From aa8410477e2638058a39ca5a230dc617986596e9 Mon Sep 17 00:00:00 2001 From: mboelen Date: Wed, 29 Apr 2015 11:57:30 +0200 Subject: [PATCH 01/44] Performance tuning by removing full listing of binaries from log --- include/binaries | 1 - 1 file changed, 1 deletion(-) diff --git a/include/binaries b/include/binaries index 844027d3..895cff4a 100644 --- a/include/binaries +++ b/include/binaries @@ -78,7 +78,6 @@ N=`expr ${N} + 1` BINARY="${SCANDIR}/${I}" DISCOVERED_BINARIES="${DISCOVERED_BINARIES}${BINARY} " - logtext "Binary: ${BINARY}" # Optimized, much quicker (limited file access needed) case ${I} in aa-status) APPARMORFOUND=1; AASTATUSBINARY=${BINARY}; logtext " Found known binary: aa-status (apparmor component) - ${BINARY}" ;; From 2cd57933b64ad64f1ee9d491a787d4b8ec7c4cad Mon Sep 17 00:00:00 2001 From: mboelen Date: Wed, 29 Apr 2015 11:57:57 +0200 Subject: [PATCH 02/44] Correction of Display function --- include/helper_audit_dockerfile | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/include/helper_audit_dockerfile b/include/helper_audit_dockerfile index 3c481914..13174e40 100644 --- a/include/helper_audit_dockerfile +++ b/include/helper_audit_dockerfile @@ -4,7 +4,6 @@ if [ $# -eq 0 ]; then Display --indent 2 --text "${RED}Error: ${WHITE}Provide URL or file${NORMAL}" Display --text " "; Display --text " " - ExitFatal else FILE=`echo $1 | egrep "^http|https"` @@ -18,7 +17,7 @@ if [ $# -eq 0 ]; then if [ -f ${TMP_FILE} ]; then rm -f ${TMP_FILE} fi - Dislpay --indent 2 --text "${RED}Error: ${WHITE}can not download file${NORMAL}" + Display --indent 2 --text "${RED}Error: ${WHITE}can not download file${NORMAL}" ExitFatal fi else From 761314df23d6e412c352509ff25de8bcb50fb0d9 Mon Sep 17 00:00:00 2001 From: mboelen Date: Wed, 29 Apr 2015 12:21:52 +0200 Subject: [PATCH 03/44] Move helper text and small adjustment to security error --- lynis | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lynis b/lynis index 2e07e5f0..8e67d668 100755 --- a/lynis +++ b/lynis @@ -134,7 +134,7 @@ echo "" echo " Why do I see this error?" echo " -------------------------------" - echo " This error is a protection mechanism, to prevent root user from executing user created files." + echo " This is a protection mechanism, to prevent the root user from executing user created files." echo ""; echo "" echo " What can I do?" echo " ---------------------" @@ -834,12 +834,12 @@ ################################################################################# # if [ ${RUN_HELPERS} -eq 1 ]; then - InsertPluginSection "Audit Module" if [ ! "${HELPER}" = "" ]; then logtext "Helper tool is $HELPER" if [ -f ${INCLUDEDIR}/helper_${HELPER} ]; then SafePerms ${INCLUDEDIR}/helper_${HELPER} logtext "Running helper tool ${HELPER} with params: ${HELPER_PARAMS}" + InsertPluginSection "Helper: ${HELPER}" . ${INCLUDEDIR}/helper_${HELPER} ${HELPER_PARAMS} else echo "Error, could not find helper" From 70e20d514ca6bb2057cf889171fb165f8b12ad42 Mon Sep 17 00:00:00 2001 From: mboelen Date: Wed, 29 Apr 2015 13:53:40 +0200 Subject: [PATCH 04/44] Ensure that only one value is provided --- include/functions | 2 ++ 1 file changed, 2 insertions(+) diff --git a/include/functions b/include/functions index 1dc1c1d9..04ccfe13 100644 --- a/include/functions +++ b/include/functions @@ -778,6 +778,8 @@ NGINX_ACCESS_LOG_DISABLED=1 else if [ ! "${VALUE}" = "" ]; then + # If multiple values follow, select first one + VALUE=`echo ${VALUE} | awk '{ print $1 }'` if [ ! -f ${VALUE} ]; then logtext "Result: could not find referenced log file ${VALUE} in nginx configuration" NGINX_ACCESS_LOG_MISSING=1 From 6a0417da8b19d1daec91c15ab4a2e91cf8b8ceee Mon Sep 17 00:00:00 2001 From: mboelen Date: Wed, 29 Apr 2015 14:20:46 +0200 Subject: [PATCH 05/44] Added Python and updated PHP description --- include/binaries | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/include/binaries b/include/binaries index 895cff4a..a8fb6425 100644 --- a/include/binaries +++ b/include/binaries @@ -144,7 +144,7 @@ openssl) OPENSSLFOUND=1; OPENSSLBINARY="${BINARY}"; OPENSSLVERSION=`${BINARY} version 2> /dev/null | head -n 1 | awk '{ print $2 }' | xargs`; logtext "Found ${BINARY} (version ${OPENSSLVERSION})" ;; pacman) PACMANFOUND=1; PACMANBINARY="${BINARY}"; logtext " Found known binary: pacman (package manager) - ${BINARY}" ;; perl) PERLFOUND=1; PERLBINARY="${BINARY}"; PERLVERSION=`${BINARY} -V:version | sed 's/^version=//' | sed 's/;//' | xargs`; logtext "Found ${BINARY} (version ${PERLVERSION})" ;; - php) PHPFOUND=1; PHPBINARY="${BINARY}"; PHPVERSION=`${BINARY} -v | awk '{ if ($1=="PHP") { print $2 }}' | head -1`; logtext "Found known binary: php (programming language) - ${BINARY} (version ${PHPVERSION})" ;; + php) PHPFOUND=1; PHPBINARY="${BINARY}"; PHPVERSION=`${BINARY} -v | awk '{ if ($1=="PHP") { print $2 }}' | head -1`; logtext "Found known binary: php (programming language intrepreter) - ${BINARY} (version ${PHPVERSION})" ;; pkg_admin) PKGADMINBINARY="${BINARY}"; logtext " Found known binary: pkg_admin (software package administration) - ${BINARY}" ;; postconf) POSTCONFFOUND=1; POSTCONFBINARY="${BINARY}"; logtext " Found known binary: postconf (postfix configuration) - ${BINARY}" ;; postfix) POSTFIXFOUND=1; POSTFIXBINARY="${BINARY}"; logtext " Found known binary: postfix (postfix binary) - ${BINARY}" ;; @@ -153,6 +153,7 @@ ps) PSFOUND=1; PSBINARY="${BINARY}"; logtext " Found known binary: ps (process listing) - ${BINARY}" ;; puppet) PUPPETFOUND=1; PUPPETBINARY="${BINARY}"; logtext " Found known binary: puppet (automation tooling) - ${BINARY}" ;; puppetmasterd) PUPPETMASTERDFOUND=1; PUPPETMASTERDBINARY="${BINARY}"; logtext " Found known binary: puppetmasterd (puppet master daemon) - ${BINARY}" ;; + python) PYTHONBINARY="${BINARY}"; logtext " Found known binary: python (programming language intepreter) - ${BINARY}" ;; readlink) READLINKFOUND=1; READLINKBINARY="${BINARY}"; logtext " Found known binary: readlink (follows symlinks) - ${BINARY}" ;; rkhunter) RKHUNTERFOUND=1; RKHUNTERBINARY="${BINARY}"; MALWARE_SCANNER_INSTALLED=1; logtext " Found known binary: rkhunter (malware scanner) - ${BINARY}" ;; rootsh) ROOTSHFOUND=1; ROOTSHBINARY="${BINARY}"; logtext " Found known binary: rootsh (wrapper for shells) - ${BINARY}" ;; From 508cf7ac719a621b54fd554b35fb77ca269f073c Mon Sep 17 00:00:00 2001 From: mboelen Date: Wed, 29 Apr 2015 19:58:13 +0200 Subject: [PATCH 06/44] Added missing space --- include/tests_accounting | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/tests_accounting b/include/tests_accounting index 4228ff28..2b5e5048 100644 --- a/include/tests_accounting +++ b/include/tests_accounting @@ -226,7 +226,7 @@ if [ -f /etc/ld.so.preload ]; then logtext "Result: found /etc/ld.so.preload, testing if snoopy.so is listed" FIND=`grep ${FILE} /etc/ld.so.preload` - if [ !"${FIND}" = "" ]; then + if [ ! "${FIND}" = "" ]; then logtext "Result: found snoopy in ld.so.preload" logtext "Output: ${FIND}" Display --indent 6 --text "- Library in ld.so.preload" --result "LOADED" --color GREEN From b2b9f7627a82ebb6426498e6bf345cd176446001 Mon Sep 17 00:00:00 2001 From: mboelen Date: Thu, 30 Apr 2015 01:20:03 +0200 Subject: [PATCH 07/44] Updates to several sections and point to documentation --- lynis.8 | 47 +++++++++++++++++++++++++++++++---------------- 1 file changed, 31 insertions(+), 16 deletions(-) diff --git a/lynis.8 b/lynis.8 index 38be837d..8de5135f 100644 --- a/lynis.8 +++ b/lynis.8 @@ -1,4 +1,4 @@ -.TH Lynis 8 "30 January 2015" "1.17" "Unix System Administrator's Manual" +.TH Lynis 8 "30 April 2015" "1.18" "Unix System Administrator's Manual" .SH "NAME" @@ -16,13 +16,13 @@ Lynis \fP\- Run an system and security audit on the system .fi .SH "DESCRIPTION" -\fBLynis\fP is an auditing tool for Unix (specialists). It checks the system -and software configuration and logs all the found information into a log file -for debugging purposes, and in a report file suitable to create fancy looking -auditing reports. -\fBLynis\fP can be run as a cronjob, or from the command line. It needs to have -full access to the system, so running it as root (or with sudo rights) is -required. +\fBLynis\fP is a security auditing tool for Linux and Unix systems. It checks +the system and software configurations, to determine any improvements. +All details are logged in a log file. Findings and other data is stored in a +report file, which can be used to create auditing reports. +\fBLynis\fP can be run as a cronjob, or from the command line. Lynis prefers +root permissions (or sudo), so it can access all parts of the system, however it +not required (see pentest mode). .PP The following system areas may be checked: .IP @@ -30,7 +30,7 @@ The following system areas may be checked: .IP \- Configuration files .IP -\- Common files by software packages +\- Files part of software packages .IP \- Directories and files related to logging and auditing .SH "OPTIONS" @@ -39,7 +39,6 @@ The following system areas may be checked: .B \-\-auditor Define the name of the auditor/pen-tester. When a full name is used, add double quotes, like "Your Name". - .TP .B \-\-checkall (or \-c) \fBLynis\fP performs a full check of the system, printing out the results of @@ -48,9 +47,6 @@ each test to stdout. Additional information will be saved into a log file .IP In case the outcome of a scan needs to be automated, use the report file. .TP -.B \-\-check\-update (or \-\-info) -Show program, database and update information. -.TP .B \-\-cronjob Perform automatic scan with cron safe options (no colors, no questions, no breaks). @@ -115,14 +111,33 @@ with others. When running Lynis without any parameters, help will be shown and the program will exit. .RE .PP + +.SH "HELPERS" +Lynis has special helpers to do certain tasks. This way the framework of Lynis is +used, while at the same time storing most of the functionality in a separated +file. This speeds up execution and keeps the code clean. +.TP +.B audit +Run audit on the system or on other targets +.TP +.B update +Run updater utility +.TP +To use a helper, run Lynis followed by the helper name +.RE +.PP .SH "BUGS" -Discovered a bug? Please report them via e-mail (lynis-dev@cisofy.com) or via GitHub: https://github.com/CISOfy/Lynis +Discovered a bug? Please report them via GitHub: https://github.com/CISOfy/lynis +.RE +.PP +.SH "Documentation" +Supporting documentation can be found via https://cisofy.com/documentation/lynis/ .RE .PP .SH "LICENSING" -Lynis is licensed with the GPL v3 license and under development by CISOfy and Michael Boelen. Plugins have their own license. +Lynis is licensed as GPL v3, written by Michael Boelen and supported by CISOfy. Plugins may have their own license. .RE .PP .SH "CONTACT INFORMATION" -Support and project related questions are addressed via https://cisofy.com/support/. +Support requests and project related questions can be addressed via e-mail: lynis-dev@cisofy.com. From 0cc3a69be9bf4f06222c575759f1aab85d14009a Mon Sep 17 00:00:00 2001 From: mboelen Date: Thu, 30 Apr 2015 01:23:18 +0200 Subject: [PATCH 08/44] Additions to allow for automatic updates --- default.prf | 32 ++++++++++++++++++++++++++++++++ 1 file changed, 32 insertions(+) diff --git a/default.prf b/default.prf index c97e55f5..713070f7 100644 --- a/default.prf +++ b/default.prf @@ -308,6 +308,38 @@ permdir:/root/.ssh:rwx------:root:-:WARN: #config:custom_url_prepend:https://your-domain.example.org/control-info/: #config:custom_url_append:/: +################################################################################# +# +# Automatic Updating +# ------------------- +# +# These settings are required when using the lynis update functionality. +# By specifying local paths and your update server, the tool can do an update +# check, compare versions and download a new