lynis/include/tests_kernel

638 lines
34 KiB
Plaintext
Raw Normal View History

2014-08-26 17:33:55 +02:00
#!/bin/sh
#################################################################################
#
# Lynis
# ------------------
#
2016-03-13 16:00:39 +01:00
# Copyright 2007-2013, Michael Boelen
2018-01-11 09:50:26 +01:00
# Copyright 2007-2018, CISOfy
2016-03-13 16:00:39 +01:00
#
# Website : https://cisofy.com
# Blog : http://linux-audit.com
# GitHub : https://github.com/CISOfy/lynis
2014-08-26 17:33:55 +02:00
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
# See LICENSE file for usage of this software.
#
#################################################################################
#
# Kernel
#
#################################################################################
#
InsertSection "Kernel"
#
#################################################################################
#
CORE_DUMPS_DISABLED=0
CPU_PAE=0
CPU_NX=0
2014-09-19 02:23:07 +02:00
LINUXCONFIGFILE=""
LINUXCONFIGFILE_ZIPPED=0
2014-08-26 17:33:55 +02:00
#
#################################################################################
#
# Test : KRNL-5622
# Description : Check default run level on Linux machines
Register --test-no KRNL-5622 --os Linux --weight L --network NO --category security --description "Determine Linux default run level"
2014-08-26 17:33:55 +02:00
if [ ${SKIPTEST} -eq 0 ]; then
# Checking if we can find the systemd default target
LogText "Test: Checking for systemd default.target"
if [ -L ${ROOTDIR}etc/systemd/system/default.target ]; then
LogText "Result: symlink found"
2017-04-23 20:06:54 +02:00
if HasData "${READLINKBINARY}"; then
FIND=$(${READLINKBINARY} ${ROOTDIR}etc/systemd/system/default.target)
2017-04-23 20:06:54 +02:00
if ! HasData "${FIND}"; then
LogText "Exception: can't find the target of the symlink of /etc/systemd/system/default.target"
2014-08-26 17:33:55 +02:00
ReportException "${TEST_NO}:01"
2017-04-23 20:06:54 +02:00
else
FIND2=$(echo ${FIND} | ${EGREPBINARY} "runlevel5|graphical")
2017-04-23 20:06:54 +02:00
if HasData "${FIND2}"; then
LogText "Result: Found match on runlevel5/graphical"
2014-09-15 12:01:09 +02:00
Display --indent 2 --text "- Checking default runlevel" --result "runlevel 5" --color GREEN
Report "linux_default_runlevel=5"
2017-04-23 20:06:54 +02:00
else
LogText "Result: No match found on runlevel, defaulting to runlevel 3"
2014-09-15 12:01:09 +02:00
Display --indent 2 --text "- Checking default runlevel" --result "runlevel 3" --color GREEN
Report "linux_default_runlevel=3"
2014-08-26 17:33:55 +02:00
fi
fi
2017-04-23 20:06:54 +02:00
else
LogText "Result: No readlink binary, can't determine where symlink is pointing to"
Display --indent 2 --text "- Checking default run level" --result "${STATUS_UNKNOWN}" --color YELLOW
2014-08-26 17:33:55 +02:00
fi
2017-04-23 20:06:54 +02:00
else
LogText "Result: no systemd found, so trying inittab"
LogText "Test: Checking ${ROOTDIR}etc/inittab"
if [ -f ${ROOTDIR}etc/inittab ]; then
LogText "Result: file ${ROOTDIR}etc/inittab found"
LogText "Test: Checking default Linux run level"
2017-04-23 20:06:54 +02:00
FIND=$(${AWKBINARY} -F: '/^id/ { print $2; }' ${ROOTDIR}etc/inittab | head -n 1)
if IsEmpty "${FIND}"; then
Display --indent 2 --text "- Checking default runlevel" --result "${STATUS_UNKNOWN}" --color YELLOW
2017-04-23 20:06:54 +02:00
LogText "Result: Can't determine default run level from ${ROOTDIR}etc/inittab"
else
2014-09-15 12:01:09 +02:00
Display --indent 2 --text "- Checking default run level" --result "${FIND}" --color GREEN
LogText "Found default run level '${FIND}'"
Report "linux_default_runlevel=${FIND}"
2014-08-26 17:33:55 +02:00
fi
2017-04-23 20:06:54 +02:00
else
LogText "Result: file ${ROOTDIR}etc/inittab not found"
2014-08-26 17:33:55 +02:00
if [ "${LINUX_VERSION}" = "Debian" -o "${LINUX_VERSION}" = "Ubuntu" ]; then
LogText "Test: Checking run level with who -r, for Debian based systems"
FIND=$(who -r | ${AWKBINARY} '{ if ($1=="run-level") { print $2 } }')
2017-04-23 20:06:54 +02:00
if HasData "${FIND}"; then
LogText "Result: Found default run level '${FIND}'"
Report "linux_default_runlevel=${FIND}"
2014-09-15 12:01:09 +02:00
Display --indent 2 --text "- Checking default run level" --result "RUNLEVEL ${FIND}" --color GREEN
2017-04-23 20:06:54 +02:00
else
LogText "Result: Can't determine default run level from who -r"
Display --indent 2 --text "- Checking default run level" --result "${STATUS_UNKNOWN}" --color YELLOW
2014-09-15 12:01:09 +02:00
fi
fi
fi
2014-08-26 17:33:55 +02:00
fi
2014-09-15 12:01:09 +02:00
fi
2014-08-26 17:33:55 +02:00
#
#################################################################################
#
# Test : KRNL-5677
# Description : Check CPU options and support (PAE, No eXecute, eXecute Disable)
# More info : pae and nx bit are both visible on AMD and Intel CPU's if supported
Register --test-no KRNL-5677 --os Linux --weight L --network NO --category security --description "Check CPU options and support"
2014-08-26 17:33:55 +02:00
if [ ${SKIPTEST} -eq 0 ]; then
Display --indent 2 --text "- Checking CPU support (NX/PAE)"
