#!/bin/sh
#################################################################################
#
# Lynis
# ------------------
#
# Copyright 2007-2013, Michael Boelen
# Copyright 2007-2020, CISOfy
#
# Website : https://cisofy.com
# Blog : http://linux-audit.com
# GitHub : https://github.com/CISOfy/lynis
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
# See LICENSE file for usage of this software.
#
#################################################################################
#
# State shared by the tests in this file. 1 = found/running, 0 = not seen.
# Grouped by the area whose tests write them.
#
# Automation / configuration management (TOOL-5002)
ANSIBLE_ARTIFACT_FOUND=0
AUTOMATION_TOOL_FOUND=0
AUTOMATION_TOOL_RUNNING=""
CFENGINE_AGENT_FOUND=0
CFENGINE_SERVER_RUNNING=0
PUPPET_MASTER_RUNNING=0
SALT_MASTER_RUNNING=0
SALT_MINION_RUNNING=0
# Backup tooling (initialised here; no test in this file sets it)
BACKUP_AGENT_FOUND=0
# Intrusion detection / prevention (TOOL-51xx, summarised in TOOL-5190)
IDS_IPS_TOOL_FOUND=0
FAIL2BAN_FOUND=0
FAIL2BAN_EMAIL=0
FAIL2BAN_SILENT=0
PERFORM_FAIL2BAN_TESTS=0
SNORT_FOUND=0
SNORT_RUNNING=0
#
#################################################################################
#
# Section header for all tests in this file (screen output and report)
InsertSection "Software: System tooling"
#
#################################################################################
#
# Automation
#
#################################################################################
#
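# Test : TOOL-5002
# Description : Check if automation tools are found
#
# Looks for traces of configuration management tooling (Ansible, CFEngine,
# Chef, Puppet, SaltStack). Any hit sets AUTOMATION_TOOL_FOUND=1 and adds an
# automation_tool_* entry to the report; no hit results in a suggestion.
# Inputs  : ROOTDIR, HOME, and binaries located earlier in the run
#           (CFAGENTBINARY, PUPPETBINARY, SALTMINIONBINARY, SALTMASTERBINARY)
# Outputs : AUTOMATION_TOOL_FOUND, ANSIBLE_ARTIFACT_FOUND, CFENGINE_AGENT_FOUND,
#           CFENGINE_SERVER_RUNNING, PUPPET_MASTER_RUNNING, SALT_MINION_RUNNING,
#           SALT_MASTER_RUNNING, CHEFCLIENTBINARY, CHEFSERVERBINARY, PUPPETBINARY
Register --test-no TOOL-5002 --weight L --network NO --category security --description "Checking for automation tools"
if [ "${SKIPTEST}" -eq 0 ]; then
    Display --indent 2 --text "- Checking automation tooling"

    # Ansible leaves no daemon behind, so look for the directories and files it
    # creates. Note: '~' is not expanded inside double quotes, hence ${HOME}.
    FOUND=0
    LIST="${HOME}/.ansible ${ROOTDIR}etc/ansible ${ROOTDIR}root/.ansible ${ROOTDIR}tmp/.ansible"
    for ITEM in ${LIST}; do
        if DirectoryExists "${ITEM}"; then FOUND=1; break; fi
    done
    # Test for files (only if no directory matched)
    if [ ${FOUND} -eq 0 ]; then
        LIST="${ROOTDIR}var/log/ansible.log ${HOME}/.ansible-retry"
        for ITEM in ${LIST}; do
            if FileExists "${ITEM}"; then FOUND=1; break; fi
        done
    fi
    if [ ${FOUND} -eq 1 ]; then
        LogText "Result: found a possible trace of Ansible"
        AUTOMATION_TOOL_FOUND=1
        ANSIBLE_ARTIFACT_FOUND=1
        Report "automation_tool_running[]=ansible"
        Display --indent 4 --text "- Ansible artifact" --result "${STATUS_FOUND}" --color GREEN
    fi

    # CFEngine
    if [ -n "${CFAGENTBINARY}" ]; then
        LogText "Result: CFEngine (cfagent) is installed (${CFAGENTBINARY})"
        AUTOMATION_TOOL_FOUND=1
        CFENGINE_AGENT_FOUND=1
        Report "automation_tool_running[]=cf-agent"
        Display --indent 4 --text "- Cfengine (cfagent)" --result "${STATUS_FOUND}" --color GREEN
    fi
    # Community and Rudder builds install cf-agent outside the regular PATH
    OTHER_CFENGINE_LOCATIONS="${ROOTDIR}var/cfengine/bin ${ROOTDIR}var/rudder/cfengine-community/bin"
    for I in ${OTHER_CFENGINE_LOCATIONS}; do
        if [ -f "${I}/cf-agent" ]; then
            LogText "Result: found CFEngine agent (cf-agent) in ${I}"
            AUTOMATION_TOOL_FOUND=1
            CFENGINE_AGENT_FOUND=1
            Report "automation_tool_running[]=cf-agent"
            Display --indent 4 --text "- CFEngine (cf-agent)" --result "${STATUS_FOUND}" --color GREEN
        fi
    done
    # The server process is checked once, independent of where the binaries live
    # (previously only when one of the directories above existed, and once per directory)
    if IsRunning "cf-server"; then
        LogText "Result: found CFEngine server"
        AUTOMATION_TOOL_FOUND=1
        CFENGINE_SERVER_RUNNING=1
        Report "automation_tool_running[]=cf-server"
        Display --indent 4 --text "- CFEngine (cf-server)" --result "${STATUS_FOUND}" --color GREEN
    fi

    # Chef
    CHEF_LOCATIONS="${ROOTDIR}opt/chef/bin ${ROOTDIR}opt/chef-server/sv ${ROOTDIR}opt/chefdk/bin"
    for I in ${CHEF_LOCATIONS}; do
        if [ -f "${I}/chef-client" ]; then
            CHEFCLIENTBINARY="${I}/chef-client"
            AUTOMATION_TOOL_FOUND=1
            Report "automation_tool_running[]=chef-client"
            Display --indent 4 --text "- Chef client (chef-client)" --result "${STATUS_FOUND}" --color GREEN
            LogText "Result: found chef-client (chef client daemon) in ${I}"
        fi
        if [ -f "${I}/erchef" ]; then
            CHEFSERVERBINARY="${I}/erchef"
            LogText "Result: Chef Server (erchef) is installed (${CHEFSERVERBINARY})"
            AUTOMATION_TOOL_FOUND=1
            Report "automation_tool_running[]=chef-server"
            Display --indent 4 --text "- Chef Server (erchef)" --result "${STATUS_FOUND}" --color GREEN
            LogText "Result: found erchef (chef server daemon) in ${I}"
        fi
    done

    # Puppet
    # Puppetlabs packages install outside the regular PATH; fall back to that location
    if [ -z "${PUPPETBINARY}" ]; then
        if [ -f "${ROOTDIR}opt/puppetlabs/puppet/bin/puppet" ]; then
            PUPPETBINARY="${ROOTDIR}opt/puppetlabs/puppet/bin/puppet"
        fi
    fi
    if [ -n "${PUPPETBINARY}" ]; then
        LogText "Result: Puppet is installed (${PUPPETBINARY})"
        AUTOMATION_TOOL_FOUND=1
        Report "automation_tool_running[]=puppet-agent"
        Display --indent 4 --text "- Puppet (agent)" --result "${STATUS_FOUND}" --color GREEN
    fi
    if IsRunning --full "puppet master"; then
        LogText "Result: found puppet master"
        AUTOMATION_TOOL_FOUND=1
        PUPPET_MASTER_RUNNING=1
        Report "automation_tool_running[]=puppet-master"
        Display --indent 4 --text "- Puppet (master)" --result "${STATUS_FOUND}" --color GREEN
    fi

    # SaltStack: installed and running are reported separately
    if [ -n "${SALTMINIONBINARY}" ]; then
        Display --indent 4 --text "- SaltStack minion" --result "${STATUS_FOUND}" --color GREEN
        LogText "Result: SaltStack (salt-minion) is installed (${SALTMINIONBINARY})"
        AUTOMATION_TOOL_FOUND=1
        Report "automation_tool_installed[]=saltstack-minion"
        if IsRunning "salt-minion" --user "root salt"; then
            Display --indent 6 --text "- Minion process" --result "${STATUS_RUNNING}" --color GREEN
            LogText "Result: found SaltStack (minion)"
            SALT_MINION_RUNNING=1
            Report "automation_tool_running[]=saltstack-minion"
        else
            Display --indent 6 --text "- Minion process" --result "${STATUS_NOT_RUNNING}" --color YELLOW
        fi
    fi
    if [ -n "${SALTMASTERBINARY}" ]; then
        Display --indent 4 --text "- SaltStack master (salt-master)" --result "${STATUS_FOUND}" --color GREEN
        LogText "Result: SaltStack (salt-master) is installed (${SALTMASTERBINARY})"
        AUTOMATION_TOOL_FOUND=1
        Report "automation_tool_installed[]=saltstack-master"
        if IsRunning "salt-master" --user "root salt"; then
            Display --indent 6 --text "- Master process" --result "${STATUS_RUNNING}" --color GREEN
            LogText "Result: found SaltStack (master)"
            SALT_MASTER_RUNNING=1
            Report "automation_tool_running[]=saltstack-master"
        else
            Display --indent 6 --text "- Master process" --result "${STATUS_NOT_RUNNING}" --color YELLOW
        fi
    fi

    # Summary
    if [ ${AUTOMATION_TOOL_FOUND} -eq 1 ]; then
        Display --indent 2 --text "- Automation tooling" --result "${STATUS_FOUND}" --color GREEN
    else
        Display --indent 2 --text "- Automation tooling" --result "${STATUS_NOT_FOUND}" --color YELLOW
        ReportSuggestion "${TEST_NO}" "Determine if automation tools are present for system management"
    fi
fi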
#
#################################################################################
#
# Intrusion Detection and Prevention tools
#
#################################################################################
#
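# Test : TOOL-5102
# Description : Check for Fail2ban
#
# Records whether Fail2ban is installed (FAIL2BANBINARY comes from the binary
# scan) and which jail configuration file is in use. The follow-up test
# TOOL-5104 only runs when a client binary and a configuration file are both
# available, signalled via PERFORM_FAIL2BAN_TESTS.
# Outputs : FAIL2BAN_FOUND, IDS_IPS_TOOL_FOUND, FAIL2BAN_CONFIG, FAIL2BANCLIENT,
#           PERFORM_FAIL2BAN_TESTS
Register --test-no TOOL-5102 --weight L --network NO --category security --description "Check for presence of Fail2ban"
if [ "${SKIPTEST}" -eq 0 ]; then
    # Fail2ban presence
    if [ -n "${FAIL2BANBINARY}" ]; then
        FAIL2BAN_FOUND=1
        IDS_IPS_TOOL_FOUND=1
        LogText "Result: Fail2ban is installed (${FAIL2BANBINARY})"
        Report "ids_ips_tooling[]=fail2ban"
        Display --indent 2 --text "- Checking presence of Fail2ban" --result "${STATUS_FOUND}" --color GREEN
    else
        LogText "Result: Fail2ban not present (fail2ban-server not found)"
    fi
    # Fail2ban configuration: jail.local takes precedence over jail.conf
    LogText "Checking Fail2ban configuration file"
    FAIL2BAN_CONFIG=""
    for F2BCONF in "${ROOTDIR}etc/fail2ban/jail.local" "${ROOTDIR}etc/fail2ban/jail.conf"; do
        if [ -f "${F2BCONF}" ]; then
            FAIL2BAN_CONFIG="${F2BCONF}"
            break
        fi
    done
    # Continue if tooling is available and configuration file found
    if [ ${FAIL2BAN_FOUND} -eq 1 ] && [ -n "${FAIL2BAN_CONFIG}" ]; then
        Report "fail2ban_config=${FAIL2BAN_CONFIG}"
        # 'command -v' is POSIX and, unlike some 'which' implementations, prints
        # nothing on stdout when the binary is missing, so no output filtering is needed
        FAIL2BANCLIENT=$(command -v fail2ban-client 2> /dev/null)
        if [ -n "${FAIL2BANCLIENT}" ]; then PERFORM_FAIL2BAN_TESTS=1; fi
    fi
fi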
#
#################################################################################
#
# Test : TOOL-5104
# Description : Check for Fail2ban enabled tests
#
# Lists the jails enabled in the Fail2ban configuration, taken from the
# client's configuration dump. Requires TOOL-5102 to have located both a
# client binary and a configuration file (PERFORM_FAIL2BAN_TESTS=1).
# Outputs : fail2ban_enabled_service[] report entries, hardening points
if [ ${PERFORM_FAIL2BAN_TESTS} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no TOOL-5104 --weight L --network NO --preqs-met ${PREQS_MET} --category security --description "Enabled tests in Fail2ban"
if [ "${SKIPTEST}" -eq 0 ]; then
    # The dump lists each enabled jail as an "add" command: strip the list
    # brackets, quotes and spaces, then keep the second comma-separated field.
    FIND=$(${FAIL2BANCLIENT} -d | ${TRBINARY} -d '[]' | ${TRBINARY} -d "'" | ${AWKBINARY} -F, '{ if ($1=="add") { print $2 }}' | ${TRBINARY} -d ' ')
    if [ -z "${FIND}" ]; then
        # NOTE(review): an empty dump would presumably also result from a client
        # that failed to parse the configuration; that case is reported as
        # "all jails disabled" too — confirm against fail2ban-client behaviour
        LogText "Result: Fail2ban installed but completely disabled"
        Display --indent 4 --text "- Checking Fail2ban jails" --result "${STATUS_DISABLED}" --color RED
        AddHP 0 5
        ReportWarning "${TEST_NO}" "All jails in Fail2ban are disabled" "${FAIL2BAN_CONFIG}"
    else
        for F2BSERVICE in ${FIND}; do
            LogText "Result: service '${F2BSERVICE}' enabled"
            Report "fail2ban_enabled_service[]=${F2BSERVICE}"
        done
        LogText "Result: found at least one enabled jail"
        Display --indent 4 --text "- Checking Fail2ban jails" --result "${STATUS_ENABLED}" --color GREEN
        AddHP 3 3
    fi
fi
#
#################################################################################
#
# These tests are temporarily disabled; they will be split up and moved to the relevant areas
#
# LogText "Result: found configuration file (${FAIL2BAN_CONFIG})"
#
# # Check email alert configuration
# LogText "Test: checking for email actions within ${FAIL2BAN_CONFIG}"
#
# FIND=$(${EGREPBINARY} "^action = \%\(action_m.*\)s" ${FAIL2BAN_CONFIG})
# FIND2=$(${EGREPBINARY} "^action = \%\(action_\)s" ${FAIL2BAN_CONFIG})
#
# if [ -n "${FIND}" ]; then
# FAIL2BAN_EMAIL=1
# LogText "Result: found at least one jail which sends an email alert"
# fi
#
# if [ -n "${FIND2}" ]; then
# FAIL2BAN_SILENT=1
# LogText "Result: found at least one jail which does NOT send an email alert"
# fi
#
# if [ ${FAIL2BAN_SILENT} -eq 0 ] && [ ${FAIL2BAN_EMAIL} -eq 0 ]; then
# LogText "No registered actions found in ${FAIL2BAN_CONFIG}"
# Display --indent 4 --text "- Checking Fail2ban actions" --result "${STATUS_NONE}" --color RED
# ReportWarning "${TEST_NO}" "${FAIL2BAN_CONFIG}" "There are no actions configured for Fail2ban."
# AddHP 0 3
# fi
#
# if [ ${FAIL2BAN_SILENT} -eq 0 ] && [ ${FAIL2BAN_EMAIL} -eq 1 ]; then
# LogText "All actions in ${FAIL2BAN_CONFIG} are configured to send email alerts"
# Display --indent 4 --text "- Checking Fail2ban actions" --result "${STATUS_OK}" --color GREEN
# AddHP 3 3
# fi
#
# if [ ${FAIL2BAN_SILENT} -eq 1 ] && [ ${FAIL2BAN_EMAIL} -eq 1 ]; then
# LogText "Some actions found in ${FAIL2BAN_CONFIG} are configured to send email alerts"
# Display --indent 4 --text "- Checking Fail2ban actions" --result PARTIAL --color YELLOW
# ReportSuggestion "${TEST_NO}" "Some Fail2ban jails are configured with non-notified actions. Consider changing these to emailed alerts."
# AddHP 2 3
# fi
#
# if [ ${FAIL2BAN_SILENT} -eq 1 ] && [ ${FAIL2BAN_EMAIL} -eq 0 ]; then
# LogText "None of the actions found in ${FAIL2BAN_CONFIG} are configured to send email alerts"
# Display --indent 4 --text "- Checking Fail2ban actions" --result "${STATUS_NONE}" --color YELLOW
# ReportSuggestion "${TEST_NO}" "None of the Fail2ban jails are configured to send email notifications. Consider changing these to emailed alerts."
# AddHP 1 3
# fi
#
# # Check at least one enabled jail
# LogText "Checking for enabled jails within ${FAIL2BAN_CONFIG}"
#
#
#
# # Confirm at least one iptables chain for fail2ban
#
# LogText "Checking for fail2ban iptables chains"
#
# if [ -n "${IPTABLESBINARY}" ]; then
# CHECK_CHAINS=$(${IPTABLESBINARY} -L 2>&1 | ${GREPBINARY} fail2ban)
# if [ -n "${CHECK_CHAINS}" ]; then
# LogText "Result: found at least one iptables chain for fail2ban"
# Display --indent 4 --text "- Checking for Fail2ban iptables chain" --result "${STATUS_OK}" --color GREEN
# else
# LogText "Result: Fail2ban installed but iptables chain not present - fail2ban will not work"
# Display --indent 4 --text "- Checking for Fail2ban iptables chain" --result "${STATUS_WARNING}" --color RED
# AddHP 0 3
# ReportSuggestion "${TEST_NO}" "Check config to see why iptables does not have a fail2ban chain" "${FAIL2BAN_CONFIG}"
# fi
# else
# Display --indent 4 --text "- Checking for Fail2ban iptables chain" --result "${STATUS_WARNING}" --color RED
# ReportSuggestion "${TEST_NO}" "iptables doesn't seem to be installed; Fail2ban will not work. Remove Fail2ban or install iptables" "${FAIL2BAN_CONFIG}"
# fi
# fi
# fi
#
#################################################################################
#
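# Test : TOOL-5120
# Description : Check for Snort
#
# Two independent signals: the snort binary (SNORTBINARY, from the binary scan)
# and a running snort process. Either one marks Snort as found and counts as
# IDS/IPS tooling; both flags are consumed by TOOL-5122 and TOOL-5190.
# Outputs : SNORT_FOUND, SNORT_RUNNING, IDS_IPS_TOOL_FOUND, SNORT_LOG
Register --test-no TOOL-5120 --weight L --network NO --category security --description "Check for presence of Snort"
if [ "${SKIPTEST}" -eq 0 ]; then
    # Snort presence
    if [ -n "${SNORTBINARY}" ]; then
        SNORT_FOUND=1
        IDS_IPS_TOOL_FOUND=1
        LogText "Result: Snort is installed (${SNORTBINARY})"
        Report "ids_ips_tooling[]=snort"
        Display --indent 2 --text "- Checking presence of Snort" --result "${STATUS_FOUND}" --color GREEN
    fi
    # Snort process (may run from a location the binary scan did not cover)
    if IsRunning "snort"; then
        if [ ${SNORT_FOUND} -eq 0 ]; then
            # Running but no binary found: still IDS/IPS tooling, so report it
            # here instead of leaving TOOL-5190 to conclude nothing is installed
            SNORT_FOUND=1
            IDS_IPS_TOOL_FOUND=1
            LogText "Result: Snort process is running (binary not found during binary scan)"
            Report "ids_ips_tooling[]=snort"
            Display --indent 2 --text "- Checking presence of Snort" --result "${STATUS_FOUND}" --color GREEN
        fi
        SNORT_RUNNING=1
        # Field 4 of the process line after splitting on '-xx' option boundaries;
        # presumably the log directory argument — confirm against the snort
        # command line. Not read anywhere in this file.
        SNORT_LOG=$(${PSBINARY} | ${AWKBINARY} -F-.. '/snort/ {print $4}' | ${HEADBINARY} -1)
    else
        LogText "Result: Snort process not running"
    fi
fi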
#
#################################################################################
#
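# Test : TOOL-5122
# Description : Check for Snort configuration
#
# Derives the configuration file from the arguments of the running snort
# process; only meaningful when TOOL-5120 saw both the binary and a process.
# Outputs : SNORT_CONFIG, snort_config report entry, SNORT
Register --test-no TOOL-5122 --weight L --network NO --category security --description "Check Snort configuration file"
if [ "${SKIPTEST}" -eq 0 ]; then
    # Continue only if tooling is available and snort is running.
    # SNORT_FOUND and SNORT_RUNNING are initialised to 0 at the top of this
    # file, so a -n test on them is always true and was dropped.
    if [ ${SNORT_FOUND} -eq 1 ] && [ ${SNORT_RUNNING} -eq 1 ]; then
        # Field 3 of the process line after splitting on '-xx' option boundaries;
        # presumably the configuration file argument — confirm against the snort
        # command line
        SNORT_CONFIG=$(${PSBINARY} | ${AWKBINARY} -F-.. '/snort/ {print $3}' | ${HEADBINARY} -1)
        if HasData "${SNORT_CONFIG}"; then
            LogText "Result: found Snort configuration file: ${SNORT_CONFIG}"
            Report "snort_config=${SNORT_CONFIG}"
        else
            LogText "Result: could not determine Snort configuration file from process list"
        fi
        # Kept for compatibility (not read in this file). 'command -v' is POSIX
        # and prints nothing on stdout when the binary is missing.
        SNORT=$(command -v snort 2> /dev/null)
    fi
fi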
#
#################################################################################
#
# Test : TOOL-5126
# Description : Check for OSSEC
#
# NOTE(review): the header of this test read TOOL-5160 while Register uses
# TOOL-5126. The registered ID is what profiles and skip lists match on, so it
# is kept here; reconcile the two before changing either.
#
# Checks the server-side (ossec-analysisd) and client-side (ossec-agentd)
# daemons. Each active daemon marks IDS/IPS tooling as found and is reported
# both generically (ossec) and by daemon name.
# Outputs : IDS_IPS_TOOL_FOUND, ids_ips_tooling[] report entries
Register --test-no TOOL-5126 --weight L --network NO --category security --description "Check for active OSSEC daemon"
if [ "${SKIPTEST}" -eq 0 ]; then
    # Server side first, then client side
    for OSSEC_DAEMON in ossec-analysisd ossec-agentd; do
        case "${OSSEC_DAEMON}" in
            ossec-analysisd) OSSEC_ROLE="analysis" ;;
            ossec-agentd)    OSSEC_ROLE="agent" ;;
        esac
        if IsRunning "${OSSEC_DAEMON}"; then
            IDS_IPS_TOOL_FOUND=1
            Report "ids_ips_tooling[]=ossec"
            Report "ids_ips_tooling[]=${OSSEC_DAEMON}"
            LogText "Result: OSSEC ${OSSEC_ROLE} daemon is active"
            Display --indent 2 --text "- Checking presence of OSSEC (${OSSEC_ROLE})" --result "${STATUS_FOUND}" --color GREEN
        else
            LogText "Result: OSSEC ${OSSEC_ROLE} daemon not active"
        fi
    done
fi
#
#################################################################################
#
# Test : TOOL-5190
# Description : Check for an IDS/IPS tool
#
# Summary of the IDS/IPS checks above (Fail2ban, Snort, OSSEC). Awards
# AddHP 2 2 when any of them set IDS_IPS_TOOL_FOUND, AddHP 0 2 otherwise.
Register --test-no TOOL-5190 --weight L --network NO --category security --description "Check presence of IDS/IPS tool"
if [ "${SKIPTEST}" -eq 0 ]; then
    if [ ${IDS_IPS_TOOL_FOUND} -ne 1 ]; then
        Display --indent 2 --text "- Checking for IDS/IPS tooling" --result "${STATUS_NONE}" --color YELLOW
        #ReportSuggestion "${TEST_NO}" "Install and configure automated intrusion detection/prevention tools"
        AddHP 0 2
    else
        Display --indent 2 --text "- Checking for IDS/IPS tooling" --result "${STATUS_FOUND}" --color GREEN
        AddHP 2 2
    fi
fi
#
#################################################################################
#
# Backup tools
#
#################################################################################
#
# Netvault
# Rsync in cron
#
#################################################################################
#
# Summary value for the report: 1 if TOOL-5002 found any automation tooling
Report "automation_tool_present=${AUTOMATION_TOOL_FOUND}"
# End-of-section pause (behaviour defined outside this file)
WaitForKeyPress
#
#================================================================================
# Lynis - Security Auditing and System Hardening for Linux and UNIX - https://cisofy.com