version. +# +################################################################################# + +# Local directory (without slash at end) where lynis directory will be installed +# Note: do not add full path to lynis, as subdirectory is part of tarball +#config:update_local_directory:/usr/local: +# Full path to local file. Change local path if Lynis is installed on a different place +#config:update_local_version_info:/usr/local/lynis/client-version: + +# Download information +# ----------------------------- +# Protocol to use: http, https +#config:update_server_protocol:http: + +# Address of update server +#config:update_server_address:192.168.1.125: + +# Path to last stable release +#config:update_latest_version_download:/files/lynis-latest.tar.gz: + +# Last part of URL (file to gather) +#config:update_latest_version_info:/files/lynis-latest-version: + + ################################################################################# # # Lynis Enterprise From 1ece78f1a82b140c4e1994694e7f2bf3517cb22f Mon Sep 17 00:00:00 2001 From: mboelen Date: Thu, 30 Apr 2015 01:23:47 +0200 Subject: [PATCH 09/44] Set default for showing program details at start --- include/consts | 1 + 1 file changed, 1 insertion(+) diff --git a/include/consts b/include/consts index 077628f9..a46464fa 100644 --- a/include/consts +++ b/include/consts @@ -129,6 +129,7 @@ unset LANG SCAN_TEST_HEAVY=""; SCAN_TEST_MEDIUM=""; SCAN_TEST_LOW="" SESTATUSBINARY="" SERVICE_MANAGER="" + SHOW_PROGRAM_DETAILS=1 SHOW_REPORT=1 SKIPPED_TESTS_ROOTONLY="" SSHKEYSCANBINARY="" From 8ae3cfd5ad56804fa0db67e8af13f9a37299969f Mon Sep 17 00:00:00 2001 From: mboelen Date: Thu, 30 Apr 2015 01:25:18 +0200 Subject: [PATCH 10/44] Remove unused variable --- include/consts | 1 - 1 file changed, 1 deletion(-) diff --git a/include/consts b/include/consts index a46464fa..6c4ad85a 100644 --- a/include/consts +++ b/include/consts @@ -167,7 +167,6 @@ unset LANG TOTAL_TESTS=0 # Total amount of tests (counter) UPLOAD_DATA=0 # Upload of data to central node VIEWHELP=0 # Show help - VIEWUPDATEINFO=0 # View program/database version WRONGOPTION=0 # A wrong option is used # ################################################################################# From af1c100f0ec28a9621ceaadca4918079da64e88d Mon Sep 17 00:00:00 2001 From: mboelen Date: Thu, 30 Apr 2015 01:27:10 +0200 Subject: [PATCH 11/44] Remove the display of update check, extend help with new helper --- lynis | 59 ++++++----------------------------------------------------- 1 file changed, 6 insertions(+), 53 deletions(-) diff --git a/lynis b/lynis index 8e67d668..46740486 100755 --- a/lynis +++ b/lynis @@ -23,7 +23,7 @@ # Program information PROGRAM_name="Lynis" PROGRAM_version="2.1.1" - PROGRAM_releasedate="19 April 2015" + PROGRAM_releasedate="29 April 2015" PROGRAM_author="CISOfy" PROGRAM_author_contact="lynis-dev@cisofy.com" PROGRAM_website="https://cisofy.com" @@ -226,55 +226,6 @@ # CV - Current Version PROGRAM_AC=`echo ${PROGRAM_version} | awk '{ print $1 }' | sed 's/[.]//g'` PROGRAM_LV=0 - #DB_MALWARE_CV=`grep "^#version=" ${DBDIR}/malware.db | cut -d '=' -f2` - #DB_FILEPERMS_CV=`grep "^#version=" ${DBDIR}/fileperms.db | cut -d '=' -f2` - - # Number of signatures - #DB_MALWARE_IC=`grep -v "^#" ${DBDIR}/malware.db | wc -l | tr -s ' ' | tr -d ' '` - - if [ ${VIEWUPDATEINFO} -eq 1 ]; then - - CheckUpdates - - # Reset everything if we can't determine our current version or the latest - # available version (due lack of internet connectivity for example) - if [ "${PROGRAM_AC}" = "" -o "${PROGRAM_LV}" = "" ]; then - # Set both to safe values - PROGRAM_AC=0; PROGRAM_LV=0 - #DB_MALWARE_LV=0; DB_MALWARE_CV=0 - #DB_FILEPERMS_LV=0; DB_FILEPERMS_CV=0 - fi - - echo ""; echo " == ${WHITE}${PROGRAM_name}${NORMAL} =="; echo "" - echo " Version : ${PROGRAM_version}" - echo -n " Status : " - if [ ${PROGRAM_LV} -eq 0 ]; then - echo "${RED}Unknown${NORMAL}"; - elif [ ${PROGRAM_LV} -gt ${PROGRAM_AC} ]; then - echo "${YELLOW}Outdated${NORMAL}"; - echo " Current version : ${PROGRAM_AC}" - echo " Latest version : ${PROGRAM_LV}" - else - echo "${GREEN}Up-to-date${NORMAL}" - fi - echo " Release date : ${PROGRAM_releasedate}" - echo " Update location : ${PROGRAM_website}" -# echo "" -# echo " == ${WHITE}Plugins${NORMAL} ==" -# echo "" -# echo " == ${WHITE}Databases${NORMAL} ==" -# echo " Current Latest Status" -# echo " -----------------------------------------------------------------------------" -# echo -n " Malware : ${DB_MALWARE_CV} ${DB_MALWARE_LV} " -# if [ ${DB_MALWARE_LV} -gt ${DB_MALWARE_CV} ]; then echo "${WARNING}Outdated${NORMAL}"; else echo "${OK}Up-to-date${NORMAL}"; fi -# echo -n " File perms : ${DB_FILEPERMS_CV} ${DB_FILEPERMS_LV} " -# if [ ${DB_FILEPERMS_LV} -gt ${DB_FILEPERMS_CV} ]; then echo "${WARNING}Outdated${NORMAL}"; else echo "${OK}Up-to-date${NORMAL}"; fi - echo ""; echo "" - echo "${PROGRAM_copyright}"; echo "" - - # Quit program - ExitClean - fi # ################################################################################# # @@ -394,8 +345,11 @@ echo " audit system : Perform security scan" echo " audit dockerfile : Analyze Dockerfile" echo "" + echo " ${GREEN}update${NORMAL}" + echo " update info : Show update details" + echo " update release : Update Lynis release" + echo "" echo "" - echo " ${WHITE}Scan options:${NORMAL}" echo " --auditor \"\" : Auditor name" echo " --dump-options : See all available options" @@ -412,7 +366,6 @@ echo " --reverse-colors : Optimize color display for light backgrounds" echo "" echo " ${WHITE}Misc options:${NORMAL}" - echo " --check-update : Check for updates" echo " --debug : Debug logging to screen" echo " --view-manpage (--man) : View man page" echo " --version (-V) : Display version number and quit" @@ -529,7 +482,7 @@ # ################################################################################# # - if [ ${QUIET} -eq 0 ]; then + if [ ${QUIET} -eq 0 -a ${SHOW_PROGRAM_DETAILS} -eq 1 ]; then echo "" echo " ---------------------------------------------------" echo " Program version: ${PROGRAM_version}" From 0e581e6ad75a392c0d5f409405b3e132858d3fc6 Mon Sep 17 00:00:00 2001 From: mboelen Date: Thu, 30 Apr 2015 01:27:36 +0200 Subject: [PATCH 12/44] Initial import of helper for automatic updates --- include/helper_update | 266 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 266 insertions(+) create mode 100644 include/helper_update diff --git a/include/helper_update b/include/helper_update new file mode 100644 index 00000000..60529c4b --- /dev/null +++ b/include/helper_update @@ -0,0 +1,266 @@ +#!/bin/sh + +###################################################################### +# +# Helper program to support automatic updates of Lynis +# +###################################################################### +# +# Options: +# --------- +# 1) lynis update info - Show version information (external) +# 2) lynis update release - Check and install new release (internal) +# +# How to use: +# ------------ +# Run option 1 to know about current and latest release information. +# Run option 2 to query internal server for possible upgrade of Lynis. +# +# Steps for updating to new release: +# 1) Run Lynis with: lynis update release +# 2) Lynis will use this helper and check the profile +# 3) The configured web server will be queried (lynis-latest-version) +# 4) The contents of this file will be compared with a local file +# 5) If there is a difference, download package +# 6) Check paths and extract files +# 7) Quit program +# +# Suggested documentation if you want to use this functionality: +# https://cisofy.com/documentation/lynis/upgrading/ +# +###################################################################### + +LOCAL_VERSION="-" +SERVER_VERSION="" +PERFORM_UPGRADE=0 + +WGET_EXISTS=`which wget 2> /dev/null` +CURL_EXISTS=`which curl 2> /dev/null` +FETCH_EXISTS=`which fetch 2> /dev/null` + +# Update version +if [ "$1" = "release" ]; then + + if [ "${UPDATE_SERVER_PROTOCOL}" = "" ] ; then + Display --indent 2 --text "Error: Unknown protocol, please specify (http, https) in profile (update_server_protocol)" + ExitFatal + fi + + if [ "${UPDATE_SERVER_ADDRESS}" = "" ] ; then + Display --indent 2 --text "Error: Unknown download address, please specify in profile (update_server_address)" + ExitFatal + fi + + if [ "${UPDATE_LATEST_VERSION_DOWNLOAD}" = "" ] ; then + Display --indent 2 --text "Error: No URL to latest download has been specifiedrsion on the server, please specify in profile (update_latest_version_download)" + ExitFatal + fi + + if [ "${UPDATE_LATEST_VERSION_INFO}" = "" ] ; then + Display --indent 2 --text "Error: No URL has been specified to know the latest version on the server, please specify in profile (update_latest_version_info)" + ExitFatal + fi + + if [ "${UPDATE_LOCAL_DIRECTORY}" = "" ] ; then + Display --indent 2 --text "Error: No local directory has been specified to store Lynis files. Please specify in profile (update_local_directory)" + ExitFatal + else + if [ ! -d ${UPDATE_LOCAL_DIRECTORY} ]; then + Display --indent 2 --text "Error: Directory ${UPDATE_LOCAL_DIRECTORY} does not exist" + ExitFatal + fi + fi + + if [ "${UPDATE_LOCAL_VERSION_INFO}" = "" ] ; then + Display --indent 2 --text "Error: No data file has been specified to determine local Lynis version, please specify in profile (update_local_version_info)" + ExitFatal + fi + + if [ ! -f ${UPDATE_LOCAL_VERSION_INFO} ]; then + Display --indent 2 --text "Note: local data file ${UPDATE_LOCAL_VERSION_INFO} does not exist. It will be created after updating. (update_local_version_info)" + else + LOCAL_VERSION=`cat ${UPDATE_LOCAL_VERSION_INFO}` + fi + + # Normal update + FULLPATH="${UPDATE_SERVER_PROTOCOL}://${UPDATE_SERVER_ADDRESS}${UPDATE_LATEST_VERSION_INFO}" + TMP_FILE=`mktemp /tmp/audit.XXXXXXXXXX` + if [ "${TMP_FILE}" = "" ]; then + Display --indent 2 --text "Could not create a temporary file in /tmp with mktemp. Aborting.." + ExitFatal + fi + Display --indent 2 --text "${CYAN}[Phase 1] Downloading details${NORMAL}" + if [ ! "${WGET_EXISTS}" = "" ]; then + logtext "Using wget to download release information" + LAST_COMMAND_HELP="wget --output-document ${TMP_FILE} ${FULLPATH}" + wget --output-document ${TMP_FILE} ${FULLPATH} 2> /dev/null + EXIT_CODE=$? + elif [ ! "${CURL_EXISTS}" = "" ]; then + logtext "Using curl to download release information" + LAST_COMMAND_HELP="curl --fail -o ${TMP_FILE} ${FULLPATH}" + curl --fail -o ${TMP_FILE} ${FULLPATH} 2> /dev/null + EXIT_CODE=$? + else + Display --indent 2 --text "No download tool available to perform download" + ExitFatal + fi + + if [ ! "${TMP_FILE}" = "" ]; then + if [ -f ${TMP_FILE} ]; then + SERVER_VERSION=`cat ${TMP_FILE}` + rm -f ${TMP_FILE} + fi + else + Display --indent 2 --text "Temporary file variable is empty, which is unexpected. Aborting.." + ExitFatal + fi + + # Determine if downloading meta data was successful + if [ ${EXIT_CODE} -eq 0 ]; then + if [ "${SERVER_VERSION}" = "" ]; then + Display --indent 2 --text "No version found on the server. Aborting.." + ExitFatal + else + Display --indent 2 --text "Version found on server: ${SERVER_VERSION}" + Display --indent 2 --text "Local version found: ${LOCAL_VERSION}" + fi + else + Display --indent 2 --text "${RED}Error: ${WHITE}Download utility returned an unexpected error code.