2014-08-26 17:33:55 +02:00
#!/bin/sh
#################################################################################
#
# Lynis
# ------------------
#
2016-03-13 16:00:39 +01:00
# Copyright 2007-2013, Michael Boelen
2019-01-31 14:47:35 +01:00
# Copyright 2007-2019, CISOfy
2016-03-13 16:00:39 +01:00
#
# Website : https://cisofy.com
# Blog : http://linux-audit.com
# GitHub : https://github.com/CISOfy/lynis
2014-08-26 17:33:55 +02:00
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
# See LICENSE file for usage of this software.
#
#################################################################################
#
# Category: Boot and services
#
#################################################################################
#
InsertSection "Boot and services"
#
#################################################################################
#
2014-12-02 13:55:06 +01:00
BOOT_LOADER="unknown"
2014-09-22 23:39:31 +02:00
BOOT_LOADER_FOUND=0
2015-08-20 18:37:03 +02:00
BOOT_LOADER_SEARCHED=0
2014-09-25 17:47:23 +02:00
GRUB_VERSION=0
2018-01-17 15:56:19 +01:00
if [ -z "${SERVICE_MANAGER}" ]; then
SERVICE_MANAGER="unknown"
fi
2014-08-26 17:33:55 +02:00
#
#################################################################################
2014-10-19 12:25:40 +02:00
#
# Test : BOOT-5102
# Description : Check for AIX boot device
# Notes : The AIX bootstrap is called as software ROS. Bootstrap contains IPL (Initial Program loader)
2016-09-08 21:04:17 +02:00
# TODO - binary detection of bootinfo and replace with variable
2016-07-24 17:22:00 +02:00
Register --test-no BOOT-5102 --os AIX --weight L --network NO --root-only YES --category security --description "Check for AIX boot device"
2014-10-19 12:25:40 +02:00
if [ ${SKIPTEST} -eq 0 ]; then
2015-08-20 18:37:03 +02:00
BOOT_LOADER_SEARCHED=1
2015-12-21 21:17:15 +01:00
LogText "Test: Query bootinfo for AIX boot device"
2014-10-19 12:25:40 +02:00
if [ -x /usr/sbin/bootinfo ]; then
2016-09-08 21:04:17 +02:00
FIND=$(/usr/sbin/bootinfo -b)
2019-07-16 13:20:30 +02:00
if [ -n "${FIND}" ]; then
2015-12-21 21:17:15 +01:00
LogText "Result: found boot device ${FIND}"
2016-06-18 11:14:01 +02:00
Display --indent 2 --text "- Checking boot device (bootinfo)" --result "${STATUS_FOUND}" --color GREEN
2014-10-19 12:25:40 +02:00
BOOT_LOADER="ROS"
BOOT_LOADER_FOUND=1
2016-09-08 21:04:17 +02:00
else
2015-12-21 21:17:15 +01:00
LogText "Result: no data received from bootinfo, most likely boot device not found"
2014-10-19 12:25:40 +02:00
fi
fi
fi
2014-12-02 13:55:06 +01:00
#
#################################################################################
#
# Test : BOOT-5104
# Description : Determine service manager
2014-12-03 14:22:58 +01:00
# Notes :
# initscripts - Used by Arch before
# systemd - Common option with more Linux distros implementing it
# upstart - Used by Debian/Ubuntu
2016-07-24 17:22:00 +02:00
Register --test-no BOOT-5104 --weight L --network NO --category security --description "Determine service manager"
2014-12-02 13:55:06 +01:00
if [ ${SKIPTEST} -eq 0 ]; then
2015-08-20 18:37:03 +02:00
BOOT_LOADER_SEARCHED=1
2014-12-02 13:55:06 +01:00
case ${OS} in
2014-12-05 17:11:59 +01:00
"Linux")
2014-12-02 13:55:06 +01:00
if [ -f /proc/1/cmdline ]; then
2018-08-22 16:38:54 +02:00
OUTPUT=$(${AWKBINARY} '/(^\/|init)/ { print $1 }' /proc/1/cmdline | ${TRBINARY} '\0' ' ' | ${SEDBINARY} 's/ $//')
LogText "Result: cmdline found = ${OUTPUT}"
FILENAME=$(echo "${OUTPUT}" | ${AWKBINARY} '{print $1}')
LogText "Result: file on disk = ${FILENAME}"
2017-03-05 13:13:20 +01:00
ISFILE=$(echo ${FILENAME} | ${GREPBINARY} "^/")
2019-07-16 13:20:30 +02:00
if [ -n "${ISFILE}" ]; then
2016-03-17 20:32:21 +01:00
if [ -L ${ISFILE} ]; then
ShowSymlinkPath ${ISFILE}
FILENAME="${SYMLINK}"
elif [ -f ${ISFILE} ]; then
FILENAME="${ISFILE}"
else
LogText "Result: cmdline of PID 1 is not a file"
fi
fi
2019-07-16 13:20:30 +02:00
if [ -n "${FILENAME}" ]; then
2017-03-05 13:13:20 +01:00
SHORTNAME=$(echo ${FILENAME} | ${AWKBINARY} -F/ '{ print $NF }')
2016-03-16 12:10:10 +01:00
LogText "Found: ${SHORTNAME}"
2018-01-17 15:56:19 +01:00
if [ "${SERVICE_MANAGER}" = "unknown" ]; then
case ${SHORTNAME} in
2018-07-25 13:24:11 +02:00
busybox)
SERVICE_MANAGER="busybox"
;;
2018-01-17 15:56:19 +01:00
"init" | "initsplash")
2019-06-06 14:41:29 +02:00
if [ -d ${ROOTDIR}etc/rc.d ]; then
SERVICE_MANAGER="bsdrc.d"
else
SERVICE_MANAGER="SysV Init"
fi
2018-01-17 15:56:19 +01:00
;;
systemd)
2016-03-17 20:57:31 +01:00
SERVICE_MANAGER="systemd"
2018-01-17 15:56:19 +01:00
;;
upstart)
SERVICE_MANAGER="upstart"
;;
*)
CONTAINS_SYSTEMD=$(echo ${SHORTNAME} | ${GREPBINARY} "systemd")
2019-07-16 13:20:30 +02:00
if [ -n "${CONTAINS_SYSTEMD}" ]; then
2018-01-17 15:56:19 +01:00
SERVICE_MANAGER="systemd"
else
LogText "Found ${SHORTNAME}. Unclear what service manager this is"
ReportException "${TEST_NO}:001" "Unknown service manager"
fi
;;
esac
fi
2017-03-05 13:13:20 +01:00
else
2016-03-16 12:10:10 +01:00
LogText "Result: /proc/1/cmdline seems to be empty"
ReportException "${TEST_NO}:002" "No data found in /proc/1/cmdline"
2014-12-02 13:55:06 +01:00
fi
fi
2014-12-03 14:22:58 +01:00
# Continue testing if we didn't find it yet
if [ "${SERVICE_MANAGER}" = "unknown" ]; then
if [ -f /usr/bin/init-openrc ]; then SERVICE_MANAGER="openrc"; fi
fi
;;
2019-03-05 19:03:44 +01:00
"DragonFly" | "NetBSD" | "FreeBSD" | "OpenBSD")
2016-09-08 21:04:17 +02:00
if [ -x /sbin/init -a -d ${ROOTDIR}etc/rc.d -a -f ${ROOTDIR}etc/rc ]; then
2014-12-03 14:22:58 +01:00
SERVICE_MANAGER="bsdrc"
fi
2014-12-02 13:55:06 +01:00
;;
2017-05-08 14:56:39 +02:00
"macOS")
if [ -x ${ROOTDIR}sbin/launchd ]; then
SERVICE_MANAGER="launchd"
fi
;;
2014-12-02 13:55:06 +01:00
*)
2015-12-21 21:17:15 +01:00
LogText "Result: unknown service manager"
2017-03-05 13:13:20 +01:00
;;
2014-12-02 13:55:06 +01:00
esac
2016-03-16 12:10:10 +01:00
LogText "Result: service manager found = ${SERVICE_MANAGER}"
if [ "${SERVICE_MANAGER}" = "" -o "${SERVICE_MANAGER}" = "unknown" ]; then
2016-06-18 11:14:01 +02:00
Display --indent 2 --text "- Service Manager" --result "${STATUS_UNKNOWN}" --color YELLOW
