#!/bin/sh
#################################################################################
#
# Lynis
# ------------------
#
# Copyright 2007-2013, Michael Boelen
# Copyright 2007-2021, CISOfy
#
# Website : https://cisofy.com
# Blog : http://linux-audit.com
# GitHub : https://github.com/CISOfy/lynis
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
# See LICENSE file for usage of this software.
#
#################################################################################
#
# Section-wide state. The tool-specific tests below fill these in; FINT-4350
# scores on FILE_INT_TOOL_FOUND at the end of the section.
FILE_INT_TOOL_FOUND=0 # Boolean, file integrity tool found
FILE_INT_TOOL=""      # name of the most recently detected integrity tool
AIDECONFIG=""         # path to aide.conf, filled in by FINT-4315 when found
# Main configuration file of the CSF suite (lfd checks, FINT-4334/4336)
CSF_CONFIG="${ROOTDIR}etc/csf/csf.conf"
#
#################################################################################
#
# Open the report section and print the on-screen heading for this group of tests
InsertSection "${SECTION_FILE_INTEGRITY}"
Display --indent 2 --text "- Checking file integrity tools"
#
#################################################################################
#
# Test : FINT-4310
# Description : Check if AFICK is installed
Register --test-no FINT-4310 --weight L --network NO --category security --description "AFICK availability"
if [ "${SKIPTEST}" -eq 0 ]; then
    # AFICKBINARY is filled in outside this file; an empty value means "not installed"
    LogText "Test: Checking AFICK binary"
    if [ -z "${AFICKBINARY}" ]; then
        LogText "Result: AFICK is not installed"
        # The NOT FOUND line is only shown in verbose mode to keep the screen output short
        if IsVerbose; then
            Display --indent 4 --text "- AFICK" --result "${STATUS_NOT_FOUND}" --color WHITE
        fi
    else
        LogText "Result: AFICK is installed (${AFICKBINARY})"
        Report "file_integrity_tool[]=afick"
        # Record the hit for the summary test (FINT-4350)
        FILE_INT_TOOL="afick"
        FILE_INT_TOOL_FOUND=1
        Display --indent 4 --text "- AFICK" --result "${STATUS_FOUND}" --color GREEN
    fi
fi
#
#################################################################################
#
# Test : FINT-4314
# Description : Check if AIDE is installed
Register --test-no FINT-4314 --weight L --network NO --category security --description "AIDE availability"
if [ "${SKIPTEST}" -eq 0 ]; then
    # AIDEBINARY is filled in outside this file; an empty value means "not installed"
    LogText "Test: Checking AIDE binary"
    if [ -z "${AIDEBINARY}" ]; then
        LogText "Result: AIDE is not installed"
        # The NOT FOUND line is only shown in verbose mode to keep the screen output short
        if IsVerbose; then
            Display --indent 4 --text "- AIDE" --result "${STATUS_NOT_FOUND}" --color WHITE
        fi
    else
        LogText "Result: AIDE is installed (${AIDEBINARY})"
        Report "file_integrity_tool[]=aide"
        # Record the hit for the summary test (FINT-4350); the AIDE-specific
        # tests that follow key on AIDEBINARY being non-empty
        FILE_INT_TOOL="aide"
        FILE_INT_TOOL_FOUND=1
        Display --indent 4 --text "- AIDE" --result "${STATUS_FOUND}" --color GREEN
    fi
fi
#
#################################################################################
#
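# Test : FINT-4315
# Description : Check AIDE configuration file
if [ -n "${AIDEBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no FINT-4315 --preqs-met "${PREQS_MET}" --weight L --network NO --category security --description "Check AIDE configuration file"
if [ "${SKIPTEST}" -eq 0 ]; then
    # Candidate directories, checked in this order. A later match overwrites
    # AIDECONFIG, so when several aide.conf files exist the last directory wins.
    AIDE_CONFIG_LOCS="${ROOTDIR}etc ${ROOTDIR}etc/aide ${ROOTDIR}usr/local/etc"
    LogText "Test: search for aide.conf in ${AIDE_CONFIG_LOCS}"
    for I in ${AIDE_CONFIG_LOCS}; do
        if [ -f "${I}/aide.conf" ]; then
            LogText "Result: found aide.conf in directory ${I}"
            AIDECONFIG="${I}/aide.conf"
        fi
    done
    if [ -z "${AIDECONFIG}" ]; then
        Display --indent 6 --text "- AIDE config file" --result "${STATUS_NOT_FOUND}" --color RED
        ReportWarning "${TEST_NO}" "No AIDE configuration file was found, needed for AIDE functionality"
    else
        LogText "Checking configuration file ${AIDECONFIG} for errors"
        # Let AIDE parse its own configuration (-D); only the exit status is
        # used. Output is discarded so parser diagnostics do not end up in the
        # screen output, and both paths are quoted in case ROOTDIR contains
        # whitespace.
        if "${AIDEBINARY}" --config="${AIDECONFIG}" -D >/dev/null 2>&1; then
            Display --indent 6 --text "- AIDE config file" --result "${STATUS_FOUND}" --color GREEN
        else
            Display --indent 6 --text "- AIDE config file" --result "${STATUS_WARNING}" --color YELLOW
            ReportSuggestion "${TEST_NO}" "Check the AIDE configuration file as it may contain errors"
        fi
    fi
fi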
#
#################################################################################
#
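# Test : FINT-4316
# Description : Presence of AIDE database and size check
if [ -n "${AIDEBINARY}" ] && [ -n "${AIDECONFIG}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no FINT-4316 --preqs-met "${PREQS_MET}" --weight L --network NO --category security --description "Presence of AIDE database and size check"
if [ "${SKIPTEST}" -eq 0 ]; then
    # Database location from 'database=' (older AIDE) or 'database_in='
    # (newer AIDE). The value has the form 'file:<path>', so everything up to
    # the last ':' is stripped.
    # NOTE(review): if a config sets both keys, AIDE_DB holds two lines and the
    # file tests below cannot match — confirm whether that combination occurs.
    AIDE_DB=$(${EGREPBINARY} '(^database|^database_in)=' "${AIDECONFIG}" | ${SEDBINARY} "s/.*://")
    # Expand an '@@{DBDIR}' macro using the '@@define DBDIR <dir>' line.
    case "${AIDE_DB}" in
        @@*)
            I=$(${GREPBINARY} "@@define.*DBDIR" "${AIDECONFIG}" | ${AWKBINARY} '{print $3}')
            # '#' is the sed delimiter here, so a DBDIR value containing '#'
            # would break this expression (unlikely for a directory path)
            AIDE_DB=$(printf '%s\n' "${AIDE_DB}" | ${SEDBINARY} "s#.*}#${I}#")
            ;;
    esac
    LogText "Test: search for AIDE database on disk ${AIDE_DB}"
    # An empty AIDE_DB (no database key found) also lands in this branch
    if [ ! -e "${AIDE_DB}" ]; then
        Display --indent 6 --text "- AIDE database" --result "${STATUS_NOT_FOUND}" --color RED
        LogText "Result: AIDE database ${AIDE_DB} does not exist"
        ReportWarning "${TEST_NO}" "No AIDE database was found, needed for AIDE functionality"
    else
        LogText "Checking database size ${AIDE_DB}"
        # -s: the file exists and is larger than zero bytes
        if [ -s "${AIDE_DB}" ]; then
            Display --indent 6 --text "- AIDE database" --result "${STATUS_FOUND}" --color GREEN
            LogText "Result: AIDE database ${AIDE_DB} exist and has a size greater than zero"
        else
            Display --indent 6 --text "- AIDE database" --result "${STATUS_WARNING}" --color YELLOW
            LogText "Result: AIDE database ${AIDE_DB} exist but has a size of zero"
            ReportSuggestion "${TEST_NO}" "Check the AIDE database as it may contain errors"
        fi
    fi
    unset AIDE_DB I
fi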
#
#################################################################################
#
# Test : FINT-4318
# Description : Check if Osiris is installed
Register --test-no FINT-4318 --weight L --network NO --category security --description "Osiris availability"
if [ "${SKIPTEST}" -eq 0 ]; then
    # OSIRISBINARY is filled in outside this file; an empty value means "not installed"
    LogText "Test: Checking Osiris binary"
    if [ -z "${OSIRISBINARY}" ]; then
        LogText "Result: Osiris is not installed"
        # The NOT FOUND line is only shown in verbose mode to keep the screen output short
        if IsVerbose; then
            Display --indent 4 --text "- Osiris" --result "${STATUS_NOT_FOUND}" --color WHITE
        fi
    else
        LogText "Result: Osiris is installed (${OSIRISBINARY})"
        Report "file_integrity_tool[]=osiris"
        # Record the hit for the summary test (FINT-4350)
        FILE_INT_TOOL="osiris"
        FILE_INT_TOOL_FOUND=1
        Display --indent 4 --text "- Osiris" --result "${STATUS_FOUND}" --color GREEN
    fi
fi
#
#################################################################################
#
# Test : FINT-4322
# Description : Check if Samhain is installed
Register --test-no FINT-4322 --weight L --network NO --category security --description "Samhain availability"
if [ "${SKIPTEST}" -eq 0 ]; then
    # SAMHAINBINARY is filled in outside this file; an empty value means "not installed"
    LogText "Test: Checking Samhain binary"
    if [ -z "${SAMHAINBINARY}" ]; then
        LogText "Result: Samhain is not installed"
        # The NOT FOUND line is only shown in verbose mode to keep the screen output short
        if IsVerbose; then
            Display --indent 4 --text "- Samhain" --result "${STATUS_NOT_FOUND}" --color WHITE
        fi
    else
        LogText "Result: Samhain is installed (${SAMHAINBINARY})"
        Report "file_integrity_tool[]=samhain"
        # Record the hit for the summary test (FINT-4350)
        FILE_INT_TOOL="samhain"
        FILE_INT_TOOL_FOUND=1
        Display --indent 4 --text "- Samhain" --result "${STATUS_FOUND}" --color GREEN
    fi
fi
#
#################################################################################
#
# Test : FINT-4326
# Description : Check if Tripwire is installed
Register --test-no FINT-4326 --weight L --network NO --category security --description "Tripwire availability"
if [ "${SKIPTEST}" -eq 0 ]; then
    # TRIPWIREBINARY is filled in outside this file; an empty value means "not installed"
    LogText "Test: Checking Tripwire binary"
    if [ -z "${TRIPWIREBINARY}" ]; then
        LogText "Result: Tripwire is not installed"
        # The NOT FOUND line is only shown in verbose mode to keep the screen output short
        if IsVerbose; then
            Display --indent 4 --text "- Tripwire" --result "${STATUS_NOT_FOUND}" --color WHITE
        fi
    else
        LogText "Result: Tripwire is installed (${TRIPWIREBINARY})"
        Report "file_integrity_tool[]=tripwire"
        # Record the hit for the summary test (FINT-4350)
        FILE_INT_TOOL="tripwire"
        FILE_INT_TOOL_FOUND=1
        Display --indent 4 --text "- Tripwire" --result "${STATUS_FOUND}" --color GREEN
    fi
fi
#
#################################################################################
#
# Test : FINT-4328
# Description : Check if OSSEC system integrity tool is running
Register --test-no FINT-4328 --weight L --network NO --category security --description "OSSEC syscheck daemon running"
if [ "${SKIPTEST}" -eq 0 ]; then
    # Unlike the binary checks above, this keys on a running process rather than
    # an installed executable
    LogText "Test: Checking if OSSEC syscheck daemon is running"
    if ! IsRunning "ossec-syscheckd"; then
        LogText "Result: syscheck (OSSEC) is not active"
        # The NOT FOUND line is only shown in verbose mode to keep the screen output short
        if IsVerbose; then
            Display --indent 4 --text "- OSSEC" --result "${STATUS_NOT_FOUND}" --color WHITE
        fi
    else
        LogText "Result: syscheck (OSSEC) active"
        Report "file_integrity_tool[]=ossec"
        # Record the hit for the summary test (FINT-4350)
        FILE_INT_TOOL="ossec-syscheck"
        FILE_INT_TOOL_FOUND=1
        Display --indent 4 --text "- OSSEC (syscheck)" --result "${STATUS_FOUND}" --color GREEN
    fi
fi
#
#################################################################################
#
# Test : FINT-4330
# Description : Check if mtree is installed
# Note : Usually on BSD and similar
Register --test-no FINT-4330 --weight L --network NO --category security --description "mtree availability"
if [ "${SKIPTEST}" -eq 0 ]; then
    # MTREEBINARY is filled in outside this file; an empty value means "not installed"
    LogText "Test: Checking mtree binary"
    if [ -z "${MTREEBINARY}" ]; then
        LogText "Result: mtree is not installed"
        # The NOT FOUND line is only shown in verbose mode to keep the screen output short
        if IsVerbose; then
            Display --indent 4 --text "- mtree" --result "${STATUS_NOT_FOUND}" --color WHITE
        fi
    else
        LogText "Result: mtree is installed (${MTREEBINARY})"
        Report "file_integrity_tool[]=mtree"
        # Record the hit for the summary test (FINT-4350)
        FILE_INT_TOOL="mtree"
        FILE_INT_TOOL_FOUND=1
        Display --indent 4 --text "- mtree" --result "${STATUS_FOUND}" --color GREEN
    fi
fi
#
#################################################################################
#
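# Test : FINT-4334
# Description : Check if LFD is used (part of CSF suite)
# The config path is quoted: with a ROOTDIR containing whitespace an unquoted
# -f test would receive several arguments and fail with a syntax error.
if [ -f "${CSF_CONFIG}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no FINT-4334 --preqs-met "${PREQS_MET}" --weight L --network NO --category security --description "Check lfd daemon status"
if [ "${SKIPTEST}" -eq 0 ]; then
    # Reaching this point means the CSF configuration exists, which is what
    # "found" refers to here; whether the daemon runs is checked next.
    Display --indent 4 --text "- lfd (CSF)" --result "${STATUS_FOUND}" --color GREEN
    LogText "Test: determine lfd status"
    # The match is on the process name as lfd reports it while idle.
    # NOTE(review): a busy lfd may present a different title — confirm IsRunning
    # still matches in that state.
    if IsRunning "lfd - sleeping"; then
        LogText "Result: lfd daemon is running (CSF)"
        Report "file_integrity_tool[]=csf-lfd"
        Display --indent 6 --text "- LFD (CSF) daemon" --result "${STATUS_RUNNING}" --color GREEN
        # Record the hit for the summary test (FINT-4350)
        FILE_INT_TOOL="csf-lfd"
        FILE_INT_TOOL_FOUND=1
    else
        Display --indent 6 --text "- LFD (CSF) daemon" --result "${STATUS_NOT_RUNNING}" --color YELLOW
    fi
fi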
#
#################################################################################
#
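# Test : FINT-4336
# Description : Check if LFD is enabled (part of CSF suite)
if [ -f "${CSF_CONFIG}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no FINT-4336 --preqs-met "${PREQS_MET}" --weight L --network NO --category security --description "Check lfd configuration status"
if [ "${SKIPTEST}" -eq 0 ]; then
    # LFD configuration parameters. Each lookup greps one key from csf.conf;
    # the file path is quoted so a ROOTDIR with whitespace does not split it.
    # LF_DAEMON = "1" means lfd is configured to start
    ENABLED=$(${GREPBINARY} "^LF_DAEMON = \"1\"" "${CSF_CONFIG}")
    if [ -n "${ENABLED}" ]; then
        LogText "Result: lfd service is configured to run"
        Display --indent 6 --text "- Configuration status" --result "${STATUS_ENABLED}" --color GREEN
    else
        LogText "Result: lfd service is configured NOT to run"
        Display --indent 6 --text "- Configuration status" --result "${STATUS_DISABLED}" --color YELLOW
    fi
    # LF_DIRWATCH: third field of the line, surrounding quotes removed. A value
    # of "0" or a missing key counts as disabled. The two conditions are kept as
    # separate tests instead of the non-portable '-a' operator.
    ENABLED=$(${GREPBINARY} "^LF_DIRWATCH =" "${CSF_CONFIG}" | ${AWKBINARY} '{ print $3 }' | ${SEDBINARY} 's/\"//g')
    if [ -n "${ENABLED}" ] && [ "${ENABLED}" != "0" ]; then
        LogText "Result: lfd directory watching is enabled (value: ${ENABLED})"
        Display --indent 6 --text "- Temporary directory watches" --result "${STATUS_ENABLED}" --color GREEN
    else
        LogText "Result: lfd directory watching is disabled"
        Display --indent 6 --text "- Temporary directory watches" --result "${STATUS_DISABLED}" --color YELLOW
    fi
    # LF_DIRWATCH_FILE: same parsing and same disabled rule as LF_DIRWATCH
    ENABLED=$(${GREPBINARY} "^LF_DIRWATCH_FILE =" "${CSF_CONFIG}" | ${AWKBINARY} '{ print $3 }' | ${SEDBINARY} 's/\"//g')
    if [ -n "${ENABLED}" ] && [ "${ENABLED}" != "0" ]; then
        Display --indent 6 --text "- Directory/File watches" --result "${STATUS_ENABLED}" --color GREEN
    else
        Display --indent 6 --text "- Directory/File watches" --result "${STATUS_DISABLED}" --color YELLOW
    fi
fi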
#
#################################################################################
#
# Test : FINT-4338
# Description : Check if osquery system integrity tool is running
Register --test-no FINT-4338 --weight L --network NO --category security --description "osqueryd syscheck daemon running"
if [ "${SKIPTEST}" -eq 0 ]; then
    # Keys on a running osqueryd process, not on an installed executable
    LogText "Test: Checking if osqueryd syscheck daemon is running"
    if ! IsRunning "osqueryd"; then
        LogText "Result: syscheck (osquery) not installed"
        # The NOT FOUND line is only shown in verbose mode to keep the screen output short
        if IsVerbose; then
            Display --indent 4 --text "- osquery daemon (syscheck)" --result "${STATUS_NOT_FOUND}" --color WHITE
        fi
    else
        LogText "Result: syscheck (osquery) installed"
        Report "file_integrity_tool[]=osquery"
        # Record the hit for the summary test (FINT-4350)
        FILE_INT_TOOL="osquery"
        FILE_INT_TOOL_FOUND=1
        Display --indent 4 --text "- osquery daemon (syscheck)" --result "${STATUS_FOUND}" --color GREEN
    fi
fi
#
#################################################################################
#
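# Test : FINT-4339
# Description : Check IMA/EVM status
# NOTE(review): SKIPREASON is only assigned in the "NO" branch, so a stale value
# from an earlier test is passed along when the prerequisites are met — confirm
# Register ignores it in that case.
if [ -n "${EVMCTLBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; SKIPREASON="No evmctl binary found"; fi
Register --test-no FINT-4339 --os Linux --preqs-met "${PREQS_MET}" --skip-reason "${SKIPREASON}" --weight L --network NO --category security --description "Check IMA/EVM status"
if [ "${SKIPTEST}" -eq 0 ]; then
    # FOUND is a boolean: 1 when the kernel reports at least one IMA measurement.
    FOUND=0
    IMA_COUNT=""
    # The directory only exists when IMA is built in and securityfs is mounted
    if [ -e /sys/kernel/security/ima ]; then
        # Number of entries in the runtime measurement list. Read errors are
        # silenced; an empty result is handled below.
        IMA_COUNT=$(${CAT_BINARY} /sys/kernel/security/ima/runtime_measurements_count 2>/dev/null)
    fi
    # The list grows with every measured file, so any positive count means IMA
    # is active; comparing the raw count against exactly 1 reported IMA as
    # disabled on systems that had measured more than one file, and a
    # non-numeric value made the -ne test error out.
    case "${IMA_COUNT}" in
        ""|*[!0-9]*) ;;
        *) if [ "${IMA_COUNT}" -gt 0 ]; then FOUND=1; fi ;;
    esac
    LogText "Result: IMA runtime measurements count: ${IMA_COUNT:-unknown}"
    if [ "${FOUND}" -ne 1 ]; then
        LogText "Result: EVM tools found but IMA/EVM disabled"
        Display --indent 2 --text "- IMA/EVM (status)" --result "${STATUS_DISABLED}" --color YELLOW
    else
        LogText "Result: EVM tools found, IMA/EVM enabled"
        # Record the hit for the summary test (FINT-4350)
        FILE_INT_TOOL="evmctl"
        FILE_INT_TOOL_FOUND=1
        Display --indent 2 --text "- IMA/EVM (status)" --result "${STATUS_ENABLED}" --color GREEN
    fi
    unset IMA_COUNT
fi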
#
#################################################################################
#
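# Test : FINT-4340
# Description : Check dm-integrity status
# NOTE(review): SKIPREASON is only assigned in the "NO" branch; see FINT-4339.
if [ -n "${INTEGRITYSETUPBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; SKIPREASON="No integritysetup binary found"; fi
Register --test-no FINT-4340 --os Linux --preqs-met "${PREQS_MET}" --skip-reason "${SKIPREASON}" --weight L --network NO --category security --description "Check dm-integrity status"
if [ "${SKIPTEST}" -eq 0 ]; then
    FOUND=0         # 1 when at least one dm-integrity mapping is active
    ROOTPROTECTED=0 # 1 when that mapping is the root filesystem's device
    # Source device of '/', taken from the ' on / type ' line of mount output.
    # NOTE(review): the comparison below only matches when mount reports the
    # root device under its /dev/mapper/<name> path; a /dev/dm-N spelling
    # would not compare equal — confirm on the targeted distributions.
    ROOTDEVICE=$(${MOUNTBINARY} | ${AWKBINARY} '/ on \/ type / { print $1 }')
    # With no mappings the glob stays literal and the -e test skips it
    for DEVICE in /dev/mapper/*; do
        if [ -e "${DEVICE}" ]; then
            # Query each mapping and key on the 'type:' line integritysetup
            # prints. stderr is dropped so messages about mappings that are
            # not dm-integrity targets do not reach the screen.
            FIND=$(${INTEGRITYSETUPBINARY} status "${DEVICE}" 2>/dev/null | ${EGREPBINARY} 'type:.*INTEGRITY')
            if [ -n "${FIND}" ]; then
                FOUND=1
                LogText "Result: found dm-integrity device ${DEVICE}"
                if [ "${DEVICE}" = "${ROOTDEVICE}" ]; then
                    ROOTPROTECTED=1
                fi
            fi
        fi
    done
    if [ "${FOUND}" -ne 1 ]; then
        LogText "Result: dm-integrity tools found but no active devices"
        Display --indent 2 --text "- dm-integrity (status)" --result "${STATUS_DISABLED}" --color WHITE
    else
        LogText "Result: dm-integrity tools found, active devices"
        # Exactly one status line is printed here. The previous version printed
        # a second, unconditional ENABLED line after this if/else, which
        # duplicated the GREEN case and contradicted the YELLOW one.
        if [ "${ROOTPROTECTED}" -eq 1 ]; then
            LogText "Result: root filesystem is protected by dm-integrity"
            Display --indent 2 --text "- dm-integrity (status)" --result "${STATUS_ENABLED}" --color GREEN
        else
            LogText "Result: root filesystem is not protected by dm-integrity but active devices found"
            Display --indent 2 --text "- dm-integrity (status)" --result "${STATUS_FOUND}" --color YELLOW
        fi
        # Record the hit for the summary test (FINT-4350)
        FILE_INT_TOOL="dm-integrity"
        FILE_INT_TOOL_FOUND=1
    fi
fi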
#
#################################################################################
#
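# Test : FINT-4341
# Description : Check dm-verity status
# NOTE(review): SKIPREASON is only assigned in the "NO" branch; see FINT-4339.
if [ -n "${VERITYSETUPBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; SKIPREASON="No veritysetup binary found"; fi
Register --test-no FINT-4341 --os Linux --preqs-met "${PREQS_MET}" --skip-reason "${SKIPREASON}" --weight L --network NO --category security --description "Check dm-verity status"
if [ "${SKIPTEST}" -eq 0 ]; then
    FOUND=0         # 1 when at least one dm-verity mapping is active
    ROOTPROTECTED=0 # 1 when that mapping is the root filesystem's device
    # Source device of '/', taken from the ' on / type ' line of mount output.
    # NOTE(review): the comparison below only matches when mount reports the
    # root device under its /dev/mapper/<name> path; a /dev/dm-N spelling
    # would not compare equal — confirm on the targeted distributions.
    ROOTDEVICE=$(${MOUNTBINARY} | ${AWKBINARY} '/ on \/ type / { print $1 }')
    # With no mappings the glob stays literal and the -e test skips it
    for DEVICE in /dev/mapper/*; do
        if [ -e "${DEVICE}" ]; then
            # Query each mapping and key on the 'type:' line veritysetup
            # prints. stderr is dropped so messages about mappings that are
            # not dm-verity targets do not reach the screen (same as FINT-4340).
            FIND=$(${VERITYSETUPBINARY} status "${DEVICE}" 2>/dev/null | ${EGREPBINARY} 'type:.*VERITY')
            if [ -n "${FIND}" ]; then
                FOUND=1
                LogText "Result: found dm-verity device ${DEVICE}"
                if [ "${DEVICE}" = "${ROOTDEVICE}" ]; then
                    ROOTPROTECTED=1
                fi
            fi
        fi
    done
    if [ "${FOUND}" -ne 1 ]; then
        LogText "Result: dm-verity tools found but no active devices"
        Display --indent 2 --text "- dm-verity (status)" --result "${STATUS_DISABLED}" --color WHITE
    else
        LogText "Result: dm-verity tools found, active devices"
        if [ "${ROOTPROTECTED}" -eq 1 ]; then
            LogText "Result: root filesystem is protected by dm-verity"
            Display --indent 2 --text "- dm-verity (status)" --result "${STATUS_ENABLED}" --color GREEN
        else
            LogText "Result: root filesystem is not protected by dm-verity but active devices found"
            Display --indent 2 --text "- dm-verity (status)" --result "${STATUS_FOUND}" --color YELLOW
        fi
        # Record the hit for the summary test (FINT-4350)
        FILE_INT_TOOL="dm-verity"
        FILE_INT_TOOL_FOUND=1
    fi
fi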
#
#################################################################################
#
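# Test : FINT-4402 (was FINT-4316)
# Description : Check if AIDE is configured to use SHA256 or SHA512 checksums
if [ -n "${AIDEBINARY}" ] && [ -n "${AIDECONFIG}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no FINT-4402 --preqs-met "${PREQS_MET}" --weight L --network NO --category security --description "AIDE configuration: Checksums (SHA256 or SHA512)"
if [ "${SKIPTEST}" -eq 0 ]; then
    # Any uncommented assignment whose value mentions sha256 or sha512 counts;
    # a configuration that only uses weaker digests gets the suggestion below.
    # The config path is quoted so a ROOTDIR with whitespace does not split it.
    FIND=$(${GREPBINARY} -v "^#" "${AIDECONFIG}" | ${EGREPBINARY} "= .*(sha256|sha512)")
    if [ -z "${FIND}" ]; then
        LogText "Result: No SHA256 or SHA512 found for creating checksums"
        Display --indent 6 --text "- AIDE config (Checksum)" --result Suggestion --color YELLOW
        ReportSuggestion "${TEST_NO}" "Use SHA256 or SHA512 to create checksums in AIDE"
        AddHP 1 3
    else
        LogText "Result: Found SHA256 or SHA512 found for creating checksums"
        Display --indent 6 --text "- AIDE config (Checksum)" --result "${STATUS_OK}" --color GREEN
        AddHP 2 2
    fi
fi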
#
#################################################################################
#
# Test : FINT-4350
# Description : Check if at least one file integrity tool is installed
Register --test-no FINT-4350 --weight L --network NO --category security --description "File integrity software installed"
if [ "${SKIPTEST}" -eq 0 ]; then
    LogText "Test: Check if at least on file integrity tool is available/installed"
    # FILE_INT_TOOL_FOUND is 0 by default and set to 1 by any detecting test above
    case "${FILE_INT_TOOL_FOUND}" in
        1)
            LogText "Result: found at least one file integrity tool"
            Display --indent 2 --text "- Checking presence integrity tool" --result "${STATUS_FOUND}" --color GREEN
            AddHP 5 5
            ;;
        *)
            LogText "Result: No file integrity tools found"
            Display --indent 2 --text "- Checking presence integrity tool" --result "${STATUS_NOT_FOUND}" --color YELLOW
            ReportSuggestion "${TEST_NO}" "Install a file integrity tool to monitor changes to critical and sensitive files"
            AddHP 0 5
            ;;
    esac
fi
#
#################################################################################
#
# End of section; presumably only pauses when interactive pausing is enabled — see WaitForKeyPress
WaitForKeyPress
#
#================================================================================
# Lynis - Copyright 2007-2021 Michael Boelen, CISOfy - https://cisofy.com