -s"
2014-09-15 12:01:09 +02:00
fi
2014-08-26 17:33:55 +02:00
fi
#
#################################################################################
#
# Test : LOGG-2136
# Description : Check for a running systemd-journal daemon
Register --test-no LOGG-2136 --weight L --network NO --category security --description "Check for running systemd journal daemon"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Searching for systemd journal daemon in process list"
if IsRunning "systemd-journal"; then
Display --indent 4 --text "- Checking systemd journal status" --result "${STATUS_FOUND}" --color GREEN
SYSTEMD_JOURNAL_RUNNING=1
Report "syslog_daemon_present=1"
Report "syslog_daemon[]=systemd-journal"
2016-09-10 16:12:44 +02:00
else
Display --indent 4 --text "- Checking systemd journal status" --result "${STATUS_NOT_FOUND}" --color WHITE
fi
fi
#
#################################################################################
2014-08-26 17:33:55 +02:00
#
# Test : LOGG-2210
# Description : Check for a running metalog daemon
Register --test-no LOGG-2210 --weight L --network NO --category security --description "Check for running metalog daemon"
2014-08-26 17:33:55 +02:00
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Searching for metalog daemon in process list"
if IsRunning "metalog"; then
LogText "Result: Found metalog in process list"
Display --indent 4 --text "- Checking Metalog status" --result "${STATUS_FOUND}" --color GREEN
2014-09-15 12:01:09 +02:00
SYSLOG_DAEMON_PRESENT=1
METALOG_RUNNING=1
Report "syslog_daemon_present=1"
Report "syslog_daemon[]=metalog"
2016-09-10 16:12:44 +02:00
else
LogText "Result: metalog NOT found in process list"
Display --indent 4 --text "- Checking Metalog status" --result "${STATUS_NOT_FOUND}" --color WHITE
2014-09-15 12:01:09 +02:00
fi
2014-08-26 17:33:55 +02:00
fi
#
#################################################################################
#
# Test : LOGG-2230
# Description : Check for a running rsyslog daemon
Register --test-no LOGG-2230 --weight L --network NO --category security --description "Check for running RSyslog daemon"
2014-08-26 17:33:55 +02:00
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Searching for RSyslog daemon in process list"
if IsRunning "rsyslogd"; then
LogText "Result: Found rsyslogd in process list"
Display --indent 4 --text "- Checking RSyslog status" --result "${STATUS_FOUND}" --color GREEN
2014-09-15 12:01:09 +02:00
SYSLOG_DAEMON_PRESENT=1
RSYSLOG_RUNNING=1
Report "syslog_daemon_present=1"
Report "syslog_daemon[]=rsyslog"
2016-09-10 16:12:44 +02:00
else
LogText "Result: rsyslogd NOT found in process list"
Display --indent 4 --text "- Checking RSyslog status" --result "${STATUS_NOT_FOUND}" --color WHITE
2014-09-15 12:01:09 +02:00
fi
2014-08-26 17:33:55 +02:00
fi
#
#################################################################################
#
# Test : LOGG-2240
# Description : Check for a running RFC 3195 compliant daemon (syslog via TCP)
Register --test-no LOGG-2240 --weight L --network NO --category security --description "Check for running RFC 3195 compliant daemon"
2014-08-26 17:33:55 +02:00
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Searching for RFC 3195 daemon (alias syslog reliable) in process list"
if IsRunning "rfc3195d"; then
LogText "Result: Found rfc3195d in process list"
Display --indent 4 --text "- Checking RFC 3195 daemon status" --result "${STATUS_FOUND}" --color GREEN
2014-09-15 12:01:09 +02:00
SYSLOG_DAEMON_PRESENT=1
RFC3195D_RUNNING=1
2016-09-10 16:12:44 +02:00
else
LogText "Result: rfc3195d NOT found in process list"
Display --indent 4 --text "- Checking RFC 3195 daemon status" --result "${STATUS_NOT_FOUND}" --color WHITE
2014-09-15 12:01:09 +02:00
fi
2014-08-26 17:33:55 +02:00
fi
#
#################################################################################
