This commit is contained in:
Roland Smith 2015-06-07 15:25:45 +02:00
commit a777e9183f
20 changed files with 524 additions and 198 deletions

View File

@ -3,6 +3,8 @@
# Lynis spec file
# -----------------
#
# This file helps to create your custom RPM package of Lynis.
#
# Usage:
# - Adjust version number (Version:)
# - Check if you have the directories in your home directory (or adjust topdir)
@ -12,9 +14,9 @@
#
#################################################################################
#
# (c) 2014 Michael Boelen
# Copyright 2015 CISOfy
#
# Website: http://cisofy.com/
# Documentation: https://cisofy.com/documentation/lynis/upgrading/
#
#################################################################################
@ -27,30 +29,32 @@
Summary: Security and system auditing tool.
Name: lynis
Version: 1.6.2
Version: 2.1.1
Release: 1
License: GPL
Group: Applications/System
Source: lynis-%{version}.tar.gz
BuildRoot: /tmp/lynis-root
URL: http://cisofy.com/
Vendor: CISOfy / Michael Boelen
Packager: Michael Boelen <michael@rootkit.nl>
URL: https://cisofy.com/
Vendor: CISOfy
Packager: Michael Boelen <michael.boelen@cisofy.com>
BuildArch: noarch
%description
Lynis is a security tool to audit and harden Unix/Linux based systems. It scans a
system and provides the user with suggestion and warnings regarding taken security
measures. Examples include:
- Security enhancements
- Logging and auditing options
- Banner identification
- Software availability
- Missing security patches
Lynis is an security auditing and hardening tool for Unix derivatives like Linux, BSD
and Solaris. It performs an in-depth security scan on the system to detect software
and security issues. Besides information related to security, it will also scan for
general system information, installed packages, and possible
configuration issues.
This software is aimed at assisting with automated auditing, configuration management,
software patch management, penetration testing, vulnerability management, and malware
scanning of Unix-based systems.
Lynis is released as a GPLv3 licensed project and free for everyone to use.
Commercial support and extensions are available.
See http://cisofy.com for a full description and documentation.
See https://cisofy.com for a full description and documentation.
%prep
[ "$RPM_BUILD_ROOT" != "/" ] && rm -rf "$RPM_BUILD_ROOT"
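Review bot: the rewritten %description opens with "Lynis is an security auditing and hardening tool"; that should read "a security auditing and hardening tool". While touching this block, the `License: GPL` tag contradicts the description's "released as a GPLv3 licensed project"; `License: GPLv3` is the accurate tag and what rpmlint expects.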
@ -84,11 +88,6 @@ install plugins/* ${RPM_BUILD_ROOT}%{_pluginsdir}
install -d ${RPM_BUILD_ROOT}%{_dbdir}
install db/* ${RPM_BUILD_ROOT}%{_dbdir}
# Patch default paths (not required for 1.1.2+)
#sed -i -e 's#INCLUDEDIR="include"#INCLUDEDIR="%{_includedir}"#g' ${RPM_BUILD_ROOT}/usr/bin/lynis
#sed -i -e 's#PROFILE="default.prf"#PROFILE="/etc/lynis/default.prf"#g' ${RPM_BUILD_ROOT}/usr/bin/lynis
%clean
[ "$RPM_BUILD_ROOT" != "/" ] && rm -rf "$RPM_BUILD_ROOT"
@ -111,6 +110,9 @@ install db/* ${RPM_BUILD_ROOT}%{_dbdir}
#%attr(644, root, root) %{_plugindir}/*
%changelog
* Wed May 13 2015 Michael Boelen - 1.1.9-1
- Changed website address, version bump
* Sun Sep 14 2014 Michael Boelen - 1.1.8-1
- Changed permissions with regards of pentest option
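Review bot: the new %changelog entry carries version "1.1.9-1" while this same commit bumps `Version:` to 2.1.1 with `Release: 1`; rpmbuild emits an "incoherent version in changelog" warning for this mismatch. The entry should read `* Wed May 13 2015 Michael Boelen - 2.1.1-1` (or whatever version was actually built on that date), since the changelog is the only place the package records which release introduced a change.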

View File

@ -90,6 +90,9 @@
as) ASFOUND=1; ASBINARY="${BINARY}"; COMPILER_INSTALLED=1; logtext " Found known binary: as (compiler) - ${BINARY}" ;;
auditctl) AUDITCTLFOUND=1; AUDITCTLBINARY="${BINARY}"; logtext " Found known binary: auditctl (control utility for audit daemon) - ${BINARY}" ;;
autolog) AUTOLOGFOUND=1; AUTOLOGBINARY="${BINARY}"; IDLE_SESSION_KILLER_INSTALLED=1; logtext " Found known binary: autolog (idle session killer) - ${BINARY}" ;;
debsecan) DEBSECANBINARY="${BINARY}"; logtext " Found known binary: debsecan (package vulnerability checking) - ${BINARY}" ;;
debsums) DEBSUMSBINARY="${BINARY}"; logtext " Found known binary: debsums (package integrity checking) - ${BINARY}" ;;
docker) DOCKERBINARY="${BINARY}"; logtext " Found known binary: docker (container technology) - ${BINARY}" ;;
chkconfig) CHKCONFIGFOUND=1; CHKCONFIGBINARY=${BINARY}; logtext " Found known binary: chkconfig (administration tool) - ${BINARY}" ;;
clamscan) CLAMSCANFOUND=1; CLAMSCANBINARY=${BINARY}; logtext " Found known binary: clamscan (AV scanner) - ${BINARY}" ;;
cfagent) CFAGENTFOUND=1; CFAGENTBINARY="${BINARY}"; FILE_INT_TOOL_FOUND=1; logtext " Found known binary: cfengine agent (configuration tool) - ${BINARY}" ;;

View File

@ -77,6 +77,7 @@ unset LANG
CONTROL_URL_PREPEND=""
CUSTOM_URL_APPEND=""
CUSTOM_URL_PREPEND=""
DOCKER_DAEMON_RUNNING=0
FILEVALUE=""
FIND=""
FIREWALL_ACTIVE=0
@ -142,6 +143,7 @@ unset LANG
UPLOAD_OPTIONS=""
UPDATE_CHECK_SKIPPED=0
VALUE=""
VMTYPE=""
#
#################################################################################
#

View File

@ -5,7 +5,7 @@
# Lynis
# ------------------
#
# Copyright 2007-2015 - Michael Boelen, CISOfy (michael.boelen@cisofy.com)
# Copyright 2007-2015, Michael Boelen - CISOfy
# https://cisofy.com
#
# This software is licensed under GPL, version 3. See LICENSE file for
@ -20,14 +20,15 @@
# Function Description
# ----------------------- -------------------------------------------------
# AddHP Add Hardening points to plot a graph later
# AddSystemGroup Adds a system to a group
# CheckFilePermissions Check file permissions
# CheckUpdates Determine if a new version of Lynis is available
# counttests Count number of performed tests
# Debug Display additional information on the screen (not suited for cronjob)
# DirectoryExists Check if a directory exists on the disk
# Display Output text to screen with colors and identation
# ExitClean Stop the program (cleanly)
# ExitFatal Stop the program (cleanly), with fatal
# ExitClean Stop the program (cleanly), with exit code 0
# ExitFatal Stop the program (cleanly), with exit code 1
# FileExists Check if a file exists on the disk
# FileIsEmpty Check if a file is empty
# FileIsReadable Check if a file is readable or directory accessible
@ -50,6 +51,7 @@
# ShowSymlinkPath Show a path behind a symlink
# ViewCategories Display tests categories
# logtext Log text strings to logfile, prefixed with date/time
# report Add string of data to report file
#
#################################################################################
@ -62,6 +64,19 @@
logtext "Hardening: assigned ${HPADD} hardening points (max for this item: ${HPADDMAX}), current: ${HPPOINTS}, total: ${HPTOTAL}"
}
################################################################################
# Name : AddSystemGroup
# Description : Adds a system to a group, which can be used for categorizing
# Returns : <nothing>
################################################################################
AddSystemGroup()
{
report "system_group[]=$1"
}
# Check file permissions
# Parameter 1 is file/dir
# Result: FILE_NOT_FOUND | OK | BAD
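Review bot: AddSystemGroup writes `report "system_group[]=$1"` without checking that an argument was passed, so a caller invoking it with an empty or unset value produces an empty `system_group[]=` entry in the report. A guard such as `if [ -z "$1" ]; then logtext "Warning: AddSystemGroup called without a group name"; return; fi` before the `report` call keeps the report file clean; the function header could also document that the parameter is the group name, since "Returns : <nothing>" is the only parameter information given.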
@ -637,7 +652,7 @@
docker) ISVIRTUALMACHINE=1; VMTYPE="docker"; VMFULLTYPE="Docker container" ;;
kvm) ISVIRTUALMACHINE=1; VMTYPE="kvm"; VMFULLTYPE="KVM" ;;
lxc) ISVIRTUALMACHINE=1; VMTYPE="lxc"; VMFULLTYPE="Linux Containers" ;;
lxc-libvirt) ISVIRTUALMACHINE=1; VMTYPE="lxc-libvirt"; VMFULLTYPE="libvirt LXC driver (Linux Containers" ;;
lxc-libvirt) ISVIRTUALMACHINE=1; VMTYPE="lxc-libvirt"; VMFULLTYPE="libvirt LXC driver (Linux Containers)" ;;
microsoft) ISVIRTUALMACHINE=1; VMTYPE="microsoft"; VMFULLTYPE="Microsoft Virtual PC" ;;
openvz) ISVIRTUALMACHINE=1; VMTYPE="openvz"; VMFULLTYPE="OpenVZ" ;;
oracle|virtualbox) ISVIRTUALMACHINE=1; VMTYPE="virtualbox"; VMFULLTYPE="Oracle VM VirtualBox" ;;
@ -1285,6 +1300,7 @@
SYMLINK_USE_READLINK=1
logtext "Note: Using real readlink binary to determine symlinks"
tFILE=`${READLINKBINARY} -f ${sFILE}`
logtext "Result: readlink shows ${tFILE} as output"
fi
fi
# Check if we can find the file now
@ -1294,6 +1310,14 @@
sFILE="${tFILE}"
logtext "Result: symlink found, pointing to file ${sFILE}"
FOUNDPATH=1
elif [ -b ${tFILE} ]; then
sFILE="${tFILE}"
logtext "Result: symlink found, pointing to block device ${sFILE}"
FOUNDPATH=1
elif [ -c ${tFILE} ]; then
sFILE="${tFILE}"
logtext "Result: symlink found, pointing to character device ${sFILE}"
FOUNDPATH=1
elif [ -d ${tFILE} ]; then
sFILE="${tFILE}"
logtext "Result: symlink found, pointing to directory ${sFILE}"
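Review bot: the new `-b` and `-c` branches follow the surrounding unquoted `[ -b ${tFILE} ]` style, so a target path containing whitespace breaks the test with "too many arguments" rather than being classified; quoting as `[ -b "${tFILE}" ]` avoids that, and the same applies to the existing `-f` and `-d` branches. The two new branches are identical apart from the log message, so a single `elif [ -b "${tFILE}" -o -c "${tFILE}" ]` branch logging "device" would keep this function shorter.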

View File

@ -126,7 +126,9 @@
else
logtext "Result: auditd not active"
Display --indent 2 --text "- Checking auditd" --result "NOT FOUND" --color WHITE
if [ ! "${VMTYPE}" = "openvz" ]; then
ReportSuggestion ${TEST_NO} "Enable auditd to collect audit information"
fi
AUDITD_RUNNING=0
report "audit_daemon_running=0"
AddHP 0 1
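Review bot: the suggestion is now suppressed only when `VMTYPE` is "openvz", yet the VM detection table in functions (this same commit) also recognises "docker" and "lxc", where a host-managed kernel audit subsystem is typically just as unavailable inside the container; consider whether the exemption should cover those types as well. The check itself is safe now that `VMTYPE=""` is initialised in the variables include, so an undetected environment still falls through to the suggestion.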
@ -427,4 +429,4 @@ wait_for_keypress
#
#================================================================================
# Lynis - Copyright 2007-2015, Michael Boelen - http://cisofy.com - The Netherlands
# Lynis - Copyright 2007-2015, Michael Boelen / CISOfy - https://cisofy.com

View File

@ -1329,4 +1329,4 @@ wait_for_keypress
#
#================================================================================
# Lynis - Copyright 2007-2015 Michael Boelen, CISOfy - https://cisofy.com
# Lynis - Copyright 2007-2015, CISOfy - https://cisofy.com

View File

@ -23,7 +23,7 @@
#################################################################################
#
BANNER_FILES="/etc/issue /etc/issue.net /etc/motd"
LEGAL_BANNER_STRINGS="access authorized legal monitor owner policy policies private prohibited restricted this unauthorized"
LEGAL_BANNER_STRINGS="audit access authori intrusion law legal monitor owner policy policies private prohibited restricted subject terms this unauthorized"
#
#################################################################################
#
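Review bot: the extended LEGAL_BANNER_STRINGS list mixes deliberate stems ("authori", to match both "authorized" and "authorised") with ordinary words ("this", "law", "terms", "subject") that occur in almost any text, which weakens what a match proves; a comment explaining the stems, and a look at how the matching test counts hits, would make it clear that a banner is not considered legal merely because it contains "this". The old "authorized" entry was dropped in favour of the stem, so any test relying on an exact word match should be checked against the new list.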

include/tests_containers Normal file (167 lines)
View File

@ -0,0 +1,167 @@
#!/bin/sh
#################################################################################
#
# Lynis
# ------------------
#
# Copyright 2007-2015, Michael Boelen (michael.boelen@cisofy.com)
# Web site: https://cisofy.com
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
# See LICENSE file for usage of this software.
#
#################################################################################
#
# Containers, Zones, Jails
#
#################################################################################
#
InsertSection "Containers"
#
#################################################################################
#
# Test : CONT-8004
# Description : Query running Solaris zones
if [ -x /usr/sbin/zoneadm ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no CONT-8004 --os Solaris --weight L --network NO --description "Query running Solaris zones"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: query zoneadm to list all running zones"
FIND=`/usr/sbin/zoneadm list -p | awk -F: '{ if ($2!="global") print $0 }'`
if [ ! "${FIND}" = "" ]; then
N=0
for I in ${FIND}; do
N=`expr ${N} + 1`
ZONEID=`echo ${I} | cut -d ':' -f1`
ZONENAME=`echo ${I} | cut -d ':' -f2`
logtext "Result: found zone ${ZONENAME} (running)"
report "solaris_running_zone[]=${ZONENAME} [id:${ZONEID}]"
done
logtext "Result: total of ${N} running zones"
Display --indent 2 --text "- Checking Solaris Zones" --result "FOUND ${N} zones" --color GREEN
else
logtext "Result: no running zones found"
Display --indent 2 --text "- Checking Solaris Zones" --result NONE --color WHITE
fi
fi
#
#################################################################################
#
# Test : CONT-1906
# Description : Query running Xen zones
#if [ -x /usr/bin/xm ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
#Register --test-no CONT-1906 --weight L --network NO --description "Query Xen guests"
#if [ ${SKIPTEST} -eq 0 ]; then
# Show Xen guests
#FIND=`xm list | awk '$1 != "Name|Domain-0" {print $1","$2}'`
#for I in ${FIND}; do
#XENGUESTNAME=`echo ${I} | cut -d ':' -f1`
#XENGUESTID=`echo ${I} | cut -d ':' -f2`
#logtext "Result: found Xen guest ${XENGUESTNAME} (ID: ${XENGUESTID})"
#done
#fi
#
#################################################################################
#
# Test : CONT-8102
# Description : Checking Docker daemon status and basic information for later tests
Register --test-no CONT-8102 --weight L --network NO --description "Checking Docker status and information"
if [ ${SKIPTEST} -eq 0 ]; then
IsRunning "docker -d"
if [ ${RUNNING} -eq 1 ]; then
logtext "Result: found Docker daemon running"
report "docker_daemon_running=1"
DOCKER_DAEMON_RUNNING=1
Display --indent 4 --text "- Docker"
Display --indent 6 --text "- Docker daemon" --result RUNNING --color GREEN
fi
fi
#
#################################################################################
#
# Test : CONT-8104
# Description : Checking Docker info for any warnings
# Notes : Hardening points are awarded, as usually warnings are the result of missing controls to restrict boundaries like memory
if [ ! "${DOCKERBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no CONT-8104 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking Docker info for any warnings"
if [ ${SKIPTEST} -eq 0 ]; then
COUNT=0
logtext "Test: Check for any warnings"
FIND=`${DOCKERBINARY} info 2>&1 | grep "^WARNING:" | cut -d " " -f 2- | sed 's/ /:space:/g'`
if [ ! "${FIND}" = "" ]; then
logtext "Result: found warning(s) in output"
for I in ${FIND}; do
J=`echo ${I} | sed 's/:space:/ /g'`
logtext "Output: ${J}"
COUNT=`expr ${COUNT} + 1`
done
Display --indent 8 --text "- Docker info output (warnings)" --result "${COUNT}" --color RED
ReportSuggestion "${TEST_NO}" "Run 'docker info' to see warnings applicable to Docker daemon"
AddHP 3 4
else
logtext "Result: no warnings found from 'docker info' output"
Display --indent 8 --text "- Docker info output (warnings)" --result "NONE" --color GREEN
AddHP 1 1
fi
fi
#
#################################################################################
#
# Test : CONT-8106
# Description : Checking Docker containers (basic stats)
# Notes : Hardening points are awarded, if there aren't a lot of stopped containers
if [ ! "${DOCKERBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no CONT-8106 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking Docker info for any warnings"
if [ ${SKIPTEST} -eq 0 ]; then
Display --indent 6 --text "- Containers"
# Check total of containers
logtext "Test: checking total amount of Docker containers"
DOCKER_CONTAINERS_TOTAL=`${DOCKERBINARY} info 2> /dev/null | grep "^Containers: " | awk '{ print $2 }'`
logtext "Result: docker info shows ${DOCKER_CONTAINERS_TOTAL} containers"
DOCKER_CONTAINERS_TOTAL2=`${DOCKERBINARY} ps -a 2> /dev/null | grep -v "CONTAINER" | wc -l`
logtext "Result: docker ps -a shows ${DOCKER_CONTAINERS_TOTAL2} containers"
if [ ! "${DOCKER_CONTAINERS_TOTAL}" = "${DOCKER_CONTAINERS_TOTAL2}" ]; then
logtext "Result: difference detected, which is unexpected"
ReportSuggestion "${TEST_NO}" "Test output of both 'docker ps -a' and 'docker info', to determine why they report a different amount of containers"
Display --indent 8 --text "- Total containers" --result "UNKNOWN" --color RED
else
Display --indent 8 --text "- Total containers" --result "${DOCKER_CONTAINERS_TOTAL}" --color WHITE
fi
# Check running instances
DOCKER_CONTAINERS_RUNNING=`${DOCKERBINARY} ps | grep -v "CONTAINER" | wc -l`
Display --indent 8 --text "- Running containers" --result "${DOCKER_CONTAINERS_RUNNING}" --color GREEN
if [ ${DOCKER_CONTAINERS_RUNNING} -gt 0 ]; then
logtext "Result: ${DOCKER_CONTAINERS_RUNNING} containers are currently active"
report "docker_containers_running=${DOCKER_CONTAINERS_RUNNING}"
else
logtext "Result: no active containers"
report "docker_containers_running=0"
fi
# Check if there aren't too many unused containers on the system
if [ ${DOCKER_CONTAINERS_TOTAL} -gt 0 ]; then
DOCKER_CONTAINERS_UNUSED=`expr ${DOCKER_CONTAINERS_TOTAL} - ${DOCKER_CONTAINERS_RUNNING}`
if [ ${DOCKER_CONTAINERS_UNUSED} -gt 10 ]; then
ReportSuggestion "${TEST_NO}" "More than 10 unused containers found on the system. Clean up old containers by using output of 'docker ps -a' command"
Display --indent 8 --text "- Unused containers" --result "${DOCKER_CONTAINERS_UNUSED}" --color RED
AddHP 0 2
else
logtext "Result: found ${DOCKER_CONTAINERS_UNUSED} unused containers"
Display --indent 8 --text "- Unused containers" --result "${DOCKER_CONTAINERS_UNUSED}" --color YELLOW
AddHP 1 1
fi
fi
fi
#
#################################################################################
#
wait_for_keypress
#
#================================================================================
# Lynis - Copyright 2007-2015, CISOfy - https://cisofy.com
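Review bot: the Register line for CONT-8106 reuses the CONT-8104 description "Checking Docker info for any warnings", which will mislabel the test in reports; it should describe the container statistics it actually collects. In the same test, `if [ ${DOCKER_CONTAINERS_TOTAL} -gt 0 ]` and the earlier `-gt` on `DOCKER_CONTAINERS_RUNNING` fail with "unary operator expected" when `docker info` or `docker ps` returns nothing (daemon stopped, socket permission denied), because `2> /dev/null` hides the error and leaves the variable empty; defaulting the values to 0 or testing `-z` first avoids a shell error mid-audit. CONT-8102 decides daemon status with `IsRunning "docker -d"` and sets DOCKER_DAEMON_RUNNING, but CONT-8104 and CONT-8106 gate only on DOCKERBINARY, so they run (and fail) on a host with the client installed and no daemon; gating them on DOCKER_DAEMON_RUNNING would match the stated purpose of CONT-8102 "for later tests". Finally, `${DOCKERBINARY} ps | grep -v "CONTAINER"` at the running-containers check lacks the `2> /dev/null` the neighbouring calls use.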

View File

@ -14,6 +14,8 @@
#
#################################################################################
#
CSF_CONFIG="/etc/csf/csf.conf"
FILE_INT_TOOL=""
FILE_INT_TOOL_FOUND=0 # Boolean, file integrity tool found
#
#################################################################################
@ -30,11 +32,11 @@
logtext "Test: Checking AFICK binary"
if [ ! "${AFICKBINARY}" = "" ]; then
logtext "Result: AFICK is installed (${AFICKBINARY})"
FILE_INT_TOOL="afick"
FILE_INT_TOOL_FOUND=1
Display --indent 4 --text "- AFICK" --result FOUND --color GREEN
else
logtext "Result: AFICK is not installed"
Display --indent 4 --text "- AFICK" --result "NOT FOUND" --color WHITE
fi
fi
#
@ -47,11 +49,11 @@
logtext "Test: Checking AIDE binary"
if [ ! "${AIDEBINARY}" = "" ]; then
logtext "Result: AIDE is installed (${AIDEBINARY})"
FILE_INT_TOOL="aide"
FILE_INT_TOOL_FOUND=1
Display --indent 4 --text "- AIDE" --result FOUND --color GREEN
else
logtext "Result: AIDE is not installed"
Display --indent 4 --text "- AIDE" --result "NOT FOUND" --color WHITE
fi
fi
#
@ -119,11 +121,11 @@
logtext "Test: Checking Osiris binary"
if [ ! "${OSIRISBINARY}" = "" ]; then
logtext "Result: Osiris is installed (${OSIRISBINARY})"
FILE_INT_TOOL="osiris"
FILE_INT_TOOL_FOUND=1
Display --indent 4 --text "- Osiris" --result FOUND --color GREEN
else
logtext "Result: Osiris is not installed"
Display --indent 4 --text "- Osiris" --result "NOT FOUND" --color WHITE
fi
fi
#
@ -136,11 +138,11 @@
logtext "Test: Checking Samhain binary"
if [ ! "${SAMHAINBINARY}" = "" ]; then
logtext "Result: Samhain is installed (${SAMHAINBINARY})"
FILE_INT_TOOL="samhain"
FILE_INT_TOOL_FOUND=1
Display --indent 4 --text "- Samhain" --result FOUND --color GREEN
else
logtext "Result: Samhain is not installed"
Display --indent 4 --text "- Samhain" --result "NOT FOUND" --color WHITE
fi
fi
#
@ -153,11 +155,11 @@
logtext "Test: Checking Tripwire binary"
if [ ! "${TRIPWIREBINARY}" = "" ]; then
logtext "Result: Tripwire is installed (${TRIPWIREBINARY})"
FILE_INT_TOOL="tripwire"
FILE_INT_TOOL_FOUND=1
Display --indent 4 --text "- Tripwire" --result FOUND --color GREEN
else
logtext "Result: Tripwire is not installed"
Display --indent 4 --text "- Tripwire" --result "NOT FOUND" --color WHITE
fi
fi
#
@ -170,10 +172,12 @@
logtext "Test: Checking if OSSEC syscheck daemon is running"
IsRunning ossec-syscheckd
if [ ${RUNNING} -eq 1 ]; then
logtext "Result: syscheck (OSSEC) installed"
FILE_INT_TOOL="ossec-syscheck"
FILE_INT_TOOL_FOUND=1
Display --indent 4 --text "- OSSEC (syscheck)" --result FOUND --color GREEN
else
Display --indent 4 --text "- OSSEC (syscheck)" --result "NOT FOUND" --color WHITE
logtext "Result: syscheck (OSSEC) not installed"
fi
fi
#
@ -187,11 +191,59 @@
logtext "Test: Checking mtree binary"
if [ ! "${MTREEBINARY}" = "" ]; then
logtext "Result: mtree is installed (${MTREEBINARY})"
FILE_INT_TOOL="mtree"
FILE_INT_TOOL_FOUND=1
Display --indent 4 --text "- mtree" --result FOUND --color GREEN
else
logtext "Result: mtree is not installed"
Display --indent 4 --text "- mtree" --result "NOT FOUND" --color WHITE
fi
fi
#
#################################################################################
#
# Test : FINT-4334
# Description : Check if LFD is used (part of CSF suite)
if [ -f ${CSF_CONFIG} ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no FINT-4334 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check lfd daemon status"
if [ ${SKIPTEST} -eq 0 ]; then
Display --indent 4 --text "- lfd (CSF)" --result FOUND --color GREEN
IsRunning 'lfd '
if [ ${RUNNING} -eq 1 ]; then
logtext "Result: lfd daemon is running (CSF)"
Display --indent 6 --text "- Daemon status" --result RUNNING --color GREEN
FILE_INT_TOOL="csf-lfd"
FILE_INT_TOOL_FOUND=1
else
Display --indent 6 --text "- Daemon status" --result "NOT RUNNING" --color YELLOW
fi
fi
# Test : FINT-4336
# Description : Check if LFD is enabled (part of CSF suite)
if [ -f ${CSF_CONFIG} ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no FINT-4336 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check lfd configuration status"
if [ ${SKIPTEST} -eq 0 ]; then
# LFD configuration parameters
ENABLED=`grep "^LF_DAEMON = \"1\"" ${CSF_CONFIG}`
if [ ! "${ENABLED}" = "" ]; then
logtext "Result: lfd service is configured to run"
Display --indent 6 --text "- Configuration status" --result ENABLED --color GREEN
else
logtext "Result: lfd service is configured NOT to run"
Display --indent 6 --text "- Configuration status" --result DISABLED --color YELLOW
fi
ENABLED=`grep "^LF_DIRWATCH =" ${CSF_CONFIG} | awk '{ print $3 }' | sed 's/\"//g'`
if [ ! "${ENABLED}" = "0" -a ! "${ENABLED}" = "" ]; then
logtext "Result: lfd directory watching is enabled (value: ${ENABLED})"
Display --indent 6 --text "- Temporary directory watches" --result ENABLED --color GREEN
else
logtext "Result: lfd directory watching is disabled"
Display --indent 6 --text "- Temporary directory watches" --result DISABLED --color YELLOW
fi
ENABLED=`grep "^LF_DIRWATCH_FILE =" ${CSF_CONFIG} | awk '{ print $3 }' | sed 's/\"//g'`
if [ ! "${ENABLED}" = "0" -a ! "${ENABLED}" = "" ]; then
Display --indent 6 --text "- Directory/File watches" --result ENABLED --color GREEN
else
Display --indent 6 --text "- Directory/File watches" --result DISABLED --color YELLOW
fi
fi
#
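Review bot: FINT-4336 starts directly after the closing `fi` of FINT-4334 without the `#` / `####` separator block used between every other test in this file; adding it keeps the file greppable by test ID. `IsRunning 'lfd '` with a trailing space is presumably intended to avoid matching process names that merely start with "lfd"; a one-line comment saying so prevents the next editor from "fixing" it. The configuration checks are whitespace-sensitive: `grep "^LF_DAEMON = \"1\""` misses `LF_DAEMON="1"` or tab-separated variants, whereas the LF_DIRWATCH checks already tolerate this by extracting the value with awk; applying the same awk/sed extraction to LF_DAEMON would make the three checks consistent.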
@ -209,7 +261,7 @@
else
logtext "Result: No file integrity tools found"
Display --indent 2 --text "- Checking presence integrity tool" --result "NOT FOUND" --color YELLOW
ReportSuggestion ${TEST_NO} "Install a file integrity tool"
ReportSuggestion ${TEST_NO} "Install a file integrity tool to monitor changes to critical and sensitive files"
AddHP 0 5
fi
fi
@ -217,6 +269,7 @@
#################################################################################
#
report "file_integrity_tool=${FILE_INT_TOOL}"
report "file_integrity_tool_installed=${FILE_INT_TOOL_FOUND}"
wait_for_keypress
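Review bot: `file_integrity_tool=${FILE_INT_TOOL}` reports a single scalar, but every test above assigns `FILE_INT_TOOL="..."` unconditionally, so on a host with more than one tool (say AIDE plus OSSEC syscheck) only the last one found in file order reaches the report. If the intent is to record all installed tools, emit `report "file_integrity_tool[]=..."` from each test instead; if it is to record one, the overwrite order should be documented.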

View File

@ -209,23 +209,46 @@
FOUND=0
logtext "Test: query swap partitions from /etc/fstab file"
# Check if third field contains 'swap'
FIND=`awk '{ if ($3=="swap") print $1 }' /etc/fstab`
FIND=`awk '{ if ($2=="swap" || $3=="swap") { print $1 }}' /etc/fstab | grep -v "^#"`
for I in ${FIND}; do
FOUND=1
REAL=""
UUID=""
logtext "Swap partition found: ${I}"
# YYY Add a test if partition is not a normal partition (e.g. UUID=)
# Can be ^/dev/mapper/vg-name_lv-name
# Can be ^/dev/partition
# Can be ^UUID=uuid --> /dev/disk/by-uuid/<uuid>
# if [ ! "${BLKIDBINARY}" = "" ]; then
# FIND2=`${BLKIDBINARY} | awk '{ if ($2=="UUID=\"${UUID}\"") print $1 }' | sed 's/:$//'`
# else
# logtext "Result: blkid binary not found, trying by checking device listing"
# if [ -f /dev/disk/by-uuid/${UUID} ]; then
# logtext "Result: found disk via /dev/disk/by-uuid listing"
# fi
# fi
report "swap_partition[]=${I}"
HAS_UUID=`echo ${I} | grep "^UUID="`
if [ ! "${HAS_UUID}" = "" ]; then
UUID=`echo ${HAS_UUID} | awk -F= '{ print $2 }'`
logtext "Result: Using ${UUID} as UUID"
if [ ! "${BLKIDBINARYx}" = "" ]; then
FIND2=`${BLKIDBINARY} | awk '{ if ($2=="UUID=\"${UUID}\"") print $1 }' | sed 's/:$//'`
if [ ! "${FIND2}" = "" ]; then
REAL="${FIND2}"
fi
else
logtext "Result: blkid binary not found, trying by checking device listing"
sFILE=""
if [ -L /dev/disk/by-uuid/${UUID} ]; then
logtext "Result: found disk via /dev/disk/by-uuid listing"
ShowSymlinkPath /dev/disk/by-uuid/${UUID}
if [ ! "${sFILE}" = "" ]; then
REAL="${sFILE}"
logtext "Result: disk is ${REAL}"
fi
else
logtext "Result: no symlink found to /dev/disk/by-uuid/${UUID}"
fi
fi
fi
# Set real device
if [ "${REAL}" = "" ]; then
REAL="${I}"
fi
report "swap_partition[]=${I},${REAL},"
done
if [ ${FOUND} -eq 1 ]; then
Display --indent 2 --text "- Query swap partitions (fstab)" --result OK --color GREEN
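Review bot: the blkid branch is dead code twice over. `if [ ! "${BLKIDBINARYx}" = "" ]` tests a variable with a stray `x` suffix that is never set, so the else branch is always taken; and even once the typo is fixed, the awk program is single-quoted, so `${UUID}` is never expanded by the shell and the comparison is against the literal text `UUID="${UUID}"`. Passing the value in with `awk -v uuid="${UUID}" '{ if ($2=="UUID=\"" uuid "\"") print $1 }'` fixes the second problem. Also note the new report line `swap_partition[]=${I},${REAL},` ends with a trailing comma, which the report consumer will see as an empty third field.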

View File

@ -340,7 +340,6 @@
logtext "Test: Searching apt-cache, to determine if a newer kernel is available"
if [ -x /usr/bin/apt-cache ]; then
logtext "Result: found /usr/bin/apt-cache"
# YYY Test for presence /usr/bin/apt-cache and dpkg
logtext "Test: checking readlink location of /vmlinuz"
FINDKERNFILE=`readlink -f /vmlinuz`
logtext "Output: readlink reported file ${FINDKERNFILE}"
@ -516,7 +515,8 @@
FIND=`ls /boot/vmlinuz* 2> /dev/null`
if [ ! "${FIND}" = "" ]; then
# Display kernels, extract version numbers and sort them numeric per column (up to 6 numbers)
KERNELS=`ls /boot/vmlinuz* | sed 's/vmlinuz-//' | sed 's/\.[a-z].*.//g' | sed 's/-[a-z].*.//g' | sed 's./boot/..' | sed 's/-/./g' | sort -n -k1,1 -k2,2 -k3,3 -k4,4 -k5,5 -k6,6 -t \.`
# Remove generic. and huge. for Slackware machines
KERNELS=`ls /boot/vmlinuz* | sed 's/vmlinuz-//' | sed 's/generic.//' | sed 's/huge.//' | sed 's/\.[a-z].*.//g' | sed 's/-[a-z].*.//g' | sed 's./boot/..' | sed 's/-/./g' | sort -n -k1,1 -k2,2 -k3,3 -k4,4 -k5,5 -k6,6 -t \.`
elif [ ! `ls /boot/kernel* 2> /dev/null` = "" ]; then
# Display kernels, extract version numbers and sort them numeric per column (up to 6 numbers)
# Examples:
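Review bot: in the new `sed 's/generic.//' | sed 's/huge.//'` the unescaped `.` is a regex wildcard; given Slackware names like `vmlinuz-generic-4.x.y` that is what makes the `-` after "generic" disappear, but it also strips the pattern wherever it appears in the name. Writing the intent explicitly, `sed 's/^generic[.-]//; s/^huge[.-]//'`, anchors the match and documents that the dot stands for the separator, and it can be folded into the existing sed pipeline rather than adding two more processes.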
@ -580,4 +580,4 @@ wait_for_keypress
#
#================================================================================
# Lynis - Copyright 2007-2015, Michael Boelen - http://cisofy.com - The Netherlands
# Lynis - Copyright 2007-2015, CISOfy - https://cisofy.com

View File

@ -274,7 +274,7 @@
Register --test-no LOGG-2150 --weight L --preqs-met ${PREQS_MET} --network NO --description "Checking directories in logrotate configuration"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Checking which directories can be found in logrotate configuration"
FIND=`${LOGROTATEBINARY} -d -v /etc/logrotate.conf 2>&1 | egrep "considering log|skipping" | grep -v '*' | sort | uniq | awk '{ if ($2=="log") { print $3 } }' | sed 's/\/*[a-zA-Z_.-]*$//g' | sort | uniq`
FIND=`${LOGROTATEBINARY} -d -v /etc/logrotate.conf 2>&1 | egrep "considering log|skipping" | grep -v '*' | sort | uniq | awk '{ if ($2=="log") { print $3 } }' | sed 's@/[^/]*$@@g' | sort | uniq`
if [ "${FIND}" = "" ]; then
logtext "Result: nothing found"
else
@ -285,7 +285,6 @@
report "log_directory[]=${I}"
else
logtext "Directory could not be found: ${I}"
# YYY strip more parts of the name, until it can be found (and stop at /)
fi
done
fi

View File

@ -23,7 +23,9 @@
#################################################################################
#
CLAMD_RUNNING=0
MCAFEE_SCANNER_RUNNING=0
MALWARE_SCANNER_INSTALLED=0
SOPHOS_SCANNER_RUNNING=0
#
#################################################################################
#
@ -66,27 +68,36 @@
Register --test-no MALW-3280 --weight L --network NO --description "Check if anti-virus tool is installed"
if [ ${SKIPTEST} -eq 0 ]; then
FOUND=0
MCAFEE_RUNNING=0
logtext "Test: checking process cma or cmdagent (McAfee)"
# cma is too generic to match on, so we want to ensure that it is related to McAfee first
if [ -x /opt/McAfee/cma/bin/cma ]; then
IsRunning cma
if [ ${RUNNING} -eq 1 ]; then MCAFEE_RUNNING=1; fi
if [ ${RUNNING} -eq 1 ]; then MCAFEE_SCANNER_RUNNING=1; fi
else
IsRunning cmdagent
if [ ${RUNNING} -eq 1 ]; then MCAFEE_RUNNING=1; fi
if [ ${RUNNING} -eq 1 ]; then MCAFEE_SCANNER_RUNNING=1; fi
fi
if [ ${MCAFEE_RUNNING} -eq 1 ]; then
if [ ${MCAFEE_SCANNER_RUNNING} -eq 1 ]; then
FOUND=1
Display --indent 2 --text "- Checking McAfee" --result "FOUND" --color GREEN
logtext "Result: Found McAfee"
MALWARE_SCANNER_INSTALLED=1
AddHP 2 2
fi
# Sophos savscand/SophosScanD
logtext "Test: checking process savscand"
IsRunning savscand
if [ ${RUNNING} -eq 1 ]; then
FOUND=1
SOPHOS_SCANNER_RUNNING=1;
fi
logtext "Test: checking process SophosScanD"
IsRunning SophosScanD
if [ ${RUNNING} -eq 1 ]; then
FOUND=1
SOPHOS_SCANNER_RUNNING=1;
fi
if [ ${SOPHOS_SCANNER_RUNNING} -eq 1 ]; then
Display --indent 2 --text "- Checking Sophos" --result "FOUND" --color GREEN
logtext "Result: Found Sophos"
MALWARE_SCANNER_INSTALLED=1
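Review bot: the two new Sophos blocks end their assignments with a stray `;` (`SOPHOS_SCANNER_RUNNING=1;`), which is harmless but inconsistent with the rest of the file. Both blocks also set `FOUND=1` and `SOPHOS_SCANNER_RUNNING=1` separately, so `FOUND` could simply be set once inside the `if [ ${SOPHOS_SCANNER_RUNNING} -eq 1 ]` block that follows, the same way the McAfee check does it.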
@ -114,7 +125,6 @@
logtext "Result: clamscan couldn't be found"
fi
fi
#
#################################################################################
#
@ -185,22 +195,6 @@
# Description : Check for LMD
#
#################################################################################
#
# Test : MALW-3292
# Description : Check if at least one malware scanner is installed
# Register --test-no MALW-3292 --weight L --network NO --description "Check for at least one malware scanner"
# if [ ${SKIPTEST} -eq 0 ]; then
# if [ ${MALWARE_SCANNER_INSTALLED} -eq 1 ]; then
# logtext "Result: At least one malware scanner is installed"
# Display --indent 2 --text "- Checking presence malware scanner" --result "FOUND" --color GREEN
# #AddHP 3 3
# else
# logtext "Result: No malware scanners found"
# Display --indent 2 --text "- Checking presence malware scanner" --result "NOT FOUND" --color YELLOW
# ReportSuggestion ${TEST_NO} "Install at least one malware scanner to perform periodic integrity tests on the system"
# #AddHP 0 3
# fi
# fi
#
#################################################################################
#

View File

@ -402,9 +402,67 @@
fi
#
#################################################################################
#
# Test : PKGS-7366
# Description : Checking if debsecan is installed and enabled on Debian systems
if [ ! "${DEBSECANBINARY}" = "" -a "${OS}" = "Linux" -a "${LINUX_VERSION}" = "Debian" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no "PKGS-7366" --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking for debsecan utility"
if [ ${SKIPTEST} -eq 0 ]; then
if [ ! "${DEBSECANBINARY}" = "" ]; then
logtext "Result: debsecan utility is installed"
Display --indent 4 --text "- debsecan utility" --result "FOUND" --color GREEN
AddHP 3 3
PACKAGE_AUDIT_TOOL_FOUND=1
PACKAGE_AUDIT_TOOL="debsecan"
FIND=`find /etc/cron* -name debsecan`
if [ ! ${FIND} = "" ]; then
logtext "Result: cron job is configured for debsecan"
Display --indent 6 --text "- debsecan cron job" --result "FOUND" --color GREEN
AddHP 3 3
else
logtext "Result: no cron job is configured for debsecan"
Display --indent 4 --text "- debsecan cron job" --result "NOT FOUND" --color YELLOW
AddHP 1 3
ReportSuggestion ${TEST_NO} "Check debsecan cron job and ensure it is enabled"
fi
else
logtext "Result: debsecan is not installed."
Display --indent 4 --text "- debsecan utility" --result "NOT FOUND" --color YELLOW
AddHP 0 2
ReportSuggestion ${TEST_NO} "Install debsecan to check for vulnerabilities on installed packages."
fi
fi
#
#################################################################################
#
# Test : PKGS-7370
# Description : Check debsums output
# Description : Checking debsums installation status and presence in cron job
# Note : Run this only when it is a DPKG based system
if [ ! "${DPKGBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no "PKGS-7370" --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking for debsums utility"
if [ ${SKIPTEST} -eq 0 ]; then
if [ ! "${DEBSUMSBINARY}" = "" ]; then
logtext "Result: debsums utility is installed"
Display --indent 4 --text "- debsums utility" --result "FOUND" --color GREEN
AddHP 1 1
# Check in /etc/cron.hourly, daily, weekly, monthly etc
COUNT=`find /etc/cron* -name debsums | wc -l`
if [ ${COUNT} -gt 0 ]; then
logtext "Result: Cron job is configured for debsums utility."
Display --indent 6 --text "- Cron job for debsums" --result "FOUND" --color GREEN
AddHP 3 3
else
logtext "Result: Cron job is not configured for debsums utility."
Display --indent 6 --text "- Cron job for debsums" --result "NOT FOUND" --color YELLOW
AddHP 1 3
ReportSuggestion "${TEST_NO}" "Check debsums configuration and enable checking regurlarly via a cron job."
fi
else
logtext "Result: debsums utility is not installed."
AddHP 0 2
ReportSuggestion ${TEST_NO} "Install debsums utility for the verification of packages with known good database."
fi
fi
#
#################################################################################
#
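Review bot: the debsecan cron check `if [ ! ${FIND} = "" ]; then` leaves ${FIND} unquoted; when find returns nothing the test degenerates to `[ ! = "" ]` and errors out, and when it returns more than one path the test gets extra operands. Quote it like the surrounding tests (`if [ ! "${FIND}" = "" ]; then`) or count matches with `wc -l` as the debsums block further down does. Smaller points in the same hunk: PKGS-7370 carries two `# Description :` lines, the debsecan cron result uses `--indent 6` in the FOUND branch but `--indent 4` in the NOT FOUND branch, the debsums-not-installed branch has no Display line while the debsecan one does, and "regurlarly" in the PKGS-7370 suggestion should read "regularly".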
@ -933,9 +991,45 @@
#
#################################################################################
#
# check for popularity-contest (Debian/Ubuntu)
# check for yum-changelog
# Test : PKGS-7410
# Description : Count number of installed kernel packages
Register --test-no PKGS-7410 --weight L --network NO --description "Count installed kernel packages"
if [ ${SKIPTEST} -eq 0 ]; then
KERNELS=0
if [ ! "${RPMBINARY}" = "" ]; then
logtext "Test: Checking how many kernel packages are installed"
KERNELS=`rpm -q kernel 2> /dev/null | wc -l`
if [ ${KERNELS} -eq 0 ]; then
logtext "Result: found no kernels from rpm -q kernel output, which is unexpected"
ReportException "KRNL-5840:1" "Could not find any kernel packages from RPM output"
elif [ ${KERNELS} -gt 5 ]; then
logtext "Result: found more than 5 kernel packages on the system, which might indicate lack of regular cleanups"
ReportSuggestion "${TEST_NO}" "Remove any unneeded kernel packages with package-cleanup utility (--old-kernels)"
AddHP 4 5
else
logtext "Result: found ${KERNELS} on the system, which is fine"
AddHP 1 1
fi
fi
fi
#
#################################################################################
#
# Test : PKGS-7414
# Description : Check installonly_limit in yum.conf
#
#################################################################################
#
# Test : PKGS-7416
# Description : Check for popularity-contest (Debian/Ubuntu)
#
#################################################################################
#
# Test : PKGS-7418
# Description : Check for yum-changelog
#
#################################################################################
#
if [ ! "${INSTALLED_PACKAGES}" = "" ]; then
report "installed_packages_array=${INSTALLED_PACKAGES}"
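Review bot: PKGS-7410 files its exception under the wrong identifier: `ReportException "KRNL-5840:1"` inside a PKGS-7410 test attributes the problem to the kernel test; use `"${TEST_NO}:1"`. The zero branch also cannot trigger as written, because `rpm -q kernel` prints "package kernel is not installed" on stdout and `wc -l` then returns 1; check the exit status (or `rpm -q kernel > /dev/null 2>&1`) before counting. The suggestion spells the option `--old-kernels`, whereas yum-utils' package-cleanup takes `--oldkernels`. The success log line, "found ${KERNELS} on the system", is missing the words "kernel packages". Lastly the test is Registered without `--preqs-met`, so on non-RPM hosts it runs, leaves KERNELS at 0 and reports nothing; gating it on RPMBINARY like the neighbouring tests keeps the log consistent.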


@ -57,16 +57,9 @@
logtext "Output /etc/ttys:"
logtext "${FIND}"
ReportWarning ${TEST_NO} "M" "Found unprotected console in /etc/ttys"
#ReportSuggestion ${TEST_NO} "Change the console line from 'secure' to 'insecure'."
logtext "Possible solution: Change the console line from 'secure' to 'insecure'."
fi
fi
#
#################################################################################
#
# Test : SHLL-6214
# Description : check for idle session killing tools (timeoutd)
#
#################################################################################
#
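Review bot: the fix for an unprotected console now appears only in the log (`logtext "Possible solution: Change the console line from 'secure' to 'insecure'."`) while the finding still reaches the report as a medium warning; the commented-out ReportSuggestion was the only place a user reading the report would see the remediation, so consider keeping it alongside the log line.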
@ -220,43 +213,6 @@
fi
#
#################################################################################
#
# Test : SHLL-6236
# Description : Check /etc/profile
#
#################################################################################
#
# Test : SHLL-6240
# Description : Check default umask
# Register --test-no SHLL-6240 --weight L --network NO --description "Check default umask"
# if [ ${SKIPTEST} -eq 0 ]; then
# logtext "Test: Checking /etc/profile"
# if [ -f /etc/profile ]; then
# FIND=`grep "^umask" | awk '{ print $2 }'`
# if [ "${FIND}" = "" ]; then
# logtext "Result: xxx"
# Display --indent 2 --text "- Checking default umask" --result OK --color GREEN
# else
# logtext "Result: xxx"
# Display --indent 2 --text "- Checking default umask" --result WARNING --color RED
# #ReportWarning ${TEST_NO} "M" "xxx"
# #ReportSuggestion ${TEST_NO} "xxx"
# fi
# fi
# fi
#
#################################################################################
#
# Test : SHLL-6250
# Description : Check /etc/bash.bashrc
# Register --test-no SHLL-6250 --weight L --network NO --description "Check default umask"
# if [ ${SKIPTEST} -eq 0 ]; then
#
#################################################################################
#
#
#################################################################################
#
# Test : SHLL-6290
# Description : Check for Shellshock vulnerability
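Review bot: removing the disabled SHLL-6236/6240/6250 drafts is reasonable, but it leaves the default umask unchecked in this category; if the draft is revived later, note that it had a bug (`grep "^umask"` without a file argument reads stdin, so the awk step never saw /etc/profile). Record the retired IDs so they are not reused for unrelated tests.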
@ -395,4 +351,4 @@ wait_for_keypress
#
#================================================================================
# Lynis - Copyright 2007-2015, CISOfy & Michael Boelen - http://cisofy.com - The Netherlands
# Lynis - Copyright 2007-2015, CISOfy - http://cisofy.com


@ -33,7 +33,7 @@
if [ -d /etc/modprobe.d ]; then
FIND=`ls /etc/modprobe.d/* 2> /dev/null`
if [ ! "${FIND}" = "" ]; then
FIND=`grep -r "install usb-storage /bin/true" /etc/modprobe.d/* | grep "usb-storage" | grep -v "#"`
FIND=`grep -r "install usb-storage /bin/(false|true)" /etc/modprobe.d/* | grep "usb-storage" | grep -v "#"`
FIND2=`egrep -r "^blacklist (usb_storage|usb-storage)" /etc/modprobe.d/*`
if [ ! "${FIND}" = "" -o ! "${FIND2}" = "" ]; then
FOUND=1
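Review bot: the new pattern `install usb-storage /bin/(false|true)` is handed to plain `grep`, which treats it as a basic regular expression in which `(`, `|` and `)` are literal characters; it now matches neither `/bin/true` nor `/bin/false`, so the test regresses from detecting one form to detecting none. Use `egrep` (as FIND2 on the following line does) or `grep -E`, and since FIND2 already accepts both `usb_storage` and `usb-storage`, `install usb[-_]storage /bin/(false|true)` would keep the two checks aligned.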
@ -44,7 +44,7 @@
fi
fi
if [ -f /etc/modprobe.conf ]; then
FIND=`grep "install usb-storage /bin/true" /etc/modprobe.conf | grep "usb-storage" | grep -v "#"`
FIND=`grep "install usb-storage /bin/(false|true)" /etc/modprobe.conf | grep "usb-storage" | grep -v "#"`
if [ ! "${FIND}" = "" ]; then
FOUND=1
logtext "Result: found usb-storage driver in disabled state"
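Review bot: same defect as in the /etc/modprobe.d branch: `grep "install usb-storage /bin/(false|true)"` is a basic regex, so the alternation is literal and never matches /etc/modprobe.conf; switch to `egrep` or `grep -E`.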
@ -66,6 +66,7 @@
#
# Test : STRG-1846
# Description : Check for disabled firewire storage
# Explanation : Best option is to use the install function, or else drivers can still be loaded manually
Register --test-no STRG-1846 --os Linux --weight L --network NO --description "Check if firewire storage is disabled"
if [ ${SKIPTEST} -eq 0 ]; then
FOUND=0
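Review bot: the new Explanation line says an `install` directive is the better option because a blacklisted module can still be loaded manually, yet the test below treats `blacklist` (FIND1) and `install` (FIND2) as equivalent (`-o`) and reports the driver as disabled for either; if the distinction matters, score the blacklist-only case lower or add a suggestion for it rather than only documenting it in a comment.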
@ -73,8 +74,8 @@
if [ -d /etc/modprobe.d ]; then
FIND=`ls /etc/modprobe.d/* 2> /dev/null`
if [ ! "${FIND}" = "" ]; then
FIND1=`egrep "blacklist (ohci1394|firewire-ohci)" /etc/modprobe.d/* | grep "ohci" | grep -v "#"`
FIND2=`egrep "install (ohci1394|firewire-ohci) /bin/true" /etc/modprobe.d/* | grep "ohci" | grep -v "#"`
FIND1=`egrep "blacklist (ohci1394|firewire-ohci|firewire_ohci)" /etc/modprobe.d/* | grep "ohci" | grep -v "#"`
FIND2=`egrep "install (ohci1394|firewire-ohci|firewire_ohci) /bin/(false|true)" /etc/modprobe.d/* | grep "ohci" | grep -v "#"`
if [ ! "${FIND1}" = "" -o ! "${FIND2}" = "" ]; then
FOUND=1
logtext "Result: found firewire ohci driver in disabled state"
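Review bot: `egrep` is used here, so the `(false|true)` alternation works and the usb-storage patterns earlier in this file should be brought in line with it. Two nits: the trailing `| grep "ohci"` is redundant now that every alternative contains "ohci", and `grep -v "#"` discards any line containing a `#` anywhere, so an active `install firewire_ohci /bin/false # disabled` line is ignored; `grep -v "^[[:space:]]*#"` excludes only comment lines.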
@ -84,8 +85,8 @@
fi
fi
if [ -f /etc/modprobe.conf ]; then
FIND1=`egrep -r "blacklist (ohci1394|firewire-ohci)" /etc/modprobe.conf | grep "ohci" | grep -v "#"`
FIND2=`egrep -r "install (ohci1394|firewire-ohci) /bin/true" /etc/modprobe.conf | grep "ohci" | grep -v "#"`
FIND1=`egrep -r "blacklist (ohci1394|firewire-ohci|firewire_ohci)" /etc/modprobe.conf | grep "ohci" | grep -v "#"`
FIND2=`egrep -r "install (ohci1394|firewire-ohci|firewire_ohci) /bin/(false|true)" /etc/modprobe.conf | grep "ohci" | grep -v "#"`
if [ ! "${FIND1}" = "" -o ! "${FIND2}" = "" ]; then
FOUND=1
logtext "Result: found firewire ohci driver in disabled state"
@ -107,6 +108,7 @@
#
#################################################################################
#
# Use modprobe --showconfig to test for options
# NetBSD: amd (auto mount daemon)
@ -119,4 +121,4 @@ wait_for_keypress
#
#================================================================================
# Lynis - Copyright 2007-2015, Michael Boelen - www.rootkit.nl - The Netherlands
# Lynis - Copyright 2007-2015, CISOfy, Michael Boelen - https://cisofy.com


@ -32,6 +32,7 @@
# Specific for ntpd
NTPD_RUNNING=0
CRON_DIRS="/etc/cron.d /etc/cron.hourly /etc/cron.daily /etc/cron.weekly /etc/cron.monthly /var/spool/crontabs"
SYSTEMD_NTP_ENABLED=0
#
#################################################################################
#
@ -46,10 +47,25 @@
fi
Register --test-no TIME-3104 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check for running NTP daemon or client"
if [ ${SKIPTEST} -eq 0 ]; then
# Linux/FreeBSD (ntpdate), OpenBSD (ntpd, rdate)
# Linux/FreeBSD (ntpdate), OpenBSD (ntpd, rdate), Chrony, systemd-timesyncd
logtext "Test: Searching for a running NTP daemon or available client"
FOUND=0
if [ -f /etc/chrony.conf ]; then
IsRunning chronyd
if [ ${RUNNING} -eq 1 ]; then
FOUND=1; NTP_DAEMON_RUNNING=1; NTP_CONFIG_TYPE_DAEMON=1; NTP_DAEMON="chronyd"
Display --indent 2 --text "- NTP daemon found: chronyd" --result FOUND --color GREEN
fi
fi
# Check time daemon (eg DragonFly BSD)
IsRunning dntpd
if [ ${RUNNING} -eq 1 ]; then
FOUND=1; NTP_DAEMON_RUNNING=1; NTP_CONFIG_TYPE_DAEMON=1; NTP_DAEMON="dntpd"
Display --indent 2 --text "- NTP daemon found: dntpd" --result FOUND --color GREEN
fi
# Check running processes
FIND=`${PSBINARY} ax | grep "ntpd" | grep -v "dntpd" | grep -v "grep"`
if [ ! "${FIND}" = "" ]; then
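Review bot: chrony detection is gated on `-f /etc/chrony.conf`, but Debian and Ubuntu install the file as /etc/chrony/chrony.conf, so a running chronyd on those systems is skipped and only the generic `ps ax | grep "ntpd"` check remains, which does not match chronyd. `IsRunning chronyd` is cheap; call it unconditionally or test both paths. The dntpd block is moved up unchanged, which is fine.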
@ -66,19 +82,18 @@
Display --indent 2 --text "- NTP daemon found: timed" --result FOUND --color GREEN
fi
# Check time daemon (eg DragonFly BSD)
IsRunning dntpd
if [ ${RUNNING} -eq 1 ]; then
FOUND=1; NTP_DAEMON_RUNNING=1; NTP_CONFIG_TYPE_DAEMON=1; NTP_DAEMON="dntpd"
Display --indent 2 --text "- NTP daemon found: dntpd" --result FOUND --color GREEN
fi
# Check timedate daemon (systemd)
if [ ! "${TIMEDATECTL}" = "" ]; then
FIND=`${TIMEDATECTL} status | grep "NTP enabled: yes"`
if [ ! "${FIND}" = "" ]; then
FOUND=1; NTP_DAEMON_RUNNING=1; NTP_CONFIG_TYPE_DAEMON=1; NTP_DAEMON="timedated"
Display --indent 2 --text "- NTP daemon found: timedated" --result "FOUND" --color GREEN
# Check for systemd-timesyncd
if [ -f /etc/systemd/timesyncd.conf ]; then
FOUND=1; NTP_DAEMON_RUNNING=1; NTP_CONFIG_TYPE_DAEMON=1; NTP_DAEMON="systemd-timesyncd"
Display --indent 2 --text "- NTP daemon found: systemd (timesyncd)" --result "FOUND" --color GREEN
SYSTEMD_NTP_ENABLED=1
fi
else
logtext "Result: time sychronization not performed according timedatectl command"
fi
fi
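Review bot: the systemd-timesyncd branch is nested inside the `NTP enabled: yes` branch and triggers on the mere existence of /etc/systemd/timesyncd.conf, a file systemd ships by default even when another NTP daemon is in use; the outcome is two Display lines for one service and NTP_DAEMON overwritten from "timedated" to "systemd-timesyncd" without confirming that systemd-timesyncd is running. Use `IsRunning systemd-timesyncd` (or `systemctl is-active systemd-timesyncd`) instead of the file test and set SYSTEMD_NTP_ENABLED only when that succeeds.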
@ -94,7 +109,7 @@
Display --indent 2 --text "- Checking NTP client in crontab file (${I})" --result FOUND --color GREEN
logtext "Result: found ntpdate or rdate reference in crontab file ${I}"
else
Display --indent 2 --text "- Checking NTP client in crontab file (${I})" --result "NOT FOUND" --color WHITE
#Display --indent 2 --text "- Checking NTP client in crontab file (${I})" --result "NOT FOUND" --color WHITE
logtext "Result: no ntpdate or rdate reference found in crontab file ${I}"
fi
else
@ -133,11 +148,10 @@
Display --indent 2 --text "- Checking NTP client in cron files" --result FOUND --color GREEN
logtext "Result: found ntpdate or rdate in cron directory"
else
Display --indent 2 --text "- Checking NTP client in cron.d files" --result "NOT FOUND" --color WHITE
#Display --indent 2 --text "- Checking NTP client in cron.d files" --result "NOT FOUND" --color WHITE
logtext "Result: no ntpdate or rdate found in cron directories"
fi
# Checking if ntpdate is performed by event
logtext "Test: checking for file /etc/network/if-up.d/ntpdate"
if [ -f /etc/network/if-up.d/ntpdate ]; then
@ -181,6 +195,21 @@
fi
#
#################################################################################
#
# Test : TIME-3106
# Description : Check status of systemd time synchronization
if [ ${SYSTEMD_NTP_ENABLED} -eq 1 -a ! "${TIMEDATECTL}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no TIME-3106 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check systemd NTP time synchronization status"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Check the status of time synchronization via timedatectl"
FIND=`${TIMEDATECTL} status | grep "NTP sychronized: yes"`
if [ "${FIND}" = "" ]; then
logtext "Result: time not synchronized via NTP"
ReportSuggestion "${TEST_NO}" "Check timedatectl output. Sychronization via NTP is enabled, but status reflects it is not synchronized"
fi
fi
#
#################################################################################
#
# Test : TIME-3112
# Description : Check for valid associations from ntpq peers list
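Review bot: TIME-3106 greps for "NTP sychronized: yes", but timedatectl prints "NTP synchronized: yes"; with the misspelled pattern FIND is always empty and the suggestion fires on every host, synchronized or not. Fix the pattern (the suggestion text carries the same typo). Since newer systemd releases have reworded this label, a case-insensitive match on `synchronized: *yes` is more robust than the exact string.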
@ -404,6 +433,8 @@
#
#################################################################################
#
# For VMs check ntpd.conf : tinker panic 0
#
wait_for_keypress
@ -429,4 +460,4 @@ wait_for_keypress
#
#================================================================================
# Lynis - Copyright 2007-2015, Michael Boelen - www.rootkit.nl - The Netherlands
# Lynis - Copyright 2007-2015, CISOfy - https://cisofy.com


@ -45,6 +45,25 @@
Display --indent 4 --text "Found: Cfengine (cfagent)" --result FOUND --color GREEN
fi
CHEF_LOCATIONS="/opt/chef/bin /opt/chef-server/sv /opt/chefdk/bin"
for I in ${CHEF_LOCATIONS}; do
if [ -d ${I} ]; then
if [ -f ${I}/chef-client ]; then
CHEFCLIENTBINARY="${I}/chef-client"
AUTOMATION_TOOL_FOUND=1
Display --indent 4 --text "Found: Chef client (chef-client)" --result FOUND --color GREEN
logtext "Result: found chef-client (chef client daemon) in ${I}"
fi
if [ -f ${I}/erchef ]; then
CHEFSERVERBINARY="${I}/erchef"
logtext "Result: Chef Server (erchef) is installed (${CHEFSERVERBINARY})"
AUTOMATION_TOOL_FOUND=1
Display --indent 4 --text "Found: Chef Server (erchef)" --result FOUND --color GREEN
logtext "Result: found erchef (chef server daemon) in ${I}"
fi
fi
done
# Puppet
if [ ! "${PUPPETBINARY}" = "" ]; then
logtext "Result: Puppet is installed (${PUPPETBINARY})"
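Review bot: the erchef branch logs the same discovery twice (`logtext "Result: Chef Server (erchef) is installed (${CHEFSERVERBINARY})"` and `logtext "Result: found erchef (chef server daemon) in ${I}"`); keep one. The loop does not stop after a match, so when chef-client exists in both /opt/chef/bin and /opt/chefdk/bin the later path silently overwrites CHEFCLIENTBINARY and the Display line is printed twice; `break` on first hit or log each location. Under a runit-style `sv` tree the service entry is normally a directory, in which case `-f ${I}/erchef` never matches in /opt/chef-server/sv; `-e` (or `-x` for the client binaries) is the safer test.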
@ -106,4 +125,4 @@
wait_for_keypress
#
#================================================================================
# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com
# Lynis - Copyright 2007-2015, CISOfy - https://cisofy.com


@ -5,8 +5,8 @@
# Lynis
# ------------------
#
# Copyright 2007-2015, Michael Boelen (michael@rootkit.nl), The Netherlands
# Web site: http://www.rootkit.nl
# Copyright 2007-2015, Michael Boelen (michael.boelen@cisofy.com)
# Web site: https://cisofy.com
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
@ -22,49 +22,6 @@
#
#################################################################################
#
# Test : VIRT-1902
# Description : Query running Solaris zones
if [ -x /usr/sbin/zoneadm ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no VIRT-1902 --os Solaris --weight L --network NO --description "Query running Solaris zones"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: query zoneadm to list all running zones"
FIND=`/usr/sbin/zoneadm list -p | awk -F: '{ if ($2!="global") print $0 }'`
if [ ! "${FIND}" = "" ]; then
N=0
for I in ${FIND}; do
N=`expr ${N} + 1`
ZONEID=`echo ${I} | cut -d ':' -f1`
ZONENAME=`echo ${I} | cut -d ':' -f2`
logtext "Result: found zone ${ZONENAME} (running)"
report "solaris_running_zone[]=${ZONENAME} [id:${ZONEID}]"
done
logtext "Result: total of ${N} running zones"
Display --indent 2 --text "- Checking Solaris Zones" --result "FOUND ${N} zones" --color GREEN
else
logtext "Result: no running zones found"
Display --indent 2 --text "- Checking Solaris Zones" --result NONE --color WHITE
fi
fi
#
#################################################################################
#
# Test : VIRT-1906
# Description : Query running Xen zones
#if [ -x /usr/bin/xm ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
#Register --test-no VIRT-1906 --weight L --network NO --description "Query Xen guests"
#if [ ${SKIPTEST} -eq 0 ]; then
# Show Xen guests
#FIND=`xm list | awk '$1 != "Name|Domain-0" {print $1","$2}'`
#for I in ${FIND}; do
#XENGUESTNAME=`echo ${I} | cut -d ':' -f1`
#XENGUESTID=`echo ${I} | cut -d ':' -f2`
#logtext "Result: found Xen guest ${XENGUESTNAME} (ID: ${XENGUESTID})"
#done
#fi
#
#################################################################################
#
# # Test : VIRT-1920
# # Description : Checking VMware
# Register --test-no VIRT-1920 --weight L --network NO --description "Checking VMware guest status"
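Review bot: this hunk deletes VIRT-1902, a working Solaris zones test, together with the commented-out Xen draft, and nothing in this file replaces it. If the test was relocated (the main script in this commit adds a "containers" category), say so in the commit message; otherwise this is a silent loss of Solaris coverage, and in either case the VIRT-1902 ID should not be reused.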

lynis

@ -23,7 +23,7 @@
# Program information
PROGRAM_name="Lynis"
PROGRAM_version="2.1.1"
PROGRAM_releasedate="29 April 2015"
PROGRAM_releasedate="27 May 2015"
PROGRAM_author="CISOfy"
PROGRAM_author_contact="lynis-dev@cisofy.com"
PROGRAM_website="https://cisofy.com"
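Review bot: the release date moves to 27 May 2015 while PROGRAM_version stays at 2.1.1; a changed release with an unchanged version string makes bug reports ambiguous, so bump the version in the same commit or leave the date until the release is cut.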
@ -719,13 +719,11 @@
logtext "Info: perform tests from all categories"
INCLUDE_TESTS="boot_services kernel memory_processes authentication shells \
filesystems storage storage_nfs \
nameservices ports_packages networking printers_spools \
mail_messaging firewalls \
webservers ssh snmp databases ldap php squid logging \
insecure_services banners scheduling accounting \
time crypto virtualization mac_frameworks file_integrity hardening_tools tooling \
malware file_permissions homedirs kernel_hardening hardening"
filesystems storage storage_nfs nameservices ports_packages networking printers_spools \
mail_messaging firewalls webservers ssh snmp databases ldap php squid logging \
insecure_services banners scheduling accounting time crypto virtualization containers \
mac_frameworks file_integrity hardening_tools tooling malware file_permissions homedirs \
kernel_hardening hardening"
else
INCLUDE_TESTS="${TESTS_CATEGORY_TO_PERFORM}"
logtext "Info: only performing tests from categories: ${TESTS_CATEGORY_TO_PERFORM}"
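Review bot: the default category list gains `containers`, so a full run now sources a tests_containers include that does not appear in this diff; confirm the file is present in the include directory, since a missing include would break the default run for every user. The rewrapping of the INCLUDE_TESTS continuation lines is otherwise cosmetic.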