${NORMAL} Aborting.." + Display --indent 2 --text "Error code: ${EXIT_CODE}" + Display --indent 2 --text "Suggested command: ${LAST_COMMAND_HELP}" + ExitFatal + fi + +#========================================================================================================================================== + + Display --indent 2 --text " " + Display --indent 2 --text "${CYAN}[Phase 2] Compare results${NORMAL}" + if [ ! "${LOCAL_VERSION}" = "${SERVER_VERSION}" ]; then + Display --indent 2 --text "Different version available, moving to upgrade phase" + PERFORM_UPGRADE=1 + else + Display --indent 2 --text "${GREEN}No upgrade needed${NORMAL}" + fi + + # Go to phase 3 if upgrade is needed + if [ ${PERFORM_UPGRADE} -eq 1 ]; then + FULLPATH="${UPDATE_SERVER_PROTOCOL}://${UPDATE_SERVER_ADDRESS}${UPDATE_LATEST_VERSION_DOWNLOAD}" + Display --indent 2 --text " " + Display --indent 2 --text "[Phase 3] Downloading latest release" + Display --indent 2 --text "Download location: ${FULLPATH}" + if [ ! "${WGET_EXISTS}" = "" ]; then + logtext "Using wget to download latest release" + LAST_COMMAND_HELP="wget --output-document ${TMP_FILE} ${FULLPATH}" + wget --output-document ${TMP_FILE} ${FULLPATH} 2> /dev/null + EXIT_CODE=$? + elif [ ! "${CURL_EXISTS}" = "" ]; then + logtext "Using curl to download latest release" + LAST_COMMAND_HELP="curl --fail -o ${TMP_FILE} ${FULLPATH}" + curl --fail -o ${TMP_FILE} ${FULLPATH} 2> /dev/null + EXIT_CODE=$? + fi + if [ ${EXIT_CODE} -eq 0 ]; then + if [ -f ${TMP_FILE} ]; then + Display --indent 2 --text "Download successful" + # Extract the file to the related path, with 'lynis' appended + # Note: by default the tarball includes 'lynis' as directory + if [ ! -d ${UPDATE_LOCAL_DIRECTORY} ]; then + Display --indent 2 --text "Error: directory ${UPDATE_LOCAL_DIRECTORY} does not exist" + ExitFatal + fi + Display --indent 2 --text "Extracting latest version to path ${UPDATE_LOCAL_DIRECTORY}" + if [ ! -d ${UPDATE_LOCAL_DIRECTORY}/lynis ]; then + Display --indent 2 --text "Creating 'lynis' directory in ${UPDATE_LOCAL_DIRECTORY}" + mkdir ${UPDATE_LOCAL_DIRECTORY}/lynis + if [ $? -gt 0 ]; then + Display --indent 2 --text "Error: could not create directory ${UPDATE_LOCAL_DIRECTORY}/lynis" + ExitFatal + fi + fi + if [ -d ${UPDATE_LOCAL_DIRECTORY}/lynis ]; then + Display --indent 2 --text "Extracting files to ${UPDATE_LOCAL_DIRECTORY}" + tar xzf ${TMP_FILE} -C ${UPDATE_LOCAL_DIRECTORY} + if [ $? -eq 0 ]; then + # Check if we can find the Lynis binary (in the created 'lynis' directory) + if [ -f ${UPDATE_LOCAL_DIRECTORY}/lynis/lynis ]; then + # If version was downloaded, update local version + echo ${SERVER_VERSION} > ${UPDATE_LOCAL_VERSION_INFO} + else + Display --indent 2 --text "Error: could not find downloaded file on disk" + fi + else + Display --indent 2 --text "Error: File extraction failed" + ExitFatal + fi + else + Display --indent 2 --text "Error: could not find lynis directory" + fi + else + Display --indent 2 --text "Error: could not find downloaded file on disk" + ExitFatal + fi + else + Display --indent 2 --text "Error: could not download latest release" + Display --indent 2 --text "Suggestion: ${LAST_COMMAND_HELP}" + ExitFatal + fi + fi + + # Removing temp file + logtext "Action: Removing temporary file ${TMP_FILE}" + if [ "${TMP_FILE}" = "" ]; then + if [ -f ${TMP_FILE} ]; then + rm -f ${TMP_FILE} + fi + fi + + Display --indent 2 --text " " + Display --indent 2 --text "Done" + Display --indent 2 --text " " + ExitClean + +# Update check +elif [ "$1" = "info" ]; then + + # CV - Current Version + PROGRAM_AC=`echo ${PROGRAM_version} | awk '{ print $1 }' | sed 's/[.]//g'` + PROGRAM_LV=0 + + CheckUpdates + + # Reset everything if we can't determine our current version or the latest + # available version (due lack of internet connectivity for example) + if [ "${PROGRAM_AC}" = "" -o "${PROGRAM_LV}" = "" ]; then + # Set both to safe values + PROGRAM_AC=0; PROGRAM_LV=0 + fi + + echo ""; echo " == ${WHITE}${PROGRAM_name}${NORMAL} ==" + echo "" + echo " Version : ${PROGRAM_version}" + echo -n " Status : " + if [ ${PROGRAM_LV} -eq 0 ]; then + echo "${RED}Unknown${NORMAL}"; + elif [ ${PROGRAM_LV} -gt ${PROGRAM_AC} ]; then + echo "${YELLOW}Outdated${NORMAL}"; + echo " Current version : ${PROGRAM_AC}" + echo " Latest version : ${PROGRAM_LV}" + else + echo "${GREEN}Up-to-date${NORMAL}" + fi + echo " Release date : ${PROGRAM_releasedate}" + echo " Update location : ${PROGRAM_website}" + echo ""; echo "" + echo "${PROGRAM_copyright}" + echo "" + + # Quit program + ExitClean + +else + Display --indent 2 --text "${RED}Error: ${WHITE}Unknown parameter $1.${NORMAL} Aborting.." + ExitFatal +fi + + +# The End From 943b944a13a6602b088ad0b224a9479c6634225d Mon Sep 17 00:00:00 2001 From: mboelen Date: Thu, 30 Apr 2015 01:28:05 +0200 Subject: [PATCH 13/44] New profile options for automatic updates --- include/profiles | 30 ++++++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) diff --git a/include/profiles b/include/profiles index fea8d412..93176716 100644 --- a/include/profiles +++ b/include/profiles @@ -147,6 +147,36 @@ if [ "${VALUE}" = "full" ]; then SCAN_TEST_LIGHT="YES"; SCAN_TEST_MEDIUM="YES"; SCAN_TEST_HEAVY="YES"; fi ;; + # Server IP or hostname + update_server_address) + UPDATE_SERVER_ADDRESS="${VALUE}" + ;; + + # Protocol (http, https) + update_server_protocol) + UPDATE_SERVER_PROTOCOL="${VALUE}" + ;; + + # File path to tarball on server + update_latest_version_download) + UPDATE_LATEST_VERSION_DOWNLOAD="${VALUE}" + ;; + + # File path to information file + update_latest_version_info) + UPDATE_LATEST_VERSION_INFO="${VALUE}" + ;; + + # Local directory where lynis directory will be placed + update_local_directory) + UPDATE_LOCAL_DIRECTORY="${VALUE}" + ;; + + # Local file to maintain current version + update_local_version_info) + UPDATE_LOCAL_VERSION_INFO="${VALUE}" + ;; + # Options during upload of data upload_options) UPLOAD_OPTIONS="${VALUE}" From 22810e58e7949098da1bbbfde3d5232798fabb08 Mon Sep 17 00:00:00 2001 From: mboelen Date: Thu, 30 Apr 2015 01:28:33 +0200 Subject: [PATCH 14/44] Replace existing update check options with new helper utility --- include/parameters | 27 ++++++++++++++++++++++++++- 1 file changed, 26 insertions(+), 1 deletion(-) diff --git a/include/parameters b/include/parameters index 790fa2f8..2cd372f8 100644 --- a/include/parameters +++ b/include/parameters @@ -23,6 +23,7 @@ PARAMCOUNT=$# while [ $# -ge 1 ]; do case $1 in + # Helpers first audit) CHECK_BINARIES=0 RUN_HELPERS=1 @@ -63,6 +64,28 @@ #break ;; + # Helpers first + update) + CHECK_BINARIES=0 + RUN_HELPERS=1 + HELPER="update" + RUN_PLUGINS=0 + RUN_TESTS=0 + SHOW_PROGRAM_DETAILS=0 + if [ ! $2 = "" ]; then + shift + HELPER_PARAMS="$1 $2" + break + else + Display --text "${RED}Error: ${WHITE}Need a target for update${NORMAL}" + Display --text " " + Display --text "Examples:" + Display --text "lynis update info" + Display --text "lynis update release" + ExitFatal + fi + ;; + # Assign auditor to report --auditor) shift @@ -102,7 +125,9 @@ # View program/database information --check-update | --check-updates | --info) - VIEWUPDATEINFO=1 + echo "This option is deprecated" + echo "Use: lynis update info" + ExitClean ;; # License key for Lynis Enterprise From c37e2eb9eb593aaa7aa78fda36d37fbf1d97317b Mon Sep 17 00:00:00 2001 From: mboelen Date: Mon, 4 May 2015 13:37:36 +0200 Subject: [PATCH 15/44] Extended Sophos detection --- include/tests_malware | 36 +++++++++++++++--------------------- 1 file changed, 15 insertions(+), 21 deletions(-) diff --git a/include/tests_malware b/include/tests_malware index 6465ab0e..2fe22ba1 100644 --- a/include/tests_malware +++ b/include/tests_malware @@ -23,7 +23,9 @@ ################################################################################# # CLAMD_RUNNING=0 + MCAFEE_SCANNER_RUNNING=0 MALWARE_SCANNER_INSTALLED=0 + SOPHOS_SCANNER_RUNNING=0 # ################################################################################# # @@ -66,27 +68,36 @@ Register --test-no MALW-3280 --weight L --network NO --description "Check if anti-virus tool is installed" if [ ${SKIPTEST} -eq 0 ]; then FOUND=0 - MCAFEE_RUNNING=0 logtext "Test: checking process cma or cmdagent (McAfee)" # cma is too generic to match on, so we want to ensure that it is related to McAfee first if [ -x /opt/McAfee/cma/bin/cma ]; then IsRunning cma - if [ ${RUNNING} -eq 1 ]; then MCAFEE_RUNNING=1; fi + if [ ${RUNNING} -eq 1 ]; then MCAFEE_SCANNER_RUNNING=1; fi else IsRunning cmdagent - if [ ${RUNNING} -eq 1 ]; then MCAFEE_RUNNING=1; fi + if [ ${RUNNING} -eq 1 ]; then MCAFEE_SCANNER_RUNNING=1; fi fi - if [ ${MCAFEE_RUNNING} -eq 1 ]; then + if [ ${MCAFEE_SCANNER_RUNNING} -eq 1 ]; then FOUND=1 Display --indent 2 --text "- Checking McAfee" --result "FOUND" --color GREEN logtext "Result: Found McAfee" MALWARE_SCANNER_INSTALLED=1 AddHP 2 2 fi + # Sophos savscand/SophosScanD + logtext "Test: checking process savscand" + IsRunning savscand + if [ ${RUNNING} -eq 1 ]; then + FOUND=1 + SOPHOS_SCANNER_RUNNING=1; + fi logtext "Test: checking process SophosScanD" IsRunning SophosScanD if [ ${RUNNING} -eq 1 ]; then FOUND=1 + SOPHOS_SCANNER_RUNNING=1; + fi + if [ ${SOPHOS_SCANNER_RUNNING} -eq 1 ]; then Display --indent 2 --text "- Checking Sophos" --result "FOUND" --color GREEN logtext "Result: Found Sophos" MALWARE_SCANNER_INSTALLED=1 @@ -114,7 +125,6 @@ logtext "Result: clamscan couldn't be found" fi fi - # ################################################################################# # @@ -185,22 +195,6 @@ # Description : Check for LMD # ################################################################################# -# - # Test : MALW-3292 - # Description : Check if at least one malware scanner is installed -# Register --test-no MALW-3292 --weight L --network NO --description "Check for at least one malware scanner" -# if [ ${SKIPTEST} -eq 0 ]; then -# if [ ${MALWARE_SCANNER_INSTALLED} -eq 1 ]; then -# logtext "Result: At least one malware scanner is installed" -# Display --indent 2 --text "- Checking presence malware scanner" --result "FOUND" --color GREEN -# #AddHP 3 3 -# else -# logtext "Result: No malware scanners found" -# Display --indent 2 --text "- Checking presence malware scanner" --result "NOT FOUND" --color YELLOW -# ReportSuggestion ${TEST_NO} "Install at least one malware scanner to perform periodic integrity tests on the system" -# #AddHP 0 3 -# fi -# fi # ################################################################################# # From 5729189349e1f532f6c81571248b6174a8eef613 Mon Sep 17 00:00:00 2001 From: mboelen Date: Wed, 13 May 2015 14:45:16 +0200 Subject: [PATCH 16/44] Added additional legal words for banners --- include/tests_banners | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/tests_banners b/include/tests_banners index 1bc1bbd0..de60c258 100644 --- a/include/tests_banners +++ b/include/tests_banners @@ -23,7 +23,7 @@ ################################################################################# # BANNER_FILES="/etc/issue /etc/issue.net /etc/motd" - LEGAL_BANNER_STRINGS="access authorized legal monitor owner policy policies private prohibited restricted this unauthorized" + LEGAL_BANNER_STRINGS="audit access authori intrusion law legal monitor owner policy policies private prohibited restricted subject terms this unauthorized" # ################################################################################# # From 893e17d982bb8072b5a49d3931b2b99e587a6752 Mon Sep 17 00:00:00 2001 From: mboelen Date: Wed, 13 May 2015 14:45:50 +0200 Subject: [PATCH 17/44] Added new AddSystemGroup function --- include/functions | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/include/functions b/include/functions index 04ccfe13..e412d7c4 100644 --- a/include/functions +++ b/include/functions @@ -20,6 +20,7 @@ # Function Description # ----------------------- ------------------------------------------------- # AddHP Add Hardening points to plot a graph later +# AddSystemGroup Adds a system to a group # CheckFilePermissions Check file permissions # CheckUpdates Determine if a new version of Lynis is available # counttests Count number of performed tests @@ -50,6 +51,7 @@ # ShowSymlinkPath Show a path behind a symlink # ViewCategories Display tests categories # logtext Log text strings