2014-08-26 17:33:55 +02:00
#!/bin/sh
#################################################################################
#
# Lynis
# ------------------
#
2016-03-13 16:00:39 +01:00
# Copyright 2007-2013, Michael Boelen
# Copyright 2013-2016, CISOfy
#
# Website : https://cisofy.com
# Blog : http://linux-audit.com
# GitHub : https://github.com/CISOfy/lynis
2014-08-26 17:33:55 +02:00
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
# See LICENSE file for usage of this software.
#
#################################################################################
#
AUTOMATION_TOOL_FOUND=0
2014-09-18 11:04:22 +02:00
AUTOMATION_TOOL_RUNNING=""
2015-09-08 16:02:41 +02:00
CFENGINE_AGENT_FOUND=0
CFENGINE_SERVER_RUNNING=0
2014-08-26 17:33:55 +02:00
BACKUP_AGENT_FOUND=0
2014-09-18 11:04:22 +02:00
PUPPET_MASTER_RUNNING=0
2014-12-05 12:41:33 +01:00
SALT_MASTER_RUNNING=0
SALT_MINION_RUNNING=0
2016-04-13 08:12:26 +02:00
IPS_TOOL_FOUND=0
FAIL2BAN_FOUND=0
FAIL2BAN_EMAIL=0
FAIL2BAN_SILENT=0
2014-08-26 17:33:55 +02:00
#
#################################################################################
#
InsertSection "Software: System tooling"
#
#################################################################################
#
# Automation
#
#################################################################################
#
# Test : TOOL-5002
# Description : Check if automation tools are found
Register --test-no TOOL-5002 --weight L --network NO --description "Checking for automation tools"
if [ ${SKIPTEST} -eq 0 ]; then
2014-09-15 12:01:09 +02:00
Display --indent 2 --text "- Checking automation tooling"
2014-08-26 17:33:55 +02:00
# Cfengine
if [ ! "${CFAGENTBINARY}" = "" ]; then
2015-12-21 21:17:15 +01:00
LogText "Result: CFEngine (cfagent) is installed (${CFAGENTBINARY})"
2014-08-26 17:33:55 +02:00
AUTOMATION_TOOL_FOUND=1
2015-09-08 16:02:41 +02:00
CFENGINE_AGENT_FOUND=1
2015-12-21 21:17:15 +01:00
Report "automation_tool_running[]=cf-agent"
2014-08-26 17:33:55 +02:00
Display --indent 4 --text "Found: Cfengine (cfagent)" --result FOUND --color GREEN
fi
2015-09-08 16:02:41 +02:00
OTHER_CFENGINE_LOCATIONS="/var/cfengine/bin"
for I in ${OTHER_CFENGINE_LOCATIONS}; do
2015-09-08 14:19:11 +02:00
if [ -d ${I} ]; then
2015-09-08 16:02:41 +02:00
if [ -f ${I}/cf-agent ]; then
2015-12-21 21:17:15 +01:00
LogText "Result: found CFEngine agent (cf-agent) in ${I}"
2015-09-08 16:02:41 +02:00
AUTOMATION_TOOL_FOUND=1
CFENGINE_AGENT_FOUND=1
2015-12-21 21:17:15 +01:00
Report "automation_tool_running[]=cf-agent"
2015-09-08 16:02:41 +02:00
Display --indent 4 --text "Found: CFEngine (cf-agent)" --result FOUND --color GREEN
fi
IsRunning "cf-server"
if [ ${RUNNING} -eq 1 ]; then
2015-12-21 21:17:15 +01:00
LogText "Result: found CFEngine server"
2015-09-08 16:02:41 +02:00
AUTOMATION_TOOL_FOUND=1
CFENGINE_SERVER_RUNNING=1
2015-12-21 21:17:15 +01:00
Report "automation_tool_running[]=cf-server"
2015-09-08 16:02:41 +02:00
Display --indent 4 --text "Found: CFEngine (cf-server)" --result FOUND --color GREEN
fi
2015-09-08 14:19:11 +02:00
fi
done
2014-08-26 17:33:55 +02:00
2015-09-08 16:02:41 +02:00
# Chef
2015-05-25 17:20:58 +02:00
CHEF_LOCATIONS="/opt/chef/bin /opt/chef-server/sv /opt/chefdk/bin"
for I in ${CHEF_LOCATIONS}; do
if [ -d ${I} ]; then
if [ -f ${I}/chef-client ]; then
CHEFCLIENTBINARY="${I}/chef-client"
AUTOMATION_TOOL_FOUND=1
2015-12-21 21:17:15 +01:00
Report "automation_tool_running[]=chef-client"
2015-05-25 17:20:58 +02:00