LogText "Test: Checking /proc/cpuinfo"
2014-08-26 17:33:55 +02:00
if [ -f /proc/cpuinfo ]; then
LogText "Result: found /proc/cpuinfo"
LogText "Test: Checking CPU options (XD/NX/PAE)"
FIND_PAE_NX=$(${GREPBINARY} " pae " /proc/cpuinfo | ${GREPBINARY} " nx ")
FIND_PAE=$(${GREPBINARY} " pae " /proc/cpuinfo)
FIND_NX=$(${GREPBINARY} " nx " /proc/cpuinfo)
2014-08-26 17:33:55 +02:00
FOUND=0
2017-04-23 20:06:54 +02:00
if HasData "${FIND_PAE_NX}"; then
LogText "PAE: Yes"
LogText "NX: Yes"
2014-08-26 17:33:55 +02:00
CPU_PAE=1
CPU_NX=1
LogText "Result: PAE or No eXecute option(s) both found"
Report "cpu_pae=1"
Report "cpu_nx=1"
2014-08-26 17:33:55 +02:00
FOUND=1
2017-04-23 20:06:54 +02:00
else
if HasData "${FIND_PAE}" && IsEmpty "${FIND_NX}"; then
Report "cpu_pae=1"
LogText "Result: found PAE"
2014-08-26 17:33:55 +02:00
CPU_PAE=1
FOUND=1
2017-04-23 20:06:54 +02:00
else
if HasData "${FIND_NX}" && IsEmpty "${FIND_PAE}"; then
Report "cpu_nx=1"
LogText "Result: found No eXecute"
2014-08-26 17:33:55 +02:00
CPU_NX=1
FOUND=1
2017-04-23 20:06:54 +02:00
else
LogText "Result: found no CPU options enabled (PAE or NX bit)"
2014-08-26 17:33:55 +02:00
fi
fi
fi
if [ ${FOUND} -eq 1 ]; then
Display --indent 4 --text "CPU support: PAE and/or NoeXecute supported" --result "${STATUS_FOUND}" --color GREEN
2017-04-23 20:06:54 +02:00
else
Display --indent 4 --text "CPU support: No PAE or NoeXecute supported" --result "${STATUS_NONE}" --color YELLOW
2014-08-26 17:33:55 +02:00
ReportSuggestion ${TEST_NO} "Use a PAE enabled kernel when possible to gain native No eXecute/eXecute Disable support"
fi
2017-04-23 20:06:54 +02:00
else
Display --indent 4 --text "CPU support: no /proc/cpuinfo" --result "${STATUS_SKIPPED}" --color YELLOW
LogText "Result: /proc/cpuinfo not found"
2014-08-26 17:33:55 +02:00
fi
fi
#
#################################################################################
#
# Test : KRNL-5680
# Description : Check if installed kernel has PAE support
# Dependency : KRNL-5677
# More info : RedHat/CentOS/Fedora uses the package name 'kernel-PAE'
#
#################################################################################
#
# Test : KRNL-5695
# Description : Determining Linux kernel version and release number
Register --test-no KRNL-5695 --os Linux --weight L --network NO --category security --description "Determine Linux kernel version and release number"
2014-08-26 17:33:55 +02:00
if [ ${SKIPTEST} -eq 0 ]; then
# Kernel number (and suffix)
LINUX_KERNEL_RELEASE=$(uname -r)
Report "linux_kernel_release=${LINUX_KERNEL_RELEASE}"
LogText "Result: found kernel release ${LINUX_KERNEL_RELEASE}"
2014-08-26 17:33:55 +02:00
# Type and build date
LINUX_KERNEL_VERSION=$(uname -v)
Report "linux_kernel_version=${LINUX_KERNEL_VERSION}"
LogText "Result: found kernel version ${LINUX_KERNEL_VERSION}"
Display --indent 2 --text "- Checking kernel version and release" --result "${STATUS_DONE}" --color GREEN
2014-08-26 17:33:55 +02:00
fi
#
#################################################################################
#
# Test : KRNL-5723
# Description : Check if Linux is build as a monolithic kernel or not
Register --test-no KRNL-5723 --os Linux --weight L --network NO --category security --description "Determining if Linux kernel is monolithic"
2014-08-26 17:33:55 +02:00
if [ ${SKIPTEST} -eq 0 ]; then
2017-04-23 20:06:54 +02:00
if [ ! -z "${LSMODBINARY}" -a -f /proc/modules ]; then
LogText "Test: checking if kernel is monolithic or modular"
2014-08-26 17:33:55 +02:00
# Checking if any modules are loaded
FIND=$(${LSMODBINARY} | ${GREPBINARY} -v "^Module" | wc -l | ${TRBINARY} -s ' ' | ${TRBINARY} -d ' ')
Display --indent 2 --text "- Checking kernel type" --result "${STATUS_DONE}" --color GREEN
2014-08-26 17:33:55 +02:00
if [ "${FIND}" = "0" ]; then
LogText "Result: Found monolithic kernel"
Report "linux_kernel_type=monolithic"
2014-08-26 17:33:55 +02:00
MONOLITHIC_KERNEL=1
2017-04-23 20:06:54 +02:00
else
LogText "Result: Found modular kernel"
Report "linux_kernel_type=modular"
2014-08-26 17:33:55 +02:00
MONOLITHIC_KERNEL=0
fi
2017-04-23 20:06:54 +02:00
else
LogText "Test skipped, lsmod binary not found or /proc/modules can not be opened"
2014-08-26 17:33:55 +02:00
fi
fi
#
#################################################################################
#
# Test : KRNL-5726
# Description : Checking Linux loaded kernel modules
Register --test-no KRNL-5726 --os Linux --weight L --network NO --category security --description "Checking Linux loaded kernel modules"
2014-08-26 17:33:55 +02:00
if [ ${SKIPTEST} -eq 0 ]; then
2017-04-23 20:06:54 +02:00
if [ ! -z "${LSMODBINARY}" -a -f /proc/modules ]; then
FIND=$(${LSMODBINARY} | ${AWKBINARY} '{ if ($1!="Module") print $1 }' | sort)
Display --indent 2 --text "- Checking loaded kernel modules" --result "${STATUS_DONE}" --color GREEN
2017-04-23 20:06:54 +02:00
if HasData "${FIND}"; then
LogText "Loaded modules according lsmod:"
COUNT=0
for ITEM in ${FIND}; do
LogText "Loaded module: ${ITEM}"
Report "loaded_kernel_module[]=${ITEM}"
COUNT=$((COUNT + 1))
2014-08-26 17:33:55 +02:00
done
Display --indent 6 --text "Found ${COUNT} active modules"