to logfile, prefixed with date/time +# report Add string of data to report file # ################################################################################# @@ -62,6 +64,19 @@ logtext "Hardening: assigned ${HPADD} hardening points (max for this item: ${HPADDMAX}), current: ${HPPOINTS}, total: ${HPTOTAL}" } + + ################################################################################ + # Name : AddSystemGroup + # Description : Adds a system to a group, which can be used for categorizing + # Returns : + ################################################################################ + + AddSystemGroup() + { + report "system_group[]=$1" + } + + # Check file permissions # Parameter 1 is file/dir # Result: FILE_NOT_FOUND | OK | BAD From e0f9536761fbfa282ad089554c6f313f32b06a3a Mon Sep 17 00:00:00 2001 From: mboelen Date: Wed, 13 May 2015 14:50:43 +0200 Subject: [PATCH 18/44] Updated spec file with description, website and documentation link, version bump --- extras/lynis.spec | 42 ++++++++++++++++++++++-------------------- 1 file changed, 22 insertions(+), 20 deletions(-) diff --git a/extras/lynis.spec b/extras/lynis.spec index 997a386f..3ff52e7a 100644 --- a/extras/lynis.spec +++ b/extras/lynis.spec @@ -3,6 +3,8 @@ # Lynis spec file # ----------------- # +# This file helps to create your custom RPM package of Lynis. +# # Usage: # - Adjust version number (Version:) # - Check if you have the directories in your home directory (or adjust topdir) @@ -12,9 +14,9 @@ # ################################################################################# # -# (c) 2014 Michael Boelen +# Copyright 2015 CISOfy # -# Website: http://cisofy.com/ +# Documentation: https://cisofy.com/documentation/lynis/upgrading/ # ################################################################################# @@ -27,30 +29,32 @@ Summary: Security and system auditing tool. Name: lynis -Version: 1.6.2 +Version: 2.1.1 Release: 1 License: GPL Group: Applications/System Source: lynis-%{version}.tar.gz BuildRoot: /tmp/lynis-root -URL: http://cisofy.com/ -Vendor: CISOfy / Michael Boelen -Packager: Michael Boelen +URL: https://cisofy.com/ +Vendor: CISOfy +Packager: Michael Boelen BuildArch: noarch %description -Lynis is a security tool to audit and harden Unix/Linux based systems. It scans a -system and provides the user with suggestion and warnings regarding taken security -measures. Examples include: - - Security enhancements - - Logging and auditing options - - Banner identification - - Software availability - - Missing security patches +Lynis is an security auditing and hardening tool for Unix derivatives like Linux, BSD +and Solaris. It performs an in-depth security scan on the system to detect software +and security issues. Besides information related to security, it will also scan for +general system information, installed packages, and possible +configuration issues. + +This software is aimed at assisting with automated auditing, configuration management, +software patch management, penetration testing, vulnerability management, and malware +scanning of Unix-based systems. Lynis is released as a GPLv3 licensed project and free for everyone to use. +Commercial support and extensions are available. -See http://cisofy.com for a full description and documentation. +See https://cisofy.com for a full description and documentation. %prep [ "$RPM_BUILD_ROOT" != "/" ] && rm -rf "$RPM_BUILD_ROOT" @@ -84,11 +88,6 @@ install plugins/* ${RPM_BUILD_ROOT}%{_pluginsdir} install -d ${RPM_BUILD_ROOT}%{_dbdir} install db/* ${RPM_BUILD_ROOT}%{_dbdir} - -# Patch default paths (not required for 1.1.2+) -#sed -i -e 's#INCLUDEDIR="include"#INCLUDEDIR="%{_includedir}"#g' ${RPM_BUILD_ROOT}/usr/bin/lynis -#sed -i -e 's#PROFILE="default.prf"#PROFILE="/etc/lynis/default.prf"#g' ${RPM_BUILD_ROOT}/usr/bin/lynis - %clean [ "$RPM_BUILD_ROOT" != "/" ] && rm -rf "$RPM_BUILD_ROOT" @@ -111,6 +110,9 @@ install db/* ${RPM_BUILD_ROOT}%{_dbdir} #%attr(644, root, root) %{_plugindir}/* %changelog +* Wed May 13 2015 Michael Boelen - 1.1.9-1 +- Changed website address, version bump + * Sun Sep 14 2014 Michael Boelen - 1.1.8-1 - Changed permissions with regards of pentest option From 283e198c231df3b6535414197ba1e592dba0a8e8 Mon Sep 17 00:00:00 2001 From: mboelen Date: Sun, 17 May 2015 23:00:28 +0200 Subject: [PATCH 19/44] Improved detection of blacklisted/disabled modules --- include/tests_storage | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-) diff --git a/include/tests_storage b/include/tests_storage index a3b59eae..1ee95589 100644 --- a/include/tests_storage +++ b/include/tests_storage @@ -33,7 +33,7 @@ if [ -d /etc/modprobe.d ]; then FIND=`ls /etc/modprobe.d/* 2> /dev/null` if [ ! "${FIND}" = "" ]; then - FIND=`grep -r "install usb-storage /bin/true" /etc/modprobe.d/* | grep "usb-storage" | grep -v "#"` + FIND=`grep -r "install usb-storage /bin/(false|true)" /etc/modprobe.d/* | grep "usb-storage" | grep -v "#"` FIND2=`egrep -r "^blacklist (usb_storage|usb-storage)" /etc/modprobe.d/*` if [ ! "${FIND}" = "" -o ! "${FIND2}" = "" ]; then FOUND=1 @@ -44,7 +44,7 @@ fi fi if [ -f /etc/modprobe.conf ]; then - FIND=`grep "install usb-storage /bin/true" /etc/modprobe.conf | grep "usb-storage" | grep -v "#"` + FIND=`grep "install usb-storage /bin/(false|true)" /etc/modprobe.conf | grep "usb-storage" | grep -v "#"` if [ ! "${FIND}" = "" ]; then FOUND=1 logtext "Result: found usb-storage driver in disabled state" @@ -66,6 +66,7 @@ # # Test : STRG-1846 # Description : Check for disabled firewire storage + # Explanation : Best option is to use the install function, or else drivers can still be loaded manually Register --test-no STRG-1846 --os Linux --weight L --network NO --description "Check if firewire storage is disabled" if [ ${SKIPTEST} -eq 0 ]; then FOUND=0 @@ -73,8 +74,8 @@ if [ -d /etc/modprobe.d ]; then FIND=`ls /etc/modprobe.d/* 2> /dev/null` if [ ! "${FIND}" = "" ]; then - FIND1=`egrep "blacklist (ohci1394|firewire-ohci)" /etc/modprobe.d/* | grep "ohci" | grep -v "#"` - FIND2=`egrep "install (ohci1394|firewire-ohci) /bin/true" /etc/modprobe.d/* | grep "ohci" | grep -v "#"` + FIND1=`egrep "blacklist (ohci1394|firewire-ohci|firewire_ohci)" /etc/modprobe.d/* | grep "ohci" | grep -v "#"` + FIND2=`egrep "install (ohci1394|firewire-ohci|firewire_ohci) /bin/(false|true)" /etc/modprobe.d/* | grep "ohci" | grep -v "#"` if [ ! "${FIND1}" = "" -o ! "${FIND2}" = "" ]; then FOUND=1 logtext "Result: found firewire ohci driver in disabled state" @@ -84,8 +85,8 @@ fi fi if [ -f /etc/modprobe.conf ]; then - FIND1=`egrep -r "blacklist (ohci1394|firewire-ohci)" /etc/modprobe.conf | grep "ohci" | grep -v "#"` - FIND2=`egrep -r "install (ohci1394|firewire-ohci) /bin/true" /etc/modprobe.conf | grep "ohci" | grep -v "#"` + FIND1=`egrep -r "blacklist (ohci1394|firewire-ohci|firewire_ohci)" /etc/modprobe.conf | grep "ohci" | grep -v "#"` + FIND2=`egrep -r "install (ohci1394|firewire-ohci|firewire_ohci) /bin/(false|true)" /etc/modprobe.conf | grep "ohci" | grep -v "#"` if [ ! "${FIND1}" = "" -o ! "${FIND2}" = "" ]; then FOUND=1 logtext "Result: found firewire ohci driver in disabled state" @@ -107,6 +108,7 @@ # ################################################################################# # +# Use modprobe --showconfig to test for options # NetBSD: amd (auto mount daemon) @@ -119,4 +121,4 @@ wait_for_keypress # #================================================================================ -# Lynis - Copyright 2007-2015, Michael Boelen - www.rootkit.nl - The Netherlands +# Lynis - Copyright 2007-2015, CISOfy, Michael Boelen - https://cisofy.com From 46f9a3dec8a6c6f5cd93ea79b95a208dabc61794 Mon Sep 17 00:00:00 2001 From: mboelen Date: Sun, 17 May 2015 23:01:38 +0200 Subject: [PATCH 20/44] Log file integrity monitoring tool, adding support for lfd (CSF) tool --- include/tests_file_integrity | 65 +++++++++++++++++++++++++++++++++--- 1 file changed, 60 insertions(+), 5 deletions(-) diff --git a/include/tests_file_integrity b/include/tests_file_integrity index d5d7ef1e..0fe987c5 100644 --- a/include/tests_file_integrity +++ b/include/tests_file_integrity @@ -14,6 +14,8 @@ # ################################################################################# # + CSF_CONFIG="/etc/csf/csf.conf" + FILE_INT_TOOL="" FILE_INT_TOOL_FOUND=0 # Boolean, file integrity tool found # ################################################################################# @@ -30,11 +32,11 @@ logtext "Test: Checking AFICK binary" if [ ! "${AFICKBINARY}" = "" ]; then logtext "Result: AFICK is installed (${AFICKBINARY})" + FILE_INT_TOOL="afick" FILE_INT_TOOL_FOUND=1 Display --indent 4 --text "- AFICK" --result FOUND --color GREEN else logtext "Result: AFICK is not installed" - Display --indent 4 --text "- AFICK" --result "NOT FOUND" --color WHITE fi fi # @@ -47,11 +49,11 @@ logtext "Test: Checking AIDE binary" if [ ! "${AIDEBINARY}" = "" ]; then logtext "Result: AIDE is installed (${AIDEBINARY})" + FILE_INT_TOOL="aide" FILE_INT_TOOL_FOUND=1 Display --indent 4 --text "- AIDE" --result FOUND --color GREEN else logtext "Result: AIDE is not installed" - Display --indent 4 --text "- AIDE" --result "NOT FOUND" --color WHITE fi fi # @@ -119,11 +121,11 @@ logtext "Test: Checking Osiris binary" if [ ! "${OSIRISBINARY}" = "" ]; then logtext "Result: Osiris is installed (${OSIRISBINARY})" + FILE_INT_TOOL="osiris" FILE_INT_TOOL_FOUND=1 Display --indent 4 --text "- Osiris" --result FOUND --color GREEN else logtext "Result: Osiris is not installed" - Display --indent 4 --text "- Osiris" --result "NOT FOUND" --color WHITE fi fi # @@ -136,11 +138,11 @@ logtext "Test: Checking Samhain binary" if [ ! "${SAMHAINBINARY}" = "" ]; then logtext "Result: Samhain is installed (${SAMHAINBINARY})" + FILE_INT_TOOL="samhain" FILE_INT_TOOL_FOUND=1 Display --indent 4 --text "- Samhain" --result FOUND --color GREEN else logtext "Result: Samhain is not installed" - Display --indent 4 --text "- Samhain" --result "NOT FOUND" --color WHITE fi fi # @@ -153,6 +155,7 @@ logtext "Test: Checking Tripwire binary" if [ ! "${TRIPWIREBINARY}" = "" ]; then logtext "Result: Tripwire is installed (${TRIPWIREBINARY})" + FILE_INT_TOOL="tripwire" FILE_INT_TOOL_FOUND=1 Display --indent 4 --text "- Tripwire" --result FOUND --color GREEN else @@ -170,10 +173,13 @@ logtext "Test: Checking if OSSEC syscheck daemon is running" IsRunning ossec-syscheckd if [ ${RUNNING} -eq 1 ]; then + logtext "Result: syscheck (OSSEC) installed" + FILE_INT_TOOL="ossec-syscheck" FILE_INT_TOOL_FOUND=1 Display --indent 4 --text "- OSSEC (syscheck)" --result FOUND --color GREEN else Display --indent 4 --text "- OSSEC (syscheck)" --result "NOT FOUND" --color WHITE + logtext "Result: syscheck (OSSEC) not installed" fi fi # @@ -187,11 +193,59 @@ logtext "Test: Checking mtree binary" if [ ! "${MTREEBINARY}" = "" ]; then logtext "Result: mtree is installed (${MTREEBINARY})" + FILE_INT_TOOL="mtree" FILE_INT_TOOL_FOUND=1 Display --indent 4 --text "- mtree" --result FOUND --color GREEN else logtext "Result: mtree is not installed" - Display --indent 4 --text "- mtree" --result "NOT FOUND" --color WHITE + fi + fi +# +################################################################################# +# + # Test : FINT-4334 + # Description : Check if LFD is used (part of CSF suite) + if [ -f ${CSF_CONFIG} ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + Register --test-no FINT-4334 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check lfd daemon status" + if [ ${SKIPTEST} -eq 0 ]; then + Display --indent 4 --text "- lfd (CSF)" --result FOUND --color GREEN + IsRunning 'lfd ' + if [ ${RUNNING} -eq 1 ]; then + logtext "Result: lfd daemon is running (CSF)" + Display --indent 6 --text "- Daemon status" --result RUNNING --color GREEN + FILE_INT_TOOL="csf-lfd" + FILE_INT_TOOL_FOUND=1 + else + Display --indent 6 --text "- Daemon status" --result "NOT RUNNING" --color YELLOW + fi + fi + # Test : FINT-4336 + # Description : Check if LFD is enabled (part of CSF suite) + if [ -f ${CSF_CONFIG} ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + Register --test-no FINT-4336 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check lfd configuration status" + if [ ${SKIPTEST} -eq 0 ]; then + # LFD configuration parameters + ENABLED=`grep "^LF_DAEMON = \"1\"" ${CSF_CONFIG}` + if [ ! "${ENABLED}" = "" ]; then + logtext "Result: lfd service is configured to run" + Display --indent 6 --text "- Configuration status" --result ENABLED --color GREEN + else + logtext "Result: lfd service is configured NOT to run" + Display --indent 6 --text "- Configuration status" --result DISABLED --color YELLOW + fi + ENABLED=`grep "^LF_DIRWATCH =" ${CSF_CONFIG} | awk '{ print $3 }' | sed 's/\"//g'` + if [ ! "${ENABLED}" = "0" -a ! "${ENABLED}" = "" ]; then + logtext "Result: lfd directory watching is enabled (value: ${ENABLED})" + Display --indent 6 --text "- Temporary directory watches" --result ENABLED --color GREEN + else + logtext "Result: lfd directory watching is disabled" + Display --indent 6 --text "- Temporary directory watches" --result DISABLED --color YELLOW + fi + ENABLED=`grep "^LF_DIRWATCH_FILE =" ${CSF_CONFIG} | awk '{ print $3 }' | sed 's/\"//g'` + if [ ! "${ENABLED}" = "0" -a ! "${ENABLED}" = "" ]; then + Display --indent 6 --text "- Directory/File watches" --result ENABLED --color GREEN + else + Display --indent 6 --text "- Directory/File watches" --result DISABLED --color YELLOW fi fi # @@ -217,6 +271,7 @@ ################################################################################# # +report "file_integrity_tool=${FILE_INT_TOOL}" report "file_integrity_tool_installed=${FILE_INT_TOOL_FOUND}" wait_for_keypress From f3bd9ca9ad4266eff8f4ad8d632fe07f8b30cffe Mon Sep 17 00:00:00 2001 From: mboelen Date: Sun, 17 May 2015 23:22:54 +0200 Subject: [PATCH 21/44] Display only the tools actually found, to keep screen output as clean as possible --- include/tests_file_integrity | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/include/tests_file_integrity b/include/tests_file_integrity index 0fe987c5..7bdc2072 100644 --- a/include/tests_file_integrity +++ b/include/tests_file_integrity @@ -160,7 +160,6 @@ Display --indent 4 --text "- Tripwire" --result FOUND --color GREEN else logtext "Result: Tripwire is not installed" - Display --indent 4 --text "- Tripwire" --result "NOT FOUND" --color WHITE fi fi # @@ -178,7 +177,6 @@ FILE_INT_TOOL_FOUND=1 Display --indent 4 --text "- OSSEC (syscheck)" --result FOUND --color GREEN else - Display --indent 4 --text "- OSSEC (syscheck)" --result "NOT FOUND" --color WHITE logtext "Result: syscheck (OSSEC) not installed" fi fi @@ -263,7 +261,7 @@ else logtext "Result: No file integrity tools found" Display --indent 2 --text "- Checking presence integrity tool" --result "NOT FOUND" --color YELLOW - ReportSuggestion ${TEST_NO} "Install a file integrity tool" + ReportSuggestion ${TEST_NO} "Install a file integrity tool to monitor changes to critical and sensitive files" AddHP 0 5 fi fi From 45114e6557ede683308c0031c976921016bcb0c9 Mon Sep 17 00:00:00 2001 From: mboelen Date: Mon, 25 May 2015 17:20:58 +0200 Subject: [PATCH 22/44] Chef support added --- include/tests_tooling | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/include/tests_tooling b/include/tests_tooling index 6f8e6150..6d4b9917 100644 --- a/include/tests_tooling +++ b/include/tests_tooling @@ -45,6 +45,25 @@ Display --indent 4 --text "Found: Cfengine (cfagent)" --result FOUND --color GREEN fi + CHEF_LOCATIONS="/opt/chef/bin /opt/chef-server/sv /opt/chefdk/bin" + for I in ${CHEF_LOCATIONS}; do + if [ -d ${I} ]; then + if [ -f ${I}/chef-client ]; then + CHEFCLIENTBINARY="${I}/chef-client" + AUTOMATION_TOOL_FOUND=1 + Display --indent 4 --text "Found: Chef client (chef-client)" --result FOUND --color GREEN + logtext "Result: found chef-client (chef client daemon) in ${I}" + fi + if [ -f ${I}/erchef ]; then + CHEFSERVERBINARY="${I}/erchef" + logtext "Result: Chef Server (erchef) is installed (${CHEFSERVERBINARY})" + AUTOMATION_TOOL_FOUND=1 + Display --indent 4 --text "Found: Chef Server (erchef)" --result FOUND --color GREEN + logtext "Result: found erchef (chef server daemon) in ${I}" + fi + fi + done + # Puppet if [ ! "${PUPPETBINARY}" = "" ]; then logtext "Result: Puppet is installed (${PUPPETBINARY})" From 1c07e6fa2c92b8e75e4194704360b4d1eba11a4d Mon Sep 17 00:00:00 2001 From: mboelen Date: Mon, 25 May 2015 17:33:51 +0200 Subject: [PATCH 23/44] New test TIME-3106, Chronyd and systemd-timesyncd support --- include/tests_time | 50 ++++++++++++++++++++++++++++++++++++---------- 1 file changed, 39 insertions(+), 11 deletions(-) diff --git a/include/tests_time b/include/tests_time index 4e40bace..8937219d 100644 --- a/include/tests_time +++ b/include/tests_time @@ -32,6 +32,7 @@ # Specific for ntpd NTPD_RUNNING=0 CRON_DIRS="/etc/cron.d /etc/cron.hourly /etc/cron.daily /etc/cron.weekly /etc/cron.monthly /var/spool/crontabs" + SYSTEMD_NTP_ENABLED=0 # ################################################################################# # @@ -46,10 +47,24 @@ fi Register --test-no TIME-3104 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check for running NTP daemon or client" if [ ${SKIPTEST} -eq 0 ]; then - # Linux/FreeBSD (ntpdate), OpenBSD (ntpd, rdate) + # Linux/FreeBSD (ntpdate), OpenBSD (ntpd, rdate), Chrony, systemd-timesyncd logtext "Test: Searching for a running NTP daemon or available client" FOUND=0 + if [ -f /etc/chrony.conf ]; then + IsRunning chronyd + if [ ${RUNNING} -eq 1 ]; then + FOUND=1; NTP_DAEMON_RUNNING=1; NTP_CONFIG_TYPE_DAEMON=1; NTP_DAEMON="chronyd" + Display --indent 2 --text "- NTP daemon found: chronyd" --result FOUND --color GREEN + fi + + # Check time daemon (eg DragonFly BSD) + IsRunning dntpd + if [ ${RUNNING} -eq 1 ]; then + FOUND=1; NTP_DAEMON_RUNNING=1; NTP_CONFIG_TYPE_DAEMON=1; NTP_DAEMON="dntpd" + Display --indent 2 --text "- NTP daemon found: dntpd" --result FOUND --color GREEN + fi + # Check running processes FIND=`${PSBINARY} ax | grep "ntpd" | grep -v "dntpd" | grep -v "grep"` if [ ! "${FIND}" = "" ]; then @@ -66,19 +81,18 @@ Display --indent 2 --text "- NTP daemon found: timed" --result FOUND --color GREEN fi - # Check time daemon (eg DragonFly BSD) - IsRunning dntpd - if [ ${RUNNING} -eq 1 ]; then - FOUND=1; NTP_DAEMON_RUNNING=1; NTP_CONFIG_TYPE_DAEMON=1; NTP_DAEMON="dntpd" - Display --indent 2 --text "- NTP daemon found: dntpd" --result FOUND --color GREEN - fi - # Check timedate daemon (systemd) if [ ! "${TIMEDATECTL}" = "" ]; then FIND=`${TIMEDATECTL} status | grep "NTP enabled: yes"` if [ ! "${FIND}" = "" ]; then - FOUND=1; NTP_DAEMON_RUNNING=1; NTP_CONFIG_TYPE_DAEMON=1; NTP_DAEMON="timedated" - Display --indent 2 --text "- NTP daemon found: timedated" --result "FOUND" --color GREEN + # Check for systemd-timesyncd + if [ -f /etc/systemd/timesyncd.conf ]; then + FOUND=1; NTP_DAEMON_RUNNING=1; NTP_CONFIG_TYPE_DAEMON=1; NTP_DAEMON="systemd-timesyncd" + Display --indent 2 --text "- NTP daemon found: systemd (timesyncd)" --result "FOUND" --color GREEN + SYSTEMD_NTP_ENABLED=1 + fi + else + logtext "Result: time sychronization not performed according timedatectl command" fi fi @@ -137,7 +151,6 @@ logtext "Result: no ntpdate or rdate found in cron directories" fi - # Checking if ntpdate is performed by event logtext "Test: checking for file /etc/network/if-up.d/ntpdate" if [ -f /etc/network/if-up.d/ntpdate ]; then @@ -181,6 +194,21 @@ fi # ################################################################################# +# + # Test : TIME-3106 + # Description : Check status of systemd time synchronization + if [ ${SYSTEMD_NTP_ENABLED} -eq 1 -a ! "${TIMEDATECTL}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + Register --test-no TIME-3106 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check systemd NTP time synchronization status" + if [ ${SKIPTEST} -eq 0 ]; then + logtext "Test: Check the status of time synchronization via timedatectl" + FIND=`${TIMEDATECTL} status | grep "NTP sychronized: yes"` + if [ "${FIND}" = "" ]; then + logtext "Result: time not synchronized via NTP" + ReportSuggestion "${TEST_NO}" "Check timedatectl output. Sychronization via NTP is enabled, but status reflects it is not synchronized" + fi + fi +# +################################################################################# # # Test : TIME-3112 # Description : Check for valid associations from ntpq peers list From 7854eeae20cecc13b3b5c4e2dfdb11cdeea63034 Mon Sep 17 00:00:00 2001 From: mboelen Date: Mon, 25 May 2015 17:45:41 +0200 Subject: [PATCH 24/44] Chronyd support, finishing test --- include/tests_time | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/include/tests_time b/include/tests_time index 8937219d..8d425fa3 100644 --- a/include/tests_time +++ b/include/tests_time @@ -52,10 +52,11 @@ FOUND=0 if [ -f /etc/chrony.conf ]; then - IsRunning chronyd - if [ ${RUNNING} -eq 1 ]; then - FOUND=1; NTP_DAEMON_RUNNING=1; NTP_CONFIG_TYPE_DAEMON=1; NTP_DAEMON="chronyd" - Display --indent 2 --text "- NTP daemon found: chronyd" --result FOUND --color GREEN + IsRunning chronyd + if [ ${RUNNING} -eq 1 ]; then + FOUND=1; NTP_DAEMON_RUNNING=1; NTP_CONFIG_TYPE_DAEMON=1; NTP_DAEMON="chronyd" + Display --indent 2 --text "- NTP daemon found: chronyd" --result FOUND --color GREEN + fi fi # Check time daemon (eg DragonFly BSD) @@ -113,7 +114,7 @@ fi else logtext "Result: crontab file ${I} not found" - fi + fi done ########################## From 3f3ced806e8662f7ebd3c41938fa5140c28a4ec4 Mon Sep 17 00:00:00 2001 From: mboelen Date: Mon, 25 May 2015 23:16:45 +0200 Subject: [PATCH 25/44] Changed last line --- include/tests_tooling | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/tests_tooling b/include/tests_tooling index 6d4b9917..ee118c31 100644 --- a/include/tests_tooling +++ b/include/tests_tooling @@ -125,4 +125,4 @@ wait_for_keypress # #================================================================================ -# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com +# Lynis - Copyright 2007-2015, CISOfy - https://cisofy.com From ef2b12e218be09e0e0a48f7640edd7701dd95776 Mon Sep 17 00:00:00 2001 From: mboelen Date: Mon, 25 May 2015 23:17:08 +0200 Subject: [PATCH 26/44] Added block and character type devices as symlinks --- include/functions | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/include/functions b/include/functions index e412d7c4..39487967 100644 --- a/include/functions +++ b/include/functions @@ -1300,6 +1300,7 @@ SYMLINK_USE_READLINK=1 logtext "Note: Using real readlink binary to determine symlinks" tFILE=`${READLINKBINARY} -f ${sFILE}` + logtext "Result: readlink shows ${tFILE} as output" fi fi # Check if we can find the file now @@ -1309,6 +1310,14 @@ sFILE="${tFILE}" logtext "Result: symlink found, pointing to file ${sFILE}" FOUNDPATH=1 + elif [ -b ${tFILE} ]; then + sFILE="${tFILE}" + logtext "Result: symlink found, pointing to block device ${sFILE}" + FOUNDPATH=1 + elif [ -c ${tFILE} ]; then + sFILE="${tFILE}" + logtext "Result: symlink found, pointing to character device ${sFILE}" + FOUNDPATH=1 elif [ -d ${tFILE} ]; then sFILE="${tFILE}" logtext "Result: symlink found, pointing to directory ${sFILE}" From 2f0e9f0981fe8ba6306a8b2369c178936b539926 Mon Sep 17 00:00:00 2001 From: mboelen Date: Mon, 25 May 2015 23:17:21 +0200 Subject: [PATCH 27/44] Changed last line --- include/tests_authentication | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/tests_authentication b/include/tests_authentication index 6921373c..d5a5c8bd 100644 --- a/include/tests_authentication +++ b/include/tests_authentication @@ -1329,4 +1329,4 @@ wait_for_keypress # #================================================================================ -# Lynis - Copyright 2007-2015 Michael Boelen, CISOfy - https://cisofy.com +# Lynis - Copyright 2007-2015, CISOfy - https://cisofy.com From 1d1aa3c96676bf350ef459aafb81d978e13dd351 Mon Sep 17 00:00:00 2001 From: mboelen Date: Mon, 25 May 2015 23:17:42 +0200 Subject: [PATCH 28/44] Improved kernel detection on Slackware --- include/tests_kernel | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/include/tests_kernel b/include/tests_kernel index a2ba9e9b..d5a105a7 100644 --- a/include/tests_kernel +++ b/include/tests_kernel @@ -516,7 +516,8 @@ FIND=`ls /boot/vmlinuz* 2> /dev/null` if [ ! "${FIND}" = "" ]; then # Display kernels, extract version numbers and sort them numeric per column (up to 6 numbers) - KERNELS=`ls /boot/vmlinuz* | sed 's/vmlinuz-//' | sed 's/\.