mirror of https://github.com/CISOfy/lynis.git
Adjustments to allow non-privileged scan and reduce errors on screen
parent
691019f9ae
commit
56cc2df2c2
|
@ -26,12 +26,15 @@
|
|||
|
||||
Changes:
|
||||
- Improved vulnerable packages test on Debian based systems (apt-check) [PKGS-7392]
|
||||
- CheckUpdates function will have better output when no connection is available
|
||||
- Improved chown command when file permissions are incorrect
|
||||
- Changed output of update test, show when status is unknown
|
||||
- Remove warning for old files in /tmp [FILE-6354]
|
||||
- Test for actual files in /etc/modprobe.d before grepping in it
|
||||
- Don't show warnings for 'swap' in 4th column fstab file [FILE-6336]
|
||||
- Changes to parameters and functions, to allow penetration tests with Lynis
|
||||
- Extended SafePerms function to also check for UID
|
||||
- Several tests will have root-only bit set
|
||||
- Several tests will have root-only bit set now
|
||||
- Improved netstat tests on Arch Linux
|
||||
|
||||
--
|
||||
|
|
|
@ -254,24 +254,70 @@
|
|||
|
||||
FileIsReadable()
|
||||
{
|
||||
CHECKFILE=$1
|
||||
sFILE=$1
|
||||
CANREAD=0
|
||||
if [ -d ${CHECKFILE} ]; then
|
||||
OTHERPERMS=`ls -d -l ${CHECKFILE} | cut -c 8`
|
||||
elif [ -f ${CHECKFILE} ]; then
|
||||
OTHERPERMS=`ls -d -l ${CHECKFILE} | cut -c 8`
|
||||
logtext "Test: testing if we can access ${sFILE}"
|
||||
|
||||
# Check for symlink
|
||||
if [ -L ${sFILE} ]; then
|
||||
if [ ! "${READLINKBINARY}" = "" ]; then
|
||||
tFILE=`${READLINKBINARY} ${sFILE}`
|
||||
# Check if we can find the file now
|
||||
if [ -f ${tFILE} ]; then
|
||||
sFILE="${tFILE}"
|
||||
logtext "Result: symlink found, pointing to file ${sFILE}"
|
||||
elif [ -d ${tFILE} ]; then
|
||||
sFILE="${tFILE}"
|
||||
logtext "Result: symlink found, pointing to directory ${sFILE}"
|
||||
else
|
||||
# Check the full path of the symlink, strip the filename, copy the path and linked filename together
|
||||
tDIR=`echo ${sFILE} | awk '{match($1, "^.*/"); print substr($1, 1, RLENGTH-1)}'`
|
||||
tFILE="${tDIR}/${tFILE}"
|
||||
if [ -f ${tFILE} ]; then
|
||||
sFILE="${tFILE}"
|
||||
logtext "Result: symlink found, seems to be file ${sFILE}"
|
||||
elif [ -d ${tFILE} ]; then
|
||||
sFILE="${tFILE}"
|
||||
logtext "Result: symlink found, seems to be directory ${sFILE}"
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
# Only check the file if it isn't a symlink (after previous check)
|
||||
if [ -L ${sFILE} ]; then
|
||||
OTHERPERMS="-"
|
||||
logtext "Result: unclear if we can read this file, as this is a symlink"
|
||||
ReportException "FileIsReadable" "Can not determine symlink ${sFILE}"
|
||||
elif [ -d ${sFILE} ]; then
|
||||
OTHERPERMS=`ls -d -l ${sFILE} | cut -c 8`
|
||||
elif [ -f ${sFILE} ]; then
|
||||
OTHERPERMS=`ls -d -l ${sFILE} | cut -c 8`
|
||||
else
|
||||
OTHERPERMS="-"
|
||||
fi
|
||||
|
||||
# Also check if we are the actual owner of the file
|
||||
FILEOWNER=`ls -n ${sFILE} | awk -F" " '{ print $3 }'`
|
||||
if [ "${FILEOWNER}" = "${MYID}" ]; then
|
||||
logtext "Result: file is owned by our current user ID (${MYID}), checking if it is readable"
|
||||
if [ -d ${sFILE} ]; then
|
||||
OTHERPERMS=`ls -d -l ${sFILE} | cut -c 2`
|
||||
elif [ -f ${sFILE} ]; then
|
||||
OTHERPERMS=`ls -d -l ${sFILE} | cut -c 2`
|
||||
fi
|
||||
fi
|
||||
|
||||
# YYY check group ownership (just in case)
|
||||
|
||||
# Check if we have the read bit
|
||||
if [ "${OTHERPERMS}" = "r" ]; then
|
||||
CANREAD=1
|
||||
logtext "Result: file ${sFILE} is readable (or directory accessible)."
|
||||
else
|
||||
logtext "Result: file ${sFILE} is NOT readable (or directory accessible), symlink, or does not exist."
|
||||
fi
|
||||
}
|
||||
|
||||
|
||||
|
||||
|
||||
# Get Host ID
|
||||
GetHostID()
|
||||
{
|
||||
|
|
|
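Review bot: The owner lookup `ls -n ${sFILE} | awk -F" " '{ print $3 }'` lacks the `-d` that the other `ls -d -l` calls in FileIsReadable use, so when sFILE is a directory it lists the directory's entries and FILEOWNER becomes a multi-line value that never equals MYID; the owner bit read with `cut -c 2` is therefore never consulted for directories, and a directory the current user owns but that is not world-accessible is reported as unreadable. Use `ls -d -n ${sFILE}` there. More broadly, reading permission characters out of `ls` output only sees the owner or 'other' bit (the `# YYY` comment already notes the group bit is skipped) and ignores ACLs and the root case, whereas `if [ -r ${sFILE} ]; then CANREAD=1; fi` asks the kernel via access(2) and covers all of those, so the OTHERPERMS/FILEOWNER parsing could be replaced by it while keeping the symlink resolution and logtext calls. Every `${sFILE}`/`${tFILE}` expansion in the tests and `ls` calls is unquoted, so a path containing whitespace breaks the function. GetHostID starts at the end of this hunk and continues outside it.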
@ -136,7 +136,7 @@
|
|||
# Test : ACCT-9630
|
||||
# Description : Check auditd rules
|
||||
if [ ! "${AUDITDBINARY}" = "" -a ! "${AUDITCTLBINARY}" = "" -a ${AUDITD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
Register --test-no ACCT-9630 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --description "Check for auditd rules"
|
||||
Register --test-no ACCT-9630 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --root-only YES --description "Check for auditd rules"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
logtext "Test: Checking auditd rules"
|
||||
FIND=`${AUDITCTLBINARY} -l | grep -v "No rules"`
|
||||
|
|
|
@ -114,7 +114,7 @@
|
|||
# Test : AUTH-9216
|
||||
# Description : Check /etc/group and shadow group files
|
||||
if [ ! "${GRPCKBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
Register --test-no AUTH-9216 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check group and shadow group files"
|
||||
Register --test-no AUTH-9216 --preqs-met ${PREQS_MET} --weight L --network NO --root-only YES --description "Check group and shadow group files"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
# Test : run grpck to test group files (most likely /etc/group and shadow group files)
|
||||
# Expected result : 0 (exit code)
|
||||
|
@ -131,7 +131,7 @@
|
|||
|
||||
# Overrule for SuSE
|
||||
if [ "${LINUX_VERSION}" = "SuSE" ]; then
|
||||
FIND=`${GRPCKBINARY} -q -r > /dev/null ; echo $?`
|
||||
FIND=`${GRPCKBINARY} -q -r > /dev/null ; echo $?`
|
||||
fi
|
||||
|
||||
# Check exit-code
|
||||
|
|
|
@ -34,7 +34,7 @@
|
|||
if [ -d ${I} ]; then
|
||||
logtext "Result: found directory ${I}"
|
||||
# Search for CRT files
|
||||
sFINDCRTS=`find ${I} -name "*.crt" -type f -print`
|
||||
sFINDCRTS=`find ${I} -name "*.crt" -type f -print 2> /dev/null`
|
||||
for J in ${sFINDCRTS}; do
|
||||
logtext "Test: checking certificate ${J}"
|
||||
# Check certificate where 'end date' has been expired
|
||||
|
|
|
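Review bot: Discarding find's stderr in `sFINDCRTS=...find ${I} -name "*.crt" -type f -print 2> /dev/null...` hides 'Permission denied' on subdirectories, so a non-privileged scan silently reports fewer certificates than exist with nothing in the log indicating that coverage was partial. Since the assignment is a plain command substitution, `$?` right after it carries find's status, so a follow-up `if [ $? -ne 0 ]; then logtext "Result: find returned errors, certificate search may be incomplete"; fi` keeps the screen quiet while leaving a trace in the log. The same silent-discard pattern is added in the hunks at `find /tmp -type f -atime +${TMP_OLD_DAYS} 2> /dev/null`, `${NETSTATBINARY} -nlp 2> /dev/null` and `/usr/bin/apt-get -q=2 check 2> /dev/null`; where the command feeds a pipeline (`| sed`, `| grep`) the status seen is the last stage's, so a logtext noting that the result may be incomplete when not running as root is the practical alternative there. The `for` loop enclosing `if [ -d ${I} ]` starts outside the hunk.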
@ -244,7 +244,7 @@
|
|||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
logtext "Test: Searching for old files in /tmp..."
|
||||
# Search for files only in /tmp, with an access time older than X days
|
||||
FIND=`find /tmp -type f -atime +${TMP_OLD_DAYS} | sed 's/ /!space!/g'`
|
||||
FIND=`find /tmp -type f -atime +${TMP_OLD_DAYS} 2> /dev/null | sed 's/ /!space!/g'`
|
||||
if [ "${FIND}" = "" ]; then
|
||||
Display --indent 2 --text "- Checking for old files in /tmp..." --result OK --color GREEN
|
||||
logtext "Result: no files found in /tmp which are older than 3 months"
|
||||
|
@ -261,8 +261,7 @@
|
|||
logtext "private information and should be deleted it not being used actively. Use a tool like lsof to"
|
||||
logtext "see which programs possibly are using a particular file. Some systems can cleanup temporary"
|
||||
logtext "directories by setting a boot option."
|
||||
ReportWarning ${TEST_NO} "L" "Found ${N} files in /tmp which are older than ${TMP_OLD_DAYS} days"
|
||||
ReportSuggestion ${TEST_NO} "Clean up unused files in /tmp"
|
||||
ReportSuggestion ${TEST_NO} "L" "Check ${N} files in /tmp which are older than ${TMP_OLD_DAYS} days"
|
||||
fi
|
||||
fi
|
||||
#
|
||||
|
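Review bot: `ReportSuggestion ${TEST_NO} "L" "Check ${N} files in /tmp which are older than ${TMP_OLD_DAYS} days"` passes three arguments, apparently carrying the "L" severity over from the ReportWarning call it replaces, while every other ReportSuggestion call in this commit (for example `ReportSuggestion ${TEST_NO} "Disable AppArmor or load a policy"`) passes the text as the second argument. Unless ReportSuggestion was also changed to accept a severity, which is not visible here, the recorded suggestion text will be the string "L" and the actual message is dropped. Suggested: `ReportSuggestion ${TEST_NO} "Check ${N} files in /tmp which are older than ${TMP_OLD_DAYS} days"`. The enclosing test block starts outside the hunk.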
@ -335,7 +334,7 @@
|
|||
#
|
||||
# Test : FILE-6368
|
||||
# Description : Checking Linux root file system ACL support
|
||||
Register --test-no FILE-6368 --os Linux --weight L --network NO --description "Checking ACL support on root file system"
|
||||
Register --test-no FILE-6368 --os Linux --weight L --network NO --root-only YES --description "Checking ACL support on root file system"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
FOUND=0
|
||||
logtext "Test: Checking acl option on root file system"
|
||||
|
|
|
@ -28,15 +28,15 @@
|
|||
# Description : Check if AppArmor is installed
|
||||
Register --test-no MACF-6204 --weight L --network NO --description "Check AppArmor presence"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
if [ "${AASTATUSBINARY}" = "" ]; then
|
||||
APPARMORFOUND=0
|
||||
logtext "Result: aa-status binary not found, AppArmor not installed"
|
||||
Display --indent 2 --text "- Checking presence AppArmor" --result "NOT FOUND" --color WHITE
|
||||
else
|
||||
APPARMORFOUND=1
|
||||
logtext "Result: aa-status binary found, AppArmor is installed"
|
||||
Display --indent 2 --text "- Checking presence AppArmor" --result FOUND --color GREEN
|
||||
fi
|
||||
if [ "${AASTATUSBINARY}" = "" ]; then
|
||||
APPARMORFOUND=0
|
||||
logtext "Result: aa-status binary not found, AppArmor not installed"
|
||||
Display --indent 2 --text "- Checking presence AppArmor" --result "NOT FOUND" --color WHITE
|
||||
else
|
||||
APPARMORFOUND=1
|
||||
logtext "Result: aa-status binary found, AppArmor is installed"
|
||||
Display --indent 2 --text "- Checking presence AppArmor" --result FOUND --color GREEN
|
||||
fi
|
||||
fi
|
||||
#
|
||||
#################################################################################
|
||||
|
@ -48,20 +48,32 @@
|
|||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
if [ ! "${AASTATUSBINARY}" = "" ]; then
|
||||
# Checking AppArmor status
|
||||
FIND=`${AASTATUSBINARY} > /dev/null; echo $?`
|
||||
#0 if apparmor is enabled and policy is loaded.
|
||||
#1 if apparmor is not enabled/loaded.
|
||||
#2 if apparmor is enabled but no policy is loaded.
|
||||
#3 if control files are not available
|
||||
#4 if apparmor status can't be read
|
||||
FIND=`${AASTATUSBINARY} > /dev/null; echo $?`
|
||||
if [ ${FIND} -eq 0 ]; then
|
||||
MAC_FRAMEWORK_ACTIVE=1
|
||||
logtext "Result: AppArmor is enabled and a policy is loaded"
|
||||
Display --indent 4 --text "- Checking AppArmor status" --result "ENABLED" --color GREEN
|
||||
Display --indent 4 --text "- Checking AppArmor status" --result "ENABLED" --color GREEN
|
||||
elif [ ${FIND} -eq 4 ]; then
|
||||
logtext "Result: Can not determine status, most likely due to lacking permissions"
|
||||
Display --indent 4 --text "- Checking AppArmor status" --result "UNKNOWN" --color RED
|
||||
elif [ ${FIND} -eq 3 ]; then
|
||||
logtext "Result: Can not check control files"
|
||||
Display --indent 4 --text "- Checking AppArmor status" --result "UNKNOWN" --color RED
|
||||
elif [ ${FIND} -eq 2 ]; then
|
||||
logtext "Result: AppArmor is enabled, but no policy is loaded"
|
||||
ReportSuggestion ${TEST_NO} "Disable AppArmor or load a policy"
|
||||
Display --indent 4 --text "- Checking AppArmor status" --result "NON-ACTIVE" --color GREEN
|
||||
Display --indent 4 --text "- Checking AppArmor status" --result "NON-ACTIVE" --color GREEN
|
||||
elif [ ${FIND} -eq 1 ]; then
|
||||
Display --indent 4 --text "- Checking AppArmor status" --result "DISABLED" --color YELLOW
|
||||
logtext "Result: AppArmor is disabled"
|
||||
Display --indent 4 --text "- Checking AppArmor status" --result "DISABLED" --color YELLOW
|
||||
else
|
||||
Display --indent 4 --text "- Checking AppArmor status" --result "UNKNOWN" --color RED
|
||||
ReportException "${TEST_NO}:1" "Invalid or unknown AppArmor status detected"
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
|
|
|
@ -256,9 +256,9 @@
|
|||
Linux)
|
||||
if [ ! "${NETSTATBINARY}" = "" ]; then
|
||||
# UDP
|
||||
FIND=`${NETSTATBINARY} -nlp | grep "^udp" | awk '{ print $4"|"$1"|"$6"|" }' | sed 's:|[0-9]*/:|:'`
|
||||
FIND=`${NETSTATBINARY} -nlp 2> /dev/null | grep "^udp" | awk '{ print $4"|"$1"|"$6"|" }' | sed 's:|[0-9]*/:|:'`
|
||||
# TCP
|
||||
FIND2=`${NETSTATBINARY} -nlp | grep "^tcp" | awk '{ if($6=="LISTEN") { print $4"|"$1"|"$7"|" }}' | sed 's:|[0-9]*/:|:'`
|
||||
FIND2=`${NETSTATBINARY} -nlp 2> /dev/null | grep "^tcp" | awk '{ if($6=="LISTEN") { print $4"|"$1"|"$7"|" }}' | sed 's:|[0-9]*/:|:'`
|
||||
else
|
||||
ReportException "${TEST_NO}:1" "netstat binary is missing"
|
||||
fi
|
||||
|
|
|
@ -647,7 +647,7 @@
|
|||
Register --test-no PKGS-7390 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --description "Check Ubuntu database consistency"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
logtext "Test: Package database consistency by running apt-get check"
|
||||
FIND=`/usr/bin/apt-get -q=2 check; echo $?`
|
||||
FIND=`/usr/bin/apt-get -q=2 check 2> /dev/null; echo $?`
|
||||
if [ "${FIND}" = "0" ]; then
|
||||
Display --indent 2 --text "- Checking APT package database..." --result OK --color GREEN
|
||||
logtext "Result: package database seems to be consistent."
|
||||
|
|
|
@ -139,20 +139,26 @@
|
|||
for I in `cat ${TMPFILE}`; do
|
||||
logtext "Apache config file: ${I}"
|
||||
|
||||
# Search Virtual Hosts
|
||||
for J in `cat ${I} | grep "ServerName" | grep -v "^#" | awk '{ if ($1=="ServerName") print $2 }'`; do
|
||||
if [ ! -z ${J} ]; then
|
||||
tVHOSTS="${tVHOSTS} ${J}"
|
||||
cVHOSTS=`expr ${cVHOSTS} + 1`
|
||||
fi
|
||||
done
|
||||
# Search Server aliases
|
||||
for J in `cat ${I} | grep "ServerAlias" | grep -v "^#" | sed "s/.* ServerAlias//g" | sed "s/#.*//g"`; do
|
||||
if [ ! -z ${J} ]; then
|
||||
tVHOSTS="${tVHOSTS} ${J}"
|
||||
cVHOSTS=`expr ${cVHOSTS} + 1`
|
||||
fi
|
||||
done
|
||||
FileIsReadable ${I}
|
||||
if [ ${CANREAD} -eq 1 ]; then
|
||||
# Search Virtual Hosts
|
||||
for J in `cat ${I} | grep "ServerName" | grep -v "^#" | awk '{ if ($1=="ServerName") print $2 }'`; do
|
||||
if [ ! -z ${J} ]; then
|
||||
tVHOSTS="${tVHOSTS} ${J}"
|
||||
cVHOSTS=`expr ${cVHOSTS} + 1`
|
||||
fi
|
||||
done
|
||||
# Search Server aliases
|
||||
for J in `cat ${I} | grep "ServerAlias" | grep -v "^#" | sed "s/.* ServerAlias//g" | sed "s/#.*//g"`; do
|
||||
if [ ! -z ${J} ]; then
|
||||
tVHOSTS="${tVHOSTS} ${J}"
|
||||
cVHOSTS=`expr ${cVHOSTS} + 1`
|
||||
fi
|
||||
done
|
||||
else
|
||||
logtext "Result: can not read configuration file with this user ID"
|
||||
ReportException "${TEST_NO}:1" "Can not read configuration file $I"
|
||||
fi
|
||||
done
|
||||
|
||||
# Log all virtual hosts we found
|
||||
|
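Review bot: The new exception message `ReportException "${TEST_NO}:1" "Can not read configuration file $I"` uses bare `$I` while every other expansion in this loop is written `${I}`; for consistency use `"Can not read configuration file ${I}"`. The two loops moved under `if [ ${CANREAD} -eq 1 ]` are identical apart from the pipeline that extracts the value, so the shared `tVHOSTS="${tVHOSTS} ${J}"` append and `cVHOSTS` increment could live in one small helper, and `cat ${I} | grep "ServerName"` reads more simply as `grep "ServerName" ${I}`. The `for I in` loop is complete within the hunk, but the surrounding test block continues outside it.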
@ -425,7 +431,12 @@
|
|||
N=`expr ${N} + 1`
|
||||
logtext "Result: found Nginx configuration file ${J}"
|
||||
report "nginx_sub_conf_file=${J}"
|
||||
FIND3=`cat ${J} | sed -e 's/^[ \t]*//' | grep -v "^#" | grep -v "^$" | sed 's/[\t]/ /g' | sed 's/ / /g' | sed 's/ / /g' >> ${TMPFILE2}`
|
||||
FileIsReadable ${J}
|
||||
if [ ${CANREAD} -eq 1 ]; then
|
||||
FIND3=`cat ${J} | sed -e 's/^[ \t]*//' | grep -v "^#" | grep -v "^$" | sed 's/[\t]/ /g' | sed 's/ / /g' | sed 's/ / /g' >> ${TMPFILE2}`
|
||||
else
|
||||
ReportException "${TEST_NO}:1" "Can not parse file ${J}, as it is not readable"
|
||||
fi
|
||||
fi
|
||||
done
|
||||
done
|
||||
|
|
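Review bot: The moved line `FIND3=...cat ${J} | sed -e 's/^[ \t]*//' | grep -v "^#" | grep -v "^$" | sed 's/[\t]/ /g' | sed 's/ / /g' | sed 's/ / /g' >> ${TMPFILE2}...` assigns the output of a pipeline whose stdout is redirected into ${TMPFILE2}, so FIND3 is always empty and nothing in this hunk reads it; drop the `FIND3=` and the backticks and run the pipeline as a plain statement. As rendered, the two trailing `sed 's/ / /g'` stages replace a space with a space and do nothing; if the source pattern holds two spaces that the page collapsed, a single `sed 's/  */ /g'` (two spaces before the `*`) squeezes runs of spaces in one pass. The exception wording `Can not parse file ${J}, as it is not readable` differs from the Apache hunk's `Can not read configuration file`, so the same condition is logged two ways; aligning them makes log searches easier. The enclosing loops and the `if` that the trailing `fi` closes start outside the hunk.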