From d282fbfc9c29d07254e9abf184e5e42ca1e8abbe Mon Sep 17 00:00:00 2001 From: Aneesh Agrawal Date: Mon, 27 Apr 2015 03:07:45 -0400 Subject: [PATCH 001/122] Update check for sulogin under systemd. The default rescue.service unit file was updated in the systemd repo on Jan 23, 2015 to allow for sulogin location variability. --- include/tests_boot_services | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/tests_boot_services b/include/tests_boot_services index 35fee381..972855e8 100644 --- a/include/tests_boot_services +++ b/include/tests_boot_services @@ -702,7 +702,7 @@ if [ -f /usr/lib/systemd/system/rescue.service ]; then logtext "Result: file /usr/lib/systemd/system/rescue.service" logtext "Test: checking presence sulogin for single user mode" - FIND=`egrep "^ExecStart=-(/usr)?/sbin/sulogin" /usr/lib/systemd/system/rescue.service` + FIND=`egrep "^ExecStart=-(/bin/sh -c \")?(/usr)?/(s)?bin/sulogin" /usr/lib/systemd/system/rescue.service` if [ ! "${FIND}" = "" ]; then FOUND=1 logtext "Result: found sulogin, so single user is protected" From bfd24585cf880613c63b6bf77437ce85f72569fb Mon Sep 17 00:00:00 2001 From: Aneesh Agrawal Date: Mon, 27 Apr 2015 03:31:43 -0400 Subject: [PATCH 002/122] Pass information about locate prereqs to Register. Prevent the locate test from running spuriously when locate is not present --- include/tests_filesystems | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/tests_filesystems b/include/tests_filesystems index 6d9453da..426bef35 100644 --- a/include/tests_filesystems +++ b/include/tests_filesystems 
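Review bot: The widened pattern on the changed `FIND=` line still only inspects the vendor unit, because the surrounding `if [ -f /usr/lib/systemd/system/rescue.service ]` (context line) never looks at /etc/systemd/system/rescue.service or a rescue.service.d drop-in, which take precedence and can replace ExecStart; a host whose effective rescue target runs an unauthenticated shell would still be logged as "single user is protected". Resolving the unit that systemd will actually run, e.g. `systemctl cat rescue.service` where systemctl is available, or additionally grepping the /etc override paths, would make the verdict reflect the effective configuration. The escaped `\"` reaches egrep as a literal quote as intended, but the reason for the `(/bin/sh -c \")?` prefix is not visible in the code; a comment such as `# newer rescue.service wraps sulogin in sh -c "..."; see commit message` would save the next reader a trip to the systemd history. The enclosing block continues outside the hunk.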
@@ -538,7 +538,7 @@ # or /var/cache/locate/locatedb # FreeBSD /var/db/locate.database if [ ! "${LOCATEBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi - Register --test-no FILE-6410 --os Linux --weight L --network NO --description "Checking Locate database" + Register --test-no FILE-6410 --preqs-met ${PREQS_MET} --os Linux --weight L --network NO --description "Checking Locate database" if [ ${SKIPTEST} -eq 0 ]; then logtext "Test: Checking locate database" FOUND=0 From 5d7dc80481399c6a5fc6f53f9dacd5ea6b86104d Mon Sep 17 00:00:00 2001 From: Roland Smith Date: Mon, 27 Apr 2015 11:32:09 +0200 Subject: [PATCH 003/122] Initial version of IPFW test (FreeBSD). --- include/tests_firewalls | 19 ++++++++++++++++++- 1 file changed, 18 insertions(+), 1 deletion(-) diff --git a/include/tests_firewalls b/include/tests_firewalls index 5a529d35..1d3a7061 100644 --- a/include/tests_firewalls +++ b/include/tests_firewalls @@ -274,7 +274,24 @@ ################################################################################# # # Test : FIRE-4530 - # Description : Check ipfw + # Description : Check ipfw (FreeBSD) + Register --test-no FIRE-4530 --os FreeBSD --weight L --network NO --description "Check ipfw status" + if [ ! "${SYSCTLBINARY}" = "" ]; then + # For now, only check for IPv4. + FIND=`${SYSCTLBINARY} net.inet.ip.fw.enable | awk '{ print $2 }'` + if [ "${FIND}" = "1" ]; then + Display --indent 4 --text "- Checking ipfw status" --result RUNNING --color GREEN + logtext "Result: ipfw is enabled and running for IPv4" + FIREWALL_ACTIVE=1 + FIREWALL_SOFTWARE="ipfw" + else + Display --indent 4 --text "- Checking ipfw status" --result "NOT RUNNING" --color YELLOW + logtext "Result: ipfw is not running for IPv4" + fi + else + Display --indent 2 --text "- Checking ipfw" --result SKIPPED --color YELLOW + ReportException "${TEST_NO}:4" "No IPFW test available (sysctl missing)" + fi # ################################################################################# # 
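Review bot: The sysctl call `${SYSCTLBINARY} net.inet.ip.fw.enable | awk '{ print $2 }'` leaves stderr unredirected, so on a FreeBSD host where the ipfw module is not loaded the unknown-OID error prints straight to the audit's terminal while FIND ends up empty and is reported as NOT RUNNING. Using the value-only form and silencing stderr, `FIND=\`${SYSCTLBINARY} -n net.inet.ip.fw.enable 2>/dev/null\``, gives the same verdict without the noise; the same line is carried unchanged into the hunks of patches 004 and 005. Note also that enable=1 only says the ipfw hook is active, not that a restrictive ruleset is loaded, so setting FIREWALL_ACTIVE=1 on that basis alone is optimistic; a comment such as `# enable=1 confirms the hook, not the ruleset` would at least record the limitation until rules are inspected.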
From ded7e95a14207bec2206ae3a896cae074daf87a8 Mon Sep 17 00:00:00 2001 From: Roland Smith Date: Mon, 27 Apr 2015 12:00:58 +0200 Subject: [PATCH 004/122] Check if ipfw is enabled in rc.conf. --- include/tests_firewalls | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/include/tests_firewalls b/include/tests_firewalls index 1d3a7061..3e23fb95 100644 --- a/include/tests_firewalls +++ b/include/tests_firewalls @@ -280,12 +280,20 @@ # For now, only check for IPv4. FIND=`${SYSCTLBINARY} net.inet.ip.fw.enable | awk '{ print $2 }'` if [ "${FIND}" = "1" ]; then - Display --indent 4 --text "- Checking ipfw status" --result RUNNING --color GREEN - logtext "Result: ipfw is enabled and running for IPv4" + Display --indent 2 --text "- Checking ipfw status" --result RUNNING --color GREEN + logtext "Result: ipfw is running for IPv4" FIREWALL_ACTIVE=1 FIREWALL_SOFTWARE="ipfw" + IPFW_ENABLED=`service -e | grep -o ipfw` + if [ "${IPFW_ENABLED}" = "ipfw" ]; then + Display --indent 4 --text "- ipfw enabled in /etc/rc.conf" --result YES --color GREEN + logtext "Result: ipfw is enabled at start-up for IPv4" + else + Display --indent 4 --text "- ipfw enabled in /etc/rc.conf" --result NO --color YELLOW + logtext "Result: ipfw is disabled at start-up for IPv4" + fi else - Display --indent 4 --text "- Checking ipfw status" --result "NOT RUNNING" --color YELLOW + Display --indent 2 --text "- Checking ipfw status" --result "NOT RUNNING" --color YELLOW logtext "Result: ipfw is not running for IPv4" fi else From a0b20fcfe352a913054f3ba95d660142c69402ec Mon Sep 17 00:00:00 2001 From: Roland Smith Date: Mon, 27 Apr 2015 18:26:39 +0200 Subject: [PATCH 005/122] Wrap ipfw test in SKIPTEST block. --- include/tests_firewalls | 42 +++++++++++++++++++++-------------------- 1 file changed, 22 insertions(+), 20 deletions(-) diff --git a/include/tests_firewalls b/include/tests_firewalls index 3e23fb95..28143f1f 100644 --- a/include/tests_firewalls 
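Review bot: `IPFW_ENABLED=\`service -e | grep -o ipfw\`` compared against the exact string `ipfw` is fragile: `grep -o` prints one line per match, so any other enabled rc script whose path contains `ipfw` yields two lines, the equality fails, and ipfw is reported as disabled at start-up even though it is enabled. Since `service -e` prints full script paths, anchoring on the basename is more robust: `if service -e 2>/dev/null | grep -q '/ipfw$'; then`. The Display text names /etc/rc.conf, but `service -e` reflects the merged rc configuration (defaults and rc.conf.d included), so "enabled at boot" would be the accurate wording, and `service` is invoked bare rather than through a located binary variable as the sysctl call above is. The enclosing if block begins and ends outside the hunk.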
+++ b/include/tests_firewalls 
@@ -276,29 +276,31 @@ # Test : FIRE-4530 # Description : Check ipfw (FreeBSD) Register --test-no FIRE-4530 --os FreeBSD --weight L --network NO --description "Check ipfw status" - if [ ! "${SYSCTLBINARY}" = "" ]; then - # For now, only check for IPv4. - FIND=`${SYSCTLBINARY} net.inet.ip.fw.enable | awk '{ print $2 }'` - if [ "${FIND}" = "1" ]; then - Display --indent 2 --text "- Checking ipfw status" --result RUNNING --color GREEN - logtext "Result: ipfw is running for IPv4" - FIREWALL_ACTIVE=1 - FIREWALL_SOFTWARE="ipfw" - IPFW_ENABLED=`service -e | grep -o ipfw` - if [ "${IPFW_ENABLED}" = "ipfw" ]; then - Display --indent 4 --text "- ipfw enabled in /etc/rc.conf" --result YES --color GREEN - logtext "Result: ipfw is enabled at start-up for IPv4" + if [ ${SKIPTEST} -eq 0 ]; then + if [ ! "${SYSCTLBINARY}" = "" ]; then + # For now, only check for IPv4. + FIND=`${SYSCTLBINARY} net.inet.ip.fw.enable | awk '{ print $2 }'` + if [ "${FIND}" = "1" ]; then + Display --indent 2 --text "- Checking ipfw status" --result RUNNING --color GREEN + logtext "Result: ipfw is running for IPv4" + FIREWALL_ACTIVE=1 + FIREWALL_SOFTWARE="ipfw" + IPFW_ENABLED=`service -e | grep -o ipfw` + if [ "${IPFW_ENABLED}" = "ipfw" ]; then + Display --indent 4 --text "- ipfw enabled in /etc/rc.conf" --result YES --color GREEN + logtext "Result: ipfw is enabled at start-up for IPv4" + else + Display --indent 4 --text "- ipfw enabled in /etc/rc.conf" --result NO --color YELLOW + logtext "Result: ipfw is disabled at start-up for IPv4" + fi else - Display --indent 4 --text "- ipfw enabled in /etc/rc.conf" --result NO --color YELLOW - logtext "Result: ipfw is disabled at start-up for IPv4" + Display --indent 2 --text "- Checking ipfw status" --result "NOT RUNNING" --color YELLOW + logtext "Result: ipfw is not running for IPv4" fi - else - Display --indent 2 --text "- Checking ipfw status" --result "NOT RUNNING" --color YELLOW - logtext "Result: ipfw is not running for IPv4" + else + Display --indent 2 
--text "- Checking ipfw" --result SKIPPED --color YELLOW + ReportException "${TEST_NO}:4" "No IPFW test available (sysctl missing)" fi - else - Display --indent 2 --text "- Checking ipfw" --result SKIPPED --color YELLOW - ReportException "${TEST_NO}:4" "No IPFW test available (sysctl missing)" fi # ################################################################################# From 72feac96388b0ed4243a62152667424e8ab074b4 Mon Sep 17 00:00:00 2001 From: mboelen Date: Thu, 11 Jun 2015 13:57:37 +0200 Subject: [PATCH 006/122] Added additional legal words for banner usage --- include/tests_banners | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/tests_banners b/include/tests_banners index de60c258..610f7cae 100644 --- a/include/tests_banners +++ b/include/tests_banners @@ -23,7 +23,7 @@ ################################################################################# # BANNER_FILES="/etc/issue /etc/issue.net /etc/motd" - LEGAL_BANNER_STRINGS="audit access authori intrusion law legal monitor owner policy policies private prohibited restricted subject terms this unauthorized" + LEGAL_BANNER_STRINGS="audit access authori connect enforce evidence intrusion law legal monitor owner policy policies private prohibited restricted subject terms this unauthorized" # ################################################################################# # From e13a9087eaeb13d7c33b9392d2d21c0735ae20ef Mon Sep 17 00:00:00 2001 From: mboelen Date: Thu, 11 Jun 2015 13:57:57 +0200 Subject: [PATCH 007/122] Added compilers to report --- include/tests_hardening | 2 ++ 1 file changed, 2 insertions(+) diff --git a/include/tests_hardening b/include/tests_hardening index 592e8b16..713264b9 100644 --- a/include/tests_hardening +++ b/include/tests_hardening @@ -55,6 +55,7 @@ IsWorldExecutable ${ASBINARY} if [ $? -eq 1 ]; then logtext "Binary: found ${ASBINARY} (world executable)" + report "compiler[]=${ASBINARY}" AddHP 2 3 HARDEN_COMPILERS_NEEDED=1 else 
@@ -67,6 +68,7 @@ IsWorldExecutable ${GCCBINARY} if [ $? -eq 1 ]; then logtext "Binary: found ${GCCBINARY} (world executable)" + report "compiler[]=${GCCBINARY}" AddHP 2 3 HARDEN_COMPILERS_NEEDED=1 else From 0d4b25d3089d1f6f31f5c32689f222c575c96a2c Mon Sep 17 00:00:00 2001 From: mboelen Date: Thu, 11 Jun 2015 13:58:16 +0200 Subject: [PATCH 008/122] Disable suggestion for this test --- include/tests_filesystems | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/tests_filesystems b/include/tests_filesystems index 6444a645..9b9561a1 100644 --- a/include/tests_filesystems +++ b/include/tests_filesystems @@ -276,7 +276,7 @@ Display --indent 2 --text "- Testing swap partitions" --result WARNING --color RED logtext "Result: possible incorrect mount options used for mounting swap partition (${FIND})" #ReportWarning ${TEST_NO} "L" "Possible incorrect mount options used for swap parition (${FIND})" - ReportSuggestion ${TEST_NO} "Check your /etc/fstab file for swap partition mount options" + #ReportSuggestion ${TEST_NO} "Check your /etc/fstab file for swap partition mount options" logtext "Notes: usually swap partition have 'sw' or 'swap' in the options field (4th)" fi fi From f0026427bbd884476cc68d2adc6d577ee1cbc79c Mon Sep 17 00:00:00 2001 From: mboelen Date: Thu, 11 Jun 2015 13:58:30 +0200 Subject: [PATCH 009/122] Textual changes --- include/tests_file_permissions | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/include/tests_file_permissions b/include/tests_file_permissions index a62f27e9..a5f30270 100644 --- a/include/tests_file_permissions +++ b/include/tests_file_permissions 
@@ -5,8 +5,8 @@ # Lynis # ------------------ # -# Copyright 2007-2015, Michael Boelen (michael@rootkit.nl), The Netherlands -# Web site: http://www.rootkit.nl +# Copyright 2007-2015, Michael Boelen, CISOfy (michael.boelen@cisofy.com) +# Web site: https://cisofy.com # # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are # welcome to redistribute it under the terms of the GNU General Public License. @@ -56,4 +56,4 @@ wait_for_keypress # #================================================================================ -# Lynis - Copyright 2007-2015, Michael Boelen - www.rootkit.nl - The Netherlands +# Lynis - Copyright 2007-2015, CISOfy - https://cisofy.com From f34e59663f2d1f8a46cc3818831e3a0859904d5b Mon Sep 17 00:00:00 2001 From: mboelen Date: Thu, 11 Jun 2015 20:50:19 +0200 Subject: [PATCH 010/122] Report hardening index, even when report is not shown --- include/report | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/include/report b/include/report index 82b69c6b..b211f0e1 100644 --- a/include/report +++ b/include/report @@ -87,7 +87,6 @@ HPGRAPH="[${HPCOLOR}${HPBLOCKS}${NORMAL}${HPEMPTY}]" logtext "Hardening index : [${HPINDEX}] [${HPBLOCKS}${HPEMPTY}]" logtext "Hardening strength: ${HIDESCRIPTION}" - report "hardening_index=${HPINDEX}" # ################################################################################# @@ -239,6 +238,10 @@ fi + # Report data, even if it is not displayed on screen + report "hardening_index=${HPINDEX}" + + if [ ${QUIET} -eq 0 ]; then echo " ${PROGRAM_name} ${PROGRAM_version}" From b947bb085c0baa34a30aa167efc3002a7248ae3b Mon Sep 17 00:00:00 2001 From: mboelen Date: Wed, 17 Jun 2015 17:06:51 +0200 Subject: [PATCH 011/122] Changed detection, added examples of fstab entries --- include/tests_filesystems | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/include/tests_filesystems b/include/tests_filesystems index 9b9561a1..9b7536e8 100644 
--- a/include/tests_filesystems +++ b/include/tests_filesystems @@ -262,21 +262,23 @@ # # Test : FILE-6336 # Description : Check swap mount options + # Examples : [partition] swap swap defaults 0 0 + # [partition] none swap sw 0 0 if [ -f /etc/fstab ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no FILE-6336 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking swap mount options" if [ ${SKIPTEST} -eq 0 ]; then # Swap partitions should be mounted with 'sw' or 'swap' logtext "Test: check swap partitions with incorrect mount options" #FIND=`awk '{ if ($3=="swap" && ($4!="sw" && $4!="swap" && $4!="defaults")) print $1 }' /etc/fstab` - FIND=`awk '{ if ($3=="swap" && $4~/sw/) { print $1 }}' /etc/fstab` + FIND=`awk '{ if ($3=="swap" && ($4~/sw/ || $4=="defaults") { print $1 }}' /etc/fstab` if [ ! "${FIND}" = "" ]; then Display --indent 2 --text "- Testing swap partitions" --result OK --color GREEN logtext "Result: all swap partitions have correct options (sw or swap)" else - Display --indent 2 --text "- Testing swap partitions" --result WARNING --color RED + Display --indent 2 --text "- Testing swap partitions" --result "CHECK NEEDED" --color YELLOW logtext "Result: possible incorrect mount options used for mounting swap partition (${FIND})" #ReportWarning ${TEST_NO} "L" "Possible incorrect mount options used for swap parition (${FIND})" - #ReportSuggestion ${TEST_NO} "Check your /etc/fstab file for swap partition mount options" + ReportSuggestion ${TEST_NO} "Check your /etc/fstab file for swap partition mount options" logtext "Notes: usually swap partition have 'sw' or 'swap' in the options field (4th)" fi fi From 7d3053831195a1a700e079ea1373d17a5510866b Mon Sep 17 00:00:00 2001 From: mboelen Date: Wed, 17 Jun 2015 17:13:44 +0200 Subject: [PATCH 012/122] Added missing bracket --- include/tests_filesystems | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
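Review bot: In the `else` branch the log line `logtext "Result: possible incorrect mount options used for mounting swap partition (${FIND})"` can never show the offending entry, because that branch is only reached when FIND is empty; the awk filter collects the swap lines that pass, not the ones that fail. The OK verdict is likewise earned by a single well-formed entry, so a second swap line with unusual options is still reported as "all swap partitions have correct options", and a host with no swap entry at all lands on CHECK NEEDED. Inverting the filter, `FIND=\`awk '{ if ($3=="swap" && !($4~/sw/ || $4=="defaults")) { print $1 }}' /etc/fstab\``, and swapping the two branches so that a non-empty FIND is the CHECK NEEDED case makes both the message and the OK verdict accurate.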
diff --git a/include/tests_filesystems b/include/tests_filesystems index 9b7536e8..e302a3e5 100644 --- a/include/tests_filesystems +++ b/include/tests_filesystems @@ -270,7 +270,7 @@ # Swap partitions should be mounted with 'sw' or 'swap' logtext "Test: check swap partitions with incorrect mount options" #FIND=`awk '{ if ($3=="swap" && ($4!="sw" && $4!="swap" && $4!="defaults")) print $1 }' /etc/fstab` - FIND=`awk '{ if ($3=="swap" && ($4~/sw/ || $4=="defaults") { print $1 }}' /etc/fstab` + FIND=`awk '{ if ($3=="swap" && ($4~/sw/ || $4=="defaults")) { print $1 }}' /etc/fstab` if [ ! "${FIND}" = "" ]; then Display --indent 2 --text "- Testing swap partitions" --result OK --color GREEN logtext "Result: all swap partitions have correct options (sw or swap)" From c1b4601f7130926b75b22d508be320b1e6eb89b3 Mon Sep 17 00:00:00 2001 From: Alex Kamsteeg Date: Mon, 13 Jul 2015 09:43:04 +0200 Subject: [PATCH 013/122] Update README.md --- README.md | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 317cda8d..786c895e 100644 --- a/README.md +++ b/README.md @@ -27,9 +27,8 @@ Main audience: ## First run -Clone or download the project files. No compilation or installation is required. - -Execute: ./lynis audit system +1. Clone or download the project files. No compilation or installation is required. +2. Execute: ./lynis audit system By default If you want to run the software as root, we suggest to alter the ownership of the files. From 6dfe906610201c398ea11de9958b5d028cb45edd Mon Sep 17 00:00:00 2001 From: Alex Kamsteeg Date: Mon, 13 Jul 2015 10:49:50 +0200 Subject: [PATCH 014/122] Fixed styling of command in First Run instructions --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 786c895e..16699264 100644 --- a/README.md +++ b/README.md 
@@ -28,7 +28,7 @@ Main audience: ## First run 1. Clone or download the project files. No compilation or installation is required. -2. Execute: ./lynis audit system +2. Execute: `./lynis audit system` By default If you want to run the software as root, we suggest to alter the ownership of the files. From e8111a124feff0cbacfdc7ae2f62b58a776f0fbe Mon Sep 17 00:00:00 2001 From: mboelen Date: Tue, 14 Jul 2015 00:31:59 +0200 Subject: [PATCH 015/122] Increase default minimum amount of connections before alerting --- include/tests_networking | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/include/tests_networking b/include/tests_networking index ac0d3c43..4188c440 100644 --- a/include/tests_networking +++ b/include/tests_networking 
@@ -447,16 +447,17 @@ # Test : NETW-3028 # Description : Checking for many waiting connections # Type : Performance + # Notes : It is common to see a healthy web server seeing to have several thousands of TCP connections in WAIT state if [ ! "${NETSTATBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no NETW-3028 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking connections in WAIT state" if [ ${SKIPTEST} -eq 0 ]; then logtext "Test: Using netstat for check for connections in WAIT state" FIND=`${NETSTATBINARY} -an | grep WAIT | wc -l | awk '{ print $1 }'` - if [ "${OPTIONS_CONN_MAX_WAIT_STATE}" = "" ]; then OPTIONS_CONN_MAX_WAIT_STATE="100"; fi + if [ "${OPTIONS_CONN_MAX_WAIT_STATE}" = "" ]; then OPTIONS_CONN_MAX_WAIT_STATE="5000"; fi logtext "Result: currently ${FIND} connections are in a waiting state (max configured: ${OPTIONS_CONN_MAX_WAIT_STATE})." if [ ${FIND} -gt ${OPTIONS_CONN_MAX_WAIT_STATE} ]; then Display --indent 2 --text "- Checking waiting connections" --result WARNING --color YELLOW - ReportWarning ${TEST_NO} "H" "Found too much connections in WAIT state (${FIND})" + ReportSuggestion "${TEST_NO}" "Determine why system has many connections in WAIT state (${FIND})" else Display --indent 2 --text "- Checking waiting connections" --result OK --color GREEN logtext "Result: ${FIND} connections are in WAIT state" From be9177407b30214dfb3b40befc21d85c75a0e3f4 Mon Sep 17 00:00:00 2001 From: mboelen Date: Tue, 14 Jul 2015 00:34:05 +0200 Subject: [PATCH 016/122] Updated changelog for upcoming release --- CHANGELOG | 63 +++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 63 insertions(+) diff --git a/CHANGELOG b/CHANGELOG index fbb2dd02..d76e21c5 100644 --- a/CHANGELOG +++ b/CHANGELOG 
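Review bot: `if [ ${FIND} -gt ${OPTIONS_CONN_MAX_WAIT_STATE} ]` still performs an unquoted integer comparison on a value that appears to come from the profile (the `connections_max_wait_state` option adjusted in patch 017) without checking that it is numeric, so a stray non-digit or whitespace value makes `[` fail with an error instead of producing a verdict. Replacing the empty-string default on the changed line with a pattern check covers both cases: `case "${OPTIONS_CONN_MAX_WAIT_STATE}" in ''|*[!0-9]*) OPTIONS_CONN_MAX_WAIT_STATE="5000" ;; esac`. Separately, `grep WAIT` counts TIME_WAIT, CLOSE_WAIT and FIN_WAIT alike, and `grep WAIT | wc -l | awk '{ print $1 }'` is simply `grep -c WAIT`; a comment naming which states the 5000 threshold is meant to cover would clarify what is being measured.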
@@ -18,6 +18,68 @@ ================================================================================ + = Lynis 2.1.x (2015-xx-xx) = + + This release adds several improvements and in different areas. Support for systems + like CentOS, openSUSE, Slackware is improved. It includes further cleanups of the + code, performance tweaks and more support for common software components. + + Performance: + Performance tuning has been applied, to speed up execution of the audit on + systems with many files. + + Automatic updater: + Initial work on an automatic updater has been implemented. This way Lynis can + be scheduled for updating from a trusted source. + + Internal functions: + As not all systems have readlink, or the -f option of readlink, the + ShowSymlinkPath function has been extended with a Python based check. + + Software support: + Apache module directory /usr/lib64/apache has been added, which is used on openSUSE. + Support for Chef has been added. + + File integrity: + Added tests for CSF's lfd utility for integrity monitoring on directories and + files. Related tests are FINT-4334 and FINT-4336. + + Time sychronization: + Added support for Chrony time daemon and timesync daemon. Additionally NTP + sychronization status is checked when it is enabled. + + Other: + Check for permissions has been extended. + Python binary is now detected, to help with symlink detection. + Several new legal terms, for usage in banners, have been added. + In several files old tests have been removed, to further clean up the code. + The hardening index is inserted into the report, even if it is not displayed on screen. 
+ + Bug fixes: + Nginx test showed error when access_log had multiple parameters + + Functions: + Added AddSystemGroup function + + New tests: + [PKGS-7366] Scan for debsecan utility on Debian systems + [PKGS-7410] Determine amount of installed kernel packages + [TIME-3106] Check synchronization status of NTP on systemd based systems + [CONT-8102] Docker daemon status and gather basic details + [CONT-8104] Check docker info for any Docker warnings + [CONT-8106] Check total, running and unused Docker containers + + Plugins: + [PLGN-2602] Disabled by default, as it may be too slow for some machines + [PLGN-3002] Extended with /sbin/nologin + + Documentation: + A new document has been created to help with the process of upgrading Lynis. + It is available at https://cisofy.com/documentation/lynis/upgrading/ + + -------------------------------------------------------------- + + = Lynis 2.1.0 (2015-04-16) = General: @@ -62,6 +124,7 @@ -------------------------------------------------------------- + = Lynis 2.0.0 (2015-02-25) = From 3caaf0f744dbb7c7fd7f520df60c56ff8d544df9 Mon Sep 17 00:00:00 2001 From: mboelen Date: Tue, 14 Jul 2015 00:34:38 +0200 Subject: [PATCH 017/122] Adjusted connections_max_wait_state --- default.prf | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/default.prf b/default.prf index 713070f7..8f79daa5 100644 --- a/default.prf +++ b/default.prf @@ -270,8 +270,8 @@ permdir:/root/.ssh:rwx------:root:-:WARN: # ################################################################################# -# Amount of connections in WAIT state before reporting it as a warning -#config:connections_max_wait_state:50: +# Amount of connections in WAIT state before reporting it as a suggestion +#config:connections_max_wait_state:5000: # Skip security repository check for Debian based systems #config:debian_skip_security_repository:yes: 
@@ -354,7 +354,7 @@ permdir:/root/.ssh:rwx------:root:-:WARN: # Provide options to cURL when uploading data. Common options include: # -k or --insecure --> use HTTPS, but skip certificate check (e.g. self-signed) -# --proxy [http://]proxyserver:8080 --> use HTTP/HTTPS proxy +# --proxy [http://]proxyserver:8080 --> use HTTP/HTTPS proxy # --socks5 proxyserver:8080 --> use SOCKS proxy #config:upload_options:-k: From 9e3fb6f6c243af72f6feae033fab4ce6c967073f Mon Sep 17 00:00:00 2001 From: mboelen Date: Tue, 14 Jul 2015 00:40:22 +0200 Subject: [PATCH 018/122] Updated line --- README.md | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 16699264..b83144c6 100644 --- a/README.md +++ b/README.md @@ -30,9 +30,8 @@ Main audience: 1. Clone or download the project files. No compilation or installation is required. 2. Execute: `./lynis audit system` -By default -If you want to run the software as root, we suggest to alter the ownership of the files. - +If you want to run the software as root, we suggest to alter the ownership of the files. Use chown -R and +chgrp -R to recursively alter the owner and group. ## Documentation See for full documentation https://cisofy.com/documentation/lynis/ From f341b01e4d637771d978de534891f2545fabfce5 Mon Sep 17 00:00:00 2001 From: James White Date: Wed, 15 Jul 2015 11:50:56 +0100 Subject: [PATCH 019/122] Fix false positive matches with unsafe ports on SQD-3624 The grep statement needs to be modified to prevent tagging port values that contains a value in `SQUID_DAEMON_UNSAFE_PORTS_LIST` but aren't actually the listed port. --- include/tests_squid | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/tests_squid b/include/tests_squid index 0ce03159..98a4380c 100644 --- a/include/tests_squid +++ b/include/tests_squid 
@@ -265,7 +265,7 @@ #SQUID_DAEMON_UNSAFE_PORTS_LIST for I in ${SQUID_DAEMON_UNSAFE_PORTS_LIST}; do logtext "Test: Checking port ${I} in Safe_ports list" - FIND2=`grep "^acl Safe_ports port ${I}" ${SQUID_DAEMON_CONFIG}` + FIND2=`grep -w "^acl Safe_ports port ${I}" ${SQUID_DAEMON_CONFIG}` if [ "${FIND2}" = "" ]; then Display --indent 6 --text "- Checking ACL 'Safe_ports' (port ${I})" --result "NOT FOUND" --color GREEN AddHP 1 1 From 5b9c4ad7fda3dce8dab6459aaf41a2bc96ae2386 Mon Sep 17 00:00:00 2001 From: mboelen Date: Wed, 15 Jul 2015 15:26:51 +0200 Subject: [PATCH 020/122] Add contribution rules --- CONTRIBUTIONS.md | 31 +++++++++++++++++++++++++++++++ 1 file changed, 31 insertions(+) create mode 100644 CONTRIBUTIONS.md diff --git a/CONTRIBUTIONS.md b/CONTRIBUTIONS.md new file mode 100644 index 00000000..ee21149f --- /dev/null +++ b/CONTRIBUTIONS.md 
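Review bot: `grep -w "^acl Safe_ports port ${I}"` removes the prefix false positive, but because the pattern is anchored immediately after `port ` it only sees the first value on the line; squid accepts several ports on one acl line (`acl Safe_ports port 21 80 443`), so an unsafe port listed second is still reported as NOT FOUND, a false negative in the direction that matters for an audit. Allowing preceding values while keeping the word boundary, `FIND2=\`grep -Ew "^acl Safe_ports port (.* )?${I}" "${SQUID_DAEMON_CONFIG}"\``, closes that gap for space-separated lists and also quotes the config path; port ranges such as `70-90` would still need a numeric check. The surrounding `for I in ${SQUID_DAEMON_UNSAFE_PORTS_LIST}` loop begins in the hunk and ends outside it.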
@@ -0,0 +1,31 @@ +# Contributions + +## Pull Requests +Contributions to the Lynis project should be submitted as a pull request. The upstream +project can be found in our [GitHub repository](https://github.com/CISOfy/lynis). + +By submitting a [Pull Request](https://help.github.com/articles/using-pull-requests/) +to this repository, you agree that you: + +1. Own the contribution that you are providing, or have obtained permission from + the contribution owner + +2. Allow your contribution to be licensed under the license of the target + project (GPLv3) + +3. Allow your contribution to be freely distributed to the Lynis community + +4. Allow the project the [Unlimited Rights](#Unlimited-Rights) to your contribution + + +## Unlimited Rights +Our project is licensed under GPLv3. By providing a contribution to the project, it +will be used for the purpose of the project. Unlimited rights includes the rights to +use, modify, reproduce, release, perform, display, or disclose computer software or +computer software documentation in whole or in part, in any manner and for any +purpose whatsoever, and to have or authorize others to do so. + +If you want to be named in as a contributor in the CONTRIBUTOR file, then include +this notition in your pull request (format: Full Name, with optional the company name +and/or your e-mail address). + From 954482440d5b757da936612a8c045c5150604faa Mon Sep 17 00:00:00 2001 From: mboelen Date: Wed, 15 Jul 2015 15:48:59 +0200 Subject: [PATCH 021/122] Updated readme files --- README | 20 ++++++++++---------- README.md | 26 +++++++++++++++++--------- 2 files changed, 27 insertions(+), 19 deletions(-) diff --git a/README b/README index 5b4dfcbb..105d0a30 100644 --- a/README +++ b/README 
@@ -29,7 +29,8 @@ Some of the (future) features and usage options: - System and security audit checks - - File Integrity Assessment + - Compliance testing + - File integrity monitoring - System and file forensics - Usage of templates/baselines (reporting and monitoring) - Extended debugging features @@ -93,21 +94,20 @@ - GitHub - https://github.com/CISOfy/lynis - E-mail - lynis-dev@cisofy.com + Contributions are appreciated and can be done via GitHub. See CONTRIBUTIONS.md + for more information about how to submit them. + [+] Support ------------------------------- Lynis is tested on the most common operating systems. The documentation (README, FAQ) and the debugging information in the log file should cover most questions and - problems. Bugs can be reported by filling in the contact form at rootkit.nl, or by - sending an e-mail. + problems. Bugs can be reported via GitHub, or sending an e-mail to the lynis-dev + address above. - NOTE: User related questions should not be asked via the contact form. Read the - documentation, the website resources and the log file for answers to common problems. - - Commercial support is available under strict conditions and depends on the request. - For more information fill in the contact form and describe what kind of service is - requested. + Commercial support is available and provided by CISOfy. For more information use + the contact address on https://cisofy.com/contact/. @@ -119,7 +119,7 @@ this tool we have a commercial version available. Lynis Enterprise Suite uses Lynis to audit systems, but also provides malware scanning, intrusion detection and has additional guidance. For all features, please see our website: - http://cisofy.com/lynis-enterprise/ + https://cisofy.com/lynis-enterprise/ diff --git a/README.md b/README.md index b83144c6..6997db75 100644 --- a/README.md +++ b/README.md 
@@ -3,22 +3,30 @@ lynis Lynis - Security auditing and hardening tool, for Unix based systems -Lynis is an security auditing and hardening tool for Unix derivatives like Linux, BSD and Solaris. It performs -an in-depth security scan on the system to detect software and security issues. Besides information related to -security, it will also scan for general system information, installed packages, and possible configuration -issues. +Lynis is a security auditing for Unix derivatives like Linux, BSD, and Solaris. It performs an in-depth security scan +on the system to detect software and security issues. Besides information related to security, it will also scan for +general system information, installed packages, and possible configuration issues. We believe software should be simple, updated on a regular basis and open. You should be able to trust, understand, and even alter the software. Many agree with us, as the software is being used by thousands every day to protect their systems. -The software is aimed at assisting with automated auditing, configuration management, software patch management, -penetration testing, vulnerability management, and malware scanning of Unix-based systems. +Main goals: +- Automated security auditing +- Compliance testing +- Vulnerability management + +The software aims to also assist with: +- Configuration management +- Software patch management +- Penetration testing +- Malware scanning +- Intrusion detection License: - GPLv3 -Main audience: +Typical users of the software: - System administrators - Auditors - Security officers 
@@ -30,11 +38,11 @@ Main audience: 1. Clone or download the project files. No compilation or installation is required. 2. Execute: `./lynis audit system` -If you want to run the software as root, we suggest to alter the ownership of the files. Use chown -R and +If you want to run the software as root, we suggest altering the ownership of the files. Use chown -R and chgrp -R to recursively alter the owner and group. ## Documentation -See for full documentation https://cisofy.com/documentation/lynis/ +Full documentation: https://cisofy.com/documentation/lynis/ ## Flexibility For people who want to expand tests, it is suggested to use the tests_custom file (template in include directory). From c68d20ba2ce54de8d2fd59f8a4b9d107805dd743 Mon Sep 17 00:00:00 2001 From: mboelen Date: Wed, 15 Jul 2015 20:02:15 +0200 Subject: [PATCH 022/122] Minor grammar tweaks --- CONTRIBUTIONS.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/CONTRIBUTIONS.md b/CONTRIBUTIONS.md index ee21149f..19a17295 100644 --- a/CONTRIBUTIONS.md +++ b/CONTRIBUTIONS.md @@ -7,7 +7,7 @@ project can be found in our [GitHub repository](https://github.com/CISOfy/lynis) By submitting a [Pull Request](https://help.github.com/articles/using-pull-requests/) to this repository, you agree that you: -1. Own the contribution that you are providing, or have obtained permission from +1. Own the contribution that you are providing or have obtained permission from the contribution owner 2. Allow your contribution to be licensed under the license of the target 
@@ -26,6 +26,6 @@ computer software documentation in whole or in part, in any manner and for any purpose whatsoever, and to have or authorize others to do so. If you want to be named in as a contributor in the CONTRIBUTOR file, then include -this notition in your pull request (format: Full Name, with optional the company name -and/or your e-mail address). +this notition in your pull request. Preferred format: Full Name, with optional the +company name and/or your e-mail address). From 6857f015000e7890a8d7f4b2a1409c8c8aaf104b Mon Sep 17 00:00:00 2001 From: mboelen Date: Thu, 16 Jul 2015 17:02:15 +0200 Subject: [PATCH 023/122] Added LDAP configuration file location to report, and code cleanups --- include/tests_authentication | 220 ++--------------------------------- 1 file changed, 8 insertions(+), 212 deletions(-) diff --git a/include/tests_authentication b/include/tests_authentication index d5a5c8bd..402cc1f6 100644 --- a/include/tests_authentication +++ b/include/tests_authentication 
@@ -250,27 +250,6 @@ fi # ################################################################################# -# -# # Test : AUTH-9229 -# # Description : Check AIX password file consistency -# # Notes : Read only mode? -# if [ -x /usr/bin/usrck ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi -# Register --test-no AUTH-9229 --os AIX --preqs-met ${PREQS_MET} --weight L --network NO --description "Check password file consistency" -# if [ ${SKIPTEST} -eq 0 ]; then -# logtext "Test: Checking password file consistency (usrck)" -# FIND=`/usr/bin/usrck -n ALL 2>; echo $?` -# if [ "${FIND}" = "0" ]; then -# Display --indent 2 --text "- Checking password file consistency" --result OK --color GREEN -# logtext "Result: usrck finished didn't find problems" -# else -# Display --indent 2 --text "- Checking password file consistency" --result WARNING --color RED -# logtext "Result: usrck found one or more errors/warnings in the password file." -# ReportWarning ${TEST_NO} "M" "usrck found one or more errors/warnings in the password file" -# ReportSuggestion ${TEST_NO} "Run usrck manually and correct found issues." -# fi -# fi -# -################################################################################# # # Test : AUTH-9230 # Description : Check Solaris password file consistency 
@@ -291,47 +270,6 @@ fi # ################################################################################# -# -# # Test : AUTH-9231 -# # Description : Check HP-UX password file consistency -# # Notes : Read only mode? -# if [ -x /usr/sbin/pwck ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi -# Register --test-no AUTH-9231 --os HP-UX --preqs-met ${PREQS_MET} --weight L --network NO --description "Check password file consistency" -# if [ ${SKIPTEST} -eq 0 ]; then -# logtext "Test: Checking password file consistency (pwck)" -# FIND=`/usr/sbin/pwck 2> /dev/null; echo $?` -# if [ "${FIND}" = "0" ]; then -# Display --indent 2 --text "- Checking password file consistency" --result OK --color GREEN -# logtext "Result: pwck finished didn't find problems" -# else -# Display --indent 2 --text "- Checking password file consistency" --result WARNING --color RED -# logtext "Result: pwck found one or more errors/warnings in the password file." -# ReportWarning ${TEST_NO} "M" "pwck found one or more errors/warnings in the password file" -# ReportSuggestion ${TEST_NO} "Run pwck manually and correct found issues." 
-# fi -# fi -# -################################################################################# -# -# # Test : AUTH-9232 -# # Description : Check HP-UX group file consistency -# if [ -x /usr/sbin/grpck ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi -# Register --test-no AUTH-9232 --os HP-UX --preqs-met ${PREQS_MET} --weight L --network NO --description "Check password file consistency" -# if [ ${SKIPTEST} -eq 0 ]; then -# logtext "Test: Checking group file consistency (grpck)" -# FIND=`/usr/sbin/grpck 2> /dev/null; echo $?` -# if [ "${FIND}" = "0" ]; then -# Display --indent 2 --text "- Checking group file consistency" --result OK --color GREEN -# logtext "Result: grpck finished didn't find problems" -# else -# Display --indent 2 --text "- Checking group file consistency" --result WARNING --color RED -# logtext "Result: grpck found one or more errors/warnings in the group file." -# ReportWarning ${TEST_NO} "M" "grpck found one or more errors/warnings in the group file" -# ReportSuggestion ${TEST_NO} "Run grpck manually and correct found issues." -# fi -# fi -# -################################################################################# # # Test : AUTH-9234 # Description : Query user accounts @@ -434,23 +372,6 @@ fi # ################################################################################# -# - # Test : AUTH-9244 - # Description : Query NIS servers - #Register --test-no AUTH-9244 --weight L --network NO --description "Query NIS servers" - #if [ ${SKIPTEST} -eq 0 ]; then - #fi -# -################################################################################# -# - # Test : AUTH-9246 - # Description : Query NIS active - #Register --test-no AUTH-9246 --weight L --network NO --description "Query active NIS servers" - #if [ ${SKIPTEST} -eq 0 ]; then - #if - #grep '^+' /etc/passwd /etc/group -# -################################################################################# # # Test : AUTH-9250 # Description : Check for sudoers file 
@@ -515,65 +436,9 @@ fi # ################################################################################# -# -# # Test : AUTH-9255 -# # Description : Solaris test for unique UIDs -# Register --test-no AUTH-9255 --os Solaris --weight L --network NO --description "Solaris unique UIDs" -# if [ ${SKIPTEST} -eq 0 ]; then -# FIND=`logins -d | awk '{ print $1 }'` -# if [ "${FIND}" = "" ]; then -# logtext "Result: no duplicate accounts found, all accounts have an unique ID" -# Display --indent 2 --text "- Checking unique UIDs on Solaris" --result OK --color GREEN -# else -# for I in ${FIND}; do -# ReportWarning ${TEST_NO} "H" "Found passwordless account (${I})" -# done -# Display --indent 2 --text "- Checking unique UIDs on Solaris" --result WARNING --color RED -# fi -# fi -# -################################################################################# -# - # Test : AUTH-9260 [T] - # Description : Search for account lockout on Linux - # Notes : lib directory should be fixed -# Register --test-no AUTH-9260 --os Linux --weight L --network NO --description "Checking account lockout" -# if [ ${SKIPTEST} -eq 0 ]; then -# logtext "Test: searching for /lib/security/pam_tally.so" -# if [ -f /lib/security/pam_tally.so ]; then -# logtext "Result: /lib/security/pam_tally.so found" -# AddHP 1 1 -# Display --indent 2 --text "- Checking account lockout module (pam_tally)" --result FOUND --color GREEN -# if [ -f /etc/pam.d/system-auth ]; then -# logtext "Test: search for enable pam_tally module in system-auth, with a deny value higher than zero" -# FIND=`grep "account required" /etc/pam.d/system-auth | grep "pam_tally.so" | grep "deny=" | grep -v "deny=0"` -# if [ "${FIND}" = "" ]; then -# logtext "Result: pam_tally properly configured" -# logtext "Output: ${FIND}" -# AddHP 1 1 -# Display --indent 4 --text "- Checking lockout policy" --result FOUND --color GREEN -# else -# logtext "Result: pam_tally not (properly) configured" -# logtext "Output: ${FIND}" -# Display --indent 4 
--text "- Checking lockout policy" --result SUGGESTION --color YELLOW -# AddHP 0 1 -# ReportSuggestion ${TEST_NO} "Configure pam_tally in system-auth: account required /lib/security/pam_tally.so deny=3 no_magic_root reset" -# fi -# else -# logtext "Result: skipped, /etc/pam.d/system-auth not found" -# fi -# else -# logtext "Result: /lib/security/pam_tally.so not found" -# AddHP 0 1 -# Display --indent 2 --text "- Checking account lockout module (pam_tally)" --result "SUGGESTION" --color YELLOW -# ReportSuggestion ${TEST_NO} "Install a PAM module for account lockout to counter brute force attacks" -# fi -# -################################################################################# # # Test : AUTH-9262 # Description : Search for PAM password strength testing libraries - # Notes : YYY (combine with other PAM modules) Register --test-no AUTH-9262 --weight L --network NO --description "Checking presence password strength testing tools (PAM)" if [ ${SKIPTEST} -eq 0 ]; then FOUND=0 @@ -708,11 +573,6 @@ fi # ################################################################################# -# - # Test : AUTH-9270 - # Description : Audit PAM configuration files -# -################################################################################# # # Test : AUTH-9278 # Description : Search LDAP support in PAM files @@ -829,11 +689,6 @@ fi # ################################################################################# -# - # Test : AUTH-9292 - # Description : Check locked accounts (exclamation mark as first char in second column) -# -################################################################################# # # Test : AUTH-9304 # Description : Check if single user mode login is properly configured in Solaris 
@@ -944,12 +799,6 @@ fi # ################################################################################# -# - # Test : AUTH-9322 - # Description : Authentication time restrictions - # /etc/security/time.conf -# -################################################################################# # # Test : AUTH-9328 # Description : Check default umask in common files @@ -1027,7 +876,6 @@ logtext "Result: file /etc/passwd does not exist" fi - # /etc/login.defs logtext "Test: Checking /etc/login.defs" if [ -f /etc/login.defs ]; then @@ -1075,8 +923,7 @@ logtext "Result: file /etc/init.d/functions does not exist" fi - # /etc/init.d/rc [T] - # Always needed? (YYY) + # /etc/init.d/rc logtext "Test: Checking /etc/init.d/rc" if [ -f /etc/init.d/rc ]; then logtext "Result: file /etc/init.d/rc exists" @@ -1101,8 +948,7 @@ logtext "Result: file /etc/init.d/rc does not exist" fi - # /etc/init.d/rcS [T] - # Always needed? (YYY) + # /etc/init.d/rcS logtext "Test: Checking /etc/init.d/rcS" if [ -f /etc/init.d/rcS ]; then logtext "Result: file /etc/init.d/rcS exists" 
@@ -1187,36 +1033,6 @@ fi # ################################################################################# -# - # Test : AUTH-9342 [T] - # Description : AIX account locking - # Notes : /usr/sbin/lsuser -a logretries ALL - # should return ${ACCOUNT_MAX_RETRIES} or less for each user, but not 0 -# -################################################################################# -# - # Test : AUTH-9344 [T] - # Description : HP-UX account locking - # Notes : grep :u_maxtries# /tcb/files/auth/system/default - # should return ${ACCOUNT_MAX_RETRIES} or less, but not 0 -# -################################################################################# -# - # Test : AUTH-9348 [T] - # Description : Delay time after each failed login - # Notes : This control counters brute force attacking by delaying each - # attempt, while giving normal users to try typing in their - # account details after a reasonable delay - # Should return ${ACCOUNT_DELAY_TIME} or more - # (4 seconds would be good) - # AIX - # grep "logindelay" /etc/security/login.cfg - # Linux - # grep "FAIL_DELAY" /etc/login.defs - # HP-UX - # grep ":t_logdelay#" /tcb/files/auth/system/default -# -################################################################################# # # Test : AUTH-9402 # Description : Query LDAP authentication support 
@@ -1238,31 +1054,6 @@ fi # ################################################################################# -# - # Test : AUTH-9404 - # Description : Check LDAP client configuration -# if [ ${LDAP_AUTH_ENABLED} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi -# Register --test-no AUTH-9404 --preqs-met ${PREQS_MET} --weight L --network NO --description "Query LDAP servers in client configuration" -# if [ ${SKIPTEST} -eq 0 ]; then -# logtext "Test: checking ldap.conf locations" -# for I in ${LDAP_CONF_LOCATIONS}; do -# logtext "Test: checking ${I}" -# if [ -f ${I} ]; then -# logtext "Result: file ${I} exists" -# logtext "Test: checking LDAP servers in file ${I}" -# FIND2=`egrep "^host " ${I} | awk '{ print $2 }'` -# for I in ${FIND2}; do -# Display --indent 6 --text "LDAP server: ${I}" -# logtext "Result: found LDAP server ${I}" -# # YYY check if host(s) are reachable/respond to queries -# done -# else -# logtext "Result: ${I} does NOT exist" -# fi -# done -# fi -# -################################################################################# # # Test : AUTH-9406 # Description : Check LDAP servers in client configuration @@ -1273,12 +1064,14 @@ for I in ${LDAP_CONF_LOCATIONS}; do logtext "Test: checking ${I}" if [ -f ${I} ]; then - logtext "Result: file ${I} exists" + logtext "Result: file ${I} exists, LDAP being used" + LDAP_CLIENT_CONFIG_FILE="${I}" logtext "Test: checking LDAP servers in file ${I}" FIND2=`egrep "^host " ${I} | awk '{ print $2 }'` for I in ${FIND2}; do Display --indent 6 --text "LDAP server: ${I}" logtext "Result: found LDAP server ${I}" + report "ldap_server[]=${I}" # YYY check if host(s) are reachable/respond to queries done else @@ -1324,6 +1117,9 @@ report "ldap_auth_enabled=${LDAP_AUTH_ENABLED}" report "ldap_pam_enabled=${LDAP_PAM_ENABLED}" +if [ ! "${LDAP_CLIENT_CONFIG_FILE}" = "" ]; then + report "ldap_config_file=${LDAP_CLIENT_CONFIG_FILE}" +fi wait_for_keypress 
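Review bot: The inner `for I in ${FIND2}; do` loop in the AUTH-9406 hunk (@@ -1273) reuses the outer loop variable, so after the servers are iterated `I` no longer names the configuration file; the new `LDAP_CLIENT_CONFIG_FILE="${I}"` assignment only works because it happens before that loop, and any later use of `${I}` in the same iteration would see a hostname instead. Renaming the inner variable (`for J in ${FIND2}; do`, with the three `${I}` references inside it becoming `${J}`) removes the trap. The `awk '{ print $2 }'` extraction also appears to keep only the first token after `host`, so a line listing several servers would presumably report just one — worth confirming against the ldap.conf formats Lynis supports. The companion check in @@ -1324 relies on `LDAP_CLIENT_CONFIG_FILE` being empty when no file was found, so it should be initialised alongside LDAP_AUTH_ENABLED and LDAP_PAM_ENABLED (presumably in include/consts) rather than left unset. The enclosing test block starts and ends outside the hunk.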
From e06d706c837977f50d2ed93f7827c5595e9dbe79 Mon Sep 17 00:00:00 2001 From: mboelen Date: Wed, 22 Jul 2015 12:20:03 +0200 Subject: [PATCH 024/122] Optimizing code, cleaning up --- include/binaries | 30 ++++++++++++------------------ 1 file changed, 12 insertions(+), 18 deletions(-) diff --git a/include/binaries b/include/binaries index e2569613..ab8f67fe 100644 --- a/include/binaries +++ b/include/binaries @@ -14,7 +14,8 @@ # ################################################################################# # -# Check which tools are installed +# * Check which binaries and tools are installed +# * With the results a customized scan can be performed for every single system. # ################################################################################# # @@ -25,19 +26,14 @@ ################################################################################# # if [ ${CHECK_BINARIES} -eq 1 ]; then - InsertSection "System Tools" - # - ################################################################################# - # + InsertSection "System Tools" + Display --indent 2 --text "- Scanning available tools..." + logtext "Start scanning for available audit binaries and tools..." - Display --indent 2 --text "- Scanning available tools..." - logtext "Start scanning for available audit binaries and tools..." - - # Test : FILE-7502 - # Description : Check all system binaries - # Notes : Always perform test, dependency for many other tests - Register --test-no FILE-7502 --weight L --network NO --description "Check all system binaries" - #if [ ${SKIPTEST} -eq 0 ]; then + # Test : FILE-7502 + # Description : Check all system binaries + # Notes : Always perform test, dependency for many other tests + Register --test-no FILE-7502 --weight L --network NO --description "Check all system binaries" BINARY_PATHS_FOUND=""; N=0 Display --indent 2 --text "- Checking system binaries..." logtext "Status: Starting binary scan..." 
@@ -206,13 +202,11 @@ logtext "Discovered directories: ${BINARY_PATHS_FOUND}" report "binary_paths=${BINARY_PATHS_FOUND}" BINARY_SCAN_FINISHED=1 - #fi - - logtext "Result: found ${N} binaries" - report "binaries_count=${N}" + logtext "Result: found ${N} binaries" + report "binaries_count=${N}" else - logtext "Result: checking binaries skipped in this mode" + logtext "Result: checking of binaries skipped in this mode" fi # From 95d08a735a37d06e23c1bf9d290150c8178ad108 Mon Sep 17 00:00:00 2001 From: mboelen Date: Wed, 22 Jul 2015 12:20:27 +0200 Subject: [PATCH 025/122] Optimizing code, cleaning up --- include/consts | 89 ++++++++++++++++++-------------------------------- 1 file changed, 32 insertions(+), 57 deletions(-) diff --git a/include/consts b/include/consts index cd85acb9..d0d2b2c9 100644 --- a/include/consts +++ b/include/consts @@ -18,10 +18,7 @@ ################################################################################# # -# Program information - # Paths where system and program binaries are located -# Includes Sun Solaris dirs BINPATHS="/bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin \ /usr/local/libexec /usr/libexec /usr/sfw/bin /usr/sfw/sbin \ /usr/sfw/libexec /opt/sfw/bin /opt/sfw/sbin /opt/sfw/libexec \ 
@@ -29,31 +26,9 @@ BINPATHS="/bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin \ /usr/pkg/bin /usr/pkg/sbin" # Do not use specific language, fall back to default +# Some tools with translated strings are very hard to parse unset LANG -# -################################################################################# -# -# Deprecated -# -################################################################################# -# - HOME_HISTORY_AUDIT_TITLE="Incorrect history file types" - HOME_HISTORY_AUDIT_DESCRIPTION="" - - HOME_HISTORY_LOG_TITLE="History files type check" - HOME_HISTORY_LOG_DESCRIPTION="History files type check" - HOME_HISTORY_LOG_TEXT="History files are normally of the type 'file'. Symbolic links and other types can be riskful" - - HOME_PATH_LOG_MESSAGE="A single dot in the PATH variable of a user can be a risk, while executing commands in for example a home directory." - - USER_PASSWD_DOUBLEUID_AUDIT_TITLE="Non unique UIDs" - USER_PASSWD_DOUBLEUID_AUDIT_DESCRIPTION="Non unique UIDs in passwd file" - USER_PASSWD_DOUBLEUID_AUDIT_TEXT="Non unique UIDs can riskful for the system or part of a configuration mistake" - - KERNEL_ACTIVE_MODULES_TITLE="Active kernel modules (KLDs)" - KERNEL_ACTIVE_MODULES_DESCRIPTION="View all active kernel modules (including kernel)" - KERNEL_ACTIVE_MODULES_TEXT="Displays the loaded kernel modules in memory. Make sure to check the integrity of the kld tools." # ################################################################################# # 
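Review bot: `unset LANG` does not guarantee the fallback the new comment promises, because `LC_ALL` and the `LC_*` variables take precedence over `LANG`; if either is set in the caller's environment, the tools Lynis parses will still emit translated output and the string matching in the tests can silently miss findings. Forcing the locale is more reliable: `LC_ALL=C; export LC_ALL`. If the intent is to keep the user's environment untouched for everything else, the comment should at least say that only `LANG` is cleared and why.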
@@ -147,29 +122,29 @@ unset LANG # ################################################################################# # -# == Options == +# * Options # -# Option Description -# -------------------------------------------------------------------------- - CRONJOB=0 # Run as a cronjob - CTESTS_PERFORMED=0 # Number of tests which are performed +################################################################################# +# + CRONJOB=0 # Run as a cronjob + CTESTS_PERFORMED=0 # Number of tests which are performed DEBUG=0 # Debugging mode (to screen) HPPOINTS=0 # Number of hardening points HPTOTAL=0 # Maximum number of hardening points - LOG_INCORRECT_OS=1 # Log tests with incorrect OS - NEVERBREAK=0 # Don't wait for user input + LOG_INCORRECT_OS=1 # Log tests with incorrect OS + NEVERBREAK=0 # Don't wait for user input PENTESTINGMODE=0 # Try tests without root privileges - QUICKMODE=0 # Don't wait for user input - QUIET=0 # Show normal messages and warnings as well - SHOW_TOOL_TIPS=1 # Show inline tool tips (default true) - SKIPLOGTEST=0 # Skip logging for one test - SKIP_UPGRADE_TEST=0 # Skip upgrade test - TESTS_TO_PERFORM="" # Which tests only to perform - TEST_PAUSE_TIME=0 # Default pause time - TOTAL_TESTS=0 # Total amount of tests (counter) + QUICKMODE=0 # Don't wait for user input + QUIET=0 # Show normal messages and warnings as well + SHOW_TOOL_TIPS=1 # Show inline tool tips (default true) + SKIPLOGTEST=0 # Skip logging for one test + SKIP_UPGRADE_TEST=0 # Skip upgrade test + TESTS_TO_PERFORM="" # Which tests only to perform + TEST_PAUSE_TIME=0 # Default pause time + TOTAL_TESTS=0 # Total amount of tests (counter) UPLOAD_DATA=0 # Upload of data to central node - VIEWHELP=0 # Show help - WRONGOPTION=0 # A wrong option is used + VIEWHELP=0 # Show help + WRONGOPTION=0 # A wrong option is used # ################################################################################# # 
@@ -178,24 +153,24 @@ unset LANG # ################################################################################# # -# Colors +# * Colors +# +# For improved display # ################################################################################# # -# Color name Description -# -------------------------------------------------------------------------- - NORMAL="" - WARNING="" # Bad (red) - SECTION="" # Section (yellow) - NOTICE="" # Notice (yellow) - OK="" # Ok (green) - BAD="" # Bad (red) + NORMAL="" + WARNING="" # Bad (red) + SECTION="" # Section (yellow) + NOTICE="" # Notice (yellow) + OK="" # Ok (green) + BAD="" # Bad (red) - # Real color names - YELLOW="" # Yellow - WHITE="" # White - GREEN="" # Green - RED="" # Red + # Normal color names + YELLOW="" + WHITE="" + GREEN="" + RED="" PURPLE="" MAGENTA="" BROWN="" From afaecd951297d2ad14266448f608668e7621bc50 Mon Sep 17 00:00:00 2001 From: mboelen Date: Wed, 22 Jul 2015 12:21:36 +0200 Subject: [PATCH 026/122] Removing deprecated strings and cleaning up --- include/tests_accounting | 49 ++---------------------------------- include/tests_authentication | 6 ++--- include/tests_homedirs | 2 +- include/tests_kernel | 4 +-- 4 files changed, 7 insertions(+), 54 deletions(-) diff --git a/include/tests_accounting b/include/tests_accounting index d32f4b33..146b7589 100644 --- a/include/tests_accounting +++ b/include/tests_accounting @@ -5,8 +5,8 @@ # Lynis # ------------------ # -# Copyright 2007-2015, Michael Boelen (michael@rootkit.nl), The Netherlands -# Web site: http://www.rootkit.nl +# Copyright 2007-2015, Michael Boelen (michael.boelen@cisofy.com) +# Web site: https://cisofy.com # # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are # welcome to redistribute it under the terms of the GNU General Public License. 
@@ -326,15 +326,6 @@ fi # ################################################################################# -# - # Test : ACCT-9658 - # Description : Check required audit files in /etc/security - #if [ ${SOLARIS_AUDITD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi - #Register --test-no ACCT-9658 --os Solaris --preqs-met ${PREQS_MET} --weight L --network NO --description "Check required audit files" - #if [ ${SKIPTEST} -eq 0 ]; then - #fi -# -################################################################################# # # Test : ACCT-9662 # Description : Check location for audit events @@ -367,22 +358,6 @@ fi # ################################################################################# -# - # Test : ACCT-96xx - # Description : Check which events are audited - #if [ ${SOLARIS_AUDITD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi - #Register --test-no ACCT-96xx --os Solaris --preqs-met ${PREQS_MET} --weight L --network NO --description "Check BSM auditing in module list" - #if [ ${SKIPTEST} -eq 0 ]; then -# -################################################################################# -# - # Test : ACCT-96xx - # Description : Check user specific event auditing - #if [ ${SOLARIS_AUDITD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi - #Register --test-no ACCT-96xx --os Solaris --preqs-met ${PREQS_MET} --weight L --network NO --description "Check user specific event auditing" - #if [ ${SKIPTEST} -eq 0 ]; then -# -################################################################################# # # Test : ACCT-9672 # Description : check auditstat 
@@ -405,26 +380,6 @@ ################################################################################# # - # Test : ACCT-9680 - # Description : Check if required packages are installed - #if [ ${SOLARIS_AUDITD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi - #Register --test-no ACCT-9662 --os Solaris --preqs-met ${PREQS_MET} --weight L --network NO --description "Check BSM auditing in module list" - #if [ ${SKIPTEST} -eq 0 ]; then - # - # Solaris 10 packages - # bash-3.00# pkginfo | egrep 'SUNWcar|SUNWcsr|SUNWcsu|SUNWhea|SUNWman' - #system SUNWcar Core Architecture, (Root) - #system SUNWcsr Core Solaris, (Root) - #system SUNWcsu Core Solaris, (Usr) - #system SUNWhea SunOS Header Files - #system SUNWman On-Line Manual Pages - -# -################################################################################# -# -# Check psacct package (ac, lastcomm, accton, sa) -# Check auditd (auditctl, ausearch, aureport) - wait_for_keypress # diff --git a/include/tests_authentication b/include/tests_authentication index 402cc1f6..442e20ab 100644 --- a/include/tests_authentication +++ b/include/tests_authentication @@ -58,10 +58,8 @@ # # Test : AUTH-9208 # Description : Check non-unique accounts - Register --test-no AUTH-9208 --weight L --network NO --description "Check non-unique accounts" + Register --test-no AUTH-9208 --weight L --network NO --description "Check non-unique accounts in passwd file" if [ ${SKIPTEST} -eq 0 ]; then - logtext "Test: ${USER_PASSWD_DOUBLEUID_AUDIT_TITLE}" - logtext "Description: ${USER_PASSWD_DOUBLEUID_AUDIT_DESCRIPTION}" logtext "Test: Checking for non-unique accounts" if [ "${OS}" = "DragonFly" -o "${OS}" = "FreeBSD" -o "${OS}" = "NetBSD" ]; then PASSWD_FILE="/etc/master.passwd" 
@@ -84,7 +82,7 @@ Display --indent 2 --text "- Checking UIDs" --result SKIPPED --color WHITE logtext "Result: test skipped, ${PASSWD_FILE} file not available" fi - logtext "Remarks: ${USER_PASSWD_DOUBLEUID_AUDIT_TEXT}" + logtext "Remarks: Non unique UIDs can riskful for the system or part of a configuration mistake" fi # ################################################################################# diff --git a/include/tests_homedirs b/include/tests_homedirs index 7afe5068..81127eb8 100644 --- a/include/tests_homedirs +++ b/include/tests_homedirs @@ -69,7 +69,7 @@ logtext "Info: above files could be redirected files to avoid logging and should be investigated" ReportWarning ${TEST_NO} "M" "Incorrect file type found for shell history file" fi - logtext "Remarks: ${HOME_HISTORY_LOG_TEXT}" + logtext "Remarks: History files are normally of the type 'file'. Symbolic links and other types can be riskful." else Display --indent 2 --text "- Checking shell history files" --result SKIPPED --color WHITE logtext "Result: Homedirs is empty, test will be skipped" diff --git a/include/tests_kernel b/include/tests_kernel index 4a5f437a..a7cb4a91 100644 --- a/include/tests_kernel +++ b/include/tests_kernel @@ -286,8 +286,8 @@ Register --test-no KRNL-5745 --os FreeBSD --weight L --network NO --description "Checking FreeBSD loaded kernel modules" if [ ${SKIPTEST} -eq 0 ]; then Display --indent 2 --text "- Checking active kernel modules" - logtext "Test: ${KERNEL_ACTIVE_MODULES_TITLE}" - logtext "Description: ${KERNEL_ACTIVE_MODULES_DESCRIPTION}" + logtext "Test: Active kernel modules (KLDs)" + logtext "Description: View all active kernel modules (including kernel)" logtext "Test: Checking modules" if [ -f /sbin/kldstat ]; then FIND=`kldstat | grep -v 'Name' | tr -s ' ' | cut -d ' ' -f6` From fd5c968d16d8ac541d4647a9c9ab2caf103a1b68 Mon Sep 17 00:00:00 2001 
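Review bot: The inlined remark in the AUTH-9208 hunk drops a verb and uses a non-standard word, which now lands verbatim in the audit log: `logtext "Remarks: Non-unique UIDs can be risky for the system or indicate a configuration mistake"` reads correctly. The tests_homedirs hunk inlines the same "riskful" wording (`Symbolic links and other types can be risky`), so both should be fixed together since the constants they came from are deleted in this commit.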
From: mboelen Date: Wed, 22 Jul 2015 13:44:30 +0200 Subject: [PATCH 027/122] Cleaning up some lines --- include/functions | 11 ++++------- 1 file changed, 4 insertions(+), 7 deletions(-) diff --git a/include/functions b/include/functions index 2245bc80..d2db98ce 100644 --- a/include/functions +++ b/include/functions @@ -5,8 +5,8 @@ # Lynis # ------------------ # -# Copyright 2007-2015, Michael Boelen - CISOfy -# https://cisofy.com +# Copyright 2007-2015, Michael Boelen - CISOfy (michael.boelen@cisofy.com) +# Website: https://cisofy.com # # This software is licensed under GPL, version 3. See LICENSE file for # usage of this software. @@ -132,7 +132,6 @@ # Check updates CheckUpdates() { - # Possible improvement: determine if host binary exists YYY PROGRAM_LV="0000000000"; DB_MALWARE_LV="0000000000"; DB_FILEPERMS_LV="0000000000" LYNIS_LV_RECORD="lynis-latest-version.cisofy.com." FIND=`which dig 2> /dev/null` @@ -352,8 +351,6 @@ fi fi - # YYY check group ownership (just in case) - # Check if we have the read bit if [ "${OTHERPERMS}" = "r" ]; then CANREAD=1 @@ -824,12 +821,12 @@ NGINX_EXPIRES_FOUND=1 ;; error_log) - # YYY Check if debug is appended + # Check if debug is appended FIND=`echo ${VALUE} | awk '{ if ($2=="debug") { print 1 } else { print 0 }}'` if [ ${FIND} -eq 1 ]; then NGINX_ERROR_LOG_DEBUG=1 fi - # YYY Check if file exists + # Check if log file exists FILE=`echo ${VALUE} | awk '{ print $1 }'` if [ ! "${FILE}" = "" ]; then if [ ! -f ${FILE} ]; then From 2b1061ef14687d1c1d24c38a73c14bf4f6973d19 Mon Sep 17 00:00:00 2001 From: mboelen Date: Wed, 22 Jul 2015 13:47:44 +0200 Subject: [PATCH 028/122] Added suggestions for Solaris auditing --- include/tests_accounting | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/include/tests_accounting b/include/tests_accounting index 146b7589..5c3bda3c 100644 --- a/include/tests_accounting +++ b/include/tests_accounting 
@@ -344,12 +344,13 @@ Display --indent 4 --text "- Checking Solaris audit location" --result FOUND --color GREEN else logtext "Result: location ${FIND} does not exist" - # YYY perform manual audit - Display --indent 4 --text "- Checking Solaris audit location" --result UNKNOWN --color YELLOW + Display --indent 4 --text "- Checking Solaris audit location" --result "NOT FOUND" --color YELLOW + ReportSuggestion "${TEST_NO}" "Check if the Solaris audit directory is available" fi else logtext "Result: unknown event location" Display --indent 4 --text "- Checking Solaris audit location" --result UNKNOWN --color YELLOW + ReportSuggestion "${TEST_NO}" "Check if the Solaris audit directory is properly configured" fi else logtext "Result: could not find /etc/security/audit_control" From 8f9a61685457c92bbce9eb095b01cb0ddbfc1033 Mon Sep 17 00:00:00 2001 From: mboelen Date: Wed, 22 Jul 2015 14:26:25 +0200 Subject: [PATCH 029/122] Add more descriptive text to the template --- include/tests_custom.template | 37 +++++++++++++++++++++++++++-------- 1 file changed, 29 insertions(+), 8 deletions(-) diff --git a/include/tests_custom.template b/include/tests_custom.template index 14c6ae75..900d7711 100644 --- a/include/tests_custom.template +++ b/include/tests_custom.template 
@@ -29,25 +29,46 @@ ################################################################################# # # Test : CUST-0010 + # Author : Your name # Description : Check for something interesting - template - # This test first checks if OpenSSL binary was found + # Notes : This test first checks if OpenSSL binary was found + + # * Prerequisites check + # + # We check first if a variable is defined (OPENSSLBINARY). + # Other good options to check for: + # -f /etc/file + # -d /var/run/mydirectory + # ${MYVARIABLE} -eq 1 if [ ! -z "${OPENSSLBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi - Register --test-no CUST-0010 --preqs-met ${PREQS_MET} --weight L --network NO --description "My description" + + # * Test registration + # + # Register the test, with custom ID CUST-0010, and only execute it when the prerequisites were met + Register --test-no CUST-0010 --preqs-met ${PREQS_MET} --weight L --network NO --description "My description of what this test does" + # Or you could use this one without any dependencies # Register --test-no CUST-0010 --weight L --network NO --description "My description" + + # If everything is fine, perform test if [ ${SKIPTEST} -eq 0 ]; then FOUND=0 logtext "Test: checking something" - ReportWarning ${TEST_NO} "M" "Test warning" if [ ${FOUND} -eq 0 ]; then - Display --indent 4 --text "- Performing custom test 1" --result OK --color GREEN - logtext "Result: the test looks great!" + Display --indent 4 --text "- Performing custom test" --result OK --color GREEN + logtext "Result: the test result looks great!" + + # Optional: create a suggestion after a specific finding + #ReportSuggestion "${TEST_NO}" "This is my suggestion to improve the system even further." + else - Display --indent 4 --text "- Performing custom test 1" --result WARNING --color RED - logtext "Result: hmm bad result of this test :(" - ReportSuggestion ${TEST_NO} "This could be better!" 
+ Display --indent 4 --text "- Performing custom test" --result WARNING --color RED + logtext "Result: this test had a bad result :(" + # Throw a warning to the screen and report + ReportWarning ${TEST_NO} "M" "This is a warning message" fi fi + # ################################################################################# # From 17c44ced52c7d503e78ab52034d20dcfa010b8d4 Mon Sep 17 00:00:00 2001 From: mboelen Date: Wed, 22 Jul 2015 14:57:57 +0200 Subject: [PATCH 030/122] Include examples and clarify usage --- include/tests_custom.template | 27 ++++++++++++++++----------- 1 file changed, 16 insertions(+), 11 deletions(-) diff --git a/include/tests_custom.template b/include/tests_custom.template index 900d7711..73cbc9ff 100644 --- a/include/tests_custom.template +++ b/include/tests_custom.template 
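Review bot: The added `ReportWarning ${TEST_NO} "M" "This is a warning message"` leaves `${TEST_NO}` unquoted while the `ReportSuggestion "${TEST_NO}"` example added a few lines earlier in the same hunk quotes it; since this file is the template that custom tests are copied from, it should show one form consistently, `ReportWarning "${TEST_NO}" "M" "This is a warning message"`. The same applies to the commented-out ReportSuggestion example, which is the one users will uncomment.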
@@ -33,22 +33,27 @@ # Description : Check for something interesting - template # Notes : This test first checks if OpenSSL binary was found - # * Prerequisites check + # * Prerequisites Check + # ----------------------- # - # We check first if a variable is defined (OPENSSLBINARY). - # Other good options to check for: - # -f /etc/file - # -d /var/run/mydirectory - # ${MYVARIABLE} -eq 1 - if [ ! -z "${OPENSSLBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + # Check first if any dependency. If it doesn't meet, the test will be skipped after registration (SKIPTEST == 1) + # + # Examples: + # -f /etc/file = Test if file exists + # -d /var/run/mydirectory = Test if directory exists + # ${MYVARIABLE} -eq 1 = Test if variable is set to 1 + # "${MYVARIABLE}" = "Value" = Test if variable is equal to specific value - # * Test registration + if [ -f /etc/myfile ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + + # * Registration of Test + # ------------------------ # # Register the test, with custom ID CUST-0010, and only execute it when the prerequisites were met - Register --test-no CUST-0010 --preqs-met ${PREQS_MET} --weight L --network NO --description "My description of what this test does" + Register --test-no CUST-0010 --preqs-met ${PREQS_MET} --weight L --network NO --description "Description of what this test does" - # Or you could use this one without any dependencies - # Register --test-no CUST-0010 --weight L --network NO --description "My description" + # Or we could use this test without any dependencies + # Register --test-no CUST-0010 --weight L --network NO --description "Description of what this test does" # If everything is fine, perform test if [ ${SKIPTEST} -eq 0 ]; then From 13c8de88a67e4513c53483f67610e190e54065ee Mon Sep 17 00:00:00 2001 From: mboelen Date: Wed, 22 Jul 2015 16:27:17 +0200 Subject: [PATCH 031/122] Changes to release version 2.1.1 --- lynis | 11 ++++------- 1 file changed, 4 insertions(+), 7 deletions(-) 
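Review bot: The prerequisites line now tests `-f /etc/myfile`, but the context line `# Notes : This test first checks if OpenSSL binary was found` at the top of the hunk still describes the OPENSSLBINARY check that this hunk removes, so the template documents a condition it no longer performs; change it to `# Notes : This test first checks if /etc/myfile exists`. In the examples list, `${MYVARIABLE} -eq 1` makes `[ ]` fail with a unary-operator error when the variable is unset or empty, which a copied test would hit on every host where the variable is never initialised; the string form on the next example line, `"${MYVARIABLE}" = "1"`, is the safe pattern, or the comment should say the variable must be set first.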
diff --git a/lynis b/lynis index 3ca57f7d..c67b4ac1 100755 --- a/lynis +++ b/lynis @@ -6,7 +6,7 @@ # ------------------ # # Copyright 2007-2015 Michael Boelen, CISOfy (michael.boelen@cisofy.com) -# Website: https://cisofy.com +# Web site: https://cisofy.com # # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are # welcome to redistribute it under the terms of the GNU General Public License. @@ -23,7 +23,7 @@ # Program information PROGRAM_name="Lynis" PROGRAM_version="2.1.1" - PROGRAM_releasedate="27 May 2015" + PROGRAM_releasedate="22 July 2015" PROGRAM_author="CISOfy" PROGRAM_author_contact="lynis-dev@cisofy.com" PROGRAM_website="https://cisofy.com" @@ -305,10 +305,10 @@ echo " ${YELLOW}Note: ${WHITE}Cancelling the program can leave temporary files behind${NORMAL}" echo "" wait_for_keypress + # Deleting temporary files + # Note: Display function does not work yet at this point if [ -f lynis.pid ]; then rm -f lynis.pid; fi if [ -f /var/run/lynis.pid ]; then rm -f /var/run/lynis.pid; fi - #YYY Display function not working yet from here, due to OS detection - #Display --indent 2 --text "- Deleting old PID file..." --result DONE --color GREEN fi # Create new PID file (use work directory if /var/run is not available) @@ -499,7 +499,6 @@ echo " Report file: ${REPORTFILE}" echo " Report version: ${REPORT_version}" echo " Plugin directory: ${PLUGINDIR}" - #echo " Database directory: ${DBDIR}" echo " ---------------------------------------------------" fi @@ -522,9 +521,7 @@ logtext "-----------------------------------------------------" logtext "Include directory: ${INCLUDEDIR}" logtext "Plugin directory: ${PLUGINDIR}" - logtext "Database directory: ${DBDIR}" logtextbreak - #wait_for_keypress # ################################################################################# From 1775590ba70ce52d6362141e395ecc1e80ddc4fa Mon Sep 17 00:00:00 2001 
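Review bot: `PROGRAM_releasedate` moves from 27 May to 22 July 2015 while `PROGRAM_version="2.1.1"` on the context line directly above it is unchanged, so if the May build was ever distributed, two different code bases now report the same version string and cannot be told apart by that value. If that is the case the version (or a patch level) should be bumped together with the date; if the May date was only a placeholder for an unreleased build, a sentence in the commit description saying so would remove the ambiguity.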
From: mboelen Date: Wed, 22 Jul 2015 16:27:39 +0200 Subject: [PATCH 032/122] Updated documentation --- CONTRIBUTORS | 12 +++++++++--- FAQ | 25 +++++++++++++------------ README | 11 +++++++---- 3 files changed, 29 insertions(+), 19 deletions(-) diff --git a/CONTRIBUTORS b/CONTRIBUTORS index f90af8f3..015e55ba 100644 --- a/CONTRIBUTORS +++ b/CONTRIBUTORS @@ -1,16 +1,22 @@ ================================================================================ - Lynis - CONTRIBUTIONS + Lynis - CONTRIBUTORS ================================================================================ The Lynis project is very thankful for the following individuals who - contributed to the project. They invested time and effort to report issues - and send in related patches to improve the software and other components. + contributed to the project. ================================================================================ + Want to contribute as well? Here are some suggestions: + + - New tests for your favorite daemons + - Report (unexpected) screen errors + - Missing results + - Check for grammar issues + [+] Patches, bug fixes and suggestions ------------------------------------------ diff --git a/FAQ b/FAQ index 21bad933..858bddfd 100644 --- a/FAQ +++ b/FAQ @@ -7,9 +7,11 @@ Author: Michael Boelen (michael.boelen@cisofy.com) Description: Security and system auditing tool - Website: https://cisofy.com/lynis/ + Web site: https://cisofy.com/lynis/ + GitHub: https://github.com/CISOfy/lynis + Support address: lynis-dev@cisofy.com Development: May 2007 - Now - Suppor: See README file and https://cisofy.com/support/ + Support: See README file and https://cisofy.com/support/ Documentation: See web site, README, FAQ and CHANGELOG file ================================================================================ 
@@ -18,9 +20,9 @@ ------------------------------- Q: I don't understand the program (output), what to do? - A: Keep reading this FAQ, then continue with reading the README file, followed - by the log file (default: /var/log/lynis.log). After those sources, check - the documentation on the website. + A: Keep reading this FAQ. Also useful are the README file and the log file + (default: /var/log/lynis.log). Or check out the documentation on the + website: https://cisofy.com/support/ Q: I can't find any configuration file for Lynis, where is it? A: There isn't one (currently), since all options are available as command @@ -30,11 +32,10 @@ Q: Why is there no port/package for my operating system? A: Because there is no maintainer for it yet. If you have the time to keep - the port/package current for your preferred operating system, fill in the - contact form to notify me and confirm no one else is working on it. + the port/package current for your preferred operating system, let us know. Q: What to do with the report files? - A: The output could be used for monitoring (baseline checks). For user of the + A: The output could be used for monitoring (baseline checks). For users of the Lynis Enterprise Suite, they will be used to upload data. @@ -42,7 +43,7 @@ [+] Bugs or issues ------------------------------- Q: Where can I report an issue or bug? - A: Use the developer e-mail address lynis-dev@cisofy.com + A: GitHub, or use the developer e-mail address lynis-dev@cisofy.com 
@@ -72,12 +73,12 @@ invoke Lynis (example: bash lynis -c). Q: One or more tests are giving incorrect output. How to solve that? - A: Check the log file. If that also has incorrect data, fill in the contact - form and describe the issue. + A: Check the log file. If that also has incorrect data, let us know via GitHub + or the developer e-mail address. Q: The program takes long to complete and also uses too much resources. Can it be tuned? - A: The time it takes to complete is depends on the amount of tests to run. + A: The time it takes to complete depends on the amount of tests to run. However the resources it take can be slighty lowered by increasing the pause_between_tests profile option. Keep in mind this increases the total length of the scan to complete. diff --git a/README b/README index 105d0a30..debc1002 100644 --- a/README +++ b/README @@ -15,11 +15,14 @@ ================================================================================ - == The website contains up-to-date documentation == + *** NOTE *** + + The website contains the latest documentation See https://cisofy.com/documentation/lynis/ + [+] Introduction ------------------------------- @@ -46,7 +49,7 @@ - License: GPL v3 - Language: Shell script - Author: Michael Boelen, CISOfy - - Website: https://cisofy.com + - Web site: https://cisofy.com - Required permissions: root preferred, not needed - Other requirements: write access to /tmp @@ -91,8 +94,8 @@ ------------------------------- If you have input to improve Lynis, let us know via: - - GitHub - https://github.com/CISOfy/lynis - - E-mail - lynis-dev@cisofy.com + * GitHub - https://github.com/CISOfy/lynis + * E-mail - lynis-dev@cisofy.com Contributions are appreciated and can be done via GitHub. See CONTRIBUTIONS.md for more information about how to submit them. From 66fb36959339c2b6b4594ca11ffdb0e279164e50 Mon Sep 17 00:00:00 2001 
From: mboelen Date: Wed, 22 Jul 2015 16:28:11 +0200 Subject: [PATCH 033/122] Copyright line changes and cleanups --- include/tests_authentication | 41 +------------------- include/tests_banners | 20 ---------- include/tests_boot_services | 58 +---------------------------- include/tests_containers | 1 - include/tests_crypto | 1 - include/tests_insecure_services | 15 ++------ include/tests_kernel | 8 +--- include/tests_kernel_hardening | 6 +-- include/tests_ldap | 6 +-- include/tests_logging | 11 +----- include/tests_mac_frameworks | 24 ++++-------- include/tests_mail_messaging | 66 ++------------------------------- include/tests_malware | 40 +++++++------------- include/tests_memory_processes | 19 ++-------- include/tests_nameservices | 9 ++--- include/tests_networking | 28 +++----------- include/tests_php | 30 ++------------- include/tests_ports_packages | 55 ++------------------------- 18 files changed, 60 insertions(+), 378 deletions(-) diff --git a/include/tests_authentication b/include/tests_authentication index 442e20ab..b00ef5ad 100644 --- a/include/tests_authentication +++ b/include/tests_authentication @@ -389,7 +389,6 @@ if [ ${FOUND} -eq 1 ]; then logtext "Result: sudoers file found (${SUDOERS_FILE})" Display --indent 2 --text "- Checking sudoers file" --result FOUND --color GREEN - # YYY add more tests to audit sudoers file else logtext "Result: sudoers file NOT found" Display --indent 2 --text "- Checking sudoers file" --result "NOT FOUND" --color YELLOW @@ -590,7 +589,6 @@ else logtext "Result: LDAP module not found" Display --indent 2 --text "- Checking LDAP module in PAM" --result "NOT FOUND" --color WHITE - # YYY display message when ldap is enabled in /etc/passwd, but not found in PAM fi else logtext "Result: file /etc/pam.d/common-auth not found, skipping test" 
@@ -673,7 +671,6 @@ logtext "Test: Checking PASS_MAX_DAYS option in /etc/login.defs " FIND=`grep "^PASS_MAX_DAYS" /etc/login.defs | awk '{ if ($1=="PASS_MAX_DAYS") { print $2 } }'` if [ "${FIND}" = "" -o "${FIND}" = "99999" ]; then - # YYY check if LDAP is used with password policies logtext "Result: password aging limits are not configured" Display --indent 2 --text "- Checking user password aging" --result DISABLED --color YELLOW ReportSuggestion ${TEST_NO} "Configure password aging limits to enforce password changing on a regular base" @@ -690,7 +687,7 @@ # # Test : AUTH-9304 # Description : Check if single user mode login is properly configured in Solaris - # Notes : sulogin should be called from svm script (Solaris <10) in /etc/rcS.d (YYY) + # Notes : sulogin should be called from svm script (Solaris <10) in /etc/rcS.d Register --test-no AUTH-9304 --os Solaris --weight L --network NO --description "Check single user login configuration" if [ ${SKIPTEST} -eq 0 ]; then # Check if file exists (Solaris 10 does not have this file by default) @@ -791,7 +788,6 @@ AddHP 2 2 fi else - # YYY logtext "Result: No inittab or init file found, unsure if system is protected" fi fi @@ -1070,7 +1066,6 @@ Display --indent 6 --text "LDAP server: ${I}" logtext "Result: found LDAP server ${I}" report "ldap_server[]=${I}" - # YYY check if host(s) are reachable/respond to queries done else logtext "Result: ${I} does NOT exist" 
@@ -1079,38 +1074,6 @@ fi # ################################################################################# -# - # Test : AUTH-92xx - # Description : login.access checks - #Register --test-no AUTH-92xx --weight L --network NO --description "login.access checks" -# -################################################################################# -# -# pam_unix.so -# pam_cracklib.so -# pam_pwcheck.so -# pam_env.so -# pam_xauth.so -# pam_tally.so -# pam_wheel.so -# pam_limits.so -# pam_nologin.so -# pam_deny.so -# pam_securetty.so -# pam_time.so -# pam_access.so -# pam_listfile.so -# pam_lastlog.so -# pam_warn.so -# pam_console.so -# pam_resmgr.so -# pam_devperm.so -# -################################################################################# -# -# sudoers: Check for potential harmful commands like vi, echo, cat -# -################################################################################# # report "ldap_auth_enabled=${LDAP_AUTH_ENABLED}" @@ -1123,4 +1086,4 @@ wait_for_keypress # #================================================================================ -# Lynis - Copyright 2007-2015, CISOfy - https://cisofy.com +# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com diff --git a/include/tests_banners b/include/tests_banners index 610f7cae..96e3998e 100644 --- a/include/tests_banners +++ b/include/tests_banners 
@@ -221,29 +221,9 @@ # ################################################################################# # -# /etc/dt/config/*/Xresources -# /etc/default/telnetd (telnet without TCP wrappers) -# /etc/default/ftpd (ftp without TCP wrappers) -# /etc/ftpd/banner.msg (ftp without TCP wrappers on Solaris) -# /etc/ftpaccess (HP-UX) -# /etc/ftpmotd (AIX) -# /etc/ftpaccess.ctl (AIX) -# /etc/security/login.cfg (AIX) -# /etc/X11/xdm/Xresources -# /etc/X11/xdm/kdmrc -# /etc/X11/gdm/gdm -# /etc/vsftpd.conf -# -################################################################################# -# wait_for_keypress -# -################################################################################# -# -# Notes: -# HPUX: /etc/copyright # #================================================================================ # Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com diff --git a/include/tests_boot_services b/include/tests_boot_services index 972855e8..5ce609f8 100644 --- a/include/tests_boot_services +++ b/include/tests_boot_services @@ -144,9 +144,6 @@ GRUBCONFFILE="/boot/grub2/grub.cfg" fi logtext "Result: found GRUB2 configuration file (${GRUBCONFFILE})" - # YYY password check, when documentation of GRUB2 project is improved - # YYY Add check permission check (600) - fi # Some OSes like Gentoo do not have /boot mounted by default @@ -263,7 +260,6 @@ logtext "Result: LILO password option set" AddHP 4 4 fi - #YYY (making /etc/lilo.conf immutable is a good idea, chattr +i /etc/lilo.conf) else logtext "Result: can not read ${LILOCONFFILE} (no permission)" fi @@ -318,7 +314,6 @@ if [ -f /etc/yaboot.conf ]; then logtext "Result: Found YABOOT configuration file (/etc/yaboot.conf)" Display --indent 4 --text "- Checking boot loader YABOOT" --result FOUND --color GREEN - #YYY add permission check BOOT_LOADER="YABOOT" BOOT_LOADER_FOUND=1 else 
@@ -397,11 +392,6 @@ fi # ################################################################################# -# - # Test : BOOT-5166 - # Description : Check for /etc/rc.local file (and contents) -# -################################################################################# # # Test : BOOT-5177 # Description : Check for Linux boot services (systemd and chkconfig) 
@@ -467,48 +457,13 @@ fi # ################################################################################# -# - # Test : BOOT-5178 - # Description : Check for Linux boot services (Red Hat style) - # if [ ! "${CHKCONFIGBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi - # Register --test-no BOOT-5178 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --description "Check for unneeded Linux boot services (Red Hat style)" - # if [ ${SKIPTEST} -eq 0 ]; then - # N=0 - # N=`expr ${N} + 1` - - #* mctrans (if selinux is NOT enabled) - #* restorecond (if selinux is NOT enabled) --> and is it really needed? - # - # if profile is server, warn if found: - #* pcscd (if profile=server) - #* avahi-daemon - # Redhat: /etc/sysconfig/network - # check if NOZEROCONF=yes is available - # - #* xfs (if /usr/bin/startx is not found) - # - #if [ ! -f /etc/mdadm.conf -a ! -f /etc/mdadm/mdadm.conf ]; then - #* mdmonitor - # - # - #* firstboot - # Display warning if [ ! -f /etc/reconfigSys ] - # AND "RUN_FIRSTBOOT=YES" is NOT in /etc/sysconfig/firstboot - # - #* acpid - # Display warning if no modules are loaded (lsmod | grep -i acpi) - # - # - # fi -# -################################################################################# # # Test : BOOT-5180 # Description : Check for Linux boot services (Debian style) if [ "${LINUX_VERSION}" = "Debian" -o "${LINUX_VERSION}" = "Ubuntu" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no BOOT-5180 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --description "Check for Linux boot services (Debian style)" if [ ${SKIPTEST} -eq 0 ]; then - # YYY runlevel check + # Runlevel check sRUNLEVEL=`${RUNLEVELBINARY} | grep "N 2"` if [ ! "${sRUNLEVEL}" = "" ]; then FIND=`find /etc/rc2.d -type l -print | cut -d '/' -f4 | sed "s/S[0-9][0-9]//g" | sort` 
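Review bot: The prerequisites for BOOT-5180 only test `LINUX_VERSION`, yet the first statement after the renamed `# Runlevel check` comment runs `${RUNLEVELBINARY}` unconditionally; when that variable is empty the command substitution degenerates to `| grep "N 2"`, which prints a syntax error and leaves `sRUNLEVEL` empty, so the test silently reports nothing. Extend the gate to `if [ \( "${LINUX_VERSION}" = "Debian" -o "${LINUX_VERSION}" = "Ubuntu" \) -a ! "${RUNLEVELBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi`, which mirrors how the removed BOOT-5178 draft gated on `CHKCONFIGBINARY`. The body of the test continues past the end of the hunk.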
@@ -609,16 +564,6 @@ fi # ################################################################################# -# - # Add autostart services, like from KDE/Gnome - # Test : BOOT-5102 - # Description : Check for tasks which are autostarted via /etc/inittab - #Register --test-no BOOT-5102 --weight L --network NO --description "Check inittab for services" - #if [ ${SKIPTEST} -eq 0 ]; then - #fi - #YYY check against static list? -# -################################################################################# # # Test : BOOT-5202 # Description : Check uptime of system @@ -721,7 +666,6 @@ ################################################################################# # - report "boot_loader=${BOOT_LOADER}" report "service_manager=${SERVICE_MANAGER}" diff --git a/include/tests_containers b/include/tests_containers index d6450c95..dcd4d238 100644 --- a/include/tests_containers +++ b/include/tests_containers @@ -159,7 +159,6 @@ ################################################################################# # - wait_for_keypress # diff --git a/include/tests_crypto b/include/tests_crypto index ea69bf3c..8db5eb69 100644 --- a/include/tests_crypto +++ b/include/tests_crypto @@ -50,7 +50,6 @@ FOUNDPROBLEM=1 logtext "Result: certificate ${J} has been expired" report "expired_certificate[]=${J}|unknown entity|" - #YYY Dump more information to log file fi else logtext "Result: can not read file ${J} (no permission)" diff --git a/include/tests_insecure_services b/include/tests_insecure_services index 534132ee..f6b5e15d 100644 --- a/include/tests_insecure_services +++ b/include/tests_insecure_services 
@@ -5,8 +5,8 @@ # Lynis # ------------------ # -# Copyright 2007-2015, Michael Boelen (michael@rootkit.nl), The Netherlands -# Web site: http://www.rootkit.nl +# Copyright 2007-2015, Michael Boelen, CISOfy (michael.boelen@cisofy.com) +# Web site: https://cisofy.com # # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are # welcome to redistribute it under the terms of the GNU General Public License. @@ -37,7 +37,6 @@ if [ ${RUNNING} -eq 1 ]; then logtext "Result: inetd is running" Display --indent 2 --text "- Checking inetd status" --result ACTIVE --color GREEN - #YYY perform manual check INETD_ACTIVE=1 else logtext "Result: inetd is NOT running" @@ -61,8 +60,6 @@ logtext "Result: ${INETD_CONFIG_FILE} does not exist" Display --indent 4 --text "- Checking inetd.conf" --result "NOT FOUND" --color WHITE fi - # YYY immutable bit could be set - # YYY permission check (already set in profile) fi # ################################################################################# @@ -106,15 +103,9 @@ # ################################################################################# # -# Check telnet in /etc/xinetd.conf -# Check telnet in /etc/xinetd/* -# Check running telnet daemon (telnetd) -# rshd rlogin rexec -# /etc/hosts.equiv - wait_for_keypress # #================================================================================ -# Lynis - Copyright 2007-2015, Michael Boelen - www.rootkit.nl - The Netherlands +# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com diff --git a/include/tests_kernel b/include/tests_kernel index a7cb4a91..15c84206 100644 --- a/include/tests_kernel +++ b/include/tests_kernel 
@@ -5,8 +5,8 @@ # Lynis # ------------------ # -# Copyright 2007-2015, Michael Boelen (michael@rootkit.nl), The Netherlands -# Web site: http://www.rootkit.nl +# Copyright 2007-2015, Michael Boelen (michael.boelen@cisofy.com) +# Web site: https://cisofy.com # # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are # welcome to redistribute it under the terms of the GNU General Public License. @@ -276,10 +276,6 @@ fi # ################################################################################# -# -# YYY Check for kernel options -# -################################################################################# # # Test : KRNL-5745 # Description : Checking FreeBSD loaded kernel modules diff --git a/include/tests_kernel_hardening b/include/tests_kernel_hardening index 7797fa1a..cc82eb47 100644 --- a/include/tests_kernel_hardening +++ b/include/tests_kernel_hardening @@ -5,8 +5,8 @@ # Lynis # ------------------ # -# Copyright 2007-2015, Michael Boelen (michael@rootkit.nl), The Netherlands -# Web site: http://www.rootkit.nl +# Copyright 2007-2015, Michael Boelen (michael.boelen@cisofy.com) +# Web site: https://cisofy.com # # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are # welcome to redistribute it under the terms of the GNU General Public License. @@ -66,4 +66,4 @@ wait_for_keypress # #================================================================================ -# Lynis - Copyright 2007-2015, Michael Boelen - http://cisofy.com - The Netherlands +# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com diff --git a/include/tests_ldap b/include/tests_ldap index 551fae3a..26c35c0b 100644 --- a/include/tests_ldap +++ b/include/tests_ldap 
@@ -5,8 +5,8 @@ # Lynis # ------------------ # -# Copyright 2007-2015, Michael Boelen (michael@rootkit.nl), The Netherlands -# Web site: http://www.rootkit.nl +# Copyright 2007-2015, Michael Boelen, CISOfy (michael.boelen@cisofy.com) +# Web site: https://cisofy.com # # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are # welcome to redistribute it under the terms of the GNU General Public License. @@ -101,4 +101,4 @@ wait_for_keypress # #================================================================================ -# Lynis - Copyright 2007-2015, Michael Boelen - www.rootkit.nl - The Netherlands +# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com diff --git a/include/tests_logging b/include/tests_logging index 7346365a..707b6948 100644 --- a/include/tests_logging +++ b/include/tests_logging @@ -5,8 +5,8 @@ # Lynis # ------------------ # -# Copyright 2007-2015, Michael Boelen (michael@rootkit.nl), The Netherlands -# Web site: http://www.rootkit.nl +# Copyright 2007-2015, Michael Boelen, CISOfy (michael.boelen@cisofy.com) +# Web site: https://cisofy.com # # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are # welcome to redistribute it under the terms of the GNU General Public License. @@ -36,7 +36,6 @@ # Test : LOGG-2130 # Description : Check for a running syslog daemon - # Notes : Log which syslog daemon is found YYY Register --test-no LOGG-2130 --weight L --network NO --description "Check for running syslog daemon" if [ ${SKIPTEST} -eq 0 ]; then logtext "Test: Searching for a logging daemon" @@ -476,12 +475,6 @@ # ################################################################################# # -# -# Rsyslogd checks -# -# -################################################################################# -# report "log_rotation_config_found=${LOGROTATE_CONFIG_FOUND}" report "log_rotation_tool=${LOGROTATE_TOOL}" 
diff --git a/include/tests_mac_frameworks b/include/tests_mac_frameworks index 23e75e5e..4a0bc6dc 100644 --- a/include/tests_mac_frameworks +++ b/include/tests_mac_frameworks @@ -5,8 +5,8 @@ # Lynis # ------------------ # -# Copyright 2007-2015, Michael Boelen (michael@rootkit.nl), The Netherlands -# Web site: http://www.rootkit.nl +# Copyright 2007-2015, Michael Boelen, CISOfy (michael.boelen@cisofy.com) +# Web site: https://cisofy.com # # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are # welcome to redistribute it under the terms of the GNU General Public License. @@ -48,11 +48,11 @@ if [ ${SKIPTEST} -eq 0 ]; then if [ ! "${AASTATUSBINARY}" = "" ]; then # Checking AppArmor status - #0 if apparmor is enabled and policy is loaded. - #1 if apparmor is not enabled/loaded. - #2 if apparmor is enabled but no policy is loaded. - #3 if control files are not available - #4 if apparmor status can't be read + # 0 if apparmor is enabled and policy is loaded. + # 1 if apparmor is not enabled/loaded. + # 2 if apparmor is enabled but no policy is loaded. + # 3 if control files are not available + # 4 if apparmor status can't be read FIND=`${AASTATUSBINARY} > /dev/null; echo $?` if [ ${FIND} -eq 0 ]; then MAC_FRAMEWORK_ACTIVE=1 @@ -187,14 +187,6 @@ report "framework_selinux=${SELINUXFOUND}" wait_for_keypress -# To implement: -# FMAC (OpenSolaris, MAC) -# LSM (Linux Security Modules) -# TrustedBSD (MAC) -# RSBAC (RBAC) -# Apple sandbox technology -# PAX - # #================================================================================ -# Lynis - Copyright 2007-2015, Michael Boelen - www.rootkit.nl - The Netherlands +# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com diff --git a/include/tests_mail_messaging b/include/tests_mail_messaging index dc568283..b936dbb8 100644 --- a/include/tests_mail_messaging +++ b/include/tests_mail_messaging 
@@ -5,8 +5,8 @@ # Lynis # ------------------ # -# Copyright 2007-2015, Michael Boelen (michael@rootkit.nl), The Netherlands -# Web site: http://www.rootkit.nl +# Copyright 2007-2015, Michael Boelen (michael.boelen@cisofy.com) +# Web site: https://cisofy.com # # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are # welcome to redistribute it under the terms of the GNU General Public License. @@ -50,29 +50,6 @@ fi # ################################################################################# -# - # Test : MAIL-8804 - # Description : Check Exim configuration - #if [ ${EXIM_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi - #Register --test-no MAIL-8804 --weight L --network NO --description "Check Exim configuration" - #if [ ${SKIPTEST} -eq 0 ]; then - # if [ ! "${EXIMBINARY}" = "" ]; then - # logtext "Test: Searching Exim configuration file" - # FIND=`${EXIMBINARY} -d | grep "configuration file is" | sed 's/configuration file is//'` - # if [ ! "${FIND}" = "" ]; then - # Display --indent 2 --text "- Checking Exim configuration" --result FOUND --color GREEN - # Display --indent 4 --text "Result: configuration file is ${FIND}" - # logtext "Result: found Exim" - # logtext "Result: configuration file is ${FIND}" - # else - # Display --indent 2 --text "- Checking Exim configuration" --result WARNING --color RED - # logtext "Couldn't find the Exim configuration file, however Exim seems to be installed." - # fi - # else - # logtext "Exim binary not found, no tests performed" - # fi -# -################################################################################# # # Test : MAIL-8814 # Description : Check Postfix process 
@@ -161,26 +138,6 @@ fi # ################################################################################# -# - # Test : MAIL-8842 - # Description : Check Dovecot logging locations - #Register --test-no MAIL-8842 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check dovecot logging locations" - #if [ ${SKIPTEST} -eq 0 ]; then -# ParseDovecot -# CONF="/etc/dovecot/dovecot.conf" -# FIND=`cat ${CONF} | grep "^log_path" | awk '{ if ($1=="") { print "syslog" } else { print $3 } }'` -# if [ ! "${FIND}" = "" ]; then -# logtext "Result: output for error messages = ${FIND}" -# fi -# -# FIND=`cat ${CONF} | grep "^log_info_path" | awk '{ if ($1=="") { print "syslog" } else { print $3 } }'` -# if [ ! "${FIND}" = "" ]; then -# logtext "Result: output for informational messages = ${FIND}" -# fi -# -# fi -# -################################################################################# # # Test : MAIL-8860 # Description : Check Qmail process status @@ -239,23 +196,6 @@ fi # ################################################################################# -# - # Test : MAIL-xxxx - # Description : Check if outgoing mail is obscured (increased privacy) - #Register --test-no MAIL-xxxx --weight L --network NO --description "Check XXX" - #if [ ${SKIPTEST} -eq 0 ]; then -# -################################################################################# -# - #YYY Add support for mail, procmail - #YYY Add support for MUAs: Thunderbird, Kmail, Evolution - # Other software : Cyrus-IMAP, Amavisd-new, SpamAssassin, Fetchmail, Procmail, maildrop - #- Dovecot : \'/usr/local/etc/dovecot.conf\' - #- For Sendmail : \'/var/mail/sendmail.cf\' - #- Fetchmail : \'~/.fetchmailrc\' (not only root) - #- Cyrus-IMAP : \'/usr/local/etc/imapd.conf\' for parameters and \'/usr/local/etc/cyrus.conf\' for the services launched -# -################################################################################# # report "imap_daemon=${IMAP_DAEMON}" 
@@ -267,4 +207,4 @@ wait_for_keypress # #================================================================================ -# Lynis - Copyright 2007-2015, Michael Boelen - www.rootkit.nl - The Netherlands +# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com diff --git a/include/tests_malware b/include/tests_malware index 2fe22ba1..1462646c 100644 --- a/include/tests_malware +++ b/include/tests_malware @@ -5,8 +5,8 @@ # Lynis # ------------------ # -# Copyright 2007-2015, Michael Boelen (michael.boelen@cisofy.com), The Netherlands -# Web site: http://cisofy.com +# Copyright 2007-2015, Michael Boelen, CISOfy (michael.boelen@cisofy.com) +# Web site: https://cisofy.com # # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are # welcome to redistribute it under the terms of the GNU General Public License. 
@@ -166,26 +166,20 @@ # ################################################################################# # -# Test : MALW-3288 -# Description : Check for ClamXav (Mac OS X) -# -################################################################################# -# - Register --test-no MALW-3288 --weight L --network NO --description "Check for ClamXav" + # Test : MALW-3288 + # Description : Check for ClamXav (Mac OS X) + if [ -d /Applications/ClamXav.app/Contents/Resources/ScanningEngine/bin/ ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + Register --test-no MALW-3288 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check for ClamXav" if [ ${SKIPTEST} -eq 0 ]; then - if [ -d /Applications/ClamXav.app/Contents/Resources/ScanningEngine/bin/ ]; then - CLAMSCANBINARY=`ls /Applications/ClamXav.app/Contents/Resources/ScanningEngine/bin/ 2> /dev/null | grep 'clamscan'` - if [ ! "${CLAMSCANBINARY}" = "" ]; then - logtext "Result: Found ClamXav clamscan installed" - Display --indent 2 --text "- Checking presence of ClamXav AV scanner" --result "FOUND" --color GREEN - MALWARE_SCANNER_INSTALLED=1 - AddHP 3 3 - else - logtext "Result: ClamXav malware scanner not found" - AddHP 0 3 - fi + CLAMSCANBINARY=`ls /Applications/ClamXav.app/Contents/Resources/ScanningEngine/bin/ 2> /dev/null | grep 'clamscan'` + if [ ! "${CLAMSCANBINARY}" = "" ]; then + logtext "Result: Found ClamXav clamscan installed" + Display --indent 2 --text "- Checking presence of ClamXav AV scanner" --result "FOUND" --color GREEN + MALWARE_SCANNER_INSTALLED=1 + AddHP 3 3 else - logtext "Result: could not find ClamXav location" + logtext "Result: ClamXav malware scanner not found" + AddHP 0 3 fi fi # 
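Review bot: `CLAMSCANBINARY` on the new side is still filled by parsing `ls` through `grep 'clamscan'`, so it holds any directory entry whose name contains that substring rather than a verified executable path, and it is only ever tested for non-emptiness. Because the prerequisite line already hard-codes the directory, the test can probe the file directly and drop the `ls | grep` line: `if [ -x /Applications/ClamXav.app/Contents/Resources/ScanningEngine/bin/clamscan ]; then`. That removes the `ls` parsing and the false positive from any other entry that merely contains `clamscan` in its name.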
@@ -196,12 +190,6 @@ # ################################################################################# # -################################################################################# -# -# Other projects: maldetect (rfxn) -# -################################################################################# -# report "malware_scanner_installed=${MALWARE_SCANNER_INSTALLED}" diff --git a/include/tests_memory_processes b/include/tests_memory_processes index 4fa64c1c..fda6a32e 100644 --- a/include/tests_memory_processes +++ b/include/tests_memory_processes @@ -5,8 +5,8 @@ # Lynis # ------------------ # -# Copyright 2007-2015, Michael Boelen (michael@rootkit.nl), The Netherlands -# Web site: http://www.rootkit.nl +# Copyright 2007-2015, Michael Boelen, CISOfy (michael.boelen@cisofy.com) +# Web site: https://cisofy.com # # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are # welcome to redistribute it under the terms of the GNU General Public License. @@ -110,23 +110,10 @@ fi # ################################################################################# -# - # Ubuntu test: dead processes - # who -d -# -################################################################################# -# - # Test : PROC-3624 - # Description : Check shared memory (ipcs -m) - # Notes : if it's empty, check /dev/shm and warn if any files are left behind - #Register --test-no PROC-3614 --os Linux --weight L --network NO --description "Check shared memory" - #if [ ${SKIPTEST} -eq 0 ]; then -# -################################################################################# # wait_for_keypress # #================================================================================ -# Lynis - Copyright 2007-2015, Michael Boelen - www.rootkit.nl - The Netherlands +# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com diff --git a/include/tests_nameservices b/include/tests_nameservices index 38782a8b..6aedd833 100644 
--- a/include/tests_nameservices +++ b/include/tests_nameservices @@ -5,8 +5,8 @@ # Lynis # ------------------ # -# Copyright 2007-2015, Michael Boelen (michael@rootkit.nl), The Netherlands -# Web site: http://www.rootkit.nl +# Copyright 2007-2015, Michael Boelen, CISOfy (michael.boelen@cisofy.com) +# Web site: https://cisofy.com # # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are # welcome to redistribute it under the terms of the GNU General Public License. @@ -233,7 +233,6 @@ else logtext "Result: nscd is not running" Display --indent 2 --text "- Checking nscd status" --result "NOT FOUND" --color WHITE - #YYY show performance suggestion if LDAP is used fi fi # @@ -263,7 +262,6 @@ Register --test-no NAME-4204 --preqs-met ${PREQS_MET} --weight L --network NO --description "Search BIND configuration file" if [ ${SKIPTEST} -eq 0 ]; then logtext "Test: Search BIND configuration file" - #YYY add chrooted environments for I in ${BIND_CONFIG_LOCS}; do if [ -f ${I}/named.conf ]; then BIND_CONFIG_LOCATION="${I}/named.conf" @@ -377,7 +375,6 @@ Register --test-no NAME-4232 --preqs-met ${PREQS_MET} --weight L --network NO --description "Search PowerDNS configuration file" if [ ${SKIPTEST} -eq 0 ]; then logtext "Test: Search PowerDNS configuration file" - #YYY add chrooted environments for I in ${POWERDNS_CONFIG_LOCS}; do if [ -f ${I}/pdns.conf ]; then POWERDNS_AUTH_CONFIG_LOCATION="${I}/pdns.conf" @@ -609,4 +606,4 @@ wait_for_keypress # #================================================================================ -# Lynis - Copyright 2007-2015 Michael Boelen, CISOfy - https://cisofy.com +# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com diff --git a/include/tests_networking b/include/tests_networking index 4188c440..469a22f4 100644 --- a/include/tests_networking +++ b/include/tests_networking 
@@ -5,8 +5,8 @@ # Lynis # ------------------ # -# Copyright 2007-2015, Michael Boelen (michael@rootkit.nl), The Netherlands -# Web site: http://www.rootkit.nl +# Copyright 2007-2015, Michael Boelen, CISOfy (michael.boelen@cisofy.com) +# Web site: https://cisofy.com # # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are # welcome to redistribute it under the terms of the GNU General Public License. @@ -29,7 +29,7 @@ # ################################################################################# # - # Test : NETW-2704 (YYY move to nameservices section) + # Test : NETW-2704 # Description : Basic nameserver configuration tests (connectivity) Register --test-no NETW-2704 --weight L --network YES --description "Basic nameserver configuration tests" if [ ${SKIPTEST} -eq 0 ]; then @@ -44,7 +44,7 @@ for I in ${FIND}; do logtext "Found nameserver: ${I}" report "nameserver[]=${I}" - # Check if a local resolver is available (like DNSMasq) + # Check if a local resolver is available (like DNSMasq) if [ "${I}" = "::1" -o "${I}" = "127.0.0.1" -o "${I}" = "0.0.0.0" ]; then LOCAL_DNSRESOLVER_FOUND=1 fi @@ -200,7 +200,7 @@ case ${OS} in AIX) FIND=`${IFCONFIGBINARY} -a | awk '{ if ($1=="inet") print $2 }'` - # IPv6 support in AIX? (YYY) + FIND2=`${IFCONFIGBINARY} -a | awk '{ if ($1=="inet6") print $2 }'` ;; DragonFly|FreeBSD|NetBSD) FIND=`${IFCONFIGBINARY} -a | awk '{ if ($1=="inet") print $2 }'` @@ -473,8 +473,6 @@ IsRunning dhclient if [ ${RUNNING} -eq 1 ]; then Display --indent 2 --text "- Checking status DHCP client" --result RUNNING --color WHITE - #YYY report if system type is server, that it is running with DHCP client, might be a badly configured machine - #report "manual[]=System is running DHCP client" DHCP_CLIENT_RUNNING=1 else Display --indent 2 --text "- Checking status DHCP client" --result "NOT ACTIVE" --color WHITE 
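Review bot: The new AIX branch in the `@@ -200,7 +200,7 @@` hunk fills `FIND2` with the second column of every `inet6` line, mirroring the BSD branch below it, but nothing in the hunk shows what AIX's `ifconfig -a` actually prints for IPv6; if AIX appends a prefix length or scope to the address, the consumer of `FIND2` (outside this hunk) would receive that suffix. Since the old `# IPv6 support in AIX? (YYY)` marker was replaced by code with no note, a one-line comment would preserve the open question: `# Assumes AIX prints 'inet6 <addr>' like the BSD branch; verify column layout on AIX`. The enclosing `case ${OS}` statement starts and ends outside the hunk.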
@@ -482,20 +480,6 @@ fi # ################################################################################# -# - # Test : NETW-3060 - # Description : Check if IPv6 is configured AND used - # /etc/modprobe.d (add 'install ipv6 /bin/true' if IPv6 isn't used) - # or - # aliased (/etc/modprobe.d/aliases?): alias net-pf-10 off ipv6 (to disable) - #Register --test-no NETW-3060 --weight L --network NO --description "Checking IPv6 connectivity" - #if [ ${SKIPTEST} -eq 0 ]; then -# -################################################################################# -# -# Linux: net.ipv4.ip_always_defrag -# -################################################################################# # report "dhcp_client_running=${DHCP_CLIENT_RUNNING}" @@ -503,4 +487,4 @@ wait_for_keypress # #================================================================================ -# Lynis - Copyright 2007-2015, Michael Boelen - www.rootkit.nl - The Netherlands +# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com diff --git a/include/tests_php b/include/tests_php index 8a7db951..d4e842c8 100644 --- a/include/tests_php +++ b/include/tests_php @@ -5,8 +5,8 @@ # Lynis # ------------------ # -# Copyright 2007-2015, Michael Boelen (michael@rootkit.nl), The Netherlands -# Web site: http://www.rootkit.nl +# Copyright 2007-2015, Michael Boelen, CISOfy (michael.boelen@cisofy.com) +# Web site: https://cisofy.com # # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are # welcome to redistribute it under the terms of the GNU General Public License. 
@@ -252,37 +252,13 @@ logtext "Result: Found 'allow_url_include' in disabled state (0, no, or off)" AddHP 2 2 fi - #YYY Check through all files fi # ################################################################################# # -# Disable/use functions: -# safe_mode (only for PHP5?) -# open_basedir (limits access to defined directory, comparable with chrooting) -# disable_classes -# session.save_path -# session.referer_check -# upload_tmp_dir -# file_uploads Off, if possible -# Set display_errors to Off -# Set log_errors to On and define error_log (with value Syslog or a filename) -# -################################################################################# -# - # mod_suexec - # suPHP (/etc/suphp.conf) -# -################################################################################# -# - # Test : PHP-2388 - # Description : Check php version number -# -################################################################################# -# wait_for_keypress # #================================================================================ -# Lynis - Copyright 2007-2015, Michael Boelen - www.rootkit.nl - The Netherlands +# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com diff --git a/include/tests_ports_packages b/include/tests_ports_packages index 23a66584..8143113a 100644 --- a/include/tests_ports_packages +++ b/include/tests_ports_packages @@ -5,8 +5,8 @@ # Lynis # ------------------ # -# Copyright 2007-2015, Michael Boelen (michael@rootkit.nl), The Netherlands -# Web site: http://www.rootkit.nl +# Copyright 2007-2015, Michael Boelen, CISOfy (michael.boelen@cisofy.com) +# Web site: https://cisofy.com # # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are # welcome to redistribute it under the terms of the GNU General Public License. 
@@ -78,35 +78,6 @@ fi # ################################################################################# -# -# Temporary disabled due false positives -# Packages like docbook, gcc, automake report multiple installed versions -# # Test : PKGS-7303 -# # Description : Query FreeBSD pkg_info -# if [ -x /usr/sbin/pkg_info ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi -# Register --test-no PKGS-7303 --preqs-met ${PREQS_MET} --weight L --network NO --description "Query FreeBSD for double installed packages" -# if [ ${SKIPTEST} -eq 0 ]; then -# SDOUBLEINSTALLED=`pkg_info | sort | sed -e 's/-[0-9].*$//' | uniq -c | grep -v '^[[:space:]]*1' | tr -s ' ' | cut -d ' ' -f3` -# if [ "${SDOUBLEINSTALLED}" = "" ]; then -# Display --indent 6 --text "- Querying pkg_info for double installed packages" --result OK --color GREEN -# logtext "Ok, no packages show up twice or more in the package listing." -# else -# Display --indent 6 --text "- Querying pkg_info for double installed packages" --result WARNING --color RED -# for J in ${SDOUBLEINSTALLED}; do -# ReportWarning ${TEST_NO} "M" "Found probably incorrect installed package (${J})" -# logtext "This package ${J} is visible twice or more in the pkg_info listing." -# ReportSuggestion ${TEST_NO} "(FreeBSD) run pkgdb -F and check this manually." -# ReportSuggestion ${TEST_NO} "(OpenBSD) check dependencies to see if one of the double " -# logtext "installed packages is unneeded." -# report "double_installed_package[]=${J}" -# done -# fi -# else -# Display --indent 4 --text "- Searching pkg_info" --result "NOT FOUND" --color WHITE -# logtext "Result: pkg_info can NOT be found on this system" -# fi -# -################################################################################# # # Test : PKGS-7304 # Description : Gentoo packages @@ -152,7 +123,6 @@ logtext "Result: pkginfo can NOT be found on this system" fi # -# ################################################################################# # # Test : PKGS-7308 
@@ -202,7 +172,6 @@ if [ "${SPACKAGES}" = "" ]; then logtext "Result: pacman binary available, but package list seems to be empty" logtext "Info: looks like the pacman binary is installed, but not used for package installation" - #YYY ReportException? else for J in ${SPACKAGES}; do N=`expr ${N} + 1` @@ -380,7 +349,7 @@ fi # ################################################################################# - +# # Test : PKGS-7348 # Description : Show unneeded distfiles if present # Notes : Portsclean seems to be gone from the ports, so no suggestion or warning is @@ -540,7 +509,6 @@ if [ "${FIND}" = "" ]; then logtext "Result: pkg audit results are clean" Display --indent 2 --text "- Checking pkg audit to obtain vulnerable packages" --result NONE --color GREEN - # Don't check yet, output of found vulnerable packages unclear (YYY) else logtext "Result: ${FIND}" #Display --indent 2 --text "- Checking pkg audit to obtain vulnerable packages" --result WARNING --color RED @@ -1014,21 +982,6 @@ fi # ################################################################################# -# - # Test : PKGS-7414 - # Description : Check installonly_limit in yum.conf -# -################################################################################# -# - # Test : PKGS-7416 - # Description : Check for popularity-contest (Debian/Ubuntu) -# -################################################################################# -# - # Test : PKGS-7418 - # Description : Check for yum-changelog -# -################################################################################# # if [ ! "${INSTALLED_PACKAGES}" = "" ]; then @@ -1043,4 +996,4 @@ wait_for_keypress # #================================================================================ -# Lynis - Copyright 2007-2015 Michael Boelen, CISOfy - https://cisofy.com +# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com From ba11e87b3cc217afefcedeaeb1085dfa25dea4da Mon Sep 17 00:00:00 2001 
From: mboelen Date: Wed, 22 Jul 2015 17:35:03 +0200 Subject: [PATCH 034/122] Removed hardening tools section --- lynis | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lynis b/lynis index c67b4ac1..eaad013c 100755 --- a/lynis +++ b/lynis @@ -719,7 +719,7 @@ filesystems storage storage_nfs nameservices ports_packages networking printers_spools \ mail_messaging firewalls webservers ssh snmp databases ldap php squid logging \ insecure_services banners scheduling accounting time crypto virtualization containers \ - mac_frameworks file_integrity hardening_tools tooling malware file_permissions homedirs \ + mac_frameworks file_integrity tooling malware file_permissions homedirs \ kernel_hardening hardening" else INCLUDE_TESTS="${TESTS_CATEGORY_TO_PERFORM}" From afd01ece5d89dd3a1d78e3884d42ad38e129622a Mon Sep 17 00:00:00 2001 From: mboelen Date: Wed, 22 Jul 2015 17:37:11 +0200 Subject: [PATCH 035/122] Remove incomplete tests, code enhancements --- include/tests_filesystems | 6 +-- include/tests_firewalls | 8 +--- include/tests_homedirs | 20 ++------- include/tests_printers_spools | 2 +- include/tests_scheduling | 26 +++++------ include/tests_solaris | 6 +-- include/tests_squid | 59 ------------------------- include/tests_ssh | 82 ++--------------------------------- include/tests_storage | 12 +---- include/tests_storage_nfs | 6 +-- include/tests_time | 16 +++---- include/tests_tooling | 6 +-- include/tests_virtualization | 11 +++-- include/tests_webservers | 11 ++--- 14 files changed, 50 insertions(+), 221 deletions(-) diff --git a/include/tests_filesystems b/include/tests_filesystems index fd879565..28dfab75 100644 --- a/include/tests_filesystems +++ b/include/tests_filesystems 
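Review bot: Dropping `hardening_tools` from the default `INCLUDE_TESTS` list silently stops that category from running, yet the diffstat shows only `lynis` changed, so an `include/tests_hardening_tools` file (if it still exists) stays on disk and remains reachable through the `else` branch via `${TESTS_CATEGORY_TO_PERFORM}`. Either delete the include file in the same commit or say in the commit message why it is kept, and a short comment above the list would stop the next reader from re-adding it: `# hardening_tools is intentionally not in the default category list`. The `if`/`else` this hunk sits in starts outside the hunk.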
@@ -5,8 +5,8 @@ # Lynis # ------------------ # -# Copyright 2007-2015, Michael Boelen (michael@rootkit.nl), The Netherlands -# Web site: http://www.rootkit.nl +# Copyright 2007-2015, Michael Boelen (michael.boelen@cisofy.com) +# Web site: https://cisofy.com # # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are # welcome to redistribute it under the terms of the GNU General Public License. @@ -623,4 +623,4 @@ wait_for_keypress # #================================================================================ -# Lynis - Copyright 2007-2015, Michael Boelen - www.rootkit.nl - The Netherlands +# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com diff --git a/include/tests_firewalls b/include/tests_firewalls index 5a529d35..8563d4e0 100644 --- a/include/tests_firewalls +++ b/include/tests_firewalls @@ -5,8 +5,8 @@ # Lynis # ------------------ # -# Copyright 2007-2015, Michael Boelen (michael@rootkit.nl), The Netherlands -# Web site: http://www.rootkit.nl +# Copyright 2007-2015, Michael Boelen, CISOfy (michael.boelen@cisofy.com) +# Web site: https://cisofy.com # # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are # welcome to redistribute it under the terms of the GNU General Public License. @@ -30,10 +30,6 @@ # ################################################################################# # -# YYY Improvement needed for iptables to check if kernel modules are used or not. -# If they are not used and iptables is not found in configuration, no checks should be performed. -# - # Test : FIRE-4511 # Description : Check iptables kernel module Register --test-no FIRE-4511 --os Linux --weight L --network NO --description "Check iptables kernel module" diff --git a/include/tests_homedirs b/include/tests_homedirs index 81127eb8..012cf648 100644 --- a/include/tests_homedirs +++ b/include/tests_homedirs 
@@ -5,8 +5,8 @@ # Lynis # ------------------ # -# Copyright 2007-2015, Michael Boelen (michael@rootkit.nl), The Netherlands -# Web site: http://www.rootkit.nl +# Copyright 2007-2015, Michael Boelen (michael.boelen@cisofy.com) +# Web site: https://cisofy.com # # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are # welcome to redistribute it under the terms of the GNU General Public License. @@ -28,7 +28,6 @@ # ################################################################################# # - # Test : HOME-9302 # Description : Create list with home directories Register --test-no HOME-9302 --weight L --network NO --description "Create list with home directories" @@ -100,19 +99,6 @@ logtext "Output: ${IGNORE_HOME_DIRS}" fi fi - - #YYY - #echo -n " - Checking PATH variable vulnerabilities" - # - #FIND=`find ${HOMEDIRS} -name * | grep -r 'PATH=' | egrep '=.:|:.:|:.;' | grep -v 'CDPATH'` - #if [ "${FIND}" = "" ] - # then - # logtext "Result: Ok, no special things found in the PATH variable" - # else - # echo "[ ${WARNING}WARNING${NORMAL} ]" - # logtext "Warning: Probably found \".\" in the PATH. Details: ${FIND}" - #fi - # # ################################################################################# # @@ -121,4 +107,4 @@ wait_for_keypress # #================================================================================ -# Lynis - Copyright 2007-2015, Michael Boelen - www.rootkit.nl - The Netherlands +# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com diff --git a/include/tests_printers_spools b/include/tests_printers_spools index 5d35ba3d..ec64bc11 100644 --- a/include/tests_printers_spools +++ b/include/tests_printers_spools @@ -293,4 +293,4 @@ wait_for_keypress # #================================================================================ -# Lynis - Copyright 2007-2015, Michael Boelen - www.rootkit.nl - The Netherlands +# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com 
diff --git a/include/tests_scheduling b/include/tests_scheduling index 176da013..1b5e23f0 100644 --- a/include/tests_scheduling +++ b/include/tests_scheduling @@ -5,8 +5,8 @@ # Lynis # ------------------ # -# Copyright 2007-2015, Michael Boelen (michael@rootkit.nl), The Netherlands -# Web site: http://www.rootkit.nl +# Copyright 2007-2015, Michael Boelen, CISOfy (michael.boelen@cisofy.com) +# Web site: https://cisofy.com # # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are # welcome to redistribute it under the terms of the GNU General Public License. @@ -139,16 +139,16 @@ # Description : Check atd status Register --test-no SCHD-7718 --weight L --network NO --description "Check at users" if [ ${SKIPTEST} -eq 0 ]; then - logtext "Test: Checking atd status" - FIND=`${PSBINARY} ax | grep "/atd" | grep -v "grep"` - if [ ! "${FIND}" = "" ]; then - logtext "Result: at daemon active" - Display --indent 2 --text "- Checking atd status" --result RUNNING --color GREEN - ATD_RUNNING=1 - else - logtext "Result: at daemon not active" - Display --indent 2 --text "- Checking atd status" --result "NOT RUNNING" --color WHITE - fi + logtext "Test: Checking atd status" + FIND=`${PSBINARY} ax | grep "/atd" | grep -v "grep"` + if [ ! "${FIND}" = "" ]; then + logtext "Result: at daemon active" + Display --indent 2 --text "- Checking atd status" --result RUNNING --color GREEN + ATD_RUNNING=1 + else + logtext "Result: at daemon not active" + Display --indent 2 --text "- Checking atd status" --result "NOT RUNNING" --color WHITE + fi fi # ################################################################################# @@ -247,4 +247,4 @@ wait_for_keypress # #================================================================================ -# Lynis - Copyright 2007-2015, Michael Boelen - www.rootkit.nl - The Netherlands +# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com 
diff --git a/include/tests_solaris b/include/tests_solaris index 4b0783af..109bee67 100644 --- a/include/tests_solaris +++ b/include/tests_solaris @@ -5,8 +5,8 @@ # Lynis # ------------------ # -# Copyright 2007-2015, Michael Boelen (michael.boelen@cisofy.com), The Netherlands -# Web site: http://cisofy.com +# Copyright 2007-2015, Michael Boelen, CISOfy (michael.boelen@cisofy.com) +# Web site: https://cisofy.com # # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are # welcome to redistribute it under the terms of the GNU General Public License. @@ -66,4 +66,4 @@ wait_for_keypress # #================================================================================ -# Lynis - Copyright 2007-2015, Michael Boelen - www.rootkit.nl - The Netherlands +# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com diff --git a/include/tests_squid b/include/tests_squid index 98a4380c..f6277feb 100644 --- a/include/tests_squid +++ b/include/tests_squid @@ -103,15 +103,6 @@ fi # ################################################################################# -# -# # Test : SQD-3608 -# # Description : Check Squid build options -# if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! "${SQUID_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi -# Register --test-no SQD-3608 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check Squid version" -# if [ ${SKIPTEST} -eq 0 ]; then -# fi -# -################################################################################# # # Test : SQD-3610 # Description : Check Squid configuration options 
@@ -129,15 +120,6 @@ fi # ################################################################################# -# -# # Test : SQD-3612 -# # Description : Check Squid additional configuration files -# if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! "${SQUID_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi -# Register --test-no SQD-3612 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check additional Squid configuration files" -# if [ ${SKIPTEST} -eq 0 ]; then -# fi -# -################################################################################# # # Test : SQD-3613 # Description : Check Squid configuration options @@ -315,7 +297,6 @@ # ################################################################################# # - # Test : SQD-3680 # Description : Check httpd_suppress_version_string if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! "${SQUID_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi @@ -338,46 +319,6 @@ ################################################################################# # - -# Squid -#Hardening: -# $1 $3 -# acl snmp_community -# acl maxconn -# acl max_user_ip -# -# follow_x_forwarded_for -#Read cache_peer host type(sibling/parent) proxyport icpport options (if set, icp_access should be set as well) -#Read cache_peer_domain -#Read cache_peer_access -#Read icp_access -#Read icp_port -#Read htcp_access -#Read htcp_port -#Read http_port -#Read https_port -#Read cache_dir -#Read access_log -#Read coredump_dir -#Read quick_abort_min / max /pct -# -# Memory tuning -#Read cache_mem -#Read maximum_object_size_in_memory -#Read maximum_object_size -#Read cache_swap_low -#Read cache_swap_high - -# Security -#cache_effective_user -# off -#forwarded_for - -#wccp -# -################################################################################# -# - wait_for_keypress # diff --git a/include/tests_ssh b/include/tests_ssh index 15fb599c..303af6b6 100644 --- a/include/tests_ssh +++ b/include/tests_ssh 
@@ -5,8 +5,8 @@ # Lynis # ------------------ # -# Copyright 2007-2015, Michael Boelen (michael@rootkit.nl), The Netherlands -# Web site: http://www.rootkit.nl +# Copyright 2007-2015, Michael Boelen (michael.boelen@cisofy.com) +# Web site: https://cisofy.com # # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are # welcome to redistribute it under the terms of the GNU General Public License. @@ -79,28 +79,6 @@ fi # ################################################################################# -# -# # Test : SSH-7406 -# # Description : Check for a running SSH daemon -# if [ ${SSH_DAEMON_RUNNING} -eq 1 -a ! "${SSH_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi -# Register --test-no SSH-7406 --preqs-met ${PREQS_MET} --weight L --network NO --description "SSH daemon listening port" -# if [ ${SKIPTEST} -eq 0 ]; then -# logtext "Test: Searching for a SSH daemon" -# CheckOption "^Port " ${SSH_DAEMON_CONFIG} -# if [ ${FOUND} -eq 1 ]; then -# FIND=`echo ${FIND} | awk '{ if ($1=="Port") { print $2 }}'` -# # Check if this output is numeric and usuable for later (e.g. in netstat output) -# Display --indent 2 --text "- Checking SSH listening port" --result FOUND --color GREEN -# logtext "Result: setting port number to ${FIND}" -# SSH_DAEMON_PORT="${FIND}" -# else -# Display --indent 2 --text "- Checking SSH listening port" --result "NOT FOUND" --color WHITE -# logtext "Result: setting port to default number, as no other port has been configured" -# SSH_DAEMON_PORT="22" -# fi -# fi -# -################################################################################# # # Test : SSH-7408 # Description : Check SSH specific defined options 
@@ -202,32 +180,6 @@ fi # ################################################################################# -# - # Test : SSH-7418 - # Description : Check SSH Port option -# if [ ${SSH_DAEMON_RUNNING} -eq 1 -a ! "${SSH_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi -# Register --test-no SSH-7418 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check SSH option: Port" -# if [ ${SKIPTEST} -eq 0 ]; then -# logtext "Test: check allowed SSH protocol versions" -# FIND=`cat ${SSH_DAEMON_CONFIG} | grep "^Port" | awk '{ if ($2!="22") { print $2 } }'` -# if [ "${FIND}" = "1" -o "${FIND}" = "2,1" -o "${FIND}" = "1,2" ]; then -# logtext "Result: Protocol option is set to allow SSH protocol version 1" -# Display --indent 4 --text "- SSH option: Protocol" --result WARNING --color RED -# ReportWarning ${TEST_NO} "M" "SSH protocol version 1 is allowed" -# AddHP 0 3 -# else -# if [ "${FIND}" = "2" ]; then -# logtext "Result: only protocol 2 is allowed" -# Display --indent 4 --text "- SSH option: Protocol" --result OK --color GREEN -# AddHP 3 3 -# else -# logtext "Result: value of Protocol is unknown (not defined)" -# Display --indent 4 --text "- SSH option: Protocol" --result DEFAULT --color WHITE -# fi -# fi -# fi -# -################################################################################# # # Test : SSH-7440 # Description : AllowUsers / AllowGroups 
@@ -269,33 +221,7 @@ # ################################################################################# # - # Test : SSH-7464 - # Description : HashKnownHosts - #if [ ${SSH_DAEMON_RUNNING} -eq 1 -a ! "${SSH_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi - #Register --test-no SSH-7464 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check SSH option: HashKnownHosts" - #if [ ${SKIPTEST} -eq 0 ]; then - # /etc/ssh/ssh_config - # ReportSuggestion ${TEST_NO} "HashKnownHosts option can migitate worm attacks" - #AddHP 2 2 - #fi -# -################################################################################# -# - # Test : SSH-7480 - # Description : AllowUsers / AllowGroups - # Goal : Scan SSH daemon - #if [ ! ${SSHKEYSCANBINARY} = "" -a ${SSH_DAEMON_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi - #Register --test-no SSH-7480 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check SSH option: AllowUsers and AllowGroups" - #if [ ${SKIPTEST} -eq 0 ]; then - # First determine what port the local instance of SSH daemon is running on. If unknown, use port 22 - # FIND=`${SSHKEYSCANBINARY} localhost 2>&1 | grep OpenSSH | egrep -i "bsd|debian|ubuntu|redhat"` -# -################################################################################# -# - # sshd -T can provide additional insights -# -################################################################################# -# + report "ssh_daemon_running=${SSH_DAEMON_RUNNING}" #report "ssh_daemon_port=${SSH_DAEMON_PORT}" @@ -303,4 +229,4 @@ wait_for_keypress # #================================================================================ -# Lynis - Copyright 2007-2015, Michael Boelen - www.rootkit.nl - The Netherlands +# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com diff --git a/include/tests_storage b/include/tests_storage index 1ee95589..796e07d3 100644 --- a/include/tests_storage +++ b/include/tests_storage 
@@ -5,8 +5,8 @@ # Lynis # ------------------ # -# Copyright 2007-2015, Michael Boelen (michael@rootkit.nl), The Netherlands -# Web site: http://www.rootkit.nl +# Copyright 2007-2015, Michael Boelen (michael.boelen@cisofy.com) +# Web site: https://cisofy.com # # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are # welcome to redistribute it under the terms of the GNU General Public License. @@ -108,14 +108,6 @@ # ################################################################################# # -# Use modprobe --showconfig to test for options - -# NetBSD: amd (auto mount daemon) - -# -################################################################################# -# - wait_for_keypress diff --git a/include/tests_storage_nfs b/include/tests_storage_nfs index 2de8a8e0..2b3d7d6b 100644 --- a/include/tests_storage_nfs +++ b/include/tests_storage_nfs @@ -5,8 +5,8 @@ # Lynis # ------------------ # -# Copyright 2007-2015, Michael Boelen (michael@rootkit.nl), The Netherlands -# Web site: http://www.rootkit.nl +# Copyright 2007-2015, Michael Boelen (michael.boelen@cisofy.com) +# Web site: https://cisofy.com # # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are # welcome to redistribute it under the terms of the GNU General Public License. @@ -177,4 +177,4 @@ wait_for_keypress # #================================================================================ -# Lynis - Copyright 2007-2015, Michael Boelen - www.rootkit.nl - The Netherlands +# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com diff --git a/include/tests_time b/include/tests_time index 508702c5..5569c804 100644 --- a/include/tests_time +++ b/include/tests_time 
@@ -5,8 +5,8 @@ # Lynis # ------------------ # -# Copyright 2007-2015, Michael Boelen (michael@rootkit.nl), The Netherlands -# Web site: http://www.rootkit.nl +# Copyright 2007-2015, Michael Boelen, CISOfy (michael.boelen@cisofy.com) +# Web site: https://cisofy.com # # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are # welcome to redistribute it under the terms of the GNU General Public License. @@ -22,6 +22,7 @@ # ################################################################################# # + CRON_DIRS="/etc/cron.d /etc/cron.hourly /etc/cron.daily /etc/cron.weekly /etc/cron.monthly /var/spool/crontabs" NTP_DAEMON="" NTP_DAEMON_RUNNING=0 NTP_CONFIG_FOUND=0 @@ -29,9 +30,7 @@ NTP_CONFIG_TYPE_SCHEDULED=0 NTP_CONFIG_TYPE_EVENTBASED=0 NTP_CONFIG_TYPE_STARTUP=0 - # Specific for ntpd - NTPD_RUNNING=0 - CRON_DIRS="/etc/cron.d /etc/cron.hourly /etc/cron.daily /etc/cron.weekly /etc/cron.monthly /var/spool/crontabs" + NTPD_RUNNING=0 # Specific for ntpd SYSTEMD_NTP_ENABLED=0 # ################################################################################# @@ -117,10 +116,6 @@ fi done - ########################## - # To do: test on Solaris # - ########################## - # Don't run check in cron job directory on Solaris # /etc/cron.d/FIFO is a special file and test get stuck at this file FOUND_IN_CRON=0 @@ -360,7 +355,6 @@ # # Test : TIME-3136 # Description : Check ntpq reported ntp version (Linux) - # Notes : Test could be improved by checking every host (YYY) if [ ${NTPD_RUNNING} -eq 1 -a ! "${NTPQBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no TIME-3136 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --description "Check NTP protocol version" if [ ${SKIPTEST} -eq 0 ]; then 
@@ -460,4 +454,4 @@ wait_for_keypress # #================================================================================ -# Lynis - Copyright 2007-2015, CISOfy - https://cisofy.com +# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com diff --git a/include/tests_tooling b/include/tests_tooling index ee118c31..302a28d9 100644 --- a/include/tests_tooling +++ b/include/tests_tooling @@ -5,8 +5,8 @@ # Lynis # ------------------ # -# Copyright 2007-2015, Michael Boelen (michael@rootkit.nl), The Netherlands -# Web site: http://www.rootkit.nl +# Copyright 2007-2015, Michael Boelen, CISOfy (michael.boelen@cisofy.com) +# Web site: https://cisofy.com # # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are # welcome to redistribute it under the terms of the GNU General Public License. @@ -125,4 +125,4 @@ wait_for_keypress # #================================================================================ -# Lynis - Copyright 2007-2015, CISOfy - https://cisofy.com +# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com diff --git a/include/tests_virtualization b/include/tests_virtualization index 36a3a456..6c80e081 100644 --- a/include/tests_virtualization +++ b/include/tests_virtualization @@ -5,7 +5,7 @@ # Lynis # ------------------ # -# Copyright 2007-2015, Michael Boelen (michael.boelen@cisofy.com) +# Copyright 2007-2015, Michael Boelen, CISOfy (michael.boelen@cisofy.com) # Web site: https://cisofy.com # # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are @@ -29,9 +29,9 @@ # # Initialise # VMWARE_GUEST=0 # Display --indent 2 --text "- Checking VMware guest status" -# #YYY check memory driver file -# #YYY check LKM list -# #YYY check vmware tools +# # check memory driver file +# # check LKM list +# # check vmware tools # logtext "Test: checking VMware tools daemon presence" # if [ ! "${VMWARETOOLSBINARY}" = "" ]; then # logtext "Result: VMware tools binary found" 
@@ -46,9 +46,8 @@ ################################################################################# # - wait_for_keypress # #================================================================================ -# Lynis - Copyright 2007-2015, Michael Boelen - www.rootkit.nl - The Netherlands +# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com diff --git a/include/tests_webservers b/include/tests_webservers index b83d93a9..bb5db39d 100644 --- a/include/tests_webservers +++ b/include/tests_webservers @@ -5,8 +5,8 @@ # Lynis # ------------------ # -# Copyright 2007-2015, Michael Boelen (michael@rootkit.nl), The Netherlands -# Web site: http://www.rootkit.nl +# Copyright 2007-2015, Michael Boelen, CISOfy (michael.boelen@cisofy.com) +# Web site: https://cisofy.com # # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are # welcome to redistribute it under the terms of the GNU General Public License. @@ -693,11 +693,6 @@ # Description : Nginx: Check for server_tokens off in configuration files # ################################################################################# -# - # Scan for websites - #/etc/apache2/sites-available -# -################################################################################# # # Remove temp file (double check) @@ -709,4 +704,4 @@ wait_for_keypress # #================================================================================ -# Lynis - Copyright 2007-2015, Michael Boelen - cisofy.com - The Netherlands +# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com From db131518f0d72a52838165854fcc20ce0468c31f Mon Sep 17 00:00:00 2001 From: mboelen Date: Wed, 22 Jul 2015 17:37:39 +0200 Subject: [PATCH 036/122] Clean up code --- include/parameters | 2 +- include/profiles | 24 +++--------------------- 2 files changed, 4 insertions(+), 22 deletions(-) diff --git a/include/parameters b/include/parameters index 2cd372f8..aadc6700 100644 --- a/include/parameters 
+++ b/include/parameters @@ -263,4 +263,4 @@ done #================================================================================ -# Lynis - Copyright 2007-2015, Michael Boelen - www.rootkit.nl - The Netherlands +# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com diff --git a/include/profiles b/include/profiles index 93176716..1ceb4cd8 100644 --- a/include/profiles +++ b/include/profiles @@ -5,8 +5,8 @@ # Lynis # ------------------ # -# Copyright 2007-2015, Michael Boelen (michael@rootkit.nl), The Netherlands -# Web site: http://www.rootkit.nl +# Copyright 2007-2015, Michael Boelen, CISOfy (michael.boelen@cisofy.com) +# Web site: https://cisofy.com # # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are # welcome to redistribute it under the terms of the GNU General Public License. @@ -15,23 +15,6 @@ ################################################################################# # # Read profile/template -# -################################################################################# -# - #YYY Enable check when profile files are complete and completely documented - # Check if default profile is used - if [ "${PROFILE}" = "defaultXXX.prf" ]; then - echo "" - echo " ===============================================================================" - echo " ${WARNING}Warning${NORMAL}: ${WHITE}Default profile is used.${NORMAL}" - echo " Default profile contains only a small amount of options and settings." - echo " Consult the documentation to create a custom profile!" - echo "" - echo " [ ${WHITE}Press [ENTER] to continue with the default profile or [CTRL] + C to stop${NORMAL} ]" - echo " ===============================================================================" - wait_for_keypress - fi - # ################################################################################# # 
@@ -40,7 +23,7 @@ FIND=`cat ${PROFILE} | grep '^config:' | sed 's/ /!space!/g'` for I in ${FIND}; do OPTION=`echo ${I} | cut -d ':' -f2` - VALUE=`echo ${I} | cut -d ':' -f3 | sed 's/!space!/ /g'` + VALUE=`echo ${I} | cut -d ':' -f3 | sed 's/!space!/ /g'` logtext "Profile option set: ${OPTION} (with value ${VALUE})" @@ -120,7 +103,6 @@ # Profile name profile_name) - # YYY dummy PROFILE_NAME="${VALUE}" ;; From dd66273f413ebfa493c4e2dfadb3ddd420da6103 Mon Sep 17 00:00:00 2001 From: mboelen Date: Wed, 22 Jul 2015 18:28:34 +0200 Subject: [PATCH 037/122] Removed unused categories --- include/tests_hardening_tools | 52 ----------------------------------- include/tests_tcpwrappers | 47 ------------------------------- 2 files changed, 99 deletions(-) delete mode 100644 include/tests_hardening_tools delete mode 100644 include/tests_tcpwrappers diff --git a/include/tests_hardening_tools b/include/tests_hardening_tools deleted file mode 100644 index c148e9a0..00000000 --- a/include/tests_hardening_tools +++ /dev/null 
@@ -1,52 +0,0 @@ -#!/bin/sh - -################################################################################# -# -# Lynis -# ------------------ -# -# Copyright 2007-2015, Michael Boelen (michael@rootkit.nl), The Netherlands -# Web site: http://www.rootkit.nl -# -# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are -# welcome to redistribute it under the terms of the GNU General Public License. -# See LICENSE file for usage of this software. -# -################################################################################# -# -# InsertSection "Hardening tools" -# -################################################################################# -# - # Checking Solaris Security Toolkit (Jass) - # Test : HRDN-7402 - # Description : Check jass hardening - # Register --test-no HRDN-7402 --weight L --network NO --description "Check jass hardening" - # if [ ${SKIPTEST} -eq 0 ]; then - # if [ -d /opt/SUNWjass -o -d /var/opt/SUNWjass ]; then - # logtext "Result: found Solaris Security Toolkit (Jass hardening tool)" - # fi - # -# -################################################################################# -# - # Test : HRDN-7410 - # Description : Check tiger hardening tool -# -################################################################################# -# - # Test : HRDN-7420 - # Description : Check Bastille Unix hardening tool -# -################################################################################# -# - # Checking Solaris Security Toolkit (ASET) - # - Automated Security Enhancement Tool - - # AddHP 3 3 - -#wait_for_keypress - -# -#================================================================================ -# Lynis - Copyright 2007-2015, Michael Boelen - www.rootkit.nl - The Netherlands diff --git a/include/tests_tcpwrappers b/include/tests_tcpwrappers deleted file mode 100644 index ca610165..00000000 --- a/include/tests_tcpwrappers +++ /dev/null 
@@ -1,47 +0,0 @@ -#!/bin/sh - -################################################################################# -# -# Lynis -# ------------------ -# -# Copyright 2007-2015, Michael Boelen (michael@rootkit.nl), The Netherlands -# Web site: http://www.rootkit.nl -# -# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are -# welcome to redistribute it under the terms of the GNU General Public License. -# See LICENSE file for usage of this software. -# -################################################################################# -# -# TCP Wrappers -# Run after: NFS checks -# -################################################################################# -# -# -################################################################################# -# -# InsertSection "TCP Wrappers" -# -################################################################################# -# - # Test : TCPW-xxxx (YYY move to nameservices section) - # Description : Basic nameserver configuration tests (connectivity) -# Register --test-no TCPW-xxxx --weight L --network YES --description "Basic nameserver configuration tests" -# if [ ${SKIPTEST} -eq 0 ]; then -# Display --indent 2 --text "- Checking configured nameservers" -# logtext "Test: Checking /etc/resolv.conf file" -# Display --indent 8 --text "Nameserver: ${I}" --result OK --color GREEN -# ReportSuggestion ${TEST_NO} "Check connection to this nameserver and make sure no outbound DNS queries are blocked (port 53 UDP and TCP)." -# ReportWarning ${TEST_NO} "L" "Nameserver ${I} does not respond" -# fi -# -################################################################################# -# - -#wait_for_keypress - -# -#================================================================================ -# Lynis - Copyright 2007-2015, Michael Boelen - www.rootkit.nl - The Netherlands From 424f6cccd039ec84b73b93c4f2fd0b9b18fb5829 Mon Sep 17 00:00:00 2001 
From: mboelen Date: Wed, 22 Jul 2015 20:34:14 +0200 Subject: [PATCH 038/122] Release 2.1.1 --- CHANGELOG | 185 ++++++++++++++++++++++++++++++------------------------ 1 file changed, 104 insertions(+), 81 deletions(-) diff --git a/CHANGELOG b/CHANGELOG index d76e21c5..db90546e 100644 --- a/CHANGELOG +++ b/CHANGELOG 
@@ -8,119 +8,142 @@ Author: Michael Boelen (michael.boelen@cisofy.com) Description: Security and system auditing tool Website: https://cisofy.com/lynis/ - GitHub: https://github.com/CISOfy/Lynis + GitHub: https://github.com/CISOfy/lynis - Support policy: See section 'Support' (README file); + Support policy: See section 'Support' in README file Commercial support and plugins available via CISOfy - https://cisofy.com Documentation: See web site, README, FAQ and CHANGELOG file ================================================================================ - = Lynis 2.1.x (2015-xx-xx) = - This release adds several improvements and in different areas. Support for systems - like CentOS, openSUSE, Slackware is improved. It includes further cleanups of the - code, performance tweaks and more support for common software components. + = Lynis 2.1.1 (2015-07-22) = - Performance: - Performance tuning has been applied, to speed up execution of the audit on - systems with many files. + This release adds a lot of improvements, with focus on performance, and + additional support for common Linux distributions and external utilities. + We recommend to use this latest version. - Automatic updater: - Initial work on an automatic updater has been implemented. This way Lynis can - be scheduled for updating from a trusted source. + * Operating system enhancements + ------------------------------- + Support for systems like CentOS, openSUSE, Slackware is improved. - Internal functions: - As not all systems have readlink, or the -f option of readlink, the - ShowSymlinkPath function has been extended with a Python based check. + * Performance + ------------- + Performance tuning has been applied, to speed up execution of the audit on + systems with many files. This also includes code cleanups. - Software support: - Apache module directory /usr/lib64/apache has been added, which is used on openSUSE. - Support for Chef has been added. 
+ * Automatic updates + ------------------- + Initial work on an automatic updater has been implemented. This way Lynis + can be scheduled for automatic updating from a trusted source. - File integrity: - Added tests for CSF's lfd utility for integrity monitoring on directories and - files. Related tests are FINT-4334 and FINT-4336. + * Internal functions + -------------------- + Not all systems have readlink, or the -f option of readlink. The + ShowSymlinkPath function has been extended with a Python based check, which + is often available. - Time sychronization: - Added support for Chrony time daemon and timesync daemon. Additionally NTP - sychronization status is checked when it is enabled. + * Software support + ------------------ + Apache module directory /usr/lib64/apache has been added, which is used on + openSUSE. - Other: - Check for permissions has been extended. - Python binary is now detected, to help with symlink detection. - Several new legal terms, for usage in banners, have been added. - In several files old tests have been removed, to further clean up the code. - The hardening index is inserted into the report, even if it is not displayed on screen. + Support for Chef has been added. - Bug fixes: - Nginx test showed error when access_log had multiple parameters + Added tests for CSF's lfd utility for integrity monitoring on directories and + files. Related tests are FINT-4334 and FINT-4336. - Functions: - Added AddSystemGroup function + Added support for Chrony time daemon and timesync daemon. Additionally NTP + sychronization status is checked when it is enabled. 
- New tests: - [PKGS-7366] Scan for debsecan utility on Debian systems - [PKGS-7410] Determine amount of installed kernel packages - [TIME-3106] Check synchronization status of NTP on systemd based systems - [CONT-8102] Docker daemon status and gather basic details - [CONT-8104] Check docker info for any Docker warnings - [CONT-8106] Check total, running and unused Docker containers + Improved single user mode protection on the rescue.service file. - Plugins: - [PLGN-2602] Disabled by default, as it may be too slow for some machines - [PLGN-3002] Extended with /sbin/nologin + * Other + ------- + Check for user permissions has been extended. + Python binary is now detected, to help with symlink detection. + Several new legal terms have been added, which are used for usage in banners. + In several files old tests have been removed, to further clean up the code. - Documentation: - A new document has been created to help with the process of upgrading Lynis. - It is available at https://cisofy.com/documentation/lynis/upgrading/ + * Bug fixes + --------- + Nginx test showed error when access_log had multiple parameters. + Tests using locate won't be performed if not present. + Fix false positive match on Squid unsafe ports [SQD-3624]. + The hardening index is now also inserted into the report if it is not displayed + on screen. 
+ + * Functions + --------- + Added AddSystemGroup function + + * New tests + --------- + Several new tests have been added: + + [PKGS-7366] Scan for debsecan utility on Debian systems + [PKGS-7410] Determine amount of installed kernel packages + [TIME-3106] Check synchronization status of NTP on systemd based systems + [CONT-8102] Docker daemon status and gather basic details + [CONT-8104] Check docker info for any Docker warnings + [CONT-8106] Check total, running and unused Docker containers + + * Plugins + --------- + + [PLGN-2602] Disabled by default, as it may be too slow for some machines + [PLGN-3002] Extended with /sbin/nologin + + * Documentation + --------------- + A new document has been created to help with the process of upgrading Lynis. + It is available at https://cisofy.com/documentation/lynis/upgrading/ -------------------------------------------------------------- - = Lynis 2.1.0 (2015-04-16) = + = Lynis 2.1.0 (2015-04-16) = - General: - --------- - Screen output has been improved to provide additional information. + * General + --------- + Screen output has been improved to provide additional information. - OS support: - ------------ - CUPS detection on Mac OS has been improved. AIX systems will now use csum - utility to create host ID. Group check have been altered on AIX, to include - the -n ALL. Core dump check on Linux is extended to check for actual values - as well. + * OS support + ------------ + CUPS detection on Mac OS has been improved. AIX systems will now use csum + utility to create host ID. Group check have been altered on AIX, to include + the -n ALL. Core dump check on Linux is extended to check for actual values + as well. - Software: - ---------- - McAfee detection has been extended by detecting a running cma binary. - Improved detection of pf firewall on BSD and Mac OS. Security patch checking - with zypper extended. + * Software + ---------- + McAfee detection has been extended by detecting a running cma binary. 
+ Improved detection of pf firewall on BSD and Mac OS. Security patch checking + with zypper extended. - Session timeout: - ----------------- - Tests to determine shell time out setting have been extended to account for - AIX, HP-UX and other platforms. It will now determine also if variable is - exported as a readonly variable. Related compliance section PCI DSS 8.1.8 - has been extended. + * Session timeout + ----------------- + Tests to determine shell time out setting have been extended to account for + AIX, HP-UX and other platforms. It will now determine also if variable is + exported as a readonly variable. Related compliance section PCI DSS 8.1.8 + has been extended. - Documentation: - --------------- - - New document: Getting started with Lynis - https://cisofy.com/documentation/lynis/get-started/ + * Documentation + --------------- + - New document: Getting started with Lynis + https://cisofy.com/documentation/lynis/get-started/ - Plugins (Enterprise): - ---------------------- - - Update to file integrity plugin - Changes to PLGN-2606 (capabilities check) + * Plugins (Enterprise) + ---------------------- + - Update to file integrity plugin + Changes to PLGN-2606 (capabilities check) - - New configuration plugins: - PLGN-4802 (SSH settings) - PLGN-4804 (login.defs) + - New configuration plugins: + PLGN-4802 (SSH settings) + PLGN-4804 (login.defs) - Download link: https://cisofy.com/download/lynis/ + Download link: https://cisofy.com/download/lynis/ -------------------------------------------------------------- From c998924b51c019f20acff2899a9c6dbb83d1251e Mon Sep 17 00:00:00 2001 From: Mark Ruys Date: Fri, 24 Jul 2015 15:11:39 +0200 Subject: [PATCH 039/122] Fix STRG-1840 (Check for disabled USB storage) --- include/tests_storage | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/include/tests_storage b/include/tests_storage index 796e07d3..dbae4aca 100644 --- a/include/tests_storage +++ b/include/tests_storage 
@@ -33,7 +33,7 @@
 if [ -d /etc/modprobe.d ]; then
 FIND=`ls /etc/modprobe.d/* 2> /dev/null`
 if [ ! "${FIND}" = "" ]; then
- FIND=`grep -r "install usb-storage /bin/(false|true)" /etc/modprobe.d/* | grep "usb-storage" | grep -v "#"`
+ FIND=`grep -r "install usb-storage /bin/\(false\|true\)" /etc/modprobe.d/* | grep "usb-storage" | grep -v "#"`
 FIND2=`egrep -r "^blacklist (usb_storage|usb-storage)" /etc/modprobe.d/*`
 if [ ! "${FIND}" = "" -o ! "${FIND2}" = "" ]; then
 FOUND=1
@@ -44,7 +44,7 @@
 fi
 fi
 if [ -f /etc/modprobe.conf ]; then
- FIND=`grep "install usb-storage /bin/(false|true)" /etc/modprobe.conf | grep "usb-storage" | grep -v "#"`
+ FIND=`grep "install usb-storage /bin/\(false\|true\)" /etc/modprobe.conf | grep "usb-storage" | grep -v "#"`
 if [ ! "${FIND}" = "" ]; then
 FOUND=1
 logtext "Result: found usb-storage driver in disabled state"
From 25c8567b572f44b2e86a99a084714c115252a830 Mon Sep 17 00:00:00 2001
From: Martijn Pepping
Date: Fri, 24 Jul 2015 23:58:50 +0200
Subject: [PATCH 040/122] Fixed an comparison error when Docker is present, but the daemon is not running (or unset).
---
 include/tests_containers | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/include/tests_containers b/include/tests_containers
index dcd4d238..ce350aee 100644
--- a/include/tests_containers
+++ b/include/tests_containers
@@ -119,6 +119,9 @@
 # Check total of containers
 logtext "Test: checking total amount of Docker containers"
 DOCKER_CONTAINERS_TOTAL=`${DOCKERBINARY} info 2> /dev/null | grep "^Containers: " | awk '{ print $2 }'`
+ if [ ${DOCKER_CONTAINERS_TOTAL} -z ]; then
+ DOCKER_CONTAINERS_TOTAL=0
+ fi
 logtext "Result: docker info shows ${DOCKER_CONTAINERS_TOTAL} containers"
 DOCKER_CONTAINERS_TOTAL2=`${DOCKERBINARY} ps -a 2> /dev/null | grep -v "CONTAINER" | wc -l`
 logtext "Result: docker ps -a shows ${DOCKER_CONTAINERS_TOTAL2} containers"
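Review bot: The old pattern failed because `(false|true)` is ERE syntax that plain `grep` reads literally, and the fix escapes it into `\(false\|true\)`, where `\|` alternation is a GNU extension to basic regular expressions rather than portable syntax; the FIND2 line two lines below already solves the same problem with `egrep`, so `FIND=\`egrep -r "install usb-storage /bin/(false|true)" /etc/modprobe.d/* | grep -v "#"\`` keeps both checks in one dialect (the middle `grep "usb-storage"` cannot change the result and can go). The second hunk of this commit, the /etc/modprobe.conf check, has the same issue. Separately, `grep -v "#"` drops any matching line that carries a trailing comment, so an `install usb-storage /bin/false` entry followed by a `#` remark would be counted as not disabled; `grep -v "^[[:space:]]*#"` would exclude only commented-out lines. The enclosing test body starts before this hunk.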
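Review bot: `[ ${DOCKER_CONTAINERS_TOTAL} -z ]` puts the operand before the unary operator, so it does not test what it intends: an empty value collapses to `[ -z ]`, which `test` treats as a one-argument non-empty-string check and accepts by accident, while a real count such as `3` becomes `[ 3 -z ]` and produces a "binary operator expected" error on every host where the daemon is running. The intended guard is `if [ -z "${DOCKER_CONTAINERS_TOTAL}" ]; then`. The enclosing test body starts before this hunk.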
@@ -131,7 +134,7 @@ fi # Check running instances - DOCKER_CONTAINERS_RUNNING=`${DOCKERBINARY} ps | grep -v "CONTAINER" | wc -l` + DOCKER_CONTAINERS_RUNNING=`${DOCKERBINARY} ps 2> /dev/null | grep -v "CONTAINER" | wc -l` Display --indent 8 --text "- Running containers" --result "${DOCKER_CONTAINERS_RUNNING}" --color GREEN if [ ${DOCKER_CONTAINERS_RUNNING} -gt 0 ]; then logtext "Result: ${DOCKER_CONTAINERS_RUNNING} containers are currently active" From 919e48001d01d00dce08aaa1714611dfbe5ab922 Mon Sep 17 00:00:00 2001 From: Mark Ruys Date: Mon, 27 Jul 2015 12:38:13 +0200 Subject: [PATCH 041/122] More reliable and often faster check to determine virtualization. --- include/functions | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/include/functions b/include/functions index d2db98ce..ff9591db 100644 --- a/include/functions +++ b/include/functions @@ -590,6 +590,19 @@ # 0 = no, 1 = yes, 2 = unknown ISVIRTUALMACHINE=2; VMTYPE="unknown"; VMFULLTYPE="Unknown" + # Trying facter + if [ -x /usr/bin/facter ]; then + case "`facter is_virtual`" in + "true") + VMTYPE=`facter virtual` + logtext "Result: found virtual machine (type: ${VMTYPE})" + report "vm=1" + report "vmtype=${VMTYPE}" + return ;; + "false") return ;; + esac + fi + SHORT="" # Trying systemd @@ -601,6 +614,13 @@ fi fi + # # dmidecode + # if [ "${SHORT}" = "" ]; then + # if [ -x /usr/sbin/dmidecode ]; then + # SHORT=`dmidecode -s system-product-name` + # fi + # fi + # lshw if [ "${SHORT}" = "" ]; then if [ -x /usr/bin/lshw ]; then From c1533442406ad788c5b55bde4f312b04becd0888 Mon Sep 17 00:00:00 2001 From: mboelen Date: Wed, 19 Aug 2015 15:31:24 +0200 Subject: [PATCH 042/122] Capture self-signed certificates during upload with cURL --- include/data_upload | 21 ++++++++++++++------- 1 file changed, 14 insertions(+), 7 deletions(-) diff --git a/include/data_upload b/include/data_upload index 821deaa9..e5fad676 100644 --- a/include/data_upload +++ b/include/data_upload 
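Review bot: Neither arm of the new `case` updates ISVIRTUALMACHINE, so after facter answers the function returns with the value 2 ("unknown") that the preceding line assigned, even though the "true" arm reports `vm=1`; the arms should set `ISVIRTUALMACHINE=1` and `ISVIRTUALMACHINE=0` respectively before returning, and the "true" arm also leaves VMFULLTYPE at "Unknown". The guard checks `-x /usr/bin/facter` but both invocations run bare `facter`, which resolves through PATH and so may execute a different binary than the one just tested; for a tool that usually runs as root, call the path that was checked (or a detected-binary variable, if the binary discovery elsewhere provides one for facter). The enclosing function starts and ends outside this hunk.
```shell
# Trying facter
if [ -x /usr/bin/facter ]; then
    case "`/usr/bin/facter is_virtual`" in
        "true")
            ISVIRTUALMACHINE=1
            VMTYPE=`/usr/bin/facter virtual`
            logtext "Result: found virtual machine (type: ${VMTYPE})"
            report "vm=1"
            report "vmtype=${VMTYPE}"
            return ;;
        "false")
            ISVIRTUALMACHINE=0
            return ;;
    esac
fi
# … unchanged: SHORT="" and the systemd/lshw probes …
```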
@@ -119,13 +119,20 @@ output "Settings file: ${SETTINGS_FILE}"
 # Try to connect
 output "Uploading data.."
 logtext "Command used: ${CURLBINARY} ${CURL_OPTIONS} -s -S --data-urlencode \"data@${REPORTFILE}\" --data-urlencode \"licensekey=${LICENSE_KEY}\" --data-urlencode \"hostid=${HOSTID}\" ${UPLOAD_URL}"
- UPLOAD=`${CURLBINARY} ${CURL_OPTIONS} -s -S --data-urlencode "data@${REPORTFILE}" --data-urlencode "licensekey=${LICENSE_KEY}" --data-urlencode "hostid=${HOSTID}" ${UPLOAD_URL}`
- if [ $? -gt 0 ]; then
- #UPLOAD_CODE=`echo ${UPLOAD} | head -n 1 | awk '{ print $2 }'`
- #output "Output code from upload: ${UPLOAD_CODE}"
- output "${RED}Error occurred, please check documentation for code ${UPLOAD_CODE}.${NORMAL}"
- output "Debug:"
- output ${UPLOAD}
+ UPLOAD=`${CURLBINARY} ${CURL_OPTIONS} -s -S --data-urlencode "data@${REPORTFILE}" --data-urlencode "licensekey=${LICENSE_KEY}" --data-urlencode "hostid=${HOSTID}" ${UPLOAD_URL} 2> /dev/null`
+ EXITCODE=$?
+ if [ ${EXITCODE} -gt 0 ]; then
+ if [ ${EXITCODE} -eq 60 ]; then
+ output "${RED}Self-signed certificate used on Lynis Enterprise node${NORMAL}"
+ output "If you want to accept a self-signed certificate, use the -k option in the profile."
+ output "Example: ${WHITE}config:upload_options:-k:${NORMAL}"
+ else
+ #UPLOAD_CODE=`echo ${UPLOAD} | head -n 1 | awk '{ print $2 }'`
+ #output "Output code from upload: ${UPLOAD_CODE}"
+ output "${RED}Error occurred, please check documentation for code ${UPLOAD_CODE}.${NORMAL}"
+ output "Debug:"
+ output ${UPLOAD}
+ fi
 # Quit
 ExitClean
 fi
From e4e26930b08b50815c8f927674ce5fb8d95c36ba Mon Sep 17 00:00:00 2001
From: mboelen
Date: Wed, 19 Aug 2015 15:32:04 +0200
Subject: [PATCH 043/122] Ensure that Lynis does not wait in quick mode
---
 lynis | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lynis b/lynis
index eaad013c..c3ac0843 100755
--- a/lynis
+++ b/lynis
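Review bot: The exit-code-60 branch steers the user to `-k`, which disables certificate verification for the whole upload rather than trusting one self-signed certificate, so the license key and the complete audit report in REPORTFILE would afterwards be accepted by any endpoint answering at UPLOAD_URL; the message should point at cURL's `--cacert` option with the node's own certificate file, e.g. `output "Example: ${WHITE}config:upload_options:--cacert /path/to/node.crt:${NORMAL}"` (path illustrative), and mention `-k` at most for a throw-away test. The added `2> /dev/null` also discards the error text that `-S` was passed to obtain, so the non-60 branch prints a UPLOAD_CODE this block no longer computes (the assignment is commented out) and nothing about the real cause; capturing stderr into the log would keep that diagnostic. The same -k advice reappears in the license-check hunk of the following commit. Note that the `logtext "Command used: ..."` context line above records LICENSE_KEY in the log file, which is worth masking separately. The enclosing block starts before this hunk.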
@@ -417,7 +417,7 @@ echo "" echo " ###################################################################" echo "${NORMAL}"; echo "" - if [ ${NEVERBREAK} -eq 0 ]; then read void; fi + if [ ${QUICKMODE} -eq 0 ]; then read void; fi fi # ################################################################################# From 2e87b8fde91f5a40ec2db1edd1ed22e5ce420cb7 Mon Sep 17 00:00:00 2001 From: mboelen Date: Wed, 19 Aug 2015 15:51:52 +0200 Subject: [PATCH 044/122] Apply additional checks on first cURL command execution --- include/data_upload | 38 +++++++++++++++++++++++--------------- 1 file changed, 23 insertions(+), 15 deletions(-) diff --git a/include/data_upload b/include/data_upload index e5fad676..577a3dd8 100644 --- a/include/data_upload +++ b/include/data_upload @@ -90,7 +90,18 @@ output "Settings file: ${SETTINGS_FILE}" if [ -f ${REPORTFILE} ]; then output "${WHITE}Report file found.${NORMAL} Starting with connectivity check.." # Quit if license is not valid, to reduce load on both client and server. - UPLOAD=`${CURLBINARY} ${CURL_OPTIONS} -s -S --data-urlencode "licensekey=${LICENSE_KEY}" --data-urlencode "collector_version=${PROGRAM_VERSION}" ${LICENSE_SERVER_URL}` + UPLOAD=`${CURLBINARY} ${CURL_OPTIONS} -s -S --data-urlencode "licensekey=${LICENSE_KEY}" --data-urlencode "collector_version=${PROGRAM_VERSION}" ${LICENSE_SERVER_URL} 2> /dev/null` + EXITCODE=$? + if [ ${EXITCODE} -gt 0 ]; then + if [ ${EXITCODE} -eq 60 ]; then + output "${RED}Self-signed certificate used on Lynis Enterprise node${NORMAL}" + output "If you want to accept a self-signed certificate, use the -k option in the profile." + output "Example: ${WHITE}config:upload_options:-k:${NORMAL}" + else + output "${RED}Error: ${NORMAL}cURL exited with code ${EXITCODE}" + fi + ExitFatal + fi UPLOAD_CODE=`echo ${UPLOAD} | head -n 1 | awk '{ if ($1=="Response") { print $2 }}'` if [ "${UPLOAD_CODE}" = "100" ]; then output "${WHITE}License is valid${NORMAL}" 
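Review bot: cURL exit code 60 means the peer certificate could not be verified against the trust store, which covers an expired or wrongly issued certificate, a host without a CA bundle, or a certificate interposed on the path to the node, not only a self-signed one, so labelling it "Self-signed certificate used on Lynis Enterprise node" and answering with `-k` can talk a user into disabling verification in exactly the situation verification exists to catch; `output "${RED}Certificate of the Lynis Enterprise node could not be verified (cURL exit code 60)${NORMAL}"` describes the condition and leaves the remedy to the certificate-trust guidance. The else branch prints only the exit code while the `2> /dev/null` on the cURL line discarded the message that `-S` asks for; logging that text would make the number actionable. The enclosing block starts before this hunk.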
@@ -110,7 +121,7 @@ output "Settings file: ${SETTINGS_FILE}" echo "Key: ${LICENSE_KEY}" output "Debug information: ${UPLOAD}" # Quit - ExitClean + ExitFatal fi # Extract the hostid from the parse file HOSTID=`cat ${REPORTFILE} | grep "^hostid=" | awk -F= '{ print $2 }'` @@ -122,27 +133,24 @@ output "Settings file: ${SETTINGS_FILE}" UPLOAD=`${CURLBINARY} ${CURL_OPTIONS} -s -S --data-urlencode "data@${REPORTFILE}" --data-urlencode "licensekey=${LICENSE_KEY}" --data-urlencode "hostid=${HOSTID}" ${UPLOAD_URL} 2> /dev/null` EXITCODE=$? if [ ${EXITCODE} -gt 0 ]; then - if [ ${EXITCODE} -eq 60 ]; then - output "${RED}Self-signed certificate used on Lynis Enterprise node${NORMAL}" - output "If you want to accept a self-signed certificate, use the -k option in the profile." - output "Example: ${WHITE}config:upload_options:-k:${NORMAL}" - else - #UPLOAD_CODE=`echo ${UPLOAD} | head -n 1 | awk '{ print $2 }'` - #output "Output code from upload: ${UPLOAD_CODE}" - output "${RED}Error occurred, please check documentation for code ${UPLOAD_CODE}.${NORMAL}" - output "Debug:" - output ${UPLOAD} - fi + #UPLOAD_CODE=`echo ${UPLOAD} | head -n 1 | awk '{ print $2 }'` + #output "Output code from upload: ${UPLOAD_CODE}" + output "${RED}Error: ${NORMAL}Error occurred, cURL ended during the upload of the report data." + output "Related exit code: ${EXITCODE}" + output "Check the last section of the log file for the exact command used, for further troubleshooting" + output "Debug:" + output ${UPLOAD} # Quit ExitClean fi else - echo "${RED}Fatal error${NORMAL}: No hostid found in report file. Can not upload report file." + echo "${RED}Error${NORMAL}: No hostid found in report file. Can not upload report file." # Quit - ExitClean + ExitFatal fi else output "${YELLOW}No report file found to upload.${NORMAL}" + ExitFatal fi # From 8c1e1f29a3f2b926f191983eec1aa716cae26aec Mon Sep 17 00:00:00 2001 
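Review bot: The report-upload failure path still ends in `ExitClean` while this commit moves every other failure in the file to `ExitFatal`, so a failed upload exits with a success status for whatever scheduled the run; `ExitFatal` there too keeps the contract consistent. `output ${UPLOAD}` is unquoted, so a response body containing spaces, `*` or `?` is word-split and glob-expanded before it is shown; `output "${UPLOAD}"` prints it as received (assuming `output` passes its argument through), and the same applies to the `echo ${UPLOAD}` that the later "Show help on screen" commit introduces. Since UPLOAD is an unfiltered HTTP response from the network, printing it raw to a terminal also forwards any escape sequences it contains. The enclosing block starts before this hunk.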
From: mboelen
Date: Wed, 19 Aug 2015 16:02:50 +0200
Subject: [PATCH 045/122] Additional logging
---
 include/data_upload | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/include/data_upload b/include/data_upload
index 577a3dd8..68b07093 100644
--- a/include/data_upload
+++ b/include/data_upload
@@ -97,9 +97,12 @@ output "Settings file: ${SETTINGS_FILE}"
 output "${RED}Self-signed certificate used on Lynis Enterprise node${NORMAL}"
 output "If you want to accept a self-signed certificate, use the -k option in the profile."
 output "Example: ${WHITE}config:upload_options:-k:${NORMAL}"
+ logtext "Result: found self-signed certificate, however not related -k upload option"
 else
 output "${RED}Error: ${NORMAL}cURL exited with code ${EXITCODE}"
+ logtext "Result: cURL exited with code ${EXITCODE}"
 fi
+ logtext "Result: quitting, can't check license"
 ExitFatal
 fi
 UPLOAD_CODE=`echo ${UPLOAD} | head -n 1 | awk '{ if ($1=="Response") { print $2 }}'`
From 0c2a9daef9d4e9bc83faffe9e0b27fe5b4f1da36 Mon Sep 17 00:00:00 2001
From: mboelen
Date: Wed, 19 Aug 2015 16:19:14 +0200
Subject: [PATCH 046/122] Show help on screen
---
 include/data_upload | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/include/data_upload b/include/data_upload
index 68b07093..bff4ee83 100644
--- a/include/data_upload
+++ b/include/data_upload
@@ -94,9 +94,9 @@ output "Settings file: ${SETTINGS_FILE}" EXITCODE=$? if [ ${EXITCODE} -gt 0 ]; then if [ ${EXITCODE} -eq 60 ]; then - output "${RED}Self-signed certificate used on Lynis Enterprise node${NORMAL}" - output "If you want to accept a self-signed certificate, use the -k option in the profile." - output "Example: ${WHITE}config:upload_options:-k:${NORMAL}" + echo "${RED}Self-signed certificate used on Lynis Enterprise node${NORMAL}" + echo "If you want to accept a self-signed certificate, use the -k option in the profile." + echo "Example: ${WHITE}config:upload_options:-k:${NORMAL}" logtext "Result: found self-signed certificate, however not related -k upload option" else output "${RED}Error: ${NORMAL}cURL exited with code ${EXITCODE}" @@ -138,11 +138,11 @@ output "Settings file: ${SETTINGS_FILE}" if [ ${EXITCODE} -gt 0 ]; then #UPLOAD_CODE=`echo ${UPLOAD} | head -n 1 | awk '{ print $2 }'` #output "Output code from upload: ${UPLOAD_CODE}" - output "${RED}Error: ${NORMAL}Error occurred, cURL ended during the upload of the report data." - output "Related exit code: ${EXITCODE}" - output "Check the last section of the log file for the exact command used, for further troubleshooting" - output "Debug:" - output ${UPLOAD} + echo "${RED}Error: ${NORMAL}Error occurred, cURL ended during the upload of the report data." + echo "Related exit code: ${EXITCODE}" + echo "Check the last section of the log file for the exact command used, for further troubleshooting" + echo "Debug:" + echo ${UPLOAD} # Quit ExitClean fi From 7bd91675feae33fbc2131ac839798ead438ce2f9 Mon Sep 17 00:00:00 2001 From: mboelen Date: Wed, 19 Aug 2015 16:20:21 +0200 Subject: [PATCH 047/122] Improved debug logging --- include/data_upload | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/include/data_upload b/include/data_upload index bff4ee83..d7bf1401 100644 --- a/include/data_upload +++ b/include/data_upload 
@@ -96,8 +96,8 @@ output "Settings file: ${SETTINGS_FILE}" if [ ${EXITCODE} -eq 60 ]; then echo "${RED}Self-signed certificate used on Lynis Enterprise node${NORMAL}" echo "If you want to accept a self-signed certificate, use the -k option in the profile." - echo "Example: ${WHITE}config:upload_options:-k:${NORMAL}" - logtext "Result: found self-signed certificate, however not related -k upload option" + echo "Example: ${WHITE}config:upload_options:-k:${NORMAL}" + logtext "Result: found self-signed certificate, however cURL -k option not used." else output "${RED}Error: ${NORMAL}cURL exited with code ${EXITCODE}" logtext "Result: cURL exited with code ${EXITCODE}" From cf9b12ca5b1baddfae247a236d2daefc41d92130 Mon Sep 17 00:00:00 2001 From: mboelen Date: Thu, 20 Aug 2015 18:36:07 +0200 Subject: [PATCH 048/122] Version bump --- lynis | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lynis b/lynis index c3ac0843..b81fc1a0 100755 --- a/lynis +++ b/lynis @@ -22,8 +22,8 @@ # # Program information PROGRAM_name="Lynis" - PROGRAM_version="2.1.1" - PROGRAM_releasedate="22 July 2015" + PROGRAM_version="2.1.2" + PROGRAM_releasedate="20 August 2015" PROGRAM_author="CISOfy" PROGRAM_author_contact="lynis-dev@cisofy.com" PROGRAM_website="https://cisofy.com" From 649f0cfb3c1c1bff7976a11c86a069ffd097d35a Mon Sep 17 00:00:00 2001 From: mboelen Date: Thu, 20 Aug 2015 18:37:03 +0200 Subject: [PATCH 049/122] Improved BOOT-5180 detection for newer systems like Debian 8 and screen output enhancement --- include/tests_boot_services | 25 ++++++++++++++++++++----- 1 file changed, 20 insertions(+), 5 deletions(-) diff --git a/include/tests_boot_services b/include/tests_boot_services index 5ce609f8..014acc67 100644 --- a/include/tests_boot_services +++ b/include/tests_boot_services @@ -24,6 +24,7 @@ # BOOT_LOADER="unknown" BOOT_LOADER_FOUND=0 + BOOT_LOADER_SEARCHED=0 GRUB_VERSION=0 SERVICE_MANAGER="unknown" # 
@@ -34,6 +35,7 @@ # Notes : The AIX bootstrap is called as software ROS. Bootstrap contains IPL (Initial Program loader) Register --test-no BOOT-5102 --os AIX --weight L --network NO --root-only YES --description "Check for AIX boot device" if [ ${SKIPTEST} -eq 0 ]; then + BOOT_LOADER_SEARCHED=1 logtext "Test: Query bootinfo for AIX boot device" if [ -x /usr/sbin/bootinfo ]; then FIND=`/usr/sbin/bootinfo -b` @@ -61,6 +63,7 @@ # upstart - Used by Debian/Ubuntu Register --test-no BOOT-5104 --weight L --network NO --description "Determine service manager" if [ ${SKIPTEST} -eq 0 ]; then + BOOT_LOADER_SEARCHED=1 case ${OS} in "Linux") if [ -f /proc/1/cmdline ]; then @@ -120,6 +123,7 @@ # Description : Check for GRUB boot loader Register --test-no BOOT-5121 --weight L --network NO --description "Check for GRUB boot loader presence" if [ ${SKIPTEST} -eq 0 ]; then + BOOT_LOADER_SEARCHED=1 FOUND=0 logtext "Test: Checking for presence GRUB conf file (/boot/grub/grub.conf or /boot/grub/menu.lst)" if [ -f /boot/grub/grub.conf -o -f /boot/grub/menu.lst ]; then @@ -204,6 +208,7 @@ # Description : Check for FreeBSD boot loader Register --test-no BOOT-5124 --os FreeBSD --weight L --network NO --description "Check for FreeBSD boot loader presence" if [ ${SKIPTEST} -eq 0 ]; then + BOOT_LOADER_SEARCHED=1 if [ -f /boot/boot1 -a -f /boot/boot2 -a -f /boot/loader ]; then logtext "Result: found boot1, boot2 and loader files in /boot" Display --indent 2 --text "- Checking presence FreeBSD loader" --result FOUND --color GREEN @@ -220,6 +225,7 @@ # Description : Check for NetBSD boot loader Register --test-no BOOT-5126 --os NetBSD --weight L --network NO --description "Check for NetBSD boot loader presence" if [ ${SKIPTEST} -eq 0 ]; then + BOOT_LOADER_SEARCHED=1 if [ -f /boot.${HARDWARE} -o -f /boot -o -f /ofwboot ]; then logtext "Result: found NetBSD secondary bootstrap" Display --indent 2 --text "- Checking presence NetBSD loader" --result FOUND --color GREEN 
@@ -238,6 +244,7 @@ # Notes : password= or password = Register --test-no BOOT-5139 --weight L --network NO --description "Check for LILO boot loader presence" if [ ${SKIPTEST} -eq 0 ]; then + BOOT_LOADER_SEARCHED=1 LILOCONFFILE="/etc/lilo.conf" logtext "Test: checking for presence LILO configuration file" if [ -f ${LILOCONFFILE} ]; then @@ -274,6 +281,7 @@ # Description : Check for SILO boot loader Register --test-no BOOT-5142 --weight L --network NO --description "Check SPARC Improved boot loader (SILO)" if [ ${SKIPTEST} -eq 0 ]; then + BOOT_LOADER_SEARCHED=1 if [ -f /etc/silo.conf ]; then logtext "Result: Found SILO configuration file (/etc/silo.conf)" Display --indent 2 --text "- Checking boot loader SILO" --result FOUND --color GREEN @@ -310,6 +318,7 @@ # Description : Check for YABOOT boot loader Register --test-no BOOT-5155 --weight L --network NO --description "Check for YABOOT boot loader configuration file" if [ ${SKIPTEST} -eq 0 ]; then + BOOT_LOADER_SEARCHED=1 logtext "Test: Check for /etc/yaboot.conf" if [ -f /etc/yaboot.conf ]; then logtext "Result: Found YABOOT configuration file (/etc/yaboot.conf)" @@ -328,6 +337,7 @@ # More info : Only OpenBSD Register --test-no BOOT-5159 --os OpenBSD --weight L --network NO --description "Check for OpenBSD boot loader presence" if [ ${SKIPTEST} -eq 0 ]; then + BOOT_LOADER_SEARCHED=1 FOUND=0 # Boot files # /usr/mdec/biosboot: first stage bootstrap @@ -365,7 +375,7 @@ # ################################################################################# # - if [ ${BOOT_LOADER_FOUND} -eq 0 ]; then + if [ ${BOOT_LOADER_FOUND} -eq 0 -a ${BOOT_LOADER_SEARCHED} -eq 1 ]; then # Your boot loader is not detected. Want to help supporting it, see the README ReportException "BOOTLOADER" "No boot loader found" Display --indent 4 --text "- Boot loader" --result "NONE FOUND" --color RED 
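Review bot: The new guard in `@@ -365,7 +375,7 @@` assumes `BOOT_LOADER_SEARCHED` is set only by boot-loader tests, yet the `@@ -61,6 +63,7 @@` hunk of this patch also sets it in BOOT-5104, which determines the service manager and is registered without an `--os` filter; on a host where every real boot-loader test is skipped but BOOT-5104 runs, "No boot loader found" is still reported. Drop the `BOOT_LOADER_SEARCHED=1` line from BOOT-5104 (and reconsider BOOT-5102, which checks the AIX boot device rather than a loader) so the flag means what the condition reads into it. The block containing `ReportException "BOOTLOADER"` ends outside the hunk.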
@@ -460,12 +470,15 @@ # # Test : BOOT-5180 # Description : Check for Linux boot services (Debian style) + # Notes : Debian 8+ shows runlevel 5 if [ "${LINUX_VERSION}" = "Debian" -o "${LINUX_VERSION}" = "Ubuntu" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no BOOT-5180 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --description "Check for Linux boot services (Debian style)" if [ ${SKIPTEST} -eq 0 ]; then # Runlevel check - sRUNLEVEL=`${RUNLEVELBINARY} | grep "N 2"` - if [ ! "${sRUNLEVEL}" = "" ]; then + sRUNLEVEL=`${RUNLEVELBINARY} | grep "N [0-9]" | awk '{ print $2} '` + logtext "Result: found runlevel ${sRUNLEVEL}" + if [ "${sRUNLEVEL}" = "2" ]; then + logtext "Result: performing find in /etc/rc2.d as runlevel 2 is found" FIND=`find /etc/rc2.d -type l -print | cut -d '/' -f4 | sed "s/S[0-9][0-9]//g" | sort` if [ ! "${FIND}" = "" ]; then N=0 @@ -475,10 +488,12 @@ done Display --indent 2 --text "- Check services at startup (rc2.d)" --result "DONE" --color WHITE Display --indent 4 --text "Result: found $N services" - logtext "Found $N services" + logtext "Result: found $N services" fi - else + elif [ "${sRUNLEVEL}" = "" ]; then ReportSuggestion ${TEST_NO} "Determine runlevel and services at startup" + else + logtext "Result: skipping further actions" fi fi # From 210ba41a3c2c43041fa4ba40e9e0b0676052a2b8 Mon Sep 17 00:00:00 2001 From: mboelen Date: Thu, 20 Aug 2015 18:46:06 +0200 Subject: [PATCH 050/122] Improved umask detection and logging --- include/tests_authentication | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/include/tests_authentication b/include/tests_authentication index b00ef5ad..d4e9463b 100644 --- a/include/tests_authentication +++ b/include/tests_authentication 
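Review bot: `grep "N [0-9]"` in the first hunk only matches while the previous runlevel is `N`; after a runlevel switch `runlevel` prints the previous and current level as two digits, `sRUNLEVEL` comes back empty and the test reports "Determine runlevel and services at startup" although the current level is known. Reading the second field directly, `sRUNLEVEL=\`${RUNLEVELBINARY} | awk '{ print $2 }'\``, gives the current level in both cases and still yields an empty string for the single-word `unknown` output, so the suggestion branch keeps working. The awk program `'{ print $2} '` also carries a stray space inside the quotes, harmless but easy to misread. The `if [ ${SKIPTEST} -eq 0 ]` block spans both hunks.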
@@ -813,7 +813,9 @@ #FIND2=`egrep "^([[:space:]])([[:tab:]])*umask" /etc/profile | awk '{ print $2 }' | wc -l` WEAK_UMASK=0 FOUND_UMASK=0 - if [ "${FIND2}" = "1" ]; then + if [ "${FIND2}" = "0" ]; then + logtext "Result: did not find umask in /etc/profile" + elif [ "${FIND2}" = "1" ]; then logtext "Result: found umask (prefixed with spaces)" FOUND_UMASK=1 if [ ! "${FIND}" = "077" -a ! "${FIND}" = "027" ]; then @@ -824,7 +826,7 @@ fi # Found more than 1 umask value in profile else - logtext "Result: found several umask values configured in /etc/profile" + logtext "Result: found multiple umask values configured in /etc/profile" FOUND_UMASK=1 for I in ${FIND}; do if [ ! "${I}" = "077" -a ! "${I}" = "027" ]; then @@ -861,7 +863,7 @@ logtext "Test: Checking umask entries in /etc/passwd (pam_umask)" if [ -f /etc/passwd ]; then logtext "Result: file /etc/passwd exists" - logtext "Test: Checking umask value in /etc/profile" + logtext "Test: Checking umask value in /etc/passwd" FIND=`grep "umask=" /etc/passwd` if [ "${FIND}" = "" ]; then ReportManual "AUTH-9328:03" @@ -873,7 +875,7 @@ # /etc/login.defs logtext "Test: Checking /etc/login.defs" if [ -f /etc/login.defs ]; then - logtext "Result: file /etc/profile exists" + logtext "Result: file /etc/login.defs exists" logtext "Test: Checking umask value in /etc/login.defs" FIND=`grep "^UMASK" /etc/login.defs | awk '{ print $2 }'` if [ "${FIND}" = "" ]; then From d1ae757240bfe0a8c9e45026e5cc330ae541bcd5 Mon Sep 17 00:00:00 2001 From: mboelen Date: Thu, 20 Aug 2015 18:50:30 +0200 Subject: [PATCH 051/122] Replaced -z for empty string testing --- include/tests_containers | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/tests_containers b/include/tests_containers index ce350aee..c8c81fe0 100644 --- a/include/tests_containers +++ b/include/tests_containers 
@@ -119,7 +119,7 @@ # Check total of containers logtext "Test: checking total amount of Docker containers" DOCKER_CONTAINERS_TOTAL=`${DOCKERBINARY} info 2> /dev/null | grep "^Containers: " | awk '{ print $2 }'` - if [ ${DOCKER_CONTAINERS_TOTAL} -z ]; then + if [ "${DOCKER_CONTAINERS_TOTAL}" = "" ]; then DOCKER_CONTAINERS_TOTAL=0 fi logtext "Result: docker info shows ${DOCKER_CONTAINERS_TOTAL} containers" From 3251b4a6a6b7a02d4b2ae23af7cfeba17009d6f3 Mon Sep 17 00:00:00 2001 From: mboelen Date: Mon, 31 Aug 2015 13:22:28 +0200 Subject: [PATCH 052/122] Added full author name --- lynis | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lynis b/lynis index b81fc1a0..d49c4bf9 100755 --- a/lynis +++ b/lynis @@ -24,7 +24,7 @@ PROGRAM_name="Lynis" PROGRAM_version="2.1.2" PROGRAM_releasedate="20 August 2015" - PROGRAM_author="CISOfy" + PROGRAM_author="Michael Boelen, CISOfy" PROGRAM_author_contact="lynis-dev@cisofy.com" PROGRAM_website="https://cisofy.com" PROGRAM_copyright="Copyright 2007-2015 - ${PROGRAM_author}, ${PROGRAM_website}" From 7cb9e364c77cd67caa27081164e4d9588b3b74c4 Mon Sep 17 00:00:00 2001 From: mboelen Date: Mon, 31 Aug 2015 13:23:17 +0200 Subject: [PATCH 053/122] Proper filtering for IPv6 addresses --- include/tests_nameservices | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/include/tests_nameservices b/include/tests_nameservices index 6aedd833..0a7b8d56 100644 --- a/include/tests_nameservices +++ b/include/tests_nameservices @@ -566,7 +566,7 @@ if [ ${SKIPTEST} -eq 0 ]; then logtext "Test: Check /etc/hosts contains an entry for this server name" if [ -f /etc/hosts ]; then - sFIND=`cat /etc/hosts | egrep -v '^(#|$|::1|localhost)' | grep ${HOSTNAME}` + sFIND=`cat /etc/hosts | egrep -v '^(#|$|^::1\s|localhost)' | grep ${HOSTNAME}` if [ "${sFIND}" != "" ]; then logtext "Result: Found entry for ${HOSTNAME} in /etc/hosts" Display --indent 4 --text "- Checking /etc/hosts (hostname)" --result OK --color GREEN 
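Review bot: The `\s` added to the egrep pattern in the `@@ -566,7 +566,7 @@` hunk and in `@@ -587,7 +587,7 @@` is a GNU extension rather than POSIX ERE, so on the BSD and AIX targets Lynis supports the `::1` exclusion may silently stop matching; `[[:space:]]` is the portable spelling, and the inner `^` is redundant after the leading `^(`. The trailing `grep ${HOSTNAME}` still treats the hostname as an unanchored regular expression, so dots match any character and a short hostname matches inside longer names; `grep -w -F -- "${HOSTNAME}"` makes both pipelines test what their log messages claim (patch 064 later adds `-w` to the second line only). Both pipelines sit inside tests whose start is outside the hunks.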
@@ -587,7 +587,7 @@ Register --test-no NAME-4406 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check server hostname mapping" if [ ${SKIPTEST} -eq 0 ]; then logtext "Test: Check server hostname not locally mapped in /etc/hosts" - sFIND=`cat /etc/hosts | egrep -v '^(#|$)' | egrep '(localhost|::1)' | grep ${HOSTNAME}` + sFIND=`cat /etc/hosts | egrep -v '^(#|$)' | egrep '(localhost|^::1\s)' | grep ${HOSTNAME}` if [ ! "${sFIND}" = "" ]; then logtext "Result: Found this server hostname mapped to a local address" Display --indent 4 --text "- Checking /etc/hosts (localhost)" --result SUGGESTION --color YELLOW From 401bf26c910b4bdf60de7b1fd27f94ed98179378 Mon Sep 17 00:00:00 2001 From: mboelen Date: Tue, 1 Sep 2015 13:37:55 +0200 Subject: [PATCH 054/122] NIS improvement for test --- include/tests_authentication | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/include/tests_authentication b/include/tests_authentication index d4e9463b..dd48d80c 100644 --- a/include/tests_authentication +++ b/include/tests_authentication @@ -31,11 +31,12 @@ # Test : AUTH-9204 # Description : Check users with UID zero (0) + # Notes : Ignores :0: in file if match is in NIS related line Register --test-no AUTH-9204 --weight L --network NO --description "Check users with an UID of zero" if [ ${SKIPTEST} -eq 0 ]; then # Search accounts with UID 0 logtext "Test: Searching accounts with UID 0" - FIND=`grep ':0:' /etc/passwd | egrep -v '^#|^root:|^:0:0:::' | cut -d ":" -f1,3 | grep ':0'` + FIND=`grep ':0:' /etc/passwd | egrep -v '^#|^root:|^(\+:\*)?:0:0:::' | cut -d ":" -f1,3 | grep ':0'` if [ ! "${FIND}" = "" ]; then Display --indent 2 --text "- Search administrator accounts" --result WARNING --color RED logtext "Result: Found more than one administrator accounts" From d4b18129620904b345210b1a1896e4a406ba39d6 Mon Sep 17 00:00:00 2001 
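Review bot: In the AUTH-9204 hunk the final `grep ':0'` on the `name:uid` pairs is unanchored, so a UID written with leading zeros such as `01` or `0123` is reported as an administrator account; `grep ':0$'` makes it an exact UID-0 match, which is what the warning text promises. The new `^(\+:\*)?:0:0:::` exclusion covers the `+:*:0:0:::` compat spelling it was written for; any other NIS marker variant containing `:0:0:` would still be listed, which may be acceptable but deserves a word in the Notes line. The rest of the test is outside the hunk.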
From: mboelen Date: Tue, 1 Sep 2015 15:47:32 +0200 Subject: [PATCH 055/122] Changed screen output when finding old files in /tmp --- include/tests_filesystems | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/tests_filesystems b/include/tests_filesystems index 28dfab75..19e44669 100644 --- a/include/tests_filesystems +++ b/include/tests_filesystems @@ -297,7 +297,7 @@ Display --indent 2 --text "- Checking for old files in /tmp" --result OK --color GREEN logtext "Result: no files found in /tmp which are older than 3 months" else - Display --indent 2 --text "- Checking for old files in /tmp" --result WARNING --color RED + Display --indent 2 --text "- Checking for old files in /tmp" --result FOUND --color RED N=0 for I in ${FIND}; do FILE=`echo ${I} | sed 's/!space!/ /g'` From 8cefc0f7b9e948bf3da8a2d1c1abaacbb9b946f8 Mon Sep 17 00:00:00 2001 From: mboelen Date: Tue, 1 Sep 2015 15:49:50 +0200 Subject: [PATCH 056/122] Show different status on screen when expired SSL certificates were found --- include/tests_crypto | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/include/tests_crypto b/include/tests_crypto index 8db5eb69..d883e8b8 100644 --- a/include/tests_crypto +++ b/include/tests_crypto @@ -64,9 +64,9 @@ done if [ ${FOUNDPROBLEM} -eq 0 ]; then - Display --indent 2 --text "- Checking SSL certificate expiration" --result OK --color GREEN + Display --indent 2 --text "- Checking for expired SSL certificates" --result NONE --color GREEN else - Display --indent 2 --text "- Checking SSL certificate expiration" --result WARNING --color RED + Display --indent 2 --text "- Checking for expired SSL certificates" --result FOUND --color RED ReportSuggestion ${TEST_NO} "Check available certificates for expiration" fi fi From 18d97ce60e03e99e19d532c6fcaee01423ed3e26 Mon Sep 17 00:00:00 2001 
From: mboelen Date: Tue, 1 Sep 2015 15:50:14 +0200 Subject: [PATCH 057/122] Use different status for unused firewall rules --- include/tests_firewalls | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/tests_firewalls b/include/tests_firewalls index 8563d4e0..81e8dccc 100644 --- a/include/tests_firewalls +++ b/include/tests_firewalls @@ -120,7 +120,7 @@ Display --indent 4 --text "- Checking for unused rules" --result OK --color GREEN logtext "Result: There are no unused rules present" else - Display --indent 4 --text "- Checking for unused rules" --result WARNING --color YELLOW + Display --indent 4 --text "- Checking for unused rules" --result FOUND --color YELLOW logtext "Result: Found one or more possible unused rules" logtext "Description: Unused rules can be a sign that the firewall rules aren't optimized or up-to-date" logtext "Note: Sometimes rules aren't triggered but still in use. Keep this in mind before cleaning up rules." From d2aaa9662e269e2e91d05c2e7586e54d53e50da1 Mon Sep 17 00:00:00 2001 From: mboelen Date: Tue, 1 Sep 2015 16:10:16 +0200 Subject: [PATCH 058/122] Changed test description --- include/tests_containers | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/tests_containers b/include/tests_containers index c8c81fe0..c1ce3379 100644 --- a/include/tests_containers +++ b/include/tests_containers @@ -112,7 +112,7 @@ # Description : Checking Docker containers (basic stats) # Notes : Hardening points are awarded, if there aren't a lot of stopped containers if [ ! "${DOCKERBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi - Register --test-no CONT-8106 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking Docker info for any warnings" + Register --test-no CONT-8106 --preqs-met ${PREQS_MET} --weight L --network NO --description "Gather basic stats from Docker" if [ ${SKIPTEST} -eq 0 ]; then Display --indent 6 --text "- Containers" 
From 2577caf66df1d338c8e31e4bf1f7b044ca8a44f4 Mon Sep 17 00:00:00 2001 From: mboelen Date: Tue, 1 Sep 2015 17:40:05 +0200 Subject: [PATCH 059/122] Only show suggestion for ntpdate if ntpd isn't running --- include/tests_time | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/include/tests_time b/include/tests_time index 5569c804..4184f9b3 100644 --- a/include/tests_time +++ b/include/tests_time @@ -164,10 +164,12 @@ FIND=`grep 'ntpdate_enable="YES"' /etc/rc.conf` if [ ! "${FIND}" = "" ]; then logtext "Result: ntpdate is enabled in rc.conf" - # Mark system having a NTP client, but remind user to improve it FOUND=1 NTP_CONFIG_TYPE_STARTUP=1 - ReportSuggestion ${TEST_NO} "Although ntpdate is enabled in rc.conf, it is adviced to run it at least daily or use a NTP daemon" + # Only show suggestion when ntpdate is enabled, however ntpd is not running + if [ ${NTP_DAEMON_RUNNING} -eq 0 ]; then + ReportSuggestion ${TEST_NO} "Although ntpdate is enabled in rc.conf, it is adviced to run it at least daily or use a NTP daemon" + fi else logtext "Result: ntpdate is not enabled in rc.conf" fi From e37446521d31205a59bb23e6768d91b3e8a533c8 Mon Sep 17 00:00:00 2001 From: dataking Date: Tue, 1 Sep 2015 11:50:07 -0700 Subject: [PATCH 060/122] include/tests_filesystems tweak --- include/tests_filesystems | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/include/tests_filesystems b/include/tests_filesystems index 19e44669..e2c46e6c 100644 --- a/include/tests_filesystems +++ b/include/tests_filesystems @@ -297,7 +297,7 @@ Display --indent 2 --text "- Checking for old files in /tmp" --result OK --color GREEN logtext "Result: no files found in /tmp which are older than 3 months" else - Display --indent 2 --text "- Checking for old files in /tmp" --result FOUND --color RED + Display --indent 2 --text "- Checking for old files in /tmp" --result WARNING --color RED N=0 for I in ${FIND}; do FILE=`echo ${I} | sed 's/!space!/ /g'` 
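Review bot: The new `if [ ${NTP_DAEMON_RUNNING} -eq 0 ]` has no fallback when `NTP_DAEMON_RUNNING` is unset at this point, in which case `[` receives only `-eq 0` and fails with a syntax error instead of evaluating; if the variable is initialised earlier in this file this is moot, otherwise `if [ "${NTP_DAEMON_RUNNING:-0}" -eq 0 ]` is the safe spelling. The moved suggestion text still reads "it is adviced", which is user-facing; `advised` is the intended word. The enclosing block starts and ends outside the hunk.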
@@ -567,7 +567,7 @@ if [ ${SKIPTEST} -eq 0 ]; then logtext "Test: Checking locate database" FOUND=0 - LOCATE_DBS="/var/lib/mlocate/mlocate.db /var/lib/locatedb /var/lib/slocate/slocate.db /var/cache/locate/locatedb /var/db/locate.database" + LOCATE_DBS="/var/lib/mlocate/mlocate.db /var/lib/locate/locatedb /var/lib/locatedb /var/lib/slocate/slocate.db /var/cache/locate/locatedb /var/db/locate.database" for I in ${LOCATE_DBS}; do if [ -f ${I} ]; then logtext "Result: locate database found (${I})" From 235b228fe29d9b83c5a3c19cbd3ff9ea708a1590 Mon Sep 17 00:00:00 2001 From: mboelen Date: Thu, 3 Sep 2015 11:15:55 +0200 Subject: [PATCH 061/122] Added vmtoolsd detection --- include/functions | 2 ++ 1 file changed, 2 insertions(+) diff --git a/include/functions b/include/functions index d2db98ce..4d8bd1ce 100644 --- a/include/functions +++ b/include/functions @@ -615,6 +615,8 @@ # VMware IsRunning vmware-guestd if [ ${RUNNING} -eq 1 ]; then SHORT="vmware"; fi + IsRunning vmtoolsd + if [ ${RUNNING} -eq 1 ]; then SHORT="vmware"; fi # VirtualBox based on guest services IsRunning vboxguest-service From f4c2bd52fb8eeec64e7489db5abd365157f2a6a4 Mon Sep 17 00:00:00 2001 From: mboelen Date: Thu, 3 Sep 2015 15:43:33 +0200 Subject: [PATCH 062/122] Ensure that docker is a file, not directory in /usr/libexec --- include/binaries | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/include/binaries b/include/binaries index ab8f67fe..206f6b12 100644 --- a/include/binaries +++ b/include/binaries 
@@ -86,9 +86,6 @@ as) ASFOUND=1; ASBINARY="${BINARY}"; COMPILER_INSTALLED=1; logtext " Found known binary: as (compiler) - ${BINARY}" ;; auditctl) AUDITCTLFOUND=1; AUDITCTLBINARY="${BINARY}"; logtext " Found known binary: auditctl (control utility for audit daemon) - ${BINARY}" ;; autolog) AUTOLOGFOUND=1; AUTOLOGBINARY="${BINARY}"; IDLE_SESSION_KILLER_INSTALLED=1; logtext " Found known binary: autolog (idle session killer) - ${BINARY}" ;; - debsecan) DEBSECANBINARY="${BINARY}"; logtext " Found known binary: debsecan (package vulnerability checking) - ${BINARY}" ;; - debsums) DEBSUMSBINARY="${BINARY}"; logtext " Found known binary: debsums (package integrity checking) - ${BINARY}" ;; - docker) DOCKERBINARY="${BINARY}"; logtext " Found known binary: docker (container technology) - ${BINARY}" ;; chkconfig) CHKCONFIGFOUND=1; CHKCONFIGBINARY=${BINARY}; logtext " Found known binary: chkconfig (administration tool) - ${BINARY}" ;; clamscan) CLAMSCANFOUND=1; CLAMSCANBINARY=${BINARY}; logtext " Found known binary: clamscan (AV scanner) - ${BINARY}" ;; cfagent) CFAGENTFOUND=1; CFAGENTBINARY="${BINARY}"; FILE_INT_TOOL_FOUND=1; logtext " Found known binary: cfengine agent (configuration tool) - ${BINARY}" ;; 
@@ -96,8 +93,11 @@ comm) COMMBINARY="${BINARY}"; logtext " Found known binary: comm (file compare) - ${BINARY}" ;; csum) CSUMFOUND=1; CSUMBINARY="${BINARY}"; logtext " Found known binary: csum (hashing tool on AIX) - ${BINARY}" ;; curl) CURLFOUND=1; CURLBINARY="${BINARY}"; logtext " Found known binary: curl (browser) - ${BINARY}" ;; + debsecan) DEBSECANBINARY="${BINARY}"; logtext " Found known binary: debsecan (package vulnerability checking) - ${BINARY}" ;; + debsums) DEBSUMSBINARY="${BINARY}"; logtext " Found known binary: debsums (package integrity checking) - ${BINARY}" ;; dig) if [ -f ${BINARY} ]; then DIGFOUND=1; DIGBINARY=${BINARY}; logtext " Found known binary: dig (network/dns tool) - ${BINARY}"; fi ;; dnsdomainname) DNSDOMAINNAMEFOUND=1; DNSDOMAINNAMEBINARY="${BINARY}"; logtext " Found known binary: dnsdomainname (DNS domain) - ${BINARY}" ;; + docker) if [ -f ${BINARY} ]; then DOCKERBINARY="${BINARY}"; logtext " Found known binary: docker (container technology) - ${BINARY}"; fi ;; domainname) DOMAINNAMEFOUND=1; DOMAINNAMEBINARY="${BINARY}"; logtext " Found known binary: domainname (NIS domain) - ${BINARY}" ;; dpkg) DPKGBINARY="${BINARY}"; logtext " Found known binary: dpkg (package management) - ${BINARY}" ;; egrep) EGREPFOUND=1; EGREPBINARY=${BINARY}; logtext " Found known binary: egrep (text search) - ${BINARY}" ;; From d9b7d9a9fd5ab43b3cca6804330ca42e3346c040 Mon Sep 17 00:00:00 2001 From: mboelen Date: Thu, 3 Sep 2015 15:44:10 +0200 Subject: [PATCH 063/122] Combined several potential mount option tests into 1 unit --- include/tests_filesystems | 119 +++++++++++++++++++------------------- 1 file changed, 59 insertions(+), 60 deletions(-) diff --git a/include/tests_filesystems b/include/tests_filesystems index 19e44669..dedfa556 100644 --- a/include/tests_filesystems +++ b/include/tests_filesystems 
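Review bot: The new `docker)` arm guards only on `-f ${BINARY}`, but `DOCKERBINARY` is later executed (`${DOCKERBINARY} info` in tests_containers), so a plain non-executable file in a bin directory is still accepted as the docker client; `if [ -f "${BINARY}" -a -x "${BINARY}" ]` matches both the commit's intent ("a file, not directory") and the way the value is used, and the same applies to the `dig)` arm kept as context. `${BINARY}` is unquoted in every arm of this case, so a path containing whitespace breaks the tests; quoting it in the two new arms is a cheap start. The case statement starts and ends outside the hunk.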
@@ -460,76 +460,75 @@ ################################################################################# # # Test : FILE-6374 - # Description : Check /boot mount options for Linux - # Notes : Expecting nodev,noexec,nosuid + # Description : Check mount options for Linux + # Notes : This test determines if the mount point exists. If it does not exist as mount point, yet it is an directory, + # you might consider to make it a separate mount point with restrictions. + # + # Depending on the primary goals of a machine, some mount points might be too restrictive. Before applying any + # mount flags, test them on a similar or cloned test system. + # + # --------------------------------------------------------- + # Mount point nodev noexec nosuid + # /boot v v v + # /home v v + # /tmp v v v + # /var v + # /var/log v v v + # /var/log/audit v v v + # --------------------------------------------------------- + + FILESYSTEMS_TO_CHECK="/boot:nodev,noexec,nosuid /home:nodev,nosuid /var:nosuid /var/log:nodev,noexec,nosuid /var/log/audit:nodev,noexec,nosuid /tmp:nodev,noexec,nosuid" Register --test-no FILE-6374 --os Linux --weight L --network NO --description "Checking /boot mount options" if [ ${SKIPTEST} -eq 0 ]; then if [ -f /etc/fstab ]; then - HARDENED=0 - FIND=`echo /etc/fstab | awk '{ if ($2=="/boot") { print $4 } }'` - NODEV=`echo ${FIND} | awk '{ if ($1=="nodev") { print "YES" } else { print "NO" } }'` - NOEXEC=`echo ${FIND} | awk '{ if ($1=="noexec") { print "YES" } else { print "NO" } }'` - NOSUID=`echo ${FIND} | awk '{ if ($1=="nosuid") { print "YES" } else { print "NO" } }'` - if [ "${NODEV}" = "YES" -a "${NOEXEC}" = "YES" -a "${NOSUID}" = "YES" ]; then HARDENED=1; fi - if [ ! 
"${FIND}" = "" ]; then - logtext "Result: mount system /boot is configured with options: ${FIND}" - if [ ${HARDENED} -eq 1 ]; then - logtext "Result: marked /boot options as hardenened" - Display --indent 2 --text "- Mount options of /boot" --result HARDENED --color GREEN - AddHP 5 5 - else - if [ "${FIND}" = "defaults" ]; then - logtext "Result: marked /boot options as default (non hardened)" - Display --indent 2 --text "- Mount options of /boot" --result DEFAULT --color RED - AddHP 3 5 - else - logtext "Result: marked /boot options as non default (unclear about hardening)" - Display --indent 2 --text "- Mount options of /boot" --result "NON DEFAULT" --color YELLOW + for I in ${FILESYSTEMS_TO_CHECK}; do + FILESYSTEM=`echo ${I} | cut -d: -f1` + EXPECTED_FLAGS=`echo ${I} | cut -d: -f2 | sed 's/,/ /g'` + IN_FSTAB=`cat /etc/fstab | awk -v fs=${FILESYSTEM} '{ if ($2==fs) { print "FOUND" } }'` + if [ ! "${IN_FSTAB}" = "" ]; then + FOUND_FLAGS=`cat /etc/fstab | awk -v fs=${FILESYSTEM} '{ if ($2==fs) { print $4 } }' | sed 's/,/ /g'` + logtext "File system: ${FILESYSTEM}" + logtext "Expected flags: ${EXPECTED_FLAGS}" + logtext "Found flags: ${FOUND_FLAGS}" + PARTIALLY_HARDENED=0 + FULLY_HARDENED=1 + for FLAG in ${EXPECTED_FLAGS}; do + FLAG_AVAILABLE=`echo ${FOUND_FLAGS} | grep ${FLAG}` + if [ "${FLAG_AVAILABLE}" = "" ]; then + logtext "Result: Could not find mount option ${FLAG} on file system ${FILESYSTEM}" + FULLY_HARDENED=0 + else + logtext "Result: GOOD, found mount option ${FLAG} on file system ${FILESYSTEM}" + PARTIALLY_HARDENED=1 + fi + done + if [ ${FULLY_HARDENED} -eq 1 ]; then + logtext "Result: marked ${FILESYSTEM} as fully hardenened" + Display --indent 2 --text "- Mount options of ${FILESYSTEM}" --result HARDENED --color GREEN + AddHP 5 5 + elif [ ${PARTIALLY_HARDENED} -eq 1 ]; then + logtext "Result: marked ${FILESYSTEM} as fully hardenened" + Display --indent 2 --text "- Mount options of ${FILESYSTEM}" --result "PARTIALLY HARDENED" --color YELLOW AddHP 4 5 + 
else + if [ "${FOUND_FLAGS}" = "defaults" ]; then + logtext "Result: marked ${FILESYSTEM} options as default (non hardened)" + Display --indent 2 --text "- Mount options of ${FILESYSTEM}" --result DEFAULT --color YELLOW + AddHP 3 5 + else + logtext "Result: marked ${FILESYSTEM} options as non default (unclear about hardening)" + Display --indent 2 --text "- Mount options of ${FILESYSTEM}" --result "NON DEFAULT" --color YELLOW + AddHP 4 5 + fi fi + else + logtext "Result: file system ${FILESYSTEM} not found in /etc/fstab" fi - else - logtext "Result: no mount point /boot or expected options found" - fi + done fi fi # ################################################################################# -# - # Test : FILE-XXXX - # Description : Check /home mount options for Linux - # Notes : Expecting nodev,nosuid -# -################################################################################# -# - - # Test : FILE-XXXX - # Description : Check /var mount options for Linux - # Notes : Expecting nosuid -# -################################################################################# -# - # Test : FILE-XXXX - # Description : Check /var/log mount options for Linux - # Notes : Expecting nodev,noexec,nosuid -# -################################################################################# -# - # Test : FILE-XXXX - # Description : Check /var/log/audit mount options for Linux - # Notes : Expecting nodev,noexec,nosuid -# -################################################################################# -# - - # Test : FILE-XXXX - # Description : Check /tmp mount options for Linux - # Notes : Expecting nodev,noexec,nosuid -# -################################################################################# -# -# -################################################################################# # # Test : FILE-6378 # Description : Check for nodirtime option From e1a87794bce6460113935d35a1053bc5a74808db Mon Sep 17 00:00:00 2001 
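Review bot: In the partially-hardened branch the log line reads `logtext "Result: marked ${FILESYSTEM} as fully hardenened"`, a copy of the fully-hardened message, so the log contradicts the PARTIALLY HARDENED result shown on screen; it should say `logtext "Result: marked ${FILESYSTEM} as partially hardened"`, and the spelling fix applies to the fully-hardened line too. The awk lookups do not skip comments, so a commented-out fstab entry for one of the six mount points is taken as the live configuration; adding `$1 !~ /^#/ &&` to both conditions, e.g. `awk -v fs=${FILESYSTEM} '{ if ($1 !~ /^#/ && $2==fs) { print $4 } }'`, avoids that. `grep ${FLAG}` is a substring match, so `grep -w` is the safer test once flags other than nodev/noexec/nosuid are added. The Register line still describes the test as "Checking /boot mount options" although it now covers six mount points, and the check reads /etc/fstab rather than the options actually in effect, which a comparison against `mount` output would expose; both deserve at least a Notes line.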
From: Alexander Lobodzinski Date: Thu, 3 Sep 2015 17:20:34 +0200 Subject: [PATCH 064/122] Do not let a hostname that is contained in "localhost" like "cal" trigger a false positive --- include/tests_nameservices | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/tests_nameservices b/include/tests_nameservices index 0a7b8d56..8413e99e 100644 --- a/include/tests_nameservices +++ b/include/tests_nameservices @@ -587,7 +587,7 @@ Register --test-no NAME-4406 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check server hostname mapping" if [ ${SKIPTEST} -eq 0 ]; then logtext "Test: Check server hostname not locally mapped in /etc/hosts" - sFIND=`cat /etc/hosts | egrep -v '^(#|$)' | egrep '(localhost|^::1\s)' | grep ${HOSTNAME}` + sFIND=`cat /etc/hosts | egrep -v '^(#|$)' | egrep '(localhost|^::1\s)' | grep -w ${HOSTNAME}` if [ ! "${sFIND}" = "" ]; then logtext "Result: Found this server hostname mapped to a local address" Display --indent 4 --text "- Checking /etc/hosts (localhost)" --result SUGGESTION --color YELLOW From 12d9b38288c2a41b5bc9e32c1d10bb4f0c102c3e Mon Sep 17 00:00:00 2001 From: squid-cache-object Date: Thu, 3 Sep 2015 14:14:02 -0700 Subject: [PATCH 065/122] Update tests_filesystems --- include/tests_filesystems | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/tests_filesystems b/include/tests_filesystems index e2c46e6c..8a26e4ac 100644 --- a/include/tests_filesystems +++ b/include/tests_filesystems @@ -297,7 +297,7 @@ Display --indent 2 --text "- Checking for old files in /tmp" --result OK --color GREEN logtext "Result: no files found in /tmp which are older than 3 months" else - Display --indent 2 --text "- Checking for old files in /tmp" --result WARNING --color RED + Display --indent 2 --text "- Checking for old files in /tmp" --result FOUND --color RED N=0 for I in ${FIND}; do FILE=`echo ${I} | sed 's/!space!/ /g'` From 461920ff721e6f956d712c457985ed4c4d9ad312 Mon Sep 17 00:00:00 2001 
From: mboelen Date: Sat, 5 Sep 2015 18:41:04 +0200 Subject: [PATCH 066/122] Enabled dmidecode for virtualization detection --- include/functions | 23 ++++++++++++----------- 1 file changed, 12 insertions(+), 11 deletions(-) diff --git a/include/functions b/include/functions index d35150fa..9d815f4e 100644 --- a/include/functions +++ b/include/functions @@ -589,8 +589,9 @@ logtext "Test: Determine if this system is a virtual machine" # 0 = no, 1 = yes, 2 = unknown ISVIRTUALMACHINE=2; VMTYPE="unknown"; VMFULLTYPE="Unknown" + SHORT="" - # Trying facter + # facter if [ -x /usr/bin/facter ]; then case "`facter is_virtual`" in "true") @@ -603,9 +604,7 @@ esac fi - SHORT="" - - # Trying systemd + # systemd if [ "${SHORT}" = "" -a ! "${SYSTEMCTLBINARY}" = "" ]; then logtext "Test: trying to guess virtualization technology with systemctl" FIND=`${SYSTEMCTLBINARY} | grep "^Virtualization=" | awk -F= '{ print $2 }'` @@ -614,12 +613,14 @@ fi fi - # # dmidecode - # if [ "${SHORT}" = "" ]; then - # if [ -x /usr/sbin/dmidecode ]; then - # SHORT=`dmidecode -s system-product-name` - # fi - # fi + # dmidecode + # Values: VMware Virtual Platform / VirtualBox + if [ "${SHORT}" = "" ]; then + logtext "Test: trying to guess virtualization with dmidecode" + if [ -x /usr/sbin/dmidecode ]; then + SHORT=`dmidecode -s system-product-name | awk '{ print $1 }'` + fi + fi # lshw if [ "${SHORT}" = "" ]; then @@ -663,7 +664,7 @@ # Check if we catched some string along all tests if [ ! "${SHORT}" = "" ]; then # Lowercase and see if we found a match - SHORT=`echo ${SHORT} | tr [[:upper:]] [[:lower:]]` + SHORT=`echo ${SHORT} | awk '{ print $1 }' | tr [[:upper:]] [[:lower:]]` case ${SHORT} in amazon-ec2) ISVIRTUALMACHINE=1; VMTYPE="amazon-ec2"; VMFULLTYPE="Amazon AWS EC2 Instance" ;; From 05dd1a6814e3a6518dbc2bef1d73ea609313e149 Mon Sep 17 00:00:00 2001 
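Review bot: The new dmidecode branch tests for `/usr/sbin/dmidecode` but then runs bare `dmidecode`, so the binary actually executed is whatever PATH resolves first, and its stderr is not redirected, so any permission error it prints on a non-root run lands on the auditor's screen; use the checked path and discard stderr, i.e. `/usr/sbin/dmidecode -s system-product-name 2>/dev/null` in the SHORT assignment. Keeping only the first word collapses `VMware Virtual Platform` to `VMware`, which presumably is what the case statement at the bottom matches on, but most of its arms are outside this hunk so that cannot be confirmed here.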
From: mboelen Date: Sat, 5 Sep 2015 18:51:36 +0200 Subject: [PATCH 067/122] Remove systemctl to detect virtualization, use systemd-detect-virt instead --- include/functions | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/include/functions b/include/functions index 9d815f4e..89e9c662 100644 --- a/include/functions +++ b/include/functions @@ -605,9 +605,9 @@ fi # systemd - if [ "${SHORT}" = "" -a ! "${SYSTEMCTLBINARY}" = "" ]; then - logtext "Test: trying to guess virtualization technology with systemctl" - FIND=`${SYSTEMCTLBINARY} | grep "^Virtualization=" | awk -F= '{ print $2 }'` + if [ "${SHORT}" = "" -a -x /usr/bin/systemd-detect-virt ]; then + logtext "Test: trying to guess virtualization technology with systemd-detect-virt" + FIND=`/usr/bin/systemd-detect-virt` if [ ! "${FIND}" = "" ]; then SHORT="${FIND}" fi From 10a300ddb7bee1c93023ec64c276b158dbad76d7 Mon Sep 17 00:00:00 2001 From: mboelen Date: Sun, 6 Sep 2015 17:38:15 +0200 Subject: [PATCH 068/122] Don't show pf status on screen when it is not available --- include/tests_firewalls | 1 - 1 file changed, 1 deletion(-) diff --git a/include/tests_firewalls b/include/tests_firewalls index 7b3fa88e..fdd6106a 100644 --- a/include/tests_firewalls +++ b/include/tests_firewalls @@ -194,7 +194,6 @@ FIREWALL_SOFTWARE="pf" else logtext "Result: pf not running on this system" - Display --indent 2 --text "- Checking pf" --result "NOT FOUND" --color WHITE fi fi # From 4a354c84796c5eae74053435ccc5ecd718734c34 Mon Sep 17 00:00:00 2001 From: mboelen Date: Sun, 6 Sep 2015 17:42:56 +0200 Subject: [PATCH 069/122] Change ipfw to IPFW, change exeception ID for IPFW test --- include/tests_firewalls | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/include/tests_firewalls b/include/tests_firewalls index fdd6106a..9f620faf 100644 --- a/include/tests_firewalls +++ b/include/tests_firewalls 
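Review bot: The hunk stores any non-empty output of systemd-detect-virt into SHORT, but the tool prints `none` when it finds no virtualization (documented behaviour, with a non-zero exit status), so on bare metal SHORT becomes `none` and the remaining probes that are guarded by `"${SHORT}" = ""` are skipped. Either test the exit status or exclude that value: `FIND=\`/usr/bin/systemd-detect-virt 2>/dev/null\`` followed by `if [ ! "${FIND}" = "" -a ! "${FIND}" = "none" ]; then`. Whether the case statement that consumes SHORT has an arm for `none` is outside this hunk.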
@@ -269,32 +269,32 @@ ################################################################################# # # Test : FIRE-4530 - # Description : Check ipfw (FreeBSD) - Register --test-no FIRE-4530 --os FreeBSD --weight L --network NO --description "Check ipfw status" + # Description : Check IPFW (FreeBSD) + Register --test-no FIRE-4530 --os FreeBSD --weight L --network NO --description "Check IPFW status" if [ ${SKIPTEST} -eq 0 ]; then if [ ! "${SYSCTLBINARY}" = "" ]; then # For now, only check for IPv4. FIND=`${SYSCTLBINARY} net.inet.ip.fw.enable | awk '{ print $2 }'` if [ "${FIND}" = "1" ]; then - Display --indent 2 --text "- Checking ipfw status" --result RUNNING --color GREEN - logtext "Result: ipfw is running for IPv4" + Display --indent 2 --text "- Checking IPFW status" --result RUNNING --color GREEN + logtext "Result: IPFW is running for IPv4" FIREWALL_ACTIVE=1 FIREWALL_SOFTWARE="ipfw" IPFW_ENABLED=`service -e | grep -o ipfw` if [ "${IPFW_ENABLED}" = "ipfw" ]; then - Display --indent 4 --text "- ipfw enabled in /etc/rc.conf" --result YES --color GREEN - logtext "Result: ipfw is enabled at start-up for IPv4" + Display --indent 4 --text "- IPFW enabled in /etc/rc.conf" --result YES --color GREEN + logtext "Result: IPFW is enabled at start-up for IPv4" else Display --indent 4 --text "- ipfw enabled in /etc/rc.conf" --result NO --color YELLOW - logtext "Result: ipfw is disabled at start-up for IPv4" + logtext "Result: IPFW is disabled at start-up for IPv4" fi else - Display --indent 2 --text "- Checking ipfw status" --result "NOT RUNNING" --color YELLOW - logtext "Result: ipfw is not running for IPv4" + Display --indent 2 --text "- Checking IPFW status" --result "NOT RUNNING" --color YELLOW + logtext "Result: IPFW is not running for IPv4" fi else - Display --indent 2 --text "- Checking ipfw" --result SKIPPED --color YELLOW - ReportException "${TEST_NO}:4" "No IPFW test available (sysctl missing)" + Display --indent 2 --text "- Checking IPFW" --result SKIPPED 
--color YELLOW + ReportException "${TEST_NO}:1" "No IPFW test available (sysctl missing)" fi fi # From 98de52e0f88e71f09b78c93859c37fc38c1ca795 Mon Sep 17 00:00:00 2001 From: mboelen Date: Sun, 6 Sep 2015 17:54:18 +0200 Subject: [PATCH 070/122] Added some guidelines for pull requests --- CONTRIBUTIONS.md | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/CONTRIBUTIONS.md b/CONTRIBUTIONS.md index 19a17295..34d1d970 100644 --- a/CONTRIBUTIONS.md +++ b/CONTRIBUTIONS.md @@ -1,8 +1,8 @@ # Contributions ## Pull Requests -Contributions to the Lynis project should be submitted as a pull request. The upstream -project can be found in our [GitHub repository](https://github.com/CISOfy/lynis). +We welcome any contribution to improve Lynis. Contributions to the Lynis project can +be submitted as a pull request. The upstream project can be found in our [GitHub repository](https://github.com/CISOfy/lynis). By submitting a [Pull Request](https://help.github.com/articles/using-pull-requests/) to this repository, you agree that you: @@ -17,6 +17,7 @@ to this repository, you agree that you: 4. Allow the project the [Unlimited Rights](#Unlimited-Rights) to your contribution +If you have questions regarding development, send us an e-mail at [lynis-dev](mailto:lynis-dev@cisofy.com) ## Unlimited Rights Our project is licensed under GPLv3. By providing a contribution to the project, it 
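Review bot: The rename is incomplete: the NO branch still displays `- ipfw enabled in /etc/rc.conf` while the sibling YES branch and both logtext lines now say IPFW, so change it to `Display --indent 4 --text "- IPFW enabled in /etc/rc.conf" --result NO --color YELLOW`. Separately, `service -e | grep -o ipfw` is compared for equality with the single string `ipfw`; on FreeBSD `service -e` lists full script paths, so any other enabled script whose name contains that substring adds a second line and the comparison fails, and anchoring on the script name, e.g. `if service -e 2>/dev/null | grep -q "/ipfw$"; then`, avoids that. `service` is also invoked without the binary check that sysctl gets a few lines above.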
@@ -29,3 +30,9 @@ If you want to be named in as a contributor in the CONTRIBUTOR file, then includ this notition in your pull request. Preferred format: Full Name, with optional the company name and/or your e-mail address). +## Developer Guidelines + +To ensure all pull requests can be easily checked and merged, here are some tips: +* Your code should work on other platforms running the bourne shell (/bin/sh), not just BASH. +* Properly document your code where needed. Besides the 'what', focus on explaining the 'why'. +* Check the log information (lynis.log) of your new test or changed code, so that it provides helpful details for others. \ No newline at end of file From 88caa85f594497908865c90c48121520122a2c65 Mon Sep 17 00:00:00 2001 From: mboelen Date: Sun, 6 Sep 2015 21:37:26 +0200 Subject: [PATCH 071/122] Added default values for name cachers and Unbound status --- include/consts | 2 ++ 1 file changed, 2 insertions(+) diff --git a/include/consts b/include/consts index d0d2b2c9..608b5b29 100644 --- a/include/consts +++ b/include/consts @@ -69,6 +69,7 @@ unset LANG LYNIS_COMPLIANCE_TESTS=0 MACHINEID="" MALWARE_SCANNER_INSTALLED=0 + NAME_CACHE_USED=0 NGINX_ACCESS_LOG_DISABLED=0 NGINX_ACCESS_LOG_MISSING=0 NGINX_ALIAS_FOUND=0 @@ -115,6 +116,7 @@ unset LANG TESTS_EXECUTED="" TESTS_SKIPPED="" TRIPWIREBINARY="" + UNBOUND_RUNNING=0 UPLOAD_OPTIONS="" UPDATE_CHECK_SKIPPED=0 VALUE="" From a42e8feac260d9888492f221469043c805f413ab Mon Sep 17 00:00:00 2001 From: mboelen Date: Sun, 6 Sep 2015 21:38:21 +0200 Subject: [PATCH 072/122] Added Unbound status and configuration check, logging name cacher status to report file --- include/tests_nameservices | 48 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 48 insertions(+) diff --git a/include/tests_nameservices b/include/tests_nameservices index 8413e99e..5e59f53f 100644 --- a/include/tests_nameservices +++ b/include/tests_nameservices 
@@ -30,6 +30,7 @@ POWERDNS_AUTH_CONFIG_LOCATION="" POWERDNS_AUTH_MASTER=0 POWERDNS_AUTH_SLAVE=0 + UNBOUND_CONFIG_OK=0 YPBIND_RUNNING=0 # ################################################################################# @@ -228,6 +229,7 @@ logtext "Test: checking nscd status" IsRunning nscd if [ ${RUNNING} -eq 1 ]; then + NAME_CACHE_USED=1 logtext "Result: nscd is running" Display --indent 2 --text "- Checking nscd status" --result RUNNING --color GREEN else 
@@ -237,6 +239,51 @@ fi # ################################################################################# +# + # Test : NAME-4034 + # Description : Check name service caching daemon (Unbound) status + Register --test-no NAME-4034 --weight L --network NO --description "Check Unbound status" + if [ ${SKIPTEST} -eq 0 ]; then + logtext "Test: checking Unbound (unbound) status" + IsRunning unbound + if [ ${RUNNING} -eq 1 ]; then + UNBOUND_RUNNING=1 + NAME_CACHE_USED=1 + logtext "Result: Unbound daemon is running" + Display --indent 2 --text "- Checking Unbound status" --result RUNNING --color GREEN + else + logtext "Result: Unbound daemon is not running" + Display --indent 2 --text "- Checking Unbound status" --result "NOT FOUND" --color WHITE + fi + fi +# +################################################################################# +# + # Test : NAME-4036 + # Description : Checking Unbound configuration file + if [ ${UNBOUND_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + Register --test-no NAME-4036 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check Unbound configuration file" + if [ ${SKIPTEST} -eq 0 ]; then + FIND=`which unbound-checkconf` + if [ ! "${FIND}" = "" ]; then + logtext "Test: running unbound-checkconf" + # Don't capture any output, just gather exit code (0 is fine, otherwise bad) + FIND=`unbound-checkconf > /dev/null 2>&1` + if [ $? 
-eq 0 ]; then + UNBOUND_CONFIG_OK=1 + logtext "Result: Configuration is fine" + Display --indent 2 --text "- Checking configuration file" --result OK --color GREEN + else + logtext "Result: Unbound daemon is not running" + Display --indent 2 --text "- Checking configuration file" --result "NOT OK" --color YELLOW + ReportWarning "${TEST_NO}" "L" "Found Unbound configuration file issues (run unbound-checkconf)" + fi + else + logtext "Result: skipped, can't find unbound-checkconf utility" + fi + fi +# +################################################################################# # # Test : NAME-4202 # Description : Check if BIND is running @@ -602,6 +649,7 @@ ################################################################################# # +report ="name_cache_used=${NAME_CACHE_USED}" wait_for_keypress # From a9966ac4ba99e20738bd887fe6549e9df7f305f6 Mon Sep 17 00:00:00 2001 From: mboelen Date: Sun, 6 Sep 2015 21:38:56 +0200 Subject: [PATCH 073/122] Extended guidelines --- CONTRIBUTIONS.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/CONTRIBUTIONS.md b/CONTRIBUTIONS.md index 34d1d970..ba03583b 100644 --- a/CONTRIBUTIONS.md +++ b/CONTRIBUTIONS.md @@ -35,4 +35,5 @@ company name and/or your e-mail address). To ensure all pull requests can be easily checked and merged, here are some tips: * Your code should work on other platforms running the bourne shell (/bin/sh), not just BASH. * Properly document your code where needed. Besides the 'what', focus on explaining the 'why'. -* Check the log information (lynis.log) of your new test or changed code, so that it provides helpful details for others. \ No newline at end of file +* Check the log information (lynis.log) of your new test or changed code, so that it provides helpful details for others. +* Most variables should be capitalized, with underscore as word separator (e.g. PROCESS_EXISTS=1) \ No newline at end of file From 0e97f7936fb522c82c0cb1566e01dfa105fe1de4 Mon Sep 17 00:00:00 2001 
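Review bot: The NOT OK branch of NAME-4036 carries a copy-pasted log line: `logtext "Result: Unbound daemon is not running"` is written when unbound-checkconf fails, although the test only runs when UNBOUND_RUNNING is 1; it should read `logtext "Result: unbound-checkconf reported configuration issues"`. Also, `FIND=\`which unbound-checkconf\`` relies on `which` printing nothing when the tool is missing, but on some platforms it prints its not-found message to stdout, so `command -v unbound-checkconf` (or a *BINARY variable resolved with the other tools) is more dependable. The second `FIND=` assignment captures nothing because all output goes to /dev/null; running `unbound-checkconf > /dev/null 2>&1` directly and testing `$?` removes the dead assignment.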
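Review bot: `report ="name_cache_used=${NAME_CACHE_USED}"` has a space before the `=`, so the shell calls `report` with the single argument `=name_cache_used=0` rather than the intended key/value pair, and the report line will carry a stray leading `=` (or be malformed, depending on how report() writes it). It should be `report "name_cache_used=${NAME_CACHE_USED}"`, matching the other report calls in this series.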
From: =?UTF-8?q?Kamil=20Boraty=C5=84ski?= Date: Mon, 7 Sep 2015 04:12:58 +0200 Subject: [PATCH 074/122] Wrote 'AUTH-9407' - logging failed login attempts. --- include/tests_authentication | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/include/tests_authentication b/include/tests_authentication index dd48d80c..f8c9b6f4 100644 --- a/include/tests_authentication +++ b/include/tests_authentication @@ -1077,6 +1077,27 @@ fi # ################################################################################# +# + # Test : AUTH-9407 + # Description : Logging failed login attempts + if [ -f /etc/login.defs ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + Register --test-no AUTH-9407 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --description "Logging failed login attempts" + if [ ${SKIPTEST} -eq 0 ]; then + logtext "Test: Checking FAILLOG_ENAB option in /etc/login.defs " + FIND=`grep "^FAILLOG_ENAB" /etc/login.defs | awk '{ if ($1=="FAILLOG_ENAB") { print $2 } }'` + if [ "${FIND}" = "" -o "${FIND}" = "no" ]; then + logtext "Result: failed login attempts are not logged" + Display --indent 2 --text "- Logging failed login attempts" --result DISABLED --color YELLOW + ReportSuggestion ${TEST_NO} "Configure failed login attempts to be logged in /var/log/faillog" + AddHP 0 1 + else + logtext "Result: failed login attempts are logged in /var/log/faillog" + Display --indent 2 --text "- Logging failed login attempts" --result OK --color GREEN + AddHP 3 3 + fi + fi +# +################################################################################# # report "ldap_auth_enabled=${LDAP_AUTH_ENABLED}" From fc27379452e7dc7b64841619d93d023d54c0040e Mon Sep 17 00:00:00 2001 From: mboelen Date: Mon, 7 Sep 2015 10:13:20 +0200 Subject: [PATCH 075/122] Minor cleaning up and improved comment --- include/tests_webservers | 17 +++++++---------- 1 file changed, 7 insertions(+), 10 deletions(-) 
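Review bot: The test treats `FAILLOG_ENAB` in /etc/login.defs as the indicator that failed logins are recorded, but on PAM-enabled builds of shadow this directive is reportedly not consulted by login (Debian ships it commented out for that reason), so the DISABLED result and the lost hardening points will appear on systems where pam_tally2 or pam_faillock actually record failures. Make the limitation explicit in the header, e.g. `# Notes : FAILLOG_ENAB is only honoured by non-PAM login; PAM systems use pam_tally2/pam_faillock`, and consider pointing the suggestion text at the PAM alternative. The `grep`/`awk` extraction itself is fine since awk re-checks the exact key.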
diff --git a/include/tests_webservers b/include/tests_webservers index bb5db39d..51a8d528 100644 --- a/include/tests_webservers +++ b/include/tests_webservers @@ -391,19 +391,16 @@ Register --test-no HTTP-6704 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check nginx configuration file" if [ ${SKIPTEST} -eq 0 ]; then logtext "Test: searching nginx configuration file" - #YYY warning if multiple nginx.conf files are found for I in ${NGINX_CONF_LOCS}; do if [ -f ${I}/nginx.conf ]; then NGINX_CONF_LOCATION="${I}/nginx.conf" logtext "Found file ${NGINX_CONF_LOCATION}" fi done - #YYY strings /usr/sbin/nginx | grep "conf$" if [ ! "${NGINX_CONF_LOCATION}" = "" ]; then logtext "Result: found nginx configuration file" report "nginx_main_conf_file=${NGINX_CONF_LOCATION}" Display --indent 4 --text "- Searching nginx configuration file" --result FOUND --color GREEN - #FIND=`cat ${NGINX_CONF_LOCATION} | sed -e 's/^[ \t]*//' | grep -v "^#" | grep -v "^$" | sed 's/[\t]/ /g' | sed 's/ / /g' | sed 's/ / /g' >> ${TMPFILE2}` else logtext "Result: no nginx configuration file found" Display --indent 2 --text "- Searching nginx configuration file" --result "NOT FOUND" --color WHITE @@ -415,7 +412,7 @@ # Test : HTTP-6706 # Description : Search for includes within nginx configuration file # Notes : Daemon nginx should be running, nginx.conf should be found - if [ ${NGINX_RUNNING} -eq 1 -a "${NGINX_CONF_LOCATION}" != "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + if [ ${NGINX_RUNNING} -eq 1 -a ! "${NGINX_CONF_LOCATION}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no HTTP-6706 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check for additional nginx configuration files" if [ ${SKIPTEST} -eq 0 ]; then # Remove temp file 
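Review bot: Deleting the `#YYY warning if multiple nginx.conf files are found` marker removes an open issue rather than resolving it: the loop over NGINX_CONF_LOCS keeps overwriting NGINX_CONF_LOCATION, so when more than one candidate exists the last one wins silently and the later nginx tests parse a file that may not be the one the running daemon loaded. A one-liner placed before the assignment keeps the signal: `if [ ! "${NGINX_CONF_LOCATION}" = "" ]; then logtext "Warning: multiple nginx.conf files found, using ${I}/nginx.conf"; fi`. The other removed comment referenced TMPFILE2, which is consistent with the switch to TMPFILE later in the same commit.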
@@ -426,14 +423,14 @@ for I in ${FIND}; do FIND2=`${LSBINARY} ${I} 2>/dev/null` for J in ${FIND2}; do - # Double check if we are dealing with a file + # Ensure that we are parsing normal files if [ -f ${J} ]; then N=`expr ${N} + 1` logtext "Result: found Nginx configuration file ${J}" report "nginx_sub_conf_file=${J}" FileIsReadable ${J} if [ ${CANREAD} -eq 1 ]; then - FIND3=`cat ${J} | sed -e 's/^[ \t]*//' | grep -v "^#" | grep -v "^$" | sed 's/[\t]/ /g' | sed 's/ / /g' | sed 's/ / /g' >> ${TMPFILE2}` + FIND3=`cat ${J} | sed -e 's/^[ \t]*//' | grep -v "^#" | grep -v "^$" | sed 's/[\t]/ /g' | sed 's/ / /g' | sed 's/ / /g' >> ${TMPFILE}` else ReportException "${TEST_NO}:1" "Can not parse file ${J}, as it is not readable" fi @@ -442,14 +439,14 @@ done # Sort all discovered configuration lines and store unique ones. Also strip out the mime types configured in nginx - SORTFILE=`cat ${TMPFILE2} | sort | uniq | sed 's/ /:space:/g' | egrep -v "(application|audio|image|text|video)/" | egrep -v "({|})"` - for I in ${SORTFILE}; do + SORTFILE=`cat ${TMPFILE} | sort | uniq | sed 's/ /:space:/g' | egrep -v "(application|audio|image|text|video)/" | egrep -v "({|})"` + for I in ${SORTFILE}; do I=`echo ${I} | sed 's/:space:/ /g'` report "nginx_config_option=${I}"; - done + done # Remove unsorted file for next tests - if [ -f ${TMPFILE2} ]; then rm -f ${TMPFILE2}; fi + if [ -f ${TMPFILE} ]; then rm -f ${TMPFILE}; fi if [ ${N} -eq 0 ]; then logtext "Result: no nginx include statements found" From 53840a4cfb6eaa9bf2ecb98b259c57161cee79d3 Mon Sep 17 00:00:00 2001 From: mboelen Date: Mon, 7 Sep 2015 11:17:08 +0200 Subject: [PATCH 076/122] Added variable for logging status of failed logins --- include/consts | 1 + 1 file changed, 1 insertion(+) diff --git a/include/consts b/include/consts index 608b5b29..bddc11eb 100644 --- a/include/consts +++ b/include/consts 
@@ -39,6 +39,7 @@ unset LANG # == Variable initializing == # AUDITORNAME="" + AUTH_FAILED_LOGINS_LOGGED=0 PROFILE="" REPORTFILE="" AFICKBINARY="" From 5165e57b86ec3ec631d14a3e9c0a1e82a8a426c5 Mon Sep 17 00:00:00 2001 From: mboelen Date: Mon, 7 Sep 2015 11:17:38 +0200 Subject: [PATCH 077/122] Added report option to store logging status of failed logins --- include/tests_authentication | 1 + 1 file changed, 1 insertion(+) diff --git a/include/tests_authentication b/include/tests_authentication index dd48d80c..acf866b2 100644 --- a/include/tests_authentication +++ b/include/tests_authentication @@ -1079,6 +1079,7 @@ ################################################################################# # +report "auth_failed_logins_logged=${AUTH_FAILED_LOGINS_LOGGED}" report "ldap_auth_enabled=${LDAP_AUTH_ENABLED}" report "ldap_pam_enabled=${LDAP_PAM_ENABLED}" if [ ! "${LDAP_CLIENT_CONFIG_FILE}" = "" ]; then From 84baf688c8003b3da6081bd69729b5460742a5c2 Mon Sep 17 00:00:00 2001 From: mboelen Date: Mon, 7 Sep 2015 11:26:09 +0200 Subject: [PATCH 078/122] Renumber test and search for explicit yes value, log status --- include/tests_authentication | 20 +++++++++++--------- 1 file changed, 11 insertions(+), 9 deletions(-) diff --git a/include/tests_authentication b/include/tests_authentication index 79c1b94c..5817263e 100644 --- a/include/tests_authentication +++ b/include/tests_authentication 
@@ -1078,22 +1078,24 @@ # ################################################################################# # - # Test : AUTH-9407 - # Description : Logging failed login attempts + # Test : AUTH-9408 + # Description : Logging of failed login attempts if [ -f /etc/login.defs ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi - Register --test-no AUTH-9407 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --description "Logging failed login attempts" + Register --test-no AUTH-9408 --preqs-met ${PREQS_MET} --weight L --network NO --description "Logging of failed login attempts via /etc/login.defs" if [ ${SKIPTEST} -eq 0 ]; then logtext "Test: Checking FAILLOG_ENAB option in /etc/login.defs " FIND=`grep "^FAILLOG_ENAB" /etc/login.defs | awk '{ if ($1=="FAILLOG_ENAB") { print $2 } }'` - if [ "${FIND}" = "" -o "${FIND}" = "no" ]; then + # Search for enabled status (yes), otherwise consider it to be disabled (e.g. empty, or other value) + if [ "${FIND}" = "yes" ]; then + AUTH_FAILED_LOGINS_LOGGED=1 + logtext "Result: failed login attempts are logged in /var/log/faillog" + Display --indent 2 --text "- Logging failed login attempts" --result ENABLED --color GREEN + AddHP 3 3 + else logtext "Result: failed login attempts are not logged" Display --indent 2 --text "- Logging failed login attempts" --result DISABLED --color YELLOW - ReportSuggestion ${TEST_NO} "Configure failed login attempts to be logged in /var/log/faillog" + #ReportSuggestion ${TEST_NO} "Configure failed login attempts to be logged in /var/log/faillog" AddHP 0 1 - else - logtext "Result: failed login attempts are logged in /var/log/faillog" - Display --indent 2 --text "- Logging failed login attempts" --result OK --color GREEN - AddHP 3 3 fi fi # From c6d8aaa72e936d7c81df245017f938f2720ed87c Mon Sep 17 00:00:00 2001 
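Review bot: With `#ReportSuggestion ...` commented out, the DISABLED outcome now only deducts hardening points and is never surfaced in the report, so an auditor cannot see why points were lost; if the suggestion is being withheld deliberately, say so in a comment instead of leaving a dead line, otherwise restore `ReportSuggestion ${TEST_NO} "Configure failed login attempts to be logged in /var/log/faillog"`. The new `"${FIND}" = "yes"` comparison is case-sensitive, whereas shadow appears to parse login.defs booleans case-insensitively, so `FAILLOG_ENAB YES` would be reported as disabled; piping FIND through `tr '[:upper:]' '[:lower:]'` before the comparison would match that behaviour.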
From: mboelen Date: Mon, 7 Sep 2015 12:30:54 +0200 Subject: [PATCH 079/122] Extended suggestions and added Kamil as contributor --- CONTRIBUTORS | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/CONTRIBUTORS b/CONTRIBUTORS index 015e55ba..1352db0d 100644 --- a/CONTRIBUTORS +++ b/CONTRIBUTORS @@ -12,19 +12,22 @@ Want to contribute as well? Here are some suggestions: - - New tests for your favorite daemons + - Create new tests for your favorite software packages - Report (unexpected) screen errors - - Missing results + - Share missing results and findings - Check for grammar issues + Create a pull request at GitHub --> https://github.com/CISOfy/lynis -[+] Patches, bug fixes and suggestions + +[+] Contributors ------------------------------------------ Brian Ginsbach C.J. Adams-Collier, US Charlie Heselton, US Dave Vehrs + Kamil Boratyński Mikko Lehtisalo, Finland Steve Bosek, France Thomas Siebel, Germany From 98e27f52c2f334121cadd4461a7f1c0b3d6b34af Mon Sep 17 00:00:00 2001 From: mboelen Date: Mon, 7 Sep 2015 12:32:26 +0200 Subject: [PATCH 080/122] Added Kamil as contributor --- CONTRIBUTORS | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CONTRIBUTORS b/CONTRIBUTORS index 1352db0d..0a7c2664 100644 --- a/CONTRIBUTORS +++ b/CONTRIBUTORS @@ -27,7 +27,7 @@ C.J. Adams-Collier, US Charlie Heselton, US Dave Vehrs - Kamil Boratyński + Kamil Boratyński, Poland Mikko Lehtisalo, Finland Steve Bosek, France Thomas Siebel, Germany From f7ec431a659acae07bcca0feff73888721fa8055 Mon Sep 17 00:00:00 2001 From: Alexander Lobodzinski Date: Mon, 7 Sep 2015 17:31:18 +0200 Subject: [PATCH 081/122] /usr/sbin/httpd on OpenBSD is builtin non-Apache webserver, do not run with -v If Apache is installed it is detected in /usr/local/sbin/httpd nevertheless --- include/tests_webservers | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/include/tests_webservers b/include/tests_webservers index bb5db39d..35194eea 100644 --- a/include/tests_webservers 
+++ b/include/tests_webservers @@ -50,9 +50,13 @@ # Test : HTTP-6622 # Description : Test for Apache installation # Notes : Do not run on NetBSD, -v is unknown option for httpd binary + # On OpenBSD do not run /usr/sbin/httpd with -v: builtin non-Apache if [ ! "${OS}" = "NetBSD" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no HTTP-6622 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking Apache presence" if [ ${SKIPTEST} -eq 0 ]; then + if [ "${OS}" = "OpenBSD" -a "${HTTPDBINARY}" = "/usr/sbin/httpd" ]; then + HTTPDBINARY="" + fi if [ "${HTTPDBINARY}" = "" ]; then Display --indent 2 --text "- Checking Apache" --result "NOT FOUND" --color WHITE else From 3cdd9ea949379a8ad06daa06e739d1e65e4a52bc Mon Sep 17 00:00:00 2001 From: Laurent Quillerou Date: Mon, 7 Sep 2015 18:35:07 +0300 Subject: [PATCH 082/122] Delete trailing whitespace --- CHANGELOG | 32 ++++++++++++++++---------------- CONTRIBUTIONS.md | 2 +- FAQ | 2 +- db/fileperms.db | 2 +- db/hints.db | 2 +- db/malware-susp.db | 2 +- db/malware.db | 2 +- db/sbl.db | 2 +- debian/README.Debian | 8 ++++---- debian/rules | 4 ++-- default.prf | 6 +++--- extras/README | 2 +- extras/build-lynis.sh | 4 ++-- include/functions | 8 ++++---- include/tests_crypto | 2 +- include/tests_databases | 2 +- include/tests_file_integrity | 2 +- include/tests_filesystems | 2 +- include/tests_kernel | 6 +++--- include/tests_mac_frameworks | 4 ++-- include/tests_malware | 2 +- include/tests_memory_processes | 2 +- include/tests_nameservices | 4 ++-- include/tests_ports_packages | 2 +- include/tests_storage_nfs | 6 +++--- include/tests_webservers | 10 +++++----- lynis | 2 +- 27 files changed, 62 insertions(+), 62 deletions(-) diff --git a/CHANGELOG b/CHANGELOG index db90546e..147c35b7 100644 --- a/CHANGELOG +++ b/CHANGELOG 
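Review bot: The OpenBSD special case clears the global `HTTPDBINARY` from inside this test, so every later test that consults the variable (outside this hunk, so unverified here) will see no httpd at all on OpenBSD, not just this Apache check. A check that only concerns HTTP-6622 should feed its prerequisite instead of mutating shared state, e.g. `if [ "${OS}" = "OpenBSD" -a "${HTTPDBINARY}" = "/usr/sbin/httpd" ]; then PREQS_MET="NO"; fi` after the existing PREQS_MET line, or the exclusion belongs in the binary-detection code. That also keeps the `NOT FOUND` display honest, since on OpenBSD the builtin httpd is present but simply is not Apache.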
@@ -921,7 +921,7 @@ - Added Squid test: reply_body_max_size option [SQD-3630] - Added /etc/init.d/rc and /etc/init.d/rcS to umask test [AUTH-9328] - Check PHP option allow_url_include [PHP-2378] - + Changes: - Extended possible Squid configuration file locations - Added additional sysctl keys to default profile @@ -1098,7 +1098,7 @@ - nginx configuration file check [HTTP-6704] - Exim status check [MAIL-8802] - Postfix status check [MAIL-8814] - + Changes: - atd needs to run before testing at files [SCHD-7720] - Removed Solaris OS requirement from logrotate test [LOGG-2148] @@ -1108,7 +1108,7 @@ - Binary scan optimized and partially combined with other check - Only perform iptables tests if kernel module is active - Don't show message when /etc/shells can't be found [SHLL-6211] - - Check /var/spool/cron/crontabs first, if it exists [SCHD-7704] + - Check /var/spool/cron/crontabs first, if it exists [SCHD-7704] - Renumbered FreeBSD test SHLL-7225 [SHLL-6202] - Renumbered malware test MALW-3292 [HRDN-7230] - Improved grep on process status [PRNT-2304] @@ -1298,10 +1298,10 @@ New: - New test: Passwordless Solaris accounts test [AUTH-9254] - New test: AFICK file integrity [FINT-4310] - - New test: AIDE file integrity [FINT-4314] - - New test: Osiris file integrity [FINT-4318] - - New test: Samhain file integrity [FINT-4322] - - New test: Tripwire file integrity [FINT-4326] + - New test: AIDE file integrity [FINT-4314] + - New test: Osiris file integrity [FINT-4318] + - New test: Samhain file integrity [FINT-4322] + - New test: Tripwire file integrity [FINT-4326] - New tests: NIS and NIS+ authentication test [AUTH-9240/42] - Initial support added for AFICK, AIDE, Osiris, Samhain, Tripwire 
@@ -1327,12 +1327,12 @@ - New test: Promiscuous network interfaces (Linux) [NETW-3015] - Report option 'bootloader' added to several tests - Added readlink binary check - + Changes: - Extended file check (IsWorldWritable) for symlinks - Show result if no default gateway is found [NETW-3001] - Added /usr/local/etc to sudoers test [AUTH-9250] - - Improved FreeBSD banner output [BANN-7113] + - Improved FreeBSD banner output [BANN-7113] - Removed incorrect line at promiscuous interface test [NETW-3014] - Fix: Show only once the GRUB test output [BOOT-5121] - Fix: Typo in NTP test [TIME-3104] @@ -1380,7 +1380,7 @@ - New test: checking for heavy IO waiting processes [PROC-3614] - Initial HP-UX support (untested) - Initial AIX support (untested) - - Added iptables binary check + - Added iptables binary check - Added dig check, for DNS related tests - Added option --no-colors to remove all colors from screen output - Added option --reverse-colors for optimizing output at light backgrounds @@ -1400,7 +1400,7 @@ - Several tests have their warning reporting improved - Improved SuSE Linux detection - Improved syslog-ng detection - - Adjusted README with link to online (extended) documentation + - Adjusted README with link to online (extended) documentation -- @@ -1410,7 +1410,7 @@ - New test: Check writable startup scripts [BOOT-5184] - New test: Syslog-NG consistency check [LOGG-2134] - New test: Check yum-utils package and scanning package database [PKGS-7384] - - New test: Test for empty ruleset when iptables is loaded [FIRE-4512] + - New test: Test for empty ruleset when iptables is loaded [FIRE-4512] - New test: Check for expired SSL certificates [CRYP-7902] - New test: Check for LDAP authentication support [AUTH-9238] - New test: Read available crontab/cron files [SCHD-7704] 
@@ -1449,7 +1449,7 @@ * 1.1.5 (2008-06-10) New: - - Assigned ID to Apache configuration file test [HTTP-6624] + - Assigned ID to Apache configuration file test [HTTP-6624] - Added pause_between_tests to profile file, to regulate the speed of a scan - Assigned ID to dpkg test and solved issue with colon in package names [PKG-7345] - Assigned ID to Solaris package test [PKG-7306] @@ -1732,12 +1732,12 @@ -- * 1.0.3 (2007-11-19) - + New: - Added check for sockstat - Test: added test for GRUB and password option - Test: query listening ports (sockstat) - + Changes: - Fixed NTPd check (bug) - Extended help for 'double installed package' check (BSD systems, pkg_info) @@ -1789,7 +1789,7 @@ Changes: - [bug] Changed skel directory check - Fixed display Apache configuration file - + -- * 1.0.0 (2007-11-08) diff --git a/CONTRIBUTIONS.md b/CONTRIBUTIONS.md index ba03583b..dd032453 100644 --- a/CONTRIBUTIONS.md +++ b/CONTRIBUTIONS.md @@ -36,4 +36,4 @@ To ensure all pull requests can be easily checked and merged, here are some tips * Your code should work on other platforms running the bourne shell (/bin/sh), not just BASH. * Properly document your code where needed. Besides the 'what', focus on explaining the 'why'. * Check the log information (lynis.log) of your new test or changed code, so that it provides helpful details for others. -* Most variables should be capitalized, with underscore as word separator (e.g. PROCESS_EXISTS=1) \ No newline at end of file +* Most variables should be capitalized, with underscore as word separator (e.g. PROCESS_EXISTS=1) diff --git a/FAQ b/FAQ index 858bddfd..e0bd9736 100644 --- a/FAQ +++ b/FAQ 
@@ -58,7 +58,7 @@ have a dark background, so it gives extra attention to the message. However if you have a white background (for example Mac OS X), you can run Lynis with --no-colors to strip colors or --reverse-colors to reverse the color - scheme. Another option is to change your terminal colors within Mac OS. + scheme. Another option is to change your terminal colors within Mac OS. Q: Some tests take very long to finish, what to do? A: Use a second console (or connection) and check the output of ps/lsof etc, diff --git a/db/fileperms.db b/db/fileperms.db index a4bbcf18..327db5ea 100644 --- a/db/fileperms.db +++ b/db/fileperms.db @@ -9,7 +9,7 @@ # 5) file group owner # 6) operating system, or systems # 7) operating system special -# 8) +# 8) # #================================================== file:/etc/group:644:root:root:Linux: diff --git a/db/hints.db b/db/hints.db index 1504cb30..18a7c680 100644 --- a/db/hints.db +++ b/db/hints.db @@ -1,2 +1,2 @@ #version=20091015 -100:Did you know? Lynis has a --cronjob option for optimized output while running on scheduled times.: \ No newline at end of file +100:Did you know? Lynis has a --cronjob option for optimized output while running on scheduled times.: diff --git a/db/malware-susp.db b/db/malware-susp.db index 5c6ace24..6c0c982f 100644 --- a/db/malware-susp.db +++ b/db/malware-susp.db @@ -1,4 +1,4 @@ #version=2009101500 vuln.txt::: crack*::: -exploit*::: \ No newline at end of file +exploit*::: diff --git a/db/malware.db b/db/malware.db index 7844f1f3..28ffcb28 100644 --- a/db/malware.db +++ b/db/malware.db @@ -41,4 +41,4 @@ /tmp/.b:::Slapper::: /usr/man/.sman/sk:::Superkit::: /usr/lib/.tbd:::TBD::: -/sbin/.login:::Login backdoor::: \ No newline at end of file +/sbin/.login:::Login backdoor::: diff --git a/db/sbl.db b/db/sbl.db index 323303b4..d493e510 100644 --- a/db/sbl.db +++ b/db/sbl.db @@ -1,2 +1,2 @@ #version=2008052800 -php:5.2.5 \ No newline at end of file +php:5.2.5 
diff --git a/debian/README.Debian b/debian/README.Debian index 60820ff7..8a6f45c5 100644 --- a/debian/README.Debian +++ b/debian/README.Debian @@ -1,20 +1,20 @@ lynis for Debian ---------------- -When execute Lynis from Debian menu, the program runs with the following +When execute Lynis from Debian menu, the program runs with the following parameter: lynis --no-colors -It makes a full system check, with the default profile file +It makes a full system check, with the default profile file (/etc/lynis/default.prf). Please adjust this config file with your needs. For better perform, launch Lynis from a terminal, as root user, with your best configuration. Lynis can be executed directly: -# lynis -c -or +# lynis -c +or # lynis After Lynis runs the system check, it creates the following two files with the diff --git a/debian/rules b/debian/rules index 468f07a6..5ea1eafc 100755 --- a/debian/rules +++ b/debian/rules @@ -12,13 +12,13 @@ clean: dh_testdir dh_testroot rm -f build-stamp - dh_clean + dh_clean install: build dh_testdir dh_testroot - dh_prep + dh_prep # Add here commands to install the package into debian/lynis. install -D -m 0755 $(CURDIR)/lynis $(CURDIR)/debian/lynis/usr/sbin/lynis diff --git a/default.prf b/default.prf index 8f79daa5..3a51832a 100644 --- a/default.prf +++ b/default.prf @@ -122,7 +122,7 @@ sysctl:kernel.use-nx:0:1:XXX: [network] sysctl:net.inet.icmp.bmcastecho:0:1:Ignore ICMP packets directed to broadcast address: sysctl:net.inet.icmp.rediraccept:0:1:Disable incoming ICMP redirect routing redirects: -sysctl:net.inet.ip.accept_sourceroute:0:1:Disable IP source routing: +sysctl:net.inet.ip.accept_sourceroute:0:1:Disable IP source routing: sysctl:net.inet.ip.redirect:0:1:Disable/Ignore ICMP routing redirects: sysctl:net.inet.ip.sourceroute:0:1:Disable IP source routing: sysctl:net.inet.ip6.redirect:0:1:Disable/Ignore ICMP routing redirects: 
@@ -149,9 +149,9 @@ sysctl:net.ipv4.tcp_syncookies:1:1:Use SYN cookies to prevent SYN attack: sysctl:net.ipv4.tcp_timestamps:0:1:Do not use TCP time stamps: sysctl:net.ipv6.conf.all.send_redirects:0:1:Disable/ignore ICMP routing redirects: sysctl:net.ipv6.conf.all.accept_redirects:0:1:Disable/Ignore ICMP routing redirects: -sysctl:net.ipv6.conf.all.accept_source_route:0:1:Disable IP source routing: +sysctl:net.ipv6.conf.all.accept_source_route:0:1:Disable IP source routing: sysctl:net.ipv6.conf.default.accept_redirects:0:1:Disable/Ignore ICMP routing redirects: -sysctl:net.ipv6.conf.default.accept_source_route:0:1:Disable IP source routing: +sysctl:net.ipv6.conf.default.accept_source_route:0:1:Disable IP source routing: [security] #sysctl:kern.securelevel:1^2^3:1:FreeBSD security level: diff --git a/extras/README b/extras/README index c51df06f..57f42d94 100644 --- a/extras/README +++ b/extras/README @@ -6,4 +6,4 @@ - Integrity checks and tools - Development tools -================================================================================ \ No newline at end of file +================================================================================ diff --git a/extras/build-lynis.sh b/extras/build-lynis.sh index 9d82bcc6..f0f6cc72 100755 --- a/extras/build-lynis.sh +++ b/extras/build-lynis.sh @@ -364,7 +364,7 @@ Exit #=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= - echo -n "- Cleaning up OpenBSD package build... " + echo -n "- Cleaning up OpenBSD package build... " if [ -f openbsd/+CONTENTS ]; then rm openbsd/+CONTENTS; fi echo "DONE" OPENBSD_CONTENTS="openbsd/+CONTENTS" @@ -377,7 +377,7 @@ Exit for I in ${PACKAGE_LIST_FILES}; do echo -n "${I} " - #FULLNAME=`cat files.dat | grep ":file:include: + #FULLNAME=`cat files.dat | grep ":file:include: #echo "${FULLNAME}" >> ${OPENBSD_CONTENTS} echo "${I}" >> ${OPENBSD_CONTENTS} FILE="../${I}" diff --git a/include/functions b/include/functions index 89e9c662..2e610fe2 100644 
--- a/include/functions +++ b/include/functions @@ -89,10 +89,10 @@ # If 'file' is an directory, use -d if [ -d ${CHECKFILE} ]; then FILEVALUE=`ls -d -l ${CHECKFILE} | cut -c 2-10` - PROFILEVALUE=`cat ${PROFILE} | grep '^permdir' | grep ":${CHECKFILE}:" | cut -d: -f3` + PROFILEVALUE=`cat ${PROFILE} | grep '^permdir' | grep ":${CHECKFILE}:" | cut -d: -f3` else FILEVALUE=`ls -l ${CHECKFILE} | cut -c 2-10` - PROFILEVALUE=`cat ${PROFILE} | grep '^permfile' | grep ":${CHECKFILE}:" | cut -d: -f3` + PROFILEVALUE=`cat ${PROFILE} | grep '^permfile' | grep ":${CHECKFILE}:" | cut -d: -f3` fi if [ "${FILEVALUE}" = "${PROFILEVALUE}" ]; then PERMS="OK"; else PERMS="BAD"; fi fi @@ -1060,7 +1060,7 @@ if [ ! "${FIND}" = "" ]; then SKIPTEST=1; SKIPREASON="Skipped by configuration"; fi fi - # Skip if test is not in the list + # Skip if test is not in the list if [ ${SKIPTEST} -eq 0 -a ! "${TESTS_TO_PERFORM}" = "" ]; then FIND=`echo "${TESTS_TO_PERFORM}" | grep "${TEST_NO}"` if [ "${FIND}" = "" ]; then SKIPTEST=1; SKIPREASON="Test not in list of tests to perform"; fi @@ -1146,7 +1146,7 @@ { if [ $1 = "" ]; then TESTID="UNKNOWN"; fi # Status: OK, WARNING, NEUTRAL, SUGGESTION - # Impact: HIGH, SEVERE, LOW, + # Impact: HIGH, SEVERE, LOW, #report "result[]=TESTID-${TESTID},STATUS-$2,IMPACT-$3,MESSAGE-$4-" # Reset ID before next test TESTID="" diff --git a/include/tests_crypto b/include/tests_crypto index d883e8b8..7a08962b 100644 --- a/include/tests_crypto +++ b/include/tests_crypto @@ -29,7 +29,7 @@ if [ ${SKIPTEST} -eq 0 ]; then FOUNDPROBLEM=0 # Check profile for paths to check - sSSL_PATHS=`grep "^ssl:certificates:" ${PROFILE} | cut -d ':' -f3` + sSSL_PATHS=`grep "^ssl:certificates:" ${PROFILE} | cut -d ':' -f3` for I in ${sSSL_PATHS}; do if [ -d ${I} ]; then FileIsReadable ${I} diff --git a/include/tests_databases b/include/tests_databases index ca2fb24c..80e7405b 100644 --- a/include/tests_databases +++ b/include/tests_databases 
@@ -79,7 +79,7 @@ Display --indent 4 --text "- Checking empty MySQL root password" --result WARNING --color RED AddHP 0 5 else - logtext "Result: Login did not succeed, so a MySQL root password is set" + logtext "Result: Login did not succeed, so a MySQL root password is set" Display --indent 4 --text "- Checking MySQL root password" --result OK --color GREEN AddHP 2 2 fi diff --git a/include/tests_file_integrity b/include/tests_file_integrity index 7bdc2072..03fa0908 100644 --- a/include/tests_file_integrity +++ b/include/tests_file_integrity @@ -94,7 +94,7 @@ Register --test-no FINT-4316 --preqs-met ${PREQS_MET} --weight L --network NO --description "AIDE configuration: Checksums (SHA256 or SHA512)" if [ ${SKIPTEST} -eq 0 ]; then FIND=`${GREPBINARY} "^Checksums" ${AIDECONFIG}` - FIND2=`${GREPBINARY} "^Checksums" ${AIDECONFIG} | ${EGREPBINARY} "sha256|sha512"` + FIND2=`${GREPBINARY} "^Checksums" ${AIDECONFIG} | ${EGREPBINARY} "sha256|sha512"` if [ "${FIND}" = "" ]; then logtext "Result: Unclear how AIDE is dealing with checksums" Display --indent 6 --text "- AIDE config (Checksums)" --result UNKNOWN --color YELLOW diff --git a/include/tests_filesystems b/include/tests_filesystems index ded21fc1..50c7308c 100644 --- a/include/tests_filesystems +++ b/include/tests_filesystems @@ -322,7 +322,7 @@ #SKELDIRS="/etc/skel /usr/share/skel" #for I in ${SKELDIRS}; do - # + # # logtext "Searching skel directory ${I}" # # if [ -d ${I} ]; then diff --git a/include/tests_kernel b/include/tests_kernel index 15c84206..66241526 100644 --- a/include/tests_kernel +++ b/include/tests_kernel 
@@ -49,7 +49,7 @@ logtext "Result: Found match on runlevel5/graphical" Display --indent 2 --text "- Checking default runlevel" --result "runlevel 5" --color GREEN report "linux_default_runlevel=5" - else + else logtext "Result: No match found on runlevel, defaulting to runlevel 3" Display --indent 2 --text "- Checking default runlevel" --result "runlevel 3" --color GREEN report "linux_default_runlevel=3" @@ -376,7 +376,7 @@ if [ ${SKIPTEST} -eq 0 ]; then logtext "Test: Checking presence /etc/security/limits.conf" if [ -f /etc/security/limits.conf ]; then - logtext "Result: file /etc/security/limits.conf exists" + logtext "Result: file /etc/security/limits.conf exists" logtext "Test: Checking if core dumps are disabled in /etc/security/limits.conf" FIND1=`cat /etc/security/limits.conf | grep -v "^#" | grep -v "^$" | awk '{ if ($1=="*" && $2=="soft" && $3=="core" && $4=="1") { print "soft core enabled" } }'` FIND2=`cat /etc/security/limits.conf | grep -v "^#" | grep -v "^$" | awk '{ if ($1=="*" && $2=="hard" && $3=="core" && $4=="1") { print "hard core enabled" } }'` @@ -438,7 +438,7 @@ FILE="/var/run/reboot-required.pkgs" logtext "Test: Checking presence ${FILE}" if [ -f ${FILE} ]; then - logtext "Result: file ${FILE} exists" + logtext "Result: file ${FILE} exists" FIND=`cat ${FILE}` if [ "${FIND}" = "" ]; then logtext "Result: No reboot needed (file empty)" diff --git a/include/tests_mac_frameworks b/include/tests_mac_frameworks index 4a0bc6dc..9b7fa2c2 100644 --- a/include/tests_mac_frameworks +++ b/include/tests_mac_frameworks @@ -71,7 +71,7 @@ elif [ ${FIND} -eq 1 ]; then logtext "Result: AppArmor is disabled" Display --indent 4 --text "- Checking AppArmor status" --result "DISABLED" --color YELLOW - else + else Display --indent 4 --text "- Checking AppArmor status" --result "UNKNOWN" --color RED ReportException "${TEST_NO}:1" "Invalid or unknown AppArmor status detected" fi 
@@ -119,7 +119,7 @@ Display --indent 6 --text "- Checking current mode and config file" --result "OK" --color GREEN else logtext "Result: Current SELinux mode (${FIND}) is NOT the same as in config file (${FIND2})." - ReportWarning ${TEST_NO} "M" "Current SELinux mode is different from config file (current: ${FIND}, config file: ${FIND2})" + ReportWarning ${TEST_NO} "M" "Current SELinux mode is different from config file (current: ${FIND}, config file: ${FIND2})" Display --indent 6 --text "- Checking current mode and config file" --result "WARNING" --color RED fi Display --indent 8 --text "Current SELinux mode: ${FIND}" diff --git a/include/tests_malware b/include/tests_malware index 1462646c..75517156 100644 --- a/include/tests_malware +++ b/include/tests_malware @@ -47,7 +47,7 @@ ################################################################################# # # Test : MALW-3276 - # Description : Check for installed tool (Rootkit Hunter) + # Description : Check for installed tool (Rootkit Hunter) Register --test-no MALW-3276 --weight L --network NO --description "Check for Rootkit Hunter" if [ ${SKIPTEST} -eq 0 ]; then logtext "Test: checking presence Rootkit Hunter" diff --git a/include/tests_memory_processes b/include/tests_memory_processes index fda6a32e..b78429db 100644 --- a/include/tests_memory_processes +++ b/include/tests_memory_processes @@ -64,7 +64,7 @@ # # Test : PROC-3612 # Description : Searching for dead and zombie processes - # Notes : Don't perform test on Solaris + # Notes : Don't perform test on Solaris if [ ! "${OS}" = "Solaris" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no PROC-3612 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check dead or zombie processes" if [ ${SKIPTEST} -eq 0 ]; then diff --git a/include/tests_nameservices b/include/tests_nameservices index 5e59f53f..5131364b 100644 --- a/include/tests_nameservices +++ b/include/tests_nameservices 
@@ -94,7 +94,7 @@ # Check amount of search domains (max 1) FIND=`cat /etc/resolv.conf | grep "^search" | wc -l | tr -s ' ' | tr -d ' '` if [ ! "${FIND}" = "0" -a ! "${FIND}" = "1" ]; then - logtext "Result: found ${FIND} line(s) with a search statement (expecting less than 2 lines)" + logtext "Result: found ${FIND} line(s) with a search statement (expecting less than 2 lines)" Display --indent 4 --text "- Checking search domains lines" --result "CONFIG ERROR" --color YELLOW ReportWarning ${TEST_NO} "L" "Found more than 1 search lines in /etc/resolv.conf, which is probably a misconfiguration" else @@ -566,7 +566,7 @@ fi fi # Check if we found any NIS domain - if [ ! "${NISDOMAIN}" = "" ]; then + if [ ! "${NISDOMAIN}" = "" ]; then logtext "Found NIS domain: ${NISDOMAIN}" report "nisdomain=${NISDOMAIN}" Display --indent 4 --text "- Checking NIS domain" --result "FOUND" --color GREEN diff --git a/include/tests_ports_packages b/include/tests_ports_packages index 8143113a..c21db924 100644 --- a/include/tests_ports_packages +++ b/include/tests_ports_packages @@ -860,7 +860,7 @@ SCAN_PERFORMED=0 # Update portage. # Multiple ways to do this. Some require extra packages to be installed, - # others require potential firewall ports to be open, outbound. This is the + # others require potential firewall ports to be open, outbound. This is the # "most friendly" way. logtext "Action: updating portage with emerge-webrsync" /usr/bin/emerge-webrsync --quiet 2> /dev/null diff --git a/include/tests_storage_nfs b/include/tests_storage_nfs index 2b3d7d6b..1795aeb6 100644 --- a/include/tests_storage_nfs +++ b/include/tests_storage_nfs 
@@ -59,7 +59,7 @@ # # Test : STRG-1906 # Description : Check nfs protocols (TCP/UDP) and port in rpcinfo - if [ ! "${RPCINFOBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + if [ ! "${RPCINFOBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no STRG-1906 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check nfs rpc" if [ ${SKIPTEST} -eq 0 ]; then logtext "Test: Checking NFS registered protocols" @@ -114,7 +114,7 @@ # Description : Check NFS exports if [ ${NFS_DAEMON_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no STRG-1926 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking NFS exports" - if [ ${SKIPTEST} -eq 0 ]; then + if [ ${SKIPTEST} -eq 0 ]; then logtext "Test: check /etc/exports" if [ -f /etc/exports ]; then logtext "Result: /etc/exports exists" @@ -139,7 +139,7 @@ # # Test : STRG-1928 # Description : Check for empty exports file while NFS is running - if [ ${NFS_DAEMON_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + if [ ${NFS_DAEMON_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no STRG-1928 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking empty /etc/exports" if [ ${SKIPTEST} -eq 0 ]; then if [ ${NFS_EXPORTS_EMPTY} -eq 1 ]; then diff --git a/include/tests_webservers b/include/tests_webservers index 51a8d528..b630c7a3 100644 --- a/include/tests_webservers +++ b/include/tests_webservers 
@@ -194,9 +194,9 @@ # # Configuration specific tests # SERVERTOKENSFOUND=0 # APACHE_CONFIGFILES="${APACHE_CONFIGFILE} /usr/local/etc/apache22/extra/httpd-default.conf /etc/apache2/sysconfig.d/global.conf" -# +# # for APACHE_CONFIGFILE in ${APACHE_CONFIGFILES}; do -# if [ -f ${APACHE_CONFIGFILE} ]; then +# if [ -f ${APACHE_CONFIGFILE} ]; then # # Check if option ServerTokens is configured # SERVERTOKENSTEST=`cat ${APACHE_CONFIGFILE} | grep ServerTokens | grep -v '^#'` # if [ ! "${SERVERTOKENSTEST}" = "" ]; then @@ -215,17 +215,17 @@ # else # Display --indent 4 --text "- Checking option ServerTokens" --result "NOT FOUND" --color WHITE # fi -# +# # else # # File does not exist, skipping # logtext "File ${APACHE_CONFIGFILE} does not exist, so skipping tests on this file" # fi # done -# +# # # Display results from checks # if [ ${SERVERTOKENSFOUND} -eq 1 ]; then # Display --indent 6 --text "- Value of ServerTokens" --result OK --color GREEN -# else +# else # Display --indent 6 --text "- Value of ServerTokens" --result WARNING --color RED # ReportWarning ${TEST_NO} "M" "Value of 'ServerTokens' in Apache config is different than template" # fi diff --git a/lynis b/lynis index d49c4bf9..575e2e06 100755 --- a/lynis +++ b/lynis @@ -488,7 +488,7 @@ echo " Program version: ${PROGRAM_version}" echo " Operating system: ${OS}" echo " Operating system name: ${OS_NAME}" - echo " Operating system version: ${OS_VERSION}" + echo " Operating system version: ${OS_VERSION}" if [ ! "${OS_MODE}" = "" ]; then echo " Operating system mode: ${OS_MODE}"; fi echo " Kernel version: ${OS_KERNELVERSION}" echo " Hardware platform: ${HARDWARE}" From 429fb62fd71b3044221f6de4d90aaeabfeb43f34 Mon Sep 17 00:00:00 2001 From: mboelen Date: Mon, 7 Sep 2015 17:40:03 +0200 Subject: [PATCH 083/122] Added UEFI_BOOTED --- include/consts | 1 + 1 file changed, 1 insertion(+) diff --git a/include/consts b/include/consts index bddc11eb..d1ea1b7e 100644 --- a/include/consts +++ b/include/consts 
@@ -117,6 +117,7 @@ unset LANG TESTS_EXECUTED="" TESTS_SKIPPED="" TRIPWIREBINARY="" + UEFI_BOOTED=0 UNBOUND_RUNNING=0 UPLOAD_OPTIONS="" UPDATE_CHECK_SKIPPED=0 From 919995eb5a208a4bae3a531b70302b02cb64729c Mon Sep 17 00:00:00 2001 From: mboelen Date: Mon, 7 Sep 2015 17:40:26 +0200 Subject: [PATCH 084/122] Added UEFI_BOOTED_SECURE --- include/consts | 1 + 1 file changed, 1 insertion(+) diff --git a/include/consts b/include/consts index d1ea1b7e..aa884190 100644 --- a/include/consts +++ b/include/consts @@ -118,6 +118,7 @@ unset LANG TESTS_SKIPPED="" TRIPWIREBINARY="" UEFI_BOOTED=0 + UEFI_BOOTED_SECURE=0 UNBOUND_RUNNING=0 UPLOAD_OPTIONS="" UPDATE_CHECK_SKIPPED=0 From 1283ccc06161f919bc8c7928e0d7e90647e4d12a Mon Sep 17 00:00:00 2001 From: mboelen Date: Mon, 7 Sep 2015 17:41:05 +0200 Subject: [PATCH 085/122] Added new test for UEFI detection [BOOT-5116] and storing data in report --- include/tests_boot_services | 62 +++++++++++++++++++++++++++++++++++++ 1 file changed, 62 insertions(+) diff --git a/include/tests_boot_services b/include/tests_boot_services index 014acc67..982805f5 100644 --- a/include/tests_boot_services +++ b/include/tests_boot_services 
@@ -118,6 +118,66 @@
 fi
 #
 #################################################################################
+#
+ # Test : BOOT-5116
+ # Description : Check if system is booted in UEFI mode
+ Register --test-no BOOT-5116 --weight L --network NO --root-only YES --description "Check if system is booted in UEFI mode"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ UEFI_TESTS_PERFORMED=0
+ case ${OS} in
+ Linux)
+ UEFI_TESTS_PERFORMED=1
+ # Check if UEFI is available in this boot
+ logtext "Test: checking if UEFI is used"
+ if [ -d /sys/firmware/efi ]; then
+ logtext "Result: system booted in UEFI mode"
+ UEFI_BOOTED=1
+ else
+ logtext "Result: UEFI not used, can't find /sys/firmware/efi directory"
+ fi
+
+ # Test if Secure Boot is enabled
+ logtext "Test: determine if Secure Boot is used"
+ if [ -d /sys/firmware/efi/efivars ]; then
+ FIND=`ls /sys/firmware/efi/efivars/SecureBoot-* 2> /dev/null`
+ if [ ! "${FIND}" = "" ]; then
+ for I in ${FIND}; do
+ logtext "Test: checking file ${I}"
+ J=`od -An -t u1 ${I} | awk '{ print $5 }'`
+ if [ "${J}" = "1" ]; then
+ logtext "Result: found SecureBoot file with enabled status"
+ UEFI_BOOTED_SECURE=1
+ else
+ logtext "Result: system not booted with Secure Boot (status 0 in file ${I})"
+ fi
+ done
+ fi
+ else
+ logtext "Result: system not booted with Secure Boot (no SecureBoot file found)"
+ fi
+ ;;
+ #MacOS)
+ # Mac OS ioreg -l -p IODeviceTree | grep firmware-abi
+ #;;
+ *)
+ logtext "Result: no test implemented yet to test for UEFI on this platform"
+ ;;
+ esac
+ if [ ${UEFI_BOOTED} -eq 1 ]; then
+ Display --indent 2 --text "- Checking UEFI boot" --result ENABLED --color GREEN
+ if [ ${UEFI_BOOTED_SECURE} -eq 1 ]; then
+ Display --indent 2 --text "- Checking Secure Boot" --result ENABLED --color GREEN
+ else
+ Display --indent 2 --text "- Checking Secure Boot" --result DISABLED --color YELLOW
+ fi
+ else
+ if [ ${UEFI_TESTS_PERFORMED} -eq 1 ]; then
+ Display --indent 2 --text "- Checking UEFI boot" --result DISABLED --color GREEN
+ fi
+ fi
+ 
fi +# +################################################################################# # # Test : BOOT-5121 # Description : Check for GRUB boot loader @@ -682,6 +742,8 @@ # report "boot_loader=${BOOT_LOADER}" +report "boot_uefi_booted=${UEFI_BOOTED}" +report "boot_uefi_booted_secure=${UEFI_BOOTED_SECURE}" report "service_manager=${SERVICE_MANAGER}" wait_for_keypress From d23ef2db0ba8ef1b7457e1102092424f78f5ef43 Mon Sep 17 00:00:00 2001 From: mboelen Date: Mon, 7 Sep 2015 17:42:29 +0200 Subject: [PATCH 086/122] Changed screen identation of GRUB2 test --- include/tests_boot_services | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/include/tests_boot_services b/include/tests_boot_services index 982805f5..b913e04b 100644 --- a/include/tests_boot_services +++ b/include/tests_boot_services @@ -51,7 +51,6 @@ fi fi fi - # ################################################################################# # @@ -191,7 +190,7 @@ BOOT_LOADER="GRUB" BOOT_LOADER_FOUND=1 GRUB_VERSION=1 - Display --indent 4 --text "- Checking presence GRUB" --result "OK" --color GREEN + Display --indent 2 --text "- Checking presence GRUB" --result "OK" --color GREEN if [ -f /boot/grub/grub.conf ]; then GRUBCONFFILE="/boot/grub/grub.conf"; else GRUBCONFFILE="/boot/grub/menu.lst"; fi fi From e50eef0c1998524583c47a6cf28a89cb683cff78 Mon Sep 17 00:00:00 2001 From: mboelen Date: Mon, 7 Sep 2015 17:43:00 +0200 Subject: [PATCH 087/122] Added hint for possible extension to kernel scheduler --- include/tests_kernel | 2 ++ 1 file changed, 2 insertions(+) diff --git a/include/tests_kernel b/include/tests_kernel index 15c84206..d844f4a0 100644 --- a/include/tests_kernel +++ b/include/tests_kernel 
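Review bot: The Secure Boot verdict at `J=`od -An -t u1 ${I} | awk '{ print $5 }'`` keys on the SecureBoot variable alone and leaves the byte layout it relies on unexplained; a comment such as `# efivarfs prefixes the value with 4 attribute bytes, so the flag is byte 5` would spare the next reader a trip to the kernel docs. Firmware that is in setup mode does not enforce signatures even when SecureBoot reads 1, so reading the sibling `SetupMode-*` variable the same way and setting `UEFI_BOOTED_SECURE=1` only when SecureBoot is 1 and SetupMode is 0 would make the ENABLED result, and the boot_uefi_booted_secure report field fed from it, a more trustworthy signal. The `FIND=`ls /sys/firmware/efi/efivars/SecureBoot-* 2> /dev/null`` followed by `for I in ${FIND}` parses ls output, where a plain glob `for I in /sys/firmware/efi/efivars/SecureBoot-*; do [ -e "${I}" ] || continue` does the same without the extra process.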
@@ -252,6 +252,8 @@ # # Test : KRNL-5730 # Description : Checking default I/O kernel scheduler + # Notes : This test could be extended with testing some of the specific devices like disks + # cat /sys/block/sda/queue/scheduler PREQS_MET="NO" if [ ! "${LINUXCONFIGFILE}" = "" ]; then if [ -f ${LINUXCONFIGFILE} ]; then PREQS_MET="YES"; fi From b83c3fbb10600964963b96c4099867822b56fcb0 Mon Sep 17 00:00:00 2001 From: Laurent Quillerou Date: Mon, 7 Sep 2015 18:52:19 +0300 Subject: [PATCH 088/122] Include main nginx.conf so that it generate nginx_config_option --- include/tests_webservers | 1 + 1 file changed, 1 insertion(+) diff --git a/include/tests_webservers b/include/tests_webservers index b630c7a3..2a0cc79c 100644 --- a/include/tests_webservers +++ b/include/tests_webservers @@ -418,6 +418,7 @@ # Remove temp file if [ ! "${TMPFILE}" = "" ]; then if [ -f ${TMPFILE} ]; then rm -f ${TMPFILE}; fi; fi N=0 + cat ${NGINX_CONF_LOCATION} | sed -e 's/^[ \t]*//' | grep -v "^#" | grep -v "^$" | sed 's/[\t]/ /g' | sed 's/ / /g' | sed 's/ / /g' >> ${TMPFILE} # Search for included configuration files (may include directories and wild cards) FIND=`grep "include" ${NGINX_CONF_LOCATION} | ${AWKBINARY} '{ if ($1=="include") { print $2 }}' | sed 's/;$//g'` for I in ${FIND}; do From d4f024faa6e2cb3c46f0e62ed44193c649bb7dc2 Mon Sep 17 00:00:00 2001 From: mboelen Date: Mon, 7 Sep 2015 21:07:47 +0200 Subject: [PATCH 089/122] Updated log of changes --- CHANGELOG | 62 ++++++++++++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 61 insertions(+), 1 deletion(-) diff --git a/CHANGELOG b/CHANGELOG index db90546e..38073ef6 100644 --- a/CHANGELOG +++ b/CHANGELOG 
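Review bot: In the include/tests_webservers hunk, the added `cat ${NGINX_CONF_LOCATION} | sed ... >> ${TMPFILE}` appends to the temp file unconditionally, while the line just above only touches the file when `${TMPFILE}` is non-empty; with an empty TMPFILE the redirect fails, and with a non-empty one the file that was just removed is recreated by the shell with the current umask instead of by whatever created it originally (presumably a mktemp call earlier in this test, outside the hunk). Guarding the append the same way, `if [ ! "${TMPFILE}" = "" ]; then ... >> ${TMPFILE}; fi`, or truncating the existing file with `: > ${TMPFILE}` instead of removing and recreating it, keeps the temp-file handling consistent. The pipeline can also read the config directly, `sed -e 's/^[ \t]*//' ${NGINX_CONF_LOCATION} | grep -v "^#" ...`, rather than going through cat. The enclosing test body starts and ends outside the hunk.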
@@ -17,6 +17,67 @@ ================================================================================ + = Lynis 2.1.2 = + + This is an major release, which includes both new features and enhancements to existing tests. + + * Operating systems + Improved support for Debian 8 + Don't show boot loader exception when a subset of tests is performed + + * Screen output + Improved output for tests which before showed results as a warning, while actually are just suggestions + + * Virtual machines + Detection of virtual machines extended with vmtoolsd detection + + * Mount points + FILE-6374 is expanded to test for multiple common mount points and define best practice mount flags. + + * Docker + Properly detect Docker on CoreOS systems, where it before gave error as it found directory /usr/libexec/docker + + * UEFI and Secure Boot + Initial support to test UEFI settings, including Secure Boot option + Options boot_uefi_booted and boot_uefi_booted_secure added to report file + + * Authentication + Depending on the operating system, Lynis now tries to determine if failed logins are properly logged. This includes + checking for /etc/login.defs [AUTH-9408] + + report option: auth_failed_logins_logged + **** ^ NEEDS more tests ################################### + + * DNS and Name services + Support added for Unbound DNS caching tool [NAME-4034] + Configuration check for Unbound [NAME-4036] + Record if a name caching utility is being used like nscd or Unbound. 
Also logging to report as field name_cache_used + + * Firewalls + IPFW firewall on FreeBSD test improved + + * Individual tests + BOOT-5180 now only gets executed if runlevel 2 is found + AUTH-9328 show correct message when no umask is found in /etc/profile, including correct logging entries + AUTH-9204 now excludes NIS entries to avoid false positives + TIME-3104 Only shows suggestion now on FreeBSD if ntpdate is configured, yet ntpd isn't running + FILE-6410 Added /var/lib/locatedb as search path + + Don't wait when using pentest mode in quick mode + Data uploads: provide help when self-signed certificates are used + + + + 8888888888888888888888888 + implement base64 + 8888888888888888888888888 + + + * Plugins + --------- + [PLGN-2804] Limit report output of EXT file systems to 1 item per line + + -------------------------------------------------------------- = Lynis 2.1.1 (2015-07-22) = @@ -91,7 +152,6 @@ * Plugins --------- - [PLGN-2602] Disabled by default, as it may be too slow for some machines [PLGN-3002] Extended with /sbin/nologin From 1a12d82ed6d71029b2bdb6fa7fa40d2c4d2751dc Mon Sep 17 00:00:00 2001 From: mboelen Date: Mon, 7 Sep 2015 21:11:51 +0200 Subject: [PATCH 090/122] Removed last newline --- CHANGELOG | 1 - db/fileperms.db | 1 - db/hints.db | 2 +- db/integrity.db | 2 +- db/malware-susp.db | 2 +- db/malware.db | 2 +- db/sbl.db | 2 +- default.prf | 2 +- 8 files changed, 6 insertions(+), 8 deletions(-) diff --git a/CHANGELOG b/CHANGELOG index 7d15b294..f53d4435 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -1898,4 +1898,3 @@ ================================================================================ Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com - diff --git a/db/fileperms.db b/db/fileperms.db index 327db5ea..1abba213 100644 --- a/db/fileperms.db +++ b/db/fileperms.db 
@@ -16,4 +16,3 @@ file:/etc/group:644:root:root:Linux: file:/etc/gshadow:400:root:root:Linux: file:/etc/passwd:644:root:root:Linux: file:/etc/shadow:400:root:root:Linux: - diff --git a/db/hints.db b/db/hints.db index 18a7c680..1504cb30 100644 --- a/db/hints.db +++ b/db/hints.db @@ -1,2 +1,2 @@ #version=20091015 -100:Did you know? Lynis has a --cronjob option for optimized output while running on scheduled times.: +100:Did you know? Lynis has a --cronjob option for optimized output while running on scheduled times.: \ No newline at end of file diff --git a/db/integrity.db b/db/integrity.db index 421d8196..4a2ebbaf 100644 --- a/db/integrity.db +++ b/db/integrity.db @@ -1,3 +1,3 @@ #version=2008062800 #binary:string:|NOT: -ifconfig:PROMISC:: +ifconfig:PROMISC:: \ No newline at end of file diff --git a/db/malware-susp.db b/db/malware-susp.db index 6c0c982f..5c6ace24 100644 --- a/db/malware-susp.db +++ b/db/malware-susp.db @@ -1,4 +1,4 @@ #version=2009101500 vuln.txt::: crack*::: -exploit*::: +exploit*::: \ No newline at end of file diff --git a/db/malware.db b/db/malware.db index 28ffcb28..7844f1f3 100644 --- a/db/malware.db +++ b/db/malware.db @@ -41,4 +41,4 @@ /tmp/.b:::Slapper::: /usr/man/.sman/sk:::Superkit::: /usr/lib/.tbd:::TBD::: -/sbin/.login:::Login backdoor::: +/sbin/.login:::Login backdoor::: \ No newline at end of file diff --git a/db/sbl.db b/db/sbl.db index d493e510..323303b4 100644 --- a/db/sbl.db +++ b/db/sbl.db @@ -1,2 +1,2 @@ #version=2008052800 -php:5.2.5 +php:5.2.5 \ No newline at end of file diff --git a/default.prf b/default.prf index 3a51832a..ab167e45 100644 --- a/default.prf +++ b/default.prf @@ -362,4 +362,4 @@ permdir:/root/.ssh:rwx------:root:-:WARN: #config:group:[group name]: #config:group:test: -#EOF +#EOF \ No newline at end of file From 1316fdf38bc498bb3918e6bce782ea7354c5a5e6 Mon Sep 17 00:00:00 2001 
From: mboelen Date: Mon, 7 Sep 2015 21:13:12 +0200 Subject: [PATCH 091/122] Changed identation for GRUB2 test --- include/tests_boot_services | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/tests_boot_services b/include/tests_boot_services index b913e04b..40f97dce 100644 --- a/include/tests_boot_services +++ b/include/tests_boot_services @@ -200,7 +200,7 @@ BOOT_LOADER="GRUB2" BOOT_LOADER_FOUND=1 GRUB_VERSION=2 - Display --indent 4 --text "- Checking presence GRUB2" --result FOUND --color GREEN + Display --indent 2 --text "- Checking presence GRUB2" --result FOUND --color GREEN if [ -f /boot/grub/grub.cfg ]; then GRUBCONFFILE="/boot/grub/grub.cfg" elif [ -f /boot/grub2/grub.cfg ]; then From 2d72fe18d3e4f1a7137865c118e9d103699c929c Mon Sep 17 00:00:00 2001 From: Alexander Lobodzinski Date: Tue, 8 Sep 2015 14:19:11 +0200 Subject: [PATCH 092/122] Detect automation with Cfengine 3 --- include/tests_tooling | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/include/tests_tooling b/include/tests_tooling index 302a28d9..a8797263 100644 --- a/include/tests_tooling +++ b/include/tests_tooling @@ -20,6 +20,8 @@ PUPPET_MASTER_RUNNING=0 SALT_MASTER_RUNNING=0 SALT_MINION_RUNNING=0 + CF3_MASTER_RUNNING=0 + CF3_MINION_RUNNING=0 # ################################################################################# # 
@@ -44,6 +46,24 @@ AUTOMATION_TOOL_FOUND=1 Display --indent 4 --text "Found: Cfengine (cfagent)" --result FOUND --color GREEN fi + # Cfengine 3 + CF3_LOCATIONS="/var/cfengine/bin" + for I in ${CF3_LOCATIONS}; do + if [ -d ${I} ]; then + if [ -e ${I}/cf-agent ]; then + logtext "Result: found Cfengine3 agent (cf-agent) in ${I}" + AUTOMATION_TOOL_FOUND=1 + Display --indent 4 --text "Found: Cfengine (agent)" --result FOUND --color GREEN + fi + IsRunning "cf-server" + if [ ${RUNNING} -eq 1 ]; then + logtext "Result: found cfengine server" + CF3_MASTER_RUNNING=1 + report "automation_tool_running[]=cf-server" + Display --indent 4 --text "Found: Cfengine (server)" --result FOUND --color GREEN + fi + fi + done CHEF_LOCATIONS="/opt/chef/bin /opt/chef-server/sv /opt/chefdk/bin" for I in ${CHEF_LOCATIONS}; do From 66ff2a92292552219940857420b7cca830b126ce Mon Sep 17 00:00:00 2001 From: Alexander Lobodzinski Date: Tue, 8 Sep 2015 14:28:24 +0200 Subject: [PATCH 093/122] Fixed typos --- include/tests_tooling | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) diff --git a/include/tests_tooling b/include/tests_tooling index a8797263..3da4d60c 100644 --- a/include/tests_tooling +++ b/include/tests_tooling @@ -20,8 +20,8 @@ PUPPET_MASTER_RUNNING=0 SALT_MASTER_RUNNING=0 SALT_MINION_RUNNING=0 - CF3_MASTER_RUNNING=0 - CF3_MINION_RUNNING=0 + CF3_AGENT_FOUND=0 + CF3_SERVER_RUNNING=0 # ################################################################################# # 
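Review bot: `IsRunning "cf-server"` sits inside the `for I in ${CF3_LOCATIONS}` loop under `if [ -d ${I} ]`, so a running CFEngine 3 server is only detected when /var/cfengine/bin exists and the process check repeats once per listed directory; moving the `IsRunning` block after `done` makes the running-state check independent of the install path. The server daemon's binary is named cf-serverd, so whether the pattern "cf-server" matches depends on how IsRunning compares process names (defined outside this hunk) and is worth confirming; the value written by `report "automation_tool_running[]=cf-server"` should then name the daemon as it appears in the process list. The follow-up hunk in patch 093 renames the variables and display strings but keeps this loop structure, so the same point applies there.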
@@ -53,14 +53,15 @@ if [ -e ${I}/cf-agent ]; then logtext "Result: found Cfengine3 agent (cf-agent) in ${I}" AUTOMATION_TOOL_FOUND=1 - Display --indent 4 --text "Found: Cfengine (agent)" --result FOUND --color GREEN + CF3_AGENT_FOUND=1 + Display --indent 4 --text "Found: Cfengine (cf-agent)" --result FOUND --color GREEN fi IsRunning "cf-server" if [ ${RUNNING} -eq 1 ]; then - logtext "Result: found cfengine server" - CF3_MASTER_RUNNING=1 + logtext "Result: found Cfengine3 server" + CF3_SERVER_RUNNING=1 report "automation_tool_running[]=cf-server" - Display --indent 4 --text "Found: Cfengine (server)" --result FOUND --color GREEN + Display --indent 4 --text "Found: Cfengine (cf-server)" --result FOUND --color GREEN fi fi done @@ -137,6 +138,8 @@ # ################################################################################# # + report "cf3_server=${CF3_SERVER_RUNNING}" + report "cf3_agent=${CF3_AGENT_INSTALLED}" report "puppet_master=${PUPPET_MASTER_RUNNING}" report "salt_master=${SALT_MASTER_RUNNING}" report "salt_minion=${SALT_MINION_RUNNING}" From e9373b59b08711ee483b0b979671741f8dd8480f Mon Sep 17 00:00:00 2001 From: mboelen Date: Tue, 8 Sep 2015 14:49:42 +0200 Subject: [PATCH 094/122] Cleanup: Don't show pflogd status on screen, when pf is not available --- include/tests_firewalls | 1 - 1 file changed, 1 deletion(-) diff --git a/include/tests_firewalls b/include/tests_firewalls index 9f620faf..302fd733 100644 --- a/include/tests_firewalls +++ b/include/tests_firewalls @@ -185,7 +185,6 @@ PFLOGDFOUND=1 else logtext "Result: pflog daemon not found in process list" - Display --indent 4 --text "- Checking pflogd status" --result "NOT FOUND" --color YELLOW fi fi From 174172eeba5628455edf628bcd76515b09f869d2 Mon Sep 17 00:00:00 2001 
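Review bot: The `report "cf3_agent=${CF3_AGENT_INSTALLED}"` line added in the second hunk reads a variable that nothing in this series sets; the flag assigned in the first hunk is `CF3_AGENT_FOUND`, so the report entry is always written with an empty value. Change it to `report "cf3_agent=${CF3_AGENT_FOUND}"` so the report key and the detection flag agree. A later patch in this series replaces these report lines, so this only matters if commits are consumed one at a time.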
From: mboelen Date: Tue, 8 Sep 2015 14:59:25 +0200 Subject: [PATCH 095/122] Simplify: clarify if a particular set of module is not available, instead of showing cross --- include/report | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/include/report b/include/report index b211f0e1..00d10144 100644 --- a/include/report +++ b/include/report @@ -168,9 +168,10 @@ echo "" echo " ${SECTION}Lynis Modules${NORMAL}:" - echo " - Heuristics Check [${WHITE}NA${NORMAL}] - Security Audit [${GREEN}V${NORMAL}]" - if [ ${LYNIS_COMPLIANCE_TESTS} -eq 1 ]; then COMPLIANCE="${GREEN}V"; else COMPLIANCE="${RED}X"; fi - echo " - Compliance Tests [${COMPLIANCE}${NORMAL}] - Vulnerability Scan [${GREEN}V${NORMAL}]" + if [ ${LYNIS_COMPLIANCE_TESTS} -eq 1 ]; then COMPLIANCE="${GREEN}V"; else COMPLIANCE="${YELLOW}NA"; fi + echo " - Compliance Tests [${COMPLIANCE}${NORMAL}]" + echo " - Security Audit [${GREEN}V${NORMAL}]" + echo " - Vulnerability Scan [${GREEN}V${NORMAL}]" echo "" echo " ${SECTION}Files${NORMAL}:" echo " - Test and debug information : ${WHITE}${LOGFILE}${NORMAL}" From c47d00a37b036036f6111d35c2e3d5fec1813b4e Mon Sep 17 00:00:00 2001 From: mboelen Date: Tue, 8 Sep 2015 15:58:38 +0200 Subject: [PATCH 096/122] Added Alexander --- CONTRIBUTORS | 1 + 1 file changed, 1 insertion(+) diff --git a/CONTRIBUTORS b/CONTRIBUTORS index 0a7c2664..1a1e7a13 100644 --- a/CONTRIBUTORS +++ b/CONTRIBUTORS @@ -23,6 +23,7 @@ [+] Contributors ------------------------------------------ + Alexander Lobodzinski Brian Ginsbach C.J. Adams-Collier, US Charlie Heselton, US From 5f2ef483f649a39903e80e83dbb6dc1b25c5bb38 Mon Sep 17 00:00:00 2001 From: mboelen Date: Tue, 8 Sep 2015 16:02:41 +0200 Subject: [PATCH 097/122] Improved tests and logging for automation tools --- include/tests_tooling | 72 ++++++++++++++++++++++++------------------- 1 file changed, 40 insertions(+), 32 deletions(-) diff --git a/include/tests_tooling b/include/tests_tooling index 3da4d60c..0ae7f194 100644 
--- a/include/tests_tooling +++ b/include/tests_tooling @@ -16,12 +16,12 @@ # AUTOMATION_TOOL_FOUND=0 AUTOMATION_TOOL_RUNNING="" + CFENGINE_AGENT_FOUND=0 + CFENGINE_SERVER_RUNNING=0 BACKUP_AGENT_FOUND=0 PUPPET_MASTER_RUNNING=0 SALT_MASTER_RUNNING=0 SALT_MINION_RUNNING=0 - CF3_AGENT_FOUND=0 - CF3_SERVER_RUNNING=0 # ################################################################################# # 
@@ -42,36 +42,41 @@ # Cfengine if [ ! "${CFAGENTBINARY}" = "" ]; then - logtext "Result: Cfengine (cfagent) is installed (${CFAGENTBINARY})" + logtext "Result: CFEngine (cfagent) is installed (${CFAGENTBINARY})" AUTOMATION_TOOL_FOUND=1 + CFENGINE_AGENT_FOUND=1 + report "automation_tool_running[]=cf-agent" Display --indent 4 --text "Found: Cfengine (cfagent)" --result FOUND --color GREEN fi - # Cfengine 3 - CF3_LOCATIONS="/var/cfengine/bin" - for I in ${CF3_LOCATIONS}; do + OTHER_CFENGINE_LOCATIONS="/var/cfengine/bin" + for I in ${OTHER_CFENGINE_LOCATIONS}; do if [ -d ${I} ]; then - if [ -e ${I}/cf-agent ]; then - logtext "Result: found Cfengine3 agent (cf-agent) in ${I}" - AUTOMATION_TOOL_FOUND=1 - CF3_AGENT_FOUND=1 - Display --indent 4 --text "Found: Cfengine (cf-agent)" --result FOUND --color GREEN - fi - IsRunning "cf-server" - if [ ${RUNNING} -eq 1 ]; then - logtext "Result: found Cfengine3 server" - CF3_SERVER_RUNNING=1 - report "automation_tool_running[]=cf-server" - Display --indent 4 --text "Found: Cfengine (cf-server)" --result FOUND --color GREEN - fi + if [ -f ${I}/cf-agent ]; then + logtext "Result: found CFEngine agent (cf-agent) in ${I}" + AUTOMATION_TOOL_FOUND=1 + CFENGINE_AGENT_FOUND=1 + report "automation_tool_running[]=cf-agent" + Display --indent 4 --text "Found: CFEngine (cf-agent)" --result FOUND --color GREEN + fi + IsRunning "cf-server" + if [ ${RUNNING} -eq 1 ]; then + logtext "Result: found CFEngine server" + AUTOMATION_TOOL_FOUND=1 + CFENGINE_SERVER_RUNNING=1 + report "automation_tool_running[]=cf-server" + Display --indent 4 --text "Found: CFEngine (cf-server)" --result FOUND --color GREEN + fi fi done + # Chef CHEF_LOCATIONS="/opt/chef/bin /opt/chef-server/sv /opt/chefdk/bin" for I in ${CHEF_LOCATIONS}; do if [ -d ${I} ]; then if [ -f ${I}/chef-client ]; then CHEFCLIENTBINARY="${I}/chef-client" AUTOMATION_TOOL_FOUND=1 + report "automation_tool_running[]=chef-client" Display --indent 4 --text "Found: Chef client (chef-client)" --result 
FOUND --color GREEN logtext "Result: found chef-client (chef client daemon) in ${I}" fi @@ -79,6 +84,7 @@ CHEFSERVERBINARY="${I}/erchef" logtext "Result: Chef Server (erchef) is installed (${CHEFSERVERBINARY})" AUTOMATION_TOOL_FOUND=1 + report "automation_tool_running[]=chef-server" Display --indent 4 --text "Found: Chef Server (erchef)" --result FOUND --color GREEN logtext "Result: found erchef (chef server daemon) in ${I}" fi @@ -89,13 +95,14 @@ if [ ! "${PUPPETBINARY}" = "" ]; then logtext "Result: Puppet is installed (${PUPPETBINARY})" AUTOMATION_TOOL_FOUND=1 + report "automation_tool_running[]=puppet-agent" Display --indent 4 --text "Found: Puppet (agent)" --result FOUND --color GREEN fi IsRunning "puppet master" if [ ${RUNNING} -eq 1 ]; then logtext "Result: found puppet master" PUPPET_MASTER_RUNNING=1 - report "automation_tool_running[]=puppet" + report "automation_tool_running[]=puppet-master" Display --indent 4 --text "Found: Puppet (master)" --result FOUND --color GREEN fi 
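Review bot: The `report "automation_tool_running[]=cf-agent"` lines added in the CFEngine block are emitted on the mere presence of a binary (`[ ! "${CFAGENTBINARY}" = "" ]`, `[ -f ${I}/cf-agent ]`) with no `IsRunning` check, so the `automation_tool_running[]` key no longer means what its name says; the same applies to the `chef-client`, `chef-server` and `puppet-agent` entries added in the next two hunks of this file. Anything consuming the report file to decide whether a configuration-management agent is actively enforcing state will get false positives on hosts where the tool is only installed. Either record presence under a distinct key, for example `report "automation_tool_present[]=cf-agent"`, or gate the existing key on `IsRunning "cf-agent"` the way the `cf-server` branch already does.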
@@ -104,19 +111,24 @@ logtext "Result: SaltStack (salt-minion) is installed (${SALTMINIONBINARY})" AUTOMATION_TOOL_FOUND=1 SALT_MINION_RUNNING=1 + report "automation_tool_running[]=saltstack-minion" Display --indent 4 --text "Found: SaltStack minion (salt-minion)" --result FOUND --color GREEN fi if [ ! "${SALTMASTERBINARY}" = "" ]; then logtext "Result: SaltStack (salt-master) is installed (${SALTMASTERBINARY})" AUTOMATION_TOOL_FOUND=1 - Display --indent 4 --text "Found: SaltStack master (salt-master)" --result FOUND --color GREEN - fi - IsRunning "salt-master" - if [ ${RUNNING} -eq 1 ]; then - logtext "Result: found SaltStack (master)" SALT_MASTER_RUNNING=1 - report "automation_tool_running[]=saltstack-master" - Display --indent 4 --text "Found: SaltStack (master)" --result FOUND --color GREEN + report "automation_tool_running[]=saltstack-minion" + Display --indent 4 --text "Found: SaltStack master (salt-master)" --result FOUND --color GREEN + else + IsRunning "salt-master" + if [ ${RUNNING} -eq 1 ]; then + logtext "Result: found SaltStack (master)" + AUTOMATION_TOOL_FOUND=1 + SALT_MASTER_RUNNING=1 + report "automation_tool_running[]=saltstack-master" + Display --indent 4 --text "Found: SaltStack (master)" --result FOUND --color GREEN + fi fi if [ ${AUTOMATION_TOOL_FOUND} -eq 1 ]; then @@ -138,11 +150,7 @@ # ################################################################################# # - report "cf3_server=${CF3_SERVER_RUNNING}" - report "cf3_agent=${CF3_AGENT_INSTALLED}" - report "puppet_master=${PUPPET_MASTER_RUNNING}" - report "salt_master=${SALT_MASTER_RUNNING}" - report "salt_minion=${SALT_MINION_RUNNING}" + report "automation_tool_present=${AUTOMATION_TOOL_FOUND}" wait_for_keypress From 090bb2d4ebbcc3e932872dc8165076c0a1083e66 Mon Sep 17 00:00:00 2001 
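Review bot: In the SaltStack master branch of the first hunk, the report line added next to `SALT_MASTER_RUNNING=1` is `report "automation_tool_running[]=saltstack-minion"`, a copy of the minion line; it should read `report "automation_tool_running[]=saltstack-master"`. The restructuring also moves `IsRunning "salt-master"` into the `else` branch, so the process check now runs only when the salt-master binary was not found, while a host that merely has the binary installed is marked `SALT_MASTER_RUNNING=1` without any process check. Keeping the `IsRunning` test after the binary test unconditionally, and setting `SALT_MASTER_RUNNING=1` only inside the `IsRunning` branch, keeps the report key truthful.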
From: mboelen Date: Wed, 9 Sep 2015 20:24:48 +0200 Subject: [PATCH 098/122] Extended virtualization tests and logging --- include/functions | 108 +++++++++++++++++++++++++++++++++++++--------- 1 file changed, 87 insertions(+), 21 deletions(-) diff --git a/include/functions b/include/functions index 2e610fe2..efa088f5 100644 --- a/include/functions +++ b/include/functions 
@@ -592,41 +592,92 @@ SHORT="" # facter - if [ -x /usr/bin/facter ]; then - case "`facter is_virtual`" in - "true") - VMTYPE=`facter virtual` - logtext "Result: found virtual machine (type: ${VMTYPE})" - report "vm=1" - report "vmtype=${VMTYPE}" - return ;; - "false") return ;; - esac + if [ "${SHORT}" = "" ]; then + if [ -x /usr/bin/facter ]; then + case "`facter is_virtual`" in + "true") + SHORT=`facter virtual` + logtext "Result: found ${SHORT}" + ;; + "false") + logtext "Result: facter says this machine is not a virtual" + ;; + esac + else + logtext "Result: facter utility not found" + fi + else + logtext "Result: skipped facter test, as we already found machine type" fi # systemd - if [ "${SHORT}" = "" -a -x /usr/bin/systemd-detect-virt ]; then - logtext "Test: trying to guess virtualization technology with systemd-detect-virt" - FIND=`/usr/bin/systemd-detect-virt` - if [ ! "${FIND}" = "" ]; then - SHORT="${FIND}" + if [ "${SHORT}" = "" ]; then + if [ -x /usr/bin/systemd-detect-virt ]; then + logtext "Test: trying to guess virtualization technology with systemd-detect-virt" + FIND=`/usr/bin/systemd-detect-virt` + if [ ! "${FIND}" = "" ]; then + logtext "Result: found ${FIND}" + SHORT="${FIND}" + fi + else + logtext "Result: systemd-detect-virt not found" fi + else + logtext "Result: skipped systemd test, as we already found machine type" + fi + + # lscpu + # Values: VMware + if [ "${SHORT}" = "" ]; then + if [ -x /usr/bin/lscpu ]; then + logtext "Test: trying to guess virtualization with lscpu" + FIND=`lscpu | grep "^Hypervisor Vendor" | awk -F: '{ print $2 }' | sed 's/ //g'` + if [ ! 
"${FIND}" = "" ]; then + logtext "Result: found ${FIND}" + SHORT="${FIND}" + else + logtext "Result: can't find hypervisor vendor with lscpu" + fi + else + logtext "Result: lscpu not found" + fi + else + logtext "Result: skipped lscpu test, as we already found machine type" fi # dmidecode # Values: VMware Virtual Platform / VirtualBox if [ "${SHORT}" = "" ]; then - logtext "Test: trying to guess virtualization with dmidecode" if [ -x /usr/sbin/dmidecode ]; then - SHORT=`dmidecode -s system-product-name | awk '{ print $1 }'` + logtext "Test: trying to guess virtualization with dmidecode" + FIND=`dmidecode -s system-product-name | awk '{ print $1 }'` + if [ ! "${FIND}" = "" ]; then + logtext "Result: found ${FIND}" + SHORT="${FIND}" + else + logtext "Result: can't find product name with dmidecode" + fi + else + logtext "Result: dmidecode not found" fi + else + logtext "Result: skipped dmidecode test, as we already found machine type" fi # lshw if [ "${SHORT}" = "" ]; then if [ -x /usr/bin/lshw ]; then - SHORT=`lshw -quiet -class system | awk '{ if ($1=="product:") { print $2 }}'` + logtext "Test: trying to guess virtualization with lshw" + FIND=`lshw -quiet -class system | awk '{ if ($1=="product:") { print $2 }}'` + if [ ! "${FIND}" = "" ]; then + logtext "Result: found ${FIND}" + SHORT="${FIND}" + fi + else + logtext "Result: lshw not found" fi + else + logtext "Result: skipped lshw test, as we already found machine type" fi # Try common guest processes 
@@ -644,12 +695,20 @@ if [ ${RUNNING} -eq 1 ]; then SHORT="virtualbox"; fi IsRunning VBoxClient if [ ${RUNNING} -eq 1 ]; then SHORT="virtualbox"; fi + else + logtext "Result: skipped processes test, as we already found platform" fi # Amazon EC2 if [ "${SHORT}" = "" ]; then logtext "Test: checking specific files for Amazon" - if [ -f /etc/ec2_version -a ! -z /etc/ec2_version ]; then SHORT="amazon-ec2"; fi + if [ -f /etc/ec2_version -a ! -z /etc/ec2_version ]; then + SHORT="amazon-ec2" + else + logtext "Result: system not hosted on Amazon" + fi + else + logtext "Result: skipped Amazon EC2 test, as we already found platform" fi # sysctl values @@ -658,7 +717,12 @@ # NetBSD: machdep.dmi.system-product # OpenBSD: hw.product - SHORT=`sysctl -a 2> /dev/null | egrep "(hw.product|machdep.dmi.system-product)" | head -1 | sed 's/ = /=/' | awk -F= '{ print $2 }'` + FIND=`sysctl -a 2> /dev/null | egrep "(hw.product|machdep.dmi.system-product)" | head -1 | sed 's/ = /=/' | awk -F= '{ print $2 }'` + if [ ! "${FIND}" = "" ]; then + SHORT="${FIND}" + fi + else + logtext "Result: skipped sysctl test, as we already found platform" fi # Check if we catched some string along all tests @@ -691,9 +755,11 @@ logtext "Result: found virtual machine (type: ${VMTYPE}, ${VMFULLTYPE})" report "vm=1" report "vmtype=${VMTYPE}" - elif [ ${ISVIRTUALMACHINE} -eq 2 ]; then + elif [ ${ISVIRTUALMACHINE} -eq 2 ]; then logtext "Result: unknown if this system is a virtual machine" report "vm=2" + else + logtext "Result: system seems to be non-virtual" fi } From 8142a221015ee28f59393aa4df74040825cb6feb Mon Sep 17 00:00:00 2001 From: mboelen Date: Wed, 9 Sep 2015 20:25:23 +0200 Subject: [PATCH 099/122] Updated timestamp of build --- lynis | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lynis b/lynis index 575e2e06..8cbcb38a 100755 --- a/lynis +++ b/lynis 
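Review bot: The Amazon EC2 test rewritten in the first hunk keeps `[ -f /etc/ec2_version -a ! -z /etc/ec2_version ]`; `-z` tests whether a string is empty, and the literal path never is, so `! -z` is always true and the condition collapses to the `-f` test. The apparent intent is a non-empty-file check, `if [ -f /etc/ec2_version -a -s /etc/ec2_version ]; then`. The enclosing function starts before this hunk.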
@@ -23,7 +23,7 @@ # Program information PROGRAM_name="Lynis" PROGRAM_version="2.1.2" - PROGRAM_releasedate="20 August 2015" + PROGRAM_releasedate="9 September 2015" PROGRAM_author="Michael Boelen, CISOfy" PROGRAM_author_contact="lynis-dev@cisofy.com" PROGRAM_website="https://cisofy.com" From 7f4ee7ba5650cfb5345d7a45fc4d533add6448bf Mon Sep 17 00:00:00 2001 From: mboelen Date: Thu, 10 Sep 2015 08:35:09 +0200 Subject: [PATCH 100/122] Added ExitCustom function and notes for virtualization --- include/functions | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/include/functions b/include/functions index efa088f5..39e63826 100644 --- a/include/functions +++ b/include/functions @@ -28,6 +28,7 @@ # DirectoryExists Check if a directory exists on the disk # Display Output text to screen with colors and identation # ExitClean Stop the program (cleanly), with exit code 0 +# ExitCustom Stop the program (cleanly), with custom exit code # ExitFatal Stop the program (cleanly), with exit code 1 # FileExists Check if a file exists on the disk # FileIsEmpty Check if a file is empty @@ -250,6 +251,18 @@ exit 0 } + # Clean exit with custom code + ExitCustom() + { + RemovePIDFile + # Exit with the exit code given, otherwise use 1 + if [ $# -eq 1 ]; then + exit $1 + else + exit 1 + fi + } + # Clean exit (removing temp files, PID files), with error code 1 ExitFatal() { @@ -680,6 +693,10 @@ logtext "Result: skipped lshw test, as we already found machine type" fi + # Other options + # SaltStack: salt-call grains.get virtual + # < needs snippet > + # Try common guest processes if [ "${SHORT}" = "" ]; then logtext "Test: trying to guess virtual machine type by running processes" 
@@ -715,6 +732,7 @@ if [ "${SHORT}" = "" ]; then logtext "Test: trying to guess virtual machine type by sysctl keys" + # FreeBSD: hw.hv_vendor (remains empty for VirtualBox) # NetBSD: machdep.dmi.system-product # OpenBSD: hw.product FIND=`sysctl -a 2> /dev/null | egrep "(hw.product|machdep.dmi.system-product)" | head -1 | sed 's/ = /=/' | awk -F= '{ print $2 }'` From a8972b7b7fc993a5e422125f9e27b53a004e231e Mon Sep 17 00:00:00 2001 From: mboelen Date: Thu, 10 Sep 2015 08:35:40 +0200 Subject: [PATCH 101/122] Changed exit codes when using incorrect parameters --- include/parameters | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/include/parameters b/include/parameters index aadc6700..b4501f6a 100644 --- a/include/parameters +++ b/include/parameters @@ -169,11 +169,11 @@ LASTCHAR=`echo $1 | awk '{ print substr($0, length($0))}'` if [ "${LASTCHAR}" = "/" ]; then echo "${RED}Error:${WHITE} plugin directory path should not end with a slash${NORMAL}" - ExitFatal + ExitCustom 65 fi if [ ! -d ${PLUGINDIR} ]; then echo "${RED}Error:${WHITE} invalid plugin directory ${PLUGINDIR}${NORMAL}" - ExitFatal + ExitCustom 66 fi ;; From b6c0736d6e4676412a78a5de7371337eb72eb4a0 Mon Sep 17 00:00:00 2001 From: mboelen Date: Thu, 10 Sep 2015 08:35:57 +0200 Subject: [PATCH 102/122] Added counters for suggestions and warnings --- include/consts | 2 ++ 1 file changed, 2 insertions(+) diff --git a/include/consts b/include/consts index aa884190..22c8c294 100644 --- a/include/consts +++ b/include/consts @@ -116,6 +116,8 @@ unset LANG TEST_SKIP_ALWAYS="" TESTS_EXECUTED="" TESTS_SKIPPED="" + TOTAL_SUGGESTIONS=0 + TOTAL_WARNINGS=0 TRIPWIREBINARY="" UEFI_BOOTED=0 UEFI_BOOTED_SECURE=0 From e7adeb8a6bfef3f276ab90e0c93ddbe38b82d687 Mon Sep 17 00:00:00 2001 From: mboelen Date: Thu, 10 Sep 2015 08:36:26 +0200 Subject: [PATCH 103/122] Changed exit codes for specific events --- lynis | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/lynis b/lynis index 8cbcb38a..9fa9e08b 100755 --- a/lynis +++ b/lynis @@ -276,7 +276,7 @@ if [ "${PROFILE}" = "" ]; then echo "${RED}Fatal error: ${WHITE}No profile defined and could not find default profile${NORMAL}" echo "Search paths used --> ${tPROFILE_TARGETS}" - ExitFatal + ExitCustom 66 fi # Initialize and check profile file, auditor name, log file and report file if [ ! -r ${PROFILE} ]; then echo "Fatal error: Can't open profile file (${PROFILE})"; exit 1; fi @@ -389,7 +389,7 @@ # Cleanup PID file if we drop out earlier RemovePIDFile # Exit with exit code 1 - exit 1 + exit 64 fi # ################################################################################# From 7feb7e9a6cf11feb00c78369697f8bc066a71d52 Mon Sep 17 00:00:00 2001 From: mboelen Date: Thu, 10 Sep 2015 09:18:03 +0200 Subject: [PATCH 104/122] Show amount of suggestions and warnings --- include/report | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/include/report b/include/report index 00d10144..ff24cc44 100644 --- a/include/report +++ b/include/report @@ -106,7 +106,7 @@ if [ "${SWARNINGS}" = "" ]; then echo " ${OK}No warnings${NORMAL}"; echo "" else - echo " ${WARNING}Warnings${NORMAL}:" + echo " ${WARNING}Warnings${NORMAL} (${TOTAL_WARNINGS}):" echo " ${WHITE}----------------------------${NORMAL}" for WARNING in ${SWARNINGS}; do SHOWWARNING=`echo ${WARNING} | sed 's/!space!/ /g' | sed 's/^\[\(.*\)\] Warning: //'` @@ -128,7 +128,7 @@ if [ "${SSUGGESTIONS}" = "" ]; then echo " ${OK}No suggestions${NORMAL}"; echo "" else - echo " ${YELLOW}Suggestions${NORMAL}:" + echo " ${YELLOW}Suggestions${NORMAL} (${TOTAL_SUGGESTIONS}):" echo " ${WHITE}----------------------------${NORMAL}" for SUGGESTION in ${SSUGGESTIONS}; do SHOWSUGGESTION=`echo ${SUGGESTION} | sed 's/!space!/ /g' | sed 's/^\[\(.*\)\] Suggestion: //'` From 0db8eca467b7f70dbe3c23d48e6741ec44d39049 Mon Sep 17 00:00:00 2001 
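Review bot: In the second hunk of the lynis file the comment `# Exit with exit code 1` is left above the line that now reads `exit 64`, so the comment contradicts the code and the exit-code mapping documented later in this series. Update it to `# Exit with code 64: unknown or incomplete parameter` so the meaning is visible at the exit site. This file now exits with several distinct codes (64, 66, 78), and a short comment block near the top listing them would help callers that branch on `$?`.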
From: mboelen Date: Thu, 10 Sep 2015 09:18:20 +0200 Subject: [PATCH 105/122] Count total amount of suggestions and warnings --- include/functions | 2 ++ 1 file changed, 2 insertions(+) diff --git a/include/functions b/include/functions index 39e63826..dac54cc2 100644 --- a/include/functions +++ b/include/functions @@ -1239,6 +1239,7 @@ # Log suggestions to report file ReportSuggestion() { + TOTAL_SUGGESTIONS=`expr ${TOTAL_SUGGESTIONS} + 1` # 2 parameters # report "suggestion[]=$1|$2|" @@ -1248,6 +1249,7 @@ # Log warning to report file ReportWarning() { + TOTAL_WARNINGS=`expr ${TOTAL_WARNINGS} + 1` # 3 parameters # if [ "$2" = "L" -o "$2" = "M" -o "$2" = "H" ]; then From 04b2a900c174d95e0e8144a6b96d7602230395e3 Mon Sep 17 00:00:00 2001 From: mboelen Date: Thu, 10 Sep 2015 09:18:41 +0200 Subject: [PATCH 106/122] Exit with code 78 when warnings were found --- lynis | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/lynis b/lynis index 9fa9e08b..99dfb04b 100755 --- a/lynis +++ b/lynis @@ -836,7 +836,11 @@ logtext "================================================================================" # Clean exit (Delete PID file) - ExitClean + if [ ${TOTAL_WARNINGS} -gt 0 ]; then + ExitCustom 78 + else + ExitClean + fi # The End From 02d735c4e16c0d91fe9a04dcb55c8f18b3983c7d Mon Sep 17 00:00:00 2001 From: mboelen Date: Thu, 10 Sep 2015 09:31:55 +0200 Subject: [PATCH 107/122] Changed text, markup, added exit codes, and first time usage --- lynis.8 | 68 +++++++++++++++++++++++++++++++++++++-------------------- 1 file changed, 44 insertions(+), 24 deletions(-) diff --git a/lynis.8 b/lynis.8 index 8de5135f..742354a8 100644 --- a/lynis.8 +++ b/lynis.8 
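Review bot: The counters added at the top of `ReportSuggestion` and `ReportWarning` use `expr`, which forks a process on every call; POSIX shell arithmetic, `TOTAL_SUGGESTIONS=$((TOTAL_SUGGESTIONS + 1))` and `TOTAL_WARNINGS=$((TOTAL_WARNINGS + 1))`, does the same without a subprocess and is available in the `/bin/sh` targets this file is written for. Both functions continue past the hunk.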
@@ -1,17 +1,17 @@ -.TH Lynis 8 "30 April 2015" "1.18" "Unix System Administrator's Manual" +.TH Lynis 8 "10 September 2015" "1.19" "Unix System Administrator's Manual" .SH "NAME" \fB \fB \fB -Lynis \fP\- Run an system and security audit on the system +Lynis \fP\- System and security auditing tool \fB .SH "SYNOPSIS" .nf .fam C -\fBlynis\fP \-\-check-all(\-c) [other options] +\fBlynis\fP [scan mode] [other options] .fam T .fi .SH "DESCRIPTION" @@ -33,6 +33,17 @@ The following system areas may be checked: \- Files part of software packages .IP \- Directories and files related to logging and auditing + +.SH "FIRST TIME USAGE" +When running \fBLynis\fP for the first time, run: lynis audit system --quick + +.SH "SCAN MODES" + +.IP audit system +Performs a system audit, which is the most common audit. + +For more scan modes, see the helper utilities. + .SH "OPTIONS" .TP @@ -43,7 +54,7 @@ quotes, like "Your Name". .B \-\-checkall (or \-c) \fBLynis\fP performs a full check of the system, printing out the results of each test to stdout. Additional information will be saved into a log file -(default is /var/log/lynis.log). +(default is /var/log/lynis.log). This option invokes scan mode "audit system". .IP In case the outcome of a scan needs to be automated, use the report file. .TP 
@@ -111,33 +122,42 @@ with others. When running Lynis without any parameters, help will be shown and the program will exit. .RE .PP - .SH "HELPERS" Lynis has special helpers to do certain tasks. This way the framework of Lynis is used, while at the same time storing most of the functionality in a separated file. This speeds up execution and keeps the code clean. -.TP + .B audit Run audit on the system or on other targets -.TP + .B update Run updater utility -.TP -To use a helper, run Lynis followed by the helper name -.RE -.PP -.SH "BUGS" -Discovered a bug? Please report them via GitHub: https://github.com/CISOfy/lynis -.RE -.PP -.SH "Documentation" -Supporting documentation can be found via https://cisofy.com/documentation/lynis/ -.RE -.PP -.SH "LICENSING" -Lynis is licensed as GPL v3, written by Michael Boelen and supported by CISOfy. Plugins may have their own license. -.RE -.PP -.SH "CONTACT INFORMATION" +To use a helper, run Lynis followed by the helper name. + +.SH "EXIT CODES" +Lynis uses exit codes to signal any invoking script. Currently the following codes are used: +.IP 0 +Program exited normally, nothing found +.IP 1 +Fatal error +.IP 64 +An unknown parameter is used, or incomplete +.IP 65 +Incorrect data encountered +.IP 66 +Can't open file or directory +.IP 78 +Lynis found 1 or more warnings or configurations errors + +.SH "BUGS" +Bugs can be reported via GitHub at https://github.com/CISOfy/lynis + +.SH "DOCUMENTATION" +Supporting documentation can be found via https://cisofy.com/documentation/lynis/ + +.SH "LICENSING" +Lynis is licensed as GPL v3, written by Michael Boelen. Development is supported by CISOfy. Plugins may have their own license. + +.SH "CONTACT INFORMATION" Support requests and project related questions can be addressed via e-mail: lynis-dev@cisofy.com. From 28d9a49a5f2c6728d9f8da4f4e41bdf88c8c2d37 Mon Sep 17 00:00:00 2001 
From: mboelen Date: Thu, 10 Sep 2015 19:45:12 +0200 Subject: [PATCH 108/122] Renamed BINPATHS to BIN_PATHS --- include/binaries | 2 +- include/consts | 4 +++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/include/binaries b/include/binaries index 206f6b12..a27912e1 100644 --- a/include/binaries +++ b/include/binaries @@ -37,7 +37,7 @@ BINARY_PATHS_FOUND=""; N=0 Display --indent 2 --text "- Checking system binaries..." logtext "Status: Starting binary scan..." - for SCANDIR in ${BINPATHS}; do + for SCANDIR in ${BIN_PATHS}; do logtext "Test: Check if directory exists" ORGPATH="" if [ -d ${SCANDIR} ]; then diff --git a/include/consts b/include/consts index 22c8c294..e80baa64 100644 --- a/include/consts +++ b/include/consts @@ -19,12 +19,14 @@ # # Paths where system and program binaries are located -BINPATHS="/bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin \ +BIN_PATHS="/bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin \ /usr/local/libexec /usr/libexec /usr/sfw/bin /usr/sfw/sbin \ /usr/sfw/libexec /opt/sfw/bin /opt/sfw/sbin /opt/sfw/libexec \ /usr/xpg4/bin /usr/css/bin /usr/ucb /usr/X11R6/bin /usr/X11R7/bin \ /usr/pkg/bin /usr/pkg/sbin" +ETC_PATHS="/etc /usr/local/etc" + # Do not use specific language, fall back to default # Some tools with translated strings are very hard to parse unset LANG From b43bf179546c6465fbbd988ea16c55c8ed8a3831 Mon Sep 17 00:00:00 2001 From: mboelen Date: Thu, 10 Sep 2015 21:04:18 +0200 Subject: [PATCH 109/122] Remove tool tips section from report --- include/report | 10 ---------- 1 file changed, 10 deletions(-) diff --git a/include/report b/include/report index ff24cc44..91856958 100644 --- a/include/report +++ b/include/report 
@@ -224,16 +224,6 @@ echo "================================================================================" fi - if [ ${SHOW_TOOL_TIPS} -eq 1 ]; then - echo " Tip: Disable all tests which are not relevant or are too strict for the" - echo " purpose of this particular machine. This will remove unwanted suggestions" - echo " and also boost the hardening index. Each test should be properly analyzed" - echo " to see if the related risks can be accepted, before disabling the test." - echo "================================================================================" - fi - - - echo ""; echo "" fi From 81e0dfcb66152e8bbe35c7722cf4a61c12fb6748 Mon Sep 17 00:00:00 2001 From: mboelen Date: Thu, 10 Sep 2015 21:04:50 +0200 Subject: [PATCH 110/122] Add tool tips --- lynis | 3 +++ 1 file changed, 3 insertions(+) diff --git a/lynis b/lynis index 99dfb04b..1266b9dd 100755 --- a/lynis +++ b/lynis @@ -809,6 +809,9 @@ # Show report if [ -f ${INCLUDEDIR}/report ]; then SafePerms ${INCLUDEDIR}/report; . ${INCLUDEDIR}/report; fi + # Show tool tips + if [ -f ${INCLUDEDIR}/hints_tips ]; then SafePerms ${INCLUDEDIR}/hints_tips; . ${INCLUDEDIR}/hints_tips; fi + logtext "================================================================================" logtext "Tests performed: ${CTESTS_PERFORMED}" logtext "Total tests: ${TOTAL_TESTS}" From fa98d9bba299dbbb262a4d3b7bbbbd0d79aeab72 Mon Sep 17 00:00:00 2001 From: mboelen Date: Thu, 10 Sep 2015 21:05:04 +0200 Subject: [PATCH 111/122] Import of tool tips section --- include/tool_tips | 40 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 40 insertions(+) create mode 100644 include/tool_tips diff --git a/include/tool_tips b/include/tool_tips new file mode 100644 index 00000000..ee37fa94 --- /dev/null +++ b/include/tool_tips 
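Review bot: The new include line sources `${INCLUDEDIR}/hints_tips`, but the file introduced by the following patch in this series is `include/tool_tips`, so the `-f` guard is never satisfied and the tips section silently never runs. Either change this line to `if [ -f ${INCLUDEDIR}/tool_tips ]; then SafePerms ${INCLUDEDIR}/tool_tips; . ${INCLUDEDIR}/tool_tips; fi` or name the new file `hints_tips`. Since the preceding commit removed the tips from `include/report`, the mismatch makes the feature disappear rather than move.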
@@ -0,0 +1,40 @@ +#!/bin/sh + +################################################################################# +# +# Lynis +# ------------------ +# +# Copyright 2007-2015, Michael Boelen, CISOfy (michael.boelen@cisofy.com) +# Web site: https://cisofy.com +# +# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are +# welcome to redistribute it under the terms of the GNU General Public License. +# See LICENSE file for usage of this software. +# +################################################################################# +# +# Hints and Tips +# +################################################################################# +# + + # Only show tips when enabled + if [ ${SHOW_TOOL_TIPS} -eq 1 ]; then + + # Bash completion support + if [ ! "${ETC_PATHS}" = "" ]; then + for I in ${ETC_PATHS}; do + if [ -d ${I}/bash-completion.d ]; then + if [ ! -f ${ETC_PATHS}/bash_completion.d/lynis ]; then + Display "This system has a bash_completition directory. Copy extras/bash_completion.d/lynis to ${I} to get completion support for Lynis" + fi + fi + done + fi + fi + + +# +#================================================================================ +# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com From 0b9c6132c6958841880d4261144f78eca9f1e4f6 Mon Sep 17 00:00:00 2001 From: mboelen Date: Thu, 10 Sep 2015 21:06:40 +0200 Subject: [PATCH 112/122] Add test [SHLL-6230] to test for umask values in common shell configuration files --- include/tests_shells | 52 ++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 52 insertions(+) diff --git a/include/tests_shells b/include/tests_shells index 52550562..1f1cdc21 100644 --- a/include/tests_shells +++ b/include/tests_shells 
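Review bot: Inside the `for I in ${ETC_PATHS}` loop the inner test is `[ ! -f ${ETC_PATHS}/bash_completion.d/lynis ]`, which expands the whole space-separated path list instead of the current entry and also spells the directory with an underscore while the outer `-d` test uses `bash-completion.d`, so the file test never refers to the directory that was just found. It should be `if [ ! -f ${I}/bash_completion.d/lynis ]; then`, with the same spelling used in the `-d` test and in the copy instruction (which already uses the underscore form). The `Display` call is invoked with a bare string, whereas every other call in this series uses `Display --indent N --text "..."`, and `${SHOW_TOOL_TIPS}` is unquoted in the `-eq` test, so an unset value produces a test error rather than a skipped section.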
@@ -213,6 +213,58 @@
 fi
 #
 #################################################################################
+#
+ # Test : SHLL-6230
+ # Description : Check for umask values in shell configurations
+ SHELL_CONFIG_FILES="/etc/bashrc /etc/bash.bashrc /etc/csh.cshrc /etc/profile"
+ Register --test-no SHLL-6230 --weight H --network NO --description "Perform umask check for shell configurations"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ FOUND=0
+ HARDENING_POSSIBLE=0
+ Display --indent 2 --text "- Checking default umask values"
+ for FILE in ${SHELL_CONFIG_FILES}; do
+ FIND=""
+ if [ -f ${FILE} ]; then
+ logtext "Result: file ${FILE} exists"
+ FOUND=1
+ FIND=`grep umask ${FILE} | sed 's/^[ \t]*//g' | sed 's/#.*$//' | grep -v "^$" | awk '{ print $2 }'`
+ if [ "${FIND}" = "" ]; then
+ logtext "Result: did not find umask configured in ${FILE}"
+ Display --indent 4 --text "- Checking default umask in ${FILE}" --result NONE --color YELLOW
+ else
+ for UMASKVALUE in ${FIND}; do
+ logtext "Result: found umask ${UMASKVALUE} in ${FILE}"
+ case ${UMASKVALUE} in
+ 027|0027|077|0077)
+ logtext "Result: umask ${UMASKVALUE} is considered a properly hardened value"
+ ;;
+ *)
+ logtext "Result: umask ${UMASKVALUE} can be hardened "
+ HARDENING_POSSIBLE=1
+ ;;
+ esac
+ done
+ if [ ${HARDENING_POSSIBLE} -eq 0 ]; then
+ Display --indent 4 --text "- Checking default umask in ${FILE}" --result OK --color GREEN
+ AddHP 3 3
+ else
+ Display --indent 4 --text "- Checking default umask in ${FILE}" --result WEAK --color YELLOW
+ AddHP 1 3
+ fi
+ fi
+ else
+ logtext "Result: file ${FILE} not found"
+ fi
+ done
+ #if [ ${FOUND} -eq 1 ]; then
+ # if [ ${HARDENING_POSSIBLE} -eq 0 ]; then
+ # logtext "Result: all shell files found, contain a proper umask"
+ # Display --indent 4 --text "- Default umask" --result OK --color GREEN
+ # fi
+ #fi
+ fi
+#
+#################################################################################
 #
 # Test : SHLL-6290
 # Description : Check for Shellshock vulnerability
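Review bot: `HARDENING_POSSIBLE=0` is assigned once before the `for FILE` loop, so after the first file with a weak umask every later file is reported WEAK with `AddHP 1 3` even when its own umask is 027 or 077. Put the reset at the top of the loop body next to `FIND=""`, i.e. add `HARDENING_POSSIBLE=0` right after `FIND=""`, so the OK/WEAK result and the hardening points are per file as the Display text states. `grep umask ${FILE}` also matches any line containing the word, including `umask -S` or an `umask` inside a function body, and `awk '{ print $2 }'` then yields something other than a mode; filtering on `^umask` after the whitespace strip would tighten this. `FOUND` is assigned but only read in the commented-out block.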
From 21d305b68907c71d790785fd2a5581d0d6b6dfe9 Mon Sep 17 00:00:00 2001
From: mboelen
Date: Thu, 10 Sep 2015 21:07:06 +0200
Subject: [PATCH 113/122] Add support for testing umask value in /etc/login.conf like FreeBSD systems
---
 include/tests_authentication | 35 +++++++++++++++++++++++++++++++++++
 1 file changed, 35 insertions(+)
diff --git a/include/tests_authentication b/include/tests_authentication
index 5817263e..05d37114 100644
--- a/include/tests_authentication
+++ b/include/tests_authentication
@@ -945,6 +945,41 @@
 logtext "Result: file /etc/init.d/rc does not exist"
 fi
+ # FreeBSD
+ if [ -f /etc/login.conf ]; then
+ FOUND=0
+ WEAK_UMASK=0
+ logtext "Result: file /etc/login.conf exists"
+ FIND=`cat /etc/login.conf | grep "umask" | sed 's/#.*//' | sed -E 's/^[[:cntrl:]]//' | grep -v '^$' | awk -F: '{ print $2}' | awk -F= '{ if ($1=="umask") { print $2 }}'`
+ if [ ! "${FIND}" = "" ]; then
+ for UMASK_VALUE in ${FIND}; do
+ case VALUE in ${UMASK_VALUE}
+ 027|0027|077|0077)
+ logtext "Result: found umask value ${VALUE}, which is fine"
+ AddHP 2 2
+ FOUND=1
+ ;;
+ *)
+ AddHP 0 2
+ FOUND=1
+ WEAK_UMASK=1
+ logtext "Result: found umask value ${VALUE}, which can be more strict"
+ ;;
+ esac
+ done
+ fi
+ if [ ${FOUND} -eq 1 ]; then
+ if [ ${WEAK_UMASK} -eq 0 ]; then
+ Display --indent 4 --text "- Checking umask (/etc/login.conf)" --result OK --color GREEN
+ else
+ ReportSuggestion ${TEST_NO} "Umask in /etc/login.conf could be more strict like 027"
+ fi
+ else
+ logtext "Result: no umask setting found in /etc/login.conf, which is unexpected"
+ Display --indent 4 --text "- Checking umask (/etc/login.conf)" --result "NONE" --color YELLOW
+ fi
+ fi
+
 # /etc/init.d/rcS
 logtext "Test: Checking /etc/init.d/rcS"
 if [ -f /etc/init.d/rcS ]; then
From 7d0759297ee60245cd5e6126a3a47a889634148c Mon Sep 17 00:00:00 2001
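Review bot: Both `logtext` calls inside the `case` arms interpolate `${VALUE}`, which is never assigned; the loop variable is `UMASK_VALUE`, so the log will read "found umask value , which is fine" with the value missing. Change them to `logtext "Result: found umask value ${UMASK_VALUE}, which is fine"` and likewise for the "can be more strict" line; patch 114 below corrects the `case` line but leaves these two references untouched. `cat /etc/login.conf | grep "umask"` can simply be `grep "umask" /etc/login.conf`.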
From: mboelen
Date: Thu, 10 Sep 2015 21:42:30 +0200
Subject: [PATCH 114/122] Corrected case function
---
 include/tests_authentication | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/include/tests_authentication b/include/tests_authentication
index 05d37114..ae113f1b 100644
--- a/include/tests_authentication
+++ b/include/tests_authentication
@@ -953,7 +953,7 @@
 FIND=`cat /etc/login.conf | grep "umask" | sed 's/#.*//' | sed -E 's/^[[:cntrl:]]//' | grep -v '^$' | awk -F: '{ print $2}' | awk -F= '{ if ($1=="umask") { print $2 }}'`
 if [ ! "${FIND}" = "" ]; then
 for UMASK_VALUE in ${FIND}; do
- case VALUE in ${UMASK_VALUE}
+ case ${UMASK_VALUE} in
 027|0027|077|0077)
 logtext "Result: found umask value ${VALUE}, which is fine"
 AddHP 2 2
From 78f32c2f2854cab01992c589c5175e98f6454316 Mon Sep 17 00:00:00 2001
From: mboelen
Date: Thu, 10 Sep 2015 21:46:23 +0200
Subject: [PATCH 115/122] Added screen output for /etc/login.conf
---
 include/tests_authentication | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/include/tests_authentication b/include/tests_authentication
index ae113f1b..251060d1 100644
--- a/include/tests_authentication
+++ b/include/tests_authentication
@@ -972,11 +972,12 @@
 if [ ${WEAK_UMASK} -eq 0 ]; then
 Display --indent 4 --text "- Checking umask (/etc/login.conf)" --result OK --color GREEN
 else
+ Display --indent 4 --text "- Checking umask (/etc/login.conf)" --result WEAK --color YELLOW
 ReportSuggestion ${TEST_NO} "Umask in /etc/login.conf could be more strict like 027"
 fi
 else
 logtext "Result: no umask setting found in /etc/login.conf, which is unexpected"
- Display --indent 4 --text "- Checking umask (/etc/login.conf)" --result "NONE" --color YELLOW
+ Display --indent 4 --text "- Checking umask (/etc/login.conf)" --result NONE --color YELLOW
 fi
 fi
From d2c0e7491edbee618d92b519d9907abc90c22058 Mon Sep 17 00:00:00 2001
From: Alexander Lobodzinski
Date: Fri, 11 Sep 2015 14:54:38 +0200
Subject: [PATCH 116/122] In quiet mode, hardening index was not written to log and report files
---
 include/report | 23 ++++++++++++-----------
 1 file changed, 12 insertions(+), 11 deletions(-)
diff --git a/include/report b/include/report
index 91856958..fb57bd00 100644
--- a/include/report
+++ b/include/report
@@ -19,17 +19,6 @@
 #################################################################################
 #
-
- # Only show overview if not running in quiet mode
- if [ ${QUIET} -eq 0 ]; then
- echo ""; echo "================================================================================"
- echo ""; echo " -[ ${WHITE}${PROGRAM_name} ${PROGRAM_version} Results${NORMAL} ]-"
- echo "";
-
-
- if [ ${SHOW_REPORT} -eq 1 ]; then
-
- logtextbreak
 #
 #################################################################################
 #
@@ -88,6 +77,18 @@
 logtext "Hardening index : [${HPINDEX}] [${HPBLOCKS}${HPEMPTY}]"
 logtext "Hardening strength: ${HIDESCRIPTION}"
+
+ # Only show overview if not running in quiet mode
+ if [ ${QUIET} -eq 0 ]; then
+ echo ""; echo "================================================================================"
+ echo ""; echo " -[ ${WHITE}${PROGRAM_name} ${PROGRAM_version} Results${NORMAL} ]-"
+ echo "";
+
+
+ if [ ${SHOW_REPORT} -eq 1 ]; then
+
+ logtextbreak
+
 #
 #################################################################################
 #
From 6fbe0e95c55ac2006d5880bafad1d6386d3c201e Mon Sep 17 00:00:00 2001
From: mboelen
Date: Sat, 12 Sep 2015 15:19:21 +0200
Subject: [PATCH 117/122] Changes to comments only
---
 include/tests_authentication | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/include/tests_authentication b/include/tests_authentication
index 251060d1..ad24a432 100644
--- a/include/tests_authentication
+++ b/include/tests_authentication
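Review bot: Moving the `if [ ${QUIET} -eq 0 ]` and `if [ ${SHOW_REPORT} -eq 1 ]` openers below the two hardening-index `logtext` lines makes everything between the two hunks (old lines 31–88 of include/report) run unconditionally, not only the two `logtext` calls the commit message describes; if any of that region writes to the terminal instead of the log, quiet mode will now print it. That region is not visible here, so please confirm it is log-only, or move just the index computation above the guards. The two `if` blocks are still closed by `fi` lines outside both hunks, so the nesting is worth re-checking after the move.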
@@ -811,11 +811,11 @@
 logtext "Test: Checking umask value in /etc/profile"
 FIND=`grep "umask" /etc/profile | sed 's/^[ \t]*//' | grep -v "^#" | awk '{ print $2 }'`
 FIND2=`grep "umask" /etc/profile | sed 's/^[ \t]*//' | grep -v "^#" | awk '{ print $2 }' | wc -l`
- #FIND2=`egrep "^([[:space:]])([[:tab:]])*umask" /etc/profile | awk '{ print $2 }' | wc -l`
 WEAK_UMASK=0
 FOUND_UMASK=0
 if [ "${FIND2}" = "0" ]; then
 logtext "Result: did not find umask in /etc/profile"
+ #YYY possibly weak umask
 elif [ "${FIND2}" = "1" ]; then
 logtext "Result: found umask (prefixed with spaces)"
 FOUND_UMASK=1
From cae5915c476c9a2a7e1d2174a1b036ee027365c6 Mon Sep 17 00:00:00 2001
From: Bodine Wilson
Date: Sun, 13 Sep 2015 10:51:39 -0400
Subject: [PATCH 118/122] Fixed a typo and mitigated a symlink attack for a corner case involving PID file creation.
---
 CONTRIBUTORS | 1 +
 lynis | 40 +++++++++++++++++++++++-----------------
 2 files changed, 24 insertions(+), 17 deletions(-)
diff --git a/CONTRIBUTORS b/CONTRIBUTORS
index 1a1e7a13..53b83795 100644
--- a/CONTRIBUTORS
+++ b/CONTRIBUTORS
@@ -24,6 +24,7 @@
 ------------------------------------------
 Alexander Lobodzinski
+ Bodine Wilson
 Brian Ginsbach
 C.J. Adams-Collier, US
 Charlie Heselton, US
diff --git a/lynis b/lynis
index 1266b9dd..8d3d44b5 100755
--- a/lynis
+++ b/lynis
@@ -290,8 +290,22 @@
 #
 #################################################################################
 #
- # Check if there is already a PID file (incorrect termination of previous instance)
- if [ -f lynis.pid -o -f /var/run/lynis.pid ]; then
+
+ # Decide where to write our PID file. For unprivileged users this will be in their home directory, or /tmp if their
+ # home directory isn't set. For root it will be /var/run, or the current workign directory if /var/run doesn't exist.
+ MYHOMEDIR=`echo ~`
+ if [ "${MYHOMEDIR}" = "" ]; then MYHOMEDIR="/tmp"; fi
+
+ if [ ${PRIVILEGED} -eq 0 ]; then
+ PIDFILE="${MYHOMEDIR}/lynis.pid"
+ elif [ -d /var/run ]; then
+ PIDFILE="/var/run/lynis.pid"
+ else
+ PIDFILE="./lynis.pid"
+ fi
+
+ # Check if there is already a PID file in any of the locations (incorrect termination of previous instance)
+ if [ -f "${MYHOMEDIR}/lynis.pid" -o -f "./lynis.pid" -o -f "/var/run/lynis.pid" ]; then
 echo ""
 echo " ${WARNING}Warning${NORMAL}: ${WHITE}PID file exists, probably another Lynis process is running.${NORMAL}"
 echo " ------------------------------------------------------------------------------"
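Review bot: The fallback on the added line `if [ "${MYHOMEDIR}" = "" ]; then MYHOMEDIR="/tmp"; fi` places the PID file at the fixed, predictable path `/tmp/lynis.pid` in a world-writable directory, which is exactly the situation the symlink handling later in this commit has to defend against. Falling back to `./lynis.pid`, as the root branch below already does, or refusing to run when no home directory is known, avoids that path altogether. The comment above it misspells "working", and `[ -f a -o -f b -o -f c ]` is the deprecated form; `[ -f a ] || [ -f b ] || [ -f c ]` is the portable spelling.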
@@ -305,26 +319,18 @@
 echo " ${YELLOW}Note: ${WHITE}Cancelling the program can leave temporary files behind${NORMAL}"
 echo ""
 wait_for_keypress
- # Deleting temporary files
+ # Deleting any stale PID files that might exist.
 # Note: Display function does not work yet at this point
- if [ -f lynis.pid ]; then rm -f lynis.pid; fi
- if [ -f /var/run/lynis.pid ]; then rm -f /var/run/lynis.pid; fi
+ if [ -f "${MYHOMEDIR}/lynis.pid" ]; then rm -f "${MYHOMEDIR}/lynis.pid"; fi
+ if [ -f "./lynis.pid" ]; then rm -f "./lynis.pid"; fi
+ if [ -f "/var/run/lynis.pid" ]; then rm -f "/var/run/lynis.pid"; fi
 fi
- # Create new PID file (use work directory if /var/run is not available)
- if [ ${PRIVILEGED} -eq 0 ]; then
- # Store it in home directory of user
- MYHOMEDIR=`echo ~`
- if [ "${MYHOMEDIR}" = "" ]; then HOMEDIR="/tmp"; fi
- PIDFILE="${MYHOMEDIR}/lynis.pid"
- elif [ -d /var/run ]; then
- PIDFILE="/var/run/lynis.pid"
- else
- PIDFILE="lynis.pid"
- fi
+ # Create new PID file writable only by owner. Decrease the window for symlink attacks.
+ (umask 077; rm -f ${PIDFILE} ; touch ${PIDFILE})
 OURPID=`echo $$`
 echo ${OURPID} > ${PIDFILE}
- chmod 600 ${PIDFILE}
+
 #
 #################################################################################
 #
From 7db712c0b2d2726df699156d8c7a7f7543591190 Mon Sep 17 00:00:00 2001
From: mboelen
Date: Sun, 13 Sep 2015 17:07:22 +0200
Subject: [PATCH 119/122] Textual changes and link to contributions guide
---
 README.md | 27 ++++++++++++---------------
 1 file changed, 12 insertions(+), 15 deletions(-)
diff --git a/README.md b/README.md
index 6997db75..c7016f7a 100644
--- a/README.md
+++ b/README.md
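Review bot: `(umask 077; rm -f ${PIDFILE} ; touch ${PIDFILE})` followed by `echo ${OURPID} > ${PIDFILE}` is still a check-then-use sequence: between the `rm`, the `touch` and the redirect another process can place a symlink at `${PIDFILE}`, and the redirect follows it. The last hunk of patch 122 replaces this with an `-L` test before the write, which leaves the same window between the test and the write. Creating the file in one exclusive step closes it: `( umask 077; set -C; echo "$$" > "${PIDFILE}" ) || ExitFatal`, since `set -C` (noclobber) makes bash and dash open the path with O_EXCL, so the redirect fails instead of writing through an existing regular file or a dangling symlink, and the umask inside the subshell makes the separate `chmod 600` unnecessary. The stale-file cleanup above should stay as it is, so a genuine leftover PID file is removed before the exclusive create.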
@@ -3,22 +3,19 @@ lynis Lynis - Security auditing and hardening tool, for Unix based systems -Lynis is a security auditing for Unix derivatives like Linux, BSD, and Solaris. It performs an in-depth security scan -on the system to detect software and security issues. Besides information related to security, it will also scan for -general system information, installed packages, and possible configuration issues. +Lynis is a security auditing for Unix derivatives like Linux, BSD, and Solaris. It performs an in-depth security scan on the system to detect software and security issues. Besides information related to security, it will also scan for general system information, vulnerable software packages, and possible configuration issues. -We believe software should be simple, updated on a regular basis and open. You should be able to trust, understand, -and even alter the software. Many agree with us, as the software is being used by thousands every day to protect -their systems. +We believe software should be simple, updated on a regular basis and open. You should be able to trust, understand, and even alter the software. Many agree with us, as the software is being used by thousands every day to protect their systems. Main goals: -- Automated security auditing -- Compliance testing -- Vulnerability management +- Security auditing (automated) +- Compliance testing (e.g. PCI-DSS, HIPAA) +- Vulnerability testing The software aims to also assist with: - Configuration management - Software patch management +- System hardening - Penetration testing - Malware scanning - Intrusion detection 
@@ -45,13 +42,13 @@ chgrp -R to recursively alter the owner and group. Full documentation: https://cisofy.com/documentation/lynis/ ## Flexibility -For people who want to expand tests, it is suggested to use the tests_custom file (template in include directory). +If you want to create your own tests, use the 'tests_custom' file (template available in 'include' directory). Plugins are another possibility to customize, although their main goal is collecting data. -## Enterprise options -This software component has additional options and support available for companies. If you want to perform more -tests and centrally manage them, consider the purchase of a license. +## Enterprise version +This software is also available as part of an enterprise suite. It includes additional functionality (plugins, centralized system, reporting, dashboard), and supports. -## Support -Got an improvement to share? Create an issue in the tracker on GitHub or send us an e-mail: lynis-dev@cisofy.com +## Contribute +Got an improvement? Create it as an issue in the tracker on GitHub or send us an e-mail: lynis-dev@cisofy.com +More details can be found at https://github.com/CISOfy/lynis/CONTRIBUTIONS.md From 19b56631fa598f9eef73483ffd63d23c97b8d161 Mon Sep 17 00:00:00 2001 From: mboelen Date: Sun, 13 Sep 2015 17:17:37 +0200 Subject: [PATCH 120/122] Updated link to contributors guide --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index c7016f7a..84c68134 100644 --- a/README.md +++ b/README.md @@ -50,5 +50,5 @@ This software is also available as part of an enterprise suite. It includes addi ## Contribute Got an improvement? Create it as an issue in the tracker on GitHub or send us an e-mail: lynis-dev@cisofy.com -More details can be found at https://github.com/CISOfy/lynis/CONTRIBUTIONS.md +More details can be found at [Contributors Guide](https://github.com/CISOfy/lynis/blog/master/CONTRIBUTIONS.md) 
From eb6385484c5a2c915c4aa5ef158fa5cf4ba23dbc Mon Sep 17 00:00:00 2001
From: mboelen
Date: Sun, 13 Sep 2015 17:18:13 +0200
Subject: [PATCH 121/122] Updated link to contributors guide
---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 84c68134..b7fa2940 100644
--- a/README.md
+++ b/README.md
@@ -50,5 +50,5 @@ This software is also available as part of an enterprise suite. It includes addi
 ## Contribute
 Got an improvement? Create it as an issue in the tracker on GitHub or send us an e-mail: lynis-dev@cisofy.com
-More details can be found at [Contributors Guide](https://github.com/CISOfy/lynis/blog/master/CONTRIBUTIONS.md)
+More details can be found at [Contributors Guide](https://github.com/CISOfy/lynis/blob/master/CONTRIBUTIONS.md)
From ae0e24aace993a4238514e7d2e01f5a6e9a54660 Mon Sep 17 00:00:00 2001
From: mboelen
Date: Sun, 13 Sep 2015 21:35:02 +0200
Subject: [PATCH 122/122] Added minor improvements to ensure PID file is correctly written
---
 lynis | 16 +++++++++++-----
 1 file changed, 11 insertions(+), 5 deletions(-)
diff --git a/lynis b/lynis
index 8d3d44b5..87687673 100755
--- a/lynis
+++ b/lynis
@@ -23,7 +23,7 @@
 # Program information
 PROGRAM_name="Lynis"
 PROGRAM_version="2.1.2"
- PROGRAM_releasedate="9 September 2015"
+ PROGRAM_releasedate="13 September 2015"
 PROGRAM_author="Michael Boelen, CISOfy"
 PROGRAM_author_contact="lynis-dev@cisofy.com"
 PROGRAM_website="https://cisofy.com"
@@ -293,7 +293,7 @@
 # Decide where to write our PID file. For unprivileged users this will be in their home directory, or /tmp if their
 # home directory isn't set. For root it will be /var/run, or the current workign directory if /var/run doesn't exist.
- MYHOMEDIR=`echo ~`
+ MYHOMEDIR=`echo ~ 2> /dev/null`
 if [ "${MYHOMEDIR}" = "" ]; then MYHOMEDIR="/tmp"; fi
 if [ ${PRIVILEGED} -eq 0 ]; then
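Review bot: The `2> /dev/null` added to `MYHOMEDIR=\`echo ~ 2> /dev/null\`` does not cover the case the next line tests for: `echo` writes nothing to stderr here, and when HOME is unset tilde expansion is unspecified by POSIX — some shells, dash for one, leave a literal `~`, so `MYHOMEDIR` becomes `~`, the empty-string check never fires, and the PID file is written under a relative directory literally named `~`. Reading the variable directly, `MYHOMEDIR="${HOME}"`, makes the empty check meaningful and removes the command substitution.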
@@ -326,10 +326,16 @@
 if [ -f "/var/run/lynis.pid" ]; then rm -f "/var/run/lynis.pid"; fi
 fi
- # Create new PID file writable only by owner. Decrease the window for symlink attacks.
- (umask 077; rm -f ${PIDFILE} ; touch ${PIDFILE})
+ # Ensure symlink attack is not possible, by confirming there is no symlink of the file already
 OURPID=`echo $$`
- echo ${OURPID} > ${PIDFILE}
+ if [ -L ${PIDFILE} ]; then
+ echo "Found symlinked PID file (${PIDFILE}), quitting"
+ ExitFatal
+ else
+ # Create new PID file writable only by owner
+ echo "${OURPID}" > ${PIDFILE}
+ chmod 600 ${PIDFILE}
+ fi
 #
 #################################################################################
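Review bot: `${PIDFILE}` is unquoted in `[ -L ${PIDFILE} ]`, `> ${PIDFILE}` and `chmod 600 ${PIDFILE}`, although it is built from the user's home directory in the previous hunk, which may contain spaces; the `-f` tests earlier in this file already quote the same paths, so `[ -L "${PIDFILE}" ]`, `> "${PIDFILE}"` and `chmod 600 "${PIDFILE}"` keep it consistent. Between the `echo` redirect and the `chmod` the file briefly carries the permissions given by the process umask; applying `umask 077` before the write, as the removed line did, avoids depending on the chmod.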