2016-09-08 21:04:17 +02:00
else
2014-12-02 13:55:06 +01:00
Display --indent 2 --text "- Service Manager" --result "${SERVICE_MANAGER}" --color GREEN
fi
fi
2014-10-19 12:25:40 +02:00
#
#################################################################################
2015-12-08 18:41:43 +01:00
#
# Test : BOOT-5106
2016-11-05 11:53:22 +01:00
# Description : Check if boot.efi is found on macOS/macOS
Register --test-no BOOT-5106 --os "macOS" --weight L --network NO --root-only YES --category security --description "Check EFI boot file on Mac OS X/macOS"
2015-12-08 18:41:43 +01:00
if [ ${SKIPTEST} -eq 0 ]; then
2018-01-18 16:36:43 +01:00
BOOT_LOADER_SEARCHED=1
2016-09-08 21:04:17 +02:00
FileExists ${ROOTDIR}System/Library/CoreServices/boot.efi
2015-12-08 18:41:43 +01:00
if [ ${FILE_FOUND} -eq 1 ]; then
2016-11-05 11:53:22 +01:00
LogText "Result: found macOS/Mac OS X boot.efi file"
BOOT_LOADER="macOS-boot-EFI"
2015-12-08 18:41:43 +01:00
BOOT_LOADER_FOUND=1
fi
fi
#
#################################################################################
2016-08-18 15:31:51 +02:00
#
# Test : BOOT-5108
# Description : Check for Syslinux
Register --test-no BOOT-5108 --os "Linux" --weight L --network NO --root-only YES --category security --description "Check Syslinux as bootloader"
if [ ${SKIPTEST} -eq 0 ]; then
2018-01-18 16:36:43 +01:00
BOOT_LOADER_SEARCHED=1
2016-09-08 21:04:17 +02:00
FileExists ${ROOTDIR}boot/syslinux/syslinux.cfg
2016-08-18 15:31:51 +02:00
if [ ${FILE_FOUND} -eq 1 ]; then
LogText "Result: found Syslinux"
BOOT_LOADER="Syslinux"
BOOT_LOADER_FOUND=1
fi
fi
#
#################################################################################
2015-09-07 17:41:05 +02:00
#
# Test : BOOT-5116
# Description : Check if system is booted in UEFI mode
2016-07-24 17:22:00 +02:00
Register --test-no BOOT-5116 --weight L --network NO --root-only YES --category security --description "Check if system is booted in UEFI mode"
2015-09-07 17:41:05 +02:00
if [ ${SKIPTEST} -eq 0 ]; then
UEFI_TESTS_PERFORMED=0
case ${OS} in
Linux)
UEFI_TESTS_PERFORMED=1
# Check if UEFI is available in this boot
2015-12-21 21:17:15 +01:00
LogText "Test: checking if UEFI is used"
2016-09-08 21:04:17 +02:00
if [ -d ${ROOTDIR}sys/firmware/efi ]; then
2015-12-21 21:17:15 +01:00
LogText "Result: system booted in UEFI mode"
2015-09-07 17:41:05 +02:00
UEFI_BOOTED=1
2016-09-08 21:04:17 +02:00
else
2015-12-21 21:17:15 +01:00
LogText "Result: UEFI not used, can't find /sys/firmware/efi directory"
2015-09-07 17:41:05 +02:00
fi
# Test if Secure Boot is enabled
2015-12-21 21:17:15 +01:00
LogText "Test: determine if Secure Boot is used"
2016-09-08 21:04:17 +02:00
if [ -d ${ROOTDIR}sys/firmware/efi/efivars ]; then
FIND=$(${LSBINARY} ${ROOTDIR}sys/firmware/efi/efivars/SecureBoot-* 2> /dev/null)
2019-07-16 13:20:30 +02:00
if [ -n "${FIND}" ]; then
2016-09-08 21:04:17 +02:00
for FILE in ${FIND}; do
LogText "Test: checking file ${FILE}"
# TODO: add detection for od
J=$(od -An -t u1 ${FILE} | ${AWKBINARY} '{ print $5 }')
2015-09-07 17:41:05 +02:00
if [ "${J}" = "1" ]; then
2015-12-21 21:17:15 +01:00
LogText "Result: found SecureBoot file with enabled status"
2015-09-07 17:41:05 +02:00
UEFI_BOOTED_SECURE=1
2016-09-08 21:04:17 +02:00
else
LogText "Result: system not booted with Secure Boot (status 0 in file ${FILE})"
2015-09-07 17:41:05 +02:00
fi
done
fi
2016-09-08 21:04:17 +02:00
else
2015-12-21 21:17:15 +01:00
LogText "Result: system not booted with Secure Boot (no SecureBoot file found)"
2015-09-07 17:41:05 +02:00
fi
;;
2016-11-05 11:53:22 +01:00
#macOS)
# TODO: macOS ioreg -l -p IODeviceTree | ${GREPBINARY} firmware-abi
2015-09-07 17:41:05 +02:00
#;;
*)
2015-12-21 21:17:15 +01:00
LogText "Result: no test implemented yet to test for UEFI on this platform"
2015-09-07 17:41:05 +02:00
;;
esac
if [ ${UEFI_BOOTED} -eq 1 ]; then
2016-06-18 11:14:01 +02:00
Display --indent 2 --text "- Checking UEFI boot" --result "${STATUS_ENABLED}" --color GREEN
2015-09-07 17:41:05 +02:00
if [ ${UEFI_BOOTED_SECURE} -eq 1 ]; then
2016-06-18 11:14:01 +02:00
Display --indent 2 --text "- Checking Secure Boot" --result "${STATUS_ENABLED}" --color GREEN
2016-09-08 21:04:17 +02:00
else
2016-06-18 11:14:01 +02:00
Display --indent 2 --text "- Checking Secure Boot" --result "${STATUS_DISABLED}" --color YELLOW
2015-09-07 17:41:05 +02:00
fi
2016-09-08 21:04:17 +02:00
else
2015-09-07 17:41:05 +02:00
if [ ${UEFI_TESTS_PERFORMED} -eq 1 ]; then
2016-06-18 11:14:01 +02:00
Display --indent 2 --text "- Checking UEFI boot" --result "${STATUS_DISABLED}" --color WHITE
2015-09-07 17:41:05 +02:00
fi
fi
fi
#
#################################################################################
2019-03-07 10:07:52 +01:00
#
# Test : BOOT-5117
# Description : Check for systemd-boot boot loader
if [ ! "${BOOTCTLBINARY}" = "" -a ${HAS_SYSTEMD} -eq 1 -a ${UEFI_BOOTED} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no BOOT-5117 --preqs-met ${PREQS_MET} --os "Linux" --weight L --network NO --category security --description "Check for systemd-boot bootloader presence"
if [ ${SKIPTEST} -eq 0 ]; then
BOOT_LOADER_SEARCHED=1
CURRENT_BOOT_LOADER=$(${BOOTCTLBINARY} status --no-pager 2>/dev/null | ${AWKBINARY} '/Current Boot Loader/{ getline; print $2 }')
if [ "${CURRENT_BOOT_LOADER}" = "systemd-boot" ]; then
Display --indent 2 --text "- Checking systemd-boot presence" --result "${STATUS_FOUND}" --color GREEN
LogText "Result: found systemd-boot"
BOOT_LOADER="systemd-boot"
BOOT_LOADER_FOUND=1
fi
fi
#
#################################################################################
2014-08-26 17:33:55 +02:00
#
# Test : BOOT-5121
# Description : Check for GRUB boot loader
2016-07-24 17:22:00 +02:00
Register --test-no BOOT-5121 --weight L --network NO --category security --description "Check for GRUB boot loader presence"
2014-08-26 17:33:55 +02:00
if [ ${SKIPTEST} -eq 0 ]; then
2015-08-20 18:37:03 +02:00
BOOT_LOADER_SEARCHED=1
2014-08-26 17:33:55 +02:00
FOUND=0
2015-12-21 21:17:15 +01:00
LogText "Test: Checking for presence GRUB conf file (/boot/grub/grub.conf or /boot/grub/menu.lst)"
