Combining several improvements: helpers, plugins, audit mode

This commit is contained in:
mboelen 2015-01-30 20:01:07 +01:00
parent f5550fa5d2
commit 912f60acc0

252
lynis

@ -23,17 +23,17 @@
# Program information # Program information
PROGRAM_name="Lynis" PROGRAM_name="Lynis"
PROGRAM_version="1.6.5" PROGRAM_version="1.6.5"
PROGRAM_releasedate="3 January 2015" PROGRAM_releasedate="30 January 2015"
PROGRAM_author="CISOfy" PROGRAM_author="CISOfy"
PROGRAM_author_contact="lynis-dev@cisofy.com" PROGRAM_author_contact="development@cisofy.com"
PROGRAM_website="https://cisofy.com" PROGRAM_website="https://cisofy.com"
PROGRAM_copyright="Copyright 2007-2015 - ${PROGRAM_author}, ${PROGRAM_website}" PROGRAM_copyright="Copyright 2007-2015 - ${PROGRAM_author}, ${PROGRAM_website}"
PROGRAM_license="${PROGRAM_name} comes with ABSOLUTELY NO WARRANTY. This is free software, and you are PROGRAM_license="${PROGRAM_name} comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
welcome to redistribute it under the terms of the GNU General Public License. welcome to redistribute it under the terms of the GNU General Public License.
See the LICENSE file for details about using this software." See the LICENSE file for details about using this software."
PROGRAM_extrainfo="Enterprise support and plugins available via CISOfy - https://cisofy.com" PROGRAM_extrainfo="Enterprise support and plugins available via CISOfy"
# Release version (beta or final) # Release version (beta or final)
PROGRAM_releasetype="beta" PROGRAM_releasetype="final"
# Version number of report files (when format changes in future) # Version number of report files (when format changes in future)
REPORT_version_major="1"; REPORT_version_minor="0" REPORT_version_major="1"; REPORT_version_minor="0"
REPORT_version="${REPORT_version_major}.${REPORT_version_minor}" REPORT_version="${REPORT_version_major}.${REPORT_version_minor}"
@ -344,9 +344,20 @@
# Bail out if we didn't get any parameter, or incorrect ones # Bail out if we didn't get any parameter, or incorrect ones
if [ ${PARAMCOUNT} -eq 0 -o ${WRONGOPTION} -eq 1 -o ${VIEWHELP} -eq 1 ]; then if [ ${PARAMCOUNT} -eq 0 -o ${WRONGOPTION} -eq 1 -o ${VIEWHELP} -eq 1 ]; then
#echo " ==================================================" #echo " =================================================="
echo ""
echo " Usage: lynis ${WHITE}[options] ${CYAN}mode${NORMAL}"
echo ""
echo ""
echo " ${CYAN}Mode:${NORMAL}"
echo ""
echo " ${GREEN}audit${NORMAL}"
echo " audit system : Perform security scan"
echo " audit Dockerfile <file> : Analyze Dockerfile"
echo ""
echo ""
echo " ${WHITE}Scan options:${NORMAL}" echo " ${WHITE}Scan options:${NORMAL}"
echo " --auditor \"<name>\" : Auditor name" echo " --auditor \"<name>\" : Auditor name"
echo " --check-all (-c) : Check system"
echo " --dump-options : See all available options" echo " --dump-options : See all available options"
echo " --no-log : Don't create a log file" echo " --no-log : Don't create a log file"
echo " --pentest : Non-privileged scan (useful for pentest)" echo " --pentest : Non-privileged scan (useful for pentest)"
@ -366,16 +377,17 @@
echo " --view-manpage (--man) : View man page" echo " --view-manpage (--man) : View man page"
echo " --version (-V) : Display version number and quit" echo " --version (-V) : Display version number and quit"
echo "" echo ""
echo " ${GREEN}Enterprise options:${NORMAL}" echo " ${WHITE}Enterprise options:${NORMAL}"
echo " --plugin-dir \"<path>\" : Define path of available plugins" echo " --plugin-dir \"<path>\" : Define path of available plugins"
echo " --upload : Upload data to central node" echo " --upload : Upload data to central node"
echo "" echo ""
echo ""
if [ ${WRONGOPTION} -eq 1 ]; then if [ ${WRONGOPTION} -eq 1 ]; then
echo " ${RED}Error${NORMAL}: ${WHITE}Invalid option ${WRONGOPTION_value}!${NORMAL}" echo " ${RED}Error${NORMAL}: ${WHITE}Invalid option '${WRONGOPTION_value}'${NORMAL}"
else else
if [ ${VIEWHELP} -eq 0 ]; then if [ ${VIEWHELP} -eq 0 ]; then
echo " ${RED}Error${NORMAL}: ${WHITE}No parameters specified!${NORMAL}" echo " ${RED}Error${NORMAL}: ${WHITE}No scanning mode specified!${NORMAL}"
fi fi
fi fi
echo " See man page and documentation for all available options." echo " See man page and documentation for all available options."
@ -447,9 +459,7 @@
# #
# Clear log file and test if it's writable # Clear log file and test if it's writable
logtext "### Starting ${PROGRAM_name} ${PROGRAM_version} with PID ${OURPID}, build date ${PROGRAM_releasedate} ###" > ${LOGFILE} logtext "### Starting ${PROGRAM_name} ${PROGRAM_version} with PID ${OURPID}, build date ${PROGRAM_releasedate} ###" > ${LOGFILE}
if [ $? -eq 0 ]; then if [ $? -gt 0 ]; then
Display --indent 2 --text "- Clearing log file (${LOGFILE})... " --result DONE --color GREEN
else
Display --indent 2 --text "- Clearing log file (${LOGFILE})... " --result WARNING --color RED Display --indent 2 --text "- Clearing log file (${LOGFILE})... " --result WARNING --color RED
echo "${WARNING}Fatal error${NORMAL}: problem while writing to log file. Check location and permissions." echo "${WARNING}Fatal error${NORMAL}: problem while writing to log file. Check location and permissions."
RemovePIDFile RemovePIDFile
@ -521,7 +531,7 @@
logtext "Plugin directory: ${PLUGINDIR}" logtext "Plugin directory: ${PLUGINDIR}"
logtext "Database directory: ${DBDIR}" logtext "Database directory: ${DBDIR}"
logtextbreak logtextbreak
wait_for_keypress #wait_for_keypress
# #
################################################################################# #################################################################################
@ -620,67 +630,70 @@
# #
################################################################################# #################################################################################
# #
logtextbreak
InsertPluginSection "Plugins (phase 1)"
Display --text "Note: plugins have more extensive tests, which may take a few minutes to complete"
Display --text " "
logtext "Searching plugins..."
N_PLUGIN=0
N_PLUGIN_ENABLED=0
# Search plugins if [ ${RUN_PLUGINS} -eq 1 ]; then
FIND=`find ${PLUGINDIR} -type f -name "plugin_[a-z]*" -exec echo \{\} \; | sort` logtextbreak
for I in ${FIND}; do InsertPluginSection "Plugins (phase 1)"
logtext "Found plugin file: ${I}" Display --text "Note: plugins have more extensive tests, which may take a few minutes to complete"
# Double check if output is a valid file name Display --text " "
if [ -f ${I} ]; then logtext "Searching plugins..."
FIND2=`grep "^# PLUGIN_NAME=" ${I} | awk -F= '{ print $2 }'` N_PLUGIN=0
if [ ! "${FIND2}" = "" -a ! "${FIND2}" = "[plugin_name]" ]; then N_PLUGIN_ENABLED=0
N_PLUGIN=`expr ${N_PLUGIN} + 1`
FIND3=`grep "^plugin=${FIND2}" ${PROFILE}` # Search plugins
if [ ! "${FIND3}" = "" ]; then FIND=`find ${PLUGINDIR} -type f -name "plugin_[a-z]*" -exec echo \{\} \; | sort`
logtext "Plugin ${FIND2} is enabled" for I in ${FIND}; do
# Plugins should have at least a _phase1 part, _phase2 is optional at this moment logtext "Found plugin file: ${I}"
PLUGINFILE="${PLUGINDIR}/plugin_${FIND2}_phase1" # Double check if output is a valid file name
if [ -f ${PLUGINFILE} ]; then if [ -f ${I} ]; then
PLUGIN_VERSION=`grep "^# PLUGIN_VERSION=" ${I} | awk -F= '{ print $2 }'` FIND2=`grep "^# PLUGIN_NAME=" ${I} | awk -F= '{ print $2 }'`
PLUGIN_VERSION_NODOTS=`echo ${PLUGIN_VERSION} | sed 's/.//g'` if [ ! "${FIND2}" = "" -a ! "${FIND2}" = "[plugin_name]" ]; then
FIND4=`ls -l ${PLUGINFILE} | cut -c 2-10` N_PLUGIN=`expr ${N_PLUGIN} + 1`
if [ "${FIND4}" = "rw-r--r--" -o "${FIND4}" = "rw-r-----" -o "${FIND4}" = "rw-------" -o "${FIND4}" = "r--------" ]; then FIND3=`grep "^plugin=${FIND2}" ${PROFILE}`
logtext "Including plugin file: ${PLUGINFILE} (version: ${PLUGIN_VERSION})" if [ ! "${FIND3}" = "" ]; then
report "plugin_enabled_phase1[]=${FIND2}|${PLUGIN_VERSION}|" logtext "Plugin ${FIND2} is enabled"
N_PLUGIN_ENABLED=`expr ${N_PLUGIN_ENABLED} + 1` # Plugins should have at least a _phase1 part, _phase2 is optional at this moment
Display --indent 2 --text "- ${CYAN}Plugin${NORMAL}: ${WHITE}${FIND2}${NORMAL}" PLUGINFILE="${PLUGINDIR}/plugin_${FIND2}_phase1"
#Display --indent 0 --text " [" --no-break if [ -f ${PLUGINFILE} ]; then
Progress " [" PLUGIN_VERSION=`grep "^# PLUGIN_VERSION=" ${I} | awk -F= '{ print $2 }'`
. ${PLUGINFILE} PLUGIN_VERSION_NODOTS=`echo ${PLUGIN_VERSION} | sed 's/.//g'`
Progress "]" FIND4=`ls -l ${PLUGINFILE} | cut -c 2-10`
Progress --finish if [ "${FIND4}" = "rw-r--r--" -o "${FIND4}" = "rw-r-----" -o "${FIND4}" = "rw-------" -o "${FIND4}" = "r--------" ]; then
logtextbreak logtext "Including plugin file: ${PLUGINFILE} (version: ${PLUGIN_VERSION})"
logtext "Result: ${FIND2} plugin (phase 1) finished" report "plugin_enabled_phase1[]=${FIND2}|${PLUGIN_VERSION}|"
N_PLUGIN_ENABLED=`expr ${N_PLUGIN_ENABLED} + 1`
Display --indent 2 --text "- ${CYAN}Plugin${NORMAL}: ${WHITE}${FIND2}${NORMAL}"
#Display --indent 0 --text " [" --no-break
Progress " ["
. ${PLUGINFILE}
Progress "]"
Progress --finish
logtextbreak
logtext "Result: ${FIND2} plugin (phase 1) finished"
else
logtext "Plugin ${FIND2}: Skipped (bad file permissions, should be 640, 600 or 400)"
fi
else else
logtext "Plugin ${FIND2}: Skipped (bad file permissions, should be 640, 600 or 400)" logtext "Plugin ${FIND2}: Skipped (can't find file ${PLUGINFILE})"
fi fi
else else
logtext "Plugin ${FIND2}: Skipped (can't find file ${PLUGINFILE})" logtext "Plugin ${FIND2}: Skipped (not enabled)"
fi fi
else else
logtext "Plugin ${FIND2}: Skipped (not enabled)" logtext "Skipping plugin file ${I} (no valid plugin name found)"
fi fi
else
logtext "Skipping plugin file ${I} (no valid plugin name found)"
fi fi
fi logtext "--"
logtext "--" done
done logtext "Result: Found ${N_PLUGIN} plugins of which ${N_PLUGIN_ENABLED} are enabled"
logtext "Result: Found ${N_PLUGIN} plugins of which ${N_PLUGIN_ENABLED} are enabled" logtext "Result: Plugins finished"
logtext "Result: Plugins finished"
if [ ${N_PLUGIN_ENABLED} -eq 0 ]; then if [ ${N_PLUGIN_ENABLED} -eq 0 ]; then
Display --indent 2 --text "- Plugins enabled " --result "NONE" --color WHITE Display --indent 2 --text "- Plugins enabled " --result "NONE" --color WHITE
report "plugins_enabled=0" report "plugins_enabled=0"
else else
report "plugins_enabled=1" report "plugins_enabled=1"
fi
fi fi
# #
################################################################################# #################################################################################
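Review bot: The new `if [ ${RUN_PLUGINS} -eq 1 ]; then` guard (and the matching `RUN_TESTS` and `RUN_HELPERS` guards in the following hunks) breaks with a unary-operator error from `[` if the variable is ever unset, because the expansion is unquoted; unless a default is assigned earlier in the file (not visible here), `if [ "${RUN_PLUGINS:-0}" -eq 1 ]; then` is the safer form. Inside the guarded block, `FIND3=\`grep "^plugin=${FIND2}" ${PROFILE}\`` is a prefix match, so a profile line `plugin=foobar` also enables a plugin named `foo`; anchoring the end as `grep "^plugin=${FIND2}$" ${PROFILE}` makes the enable check exact. The permission check that gates `. ${PLUGINFILE}` compares only the mode string from `ls -l | cut -c 2-10` and never the owner, so a world-unwritable file owned by an unprivileged user still passes before being sourced into the scan; this is pre-existing, but a comment such as `# NOTE: mode bits only, owner is not verified` would make the limitation explicit.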
@ -704,12 +717,15 @@
# #
################################################################################# #################################################################################
# #
logtextbreak
# Test sections
if [ "${TESTS_CATEGORY_TO_PERFORM}" = "" ]; then
logtext "Info: perform tests from all categories"
INCLUDE_TESTS="boot_services kernel memory_processes authentication shells \ if [ ${RUN_TESTS} -eq 1 ]; then
logtextbreak
# Test sections
if [ "${TESTS_CATEGORY_TO_PERFORM}" = "" ]; then
logtext "Info: perform tests from all categories"
INCLUDE_TESTS="boot_services kernel memory_processes authentication shells \
filesystems storage storage_nfs \ filesystems storage storage_nfs \
nameservices ports_packages networking printers_spools \ nameservices ports_packages networking printers_spools \
mail_messaging firewalls \ mail_messaging firewalls \
@ -717,54 +733,78 @@
insecure_services banners scheduling accounting \ insecure_services banners scheduling accounting \
time crypto virtualization mac_frameworks file_integrity hardening_tools tooling \ time crypto virtualization mac_frameworks file_integrity hardening_tools tooling \
malware file_permissions homedirs kernel_hardening hardening" malware file_permissions homedirs kernel_hardening hardening"
else else
INCLUDE_TESTS="${TESTS_CATEGORY_TO_PERFORM}" INCLUDE_TESTS="${TESTS_CATEGORY_TO_PERFORM}"
logtext "Info: only performing tests from categories: ${TESTS_CATEGORY_TO_PERFORM}" logtext "Info: only performing tests from categories: ${TESTS_CATEGORY_TO_PERFORM}"
fi fi
# Include available tests # Include available tests
for INCLUDE_TEST in ${INCLUDE_TESTS}; do for INCLUDE_TEST in ${INCLUDE_TESTS}; do
# Test if file exists, then if permissions are correct # Test if file exists, then if permissions are correct
if [ -f ${INCLUDEDIR}/tests_${INCLUDE_TEST} ]; then if [ -f ${INCLUDEDIR}/tests_${INCLUDE_TEST} ]; then
FIND=`ls -l ${INCLUDEDIR}/tests_${INCLUDE_TEST} | cut -c 2-10` FIND=`ls -l ${INCLUDEDIR}/tests_${INCLUDE_TEST} | cut -c 2-10`
if [ "${FIND}" = "rw-r--r--" -o "${FIND}" = "rw-r-----" -o "${FIND}" = "rw-------" -o "${FIND}" = "r--------" ]; then if [ "${FIND}" = "rw-r--r--" -o "${FIND}" = "rw-r-----" -o "${FIND}" = "rw-------" -o "${FIND}" = "r--------" ]; then
. ${INCLUDEDIR}/tests_${INCLUDE_TEST} . ${INCLUDEDIR}/tests_${INCLUDE_TEST}
else
logtext "Exception: skipping test category ${INCLUDE_TEST}, file ${INCLUDEDIR}/tests_${INCLUDE_TEST} has bad permissions (should be 640, 600 or 400)"
ReportWarning "NONE" "H" "Invalid permissions on tests file tests_${INCLUDE_TEST}"
# Insert a section and warn user also on screen
InsertSection "General"
Display --indent 2 --text "- Running test category ${INCLUDE_TEST}... " --result "SKIPPED" --color RED
fi
else else
logtext "Exception: skipping test category ${INCLUDE_TEST}, file ${INCLUDEDIR}/tests_${INCLUDE_TEST} has bad permissions (should be 640, 600 or 400)" echo "Error: Can't find file (category: ${INCLUDE_TEST})"
ReportWarning "NONE" "H" "Invalid permissions on tests file tests_${INCLUDE_TEST}" fi
# Insert a section and warn user also on screen
InsertSection "General"
Display --indent 2 --text "- Running test category ${INCLUDE_TEST}... " --result "SKIPPED" --color RED
fi
else
echo "Error: Can't find file (category: ${INCLUDE_TEST})"
fi
done done
fi
# #
################################################################################# #################################################################################
# #
#logtextbreak
InsertSection "Custom Tests" if [ ${RUN_TESTS} -eq 1 ]; then
logtext "Test: Checking for tests_custom file"
# Custom tests InsertSection "Custom Tests"
if [ -f ${INCLUDEDIR}/tests_custom ]; then logtext "Test: Checking for tests_custom file"
logtext "Result: tests_custom file found in include directory" # Custom tests
logtext "Test: checking file permissions of tests_custom file" if [ -f ${INCLUDEDIR}/tests_custom ]; then
FIND=`ls -l ${INCLUDEDIR}/tests_custom | cut -c 2-10` logtext "Result: tests_custom file found in include directory"
if [ "${FIND}" = "rw-r--r--" -o "${FIND}" = "rw-r-----" -o "${FIND}" = "rw-------" -o "${FIND}" = "r--------" ]; then logtext "Test: checking file permissions of tests_custom file"
Display --indent 2 --text "- Start custom tests... " FIND=`ls -l ${INCLUDEDIR}/tests_custom | cut -c 2-10`
logtext "Result: file permissions fine, running custom tests" if [ "${FIND}" = "rw-r--r--" -o "${FIND}" = "rw-r-----" -o "${FIND}" = "rw-------" -o "${FIND}" = "r--------" ]; then
SafePerms ${INCLUDEDIR}/tests_custom Display --indent 2 --text "- Start custom tests... "
. ${INCLUDEDIR}/tests_custom logtext "Result: file permissions fine, running custom tests"
SafePerms ${INCLUDEDIR}/tests_custom
. ${INCLUDEDIR}/tests_custom
else
logtext "Exception: skipping custom tests, file has bad permissions (should be 640, 600 or 400)"
ReportWarning "NONE" "H" "Invalid permissions on custom tests file"
Display --indent 2 --text "- Running custom tests... " --result "WARNING" --color RED
fi
else else
logtext "Exception: skipping custom tests, file has bad permissions (should be 640, 600 or 400)" Display --indent 2 --text "- Running custom tests... " --result "NONE" --color WHITE
ReportWarning "NONE" "H" "Invalid permissions on custom tests file" fi
Display --indent 2 --text "- Running custom tests... " --result "WARNING" --color RED fi
#
#################################################################################
#
# Run helpers
#
#################################################################################
#
if [ ${RUN_HELPERS} -eq 1 ]; then
InsertPluginSection "Audit Module"
if [ ! "${HELPER}" = "" ]; then
logtext "Helper tool is $HELPER"
if [ -f ${INCLUDEDIR}/helper_${HELPER} ]; then
SafePerms ${INCLUDEDIR}/helper_${HELPER}
logtext "Running helper tool ${HELPER} with params: ${HELPER_PARAMS}"
. ${INCLUDEDIR}/helper_${HELPER} ${HELPER_PARAMS}
else
echo "Error, could not find helper"
fi
fi fi
else
Display --indent 2 --text "- Running custom tests... " --result "NONE" --color WHITE
fi fi
# #
################################################################################# #################################################################################