#
# Test : LOGG-2138
# Description : Check for kernel log daemon (klogd) presence on Linux systems
# Notes : * When using metalog, rsyslog or systemd (systemd-journal), this process is not needed.
# * In combination with syslog-ng, klogd is still an addition to it, since it
# captures kernel related events and send them to syslog-ng.
# * This test should be below all other logging daemons
Register --test-no LOGG-2138 --os Linux --weight L --network NO --category security --description "Checking kernel logger daemon on Linux"
2014-08-26 17:33:55 +02:00
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Searching kernel logger daemon (klogd)"
if [ ${RSYSLOG_RUNNING} -eq 0 ] && [ ${SYSTEMD_JOURNAL_RUNNING} -eq 0 ] && [ ${METALOG_RUNNING} -eq 0 ]; then
2014-09-15 12:01:09 +02:00
# Search for klogd, but ignore other lines related to klogd (like dd with input/output file)
#FIND=$(${PSBINARY} ax | ${GREPBINARY} "klogd" | ${GREPBINARY} -v "dd" | ${GREPBINARY} -v "grep")
if IsRunning "klogd"; then
LogText "Result: klogd running"
Display --indent 4 --text "- Checking klogd" --result "${STATUS_FOUND}" --color GREEN
2016-09-10 16:12:44 +02:00
else
LogText "Result: No klogd found"
Display --indent 4 --text "- Checking klogd" --result "${STATUS_NOT_FOUND}" --color RED
2019-12-18 12:17:46 +01:00
ReportWarning "${TEST_NO}" "klogd is not running, which could lead to missing kernel messages in log files"
2014-09-15 12:01:09 +02:00
fi
2016-09-10 16:12:44 +02:00
else
LogText "Result: test skipped, because other facility is being used to log kernel messages"
2014-09-15 12:01:09 +02:00
fi
2014-08-26 17:33:55 +02:00
fi
#
#################################################################################
#
# Test : LOGG-2142
# Description : Check for minilogd presence on Linux systems
Register --test-no LOGG-2142 --os Linux --weight L --network NO --category security --description "Checking minilog daemon"
2014-08-26 17:33:55 +02:00
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Result: Checking for unkilled minilogd instances"
2014-08-26 17:33:55 +02:00
# Search for minilogd. It shouldn't be running normally, if another syslog daemon is started
if IsRunning "minilogd"; then
Display --indent 4 --text "- Checking minilogd instances" --result "${STATUS_WARNING}" --color RED
LogText "Result: minilogd found in process list"
2014-09-15 12:01:09 +02:00
# minilogd daemon seems to be running
2019-12-18 12:17:46 +01:00
ReportWarning "${TEST_NO}" "minilogd is running, which should normally not be running"
else
Display --indent 4 --text "- Checking minilogd instances" --result "${STATUS_NOT_FOUND}" --color WHITE
LogText "Result: No minilogd is running"
2014-09-15 12:01:09 +02:00
fi
2014-08-26 17:33:55 +02:00
fi
#
#################################################################################
#
# Test : LOGG-2144
# Description : Check for wazuh-agent presence on Linux systems
Register --test-no LOGG-2144 --os Linux --weight L --network NO --category security --description "Checking wazuh-agent"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Result: Searching for wazuh-agent instances in the process list"
if IsRunning "wazuh-agent"; then
LogText "Result: Found wazuh-agent in process list"
Display --indent 4 --text "- Checking wazuh-agent status" --result "${STATUS_FOUND}" --color GREEN
WAZUH_AGENT_RUNNING=1
else
LogText "Result: wazuh-agent NOT found in process list"
Display --indent 4 --text "- Checking wazuh-agent daemon status" --result "${STATUS_NOT_FOUND}" --color WHITE
fi
fi
#
#################################################################################
2014-08-26 17:33:55 +02:00
#
# Test : LOGG-2146
# Description : Check for logrotate (/etc/logrotate.conf and logrotate.d)
Register --test-no LOGG-2146 --weight L --os Linux --network NO --category security --description "Checking logrotate.conf and logrotate.d"
2014-08-26 17:33:55 +02:00
if [ ${SKIPTEST} -eq 0 ]; then