2014-08-26 17:33:55 +02:00
if [ -f /boot/grub/grub.conf -o -f /boot/grub/menu.lst ]; then
FOUND=1
BOOT_LOADER="GRUB"
2014-09-22 23:39:31 +02:00
BOOT_LOADER_FOUND=1
2014-09-25 17:47:23 +02:00
GRUB_VERSION=1
2016-06-18 11:14:01 +02:00
Display --indent 2 --text "- Checking presence GRUB" --result "${STATUS_OK}" --color GREEN
2014-08-26 17:33:55 +02:00
if [ -f /boot/grub/grub.conf ]; then GRUBCONFFILE="/boot/grub/grub.conf"; else GRUBCONFFILE="/boot/grub/menu.lst"; fi
fi
# GRUB2 configuration file
2014-10-09 00:41:06 +02:00
if [ -f /boot/grub/grub.cfg -o -f /boot/grub2/grub.cfg ]; then
2014-08-26 17:33:55 +02:00
FOUND=1
BOOT_LOADER="GRUB2"
2014-09-22 23:39:31 +02:00
BOOT_LOADER_FOUND=1
2014-09-25 17:47:23 +02:00
GRUB_VERSION=2
2016-06-18 11:14:01 +02:00
Display --indent 2 --text "- Checking presence GRUB2" --result "${STATUS_FOUND}" --color GREEN
2014-10-06 21:27:23 +02:00
if [ -f /boot/grub/grub.cfg ]; then
GRUBCONFFILE="/boot/grub/grub.cfg"
elif [ -f /boot/grub2/grub.cfg ]; then
GRUBCONFFILE="/boot/grub2/grub.cfg"
fi
2015-12-21 21:17:15 +01:00
LogText "Result: found GRUB2 configuration file (${GRUBCONFFILE})"
2014-09-25 17:51:08 +02:00
fi
2014-09-25 17:57:59 +02:00
# Some OSes like Gentoo do not have /boot mounted by default
2016-09-08 21:04:17 +02:00
# TODO: root directory and rewrite ls statement
2014-09-25 17:47:23 +02:00
if [ -d /boot ]; then
2019-07-16 13:20:30 +02:00
if [ "$(ls /boot/* 2> /dev/null)" = "" -a -n "${GRUB2INSTALLBINARY}" ]; then
2014-09-25 17:57:59 +02:00
BOOT_LOADER_FOUND=1
2015-12-21 21:17:15 +01:00
LogText "Result: found empty /boot, however with GRUB2 binary installed. Best guess is that GRUB2 is actually installed, but /boot not mounted"
2014-12-03 14:22:58 +01:00
Display --indent 2 --text "- Checking presence GRUB2" --result "POSSIBLE MATCH" --color YELLOW
2014-09-25 17:47:23 +02:00
ReportManual "${TEST_NO}:01"
fi
2014-08-26 17:33:55 +02:00
fi
if [ ${FOUND} -eq 0 ]; then
2015-12-21 21:17:15 +01:00
LogText "Result: no GRUB configuration file found."
2014-08-26 17:33:55 +02:00
fi
fi
#
#################################################################################
2014-09-25 17:47:23 +02:00
#
# Test : BOOT-5122
# Description : Check for GRUB boot loader configuration
2019-07-16 13:20:30 +02:00
if [ -n "${GRUBCONFFILE}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
2016-07-24 17:22:00 +02:00
Register --test-no BOOT-5122 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for GRUB boot password"
2014-09-25 17:47:23 +02:00
if [ ${SKIPTEST} -eq 0 ]; then
2014-11-13 00:58:11 +01:00
FOUND=0
2015-12-21 21:17:15 +01:00
LogText "Found file ${GRUBCONFFILE}, proceeding with tests."
2014-09-25 17:47:23 +02:00
FileIsReadable ${GRUBCONFFILE}
if [ ${CANREAD} -eq 1 ]; then
2016-09-08 21:04:17 +02:00
FIND=$(${GREPBINARY} 'password --md5' ${GRUBCONFFILE} | ${GREPBINARY} -v '^#')
FIND2=$(${GREPBINARY} 'password --encrypted' ${GRUBCONFFILE} | ${GREPBINARY} -v '^#')
FIND3=$(${GREPBINARY} 'set superusers' ${GRUBCONFFILE} | ${GREPBINARY} -v '^#')
FIND4=$(${GREPBINARY} 'password_pbkdf2' ${GRUBCONFFILE} | ${GREPBINARY} -v '^#')
FIND5=$(${GREPBINARY} 'grub.pbkdf2' ${GRUBCONFFILE} | ${GREPBINARY} -v '^#')
2016-07-11 11:24:52 +02:00
# GRUB1: Password should be set (MD5 or SHA1)
2019-07-16 13:20:30 +02:00
if [ -n "${FIND}" -o -n "${FIND2}" ]; then
2014-11-13 00:58:11 +01:00
FOUND=1
2016-07-11 11:24:52 +02:00
# GRUB2: Superusers AND password should be defined
2019-07-16 13:20:30 +02:00
elif [ -n "${FIND3}" ]; then
if [ -n "${FIND4}" -o -n "${FIND5}" ]; then FOUND=1; fi
2014-11-13 00:58:11 +01:00
fi
if [ ${FOUND} -eq 1 ]; then
2016-06-18 11:14:01 +02:00
Display --indent 4 --text "- Checking for password protection" --result "${STATUS_OK}" --color GREEN
2015-12-21 21:17:15 +01:00
LogText "Result: GRUB has password protection."
2014-09-25 17:47:23 +02:00
AddHP 4 4
2016-09-08 21:04:17 +02:00
else
2019-03-07 10:15:16 +01:00
Display --indent 4 --text "- Checking for password protection" --result "${STATUS_NONE}" --color RED
2015-12-21 21:17:15 +01:00
LogText "Result: Didn't find hashed password line in GRUB boot file!"
2014-11-13 00:58:11 +01:00
ReportSuggestion ${TEST_NO} "Set a password on GRUB bootloader to prevent altering boot configuration (e.g. boot in single user mode without password)"
AddHP 0 2
2014-09-25 17:47:23 +02:00
fi
2016-09-08 21:04:17 +02:00
else
LogText "Result: Can not read ${GRUBCONFFILE} (no permission)"
2014-09-25 17:47:23 +02:00
fi
fi
#
#################################################################################
2014-08-26 17:33:55 +02:00
#
# Test : BOOT-5124
# Description : Check for FreeBSD boot loader
2016-07-24 17:22:00 +02:00
Register --test-no BOOT-5124 --os FreeBSD --weight L --network NO --category security --description "Check for FreeBSD boot loader presence"
2014-08-26 17:33:55 +02:00
if [ ${SKIPTEST} -eq 0 ]; then
2015-08-20 18:37:03 +02:00
BOOT_LOADER_SEARCHED=1
2016-09-08 21:04:17 +02:00
if [ -f ${ROOTDIR}boot/boot1 -a -f ${ROOTDIR}boot/boot2 -a -f ${ROOTDIR}boot/loader ]; then
LogText "Result: found boot1, boot2 and loader files in ${ROOTDIR}boot"
2016-06-18 11:14:01 +02:00
Display --indent 2 --text "- Checking presence FreeBSD loader" --result "${STATUS_FOUND}" --color GREEN
2014-08-26 17:33:55 +02:00
BOOT_LOADER="FreeBSD"
2014-09-22 23:39:31 +02:00
BOOT_LOADER_FOUND=1
2016-09-08 21:04:17 +02:00
else
LogText "Result: Not all expected files found in ${ROOTDIR}boot"
2016-11-19 13:39:57 +01:00
fi
fi
#
#################################################################################
#
# Test : BOOT-5261
# Description : Check for DragonFly boot loader
Register --test-no BOOT-5261 --os DragonFly --weight L --network NO --category security --description "Check for DragonFly boot loader presence"
if [ ${SKIPTEST} -eq 0 ]; then
BOOT_LOADER_SEARCHED=1
if [ -f ${ROOTDIR}boot/boot1 -a -f ${ROOTDIR}boot/boot2 -a -f ${ROOTDIR}boot/loader ]; then
LogText "Result: found boot1, boot2 and loader files in ${ROOTDIR}boot"
Display --indent 2 --text "- Checking presence DragonFly loader" --result "${STATUS_FOUND}" --color GREEN
