Merge pull request #2 from CISOfy/master

Update from official repo.
This commit is contained in:
Roland Smith 2015-06-07 15:25:07 +02:00
commit 4ae085ab87
26 changed files with 923 additions and 275 deletions

View File

@ -308,6 +308,38 @@ permdir:/root/.ssh:rwx------:root:-:WARN:
#config:custom_url_prepend:https://your-domain.example.org/control-info/: #config:custom_url_prepend:https://your-domain.example.org/control-info/:
#config:custom_url_append:/: #config:custom_url_append:/:
#################################################################################
#
# Automatic Updating
# -------------------
#
# These settings are required when using the lynis update functionality.
# By specifying local paths and your update server, the tool can do an update
# check, compare versions and download a new version.
#
#################################################################################
# Local directory (without slash at end) where lynis directory will be installed
# Note: do not add full path to lynis, as subdirectory is part of tarball
#config:update_local_directory:/usr/local:
# Full path to local file. Change local path if Lynis is installed on a different place
#config:update_local_version_info:/usr/local/lynis/client-version:
# Download information
# -----------------------------
# Protocol to use: http, https
#config:update_server_protocol:http:
# Address of update server
#config:update_server_address:192.168.1.125:
# Path to last stable release
#config:update_latest_version_download:/files/lynis-latest.tar.gz:
# Last part of URL (file to gather)
#config:update_latest_version_info:/files/lynis-latest-version:
################################################################################# #################################################################################
# #
# Lynis Enterprise # Lynis Enterprise
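Review bot: the new Automatic Updating block suggests `#config:update_server_protocol:http:` as the example value, yet the tarball fetched through this channel is later extracted as root into `update_local_directory`; document https as the default and state that nothing in the update path verifies a checksum or signature, so the update server must be one the operator controls. The comment above `update_server_address` should also mention that the same host and scheme are used for both `update_latest_version_info` and `update_latest_version_download`, since the helper builds both URLs by concatenation.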

View File

@ -3,6 +3,8 @@
# Lynis spec file # Lynis spec file
# ----------------- # -----------------
# #
# This file helps to create your custom RPM package of Lynis.
#
# Usage: # Usage:
# - Adjust version number (Version:) # - Adjust version number (Version:)
# - Check if you have the directories in your home directory (or adjust topdir) # - Check if you have the directories in your home directory (or adjust topdir)
@ -12,9 +14,9 @@
# #
################################################################################# #################################################################################
# #
# (c) 2014 Michael Boelen # Copyright 2015 CISOfy
# #
# Website: http://cisofy.com/ # Documentation: https://cisofy.com/documentation/lynis/upgrading/
# #
################################################################################# #################################################################################
@ -27,30 +29,32 @@
Summary: Security and system auditing tool. Summary: Security and system auditing tool.
Name: lynis Name: lynis
Version: 1.6.2 Version: 2.1.1
Release: 1 Release: 1
License: GPL License: GPL
Group: Applications/System Group: Applications/System
Source: lynis-%{version}.tar.gz Source: lynis-%{version}.tar.gz
BuildRoot: /tmp/lynis-root BuildRoot: /tmp/lynis-root
URL: http://cisofy.com/ URL: https://cisofy.com/
Vendor: CISOfy / Michael Boelen Vendor: CISOfy
Packager: Michael Boelen <michael@rootkit.nl> Packager: Michael Boelen <michael.boelen@cisofy.com>
BuildArch: noarch BuildArch: noarch
%description %description
Lynis is a security tool to audit and harden Unix/Linux based systems. It scans a Lynis is an security auditing and hardening tool for Unix derivatives like Linux, BSD
system and provides the user with suggestion and warnings regarding taken security and Solaris. It performs an in-depth security scan on the system to detect software
measures. Examples include: and security issues. Besides information related to security, it will also scan for
- Security enhancements general system information, installed packages, and possible
- Logging and auditing options configuration issues.
- Banner identification
- Software availability This software is aimed at assisting with automated auditing, configuration management,
- Missing security patches software patch management, penetration testing, vulnerability management, and malware
scanning of Unix-based systems.
Lynis is released as a GPLv3 licensed project and free for everyone to use. Lynis is released as a GPLv3 licensed project and free for everyone to use.
Commercial support and extensions are available.
See http://cisofy.com for a full description and documentation. See https://cisofy.com for a full description and documentation.
%prep %prep
[ "$RPM_BUILD_ROOT" != "/" ] && rm -rf "$RPM_BUILD_ROOT" [ "$RPM_BUILD_ROOT" != "/" ] && rm -rf "$RPM_BUILD_ROOT"
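Review bot: the rewritten %description opens with "Lynis is an security auditing and hardening tool", which should read "a security auditing and hardening tool". While touching this header, `License: GPL` is left as-is although the description states GPLv3; use `License: GPLv3` so the package metadata matches the text.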
@ -84,11 +88,6 @@ install plugins/* ${RPM_BUILD_ROOT}%{_pluginsdir}
install -d ${RPM_BUILD_ROOT}%{_dbdir} install -d ${RPM_BUILD_ROOT}%{_dbdir}
install db/* ${RPM_BUILD_ROOT}%{_dbdir} install db/* ${RPM_BUILD_ROOT}%{_dbdir}
# Patch default paths (not required for 1.1.2+)
#sed -i -e 's#INCLUDEDIR="include"#INCLUDEDIR="%{_includedir}"#g' ${RPM_BUILD_ROOT}/usr/bin/lynis
#sed -i -e 's#PROFILE="default.prf"#PROFILE="/etc/lynis/default.prf"#g' ${RPM_BUILD_ROOT}/usr/bin/lynis
%clean %clean
[ "$RPM_BUILD_ROOT" != "/" ] && rm -rf "$RPM_BUILD_ROOT" [ "$RPM_BUILD_ROOT" != "/" ] && rm -rf "$RPM_BUILD_ROOT"
@ -111,6 +110,9 @@ install db/* ${RPM_BUILD_ROOT}%{_dbdir}
#%attr(644, root, root) %{_plugindir}/* #%attr(644, root, root) %{_plugindir}/*
%changelog %changelog
* Wed May 13 2015 Michael Boelen - 1.1.9-1
- Changed website address, version bump
* Sun Sep 14 2014 Michael Boelen - 1.1.8-1 * Sun Sep 14 2014 Michael Boelen - 1.1.8-1
- Changed permissions with regards of pentest option - Changed permissions with regards of pentest option
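Review bot: the new %changelog entry is tagged `1.1.9-1`, but `Version:` in the same spec is bumped to `2.1.1`; the changelog line should read `* Wed May 13 2015 Michael Boelen - 2.1.1-1` (or whichever version this release actually is) so rpm tooling and readers see a consistent history.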

View File

@ -78,7 +78,6 @@
N=`expr ${N} + 1` N=`expr ${N} + 1`
BINARY="${SCANDIR}/${I}" BINARY="${SCANDIR}/${I}"
DISCOVERED_BINARIES="${DISCOVERED_BINARIES}${BINARY} " DISCOVERED_BINARIES="${DISCOVERED_BINARIES}${BINARY} "
logtext "Binary: ${BINARY}"
# Optimized, much quicker (limited file access needed) # Optimized, much quicker (limited file access needed)
case ${I} in case ${I} in
aa-status) APPARMORFOUND=1; AASTATUSBINARY=${BINARY}; logtext " Found known binary: aa-status (apparmor component) - ${BINARY}" ;; aa-status) APPARMORFOUND=1; AASTATUSBINARY=${BINARY}; logtext " Found known binary: aa-status (apparmor component) - ${BINARY}" ;;
@ -91,6 +90,9 @@
as) ASFOUND=1; ASBINARY="${BINARY}"; COMPILER_INSTALLED=1; logtext " Found known binary: as (compiler) - ${BINARY}" ;; as) ASFOUND=1; ASBINARY="${BINARY}"; COMPILER_INSTALLED=1; logtext " Found known binary: as (compiler) - ${BINARY}" ;;
auditctl) AUDITCTLFOUND=1; AUDITCTLBINARY="${BINARY}"; logtext " Found known binary: auditctl (control utility for audit daemon) - ${BINARY}" ;; auditctl) AUDITCTLFOUND=1; AUDITCTLBINARY="${BINARY}"; logtext " Found known binary: auditctl (control utility for audit daemon) - ${BINARY}" ;;
autolog) AUTOLOGFOUND=1; AUTOLOGBINARY="${BINARY}"; IDLE_SESSION_KILLER_INSTALLED=1; logtext " Found known binary: autolog (idle session killer) - ${BINARY}" ;; autolog) AUTOLOGFOUND=1; AUTOLOGBINARY="${BINARY}"; IDLE_SESSION_KILLER_INSTALLED=1; logtext " Found known binary: autolog (idle session killer) - ${BINARY}" ;;
debsecan) DEBSECANBINARY="${BINARY}"; logtext " Found known binary: debsecan (package vulnerability checking) - ${BINARY}" ;;
debsums) DEBSUMSBINARY="${BINARY}"; logtext " Found known binary: debsums (package integrity checking) - ${BINARY}" ;;
docker) DOCKERBINARY="${BINARY}"; logtext " Found known binary: docker (container technology) - ${BINARY}" ;;
chkconfig) CHKCONFIGFOUND=1; CHKCONFIGBINARY=${BINARY}; logtext " Found known binary: chkconfig (administration tool) - ${BINARY}" ;; chkconfig) CHKCONFIGFOUND=1; CHKCONFIGBINARY=${BINARY}; logtext " Found known binary: chkconfig (administration tool) - ${BINARY}" ;;
clamscan) CLAMSCANFOUND=1; CLAMSCANBINARY=${BINARY}; logtext " Found known binary: clamscan (AV scanner) - ${BINARY}" ;; clamscan) CLAMSCANFOUND=1; CLAMSCANBINARY=${BINARY}; logtext " Found known binary: clamscan (AV scanner) - ${BINARY}" ;;
cfagent) CFAGENTFOUND=1; CFAGENTBINARY="${BINARY}"; FILE_INT_TOOL_FOUND=1; logtext " Found known binary: cfengine agent (configuration tool) - ${BINARY}" ;; cfagent) CFAGENTFOUND=1; CFAGENTBINARY="${BINARY}"; FILE_INT_TOOL_FOUND=1; logtext " Found known binary: cfengine agent (configuration tool) - ${BINARY}" ;;
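Review bot: the added `debsecan)`, `debsums)` and `docker)` cases are inserted before `chkconfig)`, `clamscan)` and `cfagent)`, which breaks the alphabetical order the rest of this `case` list follows; move them after `cfagent)`. They also set only the `*BINARY` variable without a matching `*FOUND=1` flag as the neighbouring entries do, so any test relying on these tools must check the binary variable for emptiness instead.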
@ -145,7 +147,7 @@
openssl) OPENSSLFOUND=1; OPENSSLBINARY="${BINARY}"; OPENSSLVERSION=`${BINARY} version 2> /dev/null | head -n 1 | awk '{ print $2 }' | xargs`; logtext "Found ${BINARY} (version ${OPENSSLVERSION})" ;; openssl) OPENSSLFOUND=1; OPENSSLBINARY="${BINARY}"; OPENSSLVERSION=`${BINARY} version 2> /dev/null | head -n 1 | awk '{ print $2 }' | xargs`; logtext "Found ${BINARY} (version ${OPENSSLVERSION})" ;;
pacman) PACMANFOUND=1; PACMANBINARY="${BINARY}"; logtext " Found known binary: pacman (package manager) - ${BINARY}" ;; pacman) PACMANFOUND=1; PACMANBINARY="${BINARY}"; logtext " Found known binary: pacman (package manager) - ${BINARY}" ;;
perl) PERLFOUND=1; PERLBINARY="${BINARY}"; PERLVERSION=`${BINARY} -V:version | sed 's/^version=//' | sed 's/;//' | xargs`; logtext "Found ${BINARY} (version ${PERLVERSION})" ;; perl) PERLFOUND=1; PERLBINARY="${BINARY}"; PERLVERSION=`${BINARY} -V:version | sed 's/^version=//' | sed 's/;//' | xargs`; logtext "Found ${BINARY} (version ${PERLVERSION})" ;;
php) PHPFOUND=1; PHPBINARY="${BINARY}"; PHPVERSION=`${BINARY} -v | awk '{ if ($1=="PHP") { print $2 }}' | head -1`; logtext "Found known binary: php (programming language) - ${BINARY} (version ${PHPVERSION})" ;; php) PHPFOUND=1; PHPBINARY="${BINARY}"; PHPVERSION=`${BINARY} -v | awk '{ if ($1=="PHP") { print $2 }}' | head -1`; logtext "Found known binary: php (programming language intrepreter) - ${BINARY} (version ${PHPVERSION})" ;;
pkg_admin) PKGADMINBINARY="${BINARY}"; logtext " Found known binary: pkg_admin (software package administration) - ${BINARY}" ;; pkg_admin) PKGADMINBINARY="${BINARY}"; logtext " Found known binary: pkg_admin (software package administration) - ${BINARY}" ;;
postconf) POSTCONFFOUND=1; POSTCONFBINARY="${BINARY}"; logtext " Found known binary: postconf (postfix configuration) - ${BINARY}" ;; postconf) POSTCONFFOUND=1; POSTCONFBINARY="${BINARY}"; logtext " Found known binary: postconf (postfix configuration) - ${BINARY}" ;;
postfix) POSTFIXFOUND=1; POSTFIXBINARY="${BINARY}"; logtext " Found known binary: postfix (postfix binary) - ${BINARY}" ;; postfix) POSTFIXFOUND=1; POSTFIXBINARY="${BINARY}"; logtext " Found known binary: postfix (postfix binary) - ${BINARY}" ;;
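Review bot: the updated `php)` log message contains the typo "programming language intrepreter"; it should read "programming language interpreter".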
@ -154,6 +156,7 @@
ps) PSFOUND=1; PSBINARY="${BINARY}"; logtext " Found known binary: ps (process listing) - ${BINARY}" ;; ps) PSFOUND=1; PSBINARY="${BINARY}"; logtext " Found known binary: ps (process listing) - ${BINARY}" ;;
puppet) PUPPETFOUND=1; PUPPETBINARY="${BINARY}"; logtext " Found known binary: puppet (automation tooling) - ${BINARY}" ;; puppet) PUPPETFOUND=1; PUPPETBINARY="${BINARY}"; logtext " Found known binary: puppet (automation tooling) - ${BINARY}" ;;
puppetmasterd) PUPPETMASTERDFOUND=1; PUPPETMASTERDBINARY="${BINARY}"; logtext " Found known binary: puppetmasterd (puppet master daemon) - ${BINARY}" ;; puppetmasterd) PUPPETMASTERDFOUND=1; PUPPETMASTERDBINARY="${BINARY}"; logtext " Found known binary: puppetmasterd (puppet master daemon) - ${BINARY}" ;;
python) PYTHONBINARY="${BINARY}"; logtext " Found known binary: python (programming language intepreter) - ${BINARY}" ;;
readlink) READLINKFOUND=1; READLINKBINARY="${BINARY}"; logtext " Found known binary: readlink (follows symlinks) - ${BINARY}" ;; readlink) READLINKFOUND=1; READLINKBINARY="${BINARY}"; logtext " Found known binary: readlink (follows symlinks) - ${BINARY}" ;;
rkhunter) RKHUNTERFOUND=1; RKHUNTERBINARY="${BINARY}"; MALWARE_SCANNER_INSTALLED=1; logtext " Found known binary: rkhunter (malware scanner) - ${BINARY}" ;; rkhunter) RKHUNTERFOUND=1; RKHUNTERBINARY="${BINARY}"; MALWARE_SCANNER_INSTALLED=1; logtext " Found known binary: rkhunter (malware scanner) - ${BINARY}" ;;
rootsh) ROOTSHFOUND=1; ROOTSHBINARY="${BINARY}"; logtext " Found known binary: rootsh (wrapper for shells) - ${BINARY}" ;; rootsh) ROOTSHFOUND=1; ROOTSHBINARY="${BINARY}"; logtext " Found known binary: rootsh (wrapper for shells) - ${BINARY}" ;;
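Review bot: the new `python)` log message contains the typo "programming language intepreter"; it should read "programming language interpreter". Like the other additions in this file, the entry sets `PYTHONBINARY` without a `PYTHONFOUND` flag, which is fine as long as callers test the variable rather than a flag.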

View File

@ -77,6 +77,7 @@ unset LANG
CONTROL_URL_PREPEND="" CONTROL_URL_PREPEND=""
CUSTOM_URL_APPEND="" CUSTOM_URL_APPEND=""
CUSTOM_URL_PREPEND="" CUSTOM_URL_PREPEND=""
DOCKER_DAEMON_RUNNING=0
FILEVALUE="" FILEVALUE=""
FIND="" FIND=""
FIREWALL_ACTIVE=0 FIREWALL_ACTIVE=0
@ -129,6 +130,7 @@ unset LANG
SCAN_TEST_HEAVY=""; SCAN_TEST_MEDIUM=""; SCAN_TEST_LOW="" SCAN_TEST_HEAVY=""; SCAN_TEST_MEDIUM=""; SCAN_TEST_LOW=""
SESTATUSBINARY="" SESTATUSBINARY=""
SERVICE_MANAGER="" SERVICE_MANAGER=""
SHOW_PROGRAM_DETAILS=1
SHOW_REPORT=1 SHOW_REPORT=1
SKIPPED_TESTS_ROOTONLY="" SKIPPED_TESTS_ROOTONLY=""
SSHKEYSCANBINARY="" SSHKEYSCANBINARY=""
@ -141,6 +143,7 @@ unset LANG
UPLOAD_OPTIONS="" UPLOAD_OPTIONS=""
UPDATE_CHECK_SKIPPED=0 UPDATE_CHECK_SKIPPED=0
VALUE="" VALUE=""
VMTYPE=""
# #
################################################################################# #################################################################################
# #
@ -166,7 +169,6 @@ unset LANG
TOTAL_TESTS=0 # Total amount of tests (counter) TOTAL_TESTS=0 # Total amount of tests (counter)
UPLOAD_DATA=0 # Upload of data to central node UPLOAD_DATA=0 # Upload of data to central node
VIEWHELP=0 # Show help VIEWHELP=0 # Show help
VIEWUPDATEINFO=0 # View program/database version
WRONGOPTION=0 # A wrong option is used WRONGOPTION=0 # A wrong option is used
# #
################################################################################# #################################################################################

View File

@ -5,7 +5,7 @@
# Lynis # Lynis
# ------------------ # ------------------
# #
# Copyright 2007-2015 - Michael Boelen, CISOfy (michael.boelen@cisofy.com) # Copyright 2007-2015, Michael Boelen - CISOfy
# https://cisofy.com # https://cisofy.com
# #
# This software is licensed under GPL, version 3. See LICENSE file for # This software is licensed under GPL, version 3. See LICENSE file for
@ -20,14 +20,15 @@
# Function Description # Function Description
# ----------------------- ------------------------------------------------- # ----------------------- -------------------------------------------------
# AddHP Add Hardening points to plot a graph later # AddHP Add Hardening points to plot a graph later
# AddSystemGroup Adds a system to a group
# CheckFilePermissions Check file permissions # CheckFilePermissions Check file permissions
# CheckUpdates Determine if a new version of Lynis is available # CheckUpdates Determine if a new version of Lynis is available
# counttests Count number of performed tests # counttests Count number of performed tests
# Debug Display additional information on the screen (not suited for cronjob) # Debug Display additional information on the screen (not suited for cronjob)
# DirectoryExists Check if a directory exists on the disk # DirectoryExists Check if a directory exists on the disk
# Display Output text to screen with colors and identation # Display Output text to screen with colors and identation
# ExitClean Stop the program (cleanly) # ExitClean Stop the program (cleanly), with exit code 0
# ExitFatal Stop the program (cleanly), with fatal # ExitFatal Stop the program (cleanly), with exit code 1
# FileExists Check if a file exists on the disk # FileExists Check if a file exists on the disk
# FileIsEmpty Check if a file is empty # FileIsEmpty Check if a file is empty
# FileIsReadable Check if a file is readable or directory accessible # FileIsReadable Check if a file is readable or directory accessible
@ -50,6 +51,7 @@
# ShowSymlinkPath Show a path behind a symlink # ShowSymlinkPath Show a path behind a symlink
# ViewCategories Display tests categories # ViewCategories Display tests categories
# logtext Log text strings to logfile, prefixed with date/time # logtext Log text strings to logfile, prefixed with date/time
# report Add string of data to report file
# #
################################################################################# #################################################################################
@ -62,6 +64,19 @@
logtext "Hardening: assigned ${HPADD} hardening points (max for this item: ${HPADDMAX}), current: ${HPPOINTS}, total: ${HPTOTAL}" logtext "Hardening: assigned ${HPADD} hardening points (max for this item: ${HPADDMAX}), current: ${HPPOINTS}, total: ${HPTOTAL}"
} }
################################################################################
# Name : AddSystemGroup
# Description : Adds a system to a group, which can be used for categorizing
# Returns : <nothing>
################################################################################
AddSystemGroup()
{
report "system_group[]=$1"
}
# Check file permissions # Check file permissions
# Parameter 1 is file/dir # Parameter 1 is file/dir
# Result: FILE_NOT_FOUND | OK | BAD # Result: FILE_NOT_FOUND | OK | BAD
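Review bot: `AddSystemGroup` writes `report "system_group[]=$1"` unconditionally, so a call without an argument emits an empty `system_group[]=` entry into the report; guard it with `if [ ! "$1" = "" ]; then report "system_group[]=$1"; fi` (or log a warning in the else branch). The header comment could also state where the groups are consumed, since the function has no local effect.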
@ -637,7 +652,7 @@
docker) ISVIRTUALMACHINE=1; VMTYPE="docker"; VMFULLTYPE="Docker container" ;; docker) ISVIRTUALMACHINE=1; VMTYPE="docker"; VMFULLTYPE="Docker container" ;;
kvm) ISVIRTUALMACHINE=1; VMTYPE="kvm"; VMFULLTYPE="KVM" ;; kvm) ISVIRTUALMACHINE=1; VMTYPE="kvm"; VMFULLTYPE="KVM" ;;
lxc) ISVIRTUALMACHINE=1; VMTYPE="lxc"; VMFULLTYPE="Linux Containers" ;; lxc) ISVIRTUALMACHINE=1; VMTYPE="lxc"; VMFULLTYPE="Linux Containers" ;;
lxc-libvirt) ISVIRTUALMACHINE=1; VMTYPE="lxc-libvirt"; VMFULLTYPE="libvirt LXC driver (Linux Containers" ;; lxc-libvirt) ISVIRTUALMACHINE=1; VMTYPE="lxc-libvirt"; VMFULLTYPE="libvirt LXC driver (Linux Containers)" ;;
microsoft) ISVIRTUALMACHINE=1; VMTYPE="microsoft"; VMFULLTYPE="Microsoft Virtual PC" ;; microsoft) ISVIRTUALMACHINE=1; VMTYPE="microsoft"; VMFULLTYPE="Microsoft Virtual PC" ;;
openvz) ISVIRTUALMACHINE=1; VMTYPE="openvz"; VMFULLTYPE="OpenVZ" ;; openvz) ISVIRTUALMACHINE=1; VMTYPE="openvz"; VMFULLTYPE="OpenVZ" ;;
oracle|virtualbox) ISVIRTUALMACHINE=1; VMTYPE="virtualbox"; VMFULLTYPE="Oracle VM VirtualBox" ;; oracle|virtualbox) ISVIRTUALMACHINE=1; VMTYPE="virtualbox"; VMFULLTYPE="Oracle VM VirtualBox" ;;
@ -778,6 +793,8 @@
NGINX_ACCESS_LOG_DISABLED=1 NGINX_ACCESS_LOG_DISABLED=1
else else
if [ ! "${VALUE}" = "" ]; then if [ ! "${VALUE}" = "" ]; then
# If multiple values follow, select first one
VALUE=`echo ${VALUE} | awk '{ print $1 }'`
if [ ! -f ${VALUE} ]; then if [ ! -f ${VALUE} ]; then
logtext "Result: could not find referenced log file ${VALUE} in nginx configuration" logtext "Result: could not find referenced log file ${VALUE} in nginx configuration"
NGINX_ACCESS_LOG_MISSING=1 NGINX_ACCESS_LOG_MISSING=1
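Review bot: in the added line `VALUE=\`echo ${VALUE} | awk '{ print $1 }'\`` the variable is unquoted, so a value taken from the nginx configuration is subject to word splitting and glob expansion before it reaches awk; write `echo "${VALUE}"`. The existing `[ ! -f ${VALUE} ]` on the next line has the same problem and should be quoted as `"${VALUE}"` while this block is being edited.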
@ -1283,6 +1300,7 @@
SYMLINK_USE_READLINK=1 SYMLINK_USE_READLINK=1
logtext "Note: Using real readlink binary to determine symlinks" logtext "Note: Using real readlink binary to determine symlinks"
tFILE=`${READLINKBINARY} -f ${sFILE}` tFILE=`${READLINKBINARY} -f ${sFILE}`
logtext "Result: readlink shows ${tFILE} as output"
fi fi
fi fi
# Check if we can find the file now # Check if we can find the file now
@ -1292,6 +1310,14 @@
sFILE="${tFILE}" sFILE="${tFILE}"
logtext "Result: symlink found, pointing to file ${sFILE}" logtext "Result: symlink found, pointing to file ${sFILE}"
FOUNDPATH=1 FOUNDPATH=1
elif [ -b ${tFILE} ]; then
sFILE="${tFILE}"
logtext "Result: symlink found, pointing to block device ${sFILE}"
FOUNDPATH=1
elif [ -c ${tFILE} ]; then
sFILE="${tFILE}"
logtext "Result: symlink found, pointing to character device ${sFILE}"
FOUNDPATH=1
elif [ -d ${tFILE} ]; then elif [ -d ${tFILE} ]; then
sFILE="${tFILE}" sFILE="${tFILE}"
logtext "Result: symlink found, pointing to directory ${sFILE}" logtext "Result: symlink found, pointing to directory ${sFILE}"

View File

@ -4,7 +4,6 @@ if [ $# -eq 0 ]; then
Display --indent 2 --text "${RED}Error: ${WHITE}Provide URL or file${NORMAL}" Display --indent 2 --text "${RED}Error: ${WHITE}Provide URL or file${NORMAL}"
Display --text " "; Display --text " " Display --text " "; Display --text " "
ExitFatal ExitFatal
else else
FILE=`echo $1 | egrep "^http|https"` FILE=`echo $1 | egrep "^http|https"`
@ -18,7 +17,7 @@ if [ $# -eq 0 ]; then
if [ -f ${TMP_FILE} ]; then if [ -f ${TMP_FILE} ]; then
rm -f ${TMP_FILE} rm -f ${TMP_FILE}
fi fi
Dislpay --indent 2 --text "${RED}Error: ${WHITE}can not download file${NORMAL}" Display --indent 2 --text "${RED}Error: ${WHITE}can not download file${NORMAL}"
ExitFatal ExitFatal
fi fi
else else

include/helper_update (new file, 266 lines)

View File

@ -0,0 +1,266 @@
#!/bin/sh
######################################################################
#
# Helper program to support automatic updates of Lynis
#
######################################################################
#
# Options:
# ---------
# 1) lynis update info - Show version information (external)
# 2) lynis update release - Check and install new release (internal)
#
# How to use:
# ------------
# Run option 1 to know about current and latest release information.
# Run option 2 to query internal server for possible upgrade of Lynis.
#
# Steps for updating to new release:
# 1) Run Lynis with: lynis update release
# 2) Lynis will use this helper and check the profile
# 3) The configured web server will be queried (lynis-latest-version)
# 4) The contents of this file will be compared with a local file
# 5) If there is a difference, download package
# 6) Check paths and extract files
# 7) Quit program
#
# Suggested documentation if you want to use this functionality:
# https://cisofy.com/documentation/lynis/upgrading/
#
######################################################################
LOCAL_VERSION="-"
SERVER_VERSION=""
PERFORM_UPGRADE=0
WGET_EXISTS=`which wget 2> /dev/null`
CURL_EXISTS=`which curl 2> /dev/null`
FETCH_EXISTS=`which fetch 2> /dev/null`
# Update version
if [ "$1" = "release" ]; then
if [ "${UPDATE_SERVER_PROTOCOL}" = "" ] ; then
Display --indent 2 --text "Error: Unknown protocol, please specify (http, https) in profile (update_server_protocol)"
ExitFatal
fi
if [ "${UPDATE_SERVER_ADDRESS}" = "" ] ; then
Display --indent 2 --text "Error: Unknown download address, please specify in profile (update_server_address)"
ExitFatal
fi
if [ "${UPDATE_LATEST_VERSION_DOWNLOAD}" = "" ] ; then
Display --indent 2 --text "Error: No URL to latest download has been specifiedrsion on the server, please specify in profile (update_latest_version_download)"
ExitFatal
fi
if [ "${UPDATE_LATEST_VERSION_INFO}" = "" ] ; then
Display --indent 2 --text "Error: No URL has been specified to know the latest version on the server, please specify in profile (update_latest_version_info)"
ExitFatal
fi
if [ "${UPDATE_LOCAL_DIRECTORY}" = "" ] ; then
Display --indent 2 --text "Error: No local directory has been specified to store Lynis files. Please specify in profile (update_local_directory)"
ExitFatal
else
if [ ! -d ${UPDATE_LOCAL_DIRECTORY} ]; then
Display --indent 2 --text "Error: Directory ${UPDATE_LOCAL_DIRECTORY} does not exist"
ExitFatal
fi
fi
if [ "${UPDATE_LOCAL_VERSION_INFO}" = "" ] ; then
Display --indent 2 --text "Error: No data file has been specified to determine local Lynis version, please specify in profile (update_local_version_info)"
ExitFatal
fi
if [ ! -f ${UPDATE_LOCAL_VERSION_INFO} ]; then
Display --indent 2 --text "Note: local data file ${UPDATE_LOCAL_VERSION_INFO} does not exist. It will be created after updating. (update_local_version_info)"
else
LOCAL_VERSION=`cat ${UPDATE_LOCAL_VERSION_INFO}`
fi
# Normal update
FULLPATH="${UPDATE_SERVER_PROTOCOL}://${UPDATE_SERVER_ADDRESS}${UPDATE_LATEST_VERSION_INFO}"
TMP_FILE=`mktemp /tmp/audit.XXXXXXXXXX`
if [ "${TMP_FILE}" = "" ]; then
Display --indent 2 --text "Could not create a temporary file in /tmp with mktemp. Aborting.."
ExitFatal
fi
Display --indent 2 --text "${CYAN}[Phase 1] Downloading details${NORMAL}"
if [ ! "${WGET_EXISTS}" = "" ]; then
logtext "Using wget to download release information"
LAST_COMMAND_HELP="wget --output-document ${TMP_FILE} ${FULLPATH}"
wget --output-document ${TMP_FILE} ${FULLPATH} 2> /dev/null
EXIT_CODE=$?
elif [ ! "${CURL_EXISTS}" = "" ]; then
logtext "Using curl to download release information"
LAST_COMMAND_HELP="curl --fail -o ${TMP_FILE} ${FULLPATH}"
curl --fail -o ${TMP_FILE} ${FULLPATH} 2> /dev/null
EXIT_CODE=$?
else
Display --indent 2 --text "No download tool available to perform download"
ExitFatal
fi
if [ ! "${TMP_FILE}" = "" ]; then
if [ -f ${TMP_FILE} ]; then
SERVER_VERSION=`cat ${TMP_FILE}`
rm -f ${TMP_FILE}
fi
else
Display --indent 2 --text "Temporary file variable is empty, which is unexpected. Aborting.."
ExitFatal
fi
# Determine if downloading meta data was successful
if [ ${EXIT_CODE} -eq 0 ]; then
if [ "${SERVER_VERSION}" = "" ]; then
Display --indent 2 --text "No version found on the server. Aborting.."
ExitFatal
else
Display --indent 2 --text "Version found on server: ${SERVER_VERSION}"
Display --indent 2 --text "Local version found: ${LOCAL_VERSION}"
fi
else
Display --indent 2 --text "${RED}Error: ${WHITE}Download utility returned an unexpected error code.${NORMAL} Aborting.."
Display --indent 2 --text "Error code: ${EXIT_CODE}"
Display --indent 2 --text "Suggested command: ${LAST_COMMAND_HELP}"
ExitFatal
fi
#==========================================================================================================================================
Display --indent 2 --text " "
Display --indent 2 --text "${CYAN}[Phase 2] Compare results${NORMAL}"
if [ ! "${LOCAL_VERSION}" = "${SERVER_VERSION}" ]; then
Display --indent 2 --text "Different version available, moving to upgrade phase"
PERFORM_UPGRADE=1
else
Display --indent 2 --text "${GREEN}No upgrade needed${NORMAL}"
fi
# Go to phase 3 if upgrade is needed
if [ ${PERFORM_UPGRADE} -eq 1 ]; then
FULLPATH="${UPDATE_SERVER_PROTOCOL}://${UPDATE_SERVER_ADDRESS}${UPDATE_LATEST_VERSION_DOWNLOAD}"
Display --indent 2 --text " "
Display --indent 2 --text "[Phase 3] Downloading latest release"
Display --indent 2 --text "Download location: ${FULLPATH}"
if [ ! "${WGET_EXISTS}" = "" ]; then
logtext "Using wget to download latest release"
LAST_COMMAND_HELP="wget --output-document ${TMP_FILE} ${FULLPATH}"
wget --output-document ${TMP_FILE} ${FULLPATH} 2> /dev/null
EXIT_CODE=$?
elif [ ! "${CURL_EXISTS}" = "" ]; then
logtext "Using curl to download latest release"
LAST_COMMAND_HELP="curl --fail -o ${TMP_FILE} ${FULLPATH}"
curl --fail -o ${TMP_FILE} ${FULLPATH} 2> /dev/null
EXIT_CODE=$?
fi
if [ ${EXIT_CODE} -eq 0 ]; then
if [ -f ${TMP_FILE} ]; then
Display --indent 2 --text "Download successful"
# Extract the file to the related path, with 'lynis' appended
# Note: by default the tarball includes 'lynis' as directory
if [ ! -d ${UPDATE_LOCAL_DIRECTORY} ]; then
Display --indent 2 --text "Error: directory ${UPDATE_LOCAL_DIRECTORY} does not exist"
ExitFatal
fi
Display --indent 2 --text "Extracting latest version to path ${UPDATE_LOCAL_DIRECTORY}"
if [ ! -d ${UPDATE_LOCAL_DIRECTORY}/lynis ]; then
Display --indent 2 --text "Creating 'lynis' directory in ${UPDATE_LOCAL_DIRECTORY}"
mkdir ${UPDATE_LOCAL_DIRECTORY}/lynis
if [ $? -gt 0 ]; then
Display --indent 2 --text "Error: could not create directory ${UPDATE_LOCAL_DIRECTORY}/lynis"
ExitFatal
fi
fi
if [ -d ${UPDATE_LOCAL_DIRECTORY}/lynis ]; then
Display --indent 2 --text "Extracting files to ${UPDATE_LOCAL_DIRECTORY}"
tar xzf ${TMP_FILE} -C ${UPDATE_LOCAL_DIRECTORY}
if [ $? -eq 0 ]; then
# Check if we can find the Lynis binary (in the created 'lynis' directory)
if [ -f ${UPDATE_LOCAL_DIRECTORY}/lynis/lynis ]; then
# If version was downloaded, update local version
echo ${SERVER_VERSION} > ${UPDATE_LOCAL_VERSION_INFO}
else
Display --indent 2 --text "Error: could not find downloaded file on disk"
fi
else
Display --indent 2 --text "Error: File extraction failed"
ExitFatal
fi
else
Display --indent 2 --text "Error: could not find lynis directory"
fi
else
Display --indent 2 --text "Error: could not find downloaded file on disk"
ExitFatal
fi
else
Display --indent 2 --text "Error: could not download latest release"
Display --indent 2 --text "Suggestion: ${LAST_COMMAND_HELP}"
ExitFatal
fi
fi
# Removing temp file
logtext "Action: Removing temporary file ${TMP_FILE}"
if [ "${TMP_FILE}" = "" ]; then
if [ -f ${TMP_FILE} ]; then
rm -f ${TMP_FILE}
fi
fi
Display --indent 2 --text " "
Display --indent 2 --text "Done"
Display --indent 2 --text " "
ExitClean
# Update check
elif [ "$1" = "info" ]; then
# CV - Current Version
PROGRAM_AC=`echo ${PROGRAM_version} | awk '{ print $1 }' | sed 's/[.]//g'`
PROGRAM_LV=0
CheckUpdates
# Reset everything if we can't determine our current version or the latest
# available version (due lack of internet connectivity for example)
if [ "${PROGRAM_AC}" = "" -o "${PROGRAM_LV}" = "" ]; then
# Set both to safe values
PROGRAM_AC=0; PROGRAM_LV=0
fi
echo ""; echo " == ${WHITE}${PROGRAM_name}${NORMAL} =="
echo ""
echo " Version : ${PROGRAM_version}"
echo -n " Status : "
if [ ${PROGRAM_LV} -eq 0 ]; then
echo "${RED}Unknown${NORMAL}";
elif [ ${PROGRAM_LV} -gt ${PROGRAM_AC} ]; then
echo "${YELLOW}Outdated${NORMAL}";
echo " Current version : ${PROGRAM_AC}"
echo " Latest version : ${PROGRAM_LV}"
else
echo "${GREEN}Up-to-date${NORMAL}"
fi
echo " Release date : ${PROGRAM_releasedate}"
echo " Update location : ${PROGRAM_website}"
echo ""; echo ""
echo "${PROGRAM_copyright}"
echo ""
# Quit program
ExitClean
else
Display --indent 2 --text "${RED}Error: ${WHITE}Unknown parameter $1.${NORMAL} Aborting.."
ExitFatal
fi
# The End
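Review bot: in Phase 3 the line `tar xzf ${TMP_FILE} -C ${UPDATE_LOCAL_DIRECTORY}` extracts a tarball that was downloaded (possibly over plain http, per the default profile) without any checksum or signature check, into a directory that normally lives on root's PATH; before extracting, verify a published hash or detached signature fetched from the same server, and list the archive with `tar tzf` to confirm every member sits under `lynis/` and contains no absolute or `..` components. Further issues in the same file: the cleanup block `if [ "${TMP_FILE}" = "" ]; then` has the test inverted (it should be `!=`), so the temporary file is never removed and the downloaded tarball stays in /tmp; Phase 3 reuses the `mktemp` path that was already deleted after Phase 1, losing mktemp's uniqueness guarantee, so call `mktemp` again for the second download; the Phase 3 download has no `else` branch when neither wget nor curl exists, leaving `EXIT_CODE` at the Phase 1 value and producing a misleading "could not find downloaded file" message (and `FETCH_EXISTS` is computed but never used); and the error text "No URL to latest download has been specifiedrsion on the server" is garbled and should read "No URL to the latest download has been specified".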

View File

@ -23,6 +23,7 @@
PARAMCOUNT=$# PARAMCOUNT=$#
while [ $# -ge 1 ]; do while [ $# -ge 1 ]; do
case $1 in case $1 in
# Helpers first
audit) audit)
CHECK_BINARIES=0 CHECK_BINARIES=0
RUN_HELPERS=1 RUN_HELPERS=1
@ -63,6 +64,28 @@
#break #break
;; ;;
# Helpers first
update)
CHECK_BINARIES=0
RUN_HELPERS=1
HELPER="update"
RUN_PLUGINS=0
RUN_TESTS=0
SHOW_PROGRAM_DETAILS=0
if [ ! $2 = "" ]; then
shift
HELPER_PARAMS="$1 $2"
break
else
Display --text "${RED}Error: ${WHITE}Need a target for update${NORMAL}"
Display --text " "
Display --text "Examples:"
Display --text "lynis update info"
Display --text "lynis update release"
ExitFatal
fi
;;
# Assign auditor to report # Assign auditor to report
--auditor) --auditor)
shift shift
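Review bot: in the new `update)` case the test `if [ ! $2 = "" ]; then` leaves `$2` unquoted, so when no target is given the command degenerates to `[ ! = "" ]` and the outcome depends on the shell's three-argument handling rather than on the intended check; write `if [ ! "$2" = "" ]; then`. The `# Helpers first` comment now appears both before `audit)` and before `update)`; keep one. Also `HELPER_PARAMS="$1 $2"` after the `shift` captures a third positional argument that neither `lynis update info` nor `lynis update release` documents.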
@ -102,7 +125,9 @@
# View program/database information # View program/database information
--check-update | --check-updates | --info) --check-update | --check-updates | --info)
VIEWUPDATEINFO=1 echo "This option is deprecated"
echo "Use: lynis update info"
ExitClean
;; ;;
# License key for Lynis Enterprise # License key for Lynis Enterprise

View File

@ -147,6 +147,36 @@
if [ "${VALUE}" = "full" ]; then SCAN_TEST_LIGHT="YES"; SCAN_TEST_MEDIUM="YES"; SCAN_TEST_HEAVY="YES"; fi if [ "${VALUE}" = "full" ]; then SCAN_TEST_LIGHT="YES"; SCAN_TEST_MEDIUM="YES"; SCAN_TEST_HEAVY="YES"; fi
;; ;;
# Server IP or hostname
update_server_address)
UPDATE_SERVER_ADDRESS="${VALUE}"
;;
# Protocol (http, https)
update_server_protocol)
UPDATE_SERVER_PROTOCOL="${VALUE}"
;;
# File path to tarball on server
update_latest_version_download)
UPDATE_LATEST_VERSION_DOWNLOAD="${VALUE}"
;;
# File path to information file
update_latest_version_info)
UPDATE_LATEST_VERSION_INFO="${VALUE}"
;;
# Local directory where lynis directory will be placed
update_local_directory)
UPDATE_LOCAL_DIRECTORY="${VALUE}"
;;
# Local file to maintain current version
update_local_version_info)
UPDATE_LOCAL_VERSION_INFO="${VALUE}"
;;
# Options during upload of data # Options during upload of data
upload_options) upload_options)
UPLOAD_OPTIONS="${VALUE}" UPLOAD_OPTIONS="${VALUE}"
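Review bot: the six new `update_*` profile options are stored without validation, and helper_update only checks them for emptiness before concatenating them into a URL and a filesystem path; restrict `update_server_protocol` to `https` (at most `http|https`) and reject `update_local_directory` values that are not absolute paths at this point, so a malformed or hostile profile entry fails early with a clear message instead of shaping the download URL.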

View File

@ -126,7 +126,9 @@
else else
logtext "Result: auditd not active" logtext "Result: auditd not active"
Display --indent 2 --text "- Checking auditd" --result "NOT FOUND" --color WHITE Display --indent 2 --text "- Checking auditd" --result "NOT FOUND" --color WHITE
ReportSuggestion ${TEST_NO} "Enable auditd to collect audit information" if [ ! "${VMTYPE}" = "openvz" ]; then
ReportSuggestion ${TEST_NO} "Enable auditd to collect audit information"
fi
AUDITD_RUNNING=0 AUDITD_RUNNING=0
report "audit_daemon_running=0" report "audit_daemon_running=0"
AddHP 0 1 AddHP 0 1
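Review bot: suppressing the suggestion on OpenVZ is only half of the change; the `AddHP 0 1` and `report "audit_daemon_running=0"` that follow still run, so an OpenVZ container is docked a hardening point for a control the new guard treats as not applicable. Either move the `AddHP` inside the same `if [ ! "${VMTYPE}" = "openvz" ]` guard, or add a `logtext` explaining why the suggestion is skipped so the zero score is explainable.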
@ -226,7 +228,7 @@
if [ -f /etc/ld.so.preload ]; then if [ -f /etc/ld.so.preload ]; then
logtext "Result: found /etc/ld.so.preload, testing if snoopy.so is listed" logtext "Result: found /etc/ld.so.preload, testing if snoopy.so is listed"
FIND=`grep ${FILE} /etc/ld.so.preload` FIND=`grep ${FILE} /etc/ld.so.preload`
if [ !"${FIND}" = "" ]; then if [ ! "${FIND}" = "" ]; then
logtext "Result: found snoopy in ld.so.preload" logtext "Result: found snoopy in ld.so.preload"
logtext "Output: ${FIND}" logtext "Output: ${FIND}"
Display --indent 6 --text "- Library in ld.so.preload" --result "LOADED" --color GREEN Display --indent 6 --text "- Library in ld.so.preload" --result "LOADED" --color GREEN
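Review bot: the quoting fix `[ ! "${FIND}" = "" ]` is correct (the old `!"${FIND}"` glued the `!` to the value and broke the test). While here, `grep ${FILE} /etc/ld.so.preload` passes `${FILE}` unquoted and as a regular expression; `grep -F "${FILE}"` would match the library path literally.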
@ -427,4 +429,4 @@ wait_for_keypress
# #
#================================================================================ #================================================================================
# Lynis - Copyright 2007-2015, Michael Boelen - http://cisofy.com - The Netherlands # Lynis - Copyright 2007-2015, Michael Boelen / CISOfy - https://cisofy.com

@ -1329,4 +1329,4 @@ wait_for_keypress
# #
#================================================================================ #================================================================================
# Lynis - Copyright 2007-2015 Michael Boelen, CISOfy - https://cisofy.com # Lynis - Copyright 2007-2015, CISOfy - https://cisofy.com

@ -23,7 +23,7 @@
################################################################################# #################################################################################
# #
BANNER_FILES="/etc/issue /etc/issue.net /etc/motd" BANNER_FILES="/etc/issue /etc/issue.net /etc/motd"
LEGAL_BANNER_STRINGS="access authorized legal monitor owner policy policies private prohibited restricted this unauthorized" LEGAL_BANNER_STRINGS="audit access authori intrusion law legal monitor owner policy policies private prohibited restricted subject terms this unauthorized"
# #
################################################################################# #################################################################################
# #
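Review bot: the new entries `law`, `subject` and `terms` in LEGAL_BANNER_STRINGS are short substrings that also occur in ordinary MOTD text, and `authori` is deliberately truncated to cover both spellings; since the matching logic is not in this hunk, add a comment here stating that these are substring matches (or anchor them with word boundaries where they are used), so a chatty MOTD is not mistaken for a legal banner.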

include/tests_containers Normal file
@ -0,0 +1,167 @@
#!/bin/sh
#################################################################################
#
# Lynis
# ------------------
#
# Copyright 2007-2015, Michael Boelen (michael.boelen@cisofy.com)
# Web site: https://cisofy.com
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
# See LICENSE file for usage of this software.
#
#################################################################################
#
# Containers, Zones, Jails
#
#################################################################################
#
InsertSection "Containers"
#
#################################################################################
#
# Test : CONT-8004
# Description : Query running Solaris zones
if [ -x /usr/sbin/zoneadm ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no CONT-8004 --os Solaris --weight L --network NO --description "Query running Solaris zones"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: query zoneadm to list all running zones"
FIND=`/usr/sbin/zoneadm list -p | awk -F: '{ if ($2!="global") print $0 }'`
if [ ! "${FIND}" = "" ]; then
N=0
for I in ${FIND}; do
N=`expr ${N} + 1`
ZONEID=`echo ${I} | cut -d ':' -f1`
ZONENAME=`echo ${I} | cut -d ':' -f2`
logtext "Result: found zone ${ZONENAME} (running)"
report "solaris_running_zone[]=${ZONENAME} [id:${ZONEID}]"
done
logtext "Result: total of ${N} running zones"
Display --indent 2 --text "- Checking Solaris Zones" --result "FOUND ${N} zones" --color GREEN
else
logtext "Result: no running zones found"
Display --indent 2 --text "- Checking Solaris Zones" --result NONE --color WHITE
fi
fi
#
#################################################################################
#
# Test : CONT-1906
# Description : Query running Xen zones
#if [ -x /usr/bin/xm ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
#Register --test-no CONT-1906 --weight L --network NO --description "Query Xen guests"
#if [ ${SKIPTEST} -eq 0 ]; then
# Show Xen guests
#FIND=`xm list | awk '$1 != "Name|Domain-0" {print $1","$2}'`
#for I in ${FIND}; do
#XENGUESTNAME=`echo ${I} | cut -d ':' -f1`
#XENGUESTID=`echo ${I} | cut -d ':' -f2`
#logtext "Result: found Xen guest ${XENGUESTNAME} (ID: ${XENGUESTID})"
#done
#fi
#
#################################################################################
#
# Test : CONT-8102
# Description : Checking Docker daemon status and basic information for later tests
Register --test-no CONT-8102 --weight L --network NO --description "Checking Docker status and information"
if [ ${SKIPTEST} -eq 0 ]; then
IsRunning "docker -d"
if [ ${RUNNING} -eq 1 ]; then
logtext "Result: found Docker daemon running"
report "docker_daemon_running=1"
DOCKER_DAEMON_RUNNING=1
Display --indent 4 --text "- Docker"
Display --indent 6 --text "- Docker daemon" --result RUNNING --color GREEN
fi
fi
#
#################################################################################
#
# Test : CONT-8104
# Description : Checking Docker info for any warnings
# Notes : Hardening points are awarded, as usually warnings are the result of missing controls to restrict boundaries like memory
if [ ! "${DOCKERBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no CONT-8104 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking Docker info for any warnings"
if [ ${SKIPTEST} -eq 0 ]; then
COUNT=0
logtext "Test: Check for any warnings"
FIND=`${DOCKERBINARY} info 2>&1 | grep "^WARNING:" | cut -d " " -f 2- | sed 's/ /:space:/g'`
if [ ! "${FIND}" = "" ]; then
logtext "Result: found warning(s) in output"
for I in ${FIND}; do
J=`echo ${I} | sed 's/:space:/ /g'`
logtext "Output: ${J}"
COUNT=`expr ${COUNT} + 1`
done
Display --indent 8 --text "- Docker info output (warnings)" --result "${COUNT}" --color RED
ReportSuggestion "${TEST_NO}" "Run 'docker info' to see warnings applicable to Docker daemon"
AddHP 3 4
else
logtext "Result: no warnings found from 'docker info' output"
Display --indent 8 --text "- Docker info output (warnings)" --result "NONE" --color GREEN
AddHP 1 1
fi
fi
#
#################################################################################
#
# Test : CONT-8106
# Description : Checking Docker containers (basic stats)
# Notes : Hardening points are awarded, if there aren't a lot of stopped containers
if [ ! "${DOCKERBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no CONT-8106 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking Docker info for any warnings"
if [ ${SKIPTEST} -eq 0 ]; then
Display --indent 6 --text "- Containers"
# Check total of containers
logtext "Test: checking total amount of Docker containers"
DOCKER_CONTAINERS_TOTAL=`${DOCKERBINARY} info 2> /dev/null | grep "^Containers: " | awk '{ print $2 }'`
logtext "Result: docker info shows ${DOCKER_CONTAINERS_TOTAL} containers"
DOCKER_CONTAINERS_TOTAL2=`${DOCKERBINARY} ps -a 2> /dev/null | grep -v "CONTAINER" | wc -l`
logtext "Result: docker ps -a shows ${DOCKER_CONTAINERS_TOTAL2} containers"
if [ ! "${DOCKER_CONTAINERS_TOTAL}" = "${DOCKER_CONTAINERS_TOTAL2}" ]; then
logtext "Result: difference detected, which is unexpected"
ReportSuggestion "${TEST_NO}" "Test output of both 'docker ps -a' and 'docker info', to determine why they report a different amount of containers"
Display --indent 8 --text "- Total containers" --result "UNKNOWN" --color RED
else
Display --indent 8 --text "- Total containers" --result "${DOCKER_CONTAINERS_TOTAL}" --color WHITE
fi
# Check running instances
DOCKER_CONTAINERS_RUNNING=`${DOCKERBINARY} ps | grep -v "CONTAINER" | wc -l`
Display --indent 8 --text "- Running containers" --result "${DOCKER_CONTAINERS_RUNNING}" --color GREEN
if [ ${DOCKER_CONTAINERS_RUNNING} -gt 0 ]; then
logtext "Result: ${DOCKER_CONTAINERS_RUNNING} containers are currently active"
report "docker_containers_running=${DOCKER_CONTAINERS_RUNNING}"
else
logtext "Result: no active containers"
report "docker_containers_running=0"
fi
# Check if there aren't too many unused containers on the system
if [ ${DOCKER_CONTAINERS_TOTAL} -gt 0 ]; then
DOCKER_CONTAINERS_UNUSED=`expr ${DOCKER_CONTAINERS_TOTAL} - ${DOCKER_CONTAINERS_RUNNING}`
if [ ${DOCKER_CONTAINERS_UNUSED} -gt 10 ]; then
ReportSuggestion "${TEST_NO}" "More than 10 unused containers found on the system. Clean up old containers by using output of 'docker ps -a' command"
Display --indent 8 --text "- Unused containers" --result "${DOCKER_CONTAINERS_UNUSED}" --color RED
AddHP 0 2
else
logtext "Result: found ${DOCKER_CONTAINERS_UNUSED} unused containers"
Display --indent 8 --text "- Unused containers" --result "${DOCKER_CONTAINERS_UNUSED}" --color YELLOW
AddHP 1 1
fi
fi
fi
#
#################################################################################
#
wait_for_keypress
#
#================================================================================
# Lynis - Copyright 2007-2015, CISOfy - https://cisofy.com
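Review bot: in CONT-8106, `DOCKER_CONTAINERS_TOTAL` is read from `docker info` with stderr discarded, so when the daemon is down or the user lacks permission it is empty and `[ ${DOCKER_CONTAINERS_TOTAL} -gt 0 ]` fails with a shell error rather than a clean result; guard it with `if [ ! "${DOCKER_CONTAINERS_TOTAL}" = "" ]`, or gate the test on `DOCKER_DAEMON_RUNNING` from CONT-8102, which is set but never consulted by the later tests. Two smaller points: the Register line for CONT-8106 still carries the CONT-8104 description "Checking Docker info for any warnings", and `IsRunning "docker -d"` will miss a daemon started with any other invocation.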

@ -14,6 +14,8 @@
# #
################################################################################# #################################################################################
# #
CSF_CONFIG="/etc/csf/csf.conf"
FILE_INT_TOOL=""
FILE_INT_TOOL_FOUND=0 # Boolean, file integrity tool found FILE_INT_TOOL_FOUND=0 # Boolean, file integrity tool found
# #
################################################################################# #################################################################################
@ -30,11 +32,11 @@
logtext "Test: Checking AFICK binary" logtext "Test: Checking AFICK binary"
if [ ! "${AFICKBINARY}" = "" ]; then if [ ! "${AFICKBINARY}" = "" ]; then
logtext "Result: AFICK is installed (${AFICKBINARY})" logtext "Result: AFICK is installed (${AFICKBINARY})"
FILE_INT_TOOL="afick"
FILE_INT_TOOL_FOUND=1 FILE_INT_TOOL_FOUND=1
Display --indent 4 --text "- AFICK" --result FOUND --color GREEN Display --indent 4 --text "- AFICK" --result FOUND --color GREEN
else else
logtext "Result: AFICK is not installed" logtext "Result: AFICK is not installed"
Display --indent 4 --text "- AFICK" --result "NOT FOUND" --color WHITE
fi fi
fi fi
# #
@ -47,11 +49,11 @@
logtext "Test: Checking AIDE binary" logtext "Test: Checking AIDE binary"
if [ ! "${AIDEBINARY}" = "" ]; then if [ ! "${AIDEBINARY}" = "" ]; then
logtext "Result: AIDE is installed (${AIDEBINARY})" logtext "Result: AIDE is installed (${AIDEBINARY})"
FILE_INT_TOOL="aide"
FILE_INT_TOOL_FOUND=1 FILE_INT_TOOL_FOUND=1
Display --indent 4 --text "- AIDE" --result FOUND --color GREEN Display --indent 4 --text "- AIDE" --result FOUND --color GREEN
else else
logtext "Result: AIDE is not installed" logtext "Result: AIDE is not installed"
Display --indent 4 --text "- AIDE" --result "NOT FOUND" --color WHITE
fi fi
fi fi
# #
@ -119,11 +121,11 @@
logtext "Test: Checking Osiris binary" logtext "Test: Checking Osiris binary"
if [ ! "${OSIRISBINARY}" = "" ]; then if [ ! "${OSIRISBINARY}" = "" ]; then
logtext "Result: Osiris is installed (${OSIRISBINARY})" logtext "Result: Osiris is installed (${OSIRISBINARY})"
FILE_INT_TOOL="osiris"
FILE_INT_TOOL_FOUND=1 FILE_INT_TOOL_FOUND=1
Display --indent 4 --text "- Osiris" --result FOUND --color GREEN Display --indent 4 --text "- Osiris" --result FOUND --color GREEN
else else
logtext "Result: Osiris is not installed" logtext "Result: Osiris is not installed"
Display --indent 4 --text "- Osiris" --result "NOT FOUND" --color WHITE
fi fi
fi fi
# #
@ -136,11 +138,11 @@
logtext "Test: Checking Samhain binary" logtext "Test: Checking Samhain binary"
if [ ! "${SAMHAINBINARY}" = "" ]; then if [ ! "${SAMHAINBINARY}" = "" ]; then
logtext "Result: Samhain is installed (${SAMHAINBINARY})" logtext "Result: Samhain is installed (${SAMHAINBINARY})"
FILE_INT_TOOL="samhain"
FILE_INT_TOOL_FOUND=1 FILE_INT_TOOL_FOUND=1
Display --indent 4 --text "- Samhain" --result FOUND --color GREEN Display --indent 4 --text "- Samhain" --result FOUND --color GREEN
else else
logtext "Result: Samhain is not installed" logtext "Result: Samhain is not installed"
Display --indent 4 --text "- Samhain" --result "NOT FOUND" --color WHITE
fi fi
fi fi
# #
@ -153,11 +155,11 @@
logtext "Test: Checking Tripwire binary" logtext "Test: Checking Tripwire binary"
if [ ! "${TRIPWIREBINARY}" = "" ]; then if [ ! "${TRIPWIREBINARY}" = "" ]; then
logtext "Result: Tripwire is installed (${TRIPWIREBINARY})" logtext "Result: Tripwire is installed (${TRIPWIREBINARY})"
FILE_INT_TOOL="tripwire"
FILE_INT_TOOL_FOUND=1 FILE_INT_TOOL_FOUND=1
Display --indent 4 --text "- Tripwire" --result FOUND --color GREEN Display --indent 4 --text "- Tripwire" --result FOUND --color GREEN
else else
logtext "Result: Tripwire is not installed" logtext "Result: Tripwire is not installed"
Display --indent 4 --text "- Tripwire" --result "NOT FOUND" --color WHITE
fi fi
fi fi
# #
@ -170,10 +172,12 @@
logtext "Test: Checking if OSSEC syscheck daemon is running" logtext "Test: Checking if OSSEC syscheck daemon is running"
IsRunning ossec-syscheckd IsRunning ossec-syscheckd
if [ ${RUNNING} -eq 1 ]; then if [ ${RUNNING} -eq 1 ]; then
logtext "Result: syscheck (OSSEC) installed"
FILE_INT_TOOL="ossec-syscheck"
FILE_INT_TOOL_FOUND=1 FILE_INT_TOOL_FOUND=1
Display --indent 4 --text "- OSSEC (syscheck)" --result FOUND --color GREEN Display --indent 4 --text "- OSSEC (syscheck)" --result FOUND --color GREEN
else else
Display --indent 4 --text "- OSSEC (syscheck)" --result "NOT FOUND" --color WHITE logtext "Result: syscheck (OSSEC) not installed"
fi fi
fi fi
# #
@ -187,11 +191,59 @@
logtext "Test: Checking mtree binary" logtext "Test: Checking mtree binary"
if [ ! "${MTREEBINARY}" = "" ]; then if [ ! "${MTREEBINARY}" = "" ]; then
logtext "Result: mtree is installed (${MTREEBINARY})" logtext "Result: mtree is installed (${MTREEBINARY})"
FILE_INT_TOOL="mtree"
FILE_INT_TOOL_FOUND=1 FILE_INT_TOOL_FOUND=1
Display --indent 4 --text "- mtree" --result FOUND --color GREEN Display --indent 4 --text "- mtree" --result FOUND --color GREEN
else else
logtext "Result: mtree is not installed" logtext "Result: mtree is not installed"
Display --indent 4 --text "- mtree" --result "NOT FOUND" --color WHITE fi
fi
#
#################################################################################
#
# Test : FINT-4334
# Description : Check if LFD is used (part of CSF suite)
if [ -f ${CSF_CONFIG} ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no FINT-4334 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check lfd daemon status"
if [ ${SKIPTEST} -eq 0 ]; then
Display --indent 4 --text "- lfd (CSF)" --result FOUND --color GREEN
IsRunning 'lfd '
if [ ${RUNNING} -eq 1 ]; then
logtext "Result: lfd daemon is running (CSF)"
Display --indent 6 --text "- Daemon status" --result RUNNING --color GREEN
FILE_INT_TOOL="csf-lfd"
FILE_INT_TOOL_FOUND=1
else
Display --indent 6 --text "- Daemon status" --result "NOT RUNNING" --color YELLOW
fi
fi
# Test : FINT-4336
# Description : Check if LFD is enabled (part of CSF suite)
if [ -f ${CSF_CONFIG} ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no FINT-4336 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check lfd configuration status"
if [ ${SKIPTEST} -eq 0 ]; then
# LFD configuration parameters
ENABLED=`grep "^LF_DAEMON = \"1\"" ${CSF_CONFIG}`
if [ ! "${ENABLED}" = "" ]; then
logtext "Result: lfd service is configured to run"
Display --indent 6 --text "- Configuration status" --result ENABLED --color GREEN
else
logtext "Result: lfd service is configured NOT to run"
Display --indent 6 --text "- Configuration status" --result DISABLED --color YELLOW
fi
ENABLED=`grep "^LF_DIRWATCH =" ${CSF_CONFIG} | awk '{ print $3 }' | sed 's/\"//g'`
if [ ! "${ENABLED}" = "0" -a ! "${ENABLED}" = "" ]; then
logtext "Result: lfd directory watching is enabled (value: ${ENABLED})"
Display --indent 6 --text "- Temporary directory watches" --result ENABLED --color GREEN
else
logtext "Result: lfd directory watching is disabled"
Display --indent 6 --text "- Temporary directory watches" --result DISABLED --color YELLOW
fi
ENABLED=`grep "^LF_DIRWATCH_FILE =" ${CSF_CONFIG} | awk '{ print $3 }' | sed 's/\"//g'`
if [ ! "${ENABLED}" = "0" -a ! "${ENABLED}" = "" ]; then
Display --indent 6 --text "- Directory/File watches" --result ENABLED --color GREEN
else
Display --indent 6 --text "- Directory/File watches" --result DISABLED --color YELLOW
fi fi
fi fi
# #
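Review bot: in FINT-4336 the grep `"^LF_DAEMON = \"1\""` only matches one exact spacing of the csf.conf line, so `LF_DAEMON="1"` or extra whitespace is reported as DISABLED; a tolerant pattern such as `^LF_DAEMON *= *\"1\"` (and the same for the two LF_DIRWATCH lookups, which assume the value is the third whitespace-separated field) avoids that false negative. Also, FINT-4334 prints `- lfd (CSF)` as FOUND before anything has been checked, and the `#` separator block the rest of the file places between tests is missing between FINT-4334 and FINT-4336.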
@ -209,7 +261,7 @@
else else
logtext "Result: No file integrity tools found" logtext "Result: No file integrity tools found"
Display --indent 2 --text "- Checking presence integrity tool" --result "NOT FOUND" --color YELLOW Display --indent 2 --text "- Checking presence integrity tool" --result "NOT FOUND" --color YELLOW
ReportSuggestion ${TEST_NO} "Install a file integrity tool" ReportSuggestion ${TEST_NO} "Install a file integrity tool to monitor changes to critical and sensitive files"
AddHP 0 5 AddHP 0 5
fi fi
fi fi
@ -217,6 +269,7 @@
################################################################################# #################################################################################
# #
report "file_integrity_tool=${FILE_INT_TOOL}"
report "file_integrity_tool_installed=${FILE_INT_TOOL_FOUND}" report "file_integrity_tool_installed=${FILE_INT_TOOL_FOUND}"
wait_for_keypress wait_for_keypress
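Review bot: `FILE_INT_TOOL` is a single scalar that every detection block in this file overwrites (afick, aide, osiris, samhain, tripwire, ossec-syscheck, mtree, csf-lfd), so on a host with more than one tool only the last one checked reaches `report "file_integrity_tool=${FILE_INT_TOOL}"`; either report each match with an array key (`file_integrity_tool[]=`) or document that the value is the last tool detected.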

@ -209,23 +209,46 @@
FOUND=0 FOUND=0
logtext "Test: query swap partitions from /etc/fstab file" logtext "Test: query swap partitions from /etc/fstab file"
# Check if third field contains 'swap' # Check if third field contains 'swap'
FIND=`awk '{ if ($3=="swap") print $1 }' /etc/fstab` FIND=`awk '{ if ($2=="swap" || $3=="swap") { print $1 }}' /etc/fstab | grep -v "^#"`
for I in ${FIND}; do for I in ${FIND}; do
FOUND=1 FOUND=1
REAL=""
UUID=""
logtext "Swap partition found: ${I}" logtext "Swap partition found: ${I}"
# YYY Add a test if partition is not a normal partition (e.g. UUID=) # YYY Add a test if partition is not a normal partition (e.g. UUID=)
# Can be ^/dev/mapper/vg-name_lv-name # Can be ^/dev/mapper/vg-name_lv-name
# Can be ^/dev/partition # Can be ^/dev/partition
# Can be ^UUID=uuid --> /dev/disk/by-uuid/<uuid> # Can be ^UUID=uuid --> /dev/disk/by-uuid/<uuid>
# if [ ! "${BLKIDBINARY}" = "" ]; then HAS_UUID=`echo ${I} | grep "^UUID="`
# FIND2=`${BLKIDBINARY} | awk '{ if ($2=="UUID=\"${UUID}\"") print $1 }' | sed 's/:$//'` if [ ! "${HAS_UUID}" = "" ]; then
# else UUID=`echo ${HAS_UUID} | awk -F= '{ print $2 }'`
# logtext "Result: blkid binary not found, trying by checking device listing" logtext "Result: Using ${UUID} as UUID"
# if [ -f /dev/disk/by-uuid/${UUID} ]; then if [ ! "${BLKIDBINARYx}" = "" ]; then
# logtext "Result: found disk via /dev/disk/by-uuid listing" FIND2=`${BLKIDBINARY} | awk '{ if ($2=="UUID=\"${UUID}\"") print $1 }' | sed 's/:$//'`
# fi if [ ! "${FIND2}" = "" ]; then
# fi REAL="${FIND2}"
report "swap_partition[]=${I}" fi
else
logtext "Result: blkid binary not found, trying by checking device listing"
sFILE=""
if [ -L /dev/disk/by-uuid/${UUID} ]; then
logtext "Result: found disk via /dev/disk/by-uuid listing"
ShowSymlinkPath /dev/disk/by-uuid/${UUID}
if [ ! "${sFILE}" = "" ]; then
REAL="${sFILE}"
logtext "Result: disk is ${REAL}"
fi
else
logtext "Result: no symlink found to /dev/disk/by-uuid/${UUID}"
fi
fi
fi
# Set real device
if [ "${REAL}" = "" ]; then
REAL="${I}"
fi
report "swap_partition[]=${I},${REAL},"
done done
if [ ${FOUND} -eq 1 ]; then if [ ${FOUND} -eq 1 ]; then
Display --indent 2 --text "- Query swap partitions (fstab)" --result OK --color GREEN Display --indent 2 --text "- Query swap partitions (fstab)" --result OK --color GREEN
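Review bot: the blkid branch can never run: `if [ ! "${BLKIDBINARYx}" = "" ]` tests a variable with a stray `x` appended, which is always empty, so every UUID lookup falls through to the /dev/disk/by-uuid path. Even with the typo fixed, the awk program is in single quotes, so `"UUID=\"${UUID}\""` is compared literally rather than with the shell's UUID expanded; pass it in with `awk -v uuid="${UUID}" '{ if ($2=="UUID=\"" uuid "\"") print $1 }'`. Minor: `${UUID}` is unquoted in the `-L` test and in the ShowSymlinkPath call.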

@ -340,7 +340,6 @@
logtext "Test: Searching apt-cache, to determine if a newer kernel is available" logtext "Test: Searching apt-cache, to determine if a newer kernel is available"
if [ -x /usr/bin/apt-cache ]; then if [ -x /usr/bin/apt-cache ]; then
logtext "Result: found /usr/bin/apt-cache" logtext "Result: found /usr/bin/apt-cache"
# YYY Test for presence /usr/bin/apt-cache and dpkg
logtext "Test: checking readlink location of /vmlinuz" logtext "Test: checking readlink location of /vmlinuz"
FINDKERNFILE=`readlink -f /vmlinuz` FINDKERNFILE=`readlink -f /vmlinuz`
logtext "Output: readlink reported file ${FINDKERNFILE}" logtext "Output: readlink reported file ${FINDKERNFILE}"
@ -516,7 +515,8 @@
FIND=`ls /boot/vmlinuz* 2> /dev/null` FIND=`ls /boot/vmlinuz* 2> /dev/null`
if [ ! "${FIND}" = "" ]; then if [ ! "${FIND}" = "" ]; then
# Display kernels, extract version numbers and sort them numeric per column (up to 6 numbers) # Display kernels, extract version numbers and sort them numeric per column (up to 6 numbers)
KERNELS=`ls /boot/vmlinuz* | sed 's/vmlinuz-//' | sed 's/\.[a-z].*.//g' | sed 's/-[a-z].*.//g' | sed 's./boot/..' | sed 's/-/./g' | sort -n -k1,1 -k2,2 -k3,3 -k4,4 -k5,5 -k6,6 -t \.` # Remove generic. and huge. for Slackware machines
KERNELS=`ls /boot/vmlinuz* | sed 's/vmlinuz-//' | sed 's/generic.//' | sed 's/huge.//' | sed 's/\.[a-z].*.//g' | sed 's/-[a-z].*.//g' | sed 's./boot/..' | sed 's/-/./g' | sort -n -k1,1 -k2,2 -k3,3 -k4,4 -k5,5 -k6,6 -t \.`
elif [ ! `ls /boot/kernel* 2> /dev/null` = "" ]; then elif [ ! `ls /boot/kernel* 2> /dev/null` = "" ]; then
# Display kernels, extract version numbers and sort them numeric per column (up to 6 numbers) # Display kernels, extract version numbers and sort them numeric per column (up to 6 numbers)
# Examples: # Examples:
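Review bot: in the new KERNELS pipeline, `sed 's/generic.//'` and `sed 's/huge.//'` use an unescaped `.`, which matches any character, so they also strip `generic-` or `huge-` from non-Slackware names; if the intent is the Slackware `generic.` / `huge.` prefixes, escape the dot (`sed 's/generic\.//'`) and anchor the pattern so only that prefix is removed.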
@ -580,4 +580,4 @@ wait_for_keypress
# #
#================================================================================ #================================================================================
# Lynis - Copyright 2007-2015, Michael Boelen - http://cisofy.com - The Netherlands # Lynis - Copyright 2007-2015, CISOfy - https://cisofy.com

@ -274,7 +274,7 @@
Register --test-no LOGG-2150 --weight L --preqs-met ${PREQS_MET} --network NO --description "Checking directories in logrotate configuration" Register --test-no LOGG-2150 --weight L --preqs-met ${PREQS_MET} --network NO --description "Checking directories in logrotate configuration"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Checking which directories can be found in logrotate configuration" logtext "Test: Checking which directories can be found in logrotate configuration"
FIND=`${LOGROTATEBINARY} -d -v /etc/logrotate.conf 2>&1 | egrep "considering log|skipping" | grep -v '*' | sort | uniq | awk '{ if ($2=="log") { print $3 } }' | sed 's/\/*[a-zA-Z_.-]*$//g' | sort | uniq` FIND=`${LOGROTATEBINARY} -d -v /etc/logrotate.conf 2>&1 | egrep "considering log|skipping" | grep -v '*' | sort | uniq | awk '{ if ($2=="log") { print $3 } }' | sed 's@/[^/]*$@@g' | sort | uniq`
if [ "${FIND}" = "" ]; then if [ "${FIND}" = "" ]; then
logtext "Result: nothing found" logtext "Result: nothing found"
else else
@ -285,7 +285,6 @@
report "log_directory[]=${I}" report "log_directory[]=${I}"
else else
logtext "Directory could not be found: ${I}" logtext "Directory could not be found: ${I}"
# YYY strip more parts of the name, until it can be found (and stop at /)
fi fi
done done
fi fi

@ -23,7 +23,9 @@
################################################################################# #################################################################################
# #
CLAMD_RUNNING=0 CLAMD_RUNNING=0
MCAFEE_SCANNER_RUNNING=0
MALWARE_SCANNER_INSTALLED=0 MALWARE_SCANNER_INSTALLED=0
SOPHOS_SCANNER_RUNNING=0
# #
################################################################################# #################################################################################
# #
@ -66,27 +68,36 @@
Register --test-no MALW-3280 --weight L --network NO --description "Check if anti-virus tool is installed" Register --test-no MALW-3280 --weight L --network NO --description "Check if anti-virus tool is installed"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
FOUND=0 FOUND=0
MCAFEE_RUNNING=0
logtext "Test: checking process cma or cmdagent (McAfee)" logtext "Test: checking process cma or cmdagent (McAfee)"
# cma is too generic to match on, so we want to ensure that it is related to McAfee first # cma is too generic to match on, so we want to ensure that it is related to McAfee first
if [ -x /opt/McAfee/cma/bin/cma ]; then if [ -x /opt/McAfee/cma/bin/cma ]; then
IsRunning cma IsRunning cma
if [ ${RUNNING} -eq 1 ]; then MCAFEE_RUNNING=1; fi if [ ${RUNNING} -eq 1 ]; then MCAFEE_SCANNER_RUNNING=1; fi
else else
IsRunning cmdagent IsRunning cmdagent
if [ ${RUNNING} -eq 1 ]; then MCAFEE_RUNNING=1; fi if [ ${RUNNING} -eq 1 ]; then MCAFEE_SCANNER_RUNNING=1; fi
fi fi
if [ ${MCAFEE_RUNNING} -eq 1 ]; then if [ ${MCAFEE_SCANNER_RUNNING} -eq 1 ]; then
FOUND=1 FOUND=1
Display --indent 2 --text "- Checking McAfee" --result "FOUND" --color GREEN Display --indent 2 --text "- Checking McAfee" --result "FOUND" --color GREEN
logtext "Result: Found McAfee" logtext "Result: Found McAfee"
MALWARE_SCANNER_INSTALLED=1 MALWARE_SCANNER_INSTALLED=1
AddHP 2 2 AddHP 2 2
fi fi
# Sophos savscand/SophosScanD
logtext "Test: checking process savscand"
IsRunning savscand
if [ ${RUNNING} -eq 1 ]; then
FOUND=1
SOPHOS_SCANNER_RUNNING=1;
fi
logtext "Test: checking process SophosScanD" logtext "Test: checking process SophosScanD"
IsRunning SophosScanD IsRunning SophosScanD
if [ ${RUNNING} -eq 1 ]; then if [ ${RUNNING} -eq 1 ]; then
FOUND=1 FOUND=1
SOPHOS_SCANNER_RUNNING=1;
fi
if [ ${SOPHOS_SCANNER_RUNNING} -eq 1 ]; then
Display --indent 2 --text "- Checking Sophos" --result "FOUND" --color GREEN Display --indent 2 --text "- Checking Sophos" --result "FOUND" --color GREEN
logtext "Result: Found Sophos" logtext "Result: Found Sophos"
MALWARE_SCANNER_INSTALLED=1 MALWARE_SCANNER_INSTALLED=1
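Review bot: `SOPHOS_SCANNER_RUNNING=1;` carries a stray trailing semicolon in both places; drop it for consistency with the rest of the file. The restructure itself is sound: savscand and SophosScanD now feed one flag, so Sophos is displayed once rather than per process.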
@ -114,7 +125,6 @@
logtext "Result: clamscan couldn't be found" logtext "Result: clamscan couldn't be found"
fi fi
fi fi
# #
################################################################################# #################################################################################
# #
@ -185,22 +195,6 @@
# Description : Check for LMD # Description : Check for LMD
# #
################################################################################# #################################################################################
#
# Test : MALW-3292
# Description : Check if at least one malware scanner is installed
# Register --test-no MALW-3292 --weight L --network NO --description "Check for at least one malware scanner"
# if [ ${SKIPTEST} -eq 0 ]; then
# if [ ${MALWARE_SCANNER_INSTALLED} -eq 1 ]; then
# logtext "Result: At least one malware scanner is installed"
# Display --indent 2 --text "- Checking presence malware scanner" --result "FOUND" --color GREEN
# #AddHP 3 3
# else
# logtext "Result: No malware scanners found"
# Display --indent 2 --text "- Checking presence malware scanner" --result "NOT FOUND" --color YELLOW
# ReportSuggestion ${TEST_NO} "Install at least one malware scanner to perform periodic integrity tests on the system"
# #AddHP 0 3
# fi
# fi
# #
################################################################################# #################################################################################
# #

@ -402,9 +402,67 @@
fi fi
# #
################################################################################# #################################################################################
#
# Test : PKGS-7366
# Description : Checking if debsecan is installed and enabled on Debian systems
if [ ! "${DEBSECANBINARY}" = "" -a "${OS}" = "Linux" -a "${LINUX_VERSION}" = "Debian" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no "PKGS-7366" --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking for debsecan utility"
if [ ${SKIPTEST} -eq 0 ]; then
if [ ! "${DEBSECANBINARY}" = "" ]; then
logtext "Result: debsecan utility is installed"
Display --indent 4 --text "- debsecan utility" --result "FOUND" --color GREEN
AddHP 3 3
PACKAGE_AUDIT_TOOL_FOUND=1
PACKAGE_AUDIT_TOOL="debsecan"
FIND=`find /etc/cron* -name debsecan`
if [ ! ${FIND} = "" ]; then
logtext "Result: cron job is configured for debsecan"
Display --indent 6 --text "- debsecan cron job" --result "FOUND" --color GREEN
AddHP 3 3
else
logtext "Result: no cron job is configured for debsecan"
Display --indent 4 --text "- debsecan cron job" --result "NOT FOUND" --color YELLOW
AddHP 1 3
ReportSuggestion ${TEST_NO} "Check debsecan cron job and ensure it is enabled"
fi
else
logtext "Result: debsecan is not installed."
Display --indent 4 --text "- debsecan utility" --result "NOT FOUND" --color YELLOW
AddHP 0 2
ReportSuggestion ${TEST_NO} "Install debsecan to check for vulnerabilities on installed packages."
fi
fi
#
#################################################################################
# #
# Test : PKGS-7370 # Test : PKGS-7370
# Description : Check debsums output # Description : Checking debsums installation status and presence in cron job
# Note : Run this only when it is a DPKG based system
if [ ! "${DPKGBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no "PKGS-7370" --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking for debsums utility"
if [ ${SKIPTEST} -eq 0 ]; then
if [ ! "${DEBSUMSBINARY}" = "" ]; then
logtext "Result: debsums utility is installed"
Display --indent 4 --text "- debsums utility" --result "FOUND" --color GREEN
AddHP 1 1
# Check in /etc/cron.hourly, daily, weekly, monthly etc
COUNT=`find /etc/cron* -name debsums | wc -l`
if [ ${COUNT} -gt 0 ]; then
logtext "Result: Cron job is configured for debsums utility."
Display --indent 6 --text "- Cron job for debsums" --result "FOUND" --color GREEN
AddHP 3 3
else
logtext "Result: Cron job is not configured for debsums utility."
Display --indent 6 --text "- Cron job for debsums" --result "NOT FOUND" --color YELLOW
AddHP 1 3
ReportSuggestion "${TEST_NO}" "Check debsums configuration and enable checking regurlarly via a cron job."
fi
else
logtext "Result: debsums utility is not installed."
AddHP 0 2
ReportSuggestion ${TEST_NO} "Install debsums utility for the verification of packages with known good database."
fi
fi
# #
################################################################################# #################################################################################
# #
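Review bot: in PKGS-7366, `if [ ! ${FIND} = "" ]` leaves `${FIND}` unquoted; with no cron entry it becomes `[ ! = "" ]` (a test syntax error), and with more than one matching file it becomes a "too many arguments" error, so neither branch is reached reliably. Quote it, or count matches the way PKGS-7370 does (`find ... | wc -l`). Smaller points: the cron-job NOT FOUND line uses `--indent 4` where its FOUND counterpart uses 6; "regurlarly" in the PKGS-7370 suggestion; and the debsums NOT FOUND branch has no `Display` line, so the user sees nothing on screen when debsums is absent.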
@ -933,9 +991,45 @@
# #
################################################################################# #################################################################################
# #
# check for popularity-contest (Debian/Ubuntu) # Test : PKGS-7410
# check for yum-changelog # Description : Count number of installed kernel packages
Register --test-no PKGS-7410 --weight L --network NO --description "Count installed kernel packages"
if [ ${SKIPTEST} -eq 0 ]; then
KERNELS=0
if [ ! "${RPMBINARY}" = "" ]; then
logtext "Test: Checking how many kernel packages are installed"
KERNELS=`rpm -q kernel 2> /dev/null | wc -l`
if [ ${KERNELS} -eq 0 ]; then
logtext "Result: found no kernels from rpm -q kernel output, which is unexpected"
ReportException "KRNL-5840:1" "Could not find any kernel packages from RPM output"
elif [ ${KERNELS} -gt 5 ]; then
logtext "Result: found more than 5 kernel packages on the system, which might indicate lack of regular cleanups"
ReportSuggestion "${TEST_NO}" "Remove any unneeded kernel packages with package-cleanup utility (--old-kernels)"
AddHP 4 5
else
logtext "Result: found ${KERNELS} on the system, which is fine"
AddHP 1 1
fi
fi
fi
#
#################################################################################
#
# Test : PKGS-7414
# Description : Check installonly_limit in yum.conf
#
#################################################################################
#
# Test : PKGS-7416
# Description : Check for popularity-contest (Debian/Ubuntu)
#
#################################################################################
#
# Test : PKGS-7418
# Description : Check for yum-changelog
#
#################################################################################
#
if [ ! "${INSTALLED_PACKAGES}" = "" ]; then if [ ! "${INSTALLED_PACKAGES}" = "" ]; then
report "installed_packages_array=${INSTALLED_PACKAGES}" report "installed_packages_array=${INSTALLED_PACKAGES}"
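Review bot: the `-eq 0` branch in PKGS-7410 is unreachable because `rpm -q kernel` prints "package kernel is not installed" on stdout when the package is absent, so `wc -l` returns 1, not 0, and a system without a `kernel` package scores as having one kernel. Test rpm's exit status instead (e.g. `rpm -q kernel > /dev/null 2>&1`) or filter with `grep -v "not installed"` before counting. Two smaller points in the same hunk: the exception ID `KRNL-5840:1` belongs to a different test and should be `PKGS-7410:1`, and the log line `"Result: found ${KERNELS} on the system, which is fine"` is missing the word "kernels".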
@ -57,16 +57,9 @@
logtext "Output /etc/ttys:" logtext "Output /etc/ttys:"
logtext "${FIND}" logtext "${FIND}"
ReportWarning ${TEST_NO} "M" "Found unprotected console in /etc/ttys" ReportWarning ${TEST_NO} "M" "Found unprotected console in /etc/ttys"
#ReportSuggestion ${TEST_NO} "Change the console line from 'secure' to 'insecure'." logtext "Possible solution: Change the console line from 'secure' to 'insecure'."
fi fi
fi fi
#
#################################################################################
#
# Test : SHLL-6214
# Description : check for idle session killing tools (timeoutd)
# #
################################################################################# #################################################################################
# #
@ -220,43 +213,6 @@
fi fi
# #
################################################################################# #################################################################################
#
# Test : SHLL-6236
# Description : Check /etc/profile
#
#################################################################################
#
# Test : SHLL-6240
# Description : Check default umask
# Register --test-no SHLL-6240 --weight L --network NO --description "Check default umask"
# if [ ${SKIPTEST} -eq 0 ]; then
# logtext "Test: Checking /etc/profile"
# if [ -f /etc/profile ]; then
# FIND=`grep "^umask" | awk '{ print $2 }'`
# if [ "${FIND}" = "" ]; then
# logtext "Result: xxx"
# Display --indent 2 --text "- Checking default umask" --result OK --color GREEN
# else
# logtext "Result: xxx"
# Display --indent 2 --text "- Checking default umask" --result WARNING --color RED
# #ReportWarning ${TEST_NO} "M" "xxx"
# #ReportSuggestion ${TEST_NO} "xxx"
# fi
# fi
# fi
#
#################################################################################
#
# Test : SHLL-6250
# Description : Check /etc/bash.bashrc
# Register --test-no SHLL-6250 --weight L --network NO --description "Check default umask"
# if [ ${SKIPTEST} -eq 0 ]; then
#
#################################################################################
#
#
#################################################################################
# #
# Test : SHLL-6290 # Test : SHLL-6290
# Description : Check for Shellshock vulnerability # Description : Check for Shellshock vulnerability
@ -395,4 +351,4 @@ wait_for_keypress
# #
#================================================================================ #================================================================================
# Lynis - Copyright 2007-2015, CISOfy & Michael Boelen - http://cisofy.com - The Netherlands # Lynis - Copyright 2007-2015, CISOfy - http://cisofy.com
@ -33,7 +33,7 @@
if [ -d /etc/modprobe.d ]; then if [ -d /etc/modprobe.d ]; then
FIND=`ls /etc/modprobe.d/* 2> /dev/null` FIND=`ls /etc/modprobe.d/* 2> /dev/null`
if [ ! "${FIND}" = "" ]; then if [ ! "${FIND}" = "" ]; then
FIND=`grep -r "install usb-storage /bin/true" /etc/modprobe.d/* | grep "usb-storage" | grep -v "#"` FIND=`grep -r "install usb-storage /bin/(false|true)" /etc/modprobe.d/* | grep "usb-storage" | grep -v "#"`
FIND2=`egrep -r "^blacklist (usb_storage|usb-storage)" /etc/modprobe.d/*` FIND2=`egrep -r "^blacklist (usb_storage|usb-storage)" /etc/modprobe.d/*`
if [ ! "${FIND}" = "" -o ! "${FIND2}" = "" ]; then if [ ! "${FIND}" = "" -o ! "${FIND2}" = "" ]; then
FOUND=1 FOUND=1
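Review bot: `grep -r "install usb-storage /bin/(false|true)"` is a regression, because plain grep uses basic regular expressions where unescaped `(`, `|` and `)` are literal characters; the pattern now matches only the literal string `/bin/(false|true)` and no longer matches `install usb-storage /bin/true`, which the old pattern did. Use `egrep -r` (or `grep -Er`) here, as the `blacklist` check on the next line already does.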
@ -44,7 +44,7 @@
fi fi
fi fi
if [ -f /etc/modprobe.conf ]; then if [ -f /etc/modprobe.conf ]; then
FIND=`grep "install usb-storage /bin/true" /etc/modprobe.conf | grep "usb-storage" | grep -v "#"` FIND=`grep "install usb-storage /bin/(false|true)" /etc/modprobe.conf | grep "usb-storage" | grep -v "#"`
if [ ! "${FIND}" = "" ]; then if [ ! "${FIND}" = "" ]; then
FOUND=1 FOUND=1
logtext "Result: found usb-storage driver in disabled state" logtext "Result: found usb-storage driver in disabled state"
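Review bot: same BRE problem as in /etc/modprobe.d above: `grep "install usb-storage /bin/(false|true)" /etc/modprobe.conf` matches neither `/bin/true` nor `/bin/false` without `-E`, so the /etc/modprobe.conf path now always reports the driver as not disabled. Switch to `egrep`.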
@ -66,6 +66,7 @@
# #
# Test : STRG-1846 # Test : STRG-1846
# Description : Check for disabled firewire storage # Description : Check for disabled firewire storage
# Explanation : Best option is to use the install function, or else drivers can still be loaded manually
Register --test-no STRG-1846 --os Linux --weight L --network NO --description "Check if firewire storage is disabled" Register --test-no STRG-1846 --os Linux --weight L --network NO --description "Check if firewire storage is disabled"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
FOUND=0 FOUND=0
@ -73,8 +74,8 @@
if [ -d /etc/modprobe.d ]; then if [ -d /etc/modprobe.d ]; then
FIND=`ls /etc/modprobe.d/* 2> /dev/null` FIND=`ls /etc/modprobe.d/* 2> /dev/null`
if [ ! "${FIND}" = "" ]; then if [ ! "${FIND}" = "" ]; then
FIND1=`egrep "blacklist (ohci1394|firewire-ohci)" /etc/modprobe.d/* | grep "ohci" | grep -v "#"` FIND1=`egrep "blacklist (ohci1394|firewire-ohci|firewire_ohci)" /etc/modprobe.d/* | grep "ohci" | grep -v "#"`
FIND2=`egrep "install (ohci1394|firewire-ohci) /bin/true" /etc/modprobe.d/* | grep "ohci" | grep -v "#"` FIND2=`egrep "install (ohci1394|firewire-ohci|firewire_ohci) /bin/(false|true)" /etc/modprobe.d/* | grep "ohci" | grep -v "#"`
if [ ! "${FIND1}" = "" -o ! "${FIND2}" = "" ]; then if [ ! "${FIND1}" = "" -o ! "${FIND2}" = "" ]; then
FOUND=1 FOUND=1
logtext "Result: found firewire ohci driver in disabled state" logtext "Result: found firewire ohci driver in disabled state"
@ -84,8 +85,8 @@
fi fi
fi fi
if [ -f /etc/modprobe.conf ]; then if [ -f /etc/modprobe.conf ]; then
FIND1=`egrep -r "blacklist (ohci1394|firewire-ohci)" /etc/modprobe.conf | grep "ohci" | grep -v "#"` FIND1=`egrep -r "blacklist (ohci1394|firewire-ohci|firewire_ohci)" /etc/modprobe.conf | grep "ohci" | grep -v "#"`
FIND2=`egrep -r "install (ohci1394|firewire-ohci) /bin/true" /etc/modprobe.conf | grep "ohci" | grep -v "#"` FIND2=`egrep -r "install (ohci1394|firewire-ohci|firewire_ohci) /bin/(false|true)" /etc/modprobe.conf | grep "ohci" | grep -v "#"`
if [ ! "${FIND1}" = "" -o ! "${FIND2}" = "" ]; then if [ ! "${FIND1}" = "" -o ! "${FIND2}" = "" ]; then
FOUND=1 FOUND=1
logtext "Result: found firewire ohci driver in disabled state" logtext "Result: found firewire ohci driver in disabled state"
@ -107,6 +108,7 @@
# #
################################################################################# #################################################################################
# #
# Use modprobe --showconfig to test for options
# NetBSD: amd (auto mount daemon) # NetBSD: amd (auto mount daemon)
@ -119,4 +121,4 @@ wait_for_keypress
# #
#================================================================================ #================================================================================
# Lynis - Copyright 2007-2015, Michael Boelen - www.rootkit.nl - The Netherlands # Lynis - Copyright 2007-2015, CISOfy, Michael Boelen - https://cisofy.com
@ -32,6 +32,7 @@
# Specific for ntpd # Specific for ntpd
NTPD_RUNNING=0 NTPD_RUNNING=0
CRON_DIRS="/etc/cron.d /etc/cron.hourly /etc/cron.daily /etc/cron.weekly /etc/cron.monthly /var/spool/crontabs" CRON_DIRS="/etc/cron.d /etc/cron.hourly /etc/cron.daily /etc/cron.weekly /etc/cron.monthly /var/spool/crontabs"
SYSTEMD_NTP_ENABLED=0
# #
################################################################################# #################################################################################
# #
@ -46,10 +47,25 @@
fi fi
Register --test-no TIME-3104 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check for running NTP daemon or client" Register --test-no TIME-3104 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check for running NTP daemon or client"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
# Linux/FreeBSD (ntpdate), OpenBSD (ntpd, rdate) # Linux/FreeBSD (ntpdate), OpenBSD (ntpd, rdate), Chrony, systemd-timesyncd
logtext "Test: Searching for a running NTP daemon or available client" logtext "Test: Searching for a running NTP daemon or available client"
FOUND=0 FOUND=0
if [ -f /etc/chrony.conf ]; then
IsRunning chronyd
if [ ${RUNNING} -eq 1 ]; then
FOUND=1; NTP_DAEMON_RUNNING=1; NTP_CONFIG_TYPE_DAEMON=1; NTP_DAEMON="chronyd"
Display --indent 2 --text "- NTP daemon found: chronyd" --result FOUND --color GREEN
fi
fi
# Check time daemon (eg DragonFly BSD)
IsRunning dntpd
if [ ${RUNNING} -eq 1 ]; then
FOUND=1; NTP_DAEMON_RUNNING=1; NTP_CONFIG_TYPE_DAEMON=1; NTP_DAEMON="dntpd"
Display --indent 2 --text "- NTP daemon found: dntpd" --result FOUND --color GREEN
fi
# Check running processes # Check running processes
FIND=`${PSBINARY} ax | grep "ntpd" | grep -v "dntpd" | grep -v "grep"` FIND=`${PSBINARY} ax | grep "ntpd" | grep -v "dntpd" | grep -v "grep"`
if [ ! "${FIND}" = "" ]; then if [ ! "${FIND}" = "" ]; then
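Review bot: the chrony check is gated on `-f /etc/chrony.conf`, but Debian and Ubuntu ship the configuration as /etc/chrony/chrony.conf, and the following `ps ax | grep "ntpd"` does not match `chronyd`, so a running chrony on those systems ends up as NOT FOUND. Call `IsRunning chronyd` unconditionally, as the dntpd block right below does, and treat the config file location as informational only.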
@ -66,19 +82,18 @@
Display --indent 2 --text "- NTP daemon found: timed" --result FOUND --color GREEN Display --indent 2 --text "- NTP daemon found: timed" --result FOUND --color GREEN
fi fi
# Check time daemon (eg DragonFly BSD)
IsRunning dntpd
if [ ${RUNNING} -eq 1 ]; then
FOUND=1; NTP_DAEMON_RUNNING=1; NTP_CONFIG_TYPE_DAEMON=1; NTP_DAEMON="dntpd"
Display --indent 2 --text "- NTP daemon found: dntpd" --result FOUND --color GREEN
fi
# Check timedate daemon (systemd) # Check timedate daemon (systemd)
if [ ! "${TIMEDATECTL}" = "" ]; then if [ ! "${TIMEDATECTL}" = "" ]; then
FIND=`${TIMEDATECTL} status | grep "NTP enabled: yes"` FIND=`${TIMEDATECTL} status | grep "NTP enabled: yes"`
if [ ! "${FIND}" = "" ]; then if [ ! "${FIND}" = "" ]; then
FOUND=1; NTP_DAEMON_RUNNING=1; NTP_CONFIG_TYPE_DAEMON=1; NTP_DAEMON="timedated" # Check for systemd-timesyncd
Display --indent 2 --text "- NTP daemon found: timedated" --result "FOUND" --color GREEN if [ -f /etc/systemd/timesyncd.conf ]; then
FOUND=1; NTP_DAEMON_RUNNING=1; NTP_CONFIG_TYPE_DAEMON=1; NTP_DAEMON="systemd-timesyncd"
Display --indent 2 --text "- NTP daemon found: systemd (timesyncd)" --result "FOUND" --color GREEN
SYSTEMD_NTP_ENABLED=1
fi
else
logtext "Result: time sychronization not performed according timedatectl command"
fi fi
fi fi
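Review bot: the new `else` branch logs "time sychronization not performed according timedatectl command" whenever timedatectl does not report `NTP enabled: yes`, even when ntpd, chronyd or dntpd was already found earlier in this test, which makes the log contradict the FOUND lines above it. Either guard the message with `if [ ${FOUND} -eq 0 ]` or reword it to say only that systemd's own NTP is not enabled; while there, fix "sychronization" and "according" (should be "according to").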
@ -94,12 +109,12 @@
Display --indent 2 --text "- Checking NTP client in crontab file (${I})" --result FOUND --color GREEN Display --indent 2 --text "- Checking NTP client in crontab file (${I})" --result FOUND --color GREEN
logtext "Result: found ntpdate or rdate reference in crontab file ${I}" logtext "Result: found ntpdate or rdate reference in crontab file ${I}"
else else
Display --indent 2 --text "- Checking NTP client in crontab file (${I})" --result "NOT FOUND" --color WHITE #Display --indent 2 --text "- Checking NTP client in crontab file (${I})" --result "NOT FOUND" --color WHITE
logtext "Result: no ntpdate or rdate reference found in crontab file ${I}" logtext "Result: no ntpdate or rdate reference found in crontab file ${I}"
fi fi
else else
logtext "Result: crontab file ${I} not found" logtext "Result: crontab file ${I} not found"
fi fi
done done
########################## ##########################
@ -133,11 +148,10 @@
Display --indent 2 --text "- Checking NTP client in cron files" --result FOUND --color GREEN Display --indent 2 --text "- Checking NTP client in cron files" --result FOUND --color GREEN
logtext "Result: found ntpdate or rdate in cron directory" logtext "Result: found ntpdate or rdate in cron directory"
else else
Display --indent 2 --text "- Checking NTP client in cron.d files" --result "NOT FOUND" --color WHITE #Display --indent 2 --text "- Checking NTP client in cron.d files" --result "NOT FOUND" --color WHITE
logtext "Result: no ntpdate or rdate found in cron directories" logtext "Result: no ntpdate or rdate found in cron directories"
fi fi
# Checking if ntpdate is performed by event # Checking if ntpdate is performed by event
logtext "Test: checking for file /etc/network/if-up.d/ntpdate" logtext "Test: checking for file /etc/network/if-up.d/ntpdate"
if [ -f /etc/network/if-up.d/ntpdate ]; then if [ -f /etc/network/if-up.d/ntpdate ]; then
@ -181,6 +195,21 @@
fi fi
# #
################################################################################# #################################################################################
#
# Test : TIME-3106
# Description : Check status of systemd time synchronization
if [ ${SYSTEMD_NTP_ENABLED} -eq 1 -a ! "${TIMEDATECTL}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no TIME-3106 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check systemd NTP time synchronization status"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Check the status of time synchronization via timedatectl"
FIND=`${TIMEDATECTL} status | grep "NTP sychronized: yes"`
if [ "${FIND}" = "" ]; then
logtext "Result: time not synchronized via NTP"
ReportSuggestion "${TEST_NO}" "Check timedatectl output. Sychronization via NTP is enabled, but status reflects it is not synchronized"
fi
fi
#
#################################################################################
# #
# Test : TIME-3112 # Test : TIME-3112
# Description : Check for valid associations from ntpq peers list # Description : Check for valid associations from ntpq peers list
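Review bot: TIME-3106 can never pass, because the grep pattern `"NTP sychronized: yes"` is misspelled while timedatectl prints `NTP synchronized: yes`; as written, `FIND` is always empty and the suggestion fires on every host with systemd-timesyncd enabled. Correct the pattern to `"NTP synchronized: yes"`, and fix "Sychronization" in the ReportSuggestion text as well.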
@ -404,6 +433,8 @@
# #
################################################################################# #################################################################################
# #
# For VMs check ntpd.conf : tinker panic 0
#
wait_for_keypress wait_for_keypress
@ -429,4 +460,4 @@ wait_for_keypress
# #
#================================================================================ #================================================================================
# Lynis - Copyright 2007-2015, Michael Boelen - www.rootkit.nl - The Netherlands # Lynis - Copyright 2007-2015, CISOfy - https://cisofy.com
@ -45,6 +45,25 @@
Display --indent 4 --text "Found: Cfengine (cfagent)" --result FOUND --color GREEN Display --indent 4 --text "Found: Cfengine (cfagent)" --result FOUND --color GREEN
fi fi
CHEF_LOCATIONS="/opt/chef/bin /opt/chef-server/sv /opt/chefdk/bin"
for I in ${CHEF_LOCATIONS}; do
if [ -d ${I} ]; then
if [ -f ${I}/chef-client ]; then
CHEFCLIENTBINARY="${I}/chef-client"
AUTOMATION_TOOL_FOUND=1
Display --indent 4 --text "Found: Chef client (chef-client)" --result FOUND --color GREEN
logtext "Result: found chef-client (chef client daemon) in ${I}"
fi
if [ -f ${I}/erchef ]; then
CHEFSERVERBINARY="${I}/erchef"
logtext "Result: Chef Server (erchef) is installed (${CHEFSERVERBINARY})"
AUTOMATION_TOOL_FOUND=1
Display --indent 4 --text "Found: Chef Server (erchef)" --result FOUND --color GREEN
logtext "Result: found erchef (chef server daemon) in ${I}"
fi
fi
done
# Puppet # Puppet
if [ ! "${PUPPETBINARY}" = "" ]; then if [ ! "${PUPPETBINARY}" = "" ]; then
logtext "Result: Puppet is installed (${PUPPETBINARY})" logtext "Result: Puppet is installed (${PUPPETBINARY})"
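Review bot: the erchef branch logs the same finding twice (`"Result: Chef Server (erchef) is installed (${CHEFSERVERBINARY})"` and `"Result: found erchef (chef server daemon) in ${I}"`); keep one. Also check whether `/opt/chef-server/sv/erchef` is a file on a real Chef Server install: under a runit `sv` layout the entry is a service directory, in which case `-f ${I}/erchef` never matches and `-e` or `-d` is what is intended.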
@ -106,4 +125,4 @@
wait_for_keypress wait_for_keypress
# #
#================================================================================ #================================================================================
# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com # Lynis - Copyright 2007-2015, CISOfy - https://cisofy.com
@ -5,8 +5,8 @@
# Lynis # Lynis
# ------------------ # ------------------
# #
# Copyright 2007-2015, Michael Boelen (michael@rootkit.nl), The Netherlands # Copyright 2007-2015, Michael Boelen (michael.boelen@cisofy.com)
# Web site: http://www.rootkit.nl # Web site: https://cisofy.com
# #
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License. # welcome to redistribute it under the terms of the GNU General Public License.
@ -22,49 +22,6 @@
# #
################################################################################# #################################################################################
# #
# Test : VIRT-1902
# Description : Query running Solaris zones
if [ -x /usr/sbin/zoneadm ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no VIRT-1902 --os Solaris --weight L --network NO --description "Query running Solaris zones"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: query zoneadm to list all running zones"
FIND=`/usr/sbin/zoneadm list -p | awk -F: '{ if ($2!="global") print $0 }'`
if [ ! "${FIND}" = "" ]; then
N=0
for I in ${FIND}; do
N=`expr ${N} + 1`
ZONEID=`echo ${I} | cut -d ':' -f1`
ZONENAME=`echo ${I} | cut -d ':' -f2`
logtext "Result: found zone ${ZONENAME} (running)"
report "solaris_running_zone[]=${ZONENAME} [id:${ZONEID}]"
done
logtext "Result: total of ${N} running zones"
Display --indent 2 --text "- Checking Solaris Zones" --result "FOUND ${N} zones" --color GREEN
else
logtext "Result: no running zones found"
Display --indent 2 --text "- Checking Solaris Zones" --result NONE --color WHITE
fi
fi
#
#################################################################################
#
# Test : VIRT-1906
# Description : Query running Xen zones
#if [ -x /usr/bin/xm ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
#Register --test-no VIRT-1906 --weight L --network NO --description "Query Xen guests"
#if [ ${SKIPTEST} -eq 0 ]; then
# Show Xen guests
#FIND=`xm list | awk '$1 != "Name|Domain-0" {print $1","$2}'`
#for I in ${FIND}; do
#XENGUESTNAME=`echo ${I} | cut -d ':' -f1`
#XENGUESTID=`echo ${I} | cut -d ':' -f2`
#logtext "Result: found Xen guest ${XENGUESTNAME} (ID: ${XENGUESTID})"
#done
#fi
#
#################################################################################
#
# # Test : VIRT-1920 # # Test : VIRT-1920
# # Description : Checking VMware # # Description : Checking VMware
# Register --test-no VIRT-1920 --weight L --network NO --description "Checking VMware guest status" # Register --test-no VIRT-1920 --weight L --network NO --description "Checking VMware guest status"
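Review bot: this hunk deletes VIRT-1902, a registered and working test that reported running Solaris zones (`solaris_running_zone[]=...` in the report), together with the never-enabled VIRT-1906 draft; nothing in the diff replaces it. If the Solaris zone check has moved elsewhere, say so in the changelog; otherwise keep VIRT-1902, since consumers of the report key lose data silently.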
lynis
@ -23,7 +23,7 @@
# Program information # Program information
PROGRAM_name="Lynis" PROGRAM_name="Lynis"
PROGRAM_version="2.1.1" PROGRAM_version="2.1.1"
PROGRAM_releasedate="19 April 2015" PROGRAM_releasedate="27 May 2015"
PROGRAM_author="CISOfy" PROGRAM_author="CISOfy"
PROGRAM_author_contact="lynis-dev@cisofy.com" PROGRAM_author_contact="lynis-dev@cisofy.com"
PROGRAM_website="https://cisofy.com" PROGRAM_website="https://cisofy.com"
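Review bot: PROGRAM_releasedate moves from 19 April to 27 May 2015 while PROGRAM_version stays at 2.1.1. If this is a new release, bump the version (the update helper introduced in this merge compares `PROGRAM_AC` against the server's version, so two builds sharing "2.1.1" are indistinguishable to it); if it is a development snapshot, leave the release date alone.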
@ -134,7 +134,7 @@
echo "" echo ""
echo " Why do I see this error?" echo " Why do I see this error?"
echo " -------------------------------" echo " -------------------------------"
echo " This error is a protection mechanism, to prevent root user from executing user created files." echo " This is a protection mechanism, to prevent the root user from executing user created files."
echo ""; echo "" echo ""; echo ""
echo " What can I do?" echo " What can I do?"
echo " ---------------------" echo " ---------------------"
@ -226,55 +226,6 @@
# CV - Current Version # CV - Current Version
PROGRAM_AC=`echo ${PROGRAM_version} | awk '{ print $1 }' | sed 's/[.]//g'` PROGRAM_AC=`echo ${PROGRAM_version} | awk '{ print $1 }' | sed 's/[.]//g'`
PROGRAM_LV=0 PROGRAM_LV=0
#DB_MALWARE_CV=`grep "^#version=" ${DBDIR}/malware.db | cut -d '=' -f2`
#DB_FILEPERMS_CV=`grep "^#version=" ${DBDIR}/fileperms.db | cut -d '=' -f2`
# Number of signatures
#DB_MALWARE_IC=`grep -v "^#" ${DBDIR}/malware.db | wc -l | tr -s ' ' | tr -d ' '`
if [ ${VIEWUPDATEINFO} -eq 1 ]; then
CheckUpdates
# Reset everything if we can't determine our current version or the latest
# available version (due lack of internet connectivity for example)
if [ "${PROGRAM_AC}" = "" -o "${PROGRAM_LV}" = "" ]; then
# Set both to safe values
PROGRAM_AC=0; PROGRAM_LV=0
#DB_MALWARE_LV=0; DB_MALWARE_CV=0
#DB_FILEPERMS_LV=0; DB_FILEPERMS_CV=0
fi
echo ""; echo " == ${WHITE}${PROGRAM_name}${NORMAL} =="; echo ""
echo " Version : ${PROGRAM_version}"
echo -n " Status : "
if [ ${PROGRAM_LV} -eq 0 ]; then
echo "${RED}Unknown${NORMAL}";
elif [ ${PROGRAM_LV} -gt ${PROGRAM_AC} ]; then
echo "${YELLOW}Outdated${NORMAL}";
echo " Current version : ${PROGRAM_AC}"
echo " Latest version : ${PROGRAM_LV}"
else
echo "${GREEN}Up-to-date${NORMAL}"
fi
echo " Release date : ${PROGRAM_releasedate}"
echo " Update location : ${PROGRAM_website}"
# echo ""
# echo " == ${WHITE}Plugins${NORMAL} =="
# echo ""
# echo " == ${WHITE}Databases${NORMAL} =="
# echo " Current Latest Status"
# echo " -----------------------------------------------------------------------------"
# echo -n " Malware : ${DB_MALWARE_CV} ${DB_MALWARE_LV} "
# if [ ${DB_MALWARE_LV} -gt ${DB_MALWARE_CV} ]; then echo "${WARNING}Outdated${NORMAL}"; else echo "${OK}Up-to-date${NORMAL}"; fi
# echo -n " File perms : ${DB_FILEPERMS_CV} ${DB_FILEPERMS_LV} "
# if [ ${DB_FILEPERMS_LV} -gt ${DB_FILEPERMS_CV} ]; then echo "${WARNING}Outdated${NORMAL}"; else echo "${OK}Up-to-date${NORMAL}"; fi
echo ""; echo ""
echo "${PROGRAM_copyright}"; echo ""
# Quit program
ExitClean
fi
# #
################################################################################# #################################################################################
# #
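Review bot: with the update-info block removed, `PROGRAM_AC` and `PROGRAM_LV` on the remaining context lines are computed but no longer consumed in this file; move them into the update helper or drop them. Make sure the helper also keeps the safety reset the deleted code had (both values set to 0 when either is empty), otherwise a failed download leads to an `[ -gt ]` comparison against an empty string.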
@ -394,8 +345,11 @@
echo " audit system : Perform security scan" echo " audit system : Perform security scan"
echo " audit dockerfile <file> : Analyze Dockerfile" echo " audit dockerfile <file> : Analyze Dockerfile"
echo "" echo ""
echo " ${GREEN}update${NORMAL}"
echo " update info : Show update details"
echo " update release : Update Lynis release"
echo ""
echo "" echo ""
echo " ${WHITE}Scan options:${NORMAL}" echo " ${WHITE}Scan options:${NORMAL}"
echo " --auditor \"<name>\" : Auditor name" echo " --auditor \"<name>\" : Auditor name"
echo " --dump-options : See all available options" echo " --dump-options : See all available options"
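Review bot: style nit: the added `echo ""` directly precedes the existing `echo ""`, so the help output now shows two blank lines between the update commands and "Scan options"; drop one of them.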
@ -412,7 +366,6 @@
echo " --reverse-colors : Optimize color display for light backgrounds" echo " --reverse-colors : Optimize color display for light backgrounds"
echo "" echo ""
echo " ${WHITE}Misc options:${NORMAL}" echo " ${WHITE}Misc options:${NORMAL}"
echo " --check-update : Check for updates"
echo " --debug : Debug logging to screen" echo " --debug : Debug logging to screen"
echo " --view-manpage (--man) : View man page" echo " --view-manpage (--man) : View man page"
echo " --version (-V) : Display version number and quit" echo " --version (-V) : Display version number and quit"
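Review bot: `--check-update` disappears from the help text here and from the man page later in this merge, but the diff does not show whether the option parser still accepts it. Existing cron jobs and scripts use it; keep it as an alias for `update info` (optionally with a deprecation message) rather than turning it into an unknown-option error.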
@ -529,7 +482,7 @@
# #
################################################################################# #################################################################################
# #
if [ ${QUIET} -eq 0 ]; then if [ ${QUIET} -eq 0 -a ${SHOW_PROGRAM_DETAILS} -eq 1 ]; then
echo "" echo ""
echo " ---------------------------------------------------" echo " ---------------------------------------------------"
echo " Program version: ${PROGRAM_version}" echo " Program version: ${PROGRAM_version}"
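Review bot: `SHOW_PROGRAM_DETAILS` must be initialized before this `if`, or the expression expands to `[ 0 -eq 0 -a -eq 1 ]` and the shell aborts with a syntax error; the hunk does not show where it is set, so confirm it gets a default (1) alongside the other variables at the top of the script and not only in the option parser.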
@ -766,13 +719,11 @@
logtext "Info: perform tests from all categories" logtext "Info: perform tests from all categories"
INCLUDE_TESTS="boot_services kernel memory_processes authentication shells \ INCLUDE_TESTS="boot_services kernel memory_processes authentication shells \
filesystems storage storage_nfs \ filesystems storage storage_nfs nameservices ports_packages networking printers_spools \
nameservices ports_packages networking printers_spools \ mail_messaging firewalls webservers ssh snmp databases ldap php squid logging \
mail_messaging firewalls \ insecure_services banners scheduling accounting time crypto virtualization containers \
webservers ssh snmp databases ldap php squid logging \ mac_frameworks file_integrity hardening_tools tooling malware file_permissions homedirs \
insecure_services banners scheduling accounting \ kernel_hardening hardening"
time crypto virtualization mac_frameworks file_integrity hardening_tools tooling \
malware file_permissions homedirs kernel_hardening hardening"
else else
INCLUDE_TESTS="${TESTS_CATEGORY_TO_PERFORM}" INCLUDE_TESTS="${TESTS_CATEGORY_TO_PERFORM}"
logtext "Info: only performing tests from categories: ${TESTS_CATEGORY_TO_PERFORM}" logtext "Info: only performing tests from categories: ${TESTS_CATEGORY_TO_PERFORM}"
@ -834,12 +785,12 @@
################################################################################# #################################################################################
# #
if [ ${RUN_HELPERS} -eq 1 ]; then if [ ${RUN_HELPERS} -eq 1 ]; then
InsertPluginSection "Audit Module"
if [ ! "${HELPER}" = "" ]; then if [ ! "${HELPER}" = "" ]; then
logtext "Helper tool is $HELPER" logtext "Helper tool is $HELPER"
if [ -f ${INCLUDEDIR}/helper_${HELPER} ]; then if [ -f ${INCLUDEDIR}/helper_${HELPER} ]; then
SafePerms ${INCLUDEDIR}/helper_${HELPER} SafePerms ${INCLUDEDIR}/helper_${HELPER}
logtext "Running helper tool ${HELPER} with params: ${HELPER_PARAMS}" logtext "Running helper tool ${HELPER} with params: ${HELPER_PARAMS}"
InsertPluginSection "Helper: ${HELPER}"
. ${INCLUDEDIR}/helper_${HELPER} ${HELPER_PARAMS} . ${INCLUDEDIR}/helper_${HELPER} ${HELPER_PARAMS}
else else
echo "Error, could not find helper" echo "Error, could not find helper"
lynis.8
@ -1,4 +1,4 @@
.TH Lynis 8 "30 January 2015" "1.17" "Unix System Administrator's Manual" .TH Lynis 8 "30 April 2015" "1.18" "Unix System Administrator's Manual"
.SH "NAME" .SH "NAME"
@ -16,13 +16,13 @@ Lynis \fP\- Run an system and security audit on the system
.fi .fi
.SH "DESCRIPTION" .SH "DESCRIPTION"
\fBLynis\fP is an auditing tool for Unix (specialists). It checks the system \fBLynis\fP is a security auditing tool for Linux and Unix systems. It checks
and software configuration and logs all the found information into a log file the system and software configurations, to determine any improvements.
for debugging purposes, and in a report file suitable to create fancy looking All details are logged in a log file. Findings and other data is stored in a
auditing reports. report file, which can be used to create auditing reports.
\fBLynis\fP can be run as a cronjob, or from the command line. It needs to have \fBLynis\fP can be run as a cronjob, or from the command line. Lynis prefers
full access to the system, so running it as root (or with sudo rights) is root permissions (or sudo), so it can access all parts of the system, however it
required. not required (see pentest mode).
.PP .PP
The following system areas may be checked: The following system areas may be checked:
.IP .IP
@ -30,7 +30,7 @@ The following system areas may be checked:
.IP .IP
\- Configuration files \- Configuration files
.IP .IP
\- Common files by software packages \- Files part of software packages
.IP .IP
\- Directories and files related to logging and auditing \- Directories and files related to logging and auditing
.SH "OPTIONS" .SH "OPTIONS"
@ -39,7 +39,6 @@ The following system areas may be checked:
.B \-\-auditor <full name> .B \-\-auditor <full name>
Define the name of the auditor/pen-tester. When a full name is used, add double Define the name of the auditor/pen-tester. When a full name is used, add double
quotes, like "Your Name". quotes, like "Your Name".
.TP .TP
.B \-\-checkall (or \-c) .B \-\-checkall (or \-c)
\fBLynis\fP performs a full check of the system, printing out the results of \fBLynis\fP performs a full check of the system, printing out the results of
@ -48,9 +47,6 @@ each test to stdout. Additional information will be saved into a log file
.IP .IP
In case the outcome of a scan needs to be automated, use the report file. In case the outcome of a scan needs to be automated, use the report file.
.TP .TP
.B \-\-check\-update (or \-\-info)
Show program, database and update information.
.TP
.B \-\-cronjob .B \-\-cronjob
Perform automatic scan with cron safe options (no colors, no questions, no Perform automatic scan with cron safe options (no colors, no questions, no
breaks). breaks).
@ -115,14 +111,33 @@ with others. When running Lynis without any parameters, help will be shown and
the program will exit. the program will exit.
.RE .RE
.PP .PP
.SH "HELPERS"
Lynis has special helpers to do certain tasks. This way the framework of Lynis is
used, while at the same time storing most of the functionality in a separated
file. This speeds up execution and keeps the code clean.
.TP
.B audit
Run audit on the system or on other targets
.TP
.B update
Run updater utility
.TP
To use a helper, run Lynis followed by the helper name
.RE
.PP
.SH "BUGS" .SH "BUGS"
Discovered a bug? Please report them via e-mail (lynis-dev@cisofy.com) or via GitHub: https://github.com/CISOfy/Lynis Discovered a bug? Please report them via GitHub: https://github.com/CISOfy/lynis
.RE
.PP
.SH "Documentation"
Supporting documentation can be found via https://cisofy.com/documentation/lynis/
.RE .RE
.PP .PP
.SH "LICENSING" .SH "LICENSING"
Lynis is licensed with the GPL v3 license and under development by CISOfy and Michael Boelen. Plugins have their own license. Lynis is licensed as GPL v3, written by Michael Boelen and supported by CISOfy. Plugins may have their own license.
.RE .RE
.PP .PP
.SH "CONTACT INFORMATION" .SH "CONTACT INFORMATION"
Support and project related questions are addressed via https://cisofy.com/support/. Support requests and project related questions can be addressed via e-mail: lynis-dev@cisofy.com.
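Review bot: in the new HELPERS section the line "To use a helper, run Lynis followed by the helper name" is preceded by `.TP`, which expects a tag line and will render this sentence as a hanging tag with no body; use `.PP` there. Also "in a separated file" should be "in a separate file", and the title of the new documentation section should follow the others' casing (`.SH "DOCUMENTATION"`).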