2017-04-23 20:06:54 +02:00
else
LogText "Result: no loaded modules found"
LogText "Notice: No loaded kernel modules could indicate a broken/malformed lsmod, or a (custom) monolithic kernel"
2014-08-26 17:33:55 +02:00
fi
2017-04-23 20:06:54 +02:00
else
LogText "Test skipped, lsmod binary not found or /proc/modules can not be opened"
2014-08-26 17:33:55 +02:00
fi
fi
#
#################################################################################
#
# Test : KRNL-5728
# Description : Checking for available Linux kernel configuration file in /boot
Register --test-no KRNL-5728 --os Linux --weight L --network NO --category security --description "Checking Linux kernel config"
2014-08-26 17:33:55 +02:00
if [ ${SKIPTEST} -eq 0 ]; then
CHECKFILE="/boot/config-$(uname -r)"
2014-09-19 02:23:07 +02:00
if [ -f ${CHECKFILE} ]; then
LINUXCONFIGFILE="${CHECKFILE}"
LogText "Result: found config (${LINUXCONFIGFILE})"
Display --indent 2 --text "- Checking Linux kernel configuration file" --result "${STATUS_FOUND}" --color GREEN
2017-04-23 20:06:54 +02:00
elif [ -f /proc/config.gz ]; then
2014-09-19 02:23:07 +02:00
LINUXCONFIGFILE="${CHECKFILE}"
LINUXCONFIGFILE_ZIPPED=1
LogText "Result: found config: /proc/config.gz (compressed)"
Display --indent 2 --text "- Checking Linux kernel configuration file" --result "${STATUS_FOUND}" --color GREEN
2017-04-23 20:06:54 +02:00
else
LogText "Result: no Linux kernel configuration file found in /boot"
Display --indent 2 --text "- Checking Linux kernel configuration file" --result "${STATUS_NOT_FOUND}" --color WHITE
2014-08-26 17:33:55 +02:00
fi
2017-04-23 20:06:54 +02:00
if HasData "${LINUXCONFIGFILE}"; then
Report "linux_config_file=${LINUXCONFIGFILE}"
2014-09-19 02:23:07 +02:00
fi
2014-08-26 17:33:55 +02:00
fi
#
#################################################################################
#
# Test : KRNL-5730
# Description : Checking default I/O kernel scheduler
# Notes : This test could be extended with testing some of the specific devices like disks
# cat /sys/block/sda/queue/scheduler
2014-08-26 17:33:55 +02:00
PREQS_MET="NO"
2017-04-23 20:06:54 +02:00
if HasData "${LINUXCONFIGFILE}"; then
2014-08-26 17:33:55 +02:00
if [ -f ${LINUXCONFIGFILE} ]; then PREQS_MET="YES"; fi
fi
Register --test-no KRNL-5730 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking disk I/O kernel scheduler"
2014-08-26 17:33:55 +02:00
if [ ${SKIPTEST} -eq 0 ]; then
2014-09-19 02:23:07 +02:00
if [ ${LINUXCONFIGFILE_ZIPPED} -eq 1 ]; then GREPTOOL="${ZGREPBINARY}"; else GREPTOOL="${GREPBINARY}"; fi
if [ ! "${GREPTOOL}" = "" ]; then
LogText "Test: Checking the default I/O kernel scheduler"
LINUX_KERNEL_IOSCHED=$(${GREPTOOL} "CONFIG_DEFAULT_IOSCHED" ${LINUXCONFIGFILE} | ${AWKBINARY} -F= '{ print $2 }' | ${SEDBINARY} s/\"//g)
2014-09-19 02:23:07 +02:00
if [ ! "${LINUX_KERNEL_IOSCHED}" = "" ]; then
LogText "Result: found IO scheduler '${LINUX_KERNEL_IOSCHED}'"
Display --indent 2 --text "- Checking default I/O kernel scheduler" --result "${STATUS_FOUND}" --color GREEN
Report "linux_kernel_io_scheduler[]=${LINUX_KERNEL_IOSCHED}"
2017-04-23 20:06:54 +02:00
else
LogText "Result: no default i/o kernel scheduler found"
Display --indent 2 --text "- Checking default I/O kernel scheduler" --result "${STATUS_NOT_FOUND}" --color WHITE
2014-09-19 02:23:07 +02:00
fi
2017-04-23 20:06:54 +02:00
else
2016-08-25 15:31:33 +02:00
ReportException "${TEST_NO}" "No valid ${GREPBINARY} tool found to search kernel settings"
2014-08-26 17:33:55 +02:00
fi
fi
#
#################################################################################
#
# Test : KRNL-5745
# Description : Checking FreeBSD loaded kernel modules
Register --test-no KRNL-5745 --os FreeBSD --weight L --network NO --category security --description "Checking FreeBSD loaded kernel modules"
if [ ${SKIPTEST} -eq 0 ]; then
Display --indent 2 --text "- Checking active kernel modules"
LogText "Test: Active kernel modules (KLDs)"
LogText "Description: View all active kernel modules (including kernel)"
LogText "Test: Checking modules"
if [ -f /sbin/kldstat ]; then
FIND=$(kldstat | ${GREPBINARY} -v 'Name' | ${TRBINARY} -s ' ' | ${CUTBINARY} -d ' ' -f6)
if [ $? -eq 0 ]; then
LogText "Loaded modules according kldstat:"
COUNT=0
for ITEM in ${FIND}; do
LogText "Loaded module: ${ITEM}"
Report "loaded_kernel_module[]=${ITEM}"
COUNT=$((COUNT + 1))
done
Display --indent 4 --text "Found ${COUNT} kernel modules" --result "${STATUS_DONE}" --color GREEN
2017-04-23 20:06:54 +02:00
else
Display --indent 4 --text "Test failed" --result "${STATUS_WARNING}" --color RED
LogText "Result: Problem with executing kldstat"
fi
2017-04-23 20:06:54 +02:00
else
LogText "Result: no results, can't find /sbin/kldstat"
fi
fi
#
#################################################################################
#
# Test : KRNL-5831
# Description : Checking DragonFly loaded kernel modules
Register --test-no KRNL-5831 --os DragonFly --weight L --network NO --category security --description "Checking DragonFly loaded kernel modules"
2014-08-26 17:33:55 +02:00
if [ ${SKIPTEST} -eq 0 ]; then
2014-09-15 12:01:09 +02:00