BOOT_LOADER="DragonFly"
BOOT_LOADER_FOUND=1
else
LogText "Result: Not all expected files found in ${ROOTDIR}boot"
2014-08-26 17:33:55 +02:00
fi
fi
#
#################################################################################
#
# Test : BOOT-5126
# Description : Check for NetBSD boot loader
2016-07-24 17:22:00 +02:00
Register --test-no BOOT-5126 --os NetBSD --weight L --network NO --category security --description "Check for NetBSD boot loader presence"
2014-08-26 17:33:55 +02:00
if [ ${SKIPTEST} -eq 0 ]; then
2015-08-20 18:37:03 +02:00
BOOT_LOADER_SEARCHED=1
2016-09-08 21:04:17 +02:00
if [ -f ${ROOTDIR}boot.${HARDWARE} -o -f ${ROOTDIR}boot -o -f ${ROOTDIR}ofwboot ]; then
2015-12-21 21:17:15 +01:00
LogText "Result: found NetBSD secondary bootstrap"
2016-06-18 11:14:01 +02:00
Display --indent 2 --text "- Checking presence NetBSD loader" --result "${STATUS_FOUND}" --color GREEN
2014-08-26 17:33:55 +02:00
BOOT_LOADER="NetBSD"
2014-09-22 23:39:31 +02:00
BOOT_LOADER_FOUND=1
2016-09-08 21:04:17 +02:00
else
2015-12-21 21:17:15 +01:00
LogText "Result: NetBSD secondary bootstrap not found"
2014-08-26 17:33:55 +02:00
ReportException "${TEST_NO}:1" "No boot loader found on NetBSD"
fi
fi
#
#################################################################################
#
# Test : BOOT-5139
# Description : Check for LILO boot loader
# Notes : password= or password =
2016-07-24 17:22:00 +02:00
Register --test-no BOOT-5139 --weight L --network NO --category security --description "Check for LILO boot loader presence"
2014-08-26 17:33:55 +02:00
if [ ${SKIPTEST} -eq 0 ]; then
2015-08-20 18:37:03 +02:00
BOOT_LOADER_SEARCHED=1
2016-09-08 21:04:17 +02:00
LILOCONFFILE="${ROOTDIR}etc/lilo.conf"
2015-12-21 21:17:15 +01:00
LogText "Test: checking for presence LILO configuration file"
2014-09-09 14:49:37 +02:00
if [ -f ${LILOCONFFILE} ]; then
FileIsReadable ${LILOCONFFILE}
if [ ${CANREAD} -eq 1 ]; then
BOOT_LOADER="LILO"
2014-09-22 23:39:31 +02:00
BOOT_LOADER_FOUND=1
2016-06-18 11:14:01 +02:00
Display --indent 2 --text "- Checking presence LILO" --result "${STATUS_OK}" --color GREEN
2015-12-21 21:17:15 +01:00
LogText "Checking password option LILO"
2016-09-08 21:04:17 +02:00
FIND=$(${EGREPBINARY} 'password[[:space:]]?=' ${LILOCONFFILE} | ${GREPBINARY} -v "^#")
2016-10-26 12:34:56 +02:00
if [ -z "${FIND}" ]; then
if [ "${MACHINE_ROLE}" = "server" -o "${MACHINE_ROLE}" = "workstation" ]; then
Display --indent 4 --text "- Password option presence " --result "${STATUS_WARNING}" --color RED
LogText "Result: no password set for LILO. Bootloader is unprotected to dropping to single user mode or unauthorized access to devices/data."
ReportSuggestion ${TEST_NO} "Add a password to LILO, by adding a line to the lilo.conf file, above the first line saying 'image=<name>': password=<password>"
ReportWarning ${TEST_NO} "No password set on LILO bootloader"
AddHP 0 2
2017-03-07 20:23:08 +01:00
elif [ "${MACHINE_ROLE}" = "personal" ]; then
2016-10-26 12:30:31 +02:00
Display --indent 4 --text "- Password option presence " --result "${STATUS_WARNING}" --color yellow
LogText "Result: no password set for LILO. Bootloader is unprotected to dropping to single user mode or unauthorized access to devices/data."
ReportSuggestion ${TEST_NO} "No password set on LILO bootloader. Add a password to LILO, by adding a line to the lilo.conf file, above the first line saying 'image=<name>': password=<password>"
2016-10-26 12:34:56 +02:00
AddHP 1 2
else
LogText "Result: no password set for LILO, with unknown machine role"
2016-10-26 12:30:31 +02:00
fi
2016-09-08 21:04:17 +02:00
else
2016-06-18 11:14:01 +02:00
Display --indent 4 --text "- Password option presence " --result "${STATUS_OK}" --color GREEN
2015-12-21 21:17:15 +01:00
LogText "Result: LILO password option set"
2014-09-09 14:49:37 +02:00
AddHP 4 4
fi
2016-09-08 21:04:17 +02:00
else
2015-12-21 21:17:15 +01:00
LogText "Result: can not read ${LILOCONFFILE} (no permission)"
2014-08-26 17:33:55 +02:00
fi
2016-09-08 21:04:17 +02:00
else
2015-12-21 21:17:15 +01:00
LogText "Result: LILO configuration file not found"
2016-10-26 13:31:59 +02:00
fi
2014-08-26 17:33:55 +02:00
fi
#
#################################################################################
#
# Test : BOOT-5142
# Description : Check for SILO boot loader
2016-07-24 17:22:00 +02:00
Register --test-no BOOT-5142 --weight L --network NO --category security --description "Check SPARC Improved boot loader (SILO)"
2014-08-26 17:33:55 +02:00
if [ ${SKIPTEST} -eq 0 ]; then
2015-08-20 18:37:03 +02:00
BOOT_LOADER_SEARCHED=1
2017-04-30 17:59:35 +02:00
if [ -f ${ROOTDIR}etc/silo.conf ]; then
2015-12-21 21:17:15 +01:00
LogText "Result: Found SILO configuration file (/etc/silo.conf)"
2016-06-18 11:14:01 +02:00
Display --indent 2 --text "- Checking boot loader SILO" --result "${STATUS_FOUND}" --color GREEN
2014-08-26 17:33:55 +02:00
BOOT_LOADER="SILO"
2014-09-22 23:39:31 +02:00
BOOT_LOADER_FOUND=1
2017-04-30 17:59:35 +02:00
else
2015-12-21 21:17:15 +01:00
LogText "Result: no SILO configuration file found."
2014-08-26 17:33:55 +02:00
fi
fi
#
#################################################################################
#
# Test : BOOT-5155
# Description : Check for YABOOT boot loader
2016-07-24 17:22:00 +02:00
Register --test-no BOOT-5155 --weight L --network NO --category security --description "Check for YABOOT boot loader configuration file"
2014-08-26 17:33:55 +02:00
if [ ${SKIPTEST} -eq 0 ]; then
2015-08-20 18:37:03 +02:00
BOOT_LOADER_SEARCHED=1
2015-12-21 21:17:15 +01:00
LogText "Test: Check for /etc/yaboot.conf"
2014-08-26 17:33:55 +02:00
if [ -f /etc/yaboot.conf ]; then
2015-12-21 21:17:15 +01:00
LogText "Result: Found YABOOT configuration file (/etc/yaboot.conf)"
2016-06-18 11:14:01 +02:00
Display --indent 4 --text "- Checking boot loader YABOOT" --result "${STATUS_FOUND}" --color GREEN
2014-08-26 17:33:55 +02:00
BOOT_LOADER="YABOOT"
2014-09-22 23:39:31 +02:00
BOOT_LOADER_FOUND=1
2016-09-08 21:04:17 +02:00
else
2015-12-21 21:17:15 +01:00
LogText "Result: no YABOOT configuration file found."
