#!/bin/sh
#################################################################################
#
# Lynis
# ------------------
#
# Copyright 2007-2013, Michael Boelen
# Copyright 2007-2017, CISOfy
#
# Website : https://cisofy.com
# Blog : http://linux-audit.com
# GitHub : https://github.com/CISOfy/lynis
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
# See LICENSE file for usage of this software.
#
#################################################################################
#
InsertSection "Accounting"
#
#################################################################################
#
# Section-wide state. The tests below are plain top-level statements, so these
# are globals: AUDITD_CONF_LOCS lists the directories ACCT-9632 probes for
# auditd.conf (space separated), AUDITD_CONF_FILE receives the path it found
# (empty = none), and the *_RUNNING flags are raised from 0 to 1 by ACCT-9628
# (Linux) and ACCT-9650 (Solaris) when the respective audit daemon is running.
AUDITD_CONF_LOCS="${ROOTDIR}etc ${ROOTDIR}etc/audit"
AUDITD_CONF_FILE=
LINUX_AUDITD_RUNNING=0
SOLARIS_AUDITD_RUNNING=0
AUDIT_DAEMON_RUNNING=0
#
#################################################################################
#
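# Test : ACCT-2754
# Description : Check availability FreeBSD accounting data
Register --test-no ACCT-2754 --os FreeBSD --weight L --network NO --category security --description "Check for available FreeBSD accounting information"
if [ "${SKIPTEST}" -eq 0 ]; then
    LogText "Test: Check accounting information"
    # Only the default location is probed; the Remark below covers the case where
    # accounting writes somewhere else. Expansions are quoted so a ROOTDIR with
    # whitespace cannot break the test.
    if [ -f "${ROOTDIR}var/account/acct" ]; then
        Display --indent 2 --text "- Checking accounting information" --result "${STATUS_OK}" --color GREEN
        LogText "Result: ${ROOTDIR}var/account/acct available"
        AddHP 3 3
    else
        Display --indent 2 --text "- Checking accounting information" --result "${STATUS_NOT_FOUND}" --color YELLOW
        LogText "Result: No accounting information available"
        LogText "Remark: Possibly there is another location where the accounting data is stored"
        # No accounting data means no per-process record to reconstruct activity
        # from after an incident, hence the suggestion and AddHP 2 3 instead of 3 3
        ReportSuggestion "${TEST_NO}" "Enable process accounting"
        AddHP 2 3
    fi
fi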
#
#################################################################################
#
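# Test : ACCT-2760
# Description : Check availability OpenBSD accounting data
Register --test-no ACCT-2760 --os OpenBSD --weight L --network NO --category security --description "Check for available OpenBSD accounting information"
if [ "${SKIPTEST}" -eq 0 ]; then
    LogText "Test: Check accounting information"
    # Same probe as the FreeBSD test: only the default location is checked, and
    # expansions are quoted so a ROOTDIR with whitespace cannot break the test.
    if [ -f "${ROOTDIR}var/account/acct" ]; then
        Display --indent 2 --text "- Checking accounting information" --result "${STATUS_OK}" --color GREEN
        LogText "Result: ${ROOTDIR}var/account/acct available"
        AddHP 3 3
    else
        Display --indent 2 --text "- Checking accounting information" --result "${STATUS_NOT_FOUND}" --color YELLOW
        LogText "Result: No accounting information available"
        LogText "Remark: Possibly there is another location where the accounting data is stored"
        # No accounting data means no per-process record to reconstruct activity
        # from after an incident, hence the suggestion and AddHP 2 3 instead of 3 3
        ReportSuggestion "${TEST_NO}" "Enable process accounting"
        AddHP 2 3
    fi
fi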
#
#################################################################################
#
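# Test : ACCT-9622
# Description : Check availability Linux accounting data
# Notes : /var/log/pacct (Slackware)
Register --test-no ACCT-9622 --os Linux --weight L --network NO --category security --description "Check for available Linux accounting information"
if [ "${SKIPTEST}" -eq 0 ]; then
    LogText "Test: Check accounting information"
    # Probe the known pacct locations in order; the first existing file wins.
    # FILE and FIND are the scratch variables already used throughout this section.
    FIND=""
    for FILE in "${ROOTDIR}var/account/pacct" "${ROOTDIR}var/log/account/pacct" "${ROOTDIR}var/log/pacct"; do
        if [ -f "${FILE}" ]; then
            FIND="${FILE}"
            break
        fi
    done
    if [ -n "${FIND}" ]; then
        Display --indent 2 --text "- Checking accounting information" --result "${STATUS_OK}" --color GREEN
        LogText "Result: ${FIND} available"
        AddHP 3 3
    else
        Display --indent 2 --text "- Checking accounting information" --result "${STATUS_NOT_FOUND}" --color YELLOW
        # Names exactly the paths probed above (two of them were misspelled "pact")
        LogText "Result: No accounting information available (${ROOTDIR}var/account/pacct, ${ROOTDIR}var/log/account/pacct nor ${ROOTDIR}var/log/pacct exist)"
        LogText "Remark: Possibly there is another location where the accounting data is stored"
        # No accounting data means no per-process record to reconstruct activity
        # from after an incident, hence the suggestion and AddHP 2 3 instead of 3 3
        ReportSuggestion "${TEST_NO}" "Enable process accounting"
        AddHP 2 3
    fi
fi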
#
#################################################################################
#
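# Test : ACCT-9626
# Description : Check sysstat accounting data
Register --test-no ACCT-9626 --os Linux --weight L --network NO --category security --description "Check for sysstat accounting data"
if [ "${SKIPTEST}" -eq 0 ]; then
    LogText "Test: check ${ROOTDIR}etc/default/sysstat presence"
    if [ -f "${ROOTDIR}etc/default/sysstat" ]; then
        LogText "Result: ${ROOTDIR}etc/default/sysstat found"
        # Treated as enabled when a line starting with ENABLED contains "true"
        # (case-insensitive); anything else counts as disabled
        FIND=$(${GREPBINARY} "^ENABLED" "${ROOTDIR}etc/default/sysstat" | ${GREPBINARY} -i true)
        if [ -n "${FIND}" ]; then
            LogText "Result: sysstat enabled via ${ROOTDIR}etc/default/sysstat"
            Display --indent 2 --text "- Checking sysstat accounting data" --result "${STATUS_ENABLED}" --color GREEN
        else
            LogText "Result: sysstat disabled via ${ROOTDIR}etc/default/sysstat"
            Display --indent 2 --text "- Checking sysstat accounting data" --result "${STATUS_DISABLED}" --color WHITE
            ReportSuggestion "${TEST_NO}" "Enable sysstat to collect accounting (disabled)"
        fi
    elif [ -f "${ROOTDIR}etc/cron.d/sysstat" ]; then
        # Any line that is neither blank nor a comment is treated as an active
        # cron entry. Written as an ERE (-E): the BRE alternation "\|" used
        # before is a GNU extension that other grep implementations may lack.
        FIND=$(${GREPBINARY} -v -E '^[[:space:]]*(#|$)' "${ROOTDIR}etc/cron.d/sysstat")
        if [ -n "${FIND}" ]; then
            LogText "Result: sysstat enabled via ${ROOTDIR}etc/cron.d/sysstat"
            Display --indent 2 --text "- Checking sysstat accounting data" --result "${STATUS_ENABLED}" --color GREEN
        else
            LogText "Result: sysstat disabled via ${ROOTDIR}etc/cron.d/sysstat"
            Display --indent 2 --text "- Checking sysstat accounting data" --result "${STATUS_DISABLED}" --color WHITE
            ReportSuggestion "${TEST_NO}" "Enable sysstat to collect accounting (cron disabled)"
        fi
    else
        LogText "Result: sysstat not found via ${ROOTDIR}etc/default/sysstat or ${ROOTDIR}etc/cron.d/sysstat"
        Display --indent 2 --text "- Checking sysstat accounting data" --result "${STATUS_NOT_FOUND}" --color YELLOW
        ReportSuggestion "${TEST_NO}" "Enable sysstat to collect accounting (no results)"
    fi
fi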
#
#################################################################################
#
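# Test : ACCT-9628
# Description : Check auditd status
# NOTE(review): PREQS_MET is computed here but the Register call below does not
# pass --preqs-met, so the test also runs when no auditd binary was found and
# then ends in the "not active" branch (suggestion + linux_auditd_running=0).
# Left as is; confirm whether that is intended before wiring it in.
if [ -n "${AUDITDBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no ACCT-9628 --os Linux --weight L --network NO --category security --description "Check for auditd"
if [ "${SKIPTEST}" -eq 0 ]; then
    LogText "Test: Check auditd status"
    # Should not get kauditd (IsRunning sets RUNNING; presumably it matches the
    # process name exactly rather than as a substring - verify in the helper)
    IsRunning auditd
    if [ "${RUNNING}" -eq 1 ]; then
        LogText "Result: auditd running"
        Display --indent 2 --text "- Checking auditd" --result "${STATUS_ENABLED}" --color GREEN
        # Read by the ACCT-9630/9632/9634 prerequisites and the section's closing Report
        LINUX_AUDITD_RUNNING=1
        AUDIT_DAEMON_RUNNING=1
        Report "audit_trail_tool[]=auditd"
        Report "linux_auditd_running=1"
        AddHP 4 4
    else
        LogText "Result: auditd not active"
        Display --indent 2 --text "- Checking auditd" --result "${STATUS_NOT_FOUND}" --color WHITE
        # No suggestion inside OpenVZ containers (presumably auditing is the host's job there)
        if [ "${VMTYPE}" != "openvz" ]; then
            ReportSuggestion "${TEST_NO}" "Enable auditd to collect audit information"
        fi
        AddHP 0 1
        Report "linux_auditd_running=0"
    fi
fi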
#
#################################################################################
#
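# Test : ACCT-9630
# Description : Check auditd rules
# Separate [ ] tests joined with && replace the obsolescent "-a" operator
if [ -n "${AUDITDBINARY}" ] && [ -n "${AUDITCTLBINARY}" ] && [ "${LINUX_AUDITD_RUNNING}" -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no ACCT-9630 --os Linux --preqs-met "${PREQS_MET}" --weight L --network NO --root-only YES --category security --description "Check for auditd rules"
if [ "${SKIPTEST}" -eq 0 ]; then
    LogText "Test: Checking auditd rules"
    # Currently loaded rules; lines reading "No rules" are filtered out so an
    # empty ruleset yields an empty FIND
    FIND=$(${AUDITCTLBINARY} -l | ${GREPBINARY} -v "No rules")
    if [ -z "${FIND}" ]; then
        LogText "Result: auditd rules empty"
        Display --indent 4 --text "- Checking audit rules" --result "${STATUS_SUGGESTION}" --color YELLOW
        AddHP 0 2
        ReportSuggestion "${TEST_NO}" "Audit daemon is enabled with an empty ruleset. Disable the daemon or define rules"
    else
        LogText "Result: found auditd rules"
        Display --indent 4 --text "- Checking audit rules" --result "${STATUS_OK}" --color GREEN
        # Log the rules one per line from the output already captured above:
        # no second auditctl call, no "!space!" round trip, and no echo of rule
        # text (which was fragile for values starting with "-"). The loop body
        # runs in a subshell; that is fine as long as LogText only writes the
        # log and sets no shell variables (assumed - verify in the helper).
        printf '%s\n' "${FIND}" | while IFS= read -r RULE; do
            LogText "Output: ${RULE}"
        done
    fi
fi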
#
#################################################################################
#
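# Test : ACCT-9632
# Description : Check auditd configuration file
# Separate [ ] tests joined with && replace the obsolescent "-a" operator
if [ -n "${AUDITDBINARY}" ] && [ "${LINUX_AUDITD_RUNNING}" -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no ACCT-9632 --os Linux --preqs-met "${PREQS_MET}" --weight L --network NO --category security --description "Check for auditd configuration file"
if [ "${SKIPTEST}" -eq 0 ]; then
    LogText "Test: Checking auditd configuration file"
    # Probe every directory in AUDITD_CONF_LOCS (space separated; the unquoted
    # expansion is the intended word splitting). There is deliberately no
    # break: when several copies exist the last one listed wins, as before.
    # shellcheck disable=SC2086
    for DIR in ${AUDITD_CONF_LOCS}; do
        if [ -f "${DIR}/auditd.conf" ]; then
            AUDITD_CONF_FILE="${DIR}/auditd.conf"
            LogText "Result: Found ${DIR}/auditd.conf"
        else
            LogText "Result: ${DIR}/auditd.conf not found"
        fi
    done
    # Check if we discovered the configuration file. It should be there if the
    # binaries are available and the process is running
    if [ -n "${AUDITD_CONF_FILE}" ]; then
        Display --indent 4 --text "- Checking audit configuration file" --result "${STATUS_OK}" --color GREEN
    else
        LogText "Result: could not find auditd configuration file"
        Display --indent 4 --text "- Checking audit configuration file" --result "${STATUS_WARNING}" --color RED
        ReportSuggestion "${TEST_NO}" "Determine the location of auditd configuration file"
    fi
fi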
#
#################################################################################
#
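# Test : ACCT-9634
# Description : Check auditd log file
# Separate [ ] tests joined with && replace the obsolescent "-a" operator
if [ -n "${AUDITDBINARY}" ] && [ "${LINUX_AUDITD_RUNNING}" -eq 1 ] && [ -n "${AUDITD_CONF_FILE}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no ACCT-9634 --os Linux --preqs-met "${PREQS_MET}" --weight L --network NO --category security --description "Check for auditd log file"
if [ "${SKIPTEST}" -eq 0 ]; then
    LogText "Test: Checking auditd log file"
    # Value of a "log_file = <path>" line; awk keeps only an exact log_file key
    # so other keys starting with log_file are ignored. Several such lines give
    # a multi-line value, which the -f test below then rejects.
    FIND=$(${GREPBINARY} "^log_file" "${AUDITD_CONF_FILE}" | ${AWKBINARY} '{ if ($1=="log_file" && $2=="=") { print $3 } }')
    if [ -n "${FIND}" ]; then
        LogText "Result: log file is defined"
        LogText "Defined value: ${FIND}"
        # NOTE(review): the configured path is tested as-is, without the ROOTDIR
        # prefix the other tests apply - confirm this is wanted for non-/ ROOTDIR
        if [ -f "${FIND}" ]; then
            LogText "Result: log file ${FIND} exists on disk"
            Display --indent 4 --text "- Checking auditd log file" --result "${STATUS_FOUND}" --color GREEN
            Report "logfile[]=${FIND}"
        else
            LogText "Result: can't find log file ${FIND} on disk"
            Display --indent 4 --text "- Checking auditd log file" --result "${STATUS_SUGGESTION}" --color YELLOW
            ReportSuggestion "${TEST_NO}" "Check auditd log file location"
        fi
    else
        # No usable log_file directive at all. The previous warning text
        # ("defined but can not be found on disk") described the opposite case.
        LogText "Result: no log file found"
        Display --indent 4 --text "- Checking auditd log file" --result "${STATUS_WARNING}" --color RED
        ReportWarning "${TEST_NO}" "Auditd log file is not defined in ${AUDITD_CONF_FILE}"
    fi
fi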
#
#################################################################################
#
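# Test : ACCT-9636
# Description : Check for Snoopy (wrapper for execve() and logger)
Register --test-no ACCT-9636 --os Linux --weight L --network NO --category security --description "Check for Snoopy wrapper and logger"
if [ "${SKIPTEST}" -eq 0 ]; then
    # Only this one install location is probed; a snoopy library installed
    # elsewhere is not detected by this test
    FILE="${ROOTDIR}lib/snoopy.so"
    if [ -f "${FILE}" ]; then
        LogText "Result: found ${FILE}"
        Display --indent 2 --text "- Checking Snoopy" --result "${STATUS_FOUND}" --color GREEN
        if [ -f "${ROOTDIR}etc/ld.so.preload" ]; then
            LogText "Result: found ${ROOTDIR}etc/ld.so.preload, testing if snoopy.so is listed"
            # Fixed-string match (-F): the path contains "." which a regex would
            # treat as a wildcard; "--" stops a leading "-" being read as an option
            FIND=$(${GREPBINARY} -F -- "${FILE}" "${ROOTDIR}etc/ld.so.preload")
            if [ -n "${FIND}" ]; then
                LogText "Result: found snoopy in ld.so.preload"
                LogText "Output: ${FIND}"
                Display --indent 6 --text "- Library in ld.so.preload" --result "LOADED" --color GREEN
                Report "audit_trail_tool[]=snoopy"
            else
                Display --indent 6 --text "- Library in ld.so.preload" --result "${STATUS_NOT_FOUND}" --color YELLOW
                ReportSuggestion "${TEST_NO}" "Snoopy is installed but not loaded via ${ROOTDIR}etc/ld.so.preload"
                # NOTE(review): full points are awarded here, in the "installed but
                # not loaded" branch, and none in the loaded branch above. That
                # looks inverted; kept unchanged pending confirmation of the intent.
                AddHP 3 3
            fi
        else
            LogText "Result: ${ROOTDIR}etc/ld.so.preload does not exist"
            Display --indent 6 --text "- Library in ld.so.preload" --result "${STATUS_UNKNOWN}" --color PURPLE
            ReportException "${TEST_NO}:1" "Unsure how Snoopy might be loaded as ld.so.preload does not exist"
        fi
    fi
fi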
#
#################################################################################
#
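# Test : ACCT-9650
# Description : Check Solaris audit daemon presence
Register --test-no ACCT-9650 --os Solaris --weight L --network NO --category security --description "Check Solaris audit daemon"
if [ "${SKIPTEST}" -eq 0 ]; then
    LogText "Test: check if audit daemon is running"
    # IsRunning sets RUNNING (1 = running)
    IsRunning auditd
    if [ "${RUNNING}" -eq 1 ]; then
        LogText "Result: Solaris audit daemon is running"
        # Prerequisite flags for ACCT-9652 through ACCT-9662 and the section's closing Report
        SOLARIS_AUDITD_RUNNING=1
        AUDIT_DAEMON_RUNNING=1
        Display --indent 2 --text "- Checking Solaris audit daemon status" --result "${STATUS_RUNNING}" --color GREEN
    else
        # Unlike the Linux counterpart (ACCT-9628) this branch adds no suggestion
        # and no hardening points; the closing audit_daemon_running Report is the
        # only machine-readable trace of it
        LogText "Result: Solaris audit daemon is not running"
        Display --indent 2 --text "- Checking Solaris audit daemon status" --result "${STATUS_NOT_RUNNING}" --color YELLOW
    fi
fi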
#
#################################################################################
#
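# Test : ACCT-9652
# Description : Check Solaris auditd service status
# Needs the SMF client and a daemon seen running by ACCT-9650. Separate [ ]
# tests joined with && replace the obsolescent "-a" operator.
if [ -x "${ROOTDIR}usr/bin/svcs" ] && [ "${SOLARIS_AUDITD_RUNNING}" -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no ACCT-9652 --os Solaris --preqs-met "${PREQS_MET}" --weight L --network NO --category security --description "Check auditd SMF status"
if [ "${SKIPTEST}" -eq 0 ]; then
    LogText "Test: check if auditd service is enabled and online"
    # An output line starting with "online" is taken as the service state
    FIND=$("${ROOTDIR}usr/bin/svcs" svc:/system/auditd:default | ${GREPBINARY} "^online")
    if [ -n "${FIND}" ]; then
        LogText "Result: auditd service is online"
        # Plain literal, the counterpart of "NOT ONLINE" below (was the garbled "${STATUS_ON}"LINE)
        Display --indent 4 --text "- Checking Solaris audit daemon status" --result "ONLINE" --color GREEN
    else
        LogText "Result: auditd service is not online"
        Display --indent 4 --text "- Checking Solaris audit daemon status" --result "NOT ONLINE" --color YELLOW
        ReportSuggestion "${TEST_NO}" "Check status of audit daemon"
    fi
fi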
#
#################################################################################
#
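# Test : ACCT-9654
# Description : Check Solaris Basic Security Mode (BSM) in /etc/system
if [ "${SOLARIS_AUDITD_RUNNING}" -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no ACCT-9654 --os Solaris --preqs-met "${PREQS_MET}" --weight L --network NO --category security --description "Check BSM auditing in ${ROOTDIR}etc/system"
if [ "${SKIPTEST}" -eq 0 ]; then
    LogText "Test: check if BSM is enabled in ${ROOTDIR}etc/system"
    if [ -f "${ROOTDIR}etc/system" ]; then
        # The module-load directive is searched as a fixed string (-F); the
        # pattern has no regex metacharacters, so matching is unchanged
        FIND=$(${GREPBINARY} -F 'set c2audit:audit_load = 1' "${ROOTDIR}etc/system")
        if [ -n "${FIND}" ]; then
            LogText "Result: BSM is enabled in ${ROOTDIR}etc/system"
            Display --indent 4 --text "- Checking Solaris BSM (${ROOTDIR}etc/system)" --result "${STATUS_ENABLED}" --color GREEN
        else
            LogText "Result: BSM directive not found in ${ROOTDIR}etc/system"
            Display --indent 4 --text "- Checking Solaris BSM (${ROOTDIR}etc/system)" --result "${STATUS_NOT_FOUND}" --color YELLOW
        fi
    else
        LogText "Result: ${ROOTDIR}etc/system does not exist"
    fi
fi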
#
#################################################################################
#
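# Test : ACCT-9656
# Description : Check Solaris BSM (c2audit) module status
# Notes : todo - replace direct binary call
if [ "${SOLARIS_AUDITD_RUNNING}" -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no ACCT-9656 --os Solaris --preqs-met "${PREQS_MET}" --weight L --network NO --category security --description "Check BSM auditing in module list"
if [ "${SKIPTEST}" -eq 0 ]; then
    LogText "Test: check if c2audit module is active"
    if [ -x "${ROOTDIR}usr/sbin/modinfo" ]; then
        # Any modinfo line mentioning c2audit counts as the module being loaded
        FIND=$("${ROOTDIR}usr/sbin/modinfo" | ${GREPBINARY} c2audit)
        if [ -n "${FIND}" ]; then
            LogText "Result: c2audit found in modinfo output"
            Display --indent 4 --text "- Checking Solaris BSM (modules list)" --result "${STATUS_ENABLED}" --color GREEN
        else
            LogText "Result: c2audit not found in modinfo output"
            Display --indent 4 --text "- Checking Solaris BSM (modules list)" --result "${STATUS_NOT_FOUND}" --color YELLOW
        fi
    else
        LogText "Result: ${ROOTDIR}usr/sbin/modinfo does not exist, skipping test"
    fi
fi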
#
#################################################################################
#
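# Test : ACCT-9660
# Description : Check location for audit events
# (the header used to say ACCT-9662, which is the auditstat test; the id handed
# to Register is the one that is reported, so the header now matches it)
if [ "${SOLARIS_AUDITD_RUNNING}" -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no ACCT-9660 --os Solaris --preqs-met "${PREQS_MET}" --weight L --network NO --category security --description "Check location of audit events"
if [ "${SKIPTEST}" -eq 0 ]; then
    LogText "Test: check ${ROOTDIR}etc/security/audit_control for event logging location"
    if [ -f "${ROOTDIR}etc/security/audit_control" ]; then
        LogText "Result: file ${ROOTDIR}etc/security/audit_control found"
        # Value part of "dir:<path>" lines. Several of them give a multi-line
        # FIND, which the -d test below rejects (ends in the "does not exist" branch)
        FIND=$(${GREPBINARY} "^dir" "${ROOTDIR}etc/security/audit_control" | ${AWKBINARY} -F: '{ print $2 }')
        if [ -n "${FIND}" ]; then
            LogText "Result: found location ${FIND}"
            LogText "Test: Checking if location is a valid directory"
            # NOTE(review): tested without the ROOTDIR prefix that the config
            # file itself gets - confirm this is wanted for non-/ ROOTDIR
            if [ -d "${FIND}" ]; then
                LogText "Result: location ${FIND} is valid"
                Display --indent 4 --text "- Checking Solaris audit location" --result "${STATUS_FOUND}" --color GREEN
            else
                LogText "Result: location ${FIND} does not exist"
                Display --indent 4 --text "- Checking Solaris audit location" --result "${STATUS_NOT_FOUND}" --color YELLOW
                ReportSuggestion "${TEST_NO}" "Check if the Solaris audit directory is available"
            fi
        else
            LogText "Result: unknown event location"
            Display --indent 4 --text "- Checking Solaris audit location" --result "${STATUS_UNKNOWN}" --color YELLOW
            ReportSuggestion "${TEST_NO}" "Check if the Solaris audit directory is properly configured"
        fi
    else
        LogText "Result: could not find ${ROOTDIR}etc/security/audit_control"
        Display --indent 4 --text "- Checking Solaris audit location" --result "${STATUS_SKIPPED}" --color YELLOW
    fi
fi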
#
#################################################################################
#
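# Test : ACCT-9662
# Description : check auditstat
# (the header used to say ACCT-9672; the id handed to Register is the one that
# is reported, so the header now matches it)
if [ "${SOLARIS_AUDITD_RUNNING}" -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no ACCT-9662 --os Solaris --preqs-met "${PREQS_MET}" --weight L --network NO --category security --description "Check Solaris auditing stats"
if [ "${SKIPTEST}" -eq 0 ]; then
    LogText "Test: Check auditing statistics"
    if [ -x "${ROOTDIR}usr/sbin/auditstat" ]; then
        # Log the statistics line by line as printed. The former "tr -s ' ' ','"
        # only existed to survive word splitting in a for loop; read -r keeps
        # each line intact instead. The loop body runs in a subshell, which is
        # fine as long as LogText only writes the log (assumed - verify in the helper).
        "${ROOTDIR}usr/sbin/auditstat" | while IFS= read -r ITEM; do
            LogText "Output: ${ITEM}"
        done
        Display --indent 4 --text "- Checking Solaris audit statistics" --result "${STATUS_DONE}" --color GREEN
    else
        LogText "Result: ${ROOTDIR}usr/sbin/auditstat not found, skipping test"
        Display --indent 4 --text "- Checking Solaris audit statistics" --result "${STATUS_SKIPPED}" --color YELLOW
    fi
fi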
#
#################################################################################
#
# Section summary: 1 if either the Linux (ACCT-9628) or the Solaris (ACCT-9650)
# audit daemon was seen running, else the initial 0
Report "audit_daemon_running=${AUDIT_DAEMON_RUNNING}"
#
#################################################################################
#
# End of section: hand over to the WaitForKeyPress helper (whether it actually
# blocks is decided inside that helper, not here)
WaitForKeyPress
#
#================================================================================
# Lynis - Copyright 2007-2017, Michael Boelen / CISOfy - https://cisofy.com