Display --indent 2 --text "- Checking active kernel modules"
LogText "Test: Active kernel modules (KLDs)"
LogText "Description: View all active kernel modules (including kernel)"
LogText "Test: Checking modules"
if [ -f ${ROOTDIR}sbin/kldstat ]; then
FIND=$(${ROOTDIR}sbin/kldstat | ${GREPBINARY} -v 'Name' | ${TRBINARY} -s ' ' | ${CUTBINARY} -d ' ' -f6)
2014-08-26 17:33:55 +02:00
if [ $? -eq 0 ]; then
LogText "Loaded modules according kldstat:"
COUNT=0
for ITEM in ${FIND}; do
LogText "Loaded module: ${ITEM}"
Report "loaded_kernel_module[]=${ITEM}"
COUNT=$((COUNT + 1))
2014-08-26 17:33:55 +02:00
done
Display --indent 4 --text "Found ${COUNT} kernel modules" --result "${STATUS_DONE}" --color GREEN
2017-04-23 20:06:54 +02:00
else
Display --indent 4 --text "Test failed" --result "${STATUS_WARNING}" --color RED
LogText "Result: Problem with executing kldstat"
2014-08-26 17:33:55 +02:00
fi
2017-04-23 20:06:54 +02:00
else
2014-08-26 17:33:55 +02:00
echo "[ ${WHITE}SKIPPED${NORMAL} ]"
LogText "Result: no results, can NOT find ${ROOTDIR}sbin/kldstat"
2014-08-26 17:33:55 +02:00
fi
fi
#
#################################################################################
#
# Test : KRNL-5770
# Description : Checking Solaris load modules
Register --test-no KRNL-5770 --os Solaris --weight L --network NO --category security --description "Checking active kernel modules"
2014-08-26 17:33:55 +02:00
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: searching loaded kernel modules"
A bunch of Solaris compatibility tweaks (#367) * Work around Solaris' /bin/sh not being POSIX. If /usr/xpg4/bin/sh is present, we are (definitely?) on Solaris or a derivative, and /bin/sh cannot be trusted to support POSIX, but /usr/xpg4/bin/sh can be. Exec it right away. * Work around Solaris 'which' command oddity. Solaris' (at least) 'which' command outputs not-found errors to STDOUT instead of STDERR. This makes "did we get any output from which" checks insufficient; piping to grep -v the "no foo in ..." message should work. Note that this patch set includes all such uses of which that I could find, including ones that should never be reached on Solaris (i.e. only executed on some other OS) just for consistency. * Improved alternate-sh exec to avoid looping. * Solaris' /usr/ucb/echo supports -n. * Check for the best hash type that openssl supports. When using openssl to generate hashes, do not assume it supports sha256; try that, then sha1, then give up and use md5. * Solaris does not support sed -i; use a tempfile. * Use the full path for modinfo. When running as non-root, /usr/sbin/ might not be in PATH. include/tests_accounting already calls modinfo by full path, but include/tests_kernel did not. * Solaris find does not support -maxdepth. This mirrors the logic already in tests_homedirs. * Use PSBINARY instead of ps. * Work around Solaris' date not supporting +%s. Printing nawk's srand value is a bizarre but apparently once popular workaround for there being no normal userland command to print UNIX epoch seconds. A perl one-liner is the other common approach, but nawk may be more reliably present on Solaris than perl. * Revert to using sha1 for HOSTID. * Whitespace cleanup for openssl hash tests.
2017-03-08 17:24:24 +01:00
FIND=$(/usr/sbin/modinfo -c -w | ${GREPBINARY} -v "UNLOADED" | ${GREPBINARY} LOADED | ${AWKBINARY} '{ print $3 }' | sort)
2017-04-23 20:06:54 +02:00
if HasData "${FIND}"; then
for ITEM in ${FIND}; do
LogText "Found module: ${ITEM}"
Report "loaded_kernel_module[]=${ITEM}"
2014-08-26 17:33:55 +02:00
done
Display --indent 2 --text "- Checking Solaris active kernel modules" --result "${STATUS_DONE}" --color GREEN
2017-04-23 20:06:54 +02:00
else
LogText "Result: no output"
Display --indent 2 --text "- Checking Solaris active kernel modules" --result "${STATUS_UNKNOWN}" --color YELLOW
2014-08-26 17:33:55 +02:00
fi
fi
#
#################################################################################
#
# Test : KRNL-5788
# Description : Checking availability new kernel
if [ "${LINUX_VERSION}" = "Debian" -o "${LINUX_VERSION}" = "Ubuntu" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no KRNL-5788 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking availability new Linux kernel"
2014-08-26 17:33:55 +02:00
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Searching apt-cache, to determine if a newer kernel is available"
if [ -x ${ROOTDIR}usr/bin/apt-cache ]; then
LogText "Result: found ${ROOTDIR}usr/bin/apt-cache"
LogText "Test: checking readlink location of ${ROOTDIR}vmlinuz"
if [ -f ${ROOTDIR}vmlinuz ]; then
FINDKERNFILE=$(readlink -f ${ROOTDIR}vmlinuz)
LogText "Output: readlink reported file ${FINDKERNFILE}"
LogText "Test: checking package from dpkg -S"
FINDKERNEL=$(dpkg -S ${FINDKERNFILE} 2> /dev/null | ${AWKBINARY} -F : '{print $1}')
LogText "Output: dpkg -S reported package ${FINDKERNEL}"
elif [ -e ${ROOTDIR}dev/grsec ]; then
FINDKERNEL=linux-image-$(uname -r)
LogText "Result: ${ROOTDIR}vmlinuz missing due to grsecurity; assuming ${FINDKERNEL}"
else
LogText "This system is missing ${ROOTDIR}vmlinuz. Unable to check whether kernel is up-to-date."