2014-08-26 17:33:55 +02:00
fi
fi
#
#################################################################################
#
# Test : BOOT-5159
# Description : Check for OpenBSD boot loader
2014-11-04 00:29:44 +01:00
# More info : Only OpenBSD
2016-07-24 17:22:00 +02:00
Register --test-no BOOT-5159 --os OpenBSD --weight L --network NO --category security --description "Check for OpenBSD boot loader presence"
2014-08-26 17:33:55 +02:00
if [ ${SKIPTEST} -eq 0 ]; then
2015-08-20 18:37:03 +02:00
BOOT_LOADER_SEARCHED=1
2014-11-04 00:29:44 +01:00
FOUND=0
# Boot files
# /usr/mdec/biosboot: first stage bootstrap
# /boot : second stage bootstrap
2016-09-08 21:04:17 +02:00
if [ -f ${ROOTDIR}usr/mdec/biosboot -a -f ${ROOTDIR}boot ]; then
2014-11-04 00:29:44 +01:00
FOUND=1
fi
# Configuration file
2016-09-08 21:04:17 +02:00
if [ -f ${ROOTDIR}etc/boot.conf ]; then
2014-11-04 00:29:44 +01:00
FOUND=1
2016-09-08 21:04:17 +02:00
Display --indent 2 --text "- Checking ${ROOTDIR}etc/boot.conf" --result "${STATUS_FOUND}" --color GREEN
FIND=$(${GREPBINARY} '^boot' ${ROOTDIR}etc/boot.conf)
if [ -z "${FIND}" ]; then
2016-06-18 11:14:01 +02:00
Display --indent 4 --text "- Checking boot option" --result "${STATUS_WARNING}" --color RED
2016-09-08 21:04:17 +02:00
#ReportSuggestion ${TEST_NO} "Add 'boot' to the ${ROOTDIR}etc/boot.conf file to disable the default 5 seconds waiting time, to disallow booting into single user mode."
2016-08-10 07:12:29 +02:00
ReportWarning ${TEST_NO} "System can be booted into single user mode without password"
2016-09-08 21:04:17 +02:00
else
2016-06-18 11:14:01 +02:00
Display --indent 4 --text "- Checking boot option" --result "${STATUS_OK}" --color GREEN
2015-12-21 21:17:15 +01:00
LogText "Ok, boot option is enabled."
2014-08-26 17:33:55 +02:00
fi
2016-09-08 21:04:17 +02:00
else
Display --indent 2 --text "- Checking ${ROOTDIR}etc/boot.conf" --result "${STATUS_NOT_FOUND}" --color YELLOW
LogText "Result: no ${ROOTDIR}etc/boot.conf found. When using the default boot loader, physical"
2015-12-21 21:17:15 +01:00
LogText "access to the server can be used to possibly enter single user mode."
2016-09-08 21:04:17 +02:00
ReportSuggestion ${TEST_NO} "Add 'boot' to the ${ROOTDIR}etc/boot.conf file to disable the default 5 seconds waiting time."
2014-08-26 17:33:55 +02:00
fi
2014-11-04 00:29:44 +01:00
if [ ${FOUND} -eq 1 ]; then
2015-12-21 21:17:15 +01:00
LogText "Result: found OpenBSD boot loader"
2014-11-04 00:29:44 +01:00
BOOT_LOADER="OpenBSD"
BOOT_LOADER_FOUND=1
fi
2014-08-26 17:33:55 +02:00
fi
#
#################################################################################
2014-09-22 23:39:31 +02:00
#
2015-08-20 18:37:03 +02:00
if [ ${BOOT_LOADER_FOUND} -eq 0 -a ${BOOT_LOADER_SEARCHED} -eq 1 ]; then
2014-09-22 23:39:31 +02:00
# Your boot loader is not detected. Want to help supporting it, see the README
2016-10-19 10:07:11 +02:00
# ReportException "BOOTLOADER" "No boot loader found"
Display --indent 4 --text "- Boot loader" --result "NONE FOUND" --color YELLOW
2014-09-22 23:39:31 +02:00
fi
#
#################################################################################
2014-08-26 17:33:55 +02:00
#
# Test : BOOT-5165
# Description : Check for FreeBSD boot services
2016-07-24 17:22:00 +02:00
Register --test-no BOOT-5165 --os FreeBSD --weight L --network NO --category security --description "Check for FreeBSD boot services"
2014-08-26 17:33:55 +02:00
if [ ${SKIPTEST} -eq 0 ]; then
2017-04-30 17:59:35 +02:00
if HasData "${SERVICEBINARY}"; then
2015-04-27 19:58:07 +02:00
# FreeBSD (Ask services(8) for enabled services)
2015-12-21 21:17:15 +01:00
LogText "Searching for services at startup (service)"
2016-09-08 21:04:17 +02:00
FIND=$(${SERVICEBINARY} -e | ${SEDBINARY} 's|^.*\/||' | ${SORTBINARY})
2015-04-27 19:58:07 +02:00
else
# FreeBSD (Read /etc/rc.conf file for enabled services)
2015-12-21 21:17:15 +01:00
LogText "Searching for services at startup (rc.conf)"
2017-04-30 17:59:35 +02:00
FIND=$(${EGREPBINARY} -v -i '^#|none' ${ROOTDIR}etc/rc.conf | ${EGREPBINARY} -i '_enable.*(yes|on|1)' | ${SORTBINARY} | ${AWKBINARY} -F= '{ print $1 }' | ${SEDBINARY} 's/_enable//')
2015-04-27 19:58:07 +02:00
fi
2017-04-30 17:59:35 +02:00
COUNT=0
for ITEM in ${FIND}; do
LogText "Found service (service/rc.conf): ${ITEM}"
Report "boottask[]=${ITEM}"
COUNT=$((COUNT + 1))
2014-08-26 17:33:55 +02:00
done
2016-06-18 11:14:01 +02:00
Display --indent 2 --text "- Checking services at startup (service/rc.conf)" --result "${STATUS_DONE}" --color GREEN
2017-04-30 17:59:35 +02:00
Display --indent 6 --text "Result: found ${COUNT} services/options set"
LogText "Found ${COUNT} services/options to run at startup"
2014-08-26 17:33:55 +02:00
fi
#
#################################################################################
#
# Test : BOOT-5177
# Description : Check for Linux boot services (systemd and chkconfig)
# Notes : We skip using chkconfig if systemd is being used.
2016-07-24 17:22:00 +02:00
Register --test-no BOOT-5177 --os Linux --weight L --network NO --category security --description "Check for Linux boot and running services"
2014-08-26 17:33:55 +02:00
if [ ${SKIPTEST} -eq 0 ]; then
CHECKED=0
2015-12-21 21:17:15 +01:00
LogText "Test: checking presence systemctl binary"
2014-08-26 17:33:55 +02:00
# Determine if we have systemctl on board
2017-04-30 17:59:35 +02:00
if HasData "${SYSTEMCTLBINARY}"; then
2015-12-21 21:17:15 +01:00
LogText "Result: systemctl binary found, trying that to discover information"
2014-08-26 17:33:55 +02:00
# Running services
2015-12-21 21:17:15 +01:00
LogText "Searching for running services (systemctl services only)"
2019-03-07 10:10:21 +01:00
FIND=$(${SYSTEMCTLBINARY} --no-legend --full --type=service --state=running | ${AWKBINARY} -F.service '{ print $1 }')
2017-04-30 17:59:35 +02:00
COUNT=0
2015-12-21 21:17:15 +01:00
Report "running_service_tool=systemctl"
2017-04-30 17:59:35 +02:00
for ITEM in ${FIND}; do
LogText "Found running service: ${ITEM}"
Report "running_service[]=${ITEM}"
COUNT=$((COUNT + 1))
2014-08-26 17:33:55 +02:00
done
2018-12-14 13:17:46 +01:00
LogText "Hint: Run systemctl --full --type=service to see all services"
2016-06-18 11:14:01 +02:00
Display --indent 2 --text "- Check running services (systemctl)" --result "${STATUS_DONE}" --color GREEN