2016-09-10 16:12:44 +02:00
LogText "Test: Checking for ${ROOTDIR}etc/logrotate.conf"
if [ -f ${ROOTDIR}etc/logrotate.conf ]; then
2014-08-26 17:33:55 +02:00
LOGROTATE_CONFIG_FOUND=1
LOGROTATE_TOOL="logrotate"
2016-09-10 16:12:44 +02:00
LogText "Result: ${ROOTDIR}etc/logrotate.conf found (file)"
2016-09-05 11:54:42 +02:00
else
2016-09-10 16:12:44 +02:00
LogText "Result: ${ROOTDIR}etc/logrotate.conf NOT found"
2014-08-26 17:33:55 +02:00
fi
2016-09-05 11:54:42 +02:00
2016-09-10 16:12:44 +02:00
LogText "Test: Checking for ${ROOTDIR}etc/logrotate.d (directory)"
if [ -d ${ROOTDIR}etc/logrotate.d ]; then
2014-08-26 17:33:55 +02:00
LOGROTATE_CONFIG_FOUND=1
LOGROTATE_TOOL="logrotate"
2016-09-10 16:12:44 +02:00
LogText "Result: ${ROOTDIR}etc/logrotate.d found"
2016-09-05 11:54:42 +02:00
else
2016-09-10 16:12:44 +02:00
LogText "Result: ${ROOTDIR}etc/logrotate.conf found"
2014-08-26 17:33:55 +02:00
fi
2016-09-05 11:54:42 +02:00
2014-08-26 17:33:55 +02:00
if [ ${LOGROTATE_CONFIG_FOUND} -eq 1 ]; then
Display --indent 2 --text "- Checking logrotate presence" --result "${STATUS_OK}" --color GREEN
LogText "Result: logrotate configuration found"
2016-09-05 11:54:42 +02:00
else
Display --indent 2 --text "- Checking logrotate presence" --result "${STATUS_WARNING}" --color RED
LogText "Result: No logrotate configuration found"
2019-12-18 12:17:46 +01:00
ReportSuggestion "${TEST_NO}" "Check if log files are properly rotated"
2014-08-26 17:33:55 +02:00
fi
fi
#
#################################################################################
#
# Test : LOGG-2148
# Description : Checking log files rotated with logrotate
2019-07-16 13:20:30 +02:00
if [ -n "${LOGROTATEBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no LOGG-2148 --weight L --preqs-met ${PREQS_MET} --network NO --category security --description "Checking logrotated files"
2014-08-26 17:33:55 +02:00
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking which files are rotated with logrotate and if they exist"
2023-04-23 23:38:21 +02:00
FIND=$(${LOGROTATEBINARY} -d -v ${ROOTDIR}etc/logrotate.conf 2>&1 | ${GREPBINARY} -E "considering log|skipping" | ${GREPBINARY} -v '*' | ${SORTBINARY} -u | ${AWKBINARY} '{ if ($2!="log") { print "File:"$2":does_not_exist" } else { print "File:"$3":exists" } }')
2016-09-10 16:12:44 +02:00
if [ -z "${FIND}" ]; then
LogText "Result: nothing found"
2016-09-10 16:12:44 +02:00
else
LogText "Result: found one or more files which are rotated via logrotate"
2014-09-15 12:01:09 +02:00
for I in ${FIND}; do
LogText "Output: ${I}"
2014-09-15 12:01:09 +02:00
done
fi
fi
2014-08-26 17:33:55 +02:00
#
#################################################################################
#
# Test : LOGG-2150
# Description : Checking log directories rotated with logrotate
if HasData "${LOGROTATEBINARY}"; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no LOGG-2150 --weight L --preqs-met ${PREQS_MET} --network NO --category security --description "Checking directories in logrotate configuration"
2014-08-26 17:33:55 +02:00
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking which directories can be found in logrotate configuration"
2023-04-23 23:38:21 +02:00
FIND=$(${LOGROTATEBINARY} -d -v ${ROOTDIR}etc/logrotate.conf 2>&1 | ${GREPBINARY} -E "considering log|skipping" | ${GREPBINARY} -v '*' | ${SORTBINARY} -u | ${AWKBINARY} '{ if ($2=="log") { print $3 } }' | ${SEDBINARY} 's@/[^/]*$@@g' | ${SORTBINARY} -u)
if IsEmpty "${FIND}"; then
LogText "Result: nothing found"
else
LogText "Result: found one or more directories (via logrotate configuration)"
for DIR in ${FIND}; do
if [ -d ${DIR} ]; then
LogText "Directory found: ${DIR}"
Report "log_directory[]=${DIR}"
else
LogText "Result: Directory could not be found: ${DIR}"
2014-09-15 12:01:09 +02:00
fi
done
fi
fi
2014-08-26 17:33:55 +02:00
#
#################################################################################