ReportSuggestion ${TEST_NO} "Determine why ${ROOTDIR}vmlinuz is missing on this Debian/Ubuntu system." "/vmlinuz"
fi
LogText "Test: Using apt-cache policy to determine if there is an update available"
FINDINST=$(apt-cache policy ${FINDKERNEL} | ${EGREPBINARY} 'Installed' | ${CUTBINARY} -d ':' -f2 | ${TRBINARY} -d ' ')
FINDCAND=$(apt-cache policy ${FINDKERNEL} | ${EGREPBINARY} 'Candidate' | ${CUTBINARY} -d ':' -f2 | ${TRBINARY} -d ' ')
LogText "Kernel installed: ${FINDINST}"
LogText "Kernel candidate: ${FINDCAND}"
2017-04-23 20:06:54 +02:00
if IsEmpty "${FINDINST}"; then
Display --indent 2 --text "- Checking for available kernel update" --result "${STATUS_UNKNOWN}" --color YELLOW
LogText "Result: Exception occurred, no output from apt-cache policy"
2014-08-26 17:33:55 +02:00
ReportException "${TEST_NO}:01"
LogText "Exception: apt-cache policy did not return an installed kernel version"
2014-08-26 17:33:55 +02:00
ReportSuggestion ${TEST_NO} "Check the output of apt-cache policy manually to determine why output is empty"
else
2014-08-26 17:33:55 +02:00
if [ "${FINDINST}" = "${FINDCAND}" ]; then
if [ -e /dev/grsec ]; then
Display --indent 2 --text "- Checking for available kernel update" --result GRSEC --color GREEN
LogText "Result: Grsecurity is installed; unable to determine if there's a newer kernel available"
ReportManual "Manually check to confirm you're using a recent kernel and grsecurity patch"
else
Display --indent 2 --text "- Checking for available kernel update" --result "${STATUS_OK}" --color GREEN
LogText "Result: no kernel update available"
fi
else
2014-09-15 12:01:09 +02:00
Display --indent 2 --text "- Checking for available kernel update" --result "UPDATE AVAILABLE" --color YELLOW
LogText "Result: kernel update available according 'apt-cache policy'."
2014-08-26 17:33:55 +02:00
ReportSuggestion ${TEST_NO} "Determine priority for available kernel update"
fi
fi
2017-04-23 20:06:54 +02:00
else
LogText "Result: could NOT find /usr/bin/apt-cache, skipped other tests."
2014-08-26 17:33:55 +02:00
fi
fi
#
#################################################################################
#
# Test : KRNL-5820
# Description : Checking core dumps configuration (Linux)
Register --test-no KRNL-5820 --os Linux --weight L --network NO --category security --description "Checking core dumps configuration"
2014-08-26 17:33:55 +02:00
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking presence /etc/security/limits.conf"
2014-08-26 17:33:55 +02:00
if [ -f /etc/security/limits.conf ]; then
LogText "Result: file /etc/security/limits.conf exists"
LogText "Test: Checking if core dumps are disabled in /etc/security/limits.conf"
FIND1=$(${GREPBINARY} -v "^#" /etc/security/limits.conf | ${GREPBINARY} -v "^$" | ${AWKBINARY} '{ if ($1=="*" && $2=="soft" && $3=="core" && $4=="1") { print "soft core enabled" } }')
FIND2=$(${GREPBINARY} -v "^#" /etc/security/limits.conf | ${GREPBINARY} -v "^$" | ${AWKBINARY} '{ if ($1=="*" && $2=="hard" && $3=="core" && $4=="1") { print "hard core enabled" } }')
2014-08-26 17:33:55 +02:00
if [ "${FIND1}" = "soft core enabled" -o "${FIND2}" = "hard core enabled" ]; then
LogText "Result: core dumps (soft or hard) are enabled"
Display --indent 2 --text "- Checking core dumps configuration" --result "${STATUS_ENABLED}" --color YELLOW
ReportSuggestion "${TEST_NO}" "Check if core dumps need to be enabled on this system"
2014-08-26 17:33:55 +02:00
AddHP 1 2
else
LogText "Result: core dumps (soft and hard) are both disabled"
Display --indent 2 --text "- Checking core dumps configuration" --result "${STATUS_DISABLED}" --color GREEN
2014-08-26 17:33:55 +02:00
CORE_DUMPS_DISABLED=1
AddHP 3 3
fi
# Sysctl option
LogText "Test: Checking sysctl value of fs.suid_dumpable"
FIND=$(${SYSCTLBINARY} fs.suid_dumpable 2> /dev/null | ${AWKBINARY} '{ if ($1=="fs.suid_dumpable") { print $3 } }')
if [ -z "${FIND}" ]; then
LogText "Result: sysctl key fs.suid_dumpable not found"
else
LogText "Result: value ${FIND} found"
2014-08-26 17:33:55 +02:00
fi
if [ "${FIND}" = "2" ]; then
LogText "Result: programs can dump core dump, but only readable by root (value 2, for debugging with file protection)"
2014-09-15 12:01:09 +02:00
Display --indent 4 --text "- Checking setuid core dumps configuration" --result PROTECTED --color GREEN
2014-08-26 17:33:55 +02:00
AddHP 1 1
elif [ "${FIND}" = "1" ]; then
LogText "Result: all programs can perform core dumps (value 1, for debugging)"
2014-09-15 12:01:09 +02:00
Display --indent 2 --text "- Checking setuid core dumps configuration" --result DEBUG --color YELLOW
ReportSuggestion "${TEST_NO}" "Determine if all binaries need to be able to core dump"
2014-08-26 17:33:55 +02:00
AddHP 0 1
else
LogText "Result: found default option, some programs can dump (not processes which need to change credentials)"
2014-09-15 12:01:09 +02:00