2017-04-30 17:59:35 +02:00
Display --indent 8 --text "Result: found ${COUNT} running services"
LogText "Result: Found ${COUNT} enabled services"
2014-08-26 17:33:55 +02:00
# Services at boot
2015-12-21 21:17:15 +01:00
LogText "Searching for enabled services (systemctl services only)"
2019-03-07 10:10:21 +01:00
FIND=$(${SYSTEMCTLBINARY} list-unit-files --no-legend --type=service --state=enabled | ${SORTBINARY} -u | ${AWKBINARY} -F.service '{ print $1 }')
2017-04-30 17:59:35 +02:00
COUNT=0
2015-12-21 21:17:15 +01:00
Report "boot_service_tool=systemctl"
2017-04-30 17:59:35 +02:00
for ITEM in ${FIND}; do
LogText "Found enabled service at boot: ${ITEM}"
Report "boot_service[]=${ITEM}"
COUNT=$((COUNT + 1))
2014-08-26 17:33:55 +02:00
done
2018-12-14 13:17:46 +01:00
LogText "Hint: Run systemctl list-unit-files --type=service to see all services"
2016-06-18 11:14:01 +02:00
Display --indent 2 --text "- Check enabled services at boot (systemctl)" --result "${STATUS_DONE}" --color GREEN
2017-04-30 17:59:35 +02:00
Display --indent 8 --text "Result: found ${COUNT} enabled services"
LogText "Result: Found ${COUNT} running services"
2014-08-26 17:33:55 +02:00
2017-04-30 17:59:35 +02:00
else
2016-09-08 21:04:17 +02:00
2015-12-21 21:17:15 +01:00
LogText "Result: systemctl binary not found, checking chkconfig binary"
2019-07-16 13:20:30 +02:00
if [ -n "${CHKCONFIGBINARY}" ]; then
2015-12-21 21:17:15 +01:00
LogText "Result: chkconfig binary found, trying that to discover information"
LogText "Searching for services at startup (chkconfig, runlevel 3 and 5)"
2016-09-08 21:04:17 +02:00
FIND=$(${CHKCONFIGBINARY} --list | ${EGREPBINARY} '3:on|5:on' | ${AWKBINARY} '{ print $1 }')
2017-04-30 17:59:35 +02:00
COUNT=0
2015-12-21 21:17:15 +01:00
Report "boot_service_tool=chkconfig"
2017-04-30 17:59:35 +02:00
for ITEM in ${FIND}; do
LogText "Found service (at boot, runlevel 3 or 5): ${ITEM}"
Report "boot_service[]=${ITEM}"
COUNT=$((COUNT + 1))
2014-08-26 17:33:55 +02:00
done
2016-04-25 20:48:21 +02:00
LogText "Hint: Run chkconfig --list to see all services and disable unneeded services"
2016-06-18 11:14:01 +02:00
Display --indent 2 --text "- Check services at startup (chkconfig)" --result "${STATUS_DONE}" --color GREEN
2017-04-30 17:59:35 +02:00
Display --indent 8 --text "Result: found ${COUNT} services"
LogText "Result: Found ${COUNT} services at startup"
2016-09-08 21:04:17 +02:00
else
2015-12-21 21:17:15 +01:00
LogText "Result: both systemctl and chkconfig not found. Skipping this test"
2014-08-26 17:33:55 +02:00
fi
fi
fi
#
#################################################################################
#
# Test : BOOT-5180
# Description : Check for Linux boot services (Debian style)
2015-08-20 18:37:03 +02:00
# Notes : Debian 8+ shows runlevel 5
2014-08-26 17:33:55 +02:00
if [ "${LINUX_VERSION}" = "Debian" -o "${LINUX_VERSION}" = "Ubuntu" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
2016-07-24 17:22:00 +02:00
Register --test-no BOOT-5180 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for Linux boot services (Debian style)"
2014-08-26 17:33:55 +02:00
if [ ${SKIPTEST} -eq 0 ]; then
2015-07-22 16:28:11 +02:00
# Runlevel check
2016-09-08 21:04:17 +02:00
sRUNLEVEL=$(${RUNLEVELBINARY} | ${GREPBINARY} "N [0-9]" | ${AWKBINARY} '{ print $2} ')
2015-12-21 21:17:15 +01:00
LogText "Result: found runlevel ${sRUNLEVEL}"
2015-08-20 18:37:03 +02:00
if [ "${sRUNLEVEL}" = "2" ]; then
2015-12-21 21:17:15 +01:00
LogText "Result: performing find in /etc/rc2.d as runlevel 2 is found"
2016-09-08 21:04:17 +02:00
FIND=$(${FINDBINARY} ${ROOTDIR}etc/rc2.d -type l -print | ${CUTBINARY} -d '/' -f4 | ${SEDBINARY} "s/S[0-9][0-9]//g" | sort)
2019-07-16 13:20:30 +02:00
if [ -n "${FIND}" ]; then
2017-04-30 17:59:35 +02:00
COUNT=0
2016-09-08 21:04:17 +02:00
for SERVICE in ${FIND}; do
LogText "Found service (at boot, runlevel 2): ${SERVICE}"
2017-04-30 17:59:35 +02:00
COUNT=$((COUNT + 1))
2014-08-26 17:33:55 +02:00
done
2016-06-18 11:14:01 +02:00
Display --indent 2 --text "- Check services at startup (rc2.d)" --result "${STATUS_DONE}" --color WHITE
2017-04-30 17:59:35 +02:00
Display --indent 4 --text "Result: found ${COUNT} services"
LogText "Result: found ${COUNT} services"
2014-08-26 17:33:55 +02:00
fi
2016-09-08 21:04:17 +02:00
elif [ -z "${sRUNLEVEL}" ]; then
2014-08-26 17:33:55 +02:00
ReportSuggestion ${TEST_NO} "Determine runlevel and services at startup"
2016-09-08 21:04:17 +02:00
else
2015-12-21 21:17:15 +01:00
LogText "Result: skipping further actions"
2014-08-26 17:33:55 +02:00
fi
fi
#
#################################################################################
#
# Test : BOOT-5184
# Description : Check world writable startup scripts
2016-07-24 17:22:00 +02:00
Register --test-no BOOT-5184 --os Linux --weight L --network NO --category security --description "Check permissions for boot files/scripts"
2014-08-26 17:33:55 +02:00
if [ ${SKIPTEST} -eq 0 ]; then
FOUND=0
2016-09-08 21:04:17 +02:00
CHECKDIRS="${ROOTDIR}etc/init.d ${ROOTDIR}etc/rc.d ${ROOTDIR}etc/rcS.d"
2014-08-26 17:33:55 +02:00
2017-04-30 17:59:35 +02:00
LogText "Result: checking ${ROOTDIR}etc/init.d scripts for writable bit"
for DIR in ${CHECKDIRS}; do
LogText "Test: checking if directory ${DIR} exists"
if [ -d ${DIR} ]; then
LogText "Result: directory ${DIR} found"
2015-12-21 21:17:15 +01:00
LogText "Test: checking for available files in directory"
2017-05-31 15:40:39 +02:00
FIND=$(${FINDBINARY} ${DIR} -type f -print | ${SORTBINARY})
2019-07-16 13:20:30 +02:00
if [ -n "${FIND}" ]; then
2015-12-21 21:17:15 +01:00
LogText "Result: found files in directory, checking permissions now"
2017-04-30 17:59:35 +02:00
for FILE in ${FIND}; do
LogText "Test: checking permissions of file ${FILE}"
if IsWorldWritable ${FILE}; then
2014-08-26 17:33:55 +02:00
FOUND=1
2017-04-30 17:59:35 +02:00
LogText "Result: warning, file ${FILE} is world writable"
2016-09-08 21:04:17 +02:00
else
2017-04-30 17:59:35 +02:00
LogText "Result: good, file ${FILE} not world writable"
2014-08-26 17:33:55 +02:00
fi
done
2016-09-08 21:04:17 +02:00
else
2015-12-21 21:17:15 +01:00
LogText "Result: found no files in directory."
2014-08-26 17:33:55 +02:00
fi
2016-09-08 21:04:17 +02:00
else
2017-04-30 17:59:35 +02:00
LogText "Result: directory ${DIR} not found. Skipping.."