[a-z].*.//g' | sed 's/-[a-z].*.//g' | sed 's./boot/..' | sed 's/-/./g' | sort -n -k1,1 -k2,2 -k3,3 -k4,4 -k5,5 -k6,6 -t \.` + # Remove generic. and huge. for Slackware machines + KERNELS=`ls /boot/vmlinuz* | sed 's/vmlinuz-//' sed 's/generic.//' | sed 's/huge.//' | sed 's/\.[a-z].*.//g' | sed 's/-[a-z].*.//g' | sed 's./boot/..' | sed 's/-/./g' | sort -n -k1,1 -k2,2 -k3,3 -k4,4 -k5,5 -k6,6 -t \.` elif [ ! `ls /boot/kernel* 2> /dev/null` = "" ]; then # Display kernels, extract version numbers and sort them numeric per column (up to 6 numbers) # Examples: From b885b9f84f245f1dfc4913ded405e612e563ff9b Mon Sep 17 00:00:00 2001 From: mboelen Date: Mon, 25 May 2015 23:20:52 +0200 Subject: [PATCH 29/44] Add missing pipe --- include/tests_kernel | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/tests_kernel b/include/tests_kernel index d5a105a7..b6c2b2ff 100644 --- a/include/tests_kernel +++ b/include/tests_kernel @@ -517,7 +517,7 @@ if [ ! "${FIND}" = "" ]; then # Display kernels, extract version numbers and sort them numeric per column (up to 6 numbers) # Remove generic. and huge. for Slackware machines - KERNELS=`ls /boot/vmlinuz* | sed 's/vmlinuz-//' sed 's/generic.//' | sed 's/huge.//' | sed 's/\.[a-z].*.//g' | sed 's/-[a-z].*.//g' | sed 's./boot/..' | sed 's/-/./g' | sort -n -k1,1 -k2,2 -k3,3 -k4,4 -k5,5 -k6,6 -t \.` + KERNELS=`ls /boot/vmlinuz* | sed 's/vmlinuz-//' | sed 's/generic.//' | sed 's/huge.//' | sed 's/\.[a-z].*.//g' | sed 's/-[a-z].*.//g' | sed 's./boot/..' | sed 's/-/./g' | sort -n -k1,1 -k2,2 -k3,3 -k4,4 -k5,5 -k6,6 -t \.` elif [ ! `ls /boot/kernel* 2> /dev/null` = "" ]; then # Display kernels, extract version numbers and sort them numeric per column (up to 6 numbers) # Examples: From 52b8c3a6a701d0cc3ea9d3507cd4f59153c41daa Mon Sep 17 00:00:00 2001 From: mboelen Date: Tue, 26 May 2015 11:10:50 +0200 Subject: [PATCH 30/44] Added VMTYPE --- include/consts | 1 + 1 file changed, 1 insertion(+) diff --git a/include/consts b/include/consts index 6c4ad85a..1d80c0b2 100644 --- a/include/consts +++ b/include/consts @@ -142,6 +142,7 @@ unset LANG UPLOAD_OPTIONS="" UPDATE_CHECK_SKIPPED=0 VALUE="" + VMTYPE="" # ################################################################################# # From 1a04109daddb3c264a44d1d98c04b0fe82102972 Mon Sep 17 00:00:00 2001 From: mboelen Date: Tue, 26 May 2015 11:11:15 +0200 Subject: [PATCH 31/44] Extended descriptions --- include/functions | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/include/functions b/include/functions index 39487967..2245bc80 100644 --- a/include/functions +++ b/include/functions @@ -5,7 +5,7 @@ # Lynis # ------------------ # -# Copyright 2007-2015 - Michael Boelen, CISOfy (michael.boelen@cisofy.com) +# Copyright 2007-2015, Michael Boelen - CISOfy # https://cisofy.com # # This software is licensed under GPL, version 3. See LICENSE file for @@ -27,8 +27,8 @@ # Debug Display additional information on the screen (not suited for cronjob) # DirectoryExists Check if a directory exists on the disk # Display Output text to screen with colors and identation -# ExitClean Stop the program (cleanly) -# ExitFatal Stop the program (cleanly), with fatal +# ExitClean Stop the program (cleanly), with exit code 0 +# ExitFatal Stop the program (cleanly), with exit code 1 # FileExists Check if a file exists on the disk # FileIsEmpty Check if a file is empty # FileIsReadable Check if a file is readable or directory accessible @@ -652,7 +652,7 @@ docker) ISVIRTUALMACHINE=1; VMTYPE="docker"; VMFULLTYPE="Docker container" ;; kvm) ISVIRTUALMACHINE=1; VMTYPE="kvm"; VMFULLTYPE="KVM" ;; lxc) ISVIRTUALMACHINE=1; VMTYPE="lxc"; VMFULLTYPE="Linux Containers" ;; - lxc-libvirt) ISVIRTUALMACHINE=1; VMTYPE="lxc-libvirt"; VMFULLTYPE="libvirt LXC driver (Linux Containers" ;; + lxc-libvirt) ISVIRTUALMACHINE=1; VMTYPE="lxc-libvirt"; VMFULLTYPE="libvirt LXC driver (Linux Containers)" ;; microsoft) ISVIRTUALMACHINE=1; VMTYPE="microsoft"; VMFULLTYPE="Microsoft Virtual PC" ;; openvz) ISVIRTUALMACHINE=1; VMTYPE="openvz"; VMFULLTYPE="OpenVZ" ;; oracle|virtualbox) ISVIRTUALMACHINE=1; VMTYPE="virtualbox"; VMFULLTYPE="Oracle VM VirtualBox" ;; From 3c3bb2d0db067a69574d3bcfbd732c197e9c3d56 Mon Sep 17 00:00:00 2001 From: mboelen Date: Tue, 26 May 2015 11:11:42 +0200 Subject: [PATCH 32/44] Do not show auditd suggestion for OpenVZ systems --- include/tests_accounting | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/include/tests_accounting b/include/tests_accounting index 2b5e5048..d32f4b33 100644 --- a/include/tests_accounting +++ b/include/tests_accounting @@ -126,7 +126,9 @@ else logtext "Result: auditd not active" Display --indent 2 --text "- Checking auditd" --result "NOT FOUND" --color WHITE - ReportSuggestion ${TEST_NO} "Enable auditd to collect audit information" + if [ ! "${VMTYPE}" = "openvz" ]; then + ReportSuggestion ${TEST_NO} "Enable auditd to collect audit information" + fi AUDITD_RUNNING=0 report "audit_daemon_running=0" AddHP 0 1 @@ -427,4 +429,4 @@ wait_for_keypress # #================================================================================ -# Lynis - Copyright 2007-2015, Michael Boelen - http://cisofy.com - The Netherlands +# Lynis - Copyright 2007-2015, Michael Boelen / CISOfy - https://cisofy.com From a1095ef9413dcd50964a4d9b42605c7250e19e46 Mon Sep 17 00:00:00 2001 From: mboelen Date: Tue, 26 May 2015 11:12:36 +0200 Subject: [PATCH 33/44] Improved swap detection and added UUID check --- include/tests_filesystems | 43 ++++++++++++++++++++++++++++++--------- 1 file changed, 33 insertions(+), 10 deletions(-) diff --git a/include/tests_filesystems b/include/tests_filesystems index 6d9453da..6444a645 100644 --- a/include/tests_filesystems +++ b/include/tests_filesystems @@ -209,23 +209,46 @@ FOUND=0 logtext "Test: query swap partitions from /etc/fstab file" # Check if third field contains 'swap' - FIND=`awk '{ if ($3=="swap") print $1 }' /etc/fstab` + FIND=`awk '{ if ($2=="swap" || $3=="swap") { print $1 }}' /etc/fstab | grep -v "^#"` for I in ${FIND}; do FOUND=1 + REAL="" + UUID="" logtext "Swap partition found: ${I}" # YYY Add a test if partition is not a normal partition (e.g. UUID=) # Can be ^/dev/mapper/vg-name_lv-name # Can be ^/dev/partition + # Can be ^UUID=uuid --> /dev/disk/by-uuid/ - # if [ ! "${BLKIDBINARY}" = "" ]; then - # FIND2=`${BLKIDBINARY} | awk '{ if ($2=="UUID=\"${UUID}\"") print $1 }' | sed 's/:$//'` - # else - # logtext "Result: blkid binary not found, trying by checking device listing" - # if [ -f /dev/disk/by-uuid/${UUID} ]; then - # logtext "Result: found disk via /dev/disk/by-uuid listing" - # fi - # fi - report "swap_partition[]=${I}" + HAS_UUID=`echo ${I} | grep "^UUID="` + if [ ! "${HAS_UUID}" = "" ]; then + UUID=`echo ${HAS_UUID} | awk -F= '{ print $2 }'` + logtext "Result: Using ${UUID} as UUID" + if [ ! "${BLKIDBINARYx}" = "" ]; then + FIND2=`${BLKIDBINARY} | awk '{ if ($2=="UUID=\"${UUID}\"") print $1 }' | sed 's/:$//'` + if [ ! "${FIND2}" = "" ]; then + REAL="${FIND2}" + fi + else + logtext "Result: blkid binary not found, trying by checking device listing" + sFILE="" + if [ -L /dev/disk/by-uuid/${UUID} ]; then + logtext "Result: found disk via /dev/disk/by-uuid listing" + ShowSymlinkPath /dev/disk/by-uuid/${UUID} + if [ ! "${sFILE}" = "" ]; then + REAL="${sFILE}" + logtext "Result: disk is ${REAL}" + fi + else + logtext "Result: no symlink found to /dev/disk/by-uuid/${UUID}" + fi + fi + fi + # Set real device + if [ "${REAL}" = "" ]; then + REAL="${I}" + fi + report "swap_partition[]=${I},${REAL}," done if [ ${FOUND} -eq 1 ]; then Display --indent 2 --text "- Query swap partitions (fstab)" --result OK --color GREEN From c70f3e93cd7a79d7a579158a756ca2122f6ce0e7 Mon Sep 17 00:00:00 2001 From: mboelen Date: Tue, 26 May 2015 11:13:23 +0200 Subject: [PATCH 34/44] Cleanup of screen output, with focus on minimum output --- include/tests_time | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/include/tests_time b/include/tests_time index 8d425fa3..508702c5 100644 --- a/include/tests_time +++ b/include/tests_time @@ -109,7 +109,7 @@ Display --indent 2 --text "- Checking NTP client in crontab file (${I})" --result FOUND --color GREEN logtext "Result: found ntpdate or rdate reference in crontab file ${I}" else - Display --indent 2 --text "- Checking NTP client in crontab file (${I})" --result "NOT FOUND" --color WHITE + #Display --indent 2 --text "- Checking NTP client in crontab file (${I})" --result "NOT FOUND" --color WHITE logtext "Result: no ntpdate or rdate reference found in crontab file ${I}" fi else @@ -148,7 +148,7 @@ Display --indent 2 --text "- Checking NTP client in cron files" --result FOUND --color GREEN logtext "Result: found ntpdate or rdate in cron directory" else - Display --indent 2 --text "- Checking NTP client in cron.d files" --result "NOT FOUND" --color WHITE + #Display --indent 2 --text "- Checking NTP client in cron.d files" --result "NOT FOUND" --color WHITE logtext "Result: no ntpdate or rdate found in cron directories" fi @@ -433,6 +433,8 @@ # ################################################################################# # +# For VMs check ntpd.conf : tinker panic 0 +# wait_for_keypress @@ -458,4 +460,4 @@ wait_for_keypress # #================================================================================ -# Lynis - Copyright 2007-2015, Michael Boelen - www.rootkit.nl - The Netherlands +# Lynis - Copyright 2007-2015, CISOfy - https://cisofy.com From bb696a04f12193ec06432fcf8e3312a601935b0d Mon Sep 17 00:00:00 2001 From: mboelen Date: Tue, 26 May 2015 11:13:47 +0200 Subject: [PATCH 35/44] Improved detection of directories in logrotate --- include/tests_logging | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/include/tests_logging b/include/tests_logging index 0d8189a9..7346365a 100644 --- a/include/tests_logging +++ b/include/tests_logging @@ -274,7 +274,7 @@ Register --test-no LOGG-2150 --weight L --preqs-met ${PREQS_MET} --network NO --description "Checking directories in logrotate configuration" if [ ${SKIPTEST} -eq 0 ]; then logtext "Test: Checking which directories can be found in logrotate configuration" - FIND=`${LOGROTATEBINARY} -d -v /etc/logrotate.conf 2>&1 | egrep "considering log|skipping" | grep -v '*' | sort | uniq | awk '{ if ($2=="log") { print $3 } }' | sed 's/\/*[a-zA-Z_.