Display --indent 4 --text "- Checking setuid core dumps configuration" --result DEFAULT --color YELLOW
2014-08-26 17:33:55 +02:00
AddHP 1 1
fi
2017-04-23 20:06:54 +02:00
else
LogText "Result: file /etc/security/limits.conf does not exist, skipping test"
2014-08-26 17:33:55 +02:00
fi
# TODO: Check ulimit settings in /etc/profile and /etc/profile.d
2014-08-26 17:33:55 +02:00
fi
#
#################################################################################
#
# Test : KRNL-5826
# Description : Checking core dumps configuration (Solaris)
#Register --test-no KRNL-5826 --os Linux --weight L --network NO --category security --description "Checking core dumps configuration"
2014-08-26 17:33:55 +02:00
#if [ ${SKIPTEST} -eq 0 ]; then
#
#################################################################################
#
# Test : KRNL-5830
# Description : Check if system needs a reboot (Linux only)
Register --test-no KRNL-5830 --os Linux --weight L --network NO --category security --description "Checking if system is running on the latest installed kernel"
2014-08-26 17:33:55 +02:00
if [ ${SKIPTEST} -eq 0 ]; then
REBOOT_NEEDED=2
2016-09-10 16:12:44 +02:00
FILE="${ROOTDIR}var/run/reboot-required.pkgs"
LogText "Test: Checking presence ${FILE}"
2014-08-26 17:33:55 +02:00
if [ -f ${FILE} ]; then
LogText "Result: file ${FILE} exists"
2016-09-10 16:12:44 +02:00
FIND=$(${WCBINARY} -l < ${FILE})
if [ "${FIND}" = "0" ]; then
LogText "Result: No reboot needed (file empty)"
REBOOT_NEEDED=0
else
2016-09-10 16:12:44 +02:00
PKGSCOUNT=$(${WCBINARY} -l < ${FILE})
LogText "Result: reboot is needed, related to ${PKGSCOUNT} packages"
2014-08-26 17:33:55 +02:00
for I in ${FIND}; do
LogText "Package: ${I}"
2014-08-26 17:33:55 +02:00
done
REBOOT_NEEDED=1
2014-08-26 17:33:55 +02:00
fi
else
LogText "Result: file ${FILE} not found"
fi
# Check if /boot exists
2016-09-10 16:12:44 +02:00
if [ -d ${ROOTDIR}boot ]; then
LogText "Result: /boot exists, performing more tests from here"
2016-09-10 16:12:44 +02:00
FIND=$(${LSBINARY} ${ROOTDIR}boot/* 2> /dev/null)
if [ ! -z "${FIND}" ]; then
if [ -f ${ROOTDIR}boot/vmlinuz -a ! -L ${ROOTDIR}boot/vmlinuz ]; then
LogText "Result: found /boot/vmlinuz (not symlinked)"
NEXTLINE=0
FINDVERSION=""
2016-09-10 16:12:44 +02:00
for I in $(file ${ROOTDIR}boot/vmlinuz-linux); do
if [ ${NEXTLINE} -eq 1 ]; then
FINDVERSION="${I}"
else
# Searching for the Linux kernel after the keyword 'version'
if [ "${I}" = "version" ]; then NEXTLINE=1; fi
fi
done
2016-09-10 16:12:44 +02:00
if [ ! -z "${FINDVERSION}" ]; then
CURRENT_KERNEL=$(uname -r)
if [ ! "${CURRENT_KERNEL}" = "${FINDVERSION}" ]; then
LogText "Result: reboot needed, as current kernel is different than the one loaded"
REBOOT_NEEDED=1
fi
else
ReportException "${TEST_NO}:1" "Can't determine kernel version on disk, need debug data"
fi
2016-09-10 16:12:44 +02:00
elif [ -f ${ROOTDIR}boot/vmlinuz-linux ]; then
LogText "Result: /found /boot/vmlinuz-linux (usually Arch Linux or similar)"
LogText "Test: checking kernel version on disk"
2016-09-10 16:12:44 +02:00
VERSION_ON_DISK=$(${FILEBINARY} -b ${ROOTDIR}boot/vmlinuz-linux | ${AWKBINARY} '{ if ($1=="Linux" && $7=="version") { print $8 }}')
if [ ! -z "${VERSION_ON_DISK}" ]; then
LogText "Result: found version ${VERSION_ON_DISK}"
2016-11-20 16:23:17 +01:00
ACTIVE_KERNEL=$(uname -r)
LogText "Result: active kernel version ${ACTIVE_KERNEL}"
if [ "${VERSION_ON_DISK}" = "${ACTIVE_KERNEL}" ]; then
REBOOT_NEEDED=0
LogText "Result: no reboot needed, active kernel is the same version as the one on disk"
else
REBOOT_NEEDED=1
LogText "Result: reboot needed, as there is a difference between active kernel and the one on disk"
fi
else
LogText "Result: could not find the version on disk"
ReportException "${TEST_NO}:4" "Could not find the kernel version from /boot/vmlinux-linux"
fi
else
2016-09-10 16:12:44 +02:00
if [ -L ${ROOTDIR}boot/vmlinuz ]; then
LogText "Result: found symlink of ${ROOTDIR}boot/vmlinuz, skipping file"
else
2016-09-10 16:12:44 +02:00
LogText "Result: ${ROOTDIR}boot/vmlinuz not on disk, trying to find ${ROOTDIR}boot/vmlinuz*"
fi
2016-08-25 15:31:33 +02:00
# Extra current kernel version and replace dashes to allow numeric ${SORTBINARY} later on
2016-09-10 16:12:44 +02:00
MYKERNEL=$(${UNAMEBINARY} -r | ${SEDBINARY} 's/\.[a-z].*.//g' | ${SEDBINARY} 's/-[a-z].*.//g' | ${SEDBINARY} 's/-/./g')
LogText "Result: using ${MYKERNEL} as my kernel version (stripped)"
2016-09-10 16:12:44 +02:00
FIND=$(ls ${ROOTDIR}boot/vmlinuz* 2> /dev/null)
if [ ! -z "${FIND}" ]; then