Display --indent 4 --text "Found: Chef client (chef-client)" --result FOUND --color GREEN
2015-12-21 21:17:15 +01:00
LogText "Result: found chef-client (chef client daemon) in ${I}"
2015-05-25 17:20:58 +02:00
fi
if [ -f ${I}/erchef ]; then
CHEFSERVERBINARY="${I}/erchef"
2015-12-21 21:17:15 +01:00
LogText "Result: Chef Server (erchef) is installed (${CHEFSERVERBINARY})"
2015-05-25 17:20:58 +02:00
AUTOMATION_TOOL_FOUND=1
2015-12-21 21:17:15 +01:00
Report "automation_tool_running[]=chef-server"
2015-05-25 17:20:58 +02:00
Display --indent 4 --text "Found: Chef Server (erchef)" --result FOUND --color GREEN
2015-12-21 21:17:15 +01:00
LogText "Result: found erchef (chef server daemon) in ${I}"
2015-05-25 17:20:58 +02:00
fi
fi
done
2014-08-26 17:33:55 +02:00
# Puppet
if [ ! "${PUPPETBINARY}" = "" ]; then
2015-12-21 21:17:15 +01:00
LogText "Result: Puppet is installed (${PUPPETBINARY})"
2014-08-26 17:33:55 +02:00
AUTOMATION_TOOL_FOUND=1
2015-12-21 21:17:15 +01:00
Report "automation_tool_running[]=puppet-agent"
2014-08-26 17:33:55 +02:00
Display --indent 4 --text "Found: Puppet (agent)" --result FOUND --color GREEN
fi
IsRunning "puppet master"
if [ ${RUNNING} -eq 1 ]; then
2015-12-21 21:17:15 +01:00
LogText "Result: found puppet master"
2014-08-26 17:33:55 +02:00
PUPPET_MASTER_RUNNING=1
2015-12-21 21:17:15 +01:00
Report "automation_tool_running[]=puppet-master"
2014-08-26 17:33:55 +02:00
Display --indent 4 --text "Found: Puppet (master)" --result FOUND --color GREEN
fi
2014-09-18 11:04:22 +02:00
# SaltStack
if [ ! "${SALTMINIONBINARY}" = "" ]; then
2015-12-21 21:17:15 +01:00
LogText "Result: SaltStack (salt-minion) is installed (${SALTMINIONBINARY})"
2014-09-18 11:04:22 +02:00
AUTOMATION_TOOL_FOUND=1
2014-12-05 12:41:33 +01:00
SALT_MINION_RUNNING=1
2015-12-21 21:17:15 +01:00
Report "automation_tool_running[]=saltstack-minion"
2014-09-18 11:04:22 +02:00
Display --indent 4 --text "Found: SaltStack minion (salt-minion)" --result FOUND --color GREEN
fi
if [ ! "${SALTMASTERBINARY}" = "" ]; then
2015-12-21 21:17:15 +01:00
LogText "Result: SaltStack (salt-master) is installed (${SALTMASTERBINARY})"
2014-09-18 11:04:22 +02:00
AUTOMATION_TOOL_FOUND=1
SALT_MASTER_RUNNING=1
2015-12-21 21:17:15 +01:00
Report "automation_tool_running[]=saltstack-minion"
2015-09-08 16:02:41 +02:00
Display --indent 4 --text "Found: SaltStack master (salt-master)" --result FOUND --color GREEN
else
IsRunning "salt-master"
if [ ${RUNNING} -eq 1 ]; then
2015-12-21 21:17:15 +01:00
LogText "Result: found SaltStack (master)"
2015-09-08 16:02:41 +02:00
AUTOMATION_TOOL_FOUND=1
SALT_MASTER_RUNNING=1
2015-12-21 21:17:15 +01:00
Report "automation_tool_running[]=saltstack-master"
2015-09-08 16:02:41 +02:00
Display --indent 4 --text "Found: SaltStack (master)" --result FOUND --color GREEN
fi
2014-09-18 11:04:22 +02:00
fi
2014-08-26 17:33:55 +02:00
if [ ${AUTOMATION_TOOL_FOUND} -eq 1 ]; then
Display --indent 2 --text "- Automation tooling" --result FOUND --color GREEN
else
Display --indent 2 --text "- Automation tooling" --result "NOT FOUND" --color YELLOW
ReportSuggestion ${TEST_NO} "Determine if automation tools are present for system management"
fi
fi
2016-04-13 08:12:26 +02:00
#
#################################################################################
#
# Intrusion Prevention tools
#
#################################################################################
#
2016-04-15 14:51:53 +02:00