-]*$//g' | sort | uniq` + FIND=`${LOGROTATEBINARY} -d -v /etc/logrotate.conf 2>&1 | egrep "considering log|skipping" | grep -v '*' | sort | uniq | awk '{ if ($2=="log") { print $3 } }' | sed 's@/[^/]*$@@g' | sort | uniq` if [ "${FIND}" = "" ]; then logtext "Result: nothing found" else @@ -285,7 +285,6 @@ report "log_directory[]=${I}" else logtext "Directory could not be found: ${I}" - # YYY strip more parts of the name, until it can be found (and stop at /) fi done fi From 30b9b1edd9d9689c59266b2be12f95bc80a334a5 Mon Sep 17 00:00:00 2001 From: mboelen Date: Wed, 27 May 2015 11:25:07 +0200 Subject: [PATCH 36/44] Added support for Docker binary --- include/binaries | 3 +++ 1 file changed, 3 insertions(+) diff --git a/include/binaries b/include/binaries index a8fb6425..e2569613 100644 --- a/include/binaries +++ b/include/binaries @@ -90,6 +90,9 @@ as) ASFOUND=1; ASBINARY="${BINARY}"; COMPILER_INSTALLED=1; logtext " Found known binary: as (compiler) - ${BINARY}" ;; auditctl) AUDITCTLFOUND=1; AUDITCTLBINARY="${BINARY}"; logtext " Found known binary: auditctl (control utility for audit daemon) - ${BINARY}" ;; autolog) AUTOLOGFOUND=1; AUTOLOGBINARY="${BINARY}"; IDLE_SESSION_KILLER_INSTALLED=1; logtext " Found known binary: autolog (idle session killer) - ${BINARY}" ;; + debsecan) DEBSECANBINARY="${BINARY}"; logtext " Found known binary: debsecan (package vulnerability checking) - ${BINARY}" ;; + debsums) DEBSUMSBINARY="${BINARY}"; logtext " Found known binary: debsums (package integrity checking) - ${BINARY}" ;; + docker) DOCKERBINARY="${BINARY}"; logtext " Found known binary: docker (container technology) - ${BINARY}" ;; chkconfig) CHKCONFIGFOUND=1; CHKCONFIGBINARY=${BINARY}; logtext " Found known binary: chkconfig (administration tool) - ${BINARY}" ;; clamscan) CLAMSCANFOUND=1; CLAMSCANBINARY=${BINARY}; logtext " Found known binary: clamscan (AV scanner) - ${BINARY}" ;; cfagent) CFAGENTFOUND=1; CFAGENTBINARY="${BINARY}"; FILE_INT_TOOL_FOUND=1; logtext " Found known binary: cfengine agent (configuration tool) - ${BINARY}" ;; From fe636c7d6c39332ab359e426a37b079177ef10d3 Mon Sep 17 00:00:00 2001 From: mboelen Date: Wed, 27 May 2015 11:25:35 +0200 Subject: [PATCH 37/44] Docker support --- include/consts | 1 + 1 file changed, 1 insertion(+) diff --git a/include/consts b/include/consts index 1d80c0b2..cd85acb9 100644 --- a/include/consts +++ b/include/consts @@ -77,6 +77,7 @@ unset LANG CONTROL_URL_PREPEND="" CUSTOM_URL_APPEND="" CUSTOM_URL_PREPEND="" + DOCKER_DAEMON_RUNNING=0 FILEVALUE="" FIND="" FIREWALL_ACTIVE=0 From 917c790ecc930077cc303aa7192906eb4279da72 Mon Sep 17 00:00:00 2001 From: mboelen Date: Wed, 27 May 2015 11:42:31 +0200 Subject: [PATCH 38/44] Changed text --- include/tests_kernel | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/include/tests_kernel b/include/tests_kernel index b6c2b2ff..4a5f437a 100644 --- a/include/tests_kernel +++ b/include/tests_kernel @@ -340,7 +340,6 @@ logtext "Test: Searching apt-cache, to determine if a newer kernel is available" if [ -x /usr/bin/apt-cache ]; then logtext "Result: found /usr/bin/apt-cache" - # YYY Test for presence /usr/bin/apt-cache and dpkg logtext "Test: checking readlink location of /vmlinuz" FINDKERNFILE=`readlink -f /vmlinuz` logtext "Output: readlink reported file ${FINDKERNFILE}" @@ -581,4 +580,4 @@ wait_for_keypress # #================================================================================ -# Lynis - Copyright 2007-2015, Michael Boelen - http://cisofy.com - The Netherlands +# Lynis - Copyright 2007-2015, CISOfy - https://cisofy.com From f60011eb1b4887c589fa2e985b0486b36e967626 Mon Sep 17 00:00:00 2001 From: mboelen Date: Wed, 27 May 2015 11:43:08 +0200 Subject: [PATCH 39/44] Removing tests which were already performed in authentication section. --- include/tests_shells | 48 ++------------------------------------------ 1 file changed, 2 insertions(+), 46 deletions(-) diff --git a/include/tests_shells b/include/tests_shells index cf406602..52550562 100644 --- a/include/tests_shells +++ b/include/tests_shells @@ -57,16 +57,9 @@ logtext "Output /etc/ttys:" logtext "${FIND}" ReportWarning ${TEST_NO} "M" "Found unprotected console in /etc/ttys" - #ReportSuggestion ${TEST_NO} "Change the console line from 'secure' to 'insecure'." + logtext "Possible solution: Change the console line from 'secure' to 'insecure'." fi fi -# -################################################################################# -# - # Test : SHLL-6214 - # Description : check for idle session killing tools (timeoutd) - - # ################################################################################# # @@ -220,43 +213,6 @@ fi # ################################################################################# -# - # Test : SHLL-6236 - # Description : Check /etc/profile -# -################################################################################# -# - - # Test : SHLL-6240 - # Description : Check default umask -# Register --test-no SHLL-6240 --weight L --network NO --description "Check default umask" -# if [ ${SKIPTEST} -eq 0 ]; then -# logtext "Test: Checking /etc/profile" -# if [ -f /etc/profile ]; then -# FIND=`grep "^umask" | awk '{ print $2 }'` -# if [ "${FIND}" = "" ]; then -# logtext "Result: xxx" -# Display --indent 2 --text "- Checking default umask" --result OK --color GREEN -# else -# logtext "Result: xxx" -# Display --indent 2 --text "- Checking default umask" --result WARNING --color RED -# #ReportWarning ${TEST_NO} "M" "xxx" -# #ReportSuggestion ${TEST_NO} "xxx" -# fi -# fi -# fi -# -################################################################################# -# - # Test : SHLL-6250 - # Description : Check /etc/bash.bashrc -# Register --test-no SHLL-6250 --weight L --network NO --description "Check default umask" -# if [ ${SKIPTEST} -eq 0 ]; then -# -################################################################################# -# -# -################################################################################# # # Test : SHLL-6290 # Description : Check for Shellshock vulnerability @@ -395,4 +351,4 @@ wait_for_keypress # #================================================================================ -# Lynis - Copyright 2007-2015, CISOfy & Michael Boelen - http://cisofy.com - The Netherlands +# Lynis - Copyright 2007-2015, CISOfy - http://cisofy.com From 7f0fbcf359fb3f15735991923b391f44a0345bf1 Mon Sep 17 00:00:00 2001 From: mboelen Date: Wed, 27 May 2015 12:34:01 +0200 Subject: [PATCH 40/44] Initial import for container category --- include/tests_containers | 167 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 167 insertions(+) create mode 100644 include/tests_containers diff --git a/include/tests_containers b/include/tests_containers new file mode 100644 index 00000000..d6450c95 --- /dev/null +++ b/include/tests_containers @@ -0,0 +1,167 @@ +#!/bin/sh + +################################################################################# +# +# Lynis +# ------------------ +# +# Copyright 2007-2015, Michael Boelen (michael.boelen@cisofy.com) +# Web site: https://cisofy.com +# +# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are +# welcome to redistribute it under the terms of the GNU General Public License. +# See LICENSE file for usage of this software. +# +################################################################################# +# +# Containers, Zones, Jails +# +################################################################################# +# + InsertSection "Containers" +# +################################################################################# +# + # Test : CONT-8004 + # Description : Query running Solaris zones + if [ -x /usr/sbin/zoneadm ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + Register --test-no CONT-8004 --os Solaris --weight L --network NO --description "Query running Solaris zones" + if [ ${SKIPTEST} -eq 0 ]; then + logtext "Test: query zoneadm to list all running zones" + FIND=`/usr/sbin/zoneadm list -p | awk -F: '{ if ($2!="global") print $0 }'` + if [ ! "${FIND}" = "" ]; then + N=0 + for I in ${FIND}; do + N=`expr ${N} + 1` + ZONEID=`echo ${I} | cut -d ':' -f1` + ZONENAME=`echo ${I} | cut -d ':' -f2` + logtext "Result: found zone ${ZONENAME} (running)" + report "solaris_running_zone[]=${ZONENAME} [id:${ZONEID}]" + done + logtext "Result: total of ${N} running zones" + Display --indent 2 --text "- Checking Solaris Zones" --result "FOUND ${N} zones" --color GREEN + else + logtext "Result: no running zones found" + Display --indent 2 --text "- Checking Solaris Zones" --result NONE --color WHITE + fi + fi +# +################################################################################# +# + # Test : CONT-1906 + # Description : Query running Xen zones + #if [ -x /usr/bin/xm ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + #Register --test-no CONT-1906 --weight L --network NO --description "Query Xen guests" + #if [ ${SKIPTEST} -eq 0 ]; then + # Show Xen guests + #FIND=`xm list | awk '$1 != "Name|Domain-0" {print $1","$2}'` + #for I in ${FIND}; do + #XENGUESTNAME=`echo ${I} | cut -d ':' -f1` + #XENGUESTID=`echo ${I} | cut -d ':' -f2` + #logtext "Result: found Xen guest ${XENGUESTNAME} (ID: ${XENGUESTID})" + #done + #fi +# +################################################################################# +# + # Test : CONT-8102 + # Description : Checking Docker daemon status and basic information for later tests + Register --test-no CONT-8102 --weight L --network NO --description "Checking Docker status and information" + if [ ${SKIPTEST} -eq 0 ]; then + IsRunning "docker -d" + if [ ${RUNNING} -eq 1 ]; then + logtext "Result: found Docker daemon running" + report "docker_daemon_running=1" + DOCKER_DAEMON_RUNNING=1 + Display --indent 4 --text "- Docker" + Display --indent 6 --text "- Docker daemon" --result RUNNING --color GREEN + fi + fi +# +################################################################################# +# + # Test : CONT-8104 + # Description : Checking Docker info for any warnings + # Notes : Hardening points are awarded, as usually warnings are the result of missing controls to restrict boundaries like memory + if [ ! "${DOCKERBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + Register --test-no CONT-8104 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking Docker info for any warnings" + if [ ${SKIPTEST} -eq 0 ]; then + COUNT=0 + logtext "Test: Check for any warnings" + FIND=`${DOCKERBINARY} info 2>&1 | grep "^WARNING:" | cut -d " " -f 2- | sed 's/ /:space:/g'` + if [ ! "${FIND}" = "" ]; then + logtext "Result: found warning(s) in output" + for I in ${FIND}; do + J=`echo ${I} | sed 's/:space:/ /g'` + logtext "Output: ${J}" + COUNT=`expr ${COUNT} + 1` + done + Display --indent 8 --text "- Docker info output (warnings)" --result "${COUNT}" --color RED + ReportSuggestion "${TEST_NO}" "Run 'docker info' to see warnings applicable to Docker daemon" + AddHP 3 4 + else + logtext "Result: no warnings found from 'docker info' output" + Display --indent 8 --text "- Docker info output (warnings)" --result "NONE" --color GREEN + AddHP 1 1 + fi + fi +# +################################################################################# +# + # Test : CONT-8106 + # Description : Checking Docker containers (basic stats) + # Notes : Hardening points are awarded, if there aren't a lot of stopped containers + if [ ! "${DOCKERBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + Register --test-no CONT-8106 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking Docker info for any warnings" + if [ ${SKIPTEST} -eq 0 ]; then + Display --indent 6 --text "- Containers" + + # Check total of containers + logtext "Test: checking total amount of Docker containers" + DOCKER_CONTAINERS_TOTAL=`${DOCKERBINARY} info 2> /dev/null | grep "^Containers: " | awk '{ print $2 }'` + logtext "Result: docker info shows ${DOCKER_CONTAINERS_TOTAL} containers" + DOCKER_CONTAINERS_TOTAL2=`${DOCKERBINARY} ps -a 2> /dev/null | grep -v "CONTAINER" | wc -l` + logtext "Result: docker ps -a shows ${DOCKER_CONTAINERS_TOTAL2} containers" + if [ ! "${DOCKER_CONTAINERS_TOTAL}" = "${DOCKER_CONTAINERS_TOTAL2}" ]; then + logtext "Result: difference detected, which is unexpected" + ReportSuggestion "${TEST_NO}" "Test output of both 'docker ps -a' and 'docker info', to determine why they report a different amount of containers" + Display --indent 8 --text "- Total