Lots of cleanups (#366) * Description fix: SafePerms works on files not dirs. All uses of SafePerms are on files (and indeed, it would reject directories which would have +x set). * Lots of whitespace cleanups. Enforce everywhere(?) the same indentations for if/fi blocks. The standard for the Lynis codebase is 4 spaces. But sometimes it's 1, sometimes 3, sometimes 8. These patches standardize all(?) if blocks but _not_ else's (which are usually indented 2, but sometimes zero); I was too lazy to identify those (see below). This diff is giant, but should not change code behavior at all; diff -w shows no changes apart from whitespace. FWIW I identified instances to check by using: perl -ne 'if ($oldfile ne $ARGV) { $.=1; $oldfile=$ARGV; }; chomp; if ($spaces) { next unless /^( *)([^ ]+)/; $newspaces=length($1); $firsttok = $2; next unless defined($firsttok); $offset = ($firsttok eq "elif" ? 0 : 4); if ($newspaces != $spaces + $offset) { print "$ARGV:$ifline\n$ARGV:$.:$_\n\n" }; $ifline=""; $spaces=""; } if (/^( *)if (?!.*[; ]fi)/) { $ifline = "$.:$_"; $spaces = length($1); }' $(find . -type f -print0 | xargs -0 file | egrep shell | cut -d: -f1) Which produced output like: ./extras/build-lynis.sh:217: if [ ${VERSION_IN_SPECFILE} = "" -o ! "${VERSION_IN_SPECFILE}" = "${LYNIS_VERSION}" ]; then ./extras/build-lynis.sh:218: echo "[X] Version in specfile is outdated" ./plugins/plugin_pam_phase1:69: if [ -d ${PAM_DIRECTORY} ]; then ./plugins/plugin_pam_phase1:70: LogText "Result: /etc/pam.d exists" ...There's probably formal shellscript-beautification tools that I'm oblivious about. * More whitespace standardization. * Fix a syntax error. This looks like an if [ foo -o bar ]; was converted to if .. elif, but incompletely. * Add whitespace before closing ]. Without it, the shell thinks the ] is part of the last string, and emits warnings like: .../lynis/include/tests_authentication: line 1028: [: missing `]'
2017-03-07 20:23:08 +01:00
for ITEM in ${FIND}; do
LogText "Result: found ${ITEM}"
done
# Display kernels, extract version numbers and ${SORTBINARY} them numeric per column (up to 6 numbers)
# Ignore rescue images. Remove generic. and huge. for Slackware machines
LogText "Action: checking relevant kernels"
KERNELS=$(${LSBINARY} /boot/vmlinuz* | ${GREPBINARY} -v rescue | ${SEDBINARY} 's/vmlinuz-//' | ${SEDBINARY} 's/generic.//' | ${SEDBINARY} 's/huge.//' | ${SEDBINARY} 's/\.[a-z].*.//g' | ${SEDBINARY} 's/-[a-z].*.//g' | ${SEDBINARY} 's./boot/..' | ${SEDBINARY} 's/-/./g' | ${SORTBINARY} -n -k1,1 -k2,2 -k3,3 -k4,4 -k5,5 -k6,6 -t \.)
KERNELS_ONE_LINE=$(echo ${KERNELS} | ${TRBINARY} '\n' ' ')
LogText "Output: ${KERNELS_ONE_LINE}"
2016-09-10 16:12:44 +02:00
elif [ ! "$(ls ${ROOTDIR}boot/kernel* 2> /dev/null)" = "" ]; then
Lots of cleanups (#366) * Description fix: SafePerms works on files not dirs. All uses of SafePerms are on files (and indeed, it would reject directories which would have +x set). * Lots of whitespace cleanups. Enforce everywhere(?) the same indentations for if/fi blocks. The standard for the Lynis codebase is 4 spaces. But sometimes it's 1, sometimes 3, sometimes 8. These patches standardize all(?) if blocks but _not_ else's (which are usually indented 2, but sometimes zero); I was too lazy to identify those (see below). This diff is giant, but should not change code behavior at all; diff -w shows no changes apart from whitespace. FWIW I identified instances to check by using: perl -ne 'if ($oldfile ne $ARGV) { $.=1; $oldfile=$ARGV; }; chomp; if ($spaces) { next unless /^( *)([^ ]+)/; $newspaces=length($1); $firsttok = $2; next unless defined($firsttok); $offset = ($firsttok eq "elif" ? 0 : 4); if ($newspaces != $spaces + $offset) { print "$ARGV:$ifline\n$ARGV:$.:$_\n\n" }; $ifline=""; $spaces=""; } if (/^( *)if (?!.*[; ]fi)/) { $ifline = "$.:$_"; $spaces = length($1); }' $(find . -type f -print0 | xargs -0 file | egrep shell | cut -d: -f1) Which produced output like: ./extras/build-lynis.sh:217: if [ ${VERSION_IN_SPECFILE} = "" -o ! "${VERSION_IN_SPECFILE}" = "${LYNIS_VERSION}" ]; then ./extras/build-lynis.sh:218: echo "[X] Version in specfile is outdated" ./plugins/plugin_pam_phase1:69: if [ -d ${PAM_DIRECTORY} ]; then ./plugins/plugin_pam_phase1:70: LogText "Result: /etc/pam.d exists" ...There's probably formal shellscript-beautification tools that I'm oblivious about. * More whitespace standardization. * Fix a syntax error. This looks like an if [ foo -o bar ]; was converted to if .. elif, but incompletely. * Add whitespace before closing ]. Without it, the shell thinks the ] is part of the last string, and emits warnings like: .../lynis/include/tests_authentication: line 1028: [: missing `]'
2017-03-07 20:23:08 +01:00
LogText "Output: Found a kernel file in ${ROOTDIR}boot"
# Display kernels, extract version numbers and ${SORTBINARY} them numeric per column (up to 6 numbers)
# Examples:
# /boot/kernel-genkernel-x86_64-3.14.14-gentoo
KERNELS=$(${LSBINARY} ${ROOTDIR}boot/kernel* | ${AWKBINARY} -F- '{ if ($2=="genkernel") { print $4 }}' | ${GREPBINARY} "^[0-9]" | ${SORTBINARY} -n -k1,1 -k2,2 -k3,3 -k4,4 -k5,5 -k6,6 -t \.)
