2014-08-26 17:33:55 +02:00
#!/bin/sh
#################################################################################
#
# Lynis
# ------------------
#
2016-03-13 15:48:03 +01:00
# Copyright 2007-2013, Michael Boelen
# Copyright 2013-2016, CISOfy
#
# Website : https://cisofy.com
# Blog : http://linux-audit.com
# GitHub : https://github.com/CISOfy/lynis
2014-08-26 17:33:55 +02:00
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
# See LICENSE file for usage of this software.
#
#################################################################################
#
# Databases
#
#################################################################################
#
# Paths to DATADIR
sMYSQLDBPATHS="/var/lib/mysql"
# Paths to my.cnf
sMYCNFLOCS="/etc/mysql/my.cnf /usr/etc/my.cnf"
2016-08-11 19:56:33 +02:00
REDIS_CONFIGURATION=""
REDIS_CONFIGURATION_FOUND=0
2014-08-26 17:33:55 +02:00
#
#################################################################################
#
InsertSection "Databases"
# Test : DBS-1804
# Description : Check if MySQL is being used
2016-07-24 17:22:00 +02:00
Register --test-no DBS-1804 --weight L --network NO --category security --description "Checking active MySQL process"
2014-08-26 17:33:55 +02:00
if [ ${SKIPTEST} -eq 0 ]; then
FIND=`${PSBINARY} ax | egrep "mysqld|mysqld_safe" | grep -v "grep"`
if [ "${FIND}" = "" ]; then
2016-06-18 11:14:01 +02:00
if [ ${DEBUG} -eq 1 ]; then Display --indent 2 --text "- MySQL process status" --result "${STATUS_NOT_FOUND}" --color WHITE --debug; fi
2015-12-21 21:17:15 +01:00
LogText "Result: MySQL process not active"
2014-08-26 17:33:55 +02:00
else
2016-06-18 11:14:01 +02:00
Display --indent 2 --text "- MySQL process status" --result "${STATUS_FOUND}" --color GREEN
2015-12-21 21:17:15 +01:00
LogText "Result: MySQL is active"
2014-08-26 17:33:55 +02:00
MYSQL_RUNNING=1
2016-07-24 19:46:45 +02:00
DATABASE_ENGINE_RUNNING=1
2016-04-02 18:28:53 +02:00
Report "mysql_running=${MYSQL_RUNNING}"
2014-08-26 17:33:55 +02:00
fi
fi
#
#################################################################################
#
# Test : DBS-1808
# Description : Check MySQL data directory
2016-07-24 17:22:00 +02:00
#Register --test-no DBS-1808 --weight L --network NO --category security --description "Checking MySQL data directory"
2014-08-26 17:33:55 +02:00
#if [ ${SKIPTEST} -eq 0 ]; then
#fi
#
#################################################################################
#
# Test : DBS-1812
# Description : Check data directory permissions
2016-07-24 17:22:00 +02:00
#Register --test-no DBS-1812 --weight L --network NO --category security --description "Checking MySQL data directory permissions"
2014-08-26 17:33:55 +02:00
#if [ ${SKIPTEST} -eq 0 ]; then
#fi
#
#################################################################################
#
# Test : DBS-1816
# Description : Check empty MySQL root password
# Notes : Only perform test when MySQL is running and client is available
if [ ! "${MYSQLCLIENTBINARY}" = "" -a ${MYSQL_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
2016-07-24 17:22:00 +02:00
Register --test-no DBS-1816 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking MySQL root password"
2014-08-26 17:33:55 +02:00
if [ ${SKIPTEST} -eq 0 ]; then
2015-12-21 21:17:15 +01:00
LogText "Test: Trying to login to local MySQL server without password"
2014-09-15 12:01:09 +02:00
FIND=`${MYSQLCLIENTBINARY} -u root --password= --silent --batch --execute="" 2> /dev/null; echo $?`
if [ "${FIND}" = "0" ]; then
2015-12-21 21:17:15 +01:00
LogText "Result: Login succeeded, no MySQL root password set!"