#
# Test : LOGG-2152
# Description : Check for Solaris 'loghost' entry in /etc/inet/hosts, or
2018-04-23 10:54:44 +02:00
# successful resolving via DNS or any other name service.
Register --test-no LOGG-2152 --weight L --os Solaris --network NO --category security --description "Checking loghost"
2014-08-26 17:33:55 +02:00
if [ ${SKIPTEST} -eq 0 ]; then
2014-09-15 12:01:09 +02:00
# Try local hosts file
LogText "Result: Checking for loghost in /etc/inet/hosts"
2016-09-10 16:12:44 +02:00
FIND=$(${GREPBINARY} loghost /etc/inet/hosts | ${GREPBINARY} -v "^#")
2019-07-16 13:20:30 +02:00
if [ -n "${FIND}" ]; then
SOLARIS_LOGHOST="${FIND}"
2014-09-15 12:01:09 +02:00
SOLARIS_LOGHOST_FOUND=1
LogText "Result: Found loghost entry in /etc/inet/hosts"
2016-09-10 16:12:44 +02:00
else
LogText "Result: No loghost entry found in /etc/inet/hosts"
2014-09-15 12:01:09 +02:00
# Try name resolving if no entry is present in local host file
LogText "Result: Checking for loghost via name resolving"
FIND=$(getent hosts loghost | ${GREPBINARY} loghost)
2019-07-16 13:20:30 +02:00
if [ -n "${FIND}" ]; then
2020-12-17 20:17:52 +01:00
SOLARIS_LOGHOST="${FIND}"
2014-09-15 12:01:09 +02:00
SOLARIS_LOGHOST_FOUND=1
2018-04-23 10:54:44 +02:00
LogText "Result: name resolving was successful"
LogText "Output: ${FIND}"
2016-09-10 16:12:44 +02:00
else
LogText "Result: name resolving didn't find results"
2014-09-15 12:01:09 +02:00
fi
fi
2014-08-26 17:33:55 +02:00
if [ ${SOLARIS_LOGHOST_FOUND} -eq 1 ]; then
LogText "Result: loghost entry found and most likely used to send syslog messages"
Display --indent 2 --text "- Checking loghost entry" --result "${STATUS_OK}" --color GREEN
2016-09-10 16:12:44 +02:00
else
Display --indent 2 --text "- Checking loghost entry" --result "${STATUS_WARNING}" --color RED
LogText "Result: No loghost entry found"
2019-12-18 12:17:46 +01:00
ReportWarning "${TEST_NO}" "No loghost entry found"
ReportSuggestion "${TEST_NO}" "Add a loghost entry to /etc/inet/hosts or other name services"
2014-09-15 12:01:09 +02:00
fi
2014-08-26 17:33:55 +02:00
fi
#
#################################################################################
#
# Test : LOGG-2153
# Description : Check Solaris 'loghost' entry is not localhost, meaning
# remote logging is not configured.
if [ ${SOLARIS_LOGHOST_FOUND} -eq 1 ] && [ -n "${SOLARIS_LOGHOST}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no LOGG-2153 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking loghost is localhost"
if [ ${SKIPTEST} -eq 0 ]; then
2023-04-23 23:38:21 +02:00
FIND=$(echo "${SOLARIS_LOGHOST}" | ${AWKBINARY} '{ print $1 }' | ${GREPBINARY} -E "::1|127.0.0.1|127.1")
if [ -n "${FIND}" ]; then
SOLARIS_LOGHOST_LOCALHOST=1
LogText "Result: loghost entry is localhost (default)"
Display --indent 4 --text "- Checking loghost entry is localhost" --result "${STATUS_YES}" --color YELLOW
ReportSuggestion "${TEST_NO}" "Set loghost entry to a remote location to enable remote logging."
