tyler.durden
/
lynis
mirror of https://github.com/CISOfy/lynis.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Added tests considering Wazuh for file integrity and tooling

This commit is contained in:
Xavier Noguer 2023-05-23 15:07:42 +00:00
parent 59a3c4b536
commit 9f36e17ee0
4 changed files with 51 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
db/tests.db
View File

@ -148,6 +148,7 @@ FINT-4338:test:security:file_integrity::osqueryd syscheck daemon running:
FINT-4339:test:security:file_integrity:Linux:Check IMA/EVM Status FINT-4339:test:security:file_integrity:Linux:Check IMA/EVM Status
FINT-4340:test:security:file_integrity:Linux:Check dm-integrity status FINT-4340:test:security:file_integrity:Linux:Check dm-integrity status
FINT-4341:test:security:file_integrity:Linux:Check dm-verity status FINT-4341:test:security:file_integrity:Linux:Check dm-verity status
FINT-4344:test:security:file_integrity::Wazuh syscheck daemon running:
FINT-4350:test:security:file_integrity::File integrity software installed: FINT-4350:test:security:file_integrity::File integrity software installed:
FINT-4402:test:security:file_integrity::Checksums (SHA256 or SHA512): FINT-4402:test:security:file_integrity::Checksums (SHA256 or SHA512):
FIRE-4502:test:security:firewalls:Linux:Check iptables kernel module: FIRE-4502:test:security:firewalls:Linux:Check iptables kernel module:
@ -437,6 +438,7 @@ TOOL-5102:test:security:tooling::Check for presence of Fail2ban:
TOOL-5104:test:security:tooling::Enabled tests for Fail2ban: TOOL-5104:test:security:tooling::Enabled tests for Fail2ban:
TOOL-5120:test:security:tooling::Presence of Snort IDS: TOOL-5120:test:security:tooling::Presence of Snort IDS:
TOOL-5122:test:security:tooling::Snort IDS configuration file: TOOL-5122:test:security:tooling::Snort IDS configuration file:
TOOL-5128:test:security:tooling::Check for active Wazuh daemon:
TOOL-5130:test:security:tooling::Check for active Suricata daemon: TOOL-5130:test:security:tooling::Check for active Suricata daemon:
TOOL-5160:test:security:tooling::Check for active OSSEC daemon: TOOL-5160:test:security:tooling::Check for active OSSEC daemon:
TOOL-5190:test:security:tooling::Check presence of available IDS/IPS tooling: TOOL-5190:test:security:tooling::Check presence of available IDS/IPS tooling:

19
include/tests_file_integrity
View File

@ -398,6 +398,25 @@
fi fi
# #
################################################################################# #################################################################################
#
# Test : FINT-4344
# Description : Check if Wazuh system integrity tool is running
Register --test-no FINT-4344 --weight L --network NO --category security --description "Wazuh syscheck daemon running"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking if Wazuh syscheck daemon is running"
if IsRunning "wazuh-syscheckd"; then
LogText "Result: syscheck (Wazuh) active"
Report "file_integrity_tool[]=wazuh"
FILE_INT_TOOL="wazuh-syscheck"
FILE_INT_TOOL_FOUND=1
Display --indent 4 --text "- Wazuh (syscheck)" --result "${STATUS_FOUND}" --color GREEN
else
LogText "Result: syscheck (Wazuh) is not active"
if IsVerbose; then Display --indent 4 --text "- Wazuh" --result "${STATUS_NOT_FOUND}" --color WHITE; fi
fi
fi
#
#################################################################################
# #
# Test : FINT-4402 (was FINT-4316) # Test : FINT-4402 (was FINT-4316)
# Description : Check if AIDE is configured to use SHA256 or SHA512 checksums # Description : Check if AIDE is configured to use SHA256 or SHA512 checksums

2
include/tests_hardening
View File

@ -99,7 +99,7 @@
else else
Display --indent 4 --text "- Installed malware scanner" --result "${STATUS_NOT_FOUND}" --color RED Display --indent 4 --text "- Installed malware scanner" --result "${STATUS_NOT_FOUND}" --color RED
fi fi
ReportSuggestion "${TEST_NO}" "Harden the system by installing at least one malware scanner, to perform periodic file system scans" "-" "Install a tool like rkhunter, chkrootkit, OSSEC" ReportSuggestion "${TEST_NO}" "Harden the system by installing at least one malware scanner, to perform periodic file system scans" "-" "Install a tool like rkhunter, chkrootkit, OSSEC, Wazuh"
AddHP 1 3 AddHP 1 3
LogText "Result: no malware scanner found" LogText "Result: no malware scanner found"
fi fi

29
include/tests_tooling
View File

@ -428,6 +428,35 @@
fi fi
# #
################################################################################# #################################################################################
#
# Test : TOOL-5128
# Description : Check for Wazuh daemon
Register --test-no TOOL-5128 --weight L --network NO --category security --description "Check for active Wazuh daemon"
if [ ${SKIPTEST} -eq 0 ]; then
# Server side
if IsRunning "wazuh-analysisd"; then
IDS_IPS_TOOL_FOUND=1
Report "ids_ips_tooling[]=wazuh"
Report "ids_ips_tooling[]=wazuh-analysisd"
LogText "Result: Wazuh analysis daemon is active"
Display --indent 2 --text "- Checking presence of Wazuh (analysis)" --result "${STATUS_FOUND}" --color GREEN
else
LogText "Result: Wazuh analysis daemon not active"
fi
# Client side
if IsRunning "wazuh-agentd"; then
IDS_IPS_TOOL_FOUND=1
Report "ids_ips_tooling[]=wazuh"
Report "ids_ips_tooling[]=wazuh-agentd"
LogText "Result: Wazuh agent daemon is active"
Display --indent 2 --text "- Checking presence of Wazuh (agent)" --result "${STATUS_FOUND}" --color GREEN
else
LogText "Result: Wazuh agent daemon not active"
fi
fi
#
#################################################################################
# #
# Test : TOOL-5190 # Test : TOOL-5190
# Description : Check for an IDS/IPS tool # Description : Check for an IDS/IPS tool