# Test : TOOL-5102
# Description : Check for Fail2ban
Register --test-no TOOL-5102 --weight L --network NO --description "Check for presence of Fail2ban"
2016-04-13 08:12:26 +02:00
if [ ${SKIPTEST} -eq 0 ]; then
2016-04-15 14:51:53 +02:00
# Fail2ban presence
2016-04-13 08:12:26 +02:00
if [ ! "${FAIL2BANBINARY}" = "" ]; then
FAIL2BAN_FOUND=1
2016-04-28 09:15:54 +02:00
IDS_IPS_TOOL_FOUND=1
LogText "Result: Fail2ban is installed (${FAIL2BANBINARY})"
Report "ids_ips_tooling[]=fail2ban"
2016-04-15 14:51:53 +02:00
Display --indent 2 --text "- Checking presence of Fail2ban" --result FOUND --color GREEN
2016-04-13 08:12:26 +02:00
else
2016-04-15 14:51:53 +02:00
LogText "Result: Fail2ban not present (fail2ban-server not found)"
2016-04-13 08:12:26 +02:00
fi
2016-04-15 14:51:53 +02:00
# Fail2ban configuration
LogText "Checking Fail2ban configuration file"
if [ -f /etc/fail2ban/jail.local ]; then
FAIL2BAN_CONFIG="/etc/fail2ban/jail.local"
elif [ -f /etc/fail2ban/jail.conf ]; then
FAIL2BAN_CONFIG="/etc/fail2ban/jail.conf"
else
FAIL2BAN_CONFIG=""
fi
2016-04-13 08:12:26 +02:00
2016-04-15 14:51:53 +02:00
# Continue if tooling is available and configuration file found
if [ ${FAIL2BAN_FOUND} -eq 1 -a ! "${FAIL2BAN_CONFIG}" = "" ]; then
LogText "Result: found configuration file (${FAIL2BAN_CONFIG})"
2016-04-13 08:12:26 +02:00
# Check email alert configuration
2016-04-15 14:51:53 +02:00
LogText "Test: checking for email actions within ${FAIL2BAN_CONFIG}"
2016-04-13 08:12:26 +02:00
2016-04-15 14:51:53 +02:00
FIND=`egrep "^action = \%\(action_m.*\)s" ${FAIL2BAN_CONFIG}`
FIND2=`egrep "^action = \%\(action_\)s" ${FAIL2BAN_CONFIG}`
2016-04-13 08:12:26 +02:00
if [ ! "${FIND}" = "" ]; then
FAIL2BAN_EMAIL=1
LogText "Result: found at least one jail which sends an email alert"
fi
if [ ! "${FIND2}" = "" ]; then
FAIL2BAN_SILENT=1
LogText "Result: found at least one jail which does NOT send an email alert"
fi
2016-04-15 14:51:53 +02:00
2016-04-13 08:12:26 +02:00
if [ ${FAIL2BAN_SILENT} -eq 0 ] && [ ${FAIL2BAN_EMAIL} -eq 0 ]; then
2016-04-15 14:51:53 +02:00
LogText "No registered actions found in ${FAIL2BAN_CONFIG}"
Display --indent 4 --text "- Checking Fail2ban actions" --result NONE --color RED
ReportWarning "${TEST_NO}" "M" "${FAIL2BAN_CONFIG}" "There are no actions configured for Fail2ban."
2016-04-13 08:12:26 +02:00
AddHP 0 3
fi
if [ ${FAIL2BAN_SILENT} -eq 0 ] && [ ${FAIL2BAN_EMAIL} -eq 1 ]; then
2016-04-15 14:51:53 +02:00
LogText "All actions in ${FAIL2BAN_CONFIG} are configured to send email alerts"
Display --indent 4 --text "- Checking Fail2ban actions" --result OK --color GREEN
2016-04-13 08:12:26 +02:00
AddHP 3 3
fi
if [ ${FAIL2BAN_SILENT} -eq 1 ] && [ ${FAIL2BAN_EMAIL} -eq 1 ]; then
2016-04-15 14:51:53 +02:00
LogText "Some actions found in ${FAIL2BAN_CONFIG} are configured to send email alerts"
Display --indent 4 --text "- Checking Fail2ban actions" --result PARTIAL --color YELLOW
ReportSuggestion "${TEST_NO}" "Some Fail2ban jails are configured with non-notified actions. Consider changing these to emailed alerts."
2016-04-13 08:12:26 +02:00
AddHP 2 3
fi
if [ ${FAIL2BAN_SILENT} -eq 1 ] && [ ${FAIL2BAN_EMAIL} -eq 0 ]; then
2016-04-15 14:51:53 +02:00
LogText "None of the actions found in ${FAIL2BAN_CONFIG} are configured to send email alerts"
Display --indent 4 --text "- Checking Fail2ban actions" --result NONE --color YELLOW
ReportSuggestion "${TEST_NO}" "None of the Fail2ban jails are configured to send email notifications. Consider changing these to emailed alerts."