if [ ! -z "${KERNELS}" ]; then LogText "Output: ${KERNELS}"; fi
else
ReportException "${TEST_NO}:2" "Can not find any vmlinuz or kernel files in /boot, which is unexpected"
fi
2016-09-10 16:12:44 +02:00
if [ ! -z "${KERNELS}" ]; then
Lots of cleanups (#366) * Description fix: SafePerms works on files not dirs. All uses of SafePerms are on files (and indeed, it would reject directories which would have +x set). * Lots of whitespace cleanups. Enforce everywhere(?) the same indentations for if/fi blocks. The standard for the Lynis codebase is 4 spaces. But sometimes it's 1, sometimes 3, sometimes 8. These patches standardize all(?) if blocks but _not_ else's (which are usually indented 2, but sometimes zero); I was too lazy to identify those (see below). This diff is giant, but should not change code behavior at all; diff -w shows no changes apart from whitespace. FWIW I identified instances to check by using: perl -ne 'if ($oldfile ne $ARGV) { $.=1; $oldfile=$ARGV; }; chomp; if ($spaces) { next unless /^( *)([^ ]+)/; $newspaces=length($1); $firsttok = $2; next unless defined($firsttok); $offset = ($firsttok eq "elif" ? 0 : 4); if ($newspaces != $spaces + $offset) { print "$ARGV:$ifline\n$ARGV:$.:$_\n\n" }; $ifline=""; $spaces=""; } if (/^( *)if (?!.*[; ]fi)/) { $ifline = "$.:$_"; $spaces = length($1); }' $(find . -type f -print0 | xargs -0 file | egrep shell | cut -d: -f1) Which produced output like: ./extras/build-lynis.sh:217: if [ ${VERSION_IN_SPECFILE} = "" -o ! "${VERSION_IN_SPECFILE}" = "${LYNIS_VERSION}" ]; then ./extras/build-lynis.sh:218: echo "[X] Version in specfile is outdated" ./plugins/plugin_pam_phase1:69: if [ -d ${PAM_DIRECTORY} ]; then ./plugins/plugin_pam_phase1:70: LogText "Result: /etc/pam.d exists" ...There's probably formal shellscript-beautification tools that I'm oblivious about. * More whitespace standardization. * Fix a syntax error. This looks like an if [ foo -o bar ]; was converted to if .. elif, but incompletely. * Add whitespace before closing ]. Without it, the shell thinks the ] is part of the last string, and emits warnings like: .../lynis/include/tests_authentication: line 1028: [: missing `]'
2017-03-07 20:23:08 +01:00
FOUND_KERNEL=0
for I in ${KERNELS}; do
# Check if we already found a kernel and it is not equal to what we run (e.g. double versions may exist)
if [ ${FOUND_KERNEL} -eq 1 -a ! "${MYKERNEL}" = "${I}" ]; then
LogText "Result: found a kernel (${I}) later than running one (${MYKERNEL})"
REBOOT_NEEDED=1
fi
if [ "${MYKERNEL}" = "${I}" ]; then
FOUND_KERNEL=1
LogText "Result: Found ${I} (= our kernel)"
else
LogText "Result: Found ${I}"
fi
done
# Check if we at least found the kernel on disk
if [ ${FOUND_KERNEL} -eq 0 ]; then
ReportException "${TEST_NO}:3" "Could not find our running kernel on disk, which is unexpected"
else
# If we are not sure yet reboot it needed, but we found running kernel as last one on disk, we run latest kernel
if [ ${REBOOT_NEEDED} -eq 2 ]; then
LogText "Result: we found our kernel on disk as last entry, so seems to be up-to-date"
REBOOT_NEEDED=0
fi
fi
fi
fi
# No files in /boot
else
Lots of cleanups (#366) * Description fix: SafePerms works on files not dirs. All uses of SafePerms are on files (and indeed, it would reject directories which would have +x set). * Lots of whitespace cleanups. Enforce everywhere(?) the same indentations for if/fi blocks. The standard for the Lynis codebase is 4 spaces. But sometimes it's 1, sometimes 3, sometimes 8. These patches standardize all(?) if blocks but _not_ else's (which are usually indented 2, but sometimes zero); I was too lazy to identify those (see below). This diff is giant, but should not change code behavior at all; diff -w shows no changes apart from whitespace. FWIW I identified instances to check by using: perl -ne 'if ($oldfile ne $ARGV) { $.=1; $oldfile=$ARGV; }; chomp; if ($spaces) { next unless /^( *)([^ ]+)/; $newspaces=length($1); $firsttok = $2; next unless defined($firsttok); $offset = ($firsttok eq "elif" ? 0 : 4); if ($newspaces != $spaces + $offset) { print "$ARGV:$ifline\n$ARGV:$.:$_\n\n" }; $ifline=""; $spaces=""; } if (/^( *)if (?!.*[; ]fi)/) { $ifline = "$.:$_"; $spaces = length($1); }' $(find . -type f -print0 | xargs -0 file | egrep shell | cut -d: -f1) Which produced output like: ./extras/build-lynis.sh:217: if [ ${VERSION_IN_SPECFILE} = "" -o ! "${VERSION_IN_SPECFILE}" = "${LYNIS_VERSION}" ]; then ./extras/build-lynis.sh:218: echo "[X] Version in specfile is outdated" ./plugins/plugin_pam_phase1:69: if [ -d ${PAM_DIRECTORY} ]; then ./plugins/plugin_pam_phase1:70: LogText "Result: /etc/pam.d exists" ...There's probably formal shellscript-beautification tools that I'm oblivious about. * More whitespace standardization. * Fix a syntax error. This looks like an if [ foo -o bar ]; was converted to if .. elif, but incompletely. * Add whitespace before closing ]. Without it, the shell thinks the ] is part of the last string, and emits warnings like: .../lynis/include/tests_authentication: line 1028: [: missing `]'
2017-03-07 20:23:08 +01:00
LogText "Result: Skipping this test, as there are no files in /boot"
fi
else
LogText "Result: /boot does not exist"
fi
# Display discovered status
if [ ${REBOOT_NEEDED} -eq 0 ]; then
Display --indent 2 --text "- Check if reboot is needed" --result "${STATUS_NO}" --color GREEN
AddHP 5 5
elif [ ${REBOOT_NEEDED} -eq 1 ]; then
Display --indent 2 --text "- Check if reboot is needed" --result "${STATUS_YES}" --color RED
2016-11-20 16:23:17 +01:00
ReportWarning ${TEST_NO} "Reboot of system is most likely needed" "" "text:reboot"
AddHP 0 5
else
Display --indent 2 --text "- Check if reboot is needed" --result "${STATUS_UNKNOWN}" --color YELLOW
2014-08-26 17:33:55 +02:00
fi
fi
#
#################################################################################
#
WaitForKeyPress
2014-08-26 17:33:55 +02:00
#
#================================================================================
2018-01-11 09:50:26 +01:00
# Lynis - Copyright 2007-2018, CISOfy - https://cisofy.com