2016-08-10 07:24:10 +02:00
ReportWarning ${TEST_NO} "No MySQL root password set"
2016-06-18 11:14:01 +02:00
Display --indent 4 --text "- Checking empty MySQL root password" --result "${STATUS_WARNING}" --color RED
2014-09-15 12:01:09 +02:00
AddHP 0 5
else
2015-12-21 21:17:15 +01:00
LogText "Result: Login did not succeed, so a MySQL root password is set"
2016-06-18 11:14:01 +02:00
Display --indent 4 --text "- Checking MySQL root password" --result "${STATUS_OK}" --color GREEN
2014-09-15 12:01:09 +02:00
AddHP 2 2
fi
2014-08-26 17:33:55 +02:00
else
2015-12-21 21:17:15 +01:00
LogText "Test skipped, MySQL daemon not running or no MySQL client available"
2014-08-26 17:33:55 +02:00
fi
#
#################################################################################
#
# Test : DBS-1826
# Description : Check if PostgreSQL is being used
2016-07-24 17:22:00 +02:00
Register --test-no DBS-1826 --weight L --network NO --category security --description "Checking active PostgreSQL processes"
2014-08-26 17:33:55 +02:00
if [ ${SKIPTEST} -eq 0 ]; then
2016-04-02 18:28:53 +02:00
if IsRunning "postgres:"; then
2016-06-18 11:14:01 +02:00
Display --indent 2 --text "- PostgreSQL processes status" --result "${STATUS_FOUND}" --color GREEN
2015-12-21 21:17:15 +01:00
LogText "Result: PostgreSQL is active"
2014-09-15 12:01:09 +02:00
POSTGRESQL_RUNNING=1
2016-07-24 19:46:45 +02:00
DATABASE_ENGINE_RUNNING=1
2016-04-02 18:28:53 +02:00
Report "postgresql_running=${POSTGRESQL_RUNNING}"
else
2016-06-18 11:14:01 +02:00
if [ ${DEBUG} -eq 1 ]; then Display --indent 2 --text "- PostgreSQL processes status" --result "${STATUS_NOT_FOUND}" --color WHITE --debug; fi
2016-04-02 18:28:53 +02:00
LogText "Result: PostgreSQL process not active"
2014-09-15 12:01:09 +02:00
fi
2014-08-26 17:33:55 +02:00
fi
#
#################################################################################
#
# Test : DBS-1840
# Description : Check if Oracle is being used
# Notes : tnslsnr: Oracle listener
# pmon: process monitor
# smon: system monitor
# dbwr: database writer
# lgwr: log writer
# arch: archiver (optional)
# ckpt: checkpoint (optional)
# reco: recovery (optional)
2016-07-24 17:22:00 +02:00
Register --test-no DBS-1840 --weight L --network NO --category security --description "Checking active Oracle processes"
2014-08-26 17:33:55 +02:00
if [ ${SKIPTEST} -eq 0 ]; then
FIND=`${PSBINARY} ax | egrep "ora_pmon|ora_smon|tnslsnr" | grep -v "grep"`
if [ "${FIND}" = "" ]; then
2016-06-18 11:14:01 +02:00
if [ ${DEBUG} -eq 1 ]; then Display --indent 2 --text "- Oracle processes status" --result "${STATUS_NOT_FOUND}" --color WHITE --debug; fi
2015-12-21 21:17:15 +01:00
LogText "Result: Oracle process(es) not active"
2014-08-26 17:33:55 +02:00
else
2016-06-18 11:14:01 +02:00
Display --indent 2 --text "- Oracle processes status" --result "${STATUS_FOUND}" --color GREEN
2015-12-21 21:17:15 +01:00
LogText "Result: Oracle is active"
2014-08-26 17:33:55 +02:00
ORACLE_RUNNING=1
2016-07-24 19:46:45 +02:00
DATABASE_ENGINE_RUNNING=1
2016-04-02 18:28:53 +02:00
Report "oracle_running=${ORACLE_RUNNING}"
2014-08-26 17:33:55 +02:00
fi
fi
#
#################################################################################
#
# Test : DBS-1842
# Description : Check Oracle home paths from oratab
2016-07-24 17:22:00 +02:00
#Register --test-no DBS-1842 --weight L --network NO --category security --description "Checking Oracle home paths"
2014-08-26 17:33:55 +02:00
#if [ ${SKIPTEST} -eq 0 ]; then
# if [ -f /etc/oratab ]; then
2015-10-10 13:25:14 +02:00
# FIND=`grep -v "#" /etc/oratab | awk -F: "{ print $2 }"`
2014-08-26 17:33:55 +02:00
# fi
#fi
#
#################################################################################
2016-04-02 00:38:20 +02:00
#
2016-04-02 17:18:49 +02:00
# Test : DBS-1860
2016-04-02 00:38:20 +02:00
# Description : Checks if a DB2 instance is currently runnigng
2016-07-24 17:22:00 +02:00
Register --test-no DBS-1860 --weight L --network NO --category security --description "Checking active DB2 instances"
2016-04-02 00:38:20 +02:00
if [ ${SKIPTEST} -eq 0 ]; then
2016-04-02 17:18:49 +02:00
if IsRunning db2sysc; then
2016-06-18 11:14:01 +02:00