2014-08-26 17:33:55 +02:00
fi
done
# /etc/rc[0-6].d
for NO in 0 1 2 3 4 5 6; do
2017-04-30 17:59:35 +02:00
LogText "Test: Checking ${ROOTDIR}etc/rc${NO}.d scripts for writable bit"
2016-09-08 21:04:17 +02:00
if [ -d ${ROOTDIR}etc/rc${NO}.d ]; then
2017-05-31 15:40:39 +02:00
FIND=$(${FINDBINARY} ${ROOTDIR}etc/rc${NO}.d -type f -print | ${SORTBINARY})
2014-08-26 17:33:55 +02:00
for I in ${FIND}; do
2015-12-21 21:17:15 +01:00
if IsWorldWritable ${I}; then
2014-08-26 17:33:55 +02:00
FOUND=1
2016-05-02 13:26:27 +02:00
LogText "Result: warning, file ${I} is world writable"
2016-09-08 21:04:17 +02:00
else
2015-12-21 21:17:15 +01:00
LogText "Result: good, file ${I} not world writable"
2014-08-26 17:33:55 +02:00
fi
done
fi
done
# Other files
2016-09-08 21:04:17 +02:00
CHECKFILES="${ROOTDIR}etc/rc ${ROOTDIR}etc/rc.local ${ROOTDIR}etc/rc.d/rc.sysinit"
2014-08-26 17:33:55 +02:00
for I in ${CHECKFILES}; do
if [ -f ${I} ]; then
2016-05-02 13:23:43 +02:00
ShowSymlinkPath "${I}"
if [ ${FOUNDPATH} -eq 1 ]; then
2016-05-02 13:26:27 +02:00
CHECKFILE="${SYMLINK}"
2016-05-02 13:23:43 +02:00
LogText "Result: found the path behind this symlink (${CHECKFILE} --> ${I})"
2016-09-08 21:04:17 +02:00
else
2016-05-02 13:26:27 +02:00
CHECKFILE="${I}"
2016-05-02 13:23:43 +02:00
fi
LogText "Test: Checking ${CHECKFILE} file for writable bit"
if IsWorldWritable ${CHECKFILE}; then
2014-08-26 17:33:55 +02:00
FOUND=1
2016-08-10 07:24:10 +02:00
ReportWarning ${TEST_NO} "Found writable startup script ${CHECKFILE}"
2016-05-02 13:23:43 +02:00
LogText "Result: warning, file ${CHECKFILE} is world writable"
2016-09-08 21:04:17 +02:00
else
2016-05-02 13:23:43 +02:00
LogText "Result: good, file ${CHECKFILE} not world writable"
2014-08-26 17:33:55 +02:00
fi
fi
done
# Check results
if [ ${FOUND} -eq 1 ]; then
2016-06-18 11:14:01 +02:00
Display --indent 2 --text "- Check startup files (permissions)" --result "${STATUS_WARNING}" --color RED
2015-09-24 21:41:48 +02:00
ReportWarning ${TEST_NO} "Found world writable startup scripts" "-" "-"
2015-12-21 21:17:15 +01:00
LogText "Result: found one or more scripts which are possibly writable by other users"
2014-08-26 17:33:55 +02:00
AddHP 0 3
2016-09-08 21:04:17 +02:00
else
2016-06-18 11:14:01 +02:00
Display --indent 2 --text "- Check startup files (permissions)" --result "${STATUS_OK}" --color GREEN
2014-08-26 17:33:55 +02:00
AddHP 3 3
fi
fi
#
#################################################################################
#
# Test : BOOT-5202
# Description : Check uptime of system
2016-07-24 17:22:00 +02:00
Register --test-no BOOT-5202 --weight L --network NO --category security --description "Check uptime of system"
2014-08-26 17:33:55 +02:00
if [ ${SKIPTEST} -eq 0 ]; then
FOUND=0
FIND=""
2016-10-17 17:24:34 +02:00
UPTIME_IN_SECS=""
2014-08-26 17:33:55 +02:00
case "${OS}" in
Linux)
2014-11-04 01:04:28 +01:00
# Idle time, not real uptime
if [ -f /proc/uptime ]; then
2019-09-19 14:05:15 +02:00
UPTIME_IN_SECS=$(${CUTBINARY} -d ' ' -f1 /proc/uptime | ${CUTBINARY} -d '.' -f1)
2016-09-08 21:04:17 +02:00
else
2016-06-18 11:14:01 +02:00
Display --indent 2 --text "- Checking uptime" --result "${STATUS_SKIPPED}" --color YELLOW
2014-11-04 01:04:28 +01:00
ReportException "${TEST_NO}:1" "No uptime test available for this operating system (/proc/uptime missing)"
fi
2019-09-19 14:05:15 +02:00
;;
2014-11-04 01:36:56 +01:00
2019-09-19 14:05:15 +02:00
DragonFly | FreeBSD | macOS)
2019-07-16 13:20:30 +02:00
if [ -n "${SYSCTLBINARY}" ]; then
2016-10-17 17:18:10 +02:00
TIME_BOOT=$(${SYSCTLBINARY} kern.boottime | ${AWKBINARY} '{ print $5 }' | ${SEDBINARY} -e 's/,//' | ${GREPBINARY} "[0-9]")
TIME_NOW=$(date "+%s")
LogText "Boot time: ${TIME_BOOT}"
LogText "Current time: ${TIME_NOW}"
2019-07-16 13:20:30 +02:00
if [ -n "${TIME_BOOT}" -a -n "${TIME_NOW}" ]; then
2016-10-17 17:18:10 +02:00
UPTIME_IN_SECS=$((TIME_NOW - TIME_BOOT))
else
ReportException "${TEST_NO}:5" "Most likely kern.boottime empty, unable to determine uptime"
fi
2016-09-08 21:04:17 +02:00
else
2016-06-18 11:14:01 +02:00
Display --indent 2 --text "- Checking uptime" --result "${STATUS_SKIPPED}" --color YELLOW
2014-11-04 01:04:28 +01:00
ReportException "${TEST_NO}:4" "No uptime test available for this operating system (sysctl missing)"
fi
2019-09-19 14:05:15 +02:00
;;
2014-11-04 01:04:28 +01:00
2019-09-19 14:05:15 +02:00
NetBSD | OpenBSD)
2019-07-16 13:20:30 +02:00
if [ -n "${SYSCTLBINARY}" ]; then
2016-09-08 21:04:17 +02:00
TIME_BOOT=$(${SYSCTLBINARY} -n kern.boottime)
TIME_NOW=$(date "+%s")
2015-12-21 21:17:15 +01:00
LogText "Boot time: ${TIME_BOOT}"
LogText "Current time: ${TIME_NOW}"
2019-07-16 13:20:30 +02:00
if [ -n "${TIME_BOOT}" -a -n "${TIME_NOW}" ]; then
2016-05-03 14:57:53 +02:00
UPTIME_IN_SECS=$((TIME_NOW - TIME_BOOT))
2016-09-08 21:04:17 +02:00
else
2014-11-04 01:04:28 +01:00
ReportException "${TEST_NO}:5" "Most likely kern.boottime empty, unable to determine uptime"
fi
2016-09-08 21:04:17 +02:00
else
2016-06-18 11:14:01 +02:00
Display --indent 2 --text "- Checking uptime" --result "${STATUS_SKIPPED}" --color YELLOW
2014-11-04 01:04:28 +01:00
ReportException "${TEST_NO}:4" "No uptime test available for this operating system (sysctl missing)"
fi
2019-09-19 14:05:15 +02:00
;;
2014-09-25 19:00:36 +02:00
2014-08-26 17:33:55 +02:00
Solaris)
2019-07-16 13:20:30 +02:00
if [ -n "${KSTATBINARY}" ]; then
2016-10-17 17:24:34 +02:00
UPTIME_IN_SECS=$(${KSTATBINARY} -p unix:0:system_misc:snaptime | ${GREPBINARY} "^unix" | ${AWKBINARY} '{print $2}' | ${CUTBINARY} -d "." -f1)
2016-09-08 21:04:17 +02:00
else
2016-06-18 11:14:01 +02:00
Display --indent 2 --text "- Checking uptime" --result "${STATUS_SKIPPED}" --color YELLOW
2014-11-04 01:04:28 +01:00
ReportException "${TEST_NO}:2" "No uptime test available for this operating system (kstat missing)"
fi
2019-09-19 14:05:15 +02:00
;;
2014-11-04 01:04:28 +01:00
2014-08-26 17:33:55 +02:00
*)
2016-06-18 11:14:01 +02:00
Display --indent 2 --text "- Checking uptime" --result "${STATUS_SKIPPED}" --color YELLOW
2014-08-26 17:33:55 +02:00
2014-11-04 01:04:28 +01:00
# Want to help improving Lynis? Share your operating system and a way to determine the uptime (in seconds)
ReportException "${TEST_NO}:3" "No uptime test available yet for this operating system"
2019-09-19 14:05:15 +02:00
;;
2014-08-26 17:33:55 +02:00
esac
2019-09-19 14:05:15 +02:00
2019-07-16 13:20:30 +02:00
if [ -n "${UPTIME_IN_SECS}" ]; then
2016-05-03 14:57:53 +02:00
UPTIME_IN_DAYS=$((UPTIME_IN_SECS / 60 / 60 / 24))
2015-12-21 21:17:15 +01:00
LogText "Uptime (in seconds): ${UPTIME_IN_SECS}"