else
Display --indent 4 --text "- Checking loghost entry is localhost" --result "${STATUS_NO}" --color GREEN
fi
fi
#
#################################################################################
2014-08-26 17:33:55 +02:00
#
# Test : LOGG-2154
# Description : Check to see if remote logging is enabled
# Notes : prevent lines showing up with commands in it (like |mail)
if [ ${SYSLOG_DAEMON_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no LOGG-2154 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking syslog configuration file"
2014-08-26 17:33:55 +02:00
if [ ${SKIPTEST} -eq 0 ]; then
if [ ${RSYSLOG_RUNNING} -eq 1 ]; then
DATA=""
TARGET="${ROOTDIR}etc/rsyslog.conf"
if [ -f ${TARGET} ]; then
LogText "Test: analyzing file ${TARGET} for remote target"
2023-04-23 23:38:21 +02:00
DATA=$(${GREPBINARY} -E "@@?([a-zA-Z0-9\-])+(\.)?(([a-zA-Z0-9-])+)?(\.)?(([a-zA-Z0-9-])+)?(\.)?(([a-zA-Z0-9-])+)?(\.)?(([a-zA-Z0-9-])+)?" ${TARGET} | ${GREPBINARY} -v "#" | ${TRBINARY} -cd "[:print:]\n" | ${SEDBINARY} 's/[[:blank:]]\{1,\}/:space:/g')
if [ -z "${DATA}" ]; then
LogText "Result: no remote target found"
else
LogText "Result: found remote target"
REMOTE_LOGGING_ENABLED=1
for D in ${DATA}; do
if SafeInput "${D}"; then
D=$(echo ${D} | ${SEDBINARY} 's/:space:/ /g')
LogText "Data: ${D}"
fi
done
fi
fi
TARGET="${ROOTDIR}etc/rsyslog.d"
if [ -d ${TARGET} ]; then
FILES=$(${FINDBINARY} -L ${TARGET} -type f -print0 | ${TRBINARY} -cd '[:print:]\0' | ${SEDBINARY} 's/[[:blank:]]/:space:/g' | ${TRBINARY} '\0' ' ')
for F in ${FILES}; do
F=$(echo ${F} | ${SEDBINARY} 's/:space:/ /g')
LogText "Test: analyzing file ${F} for remote target"
2023-04-23 23:38:21 +02:00
DATA=$(${GREPBINARY} -E "@@?([a-zA-Z0-9\-])+(\.)?(([a-zA-Z0-9-])+)?(\.)?(([a-zA-Z0-9-])+)?(\.)?(([a-zA-Z0-9-])+)?(\.)?(([a-zA-Z0-9-])+)?" ${F} | ${GREPBINARY} -v "#" | ${TRBINARY} -cd "[:print:]\n" | ${SEDBINARY} 's/[[:blank:]]\{1,\}/:space:/g')
if [ -n "${DATA}" ]; then
LogText "Result: found remote target"
REMOTE_LOGGING_ENABLED=1
for D in ${DATA}; do
if SafeInput "${D}"; then
D=$(echo ${D} | ${SEDBINARY} 's/:space:/ /g')
LogText "Data: ${D}"
