Merge pull request #1 from CISOfy/master

Sync with CISOfy/lynis
silentcreek 2020-10-10 14:59:03 +02:00 committed by GitHub
commit b069d4cda8
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
86 changed files with 6914 additions and 2682 deletions

.github/workflows/stale.yml vendored Normal file

@ -0,0 +1,21 @@
name: Mark stale issues and pull requests
on:
schedule:
- cron: "0 0 * * *"
jobs:
stale:
runs-on: ubuntu-latest
steps:
- uses: actions/stale@v1
with:
repo-token: ${{ secrets.GITHUB_TOKEN }}
stale-issue-message: 'Stale issue message'
stale-pr-message: 'Stale pull request message'
stale-issue-label: 'no-issue-activity'
stale-pr-label: 'no-pr-activity'
days-before-stale: 14
days-before-close: 90
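Review bot: the `stale-issue-message` and `stale-pr-message` values are still the action's placeholder strings ('Stale issue message', 'Stale pull request message'); replace them with text that tells the reporter why the issue was labelled and how to keep it open. Also, `uses: actions/stale@v1` follows a mutable major tag; pinning to a full commit SHA makes the workflow's supply chain reproducible. Note that `days-before-close: 90` counts from the day the stale label is applied, so with `days-before-stale: 14` an issue is closed after 104 days without activity in total.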


@ -1,12 +1,322 @@
# Lynis Changelog
## Lynis 2.7.2 (not released yet)
## Lynis 3.0.1 (2020-10-05)
### Added
- Support for end-of-life detection of the operating system
- Detection of Alpine Linux
- Detection of CloudLinux
- Detection of Kali Linux
- Detection of Linux Mint
- Detection of macOS Big Sur (11.0)
- Detection of Pop!_OS
- Detection of PHP 7.4
- Malware detection tool: Microsoft Defender ATP
- New flag: --slow-warning to allow tests more time before showing a warning
- Test TIME-3185 to check systemd-timesyncd synchronized time
- rsh host file permissions
### Changed
- AUTH-9229 - Added option for LOCKED accounts and bugfix for older bash versions
- BOOT-5122 - Presence check for grub.d added
- CRYP-7902 - Added support for certificates in DER format
- CRYP-7931 - Added data to report
- CRYP-7931 - Redirect errors (e.g. when swap is not encrypted)
- FILE-6430 - Don't grep nonexistant modprobe.d files
- FIRE-4535 - Set initial firewall state
- INSE-8312 - Corrected text on screen
- KRNL-5728 - Handle zipped kernel configuration correctly
- KRNL-5830 - Improved version detection for non-symlinked kernel
- MALW-3280 - Extended detection of BitDefender
- TIME-3104 - Find more time synchronization commands
- TIME-3182 - Corrected detection of time peers
- Fix: hostid generation routine would sometimes show too short IDs
- Fix: language detection
- Generic improvements for macOS
- German translation updated
- End-of-life database updated
- Several minor code enhancements
---------------------------------------------------------------------------------
## Lynis 3.0.0 (2020-06-18)
This is a major release of Lynis and includes several big changes.
Some of these changes may break your current usage of the tool, so test before
deployment!
### Security issues
This release resolves two security issues
* CVE-2020-13882 - Discovered by Sander Bos, code submission by Katarina Durechova
* CVE-2019-13033 - Discovered by Sander Bos
### Breaking change: Non-interactive by default
Lynis now runs non-interactive by default, to be more in line with the Unix
philosophy. So the previously used '--quick' option is now default, and the tool
will only wait when using the '--wait' option.
### Breaking change: Deprecated options
- Option: -c
- Option: --check-update/--info
- Option: --dump-options
- Option: --license-key
### Breaking change: Profile options
The format of all profile options are converted (from key:value to key=value).
You may have to update the changes you made in your custom.prf.
### Security
An important focus area for this release is on security. We added several
measures to further tighten any possible misuse.
## New: DevOps, Forensics, and pentesting mode
This release adds initial support to allow defining a specialized type of audit.
Using the relevant options, the scan will change base on the intended goal.
### Added
- Security: test PATH and warn or exit on discovery of dangerous location
- Security: additional safeguard by testing if common system tools are available
- Security: test parameters and arguments for presence of control characters
- Security: filtering out unexpected characters from profiles
- Security: test if setuid bit is set on Lynis binary
- New function: DisplayException
- New function: DisplayWarning
- New function: Equals
- New function: GetReportData
- New function: HasCorrectFilePermissions
- New function: Readonly
- New function: SafeFile
- New function: SafeInput
- New option: --usecwd - run from the current working directory
- New profile option: disable-plugin - disables a single plugin
- New profile option: ssl-certificate-paths-to-ignore - ignore a path
- New test: AUTH-9229 - check used password hashing methods
- New test: AUTH-9230 - check group password hashing rounds
- New test: BOOT-5109 - test presence rEFInd boot loader
- New test: BOOT-5264 - run systemd-analyze security
- New test: CRYP-7930 - test for LUKS encryption
- New test: CRYP-7931 - determine if system uses encrypted swap
- New test: CRYP-8004 - presence of hardware random number generator
- New test: CRYP-8005 - presence of software random number generator
- New test: DBS-1828 - PostgreSQL configuration files
- New test: FILE-6394 - test virtual memory swappiness (Linux)
- New test: FINT-4316 - presence of AIDE database and size test
- New test: FINT-4340 - check dm-integrity status (Linux)
- New test: FINT-4341 - verify status of dm-verity (Linux)
- New test: INSE-8314 - test for NIS client
- New test: INSE-8316 - test for NIS server
- New test: NETW-2400 - test hostname for valid characters and length
- New test: NETW-2706 - check DNSSEC (systemd)
- New test: NETW-3200 - determine enabled network protocols
- New test: PHP-2382 - detect listen option in PHP (FPM)
- New test: PROC-3802 - check presence of prelink tooling
- New test: TIME-3180 - report if ntpctl cannot communicate with OpenNTPD
- New test: TIME-3181 - check status of OpenNTPD time synchronisation
- New test: TIME-3182 - check OpenNTPD has working peers
- New report key: openssh_daemon_running
- New command: lynis generate systemd-units
- Sending USR1 signal to Lynis process will show active status
- Measure timing of tests and report slow tests (10+ seconds)
- Initial support for Clear Linux OS
- Initial support for PureOS
- Support for X Binary Package (xbps)
- Added end-of-life data for Arch Linux and Debian
- Detection and end-of-life data added for Amazon Linux
- Detection of linux-lts on Arch Linux
- Translations: Russian added
### Changed
- Function: CheckItem() now returns only exit code (ITEM_FOUND is dropped)
- Function: IsRunning supports the --user flag to define a related user
- Function: PackageIsInstalled extended with pacman support
- Profiles: unused options removed
- Profiles: message is displayed when old format "key:value" is used
- Binaries: skip pacman when it is the game instead of package manager
- Security: the 'nounset' (set -u) parameter is now activated by default
- AUTH-9228 - HP-UX support
- AUTH-9234 - NetBSD support
- AUTH-9252 - corrected permission check
- AUTH-9266 - skip .pam-old files in /etc/pam.d
- AUTH-9268 - Perform test also on DragonFly, FreeBSD, and NetBSD
- AUTH-9282 - fix: temporary variable was overwritten
- AUTH-9408 - added support for pam_tally2 to log failed logins
- AUTH-9489 - test removedd as it is merged with AUTH-9218
- BANN-7126 - additional words for login banner are accepted
- BOOT-5122 - check for defined password in all GRUB configuration files
- CONT-8106 - support newer 'docker info' output
- CRYP-7902 - optionally check also certificates provided by packages
- CRYP-8002 - gather kernel entropy on Linux systems
- FILE-6310 - support for HP-UX
- FILE-6330 - corrected description
- FILE-6374 - changed log and allow root location to be changed
- FILE-6374 - corrected condition to find 'defaults' flag in /etc/fstab
- FILE-6430 - minor code improvements and show suggestion with more details
- FILE-7524 - optimized file permissions testing
- FINT-4328 - corrected text in log
- FINT-4334 - improved process detection for lfd
- HOME-9304 - improved selection for normal users
- HOME-9306 - improved selection for normal users
- INSE-8050 - added com.apple.ftp-proxy and improved text output
- INSE-8050 - corrected function call for showing suggestion
- INSE-8116 - added rsync service
- INSE-8314 - changed text of suggestion
- INSE-8318 - test for TFTP client tools
- INSE-8320 - test for TFTP server tools
- INSE-8342 - renamed to INSE-8304
- KRNL-5788 - don't complain about missing /vmlinuz for Raspi
- KRNL-5820 - extended check to include limits.d directory
- KRNL-5830 - skip test partially when running non-privileged
- KRNL-5830 - detect required reboots on Raspbian
- LOGG-2154 - added support for rsyslog configurations
- LOGG-2190 - skip mysqld related entries
- MACF-6234 - SELinux tests extended
- MAIL-8804 - replaced static strings with translation-aware strings
- MALW-3280 - Kaspersky detection added
- MALW-3280 - CrowdStrike falcon-sensor detection added
- NAME-4402 - check if /etc/hosts exists before performing test
- NAME-4404 - improved screen and log output
- NAME-4408 - corrected Report function call
- NETW-3032 - small rewrite of test and extended with addrwatch
- PHP-2372 - don't look in the cli configuration files
- PKGS-7388 - only perform check for Debian/Ubuntu/Mint
- PKGS-7410 - use multiple package managers when available
- PKGS-7410 - added support for Zypper to test number of kernels
- PRNT-2308 - check also for Port and SSLListen statements
- PROC-3602 - allow different root directory
- PROC-3612 - show 'Not found' instead of 'OK'
- PROC-3614 - show 'Not found' instead of 'OK'
- PROC-3802 - limit to Linux only (prelink package check)
- SCHD-7702 - removed hardening points
- SINT-7010 - limit test to only macOS systems
- SSH-7402 - detect other SSH daemons like dropbear
- SSH-7406 - strip OpenSSH patch version and remove characters (carriage return)
- SSH-7408 - changed text in suggestion and report
- SSH-7408 - added forced-commands-only option
- SSH-7408 - VerifyReverseMapping removed (deprecated)
- SSH-7408 - corrected OpenSSH server version check
- STRG-1840 - renamed to USB-1000
- STRG-1842 - added default authorized devices and renamed to USB-2000
- TIME-3104 - use find to discover files in cron directories
- TOOL-5002 - differentiate between a discovered binary and running process
- TOOL-5160 - added support for OSSEC agent daemon
- Perform additional check to ensure pacman package manager is used
- Use 'pre-release/release' (was: 'dev/final') with 'lynis show release'
- Use only locations from PATH environment variable, unless it is not defined
- Show tip to use 'lynis generate hostids' when host IDs are missing
- The 'show changelog' command works again for newer versions
- Several code cleanups, simplification of commands, and code standardization
- Tests using lsof may ignore individual threads (if supported)
- Corrected end-of-life detection for CentOS 7 and CentOS 8
- Tests can require detected package manager (--package-manager-required)
- Do not show tool tips when quiet option is used
- Improved screen output in several tests
- Extended output of 'lynis update info'
- Improved support for NetBSD
- Test if profiles are readable
- systemd service file adjusted
- bash completion script extended
- Updated man page
---------------------------------------------------------------------------------
## Lynis 2.7.5 (2019-06-24)
### Added
- Danish translation
- Slackware end-of-life information
- Detect BSD-style (rc.d) init in Linux systems
- Detection of Bro and Suricata (IDS)
### Changed
- Corrected end-of-life entries for CentOS 5 and 6
- AUTH-9204 - change name to check in /etc/passwd file for QNAP devices
- AUTH-9268 - AIX enhancement to use correct find statement
- FILE-6310 - Filter on correct field for AIX
- NETW-3012 - set ss command as preferred option for Linux and changed output format
- List of PHP ini file locations has been extended
- Removed several pieces of the code as part of cleanup and code health
- Extended help
---------------------------------------------------------------------------------
## Lynis 2.7.4 (2019-04-21)
This is a bigger release than usual, including several new tests created by
Capashenn (GitHub). It is a coincidence that it is released exactly one month
after the previous version and on Easter. No easter eggs, only improvements!
### Added
- FILE-6324 - Discover XFS mount points
- INSE-8000 - Installed inetd package
- INSE-8100 - Installed xinetd package
- INSE-8102 - Status of xinet daemon
- INSE-8104 - xinetd configuration file
- INSE-8106 - xinetd configuration for inactive daemon
- INSE-8200 - Usage of TCP wrappers
- INSE-8300 - Presence of rsh client
- INSE-8302 - Presence of rsh server
- Detect equery binary detection
- New 'generate' command
### Changed
- AUTH-9278 - Test LDAP in all PAM components on Red Hat and other systems
- PKGS-7410 - Add support for DPKG-based systems to gather installed kernel packages
- PKGS-7420 - Detect toolkit to automatically download and apply upgrades
- PKGS-7328 - Added global Zypper option --non-interactive
- PKGS-7330 - Added global Zypper option --non-interactive
- PKGS-7386 - Only show warning when vulnerable packages were discovered
- PKGS-7392 - Skip test for Zypper-based systems
- Minor changes to improve text output, test descriptions, and logging
- Changed CentOS identifiers in end-of-life database
- AIX enhancement for IsRunning function
- Extended PackageIsInstalled function
- Improve text output on AIX systems
- Corrected lsvg binary detection
---------------------------------------------------------------------------------
## Lynis 2.7.3 (2019-03-21)
### Added
- Detection for Lynis being scheduled (e.g. cronjob)
### Changed
- HTTP-6624 - Improved logging for test
- KRNL-5820 - Changed color for default fs.suid_dumpable value
- LOGG-2154 - Adjusted test to search in configuration file correctly
- NETW-3015 - Added support for ip binary
- SQD-3610 - Description of test changed
- SQD-3613 - Corrected description in code
- SSH-7408 - Increased values for MaxAuthRetries
- Improvements to allow tailored tool tips in future
- Corrected detection of blkid binary
- Minor textual changes and cleanups
---------------------------------------------------------------------------------
## Lynis 2.7.2 (2019-03-07)
### Added
- AUTH-9409 - Support for doas (OpenBSD)
- AUTH-9410 - Test file permissions of doas configuration
- BOOT-5117 - Support for systemd-boot boot loader added
- BOOT-5177 - Simplify service filter and allow multiple dots in service names
- BOOT-5262 - Check OpenBSD boot daemons
- BOOT-5263 - Test permissions for boot files and scripts
- Support for end-of-life detection of the operating system
- New 'lynis show eol' command
- Korean translation
### Changed
- AUTH-9252 - Adds support for files in sudoers.d
- AUTH-9252 - Test extended to check file and directory ownership
- BOOT-5122 - Use NONE instead of WARNING if no password is set
- FIRE-4540 - Modify test to better measure rules
- KRNL-5788 - Resolve false positive warning on missing /vmlinuz
- NETW-2704 - Ignore inline comments in /etc/resolv.conf
- PKGS-7388 - Improve detection for security archive
- RPi/Raspian path to PAM_FILE_LOCATIONS
---------------------------------------------------------------------------------
## Lynis 2.7.1 (2019-01-30)
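Review bot: typos in the new 3.0.x sections: 'FILE-6430 - Don't grep nonexistant modprobe.d files' (should be 'nonexistent'), 'AUTH-9489 - test removedd' (should be 'removed'), and 'the scan will change base on the intended goal' (should be 'based on'). The heading '## New: DevOps, Forensics, and pentesting mode' sits one level above its sibling '### Security' and '### Breaking change' headings; make it '###' so the 3.0.0 entry has a consistent outline. The 3.0.1 'Added' list opens with 'Support for end-of-life detection of the operating system', but the identical item is already listed under 2.7.2 'Added' further down; confirm this is a new capability (and describe what changed) rather than a duplicated line. 'This release resolves two security issues' is missing its terminating period.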
@ -2708,10 +3018,10 @@ Lynis 1.1.7 (2008-06-28)
- Added dig availability check to DNS test [NETW-2704]
- Bugfix: Fixed iptables test if the binary is not located in /sbin [FIRE-4512]
- Bugfix: Improved yum-utils check to display suggestions correctly [PKGS-7384]
- Bugfix: Fixed prequisits for grpck test [AUTH-9216]
- Bugfix: Fixed prerequisites for grpck test [AUTH-9216]
- Improved MySQL check [DBS-1804]
- Changed color at chkconfig boot services test [BOOT-5177]
- Added missing prequisits output to portaudit test [PKGS-7382]
- Added missing prerequisites output to portaudit test [PKGS-7382]
- Test output for FreeBSD mounts (UFS) improved [FILE-6329]
- Extended OpenLDAP test to avoid finding itself in ps output [LDAP-2219]
- Several tests have their warning reporting improved


@ -1,3 +1,4 @@
# Contributions
## Helping out
@ -6,13 +7,13 @@
Run the tool in debug mode (use lynis audit system --profile developer.prf) and see if it shows any error.
### Report bugs
Create an GitHub issue on the issue tracker
Create a GitHub issue on the issue tracker.
### Suggest changes (pull request)
When you find something that can be improved, fork the project and create a pull request.
### Translations
See the db/languages directory
See the db/languages directory.
## Developer Guidelines
@ -30,13 +31,13 @@ Identation should be 4 spaces (no tab character).
### Comments
Comments: use # sign followed by a space. When needed, create a comment block.
Blank lines: allowed, one line maximum
Blank lines: allowed, one line maximum.
### Functions
All functions use CamelCase to clearly show a difference between shell built-in commands, or external commands.
### Variables
Variables should be capitalized, with underscore as word separator (e.g. PROCESS_EXISTS=1)
Variables should be capitalized, with underscore as word separator (e.g. PROCESS_EXISTS=1).
## Pull Requests
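Review bot: the context line in this hunk's header still reads 'Identation should be 4 spaces' (should be 'Indentation'); since the hunk already touches punctuation on the neighbouring lines, fix that typo here as well. 'All functions use CamelCase to clearly show a difference between shell built-in commands, or external commands' is awkward; suggest 'All functions use CamelCase to distinguish them from shell built-ins and external commands.'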
@ -56,7 +57,7 @@ to this repository, you agree that you:
4. Allow the project the [Unlimited Rights](#Unlimited-Rights) to your contribution
If you have questions regarding development, send us an e-mail at [lynis-dev](mailto:lynis-dev@cisofy.com)
If you have questions regarding development, send us an e-mail at [lynis-dev](mailto:lynis-dev@cisofy.com).
## Unlimited Rights


@ -39,12 +39,14 @@ These people made a significant impact to the development of Lynis:
* C.J. Adams-Collier, US
* Charlie Heselton, US
* Dave Vehrs
* David Marzal Cánovas, Spain
* Eric Light, New Zealand
* Kamil Boratyński, Poland
* Mike Slifcak, US
* Mikko Lehtisalo, Finland
* Steve Bosek, France
* Thomas Siebel, Germany
* Topi Miettinen, Finland
* Zach Crownover

FAQ

@ -98,4 +98,4 @@
================================================================================
Lynis - Copyright 2007-2019, Michael Boelen, CISOfy - https://cisofy.com
Lynis - Copyright 2007-2020, Michael Boelen, CISOfy - https://cisofy.com

HAPPY_USERS.md Normal file

@ -0,0 +1,38 @@
# Happy users of the Lynis project
## Community
Since 2007, the Lynis project helped many system administrators and security
professionals to scan their systems and perform system hardening. Happy users
and contributors are the foundation of a healthy project.
## Your contribution
Are you also using Lynis? Contribute to the project by let others know:
1) What you like about the tool
2) How you use it
Your addition to the guestbook below will help existing and new users learn more
about how Lynis can help them.
### How to
Create a pull request and add your name above the first entry. Thanks!
## Our guestbook
* YOUR NAME AND STORY
* Michael Boelen - September 2019
The development of Lynis learned me a lot about Linux and Unix security. It is
installed on all my systems to uncover unexpected configuration issues. The
valuable feedback and contributions give me the energy to continue to work on
its development, even after 12+ years!
* Catalyst.net IT - January 2020
Lynis gave us great insight in to the security state of our systems, as well as where we can improve.
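Review bot: grammar in the new file: 'Contribute to the project by let others know' should be 'by letting others know', 'The development of Lynis learned me a lot' should be 'taught me a lot', and 'great insight in to the security state' should be 'into'. The 'How to' section says to add your name above the first entry, but the first entry is the placeholder '* YOUR NAME AND STORY'; say explicitly whether contributors replace that placeholder or insert above it, otherwise the placeholder will accumulate copies.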


@ -6,7 +6,7 @@
================================================================================
Author: 2007-2013, Michael Boelen (michael.boelen@cisofy.com)
2013-2016, CISOfy development team
2013-now, CISOfy development team
Description: Security and system auditing tool
Web site: https://cisofy.com
Support: See 'Support' and https://cisofy.com/support/
@ -48,4 +48,4 @@
================================================================================
Lynis - Copyright 2007-2019, Michael Boelen, CISOfy - https://cisofy.com
Lynis - Copyright 2007-2020, Michael Boelen, CISOfy - https://cisofy.com


@ -1,4 +1,5 @@
[![Linux Security Expert badge](https://badges.linuxsecurity.expert/tools/ranking/lynis.svg)](https://linuxsecurity.expert/tools/lynis/)
[![Build Status](https://travis-ci.org/CISOfy/lynis.svg?branch=master)](https://travis-ci.org/CISOfy/lynis)
[![CII Best Practices](https://bestpractices.coreinfrastructure.org/projects/96/badge)](https://bestpractices.coreinfrastructure.org/projects/96)
@ -14,7 +15,7 @@ Do you like this software? **Star the project** and become a [stargazer](https:/
> Lynis - Security auditing and hardening tool, for UNIX-based systems.
Lynis is a security auditing for system based on UNIX like Linux, macOS, BSD, and others. It performs an **in-depth security scan** and runs on the system itself. The primary goal is to test security defenses and **provide tips for further system hardening**. It will also scan for general system information, vulnerable software packages, and possible configuration issues. Lynis was commonly used by system administrators and auditors to assess the security defenses of their systems. Besides the "blue team", nowadays penetration testers also have Lynis in their toolkit.
Lynis is a security auditing tool for systems based on UNIX like Linux, macOS, BSD, and others. It performs an **in-depth security scan** and runs on the system itself. The primary goal is to test security defenses and **provide tips for further system hardening**. It will also scan for general system information, vulnerable software packages, and possible configuration issues. Lynis was commonly used by system administrators and auditors to assess the security defenses of their systems. Besides the "blue team," nowadays penetration testers also have Lynis in their toolkit.
We believe software should be **simple**, **updated on a regular basis**, and **open**. You should be able to trust, understand, and have the option to change the software. Many agree with us, as the software is being used by thousands every day to protect their systems.
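Review bot: the rewritten sentence still says 'Lynis was commonly used by system administrators and auditors', which reads as though it no longer is; 'is commonly used' matches the present tense of the rest of the paragraph. 'a security auditing tool for systems based on UNIX like Linux, macOS, BSD, and others' would read more cleanly as 'for UNIX-based systems such as Linux, macOS, BSD, and others', which also matches the blockquote directly above it.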
@ -55,18 +56,21 @@ Typical users of the software:
If you want to run the software as `root`, we suggest changing the ownership of the files. Use `chown -R 0:0` to recursively alter the owner and group and set it to user ID `0` (`root`).
### Package
### Software Package
Stable releases of Lynis are packaged and made available as RPM or DEB package. The [CISOfy software repository](https://packages.cisofy.com) can be used to install Lynis on systems running :
For Linux, BSD, and macOS, there is typically a package available. The Lynis project also provides packages in RPM or DEB format. The [CISOfy software repository](https://packages.cisofy.com) can be used to install Lynis on systems running:
`CentOS`, `Debian`, `Fedora`, `OEL`, `openSUSE`, `RHEL`, `Ubuntu`, and others.
### Enterprise version
Some distributions may also have Lynis in their software repository: [![Repology](https://repology.org/badge/tiny-repos/lynis.svg)](https://repology.org/project/lynis/versions)
If they don't provide an up-to-date version, consider the CISOfy repository, tarball (website), or GitHub release.
### Enterprise Version
This software component is also part of an enterprise solution. Same quality, yet with more functionality.
Focus areas include compliance (`PCI DSS`, `HIPAA`, `ISO27001`, and others). The Enterprise version comes with:
* a web interface and features a dashboard ;
* hardening snippets ;
* a web interface and features a dashboard;
* hardening snippets;
* and an improvement plan.
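Review bot: 'For Linux, BSD, and macOS, there is typically a package available' is vague about who provides it; the Repology sentence two lines later already makes the point, so consider merging them ('Many distributions ship Lynis in their repositories: ...'). When recommending the tarball or GitHub release as a fallback, also point readers at how to verify the download (checksum or signature), since this is a tool that is typically run as root; the `chown -R 0:0` advice in the context line above only covers ownership after the fact.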
## Documentation
@ -100,7 +104,7 @@ Lynis is collecting some awards and we are proud of that.
> We love contributors.
Do you have something to share? Or help out with translating Lynis into your own language? Create an issue or pull request on GitHub, or send us an e-mail: lynis-dev@cisofy.com.
Do you have something to share? Want to help out with translating Lynis into your own language? Create an issue or pull request on GitHub, or send us an e-mail: lynis-dev@cisofy.com.
More details can be found in the [Contributors Guide](https://github.com/CISOfy/lynis/blob/master/CONTRIBUTING.md).

SECURITY.md Normal file

@ -0,0 +1,27 @@
# Security Policy
## Supported Versions
| Version | Supported |
| ------- | ------------------ |
| 3.x.x | :white_check_mark: |
| 2.x.x | :white_check_mark: |
| < 2.x | :x: |
## Reporting a Vulnerability
To report a vulnerability, use security@cisofy.com
See our [security page](https://cisofy.com/security/) for more details.
## Preferred language
English
## Acknowledgments
https://cisofy.com/security/#thanks
## Other
See the latest 'security.txt' at https://cisofy.com/.well-known/security.txt
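Review bot: the Supported Versions table marks 2.x.x as supported, but the CHANGELOG in this same commit records the CVE-2020-13882 and CVE-2019-13033 fixes only under 3.0.0 and lists no 2.x release after 2.7.5 (2019-06-24). Either state that 2.x receives security backports, or mark it unsupported so users on distribution packages do not assume coverage they are not getting. Minor: 'To report a vulnerability, use security@cisofy.com' is missing a period, and the 'Preferred language' and 'Acknowledgments' sections could be folded into one line each.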

db/languages/da Normal file

@ -0,0 +1,41 @@
ERROR_NO_LICENSE="Ingen licensnøgle konfigureret"
ERROR_NO_UPLOAD_SERVER="Ingen upload server konfigureret"
GEN_CHECKING="Tjekker"
GEN_CURRENT_VERSION="Nuværende version"
GEN_DEBUG_MODE="Fejlfindingstilstand"
GEN_INITIALIZE_PROGRAM="Initialiserer program"
GEN_LATEST_VERSION="Seneste version"
GEN_PHASE="Fase"
GEN_PLUGINS_ENABLED="Plugins aktiverede"
GEN_UPDATE_AVAILABLE="opdatering tilgængelig"
GEN_VERBOSE_MODE="Detaljeret tilstand"
GEN_WHAT_TO_DO="At gøre"
NOTE_EXCEPTIONS_FOUND="Undtagelser fundet"
NOTE_EXCEPTIONS_FOUND_DETAILED="Nogle usædvanlige hændelser eller information var fundet"
NOTE_PLUGINS_TAKE_TIME="Bemærk: plugins har mere omfattende tests og kan tage flere minutter at fuldføre"
NOTE_SKIPPED_TESTS_NON_PRIVILEGED="Sprang over tests på grund af ikke-privilegeret tilstand"
SECTION_CUSTOM_TESTS="Brugerdefinerede Tests"
SECTION_MALWARE="Malware"
SECTION_MEMORY_AND_PROCESSES="Hukommelse og Processer"
STATUS_DISABLED="DEAKTIVERET"
STATUS_DONE="FÆRDIG"
STATUS_ENABLED="AKTIVERET"
STATUS_NOT_ENABLED="IKKE AKTIVERET"
STATUS_ERROR="FEJL"
STATUS_FOUND="FUNDET"
STATUS_YES="JA"
STATUS_NO="NEJ"
STATUS_OFF="FRA"
STATUS_OK="OK"
STATUS_ON="TIL"
STATUS_NONE="INGEN"
STATUS_NOT_FOUND="IKKE FUNDET"
STATUS_NOT_RUNNING="KØRER IKKE"
STATUS_RUNNING="KØRER"
STATUS_SKIPPED="SPRUNGET OVER"
STATUS_SUGGESTION="FORSLAG"
STATUS_UNKNOWN="UKENDT"
STATUS_WARNING="ADVARSEL"
STATUS_WEAK="SVAG"
TEXT_YOU_CAN_HELP_LOGFILE="Du kan hjælpe ved at bidrage med din logfil"
TEXT_UPDATE_AVAILABLE="opdatering tilgængelig"
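Review bot: compared with the en file in this same diff, the new Danish file lacks SECTION_DATA_UPLOAD, SECTION_INITIALIZING_PROGRAM, SECTION_SYSTEM_TOOLS, STATUS_FAILED and STATUS_NOT_CONFIGURED, and defines STATUS_NOT_ENABLED="IKKE AKTIVERET", which en does not have. The changelog says 'nounset' (set -u) is now on by default, so a referenced-but-undefined key is a hard error unless the English strings are sourced first as defaults; confirm that is the load order, or add the five missing keys (an untranslated English value is better than an unset variable) and drop the stray one.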


@ -1,38 +1,45 @@
GEN_PHASE="Phase"
ERROR_NO_LICENSE="Kein Lizenzschlüssel eingerichtet"
ERROR_NO_UPLOAD_SERVER="Kein Upload-Server eingerichtet"
GEN_CHECKING="Überprüfung"
GEN_CURRENT_VERSION="Aktuelle Version"
GEN_DEBUG_MODE="Debug-Modus"
GEN_INITIALIZE_PROGRAM="Initiiere Programm"
GEN_INITIALIZE_PROGRAM="Initialisiere Programm"
GEN_LATEST_VERSION="Aktuellste Version"
GEN_PHASE="Phase"
GEN_PLUGINS_ENABLED="Plugins aktiviert"
GEN_VERBOSE_MODE="Ausführlicher Modus"
GEN_UPDATE_AVAILABLE="Aktualisierung verfügbar"
GEN_VERBOSE_MODE="Ausführlicher Modus"
GEN_WHAT_TO_DO="Was zu tun ist"
NOTE_EXCEPTIONS_FOUND="Abweichungen gefunden"
NOTE_EXCEPTIONS_FOUND_DETAILED="Einige außergewöhnliche Ereignisse oder Informationen wurden gefunden"
NOTE_PLUGINS_TAKE_TIME="Beachte: Plugins beinhalten eingehendere Tests und können mehrere Minuten benötigen, bis sie abgeschlossen sind"
NOTE_SKIPPED_TESTS_NON_PRIVILEGED="Übersprungene Tests aufgrund nicht privilegiertem Modus"
SECTION_CUSTOM_TESTS="Benutzerdefinierte Tests"
SECTION_DATA_UPLOAD="Daten hochladen"
SECTION_INITIALIZING_PROGRAM="Initialisiere Programm"
SECTION_MALWARE="Malware"
SECTION_MEMORY_AND_PROCESSES="Speicher und Prozesse"
SECTION_SYSTEM_TOOLS="Systemwerkzeuge"
STATUS_DISABLED="DEAKTIVIERT"
STATUS_DONE="FERTIG"
STATUS_ENABLED="AKTIVIERT"
STATUS_ERROR="FEHLER"
STATUS_FAILED="FEHLERHAFT"
STATUS_FOUND="GEFUNDEN"
STATUS_YES="JA"
STATUS_NO="NEIN"
STATUS_NONE="NICHTS"
STATUS_NOT_CONFIGURED="NICHT KONFIGURIERT"
STATUS_NOT_FOUND="NICHT GEFUNDEN"
STATUS_NOT_RUNNING="LÄUFT NICHT"
STATUS_OFF="AUS"
STATUS_OK="OK"
STATUS_ON="AN"
STATUS_NONE="NICHTS"
STATUS_NOT_FOUND="NICHT GEFUNDEN"
STATUS_NOT_RUNNING="LÄUFT NICHT"
STATUS_RUNNING="LÄUFT"
STATUS_SKIPPED="ÜBERSPRUNGEN"
STATUS_SUGGESTION="VORSCHLAG"
STATUS_UNKNOWN="UNBEKANNT"
STATUS_WARNING="WARNUNG"
TEXT_YOU_CAN_HELP_LOGFILE="Sie können durch Übermittlung Ihrer Logdatei helfen"
STATUS_WEAK="SCHWACH"
STATUS_YES="JA"
TEXT_UPDATE_AVAILABLE="Aktualisierung verfügbar"
NOTE_SKIPPED_TESTS_NON_PRIVILEGED="Übersprungene Tests aufgrund nicht privilegiertem Modus"
STATUS_DISABLED="DEAKTIVIERT"
STATUS_ENABLED="AKTIVIERT"
STATUS_ERROR="FEHLER"
ERROR_NO_LICENSE="Kein Lizenzschlüssel eingerichtet"
ERROR_NO_UPLOAD_SERVER="Kein Upload-Server eingerichtet"
TEXT_YOU_CAN_HELP_LOGFILE="Sie können durch Übermittlung Ihrer Logdatei helfen"

db/languages/de-AT Symbolic link

@ -0,0 +1 @@
de


@ -14,27 +14,32 @@ NOTE_EXCEPTIONS_FOUND="Exceptions found"
NOTE_EXCEPTIONS_FOUND_DETAILED="Some exceptional events or information was found"
NOTE_PLUGINS_TAKE_TIME="Note: plugins have more extensive tests and may take several minutes to complete"
NOTE_SKIPPED_TESTS_NON_PRIVILEGED="Skipped tests due to non-privileged mode"
SECTION_CUSTOM_TESTS="Custom Tests"
SECTION_CUSTOM_TESTS="Custom tests"
SECTION_DATA_UPLOAD="Data upload"
SECTION_INITIALIZING_PROGRAM="Initializing program"
SECTION_MALWARE="Malware"
SECTION_MEMORY_AND_PROCESSES="Memory and Processes"
SECTION_SYSTEM_TOOLS="System tools"
STATUS_DISABLED="DISABLED"
STATUS_DONE="DONE"
STATUS_ENABLED="ENABLED"
STATUS_ERROR="ERROR"
STATUS_FAILED="FAILED"
STATUS_FOUND="FOUND"
STATUS_YES="YES"
STATUS_NO="NO"
STATUS_NONE="NONE"
STATUS_NOT_CONFIGURED="NOT CONFIGURED"
STATUS_NOT_FOUND="NOT FOUND"
STATUS_NOT_RUNNING="NOT RUNNING"
STATUS_OFF="OFF"
STATUS_OK="OK"
STATUS_ON="ON"
STATUS_NONE="NONE"
STATUS_NOT_FOUND="NOT FOUND"
STATUS_NOT_RUNNING="NOT RUNNING"
STATUS_RUNNING="RUNNING"
STATUS_SKIPPED="SKIPPED"
STATUS_SUGGESTION="SUGGESTION"
STATUS_UNKNOWN="UNKNOWN"
STATUS_WARNING="WARNING"
STATUS_WEAK="WEAK"
TEXT_YOU_CAN_HELP_LOGFILE="You can help by providing your log file"
STATUS_YES="YES"
TEXT_UPDATE_AVAILABLE="update available"
TEXT_YOU_CAN_HELP_LOGFILE="You can help by providing your log file"

db/languages/ko Normal file

@ -0,0 +1,40 @@
ERROR_NO_LICENSE="라이선스 키가 없습니다"
ERROR_NO_UPLOAD_SERVER="업로드 서버가 설정되지 않았습니다"
GEN_CHECKING="확인중입니다"
GEN_CURRENT_VERSION="현재 버전"
GEN_DEBUG_MODE="디버그 모드"
GEN_INITIALIZE_PROGRAM="프로그램을 초기화합니다"
GEN_LATEST_VERSION="최신 버전"
GEN_PHASE="phase"
GEN_PLUGINS_ENABLED="플러그인이 활성화되었습니다"
GEN_UPDATE_AVAILABLE="업데이트 가능"
GEN_VERBOSE_MODE="상세 모드"
GEN_WHAT_TO_DO="할 일"
NOTE_EXCEPTIONS_FOUND="예외 발견"
NOTE_EXCEPTIONS_FOUND_DETAILED="몇 가지 예외 이벤트나 정보가 발견되었습니다"
NOTE_PLUGINS_TAKE_TIME="참고: 플러그인은 광범위한 테스트를 거치며 완료될 때까지 몇 분의 시간이 소요됩니다"
NOTE_SKIPPED_TESTS_NON_PRIVILEGED="비특권 모드로 인해 테스트를 생략했습니다"
SECTION_CUSTOM_TESTS="사용자정의 테스트"
SECTION_MALWARE="악성코드"
SECTION_MEMORY_AND_PROCESSES="메모리와 프로세스"
STATUS_DISABLED="비활성화됨"
STATUS_DONE="완료"
STATUS_ENABLED="활성화됨"
STATUS_ERROR="에러"
STATUS_FOUND="발견"
STATUS_YES="예"
STATUS_NO="아니오"
STATUS_OFF="끔"
STATUS_OK="OK"
STATUS_ON="켬"
STATUS_NONE="없음"
STATUS_NOT_FOUND="발견되지않음"
STATUS_NOT_RUNNING="동작하지않음"
STATUS_RUNNING="동작중"
STATUS_SKIPPED="생략"
STATUS_SUGGESTION="추천"
STATUS_UNKNOWN="알수없음"
STATUS_WARNING="경고"
STATUS_WEAK="취약"
TEXT_YOU_CAN_HELP_LOGFILE="로그 파일을 제공하면 도움을 받을 수 있습니다"
TEXT_UPDATE_AVAILABLE="업데이트 가능"
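Review bot: GEN_PHASE="phase" is left untranslated and lower-case, whereas the other language files in this diff capitalize it ('Phase', 'Fase'); either translate it or match the casing. The file also lacks SECTION_DATA_UPLOAD, SECTION_INITIALIZING_PROGRAM, SECTION_SYSTEM_TOOLS, STATUS_FAILED and STATUS_NOT_CONFIGURED, which the en file defines; with 'nounset' (set -u) now on by default per the changelog, verify that the English defaults are sourced before this file or add those keys.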


@ -1,38 +1,45 @@
ERROR_NO_LICENSE="Geen licentiecode geconfigureerd"
ERROR_NO_UPLOAD_SERVER="Geen upload server geconfigureerd"
GEN_CHECKING="Zoeken naar"
GEN_CURRENT_VERSION="Huidige versie"
GEN_DEBUG_MODE="Debug modus"
GEN_INITIALIZE_PROGRAM="Programma initialiseren"
GEN_LATEST_VERSION="Laatste versie"
GEN_PHASE="fase"
GEN_INITIALIZE_PROGRAM="Initialiseren van programma"
NOTE_PLUGINS_TAKE_TIME="Plugins hebben uitgebreidere testen en kunnen derhalve enkele minuten duren"
NOTE_EXCEPTIONS_FOUND="Uitzonderingen gevonden"
SECTION_CUSTOM_TESTS="Eigen Testen"
GEN_PLUGINS_ENABLED="Plugins geactiveerd"
GEN_VERBOSE_MODE="Verbose modus"
GEN_UPDATE_AVAILABLE="Update beschikbaar"
GEN_WHAT_TO_DO="Wat te doen"
NOTE_EXCEPTIONS_FOUND="Bijzonderheden gevonden"
NOTE_EXCEPTIONS_FOUND_DETAILED="Enkele bijzondere gebeurtenissen of informatie gevonden"
NOTE_PLUGINS_TAKE_TIME="Let op: plugins hebben uitgebreidere testen en kunnen daardoor enkele minuten duren"
NOTE_SKIPPED_TESTS_NON_PRIVILEGED="Overgeslagen testen vanwege beperkte rechten"
SECTION_CUSTOM_TESTS="Eigen testen"
SECTION_DATA_UPLOAD="Data upload"
SECTION_INITIALIZING_PROGRAM="Programma initialiseren"
SECTION_MALWARE="Kwaadaardige software (malware)"
SECTION_MEMORY_AND_PROCESSES="Geheugen en Processen"
STATUS_DONE="KLAAR"
SECTION_SYSTEM_TOOLS="Systeem gereedschap"
STATUS_DISABLED="UITGESCHAKELD"
STATUS_DONE="KLAAR"
STATUS_ENABLED="INGESCHAKELD"
STATUS_ERROR="FOUT"
STATUS_FAILED="MISLUKT"
STATUS_FOUND="GEVONDEN"
STATUS_NO="NEE"
STATUS_NONE="GEEN"
STATUS_NOT_FOUND="NIET GEVONDEN"
STATUS_NOT_RUNNING="NIET ACTIEF"
STATUS_OFF="UIT"
STATUS_OK="OK"
STATUS_ON="AAN"
STATUS_OFF="UIT"
STATUS_YES="JA"
STATUS_NO="NEE"
STATUS_NONE="GEEN"
STATUS_NOT_CONFIGURED="NIET GECONFIGUREERD"
STATUS_NOT_FOUND="NIET GEVONDEN"
STATUS_NOT_RUNNING="NIET ACTIEF"
STATUS_RUNNING="ACTIEF"
STATUS_SKIPPED="OVERGESLAGEN"
STATUS_SUGGESTION="SUGGESTIE"
STATUS_UNKNOWN="ONBEKEND"
STATUS_WARNING="WAARSCHUWING"
GEN_CURRENT_VERSION="Huidige versie"
GEN_DEBUG_MODE="Debug mode"
GEN_PLUGINS_ENABLED="Plugins geactiveerd"
GEN_VERBOSE_MODE="Verbose mode"
GEN_UPDATE_AVAILABLE="update beschikbaar"
GEN_WHAT_TO_DO="Wat te doen"
NOTE_EXCEPTIONS_FOUND_DETAILED="Enkele uitzonderingen gevonden"
NOTE_SKIPPED_TESTS_NON_PRIVILEGED="Overgeslagen testen vanwege beperkte rechten"
STATUS_WEAK="ZWAK"
STATUS_YES="JA"
TEXT_YOU_CAN_HELP_LOGFILE="Help mee door je logbestand te delen"
TEXT_UPDATE_AVAILABLE="update beschikbaar"
STATUS_ERROR="FOUT"
ERROR_NO_LICENSE="geen licentiecode configureerd"
ERROR_NO_UPLOAD_SERVER="geen server configureerd voor uploads"
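Review bot: several keys show two variants in this hunk (GEN_INITIALIZE_PROGRAM, NOTE_EXCEPTIONS_FOUND, NOTE_PLUGINS_TAKE_TIME, SECTION_CUSTOM_TESTS, STATUS_DONE, STATUS_OFF, STATUS_YES, STATUS_NO, STATUS_NONE, STATUS_ERROR, ERROR_NO_LICENSE, ERROR_NO_UPLOAD_SERVER), so please confirm the resulting file keeps each key exactly once and in sorted order, since a file that is sourced as shell assignments silently lets the last assignment win. The typo fix "configureerd" to "geconfigureerd" in ERROR_NO_LICENSE and ERROR_NO_UPLOAD_SERVER is good.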

@ -1,38 +1,38 @@
GEN_CHECKING="Checking"
GEN_CURRENT_VERSION="Current version"
GEN_DEBUG_MODE="Debug mode"
GEN_INITIALIZE_PROGRAM="Initializing program"
GEN_PHASE="phase"
GEN_PLUGINS_ENABLED="Plugins enabled"
GEN_VERBOSE_MODE="Verbose mode"
GEN_UPDATE_AVAILABLE="update available"
GEN_WHAT_TO_DO="What to do"
NOTE_EXCEPTIONS_FOUND="Exceptions found"
NOTE_EXCEPTIONS_FOUND_DETAILED="Some exceptional events or information was found"
NOTE_PLUGINS_TAKE_TIME="Note: plugins have more extensive tests and may take several minutes to complete"
SECTION_CUSTOM_TESTS="Custom Tests"
SECTION_MALWARE="Malware"
SECTION_MEMORY_AND_PROCESSES="Memory and Processes"
STATUS_DONE="DONE"
STATUS_FOUND="FOUND"
STATUS_YES="YES"
STATUS_NO="NO"
STATUS_OFF="OFF"
STATUS_OK="OK"
STATUS_ON="ON"
STATUS_NONE="NONE"
STATUS_NOT_FOUND="NOT FOUND"
STATUS_NOT_RUNNING="NOT RUNNING"
STATUS_RUNNING="RUNNING"
STATUS_SKIPPED="SKIPPED"
STATUS_SUGGESTION="SUGGESTION"
STATUS_UNKNOWN="UNKNOWN"
STATUS_WARNING="WARNING"
TEXT_YOU_CAN_HELP_LOGFILE="You can help by providing your log file"
TEXT_UPDATE_AVAILABLE="update available"
NOTE_SKIPPED_TESTS_NON_PRIVILEGED="Skipped tests due to non-privileged mode"
STATUS_DISABLED="DISABLED"
STATUS_ENABLED="ENABLED"
STATUS_ERROR="ERROR"
ERROR_NO_LICENSE="No license key configured"
ERROR_NO_UPLOAD_SERVER="No upload server configured"
GEN_CHECKING="Проверка"
GEN_CURRENT_VERSION="Текущая версия"
GEN_DEBUG_MODE="Режим отладки"
GEN_INITIALIZE_PROGRAM="Инициализация программы"
GEN_PHASE="Стадия"
GEN_PLUGINS_ENABLED="Плагины включены"
GEN_VERBOSE_MODE="Подробный режим"
GEN_UPDATE_AVAILABLE="доступно обновление"
GEN_WHAT_TO_DO="Что сделать"
NOTE_EXCEPTIONS_FOUND="Найдены исключения"
NOTE_EXCEPTIONS_FOUND_DETAILED="Были найдены некоторые исключительные события или информация"
NOTE_PLUGINS_TAKE_TIME="Примечание: плагины имеют более обширные тесты и могут занять несколько минут до завершения"
SECTION_CUSTOM_TESTS="Пользовательские тесты"
SECTION_MALWARE="Вредоносное ПО"
SECTION_MEMORY_AND_PROCESSES="Память и процессы"
STATUS_DONE="Завершено"
STATUS_FOUND="Найдено"
STATUS_YES="ДА"
STATUS_NO="НЕТ"
STATUS_OFF="Выключено"
STATUS_OK="ОК"
STATUS_ON="Включено"
STATUS_NONE="Отсутствует"
STATUS_NOT_FOUND="НЕ НАЙДЕНО"
STATUS_NOT_RUNNING="НЕ ЗАПУЩЕНО"
STATUS_RUNNING="ЗАПУЩЕНО"
STATUS_SKIPPED="ПРОПУЩЕНО"
STATUS_SUGGESTION="ПРЕДЛОЖЕНИЕ"
STATUS_UNKNOWN="НЕИЗВЕСТНО"
STATUS_WARNING="ПРЕДУПРЕЖДЕНИЕ"
TEXT_YOU_CAN_HELP_LOGFILE="Вы можете помочь предоставив ваш лог-файл"
TEXT_UPDATE_AVAILABLE="доступно обновление"
NOTE_SKIPPED_TESTS_NON_PRIVILEGED="Тесты пропущены из-за использования непривилегированного режима"
STATUS_DISABLED="ОТКЛЮЧЕНО"
STATUS_ENABLED="ВКЛЮЧЕНО"
STATUS_ERROR="ОШИБКА"
ERROR_NO_LICENSE="Лицензионный ключ не настроен"
ERROR_NO_UPLOAD_SERVER="Загрузочный сервер не настроен"
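Review bot: GEN_LATEST_VERSION is defined in the Korean and Dutch hunks above but appears in neither the English nor the Russian block here, and the Dutch file also carries SECTION_DATA_UPLOAD, SECTION_INITIALIZING_PROGRAM, SECTION_SYSTEM_TOOLS, STATUS_FAILED and STATUS_NOT_CONFIGURED, which these two blocks lack; if the English file is the fallback for missing keys, any of those keys rendered on a non-Dutch system will print as an empty string, so add them here or confirm they are defined elsewhere.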

View File

@ -1,22 +1,176 @@
#
# End-of-life for operating systems and software
# FreeBSD - https://www.freebsd.org/releases/
os:FreeBSD 9.3:2014-07-01:
os:FreeBSD 10.0:2014-01-01:
os:FreeBSD 10.1:2014-11-01:
os:FreeBSD 10.2:2015-08-01:
os:FreeBSD 10.3:2016-04-01:
os:FreeBSD 10.4:2017-10-01:
os:FreeBSD 11.0:2016-10-01:
os:FreeBSD 11.1:2017-07-01:
# Ubuntu - https://wiki.ubuntu.com/Kernel/LTSEnablementStack
os:Ubuntu 14.04:2019-05-01:
os:Ubuntu 14.10:2015-07-01:
os:Ubuntu 15.04:2016-01-01:
os:Ubuntu 15.10:2016-07-01:
os:Ubuntu 16.04:2021-05-01:
os:Ubuntu 16.10:2017-07-01:
os:Ubuntu 17.04:2018-01-01:
os:Ubuntu 17.10:2018-07-01:
os:Ubuntu 18.04:2023-05-01:
os:Ubuntu 18.10:2019-07-01:
os:Ubuntu 19.04:2020-01-01:
#
# This file has 4 fields:
# 1) category
# 2) name
# 3) date (human-readable) or empty
# 4) converted date (seconds since epoch) or -1
#
# Date can be converted on Linux using: date "+%s" --date=2020-01-01
# Seconds since epoch can be verified using: date -d @1467324000 +'%Y-%m-%d'
#
# Notes:
# For rolling releases or releases that do not (currently have an EOL date, leave field three empty and set field four to -1.
# Full string for CentOS can be something like 'CentOS Linux 8 (Core)'. As this does not correctly match, shorter string is used for matching.
#
# Amazon Linux
#
# Note: shortest entry is listed at end due to regular expression matching being used
os:Amazon Linux 2:2023-06-26:1687730400:
os:Amazon Linux:2020-06-30:1593468000:
#
# Arch Linux
#
os:Arch Linux::-1:
#
# CentOS
#
os:CentOS release 5:2017-03-31:1490911200:
os:CentOS release 6:2020-11-30:1606690800:
os:CentOS Linux 7:2024-06-30:1719698400:
os:CentOS Linux 8:2029-05-31:1874872800:
#
# Debian - https://wiki.debian.org/DebianReleases#Production_Releases
#
os:Debian 5.0:2012-02-06:1328482800:
os:Debian 6.0:2016-02-29:1456700400:
os:Debian 7:2018-05-31:1527717600:
os:Debian 8:2020-06-30:1593468000:
os:Debian 9:2022-01-01:1640991600:
os:Debian 10:2022-01-01:1640991600:
#
# Fedora - https://fedoraproject.org/wiki/End_of_life
#
os:Fedora release 25:2017-12-12:1513033200:
os:Fedora release 26:2018-05-29:1527544800:
os:Fedora release 27:2018-11-30:1543532400:
os:Fedora release 28:2019-05-28:1558994400:
os:Fedora release 29:2019-11-26:1574722800:
os:Fedora release 30:2020-05-26:1590444000:
#
# FreeBSD - https://www.freebsd.org/security/unsupported.html
#
os:FreeBSD 9.3:2014-12-31:1419980400:
os:FreeBSD 10.0:2015-02-28:1425078000:
os:FreeBSD 10.1:2016-12-31:1483138800:
os:FreeBSD 10.2:2016-12-31:1483138800:
os:FreeBSD 10.3:2018-04-30:1525039200:
os:FreeBSD 10.4:2018-10-31:1540940400:
os:FreeBSD 11.0:2017-11-30:1511996400:
os:FreeBSD 11.1:2018-09-30:1538258400:
os:FreeBSD 11.2:2019-10-31:1572476400:
os:FreeBSD 12.0:2020-02-29:1582930800:
#
# Linux Mint
#
os:Linux Mint 18:2021-04-01:1617228000:
os:Linux Mint 19:2023-04-01:1680300000:
os:Linux Mint 20:2025-04-01:1743458400:
#
# NetBSD - https://www.netbsd.org/support/security/release.html and
# https://www.netbsd.org/releases/formal.html
#
os:NetBSD 2.0:2008-01-19:1200697200:
os:NetBSD 2.0.1:2008-01-19:1200697200:
os:NetBSD 2.0.2:2008-01-19:1200697200:
os:NetBSD 2.0.3:2008-01-19:1200697200:
os:NetBSD 2.1:2008-01-19:1200697200:
os:NetBSD 3.0:2009-09-29:1254175200:
os:NetBSD 3.0.1:2009-09-29:1254175200:
os:NetBSD 3.0.2:2009-09-29:1254175200:
os:NetBSD 3.1:2009-09-29:1254175200:
os:NetBSD 4.0:2012-11-17:1353106800:
os:NetBSD 4.0.1:2012-11-17:1353106800:
os:NetBSD 5.0:2015-11-17:1447714800:
os:NetBSD 5.0.1:2015-10-17:1445032800:
os:NetBSD 5.0.2:2015-10-17:1445032800:
os:NetBSD 5.1:2015-10-17:1445032800:
os:NetBSD 5.1.1:2015-10-17:1445032800:
os:NetBSD 5.1.2:2015-10-17:1445032800:
os:NetBSD 5.1.3:2015-10-17:1445032800:
os:NetBSD 5.1.4:2015-10-17:1445032800:
os:NetBSD 5.1.5:2015-10-17:1445032800:
os:NetBSD 5.2.1:2015-10-17:1445032800:
os:NetBSD 5.2.2:2015-10-17:1445032800:
os:NetBSD 5.2.3:2015-10-17:1445032800:
os:NetBSD 6.0:2017-09-17:1505599200:
os:NetBSD 6.0.1:2017-09-17:1505599200:
os:NetBSD 6.0.2:2017-09-17:1505599200:
os:NetBSD 6.0.3:2017-09-17:1505599200:
os:NetBSD 6.0.4:2017-09-17:1505599200:
os:NetBSD 6.0.5:2017-09-17:1505599200:
os:NetBSD 6.1:2017-09-17:1505599200:
os:NetBSD 6.1.1:2017-09-17:1505599200:
os:NetBSD 6.1.2:2017-09-17:1505599200:
os:NetBSD 6.1.3:2017-09-17:1505599200:
os:NetBSD 6.1.4:2017-09-17:1505599200:
os:NetBSD 6.1.5:2017-09-17:1505599200:
os:NetBSD 7.0:2020-03-14:1584162000:
os:NetBSD 7.0.1:2020-03-14:1584162000:
os:NetBSD 7.0.2:2020-03-14:1584162000:
os:NetBSD 7.1:2020-03-14:1584162000:
os:NetBSD 7.1.1:2020-03-14:1584162000:
os:NetBSD 7.1.1:2020-03-14:1584162000:
os:NetBSD 7.2:2020-03-14:1584162000:
os:NetBSD 8.0::-1:
os:NetBSD 8.1::-1:
os:NetBSD 9.0::-1:
#
# OpenBSD - https://en.wikipedia.org/wiki/OpenBSD_version_history
#
os:OpenBSD 5.8:2016-09-01:1472680800:
os:OpenBSD 5.9:2017-04-11:1491861600:
os:OpenBSD 6.0:2017-09-10:1505001600:
os:OpenBSD 6.1:2018-04-15:1523750400:
os:OpenBSD 6.2:2018-10-18:1539820800:
os:OpenBSD 6.3:2019-05-03:1556841600:
os:OpenBSD 6.4:2019-10-17:1571270400:
os:OpenBSD 6.5:2020-05-19:1589846400:
os:OpenBSD 6.6:2020-10-01:1601510400:
os:OpenBSD 6.7:2021-05-01:1619827200:
#
# Red Hat Enterprise Linux - https://access.redhat.com/labs/plcc/
#
os:Red Hat Enterprise Linux Server release 6:2020-11-30:1606690800:
os:Red Hat Enterprise Linux 7:2024-06-30:1719698400:
os:Red Hat Enterprise Linux 8:2029-05-07:1872799200:
#
# Slackware - https://en.wikipedia.org/wiki/Slackware#Releases
#
os:Slackware Linux 8.1:2012-08-01:1343768400:
os:Slackware Linux 9.0:2012-08-01:1343768400:
os:Slackware Linux 9.1:2012-08-01:1343768400:
os:Slackware Linux 10.0:2012-08-01:1343768400:
os:Slackware Linux 10.1:2012-08-01:1343768400:
os:Slackware Linux 10.2:2012-08-01:1343768400:
os:Slackware Linux 11.0:2012-08-01:1343768400:
os:Slackware Linux 12.0:2012-08-01:1343768400:
os:Slackware Linux 12.1:2013-12-09:1386540000:
os:Slackware Linux 12.2:2013-12-09:1386540000:
os:Slackware Linux 13.0:2018-07-05:1530738000:
os:Slackware Linux 13.1:2018-07-05:1530738000:
os:Slackware Linux 13.37:2018-07-05:1530738000:
#
# SuSE - https://www.suse.com/lifecycle/
#
os:SUSE Linux Enterprise Server 12:2024-10-31:1730329200:
os:SUSE Linux Enterprise Server 15:2028-07-31:1848607200:
#
# Ubuntu - https://wiki.ubuntu.com/Kernel/LTSEnablementStack and
# https://wiki.ubuntu.com/Releases
#
os:Ubuntu 14.04:2019-05-01:1556661600:
os:Ubuntu 14.10:2015-07-01:1435701600:
os:Ubuntu 15.04:2016-01-01:1451602800:
os:Ubuntu 15.10:2016-07-01:1467324000:
os:Ubuntu 16.04:2021-05-01:1619820000:
os:Ubuntu 16.10:2017-07-01:1498860000:
os:Ubuntu 17.04:2018-01-01:1514761200:
os:Ubuntu 17.10:2018-07-01:1530396000:
os:Ubuntu 18.04:2023-05-01:1682892000:
os:Ubuntu 18.10:2019-07-18:1563400800:
os:Ubuntu 19.04:2020-01-01:1577833200:
os:Ubuntu 20.04:2025-04-01:1743458400:
#
# EOF
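Review bot: the epoch values in field four were converted in different time zones, so the same date does not map to the same number across the file: "Ubuntu 16.04:2021-05-01:1619820000" is 2021-04-30 22:00 UTC while "OpenBSD 6.7:2021-05-01:1619827200" is 2021-05-01 00:00 UTC, and the verification example "date -d @1467324000" prints 2016-06-30 rather than 2016-07-01 when run under UTC; recommend regenerating field four with "TZ=UTC date +%s --date=..." and saying so in the header comment. Smaller points in the same hunk: the "os:NetBSD 7.1.1" line is listed twice; "(currently have an EOL date" opens a parenthesis that is never closed; Debian 9 and Debian 10 carry the identical date and epoch, which looks copy-pasted; and NetBSD 5.0 has a later date (2015-11-17) than its 5.0.1 through 5.2.3 point releases (2015-10-17), which is worth double-checking against the linked NetBSD page.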

@ -22,6 +22,8 @@ AUTH-9218:test:security:authentication:FreeBSD:Check harmful login shells:
AUTH-9222:test:security:authentication::Check for non unique groups:
AUTH-9226:test:security:authentication::Check non unique group names:
AUTH-9228:test:security:authentication::Check password file consistency with pwck:
AUTH-9229:test:security:authentication::Check password hashing methods:
AUTH-9230:test:security:authentication::Check group password hashing rounds:
AUTH-9234:test:security:authentication::Query user accounts:
AUTH-9240:test:security:authentication::Query NIS+ authentication support:
AUTH-9242:test:security:authentication::Query NIS authentication support:
@ -45,7 +47,8 @@ AUTH-9340:test:security:authentication:Solaris:Solaris account locking:
AUTH-9402:test:security:authentication::Query LDAP authentication support:
AUTH-9406:test:security:authentication::Query LDAP servers in client configuration:
AUTH-9408:test:security:authentication::Logging of failed login attempts via /etc/login.defs:
AUTH-9489:test:security:authentication:DragonFly:Check login shells for passwordless accounts:
AUTH-9409:test:security:authentication:OpenBSD:Check for doas file:
AUTH-9410:test:security:authentication:OpenBSD:Check for doas file permissions:
BANN-7113:test:security:banners:FreeBSD:Check COPYRIGHT banner file:
BANN-7124:test:security:banners::Check issue banner file:
BANN-7126:test:security:banners::Check issue banner file contents:
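Review bot: AUTH-9489 (DragonFly, check login shells for passwordless accounts) is dropped from this hunk while AUTH-9409 and AUTH-9410 are added, and no later hunk re-adds it; if the test still exists in the authentication test file, its database entry needs to be restored, otherwise "lynis show tests" will no longer list it.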
@ -55,7 +58,9 @@ BOOT-5102:test:security:boot_services:AIX:Check for AIX boot device:
BOOT-5104:test:security:boot_services::Determine service manager:
BOOT-5106:test:security:boot_services:MacOS:Check EFI boot file on macOS:
BOOT-5108:test:security:boot_services:Linux:Test Syslinux boot loader:
BOOT-5109:test:security:boot_services:Linux:Test rEFInd boot loader:
BOOT-5116:test:security:boot_services::Check if system is booted in UEFI mode:
BOOT-5117:test:security:boot_services:Linux:Check for systemd-boot boot loader:
BOOT-5121:test:security:boot_services::Check for GRUB boot loader presence:
BOOT-5122:test:security:boot_services::Check for GRUB boot password:
BOOT-5124:test:security:boot_services:FreeBSD:Check for FreeBSD boot loader presence:
@ -71,6 +76,9 @@ BOOT-5184:test:security:boot_services:Linux:Check permissions for boot files/scr
BOOT-5202:test:security:boot_services::Check uptime of system:
BOOT-5260:test:security:boot_services::Check single user mode for systemd:
BOOT-5261:test:security:boot_services:DragonFly:Check for DragonFly boot loader presence:
BOOT-5262:test:security:boot_services:OpenBSD:Check for OpenBSD boot daemons:
BOOT-5263:test:security:boot_services:OpenBSD:Check permissions for boot files/scripts:
BOOT-5264:test:security:boot_services:Linux:Run systemd-analyze security:
CONT-8004:test:security:containers:Solaris:Query running Solaris zones:
CONT-8102:test:security:containers::Checking Docker status and information:
CONT-8104:test:security:containers::Checking Docker info for any warnings:
@ -79,12 +87,18 @@ CONT-8107:test:performance:containers::Check number of unused Docker containers:
CONT-8108:test:security:containers::Check file permissions for Docker files:
CORE-1000:test:performance:system_integrity::Check all system binaries:
CRYP-7902:test:security:crypto::Check expire date of SSL certificates:
CRYP-7930:test:security:crypto:Linux:Determine if system uses LUKS encryption:
CRYP-7931:test:security:crypto:Linux:Determine if system uses encrypted swap:
CRYP-8002:test:security:crypto:Linux:Gather kernel entropy:
CRYP-8004:test:security:crypto:Linux:Presence of hardware random number generators:
CRYP-8005:test:security:crypto:Linux:Presence of software pseudo random number generators:
DNS-1600:test:security:dns::Validating that the DNSSEC signatures are checked:
DBS-1804:test:security:databases::Checking active MySQL process:
DBS-1816:test:security:databases::Checking MySQL root password:
DBS-1818:test:security:databases::MongoDB status:
DBS-1820:test:security:databases::Check MongoDB authentication:
DBS-1826:test:security:databases::Checking active PostgreSQL processes:
DBS-1828:test:security:databases::PostgreSQL configuration files:
DBS-1840:test:security:databases::Checking active Oracle processes:
DBS-1860:test:security:databases::Checking active DB2 instances:
DBS-1880:test:security:databases::Checking active Redis processes:
@ -106,8 +120,9 @@ FILE-6362:test:security:filesystems::Checking /tmp sticky bit:
FILE-6363:test:security:filesystems::Checking /var/tmp sticky bit:
FILE-6368:test:security:filesystems:Linux:Checking ACL support on root file system:
FILE-6372:test:security:filesystems:Linux:Checking / mount options:
FILE-6374:test:security:filesystems:Linux:Checking /boot mount options:
FILE-6374:test:security:filesystems:Linux:Linux mount options:
FILE-6376:test:security:filesystems:Linux:Determine if /var/tmp is bound to /tmp:
FILE-6394:test:performance:filesystems:Linux:Test swappiness of virtual memory:
FILE-6410:test:security:filesystems::Checking Locate database:
FILE-6430:test:security:filesystems::Disable mounting of some filesystems:
FILE-6439:test:security:filesystems:DragonFly:Checking HAMMER PFS mounts:
@ -115,6 +130,7 @@ FILE-7524:test:security:file_permissions::Perform file permissions check:
FINT-4310:test:security:file_integrity::AFICK availability:
FINT-4314:test:security:file_integrity::AIDE availability:
FINT-4315:test:security:file_integrity::Check AIDE configuration file:
FINT-4316:test:security:file_integirty::Presence of AIDE database and size check:
FINT-4318:test:security:file_integrity::Osiris availability:
FINT-4322:test:security:file_integrity::Samhain availability:
FINT-4326:test:security:file_integrity::Tripwire availability:
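Review bot: the new FINT-4316 line spells the category as "file_integirty" instead of "file_integrity", which would make it the only test in a misspelled category and break any group selection by category name; please correct the spelling.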
@ -123,6 +139,9 @@ FINT-4330:test:security:file_integrity::mtree availability:
FINT-4334:test:security:file_integrity::Check lfd daemon status:
FINT-4336:test:security:file_integrity::Check lfd configuration status:
FINT-4338:test:security:file_integrity::osqueryd syscheck daemon running:
FINT-4339:test:security:file_integrity:Linux:Check IMA/EVM Status
FINT-4340:test:security:file_integrity:Linux:Check dm-integrity status
FINT-4341:test:security:file_integrity:Linux:Check dm-verity status
FINT-4350:test:security:file_integrity::File integrity software installed:
FINT-4402:test:security:file_integrity::Checksums (SHA256 or SHA512):
FIRE-4502:test:security:firewalls:Linux:Check iptables kernel module:
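Review bot: the three added lines FINT-4339, FINT-4340 and FINT-4341 are missing the trailing colon that terminates every other record in this file; a colon-separated parser that expects a fixed field count will treat the description field as unterminated, so append the closing colon.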
@ -143,6 +162,8 @@ FIRE-4586:test:security:firewalls::Check firewall logging:
FIRE-4590:test:security:firewalls::Check firewall status:
FIRE-4594:test:security:firewalls::Check for APF presence:
HOME-9302:test:security:homedirs::Create list with home directories:
HOME-9304:test:security:homedirs::Test permissions of user home directories:
HOME-9306:test:security:homedirs::Test ownership of user home directories:
HOME-9310:test:security:homedirs::Checking for suspicious shell history files:
HOME-9350:test:security:homedirs::Collecting information from home directories:
HRDN-7220:test:security:hardening::Check if one or more compilers are installed:
@ -164,11 +185,23 @@ HTTP-6712:test:security:webservers::Check nginx access logging:
HTTP-6714:test:security:webservers::Check for missing error logs in nginx:
HTTP-6716:test:security:webservers::Check for debug mode on error log in nginx:
HTTP-6720:test:security:webservers::Check Nginx log files:
INSE-8002:test:security:insecure_services::Check for enabled inet daemon:
INSE-8004:test:security:insecure_services::Check for enabled inet daemon:
INSE-8006:test:security:insecure_services::Check configuration of inetd when disabled:
INSE-8000:test:security:insecure_services::Installed inetd package:
INSE-8002:test:security:insecure_services::Status of inet daemon:
INSE-8004:test:security:insecure_services::Presence of inetd configuration file:
INSE-8006:test:security:insecure_services::Check configuration of inetd when it is disabled:
INSE-8016:test:security:insecure_services::Check for telnet via inetd:
INSE-8050:test:security:insecure_services:MacOS:Check for insecure services on macOS systems:
INSE-8100:test:security:insecure_services::Installed xinetd package:
INSE-8116:test:security:insecure_services::Insecure services enabled via xinetd:
INSE-8200:test:security:insecure_services::Usage of TCP wrappers:
INSE-8300:test:security:insecure_services::Presence of rsh client:
INSE-8302:test:security:insecure_services::Presence of rsh server:
INSE-8310:test:security:insecure_services::Presence of telnet client:
INSE-8312:test:security:insecure_services::Presence of telnet server:
INSE-8314:test:security:insecure_services::Presence of NIS client:
INSE-8316:test:security:insecure_services::Presence of NIS server:
INSE-8318:test:security:insecure_services::Presence of TFTP client:
INSE-8320:test:security:insecure_services::Presence of TFTP server:
KRNL-5622:test:security:kernel:Linux:Determine Linux default run level:
KRNL-5677:test:security:kernel:Linux:Check CPU options and support:
KRNL-5695:test:security:kernel:Linux:Determine Linux kernel version and release number:
@ -255,9 +288,11 @@ NAME-4402:test:security:nameservices::Check duplicate line in /etc/hosts:
NAME-4404:test:security:nameservices::Check /etc/hosts contains an entry for this server name:
NAME-4406:test:security:nameservices::Check server hostname mapping:
NAME-4408:test:security:nameservices::Check localhost to IP mapping:
NETW-2400:test:basics:networking::Test hostname for valid characters and length:
NETW-2600:test:security:networking:Linux:Checking IPv6 configuration:
NETW-2704:test:security:networking::Basic nameserver configuration tests:
NETW-2705:test:security:networking::Check availability two nameservers:
NETW-2706:test:security:networking::Check DNSSEC status:
NETW-3001:test:security:networking::Find default gateway (route):
NETW-3004:test:security:networking::Search available network interfaces:
NETW-3006:test:security:networking::Get network MAC addresses:
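Review bot: NETW-2400 uses the category "basics" where every other entry in the file uses "security" or "performance"; if "basics" is a new category it should be introduced deliberately (and documented), otherwise this should be "security" to match NETW-2704 and NETW-2706 added in the same hunk.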
@ -268,6 +303,7 @@ NETW-3015:test:security:networking:Linux:Checking promiscuous interfaces (Linux)
NETW-3028:test:security:networking::Checking connections in WAIT state:
NETW-3030:test:security:networking::Checking DHCP client status:
NETW-3032:test:security:networking:Linux:Checking for ARP monitoring software:
NETW-3200:test:security:networking::Determine available network protocols:
PHP-2211:test:security:php::Check php.ini presence:
PHP-2320:test:security:php::Check PHP disabled functions:
PHP-2368:test:security:php::Check PHP register_globals option:
@ -276,6 +312,7 @@ PHP-2374:test:security:php::Check PHP enable_dl option:
PHP-2376:test:security:php::Check PHP allow_url_fopen option:
PHP-2378:test:security:php::Check PHP allow_url_include option:
PHP-2379:test:security:php::Check PHP suhosin extension status:
PHP-2382:test:security:php::Check PHP listen option:
PKGS-7301:test:security:ports_packages::Query NetBSD pkg:
PKGS-7302:test:security:ports_packages::Query FreeBSD/NetBSD pkg_info:
PKGS-7303:test:security:ports_packages::Query brew package manager:
@ -314,6 +351,7 @@ PKGS-7393:test:security:ports_packages::Check for Gentoo vulnerable packages:
PKGS-7394:test:security:ports_packages:Linux:Check for Ubuntu updates:
PKGS-7398:test:security:ports_packages::Check for package audit tool:
PKGS-7410:test:security:ports_packages::Count installed kernel packages:
PKGS-7420:test:security:ports_packages::Detect toolkit to automatically download and apply upgrades:
PRNT-2302:test:security:printers_spools:FreeBSD:Check for printcap consistency:
PRNT-2304:test:security:printers_spools::Check cupsd status:
PRNT-2306:test:security:printers_spools::Check CUPSd configuration file:
@ -327,6 +365,7 @@ PROC-3602:test:security:memory_processes:Linux:Checking /proc/meminfo for memory
PROC-3604:test:security:memory_processes:Solaris:Query prtconf for memory details:
PROC-3612:test:security:memory_processes::Check dead or zombie processes:
PROC-3614:test:security:memory_processes::Check heavy IO waiting based processes:
PROC-3802:test:security:memory_processes::Check presence of prelink tooling:
RBAC-6272:test:security:mac_frameworks::Check grsecurity presence:
SCHD-7702:test:security:scheduling::Check status of cron daemon:
SCHD-7704:test:security:scheduling::Check crontab/cronjobs:
@ -337,7 +376,7 @@ SHLL-6202:test:security:shells:FreeBSD:Check console TTYs:
SHLL-6211:test:security:shells::Checking available and valid shells:
SHLL-6220:test:security:shells::Checking available and valid shells:
SHLL-6230:test:security:shells::Perform umask check for shell configurations:
SINT-7010:test:security:system_integrity::System Integrity Status:
SINT-7010:test:security:system_integrity:MacOS:System Integrity Status:
SNMP-3302:test:security:snmp::Check for running SNMP daemon:
SNMP-3304:test:security:snmp::Check SNMP daemon file location:
SNMP-3306:test:security:snmp::Check SNMP communities:
@ -357,8 +396,6 @@ SSH-7404:test:security:ssh::Check SSH daemon file location:
SSH-7406:test:security:ssh::Detection of OpenSSH server version:
SSH-7408:test:security:ssh::Check SSH specific defined options:
SSH-7440:test:security:ssh::AllowUsers and AllowGroups:
STRG-1840:test:security:storage:Linux:Check if USB storage is disabled:
STRG-1842:test:security:storage:Linux:Check USB authorizations:
STRG-1846:test:security:storage:Linux:Check if firewire storage is disabled:
STRG-1902:test:security:storage_nfs::Check rpcinfo registered programs:
STRG-1904:test:security:storage_nfs::Check nfs rpc:
@ -379,12 +416,18 @@ TIME-3136:test:security:time:Linux:Check NTP protocol version:
TIME-3148:test:performance:time:Linux:Check TZ variable:
TIME-3160:test:security:time:Linux:Check empty NTP step-tickers:
TIME-3170:test:security:time::Check configuration files:
TIME-3180:test:security:time::Report if ntpctl cannot communicate with OpenNTPD:
TIME-3181:test:security:time::Check status of OpenNTPD time synchronisation
TIME-3182:test:security:time::Check OpenNTPD has working peers
TIME-3185:test:security:time::Check systemd-timesyncd synchronized time
TOOL-5002:test:security:tooling::Checking for automation tools:
TOOL-5102:test:security:tooling::Check for presence of Fail2ban:
TOOL-5104:test:security:tooling::Enabled tests for Fail2ban:
TOOL-5120:test:security:tooling::Presence of Snort IDS:
TOOL-5122:test:security:tooling::Snort IDS configuration file:
TOOL-5160:test:security:tooling::Check for active OSSEC analysis daemon:
TOOL-5160:test:security:tooling::Check for active OSSEC daemon:
TOOL-5190:test:security:tooling::Check presence of available IDS/IPS tooling:
USB-1000:test:security:storage:Linux:Check if USB storage is disabled:
USB-2000:test:security:storage:Linux:Check USB authorizations:
USB-3000:test:security:storage:Linux:Check for presence of USBGuard:
# EOF
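Review bot: TIME-3181, TIME-3182 and TIME-3185 lack the trailing colon that every other record carries (compare TIME-3180 directly above them); append it so the field count stays consistent. Separately, USB-1000 and USB-2000 replace the STRG-1840 and STRG-1842 lines dropped in the hunk above: renumbering test IDs silently invalidates "skip-test=STRG-1840" style entries in existing custom profiles, so the rename deserves a changelog entry and ideally a warning when a profile references a retired ID.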

@ -1,30 +1,33 @@
#################################################################################
#
#
# Lynis - Scan Profile (default)
#
# This is the default profile and contains default values.
# Lynis - Default scan profile
#
#
#################################################################################
#
#
# SUGGESTION
# This profile provides Lynis with most of its initial values to perform a
# system audit.
#
#
# WARNINGS
# ----------
#
# Do NOT make changes to this file, instead copy your preferred settings to
# custom.prf and put it in the same directory as default.prf
# Do NOT make changes to this file. Instead, copy only your changes into
# the file custom.prf and put it in the same directory as default.prf
#
# To discover where your profiles are located: lynis show profiles
#
#
# Lynis performs a strict check on profiles to avoid the inclusion of
# possibly harmful injections. See include/profiles for details.
#
#
#################################################################################
#
# All empty lines or with the # prefix will be skipped
#
# More information about this plugin can be found in the documentation:
# https://cisofy.com/documentation/lynis/
#
#################################################################################
# Use colored output
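Review bot: the new header text says "More information about this plugin can be found in the documentation", but this file is the default scan profile, not a plugin; change "plugin" to "profile" so the comment does not mislead someone editing it.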
@ -33,6 +36,9 @@ colors=yes
# Compressed uploads (set to zero when errors with uploading occur)
compressed-uploads=yes
# Amount of connections in WAIT state before reporting it as a suggestion
#connections-max-wait-state=5000
# Debug mode (for debugging purposes, extra data logged to screen)
#debug=yes
@ -42,20 +48,27 @@ error-on-warnings=no
# Use Lynis in your own language (by default auto-detected)
language=
# Lynis Enterprise license key
license-key=
# Log tests from another guest operating system (default: yes)
#log-tests-incorrect-os=yes
# Define if available NTP daemon is configured as a server or client on the network
# values: server or client (default: client)
#ntpd-role=client
# Defines the role of the system (personal, workstation or server)
machine-role=server
# Ignore some stratum 16 hosts (for example when running as time source itself)
#ntp-ignore-stratum-16-peer=127.0.0.1
# Profile name, will be used as title/description
profile-name=Default Audit Template
# Number of seconds to pause between every test (0 is no pause)
pause-between-tests=0
# Enable quick mode (no waiting for keypresses, same as --quick option)
quick=no
# Quick mode (do not wait for keypresses)
quick=yes
# Refresh software repositories to help detecting vulnerable packages
refresh-repositories=yes
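Review bot: this hunk flips the default from "quick=no" to "quick=yes", which changes interactive behaviour (no more pauses for keypresses) for everyone who has not overridden the key in custom.prf; that is a user-visible default change and should be called out in the changelog, and the comment could keep the "same as --quick option" hint from the old text so the relationship between the profile key and the command-line flag stays documented.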
@ -76,39 +89,21 @@ skip-plugins=no
#skip-test=SSH-7408:loglevel
#skip-test=SSH-7408:permitrootlogin
# Skip Lynis upgrade availability test (default: no)
#skip-upgrade-test=yes
# Locations where to search for SSL certificates (separate paths with a colon)
ssl-certificate-paths=/etc/apache2:/etc/dovecot:/etc/httpd:/etc/letsencrypt:/etc/pki:/etc/postfix:/etc/refind.d/keys:/etc/ssl:/opt/psa/var/certificates:/usr/local/psa/var/certificates:/usr/local/share/ca-certificates:/usr/share/ca-certificates:/usr/share/gnupg:/var/www:/srv/www
ssl-certificate-paths-to-ignore=/etc/letsencrypt/archive:
ssl-certificate-include-packages=no
# Scan type - how deep the audit should be (light, normal or full)
test-scan-mode=full
# Upload data to central server
upload=no
# The hostname/IP address to receive the data
upload-server=
# Provide options to cURL (or other upload tool) when uploading data.
# upload-options=--insecure --> use HTTPS, but skip certificate check (e.g. self-signed)
upload-options=
# Verbose output
verbose=no
#################################################################################
#
# Upgrade and updating
# --------------------
#
# The old settings to do automatic updating are deprecated. It is suggested to
# use a package or deploy your the tarball via a custom script.
#
# The latest packages can be found at: https://packages.cisofy.com
#
#################################################################################
# Skip Lynis upgrade availability test (default: no)
#skip-upgrade-test=yes
#################################################################################
#
# Plugins
@ -119,10 +114,11 @@ verbose=no
# - Nothing happens if plugin isn't available
# - There is no order in execution of plugins
# - See documentation about how to use plugins and phases
# - Some are for Lynis Enterprise users only
#
#################################################################################
# Lynis Plugins (some are for Lynis Enterprise users only)
# Lynis plugins to enable
plugin=authentication
plugin=compliance
plugin=configuration
@ -149,17 +145,22 @@ plugin=system-integrity
plugin=systemd
plugin=users
# Disable a particular plugin (will overrule an enabled plugin)
#disable-plugin=authentication
#################################################################################
#
# Kernel options
# ---------------
# sysctl:<sysctl Key>:<Expected Value>:<Hardening Points>:<Description>:
# config-data=, followed by:
#
# Sysctl key = name
# Expected value = value of sysctl key
# Hardening points = Number of hardening points. For most keys 1 HP will be suitable
# Description = Text description of key
# - Type = Set to 'sysctl'
# - Setting = value of sysctl key (e.g. kernel.sysrq)
# - Expected value = Preferred value for key (e.g. 0)
# - Hardening Points = Number of hardening points (typically 1 point per key) (1)
# - Description = Textual description about the sysctl key(Disable magic SysRQ)
# - Related file or command = For example, sysctl -a to retrieve more details
# - Solution field = Specifies more details or where to find them (url:URL, text:TEXT, or -)
#
#################################################################################
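Review bot: the rewritten field list for config-data does not state the separator or the last field: the actual entries at the head of the next hunk ("config-data=sysctl;security.bsd.hardlink_check_uid;1;1;...;-;category:security;") are separated by semicolons, not colons as in the old "sysctl:<sysctl Key>:..." line, and end with a "category:security;" field that the list omits; add the separator and the category field to the description so the documentation matches the records below it.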
@ -269,86 +270,66 @@ config-data=sysctl;security.bsd.hardlink_check_gid;1;1;Unprivileged processes ar
config-data=sysctl;security.bsd.hardlink_check_uid;1;1;Unprivileged processes are not allowed to create hard links to files which are owned by other users;-;category:security;
#################################################################################
#
# Apache options
# columns: (1)apache : (2)option : (3)value
#
#################################################################################
apache:ServerTokens:Prod:
#################################################################################
#
# OpenLDAP options
# columns: (1)openldap : (2)file : (3)option : (4)expected value(s)
#
#################################################################################
openldap:slapd.conf:permissions:640-600:
openldap:slapd.conf:owner:ldap-root:
#################################################################################
#
# NTP options
#
#################################################################################
# Ignore some stratum 16 hosts (for example when running as time source itself)
#ntp-ignore-stratum-16-peer=127.0.0.1
#################################################################################
#
# File/directories permissions (currently not used yet)
#
#################################################################################
# Scan for exact file name match
#[scanfiles]
#scanfile:/etc/rc.conf:FreeBSD configuration:
# Scan for exact directory name match
#[scandirs]
#scandir:/etc:/etc directory:
#################################################################################
#
# permfile
# ---------------
# permfile:file name:file permissions:owner:group:action:
# permfile=file name:file permissions:owner:group:action:
# Action = NOTICE or WARN
# Examples:
# permfile:/etc/test1.dat:600:root:wheel:NOTICE:
# permfile:/etc/test1.dat:640:root:-:WARN:
# permfile=/etc/test1.dat:600:root:wheel:NOTICE:
# permfile=/etc/test1.dat:640:root:-:WARN:
#
#################################################################################
#permfile:/etc/inetd.conf:rw-------:root:-:WARN:
#permfile:/etc/fstab:rw-r--r--:root:-:WARN:
permfile:/etc/lilo.conf:rw-------:root:-:WARN:
#permfile=/etc/inetd.conf:rw-------:root:-:WARN:
#permfile=/etc/fstab:rw-r--r--:root:-:WARN:
permfile=/boot/grub/grub.cfg:rw-------:root:root:WARN:
permfile=/boot/grub2/grub.cfg:rw-------:root:root:WARN:
permfile=/boot/grub2/user.cfg:rw-------:root:root:WARN:
permfile=/etc/at.allow:rw-------:root:-:WARN:
permfile=/etc/at.deny:rw-------:root:-:WARN:
permfile=/etc/cron.allow:rw-------:root:-:WARN:
permfile=/etc/cron.deny:rw-------:root:-:WARN:
permfile=/etc/crontab:rw-------:root:-:WARN:
permfile=/etc/group:rw-r--r--:root:-:WARN:
permfile=/etc/group-:rw-r--r--:root:-:WARN:
permfile=/etc/hosts.allow:rw-r--r--:root:root:WARN:
permfile=/etc/hosts.deny:rw-r--r--:root:root:WARN:
permfile=/etc/issue:rw-r--r--:root:root:WARN:
permfile=/etc/issue.net:rw-r--r--:root:root:WARN:
permfile=/etc/lilo.conf:rw-------:root:-:WARN:
permfile=/etc/motd:rw-r--r--:root:root:WARN:
permfile=/etc/passwd:rw-r--r--:root:-:WARN:
permfile=/etc/passwd-:rw-r--r--:root:-:WARN:
permfile=/etc/ssh/sshd_config:rw-------:root:-:WARN:
permfile=/etc/hosts.equiv:rw-r--r--:root:root:WARN:
permfile=/etc/shosts.equiv:rw-r--r--:root:root:WARN:
permfile=/root/.rhosts:rw-------:root:root:WARN:
permfile=/root/.rlogin:rw-------:root:root:WARN:
permfile=/root/.shosts:rw-------:root:root:WARN:
# These permissions differ by OS
#permfile=/etc/gshadow:---------:root:-:WARN:
#permfile=/etc/gshadow-:---------:root:-:WARN:
#permfile=/etc/shadow:---------:root:-:WARN:
#permfile=/etc/shadow-:---------:root:-:WARN:
#################################################################################
#
# permdir
# ---------------
# permdir:directory name:file permissions:owner:group:action when permissions are different:
# permdir=directory name:file permissions:owner:group:action when permissions are different:
#
#################################################################################
permdir:/root/.ssh:rwx------:root:-:WARN:
# Scan for a program/binary in BINPATHs
#scanbinary:Rootkit Hunter:rkhunter:
# Amount of connections in WAIT state before reporting it as a suggestion
#connections-max-wait-state=5000
permdir=/root/.ssh:rwx------:root:-:WARN:
permdir=/etc/cron.d:rwx------:root:root:WARN:
permdir=/etc/cron.daily:rwx------:root:root:WARN:
permdir=/etc/cron.hourly:rwx------:root:root:WARN:
permdir=/etc/cron.weekly:rwx------:root:root:WARN:
permdir=/etc/cron.monthly:rwx------:root:root:WARN:
# Ignore some specific home directories
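Review bot: switching from `permfile:`/`permdir:` to `permfile=`/`permdir=` changes the profile syntax, and nothing in this hunk warns operators who carry the old colon form in a custom profile, so those checks would silently stop being parsed; a comment stating that the old form is no longer accepted would catch that. The header examples also still show octal modes (`permfile=/etc/test1.dat:600:root:wheel:NOTICE:`) while every real entry uses symbolic `rw-------`, so state which form the parser accepts. Finally, `#scanbinary` and `#connections-max-wait-state` disappear here without a replacement or deprecation note.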
@ -356,12 +337,6 @@ permdir:/root/.ssh:rwx------:root:-:WARN:
# checks, like file permissions, SSH and other configuration files
#ignore-home-dir=/home/user
# Do not log tests with another guest operating system (default: yes)
#log-tests-incorrect-os=no
# Define if available NTP daemon is configured as a server or client on the network
# values: server or client (default: client)
#ntpd-role=client
# Allow promiscuous interfaces
# <option>:<promiscuous interface name>:<description>:
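Review bot: `log-tests-incorrect-os` and `ntpd-role` are removed outright; a commented line marking each as removed (and naming a replacement, if one exists) would help operators find dead settings in custom profiles. The same applies to `ntp-ignore-stratum-16-peer`, dropped in the previous hunk.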
@ -395,21 +370,10 @@ permdir:/root/.ssh:rwx------:root:-:WARN:
#################################################################################
#
# SSL certificates
#
#################################################################################
# Locations where to search for SSL certificates
ssl-certificate-paths=/etc/apache2:/etc/dovecot:/etc/httpd:/etc/letsencrypt:/etc/pki:/etc/postfix:/etc/ssl:/opt/psa/var/certificates:/usr/local/psa/var/certificates:/usr/local/share/ca-certificates:/var/www:/srv/www
#################################################################################
#
# Lynis Enterprise options
# -----------------
# ------------------------
#
#################################################################################
@ -423,6 +387,9 @@ ssl-certificate-paths=/etc/apache2:/etc/dovecot:/etc/httpd:/etc/letsencrypt:/etc
#hostid=40-char-hash
#hostid2=64-char-hash
# Lynis Enterprise license key
license-key=
# Proxy settings
# Protocol (http, https, socks5)
#proxy-protocol=https
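Review bot: `license-key=` is added uncommented to the shipped default profile, which invites operators to put a secret into a file that is typically installed world-readable and replaced on upgrade. Keep the key out of default.prf: leave the line commented here and point to a custom profile with restrictive permissions (root-owned, mode 0600), which is also where `upload-server` and any proxy credentials belong.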
@ -443,9 +410,18 @@ compliance-standards=cis,hipaa,iso27001,pci-dss
# Provide the name of the customer/client
#system-customer-name=mycustomer
# Upload data to central server
upload=no
# The hostname/IP address to receive the data
upload-server=
# Provide options to cURL (or other upload tool) when uploading data.
# upload-options=--insecure (use HTTPS, but skip certificate check for self-signed certificates)
upload-options=
# Link one or more tags to a system
#tags=db,production,ssn-1304
#EOF
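Review bot: the comment on `upload-options` recommends `--insecure` for self-signed certificates, which disables TLS server verification for the report upload and exposes the audit data to interception. The guidance should prefer `--cacert /path/to/ca.pem` (or `--pinnedpubkey`) and describe `--insecure` as a testing-only last resort. Also, `upload-server=` takes a hostname/IP but the comment does not say that HTTPS is implied, so state the expected scheme.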

@ -3,6 +3,5 @@
debug=yes
developer-mode=yes
quick=yes
strict=yes
verbose=yes

@ -1,6 +1,6 @@
# bash completion for lynis
# version 1.0.0 (22 September 2014)
# version 1.0.1 (2019-07-13)
# Michael Boelen <michael.boelen@cisofy.com>
# lynis(8) completion
@ -10,7 +10,7 @@ _lynis()
# opts nodig nosig
COMPREPLY=()
_get_comp_words_by_ref cur prev
_get_comp_words_by_ref cur prev words
if [ $COMP_CWORD -eq 1 ]; then
# first parameter on line
@ -19,24 +19,134 @@ _lynis()
COMPREPLY=( $( compgen -W '--help --info --version' -- "$cur" ) )
;;
*)
COMPREPLY=( $( compgen -W 'audit --help --info --version' -- "$cur" ) )
COMPREPLY=( $( compgen -W 'audit generate show' -- "$cur" ) )
;;
esac
return 0
return 0
elif [ $COMP_CWORD -eq 4 ]; then
# Stop after some specifics
if [ "${COMP_WORDS[1]}" = "show" -a "${COMP_WORDS[2]}" = "details" ]; then
return 0
fi
fi
# Check previous argument to share the available options
case $prev in
audit)
COMPREPLY=( $( compgen -W 'dockerfile system ' -- "$cur" ) )
;;
show)
COMPREPLY=( $( compgen -W 'help version ' -- "$cur" ) )
COMPREPLY=( $( compgen -W 'categories changelog commands dbdir details environment eol groups help hostids includedir language license logfile man options os pidfile plugindir profiles release releasedate report settings tests version workdir ' -- "$cur" ) )
;;
# Related items to show (lynis show XYZ)
categories)
return 0
;;
changelog)
return 0
;;
commands)
return 0
;;
dbdir)
return 0
;;
details)
local dbfile=""
local dirs="/data/development/lynis /usr/local/lynis /usr/share/lynis"
for d in ${dirs}; do
if [ -f "${d}/db/tests.db" ]; then
local dbfile="/data/development/lynis/db/tests.db"
fi
done
if [ -f "${dbfile}" ]; then
local suggestions=($(compgen -W "$(awk -F: '$1 ~ /^[A-Z]/ {print $1}' ${dbfile})" -- "${cur}"))
COMPREPLY=("${suggestions[@]}")
else
COMPREPLY=($(compgen -W "TEST-1234" -- "$cur"))
fi
;;
environment)
return 0
;;
eol)
return 0
;;
groups)
return 0
;;
help)
return 0
;;
hostids)
if [ "${COMP_WORDS[1]}" = "generate" -a "${COMP_WORDS[2]}" = "hostids" ]; then
COMPREPLY=($(compgen -W "save" -- "$cur"))
else
return 0
fi
;;
includedir)
return 0
;;
language)
return 0
;;
license)
return 0
;;
logfile)
return 0
;;
man)
return 0
;;
options)
return 0
;;
os)
return 0
;;
pidfile)
return 0
;;
plugindir)
return 0
;;
profiles)
return 0
;;
release)
return 0
;;
releasedate)
return 0
;;
report)
return 0
;;
settiings)
return 0
;;
tests)
return 0
;;
version)
return 0
;;
workdir)
return 0
;;
generate)
COMPREPLY=( $( compgen -W 'hostids ' -- "$cur" ) )
;;
# Options
--auditor)
COMPREPLY=( '"Mr. Auditor"' )
return 0
#return 0
;;
--check-update|--help|--info|--version)
# all other options are noop with this command
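Review bot: the `details)` arm has a bug at `local dbfile="/data/development/lynis/db/tests.db"`: the loop tests `${d}/db/tests.db` for each of the three directories but then always assigns the development path, so on a normal install (/usr/share/lynis) `dbfile` points at a file that does not exist and completion falls back to the `TEST-1234` placeholder. It should be `dbfile="${d}/db/tests.db"`, with a `break` after the first match. Two smaller points: the `settiings)` arm is misspelled and will never match `settings`, and the twenty-odd arms that only `return 0` could be collapsed into one `categories|changelog|...)` pattern.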
@ -69,7 +179,7 @@ _lynis()
*)
COMPREPLY=( $( compgen -W ' \
--auditor --cronjob --debug --quick --quiet --logfile --no-colors --no-log --pentest --reverse-colors \
--tests --tests-from-category --tests-from-group --upload --verbose' -- "$cur" ) )
--tests --tests-from-category --tests-from-group --upload --verbose --slow-warning' -- "$cur" ) )
;;
esac
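Review bot: `--slow-warning` is appended to the generic option list but gets no `case` arm of its own; if it takes a value (as `--auditor` does), the completion will keep offering options in the value position, so add an arm that returns 0 after it, mirroring `--auditor`.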

@ -55,23 +55,20 @@
# Functions:
# Clean temporary files up
CleanUp()
{
CleanUp() {
if [ ! "${TMPDIR}" = "" -a -d "${TMPDIR}" ]; then
rm -rf ${TMPDIR}
fi
}
}
Exit()
{
Exit() {
CleanUp
exit 0
}
ExitFatal()
{
}
ExitFatal() {
CleanUp
exit 1
}
}
#
#########################################################################
#
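Review bot: while CleanUp is being reformatted, quote the variable in `rm -rf ${TMPDIR}` (`rm -rf "${TMPDIR}"`) and replace the obsolescent `-a` with `[ -n "${TMPDIR}" ] && [ -d "${TMPDIR}" ]`; an unquoted TMPDIR containing a space would delete the wrong paths.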
@ -95,7 +92,7 @@
if [ ! -d ${MYWORKDIR} ]; then
echo "[X] Could not determine workdir (result: ${MYWORKDIR} seems invalid)"
ExitFatal
else
else
echo "[=] workdir: ${MYWORKDIR}"
fi
@ -105,7 +102,7 @@
echo "[X] ${MYBUILDDIR} not found"
echo " Hint: create it with mkdir ${MYBUILDDIR}"
ExitFatal
else
else
echo "[=] builddir: ${MYBUILDDIR}"
fi
@ -129,7 +126,7 @@
GITBUILDPACKAGEBINARY=$(which git-buildpackage)
if [ ! "${GITBUILDPACKAGEBINARY}" = "" ]; then
echo "[=] git-buildpackage = ${GITBUILDPACKAGEBINARY}"
else
else
echo "[X] Can not find git-buildpackage binary"
echo " Hint: install git-buildpackage"
ExitFatal
@ -138,7 +135,7 @@
RPMBUILDBINARY=$(which rpmbuild)
if [ ! "${RPMBUILDBINARY}" = "" ]; then
echo "[=] rpmbuild = ${RPMBUILDBINARY}"
else
else
echo "[X] Can not find rpmbuild binary"
echo " Hint: install rpmbuild"
ExitFatal
@ -149,7 +146,7 @@
umask ${OPTION_UMASK}
if [ $? -eq 0 ]; then
echo "[V] Setting umask to ${OPTION_UMASK}"
else
else
echo "[X] Could not set umask"
ExitFatal
fi
@ -157,7 +154,7 @@
# Check if we are in dev directory
if [ -f ../lynis -a -f ./build-lynis.sh ]; then
echo "[V] Active in proper directory"
else
else
echo "[X] This script should be executed from dev directory itself"
ExitFatal
fi
@ -172,7 +169,7 @@
if [ $? -eq 0 ]; then
echo "[V] Creating temporary build directory"
#echo " BUILDROOT: ${TMPDIR}"
else
else
echo "[X] Could not create temporary build directory"
ExitFatal
fi
@ -192,11 +189,11 @@
if [ -f ${TARBALL} ]; then
echo "Tarball already exists for this version, not overwriting it"
else
else
tar -C ${MYWORKDIR} --exclude=debian --exclude=README.md --exclude=.bzr* --exclude=.git* -c -z -f ${TARBALL} lynis 2> /dev/null
if [ -f ${TARBALL} ]; then
echo "[V] Tarball created"
else
else
echo "[X] Tarball ${TARBALL} could not be created"
ExitFatal
fi
@ -220,7 +217,7 @@
fi
echo "[*] Start RPM building"
#${RPMBUILDBINARY} --quiet -ba -bl lynis.spec 2> /dev/null
else
else
echo "[X] lynis.spec not found"
ExitFatal
fi
@ -228,12 +225,12 @@
RPMFILE="${RPMWORKDIR}/RPMS/noarch/lynis-${LYNIS_VERSION}-1.noarch.rpm"
if [ -f ${RPMFILE} ]; then
echo "[V] Building RPM successful!"
else
else
echo "[X] Could not find RPM file, most likely failed"
echo " Expected: ${RPMFILE}"
ExitFatal
fi
else
else
echo "[X] Could not find source file (${SOURCEFILE_RPM})"
echo " Hint: cp <lynis.tar.gz> ${SOURCEFILE_RPM}"
#ExitFatal
@ -246,7 +243,7 @@
DEBCHANGELOGVERSIONREV=$(echo ${DEBCHANGELOGFULLVERSION} | awk -F- '{ print $2 }')
if [ "${LYNIS_VERSION}" = "${DEBCHANGELOGVERSION}" ]; then
echo "[V] Debian/changelog up-to-date"
else
else
echo "[X] Debian/changelog outdated"
ExitFatal
fi
@ -260,17 +257,17 @@
# echo "[=] Version in Debian changelog: ${DEBCHANGELOGVERSION} (revision: ${DEBCHANGELOGVERSIONREV})"
# if [ "${LYNIS_VERSION}" = "${DEBCHANGELOGVERSION}" ]; then
# echo "[V] Debian/changelog up-to-date"
# else
# else
# echo "[X] Debian/changelog outdated"
## ExitFatal
# fi
# # execute command
# # bzr builddeb . --build-dir ${DEBWORKDIR}/build-area/ --result-dir ${DEBWORKDIR}
# elif [ "${BZRSTATUS}" = "3" ]; then
# elif [ "${BZRSTATUS}" = "3" ]; then
# echo "[X] Tree is not initialized for BZR"
# echo " Hint: run bzr init while being in lynis directory (or bzr init ..)"
# ExitFatal
# else
# else
# echo "[X] Unknown error"
# echo "Output: ${BZRSTATUS}"
# fi
@ -284,6 +281,7 @@
rm -rf ${MYBUILDDIR}/git/Lynis
#git checkout tags/${LYNIS_VERSION}
fi
git clone https://github.com/CISOfy/Lynis.git ${MYBUILDDIR}/git/Lynis
if [ -d ${MYBUILDDIR}/git/Lynis/debian/ ]; then
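Review bot: the clone at `git clone https://github.com/CISOfy/Lynis.git` is not pinned: the `#git checkout tags/${LYNIS_VERSION}` a few lines above stays commented out, so the packaging step builds from whatever master holds at that moment rather than the release being packaged, and the earlier version check against the Debian changelog cannot catch this. Check out the release tag (or a verified commit) after cloning, and use `git verify-tag` if release tags are signed.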
@ -292,7 +290,7 @@
cd ${MYBUILDDIR}/git/Lynis/debian/
git add .
git commit -m "Building process for Lynis release version ${LYNIS_VERSION}"
else
else
echo "[X] Could not copy debian directory and commit changes"
fi
#git tag -l ${MYBUILDDIR}/git/Lynis
@ -346,7 +344,7 @@ Exit
FIND=$(sh -n ${OPTION_BINARY_FILE} ; echo $?)
if [ $FIND -eq 0 ]; then
echo "OK"
else
else
echo "BAD"
fi

@ -5,19 +5,26 @@
#################################################################################
#
# - Adjust path to link to location where Lynis binary is installed
# - Place this file together with the timer file in systemd directory
# - Run: systemctl enable lynis.service
#
# - Place this file together with the lynis.timer file in the related
# systemd directory (e.g. /etc/systemd/system/)
#
# - See details in lynis.timer file
#
#################################################################################
[Unit]
Description=Lynis security audit and vulnerability scan
Description=Security audit and vulnerability scanner
Documentation=https://cisofy.com/docs/
[Service]
Nice=19
IOSchedulingClass=best-effort
IOSchedulingPriority=7
Type=simple
ExecStart=/path/to/lynis -c --cronjob
ExecStart=/path/to/lynis audit system --cronjob
[Install]
WantedBy=multi-user.target
#EOF
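Review bot: `Type=simple` is the wrong type for a run-to-completion audit started from a timer: systemd treats the unit as started as soon as the process is forked, so `systemctl start lynis.service` returns immediately and a non-zero exit from lynis is only visible in the journal. Use `Type=oneshot` so completion and exit status are tracked. The ExecStart change to `audit system --cronjob` matches the current CLI; the `/path/to/lynis` placeholder should be called out in the comment, since the unit fails with status 203/EXEC until it is edited.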

@ -4,17 +4,23 @@
#
#################################################################################
#
# - Place this file together with the service file in systemd directory
# - Run: systemctl enable lynis.timer
# systemctl start lynis.service
# - Place this file together with the lynis.service file in the related
# systemd directory (e.g. /etc/systemd/system)
#
# - Tell systemd you made changes
# systemctl daemon-reload
#
# - Enable and start the timer (so no reboot is needed):
# systemctl enable --now lynis.timer
#
#################################################################################
[Unit]
Description=Daily run for Lynis security audit and vulnerability scan
Description=Daily timer for the Lynis security audit and vulnerability scanner
[Timer]
OnCalendar=daily
RandomizedDelaySec=1800
Persistent=false
[Install]
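Review bot: `Persistent=false` means a daily run missed because the host was down or suspended at the scheduled time is skipped entirely instead of being run at the next boot; for a security audit you normally want `Persistent=true` so coverage gaps do not accumulate. `RandomizedDelaySec=1800` is a good addition for fleets, and dropping the old `systemctl enable lynis.service` instruction is correct since the service should be driven by the timer only.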

@ -6,7 +6,7 @@
# ------------------
#
# Copyright 2007-2013, Michael Boelen
# Copyright 2007-2019, CISOfy
# Copyright 2007-2020, CISOfy
#
# Website : https://cisofy.com
# Blog : http://linux-audit.com
@ -42,28 +42,54 @@
Display --indent 2 --text "- Checking system binaries..."
LogText "Status: Starting binary scan..."
# Test if our PATH variable provides a set of paths
# If so, reverse the order. If we discover the same binary multiple times, the one first in PATH
# should be used.
# If PATH is empty, we use the predefined list in include/consts. Common paths first, then followed
# by more specific paths. This helps on the slightly ancient UNIX derivatives.
if [ ! -z "${PATH}" ]; then
PATH_REVERSED=$(echo ${PATH} | awk -F: '{ for (i=NF; i>1; i--) printf("%s ",$i); print $1; }')
BIN_PATHS=$(echo "${PATH_REVERSED} ${BIN_PATHS}" | tr ':' ' ')
# Notes:
# - If PATH is empty, we use the predefined list in include/consts
# - Common paths first, then followed by more specific paths. This helps on the slightly ancient UNIX derivatives.
# - Avoid sorting the path list, as this might result in incorrect order of finding binaries (e.g. awk binary)
# Test if our PATH variable provides a set of paths. If so, reverse the order. If we discover the same binary
# multiple times, the one first in PATH should be used.
if [ -n "${PATH}" ]; then
PATH_REVERSED=$(echo "${PATH}" | sed 's/ /!!space!!/g' | awk -F: '{ for (i=NF; i>1; i--) printf("%s ",$i); print $1; }')
BIN_PATHS=$(echo "${PATH_REVERSED}" | tr ':' ' ')
fi
# Avoid sorting, as this might result in incorrect order of finding binaries (e.g. awk binary)
#SORTED_BIN_PATHS=$(echo ${BIN_PATHS} | tr ' ' '\n' | sort | uniq | tr '\n' ' ')
# First test available locations that may be suspicious or dangerous
for SCANDIR in ${BIN_PATHS}; do
FOUND=0
if [ "${SCANDIR}" = "." ]; then FOUND=1; MSG="Found single dot (.) in PATH"
elif [ "${SCANDIR}" = ".." ]; then FOUND=1; MSG="Found double dot (..) in PATH"
elif echo "${SCANDIR}" | grep '^\.\.' > /dev/null; then FOUND=1; MSG="Found path starting with double dot (..) in PATH"
elif echo "${SCANDIR}" | grep '^[a-zA-Z]' > /dev/null; then FOUND=1; MSG="Found relative path in PATH"
fi
if [ ${FOUND} -eq 1 ]; then
# Stop execution if privileged, otherwise continue but warn user
if [ ${PRIVILEGED} -eq 1 ]; then
ExitFatal "Suspicious location (${SCANDIR}) in PATH discovered. Quitting..."
else
Display --indent 4 --text "Warning: suspicious location (${SCANDIR}) in PATH"
ReportWarning "${TEST_NO}" "Suspicious location in PATH discovered" "text:${MSG}"
sleep 1
fi
fi
done
NSUID_BINARIES=0
NSGID_BINARIES=0
SUID_BINARIES=
SGID_BINARIES=
# Now perform binary detection
for SCANDIR in ${BIN_PATHS}; do
SCANDIR=$(echo "${SCANDIR}" | sed 's/!!space!!/ /g')
LogText "Test: Checking binaries in directory ${SCANDIR}"
ORGPATH=""
if [ -d ${SCANDIR} ]; then
if [ -d "${SCANDIR}" ]; then
SKIPDIR=0
if [ -L ${SCANDIR} ]; then
if [ -L "${SCANDIR}" ]; then
LogText "Result: directory exists, but is actually a symlink"
ShowSymlinkPath ${SCANDIR}
if [ ${FOUNDPATH} -eq 1 ]; then
if [ ! -z "${SYMLINK}" -a -d ${SYMLINK} ]; then
if [ -n "${SYMLINK}" -a -d ${SYMLINK} ]; then
# Set path to new location
LogText "Result: found the path behind this symlink (${SCANDIR} --> ${sFILE})"
ORGPATH="${SCANDIR}"
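Review bot: the suspicious-PATH check misses the most common form of the problem: an empty element (`PATH=/usr/bin:` with a trailing colon, or `::`) means the current directory, but the awk split emits an empty string that word-splitting drops, so it is never inspected. Test the raw PATH for `^:`, `::` and `:$` before splitting. The `grep '^[a-zA-Z]'` test also only flags relative paths that start with a letter; anything not starting with `/` is relative, so a negated `^/` match is both simpler and complete.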
@ -79,7 +105,7 @@
# Add a space to make sure we discover a related directory if it was already scanned
# The grep -v is to prevent a match /usr/bin in something like /usr/bin/core_perl
FIND=$(echo ${BINARY_PATHS_FOUND} | grep ", ${SCANDIR}" | grep -v ", ${SCANDIR}/")
if [ ! -z "${FIND}" ]; then
if [ -n "${FIND}" ]; then
SKIPDIR=1; LogText "Result: Skipping this directory as it was already scanned"
fi
@ -88,33 +114,46 @@
LogText "Directory ${SCANDIR} exists. Starting directory scanning..."
# Show the contents of the directory with binaries, ignore directories
FIND=$(ls -p ${SCANDIR} | grep -v '/$')
FIND=$(ls -p "${SCANDIR}" | grep -v '/$')
for FILENAME in ${FIND}; do
COUNT=$((COUNT + 1))
BINARY="${SCANDIR}/${FILENAME}"
DISCOVERED_BINARIES="${DISCOVERED_BINARIES}${BINARY} "
if [ -u ${BINARY} ]; then
NSUID_BINARIES=$((NSUID_BINARIES + 1))
SUID_BINARIES="${SUID_BINARIES}${BINARY} "
fi
if [ -g ${BINARY} ]; then
NSGID_BINARIES=$((NSGID_BINARIES + 1))
SGID_BINARIES="${SGID_BINARIES}${BINARY} "
fi
# Optimized, much quicker (limited file access needed)
case ${FILENAME} in
aa-status) AASTATUSBINARY=${BINARY}; LogText " Found known binary: aa-status (apparmor component) - ${BINARY}" ;;
afick.pl) AFICKBINARY=${BINARY}; LogText " Found known binary: afick (file integrity checker) - ${BINARY}" ;;
aide) AIDEBINARY=${BINARY}; LogText " Found known binary: aide (file integrity checker) - ${BINARY}" ;;
apache2) HTTPDBINARY=${BINARY}; LogText " Found known binary: apache2 (web server) - ${BINARY}" ;;
apt) APTBINARY=${BINARY}; LogText " Found known binary: apt (package manager) - ${BINARY}" ;;
arch-audit) ARCH_AUDIT_BINARY="${BINARY}"; LogText " Found known binary: arch-audit (auditing utility to test for vulnerable packages) - ${BINARY}" ;;
auditd) AUDITDBINARY=${BINARY}; LogText " Found known binary: auditd (audit framework) - ${BINARY}" ;;
awk) AWKBINARY=${BINARY}; LogText " Found known binary: awk (string tool) - ${BINARY}" ;;
dig) DIGBINARY=${BINARY}; LogText " Found known binary: dig (nameservice tool) - ${BINARY}" ;;
as) ASBINARY="${BINARY}"; COMPILER_INSTALLED=1; LogText " Found known binary: as (compiler) - ${BINARY}" ;;
auditctl) AUDITCTLBINARY="${BINARY}"; LogText " Found known binary: auditctl (control utility for audit daemon) - ${BINARY}" ;;
autolog) AUTOLOGBINARY="${BINARY}"; IDLE_SESSION_KILLER_INSTALLED=1; LogText " Found known binary: autolog (idle session killer) - ${BINARY}" ;;
base64) BASE64BINARY="${BINARY}"; LogText " Found known binary: base64 (encoding tool) - ${BINARY}" ;;
blkid) BLKDBINARY="${BINARY}"; LogText " Found known binary: blkid (information about block devices) - ${BINARY}" ;;
blkid) BLKIDBINARY="${BINARY}"; LogText " Found known binary: blkid (information about block devices) - ${BINARY}" ;;
bootctl) BOOTCTLBINARY="${BINARY}"; LogText " Found known binary: bootctl (systemd-boot manager utility) - ${BINARY}" ;;
bro) BROBINARY="${BINARY}"; LogText " Found known binary: bro (IDS) - ${BINARY}" ;;
cat) CAT_BINARY="${BINARY}"; LogText " Found known binary: cat (generic file handling) - ${BINARY}" ;;
cc) CCBINARY="${BINARY}"; COMPILER_INSTALLED=1; LogText " Found known binary: cc (compiler) - ${BINARY}" ;;
chkconfig) CHKCONFIGBINARY=${BINARY}; LogText " Found known binary: chkconfig (administration tool) - ${BINARY}" ;;
clamconf) CLAMCONF_BINARY=${BINARY}; LogText " Found known binary: clamconf (information about ClamAV) - ${BINARY}" ;;
clamscan) CLAMSCANBINARY=${BINARY}; LogText " Found known binary: clamscan (AV scanner) - ${BINARY}" ;;
clang) CLANGBINARY=${BINARY}; COMPILER_INSTALLED=1; LogText " Found known binary: clang (compiler) - ${BINARY}" ;;
cfagent) CFAGENTBINARY="${BINARY}"; FILE_INT_TOOL_FOUND=1; LogText " Found known binary: cfengine agent (configuration tool) - ${BINARY}" ;;
chkrootkit) CHKROOTKITBINARY="${BINARY}"; MALWARE_SCANNER_INSTALLED=1; LogText " Found known binary: chkrootkit (malware scanner) - ${BINARY}" ;;
comm) COMMBINARY="${BINARY}"; LogText " Found known binary: comm (file compare) - ${BINARY}" ;;
cryptsetup) CRYPTSETUPBINARY="${BINARY}"; LogText " Found known binary: cryptsetup (block device encryption) - ${BINARY}" ;;
csum) CSUMBINARY="${BINARY}"; LogText " Found known binary: csum (hashing tool on AIX) - ${BINARY}" ;;
curl) CURLBINARY="${BINARY}"; CURLVERSION=$(${BINARY} --version | grep "^curl" | awk '{ if ($1=="curl") { print $2 }}'); LogText " Found known binary: curl (browser, download utility) - ${BINARY}" ;;
cut) CUTBINARY="${BINARY}"; LogText " Found known binary: cut (text stream editor) - ${BINARY}" ;;
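Review bot: the new SUID/SGID bookkeeping tests `[ -u ${BINARY} ]` and `[ -g ${BINARY} ]` with an unquoted variable, which undoes the `!!space!!` handling this change adds for SCANDIR; quote them. The `for FILENAME in ${FIND}` loop word-splits `ls -p` output for the same reason, and a file named `*` would glob. Note also that the `curl)` arm executes the discovered binary to read its version, as root, for every `curl` found along PATH; worth confirming the suspicious-PATH gate above is sufficient before anything found there is run.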
@ -127,8 +166,11 @@
docker) DOCKERBINARY="${BINARY}"; LogText " Found known binary: docker (container technology) - ${BINARY}" ;;
domainname) DOMAINNAMEBINARY="${BINARY}"; LogText " Found known binary: domainname (NIS domain) - ${BINARY}" ;;
dpkg) DPKGBINARY="${BINARY}"; LogText " Found known binary: dpkg (package management) - ${BINARY}" ;;
xbps-query) XBPSBINARY="${BINARY}"; LogText " Found known binary: xbps (package management) - ${BINARY}" ;;
egrep) EGREPBINARY=${BINARY}; LogText " Found known binary: egrep (text search) - ${BINARY}" ;;
exim) EXIMBINARY="${BINARY}"; EXIMVERSION=$(${BINARY} -bV | grep 'Exim version' | awk '{ print $3 }' | xargs); LogText "Found ${BINARY} (version ${EXIMVERSION})" ;;
equery) EQUERYBINARY="${BINARY}"; LogText " Found known binary: query (package manager) - ${BINARY}" ;;
evmctl) EVMCTLBINARY=${BINARY}; LogText " Found known binary: evmctl (IMA/EVM tool) - ${BINARY}" ;;
exim) EXIMBINARY="${BINARY}"; EXIMVERSION=$(${BINARY} -bV | grep 'Exim version' | awk '{ print $3 }' | xargs); LogText " Found known binary ${BINARY} (version ${EXIMVERSION})" ;;
fail2ban-server) FAIL2BANBINARY="${BINARY}"; LogText " Found known binary: fail2ban (IPS tool) - ${BINARY}" ;;
file) FILEBINARY="${BINARY}"; LogText " Found known binary: file (file type detection) - ${BINARY}" ;;
find) FINDBINARY="${BINARY}"; LogText " Found known binary: find (search tool) - ${BINARY}" ;;
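Review bot: the `equery)` arm logs "Found known binary: query (package manager)"; the tool is `equery`. Also `xbps-query` is inserted among the d entries while the list is otherwise alphabetical, so move it to its sorted position.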
@ -146,6 +188,7 @@
httpd2-prefork) HTTPDBINARY=${BINARY}; LogText " Found known binary: apache2 (web server) - ${BINARY}" ;;
initctl) INITCTLBINARY=${BINARY}; SERVICE_MANAGER="upstart"; LogText " Found known binary: initctl (client to upstart init) - ${BINARY}" ;;
ifconfig) IFCONFIGBINARY="${BINARY}"; LogText " Found known binary: ipconfig (IP configuration) - ${BINARY}" ;;
integritysetup) INTEGRITYSETUPBINARY="${BINARY}"; LogText " Found known binary: integritysetup (dm-integrity setup tool) - ${BINARY}" ;;
ip) IPBINARY="${BINARY}"; LogText " Found known binary: ip (IP configuration) - ${BINARY}" ;;
ipf) IPFBINARY="${BINARY}"; LogText " Found known binary: ipf (firewall) - ${BINARY}" ;;
iptables) IPTABLESBINARY="${BINARY}"; LogText " Found known binary: iptables (firewall) - ${BINARY}" ;;
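Review bot: the unchanged `ifconfig)` line logs "ipconfig (IP configuration)"; while this block is being touched for `integritysetup`, fix it to "ifconfig".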
@ -159,14 +202,24 @@
logrotate) LOGROTATEBINARY="${BINARY}"; LogText " Found known binary: logrotate (log rotation tool) - ${BINARY}" ;;
ls) LSBINARY="${BINARY}"; LogText " Found known binary: ls (file listing) - ${BINARY}" ;;
lsattr) LSATTRBINARY="${BINARY}"; LogText " Found known binary: lsattr (file attributes) - ${BINARY}" ;;
lsblk) LSBLKBINARY="${BINARY}"; LogText " Found known binary: lsblk (block devices) - ${BINARY}" ;;
lsmod) LSMODBINARY="${BINARY}"; LogText " Found known binary: lsmod (kernel modules) - ${BINARY}" ;;
lsof) LSOFBINARY="${BINARY}"; LogText " Found known binary: lsof (open files) - ${BINARY}" ;;
lsvg) LVSGBINARY=${BINARY}; LogText " Found known binary: lsvg (volume manager) - ${BINARY}" ;;
lsof)
LSOFBINARY="${BINARY}"
LogText " Found known binary: lsof (open files) - ${BINARY}"
DATA=$(${LSOFBINARY} -h 2>&1 | grep "\-K \[i\] list\|\(i\)gn tasKs")
if [ $? -eq 0 ]; then
LogText "Note: added -K i to ignore tasks on Linux"
LSOF_EXTRA_OPTIONS=" -K i"
fi
;;
lsvg) LSVGBINARY=${BINARY}; LogText " Found known binary: lsvg (volume manager) - ${BINARY}" ;;
lvdisplay) LVDISPLAYBINARY="${BINARY}"; LogText " Found known binary: lvdisplay (LVM tool) - ${BINARY}" ;;
lynx) LYNXBINARY="${BINARY}"; LYNXVERSION=$(${BINARY} -version | grep "^Lynx Version" | cut -d ' ' -f3); LogText "Found known binary: lynx (browser) - ${BINARY} (version ${LYNXVERSION})" ;;
maldet) LMDBINARY="${BINARY}"; MALWARE_SCANNER_INSTALLED=1; LogText " Found known binary: maldet (Linux Malware Detect, malware scanner) - ${BINARY}" ;;
md5) MD5BINARY="${BINARY}"; LogText " Found known binary: md5 (hash tool) - ${BINARY}" ;;
md5sum) MD5BINARY="${BINARY}"; LogText " Found known binary: md5sum (hash tool) - ${BINARY}" ;;
mdatp) MDATPBINARY="${BINARY}"; MALWARE_SCANNER_INSTALLED=1; LogText " Found known binary: mdatp (Microsoft Defender ATP, malware scanner) - ${BINARY}" ;;
modprobe) MODPROBEBINARY="${BINARY}"; LogText " Found known binary: modprobe (kernel modules) - ${BINARY}" ;;
mount) MOUNTBINARY="${BINARY}"; LogText " Found known binary: mount (disk utility) - ${BINARY}" ;;
mtree) MTREEBINARY="${BINARY}"; LogText " Found known binary: mtree (mapping directory tree) - ${BINARY}" ;;
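Review bot: in the `lsof)` arm, `"\-K \[i\] list\|\(i\)gn tasKs"` is a basic regex, so `\(i\)` is a group matching the letter i rather than the literal `(i)`; the second alternative matches `ign tasKs`, which happens to be a substring of lsof's `(i)gn tasKs` help text, so the check works by accident. Use `grep -F` with the literal strings, or match on `-K` alone. `DATA` is assigned but never used; `if ${LSOFBINARY} -h 2>&1 | grep -q ...; then` would be clearer. The `LVSGBINARY` to `LSVGBINARY` rename is a good catch.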
@ -175,15 +228,22 @@
netstat) NETSTATBINARY="${BINARY}"; LogText " Found known binary: netstat (network statistics) - ${BINARY}" ;;
nft) NFTBINARY="${BINARY}"; LogText " Found known binary: nft (nftables client) - ${BINARY}" ;;
nmap) NMAPBINARY="${BINARY}"; NMAPVERSION=$(${BINARY} -V | grep "^Nmap version" | awk '{ print $3 }'); LogText "Found ${BINARY} (version ${NMAPVERSION})" ;;
ntpctl) NTPCTLBINARY="${BINARY}"; LogText " Found known binary: ntpctl (openntpd client) - ${BINARY}" ;;
ntpq) NTPQBINARY="${BINARY}"; LogText " Found known binary ntpq (time daemon client) - ${BINARY}" ;;
osiris) OSIRISBINARY="${BINARY}"; LogText " Found known binary: osiris - ${BINARY}" ;;
openssl) OPENSSLBINARY="${BINARY}"; OPENSSLVERSION=$(${BINARY} version 2> /dev/null | head -n 1 | awk '{ print $2 }' | xargs); LogText "Found ${BINARY} (version ${OPENSSLVERSION})" ;;
pacman) PACMANBINARY="${BINARY}"; LogText " Found known binary: pacman (package manager) - ${BINARY}" ;;
pacman)
if [ -z "$(echo "${BINARY}" | grep -E "/usr(/local)?/games")" ]; then
PACMANBINARY="${BINARY}"
LogText " Found known binary: pacman (package manager) - ${BINARY}"
fi
;;
perl) PERLBINARY="${BINARY}"; PERLVERSION=$(${BINARY} -V:version | sed 's/^version=//' | sed 's/;//' | xargs); LogText "Found ${BINARY} (version ${PERLVERSION})" ;;
pgrep) PGREPBINARY="${BINARY}"; LogText " Found known binary: pgrep (search in process list) - ${BINARY}" ;;
php) PHPBINARY="${BINARY}"; PHPVERSION=$(${BINARY} -v | awk '{ if ($1=="PHP") { print $2 }}' | head -1); LogText "Found known binary: php (programming language interpreter) - ${BINARY} (version ${PHPVERSION})" ;;
pkg) PKG_BINARY="${BINARY}"; LogText " Found known binary: pkg (software package administration) - ${BINARY}" ;;
pkg_admin) PKGADMINBINARY="${BINARY}"; LogText " Found known binary: pkg_admin (software package administration) - ${BINARY}" ;;
pkg_info) PKGINFOBINARY="${BINARY}"; LogText " Found known binary: pkg_info (software package information) - ${BINARY}" ;;
postconf) POSTCONFBINARY="${BINARY}"; LogText " Found known binary: postconf (postfix configuration) - ${BINARY}" ;;
postfix) POSTFIXBINARY="${BINARY}"; LogText " Found known binary: postfix (postfix binary) - ${BINARY}" ;;
prelink) PRELINKBINARY="${BINARY}"; LogText " Found known binary: prelink (system optimizer) - ${BINARY}" ;;
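Review bot: the pacman exclusion spawns a subshell for `echo ... | grep -E "/usr(/local)?/games"`; a `case "${BINARY}" in */games/*) ;; *) PACMANBINARY="${BINARY}" ... ;; esac` keeps it in-shell, avoids the extra process per file, and also covers a games directory outside /usr.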
@ -194,7 +254,9 @@
python) PYTHONBINARY="${BINARY}"; PYTHONVERSION=$(${BINARY} --version 2>&1 | sed 's/^Python //'); LogText "Found known binary: ${FILENAME} (programming language interpreter) - ${BINARY} (version ${PYTHONVERSION})" ;;
python2) PYTHON2BINARY="${BINARY}"; PYTHON2VERSION=$(${BINARY} --version 2>&1 | sed 's/^Python //'); LogText "Found known binary: ${FILENAME} (programming language interpreter) - ${BINARY} (version ${PYTHON2VERSION})" ;;
python3) PYTHON3BINARY="${BINARY}"; PYTHON3VERSION=$(${BINARY} --version 2>&1 | sed 's/^Python //'); LogText "Found known binary: ${FILENAME} (programming language interpreter) - ${BINARY} (version ${PYTHON3VERSION})" ;;
rcctl) RCCTLBINARY="${BINARY}"; LogText " Found known binary: rcctl (services and daemons configuration and control) - ${BINARY}" ;;
readlink) READLINKBINARY="${BINARY}"; LogText " Found known binary: readlink (follows symlinks) - ${BINARY}" ;;
resolvectl) RESOLVECTLBINARY="${BINARY}"; LogText " Found known binary: resolvectl (systemd-resolved DNS resolver manager) - ${BINARY}" ;;
rkhunter) RKHUNTERBINARY="${BINARY}"; MALWARE_SCANNER_INSTALLED=1; LogText " Found known binary: rkhunter (malware scanner) - ${BINARY}" ;;
rootsh) ROOTSHBINARY="${BINARY}"; LogText " Found known binary: rootsh (wrapper for shells) - ${BINARY}" ;;
rpcinfo) RPCINFOBINARY="${BINARY}"; LogText " Found known binary: rpcinfo (RPC information) - ${BINARY}" ;;
@ -205,7 +267,8 @@
samhain) SAMHAINBINARY="${BINARY}"; LogText " Found known binary: samhain (integrity tool) - ${BINARY}" ;;
service) SERVICEBINARY="${BINARY}"; LogText " Found known binary: service (system services) - ${BINARY}" ;;
sed) SEDBINARY="${BINARY}"; LogText " Found known binary: sed (text stream editor) - ${BINARY}" ;;
sestatus) SESTATUSBINARY="${BINARY}"; LogText " Found known binary: sestatus (SELinux client) - ${BINARY}" ;;
semanage) SEMANAGEBINARY="${BINARY}"; LogText " Found known binary: semanage (SELinux policy management tool) - ${BINARY}" ;;
sestatus) SESTATUSBINARY="${BINARY}"; LogText " Found known binary: sestatus (SELinux status tool) - ${BINARY}" ;;
slocate) LOCATEBINARY="${BINARY}"; LogText " Found known binary: slocate (file database) - ${BINARY}" ;;
smbd) SMBDBINARY="${BINARY}"; if [ "${OS}" = "macOS" ]; then SMBDVERSION="unknown"; else SMBDVERSION=$(${BINARY} -V | grep "^Version" | awk '{ print $2 }'); fi; LogText "Found ${BINARY} (version ${SMBDVERSION})" ;;
smtpctl) SMTPCTLBINARY="${BINARY}"; LogText " Found known binary: smtpctl (OpenSMTPD client) - ${BINARY}" ;;
@ -221,17 +284,24 @@
sha1|sha1sum|shasum) SHA1SUMBINARY="${BINARY}"; LogText " Found known binary: sha1/sha1sum/shasum (crypto hashing) - ${BINARY}" ;;
sha256|sha256sum) SHA256SUMBINARY="${BINARY}"; LogText " Found known binary: sha256/sha256sum (crypto hashing) - ${BINARY}" ;;
ssh-keyscan) SSHKEYSCANBINARY="${BINARY}"; LogText " Found known binary: ssh-keyscan (scanner for SSH keys) - ${BINARY}" ;;
suricata) SURICATABINARY="${BINARY}"; LogText " Found known binary: suricata (IDS) - ${BINARY}" ;;
swapon) SWAPONBINARY="${BINARY}"; LogText " Found known binary: swapon (swap device tool) - ${BINARY}" ;;
swupd) SWUPDBINARY="${BINARY}"; LogText " Found known binary: swupd (package manager) - ${BINARY}" ;;
sysctl) SYSCTLBINARY="${BINARY}"; LogText " Found known binary: sysctl (kernel parameters) - ${BINARY}" ;;
syslog-ng) SYSLOGNGBINARY="${BINARY}"; SYSLOGNGVERSION=$(${BINARY} -V 2>&1 | grep "^syslog-ng" | awk '{ print $2 }'); LogText "Found ${BINARY} (version ${SYSLOGNGVERSION})" ;;
systemctl) SYSTEMCTLBINARY="${BINARY}"; LogText " Found known binary: systemctl (client to systemd) - ${BINARY}" ;;
systemd-analyze) SYSTEMDANALYZEBINARY="${BINARY}"; LogText " Found known binary: systemd-analyze (systemd service analysis tool) - ${BINARY}" ;;
tail) TAILBINARY="${BINARY}"; LogText " Found known binary: tail (text filter) - ${BINARY}" ;;
timedatectl) TIMEDATECTL="${BINARY}"; LogText " Found known binary: timedatectl (timedate client) - ${BINARY}" ;;
tomoyo-init) TOMOYOINITBINARY=${BINARY}; LogText " Found known binary: tomoyo-init (tomoyo component) - ${BINARY}" ;;
tomoyo-pstree) TOMOYOPSTREEBINARY=${BINARY}; LogText " Found known binary: tomoyo-pstree (tomoyo process tree) - ${BINARY}" ;;
tr) TRBINARY="${BINARY}"; LogText " Found known binary: tr (text transformation) - ${BINARY}" ;;
tripwire) TRIPWIREBINARY="${BINARY}"; LogText " Found known binary: tripwire (file integrity) - ${BINARY}" ;;
tune2fs) TUNE2FSBINARY="${BINARY}"; LogText " Found known binary: tune2fs (file system tool) - ${BINARY}" ;;
uname) UNAMEBINARY="${BINARY}"; LogText " Found known binary: uname (operating system details) - ${BINARY}" ;;
uniq) UNIQBINARY="${BINARY}"; LogText " Found known binary: uniq (text manipulation utility) - ${BINARY}";;
usbguard) USBGUARDBINARY="${BINARY}"; LogText " Found known binary: usbguard (USB security tool) - ${BINARY}" ;;
veritysetup) VERITYSETUPBINARY="${BINARY}"; LogText " Found known binary: veritysetup (dm-verity setup tool) - ${BINARY}" ;;
vgdisplay) VGDISPLAYBINARY="${BINARY}"; LogText " Found known binary: vgdisplay (LVM tool) - ${BINARY}" ;;
vmtoolsd) VMWARETOOLSDBINARY="${BINARY}"; LogText " Found known binary: vmtoolsd (VMWare tools) - ${BINARY}" ;;
wc) WCBINARY="${BINARY}"; LogText " Found known binary: wc (word count) - ${BINARY}" ;;
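Review bot: the `tomoyo-init` and `tomoyo-pstree` entries assign `${BINARY}` unquoted (`TOMOYOINITBINARY=${BINARY}`) while every other entry writes `"${BINARY}"`; harmless in a plain assignment, but keep the style uniform. Two more consistency nits in the same hunk: `timedatectl` stores its path in `TIMEDATECTL` instead of a `...BINARY` name like its neighbours, and the `uniq` line has `;;` glued to the closing quote.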
@ -244,23 +314,54 @@
done
else
LogText "Result: Directory ${SCANDIR} skipped"
if [ ! -z "${ORGPATH}" ]; then TEXT="${ORGPATH} (links to ${SCANDIR})"; else TEXT="${SCANDIR}"; fi
if [ -n "${ORGPATH}" ]; then TEXT="${ORGPATH} (links to ${SCANDIR})"; else TEXT="${SCANDIR}"; fi
fi
else
LogText "Result: Directory ${SCANDIR} does NOT exist"
fi
done
# unset SORTED_BIN_PATHS
BINARY_SCAN_FINISHED=1
BINARY_PATHS_FOUND=$(echo ${BINARY_PATHS_FOUND} | sed 's/^, //g' | sed 's/ //g')
BINARY_PATHS_FOUND=$(echo ${BINARY_PATHS_FOUND} | sed 's/^, //g' | sed 's/, /,/g')
LogText "Discovered directories: ${BINARY_PATHS_FOUND}"
LogText "Result: found ${COUNT} binaries"
LogText "Result: found ${COUNT} binaries including ${NSUID_BINARIES} set-uid and ${NSGID_BINARIES} set-gid"
LogText "Result: set-uid binaries: ${SUID_BINARIES}"
LogText "Result: set-gid binaries: ${SGID_BINARIES}"
Report "binaries_count=${COUNT}"
Report "binaries_suid_count=${SUID_BINARIES}"
Report "binaries_sgid_count=${SGID_BINARIES}"
Report "binary_paths=${BINARY_PATHS_FOUND}"
# Test if the basic system tools are defined. These will be used during the audit.
[ "${AWKBINARY:-}" ] || ExitFatal "awk binary not found"
[ "${CAT_BINARY:-}" ] || ExitFatal "cat binary not found"
[ "${CUTBINARY:-}" ] || ExitFatal "cut binary not found"
[ "${EGREPBINARY:-}" ] || ExitFatal "grep binary not found"
[ "${FINDBINARY:-}" ] || ExitFatal "find binary not found"
[ "${GREPBINARY:-}" ] || ExitFatal "grep binary not found"
[ "${HEADBINARY:-}" ] || ExitFatal "head binary not found"
[ "${TAILBINARY:-}" ] || ExitFatal "tail binary not found"
[ "${LSBINARY:-}" ] || ExitFatal "ls binary not found"
[ "${PSBINARY:-}" ] || ExitFatal "ps binary not found"
[ "${SEDBINARY:-}" ] || ExitFatal "sed binary not found"
[ "${SORTBINARY:-}" ] || ExitFatal "sort binary not found"
[ "${TRBINARY:-}" ] || ExitFatal "tr binary not found"
[ "${UNIQBINARY:-}" ] || ExitFatal "uniq binary not found"
[ "${WCBINARY:-}" ] || ExitFatal "wc binary not found"
# Test a few other tools that we did not specifically define (yet)
#TOOLS="xxd"
#for T in ${TOOLS}; do
# DATA=$(type ${T})
# if [ $? -gt 0 ]; then ExitFatal "${T} binary not found"; fi
#done
else
LogText "Result: checking of binaries skipped in this mode"
fi
#
#================================================================================
# Lynis - Security Auditing and System Hardening for Linux and UNIX - https://cisofy.com
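Review bot: the new sanity checks give the `EGREPBINARY` and `GREPBINARY` tests the same message, `grep binary not found`, so a fatal exit from the first cannot be told apart from the second; use `egrep binary not found` for the first. Two smaller points in the same hunk: `CAT_BINARY` breaks the `XXXBINARY` naming all the other checks use, and the `echo ${BINARY_PATHS_FOUND}` feeding sed is unquoted, so a path component containing a glob character would be expanded before sed sees it; `printf '%s\n' "${BINARY_PATHS_FOUND}"` avoids both the globbing and echo's option interpretation.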

View File

@ -6,7 +6,7 @@
# ------------------
#
# Copyright 2007-2013, Michael Boelen
# Copyright 2007-2019, CISOfy
# Copyright 2007-2020, CISOfy
#
# Website : https://cisofy.com
# Blog : http://linux-audit.com
@ -33,10 +33,6 @@ BIN_PATHS="/bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin \
ETC_PATHS="/etc /usr/local/etc"
# Do not use specific language, fall back to default
# Some tools with translated strings are very hard to parse
unset LANG
#
#################################################################################
#
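Review bot: dropping `unset LANG` removes the only guard this file had against localized tool output, and the removed comment explains exactly why it was there ("Some tools with translated strings are very hard to parse"). If the fallback moved elsewhere (for example an `LC_ALL=C` set earlier in the startup path), reference that in the commit; otherwise every test that greps the English output of a command regresses on systems with a non-English locale.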
@ -46,6 +42,7 @@ unset LANG
#
# == Variable initializing ==
#
APTBINARY=""
ARCH_AUDIT_BINARY=""
AUDITORNAME=""
AUDITCTLBINARY=""
@ -70,6 +67,7 @@ unset LANG
CHKCONFIGBINARY=""
CLAMCONF_BINARY=""
CLAMSCANBINARY=""
CLANGBINARY=""
COLORS=1
COMPLIANCE_ENABLE_CIS=0
COMPLIANCE_ENABLE_HIPAA=0
@ -84,6 +82,7 @@ unset LANG
CONTAINER_TYPE=""
CREATE_REPORT_FILE=1
CSUMBINARY=""
CURRENT_TS=0
CUSTOM_URL_APPEND=""
CUSTOM_URL_PREPEND=""
CUSTOM_URL_PROTOCOL=""
@ -94,19 +93,26 @@ unset LANG
DEBSECANBINARY=""
DEBSUMSBINARY=""
DEVELOPER_MODE=0
DEVOPS_MODE=0
DIGBINARY=""
DISABLED_PLUGINS=""
DISCOVERED_BINARIES=""
DMIDECODEBINARY=""
DNFBINARY=""
DOCKERBINARY=""
DOCKER_DAEMON_RUNNING=0
DPKGBINARY=""
ECHOCMD=""
ERROR_ON_WARNINGS=0
EQUERYBINARY=""
EXIMBINARY=""
FAIL2BANBINARY=""
FILEBINARY=""
FILEVALUE=""
FIND=""
FIREWALL_ACTIVE=0
FOUNDPATH=0
FORENSICS_MODE=0
GETENT_BINARY=""
GRADMBINARY=""
GREPBINARY="grep"
@ -115,6 +121,7 @@ unset LANG
GRSEC_FOUND=0
GRUBCONFFILE=""
GRUB2INSTALLBINARY=""
HAS_PACKAGE_MANAGER=0
HAS_SYSTEMD=0
HEADBINARY=""
HELPER=""
@ -122,6 +129,7 @@ unset LANG
HOSTID2=""
HTTPDBINARY=""
IDS_IPS_TOOL_FOUND=0
IFCONFIGBINARY=""
IPBINARY=""
IPFBINARY=""
IPTABLESBINARY=""
@ -129,16 +137,22 @@ unset LANG
KLDSTATBINARY=""
LAUNCHCTL_BINARY=""
LDAP_CLIENT_CONFIG_FILE=""
LICENSE_KEY=""
LICENSE_SERVER=""
LINUX_VERSION=""
LINUXCONFIGFILE=""
LMDBINARY=""
LMDFOUND=0
LOCATEBINARY=""
LOGFILE=""
LOGDIR=""
LOGROTATEBINARY=""
LOGTEXT=1
LSMODBINARY=""
LSOFBINARY=""
LSOF_EXTRA_OPTIONS=""
LSVGBINARY=""
LYNIS_CRONJOB=""
MACHINEID=""
MACHINE_ROLE=""
MALWARE_SCANNER_INSTALLED=0
@ -179,6 +193,7 @@ unset LANG
NGINX_WEAK_SSL_PROTOCOL_FOUND=0
NTPD_ROLE=""
NTPQBINARY=""
OPENSSLBINARY=""
OPTION_DEBIAN_SKIP_SECURITY_REPOSITORY=0
OPTIONS_CONN_MAX_WAIT_STATE=""
ORACLE_RUNNING=0
@ -204,12 +219,14 @@ unset LANG
PGREPBINARY=""
PIDFILE=""
PKG_BINARY=""
PKGINFOBINARY=""
PKGADMINBINARY=""
PLUGINDIR=""
PLUGIN_PHASE=0
POSTFIXBINARY=""
POSTGRES_RUNNING=0
PRIVILEGED=0
PREVIOUS_TEST="No test ID"
PREVIOUS_TS=0
PROFILES=""
PROFILEVALUE=""
PSBINARY="ps"
@ -234,12 +251,15 @@ unset LANG
SAMHAINBINARY=""
SCAN_TEST_HEAVY=""; SCAN_TEST_MEDIUM=""; SCAN_TEST_LOW=""
SEARCH_PROFILES=""
SEARCH_VERSION=""
SESTATUSBINARY=""
SERVICE_MANAGER=""
SETBINARY=""
SETTINGS=""
SETTINGS_FILE=""
SET_STRICT=0
SHA1SUMBINARY=""
SHA256SUMBINARY=""
SHELL_IS_BUSYBOX=0
SHOWMOUNTBINARY=""
SHOW_PROGRAM_DETAILS=1
@ -247,16 +267,22 @@ unset LANG
SHOW_REPORT_SOLUTION=1
SHOW_TOOL_TIPS=1 # Show inline tool tips (default true)
SHOW_WARNINGS_ONLY=0
SKIP_GETHOSTID=0
SKIP_PLUGINS=0
SKIP_TESTS=""
SKIP_VM_DETECTION=0
SKIPREASON=""
SKIPPED_TESTS_ROOTONLY=""
SLOW_TEST_THRESHOLD=10
SMTPCTLBINARY=""
SNORTBINARY=""
SSHKEYSCANBINARY=""
SSHKEYSCANFOUND=0
SSL_CERTIFICATE_INCLUDE_PACKAGES=0
SSL_CERTIFICATE_PATHS=""
SSL_CERTIFICATE_PATHS_TO_IGNORE=""
STUNNELBINARY=""
SWUPDBINARY=""
SYSLOGNGBINARY=""
SYSTEMCTLBINARY=""
SYSTEM_IS_NOTEBOOK=255
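Review bot: `SLOW_TEST_THRESHOLD=10` carries no unit. The `CURRENT_TS` and `PREVIOUS_TS` variables added elsewhere in this commit suggest it is compared against timestamps in seconds, so add a trailing comment in the style used by the constants block further down (`# Seconds before a test is reported as slow`) so the default can be read without tracing the timing code.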
@ -269,6 +295,7 @@ unset LANG
TESTS_EXECUTED=""
TESTS_SKIPPED=""
TMPFILE=""
TOMOYOINITBINARY=""
TOOLTIP_SHOWED=0
TOTAL_SUGGESTIONS=0
TOTAL_WARNINGS=0
@ -297,8 +324,10 @@ unset LANG
VULNERABLE_PACKAGES_FOUND=0
WCBINARY=""
XARGSBINARY=""
XBPSBINARY=""
YUMBINARY=""
ZYPPERBINARY=""
#
#################################################################################
#
@ -313,7 +342,6 @@ unset LANG
HPTOTAL=0 # Maximum number of hardening points
LOG_INCORRECT_OS=1 # Log tests with incorrect OS
NEVERBREAK=0 # Don't wait for user input
PENTESTINGMODE=0 # Try tests without root privileges
QUICKMODE=1 # Don't wait for user input
QUIET=0 # Show normal messages and warnings as well
SKIPLOGTEST=0 # Skip logging for one test
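Review bot: `PENTESTINGMODE=0` is removed from the initialization block, yet `--pentest` is still listed in OPTIONS in the helper_show hunk of this same commit. Because the binary checks added in this commit use `${VAR:-}` to tolerate unset variables, the codebase clearly cares about uninitialized names; confirm that whatever variable `--pentest` sets now is initialized here, or that its handler copes with an unset name.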
@ -339,7 +367,8 @@ unset LANG
#################################################################################
#
# Normal color names
# Normal color names (BG will color background)
BG_BLUE="$(printf '\033[0;44m')"
CYAN="$(printf '\033[0;36m')"
BLUE="$(printf '\033[0;34m')"
BROWN="$(printf '\033[0;33m')"
@ -353,15 +382,13 @@ unset LANG
YELLOW="$(printf '\033[1;33m')"
WHITE="$(printf '\033[1;37m')"
# Markup
# Special markup
BOLD="${WHITE}"
# With background
BG_BLUE="$(printf '\033[0;44m')"
NORMAL="$(printf '\033[0m')"
# Semantic names
BG_WARNING="$(printf '\033[30;43m')" # Yellow background with grey text
HEADER="${WHITE}"
NORMAL="$(printf '\033[0m')"
WARNING="${RED}"
SECTION="${YELLOW}"
NOTICE="${YELLOW}"

View File

@ -6,7 +6,7 @@
# ------------------
#
# Copyright 2007-2013, Michael Boelen
# Copyright 2007-2019, CISOfy
# Copyright 2007-2020, CISOfy
#
# Website : https://cisofy.com
# Blog : http://linux-audit.com
@ -22,6 +22,8 @@
#
#################################################################################
#
InsertSection "${SECTION_DATA_UPLOAD}"
PROGRAM_VERSION="105"
# Data upload destination
@ -75,6 +77,10 @@
ExitFatal
else
Output "License key = ${LICENSE_KEY}"
# Create a temporary file to use during upload (prevent license key being displayed in process table)
CreateTempFile || ExitFatal
LICENSE_KEY_FILE="${TEMP_FILE}"
echo "${LICENSE_KEY}" | ${TRBINARY} -cd '[a-f0-9-]' > ${LICENSE_KEY_FILE}
fi
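Review bot: in `${TRBINARY} -cd '[a-f0-9-]'` the square brackets are members of the set, not a bracket expression (tr only treats `[` specially in `[:class:]`, `[=c=]` and `[c*n]`), so `[` and `]` survive the filter; the intended set is `'a-f0-9-'`. Also quote the redirect target, `> "${LICENSE_KEY_FILE}"`, and note that the `Output "License key = ${LICENSE_KEY}"` line directly above still prints the key, so keeping it out of the process table does not keep it off the console or the log.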
@ -95,7 +101,6 @@
Output "${WHITE}Report file found.${NORMAL} Starting with connectivity check."
if [ ! "${UPLOAD_PROXY_SERVER}" = "" ]; then
LogText "Upload: Proxy is configured: ${UPLOAD_SERVER}"
# Port is optional
@ -125,16 +130,18 @@
# CURL_OPTIONS="${CURL_OPTIONS} --compressed -H 'Content-Encoding: gzip'"
#fi
# Quit if license is not valid, to reduce load on both client and server.
LogText "Command used: ${CURLBINARY}${CURL_OPTIONS} -s -S --data-urlencode "licensekey=${LICENSE_KEY}" --data-urlencode "collector_version=${PROGRAM_VERSION}" ${LICENSE_SERVER_URL} 2> /dev/null"
UPLOAD=$(${CURLBINARY}${CURL_OPTIONS} -s -S --data-urlencode "licensekey=${LICENSE_KEY}" --data-urlencode "collector_version=${PROGRAM_VERSION}" ${LICENSE_SERVER_URL} 2> /dev/null)
# License check
LogText "Command used: ${CURLBINARY}${CURL_OPTIONS} -s -S --data-urlencode "licensekey@${LICENSE_KEY_FILE}" --data-urlencode "collector_version=${PROGRAM_VERSION}" ${LICENSE_SERVER_URL} 2> /dev/null"
UPLOAD=$(${CURLBINARY}${CURL_OPTIONS} -s -S --data-urlencode "licensekey@${LICENSE_KEY_FILE}" --data-urlencode "collector_version=${PROGRAM_VERSION}" ${LICENSE_SERVER_URL} 2> /dev/null)
EXITCODE=$?
LogText "Exit code: ${EXITCODE}"
if [ ${EXITCODE} -gt 0 ]; then
echo ""
echo "${RED}Upload Error${NORMAL}: License could not be checked. See ${LOGFILE} for details."
echo "Suggested command: tail -n 20 ${LOGFILE}"
Display --indent 2 --text "- License check" --result "FAILED" --color RED
echo ""
case ${EXITCODE} in
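Review bot: the new `LogText "Command used: ..."` line embeds `"licensekey@${LICENSE_KEY_FILE}"` with unescaped double quotes, so the shell closes and reopens the string around them and the logged command lacks the quotes the real invocation has (the upload hunk further down escapes them as `\"`); do the same here so the logged line can be pasted back. Secondly, with `2> /dev/null` on the curl call, `-S` has nothing left to show, which is why the error path later asks the user to rerun without `-s -S`; capturing stderr into the log would give the failure reason on the first run.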
@ -142,7 +149,7 @@
LogText "Result: could not initialize"
LogText "Possible cause: most likely your cURL version is too old and does not support the --data-urlencode option."
LogText "Suggestion: copy the data to a different server and use a new cURL version there, or use the Lynis Collector tool."
echo "${RED}Error (2)${NORMAL}: could not initialize cURL. See ${LOGFILE} for details."
echo "${RED}Error (2)${NORMAL}: could not initialize cURL."
;;
5)
LogText "Result: could not resolve the defined proxy server (${UPLOAD_PROXY_SERVER})."
@ -156,7 +163,7 @@
LogText "Result: could not contact license server."
LogText "Details: used URL ${LICENSE_SERVER_URL}"
LogText "Suggestion: check if the upload host is correctly configured."
echo "${RED}Error (7)${NORMAL}: license server not available. See ${LOGFILE} for details."
echo "${RED}Error (7)${NORMAL}: license server not available."
;;
59)
echo "${RED}Error (59)${NORMAL}: Could not connect because of used SSL cipher."
@ -181,14 +188,23 @@
LogText "Result: cURL exited with code ${EXITCODE}. See man page of cURL for the meaning of this code."
;;
esac
echo ""
echo "${RED}Upload Error${NORMAL}: License could not be checked. See ${LOGFILE} for details."
echo "Suggested command: tail -n 20 ${LOGFILE}"
echo ""
LogText "Suggestion: run the cURL command manually without the options -s and -S"
LogText "Result: quitting, can't check license"
# Quit if license is not valid, to reduce load on both client and server.
ExitFatal
fi
UPLOAD_CODE=$(echo ${UPLOAD} | head -n 1 | awk '{ if ($1=="Response") { print $2 }}')
if [ "${UPLOAD_CODE}" = "100" ]; then
Output "${WHITE}License is valid${NORMAL}"
LogText "Result: license is valid"
Display --indent 2 --text "- License check" --result "${STATUS_DONE}" --color GREEN
else
LogText "Result: error while checking license"
LogText "Output: ${UPLOAD_CODE}"
@ -210,17 +226,19 @@
fi
# Check for host IDs
if [ ! "${HOSTID}" = "" -a ! "${HOSTID2}" = "" ]; then
if [ -n "${HOSTID}" -a -n "${HOSTID2}" ]; then
Output "${WHITE}Found hostid: ${HOSTID}${NORMAL}"
# Try to connect
Output "Uploading data.."
LogText "Command used: ${CURLBINARY}${CURL_OPTIONS} -s -S --data-urlencode \"data@${REPORTFILE}\" --data-urlencode \"licensekey=${LICENSE_KEY}\" --data-urlencode \"hostid=${HOSTID}\" ${UPLOAD_URL}"
LogText "Tip: try running ${CURLBINARY}${CURL_OPTIONS} --data-urlencode \"data@${REPORTFILE}\" --data-urlencode \"licensekey=${LICENSE_KEY}\" --data-urlencode \"hostid=${HOSTID}\" ${UPLOAD_URL}"
LogText "Command used: ${CURLBINARY}${CURL_OPTIONS} -s -S --data-urlencode \"data@${REPORTFILE}\" --data-urlencode \"licensekey@${LICENSE_KEY_FILE}\" --data-urlencode \"hostid=${HOSTID}\" ${UPLOAD_URL}"
LogText "Tip: try running ${CURLBINARY}${CURL_OPTIONS} --data-urlencode \"data@${REPORTFILE}\" --data-urlencode \"licensekey@${LICENSE_KEY_FILE}\" --data-urlencode \"hostid=${HOSTID}\" ${UPLOAD_URL}"
LogText "Tip: to just retry an upload, use: lynis upload-only"
UPLOAD=$(${CURLBINARY}${CURL_OPTIONS} -s -S --data-urlencode "data@${REPORTFILE}" --data-urlencode "licensekey=${LICENSE_KEY}" --data-urlencode "hostid=${HOSTID}" --data-urlencode "hostid2=${HOSTID2}" ${UPLOAD_URL} 2> /dev/null)
UPLOAD=$(${CURLBINARY}${CURL_OPTIONS} -s -S --data-urlencode "data@${REPORTFILE}" --data-urlencode "licensekey@${LICENSE_KEY_FILE}" --data-urlencode "hostid=${HOSTID}" --data-urlencode "hostid2=${HOSTID2}" ${UPLOAD_URL} 2> /dev/null)
EXITCODE=$?
LogText "Exit code: ${EXITCODE}"
if [ ${EXITCODE} -gt 0 ]; then
Display --indent 2 --text "- Data upload (${UPLOAD_SERVER})" --result "${STATUS_FAILED}" --color RED
echo ""
echo "${RED}Upload Error${NORMAL}: cURL could not upload data. See ${LOGFILE} for details."
echo "Suggested command: tail -n 20 ${LOGFILE}"
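Review bot: the `Tip: try running ...` line now points users at `licensekey@${LICENSE_KEY_FILE}`, a temporary file that will be gone when they retry later, so the tip is no longer actionable as written; refer to the key itself or just to `lynis upload-only`. Minor: `[ -n "${HOSTID}" -a -n "${HOSTID2}" ]` uses the obsolescent `-a` operator; `[ -n "${HOSTID}" ] && [ -n "${HOSTID2}" ]` is the portable form.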
@ -231,24 +249,20 @@
7) echo "${YELLOW}Error (7): ${NORMAL}Could not connect to central server or proxy server." ;;
59) echo "${YELLOW}Error (59): ${NORMAL}Could not connect because of used SSL cipher." ;;
83) echo "${YELLOW}Error (83): ${NORMAL}Could not check used certificate of server." ;;
*) echo "Related exit code: ${YELLOW}{EXITCODE}${NORMAL}. See man page of cURL for the meaning of this code." ;;
*) echo "Related exit code: ${YELLOW}${EXITCODE}${NORMAL}. See man page of cURL for the meaning of this code." ;;
esac
if [ ! "${UPLOAD}" = "" ]; then echo ""; echo "Debug:"; echo ${UPLOAD}; fi
echo ""
# Quit
ExitClean
else
Display --indent 2 --text "Data upload status (${UPLOAD_SERVER})" --result OK --color GREEN
Display --indent 2 --text "- Data upload (${UPLOAD_SERVER})" --result "${STATUS_DONE}" --color GREEN
fi
else
echo "${RED}Error${NORMAL}: No hostid and/or hostid2 found. Can not upload report file."
echo "Suggested command: lynis show hostids"
echo "Suggested command: lynis generate hostids --save"
echo ""
echo "If hostid2 is the only ID that is missing, use the following step:"
echo "Create hash and add it to custom.prf"
echo "echo \"hostid2=\$(cat /dev/urandom | tr -dc 'a-f0-9' | fold -w 64 | head -n 1)\" >> /etc/lynis/custom.prf"
echo ""
echo "Note: do not replicate this ID to other systems, as it needs to be unique per system"
echo "Note: do not replicate the values to other systems, as it needs to be unique per system"
# Quit
ExitFatal

File diff suppressed because it is too large

View File

@ -6,7 +6,7 @@
# ------------------
#
# Copyright 2007-2013, Michael Boelen
# Copyright 2007-2019, CISOfy
# Copyright 2007-2020, CISOfy
#
# Website : https://cisofy.com
# Blog : http://linux-audit.com
@ -19,25 +19,14 @@
#################################################################################
if [ $# -eq 0 ]; then
Display --indent 2 --text "${RED}Error: ${WHITE}Provide URL or file${NORMAL}"
Display --indent 2 --text "${RED}Error: ${WHITE}Provide a file${NORMAL}"
Display --text " "; Display --text " "
ExitFatal
else
FILE=$(echo $1 | egrep "^http|https")
FILE=$(echo $1 | grep -E "^http|https")
if HasData "${FILE}"; then
CreateTempFile
TMP_FILE="${TEMP_FILE}"
Display --indent 2 --text "Downloading URL ${FILE} with wget"
wget -o ${TMP_FILE} ${FILE}
if [ $? -gt 0 ]; then
AUDIT_FILE="${TMP_FILE}"
else
if [ -f ${TMP_FILE} ]; then
rm -f ${TMP_FILE}
fi
Display --indent 2 --text "${RED}Error: ${WHITE}can not download file${NORMAL}"
ExitFatal
fi
echo "Provide a file (not a URL)"
ExitFatal
else
if [ -f $1 ]; then
AUDIT_FILE="$1"
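Review bot: `grep -E "^http|https"` is parsed as `^http` OR `https`, so any path that merely contains the substring `https` (a directory named `https-proxy`, say) is rejected with "Provide a file (not a URL)"; anchor the whole alternation, `grep -E "^https?://"`. Quoting `"$1"` in the echo also keeps paths with spaces intact.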
@ -70,13 +59,12 @@ fi
IS_ALPINE=$(echo ${IMAGE} | grep -i alpine)
IS_LATEST=$(echo ${TAG} | grep -i latest)
if [ ! "${IS_DEBIAN}" = "" ]; then IMAGE="debian"; fi
if [ ! "${IS_FEDORA}" = "" ]; then IMAGE="fedora"; fi
if [ ! "${IS_UBUNTU}" = "" ]; then IMAGE="ubuntu"; fi
if [ ! "${IS_ALPINE}" = "" ]; then IMAGE="alpine"; fi
if [ ! "${IS_LATEST}" = "" ]; then
ReportWarning "dockerfile" "latest TAG used. Specifying the version is better."
if [ -n "${IS_DEBIAN}" ]; then IMAGE="debian"; fi
if [ -n "${IS_FEDORA}" ]; then IMAGE="fedora"; fi
if [ -n "${IS_UBUNTU}" ]; then IMAGE="ubuntu"; fi
if [ -n "${IS_ALPINE}" ]; then IMAGE="alpine"; fi
if [ -n "${IS_LATEST}" ]; then
ReportWarning "dockerfile" "latest TAG used. Specifying a targeted OS image and version is better for reproducible results."
fi
case ${IMAGE} in
@ -105,29 +93,24 @@ fi
#
##################################################################################################
#
InsertSection "Basics"
InsertSection "Basics"
#FIND=$(egrep "^MAINTAINER" ${AUDIT_FILE} | sed 's/ /:space:/g')
FIND=$(egrep -i "*MAINTAINER" ${AUDIT_FILE} | sed 's/=/ /g' | cut -d'"' -f 2)
if [ "${FIND}" = "" ]; then
MAINTAINER=$(grep -E -i "*MAINTAINER" ${AUDIT_FILE} | sed 's/=/ /g' | cut -d'"' -f 2)
if [ -z "${MAINTAINER}" ]; then
ReportWarning "dockerfile" "No maintainer found. Unclear who created this file."
else
#MAINTAINER=$(echo ${FIND} | sed 's/:space:/ /g' | awk '{ if($1=="MAINTAINER") { print }}')
MAINTAINER=$(echo ${FIND})
Display --indent 2 --text "Maintainer" --result "${MAINTAINER}"
fi
FIND=$(grep "^ENTRYPOINT" ${AUDIT_FILE} | cut -d' ' -f2 )
if [ "${FIND}" = "" ]; then
ENTRYPOINT=$(grep "^ENTRYPOINT" ${AUDIT_FILE} | cut -d' ' -f2 )
if [ -z "${ENTRYPOINT}" ]; then
ReportWarning "dockerfile" "No ENTRYPOINT defined in Dockerfile."
else
ENTRYPOINT=$(echo ${FIND})
Display --indent 2 --text "ENTRYPOINT" --result "${ENTRYPOINT}"
fi
FIND=$(grep "^CMD" ${AUDIT_FILE} | cut -d' ' -f2 )
if [ "${FIND}" = "" ]; then
if [ -z "${FIND}" ]; then
ReportWarning "dockerfile" "No CMD defines in Dockerfile."
else
CMD=$(echo ${FIND})
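Review bot: the pattern `"*MAINTAINER"` starts with a quantifier, which is undefined in an ERE (GNU grep happens to treat the leading `*` literally, making it effectively `MAINTAINER`); with `-i` it also matches the `LABEL maintainer=...` form, which is presumably wanted, but `cut -d'"' -f 2` then yields nothing for an unquoted value. Use `grep -E -i "^(MAINTAINER|LABEL .*maintainer)"` and handle unquoted values. Also the CMD block below still goes through the generic `FIND` variable while MAINTAINER and ENTRYPOINT were given named variables in this hunk.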
@ -135,23 +118,20 @@ InsertSection "Basics"
fi
FIND=$(grep "^USER" ${AUDIT_FILE} | cut -d' ' -f2 )
if [ "${FIND}" = "" ]; then
if [ -z "${FIND}" ]; then
ReportWarning "dockerfile" "No user declared in Dockerfile. Container will execute command as root"
else
USER=$(echo ${FIND})
Display --indent 2 --text "User" --result "${USER}"
fi
#
##################################################################################################
#
InsertSection "Software"
case $PKGMGR in
"apt")
FIND=$(egrep "apt-get(.*) install" ${AUDIT_FILE})
FIND=$(grep -E "apt-get(.*) install" ${AUDIT_FILE})
if [ ! "${FIND}" = "" ]; then
LogText "Found installation via apt-get"
else
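Review bot: `USER=$(echo ${FIND})` overwrites the shell's `USER` environment variable for the rest of the run, so any later code that reads `${USER}` to learn who is running the audit will see the Dockerfile's user instead; use a dedicated name such as `DOCKERFILE_USER`, as was done for `MAINTAINER` and `ENTRYPOINT` above.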
@ -159,7 +139,7 @@ InsertSection "Basics"
fi
;;
"apk")
FIND=$(egrep "apk(.*) add" ${AUDIT_FILE})
FIND=$(grep -E "apk(.*) add" ${AUDIT_FILE})
if [ ! "${FIND}" = "" ]; then
LogText "Found installation via apk"
else
@ -171,7 +151,7 @@ InsertSection "Basics"
;;
esac
FIND=$(egrep " (gcc|libc6-dev|make)" ${AUDIT_FILE} | grep -v "^#")
FIND=$(grep -E " (gcc|libc6-dev|make)" ${AUDIT_FILE} | grep -v "^#")
if [ ! "${FIND}" = "" ]; then
ReportWarning "dockerfile" "Possible development utilities found, which is not advised for production environment"
LogText "Details: ${FIND}"
@ -214,7 +194,7 @@ InsertSection "Basics"
if [ ${FILE_DOWNLOAD} -eq 1 ]; then
SSL_USED_FIND=$(egrep "(https)" ${AUDIT_FILE})
SSL_USED_FIND=$(grep -E "(https)" ${AUDIT_FILE})
if HasData "${SSL_USED_FIND}"; then
SSL_USED="YES"
@ -225,9 +205,9 @@ InsertSection "Basics"
ReportSuggestion "Use SSL downloads when possible to increase security (DNSSEC, HTTPS, validation of domain, avoid MitM)"
fi
Display --indent 2 --text "Integrity testing performed" --result "${SSL_USED}" --color ${COLOR}
HASHING_USED=$(egrep "(sha1sum|sha256sum|sha512sum)" ${AUDIT_FILE})
HASHING_USED=$(grep -E "(sha1sum|sha256sum|sha512sum)" ${AUDIT_FILE})
Display --indent 2 --text "Hashing" --result "${HASHING_USED}"
KEYS_USED=$(egrep "(apt-key adv)" ${AUDIT_FILE}| sed 's/RUN apt-key adv//g'| sed 's/--keyserver/Key Server:/g' | sed 's/--recv/Key Value:/g')
KEYS_USED=$(grep -E "(apt-key adv)" ${AUDIT_FILE}| sed 's/RUN apt-key adv//g'| sed 's/--keyserver/Key Server:/g' | sed 's/--recv/Key Value:/g')
Display --indent 2 --text "Signing keys used" --result "${KEYS_USED}"
Display --indent 2 --text "All downloads properly checked" --result "?"
else

View File

@ -6,7 +6,7 @@
# ------------------
#
# Copyright 2007-2013, Michael Boelen
# Copyright 2007-2019, CISOfy
# Copyright 2007-2020, CISOfy
#
# Website : https://cisofy.com
# Blog : http://linux-audit.com

192
include/helper_generate Normal file
View File

@ -0,0 +1,192 @@
#!/bin/sh
#################################################################################
#
# Lynis
# ------------------
#
# Copyright 2007-2013, Michael Boelen
# Copyright 2007-2020, CISOfy
#
# Website : https://cisofy.com
# Blog : http://linux-audit.com
# GitHub : https://github.com/CISOfy/lynis
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
# See LICENSE file for usage of this software.
#
######################################################################
#
# Helper program to generate specific details such as host IDs
#
######################################################################
#
# How to use:
# ------------
# Run: lynis generate <option>
#
######################################################################
SAVEFILE=0
GENERATE_ARGS="hostids systemd-units"
if [ $# -gt 0 ]; then
case $1 in
"hostids")
if [ $# -gt 1 ]; then
shift
if [ $1 = "--save" ]; then
SAVEFILE=1
fi
fi
# Generate random host IDs
case "${OS}" in
"AIX")
# hexdump does not exist on AIX
HOSTID=$(head -c20 < /dev/urandom | xxd -c 20 -p)
HOSTID2=$(head -c32 < /dev/urandom | xxd -c 32 -p)
;;
*)
# xxd does not exist on FreeBSD
# Note: hexdump may omit leading or trailing zeroes.
# Take 100 characters as input, turn to hex, then take first 40/64.
HOSTID=$(head -c100 < /dev/urandom | hexdump -ve '"%.2x"' | head -c40)
HOSTID2=$(head -c100 < /dev/urandom | hexdump -ve '"%.2x"' | head -c64)
;;
esac
${ECHOCMD} "Generated host identifiers"
${ECHOCMD} "- hostid: ${HOSTID}"
${ECHOCMD} "- hostid2: ${HOSTID2}"
if [ ${SAVEFILE} -eq 1 ]; then
FILE="${ROOTDIR}etc/lynis/hostids"
if [ -f ${FILE} ]; then
${ECHOCMD} "Error: hostids file already exists (${FILE})"
${ECHOCMD} "Remove the file first and rerun command"
ExitFatal
else
OUTPUT=$(touch ${FILE} 2> /dev/null)
if [ $? -eq 0 ]; then
${ECHOCMD} "Created hostids file (${FILE})"
echo "# generated using 'lynis generate hostids --save'" > ${FILE}
echo "hostid=${HOSTID}" >> ${FILE}
echo "hostid2=${HOSTID2}" >> ${FILE}
else
ExitFatal "Error: could not created hostids file (${FILE}). Issue with permissions?"
fi
fi
fi
ExitClean
;;
"cronjob")
${ECHOCMD} "Not implemented yet"
;;
"systemd-units")
${ECHOCMD} ""
${ECHOCMD} "${BG_BLUE}Step 1: create service unit (/etc/systemd/system/lynis.service)${NORMAL}"
${ECHOCMD} ""
${ECHOCMD} "#################################################################################"
${ECHOCMD} "#"
${ECHOCMD} "# Lynis service file for systemd"
${ECHOCMD} "#"
${ECHOCMD} "#################################################################################"
${ECHOCMD} "# Do not remove, so Lynis can provide a hint when a newer unit is available"
${ECHOCMD} "# Generator=lynis"
${ECHOCMD} "# Version=1"
${ECHOCMD} "#################################################################################"
${ECHOCMD} ""
${ECHOCMD} "[Unit]"
${ECHOCMD} "Description=Security audit and vulnerability scanner"
${ECHOCMD} "Documentation=https://cisofy.com/docs/"
${ECHOCMD} ""
${ECHOCMD} "[Service]"
${ECHOCMD} "Nice=19"
${ECHOCMD} "IOSchedulingClass=best-effort"
${ECHOCMD} "IOSchedulingPriority=7"
${ECHOCMD} "Type=simple"
MYBINARY=$(which lynis 2>/dev/null)
MOREOPTIONS=""
if [ -n "${LICENSE_KEY}" ]; then
MOREOPTIONS=" --upload"
fi
${ECHOCMD} "ExecStart=${MYBINARY:-/path/to/lynis} audit system --cronjob${MOREOPTIONS}"
${ECHOCMD} ""
${ECHOCMD} "[Install]"
${ECHOCMD} "WantedBy=multi-user.target"
${ECHOCMD} ""
${ECHOCMD} "#################################################################################"
${ECHOCMD} ""
${ECHOCMD} ""
${ECHOCMD} "${BG_BLUE}Step 2: create timer unit (/etc/systemd/system/lynis.timer)${NORMAL}"
${ECHOCMD} ""
${ECHOCMD} "#################################################################################"
${ECHOCMD} "#"
${ECHOCMD} "# Lynis timer file for systemd"
${ECHOCMD} "#"
${ECHOCMD} "#################################################################################"
${ECHOCMD} "# Do not remove, so Lynis can provide a hint when a newer unit is available"
${ECHOCMD} "# Generator=lynis"
${ECHOCMD} "# Version=1"
${ECHOCMD} "#################################################################################"
${ECHOCMD} ""
${ECHOCMD} "[Unit]"
${ECHOCMD} "Description=Daily timer for the Lynis security audit and vulnerability scanner"
${ECHOCMD} ""
${ECHOCMD} "[Timer]"
${ECHOCMD} "OnCalendar=daily"
${ECHOCMD} "RandomizedDelaySec=1800"
${ECHOCMD} "Persistent=false"
${ECHOCMD} ""
${ECHOCMD} "[Install]"
${ECHOCMD} "WantedBy=timers.target"
${ECHOCMD} ""
${ECHOCMD} "#################################################################################"
${ECHOCMD} ""
${ECHOCMD} ""
${ECHOCMD} "${BG_BLUE}Step 3 - Enable the timer${NORMAL}"
${ECHOCMD} ""
${ECHOCMD} "Tell systemd you made changes: systemctl daemon-reload"
${ECHOCMD} ""
${ECHOCMD} "Enable and start the timer (so no reboot is needed): systemctl enable --now lynis.timer"
${ECHOCMD} ""
${ECHOCMD} ""
${ECHOCMD} "${BG_BLUE}Optional - Customize${NORMAL}"
${ECHOCMD} ""
${ECHOCMD} "Want to override the timer? Run: systemctl edit lynis.timer"
${ECHOCMD} "Note: set the timer by first resetting it, then set the preferred value"
${ECHOCMD} ""
${ECHOCMD} "[Timer]"
${ECHOCMD} "OnCalendar="
${ECHOCMD} "OnCalendar=*-*-* 03:00:00"
${ECHOCMD} ""
;;
*) ${ECHOCMD} "Unknown argument '${RED}$1${NORMAL}' for lynis generate" ;;
esac
else
${ECHOCMD} "\n ${WHITE}Provide an additional argument${NORMAL}\n\n"
for ITEM in ${GENERATE_ARGS}; do
${ECHOCMD} " lynis generate ${BROWN}${ITEM}${NORMAL}"
done
${ECHOCMD} "\n"
${ECHOCMD} ""
${ECHOCMD} "Extended help about the generate command can be provided with: $0 show commands generate"
fi
ExitClean
# The End
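Review bot: the hostids file is created with `touch` and written under the process umask, although the values it holds identify this system to the upload server; create it with restrictive permissions (`umask 077` before the `touch`, or `chmod 600 "${FILE}"` right after). Smaller points: the `--save` comparison `[ $1 = "--save" ]` leaves `$1` unquoted; the failure message reads "could not created hostids file"; and `GENERATE_ARGS="hostids systemd-units"` omits `cronjob` even though the case statement accepts it, so either drop the stub or list it.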

View File

@ -6,7 +6,7 @@
# ------------------
#
# Copyright 2007-2013, Michael Boelen
# Copyright 2007-2019, CISOfy
# Copyright 2007-2020, CISOfy
#
# Website : https://cisofy.com
# Blog : http://linux-audit.com
@ -28,17 +28,18 @@
#
######################################################################
COMMANDS="audit configure show update upload-only"
COMMANDS="audit configure generate show update upload-only"
HELPERS="audit configure show update"
OPTIONS="--auditor\n--cronjob (--cron)\n--debug\n--developer\n--help (-h)\n--license-key\n--log-file\n--manpage (--man)\n--no-colors\n--no-log\n--pentest\n--profile\n--plugin-dir\n--quick (-Q)\n--quiet (-q)\n--report-file\n--reverse-colors\n--skip-plugins\n--tests\n--tests-from-category\n--tests-from-group\n--upload\n--verbose\n--version (-V)\n--wait\n--warnings-only"
OPTIONS="--auditor\n--cronjob (--cron)\n--debug\n--developer\n--devops\n--forensics\n--help (-h)\n--log-file\n--manpage (--man)\n--no-colors\n--no-log\n--no-plugins\n--pentest\n--profile\n--plugin-dir\n--quick (-Q)\n--quiet (-q)\n--report-file\n--reverse-colors\n--tests\n--tests-from-category\n--tests-from-group\n--usecwd\n--upload\n--verbose\n--version (-V)\n--wait\n--warnings-only"
SHOW_ARGS="categories changelog commands dbdir details environment groups help hostids includedir language license logfile man options os pidfile plugindir profiles release releasedate report settings tests version workdir"
SHOW_ARGS="categories changelog commands dbdir details environment eol groups help hostids includedir language license logfile man options os pidfile plugindir profiles release releasedate report settings tests version workdir"
SHOW_HELP="lynis show ${BROWN}categories${NORMAL} (display test categories)
lynis show ${BROWN}changelog${NORMAL} ${GRAY}[version]${NORMAL} (release details)
lynis show ${BROWN}commands${NORMAL} (all available commands)
lynis show ${BROWN}dbdir${NORMAL} (database directory)
lynis show ${BROWN}details${NORMAL} (display test details from log file)
lynis show ${BROWN}environment${NORMAL} (hardware, virtual machine, or container type)
lynis show ${BROWN}eol${NORMAL} (OS end-of-life status)
lynis show ${BROWN}groups${NORMAL} (test groups)
lynis show ${BROWN}help${NORMAL} (detailed information about arguments)
lynis show ${BROWN}hostids${NORMAL} (unique IDs for this system)
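Review bot: `COMMANDS` gains `generate` but `HELPERS="audit configure show update"` on the next line is unchanged, even though this commit adds include/helper_generate; if HELPERS drives helper dispatch or completion, `lynis generate` is advertised without being wired up. In the same hunk `--license-key` and `--skip-plugins` disappear from OPTIONS while `--no-plugins` appears; if `--license-key` is still accepted it should stay documented, and if `--skip-plugins` was renamed, the commit message should say so.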
@ -93,11 +94,29 @@ AUDIT_HELP="
"
UPDATE_ARGS="check info"
GENERATE_ARGS="( --save )"
GENERATE_HELP="
Generate random value for hostid and hostid2
${WHITE}lynis generate hostids${NORMAL}
Generate and save values
${WHITE}lynis generate hostids --save${NORMAL}
Generate systemd units to run Lynis on a schedule (e.g. daily)
${WHITE}lynis generate systemd-units${NORMAL}
"
UPDATE_ARGS="check | info"
UPDATE_HELP="
${CYAN}update info${NORMAL}
Check version information
Check and show version information
${CYAN}update check${NORMAL}
Just check if version is up-to-date
"
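Review bot: GENERATE_ARGS="( --save )" only lists the flag, while GENERATE_HELP documents two sub-commands (`hostids` and `systemd-units`); list the sub-commands in GENERATE_ARGS the way SHOW_ARGS lists its arguments so that whatever consumes these lists stays consistent. Also note that UPDATE_ARGS changes from "check info" to "check | info": if this variable is iterated the way SHOW_ARGS is, the bare `|` becomes a token, so either keep the space-separated form or make sure it is only used for display.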
@ -135,7 +154,7 @@ if [ $# -gt 0 ]; then
# Check also for gzipped changelog
elif [ -f ${FILEPATH}/changelog.gz ]; then
ZCAT=$(which zcat 2> /dev/null | grep -v "no [^ ]* in ")
if [ ! -z "${ZCAT}" ]; then
if [ -n "${ZCAT}" ]; then
CreateTempFile
CHANGELOG="${TEMP_FILE}"
LogText "Result: found gzipped changelog in ${FILEPATH}"
@ -145,18 +164,18 @@ if [ $# -gt 0 ]; then
DisplayError "Could not find zcat utility to use on gzipped changelog"
fi
fi
if [ ! -z "${CHANGELOG}" ]; then LogText "Result: found changelog file: ${CHANGELOG}"; break; fi
if [ -n "${CHANGELOG}" ]; then LogText "Result: found changelog file: ${CHANGELOG}"; break; fi
done
if [ ! -z "${CHANGELOG}" ]; then
SEARCH=$(egrep "^${PROGRAM_NAME} ${SEARCH_VERSION}" ${CHANGELOG})
if [ -n "${CHANGELOG}" ]; then
SEARCH=$(sed 's/^## //' ${CHANGELOG} | grep -E "^${PROGRAM_NAME} ${SEARCH_VERSION}")
if [ $? -eq 0 ]; then
while read -r LINE; do
if [ ${STARTED} -eq 0 ]; then
SEARCH=$(echo ${LINE} | egrep "^${PROGRAM_NAME} ${SEARCH_VERSION}")
SEARCH=$(echo ${LINE} | sed 's/^## //' | grep -E "^${PROGRAM_NAME} ${SEARCH_VERSION}")
if [ $? -eq 0 ]; then STARTED=1; ${ECHOCMD} "${BOLD}${LINE}${NORMAL}"; fi
else
# Stop if we find the next Lynis version
SEARCH=$(echo ${LINE} | egrep "^${PROGRAM_NAME} [0-9]\.[0-9]\.[0-9]")
SEARCH=$(echo ${LINE} | sed 's/^## //' | grep -E "^${PROGRAM_NAME} [0-9]\.[0-9]\.[0-9]")
if [ $? -eq 0 ]; then
break
else
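Review bot: The version pattern `^${PROGRAM_NAME} [0-9]\.[0-9]\.[0-9]` used to detect the next changelog entry (and the same pattern in the version listing of the following hunk) only matches single-digit components, so an entry such as "Lynis 3.0.10" would not terminate the loop and would be printed as part of the previous release. Use `[0-9]{1,}\.[0-9]{1,}\.[0-9]{1,}` with `grep -E`, and quote `${CHANGELOG}` in the `sed` invocation.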
@ -171,7 +190,7 @@ if [ $# -gt 0 ]; then
${ECHOCMD} "$0 lynis show changelog [version]"
${ECHOCMD} ""
${ECHOCMD} "${HEADER}${PROGRAM_NAME} versions:${NORMAL}"
SEARCH=$(egrep "^Lynis [0-9]\.[0-9]\.[0-9] " ${CHANGELOG} | awk '{print $2}' | sort -n)
SEARCH=$(sed 's/^## //' ${CHANGELOG} | grep -E "^Lynis [0-9]\.[0-9]\.[0-9] " | awk '{print $2}' | sort -n)
${ECHOCMD} ${SEARCH}
ExitFatal
fi
@ -192,8 +211,11 @@ if [ $# -gt 0 ]; then
if [ $# -eq 1 ]; then
case $1 in
"audit") ${ECHOCMD} "${AUDIT_HELP}" ;;
"configure") ${ECHOCMD} "No help available yet" ;;
"generate") ${ECHOCMD} "${GENERATE_HELP}" ;;
"show") ${ECHOCMD} "${SHOW_HELP}" ;;
"update") ${ECHOCMD} "No help available yet" ;;
"update") ${ECHOCMD} "${UPDATE_HELP}" ;;
"upload-only") ${ECHOCMD} "${UPLOAD_ONLY_HELP}" ;;
*) DisplayError "Unknown argument for 'commands'"
esac
else
@ -223,7 +245,7 @@ if [ $# -gt 0 ]; then
shift
if [ $# -eq 1 ]; then
TESTID="$1"
awk -v search="Performing test ID $TESTID" '$0 ~ search {++f;p=1}p&&f==1;/===---/{p=0}' ${LOGFILE}
awk -v search="Performing test ID $TESTID" '$0 ~ search {++f;p=1}p&&f==1;/====/{p=0}' ${LOGFILE}
fi
fi
;;
@ -242,6 +264,18 @@ if [ $# -gt 0 ]; then
${ECHOCMD} "virtual-machine=0"
fi
;;
"eol")
${ECHOCMD} "Operating-system=${OS_FULLNAME}"
if [ ${EOL} -eq 0 ]; then
${ECHOCMD} "End-of-life=No"
elif [ ${EOL} -eq 1 ]; then
${ECHOCMD} "End-of-life=Yes"
elif [ ${EOL} -eq 255 ]; then
${ECHOCMD} "End-of-life=Not tested"
else
${ECHOCMD} "End-of-life=Unknown"
fi
;;
"groups")
ViewGroups
;;
@ -262,6 +296,8 @@ if [ $# -gt 0 ]; then
shift
case $1 in
"audit") ${ECHOCMD} "${AUDIT_HELP}" ;;
"configure") ${ECHOCMD} "No help available yet" ;;
"generate") ${ECHOCMD} "${GENERATE_HELP}" ;;
"show") ${ECHOCMD} "${SHOW_HELP}" ;;
"update") ${ECHOCMD} "${UPDATE_HELP}" ;;
"upload-only") ${ECHOCMD} "${UPLOAD_ONLY_HELP}" ;;
@ -323,7 +359,7 @@ if [ $# -gt 0 ]; then
VALUE=$(echo ${LINE} | awk -F';' '{print $2}')
DESCRIPTION=$(echo ${LINE} | awk -F';' '{print $3}' | sed 's/:space:/ /g')
if [ -z "${VALUE}" -a ${CONFIGURED_ONLY_OUTPUT} -eq 0 ]; then VALUE="${GRAY}[not configured]${NORMAL}"; fi
if [ ! -z "${VALUE}" ]; then
if [ -n "${VALUE}" ]; then
if [ ${BRIEF_OUTPUT} -eq 0 ]; then ${ECHOCMD} "${GRAY}# ${DESCRIPTION}${NORMAL}"; fi
${ECHOCMD} "${WHITE}${SETTING}${NORMAL}=${CYAN}${VALUE}${NORMAL}"
if [ ${BRIEF_OUTPUT} -eq 0 ]; then ${ECHOCMD} ""; fi
@ -388,7 +424,7 @@ if [ $# -gt 0 ]; then
if [ -z "${SKIP_TESTS}" ]; then
${ECHOCMD} " Profile: ${GREEN}Yes${NORMAL} (not configured)"
else
FIND=$(echo ${SKIP_TESTS} | egrep "${TEST}")
FIND=$(echo ${SKIP_TESTS} | grep -E "${TEST}")
if [ -z "${FIND}" ]; then
${ECHOCMD} " Profile: ${GREEN}Yes${NORMAL} (test not marked to be skipped)"
else

View File

@ -6,7 +6,7 @@
# ------------------
#
# Copyright 2007-2013, Michael Boelen
# Copyright 2007-2019, CISOfy
# Copyright 2007-2020, CISOfy
#
# Website : https://cisofy.com
# Blog : http://linux-audit.com

View File

@ -6,7 +6,7 @@
# ------------------
#
# Copyright 2007-2013, Michael Boelen
# Copyright 2007-2019, CISOfy
# Copyright 2007-2020, CISOfy
#
# Website : https://cisofy.com
# Blog : http://linux-audit.com
@ -77,7 +77,9 @@ elif [ "$1" = "info" ]; then
echo "${GREEN}Up-to-date${NORMAL}"
fi
echo " Release date : ${PROGRAM_RELEASE_DATE}"
echo " Update location : ${PROGRAM_WEBSITE}"
echo " Project page : ${PROGRAM_WEBSITE}"
echo " Source code : ${PROGRAM_SOURCE}"
echo " Latest package : ${PROGRAM_PACKAGE}"
echo ""; echo ""
echo "${PROGRAM_COPYRIGHT}"
echo ""

View File

@ -6,7 +6,7 @@
# ------------------
#
# Copyright 2007-2013, Michael Boelen
# Copyright 2007-2019, CISOfy
# Copyright 2007-2020, CISOfy
#
# Website : https://cisofy.com
# Blog : http://linux-audit.com
@ -61,6 +61,8 @@
10.12 | 10.12.[0-9]*) OS_FULLNAME="macOS Sierra (${OS_VERSION})" ;;
10.13 | 10.13.[0-9]*) OS_FULLNAME="macOS High Sierra (${OS_VERSION})" ;;
10.14 | 10.14.[0-9]*) OS_FULLNAME="macOS Mojave (${OS_VERSION})" ;;
10.15 | 10.15.[0-9]*) OS_FULLNAME="macOS Catalina (${OS_VERSION})" ;;
11.0 | 11.0[0-9]*) OS_FULLNAME="macOS Big Sur (${OS_VERSION})" ;;
*) echo "Unknown macOS version. Do you know what version it is? Create an issue at ${PROGRAM_SOURCE}" ;;
esac
else
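Review bot: The new case pattern `11.0 | 11.0[0-9]*` matches 11.0 and 11.01 but not 11.1, 11.2 or later Big Sur point releases, which will fall through to the "Unknown macOS version" branch. Use `11 | 11.[0-9]*` in line with how the 10.x entries are written.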
@ -138,55 +140,153 @@
# Generic
if [ -e /etc/os-release ]; then
OS_FULLNAME=$(awk -F= '/^PRETTY_NAME=/ {print substr($2,2,length($2)-2)}' /etc/os-release)
OS_ID=$(grep "^ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
if [ ! -z "${OS_ID}" ]; then
if [ -n "${OS_ID}" ]; then
case ${OS_ID} in
"alpine")
LINUX_VERSION="Alpine Linux"
OS_NAME=$(grep "^PRETTY_NAME=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
;;
"amzn")
LINUX_VERSION="Amazon Linux"
OS_NAME="Amazon Linux"
OS_REDHAT_OR_CLONE=1
OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
;;
"arch")
LINUX_VERSION="Arch Linux"
OS_FULLNAME="Arch Linux"
OS_VERSION="Rolling release"
;;
"coreos")
LINUX_VERSION="CoreOS"
OS_FULLNAME=$(grep "^PRETTY_NAME=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
"centos")
LINUX_VERSION="CentOS"
OS_NAME="CentOS Linux"
OS_REDHAT_OR_CLONE=1
OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
OS_NAME="CoreOS Linux"
;;
"manjaro")
LINUX_VERSION="Manjaro Linux"
OS_FULLNAME="Manjaro Linux"
"clear-linux-os")
LINUX_VERSION="Clear Linux OS"
OS_NAME="Clear Linux OS"
OS_REDHAT_OR_CLONE=1
OS_VERSION="Rolling release"
;;
"ubuntu")
LINUX_VERSION="Ubuntu"
OS_FULLNAME=$(grep "^PRETTY_NAME=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
"cloudlinux")
LINUX_VERSION="CloudLinux"
OS_NAME="CloudLinux"
OS_REDHAT_OR_CLONE=1
OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
;;
"coreos")
LINUX_VERSION="CoreOS"
OS_NAME="CoreOS Linux"
OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
;;
"debian")
LINUX_VERSION="Debian"
OS_NAME="Debian"
OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
;;
"fedora")
LINUX_VERSION="Fedora"
OS_NAME="Fedora Linux"
OS_REDHAT_OR_CLONE=1
OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
;;
"gentoo")
LINUX_VERSION="Gentoo"
OS_NAME="Gentoo Linux"
OS_VERSION="Rolling release"
;;
"kali")
LINUX_VERSION="Kali"
OS_NAME="Kali Linux"
OS_VERSION="Rolling release"
;;
"linuxmint")
LINUX_VERSION="Linux Mint"
OS_NAME="Linux Mint"
OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
;;
"manjaro")
LINUX_VERSION="Manjaro"
OS_FULLNAME="Manjaro Linux"
OS_NAME="Manjaro"
OS_VERSION="Rolling release"
;;
"ol")
LINUX_VERSION="Oracle Linux"
OS_NAME="Oracle Linux"
OS_REDHAT_OR_CLONE=1
OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
OS_NAME="Ubuntu Linux"
;;
"opensuse-tumbleweed")
LINUX_VERSION="openSUSE Tumbleweed"
OS_FULLNAME=$(grep "^PRETTY_NAME=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
# It's rolling release but has a snapshot version (the date of the snapshot)
OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
OS_NAME="openSUSE"
;;
"opensuse-leap")
LINUX_VERSION="openSUSE Leap"
OS_FULLNAME=$(grep "^PRETTY_NAME=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
OS_NAME="openSUSE"
;;
"pop")
LINUX_VERSION="Pop!_OS"
OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
OS_NAME="Pop!_OS"
;;
"pureos")
LINUX_VERSION="PureOS"
OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
OS_NAME="PureOS"
;;
"raspbian")
LINUX_VERSION="Raspbian"
OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
OS_NAME="Raspbian"
;;
"rhel")
LINUX_VERSION="RHEL"
OS_NAME=$(grep "^PRETTY_NAME=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
OS_FULLNAME="${OS_NAME} ${OS_VERSION_FULL}"
OS_REDHAT_OR_CLONE=1
;;
"slackware")
LINUX_VERSION="Slackware"
OS_NAME="Slackware Linux"
OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
;;
"ubuntu")
LINUX_VERSION="Ubuntu"
OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
OS_NAME="Ubuntu"
;;
*)
Debug "Unknown OS found in /etc/os-release. Do you know what it is? Create an issue at ${PROGRAM_SOURCE}"
ReportException "OS Detection" "Unknown OS found in /etc/os-release - Please create issue on GitHub project page: ${PROGRAM_SOURCE}"
;;
esac
fi
fi
# Alpine
if [ -e "/etc/alpine-release" ]; then LINUX_VERSION="Alpine Linux"; OS_VERSION=$(cat /etc/alpine-release); fi
# Amazon
if [ -e "/etc/system-release" ]; then
FIND=$(grep "Amazon" /etc/system-release)
if [ ! "${FIND}" = "" ]; then
if [ -z "${LINUX_VERSION}" -a -e "/etc/system-release" ]; then
FIND=$(grep "^Amazon" /etc/system-release)
if [ -n "${FIND}" ]; then
OS_REDHAT_OR_CLONE=1
OS_FULLNAME=$(grep "^Amazon" /etc/system-release)
OS_VERSION=$(grep "^Amazon" /etc/system-release | awk '{ if ($4=="release") { print $5 } }')
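Review bot: The `grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"'` pipeline is repeated in almost every case branch (and the `^VERSION=` variant in most of them); extracting VERSION_ID and VERSION once next to the existing `OS_ID` extraction above the `case` would shrink the hunk and remove the risk of the branches drifting apart. Separately, the "arch" and "manjaro" branches overwrite OS_FULLNAME with a fixed string while every other branch keeps the PRETTY_NAME value read a few lines earlier; be consistent about which one wins.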
@ -210,6 +310,7 @@
# Cobalt
if [ -e "/etc/cobalt-release" ]; then OS_FULLNAME=$(cat /etc/cobalt-release); fi
# CPUBuilders Linux
if [ -e "/etc/cpub-release" ]; then OS_FULLNAME=$(cat /etc/cpub-release); fi
@ -257,12 +358,11 @@
if [ -e "/etc/gentoo-release" ]; then LINUX_VERSION="Gentoo"; OS_FULLNAME=$(cat /etc/gentoo-release); fi
# Red Hat and others
if [ -e "/etc/redhat-release" ]; then
if [ -z "${LINUX_VERSION}" -a -e "/etc/redhat-release" ]; then
OS_REDHAT_OR_CLONE=1
# CentOS
FIND=$(grep "CentOS" /etc/redhat-release)
if [ ! "${FIND}" = "" ]; then
if grep "CentOS" /etc/redhat-release; then
OS_FULLNAME=$(grep "CentOS" /etc/redhat-release)
LINUX_VERSION="CentOS"
OS_VERSION="${OS_FULLNAME}"
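Review bot: `if grep "CentOS" /etc/redhat-release; then` runs grep without `-q`, so the matching line is printed to stdout every time Lynis starts on CentOS; use `grep -q "CentOS" /etc/redhat-release` (the next line already re-reads the match into OS_FULLNAME).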
@ -477,7 +577,7 @@
ECHONB=""
case ${OS} in
"AIX") ECHOCMD="echo" ;;
"AIX") ECHOCMD="echo"; ECHONB="printf" ;;
"DragonFly"|"FreeBSD"|"NetBSD") ECHOCMD="echo -e"; ECHONB="echo -n" ;;
"macOS" | "Mac OS X") ECHOCMD="echo"; ECHONB="/bin/echo -n" ;;
"Solaris") ECHOCMD="echo" ; test -f /usr/ucb/echo && ECHONB="/usr/ucb/echo -n" ;;
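Review bot: Setting ECHONB="printf" for AIX means the text passed to `${ECHONB}` becomes printf's format string, so any `%` in the output is interpreted as a conversion and backslash sequences are expanded; if ECHONB is called as `${ENCHONB} "text"` elsewhere, `printf '%s'` is the safer equivalent of `echo -n`.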
@ -512,19 +612,24 @@
# Check if this OS is end-of-life
EOL=255
EOL_DATE=""
if [ ! -z "${OS_VERSION}" ]; then
EOL_TIMESTAMP=0
if [ -n "${OS_VERSION}" ]; then
if [ -f "${DBDIR}/software-eol.db" ]; then
FIND="${OS_FULLNAME}"
EOL_DATE=$(awk -v value="${FIND}" -F: '{if ($1=="os" && $2 ~ value){print $3}}' ${DBDIR}/software-eol.db | head -n 1)
if [ ! -z "${EOL_DATE}" ]; then
NOW=$(date "+%s")
FIND=$(date "+%s" --date=${EOL_DATE})
if [ ! -z "${FIND}" ]; then
if [ ${NOW} -gt ${FIND} ]; then
EOL=1
else
EOL=0
EOL_TIMESTAMP=$(awk -v value="${FIND}" -F: '{if ($1=="os" && value ~ $2){print $4}}' ${DBDIR}/software-eol.db | head -n 1)
if [ -n "${EOL_TIMESTAMP}" ]; then
EOL_DATE=$(awk -v value="${FIND}" -F: '{if ($1=="os" && value ~ $2){print $3}}' ${DBDIR}/software-eol.db | head -n 1)
if [ -n "${EOL_DATE}" ]; then
NOW=$(date "+%s")
if [ -n "${NOW}" ]; then
if [ ${NOW} -gt ${EOL_TIMESTAMP} ]; then
EOL=1
else
EOL=0
fi
fi
else
EOL=0
fi
fi
fi
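Review bot: The outer `else` branch sets EOL=0 ("End-of-life=No") whenever EOL_TIMESTAMP is empty, which is also the case when the operating system simply has no entry in software-eol.db; an unknown OS should keep the EOL=255 ("Not tested") sentinel that `lynis show eol` reports, so the `else` should only apply when a database row matched but its fourth field is empty. Both awk passes over software-eol.db use `value ~ $2`, i.e. the database field is treated as a regular expression against OS_FULLNAME; that reverses the old `$2 ~ value` semantics and should be reflected in the database format documentation. The two passes could also be merged into one that prints `$3":"$4`.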

View File

@ -6,7 +6,7 @@
# ------------------
#
# Copyright 2007-2013, Michael Boelen
# Copyright 2007-2019, CISOfy
# Copyright 2007-2020, CISOfy
#
# Website : https://cisofy.com
# Blog : http://linux-audit.com
@ -22,8 +22,21 @@
#
#################################################################################
#
# Check number of parameters submitted (at least one is needed)
PARAMCOUNT=$#
# Input validation on provided parameters and their arguments
COUNT=0
for I in "$@"; do
COUNT=$((COUNT + 1))
if ! SafeInput "${I}"; then
echo "Execution of ${PROGRAM_NAME} stopped as we found unexpected input or invalid characters in argument ${COUNT}"
echo "Do you believe this is in error? Let us know: ${PROGRAM_AUTHOR_CONTACT}"
ExitFatal "Program execution stopped due to security measure"
fi
done
# Parse arguments
while [ $# -ge 1 ]; do
case $1 in
# Helpers first
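Review bot: `PARAMCOUNT=$#` is removed here; confirm that no other include or helper still reads PARAMCOUNT before merging. The SafeInput loop itself is quoted correctly (`for I in "$@"`), but the error message tells the user only the argument number, not which character was rejected; printing the offending argument (or at least the first disallowed character) would make the "is this in error?" prompt on the next line actionable.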
@ -36,12 +49,13 @@
if [ $# -gt 1 ]; then
case $2 in
"dockerfile")
if [ "$3" = "" ]; then
if [ $# = 2 ]; then
echo "${RED}Error: ${WHITE}Missing file name or URL${NORMAL}"
echo "Example: $0 audit dockerfile /root/Dockerfile"
echo "Example: $0 audit dockerfile /path/to/Dockerfile"
ExitFatal
else
shift; shift
CHECK_BINARIES=1
HELPER_PARAMS="$1"
HELPER="audit_dockerfile"
break
@ -84,7 +98,14 @@
SKIP_PLUGINS=0
RUN_TESTS=1
shift
;;
*)
echo "${RED}Error: ${WHITE}Need a target to audit${NORMAL}"
echo " "
echo "Examples:"
echo "lynis audit dockerfile"
echo "lynis audit system"
ExitFatal
;;
esac
else
@ -111,6 +132,24 @@
break
;;
# Generate data
generate)
CHECK_BINARIES=0
HELPER="generate"
LOGTEXT=0
QUIET=1
RUN_HELPERS=1
RUN_TESTS=0
RUN_UPDATE_CHECK=0
SKIP_GETHOSTID=1
SKIP_PLUGINS=1
SKIP_VM_DETECTION=1
SHOW_PROGRAM_DETAILS=0
SHOW_TOOL_TIPS=0
shift; HELPER_PARAMS="$@"
break
;;
# Show Lynis details
show)
CHECK_BINARIES=0
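Review bot: `HELPER_PARAMS="$@"` assigns the positional parameters to a scalar, which POSIX leaves unspecified (and which shellcheck flags as SC2124); `HELPER_PARAMS="$*"` expresses the intended space-joined string portably and matches how `$@` ends up being used after the assignment.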
@ -192,16 +231,10 @@
fi
;;
# Perform tests (deprecated, use audit system)
--check-all | --checkall | -c)
DisplayToolTip "Usage of option -c is deprecated. Please use: lynis audit system [options]"
CHECK=1
;;
# Cronjob support
--cron-job | --cronjob | --cron)
CRONJOB=1
CHECK=1; QUICKMODE=1; COLORS=0; NEVERBREAK=1 # Use some defaults (-c, -Q, no colors)
CHECK=1; COLORS=0; NEVERBREAK=1 # Use some defaults ('audit system', -Q, no colors)
RemoveColors
;;
@ -215,29 +248,14 @@
DEVELOPER_MODE=1
;;
# Display all available options with short alias
--dump-options | --dumpoptions)
OPTIONS="--auditor
--check-all_(-c) --cronjob_(--cron)
--debug
--help_(-h)
--info
--license-key --log-file
--manpage_(--man)
--no-colors --no-log
--pentest --profile --plugins-dir
--quiet_(-q) --quick_(-Q)
--report-file --reverse-colors
--tests
--upload
--version_(-V)"
for ITEM in ${OPTIONS}; do
echo "${ITEM}" | tr '_' ' '
done
echo "This option is deprecated"
echo "Use: lynis show options"
# DevOps mode (continuous integration)
--devops)
DEVOPS_MODE=1
;;
ExitClean
# Enable forensics mode (gather information from a mounted directory)
--forensics)
FORENSICS=1
;;
# View help
@ -245,19 +263,6 @@
VIEWHELP=1
;;
# View program/database information
--check-update | --check-updates | --info)
echo "This option is deprecated"
echo "Use: lynis update info"
ExitClean
;;
# License key for Lynis Enterprise
--license-key)
shift
LICENSE_KEY=$1
;;
# Adjust default logfile location
--logfile | --log-file)
shift
@ -265,7 +270,7 @@
;;
# Don't use colors
--no-colors | --nocolors)
--no-colors | --nocolors | --no-colour | --nocolour)
COLORS=0
RemoveColors
;;
@ -275,6 +280,11 @@
LOGFILE="/dev/null"
;;
# Skip execution of plugins
--no-plugins | --noplugins | --skip-plugins)
SKIP_PLUGINS=1
;;
--pen-test | --pentest)
PENTESTINGMODE=1
;;
@ -283,7 +293,7 @@
--profile)
if [ $# -gt 1 ]; then
shift
SEARCH_PROFILES=$1
SEARCH_PROFILES="$1"
else
echo "Specify the profile (lynis audit system --profile /home/michael/myprofile.prf)"
exit 1
@ -313,7 +323,6 @@
# Quiet mode
--quiet | -q | --silent)
QUIET=1
QUICKMODE=1 # Run non-interactive
;;
# Non-interactive mode
@ -328,7 +337,7 @@
;;
# Strip the colors which aren't clearly visible on light backgrounds
--reverse-colors)
--reverse-colors | --reverse-colour)
BLUE="${NORMAL}";
SECTION="${NORMAL}";
NOTICE="${NORMAL}";
@ -355,11 +364,6 @@
fi
;;
# Skip execution of plugins
--skip-plugins | --no-plugins | --noplugins)
SKIP_PLUGINS=1
;;
# Only scan these tests
--tests)
shift
@ -373,7 +377,7 @@
;;
# Scan one or more tests from just on group
--tests-from-group | --tests-from-groups | --test-from-group | --test-from-group)
--tests-from-group | --tests-from-groups | --test-from-group | --test-from-groups)
shift
TEST_GROUP_TO_CHECK=$1
;;
@ -383,6 +387,10 @@
UPLOAD_DATA=1
;;
--usecwd | --use-cwd)
USE_CWD=1
;;
--verbose)
VERBOSE=1
;;
@ -412,15 +420,62 @@
# Warnings
--warnings-only | --show-warnings-only)
SHOW_WARNINGS_ONLY=1
QUICKMODE=1
QUIET=1
;;
# Warning when test is slow
--slow-warning)
if [ $# -gt 1 ]; then
shift
if [ "$1" -gt 0 ] 2>/dev/null; then
SLOW_TEST_THRESHOLD="$1"
else
echo "Argument has to be number."
exit 1
fi
else
echo "Specify threshold as number of seconds above which should Lynis warn about long test."
exit 1
fi
;;
--tests-category | --tests-categories | --view-categories | --list-categories | --show-categories)
echo "Error: Deprecated option ($1)"
exit 1
;;
# Soon to be deprecated options
# Perform tests (deprecated, use audit system)
--check-all | --checkall | -c)
echo "This option (-c) is deprecated."
echo "Use: lynis audit system [options]"
ExitFatal
;;
# View program/database information
--check-update | --check-updates | --info)
echo "This option (--info) is deprecated"
echo "Use: lynis update info"
ExitFatal
;;
# Display all available options with short alias
--dump-options | --dumpoptions)
echo "This option (--dump-options) is deprecated"
echo "Use: lynis show options"
ExitFatal
;;
# License key for Lynis Enterprise
--license-key)
echo "This option is deprecated"
echo "Define a license key in /etc/lynis/custom.prf"
ExitFatal
;;
# Drop out when using wrong option(s)
*)
# Wrong option used, we bail out later
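Review bot: The `--slow-warning` branch uses `exit 1` on a bad or missing argument while the deprecated-option branches in the same hunk use ExitFatal; if ExitFatal performs cleanup (temporary files, log footer) the direct `exit` skips it, so use ExitFatal for both failure paths. Also fix the grammar of the two messages ("Argument has to be a number." and "Specify the threshold in seconds above which Lynis should warn about a slow test.").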
@ -433,5 +488,15 @@
done
# Ensure non-interactive mode when running quietly or as cronjob
if [ ${CRONJOB} -eq 1 -o ${QUIET} -eq 1 ]; then
if [ ${QUICKMODE} -eq 0 ]; then
if [ ${QUIET} -eq 0 ]; then
echo "Switched back to quick mode (cron/non-interactive/quiet)"
fi
QUICKMODE=1
fi
fi
#================================================================================
# Lynis - Security Auditing and System Hardening for Linux and UNIX - https://cisofy.com

View File

@ -6,7 +6,7 @@
# ------------------
#
# Copyright 2007-2013, Michael Boelen
# Copyright 2007-2019, CISOfy
# Copyright 2007-2020, CISOfy
#
# Website : https://cisofy.com
# Blog : http://linux-audit.com
@ -32,9 +32,46 @@
for PROFILE in ${PROFILES}; do
LogText "Reading profile/configuration ${PROFILE}"
FIND=$(egrep "^config:|^[a-z-].*=" ${PROFILE} | sed 's/ /!space!/g')
for CONFIGOPTION in ${FIND}; do
if ContainsString "config:" "${CONFIGOPTION}"; then
# Show deprecation message for old config entries such as 'config:' and 'apache:'
FOUND=0
DATA=$(grep -E "^[a-z-]{1,}:" ${PROFILE} | od -An -ta | sed 's/ /!space!/g') # od -An (no file offset), -ta (named character, to be on safe side)
if ! IsEmpty "${DATA}"; then FOUND=1; fi
if [ ${FOUND} -eq 1 ]; then
Display --text " "
Display --text "=================================================================================================="
DisplayWarning "Your profile contains old-style configuration entries. See log file for more details and how to convert these entries"
Display --indent 2 --text "* ${RED}ISSUE${NORMAL}"
Display --indent 2 --text "Your profile has one or more lines that are in an old format (key:value). They need to be converted into the new format (key=value) or disabled."
Display --text " "
Display --indent 2 --text "* ${GREEN}HOW TO RESOLVE${NORMAL}"
Display --indent 2 --text "Use grep to see the relevant matches (grep -E \"^[a-z-]{1,}:\" custom.prf)"
Display --text " "
Display --text "=================================================================================================="
Display --text " "
LogText "Insight: Profile '${PROFILE}' contians one or more old-style configuration entries"
ReportWarning "GEN-0020" "Your profile contains one or more old-style configuration entries"
sleep 10
fi
# Security check for unexpected and possibly harmful escape characters (hyphen should be listed as first or last character)
DATA=$(grep -Ev '^$|^ |^#|^config:' "${PROFILE}" | tr -d '[:alnum:]/\[\]\(\)_\|,\.:;= \n\r-' | od -An -ta | sed 's/ /!space!/g')
if ! IsEmpty "${DATA}"; then
DisplayWarning "Your profile '${PROFILE}' contains unexpected characters. See the log file for more information."
LogText "Found unexpected or possibly harmful characters in profile '${PROFILE}'. See which characters matched in the output below and compare them with your profile."
for I in ${DATA}; do
I=$(echo ${I} | sed 's/!space!/ /g')
LogText "Output: ${I}"
done
LogText "Suggestion: comment incorrect lines with a '#' and try again. Open a GitHub issue if valid characters are blocked"
ExitFatal "unexpected characters in profile. Stopping execution (security measure)"
fi
# Now parse the profile and filter out unwanted characters
DATA=$(grep -E "^config:|^[a-z-].*=" ${PROFILE} | tr -dc '[:alnum:]/\[\]\(\)_\|,\.:;= \n\r-' | sed 's/ /!space!/g')
for CONFIGOPTION in ${DATA}; do
if ContainsString "^config:" "${CONFIGOPTION}"; then
# Old style configuration
OPTION=$(echo ${CONFIGOPTION} | cut -d ':' -f2)
VALUE=$(echo ${CONFIGOPTION} | cut -d ':' -f3 | sed 's/!space!/ /g')
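Review bot: `ContainsString "^config:" "${CONFIGOPTION}"` replaces the previous literal `"config:"`; if ContainsString does a plain substring test rather than a regex match, the leading `^` means old-style `config:` lines are never recognised and fall through to the key=value parser. Check which semantics ContainsString has before merging. Two smaller points in the same hunk: the LogText line has a typo ("contians"), and `sleep 10` after the deprecation banner will stall unattended runs (`--cronjob`, `--quiet`), so make the pause conditional on an interactive mode.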
@ -49,8 +86,8 @@
# Is Lynis Enterprise allowed to purge this system when it is becomes outdated?
allow-auto-purge)
FIND=$(echo "${VALUE}" | egrep "^(1|true|yes)$")
if [ ! -z "${FIND}" ]; then
FIND=$(echo "${VALUE}" | grep -E "^(1|true|yes)$")
if [ -n "${FIND}" ]; then
Report "allow-auto-purge=1"
else
Report "allow-auto-purge=0"
@ -82,15 +119,15 @@
colors)
# Quick mode (SKIP_PLUGINS) might already be set outside profile, so store in different variable
SETTING_COLORS=1 # default is yes
FIND=$(echo "${VALUE}" | egrep "^(0|false|no)$") && COLORS=0
if [ ! -z "${FIND}" ]; then SETTING_COLORS=0; RemoveColors; fi
FIND=$(echo "${VALUE}" | grep -E "^(0|false|no)$") && COLORS=0
if [ -n "${FIND}" ]; then SETTING_COLORS=0; RemoveColors; fi
Debug "Colors set to ${SETTING_COLORS}"
AddSetting "colors" "${SETTING_COLORS}" "Colored screen output"
unset SETTING_COLORS
;;
# Ignore configuration data
config-data)
config-data | permdir | permfile)
Debug "Ignoring configuration option, as it will be used by a specific test"
;;
@ -138,27 +175,27 @@
# Do not check security repository in sources.list (Debian/Ubuntu)
debian-skip-security-repository | debian_skip_security_repository)
FIND=$(echo "${VALUE}" | egrep "^(1|true|yes)") && OPTION_DEBIAN_SKIP_SECURITY_REPOSITORY=1
FIND=$(echo "${VALUE}" | grep -E "^(1|true|yes)") && OPTION_DEBIAN_SKIP_SECURITY_REPOSITORY=1
AddSetting "debian-skip-security-repository" "OPTION_DEBIAN_SKIP_SECURITY_REPOSITORY" "Skip checking for a security repository (Debian and others)"
;;
# Debug status to show more details while running program
debug)
FIND=$(echo "${VALUE}" | egrep "^(1|true|yes)") && DEBUG=1
FIND=$(echo "${VALUE}" | grep -E "^(1|true|yes)") && DEBUG=1
Debug "Debug mode set to '${DEBUG}'"
AddSetting "debug" "${DEBUG}" "Debugging mode"
;;
# Development mode (--developer)
developer-mode)
FIND=$(echo "${VALUE}" | egrep "^(1|true|yes)") && DEVELOPER_MODE=1
FIND=$(echo "${VALUE}" | grep -E "^(1|true|yes)") && DEVELOPER_MODE=1
Debug "Developer mode set to ${DEVELOPER_MODE}"
AddSetting "developer" "${DEVELOPER_MODE}" "Developer mode"
;;
# Show non-zero exit code when errors are found
error-on-warnings)
FIND=$(echo "${VALUE}" | egrep "^(1|true|yes)") && ERROR_ON_WARNINGS=1
FIND=$(echo "${VALUE}" | grep -E "^(1|true|yes)") && ERROR_ON_WARNINGS=1
Debug "Exit with different code on warnings is set to ${ERROR_ON_WARNINGS}"
AddSetting "error-on-warnings" "${ERROR_ON_WARNINGS}" "Use non-zero exit code if one or more warnings were found"
;;
@ -169,7 +206,7 @@
OPTION_FREEBSD_SKIP_PORTAUDIT="${VALUE}"
;;
# Lynis Enterprise: group name - deprecrated option
# Lynis Enterprise: group name - deprecated option
group)
GROUP_NAME="${VALUE}"
AddSetting "group" "${GROUP_NAME}" "Group"
@ -177,7 +214,7 @@
;;
hostalias | host-alias)
if [ ! -z "${VALUE}" ]; then Report "hostname_alias=${VALUE}"; fi
if [ -n "${VALUE}" ]; then Report "hostname_alias=${VALUE}"; fi
;;
hostid)
@ -196,13 +233,13 @@
# Language
language | lang)
LogText "Language set via profile to '${VALUE}'"
if [ ! -z "${VALUE}" ]; then LANGUAGE="${VALUE}"; fi
if [ -n "${VALUE}" ]; then LANGUAGE="${VALUE}"; fi
AddSetting "language" "${LANGUAGE}" "Language"
;;
# Lynis Enterprise license key
license-key | license_key)
if [ ! -z "${VALUE}" ]; then
if [ -n "${VALUE}" ]; then
LICENSE_KEY="${VALUE}"
Report "license_key=${VALUE}"
fi
@ -211,7 +248,7 @@
# Do (not) log tests if they have an different operating system
log-tests-incorrect-os | log_tests_incorrect_os)
FIND=$(echo "${VALUE}" | egrep "^(0|false|no)") && SETTING_LOG_TESTS_INCORRECT_OS=0
FIND=$(echo "${VALUE}" | grep -E "^(0|false|no)") && SETTING_LOG_TESTS_INCORRECT_OS=0
Debug "Logging of tests with incorrect operating system set to ${SETTING_LOG_TESTS_INCORRECT_OS}"
LOG_INCORRECT_OS=${SETTING_LOG_TESTS_INCORRECT_OS}
;;
@ -239,6 +276,11 @@
LogText "Plugin '${VALUE}' enabled according profile (${PROFILE})"
;;
disable-plugin)
LogText "Plugin '${VALUE}' disabled according profile (${PROFILE})"
DISABLED_PLUGINS="${DISABLED_PLUGINS} ${VALUE}"
;;
# Plugin directory
plugindir | plugin-dir)
if IsEmpty "${PLUGINDIR}"; then
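Review bot: `DISABLED_PLUGINS="${DISABLED_PLUGINS} ${VALUE}"` accumulates a leading space exactly as SKIP_TESTS does; SKIP_TESTS is trimmed with `sed "s/^ //"` at the end of this file, so apply the same trimming to DISABLED_PLUGINS or build it with `${DISABLED_PLUGINS:+${DISABLED_PLUGINS} }${VALUE}`.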
@ -256,10 +298,10 @@
# Quick (no waiting for keypresses)
quick)
# Quick mode (SKIP_PLUGINS) might already be set outside profile, so store in different variable
SETTING_QUICK_MODE=0 # default is no
FIND=$(echo "${VALUE}" | egrep "^(1|true|yes)$") && QUICKMODE=1
if [ ! -z "${FIND}" ]; then SETTING_QUICK_MODE=1; fi
# Quick mode might already be set outside profile, so store in different variable
SETTING_QUICK_MODE=1 # default is yes
FIND=$(echo "${VALUE}" | grep -E "^(0|false|no)$") && QUICKMODE=0
if [ -n "${FIND}" ]; then SETTING_QUICK_MODE=1; fi
Debug "Quickmode set to ${SETTING_QUICK_MODE}"
AddSetting "quick" "${SETTING_QUICK_MODE}" "Quick mode (non-interactive)"
;;
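Review bot: The quick-mode branch now defaults SETTING_QUICK_MODE=1 and matches `^(0|false|no)$` to turn QUICKMODE off, but the following line still sets `SETTING_QUICK_MODE=1` when the match succeeds, so `quick=no` is recorded as quick mode enabled by AddSetting while QUICKMODE is actually 0. That line should read `if [ -n "${FIND}" ]; then SETTING_QUICK_MODE=0; fi`.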
@ -267,8 +309,8 @@
# Refresh software repositories
refresh-repositories)
SETTING_REFRESH_REPOSITORIES=1 # default is yes
FIND=$(echo "${VALUE}" | egrep "^(0|false|no)$") && REFRESH_REPOSITORIES=0
if [ ! -z "${FIND}" ]; then SETTING_REFRESH_REPOSITORIES=0; fi
FIND=$(echo "${VALUE}" | grep -E "^(0|false|no)$") && REFRESH_REPOSITORIES=0
if [ -n "${FIND}" ]; then SETTING_REFRESH_REPOSITORIES=0; fi
Debug "Refreshing repositories set to ${SETTING_REFRESH_REPOSITORIES}"
AddSetting "refresh-repositories" "${SETTING_REFRESH_REPOSITORIES}" "Refresh repositories (for vulnerable package detection)"
;;
@ -276,16 +318,16 @@
# Show more details in report
show-report-solution)
SETTING_SHOW_REPORT_SOLUTION=${SHOW_REPORT_SOLUTION}
FIND=$(echo "${VALUE}" | egrep "^(0|false|no)$") && SHOW_REPORT_SOLUTION=0
if [ ! -z "${FIND}" ]; then SETTING_SHOW_REPORT_SOLUTION=0; fi
FIND=$(echo "${VALUE}" | grep -E "^(0|false|no)$") && SHOW_REPORT_SOLUTION=0
if [ -n "${FIND}" ]; then SETTING_SHOW_REPORT_SOLUTION=0; fi
Debug "Show report details (solution) set to ${SETTING_SHOW_REPORT_SOLUTION}"
;;
# Inline tips about tool (default enabled)
show_tool_tips | show-tool-tips)
SETTING_SHOW_TOOL_TIPS=1 # default is yes
FIND=$(echo "${VALUE}" | egrep "^(0|false|no)$") && SHOW_TOOL_TIPS=0
if [ ! -z "${FIND}" ]; then SETTING_SHOW_TOOL_TIPS=0; fi
FIND=$(echo "${VALUE}" | grep -E "^(0|false|no)$") && SHOW_TOOL_TIPS=0
if [ -n "${FIND}" ]; then SETTING_SHOW_TOOL_TIPS=0; fi
Debug "Show tool tips set to ${SETTING_SHOW_TOOL_TIPS}"
AddSetting "show-tool-tips" "${SETTING_SHOW_TOOL_TIPS}" "Show tool tips"
;;
@ -294,7 +336,7 @@
show-warnings-only)
QUIET=1
QUICKMODE=1
FIND=$(echo "${VALUE}" | egrep "^(1|true|yes)$") && SHOW_WARNINGS_ONLY=1
FIND=$(echo "${VALUE}" | grep -E "^(1|true|yes)$") && SHOW_WARNINGS_ONLY=1
Debug "Show warnings only set to ${SHOW_WARNINGS_ONLY}"
AddSetting "show-warnings-only" "${SHOW_WARNINGS_ONLY}" "Show only warnings"
;;
@ -303,8 +345,8 @@
skip-plugins)
# Skip plugins (SKIP_PLUGINS) might already be set, so store in different variable
SETTING_SKIP_PLUGINS=0 # default is no
FIND=$(echo "${VALUE}" | egrep "^(1|true|yes)$") && SKIP_PLUGINS=1
if [ ! -z "${FIND}" ]; then SETTING_SKIP_PLUGINS=1; fi
FIND=$(echo "${VALUE}" | grep -E "^(1|true|yes)$") && SKIP_PLUGINS=1
if [ -n "${FIND}" ]; then SETTING_SKIP_PLUGINS=1; fi
Debug "Skip plugins is set to ${SETTING_SKIP_PLUGINS}"
AddSetting "skip-plugins" "${SETTING_SKIP_PLUGINS}" "Skip plugins"
;;
@ -317,7 +359,7 @@
# Do not check the latest version on the internet
skip_upgrade_test | skip-upgrade-test)
FIND=$(echo "${VALUE}" | egrep "^(1|true|yes)") && SKIP_UPGRADE_TEST=1
FIND=$(echo "${VALUE}" | grep -E "^(1|true|yes)") && SKIP_UPGRADE_TEST=1
Debug "Skip upgrade test set to ${SKIP_UPGRADE_TEST}"
;;
@ -328,24 +370,38 @@
AddSetting "ssl-certificate-paths" "${SSL_CERTIFICATE_PATHS}" "Paths for SSL certificates"
;;
ssl-certificate-paths-to-ignore)
# Retrieve paths to ignore when searching for certificates. Strip special characters, replace possible spaces
SSL_CERTIFICATE_PATHS_TO_IGNORE=$(echo ${VALUE} | tr -d '[:cntrl:]' | sed 's/ /__space__/g' | tr ':' ' ')
Debug "SSL paths to ignore: ${SSL_CERTIFICATE_PATHS_TO_IGNORE}"
AddSetting "ssl-certificate-paths-to-ignore" "${SSL_CERTIFICATE_PATHS_TO_IGNORE}" "Paths that should be ignored for SSL certificates"
;;
# Check also certificates provided by packages?
ssl-certificate-include-packages)
FIND=$(echo "${VALUE}" | grep -E "^(1|true|yes)") && SSL_CERTIFICATE_INCLUDE_PACKAGES=1
Debug "Check also certificates provided by packages set to ${SSL_CERTIFICATE_INCLUDE_PACKAGES}"
;;
# Set strict mode for development and quality purposes
strict)
FIND=$(echo "${VALUE}" | egrep "^(1|true|yes)") && SET_STRICT=1
FIND=$(echo "${VALUE}" | grep -E "^(1|true|yes)") && SET_STRICT=1
;;
# The name of the customer/client that uses this system
system-customer-name)
if [ ! -z "${VALUE}" ]; then Report "system-customer-name=${VALUE}"; fi
if [ -n "${VALUE}" ]; then Report "system-customer-name=${VALUE}"; fi
;;
# The groups linked to a system (system-groups=customers,webservers,production)
system-groups)
if [ ! -z "${VALUE}" ]; then Report "system-groups=${VALUE}"; fi
if [ -n "${VALUE}" ]; then Report "system-groups=${VALUE}"; fi
;;
# Tags (tags=db,production,ssn-1304)
tags)
if [ ! -z "${VALUE}" ]; then Report "tags=${VALUE}"; fi
if [ -n "${VALUE}" ]; then Report "tags=${VALUE}"; fi
;;
# Define what kind of scan we are performing
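Review bot: in the `ssl-certificate-paths-to-ignore` branch, `echo ${VALUE}` is unquoted while every other branch in this hunk uses `echo "${VALUE}"`; word splitting collapses consecutive spaces before the `sed 's/ /__space__/g'` substitution runs, so a path containing two adjacent spaces would no longer match on disk. Suggest `echo "${VALUE}"` there, and the same `$` anchor for `strict` and `ssl-certificate-include-packages` that `skip-plugins` uses.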
@ -359,8 +415,8 @@
# Perform upload
upload)
SETTING_UPLOAD=no # default
FIND=$(echo "${VALUE}" | egrep "^(1|true|yes)$") && UPLOAD_DATA=1
if [ ! -z "${FIND}" ]; then SETTING_UPLOAD=1; fi
FIND=$(echo "${VALUE}" | grep -E "^(1|true|yes)$") && UPLOAD_DATA=1
if [ -n "${FIND}" ]; then SETTING_UPLOAD=1; fi
Debug "Upload set to ${SETTING_UPLOAD}"
AddSetting "upload" "${SETTING_UPLOAD}" "Data upload after scanning"
unset SETTING_UPLOAD
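Review bot: `SETTING_UPLOAD=no # default` followed by `if [ -n "${FIND}" ]; then SETTING_UPLOAD=1; fi` means `AddSetting "upload" ...` records either `no` or `1`, mixing two value styles for one boolean. Pick one representation (for example `0`/`1`, matching `SETTING_SKIP_PLUGINS` and `VERBOSE` in the neighbouring branches) so consumers of the settings output do not have to special-case this key.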
@ -413,7 +469,7 @@
# Verbose output (--verbose)
verbose)
FIND=$(echo "${VALUE}" | egrep "^(1|true|yes)") && VERBOSE=1
FIND=$(echo "${VALUE}" | grep -E "^(1|true|yes)") && VERBOSE=1
Debug "Verbose set to ${VERBOSE}"
AddSetting "verbose" "${VERBOSE}" "Verbose output"
;;
@ -441,10 +497,14 @@
# Catch all bad options and bail out
*)
LogText "Unknown option ${OPTION} (with value: ${VALUE})"
${ECHOCMD} ""
${ECHOCMD} "${RED}Error${NORMAL}: found one or more errors in profile ${PROFILE}"
${ECHOCMD} "${WHITE}Details${NORMAL}: Unknown option '${YELLOW}${OPTION}${NORMAL}' found (with value: ${VALUE})"
${ECHOCMD} ""
${ECHOCMD:-echo} ""
${ECHOCMD:-echo} "${RED}Error${NORMAL}: found one or more errors in profile ${PROFILE}"
${ECHOCMD:-echo} ""
${ECHOCMD:-echo} ""
${ECHOCMD:-echo} "Full line: ${CONFIGOPTION}"
${ECHOCMD:-echo} "${WHITE}Details${NORMAL}: Unknown option '${YELLOW}${OPTION}${NORMAL}' found (with value: ${VALUE})"
${ECHOCMD:-echo} ""
ExitFatal
;;
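Review bot: the error block prints two consecutive empty lines (`${ECHOCMD:-echo} ""` twice between the Error line and `Full line:`), which looks unintended; one blank line between the summary and the detail lines is enough. The `${ECHOCMD:-echo}` fallback is a good change, since this branch can be reached before the echo command has been resolved. Consider also printing `Details:` before `Full line:`, so the reader sees the offending option name before the raw profile line.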
@ -456,12 +516,12 @@
#################################################################################
#
SKIP_TESTS=$(echo ${SKIP_TESTS} | sed "s/^ //")
if [ ! -z "${SKIP_TESTS}" ]; then LogText "Skip tests: ${SKIP_TESTS}"; fi
if [ -n "${SKIP_TESTS}" ]; then LogText "Skip tests: ${SKIP_TESTS}"; fi
#
#################################################################################
#
# Add group name to report - deprecated
if [ ! -z "${GROUP_NAME}" ]; then Report "group=${GROUP_NAME}"; fi
if [ -n "${GROUP_NAME}" ]; then Report "group=${GROUP_NAME}"; fi
#
#################################################################################
#
@ -488,8 +548,8 @@
#
#################################################################################
#
if [ ! -z "${DEPRECATED_OPTION}" ]; then
ReportWarning "LYNIS" "One or more deprecated options used" "${DEPRECATED_OPTION}" "Update your profile"
if [ -n "${DEPRECATED_OPTION}" ]; then
ReportWarning "GEN-0030" "One or more deprecated options used in profile" "${DEPRECATED_OPTION}" "Update your profile"
fi
#
#################################################################################
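Review bot: switching the first argument from `"LYNIS"` to `"GEN-0030"` is the right move, because the report code later builds a control URL from that identifier (`${CONTROL_URL_PREPEND}${ADDLINK}${CONTROL_URL_APPEND}`); make sure `GEN-0030` is registered as a control with a matching page, otherwise the warning will carry a dead link. The message text itself reads well.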
@ -497,7 +557,6 @@
Display --indent 2 --text "- Checking profiles..." --result "DONE" --color GREEN
LogTextBreak
#================================================================================
# Lynis - Security Auditing and System Hardening for Linux and UNIX - https://cisofy.com

View File

@ -6,7 +6,7 @@
# ------------------
#
# Copyright 2007-2013, Michael Boelen
# Copyright 2007-2019, CISOfy
# Copyright 2007-2020, CISOfy
#
# Website : https://cisofy.com
# Blog : http://linux-audit.com
@ -21,58 +21,83 @@
# Report
#
#################################################################################
#
# Add additional data fields to the report file at the end of the scan
Report "dhcp_client_running=${DHCP_CLIENT_RUNNING}"
Report "arpwatch_running=${ARPWATCH_RUNNING}"
# Report firewall installed for now, if we found one active. Next step would be determining binaries first and apply additional checks.
Report "firewall_active=${FIREWALL_ACTIVE}"
Report "firewall_empty_ruleset=${FIREWALL_EMPTY_RULESET}"
Report "firewall_installed=${FIREWALL_ACTIVE}"
if [ -n "${INSTALLED_PACKAGES}" ]; then Report "installed_packages_array=${INSTALLED_PACKAGES}"; fi
Report "package_audit_tool=${PACKAGE_AUDIT_TOOL}"
Report "package_audit_tool_found=${PACKAGE_AUDIT_TOOL_FOUND}"
Report "vulnerable_packages_found=${VULNERABLE_PACKAGES_FOUND}"
#
#################################################################################
#
# Hardening Index
# Define approximately how strong a machine has been hardened
#
# Goal:
# Provide a visual way to show how much the system is hardened
#
# Important:
# The index gives a simplified version of the measures taken on the system.
# It should be used to get a first impression about the state of the system or to compare similar systems.
# Getting the maximum score (100 or full bar) does not indicate that the system is fully secured.
# If no hardening has been found, set value to 1
if [ ${HPPOINTS} -eq 0 ]; then HPPOINTS=1; HPTOTAL=100; fi
HPINDEX=$((HPPOINTS * 100 / HPTOTAL))
HPAOBLOCKS=$((HPPOINTS * 20 / HPTOTAL))
# Set color related to rating
if [ ${HPINDEX} -lt 50 ]; then
HPCOLOR="${RED}"
HIDESCRIPTION="System has not or a low amount been hardened"
elif [ ${HPINDEX} -gt 49 -a ${HPINDEX} -lt 80 ]; then
HPCOLOR="${YELLOW}"
HIDESCRIPTION="System has been hardened, but could use additional hardening"
elif [ ${HPINDEX} -gt 79 -a ${HPINDEX} -lt 90 ]; then
HPCOLOR="${GREEN}"
HIDESCRIPTION="System seem to be decent hardened"
elif [ ${HPINDEX} -gt 89 ]; then
HPCOLOR="${GREEN}"
HIDESCRIPTION="System seem to be well hardened"
fi
case ${HPAOBLOCKS} in
0) HPBLOCKS="#"; HPEMPTY=" " ;;
1) HPBLOCKS="#"; HPEMPTY=" " ;;
2) HPBLOCKS="##"; HPEMPTY=" " ;;
3) HPBLOCKS="###"; HPEMPTY=" " ;;
4) HPBLOCKS="####"; HPEMPTY=" " ;;
5) HPBLOCKS="#####"; HPEMPTY=" " ;;
6) HPBLOCKS="######"; HPEMPTY=" " ;;
7) HPBLOCKS="#######"; HPEMPTY=" " ;;
8) HPBLOCKS="########"; HPEMPTY=" " ;;
9) HPBLOCKS="#########"; HPEMPTY=" " ;;
10) HPBLOCKS="##########"; HPEMPTY=" " ;;
11) HPBLOCKS="###########"; HPEMPTY=" " ;;
12) HPBLOCKS="############"; HPEMPTY=" " ;;
13) HPBLOCKS="#############"; HPEMPTY=" " ;;
14) HPBLOCKS="##############"; HPEMPTY=" " ;;
15) HPBLOCKS="###############"; HPEMPTY=" " ;;
16) HPBLOCKS="################"; HPEMPTY=" " ;;
17) HPBLOCKS="#################"; HPEMPTY=" " ;;
18) HPBLOCKS="##################"; HPEMPTY=" " ;;
19) HPBLOCKS="###################"; HPEMPTY=" " ;;
20) HPBLOCKS="####################"; HPEMPTY="" ;;
esac
HPGRAPH="[${HPCOLOR}${HPBLOCKS}${NORMAL}${HPEMPTY}]"
LogText "Hardening index : [${HPINDEX}] [${HPBLOCKS}${HPEMPTY}]"
LogText "Hardening strength: ${HIDESCRIPTION}"
# If no hardening has been found, set value to 1
if [ ${HPPOINTS} -eq 0 ]; then HPPOINTS=1; HPTOTAL=100; fi
HPINDEX=$((HPPOINTS * 100 / HPTOTAL))
HPAOBLOCKS=$((HPPOINTS * 20 / HPTOTAL))
# Set color related to rating
if [ ${HPINDEX} -lt 50 ]; then
HPCOLOR="${RED}"
HIDESCRIPTION="System has not or a low amount been hardened"
elif [ ${HPINDEX} -gt 49 -a ${HPINDEX} -lt 80 ]; then
HPCOLOR="${YELLOW}"
HIDESCRIPTION="System has been hardened, but could use additional hardening"
elif [ ${HPINDEX} -gt 79 -a ${HPINDEX} -lt 90 ]; then
HPCOLOR="${GREEN}"
HIDESCRIPTION="System seem to be decent hardened"
elif [ ${HPINDEX} -gt 89 ]; then
HPCOLOR="${GREEN}"
HIDESCRIPTION="System seem to be well hardened"
fi
case ${HPAOBLOCKS} in
0) HPBLOCKS="#"; HPEMPTY=" " ;;
1) HPBLOCKS="#"; HPEMPTY=" " ;;
2) HPBLOCKS="##"; HPEMPTY=" " ;;
3) HPBLOCKS="###"; HPEMPTY=" " ;;
4) HPBLOCKS="####"; HPEMPTY=" " ;;
5) HPBLOCKS="#####"; HPEMPTY=" " ;;
6) HPBLOCKS="######"; HPEMPTY=" " ;;
7) HPBLOCKS="#######"; HPEMPTY=" " ;;
8) HPBLOCKS="########"; HPEMPTY=" " ;;
9) HPBLOCKS="#########"; HPEMPTY=" " ;;
10) HPBLOCKS="##########"; HPEMPTY=" " ;;
11) HPBLOCKS="###########"; HPEMPTY=" " ;;
12) HPBLOCKS="############"; HPEMPTY=" " ;;
13) HPBLOCKS="#############"; HPEMPTY=" " ;;
14) HPBLOCKS="##############"; HPEMPTY=" " ;;
15) HPBLOCKS="###############"; HPEMPTY=" " ;;
16) HPBLOCKS="################"; HPEMPTY=" " ;;
17) HPBLOCKS="#################"; HPEMPTY=" " ;;
18) HPBLOCKS="##################"; HPEMPTY=" " ;;
19) HPBLOCKS="###################"; HPEMPTY=" " ;;
20) HPBLOCKS="####################"; HPEMPTY="" ;;
esac
HPGRAPH="[${HPCOLOR}${HPBLOCKS}${NORMAL}${HPEMPTY}]"
LogText "Hardening index : [${HPINDEX}] [${HPBLOCKS}${HPEMPTY}]"
LogText "Hardening strength: ${HIDESCRIPTION}"
#
#################################################################################
#
# Only show overview if not running in quiet mode
if [ ${QUIET} -eq 0 ]; then
echo ""; echo "================================================================================"
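Review bot: the hardening-index block is re-indented wholesale, so the only functional additions in this hunk (the six `Report` lines for `dhcp_client_running`, `arpwatch_running`, the firewall fields, `installed_packages_array`, and the package-audit fields) are buried in a whitespace change; splitting the re-indent into its own commit would make this reviewable. On the content: `Report "firewall_installed=${FIREWALL_ACTIVE}"` conflates "installed" with "active" (the comment above it admits this), so a host with a firewall package but an inactive service will be reported as not installed; report a dedicated installed flag or drop the field until one exists. Also note that `HPINDEX=$((HPPOINTS * 100 / HPTOTAL))` is only guarded for `HPPOINTS -eq 0`; if `HPTOTAL` were ever 0 with non-zero points the arithmetic would fail, so guarding on `HPTOTAL` is the safer check.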
@ -84,19 +109,14 @@
LogTextBreak
#
#################################################################################
#
# Show test results overview
#
#################################################################################
#
if [ "${CONTROL_URL_PROTOCOL}" = "" ]; then CONTROL_URL_PROTOCOL="https"; fi
if [ "${CONTROL_URL_PREPEND}" = "" ]; then CONTROL_URL_PREPEND="cisofy.com/lynis/controls/"; fi
if [ "${CONTROL_URL_APPEND}" = "" ]; then CONTROL_URL_APPEND="/"; fi
if [ "${CUSTOM_URL_PROTOCOL}" = "" ]; then CUSTOM_URL_PROTOCOL="https"; fi
if [ "${CUSTOM_URL_PREPEND}" = "" ]; then CUSTOM_URL_PREPEND="your-domain.example.org/controls/"; fi
if [ "${CUSTOM_URL_APPEND}" = "" ]; then CUSTOM_URL_APPEND="/"; fi
if [ -z "${CONTROL_URL_PROTOCOL}" ]; then CONTROL_URL_PROTOCOL="https"; fi
if [ -z "${CONTROL_URL_PREPEND}" ]; then CONTROL_URL_PREPEND="cisofy.com/lynis/controls/"; fi
if [ -z "${CONTROL_URL_APPEND}" ]; then CONTROL_URL_APPEND="/"; fi
if [ -z "${CUSTOM_URL_PROTOCOL}" ]; then CUSTOM_URL_PROTOCOL="https"; fi
if [ -z "${CUSTOM_URL_PREPEND}" ]; then CUSTOM_URL_PREPEND="your-domain.example.org/controls/"; fi
if [ -z "${CUSTOM_URL_APPEND}" ]; then CUSTOM_URL_APPEND="/"; fi
# Show warnings from logfile
SWARNINGS=$(${GREPBINARY} 'Warning: ' ${LOGFILE} | sed 's/ /!space!/g')
@ -119,7 +139,7 @@
done
IS_CUSTOM=$(echo ${ADDLINK} | grep "^CUST")
echo " ${RED}!${NORMAL} ${SHOWWARNING}"
if [ ! "${DETAILS}" = "-" -a ! -z "${DETAILS}" ]; then echo " - Details : ${CYAN}${DETAILS}${NORMAL}"; fi
if [ ! "${DETAILS}" = "-" -a -n "${DETAILS}" ]; then echo " - Details : ${CYAN}${DETAILS}${NORMAL}"; fi
if [ ${SHOW_REPORT_SOLUTION} -eq 1 -a ! "${SOLUTION}" = "-" ]; then echo " - Solution : ${SOLUTION}"; fi
if [ -z "${IS_CUSTOM}" ]; then
echo " ${CONTROL_URL_PROTOCOL}://${CONTROL_URL_PREPEND}${ADDLINK}${CONTROL_URL_APPEND}"
@ -152,7 +172,7 @@
done
IS_CUSTOM=$(echo ${ADDLINK} | grep "^CUST")
echo " ${YELLOW}*${NORMAL} ${SHOWSUGGESTION}"
if [ ! "${DETAILS}" = "-" -a ! -z "${DETAILS}" ]; then echo " - Details : ${CYAN}${DETAILS}${NORMAL}"; fi
if [ ! "${DETAILS}" = "-" -a -n "${DETAILS}" ]; then echo " - Details : ${CYAN}${DETAILS}${NORMAL}"; fi
if [ ${SHOW_REPORT_SOLUTION} -eq 1 -a ! "${SOLUTION}" = "-" ]; then echo " - Solution : ${SOLUTION}"; fi
if [ -z "${IS_CUSTOM}" ]; then
echo " ${GRAY}${CONTROL_URL_PROTOCOL}://${CONTROL_URL_PREPEND}${ADDLINK}${CONTROL_URL_APPEND}${NORMAL}"
@ -178,7 +198,11 @@
echo ""
echo " ${CYAN}Hardening index${NORMAL} : ${WHITE}${HPINDEX}${NORMAL} ${HPGRAPH}"
echo " ${CYAN}Tests performed${NORMAL} : ${WHITE}${CTESTS_PERFORMED}${NORMAL}"
if [ ${SKIP_PLUGINS} -eq 0 ]; then echo " ${CYAN}Plugins enabled${NORMAL} : ${WHITE}${N_PLUGIN_ENABLED}${NORMAL}"; fi
if [ ${SKIP_PLUGINS} -eq 0 ]; then
echo " ${CYAN}Plugins enabled${NORMAL} : ${WHITE}${N_PLUGIN_ENABLED}${NORMAL}"
else
echo " ${CYAN}Plugins enabled${NORMAL} : ${WHITE}Skipped${NORMAL}"
fi
echo ""
echo " ${WHITE}Components${NORMAL}:"
if [ ${FIREWALL_ACTIVE} -eq 1 ]; then FIREWALL="${GREEN}V"; else FIREWALL="${RED}X"; fi
@ -191,15 +215,31 @@
echo " - Malware scanner [${MALWARE}${NORMAL}]"
echo ""
echo " ${SECTION}Lynis Modules${NORMAL}:"
echo " ${SECTION}Scan mode${NORMAL}:"
if [ ${DEVOPS_MODE} -eq 1 ]; then
echo " Normal [ ] Forensics [ ] Integration [V] Pentest [ ]"
elif [ ${FORENSICS_MODE} -eq 1 ]; then
echo " Normal [ ] Forensics [V] Integration [ ] Pentest [ ]"
elif [ ${PENTESTINGMODE} -eq 1 ]; then
if [ ${PRIVILEGED} -eq 0 ]; then
echo " Normal [ ] Forensics [ ] Integration [ ] Pentest [V] (running non-privileged)"
else
echo " Normal [ ] Forensics [ ] Integration [ ] Pentest [V] (running privileged)"
fi
else
echo " Normal [V] Forensics [ ] Integration [ ] Pentest [ ]"
fi
echo ""
echo " ${SECTION}Lynis modules${NORMAL}:"
if [ ${COMPLIANCE_TESTS_PERFORMED} -eq 1 ]; then
if [ ${COMPLIANCE_FINDINGS_FOUND} -eq 0 ]; then COMPLIANCE="${GREEN}V"; else COMPLIANCE="${RED}X"; fi
else
COMPLIANCE="${YELLOW}?"
fi
echo " - Compliance Status [${COMPLIANCE}${NORMAL}]"
echo " - Security Audit [${GREEN}V${NORMAL}]"
echo " - Vulnerability Scan [${GREEN}V${NORMAL}]"
echo " - Compliance status [${COMPLIANCE}${NORMAL}]"
echo " - Security audit [${GREEN}V${NORMAL}]"
echo " - Vulnerability scan [${GREEN}V${NORMAL}]"
echo ""
echo " ${SECTION}Files${NORMAL}:"
echo " - Test and debug information : ${WHITE}${LOGFILE}${NORMAL}"
@ -221,7 +261,7 @@
if [ ! "${PROGRAM_LV}" = "0" -a ! "${REPORTFILE}" = "" -a ! "${REPORTFILE}" = "/dev/null" ]; then
# Determine if the quality of the program can be increased by filtering out the exceptions
FIND=$(${GREPBINARY} "^exception" ${REPORTFILE})
if [ ! "${FIND}" = "" ]; then
if [ -n "${FIND}" ]; then
echo ""
echo " ${RED}${NOTE_EXCEPTIONS_FOUND}${NORMAL}"
echo " ${WHITE}${NOTE_EXCEPTIONS_FOUND_DETAILED}!${NORMAL}"
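Review bot: `if [ -n "${FIND}" ]; then` is the right replacement, but the condition on the line above it still uses the old style (`! "${REPORTFILE}" = ""`); for consistency within the same hunk that can become `-n "${REPORTFILE}"`. Minor: `${GREPBINARY} "^exception" ${REPORTFILE}` leaves the path unquoted.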

View File

@ -6,7 +6,7 @@
# ------------------
#
# Copyright 2007-2013, Michael Boelen
# Copyright 2007-2019, CISOfy
# Copyright 2007-2020, CISOfy
#
# Website : https://cisofy.com
# Blog : http://linux-audit.com
@ -42,7 +42,7 @@
Display --indent 2 --text "- Checking accounting information" --result "${STATUS_NOT_FOUND}" --color YELLOW
LogText "Result: No accounting information available"
LogText "Remark: Possibly there is another location where the accounting data is stored"
ReportSuggestion ${TEST_NO} "Enable process accounting"
ReportSuggestion "${TEST_NO}" "Enable process accounting"
AddHP 2 3
fi
fi
@ -61,7 +61,7 @@
Display --indent 2 --text "- Checking accounting information" --result "${STATUS_NOT_FOUND}" --color YELLOW
LogText "Result: No accounting information available"
LogText "Remark: Possibly there is another location where the accounting data is stored"
ReportSuggestion ${TEST_NO} "Enable process accounting"
ReportSuggestion "${TEST_NO}" "Enable process accounting"
AddHP 2 3
fi
fi
@ -90,7 +90,7 @@
Display --indent 2 --text "- Checking accounting information" --result "${STATUS_NOT_FOUND}" --color YELLOW
LogText "Result: No accounting information available (${ROOTDIR}var/account/pacct, ${ROOTDIR}var/log/account/pact nor ${ROOTDIR}var/log/pact exist)"
LogText "Remark: Possibly there is another location where the accounting data is stored"
ReportSuggestion ${TEST_NO} "Enable process accounting"
ReportSuggestion "${TEST_NO}" "Enable process accounting"
AddHP 2 3
fi
fi
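Review bot: the log line in this hunk's context names `${ROOTDIR}var/log/account/pact` and `${ROOTDIR}var/log/pact` next to `${ROOTDIR}var/account/pacct`; please verify these match the paths the test actually checks, since a message that names the wrong files makes the "not found" result hard to act on. The `"${TEST_NO}"` quoting change itself is fine.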
@ -105,28 +105,28 @@
if [ -f ${ROOTDIR}etc/default/sysstat ]; then
LogText "Result: ${ROOTDIR}etc/default/sysstat found"
FIND=$(${GREPBINARY} "^ENABLED" ${ROOTDIR}etc/default/sysstat | ${GREPBINARY} -i true)
if [ ! -z "${FIND}" ]; then
if [ -n "${FIND}" ]; then
LogText "Result: sysstat enabled via ${ROOTDIR}etc/default/sysstat"
Display --indent 2 --text "- Checking sysstat accounting data" --result "${STATUS_ENABLED}" --color GREEN
else
LogText "Result: sysstat disabled via ${ROOTDIR}etc/default/sysstat"
Display --indent 2 --text "- Checking sysstat accounting data" --result "${STATUS_DISABLED}" --color WHITE
ReportSuggestion ${TEST_NO} "Enable sysstat to collect accounting (disabled)"
ReportSuggestion "${TEST_NO}" "Enable sysstat to collect accounting (disabled)"
fi
elif [ -f ${ROOTDIR}etc/cron.d/sysstat ]; then
FIND=$(${GREPBINARY} -v '^[[:space:]]*\(#\|$\)' ${ROOTDIR}etc/cron.d/sysstat)
if [ ! -z "${FIND}" ]; then
if [ -n "${FIND}" ]; then
LogText "Result: sysstat enabled via ${ROOTDIR}etc/cron.d/sysstat"
Display --indent 2 --text "- Checking sysstat accounting data" --result "${STATUS_ENABLED}" --color GREEN
else
LogText "Result: sysstat disabled via ${ROOTDIR}etc/cron.d/sysstat"
Display --indent 2 --text "- Checking sysstat accounting data" --result "${STATUS_DISABLED}" --color WHITE
ReportSuggestion ${TEST_NO} "Enable sysstat to collect accounting (cron disabled)"
ReportSuggestion "${TEST_NO}" "Enable sysstat to collect accounting (cron disabled)"
fi
else
LogText "Result: sysstat not found via ${ROOTDIR}etc/default/sysstat or ${ROOTDIR}etc/cron.d/sysstat"
Display --indent 2 --text "- Checking sysstat accounting data" --result "${STATUS_NOT_FOUND}" --color YELLOW
ReportSuggestion ${TEST_NO} "Enable sysstat to collect accounting (no results)"
ReportSuggestion "${TEST_NO}" "Enable sysstat to collect accounting (no results)"
fi
fi
#
@ -134,13 +134,12 @@
#
# Test : ACCT-9628
# Description : Check auditd status
if [ ! -z "${AUDITDBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
if [ -n "${AUDITDBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no ACCT-9628 --os Linux --weight L --network NO --category security --description "Check for auditd"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Check auditd status"
# Should not get kauditd
IsRunning auditd
if [ ${RUNNING} -eq 1 ]; then
if IsRunning "auditd"; then
LogText "Result: auditd running"
Display --indent 2 --text "- Checking auditd" --result "${STATUS_ENABLED}" --color GREEN
LINUX_AUDITD_RUNNING=1
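Review bot: `if IsRunning "auditd"; then` changes the contract from reading `${RUNNING}` to relying on the function's exit status; the function definition is not in this diff, so confirm that `IsRunning` returns non-zero when the process is absent and that every remaining caller was converted, otherwise a stale `RUNNING` value would no longer be consulted anywhere and the check silently degrades. The `# Should not get kauditd` comment above still applies to the new form and is worth keeping.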
@ -152,7 +151,7 @@
LogText "Result: auditd not active"
Display --indent 2 --text "- Checking auditd" --result "${STATUS_NOT_FOUND}" --color WHITE
if [ ! "${VMTYPE}" = "openvz" ]; then
ReportSuggestion ${TEST_NO} "Enable auditd to collect audit information"
ReportSuggestion "${TEST_NO}" "Enable auditd to collect audit information"
fi
AddHP 0 1
Report "linux_auditd_running=0"
@ -163,7 +162,7 @@
#
# Test : ACCT-9630
# Description : Check auditd rules
if [ ! -z "${AUDITDBINARY}" -a ! -z "${AUDITCTLBINARY}" -a ${LINUX_AUDITD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
if [ -n "${AUDITDBINARY}" -a -n "${AUDITCTLBINARY}" -a ${LINUX_AUDITD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no ACCT-9630 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --root-only YES --category security --description "Check for auditd rules"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking auditd rules"
@ -172,7 +171,7 @@
LogText "Result: auditd rules empty"
Display --indent 4 --text "- Checking audit rules" --result "${STATUS_SUGGESTION}" --color YELLOW
AddHP 0 2
ReportSuggestion ${TEST_NO} "Audit daemon is enabled with an empty ruleset. Disable the daemon or define rules"
ReportSuggestion "${TEST_NO}" "Audit daemon is enabled with an empty ruleset. Disable the daemon or define rules"
else
LogText "Result: found auditd rules"
Display --indent 4 --text "- Checking audit rules" --result "${STATUS_OK}" --color GREEN
@ -189,7 +188,7 @@
#
# Test : ACCT-9632
# Description : Check auditd configuration file
if [ ! -z "${AUDITDBINARY}" -a ${LINUX_AUDITD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
if [ -n "${AUDITDBINARY}" -a ${LINUX_AUDITD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no ACCT-9632 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for auditd configuration file"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking auditd configuration file"
@ -202,12 +201,12 @@
fi
done
# Check if we discovered the configuration file. It should be there is the binaries are available and process is running
if [ ! -z "${AUDITD_CONF_FILE}" ]; then
if [ -n "${AUDITD_CONF_FILE}" ]; then
Display --indent 4 --text "- Checking audit configuration file" --result "${STATUS_OK}" --color GREEN
else
LogText "Result: could not find auditd configuration file"
Display --indent 4 --text "- Checking audit configuration file" --result "${STATUS_FOUND}" --color RED
ReportSuggestion ${TEST_NO} "Determine the location of auditd configuration file"
ReportSuggestion "${TEST_NO}" "Determine the location of auditd configuration file"
fi
fi
#
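Review bot: the else branch displays `--result "${STATUS_FOUND}" --color RED` when the auditd configuration file could not be found, which contradicts the log line just above it (`Result: could not find auditd configuration file`); this should be `${STATUS_NOT_FOUND}`. The context comment also has a typo: "It should be there is the binaries are available" reads better as "It should be there if the binaries are available".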
@ -215,12 +214,12 @@
#
# Test : ACCT-9634
# Description : Check auditd log file
if [ ! -z "${AUDITDBINARY}" -a ${LINUX_AUDITD_RUNNING} -eq 1 -a ! -z "${AUDITD_CONF_FILE}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
if [ -n "${AUDITDBINARY}" -a ${LINUX_AUDITD_RUNNING} -eq 1 -a -n "${AUDITD_CONF_FILE}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no ACCT-9634 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for auditd log file"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking auditd log file"
FIND=$(${GREPBINARY} "^log_file" ${AUDITD_CONF_FILE} | ${AWKBINARY} '{ if ($1=="log_file" && $2=="=") { print $3 } }')
if [ ! -z "${FIND}" ]; then
if [ -n "${FIND}" ]; then
LogText "Result: log file is defined"
LogText "Defined value: ${FIND}"
if [ -f ${FIND} ]; then
@ -230,12 +229,12 @@
else
LogText "Result: can't find log file ${FIND} on disk"
Display --indent 4 --text "- Checking auditd log file" --result "${STATUS_SUGGESTION}" --color YELLOW
ReportSuggestion ${TEST_NO} "Check auditd log file location"
ReportSuggestion "${TEST_NO}" "Check auditd log file location"
fi
else
LogText "Result: no log file found"
Display --indent 4 --text "- Checking auditd log file" --result "${STATUS_WARNING}" --color RED
ReportWarning ${TEST_NO} "Auditd log file is defined but can not be found on disk"
ReportWarning "${TEST_NO}" "Auditd log file is defined but can not be found on disk"
fi
fi
#
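Review bot: the two failure messages in this hunk are swapped. The inner branch (a `log_file` value was parsed but `-f ${FIND}` fails) logs "can't find log file ${FIND} on disk" yet only raises a suggestion to "Check auditd log file location", while the outer else (no `log_file` directive at all) logs "no log file found" but raises the warning "Auditd log file is defined but can not be found on disk". Move the warning to the inner branch and give the outer one a message such as "No log_file defined in auditd configuration". Also quote the path in `if [ -f ${FIND} ]`.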
@ -252,14 +251,14 @@
if [ -f ${ROOTDIR}etc/ld.so.preload ]; then
LogText "Result: found ${ROOTDIR}etc/ld.so.preload, testing if snoopy.so is listed"
FIND=$(${GREPBINARY} ${FILE} ${ROOTDIR}etc/ld.so.preload)
if [ ! -z "${FIND}" ]; then
if [ -n "${FIND}" ]; then
LogText "Result: found snoopy in ld.so.preload"
LogText "Output: ${FIND}"
Display --indent 6 --text "- Library in ld.so.preload" --result "LOADED" --color GREEN
Report "audit_trail_tool[]=snoopy"
else
Display --indent 6 --text "- Library in ld.so.preload" --result "${STATUS_NOT_FOUND}" --color YELLOW
ReportSuggestion ${TEST_NO} "Snoopy is installed but not loaded via ${ROOTDIR}etc/ld.so.preload"
ReportSuggestion "${TEST_NO}" "Snoopy is installed but not loaded via ${ROOTDIR}etc/ld.so.preload"
AddHP 3 3
fi
else
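Review bot: the branch where snoopy is installed but not listed in `ld.so.preload` still awards full points with `AddHP 3 3`, so a host that installed the tool without enabling it scores the same as one where it is active; use `AddHP 0 3` (or a partial score) there so the hardening index reflects that the audit trail is not actually being captured. Separately, `${GREPBINARY} ${FILE} ${ROOTDIR}etc/ld.so.preload` passes `${FILE}` as an unquoted regex; `-F` with quotes would match the literal path.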
@ -277,8 +276,7 @@
Register --test-no ACCT-9650 --os Solaris --weight L --network NO --category security --description "Check Solaris audit daemon"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: check if audit daemon is running"
IsRunning auditd
if [ ${RUNNING} -eq 1 ]; then
if IsRunning "auditd"; then
LogText "Result: Solaris audit daemon is running"
SOLARIS_AUDITD_RUNNING=1
AUDIT_DAEMON_RUNNING=1
@ -298,7 +296,7 @@
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: check if auditd service is enabled and online"
FIND=$(${ROOTDIR}usr/bin/svcs svc:/system/auditd:default | ${GREPBINARY} "^online")
if [ ! -z "${FIND}" ]; then
if [ -n "${FIND}" ]; then
LogText "Result: auditd service is online"
Display --indent 4 --text "- Checking Solaris audit daemon status" --result "${STATUS_ON}"LINE --color GREEN
else
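Review bot: the context line `--result "${STATUS_ON}"LINE --color GREEN` looks like a botched search-and-replace of the literal `ONLINE`: the variable is expanded and then the bare word `LINE` is appended, so the screen shows `<value of STATUS_ON>LINE` instead of a status constant. Either use a dedicated `${STATUS_ONLINE}` (if defined) or the literal `"ONLINE"`; since this hunk already edits the neighbouring line it is a good opportunity to fix it.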
@ -317,7 +315,7 @@
LogText "Test: check if BSM is enabled in ${ROOTDIR}etc/system"
if [ -f ${ROOTDIR}etc/system ]; then
FIND=$(${GREPBINARY} 'set c2audit:audit_load = 1' ${ROOTDIR}etc/system)
if [ ! -z "${FIND}" ]; then
if [ -n "${FIND}" ]; then
LogText "Result: BSM is enabled in ${ROOTDIR}etc/system"
Display --indent 4 --text "- Checking Solaris BSM (${ROOTDIR}etc/system)" --result "${STATUS_ENABLED}" --color GREEN
else
@ -339,7 +337,7 @@
LogText "Test: check if c2audit module is active"
if [ -x ${ROOTDIR}usr/sbin/modinfo ]; then
FIND=$(${ROOTDIR}usr/sbin/modinfo | ${GREPBINARY} c2audit)
if [ ! -z "${FIND}" ]; then
if [ -n "${FIND}" ]; then
LogText "Result: c2audit found in modinfo output"
Display --indent 4 --text "- Checking Solaris BSM (modules list)" --result "${STATUS_ENABLED}" --color GREEN
else
@ -362,7 +360,7 @@
if [ -f ${ROOTDIR}etc/security/audit_control ]; then
LogText "Result: file ${ROOTDIR}etc/security/audit_control found"
FIND=$(${GREPBINARY} "^dir" ${ROOTDIR}etc/security/audit_control | ${AWKBINARY} -F: '{ print $2 }')
if [ ! -z "${FIND}" ]; then
if [ -n "${FIND}" ]; then
LogText "Result: found location ${FIND}"
LogText "Test: Checking if location is a valid directory"
if [ -d ${FIND} ]; then
@ -415,4 +413,4 @@ WaitForKeyPress
#
#================================================================================
# Lynis - Copyright 2007-2019, Michael Boelen / CISOfy - https://cisofy.com
# Lynis - Copyright 2007-2020, Michael Boelen / CISOfy - https://cisofy.com

View File

@ -6,7 +6,7 @@
# ------------------
#
# Copyright 2007-2013, Michael Boelen
# Copyright 2007-2019, CISOfy
# Copyright 2007-2020, CISOfy
#
# Website : https://cisofy.com
# Blog : http://linux-audit.com
@ -40,8 +40,13 @@
if [ ${SKIPTEST} -eq 0 ]; then
# Search accounts with UID 0
LogText "Test: Searching accounts with UID 0"
FIND=$(${GREPBINARY} ':0:' ${ROOTDIR}etc/passwd | ${EGREPBINARY} -v '^#|^root:|^(\+:\*)?:0:0:::' | ${CUTBINARY} -d ":" -f1,3 | ${GREPBINARY} ':0')
if [ ! -z "${FIND}" ]; then
# Check if device is a QNAP, as the root user is called admin, and not root
if [ ${QNAP_DEVICE} -eq 1 ]; then
FIND=$(${GREPBINARY} ':0:' ${ROOTDIR}etc/passwd | ${EGREPBINARY} -v '^#|^admin:|^(\+:\*)?:0:0:::' | ${CUTBINARY} -d ":" -f1,3 | ${GREPBINARY} ':0')
else
FIND=$(${GREPBINARY} ':0:' ${ROOTDIR}etc/passwd | ${EGREPBINARY} -v '^#|^root:|^(\+:\*)?:0:0:::' | ${CUTBINARY} -d ":" -f1,3 | ${GREPBINARY} ':0')
fi
if [ -n "${FIND}" ]; then
Display --indent 2 --text "- Administrator accounts" --result "${STATUS_WARNING}" --color RED
LogText "Result: Found more than one administrator accounts"
ReportWarning "${TEST_NO}" "Multiple users with UID 0 found in passwd file"
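Review bot: the QNAP branch duplicates the whole `grep | egrep -v | cut | grep` pipeline with only the excluded account name changed (`^admin:` versus `^root:`). Setting the expected superuser name once (e.g. `ADMIN_ACCOUNT="root"`, overridden to `admin` when `${QNAP_DEVICE} -eq 1`) and running a single pipeline with `"^#|^${ADMIN_ACCOUNT}:|^(\+:\*)?:0:0:::"` keeps the two paths from drifting apart the next time the regex is touched. The test still correctly flags any additional UID 0 account on either device type.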
@ -51,7 +56,7 @@
if [ "${USER}" = "toor" ]; then
LogText "BSD note: default there is a user 'toor' installed. This account is considered useless unless it"
LogText "is assigned a password and used for daily operations or emergencies. ie: bad shell for root user."
ReportSuggestion ${TEST_NO} "Use vipw to delete the 'toor' user if not used."
ReportSuggestion "${TEST_NO}" "Use vipw to delete the 'toor' user if not used."
fi
done
else
@ -82,7 +87,7 @@
Display --indent 2 --text "- Unique UIDs" --result "${STATUS_WARNING}" --color RED
LogText "Result: found multiple accounts with same UID"
LogText "Output (non-unique UIDs): ${FIND}"
ReportWarning ${TEST_NO} "Multiple accounts found with same UID"
ReportWarning "${TEST_NO}" "Multiple accounts found with same UID"
fi
else
Display --indent 2 --text "- Unique UIDs" --result "${STATUS_SKIPPED}" --color WHITE
@ -110,7 +115,7 @@
Display --indent 4 --text "- Checking consistency of /etc/group file" --result "${STATUS_WARNING}" --color RED
LogText "Result: chkgrp found some errors. Run the tool manually to see details."
LogText "chkgrp output: ${FIND}"
ReportWarning ${TEST_NO} "chkgrp reported inconsistencies in /etc/group file"
ReportWarning "${TEST_NO}" "chkgrp reported inconsistencies in /etc/group file"
fi
fi
#
@ -119,7 +124,7 @@
# Test : AUTH-9216
# Description : Check /etc/group and shadow group files
# Notes : Run grpck to test group files (most likely /etc/group and shadow group files)
if [ ! -z "${GRPCKBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
if [ -n "${GRPCKBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no AUTH-9216 --preqs-met ${PREQS_MET} --weight L --network NO --root-only YES --category security --description "Check group and shadow group files"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking for grpck binary output"
@ -142,7 +147,7 @@
LogText "Result: grpck binary didn't find any errors in the group files"
else
Display --indent 2 --text "- Consistency of group files (grpck)" --result "${STATUS_WARNING}" --color RED
ReportWarning ${TEST_NO} "grpck binary found errors in one or more group files"
ReportWarning "${TEST_NO}" "grpck binary found errors in one or more group files"
fi
unset FIND
fi
@ -152,51 +157,7 @@
# Test : AUTH-9218
# Description : Check login shells for passwordless accounts
# Notes : Results should be checked
Register --test-no AUTH-9218 --os FreeBSD --weight L --network NO --category security --description "Check login shells for passwordless accounts"
if [ ${SKIPTEST} -eq 0 ]; then
FOUND=0
LogText "Test: Checking login shells"
if [ -f ${ROOTDIR}etc/master.passwd ]; then
# Check for all shells, except: (/usr)/sbin/nologin /nonexistent
FIND=$(${GREPBINARY} "[a-z]:\*:" /etc/master.passwd | ${EGREPBINARY} -v '^#|/sbin/nologin|/usr/sbin/nologin|/nonexistent' | ${SEDBINARY} 's/ /!space!/g')
if [ "${FIND}" = "" ]; then
Display --indent 2 --text "- Login shells" --result "${STATUS_OK}" --color GREEN
else
Display --indent 2 --text "- Login shells" --result "${STATUS_WARNING}" --color RED
for LINE in ${FIND}; do
LINE=$(echo ${LINE} | ${SEDBINARY} 's/!space!/ /g')
SHELL=$(echo ${LINE} | ${AWKBINARY} -F: '{ print $10 }')
LogText "Output: ${LINE}"
if [ -z "${SHELL}" ]; then
LogText "Result: found no shell on line"
else
LogText "Result: found possible harmful shell ${SHELL}"
if [ -f ${SHELL} ]; then
LogText "Result: shell ${SHELL} does exist"
FOUND=1
else
LogText "Result: shell ${SHELL} does not exist"
ReportSuggestion ${TEST_NO} "Determine if account is needed, as shell ${SHELL} does not exist"
fi
fi
done
if [ ${FOUND} -eq 1 ]; then
ReportWarning ${TEST_NO} "Possible harmful shell found (for passwordless account!)"
fi
fi
else
Display --indent 2 --text "- Login shells" --result "${STATUS_SKIPPED}" --color WHITE
LogText "Result: No /etc/master.passwd file found"
fi
unset LINE SHELL
fi
#
#################################################################################
#
# Test : AUTH-9489
# Description : Check login shells for passwordless accounts
# Notes : Results should be checked
Register --test-no AUTH-9489 --os DragonFly --weight L --network NO --category security --description "Check login shells for passwordless accounts"
Register --test-no AUTH-9218 --os "DragonFly FreeBSD NetBSD OpenBSD" --root-only YES --weight L --network NO --category security --description "Check login shells for passwordless accounts"
if [ ${SKIPTEST} -eq 0 ]; then
FOUND=0
LogText "Test: Checking login shells"
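Review bot: merging AUTH-9489 into AUTH-9218 removes a test identifier that users may reference in `skip-test=` profile entries or in external reporting; please record the removal in the changelog so DragonFly users know which ID to use now. The new registration `--os "DragonFly FreeBSD NetBSD OpenBSD"` relies on `Register` accepting a space-separated OS list, which is not visible in this diff, so double-check that the option is matched per word rather than as a single string. Adding `--root-only YES` is appropriate, since `master.passwd` is not world-readable.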
@ -220,12 +181,12 @@
FOUND=1
else
LogText "Result: shell ${SHELL} does not exist"
ReportSuggestion ${TEST_NO} "Determine if account is needed, as shell ${SHELL} does not exist"
ReportSuggestion "${TEST_NO}" "Determine if account is needed, as shell ${SHELL} does not exist"
fi
fi
done
if [ ${FOUND} -eq 1 ]; then
ReportWarning ${TEST_NO} "Possible harmful shell found (for passwordless account!)"
ReportWarning "${TEST_NO}" "Possible harmful shell found (for passwordless account!)"
fi
fi
else
@ -254,7 +215,7 @@
Report "auth_groups_nonunique[]=${I}"
LogText "Non-unique group: ${I}"
done
ReportSuggestion ${TEST_NO} "Check your /etc/group file and correct any inconsistencies"
ReportSuggestion "${TEST_NO}" "Check your /etc/group file and correct any inconsistencies"
fi
fi
#
@ -278,7 +239,7 @@
Report "auth_groups_nonunique[]=${I}"
LogText "Non-unique group: ${I}"
done
ReportSuggestion ${TEST_NO} "Check your ${ROOTDIR}etc/group file and correct any inconsistencies"
ReportSuggestion "${TEST_NO}" "Check your ${ROOTDIR}etc/group file and correct any inconsistencies"
fi
fi
#
@ -297,7 +258,7 @@
FIND=$(${ROOTDIR}usr/sbin/pwck -q -r 2> /dev/null; echo $?)
TESTED=1
;;
"Solaris")
"Solaris" | "HP-UX")
FIND=$(${ROOTDIR}usr/sbin/pwck 2> /dev/null; echo $?)
TESTED=1
;;
@ -314,19 +275,138 @@
else
Display --indent 2 --text "- Password file consistency" --result "${STATUS_SUGGESTION}" --color YELLOW
LogText "Result: pwck found one or more errors/warnings in the password file."
ReportSuggestion ${TEST_NO} "Run pwck manually and correct any errors in the password file"
ReportSuggestion "${TEST_NO}" "Run pwck manually and correct any errors in the password file"
AddHP 0 2
fi
fi
#
#################################################################################
#
# Test : AUTH-9229
# Description : Check password hashing methods vs. recommendations in crypt(5)
# Notes : Applicable to all Unix-like OS
# Requires read access to /etc/shadow (if it exists)
ParsePasswordEntry() {
METHOD=$1
case ${METHOD} in
1:\* | 1:x | 0: | *:!* | *LOCK*)
# disabled | shadowed | no password | locked account (can be literal *LOCK* or something like LOCKED)
;;
*:\$5\$*| *:\$6\$*)
# sha256crypt | sha512crypt: check number of rounds, should be >5000
ROUNDS=$(echo "${METHOD}" | sed -n 's/.*rounds=\([0-9]*\)\$.*/\1/gp')
if [ -z "${ROUNDS}" ]; then
echo 'sha256crypt/sha512crypt(default<=5000rounds)'
elif [ "${ROUNDS}" -le 5000 ]; then
echo 'sha256crypt/sha512crypt(<=5000rounds)'
fi
;;
*:\$y\$* | *:\$gy\$* | *:\$2b\$* | *:\$7\$*)
# yescrypt | gost-yescrypt | bcrypt | scrypt
;;
*:_*)
echo bsdicrypt
;;
*:\$1\$*)
echo md5crypt
;;
*:\$3\$*)
echo NT
;;
*:\$md5*)
echo SunMD5
;;
*:\$sha1*)
echo sha1crypt
;;
13:* | 178:*)
echo bigcrypt/descrypt
;;
*)
echo "Unknown password hashing method ${METHOD}. Please report to lynis-dev@cisofy.com"
;;
esac
}
Register --test-no AUTH-9229 --root-only YES --weight L --network NO --category security --description "Check password hashing methods"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking password hashing methods"
SHADOW="";
if [ -e ${ROOTDIR}etc/shadow ]; then SHADOW="${ROOTDIR}etc/shadow"; fi
FIND=$(${CAT_BINARY} ${ROOTDIR}etc/passwd ${SHADOW} | ${AWKBINARY} -F : '{print length($2) ":" $2 }' | while read METHOD; do
ParsePasswordEntry ${METHOD}
done | ${SORTBINARY} -u | ${TRBINARY} '\n' ' ')
if [ -z "${FIND}" ]; then
Display --indent 2 --text "- Password hashing methods" --result "${STATUS_OK}" --color GREEN
LogText "Result: no poor password hashing methods found"
AddHP 2 2
else
Display --indent 2 --text "- Password hashing methods" --result "${STATUS_SUGGESTION}" --color YELLOW
LogText "Result: poor password hashing methods found: ${FIND}"
ReportSuggestion "${TEST_NO}" "Check PAM configuration, add rounds if applicable and expire passwords to encrypt with new values"
AddHP 0 2
fi
fi
#
#################################################################################
#
# Test : AUTH-9230
# Description : Check group password hashing rounds in login.defs
# Notes : Applicable to all Unix-like OS
PREQS_MET="NO"
if [ -f ${ROOTDIR}etc/login.defs ]; then
PREQS_MET="YES"
fi
Register --test-no AUTH-9230 --preqs-met ${PREQS_MET} --root-only NO --weight L --network NO --category security --description "Check group password hashing rounds"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking SHA_CRYPT_MIN_ROUNDS option in ${ROOTDIR}etc/login.defs"
FIND=$(${GREPBINARY} "^SHA_CRYPT_MIN_ROUNDS" ${ROOTDIR}etc/login.defs | ${AWKBINARY} '{ if ($1=="SHA_CRYPT_MIN_ROUNDS") { print $2 } }')
if [ -z "${FIND}" -o "${FIND}" = "0" ]; then
LogText "Result: number of minimum rounds used by the encryption algorithm is not configured"
Display --indent 2 --text "- Checking minimum group password hashing rounds" --result "${STATUS_DISABLED}" --color YELLOW
ReportSuggestion "${TEST_NO}" "Configure minimum encryption algorithm rounds in /etc/login.defs"
AddHP 0 2
elif [ "${FIND}" -lt 5000 ]; then
LogText "Result: low number of minimum encryption algorithm rounds found: ${FIND}"
PASSWORD_MINIMUM_ROUNDS=${FIND}
Display --indent 2 --text "- Group password hashing rounds (minimum)" --result "${STATUS_SUGGESTION}" --color YELLOW
AddHP 1 2
else
LogText "Result: number of encryption algorithm rounds is ${FIND}"
PASSWORD_MINIMUM_ROUNDS=${FIND}
Display --indent 2 --text "- Group password hashing rounds (minimum)" --result CONFIGURED --color GREEN
AddHP 2 2
fi
LogText "Test: Checking SHA_CRYPT_MAX_ROUNDS option in ${ROOTDIR}etc/login.defs"
FIND=$(${GREPBINARY} "^SHA_CRYPT_MAX_ROUNDS" ${ROOTDIR}etc/login.defs | ${AWKBINARY} '{ if ($1=="SHA_CRYPT_MAX_ROUNDS") { print $2 } }')
if [ -z "${FIND}" -o "${FIND}" = "0" ]; then
LogText "Result: number of maximum rounds used by the encryption algorithm is not configured"
Display --indent 2 --text "- Checking maximum group password hashing rounds" --result "${STATUS_DISABLED}" --color YELLOW
ReportSuggestion "${TEST_NO}" "Configure maximum encryption algorithm rounds in /etc/login.defs"
AddHP 0 2
elif [ "${FIND}" -lt 10000 ]; then
LogText "Result: low number of maximum encryption algorithm rounds found: ${FIND}"
PASSWORD_MINIMUM_ROUNDS=${FIND}
Display --indent 2 --text "- Group password hashing rounds (maximum)" --result "${STATUS_SUGGESTION}" --color YELLOW
AddHP 1 2
else
LogText "Result: number of encryption algorithm rounds is ${FIND}"
PASSWORD_MINIMUM_ROUNDS=${FIND}
Display --indent 2 --text "- Group password hashing rounds (maximum)" --result CONFIGURED --color GREEN
AddHP 2 2
fi
fi
#
#################################################################################
#
# Test : AUTH-9234
# Description : Query user accounts
# Notes : AIX: 100+
# HPUX: 100+
# macOS doesn't have any user info in /etc/passwd, users are managed with opendirectoryd)
# OpenBSD/NetBSD: unknown
# OpenBSD/NetBSD: 1000-60000, excluding 32767 (default)
# Arch Linux / CentOS / Ubuntu: 1000+
Register --test-no AUTH-9234 --weight L --network NO --category security --description "Query user accounts"
if [ ${SKIPTEST} -eq 0 ]; then
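Review bot: In AUTH-9230 both SHA_CRYPT_MAX_ROUNDS branches assign `PASSWORD_MINIMUM_ROUNDS=${FIND}` (the "low number of maximum" branch and the CONFIGURED branch), overwriting the minimum recorded a few lines earlier; this reads as a copy-paste of the MIN block and should use a separate variable such as PASSWORD_MAXIMUM_ROUNDS. Two smaller points in AUTH-9229: the `*)` fallback echoes the full `${METHOD}` string, so an unrecognised entry places the raw password hash into FIND, which is then written to the log by `LogText "Result: poor password hashing methods found: ${FIND}"`; echoing only the length prefix or a fixed label avoids writing hashes to the log. And `ParsePasswordEntry ${METHOD}` is unquoted although entries such as `1:*` and `*:!*` contain glob characters, so the argument should be quoted. The AUTH-9234 notes also keep a stale line `OpenBSD/NetBSD: unknown` directly above the line that now states the range.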
@ -358,7 +438,7 @@
"macOS")
LogText "macOS real users output (ID = 0, or 500-599) using dscacheutil"
FIND_USERS=$(dscacheutil -q user | ${GREPBINARY} -A 3 -B 2 -e "^uid: 5[0-9][0-9]" | ${GREPBINARY} "^name: " | ${AWKBINARY} '{print $2}')
if [ ! -z "${FIND_USERS}" ]; then
if [ -n "${FIND_USERS}" ]; then
for FUSERNAME in ${FIND_USERS}; do
FDETAILS=$(dscacheutil -q user -a name ${FUSERNAME} | ${GREPBINARY} "^uid: " | ${AWKBINARY} '{print $2}')
FIND="${FUSERNAME},${FDETAILS} ${FIND}"
@ -368,9 +448,21 @@
fi
;;
"OpenBSD")
LogText "OpenBSD real users output (ID = 0, or 1000-60000, but not 32767):"
FIND=$(${AWKBINARY} -F: '($3 >= 1000 && $3 <= 60000 && $3 != 32767) || ($3 == 0) { print $1","$3 }' /etc/passwd)
"NetBSD"|"OpenBSD")
if [ -f ${ROOTDIR}etc/usermgmt.conf ]; then
UID_RANGE=$(${GREPBINARY} "^range" ${ROOTDIR}etc/usermgmt.conf | ${AWKBINARY} '{ sub(/\.\./, "-", $2); print $2 }')
fi
if [ -n "${UID_RANGE}" ]; then
LogText "Result: found configured user id range specified: ${UID_RANGE}"
UID_MIN=$(echo $UID_RANGE | ${AWKBINARY} -F- '{ print $1 }')
UID_MAX=$(echo $UID_RANGE | ${AWKBINARY} -F- '{ print $2 }')
else
UID_MIN=1000
UID_MAX=60000
LogText "Result: no configured user id range specified; using default ${UID_MIN}-${UID_MAX}"
fi
LogText "${OS} real users output (ID = 0, or ${UID_MIN}-${UID_MAX}, but not 32767):"
FIND=$(${AWKBINARY} -v UID_MIN="${UID_MIN}" -v UID_MAX="${UID_MAX}" -F: '($3 >= UID_MIN && $3 <= UID_MAX && $3 != 32767) || ($3 == 0) { print $1","$3 }' /etc/passwd)
;;
"Solaris")
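Review bot: UID_RANGE is not reset before `if [ -f ${ROOTDIR}etc/usermgmt.conf ]`, so a value left over from earlier in the run is reused when the file is absent and the default branch never fires; an `unset UID_RANGE` before the check makes the fallback reliable. The awk command still reads the hard-coded `/etc/passwd` while usermgmt.conf is read through `${ROOTDIR}`, and a malformed `range` line leaves UID_MIN or UID_MAX empty, in which case the awk comparison yields an empty user list rather than an error; validating that both values are numeric before use would be safer.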
@ -392,7 +484,7 @@
else
Display --indent 2 --text "- Query system users (non daemons)" --result "${STATUS_DONE}" --color GREEN
for I in ${FIND}; do
if [ ! -z "${I}" ]; then
if [ -n "${I}" ]; then
LogText "Real user: ${I}"
Report "real_user[]=${I}"
fi
@ -414,7 +506,7 @@
else
FIND2=$(${EGREPBINARY} "^passwd_compat" ${ROOTDIR}etc/nsswitch.conf | ${GREPBINARY} "nisplus")
FIND3=$(${EGREPBINARY} "^passwd" ${ROOTDIR}etc/nsswitch.conf | ${GREPBINARY} "nisplus")
if [ ! -z "${FIND2}" -o ! -z "${FIND3}" ]; then
if [ -n "${FIND2}" -o -n "${FIND3}" ]; then
LogText "Result: NIS+ authentication enabled"
Display --indent 2 --text "- NIS+ authentication support" --result "${STATUS_ENABLED}" --color GREEN
else
@ -441,7 +533,7 @@
else
FIND2=$(${EGREPBINARY} "^passwd_compat" /etc/nsswitch.conf | ${GREPBINARY} "nis" | ${GREPBINARY} -v "nisplus")
FIND3=$(${EGREPBINARY} "^passwd" /etc/nsswitch.conf | ${GREPBINARY} "nis" | ${GREPBINARY} -v "nisplus")
if [ ! -z "${FIND2}" -o ! -z "${FIND3}" ]; then
if [ -n "${FIND2}" -o -n "${FIND3}" ]; then
LogText "Result: NIS authentication enabled"
Display --indent 2 --text "- NIS authentication support" --result "${STATUS_ENABLED}" --color GREEN
else
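Review bot: The NIS test still reads the hard-coded `/etc/nsswitch.conf` in the two FIND2/FIND3 lines while the NIS+ test in the previous hunk reads `${ROOTDIR}etc/nsswitch.conf`; the two should use the same path prefix.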
@ -473,10 +565,10 @@
done
if [ ${FOUND} -eq 1 ]; then
LogText "Result: sudoers file found (${SUDOERS_FILE})"
Display --indent 2 --text "- sudoers file" --result "${STATUS_FOUND}" --color GREEN
Display --indent 2 --text "- Sudoers file(s)" --result "${STATUS_FOUND}" --color GREEN
else
LogText "Result: sudoers file NOT found"
Display --indent 2 --text "- sudoers file" --result "${STATUS_NOT_FOUND}" --color YELLOW
Display --indent 2 --text "- Sudoers file" --result "${STATUS_NOT_FOUND}" --color YELLOW
fi
fi
#
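Review bot: The two Display labels in this hunk differ ("Sudoers file(s)" when found, "Sudoers file" when not found), which shows up as two different text keys in the output; use one label for both branches.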
@ -484,38 +576,66 @@
#
# Test : AUTH-9252
# Description : Check ownership and permissions for sudo configuration files
if [ ! -z "${SUDOERS_FILE}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
if [ -n "${SUDOERS_FILE}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no AUTH-9252 --preqs-met ${PREQS_MET} --weight L --network NO --root-only YES --category security --description "Check ownership and permissions for sudo configuration files"
if [ ${SKIPTEST} -eq 0 ]; then
SUDO_CONFIG_FILES="${SUDOERS_FILE}"
SUDOERS_D="${SUDOERS_FILE}.d"
if [ -d "${SUDOERS_D}" ]; then
LogText "Test: checking drop-in directory (${SUDOERS_D})"
FIND=$(${LSBINARY} -ld ${SUDOERS_D} | ${CUTBINARY} -c 2-10)
FIND1=$(${LSBINARY} -nd ${SUDOERS_D} | ${AWKBINARY} '{print $3$4}')
LogText "Result: Found directory permissions: ${FIND} and owner UID GID: ${FIND1}"
if [ "${FIND}" = "rwxrwx---" -o "${FIND}" = "rwxr-x---" -o "${FIND}" = "rwx------" ] && [ "${FIND1}" = "00" ]; then
LogText "Result: directory ${SUDOERS_D} permissions/ownership OK"
Display --indent 4 --text "- Permissions for directory: ${SUDOERS_D}" --result "${STATUS_OK}" --color GREEN
else
LogText "Result: directory has possibly unsafe permissions/ownership"
Display --indent 4 --text "- Permissions for directory: ${SUDOERS_D}" --result "${STATUS_WARNING}" --color RED
fi
SUDO_CONFIG_FILES="${SUDO_CONFIG_FILES} $(${FINDBINARY} ${SUDOERS_D} -type f -print)"
fi
for f in ${SUDO_CONFIG_FILES}; do
LogText "Test: checking file (${f})"
FIND=$(${LSBINARY} -l ${f} | ${CUTBINARY} -c 2-10)
FIND1=$(${LSBINARY} -n ${f} | ${AWKBINARY} '{print $3$4}')
LogText "Result: Found file permissions: ${FIND} and owner UID GID: ${FIND1}"
if [ "${FIND}" = "rw-------" -o "${FIND}" = "rw-rw----" -o "${FIND}" = "r--r-----" ] && [ "${FIND1}" = "00" ]; then
LogText "Result: file ${f} permissions/ownerhsip OK"
Display --indent 4 --text "- Permissions for: ${f}" --result "${STATUS_OK}" --color GREEN
else
LogText "Result: file has possibly unsafe permissions/ownership"
Display --indent 4 --text "- Permissions for: ${f}" --result "${STATUS_WARNING}" --color RED
SUDO_CONFIG_FILES="${SUDOERS_FILE}"
SUDOERS_D="${SUDOERS_FILE}.d"
if [ -d "${SUDOERS_D}" ]; then
LogText "Test: checking drop-in directory (${SUDOERS_D})"
FIND=$(${LSBINARY} -ld ${SUDOERS_D} | ${CUTBINARY} -c 2-10)
FIND2=$(${LSBINARY} -lnd ${SUDOERS_D} | ${AWKBINARY} '{print $3$4}')
LogText "Result: Found directory permissions: ${FIND} and owner UID GID: ${FIND2}"
case "${FIND}" in
rwx[r-][w-][x-]--- )
LogText "Result: directory ${SUDOERS_D} permissions OK"
if [ "${FIND2}" = "00" ]; then
LogText "Result: directory ${SUDOERS_D} ownership OK"
Display --indent 4 --text "- Permissions for directory: ${SUDOERS_D}" --result "${STATUS_OK}" --color GREEN
else
LogText "Result: directory ${SUDOERS_D} has possibly unsafe ownership"
Display --indent 4 --text "- Permissions for directory: ${SUDOERS_D}" --result "${STATUS_WARNING}" --color RED
fi
;;
* )
LogText "Result: directory ${SUDOERS_D} has possibly unsafe permissions"
if [ "${FIND2}" = "00" ]; then
LogText "Result: directory ${SUDOERS_D} ownership OK"
else
LogText "Result: directory ${SUDOERS_D} has possibly unsafe ownership"
fi
Display --indent 4 --text "- Permissions for directory: ${SUDOERS_D}" --result "${STATUS_WARNING}" --color RED
;;
esac
SUDO_CONFIG_FILES="${SUDO_CONFIG_FILES} $(${FINDBINARY} ${SUDOERS_D} -type f -print)"
fi
done
for f in ${SUDO_CONFIG_FILES}; do
LogText "Test: checking file (${f})"
FIND=$(${LSBINARY} -l ${f} | ${CUTBINARY} -c 2-10)
FIND2=$(${LSBINARY} -ln ${f} | ${AWKBINARY} '{print $3$4}')
LogText "Result: Found file permissions: ${FIND} and owner UID GID: ${FIND2}"
case "${FIND}" in
r[w-]-[r-][w-]---- )
LogText "Result: file ${f} permissions OK"
if [ "${FIND2}" = "00" ]; then
LogText "Result: file ${f} ownership OK"
Display --indent 4 --text "- Permissions for: ${f}" --result "${STATUS_OK}" --color GREEN
else
LogText "Result: file ${f} has possibly unsafe ownership"
Display --indent 4 --text "- Permissions for: ${f}" --result "${STATUS_WARNING}" --color RED
fi
;;
* )
LogText "Result: file ${f} has possibly unsafe permissions"
if [ "${FIND2}" = "00" ]; then
LogText "Result: file ${f} ownership OK"
else
LogText "Result: file ${f} has possibly unsafe ownership"
fi
Display --indent 4 --text "- Permissions for: ${f}" --result "${STATUS_WARNING}" --color RED
;;
esac
done
fi
#
#################################################################################
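Review bot: The accepted mode patterns still include group-writable modes: `rwx[r-][w-][x-]---` matches rwxrwx--- for the drop-in directory and `r[w-]-[r-][w-]----` matches rw-rw---- for the files, with ownership only required to be UID 0 and GID 0. That keeps the previous behaviour, but a comment should state why group write by GID 0 is acceptable for files that sudo expects at mode 0440; otherwise tighten the file pattern to `r[w-]-[r-]-----`. Also the file list is built as an unquoted `${SUDO_CONFIG_FILES}` string and iterated with `for f in`, so a drop-in file name containing whitespace splits into bogus paths; `ls -l` on those fails, FIND ends up empty and the file is reported as a permissions warning rather than as a lookup error.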
@ -530,7 +650,7 @@
Display --indent 2 --text "- Passwordless accounts on Solaris" --result "${STATUS_OK}" --color GREEN
else
for I in ${FIND}; do
ReportWarning ${TEST_NO} "Found passwordless account (${I})"
ReportWarning "${TEST_NO}" "Found passwordless account (${I})"
done
Display --indent 2 --text "- Passwordless accounts on Solaris" --result "${STATUS_WARNING}" --color RED
fi
@ -597,7 +717,7 @@
if [ ${FOUND} -eq 0 ]; then
Display --indent 2 --text "- PAM password strength tools" --result "${STATUS_SUGGESTION}" --color YELLOW
LogText "Result: no PAM modules for password strength testing found"
ReportSuggestion ${TEST_NO} "Install a PAM module for password strength testing like pam_cracklib or pam_passwdqc"
ReportSuggestion "${TEST_NO}" "Install a PAM module for password strength testing like pam_cracklib or pam_passwdqc"
AddHP 0 3
else
Display --indent 2 --text "- PAM password strength tools" --result "${STATUS_OK}" --color GREEN
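Review bot: The suggestion text still names pam_cracklib as the example module; current distributions ship pam_pwquality as its replacement, so listing pam_pwquality next to pam_passwdqc keeps the advice actionable on systems where pam_cracklib is no longer available.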
@ -639,12 +759,12 @@
# Description : Searching available PAM configurations (/etc/pam.d)
Register --test-no AUTH-9266 --weight L --network NO --category security --description "Checking presence pam.d files"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking directory /etc/pam.d"
LogText "Test: Checking directory ${ROOTDIR}etc/pam.d"
if [ -d ${ROOTDIR}etc/pam.d ]; then
LogText "Result: directory /etc/pam.d exists"
Display --indent 2 --text "- PAM configuration files (pam.d)" --result "${STATUS_FOUND}" --color GREEN
LogText "Test: searching PAM configuration files"
FIND=$(find /etc/pam.d -type f -print | sort)
FIND=$(${FINDBINARY} ${ROOTDIR}etc/pam.d \! -name "*.pam-old" -type f -print | sort)
for FILE in ${FIND}; do
LogText "Found file: ${FILE}"
done
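Review bot: The log line `LogText "Result: directory /etc/pam.d exists"` still hard-codes /etc while the test line above it and the find below were switched to `${ROOTDIR}etc/pam.d`; update it for consistency. The new find line also pipes into a bare `sort` while using `${FINDBINARY}` on the same line; `${SORTBINARY}` matches the convention used elsewhere in this file.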
@ -658,9 +778,9 @@
#
# Test : AUTH-9268
# Description : Searching available PAM files
# Notes : PAM is used on AIX, FreeBSD, Linux, HPUX, Solaris
if [ ${OS} = "AIX" -o ${OS} = "Linux" -o ${OS} = "HPUX" -o ${OS} = "Solaris" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no AUTH-9268 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking presence pam.d files"
# Notes : PAM is used on AIX, FreeBSD, Linux, HPUX, NetBSD, Solaris
OS_USES_PAM="AIX DragonFly FreeBSD Linux HPUX NetBSD Solaris"
Register --test-no AUTH-9268 --os "${OS_USES_PAM}" --weight L --network NO --category security --description "Checking presence pam.d files"
if [ ${SKIPTEST} -eq 0 ]; then
FOUND=0
LogText "Test: Searching pam modules"
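Review bot: The Notes line lists "AIX, FreeBSD, Linux, HPUX, NetBSD, Solaris" but OS_USES_PAM also contains DragonFly; keep the two in sync. The description "Checking presence pam.d files" is identical to AUTH-9266's although this test searches for PAM module files (pam_*.so); a description such as "Checking presence of PAM modules" would distinguish the two in the report.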
@ -669,13 +789,13 @@
if [ -d ${DIR} -a ! -L ${DIR} ]; then
LogText "Result: directory ${DIR} exists"
# Search in the specified directory
if [ "${OS}" = "Solaris" ]; then
# Solaris does not support -maxdepth
if [ "${OS}" = "AIX" -o "${OS}" = "Solaris" ]; then
# AIX/Solaris does not support -maxdepth
FIND=$(find ${DIR} -type f -name "pam_*.so" -print | sort)
else
FIND=$(find ${DIR} -maxdepth 1 -type f -name "pam_*.so" -print | sort)
fi
if [ ! -z "${FIND}" ]; then FOUND=1; fi
if [ -n "${FIND}" ]; then FOUND=1; fi
for FILE in ${FIND}; do
LogText "Found file: ${FILE}"
Report "pam_module[]=${FILE}"
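Review bot: Both find invocations in this hunk use a bare `find` and `sort` rather than `${FINDBINARY}` and `${SORTBINARY}`, which the AUTH-9266 change in this same patch switched to; apply the same here so the module search honours the detected binaries.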
@ -691,32 +811,39 @@
else
Display --indent 2 --text "- PAM modules" --result "${STATUS_FOUND}" --color GREEN
fi
unset DIR; unset FILE; unset FIND
unset DIR FILE FIND
fi
#
#################################################################################
#
# Test : AUTH-9278
# Description : Search LDAP support in PAM files
Register --test-no AUTH-9278 --weight L --network NO --category security --description "Checking LDAP pam status"
Register --test-no AUTH-9278 --weight L --network NO --category security --description "Determine LDAP support in PAM files"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: checking presence /etc/pam.d/common-auth"
if [ -f /etc/pam.d/common-auth ]; then
LogText "Result: file /etc/pam.d/common-auth exists"
LogText "Test: checking presence LDAP module"
FIND=$(${GREPBINARY} "^auth.*ldap" /etc/pam.d/common-auth)
if [ ! "${FIND}" = "" ]; then
LogText "Result: LDAP module present"
LogText "Output: ${FIND}"
Display --indent 2 --text "- LDAP module in PAM" --result "${STATUS_FOUND}" --color GREEN
LDAP_AUTH_ENABLED=1
LDAP_PAM_ENABLED=1
AUTH_FILES="${ROOTDIR}etc/pam.d/common-auth ${ROOTDIR}etc/pam.d/system-auth"
for FILE in ${AUTH_FILES}; do
LogText "Test: checking presence ${FILE}"
if [ -f ${FILE} ]; then
LogText "Result: file ${FILE} exists"
LogText "Test: checking presence LDAP module"
FIND=$(${GREPBINARY} "^auth.*ldap" ${FILE})
if [ -n "${FIND}" ]; then
LogText "Result: LDAP module present"
LogText "Output: ${FIND}"
LDAP_AUTH_ENABLED=1
LDAP_PAM_ENABLED=1
else
LogText "Result: LDAP module not found"
fi
else
LogText "Result: LDAP module not found"
Display --indent 2 --text "- LDAP module in PAM" --result "${STATUS_NOT_FOUND}" --color WHITE
LogText "Result: file ${FILE} not found, skipping test"
fi
done
if [ ${LDAP_PAM_ENABLED} -eq 1 ]; then
Display --indent 2 --text "- LDAP module in PAM" --result "${STATUS_FOUND}" --color GREEN
else
LogText "Result: file /etc/pam.d/common-auth not found, skipping test"
Display --indent 2 --text "- LDAP module in PAM" --result "${STATUS_NOT_FOUND}" --color WHITE
fi
fi
#
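Review bot: The final `if [ ${LDAP_PAM_ENABLED} -eq 1 ]` requires LDAP_PAM_ENABLED to hold 0 before this test runs; inside this hunk it is only ever set to 1, so if it is not initialised elsewhere the comparison fails with a unary-operator error whenever no file matches, and if it was already 1 from an earlier test the FOUND result is reported regardless of what the loop saw. Setting LDAP_PAM_ENABLED=0 at the top of the test makes it self-contained, and an `unset FILE FIND` at the end would mirror the AUTH-9268 cleanup in the previous hunk.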
@ -726,28 +853,28 @@
# Note : Every Linux based operating system seem to have different passwd
# options, so we have to check the version first.
if [ "${OS}" = "Linux" ]; then
if [ ${OS_REDHAT_OR_CLONE} -eq 0 ]; then
if [ "${OS_REDHAT_OR_CLONE}" -eq 0 ]; then
case ${LINUX_VERSION} in
"SuSE")
PREQS_MET="YES"
FIND=$(passwd -a -S 2> /dev/null | ${AWKBINARY} '{ if ($2=="P" && $5=="99999") print $1 }')
FIND_P=$(passwd -a -S 2> /dev/null | ${AWKBINARY} '{ if ($2=="P" && $5=="99999") print $1 }')
FIND2=$(passwd -a -S 2> /dev/null | ${AWKBINARY} '{ if ($2=="NP") print $1 }')
;;
*)
PREQS_MET="YES"
FIND=$(passwd --all --status 2> /dev/null | ${AWKBINARY} '{ if ($2=="P" && $5=="99999") print $1 }')
FIND_P=$(passwd --all --status 2> /dev/null | ${AWKBINARY} '{ if ($2=="P" && $5=="99999") print $1 }')
FIND2=$(passwd --all --status 2> /dev/null | ${AWKBINARY} '{ if ($2=="NP") print $1 }')
;;
esac
elif [ ${OS_REDHAT_OR_CLONE} -eq 1 ]; then
elif [ "${OS_REDHAT_OR_CLONE}" -eq 1 ]; then
PREQS_MET="YES"
FIND=$(for I in $(${AWKBINARY} -F: '{print $1}' ${ROOTDIR}etc/passwd) ; do passwd -S $I | ${AWKBINARY} '{ if ($2=="PS" && $5=="99999") print $1 }' ; done)
FIND2=$(for I in $(${AWKBINARY} -F: '{print $1}' ${ROOTDIR}etc/passwd) ; do passwd -S $I | ${AWKBINARY} '{ if ($2=="NP") print $1 }' ; done)
FIND_P=$(for I in $(${AWKBINARY} -F: '{print $1}' "${ROOTDIR}etc/passwd") ; do passwd -S "$I" | ${AWKBINARY} '{ if ($2=="PS" && $5=="99999") print $1 }' ; done)
FIND2=$(for I in $(${AWKBINARY} -F: '{print $1}' "${ROOTDIR}etc/passwd") ; do passwd -S "$I" | ${AWKBINARY} '{ if ($2=="NP") print $1 }' ; done)
else
LogText "Result: skipping test for this Linux version"
ReportManual "AUTH-9282:01"
PREQS_MET="NO"
FIND=""
FIND_P=""
FIND2=""
fi
else
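Review bot: Renaming FIND to FIND_P fixes the clobbering of the expiry list by tests that run between this block and AUTH-9282, but FIND2 (the passwordless list consumed by AUTH-9283) keeps its generic name and is exposed to the same problem; give it a specific name as well (for example FIND_NP) so both lists survive until their consumers.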
@ -757,18 +884,18 @@
# Test : AUTH-9282
# Description : Search password protected accounts without expire (Linux)
Register --test-no AUTH-9282 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking password protected account without expire date"
if [ ${SKIPTEST} -eq 0 ]; then
if [ "${SKIPTEST}" -eq 0 ]; then
LogText "Test: Checking Linux version and password expire date status"
if [ -z "${FIND}" ]; then
if [ -z "${FIND_P}" ]; then
LogText "Result: all accounts seem to have an expire date"
Display --indent 2 --text "- Accounts without expire date" --result "${STATUS_OK}" --color GREEN
else
LogText "Result: found one or more accounts with expire date set"
for I in ${FIND}; do
LogText "Result: found one or more accounts without expire date set"
for I in ${FIND_P}; do
LogText "Account without expire date: ${I}"
done
Display --indent 2 --text "- Accounts without expire date" --result "${STATUS_SUGGESTION}" --color YELLOW
ReportSuggestion ${TEST_NO} "When possible set expire dates for all password protected accounts"
ReportSuggestion "${TEST_NO}" "When possible set expire dates for all password protected accounts"
fi
fi
#
@ -777,7 +904,7 @@
# Test : AUTH-9283
# Description : Search passwordless accounts
Register --test-no AUTH-9283 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking accounts without password"
if [ ${SKIPTEST} -eq 0 ]; then
if [ "${SKIPTEST}" -eq 0 ]; then
LogText "Test: Checking passwordless accounts"
if [ -z "${FIND2}" ]; then
LogText "Result: all accounts seem to have a password"
@ -789,7 +916,7 @@
Report "account_without_password=${I}"
done
Display --indent 2 --text "- Accounts without password" --result "${STATUS_WARNING}" --color RED
ReportWarning ${TEST_NO} "Found accounts without password"
ReportWarning "${TEST_NO}" "Found accounts without password"
fi
fi
#
@ -808,10 +935,10 @@
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking PASS_MIN_DAYS option in ${ROOTDIR}etc/login.defs"
FIND=$(${GREPBINARY} "^PASS_MIN_DAYS" ${ROOTDIR}etc/login.defs | ${AWKBINARY} '{ if ($1=="PASS_MIN_DAYS") { print $2 } }')
if [ "${FIND}" = "" -o "${FIND}" = "0" ]; then
if [ -z "${FIND}" -o "${FIND}" = "0" ]; then
LogText "Result: password minimum age is not configured"
Display --indent 2 --text "- Checking user password aging (minimum)" --result "${STATUS_DISABLED}" --color YELLOW
ReportSuggestion ${TEST_NO} "Configure minimum password age in /etc/login.defs"
ReportSuggestion "${TEST_NO}" "Configure minimum password age in /etc/login.defs"
AddHP 0 1
else
LogText "Result: password needs to be at least ${FIND} days old"
@ -825,7 +952,7 @@
if [ -z "${FIND}" -o "${FIND}" = "99999" ]; then
LogText "Result: password aging limits are not configured"
Display --indent 2 --text "- User password aging (maximum)" --result "${STATUS_DISABLED}" --color YELLOW
ReportSuggestion ${TEST_NO} "Configure maximum password age in /etc/login.defs"
ReportSuggestion "${TEST_NO}" "Configure maximum password age in /etc/login.defs"
AddHP 0 1
else
LogText "Result: max password age is ${FIND} days"
@ -851,12 +978,12 @@
NOW=$(date "+%s")
fi
DAYS_SINCE_EPOCH=$((${NOW}/86400))
DAYS_SINCE_EPOCH=$((NOW / 86400))
LogText "Data: Days since epoch is ${DAYS_SINCE_EPOCH}"
LogText "Test: collecting accounts which have an expired password (last day changed + maximum change time)"
# Skip fields with a !, *, or x, or !* (field $3 is last changed, $5 is maximum changed)
FIND=$(${EGREPBINARY} -v ":[\!\*x]([\*\!])?:" /etc/shadow | ${AWKBINARY} -v today=${DAYS_SINCE_EPOCH} -F: '{ if (($5!="") && (today>$3+$5)) { print $1 }}')
if [ ! -z "${FIND}" ]; then
if [ -n "${FIND}" ]; then
for ACCOUNT in ${FIND}; do
LogText "Result: password of user ${ACCOUNT} has been expired"
Report "account_password_expired[]=${ACCOUNT}"
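Review bot: The shadow file is still read from the hard-coded `/etc/shadow` in the FIND line while the rest of this patch moves to `${ROOTDIR}etc/shadow` (see the AUTH-9229 change above); switch it so the test works against a mounted root.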
@ -893,7 +1020,7 @@
else
LogText "Result: option present, no password needed at single user mode login"
Display --indent 2 --text "- Checking Solaris /etc/default/sulogin file" --result "${STATUS_WARNING}" --color RED
ReportWarning ${TEST_NO} "No password needed for single user mode login"
ReportWarning "${TEST_NO}" "No password needed for single user mode login"
AddHP 0 1
fi
else
@ -923,7 +1050,7 @@
else
LogText "Result: option present, no password needed at single user mode login"
Display --indent 2 --text "- Checking HP-UX boot authentication" --result "${STATUS_SUGGESTION}" --color YELLOW
ReportSuggestion ${TEST_NO} "Set password for system boot"
ReportSuggestion "${TEST_NO}" "Set password for system boot"
AddHP 0 1
fi
else
@ -949,7 +1076,7 @@
LogText "Test: checking presence sulogin for single user mode"
FIND=$(${EGREPBINARY} "^[a-zA-Z0-9~]+:S:(respawn|wait):/sbin/sulogin" /etc/inittab)
FIND2=$(${EGREPBINARY} "^su:S:(respawn|wait):/sbin/sulogin" /etc/inittab)
if [ ! -z "${FIND}" -o ! -z "${FIND2}" ]; then
if [ -n "${FIND}" -o -n "${FIND2}" ]; then
FOUND=1
LogText "Result: found sulogin, so single user is protected"
fi
@ -964,7 +1091,7 @@
LogText "Result: file ${ROOTDIR}etc/sysconfig/init exists"
LogText "Test: checking presence sulogin for single user mode"
FIND=$(${GREPBINARY} "^SINGLE=/sbin/sulogin" ${ROOTDIR}etc/sysconfig/init)
if [ ! -z "${FIND}" ]; then
if [ -n "${FIND}" ]; then
FOUND=1
LogText "Result: found sulogin, so single user is protected"
fi
@ -1002,8 +1129,8 @@
if [ ${FOUND} -eq 0 ]; then
LogText "Result: option not set, no password needed at single user mode boot"
Display --indent 2 --text "- Checking Linux single user mode authentication" --result "${STATUS_WARNING}" --color RED
ReportWarning ${TEST_NO} "No password set for single mode"
ReportSuggestion ${TEST_NO} "Set password for single user mode to minimize physical access attack surface"
ReportWarning "${TEST_NO}" "No password set for single mode"
ReportSuggestion "${TEST_NO}" "Set password for single user mode to minimize physical access attack surface"
AddHP 0 2
else
LogText "Result: option set, password is needed at single user mode boot"
@ -1033,10 +1160,10 @@
if [ -d ${ROOTDIR}etc/profile.d ]; then
FOUND=0
FIND=$(ls ${ROOTDIR}etc/profile.d/* 2> /dev/null)
if [ ! -z "${FIND}" ]; then
if [ -n "${FIND}" ]; then
LogText "Result: found /etc/profile.d, with one or more files in it"
for FILE in ${FIND}; do
HAS_MASK=$(${GREPBINARY} umask ${FILE} | ${SEDBINARY} 's/^[ \t]*//' | ${GREPBINARY} -v "^#" | ${AWKBINARY} '{ print $2 }')
HAS_MASK=$(${GREPBINARY} umask ${FILE} 2> /dev/null | ${SEDBINARY} 's/^[ \t]*//' | ${GREPBINARY} -v "^#" | ${AWKBINARY} '{ print $2 }')
for MASK in ${HAS_MASK}; do
if [ "${MASK}" = "077" -o "${MASK}" = "027" -o "${MASK}" = "0077" -o "${MASK}" = "0027" ]; then
LogText "Result: found a strong umask '${MASK}' set in ${FILE}"
@ -1096,11 +1223,11 @@
AddHP 2 2
elif [ ${GOOD_UMASK} -eq 1 -a ${WEAK_UMASK} -eq 1 ]; then
Display --indent 4 --text "- umask (/etc/profile and /etc/profile.d)" --result "${STATUS_SUGGESTION}" --color YELLOW
ReportSuggestion ${TEST_NO} "Some umasks found could be more strict (e.g. 027)"
ReportSuggestion "${TEST_NO}" "Some umasks found could be more strict (e.g. 027)"
AddHP 1 2
else
Display --indent 4 --text "- umask (/etc/profile and /etc/profile.d)" --result "${STATUS_SUGGESTION}" --color YELLOW
ReportSuggestion ${TEST_NO} "Default umask in /etc/profile or /etc/profile.d/custom.sh could be more strict (e.g. 027)"
ReportSuggestion "${TEST_NO}" "Default umask in /etc/profile or /etc/profile.d/custom.sh could be more strict (e.g. 027)"
AddHP 0 2
fi
else
@ -1134,7 +1261,7 @@
if [ "${FIND}" = "" ]; then
LogText "Result: umask value is not configured (most likely it will have the default 022 value)"
Display --indent 4 --text "- umask (/etc/login.defs)" --result "${STATUS_SUGGESTION}" --color YELLOW
ReportSuggestion ${TEST_NO} "Default umask in /etc/login.defs could not be found and defaults usually to 022, which could be more strict like 027"
ReportSuggestion "${TEST_NO}" "Default umask in /etc/login.defs could not be found and defaults usually to 022, which could be more strict like 027"
AddHP 1 2
elif [ "${FIND}" = "077" -o "${FIND}" = "027" -o "${FIND}" = "0077" -o "${FIND}" = "0027" ]; then
LogText "Result: umask is ${FIND}, which is fine"
@ -1143,7 +1270,7 @@
else
LogText "Result: found umask ${FIND}, which could be improved"
Display --indent 4 --text "- umask (/etc/login.defs)" --result "${STATUS_SUGGESTION}" --color YELLOW
ReportSuggestion ${TEST_NO} "Default umask in /etc/login.defs could be more strict like 027"
ReportSuggestion "${TEST_NO}" "Default umask in /etc/login.defs could be more strict like 027"
AddHP 0 2
fi
else
@ -1181,7 +1308,7 @@
if [ "${FIND}" = "" ]; then
LogText "Result: UMASK value is not configured (most likely it will have the default 022 value)"
Display --indent 4 --text "- Checking umask (/etc/init.d/rc)" --result "${STATUS_SUGGESTION}" --color YELLOW
ReportSuggestion ${TEST_NO} "Default umask in /etc/init.d/rc could not be found and defaults usually to 022, which could be more strict like 027"
ReportSuggestion "${TEST_NO}" "Default umask in /etc/init.d/rc could not be found and defaults usually to 022, which could be more strict like 027"
AddHP 1 2
elif [ "${FIND}" = "077" -o "${FIND}" = "027" -o "${FIND}" = "0077" -o "${FIND}" = "0027" ]; then
LogText "Result: umask is ${FIND}, which is fine"
@ -1190,7 +1317,7 @@
else
LogText "Result: found umask ${FIND}, which could be improved"
Display --indent 4 --text "- umask (/etc/init.d/rc)" --result "${STATUS_SUGGESTION}" --color YELLOW
ReportSuggestion ${TEST_NO} "Default umask in /etc/init.d/rc could be more strict like 027"
ReportSuggestion "${TEST_NO}" "Default umask in /etc/init.d/rc could be more strict like 027"
AddHP 0 2
fi
else
@ -1225,7 +1352,7 @@
Display --indent 4 --text "- umask (/etc/login.conf)" --result "${STATUS_OK}" --color GREEN
else
Display --indent 4 --text "- umask (/etc/login.conf)" --result "${STATUS_WEAK}" --color YELLOW
ReportSuggestion ${TEST_NO} "Umask in /etc/login.conf could be more strict like 027"
ReportSuggestion "${TEST_NO}" "Umask in /etc/login.conf could be more strict like 027"
fi
else
LogText "Result: no umask setting found in /etc/login.conf, which is unexpected"
@ -1244,7 +1371,7 @@
if [ "${FIND2}" = "" ]; then
LogText "Result: UMASK value is not configured (most likely it will have the default 022 value)"
Display --indent 4 --text "- Checking umask (/etc/init.d/rcS)" --result "${STATUS_SUGGESTION}" --color YELLOW
ReportSuggestion ${TEST_NO} "Default umask in /etc/init.d/rcS could not be found and defaults usually to 022, which could be more strict like 027"
ReportSuggestion "${TEST_NO}" "Default umask in /etc/init.d/rcS could not be found and defaults usually to 022, which could be more strict like 027"
AddHP 1 2
elif [ "${FIND2}" = "077" -o "${FIND2}" = "027" ]; then
LogText "Result: umask is ${FIND2}, which is fine"
@ -1253,7 +1380,7 @@
else
LogText "Result: found umask ${FIND2}, which could be improved"
Display --indent 4 --text "- umask (/etc/init.d/rcS)" --result "${STATUS_SUGGESTION}" --color YELLOW
ReportSuggestion ${TEST_NO} "Default umask in /etc/init.d/rcS could be more strict like 027"
ReportSuggestion "${TEST_NO}" "Default umask in /etc/init.d/rcS could be more strict like 027"
AddHP 0 2
fi
else
@ -1297,7 +1424,7 @@
if [ -f ${ROOTDIR}etc/default/login ]; then
LogText "Result: file ${ROOTDIR}etc/default/login exists"
FIND=$(${GREPBINARY} "^RETRIES" ${ROOTDIR}etc/default/login)
if [ ! -z "${FIND}" ]; then
if [ -n "${FIND}" ]; then
FOUND=1
LogText "Result: retries option configured"
LogText "Output: ${FIND}"
@ -1369,32 +1496,113 @@
#
# Test : AUTH-9408
# Description : Logging of failed login attempts
if [ -f ${ROOTDIR}etc/login.defs ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no AUTH-9408 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Logging of failed login attempts via /etc/login.defs"
Register --test-no AUTH-9408 --weight L --network NO --category security --description "Logging of failed login attempts"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking FAILLOG_ENAB option in ${ROOTDIR}etc/login.defs "
FIND=$(${GREPBINARY} "^FAILLOG_ENAB" ${ROOTDIR}etc/login.defs | ${AWKBINARY} '{ if ($1=="FAILLOG_ENAB") { print $2 } }')
# Search for enabled status (yes), otherwise consider it to be disabled (e.g. empty, or other value)
if [ "${FIND}" = "yes" ]; then
AUTH_FAILED_LOGINS_LOGGED=1
LogText "Result: failed login attempts are logged in /var/log/faillog"
Display --indent 2 --text "- Logging failed login attempts" --result "${STATUS_ENABLED}" --color GREEN
if [ -f "${ROOTDIR}etc/pam.conf" ]; then
FOUND_PAM_TALLY2=0
FOUND_TALLYLOG=0
if [ -s "${ROOTDIR}var/log/tallylog" ]; then
FOUND_TALLYLOG=1
LogText "Result: found ${ROOTDIR}var/log/tallylog with a size bigger than zero"
else
LogText "Result: did not find ${ROOTDIR}var/log/tallylog on disk or its file size is zero bytes"
fi
# Determine if pam_tally2 is available
for D in $(GetReportData --key "pam_module\\\[\\\]"); do
if ContainsString "pam_tally2" "${D}"; then
LogText "Result: found pam_tally2 module on disk"
FOUND_PAM_TALLY2=1
fi
done
if [ ${FOUND_PAM_TALLY2} -eq 1 -a ${FOUND_TALLYLOG} -eq 1 ]; then
LogText "Outcome: authentication failures are logged using pam_tally2"
AUTH_FAILED_LOGINS_LOGGED=1
Report "auth_failed_logins_tooling[]=pam_tally2"
else
LogText "Outcome: it looks like pam_tally2 is not configured to log failed login attempts"
fi
unset FOUND_PAM_TALLY2 FOUND_TALLYLOG
fi
# Also check /etc/logins.defs, although its usage decreased over the years
if [ -f ${ROOTDIR}etc/login.defs ]; then
LogText "Test: Checking FAILLOG_ENAB option in ${ROOTDIR}etc/login.defs "
FIND=$(${GREPBINARY} "^FAILLOG_ENAB" ${ROOTDIR}etc/login.defs | ${AWKBINARY} '{ if ($1=="FAILLOG_ENAB") { print $2 } }')
# Search for enabled status (yes), otherwise consider it to be disabled (e.g. empty, or other value)
if [ "${FIND}" = "yes" ]; then
AUTH_FAILED_LOGINS_LOGGED=1
Report "auth_failed_logins_tooling[]=/etc/login.defs"
LogText "Result: FAILLOG_ENAB is set to 'yes'"
LogText "Outcome: failed login attempts are logged in ${ROOTDIR}var/log/faillog"
Display --indent 2 --text "- Logging failed login attempts" --result "${STATUS_ENABLED}" --color GREEN
else
LogText "Result: failed login attempts may not logged"
Display --indent 2 --text "- Logging failed login attempts" --result "${STATUS_DISABLED}" --color YELLOW
fi
fi
if [ ${AUTH_FAILED_LOGINS_LOGGED} -eq 1 ]; then
AddHP 3 3
else
LogText "Result: failed login attempts are not logged"
Display --indent 2 --text "- Logging failed login attempts" --result "${STATUS_DISABLED}" --color YELLOW
#ReportSuggestion ${TEST_NO} "Configure failed login attempts to be logged in /var/log/faillog"
AddHP 0 1
#ReportSuggestion "${TEST_NO}" "Configure failed login attempts to be logged using pam_tally2 or /etc/login.defs"
fi
fi
#
#################################################################################
#
# Test : AUTH-9409
# Description : Check for doas file
DOAS_FILE=""
Register --test-no AUTH-9409 --os OpenBSD --weight L --network NO --category security --description "Checking /etc/doas.conf file"
if [ ${SKIPTEST} -eq 0 ]; then
FOUND=0
LogText "Test: checking presence /etc/doas.conf"
if [ -f /etc/doas.conf ]; then
DOAS_FILE=/etc/doas.conf
FOUND=1
LogText "Result: file /etc/doas.conf found"
else
LogText "Result: file /etc/doas.conf not found"
fi
if [ ${FOUND} -eq 1 ]; then
LogText "Result: /etc/doas.conf file found"
Display --indent 2 --text "- doas file" --result "${STATUS_FOUND}" --color GREEN
else
LogText "Result: doas file NOT found"
Display --indent 2 --text "- doas file" --result "${STATUS_NOT_FOUND}" --color YELLOW
fi
fi
#
#################################################################################
#
# Test : AUTH-9410
# Description : Check for doas file permissions
if [ -n "${DOAS_FILE}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no AUTH-9410 --os OpenBSD --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check /etc/doas.conf file permissions"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: checking /etc/doas.conf permissions"
FIND=$(ls -l ${DOAS_FILE} | ${CUTBINARY} -c 2-10)
LogText "Result: Found /etc/doas.conf file permissions: ${FIND}"
case "${FIND}" in
r[w-]-[r-][w-]---- )
LogText "Result: file /etc/doas.conf has correct permissions"
Display --indent 4 --text "- Check doas file permissions" --result "${STATUS_OK}" --color GREEN
;;
* )
LogText "Result: file has possibly unsafe file permissions"
Display --indent 4 --text "- Check doas file permissions" --result "${STATUS_WARNING}" --color RED
;;
esac
fi
#
#################################################################################
#
Report "auth_failed_logins_logged=${AUTH_FAILED_LOGINS_LOGGED}"
Report "ldap_auth_enabled=${LDAP_AUTH_ENABLED}"
Report "ldap_pam_enabled=${LDAP_PAM_ENABLED}"
if [ ! -z "${LDAP_CLIENT_CONFIG_FILE}" ]; then Report "ldap_config_file=${LDAP_CLIENT_CONFIG_FILE}"; fi
if [ -n "${LDAP_CLIENT_CONFIG_FILE}" ]; then Report "ldap_config_file=${LDAP_CLIENT_CONFIG_FILE}"; fi
Report "password_min_days=${PASSWORD_MINIMUM_DAYS}"
Report "password_max_days=${PASSWORD_MAXIMUM_DAYS}"
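Review bot: in AUTH-9408 the on-screen result can be printed twice or contradict the awarded score, because the Display calls sit inside the `login.defs` branch while the final `if [ ${AUTH_FAILED_LOGINS_LOGGED} -eq 1 ]` prints DISABLED again on its else path. A host with login.defs present, FAILLOG_ENAB not set to yes and no pam_tally2 therefore shows two DISABLED lines, and a host where pam_tally2 is found but FAILLOG_ENAB is not yes shows DISABLED yet still gets `AddHP 3 3`; move the Display into the final if/else and keep only LogText/Report in the per-source branches. Smaller points in the same region: "failed login attempts may not logged" should read "may not be logged", the comment says /etc/logins.defs (login.defs), and AUTH_FAILED_LOGINS_LOGGED is compared with `-eq` without being reset to 0 at the start of the test, so it relies on initialisation elsewhere in the file. In AUTH-9409/AUTH-9410, /etc/doas.conf is hard-coded where the rest of the file uses `${ROOTDIR}`, bare `ls` is used where `${LSBINARY}` is the convention, and the accepted pattern `r[w-]-[r-][w-]----` treats a group-writable doas.conf as correct permissions; doas.conf should only be writable by root, so tighten the pattern to `r[w-]-[r-]-----` and consider checking the owner field as well.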

View File

@ -6,7 +6,7 @@
# ------------------
#
# Copyright 2007-2013, Michael Boelen
# Copyright 2007-2019, CISOfy
# Copyright 2007-2020, CISOfy
#
# Website : https://cisofy.com
# Blog : http://linux-audit.com
@ -27,7 +27,7 @@
#################################################################################
#
BANNER_FILES="${ROOTDIR}etc/issue ${ROOTDIR}etc/issue.net ${ROOTDIR}etc/motd"
LEGAL_BANNER_STRINGS="audit access authori connect enforce evidence forbidden intrusion law legal monitor owner policy policies privacy private prohibited record restricted secure subject system terms unauthorized"
LEGAL_BANNER_STRINGS="audit access authori condition connect consent continu criminal enforce evidence forbidden intrusion law legal legislat log monitor owner penal policy policies privacy private prohibited record restricted secure subject system terms warning"
#
#################################################################################
#
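Review bot: the new LEGAL_BANNER_STRINGS value drops "unauthorized" while adding "warning", "consent", "criminal" and others, and the suggestion text further down still says "to warn unauthorized users". If the keyword match is a substring match, the existing "authori" entry already covers it and the removal is harmless, but that reasoning is not visible here; a one-line commit message note (or a comment next to the list) would stop the next reader from treating it as an accidental deletion that lowers the count on existing banners.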
@ -108,7 +108,7 @@
else
LogText "Result: Found only ${COUNT} key words (5 or more suggested), to warn unauthorized users and could be increased"
Display --indent 4 --text "- ${FILE} contents" --result "${STATUS_WEAK}" --color YELLOW
ReportSuggestion ${TEST_NO} "Add a legal banner to ${FILE}, to warn unauthorized users"
ReportSuggestion "${TEST_NO}" "Add a legal banner to ${FILE}, to warn unauthorized users"
AddHP 0 1
Report "weak_banner_file[]=${FILE}"
fi
@ -161,7 +161,7 @@
else
LogText "Result: Found only ${COUNT} key words, to warn unauthorized users and could be increased"
Display --indent 4 --text "- ${ROOTDIR}etc/issue.net contents" --result "${STATUS_WEAK}" --color YELLOW
ReportSuggestion ${TEST_NO} "Add legal banner to /etc/issue.net, to warn unauthorized users"
ReportSuggestion "${TEST_NO}" "Add legal banner to /etc/issue.net, to warn unauthorized users"
AddHP 0 1
fi
fi

View File

@ -6,7 +6,7 @@
# ------------------
#
# Copyright 2007-2013, Michael Boelen
# Copyright 2007-2019, CISOfy
# Copyright 2007-2020, CISOfy
#
# Website : https://cisofy.com
# Blog : http://linux-audit.com
@ -46,7 +46,7 @@
LogText "Test: Query bootinfo for AIX boot device"
if [ -x /usr/sbin/bootinfo ]; then
FIND=$(/usr/sbin/bootinfo -b)
if [ ! -z "${FIND}" ]; then
if [ -n "${FIND}" ]; then
LogText "Result: found boot device ${FIND}"
Display --indent 2 --text "- Checking boot device (bootinfo)" --result "${STATUS_FOUND}" --color GREEN
BOOT_LOADER="ROS"
@ -76,7 +76,7 @@
FILENAME=$(echo "${OUTPUT}" | ${AWKBINARY} '{print $1}')
LogText "Result: file on disk = ${FILENAME}"
ISFILE=$(echo ${FILENAME} | ${GREPBINARY} "^/")
if [ ! -z "${ISFILE}" ]; then
if [ -n "${ISFILE}" ]; then
if [ -L ${ISFILE} ]; then
ShowSymlinkPath ${ISFILE}
FILENAME="${SYMLINK}"
@ -86,7 +86,7 @@
LogText "Result: cmdline of PID 1 is not a file"
fi
fi
if [ ! -z "${FILENAME}" ]; then
if [ -n "${FILENAME}" ]; then
SHORTNAME=$(echo ${FILENAME} | ${AWKBINARY} -F/ '{ print $NF }')
LogText "Found: ${SHORTNAME}"
if [ "${SERVICE_MANAGER}" = "unknown" ]; then
@ -96,7 +96,11 @@
;;
"init" | "initsplash")
SERVICE_MANAGER="SysV Init"
if [ -d ${ROOTDIR}etc/rc.d ]; then
SERVICE_MANAGER="bsdrc.d"
else
SERVICE_MANAGER="SysV Init"
fi
;;
systemd)
SERVICE_MANAGER="systemd"
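Review bot: classifying an `init` PID 1 as "bsdrc.d" purely because `${ROOTDIR}etc/rc.d` exists misfires on Linux distributions whose SysV layout lives under /etc/rc.d (Red Hat family, Slackware, older Arch), which will now be reported as bsdrc.d instead of SysV Init. The label also differs from the "bsdrc" value set in the BSD case further down, so report consumers get two spellings for the same service manager; key this on the operating system rather than the directory, or at least use a single name.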
@ -106,7 +110,7 @@
;;
*)
CONTAINS_SYSTEMD=$(echo ${SHORTNAME} | ${GREPBINARY} "systemd")
if [ ! -z "${CONTAINS_SYSTEMD}" ]; then
if [ -n "${CONTAINS_SYSTEMD}" ]; then
SERVICE_MANAGER="systemd"
else
LogText "Found ${SHORTNAME}. Unclear what service manager this is"
@ -125,7 +129,7 @@
if [ -f /usr/bin/init-openrc ]; then SERVICE_MANAGER="openrc"; fi
fi
;;
"DragonFly" | "NetBSD" | "FreeBSD")
"DragonFly" | "NetBSD" | "FreeBSD" | "OpenBSD")
if [ -x /sbin/init -a -d ${ROOTDIR}etc/rc.d -a -f ${ROOTDIR}etc/rc ]; then
SERVICE_MANAGER="bsdrc"
fi
@ -178,6 +182,21 @@
fi
#
#################################################################################
#
# Test : BOOT-5109
# Description : Check for rEFInd
Register --test-no BOOT-5109 --os "Linux" --weight L --network NO --root-only YES --category security --description "Check rEFInd as bootloader"
if [ ${SKIPTEST} -eq 0 ]; then
BOOT_LOADER_SEARCHED=1
FileExists ${ROOTDIR}boot/refind_linux.conf
if [ ${FILE_FOUND} -eq 1 ]; then
LogText "Result: found rEFInd"
BOOT_LOADER="rEFInd"
BOOT_LOADER_FOUND=1
fi
fi
#
#################################################################################
#
# Test : BOOT-5116
# Description : Check if system is booted in UEFI mode
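Review bot: BOOT-5109 sets BOOT_LOADER and BOOT_LOADER_FOUND but, unlike BOOT-5117 and the GRUB tests, never calls Display, so a rEFInd system shows no boot loader line on screen and the operator cannot tell from the output which loader was detected; add a `Display --indent 2 --text "- Checking presence rEFInd" --result "${STATUS_FOUND}" --color GREEN` next to the LogText for consistency with the other loader tests.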
@ -200,7 +219,7 @@
LogText "Test: determine if Secure Boot is used"
if [ -d ${ROOTDIR}sys/firmware/efi/efivars ]; then
FIND=$(${LSBINARY} ${ROOTDIR}sys/firmware/efi/efivars/SecureBoot-* 2> /dev/null)
if [ ! -z "${FIND}" ]; then
if [ -n "${FIND}" ]; then
for FILE in ${FIND}; do
LogText "Test: checking file ${FILE}"
# TODO: add detection for od
@ -239,6 +258,23 @@
fi
#
#################################################################################
#
# Test : BOOT-5117
# Description : Check for systemd-boot boot loader
if [ ! "${BOOTCTLBINARY}" = "" -a ${HAS_SYSTEMD} -eq 1 -a ${UEFI_BOOTED} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no BOOT-5117 --preqs-met ${PREQS_MET} --os "Linux" --weight L --network NO --category security --description "Check for systemd-boot bootloader presence"
if [ ${SKIPTEST} -eq 0 ]; then
BOOT_LOADER_SEARCHED=1
CURRENT_BOOT_LOADER=$(${BOOTCTLBINARY} status --no-pager 2>/dev/null | ${AWKBINARY} '/Current Boot Loader/{ getline; print $2 }')
if [ "${CURRENT_BOOT_LOADER}" = "systemd-boot" ]; then
Display --indent 2 --text "- Checking systemd-boot presence" --result "${STATUS_FOUND}" --color GREEN
LogText "Result: found systemd-boot"
BOOT_LOADER="systemd-boot"
BOOT_LOADER_FOUND=1
fi
fi
#
#################################################################################
#
# Test : BOOT-5121
# Description : Check for GRUB boot loader
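Review bot: the prerequisite test `[ ! "${BOOTCTLBINARY}" = "" -a ... ]` uses the `! x = ""` form that this same commit replaces with `-n` everywhere else; use `-n "${BOOTCTLBINARY}"` here too. The awk `getline` after "Current Boot Loader" depends on the product line being the very next line of `bootctl status` output and on the product name being field 2, so a future format change silently leaves CURRENT_BOOT_LOADER empty and the test reports nothing; log the raw value in an else branch so that case is visible in the log.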
@ -274,7 +310,7 @@
# Some OSes like Gentoo do not have /boot mounted by default
# TODO: root directory and rewrite ls statement
if [ -d /boot ]; then
if [ "$(ls /boot/* 2> /dev/null)" = "" -a ! -z "${GRUB2INSTALLBINARY}" ]; then
if [ "$(ls /boot/* 2> /dev/null)" = "" -a -n "${GRUB2INSTALLBINARY}" ]; then
BOOT_LOADER_FOUND=1
LogText "Result: found empty /boot, however with GRUB2 binary installed. Best guess is that GRUB2 is actually installed, but /boot not mounted"
Display --indent 2 --text "- Checking presence GRUB2" --result "POSSIBLE MATCH" --color YELLOW
@ -291,38 +327,54 @@
#
# Test : BOOT-5122
# Description : Check for GRUB boot loader configuration
if [ ! -z "${GRUBCONFFILE}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
if [ -n "${GRUBCONFFILE}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no BOOT-5122 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for GRUB boot password"
if [ ${SKIPTEST} -eq 0 ]; then
FOUND=0
LogText "Found file ${GRUBCONFFILE}, proceeding with tests."
FileIsReadable ${GRUBCONFFILE}
if [ ${CANREAD} -eq 1 ]; then
FIND=$(${GREPBINARY} 'password --md5' ${GRUBCONFFILE} | ${GREPBINARY} -v '^#')
FIND2=$(${GREPBINARY} 'password --encrypted' ${GRUBCONFFILE} | ${GREPBINARY} -v '^#')
FIND3=$(${GREPBINARY} 'set superusers' ${GRUBCONFFILE} | ${GREPBINARY} -v '^#')
FIND4=$(${GREPBINARY} 'password_pbkdf2' ${GRUBCONFFILE} | ${GREPBINARY} -v '^#')
FIND5=$(${GREPBINARY} 'grub.pbkdf2' ${GRUBCONFFILE} | ${GREPBINARY} -v '^#')
# GRUB1: Password should be set (MD5 or SHA1)
if [ ! -z "${FIND}" -o ! -z "${FIND2}" ]; then
FOUND=1
# GRUB2: Superusers AND password should be defined
elif [ ! -z "${FIND3}" ]; then
if [ ! -z "${FIND4}" -o ! -z "${FIND5}" ]; then FOUND=1; fi
if [ "${ROOTDIR}etc/grub.d" ]; then
CONF_FILES=$(${FINDBINARY} "${ROOTDIR}etc/grub.d" -type f -name "[0-9][0-9]*" -print0 | ${TRBINARY} '\0' ' ' | ${TRBINARY} -d '[:cntrl:]')
CONF_FILES="${GRUBCONFFILE} ${ROOTDIR}boot/grub/custom.cfg ${CONF_FILES}"
else
CONF_FILES="${GRUBCONFFILE} ${ROOTDIR}boot/grub/custom.cfg"
fi
for FILE in ${CONF_FILES}; do
if [ -f "${FILE}" ]; then
LogText "Found file ${FILE}, proceeding with tests."
if FileIsReadable "${FILE}"; then
FIND=$(${GREPBINARY} 'password --md5' ${FILE} | ${GREPBINARY} -v '^#')
FIND2=$(${GREPBINARY} 'password --encrypted' ${FILE} | ${GREPBINARY} -v '^#')
FIND3=$(${GREPBINARY} 'set superusers' ${FILE} | ${GREPBINARY} -v '^#')
FIND4=$(${GREPBINARY} 'password_pbkdf2' ${FILE} | ${GREPBINARY} -v '^#')
FIND5=$(${GREPBINARY} 'grub.pbkdf2' ${FILE} | ${GREPBINARY} -v '^#')
# GRUB1: Password should be set (MD5 or SHA1)
if [ -n "${FIND}" -o -n "${FIND2}" ]; then
FOUND=1
# GRUB2: Superusers AND password should be defined
elif [ -n "${FIND3}" ]; then
if [ -n "${FIND4}" -o -n "${FIND5}" ]; then FOUND=1; fi
else
LogText "Result: did not find hashed password line in this file"
fi
else
LogText "Result: Can not read '${FILE}' (no permission?)"
fi
else
LogText "Result: File '${FILE}' does not exist"
fi
if [ ${FOUND} -eq 1 ]; then
done
if [ ${FOUND} -eq 1 ]; then
Display --indent 4 --text "- Checking for password protection" --result "${STATUS_OK}" --color GREEN
LogText "Result: GRUB has password protection."
AddHP 4 4
else
Display --indent 4 --text "- Checking for password protection" --result "${STATUS_WARNING}" --color RED
LogText "Result: Didn't find hashed password line in GRUB boot file!"
ReportSuggestion ${TEST_NO} "Set a password on GRUB bootloader to prevent altering boot configuration (e.g. boot in single user mode without password)"
AddHP 0 2
fi
else
LogText "Result: Can not read ${GRUBCONFFILE} (no permission)"
Display --indent 4 --text "- Checking for password protection" --result "${STATUS_NONE}" --color RED
LogText "Result: Didn't find hashed password line in GRUB configuration"
ReportSuggestion "${TEST_NO}" "Set a password on GRUB boot loader to prevent altering boot configuration (e.g. boot in single user mode without password)"
AddHP 0 2
fi
unset CONF_FILES FILE FIND FIND2 FIND3 FIND4 FIND5 FOUND
fi
#
#################################################################################
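Review bot: `if [ "${ROOTDIR}etc/grub.d" ]; then` only tests that a non-empty string is present, which is always true, so the grub.d presence check this change introduces never takes its else branch; it should be `if [ -d "${ROOTDIR}etc/grub.d" ]; then`. As written, on systems without grub.d `find` runs on a missing directory and prints an error to stderr (nothing redirects it), and the remaining files are still handled only because of the per-file `-f` test. Also, the old code checked `${CANREAD}` after calling FileIsReadable, whereas the new code uses its exit status in `if FileIsReadable "${FILE}"; then`; confirm that function really returns non-zero for unreadable files, otherwise every unreadable file is grepped anyway and the "Can not read" branch is dead.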
@ -399,13 +451,13 @@
if [ "${MACHINE_ROLE}" = "server" -o "${MACHINE_ROLE}" = "workstation" ]; then
Display --indent 4 --text "- Password option presence " --result "${STATUS_WARNING}" --color RED
LogText "Result: no password set for LILO. Bootloader is unprotected to dropping to single user mode or unauthorized access to devices/data."
ReportSuggestion ${TEST_NO} "Add a password to LILO, by adding a line to the lilo.conf file, above the first line saying 'image=<name>': password=<password>"
ReportWarning ${TEST_NO} "No password set on LILO bootloader"
ReportSuggestion "${TEST_NO}" "Add a password to LILO, by adding a line to the lilo.conf file, above the first line saying 'image=<name>': password=<password>"
ReportWarning "${TEST_NO}" "No password set on LILO bootloader"
AddHP 0 2
elif [ "${MACHINE_ROLE}" = "personal" ]; then
Display --indent 4 --text "- Password option presence " --result "${STATUS_WARNING}" --color yellow
LogText "Result: no password set for LILO. Bootloader is unprotected to dropping to single user mode or unauthorized access to devices/data."
ReportSuggestion ${TEST_NO} "No password set on LILO bootloader. Add a password to LILO, by adding a line to the lilo.conf file, above the first line saying 'image=<name>': password=<password>"
ReportSuggestion "${TEST_NO}" "No password set on LILO bootloader. Add a password to LILO, by adding a line to the lilo.conf file, above the first line saying 'image=<name>': password=<password>"
AddHP 1 2
else
LogText "Result: no password set for LILO, with unknown machine role"
@ -480,8 +532,8 @@
FIND=$(${GREPBINARY} '^boot' ${ROOTDIR}etc/boot.conf)
if [ -z "${FIND}" ]; then
Display --indent 4 --text "- Checking boot option" --result "${STATUS_WARNING}" --color RED
#ReportSuggestion ${TEST_NO} "Add 'boot' to the ${ROOTDIR}etc/boot.conf file to disable the default 5 seconds waiting time, to disallow booting into single user mode."
ReportWarning ${TEST_NO} "System can be booted into single user mode without password"
#ReportSuggestion "${TEST_NO}" "Add 'boot' to the ${ROOTDIR}etc/boot.conf file to disable the default 5 seconds waiting time, to disallow booting into single user mode."
ReportWarning "${TEST_NO}" "System can be booted into single user mode without password"
else
Display --indent 4 --text "- Checking boot option" --result "${STATUS_OK}" --color GREEN
LogText "Ok, boot option is enabled."
@ -490,7 +542,7 @@
Display --indent 2 --text "- Checking ${ROOTDIR}etc/boot.conf" --result "${STATUS_NOT_FOUND}" --color YELLOW
LogText "Result: no ${ROOTDIR}etc/boot.conf found. When using the default boot loader, physical"
LogText "access to the server can be used to possibly enter single user mode."
ReportSuggestion ${TEST_NO} "Add 'boot' to the ${ROOTDIR}etc/boot.conf file to disable the default 5 seconds waiting time."
ReportSuggestion "${TEST_NO}" "Add 'boot' to the ${ROOTDIR}etc/boot.conf file to disable the default 5 seconds waiting time."
fi
if [ ${FOUND} -eq 1 ]; then
LogText "Result: found OpenBSD boot loader"
@ -547,7 +599,7 @@
LogText "Result: systemctl binary found, trying that to discover information"
# Running services
LogText "Searching for running services (systemctl services only)"
FIND=$(${SYSTEMCTLBINARY} --full --type=service | ${AWKBINARY} '{ if ($4=="running") { print $1 } }' | ${AWKBINARY} -F. '{ print $1 }')
FIND=$(${SYSTEMCTLBINARY} --no-legend --full --type=service --state=running | ${AWKBINARY} -F.service '{ print $1 }')
COUNT=0
Report "running_service_tool=systemctl"
for ITEM in ${FIND}; do
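Review bot: `${AWKBINARY} -F.service` takes the separator as a regular expression, so `.` matches any character and a unit whose name contains some character followed by "service" is split at the wrong place (a constructed name like webservice.service would be reported as "we"); strip the suffix explicitly instead, e.g. `${AWKBINARY} '{ sub(/\.service$/, "", $1); print $1 }'`. The switch to `--state=running --no-legend` is a good replacement for the positional `$4=="running"` check.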
@ -558,11 +610,11 @@
LogText "Hint: Run systemctl --full --type=service to see all services"
Display --indent 2 --text "- Check running services (systemctl)" --result "${STATUS_DONE}" --color GREEN
Display --indent 8 --text "Result: found ${COUNT} running services"
LogText "Result: Found ${COUNT} enabled services"
LogText "Result: Found ${COUNT} running services"
# Services at boot
LogText "Searching for enabled services (systemctl services only)"
FIND=$(${SYSTEMCTLBINARY} list-unit-files --type=service | ${SORTBINARY} -u | ${AWKBINARY} '{ if ($2=="enabled") { print $1 } }' | ${AWKBINARY} -F. '{ print $1 }')
FIND=$(${SYSTEMCTLBINARY} list-unit-files --no-legend --type=service --state=enabled | ${SORTBINARY} -u | ${AWKBINARY} -F.service '{ print $1 }')
COUNT=0
Report "boot_service_tool=systemctl"
for ITEM in ${FIND}; do
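Review bot: the same `-F.service` regex problem as in the running-services hunk applies to the enabled-services list: `.` in the separator matches any character, so unit names containing "service" before the suffix are truncated; use `sub(/\.service$/, "", $1)` here as well so both lists are derived the same way.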
@ -573,12 +625,12 @@
LogText "Hint: Run systemctl list-unit-files --type=service to see all services"
Display --indent 2 --text "- Check enabled services at boot (systemctl)" --result "${STATUS_DONE}" --color GREEN
Display --indent 8 --text "Result: found ${COUNT} enabled services"
LogText "Result: Found ${COUNT} running services"
LogText "Result: Found ${COUNT} enabled services"
else
LogText "Result: systemctl binary not found, checking chkconfig binary"
if [ ! -z "${CHKCONFIGBINARY}" ]; then
if [ -n "${CHKCONFIGBINARY}" ]; then
LogText "Result: chkconfig binary found, trying that to discover information"
LogText "Searching for services at startup (chkconfig, runlevel 3 and 5)"
FIND=$(${CHKCONFIGBINARY} --list | ${EGREPBINARY} '3:on|5:on' | ${AWKBINARY} '{ print $1 }')
@ -613,7 +665,7 @@
if [ "${sRUNLEVEL}" = "2" ]; then
LogText "Result: performing find in /etc/rc2.d as runlevel 2 is found"
FIND=$(${FINDBINARY} ${ROOTDIR}etc/rc2.d -type l -print | ${CUTBINARY} -d '/' -f4 | ${SEDBINARY} "s/S[0-9][0-9]//g" | sort)
if [ ! -z "${FIND}" ]; then
if [ -n "${FIND}" ]; then
COUNT=0
for SERVICE in ${FIND}; do
LogText "Found service (at boot, runlevel 2): ${SERVICE}"
@ -624,7 +676,7 @@
LogText "Result: found ${COUNT} services"
fi
elif [ -z "${sRUNLEVEL}" ]; then
ReportSuggestion ${TEST_NO} "Determine runlevel and services at startup"
ReportSuggestion "${TEST_NO}" "Determine runlevel and services at startup"
else
LogText "Result: skipping further actions"
fi
@ -646,7 +698,7 @@
LogText "Result: directory ${DIR} found"
LogText "Test: checking for available files in directory"
FIND=$(${FINDBINARY} ${DIR} -type f -print | ${SORTBINARY})
if [ ! -z "${FIND}" ]; then
if [ -n "${FIND}" ]; then
LogText "Result: found files in directory, checking permissions now"
for FILE in ${FIND}; do
LogText "Test: checking permissions of file ${FILE}"
@ -695,7 +747,7 @@
LogText "Test: Checking ${CHECKFILE} file for writable bit"
if IsWorldWritable ${CHECKFILE}; then
FOUND=1
ReportWarning ${TEST_NO} "Found writable startup script ${CHECKFILE}"
ReportWarning "${TEST_NO}" "Found writable startup script ${CHECKFILE}"
LogText "Result: warning, file ${CHECKFILE} is world writable"
else
LogText "Result: good, file ${CHECKFILE} not world writable"
@ -706,7 +758,7 @@
# Check results
if [ ${FOUND} -eq 1 ]; then
Display --indent 2 --text "- Check startup files (permissions)" --result "${STATUS_WARNING}" --color RED
ReportWarning ${TEST_NO} "Found world writable startup scripts" "-" "-"
ReportWarning "${TEST_NO}" "Found world writable startup scripts" "-" "-"
LogText "Result: found one or more scripts which are possibly writable by other users"
AddHP 0 3
else
@ -728,20 +780,20 @@
Linux)
# Idle time, not real uptime
if [ -f /proc/uptime ]; then
UPTIME_IN_SECS=$(cat /proc/uptime | ${CUTBINARY} -d ' ' -f1 | ${CUTBINARY} -d '.' -f1)
UPTIME_IN_SECS=$(${CUTBINARY} -d ' ' -f1 /proc/uptime | ${CUTBINARY} -d '.' -f1)
else
Display --indent 2 --text "- Checking uptime" --result "${STATUS_SKIPPED}" --color YELLOW
ReportException "${TEST_NO}:1" "No uptime test available for this operating system (/proc/uptime missing)"
fi
;;
;;
DragonFly | FreeBSD | macOS)
if [ ! -z "${SYSCTLBINARY}" ]; then
DragonFly | FreeBSD | macOS)
if [ -n "${SYSCTLBINARY}" ]; then
TIME_BOOT=$(${SYSCTLBINARY} kern.boottime | ${AWKBINARY} '{ print $5 }' | ${SEDBINARY} -e 's/,//' | ${GREPBINARY} "[0-9]")
TIME_NOW=$(date "+%s")
LogText "Boot time: ${TIME_BOOT}"
LogText "Current time: ${TIME_NOW}"
if [ ! -z "${TIME_BOOT}" -a ! -z "${TIME_NOW}" ]; then
if [ -n "${TIME_BOOT}" -a -n "${TIME_NOW}" ]; then
UPTIME_IN_SECS=$((TIME_NOW - TIME_BOOT))
else
ReportException "${TEST_NO}:5" "Most likely kern.boottime empty, unable to determine uptime"
@ -750,15 +802,15 @@
Display --indent 2 --text "- Checking uptime" --result "${STATUS_SKIPPED}" --color YELLOW
ReportException "${TEST_NO}:4" "No uptime test available for this operating system (sysctl missing)"
fi
;;
;;
NetBSD | OpenBSD)
if [ ! -z "${SYSCTLBINARY}" ]; then
NetBSD | OpenBSD)
if [ -n "${SYSCTLBINARY}" ]; then
TIME_BOOT=$(${SYSCTLBINARY} -n kern.boottime)
TIME_NOW=$(date "+%s")
LogText "Boot time: ${TIME_BOOT}"
LogText "Current time: ${TIME_NOW}"
if [ ! -z "${TIME_BOOT}" -a ! -z "${TIME_NOW}" ]; then
if [ -n "${TIME_BOOT}" -a -n "${TIME_NOW}" ]; then
UPTIME_IN_SECS=$((TIME_NOW - TIME_BOOT))
else
ReportException "${TEST_NO}:5" "Most likely kern.boottime empty, unable to determine uptime"
@ -767,25 +819,26 @@
Display --indent 2 --text "- Checking uptime" --result "${STATUS_SKIPPED}" --color YELLOW
ReportException "${TEST_NO}:4" "No uptime test available for this operating system (sysctl missing)"
fi
;;
;;
Solaris)
if [ ! -z "${KSTATBINARY}" ]; then
if [ -n "${KSTATBINARY}" ]; then
UPTIME_IN_SECS=$(${KSTATBINARY} -p unix:0:system_misc:snaptime | ${GREPBINARY} "^unix" | ${AWKBINARY} '{print $2}' | ${CUTBINARY} -d "." -f1)
else
Display --indent 2 --text "- Checking uptime" --result "${STATUS_SKIPPED}" --color YELLOW
ReportException "${TEST_NO}:2" "No uptime test available for this operating system (kstat missing)"
fi
;;
;;
*)
Display --indent 2 --text "- Checking uptime" --result "${STATUS_SKIPPED}" --color YELLOW
# Want to help improving Lynis? Share your operating system and a way to determine the uptime (in seconds)
ReportException "${TEST_NO}:3" "No uptime test available yet for this operating system"
;;
;;
esac
if [ ! -z "${UPTIME_IN_SECS}" ]; then
if [ -n "${UPTIME_IN_SECS}" ]; then
UPTIME_IN_DAYS=$((UPTIME_IN_SECS / 60 / 60 / 24))
LogText "Uptime (in seconds): ${UPTIME_IN_SECS}"
LogText "Uptime (in days): ${UPTIME_IN_DAYS}"
@ -800,14 +853,14 @@
#
# Test : BOOT-5260
# Description : Check single user mode for systemd
Register --test-no BOOT-5260 --weight L --network NO --category security --description "Check single user mode for systemd"
Register --test-no BOOT-5260 --os Linux --weight L --network NO --category security --description "Check single user mode for systemd"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Searching /usr/lib/systemd/system/rescue.service"
if [ -f ${ROOTDIR}usr/lib/systemd/system/rescue.service ]; then
LogText "Result: file /usr/lib/systemd/system/rescue.service"
LogText "Test: checking presence sulogin for single user mode"
FIND=$(${EGREPBINARY} "^ExecStart=.*sulogin" ${ROOTDIR}usr/lib/systemd/system/rescue.service)
if [ ! -z "${FIND}" ]; then
if [ -n "${FIND}" ]; then
FOUND=1
LogText "Result: found sulogin, so single user is protected"
AddHP 3 3
@ -823,6 +876,158 @@
fi
#
#################################################################################
#
# Test : BOOT-5262
# Description : Check for OpenBSD boot daemons
Register --test-no BOOT-5262 --os OpenBSD --weight L --network NO --category security --description "Check for OpenBSD boot daemons"
if [ ${SKIPTEST} -eq 0 ]; then
if HasData "${RCCTLBINARY}"; then
LogText "Result: rcctl binary found, trying that to discover information"
# OpenBSD (Ask rcctl(8) for running daemons)
LogText "Searching for running daemons (rcctl)"
FIND=$(${RCCTLBINARY} ls started)
COUNT=0
Report "running_service_tool=rcctl"
for ITEM in ${FIND}; do
LogText "Found running daemon: ${ITEM}"
Report "running_service[]=${ITEM}"
COUNT=$((COUNT + 1 ))
done
LogText "Note: Run rcctl ls all | egrep '^(pf|check_quotas|library_aslr)$' to see all daemons"
Display --indent 2 --text "- Check running daemons (rcctl)" --result "${STATUS_DONE}" --color GREEN
Display --indent 8 --text "Result: found ${COUNT} running daemons"
LogText "Result: Found ${COUNT} running daemons"
# OpenBSD (Ask rcctl(8) for enabled daemons)
LogText "Searching for enabled daemons (rcctl)"
FIND=$(${RCCTLBINARY} ls on | ${EGREPBINARY} -v '^(pf|check_quotas|library_aslr)$')
COUNT=0
Report "boot_service_tool=rcctl"
for ITEM in ${FIND}; do
LogText "Found enabled daemon at boot: ${ITEM}"
Report "boot_service[]=${ITEM}"
COUNT=$((COUNT + 1 ))
done
LogText "Note: Run rcctl ls all | egrep '^(pf|check_quotas|library_aslr)$' to see all daemons"
Display --indent 2 --text "- Check enabled daemons at boot (rcctl)" --result "${STATUS_DONE}" --color GREEN
Display --indent 8 --text "Result: found ${COUNT} enabled daemons at boot"
LogText "Result: Found ${COUNT} enabled daemons at boot"
fi
fi
#
#################################################################################
#
# Test : BOOT-5263
# Description : Check OpenBSD world writable startup scripts
Register --test-no BOOT-5263 --os OpenBSD --weight L --network NO --category security --description "Check permissions for boot files/scripts"
if [ ${SKIPTEST} -eq 0 ]; then
FOUND=0
CHECKDIR="${ROOTDIR}etc/rc.d"
LogText "Result: checking ${ROOTDIR}etc/rc.d scripts for writable bit"
LogText "Test: checking if directory ${DIR} exists"
if [ -d ${CHECKDIR} ]; then
LogText "Result: directory ${DIR} found"
LogText "Test: checking for available files in directory"
# OpenBSD uses symlinks to create another instance of daemons
FIND=$(${FINDBINARY} ${CHECKDIR} \( -type f -o -type l \) -print | ${SORTBINARY})
if [ -n "${FIND}" ]; then
LogText "Result: found files in directory, checking permissions now"
for FILE in ${FIND}; do
LogText "Test: checking permissions of file ${FILE}"
ShowSymlinkPath "${FILE}"
if [ ${FOUNDPATH} -eq 1 ]; then
CHECKFILE="${SYMLINK}"
LogText "Result: found the path behind this symlink (${CHECKFILE} --> ${FILE})"
else
CHECKFILE="${FILE}"
fi
if IsWorldWritable ${CHECKFILE}; then
FOUND=1
LogText "Result: warning, file ${CHECKFILE} is world writable"
else
LogText "Result: good, file ${CHECKFILE} not world writable"
fi
done
else
LogText "Result: found no files in directory."
fi
else
LogText "Result: directory ${CHECKDIR} not found. Skipping.."
fi
# Other files
CHECKFILES="${ROOTDIR}etc/rc ${ROOT}etc/rc.conf ${ROOT}etc/rc.conf.local ${ROOTDIR}etc/rc.local"
for I in ${CHECKFILES}; do
if [ -f ${I} ]; then
ShowSymlinkPath "${I}"
if [ ${FOUNDPATH} -eq 1 ]; then
CHECKFILE="${SYMLINK}"
LogText "Result: found the path behind this symlink (${CHECKFILE} --> ${I})"
else
CHECKFILE="${I}"
fi
LogText "Test: Checking ${CHECKFILE} file for writable bit"
if IsWorldWritable ${CHECKFILE}; then
FOUND=1
ReportWarning "${TEST_NO}" "Found writable startup script ${CHECKFILE}"
LogText "Result: warning, file ${CHECKFILE} is world writable"
else
LogText "Result: good, file ${CHECKFILE} not world writable"
fi
fi
done
# Check results
if [ ${FOUND} -eq 1 ]; then
Display --indent 2 --text "- Check startup files (permissions)" --result "${STATUS_WARNING}" --color RED
ReportWarning "${TEST_NO}" "Found world writable startup scripts" "-" "-"
LogText "Result: found one or more scripts which are possibly writable by other users"
AddHP 0 3
else
Display --indent 2 --text "- Check startup files (permissions)" --result "${STATUS_OK}" --color GREEN
AddHP 3 3
fi
fi
#
#################################################################################
#
# Test : BOOT-5264
# Description : Run systemd-analyze security
if [ -z "${SYSTEMDANALYZEBINARY}" ]; then SKIPREASON="systemd-analyze not available"; PREQS_MET="NO";
else
SYSTEMD_VERSION=$("${SYSTEMDANALYZEBINARY}" --version | ${AWKBINARY} '/^systemd / {print $2}')
if [ "${SYSTEMD_VERSION}" -ge 240 ]; then PREQS_MET="YES"; else SKIPREASON="systemd-analyze too old (v${SYSTEMD_VERSION}), need at least v240"; PREQS_MET="NO"; fi
fi
Register --test-no BOOT-5264 --preqs-met ${PREQS_MET} --skip-reason "${SKIPREASON}" --os Linux --weight L --network NO --category security --description "Run systemd-analyze security"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Run systemd-analyze security"
Display --indent 2 --text "- Running 'systemd-analyze security'"
${SYSTEMDANALYZEBINARY} security | while read UNIT EXPOSURE PREDICATE HAPPY; do
if [ "${UNIT}" = "UNIT" ]; then
continue
fi
COLOR="BLACK"
case ${PREDICATE} in
PERFECT | SAFE | OK)
COLOR=GREEN
;;
MEDIUM)
COLOR=WHITE
;;
EXPOSED)
COLOR=YELLOW
;;
UNSAFE | DANGEROUS)
COLOR=RED
;;
esac
Display --indent 8 --text "- ${UNIT}:" --result "${PREDICATE}" --color "${COLOR}"
LogText "Result: ${UNIT}: ${EXPOSURE} ${PREDICATE}"
done
ReportSuggestion "${TEST_NO}" "Consider hardening system services" "Run '${SYSTEMDANALYZEBINARY} security SERVICE' for each service"
fi
#
#################################################################################
#
Report "boot_loader=${BOOT_LOADER}"
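Review bot: in BOOT-5263 the extra file list uses `${ROOT}etc/rc.conf ${ROOT}etc/rc.conf.local` instead of `${ROOTDIR}`; with ROOT unset those become relative paths, the `-f` test fails and rc.conf and rc.conf.local are silently never checked. In the same test the log messages refer to `${DIR}` while the directory variable is CHECKDIR, so the log prints an empty or stale name, and a world-writable script under rc.d only sets FOUND without the per-file ReportWarning that the loop over the other files emits. In BOOT-5262 the hint "Run rcctl ls all | egrep '^(pf|check_quotas|library_aslr)$'" would show only those three entries, the opposite of what the `-v` filter on `rcctl ls on` hides; the hint needs `egrep -v`. In BOOT-5264 the suggestion "Consider hardening system services" is reported unconditionally, even when every unit scores SAFE, and because the `while read` runs in a pipeline subshell no counter set inside it would survive; capture the output into a variable first and report the suggestion only when at least one unit is EXPOSED or UNSAFE. `[ "${SYSTEMD_VERSION}" -ge 240 ]` also aborts with an error if the version parse yields an empty or non-integer string; guard it with a digits-only check before comparing.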

View File

@ -6,7 +6,7 @@
# ------------------
#
# Copyright 2007-2013, Michael Boelen
# Copyright 2007-2019, CISOfy
# Copyright 2007-2020, CISOfy
#
# Website : https://cisofy.com
# Blog : http://linux-audit.com
@ -40,7 +40,7 @@
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: query zoneadm to list all running zones"
FIND=$(${ROOTDIR}usr/sbin/zoneadm list -p | ${AWKBINARY} -F: '{ if ($2!="global") print $0 }')
if [ ! -z "${FIND}" ]; then
if [ -n "${FIND}" ]; then
COUNT=0
for ITEM in ${FIND}; do
COUNT=$((COUNT + 1))
@ -81,8 +81,7 @@
# Description : Checking Docker daemon status and basic information for later tests
Register --test-no CONT-8102 --weight L --network NO --category security --description "Checking Docker status and information"
if [ ${SKIPTEST} -eq 0 ]; then
IsRunning "dockerd"
if [ ${RUNNING} -eq 1 ]; then
if IsRunning "dockerd"; then
LogText "Result: found Docker daemon running"
Report "docker_daemon_running=1"
DOCKER_DAEMON_RUNNING=1
@ -131,14 +130,14 @@
# Test : CONT-8106
# Description : Checking Docker containers (basic stats)
# Notes : Hardening points are awarded, if there aren't a lot of stopped containers
if [ ! -z "${DOCKERBINARY}" -a ${RUN_DOCKER_TESTS} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
if [ -n "${DOCKERBINARY}" -a ${RUN_DOCKER_TESTS} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no CONT-8106 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Gather basic stats from Docker"
if [ ${SKIPTEST} -eq 0 ]; then
Display --indent 6 --text "- Containers"
# Check total of containers
LogText "Test: checking total amount of Docker containers"
DOCKER_CONTAINERS_TOTAL=$(${DOCKERBINARY} info 2> /dev/null | ${GREPBINARY} "^Containers: " | ${AWKBINARY} '{ print $2 }')
DOCKER_CONTAINERS_TOTAL=$(${DOCKERBINARY} info 2> /dev/null | ${EGREPBINARY} "^[ \t]?Containers: " | ${AWKBINARY} '{ print $2 }')
if [ -z "${DOCKER_CONTAINERS_TOTAL}" ]; then
DOCKER_CONTAINERS_TOTAL=0
fi
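Review bot: `^[ \t]?Containers: ` on the EGREPBINARY line allows at most one leading whitespace character, so any deeper indentation of the `Containers:` line in `docker info` output silently falls through to `DOCKER_CONTAINERS_TOTAL=0`; `^[ \t]*Containers: ` covers the intended case without that edge. The `-a` inside `[ ... ]` on the prerequisite line is marked obsolescent by POSIX; `[ -n "${DOCKERBINARY}" ] && [ ${RUN_DOCKER_TESTS} -eq 1 ]` is the portable form.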
@ -171,7 +170,7 @@
# Test : CONT-8107
# Description : Checking Docker number of unused containers
# Notes : Hardening points are awarded, if there aren't a lot of stopped containers
if [ ! -z "${DOCKERBINARY}" -a ${RUN_DOCKER_TESTS} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
if [ -n "${DOCKERBINARY}" -a ${RUN_DOCKER_TESTS} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no CONT-8107 --preqs-met ${PREQS_MET} --weight L --network NO --category performance --description "Check number of Docker containers"
if [ ${SKIPTEST} -eq 0 ]; then
# Check if there aren't too many unused containers on the system
@ -194,7 +193,7 @@
# Test : CONT-8108
# Description : Checking Docker file permissions
# Notes : /var/run/docker.sock - Usually root as owner, docker as group - should not be world writable
if [ ! -z "${DOCKERBINARY}" -a ${RUN_DOCKER_TESTS} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
if [ -n "${DOCKERBINARY}" -a ${RUN_DOCKER_TESTS} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no CONT-8108 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check file permissions for Docker files"
if [ ${SKIPTEST} -eq 0 ]; then
NOT_WORLD_WRITABLE="${ROOTDIR}var/run/docker.sock"
@ -227,4 +226,4 @@ WaitForKeyPress
#
#================================================================================
# Lynis - Copyright 2007-2019, CISOfy - https://cisofy.com
# Lynis - Copyright 2007-2020, CISOfy - https://cisofy.com

@ -6,7 +6,7 @@
# ------------------
#
# Copyright 2007-2013, Michael Boelen
# Copyright 2007-2019, CISOfy
# Copyright 2007-2020, CISOfy
#
# Website : https://cisofy.com
# Blog : http://linux-audit.com
@ -21,6 +21,10 @@
# Cryptography
#
#################################################################################
#
RNG_FOUND=0
#
#################################################################################
#
InsertSection "Cryptography"
#
@ -28,61 +32,91 @@
#
# Test : CRYP-7902
# Description : check for expired SSL certificates
if [ ! -z "${OPENSSLBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
if [ -n "${OPENSSLBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no CRYP-7902 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check expire date of SSL certificates"
if [ ${SKIPTEST} -eq 0 ]; then
COUNT_EXPIRED=0
COUNT_TOTAL=0
FOUNDPROBLEM=0
sSSL_PATHS=$(echo ${SSL_CERTIFICATE_PATHS} | ${SEDBINARY} 's/:/ /g')
sSSL_PATHS=$(echo ${sSSL_PATHS} | ${SEDBINARY} 's/^ //' | ${TRBINARY} " " "\n" | ${SORTBINARY} | uniq | ${TRBINARY} "\n" " ")
SKIP=0
sSSL_PATHS=$(echo ${SSL_CERTIFICATE_PATHS} | ${SEDBINARY} 's/:space:/__space__/g' | ${SEDBINARY} 's/:/ /g')
sSSL_PATHS=$(echo ${sSSL_PATHS} | ${SEDBINARY} 's/^ //' | ${SORTBINARY} -u)
LogText "Paths to scan: ${sSSL_PATHS}"
IGNORE_PATHS_PRINT=$(echo ${SSL_CERTIFICATE_PATHS_TO_IGNORE} | ${SEDBINARY} 's/:/, /g' | ${SEDBINARY} 's/__space__/ /g' | ${SEDBINARY} 's/^ //' | ${SORTBINARY} -u)
LogText "Paths to ignore: ${IGNORE_PATHS_PRINT}"
for DIR in ${sSSL_PATHS}; do
COUNT_DIR=0
if [ -d ${DIR} ]; then
FileIsReadable ${DIR}
if [ ${CANREAD} -eq 1 ]; then
LASTSUBDIR=""
LogText "Result: found directory ${DIR}"
# Search for certificate files
FILES=$(${FINDBINARY} ${DIR} -type f 2> /dev/null | ${EGREPBINARY} ".crt$|.pem$|^cert" | ${SORTBINARY} | ${SEDBINARY} 's/ /:space:/g')
FILES=$(${FINDBINARY} ${DIR} -type f 2> /dev/null | ${EGREPBINARY} ".cer$|.crt$|.der$|.pem$|^cert" | ${SORTBINARY} | ${SEDBINARY} 's/ /__space__/g')
for FILE in ${FILES}; do
FILE=$(echo ${FILE} |${SEDBINARY} 's/:space:/ /g')
COUNT_DIR=$((COUNT_DIR + 1))
FileIsReadable "${FILE}"
if [ ${CANREAD} -eq 1 ]; then
# Only check the files that are not installed by a package
if ! FileInstalledByPackage "${FILE}"; then
LogText "Test: test if file is a certificate"
OUTPUT=$(${GREPBINARY} -q 'BEGIN CERT' "${FILE}")
if [ $? -eq 0 ]; then
LogText "Result: file is a certificate"
LogText "Test: checking certificate details"
FIND=$(${OPENSSLBINARY} x509 -noout -in "${FILE}" -enddate 2> /dev/null | ${GREPBINARY} "^notAfter")
if [ $? -eq 0 ]; then
# Check certificate where 'end date' has been expired
FIND=$(${OPENSSLBINARY} x509 -noout -checkend 0 -in "${FILE}" -enddate 2> /dev/null)
EXIT_CODE=$?
CERT_CN=$(${OPENSSLBINARY} x509 -noout -subject -in "${FILE}" 2> /dev/null | ${SEDBINARY} -e 's/^subject.*CN=\([a-zA-Z0-9\.\-\*]*\).*$/\1/')
CERT_NOTAFTER=$(${OPENSSLBINARY} x509 -noout -enddate -in "${FILE}" 2> /dev/null | ${AWKBINARY} -F= '{if ($1=="notAfter") { print $2 }}')
Report "certificate[]=${FILE}|${EXIT_CODE}|cn:${CERT_CN};notafter:${CERT_NOTAFTER};|"
if [ ${EXIT_CODE} -eq 0 ]; then
LogText "Result: certificate ${FILE} seems to be correct and still valid"
FILE=$(echo ${FILE} | ${SEDBINARY} 's/__space__/ /g')
# See if we need to skip this path
SUBDIR=$(echo ${FILE} | ${AWKBINARY} -F/ 'sub(FS $NF,x)' | ${SEDBINARY} 's/__space__/ /g')
# If we discover a new directory, do evaluation
#Debug "File : ${FILE}"
#Debug "Lastdir: ${LASTSUBDIR}"
#Debug "Curdir : ${SUBDIR}"
if [ ! "${SUBDIR}" = "${LASTSUBDIR}" ]; then
SKIP=0
# Now check if this path is on the to-be-ignored list
for D in ${SSL_CERTIFICATE_PATHS_TO_IGNORE}; do
if ContainsString "${D}" "${SUBDIR}"; then
SKIP=1
LogText "Result: skipping directory (${SUBDIR}) as it is on ignore list"
fi
done
fi
if [ ${SKIP} -eq 0 ]; then
#Debug "Testing ${FILE} in path: $SUBDIR"
COUNT_DIR=$((COUNT_DIR + 1))
FileIsReadable "${FILE}"
if [ ${CANREAD} -eq 1 ]; then
# Only check the files that are not installed by a package, unless enabled by profile
if [ ${SSL_CERTIFICATE_INCLUDE_PACKAGES} -eq 1 ] || ! FileInstalledByPackage "${FILE}"; then
echo ${FILE} | ${EGREPBINARY} --quiet ".cer$|.der$"
CER_DER=$?
OUTPUT=$(${GREPBINARY} -q 'BEGIN CERT' "${FILE}")
if [ $? -eq 0 -o ${CER_DER} -eq 0 ]; then
LogText "Result: file is a certificate file"
if [ ${CER_DER} -eq 0 ]; then
SSL_DER_OPT="-inform der"
else
FOUNDPROBLEM=1
COUNT_EXPIRED=$((COUNT_EXPIRED + 1))
LogText "Result: certificate ${FILE} has been expired"
SSL_DER_OPT=
fi
FIND=$(${OPENSSLBINARY} x509 -noout ${SSL_DER_OPT} -in "${FILE}" -enddate 2> /dev/null | ${GREPBINARY} "^notAfter")
if [ $? -eq 0 ]; then
# Check certificate where 'end date' has been expired
FIND=$(${OPENSSLBINARY} x509 -noout ${SSL_DER_OPT} -checkend 0 -in "${FILE}" -enddate 2> /dev/null)
EXIT_CODE=$?
CERT_CN=$(${OPENSSLBINARY} x509 -noout ${SSL_DER_OPT} -subject -in "${FILE}" 2> /dev/null | ${SEDBINARY} -e 's/^subject.*CN=\([a-zA-Z0-9\.\-\*]*\).*$/\1/')
CERT_NOTAFTER=$(${OPENSSLBINARY} x509 -noout ${SSL_DER_OPT} -enddate -in "${FILE}" 2> /dev/null | ${AWKBINARY} -F= '{if ($1=="notAfter") { print $2 }}')
Report "certificate[]=${FILE}|${EXIT_CODE}|cn:${CERT_CN};notafter:${CERT_NOTAFTER};|"
if [ ${EXIT_CODE} -eq 0 ]; then
LogText "Result: certificate ${FILE} seems to be correct and still valid"
else
FOUNDPROBLEM=1
COUNT_EXPIRED=$((COUNT_EXPIRED + 1))
LogText "Result: certificate ${FILE} has been expired"
fi
else
LogText "Result: skipping tests for this file (${FILE}) as it is most likely not a certificate (is it a key file?)"
fi
else
LogText "Result: skipping tests for this file (${FILE}) as it is most likely not a certificate (a key file?)"
LogText "Result: skipping test for this file (${FILE}) as we could not find 'BEGIN CERT'"
fi
else
LogText "Result: skipping test for this file (${FILE}) as we could not find 'BEGIN CERT'"
fi
else
LogText "Result: can not read file ${FILE} (no permission)"
fi
else
LogText "Result: can not read file ${FILE} (no permission)"
fi
LASTSUBDIR="${SUBDIR}"
done
COUNT_TOTAL=$((COUNT_TOTAL + COUNT_DIR))
LogText "Result: found ${COUNT_DIR} certificates in ${DIR}"
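Review bot: deduplication is lost at `sSSL_PATHS=$(echo ${sSSL_PATHS} | ${SEDBINARY} 's/^ //' | ${SORTBINARY} -u)`: `echo` emits all paths on a single line and `sort -u` only collapses duplicate lines, so the `tr " " "\n"` step from the removed version is still needed in front of the sort (the same applies to IGNORE_PATHS_PRINT, which is a single comma-joined line by the time it reaches `sort -u`). Separately, the ignore list is treated as colon-separated when printed (`s/:/, /g`) but word-split on whitespace in `for D in ${SSL_CERTIFICATE_PATHS_TO_IGNORE}`, so a colon-separated list of several directories is compared as one string against `${SUBDIR}` and never matches; split it the same way SSL_CERTIFICATE_PATHS is split. Finally, `[ ${SSL_CERTIFICATE_INCLUDE_PACKAGES} -eq 1 ]` produces a syntax error when the profile leaves the variable unset; quote it or give it a default of 0.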
@ -100,9 +134,166 @@
Display --indent 2 --text "- Checking for expired SSL certificates [${COUNT_EXPIRED}/${COUNT_TOTAL}]" --result "${STATUS_NONE}" --color GREEN
else
Display --indent 2 --text "- Checking for expired SSL certificates [${COUNT_EXPIRED}/${COUNT_TOTAL}]" --result "${STATUS_FOUND}" --color RED
ReportSuggestion ${TEST_NO} "Check available certificates for expiration"
ReportSuggestion "${TEST_NO}" "Check available certificates for expiration"
fi
fi
#
#################################################################################
#
# Test : CRYP-7930
# Description : Determine if system uses LUKS block device encryption
Register --test-no CRYP-7930 --os Linux --weight L --network NO --root-only YES --category security --description "Determine if system uses LUKS block device encryption"
if [ ${SKIPTEST} -eq 0 ]; then
CRYPTTABFILE="${ROOTDIR}etc/crypttab"
FOUND=0
# cryptsetup only works as root
if [ -n "${LSBLKBINARY}" ] && [ -n "${CRYPTSETUPBINARY}" ] && [ ${FORENSICS_MODE} -eq 0 ]; then
for BLOCK_DEV in $(${LSBLKBINARY} --noheadings --list -o NAME 2> /dev/null | cut -d' ' -f1); do
if ${CRYPTSETUPBINARY} isLuks $(${FINDBINARY} /dev/ -name "${BLOCK_DEV}" 2> /dev/null) 2> /dev/null; then
LogText "Result: Found LUKS encrypted block device: ${BLOCK_DEV}"
Report "encryption[]=luks,block_device,${BLOCK_DEV}"
FOUND=$((FOUND +1))
else
LogText "Result: block device ${BLOCK_DEV} is not LUKS encrypted"
fi
done
unset BLOCK_DEV
# This will enable us to do a test for forensics or when crypsetup/lsblk are not available
elif [ -f ${CRYPTTABFILE} ]; then
LogText "Result: crypttab (${CRYPTTABFILE}) exists"
DATA=$(${GREPBINARY} "^[a-z]" ${CRYPTTABFILE} | ${TRBINARY} -cd '[:alnum:]_\-=,\n\t ' | ${SEDBINARY} 's/[[:blank:]]/__space__/g')
for LINE in ${DATA}; do
LINE=$(echo ${LINE} | ${SEDBINARY} 's/__space__/ /g')
if ContainsString "luks," "${LINE}"; then
PARTITION=$(echo ${LINE} | ${AWKBINARY} '{print $1}' | ${AWKBINARY} -F_ '{print $1}')
LogText "Result: Found LUKS encryption on partition ${PARTITION}"
Report "encryption[]=luks,partition,${PARTITION}"
FOUND=$((FOUND +1))
fi
done
unset DATA LINE PARTITION
fi
if [ ${FOUND} -gt 0 ]; then
Display --indent 2 --text "- Found ${FOUND} LUKS encrypted block devices." --result OK --color WHITE
fi
unset FOUND
fi
#
#################################################################################
#
# Test : CRYP-7931
# Description : Determine if system uses encrypted swap
if [ -e "${SWAPONBINARY}" -a -e "${CRYPTSETUPBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no CRYP-7931 --preqs-met ${PREQS_MET} --os Linux --weight L --network NO --root-only YES --category security --description "Determine if system uses encrypted swap"
if [ ${SKIPTEST} -eq 0 ]; then
ENCRYPTED_SWAPS=0
UNENCRYPTED_SWAPS=0
# Redirect errors, as RHEL 5/6 and others don't have the --show option
SWAPS=$(${SWAPONBINARY} --show=NAME --noheadings 2> /dev/null)
if [ $? -eq 0 ]; then
for BLOCK_DEV in ${SWAPS}; do
if ${CRYPTSETUPBINARY} isLuks "${BLOCK_DEV}" 2> /dev/null; then
LogText "Result: Found LUKS encrypted swap device: ${BLOCK_DEV}"
ENCRYPTED_SWAPS=$((ENCRYPTED_SWAPS + 1))
Report "encrypted_swap[]=${BLOCK_DEV},LUKS"
elif ${CRYPTSETUPBINARY} status "${BLOCK_DEV}" 2> /dev/null | ${GREPBINARY} --quiet "cipher:"; then
LogText "Result: Found non-LUKS encrypted swap device: ${BLOCK_DEV}"
ENCRYPTED_SWAPS=$((ENCRYPTED_SWAPS + 1))
Report "encrypted_swap[]=${BLOCK_DEV},other"
else
LogText "Result: Found unencrypted swap device: ${BLOCK_DEV}"
UNENCRYPTED_SWAPS=$((UNENCRYPTED_SWAPS +1))
Report "non_encrypted_swap[]=${BLOCK_DEV}"
fi
done
Display --indent 2 --text "- Found ${ENCRYPTED_SWAPS} encrypted and ${UNENCRYPTED_SWAPS} unencrypted swap devices in use." --result OK --color WHITE
else
LogText "Result: skipping testing as swapon returned an error."
fi
fi
#
#################################################################################
#
# Test : CRYP-8002
# Description : Gather available kernel entropy
Register --test-no CRYP-8002 --os Linux --weight L --network NO --root-only NO --category security --description "Gather available kernel entropy"
if [ ${SKIPTEST} -eq 0 ]; then
if [ -f ${ROOTDIR}proc/sys/kernel/random/entropy_avail ]; then
DATA=$(${AWKBINARY} '$1 ~ /^[0-9]+$/ {print $1}' ${ROOTDIR}proc/sys/kernel/random/entropy_avail)
if [ -n "${DATA}" ]; then
LogText "Result: found kernel entropy value of ${DATA}"
Report "kernel_entropy=${DATA}"
if [ ${DATA} -gt 200 ]; then
Display --indent 2 --text "- Kernel entropy is sufficient" --result "${STATUS_YES}" --color GREEN
else
Display --indent 2 --text "- Kernel entropy is sufficient" --result "${STATUS_NO}" --color YELLOW
# TODO - enable suggestion when information on website is available
fi
fi
fi
fi
#
#################################################################################
#
# Test : CRYP-8004
# Description : Test for presence of hardware random number generators
Register --test-no CRYP-8004 --os Linux --weight L --network NO --root-only NO --category security --description "Presence of hardware random number generators"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: looking for ${ROOTDIR}sys/class/misc/hw_random/rng_current"
if [ -f "${ROOTDIR}sys/class/misc/hw_random/rng_current" ]; then
DATA=$(${HEADBINARY} --lines=1 ${ROOTDIR}sys/class/misc/hw_random/rng_current | ${TRBINARY} -d '[[:cntrl:]]')
if [ "${DATA}" != "none" ]; then
LogText "Result: positive match, found RNG: ${DATA}"
if IsRunning "rngd"; then
Display --indent 2 --text "- HW RNG & rngd" --result "${STATUS_YES}" --color GREEN
LogText "Result: rngd is running"
RNG_FOUND=1
else
Display --indent 2 --text "- HW RNG & rngd" --result "${STATUS_NO}" --color YELLOW
# TODO - enable suggestion when website has listing for this control
# ReportSuggestion "${TEST_NO}" "Utilize hardware random number generation by running rngd"
fi
else
Display --indent 2 --text "- HW RNG & rngd" --result "${STATUS_NO}" --color YELLOW
LogText "Result: no HW RNG available"
fi
else
Display --indent 2 --text "- HW RNG & rngd" --result "${STATUS_NO}" --color RED
LogText "Result: could not find ${ROOTDIR}sys/class/misc/hw_random/rng_current"
fi
fi
#
#################################################################################
#
# Test : CRYP-8005
# Description : Test for presence of software pseudo random number generators
Register --test-no CRYP-8005 --os Linux --weight L --network NO --root-only NO --category security --description "Presence of software pseudo random number generators"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: looking for software pseudo random number generators"
FOUND=""
for SERVICE in audio-entropyd haveged jitterentropy-rngd; do
# Using --full as jitterentropy-rngd would otherwise not match
if IsRunning --full "${SERVICE}"; then
FOUND="${FOUND} ${SERVICE}"
fi
done
if [ -z "${FOUND}" ]; then
Display --indent 2 --text "- SW prng" --result "${STATUS_NO}" --color YELLOW
# ReportSuggestion "${TEST_NO}" "Utilize software pseudo random number generators"
else
RNG_FOUND=1
Display --indent 2 --text "- SW prng" --result "${STATUS_YES}" --color GREEN
LogText "Result: found ${FOUND} running"
fi
fi
#
#################################################################################
#
Report "rng_found=${RNG_FOUND}"
#
#################################################################################
#
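Review bot: in CRYP-7931, `swapon --show=NAME` lists the device that is actually swapped on, which for LUKS-backed swap is the dm-crypt mapping (the plaintext side) rather than the LUKS container, so `${CRYPTSETUPBINARY} isLuks "${BLOCK_DEV}"` finds no LUKS header and every encrypted swap lands in the `other` branch via the `cipher:` match; parsing the `type:` line of `cryptsetup status` output would classify LUKS correctly. In CRYP-7930, when `$(${FINDBINARY} /dev/ -name "${BLOCK_DEV}" ...)` returns nothing, `isLuks` runs with no argument and that failure is logged as "not LUKS encrypted"; check the lookup result first. Minor: `cut -d' ' -f1` on the lsblk line bypasses the `${...BINARY}` convention used everywhere else in the file.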

@ -109,7 +109,7 @@
#################################################################################
#
# Test : CUST-0040
# Description : Our second test, with a prequisite test
# Description : Our second test, with a prerequisite test
# First check if OPENSSLBINARY is known as a prerequisite for this test
# ! means "not". So if the binary is known, the prerequisite is matched. Otherwise we set it to NO and define a reason why we skipped this test
@ -134,7 +134,7 @@
Display --indent 2 --text "- Checking if everything is OK..." --result "${STATUS_OK}" --color GREEN
else
Display --indent 2 --text "- Checking if everything is OK..." --result "${STATUS_WARNING}" --color RED
ReportSuggestion ${TEST_NO} "This is a suggestion"
ReportSuggestion "${TEST_NO}" "This is a suggestion"
fi
fi
#

@ -6,7 +6,7 @@
# ------------------
#
# Copyright 2007-2013, Michael Boelen
# Copyright 2007-2019, CISOfy
# Copyright 2007-2020, CISOfy
#
# Website : https://cisofy.com
# Blog : http://linux-audit.com
@ -28,6 +28,14 @@
sMYCNFLOCS="${ROOTDIR}etc/mysql/my.cnf ${ROOTDIR}usr/etc/my.cnf"
REDIS_CONFIGURATION_FILES=""
REDIS_CONFIGURATION_FOUND=0
MYSQL_RUNNING=0
DATABASE_ENGINE_RUNNING=0
MONGODB_RUNNING=0
POSTGRESQL_RUNNING=0
ORACLE_RUNNING=0
DB2_RUNNING=0
REDIS_RUNNING=0
#
#################################################################################
#
@ -71,7 +79,7 @@
# Test : DBS-1816
# Description : Check empty MySQL root password
# Notes : Only perform test when MySQL is running and client is available
if [ ! -z "${MYSQLCLIENTBINARY}" -a ${MYSQL_RUNNING} -eq 1 ]; then PREQS_MET="YES"; SKIPREASON=""; else PREQS_MET="NO"; SKIPREASON="MySQL not installed, or not running"; fi
if [ -n "${MYSQLCLIENTBINARY}" -a ${MYSQL_RUNNING} -eq 1 ]; then PREQS_MET="YES"; SKIPREASON=""; else PREQS_MET="NO"; SKIPREASON="MySQL not installed, or not running"; fi
Register --test-no DBS-1816 --preqs-met ${PREQS_MET} --skip-reason "${SKIPREASON}" --weight L --network NO --category security --description "Checking MySQL root password"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Trying to login to local MySQL server without password"
@ -81,7 +89,7 @@
FIND=$(${MYSQLCLIENTBINARY} --no-defaults -u root --password= --silent --batch --execute="SELECT count(*) FROM mysql.user WHERE user = 'root' AND plugin = 'mysql_native_password' AND authentication_string = ''" mysql 2>/dev/null; echo $?)
if [ "${FIND}" = "0" ]; then
LogText "Result: Login succeeded, no MySQL root password set!"
ReportWarning ${TEST_NO} "No MySQL root password set"
ReportWarning "${TEST_NO}" "No MySQL root password set"
Display --indent 4 --text "- Checking empty MySQL root password" --result "${STATUS_WARNING}" --color RED
AddHP 0 5
else
@ -144,7 +152,7 @@
if [ ${MONGODB_AUTHORIZATION_ENABLED} -eq 0 ]; then
if HasData "${PGREPBINARY}"; then
AUTH_ON_CMDLINE=$(for I in $(${PGREPBINARY} mongo); do cat /proc/${I}/cmdline | xargs -0 echo | ${GREPBINARY} -E "\-\-auth( |$)"; done)
if [ ! -z "${AUTH_ON_CMDLINE}" ]; then LogText "Result: found authorization enabled via mongod parameter"; MONGODB_AUTHORIZATION_ENABLED=1; fi
if [ -n "${AUTH_ON_CMDLINE}" ]; then LogText "Result: found authorization enabled via mongod parameter"; MONGODB_AUTHORIZATION_ENABLED=1; fi
else
LogText "Result: skipped this part of the test, as pgrep is not available"
fi
@ -152,7 +160,7 @@
if [ ${MONGODB_AUTHORIZATION_ENABLED} -eq 0 ]; then
LogText "Result: no authorization enabled via parameter or configuration file"
Report "mongodb_authorization_disabled=1"
ReportWarning ${TEST_NO} "MongoDB instance allows any user to access databases"
ReportWarning "${TEST_NO}" "MongoDB instance allows any user to access databases"
Display --indent 4 --text "- Checking MongoDB authorization" --result "${STATUS_DISABLED}" --color RED
else
if IsVerbose; then Display --indent 4 --text "- Checking MongoDB authorization" --result "${STATUS_ENABLED}" --color GREEN; fi
@ -179,6 +187,31 @@
fi
#
#################################################################################
#
# Test : DBS-1828
# Description : Test PostgreSQL configuration file(s)
#
# Authentication:
# /var/lib/pgsql/data/pg_hba.conf
#
# Configuration
# Arch /var/lib/postgres/data/postgresql.conf
# CentOS/Fedora /var/lib/pgsql/data/postgresql.conf
# Ubuntu /etc/postgresql/x.y/main/postgresql.conf
if [ "${POSTGRESQL_RUNNING}" -eq 1 ]; then PREQS_MET="YES"; SKIPREASON=""; else PREQS_MET="NO"; SKIPREASON="PostgreSQL not installed or not running"; fi
Register --test-no DBS-1828 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Test PostgreSQL configuration"
if [ ${SKIPTEST} -eq 0 ]; then
FIND_PATHS="${ROOTDIR}etc/postgres ${ROOTDIR}var/lib/postgres/data"
CONFIG_FILES=$(${FINDBINARY} ${FIND_PATHS} -type f -name "postgresql.conf" -print0 2> /dev/null | ${TRBINARY} -cd '[:print:]\0' | ${TRBINARY} -d '\n' | ${TRBINARY} '\0' '\n' | xargs -i sh -c 'test -r "{}" && echo "{}" | ${SEDBINARY} "s/ /:space:/g"')
for CF in ${CONFIG_FILES}; do
Report "postgresql_config_file[]=${CF}"
LogText "Found configuration file (${CF})"
done
fi
#
#################################################################################
#
# Test : DBS-1840
# Description : Check if Oracle is being used
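Review bot: FIND_PATHS in DBS-1828 does not match the locations listed in its own header comment: `${ROOTDIR}etc/postgres` is not the Ubuntu path `/etc/postgresql/x.y/main`, and the CentOS/Fedora path `/var/lib/pgsql/data` is not searched at all. In the CONFIG_FILES pipeline, `${SEDBINARY}` sits inside the single-quoted `sh -c '...'` string, so it is expanded by the child shell, where it is empty unless the variable is exported, and the `:space:` placeholder it inserts is never translated back before `Report "postgresql_config_file[]=${CF}"`. `xargs -i` is also a GNU-only, deprecated spelling of `-I {}`.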
@ -219,7 +252,7 @@
#################################################################################
#
# Test : DBS-1860
# Description : Checks if a DB2 instance is currently runnigng
# Description : Checks if a DB2 instance is currently running
Register --test-no DBS-1860 --weight L --network NO --category security --description "Checking active DB2 instances"
if [ ${SKIPTEST} -eq 0 ]; then
if IsRunning db2sysc; then
@ -268,7 +301,7 @@
for DIR in ${PATHS}; do
LogText "Action: scanning directory (${DIR}) for Redis configuration files"
FILES=$(${LSBINARY} ${DIR}/*.conf 2> /dev/null)
if [ ! -z "${FILES}" ]; then
if [ -n "${FILES}" ]; then
ALLFILES="${ALLFILES} ${FILES}"
else
LogText "Result: no configuration files found in this directory"
@ -279,12 +312,12 @@
LogText "Action: checking if ${CONFFILE} is a Sentinel configuration file"
# Exclude Sentinel configuration file
FIND=$(${GREPBINARY} "^sentinel " ${CONFFILE})
if [ ! -z "${FIND}" ]; then
if [ -n "${FIND}" ]; then
LogText "Result: file is a Sentinel configuration file, skipping it"
else
LogText "Result: file is NOT a Sentinel configuration file. Now scanning if it is a Redis configuration file"
FIND=$(${GREPBINARY} "Redis" ${CONFFILE})
if [ ! -z "${FIND}" ]; then
if [ -n "${FIND}" ]; then
REDIS_CONFIGURATION_FILES="${REDIS_CONFIGURATION_FILES} ${CONFFILE}"
REDIS_CONFIGURATION_FOUND=1
LogText "Result: found a Redis configuration file (${CONFFILE})"
@ -297,7 +330,7 @@
fi
done
# Sort the list of discovered configuration files so we can make them unique
REDIS_CONFIGURATION_FILES=$(echo ${REDIS_CONFIGURATION_FILES} | ${SEDBINARY} 's/^ //' | ${TRBINARY} ' ' '\n' | ${SORTBINARY} | ${UNIQBINARY} | ${TRBINARY} '\n' ' ')
REDIS_CONFIGURATION_FILES=$(echo ${REDIS_CONFIGURATION_FILES} | ${SEDBINARY} 's/^ //' | ${TRBINARY} ' ' '\n' | ${SORTBINARY} -u | ${TRBINARY} '\n' ' ')
for FILE in ${REDIS_CONFIGURATION_FILES}; do
if IsWorldReadable ${FILE}; then
LogText "Result: configuration file ${FILE} is world readable, this might leak sensitive information!"

@ -6,7 +6,7 @@
# ------------------
#
# Copyright 2007-2013, Michael Boelen
# Copyright 2007-2019, CISOfy
# Copyright 2007-2020, CISOfy
#
# Website : https://cisofy.com
# Blog : http://linux-audit.com
@ -24,8 +24,8 @@
#
# # TODO create records on test domain
# # TODO after update even IP match can be checked to detect hijacking
# SIGOKDNS="sigok.example.org" # adress with good DNSSEC signature
# SIGFAILDNS="sigfail.example.org" # adress with bad DNSSEC signature
# SIGOKDNS="sigok.example.org" # address with good DNSSEC signature
# SIGFAILDNS="sigfail.example.org" # address with bad DNSSEC signature
# TIMEOUT=";; connection timed out; no servers could be reached"
#
#################################################################################
@ -35,10 +35,10 @@
#################################################################################
#
# # Test : DNS-1600
# # Description : Validate DNSSEC signiture is checked
# # Description : Validate DNSSEC signature is checked
# Register --test-no DNS-1600 --weight L --network YES --category security --description "Validate DNSSEC igniture is checked"
# if [ "${SKIPTEST}" -eq 0 ]; then
# if [ ! -z "${DIGBINARY}" ]; then
# if [ -n "${DIGBINARY}" ]; then
#
# GOOD=$("${DIGBINARY}" +short +time=1 $SIGOKDNS)
# BAD=$("${DIGBINARY}" +short +time=1 $SIGFAILDNS)
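Review bot: the typo was fixed in the description comment, but the Register line directly below it still reads "Validate DNSSEC igniture is checked"; the block is commented out, so this is cosmetic, but the two should be corrected together.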
@ -47,16 +47,16 @@
# LogText "Result: received timeout, can't determine DNSSEC validation"
# Display --indent 4 --text "- Checking DNSSEC validation" --result "${STATUS_UNKOWN}" --color YELLOW
# #ReportException "${TEST_NO}" "Exception found, both query failed, due to connection timeout"
# elif [ -z "${GOOD}" -a ! -z "${BAD}" ]; then
# elif [ -z "${GOOD}" -a -n "${BAD}" ]; then
# LogText "Result: good signature failed, yet bad signature was accepted"
# Display --indent 4 --text "- Checking DNSSEC validation" --result "${STATUS_UNKOWN}" --color YELLOW
# #ReportException "${TEST_NO}" "Exception found, OK failed, bad signature was accepted"
# elif [ ! -z "${GOOD}" -a ! -z "${BAD}" ]; then
# elif [ -n "${GOOD}" -a -n "${BAD}" ]; then
# Display --indent 4 --text "- Checking DNSSEC validation" --result "${STATUS_SUGGESTION}" --color YELLOW
# LogText "Note: Using DNSSEC validation can protect from DNS hijacking"
# #ReportSuggestion "${TEST_NO}" "Altered DNS queries are accepted, configure DNSSEC valdating name servers"
# #ReportSuggestion "${TEST_NO}" "Altered DNS queries are accepted, configure DNSSEC validating name servers"
# AddHP 2 2
# elif [ ! -z "${GOOD}" -a -z "${BAD}" ]; then
# elif [ -n "${GOOD}" -a -z "${BAD}" ]; then
# Display --indent 4 --text "- Checking DNSSEC validation" --result "${STATUS_OK}" --color GREEN
# LogText "Result: altered DNS responses were ignored"
# AddHP 0 2

@ -6,7 +6,7 @@
# ------------------
#
# Copyright 2007-2013, Michael Boelen
# Copyright 2007-2019, CISOfy
# Copyright 2007-2020, CISOfy
#
# Website : https://cisofy.com
# Blog : http://linux-audit.com
@ -35,7 +35,7 @@
Register --test-no FINT-4310 --weight L --network NO --category security --description "AFICK availability"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking AFICK binary"
if [ ! -z "${AFICKBINARY}" ]; then
if [ -n "${AFICKBINARY}" ]; then
LogText "Result: AFICK is installed (${AFICKBINARY})"
Report "file_integrity_tool[]=afick"
FILE_INT_TOOL="afick"
@ -54,7 +54,7 @@
Register --test-no FINT-4314 --weight L --network NO --category security --description "AIDE availability"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking AIDE binary"
if [ ! -z "${AIDEBINARY}" ]; then
if [ -n "${AIDEBINARY}" ]; then
LogText "Result: AIDE is installed (${AIDEBINARY})"
Report "file_integrity_tool[]=aide"
FILE_INT_TOOL="aide"
@ -70,13 +70,13 @@
#
# Test : FINT-4315
# Description : Check AIDE configuration file
if [ ! -z "${AIDEBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
if [ -n "${AIDEBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no FINT-4315 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check AIDE configuration file"
if [ ${SKIPTEST} -eq 0 ]; then
AIDE_CONFIG_LOCS="/etc /etc/aide /usr/local/etc"
AIDE_CONFIG_LOCS="${ROOTDIR}etc ${ROOTDIR}etc/aide ${ROOTDIR}usr/local/etc"
LogText "Test: search for aide.conf in ${AIDE_CONFIG_LOCS}"
for I in ${AIDE_CONFIG_LOCS}; do
if [ -f ${I}/aide.conf ]; then
if [ -f "${I}/aide.conf" ]; then
LogText "Result: found aide.conf in directory ${I}"
AIDECONFIG="${I}/aide.conf"
fi
@ -98,13 +98,45 @@
fi
#
#################################################################################
#
# Test : FINT-4316
# Description : Presence of AIDE database and size check
if [ -n "${AIDEBINARY}" -a -n "${AIDECONFIG}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no FINT-4316 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Presence of AIDE database and size check"
if [ ${SKIPTEST} -eq 0 ]; then
AIDE_DB=$(${GREPBINARY} ^database= ${AIDECONFIG} | ${SEDBINARY} "s/.*://")
if case ${AIDE_DB} in @@*) ;; *) false;; esac; then
I=$(${GREPBINARY} "@@define.*DBDIR" ${AIDECONFIG} | ${AWKBINARY} '{print $3}')
AIDE_DB=$(echo ${AIDE_DB} | ${SEDBINARY} "s#.*}#${I}#")
fi
LogText "Test: search for AIDE database on disk ${AIDE_DB}"
if [ ! -e "${AIDE_DB}" ]; then
Display --indent 6 --text "- AIDE database" --result "${STATUS_NOT_FOUND}" --color RED
LogText "Result: AIDE database ${AIDE_DB} does not exist"
ReportWarning "${TEST_NO}" "No AIDE database was found, needed for AIDE functionality"
else
LogText "Checking database size ${AIDE_DB}"
if [ -s "${AIDE_DB}" ]; then
Display --indent 6 --text "- AIDE database" --result "${STATUS_FOUND}" --color GREEN
LogText "Result: AIDE database ${AIDE_DB} exist and has a size greater than zero"
else
Display --indent 6 --text "- AIDE database" --result "${STATUS_WARNING}" --color YELLOW
LogText "Result: AIDE database ${AIDE_DB} exist but has a size of zero"
ReportSuggestion "${TEST_NO}" "Check the AIDE database as it may contain errors"
fi
fi
unset AIDE_DB I
fi
#
#################################################################################
#
# Test : FINT-4318
# Description : Check if Osiris is installed
Register --test-no FINT-4318 --weight L --network NO --category security --description "Osiris availability"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking Osiris binary"
if [ ! -z "${OSIRISBINARY}" ]; then
if [ -n "${OSIRISBINARY}" ]; then
LogText "Result: Osiris is installed (${OSIRISBINARY})"
Report "file_integrity_tool[]=osiris"
FILE_INT_TOOL="osiris"
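Review bot: when no `^database=` line is found in ${AIDECONFIG} (for instance because the setting lives in an included file), AIDE_DB is empty and `[ ! -e "${AIDE_DB}" ]` is true, so FINT-4316 raises the "No AIDE database was found" warning for a database it never looked up; test `-z "${AIDE_DB}"` first and log that the location could not be determined. The `@@{DBDIR}` expansion likewise assumes `@@define DBDIR` is in the same file: if `I=$(${GREPBINARY} "@@define.*DBDIR" ...)` yields nothing, the sed replaces the macro with an empty string and the existence check runs against a wrong path. Minor: "exist" should read "exists" in both LogText lines.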
@ -123,7 +155,7 @@
Register --test-no FINT-4322 --weight L --network NO --category security --description "Samhain availability"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking Samhain binary"
if [ ! -z "${SAMHAINBINARY}" ]; then
if [ -n "${SAMHAINBINARY}" ]; then
LogText "Result: Samhain is installed (${SAMHAINBINARY})"
Report "file_integrity_tool[]=samhain"
FILE_INT_TOOL="samhain"
@ -142,7 +174,7 @@
Register --test-no FINT-4326 --weight L --network NO --category security --description "Tripwire availability"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking Tripwire binary"
if [ ! -z "${TRIPWIREBINARY}" ]; then
if [ -n "${TRIPWIREBINARY}" ]; then
LogText "Result: Tripwire is installed (${TRIPWIREBINARY})"
Report "file_integrity_tool[]=tripwire"
FILE_INT_TOOL="tripwire"
@ -161,15 +193,14 @@
Register --test-no FINT-4328 --weight L --network NO --category security --description "OSSEC syscheck daemon running"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking if OSSEC syscheck daemon is running"
IsRunning ossec-syscheckd
if [ ${RUNNING} -eq 1 ]; then
LogText "Result: syscheck (OSSEC) installed"
if IsRunning "ossec-syscheckd"; then
LogText "Result: syscheck (OSSEC) active"
Report "file_integrity_tool[]=ossec"
FILE_INT_TOOL="ossec-syscheck"
FILE_INT_TOOL_FOUND=1
Display --indent 4 --text "- OSSEC (syscheck)" --result "${STATUS_FOUND}" --color GREEN
else
LogText "Result: syscheck (OSSEC) not installed"
LogText "Result: syscheck (OSSEC) is not active"
if IsVerbose; then Display --indent 4 --text "- OSSEC" --result "${STATUS_NOT_FOUND}" --color WHITE; fi
fi
fi
@ -182,7 +213,7 @@
Register --test-no FINT-4330 --weight L --network NO --category security --description "mtree availability"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking mtree binary"
if [ ! -z "${MTREEBINARY}" ]; then
if [ -n "${MTREEBINARY}" ]; then
LogText "Result: mtree is installed (${MTREEBINARY})"
Report "file_integrity_tool[]=mtree"
FILE_INT_TOOL="mtree"
@ -202,8 +233,8 @@
Register --test-no FINT-4334 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check lfd daemon status"
if [ ${SKIPTEST} -eq 0 ]; then
Display --indent 4 --text "- lfd (CSF)" --result "${STATUS_FOUND}" --color GREEN
IsRunning 'lfd '
if [ ${RUNNING} -eq 1 ]; then
LogText "Test: determine lfd status"
if IsRunning "lfd - sleeping"; then
LogText "Result: lfd daemon is running (CSF)"
Report "file_integrity_tool[]=csf-lfd"
Display --indent 6 --text "- LFD (CSF) daemon" --result "${STATUS_RUNNING}" --color GREEN
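Review bot: the new `if IsRunning "lfd - sleeping"; then` keys the running check on a process-title fragment that reflects lfd's current state, so a daemon that is mid-scan (title not "sleeping") is reported as not running, which the old `IsRunning 'lfd '` did not do; match on the stable prefix only (`"lfd"` with the state left out) or fall back to the lfd pid file, so the result does not flip with scan timing.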
@ -223,7 +254,7 @@
if [ ${SKIPTEST} -eq 0 ]; then
# LFD configuration parameters
ENABLED=$(${GREPBINARY} "^LF_DAEMON = \"1\"" ${CSF_CONFIG})
if [ ! -z "${ENABLED}" ]; then
if [ -n "${ENABLED}" ]; then
LogText "Result: lfd service is configured to run"
Display --indent 6 --text "- Configuration status" --result "${STATUS_ENABLED}" --color GREEN
else
@ -231,7 +262,7 @@
Display --indent 6 --text "- Configuration status" --result "${STATUS_DISABLED}" --color YELLOW
fi
ENABLED=$(${GREPBINARY} "^LF_DIRWATCH =" ${CSF_CONFIG} | ${AWKBINARY} '{ print $3 }' | ${SEDBINARY} 's/\"//g')
if [ ! "${ENABLED}" = "0" -a ! -z "${ENABLED}" ]; then
if [ ! "${ENABLED}" = "0" -a -n "${ENABLED}" ]; then
LogText "Result: lfd directory watching is enabled (value: ${ENABLED})"
Display --indent 6 --text "- Temporary directory watches" --result "${STATUS_ENABLED}" --color GREEN
else
@ -239,7 +270,7 @@
Display --indent 6 --text "- Temporary directory watches" --result "${STATUS_DISABLED}" --color YELLOW
fi
ENABLED=$(${GREPBINARY} "^LF_DIRWATCH_FILE =" ${CSF_CONFIG} | ${AWKBINARY} '{ print $3 }' | ${SEDBINARY} 's/\"//g')
if [ ! "${ENABLED}" = "0" -a ! -z "${ENABLED}" ]; then
if [ ! "${ENABLED}" = "0" -a -n "${ENABLED}" ]; then
Display --indent 6 --text "- Directory/File watches" --result "${STATUS_ENABLED}" --color GREEN
else
Display --indent 6 --text "- Directory/File watches" --result "${STATUS_DISABLED}" --color YELLOW
@ -253,8 +284,7 @@
Register --test-no FINT-4338 --weight L --network NO --category security --description "osqueryd syscheck daemon running"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking if osqueryd syscheck daemon is running"
IsRunning osqueryd
if [ ${RUNNING} -eq 1 ]; then
if IsRunning "osqueryd"; then
LogText "Result: syscheck (osquery) installed"
Report "file_integrity_tool[]=osquery"
FILE_INT_TOOL="osquery"
@ -267,17 +297,118 @@
fi
#
#################################################################################
#
# Test : FINT-4339
# Description : Check IMA/EVM status
if [ ! -z "${EVMCTLBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; SKIPREASON="No evmctl binary found"; fi
Register --test-no FINT-4339 --os Linux --preqs-met ${PREQS_MET} --skip-reason "${SKIPREASON}" --weight L --network NO --category security --description "Check IMA/EVM status"
if [ ${SKIPTEST} -eq 0 ]; then
FOUND=0
if [ -e /sys/kernel/security/ima ]; then
FOUND=$(${CAT_BINARY} /sys/kernel/security/ima/runtime_measurements_count)
fi
if [ "${FOUND}" -ne 1 ]; then
LogText "Result: EVM tools found but IMA/EVM disabled"
Display --indent 2 --text "- IMA/EVM (status)" --result "${STATUS_DISABLED}" --color YELLOW
else
LogText "Result: EVM tools found, IMA/EVM enabled"
FILE_INT_TOOL="evmctl"
FILE_INT_TOOL_FOUND=1
Display --indent 2 --text "- IMA/EVM (status)" --result "${STATUS_ENABLED}" --color GREEN
fi
fi
#
#################################################################################
#
# Test : FINT-4340
# Description : Check dm-integrity status
if [ ! -z "${INTEGRITYSETUPBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; SKIPREASON="No integritysetup binary found"; fi
Register --test-no FINT-4340 --os Linux --preqs-met ${PREQS_MET} --skip-reason "${SKIPREASON}" --weight L --network NO --category security --description "Check dm-integrity status"
if [ ${SKIPTEST} -eq 0 ]; then
FOUND=0
ROOTPROTECTED=0
ROOTDEVICE=$(${MOUNTBINARY} | ${AWKBINARY} '/ on \/ type / { print $1 }')
for DEVICE in /dev/mapper/*; do
if [ -e "${DEVICE}" ]; then
FIND=$(${INTEGRITYSETUPBINARY} status "${DEVICE}" | ${EGREPBINARY} 'type:.*INTEGRITY')
if [ ! -z "${FIND}" ]; then
FOUND=1
LogText "Result: found dm-integrity device ${DEVICE}"
if [ "${DEVICE}" = "${ROOTDEVICE}" ]; then
ROOTPROTECTED=1
fi
fi
fi
done
if [ "${FOUND}" -ne 1 ]; then
LogText "Result: dm-integrity tools found but no active devices"
Display --indent 2 --text "- dm-integrity (status)" --result "${STATUS_DISABLED}" --color WHITE
else
LogText "Result: dm-integrity tools found, active devices"
if [ ${ROOTPROTECTED} -eq 1 ]; then
LogText "Result: root filesystem is protected by dm-integrity"
Display --indent 2 --text "- dm-integrity (status)" --result "${STATUS_ENABLED}" --color GREEN
else
LogText "Result: root filesystem is not protected by dm-integrity but active devices found"
Display --indent 2 --text "- dm-integrity (status)" --result "${STATUS_FOUND}" --color YELLOW
fi
FILE_INT_TOOL="dm-integrity"
FILE_INT_TOOL_FOUND=1
Display --indent 2 --text "- dm-integrity (status)" --result "${STATUS_ENABLED}" --color GREEN
fi
fi
#
#################################################################################
#
# Test : FINT-4341
# Description : Check dm-verity status
if [ ! -z "${VERITYSETUPBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; SKIPREASON="No veritysetup binary found"; fi
Register --test-no FINT-4341 --os Linux --preqs-met ${PREQS_MET} --skip-reason "${SKIPREASON}" --weight L --network NO --category security --description "Check dm-verity status"
if [ ${SKIPTEST} -eq 0 ]; then
FOUND=0
ROOTPROTECTED=0
ROOTDEVICE=$(${MOUNTBINARY} | ${AWKBINARY} '/ on \/ type / { print $1 }')
for DEVICE in /dev/mapper/*; do
if [ -e "${DEVICE}" ]; then
FIND=$(${VERITYSETUPBINARY} status "${DEVICE}" | ${EGREPBINARY} 'type:.*VERITY')
if [ ! -z "${FIND}" ]; then
FOUND=1
LogText "Result: found dm-verity device ${DEVICE}"
if [ "${DEVICE}" = "${ROOTDEVICE}" ]; then
ROOTPROTECTED=1
fi
fi
fi
done
if [ "${FOUND}" -ne 1 ]; then
LogText "Result: dm-verity tools found but no active devices"
Display --indent 2 --text "- dm-verity (status)" --result "${STATUS_DISABLED}" --color WHITE
else
LogText "Result: dm-verity tools found, active devices"
if [ ${ROOTPROTECTED} -eq 1 ]; then
LogText "Result: root filesystem is protected by dm-verity"
Display --indent 2 --text "- dm-verity (status)" --result "${STATUS_ENABLED}" --color GREEN
else
LogText "Result: root filesystem is not protected by dm-verity but active devices found"
Display --indent 2 --text "- dm-verity (status)" --result "${STATUS_FOUND}" --color YELLOW
fi
FILE_INT_TOOL="dm-verity"
FILE_INT_TOOL_FOUND=1
fi
fi
#
#################################################################################
#
# Test : FINT-4402 (was FINT-4316)
# Description : Check if AIDE is configured to use SHA256 or SHA512 checksums
if [ ! "${AIDEBINARY}" = "" -a ! -z "${AIDECONFIG}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
if [ ! "${AIDEBINARY}" = "" -a -n "${AIDECONFIG}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no FINT-4402 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "AIDE configuration: Checksums (SHA256 or SHA512)"
if [ ${SKIPTEST} -eq 0 ]; then
FIND=$(${GREPBINARY} -v "^#" ${AIDECONFIG} | ${EGREPBINARY} "= .*(sha256|sha512)")
if [ -z "${FIND}" ]; then
LogText "Result: No SHA256 or SHA512 found for creating checksums"
Display --indent 6 --text "- AIDE config (Checksum)" --result Suggestion --color YELLOW
ReportSuggestion ${TEST_NO} "Use SHA256 or SHA512 to create checksums in AIDE"
ReportSuggestion "${TEST_NO}" "Use SHA256 or SHA512 to create checksums in AIDE"
AddHP 1 3
else
LogText "Result: Found SHA256 or SHA512 found for creating checksums"
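Review bot: in FINT-4339 the test `if [ "${FOUND}" -ne 1 ]` treats `runtime_measurements_count` as a boolean, but that securityfs file holds the number of entries in the IMA measurement list, which is far above 1 on any system with IMA active, so a working IMA is reported as DISABLED; compare with `-gt 0` instead, and default `FOUND` to 0 when the file cannot be read, since an empty value makes `[ "" -ne 1 ]` error out. In FINT-4340 the unconditional `Display --indent 2 --text "- dm-integrity (status)" --result "${STATUS_ENABLED}" --color GREEN` after the inner if/else prints a second, contradictory status line (GREEN ENABLED right after the YELLOW FOUND case); the dm-verity twin below does not have it, so drop it here too. Both loops also run `status` on `/dev/mapper/control`, which prints an error; add `2>/dev/null` to the `integritysetup`/`veritysetup` calls.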
@ -300,7 +431,7 @@
else
LogText "Result: No file integrity tools found"
Display --indent 2 --text "- Checking presence integrity tool" --result "${STATUS_NOT_FOUND}" --color YELLOW
ReportSuggestion ${TEST_NO} "Install a file integrity tool to monitor changes to critical and sensitive files"
ReportSuggestion "${TEST_NO}" "Install a file integrity tool to monitor changes to critical and sensitive files"
AddHP 0 5
fi
fi
@ -310,4 +441,4 @@
WaitForKeyPress
#
#================================================================================
# Lynis - Copyright 2007-2019 Michael Boelen, CISOfy - https://cisofy.com
# Lynis - Copyright 2007-2020 Michael Boelen, CISOfy - https://cisofy.com

View File

@ -6,7 +6,7 @@
# ------------------
#
# Copyright 2007-2013, Michael Boelen
# Copyright 2007-2019, CISOfy
# Copyright 2007-2020, CISOfy
#
# Website : https://cisofy.com
# Blog : http://linux-audit.com
@ -32,27 +32,37 @@
if [ ${SKIPTEST} -eq 0 ]; then
Display --indent 2 --text "- Starting file permissions check"
LogText "Test: Checking file permissions"
FOUND=0
for PROFILE in ${PROFILES}; do
LogText "Using profile ${PROFILE} for baseline."
FIND=$(${EGREPBINARY} '^permfile:|^permdir:' ${PROFILE} | ${CUTBINARY} -d: -f2)
for I in ${FIND}; do
LogText "Checking ${I}"
CheckFilePermissions ${I}
LogText " Expected permissions: ${PROFILEVALUE}"
LogText " Actual permissions: ${FILEVALUE}"
LogText " Result: $PERMS"
if [ "${PERMS}" = "FILE_NOT_FOUND" ]; then
if IsVerbose; then Display --indent 4 --text "${I}" --result "${STATUS_NOT_FOUND}" --color WHITE; fi
elif [ "${PERMS}" = "OK" ]; then
Display --indent 4 --text "${I}" --result "${STATUS_OK}" --color GREEN
elif [ "${PERMS}" = "BAD" ]; then
Display --indent 4 --text "${I}" --result "${STATUS_WARNING}" --color RED
ReportWarning ${TEST_NO} "Incorrect permissions for file ${I}"
FILES=$(${EGREPBINARY} '^permfile=|^permdir=' ${PROFILE} | ${CUTBINARY} -d= -f2 | ${CUTBINARY} -d: -f1)
for F in ${FILES}; do
LogText "Test: checking file/directory ${F}"
if [ -f "${F}" ]; then
PERMS=$(${GREPBINARY} '^permfile=' ${PROFILE} | ${GREPBINARY} "=${F}:" | ${CUTBINARY} -d: -f2)
if HasCorrectFilePermissions "${F}" "${PERMS}"; then
Display --indent 4 --text "File: ${F}" --result "${STATUS_OK}" --color GREEN
else
Display --indent 4 --text "File: ${F}" --result "${STATUS_SUGGESTION}" --color YELLOW
FOUND=1
fi
elif [ -d "${F}" ]; then
PERMS=$(${GREPBINARY} '^permdir=' ${PROFILE} | ${GREPBINARY} "=${F}:" | ${CUTBINARY} -d: -f2)
if HasCorrectFilePermissions "${F}" "${PERMS}"; then
Display --indent 4 --text "Directory: ${F}" --result "${STATUS_OK}" --color GREEN
else
Display --indent 4 --text "Directory: ${F}" --result "${STATUS_SUGGESTION}" --color YELLOW
FOUND=1
fi
else
LogText "UNKNOWN status for file"
if IsVerbose; then Display --indent 4 --text "${F}" --result "${STATUS_NOT_FOUND}" --color WHITE; fi
LogText "Skipping file/directory ${F} as it does not exist on this system"
fi
done
done
if [ ${FOUND} -eq 1 ]; then
ReportSuggestion "${TEST_NO}" "Consider restricting file permissions" "See screen output or log file" "text:Use chmod to change file permissions"
fi
fi
#
#################################################################################
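Review bot: the two `else` branches after `HasCorrectFilePermissions` only `Display` the mismatch, yet the new suggestion says "See screen output or log file" and the old `LogText " Expected permissions: ..."` / `" Actual permissions: ..."` lines were removed, so the log no longer records which file failed; add a `LogText "Result: ${F} has incorrect permissions (expected ${PERMS})"` in each else branch. The profile key format also changes from `permfile:/path:mode` to `permfile=/path:mode` (the `egrep '^permfile=|^permdir='` and `cut -d= -f2` lines), which silently stops matching entries in existing custom profiles; this needs a changelog and profile note. Finally, a directory listed under `permfile=` (or a file under `permdir=`) passes the `-f`/`-d` branch but the matching `grep '^permdir='`/`'^permfile='` returns nothing, so `HasCorrectFilePermissions` is called with an empty expected mode; guard on `[ -n "${PERMS}" ]` before the call.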
@ -62,4 +72,4 @@ WaitForKeyPress
#
#================================================================================
# Lynis - Copyright 2007-2019, CISOfy - https://cisofy.com
# Lynis - Copyright 2007-2020, CISOfy - https://cisofy.com

View File

@ -6,7 +6,7 @@
# ------------------
#
# Copyright 2007-2013, Michael Boelen
# Copyright 2007-2019, CISOfy
# Copyright 2007-2020, CISOfy
#
# Website : https://cisofy.com
# Blog : http://linux-audit.com
@ -44,15 +44,20 @@
if [ -L ${I} ]; then
ShowSymlinkPath ${I}
LogText "Result: ${I} is a symlink. Manual check required to determine exact file system options"
ReportSuggestion ${TEST_NO} "Symlinked mount point needs to be checked manually" "${I}" ""
ReportSuggestion "${TEST_NO}" "Symlinked mount point needs to be checked manually" "${I}" ""
Display --indent 4 --text "- Checking ${I} mount point" --result SYMLINK --color WHITE
elif [ -d ${I} ]; then
LogText "Result: directory ${I} exists"
FIND=$(${MOUNTBINARY} | ${AWKBINARY} -v MP=${I} '{ if ($3==MP) { print $3 }}')
case "${OS}" in
"AIX") FIND=$(${MOUNTBINARY} | ${AWKBINARY} -v MP=${I} '{ if ($2==MP) { print $2 }}') ;;
"HP-UX") FIND=$(${MOUNTBINARY} | ${AWKBINARY} -v MP=${I} '{ if ($1==MP) { print $1 }}') ;;
*) FIND=$(${MOUNTBINARY} | ${AWKBINARY} -v MP=${I} '{ if ($3==MP) { print $3 }}') ;;
esac
if IsEmpty "${FIND}"; then
LogText "Result: ${I} not found in mount list. Directory most likely stored on / file system"
Display --indent 4 --text "- Checking ${I} mount point" --result "${STATUS_SUGGESTION}" --color YELLOW
ReportSuggestion ${TEST_NO} "To decrease the impact of a full ${I} file system, place ${I} on a separate partition"
ReportSuggestion "${TEST_NO}" "To decrease the impact of a full ${I} file system, place ${I} on a separate partition"
AddHP 9 10
else
LogText "Result: found ${I} as a separated mount point"
@ -85,7 +90,7 @@
ReportException "${TEST_NO}:1" "Don't know this specific operating system yet, while volume group manager was found"
;;
esac
if [ ! -z "${FIND}" ]; then
if [ -n "${FIND}" ]; then
LogText "Result: found one or more volume groups"
for I in ${FIND}; do
LogText "Found LVM volume group: ${I}"
@ -148,7 +153,7 @@
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking for Linux EXT file systems"
FIND=$(${MOUNTBINARY} -t ext2,ext3,ext4 | ${AWKBINARY} '{ print $3","$5 }')
if [ ! -z "${FIND}" ]; then
if [ -n "${FIND}" ]; then
LogText "Result: found one or more EXT file systems"
for I in ${FIND}; do
FILESYSTEM=$(echo ${I} | ${CUTBINARY} -d ',' -f1)
@ -158,7 +163,27 @@
done
else
LogText "Result: no EXT file systems found"
Report "file_systems_ext[]=none"
fi
fi
#
#################################################################################
#
# Test : FILE-6324
# Description : Checking Linux XFS file systems
Register --test-no FILE-6324 --os Linux --weight L --network NO --category security --description "Checking XFS file systems"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking for Linux XFS file systems"
FIND=$(${MOUNTBINARY} -t xfs | ${AWKBINARY} '{ print $3","$5 }')
if [ -n "${FIND}" ]; then
LogText "Result: found one or more XFS file systems"
for I in ${FIND}; do
FILESYSTEM=$(echo ${I} | ${CUTBINARY} -d ',' -f1)
FILETYPE=$(echo ${I} | ${CUTBINARY} -d ',' -f2)
LogText "File system: ${FILESYSTEM} (type: ${FILETYPE})"
Report "file_systems_xfs[]=${FILESYSTEM}|${FILETYPE}|"
done
else
LogText "Result: no XFS file systems found"
fi
fi
#
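Review bot: removing `Report "file_systems_ext[]=none"` drops the only marker that told a report consumer the EXT test ran and found nothing, and the new FILE-6324 XFS test reports nothing in its not-found branch either; either keep a `none` entry for both (`file_systems_ext[]=none`, `file_systems_xfs[]=none`) or document the removal for tools that parse the report file.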
@ -187,10 +212,11 @@
#################################################################################
#
# Test : FILE-6330
# Description : Query all ZFS mounts from /etc/fstab
# Description : Query ZFS mounts
# Note : mount -p does not work under Linux
Register --test-no FILE-6330 --os FreeBSD --weight L --network NO --category security --description "Checking ZFS file systems"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Query /etc/fstab for available ZFS mount points"
LogText "Test: Discover for available ZFS mount points"
FIND=$(${MOUNTBINARY} -p | ${AWKBINARY} '{ if ($3 == "zfs") { print $1":"$2":"$3":"$4":" }}')
if [ -z "${FIND}" ]; then
Display --indent 2 --text "- Querying ZFS mount points (mount -p)" --result "${STATUS_NONE}" --color WHITE
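Review bot: the reworded log line `LogText "Test: Discover for available ZFS mount points"` is ungrammatical; use "Test: Discover available ZFS mount points" (or "Test: Query mount -p for available ZFS mount points", which also matches the Display text below it).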
@ -211,7 +237,7 @@
# Description : Query all HAMMER PFS mounts from /etc/fstab
Register --test-no FILE-6439 --os DragonFly --weight L --network NO --category security --description "Checking HAMMER PFS mounts"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Query /etc/fstab for available HAMMER PFS mount points"
LogText "Test: Query /etc/fstab for available HAMMER PFS mount points"
FIND=$(${MOUNTBINARY} -p | ${AWKBINARY} '{ if ($3 == "null") { print $1":"$2":"$3":"$4":" }}')
if [ -z "${FIND}" ]; then
Display --indent 2 --text "- Querying HAMMER PFS mount points (mount -p)" --result "${STATUS_NONE}" --color WHITE
@ -248,12 +274,12 @@
# Test for UUID usage (e.g. UUID=uuid --> /dev/disk/by-uuid/<uuid>)
HAS_UUID=$(echo ${I} | ${GREPBINARY} "^UUID=")
if [ ! -z "${HAS_UUID}" ]; then
if [ -n "${HAS_UUID}" ]; then
UUID=$(echo ${HAS_UUID} | ${AWKBINARY} -F= '{ print $2 }')
LogText "Result: Using ${UUID} as UUID"
if [ ! -z "${BLKIDBINARY}" ]; then
if [ -n "${BLKIDBINARY}" ]; then
FIND2=$(${BLKIDBINARY} | ${AWKBINARY} '{ if ($2=="UUID=\"${UUID}\"") print $1 }' | ${SEDBINARY} 's/:$//')
if [ ! -z "${FIND2}" ]; then
if [ -n "${FIND2}" ]; then
REAL="${FIND2}"
fi
else
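Review bot: the blkid lookup in this hunk's context, `FIND2=$(${BLKIDBINARY} | ${AWKBINARY} '{ if ($2=="UUID=\"${UUID}\"") print $1 }' ...)`, compares against the literal string `UUID="${UUID}"` because the awk program is single-quoted and the shell never expands the variable, so `FIND2` is always empty and only the `/dev/disk/by-uuid` fallback ever resolves the device; pass the value in with `-v uuid="${UUID}"` and compare `$2 == "UUID=\"" uuid "\""`. Since the surrounding `-n` changes touch these lines anyway, this is a good moment to fix it.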
@ -262,7 +288,7 @@
if [ -L /dev/disk/by-uuid/${UUID} ]; then
LogText "Result: found disk via /dev/disk/by-uuid listing"
ShowSymlinkPath /dev/disk/by-uuid/${UUID}
if [ ! -z "${sFILE}" ]; then
if [ -n "${sFILE}" ]; then
REAL="${sFILE}"
LogText "Result: disk is ${REAL}"
fi
@ -303,8 +329,8 @@
else
Display --indent 2 --text "- Testing swap partitions" --result "CHECK NEEDED" --color YELLOW
LogText "Result: possible incorrect mount options used for mounting swap partition (${FIND})"
#ReportWarning ${TEST_NO} "Possible incorrect mount options used for swap partition (${FIND})"
ReportSuggestion ${TEST_NO} "Check your /etc/fstab file for swap partition mount options"
#ReportWarning "${TEST_NO}" "Possible incorrect mount options used for swap partition (${FIND})"
ReportSuggestion "${TEST_NO}" "Check your /etc/fstab file for swap partition mount options"
LogText "Notes: usually swap partition have 'sw' or 'swap' in the options field (4th)"
fi
fi
@ -318,7 +344,7 @@
if [ "${OS}" = "Linux" -a -f ${ROOTDIR}proc/version ]; then
LINUX_KERNEL_MAJOR=$(echo $OS_KERNELVERSION | ${AWKBINARY} -F. '{print $1}')
LINUX_KERNEL_MINOR=$(echo $OS_KERNELVERSION | ${AWKBINARY} -F. '{print $2}')
if [ ! -z "${LINUX_KERNEL_MAJOR}" -a ! -z "${LINUX_KERNEL_MINOR}" ]; then
if [ -n "${LINUX_KERNEL_MAJOR}" -a -n "${LINUX_KERNEL_MINOR}" ]; then
if [ ${LINUX_KERNEL_MAJOR} -ge 3 -a ${LINUX_KERNEL_MINOR} -ge 3 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
else
PREQS_MET="NO";
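Review bot: the version gate in the unchanged line `if [ ${LINUX_KERNEL_MAJOR} -ge 3 -a ${LINUX_KERNEL_MINOR} -ge 3 ]` requires the minor number to be at least 3 for every major, so kernels 4.0-4.2 and 5.0-5.2 set `PREQS_MET="NO"` while 3.3 passes; the intended "3.3 or newer" check is `[ ${LINUX_KERNEL_MAJOR} -gt 3 ] || [ ${LINUX_KERNEL_MAJOR} -eq 3 -a ${LINUX_KERNEL_MINOR} -ge 3 ]`.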
@ -372,7 +398,7 @@
LogText "private information and should be deleted it not being used actively. Use a tool like lsof to"
LogText "see which programs possibly are using a particular file. Some systems can cleanup temporary"
LogText "directories by setting a boot option."
ReportSuggestion ${TEST_NO} "Check ${COUNT} files in ${ROOTDIR}tmp which are older than ${TMP_OLD_DAYS} days"
ReportSuggestion "${TEST_NO}" "Check ${COUNT} files in ${ROOTDIR}tmp which are older than ${TMP_OLD_DAYS} days"
fi
fi
#
@ -391,7 +417,7 @@
AddHP 3 3
else
Display --indent 2 --text "- Checking ${ROOTDIR}tmp sticky bit" --result "${STATUS_WARNING}" --color RED
ReportSuggestion ${TEST_NO} "Set the sticky bit on ${ROOTDIR}tmp, to prevent users deleting (by other owned) files in the /tmp directory." "/tmp" "text:Set sticky bit"
ReportSuggestion "${TEST_NO}" "Set the sticky bit on ${ROOTDIR}tmp, to prevent users deleting (by other owned) files in the /tmp directory." "/tmp" "text:Set sticky bit"
AddHP 0 3
fi
unset FIND
@ -414,7 +440,7 @@
AddHP 3 3
else
Display --indent 2 --text "- Checking ${ROOTDIR}var/tmp sticky bit" --result "${STATUS_WARNING}" --color RED
ReportSuggestion ${TEST_NO} "Set the sticky bit on ${ROOTDIR}var/tmp, to prevent users deleting (by other owned) files in the /var/tmp directory." "/var/tmp" "text:Set sticky bit"
ReportSuggestion "${TEST_NO}" "Set the sticky bit on ${ROOTDIR}var/tmp, to prevent users deleting (by other owned) files in the /var/tmp directory." "/var/tmp" "text:Set sticky bit"
AddHP 0 3
fi
unset FIND
@ -440,7 +466,7 @@
FOUND=0
LogText "Test: Checking acl option on ext[2-4] root file system"
FIND=$(${MOUNTBINARY} | ${AWKBINARY} '{ if ($3=="/" && $5~/ext[2-4]/) { print $6 } }' | ${GREPBINARY} acl)
if [ ! -z "${FIND}" ]; then
if [ -n "${FIND}" ]; then
LogText "Result: found ACL option"
FOUND=1
else
@ -456,11 +482,11 @@
FIND1=$(${MOUNTBINARY} -t ext2,ext3,ext4 | ${GREPBINARY} "on / " | ${AWKBINARY} '{ print $1 }')
fi
# Trying to determine default mount options from EXT2/EXT3/EXT4 file systems
if [ ! -z "${FIND1}" ]; then
if [ -n "${FIND1}" ]; then
LogText "Result: found ${FIND1}"
LogText "Test: Checking default options on ${FIND1}"
FIND2=$(${TUNE2FSBINARY} -l ${FIND1} 2> /dev/null | ${GREPBINARY} "^Default mount options" | ${GREPBINARY} "acl")
if [ ! -z "${FIND2}" ]; then
if [ -n "${FIND2}" ]; then
LogText "Result: found ACL option in default mount options"
FOUND=1
else
@ -504,7 +530,7 @@
NOEXEC=$(echo ${FIND} | ${AWKBINARY} '{ if ($1 ~ "noexec") { print "YES" } else { print "NO" } }')
NOSUID=$(echo ${FIND} | ${AWKBINARY} '{ if ($1 ~ "nosuid") { print "YES" } else { print "NO" } }')
if [ ! -z "${FIND}" ]; then
if [ -n "${FIND}" ]; then
LogText "Result: mount system / is configured with options: ${FIND}"
if [ "${FIND}" = "defaults" ]; then
Display --indent 2 --text "- Mount options of /" --result "${STATUS_OK}" --color GREEN
@ -530,31 +556,39 @@
# ---------------------------------------------------------
# Mount point nodev noexec nosuid
# /boot v v v
# /dev v v
# /dev/shm v v v
# /home v v
# /run v v
# /tmp v v v
# /var v
# /var v v
# /var/log v v v
# /var/log/audit v v v
# /var/tmp v v v
# ---------------------------------------------------------
FILESYSTEMS_TO_CHECK="/boot:nodev,noexec,nosuid /dev/shm:nosuid,nodev,noexec /home:nodev,nosuid /tmp:nodev,noexec,nosuid /var:nosuid /var/log:nodev,noexec,nosuid /var/log/audit:nodev,noexec,nosuid /var/tmp:nodev,noexec,nosuid"
Register --test-no FILE-6374 --os Linux --weight L --network NO --category security --description "Checking /boot mount options"
FILESYSTEMS_TO_CHECK="/boot:nodev,noexec,nosuid /dev:noexec,nosuid /dev/shm:nosuid,nodev,noexec /home:nodev,nosuid /run:nodev,nosuid /tmp:nodev,noexec,nosuid /var:nodev,nosuid /var/log:nodev,noexec,nosuid /var/log/audit:nodev,noexec,nosuid /var/tmp:nodev,noexec,nosuid"
Register --test-no FILE-6374 --os Linux --weight L --network NO --category security --description "Linux mount options"
if [ ${SKIPTEST} -eq 0 ]; then
if [ -f /etc/fstab ]; then
if [ -f ${ROOTDIR}etc/fstab ]; then
for I in ${FILESYSTEMS_TO_CHECK}; do
FILESYSTEM=$(echo ${I} | ${CUTBINARY} -d: -f1)
EXPECTED_FLAGS=$(echo ${I} | ${CUTBINARY} -d: -f2 | ${SEDBINARY} 's/,/ /g')
FS_FSTAB=$(${AWKBINARY} -v fs=${FILESYSTEM} '{ if ($2==fs) { print $3 } }' /etc/fstab)
FS_FSTAB=$(${AWKBINARY} -v fs=${FILESYSTEM} '{ if ($2==fs) { print $3 } }' ${ROOTDIR}etc/fstab)
if [ "${FS_FSTAB}" = "glusterfs" ]; then
EXPECTED_FLAGS=$(echo ${EXPECTED_FLAGS} | ${SEDBINARY} 's/\<\(nodev\|nosuid\)\> *//g')
if [ -z "${EXPECTED_FLAGS}" ]; then
FS_FSTAB=""
fi
fi
if [ ! -z "${FS_FSTAB}" ]; then
FOUND_FLAGS=$(${AWKBINARY} -v fs=${FILESYSTEM} '{ if ($2==fs) { print $4 } }' /etc/fstab | ${SEDBINARY} 's/,/ /g' | ${TRBINARY} '\n' ' ')
if [ -z "${FS_FSTAB}" ]; then # not found in fstab, check if mounted otherwise
FS_FSTAB=$(mount | ${AWKBINARY} -v fs=${FILESYSTEM} '{ if ($3==fs) { print $6 } }')
FOUND_FLAGS=$(mount | ${AWKBINARY} -v fs=${FILESYSTEM} '{ if ($1~"[^#]" && $3==fs) { print $6 } }' | ${SEDBINARY} 's/,/ /g' | ${TRBINARY} '\n' ' ')
else
FOUND_FLAGS=$(${AWKBINARY} -v fs=${FILESYSTEM} '{ if ($1~"[^#]" && $2==fs) { print $4 } }' ${ROOTDIR}etc/fstab | ${SEDBINARY} 's/,/ /g' | ${TRBINARY} '\n' ' ')
fi
if [ -n "${FS_FSTAB}" ]; then
# In awk using caret/circumflex as first character between brackets, means 'not' (instead of beginning of line)
LogText "File system: ${FILESYSTEM}"
LogText "Expected flags: ${EXPECTED_FLAGS}"
LogText "Found flags: ${FOUND_FLAGS}"
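Review bot: the comment-skipping filter added in `FOUND_FLAGS=$(${AWKBINARY} -v fs=${FILESYSTEM} '{ if ($1~"[^#]" && $2==fs) { print $4 } }' ${ROOTDIR}etc/fstab ...)` does not skip comments: the regex `[^#]` matches any field containing at least one non-`#` character, so `#/dev/sda1 /home ...` still matches (the explanatory comment about the caret placed after the code documents the wrong semantics). Use `$1 !~ /^#/` for the fstab case and drop the filter from the `mount` fallback, where it is meaningless. The two fallback lines also call bare `mount` while the rest of the file uses `${MOUNTBINARY}`; note too that `$6` from `mount` output carries parentheses (`(rw,nosuid,...)`), which is harmless for the `grep ${FLAG}` checks but means `ContainsString "defaults"` can never match for a mount found only via the fallback.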
@ -562,7 +596,7 @@
FULLY_HARDENED=1
for FLAG in ${EXPECTED_FLAGS}; do
FLAG_AVAILABLE=$(echo ${FOUND_FLAGS} | ${GREPBINARY} ${FLAG})
if [ "${FLAG_AVAILABLE}" = "" ]; then
if [ -z "${FLAG_AVAILABLE}" ]; then
LogText "Result: Could not find mount option ${FLAG} on file system ${FILESYSTEM}"
FULLY_HARDENED=0
else
@ -571,29 +605,37 @@
fi
done
if [ ${FULLY_HARDENED} -eq 1 ]; then
LogText "Result: marked ${FILESYSTEM} as fully hardenened"
LogText "Result: marked ${FILESYSTEM} as fully hardened"
Display --indent 2 --text "- Mount options of ${FILESYSTEM}" --result HARDENED --color GREEN
AddHP 5 5
elif [ ${PARTIALLY_HARDENED} -eq 1 ]; then
LogText "Result: marked ${FILESYSTEM} as fully hardenened"
LogText "Result: marked ${FILESYSTEM} as partially hardened"
Display --indent 2 --text "- Mount options of ${FILESYSTEM}" --result "PARTIALLY HARDENED" --color YELLOW
AddHP 4 5
else
if [ "${FOUND_FLAGS}" = "defaults" ]; then
LogText "Result: marked ${FILESYSTEM} options as default (non hardened)"
# if
if ContainsString "defaults" "${FOUND_FLAGS}"; then
LogText "Result: marked ${FILESYSTEM} options as default (not hardened)"
Display --indent 2 --text "- Mount options of ${FILESYSTEM}" --result DEFAULT --color YELLOW
AddHP 3 5
else
LogText "Result: marked ${FILESYSTEM} options as non default (unclear about hardening)"
LogText "Result: marked ${FILESYSTEM} options as non-default (unclear about hardening)"
Display --indent 2 --text "- Mount options of ${FILESYSTEM}" --result "NON DEFAULT" --color YELLOW
AddHP 4 5
fi
fi
else
LogText "Result: file system ${FILESYSTEM} not found in /etc/fstab"
LogText "Result: file system ${FILESYSTEM} not found in ${ROOTDIR}etc/fstab"
fi
done
fi
NMOUNTS=$(mount | ${WCBINARY} --lines)
NDEVMOUNTS=$(mount | ${AWKBINARY} '{print $6}' | ${GREPBINARY} -v nodev | ${WCBINARY} --lines)
NEXECMOUNTS=$(mount | ${AWKBINARY} '{print $6}' | ${GREPBINARY} -v noexec | ${WCBINARY} --lines)
NSUIDMOUNTS=$(mount | ${AWKBINARY} '{print $6}' | ${GREPBINARY} -v nosuid | ${WCBINARY} --lines)
NWRITEANDEXECMOUNTS=$(mount | ${AWKBINARY} '{print $6}' | ${GREPBINARY} -v noexec | ${EGREPBINARY} -v '^\(ro[,)]' | ${WCBINARY} --lines)
LogText "Result: Total without nodev:${NDEVMOUNTS} noexec:${NEXECMOUNTS} nosuid:${NSUIDMOUNTS} ro or noexec (W^X): ${NWRITEANDEXECMOUNTS}, of total ${NMOUNTS}"
Display --indent 2 --text "- Total without nodev:${NDEVMOUNTS} noexec:${NEXECMOUNTS} nosuid:${NSUIDMOUNTS} ro or noexec (W^X): ${NWRITEANDEXECMOUNTS} of total ${NMOUNTS}"
fi
#
#################################################################################
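Review bot: the new summary lines `NMOUNTS=$(mount | ${WCBINARY} --lines)` and the four that follow use the GNU long option `--lines`, which busybox and BSD `wc` reject, and call bare `mount` instead of `${MOUNTBINARY}`; use `${WCBINARY} -l` and `${MOUNTBINARY}` so the counts work on every Linux userland the rest of this file already supports. The label "ro or noexec (W^X)" for `NWRITEANDEXECMOUNTS` is also inverted: that pipeline counts mounts that are neither read-only nor noexec, so name it "writable and executable (violates W^X)". The stray `# if` comment above `if ContainsString "defaults" ...` can be dropped.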
@ -605,7 +647,7 @@
if [ -f ${ROOTDIR}etc/fstab ]; then
FIND=$(${AWKBINARY} '{ if ($2=="/var/tmp") { print $4 } }' ${ROOTDIR}etc/fstab)
BIND=$(echo ${FIND} | ${AWKBINARY} '{ if ($1 ~ "bind") { print "YES" } else { print "NO" } }')
if [ ! -z "${FIND}" ]; then
if [ -n "${FIND}" ]; then
LogText "Result: mount system /var/tmp is configured with options: ${FIND}"
if [ "${BIND}" = "YES" ]; then
Display --indent 2 --text "- /var/tmp is bound to /tmp" --result "${STATUS_OK}" --color GREEN
@ -627,7 +669,6 @@
# Description : Check for nodirtime option
# Want to contribute to Lynis? Create this test
#
#################################################################################
#
@ -635,7 +676,6 @@
# Description : Check for relatime
# Want to contribute to Lynis? Create this test
#
#################################################################################
#
@ -648,11 +688,36 @@
#
#################################################################################
#
# Test : FILE-6394 TODO
# Test : FILE-6394
# Description : Check vm.swappiness (Linux)
# Want to contribute to Lynis? Create this test
Register --test-no FILE-6394 --os Linux --weight L --network NO --category security --description "Determine level of swappiness."
if [ ${SKIPTEST} -eq 0 ]; then
SWAPLEVEL=$(${CAT_BINARY} /proc/sys/vm/swappiness)
LogText "Test: checking level of vm.swappiness: ${SWAPLEVEL}"
PHYSDISK=$(${LSBLKBINARY} | ${GREPBINARY} -E 'disk|SWAP' | ${GREPBINARY} -B1 SWAP | ${HEADBINARY} -n1 | ${AWKBINARY} '{print $1}')
if [ ${SWAPLEVEL} -gt 60 ]; then
LogText "Result: vm.swappiness=${SWAPLEVEL} meaning that swapping is more frequent than default."
# Check if swap is on a HDD or SDD for frequent swapping
if [ -d "/sys/block/${PHYSDISK}" ]; then
HDDORSDD=$(${CAT_BINARY} "/sys/block/${PHYSDISK}/queue/rotational")
if [ ${HDDORSDD} -eq 1 ]; then
ReportSuggestion "${TEST_NO}" "vm.swappiness set to: ${SWAPLEVEL} > 60 (default) - consider installing an SSD for swap partition for better performance."
fi
fi
elif [ ${SWAPLEVEL} -eq 0 ]; then
LogText "Result: vm.swappiness=${SWAPLEVEL} meaning swapping is disabled."
ReportSuggestion "${TEST_NO}" "vm.swappiness set to: ${SWAPLEVEL}. Consider setting value to minimum of 1 for minimizing swappiness, but not quite disabling it. Will prevent OOM killer from killing processes when running out of physical memory."
elif [ ${SWAPLEVEL} -eq 1 ]; then
LogText "Result: vm.swappiness=${SWAPLEVEL} meaning that swapping can still occur but at very minimum."
elif [ ${SWAPLEVEL} -eq 10 ]; then
LogText "Result: vm.swappiness=${SWAPLEVEL} which is the preferred setting for database servers."
elif [ ${SWAPLEVEL} -lt 60 ]; then
LogText "Result: vm.swappiness=${SWAPLEVEL} meaning that swapping is less frequent than default. This is only recommended for servers."
else
LogText "Result: vm.swappiness=${SWAPLEVEL} which is the standard level of swappiness and works well for desktop systems."
fi
if IsVerbose; then Display --indent 2 --text "- Swappiness: ${SWAPLEVEL}" --result "INFO" --color WHITE; fi
fi
#
#################################################################################
#
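Review bot: FILE-6394 has no guard for an empty `SWAPLEVEL`: when `${CAT_BINARY} /proc/sys/vm/swappiness` fails (restricted container, `CAT_BINARY` unset) every `[ ${SWAPLEVEL} -gt 60 ]` style test errors with "integer expression expected"; check `[ -n "${SWAPLEVEL}" ]` (and that it is numeric) first. The `PHYSDISK` derivation is fragile in the same way: with a swap file, or no swap, `grep -B1 SWAP` yields nothing, `PHYSDISK` is empty, and `[ -d "/sys/block/${PHYSDISK}" ]` then tests `/sys/block/`, which exists, so the code reads `/sys/block//queue/rotational` and `[ ${HDDORSDD} -eq 1 ]` fails on an empty value; with swap on zram the `disk` and `SWAP` tokens are on one lsblk row and `-B1` returns the preceding, unrelated disk. Require a non-empty `PHYSDISK` before the `-d` test, or use `lsblk -rno NAME,TYPE,PKNAME,MOUNTPOINT` to resolve the parent device directly.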
@ -690,7 +755,7 @@
else
LogText "Result: database not found"
Display --indent 2 --text "- Checking Locate database" --result "${STATUS_NOT_FOUND}" --color YELLOW
ReportSuggestion ${TEST_NO} "The database required for 'locate' could not be found. Run 'updatedb' or 'locate.updatedb' to create this file."
ReportSuggestion "${TEST_NO}" "The database required for 'locate' could not be found. Run 'updatedb' or 'locate.updatedb' to create this file."
fi
fi
#
@ -733,10 +798,10 @@
# Test : FILE-6430
# Description : Disable mounting of some filesystems
# Rationale : Unless there is a specific reason to use a particular file system, disable it.
# Data : cramfs freevxfs hfs hfsplus jffs2 squashfs udf
# Data : cramfs freevxfs hfs hfsplus jffs2 squashfs udf
Register --test-no FILE-6430 --weight L --network NO --category security --description "Disable mounting of some filesystems"
if [ ${SKIPTEST} -eq 0 ]; then
if [ ! -z "${LSMODBINARY}" -a -f /proc/modules ]; then
if [ -n "${LSMODBINARY}" -a -f /proc/modules ]; then
Display --indent 2 --text "- Disable kernel support of some filesystems"
LIST_FS_NOT_SUPPORTED="cramfs freevxfs hfs hfsplus jffs2 squashfs udf"
FOUND=0
@ -744,19 +809,17 @@
AVAILABLE_MODPROBE_FS=""
for FS in ${LIST_FS_NOT_SUPPORTED}; do
# Check if filesystem is present in modprobe output
FIND=$(${MODPROBEBINARY} -v -n $FS 2>/dev/null | ${EGREPBINARY} "/${FS}.ko" | tail -1)
if [ ! -z "${FIND}" ]; then
LogText "Result: found module support in kernel: ${FIND}"
FIND=$(${MODPROBEBINARY} -v -n ${FS} 2>/dev/null | ${EGREPBINARY} "/${FS}.ko" | ${TAILBINARY} -1)
if [ -n "${FIND}" ]; then
LogText "Result: found ${FS} support in the kernel (output = ${FIND})"
Debug "Module ${FS} present in the kernel"
LogText "Test: Checking if ${FS} is active"
# Check if FS is present in lsmod output
FIND=$(${LSMODBINARY} | ${EGREPBINARY} "^${FS}")
if IsEmpty "${FIND}"; then
LogText "Result: module ${FS} is not loaded in the kernel"
LogText "Result: module ${FS} is currently not loaded in the kernel."
AddHP 2 3
if IsDebug; then Display --indent 6 --text "- Module ${FS} not loaded (lsmod)" --result OK --color GREEN; fi
# Tip to disable a particular module if it is not loaded TODO
#ReportSuggestion ${TEST_NO} "The modprobe.d directory should contain a file with the entry 'install ${FS} /bin/true'"
FOUND=1
AVAILABLE_MODPROBE_FS="${AVAILABLE_MODPROBE_FS}${FS} "
else
@ -767,9 +830,19 @@
AddHP 3 3
if IsDebug; then Display --indent 6 --text "- Module ${FS} not present in the kernel" --result OK --color GREEN; fi
fi
FIND=$(${LSBINARY} ${ROOTDIR}etc/modprobe.d/* 2> /dev/null)
if [ -n "${FIND}" ]; then
FIND1=$(${EGREPBINARY} "blacklist ${FS}" ${ROOTDIR}etc/modprobe.d/* | ${GREPBINARY} -v "#")
FIND2=$(${EGREPBINARY} "install ${FS} /bin/true" ${ROOTDIR}etc/modprobe.d/* | ${GREPBINARY} -v "#")
if [ -n "${FIND1}" ] || [ -n "${FIND2}" ]; then
Display --indent 4 --text "- Module $FS is blacklisted" --result "OK" --color GREEN
LogText "Result: module ${FS} is blacklisted"
fi
fi
done
if [ ${FOUND} -eq 1 ]; then
Display --indent 4 --text "- Discovered kernel modules: ${AVAILABLE_MODPROBE_FS}"
ReportSuggestion "${TEST_NO}" "Consider disabling unused kernel modules" "/etc/modprobe.d/blacklist.conf" "Add 'install MODULENAME /bin/true' (without quotes)"
fi
else
LogText "Test skipped lsmod binary not found or /proc/modules can not be opened"
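Review bot: the blacklist detection in the new modprobe.d block is a prefix match: `${EGREPBINARY} "blacklist ${FS}"` with FS=hfs also matches a `blacklist hfsplus` line, so hfs is displayed as blacklisted when only hfsplus is (both are in LIST_FS_NOT_SUPPORTED); anchoring the module name, e.g. `"blacklist[[:space:]]+${FS}([[:space:]]|$)"`, and doing the same for the `install ${FS} /bin/true` pattern avoids the false OK. The `${GREPBINARY} -v "#"` filter on the same two lines drops every line that contains a `#` anywhere, including a valid `install hfs /bin/true # CIS 1.1.1` entry with a trailing comment; `-v "^[[:space:]]*#"` removes only comment lines.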


@ -6,7 +6,7 @@
# ------------------
#
# Copyright 2007-2013, Michael Boelen
# Copyright 2007-2019, CISOfy
# Copyright 2007-2020, CISOfy
#
# Website : https://cisofy.com
# Blog : http://linux-audit.com
@ -41,7 +41,7 @@
Register --test-no FIRE-4502 --os Linux --weight L --network NO --category security --description "Check iptables kernel module"
if [ ${SKIPTEST} -eq 0 ]; then
FIND=$(${LSMODBINARY} | ${AWKBINARY} '{ print $1 }' | ${GREPBINARY} "^ip*_tables")
if [ ! -z "${FIND}" ]; then
if [ -n "${FIND}" ]; then
FIREWALL_ACTIVE=1
IPTABLES_ACTIVE=1
IPTABLES_MODULE_ACTIVE=1
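Review bot: the pattern `"^ip*_tables"` on the FIND line does not match `ip6_tables` (`p*` only allows repeated `p`, so the match fails at the `6`), which leaves IPTABLES_MODULE_ACTIVE at 0 on an IPv6-only iptables host; `"^ip6*_tables"` matches both `ip_tables` and `ip6_tables`.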
@ -73,11 +73,11 @@
# If we have a kernel configuration file, use it for testing
# Do not perform test if we already found it in kernel module list, to avoid triggered it in the upcoming
# tests, when using iptables --list
if [ ! -z "${LINUXCONFIGFILE}" ]; then
if [ -n "${LINUXCONFIGFILE}" ]; then
if [ -f ${LINUXCONFIGFILE} -a ${IPTABLES_MODULE_ACTIVE} -eq 0 ]; then
LogText "Result: found kernel configuration file (${LINUXCONFIGFILE})"
FIND=$(${tCATCMD} ${LINUXCONFIGFILE} | ${GREPBINARY} -v '^#' | ${GREPBINARY} "CONFIG_IP_NF_IPTABLES" | head -n 1)
if [ ! -z "${FIND}" ]; then
if [ -n "${FIND}" ]; then
HAVEMOD=$(echo ${FIND} | ${CUTBINARY} -d '=' -f2)
# Do not use iptables if it's compiled as a module (=m), since we already tested for it in the
# active list.
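Review bot: the kernel-config line `FIND=$(${tCATCMD} ${LINUXCONFIGFILE} | ...)` mixes conventions: `tCATCMD` does not follow the `*BINARY` naming used for every other tool in this file, and `head -n 1` is called bare while the pf test further down uses `${HEADBINARY}`. Please verify `tCATCMD` is actually set; if it is empty the shell tries to execute the configuration file itself and the CONFIG_IP_NF_IPTABLES check never fires. `${GREPBINARY} -v '^#' ${LINUXCONFIGFILE} | ${GREPBINARY} "CONFIG_IP_NF_IPTABLES" | ${HEADBINARY} -n 1` needs no cat at all.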
@ -115,7 +115,7 @@
FIND="$FIND""\n"$(${IPTABLESBINARY} -t ${TABLE} --numeric --list | ${EGREPBINARY} -z -o -w '[A-Z]+' | tr -d '\0' | ${AWKBINARY} -v t=${TABLE} 'NR%2 {printf "%s %s ",t, $0 ; next;}1')
done
echo "${FIND}" | while read line; do
echo "${FIND}" | while read -r line; do
table=$(echo ${line} | ${AWKBINARY} '{ print $1 }')
chainname=$(echo ${line} | ${AWKBINARY} '{ print $2 }')
policy=$(echo ${line} | ${AWKBINARY} '{ print $3 }')
@ -128,7 +128,7 @@
"ACCEPT")
LogText "Result: Found ACCEPT for ${chainname} (table: ${table})"
Display --indent 6 --text "- Checking chain ${chainname} (table: ${table}, policy ${policy})" --result "ACCEPT" --color YELLOW
#ReportSuggestion ${TEST_NO} "Consider settings default chain policy to DROP (iptables chain ${chainname}, table: ${table})"
#ReportSuggestion "${TEST_NO}" "Consider settings default chain policy to DROP (iptables chain ${chainname}, table: ${table})"
AddHP 1 3
;;
"DROP")
@ -139,7 +139,7 @@
*)
Display --indent 6 --text "- Checking chain ${chainname} (table: ${table}, policy ${policy})" --result "other" --color YELLOW
LogText "Result: Unknown policy: ${policy}"
#ReportSuggestion ${TEST_NO} "Check iptables ${chainname} (table: ${table}) chain policy"
#ReportSuggestion "${TEST_NO}" "Check iptables ${chainname} (table: ${table}) chain policy"
;;
esac
fi
@ -151,18 +151,18 @@
#
# Test : FIRE-4512
# Description : Check iptables for empty ruleset (should have at least 5 or more rules)
if [ ! -z "${IPTABLESBINARY}" -a ${IPTABLES_ACTIVE} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
if [ -n "${IPTABLESBINARY}" -a ${IPTABLES_ACTIVE} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no FIRE-4512 --preqs-met ${PREQS_MET} --os Linux --weight L --network NO --root-only YES --category security --description "Check iptables for empty ruleset"
if [ ${SKIPTEST} -eq 0 ]; then
FIND=$(${IPTABLESBINARY} --list --numeric 2> /dev/null | ${EGREPBINARY} -v "^(Chain|target|$)" | ${WCBINARY} -l | ${TRBINARY} -d ' ')
if [ ! -z "${FIND}" ]; then
if [ -n "${FIND}" ]; then
FIREWALL_ACTIVE=1
if [ ${FIND} -le 5 ]; then
# Firewall is active, but needs configuration
FIREWALL_EMPTY_RULESET=1
LogText "Result: iptables ruleset seems to be empty (found ${FIND} rules)"
Display --indent 4 --text "- Checking for empty ruleset" --result "${STATUS_WARNING}" --color RED
ReportWarning ${TEST_NO} "iptables module(s) loaded, but no rules active"
ReportWarning "${TEST_NO}" "iptables module(s) loaded, but no rules active"
else
LogText "Result: one or more rules are available (${FIND} rules)"
Display --indent 4 --text "- Checking for empty ruleset" --result "${STATUS_OK}" --color GREEN
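Review bot: the Description comment says the ruleset "should have at least 5 or more rules", but `if [ ${FIND} -le 5 ]` treats exactly 5 rules as empty; either use `-lt 5` or reword the comment so the two agree. Note also that FIND counts non-header lines of the filter table only (`--list` without `-t`), so a host whose rules live in the nat or mangle tables is reported with FIREWALL_EMPTY_RULESET=1 even though FIRE-4502 iterates over ${TABLE}.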
@ -174,7 +174,7 @@
#
# Test : FIRE-4513
# Description : Check iptables for unused rules
if [ ! -z "${IPTABLESBINARY}" -a ${IPTABLES_ACTIVE} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
if [ -n "${IPTABLESBINARY}" -a ${IPTABLES_ACTIVE} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no FIRE-4513 --preqs-met ${PREQS_MET} --os Linux --weight L --network NO --root-only YES --category security --description "Check iptables for unused rules"
if [ ${SKIPTEST} -eq 0 ]; then
FIND=$(${IPTABLESBINARY} --list --numeric --line-numbers --verbose | ${AWKBINARY} '{ if ($2=="0") print $1 }' | ${XARGSBINARY})
@ -187,7 +187,7 @@
LogText "Description: Unused rules can be a sign that the firewall rules aren't optimized or up-to-date"
LogText "Note: Sometimes rules aren't triggered but still in use. Keep this in mind before cleaning up rules."
LogText "Output: iptables rule numbers: ${FIND}"
ReportSuggestion ${TEST_NO} "Check iptables rules to see which rules are currently not used"
ReportSuggestion "${TEST_NO}" "Check iptables rules to see which rules are currently not used"
LogText "Tip: iptables --list --numeric --line-numbers --verbose"
fi
fi
@ -212,7 +212,7 @@
# Check status with pfctl
LogText "Test: checking pf status via pfctl"
if [ ! -z "${PFCTLBINARY}" ]; then
if [ -n "${PFCTLBINARY}" ]; then
FIND=$(${PFCTLBINARY} -sa 2>&1 | ${GREPBINARY} "^Status" | ${HEADBINARY} -1 | ${AWKBINARY} '{ print $2 }')
if [ "${FIND}" = "Disabled" ]; then
if IsVerbose; then Display --indent 2 --text "- Checking pf status (pfctl)" --result "${STATUS_DISABLED}" --color RED; fi
@ -233,7 +233,7 @@
if [ ${PFFOUND} -eq 0 ]; then
# Check for pf kernel module (FreeBSD and similar)
LogText "Test: searching for pf kernel module"
if [ ! -z "${KLDSTATBINARY}" ]; then
if [ -n "${KLDSTATBINARY}" ]; then
FIND=$(${KLDSTATBINARY} | ${GREPBINARY} 'pf.ko')
if [ -z "${FIND}" ]; then
LogText "Result: Can not find pf KLD"
@ -245,8 +245,7 @@
LogText "Result: no kldstat binary, skipping this part"
fi
IsRunning pflogd
if [ ${RUNNING} -eq 1 ]; then
if IsRunning "pflogd"; then
LogText "Result: found pflog daemon in process list"
Display --indent 4 --text "- Checking pflogd status" --result "ACTIVE" --color GREEN
PFFOUND=1
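Review bot: replacing `IsRunning pflogd; if [ ${RUNNING} -eq 1 ]` with `if IsRunning "pflogd"` makes the branch depend on the helper's exit status rather than on the RUNNING variable; that is only correct if IsRunning now returns 0/1 explicitly (a function that merely sets RUNNING returns the status of its last command). The same rewrite is applied to Little Snitch, HandsOff, LuLu, Radio Silence and inetd/xinetd below, so a helper that does not return a proper status would flip every one of those results at once; worth a check against the updated IsRunning in this sync.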
@ -283,7 +282,7 @@
else
Display --indent 4 --text "- Checking pf configuration consistency" --result "${STATUS_WARNING}" --color RED
LogText "Result: found one or more warnings in the pf filter rules"
ReportWarning ${TEST_NO} "Found one or more warnings in pf configuration file" "/etc/pf.conf" "text:Run 'pfctl -n -f /etc/pf.conf -vvv' to see available pf warnings"
ReportWarning "${TEST_NO}" "Found one or more warnings in pf configuration file" "/etc/pf.conf" "text:Run 'pfctl -n -f /etc/pf.conf -vvv' to see available pf warnings"
fi
else
LogText "Result: /etc/pf.conf does NOT exist"
@ -353,7 +352,7 @@
# Description : Check IPFW (FreeBSD)
Register --test-no FIRE-4530 --os FreeBSD --weight L --network NO --category security --description "Check IPFW status"
if [ ${SKIPTEST} -eq 0 ]; then
if [ ! -z "${SYSCTLBINARY}" ]; then
if [ -n "${SYSCTLBINARY}" ]; then
# For now, only check for IPv4.
FIND=$(${SYSCTLBINARY} net.inet.ip.fw.enable 2> /dev/null | ${AWKBINARY} '{ print $2 }')
if [ "${FIND}" = "1" ]; then
@ -386,7 +385,7 @@
Register --test-no FIRE-4532 --weight L --os "macOS" --preqs-met ${PREQS_MET} --network NO --category security --description "Check macOS application firewall"
if [ ${SKIPTEST} -eq 0 ]; then
FIND=$(/usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate 2> /dev/null | ${GREPBINARY} "Firewall is enabled")
if [ ! -z "${FIND}" ]; then
if [ -n "${FIND}" ]; then
Display --indent 2 --text "- Checking macOS: Application Firewall" --result "${STATUS_ENABLED}" --color GREEN
AddHP 3 3
LogText "Result: application firewall of macOS is enabled"
@ -408,10 +407,11 @@
Register --test-no FIRE-4534 --weight L --os "macOS" --network NO --category security --description "Check for presence of outbound firewalls on macOS"
if [ ${SKIPTEST} -eq 0 ]; then
FOUND=0
# Little Snitch Daemon (macOS)
LogText "Test: checking process Little Snitch Daemon"
IsRunning --full "Little Snitch Daemon"
if [ ${RUNNING} -eq 1 ]; then
if IsRunning --full "Little Snitch Daemon"; then
Display --indent 2 --text "- Checking Little Snitch Daemon" --result "${STATUS_ENABLED}" --color GREEN
LogText "Result: Little Snitch found"
FOUND=1
@ -423,8 +423,7 @@
# HandsOff! Daemon (macOS)
LogText "Test: checking process HandsOffDaemon"
IsRunning HandsOffDaemon
if [ ${RUNNING} -eq 1 ]; then
if IsRunning "HandsOffDaemon"; then
Display --indent 2 --text "- Checking Hands Off! Daemon" --result "${STATUS_ENABLED}" --color GREEN
LogText "Result: Hands Off! found"
FOUND=1
@ -436,8 +435,7 @@
# LuLu Daemon (macOS)
LogText "Test: checking process LuLu"
IsRunning LuLu
if [ ${RUNNING} -eq 1 ]; then
if IsRunning "LuLu"; then
Display --indent 2 --text "- Checking LuLu Daemon" --result "${STATUS_ENABLED}" --color GREEN
LogText "Result: LuLu found"
FOUND=1
@ -449,8 +447,7 @@
# Radio Silence (macOS)
LogText "Test: checking process Radio Silence"
IsRunning --full "Radio Silence"
if [ ${RUNNING} -eq 1 ]; then
if IsRunning --full "Radio Silence"; then
Display --indent 2 --text "- Checking Radio Silence" --result "${STATUS_ENABLED}" --color GREEN
LogText "Result: Radio Silence found"
FOUND=1
@ -478,7 +475,7 @@
Register --test-no FIRE-4536 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check nftables status"
if [ ${SKIPTEST} -eq 0 ]; then
FIND=$(${LSMODBINARY} | ${AWKBINARY} '{ print $1 }' | ${GREPBINARY} "^nf*_tables")
if [ ! -z "${FIND}" ]; then
if [ -n "${FIND}" ]; then
LogText "Result: found nftables kernel module"
FIREWALL_ACTIVE=1
NFTABLES_ACTIVE=1
@ -506,13 +503,13 @@
# Test : FIRE-4540
# Description : Check nftables configuration
if HasData "${NFTBINARY}"; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no FIRE-4540 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for empty nftables configuration"
Register --test-no FIRE-4540 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --root-only YES --category security --description "Check for empty nftables configuration"
if [ ${SKIPTEST} -eq 0 ]; then
# Check for empty ruleset
NFT_RULES_LENGTH=$(${NFTBINARY} export json 2> /dev/null | wc -c)
if [ ${NFT_RULES_LENGTH} -le 16 ]; then
NFT_RULES_LENGTH=$(${NFTBINARY} list ruleset --stateless 2> /dev/null | ${EGREPBINARY} -v "table|chain|;$|}$|^$" | ${WCBINARY} -l)
if [ ${NFT_RULES_LENGTH} -le 3 ]; then
FIREWALL_EMPTY_RULESET=1
LogText "Result: this firewall set has 16 rules or less and is considered to be empty"
LogText "Result: this firewall set has 3 rules or less and is considered to be empty"
else
LogText "Result: found ${NFT_RULES_LENGTH} rules in nftables configuration"
fi
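Review bot: the new empty-ruleset heuristic `${EGREPBINARY} -v "table|chain|;$|}$|^$"` is a substring filter, so it also throws away real rules that merely contain those words, for example a `jump input_chain` rule or a rule whose `comment` mentions a table; a ruleset consisting of such rules then falls under the `-le 3` threshold and is reported as FIREWALL_EMPTY_RULESET=1. Anchoring the declarations, `^[[:space:]]*(table|chain) `, keeps the rule lines while still dropping the headers, and the `--root-only YES` addition is needed, since an unprivileged `nft list ruleset` prints nothing and would count as 0 rules.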
@ -526,7 +523,7 @@
Register --test-no FIRE-4586 --preqs-met ${PREQS_MET} --weight L --network NO --root-only YES --category security --description "Check firewall logging"
if [ ${SKIPTEST} -eq 0 ]; then
if [ ${IPTABLES_ACTIVE} -eq 1 ]; then
if [ ! -z "${IPTABLESSAVEBINARY}" ]; then
if [ -n "${IPTABLESSAVEBINARY}" ]; then
HAS_LOGGING=$(${IPTABLESSAVEBINARY} | ${GREPBINARY} "\-j LOG")
if [ -z "${HAS_LOGGING}" ]; then
Report "firewall_no_logging[]=iptables"
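Review bot: `${GREPBINARY} "\-j LOG"` recognises only the LOG target, so a ruleset that logs via `-j NFLOG` (or ULOG on older kernels) is reported as `firewall_no_logging[]=iptables` although it does log; `${EGREPBINARY} "\-j (LOG|NFLOG|ULOG)"` covers the common logging targets.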
@ -553,7 +550,7 @@
else
Display --indent 2 --text "- Checking host based firewall" --result "NOT ACTIVE" --color YELLOW
LogText "Result: no host based firewall/packet filter found or configured"
ReportSuggestion ${TEST_NO} "Configure a firewall/packet filter to filter incoming and outgoing traffic"
ReportSuggestion "${TEST_NO}" "Configure a firewall/packet filter to filter incoming and outgoing traffic"
AddHP 0 5
fi
fi
@ -563,7 +560,7 @@
# Test : FIRE-4594
# Description : Check for APF (Advanced Policy Firewall)
Register --test-no FIRE-4594 --weight L --network NO --category security --description "Check for APF presence"
if [ ! -z "${IPTABLESBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
if [ -n "${IPTABLESBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
if [ ${SKIPTEST} -eq 0 ]; then
FILE="/etc/apf/conf.apf"
LogText "Test: check ${FILE}"
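Review bot: in FIRE-4594 the `PREQS_MET` assignment comes after the Register call and Register is invoked without `--preqs-met`, so the iptables prerequisite is computed but never applied to this test (and the value leaks into whatever registers next). Move the `if [ -n "${IPTABLESBINARY}" ]` line above Register and pass `--preqs-met ${PREQS_MET}`, as FIRE-4512 and FIRE-4513 do.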
@ -596,11 +593,6 @@
#################################################################################
#
# Report firewall installed for now, if we found one active. Next step would be determining binaries first and apply additional checks.
Report "firewall_active=${FIREWALL_ACTIVE}"
Report "firewall_empty_ruleset=${FIREWALL_EMPTY_RULESET}"
Report "firewall_installed=${FIREWALL_ACTIVE}"
WaitForKeyPress
#


@ -6,7 +6,7 @@
# ------------------
#
# Copyright 2007-2013, Michael Boelen
# Copyright 2007-2019, CISOfy
# Copyright 2007-2020, CISOfy
#
# Website : https://cisofy.com
# Blog : http://linux-audit.com
@ -20,7 +20,7 @@
#
InsertSection "Hardening"
# COMPILER_INSTALLED is initialised before
# COMPILER_INSTALLED is initialized before
HARDEN_COMPILERS_NEEDED=0
#
#################################################################################
@ -54,12 +54,12 @@
LogText "Result: no compilers found"
else
# TODO - c89 c99 cpp ld
TEST_BINARIES="${ASBINARY} ${GCCBINARY}"
TEST_BINARIES="${ASBINARY} ${CCBINARY} ${CLANGBINARY} ${GCCBINARY}"
for ITEM in ${TEST_BINARIES}; do
FILE="${ITEM}"
LogText "Test: Check file permissions for ${ITEM}"
ShowSymlinkPath ${ITEM}
if [ ! -z "${SYMLINK}" ]; then
if [ -n "${SYMLINK}" ]; then
FILE="${SYMLINK}"
fi
@ -76,7 +76,7 @@
# Report suggestion is one or more compilers can be better hardened
if [ ${HARDEN_COMPILERS_NEEDED} -eq 1 ]; then
LogText "Result: at least one compiler could be better hardened by restricting executable access to root or group only"
ReportSuggestion ${TEST_NO} "Harden compilers like restricting access to root user only"
ReportSuggestion "${TEST_NO}" "Harden compilers like restricting access to root user only"
fi
fi
fi
@ -99,7 +99,7 @@
else
Display --indent 4 --text "- Installed malware scanner" --result "${STATUS_NOT_FOUND}" --color RED
fi
ReportSuggestion ${TEST_NO} "Harden the system by installing at least one malware scanner, to perform periodic file system scans" "-" "Install a tool like rkhunter, chkrootkit, OSSEC"
ReportSuggestion "${TEST_NO}" "Harden the system by installing at least one malware scanner, to perform periodic file system scans" "-" "Install a tool like rkhunter, chkrootkit, OSSEC"
AddHP 1 3
LogText "Result: no malware scanner found"
fi


@ -6,7 +6,7 @@
# ------------------
#
# Copyright 2007-2013, Michael Boelen
# Copyright 2007-2019, CISOfy
# Copyright 2007-2020, CISOfy
#
# Website : https://cisofy.com
# Blog : http://linux-audit.com
@ -37,8 +37,8 @@
Register --test-no HOME-9302 --weight L --network NO --category security --description "Create list with home directories"
if [ ${SKIPTEST} -eq 0 ]; then
# Read sixth field of /etc/passwd
LogText "Test: query /etc/passwd to obtain home directories"
FIND=$(${AWKBINARY} -F: '{ if ($1 !~ "#") print $6 }' /etc/passwd | ${SORTBINARY} -u)
LogText "Test: query ${ROOTDIR}etc/passwd to obtain home directories"
FIND=$(${AWKBINARY} -F: '{ if ($1 !~ "#") print $6 }' ${ROOTDIR}etc/passwd | ${SORTBINARY} -u)
for I in ${FIND}; do
if [ -d ${I} ]; then
LogText "Result: found home directory: ${I} (directory exists)"
@ -50,12 +50,83 @@
fi
#
#################################################################################
#
# Test : HOME-9304
# Description : Check if users' home directories permissions are 750 or more restrictive
Register --test-no HOME-9304 --weight L --network NO --category security --description "Check if users' home directories permissions are 750 or more restrictive"
if [ ${SKIPTEST} -eq 0 ]; then
# Check if users' home directories permissions are 750 or more restrictive
FOUND=0
USERDATA=$(${EGREPBINARY} -v '^(daemon|git|halt|root|shutdown|sync)' ${ROOTDIR}etc/passwd | ${AWKBINARY} -F: '($7 !~ "/(false|nologin)$") { print }')
while read -r LINE; do
USER=$(echo ${LINE} | ${CUTBINARY} -d: -f1)
DIR=$(echo ${LINE} | ${CUTBINARY} -d: -f6)
LogText "Test: checking directory '${DIR}' for user '${USER}'"
if [ -d "${DIR}" ]; then
WRITE_GROUP_PERM=$(${LSBINARY} -ld ${DIR} | ${CUTBINARY} -f1 -d" " | ${CUTBINARY} -c6)
OTHER_PERMS=$(${LSBINARY} -ld ${DIR} | ${CUTBINARY} -f1 -d" " | ${CUTBINARY} -c8-10)
if [ ! ${WRITE_GROUP_PERM} = "-" -o ! ${OTHER_PERMS} = "---" ]; then
LogText "Result: permissions of home directory ${DIR} of user ${USER} are not strict enough. Should be 750 or more restrictive. Change with: chmod 750 ${DIR}"
FOUND=1
else
LogText "Result: permissions of home directory ${DIR} of user ${USER} are fine"
fi
fi
done << EOF
${USERDATA}
EOF
if [ ${FOUND} -eq 1 ]; then
Display --indent 2 --text "- Permissions of home directories" --result "${STATUS_WARNING}" --color RED
ReportSuggestion "${TEST_NO}" "Double check the permissions of home directories as some might be not strict enough."
else
Display --indent 2 --text "- Permissions of home directories" --result "${STATUS_OK}" --color GREEN
LogText "Result: OK, all permissions of the home directories are 750 or more restrictive"
fi
fi
#
#################################################################################
#
# Test : HOME-9306
# Description : Check if users own their home directories
Register --test-no HOME-9306 --weight L --network NO --category security --description "Check if users own their home directories"
if [ ${SKIPTEST} -eq 0 ]; then
# Check if users own their home directories
FOUND=0
USERDATA=$(${EGREPBINARY} -v '^(daemon|git|halt|root|shutdown|sync)' ${ROOTDIR}etc/passwd | ${AWKBINARY} -F: '($7 !~ "/(false|nologin)$") { print }')
while read -r LINE; do
USER=$(echo ${LINE} | ${CUTBINARY} -d: -f1)
DIR=$(echo ${LINE} | ${CUTBINARY} -d: -f6)
LogText "Test: checking directory '${DIR}' for user '${USER}'"
if [ -d "${DIR}" ]; then
OWNER=$(ls -ld ${DIR} | awk -F" " '{ print $3 }')
if [ ! "${OWNER}" = "${USER}" ]; then
LogText "Result: the home directory ${DIR} of user ${USER} is owned by ${OWNER}. Correct: chown ${USER} ${DIR}"
FOUND=1
else
LogText "Result: ownership of home directory ${DIR} for user ${USER} looks to be correct"
fi
fi
done << EOF
${USERDATA}
EOF
if [ ${FOUND} -eq 1 ]; then
Display --indent 2 --text "- Ownership of home directories" --result "${STATUS_WARNING}" --color RED
ReportSuggestion "${TEST_NO}" "Double check the ownership of home directories as some might be incorrect."
else
Display --indent 2 --text "- Ownership of home directories" --result "${STATUS_OK}" --color GREEN
LogText "Result: OK, all users own their home directories"
fi
fi
#
#################################################################################
#
# Test : HOME-9310
# Description : Check for suspicious shell history files
Register --test-no HOME-9310 --weight L --network NO --category security --description "Checking for suspicious shell history files"
if [ ${SKIPTEST} -eq 0 ]; then
if [ ! -z "${HOMEDIRS}" ]; then
if [ -n "${HOMEDIRS}" ]; then
if [ "${OS}" = "Solaris" ]; then
# Solaris doesn't support -maxdepth
FIND=$(${FINDBINARY} ${HOMEDIRS} -name ".*history" ! -type f -print)
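Review bot: the account exclusion `${EGREPBINARY} -v '^(daemon|git|halt|root|shutdown|sync)'` used in both HOME-9304 and HOME-9306 lacks the field terminator, so it is a prefix match that silently removes accounts such as `gitlab`, `gitea` or `rootuser` from the permission and ownership checks; `'^(daemon|git|halt|root|shutdown|sync):'` restricts it to those exact names. Two smaller points in the same hunk: HOME-9306 calls bare `ls` and `awk` (`OWNER=$(ls -ld ${DIR} | awk ...)`) where HOME-9304 uses `${LSBINARY}` and `${AWKBINARY}`, and the USERDATA pipeline is duplicated verbatim in both tests, so computing it once above them keeps the two from drifting apart.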
@ -70,12 +141,12 @@
LogText "Result: the following files seem to be of the wrong file type:"
LogText "Output: ${FIND}"
LogText "Info: above files could be redirected files to avoid logging and should be investigated"
ReportWarning ${TEST_NO} "Incorrect file type found for shell history file"
ReportWarning "${TEST_NO}" "Incorrect file type found for shell history file"
fi
LogText "Remarks: History files are normally of the type 'file'. Symbolic links and other types can be riskful."
LogText "Remark: History files are normally of the type 'file'. Symbolic links and other types are suspicious."
else
Display --indent 2 --text "- Checking shell history files" --result "${STATUS_SKIPPED}" --color WHITE
LogText "Result: Homedirs is empty, test will be skipped"
LogText "Result: Homedirs is empty, therefore test will be skipped"
fi
fi
#
@ -93,7 +164,7 @@
# Notes : For performance reasons we combine the scanning of different files, so inode caching is used
# as much as possible for every find command
# Profile opt : ignore-home-dir (multiple lines allowed), ignores home directory
if [ ! -z "${REPORTFILE}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
if [ -n "${REPORTFILE}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no HOME-9350 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Collecting information from home directories"
if [ ${SKIPTEST} -eq 0 ]; then
IGNORE_HOME_DIRS=$(${GREPBINARY} "^ignore-home-dir=" ${REPORTFILE} | ${AWKBINARY} -F= '{ print $2 }')


@ -6,7 +6,7 @@
# ------------------
#
# Copyright 2007-2013, Michael Boelen
# Copyright 2007-2019, CISOfy
# Copyright 2007-2020, CISOfy
#
# Website : https://cisofy.com
# Blog : http://linux-audit.com
@ -18,7 +18,7 @@
#
#################################################################################
#
# Unsecure services
# Insecure services
#
#################################################################################
#
@ -28,32 +28,55 @@
#
INETD_ACTIVE=0
INETD_CONFIG_FILE="${ROOTDIR}etc/inetd.conf"
INETD_PACKAGE_INSTALLED=0
XINETD_ACTIVE=0
XINETD_CONFIG_FILE="${ROOTDIR}etc/xinetd.conf"
XINETD_CONFIG_DIR="${ROOTDIR}etc/xinetd.d"
#
#################################################################################
#
# Test : INSE-8000
# Description : Check for installed inetd package
Register --test-no INSE-8000 --package-manager-required --weight L --network NO --category security --description "Installed inetd package"
if [ ${SKIPTEST} -eq 0 ]; then
# Check for installed inetd daemon
LogText "Test: Checking if inetd is installed"
if PackageIsInstalled "inetd"; then
INETD_PACKAGE_INSTALLED=1
LogText "Result: inetd is installed"
Display --indent 2 --text "- Installed inetd package" --result "${STATUS_FOUND}" --color YELLOW
#ReportSuggestion "${TEST_NO}" "If there are no inetd services required, it is recommended that the daemon be removed"
else
LogText "Result: inetd is NOT installed"
Display --indent 2 --text "- Installed inetd package" --result "${STATUS_NOT_FOUND}" --color GREEN
fi
fi
#
#################################################################################
#
# Test : INSE-8002
# Description : Check for inetd status
Register --test-no INSE-8002 --weight L --network NO --category security --description "Check for enabled inet daemon"
if [ ${INETD_PACKAGE_INSTALLED} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no INSE-8002 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for enabled inet daemon"
if [ ${SKIPTEST} -eq 0 ]; then
# Check running processes
LogText "Test: Searching for active inet daemon"
IsRunning inetd
if [ ${RUNNING} -eq 1 ]; then
if IsRunning "inetd"; then
LogText "Result: inetd is running"
Display --indent 2 --text "- Checking inetd status" --result "ACTIVE" --color GREEN
Display --indent 4 --text "- inetd status" --result "ACTIVE" --color GREEN
INETD_ACTIVE=1
else
LogText "Result: inetd is NOT running"
Display --indent 2 --text "- Checking inetd status" --result "NOT ACTIVE" --color GREEN
Display --indent 4 --text "- inetd status" --result "NOT ACTIVE" --color GREEN
fi
fi
#
#################################################################################
#
# Test : INSE-8004
# Description : Check for inetd configuration file
# Description : Check for inetd configuration file (inetd)
if [ ${INETD_ACTIVE} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no INSE-8004 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for enabled inet daemon"
Register --test-no INSE-8004 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Presence of inetd configuration file"
if [ ${SKIPTEST} -eq 0 ]; then
# Check configuration file
LogText "Test: Searching for file ${INETD_CONFIG_FILE}"
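Review bot: gating INSE-8002 on `PackageIsInstalled "inetd"` changes its behaviour on distributions where the daemon ships under another package name (Debian and Ubuntu use `openbsd-inetd` and `inetutils-inetd`): INETD_PACKAGE_INSTALLED stays 0, PREQS_MET becomes NO, and the process check that previously ran unconditionally is skipped even while inetd is running. Either iterate over the known package names, as INSE-8300 does with `PACKAGES="rsh rsh-client rsh-redone-client"`, or keep INSE-8002 independent of the package test and let INETD_ACTIVE drive the later tests.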
@ -73,16 +96,16 @@
if [ ${INETD_ACTIVE} -eq 0 -a -f ${INETD_CONFIG_FILE} ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no INSE-8006 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check configuration of inetd when disabled"
if [ ${SKIPTEST} -eq 0 ]; then
# Check if any service is enabled in /etc/inetd.conf (inetd is not active, see test 8002)
LogText "Test: check if all services are disabled if inetd is disabled"
# Check if any service is enabled in /etc/inetd.conf (inetd is not active, see test INSE-8002)
LogText "Test: check if all services are disabled when inetd is disabled"
FIND=$(${GREPBINARY} -v "^#" ${INETD_CONFIG_FILE} | ${GREPBINARY} -v "^$")
if [ -z "${FIND}" ]; then
LogText "Result: no services found in ${INETD_CONFIG_FILE}"
Display --indent 4 --text "- Checking inetd.conf services" --result "${STATUS_OK}" --color GREEN
Display --indent 4 --text "- Checking enabled inetd services" --result "${STATUS_OK}" --color GREEN
else
LogText "Result: found services in inetd, even though inetd is not running"
Display --indent 4 --text "- Checking inetd.conf services" --result "${STATUS_SUGGESTION}" --color YELLOW
ReportSuggestion ${TEST_NO} "Although inetd is not running, make sure no services are enabled in ${INETD_CONFIG_FILE}, or remove inetd service"
Display --indent 4 --text "- Checking enabled inetd services" --result "${STATUS_SUGGESTION}" --color YELLOW
ReportSuggestion "${TEST_NO}" "Although inetd is not running, make sure no services are enabled in ${INETD_CONFIG_FILE}, or remove inetd service"
fi
fi
#
@ -95,7 +118,7 @@
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: checking telnet presence in inetd configuration"
FIND=$(${GREPBINARY} "^telnet" ${INETD_CONFIG_FILE})
if [ "${FIND}" = "" ]; then
if [ -z "${FIND}" ]; then
LogText "Result: telnet not enabled in ${INETD_CONFIG_FILE}"
Display --indent 2 --text "- Checking inetd (telnet)" --result "${STATUS_NOT_FOUND}" --color GREEN
AddHP 3 3
@ -109,19 +132,379 @@
#
#################################################################################
#
if [ ! -z "${LAUNCHCTL_BINARY}" ]; then PREQS_MET="YES"; SKIPREASON=""; else PREQS_MET="NO"; SKIPREASON="No launchctl binary on this system"; fi
# Test : INSE-8100
# Description : Check for installed xinetd daemon
Register --test-no INSE-8100 --package-manager-required --weight L --network NO --category security --description "Check for installed xinetd daemon"
if [ ${SKIPTEST} -eq 0 ]; then
# Check for installed xinetd daemon
LogText "Test: Checking for installed xinetd daemon"
if PackageIsInstalled "xinetd"; then
LogText "Result: xinetd is installed"
Display --indent 2 --text "- Installed xinetd package" --result "${STATUS_FOUND}" --color YELLOW
ReportSuggestion "${TEST_NO}" "If there are no xinetd services required, it is recommended that the daemon be removed"
else
LogText "Result: xinetd is NOT installed"
Display --indent 2 --text "- Installed xinetd package" --result "${STATUS_OK}" --color GREEN
fi
fi
#
#################################################################################
#
# Test : INSE-8102
# Description : Check for xinetd status
Register --test-no INSE-8102 --weight L --network NO --category security --description "Check for active xinet daemon"
if [ ${SKIPTEST} -eq 0 ]; then
# Check running processes
LogText "Test: Searching for active extended internet services daemon (xinetd)"
if IsRunning "xinetd"; then
LogText "Result: xinetd is running"
Display --indent 4 --text "- xinetd status" --result "ACTIVE" --color GREEN
XINETD_ACTIVE=1
else
LogText "Result: xinetd is NOT running"
Display --indent 4 --text "- xinetd status" --result "NOT ACTIVE" --color GREEN
fi
fi
#
#################################################################################
#
# Test : INSE-8104
# Description : Check for xinetd configuration file
if [ ${XINETD_ACTIVE} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no INSE-8104 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for enabled xinet daemon"
if [ ${SKIPTEST} -eq 0 ]; then
# Check configuration file
LogText "Test: Searching for file ${XINETD_CONFIG_FILE}"
if [ -f "${XINETD_CONFIG_FILE}" ]; then
LogText "Result: ${XINETD_CONFIG_FILE} exists"
Display --indent 6 --text "- Configuration file (xinetd.conf)" --result "${STATUS_FOUND}" --color WHITE
else
LogText "Result: ${XINETD_CONFIG_FILE} does not exist"
Display --indent 6 --text "- Configuration file (xinetd.conf)" --result "${STATUS_NOT_FOUND}" --color WHITE
fi
fi
#
#################################################################################
#
# Test : INSE-8106
# Description : Check for xinetd configuration file contents if xinetd is NOT active
if [ ${XINETD_ACTIVE} -eq 0 -a -f ${XINETD_CONFIG_FILE} ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no INSE-8106 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check configuration of xinetd when disabled"
if [ ${SKIPTEST} -eq 0 ]; then
# Check if any service is enabled in /etc/xinetd.d (xinetd is not active, see test INSE-8102)
LogText "Test: check if all services are disabled if xinetd is disabled"
FIND=$(${GREPBINARY} -r "disable\s*=\s*no" ${XINETD_CONFIG_DIR})
if [ -z "${FIND}" ]; then
LogText "Result: no services found in ${XINETD_CONFIG_DIR}"
Display --indent 6 --text "- Enabled xinetd.d services" --result "${STATUS_NOT_FOUND}" --color GREEN
else
LogText "Result: found services in ${XINETD_CONFIG_DIR}, even though xinetd is not running"
Display --indent 6 --text "- Enabled xinetd.d services" --result "${STATUS_FOUND}" --color YELLOW
ReportSuggestion "${TEST_NO}" "Although xinetd is not running, make sure no services are enabled in ${XINETD_CONFIG_DIR}, or remove xinetd service"
fi
fi
#
#################################################################################
#
# Test : INSE-8116
# Description : Check for insecure services enabled via xinetd
if [ ${XINETD_ACTIVE} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no INSE-8116 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Insecure services enabled via xinetd"
if [ ${SKIPTEST} -eq 0 ]; then
XINETD_INSECURE_SERVICE_FOUND=0
ITEMS="chargen chargen-dgram chargen-stream daytime daytime-dgram daytime-stream discard discard-dgram discard-stream echo echo-dgram echo-stream time time-dgram time-stream ntalk rexec rlogin rsh rsync talk telnet tftp"
for SERVICE in ${ITEMS}; do
LogText "Test: checking service ${SERVICE}"
if ! SkipAtomicTest "${TEST_NO}:${SERVICE}"; then
FILE="${XINETD_CONFIG_DIR}/${SERVICE}"
if [ -f "${FILE}" ]; then
LogText "Test: checking status in xinetd configuration file (${FILE})"
FIND=$(${GREPBINARY} "disable\s*=\s*no" ${FILE})
if [ -n "${FIND}" ]; then
LogText "Result: found insecure service enabled: ${SERVICE}"
XINETD_INSECURE_SERVICE_FOUND=1
ReportSuggestion "${TEST_NO}" "Disable or remove any insecure services in the xinetd configuration" "${SERVICE}" "text:See log file for more details"
Report "insecure_service[]=${SERVICE}"
fi
fi
else
LogText "Result: skipped, as this item is excluded using the profile"
fi
done
if [ ${XINETD_INSECURE_SERVICE_FOUND} -eq 0 ]; then
LogText "Result: no insecure services found in xinetd configuration"
Display --indent 6 --text "- Checking xinetd (insecure services)" --result "${STATUS_OK}" --color GREEN
AddHP 3 3
else
LogText "Result: one ore more insecure services discovered in xinetd configuration"
Display --indent 6 --text "- Checking xinetd (insecure services)" --result "${STATUS_WARNING}" --color RED
AddHP 0 3
fi
fi
#
#################################################################################
#
# Test : INSE-8200
# Description : Check if tcp_wrappers is installed when inetd/xinetd is active
if [ ${INETD_ACTIVE} -eq 1 -o ${XINETD_ACTIVE} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no INSE-8200 --package-manager-required --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check if tcp_wrappers is installed when inetd/xinetd is active"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking if tcp_wrappers is installed"
FOUND=0
PACKAGES="tcp_wrappers tcpd"
for PACKAGE in ${PACKAGES}; do
if PackageIsInstalled "${PACKAGE}"; then LogText "Package '${PACKAGE}' is installed"; FOUND=1; fi
done
if [ ${FOUND} -eq 1 ]; then
LogText "Result: tcp_wrappers is installed"
Display --indent 2 --text "- Checking tcp_wrappers installation" --result "${STATUS_OK}" --color GREEN
else
LogText "Result: tcp_wrappers is NOT installed"
Display --indent 2 --text "- Checking tcp_wrappers installation" --result "${STATUS_SUGGESTION}" --color YELLOW
#ReportSuggestion "${TEST_NO}" "When network services are using the inetd/xinetd service, the tcp_wrappers package should be installed"
fi
fi
#
#################################################################################
#
# Test : INSE-8300
# Description : Check if rsh client is installed
Register --test-no INSE-8300 --package-manager-required --weight L --network NO --category security --description "Check if rsh client is installed"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking if rsh client is installed"
FOUND=0
PACKAGES="rsh rsh-client rsh-redone-client"
for PACKAGE in ${PACKAGES}; do
if PackageIsInstalled "${PACKAGE}"; then LogText "Package '${PACKAGE}' is installed"; FOUND=1; fi
done
if [ ${FOUND} -eq 1 ]; then
LogText "Result: rsh client is installed"
Display --indent 2 --text "- Installed rsh client package" --result "${STATUS_SUGGESTION}" --color YELLOW
ReportSuggestion "${TEST_NO}" "Remove rsh client when it is not in use or replace with the more secure SSH package"
else
LogText "Result: rsh client is NOT installed"
Display --indent 2 --text "- Installed rsh client package" --result "${STATUS_OK}" --color GREEN
fi
fi
#
#################################################################################
#
# Test : INSE-8302
# Description : Check presence of rsh Trust Files
#Register --test-no INSE-8302 --weight L --network NO --category security --description "Check presence of rsh Trust Files"
#if [ ${SKIPTEST} -eq 0 ]; then
# # Check presence of Rsh Trust Files
# FOUND=0
# for LINE in $(${CAT_BINARY} /etc/passwd | ${EGREPBINARY} -v '^(root|halt|sync|shutdown)' | ${AWKBINARY} -F: '($7 !="/sbin/nologin" && $7 != "/bin/false") { print }'); do
# USER=$(echo ${LINE} | ${CUTBINARY} -d: -f1)
# DIR=$(echo ${LINE} | ${CUTBINARY} -d: -f6)
# if [ -d ${DIR} ]; then
# for RHOSTS in ${DIR}/.rhosts; do
# if [ ! -h ${RHOSTS} -a -f ${RHOSTS} ]; then
# LogText "FOUND .rhosts file in home directory ${DIR} of ${USER}"
# FOUND=1
# fi
# done
# fi
# done
# if [ -f /etc/hosts.equiv ];then
# LogText "FOUND /etc/hosts.equiv"
# FOUND=1
# fi
# if [ ${FOUND} -eq 1 ]; then
# LogText "Result: found one or more Rsh Trust Files"
# Display --indent 4 --text "- Checking presence of Rsh Trust Files" --result "${STATUS_SUGGESTION}" --color YELLOW
# ReportSuggestion "${TEST_NO}" "Remove every Rsh Trust Files as they can allow unauthenticated access to a system"
# else
# LogText "Result: no Rsh Trust Files found"
# Display --indent 4 --text "- Checking presence of Rsh Trust Files" --result "${STATUS_OK}" --color GREEN
# fi
#fi
#
#################################################################################
#
# Test : INSE-8304
# Description : Check if rsh server is installed
Register --test-no INSE-8304 --package-manager-required --weight L --network NO --category security --description "Check if rsh server is installed"
if [ ${SKIPTEST} -eq 0 ]; then
# Check if rsh server is installed
LogText "Test: Checking if rsh server is installed"
FOUND=0
PACKAGES="rsh-server rsh-redone-server"
for PACKAGE in ${PACKAGES}; do
if PackageIsInstalled "${PACKAGE}"; then LogText "Package '${PACKAGE}' is installed"; FOUND=1; fi
done
if [ ${FOUND} -eq 1 ]; then
LogText "Result: rsh server is installed"
Display --indent 2 --text "- Installed rsh server package" --result "${STATUS_SUGGESTION}" --color YELLOW
ReportSuggestion "${TEST_NO}" "Remove the rsh-server package and replace with a more secure alternative like SSH"
Report "insecure_service[]=rsh-server"
else
LogText "Result: rsh server is NOT installed"
Display --indent 2 --text "- Installed rsh server package" --result "${STATUS_OK}" --color GREEN
fi
fi
#
#################################################################################
#
# Test : INSE-8310
# Description : Check if telnet client is installed
Register --test-no INSE-8310 --package-manager-required --weight L --network NO --category security --description "Check if telnet client is installed"
if [ ${SKIPTEST} -eq 0 ]; then
# Check if telnet client is installed
LogText "Test: Checking if telnet client is installed"
if PackageIsInstalled "${PACKAGE}"; then LogText "Package '${PACKAGE}' is installed"; FOUND=1; fi
if [ ${FOUND} -eq 1 ]; then
LogText "Result: telnet client is installed"
Display --indent 2 --text "- Installed telnet client package" --result "${STATUS_FOUND}" --color YELLOW
# Telnet client usage might be used for troubleshooting instead of system administration
#ReportSuggestion "${TEST_NO}" "telnet client contain numerous security exposures and have been replaced with the more secure SSH package"
else
LogText "Result: telnet client is NOT installed"
Display --indent 2 --text "- Installed telnet client package" --result "${STATUS_OK}" --color GREEN
fi
fi
#
#################################################################################
#
# Test : INSE-8312
# Description : Check if telnet server is installed
Register --test-no INSE-8322 --package-manager-required --weight L --network NO --category security --description "Check if telnet server is installed"
if [ ${SKIPTEST} -eq 0 ]; then
# Check if TFTP server is installed
LogText "Test: Checking if telnet server is installed"
FOUND=0
PACKAGES="telnetd telnet-server"
for PACKAGE in ${PACKAGES}; do
if PackageIsInstalled "${PACKAGE}"; then LogText "Package '${PACKAGE}' is installed"; FOUND=1; fi
done
if [ ${FOUND} -eq 1 ]; then
LogText "Result: telnet server is installed"
Display --indent 2 --text "- Installed telnet server package" --result "${STATUS_FOUND}" --color YELLOW
ReportSuggestion "${TEST_NO}" "Removing the telnet server package and replace with SSH when possible"
Report "insecure_service[]=telnet-server"
else
LogText "Result: telnet server is NOT installed"
Display --indent 2 --text "- Installed telnet server package" --result "${STATUS_NOT_FOUND}" --color GREEN
fi
fi
#
#################################################################################
#
# Test : INSE-8314
# Description : Check if NIS client is installed
Register --test-no INSE-8314 --package-manager-required --weight L --network NO --category security --description "Check if NIS client is installed"
if [ ${SKIPTEST} -eq 0 ]; then
FOUND=""
LogText "Test: Checking if NIS client is installed"
PACKAGES="nis ypbind"
for PACKAGE in ${PACKAGES}; do
if PackageIsInstalled "${PACKAGE}"; then
FOUND="${PACKAGE}"
fi
done
if [ -n "${FOUND}" ]; then
LogText "Result: NIS client is installed"
Display --indent 2 --text "- Checking NIS client installation" --result "${STATUS_SUGGESTION}" --color YELLOW
ReportSuggestion "${TEST_NO}" "NIS client should be removed if not required. Use a more secure alternative or a protocol that can use encrypted communications."
else
LogText "Result: NIS client is NOT installed"
Display --indent 2 --text "- Checking NIS client installation" --result "${STATUS_OK}" --color GREEN
fi
fi
#
#################################################################################
#
# Test : INSE-8316
# Description : Check if NIS server is installed
Register --test-no INSE-8316 --package-manager-required --weight L --network NO --category security --description "Check if NIS server is installed"
if [ ${SKIPTEST} -eq 0 ]; then
FOUND=""
LogText "Test: Checking if NIS server is installed"
PACKAGES="nis ypserv"
for PACKAGE in ${PACKAGES}; do
if PackageIsInstalled "${PACKAGE}"; then
FOUND="${PACKAGE}"
fi
done
if [ -n "${FOUND}" ]; then
LogText "Result: NIS server is installed"
Display --indent 2 --text "- Checking NIS server installation" --result "${STATUS_SUGGESTION}" --color YELLOW
ReportSuggestion "${TEST_NO}" "Removing the ${FOUND} package decreases the risk of the accidental (or intentional) activation of NIS or NIS+ services"
else
LogText "Result: NIS server is NOT installed"
Display --indent 2 --text "- Checking NIS server installation" --result "${STATUS_OK}" --color GREEN
fi
fi
#
#################################################################################
#
# Test : INSE-8318
# Description : Check if TFTP client is installed
Register --test-no INSE-8318 --package-manager-required --weight L --network NO --category security --description "Check if TFTP client is installed"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking if TFTP client is installed"
FOUND=""
PACKAGES="atftp tftp tftp-hpa"
for PACKAGE in ${PACKAGES}; do
if PackageIsInstalled "${PACKAGE}"; then
FOUND="${PACKAGE}"
fi
done
if [ -n "${FOUND}" ]; then
LogText "Result: TFTP client is installed"
Display --indent 2 --text "- Checking TFTP client installation" --result "${STATUS_SUGGESTION}" --color YELLOW
ReportSuggestion "${TEST_NO}" "It is recommended that TFTP be removed, unless there is a specific need for TFTP (such as a boot server)"
else
LogText "Result: TFTP client is NOT installed"
Display --indent 2 --text "- Checking TFTP client installation" --result "${STATUS_OK}" --color GREEN
fi
fi
#
#################################################################################
#
# Test : INSE-8320
# Description : Check if TFTP server is installed
Register --test-no INSE-8320 --package-manager-required --weight L --network NO --category security --description "Check if TFTP server is installed"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking if TFTP server is installed"
FOUND=""
PACKAGES="atftpd tftpd tftp-server tftpd-hpa"
for PACKAGE in ${PACKAGES}; do
if PackageIsInstalled "${PACKAGE}"; then
FOUND="${PACKAGE}"
fi
done
if [ -n "${FOUND}" ]; then
LogText "Result: TFTP server is installed"
Display --indent 2 --text "- Checking TFTP server installation" --result "${STATUS_SUGGESTION}" --color YELLOW
ReportSuggestion "${TEST_NO}" "Removing the ${FOUND} package decreases the risk of the accidental (or intentional) activation of tftp services"
else
LogText "Result: TFTP server is NOT installed"
Display --indent 2 --text "- Checking TFTP server installation" --result "${STATUS_OK}" --color GREEN
fi
fi
#
#################################################################################
#
if [ -n "${LAUNCHCTL_BINARY}" ]; then PREQS_MET="YES"; SKIPREASON=""; else PREQS_MET="NO"; SKIPREASON="No launchctl binary on this system"; fi
Register --test-no INSE-8050 --os "macOS" --preqs-met ${PREQS_MET} --skip-reason "${SKIPREASON}" --weight M --network NO --category security --description "Check for insecure services on macOS"
if [ ${SKIPTEST} -eq 0 ]; then
TEST_SERVICES="com.apple.fingerd"
TEST_SERVICES="com.apple.fingerd com.apple.ftp-proxy"
for ITEM in ${TEST_SERVICES}; do
if ${LAUNCHCTL_BINARY} print-enabled system | grep -sq ${ITEM}; then
Display --indent 2 --text "- $text" --result "${STATUS_NO}" --color RED
if ${LAUNCHCTL_BINARY} list | ${GREPBINARY} -sq ${ITEM}; then
Display --indent 2 --text "- ${ITEM}" --result "${STATUS_NO}" --color RED
LogText "Result: found ${ITEM}, which is considered an insecure service"
AddSuggestion "${TEST_NO}" "Consider disabling service ${ITEM}" "launchctl" "-"
ReportSuggestion "${TEST_NO}" "Consider disabling service ${ITEM}" "launchctl" "-"
AddHP 0 1
else
Display --indent 2 --text "- $text" --result "${STATUS_OK}" --color GREEN
LogText "Result: $text, OK"
Display --indent 2 --text "- ${ITEM}" --result "${STATUS_OK}" --color GREEN
LogText "Result: did not find ${ITEM}, which is fine"
AddHP 1 1
fi
done
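Review bot: INSE-8310 (telnet client) is missing its loop and initialisation: the single `if PackageIsInstalled "${PACKAGE}"; then ...` line runs once with whatever ${PACKAGE} and ${FOUND} were left behind by INSE-8304, so the telnet result is really a repeat of the rsh-server result. Mirror the neighbouring tests: set `FOUND=0`, define a `PACKAGES=` list of the telnet client package names, and wrap the check in `for PACKAGE in ${PACKAGES}; do ... done`. Two related slips in the same block: the telnet server test is registered as `--test-no INSE-8322` while its header says INSE-8312, so its suggestions and any profile skip rules will be filed under the wrong ID, and its inline comment still reads "Check if TFTP server is installed". Minor text fixes while here: "one ore more insecure services" in INSE-8116, "Removing the telnet server package and replace with SSH" in the INSE-8312 suggestion, and the `"disable\s*=\s*no"` pattern in INSE-8116 relies on the GNU `\s` extension; `"disable[[:space:]]*=[[:space:]]*no"` is the portable spelling.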
@ -130,9 +513,6 @@
#################################################################################
#
# To do:
# - mark in report when a system was tested for any insecure services
WaitForKeyPress
#


@ -6,7 +6,7 @@
# ------------------
#
# Copyright 2007-2013, Michael Boelen
# Copyright 2007-2019, CISOfy
# Copyright 2007-2020, CISOfy
#
# Website : https://cisofy.com
# Blog : http://linux-audit.com
@ -26,11 +26,12 @@
#
#################################################################################
#
CORE_DUMPS_DISABLED=0
CPU_PAE=0
CPU_NX=0
LINUXCONFIGFILE=""
LINUXCONFIGFILE_ZIPPED=0
LIMITS_DIRECTORY="${ROOTDIR}etc/security/limits.d"
APT_ARCHIVE_DIRECTORY="${ROOTDIR}var/cache/apt/archives"
#
#################################################################################
#
@ -48,7 +49,7 @@
LogText "Exception: can't find the target of the symlink of /etc/systemd/system/default.target"
ReportException "${TEST_NO}:01"
else
FIND2=$(echo ${FIND} | ${EGREPBINARY} "runlevel5|graphical")
FIND2=$(${ECHOCMD} ${FIND} | ${EGREPBINARY} "runlevel5|graphical")
if HasData "${FIND2}"; then
LogText "Result: Found match on runlevel5/graphical"
Display --indent 2 --text "- Checking default runlevel" --result "runlevel 5" --color GREEN
@ -102,8 +103,7 @@
# Description : Check CPU options and support (PAE, No eXecute, eXecute Disable)
# More info : pae and nx bit are both visible on AMD and Intel CPU's if supported
if [ "${HARDWARE}" = "x86_64" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no KRNL-5677 --preqs-met "${PREQS_MET}" --os Linux --weight L --network NO --category security --description "Check CPU options and support"
Register --test-no KRNL-5677 --platform x86_64 --os Linux --weight L --network NO --category security --description "Check CPU options and support"
if [ ${SKIPTEST} -eq 0 ]; then
Display --indent 2 --text "- Checking CPU support (NX/PAE)"
LogText "Test: Checking /proc/cpuinfo"
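Review bot: once the Register call switches from `--preqs-met "${PREQS_MET}"` to `--platform x86_64`, the `if [ "${HARDWARE}" = "x86_64" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi` line above it has no consumer any more and only leaves a stale PREQS_MET behind for a later test to pick up; if it is not already dropped in this hunk, remove it in the same change.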
@ -144,7 +144,7 @@
Display --indent 4 --text "CPU support: PAE and/or NoeXecute supported" --result "${STATUS_FOUND}" --color GREEN
else
Display --indent 4 --text "CPU support: No PAE or NoeXecute supported" --result "${STATUS_NONE}" --color YELLOW
ReportSuggestion ${TEST_NO} "Use a PAE enabled kernel when possible to gain native No eXecute/eXecute Disable support"
ReportSuggestion "${TEST_NO}" "Use a PAE enabled kernel when possible to gain native No eXecute/eXecute Disable support"
fi
else
Display --indent 4 --text "CPU support: no /proc/cpuinfo" --result "${STATUS_SKIPPED}" --color YELLOW
@ -182,7 +182,7 @@
# Description : Check if Linux is build as a monolithic kernel or not
Register --test-no KRNL-5723 --os Linux --weight L --network NO --category security --description "Determining if Linux kernel is monolithic"
if [ ${SKIPTEST} -eq 0 ]; then
if [ ! -z "${LSMODBINARY}" -a -f /proc/modules ]; then
if [ -n "${LSMODBINARY}" -a -f /proc/modules ]; then
LogText "Test: checking if kernel is monolithic or modular"
# Checking if any modules are loaded
FIND=$(${LSMODBINARY} | ${GREPBINARY} -v "^Module" | wc -l | ${TRBINARY} -s ' ' | ${TRBINARY} -d ' ')
@ -207,7 +207,7 @@
# Description : Checking Linux loaded kernel modules
Register --test-no KRNL-5726 --os Linux --weight L --network NO --category security --description "Checking Linux loaded kernel modules"
if [ ${SKIPTEST} -eq 0 ]; then
if [ ! -z "${LSMODBINARY}" -a -f /proc/modules ]; then
if [ -n "${LSMODBINARY}" -a -f /proc/modules ]; then
FIND=$(${LSMODBINARY} | ${AWKBINARY} '{ if ($1!="Module") print $1 }' | sort)
Display --indent 2 --text "- Checking loaded kernel modules" --result "${STATUS_DONE}" --color GREEN
if HasData "${FIND}"; then
@ -234,18 +234,19 @@
# Description : Checking for available Linux kernel configuration file in /boot
Register --test-no KRNL-5728 --os Linux --weight L --network NO --category security --description "Checking Linux kernel config"
if [ ${SKIPTEST} -eq 0 ]; then
CHECKFILE="/boot/config-$(uname -r)"
CHECKFILE="${ROOTDIR}boot/config-$(uname -r)"
CHECKFILE_ZIPPED="${ROOTDIR}proc/config.gz"
if [ -f ${CHECKFILE} ]; then
LINUXCONFIGFILE="${CHECKFILE}"
LogText "Result: found config (${LINUXCONFIGFILE})"
Display --indent 2 --text "- Checking Linux kernel configuration file" --result "${STATUS_FOUND}" --color GREEN
elif [ -f /proc/config.gz ]; then
LINUXCONFIGFILE="${CHECKFILE}"
elif [ -f ${CHECKFILE_ZIPPED} ]; then
LINUXCONFIGFILE="${CHECKFILE_ZIPPED}"
LINUXCONFIGFILE_ZIPPED=1
LogText "Result: found config: /proc/config.gz (compressed)"
LogText "Result: found config: ${ROOTDIR}proc/config.gz (compressed)"
Display --indent 2 --text "- Checking Linux kernel configuration file" --result "${STATUS_FOUND}" --color GREEN
else
LogText "Result: no Linux kernel configuration file found in /boot"
LogText "Result: no Linux kernel configuration file found in ${ROOTDIR}boot"
Display --indent 2 --text "- Checking Linux kernel configuration file" --result "${STATUS_NOT_FOUND}" --color WHITE
fi
if HasData "${LINUXCONFIGFILE}"; then
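Review bot: the LogText on the compressed branch hardcodes `${ROOTDIR}proc/config.gz` while the test itself uses `${CHECKFILE_ZIPPED}`; log `${LINUXCONFIGFILE}` instead so the message cannot drift from the path that was actually checked. The two `[ -f ${CHECKFILE} ]` / `[ -f ${CHECKFILE_ZIPPED} ]` tests should also quote their variables, as the rest of this change does.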
@ -266,15 +267,15 @@
Register --test-no KRNL-5730 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking disk I/O kernel scheduler"
if [ ${SKIPTEST} -eq 0 ]; then
if [ ${LINUXCONFIGFILE_ZIPPED} -eq 1 ]; then GREPTOOL="${ZGREPBINARY}"; else GREPTOOL="${GREPBINARY}"; fi
if [ ! "${GREPTOOL}" = "" ]; then
if [ -n "${GREPTOOL}" ]; then
LogText "Test: Checking the default I/O kernel scheduler"
LINUX_KERNEL_IOSCHED=$(${GREPTOOL} "CONFIG_DEFAULT_IOSCHED" ${LINUXCONFIGFILE} | ${AWKBINARY} -F= '{ print $2 }' | ${SEDBINARY} s/\"//g)
if [ ! "${LINUX_KERNEL_IOSCHED}" = "" ]; then
if [ -n "${LINUX_KERNEL_IOSCHED}" ]; then
LogText "Result: found IO scheduler '${LINUX_KERNEL_IOSCHED}'"
Display --indent 2 --text "- Checking default I/O kernel scheduler" --result "${STATUS_FOUND}" --color GREEN
Report "linux_kernel_io_scheduler[]=${LINUX_KERNEL_IOSCHED}"
else
LogText "Result: no default i/o kernel scheduler found"
LogText "Result: no default I/O kernel scheduler found"
Display --indent 2 --text "- Checking default I/O kernel scheduler" --result "${STATUS_NOT_FOUND}" --color WHITE
fi
else
@ -322,8 +323,8 @@
LogText "Test: Active kernel modules (KLDs)"
LogText "Description: View all active kernel modules (including kernel)"
LogText "Test: Checking modules"
if [ -f ${ROOTDIR}sbin/kldstat ]; then
FIND=$(${ROOTDIR}sbin/kldstat | ${GREPBINARY} -v 'Name' | ${TRBINARY} -s ' ' | ${CUTBINARY} -d ' ' -f6)
if [ -x /sbin/kldstat ]; then
FIND=$(/sbin/kldstat | ${GREPBINARY} -v 'Name' | ${TRBINARY} -s ' ' | ${CUTBINARY} -d ' ' -f6)
if [ $? -eq 0 ]; then
LogText "Loaded modules according kldstat:"
COUNT=0
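Review bot: this hunk replaces `${ROOTDIR}sbin/kldstat` with a hardcoded `/sbin/kldstat`, the opposite direction from the rest of the commit, which is moving paths under ${ROOTDIR}. If the reason is that kldstat has to be executed on the running host (a binary under an offline root cannot be run, hence the `-f` to `-x` switch), add a one-line comment saying so; otherwise keep the `${ROOTDIR}` prefix and only change the test to `-x`.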
@ -339,7 +340,7 @@
fi
else
echo "[ ${WHITE}SKIPPED${NORMAL} ]"
LogText "Result: no results, can NOT find ${ROOTDIR}sbin/kldstat"
LogText "Result: no results, can NOT find /sbin/kldstat"
fi
fi
#
@ -374,10 +375,17 @@
LogText "Test: Searching apt-cache, to determine if a newer kernel is available"
if [ -x ${ROOTDIR}usr/bin/apt-cache ]; then
LogText "Result: found ${ROOTDIR}usr/bin/apt-cache"
LogText "Test: checking readlink location of ${ROOTDIR}vmlinuz"
if [ -f ${ROOTDIR}vmlinuz ]; then
LogText "Test: checking presence of ${ROOTDIR}vmlinuz or ${ROOTDIR}boot/vmlinuz"
if [ -f ${ROOTDIR}vmlinuz -o -f ${ROOTDIR}boot/vmlinuz ]; then
HAS_VMLINUZ=1
FINDKERNFILE=$(readlink -f ${ROOTDIR}vmlinuz)
if [ -f ${ROOTDIR}vmlinuz ]; then
FINDVMLINUZ=${ROOTDIR}vmlinuz
else
FINDVMLINUZ=${ROOTDIR}boot/vmlinuz
fi
LogText "Result: found ${FINDVMLINUZ}"
LogText "Test: checking readlink location of ${FINDVMLINUZ}"
FINDKERNFILE=$(readlink -f ${FINDVMLINUZ})
LogText "Output: readlink reported file ${FINDKERNFILE}"
LogText "Test: checking package from dpkg -S"
FINDKERNEL=$(dpkg -S ${FINDKERNFILE} 2> /dev/null | ${AWKBINARY} -F : '{print $1}')
@ -385,9 +393,15 @@
elif [ -e ${ROOTDIR}dev/grsec ]; then
FINDKERNEL=linux-image-$(uname -r)
LogText "Result: ${ROOTDIR}vmlinuz missing due to grsecurity; assuming ${FINDKERNEL}"
elif [ -e ${ROOTDIR}etc/rpi-issue ]; then
FINDKERNEL=raspberrypi-kernel
LogText "Result: ${ROOTDIR}vmlinuz missing due to Raspbian"
elif `${EGREPBINARY} -q 'do_symlinks.*=.*No' ${ROOTDIR}etc/kernel-img.conf`; then
FINDKERNEL=linux-image-$(uname -r)
LogText "Result: ${ROOTDIR}vmlinuz missing due to /etc/kernel-img.conf item do_symlinks = No"
else
LogText "This system is missing ${ROOTDIR}vmlinuz. Unable to check whether kernel is up-to-date."
ReportSuggestion ${TEST_NO} "Determine why ${ROOTDIR}vmlinuz is missing on this Debian/Ubuntu system." "/vmlinuz"
LogText "This system is missing ${ROOTDIR}vmlinuz or ${ROOTDIR}boot/vmlinuz. Unable to check whether kernel is up-to-date."
ReportSuggestion "${TEST_NO}" "Determine why ${ROOTDIR}vmlinuz or ${ROOTDIR}boot/vmlinuz is missing on this Debian/Ubuntu system." "/vmlinuz or /boot/vmlinuz"
fi
LogText "Test: Using apt-cache policy to determine if there is an update available"
FINDINST=$(apt-cache policy ${FINDKERNEL} | ${EGREPBINARY} 'Installed' | ${CUTBINARY} -d ':' -f2 | ${TRBINARY} -d ' ')
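Review bot: the new condition `elif \`${EGREPBINARY} -q 'do_symlinks.*=.*No' ${ROOTDIR}etc/kernel-img.conf\`; then` wraps the test in backticks, so the shell executes egrep's (empty) output as the command and the branch only works because bash falls back to the substitution's exit status; write it as `elif ${EGREPBINARY} -q 'do_symlinks.*=.*No' "${ROOTDIR}etc/kernel-img.conf" 2> /dev/null; then` so it is portable and stays silent when kernel-img.conf is absent, which is the usual case given that the grsecurity and Raspbian branches above it do not guarantee the file exists. The LogText for that branch also hardcodes `/etc/kernel-img.conf`; use `${ROOTDIR}etc/kernel-img.conf` like the surrounding messages.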
@ -399,7 +413,7 @@
LogText "Result: Exception occurred, no output from apt-cache policy"
if [ ${HAS_VMLINUZ} -eq 1 ]; then
ReportException "${TEST_NO}:01"
ReportSuggestion ${TEST_NO} "Check the output of apt-cache policy to determine why its output is empty"
ReportSuggestion "${TEST_NO}" "Check the output of apt-cache policy to determine why its output is empty"
fi
LogText "Result: apt-cache policy did not return an installed kernel version"
else
@ -415,7 +429,7 @@
else
Display --indent 2 --text "- Checking for available kernel update" --result "UPDATE AVAILABLE" --color YELLOW
LogText "Result: kernel update available according 'apt-cache policy'."
ReportSuggestion ${TEST_NO} "Determine priority for available kernel update"
ReportSuggestion "${TEST_NO}" "Determine priority for available kernel update"
fi
fi
else
@ -429,61 +443,167 @@
# Description : Checking core dumps configuration (Linux)
Register --test-no KRNL-5820 --os Linux --weight L --network NO --category security --description "Checking core dumps configuration"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking presence /etc/security/limits.conf"
if [ -f /etc/security/limits.conf ]; then
LogText "Result: file /etc/security/limits.conf exists"
LogText "Test: Checking if core dumps are disabled in /etc/security/limits.conf"
FIND1=$(${GREPBINARY} -v "^#" /etc/security/limits.conf | ${GREPBINARY} -v "^$" | ${AWKBINARY} '{ if ($1=="*" && $2=="soft" && $3=="core" && $4=="1") { print "soft core enabled" } }')
FIND2=$(${GREPBINARY} -v "^#" /etc/security/limits.conf | ${GREPBINARY} -v "^$" | ${AWKBINARY} '{ if ($1=="*" && $2=="hard" && $3=="core" && $4=="1") { print "hard core enabled" } }')
if [ "${FIND1}" = "soft core enabled" -o "${FIND2}" = "hard core enabled" ]; then
LogText "Result: core dumps (soft or hard) are enabled"
Display --indent 2 --text "- Checking core dumps configuration" --result "${STATUS_ENABLED}" --color YELLOW
ReportSuggestion "${TEST_NO}" "Check if core dumps need to be enabled on this system"
AddHP 1 2
else
LogText "Result: core dumps (soft and hard) are both disabled"
Display --indent 2 --text "- Checking core dumps configuration" --result "${STATUS_DISABLED}" --color GREEN
CORE_DUMPS_DISABLED=1
AddHP 3 3
fi
# Sysctl option
LogText "Test: Checking sysctl value of fs.suid_dumpable"
FIND=$(${SYSCTLBINARY} fs.suid_dumpable 2> /dev/null | ${AWKBINARY} '{ if ($1=="fs.suid_dumpable") { print $3 } }')
if [ -z "${FIND}" ]; then
LogText "Result: sysctl key fs.suid_dumpable not found"
else
LogText "Result: value ${FIND} found"
fi
if [ "${FIND}" = "2" ]; then
LogText "Result: programs can dump core dump, but only readable by root (value 2, for debugging with file protection)"
Display --indent 4 --text "- Checking setuid core dumps configuration" --result PROTECTED --color GREEN
Display --indent 2 --text "- Checking core dumps configuration"
LogText "Test: Checking presence of systemd"
# systemd option
if [ $HAS_SYSTEMD -eq 1 ]; then
LogText "Result: systemd is present on this system"
LogText "Test: Checking if core dumps are disabled in ${ROOTDIR}etc/systemd/coredump.conf and ${ROOTDIR}etc/systemd/coredump.conf.d/*.conf"
# check likely main config file for systemd: ${ROOTDIR}etc/systemd/coredump.conf for ProcessSizeMax=0 and Storage=none
SYSD_CORED_BASE_PROCSIZEMAX_NR_DISABLED=$(${GREPBINARY} -v "^ *#" ${ROOTDIR}etc/systemd/coredump.conf 2> /dev/null | ${SEDBINARY} 's/^ *//g' | ${GREPBINARY} -i "^ProcessSizeMax=" | ${CUTBINARY} -d'=' -f2 | ${SEDBINARY} 's/ .*$//g ; s/\([A-Z][a-z]*\)*$//g' | ${GREPBINARY} "^0 *$" | ${WCBINARY} -l)
SYSD_CORED_BASE_PROCSIZEMAX_NR_ENABLED=$(${GREPBINARY} -v "^ *#" ${ROOTDIR}etc/systemd/coredump.conf 2> /dev/null | ${SEDBINARY} 's/^ *//g' | ${GREPBINARY} -i "^ProcessSizeMax=" | ${CUTBINARY} -d'=' -f2 | ${SEDBINARY} 's/ .*$//g ; s/\([A-Z][a-z]*\)*$//g' | ${GREPBINARY} -v "^0 *$" | ${WCBINARY} -l)
SYSD_CORED_BASE_STORAGE_FOUND=$(${GREPBINARY} -v "^ *#" ${ROOTDIR}etc/systemd/coredump.conf 2> /dev/null | ${SEDBINARY} 's/^ *//g' | ${GREPBINARY} -i "^Storage=" | ${CUTBINARY} -d'=' -f2 | ${SEDBINARY} 's/ .*$//g')
SYSD_CORED_BASE_STORAGE_NR_ENABLED=$(${ECHOCMD} "${SYSD_CORED_BASE_STORAGE_FOUND}" | ${SEDBINARY} 's/none//g' | ${WCBINARY} | ${AWKBINARY} '{print $2}')
SYSD_CORED_BASE_STORAGE_NR_DISABLED=$(${ECHOCMD} "${SYSD_CORED_BASE_STORAGE_FOUND}" | ${GREPBINARY} -o "none" | ${WCBINARY} | ${AWKBINARY} '{print $2}')
# check conf files in possibly existing coredump.conf.d folders
# using find instead of grep -r to stay POSIX compliant. On AIX and HPUX grep -r is not available.
# while there could be multiple files overwriting each other, we are checking the number of occurrences
SYSD_CORED_SUB_PROCSIZEMAX_NR_DISABLED=$(${FINDBINARY} /etc/systemd/coredump.conf.d/ /run/systemd/coredump.conf.d/ /usr/lib/systemd/coredump.conf.d/ -type f -iname "*.conf" -exec ${SEDBINARY} 's/^ *//g' {} \; 2> /dev/null | ${GREPBINARY} -i "^ProcessSizeMax=" | ${CUTBINARY} -d'=' -f2 | ${SEDBINARY} 's/ .*$//g ; s/\([A-Z][a-z]*\)*$//g' | ${GREPBINARY} "^0 *$" | ${WCBINARY} -l)
SYSD_CORED_SUB_PROCSIZEMAX_NR_ENABLED=$(${FINDBINARY} /etc/systemd/coredump.conf.d/ /run/systemd/coredump.conf.d/ /usr/lib/systemd/coredump.conf.d/ -type f -iname "*.conf" -exec ${SEDBINARY} 's/^ *//g' {} \; 2> /dev/null | ${GREPBINARY} -i "^ProcessSizeMax=" | ${CUTBINARY} -d'=' -f2 | ${SEDBINARY} 's/ .*$//g ; s/\([A-Z][a-z]*\)*$//g' | ${GREPBINARY} -v "^0 *$" | ${WCBINARY} -l)
SYSD_CORED_SUB_STORAGE_FOUND=$(${FINDBINARY} /etc/systemd/coredump.conf.d/ /run/systemd/coredump.conf.d/ /usr/lib/systemd/coredump.conf.d/ -type f -iname "*.conf" -exec ${SEDBINARY} 's/^ *//g' {} \; 2> /dev/null | ${GREPBINARY} -i "^Storage=" | ${CUTBINARY} -d'=' -f2 | ${SEDBINARY} 's/ .*$//g')
SYSD_CORED_SUB_STORAGE_NR_ENABLED=$(${ECHOCMD} "${SYSD_CORED_SUB_STORAGE_FOUND}" | ${SEDBINARY} 's/none//g' | ${WCBINARY} | ${AWKBINARY} '{print $2}')
SYSD_CORED_SUB_STORAGE_NR_DISABLED=$(${ECHOCMD} "${SYSD_CORED_SUB_STORAGE_FOUND}" | ${GREPBINARY} -o "none" | ${WCBINARY} | ${AWKBINARY} '{print $2}')
if ( [ ${SYSD_CORED_BASE_PROCSIZEMAX_NR_DISABLED} -ge 1 ] && [ ${SYSD_CORED_BASE_STORAGE_NR_DISABLED} -ge 1 ] && [ ${SYSD_CORED_SUB_PROCSIZEMAX_NR_ENABLED} -eq 0 ] && [ ${SYSD_CORED_SUB_STORAGE_NR_ENABLED} -eq 0 ] ) || \
( [ ${SYSD_CORED_BASE_PROCSIZEMAX_NR_DISABLED} -ge 1 ] && [ ${SYSD_CORED_SUB_STORAGE_NR_DISABLED} -ge 1 ] && [ ${SYSD_CORED_SUB_PROCSIZEMAX_NR_ENABLED} -eq 0 ] && [ ${SYSD_CORED_SUB_STORAGE_NR_ENABLED} -eq 0 ] ) || \
( [ ${SYSD_CORED_BASE_STORAGE_NR_DISABLED} -ge 1 ] && [ ${SYSD_CORED_SUB_PROCSIZEMAX_NR_DISABLED} -ge 1 ] && [ ${SYSD_CORED_SUB_PROCSIZEMAX_NR_ENABLED} -eq 0 ] && [ ${SYSD_CORED_SUB_STORAGE_NR_ENABLED} -eq 0 ] ) || \
( [ ${SYSD_CORED_SUB_PROCSIZEMAX_NR_DISABLED} -ge 1 ] && [ ${SYSD_CORED_SUB_STORAGE_NR_DISABLED} -ge 1 ] && [ ${SYSD_CORED_SUB_PROCSIZEMAX_NR_ENABLED} -eq 0 ] && [ ${SYSD_CORED_SUB_STORAGE_NR_ENABLED} -eq 0 ] ); then
LogText "Result: core dumps are disabled by 'ProcessSizeMax=0' and 'Storage=none' in systemd configuration files"
AddHP 1 1
elif [ "${FIND}" = "1" ]; then
LogText "Result: all programs can perform core dumps (value 1, for debugging)"
Display --indent 2 --text "- Checking setuid core dumps configuration" --result DEBUG --color YELLOW
ReportSuggestion "${TEST_NO}" "Determine if all binaries need to be able to core dump"
TMP_COLOR="GREEN"
if [ ${SYSD_CORED_BASE_PROCSIZEMAX_NR_DISABLED} -gt 1 ] || [ ${SYSD_CORED_BASE_STORAGE_NR_DISABLED} -gt 1 ] || [ ${SYSD_CORED_SUB_PROCSIZEMAX_NR_DISABLED} -gt 1 ] || [ ${SYSD_CORED_SUB_STORAGE_NR_DISABLED} -gt 1 ]; then
LogText "Result: 'ProcessSizeMax=0' and 'Storage=none' are set multiple times in systemd configuration files. Check config!"
ReportSuggestion "${TEST_NO}" "Check systemd configuration for duplicate entries of core dump settings"
TMP_COLOR="YELLOW"
fi
Display --indent 4 --text "- configuration in systemd conf files" --result "${STATUS_DISABLED}" --color "${TMP_COLOR}"
elif [ ${SYSD_CORED_BASE_PROCSIZEMAX_NR_DISABLED} -ge 1 ] && [ ${SYSD_CORED_BASE_STORAGE_NR_DISABLED} -ge 1 ] && ( [ ${SYSD_CORED_SUB_PROCSIZEMAX_NR_ENABLED} -ge 1 ] || [ ${SYSD_CORED_SUB_STORAGE_NR_ENABLED} -ge 1 ] ); then
LogText "Result: 'ProcessSizeMax=0' and 'Storage=none' are set in ${ROOTDIR}etc/systemd/coredump.conf but overwritten in subdir config files"
ReportSuggestion "${TEST_NO}" "Check systemd configuration for overwriting core dump settings"
Display --indent 4 --text "- configuration in systemd conf files" --result "${STATUS_ENABLED}" --color YELLOW
AddHP 0 1
elif ( [ ${SYSD_CORED_BASE_PROCSIZEMAX_NR_ENABLED} -ge 1 ] && [ ${SYSD_CORED_BASE_STORAGE_NR_ENABLED} -ge 1 ] ) || \
( [ ${SYSD_CORED_BASE_PROCSIZEMAX_NR_ENABLED} -ge 1 ] && [ ${SYSD_CORED_SUB_STORAGE_NR_ENABLED} -ge 1 ] ) || \
( [ ${SYSD_CORED_BASE_STORAGE_NR_ENABLED} -ge 1 ] && [ ${SYSD_CORED_SUB_PROCSIZEMAX_NR_ENABLED} -ge 1 ] ) || \
( [ ${SYSD_CORED_SUB_PROCSIZEMAX_NR_ENABLED} -ge 1 ] && [ ${SYSD_CORED_SUB_STORAGE_NR_ENABLED} -ge 1 ] ); then
LogText "Result: core dumps are explicitely enabled in systemd configuration files"
ReportSuggestion "${TEST_NO}" "If not required, consider explicit disabling of core dump in ${ROOTDIR}etc/systemd/coredump.conf ('ProcessSizeMax=0', 'Storage=none')"
Display --indent 4 --text "- configuration in systemd conf files" --result "${STATUS_ENABLED}" --color RED
AddHP 0 1
else
LogText "Result: found default option, some programs can dump (not processes which need to change credentials)"
Display --indent 4 --text "- Checking setuid core dumps configuration" --result DEFAULT --color YELLOW
LogText "Result: core dumps are not disabled in systemd configuration. Didn't find settings 'ProcessSizeMax=0' and 'Storage=none'"
Display --indent 4 --text "- configuration in systemd conf files" --result "DEFAULT" --color WHITE
AddHP 0 1
fi
fi
# Profile option
LogText "Test: Checking presence ${ROOTDIR}etc/profile"
if [ -f "${ROOTDIR}etc/profile" ]; then
LogText "Test: Checking if 'ulimit -c 0' exists in ${ROOTDIR}etc/profile or ${ROOTDIR}etc/profile.d/*.sh"
# use tail -1 in the following commands to get the last entry, which is the one that counts (in case of profile.d/ probably counts)
ULIMIT_C_VALUE="$(${GREPBINARY} "ulimit -c " ${ROOTDIR}etc/profile 2> /dev/null | ${SEDBINARY} 's/^ *//g' | ${GREPBINARY} -v "^#" | ${TAILBINARY} -1 | ${CUTBINARY} -d' ' -f3 | ${SEDBINARY} 's/ .*$//g ; s/\([A-Z][a-z]*\)*$//g')"
ULIMIT_C_VALUE_SUB="$(${FINDBINARY} ${ROOTDIR}etc/profile.d -name "*.sh" -type f -exec ${CAT_BINARY} {} \; 2> /dev/null | ${GREPBINARY} "ulimit -c " | ${SEDBINARY} 's/^ *//g' | ${GREPBINARY} -v "^#" | ${TAILBINARY} -1 | ${CUTBINARY} -d' ' -f3 | ${SEDBINARY} 's/ .*$//g ; s/\([A-Z][a-z]*\)*$//g')"
if ( [ -n "${ULIMIT_C_VALUE_SUB}" ] && [ "${ULIMIT_C_VALUE_SUB}" = "0" ] ) || ( [ -n "${ULIMIT_C_VALUE}" ] && [ -z "${ULIMIT_C_VALUE_SUB}" ] && [ "${ULIMIT_C_VALUE}" = "0" ] ); then
LogText "Result: core dumps are disabled by 'ulimit -c 0' in ${ROOTDIR}etc/profile or ${ROOTDIR}etc/profile.d/*.sh"
Display --indent 4 --text "- configuration in etc/profile" --result "${STATUS_DISABLED}" --color GREEN
AddHP 1 1
elif [ -z "${ULIMIT_C_VALUE_SUB}" ] && [ -z "${ULIMIT_C_VALUE}" ]; then
LogText "Result: core dumps are not disabled in ${ROOTDIR}etc/profile or ${ROOTDIR}etc/profile.d/*.sh config files. Didn't find setting 'ulimit -c 0'"
Display --indent 4 --text "- configuration in etc/profile" --result "DEFAULT" --color WHITE
AddHP 0 1
elif ( [ -n "${ULIMIT_C_VALUE_SUB}" ] && ( [ "${ULIMIT_C_VALUE_SUB}" = "unlimited" ] || [ "${ULIMIT_C_VALUE_SUB}" != "0" ] ) ) || ( [ -n "${ULIMIT_C_VALUE}" ] && [ -z "${ULIMIT_C_VALUE_SUB}" ] && ( [ "${ULIMIT_C_VALUE}" = "unlimited" ] || [ "${ULIMIT_C_VALUE}" != "0" ] ) ); then
LogText "Result: core dumps are enabled in ${ROOTDIR}etc/profile or ${ROOTDIR}etc/profile.d/*.sh config files. A value higher than 0 is configured for 'ulimit -c'"
Display --indent 4 --text "- configuration in etc/profile" --result "${STATUS_ENABLED}" --color RED
AddHP 0 1
else
LogText "Result: ERROR - something went wrong. Unexpected result during check of ${ROOTDIR}etc/profile and ${ROOTDIR}etc/profile.d/*.sh config files. Please report on Github!"
Display --indent 4 --text "- configuration in etc/profile" --result "ERROR" --color YELLOW
fi
fi
# Limits option
LogText "Test: Checking presence ${ROOTDIR}etc/security/limits.conf"
if [ -f "${ROOTDIR}etc/security/limits.conf" ]; then
LogText "Result: file ${ROOTDIR}etc/security/limits.conf exists"
LogText "Test: Checking if core dumps are disabled in ${ROOTDIR}etc/security/limits.conf and ${LIMITS_DIRECTORY}/*"
# using find instead of grep -r to stay POSIX compliant. On AIX and HPUX grep -r is not available.
FIND1=$(${FINDBINARY} "${ROOTDIR}etc/security/limits.conf" "${LIMITS_DIRECTORY}" -type f -exec ${CAT_BINARY} {} \; 2> /dev/null | ${GREPBINARY} -v "^$" | ${AWKBINARY} '{ if ($1=="*" && $2=="soft" && $3=="core" && $4=="0") { print "soft core disabled" } else if ($1=="*" && $2=="soft" && $3=="core" && $4!="0") { print "soft core enabled" } }' | ${TAILBINARY} -1)
FIND2=$(${FINDBINARY} "${ROOTDIR}etc/security/limits.conf" "${LIMITS_DIRECTORY}" -type f -exec ${CAT_BINARY} {} \; 2> /dev/null | ${GREPBINARY} -v "^$" | ${AWKBINARY} '{ if ($1=="*" && $2=="hard" && $3=="core" && $4=="0") { print "hard core disabled" } else if ($1=="*" && $2=="hard" && $3=="core" && $4!="0") { print "hard core enabled" } }' | ${TAILBINARY} -1)
FIND3=$(${FINDBINARY} "${ROOTDIR}etc/security/limits.conf" "${LIMITS_DIRECTORY}" -type f -exec ${CAT_BINARY} {} \; 2> /dev/null | ${GREPBINARY} -v "^$" | ${AWKBINARY} '{ if ($1=="*" && $2=="-" && $3=="core" && $4=="0") { print "core dumps disabled" } else if ($1=="*" && $2=="-" && $3=="core" && $4!="0") { print "core dumps enabled" } }' | ${TAILBINARY} -1)
# When "* - core [value]" is used, then this sets both soft and core. In that case we set the values, as they the type 'hard' and 'soft' will not be present in the configuration file.
if [ "${FIND3}" = "core dumps disabled" ]; then
FIND1="soft core disabled"
FIND2="hard core disabled"
elif [ "${FIND3}" = "core dumps enabled" ]; then
FIND1="soft core enabled"
FIND2="hard core enabled"
fi
IS_SOFTCORE_DISABLED="$(if [ "${FIND1}" = "soft core disabled" ]; then ${ECHOCMD} DISABLED; elif [ "${FIND1}" = "soft core enabled" ]; then ${ECHOCMD} ENABLED; else ${ECHOCMD} DEFAULT; fi)"
IS_HARDCORE_DISABLED="$(if [ "${FIND2}" = "hard core disabled" ]; then ${ECHOCMD} DISABLED; elif [ "${FIND2}" = "hard core enabled" ]; then ${ECHOCMD} ENABLED; else ${ECHOCMD} DEFAULT; fi)"
if [ "${FIND2}" = "hard core disabled" ]; then
LogText "Result: core dumps are hard disabled"
Display --indent 4 --text "- 'hard' configuration in security/limits.conf" --result "${IS_HARDCORE_DISABLED}" --color "GREEN"
if [ "${FIND1}" = "soft core disabled" ]; then
Display --indent 4 --text "- 'soft' configuration in security/limits.conf" --result "${IS_SOFTCORE_DISABLED}" --color "GREEN"
else
Display --indent 4 --text "- 'soft' config in security/limits.conf (implicit)" --result "${STATUS_DISABLED}" --color "GREEN"
fi
AddHP 3 3
elif [ "${FIND1}" = "soft core enabled" ] && [ "${FIND2}" = "hard core enabled" ]; then
LogText "Result: core dumps (soft and hard) are enabled"
Display --indent 4 --text "- 'hard' configuration in security/limits.conf" --result "${STATUS_ENABLED}" --color "RED"
Display --indent 4 --text "- 'soft' configuration in security/limits.conf" --result "${STATUS_ENABLED}" --color "RED"
ReportSuggestion "${TEST_NO}" "If not required, consider explicit disabling of core dump in /etc/security/limits.conf file"
AddHP 0 3
elif [ "${FIND1}" = "soft core disabled" ]; then
LogText "Result: core dumps are disabled for 'soft' ('hard'=${IS_HARDCORE_DISABLED})"
Display --indent 4 --text "- 'hard' configuration in security/limits.conf" --result "${IS_HARDCORE_DISABLED}" --color "$(if [ "${IS_HARDCORE_DISABLED}" = "ENABLED" ]; then ${ECHOCMD} RED; elif [ "${IS_HARDCORE_DISABLED}" = "DISABLED" ]; then ${ECHOCMD} GREEN; else ${ECHOCMD} WHITE; fi)"
Display --indent 4 --text "- 'soft' configuration in security/limits.conf" --result "${IS_SOFTCORE_DISABLED}" --color "GREEN"
AddHP 2 3
elif [ "${FIND1}" = "soft core enabled" ] || [ "${FIND2}" = "hard core enabled" ]; then
LogText "Result: core dumps are partially enabled ('hard'=${IS_HARDCORE_DISABLED}, 'soft'=${IS_SOFTCORE_DISABLED})"
Display --indent 4 --text "- 'hard' configuration in security/limits.conf" --result "${IS_HARDCORE_DISABLED}" --color "$(if [ "${IS_HARDCORE_DISABLED}" = "ENABLED" ]; then ${ECHOCMD} RED; elif [ "${IS_HARDCORE_DISABLED}" = "DISABLED" ]; then ${ECHOCMD} GREEN; else ${ECHOCMD} WHITE; fi)"
Display --indent 4 --text "- 'soft' configuration in security/limits.conf" --result "${IS_SOFTCORE_DISABLED}" --color "$(if [ "${IS_SOFTCORE_DISABLED}" = "ENABLED" ]; then ${ECHOCMD} RED; elif [ "${IS_SOFTCORE_DISABLED}" = "DISABLED" ]; then ${ECHOCMD} GREEN; else ${ECHOCMD} WHITE; fi)"
AddHP 0 3
else
LogText "Result: core dumps are not explicitly disabled"
Display --indent 4 --text "- 'hard' configuration in security/limits.conf" --result "${IS_HARDCORE_DISABLED}" --color "WHITE"
Display --indent 4 --text "- 'soft' configuration in security/limits.conf" --result "${IS_HARDCORE_DISABLED}" --color "WHITE"
ReportSuggestion "${TEST_NO}" "If not required, consider explicit disabling of core dump in ${ROOTDIR}etc/security/limits.conf file"
AddHP 1 3
fi
else
LogText "Result: file /etc/security/limits.conf does not exist, skipping test"
LogText "Result: file ${ROOTDIR}etc/security/limits.conf does not exist, skipping test"
fi
# TODO: Check ulimit settings in /etc/profile and /etc/profile.d
# Sysctl option
LogText "Test: Checking sysctl value of fs.suid_dumpable"
FIND=$(${SYSCTLBINARY} fs.suid_dumpable 2> /dev/null | ${AWKBINARY} '{ if ($1=="fs.suid_dumpable") { print $3 } }')
if [ -z "${FIND}" ]; then
LogText "Result: sysctl key fs.suid_dumpable not found"
else
LogText "Result: value ${FIND} found"
fi
if [ "${FIND}" = "2" ]; then
LogText "Result: programs can dump core dump, but only readable by root (value 2, for debugging with file protection)"
Display --indent 4 --text "- Checking setuid core dumps configuration" --result PROTECTED --color WHITE
AddHP 1 1
elif [ "${FIND}" = "1" ]; then
LogText "Result: all programs can perform core dumps (value 1, for debugging)"
Display --indent 2 --text "- Checking setuid core dumps configuration" --result DEBUG --color YELLOW
ReportSuggestion "${TEST_NO}" "Determine if all binaries need to be able to core dump"
AddHP 0 1
else
# 0 - (default) - traditional behaviour. Any process which has changed privilege levels or is execute only will not be dumped
# https://www.kernel.org/doc/Documentation/sysctl/fs.txt
LogText "Result: found default option (0), no execute only program or program with changed privilege levels can dump"
Display --indent 4 --text "- Checking setuid core dumps configuration" --result DISABLED --color GREEN
AddHP 1 1
fi
fi
#
#################################################################################
#
# Test : KRNL-5826
# Description : Checking core dumps configuration (Solaris)
#Register --test-no KRNL-5826 --os Linux --weight L --network NO --category security --description "Checking core dumps configuration"
#if [ ${SKIPTEST} -eq 0 ]; then
#
#################################################################################
#
# Test : KRNL-5830
# Description : Check if system needs a reboot (Linux only)
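Review bot: in the final `else` branch of the limits.conf evaluation the 'soft' row displays the wrong variable: `Display --indent 4 --text "- 'soft' configuration in security/limits.conf" --result "${IS_HARDCORE_DISABLED}" --color "WHITE"` should use `${IS_SOFTCORE_DISABLED}`, otherwise the soft status shown on screen is a copy of the hard one. Two smaller points in the same hunk: the systemd `else` branch emits two Display lines, and the first one (`- Checking setuid core dumps configuration` with result DEFAULT) duplicates the label of the later sysctl check and looks like a leftover from copy-paste; and the comment `# TODO: Check ulimit settings in /etc/profile and /etc/profile.d` is now stale, since exactly that check is implemented a few lines above under `# Profile option`.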
@ -509,11 +629,12 @@
else
LogText "Result: file ${FILE} not found"
fi
# Check if /boot exists
if [ -d ${ROOTDIR}boot ]; then
if [ -d "${ROOTDIR}boot" ]; then
LogText "Result: /boot exists, performing more tests from here"
FIND=$(${LSBINARY} ${ROOTDIR}boot/* 2> /dev/null)
if [ ! -z "${FIND}" ]; then
if [ -n "${FIND}" ]; then
if [ -f ${ROOTDIR}boot/vmlinuz -a ! -L ${ROOTDIR}boot/vmlinuz ]; then
LogText "Result: found /boot/vmlinuz (not symlinked)"
NEXTLINE=0
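Review bot: the quoting fix on `if [ -d "${ROOTDIR}boot" ]; then` stops one line short: `if [ -f ${ROOTDIR}boot/vmlinuz -a ! -L ${ROOTDIR}boot/vmlinuz ]; then` still expands `${ROOTDIR}` unquoted and relies on the non-portable `-a` operator; `[ -f "${ROOTDIR}boot/vmlinuz" ] && [ ! -L "${ROOTDIR}boot/vmlinuz" ]` would match the POSIX cleanups applied in the rest of this change.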
@ -521,12 +642,13 @@
for I in $(file ${ROOTDIR}boot/vmlinuz-linux); do
if [ ${NEXTLINE} -eq 1 ]; then
FINDVERSION="${I}"
break
else
# Searching for the Linux kernel after the keyword 'version'
if [ "${I}" = "version" ]; then NEXTLINE=1; fi
fi
done
if [ ! -z "${FINDVERSION}" ]; then
if [ -n "${FINDVERSION}" ]; then
CURRENT_KERNEL=$(uname -r)
if [ ! "${CURRENT_KERNEL}" = "${FINDVERSION}" ]; then
LogText "Result: reboot needed, as current kernel is different than the one loaded"
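Review bot: the loop `for I in $(file ${ROOTDIR}boot/vmlinuz-linux); do` calls bare `file` instead of `${FILEBINARY}`, which this same test uses elsewhere, and it inspects `vmlinuz-linux` although the enclosing branch was entered because `${ROOTDIR}boot/vmlinuz` exists and is not a symlink; if the intent is to read the version of the non-symlinked `/boot/vmlinuz`, the path passed to `file` should be that file, otherwise `FINDVERSION` stays empty on every system that has `vmlinuz` but no `vmlinuz-linux` and the test ends in `ReportException "${TEST_NO}:1"`.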
@ -535,11 +657,50 @@
else
ReportException "${TEST_NO}:1" "Can't determine kernel version on disk, need debug data"
fi
elif [ -f ${ROOTDIR}boot/vmlinuz-linux ]; then
LogText "Result: /found /boot/vmlinuz-linux (usually Arch Linux or similar)"
LogText "Test: checking kernel version on disk"
VERSION_ON_DISK=$(${FILEBINARY} -b ${ROOTDIR}boot/vmlinuz-linux | ${AWKBINARY} '{ if ($1=="Linux" && $7=="version") { print $8 }}')
if [ ! -z "${VERSION_ON_DISK}" ]; then
elif [ -f ${ROOTDIR}boot/vmlinuz-linux ] || [ -f ${ROOTDIR}boot/vmlinuz-linux-lts ] || [ -f "$(${LSBINARY} -t ${ROOTDIR}boot/vm[l0-9]* 2> /dev/null | ${HEADBINARY} -1)" ]; then
if [ -f ${ROOTDIR}boot/vmlinuz-linux ]; then
LogText "Result: found ${ROOTDIR}boot/vmlinuz-linux"
FOUND_VMLINUZ=${ROOTDIR}boot/vmlinuz-linux
elif [ -f ${ROOTDIR}boot/vmlinuz-linux-lts ]; then
LogText "Result: found ${ROOTDIR}boot/vmlinuz-linux-lts"
FOUND_VMLINUZ=${ROOTDIR}boot/vmlinuz-linux-lts
else
# Match on /boot/vm5.3.7 or /boot/vmlinuz-5.3.7-1-default
FOUND_VMLINUZ=$(${LSBINARY} -t ${ROOTDIR}boot/vm[l0-9]* 2> /dev/null | ${HEADBINARY} -1)
LogText "Result: found ${FOUND_VMLINUZ}"
fi
VERSION_ON_DISK=""
if [ -L "${FOUND_VMLINUZ}" ]; then
LogText "Result: found a symlink, retrieving destination"
FOUND_VMLINUZ=$(readlink "${FOUND_VMLINUZ}")
LogText "Result: destination file is ${FOUND_VMLINUZ}"
VERSION_ON_DISK=$(echo ${FOUND_VMLINUZ} | ${SEDBINARY} 's#^/boot/##' | ${SEDBINARY} 's/^vmlinuz-//')
LogText "Result: version derived from file name is '${VERSION_ON_DISK}'"
elif [ -f "${FOUND_VMLINUZ}" ]; then
VERSION_ON_DISK=$(echo ${FOUND_VMLINUZ} | ${SEDBINARY} 's#^/boot/##' | ${SEDBINARY} 's/^vmlinuz-//')
LogText "Result: version derived from file name is '${VERSION_ON_DISK}'"
fi
if [ -z "${VERSION_ON_DISK}" ]; then
LogText "Test: checking kernel version on disk"
NEXTLINE=0
VERSION_ON_DISK=""
for I in $(file ${FOUND_VMLINUZ}); do
if [ ${NEXTLINE} -eq 1 ]; then
VERSION_ON_DISK="${I}"
break
else
# Searching for the Linux kernel after the keyword 'version'
if [ "${I}" = "version" ]; then NEXTLINE=1; fi
fi
done
fi
if [ -z "${VERSION_ON_DISK}" ]; then
LogText "Result: could not find the version on disk"
ReportException "${TEST_NO}:4" "Could not find the kernel version"
else
LogText "Result: found version ${VERSION_ON_DISK}"
ACTIVE_KERNEL=$(uname -r)
LogText "Result: active kernel version ${ACTIVE_KERNEL}"
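Review bot: the filename-derived version introduced in the `elif [ -f "${FOUND_VMLINUZ}" ]; then` branch regresses the Arch case that this block previously handled with `${FILEBINARY} -b`. For a regular file named `vmlinuz-linux` or `vmlinuz-linux-lts`, `${SEDBINARY} 's#^/boot/##' | ${SEDBINARY} 's/^vmlinuz-//'` yields `linux` or `linux-lts`, which is non-empty, so the `if [ -z "${VERSION_ON_DISK}" ]` fallback to `file` never runs and the later comparison against `uname -r` will always flag a reboot. Consider only trusting the name when the remainder after `vmlinuz-` starts with a digit, and falling through to the `file` path otherwise. Also, the sed strips a literal `/boot/` rather than `${ROOTDIR}boot/`, and `readlink`, `echo`, `file` and `uname` are called bare where the surrounding code uses the `${...BINARY}` and `${ECHOCMD}` variables.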
@ -550,9 +711,6 @@
REBOOT_NEEDED=1
LogText "Result: reboot needed, as there is a difference between active kernel and the one on disk"
fi
else
LogText "Result: could not find the version on disk"
ReportException "${TEST_NO}:4" "Could not find the kernel version from /boot/vmlinux-linux"
fi
else
if [ -L ${ROOTDIR}boot/vmlinuz ]; then
@ -564,7 +722,7 @@
MYKERNEL=$(${UNAMEBINARY} -r | ${SEDBINARY} 's/\.[a-z].*.//g' | ${SEDBINARY} 's/-[a-z].*.//g' | ${SEDBINARY} 's/-/./g')
LogText "Result: using ${MYKERNEL} as my kernel version (stripped)"
FIND=$(ls ${ROOTDIR}boot/vmlinuz* 2> /dev/null)
if [ ! -z "${FIND}" ]; then
if [ -n "${FIND}" ]; then
for ITEM in ${FIND}; do
LogText "Result: found ${ITEM}"
done
@ -572,7 +730,7 @@
# Ignore rescue images. Remove generic. and huge. for Slackware machines
LogText "Action: checking relevant kernels"
KERNELS=$(${LSBINARY} /boot/vmlinuz* | ${GREPBINARY} -v rescue | ${SEDBINARY} 's/vmlinuz-//' | ${SEDBINARY} 's/generic.//' | ${SEDBINARY} 's/huge.//' | ${SEDBINARY} 's/\.[a-z].*.//g' | ${SEDBINARY} 's/-[a-z].*.//g' | ${SEDBINARY} 's./boot/..' | ${SEDBINARY} 's/-/./g' | ${SORTBINARY} -n -k1,1 -k2,2 -k3,3 -k4,4 -k5,5 -k6,6 -t \.)
KERNELS_ONE_LINE=$(echo ${KERNELS} | ${TRBINARY} '\n' ' ')
KERNELS_ONE_LINE=$(${ECHOCMD} ${KERNELS} | ${TRBINARY} '\n' ' ')
LogText "Output: ${KERNELS_ONE_LINE}"
elif [ ! "$(ls ${ROOTDIR}boot/kernel* 2> /dev/null)" = "" ]; then
LogText "Output: Found a kernel file in ${ROOTDIR}boot"
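Review bot: `KERNELS=$(${LSBINARY} /boot/vmlinuz* | ...` and the `s./boot/..` substitution in the same pipeline still hardcode `/boot`, while the neighbouring lines in this change were moved to `${ROOTDIR}boot`; under a non-default `${ROOTDIR}` the kernel list is read from the wrong tree and the reboot verdict is meaningless.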
@ -580,11 +738,11 @@
# Examples:
# /boot/kernel-genkernel-x86_64-3.14.14-gentoo
KERNELS=$(${LSBINARY} ${ROOTDIR}boot/kernel* | ${AWKBINARY} -F- '{ if ($2=="genkernel") { print $4 }}' | ${GREPBINARY} "^[0-9]" | ${SORTBINARY} -n -k1,1 -k2,2 -k3,3 -k4,4 -k5,5 -k6,6 -t \.)
if [ ! -z "${KERNELS}" ]; then LogText "Output: ${KERNELS}"; fi
if [ -n "${KERNELS}" ]; then LogText "Output: ${KERNELS}"; fi
else
ReportException "${TEST_NO}:2" "Can not find any vmlinuz or kernel files in /boot, which is unexpected"
fi
if [ ! -z "${KERNELS}" ]; then
if [ -n "${KERNELS}" ]; then
FOUND_KERNEL=0
for I in ${KERNELS}; do
# Check if we already found a kernel and it is not equal to what we run (e.g. double versions may exist)
@ -616,7 +774,108 @@
LogText "Result: Skipping this test, as there are no files in /boot"
fi
else
LogText "Result: /boot does not exist"
LogText "Result: /boot does not exist or not privileged to read files"
fi
# Attempt to check for Raspbian if reboot is needed
# This check searches for apt package "raspberrypi-kernel-[package-date]", trys to extract the date of packaging from the filename
# and compares that date with the currently running kernel's build date (uname -v).
# Of course there can be a time difference between kernel build and kernel packaging, therefor a time difference of
# 3 days is accepted and it is assumed with only 3 days apart, this must be the same kernel version.
if [ ${REBOOT_NEEDED} -eq 2 ] && [ -d "${APT_ARCHIVE_DIRECTORY}" ]; then
LogText "Result: found folder ${APT_ARCHIVE_DIRECTORY}; assuming this is a debian based distribution"
LogText "Check: try to find raspberrypi-kernel file in ${APT_ARCHIVE_DIRECTORY} and extract package date from file name"
FOUND_KERNEL_DATE=$(${FINDBINARY} ${APT_ARCHIVE_DIRECTORY} -name "raspberrypi-kernel*" -printf "%T@ %Tc %p\n" 2> /dev/null \
| ${SORTBINARY} -nr | ${HEADBINARY} -1 | ${GREPBINARY} -o "raspberrypi-kernel.*deb" | ${EGREPBINARY} -o "\.[0-9]+" | ${SEDBINARY} 's/\.//g')
if [ -n "${FOUND_KERNEL_DATE}" ]; then
FOUND_KERNEL_IN_SECONDS=$(date -d "${FOUND_KERNEL_DATE}" "+%s" 2> /dev/null)
else
LogText "Result: Skipping this test, as there was no package date to extract"
fi
if [ -n "${FOUND_KERNEL_IN_SECONDS}" ] && [ ${FOUND_KERNEL_IN_SECONDS} -gt 1 ]; then
LogText "Result: Got package date: ${FOUND_KERNEL_DATE} (= ${FOUND_KERNEL_IN_SECONDS} seconds)"
UNAME_OUTPUT="$(${UNAMEBINARY} -v 2> /dev/null)"
else
LogText "Result: Skipping this test, as extracting the seconds of package date failed"
fi
if [ -n "${UNAME_OUTPUT}" ]; then
LogText "Result: Got an output from 'uname -v'"
LogText "Check: Trying to extract kernel build date from 'uname -v' output"
next=""
for part in ${UNAME_OUTPUT}; do
if [ -z "$next" ]; then
if [ "${part}" = "Mon" ] || [ "${part}" = "Tue" ] || [ "${part}" = "Wed" ] || [ "${part}" = "Thu" ] || [ "${part}" = "Fri" ] || [ "${part}" = "Sat" ] || [ "${part}" = "Sun" ]; then
next="month"
fi
elif [ "$next" = "month" ]; then
if [ $(${ECHOCMD} "${part}" | ${EGREPBINARY} -c "[A-Z][a-z]") -ge 1 ]; then
UNAME_DATE_MONTH="${part}"
next="day"
fi
elif [ "${next}" = "day" ]; then
if [ $(${ECHOCMD} ${part} | ${EGREPBINARY} -c "[0-9][0-9]") -ge 1 ]; then
UNAME_DATE_DAY="${part}"
next="time"
fi
elif [ "${next}" = "time" ]; then
if [ $(${ECHOCMD} ${part} | ${EGREPBINARY} -c ":[0-9][0-9]:") -ge 1 ]; then
next="year"
fi
elif [ "${next}" = "year" ]; then
if [ $(${ECHOCMD} ${part} | ${EGREPBINARY} -c "[0-9][0-9]") -ge 1 ]; then
UNAME_DATE_YEAR="${part}"
break
fi
fi
done
if [ -n "${UNAME_DATE_MONTH}" ] && [ -n "${UNAME_DATE_DAY}" ] && [ -n "${UNAME_DATE_YEAR}" ]; then
LogText "Result: Extracted kernel build date is: ${UNAME_DATE_DAY} ${UNAME_DATE_MONTH} ${UNAME_DATE_YEAR}"
UNAME_DATE_IN_SECONDS=$(date -d "${UNAME_DATE_DAY} ${UNAME_DATE_MONTH} ${UNAME_DATE_YEAR}" "+%s" 2> /dev/null)
LogText "Check: Comparing kernel build date in seconds (${UNAME_DATE_IN_SECONDS}s) with package date in seconds (${FOUND_KERNEL_IN_SECONDS}s)"
if [ -n "${UNAME_DATE_IN_SECONDS}" ] && [ ${FOUND_KERNEL_IN_SECONDS} -ge ${UNAME_DATE_IN_SECONDS} ]; then
LogText "Result: package creation date is older than running kernel. Hence, this check should be valid."
LogText "Check if package create date and kernel build date are not more than 3 days apart."
SECONDS_APART=$(( ${FOUND_KERNEL_IN_SECONDS} - ${UNAME_DATE_IN_SECONDS} ))
if [ ${SECONDS_APART} -ge 60 ]; then
MINUTES_APART=$(( ${SECONDS_APART} / 60 ))
if [ ${MINUTES_APART} -ge 60 ]; then
DAYS_APART=$(( ${MINUTES_APART} / 60 ))
if [ ${DAYS_APART} -ge 24 ]; then DAYS_APART=$(( ${DAYS_APART} / 24 )); else DAYS_APART=0; fi
else
DAYS_APART=0
fi
else
DAYS_APART=0
fi
# assuming kernels are packaged definitely within 3 days. ACCEPTED_TIME_DIFF needs a value in seconds
ACCEPTED_TIME_DIFF=$((3 * 24 * 60 * 60))
if [ ${FOUND_KERNEL_IN_SECONDS} -le $((${UNAME_DATE_IN_SECONDS} + ${ACCEPTED_TIME_DIFF})) ]; then
LogText "Result: package create date and kernel build date are only ${DAYS_APART} day(s) apart."
LogText "Result: Assuming no reboot needed."
REBOOT_NEEDED=0
else
LogText "Result: package create date and kernel build date are ${DAYS_APART} day(s) apart."
LogText "Result: Assuming reboot is needed."
REBOOT_NEEDED=1
fi
else
LogText "Result: Package's create date is older than running kernel, which is unexpected. Might not be a valid test. Skipping..."
fi
else
LogText "Result: Could not extract Day, Month and Year from 'uname -v' output"
fi
else
LogText "Result: Did not get output from 'uname -v'. Skipping test."
fi
else
LogText "Result: /var/cache/apt/archives/ does not exist"
fi
# Display discovered status
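Review bot: the day-of-month extraction in the `uname -v` parser fails for single-digit days: `if [ $(${ECHOCMD} ${part} | ${EGREPBINARY} -c "[0-9][0-9]") -ge 1 ]; then` requires two digits, but a build string such as `#1 SMP Mon Aug 3 14:22:05 BST 2020` carries a one-digit day, so `UNAME_DATE_DAY` stays empty and the whole Raspbian check is silently skipped for the first nine days of every month; matching `^[0-9]{1,2}$` covers both forms. Two further points: the log text `LogText "Result: package creation date is older than running kernel. Hence, this check should be valid."` describes the branch taken when `${FOUND_KERNEL_IN_SECONDS} -ge ${UNAME_DATE_IN_SECONDS}`, i.e. when the package date is newer than the kernel build date, and the `else` text at the end has the same inversion; and the final `LogText "Result: /var/cache/apt/archives/ does not exist"` hardcodes the path instead of `${APT_ARCHIVE_DIRECTORY}` and is also reached when `${REBOOT_NEEDED}` is not 2, so it misleads when reading the log. The `find -printf` and `date -d` calls are GNU-specific; that is defensible here because the branch is only entered when an apt archive directory exists, but a comment stating that assumption would save the next reader a check.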
@ -625,7 +884,7 @@
AddHP 5 5
elif [ ${REBOOT_NEEDED} -eq 1 ]; then
Display --indent 2 --text "- Check if reboot is needed" --result "${STATUS_YES}" --color RED
ReportWarning ${TEST_NO} "Reboot of system is most likely needed" "" "text:reboot"
ReportWarning "${TEST_NO}" "Reboot of system is most likely needed" "" "text:reboot"
AddHP 0 5
else
Display --indent 2 --text "- Check if reboot is needed" --result "${STATUS_UNKNOWN}" --color YELLOW
@ -639,4 +898,4 @@ WaitForKeyPress
#
#================================================================================
# Lynis - Copyright 2007-2019, CISOfy - https://cisofy.com
# Lynis - Copyright 2007-2020, CISOfy - https://cisofy.com

@ -6,7 +6,7 @@
# ------------------
#
# Copyright 2007-2013, Michael Boelen
# Copyright 2007-2019, CISOfy
# Copyright 2007-2020, CISOfy
#
# Website : https://cisofy.com
# Blog : http://linux-audit.com
@ -47,7 +47,7 @@
done
# Scan custom profile
if [ ! -z "${CUSTOM_PROFILE}" ]; then
if [ -n "${CUSTOM_PROFILE}" ]; then
FIND=$(${GREPBINARY} "^config-data=sysctl;" ${CUSTOM_PROFILE} | ${SEDBINARY} 's/ /-space-/g')
for LINE in ${FIND}; do
SYSCTLKEY=$(echo ${LINE} | ${AWKBINARY} -F\; '{ print $2 }')
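Review bot: `SYSCTLKEY=$(echo ${LINE} | ${AWKBINARY} -F\; '{ print $2 }')` still calls bare `echo`, while this same commit replaces `echo` with `${ECHOCMD}` in the reboot test; the sysctl parsing lines here and in the identical default-profile loop below could use `${ECHOCMD}` as well so the whole file follows one convention.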
@ -57,7 +57,7 @@
fi
# Last, use data from default profile
if [ ! -z "${DEFAULT_PROFILE}" ]; then
if [ -n "${DEFAULT_PROFILE}" ]; then
FIND=$(${GREPBINARY} "^config-data=sysctl;" ${DEFAULT_PROFILE} | ${SEDBINARY} 's/ /-space-/g')
for LINE in ${FIND}; do
SYSCTLKEY=$(echo ${LINE} | ${AWKBINARY} -F\; '{ print $2 }')
@ -76,7 +76,7 @@
tFINDhp=$(echo ${line} | ${AWKBINARY} -F\; '{ print $4 }' | ${GREPBINARY} "[0-9]")
tFINDdesc=$(echo ${line} | ${AWKBINARY} -F\; '{ print $5 }' | ${SEDBINARY} 's/-space-/ /g')
tFINDcurvalue=$(${SYSCTL_READKEY} ${tFINDkey} 2> /dev/null)
if [ ! -z "${tFINDcurvalue}" ]; then
if [ -n "${tFINDcurvalue}" ]; then
positive_match=0
for value in ${tFINDexpvalue}; do
if [ "${value}" = "${tFINDcurvalue}" ]; then
@ -106,7 +106,7 @@
# Add suggestion if one or more sysctls have a different value than scan profile
if [ ${FOUND} -eq 1 ]; then
LogText "Result: found ${N} keys that can use tuning, according scan profile"
ReportSuggestion ${TEST_NO} "One or more sysctl values differ from the scan profile and could be tweaked" "" "Change sysctl value or disable test (skip-test=${TEST_NO}:<sysctl-key>)"
ReportSuggestion "${TEST_NO}" "One or more sysctl values differ from the scan profile and could be tweaked" "" "Change sysctl value or disable test (skip-test=${TEST_NO}:<sysctl-key>)"
fi
fi
#

@ -6,7 +6,7 @@
# ------------------
#
# Copyright 2007-2013, Michael Boelen
# Copyright 2007-2019, CISOfy
# Copyright 2007-2020, CISOfy
#
# Website : https://cisofy.com
# Blog : http://linux-audit.com
@ -36,16 +36,14 @@
# Description : Check running OpenLDAP instance
Register --test-no LDAP-2219 --weight L --network NO --category security --description "Check running OpenLDAP instance"
if [ ${SKIPTEST} -eq 0 ]; then
# TODO adding additional slash needed?
IsRunning slapd
if [ ${RUNNING} -eq 0 ]; then
Display --indent 2 --text "- Checking OpenLDAP instance" --result "${STATUS_NOT_FOUND}" --color WHITE
LogText "Result: No running slapd process found."
else
if IsRunning "slapd"; then
Display --indent 2 --text "- Checking OpenLDAP instance" --result "${STATUS_FOUND}" --color GREEN
LogText "Result: Found running slapd process"
SLAPDFOUND=1
SLAPD_RUNNING=1
else
Display --indent 2 --text "- Checking OpenLDAP instance" --result "${STATUS_NOT_FOUND}" --color WHITE
LogText "Result: No running slapd process found."
fi
fi
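Review bot: the result variable is renamed from `SLAPDFOUND=1` to `SLAPD_RUNNING=1` as part of switching to `if IsRunning "slapd"; then`, but nothing in this hunk shows the consumers of the old name being updated (for example a prerequisite check for the slapd.conf test that follows); please confirm `SLAPDFOUND` is no longer referenced anywhere and that `SLAPD_RUNNING` is initialised before this test, otherwise the dependent tests will always see the variable unset.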
#
@ -66,7 +64,7 @@
fi
done
# Check if we found a valid location
if [ ! -z "${SLAPD_CONF_LOCATION}" ]; then
if [ -n "${SLAPD_CONF_LOCATION}" ]; then
Display --indent 4 --text "- Checking slapd.conf" --result "${STATUS_FOUND}" --color GREEN
else
Display --indent 4 --text "- Checking slapd.conf" --result "${STATUS_NOT_FOUND}" --color YELLOW
@ -91,7 +89,7 @@
#################################################################################
#
# Test : LDAP-2240
# Description : Check OpenLDAP unencrypted RootDN password
# Description : Check OpenLDAP plaintext RootDN password
#
#################################################################################
#

@ -6,7 +6,7 @@
# ------------------
#
# Copyright 2007-2013, Michael Boelen
# Copyright 2007-2019, CISOfy
# Copyright 2007-2020, CISOfy
#
# Website : https://cisofy.com
# Blog : http://linux-audit.com
@ -47,7 +47,7 @@
if [ -z "${FIND}" ]; then
Display --indent 2 --text "- Checking for a running log daemon" --result "${STATUS_WARNING}" --color RED
LogText "Result: Could not find a syslog daemon like syslog, syslog-ng, rsyslog, metalog, systemd-journal"
ReportSuggestion ${TEST_NO} "Check if any syslog daemon is running and correctly configured."
ReportSuggestion "${TEST_NO}" "Check if any syslog daemon is running and correctly configured."
AddHP 0 3
else
Display --indent 2 --text "- Checking for a running log daemon" --result "${STATUS_OK}" --color GREEN
@ -65,8 +65,7 @@
Register --test-no LOGG-2132 --weight L --network NO --category security --description "Check for running syslog-ng daemon"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Searching for syslog-ng daemon in process list"
IsRunning syslog-ng
if [ ${RUNNING} -eq 1 ]; then
if IsRunning "syslog-ng"; then
LogText "Result: Found syslog-ng in process list"
Display --indent 4 --text "- Checking Syslog-NG status" --result "${STATUS_FOUND}" --color GREEN
SYSLOG_DAEMON_PRESENT=1
@ -93,7 +92,7 @@
else
LogText "Result: Syslog-NG configuration file seems NOT to be consistent"
Display --indent 6 --text "- Checking Syslog-NG consistency" --result "${STATUS_WARNING}" --color RED
ReportSuggestion ${TEST_NO} "Check the Syslog-NG configuration file and/or run a manual consistency check with: syslog-ng -s"
ReportSuggestion "${TEST_NO}" "Check the Syslog-NG configuration file and/or run a manual consistency check with: syslog-ng -s"
fi
fi
#
@ -104,8 +103,7 @@
Register --test-no LOGG-2136 --weight L --network NO --category security --description "Check for running systemd journal daemon"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Searching for systemd journal daemon in process list"
IsRunning systemd-journal
if [ ${RUNNING} -eq 1 ]; then
if IsRunning "systemd-journal"; then
Display --indent 4 --text "- Checking systemd journal status" --result "${STATUS_FOUND}" --color GREEN
SYSTEMD_JOURNAL_RUNNING=1
Report "syslog_daemon_present=1"
@ -122,8 +120,7 @@
Register --test-no LOGG-2210 --weight L --network NO --category security --description "Check for running metalog daemon"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Searching for metalog daemon in process list"
IsRunning metalog
if [ ${RUNNING} -eq 1 ]; then
if IsRunning "metalog"; then
LogText "Result: Found metalog in process list"
Display --indent 4 --text "- Checking Metalog status" --result "${STATUS_FOUND}" --color GREEN
SYSLOG_DAEMON_PRESENT=1
@ -143,8 +140,7 @@
Register --test-no LOGG-2230 --weight L --network NO --category security --description "Check for running RSyslog daemon"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Searching for RSyslog daemon in process list"
IsRunning rsyslogd
if [ ${RUNNING} -eq 1 ]; then
if IsRunning "rsyslogd"; then
LogText "Result: Found rsyslogd in process list"
Display --indent 4 --text "- Checking RSyslog status" --result "${STATUS_FOUND}" --color GREEN
SYSLOG_DAEMON_PRESENT=1
@ -164,8 +160,7 @@
Register --test-no LOGG-2240 --weight L --network NO --category security --description "Check for running RFC 3195 compliant daemon"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Searching for RFC 3195 daemon (alias syslog reliable) in process list"
IsRunning rfc3195d
if [ ${RUNNING} -eq 1 ]; then
if IsRunning "rfc3195d"; then
LogText "Result: Found rfc3195d in process list"
Display --indent 4 --text "- Checking RFC 3195 daemon status" --result "${STATUS_FOUND}" --color GREEN
SYSLOG_DAEMON_PRESENT=1
@ -190,14 +185,13 @@
if [ ${RSYSLOG_RUNNING} -eq 0 -a ${SYSTEMD_JOURNAL_RUNNING} -eq 0 ]; then
# Search for klogd, but ignore other lines related to klogd (like dd with input/output file)
#FIND=$(${PSBINARY} ax | ${GREPBINARY} "klogd" | ${GREPBINARY} -v "dd" | ${GREPBINARY} -v "grep")
IsRunning klogd
if [ ${RUNNING} -eq 1 ]; then
if IsRunning "klogd"; then
LogText "Result: klogd running"
Display --indent 4 --text "- Checking klogd" --result "${STATUS_FOUND}" --color GREEN
else
LogText "Result: No klogd found"
Display --indent 4 --text "- Checking klogd" --result "${STATUS_NOT_FOUND}" --color RED
ReportWarning ${TEST_NO} "klogd is not running, which could lead to missing kernel messages in log files"
ReportWarning "${TEST_NO}" "klogd is not running, which could lead to missing kernel messages in log files"
fi
else
LogText "Result: test skipped, because other facility is being used to log kernel messages"
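Review bot: with the switch to `if IsRunning "klogd"; then`, the commented-out `#FIND=$(${PSBINARY} ax | ${GREPBINARY} "klogd" | ...` line is dead code and can be dropped; the enclosing `if [ ${RSYSLOG_RUNNING} -eq 0 -a ${SYSTEMD_JOURNAL_RUNNING} -eq 0 ]; then` could also lose the `-a` in favour of two bracketed tests joined by `&&`, matching the POSIX cleanups made elsewhere in this change.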
@ -212,15 +206,14 @@
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Result: Checking for unkilled minilogd instances"
# Search for minilogd. It shouldn't be running normally, if another syslog daemon is started
IsRunning minilogd
if [ ${RUNNING} -eq 0 ]; then
Display --indent 4 --text "- Checking minilogd instances" --result "${STATUS_NOT_FOUND}" --color WHITE
LogText "Result: No minilogd is running"
else
if IsRunning "minilogd"; then
Display --indent 4 --text "- Checking minilogd instances" --result "${STATUS_WARNING}" --color RED
LogText "Result: minilogd found in process list"
# minilogd daemon seems to be running
ReportWarning ${TEST_NO} "minilogd is running, which should normally not be running"
ReportWarning "${TEST_NO}" "minilogd is running, which should normally not be running"
else
Display --indent 4 --text "- Checking minilogd instances" --result "${STATUS_NOT_FOUND}" --color WHITE
LogText "Result: No minilogd is running"
fi
fi
#
@ -254,7 +247,7 @@
else
Display --indent 2 --text "- Checking logrotate presence" --result "${STATUS_WARNING}" --color RED
LogText "Result: No logrotate configuration found"
ReportSuggestion ${TEST_NO} "Check if log files are properly rotated"
ReportSuggestion "${TEST_NO}" "Check if log files are properly rotated"
fi
fi
#
@ -262,7 +255,7 @@
#
# Test : LOGG-2148
# Description : Checking log files rotated with logrotate
if [ ! -z "${LOGROTATEBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
if [ -n "${LOGROTATEBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no LOGG-2148 --weight L --preqs-met ${PREQS_MET} --network NO --category security --description "Checking logrotated files"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking which files are rotated with logrotate and if they exist"
@ -286,7 +279,7 @@
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking which directories can be found in logrotate configuration"
FIND=$(${LOGROTATEBINARY} -d -v ${ROOTDIR}etc/logrotate.conf 2>&1 | ${EGREPBINARY} "considering log|skipping" | ${GREPBINARY} -v '*' | ${SORTBINARY} -u | ${AWKBINARY} '{ if ($2=="log") { print $3 } }' | ${SEDBINARY} 's@/[^/]*$@@g' | ${SORTBINARY} -u)
if IsEmpty "${FIND}" ]; then
if IsEmpty "${FIND}"; then
LogText "Result: nothing found"
else
LogText "Result: found one or more directories (via logrotate configuration)"
@ -311,7 +304,7 @@
# Try local hosts file
LogText "Result: Checking for loghost in /etc/inet/hosts"
FIND=$(${GREPBINARY} loghost /etc/inet/hosts | ${GREPBINARY} -v "^#")
if [ ! -z "${FIND}" ]; then
if [ -n "${FIND}" ]; then
SOLARIS_LOGHOST_FOUND=1
LogText "Result: Found loghost entry in /etc/inet/hosts"
else
@ -320,7 +313,7 @@
# Try name resolving if no entry is present in local host file
LogText "Result: Checking for loghost via name resolving"
FIND=$(getent hosts loghost | ${GREPBINARY} loghost)
if [ ! -z "${FIND}" ]; then
if [ -n "${FIND}" ]; then
SOLARIS_LOGHOST_FOUND=1
LogText "Result: name resolving was successful"
LogText "Output: ${FIND}"
@ -335,8 +328,8 @@
else
Display --indent 2 --text "- Checking loghost entry" --result "${STATUS_WARNING}" --color RED
LogText "Result: No loghost entry found"
ReportWarning ${TEST_NO} "No loghost entry found"
ReportSuggestion ${TEST_NO} "Add a loghost entry to /etc/inet/hosts or other name services"
ReportWarning "${TEST_NO}" "No loghost entry found"
ReportSuggestion "${TEST_NO}" "Add a loghost entry to /etc/inet/hosts or other name services"
fi
fi
#
@ -348,40 +341,95 @@
if [ ${SYSLOG_DAEMON_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no LOGG-2154 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking syslog configuration file"
if [ ${SKIPTEST} -eq 0 ]; then
if [ ${SYSLOG_NG_RUNNING} -eq 1 ]; then
SYSLOGD_CONF="/etc/syslog-ng/syslog-ng.conf"
else
SYSLOGD_CONF="/etc/syslog.conf"
if [ ${RSYSLOG_RUNNING} -eq 1 ]; then
DATA=""
TARGET="${ROOTDIR}etc/rsyslog.conf"
if [ -f ${TARGET} ]; then
LogText "Test: analyzing file ${TARGET} for remote target"
DATA=$(${EGREPBINARY} "@@?([a-zA-Z0-9\-])+(\.)?(([a-zA-Z0-9-])+)?(\.)?(([a-zA-Z0-9-])+)?(\.)?(([a-zA-Z0-9-])+)?(\.)?(([a-zA-Z0-9-])+)?" ${TARGET} | ${GREPBINARY} -v "#" | ${TRBINARY} -cd "[:print:]\n" | ${SEDBINARY} 's/[[:blank:]]\{1,\}/:space:/g')
if [ -z "${DATA}" ]; then
LogText "Result: no remote target found"
else
LogText "Result: found remote target"
REMOTE_LOGGING_ENABLED=1
for D in ${DATA}; do
if SafeInput "${D}"; then
D=$(echo ${D} | ${SEDBINARY} 's/:space:/ /g')
LogText "Data: ${D}"
fi
done
fi
fi
TARGET="${ROOTDIR}etc/rsyslog.d"
if [ -d ${TARGET} ]; then
FILES=$(${FINDBINARY} ${TARGET} -type f -print0 | ${TRBINARY} -cd '[:print:]\0' | ${SEDBINARY} 's/[[:blank:]]/:space:/g' | ${TRBINARY} '\0' ' ')
for F in ${FILES}; do
F=$(echo ${F} | ${SEDBINARY} 's/:space:/ /g')
LogText "Test: analyzing file ${F} for remote target"
DATA=$(${EGREPBINARY} "@@?([a-zA-Z0-9\-])+(\.)?(([a-zA-Z0-9-])+)?(\.)?(([a-zA-Z0-9-])+)?(\.)?(([a-zA-Z0-9-])+)?(\.)?(([a-zA-Z0-9-])+)?" ${F} | ${GREPBINARY} -v "#" | ${TRBINARY} -cd "[:print:]\n" | ${SEDBINARY} 's/[[:blank:]]\{1,\}/:space:/g')
if [ -n "${DATA}" ]; then
LogText "Result: found remote target"
REMOTE_LOGGING_ENABLED=1
for D in ${DATA}; do
if SafeInput "${D}"; then
D=$(echo ${D} | ${SEDBINARY} 's/:space:/ /g')
LogText "Data: ${D}"
fi
done
else
# Check new style configuration (omrelp/omfwd). This can be all on one line or even split over multiple lines.
DATA=$(${EGREPBINARY} "target=\"([a-zA-Z0-9\-])" ${F})
if [ -n "${DATA}" ]; then
LogText "Result: most likely remote log host is used, as keyword 'target' is used"
REMOTE_LOGGING_ENABLED=1
else
LogText "Result: no remote target found"
fi
fi
done
fi
fi
# Test generic syslog files (syslog-ng and older syslog daemons)
if [ ${SYSLOG_NG_RUNNING} -eq 1 ]; then
SYSLOGD_CONF="${ROOTDIR}etc/syslog-ng/syslog-ng.conf"
else
SYSLOGD_CONF="${ROOTDIR}etc/syslog.conf"
fi
if [ -f ${SYSLOGD_CONF} ]; then
LogText "Test: check if logs are also logged to a remote logging host"
FIND=$(${EGREPBINARY} "@[a-zA-Z0-9]|destination\s.+(udp|tcp).+\sport" ${SYSLOGD_CONF} | ${GREPBINARY} -v "^#" | ${GREPBINARY} -v "[a-zA-Z0-9]@")
if [ ! -z "${FIND}" ]; then
if [ -n "${FIND}" ]; then
LogText "Result: remote logging enabled"
REMOTE_LOGGING_ENABLED=1
else
# Search for configured destinations with an IP address or hostname, then determine which ones are used as a log destination
DESTINATIONS=$(${GREPBINARY} "^destination" ${SYSLOGD_CONF} | ${EGREPBINARY} "(udp|tcp)" | ${GREPBINARY} "port" | ${AWKBINARY} '{print $2}')
for DESTINATION in ${DESTINATIONS}; do
FIND2=$(${GREPBINARY} "log" | ${GREPBINARY} "source" | ${EGREPBINARY} "destination\(${DESTINATION}\)")
if [ ! -z "${FIND2}" = "" ]; then
FIND2=$(${GREPBINARY} "log" ${SYSLOGD_CONF} | ${GREPBINARY} "source" | ${EGREPBINARY} "destination\(${DESTINATION}\)")
if [ -n "${FIND2}" ]; then
LogText "Result: found destination ${DESTINATION} configured for remote logging"
REMOTE_LOGGING_ENABLED=1
fi
done
fi
if [ ${REMOTE_LOGGING_ENABLED} -eq 0 ]; then
LogText "Result: no remote logging found"
ReportSuggestion ${TEST_NO} "Enable logging to an external logging host for archiving purposes and additional protection"
AddHP 1 3
Display --indent 2 --text "- Checking remote logging" --result "NOT ENABLED" --color YELLOW
else
AddHP 5 5
Display --indent 2 --text "- Checking remote logging" --result "${STATUS_ENABLED}" --color GREEN
fi
else
LogText "Result: test skipped, file ${SYSLOGD_CONF} not found"
fi
# Show result
if [ ${REMOTE_LOGGING_ENABLED} -eq 0 ]; then
Report "remote_syslog_configured=0"
LogText "Result: no remote logging found"
ReportSuggestion "${TEST_NO}" "Enable logging to an external logging host for archiving purposes and additional protection"
AddHP 1 3
Display --indent 2 --text "- Checking remote logging" --result "NOT ENABLED" --color YELLOW
else
Report "remote_syslog_configured=1"
AddHP 5 5
Display --indent 2 --text "- Checking remote logging" --result "${STATUS_ENABLED}" --color GREEN
fi
fi
#
#################################################################################
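Review bot: the comment filter in the rsyslog scan drops too much and the new-style check filters nothing. `${GREPBINARY} -v "#"` (applied to `${TARGET}` and again to every file under rsyslog.d) discards any line that contains a `#` anywhere, so a live forwarding rule with a trailing comment such as `*.* @@loghost:514 # central` is missed, while `${EGREPBINARY} "target=\"([a-zA-Z0-9\-])" ${F}` has no comment filter at all, so a commented-out omfwd example in a stock rsyslog.d snippet sets REMOTE_LOGGING_ENABLED=1. Suggest `${GREPBINARY} -v "^[[:blank:]]*#"` in all three places. Two smaller points: `[ -f ${TARGET} ]` and `[ -d ${TARGET} ]` should quote the variable like the rest of this change, and now that the result block sits outside `if [ -f ${SYSLOGD_CONF} ]` the `LogText "Result: test skipped, file ${SYSLOGD_CONF} not found"` is misleading, since the test is no longer skipped on hosts that only have rsyslog; reword it to say only the generic syslog.conf check was skipped.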
@ -461,17 +509,15 @@
Register --test-no LOGG-2180 --weight L --network NO --category security --description "Checking open log files"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: checking open log files with lsof"
if [ ! -z "${LSOFBINARY}" ]; then
FIND=$(${LSOFBINARY} -n 2>&1 | ${GREPBINARY} "log$" | ${EGREPBINARY} -v "WARNING|Output information" | ${AWKBINARY} '{ if ($5=="REG") { print $9 } }' | ${SORTBINARY} -u | ${GREPBINARY} -v "^$")
if [ -n "${LSOFBINARY}" ]; then
FIND=$(${LSOFBINARY}${LSOF_EXTRA_OPTIONS} -n 2>&1 | ${GREPBINARY} "log$" | ${EGREPBINARY} -v "WARNING|Output information" | ${AWKBINARY} '{ if ($5=="REG") { print $9 } }' | ${SORTBINARY} -u | ${GREPBINARY} -v "^$")
for I in ${FIND}; do
LogText "Found logfile: ${I}"
Report "open_logfile[]=${I}"
done
Display --indent 2 --text "- Checking open log files" --result "${STATUS_DONE}" --color GREEN
else
LogText "Result: lsof not installed, skipping test"
Display --indent 2 --text "- Checking open log files" --result "${STATUS_SKIPPED}" --color YELLOW
# Add suggestion
Display --indent 2 --text "- Checking open log files" --result "${STATUS_SKIPPED}" --color WHITE
fi
fi
#
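Review bot: `${LSOFBINARY}${LSOF_EXTRA_OPTIONS}` only works if LSOF_EXTRA_OPTIONS is empty or begins with a space; a value of `-w` would try to execute `lsof-w`. Write it as `${LSOFBINARY} ${LSOF_EXTRA_OPTIONS} -n` (word splitting drops the empty field when the variable is unset) and state the expected form in a comment where the variable is defined. The same construct is repeated in LOGG-2190 and LOGG-2192 below. Also, the `# Add suggestion` comment was removed but nothing replaced it: when lsof is missing the test is skipped silently, so either add a ReportSuggestion to install lsof or note in a comment that no suggestion is intended.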
@ -479,7 +525,7 @@
#
# Test : LOGG-2190
# Description : Checking deleted files
if [ ! -z "${LSOFBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
if [ -n "${LSOFBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no LOGG-2190 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking for deleted files in use"
if [ ${SKIPTEST} -eq 0 ]; then
EARLY_MYSQL=""
@ -488,12 +534,7 @@
LSOF_GREP="WARNING|Output information"
# MySQL versions prior to 5.6 leave lots of deleted in-use files in /tmp, ignoring those
if [ ! -z "${DPKGBINARY}" ]; then
EARLY_MYSQL=$(${DPKGBINARY} -l | ${EGREPBINARY} mysql-server-5.[0-5])
elif [ ! -z "${RPMBINARY}" ]; then
EARLY_MYSQL=$(${RPMBINARY} -qa mariadb | ${EGREPBINARY} mariadb-5.[0-5])
fi
if [ ! -z "${EARLY_MYSQL}" ]; then LSOF_GREP="${LSOF_GREP}|mysqld"; fi
LSOF_GREP="${LSOF_GREP}|mysqld"
# grsecurity causes Fail2Ban to hold onto deleted in-use files in /var/tmp
if [ ${GRSEC_FOUND} -eq 1 ]; then LSOF_GREP="${LSOF_GREP}|fail2ban"; fi
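Review bot: dropping the dpkg/rpm version gate and unconditionally adding `mysqld` to LSOF_GREP hides deleted-in-use files held by any MySQL or MariaDB version, not only the pre-5.6 releases the comment above describes. A deleted shared library still mapped by mysqld after a package upgrade is exactly what this test exists to surface, so the exclusion now removes real findings. Either keep a version check or update the comment to say the exclusion is unconditional and explain why.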
@ -502,15 +543,15 @@
LSOF_GREP="${LSOF_GREP}|anacron|awk|run-parts"
fi
FIND=$(${LSOFBINARY} -n +L 1 2>&1 | ${EGREPBINARY} -vw "${LSOF_GREP}" | ${EGREPBINARY} -v '/dev/zero|/\[aio\]' | ${AWKBINARY} '{ if ($5=="REG") { printf "%s(%s)\n", $10, $1 } }' | ${GREPBINARY} -v "^$" | ${SORTBINARY} -u)
if [ ! -z "${FIND}" ]; then
FIND=$(${LSOFBINARY}${LSOF_EXTRA_OPTIONS} -n +L 1 2>&1 | ${EGREPBINARY} -vw "${LSOF_GREP}" | ${EGREPBINARY} -v '/dev/zero|/\[aio\]' | ${AWKBINARY} '{ if ($5=="REG") { printf "%s(%s)\n", $10, $1 } }' | ${GREPBINARY} -v "^$" | ${SORTBINARY} -u)
if [ -n "${FIND}" ]; then
LogText "Result: found one or more files which are deleted, but still in use"
for I in ${FIND}; do
LogText "Found deleted file: ${I}"
Report "deleted_file[]=${I}"
done
Display --indent 2 --text "- Checking deleted files in use" --result "FILES FOUND" --color YELLOW
ReportSuggestion ${TEST_NO} "Check what deleted files are still in use and why."
ReportSuggestion "${TEST_NO}" "Check what deleted files are still in use and why."
else
LogText "Result: no deleted files found"
Display --indent 2 --text "- Checking deleted files in use" --result "${STATUS_DONE}" --color GREEN
@ -521,11 +562,11 @@
#
# Test : LOGG-2192
# Description : Check for open log files which are empty. This may indicate a problem with log rotation, or unused services
if [ ! "${LSOFBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
if [ -n "${LSOFBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no LOGG-2192 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking for open log files that are empty"
if [ ${SKIPTEST} -eq 0 ]; then
FIND=$(${LSOFBINARY} -n -w | ${AWKBINARY} '{if ($5=="REG" && $7=="0" && $9 ~ /log$/) {print $1","$9}}' | ${SORTBINARY} | uniq)
if [ ! -z "${FIND}" ]; then
FIND=$(${LSOFBINARY}${LSOF_EXTRA_OPTIONS} -n -w | ${AWKBINARY} '{if ($5=="REG" && $7=="0" && $9 ~ /log$/) {print $1","$9}}' | ${SORTBINARY} | uniq)
if [ -n "${FIND}" ]; then
for I in ${FIND}; do
LogText "Found an opened logfile that is empty: ${I}"
Report "open_empty_log_file[]=${I}"

View File

@ -6,7 +6,7 @@
# ------------------
#
# Copyright 2007-2013, Michael Boelen
# Copyright 2007-2019, CISOfy
# Copyright 2007-2020, CISOfy
#
# Website : https://cisofy.com
# Blog : http://linux-audit.com
@ -50,7 +50,7 @@
if [ ${APPARMORFOUND} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no MACF-6208 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check if AppArmor is enabled"
if [ ${SKIPTEST} -eq 0 ]; then
if [ ! -z "${AASTATUSBINARY}" ]; then
if [ -n "${AASTATUSBINARY}" ]; then
CAN_READ_FILE=0
FILE="/sys/kernel/security/apparmor/profiles"
if [ -f ${FILE} ]; then
@ -75,6 +75,12 @@
Report "apparmor_enabled=1"
Report "apparmor_policy_loaded=1"
AddHP 3 3
# ignore kernel threads (Parent PID = 2 [kthreadd])
NUNCONFINED=$(${PSBINARY} -N --ppid 2 -o label | ${GREPBINARY} '^unconfined' | ${WCBINARY} --lines)
Display --indent 8 --text "Found ${NUNCONFINED} unconfined processes"
for PROCESS in $(${PSBINARY} -N --ppid 2 -o label:1,pid,comm | ${GREPBINARY} '^unconfined' | ${TRBINARY} ' ' ':'); do
LogText "Result: Unconfined process: ${PROCESS}"
done
elif [ $? -eq 4 ]; then
LogText "Result: Can not determine status, most likely due to lacking permissions"
Display --indent 4 --text "- Checking AppArmor status" --result "${STATUS_UNKNOWN}" --color RED
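Review bot: `${WCBINARY} --lines` is a GNU long option; use `-l`, which also works with BusyBox and other wc implementations (the same long option appears in the SELinux and TOMOYO hunks below). `${PSBINARY} -N --ppid 2 -o label` excludes the children of kthreadd but not kthreadd itself (PID 2, parent PID 0), so NUNCONFINED is off by one when kthreadd is listed as unconfined; `${PSBINARY} -N -p 2 --ppid 2 -o label` should exclude both, since ps unions its selection options before `-N` negates them. The `-N`, `--ppid` and `label` keywords are procps-specific, which is acceptable here because AppArmor is Linux-only, but a comment saying so would save the next reader a check.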
@ -83,7 +89,7 @@
Display --indent 4 --text "- Checking AppArmor status" --result "${STATUS_UNKNOWN}" --color RED
elif [ $? -eq 2 ]; then
LogText "Result: AppArmor is enabled, but no policy is loaded"
ReportSuggestion ${TEST_NO} "Load AppArmor policies"
ReportSuggestion "${TEST_NO}" "Load AppArmor policies"
Display --indent 4 --text "- Checking AppArmor status" --result "NON-ACTIVE" --color GREEN
Report "apparmor_enabled=1"
Report "apparmor_policy_loaded=0"
@ -114,7 +120,7 @@
Register --test-no MACF-6232 --weight L --network NO --category security --description "Check SELINUX presence"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: checking if we have sestatus binary"
if [ ! -z "${SESTATUSBINARY}" ]; then
if [ -n "${SESTATUSBINARY}" ]; then
LogText "Result: found sestatus binary (${SESTATUSBINARY})"
Display --indent 2 --text "- Checking presence SELinux" --result "${STATUS_FOUND}" --color GREEN
else
@ -148,10 +154,21 @@
Display --indent 6 --text "- Checking current mode and config file" --result "${STATUS_OK}" --color GREEN
else
LogText "Result: Current SELinux mode (${FIND}) is NOT the same as in config file (${FIND2})."
ReportWarning ${TEST_NO} "Current SELinux mode is different from config file (current: ${FIND}, config file: ${FIND2})"
ReportWarning "${TEST_NO}" "Current SELinux mode is different from config file (current: ${FIND}, config file: ${FIND2})"
Display --indent 6 --text "- Checking current mode and config file" --result "${STATUS_WARNING}" --color RED
fi
Display --indent 8 --text "Current SELinux mode: ${FIND}"
PERMISSIVE=$(${SEMANAGEBINARY} permissive --list --noheading | ${TRBINARY} '\n' ' ')
NPERMISSIVE=$(${SEMANAGEBINARY} permissive --list --noheading | ${WCBINARY} --lines)
Display --indent 8 --text "Found ${NPERMISSIVE} permissive SELinux object types"
LogText "Permissive SELinux object types: ${PERMISSIVE}"
UNCONFINED=$(${PSBINARY} -eo label,pid,command | ${GREPBINARY} '[u]nconfined_t' | ${TRBINARY} '\n' ' ')
INITRC=$(${PSBINARY} -eo label,pid,command | ${GREPBINARY} '[i]nitrc_t' | ${TRBINARY} '\n' ' ')
NUNCONFINED=$(${PSBINARY} -eo label | ${GREPBINARY} '[u]nconfined_t' | ${WCBINARY} --lines)
NINITRC=$(${PSBINARY} -eo label | ${GREPBINARY} '[i]nitrc_t' | ${WCBINARY} --lines)
Display --indent 8 --text "Found ${NUNCONFINED} unconfined and ${NINITRC} initrc_t processes"
LogText "Unconfined processes: ${UNCONFINED}"
LogText "Processes with initrc_t type: ${INITRC}"
else
LogText "Result: SELinux framework is disabled"
Display --indent 4 --text "- Checking SELinux status" --result "${STATUS_DISABLED}" --color YELLOW
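Review bot: `${SEMANAGEBINARY}` is used without a presence check. semanage is often not installed on minimal SELinux hosts; when the variable is empty the line becomes `permissive --list --noheading`, which fails with "command not found" on stderr and silently reports 0 permissive types. Guard both calls with `if [ -n "${SEMANAGEBINARY}" ]; then ... fi` and log that the check was skipped otherwise. Also `${WCBINARY} --lines` should be `-l` for portability, and semanage (and ps) are invoked twice each where one call captured into a variable would do.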
@ -189,6 +206,13 @@
LogText "Result: TOMOYO Linux is enabled"
Display --indent 4 --text "- Checking TOMOYO Linux status" --result "${STATUS_ENABLED}" --color GREEN
Report "tomoyo_enabled=1"
if [ ! -z ${TOMOYOPSTREEBINARY} ]; then
NUNCONFINED=$(${TOMOYOPSTREEBINARY} | ${GREPBINARY} -v '^ 3 ' | ${WCBINARY} --lines)
Display --indent 8 --text "Found ${NUNCONFINED} unconfined (not profile 3) processes"
for PROCESS in $(${TOMOYOPSTREEBINARY} | ${GREPBINARY} -v '^ 3 ' | ${SEDBINARY} -e 's/+-//g' -e 's/^ *//g' -e 's/ \+/:/g' | ${SORTBINARY}); do
LogText "Result: Unconfined process: ${PROCESS}"
done
fi
AddHP 3 3
else
LogText "Result: TOMOYO Linux is disabled"
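Review bot: `[ ! -z ${TOMOYOPSTREEBINARY} ]` is unquoted; it happens to evaluate false when the variable is empty, but it breaks if the path contains whitespace and is inconsistent with the `-n "${VAR}"` form this commit adopts everywhere else. Use `if [ -n "${TOMOYOPSTREEBINARY}" ]; then`. The "not profile 3" heuristic assumes the default TOMOYO profile numbering (3 = enforcing); sites that define their own profiles will get misleading counts, so say so in the comment or in the Display text. `--lines` should be `-l` as noted for the AppArmor hunk.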
@ -206,7 +230,7 @@
Register --test-no RBAC-6272 --weight L --network NO --category security --description "Check grsecurity presence"
if [ ${SKIPTEST} -eq 0 ]; then
# Check Linux kernel configuration
if [ ! -z "${LINUXCONFIGFILE}" -a -f "${LINUXCONFIGFILE}" ]; then
if [ -n "${LINUXCONFIGFILE}" -a -f "${LINUXCONFIGFILE}" ]; then
FIND=$(${GREPBINARY} ^CONFIG_GRKERNSEC=y ${LINUXCONFIGFILE})
if [ ! "${FIND}" = "" ]; then
LogText "Result: grsecurity available (in kernel config)"
@ -222,7 +246,7 @@
Display --indent 2 --text "- Checking presence grsecurity" --result "${STATUS_NOT_FOUND}" --color WHITE
fi
if HasData "${GRADMBINARY}"; then
FIND=$(${GRADMBINARY} --status)
FIND=$(${GRADMBINARY} --status 2>/dev/null)
if [ "${FIND}" = "The RBAC system is currently enabled." ]; then
MAC_FRAMEWORK_ACTIVE=1
fi

View File

@ -6,7 +6,7 @@
# ------------------
#
# Copyright 2007-2013, Michael Boelen
# Copyright 2007-2019, CISOfy
# Copyright 2007-2020, CISOfy
#
# Website : https://cisofy.com
# Blog : http://linux-audit.com
@ -44,8 +44,7 @@
Register --test-no MAIL-8802 --weight L --network NO --category security --description "Check Exim status"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: check Exim status"
IsRunning exim4 || IsRunning exim
if [ ${RUNNING} -eq 1 ]; then
if IsRunning "exim4" || IsRunning "exim"; then
LogText "Result: found running Exim process"
Display --indent 2 --text "- Exim status" --result "${STATUS_RUNNING}" --color GREEN
EXIM_RUNNING=1
@ -62,11 +61,11 @@
# Test : MAIL-8804
# Description : Exim configuration options
if [ ${EXIM_RUNNING} -eq 1 -a ! "${EXIMBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no MAIL-8803 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Exim configuration options"
Register --test-no MAIL-8804 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Exim configuration options"
if [ ${SKIPTEST} -eq 0 -a ${EXIM_RUNNING} -eq 1 ]; then
LogText "Test: Exim configuration options"
EXIM_ROUTERS=$(exim -bP router_list)
EXIM_ROUTERS=$(${EXIMBINARY} -bP router_list)
unset FIND FIND2 FIND3 FIND4
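Review bot: the prerequisite line `if [ ${EXIM_RUNNING} -eq 1 -a ! "${EXIMBINARY}" = "" ]` still uses the old `! ... = ""` form that this change replaces everywhere else; `-n "${EXIMBINARY}"` keeps it consistent, and the `-a ${EXIM_RUNNING} -eq 1` in the `if [ ${SKIPTEST} -eq 0 ...` line is redundant with that prerequisite. The renumbering from MAIL-8803 to MAIL-8804 is correct: the registered id now matches the `# Test : MAIL-8804` header, so the test can be skipped by its documented id.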
@ -77,31 +76,31 @@
# Smarthost or Satellite
FIND3=$(echo "${EXIM_ROUTERS}" | ${EGREPBINARY} '^smarthost')
if [ ! -z "${FIND}" ]; then
if [ -n "${FIND}" ]; then
EXIM_TYPE="LOCAL ONLY"
elif [ ! -z "${FIND2}" ]; then
elif [ -n "${FIND2}" ]; then
EXIM_TYPE="INTERNET HOST"
elif [ ! -z "${FIND3}" ]; then
elif [ -n "${FIND3}" ]; then
FIND4=$(echo "${EXIM_ROUTERS}" | ${EGREPBINARY} '^hub_user_smarthost')
if [ ! -z "${FIND4}" ]; then
if [ -n "${FIND4}" ]; then
EXIM_TYPE="SATELLITE"
else
EXIM_TYPE="SMARTHOST"
fi
fi
if [ ! -z "${EXIM_TYPE}" ]; then
if [ -n "${EXIM_TYPE}" ]; then
LogText "Result: Exim Type - ${EXIM_TYPE}"
Display --indent 4 --text "- Type" --result "${EXIM_TYPE}" --color GREEN
else
LogText "Result: Exim Type - Not Configured"
Display --indent 4 --text "- Type" --result "Not Configured" --color WHITE
Display --indent 4 --text "- Type" --result "${STATUS_NOT_CONFIGURED}" --color WHITE
fi
if [ "${EXIM_TYPE}" = "INTERNET HOST" -o "${EXIM_TYPE}" = "SMARTHOST" ]; then
LogText "Test: Exim Public Interfaces"
EXIM_IP=$(exim -bP local_interfaces | cut -d '=' -f2 | sed -e 's/\s*<\s*\;\?//' -e 's/\s*::0\s*\;\?//' -e 's/\s*127.0.0.1\s*\;\?//' -e 's/^\s*//' -e 's/\s*$//')
if [ ! -z "${EXIM_IP}" ]; then
EXIM_IP=$(${EXIMBINARY} -bP local_interfaces | ${CUTBINARY} -d '=' -f2 | ${SEDBINARY} -e 's/\s*<\s*\;\?//' -e 's/\s*::0\s*\;\?//' -e 's/\s*127.0.0.1\s*\;\?//' -e 's/^\s*//' -e 's/\s*$//')
if [ -n "${EXIM_IP}" ]; then
LogText "Result: ${EXIM_IP}"
Display --indent 4 --text "- Public Interface(s)" --result "${EXIM_IP}" --color GREEN
else
@ -110,56 +109,129 @@
fi
LogText "Test: Exim TLS State"
EXIM_TLS=$(exim -bP tls_advertise_hosts | cut -d '=' -f2 | sed -e 's/^\s*//' -e 's/\s*$//')
if [ ! -z "${EXIM_TLS}" ]; then
EXIM_TLS=$(${EXIMBINARY} -bP tls_advertise_hosts | ${CUTBINARY} -d '=' -f2 | ${SEDBINARY} -e 's/^\s*//' -e 's/\s*$//')
if [ -n "${EXIM_TLS}" ]; then
LogText "Result: Enabled"
Display --indent 4 --text "- TLS" --result "ENABLED" --color GREEN
Display --indent 4 --text "- TLS" --result "${STATUS_ENABLED}" --color GREEN
else
LogText "Result: Not enabled"
Display --indent 4 --text "- TLS" --result "NOT ENABLED" --color WHITE
Display --indent 4 --text "- TLS" --result "${STATUS_DISABLED}" --color WHITE
fi
fi
if [ ! -z "${EXIM_TYPE}" -a "${EXIM_TYPE}" != "LOCAL ONLY" ]; then
if [ -n "${EXIM_TYPE}" -a "${EXIM_TYPE}" != "LOCAL ONLY" ]; then
LogText "Test: Exim Certificate and Private Key"
case "${EXIM_TYPE}" in
"INTERNET HOST" | "SMARTHOST" )
EXIM_CERTIFICATE=$(exim -bP tls_certificate | cut -d '=' -f2 | sed -e 's/^\s*//' -e 's/\s*$//')
EXIM_PRIVATEKEY=$(exim -bP tls_privatekey | cut -d '=' -f2 | sed -e 's/^\s*//' -e 's/\s*$//')
EXIM_CERTIFICATE=$(${EXIMBINARY} -bP tls_certificate | ${CUTBINARY} -d '=' -f2 | ${SEDBINARY} -e 's/^\s*//' -e 's/\s*$//')
EXIM_PRIVATEKEY=$(${EXIMBINARY} -bP tls_privatekey | ${CUTBINARY} -d '=' -f2 | ${SEDBINARY} -e 's/^\s*//' -e 's/\s*$//')
;;
"SATELLITE" )
EXIM_CERTIFICATE=$(exim -bP transport remote_smtp_smarthost | grep tls_certificate | cut -d '=' -f2 | sed -e 's/^\s*//' -e 's/\s*$//')
EXIM_PRIVATEKEY=$(exim -bP transport remote_smtp_smarthost | grep tls_privatekey | cut -d '=' -f2 | sed -e 's/^\s*//' -e 's/\s*$//')
EXIM_CERTIFICATE=$(${EXIMBINARY} -bP transport remote_smtp_smarthost | ${GREPBINARY} tls_certificate | ${CUTBINARY} -d '=' -f2 | ${SEDBINARY} -e 's/^\s*//' -e 's/\s*$//')
EXIM_PRIVATEKEY=$(${EXIMBINARY} -bP transport remote_smtp_smarthost | ${GREPBINARY} tls_privatekey | ${CUTBINARY} -d '=' -f2 | ${SEDBINARY} -e 's/^\s*//' -e 's/\s*$//')
;;
esac
if [ ! -z "${EXIM_CERTIFICATE}" ]; then
if [ -n "${EXIM_CERTIFICATE}" ]; then
LogText "Result: ${EXIM_CERTIFICATE}"
if [ -f "${EXIM_CERTIFICATE}" ]; then
Display --indent 4 --text "- Certificate" --result "${STATUS_FOUND}" --color GREEN
LogText "Result: Certificate found."
LogText "Result: Certificate found"
else
Display --indent 4 --text "- Certificate" --result "${STATUS_NOT_FOUND}" --color YELLOW
LogText "Result: Certificate not found."
LogText "Result: Certificate not found"
fi
else
LogText "Result: Certificate not set."
Display --indent 4 --text "- Certificate not set" --result "${STATUS_WARNING}" --color WHITE
LogText "Result: Certificate not set"
Display --indent 4 --text "- Certificate" --result "${STATUS_NOT_CONFIGURED}" --color WHITE
fi
if [ ! -z "${EXIM_PRIVATEKEY}" ]; then
if [ -n "${EXIM_PRIVATEKEY}" ]; then
LogText "Result: ${EXIM_PRIVATEKEY}"
if [ -f "${EXIM_PRIVATEKEY}" ]; then
LogText "Result: Private Key found."
LogText "Result: Private Key found"
Display --indent 4 --text "- Private Key" --result "${STATUS_FOUND}" --color GREEN
else
Display --indent 4 --text "- Private Key" --result "${STATUS_NOT_FOUND}" --color YELLOW
LogText "Result: Private Key not found."
LogText "Result: Private Key not found"
fi
else
LogText "Result: Private Key not set."
Display --indent 4 --text "- Private Key not set" --result "${STATUS_WARNING}" --color WHITE
LogText "Result: Private Key not set"
Display --indent 4 --text "- Private Key" --result "${STATUS_NOT_CONFIGURED}" --color WHITE
fi
LogText "Test: Exim Verify Certificates"
case "${EXIM_TYPE}" in
"INTERNET HOST" | "SMARTHOST" )
EXIM_CERTIFICATES=$(${EXIMBINARY} -bP tls_verify_certificate | ${CUTBINARY} -d '=' -f2 | ${SEDBINARY} -e 's/^\s*//' -e 's/\s*$//')
;;
"SATELLITE" )
EXIM_CERTIFICATES=$(${EXIMBINARY} -bP transport remote_smtp_smarthost | ${GREPBINARY} tls_verify_certificate | ${CUTBINARY} -d '=' -f2 | ${SEDBINARY} -e 's/^\s*//' -e 's/\s*$//')
;;
esac
case "${EXIM_CERTIFICATES}" in
"")
# This condition results in a RED warning because it should never be hit
LogText "Result: Verify Certificates not set"
Display --indent 4 --text "- Verify Certificates not set" --result "${STATUS_WARNING}" --color RED
;;
"system")
# This is the default setting and should be the most common
LogText "Result: Verify Certificates set to system default"
Display --indent 4 --text "- Verify Certificates" --result "DEFAULT" --color WHITE
;;
*)
# This condition should only be hit when it has been set to a custom value
LogText "Result: Verify Certificates set to \"${EXIM_CERTIFICATES}\""
Display --indent 4 --text "- Verify Certificates" --result "CUSTOM" --color GREEN
;;
esac
case "${EXIM_TYPE}" in
"INTERNET HOST" | "SMARTHOST" )
EXIM_VERIFY_HOSTS=$(${EXIMBINARY} -bP tls_verify_hosts | ${CUTBINARY} -d '=' -f2 | ${SEDBINARY} -e 's/^\s*//' -e 's/\s*$//')
EXIM_TRY_VERIFY_HOSTS=$(${EXIMBINARY} -bP tls_try_verify_hosts | ${CUTBINARY} -d '=' -f2 | ${SEDBINARY} -e 's/^\s*//' -e 's/\s*$//')
;;
"SATELLITE" )
EXIM_VERIFY_HOSTS=$(${EXIMBINARY} -bP transport remote_smtp_smarthost | ${GREPBINARY} tls_verify_hosts | ${CUTBINARY} -d '=' -f2 | ${SEDBINARY} -e 's/^\s*//' -e 's/\s*$//')
EXIM_TRY_VERIFY_HOSTS=$(${EXIMBINARY} -bP transport remote_smtp_smarthost | ${GREPBINARY} tls_try_verify_hosts | ${CUTBINARY} -d '=' -f2 | ${SEDBINARY} -e 's/^\s*//' -e 's/\s*$//')
;;
esac
LogText "Test: Exim Try Verify Hosts"
if [ -n "${EXIM_TRY_VERIFY_HOSTS}" ]; then
LogText "Result: Try Verify Hosts enabled"
case "${EXIM_TYPE}" in
"INTERNET HOST" )
Display --indent 4 --text "- Try Verify Hosts" --result "${STATUS_ENABLED}" --color GREEN
;;
"SATELLITE" | "SMARTHOST" )
Display --indent 4 --text "- Try Verify Hosts" --result "${STATUS_ENABLED}" --color YELLOW
;;
esac
else
LogText "Result: Try Verify Hosts not enabled"
Display --indent 4 --text "- Try Verify Hosts" --result "${STATUS_DISABLED}" --color WHITE
fi
LogText "Test: Exim Verify Hosts"
if [ -n "${EXIM_VERIFY_HOSTS}" ]; then
LogText "Result: Verify Hosts enabled"
case "${EXIM_TYPE}" in
"INTERNET HOST" )
Display --indent 4 --text "- Verify Hosts" --result "${STATUS_ENABLED}" --color YELLOW
;;
"SATELLITE" | "SMARTHOST" )
Display --indent 4 --text "- Verify Hosts" --result "${STATUS_ENABLED}" --color GREEN
;;
esac
else
LogText "Result: Verify Hosts not enabled"
Display --indent 4 --text "- Verify Hosts" --result "${STATUS_DISABLED}" --color WHITE
fi
fi
fi
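Review bot: `${EXIMBINARY} -bP tls_verify_certificate` queries an option name Exim does not have; the main-configuration option is `tls_verify_certificates` (plural). `exim -bP` prints an error for an unknown option and no value, so on every INTERNET HOST and SMARTHOST system EXIM_CERTIFICATES stays empty and the `"")` branch fires, the very RED warning whose comment says it "should never be hit". The SATELLITE branch works only because `${GREPBINARY} tls_verify_certificate` matches the plural as a substring. Fix the main-config query to `tls_verify_certificates` and tighten the transport grep to `'^tls_verify_certificates'`. Separately, the colour logic (Try Verify Hosts GREEN for INTERNET HOST but YELLOW for SMARTHOST/SATELLITE, and the reverse for Verify Hosts) encodes a rationale that is not written down, presumably that a smarthost client should enforce verification of its relay while an internet-facing host can only try; a one-line comment stating that would help future readers.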
@ -175,7 +247,7 @@
LogText "Test: check Postfix status"
# Some other processes also use master, therefore it should include both master and postfix
FIND1=$(${PSBINARY} ax | ${GREPBINARY} "master" | ${GREPBINARY} "postfix" | ${GREPBINARY} -v "grep")
if [ ! -z "${FIND1}" ]; then
if [ -n "${FIND1}" ]; then
LogText "Result: found running Postfix process"
Display --indent 2 --text "- Postfix status" --result "${STATUS_RUNNING}" --color GREEN
POSTFIX_RUNNING=1
@ -210,11 +282,11 @@
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: using postconf to see if Postfix configuration has errors"
FIND=$(${POSTCONFBINARY} 2>&1 | ${GREPBINARY} "warning:")
if [ ! -z "${FIND}" ]; then
if [ -n "${FIND}" ]; then
Report "postfix_config_error=1"
Display --indent 6 --text "- Postfix configuration errors" --result "${STATUS_WARNING}" --color RED
LogText "Result: found an error or warning in the Postfix configuration. Manual check suggested."
ReportSuggestion ${TEST_NO} "Found a configuration error in Postfix" "${POSTFIX_CONFIGFILE}" "text:run postconf > /dev/null"
ReportSuggestion "${TEST_NO}" "Found a configuration error in Postfix" "${POSTFIX_CONFIGFILE}" "text:run postconf > /dev/null"
else
LogText "Result: all looks to be fine with Postfix configuration"
if IsVerbose; then Display --indent 6 --text "- Postfix configuration errors" --result "${STATUS_OK}" --color GREEN; fi
@ -233,21 +305,21 @@
FIND2=$(${POSTCONFBINARY} 2> /dev/null | ${GREPBINARY} '^smtpd_banner' | ${GREPBINARY} '$mail_name')
FIND3=$(${POSTCONFBINARY} 2> /dev/null | ${GREPBINARY} '^mail_name' | ${GREPBINARY} -i 'postfix')
FIND4=$(${POSTCONFBINARY} 2> /dev/null | ${GREPBINARY} '^smtpd_banner' | ${GREPBINARY} -i "${OS}")
if [ ! -z "${LINUX_VERSION}" ]; then
if [ -n "${LINUX_VERSION}" ]; then
FIND5=$(${POSTCONFBINARY} 2> /dev/null | ${GREPBINARY} '^smtpd_banner' | ${GREPBINARY} -i "${LINUX_VERSION}")
fi
SHOWWARNING=0
if [ ! -z "${FIND1}" ]; then
if [ -n "${FIND1}" ]; then
SHOWWARNING=1
Report "banner_software_disclosure[]=${FIND1}"
elif [ ! -z "${FIND2}" -a ! -z "${FIND3}" ]; then
elif [ -n "${FIND2}" -a -n "${FIND3}" ]; then
SHOWWARNING=1
Report "banner_software_disclosure[]=${FIND2}"
elif [ ! -z "${FIND4}" ]; then
elif [ -n "${FIND4}" ]; then
SHOWWARNING=1
Report "banner_os_disclosure[]=${FIND4}"
elif [ ! -z "${FIND5}" ]; then
elif [ -n "${FIND5}" ]; then
SHOWWARNING=1
Report "banner_os_disclosure[]=${FIND5}"
fi
@ -255,8 +327,8 @@
if [ ${SHOWWARNING} -eq 1 ]; then
Display --indent 6 --text "- Postfix banner" --result "${STATUS_WARNING}" --color RED
LogText "Result: found OS, or mail_name in SMTP banner, and/or mail_name contains 'Postfix'."
ReportWarning ${TEST_NO} "Found some information disclosure in SMTP banner (OS or software name)"
ReportSuggestion ${TEST_NO} "You are advised to hide the mail_name (option: smtpd_banner) from your postfix configuration. Use postconf -e or change your main.cf file (${POSTFIX_CONFIGFILE})"
ReportWarning "${TEST_NO}" "Found some information disclosure in SMTP banner (OS or software name)"
ReportSuggestion "${TEST_NO}" "You are advised to hide the mail_name (option: smtpd_banner) from your postfix configuration. Use postconf -e or change your main.cf file (${POSTFIX_CONFIGFILE})"
else
if IsVerbose; then Display --indent 6 --text "- Postfix banner" --result "${STATUS_OK}" --color GREEN; fi
fi
@ -283,8 +355,7 @@
Register --test-no MAIL-8838 --weight L --network NO --category security --description "Check dovecot process"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: check dovecot status"
IsRunning dovecot
if [ ${RUNNING} -eq 1 ]; then
if IsRunning "dovecot"; then
LogText "Result: found running dovecot process"
Display --indent 2 --text "- Dovecot status" --result "${STATUS_RUNNING}" --color GREEN
DOVECOT_RUNNING=1
@ -305,8 +376,7 @@
Register --test-no MAIL-8860 --weight L --network NO --category security --description "Check Qmail status"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: check Qmail status"
IsRunning qmail-smtpd
if [ ${RUNNING} -eq 1 ]; then
if IsRunning "qmail-smtpd"; then
LogText "Result: found running Qmail process"
Display --indent 2 --text "- Qmail status" --result "${STATUS_RUNNING}" --color GREEN
QMAIL_RUNNING=1
@ -325,8 +395,7 @@
Register --test-no MAIL-8880 --weight L --network NO --category security --description "Check Sendmail status"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: check sendmail status"
IsRunning sendmail
if [ ${RUNNING} -eq 1 ]; then
if IsRunning "sendmail"; then
LogText "Result: found running Sendmail process"
Display --indent 2 --text "- Sendmail status" --result "${STATUS_RUNNING}" --color GREEN
SENDMAIL_RUNNING=1
@ -342,7 +411,7 @@
#
# Test : MAIL-8920
# Description : Check OpenSMTPD process status
if [ ! -z "${SMTPCTLBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
if [ -n "${SMTPCTLBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no MAIL-8920 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check OpenSMTPD status"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: check smtpd status"

View File

@ -6,7 +6,7 @@
# ------------------
#
# Copyright 2007-2013, Michael Boelen
# Copyright 2007-2019, CISOfy
# Copyright 2007-2020, CISOfy
#
# Website : https://cisofy.com
# Blog : http://linux-audit.com
@ -31,8 +31,10 @@
BITDEFENDER_DAEMON_RUNNING=0
CLAMD_RUNNING=0
CLAMSCAN_INSTALLED=0
CROWDSTRIKE_FALCON_SENSOR_RUNNING=0
ESET_DAEMON_RUNNING=0
FRESHCLAM_DAEMON_RUNNING=0
KASPERSKY_SCANNER_RUNNING=0
MCAFEE_SCANNER_RUNNING=0
MALWARE_SCANNER_INSTALLED=0
SOPHOS_SCANNER_RUNNING=0
@ -45,7 +47,7 @@
Register --test-no MALW-3275 --weight L --network NO --category security --description "Check for chkrootkit"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: checking presence chkrootkit"
if [ ! -z "${CHKROOTKITBINARY}" ]; then
if [ -n "${CHKROOTKITBINARY}" ]; then
Display --indent 2 --text "- ${GEN_CHECKING} chkrootkit" --result "${STATUS_FOUND}" --color GREEN
LogText "Result: Found ${CHKROOTKITBINARY}"
MALWARE_SCANNER_INSTALLED=1
@ -63,7 +65,7 @@
Register --test-no MALW-3276 --weight L --network NO --category security --description "Check for Rootkit Hunter"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: checking presence Rootkit Hunter"
if [ ! -z "${RKHUNTERBINARY}" ]; then
if [ -n "${RKHUNTERBINARY}" ]; then
Display --indent 2 --text "- ${GEN_CHECKING} Rootkit Hunter" --result "${STATUS_FOUND}" --color GREEN
LogText "Result: Found ${RKHUNTERBINARY}"
MALWARE_SCANNER_INSTALLED=1
@ -100,34 +102,9 @@
if [ ${SKIPTEST} -eq 0 ]; then
FOUND=0
# ESET security products
LogText "Test: checking process esets_daemon"
IsRunning esets_daemon
if [ ${RUNNING} -eq 1 ]; then
FOUND=1
ESET_DAEMON_RUNNING=1
MALWARE_SCANNER_INSTALLED=1
if IsVerbose; then Display --indent 2 --text "- ${GEN_CHECKING} ESET daemon" --result "${STATUS_FOUND}" --color GREEN; fi
LogText "Result: found ESET security product"
Report "malware_scanner[]=eset"
fi
# Bitdefender (macOS)
LogText "Test: checking process epagd"
IsRunning epagd
if [ ${RUNNING} -eq 1 ]; then
FOUND=1
BITDEFENDER_DAEMON_RUNNING=1
MALWARE_SCANNER_INSTALLED=1
if IsVerbose; then Display --indent 2 --text "- ${GEN_CHECKING} Bitdefender agent" --result "${STATUS_FOUND}" --color GREEN; fi
LogText "Result: found Bitdefender security product"
Report "malware_scanner[]=bitdefender"
fi
# Avast (macOS)
LogText "Test: checking process com.avast.daemon"
IsRunning com.avast.daemon
if [ ${RUNNING} -eq 1 ]; then
if IsRunning "com.avast.daemon"; then
FOUND=1
AVAST_DAEMON_RUNNING=1
MALWARE_SCANNER_INSTALLED=1
@ -138,8 +115,7 @@
# Avira
LogText "Test: checking process Avira daemon"
IsRunning avqmd
if [ ${RUNNING} -eq 1 ]; then
if IsRunning "avqmd"; then
FOUND=1
AVIRA_DAEMON_RUNNING=1
MALWARE_SCANNER_INSTALLED=1
@ -148,10 +124,31 @@
Report "malware_scanner[]=avira"
fi
# Bitdefender (macOS)
LogText "Test: checking process epagd"
if IsRunning "bdagentd" || IsRunning "epagd"; then
FOUND=1
BITDEFENDER_DAEMON_RUNNING=1
MALWARE_SCANNER_INSTALLED=1
if IsVerbose; then Display --indent 2 --text "- ${GEN_CHECKING} Bitdefender agent" --result "${STATUS_FOUND}" --color GREEN; fi
LogText "Result: found Bitdefender security product"
Report "malware_scanner[]=bitdefender"
fi
# CrowdStrike falcon-sensor
LogText "Test: checking process falcon-sensor (CrowdStrike)"
if IsRunning "falcon-sensor"; then
FOUND=1
if IsVerbose; then Display --indent 2 --text "- ${GEN_CHECKING} falcon-sensor" --result "${STATUS_FOUND}" --color GREEN; fi
LogText "Result: found falcon-sensor service"
CROWDSTRIKE_FALCON_SENSOR_RUNNING=1
MALWARE_SCANNER_INSTALLED=1
Report "malware_scanner[]=falcon-sensor"
fi
# Cylance (macOS)
LogText "Test: checking process CylanceSvc"
IsRunning CylanceSvc
if [ ${RUNNING} -eq 1 ]; then
if IsRunning "CylanceSvc"; then
FOUND=1
if IsVerbose; then Display --indent 2 --text "- ${GEN_CHECKING} CylancePROTECT" --result "${STATUS_FOUND}" --color GREEN; fi
LogText "Result: found CylancePROTECT service"
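Review bot: the log line `LogText "Test: checking process epagd"` no longer describes the check, which now matches `bdagentd` as well (`if IsRunning "bdagentd" || IsRunning "epagd"`); update it to name both processes, as the Kaspersky and McAfee blocks do. In the CrowdStrike block the comment and LogText call `falcon-sensor` a service; please confirm that this is also the process name as seen by IsRunning rather than only the systemd unit name, otherwise a running sensor is never detected.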
@ -160,15 +157,40 @@
Report "malware_scanner[]=cylance-protect"
fi
# ESET security products
LogText "Test: checking process esets_daemon"
if IsRunning "esets_daemon"; then
FOUND=1
ESET_DAEMON_RUNNING=1
MALWARE_SCANNER_INSTALLED=1
if IsVerbose; then Display --indent 2 --text "- ${GEN_CHECKING} ESET daemon" --result "${STATUS_FOUND}" --color GREEN; fi
LogText "Result: found ESET security product"
Report "malware_scanner[]=eset"
fi
# Kaspersky products
LogText "Test: checking process wdserver or klnagent (Kaspersky)"
# wdserver is too generic to match on, so we want to ensure that it is related to Kaspersky first
if [ -x /opt/kaspersky/kesl/libexec/kesl_launcher.sh ]; then
if IsRunning "wdserver"; then KASPERSKY_SCANNER_RUNNING=1; fi
else
if IsRunning "klnagent"; then KASPERSKY_SCANNER_RUNNING=1; fi
fi
if [ ${KASPERSKY_SCANNER_RUNNING} -eq 1 ]; then
FOUND=1
if IsVerbose; then Display --indent 2 --text "- ${GEN_CHECKING} Kaspersky" --result "${STATUS_FOUND}" --color GREEN; fi
LogText "Result: Found Kaspersky"
MALWARE_SCANNER_INSTALLED=1
Report "malware_scanner[]=kaspersky"
fi
# McAfee products
LogText "Test: checking process cma or cmdagent (McAfee)"
# cma is too generic to match on, so we want to ensure that it is related to McAfee first
if [ -x /opt/McAfee/cma/bin/cma ]; then
IsRunning cma
if [ ${RUNNING} -eq 1 ]; then MCAFEE_SCANNER_RUNNING=1; fi
if IsRunning "cma"; then MCAFEE_SCANNER_RUNNING=1; fi
else
IsRunning cmdagent
if [ ${RUNNING} -eq 1 ]; then MCAFEE_SCANNER_RUNNING=1; fi
if IsRunning "cmdagent"; then MCAFEE_SCANNER_RUNNING=1; fi
fi
if [ ${MCAFEE_SCANNER_RUNNING} -eq 1 ]; then
FOUND=1
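Review bot: the Kaspersky block ends with `if [ ${KASPERSKY_SCANNER_RUNNING} -eq 1 ]; then`, but nothing in this hunk sets the variable to 0 first; when neither wdserver nor klnagent is running the expansion is empty and the test becomes `[ -eq 1 ]`, a syntax error. Unless the variable is initialised at the top of the file alongside MCAFEE_SCANNER_RUNNING (not visible here), add `KASPERSKY_SCANNER_RUNNING=0` before the `if [ -x /opt/kaspersky/kesl/libexec/kesl_launcher.sh ]` check, or use a defaulted expansion such as `[ "${KASPERSKY_SCANNER_RUNNING:-0}" -eq 1 ]`.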
@ -180,14 +202,12 @@
# Sophos savscand/SophosScanD
LogText "Test: checking process savscand"
IsRunning savscand
if [ ${RUNNING} -eq 1 ]; then
if IsRunning "savscand"; then
FOUND=1
SOPHOS_SCANNER_RUNNING=1
fi
LogText "Test: checking process SophosScanD"
IsRunning SophosScanD
if [ ${RUNNING} -eq 1 ]; then
if IsRunning "SophosScanD"; then
FOUND=1
SOPHOS_SCANNER_RUNNING=1
fi
@ -200,18 +220,15 @@
# Symantec rtvscand/smcd/symcfgd
LogText "Test: checking process rtvscand"
IsRunning rtvscand
if [ ${RUNNING} -eq 1 ]; then
if IsRunning "rtvscand"; then
SYMANTEC_SCANNER_RUNNING=1
fi
LogText "Test: checking process Symantec management client service"
IsRunning smcd
if [ ${RUNNING} -eq 1 ]; then
if IsRunning "smcd"; then
SYMANTEC_SCANNER_RUNNING=1
fi
LogText "Test: checking process Symantec Endpoint Protection configuration service"
IsRunning symcfgd
if [ ${RUNNING} -eq 1 ]; then
if IsRunning "symcfgd"; then
SYMANTEC_SCANNER_RUNNING=1
fi
if [ ${SYMANTEC_SCANNER_RUNNING} -eq 1 ]; then
@ -224,8 +241,7 @@
# TrendMicro (macOS)
LogText "Test: checking process TmccMac to test for Trend Micro anti-virus (macOS)"
IsRunning TmccMac
if [ ${RUNNING} -eq 1 ]; then
if IsRunning "TmccMac"; then
if IsVerbose; then Display --indent 2 --text "- ${GEN_CHECKING} Trend Micro anti-virus" --result "${STATUS_FOUND}" --color GREEN; fi
LogText "Result: found Trend Micro component"
FOUND=1
@ -267,8 +283,7 @@
Register --test-no MALW-3284 --weight L --network NO --category security --description "Check for clamd"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: checking running ClamAV daemon (clamd)"
IsRunning clamd
if [ ${RUNNING} -eq 1 ]; then
if IsRunning "clamd"; then
Display --indent 2 --text "- ${GEN_CHECKING} ClamAV daemon" --result "${STATUS_FOUND}" --color GREEN
LogText "Result: found running clamd process"
MALWARE_SCANNER_INSTALLED=1
@ -286,8 +301,7 @@
Register --test-no MALW-3286 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for freshclam"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: checking running freshclam daemon"
IsRunning freshclam
if [ ${RUNNING} -eq 1 ]; then
if IsRunning "freshclam"; then
FRESHCLAM_DAEMON_RUNNING=1
Display --indent 4 --text "- ${GEN_CHECKING} freshclam" --result "${STATUS_FOUND}" --color GREEN
LogText "Result: found running freshclam process"
@ -295,7 +309,7 @@
else
Display --indent 4 --text "- ${GEN_CHECKING} freshclam" --result "${STATUS_SUGGESTION}" --color YELLOW
LogText "Result: freshclam is not running"
ReportSuggestion ${TEST_NO} "Confirm that freshclam is properly configured and keeps updating the ClamAV database"
ReportSuggestion "${TEST_NO}" "Confirm that freshclam is properly configured and keeps updating the ClamAV database"
fi
fi
#
@ -307,7 +321,7 @@
Register --test-no MALW-3288 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for ClamXav"
if [ ${SKIPTEST} -eq 0 ]; then
CLAMSCANBINARY=$(${LSBINARY} /Applications/ClamXav.app/Contents/Resources/ScanningEngine/bin/ 2> /dev/null | ${GREPBINARY} 'clamscan')
if [ ! -z "${CLAMSCANBINARY}" ]; then
if [ -n "${CLAMSCANBINARY}" ]; then
LogText "Result: Found ClamXav clamscan installed"
Display --indent 2 --text "- ${GEN_CHECKING} ClamXav AV scanner" --result "${STATUS_FOUND}" --color GREEN
MALWARE_SCANNER_INSTALLED=1

View File

@ -6,7 +6,7 @@
# ------------------
#
# Copyright 2007-2013, Michael Boelen
# Copyright 2007-2019, CISOfy
# Copyright 2007-2020, CISOfy
#
# Website : https://cisofy.com
# Blog : http://linux-audit.com
@ -30,17 +30,17 @@
# Description : Query /proc/meminfo
Register --test-no PROC-3602 --os Linux --weight L --network NO --category security --description "Checking /proc/meminfo for memory details"
if [ ${SKIPTEST} -eq 0 ]; then
if [ -f /proc/meminfo ]; then
LogText "Result: found /proc/meminfo"
Display --indent 2 --text "- Checking /proc/meminfo" --result "${STATUS_FOUND}" --color GREEN
FIND=$(${AWKBINARY} '/^MemTotal/ { print $2, $3 }' /proc/meminfo)
if [ -f ${ROOTDIR}proc/meminfo ]; then
LogText "Result: found ${ROOTDIR}proc/meminfo"
Display --indent 2 --text "- Checking ${ROOTDIR}proc/meminfo" --result "${STATUS_FOUND}" --color GREEN
FIND=$(${AWKBINARY} '/^MemTotal/ { print $2, $3 }' ${ROOTDIR}proc/meminfo)
MEMORY_SIZE=$(echo ${FIND} | ${AWKBINARY} '{ print $1 }')
MEMORY_UNITS=$(echo ${FIND} | ${AWKBINARY} '{ print $2 }')
LogText "Result: Found ${MEMORY_SIZE} ${MEMORY_UNITS} memory"
Report "memory_size=${MEMORY_SIZE}"
Report "memory_units=${MEMORY_UNITS}"
else
LogText "Result: /proc/meminfo file not found on this system"
LogText "Result: ${ROOTDIR}proc/meminfo file not found on this system"
fi
fi
#
@ -80,12 +80,12 @@
fi
if [ -z "${FIND}" ]; then
LogText "Result: no zombie processes found"
Display --indent 2 --text "- Searching for dead/zombie processes" --result "${STATUS_OK}" --color GREEN
Display --indent 2 --text "- Searching for dead/zombie processes" --result "${STATUS_NOT_FOUND}" --color GREEN
else
LogText "Result: found one or more dead or zombie processes"
LogText "Output: PIDs ${FIND}"
Display --indent 2 --text "- Searching for dead/zombie processes" --result "${STATUS_FOUND}" --color RED
ReportSuggestion ${TEST_NO} "Check the output of ps for dead or zombie processes"
ReportSuggestion "${TEST_NO}" "Check the output of ps for dead or zombie processes"
fi
fi
#
@ -104,19 +104,40 @@
fi
if [ -z "${FIND}" ]; then
LogText "Result: No processes were waiting for IO requests to be handled first"
Display --indent 2 --text "- Searching for IO waiting processes" --result "${STATUS_OK}" --color GREEN
Display --indent 2 --text "- Searching for IO waiting processes" --result "${STATUS_NOT_FOUND}" --color GREEN
else
LogText "Result: found one or more processes which were waiting to get IO requests handled first"
LogText "More info: processes which show up with the status flag 'D' are often stuck, until a disk IO event finished. This can happen for example with network storage, where the connection or protocol settings are not logtext well configured."
LogText "Output: PIDs ${FIND}"
Display --indent 2 --text "- Searching for IO waiting processes" --result "${STATUS_FOUND}" --color RED
ReportSuggestion ${TEST_NO} "Check process listing for processes waiting for IO requests"
ReportSuggestion "${TEST_NO}" "Check process listing for processes waiting for IO requests"
fi
fi
#
#################################################################################
#
# Test : PROC-3802
# Description : Check presence of prelink tooling
Register --test-no PROC-3802 --package-manager-required --os Linux --weight L --network NO --category security --description "Check presence of prelink tooling"
if [ ${SKIPTEST} -eq 0 ]; then
if PackageIsInstalled "prelink"; then
LogText "Result: prelink packages is installed"
# TODO
# - Add item to website with rationale
#ReportSuggestion "${TEST_NO}" "Disable and remove prelinking of binaries"
AddHP 1 3
Display --indent 2 --text "- Search prelink tooling" --result "${STATUS_FOUND}" --color YELLOW
else
Display --indent 2 --text "- Search prelink tooling" --result "${STATUS_NOT_FOUND}" --color GREEN
LogText "Result: prelink package is NOT installed"
AddHP 3 3
fi
fi
#
#################################################################################
#
WaitForKeyPress
#
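Review bot: PROC-3802 shows a YELLOW "FOUND" and scores it with `AddHP 1 3`, yet the `ReportSuggestion "${TEST_NO}" "Disable and remove prelinking of binaries"` stays commented out pending a website entry, so the finding never reaches the report and the user gets no advice for the lost points. Either keep the suggestion active now or add a LogText line stating the rationale so the log explains the score. Also a typo in the found branch: "prelink packages is installed" should read "prelink package is installed".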

View File

@ -6,7 +6,7 @@
# ------------------
#
# Copyright 2007-2013, Michael Boelen
# Copyright 2007-2019, CISOfy
# Copyright 2007-2020, CISOfy
#
# Website : https://cisofy.com
# Blog : http://linux-audit.com
@ -84,7 +84,7 @@
if [ ${COUNT} -gt 6 ]; then
LogText "Result: Found ${COUNT} search domains"
Display --indent 2 --text "- Checking search domains" --result "${STATUS_WARNING}" --color YELLOW
ReportWarning ${TEST_NO} "Found more than 6 search domains, which is usually more than the maximum allowed number in most resolvers"
ReportWarning "${TEST_NO}" "Found more than 6 search domains, which is usually more than the maximum allowed number in most resolvers"
else
LogText "Result: Found ${COUNT} search domains"
Display --indent 2 --text "- Checking search domains" --result "${STATUS_FOUND}" --color GREEN
@ -95,7 +95,7 @@
if [ ! "${FIND}" = "0" -a ! "${FIND}" = "1" ]; then
LogText "Result: found ${FIND} line(s) with a search statement (expecting less than 2 lines)"
Display --indent 4 --text "- Checking search domains lines" --result "CONFIG ERROR" --color YELLOW
ReportWarning ${TEST_NO} "Found more than 1 search lines in /etc/resolv.conf, which is probably a misconfiguration"
ReportWarning "${TEST_NO}" "Found more than 1 search lines in /etc/resolv.conf, which is probably a misconfiguration"
else
LogText "Result: found ${FIND} line(s) with a search statement (expecting less than 2 lines)"
fi
@ -124,7 +124,7 @@
Report "resolv_conf_option[]=${ITEM}"
# TODO add suggestions for the related options
# rotate --> add performance tune point
# timeout --> add performe tune point when smaller than 3 seconds
# timeout --> add performance tune point when smaller than 3 seconds
done
Display --indent 2 --text "- Checking /etc/resolv.conf options" --result "${STATUS_FOUND}" --color GREEN
fi
@ -188,7 +188,7 @@
# If files and commands can't be found, use defined value from resolv.conf
if [ -z "${DOMAINNAME}" ]; then
if [ ! -z "${RESOLV_DOMAINNAME}" ]; then
if [ -n "${RESOLV_DOMAINNAME}" ]; then
LogText "Result: using domain name from ${ROOTDIR}etc/resolv.conf"
DOMAINNAME=${RESOLV_DOMAINNAME}
else
@ -197,14 +197,14 @@
fi
fi
if [ ! -z "${DOMAINNAME}" ]; then
if [ -n "${DOMAINNAME}" ]; then
LogText "Result: found domain name"
Report "domainname=${DOMAINNAME}"
Display --indent 2 --text "- Searching DNS domain name" --result "${STATUS_FOUND}" --color GREEN
Display --indent 6 --text "Domain name: ${DOMAINNAME}"
else
Display --indent 2 --text "- Searching DNS domain name" --result "${STATUS_UNKNOWN}" --color YELLOW
ReportSuggestion ${TEST_NO} "Check DNS configuration for the dns domain name"
ReportSuggestion "${TEST_NO}" "Check DNS configuration for the dns domain name"
fi
fi
#
@ -215,8 +215,7 @@
Register --test-no NAME-4032 --weight L --network NO --category security --description "Check nscd status"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: checking nscd status"
IsRunning nscd
if [ ${RUNNING} -eq 1 ]; then
if IsRunning "nscd"; then
NAME_CACHE_USED=1
LogText "Result: nscd is running"
Display --indent 2 --text "- Checking nscd status" --result "${STATUS_RUNNING}" --color GREEN
@ -233,8 +232,7 @@
Register --test-no NAME-4034 --weight L --network NO --category security --description "Check Unbound status"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: checking Unbound (unbound) status"
IsRunning unbound
if [ ${RUNNING} -eq 1 ]; then
if IsRunning "unbound"; then
UNBOUND_RUNNING=1
NAME_CACHE_USED=1
LogText "Result: Unbound daemon is running"
@ -278,8 +276,7 @@
Register --test-no NAME-4202 --weight L --network NO --category security --description "Check BIND status"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking for running BIND instance"
IsRunning named
if [ ${RUNNING} -eq 1 ]; then
if IsRunning "named"; then
LogText "Result: found BIND process"
Display --indent 2 --text "- Checking BIND status" --result "${STATUS_FOUND}" --color GREEN
BIND_RUNNING=1
@ -303,7 +300,7 @@
LogText "Result: found configuration file (${BIND_CONFIG_LOCATION})"
fi
done
if [ ! -z "${BIND_CONFIG_LOCATION}" ]; then
if [ -n "${BIND_CONFIG_LOCATION}" ]; then
Display --indent 4 --text "- Checking BIND configuration file" --result "${STATUS_FOUND}" --color GREEN
else
Display --indent 4 --text "- Checking BIND configuration file" --result "${STATUS_NOT_FOUND}" --color YELLOW
@ -327,7 +324,7 @@
else
LogText "Result: possible errors found in ${BIND_CONFIG_LOCATION}"
Display --indent 4 --text "- Checking BIND configuration consistency" --result "${STATUS_WARNING}" --color RED
ReportWarning ${TEST_NO} "Errors discovered in BIND configuration file"
ReportWarning "${TEST_NO}" "Errors discovered in BIND configuration file"
fi
else
LogText "Result: named-checkconf not found, skipping test"
@ -350,8 +347,8 @@
else
LogText "Result: possible BIND version available in version banner"
Display --indent 4 --text "- Checking BIND version in banner" --result "${STATUS_WARNING}" --color RED
ReportWarning ${TEST_NO} "Found BIND version in banner"
ReportSuggestion ${TEST_NO} "The version in BIND can be masked by defining 'version none' in the configuration file"
ReportWarning "${TEST_NO}" "Found BIND version in banner"
ReportSuggestion "${TEST_NO}" "The version in BIND can be masked by defining 'version none' in the configuration file"
AddHP 0 2
fi
fi
@ -384,8 +381,7 @@
Register --test-no NAME-4230 --weight L --network NO --category security --description "Check PowerDNS status"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking for running PowerDNS instance"
IsRunning pdns_server
if [ ${RUNNING} -eq 1 ]; then
if IsRunning "pdns_server"; then
LogText "Result: found PowerDNS process"
Display --indent 2 --text "- Checking PowerDNS status" --result "${STATUS_RUNNING}" --color GREEN
POWERDNS_RUNNING=1
@ -449,12 +445,12 @@
#
# Test : NAME-4238
# Description : Check PowerDNS authoritative status
if [ ${POWERDNS_RUNNING} -eq 1 -a ! -z "${POWERDNS_AUTH_CONFIG_LOCATION}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
if [ ${POWERDNS_RUNNING} -eq 1 -a -n "${POWERDNS_AUTH_CONFIG_LOCATION}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no NAME-4238 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check PowerDNS authoritative status"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking for PowerDNS master status"
FIND=$(${GREPBINARY} "^master=yes" ${POWERDNS_AUTH_CONFIG_LOCATION})
if [ ! -z "${FIND}" ]; then
if [ -n "${FIND}" ]; then
LogText "Found master=yes in configuration file"
Display --indent 4 --text "- PowerDNS authoritative master: YES"
POWERDNS_AUTH_MASTER=1
@ -464,7 +460,7 @@
fi
LogText "Test: Checking for PowerDNS slave status"
FIND=$(${GREPBINARY} "^slave=yes" ${POWERDNS_AUTH_CONFIG_LOCATION})
if [ ! -z "${FIND}" ]; then
if [ -n "${FIND}" ]; then
LogText "Found slave=yes in configuration file"
Display --indent 4 --text "- PowerDNS authoritative slave: YES"
POWERDNS_AUTH_SLAVE=1
@ -481,13 +477,11 @@
Register --test-no NAME-4304 --weight L --network NO --category security --description "Check NIS ypbind status"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking status of ypbind daemon"
IsRunning ypbind
if [ ${RUNNING} -eq 1 ]; then
if IsRunning "ypbind"; then
LogText "Result: ypbind is running"
Display --indent 2 --text "- Checking ypbind status" --result "${STATUS_FOUND}" --color GREEN
YPBIND_RUNNING=1
IsRunning ypldap
if [ ${RUNNING} -eq 1 ]; then
if IsRunning "ypldap"; then
LogText "Result: ypldap is running"
Display --indent 2 --text "- Checking ypldap status" --result "${STATUS_FOUND}" --color GREEN
else
@ -509,7 +503,7 @@
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking $(domainname) for NIS domain value"
FIND=$(${DOMAINNAMEBINARY} | ${GREPBINARY} -v "(none)")
if [ ! -z "${FIND}" ]; then
if [ -n "${FIND}" ]; then
LogText "Value: ${FIND}"
NISDOMAIN="${FIND}"
else
@ -520,7 +514,7 @@
if [ -f ${ROOTDIR}etc/defaultdomain ]; then
LogText "Result: file ${ROOTDIR}etc/defaultdomain exists"
FIND2=$(cat ${ROOTDIR}etc/defaultdomain)
if [ ! -z "${FIND2}" ]; then
if [ -n "${FIND2}" ]; then
LogText "Output: ${FIND2}"
NISDOMAIN="${FIND2}"
else
@ -533,7 +527,7 @@
LogText "Result: file ${ROOTDIR}etc/sysconfig/network exists"
LogText "Test: checking NISDOMAIN value in file"
FIND3=$(${GREPBINARY} "^NISDOMAIN" ${ROOTDIR}etc/sysconfig/network | ${AWKBINARY} -F= '{ print $2 }' | ${SEDBINARY} 's/"//g')
if [ ! -z "${FIND3}" ]; then
if [ -n "${FIND3}" ]; then
LogText "Found NIS domain: ${FIND3}"
NISDOMAIN="${FIND3}"
else
@ -553,7 +547,7 @@
fi
fi
# Check if we found any NIS domain
if [ ! -z "${NISDOMAIN}" ]; then
if [ -n "${NISDOMAIN}" ]; then
LogText "Found NIS domain: ${NISDOMAIN}"
Report "nisdomain=${NISDOMAIN}"
Display --indent 4 --text "- Checking NIS domain" --result "${STATUS_FOUND}" --color GREEN
@ -565,27 +559,27 @@
#
#################################################################################
#
if [ -f ${ROOTDIR}etc/hosts ]; then Display --indent 2 --text "- Checking ${ROOTDIR}etc/hosts"; fi
if [ -f ${ROOTDIR}etc/hosts ]; then
Display --indent 2 --text "- Checking /etc/hosts"
else
LogText "Result: no /etc/hosts file found"
fi
# Test : NAME-4402
# Description : Check /etc/hosts configuration
Register --test-no NAME-4402 --weight L --network NO --category security --description "Check duplicate line in /etc/hosts"
if [ -f ${ROOTDIR}etc/hosts ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no NAME-4402 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check duplicate line in /etc/hosts"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: check duplicate line in ${ROOTDIR}etc/hosts"
if [ -f ${ROOTDIR}etc/hosts ]; then
OUTPUT=$(${AWKBINARY} '{ print $1, $2 }' ${ROOTDIR}etc/hosts | ${EGREPBINARY} -v '^(#|$)' | ${EGREPBINARY} "[a-f0-9]" | ${SORTBINARY} | ${UNIQBINARY} -d)
if [ -z "${OUTPUT}" ]; then
LogText "Result: OK, no duplicate lines found"
Display --indent 4 --text "- Checking ${ROOTDIR}etc/hosts (duplicates)" --result "${STATUS_OK}" --color GREEN
else
LogText "Found duplicate line: ${OUTPUT}"
LogText "Result: found duplicate line"
Display --indent 4 --text "- Checking ${ROOTDIR}etc/hosts (duplicates)" --result "${STATUS_SUGGESTION}" --color YELLOW
ReportSuggestion "${TEST_NO}" "Remove duplicate lines in ${ROOTDIR}etc/hosts"
fi
OUTPUT=$(${AWKBINARY} '{ print $1, $2 }' ${ROOTDIR}etc/hosts | ${EGREPBINARY} -v '^(#|$)' | ${EGREPBINARY} "[a-f0-9]" | ${SORTBINARY} | ${UNIQBINARY} -d)
if [ -z "${OUTPUT}" ]; then
LogText "Result: OK, no duplicate lines found"
Display --indent 4 --text "- Duplicate entries in hosts file" --result "${STATUS_NONE}" --color GREEN
else
LogText "Result: ${ROOTDIR}etc/hosts not found, test skipped"
Display --indent 4 --text "Searching duplicate line" --result "${STATUS_SKIPPED}" --color YELLOW
LogText "Found duplicate line: ${OUTPUT}"
LogText "Result: found duplicate line"
Display --indent 4 --text "- Duplicate entries in hosts file" --result "$STATUS_FOUND}" --color YELLOW
ReportSuggestion "${TEST_NO}" "Remove duplicate lines in ${ROOTDIR}etc/hosts"
fi
fi
#
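Review bot: the duplicate-found branch of NAME-4402 is missing an opening brace: `Display --indent 4 --text "- Duplicate entries in hosts file" --result "$STATUS_FOUND}" --color YELLOW` expands STATUS_FOUND and then appends a literal `}`, so the result column prints something like `FOUND}`. Change it to `"${STATUS_FOUND}"`. Minor: the section header now displays "- Checking /etc/hosts" and logs "no /etc/hosts file found" while the test itself reads `${ROOTDIR}etc/hosts`; use the same path in both messages so the output is correct when ROOTDIR is set.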
@ -593,42 +587,44 @@
#
# Test : NAME-4404
# Description : Check /etc/hosts contains an entry for this server name
if [ ! "${HOSTNAME}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
if [ -f ${ROOTDIR}etc/hosts ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no NAME-4404 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check /etc/hosts contains an entry for this server name"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Check /etc/hosts contains an entry for this server name"
if [ -f /etc/hosts ]; then
sFIND=$(${EGREPBINARY} -v '^(#|$|^::1\s|localhost)' /etc/hosts | ${GREPBINARY} -i ${HOSTNAME})
if [ "${sFIND}" != "" ]; then
LogText "Result: Found entry for ${HOSTNAME} in /etc/hosts"
Display --indent 4 --text "- Checking /etc/hosts (hostname)" --result "${STATUS_OK}" --color GREEN
if [ -n "${HOSTNAME}" ]; then
DATA=$(${EGREPBINARY} -v '^(#|$|^::1\s|localhost)' ${ROOTDIR}etc/hosts | ${GREPBINARY} -i ${HOSTNAME})
if [ -n "${DATA}" ]; then
LogText "Result: Found entry for ${HOSTNAME} in ${ROOTDIR}etc/hosts"
Display --indent 4 --text "- Presence of configured hostname in /etc/hosts" --result "${STATUS_FOUND}" --color GREEN
else
LogText "Result: No entry found for ${HOSTNAME} in /etc/hosts"
Display --indent 4 --text "- Checking /etc/hosts (hostname)" --result "${STATUS_SUGGESTION}" --color YELLOW
ReportSuggestion ${TEST_NO} "Add the IP name and FQDN to /etc/hosts for proper name resolving"
LogText "Result: No entry found for ${HOSTNAME} in ${ROOTDIR}etc/hosts"
Display --indent 4 --text "- Presence of configured hostname in /etc/hosts" --result "${STATUS_NOT_FOUND}" --color YELLOW
ReportSuggestion "${TEST_NO}" "Add the IP name and FQDN to /etc/hosts for proper name resolving"
LogText "Risk: No entry for the server name [hostname] in /etc/hosts may cause unexpected performance problems for local connections"
fi
fi
fi
else
LogText "Result: Skipping test, no hostname configured"
fi
fi
#
#################################################################################
#
# Test : NAME-4406
# Description : Check server hostname mapping
if HasData "${HOSTNAME}"; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
if [ -n "${HOSTNAME}" -a -f ${ROOTDIR}etc/hosts ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no NAME-4406 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check server hostname mapping"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Check server hostname not locally mapped in /etc/hosts"
sFIND=$(${EGREPBINARY} -v '^(#|$)' /etc/hosts | ${EGREPBINARY} '^(localhost|::1)\s' | ${GREPBINARY} -w ${HOSTNAME})
if [ ! "${sFIND}" = "" ]; then
LogText "Test: Check server hostname not locally mapped in ${ROOTDIR}etc/hosts"
DATA=$(${EGREPBINARY} -v '^(#|$)' ${ROOTDIR}etc/hosts | ${EGREPBINARY} '^(localhost|::1)\s' | ${GREPBINARY} -w ${HOSTNAME})
if [ -n "${DATA}" ]; then
LogText "Result: Found this server hostname mapped to a local address"
LogText "Output: ${sFIND}"
Display --indent 4 --text "- Checking /etc/hosts (localhost)" --result "${STATUS_SUGGESTION}" --color YELLOW
LogText "Output: ${DATA}"
Display --indent 4 --text "- Hostname mapped to localhost" --result "${STATUS_FOUND}" --color YELLOW
LogText "Information: Linking the hostname to the localhost entry may break some resolving. Split resolving so that localhost resolves back to 127.0.0.1 (and ::1) and the hostname of the machine to the real IP address on the network interface."
ReportSuggestion ${TEST_NO} "Split resolving between localhost and the hostname of the system"
ReportSuggestion "${TEST_NO}" "Split resolving between localhost and the hostname of the system"
else
LogText "Result: this server hostname is not mapped to a local address"
Display --indent 4 --text "- Checking /etc/hosts (localhost)" --result "${STATUS_OK}" --color GREEN
Display --indent 4 --text "- Hostname mapped to localhost" --result "${STATUS_NOT_FOUND}" --color GREEN
fi
fi
#
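Review bot: in NAME-4404 the hostname lookup `${GREPBINARY} -i ${HOSTNAME}` is a substring match, so a short hostname such as `db` is reported as present in /etc/hosts when only a different entry like `dbbackup` exists, and `${HOSTNAME}` is passed unquoted as a bare pattern. NAME-4406 in the same hunk already uses `${GREPBINARY} -w ${HOSTNAME}`; use `-w` (and quote the expansion) here as well. The `\s` in `${EGREPBINARY} -v '^(#|$|^::1\s|localhost)'` is a GNU extension that BSD and busybox grep may not honour; `[[:space:]]` is the portable form.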
@ -636,29 +632,29 @@
#
# Test : NAME-4408
# Description : Check localhost entry
if [ ! -z "${GETENT_BINARY}" ]; then PREQS_MET="YES"; SKIPREASON="No getent binary"; else PREQS_MET="NO"; SKIPREASON=""; fi
if [ -n "${GETENT_BINARY}" ]; then PREQS_MET="YES"; SKIPREASON="No getent binary"; else PREQS_MET="NO"; SKIPREASON=""; fi
Register --test-no NAME-4408 --preqs-met ${PREQS_MET} --skip-reason "${SKIPREASON}" --weight L --network NO --category security --description "Check localhost entry"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Check server hostname not locally mapped in /etc/hosts"
FIND=$(${GETENT_BINARY} hosts localhost | ${AWKBINARY} '{print $1}' | ${SORTBINARY} | ${TRBINARY} -d '\n')
if [ "${FIND}" = "127.0.0.1" ]; then
LogText "Result: localhost mapped to 127.0.0.1"
Display --indent 4 --text "- Checking /etc/hosts (localhost to IP)" --result "${STATUS_OK}" --color GREEN
report "localhost-mapped-to=${FIND}"
Display --indent 4 --text "- Localhost mapping to IP address" --result "${STATUS_OK}" --color GREEN
Report "localhost-mapped-to=${FIND}"
elif [ "${FIND}" = "::1" ]; then
LogText "Result: localhost mapped to ::1"
Display --indent 4 --text "- Checking /etc/hosts (localhost to IP)" --result "${STATUS_OK}" --color GREEN
report "localhost-mapped-to=${FIND}"
Display --indent 4 --text "- Localhost mapping to IP address" --result "${STATUS_OK}" --color GREEN
Report "localhost-mapped-to=${FIND}"
elif [ "${FIND}" = "127.0.0.1::1" ]; then
LogText "Result: localhost mapped to 127.0.0.1 and ::1"
Display --indent 4 --text "- Checking /etc/hosts (localhost to IP)" --result "${STATUS_OK}" --color GREEN
report "localhost-mapped-to=${FIND}"
Display --indent 4 --text "- Localhost mapping to IP address" --result "${STATUS_OK}" --color GREEN
Report "localhost-mapped-to=${FIND}"
else
LogText "Output: ${FIND}"
LogText "Result: this server hostname is not mapped to a local address"
Display --indent 4 --text "- Checking /etc/hosts (localhost to IP)" --result "${STATUS_SUGGESTION}" --color YELLOW
Display --indent 4 --text "- Localhost mapping to IP address" --result "${STATUS_SUGGESTION}" --color YELLOW
LogText "Information: Ensure that localhost resolves back to 127.0.0.1 (and/or ::1)."
ReportSuggestion ${TEST_NO} "Split resolving between localhost and the hostname of the system" "/etc/hosts" "text:Check your localhost line"
ReportSuggestion "${TEST_NO}" "Split resolving between localhost and the hostname of the system" "/etc/hosts" "text:Check your localhost line"
fi
fi
#
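Review bot: the prerequisite line of NAME-4408 puts the skip reason on the wrong branch: `if [ -n "${GETENT_BINARY}" ]; then PREQS_MET="YES"; SKIPREASON="No getent binary"; else PREQS_MET="NO"; SKIPREASON=""; fi` records "No getent binary" exactly when the binary is present and an empty reason when it is absent. Swap the two SKIPREASON assignments. The `report` to `Report` correction is good, since the lower-case call would have failed. Also, the opening `LogText "Test: Check server hostname not locally mapped in /etc/hosts"` and the final `LogText "Result: this server hostname is not mapped to a local address"` are copied from NAME-4406 and describe a different check; this test verifies which addresses localhost resolves to.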

View File

@ -6,7 +6,7 @@
# ------------------
#
# Copyright 2007-2013, Michael Boelen
# Copyright 2007-2019, CISOfy
# Copyright 2007-2020, CISOfy
#
# Website : https://cisofy.com
# Blog : http://linux-audit.com
@ -34,6 +34,55 @@
InsertSection "Networking"
#
#################################################################################
#
# Test : NETW-2400
# Description : Test hostname for valid characters and length
# Notes : FQDN: max 253 characters
# : component: a-z, 0-9, hyphen, not start with hyphen, max 63 characters
# dots allowed as separator
Register --test-no NETW-2400 --weight L --network YES --category basics --description "Hostname length and value check"
if [ ${SKIPTEST} -eq 0 ]; then
# Test first the fully qualified domain name
if [ ${#FQDN} -gt 253 ]; then
# Too long
LogText "Result: FQDN is more than 253 characters"
Display --indent 2 --text "- Hostname (FQDN length)" --result "${STATUS_WARNING}" --color RED
ReportWarning "${TEST_NO}" "Hostname is too long (more than 253 characters)"
elif [ ${#FQDN} -eq 0 ]; then
# FQDN not defined
LogText "Result: FQDN is not defined"
if IsVerbose; then Display --indent 2 --text "- Hostname (FQDN length)" --result "${STATUS_UNKNOWN}" --color YELLOW; fi
else
# Fine
LogText "Result: FQDN is defined and not longer than 253 characters (${#FQDN} characters)"
if IsVerbose; then Display --indent 2 --text "- Hostname (FQDN length)" --result "${STATUS_OK}" --color GREEN; fi
fi
# Now test short hostname
if [ ${#HOSTNAME} -eq 0 ]; then
if IsVerbose; then Display --indent 2 --text "- Hostname (FQDN length)" --result "${STATUS_NONE}" --color RED; fi
LogText "Result: hostname is not defined"
else
# Test length
if [ ${#HOSTNAME} -gt 63 ]; then
LogText "Result: hostname is more than 63 characters"
Display --indent 2 --text "- Hostname (length)" --result "${STATUS_WARNING}" --color RED
else
LogText "Result: hostnamed is defined and not longer than 63 characters"
fi
# Test valid characters (normally a dot should not be in the name, but we can't be 100% sure we have short name)
FIND=$(echo "${HOSTNAME}" | ${TRBINARY} -d '[a-zA-Z0-9\.\-]')
if [ -z "${FIND}" ]; then
LogText "Result: good, no unexpected characters discovered in hostname"
if IsVerbose; then Display --indent 2 --text "- Hostname (allowed characters)" --result "${STATUS_OK}" --color GREEN; fi
else
LogText "Result: unexpected characters discovered in hostname (characters: ${FIND}), which may impact network connectivity"
Display --indent 2 --text "- Hostname (allowed characters)" --result "${STATUS_WARNING}" --color RED
ReportWarning "${TEST_NO}" "Hostname contains invalid characters" "hostname" "text:See log file for invalid characters"
fi
fi
fi
#
#################################################################################
#
# Test : NETW-2600
# Description : Gather IPv6 configuration
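Review bot: the character check in NETW-2400, `${TRBINARY} -d '[a-zA-Z0-9\.\-]'`, passes the square brackets to tr as literal members of the set (GNU tr only treats `[` specially in `[:class:]`, `[=c=]` and `[c*n]`), so `[` and `]` are deleted as well and a hostname containing them passes as valid. Use `${TRBINARY} -d 'a-zA-Z0-9.-'` with the hyphen last so it is literal. Two more points in this block: the empty short-hostname branch displays the label "- Hostname (FQDN length)" where "- Hostname (length)" is meant, and the over-63-character case shows a warning on screen but, unlike the FQDN case, raises no `ReportWarning`, so it never reaches the report. Typo in the log line: "hostnamed is defined".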
@ -47,7 +96,7 @@
IPV6_MISCONFIGURED=0
IPV6_MISCONFIGURED_MTU=0
FIND=$(sysctl -a 2> /dev/null | ${GREPBINARY} "^net.ipv6" | ${SEDBINARY} "s/ = /=/")
if [ ! -z "${FIND}" ]; then
if [ -n "${FIND}" ]; then
IPV6_CONFIGURED=1
for I in ${FIND}; do
SYSCTL_KEY=$(echo ${I} | ${AWKBINARY} -F= '{ print $1 }')
@ -124,7 +173,7 @@
if [ -f /etc/resolv.conf ]; then
LogText "Result: Found /etc/resolv.conf file"
FIND=$(${GREPBINARY} '^nameserver' /etc/resolv.conf | ${TRBINARY} -d '\t' | ${SEDBINARY} 's/nameserver*//g' | uniq | ${CUTBINARY} -d# -f1)
if [ ! -z "${FIND}" ]; then
if [ -n "${FIND}" ]; then
Display --indent 4 --text "- Testing nameservers"
LogText "Test: Querying nameservers"
for I in ${FIND}; do
@ -134,7 +183,7 @@
if [ "${I}" = "::1" -o "${I}" = "127.0.0.1" -o "${I}" = "127.0.0.53" -o "${I}" = "127.0.1.1" -o "${I}" = "0.0.0.0" ]; then
LOCAL_DNSRESOLVER_FOUND=1
fi
if [ ! -z "${DIGBINARY}" ]; then
if [ -n "${DIGBINARY}" ]; then
# See if we can query something at the nameserver
# 0=good, other=bad
DNSRESPONSE=$(${DIGBINARY} +noall +time=3 +retry=0 @${I} ${FQDN} > /dev/null ; echo $?)
@ -147,8 +196,8 @@
Display --indent 8 --text "Nameserver: ${I}" --result "NO RESPONSE" --color RED
LogText "Result: nameserver ${I} does NOT respond"
LogText "Exit-code from dig: ${DNSRESPONSE}"
ReportSuggestion ${TEST_NO} "Check connection to this nameserver and make sure no outbound DNS queries are blocked (port 53 UDP and TCP)."
ReportWarning ${TEST_NO} "Nameserver ${I} does not respond"
ReportSuggestion "${TEST_NO}" "Check connection to this nameserver and make sure no outbound DNS queries are blocked (port 53 UDP and TCP)."
ReportWarning "${TEST_NO}" "Nameserver ${I} does not respond"
fi
else
LogText "Result: Nameserver test for ${I} skipped, 'dig' not installed"
@ -167,13 +216,13 @@
Register --test-no NETW-2705 --preqs-met ${PREQS_MET} --weight L --network YES --category security --description "Check availability two nameservers"
if [ ${SKIPTEST} -eq 0 ]; then
SKIP=0
if [ ! -z "${DIGBINARY}" ]; then
if [ -n "${DIGBINARY}" ]; then
if [ ${NUMBERACTIVENS} -lt 2 ]; then
Display --indent 4 --text "- Minimal of 2 responsive nameservers" --result "${STATUS_WARNING}" --color RED
LogText "Result: less than 2 responsive nameservers found"
ReportWarning ${TEST_NO} "Couldn't find 2 responsive nameservers"
ReportWarning "${TEST_NO}" "Couldn't find 2 responsive nameservers"
LogText "Note: Non responsive nameservers can give problems for your system(s). Like the lack of recursive lookups, bad connectivity to update servers etc."
ReportSuggestion ${TEST_NO} "Check your resolv.conf file and fill in a backup nameserver if possible"
ReportSuggestion "${TEST_NO}" "Check your resolv.conf file and fill in a backup nameserver if possible"
AddHP 1 2
else
Display --indent 4 --text "- Minimal of 2 responsive nameservers" --result "${STATUS_OK}" --color GREEN
@ -189,16 +238,50 @@
fi
#
#################################################################################
#
# Test : NETW-2706
# Description : Check systemd-resolve output and upstream DNSSEC status
# Notes : Ubuntu 16.04 uses systemd-resolve, newer ones most likely resolvectl
if [ -n "${RESOLVECTLBINARY}" ]; then
PREQS_MET="YES"
RESOLVE_CMD="${RESOLVECTLBINARY}"
RESOLVE_CMD_PARAM="statistics"
elif [ -n "$(command -v systemd-resolve 2> /dev/null)" ]; then
PREQS_MET="YES"
RESOLVE_CMD="$(command -v systemd-resolve 2> /dev/null)"
RESOLVE_CMD_PARAM="--statistics"
else
PREQS_MET="NO"
fi
Register --test-no NETW-2706 --preqs-met "${PREQS_MET}" --weight L --network YES --category security --description "Check systemd-resolved and upstream DNSSEC status"
if [ ${SKIPTEST} -eq 0 ]; then
SKIP=0
DNSSEC_STATUS=$(${RESOLVE_CMD} ${RESOLVE_CMD_PARAM} 2> /dev/null | ${AWKBINARY} -F ":" '/DNSSEC supported/ { print $2 }' | ${TRBINARY} -d ' ')
if [ "${DNSSEC_STATUS}" = "yes" ]; then
Display --indent 4 --text "- DNSSEC supported (systemd-resolved)" --result "${STATUS_YES}" --color GREEN
LogText "Result: DNSSEC supported by systemd-resolved and upstream DNS servers"
elif [ "${DNSSEC_STATUS}" = "no" ]; then
Display --indent 4 --text "- DNSSEC supported (systemd-resolved)" --result "${STATUS_NO}" --color YELLOW
LogText "Result: DNSSEC not supported by systemd-resolved or upstream DNS servers"
else
Display --indent 4 --text "- DNSSEC supported (systemd-resolved)" --result "${STATUS_UNKNOWN}" --color RED
LogText "Result: command '${RESOLVE_CMD} ${RESOLVE_CMD_PARAM}' returned an error. Please run command manually to check for details."
fi
else
LogText "Result: Test most likely skipped due to not having resolvectl"
fi
#
#################################################################################
#
# Test : NETW-3001
# Description : Find default gateway (route)
# More info : BSD: ^default Linux: 0.0.0.0
if [ ! -z "${NETSTATBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
if [ -n "${NETSTATBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no NETW-3001 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Find default gateway (route)"
if [ $SKIPTEST -eq 0 ]; then
LogText "Test: Searching default gateway(s)"
FIND=$(${NETSTATBINARY} -rn | ${EGREPBINARY} "^0.0.0.0|default" | ${TRBINARY} -s ' ' | ${CUTBINARY} -d ' ' -f2)
if [ ! -z "${FIND}" ]; then
if [ -n "${FIND}" ]; then
for I in ${FIND}; do
LogText "Result: Found default gateway ${I}"
Report "default_gateway[]=${I}"
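Review bot: the success log in NETW-2706 ("DNSSEC supported by systemd-resolved and upstream DNS servers") claims more than the check establishes: the test only greps a line containing "DNSSEC supported" out of the statistics output and never looks at the configured DNSSEC= mode, so "yes" should be logged as what it is, the resolver reporting that DNSSEC is supported. Two smaller points in the same block: the trailing `else` branch logs "Test most likely skipped due to not having resolvectl" although SKIPTEST is also set when the test is skipped via the profile or when systemd-resolve was found but the test was excluded, so word it neutrally ("Result: test skipped"); and RESOLVE_CMD / RESOLVE_CMD_PARAM are left set at the end, whereas the other tests in this file `unset` their temporaries, so add `unset DNSSEC_STATUS RESOLVE_CMD RESOLVE_CMD_PARAM` before the closing `fi`.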
@ -222,9 +305,9 @@
FIND=$(${IFCONFIGBINARY} -a 2> /dev/null | ${GREPBINARY} "flags=" | ${AWKBINARY} -F ":" '{ print $1 }')
;;
Linux)
if [ ! -z "${IPBINARY}" ]; then
if [ -n "${IPBINARY}" ]; then
FIND=$(${IPBINARY} link show 2> /dev/null | ${GREPBINARY} "^[0-9]" | ${AWKBINARY} '{ print $2 }' | ${SEDBINARY} 's/://g')
elif [ ! -z "${IFCONFIGBINARY}" ]; then
elif [ -n "${IFCONFIGBINARY}" ]; then
FIND=$(${IFCONFIGBINARY} -a 2> /dev/null | ${AWKBINARY} '{ if ( $2 == "Link" ) { print $1 }}')
fi
;;
@ -265,14 +348,14 @@
FIND=$(${IFCONFIGBINARY} -a 2> /dev/null | ${AWKBINARY} '{ if ($1=="ether") print $2 }' | ${SORTBINARY} -u)
;;
Linux)
if [ ! -z "${IFCONFIGBINARY}" ]; then
if [ -n "${IFCONFIGBINARY}" ]; then
FIND=$(${IFCONFIGBINARY} -a 2> /dev/null | ${GREPBINARY} "HWaddr" | ${AWKBINARY} '{ if ($4=="HWaddr") print $5 }' | ${SORTBINARY} -u)
# CentOS 7.x and others may return nothing. Let's retry with 'ether' field.
if [ -z "${FIND}" ]; then
FIND=$(${IFCONFIGBINARY} -a 2> /dev/null | ${AWKBINARY} '{ if ($1=="ether") print $2 }' | ${SORTBINARY} -u)
fi
else
if [ ! -z "${IPBINARY}" ]; then
if [ -n "${IPBINARY}" ]; then
LogText "Test: Using ip binary to gather hardware addresses"
FIND=$(${IPBINARY} link 2> /dev/null | ${GREPBINARY} "link/ether" | ${AWKBINARY} '{ print $2 }')
else
@ -320,12 +403,12 @@
FIND2=$(${IFCONFIGBINARY} -a 2> /dev/null | ${AWKBINARY} '{ if ($1=="inet6") print $2 }')
;;
Linux)
if [ ! -z "${IFCONFIGBINARY}" ]; then
if [ -n "${IFCONFIGBINARY}" ]; then
FIND=$(${IFCONFIGBINARY} -a 2> /dev/null | ${AWKBINARY} '{ if ($1=="inet") print $2 }' | ${CUTBINARY} -d ':' -f2)
# Version which works for multiple types of ifconfig (e.g. Slackware)
FIND2=$(${IFCONFIGBINARY} -a 2> /dev/null | ${AWKBINARY} '{ if ($1=="inet6" && $2=="addr:") { print $3 } else { if ($1=="inet6" && $3=="prefixlen") { print $2 } } }')
else
if [ ! -z "${IPBINARY}" ]; then
if [ -n "${IPBINARY}" ]; then
LogText "Test: Using ip binary to gather IP addresses"
FIND=$(${IPBINARY} addr 2> /dev/null | ${AWKBINARY} '{ if ($1=="inet") { print $2 }}' | ${SEDBINARY} 's/\/.*//')
FIND2=$(${IPBINARY} addr 2> /dev/null | ${AWKBINARY} '{ if ($1=="inet6") { print $2 }}' | ${SEDBINARY} 's/\/.*//')
@ -370,58 +453,57 @@
# Description : Check listening ports
Register --test-no NETW-3012 --weight L --network NO --category security --description "Check listening ports"
if [ ${SKIPTEST} -eq 0 ]; then
DATA=""
FIND=""; FIND2=""
COUNT=0
case ${OS} in
DragonFly|FreeBSD)
if [ ! -z "${SOCKSTATBINARY}" ]; then
DragonFly | FreeBSD)
if [ -n "${SOCKSTATBINARY}" ]; then
FIND=$(${SOCKSTATBINARY} | ${AWKBINARY} '{ if ($7 ~ /\*:\*/) print $5"|"$6"|"$2"|" }' | ${SORTBINARY} -u)
# To strip off IP's: ${SEDBINARY} 's/|.*:/|/'
else
FIND=""
fi
FIND2=""
;;
;;
Linux)
if [ ! -z "${NETSTATBINARY}" ]; then
if [ -n "${SSBINARY}" ]; then
LogText "Test: Retrieving ss information to find listening ports"
DATA=$(${SSBINARY} --query=udp,tcp -plnt | ${AWKBINARY} '{ if ($1!="Netid") { print "raw,ss,v1|"$1"|"$5"|"$7"|" }}' | ${SEDBINARY} 's/pid=[0-9]\{1,\},fd=[0-9]\{1,\}//g' | ${SEDBINARY} 's/users://' | ${SEDBINARY} 's/,)//g' | ${TRBINARY} -d '()"')
elif [ -n "${NETSTATBINARY}" ]; then
LogText "Test: Retrieving netstat information to find listening ports"
# UDP
FIND=$(${NETSTATBINARY} -nlp 2> /dev/null | ${GREPBINARY} "^udp" | ${AWKBINARY} '{ print $4"|"$1"|"$6"|" }' | ${SEDBINARY} 's:|[0-9]*/:|:')
# TCP
FIND2=$(${NETSTATBINARY} -nlp 2> /dev/null | ${GREPBINARY} "^tcp" | ${AWKBINARY} '{ if($6=="LISTEN") { print $4"|"$1"|"$7"|" }}' | ${SEDBINARY} 's:|[0-9]*/:|:')
else
if [ ! "${SSBINARY}" = "" ]; then
# UDP
FIND=$(${SSBINARY} -u -a -n 2> /dev/null | ${AWKBINARY} '{ print $4 }' | ${GREPBINARY} -v Local)
# TCP
FIND2=$(${SSBINARY} -t -a -n 2> /dev/null | ${AWKBINARY} '{ print $4 }' | ${GREPBINARY} -v Local)
else
ReportException "${TEST_NO}:1" "netstat and ss binary missing to gather listening ports"
fi
ReportException "${TEST_NO}:1" "netstat and ss binary missing to gather listening ports"
fi
;;
;;
macOS)
if [ ! "${LSOFBINARY}" = "" ]; then
if [ -n "${LSOFBINARY}" ]; then
LogText "Test: Retrieving lsof information to find listening ports"
# UDP and TCP combined
FIND=$(${LSOFBINARY} -i -P | ${AWKBINARY} '{ print $9"|"$8"|"$1"|" }' | ${SEDBINARY} 's/\(.*\)\-\>.*\(\|.*\)/\1\2/' | ${SEDBINARY} 's/\*/'$IP'/' | ${SORTBINARY} -u | ${GREPBINARY} -v "NAME")
FIND=$(${LSOFBINARY}${LSOF_EXTRA_OPTIONS} -i -P | ${AWKBINARY} '{ print $9"|"$8"|"$1"|" }' | ${SEDBINARY} 's/\(.*\)\-\>.*\(\|.*\)/\1\2/' | ${SEDBINARY} 's/\*/'$IP'/' | ${SORTBINARY} -u | ${GREPBINARY} -v "NAME")
else
FIND=""
fi
# Not needed as we have a combined test
FIND2=""
;;
;;
NetBSD)
if [ ! "${SOCKSTATBINARY}" = "" ]; then
if [ -n "${SOCKSTATBINARY}" ]; then
LogText "Test: Retrieving sockstat information to find listening ports"
FIND=$(${SOCKSTATBINARY} 2> /dev/null | ${AWKBINARY} '{ if ($7 ~ /\*.\*/) print $5"|"$6"|"$2"|" }' | ${SORTBINARY} -u)
else
FIND=""
fi
FIND2=""
;;
;;
OpenBSD)
if [ ! "${NETSTATBINARY}" = "" ]; then
if [ -n "${NETSTATBINARY}" ]; then
LogText "Test: Retrieving netstat information to find listening ports"
# UDP
FIND=$(${NETSTATBINARY} -an 2> /dev/null | ${GREPBINARY} "^udp" | ${AWKBINARY} '{ print $4"|"$1"||" }')
# TCP
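Review bot: in the new ss branch, `${SSBINARY} --query=udp,tcp -plnt` mixes the explicit socket-table list with the `-t` (TCP only) shorthand; the two are at least redundant and make the intent hard to read, so drop `-t` and keep `--query=udp,tcp -pln`. On the macOS branch, `${LSOFBINARY}${LSOF_EXTRA_OPTIONS}` is concatenated without a separator, so this only works if LSOF_EXTRA_OPTIONS is either empty or starts with a space; that contract should be documented where the variable is defined, or the call written as `${LSOFBINARY} ${LSOF_EXTRA_OPTIONS} -i -P`.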
@ -429,16 +511,21 @@
else
ReportException "${TEST_NO}:3" "netstat missing to gather listening ports"
fi
;;
;;
*)
# Got this exception? Provide your details and output of netstat or any other tool to determine this information.
ReportException "${TEST_NO}:2" "Unclear what method to use, to determine listening port information"
;;
;;
esac
# Retrieve information from sockstat, when available
LogText "Test: Retrieving sockstat information to find listening ports"
if HasData "${FIND}"; then
if [ -n "${DATA}" ]; then
for ITEM in ${DATA}; do
COUNT=$((COUNT + 1))
Report "network_listen[]=${ITEM}"
done
fi
if [ -n "${FIND}" ]; then
for ITEM in ${FIND}; do
COUNT=$((COUNT + 1))
LogText "Found listening info: ${ITEM}"
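Review bot: the items collected in DATA are reported under a new key, `network_listen[]`, while the netstat/sockstat results a few lines down still go to `network_listen_port[]` (and with a different field layout), so a consumer of the report file now has to understand both formats; either write both into the same key or document the new `raw,ss,v1|...` format alongside the old one. Also, the DATA loop does not emit the "Found listening info" LogText that the FIND loop emits, and the `LogText "Test: Retrieving sockstat information..."` line right after `esac` runs unconditionally for every OS, including the Linux ss/netstat path, so it should move into the sockstat branches or be removed.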
@ -446,18 +533,17 @@
done
fi
if [ ! "${FIND2}" = "" ]; then
if [ -n "${FIND2}" ]; then
for ITEM in ${FIND2}; do
COUNT=$((COUNT + 1))
LogText "Found listening info: ${ITEM}"
Report "network_listen_port[]=${ITEM}"
done
fi
if [ "${FIND}" = "" -a "${FIND2}" = "" ]; then
if [ -z "${DATA}" -a -z "${FIND}" ]; then
Display --indent 2 --text "- Getting listening ports (TCP/UDP)" --result "${STATUS_SKIPPED}" --color YELLOW
else
Display --indent 2 --text "- Getting listening ports (TCP/UDP)" --result "${STATUS_DONE}" --color GREEN
Display --indent 6 --text "* Found ${COUNT} ports"
fi
fi
#
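Review bot: the final check `if [ -z "${DATA}" -a -z "${FIND}" ]` drops the FIND2 test that the old condition (`"${FIND}" = "" -a "${FIND2}" = ""`) had. On the Linux netstat path and on OpenBSD, FIND holds UDP and FIND2 holds TCP listeners, so a host with TCP listeners but no UDP listeners will now display "SKIPPED" even though ports were found and reported. It should read `if [ -z "${DATA}" -a -z "${FIND}" -a -z "${FIND2}" ]; then`.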
@ -486,10 +572,10 @@
# Check if this interface was whitelisted
if [ ${WHITELISTED} -eq 0 ]; then
FOUNDPROMISC=1
ReportWarning ${TEST_NO} "Found promiscuous interface (${I})"
ReportWarning "${TEST_NO}" "Found promiscuous interface (${ITEM})"
LogText "Note: some tools put an interface into promiscuous mode, to capture/log network traffic"
else
LogText "Result: Found promiscuous interface ${I} (*whitelisted via profile*)"
LogText "Result: Found promiscuous interface ${ITEM} (*whitelisted via profile*)"
fi
done
fi
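Review bot: the warning and log text switch from `${I}` to `${ITEM}`, but the enclosing `for` header is outside this hunk; please confirm the loop in NETW-3014 actually iterates over ITEM, otherwise the warning is emitted as "Found promiscuous interface ()" with an empty interface name. The same rename should also be applied to the `grep "^if_promisc:..."` whitelist lookup above it if that still references `${I}`.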
@ -507,35 +593,54 @@
#
# Test : NETW-3015
# Description : Checking promiscuous interfaces (Linux)
# Note : Need ifconfig binary at this moment (does not work on Arch Linux)
if [ ! "${IFCONFIGBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no NETW-3015 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking promiscuous interfaces (Linux)"
Register --test-no NETW-3015 --os Linux --weight L --network NO --category security --description "Checking promiscuous interfaces (Linux)"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking promiscuous interfaces (Linux)"
NETWORK=$(${IFCONFIGBINARY} 2> /dev/null | ${GREPBINARY} Link | ${TRBINARY} -s ' ' | ${CUTBINARY} -d ' ' -f1)
if [ ! "${NETWORK}" = "" ]; then
FOUNDPROMISC=99
NETWORK=""
USE_IP_INSTEAD_IFCONFIG=0
if [ -n "${IPBINARY}" ]; then
LogText "Test: Using ip binary to retrieve network interfaces"
NETWORK=$(${IPBINARY} -o link 2> /dev/null | ${GREPBINARY} "^[0-9]" | ${AWKBINARY} '{print $2 }' | ${TRBINARY} -d ':')
USE_IP_INSTEAD_IFCONFIG=1
elif [ -n "${IFCONFIGBINARY}" ]; then
LogText "Test: Using ifconfig binary to retrieve network interfaces"
NETWORK=$(${IFCONFIGBINARY} 2> /dev/null | ${GREPBINARY} Link | ${TRBINARY} -s ' ' | ${CUTBINARY} -d ' ' -f1)
fi
LogText "Test: Checking all interfaces to discover any with promiscuous mode enabled"
if [ -n "${NETWORK}" ]; then
FOUNDPROMISC=0
for I in ${NETWORK}; do
FIND=$(${IFCONFIGBINARY} ${I} 2> /dev/null | ${GREPBINARY} PROMISC)
if [ ! "${FIND}" = "" ]; then
if [ ${USE_IP_INSTEAD_IFCONFIG} -eq 1 ]; then
FIND=$(${IPBINARY} -o -d link show ${I} 2> /dev/null | ${GREPBINARY} "promiscuity [1-9]")
else
FIND=$(${IFCONFIGBINARY} ${I} 2> /dev/null | ${GREPBINARY} PROMISC)
fi
if [ -n "${FIND}" ]; then
LogText "Result: Promiscuous interface: ${I}"
ISWHITELISTED=$(${GREPBINARY} "^if_promisc:${I}:" ${PROFILE})
if [ "${ISWHITELISTED}" = "" ]; then
if [ -z "${ISWHITELISTED}" ]; then
FOUNDPROMISC=1
ReportWarning ${TEST_NO} "Found promiscuous interface (${I})"
ReportWarning "${TEST_NO}" "Found promiscuous interface" "${I}" "text:Determine if this mode is required or whitelist interface in profile"
LogText "Note: some tools put an interface into promiscuous mode, to capture/log network traffic"
else
LogText "Result: Found promiscuous interface ${I} (*whitelisted via profile*)"
fi
fi
done
else
LogText "Result: no network interfaces discovered, so nothing tested"
fi
# Show result
if [ ${FOUNDPROMISC} -eq 0 ]; then
Display --indent 2 --text "- Checking promiscuous interfaces" --result "${STATUS_OK}" --color GREEN
LogText "Result: No promiscuous interfaces found"
else
elif [ ${FOUNDPROMISC} -eq 1 ]; then
Display --indent 2 --text "- Checking promiscuous interfaces" --result "${STATUS_WARNING}" --color RED
else
Display --indent 2 --text "- Checking promiscuous interfaces" --result "${STATUS_UNKNOWN}" --color YELLOW
fi
fi
#
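Review bot: the interface list built from `${IPBINARY} -o link` takes field 2 and only strips the colon, but for VLAN, veth and macvlan interfaces that field carries a parent suffix (`eth0.100@eth0:`), so the later `${IPBINARY} -o -d link show ${I}` gets a name that does not exist, FIND stays empty and the interface is silently counted as non-promiscuous. Strip the suffix, e.g. `| ${SEDBINARY} 's/@.*//'`, before the loop. Two minor points: `--preqs-met` was removed from the Register call, which is correct now that both ip and ifconfig are optional, but the ifconfig fallback still depends on the old "Link encap" output format (`grep Link`), so on systems with only a recent net-tools it yields an empty NETWORK and the UNKNOWN result; and the status uses `${STATUS_UNKNOWN}` with YELLOW for "no interfaces discovered", which matches the rest of the file, so no change needed there.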
@ -574,8 +679,7 @@
# Description : Checking for DHCP client
Register --test-no NETW-3030 --weight L --network NO --category security --description "Checking DHCP client status"
if [ ${SKIPTEST} -eq 0 ]; then
IsRunning dhclient || IsRunning dhcpcd || IsRunning udhcpc
if [ ${RUNNING} -eq 1 ]; then
if IsRunning "dhclient" || IsRunning "dhcpcd" || IsRunning "udhcpc"; then
Display --indent 2 --text "- Checking status DHCP client" --result "${STATUS_RUNNING}" --color WHITE
DHCP_CLIENT_RUNNING=1
else
@ -591,32 +695,95 @@
if [ ${SKIPTEST} -eq 0 ]; then
FOUND=0
# addrwatch
if IsRunning "addrwatch"; then
FOUND=1
fi
# arpwatch
IsRunning arpwatch
if [ ${RUNNING} -eq 1 ]; then
if IsRunning "arpwatch"; then
FOUND=1
ARPWATCH_RUNNING=1
Display --indent 2 --text "- Checking for ARP monitoring software" --result "${STATUS_RUNNING}" --color GREEN
fi
# arpon
IsRunning arpon
if [ ${RUNNING} -eq 1 ]; then
if IsRunning "arpon"; then
FOUND=1
ARPON_RUNNING=1
Display --indent 2 --text "- Checking for ARP monitoring software" --result "${STATUS_RUNNING}" --color GREEN
fi
if [ ${FOUND} -eq 0 ]; then
if [ ${FOUND} -eq 1 ]; then
Display --indent 2 --text "- Checking for ARP monitoring software" --result "${STATUS_RUNNING}" --color GREEN
else
Display --indent 2 --text "- Checking for ARP monitoring software" --result "${STATUS_NOT_FOUND}" --color YELLOW
ReportSuggestion ${TEST_NO} "Consider running ARP monitoring software (arpwatch,arpon)"
#ReportSuggestion "${TEST_NO}" "Consider running ARP monitoring software (addrwatch,arpwatch,arpon)"
fi
fi
#
#################################################################################
#
# Test : NETW-3200
# Description : Determine available network protocols
# Notes : See all available supported modules: ls -d /lib/modules/$(uname -r )/kernel/net
# To see active/enabled protocols: ls -d /proc/sys/net
Register --test-no NETW-3200 --weight L --network YES --category security --description "Determine available network protocols"
if [ ${SKIPTEST} -eq 0 ]; then
TESTED=0
FOUND_UNCOMMON_PROTOCOL_ENABLED=0
case ${OS} in
Linux)
TESTED=1
LogText "Test: checking the status of some network protocols that typically are not used"
UNCOMMON_PROTOCOLS="dccp sctp rds tipc"
for P in ${UNCOMMON_PROTOCOLS}; do
LogText "Test: now checking module '${P}'"
if ! SkipAtomicTest "${TEST_NO}:${P}"; then
UNCOMMON_PROTOCOL_DISABLED=0
# First check modprobe.conf
if [ -f ${ROOTDIR}etc/modprobe.conf ]; then
DATA=$(${GREPBINARY} "^install ${P} /bin/true" ${ROOTDIR}etc/modprobe.conf)
if [ -n "${DATA}" ]; then
LogText "Result: found ${P} module disabled via modprobe.conf"
UNCOMMON_PROTOCOL_DISABLED=1
fi
fi
# Then additional modprobe configuration files
if [ -d ${ROOTDIR}etc/modprobe.d ]; then
DATA=$(${GREPBINARY} --files-with-matches --no-messages "^install ${P} /bin/true" ${ROOTDIR}etc/modprobe.d/*)
if [ -n "${DATA}" ]; then
UNCOMMON_PROTOCOL_DISABLED=1
for F in ${DATA}; do
LogText "Result: found ${P} module disabled via ${F}"
done
fi
fi
Report "dhcp_client_running=${DHCP_CLIENT_RUNNING}"
Report "arpwatch_running=${ARPWATCH_RUNNING}"
if [ ${UNCOMMON_PROTOCOL_DISABLED} -eq 0 ]; then
ReportSuggestion "${TEST_NO}" "Determine if protocol '${P}' is really needed on this system"
Report "uncommon_network_protocol_enabled=${P}"
FOUND_UNCOMMON_PROTOCOL_ENABLED=1
fi
fi
done
;;
*)
LogText "This test has no routine yet for this operating system."
Debug "No routine implemented yet for this operating system to check for available network protocols"
;;
esac
if [ ${TESTED} -eq 1 ]; then
if [ ${FOUND_UNCOMMON_PROTOCOL_ENABLED} -eq 1 ]; then
Display --indent 2 --text "- Uncommon network protocols" --result "${FOUND}" --color YELLOW
else
Display --indent 2 --text "- Uncommon network protocols" --result "${STATUS_NOT_FOUND}" --color GREEN
fi
fi
unset DATA F FOUND TESTED UNCOMMON_PROTOCOLS
fi
#
#################################################################################
#
WaitForKeyPress
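Review bot: in NETW-3200 the `Display ... --result "${FOUND}"` line passes the numeric FOUND variable (0/1, inherited from the ARP test and unset immediately afterwards), so the screen shows "1" instead of a status; it should be `--result "${STATUS_FOUND}"`. Three further points in this hunk: the modprobe check only accepts `install ${P} /bin/true`, so the equally common `install ${P} /bin/false` form is reported as the protocol still being enabled, which an `${EGREPBINARY} "^install ${P} /bin/(true|false)"` would fix; the `ReportSuggestion` for missing ARP monitoring is now commented out, so NETW-3020 no longer produces a suggestion at all, and either the line should be restored (with addrwatch added, as the comment already has it) or deleted rather than left as dead code; and the two `Report "dhcp_client_running=..."` / `Report "arpwatch_running=..."` lines appear as removed here and do not reappear anywhere in this diff, so unless they were moved to another file the report loses those keys.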


@ -6,7 +6,7 @@
# ------------------
#
# Copyright 2007-2013, Michael Boelen
# Copyright 2007-2019, CISOfy
# Copyright 2007-2020, CISOfy
#
# Website : https://cisofy.com
# Blog : http://linux-audit.com
@ -29,29 +29,86 @@
# Possible locations of php.ini
PHPINILOCS="${ROOTDIR}etc/php.ini ${ROOTDIR}etc/php.ini.default \
${ROOTDIR}etc/php/php.ini ${ROOTDIR}etc/php5.5/php.ini ${ROOTDIR}etc/php5.6/php.ini ${ROOTDIR}etc/php7.0/php.ini ${ROOTDIR}etc/php7.1/php.ini ${ROOTDIR}etc/php7.2/php.ini \
${ROOTDIR}etc/php/cgi-php5/php.ini ${ROOTDIR}etc/php/cli-php5/php.ini ${ROOTDIR}etc/php/apache2-php5/php.ini \
${ROOTDIR}etc/php/apache2-php5.5/php.ini ${ROOTDIR}etc/php/apache2-php5.6/php.ini ${ROOTDIR}etc/php/apache2-php7.0/php.ini ${ROOTDIR}etc/php/apache2-php7.1/php.ini \
${ROOTDIR}etc/php/cgi-php7.1/php.ini ${ROOTDIR}etc/php/apache2-php7.1/php.ini ${ROOTDIR}etc/php/cgi-php5.5/php.ini ${ROOTDIR}etc/php/cgi-php5.6/php.ini ${ROOTDIR}etc/php/cgi-php7.0/php.ini \
${ROOTDIR}etc/php/cli-php7.1/php.ini ${ROOTDIR}etc/php/cli-php5.5/php.ini ${ROOTDIR}etc/php/cli-php5.6/php.ini ${ROOTDIR}etc/php/cli-php7.0/php.ini \
${ROOTDIR}etc/php/embed-php7.1/php.ini ${ROOTDIR}etc/php/embed-php5.5/php.ini ${ROOTDIR}etc/php/embed-php5.6/php.ini ${ROOTDIR}etc/php/embed-php7.0/php.ini \
${ROOTDIR}etc/php/fpm-php7.1/php.ini ${ROOTDIR}etc/php/fpm-php5.5/php.ini ${ROOTDIR}etc/php/fpm-php5.6/php.ini ${ROOTDIR}etc/php/fpm-php7.0/php.ini \
${ROOTDIR}etc/php/php.ini \
${ROOTDIR}etc/php5.5/php.ini \
${ROOTDIR}etc/php5.6/php.ini \
${ROOTDIR}etc/php7.0/php.ini \
${ROOTDIR}etc/php7.1/php.ini \
${ROOTDIR}etc/php7.2/php.ini \
${ROOTDIR}etc/php7.3/php.ini \
${ROOTDIR}etc/php7.4/php.ini \
${ROOTDIR}etc/php/cgi-php5/php.ini \
${ROOTDIR}etc/php/cli-php5/php.ini \
${ROOTDIR}etc/php/apache2-php5/php.ini \
${ROOTDIR}etc/php/apache2-php5.5/php.ini \
${ROOTDIR}etc/php/apache2-php5.6/php.ini \
${ROOTDIR}etc/php/apache2-php7.0/php.ini \
${ROOTDIR}etc/php/apache2-php7.1/php.ini \
${ROOTDIR}etc/php/apache2-php7.2/php.ini \
${ROOTDIR}etc/php/apache2-php7.3/php.ini \
${ROOTDIR}etc/php/apache2-php7.4/php.ini \
${ROOTDIR}etc/php/cgi-php5.5/php.ini \
${ROOTDIR}etc/php/cgi-php5.6/php.ini \
${ROOTDIR}etc/php/cgi-php7.0/php.ini \
${ROOTDIR}etc/php/cgi-php7.1/php.ini \
${ROOTDIR}etc/php/cgi-php7.2/php.ini \
${ROOTDIR}etc/php/cgi-php7.3/php.ini \
${ROOTDIR}etc/php/cgi-php7.4/php.ini \
${ROOTDIR}etc/php/cli-php5.5/php.ini \
${ROOTDIR}etc/php/cli-php5.6/php.ini \
${ROOTDIR}etc/php/cli-php7.0/php.ini \
${ROOTDIR}etc/php/cli-php7.1/php.ini \
${ROOTDIR}etc/php/cli-php7.2/php.ini \
${ROOTDIR}etc/php/cli-php7.3/php.ini \
${ROOTDIR}etc/php/cli-php7.4/php.ini \
${ROOTDIR}etc/php/embed-php5.5/php.ini \
${ROOTDIR}etc/php/embed-php5.6/php.ini \
${ROOTDIR}etc/php/embed-php7.0/php.ini \
${ROOTDIR}etc/php/embed-php7.1/php.ini \
${ROOTDIR}etc/php/embed-php7.2/php.ini \
${ROOTDIR}etc/php/embed-php7.3/php.ini \
${ROOTDIR}etc/php/embed-php7.4/php.ini \
${ROOTDIR}etc/php/fpm-php7.4/php.ini \
${ROOTDIR}etc/php/fpm-php7.3/php.ini \
${ROOTDIR}etc/php/fpm-php7.2/php.ini \
${ROOTDIR}etc/php/fpm-php7.1/php.ini \
${ROOTDIR}etc/php/fpm-php7.0/php.ini \
${ROOTDIR}etc/php/fpm-php5.5/php.ini \
${ROOTDIR}etc/php/fpm-php5.6/php.ini \
${ROOTDIR}etc/php5/cgi/php.ini \
${ROOTDIR}etc/php5/cli/php.ini \
${ROOTDIR}etc/php5/cli-php5.4/php.ini ${ROOTDIR}etc/php5/cli-php5.5/php.ini ${ROOTDIR}etc/php5/cli-php5.6/php.ini \
${ROOTDIR}etc/php5/cli-php5.4/php.ini \
${ROOTDIR}etc/php5/cli-php5.5/php.ini \
${ROOTDIR}etc/php5/cli-php5.6/php.ini \
${ROOTDIR}etc/php5/apache2/php.ini \
${ROOTDIR}etc/php5/fpm/php.ini \
${ROOTDIR}private/etc/php.ini \
${ROOTDIR}etc/php/7.2/cli/php.ini ${ROOTDIR}etc/php/7.2/fpm/php.ini \
${ROOTDIR}etc/php/7.1/cli/php.ini ${ROOTDIR}etc/php/7.1/fpm/php.ini \
${ROOTDIR}etc/php/7.0/cli/php.ini ${ROOTDIR}etc/php/7.0/fpm/php.ini \
${ROOTDIR}etc/php/7.0/apache2/php.ini \
${ROOTDIR}etc/php/7.1/apache2/php.ini \
${ROOTDIR}etc/php/7.2/apache2/php.ini \
${ROOTDIR}etc/php/7.3/apache2/php.ini \
${ROOTDIR}etc/php/7.4/apache2/php.ini \
${ROOTDIR}etc/php/7.0/cli/php.ini \
${ROOTDIR}etc/php/7.0/fpm/php.ini \
${ROOTDIR}etc/php/7.1/cli/php.ini \
${ROOTDIR}etc/php/7.1/fpm/php.ini \
${ROOTDIR}etc/php/7.2/cli/php.ini \
${ROOTDIR}etc/php/7.2/fpm/php.ini \
${ROOTDIR}etc/php/7.3/cli/php.ini \
${ROOTDIR}etc/php/7.3/fpm/php.ini \
${ROOTDIR}etc/php/7.4/cli/php.ini \
${ROOTDIR}etc/php/7.4/fpm/php.ini \
${ROOTDIR}var/www/conf/php.ini \
${ROOTDIR}usr/local/etc/php.ini ${ROOTDIR}usr/local/lib/php.ini \
${ROOTDIR}usr/local/etc/php.ini \
${ROOTDIR}usr/local/lib/php.ini \
${ROOTDIR}usr/local/etc/php5/cgi/php.ini \
${ROOTDIR}usr/local/php54/lib/php.ini \
${ROOTDIR}usr/local/php56/lib/php.ini \
${ROOTDIR}usr/local/php70/lib/php.ini \
${ROOTDIR}usr/local/php71/lib/php.ini \
${ROOTDIR}usr/local/php72/lib/php.ini \
${ROOTDIR}usr/local/php73/lib/php.ini \
${ROOTDIR}usr/local/php74/lib/php.ini \
${ROOTDIR}usr/local/zend/etc/php.ini \
${ROOTDIR}usr/pkg/etc/php.ini \
${ROOTDIR}opt/cpanel/ea-php54/root/etc/php.ini \
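Review bot: one entry per line is a clear improvement, but the `fpm-php*` block is ordered descending (7.4 down to 5.5) while every other block in the list ascends; please keep the ordering consistent so the next version bump is a one-line insertion. Since the same SAPI set (apache2, cgi, cli, embed, fpm) is repeated per version, consider generating these paths in a loop over a version list instead of maintaining forty hard-coded lines, which is how the duplicate `apache2-php7.1` entry in the old list came about.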
@ -59,6 +116,9 @@
${ROOTDIR}opt/cpanel/ea-php56/root/etc/php.ini \
${ROOTDIR}opt/cpanel/ea-php70/root/etc/php.ini \
${ROOTDIR}opt/cpanel/ea-php71/root/etc/php.ini \
${ROOTDIR}opt/cpanel/ea-php72/root/etc/php.ini \
${ROOTDIR}opt/cpanel/ea-php73/root/etc/php.ini \
${ROOTDIR}opt/cpanel/ea-php74/root/etc/php.ini \
${ROOTDIR}opt/alt/php44/etc/php.ini \
${ROOTDIR}opt/alt/php51/etc/php.ini \
${ROOTDIR}opt/alt/php52/etc/php.ini \
@ -68,21 +128,44 @@
${ROOTDIR}opt/alt/php56/etc/php.ini \
${ROOTDIR}opt/alt/php70/etc/php.ini \
${ROOTDIR}opt/alt/php71/etc/php.ini \
${ROOTDIR}opt/alt/php72/etc/php.ini \
${ROOTDIR}opt/alt/php73/etc/php.ini \
${ROOTDIR}opt/alt/php74/etc/php.ini \
${ROOTDIR}etc/opt/remi/php56/php.ini \
${ROOTDIR}etc/opt/remi/php70/php.ini \
${ROOTDIR}etc/opt/remi/php71/php.ini \
${ROOTDIR}etc/opt/remi/php72/php.ini"
${ROOTDIR}etc/opt/remi/php72/php.ini \
${ROOTDIR}etc/opt/remi/php73/php.ini \
${ROOTDIR}etc/opt/remi/php74/php.ini"
# HEADS-UP: OpenBSD, last two releases are supported, and snapshots of -current
PHPINILOCS="${PHPINILOCS} \
${ROOTDIR}etc/php-5.6.ini \
${ROOTDIR}etc/php-7.0.ini \
${ROOTDIR}etc/php-7.1.ini \
${ROOTDIR}etc/php-7.2.ini \
${ROOTDIR}etc/php-7.3.ini \
${ROOTDIR}etc/php-7.4.ini"
PHPINIDIRS="${ROOTDIR}etc/php5/conf.d \
${ROOTDIR}etc/php/7.0/cli/conf.d \
${ROOTDIR}etc/php/7.1/cli/conf.d \
${ROOTDIR}etc/php/7.2/cli/conf.d \
${ROOTDIR}etc/php/7.3/cli/conf.d \
${ROOTDIR}etc/php/7.4/cli/conf.d \
${ROOTDIR}etc/php/7.0/fpm/conf.d \
${ROOTDIR}etc/php/7.1/fpm/conf.d \
${ROOTDIR}etc/php/7.2/fpm/conf.d \
${ROOTDIR}etc/php/7.3/fpm/conf.d \
${ROOTDIR}etc/php/7.4/fpm/conf.d \
${ROOTDIR}etc/php.d \
${ROOTDIR}opt/cpanel/ea-php54/root/etc/php.d ${ROOTDIR}opt/cpanel/ea-php55/root/etc/php.d ${ROOTDIR}opt/cpanel/ea-php56/root/etc/php.d ${ROOTDIR}opt/cpanel/ea-php70/root/etc/php.d \
${ROOTDIR}opt/cpanel/ea-php54/root/etc/php.d \
${ROOTDIR}opt/cpanel/ea-php55/root/etc/php.d \
${ROOTDIR}opt/cpanel/ea-php56/root/etc/php.d \
${ROOTDIR}opt/cpanel/ea-php70/root/etc/php.d \
${ROOTDIR}opt/cpanel/ea-php71/root/etc/php.d \
${ROOTDIR}opt/cpanel/ea-php72/root/etc/php.d \
${ROOTDIR}opt/cpanel/ea-php73/root/etc/php.d \
${ROOTDIR}opt/cpanel/ea-php74/root/etc/php.d \
${ROOTDIR}opt/alt/php44/etc/php.d.all \
${ROOTDIR}opt/alt/php51/etc/php.d.all \
${ROOTDIR}opt/alt/php52/etc/php.d.all \
@ -91,7 +174,24 @@
${ROOTDIR}opt/alt/php55/etc/php.d.all \
${ROOTDIR}opt/alt/php56/etc/php.d.all \
${ROOTDIR}opt/alt/php70/etc/php.d.all \
${ROOTDIR}opt/alt/php71/etc/php.d.all"
${ROOTDIR}opt/alt/php71/etc/php.d.all \
${ROOTDIR}opt/alt/php72/etc/php.d.all \
${ROOTDIR}opt/alt/php73/etc/php.d.all \
${ROOTDIR}opt/alt/php74/etc/php.d.all \
${ROOTDIR}usr/local/lib/php.conf.d \
${ROOTDIR}usr/local/php70/lib/php.conf.d \
${ROOTDIR}usr/local/php71/lib/php.conf.d \
${ROOTDIR}usr/local/php72/lib/php.conf.d \
${ROOTDIR}usr/local/php73/lib/php.conf.d \
${ROOTDIR}usr/local/php74/lib/php.conf.d"
# HEADS-UP: OpenBSD, last two releases are supported, and snapshots of -current
PHPINIDIRS="${PHPINIDIRS} \
${ROOTDIR}etc/php-5.6 \
${ROOTDIR}etc/php-7.0 \
${ROOTDIR}etc/php-7.1 \
${ROOTDIR}etc/php-7.2 \
${ROOTDIR}etc/php-7.3 \
${ROOTDIR}etc/php-7.4"
#
#################################################################################
#
@ -130,7 +230,7 @@
fi
done
if [ ! -z "${PHPINIFILE}" ]; then
if [ -n "${PHPINIFILE}" ]; then
Display --indent 2 --text "- Checking PHP" --result "${STATUS_FOUND}" --color GREEN
LogText "Result: using single file ${PHPINIFILE} for main php.ini tests"
LogText "Result: using php.ini array ${PHPINI_ALLFILES} for further tests"
@ -138,14 +238,14 @@
Display --indent 2 --text "- Checking PHP" --result "${STATUS_NOT_FOUND}" --color WHITE
LogText "Result: no php.ini file found"
fi
unset DIR; unset FILE; unset FIND
unset DIR FILE FIND
fi
#
#################################################################################
#
# Test : PHP-2320
# Description : Check php disable functions option
if [ ! -z "${PHPINI_ALLFILES}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
if [ -n "${PHPINI_ALLFILES}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PHP-2320 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check PHP disabled functions"
if [ ${SKIPTEST} -eq 0 ]; then
FOUND=0
@ -170,7 +270,7 @@
if [ ${FOUND} -eq 0 ]; then
LogText "Result: all PHP functions can be executed"
Display --indent 4 --text "- Checking PHP disabled functions" --result "${STATUS_NONE}" --color YELLOW
ReportSuggestion ${TEST_NO} "Harden PHP by disabling risky functions"
ReportSuggestion "${TEST_NO}" "Harden PHP by disabling risky functions"
LogText "Functions of interest to research/disable: chown, diskfreespace, disk_free_space, disk_total_space, dl, exec, escapeshellarg, escapeshellcmd, fileinode, highlight_file, max_execution_time, passthru, pclose, phpinfo, popen, proc_close, proc_open, proc_get_status, proc_nice, proc_open, proc_terminate, set_time_limit, shell_exec, show_source, system)"
AddHP 0 1
else
@ -185,7 +285,7 @@
# Test : PHP-2368
# Description : Check php register_globals option
# Notes : Don't test for it if PHP version is 5.4.0 or later (it has been removed)
if [ ! -z "${PHPINIFILE}" -a ! -z "${PHPVERSION}" -a ! -z "${EGREPBINARY}" ]; then
if [ -n "${PHPINIFILE}" -a -n "${PHPVERSION}" -a -n "${EGREPBINARY}" ]; then
if [ -f "${PHPINIFILE}" ]; then
FIND=$(echo ${PHPVERSION} | ${EGREPBINARY} "^(4.|5.[0-3])")
if [ -z "${FIND}" ]; then
@ -206,10 +306,10 @@
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking PHP register_globals option"
FIND=$(${EGREPBINARY} -i 'register_globals.*(on|yes|1)' ${PHPINIFILE} | ${GREPBINARY} -v '^;')
if [ ! -z "${FIND}" ]; then
if [ -n "${FIND}" ]; then
Display --indent 4 --text "- Checking register_globals option" --result "${STATUS_WARNING}" --color RED
ReportWarning ${TEST_NO} "PHP option register_globals option is turned on, which can be a risk for variable value overwriting"
ReportSuggestion ${TEST_NO} "Change the register_globals line to: register_globals = Off"
ReportWarning "${TEST_NO}" "PHP option register_globals option is turned on, which can be a risk for variable value overwriting"
ReportSuggestion "${TEST_NO}" "Change the register_globals line to: register_globals = Off"
LogText "Result: register_globals option is turned on, which can be a risk for variable value overwriting."
AddHP 1 2
else
@ -226,11 +326,17 @@
# Description : Check PHP expose_php option
# Background : When this option is turned on, PHP will show its version number in the HTTP headers
# Notes : TODO - Extend test to check all PHP files
if [ ! -z "${PHPINI_ALLFILES}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
if [ -n "${PHPINI_ALLFILES}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PHP-2372 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check PHP expose_php option"
if [ ${SKIPTEST} -eq 0 ]; then
FOUND=0
for FILE in ${PHPINI_ALLFILES}; do
# Don't look at this setting in cli configuration
case "${FILE}" in
*/cli/*)
continue
;;
esac
LogText "Test: Checking file ${FILE}"
FIND=$(${EGREPBINARY} -i 'expose_php.*(on|yes|1)' ${FILE} | ${GREPBINARY} -v '^;')
if HasData "${FIND}"; then
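Review bot: the `*/cli/*` pattern only skips CLI php.ini files in the Debian/Ubuntu layout (`/etc/php/7.x/cli/php.ini`, `/etc/php5/cli/php.ini`); the Gentoo-style paths that PHPINILOCS also contains, such as `/etc/php/cli-php7.4/php.ini` and `/etc/php5/cli-php5.6/php.ini`, do not match and are still evaluated for expose_php, which is meaningless for the CLI SAPI. Extend the case to `*/cli/*|*/cli-php*)`.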
@ -242,7 +348,7 @@
if [ ${FOUND} -eq 1 ]; then
Display --indent 4 --text "- Checking expose_php option" --result "${STATUS_ON}" --color RED
ReportSuggestion ${TEST_NO} "Turn off PHP information exposure" "expose_php = Off" "-"
ReportSuggestion "${TEST_NO}" "Turn off PHP information exposure" "expose_php = Off" "-"
Report "Result: expose_php option is turned on, which can expose useful information for an attacker"
AddHP 1 3
else
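Review bot: the context line `Report "Result: expose_php option is turned on, ..."` writes a free-text sentence into the report file (where every other entry is a key=value pair) instead of the log; the surrounding tests use `LogText` for these "Result:" lines, so this should be `LogText` as well, even though the hunk itself only touches the ReportSuggestion quoting.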
@ -257,15 +363,15 @@
# Test : PHP-2374
# Description : Check PHP enable_dl option
# Notes : Extend test to check all PHP files
if [ ! -z "${PHPINIFILE}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
if [ -n "${PHPINIFILE}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PHP-2374 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check PHP enable_dl option"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking PHP enable_dl option"
FIND=$(${EGREPBINARY} -i 'enable_dl.*(on|yes|1)' ${PHPINIFILE} | ${GREPBINARY} -v '^;')
if [ ! -z "${FIND}" ]; then
if [ -n "${FIND}" ]; then
Display --indent 4 --text "- Checking enable_dl option" --result "${STATUS_ON}" --color YELLOW
Report "Result: enable_dl option is turned on, which can be used to enable more modules dynamically and circumventing security controls"
ReportSuggestion ${TEST_NO} "Change the enable_dl line to: enable_dl = Off, to disable dynamically loading new modules"
ReportSuggestion "${TEST_NO}" "Change the enable_dl line to: enable_dl = Off, to disable dynamically loading new modules"
AddHP 0 1
else
Display --indent 4 --text "- Checking enable_dl option" --result "${STATUS_OFF}" --color GREEN
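Review bot: same issue as in PHP-2372: `Report "Result: enable_dl option is turned on, ..."` in the ON branch should be `LogText`, otherwise a prose line ends up in the report file; while you are quoting `${TEST_NO}` on the neighbouring line, that is the place to fix it.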
@ -279,15 +385,15 @@
# Test : PHP-2376
# Description : Check PHP allow_url_fopen option
# Notes : Extend test to check all PHP files YYY
if [ ! -z "${PHPINIFILE}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
if [ -n "${PHPINIFILE}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PHP-2376 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check PHP allow_url_fopen option"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking PHP allow_url_fopen option"
FIND=$(${EGREPBINARY} -i 'allow_url_fopen.*(off|no|0)' ${PHPINIFILE} | ${GREPBINARY} -v '^;')
if [ -z "${FIND}" ]; then
Display --indent 4 --text "- Checking allow_url_fopen option" --result "${STATUS_ON}" --color YELLOW
LogText "Result: allow_url_fopen option is turned on, which can be used for riskful downloads via PHP"
ReportSuggestion ${TEST_NO} "Change the allow_url_fopen line to: allow_url_fopen = Off, to disable downloads via PHP"
LogText "Result: allow_url_fopen option is turned on, which can be used for downloads via PHP and is a security risk"
ReportSuggestion "${TEST_NO}" "Change the allow_url_fopen line to: allow_url_fopen = Off, to disable downloads via PHP"
AddHP 0 1
else
Display --indent 4 --text "- Checking allow_url_fopen option" --result "${STATUS_OFF}" --color GREEN
@ -302,15 +408,15 @@
# Test : PHP-2378
# Description : Check PHP allow_url_include option
# Notes : Extend test to check all PHP files YYY
if [ ! -z "${PHPINIFILE}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
if [ -n "${PHPINIFILE}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PHP-2378 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check PHP allow_url_include option"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking PHP allow_url_include option"
FIND=$(${EGREPBINARY} -i 'allow_url_include.*(off|no|0)' ${PHPINIFILE} | ${GREPBINARY} -v '^;')
if [ -z "${FIND}" ]; then
Display --indent 4 --text "- Checking allow_url_include option" --result "${STATUS_ON}" --color YELLOW
Report "Result: allow_url_include option is turned on, which can be used for riskful downloads via PHP"
ReportSuggestion ${TEST_NO} "Change the allow_url_include line to: allow_url_include = Off, to disable downloads via PHP"
Report "Result: allow_url_include option is turned on, which can be used for downloads via PHP and is a risk"
ReportSuggestion "${TEST_NO}" "Change the allow_url_include line to: allow_url_include = Off, to disable downloads via PHP"
AddHP 0 1
else
Display --indent 4 --text "- Checking allow_url_include option" --result "${STATUS_OFF}" --color GREEN
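Review bot: `Report "Result: allow_url_include option is turned on, ..."` uses `Report` for a free-text result line, where the sibling PHP-2376 test and every other result line in this file use `LogText`; this looks like it should be `LogText` here as well. The same unanchored `allow_url_include.*(off|no|0)` pattern issue as in PHP-2376 applies.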
@ -324,7 +430,7 @@
# - test disabled for time being, as newer suhosin7 work is not stable enough -
# Test : PHP-2379
# Description : Check PHP suhosin extension status
#if [ ! -z "${PHPINI_ALLFILES}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
#if [ -n "${PHPINI_ALLFILES}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
#Register --test-no PHP-2379 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check PHP suhosin extension status"
#if [ ${SKIPTEST} -eq 0 ]; then
@ -356,14 +462,14 @@
# fi
# # Check Suhosin for PHP 7
# if [ ! -z "${MAJOR_VERSION}" -a ${FOUND} -eq 1 ]; then
# if [ -n "${MAJOR_VERSION}" -a ${FOUND} -eq 1 ]; then
# LogText "Test: Check Suhosin for PHP 7 is not enabled"
# LogText "Result: Suhosin for PHP 7 is in alpha stage and should not be used in production"
# ReportSuggestion ${TEST_NO} "Disable Suhosin for PHP 7"
# ReportSuggestion "${TEST_NO}" "Disable Suhosin for PHP 7"
# Display --indent 4 --text "- Checking PHP suhosin extension status" --result "${STATUS_WARNING}" --color RED
# Display --indent 6 --text "- Suhosin is enabled for PHP 7" --result "${STATUS_WARNING}" --color RED
# AddHP 0 1
# elif [ ! -z "${MAJOR_VERSION}" -a ${FOUND} -eq 0 ]; then
# elif [ -n "${MAJOR_VERSION}" -a ${FOUND} -eq 0 ]; then
# LogText "Test: Check Suhosin for PHP 7 is not enabled"
# LogText "Result: Suhosin for PHP 7 is not enabled"
# Display --indent 4 --text "- Checking PHP suhosin extension status" --result "${STATUS_OK}" --color GREEN
@ -373,7 +479,7 @@
# if [ ${FOUND} -eq 0 ]; then
# LogText "Result: Suhosin extension is not enabled"
# Display --indent 4 --text "- Checking PHP suhosin extension status" --result "${STATUS_WARNING}" --color RED
# ReportSuggestion ${TEST_NO} "Harden PHP by enabling suhosin extension"
# ReportSuggestion "${TEST_NO}" "Harden PHP by enabling suhosin extension"
# LogText "suhosin extension is not enabled"
# AddHP 0 1
# else
@ -389,7 +495,7 @@
# else
# LogText "Result: Suhosin simulation mode is active"
# Display --indent 6 --text "- Suhosin simulation mode status" --result "${STATUS_WARNING}" --color RED
# ReportSuggestion ${TEST_NO} "Harden PHP by deactivating suhosin simulation mode"
# ReportSuggestion "${TEST_NO}" "Harden PHP by deactivating suhosin simulation mode"
# LogText "suhosin simulation mode is active"
# AddHP 0 1
# fi
@ -397,6 +503,42 @@
#fi
#
#################################################################################
#
# Test : PHP-2382
# Description : Check listen option
# Background : https://github.com/CISOfy/lynis/issues/837
if [ -n "${PHPINI_ALLFILES}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PHP-2382 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check PHP expose_php option"
if [ ${SKIPTEST} -eq 0 ]; then
FOUND=0
for FILE in ${PHPINI_ALLFILES}; do
# Don't look at this setting in cli configuration
case "${FILE}" in
*/cli/*)
continue
;;
esac
LogText "Test: Checking file ${FILE}"
FIND=$(${EGREPBINARY} -i "^listen = [0-9]{1,5}$" ${FILE})
if HasData "${FIND}"; then
LogText "Result: found listen on just a port number"
LogText "Data: ${FIND}"
LogText "Note: when possible, limit access to just localhost, so it can't be accessed from outside"
FOUND=1
fi
done
if [ ${FOUND} -eq 1 ]; then
Display --indent 4 --text "- Checking listen option" --result "${STATUS_SUGGESTION}" --color YELLOW
#ReportSuggestion "${TEST_NO}" "Limit the listening of FastCGI to just localhost or a local socket" "listen = 127.0.0.1:9000" "-"
AddHP 1 3
else
Display --indent 4 --text "- Checking listen option" --result "${STATUS_OK}" --color GREEN
AddHP 2 2
fi
fi
#
#################################################################################
#
WaitForKeyPress
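Review bot: the `Register` call for PHP-2382 says `--description "Check PHP expose_php option"`, which matches neither the header comment `# Description : Check listen option` nor the `Display` text; looks like a copy-paste leftover and should describe the listen option. With the `ReportSuggestion` line commented out, a hit yields a yellow `STATUS_SUGGESTION` result and `AddHP 1 3` but nothing in the report telling the admin what to change; either restore the suggestion or log it only. The pattern `^listen = [0-9]{1,5}$` also only catches that exact spacing, so `listen=9000` or `listen = 0.0.0.0:9000` (equally reachable from outside) pass silently, and `${FILE}` should be quoted in the egrep call.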


@ -6,7 +6,7 @@
# ------------------
#
# Copyright 2007-2013, Michael Boelen
# Copyright 2007-2019, CISOfy
# Copyright 2007-2020, CISOfy
#
# Website : https://cisofy.com
# Blog : http://linux-audit.com
@ -26,6 +26,7 @@
PACKAGE_MGR_PKG=0
PACKAGE_AUDIT_TOOL=""
PACKAGE_AUDIT_TOOL_FOUND=0
PACMANCONF="${ROOTDIR}etc/pacman.conf"
INSTALLED_PACKAGES=""
#
#################################################################################
@ -37,7 +38,7 @@
# Test : PKGS-7301
# Description : Query FreeBSD pkg
if [ -x ${ROOTDIR}usr/sbin/pkg ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PKGS-7301 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Query NetBSD pkg"
Register --test-no PKGS-7301 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Query FreeBSD pkg"
if [ ${SKIPTEST} -eq 0 ]; then
FIND=$(pkg -N 2>&1; echo $?)
if [ "${FIND}" = "0" ]; then
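Review bot: `FIND=$(pkg -N 2>&1; echo $?)` captures any stdout/stderr output together with the exit status, so `"${FIND}" = "0"` only holds when `pkg -N` prints nothing; capture the status on its own (`pkg -N >/dev/null 2>&1; FIND=$?`). The prerequisite tests `${ROOTDIR}usr/sbin/pkg` but the command runs a bare `pkg`; use the same path in both places.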
@ -88,7 +89,7 @@
# Test : PKGS-7303
# Description : Query brew package manager
FIND=$(which brew 2> /dev/null | grep -v "no [^ ]* in ")
if [ ! -z "${FIND}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
if [ -n "${FIND}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PKGS-7303 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Query brew package manager"
if [ ${SKIPTEST} -eq 0 ]; then
Display --indent 4 --text "- Searching brew" --result "${STATUS_FOUND}" --color GREEN
@ -158,7 +159,7 @@
#
# Test : PKGS-7308
# Description : RPM package based systems
if [ ! -z "${RPMBINARY}" -a -z "${DNFBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
if [ -n "${RPMBINARY}" -a -z "${DNFBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PKGS-7308 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking package list with RPM"
if [ ${SKIPTEST} -eq 0 ]; then
COUNT=0
@ -191,7 +192,7 @@
#
# Test : PKGS-7310
# Description : pacman package based systems
if [ ! -z "${PACMANBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
if [ -n "${PACMANBINARY}" -a -f "${PACMANCONF}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PKGS-7310 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking package list with pacman"
if [ ${SKIPTEST} -eq 0 ]; then
COUNT=0
@ -222,12 +223,12 @@
#
# Test : PKGS-7312
# Description : Check for available package updates when pacman package is used
if [ ! -z "${PACMANBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
if [ -n "${PACMANBINARY}" -a -f "${PACMANCONF}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PKGS-7312 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking available updates for pacman based system"
if [ ${SKIPTEST} -eq 0 ]; then
FOUND=0
FIND=$(which checkupdates 2> /dev/null | grep -v "no [^ ]* in ")
if [ ! -z "${FIND}" ]; then
if [ -n "${FIND}" ]; then
FIND=$(checkupdates)
for I in ${FIND}; do
LogText "Result: update available for ${I}"
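Review bot: PKGS-7312 is registered with `--network NO`, but `checkupdates` refreshes a temporary copy of the package databases from the mirrors before listing updates, so the flag should be `--network YES`. The `which checkupdates ... | grep -v` line also uses a bare `grep` instead of `${GREPBINARY}` as elsewhere in this file.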
@ -251,8 +252,7 @@
#
# Test : PKGS-7314
# Description : Check pacman.conf options
PACMANCONF="/etc/pacman.conf"
if [ ! -z "${PACMANBINARY}" -a -f ${PACMANCONF} ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
if [ -n "${PACMANBINARY}" -a -f "${PACMANCONF}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PKGS-7314 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking pacman configuration options"
if [ ${SKIPTEST} -eq 0 ]; then
COUNT=0
@ -315,7 +315,7 @@
#
# Test : PKGS-7322
# Description : Discover vulnerable packages with arch-audit
if [ ! -z "${ARCH_AUDIT_BINARY}" ]; then PREQS_MET="YES"; SKIPREASON=""; else PREQS_MET="NO"; SKIPREASON="arch-audit not found"; fi
if [ -n "${ARCH_AUDIT_BINARY}" ]; then PREQS_MET="YES"; SKIPREASON=""; else PREQS_MET="NO"; SKIPREASON="arch-audit not found"; fi
Register --test-no PKGS-7322 --os "Linux" --preqs-met ${PREQS_MET} --skip-reason "${SKIPREASON}" --weight L --network NO --category security --description "Discover vulnerable packages with arch-audit"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: checking arch-audit output for vulnerable packages"
@ -338,14 +338,14 @@
#
# Test : PKGS-7328
# Description : Check installed packages with Zypper
if [ ! -z "${ZYPPERBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
if [ -n "${ZYPPERBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PKGS-7328 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Querying Zypper for installed packages"
if [ ${SKIPTEST} -eq 0 ]; then
COUNT=0
PACKAGE_AUDIT_TOOL_FOUND=1
PACKAGE_AUDIT_TOOL="zypper"
FIND=$(${ZYPPERBINARY} -n se -t package -i | ${AWKBINARY} '{ if ($1=="i") { print $3 } }')
if [ ! -z "${FIND}" ]; then
FIND=$(${ZYPPERBINARY} --non-interactive -n se -t package -i | ${AWKBINARY} '{ if ($1=="i") { print $3 } }')
if [ -n "${FIND}" ]; then
for PKG in ${FIND}; do
COUNT=$((COUNT + 1))
LogText "Installed package: ${PKG}"
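Review bot: `${ZYPPERBINARY} --non-interactive -n se -t package -i` passes the same option twice, since `-n` is the short form of `--non-interactive`; the `pchk` and `lp` calls changed below drop the `-n`, so do the same here for consistency.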
@ -362,19 +362,19 @@
#
# Test : PKGS-7330
# Description : Check vulnerable packages with Zypper
if [ ! -z "${ZYPPERBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
if [ -n "${ZYPPERBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PKGS-7330 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Querying Zypper for vulnerable packages"
if [ ${SKIPTEST} -eq 0 ]; then
FIND=$(${ZYPPERBINARY} -n pchk | ${GREPBINARY} "(0 security patches)")
if [ ! -z "${FIND}" ]; then
FIND=$(${ZYPPERBINARY} --non-interactive pchk | ${GREPBINARY} "(0 security patches)")
if [ -n "${FIND}" ]; then
LogText "Result: No security updates found with Zypper"
Display --indent 2 --text "- Using Zypper to find vulnerable packages" --result "${STATUS_NONE}" --color GREEN
else
Display --indent 2 --text "- Using Zypper to find vulnerable packages" --result "${STATUS_WARNING}" --color RED
LogText "Result: Zypper found one or more installed packages which are vulnerable."
ReportWarning ${TEST_NO} "Found one or more vulnerable packages installed"
ReportWarning "${TEST_NO}" "Found one or more vulnerable packages installed"
# Unfortunately zypper does not properly give back which package it is. Usually best guess is last word on the line
FIND=$(${ZYPPERBINARY} -n lp | ${AWKBINARY} '{ if ($5=="security" || $7=="security") { print $NF }}' | ${SEDBINARY} 's/:$//' | ${GREPBINARY} -v "^$" | ${SORTBINARY} -u)
FIND=$(${ZYPPERBINARY} --non-interactive lp | ${AWKBINARY} '{ if ($5=="security" || $7=="security") { print $NF }}' | ${SEDBINARY} 's/:$//' | ${GREPBINARY} -v "^$" | ${SORTBINARY} -u)
LogText "List of vulnerable packages/version:"
for PKG in ${FIND}; do
VULNERABLE_PACKAGES_FOUND=1
@ -487,7 +487,7 @@
COUNT=$((COUNT + 1))
LogText "Found unpurged package: ${J}"
done
ReportSuggestion ${TEST_NO} "Purge old/removed packages (${COUNT} found) with aptitude purge or dpkg --purge command. This will cleanup old configuration files, cron jobs and startup scripts."
ReportSuggestion "${TEST_NO}" "Purge old/removed packages (${COUNT} found) with aptitude purge or dpkg --purge command. This will cleanup old configuration files, cron jobs and startup scripts."
fi
else
LogText "Result: dpkg can NOT be found on this system, test skipped"
@ -510,7 +510,7 @@
else
Display --indent 2 --text "- Checking presence old distfiles" --result "${STATUS_WARNING}" --color YELLOW
LogText "Result: found ${FIND} unused distfiles"
ReportSuggestion ${TEST_NO} "Unused distfiles found. Use portsclean to delete these files. For example: portsclean -DD."
ReportSuggestion "${TEST_NO}" "Unused distfiles found. Use portsclean to delete these files. For example: portsclean -DD."
fi
fi
fi
@ -520,7 +520,7 @@
# Test : PKGS-7350
# Description : Use Dandified YUM to gather installed packages
# Notes : Possible replacement for YUM in the long term
if [ ! -z "${DNFBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
if [ -n "${DNFBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no "PKGS-7350" --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking for installed packages with DNF utility"
if [ ${SKIPTEST} -eq 0 ]; then
COUNT=0
@ -546,13 +546,13 @@
#
# Test : PKGS-7352
# Description : Use Dandified YUM to detect security updates
if [ ! -z "${DNFBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
if [ -n "${DNFBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no "PKGS-7352" --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking for security updates with DNF utility"
if [ ${SKIPTEST} -eq 0 ]; then
# Check for security updates
LogText "Action: checking updateinfo for security updates"
FIND=$(${DNFBINARY} -q updateinfo list sec 2> /dev/null | ${AWKBINARY} '{ if ($2=="security") { print $3 }}')
if [ ! -z "${FIND}" ]; then
if [ -n "${FIND}" ]; then
VULNERABLE_PACKAGES_FOUND=1
LogText "Result: found vulnerable packages, upgrade of system needed."
for PKG in ${FIND}; do
@ -561,7 +561,7 @@
# Decrease hardening points for every found vulnerable package
AddHP 1 2
done
ReportWarning ${TEST_NO} "Found one or more vulnerable packages. Run: dnf upgrade"
ReportWarning "${TEST_NO}" "Found one or more vulnerable packages. Run: dnf upgrade"
Display --indent 2 --text "- Using DNF to find vulnerable packages" --result "${STATUS_WARNING}" --color RED
else
LogText "Result: no security updates found"
@ -574,20 +574,20 @@
#
# Test : PKGS-7354
# Description : Perform integrity tests for package database
if [ ! -z "${DNFBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
if [ -n "${DNFBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no "PKGS-7354" --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking package database integrity"
if [ ${SKIPTEST} -eq 0 ]; then
# Check if repoquery plugin is available
FIND=$(${DNFBINARY} 2>&1 | ${GREPBINARY} "^repoquery")
if [ ! -z "${FIND}" ]; then
if [ -n "${FIND}" ]; then
LogText "Action: checking integrity of package database"
FIND=$(${DNFBINARY} -q repoquery --duplicated)
if [ ! -z "${FIND}" ]; then
if [ -n "${FIND}" ]; then
LogText "Result: found unexpected result on repoquery --duplicated"
ReportSuggestion "${TEST_NO}" "Check output of: dnf repoquery --duplicated"
fi
FIND=$(${DNFBINARY} -q repoquery --unsatisfied)
if [ ! -z "${FIND}" ]; then
if [ -n "${FIND}" ]; then
LogText "Result: found unexpected result on repoquery --unsatisfied"
ReportSuggestion "${TEST_NO}" "Check output of: dnf repoquery --unsatisfied"
fi
@ -600,17 +600,17 @@
#
# Test : PKGS-7366
# Description : Checking if debsecan is installed and enabled on Debian systems
if [ ! -z "${DEBSECANBINARY}" -a "${OS}" = "Linux" -a "${LINUX_VERSION}" = "Debian" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
if [ -n "${DEBSECANBINARY}" -a "${OS}" = "Linux" -a "${LINUX_VERSION}" = "Debian" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no "PKGS-7366" --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking for debsecan utility"
if [ ${SKIPTEST} -eq 0 ]; then
if [ ! -z "${DEBSECANBINARY}" ]; then
if [ -n "${DEBSECANBINARY}" ]; then
LogText "Result: debsecan utility is installed"
Display --indent 4 --text "- debsecan utility" --result "${STATUS_FOUND}" --color GREEN
AddHP 3 3
PACKAGE_AUDIT_TOOL_FOUND=1
PACKAGE_AUDIT_TOOL="debsecan"
FIND=$(${FINDBINARY} ${ROOTDIR}etc/cron* -name debsecan)
if [ ! -z "${FIND}" ]; then
if [ -n "${FIND}" ]; then
LogText "Result: cron job is configured for debsecan"
Display --indent 6 --text "- debsecan cron job" --result "${STATUS_FOUND}" --color GREEN
AddHP 3 3
@ -618,13 +618,13 @@
LogText "Result: no cron job is configured for debsecan"
Display --indent 4 --text "- debsecan cron job" --result "${STATUS_NOT_FOUND}" --color YELLOW
AddHP 1 3
ReportSuggestion ${TEST_NO} "Check debsecan cron job and ensure it is enabled"
ReportSuggestion "${TEST_NO}" "Check debsecan cron job and ensure it is enabled"
fi
else
LogText "Result: debsecan is not installed."
Display --indent 4 --text "- debsecan utility" --result "${STATUS_NOT_FOUND}" --color YELLOW
AddHP 0 2
ReportSuggestion ${TEST_NO} "Install debsecan to check for vulnerabilities on installed packages."
ReportSuggestion "${TEST_NO}" "Install debsecan to check for vulnerabilities on installed packages."
fi
fi
#
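Review bot: the `else` branch ending in `ReportSuggestion "${TEST_NO}" "Install debsecan to check for vulnerabilities on installed packages."` is unreachable: the prerequisite for PKGS-7366 already requires `-n "${DEBSECANBINARY}"`, so the inner `if [ -n "${DEBSECANBINARY}" ]` is always true when the test runs. Either drop the binary from the prerequisite (keeping the `Linux`/`Debian` conditions) so Debian hosts without debsecan receive the suggestion and `AddHP 0 2`, or remove the dead branch.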
@ -633,10 +633,10 @@
# Test : PKGS-7370
# Description : Checking debsums installation status and presence in cron job
# Note : Run this only when it is a DPKG based system
if [ ! -z "${DPKGBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
if [ -n "${DPKGBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no "PKGS-7370" --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking for debsums utility"
if [ ${SKIPTEST} -eq 0 ]; then
if [ ! -z "${DEBSUMSBINARY}" ]; then
if [ -n "${DEBSUMSBINARY}" ]; then
LogText "Result: debsums utility is installed"
Display --indent 4 --text "- debsums utility" --result "${STATUS_FOUND}" --color GREEN
AddHP 1 1
@ -650,12 +650,12 @@
LogText "Result: Cron job is not configured for debsums utility."
Display --indent 6 --text "- Cron job for debsums" --result "${STATUS_NOT_FOUND}" --color YELLOW
AddHP 1 3
ReportSuggestion "${TEST_NO}" "Check debsums configuration and enable checking regurlarly via a cron job."
ReportSuggestion "${TEST_NO}" "Check debsums configuration and enable checking regularly via a cron job."
fi
else
LogText "Result: debsums utility is not installed."
AddHP 0 2
ReportSuggestion ${TEST_NO} "Install debsums utility for the verification of packages with known good database."
ReportSuggestion "${TEST_NO}" "Install debsums utility for the verification of packages with known good database."
fi
fi
#
@ -702,7 +702,7 @@
else
Display --indent 2 --text "- Checking pkg_admin audit to obtain vulnerable packages" --result "${STATUS_WARNING}" --color RED
LogText "Result: pkg_admin audit found one or more installed packages which are vulnerable."
ReportWarning ${TEST_NO} "Found one or more vulnerable packages."
ReportWarning "${TEST_NO}" "Found one or more vulnerable packages."
LogText "List of vulnerable packages/version:"
for I in $(${ROOTDIR}usr/sbin/pkg_admin audit | ${AWKBINARY} '{ print $2 }' | ${SORTBINARY} -u); do
VULNERABLE_PACKAGES_FOUND=1
@ -728,7 +728,7 @@
# Description : Check for vulnerable FreeBSD packages (with pkg)
# Notes : Related vulnerability file is /var/db/pkg/vuln.xml
# TODO : Run this in any jail
if [ ! -z "${PKG_BINARY}" ]; then PREQS_MET="YES"; SKIPREASON=""; else PREQS_MET="NO"; SKIPREASON="pkg tool not available"; fi
if [ -n "${PKG_BINARY}" ]; then PREQS_MET="YES"; SKIPREASON=""; else PREQS_MET="NO"; SKIPREASON="pkg tool not available"; fi
Register --test-no PKGS-7381 --preqs-met ${PREQS_MET} --skip-reason "${SKIPREASON}" --weight L --network NO --category security --description "Check for vulnerable FreeBSD packages with pkg"
if [ ${SKIPTEST} -eq 0 ]; then
COUNT=0
@ -746,7 +746,7 @@
Display --indent 2 --text "- Checking pkg audit to obtain vulnerable packages" --result "${STATUS_NONE}" --color GREEN
AddHP 10 10
elif [ $? -eq 1 ]; then
if [ ! -z "${FIND}" ]; then
if [ -n "${FIND}" ]; then
VULNERABLE_PACKAGES_FOUND=1
Display --indent 2 --text "- Checking pkg audit to obtain vulnerable packages" --result "${STATUS_FOUND}" --color YELLOW
for ITEM in ${FIND}; do
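Review bot: in `elif [ $? -eq 1 ]; then`, `$?` holds the exit status of the preceding `if` condition that just failed, not the status of `pkg audit`, so this branch is taken whenever the first condition is false. Save the command's exit status in a variable immediately after running it and test that variable in both branches.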
@ -755,7 +755,7 @@
LogText "Vulnerable package: ${ITEM}"
AddHP 1 2
done
ReportWarning ${TEST_NO} "Found vulnerable packages" "${COUNT} vulnerable packages" "text:Run pkg audit"
ReportWarning "${TEST_NO}" "Found vulnerable packages" "${COUNT} vulnerable packages" "text:Run pkg audit"
else
LogText "Result: found an exit code greater than zero, yet no output"
fi
@ -786,8 +786,8 @@
else
Display --indent 2 --text "- Checking portaudit to obtain vulnerabilities" --result "${STATUS_WARNING}" --color RED
LogText "Result: Portaudit found one or more installed packages which are vulnerable."
ReportWarning ${TEST_NO} "Found one or more vulnerable packages."
ReportSuggestion ${TEST_NO} "Update your system with portupgrade or other tools"
ReportWarning "${TEST_NO}" "Found one or more vulnerable packages."
ReportSuggestion "${TEST_NO}" "Update your system with portupgrade or other tools"
LogText "List of vulnerable packages/version:"
for PKG in $(${ROOTDIR}usr/local/sbin/portaudit | ${GREPBINARY} "Affected package" | ${CUTBINARY} -d ' ' -f3 | ${SORTBINARY} -u); do
VULNERABLE_PACKAGES_FOUND=1
@ -804,7 +804,7 @@
# Test : PKGS-7383
# Description : Check for YUM package Update management
# Notes : Skip if DNF is used as package manager
if [ ! -z "${YUMBINARY}" -a -z "${DNFBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
if [ -n "${YUMBINARY}" -a -z "${DNFBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PKGS-7383 --preqs-met ${PREQS_MET} --os Linux --weight M --network NO --category security --description "Check for YUM package update management"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: YUM package update management"
@ -812,7 +812,7 @@
if [ -z "${FIND}" -o "${FIND}" = "0" ]; then
LogText "Result: YUM package update management failed"
Display --indent 2 --text "- YUM package management consistency" --result "${STATUS_WARNING}" --color RED
ReportWarning ${TEST_NO} "YUM is not properly configured or registered for this platform (no repolist found)"
ReportWarning "${TEST_NO}" "YUM is not properly configured or registered for this platform (no repolist found)"
else
LogText "Result: YUM repository available (${FIND})"
Display --indent 2 --text "- YUM package management consistency" --result "${STATUS_OK}" --color GREEN
@ -823,7 +823,7 @@
#
# Test : PKGS-7384
# Description : Search for YUM utils package
if [ ! -z "${YUMBINARY}" -a -z "${DNFBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
if [ -n "${YUMBINARY}" -a -z "${DNFBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PKGS-7384 --preqs-met ${PREQS_MET} --os Linux --weight L --network NO --category security --description "Check for YUM utils package"
if [ ${SKIPTEST} -eq 0 ]; then
# package-cleanup tool can be found in different locations
@ -838,8 +838,8 @@
else
LogText "Result: One or more duplicate packages found"
Display --indent 2 --text "- Checking package database duplicates" --result "${STATUS_WARNING}" --color RED
ReportWarning ${TEST_NO} "Found one or more duplicate packages installed"
ReportSuggestion ${TEST_NO} "Run package-cleanup to solve duplicate package problems"
ReportWarning "${TEST_NO}" "Found one or more duplicate packages installed"
ReportSuggestion "${TEST_NO}" "Run package-cleanup to solve duplicate package problems"
fi
# Check for package database problems
@ -851,13 +851,13 @@
else
LogText "Result: One or more problems found in package database"
Display --indent 2 --text "- Checking package database for problems" --result "${STATUS_WARNING}" --color RED
ReportWarning ${TEST_NO} "Found one or more problems in the package database"
ReportSuggestion ${TEST_NO} "Run package-cleanup to solve package problems"
ReportWarning "${TEST_NO}" "Found one or more problems in the package database"
ReportSuggestion "${TEST_NO}" "Run package-cleanup to solve package problems"
fi
else
Display --indent 2 --text "- yum-utils package not installed" --result "${STATUS_SUGGESTION}" --color YELLOW
LogText "Result: YUM utils package not found"
ReportSuggestion ${TEST_NO} "Install package 'yum-utils' for better consistency checking of the package database"
ReportSuggestion "${TEST_NO}" "Install package 'yum-utils' for better consistency checking of the package database"
fi
fi
#
@ -879,8 +879,7 @@
if [ ${DO_TEST} -eq 0 ]; then
FileExists ${ROOTDIR}usr/share/yum-cli/cli.py
if [ ${FILE_FOUND} -eq 1 ]; then
SearchItem "\-\-security" "${ROOTDIR}usr/share/yum-cli/cli.py"
if [ ${ITEM_FOUND} -eq 1 ]; then
if SearchItem "\-\-security" "${ROOTDIR}usr/share/yum-cli/cli.py"; then
DO_TEST=1
LogText "Result: found built-in security in yum"
else
@ -892,8 +891,7 @@
if [ ${DO_TEST} -eq 0 ]; then
FileExists ${ROOTDIR}etc/yum/pluginconf.d/security.conf
if [ ${FILE_FOUND} -eq 1 ]; then
SearchItem "^enabled=1$" "${ROOTDIR}etc/yum/pluginconf.d/security.conf"
if [ ${ITEM_FOUND} -eq 1 ]; then
if SearchItem "^enabled=1$" "${ROOTDIR}etc/yum/pluginconf.d/security.conf"; then
DO_TEST=1
LogText "Result: found enabled plugin"
else
@ -905,7 +903,7 @@
# Check if it's installed as package (this is old style)
if [ ${DO_TEST} -eq 0 ]; then
FIND=$(rpm -q yum-security yum-plugin-security | ${GREPBINARY} -v "not installed")
if [ ! -z "${FIND}" ]; then
if [ -n "${FIND}" ]; then
LogText "Result: found yum-plugin-security package"
DO_TEST=1
fi
@ -929,13 +927,12 @@
LogText "Vulnerable package: ${I}"
AddHP 1 2
done
ReportWarning ${TEST_NO} "Found one or more vulnerable packages."
ReportSuggestion ${TEST_NO} "Use 'yum --security update' to update your system"
ReportWarning "${TEST_NO}" "Found one or more vulnerable packages."
fi
else
LogText "Result: yum-security package not found"
Display --indent 2 --text "- Checking missing security packages" --result "${STATUS_SKIPPED}" --color YELLOW
ReportSuggestion ${TEST_NO} "Install package yum-plugin-security if possible, to maintain security updates easier (yum install yum-plugin-security)"
ReportSuggestion "${TEST_NO}" "Install package yum-plugin-security if possible, to maintain security updates easier (yum install yum-plugin-security)"
fi
fi
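Review bot: the line `ReportSuggestion "${TEST_NO}" "Use 'yum --security update' to update your system"` is dropped while the matching warning is kept, so the report no longer tells the admin how to remediate the vulnerable packages. If the removal is intentional, say so in the change description; otherwise keep the suggestion with the quoted `"${TEST_NO}"` like the other calls in this hunk.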
#
@ -946,7 +943,7 @@
if [ -x ${ROOTDIR}usr/bin/yum -a -z "${DNFBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PKGS-7387 --preqs-met ${PREQS_MET} --os Linux --weight L --network NO --category security --description "Check for GPG signing in YUM security package"
if [ ${SKIPTEST} -eq 0 ]; then
if [ ! -z "${PYTHONBINARY}" ]; then
if [ -n "${PYTHONBINARY}" ]; then
LogText "Test: checking enabled repositories"
REPOS=$(${PYTHONBINARY} -c 'import yum ; yb = yum.YumBase() ; yb.conf ; print [(r.id + "=" + str(r.gpgcheck)) for r in yb.repos.listEnabled()]' | ${GREPBINARY} "^\[" | ${TRBINARY} -d '[] ' | ${TRBINARY} -d "'" | ${SEDBINARY} 's/,/ /g')
if [ -z "${REPOS}" ]; then LogText "Result: found no repositories"; fi
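Review bot: the inline script `print [(r.id + "=" + str(r.gpgcheck)) for r in yb.repos.listEnabled()]` is Python 2 print-statement syntax, so it fails with a SyntaxError when `${PYTHONBINARY}` resolves to python3, and the empty `REPOS` is then logged as "found no repositories". Use `print([...])`, which works on both, and treat a failing `import yum` (or a non-zero exit) as "could not query", not as "no repositories".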
@ -968,15 +965,15 @@
FOUND=0
FileExists ${ROOTDIR}etc/yum.conf
if [ ${FILE_FOUND} -eq 1 ]; then
SearchItem "^gpgenabled\s*=\s*1$" "${ROOTDIR}etc/yum.conf"; if [ ${ITEM_FOUND} -eq 1 ]; then FOUND=1; fi
SearchItem "^gpgcheck\s*=\s*1$" "${ROOTDIR}etc/yum.conf"; if [ ${ITEM_FOUND} -eq 1 ]; then FOUND=1; fi
if SearchItem "^gpgenabled\s*=\s*1$" "${ROOTDIR}etc/yum.conf"; then FOUND=1; fi
if SearchItem "^gpgcheck\s*=\s*1$" "${ROOTDIR}etc/yum.conf"; then FOUND=1; fi
if [ ${FOUND} -eq 1 ]; then
LogText "Result: GPG check is enabled"
Display --indent 2 --text "- Checking GPG checks (yum.conf)" --result "${STATUS_OK}" --color GREEN
AddHP 3 3
else
Display --indent 2 --text "- Checking GPG checks (yum.conf)" --result "${STATUS_DISABLED}" --color RED
ReportWarning ${TEST_NO} "No GPG signing option found in yum.conf"
ReportWarning "${TEST_NO}" "No GPG signing option found in yum.conf"
AddHP 2 3
fi
fi
@ -985,16 +982,26 @@
#################################################################################
#
# Test : PKGS-7388
# Description : Check security repository in Debian/ubuntu apt sources.list file
if [ -f ${ROOTDIR}etc/apt/sources.list -a -d ${ROOTDIR}etc/apt/sources.list.d ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PKGS-7388 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check security repository in Debian/ubuntu apt sources.list file"
# Description : Check security repository in Debian/Ubuntu apt sources.list file
PREQS_MET="NO"
if [ -f ${ROOTDIR}etc/apt/sources.list -a -d ${ROOTDIR}etc/apt/sources.list.d ]; then
case "${LINUX_VERSION}" in
"Debian" | "Linux Mint" | "Ubuntu")
PREQS_MET="YES"
;;
*)
LogText "Skipping test, although sources.list or sources.list.d exists. This specific OS version most likely has no security repository"
;;
esac
fi
Register --test-no PKGS-7388 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check security repository in apt sources.list file"
if [ $SKIPTEST -eq 0 ]; then
FOUND=0
if [ ${OPTION_DEBIAN_SKIP_SECURITY_REPOSITORY} -eq 0 ]; then
if [ -f ${ROOTDIR}etc/apt/sources.list ]; then
LogText "Searching for security.debian.org/security.ubuntu.com or security repositories in /etc/apt/sources.list file"
FIND=$(${EGREPBINARY} "security.debian.org|security.ubuntu.com|security " ${ROOTDIR}etc/apt/sources.list | ${GREPBINARY} -v '#' | ${SEDBINARY} 's/ /!space!/g')
if [ ! -z "${FIND}" ]; then
FIND=$(${EGREPBINARY} "security.debian.org|security.ubuntu.com|security/? " ${ROOTDIR}etc/apt/sources.list | ${GREPBINARY} -v '#' | ${SEDBINARY} 's/ /!space!/g')
if [ -n "${FIND}" ]; then
FOUND=1
Display --indent 2 --text "- Checking security repository in sources.list file" --result "${STATUS_OK}" --color GREEN
LogText "Result: Found security repository in ${ROOTDIR}etc/apt/sources.list"
@ -1006,8 +1013,8 @@
fi
if [ -d /etc/apt/sources.list.d ]; then
LogText "Searching for security.debian.org/security.ubuntu.com or security repositories in /etc/apt/sources.list.d directory"
FIND=$(${EGREPBINARY} -r "security.debian.org|security.ubuntu.com|security " /etc/apt/sources.list.d | ${GREPBINARY} -v '#' | ${SEDBINARY} 's/ /!space!/g')
if [ ! -z "${FIND}" ]; then
FIND=$(${EGREPBINARY} -r "security.debian.org|security.ubuntu.com|security/? " /etc/apt/sources.list.d | ${GREPBINARY} -v '#' | ${SEDBINARY} 's/ /!space!/g')
if [ -n "${FIND}" ]; then
FOUND=1
Display --indent 2 --text "- Checking security repository in sources.list.d directory" --result "${STATUS_OK}" --color GREEN
LogText "Result: Found security repository in one or more files in directory /etc/apt/sources.list.d"
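Review bot: the sources.list.d checks use the hard-coded `/etc/apt/sources.list.d` in both `if [ -d /etc/apt/sources.list.d ]` and the `${EGREPBINARY} -r ... /etc/apt/sources.list.d` call, whereas the prerequisite and the sources.list check above use `${ROOTDIR}etc/apt/...`; prefix these with `${ROOTDIR}` too so the test honours a non-root ROOTDIR.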
@ -1022,7 +1029,7 @@
AddHP 3 3
else
Display --indent 2 --text "- Checking security repository in sources.list file or directory" --result "${STATUS_WARNING}" --color RED
ReportWarning ${TEST_NO} "Can't find any security repository in /etc/apt/sources.list or sources.list.d directory"
ReportWarning "${TEST_NO}" "Can't find any security repository in /etc/apt/sources.list or sources.list.d directory"
AddHP 0 3
fi
else
@ -1046,8 +1053,8 @@
else
LogText "Result: package database is most likely NOT consistent"
Display --indent 2 --text "- Checking APT package database" --result "${STATUS_WARNING}" --color RED
ReportWarning ${TEST_NO} "apt-get check returned a non successful exit code."
ReportSuggestion ${TEST_NO} "Run apt-get to perform a manual package database consistency check."
ReportWarning "${TEST_NO}" "apt-get check returned a non successful exit code."
ReportSuggestion "${TEST_NO}" "Run apt-get to perform a manual package database consistency check."
fi
fi
#
@ -1055,7 +1062,8 @@
#
# Test : PKGS-7392
# Description : Check Debian/Ubuntu vulnerable packages
if [ -x ${ROOTDIR}usr/bin/apt-get ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
# Note : Skip for zypper-based systems
if [ -x ${ROOTDIR}usr/bin/apt-get -a -z "${ZYPPERBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PKGS-7392 --os Linux --preqs-met ${PREQS_MET} --root-only YES --weight L --network YES --category security --description "Check for Debian/Ubuntu security updates"
if [ ${SKIPTEST} -eq 0 ]; then
VULNERABLE_PACKAGES_FOUND=0
@ -1082,7 +1090,7 @@
# Check if we get the proper line back and amount of security patches available
if [ -z "${FIND}" ]; then
LogText "Result: did not find security updates line"
ReportSuggestion ${TEST_NO} "Check if system is up-to-date, security updates test (apt-check) gives an unexpected result"
ReportSuggestion "${TEST_NO}" "Check if system is up-to-date, security updates test (apt-check) gives an unexpected result"
ReportException "${TEST_NO}:1" "Apt-check did not provide any result"
else
if [ "${FIND}" = "0" ]; then
@ -1102,7 +1110,7 @@
# Trying also with apt-get directly (does not always work, as updates are distributed on both -security and -updates)
# Show packages which would be upgraded and match 'security' in repository name
FIND=$(${ROOTDIR}usr/bin/apt-get --dry-run --show-upgraded upgrade 2> /dev/null | ${GREPBINARY} '-security' | ${GREPBINARY} "^Inst" | ${CUTBINARY} -d ' ' -f2 | ${SORTBINARY} -u)
if [ ! -z "${FIND}" ]; then
if [ -n "${FIND}" ]; then
VULNERABLE_PACKAGES_FOUND=1
SCAN_PERFORMED=1
LogText "Result: found vulnerable package(s) via apt-get (-security channel)"
@ -1115,8 +1123,8 @@
fi
if [ ${SCAN_PERFORMED} -eq 1 ]; then
if [ ${VULNERABLE_PACKAGES_FOUND} -eq 1 ]; then
ReportWarning ${TEST_NO} "Found one or more vulnerable packages."
ReportSuggestion ${TEST_NO} "Update your system with apt-get update, apt-get upgrade, apt-get dist-upgrade and/or unattended-upgrades"
ReportWarning "${TEST_NO}" "Found one or more vulnerable packages."
ReportSuggestion "${TEST_NO}" "Update your system with apt-get update, apt-get upgrade, apt-get dist-upgrade and/or unattended-upgrades"
Display --indent 2 --text "- Checking vulnerable packages" --result "${STATUS_WARNING}" --color RED
else
Display --indent 2 --text "- Checking vulnerable packages" --result "${STATUS_OK}" --color GREEN
@ -1175,7 +1183,7 @@
fi
else
LogText "Result: glsa-check tool not found"
ReportSuggestion ${TEST_NO} "Use Emerge to install the gentoolkit package, which includes glsa-check tool for additional security checks."
ReportSuggestion "${TEST_NO}" "Use Emerge to install the gentoolkit package, which includes glsa-check tool for additional security checks."
fi
fi
#
@ -1207,7 +1215,7 @@
else
LogText "Result: ${ROOTDIR}usr/bin/apt-show-versions not found"
Display --indent 2 --text "- Checking upgradeable packages" --result "${STATUS_SKIPPED}" --color WHITE
ReportSuggestion ${TEST_NO} "Install package apt-show-versions for patch management purposes"
ReportSuggestion "${TEST_NO}" "Install package apt-show-versions for patch management purposes"
fi
fi
@ -1221,7 +1229,7 @@
LogText "Test: checking for package audit tool"
if [ ${PACKAGE_AUDIT_TOOL_FOUND} -eq 0 ]; then
Display --indent 2 --text "- Checking package audit tool" --result "${STATUS_NONE}" --color RED
ReportSuggestion ${TEST_NO} "Install a package audit tool to determine vulnerable packages"
ReportSuggestion "${TEST_NO}" "Install a package audit tool to determine vulnerable packages"
LogText "Result: no package audit tool found"
else
Display --indent 2 --text "- Checking package audit tool" --result INSTALLED --color GREEN
@ -1247,31 +1255,119 @@
Register --test-no PKGS-7410 --weight L --network NO --category security --description "Count installed kernel packages"
if [ ${SKIPTEST} -eq 0 ]; then
KERNELS=0
if [ ! -z "${RPMBINARY}" ]; then
LogText "Test: Checking how many kernel packages are installed"
TESTED=0
LogText "Test: Checking how many kernel packages are installed"
if [ "${DPKGBINARY}" ]; then
TESTED=1
KERNEL_PKG_NAMES="linux-image-[0-9]|raspberrypi-kernel|pve-kernel-[0-9]"
KERNELS=$(${DPKGBINARY} -l 2> /dev/null | ${EGREPBINARY} "${KERNEL_PKG_NAMES}" | ${WCBINARY} -l)
if [ ${KERNELS} -eq 0 ]; then
LogText "Result: found no kernels from dpkg -l output, which is unexpected"
elif [ ${KERNELS} -gt 5 ]; then
LogText "Result: found more than 5 kernel packages on the system, which might indicate lack of regular cleanups"
ReportSuggestion "${TEST_NO}" "Remove any unneeded kernel packages" "${KERNELS} kernels" "text:validate dpkg -l output and perform cleanup with apt autoremove"
else
LogText "Result: found ${KERNELS} kernel packages on the system, which is fine"
fi
fi
if [ "${RPMBINARY}" ]; then
TESTED=1
KERNELS=$(${RPMBINARY} -q kernel 2> /dev/null | ${WCBINARY} -l)
if [ ${KERNELS} -eq 0 ]; then
LogText "Result: found no kernels from rpm -q kernel output, which is unexpected"
ReportException "KRNL-5840:1" "Could not find any kernel packages from RPM output"
elif [ ${KERNELS} -gt 5 ]; then
LogText "Result: found more than 5 kernel packages on the system, which might indicate lack of regular cleanups"
ReportSuggestion "${TEST_NO}" "Remove any unneeded kernel packages with package-cleanup utility (--old-kernels)"
AddHP 4 5
else
LogText "Result: found ${KERNELS} on the system, which is fine"
AddHP 1 1
LogText "Result: found ${KERNELS} kernel packages on the system, which is fine"
fi
fi
if [ "${ZYPPERBINARY}" ]; then
TESTED=1
KERNELS=$(${ZYPPERBINARY} --non-interactive -n se --type package --match-exact --installed-only "kernel-default" 2> /dev/null | ${GREPBINARY} "kernel-default" | ${WCBINARY} -l)
if [ ${KERNELS} -eq 0 ]; then
LogText "Result: found no kernels from zypper output, which is unexpected."
ReportException "KRNL-5840:3" "Could not find any kernel packages via package manager. Maybe using a different kernel package?"
elif [ ${KERNELS} -gt 3 ]; then
LogText "Result: found more than 5 kernel packages on the system, which might indicate lack of regular cleanups"
ReportSuggestion "${TEST_NO}" "Remove any unneeded kernel packages"
else
LogText "Result: found ${KERNELS} kernel packages on the system, which is fine"
fi
fi
if [ ${KERNELS} -eq 0 -a ${TESTED} -eq 1 ]; then
ReportException "KRNL-5840:1" "Could not find any kernel packages via package manager"
fi
Report "installed_kernel_packages=${KERNELS}"
fi
#
#################################################################################
#
# Test : PKGS-7420
# Description : Detect toolkit to automatically download and apply upgrades
Register --test-no PKGS-7420 --weight L --network NO --category security --description "Detect toolkit to automatically download and apply upgrades"
if [ ${SKIPTEST} -eq 0 ]; then
UNATTENDED_UPGRADES_TOOLKIT=0
UNATTENDED_UPGRADES_TOOL=""
UNATTENDED_UPGRADES_OPTION_AVAILABLE=0
if [ ! -z "${INSTALLED_PACKAGES}" ]; then Report "installed_packages_array=${INSTALLED_PACKAGES}"; fi
case "${OS}" in
"Linux")
case "${LINUX_VERSION}" in
"CentOS" | "Debian" | "Fedora" | "RHEL" | "Ubuntu")
Report "package_audit_tool=${PACKAGE_AUDIT_TOOL}"
Report "package_audit_tool_found=${PACKAGE_AUDIT_TOOL_FOUND}"
Report "vulnerable_packages_found=${VULNERABLE_PACKAGES_FOUND}"
UNATTENDED_UPGRADES_OPTION_AVAILABLE=1
# Test available tools for Linux
if [ -f "${ROOTDIR}bin/auter" ]; then
UNATTENDED_UPGRADES_TOOL="auter"
UNATTENDED_UPGRADES_TOOLKIT=1
LogText "Result: found ${UNATTENDED_UPGRADES_TOOL}"
Report "unattended_upgrade_tool[]=${UNATTENDED_UPGRADES_TOOL}"
fi
if [ -f "${ROOTDIR}sbin/yum-cron" ]; then
UNATTENDED_UPGRADES_TOOL="yum-cron"
UNATTENDED_UPGRADES_TOOLKIT=1
LogText "Result: found ${UNATTENDED_UPGRADES_TOOL}"
Report "unattended_upgrade_tool[]=${UNATTENDED_UPGRADES_TOOL}"
fi
if [ -f "${ROOTDIR}usr/bin/dnf-automatic" ]; then
UNATTENDED_UPGRADES_TOOL="dnf-automatic"
UNATTENDED_UPGRADES_TOOLKIT=1
LogText "Result: found ${UNATTENDED_UPGRADES_TOOL}"
Report "unattended_upgrade_tool[]=${UNATTENDED_UPGRADES_TOOL}"
fi
if [ -f "${ROOTDIR}usr/bin/unattended-upgrade" ]; then
UNATTENDED_UPGRADES_TOOL="unattended-upgrade"
UNATTENDED_UPGRADES_TOOLKIT=1
LogText "Result: found ${UNATTENDED_UPGRADES_TOOL}"
Report "unattended_upgrade_tool[]=${UNATTENDED_UPGRADES_TOOL}"
fi
;;
esac
;;
esac
if [ ${UNATTENDED_UPGRADES_OPTION_AVAILABLE} -eq 1 ]; then
if [ ${UNATTENDED_UPGRADES_TOOLKIT} -eq 1 ]; then
AddHP 5 5
Display --indent 2 --text "- Toolkit for automatic upgrades (${UNATTENDED_UPGRADES_TOOL})" --result "${STATUS_FOUND}" --color GREEN
else
AddHP 1 5
Display --indent 2 --text "- Toolkit for automatic upgrades" --result "${STATUS_NOT_FOUND}" --color YELLOW
LogText "Result: no toolkit for automatic updates discovered"
ReportSuggestion "${TEST_NO}" "Consider using a tool to automatically apply upgrades"
fi
fi
Report "unattended_upgrade_option_available=${UNATTENDED_UPGRADES_OPTION_AVAILABLE}"
fi
#
#################################################################################
#
WaitForKeyPress
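Review bot: in the zypper branch the threshold and the message disagree: `elif [ ${KERNELS} -gt 3 ]; then` is followed by a log line saying "found more than 5 kernel packages"; pick one value (the dpkg and rpm branches both use 5). The rpm branch also keeps its own `ReportException "KRNL-5840:1"` while the trailing `if [ ${KERNELS} -eq 0 -a ${TESTED} -eq 1 ]; then` raises the same exception ID again, so an rpm system with zero kernel packages reports it twice; drop the in-branch call. Scoring is uneven as well: the rpm branch calls `AddHP 4 5` / `AddHP 1 1` but the dpkg and zypper branches add no hardening points at all. Finally, when more than one package manager binary is present, KERNELS only holds the count of the last branch that ran, since each branch overwrites it; if dpkg finds kernels and rpm finds none, the exception fires and `installed_kernel_packages=0` is reported.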

View File

@ -6,7 +6,7 @@
# ------------------
#
# Copyright 2007-2013, Michael Boelen
# Copyright 2007-2019, CISOfy
# Copyright 2007-2020, CISOfy
#
# Website : https://cisofy.com
# Blog : http://linux-audit.com
@ -55,7 +55,7 @@
LogText "Result: chkprintcap did NOT gave any warnings"
else
Display --indent 2 --text "- Integrity check of printcap file" --result "${STATUS_WARNING}" --color RED
ReportSuggestion ${TEST_NO} "Run chkprintcap manually to test printcap file"
ReportSuggestion "${TEST_NO}" "Run chkprintcap manually to test printcap file"
LogText "Output from chkprintcap: ${FIND}"
LogText "Run chkprintcap and check the ${ROOTDIR}etc/printcap file"
fi
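Review bot: the context line `LogText "Result: chkprintcap did NOT gave any warnings"` has a grammar slip ("did NOT give"); since this hunk already touches the neighbouring ReportSuggestion line, it is a cheap fix to include.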
@ -69,8 +69,7 @@
Register --test-no PRNT-2304 --weight L --network NO --category security --description "Check cupsd status"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking cupsd status"
IsRunning cupsd
if [ ${RUNNING} -eq 1 ]; then
if IsRunning "cupsd"; then
Display --indent 2 --text "- Checking cups daemon" --result "${STATUS_RUNNING}" --color GREEN
LogText "Result: cups daemon running"
CUPSD_RUNNING=1; PRINTING_DAEMON="cups"
@ -118,49 +117,60 @@
LogText "Test: Checking CUPS configuration file permissions"
FIND=$(${LSBINARY} -l ${CUPSD_CONFIG_FILE} | ${CUTBINARY} -c 2-10)
LogText "Result: found ${FIND}"
if [ "${FIND}" = "r--------" -o "${FIND}" = "rw-------" -o "${FIND}" = "rw-r-----" -o "${FIND}" = "rw-rw----" ]; then
Display --indent 4 --text "- File permissions" --result "${STATUS_OK}" --color GREEN
AddHP 1 1
else
Display --indent 4 --text "- File permissions" --result "${STATUS_WARNING}" --color RED
ReportSuggestion ${TEST_NO} "Access to CUPS configuration could be more strict."
AddHP 1 2
fi
case "${FIND}" in
r[w-]-[r-][w-]---- )
Display --indent 4 --text "- File permissions" --result "${STATUS_OK}" --color GREEN
AddHP 1 1
;;
* )
Display --indent 4 --text "- File permissions" --result "${STATUS_WARNING}" --color RED
ReportSuggestion "${TEST_NO}" "Access to CUPS configuration could be more strict."
AddHP 1 2
;;
esac
fi
#
#################################################################################
#
# Test : PRNT-2308
# Description : Check CUPS daemon network configuration
# Notes : Listen and SSLListen can be used
if [ ${CUPSD_FOUND} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PRNT-2308 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check CUPSd network configuration"
if [ ${SKIPTEST} -eq 0 ]; then
FOUND=0
# Checking network addresses
LogText "Test: Checking CUPS daemon listening network addresses"
FIND=$(${GREPBINARY} "^Listen" ${CUPSD_CONFIG_FILE} | ${GREPBINARY} -v "/" | ${AWKBINARY} '{ print $2 }')
FIND=$(${EGREPBINARY} "^(SSL)?Listen" ${CUPSD_CONFIG_FILE} | ${GREPBINARY} -v "/" | ${AWKBINARY} '{ print $2 }')
COUNT=0
for ITEM in ${FIND}; do
LogText "Found network address: ${ITEM}"
LogText "Result: found network address: ${ITEM}"
COUNT=$((COUNT + 1))
FOUND=1
done
# Check if daemon is only running on localhost
# Search for Port statement
FIND=$(${EGREPBINARY} "^Port 631" ${CUPSD_CONFIG_FILE})
if [ -n "${FIND}" ]; then
LogText "Result: found CUPS listening on port 631 (most likely all interfaces)"
FOUND=1
fi
# Check if daemon might be running on localhost
if [ ${FOUND} -eq 0 ]; then
LogText "Result: no listen statement found in CUPS configuration file"
LogText "Result: CUPS does not look to be listening on a network port"
elif [ ${COUNT} -eq 1 ]; then
if [ "${FIND}" = "localhost:631" -o "${FIND}" = "127.0.0.1:631" ]; then
LogText "Result: CUPS daemon only running on localhost"
AddHP 2 2
else
LogText "Result: CUPS daemon running on one or more interfaces (not limited to localhost)"
ReportSuggestion ${TEST_NO} "Check CUPS configuration if it really needs to listen on the network"
ReportSuggestion "${TEST_NO}" "Check CUPS configuration if it really needs to listen on the network"
AddHP 1 2
fi
else
LogText "Result: CUPS daemon is running on several network addresses"
ReportSuggestion ${TEST_NO} "Check CUPS configuration if it really needs to run on several network addresses"
ReportSuggestion "${TEST_NO}" "Check CUPS configuration if it really needs to run on several network addresses"
AddHP 1 2
fi
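Review bot: the localhost check compares against a variable that has already been overwritten. `FIND` first holds the Listen/SSLListen addresses, but `FIND=$(${EGREPBINARY} "^Port 631" ${CUPSD_CONFIG_FILE})` reassigns it before `if [ "${FIND}" = "localhost:631" -o "${FIND}" = "127.0.0.1:631" ]; then`, so a configuration with a single `Listen localhost:631` can no longer be recognized as localhost-only and is always reported as listening on the network. Keep the listen addresses in their own variable (for example LISTEN_ADDRESSES) and compare that. Note also that the Port statement sets FOUND=1 without incrementing COUNT, so a file containing only `Port 631` falls through to the "running on several network addresses" branch. On the permission check, the new pattern `r[w-]-[r-][w-]----` accepts combinations the old explicit list did not, such as group write without group read (`r---w----`); if that widening is intended, state it in the test's Notes.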
@ -188,8 +198,7 @@
Register --test-no PRNT-2314 --weight L --network NO --category security --description "Check lpd status"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking lpd status"
IsRunning lpd
if [ ${RUNNING} -eq 1 ]; then
if IsRunning "lpd"; then
Display --indent 2 --text "- Checking lp daemon" --result "${STATUS_RUNNING}" --color GREEN
LogText "Result: lp daemon running"
LPD_RUNNING=1; PRINTING_DAEMON="lp"
@ -211,7 +220,7 @@
FileIsReadable ${QDAEMON_CONFIG_FILE}
if [ ${CANREAD} -eq 1 ]; then
FIND=$(${GREPBINARY} -v "^\*" ${QDAEMON_CONFIG_FILE} | ${EGREPBINARY} "backend|device")
if [ ! -z "${FIND}" ]; then
if [ -n "${FIND}" ]; then
LogText "Result: printers are defined in ${QDAEMON_CONFIG_FILE}"
Display --indent 2 --text "- Checking /etc/qconfig file" --result "${STATUS_FOUND}" --color GREEN
QDAEMON_CONFIG_ENABLED=1
@ -231,8 +240,7 @@
Register --test-no PRNT-2418 --os AIX --weight L --network NO --category security --description "Checking qdaemon printer spooler status"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking qdaemon status"
IsRunning qdaemon
if [ ${RUNNING} -eq 1 ]; then
if IsRunning "qdaemon"; then
LogText "Result: qdaemon daemon running"
Display --indent 2 --text "- Checking qdaemon daemon" --result "${STATUS_RUNNING}" --color GREEN
QDAEMON_RUNNING=1; PRINTING_DAEMON="qdaemon"
@ -240,7 +248,7 @@
if [ ${QDAEMON_CONFIG_ENABLED} -eq 1 ]; then
LogText "Result: qdaemon daemon not running"
Display --indent 2 --text "- Checking qdaemon daemon" --result "${STATUS_NOT_RUNNING}" --color RED
ReportSuggestion ${TEST_NO} "Activate print spooler daemon (qdaemon) in order to process print jobs"
ReportSuggestion "${TEST_NO}" "Activate print spooler daemon (qdaemon) in order to process print jobs"
else
LogText "Result: qdaemon daemon not running"
Display --indent 2 --text "- Checking qdaemon daemon" --result "${STATUS_NOT_RUNNING}" --color WHITE
@ -267,7 +275,7 @@
done
LogText "Result: Found ${COUNT} old print jobs in /var/spool/lpd/qdir"
Display --indent 4 --text "- Checking old print jobs" --result "${STATUS_FOUND}" --color YELLOW
ReportSuggestion ${TEST_NO} "Check old print jobs in /var/spool/lpd/qdir to prevent new jobs from being processed"
ReportSuggestion "${TEST_NO}" "Check old print jobs in /var/spool/lpd/qdir to prevent new jobs from being processed"
LogText "Risk: Failed or defunct print jobs can occupy a lot of space and in some cases, prevent new jobs from being processed"
else
LogText "Result: Old print jobs not found in /var/spool/lpd/qdir"
@ -279,7 +287,7 @@
#################################################################################
#
if [ ! -z ${PRINTING_DAEMON} ]; then Report "printing_daemon=${PRINTING_DAEMON}"; fi
if [ -n "${PRINTING_DAEMON}" ]; then Report "printing_daemon=${PRINTING_DAEMON}"; fi
WaitForKeyPress

View File

@ -6,7 +6,7 @@
# ------------------
#
# Copyright 2007-2013, Michael Boelen
# Copyright 2007-2019, CISOfy
# Copyright 2007-2020, CISOfy
#
# Website : https://cisofy.com
# Blog : http://linux-audit.com
@ -38,7 +38,6 @@
FIND=$(${PSBINARY} aux | ${EGREPBINARY} "( cron$|/cron(d)? )")
if IsEmpty "${FIND}"; then
LogText "Result: no cron daemon found"
AddHP 3 3
else
LogText "Result: cron daemon running"
CROND_RUNNING=1
@ -61,6 +60,7 @@
CRONTAB_FILE="${ROOTDIR}etc/crontab"
if [ -f ${CRONTAB_FILE} ]; then
${EGREPBINARY} -q -s 'lynis audit system' ${CRONTAB_FILE} && LYNIS_CRONJOB="file:/etc/crontab"
if IsWorldWritable ${CRONTAB_FILE}; then LogText "Result: insecure file permissions for cronjob file ${CRONTAB_FILE}"; Report "insecure_fileperms_cronjob[]=${CRONTAB_FILE}"; BAD_FILE_PERMISSIONS=1; AddHP 0 5; fi
if ! IsOwnedByRoot ${CRONTAB_FILE}; then LogText "Result: incorrect owner found for cronjob file ${CRONTAB_FILE}"; Report "bad_fileowner_cronjob[]=${CRONTAB_FILE}"; BAD_FILE_OWNERSHIP=1; AddHP 0 5; fi
FindCronJob ${CRONTAB_FILE}
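Review bot: the new detection line records a hardcoded path: `&& LYNIS_CRONJOB="file:/etc/crontab"` while the file actually searched is `${CRONTAB_FILE}` (which carries `${ROOTDIR}`); use `LYNIS_CRONJOB="file:${CRONTAB_FILE}"` so the recorded location matches what was scanned, consistent with the `file:${FILE}` form used for the cron.d entries later in this file.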
@ -85,6 +85,8 @@
for FILE in ${FIND}; do
if IsWorldWritable ${FILE}; then LogText "Result: insecure file permissions for cronjob file ${J}"; Report "insecure_fileperms_cronjob[]=${J}"; BAD_FILE_PERMISSIONS=1; AddHP 0 5; fi
if ! IsOwnedByRoot ${FILE}; then LogText "Result: incorrect owner found for cronjob file ${J}"; Report "bad_fileowner_cronjob[]=${J}"; BAD_FILE_OWNERSHIP=1; AddHP 0 5; fi
FILENAME=$(echo ${FILE} | ${AWKBINARY} -F/ '{print $NF}')
if [ "${FILENAME}" = "lynis" ]; then ${EGREPBINARY} -q -s 'lynis audit system' ${CRONTAB_FILE} && LYNIS_CRONJOB="file:${FILE}"; fi
FindCronJob ${FILE}
if HasData "${sCRONJOBS}"; then
for K in ${sCRONJOBS}; do
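Review bot: the added check greps the wrong file: `if [ "${FILENAME}" = "lynis" ]; then ${EGREPBINARY} -q -s 'lynis audit system' ${CRONTAB_FILE} && LYNIS_CRONJOB="file:${FILE}"; fi` searches `${CRONTAB_FILE}` (/etc/crontab) rather than the `${FILE}` whose basename was just matched, so LYNIS_CRONJOB is set to `file:${FILE}` based on the contents of a different file; replace `${CRONTAB_FILE}` with `${FILE}`. The surrounding context lines also log and report `${J}` although the loop variable is `${FILE}`, so the `insecure_fileperms_cronjob[]` and `bad_fileowner_cronjob[]` entries emitted here will be empty.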
@ -115,11 +117,13 @@
LogText "Result: no files found in ${I}"
else
LogText "Result: found one or more files in ${I}. Analyzing files.."
for J in ${FIND}; do
if IsWorldWritable ${J}; then LogText "Result: insecure file permissions for cronjob file ${J}"; Report "insecure_fileperms_cronjob[]=${J}"; BAD_FILE_PERMISSIONS=1; AddHP 0 5; fi
if ! IsOwnedByRoot ${J}; then LogText "Result: incorrect owner found for cronjob file ${J}"; Report "bad_fileowner_cronjob[]=${J}"; BAD_FILE_OWNERSHIP=1; AddHP 0 5; fi
LogText "Result: Found cronjob (${I}): ${J}"
Report "cronjob[]=${J}"
for FILE in ${FIND}; do
if IsWorldWritable ${FILE}; then LogText "Result: insecure file permissions for cronjob file ${FILE}"; Report "insecure_fileperms_cronjob[]=${FILE}"; BAD_FILE_PERMISSIONS=1; AddHP 0 5; fi
if ! IsOwnedByRoot ${FILE}; then LogText "Result: incorrect owner found for cronjob file ${FILE}"; Report "bad_fileowner_cronjob[]=${FILE}"; BAD_FILE_OWNERSHIP=1; AddHP 0 5; fi
FILENAME=$(echo ${FILE} | ${AWKBINARY} -F/ '{print $NF}')
if [ "${FILENAME}" = "lynis" ]; then ${EGREPBINARY} -q -s 'lynis audit system' ${CRONTAB_FILE} && LYNIS_CRONJOB="file:${FILE}"; fi
LogText "Result: Found cronjob (${I}): ${FILE}"
Report "cronjob[]=${FILE}"
done
LogText "Result: done with analyzing files in ${I}"
fi
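Review bot: the grep target is wrong in this loop too: `if [ "${FILENAME}" = "lynis" ]; then ${EGREPBINARY} -q -s 'lynis audit system' ${CRONTAB_FILE} && LYNIS_CRONJOB="file:${FILE}"; fi` should search `${FILE}` (the file under `${I}` being iterated), otherwise any file named `lynis` in a cron directory is attributed a Lynis job whenever /etc/crontab happens to contain one, and a real Lynis entry in that file is missed when /etc/crontab does not.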
@ -137,21 +141,23 @@
FIND=$(${FINDBINARY} /var/spool/cron/crontabs -xdev -type f -print 2> /dev/null)
for I in ${FIND}; do
if FileIsReadable ${I}; then
${EGREPBINARY} -q -s 'lynis audit system' ${I} && LYNIS_CRONJOB="file:${I}"
FindCronJob ${I}
for J in ${sCRONJOBS}; do
LogText "Found cronjob (/var/spool/cron/crontabs): ${I} (${J})"
for FILE in ${sCRONJOBS}; do
LogText "Found cronjob (/var/spool/cron/crontabs): ${I} (${FILE})"
Report "cronjob[]=${I}"
done
fi
done
else
if [ -d /var/spool/cron ]; then
FIND=$(find /var/spool/cron -type f -print)
if [ -d ${ROOTDIR}var/spool/cron ]; then
FIND=$(find ${ROOTDIR}var/spool/cron -type f -print)
for I in ${FIND}; do
if FileIsReadable ${I}; then
${EGREPBINARY} -q -s 'lynis audit system' ${I} && LYNIS_CRONJOB="file:${I}"
FindCronJob ${I}
for J in ${sCRONJOBS}; do
LogText "Found cronjob (/var/spool/cron): ${I} (${J})"
for FILE in ${sCRONJOBS}; do
LogText "Found cronjob in ${ROOTDIR}var/spool/cron: ${I} (${FILE})"
LogText "cronjob[]=${I}"
done
fi
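Review bot: the fallback branch logs where it should report: `LogText "cronjob[]=${I}"` should be `Report "cronjob[]=${I}"`, as the crontabs branch above does; otherwise jobs found under ${ROOTDIR}var/spool/cron never reach the report file. The same branch calls a bare `find` in `FIND=$(find ${ROOTDIR}var/spool/cron -type f -print)` while the crontabs branch uses `${FINDBINARY}` with `-xdev` and `2> /dev/null`; align the two. Renaming the inner loop variable from J to FILE is also misleading here, since the entries in `${sCRONJOBS}` are job definitions, not file paths.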
@ -164,7 +170,7 @@
if [ -f /etc/anacrontab ]; then
LogText "Test: checking anacrontab"
sANACRONJOBS=$(${EGREPBINARY} '^([0-9@])' /etc/anacrontab | ${TRBINARY} '\t' ' ' | ${TRBINARY} -s ' ' | ${TRBINARY} ' ' ',' | ${SORTBINARY})
if [ ! -z "${sANACRONJOBS}" ]; then
if [ -n "${sANACRONJOBS}" ]; then
Report "scheduler[]=anacron"
for I in ${sANACRONJOBS}; do
LogText "Found anacron job (/etc/anacrontab): ${I}"
@ -177,12 +183,12 @@
# Show warning when an issue shows up. Even if *both* the permissions and ownership are wrong, just show one (prevent overload of warnings).
if [ ${BAD_FILE_PERMISSIONS} -eq 1 ]; then
ReportWarning "${TEST_NO}" "Found one or more cronjob files with incorrect file permissions (see log for details)"
Display --indent 2 --text "- Checking crontab/cronjob" --result "${STATUS_WARNING}" --color RED
Display --indent 2 --text "- Checking crontab and cronjobs files" --result "${STATUS_WARNING}" --color RED
elif [ ${BAD_FILE_OWNERSHIP} -eq 1 ]; then
ReportWarning "${TEST_NO}" "Found one or more cronjob files with incorrect ownership (see log for details)"
Display --indent 2 --text "- Checking crontab/cronjob" --result "${STATUS_WARNING}" --color RED
Display --indent 2 --text "- Checking crontab and cronjob files" --result "${STATUS_WARNING}" --color RED
else
Display --indent 2 --text "- Checking crontab/cronjob" --result "${STATUS_DONE}" --color GREEN
Display --indent 2 --text "- Checking crontab and cronjob files" --result "${STATUS_DONE}" --color GREEN
fi
fi
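Review bot: the three Display texts are not identical: the permissions branch now says "- Checking crontab and cronjobs files" while the ownership and done branches say "- Checking crontab and cronjob files"; use the singular "cronjob files" in all three so the screen label does not change depending on which branch runs.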
@ -195,7 +201,7 @@
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking atd status"
FIND=$(${PSBINARY} ax | ${GREPBINARY} "/atd" | ${GREPBINARY} -v "grep")
if [ ! -z "${FIND}" ]; then
if [ -n "${FIND}" ]; then
LogText "Result: at daemon active"
Display --indent 2 --text "- Checking atd status" --result "${STATUS_RUNNING}" --color GREEN
ATD_RUNNING=1
@ -298,6 +304,12 @@
#################################################################################
#
if [ -z "${LYNIS_CRONJOB}" ]; then
LogText "Result: no scheduled Lynis execution found (e.g. crontab, cronjob)"
else
LogText "Result: found scheduled Lynis execution (${LYNIS_CRONJOB})"
fi
WaitForKeyPress
#

View File

@ -6,7 +6,7 @@
# ------------------
#
# Copyright 2007-2013, Michael Boelen
# Copyright 2007-2019, CISOfy
# Copyright 2007-2020, CISOfy
#
# Website : https://cisofy.com
# Blog : http://linux-audit.com
@ -31,9 +31,10 @@
# Files (interactive login shells): /etc/profile $HOME/.bash_profile
# $HOME/.bash_login $HOME/.profile
# Files (interactive non-login shells): $HOME/.bash_rc
#
# csh/tcsh
# Files: /etc/csh.cshrc /etc/csh.login
#
# zsh
# Files: /etc/zshenv /etc/zsh/zshenv $HOME/.zshenv /etc/zprofile
# /etc/zsh/zprofile $HOME/.zprofile /etc/zshrc /etc/zsh/zshrc
@ -60,7 +61,7 @@
LogText "Result: Found insecure console in ${ROOTDIR}etc/ttys. Single user mode login without password allowed!"
LogText "Output ${ROOTDIR}etc/ttys:"
LogText "${FIND}"
ReportWarning ${TEST_NO} "Found unprotected console in ${ROOTDIR}etc/ttys"
ReportWarning "${TEST_NO}" "Found unprotected console in ${ROOTDIR}etc/ttys"
LogText "Possible solution: Change the console line from 'secure' to 'insecure'."
fi
fi
@ -68,8 +69,8 @@
#################################################################################
#
# Test : SHLL-6211
# Description : which shells are available according /etc/shells
Register --test-no SHLL-6211 --weight L --network NO --category security --description "Checking available and valid shells"
# Description : Determine available shell according /etc/shells
Register --test-no SHLL-6211 --weight L --network NO --category security --description "Available and valid shells"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Searching for ${ROOTDIR}etc/shells"
if [ -f ${ROOTDIR}etc/shells ]; then
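Review bot: the reworded description comment `# Description : Determine available shell according /etc/shells` drops a word; "Determine available shells according to /etc/shells" reads correctly and matches the Register description "Available and valid shells".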
@ -98,25 +99,23 @@
#################################################################################
#
# Test : SHLL-6220
# Description : check for idle session killing tools or settings
Register --test-no SHLL-6220 --weight L --network NO --category security --description "Checking available and valid shells"
# Description : Check for idle session killing tools or settings
Register --test-no SHLL-6220 --weight L --network NO --category security --description "Idle session killing tools or settings"
if [ ${SKIPTEST} -eq 0 ]; then
IDLE_TIMEOUT_METHOD=""
IDLE_TIMEOUT_READONLY=""
LogText "Test: Search for session timeout tools or settings in shell"
IsRunning timeoutd
if [ ${RUNNING} -eq 1 ]; then
if IsRunning "timeoutd"; then
IDLE_TIMEOUT=1
LogText "Result: found timeoutd process to kill idle sesions"
LogText "Result: found timeoutd process to kill idle sessions"
IDLE_TIMEOUT_METHOD="timeout-daemon"
fi
IsRunning autolog
if [ ${RUNNING} -eq 1 ]; then
if IsRunning "autolog"; then
IDLE_TIMEOUT=1
LogText "Result: found autolog process to kill idle sesions"
Report="session_timeout_method[]=autolog"
LogText "Result: found autolog process to kill idle sessions"
Report "session_timeout_method[]=autolog"
IDLE_TIMEOUT_METHOD="autolog"
fi
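Review bot: the autolog branch now reports twice. It calls `Report "session_timeout_method[]=autolog"` directly and also sets `IDLE_TIMEOUT_METHOD="autolog"`, which is reported again at the end of the test by `Report "session_timeout_method[]=${IDLE_TIMEOUT_METHOD}"`, so autolog appears twice in the report while timeoutd appears once. Drop the direct Report call; the `Report=` typo it replaces was a plain variable assignment that never emitted anything, so nothing depends on it. If both daemons are running, IDLE_TIMEOUT_METHOD also keeps only the last one set.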
@ -125,7 +124,7 @@
FIND=$(${GREPBINARY} 'TMOUT=' ${ROOTDIR}etc/profile | ${TRBINARY} -d ' ' | ${TRBINARY} -d '\t' | ${GREPBINARY} -v "^#" | ${SEDBINARY} 's/export//' | ${SEDBINARY} 's/#.*//' | ${AWKBINARY} -F= '{ print $2 }')
# Determine if the value is exported (with export, readonly, or typeset)
FIND2=$(${GREPBINARY} '\(export\|readonly\|typeset -r\)[ \t]*TMOUT' ${ROOTDIR}etc/profile | ${GREPBINARY} -v "^#" | ${SEDBINARY} 's/#.*//' | ${AWKBINARY} '{ print $1 }')
if [ ! -z "${FIND}" ]; then
if [ -n "${FIND}" ]; then
N=0; IDLE_TIMEOUT=1
for I in ${FIND}; do
LogText "Output: ${I}"
@ -142,7 +141,7 @@
LogText "Result: could not find TMOUT setting in ${ROOTDIR}etc/profile"
fi
if [ ! -z "${FIND2}" ]; then
if [ -n "${FIND2}" ]; then
N=0;
for I in ${FIND2}; do
LogText "Output: ${I}"
@ -166,12 +165,12 @@
if [ -d ${ROOTDIR}etc/profile.d ]; then
FIND=$(${LSBINARY} ${ROOTDIR}etc/profile.d/*.sh 2> /dev/null)
if [ ! -z "${FIND}" ]; then
if [ -n "${FIND}" ]; then
# Determine if we can find a TMOUT value
FIND=$(${FINDBINARY} ${ROOTDIR}etc/profile.d -name "*.sh" -type f -exec cat {} \; 2> /dev/null | ${GREPBINARY} 'TMOUT=' | ${TRBINARY} -d ' ' | ${TRBINARY} -d '\t' | ${GREPBINARY} -v "^#" | ${SEDBINARY} 's/export//' | ${SEDBINARY} 's/#.*//' | ${AWKBINARY} -F= '{ print $2 }')
# Determine if the value is exported (with export, readonly, or typeset)
FIND2=$(${FINDBINARY} ${ROOTDIR}etc/profile.d -name "*.sh" -type f -exec cat {} \; 2> /dev/null | ${GREPBINARY} '\(export\|readonly\|typeset -r\)[ \t]*TMOUT' | ${GREPBINARY} -v "^#" | ${SEDBINARY} 's/#.*//' | ${AWKBINARY} '{ print $1 }')
if [ ! -z "${FIND}" ]; then
if [ -n "${FIND}" ]; then
N=0; IDLE_TIMEOUT=1
for I in ${FIND}; do
LogText "Output: ${I}"
@ -188,7 +187,7 @@
LogText "Result: could not find TMOUT setting in ${ROOTDIR}etc/profile.d/*.sh"
fi
# Check for readonly
if [ ! -z "${FIND2}" ]; then
if [ -n "${FIND2}" ]; then
N=0;
for I in ${FIND2}; do
LogText "Output: ${I}"
@ -211,10 +210,10 @@
LogText "Result: skip ${ROOTDIR}etc/profile.d directory test, directory not available on this system"
fi
if [ ! -z "${IDLE_TIMEOUT_METHOD}" ]; then
if [ -n "${IDLE_TIMEOUT_METHOD}" ]; then
Report "session_timeout_method[]=${IDLE_TIMEOUT_METHOD}"
fi
if [ ! -z "${IDLE_TIMEOUT_READONLY}" ]; then
if [ -n "${IDLE_TIMEOUT_READONLY}" ]; then
Report "session_timeout_set_readonly=${IDLE_TIMEOUT_READONLY}"
fi
@ -283,4 +282,4 @@ WaitForKeyPress
#
#================================================================================
# Lynis - Copyright 2007-2019, CISOfy - http://cisofy.com
# Lynis - Copyright 2007-2020, CISOfy - http://cisofy.com

View File

@ -6,7 +6,7 @@
# ------------------
#
# Copyright 2007-2013, Michael Boelen
# Copyright 2007-2019, CISOfy
# Copyright 2007-2020, CISOfy
#
# Website : https://cisofy.com
# Blog : http://linux-audit.com
@ -35,9 +35,7 @@
Register --test-no SNMP-3302 --weight L --network NO --category security --description "Check for running SNMP daemon"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Searching for a SNMP daemon"
# Check running processes
IsRunning snmpd
if [ ${RUNNING} -eq 1 ]; then
if IsRunning "snmpd"; then
SNMP_DAEMON_RUNNING=1
LogText "Result: SNMP daemon is running"
Display --indent 2 --text "- Checking running SNMP daemon" --result "${STATUS_FOUND}" --color GREEN
@ -74,7 +72,7 @@
#
# Test : SNMP-3306
# Description : Determine SNMP communities
if [ ! -z "${SNMP_DAEMON_CONFIG}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
if [ -n "${SNMP_DAEMON_CONFIG}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no SNMP-3306 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check SNMP communities"
if [ ${SKIPTEST} -eq 0 ]; then
WARN=0
@ -95,7 +93,7 @@
AddHP 2 2
else
Display --indent 2 --text "- Checking SNMP community strings" --result "${STATUS_WARNING}" --color RED
ReportWarning ${TEST_NO} "Found easy guessable SNMP community string"
ReportWarning "${TEST_NO}" "Found easy guessable SNMP community string"
fi
fi
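Review bot: the user-facing warning text `ReportWarning "${TEST_NO}" "Found easy guessable SNMP community string"` should read "easily guessable"; since the line is already being rewritten for quoting, fix the wording at the same time.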
#
@ -106,4 +104,4 @@ WaitForKeyPress
#
#================================================================================
# Lynis - Copyright 2007-2019 Michael Boelen, CISOfy - https://cisofy.com
# Lynis - Copyright 2007-2020 Michael Boelen, CISOfy - https://cisofy.com

View File

@ -6,7 +6,7 @@
# ------------------
#
# Copyright 2007-2013, Michael Boelen
# Copyright 2007-2019, CISOfy
# Copyright 2007-2020, CISOfy
#
# Website : https://cisofy.com
# Blog : http://linux-audit.com
@ -43,7 +43,7 @@
FOUND=0
# Check running processes
FIND=$(${PSBINARY} ax | ${EGREPBINARY} "(squid|squid3) " | ${GREPBINARY} -v "grep")
if [ ! -z "${FIND}" ]; then
if [ -n "${FIND}" ]; then
SQUID_DAEMON_RUNNING=1
LogText "Result: Squid daemon is running"
Display --indent 2 --text "- Checking running Squid daemon" --result "${STATUS_FOUND}" --color GREEN
@ -86,10 +86,10 @@
#
# Test : SQD-3606
# Description : Check Squid version
if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! -z "${SQUID_DAEMON_CONFIG}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a -n "${SQUID_DAEMON_CONFIG}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no SQD-3606 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check Squid version"
if [ ${SKIPTEST} -eq 0 ]; then
if [ ! -z "${SQUIDBINARY}" ]; then
if [ -n "${SQUIDBINARY}" ]; then
LogText "Result: Squid binary found (${SQUIDBINARY})"
# Skip check if a setuid/setgid bit is found
FIND=$(${FINDBINARY} ${SQUIDBINARY} \( -perm 4000 -o -perm 2000 \) -print)
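Review bot: the setuid/setgid check in this hunk's context uses exact-mode matching: `FIND=$(${FINDBINARY} ${SQUIDBINARY} \( -perm 4000 -o -perm 2000 \) -print)` only matches a binary whose mode is exactly 4000 or 2000, so a typical setuid mode such as 4755 is not detected and the version check is not skipped as the comment above it intends; use `-perm -4000 -o -perm -2000` (bit test) instead. Since the hunk already edits this test's prerequisite lines, it is a good moment to correct it.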
@ -110,8 +110,8 @@
#
# Test : SQD-3610
# Description : Check Squid configuration options
if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! -z "${SQUID_DAEMON_CONFIG}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no SQD-3610 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check Squid version"
if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a -n "${SQUID_DAEMON_CONFIG}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no SQD-3610 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Gather Squid settings"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking all specific defined options in ${SQUID_DAEMON_CONFIG}"
FIND=$(${GREPBINARY} -v "^#" ${SQUID_DAEMON_CONFIG} | ${GREPBINARY} -v "^$" | ${AWKBINARY} '{gsub("\t"," ");print}' | ${SEDBINARY} 's/ /!space!/g')
@ -126,17 +126,17 @@
#################################################################################
#
# Test : SQD-3613
# Description : Check Squid configuration options
if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! -z "${SQUID_DAEMON_CONFIG}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
# Description : Check Squid configuration file permissions
if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a -n "${SQUID_DAEMON_CONFIG}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no SQD-3613 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check Squid file permissions"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking file permissions of ${SQUID_DAEMON_CONFIG}"
FIND=$(find ${SQUID_DAEMON_CONFIG} -type f -a \( -perm -004 -o -perm -002 -o -perm -001 \))
if [ ! -z "${FIND}" ]; then
if [ -n "${FIND}" ]; then
LogText "Result: file ${SQUID_DAEMON_CONFIG} is world readable, writable or executable and could leak information or passwords"
Display --indent 4 --text "- Checking Squid configuration file permissions" --result "${STATUS_WARNING}" --color RED
ReportSuggestion ${TEST_NO} "Check file permissions of ${SQUID_DAEMON_CONFIG} to limit access"
ReportWarning ${TEST_NO} "File permissions of ${SQUID_DAEMON_CONFIG} are not restrictive"
ReportSuggestion "${TEST_NO}" "Check file permissions of ${SQUID_DAEMON_CONFIG} to limit access"
ReportWarning "${TEST_NO}" "File permissions of ${SQUID_DAEMON_CONFIG} are not restrictive"
AddHP 0 2
else
LogText "Result: file ${SQUID_DAEMON_CONFIG} has proper file permissions"
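Review bot: the permission check on the `FIND=$(find ${SQUID_DAEMON_CONFIG} -type f -a \( -perm -004 ...` line calls a bare `find` and leaves the path unquoted, while every other tool in this file is invoked through its `${...BINARY}` variable. Use `${FINDBINARY}` and quote `"${SQUID_DAEMON_CONFIG}"`; as written, a missing find or a path containing whitespace yields an empty FIND, which the else branch then logs as "proper file permissions".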
@ -147,7 +147,7 @@
#
#################################################################################
#
if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! -z "${SQUID_DAEMON_CONFIG}" ]; then
if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a -n "${SQUID_DAEMON_CONFIG}" ]; then
Display --indent 4 --text "- Checking Squid access control"
fi
#
@ -155,7 +155,7 @@
#
# Test : SQD-3614
# Description : Check Squid authentication
if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! -z "${SQUID_DAEMON_CONFIG}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a -n "${SQUID_DAEMON_CONFIG}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no SQD-3614 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check Squid authentication methods"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: check auth_param option for authentication methods"
@ -176,7 +176,7 @@
#
# Test : SQD-3616
# Description : Check external Squid authentication
if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! -z "${SQUID_DAEMON_CONFIG}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a -n "${SQUID_DAEMON_CONFIG}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no SQD-3616 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check external Squid authentication"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: check external_acl_type option for external authentication helpers"
@ -222,7 +222,7 @@
#################################################################################
#
# Test : SQD-3624
# Description : Check unsecure ports in Safe_ports list
# Description : Check insecure ports in Safe_ports list
if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! "${SQUID_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no SQD-3624 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check Squid safe ports"
if [ ${SKIPTEST} -eq 0 ]; then
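Review bot: the precondition on the `if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! "${SQUID_DAEMON_CONFIG}" = "" ]` line is the only one in this file still using the `! ... = ""` form; the sibling tests in this change were all switched to `-n "${SQUID_DAEMON_CONFIG}"`, so this one should follow. The `-a` combinator inside a single `[` is obsolescent in POSIX test and reads better as two bracket tests joined by `&&`.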
@ -231,13 +231,13 @@
if IsEmpty "${FIND}"; then
LogText "Result: no Safe_ports found"
Display --indent 6 --text "- Checking ACL 'Safe_ports' http_access option" --result "${STATUS_NOT_FOUND}" --color YELLOW
ReportSuggestion ${TEST_NO} "Check if Squid has been configured to restrict access to all safe ports"
ReportSuggestion "${TEST_NO}" "Check if Squid has been configured to restrict access to all safe ports"
else
LogText "Result: checking ACL safe ports"
FIND2=$(${GREPBINARY} "^acl Safe_ports port" ${SQUID_DAEMON_CONFIG} | ${AWKBINARY} '{ print $4 }')
if IsEmpty "${FIND2}"; then
Display --indent 6 --text "- Checking ACL 'Safe_ports' ports" --result "NONE FOUND" --color YELLOW
ReportSuggestion ${TEST_NO} "Check if Squid has been configured for which ports it can allow outgoing traffic (Safe_ports)"
ReportSuggestion "${TEST_NO}" "Check if Squid has been configured for which ports it can allow outgoing traffic (Safe_ports)"
AddHP 0 1
else
LogText "Result: Safe_ports found"
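Review bot: `FIND2=$(${GREPBINARY} "^acl Safe_ports port" ${SQUID_DAEMON_CONFIG} | ${AWKBINARY} '{ print $4 }')` takes only the first value of each `acl Safe_ports port` line; Squid accepts several ports on one line and range tokens such as `1025-65535`, so every value after the first is never seen by the per-port loop below, and a range arrives as a single token. Print `$4` onward (`for (i=4;i<=NF;i++) print $i`) and decide how ranges should be scored before they reach the `Safe_port ${ITEM}` warning.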
@ -256,7 +256,7 @@
AddHP 1 1
else
Display --indent 6 --text "- Checking ACL 'Safe_ports' (port ${ITEM})" --result "${STATUS_FOUND}" --color RED
ReportWarning ${TEST_NO} "Squid configuration possibly allows relaying traffic via configured Safe_port ${ITEM}"
ReportWarning "${TEST_NO}" "Squid configuration possibly allows relaying traffic via configured Safe_port ${ITEM}"
AddHP 0 1
fi
done
@ -265,7 +265,7 @@
#
#################################################################################
#
if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! -z "${SQUID_DAEMON_CONFIG}" ]; then
if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a -n "${SQUID_DAEMON_CONFIG}" ]; then
Display --indent 4 --text "- Checking Squid Denial of Service tuning options"
fi
#
@ -273,7 +273,7 @@
#
# Test : SQD-3630 [T]
# Description : Check reply_body_max_size value
if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! -z "${SQUID_DAEMON_CONFIG}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a -n "${SQUID_DAEMON_CONFIG}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no SQD-3630 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check Squid reply_body_max_size option"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: checking option reply_body_max_size"
@ -282,7 +282,7 @@
LogText "Result: option reply_body_max_size not configured"
Display --indent 6 --text "- Checking option: reply_body_max_size" --result "${STATUS_NONE}" --color RED
AddHP 1 2
ReportSuggestion ${TEST_NO} "Configure Squid option reply_body_max_size to limit the upper size of requests."
ReportSuggestion "${TEST_NO}" "Configure Squid option reply_body_max_size to limit the upper size of requests."
else
LogText "Result: option reply_body_max_size configured"
LogText "Output: ${FIND}"
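Review bot: the suggestion text on the `ReportSuggestion "${TEST_NO}" "Configure Squid option reply_body_max_size to limit the upper size of requests."` line describes the wrong direction: reply_body_max_size caps the size of reply bodies Squid will deliver to clients, while request bodies are governed by request_body_max_size. Reword the suggestion so an administrator sets the option for the reason it exists.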
@ -293,7 +293,7 @@
#
#################################################################################
#
if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! -z "${SQUID_DAEMON_CONFIG}" ]; then
if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a -n "${SQUID_DAEMON_CONFIG}" ]; then
Display --indent 4 --text "- Checking Squid general options"
fi
#
@ -301,7 +301,7 @@
#
# Test : SQD-3680
# Description : Check httpd_suppress_version_string
if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! -z "${SQUID_DAEMON_CONFIG}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a -n "${SQUID_DAEMON_CONFIG}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no SQD-3680 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check Squid version suppression"
if [ ${SKIPTEST} -eq 0 ]; then
FIND=$(${GREPBINARY} "^httpd_suppress_version_string " ${SQUID_DAEMON_CONFIG} | ${GREPBINARY} " on")
@ -309,7 +309,7 @@
LogText "Result: option httpd_suppress_version_string not configured"
Display --indent 6 --text "- Checking option: httpd_suppress_version_string" --result "${STATUS_NOT_FOUND}" --color YELLOW
AddHP 1 2
ReportSuggestion ${TEST_NO} "Configure Squid option httpd_suppress_version_string (on) to suppress the version."
ReportSuggestion "${TEST_NO}" "Configure Squid option httpd_suppress_version_string (on) to suppress the version."
else
LogText "Result: option httpd_suppress_version_string configured"
LogText "Output: ${FIND}"
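Review bot: the lookup in the hunk above, `FIND=$(${GREPBINARY} "^httpd_suppress_version_string " ${SQUID_DAEMON_CONFIG} | ${GREPBINARY} " on")`, only matches when the option is set to on, so an explicit `httpd_suppress_version_string off` lands in this branch and is logged as "not configured" and scored the same as an absent directive. Grep the directive without the value filter, then branch on the value, so the log and the suggestion distinguish "absent" from "disabled".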
@ -325,4 +325,4 @@ WaitForKeyPress
#
#================================================================================
# Lynis - Copyright 2007-2019 Michael Boelen, CISOfy - https://cisofy.com
# Lynis - Copyright 2007-2020 Michael Boelen, CISOfy - https://cisofy.com


@ -6,7 +6,7 @@
# ------------------
#
# Copyright 2007-2013, Michael Boelen
# Copyright 2007-2019, CISOfy
# Copyright 2007-2020, CISOfy
#
# Website : https://cisofy.com
# Blog : http://linux-audit.com
@ -27,6 +27,7 @@
SSH_DAEMON_PORT=""
SSH_DAEMON_RUNNING=0
SSH_DAEMON_OPTIONS_FILE=""
OPENSSHD_RUNNING=0
OPENSSHD_VERSION=0
OPENSSHD_VERSION_MAJOR=0
OPENSSHD_VERSION_MINOR=0
@ -42,8 +43,8 @@
Register --test-no SSH-7402 --weight L --network NO --category security --description "Check for running SSH daemon"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Searching for a SSH daemon"
IsRunning sshd
if [ ${RUNNING} -eq 1 ] || PortIsListening "TCP" 22; then
if IsRunning "sshd"; then
OPENSSHD_RUNNING=1
SSH_DAEMON_RUNNING=1
Display --indent 2 --text "- Checking running SSH daemon" --result "${STATUS_FOUND}" --color GREEN
# Store settings in a temporary file
@ -51,6 +52,9 @@
SSH_DAEMON_OPTIONS_FILE="${TEMP_FILE}"
# Use a non-existing user, to ensure that systems that have a Match block configured, will be evaluated as well
${SSHDBINARY} -T -C user=doesnotexist,host=none,addr=none 2> /dev/null > ${SSH_DAEMON_OPTIONS_FILE}
elif PortIsListening "TCP" 22; then
Display --indent 2 --text "- Checking running SSH daemon" --result "${STATUS_FOUND}" --color GREEN
SSH_DAEMON_RUNNING=1
else
Display --indent 2 --text "- Checking running SSH daemon" --result "${STATUS_NOT_FOUND}" --color WHITE
fi
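Review bot: the `${SSHDBINARY} -T -C user=doesnotexist,host=none,addr=none 2> /dev/null > ${SSH_DAEMON_OPTIONS_FILE}` line runs before SSH-7406 has determined the version and never checks its exit status. On an OpenSSH older than the 5.1 floor that SSH-7408 later enforces, or on any sshd that rejects `-C`, the options file is created empty with the error discarded; SSH-7440 has no version gate and will still run against that empty file and report AllowUsers and AllowGroups as not set. Check `$?` here, log the failure, and clear SSH_DAEMON_OPTIONS_FILE on error.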
@ -60,7 +64,7 @@
#
# Test : SSH-7404
# Description : Determine SSH daemon configuration file location
if [ ${SSH_DAEMON_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
if [ ${OPENSSHD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no SSH-7404 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check SSH daemon file location"
if [ ${SKIPTEST} -eq 0 ]; then
FOUND=0
@ -95,15 +99,15 @@
#
# Test : SSH-7406
# Description : Check OpenSSH version
if [ ${SSH_DAEMON_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
if [ ${OPENSSHD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no SSH-7406 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Determine OpenSSH version"
if [ ${SKIPTEST} -eq 0 ]; then
OPENSSHD_VERSION=$(sshd -t -d 2>&1 | ${GREPBINARY} 'sshd version' | ${AWKBINARY} '{if($4~OpenSSH_){print $4}}' | ${AWKBINARY} -F_ '{print $2}' | ${TRBINARY} -d ',')
OPENSSHD_VERSION=$(${SSHDBINARY} -t -d 2>&1 | ${GREPBINARY} 'sshd version' | ${AWKBINARY} '{if($4~OpenSSH_){print $4}}' | ${AWKBINARY} -F_ '{print $2}' | ${TRBINARY} -d '[:cntrl:],')
LogText "Result: discovered OpenSSH version is ${OPENSSHD_VERSION}"
if [ ! -z ${OPENSSHD_VERSION} ]; then
OPENSSHD_VERSION_MAJOR=$(echo ${OPENSSHD_VERSION} | ${AWKBINARY} -F. '{print $1}')
if [ -n "${OPENSSHD_VERSION}" ]; then
OPENSSHD_VERSION_MAJOR=$(echo ${OPENSSHD_VERSION%%p*} | ${AWKBINARY} -F. '{print $1}')
LogText "Result: OpenSSH major version: ${OPENSSHD_VERSION_MAJOR}"
OPENSSHD_VERSION_MINOR=$(echo ${OPENSSHD_VERSION} | ${AWKBINARY} -F. '{print $2}')
OPENSSHD_VERSION_MINOR=$(echo ${OPENSSHD_VERSION%%p*} | ${AWKBINARY} -F. '{print $2}')
LogText "Result: OpenSSH minor version: ${OPENSSHD_VERSION_MINOR}"
fi
fi
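Review bot: in the `OPENSSHD_VERSION=$(${SSHDBINARY} -t -d 2>&1 | ${GREPBINARY} 'sshd version' | ${AWKBINARY} '{if($4~OpenSSH_){print $4}}' ...` line, `OpenSSH_` is unquoted, so awk treats it as an unset variable and `$4 ~ ""` matches every line that reaches it; the filter only appears to work because the preceding grep already selected the "sshd version" line. Write it as `$4 ~ /OpenSSH_/` so the intent survives if the grep changes. The `${OPENSSHD_VERSION%%p*}` trimming of the portable suffix is the right fix for values like 8.2p1.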
@ -113,7 +117,7 @@
# Test : SSH-7408
# Description : Check SSH specific defined options
# Notes : Instead of parsing the configuration file, we query the SSH daemon itself
if [ ${SSH_DAEMON_RUNNING} -eq 1 -a ! -z "${SSH_DAEMON_OPTIONS_FILE}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
if [ ${OPENSSHD_RUNNING} -eq 1 -a -n "${SSH_DAEMON_OPTIONS_FILE}" -a \( ${OPENSSHD_VERSION_MAJOR} -gt 5 -o ${OPENSSHD_VERSION_MAJOR} -eq 5 -a ${OPENSSHD_VERSION_MINOR} -ge 1 \) ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no SSH-7408 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check SSH specific defined options"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking specific defined options in ${SSH_DAEMON_OPTIONS_FILE}"
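Review bot: the precondition `if [ ${OPENSSHD_RUNNING} -eq 1 -a -n "${SSH_DAEMON_OPTIONS_FILE}" -a \( ${OPENSSHD_VERSION_MAJOR} -gt 5 -o ${OPENSSHD_VERSION_MAJOR} -eq 5 -a ${OPENSSHD_VERSION_MINOR} -ge 1 \) ]` relies on `-a` binding tighter than `-o` inside one `[`, which POSIX leaves unspecified beyond four arguments and which test builtins do not all parse alike. Split it into separate bracket tests joined by `&&` and `||`, and extend the "# Notes" comment with why 5.1 is the floor, since nothing in the hunk says so.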
@ -137,9 +141,9 @@
IgnoreRhosts:YES,,NO:=\
LoginGraceTime:120,240,480:<\
LogLevel:VERBOSE,INFO,:=\
MaxAuthTries:2,4,6:<\
MaxAuthTries:3,6,999:<\
MaxSessions:2,4,8:<\
PermitRootLogin:(NO|PROHIBIT-PASSWORD|WITHOUT-PASSWORD),,YES:=\
PermitRootLogin:(FORCED-COMMANDS-ONLY|NO|PROHIBIT-PASSWORD|WITHOUT-PASSWORD),,YES:=\
PermitUserEnvironment:NO,,YES:=\
PermitTunnel:NO,,YES:=\
Port:,,22:!\
@ -147,7 +151,6 @@
StrictModes:YES,,NO:=\
TCPKeepAlive:NO,,YES:=\
UseDNS:NO,,YES:=\
VerifyReverseMapping:YES,,NO:=\
X11Forwarding:NO,,YES:=\
AllowAgentForwarding:NO,,YES:="
@ -185,7 +188,7 @@
FOUNDVALUE=$(${AWKBINARY} -v OPT="${OPTIONNAME_LOWER}" 'index($0, OPT) == 1 { print toupper($2) }' ${SSH_DAEMON_OPTIONS_FILE} | tail -1)
LogText "Test: Checking ${OPTIONNAME} in ${SSH_DAEMON_OPTIONS_FILE}"
if [ ! -z "${FOUNDVALUE}" ]; then
if [ -n "${FOUNDVALUE}" ]; then
LogText "Result: Option ${OPTIONNAME} found"
LogText "Result: Option ${OPTIONNAME} value is ${FOUNDVALUE}"
@ -197,7 +200,7 @@
elif [ "${FOUNDVALUE}" = "${WEAKVALUE}" ]; then
RESULT="WEAK"
else
if [ ! -z "${EXPECTEDVALUE}" ]; then
if [ -n "${EXPECTEDVALUE}" ]; then
LogText "Expected value has multiple values, testing if active value is in list (${EXPECTEDVALUE})"
FIND=$(echo ${FOUNDVALUE} | ${GREPBINARY} -E "${EXPECTEDVALUE}")
if [ $? -eq 0 ]; then
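Review bot: `FIND=$(echo ${FOUNDVALUE} | ${GREPBINARY} -E "${EXPECTEDVALUE}")` is an unanchored match, so an expected list such as `(NO|PROHIBIT-PASSWORD|WITHOUT-PASSWORD)` also accepts any value that merely contains NO, and the medium-scored comparison a few lines further down has the same weakness. Anchor the pattern as `^(${EXPECTEDVALUE})$` before grading a value as GOOD or MIDSCORED.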
@ -207,7 +210,7 @@
LogText "Result: not found"
fi
fi
if [ ! -z "${MEDIUMSCOREDVALUE}" ]; then
if [ -n "${MEDIUMSCOREDVALUE}" ]; then
LogText "Medium scored value has multiple values, testing if active value is in list (${MEDIUMSCOREDVALUE})"
FIND=$(echo ${FOUNDVALUE} | ${GREPBINARY} -E "${MEDIUMSCOREDVALUE}")
if [ $? -eq 0 ]; then
@ -258,31 +261,31 @@
fi
if [ "${RESULT}" = "GOOD" ]; then
LogText "Result: SSH option ${OPTIONNAME} is configured very well"
Display --indent 4 --text "- SSH option: ${OPTIONNAME}" --result "${STATUS_OK}" --color GREEN
LogText "Result: OpenSSH option ${OPTIONNAME} is configured very well"
Display --indent 4 --text "- OpenSSH option: ${OPTIONNAME}" --result "${STATUS_OK}" --color GREEN
AddHP 3 3
elif [ "${RESULT}" = "MIDSCORED" ]; then
LogText "Result: SSH option ${OPTIONNAME} is configured reasonably"
ReportSuggestion ${TEST_NO} "Consider hardening SSH configuration" "${OPTIONNAME} (${FOUNDVALUE} --> ${EXPECTEDVALUE})" "-"
LogText "Result: OpenSSH option ${OPTIONNAME} is configured reasonably"
ReportSuggestion "${TEST_NO}" "Consider hardening SSH configuration" "${OPTIONNAME} (set ${FOUNDVALUE} to ${EXPECTEDVALUE})" "-"
ReportDetails --test "${TEST_NO}" --service "sshd" --field "${OPTIONNAME}" --value "${FOUNDVALUE}" --preferredvalue "${EXPECTEDVALUE}" --description "sshd option ${OPTIONNAME}"
Display --indent 4 --text "- SSH option: ${OPTIONNAME}" --result "${STATUS_SUGGESTION}" --color YELLOW
Display --indent 4 --text "- OpenSSH option: ${OPTIONNAME}" --result "${STATUS_SUGGESTION}" --color YELLOW
AddHP 1 3
elif [ "${RESULT}" = "WEAK" ]; then
LogText "Result: SSH option ${OPTIONNAME} is in a weak configuration state and should be fixed"
ReportSuggestion ${TEST_NO} "Consider hardening SSH configuration" "${OPTIONNAME} (${FOUNDVALUE} --> ${EXPECTEDVALUE})" "-"
LogText "Result: OpenSSH option ${OPTIONNAME} is in a weak configuration state and should be fixed"
ReportSuggestion "${TEST_NO}" "Consider hardening SSH configuration" "${OPTIONNAME} (set ${FOUNDVALUE} to ${EXPECTEDVALUE})" "-"
ReportDetails --test "${TEST_NO}" --service "sshd" --field "${OPTIONNAME}" --value "${FOUNDVALUE}" --preferredvalue "${EXPECTEDVALUE}" --description "sshd option ${OPTIONNAME}"
Display --indent 4 --text "- SSH option: ${OPTIONNAME}" --result "${STATUS_SUGGESTION}" --color YELLOW
Display --indent 4 --text "- OpenSSH option: ${OPTIONNAME}" --result "${STATUS_SUGGESTION}" --color YELLOW
AddHP 0 3
elif [ "${RESULT}" = "UNKNOWN" ]; then
LogText "Result: Value of SSH option ${OPTIONNAME} is unknown (not defined)"
Display --indent 4 --text "- SSH option: ${OPTIONNAME}" --result DEFAULT --color WHITE
LogText "Result: Value of OpenSSH option ${OPTIONNAME} is unknown (not defined)"
Display --indent 4 --text "- OpenSSH option: ${OPTIONNAME}" --result DEFAULT --color WHITE
Report "unknown_config_option[]=ssh|$SSH_DAEMON_CONFIG}|${OPTIONNAME}|"
else
LogText "Result: Option ${OPTIONNAME} not found in output"
Display --indent 4 --text "- SSH option: ${OPTIONNAME}" --result "${STATUS_NOT_FOUND}" --color WHITE
Display --indent 4 --text "- OpenSSH option: ${OPTIONNAME}" --result "${STATUS_NOT_FOUND}" --color WHITE
fi
else
if IsVerbose; then Display --indent 4 --text "- SSH option: ${OPTIONNAME}" --result "SKIPPED (via config)" --color WHITE; fi
if IsVerbose; then Display --indent 4 --text "- OpenSSH option: ${OPTIONNAME}" --result "SKIPPED (via config)" --color WHITE; fi
fi
done
fi
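Review bot: `Report "unknown_config_option[]=ssh|$SSH_DAEMON_CONFIG}|${OPTIONNAME}|"` is missing the opening brace of `${SSH_DAEMON_CONFIG}`, so the report line carries the path followed by a literal `}` and anything parsing the report file receives a malformed field. This is pre-existing, but the hunk already touches the surrounding lines, so it is the place to fix it.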
@ -290,32 +293,32 @@
#################################################################################
#
# Test : SSH-7440
# Description : AllowUsers / AllowGroups
# Description : OpenSSH - AllowUsers / AllowGroups
# Goal : Check if only a specific amount of users/groups can log in to the system
if [ ${SSH_DAEMON_RUNNING} -eq 1 -a ! -z "${SSH_DAEMON_OPTIONS_FILE}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no SSH-7440 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check SSH option: AllowUsers and AllowGroups"
if [ ${OPENSSHD_RUNNING} -eq 1 -a -n "${SSH_DAEMON_OPTIONS_FILE}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no SSH-7440 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check OpenSSH option: AllowUsers and AllowGroups"
if [ ${SKIPTEST} -eq 0 ]; then
FOUND=0
# AllowUsers
FIND=$(${EGREPBINARY} -i "^AllowUsers" ${SSH_DAEMON_OPTIONS_FILE} | ${AWKBINARY} '{ print $2 }')
if [ ! -z "${FIND}" ]; then
if [ -n "${FIND}" ]; then
LogText "Result: AllowUsers set, with value ${FIND}"
Display --indent 4 --text "- SSH option: AllowUsers" --result "${STATUS_FOUND}" --color GREEN
Display --indent 4 --text "- OpenSSH option: AllowUsers" --result "${STATUS_FOUND}" --color GREEN
FOUND=1
else
LogText "Result: AllowUsers is not set"
Display --indent 4 --text "- SSH option: AllowUsers" --result "${STATUS_NOT_FOUND}" --color WHITE
Display --indent 4 --text "- OpenSSH option: AllowUsers" --result "${STATUS_NOT_FOUND}" --color WHITE
fi
# AllowGroups
FIND=$(${EGREPBINARY} -i "^AllowGroups" ${SSH_DAEMON_OPTIONS_FILE} | ${AWKBINARY} '{ print $2 }')
if [ ! -z "${FIND}" ]; then
if [ -n "${FIND}" ]; then
LogText "Result: AllowUsers set ${FIND}"
Display --indent 4 --text "- SSH option: AllowGroups" --result "${STATUS_FOUND}" --color GREEN
Display --indent 4 --text "- OpenSSH option: AllowGroups" --result "${STATUS_FOUND}" --color GREEN
FOUND=1
else
LogText "Result: AllowGroups is not set"
Display --indent 4 --text "- SSH option: AllowGroups" --result "${STATUS_NOT_FOUND}" --color WHITE
Display --indent 4 --text "- OpenSSH option: AllowGroups" --result "${STATUS_NOT_FOUND}" --color WHITE
fi
if [ ${FOUND} -eq 1 ]; then
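Review bot: the log line in the AllowGroups branch, `LogText "Result: AllowUsers set ${FIND}"`, was copied from the AllowUsers branch and names the wrong option; change it to `AllowGroups set, with value ${FIND}` so the log agrees with the Display text beneath it.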
@ -331,6 +334,7 @@
#
Report "ssh_daemon_running=${SSH_DAEMON_RUNNING}"
Report "openssh_daemon_running=${OPENSSHD_RUNNING}"
WaitForKeyPress


@ -6,7 +6,7 @@
# ------------------
#
# Copyright 2007-2013, Michael Boelen
# Copyright 2007-2019, CISOfy
# Copyright 2007-2020, CISOfy
#
# Website : https://cisofy.com
# Blog : http://linux-audit.com
@ -30,17 +30,17 @@
#
# Test : STRG-1846
# Description : Check for disabled firewire storage
# Explanation : Best option is to use the install function, or else drivers can still be loaded manually
# Explanation : Best option is to use the install function, otherwise drivers can still be loaded manually
Register --test-no STRG-1846 --os Linux --weight L --network NO --category security --description "Check if firewire storage is disabled"
if [ ${SKIPTEST} -eq 0 ]; then
if [ "${SKIPTEST}" -eq 0 ]; then
FOUND=0
LogText "Test: Checking firewire storage driver in directory /etc/modprobe.d and configuration file /etc/modprobe.conf"
if [ -d ${ROOTDIR}etc/modprobe.d ]; then
if [ -d "${ROOTDIR}etc/modprobe.d" ]; then
FIND=$(${LSBINARY} ${ROOTDIR}etc/modprobe.d/* 2> /dev/null)
if [ ! -z "${FIND}" ]; then
if [ -n "${FIND}" ]; then
FIND1=$(${EGREPBINARY} "blacklist (ohci1394|firewire[-_]ohci|firewire-core)" ${ROOTDIR}etc/modprobe.d/* | ${GREPBINARY} -v "#")
FIND2=$(${EGREPBINARY} "install (ohci1394|firewire[-_]ohci|firewire-core) /bin/(false|true)" ${ROOTDIR}etc/modprobe.d/* | ${GREPBINARY} -v "#")
if [ ! -z "${FIND1}" -o ! -z "${FIND2}" ]; then
if [ -n "${FIND1}" ] || [ -n "${FIND2}" ]; then
FOUND=1
LogText "Result: found firewire ohci driver in disabled state"
fi
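Review bot: on the `FIND1=$(${EGREPBINARY} "blacklist (ohci1394|firewire[-_]ohci|firewire-core)" ... | ${GREPBINARY} -v "#")` and `FIND2=` lines, `grep -v "#"` discards any line containing a `#` anywhere, including a valid `blacklist firewire-core # disabled per policy`, so such a system is reported as NOT DISABLED. Filter comment lines with `-v "^[[:space:]]*#"` (or strip trailing comments first); the same pattern is repeated for modprobe.conf in the next hunk.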
@ -48,10 +48,10 @@
LogText "Result: skipping ${ROOTDIR}etc/modprobe.d, directory found but no files in it"
fi
fi
if [ -f ${ROOTDIR}etc/modprobe.conf ]; then
FIND1=$(${EGREPBINARY} -r "blacklist (ohci1394|firewire[-_]ohci|firewire-core)" ${ROOTDIR}etc/modprobe.conf | ${GREPBINARY} -v "#")
FIND2=$(${EGREPBINARY} -r "install (ohci1394|firewire[-_]ohci|firewire-core) /bin/(false|true)" ${ROOTDIR}etc/modprobe.conf | ${GREPBINARY} -v "#")
if [ ! -z "${FIND1}" -o ! -z "${FIND2}" ]; then
if [ -f "${ROOTDIR}etc/modprobe.conf" ]; then
FIND1=$(${EGREPBINARY} -r "blacklist (ohci1394|firewire[-_]ohci|firewire-core)" "${ROOTDIR}etc/modprobe.conf" | ${GREPBINARY} -v "#")
FIND2=$(${EGREPBINARY} -r "install (ohci1394|firewire[-_]ohci|firewire-core) /bin/(false|true)" "${ROOTDIR}etc/modprobe.conf" | ${GREPBINARY} -v "#")
if [ -n "${FIND1}" ] || [ -n "${FIND2}" ]; then
FOUND=1
LogText "Result: found firewire ohci driver in disabled state"
fi
@ -60,7 +60,7 @@
if [ ${FOUND} -eq 0 ]; then
LogText "Result: firewire ohci driver is not explicitly disabled"
Display --indent 2 --text "- Checking firewire ohci driver (modprobe config)" --result "NOT DISABLED" --color WHITE
ReportSuggestion ${TEST_NO} "Disable drivers like firewire storage when not used, to prevent unauthorized storage or data theft"
ReportSuggestion "${TEST_NO}" "Disable drivers like firewire storage when not used, to prevent unauthorized storage or data theft"
# after blacklisting modules, make sure to remove them from the initram filesystem: update-initramfs -u
AddHP 2 3
else
@ -77,4 +77,4 @@ WaitForKeyPress
#
#================================================================================
# Lynis - Copyright 2007-2019, CISOfy, Michael Boelen - https://cisofy.com
# Lynis - Copyright 2007-2020, CISOfy, Michael Boelen - https://cisofy.com


@ -6,7 +6,7 @@
# ------------------
#
# Copyright 2007-2013, Michael Boelen
# Copyright 2007-2019, CISOfy
# Copyright 2007-2020, CISOfy
#
# Website : https://cisofy.com
# Blog : http://linux-audit.com
@ -33,7 +33,7 @@
#
# Test : STRG-1902
# Description : Check rpcinfo
if [ ! -z "${RPCINFOBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
if [ -n "${RPCINFOBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no STRG-1902 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check rpcinfo registered programs"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking rpcinfo registered programs"
@ -48,7 +48,7 @@
#
# Test : STRG-1904
# Description : Check nfs versions in rpcinfo
if [ ! -z "${RPCINFOBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
if [ -n "${RPCINFOBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no STRG-1904 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check nfs rpc"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking NFS registered versions"
@ -63,7 +63,7 @@
#
# Test : STRG-1906
# Description : Check nfs protocols (TCP/UDP) and port in rpcinfo
if [ ! -z "${RPCINFOBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
if [ -n "${RPCINFOBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no STRG-1906 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check nfs rpc"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking NFS registered protocols"
@ -123,7 +123,7 @@
if [ -f ${ROOTDIR}etc/exports ]; then
LogText "Result: ${ROOTDIR}etc/exports exists"
FIND=$(${GREPBINARY} -v "^$" ${ROOTDIR}etc/exports | ${GREPBINARY} -v "^#" | ${SEDBINARY} 's/ /!space!/g')
if [ ! -z "${FIND}" ]; then
if [ -n "${FIND}" ]; then
for I in ${FIND}; do
I=$(echo ${I} | ${SEDBINARY} 's/!space!/ /g')
LogText "Found line: ${I}"
@ -149,7 +149,7 @@
if [ ${NFS_EXPORTS_EMPTY} -eq 1 ]; then
Display --indent 6 --text "- Checking empty /etc/exports" --result "${STATUS_SUGGESTION}" --color YELLOW
LogText "Result: ${ROOTDIR}etc/exports seems to have no exported file systems"
ReportSuggestion ${TEST_NO} "/etc/exports has no exported file systems, while NFS daemon is running. Check if NFS needs to run on this system"
ReportSuggestion "${TEST_NO}" "/etc/exports has no exported file systems, while NFS daemon is running. Check if NFS needs to run on this system"
fi
fi
#
@ -161,10 +161,10 @@
Register --test-no STRG-1930 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check client access to nfs share"
if [ ${SKIPTEST} -eq 0 ]; then
sFIND=$(${SHOWMOUNTBINARY} -e | ${AWKBINARY} '{ print $2 }' | ${SEDBINARY} '1d' | ${GREPBINARY} "\*")
if [ ! -z "${sFIND}" ]; then
if [ -n "${sFIND}" ]; then
LogText "Result: all client are allowed to access a NFS share in /etc/exports"
Display --indent 4 --text "- Checking NFS client access" --result "ALL CLIENTS" --color YELLOW
ReportSuggestion ${TEST_NO} "Specify clients that are allowed to access a NFS share /etc/exports"
ReportSuggestion "${TEST_NO}" "Specify clients that are allowed to access a NFS share /etc/exports"
AddHP 2 3
else
LogText "Result: only some clients are allowed to access a NFS share"
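Review bot: the `sFIND=$(${SHOWMOUNTBINARY} -e | ${AWKBINARY} '{ print $2 }' | ${SEDBINARY} '1d' | ${GREPBINARY} "\*")` check matches a `*` anywhere in the first client field, so a wildcard domain such as `*.example.com` is reported as "ALL CLIENTS", while any further client in a comma-separated list is never inspected. Match the bare `*` token for the all-clients case and iterate over the comma-separated fields; the log text "all client are allowed" should read "all clients are allowed".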


@ -6,7 +6,7 @@
# ------------------
#
# Copyright 2007-2013, Michael Boelen
# Copyright 2007-2019, CISOfy
# Copyright 2007-2020, CISOfy
#
# Website : https://cisofy.com
# Blog : http://linux-audit.com
@ -31,7 +31,7 @@
#################################################################################
#
if [ -x ${ROOTDIR}/usr/bin/csrutil ]; then PREQS_MET="YES"; else PREQS_MET="NO"; SKIPREASON="No CSrutil binary found"; fi
Register --test-no SINT-7010 --preqs-met ${PREQS_MET} --skip-reason "${SKIPREASON}" --weight H --network NO --category security --description "System Integrity Status"
Register --test-no SINT-7010 --os MacOS --preqs-met ${PREQS_MET} --skip-reason "${SKIPREASON}" --weight H --network NO --category security --description "System Integrity Status"
if [ ${SKIPTEST} -eq 0 ]; then
if ${ROOTDIR}usr/bin/csrutil status | ${GREPBINARY} -sq enabled ; then
Display --indent 2 --text "- System Integrity Protection (status)" --result "${STATUS_OK}" --color GREEN
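Review bot: the precondition `if [ -x ${ROOTDIR}/usr/bin/csrutil ]` puts a slash after `${ROOTDIR}` while the status call two lines later uses `${ROOTDIR}usr/bin/csrutil`; with the usual `ROOTDIR=/` the first becomes `//usr/bin/csrutil` and still works, but with any other root one of the two paths is wrong, so use the same form in both. The skip reason "No CSrutil binary found" should spell the tool as `csrutil`.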
@ -51,4 +51,4 @@
WaitForKeyPress
#
#================================================================================
# Lynis - Copyright 2007-2019 Michael Boelen, CISOfy - https://cisofy.com
# Lynis - Copyright 2007-2020 Michael Boelen, CISOfy - https://cisofy.com


@ -6,7 +6,7 @@
# ------------------
#
# Copyright 2007-2013, Michael Boelen
# Copyright 2007-2019, CISOfy
# Copyright 2007-2020, CISOfy
#
# Website : https://cisofy.com
# Blog : http://linux-audit.com
@ -36,6 +36,7 @@
NTP_CONFIG_TYPE_EVENTBASED=0
NTP_CONFIG_TYPE_STARTUP=0
NTPD_RUNNING=0 # Specific for ntpd
OPENNTPD_COMMUNICATION=0 # if ntpctl can communicate
SYSTEMD_NTP_ENABLED=0
#
#################################################################################
@ -62,9 +63,8 @@
for FILE in ${SEARCH_FILES}; do
if [ -f ${FILE} ]; then LogText "result: found chrony configuration: ${FILE}"; CHRONY_CONF_FILE="${FILE}"; fi
done
if [ ! -z "${CHRONY_CONF_FILE}" ]; then
IsRunning chronyd
if [ ${RUNNING} -eq 1 ]; then
if [ -n "${CHRONY_CONF_FILE}" ]; then
if IsRunning "chronyd"; then
FOUND=1; NTP_DAEMON_RUNNING=1; NTP_CONFIG_TYPE_DAEMON=1; NTP_DAEMON="chronyd"
Display --indent 2 --text "- NTP daemon found: chronyd" --result "${STATUS_FOUND}" --color GREEN
else
@ -75,15 +75,41 @@
fi
# Check time daemon (eg DragonFly BSD)
IsRunning dntpd
if [ ${RUNNING} -eq 1 ]; then
if IsRunning "dntpd"; then
FOUND=1; NTP_DAEMON_RUNNING=1; NTP_CONFIG_TYPE_DAEMON=1; NTP_DAEMON="dntpd"
Display --indent 2 --text "- NTP daemon found: dntpd" --result "${STATUS_FOUND}" --color GREEN
fi
# Check running processes
FIND=$(${PSBINARY} ax | ${GREPBINARY} "ntpd" | ${GREPBINARY} -v "dntpd" | ${GREPBINARY} -v "grep")
if [ ! -z "${FIND}" ]; then
# Check for OpenNTPD, ntpctl comes with a "regular" install
if [ -n "${NTPCTLBINARY}" ]; then
# In contrast to timectl, "synchronised: yes" is not grepped.
# Reason: openntpd syncs only if large time corrections are not required or -s is passed.
# This might be not intended by the administrator (-s is NOT the default!)
FIND=$(${PSBINARY} ax | ${GREPBINARY} "ntpd: ntp engine" | ${GREPBINARY} -v "grep")
# Status code 0 is when communication over the socket is successfull
if ${NTPCTLBINARY} -s status > /dev/null 2> /dev/null; then
FOUND=1; NTP_DAEMON_RUNNING=1; NTP_CONFIG_TYPE_DAEMON=1; NTP_DAEMON="openntpd"
LogText "result: found openntpd (method: ntpctl)"
OPENNTPD_COMMUNICATION=1
elif [ -n "${FIND}" ] ; then
# Reasons for ntpctl to fail might be someone spawned a new process thus overwriting the socket,
# then ended it, but another openntpd process is still running
FOUND=1; NTP_DAEMON_RUNNING=1; NTP_CONFIG_TYPE_DAEMON=1; NTP_DAEMON="openntpd"
LogText "result: found openntpd (method: ps)"
else
LogText "result: running openntpd not found, but ntpctl is instaalled"
fi
if [ "${NTP_DAEMON}" = "openntpd" ]; then
Display --indent 2 --text "- NTP daemon found: OpenNTPD" --result "${STATUS_FOUND}" --color GREEN
fi
fi
# Check running processes (ntpd from ntp.org)
# As checking by process name is ambigiouse (openntpd has the same process name),
# this check will be skipped if openntpd has been found.
FIND=$(${PSBINARY} ax | ${GREPBINARY} "ntpd" | ${GREPBINARY} -v "dntpd" | ${GREPBINARY} -v "ntpd: " | ${GREPBINARY} -v "grep")
if [ "${NTP_DAEMON}" != "openntpd" ] && [ -n "${FIND}" ]; then
FOUND=1; NTPD_RUNNING=1; NTP_DAEMON_RUNNING=1; NTP_CONFIG_TYPE_DAEMON=1
NTP_DAEMON="ntpd"
LogText "Result: found running NTP daemon in process list"
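Review bot: spelling in the new OpenNTPD block: "successfull" in the comment above the ntpctl call, "instaalled" in the log text of the else branch, and "ambigiouse" in the comment above the ntp.org check. On the logic, when ntpctl fails but `ps ax | grep "ntpd: ntp engine"` matches, the comment attributes it to a replaced socket; logging the ntpctl exit status at that point would let the report say why communication failed rather than leaving OPENNTPD_COMMUNICATION at 0 without explanation.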
@ -91,77 +117,60 @@
fi
# Check time daemon (eg NetBSD)
IsRunning timed
if [ ${RUNNING} -eq 1 ]; then
if IsRunning "timed"; then
FOUND=1; NTP_DAEMON_RUNNING=1; NTP_CONFIG_TYPE_DAEMON=1; NTP_DAEMON="timed"
Display --indent 2 --text "- NTP daemon found: timed" --result "${STATUS_FOUND}" --color GREEN
fi
# Check timedate daemon (systemd)
if [ ! -z "${TIMEDATECTL}" ]; then
FIND=$(${TIMEDATECTL} status | ${EGREPBINARY} "(NTP|System clock) synchronized: yes")
if [ ! -z "${FIND}" ]; then
# Check for systemd-timesyncd
if [ -f ${ROOTDIR}etc/systemd/timesyncd.conf ]; then
LogText "Result: found ${ROOTDIR}etc/systemd/timesyncd.conf"
FOUND=1; NTP_DAEMON_RUNNING=1; NTP_CONFIG_TYPE_DAEMON=1; NTP_DAEMON="systemd-timesyncd"
Display --indent 2 --text "- NTP daemon found: systemd (timesyncd)" --result "${STATUS_FOUND}" --color GREEN
SYSTEMD_NTP_ENABLED=1
else
LogText "Result: ${ROOTDIR}etc/systemd/timesyncd.conf does not exist"
fi
else
LogText "Result: time sychronization not performed according timedatectl command"
fi
else
LogText "Result: timedatectl command not available on this system"
FIND=$(${PSBINARY} ax | ${GREPBINARY} "systemd-timesyncd" | ${GREPBINARY} -v "grep")
if [ -n "${FIND}" ]; then
FOUND=1; NTP_DAEMON_RUNNING=1; NTP_CONFIG_TYPE_DAEMON=1; NTP_DAEMON="systemd-timesyncd"
Display --indent 2 --text "- NTP daemon found: systemd (timesyncd)" --result "${STATUS_FOUND}" --color GREEN
LogText "Result: Found running systemd-timesyncd in process list"
fi
# Check crontab for OpenBSD/FreeBSD
# Check anacrontab for Linux
CRONTAB_FILES="/etc/anacrontab /etc/crontab"
# Regex for matching multiple time synchronisation binaries
# Partial sanity check for sntp and ntpdig, but this does not consider all corner cases
CRONTAB_REGEX='ntpdate|rdate|sntp.+-(s|j|--adj)|ntpdig.+-(S|s)'
for I in ${CRONTAB_FILES}; do
if [ -f ${I} ]; then
LogText "Test: checking for ntpdate or rdate in crontab file ${I}"
FIND=$(${EGREPBINARY} "ntpdate|rdate" ${I} | ${GREPBINARY} -v '^#')
if [ ! -z "${FIND}" ]; then
LogText "Test: checking for ntpdate, rdate, sntp or ntpdig in crontab file ${I}"
FIND=$(${EGREPBINARY} "${CRONTAB_REGEX}" ${I} | ${GREPBINARY} -v '^#')
if [ -n "${FIND}" ]; then
FOUND=1; NTP_CONFIG_TYPE_SCHEDULED=1
Display --indent 2 --text "- Checking NTP client in crontab file (${I})" --result "${STATUS_FOUND}" --color GREEN
LogText "Result: found ntpdate or rdate reference in crontab file ${I}"
LogText "Result: found ntpdate, rdate, sntp or ntpdig reference in crontab file ${I}"
else
#Display --indent 2 --text "- Checking NTP client in crontab file (${I})" --result "${STATUS_NOT_FOUND}" --color WHITE
LogText "Result: no ntpdate or rdate reference found in crontab file ${I}"
LogText "Result: no ntpdate, rdate, sntp or ntpdig reference found in crontab file ${I}"
fi
else
LogText "Result: crontab file ${I} not found"
fi
done
# Don't run check in cron job directory on Solaris
# /etc/cron.d/FIFO is a special file and test get stuck at this file
# Notes: only test for normal files. File /etc/cron.d/FIFO on solaris is a special file and test may hang
# Linux systems may have a .placeholder file
FOUND_IN_CRON=0
# Check cron jobs
for I in ${CRON_DIRS}; do
if [ -d ${I} ]; then
if FileIsReadable ${I}; then
FIND=$(${LSBINARY} ${I} | ${GREPBINARY} -v FIFO)
if [ ! -z "${FIND}" ]; then
for J in ${FIND}; do
LogText "Test: checking for ntpdate or rdate in ${I}/${J}"
FIND2=$(${EGREPBINARY} "rdate|ntpdate" ${I}/${J} | ${GREPBINARY} -v "^#")
if [ ! -z "${FIND2}" ]; then
LogText "Positive match found: ${FIND2}"
FOUND=1; FOUND_IN_CRON=1; NTP_CONFIG_TYPE_SCHEDULED=1
fi
done
else
LogText "Result: ${I} is empty, skipping search in directory"
for J in "${I}"/*; do # iterate over folders in a safe way
# Check: regular file, readable and not called .placeholder
FIND=$(echo "${J}" | ${EGREPBINARY} '/.placeholder$')
if [ -f "${J}" ] && [ -r "${J}" ] && [ -z "${FIND}" ]; then
LogText "Test: checking for ntpdate, rdate, sntp or ntpdig in ${J}"
FIND=$("${EGREPBINARY}" "${CRONTAB_REGEX}" "${J}" | "${GREPBINARY}" -v "^#")
if [ -n "${FIND}" ]; then
FOUND=1; FOUND_IN_CRON=1; NTP_CONFIG_TYPE_SCHEDULED=1
LogText "Result: found ntpdate, rdate, sntp or ntpdig in ${J}"
fi
else
LogText "Result: could not search in directory due to permissions"
fi
fi
done
done
if [ ${FOUND_IN_CRON} -eq 1 ]; then
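Review bot: in `CRONTAB_REGEX='ntpdate|rdate|sntp.+-(s|j|--adj)|ntpdig.+-(S|s)'` the `--adj` alternative can never match a real invocation, because the literal `-` in front of the group demands a third dash (`---adj`); long options such as `--step` or `--slew` are already caught by the `-(s|j)` branch, so either drop `--adj` or move the leading dash into the alternatives, e.g. `sntp.+(-s|-j|--adj)`. Smaller point in the same hunk: the `.placeholder` filter `${EGREPBINARY} '/.placeholder$'` leaves the dot unescaped; `'/\.placeholder$'` says what is meant.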
@ -186,13 +195,13 @@
if [ -f /etc/rc.conf ]; then
LogText "Test: Checking if ntpdate is enabled at startup in *BSD"
FIND=$(${GREPBINARY} 'ntpdate_enable="YES"' /etc/rc.conf)
if [ ! -z "${FIND}" ]; then
if [ -n "${FIND}" ]; then
LogText "Result: ntpdate is enabled in rc.conf"
FOUND=1
NTP_CONFIG_TYPE_STARTUP=1
# Only show suggestion when ntpdate is enabled, however ntpd is not running
if [ ${NTP_DAEMON_RUNNING} -eq 0 ]; then
ReportSuggestion ${TEST_NO} "Although ntpdate is enabled in rc.conf, it is advised to run it at least daily or use a NTP daemon"
ReportSuggestion "${TEST_NO}" "Although ntpdate is enabled in rc.conf, it is advised to run it at least daily or use a NTP daemon"
fi
else
LogText "Result: ntpdate is not enabled in rc.conf"
@ -205,7 +214,7 @@
else
Display --indent 2 --text "- Checking for a running NTP daemon or client" --result "${STATUS_WARNING}" --color RED
LogText "Result: Could not find a NTP daemon or client"
ReportSuggestion ${TEST_NO} "Use NTP daemon or NTP client to prevent time issues."
ReportSuggestion "${TEST_NO}" "Use NTP daemon or NTP client to prevent time issues."
AddHP 0 2
fi
else
@ -219,14 +228,14 @@
#
# Test : TIME-3106
# Description : Check status of systemd time synchronization
if [ ${SYSTEMD_NTP_ENABLED} -eq 1 -a ! -z "${TIMEDATECTL}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
if [ ${SYSTEMD_NTP_ENABLED} -eq 1 -a -n "${TIMEDATECTL}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no TIME-3106 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check systemd NTP time synchronization status"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Check the status of time synchronization via timedatectl"
FIND=$(${TIMEDATECTL} status | ${EGREPBINARY} "(NTP|System clock) synchronized: yes")
if [ -z "${FIND}" ]; then
LogText "Result: time not synchronized via NTP"
ReportSuggestion "${TEST_NO}" "Check timedatectl output. Sychronization via NTP is enabled, but status reflects it is not synchronized"
ReportSuggestion "${TEST_NO}" "Check timedatectl output. Synchronization via NTP is enabled, but status reflects it is not synchronized"
fi
fi
#
@ -234,7 +243,7 @@
#
# Test : TIME-3112
# Description : Check for valid associations from ntpq peers list
if [ ${NTPD_RUNNING} -eq 1 -a ! -z "${NTPQBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
if [ ${NTPD_RUNNING} -eq 1 -a -n "${NTPQBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no TIME-3112 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check active NTP associations ID's"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking for NTP association ID's from ntpq peers list"
@ -244,7 +253,7 @@
LogText "Result: Found one or more association ID's"
else
Display --indent 2 --text "- Checking valid association ID's" --result "${STATUS_WARNING}" --color RED
ReportSuggestion ${TEST_NO} "Check ntp.conf for properly configured NTP servers and a correctly functioning name service."
ReportSuggestion "${TEST_NO}" "Check ntp.conf for properly configured NTP servers and a correctly functioning name service."
fi
fi
#
@ -252,7 +261,7 @@
#
# Test : TIME-3116
# Description : Check for stratum 16 peers
if [ ${NTPD_RUNNING} -eq 1 -a ! -z "${NTPQBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
if [ ${NTPD_RUNNING} -eq 1 -a -n "${NTPQBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no TIME-3116 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check peers with stratum value of 16"
if [ ${SKIPTEST} -eq 0 ]; then
COUNT=0
@ -279,7 +288,7 @@
else
Display --indent 2 --text "- Checking high stratum ntp peers" --result "${STATUS_WARNING}" --color RED
LogText "Result: Found ${COUNT} high stratum (16) peers)"
ReportSuggestion ${TEST_NO} "Check ntpq peers output for stratum 16 peers"
ReportSuggestion "${TEST_NO}" "Check ntpq peers output for stratum 16 peers"
fi
fi
fi
@ -290,7 +299,7 @@
# Description : Check unreliable peers from peer list
# Notes : Items with # are too far away (network distance)
# Items with - are not chosen due clustering algorithm
if [ ${NTPD_RUNNING} -eq 1 -a ! -z "${NTPQBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
if [ ${NTPD_RUNNING} -eq 1 -a -n "${NTPQBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no TIME-3120 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check unreliable NTP peers"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking unreliable ntp peers"
@ -305,7 +314,7 @@
LogText "Unreliable peer: ${I}"
Report "ntp_unreliable_peer[]=${I}"
done
ReportSuggestion ${TEST_NO} "Check ntpq peers output for unreliable ntp peers and correct/replace them"
ReportSuggestion "${TEST_NO}" "Check ntpq peers output for unreliable ntp peers and correct/replace them"
fi
fi
#
@ -313,13 +322,13 @@
#
# Test : TIME-3124
# Description : Check selected time source
if [ ${NTPD_RUNNING} -eq 1 -a ! -z "${NTPQBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
if [ ${NTPD_RUNNING} -eq 1 -a -n "${NTPQBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no TIME-3124 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check selected time source"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking selected time source"
FIND=$(${NTPQBINARY} -p -n | ${GREPBINARY} '^*' | ${AWKBINARY} '{ if ($4=="l") { print $1 } }')
FIND2=$(${NTPQBINARY} -p -n | ${GREPBINARY} '^*' | ${AWKBINARY} '{ print $1 }')
if [ -z "${FIND}" -a ! -z "${FIND2}" ]; then
if [ -z "${FIND}" -a -n "${FIND2}" ]; then
Display --indent 2 --text "- Checking selected time source" --result "${STATUS_OK}" --color GREEN
FIND2=$(echo ${FIND2} | ${SEDBINARY} 's/*//g')
LogText "Result: Found selected time source (value: ${FIND2})"
@ -327,7 +336,7 @@
Display --indent 2 --text "- Checking selected time source" --result "${STATUS_WARNING}" --color RED
LogText "Result: Found local source as selected time source. This could indicate that no external sources are available to sync with."
LogText "Local source: ${FIND}"
ReportSuggestion ${TEST_NO} "Check ntpq peers output for selected time source"
ReportSuggestion "${TEST_NO}" "Check ntpq peers output for selected time source"
fi
fi
#
@ -335,7 +344,7 @@
#
# Test : TIME-3128
# Description : Check time source candidates
if [ ${NTPD_RUNNING} -eq 1 -a ! -z "${NTPQBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
if [ ${NTPD_RUNNING} -eq 1 -a -n "${NTPQBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no TIME-3128 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check preferred time source"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking preferred time source"
@ -343,7 +352,7 @@
if [ -z "${FIND}" ]; then
Display --indent 2 --text "- Checking time source candidates" --result "${STATUS_NONE}" --color YELLOW
LogText "Result: No other time source candidates found"
ReportSuggestion ${TEST_NO} "Check ntpq peers output for time source candidates"
ReportSuggestion "${TEST_NO}" "Check ntpq peers output for time source candidates"
else
Display --indent 2 --text "- Checking time source candidates" --result "${STATUS_OK}" --color GREEN
LogText "Result: Found one or more candidates to synchronize time with."
@ -358,7 +367,7 @@
#
# Test : TIME-3132
# Description : Check ntpq falsetickers
if [ ${NTPD_RUNNING} -eq 1 -a ! -z "${NTPQBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
if [ ${NTPD_RUNNING} -eq 1 -a -n "${NTPQBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no TIME-3132 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check NTP falsetickers"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking preferred time source"
@ -374,7 +383,7 @@
LogText "Falseticker found: ${I}"
Report "ntp_falseticker[]=${I}"
done
ReportSuggestion ${TEST_NO} "Check ntpq peers output for falsetickers"
ReportSuggestion "${TEST_NO}" "Check ntpq peers output for falsetickers"
fi
fi
#
@ -382,7 +391,7 @@
#
# Test : TIME-3136
# Description : Check ntpq reported ntp version (Linux)
if [ ${NTPD_RUNNING} -eq 1 -a ! -z "${NTPQBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
if [ ${NTPD_RUNNING} -eq 1 -a -n "${NTPQBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no TIME-3136 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check NTP protocol version"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking NTP protocol version (ntpq -c ntpversion)"
@ -390,7 +399,7 @@
if [ -z "${FIND}" ]; then
Display --indent 2 --text "- Checking NTP version" --result "${STATUS_UNKNOWN}" --color YELLOW
LogText "Result: No NTP version found"
ReportSuggestion ${TEST_NO} "Check ntpq output for NTP protocol version"
ReportSuggestion "${TEST_NO}" "Check ntpq output for NTP protocol version"
else
Display --indent 2 --text "- Checking NTP version" --result "${STATUS_FOUND}" --color GREEN
LogText "Result: Found NTP version ${FIND}"
@ -403,7 +412,7 @@
# Test : TIME-3146
# Description : Check /etc/default/ntpdate (Linux)
# Notes : ntpdate-debian binary
#if [ ${NTPD_RUNNING} -eq 1 -a ! -z "${NTPQBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
#if [ ${NTPD_RUNNING} -eq 1 -a -n "${NTPQBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
#Register --test-no TIME-3146 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check /etc/default/ntpdate"
#if [ ${SKIPTEST} -eq 0 ]; then
#
@ -428,7 +437,7 @@
# Description : Check empty NTP step-tickers
# Notes : Mostly applies to Red Hat and clones
FILE="${ROOTDIR}etc/ntp/step-tickers"
if [ "${NTPD_RUNNING}" -eq 1 -a ! -z "${NTPQBINARY}" -a -f "${FILE}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
if [ "${NTPD_RUNNING}" -eq 1 -a -n "${NTPQBINARY}" -a -f "${FILE}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no TIME-3160 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check empty NTP step-tickers"
if [ ${SKIPTEST} -eq 0 ]; then
FOUND=0
@ -441,7 +450,7 @@
else
LogText "Result: ${FILE} is empty. The step-tickers contain no configured NTP servers"
Display --indent 2 --text "- Checking NTP step-tickers file" --result "EMPTY FILE" --color YELLOW
ReportSuggestion ${TEST_NO} "Use step-tickers file for quicker time synchronization"
ReportSuggestion "${TEST_NO}" "Use step-tickers file for quicker time synchronization"
fi
else
LogText "Result: ${FILE} is not empty, which is fine"
@ -458,7 +467,7 @@
done
if [ ${FOUND} -eq 1 ]; then
Display --indent 4 --text "- Checking step-tickers ntp servers entries" --result "SOME MISSING" --color YELLOW
ReportSuggestion ${TEST_NO} "Some time servers missing in step-tickers file"
ReportSuggestion "${TEST_NO}" "Some time servers missing in step-tickers file"
AddHP 3 4
else
Display --indent 4 --text "- Checking step-tickers ntp servers entries" --result "${STATUS_OK}" --color GREEN
@ -479,7 +488,8 @@
# Other should preferably have no access, or read-only at max
FILE_ARRAY="${ROOTDIR}etc/chrony.conf ${ROOTDIR}usr/pkg/etc/chrony.conf \
${ROOTDIR}etc/inet/ntp.conf ${ROOTDIR}etc/ntp.conf ${ROOTDIR}usr/local/etc/ntp.conf"
${ROOTDIR}etc/inet/ntp.conf ${ROOTDIR}etc/ntp.conf ${ROOTDIR}usr/local/etc/ntp.conf\
${ROOTDIR}etc/ntpd.conf ${ROOTDIR}etc/openntpd/ntpd.conf ${ROOTDIR}usr/local/etc/ntpd.conf"
Register --test-no TIME-3170 --weight L --network NO --category security --description "Check configuration files"
if [ ${SKIPTEST} -eq 0 ]; then
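Review bot: the continuation `${ROOTDIR}usr/local/etc/ntp.conf\` has no space before the backslash, unlike `chrony.conf \` on the line above; inside a double-quoted string the backslash-newline pair is removed outright, so the separation between `usr/local/etc/ntp.conf` and `${ROOTDIR}etc/ntpd.conf` depends solely on the indentation of the following line. Add a space before the `\` so a later re-indent cannot silently fuse the two paths into one.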
@ -490,12 +500,104 @@
ReportWarning "${TEST_NO}" "Found world writable configuration file" "${FILE}" ""
fi
Report "ntp_config_file[]=${FILE}"
NTP_CONFIG_FOUND=1
fi
done
fi
#
#################################################################################
#
# Test : TIME-3180
# Description : Report if ntpctl cannot communicate with OpenNTPD
if [ "${NTP_DAEMON_RUNNING}" -eq 1 ] && [ -n "${NTPCTLBINARY}" ] && [ "${NTP_DAEMON}" = "openntpd" ]; then
PREQS_MET="YES"
else
PREQS_MET="NO"
fi
Register --test-no TIME-3180 --preqs-met "${PREQS_MET}" --weight L --network NO --category security --description "Report if ntpctl cannot communicate with OpenNTPD"
if [ ${SKIPTEST} -eq 0 ]; then
if [ "${OPENNTPD_COMMUNICATION}" -eq 0 ]; then
ReportWarning "${TEST_NO}" "OpenNTPD found, but ntpctl cannot communicate with" "${NTPCTLBINARY} -s status" "Restart OpenNTPD"
fi
fi
#
#################################################################################
#
# Test : TIME-3181
# Description : Check status of OpenNTPD time synchronisation
if [ "${NTP_DAEMON_RUNNING}" -eq 1 ] && [ -n "${NTPCTLBINARY}" ] && [ "${NTP_DAEMON}" = "openntpd" ] && [ "${OPENNTPD_COMMUNICATION}" -eq 1 ]; then
PREQS_MET="YES"
else
PREQS_MET="NO"
fi
Register --test-no TIME-3181 --preqs-met "${PREQS_MET}" --weight L --network NO --category security --description "Check status of OpenNTPD time synchronisation"
if [ ${SKIPTEST} -eq 0 ]; then
FIND=$(${NTPCTLBINARY} -s status | ${GREPBINARY} "clock synced" )
if [ -z "${FIND}" ]; then
ReportWarning "${TEST_NO}" "OpenNTPD is not synchronising system time" "${NTPCTLBINARY} -s status" "text:Set time manually once or check network connectivity."
fi
fi
#
#################################################################################
#
# Test : TIME-3182
# Description : Check OpenNTPD has working peers
if [ "${NTP_DAEMON_RUNNING}" -eq 1 ] && [ -n "${NTPCTLBINARY}" ] && [ "${NTP_DAEMON}" = "openntpd" ] && [ "${OPENNTPD_COMMUNICATION}" -eq 1 ]; then
PREQS_MET="YES"
else
PREQS_MET="NO"
fi
Register --test-no TIME-3182 --preqs-met "${PREQS_MET}" --weight L --network NO --category security --description "Check OpenNTPD has working peers"
if [ ${SKIPTEST} -eq 0 ]; then
# Format is "xx/yy peers valid, ..."
FIND=$(${NTPCTLBINARY} -s status | ${EGREPBINARY} -o '[0-9]+/[0-9]+' | ${CUTBINARY} -d '/' -f 1)
if [ -z "${FIND}" ] || [ "${FIND}" -eq 0 ]; then
ReportWarning "${TEST_NO}" "OpenNTPD has no peers" "${NTPCTLBINARY} -s status"
fi
fi
#
#################################################################################
#
# Test : TIME-3185
# Description : Check systemd-timesyncd synchronized time
if [ "${NTP_DAEMON}" = "systemd-timesyncd" ]; then
PREQS_MET="YES"
else
PREQS_MET="NO"
fi
Register --test-no TIME-3185 --preqs-met "${PREQS_MET}" --weight L --network NO --category "security" --description "Check systemd-timesyncd synchronized time"
SYNCHRONIZED_FILE="/run/systemd/timesync/synchronized"
if [ ${SKIPTEST} -eq 0 ]; then
if [ -e "${SYNCHRONIZED_FILE}" ]; then
FIND=$(( $(date +%s) - $(${STATBINARY} -L --format %Y "${SYNCHRONIZED_FILE}") ))
# Check if last sync was more than 2048 seconds (= the default of systemd) ago
if [ "${FIND}" -ge 2048 ]; then
COLOR=RED
ReportWarning "${TEST_NO}" "systemd-timesyncd did not synchronized the time recently."
else
COLOR=GREEN
fi
Display --indent 2 --text "- Last time synchronization" --result "${FIND}s" --color "${COLOR}"
LogText "Result: systemd-timesyncd synchronized time ${FIND} seconds ago."
else
Display --indent 2 --text "- Last time synchronization" --result "${STATUS_NOT_FOUND}" --color RED
ReportWarning "${TEST_NO}" "systemd-timesyncd never successfully synchronized time"
fi
fi
unset SYNCHRONIZED_FILE
#
#################################################################################
#
Report "ntp_config_found=${NTP_CONFIG_FOUND}"
Report "ntp_config_type_daemon=${NTP_CONFIG_TYPE_DAEMON}"
Report "ntp_config_type_eventbased=${NTP_CONFIG_TYPE_EVENTBASED}"
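Review bot: in TIME-3185, `ReportWarning "${TEST_NO}" "systemd-timesyncd did not synchronized the time recently."` should read "did not synchronize", and `SYNCHRONIZED_FILE="/run/systemd/timesync/synchronized"` is the only path in this block without the `${ROOTDIR}` prefix that TIME-3160 and TIME-3170 use; `${STATBINARY} -L --format %Y` is GNU syntax, acceptable since the file is systemd-specific, but worth a comment. In TIME-3182, `${EGREPBINARY} -o '[0-9]+/[0-9]+' | ${CUTBINARY} -d '/' -f 1` emits one line per match, and a multi-line `${FIND}` makes `[ "${FIND}" -eq 0 ]` fail with an integer-expression error; pipe through `${HEADBINARY} -1` or anchor the pattern on "peers valid" to be safe.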

@ -6,7 +6,7 @@
# ------------------
#
# Copyright 2007-2013, Michael Boelen
# Copyright 2007-2019, CISOfy
# Copyright 2007-2020, CISOfy
#
# Website : https://cisofy.com
# Blog : http://linux-audit.com
@ -54,7 +54,7 @@
# Ansible
FOUND=0
LIST="~/.ansible ${ROOTDIR}etc/ansible ${ROOTDIR}root/.ansible ${ROOTDIR}tmp/.ansible"
LIST="${HOME}/.ansible ${ROOTDIR}etc/ansible ${ROOTDIR}root/.ansible ${ROOTDIR}tmp/.ansible"
for ITEM in ${LIST}; do if DirectoryExists ${ITEM}; then FOUND=1; break; fi; done
# Test for files (only if no match was found)
if [ ${FOUND} -eq 0 ]; then
@ -71,7 +71,7 @@
fi
# Cfengine
if [ ! -z "${CFAGENTBINARY}" ]; then
if [ -n "${CFAGENTBINARY}" ]; then
LogText "Result: CFEngine (cfagent) is installed (${CFAGENTBINARY})"
AUTOMATION_TOOL_FOUND=1
CFENGINE_AGENT_FOUND=1
@ -129,7 +129,7 @@
fi
fi
if [ ! -z "${PUPPETBINARY}" ]; then
if [ -n "${PUPPETBINARY}" ]; then
LogText "Result: Puppet is installed (${PUPPETBINARY})"
AUTOMATION_TOOL_FOUND=1
Report "automation_tool_running[]=puppet-agent"
@ -145,26 +145,36 @@
fi
# SaltStack
if [ ! -z "${SALTMINIONBINARY}" ]; then
if [ -n "${SALTMINIONBINARY}" ]; then
Display --indent 4 --text "- SaltStack minion" --result "${STATUS_FOUND}" --color GREEN
LogText "Result: SaltStack (salt-minion) is installed (${SALTMINIONBINARY})"
AUTOMATION_TOOL_FOUND=1
SALT_MINION_RUNNING=1
Report "automation_tool_running[]=saltstack-minion"
Display --indent 4 --text "- SaltStack minion (salt-minion)" --result "${STATUS_FOUND}" --color GREEN
Report "automation_tool_installed[]=saltstack-minion"
if IsRunning "salt-minion" --user "root salt"; then
Display --indent 6 --text "- Minion process" --result "${STATUS_RUNNING}" --color GREEN
LogText "Result: found SaltStack (master)"
SALT_MINION_RUNNING=1
Report "automation_tool_running[]=saltstack-minion"
else
Display --indent 6 --text "- Minion process" --result "${STATUS_NOT_RUNNING}" --color YELLOW
fi
fi
if [ ! -z "${SALTMASTERBINARY}" ]; then
if [ -n "${SALTMASTERBINARY}" ]; then
Display --indent 4 --text "- SaltStack master (salt-master)" --result "${STATUS_FOUND}" --color GREEN
LogText "Result: SaltStack (salt-master) is installed (${SALTMASTERBINARY})"
AUTOMATION_TOOL_FOUND=1
SALT_MASTER_RUNNING=1
Report "automation_tool_running[]=saltstack-minion"
Display --indent 4 --text "- SaltStack master (salt-master)" --result "${STATUS_FOUND}" --color GREEN
else
if IsRunning "salt-master"; then
Report "automation_tool_installed[]=saltstack-master"
if IsRunning "salt-master" --user "root salt"; then
Display --indent 6 --text "- Master process" --result "${STATUS_RUNNING}" --color GREEN
LogText "Result: found SaltStack (master)"
AUTOMATION_TOOL_FOUND=1
SALT_MASTER_RUNNING=1
Report "automation_tool_running[]=saltstack-master"
Display --indent 4 --text "- SaltStack (master)" --result "${STATUS_FOUND}" --color GREEN
else
Display --indent 6 --text "- Master process" --result "${STATUS_NOT_RUNNING}" --color YELLOW
fi
fi
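Review bot: copy-paste error in the minion branch: `LogText "Result: found SaltStack (master)"` is written when `IsRunning "salt-minion" --user "root salt"` succeeds, so the log misreports a minion as a master; it should say "(minion)". The master block also loses its previous fallback (`else` / `if IsRunning "salt-master"`), so a running salt-master whose binary was not located is no longer counted as an automation tool; that is fine if intended, but it is a behaviour change worth documenting.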
@ -172,7 +182,7 @@
Display --indent 2 --text "- Automation tooling" --result "${STATUS_FOUND}" --color GREEN
else
Display --indent 2 --text "- Automation tooling" --result "${STATUS_NOT_FOUND}" --color YELLOW
ReportSuggestion ${TEST_NO} "Determine if automation tools are present for system management"
ReportSuggestion "${TEST_NO}" "Determine if automation tools are present for system management"
fi
fi
#
@ -188,7 +198,7 @@
if [ ${SKIPTEST} -eq 0 ]; then
# Fail2ban presence
if [ ! -z "${FAIL2BANBINARY}" ]; then
if [ -n "${FAIL2BANBINARY}" ]; then
FAIL2BAN_FOUND=1
IDS_IPS_TOOL_FOUND=1
LogText "Result: Fail2ban is installed (${FAIL2BANBINARY})"
@ -209,10 +219,10 @@
fi
# Continue if tooling is available and configuration file found
if [ ${FAIL2BAN_FOUND} -eq 1 -a ! -z "${FAIL2BAN_CONFIG}" ]; then
if [ ${FAIL2BAN_FOUND} -eq 1 -a -n "${FAIL2BAN_CONFIG}" ]; then
Report "fail2ban_config=${FAIL2BAN_CONFIG}"
FAIL2BANCLIENT=$(which fail2ban-client 2> /dev/null | grep -v "no [^ ]* in ")
if [ ! -z "${FAIL2BANCLIENT}" ]; then PERFORM_FAIL2BAN_TESTS=1; fi
if [ -n "${FAIL2BANCLIENT}" ]; then PERFORM_FAIL2BAN_TESTS=1; fi
fi
fi
#
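Review bot: while touching this block, `FAIL2BANCLIENT=$(which fail2ban-client 2> /dev/null | grep -v "no [^ ]* in ")` still calls bare `which` and `grep` rather than `${GREPBINARY}` and the `${FAIL2BANBINARY}`-style binary discovery used on the surrounding lines; aligning it removes a dependency on whichever `which` and `grep` happen to be first in PATH.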
@ -224,7 +234,7 @@
Register --test-no TOOL-5104 --weight L --network NO --preqs-met ${PREQS_MET} --category security --description "Enabled tests in Fail2ban"
if [ ${SKIPTEST} -eq 0 ]; then
FIND=$(${FAIL2BANCLIENT} -d | ${TRBINARY} -d '[]' | ${TRBINARY} -d "'" | ${AWKBINARY} -F, '{ if ($1=="add") { print $2 }}' | ${TRBINARY} -d ' ')
if [ ! -z "${FIND}" ]; then
if [ -n "${FIND}" ]; then
for F2BSERVICE in ${FIND}; do
LogText "Result: service '${F2BSERVICE}' enabled"
Report "fail2ban_enabled_service[]=${F2BSERVICE}"
@ -252,12 +262,12 @@
# FIND=$(${EGREPBINARY} "^action = \%\(action_m.*\)s" ${FAIL2BAN_CONFIG})
# FIND2=$(${EGREPBINARY} "^action = \%\(action_\)s" ${FAIL2BAN_CONFIG})
#
# if [ ! -z "${FIND}" ]; then
# if [ -n "${FIND}" ]; then
# FAIL2BAN_EMAIL=1
# LogText "Result: found at least one jail which sends an email alert"
# fi
#
# if [ ! -z "${FIND2}" ]; then
# if [ -n "${FIND2}" ]; then
# FAIL2BAN_SILENT=1
# LogText "Result: found at least one jail which does NOT send an email alert"
# fi
@ -298,9 +308,9 @@
#
# LogText "Checking for fail2ban iptables chains"
#
# if [ ! -z "${IPTABLESBINARY}" ]; then
# if [ -n "${IPTABLESBINARY}" ]; then
# CHECK_CHAINS=$(${IPTABLESBINARY} -L 2>&1 | ${GREPBINARY} fail2ban)
# if [ ! -z "${CHECK_CHAINS}" ]; then
# if [ -n "${CHECK_CHAINS}" ]; then
# LogText "Result: found at least one iptables chain for fail2ban"
# Display --indent 4 --text "- Checking for Fail2ban iptables chain" --result "${STATUS_OK}" --color GREEN
# else
@ -349,7 +359,7 @@
if [ ${SKIPTEST} -eq 0 ]; then
# Continue if tooling is available and snort is running
if [ -n ${SNORT_FOUND} ] || [ -n ${SNORT_RUNNING} ]; then
if [ -n "${SNORT_FOUND}" ] || [ -n "${SNORT_RUNNING}" ]; then
if [ ${SNORT_FOUND} -eq 1 ] && [ ${SNORT_RUNNING} -eq 1 ]; then
SNORT_CONFIG=$(${PSBINARY} | ${AWKBINARY} -F-.. '/snort/ {print $3}' | ${HEADBINARY} -1)
if HasData "${SNORT_CONFIG}"; then
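Review bot: quoting `-n "${SNORT_FOUND}"` fixes the always-true `[ -n ]` of the old line, but the outer condition remains a no-op once these variables are initialised (e.g. to 0), because `-n` only tests for a non-empty string; the real decision is made by the inner `[ ${SNORT_FOUND} -eq 1 ] && [ ${SNORT_RUNNING} -eq 1 ]`, so the outer `if` can be dropped or turned into the same numeric test.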
@ -365,17 +375,29 @@
#
# Test : TOOL-5160
# Description : Check for OSSEC
Register --test-no TOOL-5126 --weight L --network NO --category security --description "Check for active OSSEC analysis daemon"
Register --test-no TOOL-5126 --weight L --network NO --category security --description "Check for active OSSEC daemon"
if [ ${SKIPTEST} -eq 0 ]; then
# Server side
if IsRunning "ossec-analysisd"; then
IDS_IPS_TOOL_FOUND=1
LogText "Result: OSSEC analysis daemon is active"
Report "ids_ips_tooling[]=ossec"
Display --indent 2 --text "- Checking presence of OSSEC" --result "${STATUS_FOUND}" --color GREEN
Report "ids_ips_tooling[]=ossec-analysisd"
LogText "Result: OSSEC analysis daemon is active"
Display --indent 2 --text "- Checking presence of OSSEC (analysis)" --result "${STATUS_FOUND}" --color GREEN
else
LogText "Result: OSSEC analysis daemon not active"
fi
# Client side
if IsRunning "ossec-agentd"; then
IDS_IPS_TOOL_FOUND=1
Report "ids_ips_tooling[]=ossec"
Report "ids_ips_tooling[]=ossec-agentd"
LogText "Result: OSSEC agent daemon is active"
Display --indent 2 --text "- Checking presence of OSSEC (agent)" --result "${STATUS_FOUND}" --color GREEN
else
LogText "Result: OSSEC agent daemon not active"
fi
fi
#
#################################################################################
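Review bot: the header `# Test : TOOL-5160` does not match `Register --test-no TOOL-5126`; one of the two is wrong and should be corrected together with the description change. Also, `Report "ids_ips_tooling[]=ossec"` becomes `ossec-analysisd` and `ossec-agentd`, which changes a report value that consumers of the report file may filter on; worth documenting.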
@ -390,7 +412,7 @@
AddHP 2 2
else
Display --indent 2 --text "- Checking for IDS/IPS tooling" --result "${STATUS_NONE}" --color YELLOW
#ReportSuggestion ${TEST_NO} "Install and configure automated intrusion detection/prevention tools"
#ReportSuggestion "${TEST_NO}" "Install and configure automated intrusion detection/prevention tools"
AddHP 0 2
fi
fi

@ -39,24 +39,24 @@
#
# Test to determine if USBGuard is installed. If it is, we will limit
# suggestions from other tests.
if [ ! -z "${USBGUARDBINARY}" ]; then
if [ -n "${USBGUARDBINARY}" ]; then
USBGUARD_FOUND=1
fi
#
#################################################################################
#
# Test : STRG-1840 (future ID: USB-1200)
# Test : USB-1000 (was STRG-1840)
# Description : Check for disabled USB storage
Register --test-no STRG-1840 --os Linux --weight L --network NO --category security --description "Check if USB storage is disabled"
Register --test-no USB-1000 --os Linux --weight L --network NO --category security --description "Check if USB storage is disabled"
if [ ${SKIPTEST} -eq 0 ]; then
FOUND=0
LogText "Test: Checking USB storage driver in directory /etc/modprobe.d and configuration file /etc/modprobe.conf"
if [ -d /etc/modprobe.d ]; then
FIND=$(${LSBINARY} ${ROOTDIR}etc/modprobe.d/* 2> /dev/null)
if [ ! -z "${FIND}" ]; then
if [ -n "${FIND}" ]; then
FIND=$(${EGREPBINARY} -r "install usb[-_]storage /bin/(false|true)" ${ROOTDIR}etc/modprobe.d/* | ${GREPBINARY} -v "#")
FIND2=$(${EGREPBINARY} -r "^blacklist usb[-_]storage" ${ROOTDIR}etc/modprobe.d/*)
if [ ! -z "${FIND}" -o ! -z "${FIND2}" ]; then
if [ -n "${FIND}" -o -n "${FIND2}" ]; then
FOUND=1
LogText "Result: found usb-storage driver in disabled state (blacklisted)"
fi
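Review bot: `if [ -d /etc/modprobe.d ]` is still tested without `${ROOTDIR}` while `${LSBINARY} ${ROOTDIR}etc/modprobe.d/*` and `${EGREPBINARY} -r ... ${ROOTDIR}etc/modprobe.d/*` in the same hunk use it, so with a non-default ROOTDIR the whole branch is skipped even when the directory exists; change it to `[ -d ${ROOTDIR}etc/modprobe.d ]`. Renaming STRG-1840 to USB-1000 also invalidates any profile entry that skips the test by its old ID, which deserves a mention in the release notes.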
@ -66,7 +66,7 @@
fi
if [ -f ${ROOTDIR}etc/modprobe.conf ]; then
FIND=$(${EGREPBINARY} "install usb[-_]storage /bin/(false|true)" ${ROOTDIR}etc/modprobe.conf | ${GREPBINARY} "usb-storage" | ${GREPBINARY} -v "#")
if [ ! -z "${FIND}" ]; then
if [ -n "${FIND}" ]; then
FOUND=1
LogText "Result: found usb-storage driver in disabled state"
fi
@ -75,7 +75,7 @@
LogText "Result: usb-storage driver is not explicitly disabled"
Display --indent 2 --text "- Checking usb-storage driver (modprobe config)" --result "NOT DISABLED" --color WHITE
if [ "${USBGUARD_FOUND}" -eq "0" ]; then
ReportSuggestion ${TEST_NO} "Disable drivers like USB storage when not used, to prevent unauthorized storage or data theft"
ReportSuggestion "${TEST_NO}" "Disable drivers like USB storage when not used, to prevent unauthorized storage or data theft"
fi
AddHP 2 3
else
@ -87,46 +87,56 @@
#
#################################################################################
#
# Test : STRG-1842 (future ID: USB-2000)
# Test : USB-2000 (was STRG-1842)
# Description : Check USB authorizations
Register --test-no STRG-1842 --os Linux --weight L --network NO --category security --description "Check USB authorizations"
Register --test-no USB-2000 --os Linux --weight L --network NO --category security --description "Check USB authorizations"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking USB devices authorization to connect to the system"
FOUND=0
USBDEVICESPATH="/sys/bus/usb/devices/usb"
for device in "${USBDEVICESPATH}"*; do
if [ -e "${device}/authorized" ] || [ -e "${device}/authorized_default" ]; then
if [ $(cat "${device}/authorized_default") -eq 1 ]; then
FOUND=1
LogText "Test: ${device} is authorized by default"
Report "usb_authorized_default_device[]=${device}"
elif [ $(cat "${device}/authorized") -eq 1 ]; then
FOUND=1
LogText "Test: ${device} is authorized currently"
Report "usb_authorized_device[]=${device}"
fi
fi
done
USBDEVICESPATH="${ROOTDIR}sys/bus/usb/devices"
LogText "Test: checking presence of USB devices path (${USBDEVICESPATH})"
if [ -d "${USBDEVICESPATH}" ]; then
if [ ${FOUND} -eq 1 ]; then
LogText "Result: Some USB devices are authorized by default (or temporary) to connect to the system"
Display --indent 2 --text "- Checking USB devices authorization" --result "${STATUS_ENABLED}" --color YELLOW
# To-Be-Added: create documentation and enable the suggestion
#if [ ${USBGUARD_FOUND} -eq 0 ]; then
# ReportSuggestion ${TEST_NO} "Disable USB devices authorization, to prevent unauthorized storage or data theft"
#fi
AddHP 0 3
LogText "Test: Checking USB devices authorization to connect to the system"
for device in $(find ${USBDEVICESPATH} -name "usb*" -type l -print); do
if [ -e "${device}/authorized" -o -e "${device}/authorized_default" ]; then
if [ "$(cat "${device}/authorized_default")" = "1" ]; then
FOUND=1
LogText "Test: ${device} is authorized by default (authorized_default=1)"
Report "usb_authorized_default_device[]=${device}"
fi
if [ "$(cat "${device}/authorized")" = "1" ]; then
FOUND=1
LogText "Test: ${device} is authorized currently (authorized=1)"
Report "usb_authorized_device[]=${device}"
fi
else
LogText "Test: no authorized or authorized_default file, assuming ${device} is authorized by default"
Report "usb_authorized_default_device[]=${device}"
FOUND=1
fi
done
if [ ${FOUND} -eq 1 ]; then
LogText "Result: Some USB devices are authorized by default (or temporary) to connect to the system"
Display --indent 2 --text "- Checking USB devices authorization" --result "${STATUS_ENABLED}" --color YELLOW
# TODO: create documentation and enable the suggestion
#if [ ${USBGUARD_FOUND} -eq 0 ]; then
# ReportSuggestion "${TEST_NO}" "Disable USB devices authorization, to prevent unauthorized storage or data theft"
#fi
AddHP 0 3
else
LogText "Result: None USB devices are authorized by default (or temporary) to connect to the system"
Display --indent 2 --text "- Checking USB devices authorization" --result "${STATUS_DISABLED}" --color GREEN
AddHP 3 3
fi
else
LogText "Result: None USB devices are authorized by default (or temporary) to connect to the system"
Display --indent 2 --text "- Checking USB devices authorization" --result "${STATUS_DISABLED}" --color GREEN
AddHP 3 3
LogText "Result: devices path does not exist"
fi
fi
#
#################################################################################
#
# Test : USB-3000
# Description : Perform USBGuard check
Register --test-no USB-3000 --os Linux --weight L --network NO --category security --description "Check for presence of USBGuard"
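Review bot: the condition `[ -e "${device}/authorized" -o -e "${device}/authorized_default" ]` admits devices that have only one of the two files, but both `cat "${device}/authorized_default"` and `cat "${device}/authorized"` then run unconditionally, so a missing file prints a stray error on stderr and yields an empty comparison; test each file's existence before reading it, or add `2> /dev/null`. Also `$(find ${USBDEVICESPATH} -name "usb*" -type l -print)` leaves `${USBDEVICESPATH}` unquoted, unlike the `-d "${USBDEVICESPATH}"` check just above.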
@ -137,27 +147,27 @@
AddHP 1 1
LogText "Checking USBGuard configuration file"
if [ -f /etc/usbguard/usbguard-daemon.conf ]; then
USBGUARD_CONFIG="/etc/usbguard/usbguard-daemon.conf"
if [ -f ${ROOTDIR}etc/usbguard/usbguard-daemon.conf ]; then
USBGUARD_CONFIG="${ROOTDIR}etc/usbguard/usbguard-daemon.conf"
else
USBGUARD_CONFIG=""
fi
if [ ! -z "${USBGUARD_CONFIG}" ]; then
if [ -n "${USBGUARD_CONFIG}" ]; then
LogText "Result: USBGuard configuration found (${USBGUARD_CONFIG})"
Display --indent 4 --text "- Configuration" --result "${STATUS_FOUND}" --color GREEN
AddHP 1 1
LogText "Checking USBGuard restore controller device state (RestoreControllerDeviceState)"
USBGUARD_RESTORE_POLICY=$(${AWKBINARY} -F '=' -v OPT="RestoreControllerDeviceState" 'index($0, OPT) == 1 {print $2}' ${USBGUARD_CONFIG})
if [ ! -z "${USBGUARD_RESTORE_POLICY}" ]; then
if [ -n "${USBGUARD_RESTORE_POLICY}" ]; then
LogText "Result: RestoreControllerDeviceState = ${USBGUARD_RESTORE_POLICY}"
case "${USBGUARD_RESTORE_POLICY}" in
"true")
Display --indent 6 --text "- Restore controller device state" --result "${USBGUARD_RESTORE_POLICY}" --color YELLOW
LogText " Consider changing RestoreControllerDeviceState to \"false\""
# To-Be-Added: assign TEST_NO, create documentation, and enable the suggestion
# ReportSuggestion ${TEST_NO} "Consider hardening USBGuard configuration" "RestoreControllerDeviceState (${USBGUARD_RESTORE_POLICY} --> false)"
# TODO: assign TEST_NO, create documentation, and enable the suggestion
# ReportSuggestion "${TEST_NO}" "Consider hardening USBGuard configuration" "RestoreControllerDeviceState (${USBGUARD_RESTORE_POLICY} --> false)"
AddHP 0 1
;;
"false")
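Review bot: `USBGUARD_RESTORE_POLICY=$(${AWKBINARY} -F '=' -v OPT="RestoreControllerDeviceState" 'index($0, OPT) == 1 {print $2}' ${USBGUARD_CONFIG})` keeps whatever surrounds the value, so a line written as `RestoreControllerDeviceState = true` or with trailing whitespace yields ` true` and falls into the `*)` "Invalid" branch; strip whitespace (e.g. `gsub(/[[:space:]]/, "", $2)` in the awk program) before the `case`.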
@ -167,8 +177,8 @@
*)
LogText "Result: Invalid configuration for RestoreControllerDeviceState"
Display --indent 6 --text "- Restore controller device state" --result "Invalid" --color RED
# To-Be-Added: assign TEST_NO, create documentation, and enable the suggestion
# ReportSuggestion ${TEST_NO} "Fix USBGuard configuration" "RestoreControllerDeviceState invalid \"${USBGUARD_RESTORE_POLICY}\""
# TODO: assign TEST_NO, create documentation, and enable the suggestion
# ReportSuggestion "${TEST_NO}" "Fix USBGuard configuration" "RestoreControllerDeviceState invalid \"${USBGUARD_RESTORE_POLICY}\""
AddHP 0 1
;;
esac
@ -181,25 +191,25 @@
LogText "Checking USBGuard rule for controllers connected before daemon starts (PresentControllerPolicy)"
USBGUARD_CONTROLLER_POLICY=$(${AWKBINARY} -F '=' -v OPT="PresentControllerPolicy" 'index($0, OPT) == 1 {print $2}' ${USBGUARD_CONFIG})
if [ ! -z "${USBGUARD_CONTROLLER_POLICY}" ]; then
if [ -n "${USBGUARD_CONTROLLER_POLICY}" ]; then
LogText "Result: PresentControllerPolicy = ${USBGUARD_CONTROLLER_POLICY}"
case "${USBGUARD_CONTROLLER_POLICY}" in
"allow"|"keep")
"allow" | "keep")
Display --indent 6 --text "- Rule for controllers connected before daemon starts" --result "${USBGUARD_CONTROLLER_POLICY}" --color YELLOW
LogText " Consider changing PresentControllerPolicy to \"apply-policy\", \"block\" or \"reject\""
# To-Be-Added: assign TEST_NO, create documentation, and enable the suggestion
# ReportSuggestion ${TEST_NO} "Consider hardening USBGuard configuration" "PresentControllerPolicy (${USBGUARD_CONTROLLER_POLICY} --> (apply-policy|block|reject)"
# TODO: assign TEST_NO, create documentation, and enable the suggestion
# ReportSuggestion "${TEST_NO}" "Consider hardening USBGuard configuration" "PresentControllerPolicy (${USBGUARD_CONTROLLER_POLICY} --> (apply-policy|block|reject)"
AddHP 0 1
;;
"apply-policy"|"block"|"reject")
"apply-policy" | "block" | "reject")
Display --indent 6 --text "- Rule for controllers connected before daemon starts" --result "${USBGUARD_CONTROLLER_POLICY}" --color GREEN
AddHP 1 1
;;
*)
LogText "Result: Invalid configuration for PresentControllerPolicy"
Display --indent 6 --text "- Rule for controllers connected before daemon starts" --result "Invalid" --color RED
# To-Be-Added: assign TEST_NO, create documentation, and enable the suggestion
# ReportSuggestion ${TEST_NO} "Fix USBGuard configuration" "PresentControllerPolicy invalid \"${USBGUARD_CONTROLLER_POLICY}\""
# TODO: assign TEST_NO, create documentation, and enable the suggestion
# ReportSuggestion "${TEST_NO}" "Fix USBGuard configuration" "PresentControllerPolicy invalid \"${USBGUARD_CONTROLLER_POLICY}\""
AddHP 0 1
;;
esac
@ -211,25 +221,25 @@
LogText "Checking USBGuard rule for devices connected before daemon starts (PresentDevicePolicy)"
USBGUARD_DEVICE_POLICY=$(${AWKBINARY} -F '=' -v OPT="PresentDevicePolicy" 'index($0, OPT) == 1 {print $2}' ${USBGUARD_CONFIG})
if [ ! -z "${USBGUARD_DEVICE_POLICY}" ]; then
if [ -n "${USBGUARD_DEVICE_POLICY}" ]; then
LogText "Result: PresentDevicePolicy = ${USBGUARD_DEVICE_POLICY}"
case "${USBGUARD_DEVICE_POLICY}" in
"allow"|"keep")
"allow" | "keep")
Display --indent 6 --text "- Rule for devices connected before daemon starts" --result "${USBGUARD_DEVICE_POLICY}" --color YELLOW
LogText " Consider changing PresentDevicePolicy to \"apply-policy\", \"block\" or \"reject\""
# To-Be-Added: assign TEST_NO, create documentation, and enable the suggestion
# ReportSuggestion ${TEST_NO} "Consider hardening USBGuard configuration" "PresentDevicePolicy (${USBGUARD_DEVICE_POLICY} --> (apply-policy|block|reject)"
# TODO: assign TEST_NO, create documentation, and enable the suggestion
# ReportSuggestion "${TEST_NO}" "Consider hardening USBGuard configuration" "PresentDevicePolicy (${USBGUARD_DEVICE_POLICY} --> (apply-policy|block|reject)"
AddHP 0 1
;;
"apply-policy"|"block"|"reject")
"apply-policy" | "block" | "reject")
Display --indent 6 --text "- Rule for devices connected before daemon starts" --result "${USBGUARD_DEVICE_POLICY}" --color GREEN
AddHP 1 1
;;
*)
LogText "Result: Invalid configuration for PresentDevicePolicy"
Display --indent 6 --text "- Rule for devices connected before daemon starts" --result "Invalid" --color RED
# To-Be-Added: assign TEST_NO, create documentation, and enable the suggestion
# ReportSuggestion ${TEST_NO} "Fix USBGuard configuration" "PresentDevicePolicy invalid \"${USBGUARD_DEVICE_POLICY}\""
# TODO: assign TEST_NO, create documentation, and enable the suggestion
# ReportSuggestion "${TEST_NO}" "Fix USBGuard configuration" "PresentDevicePolicy invalid \"${USBGUARD_DEVICE_POLICY}\""
AddHP 0 1
;;
esac
@ -241,25 +251,25 @@
LogText "Checking USBGuard rule for devices inserted after daemon starts (InsertedDevicePolicy)"
USBGUARD_INSERTED_POLICY=$(${AWKBINARY} -F '=' -v OPT="InsertedDevicePolicy" 'index($0, OPT) == 1 {print $2}' ${USBGUARD_CONFIG})
if [ ! -z "${USBGUARD_INSERTED_POLICY}" ]; then
if [ -n "${USBGUARD_INSERTED_POLICY}" ]; then
LogText "Result: InsertedDevicePolicy = ${USBGUARD_INSERTED_POLICY}"
case "${USBGUARD_INSERTED_POLICY}" in
"allow"|"keep")
"allow" | "keep")
Display --indent 6 --text "- Rule for devices inserted after daemon starts" --result "${USBGUARD_INSERTED_POLICY}" --color YELLOW
LogText " Consider changing InsertedDevicePolicy to \"apply-policy\", \"block\" or \"reject\""
# To-Be-Added: assign TEST_NO, create documentation, and enable the suggestion
# ReportSuggestion ${TEST_NO} "Consider hardening USBGuard configuration" "InsertedDevicePolicy (${USBGUARD_INSERTED_POLICY} --> (apply-policy|block|reject)"
# TODO: assign TEST_NO, create documentation, and enable the suggestion
# ReportSuggestion "${TEST_NO}" "Consider hardening USBGuard configuration" "InsertedDevicePolicy (${USBGUARD_INSERTED_POLICY} --> (apply-policy|block|reject)"
AddHP 0 1
;;
"apply-policy"|"block"|"reject")
"apply-policy" | "block" | "reject")
Display --indent 6 --text "- Rule for devices inserted after daemon starts" --result "${USBGUARD_INSERTED_POLICY}" --color GREEN
AddHP 1 1
;;
*)
LogText "Result: Invalid configuration for InsertedDevicePolicy"
Display --indent 6 --text "- Rule for devices inserted after daemon starts" --result "Invalid" --color RED
# To-Be-Added: assign TEST_NO, create documentation, and enable the suggestion
# ReportSuggestion ${TEST_NO} "Fix USBGuard configuration" "InsertedDevicePolicy invalid \"${USBGUARD_INSERTED_POLICY}\""
# TODO: assign TEST_NO, create documentation, and enable the suggestion
# ReportSuggestion "${TEST_NO}" "Fix USBGuard configuration" "InsertedDevicePolicy invalid \"${USBGUARD_INSERTED_POLICY}\""
AddHP 0 1
;;
esac
@ -271,14 +281,14 @@
LogText "Checking USBGuard rule for devices not in RuleFile (ImplicitPolicyTarget)"
USBGUARD_DEFAULT_POLICY=$(${AWKBINARY} -F '=' -v OPT="ImplicitPolicyTarget" 'index($0, OPT) == 1 {print $2}' ${USBGUARD_CONFIG})
if [ ! -z "${USBGUARD_DEFAULT_POLICY}" ]; then
if [ -n "${USBGUARD_DEFAULT_POLICY}" ]; then
LogText "Result: ImplicitPolicyTarget = ${USBGUARD_DEFAULT_POLICY}"
case "${USBGUARD_DEFAULT_POLICY}" in
"allow")
Display --indent 6 --text "- Rule for devices not in RuleFile" --result "${USBGUARD_DEFAULT_POLICY}" --color YELLOW
LogText " Consider changing ImplicitPolicyTarget to \"block\" or \"reject\""
# To-Be-Added: assign TEST_NO, create documentation, and enable the suggestion
# ReportSuggestion ${TEST_NO} "Consider hardening USBGuard configuration" "ImplicitPolicyTarget (${USBGUARD_DEFAULT_POLICY} --> (block|reject)"
# TODO: assign TEST_NO, create documentation, and enable the suggestion
# ReportSuggestion "${TEST_NO}" "Consider hardening USBGuard configuration" "ImplicitPolicyTarget (${USBGUARD_DEFAULT_POLICY} --> (block|reject)"
AddHP 0 1
;;
"block"|"reject")
@ -288,8 +298,8 @@
*)
LogText "Result: Invalid configuration for ImplicitPolicyTarget"
Display --indent 6 --text "- Rule for devices not in RuleFile" --result "Invalid" --color RED
# To-Be-Added: assign TEST_NO, create documentation, and enable the suggestion
# ReportSuggestion ${TEST_NO} "Fix USBGuard configuration" "ImplicitPolicyTarget invalid \"${USBGUARD_DEFAULT_POLICY}\""
# TODO: assign TEST_NO, create documentation, and enable the suggestion
# ReportSuggestion "${TEST_NO}" "Fix USBGuard configuration" "ImplicitPolicyTarget invalid \"${USBGUARD_DEFAULT_POLICY}\""
AddHP 0 1
;;
esac
@ -301,7 +311,7 @@
LogText "Checking RuleFile"
USBGUARD_RULES=$(${AWKBINARY} -F '=' -v OPT="RuleFile" 'index($0, OPT) == 1 {print $2}' ${USBGUARD_CONFIG})
if [ ! -z "${USBGUARD_RULES}" ] && [ -f "${USBGUARD_RULES}" ]; then
if [ -n "${USBGUARD_RULES}" ] && [ -f "${USBGUARD_RULES}" ]; then
LogText "Result: RuleFile found (${USBGUARD_RULES})"
Display --indent 4 --text "- RuleFile" --result "${STATUS_FOUND}" --color GREEN
AddHP 1 1
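Review bot: the RuleFile existence test `[ -f "${USBGUARD_RULES}" ]` uses the path exactly as written in the config, i.e. relative to the live root, while the config itself is now read through `${ROOTDIR}`. When auditing a mounted root the rule file is looked up on the host instead; since `ROOTDIR` carries a trailing slash (`${ROOTDIR}etc/usbguard/...`), test `[ -f "${ROOTDIR}${USBGUARD_RULES#/}" ]` and log that resolved path so the two checks agree.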
@ -316,7 +326,7 @@
LogText "Result: RuleFile not found (\"man usbguard\" for instructions to install initial policies)"
Display --indent 4 --text "- RuleFile" --result "${STATUS_NOT_FOUND}" --color RED
# To-Be-Added: assign TEST_NO, create documentation, and enable the suggestion
#ReportSuggestion ${TEST_NO} "Install USBGuard RuleFile" "\"man usbguard\" for instructions to install initial policies"
#ReportSuggestion "${TEST_NO}" "Install USBGuard RuleFile" "\"man usbguard\" for instructions to install initial policies"
AddHP 0 1
fi
@ -324,14 +334,14 @@
Display --indent 4 --text "- Configuration" --result "${STATUS_NOT_FOUND}" --color WHITE
LogText "Result: Configuration not found"
# To-Be-Added: assign TEST_NO, create documentation, and enable the suggestion
#ReportSuggestion ${TEST_NO} "USBGuard configuration file not found, consider reinstalling"
#ReportSuggestion "${TEST_NO}" "USBGuard configuration file not found, consider reinstalling"
AddHP 0 7
fi
else
LogText "Result: USBGuard not found"
Display --indent 2 --text "- Checking USBGuard" --result "${STATUS_NOT_FOUND}" --color WHITE
# To-Be-Added: assign TEST_NO, create documentation, and enable the suggestion
#ReportSuggestion ${TEST_NO} "Install USBGuard to allow for fine-grained control of USB authorization"
#ReportSuggestion "${TEST_NO}" "Install USBGuard to allow for fine-grained control of USB authorization"
AddHP 0 8
fi


@ -6,7 +6,7 @@
# ------------------
#
# Copyright 2007-2013, Michael Boelen
# Copyright 2007-2019, CISOfy
# Copyright 2007-2020, CISOfy
#
# Website : https://cisofy.com
# Blog : http://linux-audit.com
@ -30,7 +30,6 @@
# # Description : Checking VMware
# Register --test-no VIRT-1920 --weight L --network NO --category security --description "Checking VMware guest status"
# if [ ${SKIPTEST} -eq 0 ]; then
# # Initialise
# VMWARE_GUEST=0
# Display --indent 2 --text "- Checking VMware guest status"
# # check memory driver file


@ -6,7 +6,7 @@
# ------------------
#
# Copyright 2007-2013, Michael Boelen
# Copyright 2007-2019, CISOfy
# Copyright 2007-2020, CISOfy
#
# Website : https://cisofy.com
# Blog : http://linux-audit.com
@ -113,9 +113,10 @@
Display --indent 6 --text "Info: Configuration file found (${APACHE_CONFIGFILE})"
LogText "Result: Configuration file found (${APACHE_CONFIGFILE})"
else
LogText "Result: File or directory ${APACHE_CONFIGFILE} does not exist"
LogText "Result: File or directory ${APACHE_TESTFILE} does not exist"
Display --indent 6 --text "[Notice] possible directory/file parts found, but still unsure what the real configuration file is. Skipping some Apache related tests"
ReportException "${TEST_NO}:1" "Found some unknown directory or file references in Apache configuration"
LogText "Note: if only the Apache binary package has been installed, then the configuration might be missing. Is the Apache package really needed?"
fi
fi
fi
@ -156,7 +157,7 @@
done
# Search Server aliases
for J in $(${GREPBINARY} "ServerAlias" ${I} | ${GREPBINARY} -v "^#" | ${SEDBINARY} "s/\s*ServerAlias //g" | ${SEDBINARY} "s/#.*//g"); do
if [ ! -z ${J} ]; then
if [ -n "${J}" ]; then
tVHOSTS="${tVHOSTS} ${J}"
cVHOSTS=$((cVHOSTS + 1))
fi
@ -169,7 +170,7 @@
# Log all virtual hosts we found
for J in ${tVHOSTS}; do
if [ ! -z ${J} ]; then
if [ -n "${J}" ]; then
LogText "Virtual host: ${J}"
#Report "apache_vhost_name[]=${J}"
fi
@ -185,10 +186,10 @@
fi
# Remove temp files
if [ -f ${TMPFILE} -a ! -z "${TMPFILE}" ]; then
if [ -f ${TMPFILE} -a -n "${TMPFILE}" ]; then
rm -f ${TMPFILE}
fi
if [ ! -z "${TMPFILE2}" ]; then if [ -f ${TMPFILE2} ]; then rm -f ${TMPFILE2}; fi; fi
if [ -n "${TMPFILE2}" ]; then if [ -f ${TMPFILE2} ]; then rm -f ${TMPFILE2}; fi; fi
#
#################################################################################
#
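Review bot: the order of tests in `[ -f ${TMPFILE} -a -n "${TMPFILE}" ]` evaluates `-f` on the unquoted variable before checking that it is set, so with an empty `TMPFILE` the expression collapses to `[ -f -a -n "" ]` and `test` parses it ambiguously. Reorder and quote, matching the `TMPFILE2` line just below: `if [ -n "${TMPFILE}" ] && [ -f "${TMPFILE}" ]; then rm -f "${TMPFILE}"; fi`.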
@ -250,14 +251,13 @@
Register --test-no HTTP-6640 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Determining existence of specific Apache modules"
if [ ${SKIPTEST} -eq 0 ]; then
# Check modules, module
CheckItem "apache_module" "/mod_evasive([0-9][0-9])?.so"
if [ ${ITEM_FOUND} -eq 1 ]; then
if CheckItem "apache_module" "/mod_evasive([0-9][0-9])?.so"; then
Display --indent 10 --text "mod_evasive: anti-DoS/brute force" --result "${STATUS_FOUND}" --color GREEN
AddHP 3 3
else
Display --indent 10 --text "mod_evasive: anti-DoS/brute force" --result "${STATUS_NOT_FOUND}" --color WHITE
AddHP 2 3
ReportSuggestion ${TEST_NO} "Install Apache mod_evasive to guard webserver against DoS/brute force attempts"
ReportSuggestion "${TEST_NO}" "Install Apache mod_evasive to guard webserver against DoS/brute force attempts"
fi
fi
#
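Review bot: `if CheckItem "apache_module" ...; then` now relies on the function's exit status instead of `ITEM_FOUND`, and the CheckItem definition is not part of this diff, so confirm it returns 0 only when an item matches and non-zero otherwise; the same applies to HTTP-6641 and HTTP-6643 below. While here, the unescaped `.` in `/mod_evasive([0-9][0-9])?.so` matches any character, so `\.so` is the stricter pattern for all three module checks.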
@ -270,14 +270,13 @@
Register --test-no HTTP-6641 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Determining existence of specific Apache modules"
if [ ${SKIPTEST} -eq 0 ]; then
# Check modules, module
CheckItem "apache_module" "/mod_(reqtimeout|qos).so"
if [ ${ITEM_FOUND} -eq 1 ]; then
if CheckItem "apache_module" "/mod_(reqtimeout|qos).so"; then
Display --indent 10 --text "mod_reqtimeout/mod_qos" --result "${STATUS_FOUND}" --color GREEN
AddHP 3 3
else
Display --indent 10 --text "mod_reqtimeout/mod_qos" --result "${STATUS_NOT_FOUND}" --color WHITE
AddHP 2 3
ReportSuggestion ${TEST_NO} "Install Apache mod_reqtimeout or mod_qos to guard webserver against Slowloris attacks"
ReportSuggestion "${TEST_NO}" "Install Apache mod_reqtimeout or mod_qos to guard webserver against Slowloris attacks"
fi
fi
#
@ -289,14 +288,13 @@
Register --test-no HTTP-6643 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Determining existence of specific Apache modules"
if [ ${SKIPTEST} -eq 0 ]; then
# Check modules, module
CheckItem "apache_module" "/mod_security2.so"
if [ ${ITEM_FOUND} -eq 1 ]; then
if CheckItem "apache_module" "/mod_security2.so"; then
Display --indent 10 --text "ModSecurity: web application firewall" --result "${STATUS_FOUND}" --color GREEN
AddHP 3 3
else
Display --indent 10 --text "ModSecurity: web application firewall" --result "${STATUS_NOT_FOUND}" --color WHITE
AddHP 2 3
ReportSuggestion ${TEST_NO} "Install Apache modsecurity to guard webserver against web application attacks"
ReportSuggestion "${TEST_NO}" "Install Apache modsecurity to guard webserver against web application attacks"
fi
fi
#
@ -353,7 +351,7 @@
# Test : HTTP-6706
# Description : Search for includes within nginx configuration file
# Notes : Daemon nginx should be running, nginx.conf should be found
if [ ${NGINX_RUNNING} -eq 1 -a ! -z "${NGINX_CONF_LOCATION}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
if [ ${NGINX_RUNNING} -eq 1 -a -n "${NGINX_CONF_LOCATION}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no HTTP-6706 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for additional nginx configuration files"
if [ ${SKIPTEST} -eq 0 ]; then
CreateTempFile || ExitFatal
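Review bot: `[ ${NGINX_RUNNING} -eq 1 -a -n "${NGINX_CONF_LOCATION}" ]` keeps the `-a` operator, which POSIX marks obsolescent and which `test` implementations parse differently; `[ ${NGINX_RUNNING} -eq 1 ] && [ -n "${NGINX_CONF_LOCATION}" ]` is portable. The same prerequisite line is repeated for HTTP-6708, HTTP-6710, HTTP-6712, HTTP-6714 and HTTP-6716, so it is worth changing in one pass.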
@ -404,7 +402,7 @@
# Test : HTTP-6708
# Description : Check discovered nginx configuration settings for further hardening
# Notes : Daemon of nginx should be running, nginx.conf should be found
if [ ${NGINX_RUNNING} -eq 1 -a ! -z "${NGINX_CONF_FILES}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
if [ ${NGINX_RUNNING} -eq 1 -a -n "${NGINX_CONF_FILES}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no HTTP-6708 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check discovered nginx configuration settings"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: start parsing all discovered nginx options"
@ -422,7 +420,7 @@
LogText "Result: this configuration file is skipped, as it contains usually no interesting details"
fi
done
if [ ! -z "${NGINX_CONF_FILES_ADDITIONS}" ]; then
if [ -n "${NGINX_CONF_FILES_ADDITIONS}" ]; then
for I in ${NGINX_CONF_FILES_ADDITIONS}; do
FILENAME=$(echo ${I} | ${AWKBINARY} -F/ '{print $NF}')
if [ ! "${FILENAME}" = "mime.types" ]; then
@ -444,7 +442,7 @@
# Test : HTTP-6710
# Description : Check SSL configuration of nginx
# Notes : Daemon of nginx should be running, nginx.conf should be found
if [ ${NGINX_RUNNING} -eq 1 -a ! -z "${NGINX_CONF_LOCATION}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
if [ ${NGINX_RUNNING} -eq 1 -a -n "${NGINX_CONF_LOCATION}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no HTTP-6710 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check nginx SSL configuration settings"
if [ ${SKIPTEST} -eq 0 ]; then
NGINX_SSL_SUGGESTION=0
@ -482,7 +480,7 @@
else
LogText "Result: No SSL configuration found"
Display --indent 6 --text "- SSL configured" --result "${STATUS_NO}" --color RED
ReportSuggestion ${TEST_NO} "Add HTTPS to nginx virtual hosts for enhanced protection of sensitive data and privacy"
ReportSuggestion "${TEST_NO}" "Add HTTPS to nginx virtual hosts for enhanced protection of sensitive data and privacy"
AddHP 1 5
fi
if [ ${NGINX_SSL_SUGGESTION} -eq 1 ]; then
@ -496,7 +494,7 @@
# Test : HTTP-6712
# Description : Check logging configuration of nginx
# Notes : Daemon of nginx should be running, nginx.conf should be found
if [ ${NGINX_RUNNING} -eq 1 -a ! -z "${NGINX_CONF_LOCATION}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
if [ ${NGINX_RUNNING} -eq 1 -a -n "${NGINX_CONF_LOCATION}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no HTTP-6712 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check nginx access logging"
if [ ${SKIPTEST} -eq 0 ]; then
NGINX_LOG_SUGGESTION=0
@ -522,7 +520,7 @@
fi
# Report suggestion
if [ ${NGINX_LOG_SUGGESTION} -eq 1 ]; then
ReportSuggestion ${TEST_NO} "Check your nginx access log for proper functioning"
ReportSuggestion "${TEST_NO}" "Check your nginx access log for proper functioning"
fi
fi
#
@ -530,7 +528,7 @@
#
# Test : HTTP-6714
# Description : Check missing error logs in nginx
if [ ${NGINX_RUNNING} -eq 1 -a ! -z "${NGINX_CONF_LOCATION}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
if [ ${NGINX_RUNNING} -eq 1 -a -n "${NGINX_CONF_LOCATION}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no HTTP-6714 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for missing error logs in nginx"
if [ ${SKIPTEST} -eq 0 ]; then
NGINX_LOG_SUGGESTION=0
@ -543,7 +541,7 @@
fi
# Report suggestion
if [ ${NGINX_LOG_SUGGESTION} -eq 1 ]; then
ReportSuggestion ${TEST_NO} "Check your nginx error_log statements"
ReportSuggestion "${TEST_NO}" "Check your nginx error_log statements"
fi
fi
#
@ -551,7 +549,7 @@
#
# Test : HTTP-6716
# Description : Check debug mode on error log in nginx
if [ ${NGINX_RUNNING} -eq 1 -a ! -z "${NGINX_CONF_LOCATION}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
if [ ${NGINX_RUNNING} -eq 1 -a -n "${NGINX_CONF_LOCATION}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no HTTP-6716 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for debug mode on error log in nginx"
if [ ${SKIPTEST} -eq 0 ]; then
NGINX_LOG_SUGGESTION=0
@ -568,7 +566,7 @@
fi
# Report suggestion
if [ ${NGINX_LOG_SUGGESTION} -eq 1 ]; then
ReportSuggestion ${TEST_NO} "Check your nginx error_log statements and disable debug mode"
ReportSuggestion "${TEST_NO}" "Check your nginx error_log statements and disable debug mode"
fi
fi
#
@ -602,14 +600,14 @@
LogText "Result: directory ${DIR} not found, skipping search in this directory."
fi
done
unset DIR; unset FILE; unset FIND
unset DIR FILE FIND
fi
#
#################################################################################
#
# Remove temp file (double check)
if [ ! -z "${TMPFILE}" ]; then if [ -f ${TMPFILE} ]; then rm -f ${TMPFILE}; fi; fi
if [ ! -z "${TMPFILE2}" ]; then if [ -f ${TMPFILE2} ]; then rm -f ${TMPFILE2}; fi; fi
if [ -n "${TMPFILE}" ]; then if [ -f ${TMPFILE} ]; then rm -f ${TMPFILE}; fi; fi
if [ -n "${TMPFILE2}" ]; then if [ -f ${TMPFILE2} ]; then rm -f ${TMPFILE2}; fi; fi
WaitForKeyPress
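Review bot: `[ -f ${TMPFILE} ]` and `rm -f ${TMPFILE}` in this cleanup still expand the variable unquoted, whereas the outer `-n` test now quotes it; quote consistently (`[ -f "${TMPFILE}" ] && rm -f "${TMPFILE}"`, likewise for `TMPFILE2`) so a path containing whitespace cannot turn into several arguments to `rm -f`.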


@ -6,7 +6,7 @@
# ------------------
#
# Copyright 2007-2013, Michael Boelen
# Copyright 2007-2019, CISOfy
# Copyright 2007-2020, CISOfy
#
# Website : https://cisofy.com
# Blog : http://linux-audit.com
@ -26,16 +26,41 @@
# Only show tips when enabled
if [ ${SHOW_TOOL_TIPS} -eq 1 ]; then
LogText "Tool tips: enabled"
# * Regular security auditing
#
# If package is installed, then suggest users to schedule the audit daily
# How: confirm presence of directory /etc/lynis and check cronjobs
# * Check for duplicate items between default and custom profile
#
# This can be done by marking an item if it overwrites the default profile
# with the same value.
#
# Rationale: default profile should contain have sensible default and
# custom profile allows customization for the user or system.
# Suggest usage of plugins if none are enabled
# Bash completion support
if [ ! "${ETC_PATHS}" = "" ]; then
for I in ${ETC_PATHS}; do
if [ -d ${I}/bash-completion.d ]; then
if [ ! -f ${ETC_PATHS}/bash_completion.d/lynis ]; then
Display "This system has a bash_completion directory. Copy extras/bash_completion.d/lynis to ${I} to get completion support for Lynis"
fi
fi
done
fi
#
# Detect if bash is used for active user
#if [ -n "${ETC_PATHS}" ]; then
# for I in ${ETC_PATHS}; do
# if [ -d ${I}/bash_completion.d ]; then
# if [ ! -f ${ETC_PATHS}/bash_completion.d/lynis ]; then
# Display "This system has a bash_completion directory. Copy extras/bash_completion.d/lynis to ${I} to get completion support for Lynis"
# fi
# fi
# done
#fi
else
LogText "Tool tips: enabled"
fi
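Review bot: the `else` branch logs `Tool tips: enabled` when `SHOW_TOOL_TIPS` is 0; it should read `Tool tips: disabled`. In the commented-out bash-completion block the inner test still uses `${ETC_PATHS}/bash_completion.d/lynis` instead of the loop variable `${I}`, so with more than one entry in `ETC_PATHS` it would test a nonsense path; change it to `${I}/bash_completion.d/lynis` (and quote the `-d`/`-f` operands) before the block is re-enabled.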

lynis

@ -24,26 +24,35 @@
#
# In Solaris /bin/sh is not POSIX, but /usr/xpg4/bin/sh is.
# Switch to /usr/xpg4/bin/sh if it exists and we are not already running it.
test "$_" != "/usr/xpg4/bin/sh" && test -f /usr/xpg4/bin/sh && exec /usr/xpg4/bin/sh "$0" "$@"
if [ "$(uname)" = "SunOS" ]; then
test "$_" != "/usr/xpg4/bin/sh" && test -f /usr/xpg4/bin/sh && exec /usr/xpg4/bin/sh "$0" "$@"
fi
#
#################################################################################
#
# Code quality: don't allow using undefined variables
# Notes: $_ may be empty on FreeBSD
set -o nounset
#
#################################################################################
#
# Program information
PROGRAM_NAME="Lynis"
PROGRAM_AUTHOR="CISOfy"
PROGRAM_AUTHOR_CONTACT="lynis-dev@cisofy.com"
PROGRAM_WEBSITE="https://cisofy.com/lynis/"
# Version details
PROGRAM_RELEASE_DATE="2019-02-26"
PROGRAM_RELEASE_TIMESTAMP=1548942179
PROGRAM_RELEASE_TYPE="dev" # dev or final
PROGRAM_VERSION="2.7.2"
PROGRAM_RELEASE_DATE="2020-10-05"
PROGRAM_RELEASE_TIMESTAMP=1601896929
PROGRAM_RELEASE_TYPE="release" # pre-release or release
PROGRAM_VERSION="3.0.1"
# Source, documentation and license
PROGRAM_SOURCE="https://github.com/CISOfy/lynis"
PROGRAM_WEBSITE="https://cisofy.com/lynis/"
PROGRAM_COPYRIGHT="2007-2019, ${PROGRAM_AUTHOR} - ${PROGRAM_WEBSITE}"
PROGRAM_PACKAGE="https://packages.cisofy.com/"
PROGRAM_DOCUMENTATION="https://cisofy.com/docs/"
PROGRAM_COPYRIGHT="2007-2020, ${PROGRAM_AUTHOR} - ${PROGRAM_WEBSITE}"
PROGRAM_LICENSE="${PROGRAM_NAME} comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
welcome to redistribute it under the terms of the GNU General Public License.
See the LICENSE file for details about using this software."
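Review bot: the comment `Notes: $_ may be empty on FreeBSD` refers to the `test "$_" != "/usr/xpg4/bin/sh"` line above, not to `set -o nounset`; move it next to the SunOS guard, which is the only place reading `$_`. Also, with nounset active from this point on, every optional environment variable referenced later in the script needs the `${VAR:-}` form; this diff does that for `LANG` (`DISPLAY_LANG="${LANG:-}"`) but the non-privileged log-file section still uses bare `$HOME`, which aborts the run when `HOME` is unset.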
@ -53,12 +62,6 @@
REPORT_version_major="1"; REPORT_version_minor="0"
REPORT_version="${REPORT_version_major}.${REPORT_version_minor}"
DISPLAY_LANG="${LANG}" # required by function Display to deal with multi-bytes characters.
# Code quality:
# Set strict checking for development version for first part of code. After
# initialization this is checked with strict profile option.
if [ ${PROGRAM_RELEASE_TYPE} = "dev" ]; then set -u; fi
#
#################################################################################
@ -67,57 +70,48 @@
#
#################################################################################
#
# Check setuid bit
if [ -u "$0" ]; then echo "The called binary has the set-user-id bit - As this is unusual, execution will be stopped."; exit 1; fi
# Work directory
WORKDIR=$(pwd)
# Test from which directories we can use all functions and tests
INCLUDEDIR="" # Set default include directory to none
USE_CWD=0
if case "$@" in *--usecwd*) true;; *) false;; esac; then
USE_CWD=1
INCLUDEDIR="./include"
else
INCLUDEDIR=""
tINCLUDE_TARGETS="/usr/local/include/lynis /usr/local/lynis/include /usr/share/lynis/include ./include" # Default paths to check (CWD as last option, in case we run from standalone)
for I in ${tINCLUDE_TARGETS}; do
if [ "${I}" = "./include" ]; then
if [ -d ${WORKDIR}/include ]; then INCLUDEDIR="${WORKDIR}/include"; fi
if [ -d "${WORKDIR}/include" ]; then INCLUDEDIR="${WORKDIR}/include"; fi
elif [ -d ${I} -a -z "${INCLUDEDIR}" ]; then
INCLUDEDIR=${I}
fi
done
fi
# Drop out if our include directory can't be found
if [ -z "${INCLUDEDIR}" ]; then
printf "%s" "
Fatal error: can't find include directory
Make sure to execute ${PROGRAM_NAME} from untarred directory or check your installation."
exit 1
fi
if [ -z "${INCLUDEDIR}" ]; then
printf "%s" "\nFatal error: can't find include directory\nMake sure to execute ${PROGRAM_NAME} from untarred directory or check your installation."
exit 1
fi
# Test for database directory
if [ ${USE_CWD} -eq 1 ]; then
DBDIR="./db"
else
DBDIR=""; tDB_TARGETS="/usr/local/share/lynis/db /usr/local/lynis/db /usr/share/lynis/db ./db"
for I in ${tDB_TARGETS}; do
if [ "${I}" = "./db" ]; then
if [ -d ${WORKDIR}/db ]; then DBDIR="${WORKDIR}/db"; fi
if [ -d "${WORKDIR}/db" ]; then DBDIR="${WORKDIR}/db"; fi
elif [ -d ${I} -a -z "${DBDIR}" ]; then
DBDIR="${I}"
fi
done
# Import translations. First import English to prefill all texts
if [ ! -f ${DBDIR}/languages/en ]; then
echo "Could not find languages directory (file: ${DBDIR}/languages/en)"
exit 1
else
. ${DBDIR}/languages/en
fi
# Auto detection of language based on locale (first two characters). Set to English when nothing found.
if [ -x "$(command -v locale 2> /dev/null)" ]; then
LANGUAGE=$(locale | egrep "^LANG=" | cut -d= -f2 | cut -d_ -f1 | egrep "^[a-z]{2}$")
fi
if [ -z "${LANGUAGE}" ]; then
#Debug "Result: no (valid) language found, setting to default language (en)"
LANGUAGE="en"
fi
#
#################################################################################
#
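Review bot: `printf "%s" "\nFatal error: can't find include directory\nMake sure ..."` prints the two `\n` sequences literally, because printf only interprets escapes in the format string, not in a `%s` argument; use `printf "\nFatal error: can't find include directory\nMake sure to execute %s from untarred directory or check your installation.\n" "${PROGRAM_NAME}"`. Separately, the search loop lets `./include` override an earlier match (`if [ -d "${WORKDIR}/include" ]; then INCLUDEDIR="${WORKDIR}/include"; fi` has no `-z "${INCLUDEDIR}"` guard), which contradicts the `CWD as last option` comment; the DBDIR loop has the same shape, so a system `include` could be paired with a working-copy `db` or vice versa. Either add the guard or change the comment to say the working copy takes precedence.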
@ -125,7 +119,7 @@ Make sure to execute ${PROGRAM_NAME} from untarred directory or check your insta
# Check user to determine file permissions later on. If we encounter Solaris, use related id binary instead
if [ -x /usr/xpg4/bin/id ]; then
MYID=$(/usr/xpg4/bin/id -u 2> /dev/null)
elif [ $(uname) = "SunOS" ]; then
elif [ "$(uname)" = "SunOS" ]; then
MYID=$(id | tr '=' ' ' | tr '(' ' ' | awk '{ print $2 }' 2> /dev/null)
else
MYID=$(id -u 2> /dev/null)
@ -134,13 +128,24 @@ Make sure to execute ${PROGRAM_NAME} from untarred directory or check your insta
#
#################################################################################
#
# Consts (bin paths, text strings, colors)
# Set basic values and test permissions of the files to include, such as:
# - consts: bin paths, text strings, colors
# - functions: function library
#
#################################################################################
#
# Determine if we are root (UID = 0)
if [ ${MYID} -eq 0 ]; then
PRIVILEGED=1
PENTESTINGMODE=0
else
PRIVILEGED=0
# Set to pentesting mode if scan is without root privileges
PENTESTINGMODE=1
fi
# Perform a basic check for permissions. After including functions, using SafePerms()
WARN_ON_FILE_ISSUES=1
WARN_ON_FILE_ISSUES_ASKED=0
IGNORE_FILE_PERMISSION_ISSUES=0
FILES_TO_CHECK="consts functions"
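Review bot: `[ ${MYID} -eq 0 ]` is evaluated with an unquoted `MYID` that is empty whenever the `id` probes above fail (their errors go to /dev/null); `test` then reports a syntax error, the `else` branch runs and the scan silently continues as non-privileged. Compare as a string, `[ "${MYID:-}" = "0" ]`, and treat an empty `MYID` as a fatal condition rather than as a pentest run.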
@ -192,12 +197,8 @@ Make sure to execute ${PROGRAM_NAME} from untarred directory or check your insta
printf "\n Option 2) Change ownership of the related files (or full directory).\n\n Commands (full directory):\n # cd ..\n # chown -R 0:0 lynis\n # cd lynis\n # ./lynis audit system"
fi
printf "\n\n[ Press ENTER to continue, or CTRL+C to cancel ]"
WARN_ON_FILE_ISSUES_ASKED=1
read DUMMY
fi
if [ ${WARN_ON_FILE_ISSUES_ASKED} -eq 1 ]; then
WARN_ON_FILE_ISSUES=0
IGNORE_FILE_PERMISSION_ISSUES=1
read -r void
fi
# Now include files if permissions are correct, or user decided to continue
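Review bot: dropping the `WARN_ON_FILE_ISSUES_ASKED`/`IGNORE_FILE_PERMISSION_ISSUES=1` bookkeeping after the prompt changes what pressing ENTER does: the comment below, `include files if permissions are correct, or user decided to continue`, implies the include step consults one of those flags, so confirm the continue path still works and the prompt has not become a no-op followed by a refusal. If `WARN_ON_FILE_ISSUES_ASKED=0` is still initialised earlier in this file it is now dead and can go. Note also that `read -r void` returns immediately when stdin is not a terminal (cron, CI), so the warning is effectively skipped there.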
@ -206,11 +207,54 @@ Make sure to execute ${PROGRAM_NAME} from untarred directory or check your insta
#
#################################################################################
#
# Language settings
#
#################################################################################
#
# Auto detection of language based on shell LANG variable. This is required by the Display() function to deal with multi-bytes characters.
DISPLAY_LANG="${LANG:-}"
# Extract the short notation of the language (first two characters).
if [ -x "$(command -v locale 2> /dev/null)" ]; then
LANGUAGE=$(locale | egrep "^LANG=" | cut -d= -f2 | cut -d_ -f1 | tr -d '"' | egrep "^[a-z]{2}$")
# Try locale command if shell variable had no value
if [ -z "${DISPLAY_LANG}" ]; then
DISPLAY_LANG=$(locale | egrep "^LANG=" | cut -d= -f2)
fi
else
LANGUAGE="en"
fi
# Set default language: 'en' (English) if no value is set
if [ -z "${LANGUAGE}" ]; then
LANGUAGE="en"
fi
# Import translations. First import English to prefill all texts
if [ -f ${DBDIR}/languages/en ]; then
if SafeFile "${DBDIR}/languages/en"; then
. ${DBDIR}/languages/en
else
ExitFatal "Incorrect ownership or permissions of language file (${DBDIR}/languages/en)"
fi
else
echo "Could not find languages directory (file: ${DBDIR}/languages/en)"
exit 1
fi
# Now that we have determined the language, we unset it from shell
# Some tools with translated strings are very hard to parse
unset LANG
#
#################################################################################
#
# Traps
#
#################################################################################
#
trap CleanUp INT
trap CleanUp INT TERM
trap Status USR1
# Use safe umask for the files we create
umask 027
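Review bot: the two failure paths in the language section are inconsistent: a missing `${DBDIR}/languages/en` uses `echo` plus `exit 1`, while bad ownership uses `ExitFatal`. Functions are already included at this point (`SafeFile` is being called), so use `ExitFatal "Could not find language file (${DBDIR}/languages/en)"` for both; it also runs the cleanup the new `INT TERM` trap relies on. Minor: `egrep` is deprecated in GNU grep in favour of `grep -E`, and the `DISPLAY_LANG=$(locale | egrep "^LANG=" | cut -d= -f2)` fallback keeps the quotes on platforms where `locale` quotes the value, unlike the `LANGUAGE` pipeline, which has `tr -d '"'`.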
@ -224,33 +268,25 @@ Make sure to execute ${PROGRAM_NAME} from untarred directory or check your insta
SafePerms ${INCLUDEDIR}/parameters
. ${INCLUDEDIR}/parameters
# Now determine if we are root (UID = 0)
if [ ${MYID} -eq 0 ]; then
PRIVILEGED=1
else
Debug "Starting Lynis non-privileged"
# Implied pentesting mode if not performed by root user
PENTESTINGMODE=1
fi
# Disable logging if no alternative was provided
if [ ${PRIVILEGED} -eq 0 ]; then
if [ -z "${LOGFILE}" ]; then
# Try creating a log file in temporary directory
if [ ! -f /tmp/lynis.log ]; then
if [ -L /tmp/lynis.log ]; then echo "Log file is symlinked, which can introduce the risk of a symlink attack."; exit 1; fi
touch /tmp/lynis.log
if [ $? -eq 0 ]; then LOGFILE="/tmp/lynis.log"; else LOGFILE="/dev/null"; fi
# Try creating a log file in home directory
if [ ! -f "$HOME/lynis.log" ]; then
if [ -L "$HOME/lynis.log" ]; then echo "Log file is symlinked, which can introduce the risk of a symlink attack."; exit 1; fi
touch "$HOME/lynis.log"
if [ $? -eq 0 ]; then LOGFILE="$HOME/lynis.log"; else LOGFILE="/dev/null"; fi
else
LOGFILE="/tmp/lynis.log"
LOGFILE="$HOME/lynis.log"
fi
else
if [ -L "${LOGFILE}" ]; then echo "Log file is symlinked, which can introduce the risk of a symlink attack."; exit 1; fi
fi
if [ -z "${REPORTFILE}" ]; then
touch /tmp/lynis-report.dat
if [ -L /tmp/lynis-report.dat ]; then echo "Report file is symlinked, which can introduce the risk of a symlink attack."; exit 1; fi
if [ $? -eq 0 ]; then REPORTFILE="/tmp/lynis-report.dat"; else REPORTFILE="/dev/null"; fi
touch "$HOME/lynis-report.dat"
if [ -L "$HOME/lynis-report.dat" ]; then echo "Report file is symlinked, which can introduce the risk of a symlink attack."; exit 1; fi
if [ $? -eq 0 ]; then REPORTFILE="$HOME/lynis-report.dat"; else REPORTFILE="/dev/null"; fi
else
if [ -L "${REPORTFILE}" ]; then echo "Report file is symlinked, which can introduce the risk of a symlink attack."; exit 1; fi
fi
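Review bot: the report-file symlink check runs after the `touch`, so a symlink at `$HOME/lynis-report.dat` is followed (and its target created or touched) before the `-L` test fires; move the `-L` test in front of `touch "$HOME/lynis-report.dat"` as is done for the log file. The `$? -eq 0` on the next line tests the status of the preceding `if`, not of `touch`, so a failed `touch` never falls back to `/dev/null`. For both files the `-L` test also sits inside `if [ ! -f ... ]`, and `-f` follows symlinks, so a symlink pointing at an existing file takes the `else` branch and is used unchecked; test `-L` before `-f`.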
@ -399,21 +435,25 @@ ${YELLOW}Note: ${WHITE}Cancelling the program can leave temporary files behind${
${WHITE}Options:${NORMAL}
${GRAY}--no-log${NORMAL} : Don't create a log file
${GRAY}--pentest${NORMAL} : Non-privileged scan (useful for pentest)
${GRAY}--profile ${BROWN}<profile>${NORMAL} : Scan the system with the given profile file
${GRAY}--quick (-Q)${NORMAL} : Quick mode, don't wait for user input
${WHITE}Alternative system audit modes${NORMAL}
${GRAY}--forensics${NORMAL} : Perform forensics on a running or mounted system
${GRAY}--pentest${NORMAL} : Non-privileged, show points of interest for pentesting
${WHITE}Layout options${NORMAL}
${GRAY}--no-colors${NORMAL} : Don't use colors in output
${GRAY}--quiet (-q)${NORMAL} : No output
${GRAY}--reverse-colors${NORMAL} : Optimize color display for light backgrounds
${GRAY}--reverse-colours${NORMAL} : Optimize colour display for light backgrounds
${WHITE}Misc options${NORMAL}
${GRAY}--debug${NORMAL} : Debug logging to screen
${GRAY}--no-log${NORMAL} : Don't create a log file
${GRAY}--profile ${BROWN}<profile>${NORMAL} : Scan the system with the given profile file
${GRAY}--view-manpage (--man)${NORMAL} : View man page
${GRAY}--verbose${NORMAL} : Show more details on screen
${GRAY}--version (-V)${NORMAL} : Display version number and quit
${GRAY}--wait${NORMAL} : Wait between a set of tests
${GRAY}--slow-warning ${BROWN}<seconds>${NORMAL} : Threshold for slow test warning in seconds (default 10)
${WHITE}Enterprise options${NORMAL}
${GRAY}--plugindir ${BROWN}<path>${NORMAL} : Define path of available plugins
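Review bot: `--slow-warning` is appended after `--wait`, which breaks the alphabetical order the rest of the "Misc options" list keeps; place it between `--profile` and `--verbose`.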
@ -421,6 +461,7 @@ ${YELLOW}Note: ${WHITE}Cancelling the program can leave temporary files behind${
More options available. Run '$0 show options', or use the man page.
"
if [ ${WRONGOPTION} -eq 1 ]; then
@ -489,6 +530,7 @@ ${NORMAL}
if [ "${OS}" = "Linux" -a "${HOSTNAME}" = "${FQDN}" ]; then
FQDN=$(hostname -f 2> /dev/null)
fi
#
#################################################################################
#
@ -521,8 +563,8 @@ ${NORMAL}
Report "os_fullname=${OS_FULLNAME}"
Report "os_version=${OS_VERSION}"
if [ "${OS}" = "Linux" ]; then Report "linux_version=${LINUX_VERSION}"; fi
if [ ! -z "${OS_KERNELVERSION}" ]; then Report "os_kernel_version=${OS_KERNELVERSION}"; fi
if [ ! -z "${OS_KERNELVERSION_FULL}" ]; then Report "os_kernel_version_full=${OS_KERNELVERSION_FULL}"; fi
if [ -n "${OS_KERNELVERSION}" ]; then Report "os_kernel_version=${OS_KERNELVERSION}"; fi
if [ -n "${OS_KERNELVERSION_FULL}" ]; then Report "os_kernel_version_full=${OS_KERNELVERSION_FULL}"; fi
Report "hostname=${HOSTNAME}"
@ -533,6 +575,7 @@ ${NORMAL}
fi
Report "test_category=${TEST_CATEGORY_TO_CHECK}"
Report "test_group=${TEST_GROUP_TO_CHECK}"
#
#################################################################################
#
@ -595,6 +638,7 @@ ${NORMAL}
echo "Make sure to execute ${PROGRAM_NAME} from untarred directory or check your installation."
exit 1
fi
#
#################################################################################
#
@ -613,9 +657,12 @@ ${NORMAL}
if [ ${EOL} -eq 1 ]; then
echo " End-of-life: ${WARNING}YES${NORMAL}"
ReportWarning "GEN-0010" "This version ${OS_VERSION} is marked end-of-life as of ${EOL_DATE}"
elif [ ${EOL} -eq 255 ]; then
# TODO - mark as item where community can provide help
LogText "Note: the end-of-life of '${OS_FULLNAME}' could not be checked. Entry missing in software-eol.db?"
fi
if [ ! -z "${OS_MODE}" ]; then echo " Operating system mode: ${OS_MODE}"; fi
if [ -n "${OS_MODE}" ]; then echo " Operating system mode: ${OS_MODE}"; fi
echo " Kernel version: ${OS_KERNELVERSION}"
echo " Hardware platform: ${HARDWARE}"
echo " Hostname: ${HOSTNAME}"
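Review bot: when `EOL` is 255 the outcome is only written to the log, so the user never learns that the end-of-life status could not be determined, even though the TODO says this is exactly the case where community input is wanted; a Display line or ReportSuggestion would surface it. The screen shows `End-of-life: YES` only and there is no `else` branch, so printing `NO` or `unknown` in the other cases would make the output self-explanatory.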
@ -638,9 +685,9 @@ ${NORMAL}
LogText "Operating system: ${OS}"
LogText "Operating system name: ${OS_NAME}"
LogText "Operating system version: ${OS_VERSION}"
if [ ! -z "${OS_MODE}" ]; then LogText "Operating system mode: ${OS_MODE}"; fi
if [ -n "${OS_MODE}" ]; then LogText "Operating system mode: ${OS_MODE}"; fi
LogText "Kernel version: ${OS_KERNELVERSION}"
if [ ! -z "${OS_KERNELVERSION_FULL}" ]; then
if [ -n "${OS_KERNELVERSION_FULL}" ]; then
LogText "Kernel version (full): ${OS_KERNELVERSION_FULL}"
fi
LogText "Hardware platform: ${HARDWARE}"
@ -691,7 +738,7 @@ ${NORMAL}
LogText "Latest stable version : ${PROGRAM_LV}"
if [ ${PROGRAM_LV} -gt ${PROGRAM_AC} ]; then
# Check if current version is REALLY outdated (10 versions ago)
PROGRAM_MINVERSION=$((${PROGRAM_LV} - 10))
PROGRAM_MINVERSION=$((PROGRAM_LV - 10))
LogText "Minimum required version : ${PROGRAM_MINVERSION}"
if [ ${PROGRAM_MINVERSION} -gt ${PROGRAM_AC} ]; then
Display --indent 2 --text "- Program update status... " --result "WARNING" --color RED
@ -728,13 +775,12 @@ ${NORMAL}
OLD_RELEASE=0
TIME_DIFFERENCE_CHECK=10368000 # 4 months
RELEASE_PLUS_TIMEDIFF=$((${PROGRAM_RELEASE_TIMESTAMP} + ${TIME_DIFFERENCE_CHECK}))
RELEASE_PLUS_TIMEDIFF=$((PROGRAM_RELEASE_TIMESTAMP + TIME_DIFFERENCE_CHECK))
if [ ${NOW} -gt ${RELEASE_PLUS_TIMEDIFF} ]; then
# Show if release is old, only if we didn't show it with normal update check
if [ ${UPDATE_AVAILABLE} -eq 0 ]; then
ReportSuggestion "LYNIS" "This release is more than 4 months old. Consider upgrading"
ReportSuggestion "LYNIS" "This release is more than 4 months old. Check the website or GitHub to see if there is an update available."
fi
UPDATE_AVAILABLE=1
OLD_RELEASE=1
fi
@ -780,6 +826,14 @@ ${NORMAL}
#
#################################################################################
#
# Test if we have a package manager available by testing for a dummy package (should not exist)
if PackageIsInstalled "__dummy__"; then
HAS_PACKAGE_MANAGER=1
LogText "Informational: package manager is used"
else
LogText "Informational: no known package manager for this system"
fi
# Use hardware detection capabilities
IsVirtualMachine
if IsContainer; then
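Review bot: the condition reads inverted: `if PackageIsInstalled "__dummy__"` takes the `HAS_PACKAGE_MANAGER=1` branch only when the function returns success, i.e. when a package that the comment says "should not exist" is reported as installed. If the function signals "no package manager" with a distinct non-zero code, capture `$?` and compare against that code explicitly, and document the return values in a comment; as written, `HAS_PACKAGE_MANAGER` is only set in the unexpected case and is never initialised to 0 in the `else` branch.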
@ -846,15 +900,24 @@ ${NORMAL}
if [ -f ${PLUGIN_FILE} ]; then
FIND2=$(grep "^# PLUGIN_NAME=" ${PLUGIN_FILE} | awk -F= '{ print $2 }')
if [ ! "${FIND2}" = "" -a ! "${FIND2}" = "[plugin_name]" ]; then
if [ ${PLUGIN_PHASE} -eq 1 ]; then N_PLUGIN=$((${N_PLUGIN} + 1)); fi
if [ ${PLUGIN_PHASE} -eq 1 ]; then N_PLUGIN=$((N_PLUGIN + 1)); fi
# Check if the plugin is enabled in any of the profiles
PLUGIN_ENABLED_STATE=0
for PROFILE in ${PROFILES}; do
LogText "Action: checking plugin status in profile: ${PROFILE}"
FIND3=$(grep "^plugin=${FIND2}" ${PROFILE})
if [ ! -z "${FIND3}" ]; then
LogText "Result: plugin enabled in profile (${PROFILE})"
PLUGIN_ENABLED_STATE=1
if [ -n "${FIND3}" ]; then
FOUND=0
for I in ${DISABLED_PLUGINS}; do
if [ "${I}" = "${FIND2}" ]; then
FOUND=1
LogText "Result: plugin ${FIND2} is specifically disabled"
fi
done
if [ ${FOUND} -eq 0 ]; then
LogText "Result: plugin enabled in profile (${PROFILE})"
PLUGIN_ENABLED_STATE=1
fi
fi
done
if [ ${PLUGIN_ENABLED_STATE} -eq 1 ]; then
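Review bot: `grep "^plugin=${FIND2}"` is a prefix match, so `plugin=pam` in a profile also enables a plugin named `pam-extra`; anchor the pattern with `$` (or `[[:space:]]*$`). The disabled-plugin comparison `"${I}" = "${FIND2}"` is exact, so the two checks disagree on what counts as a match. The inner loop can also `break` as soon as `FOUND=1`.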
@ -866,7 +929,7 @@ ${NORMAL}
if SafePerms ${PLUGINFILE}; then
LogText "Including plugin file: ${PLUGINFILE} (version: ${PLUGIN_VERSION})"
Report "plugin_enabled_phase${PLUGIN_PHASE}[]=${FIND2}|${PLUGIN_VERSION}|"
if [ ${PLUGIN_PHASE} -eq 1 ]; then N_PLUGIN_ENABLED=$((${N_PLUGIN_ENABLED} + 1)); fi
if [ ${PLUGIN_PHASE} -eq 1 ]; then N_PLUGIN_ENABLED=$((N_PLUGIN_ENABLED + 1)); fi
Display --indent 2 --text "- ${CYAN}Plugin${NORMAL}: ${WHITE}${FIND2}${NORMAL}"
if [ ${PLUGIN_PHASE} -eq 1 ]; then Progress " ["; fi
. ${PLUGINFILE}
@ -934,7 +997,7 @@ ${NORMAL}
LogText "Info: perform tests from all categories"
INCLUDE_TESTS="boot_services kernel memory_processes authentication shells \
filesystems usb storage storage_nfs nameservices dns ports_packages networking printers_spools \
filesystems usb storage storage_nfs nameservices dns ports_packages networking printers_spoolers \
mail_messaging firewalls webservers ssh snmp databases ldap php squid logging \
insecure_services banners scheduling accounting time crypto virtualization containers \
mac_frameworks file_integrity tooling malware file_permissions homedirs \
@ -948,7 +1011,7 @@ ${NORMAL}
for INCLUDE_TEST in ${INCLUDE_TESTS}; do
INCLUDE_FILE="${INCLUDEDIR}/tests_${INCLUDE_TEST}"
if [ -f ${INCLUDE_FILE} ]; then
if SafePerms ${INCLUDE_FILE}; then
if SafeFile ${INCLUDE_FILE}; then
. ${INCLUDE_FILE}
else
LogText "Exception: skipping test category ${INCLUDE_TEST}, file ${INCLUDE_FILE} has bad permissions (should be 640, 600 or 400)"
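Review bot: the else-branch message still says the file "has bad permissions (should be 640, 600 or 400)" although the check is now `SafeFile`, which by its name covers more than the mode; adjust the message so a skipped test category is reported for the actual reason the check failed.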
@ -1035,7 +1098,7 @@ ${NORMAL}
if [ -f ${INCLUDEDIR}/report ]; then SafePerms ${INCLUDEDIR}/report; . ${INCLUDEDIR}/report; fi
# Show tool tips
if [ -f ${INCLUDEDIR}/hints_tips ]; then SafePerms ${INCLUDEDIR}/hints_tips; . ${INCLUDEDIR}/hints_tips; fi
if [ -f ${INCLUDEDIR}/tool_tips ]; then SafePerms ${INCLUDEDIR}/tool_tips; . ${INCLUDEDIR}/tool_tips; fi
LogText "================================================================================"
LogText "Tests performed: ${CTESTS_PERFORMED}"
@ -1063,7 +1126,12 @@ ${NORMAL}
LogText "Program ended successfully"
LogText "================================================================================"
if [ -z "${CUSTOM_PROFILE}" ]; then DisplayToolTip "Enhance ${PROGRAM_NAME} audits by adding your settings to custom.prf (see ${DEFAULT_PROFILE} for all settings)"; fi
# Tool tips
if [ ${QUIET} -eq 0 ]; then
if [ -z "${CUSTOM_PROFILE}" ]; then DisplayToolTip "Enhance ${PROGRAM_NAME} audits by adding your settings to custom.prf (see ${DEFAULT_PROFILE} for all settings)"; fi
fi
# Clean exit (Delete PID file)
if [ ${TOTAL_WARNINGS} -gt 0 ]; then
@ -1081,4 +1149,4 @@ ${NORMAL}
#
#================================================================================
# Lynis - Copyright 2007-2019, Michael Boelen, CISOfy - https://cisofy.com
# Lynis - Copyright 2007-2020, Michael Boelen, CISOfy - https://cisofy.com

lynis.8

@ -1,4 +1,4 @@
.TH Lynis 8 "27 Aug 2018" "1.27" "Unix System Administrator's Manual"
.TH Lynis 8 "14 Feb 2020" "1.32" "Unix System Administrator's Manual"
.SH "NAME"
@ -41,13 +41,11 @@ When running \fBLynis\fP for the first time, run: lynis audit system
.SH "COMMANDS"
.IP "audit \<type\>"
Perform an audit of the selected type
.IP "show \<parameter\>"
Show information, such as configuration and paths
.IP "update \<parameter\>"
Perform activities regarding updating
.IP "upload-only"
Upload the available report data file
See HELPERS section for more commands.
.SH "SCAN TYPES"
.IP "audit system"
@ -72,7 +70,10 @@ breaks).
Display debug information to screen for troubleshooting purposes.
.TP
.B \-\-developer
Display developer information when creating tests.
Display detailed information useful for developers when creating tests.
.TP
.B \-\-forensics
Perform the audit on a running or mounted system (see \-\-rootdir)
.TP
.B \-\-help
Show available commands and most-used options.
@ -87,9 +88,12 @@ Show the man page. Useful for systems that do not have the man page installed.
Disable colored output.
.TP
.B \-\-no\-log
Redirect all logging information to /dev/null, prevent sensitive information to
Redirect all logging information to /dev/null, prevents sensitive information to
be written to disk.
.TP
.B \-\-no\-plugins
Do not run any of the enabled plugins.
.TP
.B \-\-pentest
Run a non-privileged scan, usually used for penetration testing. Some of the
tests will be skipped if they require root permissions.
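Review bot: "prevents sensitive information to be written to disk" is ungrammatical; use "prevents sensitive information from being written to disk".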
@ -101,7 +105,7 @@ Define location where plugins can be found.
Provide alternative profile to perform the scan.
.TP
.B \-\-quick (\-Q)
Do a quick scan (don't wait for user input).
Do a quick scan (default: don't wait for user input).
.TP
.B \-\-quiet (\-q)
Run quietly and do not show anything to the screen. Will also enable quick mode.
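Review bot: "Do a quick scan (default: don't wait for user input)" reads as if quick mode were the default; if the flag merely disables waiting, write "Do a quick scan (do not wait for user input)", or state explicitly what the default behaviour is.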
@ -112,20 +116,20 @@ Provide an alternative name for report file.
.B \-\-reverse\-colors
Optimize screen output for light backgrounds.
.TP
.B \-\-skip\-plugins
Do not run plugins.
.TP
.B \-\-tests TEST-IDs
Only run the specific test(s). When using multiple tests, add quotes around the
line.
.TP
.B \-\-tests\-from\-category "<category>"
Tests are only performed if they belong to the defined category. Use the command
'show categories' to determine all valid options.
\ 'show categories' to determine all valid options.
.TP
.B \-\-tests\-from\-group "<group>"
Similar to \-\-tests\-from\-category. Only perform tests from a particular group.
Use 'show categories' to determine valid options.
Use 'show groups' to determine valid options.
.TP
.B \-\-use-cwd
Run from the current working directory.
.TP
.B \-\-upload
Upload data to Lynis Enterprise server (profile option: upload=yes).
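Review bot: removing the `--skip-plugins` entry without naming its replacement leaves users whose scripts pass it guessing; add a sentence that `--skip-plugins` is superseded by `--no-plugins` (or keep the old flag as an alias). The `\ ` prefix before `'show categories'` is the correct roff fix for a line that starts with an apostrophe. Minor: `.B \-\-use-cwd` should escape the inner hyphen (`\-\-use\-cwd`) like the other options.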
@ -155,12 +159,16 @@ file. This speeds up execution and keeps the code clean.
.IP "audit"
Run audit on the system or on other targets
.IP "show"
Provide details about Lynis
.IP "update"
Run updater utility
.IP "configure \<parameter\>"
Change or add settings to the config file
.IP "generate \<parameter\>"
Generate specific details such as host IDs
.IP "show \<parameter\>"
Show information, such as configuration and paths
.IP "update \<parameter\>"
Perform activities regarding updating
.PP
To use a helper, run Lynis followed by the helper name.
To use a helper, run 'lynis' followed by the helper name.
.SH "EXIT CODES"
Lynis uses exit codes to signal any invoking script. Currently the following codes are used:
@ -178,13 +186,13 @@ Can't open file or directory
Lynis found 1 or more warnings or configurations errors (with error-on-warnings=yes)
.SH "BUGS"
Bugs can be reported via GitHub at https://github.com/CISOfy/lynis
Bugs can be reported via GitHub at https://github.com/CISOfy/lynis or via support@cisofy.com
.SH "DOCUMENTATION"
Supporting documentation can be found via https://cisofy.com/support/
.SH "LICENSING"
Lynis is licensed as GPLv3. It was created by Michael Boelen in 2007. Development has been taken over by CISOfy. Plugins may have a different license.
Lynis is licensed as GPLv3. The tool was created by Michael Boelen in 2007. Since 2013 its development has been taken over by CISOfy under the management of Michael Boelen. Plugins may have a different license.
.SH "CONTACT INFORMATION"
Support requests and project related questions can be addressed via e-mail: lynis-dev@cisofy.com.


@ -72,7 +72,7 @@
Display --indent 2 --text "- Checking if everything is OK..." --result OK --color GREEN
else
Display --indent 2 --text "- Checking if everything is OK..." --result WARNING --color RED
ReportSuggestion ${TEST_NO} "This is a suggestion"
ReportSuggestion "${TEST_NO}" "This is a suggestion"
fi
fi
#


@ -6,19 +6,26 @@
#-----------------------------------------------------
# PLUGIN_AUTHOR=Michael Boelen <michael.boelen@cisofy.com>
# PLUGIN_CATEGORY=authentication
# PLUGIN_DATE=2017-04-30
# PLUGIN_DATE=2020-03-21
# PLUGIN_DESC=PAM
# PLUGIN_NAME=pam
# PLUGIN_PACKAGE=all
# PLUGIN_REQUIRED_TESTS=
# PLUGIN_VERSION=1.0.2
# PLUGIN_VERSION=1.0.5
#-----------------------------------------------------
#########################################################################
#
# Variables
CREDITS_D_PASSWORD=""
CREDITS_L_PASSWORD=""
CREDITS_O_PASSWORD=""
CREDITS_U_PASSWORD=""
MAX_PASSWORD_RETRY=""
MIN_PASSWORD_CLASS=""
PAM_DIRECTORY="${ROOTDIR}etc/pam.d"
#
#########################################################################
#
# Test : PLGN-0008
# Description : Check PAM configuration
FILE="${ROOTDIR}etc/security/pwquality.conf"
@ -57,8 +64,9 @@
done
done
fi
#
#########################################################################
#
# Test : PLGN-0010
# Description : Check PAM configuration
if [ -f ${ROOTDIR}etc/pam.conf -o -d ${PAM_DIRECTORY} ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
@ -69,12 +77,12 @@
if [ -d ${PAM_DIRECTORY} ]; then
LogText "Result: ${PAM_DIRECTORY} exists"
if [ ! "${OS}" = "FreeBSD" -a ! "${OS}" = "NetBSD" ]; then
FIND_FILES=$(find ${PAM_DIRECTORY} -type f -print)
FIND_FILES=$(find ${PAM_DIRECTORY} \! -name "*.pam-old" -type f -print)
else
if [ -f ${PAM_DIRECTORY}/README ]; then
LogText "Skipped checking ${OS} ${PAM_DIRECTORY}/README as a PAM file"
fi
FIND_FILES=$(find ${PAM_DIRECTORY} -type f -print | grep -v "README")
FIND_FILES=$(find ${PAM_DIRECTORY} \! -name "README" \! -name "*.pam-old" -type f -print)
fi
for PAM_FILE in ${FIND_FILES}; do
@ -88,7 +96,7 @@
PAM_CONTROL_OPTIONS="-"
PAM_MODULE="-"
PAM_MODULE_OPTIONS="-"
PAM_TYPE=$(echo ${LINE} | awk '{ print $1 }')
PAM_TYPE=$(echo ${LINE} | awk '{ print $1 }' | sed 's/^ *-//g')
PARSELINE=0
case ${PAM_TYPE} in
"@include")
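Review bot: `sed 's/^ *-//g'` discards the leading `-` that marks a PAM entry as tolerant of a missing module (e.g. `-session optional pam_systemd.so`); the type is then classified correctly, but the fact that the module's absence is silently tolerated is lost and is worth logging. The `^ *` and the `g` flag are redundant after `awk '{ print $1 }'`, which never yields leading spaces; `sed 's/^-//'` suffices.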
@ -263,6 +271,7 @@
pam_securetty) ;;
pam_securityserver) ;;
pam_self) ;;
pam_selinux) ;;
pam_shells) ;;
pam_skey) ;;
pam_ssh)


@ -1,27 +1,17 @@
#!/bin/sh
#########################################################################
#
# This component is part of Lynis Enterprise. No parts may be copied,
# distributed or used without written permission of CISOfy. Users who
# have an active license are permitted to use this component as part
# of the service. This software component may only be used in combination
# with Lynis and Lynis Enterprise.
#
# Copyright 2016, CISOfy - https://cisofy.com
#
#########################################################################
#
# * DO NOT REMOVE *
#-----------------------------------------------------
# PLUGIN_AUTHOR=Michael Boelen <michael.boelen@cisofy.com>
# PLUGIN_CATEGORY=essentials
# PLUGIN_DATE=2017-04-30
# PLUGIN_DATE=2020-03-23
# PLUGIN_DESC=Tests related to systemd tooling
# PLUGIN_NAME=systemd
# PLUGIN_PACKAGE=community
# PLUGIN_REQUIRED_TESTS=
# PLUGIN_VERSION=1.0.2
# PLUGIN_VERSION=1.0.4
#-----------------------------------------------------
#
#########################################################################
@ -36,7 +26,7 @@
#
# Test : PLGN-3800
# Description : Gather systemctl exit code
if [ ! "${SYSTEMCTLBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
if [ -n "${SYSTEMCTLBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PLGN-3800 --preqs-met ${PREQS_MET} --weight L --network NO --description "Gather systemctl exit code" --progress
if [ ${SKIPTEST} -eq 0 ]; then
FIND=$(${SYSTEMCTLBINARY} > /dev/null)
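Review bot: `FIND=$(${SYSTEMCTLBINARY} > /dev/null)` always leaves `FIND` empty because stdout is discarded inside the substitution; since the description is "Gather systemctl exit code", run the command directly and capture `$?` (e.g. `${SYSTEMCTLBINARY} > /dev/null 2>&1; EXITCODE=$?`). stderr is not redirected either, so an error from systemctl reaches the screen.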
@ -54,17 +44,17 @@
# Description : Query systemd version and options
# Notes : version can also be gathered with systemctl show | grep ^Version=
# features with systemctl show | grep ^Features=
if [ ! "${SYSTEMCTLBINARY}" = "" -a ${SYSTEMD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
if [ -n "${SYSTEMCTLBINARY}" -a ${SYSTEMD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PLGN-3802 --preqs-met ${PREQS_MET} --weight L --network NO --description "Query systemd version and options" --progress
if [ ${SKIPTEST} -eq 0 ]; then
FIND=$(${SYSTEMCTLBINARY} --version 2> /dev/null | ${AWKBINARY} '{ if ($1=="systemd") { print $2 } }' | grep "^[1-9][0-9][0-9]$" | head -1)
if [ ! "${FIND}" = "" ]; then
if [ -n "${FIND}" ]; then
SYSTEMD_VERSION=${FIND}
Report "systemd_version=${FIND}"
LogText "Result: found systemd version ${FIND}"
fi
FIND=`${SYSTEMCTLBINARY} --version 2> /dev/null | grep "^[-+]" | sed 's/[[:space:]]/,/g' | head -1`
if [ ! "${FIND}" = "" ]; then
FIND=$(${SYSTEMCTLBINARY} --version 2> /dev/null | grep "^[-+]" | sed 's/[[:space:]]/,/g' | head -1)
if [ -n "${FIND}" ]; then
Report "systemd_builtin_components=${FIND}"
LogText "Result: found builtin components list"
fi
@ -74,11 +64,11 @@
#
# Test : PLGN-3804
# Description : Gather all systemd unit files
if [ ! "${SYSTEMCTLBINARY}" = "" -a ${SYSTEMD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
if [ -n "${SYSTEMCTLBINARY}" -a ${SYSTEMD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PLGN-3804 --preqs-met ${PREQS_MET} --weight L --network NO --description "Gather systemd unit files and their status" --progress
if [ ${SKIPTEST} -eq 0 ]; then
FIND=`${SYSTEMCTLBINARY} --no-legend list-unit-files 2> /dev/null | ${AWKBINARY} '{ print $1"|"$2"|" }'`
if [ ! "${FIND}" = "" ]; then
FIND=$(${SYSTEMCTLBINARY} --no-legend list-unit-files 2> /dev/null | ${AWKBINARY} '{ print $1"|"$2"|" }')
if [ -n "${FIND}" ]; then
LogText "Result: found systemd unit files via systemctl list-unit-files"
for I in ${FIND}; do
LogText "Output: ${I}"
@ -91,11 +81,11 @@
#
# Test : PLGN-3806
# Description : Gather all failed systemd units
if [ ! "${SYSTEMCTLBINARY}" = "" -a ${SYSTEMD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
if [ -n "${SYSTEMCTLBINARY}" -a ${SYSTEMD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PLGN-3806 --preqs-met ${PREQS_MET} --weight L --network NO --description "Gather failed systemd units" --progress
if [ ${SKIPTEST} -eq 0 ]; then
FIND=`${SYSTEMCTLBINARY} --no-legend --state=failed 2> /dev/null | ${AWKBINARY} '{ if ($4=="failed" && $5=="failed") { print $2 } }'`
if [ ! "${FIND}" = "" ]; then
FIND=$(${SYSTEMCTLBINARY} --no-legend --state=failed 2> /dev/null | ${AWKBINARY} '{ if ($4=="failed" && $5=="failed") { print $2 } }')
if [ -n "${FIND}" ]; then
LogText "Result: found systemd unit files via systemctl list-unit-files"
for I in ${FIND}; do
LogText "Output: ${I}"
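Review bot: the log line "found systemd unit files via systemctl list-unit-files" is copied from PLGN-3804; this test queries `--state=failed`, so it should read something like "found failed systemd units".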
@ -108,11 +98,11 @@
#
# Test : PLGN-3808
# Description : Gather machine ID
if [ -f /etc/machine-id -a ${SYSTEMD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
if [ -f ${ROOTDIR}etc/machine-id -a ${SYSTEMD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PLGN-3808 --preqs-met ${PREQS_MET} --weight L --network NO --description "Gather systemd machine ID" --progress
if [ ${SKIPTEST} -eq 0 ]; then
FIND=$(cat /etc/machine-id | head -1)
if [ ! "${FIND}" = "" ]; then
FIND=$(cat ${ROOTDIR}etc/machine-id | head -1)
if [ -n "${FIND}" ]; then
SYSTEMD_MACHINEID="${FIND}"
LogText "Result: found machine ID: ${SYSTEMD_MACHINEID}"
fi
@ -122,11 +112,11 @@
#
# Test : PLGN-3810
# Description : Query main systemd binaries
if [ ! "${FINDBINARY}" = "" -a -d /usr/lib/systemd -a ${SYSTEMD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
if [ -n "${FINDBINARY}" -a -d /usr/lib/systemd -a ${SYSTEMD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PLGN-3810 --preqs-met ${PREQS_MET} --weight L --network NO --description "Query main systemd binaries" --progress
if [ ${SKIPTEST} -eq 0 ]; then
FIND=$(${FINDBINARY} ${ROOTDIR}usr/lib/systemd -maxdepth 1 -type f -name "systemd-*" -printf "%f|")
if [ ! "${FIND}" = "" ]; then
if [ -n "${FIND}" ]; then
Report "systemd_binaries=${FIND}"
LogText "Result: found systemd binaries in /usr/lib/systemd"
else
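Review bot: the prerequisite tests `-d /usr/lib/systemd` while the search runs on `${ROOTDIR}usr/lib/systemd`; in `--forensics`/`--rootdir` mode the test is therefore skipped or inspects the wrong tree, so both should use `${ROOTDIR}`. `-printf` is a GNU find extension; acceptable on systemd hosts but worth a comment.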
@ -138,29 +128,29 @@
#
# Test : PLGN-3812
# Description : Query journal for boot related information
if [ ! "${JOURNALCTLBINARY}" = "" -a ${SYSTEMD_RUNNING} -eq 1 -a ${SYSTEMD_VERSION} -ge 209 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
if [ -n "${JOURNALCTLBINARY}" -a ${SYSTEMD_RUNNING} -eq 1 -a ${SYSTEMD_VERSION} -ge 209 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PLGN-3812 --preqs-met ${PREQS_MET} --weight L --network NO --description "Query journal for boot related information" --progress
if [ ${SKIPTEST} -eq 0 ]; then
FIND=$(${JOURNALCTLBINARY} --list-boots | wc -l)
LogText "Output: number of boots listed in journal is ${FIND}"
if [ ! "${FIND}" = "" ]; then Report "journal_bootlogs=${FIND}"; fi
if [ -n "${FIND}" ]; then Report "journal_bootlogs=${FIND}"; fi
FIND=$(${JOURNALCTLBINARY} --list-boots | head -1 | awk '{ print $4 }')
LogText "Output: oldest boot date in journal is ${FIND}"
if [ ! "${FIND}" = "" ]; then Report "journal_oldest_bootdate=${FIND}"; fi
if [ -n "${FIND}" ]; then Report "journal_oldest_bootdate=${FIND}"; fi
fi
#
#################################################################################
#
# Test : PLGN-3814
# Description : Journal integrity
if [ ! "${JOURNALCTLBINARY}" = "" -a ${SYSTEMD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
if [ -n "${JOURNALCTLBINARY}" -a ${SYSTEMD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PLGN-3814 --preqs-met ${PREQS_MET} --weight L --network NO --description "Verify journal integrity" --progress
if [ ${SKIPTEST} -eq 0 ]; then
FIND=$(${JOURNALCTLBINARY} --verify 2>&1 | grep FAIL | sed 's/[[:space:]]/:space:/g')
if [ ! "${FIND}" = "" ]; then
if [ -n "${FIND}" ]; then
Report "journal_contains_errors=1"
for I in ${FIND}; do
LINE=`echo ${I} | sed 's/:space:/ /g'`
LINE=$(echo ${I} | sed 's/:space:/ /g')
LogText "Output (fails): ${LINE}"
done
else
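Review bot: `${SYSTEMD_VERSION} -ge 209` makes `[` fail with a syntax error when `SYSTEMD_VERSION` is empty, which happens whenever PLGN-3802 did not match a three-digit version; guard with `-n "${SYSTEMD_VERSION}"` or initialise the variable to 0. In PLGN-3812 the two `journalctl --list-boots` calls are not redirected with `2> /dev/null` like the other calls in this file.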
@ -173,10 +163,10 @@
#
# Test : PLGN-3816
# Description : Journal sizing
if [ ! "${JOURNALCTLBINARY}" = "" -a ${SYSTEMD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
if [ -n "${JOURNALCTLBINARY}" -a ${SYSTEMD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PLGN-3816 --preqs-met ${PREQS_MET} --weight L --network NO --description "Query journal for boot related information" --progress
if [ ${SKIPTEST} -eq 0 ]; then
FIND=`${JOURNALCTLBINARY} --disk-usage | awk '{ if ($1=="Journals") { print $4 }}'`
FIND=$(${JOURNALCTLBINARY} --disk-usage | awk '{ if ($1=="Journals") { print $4 } else if ($1=="Archived") { print $7 }}')
Report "journal_disk_size=${FIND}"
LogText "Result: journals are ${FIND} in size"
fi
@ -185,10 +175,10 @@
#
# Test : PLGN-3818
# Description : Journal meta data
if [ ! "${JOURNALCTLBINARY}" = "" -a ${SYSTEMD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
if [ -n "${JOURNALCTLBINARY}" -a ${SYSTEMD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PLGN-3818 --preqs-met ${PREQS_MET} --weight L --network NO --description "Query journal meta data" --progress
if [ ${SKIPTEST} -eq 0 ]; then
FIND=`${JOURNALCTLBINARY} --header | sed 's/^$/|/g' | tr '\n' ',' | sed 's/[[:space:]]//g'`
FIND=$(${JOURNALCTLBINARY} --header | sed 's/^$/|/g' | tr '\n' ',' | sed 's/[[:space:]]//g')
Report "journal_meta_data=${FIND}"
fi
#
@ -196,7 +186,7 @@
#
# Test : PLGN-3820
# Description : Journal FSS (Forward Secure Sealing) configuration
if [ ! "${JOURNALCTLBINARY}" = "" -a ! "${SYSTEMD_MACHINEID}" = "" -a ${SYSTEMD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
if [ -n "${JOURNALCTLBINARY}" -a -n "${SYSTEMD_MACHINEID}" -a ${SYSTEMD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PLGN-3820 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check for journal FSS configuration" --progress
if [ ${SKIPTEST} -eq 0 ]; then
FILE="/var/log/journal/${SYSTEMD_MACHINEID}/fss"
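Review bot: `FILE="/var/log/journal/${SYSTEMD_MACHINEID}/fss"` is not prefixed with `${ROOTDIR}`, unlike the machine-id read in PLGN-3808 that this test depends on; in a mounted-system audit the sealing-key check looks at the host instead of the target.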
@ -211,11 +201,11 @@
#
# Test : PLGN-3830
# Description : Query systemd status
if [ ! "${SYSTEMCTLBINARY}" = "" -a ${SYSTEMD_RUNNING} -eq 1 -a ${SYSTEMD_VERSION} -ge 215 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
if [ -n "${SYSTEMCTLBINARY}" -a ${SYSTEMD_RUNNING} -eq 1 -a ${SYSTEMD_VERSION} -ge 215 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PLGN-3830 --preqs-met ${PREQS_MET} --weight L --network NO --description "Query systemd status" --progress
if [ ${SKIPTEST} -eq 0 ]; then
FIND=$(${SYSTEMCTLBINARY} is-system-running 2> /dev/null | head -1)
if [ ! "${FIND}" = "" ]; then
if [ -n "${FIND}" ]; then
Report "systemd_status=${FIND}"
LogText "Result: found systemd status = ${FIND}"
fi
@ -228,8 +218,8 @@
if [ ! "${SYSTEMCTLBINARY}" = "" -a ${SYSTEMD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PLGN-3832 --preqs-met ${PREQS_MET} --weight L --network NO --description "Query systemd status for processes which can not be found" --progress
if [ ${SKIPTEST} -eq 0 ]; then
FIND=`${SYSTEMCTLBINARY} --no-legend --all --state=not-found 2> /dev/null | awk '{ print $1 }'`
if [ ! "${FIND}" = "" ]; then
FIND=$(${SYSTEMCTLBINARY} --no-legend --all --state=not-found 2> /dev/null | awk '{ print $1 }')
if [ -n "${FIND}" ]; then
for I in ${FIND}; do
Report "systemd_unit_not_found[]=${I}"
done
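Review bot: the prerequisite line `if [ ! "${SYSTEMCTLBINARY}" = "" -a ...` is the one remaining old-style empty test in this file after the `-n` conversion; switch it for consistency.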
@ -240,11 +230,11 @@
#
# Test : PLGN-3834
# Description : Gather units from systemd which can not be found
if [ ! "${SYSTEMCTLBINARY}" = "" -a ! "${AWKBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
if [ -n "${SYSTEMCTLBINARY}" -a -n "${AWKBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PLGN-3834 --preqs-met ${PREQS_MET} --weight L --network NO --description "Collect service units which can not be found in systemd" --progress
if [ ${SKIPTEST} -eq 0 ]; then
FIND=`${SYSTEMCTLBINARY} list-units -t service --all | ${AWKBINARY} '{ if ($3=="not-found") { print $2 }}'`
if [ ! "${FIND}" = "" ]; then
FIND=$(${SYSTEMCTLBINARY} list-units -t service --all | ${AWKBINARY} '{ if ($3=="not-found") { print $2 }}')
if [ -n "${FIND}" ]; then
LogText "Result: found one or more services with faulty state"
for I in ${FIND}; do
LogText "Result: service seems to be faulty (not-found) ${I}"
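Review bot: `list-units -t service --all` runs without `--no-legend` and without `2> /dev/null`, unlike the sibling tests; the header and the trailing legend lines are passed through awk, and any stderr noise reaches the screen.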
@ -261,8 +251,8 @@
Register --test-no PLGN-3856 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check if systemd-coredump is used" --progress
if [ ${SKIPTEST} -eq 0 ]; then
SYSTEMD_COREDUMP_USED=1
FIND=`cat /proc/sys/kernel/core_pattern | grep systemd-coredump`
if [ ! "${FIND}" = "" ]; then
FIND=$(cat /proc/sys/kernel/core_pattern | grep systemd-coredump)
if [ -n "${FIND}" ]; then
LogText "Result: systemd uses systemd-coredump to handle coredumps"
Report "systemd_coredump_used=1"
fi
@ -278,11 +268,11 @@
#
# Test : PLGN-3860
# Description : Query coredumps from journalctl since Yesterday
if [ ! "${JOURNALCTLBINARY}" = "" -a ${SYSTEMD_COREDUMP_USED} -eq 1 -a ${SYSTEMD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
if [ -n "${JOURNALCTLBINARY}" -a ${SYSTEMD_COREDUMP_USED} -eq 1 -a ${SYSTEMD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PLGN-3860 --preqs-met ${PREQS_MET} --weight L --network NO --description "Query coredumps from journals since Yesterday" --progress
if [ ${SKIPTEST} -eq 0 ]; then
FIND=$(${JOURNALCTLBINARY} SYSLOG_IDENTIFIER=systemd-coredump --since=yesterday -o cat 2> /dev/null)
if [ ! "${FIND}" = "" ]; then
if [ -n "${FIND}" ]; then
Report "journal_coredumps_lastday=1"
LogText "Result: found recent coredumps"
else