Merge pull request #2 from CISOfy/master

Update from official repo.
Roland Smith 2015-06-07 15:25:07 +02:00
commit 4ae085ab87
26 changed files with 923 additions and 275 deletions

View File

@ -308,6 +308,38 @@ permdir:/root/.ssh:rwx------:root:-:WARN:
#config:custom_url_prepend:https://your-domain.example.org/control-info/:
#config:custom_url_append:/:
#################################################################################
#
# Automatic Updating
# -------------------
#
# These settings are required when using the lynis update functionality.
# By specifying local paths and your update server, the tool can do an update
# check, compare versions and download a new version.
#
#################################################################################
# Local directory (without slash at end) where lynis directory will be installed
# Note: do not add full path to lynis, as subdirectory is part of tarball
#config:update_local_directory:/usr/local:
# Full path to local file. Change local path if Lynis is installed on a different place
#config:update_local_version_info:/usr/local/lynis/client-version:
# Download information
# -----------------------------
# Protocol to use: http, https
#config:update_server_protocol:http:
# Address of update server
#config:update_server_address:192.168.1.125:
# Path to last stable release
#config:update_latest_version_download:/files/lynis-latest.tar.gz:
# Last part of URL (file to gather)
#config:update_latest_version_info:/files/lynis-latest-version:
#################################################################################
#
# Lynis Enterprise
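Review bot: the example values under "Download information" default update_server_protocol to plain http and update_server_address to a bare IP; since the helper_update script in this same patch unpacks the fetched tarball as root with no checksum or signature check, the example should show https and the comment should state that the update server has to be trusted (or mark the protocol line as an example to change rather than a value to copy).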

View File

@ -3,6 +3,8 @@
# Lynis spec file
# -----------------
#
# This file helps to create your custom RPM package of Lynis.
#
# Usage:
# - Adjust version number (Version:)
# - Check if you have the directories in your home directory (or adjust topdir)
@ -12,9 +14,9 @@
#
#################################################################################
#
# (c) 2014 Michael Boelen
# Copyright 2015 CISOfy
#
# Website: http://cisofy.com/
# Documentation: https://cisofy.com/documentation/lynis/upgrading/
#
#################################################################################
@ -27,30 +29,32 @@
Summary: Security and system auditing tool.
Name: lynis
Version: 1.6.2
Version: 2.1.1
Release: 1
License: GPL
Group: Applications/System
Source: lynis-%{version}.tar.gz
BuildRoot: /tmp/lynis-root
URL: http://cisofy.com/
Vendor: CISOfy / Michael Boelen
Packager: Michael Boelen <michael@rootkit.nl>
URL: https://cisofy.com/
Vendor: CISOfy
Packager: Michael Boelen <michael.boelen@cisofy.com>
BuildArch: noarch
%description
Lynis is a security tool to audit and harden Unix/Linux based systems. It scans a
system and provides the user with suggestion and warnings regarding taken security
measures. Examples include:
- Security enhancements
- Logging and auditing options
- Banner identification
- Software availability
- Missing security patches
Lynis is an security auditing and hardening tool for Unix derivatives like Linux, BSD
and Solaris. It performs an in-depth security scan on the system to detect software
and security issues. Besides information related to security, it will also scan for
general system information, installed packages, and possible
configuration issues.
This software is aimed at assisting with automated auditing, configuration management,
software patch management, penetration testing, vulnerability management, and malware
scanning of Unix-based systems.
Lynis is released as a GPLv3 licensed project and free for everyone to use.
Commercial support and extensions are available.
See http://cisofy.com for a full description and documentation.
See https://cisofy.com for a full description and documentation.
%prep
[ "$RPM_BUILD_ROOT" != "/" ] && rm -rf "$RPM_BUILD_ROOT"
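Review bot: in the new %description text, "Lynis is an security auditing and hardening tool" should read "a security auditing and hardening tool". The unchanged Summary line above it ends with a period, which rpmlint reports as summary-ended-with-dot; worth fixing while the description is being rewritten.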
@ -84,11 +88,6 @@ install plugins/* ${RPM_BUILD_ROOT}%{_pluginsdir}
install -d ${RPM_BUILD_ROOT}%{_dbdir}
install db/* ${RPM_BUILD_ROOT}%{_dbdir}
# Patch default paths (not required for 1.1.2+)
#sed -i -e 's#INCLUDEDIR="include"#INCLUDEDIR="%{_includedir}"#g' ${RPM_BUILD_ROOT}/usr/bin/lynis
#sed -i -e 's#PROFILE="default.prf"#PROFILE="/etc/lynis/default.prf"#g' ${RPM_BUILD_ROOT}/usr/bin/lynis
%clean
[ "$RPM_BUILD_ROOT" != "/" ] && rm -rf "$RPM_BUILD_ROOT"
@ -111,6 +110,9 @@ install db/* ${RPM_BUILD_ROOT}%{_dbdir}
#%attr(644, root, root) %{_plugindir}/*
%changelog
* Wed May 13 2015 Michael Boelen - 1.1.9-1
- Changed website address, version bump
* Sun Sep 14 2014 Michael Boelen - 1.1.8-1
- Changed permissions with regards of pentest option
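Review bot: the top %changelog entry is labelled `1.1.9-1` while `Version:` is bumped to `2.1.1` earlier in this patch, so the changelog and the package version disagree (rpmlint flags this as incoherent-version-in-changelog); either add a `2.1.1-1` entry for this change or document the separate spec-file numbering in the header comment.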

View File

@ -78,7 +78,6 @@
N=`expr ${N} + 1`
BINARY="${SCANDIR}/${I}"
DISCOVERED_BINARIES="${DISCOVERED_BINARIES}${BINARY} "
logtext "Binary: ${BINARY}"
# Optimized, much quicker (limited file access needed)
case ${I} in
aa-status) APPARMORFOUND=1; AASTATUSBINARY=${BINARY}; logtext " Found known binary: aa-status (apparmor component) - ${BINARY}" ;;
@ -91,6 +90,9 @@
as) ASFOUND=1; ASBINARY="${BINARY}"; COMPILER_INSTALLED=1; logtext " Found known binary: as (compiler) - ${BINARY}" ;;
auditctl) AUDITCTLFOUND=1; AUDITCTLBINARY="${BINARY}"; logtext " Found known binary: auditctl (control utility for audit daemon) - ${BINARY}" ;;
autolog) AUTOLOGFOUND=1; AUTOLOGBINARY="${BINARY}"; IDLE_SESSION_KILLER_INSTALLED=1; logtext " Found known binary: autolog (idle session killer) - ${BINARY}" ;;
debsecan) DEBSECANBINARY="${BINARY}"; logtext " Found known binary: debsecan (package vulnerability checking) - ${BINARY}" ;;
debsums) DEBSUMSBINARY="${BINARY}"; logtext " Found known binary: debsums (package integrity checking) - ${BINARY}" ;;
docker) DOCKERBINARY="${BINARY}"; logtext " Found known binary: docker (container technology) - ${BINARY}" ;;
chkconfig) CHKCONFIGFOUND=1; CHKCONFIGBINARY=${BINARY}; logtext " Found known binary: chkconfig (administration tool) - ${BINARY}" ;;
clamscan) CLAMSCANFOUND=1; CLAMSCANBINARY=${BINARY}; logtext " Found known binary: clamscan (AV scanner) - ${BINARY}" ;;
cfagent) CFAGENTFOUND=1; CFAGENTBINARY="${BINARY}"; FILE_INT_TOOL_FOUND=1; logtext " Found known binary: cfengine agent (configuration tool) - ${BINARY}" ;;
@ -145,7 +147,7 @@
openssl) OPENSSLFOUND=1; OPENSSLBINARY="${BINARY}"; OPENSSLVERSION=`${BINARY} version 2> /dev/null | head -n 1 | awk '{ print $2 }' | xargs`; logtext "Found ${BINARY} (version ${OPENSSLVERSION})" ;;
pacman) PACMANFOUND=1; PACMANBINARY="${BINARY}"; logtext " Found known binary: pacman (package manager) - ${BINARY}" ;;
perl) PERLFOUND=1; PERLBINARY="${BINARY}"; PERLVERSION=`${BINARY} -V:version | sed 's/^version=//' | sed 's/;//' | xargs`; logtext "Found ${BINARY} (version ${PERLVERSION})" ;;
php) PHPFOUND=1; PHPBINARY="${BINARY}"; PHPVERSION=`${BINARY} -v | awk '{ if ($1=="PHP") { print $2 }}' | head -1`; logtext "Found known binary: php (programming language) - ${BINARY} (version ${PHPVERSION})" ;;
php) PHPFOUND=1; PHPBINARY="${BINARY}"; PHPVERSION=`${BINARY} -v | awk '{ if ($1=="PHP") { print $2 }}' | head -1`; logtext "Found known binary: php (programming language intrepreter) - ${BINARY} (version ${PHPVERSION})" ;;
pkg_admin) PKGADMINBINARY="${BINARY}"; logtext " Found known binary: pkg_admin (software package administration) - ${BINARY}" ;;
postconf) POSTCONFFOUND=1; POSTCONFBINARY="${BINARY}"; logtext " Found known binary: postconf (postfix configuration) - ${BINARY}" ;;
postfix) POSTFIXFOUND=1; POSTFIXBINARY="${BINARY}"; logtext " Found known binary: postfix (postfix binary) - ${BINARY}" ;;
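Review bot: the rewritten `php)` line introduces a typo in the log text, "programming language intrepreter"; it should be "interpreter".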
@ -154,6 +156,7 @@
ps) PSFOUND=1; PSBINARY="${BINARY}"; logtext " Found known binary: ps (process listing) - ${BINARY}" ;;
puppet) PUPPETFOUND=1; PUPPETBINARY="${BINARY}"; logtext " Found known binary: puppet (automation tooling) - ${BINARY}" ;;
puppetmasterd) PUPPETMASTERDFOUND=1; PUPPETMASTERDBINARY="${BINARY}"; logtext " Found known binary: puppetmasterd (puppet master daemon) - ${BINARY}" ;;
python) PYTHONBINARY="${BINARY}"; logtext " Found known binary: python (programming language intepreter) - ${BINARY}" ;;
readlink) READLINKFOUND=1; READLINKBINARY="${BINARY}"; logtext " Found known binary: readlink (follows symlinks) - ${BINARY}" ;;
rkhunter) RKHUNTERFOUND=1; RKHUNTERBINARY="${BINARY}"; MALWARE_SCANNER_INSTALLED=1; logtext " Found known binary: rkhunter (malware scanner) - ${BINARY}" ;;
rootsh) ROOTSHFOUND=1; ROOTSHBINARY="${BINARY}"; logtext " Found known binary: rootsh (wrapper for shells) - ${BINARY}" ;;
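Review bot: the new `python)` entry has the same kind of typo, "programming language intepreter"; it should be "interpreter". Unlike most neighbours it sets no PYTHONFOUND flag, which is fine as long as callers test `${PYTHONBINARY}` for emptiness, as the Docker tests do for DOCKERBINARY.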

View File

@ -77,6 +77,7 @@ unset LANG
CONTROL_URL_PREPEND=""
CUSTOM_URL_APPEND=""
CUSTOM_URL_PREPEND=""
DOCKER_DAEMON_RUNNING=0
FILEVALUE=""
FIND=""
FIREWALL_ACTIVE=0
@ -129,6 +130,7 @@ unset LANG
SCAN_TEST_HEAVY=""; SCAN_TEST_MEDIUM=""; SCAN_TEST_LOW=""
SESTATUSBINARY=""
SERVICE_MANAGER=""
SHOW_PROGRAM_DETAILS=1
SHOW_REPORT=1
SKIPPED_TESTS_ROOTONLY=""
SSHKEYSCANBINARY=""
@ -141,6 +143,7 @@ unset LANG
UPLOAD_OPTIONS=""
UPDATE_CHECK_SKIPPED=0
VALUE=""
VMTYPE=""
#
#################################################################################
#
@ -166,7 +169,6 @@ unset LANG
TOTAL_TESTS=0 # Total amount of tests (counter)
UPLOAD_DATA=0 # Upload of data to central node
VIEWHELP=0 # Show help
VIEWUPDATEINFO=0 # View program/database version
WRONGOPTION=0 # A wrong option is used
#
#################################################################################

View File

@ -5,7 +5,7 @@
# Lynis
# ------------------
#
# Copyright 2007-2015 - Michael Boelen, CISOfy (michael.boelen@cisofy.com)
# Copyright 2007-2015, Michael Boelen - CISOfy
# https://cisofy.com
#
# This software is licensed under GPL, version 3. See LICENSE file for
@ -20,14 +20,15 @@
# Function Description
# ----------------------- -------------------------------------------------
# AddHP Add Hardening points to plot a graph later
# AddSystemGroup Adds a system to a group
# CheckFilePermissions Check file permissions
# CheckUpdates Determine if a new version of Lynis is available
# counttests Count number of performed tests
# Debug Display additional information on the screen (not suited for cronjob)
# DirectoryExists Check if a directory exists on the disk
# Display Output text to screen with colors and identation
# ExitClean Stop the program (cleanly)
# ExitFatal Stop the program (cleanly), with fatal
# ExitClean Stop the program (cleanly), with exit code 0
# ExitFatal Stop the program (cleanly), with exit code 1
# FileExists Check if a file exists on the disk
# FileIsEmpty Check if a file is empty
# FileIsReadable Check if a file is readable or directory accessible
@ -50,6 +51,7 @@
# ShowSymlinkPath Show a path behind a symlink
# ViewCategories Display tests categories
# logtext Log text strings to logfile, prefixed with date/time
# report Add string of data to report file
#
#################################################################################
@ -62,6 +64,19 @@
logtext "Hardening: assigned ${HPADD} hardening points (max for this item: ${HPADDMAX}), current: ${HPPOINTS}, total: ${HPTOTAL}"
}
################################################################################
# Name : AddSystemGroup
# Description : Adds a system to a group, which can be used for categorizing
# Returns : <nothing>
################################################################################
AddSystemGroup()
{
report "system_group[]=$1"
}
# Check file permissions
# Parameter 1 is file/dir
# Result: FILE_NOT_FOUND | OK | BAD
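Review bot: AddSystemGroup writes `system_group[]=$1` to the report without checking that an argument was supplied, so a call with no argument emits an empty group entry; add a `[ "$1" = "" ]` guard that logs and returns, and mention the expected parameter in the header comment the way the other function headers here do.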
@ -637,7 +652,7 @@
docker) ISVIRTUALMACHINE=1; VMTYPE="docker"; VMFULLTYPE="Docker container" ;;
kvm) ISVIRTUALMACHINE=1; VMTYPE="kvm"; VMFULLTYPE="KVM" ;;
lxc) ISVIRTUALMACHINE=1; VMTYPE="lxc"; VMFULLTYPE="Linux Containers" ;;
lxc-libvirt) ISVIRTUALMACHINE=1; VMTYPE="lxc-libvirt"; VMFULLTYPE="libvirt LXC driver (Linux Containers" ;;
lxc-libvirt) ISVIRTUALMACHINE=1; VMTYPE="lxc-libvirt"; VMFULLTYPE="libvirt LXC driver (Linux Containers)" ;;
microsoft) ISVIRTUALMACHINE=1; VMTYPE="microsoft"; VMFULLTYPE="Microsoft Virtual PC" ;;
openvz) ISVIRTUALMACHINE=1; VMTYPE="openvz"; VMFULLTYPE="OpenVZ" ;;
oracle|virtualbox) ISVIRTUALMACHINE=1; VMTYPE="virtualbox"; VMFULLTYPE="Oracle VM VirtualBox" ;;
@ -778,6 +793,8 @@
NGINX_ACCESS_LOG_DISABLED=1
else
if [ ! "${VALUE}" = "" ]; then
# If multiple values follow, select first one
VALUE=`echo ${VALUE} | awk '{ print $1 }'`
if [ ! -f ${VALUE} ]; then
logtext "Result: could not find referenced log file ${VALUE} in nginx configuration"
NGINX_ACCESS_LOG_MISSING=1
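Review bot: taking only the first word of the directive (`awk '{ print $1 }'`) is right for `access_log path format`, but the following `[ ! -f ${VALUE} ]` then treats any value that is not a plain file path as a missing log file; nginx also accepts `syslog:` targets and variables in the path, and those would be flagged NGINX_ACCESS_LOG_MISSING. Skip the existence check (and log the raw value) when the value does not start with `/`, and quote `"${VALUE}"` in the test.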
@ -1283,6 +1300,7 @@
SYMLINK_USE_READLINK=1
logtext "Note: Using real readlink binary to determine symlinks"
tFILE=`${READLINKBINARY} -f ${sFILE}`
logtext "Result: readlink shows ${tFILE} as output"
fi
fi
# Check if we can find the file now
@ -1292,6 +1310,14 @@
sFILE="${tFILE}"
logtext "Result: symlink found, pointing to file ${sFILE}"
FOUNDPATH=1
elif [ -b ${tFILE} ]; then
sFILE="${tFILE}"
logtext "Result: symlink found, pointing to block device ${sFILE}"
FOUNDPATH=1
elif [ -c ${tFILE} ]; then
sFILE="${tFILE}"
logtext "Result: symlink found, pointing to character device ${sFILE}"
FOUNDPATH=1
elif [ -d ${tFILE} ]; then
sFILE="${tFILE}"
logtext "Result: symlink found, pointing to directory ${sFILE}"

View File

@ -4,7 +4,6 @@ if [ $# -eq 0 ]; then
Display --indent 2 --text "${RED}Error: ${WHITE}Provide URL or file${NORMAL}"
Display --text " "; Display --text " "
ExitFatal
else
FILE=`echo $1 | egrep "^http|https"`
@ -18,7 +17,7 @@ if [ $# -eq 0 ]; then
if [ -f ${TMP_FILE} ]; then
rm -f ${TMP_FILE}
fi
Dislpay --indent 2 --text "${RED}Error: ${WHITE}can not download file${NORMAL}"
Display --indent 2 --text "${RED}Error: ${WHITE}can not download file${NORMAL}"
ExitFatal
fi
else

include/helper_update (new normal file, 266 lines)
View File

@ -0,0 +1,266 @@
#!/bin/sh
######################################################################
#
# Helper program to support automatic updates of Lynis
#
######################################################################
#
# Options:
# ---------
# 1) lynis update info - Show version information (external)
# 2) lynis update release - Check and install new release (internal)
#
# How to use:
# ------------
# Run option 1 to know about current and latest release information.
# Run option 2 to query internal server for possible upgrade of Lynis.
#
# Steps for updating to new release:
# 1) Run Lynis with: lynis update release
# 2) Lynis will use this helper and check the profile
# 3) The configured web server will be queried (lynis-latest-version)
# 4) The contents of this file will be compared with a local file
# 5) If there is a difference, download package
# 6) Check paths and extract files
# 7) Quit program
#
# Suggested documentation if you want to use this functionality:
# https://cisofy.com/documentation/lynis/upgrading/
#
######################################################################
LOCAL_VERSION="-"
SERVER_VERSION=""
PERFORM_UPGRADE=0
WGET_EXISTS=`which wget 2> /dev/null`
CURL_EXISTS=`which curl 2> /dev/null`
FETCH_EXISTS=`which fetch 2> /dev/null`
# Update version
if [ "$1" = "release" ]; then
if [ "${UPDATE_SERVER_PROTOCOL}" = "" ] ; then
Display --indent 2 --text "Error: Unknown protocol, please specify (http, https) in profile (update_server_protocol)"
ExitFatal
fi
if [ "${UPDATE_SERVER_ADDRESS}" = "" ] ; then
Display --indent 2 --text "Error: Unknown download address, please specify in profile (update_server_address)"
ExitFatal
fi
if [ "${UPDATE_LATEST_VERSION_DOWNLOAD}" = "" ] ; then
Display --indent 2 --text "Error: No URL to latest download has been specifiedrsion on the server, please specify in profile (update_latest_version_download)"
ExitFatal
fi
if [ "${UPDATE_LATEST_VERSION_INFO}" = "" ] ; then
Display --indent 2 --text "Error: No URL has been specified to know the latest version on the server, please specify in profile (update_latest_version_info)"
ExitFatal
fi
if [ "${UPDATE_LOCAL_DIRECTORY}" = "" ] ; then
Display --indent 2 --text "Error: No local directory has been specified to store Lynis files. Please specify in profile (update_local_directory)"
ExitFatal
else
if [ ! -d ${UPDATE_LOCAL_DIRECTORY} ]; then
Display --indent 2 --text "Error: Directory ${UPDATE_LOCAL_DIRECTORY} does not exist"
ExitFatal
fi
fi
if [ "${UPDATE_LOCAL_VERSION_INFO}" = "" ] ; then
Display --indent 2 --text "Error: No data file has been specified to determine local Lynis version, please specify in profile (update_local_version_info)"
ExitFatal
fi
if [ ! -f ${UPDATE_LOCAL_VERSION_INFO} ]; then
Display --indent 2 --text "Note: local data file ${UPDATE_LOCAL_VERSION_INFO} does not exist. It will be created after updating. (update_local_version_info)"
else
LOCAL_VERSION=`cat ${UPDATE_LOCAL_VERSION_INFO}`
fi
# Normal update
FULLPATH="${UPDATE_SERVER_PROTOCOL}://${UPDATE_SERVER_ADDRESS}${UPDATE_LATEST_VERSION_INFO}"
TMP_FILE=`mktemp /tmp/audit.XXXXXXXXXX`
if [ "${TMP_FILE}" = "" ]; then
Display --indent 2 --text "Could not create a temporary file in /tmp with mktemp. Aborting.."
ExitFatal
fi
Display --indent 2 --text "${CYAN}[Phase 1] Downloading details${NORMAL}"
if [ ! "${WGET_EXISTS}" = "" ]; then
logtext "Using wget to download release information"
LAST_COMMAND_HELP="wget --output-document ${TMP_FILE} ${FULLPATH}"
wget --output-document ${TMP_FILE} ${FULLPATH} 2> /dev/null
EXIT_CODE=$?
elif [ ! "${CURL_EXISTS}" = "" ]; then
logtext "Using curl to download release information"
LAST_COMMAND_HELP="curl --fail -o ${TMP_FILE} ${FULLPATH}"
curl --fail -o ${TMP_FILE} ${FULLPATH} 2> /dev/null
EXIT_CODE=$?
else
Display --indent 2 --text "No download tool available to perform download"
ExitFatal
fi
if [ ! "${TMP_FILE}" = "" ]; then
if [ -f ${TMP_FILE} ]; then
SERVER_VERSION=`cat ${TMP_FILE}`
rm -f ${TMP_FILE}
fi
else
Display --indent 2 --text "Temporary file variable is empty, which is unexpected. Aborting.."
ExitFatal
fi
# Determine if downloading meta data was successful
if [ ${EXIT_CODE} -eq 0 ]; then
if [ "${SERVER_VERSION}" = "" ]; then
Display --indent 2 --text "No version found on the server. Aborting.."
ExitFatal
else
Display --indent 2 --text "Version found on server: ${SERVER_VERSION}"
Display --indent 2 --text "Local version found: ${LOCAL_VERSION}"
fi
else
Display --indent 2 --text "${RED}Error: ${WHITE}Download utility returned an unexpected error code.${NORMAL} Aborting.."
Display --indent 2 --text "Error code: ${EXIT_CODE}"
Display --indent 2 --text "Suggested command: ${LAST_COMMAND_HELP}"
ExitFatal
fi
#==========================================================================================================================================
Display --indent 2 --text " "
Display --indent 2 --text "${CYAN}[Phase 2] Compare results${NORMAL}"
if [ ! "${LOCAL_VERSION}" = "${SERVER_VERSION}" ]; then
Display --indent 2 --text "Different version available, moving to upgrade phase"
PERFORM_UPGRADE=1
else
Display --indent 2 --text "${GREEN}No upgrade needed${NORMAL}"
fi
# Go to phase 3 if upgrade is needed
if [ ${PERFORM_UPGRADE} -eq 1 ]; then
FULLPATH="${UPDATE_SERVER_PROTOCOL}://${UPDATE_SERVER_ADDRESS}${UPDATE_LATEST_VERSION_DOWNLOAD}"
Display --indent 2 --text " "
Display --indent 2 --text "[Phase 3] Downloading latest release"
Display --indent 2 --text "Download location: ${FULLPATH}"
if [ ! "${WGET_EXISTS}" = "" ]; then
logtext "Using wget to download latest release"
LAST_COMMAND_HELP="wget --output-document ${TMP_FILE} ${FULLPATH}"
wget --output-document ${TMP_FILE} ${FULLPATH} 2> /dev/null
EXIT_CODE=$?
elif [ ! "${CURL_EXISTS}" = "" ]; then
logtext "Using curl to download latest release"
LAST_COMMAND_HELP="curl --fail -o ${TMP_FILE} ${FULLPATH}"
curl --fail -o ${TMP_FILE} ${FULLPATH} 2> /dev/null
EXIT_CODE=$?
fi
if [ ${EXIT_CODE} -eq 0 ]; then
if [ -f ${TMP_FILE} ]; then
Display --indent 2 --text "Download successful"
# Extract the file to the related path, with 'lynis' appended
# Note: by default the tarball includes 'lynis' as directory
if [ ! -d ${UPDATE_LOCAL_DIRECTORY} ]; then
Display --indent 2 --text "Error: directory ${UPDATE_LOCAL_DIRECTORY} does not exist"
ExitFatal
fi
Display --indent 2 --text "Extracting latest version to path ${UPDATE_LOCAL_DIRECTORY}"
if [ ! -d ${UPDATE_LOCAL_DIRECTORY}/lynis ]; then
Display --indent 2 --text "Creating 'lynis' directory in ${UPDATE_LOCAL_DIRECTORY}"
mkdir ${UPDATE_LOCAL_DIRECTORY}/lynis
if [ $? -gt 0 ]; then
Display --indent 2 --text "Error: could not create directory ${UPDATE_LOCAL_DIRECTORY}/lynis"
ExitFatal
fi
fi
if [ -d ${UPDATE_LOCAL_DIRECTORY}/lynis ]; then
Display --indent 2 --text "Extracting files to ${UPDATE_LOCAL_DIRECTORY}"
tar xzf ${TMP_FILE} -C ${UPDATE_LOCAL_DIRECTORY}
if [ $? -eq 0 ]; then
# Check if we can find the Lynis binary (in the created 'lynis' directory)
if [ -f ${UPDATE_LOCAL_DIRECTORY}/lynis/lynis ]; then
# If version was downloaded, update local version
echo ${SERVER_VERSION} > ${UPDATE_LOCAL_VERSION_INFO}
else
Display --indent 2 --text "Error: could not find downloaded file on disk"
fi
else
Display --indent 2 --text "Error: File extraction failed"
ExitFatal
fi
else
Display --indent 2 --text "Error: could not find lynis directory"
fi
else
Display --indent 2 --text "Error: could not find downloaded file on disk"
ExitFatal
fi
else
Display --indent 2 --text "Error: could not download latest release"
Display --indent 2 --text "Suggestion: ${LAST_COMMAND_HELP}"
ExitFatal
fi
fi
# Removing temp file
logtext "Action: Removing temporary file ${TMP_FILE}"
if [ "${TMP_FILE}" = "" ]; then
if [ -f ${TMP_FILE} ]; then
rm -f ${TMP_FILE}
fi
fi
Display --indent 2 --text " "
Display --indent 2 --text "Done"
Display --indent 2 --text " "
ExitClean
# Update check
elif [ "$1" = "info" ]; then
# CV - Current Version
PROGRAM_AC=`echo ${PROGRAM_version} | awk '{ print $1 }' | sed 's/[.]//g'`
PROGRAM_LV=0
CheckUpdates
# Reset everything if we can't determine our current version or the latest
# available version (due lack of internet connectivity for example)
if [ "${PROGRAM_AC}" = "" -o "${PROGRAM_LV}" = "" ]; then
# Set both to safe values
PROGRAM_AC=0; PROGRAM_LV=0
fi
echo ""; echo " == ${WHITE}${PROGRAM_name}${NORMAL} =="
echo ""
echo " Version : ${PROGRAM_version}"
echo -n " Status : "
if [ ${PROGRAM_LV} -eq 0 ]; then
echo "${RED}Unknown${NORMAL}";
elif [ ${PROGRAM_LV} -gt ${PROGRAM_AC} ]; then
echo "${YELLOW}Outdated${NORMAL}";
echo " Current version : ${PROGRAM_AC}"
echo " Latest version : ${PROGRAM_LV}"
else
echo "${GREEN}Up-to-date${NORMAL}"
fi
echo " Release date : ${PROGRAM_releasedate}"
echo " Update location : ${PROGRAM_website}"
echo ""; echo ""
echo "${PROGRAM_copyright}"
echo ""
# Quit program
ExitClean
else
Display --indent 2 --text "${RED}Error: ${WHITE}Unknown parameter $1.${NORMAL} Aborting.."
ExitFatal
fi
# The End
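Review bot: the temp-file cleanup at the end of the `release` branch has its condition inverted: `if [ "${TMP_FILE}" = "" ]; then if [ -f ${TMP_FILE} ]` only attempts the removal when the variable is empty, so the downloaded tarball is left behind in /tmp every run; it should read `if [ ! "${TMP_FILE}" = "" ]`. In the same branch the tarball is fetched (over plain http with the shipped default.prf example) and unpacked into ${UPDATE_LOCAL_DIRECTORY} with `tar xzf` without any checksum or signature verification, so a spoofed or compromised update server replaces the auditor's own code as root; at minimum fetch a published hash alongside the version file, compare it before extraction and fail closed. The error text for update_latest_version_download reads "has been specifiedrsion on the server" and needs fixing. In the `info` branch, PROGRAM_AC strips the dots from the version (`sed 's/[.]//g'`) and compares numerically, so 2.1.10 becomes 2110 and 2.2.0 becomes 220, making 2.1.10 look newer than 2.2.0; compare version components instead.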

View File

@ -23,6 +23,7 @@
PARAMCOUNT=$#
while [ $# -ge 1 ]; do
case $1 in
# Helpers first
audit)
CHECK_BINARIES=0
RUN_HELPERS=1
@ -63,6 +64,28 @@
#break
;;
# Helpers first
update)
CHECK_BINARIES=0
RUN_HELPERS=1
HELPER="update"
RUN_PLUGINS=0
RUN_TESTS=0
SHOW_PROGRAM_DETAILS=0
if [ ! $2 = "" ]; then
shift
HELPER_PARAMS="$1 $2"
break
else
Display --text "${RED}Error: ${WHITE}Need a target for update${NORMAL}"
Display --text " "
Display --text "Examples:"
Display --text "lynis update info"
Display --text "lynis update release"
ExitFatal
fi
;;
# Assign auditor to report
--auditor)
shift
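Review bot: in the new `update)` branch `if [ ! $2 = "" ]` leaves $2 unquoted, so with no target it only reaches the error branch because `test` happens to treat the three remaining arguments (`!`, `=`, `""`) as a comparison; quote it (`[ ! "$2" = "" ]` or `[ -n "$2" ]`) so the intent is explicit and it does not misbehave when $2 contains spaces or begins with a dash. After the `shift`, `HELPER_PARAMS="$1 $2"` also carries whatever follows the target as a second word, which helper_update never reads; `"$1"` alone is enough.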
@ -102,7 +125,9 @@
# View program/database information
--check-update | --check-updates | --info)
VIEWUPDATEINFO=1
echo "This option is deprecated"
echo "Use: lynis update info"
ExitClean
;;
# License key for Lynis Enterprise
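Review bot: this branch still sets VIEWUPDATEINFO=1 although the patch deletes the variable's initialization (`VIEWUPDATEINFO=0 # View program/database version`) from the variable block, and the branch exits via ExitClean right after printing, so the assignment is dead; drop it. The deprecation message would also read better through Display, as the other messages in this case statement are, instead of bare echo.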

View File

@ -147,6 +147,36 @@
if [ "${VALUE}" = "full" ]; then SCAN_TEST_LIGHT="YES"; SCAN_TEST_MEDIUM="YES"; SCAN_TEST_HEAVY="YES"; fi
;;
# Server IP or hostname
update_server_address)
UPDATE_SERVER_ADDRESS="${VALUE}"
;;
# Protocol (http, https)
update_server_protocol)
UPDATE_SERVER_PROTOCOL="${VALUE}"
;;
# File path to tarball on server
update_latest_version_download)
UPDATE_LATEST_VERSION_DOWNLOAD="${VALUE}"
;;
# File path to information file
update_latest_version_info)
UPDATE_LATEST_VERSION_INFO="${VALUE}"
;;
# Local directory where lynis directory will be placed
update_local_directory)
UPDATE_LOCAL_DIRECTORY="${VALUE}"
;;
# Local file to maintain current version
update_local_version_info)
UPDATE_LOCAL_VERSION_INFO="${VALUE}"
;;
# Options during upload of data
upload_options)
UPLOAD_OPTIONS="${VALUE}"
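Review bot: the six new update_* keys store the profile value verbatim, and update_server_protocol is later interpolated into a URL (`${UPDATE_SERVER_PROTOCOL}://${UPDATE_SERVER_ADDRESS}...` in helper_update) with no validation; restrict it here to http or https and log an error for anything else. Likewise the default.prf comment says update_local_directory must have no trailing slash, but nothing enforces that; strip a trailing `/` here rather than relying on the comment.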

View File

@ -126,7 +126,9 @@
else
logtext "Result: auditd not active"
Display --indent 2 --text "- Checking auditd" --result "NOT FOUND" --color WHITE
if [ ! "${VMTYPE}" = "openvz" ]; then
ReportSuggestion ${TEST_NO} "Enable auditd to collect audit information"
fi
AUDITD_RUNNING=0
report "audit_daemon_running=0"
AddHP 0 1
@ -226,7 +228,7 @@
if [ -f /etc/ld.so.preload ]; then
logtext "Result: found /etc/ld.so.preload, testing if snoopy.so is listed"
FIND=`grep ${FILE} /etc/ld.so.preload`
if [ !"${FIND}" = "" ]; then
if [ ! "${FIND}" = "" ]; then
logtext "Result: found snoopy in ld.so.preload"
logtext "Output: ${FIND}"
Display --indent 6 --text "- Library in ld.so.preload" --result "LOADED" --color GREEN
@ -427,4 +429,4 @@ wait_for_keypress
#
#================================================================================
# Lynis - Copyright 2007-2015, Michael Boelen - http://cisofy.com - The Netherlands
# Lynis - Copyright 2007-2015, Michael Boelen / CISOfy - https://cisofy.com

View File

@ -1329,4 +1329,4 @@ wait_for_keypress
#
#================================================================================
# Lynis - Copyright 2007-2015 Michael Boelen, CISOfy - https://cisofy.com
# Lynis - Copyright 2007-2015, CISOfy - https://cisofy.com

View File

@ -23,7 +23,7 @@
#################################################################################
#
BANNER_FILES="/etc/issue /etc/issue.net /etc/motd"
LEGAL_BANNER_STRINGS="access authorized legal monitor owner policy policies private prohibited restricted this unauthorized"
LEGAL_BANNER_STRINGS="audit access authori intrusion law legal monitor owner policy policies private prohibited restricted subject terms this unauthorized"
#
#################################################################################
#
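Review bot: the added short tokens `law`, `terms`, `subject` and the prefix `authori` (next to the existing `this`) will match inside unrelated words if the strings are searched as case-insensitive substrings (for example "flaw"), so a banner can pass on accidental hits; consider word-boundary matching, or require a minimum number of distinct matches rather than any match.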

include/tests_containers (new normal file, 167 lines)
View File

@ -0,0 +1,167 @@
#!/bin/sh
#################################################################################
#
# Lynis
# ------------------
#
# Copyright 2007-2015, Michael Boelen (michael.boelen@cisofy.com)
# Web site: https://cisofy.com
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
# See LICENSE file for usage of this software.
#
#################################################################################
#
# Containers, Zones, Jails
#
#################################################################################
#
InsertSection "Containers"
#
#################################################################################
#
# Test : CONT-8004
# Description : Query running Solaris zones
if [ -x /usr/sbin/zoneadm ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no CONT-8004 --os Solaris --weight L --network NO --description "Query running Solaris zones"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: query zoneadm to list all running zones"
FIND=`/usr/sbin/zoneadm list -p | awk -F: '{ if ($2!="global") print $0 }'`
if [ ! "${FIND}" = "" ]; then
N=0
for I in ${FIND}; do
N=`expr ${N} + 1`
ZONEID=`echo ${I} | cut -d ':' -f1`
ZONENAME=`echo ${I} | cut -d ':' -f2`
logtext "Result: found zone ${ZONENAME} (running)"
report "solaris_running_zone[]=${ZONENAME} [id:${ZONEID}]"
done
logtext "Result: total of ${N} running zones"
Display --indent 2 --text "- Checking Solaris Zones" --result "FOUND ${N} zones" --color GREEN
else
logtext "Result: no running zones found"
Display --indent 2 --text "- Checking Solaris Zones" --result NONE --color WHITE
fi
fi
#
#################################################################################
#
# Test : CONT-1906
# Description : Query running Xen zones
#if [ -x /usr/bin/xm ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
#Register --test-no CONT-1906 --weight L --network NO --description "Query Xen guests"
#if [ ${SKIPTEST} -eq 0 ]; then
# Show Xen guests
#FIND=`xm list | awk '$1 != "Name|Domain-0" {print $1","$2}'`
#for I in ${FIND}; do
#XENGUESTNAME=`echo ${I} | cut -d ':' -f1`
#XENGUESTID=`echo ${I} | cut -d ':' -f2`
#logtext "Result: found Xen guest ${XENGUESTNAME} (ID: ${XENGUESTID})"
#done
#fi
#
#################################################################################
#
# Test : CONT-8102
# Description : Checking Docker daemon status and basic information for later tests
Register --test-no CONT-8102 --weight L --network NO --description "Checking Docker status and information"
if [ ${SKIPTEST} -eq 0 ]; then
IsRunning "docker -d"
if [ ${RUNNING} -eq 1 ]; then
logtext "Result: found Docker daemon running"
report "docker_daemon_running=1"
DOCKER_DAEMON_RUNNING=1
Display --indent 4 --text "- Docker"
Display --indent 6 --text "- Docker daemon" --result RUNNING --color GREEN
fi
fi
#
#################################################################################
#
# Test : CONT-8104
# Description : Checking Docker info for any warnings
# Notes : Hardening points are awarded, as usually warnings are the result of missing controls to restrict boundaries like memory
if [ ! "${DOCKERBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no CONT-8104 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking Docker info for any warnings"
if [ ${SKIPTEST} -eq 0 ]; then
COUNT=0
logtext "Test: Check for any warnings"
FIND=`${DOCKERBINARY} info 2>&1 | grep "^WARNING:" | cut -d " " -f 2- | sed 's/ /:space:/g'`
if [ ! "${FIND}" = "" ]; then
logtext "Result: found warning(s) in output"
for I in ${FIND}; do
J=`echo ${I} | sed 's/:space:/ /g'`
logtext "Output: ${J}"
COUNT=`expr ${COUNT} + 1`
done
Display --indent 8 --text "- Docker info output (warnings)" --result "${COUNT}" --color RED
ReportSuggestion "${TEST_NO}" "Run 'docker info' to see warnings applicable to Docker daemon"
AddHP 3 4
else
logtext "Result: no warnings found from 'docker info' output"
Display --indent 8 --text "- Docker info output (warnings)" --result "NONE" --color GREEN
AddHP 1 1
fi
fi
#
#################################################################################
#
# Test : CONT-8106
# Description : Checking Docker containers (basic stats)
# Notes : Hardening points are awarded, if there aren't a lot of stopped containers
if [ ! "${DOCKERBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no CONT-8106 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking Docker info for any warnings"
if [ ${SKIPTEST} -eq 0 ]; then
Display --indent 6 --text "- Containers"
# Check total of containers
logtext "Test: checking total amount of Docker containers"
DOCKER_CONTAINERS_TOTAL=`${DOCKERBINARY} info 2> /dev/null | grep "^Containers: " | awk '{ print $2 }'`
logtext "Result: docker info shows ${DOCKER_CONTAINERS_TOTAL} containers"
DOCKER_CONTAINERS_TOTAL2=`${DOCKERBINARY} ps -a 2> /dev/null | grep -v "CONTAINER" | wc -l`
logtext "Result: docker ps -a shows ${DOCKER_CONTAINERS_TOTAL2} containers"
if [ ! "${DOCKER_CONTAINERS_TOTAL}" = "${DOCKER_CONTAINERS_TOTAL2}" ]; then
logtext "Result: difference detected, which is unexpected"
ReportSuggestion "${TEST_NO}" "Test output of both 'docker ps -a' and 'docker info', to determine why they report a different amount of containers"
Display --indent 8 --text "- Total containers" --result "UNKNOWN" --color RED
else
Display --indent 8 --text "- Total containers" --result "${DOCKER_CONTAINERS_TOTAL}" --color WHITE
fi
# Check running instances
DOCKER_CONTAINERS_RUNNING=`${DOCKERBINARY} ps | grep -v "CONTAINER" | wc -l`
Display --indent 8 --text "- Running containers" --result "${DOCKER_CONTAINERS_RUNNING}" --color GREEN
if [ ${DOCKER_CONTAINERS_RUNNING} -gt 0 ]; then
logtext "Result: ${DOCKER_CONTAINERS_RUNNING} containers are currently active"
report "docker_containers_running=${DOCKER_CONTAINERS_RUNNING}"
else
logtext "Result: no active containers"
report "docker_containers_running=0"
fi
# Check if there aren't too many unused containers on the system
if [ ${DOCKER_CONTAINERS_TOTAL} -gt 0 ]; then
DOCKER_CONTAINERS_UNUSED=`expr ${DOCKER_CONTAINERS_TOTAL} - ${DOCKER_CONTAINERS_RUNNING}`
if [ ${DOCKER_CONTAINERS_UNUSED} -gt 10 ]; then
ReportSuggestion "${TEST_NO}" "More than 10 unused containers found on the system. Clean up old containers by using output of 'docker ps -a' command"
Display --indent 8 --text "- Unused containers" --result "${DOCKER_CONTAINERS_UNUSED}" --color RED
AddHP 0 2
else
logtext "Result: found ${DOCKER_CONTAINERS_UNUSED} unused containers"
Display --indent 8 --text "- Unused containers" --result "${DOCKER_CONTAINERS_UNUSED}" --color YELLOW
AddHP 1 1
fi
fi
fi
#
#################################################################################
#
wait_for_keypress
#
#================================================================================
# Lynis - Copyright 2007-2015, CISOfy - https://cisofy.com
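Review bot: the Register line for CONT-8106 reuses the CONT-8104 description ("Checking Docker info for any warnings") although the comment header two lines above says this test checks basic container stats; change it to "Checking Docker containers (basic stats)" so the report identifies the right test. Separately, `if [ ${DOCKER_CONTAINERS_RUNNING} -gt 0 ]` and `if [ ${DOCKER_CONTAINERS_TOTAL} -gt 0 ]` compare unquoted variables; when `docker info` or `docker ps` fails (daemon not running, caller lacks access to the socket) both are empty and test(1) aborts with "integer expression expected". Default them to 0 or guard with `[ ! "${DOCKER_CONTAINERS_TOTAL}" = "" ]` before the numeric comparison.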

View File

@ -14,6 +14,8 @@
#
#################################################################################
#
CSF_CONFIG="/etc/csf/csf.conf"
FILE_INT_TOOL=""
FILE_INT_TOOL_FOUND=0 # Boolean, file integrity tool found
#
#################################################################################
@ -30,11 +32,11 @@
logtext "Test: Checking AFICK binary"
if [ ! "${AFICKBINARY}" = "" ]; then
logtext "Result: AFICK is installed (${AFICKBINARY})"
FILE_INT_TOOL="afick"
FILE_INT_TOOL_FOUND=1
Display --indent 4 --text "- AFICK" --result FOUND --color GREEN
else
logtext "Result: AFICK is not installed"
Display --indent 4 --text "- AFICK" --result "NOT FOUND" --color WHITE
fi
fi
#
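Review bot: FILE_INT_TOOL is a plain scalar that each detection block overwrites (here "afick", then "aide", "osiris", "samhain", "tripwire", "ossec-syscheck", "mtree" and "csf-lfd" in the following hunks), so on a host with more than one tool only the last one detected reaches `report "file_integrity_tool=${FILE_INT_TOOL}"`. Either append with a separator (`FILE_INT_TOOL="${FILE_INT_TOOL} afick"`) or emit one `file_integrity_tool[]=` line per tool, the array style the swap hunk below uses for `swap_partition[]=`.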
@ -47,11 +49,11 @@
logtext "Test: Checking AIDE binary"
if [ ! "${AIDEBINARY}" = "" ]; then
logtext "Result: AIDE is installed (${AIDEBINARY})"
FILE_INT_TOOL="aide"
FILE_INT_TOOL_FOUND=1
Display --indent 4 --text "- AIDE" --result FOUND --color GREEN
else
logtext "Result: AIDE is not installed"
Display --indent 4 --text "- AIDE" --result "NOT FOUND" --color WHITE
fi
fi
#
@ -119,11 +121,11 @@
logtext "Test: Checking Osiris binary"
if [ ! "${OSIRISBINARY}" = "" ]; then
logtext "Result: Osiris is installed (${OSIRISBINARY})"
FILE_INT_TOOL="osiris"
FILE_INT_TOOL_FOUND=1
Display --indent 4 --text "- Osiris" --result FOUND --color GREEN
else
logtext "Result: Osiris is not installed"
Display --indent 4 --text "- Osiris" --result "NOT FOUND" --color WHITE
fi
fi
#
@ -136,11 +138,11 @@
logtext "Test: Checking Samhain binary"
if [ ! "${SAMHAINBINARY}" = "" ]; then
logtext "Result: Samhain is installed (${SAMHAINBINARY})"
FILE_INT_TOOL="samhain"
FILE_INT_TOOL_FOUND=1
Display --indent 4 --text "- Samhain" --result FOUND --color GREEN
else
logtext "Result: Samhain is not installed"
Display --indent 4 --text "- Samhain" --result "NOT FOUND" --color WHITE
fi
fi
#
@ -153,11 +155,11 @@
logtext "Test: Checking Tripwire binary"
if [ ! "${TRIPWIREBINARY}" = "" ]; then
logtext "Result: Tripwire is installed (${TRIPWIREBINARY})"
FILE_INT_TOOL="tripwire"
FILE_INT_TOOL_FOUND=1
Display --indent 4 --text "- Tripwire" --result FOUND --color GREEN
else
logtext "Result: Tripwire is not installed"
Display --indent 4 --text "- Tripwire" --result "NOT FOUND" --color WHITE
fi
fi
#
@ -170,10 +172,12 @@
logtext "Test: Checking if OSSEC syscheck daemon is running"
IsRunning ossec-syscheckd
if [ ${RUNNING} -eq 1 ]; then
logtext "Result: syscheck (OSSEC) installed"
FILE_INT_TOOL="ossec-syscheck"
FILE_INT_TOOL_FOUND=1
Display --indent 4 --text "- OSSEC (syscheck)" --result FOUND --color GREEN
else
Display --indent 4 --text "- OSSEC (syscheck)" --result "NOT FOUND" --color WHITE
logtext "Result: syscheck (OSSEC) not installed"
fi
fi
#
@ -187,11 +191,59 @@
logtext "Test: Checking mtree binary"
if [ ! "${MTREEBINARY}" = "" ]; then
logtext "Result: mtree is installed (${MTREEBINARY})"
FILE_INT_TOOL="mtree"
FILE_INT_TOOL_FOUND=1
Display --indent 4 --text "- mtree" --result FOUND --color GREEN
else
logtext "Result: mtree is not installed"
Display --indent 4 --text "- mtree" --result "NOT FOUND" --color WHITE
fi
fi
#
#################################################################################
#
# Test : FINT-4334
# Description : Check if LFD is used (part of CSF suite)
if [ -f ${CSF_CONFIG} ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no FINT-4334 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check lfd daemon status"
if [ ${SKIPTEST} -eq 0 ]; then
Display --indent 4 --text "- lfd (CSF)" --result FOUND --color GREEN
IsRunning 'lfd '
if [ ${RUNNING} -eq 1 ]; then
logtext "Result: lfd daemon is running (CSF)"
Display --indent 6 --text "- Daemon status" --result RUNNING --color GREEN
FILE_INT_TOOL="csf-lfd"
FILE_INT_TOOL_FOUND=1
else
Display --indent 6 --text "- Daemon status" --result "NOT RUNNING" --color YELLOW
fi
fi
# Test : FINT-4336
# Description : Check if LFD is enabled (part of CSF suite)
if [ -f ${CSF_CONFIG} ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no FINT-4336 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check lfd configuration status"
if [ ${SKIPTEST} -eq 0 ]; then
# LFD configuration parameters
ENABLED=`grep "^LF_DAEMON = \"1\"" ${CSF_CONFIG}`
if [ ! "${ENABLED}" = "" ]; then
logtext "Result: lfd service is configured to run"
Display --indent 6 --text "- Configuration status" --result ENABLED --color GREEN
else
logtext "Result: lfd service is configured NOT to run"
Display --indent 6 --text "- Configuration status" --result DISABLED --color YELLOW
fi
ENABLED=`grep "^LF_DIRWATCH =" ${CSF_CONFIG} | awk '{ print $3 }' | sed 's/\"//g'`
if [ ! "${ENABLED}" = "0" -a ! "${ENABLED}" = "" ]; then
logtext "Result: lfd directory watching is enabled (value: ${ENABLED})"
Display --indent 6 --text "- Temporary directory watches" --result ENABLED --color GREEN
else
logtext "Result: lfd directory watching is disabled"
Display --indent 6 --text "- Temporary directory watches" --result DISABLED --color YELLOW
fi
ENABLED=`grep "^LF_DIRWATCH_FILE =" ${CSF_CONFIG} | awk '{ print $3 }' | sed 's/\"//g'`
if [ ! "${ENABLED}" = "0" -a ! "${ENABLED}" = "" ]; then
Display --indent 6 --text "- Directory/File watches" --result ENABLED --color GREEN
else
Display --indent 6 --text "- Directory/File watches" --result DISABLED --color YELLOW
fi
fi
#
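Review bot: FINT-4334 sets FILE_INT_TOOL="csf-lfd" and FILE_INT_TOOL_FOUND=1 as soon as the lfd process is running, but whether lfd watches any files at all is only established in FINT-4336 via LF_DIRWATCH and LF_DIRWATCH_FILE; with both at 0 the host still passes the presence check at the end of the file (the one that otherwise suggests "Install a file integrity tool") on the strength of a login-failure daemon. Move the two assignments into FINT-4336 and make them conditional on at least one watch option being non-zero. Minor: the NOT RUNNING branch of FINT-4334 has no logtext, and the `#####` separator block between FINT-4334 and FINT-4336 is missing while every other test in the file has one.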
@ -209,7 +261,7 @@
else
logtext "Result: No file integrity tools found"
Display --indent 2 --text "- Checking presence integrity tool" --result "NOT FOUND" --color YELLOW
ReportSuggestion ${TEST_NO} "Install a file integrity tool"
ReportSuggestion ${TEST_NO} "Install a file integrity tool to monitor changes to critical and sensitive files"
AddHP 0 5
fi
fi
@ -217,6 +269,7 @@
#################################################################################
#
report "file_integrity_tool=${FILE_INT_TOOL}"
report "file_integrity_tool_installed=${FILE_INT_TOOL_FOUND}"
wait_for_keypress

View File

@ -209,23 +209,46 @@
FOUND=0
logtext "Test: query swap partitions from /etc/fstab file"
# Check if third field contains 'swap'
FIND=`awk '{ if ($3=="swap") print $1 }' /etc/fstab`
FIND=`awk '{ if ($2=="swap" || $3=="swap") { print $1 }}' /etc/fstab | grep -v "^#"`
for I in ${FIND}; do
FOUND=1
REAL=""
UUID=""
logtext "Swap partition found: ${I}"
# YYY Add a test if partition is not a normal partition (e.g. UUID=)
# Can be ^/dev/mapper/vg-name_lv-name
# Can be ^/dev/partition
# Can be ^UUID=uuid --> /dev/disk/by-uuid/<uuid>
# if [ ! "${BLKIDBINARY}" = "" ]; then
# FIND2=`${BLKIDBINARY} | awk '{ if ($2=="UUID=\"${UUID}\"") print $1 }' | sed 's/:$//'`
# else
# logtext "Result: blkid binary not found, trying by checking device listing"
# if [ -f /dev/disk/by-uuid/${UUID} ]; then
# logtext "Result: found disk via /dev/disk/by-uuid listing"
# fi
# fi
report "swap_partition[]=${I}"
HAS_UUID=`echo ${I} | grep "^UUID="`
if [ ! "${HAS_UUID}" = "" ]; then
UUID=`echo ${HAS_UUID} | awk -F= '{ print $2 }'`
logtext "Result: Using ${UUID} as UUID"
if [ ! "${BLKIDBINARYx}" = "" ]; then
FIND2=`${BLKIDBINARY} | awk '{ if ($2=="UUID=\"${UUID}\"") print $1 }' | sed 's/:$//'`
if [ ! "${FIND2}" = "" ]; then
REAL="${FIND2}"
fi
else
logtext "Result: blkid binary not found, trying by checking device listing"
sFILE=""
if [ -L /dev/disk/by-uuid/${UUID} ]; then
logtext "Result: found disk via /dev/disk/by-uuid listing"
ShowSymlinkPath /dev/disk/by-uuid/${UUID}
if [ ! "${sFILE}" = "" ]; then
REAL="${sFILE}"
logtext "Result: disk is ${REAL}"
fi
else
logtext "Result: no symlink found to /dev/disk/by-uuid/${UUID}"
fi
fi
fi
# Set real device
if [ "${REAL}" = "" ]; then
REAL="${I}"
fi
report "swap_partition[]=${I},${REAL},"
done
if [ ${FOUND} -eq 1 ]; then
Display --indent 2 --text "- Query swap partitions (fstab)" --result OK --color GREEN
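Review bot: the blkid branch is dead code: `if [ ! "${BLKIDBINARYx}" = "" ]` tests a misspelled variable (trailing x) that is never set, so the script always falls through to the /dev/disk/by-uuid lookup even when blkid is present. Fixing the name exposes a second defect on the next line: inside the single-quoted awk program `${UUID}` is not expanded by the shell, so `$2=="UUID=\"${UUID}\""` compares against the literal text and can never match. Pass the value in with `awk -v uuid="${UUID}" '{ if ($2=="UUID=\"" uuid "\"") print $1 }'`, or simply use `${BLKIDBINARY} -U "${UUID}"`, which prints the device node directly. Also, `grep -v "^#"` is applied after awk has already reduced each line to $1, so a commented-out fstab entry is only dropped when its first field happens to begin with #; filter before awk, or add `$1 !~ /^#/` to the awk condition.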

View File

@ -340,7 +340,6 @@
logtext "Test: Searching apt-cache, to determine if a newer kernel is available"
if [ -x /usr/bin/apt-cache ]; then
logtext "Result: found /usr/bin/apt-cache"
# YYY Test for presence /usr/bin/apt-cache and dpkg
logtext "Test: checking readlink location of /vmlinuz"
FINDKERNFILE=`readlink -f /vmlinuz`
logtext "Output: readlink reported file ${FINDKERNFILE}"
@ -516,7 +515,8 @@
FIND=`ls /boot/vmlinuz* 2> /dev/null`
if [ ! "${FIND}" = "" ]; then
# Display kernels, extract version numbers and sort them numeric per column (up to 6 numbers)
KERNELS=`ls /boot/vmlinuz* | sed 's/vmlinuz-//' | sed 's/\.[a-z].*.//g' | sed 's/-[a-z].*.//g' | sed 's./boot/..' | sed 's/-/./g' | sort -n -k1,1 -k2,2 -k3,3 -k4,4 -k5,5 -k6,6 -t \.`
# Remove generic. and huge. for Slackware machines
KERNELS=`ls /boot/vmlinuz* | sed 's/vmlinuz-//' | sed 's/generic.//' | sed 's/huge.//' | sed 's/\.[a-z].*.//g' | sed 's/-[a-z].*.//g' | sed 's./boot/..' | sed 's/-/./g' | sort -n -k1,1 -k2,2 -k3,3 -k4,4 -k5,5 -k6,6 -t \.`
elif [ ! `ls /boot/kernel* 2> /dev/null` = "" ]; then
# Display kernels, extract version numbers and sort them numeric per column (up to 6 numbers)
# Examples:
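Review bot: `sed 's/generic.//' | sed 's/huge.//'` only works by accident: the unescaped dot is a regex wildcard, and it is that wildcard which eats the "-" in Slackware names such as vmlinuz-generic-3.10.17 and vmlinuz-huge-3.10.17. Make the intent explicit with `s/generic[.-]//` and `s/huge[.-]//` so a later reader does not "fix" the dot into `\.` and silently break the Slackware case. The second `ls /boot/vmlinuz*` in the pipeline also lacks the `2> /dev/null` that the guard above it uses.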
@ -580,4 +580,4 @@ wait_for_keypress
#
#================================================================================
# Lynis - Copyright 2007-2015, Michael Boelen - http://cisofy.com - The Netherlands
# Lynis - Copyright 2007-2015, CISOfy - https://cisofy.com

View File

@ -274,7 +274,7 @@
Register --test-no LOGG-2150 --weight L --preqs-met ${PREQS_MET} --network NO --description "Checking directories in logrotate configuration"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Checking which directories can be found in logrotate configuration"
FIND=`${LOGROTATEBINARY} -d -v /etc/logrotate.conf 2>&1 | egrep "considering log|skipping" | grep -v '*' | sort | uniq | awk '{ if ($2=="log") { print $3 } }' | sed 's/\/*[a-zA-Z_.-]*$//g' | sort | uniq`
FIND=`${LOGROTATEBINARY} -d -v /etc/logrotate.conf 2>&1 | egrep "considering log|skipping" | grep -v '*' | sort | uniq | awk '{ if ($2=="log") { print $3 } }' | sed 's@/[^/]*$@@g' | sort | uniq`
if [ "${FIND}" = "" ]; then
logtext "Result: nothing found"
else
@ -285,7 +285,6 @@
report "log_directory[]=${I}"
else
logtext "Directory could not be found: ${I}"
# YYY strip more parts of the name, until it can be found (and stop at /)
fi
done
fi

View File

@ -23,7 +23,9 @@
#################################################################################
#
CLAMD_RUNNING=0
MCAFEE_SCANNER_RUNNING=0
MALWARE_SCANNER_INSTALLED=0
SOPHOS_SCANNER_RUNNING=0
#
#################################################################################
#
@ -66,27 +68,36 @@
Register --test-no MALW-3280 --weight L --network NO --description "Check if anti-virus tool is installed"
if [ ${SKIPTEST} -eq 0 ]; then
FOUND=0
MCAFEE_RUNNING=0
logtext "Test: checking process cma or cmdagent (McAfee)"
# cma is too generic to match on, so we want to ensure that it is related to McAfee first
if [ -x /opt/McAfee/cma/bin/cma ]; then
IsRunning cma
if [ ${RUNNING} -eq 1 ]; then MCAFEE_RUNNING=1; fi
if [ ${RUNNING} -eq 1 ]; then MCAFEE_SCANNER_RUNNING=1; fi
else
IsRunning cmdagent
if [ ${RUNNING} -eq 1 ]; then MCAFEE_RUNNING=1; fi
if [ ${RUNNING} -eq 1 ]; then MCAFEE_SCANNER_RUNNING=1; fi
fi
if [ ${MCAFEE_RUNNING} -eq 1 ]; then
if [ ${MCAFEE_SCANNER_RUNNING} -eq 1 ]; then
FOUND=1
Display --indent 2 --text "- Checking McAfee" --result "FOUND" --color GREEN
logtext "Result: Found McAfee"
MALWARE_SCANNER_INSTALLED=1
AddHP 2 2
fi
# Sophos savscand/SophosScanD
logtext "Test: checking process savscand"
IsRunning savscand
if [ ${RUNNING} -eq 1 ]; then
FOUND=1
SOPHOS_SCANNER_RUNNING=1;
fi
logtext "Test: checking process SophosScanD"
IsRunning SophosScanD
if [ ${RUNNING} -eq 1 ]; then
FOUND=1
SOPHOS_SCANNER_RUNNING=1;
fi
if [ ${SOPHOS_SCANNER_RUNNING} -eq 1 ]; then
Display --indent 2 --text "- Checking Sophos" --result "FOUND" --color GREEN
logtext "Result: Found Sophos"
MALWARE_SCANNER_INSTALLED=1
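Review bot: `SOPHOS_SCANNER_RUNNING=1;` (both occurrences) carries a stray trailing semicolon that nothing else in the file uses; drop it. The savscand and SophosScanD blocks are otherwise identical and would read better as one loop over the two process names, which also keeps the logtext wording consistent between them.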
@ -114,7 +125,6 @@
logtext "Result: clamscan couldn't be found"
fi
fi
#
#################################################################################
#
@ -185,22 +195,6 @@
# Description : Check for LMD
#
#################################################################################
#
# Test : MALW-3292
# Description : Check if at least one malware scanner is installed
# Register --test-no MALW-3292 --weight L --network NO --description "Check for at least one malware scanner"
# if [ ${SKIPTEST} -eq 0 ]; then
# if [ ${MALWARE_SCANNER_INSTALLED} -eq 1 ]; then
# logtext "Result: At least one malware scanner is installed"
# Display --indent 2 --text "- Checking presence malware scanner" --result "FOUND" --color GREEN
# #AddHP 3 3
# else
# logtext "Result: No malware scanners found"
# Display --indent 2 --text "- Checking presence malware scanner" --result "NOT FOUND" --color YELLOW
# ReportSuggestion ${TEST_NO} "Install at least one malware scanner to perform periodic integrity tests on the system"
# #AddHP 0 3
# fi
# fi
#
#################################################################################
#

View File

@ -402,9 +402,67 @@
fi
#
#################################################################################
#
# Test : PKGS-7366
# Description : Checking if debsecan is installed and enabled on Debian systems
if [ ! "${DEBSECANBINARY}" = "" -a "${OS}" = "Linux" -a "${LINUX_VERSION}" = "Debian" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no "PKGS-7366" --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking for debsecan utility"
if [ ${SKIPTEST} -eq 0 ]; then
if [ ! "${DEBSECANBINARY}" = "" ]; then
logtext "Result: debsecan utility is installed"
Display --indent 4 --text "- debsecan utility" --result "FOUND" --color GREEN
AddHP 3 3
PACKAGE_AUDIT_TOOL_FOUND=1
PACKAGE_AUDIT_TOOL="debsecan"
FIND=`find /etc/cron* -name debsecan`
if [ ! ${FIND} = "" ]; then
logtext "Result: cron job is configured for debsecan"
Display --indent 6 --text "- debsecan cron job" --result "FOUND" --color GREEN
AddHP 3 3
else
logtext "Result: no cron job is configured for debsecan"
Display --indent 4 --text "- debsecan cron job" --result "NOT FOUND" --color YELLOW
AddHP 1 3
ReportSuggestion ${TEST_NO} "Check debsecan cron job and ensure it is enabled"
fi
else
logtext "Result: debsecan is not installed."
Display --indent 4 --text "- debsecan utility" --result "NOT FOUND" --color YELLOW
AddHP 0 2
ReportSuggestion ${TEST_NO} "Install debsecan to check for vulnerabilities on installed packages."
fi
fi
#
#################################################################################
#
# Test : PKGS-7370
# Description : Check debsums output
# Description : Checking debsums installation status and presence in cron job
# Note : Run this only when it is a DPKG based system
if [ ! "${DPKGBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no "PKGS-7370" --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking for debsums utility"
if [ ${SKIPTEST} -eq 0 ]; then
if [ ! "${DEBSUMSBINARY}" = "" ]; then
logtext "Result: debsums utility is installed"
Display --indent 4 --text "- debsums utility" --result "FOUND" --color GREEN
AddHP 1 1
# Check in /etc/cron.hourly, daily, weekly, monthly etc
COUNT=`find /etc/cron* -name debsums | wc -l`
if [ ${COUNT} -gt 0 ]; then
logtext "Result: Cron job is configured for debsums utility."
Display --indent 6 --text "- Cron job for debsums" --result "FOUND" --color GREEN
AddHP 3 3
else
logtext "Result: Cron job is not configured for debsums utility."
Display --indent 6 --text "- Cron job for debsums" --result "NOT FOUND" --color YELLOW
AddHP 1 3
ReportSuggestion "${TEST_NO}" "Check debsums configuration and enable checking regurlarly via a cron job."
fi
else
logtext "Result: debsums utility is not installed."
AddHP 0 2
ReportSuggestion ${TEST_NO} "Install debsums utility for the verification of packages with known good database."
fi
fi
#
#################################################################################
#
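Review bot: in PKGS-7366 `if [ ! ${FIND} = "" ]` leaves FIND unquoted: with no match it degrades to `[ ! = "" ]`, which only happens to evaluate false, and with two matches (a debsecan file in both /etc/cron.d and /etc/cron.daily, for instance) test(1) fails with "too many arguments". Quote it (`[ ! "${FIND}" = "" ]`) or count with `wc -l` as PKGS-7370 does. The cron-job NOT FOUND Display uses --indent 4 while its FOUND counterpart uses --indent 6. In PKGS-7370 the "debsums utility is not installed" branch logs, scores and suggests but never calls Display, unlike the equivalent debsecan branch, so the user sees nothing on screen. Typo in the suggestion text: "regurlarly".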
@ -933,9 +991,45 @@
#
#################################################################################
#
# check for popularity-contest (Debian/Ubuntu)
# check for yum-changelog
# Test : PKGS-7410
# Description : Count number of installed kernel packages
Register --test-no PKGS-7410 --weight L --network NO --description "Count installed kernel packages"
if [ ${SKIPTEST} -eq 0 ]; then
KERNELS=0
if [ ! "${RPMBINARY}" = "" ]; then
logtext "Test: Checking how many kernel packages are installed"
KERNELS=`rpm -q kernel 2> /dev/null | wc -l`
if [ ${KERNELS} -eq 0 ]; then
logtext "Result: found no kernels from rpm -q kernel output, which is unexpected"
ReportException "KRNL-5840:1" "Could not find any kernel packages from RPM output"
elif [ ${KERNELS} -gt 5 ]; then
logtext "Result: found more than 5 kernel packages on the system, which might indicate lack of regular cleanups"
ReportSuggestion "${TEST_NO}" "Remove any unneeded kernel packages with package-cleanup utility (--old-kernels)"
AddHP 4 5
else
logtext "Result: found ${KERNELS} on the system, which is fine"
AddHP 1 1
fi
fi
fi
#
#################################################################################
#
# Test : PKGS-7414
# Description : Check installonly_limit in yum.conf
#
#################################################################################
#
# Test : PKGS-7416
# Description : Check for popularity-contest (Debian/Ubuntu)
#
#################################################################################
#
# Test : PKGS-7418
# Description : Check for yum-changelog
#
#################################################################################
#
if [ ! "${INSTALLED_PACKAGES}" = "" ]; then
report "installed_packages_array=${INSTALLED_PACKAGES}"
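Review bot: `rpm -q kernel` prints "package kernel is not installed" on stdout, not stderr, so `2> /dev/null | wc -l` yields 1 instead of 0 and the `-eq 0` branch with its ReportException is unreachable; test the exit status or filter with `grep -v "is not installed"` first. The exception id "KRNL-5840:1" belongs to another test and should be "${TEST_NO}:1". Use `${RPMBINARY}` rather than the bare `rpm`, as the guard two lines above does. The log line "found ${KERNELS} on the system" is missing the word "kernels". Finally, distributions that name the package differently (kernel-default on SUSE) will report 0 once the stdout issue is fixed and raise the exception; check the distribution-specific name before treating 0 as an error.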

View File

@ -57,16 +57,9 @@
logtext "Output /etc/ttys:"
logtext "${FIND}"
ReportWarning ${TEST_NO} "M" "Found unprotected console in /etc/ttys"
#ReportSuggestion ${TEST_NO} "Change the console line from 'secure' to 'insecure'."
logtext "Possible solution: Change the console line from 'secure' to 'insecure'."
fi
fi
#
#################################################################################
#
# Test : SHLL-6214
# Description : check for idle session killing tools (timeoutd)
#
#################################################################################
#
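Review bot: moving the remediation hint into logtext ("Possible solution: Change the console line from 'secure' to 'insecure'.") hides it from the report; a warning is raised on the line above, so the natural place for the fix is the ReportSuggestion that was commented out, not the log file.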
@ -220,43 +213,6 @@
fi
#
#################################################################################
#
# Test : SHLL-6236
# Description : Check /etc/profile
#
#################################################################################
#
# Test : SHLL-6240
# Description : Check default umask
# Register --test-no SHLL-6240 --weight L --network NO --description "Check default umask"
# if [ ${SKIPTEST} -eq 0 ]; then
# logtext "Test: Checking /etc/profile"
# if [ -f /etc/profile ]; then
# FIND=`grep "^umask" | awk '{ print $2 }'`
# if [ "${FIND}" = "" ]; then
# logtext "Result: xxx"
# Display --indent 2 --text "- Checking default umask" --result OK --color GREEN
# else
# logtext "Result: xxx"
# Display --indent 2 --text "- Checking default umask" --result WARNING --color RED
# #ReportWarning ${TEST_NO} "M" "xxx"
# #ReportSuggestion ${TEST_NO} "xxx"
# fi
# fi
# fi
#
#################################################################################
#
# Test : SHLL-6250
# Description : Check /etc/bash.bashrc
# Register --test-no SHLL-6250 --weight L --network NO --description "Check default umask"
# if [ ${SKIPTEST} -eq 0 ]; then
#
#################################################################################
#
#
#################################################################################
#
# Test : SHLL-6290
# Description : Check for Shellshock vulnerability
@ -395,4 +351,4 @@ wait_for_keypress
#
#================================================================================
# Lynis - Copyright 2007-2015, CISOfy & Michael Boelen - http://cisofy.com - The Netherlands
# Lynis - Copyright 2007-2015, CISOfy - http://cisofy.com

View File

@ -33,7 +33,7 @@
if [ -d /etc/modprobe.d ]; then
FIND=`ls /etc/modprobe.d/* 2> /dev/null`
if [ ! "${FIND}" = "" ]; then
FIND=`grep -r "install usb-storage /bin/true" /etc/modprobe.d/* | grep "usb-storage" | grep -v "#"`
FIND=`grep -r "install usb-storage /bin/(false|true)" /etc/modprobe.d/* | grep "usb-storage" | grep -v "#"`
FIND2=`egrep -r "^blacklist (usb_storage|usb-storage)" /etc/modprobe.d/*`
if [ ! "${FIND}" = "" -o ! "${FIND2}" = "" ]; then
FOUND=1
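Review bot: the alternation in `grep -r "install usb-storage /bin/(false|true)"` needs extended regular expressions; plain grep treats `(`, `|` and `)` as literal characters, so the pattern now matches only the string "/bin/(false|true)" and no longer detects `install usb-storage /bin/true`, which the previous version did, nor `/bin/false`. Use egrep (as the firewire hunks in this same file already do) or `grep -E`. The identical change to the /etc/modprobe.conf grep in the next hunk has the same regression.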
@ -44,7 +44,7 @@
fi
fi
if [ -f /etc/modprobe.conf ]; then
FIND=`grep "install usb-storage /bin/true" /etc/modprobe.conf | grep "usb-storage" | grep -v "#"`
FIND=`grep "install usb-storage /bin/(false|true)" /etc/modprobe.conf | grep "usb-storage" | grep -v "#"`
if [ ! "${FIND}" = "" ]; then
FOUND=1
logtext "Result: found usb-storage driver in disabled state"
@ -66,6 +66,7 @@
#
# Test : STRG-1846
# Description : Check for disabled firewire storage
# Explanation : Best option is to use the install function, or else drivers can still be loaded manually
Register --test-no STRG-1846 --os Linux --weight L --network NO --description "Check if firewire storage is disabled"
if [ ${SKIPTEST} -eq 0 ]; then
FOUND=0
@ -73,8 +74,8 @@
if [ -d /etc/modprobe.d ]; then
FIND=`ls /etc/modprobe.d/* 2> /dev/null`
if [ ! "${FIND}" = "" ]; then
FIND1=`egrep "blacklist (ohci1394|firewire-ohci)" /etc/modprobe.d/* | grep "ohci" | grep -v "#"`
FIND2=`egrep "install (ohci1394|firewire-ohci) /bin/true" /etc/modprobe.d/* | grep "ohci" | grep -v "#"`
FIND1=`egrep "blacklist (ohci1394|firewire-ohci|firewire_ohci)" /etc/modprobe.d/* | grep "ohci" | grep -v "#"`
FIND2=`egrep "install (ohci1394|firewire-ohci|firewire_ohci) /bin/(false|true)" /etc/modprobe.d/* | grep "ohci" | grep -v "#"`
if [ ! "${FIND1}" = "" -o ! "${FIND2}" = "" ]; then
FOUND=1
logtext "Result: found firewire ohci driver in disabled state"
@ -84,8 +85,8 @@
fi
fi
if [ -f /etc/modprobe.conf ]; then
FIND1=`egrep -r "blacklist (ohci1394|firewire-ohci)" /etc/modprobe.conf | grep "ohci" | grep -v "#"`
FIND2=`egrep -r "install (ohci1394|firewire-ohci) /bin/true" /etc/modprobe.conf | grep "ohci" | grep -v "#"`
FIND1=`egrep -r "blacklist (ohci1394|firewire-ohci|firewire_ohci)" /etc/modprobe.conf | grep "ohci" | grep -v "#"`
FIND2=`egrep -r "install (ohci1394|firewire-ohci|firewire_ohci) /bin/(false|true)" /etc/modprobe.conf | grep "ohci" | grep -v "#"`
if [ ! "${FIND1}" = "" -o ! "${FIND2}" = "" ]; then
FOUND=1
logtext "Result: found firewire ohci driver in disabled state"
@ -107,6 +108,7 @@
#
#################################################################################
#
# Use modprobe --showconfig to test for options
# NetBSD: amd (auto mount daemon)
@ -119,4 +121,4 @@ wait_for_keypress
#
#================================================================================
# Lynis - Copyright 2007-2015, Michael Boelen - www.rootkit.nl - The Netherlands
# Lynis - Copyright 2007-2015, CISOfy, Michael Boelen - https://cisofy.com

View File

@ -32,6 +32,7 @@
# Specific for ntpd
NTPD_RUNNING=0
CRON_DIRS="/etc/cron.d /etc/cron.hourly /etc/cron.daily /etc/cron.weekly /etc/cron.monthly /var/spool/crontabs"
SYSTEMD_NTP_ENABLED=0
#
#################################################################################
#
@ -46,10 +47,25 @@
fi
Register --test-no TIME-3104 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check for running NTP daemon or client"
if [ ${SKIPTEST} -eq 0 ]; then
# Linux/FreeBSD (ntpdate), OpenBSD (ntpd, rdate)
# Linux/FreeBSD (ntpdate), OpenBSD (ntpd, rdate), Chrony, systemd-timesyncd
logtext "Test: Searching for a running NTP daemon or available client"
FOUND=0
if [ -f /etc/chrony.conf ]; then
IsRunning chronyd
if [ ${RUNNING} -eq 1 ]; then
FOUND=1; NTP_DAEMON_RUNNING=1; NTP_CONFIG_TYPE_DAEMON=1; NTP_DAEMON="chronyd"
Display --indent 2 --text "- NTP daemon found: chronyd" --result FOUND --color GREEN
fi
fi
# Check time daemon (eg DragonFly BSD)
IsRunning dntpd
if [ ${RUNNING} -eq 1 ]; then
FOUND=1; NTP_DAEMON_RUNNING=1; NTP_CONFIG_TYPE_DAEMON=1; NTP_DAEMON="dntpd"
Display --indent 2 --text "- NTP daemon found: dntpd" --result FOUND --color GREEN
fi
# Check running processes
FIND=`${PSBINARY} ax | grep "ntpd" | grep -v "dntpd" | grep -v "grep"`
if [ ! "${FIND}" = "" ]; then
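Review bot: chronyd detection is gated on `[ -f /etc/chrony.conf ]`, but Debian and Ubuntu ship the file as /etc/chrony/chrony.conf, so a running chronyd on those systems is never counted and the generic `${PSBINARY} ax | grep "ntpd"` fallback does not match "chronyd" either. Test both paths, or drop the file check and rely on `IsRunning chronyd` alone; the dntpd block right below already does without a config-file precondition.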
@ -66,19 +82,18 @@
Display --indent 2 --text "- NTP daemon found: timed" --result FOUND --color GREEN
fi
# Check time daemon (eg DragonFly BSD)
IsRunning dntpd
if [ ${RUNNING} -eq 1 ]; then
FOUND=1; NTP_DAEMON_RUNNING=1; NTP_CONFIG_TYPE_DAEMON=1; NTP_DAEMON="dntpd"
Display --indent 2 --text "- NTP daemon found: dntpd" --result FOUND --color GREEN
fi
# Check timedate daemon (systemd)
if [ ! "${TIMEDATECTL}" = "" ]; then
FIND=`${TIMEDATECTL} status | grep "NTP enabled: yes"`
if [ ! "${FIND}" = "" ]; then
FOUND=1; NTP_DAEMON_RUNNING=1; NTP_CONFIG_TYPE_DAEMON=1; NTP_DAEMON="timedated"
Display --indent 2 --text "- NTP daemon found: timedated" --result "FOUND" --color GREEN
# Check for systemd-timesyncd
if [ -f /etc/systemd/timesyncd.conf ]; then
FOUND=1; NTP_DAEMON_RUNNING=1; NTP_CONFIG_TYPE_DAEMON=1; NTP_DAEMON="systemd-timesyncd"
Display --indent 2 --text "- NTP daemon found: systemd (timesyncd)" --result "FOUND" --color GREEN
SYSTEMD_NTP_ENABLED=1
fi
else
logtext "Result: time sychronization not performed according timedatectl command"
fi
fi
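Review bot: `[ -f /etc/systemd/timesyncd.conf ]` is not evidence of time synchronization: systemd installs that default file on every system, including ones where systemd-timesyncd is disabled or ntpd/chronyd is used instead, so NTP_DAEMON_RUNNING=1 and the green "systemd (timesyncd)" line will appear on hosts that synchronize nothing. The removed `${TIMEDATECTL} status | grep "NTP enabled: yes"` was the more reliable signal; keep it, or use `IsRunning systemd-timesyncd`, and set SYSTEMD_NTP_ENABLED only in that positive case. The else branch now logs "time sychronization not performed according timedatectl command" when the actual condition is that timedatectl is not installed; reword it to say so (and fix "sychronization").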
@ -94,7 +109,7 @@
Display --indent 2 --text "- Checking NTP client in crontab file (${I})" --result FOUND --color GREEN
logtext "Result: found ntpdate or rdate reference in crontab file ${I}"
else
Display --indent 2 --text "- Checking NTP client in crontab file (${I})" --result "NOT FOUND" --color WHITE
#Display --indent 2 --text "- Checking NTP client in crontab file (${I})" --result "NOT FOUND" --color WHITE
logtext "Result: no ntpdate or rdate reference found in crontab file ${I}"
fi
else
@ -133,11 +148,10 @@
Display --indent 2 --text "- Checking NTP client in cron files" --result FOUND --color GREEN
logtext "Result: found ntpdate or rdate in cron directory"
else
Display --indent 2 --text "- Checking NTP client in cron.d files" --result "NOT FOUND" --color WHITE
#Display --indent 2 --text "- Checking NTP client in cron.d files" --result "NOT FOUND" --color WHITE
logtext "Result: no ntpdate or rdate found in cron directories"
fi
# Checking if ntpdate is performed by event
logtext "Test: checking for file /etc/network/if-up.d/ntpdate"
if [ -f /etc/network/if-up.d/ntpdate ]; then
@ -181,6 +195,21 @@
fi
#
#################################################################################
#
# Test : TIME-3106
# Description : Check status of systemd time synchronization
if [ ${SYSTEMD_NTP_ENABLED} -eq 1 -a ! "${TIMEDATECTL}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no TIME-3106 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check systemd NTP time synchronization status"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Check the status of time synchronization via timedatectl"
FIND=`${TIMEDATECTL} status | grep "NTP sychronized: yes"`
if [ "${FIND}" = "" ]; then
logtext "Result: time not synchronized via NTP"
ReportSuggestion "${TEST_NO}" "Check timedatectl output. Sychronization via NTP is enabled, but status reflects it is not synchronized"
fi
fi
#
#################################################################################
#
# Test : TIME-3112
# Description : Check for valid associations from ntpq peers list
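Review bot: the grep pattern "NTP sychronized: yes" is misspelled (the n in synchronized is missing), so it never matches timedatectl's "NTP synchronized: yes" line and the ReportSuggestion fires on every host where SYSTEMD_NTP_ENABLED is set, correctly synchronized ones included. Fix the pattern, and the same typo in the suggestion text and in the TIME-3104 else-branch logtext.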
@ -404,6 +433,8 @@
#
#################################################################################
#
# For VMs check ntpd.conf : tinker panic 0
#
wait_for_keypress
@ -429,4 +460,4 @@ wait_for_keypress
#
#================================================================================
# Lynis - Copyright 2007-2015, Michael Boelen - www.rootkit.nl - The Netherlands
# Lynis - Copyright 2007-2015, CISOfy - https://cisofy.com

View File

@ -45,6 +45,25 @@
Display --indent 4 --text "Found: Cfengine (cfagent)" --result FOUND --color GREEN
fi
CHEF_LOCATIONS="/opt/chef/bin /opt/chef-server/sv /opt/chefdk/bin"
for I in ${CHEF_LOCATIONS}; do
if [ -d ${I} ]; then
if [ -f ${I}/chef-client ]; then
CHEFCLIENTBINARY="${I}/chef-client"
AUTOMATION_TOOL_FOUND=1
Display --indent 4 --text "Found: Chef client (chef-client)" --result FOUND --color GREEN
logtext "Result: found chef-client (chef client daemon) in ${I}"
fi
if [ -f ${I}/erchef ]; then
CHEFSERVERBINARY="${I}/erchef"
logtext "Result: Chef Server (erchef) is installed (${CHEFSERVERBINARY})"
AUTOMATION_TOOL_FOUND=1
Display --indent 4 --text "Found: Chef Server (erchef)" --result FOUND --color GREEN
logtext "Result: found erchef (chef server daemon) in ${I}"
fi
fi
done
# Puppet
if [ ! "${PUPPETBINARY}" = "" ]; then
logtext "Result: Puppet is installed (${PUPPETBINARY})"
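Review bot: the erchef branch logs the same finding twice ("Chef Server (erchef) is installed (...)" and "found erchef (chef server daemon) in ..."); keep one. The loop also continues after a hit, so a later directory in CHEF_LOCATIONS silently overwrites CHEFCLIENTBINARY or CHEFSERVERBINARY; add a break once the binary is found, or assign only while the variable is still empty.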
@ -106,4 +125,4 @@
wait_for_keypress
#
#================================================================================
# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com
# Lynis - Copyright 2007-2015, CISOfy - https://cisofy.com

View File

@ -5,8 +5,8 @@
# Lynis
# ------------------
#
# Copyright 2007-2015, Michael Boelen (michael@rootkit.nl), The Netherlands
# Web site: http://www.rootkit.nl
# Copyright 2007-2015, Michael Boelen (michael.boelen@cisofy.com)
# Web site: https://cisofy.com
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
@ -22,49 +22,6 @@
#
#################################################################################
#
# Test : VIRT-1902
# Description : Query running Solaris zones
if [ -x /usr/sbin/zoneadm ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no VIRT-1902 --os Solaris --weight L --network NO --description "Query running Solaris zones"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: query zoneadm to list all running zones"
FIND=`/usr/sbin/zoneadm list -p | awk -F: '{ if ($2!="global") print $0 }'`
if [ ! "${FIND}" = "" ]; then
N=0
for I in ${FIND}; do
N=`expr ${N} + 1`
ZONEID=`echo ${I} | cut -d ':' -f1`
ZONENAME=`echo ${I} | cut -d ':' -f2`
logtext "Result: found zone ${ZONENAME} (running)"
report "solaris_running_zone[]=${ZONENAME} [id:${ZONEID}]"
done
logtext "Result: total of ${N} running zones"
Display --indent 2 --text "- Checking Solaris Zones" --result "FOUND ${N} zones" --color GREEN
else
logtext "Result: no running zones found"
Display --indent 2 --text "- Checking Solaris Zones" --result NONE --color WHITE
fi
fi
#
#################################################################################
#
# Test : VIRT-1906
# Description : Query running Xen zones
#if [ -x /usr/bin/xm ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
#Register --test-no VIRT-1906 --weight L --network NO --description "Query Xen guests"
#if [ ${SKIPTEST} -eq 0 ]; then
# Show Xen guests
#FIND=`xm list | awk '$1 != "Name|Domain-0" {print $1","$2}'`
#for I in ${FIND}; do
#XENGUESTNAME=`echo ${I} | cut -d ':' -f1`
#XENGUESTID=`echo ${I} | cut -d ':' -f2`
#logtext "Result: found Xen guest ${XENGUESTNAME} (ID: ${XENGUESTID})"
#done
#fi
#
#################################################################################
#
# # Test : VIRT-1920
# # Description : Checking VMware
# Register --test-no VIRT-1920 --weight L --network NO --description "Checking VMware guest status"
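Review bot: the deletion of VIRT-1902 (Solaris zones) together with the commented-out VIRT-1906 Xen block gives no hint in this hunk of where zone enumeration went; a later hunk in `lynis` adds a `containers` category to `INCLUDE_TESTS`, so confirm the test was relocated there rather than dropped, because the `solaris_running_zone[]` key written by `report "solaris_running_zone[]=${ZONENAME} [id:${ZONEID}]"` would otherwise vanish from the report file that downstream tooling parses. If the test really is retired, the removal needs a changelog entry.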

75
lynis
@ -23,7 +23,7 @@
# Program information
PROGRAM_name="Lynis"
PROGRAM_version="2.1.1"
PROGRAM_releasedate="19 April 2015"
PROGRAM_releasedate="27 May 2015"
PROGRAM_author="CISOfy"
PROGRAM_author_contact="lynis-dev@cisofy.com"
PROGRAM_website="https://cisofy.com"
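Review bot: `PROGRAM_releasedate` moves to "27 May 2015" while `PROGRAM_version` stays at "2.1.1"; the update check derives `PROGRAM_AC` from `PROGRAM_version` (see the `@ -226,55` hunk below), so with the version unchanged it cannot tell this build from the 19 April one. Either bump the version together with the date or leave the date alone. The `lynis.8` hunk on this page sets "30 April 2015", a third date that should agree with whatever is chosen here.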
@ -134,7 +134,7 @@
echo ""
echo " Why do I see this error?"
echo " -------------------------------"
echo " This error is a protection mechanism, to prevent root user from executing user created files."
echo " This is a protection mechanism, to prevent the root user from executing user created files."
echo ""; echo ""
echo " What can I do?"
echo " ---------------------"
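Review bot: the reworded message reads better, but "user created files" in the new line should be hyphenated as "user-created files".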
@ -226,55 +226,6 @@
# CV - Current Version
PROGRAM_AC=`echo ${PROGRAM_version} | awk '{ print $1 }' | sed 's/[.]//g'`
PROGRAM_LV=0
#DB_MALWARE_CV=`grep "^#version=" ${DBDIR}/malware.db | cut -d '=' -f2`
#DB_FILEPERMS_CV=`grep "^#version=" ${DBDIR}/fileperms.db | cut -d '=' -f2`
# Number of signatures
#DB_MALWARE_IC=`grep -v "^#" ${DBDIR}/malware.db | wc -l | tr -s ' ' | tr -d ' '`
if [ ${VIEWUPDATEINFO} -eq 1 ]; then
CheckUpdates
# Reset everything if we can't determine our current version or the latest
# available version (due lack of internet connectivity for example)
if [ "${PROGRAM_AC}" = "" -o "${PROGRAM_LV}" = "" ]; then
# Set both to safe values
PROGRAM_AC=0; PROGRAM_LV=0
#DB_MALWARE_LV=0; DB_MALWARE_CV=0
#DB_FILEPERMS_LV=0; DB_FILEPERMS_CV=0
fi
echo ""; echo " == ${WHITE}${PROGRAM_name}${NORMAL} =="; echo ""
echo " Version : ${PROGRAM_version}"
echo -n " Status : "
if [ ${PROGRAM_LV} -eq 0 ]; then
echo "${RED}Unknown${NORMAL}";
elif [ ${PROGRAM_LV} -gt ${PROGRAM_AC} ]; then
echo "${YELLOW}Outdated${NORMAL}";
echo " Current version : ${PROGRAM_AC}"
echo " Latest version : ${PROGRAM_LV}"
else
echo "${GREEN}Up-to-date${NORMAL}"
fi
echo " Release date : ${PROGRAM_releasedate}"
echo " Update location : ${PROGRAM_website}"
# echo ""
# echo " == ${WHITE}Plugins${NORMAL} =="
# echo ""
# echo " == ${WHITE}Databases${NORMAL} =="
# echo " Current Latest Status"
# echo " -----------------------------------------------------------------------------"
# echo -n " Malware : ${DB_MALWARE_CV} ${DB_MALWARE_LV} "
# if [ ${DB_MALWARE_LV} -gt ${DB_MALWARE_CV} ]; then echo "${WARNING}Outdated${NORMAL}"; else echo "${OK}Up-to-date${NORMAL}"; fi
# echo -n " File perms : ${DB_FILEPERMS_CV} ${DB_FILEPERMS_LV} "
# if [ ${DB_FILEPERMS_LV} -gt ${DB_FILEPERMS_CV} ]; then echo "${WARNING}Outdated${NORMAL}"; else echo "${OK}Up-to-date${NORMAL}"; fi
echo ""; echo ""
echo "${PROGRAM_copyright}"; echo ""
# Quit program
ExitClean
fi
#
#################################################################################
#
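Review bot: removing the whole `VIEWUPDATEINFO` block also removes the only call to `CheckUpdates` and the guard that resets `PROGRAM_AC`/`PROGRAM_LV` to 0 when a version string comes back empty, yet the `PROGRAM_AC=...` and `PROGRAM_LV=0` assignments stay in the context lines above. If the new `update info` helper (added to the help text in the `@ -394,8` hunk) takes over this output, move those two assignments with it or delete them so the main script carries no dead state, and drop `CheckUpdates` too if nothing calls it any more.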
@ -394,8 +345,11 @@
echo " audit system : Perform security scan"
echo " audit dockerfile <file> : Analyze Dockerfile"
echo ""
echo " ${GREEN}update${NORMAL}"
echo " update info : Show update details"
echo " update release : Update Lynis release"
echo ""
echo ""
echo " ${WHITE}Scan options:${NORMAL}"
echo " --auditor \"<name>\" : Auditor name"
echo " --dump-options : See all available options"
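Review bot: the added block ends with two consecutive `echo ""` lines (the new one plus the existing one), printing a double blank line before the "Scan options:" header where every other group in this help text is separated by a single blank line; drop one of them.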
@ -412,7 +366,6 @@
echo " --reverse-colors : Optimize color display for light backgrounds"
echo ""
echo " ${WHITE}Misc options:${NORMAL}"
echo " --check-update : Check for updates"
echo " --debug : Debug logging to screen"
echo " --view-manpage (--man) : View man page"
echo " --version (-V) : Display version number and quit"
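Review bot: only the help line for `--check-update` goes away here; no hunk on this page touches the option parser, so confirm the flag (and the `--info` alias the `lynis.8` hunk below drops) is removed from the parser as well, or kept with a message pointing users to `lynis update info`. Otherwise the option is silently accepted while undocumented and, after the `@ -226,55` removal, does nothing.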
@ -529,7 +482,7 @@
#
#################################################################################
#
if [ ${QUIET} -eq 0 ]; then
if [ ${QUIET} -eq 0 -a ${SHOW_PROGRAM_DETAILS} -eq 1 ]; then
echo ""
echo " ---------------------------------------------------"
echo " Program version: ${PROGRAM_version}"
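Review bot: `[ ${QUIET} -eq 0 -a ${SHOW_PROGRAM_DETAILS} -eq 1 ]` aborts with an "integer expression expected" error if `SHOW_PROGRAM_DETAILS` is unset or empty, because the variable is expanded unquoted into the test; make sure it is initialised with the other defaults (e.g. `SHOW_PROGRAM_DETAILS=1`) before this point, and prefer `[ "${QUIET}" -eq 0 ] && [ "${SHOW_PROGRAM_DETAILS}" -eq 1 ]`, since `-a` inside `[` is marked obsolescent by POSIX.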
@ -766,13 +719,11 @@
logtext "Info: perform tests from all categories"
INCLUDE_TESTS="boot_services kernel memory_processes authentication shells \
filesystems storage storage_nfs \
nameservices ports_packages networking printers_spools \
mail_messaging firewalls \
webservers ssh snmp databases ldap php squid logging \
insecure_services banners scheduling accounting \
time crypto virtualization mac_frameworks file_integrity hardening_tools tooling \
malware file_permissions homedirs kernel_hardening hardening"
filesystems storage storage_nfs nameservices ports_packages networking printers_spools \
mail_messaging firewalls webservers ssh snmp databases ldap php squid logging \
insecure_services banners scheduling accounting time crypto virtualization containers \
mac_frameworks file_integrity hardening_tools tooling malware file_permissions homedirs \
kernel_hardening hardening"
else
INCLUDE_TESTS="${TESTS_CATEGORY_TO_PERFORM}"
logtext "Info: only performing tests from categories: ${TESTS_CATEGORY_TO_PERFORM}"
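Review bot: `containers` is new in `INCLUDE_TESTS`, but no hunk on this page adds a matching `tests_containers` include, while the first hunk removes VIRT-1902 (Solaris zones) from the virtualization tests; make sure the include file is part of this merge and that the relocated test keeps its test id, otherwise the default `audit system` run sources a category that does not exist. The reflow of the list itself is purely cosmetic.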
@ -834,12 +785,12 @@
#################################################################################
#
if [ ${RUN_HELPERS} -eq 1 ]; then
InsertPluginSection "Audit Module"
if [ ! "${HELPER}" = "" ]; then
logtext "Helper tool is $HELPER"
if [ -f ${INCLUDEDIR}/helper_${HELPER} ]; then
SafePerms ${INCLUDEDIR}/helper_${HELPER}
logtext "Running helper tool ${HELPER} with params: ${HELPER_PARAMS}"
InsertPluginSection "Helper: ${HELPER}"
. ${INCLUDEDIR}/helper_${HELPER} ${HELPER_PARAMS}
else
echo "Error, could not find helper"
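Review bot: moving `InsertPluginSection` inside the `-f` branch means the error path (`Error, could not find helper`) no longer opens a report section, which is fine, but `${HELPER}` comes from the command line (the `lynis.8` hunk below says to run Lynis followed by the helper name) and is interpolated unquoted into `${INCLUDEDIR}/helper_${HELPER}` before that file is sourced with `.`. Validate it against the known helper names (the man page lists `audit` and `update`), or at least restrict it to `[a-z_]` characters, before building the path, and quote the path in the `-f` test and the `SafePerms` call so an unexpected value fails the check instead of reaching the source step.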

47
lynis.8
@ -1,4 +1,4 @@
.TH Lynis 8 "30 January 2015" "1.17" "Unix System Administrator's Manual"
.TH Lynis 8 "30 April 2015" "1.18" "Unix System Administrator's Manual"
.SH "NAME"
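Review bot: the `.TH` date "30 April 2015" disagrees with `PROGRAM_releasedate="27 May 2015"` set in the `lynis` hunk above, and the "1.18" field is a separate manual-page version that does not match `PROGRAM_version` "2.1.1"; use the program's release date and version here so `man lynis` reflects the script it documents.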
@ -16,13 +16,13 @@ Lynis \fP\- Run an system and security audit on the system
.fi
.SH "DESCRIPTION"
\fBLynis\fP is an auditing tool for Unix (specialists). It checks the system
and software configuration and logs all the found information into a log file
for debugging purposes, and in a report file suitable to create fancy looking
auditing reports.
\fBLynis\fP can be run as a cronjob, or from the command line. It needs to have
full access to the system, so running it as root (or with sudo rights) is
required.
\fBLynis\fP is a security auditing tool for Linux and Unix systems. It checks
the system and software configurations, to determine any improvements.
All details are logged in a log file. Findings and other data is stored in a
report file, which can be used to create auditing reports.
\fBLynis\fP can be run as a cronjob, or from the command line. Lynis prefers
root permissions (or sudo), so it can access all parts of the system, however it
not required (see pentest mode).
.PP
The following system areas may be checked:
.IP
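Review bot: the rewritten DESCRIPTION has two grammar slips in its added lines: "Findings and other data is stored" should be "are stored", and "however it not required (see pentest mode)" is missing "is". "to determine any improvements" would read better as "to identify possible improvements".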
@ -30,7 +30,7 @@ The following system areas may be checked:
.IP
\- Configuration files
.IP
\- Common files by software packages
\- Files part of software packages
.IP
\- Directories and files related to logging and auditing
.SH "OPTIONS"
@ -39,7 +39,6 @@ The following system areas may be checked:
.B \-\-auditor <full name>
Define the name of the auditor/pen-tester. When a full name is used, add double
quotes, like "Your Name".
.TP
.B \-\-checkall (or \-c)
\fBLynis\fP performs a full check of the system, printing out the results of
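Review bot: the deleted `.TP` sat directly before `.B \-\-checkall (or \-c)`, so that option loses its tagged-paragraph formatting and renders as bold text continuing the `--auditor` entry; the removal looks accidental and the `.TP` should be restored.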
@ -48,9 +47,6 @@ each test to stdout. Additional information will be saved into a log file
.IP
In case the outcome of a scan needs to be automated, use the report file.
.TP
.B \-\-check\-update (or \-\-info)
Show program, database and update information.
.TP
.B \-\-cronjob
Perform automatic scan with cron safe options (no colors, no questions, no
breaks).
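Review bot: the `\-\-check\-update (or \-\-info)` entry disappears without a pointer to its replacement; since the HELPERS section added below documents `update`, a one-line cross-reference (use `lynis update info`) here or in HELPERS keeps users of the old flag from being stranded.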
@ -115,14 +111,33 @@ with others. When running Lynis without any parameters, help will be shown and
the program will exit.
.RE
.PP
.SH "HELPERS"
Lynis has special helpers to do certain tasks. This way the framework of Lynis is
used, while at the same time storing most of the functionality in a separated
file. This speeds up execution and keeps the code clean.
.TP
.B audit
Run audit on the system or on other targets
.TP
.B update
Run updater utility
.TP
To use a helper, run Lynis followed by the helper name
.RE
.PP
.SH "BUGS"
Discovered a bug? Please report them via e-mail (lynis-dev@cisofy.com) or via GitHub: https://github.com/CISOfy/Lynis
Discovered a bug? Please report them via GitHub: https://github.com/CISOfy/lynis
.RE
.PP
.SH "Documentation"
Supporting documentation can be found via https://cisofy.com/documentation/lynis/
.RE
.PP
.SH "LICENSING"
Lynis is licensed with the GPL v3 license and under development by CISOfy and Michael Boelen. Plugins have their own license.
Lynis is licensed as GPL v3, written by Michael Boelen and supported by CISOfy. Plugins may have their own license.
.RE
.PP
.SH "CONTACT INFORMATION"
Support and project related questions are addressed via https://cisofy.com/support/.
Support requests and project related questions can be addressed via e-mail: lynis-dev@cisofy.com.
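Review bot: in the new HELPERS section the line `To use a helper, run Lynis followed by the helper name` follows a `.TP`, which makes troff treat that sentence as a paragraph tag with no body; introduce it with `.PP` instead. Minor wording: "in a separated file" should be "in a separate file", "Please report them" refers to a single bug and should be "report it", and the new `.SH "Documentation"` heading is the only mixed-case section name in the file while the others are uppercase.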