containers" --result "UNKNOWN" --color RED + else + Display --indent 8 --text "- Total containers" --result "${DOCKER_CONTAINERS_TOTAL}" --color WHITE + fi + + # Check running instances + DOCKER_CONTAINERS_RUNNING=`${DOCKERBINARY} ps | grep -v "CONTAINER" | wc -l` + Display --indent 8 --text "- Running containers" --result "${DOCKER_CONTAINERS_RUNNING}" --color GREEN + if [ ${DOCKER_CONTAINERS_RUNNING} -gt 0 ]; then + logtext "Result: ${DOCKER_CONTAINERS_RUNNING} containers are currently active" + report "docker_containers_running=${DOCKER_CONTAINERS_RUNNING}" + else + logtext "Result: no active containers" + report "docker_containers_running=0" + fi + + # Check if there aren't too many unused containers on the system + if [ ${DOCKER_CONTAINERS_TOTAL} -gt 0 ]; then + DOCKER_CONTAINERS_UNUSED=`expr ${DOCKER_CONTAINERS_TOTAL} - ${DOCKER_CONTAINERS_RUNNING}` + if [ ${DOCKER_CONTAINERS_UNUSED} -gt 10 ]; then + ReportSuggestion "${TEST_NO}" "More than 10 unused containers found on the system. Clean up old containers by using output of 'docker ps -a' command" + Display --indent 8 --text "- Unused containers" --result "${DOCKER_CONTAINERS_UNUSED}" --color RED + AddHP 0 2 + else + logtext "Result: found ${DOCKER_CONTAINERS_UNUSED} unused containers" + Display --indent 8 --text "- Unused containers" --result "${DOCKER_CONTAINERS_UNUSED}" --color YELLOW + AddHP 1 1 + fi + fi + fi +# +################################################################################# +# + + +wait_for_keypress + +# +#================================================================================ +# Lynis - Copyright 2007-2015, CISOfy - https://cisofy.com From 46e6f87fc10c8823da35049f241f28960a1ccea7 Mon Sep 17 00:00:00 2001 From: mboelen Date: Wed, 27 May 2015 12:34:19 +0200 Subject: [PATCH 41/44] Added container to test groups --- lynis | 12 +++++------- 1 file changed, 5 insertions(+), 7 deletions(-) diff --git a/lynis b/lynis index 46740486..3415692b 100755 --- a/lynis +++ b/lynis @@ -719,13 +719,11 @@ logtext "Info: perform tests from all categories" INCLUDE_TESTS="boot_services kernel memory_processes authentication shells \ - filesystems storage storage_nfs \ - nameservices ports_packages networking printers_spools \ - mail_messaging firewalls \ - webservers ssh snmp databases ldap php squid logging \ - insecure_services banners scheduling accounting \ - time crypto virtualization mac_frameworks file_integrity hardening_tools tooling \ - malware file_permissions homedirs kernel_hardening hardening" + filesystems storage storage_nfs nameservices ports_packages networking printers_spools \ + mail_messaging firewalls webservers ssh snmp databases ldap php squid logging \ + insecure_services banners scheduling accounting time crypto virtualization containers \ + mac_frameworks file_integrity hardening_tools tooling malware file_permissions homedirs \ + kernel_hardening hardening" else INCLUDE_TESTS="${TESTS_CATEGORY_TO_PERFORM}" logtext "Info: only performing tests from categories: ${TESTS_CATEGORY_TO_PERFORM}" From d59b180e76d162090c2006c0fef968d36d6691b0 Mon Sep 17 00:00:00 2001 From: mboelen Date: Wed, 27 May 2015 12:34:48 +0200 Subject: [PATCH 42/44] Updated release date --- lynis | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lynis b/lynis index 3415692b..3ca57f7d 100755 --- a/lynis +++ b/lynis @@ -23,7 +23,7 @@ # Program information PROGRAM_name="Lynis" PROGRAM_version="2.1.1" - PROGRAM_releasedate="29 April 2015" + PROGRAM_releasedate="27 May 2015" PROGRAM_author="CISOfy" PROGRAM_author_contact="lynis-dev@cisofy.com" PROGRAM_website="https://cisofy.com" From 5f3c47df68eda0fe6808efc65cff2742d62f04df Mon Sep 17 00:00:00 2001 From: mboelen Date: Wed, 27 May 2015 12:35:56 +0200 Subject: [PATCH 43/44] Added debsecan, debsums and kernel package counting --- include/tests_ports_packages | 102 +++++++++++++++++++++++++++++++++-- 1 file changed, 98 insertions(+), 4 deletions(-) diff --git a/include/tests_ports_packages b/include/tests_ports_packages index 30d67f85..23a66584 100644 --- a/include/tests_ports_packages +++ b/include/tests_ports_packages @@ -402,9 +402,67 @@ fi # ################################################################################# +# + # Test : PKGS-7366 + # Description : Checking if debsecan is installed and enabled on Debian systems + if [ ! "${DEBSECANBINARY}" = "" -a "${OS}" = "Linux" -a "${LINUX_VERSION}" = "Debian" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + Register --test-no "PKGS-7366" --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking for debsecan utility" + if [ ${SKIPTEST} -eq 0 ]; then + if [ ! "${DEBSECANBINARY}" = "" ]; then + logtext "Result: debsecan utility is installed" + Display --indent 4 --text "- debsecan utility" --result "FOUND" --color GREEN + AddHP 3 3 + PACKAGE_AUDIT_TOOL_FOUND=1 + PACKAGE_AUDIT_TOOL="debsecan" + FIND=`find /etc/cron* -name debsecan` + if [ ! ${FIND} = "" ]; then + logtext "Result: cron job is configured for debsecan" + Display --indent 6 --text "- debsecan cron job" --result "FOUND" --color GREEN + AddHP 3 3 + else + logtext "Result: no cron job is configured for debsecan" + Display --indent 4 --text "- debsecan cron job" --result "NOT FOUND" --color YELLOW + AddHP 1 3 + ReportSuggestion ${TEST_NO} "Check debsecan cron job and ensure it is enabled" + fi + else + logtext "Result: debsecan is not installed." + Display --indent 4 --text "- debsecan utility" --result "NOT FOUND" --color YELLOW + AddHP 0 2 + ReportSuggestion ${TEST_NO} "Install debsecan to check for vulnerabilities on installed packages." + fi + fi +# +################################################################################# # # Test : PKGS-7370 - # Description : Check debsums output + # Description : Checking debsums installation status and presence in cron job + # Note : Run this only when it is a DPKG based system + if [ ! "${DPKGBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + Register --test-no "PKGS-7370" --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking for debsums utility" + if [ ${SKIPTEST} -eq 0 ]; then + if [ ! "${DEBSUMSBINARY}" = "" ]; then + logtext "Result: debsums utility is installed" + Display --indent 4 --text "- debsums utility" --result "FOUND" --color GREEN + AddHP 1 1 + # Check in /etc/cron.hourly, daily, weekly, monthly etc + COUNT=`find /etc/cron* -name debsums | wc -l` + if [ ${COUNT} -gt 0 ]; then + logtext "Result: Cron job is configured for debsums utility." + Display --indent 6 --text "- Cron job for debsums" --result "FOUND" --color GREEN + AddHP 3 3 + else + logtext "Result: Cron job is not configured for debsums utility." + Display --indent 6 --text "- Cron job for debsums" --result "NOT FOUND" --color YELLOW + AddHP 1 3 + ReportSuggestion "${TEST_NO}" "Check debsums configuration and enable checking regurlarly via a cron job." + fi + else + logtext "Result: debsums utility is not installed." + AddHP 0 2 + ReportSuggestion ${TEST_NO} "Install debsums utility for the verification of packages with known good database." + fi + fi # ################################################################################# # @@ -933,9 +991,45 @@ # ################################################################################# # -# check for popularity-contest (Debian/Ubuntu) -# check for yum-changelog - + # Test : PKGS-7410 + # Description : Count number of installed kernel packages + Register --test-no PKGS-7410 --weight L --network NO --description "Count installed kernel packages" + if [ ${SKIPTEST} -eq 0 ]; then + KERNELS=0 + if [ ! "${RPMBINARY}" = "" ]; then + logtext "Test: Checking how many kernel packages are installed" + KERNELS=`rpm -q kernel 2> /dev/null | wc -l` + if [ ${KERNELS} -eq 0 ]; then + logtext "Result: found no kernels from rpm -q kernel output, which is unexpected" + ReportException "KRNL-5840:1" "Could not find any kernel packages from RPM output" + elif [ ${KERNELS} -gt 5 ]; then + logtext "Result: found more than 5 kernel packages on the system, which might indicate lack of regular cleanups" + ReportSuggestion "${TEST_NO}" "Remove any unneeded kernel packages with package-cleanup utility (--old-kernels)" + AddHP 4 5 + else + logtext "Result: found ${KERNELS} on the system, which is fine" + AddHP 1 1 + fi + fi + fi +# +################################################################################# +# + # Test : PKGS-7414 + # Description : Check installonly_limit in yum.conf +# +################################################################################# +# + # Test : PKGS-7416 + # Description : Check for popularity-contest (Debian/Ubuntu) +# +################################################################################# +# + # Test : PKGS-7418 + # Description : Check for yum-changelog +# +################################################################################# +# if [ ! "${INSTALLED_PACKAGES}" = "" ]; then report "installed_packages_array=${INSTALLED_PACKAGES}" From 785ac74f91d6d2f0c6dd8728a28555f897f50333 Mon Sep 17 00:00:00 2001 From: mboelen Date: Wed, 27 May 2015 12:36:34 +0200 Subject: [PATCH 44/44] Moved tests to new container group --- include/tests_virtualization | 47 ++---------------------------------- 1 file changed, 2 insertions(+), 45 deletions(-) diff --git a/include/tests_virtualization b/include/tests_virtualization index c9100bf9..36a3a456 100644 --- a/include/tests_virtualization +++ b/include/tests_virtualization @@ -5,8 +5,8 @@ # Lynis # ------------------ # -# Copyright 2007-2015, Michael Boelen (michael@rootkit.nl), The Netherlands -# Web site: http://www.rootkit.nl +# Copyright 2007-2015, Michael Boelen (michael.boelen@cisofy.com) +# Web site: https://cisofy.com # # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are # welcome to redistribute it under the terms of the GNU General Public License. @@ -22,49 +22,6 @@ # ################################################################################# # - # Test : VIRT-1902 - # Description : Query running Solaris zones - if [ -x /usr/sbin/zoneadm ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi - Register --test-no VIRT-1902 --os Solaris --weight L --network NO --description "Query running Solaris zones" - if [ ${SKIPTEST} -eq 0 ]; then - logtext "Test: query zoneadm to list all running zones" - FIND=`/usr/sbin/zoneadm list -p | awk -F: '{ if ($2!="global") print $0 }'` - if [ ! "${FIND}" = "" ]; then - N=0 - for I in ${FIND}; do - N=`expr ${N} + 1` - ZONEID=`echo ${I} | cut -d ':' -f1` - ZONENAME=`echo ${I} | cut -d ':' -f2` - logtext "Result: found zone ${ZONENAME} (running)" - report "solaris_running_zone[]=${ZONENAME} [id:${ZONEID}]" - done - logtext "Result: total of ${N} running zones" - Display --indent 2 --text "- Checking Solaris Zones" --result "FOUND ${N} zones" --color GREEN - else - logtext "Result: no running zones found" - Display --indent 2 --text "- Checking Solaris Zones" --result NONE --color WHITE - fi - fi -# -################################################################################# -# - # Test : VIRT-1906 - # Description : Query running Xen zones - #if [ -x /usr/bin/xm ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi - #Register --test-no VIRT-1906 --weight L --network NO --description "Query Xen guests" - #if [ ${SKIPTEST} -eq 0 ]; then - # Show Xen guests - #FIND=`xm list | awk '$1 != "Name|Domain-0" {print $1","$2}'` - #for I in ${FIND}; do - #XENGUESTNAME=`echo ${I} | cut -d ':' -f1` - #XENGUESTID=`echo ${I} | cut -d ':' -f2` - #logtext "Result: found Xen guest ${XENGUESTNAME} (ID: ${XENGUESTID})" - #done - #fi -# -################################################################################# -# - # # Test : VIRT-1920 # # Description : Checking VMware # Register --test-no VIRT-1920 --weight L --network NO --description "Checking VMware guest status"