2016-04-13 08:12:26 +02:00
AddHP 1 3
2016-04-15 14:51:53 +02:00
fi
2016-04-13 08:12:26 +02:00
2016-04-15 14:51:53 +02:00
# Check at least one enabled jail
LogText "Checking for enabled jails within ${FAIL2BAN_CONFIG}"
2016-04-13 08:12:26 +02:00
2016-04-15 14:51:53 +02:00
FIND=`egrep "^enabled\s*=\s*true" ${FAIL2BAN_CONFIG}`
2016-04-13 08:12:26 +02:00
if [ ! "${FIND}" = "" ]; then
LogText "Result: found at least one enabled jail"
2016-04-15 14:51:53 +02:00
Display --indent 4 --text "- Checking Fail2ban jails" --result ENABLED --color GREEN
2016-04-13 08:12:26 +02:00
AddHP 3 3
else
2016-04-15 14:51:53 +02:00
LogText "Result: Fail2ban installed but completely disabled"
Display --indent 4 --text "- Checking Fail2ban jails" --result DISABLED --color RED
2016-04-13 08:12:26 +02:00
AddHP 0 3
2016-04-15 14:51:53 +02:00
ReportWarning "${TEST_NO}" "M" "All jails in Fail2ban are disabled" "${FAIL2BAN_CONFIG}"
2016-04-13 08:12:26 +02:00
fi
# Confirm at least one iptables chain for fail2ban
LogText "Checking for fail2ban iptables chains"
2016-04-15 14:51:53 +02:00
if [ ! "${IPTABLESBINARY}" = "" ]; then
CHECK_CHAINS=`${IPTABLESBINARY} -L 2>&1 | grep fail2ban`
2016-04-15 14:18:11 +02:00
if [ ! "${CHECK_CHAINS}" = "" ]; then
LogText "Result: found at least one iptables chain for fail2ban"
2016-04-15 14:51:53 +02:00
Display --indent 4 --text "- Checking for Fail2ban iptables chain" --result OK --color GREEN
2016-04-15 14:18:11 +02:00
else
2016-04-15 14:51:53 +02:00
LogText "Result: Fail2ban installed but iptables chain not present - fail2ban will not work"
Display --indent 4 --text "- Checking for Fail2ban iptables chain" --result WARNING --color RED
2016-04-15 14:18:11 +02:00
AddHP 0 3
2016-04-15 14:51:53 +02:00
ReportSuggestion "${TEST_NO}" "M" "Check config to see why iptables does not have a fail2ban chain" "${FAIL2BAN_CONFIG}"
2016-04-15 14:18:11 +02:00
fi
else
2016-04-15 14:51:53 +02:00
Display --indent 4 --text "- Checking for Fail2ban iptables chain" --result WARNING --color RED
ReportSuggestion "${TEST_NO}" "H" "iptables doesn't seem to be installed; Fail2ban will not work. Remove Fail2ban or install iptables" "${FAIL2BAN_CONFIG}"
2016-04-13 08:12:26 +02:00
fi
fi
fi
2016-04-15 14:51:53 +02:00
#
#################################################################################
#
# Test : TOOL-5190
2016-04-15 20:07:20 +02:00
# Description : Check for an IDS/IPS tool
Register --test-no TOOL-5014 --weight L --network NO --description "Check presence of IDS/IPS tool"
2016-04-13 08:12:26 +02:00
if [ ${SKIPTEST} -eq 0 ]; then
2016-04-15 20:07:20 +02:00
if [ ${IDS_IPS_TOOL_FOUND} -eq 1 ]; then
Display --indent 2 --text "- Checking for intrusion detection/prevention system" --result FOUND --color GREEN
2016-04-13 08:12:26 +02:00
AddHP 2 2
else
2016-04-15 20:07:20 +02:00
Display --indent 2 --text "- Checking for intrusion detection/prevention system" --result NONE --color YELLOW
#ReportSuggestion ${TEST_NO} "Ensure that automatic intrusion detection/prevention tools are installed"
2016-04-13 08:12:26 +02:00
AddHP 0 2
fi
fi
2014-08-26 17:33:55 +02:00
#
#################################################################################
#
# Backup tools
#
#################################################################################
2014-09-18 11:04:22 +02:00
#
# Netvault
# Rsync in cron
#
#################################################################################
2014-08-26 17:33:55 +02:00
#
2015-12-21 21:17:15 +01:00
Report "automation_tool_present=${AUTOMATION_TOOL_FOUND}"
2014-12-05 12:41:33 +01:00
2016-04-28 12:31:57 +02:00
WaitForKeyPress
2014-08-26 17:33:55 +02:00
#
#================================================================================
2016-03-13 16:03:46 +01:00
# Lynis - Security Auditing and System Hardening for Linux and UNIX - https://cisofy.com