fi
done
else
# Check new style configuration (omrelp/omfwd). This can be all on one line or even split over multiple lines.
2023-04-23 23:38:21 +02:00
DATA=$(${GREPBINARY} -E "target=\"([a-zA-Z0-9\-])" ${F})
if [ -n "${DATA}" ]; then
LogText "Result: most likely remote log host is used, as keyword 'target' is used"
REMOTE_LOGGING_ENABLED=1
else
LogText "Result: no remote target found"
fi
fi
done
fi
fi
# Test generic syslog files (syslog-ng and older syslog daemons)
2014-09-15 12:01:09 +02:00
if [ ${SYSLOG_NG_RUNNING} -eq 1 ]; then
SYSLOGD_CONF="${ROOTDIR}etc/syslog-ng/syslog-ng.conf"
2016-09-10 16:12:44 +02:00
else
SYSLOGD_CONF="${ROOTDIR}etc/syslog.conf"
2014-09-15 12:01:09 +02:00
fi
2014-09-15 12:01:09 +02:00
if [ -f ${SYSLOGD_CONF} ]; then
LogText "Test: check if logs are also logged to a remote logging host"
2023-04-23 23:38:21 +02:00
FIND=$(${GREPBINARY} -E "@[a-zA-Z0-9]|destination\s.+(udp|tcp).+\sport" ${SYSLOGD_CONF} | ${GREPBINARY} -v "^#" | ${GREPBINARY} -v "[a-zA-Z0-9]@")
2019-07-16 13:20:30 +02:00
if [ -n "${FIND}" ]; then
FIND2=$(echo "${FIND}" | ${GREPBINARY} -v "@loghost")
2021-01-03 08:29:17 +01:00
if [ ${SOLARIS_LOGHOST_LOCALHOST} -eq 1 ] && [ -z "${FIND2}" ]; then
LogText "Result: remote logging enabled to loghost, but loghost is localhost"
else
LogText "Result: remote logging enabled"
REMOTE_LOGGING_ENABLED=1
fi
else
# Search for configured destinations with an IP address or hostname, then determine which ones are used as a log destination
2023-04-23 23:38:21 +02:00
DESTINATIONS=$(${GREPBINARY} "^destination" ${SYSLOGD_CONF} | ${GREPBINARY} -E "(udp|tcp)" | ${GREPBINARY} "port" | ${AWKBINARY} '{print $2}')
for DESTINATION in ${DESTINATIONS}; do
2023-04-23 23:38:21 +02:00
FIND2=$(${GREPBINARY} "log" ${SYSLOGD_CONF} | ${GREPBINARY} "source" | ${GREPBINARY} -E "destination\(${DESTINATION}\)")
if [ -n "${FIND2}" ]; then
LogText "Result: found destination ${DESTINATION} configured for remote logging"
REMOTE_LOGGING_ENABLED=1
fi
done
fi
fi
# Test wazuh-agent configuration for syslog configuration
if [ ${WAZUH_AGENT_RUNNING} ]; then
WAZUH_AGENT_CONF="/var/ossec/etc/ossec.conf"
fi
if [ -f ${WAZUH_AGENT_CONF} ]; then
LogText "Test: Checking Wazuh agent configuration for remote syslog forwarding"
FIND=$(${EGREPBINARY} '<location>/var/log/syslog</location>' ${WAZUH_AGENT_CONF})
if [ "${FIND}" ]; then
DESTINATION=$(${EGREPBINARY} -o '<address>([A-Za-z0-9\.\-\_]*)</address>' ${WAZUH_AGENT_CONF} | sed 's/<address>//' | sed 's/<\/address>//')
LogText "Result: found destination ${DESTINATION} configured for remote logging with wazuh"
REMOTE_LOGGING_ENABLED=1
fi
fi
# Show result
if [ ${REMOTE_LOGGING_ENABLED} -eq 0 ]; then
Report "remote_syslog_configured=0"
LogText "Result: no remote logging found"
2019-12-18 12:17:46 +01:00
ReportSuggestion "${TEST_NO}" "Enable logging to an external logging host for archiving purposes and additional protection"
AddHP 1 3
Display --indent 2 --text "- Checking remote logging" --result "${STATUS_NOT_ENABLED}" --color YELLOW
else
Report "remote_syslog_configured=1"
AddHP 5 5
Display --indent 2 --text "- Checking remote logging" --result "${STATUS_ENABLED}" --color GREEN
2014-09-15 12:01:09 +02:00
fi
2014-08-26 17:33:55 +02:00
fi
#
#################################################################################
#
# Test : LOGG-2160
# Description : Check for /etc/newsyslog.conf (FreeBSD/OpenBSD)
2016-09-10 16:12:44 +02:00
if [ -f ${ROOTDIR}etc/newsyslog.conf ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no LOGG-2160 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking /etc/newsyslog.conf"
2014-08-26 17:33:55 +02:00
if [ ${SKIPTEST} -eq 0 ]; then
2016-09-10 16:12:44 +02:00
LogText "Result: ${ROOTDIR}etc/newsyslog.conf found"
