Merge branch 'master' into docu

This commit is contained in:
Michael Boelen 2019-07-15 18:55:10 +02:00 committed by GitHub
commit 7728213ac4
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
14 changed files with 345 additions and 184 deletions


@ -23,13 +23,16 @@ measures to further tighten any possible misuse.
- Security: test if setuid bit is set on Lynis binary - Security: test if setuid bit is set on Lynis binary
- New function: DisplayWarning - show a warning on the screen - New function: DisplayWarning - show a warning on the screen
- New function: Equals - compare two strings - New function: Equals - compare two strings
- New function: GetReportData - retrieve earlier stored data
- New function: Readonly - mark variable read-only (security) - New function: Readonly - mark variable read-only (security)
- New function: SafeFile - test file type and call permission check - New function: SafeFile - test file type and call permission check
- New function: SafeInput - check for safe input (security) - New function: SafeInput - check for safe input (security)
- New profile option: disable-plugin - disables a single plugin - New profile option: disable-plugin - disables a single plugin
- New profile option: ssl-certificate-paths-to-ignore - ignore a path - New profile option: ssl-certificate-paths-to-ignore - ignore a path
- New test: CRYP-7930 - disk or file system encryption testing - New test: CRYP-7930 - disk or file system encryption testing
- New test: PROC-3802 - Check presence of prelink tooling - New test: INSE-8314 - test for NIS client
- New test: INSE-8316 - test for NIS server
- New test: PROC-3802 - check presence of prelink tooling
- New report key: openssh_daemon_running - New report key: openssh_daemon_running
- New command: lynis generate systemd-units - New command: lynis generate systemd-units
- Measure timing of tests and report slow tests (10+ seconds) - Measure timing of tests and report slow tests (10+ seconds)
@ -41,13 +44,18 @@ measures to further tighten any possible misuse.
- Security: the 'nounset' (set -u) parameter is now activated by default - Security: the 'nounset' (set -u) parameter is now activated by default
- Use only locations from PATH environment variable, unless it is not defined - Use only locations from PATH environment variable, unless it is not defined
- Show 'lynis generate hostids' when they are missing - Show 'lynis generate hostids' when they are missing
- INSE-8116 - added rsync service
- INSE-8342 - renamed to INSE-8304
- KRNL-5820 - extended check to include limits.d directory
- NAME-4408 - corrected Report function call - NAME-4408 - corrected Report function call
- NETW-3032 - small rewrite of test and extended with addrwatch - NETW-3032 - small rewrite of test and extended with addrwatch
- PROC-3602 - allow different root directory - PROC-3602 - allow different root directory
- PROC-3612 - show 'Not found' instead of 'OK' - PROC-3612 - show 'Not found' instead of 'OK'
- PROC-3614 - show 'Not found' instead of 'OK' - PROC-3614 - show 'Not found' instead of 'OK'
- SCHD-7702 - removed hardening points
- SSH-7402 - detect other SSH daemons like dropbear - SSH-7402 - detect other SSH daemons like dropbear
- SSH-7406 - strip OpenSSH patch version and remove characters (carriage return) - SSH-7406 - strip OpenSSH patch version and remove characters (carriage return)
- SSH-7408 - changed text in suggestion and report
- Show changelog works again for newer versions - Show changelog works again for newer versions
- systemd service file adjusted - systemd service file adjusted
- bash completion script extended - bash completion script extended


@ -181,6 +181,10 @@ INSE-8116:test:security:insecure_services::Insecure services enabled via xinetd:
INSE-8200:test:security:insecure_services::Usage of TCP wrappers: INSE-8200:test:security:insecure_services::Usage of TCP wrappers:
INSE-8300:test:security:insecure_services::Presence of rsh client: INSE-8300:test:security:insecure_services::Presence of rsh client:
INSE-8302:test:security:insecure_services::Presence of rsh server: INSE-8302:test:security:insecure_services::Presence of rsh server:
INSE-8310:test:security:insecure_services::Presence of telnet client:
INSE-8312:test:security:insecure_services::Presence of telnet server:
INSE-8314:test:security:insecure_services::Presence of NIS client:
INSE-8316:test:security:insecure_services::Presence of NIS server:
KRNL-5622:test:security:kernel:Linux:Determine Linux default run level: KRNL-5622:test:security:kernel:Linux:Determine Linux default run level:
KRNL-5677:test:security:kernel:Linux:Check CPU options and support: KRNL-5677:test:security:kernel:Linux:Check CPU options and support:
KRNL-5695:test:security:kernel:Linux:Determine Linux kernel version and release number: KRNL-5695:test:security:kernel:Linux:Determine Linux kernel version and release number:


@ -304,12 +304,11 @@
[ "${WCBINARY:-}" ] || ExitFatal "wc binary not found" [ "${WCBINARY:-}" ] || ExitFatal "wc binary not found"
# Test a few other tools that we did not specifically define (yet) # Test a few other tools that we did not specifically define (yet)
TOOLS="xxd" #TOOLS="xxd"
for T in ${TOOLS}; do #for T in ${TOOLS}; do
DATA=$(type ${T}) # DATA=$(type ${T})
if [ $? -gt 0 ]; then ExitFatal "${T} binary not found"; fi # if [ $? -gt 0 ]; then ExitFatal "${T} binary not found"; fi
done #done
else else
LogText "Result: checking of binaries skipped in this mode" LogText "Result: checking of binaries skipped in this mode"


@ -327,7 +327,6 @@ unset LANG
HPTOTAL=0 # Maximum number of hardening points HPTOTAL=0 # Maximum number of hardening points
LOG_INCORRECT_OS=1 # Log tests with incorrect OS LOG_INCORRECT_OS=1 # Log tests with incorrect OS
NEVERBREAK=0 # Don't wait for user input NEVERBREAK=0 # Don't wait for user input
PENTESTINGMODE=0 # Try tests without root privileges
QUICKMODE=1 # Don't wait for user input QUICKMODE=1 # Don't wait for user input
QUIET=0 # Show normal messages and warnings as well QUIET=0 # Show normal messages and warnings as well
SKIPLOGTEST=0 # Skip logging for one test SKIPLOGTEST=0 # Skip logging for one test
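Review bot: Dropping the `PENTESTINGMODE=0` default from this initialisation block is risky now that `set -u` (nounset) is on by default, as the changelog in this same commit states: any later `${PENTESTINGMODE}` reference without a fallback aborts the run with an unbound-variable error instead of behaving as "not in pentesting mode". Unless the variable is now initialised somewhere not visible on this page, keep the line, or make every consumer read `${PENTESTINGMODE:-0}`. The surrounding variable block continues outside this hunk.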


@ -52,6 +52,7 @@
# FileIsEmpty Check if a file is empty # FileIsEmpty Check if a file is empty
# FileIsReadable Check if a file is readable or directory accessible # FileIsReadable Check if a file is readable or directory accessible
# GetHostID Retrieve an unique ID for this host # GetHostID Retrieve an unique ID for this host
# GetReportData Request data from report
# HasData Checks for data in variable # HasData Checks for data in variable
# InsertSection Insert a section block # InsertSection Insert a section block
# InsertPluginSection Insert a section block for plugins # InsertPluginSection Insert a section block for plugins
@ -1176,6 +1177,47 @@
fi fi
} }
################################################################################
# Name : GetReportData()
# Description : Request data from report
# Returns : Data (when matches were found)
# Exit code: True (0) or False (1) when search was cancelled
################################################################################
GetReportData() {
KEY=""
VALID_CHARS="[:alnum:]/:;\-,\._\[\]\n "
if [ $# -eq 0 ]; then ExitFatal "No parameters provided to GetReportData() function"; fi
while [ $# -ge 1 ]; do
case $1 in
--key)
shift
KEY="$1"
;;
--valid-chars)
shift
VALID_CHARS="$1"
;;
*)
ExitFatal "Invalid option provided to GetReportData() function"
;;
esac
# Go to next parameter
shift
done
if [ "${REPORTFILE}" = "/dev/null" ]; then
return 1
else
${AWKBINARY} -v pattern="^${KEY}" -F= '$1 ~ pattern {print $2}' ${REPORTFILE} | ${TRBINARY} -cd "${VALID_CHARS}" | ${TRBINARY} '[:blank:]' '__space__'
fi
return 0
}
################################################################################ ################################################################################
# Name : HasData() # Name : HasData()
# Description : Check for a filled variable # Description : Check for a filled variable
@ -2742,9 +2784,8 @@
fi fi
# Check file permissions # Check file permissions
if [ ! -f "$1" ]; then if [ ! -f "$1" ]; then
LogText "Fatal error: file $1 does not exist. Quitting." LogText "Fatal error: file $1 does not exist."
echo "Fatal error: file $1 does not exist" ExitFatal "Fatal error: file $1 does not exist"
ExitFatal
else else
PERMS=$(ls -l $1) PERMS=$(ls -l $1)
@ -2771,21 +2812,22 @@
# Owner permissions # Owner permissions
OWNER_PERMS=$(echo ${PERMS} | cut -c2-4) OWNER_PERMS=$(echo ${PERMS} | cut -c2-4)
if [ ! "${OWNER_PERMS}" = "rw-" -a ! "${OWNER_PERMS}" = "r--" ]; then if [ ! "${OWNER_PERMS}" = "rw-" -a ! "${OWNER_PERMS}" = "r--" ]; then
echo "Fatal error: permissions of file $1 are not strict enough. Access to 'owner' should be read-write, or read. Change with: chmod 600 $1" echo "Fatal error: permissions of file $1 are not strict enough. Access to 'owner' should be read-write, or read. Change with: chmod u=rw $1"
ExitFatal ExitFatal
fi fi
# Owner permissions # Group permissions
# TODO - harden this even more by setting default to read-only for group (like 'other')
GROUP_PERMS=$(echo ${PERMS} | cut -c5-7) GROUP_PERMS=$(echo ${PERMS} | cut -c5-7)
if [ ! "${GROUP_PERMS}" = "rw-" -a ! "${GROUP_PERMS}" = "r--" -a ! "${GROUP_PERMS}" = "---" ]; then if [ ! "${GROUP_PERMS}" = "rw-" -a ! "${GROUP_PERMS}" = "r--" -a ! "${GROUP_PERMS}" = "---" ]; then
echo "Fatal error: permissions of file $1 are not strict enough. Access to 'group' should be read-write, read, or none. Change with: chmod 600 $1" echo "Fatal error: permissions of file $1 are not strict enough. Access to 'group' should be read-write, read, or none. Change with: chmod g=r $1"
ExitFatal ExitFatal
fi fi
# Other permissions # Other permissions
OTHER_PERMS=$(echo ${PERMS} | cut -c8-10) OTHER_PERMS=$(echo ${PERMS} | cut -c8-10)
if [ ! "${OTHER_PERMS}" = "---" -a ! "${OTHER_PERMS}" = "r--" ]; then if [ ! "${OTHER_PERMS}" = "---" -a ! "${OTHER_PERMS}" = "r--" ]; then
echo "Fatal error: permissions of file $1 are not strict enough. Access to 'other' should be denied or read-only. Change with: chmod 600 $1" echo "Fatal error: permissions of file $1 are not strict enough. Access to 'other' should be denied or read-only. Change with: chmod o=r $1"
ExitFatal ExitFatal
fi fi
# Set PERMS_OK to 1 if no fatal errors occurred # Set PERMS_OK to 1 if no fatal errors occurred
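Review bot: In GetReportData() the key is handed to awk as a regular expression (`-v pattern="^${KEY}"`), so it matches by prefix (`--key foo` also returns `foo_bar=`) and any regex metacharacter in the key changes the match; report keys carrying the `[]` array suffix used elsewhere in this commit (`linux_kernel_io_scheduler[]=`) would form an unterminated bracket expression and make awk error out. Comparing the field as a string is safer: `${AWKBINARY} -v key="${KEY}" -F= '$1 == key {print $2}' "${REPORTFILE}" | ...`, and `${REPORTFILE}` should be quoted since it comes from the profile. Note also that `-F=` with `$2` truncates any value containing `=`; if such values exist, print `substr($0, index($0, "=") + 1)` instead. The permission-check hunk that follows lies inside a function whose start and end are outside this section.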


@ -43,8 +43,18 @@ if [ $# -gt 0 ]; then
fi fi
# Generate random host IDs # Generate random host IDs
case "${OS}" in
"AIX")
# hexdump does not exist on AIX
HOSTID=$(head -c20 < /dev/urandom | xxd -c 20 -p) HOSTID=$(head -c20 < /dev/urandom | xxd -c 20 -p)
HOSTID2=$(head -c32 < /dev/urandom | xxd -c 32 -p) HOSTID2=$(head -c32 < /dev/urandom | xxd -c 32 -p)
;;
*)
# xxd does not exist on FreeBSD
HOSTID=$(head -c20 < /dev/urandom | hexdump -ve '"%.2x"')
HOSTID2=$(head -c32 < /dev/urandom | hexdump -ve '"%.2x"')
;;
esac
${ECHOCMD} "Generated host identifiers" ${ECHOCMD} "Generated host identifiers"
${ECHOCMD} "- hostid: ${HOSTID}" ${ECHOCMD} "- hostid: ${HOSTID}"
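Review bot: Neither branch checks that `xxd` or `hexdump` actually exists, and this same commit comments out the `xxd` presence check in the binary test, so on a system missing the tool the pipeline fails quietly, `HOSTID`/`HOSTID2` end up empty, and "Generated host identifiers" is still printed. Guard the result before it is used: `[ -n "${HOSTID}" ] && [ -n "${HOSTID2}" ] || ExitFatal "Could not generate host identifiers (xxd/hexdump missing?)"` (assuming ExitFatal is in scope here as in the other helpers). `head -c` is also not POSIX; worth confirming the AIX `head` accepts it, or read the bytes with `dd bs=20 count=1 2>/dev/null` instead.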


@ -35,10 +35,8 @@
# Show deprecation message for old config entries # Show deprecation message for old config entries
FOUND=0 FOUND=0
#DATA=$(egrep "^config:" ${PROFILE} | od --address-radix=none -t a | sed 's/ /!space!/g') # Items such as 'config:' and 'apache:'
#if ! IsEmpty "${DATA}"; then FOUND=1; fi DATA=$(egrep "^[a-z-]{1,}:" ${PROFILE} | od -An -ta | sed 's/ /!space!/g') # od -An (no file offset), -ta (named character, to be on safe side)
# Items such as 'apache:'
DATA=$(egrep "^[a-z-]{1,}:" ${PROFILE} | od --address-radix=none -t a | sed 's/ /!space!/g')
if ! IsEmpty "${DATA}"; then FOUND=1; fi if ! IsEmpty "${DATA}"; then FOUND=1; fi
if [ ${FOUND} -eq 1 ]; then if [ ${FOUND} -eq 1 ]; then
@ -49,7 +47,7 @@
fi fi
# Security check for unexpected and possibly harmful escape characters # Security check for unexpected and possibly harmful escape characters
DATA=$(grep -v '^$\|^ \|^#\|^config:' ${PROFILE} | tr -d '[:alnum:]/\[\]\(\)\-_\|,\.:;= \n\r' | od --address-radix=none -t a | sed 's/ /!space!/g') DATA=$(grep -v '^$\|^ \|^#\|^config:' ${PROFILE} | tr -d '[:alnum:]/\[\]\(\)\-_\|,\.:;= \n\r' | od -An -ta | sed 's/ /!space!/g')
if ! IsEmpty "${DATA}"; then if ! IsEmpty "${DATA}"; then
DisplayWarning "Your profile '${PROFILE}' contains unexpected characters. See the log file for more information." DisplayWarning "Your profile '${PROFILE}' contains unexpected characters. See the log file for more information."
LogText "Found unexpected or possibly harmful characters in the profile. See output below." LogText "Found unexpected or possibly harmful characters in the profile. See output below."
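Review bot: The harmful-character scan on the `DATA=$(grep -v ...)` line excludes every line that begins with a space (`^ `), so a profile line such as ` $(cmd)` is never inspected; unless the profile parser also discards leading-whitespace lines (not visible here), that is a bypass of the very check this hunk hardens. Drop `^ ` from the exclusion or strip leading whitespace first: `DATA=$(grep -v '^$\|^#\|^config:' ${PROFILE} | sed 's/^[[:space:]]*//' | tr -d '[:alnum:]/\[\]\(\)\-_\|,\.:;= \n\r' | od -An -ta | sed 's/ /!space!/g')`. The `\|` alternation in a basic regex is a GNU extension — the same portability concern that motivated the `od -An -ta` change — so `grep -E` with a plain `|` would be more consistent.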


@ -22,8 +22,7 @@
# #
################################################################################# #################################################################################
# #
# Add additional data fields to the report file at the end of the scan
# Add data fields to report file
Report "dhcp_client_running=${DHCP_CLIENT_RUNNING}" Report "dhcp_client_running=${DHCP_CLIENT_RUNNING}"
Report "arpwatch_running=${ARPWATCH_RUNNING}" Report "arpwatch_running=${ARPWATCH_RUNNING}"
@ -37,10 +36,11 @@
Report "package_audit_tool=${PACKAGE_AUDIT_TOOL}" Report "package_audit_tool=${PACKAGE_AUDIT_TOOL}"
Report "package_audit_tool_found=${PACKAGE_AUDIT_TOOL_FOUND}" Report "package_audit_tool_found=${PACKAGE_AUDIT_TOOL_FOUND}"
Report "vulnerable_packages_found=${VULNERABLE_PACKAGES_FOUND}" Report "vulnerable_packages_found=${VULNERABLE_PACKAGES_FOUND}"
#
#################################################################################
#
# Hardening Index # Hardening Index
#
# Goal: # Goal:
# Provide a visual way to show how much the system is hardened # Provide a visual way to show how much the system is hardened
# #
@ -95,8 +95,9 @@
HPGRAPH="[${HPCOLOR}${HPBLOCKS}${NORMAL}${HPEMPTY}]" HPGRAPH="[${HPCOLOR}${HPBLOCKS}${NORMAL}${HPEMPTY}]"
LogText "Hardening index : [${HPINDEX}] [${HPBLOCKS}${HPEMPTY}]" LogText "Hardening index : [${HPINDEX}] [${HPBLOCKS}${HPEMPTY}]"
LogText "Hardening strength: ${HIDESCRIPTION}" LogText "Hardening strength: ${HIDESCRIPTION}"
#
#################################################################################
#
# Only show overview if not running in quiet mode # Only show overview if not running in quiet mode
if [ ${QUIET} -eq 0 ]; then if [ ${QUIET} -eq 0 ]; then
echo ""; echo "================================================================================" echo ""; echo "================================================================================"
@ -108,19 +109,14 @@
LogTextBreak LogTextBreak
#
#################################################################################
#
# Show test results overview # Show test results overview
#
################################################################################# if [ -z "${CONTROL_URL_PROTOCOL}" ]; then CONTROL_URL_PROTOCOL="https"; fi
# if [ -z "${CONTROL_URL_PREPEND}" ]; then CONTROL_URL_PREPEND="cisofy.com/lynis/controls/"; fi
if [ "${CONTROL_URL_PROTOCOL}" = "" ]; then CONTROL_URL_PROTOCOL="https"; fi if [ -z "${CONTROL_URL_APPEND}" ]; then CONTROL_URL_APPEND="/"; fi
if [ "${CONTROL_URL_PREPEND}" = "" ]; then CONTROL_URL_PREPEND="cisofy.com/lynis/controls/"; fi if [ -z "${CUSTOM_URL_PROTOCOL}" ]; then CUSTOM_URL_PROTOCOL="https"; fi
if [ "${CONTROL_URL_APPEND}" = "" ]; then CONTROL_URL_APPEND="/"; fi if [ -z "${CUSTOM_URL_PREPEND}" ]; then CUSTOM_URL_PREPEND="your-domain.example.org/controls/"; fi
if [ "${CUSTOM_URL_PROTOCOL}" = "" ]; then CUSTOM_URL_PROTOCOL="https"; fi if [ -z "${CUSTOM_URL_APPEND}" ]; then CUSTOM_URL_APPEND="/"; fi
if [ "${CUSTOM_URL_PREPEND}" = "" ]; then CUSTOM_URL_PREPEND="your-domain.example.org/controls/"; fi
if [ "${CUSTOM_URL_APPEND}" = "" ]; then CUSTOM_URL_APPEND="/"; fi
# Show warnings from logfile # Show warnings from logfile
SWARNINGS=$(${GREPBINARY} 'Warning: ' ${LOGFILE} | sed 's/ /!space!/g') SWARNINGS=$(${GREPBINARY} 'Warning: ' ${LOGFILE} | sed 's/ /!space!/g')
@ -249,7 +245,7 @@
if [ ! "${PROGRAM_LV}" = "0" -a ! "${REPORTFILE}" = "" -a ! "${REPORTFILE}" = "/dev/null" ]; then if [ ! "${PROGRAM_LV}" = "0" -a ! "${REPORTFILE}" = "" -a ! "${REPORTFILE}" = "/dev/null" ]; then
# Determine if the quality of the program can be increased by filtering out the exceptions # Determine if the quality of the program can be increased by filtering out the exceptions
FIND=$(${GREPBINARY} "^exception" ${REPORTFILE}) FIND=$(${GREPBINARY} "^exception" ${REPORTFILE})
if [ ! "${FIND}" = "" ]; then if [ -n "${FIND}" ]; then
echo "" echo ""
echo " ${RED}${NOTE_EXCEPTIONS_FOUND}${NORMAL}" echo " ${RED}${NOTE_EXCEPTIONS_FOUND}${NORMAL}"
echo " ${WHITE}${NOTE_EXCEPTIONS_FOUND_DETAILED}!${NORMAL}" echo " ${WHITE}${NOTE_EXCEPTIONS_FOUND_DETAILED}!${NORMAL}"
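Review bot: The new `[ -z "${CONTROL_URL_PROTOCOL}" ]` form (and its five siblings) still dereferences the variable without a default, so with `set -u` now active by default these lines abort with an unbound-variable error when the option is absent from the profile instead of applying the fallback. The default-assignment expansion is shorter and tolerant of an unset variable: `: "${CONTROL_URL_PROTOCOL:=https}"`. Whether these variables are always pre-initialised elsewhere is not visible from this section.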


@ -37,8 +37,8 @@
Register --test-no HOME-9302 --weight L --network NO --category security --description "Create list with home directories" Register --test-no HOME-9302 --weight L --network NO --category security --description "Create list with home directories"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
# Read sixth field of /etc/passwd # Read sixth field of /etc/passwd
LogText "Test: query /etc/passwd to obtain home directories" LogText "Test: query ${ROOTDIR}etc/passwd to obtain home directories"
FIND=$(${AWKBINARY} -F: '{ if ($1 !~ "#") print $6 }' /etc/passwd | ${SORTBINARY} -u) FIND=$(${AWKBINARY} -F: '{ if ($1 !~ "#") print $6 }' ${ROOTDIR}etc/passwd | ${SORTBINARY} -u)
for I in ${FIND}; do for I in ${FIND}; do
if [ -d ${I} ]; then if [ -d ${I} ]; then
LogText "Result: found home directory: ${I} (directory exists)" LogText "Result: found home directory: ${I} (directory exists)"
@ -50,6 +50,65 @@
fi fi
# #
################################################################################# #################################################################################
#
# Test : HOME-9304
# Description : Check if users' home directories permissions are 750 or more restrictive
Register --test-no HOME-9304 --weight L --network NO --category security --description "Check if users' home directories permissions are 750 or more restrictive"
if [ ${SKIPTEST} -eq 0 ]; then
# Check if users' home directories permissions are 750 or more restrictive
FOUND=0
for LINE in "$(${CAT_BINARY} ${ROOTDIR}etc/passwd | ${EGREPBINARY} -v '^(root|halt|sync|shutdown)' | ${AWKBINARY} -F: '($7 !="/sbin/nologin" && $7 != "/bin/false") { print }')"; do
USER=$(echo ${LINE} | ${CUTBINARY} -d: -f1)
DIR=$(echo ${LINE} | ${CUTBINARY} -d: -f6)
if [ -d ${DIR} ]; then
WRITE_GROUP_PERM=$(ls -ld ${DIR} | ${CUTBINARY} -f1 -d" " | ${CUTBINARY} -c6)
OTHER_PERMS=$(ls -ld ${DIR} | ${CUTBINARY} -f1 -d" " | ${CUTBINARY} -c8-10)
if [ ! ${WRITE_GROUP_PERM} = "-" -o ! ${OTHER_PERMS} = "---" ]; then
LogText "Result: permissions of home directory ${DIR} of user ${USER} are not strict enough. Should be 750 or more restrictive. Change with: chmod 750 ${DIR}"
FOUND=1
fi
fi
done
if [ ${FOUND} -eq 1 ]; then
Display --indent 2 --text "- Checking users' home directories permissions" --result "${STATUS_WARNING}" --color RED
ReportWarning ${TEST_NO} "Permissions of some users' home directories are not strict enough. Should be 750 or more restrictive."
else
Display --indent 2 --text "- Checking users' home directories permissions" --result "${STATUS_OK}" --color GREEN
LogText "Result: Ok, All users' home directories permissions are 750 or more restrictive"
fi
fi
#
#################################################################################
#
# Test : HOME-9306
# Description : Check if users own their home directories
Register --test-no HOME-9306 --weight L --network NO --category security --description "Check if users own their home directories"
if [ ${SKIPTEST} -eq 0 ]; then
# Check if users own their home directories
FOUND=0
for LINE in "$(${CAT_BINARY} ${ROOTDIR}etc/passwd | ${EGREPBINARY} -v '^(root|halt|sync|shutdown)' | ${AWKBINARY} -F: '($7 !="/sbin/nologin" && $7 != "/bin/false") { print }')"; do
USER=$(echo ${LINE} | ${CUTBINARY} -d: -f1)
DIR=$(echo ${LINE} | ${CUTBINARY} -d: -f6)
if [ -d ${DIR} ]; then
OWNER=$(ls -ld ${DIR} | awk -F" " '{ print $3 }')
if [ ! ${OWNER} = ${USER} ]; then
LogText "Result: The home directory ${DIR} of user ${USER} is owned by ${OWNER}. Change with: chown ${USER} ${DIR}"
FOUND=1
fi
fi
done
if [ ${FOUND} -eq 1 ]; then
Display --indent 2 --text "- Checking users' home directories ownership" --result "${STATUS_WARNING}" --color RED
ReportWarning ${TEST_NO} "Owner of some users' home directories are not correctly set"
else
Display --indent 2 --text "- Checking users' home directories ownership" --result "${STATUS_OK}" --color GREEN
LogText "Result: Ok, All users own their home directories"
fi
fi
#
#################################################################################
# #
# Test : HOME-9310 # Test : HOME-9310
# Description : Check for suspicious shell history files # Description : Check for suspicious shell history files
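Review bot: Both new tests iterate `for LINE in "$(... passwd ...)"`: the quoted command substitution is a single word, so the loop body runs once with the whole passwd output in `LINE`, and the unquoted `echo ${LINE} | cut` then extracts fields from that joined text — in practice only the first matching user is checked and HOME-9304/HOME-9306 report OK for everyone else. Emit one `user:home` pair per line from awk and split with parameter expansion instead; the same fix applies to HOME-9306, which additionally calls bare `awk` rather than `${AWKBINARY}` and whose `egrep -v '^(root|halt|sync|shutdown)'` excludes by prefix (a user named `sync2` is skipped). Quote `${DIR}` in the `ls -ld` calls and test expressions, since home directory paths come from passwd and may contain spaces or glob characters.
```shell
    # HOME-9304: one user:home pair per line; anchoring the names avoids prefix matches such as 'rootkit'
    FIND=$(${AWKBINARY} -F: '($1 !~ /^(root|halt|sync|shutdown)$/ && $7 != "/sbin/nologin" && $7 != "/bin/false") { print $1":"$6 }' ${ROOTDIR}etc/passwd)
    for LINE in ${FIND}; do
        USER=${LINE%%:*}
        DIR=${LINE#*:}
        if [ -d "${DIR}" ]; then
            WRITE_GROUP_PERM=$(ls -ld "${DIR}" | ${CUTBINARY} -f1 -d" " | ${CUTBINARY} -c6)
            OTHER_PERMS=$(ls -ld "${DIR}" | ${CUTBINARY} -f1 -d" " | ${CUTBINARY} -c8-10)
            if [ ! "${WRITE_GROUP_PERM}" = "-" -o ! "${OTHER_PERMS}" = "---" ]; then
                # … unchanged: LogText and FOUND=1 …
            fi
        fi
    done
    # … unchanged: Display / ReportWarning block …
```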


@ -213,7 +213,7 @@
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
XINETD_INSECURE_SERVICE_FOUND=0 XINETD_INSECURE_SERVICE_FOUND=0
ITEMS="chargen chargen-dgram chargen-stream daytime daytime-dgram daytime-stream discard discard-dgram discard-stream echo echo-dgram echo-stream time time-dgram time-stream ntalk rexec rlogin rsh talk telnet tftp" ITEMS="chargen chargen-dgram chargen-stream daytime daytime-dgram daytime-stream discard discard-dgram discard-stream echo echo-dgram echo-stream time time-dgram time-stream ntalk rexec rlogin rsh rsync talk telnet tftp"
for SERVICE in ${ITEMS}; do for SERVICE in ${ITEMS}; do
LogText "Test: checking service ${SERVICE}" LogText "Test: checking service ${SERVICE}"
@ -246,26 +246,6 @@
fi fi
# #
################################################################################# #################################################################################
#
# Test : INSE-8150
# Description : Check for rsync enabled via xinetd
#RSYNC_XINETD_CONFIG_FILE="${XINETD_CONFIG_DIR}/rsync"
#if [ ${XINETD_ACTIVE} -eq 1 -a -f ${RSYNC_XINETD_CONFIG_FILE} ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
#Register --test-no INSE-8150 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for rsync via xinetd"
#if [ ${SKIPTEST} -eq 0 ]; then
# LogText "Test: checking rsync presence in xinetd configuration"
# FIND=$(${GREPBINARY} "disable\s*=\s*no" ${RSYNC_XINETD_CONFIG_FILE})
# if [ "${FIND}" = "" ]; then
# LogText "Result: rsync not enabled in ${RSYNC_XINETD_CONFIG_FILE}"
# Display --indent 6 --text "- Checking xinetd (rsync)" --result "${STATUS_DISABLED}" --color GREEN
# else
# LogText "Result: rsync enabled in ${RSYNC_XINETD_CONFIG_FILE}"
# Display --indent 6 --text "- Checking xinetd (rsync)" --result "${STATUS_ENABLED}" --color RED
# ReportSuggestion "${TEST_NO}" "Disable rsync in xinetd configuration"
# fi
#fi
#
#################################################################################
# #
# Test : INSE-8200 # Test : INSE-8200
# Description : Check if tcp_wrappers is installed when inetd/xinetd is active # Description : Check if tcp_wrappers is installed when inetd/xinetd is active
@ -348,7 +328,7 @@
# #
# Test : INSE-8304 # Test : INSE-8304
# Description : Check if rsh server is installed # Description : Check if rsh server is installed
Register --test-no INSE-8342 --weight L --network NO --category security --description "Check if rsh server is installed" Register --test-no INSE-8304 --weight L --network NO --category security --description "Check if rsh server is installed"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
# Check if rsh server is installed # Check if rsh server is installed
LogText "Test: Checking if rsh server is installed" LogText "Test: Checking if rsh server is installed"
@ -412,6 +392,57 @@
Display --indent 2 --text "- Installed telnet server package" --result "${STATUS_NOT_FOUND}" --color GREEN Display --indent 2 --text "- Installed telnet server package" --result "${STATUS_NOT_FOUND}" --color GREEN
fi fi
fi fi
#
#################################################################################
#
# Test : INSE-8314
# Description : Check if NIS client is installed
Register --test-no INSE-8314 --weight L --network NO --category security --description "Check if NIS client is installed"
if [ ${SKIPTEST} -eq 0 ]; then
FOUND=""
LogText "Test: Checking if NIS client is installed"
PACKAGES="nis ypbind"
for PACKAGE in ${PACKAGES}; do
PackageIsInstalled "${PACKAGE}"
if [ $? -eq 0 ]; then
FOUND="${PACKAGE}"
fi
done
if [ ${FOUND} ]; then
LogText "Result: NIS client is installed"
Display --indent 2 --text "- Checking NIS client installation" --result "${STATUS_SUGGESTION}" --color YELLOW
ReportSuggestion ${TEST_NO} "NIS client should be removed as it contains numerous security exposures and have been replaced with the more secure SSH package"
else
LogText "Result: NIS client is NOT installed"
Display --indent 2 --text "- Checking NIS client installation" --result "${STATUS_OK}" --color GREEN
fi
fi
#
#################################################################################
#
# Test : INSE-8316
# Description : Check if NIS server is installed
Register --test-no INSE-8316 --weight L --network NO --category security --description "Check if NIS server is installed"
if [ ${SKIPTEST} -eq 0 ]; then
FOUND=""
LogText "Test: Checking if NIS server is installed"
PACKAGES="nis ypserv"
for PACKAGE in ${PACKAGES}; do
PackageIsInstalled "${PACKAGE}"
if [ $? -eq 0 ]; then
FOUND="${PACKAGE}"
fi
done
if [ ${FOUND} ]; then
LogText "Result: NIS server is installed"
Display --indent 2 --text "- Checking NIS server installation" --result "${STATUS_SUGGESTION}" --color YELLOW
ReportSuggestion ${TEST_NO} "Removing the ${FOUND} package decreases the risk of the accidental (or intentional) activation of NIS or NIS+ services"
else
LogText "Result: NIS server is NOT installed"
Display --indent 2 --text "- Checking NIS server installation" --result "${STATUS_OK}" --color GREEN
fi
fi
# #
################################################################################# #################################################################################
# #
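Review bot: `if [ ${FOUND} ]` in both NIS tests relies on an unquoted expansion collapsing to an empty test; it happens to work for the package names used here, but the file's idiom is `if [ -n "${FOUND}" ]` (or `HasData`), which also survives a value starting with `-`. Both tests also probe the `nis` package, so on a distribution where `nis` is a combined client/server package a client-only install is reported by INSE-8316 as an installed server with a removal suggestion; consider checking only `ypserv` there, or word the suggestion to cover that case. Minor wording in the INSE-8314 suggestion: "contains numerous security exposures and have been replaced" should read "has been replaced".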


@ -31,6 +31,7 @@
CPU_NX=0 CPU_NX=0
LINUXCONFIGFILE="" LINUXCONFIGFILE=""
LINUXCONFIGFILE_ZIPPED=0 LINUXCONFIGFILE_ZIPPED=0
LIMITS_DIRECTORY="${ROOTDIR}etc/security/limits.d"
# #
################################################################################# #################################################################################
# #
@ -234,18 +235,18 @@
# Description : Checking for available Linux kernel configuration file in /boot # Description : Checking for available Linux kernel configuration file in /boot
Register --test-no KRNL-5728 --os Linux --weight L --network NO --category security --description "Checking Linux kernel config" Register --test-no KRNL-5728 --os Linux --weight L --network NO --category security --description "Checking Linux kernel config"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
CHECKFILE="/boot/config-$(uname -r)" CHECKFILE="${ROOTDIR}boot/config-$(uname -r)"
if [ -f ${CHECKFILE} ]; then if [ -f ${CHECKFILE} ]; then
LINUXCONFIGFILE="${CHECKFILE}" LINUXCONFIGFILE="${CHECKFILE}"
LogText "Result: found config (${LINUXCONFIGFILE})" LogText "Result: found config (${LINUXCONFIGFILE})"
Display --indent 2 --text "- Checking Linux kernel configuration file" --result "${STATUS_FOUND}" --color GREEN Display --indent 2 --text "- Checking Linux kernel configuration file" --result "${STATUS_FOUND}" --color GREEN
elif [ -f /proc/config.gz ]; then elif [ -f ${ROOTDIR}proc/config.gz ]; then
LINUXCONFIGFILE="${CHECKFILE}" LINUXCONFIGFILE="${CHECKFILE}"
LINUXCONFIGFILE_ZIPPED=1 LINUXCONFIGFILE_ZIPPED=1
LogText "Result: found config: /proc/config.gz (compressed)" LogText "Result: found config: ${ROOTDIR}proc/config.gz (compressed)"
Display --indent 2 --text "- Checking Linux kernel configuration file" --result "${STATUS_FOUND}" --color GREEN Display --indent 2 --text "- Checking Linux kernel configuration file" --result "${STATUS_FOUND}" --color GREEN
else else
LogText "Result: no Linux kernel configuration file found in /boot" LogText "Result: no Linux kernel configuration file found in ${ROOTDIR}boot"
Display --indent 2 --text "- Checking Linux kernel configuration file" --result "${STATUS_NOT_FOUND}" --color WHITE Display --indent 2 --text "- Checking Linux kernel configuration file" --result "${STATUS_NOT_FOUND}" --color WHITE
fi fi
if HasData "${LINUXCONFIGFILE}"; then if HasData "${LINUXCONFIGFILE}"; then
@ -266,15 +267,15 @@
Register --test-no KRNL-5730 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking disk I/O kernel scheduler" Register --test-no KRNL-5730 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking disk I/O kernel scheduler"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
if [ ${LINUXCONFIGFILE_ZIPPED} -eq 1 ]; then GREPTOOL="${ZGREPBINARY}"; else GREPTOOL="${GREPBINARY}"; fi if [ ${LINUXCONFIGFILE_ZIPPED} -eq 1 ]; then GREPTOOL="${ZGREPBINARY}"; else GREPTOOL="${GREPBINARY}"; fi
if [ ! "${GREPTOOL}" = "" ]; then if [ -n "${GREPTOOL}" ]; then
LogText "Test: Checking the default I/O kernel scheduler" LogText "Test: Checking the default I/O kernel scheduler"
LINUX_KERNEL_IOSCHED=$(${GREPTOOL} "CONFIG_DEFAULT_IOSCHED" ${LINUXCONFIGFILE} | ${AWKBINARY} -F= '{ print $2 }' | ${SEDBINARY} s/\"//g) LINUX_KERNEL_IOSCHED=$(${GREPTOOL} "CONFIG_DEFAULT_IOSCHED" ${LINUXCONFIGFILE} | ${AWKBINARY} -F= '{ print $2 }' | ${SEDBINARY} s/\"//g)
if [ ! "${LINUX_KERNEL_IOSCHED}" = "" ]; then if [ -n "${LINUX_KERNEL_IOSCHED}" ]; then
LogText "Result: found IO scheduler '${LINUX_KERNEL_IOSCHED}'" LogText "Result: found IO scheduler '${LINUX_KERNEL_IOSCHED}'"
Display --indent 2 --text "- Checking default I/O kernel scheduler" --result "${STATUS_FOUND}" --color GREEN Display --indent 2 --text "- Checking default I/O kernel scheduler" --result "${STATUS_FOUND}" --color GREEN
Report "linux_kernel_io_scheduler[]=${LINUX_KERNEL_IOSCHED}" Report "linux_kernel_io_scheduler[]=${LINUX_KERNEL_IOSCHED}"
else else
LogText "Result: no default i/o kernel scheduler found" LogText "Result: no default I/O kernel scheduler found"
Display --indent 2 --text "- Checking default I/O kernel scheduler" --result "${STATUS_NOT_FOUND}" --color WHITE Display --indent 2 --text "- Checking default I/O kernel scheduler" --result "${STATUS_NOT_FOUND}" --color WHITE
fi fi
else else
@ -322,8 +323,8 @@
LogText "Test: Active kernel modules (KLDs)" LogText "Test: Active kernel modules (KLDs)"
LogText "Description: View all active kernel modules (including kernel)" LogText "Description: View all active kernel modules (including kernel)"
LogText "Test: Checking modules" LogText "Test: Checking modules"
if [ -f ${ROOTDIR}sbin/kldstat ]; then if [ -x /sbin/kldstat ]; then
FIND=$(${ROOTDIR}sbin/kldstat | ${GREPBINARY} -v 'Name' | ${TRBINARY} -s ' ' | ${CUTBINARY} -d ' ' -f6) FIND=$(/sbin/kldstat | ${GREPBINARY} -v 'Name' | ${TRBINARY} -s ' ' | ${CUTBINARY} -d ' ' -f6)
if [ $? -eq 0 ]; then if [ $? -eq 0 ]; then
LogText "Loaded modules according kldstat:" LogText "Loaded modules according kldstat:"
COUNT=0 COUNT=0
@ -339,7 +340,7 @@
fi fi
else else
echo "[ ${WHITE}SKIPPED${NORMAL} ]" echo "[ ${WHITE}SKIPPED${NORMAL} ]"
LogText "Result: no results, can NOT find ${ROOTDIR}sbin/kldstat" LogText "Result: no results, can NOT find /sbin/kldstat"
fi fi
fi fi
# #
@ -436,23 +437,33 @@
# Description : Checking core dumps configuration (Linux) # Description : Checking core dumps configuration (Linux)
Register --test-no KRNL-5820 --os Linux --weight L --network NO --category security --description "Checking core dumps configuration" Register --test-no KRNL-5820 --os Linux --weight L --network NO --category security --description "Checking core dumps configuration"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking presence /etc/security/limits.conf" # Limits option
if [ -f /etc/security/limits.conf ]; then LogText "Test: Checking presence ${ROOTDIR}etc/security/limits.conf"
LogText "Result: file /etc/security/limits.conf exists" if [ -f ${ROOTDIR}etc/security/limits.conf ]; then
LogText "Test: Checking if core dumps are disabled in /etc/security/limits.conf" LogText "Result: file ${ROOTDIR}etc/security/limits.conf exists"
FIND1=$(${GREPBINARY} -v "^#" /etc/security/limits.conf | ${GREPBINARY} -v "^$" | ${AWKBINARY} '{ if ($1=="*" && $2=="soft" && $3=="core" && $4=="1") { print "soft core enabled" } }') LogText "Test: Checking if core dumps are disabled in ${ROOTDIR}etc/security/limits.conf and ${ROOTDIR}etc/security/limits.d/*"
FIND2=$(${GREPBINARY} -v "^#" /etc/security/limits.conf | ${GREPBINARY} -v "^$" | ${AWKBINARY} '{ if ($1=="*" && $2=="hard" && $3=="core" && $4=="1") { print "hard core enabled" } }') FIND1=$(${GREPBINARY} -r -v "^#" ${ROOTDIR}etc/security/limits.conf ${LIMITS_DIRECTORY} | ${AWKBINARY} -F ":" '{print $2}' | ${GREPBINARY} -v "^$" | ${AWKBINARY} '{ if ($1=="*" && $2=="soft" && $3=="core" && $4=="0") { print "soft core disabled" } else if ($1=="*" && $2=="soft" && $3=="core" && $4!="0") { print "soft core enabled" } }')
if [ "${FIND1}" = "soft core enabled" -o "${FIND2}" = "hard core enabled" ]; then FIND2=$(${GREPBINARY} -r -v "^#" ${ROOTDIR}etc/security/limits.conf ${LIMITS_DIRECTORY} | ${AWKBINARY} -F ":" '{print $2}' | ${GREPBINARY} -v "^$" | ${AWKBINARY} '{ if ($1=="*" && $2=="hard" && $3=="core" && $4=="0") { print "hard core disabled" } else if ($1=="*" && $2=="hard" && $3=="core" && $4!="0") { print "hard core enabled" } }')
LogText "Result: core dumps (soft or hard) are enabled" if [ "${FIND2}" = "hard core disabled" ]; then
Display --indent 2 --text "- Checking core dumps configuration" --result "${STATUS_ENABLED}" --color YELLOW
ReportSuggestion "${TEST_NO}" "Check if core dumps need to be enabled on this system"
AddHP 1 2
else
LogText "Result: core dumps (soft and hard) are both disabled" LogText "Result: core dumps (soft and hard) are both disabled"
Display --indent 2 --text "- Checking core dumps configuration" --result "${STATUS_DISABLED}" --color GREEN Display --indent 2 --text "- Checking core dumps configuration" --result "${STATUS_DISABLED}" --color GREEN
CORE_DUMPS_DISABLED=1 CORE_DUMPS_DISABLED=1
AddHP 3 3 AddHP 3 3
elif [ "${FIND1}" = "soft core enabled" -o "${FIND2}" = "hard core enabled" ]; then
LogText "Result: core dumps (soft or hard) are enabled"
Display --indent 2 --text "- Checking core dumps configuration" --result "${STATUS_ENABLED}" --color YELLOW
ReportSuggestion "${TEST_NO}" "Check if core dumps need to be enabled on this system"
AddHP 1 3
else
LogText "Result: core dumps are not explicitly disabled"
Display --indent 2 --text "- Checking core dumps configuration" --result "${STATUS_NOT_FOUND}" --color WHITE
ReportSuggestion "${TEST_NO}" "If not required, consider explicit disabling of core dump in /etc/security/limits.conf file"
AddHP 2 3
fi fi
else
LogText "Result: file ${ROOTDIR}etc/security/limits.conf does not exist, skipping test"
fi
# TODO: Check ulimit settings in /etc/profile and /etc/profile.d
# Sysctl option # Sysctl option
LogText "Test: Checking sysctl value of fs.suid_dumpable" LogText "Test: Checking sysctl value of fs.suid_dumpable"
@ -476,19 +487,7 @@
Display --indent 4 --text "- Checking setuid core dumps configuration" --result DEFAULT --color WHITE Display --indent 4 --text "- Checking setuid core dumps configuration" --result DEFAULT --color WHITE
AddHP 1 1 AddHP 1 1
fi fi
else
LogText "Result: file /etc/security/limits.conf does not exist, skipping test"
fi fi
# TODO: Check ulimit settings in /etc/profile and /etc/profile.d
fi
#
#################################################################################
#
# Test : KRNL-5826
# Description : Checking core dumps configuration (Solaris)
#Register --test-no KRNL-5826 --os Linux --weight L --network NO --category security --description "Checking core dumps configuration"
#if [ ${SKIPTEST} -eq 0 ]; then
# #
################################################################################# #################################################################################
# #


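--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -38,7 +38,6 @@
     FIND=$(${PSBINARY} aux | ${EGREPBINARY} "( cron$|/cron(d)? )")
     if IsEmpty "${FIND}"; then
         LogText "Result: no cron daemon found"
-        AddHP 3 3
     else
         LogText "Result: cron daemon running"
         CROND_RUNNING=1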


@ -267,13 +267,13 @@
AddHP 3 3 AddHP 3 3
elif [ "${RESULT}" = "MIDSCORED" ]; then elif [ "${RESULT}" = "MIDSCORED" ]; then
LogText "Result: OpenSSH option ${OPTIONNAME} is configured reasonably" LogText "Result: OpenSSH option ${OPTIONNAME} is configured reasonably"
ReportSuggestion ${TEST_NO} "Consider hardening SSH configuration" "${OPTIONNAME} (${FOUNDVALUE} --> ${EXPECTEDVALUE})" "-" ReportSuggestion ${TEST_NO} "Consider hardening SSH configuration" "${OPTIONNAME} (set ${FOUNDVALUE} to ${EXPECTEDVALUE})" "-"
ReportDetails --test "${TEST_NO}" --service "sshd" --field "${OPTIONNAME}" --value "${FOUNDVALUE}" --preferredvalue "${EXPECTEDVALUE}" --description "sshd option ${OPTIONNAME}" ReportDetails --test "${TEST_NO}" --service "sshd" --field "${OPTIONNAME}" --value "${FOUNDVALUE}" --preferredvalue "${EXPECTEDVALUE}" --description "sshd option ${OPTIONNAME}"
Display --indent 4 --text "- OpenSSH option: ${OPTIONNAME}" --result "${STATUS_SUGGESTION}" --color YELLOW Display --indent 4 --text "- OpenSSH option: ${OPTIONNAME}" --result "${STATUS_SUGGESTION}" --color YELLOW
AddHP 1 3 AddHP 1 3
elif [ "${RESULT}" = "WEAK" ]; then elif [ "${RESULT}" = "WEAK" ]; then
LogText "Result: OpenSSH option ${OPTIONNAME} is in a weak configuration state and should be fixed" LogText "Result: OpenSSH option ${OPTIONNAME} is in a weak configuration state and should be fixed"
ReportSuggestion ${TEST_NO} "Consider hardening SSH configuration" "${OPTIONNAME} (${FOUNDVALUE} --> ${EXPECTEDVALUE})" "-" ReportSuggestion ${TEST_NO} "Consider hardening SSH configuration" "${OPTIONNAME} (set ${FOUNDVALUE} to ${EXPECTEDVALUE})" "-"
ReportDetails --test "${TEST_NO}" --service "sshd" --field "${OPTIONNAME}" --value "${FOUNDVALUE}" --preferredvalue "${EXPECTEDVALUE}" --description "sshd option ${OPTIONNAME}" ReportDetails --test "${TEST_NO}" --service "sshd" --field "${OPTIONNAME}" --value "${FOUNDVALUE}" --preferredvalue "${EXPECTEDVALUE}" --description "sshd option ${OPTIONNAME}"
Display --indent 4 --text "- OpenSSH option: ${OPTIONNAME}" --result "${STATUS_SUGGESTION}" --color YELLOW Display --indent 4 --text "- OpenSSH option: ${OPTIONNAME}" --result "${STATUS_SUGGESTION}" --color YELLOW
AddHP 0 3 AddHP 0 3
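Review bot: `${TEST_NO}` is still passed unquoted to ReportSuggestion on both rewritten lines (the MIDSCORED and WEAK branches), while the ReportDetails call right below each one quotes it as `--test "${TEST_NO}"`; an unquoted expansion that is ever empty silently drops the argument and shifts the suggestion text into the test-id position. Quoting it the same way on both lines, `ReportSuggestion "${TEST_NO}" "Consider hardening SSH configuration" "${OPTIONNAME} (set ${FOUNDVALUE} to ${EXPECTEDVALUE})" "-"`, makes the two calls consistent. The new wording "set X to Y" only reads correctly if the reader already knows the first value is the current one; `${OPTIONNAME} (currently ${FOUNDVALUE}, suggested ${EXPECTEDVALUE})` would be unambiguous in the report. The elif chain these branches belong to starts before and continues after this hunk.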

105
lynis

@ -21,27 +21,29 @@
# Lynis is an automated auditing tool for Unix based operating systems. # Lynis is an automated auditing tool for Unix based operating systems.
# #
################################################################################# #################################################################################
#
# In Solaris /bin/sh is not POSIX, but /usr/xpg4/bin/sh is.
# Switch to /usr/xpg4/bin/sh if it exists and we are not already running it.
if [ "$(uname)" = "SunOS" ]; then
test "$_" != "/usr/xpg4/bin/sh" && test -f /usr/xpg4/bin/sh && exec /usr/xpg4/bin/sh "$0" "$@"
fi
#
#################################################################################
# #
# Code quality: don't allow using undefined variables # Code quality: don't allow using undefined variables
# Notes: $_ may be empty on FreeBSD
set -o nounset set -o nounset
# #
################################################################################# #################################################################################
# #
# In Solaris /bin/sh is not POSIX, but /usr/xpg4/bin/sh is.
# Switch to /usr/xpg4/bin/sh if it exists and we are not already running it.
test "$_" != "/usr/xpg4/bin/sh" && test -f /usr/xpg4/bin/sh && exec /usr/xpg4/bin/sh "$0" "$@"
#
#################################################################################
#
# Program information # Program information
PROGRAM_NAME="Lynis" PROGRAM_NAME="Lynis"
PROGRAM_AUTHOR="CISOfy" PROGRAM_AUTHOR="CISOfy"
PROGRAM_AUTHOR_CONTACT="lynis-dev@cisofy.com" PROGRAM_AUTHOR_CONTACT="lynis-dev@cisofy.com"
# Version details # Version details
PROGRAM_RELEASE_DATE="2019-06-29" PROGRAM_RELEASE_DATE="2019-07-14"
PROGRAM_RELEASE_TIMESTAMP=1561383761 PROGRAM_RELEASE_TIMESTAMP=1563094548
PROGRAM_RELEASE_TYPE="dev" # dev or final PROGRAM_RELEASE_TYPE="dev" # dev or final
PROGRAM_VERSION="3.0.0" PROGRAM_VERSION="3.0.0"
@ -58,7 +60,6 @@
REPORT_version_major="1"; REPORT_version_minor="0" REPORT_version_major="1"; REPORT_version_minor="0"
REPORT_version="${REPORT_version_major}.${REPORT_version_minor}" REPORT_version="${REPORT_version_major}.${REPORT_version_minor}"
DISPLAY_LANG="${LANG}" # required by function Display to deal with multi-bytes characters.
# #
################################################################################# #################################################################################
@ -74,8 +75,7 @@
WORKDIR=$(pwd) WORKDIR=$(pwd)
# Test from which directories we can use all functions and tests # Test from which directories we can use all functions and tests
INCLUDEDIR=""
INCLUDEDIR="" # Set default include directory to none
tINCLUDE_TARGETS="/usr/local/include/lynis /usr/local/lynis/include /usr/share/lynis/include ./include" # Default paths to check (CWD as last option, in case we run from standalone) tINCLUDE_TARGETS="/usr/local/include/lynis /usr/local/lynis/include /usr/share/lynis/include ./include" # Default paths to check (CWD as last option, in case we run from standalone)
for I in ${tINCLUDE_TARGETS}; do for I in ${tINCLUDE_TARGETS}; do
if [ "${I}" = "./include" ]; then if [ "${I}" = "./include" ]; then
@ -87,14 +87,11 @@
# Drop out if our include directory can't be found # Drop out if our include directory can't be found
if [ -z "${INCLUDEDIR}" ]; then if [ -z "${INCLUDEDIR}" ]; then
printf "%s" " printf "%s" "\nFatal error: can't find include directory\nMake sure to execute ${PROGRAM_NAME} from untarred directory or check your installation."
Fatal error: can't find include directory
Make sure to execute ${PROGRAM_NAME} from untarred directory or check your installation."
exit 1 exit 1
fi fi
# Test for database directory # Test for database directory
DBDIR=""; tDB_TARGETS="/usr/local/share/lynis/db /usr/local/lynis/db /usr/share/lynis/db ./db" DBDIR=""; tDB_TARGETS="/usr/local/share/lynis/db /usr/local/lynis/db /usr/share/lynis/db ./db"
for I in ${tDB_TARGETS}; do for I in ${tDB_TARGETS}; do
if [ "${I}" = "./db" ]; then if [ "${I}" = "./db" ]; then
@ -103,24 +100,6 @@ Make sure to execute ${PROGRAM_NAME} from untarred directory or check your insta
DBDIR="${I}" DBDIR="${I}"
fi fi
done done
# Import translations. First import English to prefill all texts
if [ ! -f ${DBDIR}/languages/en ]; then
echo "Could not find languages directory (file: ${DBDIR}/languages/en)"
exit 1
else
. ${DBDIR}/languages/en
fi
# Auto detection of language based on locale (first two characters). Set to English when nothing found.
if [ -x "$(command -v locale 2> /dev/null)" ]; then
LANGUAGE=$(locale | egrep "^LANG=" | cut -d= -f2 | cut -d_ -f1 | egrep "^[a-z]{2}$")
fi
if [ -z "${LANGUAGE}" ]; then
#Debug "Result: no (valid) language found, setting to default language (en)"
LANGUAGE="en"
fi
# #
################################################################################# #################################################################################
# #
@ -128,7 +107,7 @@ Make sure to execute ${PROGRAM_NAME} from untarred directory or check your insta
# Check user to determine file permissions later on. If we encounter Solaris, use related id binary instead # Check user to determine file permissions later on. If we encounter Solaris, use related id binary instead
if [ -x /usr/xpg4/bin/id ]; then if [ -x /usr/xpg4/bin/id ]; then
MYID=$(/usr/xpg4/bin/id -u 2> /dev/null) MYID=$(/usr/xpg4/bin/id -u 2> /dev/null)
elif [ $(uname) = "SunOS" ]; then elif [ "$(uname)" = "SunOS" ]; then
MYID=$(id | tr '=' ' ' | tr '(' ' ' | awk '{ print $2 }' 2> /dev/null) MYID=$(id | tr '=' ' ' | tr '(' ' ' | awk '{ print $2 }' 2> /dev/null)
else else
MYID=$(id -u 2> /dev/null) MYID=$(id -u 2> /dev/null)
@ -137,10 +116,21 @@ Make sure to execute ${PROGRAM_NAME} from untarred directory or check your insta
# #
################################################################################# #################################################################################
# #
# Consts (bin paths, text strings, colors) # Set basic values and test permissions of the files to include, such as:
# - consts: bin paths, text strings, colors
# - functions: function library
# #
################################################################################# #################################################################################
# #
# Determine if we are root (UID = 0)
if [ ${MYID} -eq 0 ]; then
PRIVILEGED=1
PENTESTINGMODE=0
else
# Set to pentesting mode if scan is with root privileges
PENTESTINGMODE=1
fi
# Perform a basic check for permissions. After including functions, using SafePerms() # Perform a basic check for permissions. After including functions, using SafePerms()
IGNORE_FILE_PERMISSION_ISSUES=0 IGNORE_FILE_PERMISSION_ISSUES=0
@ -204,6 +194,41 @@ Make sure to execute ${PROGRAM_NAME} from untarred directory or check your insta
# #
################################################################################# #################################################################################
# #
# Language settings
#
#################################################################################
#
# Auto detection of language based on shell LANG variable. This is required by the Display() function to deal with multi-bytes characters.
DISPLAY_LANG="${LANG:-}"
# Try locale command if shell variable had no value
if [ -z "${DISPLAY_LANG}" ]; then
DISPLAY_LANG=$(locale | egrep "^LANG=" | cut -d= -f2)
fi
# Extract the short notation of the language (first two characters).
if [ -x "$(command -v locale 2> /dev/null)" ]; then
LANGUAGE=$(locale | egrep "^LANG=" | cut -d= -f2 | cut -d_ -f1 | egrep "^[a-z]{2}$")
fi
# Set default language: 'en' (English) if no value is set
if [ -z "${LANGUAGE}" ]; then
LANGUAGE="en"
fi
# Import translations. First import English to prefill all texts
if [ -f ${DBDIR}/languages/en ]; then
if SafeFile "${DBDIR}/languages/en"; then
. ${DBDIR}/languages/en
else
ExitFatal "Incorrect ownership or permissions of language file (${DBDIR}/languages/en)"
fi
else
echo "Could not find languages directory (file: ${DBDIR}/languages/en)"
exit 1
fi
#
#################################################################################
#
# Traps # Traps
# #
################################################################################# #################################################################################
@ -222,14 +247,6 @@ Make sure to execute ${PROGRAM_NAME} from untarred directory or check your insta
SafePerms ${INCLUDEDIR}/parameters SafePerms ${INCLUDEDIR}/parameters
. ${INCLUDEDIR}/parameters . ${INCLUDEDIR}/parameters
# Now determine if we are root (UID = 0)
if [ ${MYID} -eq 0 ]; then
PRIVILEGED=1
else
Debug "Starting Lynis non-privileged"
# Implied pentesting mode if not performed by root user
PENTESTINGMODE=1
fi
# Disable logging if no alternative was provided # Disable logging if no alternative was provided
if [ ${PRIVILEGED} -eq 0 ]; then if [ ${PRIVILEGED} -eq 0 ]; then