Display --indent 2 --text "- DB2 instance running" --result "${STATUS_FOUND}" --color GREEN
2016-04-02 00:38:20 +02:00
LogText "Result: At least one DB2 instance is running"
DB2_RUNNING=1
2016-07-24 19:46:45 +02:00
DATABASE_ENGINE_RUNNING=1
2016-04-02 18:28:53 +02:00
Report "db2_running=${DB2_RUNNING}"
2016-04-02 17:18:49 +02:00
else
2016-06-18 11:14:01 +02:00
if [ ${DEBUG} -eq 1 ]; then Display --indent 2 --text "- DB2 instance running" --result "${STATUS_NOT_FOUND}" --color WHITE --debug; fi
2016-04-02 17:18:49 +02:00
LogText "Result: No DB2 instances are running"
2016-04-02 00:38:20 +02:00
fi
fi
#
#################################################################################
2016-07-24 19:46:45 +02:00
#
# Test : DBS-1880
# Description : Determine if redis is running
Register --test-no DBS-1880 --weight L --network NO --category security --description "Check for active Redis server"
if [ ${SKIPTEST} -eq 0 ]; then
if IsRunning redis-server; then
Display --indent 2 --text "- Redis (server) status" --result "${STATUS_FOUND}" --color GREEN
2016-08-11 19:56:33 +02:00
LogText "Result: Redis is running"
2016-07-24 19:46:45 +02:00
REDIS_RUNNING=1
DATABASE_ENGINE_RUNNING=1
2016-07-30 14:03:28 +02:00
Report "redis_running=${REDIS_RUNNING}"
else
2016-07-24 19:46:45 +02:00
if [ ${DEBUG} -eq 1 ]; then Display --indent 2 --text "- Redis (server) status" --result "${STATUS_NOT_FOUND}" --color WHITE --debug; fi
LogText "Result: No Redis processes are running"
fi
fi
#
#################################################################################
2016-08-11 19:56:33 +02:00
#
# Test : DBS-1882
# Description : Determine Redis configuration
if [ ${REDIS_RUNNING} -eq 1 ]; then PREQS_METS="YES"; else PREQS_MET="NO"; fi
Register --test-no DBS-1882 --weight L --network NO --preqs-met "${PREQS_MET}" --category security --description "Redis configuration file"
if [ ${SKIPTEST} -eq 0 ]; then
PATHS="${ROOTDIR}etc/redis ${ROOTDIR}usr/local/etc/redis"
FOUND=0
REDIS_CONFIGURATION=""
for DIR in ${PATHS}; do
if [ -f ${DIR}/redis.conf ]; then
REDIS_CONFIGURATION="${DIR}/redis.conf"
REDIS_CONFIGURATION_FOUND=1
LogText "Result: found configuration file (${REDIS_CONFIGURATION})"
else
LogText "Result: no redis.conf in ${DIR}"
fi
done
if [ ${REDIS_CONFIGURATION_FOUND} -eq 0 ]; then ReportException "${TEST_NO}" "Found Redis, but no configuration file. Report this if you know where it is located on your system."; fi
fi
#
#################################################################################
#
# Test : DBS-1884
# Description : Determine Redis configuration option: secureauth
if [ ${REDIS_RUNNING} -eq 1 -a ${REDIS_CONFIGURATION_FOUND} -eq 1 ]; then PREQS_METS="YES"; else PREQS_MET="NO"; fi
Register --test-no DBS-1884 --weight L --network NO --preqs-met "${PREQS_MET}" --category security --description "Redis: secureauth option configured"
if [ ${SKIPTEST} -eq 0 ]; then
if FileIsReadable ${REDIS_CONFIGURATION}; then
if SearchItem "^secureauth" "${REDIS_CONFIGURATION}" "--sensitive"; then
LogText "Result: found 'secureauth' configured"
AddHP 3 3
Display --indent 4 --text "- Redis (secureauth configured)" --result "${STATUS_FOUND}" --color GREEN
Report "redis_secureauth=1"
else
AddHP 0 3
Display --indent 4 --text "- Redis (secureauth configured)" --result "${STATUS_NOT_FOUND}" --color YELLOW
ReportSuggestion "${TEST_NO}" "Configure the 'secureauth' setting for Redis" "${REDIS_CONFIGURATION}" "solution:configure 'secureauth' setting"
Report "redis_secureauth=0"
fi
else
LogText "Result: test skipped, as we can't read configuration file"
fi
fi
#
#################################################################################
2016-07-24 19:46:45 +02:00
#
if [ ${DATABASE_ENGINE_RUNNING} -eq 0 ]; then
Display --indent 4 --text "No database engines found"
fi
#
#################################################################################
2014-08-26 17:33:55 +02:00
#
2016-04-28 12:31:57 +02:00
WaitForKeyPress
2014-08-26 17:33:55 +02:00
#
#================================================================================
2016-04-02 18:28:53 +02:00
# Lynis - Security Auditing and System Hardening for Linux and UNIX - https://cisofy.com