LogText "Uptime (in days): ${UPTIME_IN_DAYS}"
Report "uptime_in_seconds=${UPTIME_IN_SECS}"
Report "uptime_in_days=${UPTIME_IN_DAYS}"
2016-09-08 21:04:17 +02:00
else
2015-12-21 21:17:15 +01:00
LogText "Result: no uptime information available"
2014-08-26 17:33:55 +02:00
fi
fi
#
#################################################################################
#
2014-12-09 18:11:21 +01:00
# Test : BOOT-5260
# Description : Check single user mode for systemd
2016-07-24 17:22:00 +02:00
Register --test-no BOOT-5260 --weight L --network NO --category security --description "Check single user mode for systemd"
2014-12-09 18:11:21 +01:00
if [ ${SKIPTEST} -eq 0 ]; then
2015-12-21 21:17:15 +01:00
LogText "Test: Searching /usr/lib/systemd/system/rescue.service"
2016-09-08 21:04:17 +02:00
if [ -f ${ROOTDIR}usr/lib/systemd/system/rescue.service ]; then
LogText "Result: file /usr/lib/systemd/system/rescue.service"
LogText "Test: checking presence sulogin for single user mode"
2018-10-17 14:21:30 +02:00
FIND=$(${EGREPBINARY} "^ExecStart=.*sulogin" ${ROOTDIR}usr/lib/systemd/system/rescue.service)
2019-07-16 13:20:30 +02:00
if [ -n "${FIND}" ]; then
2016-09-08 21:04:17 +02:00
FOUND=1
LogText "Result: found sulogin, so single user is protected"
AddHP 3 3
else
LogText "Result: did not find sulogin in rescue.service"
AddHP 1 3
Display --indent 2 --text "- Checking sulogin in rescue.service" --result "${STATUS_NOT_FOUND}" --color YELLOW
ReportSuggestion "${TEST_NO}" "Protect rescue.service by using sulogin"
fi
else
LogText "Result: file ${ROOTDIR}usr/lib/systemd/system/rescue.service does not exist"
fi
2014-12-09 18:11:21 +01:00
fi
#
#################################################################################
2019-03-05 19:03:44 +01:00
#
# Test : BOOT-5262
# Description : Check for OpenBSD boot daemons
Register --test-no BOOT-5262 --os OpenBSD --weight L --network NO --category security --description "Check for OpenBSD boot daemons"
if [ ${SKIPTEST} -eq 0 ]; then
if HasData "${RCCTLBINARY}"; then
LogText "Result: rcctl binary found, trying that to discover information"
# OpenBSD (Ask rcctl(8) for running daemons)
LogText "Searching for running daemons (rcctl)"
FIND=$(${RCCTLBINARY} ls started)
COUNT=0
Report "running_service_tool=rcctl"
for ITEM in ${FIND}; do
LogText "Found running daemon: ${ITEM}"
Report "running_service[]=${ITEM}"
COUNT=$((COUNT + 1 ))
done
LogText "Note: Run rcctl ls all | egrep '^(pf|check_quotas|library_aslr)$' to see all daemons"
Display --indent 2 --text "- Check running daemons (rcctl)" --result "${STATUS_DONE}" --color GREEN
Display --indent 8 --text "Result: found ${COUNT} running daemons"
LogText "Result: Found ${COUNT} running daemons"
# OpenBSD (Ask rcctl(8) for enabled daemons)
LogText "Searching for enabled daemons (rcctl)"
FIND=$(${RCCTLBINARY} ls on | ${EGREPBINARY} -v '^(pf|check_quotas|library_aslr)$')
COUNT=0
Report "boot_service_tool=rcctl"
for ITEM in ${FIND}; do
LogText "Found enabled daemon at boot: ${ITEM}"
Report "boot_service[]=${ITEM}"
COUNT=$((COUNT + 1 ))
done
LogText "Note: Run rcctl ls all | egrep '^(pf|check_quotas|library_aslr)$' to see all daemons"
Display --indent 2 --text "- Check enabled daemons at boot (rcctl)" --result "${STATUS_DONE}" --color GREEN
Display --indent 8 --text "Result: found ${COUNT} enabled daemons at boot"
LogText "Result: Found ${COUNT} enabled daemons at boot"
fi
fi
#
#################################################################################
#
# Test : BOOT-5263
# Description : Check OpenBSD world writable startup scripts
Register --test-no BOOT-5263 --os OpenBSD --weight L --network NO --category security --description "Check permissions for boot files/scripts"
if [ ${SKIPTEST} -eq 0 ]; then
FOUND=0
CHECKDIR="${ROOTDIR}etc/rc.d"
LogText "Result: checking ${ROOTDIR}etc/rc.d scripts for writable bit"
LogText "Test: checking if directory ${DIR} exists"
if [ -d ${CHECKDIR} ]; then
LogText "Result: directory ${DIR} found"
LogText "Test: checking for available files in directory"
# OpenBSD uses symlinks to create another instance of daemons
FIND=$(${FINDBINARY} ${CHECKDIR} \( -type f -o -type l \) -print | ${SORTBINARY})
2019-07-16 13:20:30 +02:00
if [ -n "${FIND}" ]; then
2019-03-05 19:03:44 +01:00
LogText "Result: found files in directory, checking permissions now"
for FILE in ${FIND}; do
LogText "Test: checking permissions of file ${FILE}"
ShowSymlinkPath "${FILE}"
if [ ${FOUNDPATH} -eq 1 ]; then
CHECKFILE="${SYMLINK}"
LogText "Result: found the path behind this symlink (${CHECKFILE} --> ${FILE})"
else
CHECKFILE="${FILE}"
fi
if IsWorldWritable ${CHECKFILE}; then
FOUND=1
LogText "Result: warning, file ${CHECKFILE} is world writable"
else
LogText "Result: good, file ${CHECKFILE} not world writable"
fi
done
else
LogText "Result: found no files in directory."
fi
else
LogText "Result: directory ${CHECKDIR} not found. Skipping.."
fi
# Other files
CHECKFILES="${ROOTDIR}etc/rc ${ROOT}etc/rc.conf ${ROOT}etc/rc.conf.local ${ROOTDIR}etc/rc.local"
for I in ${CHECKFILES}; do
if [ -f ${I} ]; then
ShowSymlinkPath "${I}"
if [ ${FOUNDPATH} -eq 1 ]; then
CHECKFILE="${SYMLINK}"
LogText "Result: found the path behind this symlink (${CHECKFILE} --> ${I})"
else
CHECKFILE="${I}"
fi
LogText "Test: Checking ${CHECKFILE} file for writable bit"
if IsWorldWritable ${CHECKFILE}; then
FOUND=1
ReportWarning ${TEST_NO} "Found writable startup script ${CHECKFILE}"
LogText "Result: warning, file ${CHECKFILE} is world writable"
else
LogText "Result: good, file ${CHECKFILE} not world writable"
fi
fi
done
# Check results
if [ ${FOUND} -eq 1 ]; then
Display --indent 2 --text "- Check startup files (permissions)" --result "${STATUS_WARNING}" --color RED
ReportWarning ${TEST_NO} "Found world writable startup scripts" "-" "-"
LogText "Result: found one or more scripts which are possibly writable by other users"
AddHP 0 3
else
Display --indent 2 --text "- Check startup files (permissions)" --result "${STATUS_OK}" --color GREEN
AddHP 3 3
fi
fi
#
#################################################################################
2014-12-09 18:11:21 +01:00
#
2015-12-21 21:17:15 +01:00
Report "boot_loader=${BOOT_LOADER}"
Report "boot_uefi_booted=${UEFI_BOOTED}"
Report "boot_uefi_booted_secure=${UEFI_BOOTED_SECURE}"
Report "service_manager=${SERVICE_MANAGER}"
2014-08-26 17:33:55 +02:00
2016-04-28 12:31:57 +02:00
WaitForKeyPress
2014-08-26 17:33:55 +02:00
#
#================================================================================
2016-03-13 16:03:46 +01:00
# Lynis - Security Auditing and System Hardening for Linux and UNIX - https://cisofy.com