Display --indent 2 --text "- Checking ${ROOTDIR}etc/newsyslog.conf" --result "${STATUS_FOUND}" --color GREEN
2014-08-26 17:33:55 +02:00
LOGROTATE_CONFIG_FOUND=1
LOGROTATE_TOOL="newsyslog"
fi
#
#################################################################################
#
# Test : LOGG-2162
# Description : Check for directories in /etc/newsyslog.conf
if [ -f /etc/newsyslog.conf ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no LOGG-2162 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking directories in /etc/newsyslog.conf"
2014-08-26 17:33:55 +02:00
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: parsing directories from /etc/newsyslog.conf file"
2016-09-10 16:12:44 +02:00
FIND=$(${AWKBINARY} '/^\// { print $1 }' /etc/newsyslog.conf | ${SEDBINARY} 's/\/*[a-zA-Z_.-]*$//g' | ${SORTBINARY} -u)
2014-08-26 17:33:55 +02:00
for I in ${FIND}; do
if [ -d ${I} ]; then
LogText "Result: Directory ${I} found and exists"
Report "log_directory[]=${I}"
2016-09-10 16:12:44 +02:00
else
LogText "Result: Item ${I} is not a directory"
2014-08-26 17:33:55 +02:00
fi
done
Display --indent 4 --text "- Checking log directories (newsyslog.conf)" --result "${STATUS_DONE}" --color GREEN
2014-08-26 17:33:55 +02:00
fi
#
#################################################################################
#
# Test : LOGG-2164
# Description : Check for files in /etc/newsyslog.conf
2016-09-10 16:12:44 +02:00
if [ -f ${ROOTDIR}etc/newsyslog.conf ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no LOGG-2164 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking files specified /etc/newsyslog.conf"
2014-08-26 17:33:55 +02:00
if [ ${SKIPTEST} -eq 0 ]; then
2016-09-10 16:12:44 +02:00
LogText "Test: parsing files from ${ROOTDIR}etc/newsyslog.conf file"
FIND=$(${AWKBINARY} '/^\// { print $1 }' ${ROOTDIR}etc/newsyslog.conf | ${SORTBINARY} -u)
2014-08-26 17:33:55 +02:00
for I in ${FIND}; do
if [ -f ${I} ]; then
LogText "Result: File ${I} found and exists"
2016-09-10 16:12:44 +02:00
else
LogText "Result: Item ${I} is not a file"
2014-08-26 17:33:55 +02:00
fi
done
Display --indent 4 --text "- Checking log files (newsyslog.conf)" --result "${STATUS_DONE}" --color GREEN
2014-08-26 17:33:55 +02:00
fi
#
#################################################################################
#
# Test : LOGG-2170
# Description : Search available log paths
Register --test-no LOGG-2170 --weight L --network NO --category security --description "Checking log paths"
2014-08-26 17:33:55 +02:00
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Searching log paths"
2014-08-26 17:33:55 +02:00
for I in ${LOG_FILES_LOCS}; do
if [ -d ${I} ]; then
LogText "Result: directory ${I} exists"
Report "log_directory[]=${I}"
2016-09-10 16:12:44 +02:00
else
LogText "Result: directory ${I} can't be found"
2014-08-26 17:33:55 +02:00
fi
done
Display --indent 2 --text "- Checking log directories (static list)" --result "${STATUS_DONE}" --color GREEN
2014-08-26 17:33:55 +02:00
fi
#
#################################################################################
#
# Test : LOGG-2180
# Description : Search open log file
Register --test-no LOGG-2180 --weight L --network NO --category security --description "Checking open log files"
2014-08-26 17:33:55 +02:00
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: checking open log files with lsof"
2019-07-16 13:20:30 +02:00
if [ -n "${LSOFBINARY}" ]; then
2023-04-23 23:38:21 +02:00
FIND=$(${LSOFBINARY}${LSOF_EXTRA_OPTIONS} -n 2>&1 | ${GREPBINARY} "log$" | ${GREPBINARY} -E -v "WARNING|Output information" | ${AWKBINARY} '{ if ($5=="REG") { print $9 } }' | ${SORTBINARY} -u | ${GREPBINARY} -v "^$")
2014-08-26 17:33:55 +02:00
for I in ${FIND}; do
LogText "Found logfile: ${I}"
2014-08-26 17:33:55 +02:00
done
Display --indent 2 --text "- Checking open log files" --result "${STATUS_DONE}" --color GREEN
2016-09-10 16:12:44 +02:00
else
LogText "Result: lsof not installed, skipping test"
2019-03-21 09:07:05 +01:00
Display --indent 2 --text "- Checking open log files" --result "${STATUS_SKIPPED}" --color WHITE
2014-08-26 17:33:55 +02:00
fi
fi
#
#################################################################################
#
# Test : LOGG-2190
# Description : Checking deleted files
2019-07-16 13:20:30 +02:00
if [ -n "${LSOFBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no LOGG-2190 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking for deleted files in use"
2014-08-26 17:33:55 +02:00
if [ ${SKIPTEST} -eq 0 ]; then
EARLY_MYSQL=""
LogText "Test: checking deleted files that are still in use"
LSOF_GREP="WARNING|Output information"
# MySQL versions prior to 5.6 leave lots of deleted in-use files in /tmp, ignoring those
LSOF_GREP="${LSOF_GREP}|mysqld"
# grsecurity causes Fail2Ban to hold onto deleted in-use files in /var/tmp
if [ ${GRSEC_FOUND} -eq 1 ]; then LSOF_GREP="${LSOF_GREP}|fail2ban"; fi
if [ ${OS_REDHAT_OR_CLONE} -eq 1 ]; then
# If lynis is run from /etc/cron.daily some deleted in-use files are kept in /tmp
LSOF_GREP="${LSOF_GREP}|anacron|awk|run-parts"
fi
2023-04-23 23:38:21 +02:00
FIND=$(${LSOFBINARY}${LSOF_EXTRA_OPTIONS} -n +L 1 2>&1 | ${GREPBINARY} -E -vw "${LSOF_GREP}" | ${GREPBINARY} -E -v '/dev/zero|/\[aio\]' | ${AWKBINARY} '{ if ($5=="REG") { printf "%s(%s)\n", $10, $1 } }' | ${GREPBINARY} -v "^$" | ${SORTBINARY} -u)
2019-07-16 13:20:30 +02:00
if [ -n "${FIND}" ]; then
LogText "Result: found one or more files which are deleted, but still in use"
2014-08-26 17:33:55 +02:00
for I in ${FIND}; do
LogText "Found deleted file: ${I}"
Report "deleted_file[]=${I}"
2014-08-26 17:33:55 +02:00
done
Display --indent 2 --text "- Checking deleted files in use" --result "${STATUS_FILES_FOUND}" --color YELLOW
2019-12-18 12:17:46 +01:00
ReportSuggestion "${TEST_NO}" "Check what deleted files are still in use and why."
else
LogText "Result: no deleted files found"
Display --indent 2 --text "- Checking deleted files in use" --result "${STATUS_DONE}" --color GREEN
2014-08-26 17:33:55 +02:00
fi
fi
#
#################################################################################
2016-08-22 12:21:43 +02:00
#
# Test : LOGG-2192
# Description : Check for open log files which are empty. This may indicate a problem with log rotation, or unused services
if [ -n "${LSOFBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
2016-08-22 12:21:43 +02:00
Register --test-no LOGG-2192 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking for open log files that are empty"
if [ ${SKIPTEST} -eq 0 ]; then
FIND=$(${LSOFBINARY}${LSOF_EXTRA_OPTIONS} -n -w | ${AWKBINARY} '{if ($5=="REG" && $7=="0" && $9 ~ /log$/) {print $1","$9}}' | ${SORTBINARY} | uniq)
2019-07-16 13:20:30 +02:00
if [ -n "${FIND}" ]; then
2016-08-22 12:21:43 +02:00
for I in ${FIND}; do
LogText "Found an opened logfile that is empty: ${I}"
Report "open_empty_log_file[]=${I}"
done
else
LogText "Result: all opened log files are bigger than zero bytes in size"
fi
fi
#
#################################################################################
2014-08-26 17:33:55 +02:00
#
Report "log_rotation_config_found=${LOGROTATE_CONFIG_FOUND}"
Report "log_rotation_tool=${LOGROTATE_TOOL}"
2014-08-26 17:33:55 +02:00
2016-05-03 11:00:06 +02:00
WaitForKeyPress
2014-08-26 17:33:55 +02:00
#
#================================================================================
# Lynis - Security Auditing and System Hardening for Linux and UNIX - https://cisofy.com